Edit tour

Windows Analysis Report
SecuriteInfo.com.Program.RemoteAdminNET.1.367.20003.msi

Overview

General Information

Sample name:	SecuriteInfo.com.Program.RemoteAdminNET.1.367.20003.msi
Analysis ID:	1520637
MD5:	96c976c658e8b4e145acd0018af782d9
SHA1:	54931426f0bdf779e208339a60870503859677d9
SHA256:	e92f49b13affdc1a1626c3bf922c651faccd20f6455fa6d728875a00d30c0cbe
Tags:	msi
Infos:

Detection

AteraAgent

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for dropped file

System process connects to network (likely due to code injection or exploit)

Yara detected AteraAgent

AI detected suspicious sample

Changes security center settings (notifications, updates, antivirus, firewall)

Creates files in the system32 config directory

Installs Task Scheduler Managed Wrapper

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Queries sensitive service information (via WMI, WIN32_SERVICE, often done to detect sandboxes)

Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)

Queries sensitive sound device information (via WMI, Win32_SoundDevice, often done to detect virtual machines)

Query firmware table information (likely to detect VMs)

Reads the Security eventlog

Reads the System eventlog

Yara detected Generic Downloader

AV process strings found (often used to terminate AV products)

Adds / modifies Windows certificates

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Checks for available system drives (often done to infect USB drives)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Checks if the current process is being debugged

Contains capabilities to detect virtual machines

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to detect virtual machines (SGDT)

Contains functionality to dynamically determine API calls

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates COM task schedule object (often to register a task for autostart)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Creates or modifies windows services

Deletes files inside the Windows folder

Detected potential crypto function

Drops PE files

Drops PE files to the windows directory (C:\Windows)

Drops certificate files (DER)

Enables debug privileges

Extensive use of GetProcAddress (often used to hide API calls)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

Is looking for software installed on the system

May sleep (evasive loops) to hinder dynamic analysis

Modifies existing windows services

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Queries disk information (often used to detect virtual machines)

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the product ID of Windows

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Stores large binary data to the registry

Uses Microsoft's Enhanced Cryptographic Provider

Uses code obfuscation techniques (call, push, ret)

Uses net.exe to stop services

Uses taskkill to terminate processes

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Classification

Process Tree

System is w10x64

msiexec.exe (PID: 4184 cmdline: "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\SecuriteInfo.com.Program.RemoteAdminNET.1.367.20003.msi" MD5: E5DA170027542E25EDE42FC54C929077)

msiexec.exe (PID: 5724 cmdline: C:\Windows\system32\msiexec.exe /V MD5: E5DA170027542E25EDE42FC54C929077)

msiexec.exe (PID: 2676 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding B5D92016C39FF7678052452FC1E699E8 MD5: 9D09DC1EDA745A5F87553048E57620CF)

rundll32.exe (PID: 7132 cmdline: rundll32.exe "C:\Windows\Installer\MSIFBAD.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_4062296 2 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.GenerateAgentId MD5: 889B99C52A60DD49227C5E485A016679)

rundll32.exe (PID: 6328 cmdline: rundll32.exe "C:\Windows\Installer\MSI16A.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_4063718 6 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.ReportMsiStart MD5: 889B99C52A60DD49227C5E485A016679)

rundll32.exe (PID: 4300 cmdline: rundll32.exe "C:\Windows\Installer\MSI14C4.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_4068578 10 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.ShouldContinueInstallation MD5: 889B99C52A60DD49227C5E485A016679)

rundll32.exe (PID: 1860 cmdline: rundll32.exe "C:\Windows\Installer\MSI330F.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_4076312 32 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.ReportMsiEnd MD5: 889B99C52A60DD49227C5E485A016679)

msiexec.exe (PID: 2608 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding FE293C9828EFC6E5D88E7F26AF6615E9 E Global\MSI0000 MD5: 9D09DC1EDA745A5F87553048E57620CF)

net.exe (PID: 5932 cmdline: "NET" STOP AteraAgent MD5: 31890A7DE89936F922D44D677F681A7F)

conhost.exe (PID: 1528 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

net1.exe (PID: 6648 cmdline: C:\Windows\system32\net1 STOP AteraAgent MD5: 2EFE6ED4C294AB8A39EB59C80813FEC1)

taskkill.exe (PID: 3232 cmdline: "TaskKill.exe" /f /im AteraAgent.exe MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 3800 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

AteraAgent.exe (PID: 2020 cmdline: "C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe" /i /IntegratorLogin="ilpilarsaomateus@gmail.com" /CompanyId="1" /IntegratorLoginUI="" /CompanyIdUI="" /FolderId="" /AccountId="001Q300000Lu4JQIAZ" /AgentId="66902f0e-5571-47c0-8de5-86038d3e7b35" MD5: 477293F80461713D51A98A24023D45E8)

svchost.exe (PID: 5740 cmdline: C:\Windows\System32\svchost.exe -k NetworkService -p MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

SgrmBroker.exe (PID: 6800 cmdline: C:\Windows\system32\SgrmBroker.exe MD5: 3BA1A18A0DC30A0545E7765CB97D8E63)

svchost.exe (PID: 568 cmdline: C:\Windows\system32\svchost.exe -k UnistackSvcGroup MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

svchost.exe (PID: 3172 cmdline: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

svchost.exe (PID: 6360 cmdline: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s wscsvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

MpCmdRun.exe (PID: 4244 cmdline: "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable MD5: B3676839B2EE96983F9ED735CD044159)

conhost.exe (PID: 7152 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

svchost.exe (PID: 6680 cmdline: C:\Windows\System32\svchost.exe -k wsappx -p -s ClipSVC MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

svchost.exe (PID: 8 cmdline: C:\Windows\system32\svchost.exe -k LocalService -s W32Time MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

AteraAgent.exe (PID: 720 cmdline: "C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe" MD5: 477293F80461713D51A98A24023D45E8)

sc.exe (PID: 3672 cmdline: "C:\Windows\System32\sc.exe" failure AteraAgent reset= 600 actions= restart/25000 MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

conhost.exe (PID: 1624 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

AgentPackageAgentInformation.exe (PID: 1920 cmdline: "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" 66902f0e-5571-47c0-8de5-86038d3e7b35 "a7726a3f-8b3e-4e5c-93fd-b7293e973556" agent-api.atera.com/Production 443 or8ixLi90Mf "minimalIdentification" 001Q300000Lu4JQIAZ MD5: EBFEC606B23961A73DB0F5541E93C03C)

conhost.exe (PID: 1652 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

AgentPackageAgentInformation.exe (PID: 1480 cmdline: "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" 66902f0e-5571-47c0-8de5-86038d3e7b35 "cd1ad75d-30e1-481a-b7d6-4d6b012e03f7" agent-api.atera.com/Production 443 or8ixLi90Mf "minimalIdentification" 001Q300000Lu4JQIAZ MD5: EBFEC606B23961A73DB0F5541E93C03C)

conhost.exe (PID: 2020 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

AgentPackageAgentInformation.exe (PID: 5572 cmdline: "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" 66902f0e-5571-47c0-8de5-86038d3e7b35 "3f72da7d-d915-4f53-8bc1-de00eab8c542" agent-api.atera.com/Production 443 or8ixLi90Mf "minimalIdentification" 001Q300000Lu4JQIAZ MD5: EBFEC606B23961A73DB0F5541E93C03C)

conhost.exe (PID: 4332 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

AgentPackageAgentInformation.exe (PID: 3964 cmdline: "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" 66902f0e-5571-47c0-8de5-86038d3e7b35 "db753a87-56d5-4df4-b088-df029e1319dc" agent-api.atera.com/Production 443 or8ixLi90Mf "identified" 001Q300000Lu4JQIAZ MD5: EBFEC606B23961A73DB0F5541E93C03C)

conhost.exe (PID: 1964 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

AgentPackageAgentInformation.exe (PID: 3260 cmdline: "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" 66902f0e-5571-47c0-8de5-86038d3e7b35 "b27bbec1-8375-4d6e-a646-54dd514ea664" agent-api.atera.com/Production 443 or8ixLi90Mf "generalinfo fromGui" 001Q300000Lu4JQIAZ MD5: EBFEC606B23961A73DB0F5541E93C03C)

conhost.exe (PID: 344 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 1464 cmdline: "C:\Windows\System32\cmd.exe" /c cscript "C:\Program Files (x86)\Microsoft Office\Office16\ospp.vbs" /dstatus MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 6068 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cscript.exe (PID: 2352 cmdline: cscript "C:\Program Files (x86)\Microsoft Office\Office16\ospp.vbs" /dstatus MD5: 24590BF74BBBBFD7D7AC070F4E3C44FD)

AgentPackageSTRemote.exe (PID: 6208 cmdline: "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe" 66902f0e-5571-47c0-8de5-86038d3e7b35 "25d94b19-dd8c-444e-8649-b75dcdab378e" agent-api.atera.com/Production 443 or8ixLi90Mf "install eyJSbW1Db2RlIjoiaFpDREZQaEs3NW1KIn0=" 001Q300000Lu4JQIAZ MD5: 749C51599FBF82422791E0DF1C1E841C)

conhost.exe (PID: 5580 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

AgentPackageMonitoring.exe (PID: 1100 cmdline: "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe" 66902f0e-5571-47c0-8de5-86038d3e7b35 "cb18c271-196a-4aaf-9ea1-03326a248300" agent-api.atera.com/Production 443 or8ixLi90Mf "syncprofile" 001Q300000Lu4JQIAZ MD5: B50005A1A62AFA85240D1F65165856EB)

conhost.exe (PID: 6472 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

AteraAgent.exe (PID: 1020 cmdline: "C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe" MD5: 477293F80461713D51A98A24023D45E8)

sc.exe (PID: 1624 cmdline: "C:\Windows\System32\sc.exe" failure AteraAgent reset= 600 actions= restart/25000 MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

conhost.exe (PID: 3576 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

AgentPackageAgentInformation.exe (PID: 1340 cmdline: "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" 66902f0e-5571-47c0-8de5-86038d3e7b35 "62bbbd59-291d-44d5-8ada-88594b5f534e" agent-api.atera.com/Production 443 or8ixLi90Mf "generalinfo" 001Q300000Lu4JQIAZ MD5: EBFEC606B23961A73DB0F5541E93C03C)

conhost.exe (PID: 6476 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 4948 cmdline: "C:\Windows\System32\cmd.exe" /c cscript "C:\Program Files (x86)\Microsoft Office\Office16\ospp.vbs" /dstatus MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 3672 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cscript.exe (PID: 5664 cmdline: cscript "C:\Program Files (x86)\Microsoft Office\Office16\ospp.vbs" /dstatus MD5: 24590BF74BBBBFD7D7AC070F4E3C44FD)

AgentPackageUpgradeAgent.exe (PID: 2864 cmdline: "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe" 66902f0e-5571-47c0-8de5-86038d3e7b35 "153560a1-b70b-409f-affc-69982282c523" agent-api.atera.com/Production 443 or8ixLi90Mf "checkforupdates" 001Q300000Lu4JQIAZ MD5: D11B2139D29E79D795054C3866898B7F)

conhost.exe (PID: 1652 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

sppsvc.exe (PID: 6960 cmdline: C:\Windows\system32\sppsvc.exe MD5: 320823F03672CEB82CC3A169989ABD12)

svchost.exe (PID: 2040 cmdline: C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

svchost.exe (PID: 2840 cmdline: C:\Windows\System32\svchost.exe -k smphost MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

cleanup

Yara Signatures

Dropped Files

Source	Rule	Description	Author
C:\Windows\Temp\~DFF85B65DD083C28D1.TMP	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Atera.AgentPackages.ModelsV3.dll	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\netstandard.dll	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
C:\Windows\Temp\~DF07D540AE027F4656.TMP	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\Atera.AgentPackages.CommonLib.dll	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\Atera.Utils.dll	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\Atera.AgentPackage.Common.dll	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
C:\Windows\Installer\MSI2F94.tmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
C:\Config.Msi\3dfa4b.rbs	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
C:\Config.Msi\3dfa4b.rbs	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
C:\Windows\Temp\~DF27045DF9BB3D83EC.TMP	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
C:\Windows\Temp\~DF27045DF9BB3D83EC.TMP	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
C:\Windows\Temp\~DF8CD3DD11D85A5C11.TMP	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.InstallLog	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\UserDetections.dll	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\UserDetections.dll	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\UserDetections.dll	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
C:\Windows\Installer\MSI4F07.tmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\TicketingPackageExtensions.dll	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\TicketingPackageExtensions.dll	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
C:\Windows\Temp\~DF3748246E0295C8E7.TMP	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
C:\Windows\Temp\~DF9A8BC046147F428C.TMP	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
C:\Windows\Installer\MSI16A.tmp-\AlphaControlAgentInstallation.dll	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
C:\Windows\Installer\MSI14C4.tmp-\AlphaControlAgentInstallation.dll	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
C:\Windows\Installer\MSIFBAD.tmp-\AlphaControlAgentInstallation.dll	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
C:\Windows\Installer\MSIFBAD.tmp-\AlphaControlAgentInstallation.dll	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\AgentPackageSystemTools.exe	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
C:\Windows\System32\InstallUtil.InstallLog	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Atera.AgentPackage.Common.dll	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Atera.AgentPackages.CommonLib.dll	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
C:\Windows\Temp\~DF1E29FC9B342B27CE.TMP	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
C:\Windows\Temp\~DF1E29FC9B342B27CE.TMP	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
C:\Windows\Installer\inprogressinstallinfo.ipi	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
C:\Windows\Temp\~DF50AE555E1AE6C734.TMP	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
C:\Windows\Temp\AteraSetupLog.txt	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
C:\Windows\Temp\AteraSetupLog.txt	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Atera.Utils.dll	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\RestartReminder.exe	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
C:\Program Files (x86)\ATERA Networks\AteraAgent\ToBeRemoved\AteraAgent.exe	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
C:\Windows\Temp\~DFB1DAA7BE4628F397.TMP	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
C:\Windows\Temp\~DFB1DAA7BE4628F397.TMP	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
C:\Windows\Installer\MSI18BD.tmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
C:\Windows\Temp\~DFF55CA7399CFD76B7.TMP	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
C:\Windows\Temp\~DF8D23518F04E02162.TMP	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
C:\Windows\Temp\~DF0BA98394DFBAFEC5.TMP	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
C:\Windows\Temp\~DF4090650E6245C6F2.TMP	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
C:\Windows\Temp\~DF946B63CA5CEB85FD.TMP	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
C:\Config.Msi\3dfa46.rbs	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
C:\Config.Msi\3dfa46.rbs	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
C:\Windows\Temp\~DFA7EEBB2557D24724.TMP	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Atera.AgentPackages.ModelsV3.dll	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
C:\Config.Msi\3dfa53.rbs	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
C:\Windows\Temp\~DF7EC49C7F7F89DD72.TMP	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
C:\Windows\Temp\~DF2A5BC4EA07A7A256.TMP	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
C:\Windows\Installer\MSI330F.tmp-\AlphaControlAgentInstallation.dll	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exe	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
C:\Program Files (x86)\ATERA Networks\AteraAgent\ToBeRemoved\AteraAgent.InstallLog	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
C:\Windows\Temp\~DF566BF609044F45EB.TMP	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.Common.dll	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.Common.dll	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.Common.dll	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\chocolatey.dll	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
Click to see the 67 entries

Memory Dumps

Source	Rule	Description	Author
00000024.00000002.2155555456.0000027DEC66C000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
00000024.00000002.2088334568.0000027D80539000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
00000024.00000002.2150679963.0000027DEC26C000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
00000022.00000002.1789224660.00000248AC190000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
00000015.00000002.1880894733.000002A329E61000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
0000002A.00000002.2168433819.000001EE85220000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
0000002D.00000002.1694634338.000001D422C70000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
0000001C.00000002.1589816031.00007FFB23B20000.00000004.00000001.01000000.00000013.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
00000024.00000002.2145707445.0000027DEB230000.00000004.00000020.00040000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
00000015.00000002.1896332173.000002A342148000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
00000036.00000002.2046067313.000001F111BCB000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
00000022.00000002.1790807938.00000248ACBD1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
00000022.00000002.1802242322.00000248C5385000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
0000002A.00000002.2202850018.000001EE9E2C8000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
00000033.00000002.2095306627.0000018792DEF000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
00000015.00000002.1880894733.000002A329C7F000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
00000024.00000002.2088334568.0000027D807EB000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
00000018.00000002.1468699862.0000000005234000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
0000002D.00000002.1694216775.000001D422C12000.00000002.00000001.01000000.0000001F.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
00000033.00000002.2151925768.00007FFB23B20000.00000004.00000001.01000000.00000013.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
00000015.00000002.1878116692.000002A329149000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
00000022.00000002.1804019914.00000248C546E000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
00000014.00000002.1403578923.00000282B4E8A000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
0000002D.00000002.1722197586.000001D43C915000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
00000033.00000002.2095306627.00000187928C3000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
00000015.00000002.1880894733.000002A329FBD000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
00000022.00000002.1808201586.00007FFB23B20000.00000004.00000001.01000000.00000013.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
00000015.00000002.1880894733.000002A32A141000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
00000014.00000002.1404747077.00000282CD823000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
00000015.00000002.1880894733.000002A329F68000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
00000014.00000002.1403578923.00000282B4E99000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
00000024.00000002.2140880493.0000027DEB1A9000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
00000014.00000002.1403578923.00000282B4E5C000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
00000035.00000002.2190568153.000001B35AEC5000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
00000022.00000002.1789224660.00000248AC215000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
00000024.00000002.2085641808.000000BE3C134000.00000004.00000010.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
0000001A.00000002.1592759090.00007FFB23B20000.00000004.00000001.01000000.00000013.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
0000001C.00000002.1571490470.000001DD473A0000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
0000001E.00000002.1622260091.00000131ACD73000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
00000024.00000002.2088334568.0000027D80299000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
00000033.00000002.2122617084.00000187AB1C0000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
00000015.00000002.1898386456.000002A3424DB000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
00000015.00000002.1877972695.000002A328FD0000.00000004.00000020.00040000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
00000022.00000002.1789224660.00000248AC1D0000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
0000001A.00000002.1574235267.000002069C85F000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
0000001A.00000002.1568260436.000002069BD9E000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
0000001C.00000002.1569432210.000001DD470F0000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
00000024.00000002.2088334568.0000027D80001000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
00000027.00000002.1697045305.0000029025B50000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
0000002D.00000002.1736383824.00007FFB036E9000.00000004.00000001.01000000.0000001E.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
00000022.00000002.1790807938.00000248ACC3F000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
00000024.00000002.2088334568.0000027D80060000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
0000002A.00000002.2168093156.000001EE851E0000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
00000015.00000002.1880894733.000002A32A00B000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
0000001A.00000002.1560441536.000002069BD80000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
00000024.00000002.2088334568.0000027D806BB000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
00000033.00000002.2095306627.0000018792851000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
00000033.00000002.2089271472.00000187920EC000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
00000022.00000002.1790807938.00000248ACBCC000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
00000024.00000002.2140880493.0000027DEB15C000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
00000035.00000000.1930927486.000001B35A972000.00000002.00000001.01000000.00000029.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
0000001C.00000002.1569432210.000001DD4710F000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
00000024.00000002.2150679963.0000027DEC291000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
00000024.00000002.2158613123.0000027DEC6DB000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
0000002A.00000002.2171122634.000001EE852CA000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
00000008.00000002.1327694824.0000000004844000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
00000024.00000002.2155555456.0000027DEC632000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
00000022.00000002.1790807938.00000248ACC3B000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
00000015.00000002.1898386456.000002A3424C0000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
00000015.00000002.1880894733.000002A329C08000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
0000002D.00000002.1697943618.000001D4232A1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
00000033.00000002.2089271472.000001879213A000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
0000000D.00000003.1331654140.00000000041F4000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
00000015.00000002.1898386456.000002A34254E000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
00000014.00000002.1405879986.00007FFB0BB30000.00000004.00000001.01000000.00000013.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
00000036.00000002.2046286937.000001F111CC0000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
00000015.00000002.1880894733.000002A329DBE000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
0000001A.00000002.1568260436.000002069BDC1000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
00000033.00000002.2095306627.0000018792897000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
0000001C.00000002.1571797704.000001DD479E3000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
00000015.00000002.1880894733.000002A329CF6000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
00000024.00000002.2087376733.000000BE3C335000.00000004.00000010.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
0000001E.00000002.1626578796.00007FFB23B20000.00000004.00000001.01000000.00000013.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
0000002A.00000002.2169067788.000001EE8523E000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
00000014.00000002.1403578923.00000282B4F4C000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
00000018.00000002.1468699862.0000000005191000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
00000024.00000002.2088334568.0000027D8033C000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
0000001E.00000002.1610900588.00000131AC42B000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
00000024.00000002.2170161544.00007FFB23B20000.00000004.00000001.01000000.00000013.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
00000022.00000002.1790807938.00000248ACAA3000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
00000035.00000002.2182180380.000000AC472F3000.00000004.00000010.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
00000015.00000002.1880894733.000002A329CE0000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
00000024.00000002.2140880493.0000027DEB128000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
0000001C.00000002.1569432210.000001DD47132000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
00000014.00000002.1403578923.00000282B4E84000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
00000024.00000002.2084967627.000000BE3B935000.00000004.00000010.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
0000001E.00000002.1622260091.00000131ACDBF000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
00000015.00000002.1880039341.000002A329270000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
00000020.00000002.1585093238.000001851EE00000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
00000015.00000002.1880894733.000002A329E4E000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
00000014.00000002.1403578923.00000282B4F02000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
00000024.00000002.2087554285.000000BE3C435000.00000004.00000010.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
00000035.00000002.2210125521.000001B373BC0000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
00000024.00000002.2088334568.0000027D804E5000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
00000014.00000002.1404068454.00000282CD490000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
0000002A.00000002.2169067788.000001EE852AC000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
00000033.00000002.2089271472.00000187920CB000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
00000035.00000002.2190884933.000001B35B4DB000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
00000024.00000002.2088334568.0000027D8035B000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
0000002D.00000002.1722382611.000001D43C926000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
00000015.00000002.1909211556.00007FFB23B20000.00000004.00000001.01000000.00000013.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
00000024.00000002.2088334568.0000027D80819000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
00000014.00000002.1404420688.00000282CD5E0000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
00000022.00000002.1789224660.00000248AC1CB000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
00000022.00000002.1790807938.00000248ACC0C000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
0000002D.00000002.1722155139.000001D43C717000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
00000024.00000002.2088334568.0000027D80545000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
00000035.00000002.2183736490.000001B35ABB1000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
0000001A.00000002.1568260436.000002069BDCB000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
00000015.00000002.1898386456.000002A342563000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
00000024.00000002.2088334568.0000027D80102000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
00000014.00000000.1363107154.00000282B3042000.00000002.00000001.01000000.00000010.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
00000015.00000002.1880894733.000002A329A41000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
0000001C.00000002.1569432210.000001DD470F8000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
00000020.00000002.1590833917.000001851F683000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
00000024.00000002.2088334568.0000027D802B1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
0000002A.00000002.2169067788.000001EE85260000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
00000027.00000002.1697255268.0000029025C50000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
00000022.00000002.1800817334.00000248C52AD000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
0000002A.00000000.1610870120.000001EE85032000.00000002.00000001.01000000.0000001C.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
00000020.00000002.1590833917.000001851F601000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
0000001A.00000000.1533103031.000002069BBD2000.00000002.00000001.01000000.00000018.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
0000001A.00000002.1571375000.000002069BFB0000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
00000035.00000002.2190884933.000001B35B3D1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
00000020.00000002.1586780777.000001851EE68000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
00000024.00000002.2088334568.0000027D80321000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
00000014.00000002.1403578923.00000282B4DD1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
00000024.00000002.2158613123.0000027DEC69C000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
00000024.00000002.2088334568.0000027D80724000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
00000015.00000002.1880894733.000002A32A0BA000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
00000024.00000002.2088334568.0000027D803D3000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
00000015.00000002.1880894733.000002A329E50000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
0000001C.00000002.1571157311.000001DD472C2000.00000002.00000001.01000000.0000001A.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
0000002A.00000002.2174501497.000001EE85A08000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
00000020.00000002.1586780777.000001851EE60000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
00000015.00000002.1875929368.000000A728B85000.00000004.00000010.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
00000035.00000002.2183736490.000001B35ABFD000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
00000033.00000002.2089271472.00000187920B0000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
00000022.00000002.1790376859.00000248AC490000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
00000014.00000002.1403578923.00000282B4F36000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
00000024.00000002.2088334568.0000027D804E1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
00000014.00000002.1402227067.00000282B316E000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
00000027.00000002.1697045305.0000029025B5B000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
0000002D.00000002.1722496320.000001D43CB6D000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
00000014.00000002.1402227067.00000282B30EC000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
0000001E.00000002.1610900588.00000131AC472000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
00000015.00000002.1880894733.000002A32A1A6000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
00000015.00000002.1880894733.000002A32A19C000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
00000022.00000002.1790807938.00000248ACC86000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
00000014.00000002.1403357661.00000282B33D0000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
00000020.00000002.1586780777.000001851EEE9000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
00000033.00000002.2095306627.0000018792A26000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
00000035.00000002.2190884933.000001B35B261000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
00000024.00000002.2088334568.0000027D80232000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
0000001C.00000002.1569432210.000001DD47175000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
0000001A.00000002.1574235267.000002069C7E7000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
00000014.00000002.1403578923.00000282B4E59000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
0000001E.00000002.1622260091.00000131ACD47000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
00000005.00000003.1267628350.00000000048F0000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
00000035.00000002.2189733854.000001B35AD40000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
0000001E.00000002.1610900588.00000131AC431000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
0000002D.00000002.1696952170.000001D423198000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
00000015.00000002.1880894733.000002A329CD3000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
00000015.00000002.1880894733.000002A32A04F000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
00000024.00000002.2088334568.0000027D805AD000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
0000001C.00000002.1569432210.000001DD4712C000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
00000024.00000002.2088334568.0000027D8085E000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
00000022.00000002.1790807938.00000248ACA11000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
0000002D.00000002.1697943618.000001D42338D000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
00000015.00000002.1880894733.000002A329DDF000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
0000001A.00000002.1574235267.000002069C7A1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
0000002A.00000002.2199195531.000001EE9E228000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
00000022.00000002.1790807938.00000248ACB73000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
00000036.00000002.2046067313.000001F111BE3000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
00000024.00000002.2140880493.0000027DEB1C0000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
00000015.00000002.1901343649.000002A34268D000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
00000015.00000002.1900170957.000002A3425F7000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
00000024.00000002.2147079923.0000027DEB400000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
00000027.00000003.1591953076.0000029025C70000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
00000033.00000002.2135255406.00000187AB3DD000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
00000024.00000002.2088334568.0000027D803EB000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
0000002D.00000002.1692653802.000001D422ACC000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
00000033.00000002.2095306627.0000018792DAD000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
00000033.00000002.2088867970.0000018792070000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
00000029.00000002.1693658473.0000024616A80000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
00000024.00000002.2088334568.0000027D803D9000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
00000024.00000002.2088334568.0000027D8058E000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
00000033.00000002.2127533637.00000187AB286000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
00000015.00000002.1898386456.000002A342505000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
0000002D.00000002.1692653802.000001D422A40000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
00000024.00000002.2088334568.0000027D802FE000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
00000015.00000002.1896332173.000002A342100000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
00000014.00000002.1402227067.00000282B3120000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
00000015.00000002.1880894733.000002A329EA8000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
00000035.00000002.2190884933.000001B35B377000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
00000024.00000002.2088334568.0000027D8051E000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
00000015.00000002.1880894733.000002A32A0BC000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
0000002A.00000002.2174501497.000001EE85991000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
00000024.00000002.2155555456.0000027DEC64F000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
0000002D.00000000.1639820961.000001D422772000.00000002.00000001.01000000.0000001D.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
00000014.00000002.1403578923.00000282B4F05000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
00000033.00000002.2095306627.00000187928D3000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
0000002D.00000002.1692092530.000001D422860000.00000004.00000020.00040000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
00000036.00000002.2046067313.000001F111BC0000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
0000002D.00000002.1692653802.000001D422A80000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
0000001A.00000002.1574235267.000002069C813000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
0000001E.00000002.1618685636.00000131AC6E0000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
00000024.00000002.2088334568.0000027D80726000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
00000024.00000002.2086154085.000000BE3C229000.00000004.00000010.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
00000015.00000002.1878116692.000002A329100000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
00000014.00000002.1405442881.00007FFAAC7E4000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
0000001E.00000002.1622260091.00000131ACD01000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
00000024.00000002.2155555456.0000027DEC617000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
00000033.00000002.2089271472.0000018792193000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
00000015.00000002.1878116692.000002A32913F000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
00000020.00000002.1590833917.000001851F673000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
00000024.00000002.2088334568.0000027D80543000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
00000024.00000002.2155555456.0000027DEC610000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
0000002D.00000002.1692653802.000001D422A4C000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
00000024.00000002.2088334568.0000027D80560000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
00000035.00000002.2210125521.000001B373C55000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
00000036.00000003.2045113682.000001F111BE7000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
00000008.00000003.1288418547.000000000464A000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
00000024.00000002.2140880493.0000027DEB120000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
00000033.00000002.2095306627.0000018792E36000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
00000015.00000002.1880894733.000002A32A056000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
00000015.00000002.1902010257.000002A342905000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
00000018.00000003.1408439085.0000000004EEA000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
00000036.00000003.1932548750.000001F111CE0000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
0000002A.00000002.2199195531.000001EE9E222000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
00000024.00000002.2079087323.000000BE3A0F5000.00000004.00000010.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
00000027.00000002.1697045305.0000029025B74000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
00000014.00000002.1403578923.00000282B4E82000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
0000002D.00000002.1692653802.000001D422A86000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
00000015.00000002.1880894733.000002A329E0C000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
00000014.00000002.1404068454.00000282CD4D7000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
00000024.00000002.2088334568.0000027D804D7000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
00000008.00000002.1327694824.00000000047A1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
00000015.00000002.1898386456.000002A3424CE000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
00000020.00000002.1586780777.000001851EE9D000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
0000001A.00000002.1580440319.00000206B4E60000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
00000024.00000002.2088334568.0000027D80353000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
00000039.00000002.2038115398.000002056C000000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
00000015.00000002.1880894733.000002A329AAE000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
00000024.00000002.2088334568.0000027D803F0000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
00000015.00000002.1897843477.000002A3421CD000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
0000001E.00000002.1610900588.00000131AC3F0000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
00000022.00000002.1789224660.00000248AC1AB000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
00000033.00000002.2089271472.00000187920FC000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
00000022.00000002.1789224660.00000248AC275000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
00000014.00000002.1402227067.00000282B3184000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
00000014.00000002.1402227067.00000282B30E0000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
0000001C.00000002.1571797704.000001DD479D3000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
0000002A.00000002.2174501497.000001EE85B96000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
00000035.00000002.2183736490.000001B35AB70000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
00000024.00000002.2150679963.0000027DEC317000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
0000002A.00000002.2174501497.000001EE85B0D000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
00000015.00000002.1880894733.000002A329F12000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
0000001A.00000002.1568260436.000002069BE0D000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
0000001E.00000002.1622260091.00000131ACD83000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
0000001A.00000002.1574235267.000002069C823000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
00000015.00000002.1878116692.000002A32918E000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
0000001C.00000002.1571797704.000001DD47961000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
0000002D.00000002.1697943618.000001D423841000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
Process Memory Space: rundll32.exe PID: 7132	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
Process Memory Space: rundll32.exe PID: 6328	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
Process Memory Space: rundll32.exe PID: 4300	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
Process Memory Space: AteraAgent.exe PID: 2020	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
Process Memory Space: AteraAgent.exe PID: 720	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
Process Memory Space: rundll32.exe PID: 1860	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
Process Memory Space: AgentPackageAgentInformation.exe PID: 1920	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
Process Memory Space: AgentPackageAgentInformation.exe PID: 1480	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
Process Memory Space: AgentPackageAgentInformation.exe PID: 5572	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
Process Memory Space: AgentPackageAgentInformation.exe PID: 3964	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
Process Memory Space: AgentPackageAgentInformation.exe PID: 3260	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
Process Memory Space: AteraAgent.exe PID: 1020	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
Process Memory Space: cmd.exe PID: 1464	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
Process Memory Space: cscript.exe PID: 2352	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
Process Memory Space: AgentPackageSTRemote.exe PID: 6208	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
Process Memory Space: AgentPackageMonitoring.exe PID: 1100	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
Process Memory Space: AgentPackageAgentInformation.exe PID: 1340	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
Process Memory Space: AgentPackageUpgradeAgent.exe PID: 2864	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
Process Memory Space: cmd.exe PID: 4948	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
Process Memory Space: cscript.exe PID: 5664	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
Click to see the 289 entries

Unpacked PEs

Source	Rule	Description	Author
42.0.AgentPackageSTRemote.exe.1ee85030000.0.unpack	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
28.2.AgentPackageAgentInformation.exe.1dd472c0000.0.unpack	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
45.0.AgentPackageMonitoring.exe.1d422770000.0.unpack	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
53.0.AgentPackageUpgradeAgent.exe.1b35a970000.0.unpack	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
45.2.AgentPackageMonitoring.exe.1d422c10000.1.unpack	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
36.2.AteraAgent.exe.27d802998d8.0.raw.unpack	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
20.0.AteraAgent.exe.282b3040000.0.unpack	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
26.0.AgentPackageAgentInformation.exe.2069bbd0000.0.unpack	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
26.0.AgentPackageAgentInformation.exe.2069bbd0000.0.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
Click to see the 4 entries

Sigma Signatures

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Source: Process started

Author: Michael Haag: Data: Command: cscript "C:\Program Files (x86)\Microsoft Office\Office16\ospp.vbs" /dstatus, CommandLine: cscript "C:\Program Files (x86)\Microsoft Office\Office16\ospp.vbs" /dstatus, CommandLine|base64offset|contains: r+, Image: C:\Windows\System32\cscript.exe, NewProcessName: C:\Windows\System32\cscript.exe, OriginalFileName: C:\Windows\System32\cscript.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /c cscript "C:\Program Files (x86)\Microsoft Office\Office16\ospp.vbs" /dstatus, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 1464, ParentProcessName: cmd.exe, ProcessCommandLine: cscript "C:\Program Files (x86)\Microsoft Office\Office16\ospp.vbs" /dstatus, ProcessId: 2352, ProcessName: cscript.exe

Sigma detected: Net.exe Execution

Source: Process started

Author: Michael Haag, Mark Woan (improvements), James Pemberton / @4A616D6573 / oscd.community (improvements): Data: Command: "NET" STOP AteraAgent, CommandLine: "NET" STOP AteraAgent, CommandLine|base64offset|contains: I3, Image: C:\Windows\SysWOW64\net.exe, NewProcessName: C:\Windows\SysWOW64\net.exe, OriginalFileName: C:\Windows\SysWOW64\net.exe, ParentCommandLine: C:\Windows\syswow64\MsiExec.exe -Embedding FE293C9828EFC6E5D88E7F26AF6615E9 E Global\MSI0000, ParentImage: C:\Windows\SysWOW64\msiexec.exe, ParentProcessId: 2608, ParentProcessName: msiexec.exe, ProcessCommandLine: "NET" STOP AteraAgent, ProcessId: 5932, ProcessName: net.exe

Sigma detected: Stop Windows Service Via Net.EXE

Source: Process started

Author: Jakob Weinzettl, oscd.community, Nasreddine Bencherchali (Nextron Systems): Data: Command: "NET" STOP AteraAgent, CommandLine: "NET" STOP AteraAgent, CommandLine|base64offset|contains: I3, Image: C:\Windows\SysWOW64\net.exe, NewProcessName: C:\Windows\SysWOW64\net.exe, OriginalFileName: C:\Windows\SysWOW64\net.exe, ParentCommandLine: C:\Windows\syswow64\MsiExec.exe -Embedding FE293C9828EFC6E5D88E7F26AF6615E9 E Global\MSI0000, ParentImage: C:\Windows\SysWOW64\msiexec.exe, ParentProcessId: 2608, ParentProcessName: msiexec.exe, ProcessCommandLine: "NET" STOP AteraAgent, ProcessId: 5932, ProcessName: net.exe

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started

Author: vburov: Data: Command: C:\Windows\System32\svchost.exe -k NetworkService -p, CommandLine: C:\Windows\System32\svchost.exe -k NetworkService -p, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 624, ProcessCommandLine: C:\Windows\System32\svchost.exe -k NetworkService -p, ProcessId: 5740, ProcessName: svchost.exe

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for dropped file

Source: 3dfa4c.rbf (copy)	ReversingLabs: Detection: 21%
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	ReversingLabs: Detection: 21%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 96.0% probability

Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe	Code function: 45_2_00007FFB03564BC0 CryptAcquireContextW,GetLastError,CryptReleaseContext,CryptReleaseContext,CryptReleaseContext,	45_2_00007FFB03564BC0
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe	Code function: 45_2_00007FFB03564DE0 CryptReleaseContext,	45_2_00007FFB03564DE0
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe	Code function: 45_2_00007FFB03564E20 CryptCreateHash,GetLastError,CryptHashData,GetLastError,CryptDeriveKey,GetLastError,CryptEncrypt,GetLastError,CryptDecrypt,GetLastError,CryptDestroyKey,CryptDestroyHash,	45_2_00007FFB03564E20

Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\ATERA Networks	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\ATERA Networks\AteraAgent	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\ATERA Networks\AteraAgent\AteraAgent.exe	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\ATERA Networks\AteraAgent\AteraAgent.exe.config	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\ATERA Networks\AteraAgent\BouncyCastle.Crypto.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\ATERA Networks\AteraAgent\ICSharpCode.SharpZipLib.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\ATERA Networks\AteraAgent\Newtonsoft.Json.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\ATERA Networks\AteraAgent\Pubnub.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\ATERA Networks\AteraAgent\System.ValueTuple.dll	Jump to behavior

Source: C:\Windows\System32\msiexec.exe

Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{6B2921FF-79C1-4EBF-81B4-C606D4E5BEF4}

Jump to behavior

Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File created: C:\Windows\system32\InstallUtil.InstallLog
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.InstallLog
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe	File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\ToBeRemoved\AteraAgent.InstallLog

Source:	Binary string: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.pdb source: AgentPackageUpgradeAgent.exe, 00000035.00000002.2182180380.000000AC472F3000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: C:\projects\polly\src\Polly\obj\Release\netstandard1.1\Polly.pdbSHA256 source: AgentPackageMonitoring.exe, 0000002D.00000002.1696379168.000001D422D82000.00000002.00000001.01000000.00000022.sdmp
Source:	Binary string: \mscorlib.pdbpdblib.pdb source: AgentPackageUpgradeAgent.exe, 00000035.00000002.2210125521.000001B373C55000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: E:\A\_work\582\s\bin\obj\ref\System.Net.NetworkInformation\4.1.2.0\System.Net.NetworkInformation.pdb source: System.Net.NetworkInformation.dll.36.dr
Source:	Binary string: D:\a\41\s\AteraNugetPackages\Atera.AgentPackages.ModelsV3\Atera.AgentPackages.ModelsV3\obj\Release\net45\Atera.AgentPackages.ModelsV3.pdbSHA256t source: Atera.AgentPackages.ModelsV3.dll.36.dr
Source:	Binary string: \??\C:\Windows\dll\mscorlib.pdb source: AgentPackageUpgradeAgent.exe, 00000035.00000002.2210125521.000001B373C55000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\s\AlphaControlAgent\obj\Release\AteraAgent.pdb<$ source: AteraAgent.exe, 00000014.00000000.1363107154.00000282B3042000.00000002.00000001.01000000.00000010.sdmp
Source:	Binary string: D:\a\1\s\Atera.AgentPackage.Common\obj\Release\Atera.AgentPackage.Common.pdb source: AgentPackageAgentInformation.exe, 0000001C.00000002.1571157311.000001DD472C2000.00000002.00000001.01000000.0000001A.sdmp, Atera.AgentPackage.Common.dll3.36.dr
Source:	Binary string: E:\A\_work\582\s\bin\obj\ref\System.Resources.Reader\4.0.2.0\System.Resources.Reader.pdb source: System.Resources.Reader.dll.36.dr
Source:	Binary string: D:\a\41\s\AteraNugetPackages\Atera.AgentPackages.ModelsV3\Atera.AgentPackages.ModelsV3\obj\Release\net45\Atera.AgentPackages.ModelsV3.pdb source: Atera.AgentPackages.ModelsV3.dll.36.dr
Source:	Binary string: D:\a\1\s\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent\obj\Release\AgentPackageUpgradeAgent.pdb source: AgentPackageUpgradeAgent.exe, 00000035.00000000.1930927486.000001B35A972000.00000002.00000001.01000000.00000029.sdmp, AgentPackageUpgradeAgent.exe, 00000035.00000002.2210125521.000001B373C55000.00000004.00000020.00020000.00000000.sdmp, AgentPackageUpgradeAgent.exe.36.dr
Source:	Binary string: c:\dev\sqlite\dotnet-private\obj\2012\System.Data.SQLite.2012\Release\System.Data.SQLite.pdbp+ source: AgentPackageMonitoring.exe, 0000002D.00000002.1719872483.000001D43BAF2000.00000002.00000001.01000000.00000024.sdmp
Source:	Binary string: E:\A\_work\582\s\bin\obj\ref\System.Runtime.CompilerServices.VisualC\4.0.2.0\System.Runtime.CompilerServices.VisualC.pdb source: System.Runtime.CompilerServices.VisualC.dll.36.dr
Source:	Binary string: C:\projects\nlog\src\NLog\obj\Release\net45\NLog.pdb source: AgentPackageMonitoring.exe, 0000002D.00000002.1720602037.000001D43BBD2000.00000002.00000001.01000000.00000025.sdmp, NLog.dll.36.dr
Source:	Binary string: D:\a\1\s\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent\obj\Release\AgentPackageUpgradeAgent.pdbdeAgent.pdb source: AgentPackageUpgradeAgent.exe, 00000035.00000002.2182180380.000000AC472F3000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: C:\projects\structuremap\src\StructureMap\obj\Release\net45\StructureMap.pdb source: AgentPackageMonitoring.exe, 0000002D.00000002.1694921612.000001D422C82000.00000002.00000001.01000000.00000020.sdmp
Source:	Binary string: .pdb) source: AgentPackageUpgradeAgent.exe, 00000035.00000002.2182180380.000000AC472F3000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: E:\A\_work\582\s\bin\obj\ref\System.Resources.Reader\4.0.2.0\System.Resources.Reader.pdbl( source: System.Resources.Reader.dll.36.dr
Source:	Binary string: E:\A\_work\582\s\bin\obj\ref\System.Diagnostics.TextWriterTraceListener\4.0.2.0\System.Diagnostics.TextWriterTraceListener.pdb source: System.Diagnostics.TextWriterTraceListener.dll.36.dr
Source:	Binary string: E:\A\_work\156\s\corefx\bin\obj\AnyOS.AnyCPU.Release\System.Buffers\netstandard1.1\System.Buffers.pdbSHA256 source: System.Buffers.dll.21.dr
Source:	Binary string: D:\a\41\s\AteraNugetPackages\Atera.AgentPackages.CommonLib\Atera.AgentPackages.CommonLib\obj\Release\Atera.AgentPackages.CommonLib.pdb'` source: Atera.AgentPackages.CommonLib.dll.36.dr
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdbl source: AgentPackageUpgradeAgent.exe, 00000035.00000002.2210125521.000001B373C55000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\agent\_work\66\s\build\obj\ship\x86\WindowsInstaller\Microsoft.Deployment.WindowsInstaller.pdb source: rundll32.exe, 00000005.00000003.1267628350.00000000048F0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.1288418547.000000000464A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.1331654140.00000000041F4000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000018.00000003.1408439085.0000000004EEA000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: E:\A\_work\582\s\bin\obj\ref\System.Diagnostics.Debug\4.0.11.0\System.Diagnostics.Debug.pdb source: System.Diagnostics.Debug.dll.36.dr
Source:	Binary string: ib.pdb: source: AgentPackageUpgradeAgent.exe, 00000035.00000002.2210125521.000001B373BC0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: AgentPackageUpgradeAgent.exe, 00000035.00000002.2210125521.000001B373C55000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\s\AlphaControlAgent\obj\Release\AteraAgent.pdb source: AteraAgent.exe, 00000014.00000000.1363107154.00000282B3042000.00000002.00000001.01000000.00000010.sdmp
Source:	Binary string: E:\A\_work\39\s\corefx\bin\obj\AnyOS.AnyCPU.Release\System.ValueTuple\netstandard1.0\System.ValueTuple.pdbSHA256 source: AgentPackageUpgradeAgent.exe, 00000035.00000002.2210125521.000001B373C55000.00000004.00000020.00020000.00000000.sdmp, System.ValueTuple.dll.53.dr, System.ValueTuple.dll.36.dr, System.ValueTuple.dll.2.dr
Source:	Binary string: C:\dev\sqlite\dotnet-private\obj\2015\System.Data.SQLite.2015\Release\System.Data.SQLite.pdb source: System.Data.SQLite.dll.36.dr
Source:	Binary string: E:\A\_work\39\s\corefx\bin\obj\AnyOS.AnyCPU.Release\System.Diagnostics.DiagnosticSource\net46\System.Diagnostics.DiagnosticSource.pdb source: System.Diagnostics.DiagnosticSource.dll.36.dr
Source:	Binary string: /_/src/ICSharpCode.SharpZipLib/obj/Release/net45/ICSharpCode.SharpZipLib.pdbSHA256mW source: AteraAgent.exe, 00000015.00000002.1901558159.000002A3428C2000.00000002.00000001.01000000.00000028.sdmp
Source:	Binary string: E:\A\_work\1795\s\corefx\bin/obj/AnyOS.AnyCPU.Release/System.Data.Common/netfx\System.Data.Common.pdb source: System.Data.Common.dll.36.dr
Source:	Binary string: /_/src/ICSharpCode.SharpZipLib/obj/Release/net45/ICSharpCode.SharpZipLib.pdb source: AteraAgent.exe, 00000015.00000002.1901558159.000002A3428C2000.00000002.00000001.01000000.00000028.sdmp
Source:	Binary string: /_/Src/Newtonsoft.Json/obj/Release/net45/Newtonsoft.Json.pdbSHA2567 source: rundll32.exe, 00000005.00000003.1267628350.0000000004921000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.1288418547.000000000467B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.1331654140.0000000004225000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000018.00000003.1408439085.0000000004F1B000.00000004.00000020.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 0000002D.00000002.1721452869.000001D43BCB2000.00000002.00000001.01000000.00000026.sdmp, Newtonsoft.Json.dll.53.dr
Source:	Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdbD source: AgentPackageUpgradeAgent.exe, 00000035.00000002.2210125521.000001B373BC0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\code\dapper-dot-net\Dapper\bin\Release\net45\Dapper.pdb source: AgentPackageMonitoring.exe, 0000002D.00000002.1719646159.000001D43BAB2000.00000002.00000001.01000000.00000023.sdmp
Source:	Binary string: C:\agent\_work\8\s\build\obj\ship\x86\WindowsInstaller\Microsoft.Deployment.WindowsInstaller.pdb source: Microsoft.Deployment.WindowsInstaller.dll.36.dr
Source:	Binary string: E:\A\_work\582\s\bin\obj\ref\System.Net.Security\4.0.2.0\System.Net.Security.pdbTn `*_CorDllMainmscoree.dll source: System.Net.Security.dll.36.dr
Source:	Binary string: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.PDBpy/G source: AgentPackageUpgradeAgent.exe, 00000035.00000002.2182180380.000000AC472F3000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: C:\projects\nlog\src\NLog\obj\Release\net45\NLog.pdbSHA256d source: AgentPackageMonitoring.exe, 0000002D.00000002.1720602037.000001D43BBD2000.00000002.00000001.01000000.00000025.sdmp, NLog.dll.36.dr
Source:	Binary string: E:\A\_work\156\s\corefx\bin\obj\AnyOS.AnyCPU.Release\System.Buffers\netstandard1.1\System.Buffers.pdb source: System.Buffers.dll.21.dr
Source:	Binary string: C:\projects\polly\src\Polly\obj\Release\netstandard1.1\Polly.pdb source: AgentPackageMonitoring.exe, 0000002D.00000002.1696379168.000001D422D82000.00000002.00000001.01000000.00000022.sdmp
Source:	Binary string: D:\a\1\s\AgentPackageAgentInformation\AgentPackageAgentInformation\obj\Release\AgentPackageAgentInformation.pdb source: AgentPackageAgentInformation.exe, 0000001A.00000000.1533103031.000002069BBD2000.00000002.00000001.01000000.00000018.sdmp, AgentPackageAgentInformation.exe.21.dr
Source:	Binary string: D:\a\1\s\AlphaControlAgentInstallation\obj\Release\AlphaControlAgentInstallation.pdb source: rundll32.exe, 00000005.00000003.1267628350.00000000048F0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.1288418547.000000000464A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.1331654140.00000000041F4000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000018.00000003.1408439085.0000000004EEA000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: symbols\exe\AgentPackageUpgradeAgent.pdb source: AgentPackageUpgradeAgent.exe, 00000035.00000002.2182180380.000000AC472F3000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: /_/Src/Newtonsoft.Json/obj/Release/net45/Newtonsoft.Json.pdbSHA256 source: AteraAgent.exe, 00000015.00000002.1880894733.000002A32A056000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000001A.00000002.1571556014.000002069C692000.00000002.00000001.01000000.0000001B.sdmp, AgentPackageSTRemote.exe, 0000002A.00000002.2195827231.000001EE9E170000.00000002.00000001.01000000.00000030.sdmp, Newtonsoft.Json.dll1.36.dr
Source:	Binary string: /_/Src/Newtonsoft.Json/obj/Release/net45/Newtonsoft.Json.pdb source: rundll32.exe, 00000005.00000003.1267628350.0000000004921000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.1288418547.000000000467B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.1331654140.0000000004225000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000015.00000002.1880894733.000002A32A056000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000018.00000003.1408439085.0000000004F1B000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000001A.00000002.1571556014.000002069C692000.00000002.00000001.01000000.0000001B.sdmp, AgentPackageSTRemote.exe, 0000002A.00000002.2195827231.000001EE9E170000.00000002.00000001.01000000.00000030.sdmp, AgentPackageMonitoring.exe, 0000002D.00000002.1721452869.000001D43BCB2000.00000002.00000001.01000000.00000026.sdmp, Newtonsoft.Json.dll1.36.dr, Newtonsoft.Json.dll.53.dr
Source:	Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e source: AgentPackageUpgradeAgent.exe, 00000035.00000002.2209008639.000001B373A42000.00000002.00000001.01000000.00000031.sdmp
Source:	Binary string: E:\A\_work\39\s\corefx\bin\obj\AnyOS.AnyCPU.Release\System.ValueTuple\netstandard1.0\System.ValueTuple.pdb source: AgentPackageUpgradeAgent.exe, 00000035.00000002.2210125521.000001B373C55000.00000004.00000020.00020000.00000000.sdmp, System.ValueTuple.dll.53.dr, System.ValueTuple.dll.36.dr, System.ValueTuple.dll.2.dr
Source:	Binary string: t.pdbpdb source: AteraAgent.exe, 00000024.00000002.2150679963.0000027DEC317000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb source: AgentPackageUpgradeAgent.exe, 00000035.00000002.2209008639.000001B373A42000.00000002.00000001.01000000.00000031.sdmp
Source:	Binary string: D:\a\1\s\AgentPackageMonitoring\AgentPackageMonitoring\obj\Release\AgentPackageMonitoring.pdbr source: AteraAgent.exe, 00000024.00000002.2158613123.0000027DEC6DB000.00000004.00000020.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 0000002D.00000000.1639820961.000001D422772000.00000002.00000001.01000000.0000001D.sdmp
Source:	Binary string: D:\a\1\s\AgentPackageMonitoring\AgentPackageMonitoring\obj\Release\AgentPackageMonitoring.pdb source: AteraAgent.exe, 00000024.00000002.2158613123.0000027DEC6DB000.00000004.00000020.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 0000002D.00000000.1639820961.000001D422772000.00000002.00000001.01000000.0000001D.sdmp
Source:	Binary string: AgentPackageUpgradeAgent.PDB source: AgentPackageUpgradeAgent.exe, 00000035.00000002.2182180380.000000AC472F3000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: C:\agent\_work\66\s\build\ship\x86\wixca.pdb source: SecuriteInfo.com.Program.RemoteAdminNET.1.367.20003.msi, MSI18BE.tmp.2.dr, ateraAgentSetup64_1_8_7_2.msi.53.dr, MSI5003.tmp.2.dr
Source:	Binary string: em.pdb source: AteraAgent.exe, 00000015.00000002.1898386456.000002A342505000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\agent\_work\66\s\build\obj\ship\x86\WindowsInstaller\Microsoft.Deployment.WindowsInstaller.pdbP source: rundll32.exe, 00000005.00000003.1267628350.00000000048F0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.1288418547.000000000464A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.1331654140.00000000041F4000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000018.00000003.1408439085.0000000004EEA000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\projects\structuremap\src\StructureMap\obj\Release\net45\StructureMap.pdbSHA256`{f source: AgentPackageMonitoring.exe, 0000002D.00000002.1694921612.000001D422C82000.00000002.00000001.01000000.00000020.sdmp
Source:	Binary string: E:\A\_work\582\s\bin\obj\ref\System.Linq.Parallel\4.0.1.0\System.Linq.Parallel.pdb source: System.Linq.Parallel.dll.36.dr
Source:	Binary string: D:\a\1\s\Atera.AgentPackage.Common\obj\Release\Atera.AgentPackage.Common.pdbPf source: AgentPackageAgentInformation.exe, 0000001C.00000002.1571157311.000001DD472C2000.00000002.00000001.01000000.0000001A.sdmp, Atera.AgentPackage.Common.dll3.36.dr
Source:	Binary string: C:\agent\_work\8\s\build\obj\ship\x86\WindowsInstaller\Microsoft.Deployment.WindowsInstaller.pdbT source: Microsoft.Deployment.WindowsInstaller.dll.36.dr
Source:	Binary string: D:\a\41\s\AteraNugetPackages\Atera.Utils\Atera.Utils\obj\Release\net45\Atera.Utils.pdbSHA256 source: AteraAgent.exe, 00000024.00000002.2088334568.0000027D802B1000.00000004.00000800.00020000.00000000.sdmp, Atera.Utils.dll.36.dr
Source:	Binary string: E:\A\_work\582\s\bin\obj\ref\System.Net.Security\4.0.2.0\System.Net.Security.pdb source: System.Net.Security.dll.36.dr
Source:	Binary string: PC:\Windows\AgentPackageUpgradeAgent.pdb source: AgentPackageUpgradeAgent.exe, 00000035.00000002.2182180380.000000AC472F3000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\symbols\exe\AgentPackageUpgradeAgent.pdb source: AgentPackageUpgradeAgent.exe, 00000035.00000002.2210125521.000001B373C55000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: pC:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.PDB source: AgentPackageUpgradeAgent.exe, 00000035.00000002.2182180380.000000AC472F3000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: E:\A\_work\582\s\bin\obj\ref\System.IO.FileSystem.Primitives\4.0.3.0\System.IO.FileSystem.Primitives.pdb source: System.IO.FileSystem.Primitives.dll.36.dr
Source:	Binary string: E:\A\_work\582\s\bin\obj\ref\System.Runtime.CompilerServices.VisualC\4.0.2.0\System.Runtime.CompilerServices.VisualC.pdb@Z L*_CorDllMainmscoree.dll source: System.Runtime.CompilerServices.VisualC.dll.36.dr
Source:	Binary string: mscorlib.pdb source: AgentPackageUpgradeAgent.exe, 00000035.00000002.2210125521.000001B373BC0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: E:\A\_work\1795\s\corefx\bin/obj/Windows_NT.AnyCPU.Release/System.Runtime.Serialization.Primitives/netfx\System.Runtime.Serialization.Primitives.pdb source: System.Runtime.Serialization.Primitives.dll.36.dr
Source:	Binary string: /_/CommunityToolkit.WinUI.Notifications/obj/Release/net461/CommunityToolkit.WinUI.Notifications.pdbSHA2564 source: CommunityToolkit.WinUI.Notifications.dll.36.dr
Source:	Binary string: C:\dev\sqlite\dotnet-private\bin\2012\x64\ReleaseNativeOnlyStatic\SQLite.Interop.pdb source: AgentPackageMonitoring.exe, 0000002D.00000002.1736042091.00007FFB036AA000.00000002.00000001.01000000.0000001E.sdmp
Source:	Binary string: D:\a\c-sharp\c-sharp\src\Api\PubnubApi\obj\Release\net45\Pubnub.pdbSHA256 source: AteraAgent.exe, 00000014.00000002.1404516323.00000282CD602000.00000002.00000001.01000000.00000012.sdmp, Pubnub.dll0.2.dr
Source:	Binary string: C:\Windows\AgentPackageUpgradeAgent.pdbpdbent.pdb source: AgentPackageUpgradeAgent.exe, 00000035.00000002.2210125521.000001B373C55000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\41\s\AteraNugetPackages\Atera.Utils\Atera.Utils\obj\Release\net45\Atera.Utils.pdb source: AteraAgent.exe, 00000024.00000002.2088334568.0000027D802B1000.00000004.00000800.00020000.00000000.sdmp, Atera.Utils.dll.36.dr
Source:	Binary string: D:\a\c-sharp\c-sharp\src\Api\PubnubApi\obj\Release\net45\Pubnub.pdb source: AteraAgent.exe, 00000014.00000002.1404516323.00000282CD602000.00000002.00000001.01000000.00000012.sdmp, Pubnub.dll0.2.dr
Source:	Binary string: E:\A\_work\156\s\corefx\bin\obj\AnyOS.AnyCPU.Release\System.Memory\netstandard1.1\System.Memory.pdb source: AteraAgent.exe, 00000024.00000002.2088334568.0000027D80299000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: c:\dev\sqlite\dotnet-private\obj\2012\System.Data.SQLite.2012\Release\System.Data.SQLite.pdb source: AgentPackageMonitoring.exe, 0000002D.00000002.1719872483.000001D43BAF2000.00000002.00000001.01000000.00000024.sdmp
Source:	Binary string: E:\A\_work\582\s\bin\obj\ref\System.Net.WebSockets\4.0.2.0\System.Net.WebSockets.pdb source: System.Net.WebSockets.dll.36.dr
Source:	Binary string: C:\agent\_work\66\s\build\ship\x86\SfxCA.pdb source: SecuriteInfo.com.Program.RemoteAdminNET.1.367.20003.msi, MSI1FA3.tmp.2.dr, ateraAgentSetup64_1_8_7_2.msi.53.dr
Source:	Binary string: E:\A\_work\582\s\bin\obj\ref\System.Net.Ping\4.0.2.0\System.Net.Ping.pdb source: System.Net.Ping.dll.36.dr
Source:	Binary string: \??\C:\Windows\exe\AgentPackageUpgradeAgent.pdb source: AgentPackageUpgradeAgent.exe, 00000035.00000002.2210125521.000001B373C55000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: /_/CommunityToolkit.WinUI.Notifications/obj/Release/net461/CommunityToolkit.WinUI.Notifications.pdb source: CommunityToolkit.WinUI.Notifications.dll.36.dr
Source:	Binary string: E:\A\_work\156\s\corefx\bin\obj\AnyOS.AnyCPU.Release\System.Memory\netstandard1.1\System.Memory.pdbSHA256 source: AteraAgent.exe, 00000024.00000002.2088334568.0000027D80299000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: D:\a\41\s\AteraNugetPackages\Atera.AgentPackages.CommonLib\Atera.AgentPackages.CommonLib\obj\Release\Atera.AgentPackages.CommonLib.pdb source: Atera.AgentPackages.CommonLib.dll.36.dr

Source: C:\Windows\System32\msiexec.exe	File opened: z:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: x:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: v:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: t:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: r:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: p:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: n:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: l:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: j:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: h:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: f:	Jump to behavior
Source: C:\Windows\System32\svchost.exe	File opened: d:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: b:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: y:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: w:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: u:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: s:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: q:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: o:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: m:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: k:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: i:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: g:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: e:	Jump to behavior
Source: C:\Windows\System32\cscript.exe	File opened: c:
Source: C:\Windows\System32\msiexec.exe	File opened: a:	Jump to behavior

Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocServer32
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocServer32
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer32
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Elevation
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocServer32
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocServer32

Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe	File opened: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\helpers\functions\Get-CheckSumValid.ps1
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe	File opened: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\helpers\functions\Format-FileSize.ps1
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe	File opened: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\helpers\functions\Get-EnvironmentVariableNames.ps1
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe	File opened: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\helpers\functions\Get-EnvironmentVariable.ps1
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe	File opened: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\helpers\functions\Get-ChocolateyUnzip.ps1
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe	File opened: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\helpers\functions\Get-ChocolateyWebFile.ps1

Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Code function: 4x nop then jmp 00007FFAAC751FFFh	20_2_00007FFAAC751FAC
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Code function: 4x nop then jmp 00007FFAAC751873h	20_2_00007FFAAC75172D
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Code function: 4x nop then jmp 00007FFAAC751A44h	20_2_00007FFAAC751A2F
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Code function: 4x nop then jmp 00007FFAAC784ECBh	21_2_00007FFAAC784C41
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Code function: 4x nop then jmp 00007FFAAC79B972h	21_2_00007FFAAC79B5E7
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Code function: 4x nop then jmp 00007FFAAC781FFFh	21_2_00007FFAAC781EB6
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Code function: 4x nop then jmp 00007FFAAC784ECBh	21_2_00007FFAAC784DC8
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Code function: 4x nop then jmp 00007FFAAC79B972h	21_2_00007FFAAC79B620
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Code function: 4x nop then jmp 00007FFAAC781873h	21_2_00007FFAAC780C58
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Code function: 4x nop then jmp 00007FFAAC781A44h	21_2_00007FFAAC780C58
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Code function: 4x nop then jmp 00007FFAAC781FFFh	21_2_00007FFAAC780C58
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Code function: 4x nop then jmp 00007FFAAC78227Bh	21_2_00007FFAAC780C58
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Code function: 4x nop then jmp 00007FFAAC79BDF2h	36_2_00007FFAAC79BB9E
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Code function: 4x nop then jmp 00007FFAAC784ECBh	36_2_00007FFAAC784C41
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Code function: 4x nop then jmp 00007FFAAC781FFFh	36_2_00007FFAAC781EB6
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Code function: 4x nop then jmp 00007FFAAC784ECBh	36_2_00007FFAAC784DC8
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Code function: 4x nop then jmp 00007FFAAC9A4859h	36_2_00007FFAAC9A46E0
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Code function: 4x nop then jmp 00007FFAAC9A2EE0h	36_2_00007FFAAC9A2C39
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Code function: 4x nop then jmp 00007FFAAC9B18D0h	36_2_00007FFAAC9B1632
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Code function: 4x nop then dec eax	36_2_00007FFAAC9A1FB5
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Code function: 4x nop then jmp 00007FFAAC781873h	36_2_00007FFAAC780C58
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Code function: 4x nop then jmp 00007FFAAC781A44h	36_2_00007FFAAC780C58
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Code function: 4x nop then jmp 00007FFAAC781FFFh	36_2_00007FFAAC780C58
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Code function: 4x nop then jmp 00007FFAAC78227Bh	36_2_00007FFAAC780C58

Networking

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\SysWOW64\rundll32.exe

Network Connect: 40.119.152.241 443

Yara detected Generic Downloader

Source: Yara match	File source: 26.0.AgentPackageAgentInformation.exe.2069bbd0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\netstandard.dll, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\Atera.Utils.dll, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\TicketingPackageExtensions.dll, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Atera.Utils.dll, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\chocolatey.dll, type: DROPPED

Source: AteraAgent.exe, 00000024.00000002.2088334568.0000027D80232000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: HTTPS://PS.ATERA.COM/AGENTPACKAGESNET45/AGENT.PACKAGE.WATCHDOG/1.5/AGENT.PACKAGE.WATCHDOG.ZIP
Source: AteraAgent.exe, 00000024.00000002.2088334568.0000027D80102000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: HTTPS://PS.ATERA.COM/AGENTPACKAGESNET45/AGENTPACKAGEADREMOTE/6.0/AGENTPACKAGEADREMOTE.ZIP
Source: AteraAgent.exe, 00000024.00000002.2088334568.0000027D80102000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: HTTPS://PS.ATERA.COM/AGENTPACKAGESNET45/AGENTPACKAGEMARKETPLACE/1.6/AGENTPACKAGEMARKETPLACE.ZIP
Source: AteraAgent.exe, 00000015.00000002.1880894733.000002A329C7F000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000015.00000002.1880894733.000002A32A0BC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: HTTPS://PS.ATERA.COM/AGENTPACKAGESNET45/AGENTPACKAGEMONITORING/36.9/AGENTPACKAGEMONITORING.ZIP
Source: AteraAgent.exe, 00000024.00000002.2088334568.0000027D80102000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: HTTPS://PS.ATERA.COM/AGENTPACKAGESNET45/AGENTPACKAGEOSUPDATES/19.4/AGENTPACKAGEOSUPDATES.ZIP
Source: AteraAgent.exe, 00000024.00000002.2088334568.0000027D80102000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: HTTPS://PS.ATERA.COM/AGENTPACKAGESNET45/AGENTPACKAGEPROGRAMMANAGEMENT/24.9/AGENTPACKAGEPROGRAMMANAGE
Source: AteraAgent.exe, 00000024.00000002.2088334568.0000027D80102000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: HTTPS://PS.ATERA.COM/AGENTPACKAGESNET45/AGENTPACKAGERUNTIMEINSTALLER/1.6/AGENTPACKAGERUNTIMEINSTALLE
Source: AteraAgent.exe, 00000015.00000002.1880894733.000002A329F68000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: HTTPS://PS.ATERA.COM/AGENTPACKAGESNET45/AGENTPACKAGESTREMOTE/23.4/AGENTPACKAGESTREMOTE.ZIP
Source: AteraAgent.exe, 00000024.00000002.2088334568.0000027D80102000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: HTTPS://PS.ATERA.COM/AGENTPACKAGESNET45/AGENTPACKAGESYSTEMTOOLS/26.8/AGENTPACKAGESYSTEMTOOLS.ZIP
Source: AgentPackageSTRemote.exe, 0000002A.00000002.2174501497.000001EE85AE7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://a6dc35606b2c6816e.awsglobalaccelerator.com
Source: AteraAgent.exe, 00000014.00000000.1363107154.00000282B3042000.00000002.00000001.01000000.00000010.sdmp, AteraAgent.exe, 00000015.00000002.1880894733.000002A329A41000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000024.00000002.2088334568.0000027D80001000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://acontrol.atera.com/
Source: rundll32.exe, 00000008.00000002.1327694824.0000000004865000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000015.00000002.1880894733.000002A329F68000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000015.00000002.1880894733.000002A32A027000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000015.00000002.1880894733.000002A329E50000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000015.00000002.1880894733.000002A329DE5000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000015.00000002.1880894733.000002A32A0BC000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000015.00000002.1880894733.000002A329F12000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000018.00000002.1468699862.0000000005255000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000001A.00000002.1574235267.000002069C8CF000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000001C.00000002.1571797704.000001DD47A8F000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000001E.00000002.1622260091.00000131ACE2F000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000022.00000002.1790807938.00000248ACBD1000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000022.00000002.1790807938.00000248ACC61000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000022.00000002.1790807938.00000248ACC0C000.00000004.00000800.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 0000002D.00000002.1697943618.000001D423810000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000033.00000002.2095306627.0000018792DEF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://agent-api.atera.com
Source: AteraAgent.exe, 00000015.00000002.1880894733.000002A32A0BC000.00000004.00000800.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 0000002D.00000002.1697943618.000001D423810000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://agentapigateway-us.centralus.cloudapp.azure.com
Source: rundll32.exe, 00000008.00000002.1327694824.0000000004865000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000015.00000002.1880894733.000002A329F68000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000015.00000002.1880894733.000002A32A027000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000015.00000002.1880894733.000002A329E50000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000015.00000002.1880894733.000002A329DE5000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000015.00000002.1880894733.000002A329F12000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000018.00000002.1468699862.0000000005255000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000001A.00000002.1574235267.000002069C8CF000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000001C.00000002.1571797704.000001DD47A8F000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000001E.00000002.1622260091.00000131ACE2F000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000022.00000002.1790807938.00000248ACBD1000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000022.00000002.1790807938.00000248ACC61000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000022.00000002.1790807938.00000248ACC0C000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000033.00000002.2095306627.0000018792DEF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://atera-agent-api-eu.westeurope.cloudapp.azure.com
Source: AgentPackageUpgradeAgent.exe, 00000035.00000002.2190884933.000001B35B397000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://blob.ams08prdstr06a.store.core.windows.net
Source: AgentPackageAgentInformation.exe, 0000001A.00000002.1582163267.00000206B4EEF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.
Source: AteraAgent.exe, 00000015.00000002.1898386456.000002A342524000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCe
Source: rundll32.exe, 00000005.00000003.1267628350.0000000004921000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.1288418547.000000000467B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.1331654140.0000000004225000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000018.00000003.1408439085.0000000004F1B000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Program.RemoteAdminNET.1.367.20003.msi, MSI18BE.tmp.2.dr, ateraAgentSetup64_1_8_7_2.msi.53.dr, MSI5003.tmp.2.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: rundll32.exe, 00000005.00000003.1267628350.0000000004921000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.1288418547.000000000467B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.1331654140.0000000004225000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000015.00000002.1880894733.000002A329CD3000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000015.00000002.1900170957.000002A3425F7000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000015.00000002.1880894733.000002A32A056000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000018.00000003.1408439085.0000000004F1B000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000024.00000002.2150679963.0000027DEC26C000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000024.00000002.2088334568.0000027D80299000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000024.00000002.2158613123.0000027DEC6DB000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000024.00000002.2158613123.0000027DEC6B9000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000024.00000002.2088334568.0000027D80819000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000024.00000002.2088334568.0000027D802B1000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000024.00000002.2088334568.0000027D803D9000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000024.00000002.2155555456.0000027DEC617000.00000004.00000020.00020000.00000000.sdmp, AgentPackageUpgradeAgent.exe, 00000035.00000002.2210125521.000001B373C55000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Program.RemoteAdminNET.1.367.20003.msi, CommunityToolkit.WinUI.Notifications.dll.36.dr, Pubnub.dll0.2.dr, Microsoft.Deployment.WindowsInstaller.dll.36.dr, System.Diagnostics.DiagnosticSource.dll.36.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: rundll32.exe, 00000005.00000003.1267628350.0000000004921000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.1288418547.000000000467B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.1331654140.0000000004225000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000018.00000003.1408439085.0000000004F1B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertCSRSA4096RootG5.crt0E
Source: rundll32.exe, 00000005.00000003.1267628350.0000000004921000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.1288418547.000000000467B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.1331654140.0000000004225000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000018.00000003.1408439085.0000000004F1B000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Program.RemoteAdminNET.1.367.20003.msi, MSI18BE.tmp.2.dr, ateraAgentSetup64_1_8_7_2.msi.53.dr, MSI5003.tmp.2.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: AteraAgent.exe, 00000024.00000002.2088334568.0000027D804D7000.00000004.00000800.00020000.00000000.sdmp, C56C4404C4DEF0DC88E5FCD9F09CB2F10.21.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt
Source: AteraAgent.exe, 00000014.00000002.1404068454.00000282CD518000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000014.00000002.1403578923.00000282B4E99000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000014.00000002.1404068454.00000282CD56E000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000014.00000002.1404068454.00000282CD4D7000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000015.00000002.1897843477.000002A3421F7000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000015.00000002.1900170957.000002A342590000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000015.00000002.1898386456.000002A34254E000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000015.00000002.1898386456.000002A342563000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000015.00000002.1898386456.000002A342524000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000015.00000002.1880894733.000002A32A1A6000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000015.00000002.1880894733.000002A329CD3000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000015.00000002.1900170957.000002A3425F7000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000015.00000002.1880894733.000002A32A056000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000024.00000002.2088334568.0000027D80539000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000024.00000002.2088334568.0000027D80299000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000024.00000002.2158613123.0000027DEC6DB000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000024.00000002.2158613123.0000027DEC6B9000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000024.00000002.2088334568.0000027D80819000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000024.00000002.2088334568.0000027D802B1000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000024.00000002.2088334568.0000027D80545000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000024.00000002.2088334568.0000027D80321000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: rundll32.exe, 00000005.00000003.1267628350.0000000004921000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.1288418547.000000000467B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.1331654140.0000000004225000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000014.00000002.1404068454.00000282CD4D7000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000015.00000002.1880894733.000002A329CD3000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000015.00000002.1900170957.000002A3425F7000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000015.00000002.1880894733.000002A32A056000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000018.00000003.1408439085.0000000004F1B000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000024.00000002.2088334568.0000027D80299000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000024.00000002.2158613123.0000027DEC6DB000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000024.00000002.2158613123.0000027DEC6B9000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000024.00000002.2088334568.0000027D80819000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000024.00000002.2088334568.0000027D802B1000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000024.00000002.2088334568.0000027D803D9000.00000004.00000800.00020000.00000000.sdmp, AgentPackageSTRemote.exe, 0000002A.00000002.2174501497.000001EE85B85000.00000004.00000800.00020000.00000000.sdmp, AgentPackageSTRemote.exe, 0000002A.00000002.2174501497.000001EE85B05000.00000004.00000800.00020000.00000000.sdmp, AgentPackageUpgradeAgent.exe, 00000035.00000002.2190884933.000001B35B3BD000.00000004.00000800.00020000.00000000.sdmp, AgentPackageUpgradeAgent.exe, 00000035.00000002.2190884933.000001B35B3B9000.00000004.00000800.00020000.00000000.sdmp, AgentPackageUpgradeAgent.exe, 00000035.00000002.2210125521.000001B373C55000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Program.RemoteAdminNET.1.367.20003.msi, CommunityToolkit.WinUI.Notifications.dll.36.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: rundll32.exe, 00000005.00000003.1267628350.0000000004921000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.1288418547.000000000467B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.1331654140.0000000004225000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000015.00000002.1897843477.000002A3421F7000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000015.00000002.1898386456.000002A342524000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000015.00000002.1880894733.000002A329CD3000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000015.00000002.1896332173.000002A342100000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000015.00000002.1900170957.000002A3425F7000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000015.00000002.1898386456.000002A342505000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000015.00000002.1880894733.000002A32A056000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000018.00000003.1408439085.0000000004F1B000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000001A.00000002.1582163267.00000206B4ECB000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000001C.00000002.1577296513.000001DD60208000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000001E.00000002.1619271430.00000131ACBC0000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000022.00000002.1802242322.00000248C5385000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000024.00000002.2088334568.0000027D80299000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000024.00000002.2150679963.0000027DEC291000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000024.00000002.2158613123.0000027DEC6DB000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000024.00000002.2158613123.0000027DEC6B9000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000024.00000002.2088334568.0000027D80819000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000024.00000002.2088334568.0000027D802B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: rundll32.exe, 00000005.00000003.1267628350.0000000004921000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.1288418547.000000000467B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.1331654140.0000000004225000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000018.00000003.1408439085.0000000004F1B000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Program.RemoteAdminNET.1.367.20003.msi, MSI18BE.tmp.2.dr, ateraAgentSetup64_1_8_7_2.msi.53.dr, MSI5003.tmp.2.dr	String found in binary or memory: http://cacerts.digicert.com/NETFoundationProjectsCodeSigningCA.crt0
Source: rundll32.exe, 00000005.00000003.1267628350.0000000004921000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.1288418547.000000000467B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.1331654140.0000000004225000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000018.00000003.1408439085.0000000004F1B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/NETFoundationProjectsCodeSigningCA2.crt0
Source: AteraAgent.exe, 00000015.00000002.1898386456.000002A342524000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digl
Source: rundll32.exe, 00000008.00000003.1326647180.00000000072CC000.00000004.00000020.00020000.00000000.sdmp, AgentPackageUpgradeAgent.exe, 00000035.00000002.2210125521.000001B373C55000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.micros
Source: AteraAgent.exe, 00000015.00000002.1898386456.000002A342524000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digice
Source: rundll32.exe, 00000005.00000003.1267628350.0000000004921000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.1288418547.000000000467B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.1331654140.0000000004225000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000015.00000002.1880894733.000002A329CD3000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000015.00000002.1900170957.000002A3425F7000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000015.00000002.1880894733.000002A32A056000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000018.00000003.1408439085.0000000004F1B000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000024.00000002.2150679963.0000027DEC26C000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000024.00000002.2088334568.0000027D80299000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000024.00000002.2158613123.0000027DEC6DB000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000024.00000002.2158613123.0000027DEC6B9000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000024.00000002.2088334568.0000027D80819000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000024.00000002.2088334568.0000027D802B1000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000024.00000002.2088334568.0000027D803D9000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000024.00000002.2155555456.0000027DEC617000.00000004.00000020.00020000.00000000.sdmp, AgentPackageUpgradeAgent.exe, 00000035.00000002.2210125521.000001B373C55000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Program.RemoteAdminNET.1.367.20003.msi, CommunityToolkit.WinUI.Notifications.dll.36.dr, Pubnub.dll0.2.dr, Microsoft.Deployment.WindowsInstaller.dll.36.dr, System.Diagnostics.DiagnosticSource.dll.36.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: rundll32.exe, 00000005.00000003.1267628350.0000000004921000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.1288418547.000000000467B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.1331654140.0000000004225000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000018.00000003.1408439085.0000000004F1B000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Program.RemoteAdminNET.1.367.20003.msi, MSI18BE.tmp.2.dr, ateraAgentSetup64_1_8_7_2.msi.53.dr, MSI5003.tmp.2.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: rundll32.exe, 00000005.00000003.1267628350.0000000004921000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.1288418547.000000000467B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.1331654140.0000000004225000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000018.00000003.1408439085.0000000004F1B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertCSRSA4096RootG5.crl0
Source: rundll32.exe, 00000005.00000003.1267628350.0000000004921000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.1288418547.000000000467B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.1331654140.0000000004225000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000018.00000003.1408439085.0000000004F1B000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Program.RemoteAdminNET.1.367.20003.msi, MSI18BE.tmp.2.dr, ateraAgentSetup64_1_8_7_2.msi.53.dr, MSI5003.tmp.2.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0=
Source: AteraAgent.exe, 00000014.00000002.1404068454.00000282CD545000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000014.00000002.1404068454.00000282CD490000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000014.00000002.1404068454.00000282CD575000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000014.00000002.1402227067.00000282B3184000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl
Source: AteraAgent.exe, 00000014.00000002.1404068454.00000282CD518000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000014.00000002.1403578923.00000282B4E99000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000014.00000002.1404068454.00000282CD56E000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000014.00000002.1404068454.00000282CD4D7000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000015.00000002.1880894733.000002A329FBD000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000015.00000002.1880894733.000002A32A141000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000015.00000002.1897843477.000002A3421F7000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000015.00000002.1880894733.000002A329CF6000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000015.00000002.1880894733.000002A329DBE000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000015.00000002.1898386456.000002A34254E000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000015.00000002.1898386456.000002A342563000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000015.00000002.1898386456.000002A342524000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000015.00000002.1880894733.000002A32A1A6000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000015.00000002.1880894733.000002A329E50000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000015.00000002.1880894733.000002A329CD3000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000015.00000002.1900170957.000002A3425F7000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000015.00000002.1880894733.000002A32A056000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000015.00000002.1880894733.000002A329F12000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000024.00000002.2088334568.0000027D80539000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000024.00000002.2088334568.0000027D80299000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000024.00000002.2158613123.0000027DEC6DB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: AteraAgent.exe, 00000014.00000002.1404068454.00000282CD490000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl8
Source: rundll32.exe, 00000005.00000003.1267628350.0000000004921000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.1288418547.000000000467B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.1331654140.0000000004225000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000014.00000002.1404068454.00000282CD4D7000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000015.00000002.1880894733.000002A329CD3000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000015.00000002.1900170957.000002A3425F7000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000015.00000002.1880894733.000002A32A056000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000018.00000003.1408439085.0000000004F1B000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000024.00000002.2088334568.0000027D80299000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000024.00000002.2158613123.0000027DEC6DB000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000024.00000002.2158613123.0000027DEC6B9000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000024.00000002.2088334568.0000027D80819000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000024.00000002.2088334568.0000027D802B1000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000024.00000002.2088334568.0000027D803D9000.00000004.00000800.00020000.00000000.sdmp, AgentPackageSTRemote.exe, 0000002A.00000002.2174501497.000001EE85B85000.00000004.00000800.00020000.00000000.sdmp, AgentPackageSTRemote.exe, 0000002A.00000002.2174501497.000001EE85B05000.00000004.00000800.00020000.00000000.sdmp, AgentPackageUpgradeAgent.exe, 00000035.00000002.2190884933.000001B35B3BD000.00000004.00000800.00020000.00000000.sdmp, AgentPackageUpgradeAgent.exe, 00000035.00000002.2190884933.000001B35B3B9000.00000004.00000800.00020000.00000000.sdmp, AgentPackageUpgradeAgent.exe, 00000035.00000002.2210125521.000001B373C55000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Program.RemoteAdminNET.1.367.20003.msi, CommunityToolkit.WinUI.Notifications.dll.36.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: AteraAgent.exe, 00000014.00000002.1404068454.00000282CD518000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000014.00000002.1404747077.00000282CD7FC000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000014.00000002.1404068454.00000282CD575000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl
Source: System.Diagnostics.TextWriterTraceListener.dll.36.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: AteraAgent.exe, 00000014.00000002.1404068454.00000282CD490000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crlL
Source: rundll32.exe, 00000005.00000003.1267628350.0000000004921000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.1288418547.000000000467B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.1331654140.0000000004225000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000018.00000003.1408439085.0000000004F1B000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Program.RemoteAdminNET.1.367.20003.msi, MSI18BE.tmp.2.dr, ateraAgentSetup64_1_8_7_2.msi.53.dr, MSI5003.tmp.2.dr	String found in binary or memory: http://crl3.digicert.com/NETFoundationProjectsCodeSigningCA.crl0E
Source: rundll32.exe, 00000005.00000003.1267628350.0000000004921000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.1288418547.000000000467B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.1331654140.0000000004225000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000018.00000003.1408439085.0000000004F1B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/NETFoundationProjectsCodeSigningCA2.crl0F
Source: AteraAgent.exe, 00000014.00000002.1404068454.00000282CD518000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/l
Source: rundll32.exe, 00000005.00000003.1267628350.0000000004921000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.1288418547.000000000467B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.1331654140.0000000004225000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000018.00000003.1408439085.0000000004F1B000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Program.RemoteAdminNET.1.367.20003.msi, MSI18BE.tmp.2.dr, ateraAgentSetup64_1_8_7_2.msi.53.dr, MSI5003.tmp.2.dr	String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: AteraAgent.exe, 00000014.00000002.1404068454.00000282CD575000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com:80/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crlE773A8FDE8938C81DD40
Source: AteraAgent.exe, 00000014.00000002.1404068454.00000282CD575000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com:80/DigiCertTrustedRootG4.crlLtd
Source: AteraAgent.exe, 00000014.00000002.1404068454.00000282CD4D7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/
Source: rundll32.exe, 00000005.00000003.1267628350.0000000004921000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.1288418547.000000000467B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.1331654140.0000000004225000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000018.00000003.1408439085.0000000004F1B000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Program.RemoteAdminNET.1.367.20003.msi, MSI18BE.tmp.2.dr, ateraAgentSetup64_1_8_7_2.msi.53.dr, MSI5003.tmp.2.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: AteraAgent.exe, 00000014.00000002.1404068454.00000282CD575000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000015.00000002.1880894733.000002A329FBD000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000015.00000002.1880894733.000002A32A141000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000015.00000002.1880894733.000002A329CF6000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000015.00000002.1880894733.000002A329DBE000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000015.00000002.1880894733.000002A329E50000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000015.00000002.1880894733.000002A329F12000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000024.00000002.2088334568.0000027D80726000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000024.00000002.2088334568.0000027D8058E000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000024.00000002.2088334568.0000027D804D7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl
Source: AteraAgent.exe, 00000014.00000002.1404068454.00000282CD518000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000014.00000002.1403578923.00000282B4E99000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000014.00000002.1404068454.00000282CD56E000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000014.00000002.1404068454.00000282CD4D7000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000015.00000002.1897843477.000002A3421F7000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000015.00000002.1900170957.000002A342590000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000015.00000002.1898386456.000002A34254E000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000015.00000002.1898386456.000002A342563000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000015.00000002.1898386456.000002A342524000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000015.00000002.1880894733.000002A32A1A6000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000015.00000002.1880894733.000002A329CD3000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000015.00000002.1900170957.000002A3425F7000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000015.00000002.1880894733.000002A32A056000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000024.00000002.2088334568.0000027D80539000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000024.00000002.2088334568.0000027D80299000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000024.00000002.2158613123.0000027DEC6DB000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000024.00000002.2158613123.0000027DEC6B9000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000024.00000002.2088334568.0000027D80819000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000024.00000002.2088334568.0000027D802B1000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000024.00000002.2088334568.0000027D80545000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000024.00000002.2088334568.0000027D80321000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: AteraAgent.exe, 00000014.00000002.1404068454.00000282CD490000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000014.00000002.1404068454.00000282CD575000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crlBJv
Source: rundll32.exe, 00000005.00000003.1267628350.0000000004921000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.1288418547.000000000467B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.1331654140.0000000004225000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000018.00000003.1408439085.0000000004F1B000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Program.RemoteAdminNET.1.367.20003.msi, MSI18BE.tmp.2.dr, ateraAgentSetup64_1_8_7_2.msi.53.dr, MSI5003.tmp.2.dr	String found in binary or memory: http://crl4.digicert.com/NETFoundationProjectsCodeSigningCA.crl0L
Source: rundll32.exe, 00000005.00000003.1267628350.0000000004921000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.1288418547.000000000467B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.1331654140.0000000004225000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000018.00000003.1408439085.0000000004F1B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/NETFoundationProjectsCodeSigningCA2.crl0=
Source: rundll32.exe, 00000005.00000003.1267628350.0000000004921000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.1288418547.000000000467B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.1331654140.0000000004225000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000018.00000003.1408439085.0000000004F1B000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Program.RemoteAdminNET.1.367.20003.msi, MSI18BE.tmp.2.dr, ateraAgentSetup64_1_8_7_2.msi.53.dr, MSI5003.tmp.2.dr	String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: AteraAgent.exe, 00000014.00000002.1404068454.00000282CD575000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com:80/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl
Source: AteraAgent.exe, 00000015.00000002.1898386456.000002A342563000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
Source: AteraAgent.exe, 00000015.00000002.1896332173.000002A342148000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000015.00000002.1898386456.000002A3424DB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: AteraAgent.exe, 00000015.00000002.1878116692.000002A32918E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab
Source: AteraAgent.exe, 00000015.00000002.1896332173.000002A3421CA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab(
Source: AteraAgent.exe, 00000015.00000002.1896332173.000002A342148000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?bfc690b
Source: AgentPackageSTRemote.exe, 0000002A.00000002.2174501497.000001EE85B29000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://d17kmd0va0f0mp.cloudfront.net
Source: AteraAgent.exe, 00000015.00000002.1880894733.000002A329FBD000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000015.00000002.1880894733.000002A32A0BC000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000024.00000002.2088334568.0000027D807EB000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000024.00000002.2088334568.0000027D804E5000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000024.00000002.2088334568.0000027D8051E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://d25btwd9wax8gu.cloudfront.net
Source: AgentPackageAgentInformation.exe, 0000001A.00000000.1533103031.000002069BBD2000.00000002.00000001.01000000.00000018.sdmp, AgentPackageAgentInformation.exe.21.dr	String found in binary or memory: http://dl.google.com/googletalk/googletalk-setup.exe
Source: AgentPackageSTRemote.exe, 0000002A.00000002.2174501497.000001EE85B29000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://download.splashtop.com
Source: Newtonsoft.Json.dll.53.dr	String found in binary or memory: http://james.newtonking.com/projects/json
Source: AgentPackageSTRemote.exe, 0000002A.00000002.2174501497.000001EE85AE7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://my.splashtop.com
Source: AgentPackageMonitoring.exe, 0000002D.00000002.1720602037.000001D43BBD2000.00000002.00000001.01000000.00000025.sdmp, NLog.dll.36.dr	String found in binary or memory: http://nlog-project.org/dummynamespace/
Source: NLog.dll.36.dr	String found in binary or memory: http://nlog-project.org/ws/
Source: AgentPackageMonitoring.exe, 0000002D.00000002.1720602037.000001D43BBD2000.00000002.00000001.01000000.00000025.sdmp, NLog.dll.36.dr	String found in binary or memory: http://nlog-project.org/ws/3
Source: AgentPackageMonitoring.exe, 0000002D.00000002.1720602037.000001D43BBD2000.00000002.00000001.01000000.00000025.sdmp, NLog.dll.36.dr	String found in binary or memory: http://nlog-project.org/ws/5
Source: AgentPackageMonitoring.exe, 0000002D.00000002.1720602037.000001D43BBD2000.00000002.00000001.01000000.00000025.sdmp, NLog.dll.36.dr	String found in binary or memory: http://nlog-project.org/ws/ILogReceiverOneWayServer/ProcessLogMessages
Source: AgentPackageMonitoring.exe, 0000002D.00000002.1720602037.000001D43BBD2000.00000002.00000001.01000000.00000025.sdmp, NLog.dll.36.dr	String found in binary or memory: http://nlog-project.org/ws/ILogReceiverServer/ProcessLogMessagesResponsep
Source: AgentPackageMonitoring.exe, 0000002D.00000002.1720602037.000001D43BBD2000.00000002.00000001.01000000.00000025.sdmp, NLog.dll.36.dr	String found in binary or memory: http://nlog-project.org/ws/ILogReceiverServer/ProcessLogMessagesT
Source: AgentPackageMonitoring.exe, 0000002D.00000002.1720602037.000001D43BBD2000.00000002.00000001.01000000.00000025.sdmp, NLog.dll.36.dr	String found in binary or memory: http://nlog-project.org/ws/T
Source: AteraAgent.exe, 00000024.00000002.2155555456.0000027DEC66C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com
Source: AteraAgent.exe, 00000024.00000002.2155555456.0000027DEC66C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com-v
Source: AteraAgent.exe, 00000014.00000002.1404068454.00000282CD518000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com/
Source: AteraAgent.exe, 00000014.00000002.1404747077.00000282CD823000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000014.00000002.1404747077.00000282CD7E0000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000014.00000002.1404068454.00000282CD490000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000014.00000002.1402227067.00000282B3184000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSRXerF0eFeSWRripTgTkcJWMm7iQQUaDfg67Y7%2BF8Rh
Source: AteraAgent.exe, 00000014.00000002.1404068454.00000282CD490000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000014.00000002.1402227067.00000282B3184000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfIs%2BLjDtGwQ09XEB1Yeq%2BtX%2BBgQQU7NfjgtJxX
Source: AteraAgent.exe, 00000014.00000002.1404068454.00000282CD518000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000014.00000002.1403578923.00000282B4E99000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000014.00000002.1404068454.00000282CD56E000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000014.00000002.1404068454.00000282CD4D7000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000015.00000002.1880894733.000002A329FBD000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000015.00000002.1880894733.000002A32A141000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000015.00000002.1897843477.000002A3421F7000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000015.00000002.1900170957.000002A342590000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000015.00000002.1880894733.000002A329CF6000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000015.00000002.1880894733.000002A329DBE000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000015.00000002.1898386456.000002A34254E000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000015.00000002.1898386456.000002A342563000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000015.00000002.1898386456.000002A342524000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000015.00000002.1880894733.000002A32A1A6000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000015.00000002.1880894733.000002A329E50000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000015.00000002.1880894733.000002A329CD3000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000015.00000002.1900170957.000002A3425F7000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000015.00000002.1880894733.000002A32A056000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000015.00000002.1880894733.000002A329F12000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000024.00000002.2088334568.0000027D80539000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000024.00000002.2088334568.0000027D80299000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: rundll32.exe, 00000005.00000003.1267628350.0000000004921000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.1288418547.000000000467B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.1331654140.0000000004225000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000015.00000002.1897843477.000002A3421F7000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000015.00000002.1898386456.000002A342524000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000015.00000002.1880894733.000002A329CD3000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000015.00000002.1896332173.000002A342100000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000015.00000002.1900170957.000002A3425F7000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000015.00000002.1898386456.000002A342505000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000015.00000002.1880894733.000002A32A056000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000018.00000003.1408439085.0000000004F1B000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000001A.00000002.1582163267.00000206B4EEF000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000001A.00000002.1582163267.00000206B4ECB000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000001C.00000002.1577296513.000001DD60208000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000001E.00000002.1619271430.00000131ACBC0000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000022.00000002.1802242322.00000248C5385000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000024.00000002.2088334568.0000027D80299000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000024.00000002.2150679963.0000027DEC291000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000024.00000002.2158613123.0000027DEC6DB000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000024.00000002.2158613123.0000027DEC6B9000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000024.00000002.2088334568.0000027D80819000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0A
Source: rundll32.exe, 00000005.00000003.1267628350.0000000004921000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.1288418547.000000000467B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.1331654140.0000000004225000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000015.00000002.1880894733.000002A329CD3000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000015.00000002.1900170957.000002A3425F7000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000015.00000002.1880894733.000002A32A056000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000018.00000003.1408439085.0000000004F1B000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000024.00000002.2150679963.0000027DEC26C000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000024.00000002.2088334568.0000027D80299000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000024.00000002.2158613123.0000027DEC6DB000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000024.00000002.2158613123.0000027DEC6B9000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000024.00000002.2088334568.0000027D80819000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000024.00000002.2088334568.0000027D802B1000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000024.00000002.2088334568.0000027D803D9000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000024.00000002.2155555456.0000027DEC617000.00000004.00000020.00020000.00000000.sdmp, AgentPackageUpgradeAgent.exe, 00000035.00000002.2210125521.000001B373C55000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Program.RemoteAdminNET.1.367.20003.msi, CommunityToolkit.WinUI.Notifications.dll.36.dr, Pubnub.dll0.2.dr, Microsoft.Deployment.WindowsInstaller.dll.36.dr, System.Diagnostics.DiagnosticSource.dll.36.dr	String found in binary or memory: http://ocsp.digicert.com0C
Source: rundll32.exe, 00000005.00000003.1267628350.0000000004921000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.1288418547.000000000467B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.1331654140.0000000004225000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000018.00000003.1408439085.0000000004F1B000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Program.RemoteAdminNET.1.367.20003.msi, MSI18BE.tmp.2.dr, ateraAgentSetup64_1_8_7_2.msi.53.dr, MSI5003.tmp.2.dr	String found in binary or memory: http://ocsp.digicert.com0K
Source: rundll32.exe, 00000005.00000003.1267628350.0000000004921000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.1288418547.000000000467B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.1331654140.0000000004225000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000018.00000003.1408439085.0000000004F1B000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Program.RemoteAdminNET.1.367.20003.msi, MSI18BE.tmp.2.dr, ateraAgentSetup64_1_8_7_2.msi.53.dr, MSI5003.tmp.2.dr	String found in binary or memory: http://ocsp.digicert.com0N
Source: rundll32.exe, 00000005.00000003.1267628350.0000000004921000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.1288418547.000000000467B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.1331654140.0000000004225000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000018.00000003.1408439085.0000000004F1B000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Program.RemoteAdminNET.1.367.20003.msi, MSI18BE.tmp.2.dr, ateraAgentSetup64_1_8_7_2.msi.53.dr, MSI5003.tmp.2.dr	String found in binary or memory: http://ocsp.digicert.com0O
Source: rundll32.exe, 00000005.00000003.1267628350.0000000004921000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.1288418547.000000000467B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.1331654140.0000000004225000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000014.00000002.1404068454.00000282CD4D7000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000015.00000002.1880894733.000002A329CD3000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000015.00000002.1900170957.000002A3425F7000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000015.00000002.1880894733.000002A32A056000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000018.00000003.1408439085.0000000004F1B000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000024.00000002.2088334568.0000027D80299000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000024.00000002.2158613123.0000027DEC6DB000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000024.00000002.2158613123.0000027DEC6B9000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000024.00000002.2088334568.0000027D80819000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000024.00000002.2088334568.0000027D802B1000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000024.00000002.2088334568.0000027D803D9000.00000004.00000800.00020000.00000000.sdmp, AgentPackageSTRemote.exe, 0000002A.00000002.2174501497.000001EE85B85000.00000004.00000800.00020000.00000000.sdmp, AgentPackageSTRemote.exe, 0000002A.00000002.2174501497.000001EE85B05000.00000004.00000800.00020000.00000000.sdmp, AgentPackageUpgradeAgent.exe, 00000035.00000002.2190884933.000001B35B3BD000.00000004.00000800.00020000.00000000.sdmp, AgentPackageUpgradeAgent.exe, 00000035.00000002.2190884933.000001B35B3B9000.00000004.00000800.00020000.00000000.sdmp, AgentPackageUpgradeAgent.exe, 00000035.00000002.2210125521.000001B373C55000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Program.RemoteAdminNET.1.367.20003.msi, CommunityToolkit.WinUI.Notifications.dll.36.dr	String found in binary or memory: http://ocsp.digicert.com0X
Source: AteraAgent.exe, 00000015.00000002.1896332173.000002A342148000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com1.3.6.1.5.5.7.48.2http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRS
Source: AteraAgent.exe, 00000014.00000002.1404068454.00000282CD518000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com:80/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSRXerF0eFeSWRripTgTkcJWMm7iQQUaDfg67Y7%2BF
Source: AteraAgent.exe, 00000024.00000002.2155555456.0000027DEC66C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.comUv
Source: AteraAgent.exe, 00000014.00000002.1404068454.00000282CD4FC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/DigiCertAssuredIDRootCA.crl
Source: AteraAgent.exe, 00000015.00000002.1898386456.000002A3424C0000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000024.00000002.2150679963.0000027DEC26C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.cr
Source: AteraAgent.exe, 00000015.00000002.1898386456.000002A342505000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/DigiCertTrustedRootG4.crl
Source: AteraAgent.exe, 00000024.00000002.2155555456.0000027DEC66C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/DigiCertTrustedRootG4.crl7
Source: AteraAgent.exe, 00000024.00000002.2155555456.0000027DEC66C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.comwvC
Source: AteraAgent.exe, 00000024.00000002.2155555456.0000027DEC66C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.comxvD
Source: AgentPackageUpgradeAgent.exe, 00000035.00000002.2190884933.000001B35B397000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://packagesstore.blob.core.windows.net
Source: AteraAgent.exe, 00000015.00000002.1880894733.000002A329F68000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000015.00000002.1880894733.000002A329FBD000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000015.00000002.1880894733.000002A32A0BC000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000024.00000002.2088334568.0000027D807EB000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000024.00000002.2088334568.0000027D804E5000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000024.00000002.2088334568.0000027D80819000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000024.00000002.2088334568.0000027D804E1000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000024.00000002.2088334568.0000027D8051E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ps.atera.com
Source: AteraAgent.exe, 00000015.00000002.1880894733.000002A32A0BC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ps.atera.comO
Source: AteraAgent.exe, 00000015.00000002.1880894733.000002A329F68000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000015.00000002.1880894733.000002A32A130000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000015.00000002.1880894733.000002A329E50000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ps.pndsn.com
Source: AteraAgent.exe, 00000014.00000002.1403578923.00000282B4E99000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.datacontract.org
Source: AteraAgent.exe, 00000014.00000002.1403578923.00000282B4E99000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.datacontract.org/2004/07/
Source: AteraAgent.exe, 00000014.00000002.1403578923.00000282B4E99000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.datacontract.org/2004/07/System.ServiceProcess
Source: AgentPackageMonitoring.exe, 0000002D.00000002.1720602037.000001D43BBD2000.00000002.00000001.01000000.00000025.sdmp, NLog.dll.36.dr	String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
Source: rundll32.exe, 00000008.00000002.1327694824.0000000004844000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000008.00000002.1327694824.00000000047A1000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000015.00000002.1880894733.000002A329A41000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000018.00000002.1468699862.0000000005234000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000018.00000002.1468699862.0000000005191000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000001A.00000002.1574235267.000002069C85F000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000001C.00000002.1571797704.000001DD479E3000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000001E.00000002.1622260091.00000131ACDBF000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000022.00000002.1790807938.00000248ACC3F000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000022.00000002.1790807938.00000248ACA11000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000024.00000002.2088334568.0000027D80001000.00000004.00000800.00020000.00000000.sdmp, AgentPackageSTRemote.exe, 0000002A.00000002.2174501497.000001EE85A08000.00000004.00000800.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 0000002D.00000002.1697943618.000001D42338D000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000033.00000002.2095306627.0000018792DAD000.00000004.00000800.00020000.00000000.sdmp, AgentPackageUpgradeAgent.exe, 00000035.00000002.2190884933.000001B35B261000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: svchost.exe, 0000000B.00000002.2503661287.000001FCAC287000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.2504747776.000001FCACB02000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://standards.iso.org/iso/19770/-2/2009/schema.xsd
Source: rundll32.exe, 00000005.00000003.1267628350.0000000004921000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.1288418547.000000000467B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.1331654140.0000000004225000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000018.00000003.1408439085.0000000004F1B000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Program.RemoteAdminNET.1.367.20003.msi, MSI18BE.tmp.2.dr, ateraAgentSetup64_1_8_7_2.msi.53.dr, MSI5003.tmp.2.dr	String found in binary or memory: http://wixtoolset.org
Source: rundll32.exe, 00000005.00000003.1267628350.00000000048F0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.1288418547.000000000464A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.1331654140.00000000041F4000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000018.00000003.1408439085.0000000004EEA000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Deployment.WindowsInstaller.dll.36.dr	String found in binary or memory: http://wixtoolset.org/Whttp://wixtoolset.org/telemetry/v
Source: rundll32.exe, 00000005.00000003.1267628350.00000000048F0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.1288418547.000000000464A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.1331654140.00000000041F4000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000018.00000003.1408439085.0000000004EEA000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Deployment.WindowsInstaller.dll.36.dr	String found in binary or memory: http://wixtoolset.org/news/
Source: rundll32.exe, 00000005.00000003.1267628350.00000000048F0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.1288418547.000000000464A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.1331654140.00000000041F4000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000018.00000003.1408439085.0000000004EEA000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Deployment.WindowsInstaller.dll.36.dr	String found in binary or memory: http://wixtoolset.org/releases/
Source: AgentPackageMonitoring.exe, 0000002D.00000002.1695880267.000001D422D32000.00000002.00000001.01000000.00000021.sdmp	String found in binary or memory: http://www.abit.com.tw/
Source: svchost.exe, 00000003.00000002.1365778651.000001ACC0413000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.bingmapsportal.com
Source: AteraAgent.exe, 00000015.00000002.1880894733.000002A329FBD000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000015.00000002.1880894733.000002A32A141000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000015.00000002.1880894733.000002A329CF6000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000015.00000002.1880894733.000002A329DBE000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000015.00000002.1880894733.000002A329E50000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000015.00000002.1880894733.000002A329F12000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000024.00000002.2088334568.0000027D80726000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000024.00000002.2088334568.0000027D8058E000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000024.00000002.2088334568.0000027D804D7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.digicert.com/CPS
Source: rundll32.exe, 00000005.00000003.1267628350.0000000004921000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.1288418547.000000000467B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.1331654140.0000000004225000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000014.00000002.1404068454.00000282CD518000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000014.00000002.1403578923.00000282B4E99000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000014.00000002.1404068454.00000282CD56E000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000014.00000002.1404068454.00000282CD4D7000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000015.00000002.1897843477.000002A3421F7000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000015.00000002.1898386456.000002A34254E000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000015.00000002.1898386456.000002A342563000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000015.00000002.1898386456.000002A342524000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000015.00000002.1880894733.000002A32A1A6000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000015.00000002.1880894733.000002A329CD3000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000015.00000002.1900170957.000002A3425F7000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000015.00000002.1880894733.000002A32A056000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000018.00000003.1408439085.0000000004F1B000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000024.00000002.2088334568.0000027D80539000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000024.00000002.2088334568.0000027D80299000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000024.00000002.2158613123.0000027DEC6DB000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000024.00000002.2158613123.0000027DEC6B9000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000024.00000002.2088334568.0000027D80819000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.digicert.com/CPS0
Source: AteraAgent.exe, 00000015.00000002.1880894733.000002A329CF6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.digicert.com/CPSO
Source: AgentPackageUpgradeAgent.exe, 00000035.00000002.2210125521.000001B373C55000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.microsoft.cq
Source: AteraAgent.exe, 00000014.00000002.1403578923.00000282B4E99000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.w3.o
Source: AteraAgent.exe, 00000014.00000002.1403578923.00000282B4E99000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.w3.oh
Source: AteraAgent.exe, 00000015.00000002.1880894733.000002A329F68000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000022.00000002.1790807938.00000248ACC3F000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000022.00000002.1790807938.00000248ACC86000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://agent-api.P
Source: AteraAgent.exe, 00000015.00000002.1880894733.000002A329DDF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://agent-api.PR
Source: rundll32.exe, 00000008.00000002.1327694824.0000000004844000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000018.00000002.1468699862.0000000005234000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://agent-api.aterD
Source: rundll32.exe, 00000005.00000003.1267628350.00000000048F0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000002.1327694824.0000000004844000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000008.00000002.1327694824.00000000047A1000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.1288418547.000000000464A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.1331654140.00000000041F4000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000015.00000002.1880894733.000002A329A41000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000018.00000002.1468699862.0000000005234000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000018.00000002.1468699862.0000000005191000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000018.00000003.1408439085.0000000004EEA000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000001A.00000002.1574235267.000002069C85F000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000001C.00000002.1571797704.000001DD479E3000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000001E.00000002.1622260091.00000131ACDBF000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000022.00000002.1790807938.00000248ACBD1000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000022.00000002.1790807938.00000248ACC3F000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000022.00000002.1790807938.00000248ACC0C000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000022.00000002.1790807938.00000248ACA11000.00000004.00000800.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 0000002D.00000002.1697943618.000001D423803000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000033.00000002.2095306627.0000018792DAD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://agent-api.atera.com
Source: rundll32.exe, 00000005.00000003.1267628350.00000000048F0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000002.1327694824.0000000004844000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000008.00000002.1327694824.00000000047A1000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.1288418547.000000000464A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.1331654140.00000000041F4000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000018.00000002.1468699862.0000000005234000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000018.00000002.1468699862.0000000005191000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000018.00000003.1408439085.0000000004EEA000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000001E.00000002.1619271430.00000131ACBC0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://agent-api.atera.com/
Source: AgentPackageAgentInformation.exe, 00000022.00000002.1790807938.00000248ACC86000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://agent-api.atera.com/PrhP
Source: AgentPackageAgentInformation.exe, 0000001A.00000002.1574235267.000002069C85F000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000001C.00000002.1571797704.000001DD479E3000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000001E.00000002.1622260091.00000131ACDBF000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000022.00000002.1790807938.00000248ACBD1000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000022.00000002.1790807938.00000248ACC0C000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000033.00000002.2095306627.0000018792DAD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://agent-api.atera.com/Production
Source: rundll32.exe, 00000005.00000003.1267628350.00000000048F0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000002.1327694824.0000000004844000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000008.00000002.1327694824.00000000047A1000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.1288418547.000000000464A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.1331654140.00000000041F4000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000015.00000002.1880894733.000002A329F68000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000015.00000002.1880894733.000002A329E50000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000015.00000002.1880894733.000002A32A0BC000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000015.00000002.1880894733.000002A329F12000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000018.00000002.1468699862.0000000005234000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000018.00000002.1468699862.0000000005191000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000018.00000003.1408439085.0000000004EEA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://agent-api.atera.com/Production/Agent/
Source: AteraAgent.exe, 00000015.00000002.1880894733.000002A329F68000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000015.00000002.1880894733.000002A329E50000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000015.00000002.1880894733.000002A32A0BC000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000015.00000002.1880894733.000002A329F12000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://agent-api.atera.com/Production/Agent/Acknowl
Source: AteraAgent.exe, 00000015.00000002.1880894733.000002A329C7F000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000015.00000002.1880894733.000002A329F68000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000015.00000002.1880894733.000002A329C08000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000015.00000002.1880894733.000002A329E50000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000015.00000002.1880894733.000002A32A0BC000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000015.00000002.1880894733.000002A329F12000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://agent-api.atera.com/Production/Agent/AcknowledgeCommands
Source: AteraAgent.exe, 00000015.00000002.1880894733.000002A329DDF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://agent-api.atera.com/Production/Agent/Age
Source: AteraAgent.exe, 00000015.00000002.1880894733.000002A329AC8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://agent-api.atera.com/Production/Agent/AgentStarting
Source: AgentPackageAgentInformation.exe, 0000001A.00000002.1574235267.000002069C85F000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000001C.00000002.1571797704.000001DD479E3000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000001E.00000002.1622260091.00000131ACDBF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://agent-api.atera.com/Production/Agent/CommandResult
Source: AteraAgent.exe, 00000015.00000002.1880894733.000002A329A41000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://agent-api.atera.com/Production/Agent/GetEnvironmentStatus
Source: AteraAgent.exe, 00000015.00000002.1880894733.000002A329B29000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://agent-api.atera.com/Production/Agent/GetRecurringPackages
Source: AgentPackageAgentInformation.exe, 00000022.00000002.1790807938.00000248ACC3F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://agent-api.atera.com/Production/Agent/dynamic-fields/
Source: AgentPackageAgentInformation.exe, 00000022.00000002.1790807938.00000248ACC3F000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000022.00000002.1790807938.00000248ACA11000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://agent-api.atera.com/Production/Agent/dynamic-fields/script-based
Source: AgentPackageAgentInformation.exe, 00000022.00000002.1790807938.00000248ACC86000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://agent-api.atera.com/Production/Agent/guiComm
Source: AgentPackageAgentInformation.exe, 00000022.00000002.1790807938.00000248ACC86000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000022.00000002.1790807938.00000248ACAA3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://agent-api.atera.com/Production/Agent/guiCommandResult
Source: AgentPackageAgentInformation.exe, 00000022.00000002.1790807938.00000248ACBD1000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000022.00000002.1790807938.00000248ACC0C000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000033.00000002.2095306627.0000018792DAD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://agent-api.atera.com/Production/Agent/recurringCommandResult
Source: AgentPackageMonitoring.exe, 0000002D.00000002.1697943618.000001D42338D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://agent-api.atera.com/Production/Agent/thresholds/66902f0e-5571-47c0-8de5-86038d3e7b35
Source: rundll32.exe, 00000008.00000002.1327694824.0000000004844000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000008.00000002.1327694824.00000000047A1000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000018.00000002.1468699862.0000000005234000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000018.00000002.1468699862.0000000005191000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://agent-api.atera.com/Production/Agent/track-event
Source: rundll32.exe, 00000008.00000002.1327694824.0000000004886000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000018.00000002.1468699862.0000000005276000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://agent-api.atera.com/Production/Agent/track-event;
Source: AteraAgent.exe, 00000015.00000002.1880894733.000002A329F68000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000015.00000002.1880894733.000002A329F12000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://agent-api.atera.comO
Source: AteraAgent.exe, 00000015.00000002.1880894733.000002A329E50000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000015.00000002.1880894733.000002A32A0BC000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000015.00000002.1880894733.000002A329F12000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://agent-api.atera.comh
Source: svchost.exe, 00000003.00000002.1365937440.000001ACC0458000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1365229631.000001ACC0457000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://appexmapsappupdate.blob.core.windows.net
Source: svchost.exe, 00000003.00000002.1365937440.000001ACC0458000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1365229631.000001ACC0457000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/V1/MapControlConfiguration/native/
Source: svchost.exe, 00000003.00000003.1364967037.000001ACC0462000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/Imagery/Copyright/
Source: svchost.exe, 00000003.00000002.1365937440.000001ACC0458000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1365229631.000001ACC0457000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/Locations
Source: svchost.exe, 00000003.00000002.1366064915.000001ACC0468000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1364947300.000001ACC0467000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/Routes/
Source: svchost.exe, 00000003.00000002.1366229085.000001ACC0481000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/Transit/Stops/
Source: svchost.exe, 00000003.00000002.1365937440.000001ACC0458000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1365229631.000001ACC0457000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.ditu.live.com/mapcontrol/logging.ashx
Source: svchost.exe, 00000003.00000002.1366029607.000001ACC0463000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.1365868750.000001ACC043F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1365160170.000001ACC045A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1364967037.000001ACC0462000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Imagery/Copyright/
Source: svchost.exe, 00000003.00000002.1365937440.000001ACC0458000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1365229631.000001ACC0457000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Locations
Source: svchost.exe, 00000003.00000002.1365812001.000001ACC042B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.1366064915.000001ACC0468000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1364947300.000001ACC0467000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/
Source: svchost.exe, 00000003.00000002.1365937440.000001ACC0458000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1365229631.000001ACC0457000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Driving
Source: svchost.exe, 00000003.00000002.1365937440.000001ACC0458000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1365229631.000001ACC0457000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Transit
Source: svchost.exe, 00000003.00000002.1365937440.000001ACC0458000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1365229631.000001ACC0457000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Walking
Source: svchost.exe, 00000003.00000002.1366029607.000001ACC0463000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.1365868750.000001ACC043F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1364967037.000001ACC0462000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Traffic/Incidents/
Source: svchost.exe, 00000003.00000002.1365868750.000001ACC043F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Transit/Schedules/
Source: svchost.exe, 00000003.00000002.1365937440.000001ACC0458000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1365229631.000001ACC0457000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/mapcontrol/logging.ashx
Source: svchost.exe, 00000003.00000002.1366029607.000001ACC0463000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1364967037.000001ACC0462000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log?
Source: AgentPackageSTRemote.exe, 0000002A.00000002.2174501497.000001EE85B0D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://download.splashtop.com
Source: AgentPackageSTRemote.exe, 0000002A.00000002.2174501497.000001EE85B09000.00000004.00000800.00020000.00000000.sdmp, AgentPackageSTRemote.exe, 0000002A.00000002.2174501497.000001EE85AE7000.00000004.00000800.00020000.00000000.sdmp, AgentPackageSTRemote.exe, 0000002A.00000002.2174501497.000001EE85B0D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://download.splashtop.com/csrs/Splashtop_Streamer_Win_DEPLOY_INSTALLER_v3.7.2.0.exe
Source: svchost.exe, 00000003.00000003.1365179336.000001ACC0449000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r=
Source: svchost.exe, 00000003.00000002.1365868750.000001ACC043F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdi?pv=1&r=
Source: svchost.exe, 00000003.00000002.1366029607.000001ACC0463000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1364967037.000001ACC0462000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r=
Source: svchost.exe, 00000003.00000003.1365203560.000001ACC0443000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.1365895662.000001ACC0444000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gri?pv=1&r=
Source: svchost.exe, 00000003.00000003.1365179336.000001ACC0449000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dynamic.t
Source: svchost.exe, 00000003.00000002.1365937440.000001ACC0458000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1365229631.000001ACC0457000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dynamic.t0.tiles.ditu.live.com/comp/gen.ashx
Source: svchost.exe, 00000003.00000002.1365812001.000001ACC042B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.1366064915.000001ACC0468000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1364947300.000001ACC0467000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/
Source: CommunityToolkit.WinUI.Notifications.dll.36.dr	String found in binary or memory: https://github.com/CommunityToolkit/WindowsCommunityToolkit
Source: CommunityToolkit.WinUI.Notifications.dll.36.dr	String found in binary or memory: https://github.com/CommunityToolkit/WindowsCommunityToolkitP
Source: rundll32.exe, 00000005.00000003.1267628350.0000000004921000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.1288418547.000000000467B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.1331654140.0000000004225000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000015.00000002.1880894733.000002A32A056000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000018.00000003.1408439085.0000000004F1B000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000001A.00000002.1571556014.000002069C692000.00000002.00000001.01000000.0000001B.sdmp, AgentPackageSTRemote.exe, 0000002A.00000002.2195827231.000001EE9E170000.00000002.00000001.01000000.00000030.sdmp, AgentPackageMonitoring.exe, 0000002D.00000002.1721452869.000001D43BCB2000.00000002.00000001.01000000.00000026.sdmp, Newtonsoft.Json.dll1.36.dr, Newtonsoft.Json.dll.53.dr	String found in binary or memory: https://github.com/JamesNK/Newtonsoft.Json
Source: AgentPackageUpgradeAgent.exe, 00000035.00000002.2210125521.000001B373C55000.00000004.00000020.00020000.00000000.sdmp, System.Diagnostics.DiagnosticSource.dll.36.dr, System.ValueTuple.dll.53.dr, System.ValueTuple.dll.36.dr, System.ValueTuple.dll.2.dr	String found in binary or memory: https://github.com/dotnet/corefx/tree/30ab651fcb4354552bd4891619a0bdd81e0ebdbf
Source: AgentPackageUpgradeAgent.exe, 00000035.00000002.2210125521.000001B373C55000.00000004.00000020.00020000.00000000.sdmp, System.Diagnostics.DiagnosticSource.dll.36.dr, System.ValueTuple.dll.53.dr, System.ValueTuple.dll.36.dr, System.ValueTuple.dll.2.dr	String found in binary or memory: https://github.com/dotnet/corefx/tree/30ab651fcb4354552bd4891619a0bdd81e0ebdbf8
Source: AteraAgent.exe, 00000024.00000002.2088334568.0000027D80299000.00000004.00000800.00020000.00000000.sdmp, System.Buffers.dll.21.dr	String found in binary or memory: https://github.com/dotnet/corefx/tree/7601f4f6225089ffb291dc7d58293c7bbf5c5d4f
Source: AteraAgent.exe, 00000024.00000002.2088334568.0000027D80299000.00000004.00000800.00020000.00000000.sdmp, System.Buffers.dll.21.dr	String found in binary or memory: https://github.com/dotnet/corefx/tree/7601f4f6225089ffb291dc7d58293c7bbf5c5d4f8
Source: AteraAgent.exe, 00000015.00000002.1901558159.000002A3428C2000.00000002.00000001.01000000.00000028.sdmp	String found in binary or memory: https://github.com/icsharpcode/SharpZipLib
Source: AgentPackageSTRemote.exe, 0000002A.00000002.2174501497.000001EE85AE2000.00000004.00000800.00020000.00000000.sdmp, AgentPackageSTRemote.exe, 0000002A.00000002.2174501497.000001EE85A08000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://my.splashtop.com
Source: AgentPackageSTRemote.exe, 0000002A.00000000.1610870120.000001EE85032000.00000002.00000001.01000000.0000001C.sdmp	String found in binary or memory: https://my.splashtop.com/csrs/win
Source: NLog.dll.36.dr	String found in binary or memory: https://nlog-project.org/
Source: AgentPackageUpgradeAgent.exe, 00000035.00000002.2190884933.000001B35B377000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://packagesstore.blob.core.windows.net
Source: AgentPackageUpgradeAgent.exe, 00000035.00000000.1930927486.000001B35A972000.00000002.00000001.01000000.00000029.sdmp, AgentPackageUpgradeAgent.exe.36.dr	String found in binary or memory: https://packagesstore.blob.core.windows.net/installers/Agents/Mac/
Source: AteraAgent.exe, 00000024.00000002.2158613123.0000027DEC6DB000.00000004.00000020.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 0000002D.00000000.1639820961.000001D422772000.00000002.00000001.01000000.0000001D.sdmp	String found in binary or memory: https://packagesstore.blob.core.windows.net/installers/BitDefender/rmm.zip
Source: AgentPackageUpgradeAgent.exe, 00000035.00000000.1930927486.000001B35A972000.00000002.00000001.01000000.00000029.sdmp, AgentPackageUpgradeAgent.exe, 00000035.00000002.2190884933.000001B35B377000.00000004.00000800.00020000.00000000.sdmp, AgentPackageUpgradeAgent.exe.36.dr	String found in binary or memory: https://packagesstore.blob.core.windows.net/installers/Fabric
Source: AgentPackageUpgradeAgent.exe, 00000035.00000002.2190884933.000001B35B377000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://packagesstore.blob.core.windows.net/installers/Fabric/MSI/1.8.7.2/Setupx64.msi
Source: AgentPackageUpgradeAgent.exe, 00000035.00000000.1930927486.000001B35A972000.00000002.00000001.01000000.00000029.sdmp, AgentPackageUpgradeAgent.exe.36.dr	String found in binary or memory: https://packagesstore.blob.core.windows.net/installers/Fabric/MacAgent/1.0/AteraAgentInstaller.pkgA/
Source: AgentPackageUpgradeAgent.exe, 00000035.00000000.1930927486.000001B35A972000.00000002.00000001.01000000.00000029.sdmp, AgentPackageUpgradeAgent.exe.36.dr	String found in binary or memory: https://packagesstore.blob.core.windows.net/installers/Fabric5Get
Source: AteraAgent.exe, 00000024.00000002.2088334568.0000027D807EB000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000024.00000002.2088334568.0000027D804E5000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000024.00000002.2088334568.0000027D804E1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.ateH
Source: AteraAgent.exe, 00000024.00000002.2088334568.0000027D804E5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.ateHH
Source: AteraAgent.exe, 00000024.00000002.2088334568.0000027D804E5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.ateHR;
Source: AteraAgent.exe, 00000024.00000002.2088334568.0000027D804E5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.ateHhh
Source: AteraAgent.exe, 00000015.00000002.1880894733.000002A329C7F000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000015.00000002.1880894733.000002A329F68000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000015.00000002.1880894733.000002A329B82000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000024.00000002.2088334568.0000027D80102000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000024.00000002.2088334568.0000027D804E5000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000024.00000002.2088334568.0000027D802B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.atera.com
Source: AteraAgent.exe, 00000015.00000002.1880894733.000002A32A056000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.atera.com/a
Source: AteraAgent.exe, 00000015.00000002.1880894733.000002A32A056000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.atera.com/ag
Source: AteraAgent.exe, 00000015.00000002.1880894733.000002A329E0C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.atera.com/agentpackagescrossplatform/AgentPackageAgentInformation/1.12/AgentPackage
Source: AteraAgent.exe, 00000015.00000002.1880894733.000002A329E0C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.atera.com/agentpackagescrossplatform/AgentPackageAgentInformation/1.12/AgentPackageA
Source: AteraAgent.exe, 00000015.00000002.1880894733.000002A329C08000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.atera.com/agentpackagescrossplatform/AgentPackageAgentInformation/1.12/AgentPackageAO
Source: AteraAgent.exe, 00000015.00000002.1880894733.000002A329F12000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.atera.com/agentpackagescrossplatform/AgentPackageAgentInformation/1.12/AgentPackageAgentI
Source: AteraAgent.exe, 00000015.00000002.1880894733.000002A32A056000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.atera.com/agentpackagescrossplatform/AgentPackageMonitoring/0.40/AgentPackageMonitoring.z
Source: AteraAgent.exe, 00000015.00000002.1880894733.000002A329F12000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.atera.com/agentpackagescrossplatform/AgentPackageSTRemote/2.3/AgentPackageSTRemote.zip
Source: AteraAgent.exe, 00000015.00000002.1880894733.000002A329EA8000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000015.00000002.1880894733.000002A329F12000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.atera.com/agentpackagescrossplatform/AgentPackageSTRemote/2.3/AgentPackageSTRemote.ziph
Source: AteraAgent.exe, 00000015.00000002.1880894733.000002A329CF6000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000015.00000002.1880894733.000002A329B21000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.atera.com/agentpackagesmac/Agent.Package.Availability/0.16/Agent.Package.Availability.zip
Source: AteraAgent.exe, 00000015.00000002.1880894733.000002A329CF6000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000015.00000002.1880894733.000002A329B21000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000024.00000002.2088334568.0000027D800CD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.atera.com/agentpackagesmac/Agent.Package.IotPoc/0.2/Agent.Package.IotPoc.zip
Source: AteraAgent.exe, 00000015.00000002.1880894733.000002A329CF6000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000015.00000002.1880894733.000002A329B21000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.atera.com/agentpackagesmac/Agent.Package.Watchdog/1.5/Agent.Package.Watchdog.zip
Source: AteraAgent.exe, 00000015.00000002.1880894733.000002A329CF6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.atera.com/agentpackagesmac/AgentPackageADRemote/6.0/AgentPackageADRemote.zip
Source: AteraAgent.exe, 00000015.00000002.1880894733.000002A329F12000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.atera.com/agentpackagesmac/AgentPackageAgentInformation/37.7/AgentPackageAgentInformation
Source: AteraAgent.exe, 00000015.00000002.1880894733.000002A329CF6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.atera.com/agentpackagesmac/AgentPackageHeartbeat/17.11/AgentPackageHeartbeat.zip
Source: AteraAgent.exe, 00000015.00000002.1880894733.000002A329CF6000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000015.00000002.1880894733.000002A329B82000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.atera.com/agentpackagesmac/AgentPackageInternalPoller/13.0/AgentPackageInternalPoller.zip
Source: AteraAgent.exe, 00000015.00000002.1880894733.000002A329CF6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.atera.com/agentpackagesmac/AgentPackageMarketplace/1.6/AgentPackageMarketplace.zip
Source: AteraAgent.exe, 00000015.00000002.1880894733.000002A32A056000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.atera.com/agentpackagesmac/AgentPackageMonitoring/36.9/AgentPackageMonitoring.zip
Source: AteraAgent.exe, 00000015.00000002.1880894733.000002A32A056000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.atera.com/agentpackagesmac/AgentPackageMonitoring/36.9/AgentPackageMonitoring.ziph
Source: AteraAgent.exe, 00000015.00000002.1880894733.000002A329CF6000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000015.00000002.1880894733.000002A329B21000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000024.00000002.2088334568.0000027D800CD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.atera.com/agentpackagesmac/AgentPackageNetworkDiscovery/13.0/AgentPackageNetworkDiscovery
Source: AteraAgent.exe, 00000015.00000002.1880894733.000002A329CF6000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000015.00000002.1880894733.000002A329B82000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.atera.com/agentpackagesmac/AgentPackageOsUpdates/19.4/AgentPackageOsUpdates.zip
Source: AteraAgent.exe, 00000015.00000002.1880894733.000002A329CF6000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000015.00000002.1880894733.000002A329B82000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.atera.com/agentpackagesmac/AgentPackageProgramManagement/24.9/AgentPackageProgramManageme
Source: AteraAgent.exe, 00000015.00000002.1880894733.000002A329CF6000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000015.00000002.1880894733.000002A329B21000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000024.00000002.2088334568.0000027D800CD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.atera.com/agentpackagesmac/AgentPackageRuntimeInstaller/1.5/AgentPackageRuntimeInstaller.
Source: AteraAgent.exe, 00000015.00000002.1880894733.000002A329F12000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.atera.com/agentpackagesmac/AgentPackageSTRemote/23.4/AgentPackageSTRemote.zip
Source: AteraAgent.exe, 00000015.00000002.1880894733.000002A329EA8000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000015.00000002.1880894733.000002A329F12000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.atera.com/agentpackagesmac/AgentPackageSTRemote/23.4/AgentPackageSTRemote.ziph
Source: AteraAgent.exe, 00000015.00000002.1880894733.000002A329CF6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.atera.com/agentpackagesmac/AgentPackageSystemTools/26.6/AgentPackageSystemTools.zip
Source: AteraAgent.exe, 00000015.00000002.1880894733.000002A329CF6000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000015.00000002.1880894733.000002A329B21000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000024.00000002.2088334568.0000027D800CD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.atera.com/agentpackagesmac/AgentPackageTaskScheduler/13.0/AgentPackageTaskScheduler.zip
Source: AteraAgent.exe, 00000015.00000002.1880894733.000002A329CF6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.atera.com/agentpackagesmac/AgentPackageTicketing/13.0/AgentPackageTicketing.zip
Source: AteraAgent.exe, 00000015.00000002.1880894733.000002A329CF6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.atera.com/agentpackagesmac/AgentPackageUpgradeAgent/27.1/AgentPackageUpgradeAgent.zip
Source: AteraAgent.exe, 00000015.00000002.1880894733.000002A329CF6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.atera.com/agentpackagesmac/AgentPackageWindowsUpdate/24.6/AgentPackageWindowsUpdate.zip
Source: AteraAgent.exe, 00000015.00000002.1880894733.000002A329CF6000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000015.00000002.1880894733.000002A329C08000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000015.00000002.1880894733.000002A329B21000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.atera.com/agentpackagesnet45/Agent.Package.Availability/0.16/Agent.Package.Availability.z
Source: AteraAgent.exe, 00000015.00000002.1880894733.000002A329CF6000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000015.00000002.1880894733.000002A329C08000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000015.00000002.1880894733.000002A329B21000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000024.00000002.2088334568.0000027D800CD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.atera.com/agentpackagesnet45/Agent.Package.IotPoc/0.2/Agent.Package.IotPoc.zip
Source: AteraAgent.exe, 00000015.00000002.1880894733.000002A329CF6000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000015.00000002.1880894733.000002A329C08000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000015.00000002.1880894733.000002A329B21000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000024.00000002.2088334568.0000027D80102000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.atera.com/agentpackagesnet45/Agent.Package.Watchdog/1.5/Agent.Package.Watchdog.zip
Source: AteraAgent.exe, 00000024.00000002.2088334568.0000027D804E5000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000024.00000002.2088334568.0000027D80232000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.atera.com/agentpackagesnet45/Agent.Package.Watchdog/1.5/Agent.Package.Watchdog.zip?6aIkQo
Source: AteraAgent.exe, 00000015.00000002.1880894733.000002A329CF6000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000015.00000002.1880894733.000002A329C08000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000024.00000002.2088334568.0000027D80102000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageADRemote/6.0/AgentPackageADRemote.zip
Source: AteraAgent.exe, 00000024.00000002.2088334568.0000027D804E5000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000024.00000002.2088334568.0000027D80232000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageADRemote/6.0/AgentPackageADRemote.zip?6aIkQoLIi1
Source: AteraAgent.exe, 00000015.00000002.1880894733.000002A329F12000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000024.00000002.2088334568.0000027D80102000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageAgentInformation/37.7/AgentPackageAgentInformati
Source: AteraAgent.exe, 00000015.00000002.1880894733.000002A329CF6000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000024.00000002.2088334568.0000027D80102000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000024.00000002.2088334568.0000027D80560000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageHeartbeat/17.14/AgentPackageHeartbeat.zip
Source: AteraAgent.exe, 00000024.00000002.2088334568.0000027D80102000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageHeartbeat/17.14/AgentPackageHeartbeat.zip?6aIkQo
Source: AteraAgent.exe, 00000015.00000002.1880894733.000002A329C08000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageHeartbeat/17.14/AgentPackageHeartbeat.zipO
Source: AteraAgent.exe, 00000015.00000002.1880894733.000002A329CF6000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000015.00000002.1880894733.000002A329C08000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000015.00000002.1880894733.000002A329B82000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000024.00000002.2088334568.0000027D80102000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageInternalPoller/23.8/AgentPackageInternalPoller.z
Source: AteraAgent.exe, 00000015.00000002.1880894733.000002A329CF6000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000015.00000002.1880894733.000002A329C08000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000024.00000002.2088334568.0000027D80102000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageMarketplace/1.6/AgentPackageMarketplace.zip
Source: AteraAgent.exe, 00000024.00000002.2088334568.0000027D804E5000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000024.00000002.2088334568.0000027D80232000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageMarketplace/1.6/AgentPackageMarketplace.zip?6aIk
Source: AteraAgent.exe, 00000015.00000002.1880894733.000002A32A0BC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageMonitoring/36.9/AgentPackageMoni
Source: AteraAgent.exe, 00000015.00000002.1880894733.000002A32A056000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000024.00000002.2088334568.0000027D80102000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageMonitoring/36.9/AgentPackageMonitoring.zip
Source: AteraAgent.exe, 00000015.00000002.1880894733.000002A32A0BC000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000024.00000002.2088334568.0000027D80102000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageMonitoring/36.9/AgentPackageMonitoring.zip?6aIkQ
Source: AteraAgent.exe, 00000015.00000002.1880894733.000002A32A056000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageMonitoring/36.9/AgentPackageMonitoring.zipO
Source: AteraAgent.exe, 00000015.00000002.1880894733.000002A32A056000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageMonitoring/36.9/AgentPackageMonitoring.ziph
Source: AteraAgent.exe, 00000015.00000002.1880894733.000002A329CF6000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000015.00000002.1880894733.000002A329C08000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000015.00000002.1880894733.000002A329B21000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000024.00000002.2088334568.0000027D800CD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageNetworkDiscovery/23.9/AgentPackageNetworkDiscove
Source: AteraAgent.exe, 00000015.00000002.1880894733.000002A329CF6000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000015.00000002.1880894733.000002A329C08000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000015.00000002.1880894733.000002A329B82000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000024.00000002.2088334568.0000027D80102000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageOsUpdates/19.4/AgentPackageOsUpdates.zip
Source: AteraAgent.exe, 00000024.00000002.2088334568.0000027D80102000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageOsUpdates/19.4/AgentPackageOsUpdates.zip?6aIkQoL
Source: AteraAgent.exe, 00000024.00000002.2088334568.0000027D80102000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageProgramManagement/24.9/AgentPackageProgramManage
Source: AteraAgent.exe, 00000024.00000002.2088334568.0000027D804E5000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000024.00000002.2088334568.0000027D80232000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageRuntimeInstaller/1.6/AgentPackageRuntimeInstalle
Source: AteraAgent.exe, 00000015.00000002.1880894733.000002A329F12000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000024.00000002.2088334568.0000027D80102000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageSTRemote/23.4/AgentPackageSTRemote.zip
Source: AteraAgent.exe, 00000015.00000002.1880894733.000002A329F68000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageSTRemote/23.4/AgentPackageSTRemote.zip?6aIkQoLIi
Source: AteraAgent.exe, 00000015.00000002.1880894733.000002A329EA8000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000015.00000002.1880894733.000002A329F12000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageSTRemote/23.4/AgentPackageSTRemote.ziph
Source: AteraAgent.exe, 00000015.00000002.1880894733.000002A329CF6000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000015.00000002.1880894733.000002A329C08000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000024.00000002.2088334568.0000027D80102000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageSystemTools/26.8/AgentPackageSystemTools.zip
Source: AteraAgent.exe, 00000024.00000002.2088334568.0000027D804E1000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000024.00000002.2088334568.0000027D80232000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageSystemTools/26.8/AgentPackageSystemTools.zip?6aI
Source: AteraAgent.exe, 00000015.00000002.1880894733.000002A329CF6000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000015.00000002.1880894733.000002A329C08000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000015.00000002.1880894733.000002A329B21000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000024.00000002.2088334568.0000027D800CD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageTaskScheduler/17.2/AgentPackageTaskScheduler.zip
Source: AteraAgent.exe, 00000015.00000002.1880894733.000002A329CF6000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000015.00000002.1880894733.000002A329C08000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000024.00000002.2088334568.0000027D80102000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageTicketing/29.2/AgentPackageTicketing.zip
Source: AteraAgent.exe, 00000015.00000002.1880894733.000002A329CF6000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000015.00000002.1880894733.000002A329C08000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000024.00000002.2088334568.0000027D80102000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageUpgradeAgent/27.2/AgentPackageUpgradeAgent.zip
Source: AteraAgent.exe, 00000024.00000002.2088334568.0000027D80102000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageUpgradeAgent/27.2/AgentPackageUpgradeAgent.zip?6
Source: AteraAgent.exe, 00000015.00000002.1880894733.000002A329CF6000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000015.00000002.1880894733.000002A329C08000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageWindowsUpdate/24.6/AgentPackageWindowsUpdate.zip
Source: AteraAgent.exe, 00000015.00000002.1880894733.000002A329CF6000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000015.00000002.1880894733.000002A329B21000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.atera.com/agentpackageswin/Agent.Package.Availability/13.0/Agent.Package.Availability.zip
Source: AteraAgent.exe, 00000015.00000002.1880894733.000002A329CF6000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000015.00000002.1880894733.000002A329B21000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000024.00000002.2088334568.0000027D800CD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.atera.com/agentpackageswin/Agent.Package.IotPoc/13.0/Agent.Package.IotPoc.zip
Source: AteraAgent.exe, 00000015.00000002.1880894733.000002A329CF6000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000015.00000002.1880894733.000002A329B21000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.atera.com/agentpackageswin/Agent.Package.Watchdog/13.0/Agent.Package.Watchdog.zip
Source: AteraAgent.exe, 00000015.00000002.1880894733.000002A329CF6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.atera.com/agentpackageswin/AgentPackageADRemote/1.2/AgentPackageADRemote.zip
Source: AteraAgent.exe, 00000015.00000002.1880894733.000002A329F12000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.atera.com/agentpackageswin/AgentPackageAgentInformation/22.7/AgentPackageAgentInformation
Source: AteraAgent.exe, 00000015.00000002.1880894733.000002A329B82000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.atera.com/agentpackageswin/AgentPackageHeartbeat/16.9
Source: AteraAgent.exe, 00000015.00000002.1880894733.000002A329CF6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.atera.com/agentpackageswin/AgentPackageHeartbeat/16.9/AgentPackageHeartbeat.zip
Source: AteraAgent.exe, 00000015.00000002.1880894733.000002A329CF6000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000015.00000002.1880894733.000002A329B82000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.atera.com/agentpackageswin/AgentPackageInternalPoller/15.9/AgentPackageInternalPoller.zip
Source: AteraAgent.exe, 00000015.00000002.1880894733.000002A329CF6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.atera.com/agentpackageswin/AgentPackageMarketplace/13.0/AgentPackageMarketplace.zip
Source: AteraAgent.exe, 00000015.00000002.1880894733.000002A32A056000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.atera.com/agentpackageswin/AgentPackageMonitoring/22.0/AgentPackageMonitori8
Source: AteraAgent.exe, 00000015.00000002.1880894733.000002A32A056000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.atera.com/agentpackageswin/AgentPackageMonitoring/22.0/AgentPackageMonitoring.zip
Source: AteraAgent.exe, 00000015.00000002.1880894733.000002A329CF6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.atera.com/agentpackageswin/AgentPackageNetworkDiscovery/15.0/AgentPackageNetworkDiscovery
Source: AteraAgent.exe, 00000015.00000002.1880894733.000002A329CF6000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000015.00000002.1880894733.000002A329B82000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.atera.com/agentpackageswin/AgentPackageOsUpdates/1.0/AgentPackageOsUpdates.zip
Source: AteraAgent.exe, 00000015.00000002.1880894733.000002A329CF6000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000015.00000002.1880894733.000002A329B82000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.atera.com/agentpackageswin/AgentPackageProgramManagement/15.5/AgentPackageProgramManageme
Source: AteraAgent.exe, 00000015.00000002.1880894733.000002A329CF6000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000015.00000002.1880894733.000002A329B21000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000024.00000002.2088334568.0000027D800CD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.atera.com/agentpackageswin/AgentPackageRuntimeInstaller/13.0/AgentPackageRuntimeInstaller
Source: AteraAgent.exe, 00000015.00000002.1880894733.000002A329E97000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.atera.com/agentpackageswin/AgentPackageSTRemote/16.0/Agen
Source: AteraAgent.exe, 00000015.00000002.1880894733.000002A329F12000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.atera.com/agentpackageswin/AgentPackageSTRemote/16.0/AgentPackageSTRemote.zip
Source: AteraAgent.exe, 00000015.00000002.1880894733.000002A329CF6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.atera.com/agentpackageswin/AgentPackageSystemTools/18.9/AgentPackageSystemTools.zip
Source: AteraAgent.exe, 00000015.00000002.1880894733.000002A329CF6000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000015.00000002.1880894733.000002A329B21000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000024.00000002.2088334568.0000027D800CD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.atera.com/agentpackageswin/AgentPackageTaskScheduler/13.1/AgentPackageTaskScheduler.zip
Source: AteraAgent.exe, 00000015.00000002.1880894733.000002A329CF6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.atera.com/agentpackageswin/AgentPackageTicketing/18.9/AgentPackageTicketing.zip
Source: AteraAgent.exe, 00000015.00000002.1880894733.000002A329CF6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.atera.com/agentpackageswin/AgentPackageUpgradeAgent/22.1/AgentPackageUpgradeAge
Source: AteraAgent.exe, 00000015.00000002.1880894733.000002A329CF6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.atera.com/agentpackageswin/AgentPackageWindowsUpdate/18.3/AgentPackageWindowsUpdate.zip
Source: AgentPackageSTRemote.exe, 0000002A.00000002.2174501497.000001EE85A08000.00000004.00000800.00020000.00000000.sdmp, AgentPackageSTRemote.exe, 0000002A.00000000.1610870120.000001EE85032000.00000002.00000001.01000000.0000001C.sdmp	String found in binary or memory: https://ps.atera.com/installers/splashtop/win/SplashtopStreamer.exe
Source: AgentPackageSTRemote.exe, 0000002A.00000000.1610870120.000001EE85032000.00000002.00000001.01000000.0000001C.sdmp	String found in binary or memory: https://ps.atera.com/installers/splashtop/win/SplashtopStreamer.exepUsers/Shared/Splashtop
Source: AteraAgent.exe, 00000015.00000002.1880894733.000002A329E61000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000015.00000002.1880894733.000002A329F68000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000015.00000002.1880894733.000002A329FBD000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000015.00000002.1880894733.000002A32A130000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000015.00000002.1880894733.000002A32A136000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000015.00000002.1880894733.000002A329E50000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.pndsn
Source: AteraAgent.exe, 00000015.00000002.1880894733.000002A329E61000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000015.00000002.1880894733.000002A329F68000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000015.00000002.1880894733.000002A329FBD000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000015.00000002.1880894733.000002A32A130000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000015.00000002.1880894733.000002A32A136000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000015.00000002.1880894733.000002A329AC8000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000015.00000002.1880894733.000002A329E50000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000024.00000002.2088334568.0000027D800DD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.pndsn.com
Source: AteraAgent.exe, 00000015.00000002.1880894733.000002A32A130000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.pndsn.com/time/0?pnsdk=NET45CSharp6.13.0.0&requestid=220604ff-7d82-4400-81a1-a9e4ac59a4ab
Source: AteraAgent.exe, 00000015.00000002.1880894733.000002A329E50000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.pndsn.com/time/0?pnsdk=NET45CSharp6.13.0.0&requestid=a2a50c3f-9485-47a0-8a43-5c1c86bbb401
Source: AteraAgent.exe, 00000015.00000002.1880894733.000002A329AC8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.pndsn.com/time/0?pnsdk=NET45CSharp6.13.0.0&requestid=a59c9018-5d76-42b0-adb5-5e60d00da0f5
Source: AteraAgent.exe, 00000015.00000002.1880894733.000002A329F68000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.pndsn.com/time/0?pnsdk=NET45CSharp6.13.0.0&requestid=ab049951-757a-48f1-8723-61b58ab127f5
Source: AteraAgent.exe, 00000024.00000002.2088334568.0000027D800DD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.pndsn.com/time/0?pnsdk=NET45CSharp6.13.0.0&requestid=c0f6c0b0-dc8d-4d9d-a87f-1136ef0d8d0b
Source: AteraAgent.exe, 00000015.00000002.1880894733.000002A329E0C000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000024.00000002.2088334568.0000027D800DD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.pndsn.com/v2/subscribe/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/66902f0e-5571-47c0-8de5
Source: AgentPackageMonitoring.exe, 0000002D.00000002.1719872483.000001D43BAF2000.00000002.00000001.01000000.00000024.sdmp, System.Data.SQLite.dll.36.dr	String found in binary or memory: https://system.data.sqlite.org/
Source: AgentPackageMonitoring.exe, 0000002D.00000002.1720464714.000001D43BB54000.00000002.00000001.01000000.00000024.sdmp, System.Data.SQLite.dll.36.dr	String found in binary or memory: https://system.data.sqlite.org/X
Source: svchost.exe, 00000003.00000003.1365256110.000001ACC0431000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.1365841926.000001ACC0433000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t0.ss
Source: svchost.exe, 00000003.00000003.1365256110.000001ACC0431000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.1365841926.000001ACC0433000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.
Source: svchost.exe, 00000003.00000003.1365203560.000001ACC0443000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashx
Source: svchost.exe, 00000003.00000003.1365256110.000001ACC0431000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.1365841926.000001ACC0433000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs
Source: svchost.exe, 00000003.00000003.1365179336.000001ACC0449000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r=
Source: svchost.exe, 00000003.00000003.1365179336.000001ACC0449000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdi?pv=1&r=
Source: svchost.exe, 00000003.00000003.1365086679.000001ACC045D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdv?pv=1&r=
Source: svchost.exe, 00000003.00000002.1365812001.000001ACC042B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r=
Source: svchost.exe, 00000003.00000002.1365937440.000001ACC0458000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1365229631.000001ACC0457000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t0.ssl.ak.tiles.virtualearth.net/tiles/gen
Source: svchost.exe, 00000003.00000002.1365937440.000001ACC0458000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1365229631.000001ACC0457000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://tiles.virtualearth.net/tiles/cmd/StreetSideBubbleMetaData?north=
Source: AgentPackageMonitoring.exe, 0000002D.00000002.1719872483.000001D43BAF2000.00000002.00000001.01000000.00000024.sdmp	String found in binary or memory: https://urn.to/r/sds_see
Source: System.Data.SQLite.dll.36.dr	String found in binary or memory: https://urn.to/r/sds_see12https://urn.to/r/sds_see2
Source: System.Data.SQLite.dll.36.dr	String found in binary or memory: https://urn.to/r/sds_see23https://urn.to/r/sds_see1UInnerVerify
Source: rundll32.exe, 00000005.00000003.1267628350.0000000004921000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.1288418547.000000000467B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.1331654140.0000000004225000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000018.00000003.1408439085.0000000004F1B000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Program.RemoteAdminNET.1.367.20003.msi, MSI18BE.tmp.2.dr, ateraAgentSetup64_1_8_7_2.msi.53.dr, MSI5003.tmp.2.dr	String found in binary or memory: https://www.digicert.com/CPS0
Source: rundll32.exe, 00000005.00000003.1267628350.0000000004921000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.1288418547.000000000467B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.1331654140.0000000004225000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000018.00000003.1408439085.0000000004F1B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.newtonsoft.com/json
Source: Newtonsoft.Json.dll.53.dr	String found in binary or memory: https://www.newtonsoft.com/jsonschema
Source: AgentPackageMonitoring.exe, 0000002D.00000002.1720602037.000001D43BBD2000.00000002.00000001.01000000.00000025.sdmp, AgentPackageMonitoring.exe, 0000002D.00000002.1721379810.000001D43BCA8000.00000002.00000001.01000000.00000025.sdmp, NLog.dll.36.dr	String found in binary or memory: https://www.nuget.org/packages/NLog.Web.AspNetCore
Source: rundll32.exe, 00000005.00000003.1267628350.0000000004921000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.1288418547.000000000467B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.1331654140.0000000004225000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000015.00000002.1880894733.000002A32A056000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000018.00000003.1408439085.0000000004F1B000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000001A.00000002.1571556014.000002069C692000.00000002.00000001.01000000.0000001B.sdmp, AgentPackageSTRemote.exe, 0000002A.00000002.2195827231.000001EE9E170000.00000002.00000001.01000000.00000030.sdmp, AgentPackageMonitoring.exe, 0000002D.00000002.1721452869.000001D43BCB2000.00000002.00000001.01000000.00000026.sdmp, Newtonsoft.Json.dll1.36.dr, Newtonsoft.Json.dll.53.dr	String found in binary or memory: https://www.nuget.org/packages/Newtonsoft.Json.Bson
Source: AgentPackageMonitoring.exe	String found in binary or memory: https://www.sqlite.org/copyright.html
Source: AgentPackageMonitoring.exe, 0000002D.00000002.1736500188.00007FFB036F4000.00000002.00000001.01000000.0000001E.sdmp	String found in binary or memory: https://www.sqlite.org/copyright.html2

Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File created: C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C56C4404C4DEF0DC88E5FCD9F09CB2F1	Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File created: C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EC9B1D0ABBD7F98B401D425828828CE_DEB07B5578A606ED6489DDA2E357A944	Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File created: C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141	Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File created: C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F2E248BEDDBB2D85122423C41028BFD4	Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File created: C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB	Jump to dropped file

Spam, unwanted Advertisements and Ransom Demands

Reads the Security eventlog

Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security

Reads the System eventlog

Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System\AlphaAgent
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System

Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\3dfa45.msi	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIFBAD.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI16A.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI14C4.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\inprogressinstallinfo.ipi	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\SourceHash{E732A0D7-A2F2-4657-AC41-B19742648E45}	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI18BD.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI18BE.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI191D.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI1A18.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\3dfa47.msi	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\3dfa47.msi	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI330F.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\3dfa48.msi	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI1FA3.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI21B7.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI294A.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\inprogressinstallinfo.ipi	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI2F94.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI2FA5.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI3071.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI30EF.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\SourceHash{6B2921FF-79C1-4EBF-81B4-C606D4E5BEF4}	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI4F07.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI4F08.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI5003.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI50FE.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\3dfa54.msi	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\3dfa54.msi	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI57D5.tmp	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSIFBAD.tmp-	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSIFBAD.tmp-\AlphaControlAgentInstallation.dll	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSIFBAD.tmp-\Microsoft.Deployment.WindowsInstaller.dll	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSIFBAD.tmp-\Newtonsoft.Json.dll	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSIFBAD.tmp-\System.Management.dll	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSIFBAD.tmp-\CustomAction.config	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSI16A.tmp-	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSI16A.tmp-\AlphaControlAgentInstallation.dll	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSI16A.tmp-\Microsoft.Deployment.WindowsInstaller.dll	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSI16A.tmp-\Newtonsoft.Json.dll	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSI16A.tmp-\System.Management.dll	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSI16A.tmp-\CustomAction.config	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSI14C4.tmp-	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSI14C4.tmp-\AlphaControlAgentInstallation.dll	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSI14C4.tmp-\Microsoft.Deployment.WindowsInstaller.dll	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSI14C4.tmp-\Newtonsoft.Json.dll	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSI14C4.tmp-\System.Management.dll	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSI14C4.tmp-\CustomAction.config	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File created: C:\Windows\system32\InstallUtil.InstallLog
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C56C4404C4DEF0DC88E5FCD9F09CB2F1
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C56C4404C4DEF0DC88E5FCD9F09CB2F1
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F2E248BEDDBB2D85122423C41028BFD4
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F2E248BEDDBB2D85122423C41028BFD4
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EC9B1D0ABBD7F98B401D425828828CE_DEB07B5578A606ED6489DDA2E357A944
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EC9B1D0ABBD7F98B401D425828828CE_DEB07B5578A606ED6489DDA2E357A944
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSI330F.tmp-
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSI330F.tmp-\AlphaControlAgentInstallation.dll
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSI330F.tmp-\Microsoft.Deployment.WindowsInstaller.dll
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSI330F.tmp-\Newtonsoft.Json.dll
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSI330F.tmp-\System.Management.dll
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSI330F.tmp-\CustomAction.config
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	File created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\AgentPackageAgentInformation.exe.log
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe	File created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\AgentPackageSTRemote.exe.log
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe	File created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\AgentPackageMonitoring.exe.log

Source: C:\Windows\System32\msiexec.exe

File deleted: C:\Windows\Installer\MSIFBAD.tmp

Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_3_06D50040	8_3_06D50040
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_3_044150B8	13_3_044150B8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_3_044159A8	13_3_044159A8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_3_04414D68	13_3_04414D68
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Code function: 20_2_00007FFAAC75C922	20_2_00007FFAAC75C922
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Code function: 20_2_00007FFAAC75BB76	20_2_00007FFAAC75BB76
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Code function: 21_2_00007FFAAC791CE0	21_2_00007FFAAC791CE0
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Code function: 21_2_00007FFAAC79C910	21_2_00007FFAAC79C910
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Code function: 21_2_00007FFAAC7A1B54	21_2_00007FFAAC7A1B54
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Code function: 21_2_00007FFAAC79CF58	21_2_00007FFAAC79CF58
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Code function: 21_2_00007FFAAC79900E	21_2_00007FFAAC79900E
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Code function: 21_2_00007FFAAC789AF2	21_2_00007FFAAC789AF2
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Code function: 21_2_00007FFAAC99E2C1	21_2_00007FFAAC99E2C1
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Code function: 21_2_00007FFAAC994330	21_2_00007FFAAC994330
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Code function: 21_2_00007FFAAC999453	21_2_00007FFAAC999453
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Code function: 21_2_00007FFAAC99AC97	21_2_00007FFAAC99AC97
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Code function: 21_2_00007FFAAC9A0F51	21_2_00007FFAAC9A0F51
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Code function: 21_2_00007FFAAC9A1080	21_2_00007FFAAC9A1080
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Code function: 21_2_00007FFAAC9A1090	21_2_00007FFAAC9A1090
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Code function: 21_2_00007FFAAC9A0FD3	21_2_00007FFAAC9A0FD3
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Code function: 21_2_00007FFAAC9A0FFA	21_2_00007FFAAC9A0FFA
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Code function: 21_2_00007FFAAC9A1130	21_2_00007FFAAC9A1130
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Code function: 21_2_00007FFAAC9A1200	21_2_00007FFAAC9A1200
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Code function: 21_2_00007FFAAC780C58	21_2_00007FFAAC780C58
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 24_3_075B0040	24_3_075B0040
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Code function: 26_2_00007FFAAC788682	26_2_00007FFAAC788682
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Code function: 26_2_00007FFAAC79100A	26_2_00007FFAAC79100A
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Code function: 26_2_00007FFAAC7878D6	26_2_00007FFAAC7878D6
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Code function: 26_2_00007FFAAC78FA94	26_2_00007FFAAC78FA94
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Code function: 26_2_00007FFAAC7A047D	26_2_00007FFAAC7A047D
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Code function: 26_2_00007FFAAC78BDB0	26_2_00007FFAAC78BDB0
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Code function: 26_2_00007FFAAC7910C0	26_2_00007FFAAC7910C0
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Code function: 26_2_00007FFAAC7812FA	26_2_00007FFAAC7812FA
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Code function: 28_2_00007FFAAC768682	28_2_00007FFAAC768682
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Code function: 28_2_00007FFAAC77108C	28_2_00007FFAAC77108C
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Code function: 28_2_00007FFAAC761828	28_2_00007FFAAC761828
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Code function: 28_2_00007FFAAC7678D6	28_2_00007FFAAC7678D6
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Code function: 28_2_00007FFAAC76FA94	28_2_00007FFAAC76FA94
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Code function: 28_2_00007FFAAC78047D	28_2_00007FFAAC78047D
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Code function: 28_2_00007FFAAC76BDB0	28_2_00007FFAAC76BDB0
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Code function: 28_2_00007FFAAC7710C0	28_2_00007FFAAC7710C0
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Code function: 28_2_00007FFAAC7612FB	28_2_00007FFAAC7612FB
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Code function: 30_2_00007FFAAC7728D0	30_2_00007FFAAC7728D0
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Code function: 30_2_00007FFAAC76FA94	30_2_00007FFAAC76FA94
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Code function: 30_2_00007FFAAC77529D	30_2_00007FFAAC77529D
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Code function: 30_2_00007FFAAC76C798	30_2_00007FFAAC76C798
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Code function: 30_2_00007FFAAC78047D	30_2_00007FFAAC78047D
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Code function: 30_2_00007FFAAC77108C	30_2_00007FFAAC77108C
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Code function: 30_2_00007FFAAC77AFF2	30_2_00007FFAAC77AFF2
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Code function: 30_2_00007FFAAC77DD84	30_2_00007FFAAC77DD84
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Code function: 30_2_00007FFAAC76BDB0	30_2_00007FFAAC76BDB0
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Code function: 30_2_00007FFAAC7710C0	30_2_00007FFAAC7710C0
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Code function: 30_2_00007FFAAC7755D9	30_2_00007FFAAC7755D9
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Code function: 30_2_00007FFAAC77DDFA	30_2_00007FFAAC77DDFA
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Code function: 30_2_00007FFAAC7678D6	30_2_00007FFAAC7678D6
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Code function: 30_2_00007FFAAC768682	30_2_00007FFAAC768682
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Code function: 30_2_00007FFAAC761828	30_2_00007FFAAC761828
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Code function: 30_2_00007FFAAC76969D	30_2_00007FFAAC76969D
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Code function: 30_2_00007FFAAC7635DD	30_2_00007FFAAC7635DD
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Code function: 30_2_00007FFAAC7612FB	30_2_00007FFAAC7612FB
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Code function: 30_2_00007FFAAC76246B	30_2_00007FFAAC76246B
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Code function: 32_2_00007FFAAC751828	32_2_00007FFAAC751828
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Code function: 32_2_00007FFAAC7512FB	32_2_00007FFAAC7512FB
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Code function: 34_2_00007FFAAC79977E	34_2_00007FFAAC79977E
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Code function: 34_2_00007FFAAC7989CE	34_2_00007FFAAC7989CE
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Code function: 34_2_00007FFAAC7912FB	34_2_00007FFAAC7912FB
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Code function: 34_2_00007FFAAC79C47F	34_2_00007FFAAC79C47F
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Code function: 34_2_00007FFAAC790730	34_2_00007FFAAC790730
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Code function: 34_2_00007FFAAC7B00B8	34_2_00007FFAAC7B00B8
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Code function: 34_2_00007FFAAC7AD370	34_2_00007FFAAC7AD370
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Code function: 34_2_00007FFAAC7A5B31	34_2_00007FFAAC7A5B31
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Code function: 34_2_00007FFAAC793BF3	34_2_00007FFAAC793BF3
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Code function: 36_2_00007FFAAC79CD90	36_2_00007FFAAC79CD90
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Code function: 36_2_00007FFAAC7A3CE0	36_2_00007FFAAC7A3CE0
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Code function: 36_2_00007FFAAC79CEB0	36_2_00007FFAAC79CEB0
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Code function: 36_2_00007FFAAC791DC8	36_2_00007FFAAC791DC8
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Code function: 36_2_00007FFAAC7A2063	36_2_00007FFAAC7A2063
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Code function: 36_2_00007FFAAC791A8B	36_2_00007FFAAC791A8B
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Code function: 36_2_00007FFAAC791AB8	36_2_00007FFAAC791AB8
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Code function: 36_2_00007FFAAC799446	36_2_00007FFAAC799446
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Code function: 36_2_00007FFAAC79D3D8	36_2_00007FFAAC79D3D8
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Code function: 36_2_00007FFAAC999E9D	36_2_00007FFAAC999E9D
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Code function: 36_2_00007FFAAC9AB719	36_2_00007FFAAC9AB719
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Code function: 36_2_00007FFAAC9A87D3	36_2_00007FFAAC9A87D3
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Code function: 36_2_00007FFAAC9AD151	36_2_00007FFAAC9AD151
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Code function: 36_2_00007FFAAC9A126E	36_2_00007FFAAC9A126E
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Code function: 36_2_00007FFAAC9A92D0	36_2_00007FFAAC9A92D0
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Code function: 36_2_00007FFAAC9A73D7	36_2_00007FFAAC9A73D7
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Code function: 36_2_00007FFAAC9A8728	36_2_00007FFAAC9A8728
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Code function: 36_2_00007FFAAC99AF2D	36_2_00007FFAAC99AF2D
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Code function: 36_2_00007FFAAC996950	36_2_00007FFAAC996950
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Code function: 36_2_00007FFAAC9A99D1	36_2_00007FFAAC9A99D1
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Code function: 36_2_00007FFAAC9993F2	36_2_00007FFAAC9993F2
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Code function: 36_2_00007FFAAC780C58	36_2_00007FFAAC780C58
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe	Code function: 42_2_00007FFAAC7915FD	42_2_00007FFAAC7915FD
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe	Code function: 42_2_00007FFAAC796F59	42_2_00007FFAAC796F59
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe	Code function: 42_2_00007FFAAC7952FA	42_2_00007FFAAC7952FA
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe	Code function: 42_2_00007FFAAC798476	42_2_00007FFAAC798476
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe	Code function: 45_2_00007FFB036901E0	45_2_00007FFB036901E0
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe	Code function: 45_2_00007FFB036820E0	45_2_00007FFB036820E0
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe	Code function: 45_2_00007FFB03686960	45_2_00007FFB03686960
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe	Code function: 45_2_00007FFB035DB880	45_2_00007FFB035DB880
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe	Code function: 45_2_00007FFB03618310	45_2_00007FFB03618310
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe	Code function: 45_2_00007FFB03572310	45_2_00007FFB03572310
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe	Code function: 45_2_00007FFB035FA2F0	45_2_00007FFB035FA2F0
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe	Code function: 45_2_00007FFB035F22B0	45_2_00007FFB035F22B0
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe	Code function: 45_2_00007FFB03570330	45_2_00007FFB03570330
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe	Code function: 45_2_00007FFB035C2240	45_2_00007FFB035C2240
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe	Code function: 45_2_00007FFB0360C220	45_2_00007FFB0360C220
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe	Code function: 45_2_00007FFB035DC110	45_2_00007FFB035DC110
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe	Code function: 45_2_00007FFB035EA0C0	45_2_00007FFB035EA0C0
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe	Code function: 45_2_00007FFB035F40A0	45_2_00007FFB035F40A0
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe	Code function: 45_2_00007FFB0355E80C	45_2_00007FFB0355E80C
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe	Code function: 45_2_00007FFB035EA7E0	45_2_00007FFB035EA7E0
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe	Code function: 45_2_00007FFB03568860	45_2_00007FFB03568860
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe	Code function: 45_2_00007FFB03616860	45_2_00007FFB03616860
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe	Code function: 45_2_00007FFB0356E720	45_2_00007FFB0356E720
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe	Code function: 45_2_00007FFB03562738	45_2_00007FFB03562738
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe	Code function: 45_2_00007FFB035D0600	45_2_00007FFB035D0600
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe	Code function: 45_2_00007FFB036705D0	45_2_00007FFB036705D0
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe	Code function: 45_2_00007FFB0360A5D0	45_2_00007FFB0360A5D0
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe	Code function: 45_2_00007FFB035585D4	45_2_00007FFB035585D4
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe	Code function: 45_2_00007FFB0368E5B0	45_2_00007FFB0368E5B0
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe	Code function: 45_2_00007FFB0368C680	45_2_00007FFB0368C680
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe	Code function: 45_2_00007FFB035A0510	45_2_00007FFB035A0510
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe	Code function: 45_2_00007FFB035644DC	45_2_00007FFB035644DC
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe	Code function: 45_2_00007FFB035B64A0	45_2_00007FFB035B64A0
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe	Code function: 45_2_00007FFB0360E590	45_2_00007FFB0360E590
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe	Code function: 45_2_00007FFB03636590	45_2_00007FFB03636590
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe	Code function: 45_2_00007FFB035D4550	45_2_00007FFB035D4550
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe	Code function: 45_2_00007FFB0355A524	45_2_00007FFB0355A524
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe	Code function: 45_2_00007FFB035FCC00	45_2_00007FFB035FCC00
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe	Code function: 45_2_00007FFB03684C80	45_2_00007FFB03684C80
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe	Code function: 45_2_00007FFB0363AB00	45_2_00007FFB0363AB00
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe	Code function: 45_2_00007FFB035A8B90	45_2_00007FFB035A8B90
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe	Code function: 45_2_00007FFB035CCB50	45_2_00007FFB035CCB50
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe	Code function: 45_2_00007FFB03576A80	45_2_00007FFB03576A80
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe	Code function: 45_2_00007FFB0361AA70	45_2_00007FFB0361AA70
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe	Code function: 45_2_00007FFB03598A60	45_2_00007FFB03598A60
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe	Code function: 45_2_00007FFB03558A3C	45_2_00007FFB03558A3C
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe	Code function: 45_2_00007FFB03646910	45_2_00007FFB03646910
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe	Code function: 45_2_00007FFB035528C0	45_2_00007FFB035528C0
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe	Code function: 45_2_00007FFB035A88A0	45_2_00007FFB035A88A0
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe	Code function: 45_2_00007FFB035AE990	45_2_00007FFB035AE990
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe	Code function: 45_2_00007FFB035EEFD0	45_2_00007FFB035EEFD0
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe	Code function: 45_2_00007FFB0359AFB0	45_2_00007FFB0359AFB0
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe	Code function: 45_2_00007FFB03599020	45_2_00007FFB03599020
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe	Code function: 45_2_00007FFB0355CEA8	45_2_00007FFB0355CEA8
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe	Code function: 45_2_00007FFB03562F8C	45_2_00007FFB03562F8C
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe	Code function: 45_2_00007FFB03554DB4	45_2_00007FFB03554DB4
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe	Code function: 45_2_00007FFB0357CE70	45_2_00007FFB0357CE70
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe	Code function: 45_2_00007FFB035B0E30	45_2_00007FFB035B0E30
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe	Code function: 45_2_00007FFB035C4D00	45_2_00007FFB035C4D00
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe	Code function: 45_2_00007FFB03566CC0	45_2_00007FFB03566CC0
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe	Code function: 45_2_00007FFB0359ACD0	45_2_00007FFB0359ACD0
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe	Code function: 45_2_00007FFB0368CD60	45_2_00007FFB0368CD60
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe	Code function: 45_2_00007FFB035D6D20	45_2_00007FFB035D6D20
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe	Code function: 45_2_00007FFB036A0D30	45_2_00007FFB036A0D30
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe	Code function: 45_2_00007FFB03618D20	45_2_00007FFB03618D20
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe	Code function: 45_2_00007FFB0362F3E0	45_2_00007FFB0362F3E0
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe	Code function: 45_2_00007FFB035793D0	45_2_00007FFB035793D0
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe	Code function: 45_2_00007FFB03553474	45_2_00007FFB03553474
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe	Code function: 45_2_00007FFB035EB370	45_2_00007FFB035EB370
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe	Code function: 45_2_00007FFB0355F340	45_2_00007FFB0355F340
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe	Code function: 45_2_00007FFB035ED350	45_2_00007FFB035ED350
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe	Code function: 45_2_00007FFB03663200	45_2_00007FFB03663200
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe	Code function: 45_2_00007FFB035511B0	45_2_00007FFB035511B0
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe	Code function: 45_2_00007FFB035BF1B0	45_2_00007FFB035BF1B0
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe	Code function: 45_2_00007FFB0355D284	45_2_00007FFB0355D284
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe	Code function: 45_2_00007FFB035CF220	45_2_00007FFB035CF220
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe	Code function: 45_2_00007FFB036850F0	45_2_00007FFB036850F0
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe	Code function: 45_2_00007FFB035E9170	45_2_00007FFB035E9170
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe	Code function: 45_2_00007FFB036A1840	45_2_00007FFB036A1840
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe	Code function: 45_2_00007FFB0356D830	45_2_00007FFB0356D830
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe	Code function: 45_2_00007FFB035C36E0	45_2_00007FFB035C36E0
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe	Code function: 45_2_00007FFB036456D0	45_2_00007FFB036456D0
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe	Code function: 45_2_00007FFB0369F790	45_2_00007FFB0369F790
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe	Code function: 45_2_00007FFB035AF780	45_2_00007FFB035AF780
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe	Code function: 45_2_00007FFB0359D770	45_2_00007FFB0359D770
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe	Code function: 45_2_00007FFB035F7720	45_2_00007FFB035F7720
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe	Code function: 45_2_00007FFB035F1690	45_2_00007FFB035F1690
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe	Code function: 45_2_00007FFB03565640	45_2_00007FFB03565640
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe	Code function: 45_2_00007FFB035BB647	45_2_00007FFB035BB647
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe	Code function: 45_2_00007FFB0359F630	45_2_00007FFB0359F630
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe	Code function: 45_2_00007FFB0355D634	45_2_00007FFB0355D634
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe	Code function: 45_2_00007FFB035574B0	45_2_00007FFB035574B0
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe	Code function: 45_2_00007FFB0355955C	45_2_00007FFB0355955C
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe	Code function: 45_2_00007FFB0357BBE0	45_2_00007FFB0357BBE0
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe	Code function: 45_2_00007FFB03599BA0	45_2_00007FFB03599BA0
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe	Code function: 45_2_00007FFB03693C20	45_2_00007FFB03693C20
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe	Code function: 45_2_00007FFB035F3AF0	45_2_00007FFB035F3AF0
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe	Code function: 45_2_00007FFB03585AD0	45_2_00007FFB03585AD0
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe	Code function: 45_2_00007FFB0363DB80	45_2_00007FFB0363DB80
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe	Code function: 45_2_00007FFB035B7B30	45_2_00007FFB035B7B30
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe	Code function: 45_2_00007FFB035BB9F0	45_2_00007FFB035BB9F0
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe	Code function: 45_2_00007FFB03607A60	45_2_00007FFB03607A60
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe	Code function: 45_2_00007FFB03589A60	45_2_00007FFB03589A60
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe	Code function: 45_2_00007FFB0357D910	45_2_00007FFB0357D910
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe	Code function: 45_2_00007FFB035B18DA	45_2_00007FFB035B18DA
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe	Code function: 45_2_00007FFB035AFEF0	45_2_00007FFB035AFEF0
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe	Code function: 45_2_00007FFB03557EC0	45_2_00007FFB03557EC0
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe	Code function: 45_2_00007FFB035EFED0	45_2_00007FFB035EFED0
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe	Code function: 45_2_00007FFB03605EA0	45_2_00007FFB03605EA0
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe	Code function: 45_2_00007FFB035F7EA0	45_2_00007FFB035F7EA0
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe	Code function: 45_2_00007FFB035D3EB0	45_2_00007FFB035D3EB0
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe	Code function: 45_2_00007FFB035E5F20	45_2_00007FFB035E5F20
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe	Code function: 45_2_00007FFB03567F30	45_2_00007FFB03567F30
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe	Code function: 45_2_00007FFB03589F30	45_2_00007FFB03589F30
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe	Code function: 45_2_00007FFB03583E10	45_2_00007FFB03583E10
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe	Code function: 45_2_00007FFB03597E70	45_2_00007FFB03597E70
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe	Code function: 45_2_00007FFB03565E50	45_2_00007FFB03565E50
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe	Code function: 45_2_00007FFB03599CF0	45_2_00007FFB03599CF0
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe	Code function: 45_2_00007FFB0363BCD0	45_2_00007FFB0363BCD0
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe	Code function: 45_2_00007FFB0362DCC0	45_2_00007FFB0362DCC0
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe	Code function: 45_2_00007FFB03627D20	45_2_00007FFB03627D20
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe	Code function: 45_2_00007FFAAC7A0FD5	45_2_00007FFAAC7A0FD5
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe	Code function: 45_2_00007FFAAC79BD51	45_2_00007FFAAC79BD51
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe	Code function: 45_2_00007FFAAC9BACF8	45_2_00007FFAAC9BACF8
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe	Code function: 45_2_00007FFAACAC4557	45_2_00007FFAACAC4557
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe	Code function: 45_2_00007FFAACB04DA0	45_2_00007FFAACB04DA0
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe	Code function: 45_2_00007FFAACAB403D	45_2_00007FFAACAB403D
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe	Code function: 45_2_00007FFAACAC1037	45_2_00007FFAACAC1037
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe	Code function: 45_2_00007FFAACAC58E7	45_2_00007FFAACAC58E7
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe	Code function: 45_2_00007FFAACAF5138	45_2_00007FFAACAF5138
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe	Code function: 45_2_00007FFAACAC0B88	45_2_00007FFAACAC0B88
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe	Code function: 45_2_00007FFAACAB2AD3	45_2_00007FFAACAB2AD3
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe	Code function: 45_2_00007FFAACAC644D	45_2_00007FFAACAC644D
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe	Code function: 45_2_00007FFAACAC34B1	45_2_00007FFAACAC34B1
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe	Code function: 45_2_00007FFAACAC46A7	45_2_00007FFAACAC46A7
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe	Code function: 45_2_00007FFAACAF1F88	45_2_00007FFAACAF1F88
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe	Code function: 45_2_00007FFAACAC1069	45_2_00007FFAACAC1069
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe	Code function: 45_2_00007FFAACABA8FC	45_2_00007FFAACABA8FC
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe	Code function: 45_2_00007FFAAC79CC7B	45_2_00007FFAAC79CC7B

Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe	Code function: String function: 00007FFB036A1D30 appears 114 times
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe	Code function: String function: 00007FFB036A1B70 appears 102 times
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe	Code function: String function: 00007FFB036A06B0 appears 145 times

Source: SecuriteInfo.com.Program.RemoteAdminNET.1.367.20003.msi	Binary or memory string: OriginalFilenameAlphaControlAgentInstallation.dll\ vs SecuriteInfo.com.Program.RemoteAdminNET.1.367.20003.msi
Source: SecuriteInfo.com.Program.RemoteAdminNET.1.367.20003.msi	Binary or memory string: OriginalFilenameSfxCA.dll\ vs SecuriteInfo.com.Program.RemoteAdminNET.1.367.20003.msi
Source: SecuriteInfo.com.Program.RemoteAdminNET.1.367.20003.msi	Binary or memory string: OriginalFilenamewixca.dll\ vs SecuriteInfo.com.Program.RemoteAdminNET.1.367.20003.msi

Source: ICSharpCode.SharpZipLib.dll.2.dr, InflaterInputBuffer.cs	Cryptographic APIs: 'TransformBlock'
Source: ICSharpCode.SharpZipLib.dll.2.dr, DeflaterOutputStream.cs	Cryptographic APIs: 'TransformBlock'
Source: ICSharpCode.SharpZipLib.dll.2.dr, ZipAESTransform.cs	Cryptographic APIs: 'TransformBlock'

Source: AteraAgent.exe.2.dr, SignatureValidator.cs	Base64 encoded string: 'MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA0YmxeR/2wifvwd/MQXb/5tsLsvlMs50tmraklX8MKsU1EgEpRZ+W0Ro1ZHoLhQG53oq9hPz9bmJge78yZr6l1QJWz6wCj+yQUxM5f0gt4fHEf2yA94Tklnds7JPr2vQRb5rjAnxnt7722oWFc1bxFFsIcIhOI/EHYCE0qSPE1pKMXALkHZYoDQEFUu3YgEc0Oo7ClJNFrB75g6tVZRqGKxVvYQBb9zKDxhBRnDkhZuB7D1gRaR9PNwCr7tVtPt40c+CCf5ktUkeu4JzaiEipWvKYgRvotqsFtZF5uFso2UmdvxO+lIw9i/GPDfgS4JhKu/Y9lCuaan+xEluhSK0vpQIDAQAB'
Source: AteraAgent.exe0.2.dr, SignatureValidator.cs	Base64 encoded string: 'MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA0YmxeR/2wifvwd/MQXb/5tsLsvlMs50tmraklX8MKsU1EgEpRZ+W0Ro1ZHoLhQG53oq9hPz9bmJge78yZr6l1QJWz6wCj+yQUxM5f0gt4fHEf2yA94Tklnds7JPr2vQRb5rjAnxnt7722oWFc1bxFFsIcIhOI/EHYCE0qSPE1pKMXALkHZYoDQEFUu3YgEc0Oo7ClJNFrB75g6tVZRqGKxVvYQBb9zKDxhBRnDkhZuB7D1gRaR9PNwCr7tVtPt40c+CCf5ktUkeu4JzaiEipWvKYgRvotqsFtZF5uFso2UmdvxO+lIw9i/GPDfgS4JhKu/Y9lCuaan+xEluhSK0vpQIDAQAB'

Source: classification engine

Classification label: mal100.troj.spyw.evad.winMSI@92/410@0/12

Source: C:\Windows\System32\msiexec.exe

File created: C:\Program Files (x86)\ATERA Networks

Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\rundll32.exe.log

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:1652:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:2020:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:1964:120:WilError_03
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1528:120:WilError_03
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\netfxeventlog.1.0
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:6472:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:6068:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:1624:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:3576:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3800:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:5580:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:4332:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:6476:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:344:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:3672:120:WilError_03
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Mutant created: \BaseNamedObjects\Global\netfxeventlog.1.0
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:7152:120:WilError_03

Source: C:\Windows\System32\msiexec.exe

File created: C:\Windows\TEMP\~DF946B63CA5CEB85FD.TMP

Jump to behavior

Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe

Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c cscript "C:\Program Files (x86)\Microsoft Office\Office16\ospp.vbs" /dstatus

Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "AteraAgent.exe")
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select Name from Win32_Processor
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select Name from Win32_Processor
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select Name from Win32_Processor
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select Name from Win32_Processor
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select Name from Win32_Processor
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Processor
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select MaxClockSpeed from Win32_Processor
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select Name from Win32_Processor
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select Name from Win32_Processor
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Processor
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select MaxClockSpeed from Win32_Processor

Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe

File read: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.ini

Source: C:\Windows\System32\msiexec.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA

Jump to behavior

Source: C:\Windows\SysWOW64\msiexec.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Windows\Installer\MSIFBAD.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_4062296 2 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.GenerateAgentId

Source: AteraAgent.exe, 00000024.00000002.2158613123.0000027DEC6DB000.00000004.00000020.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 0000002D.00000000.1639820961.000001D422772000.00000002.00000001.01000000.0000001D.sdmp	Binary or memory string: SELECT Identifier, Severity, Timestamp FROM ThresholdDuration WHERE Identifier = @id;kDELETE FROM ThresholdDuration WHERE Identifier = @id;
Source: AteraAgent.exe, 00000024.00000002.2158613123.0000027DEC6DB000.00000004.00000020.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 0000002D.00000000.1639820961.000001D422772000.00000002.00000001.01000000.0000001D.sdmp	Binary or memory string: INSERT INTO [AlertsSent] (Timestamp, Alerts) VALUES (@timestamp, @alerts);kExecuteScriptAsync SystemTools Start scriptGuid : {0}Wrunscriptguid {0} 10 W10= disableSendResultC{0} {1} {2} {3} or8ixLi90Mf "{4}"
Source: AteraAgent.exe, 00000024.00000002.2158613123.0000027DEC6DB000.00000004.00000020.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 0000002D.00000000.1639820961.000001D422772000.00000002.00000001.01000000.0000001D.sdmp	Binary or memory string: INSERT INTO ThresholdDuration (Identifier,Severity,Timestamp) Values (@identifier, @severity, @timestamp) ON CONFLICT (Identifier) DO UPDATE SET Severity = excluded.Severity, Timestamp = excluded.Timestamp;
Source: AgentPackageMonitoring.exe, 0000002D.00000002.1697943618.000001D42338D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE IF NOT EXISTS AlertedEvents_V2 (Id INTEGER PRIMARY KEY, Timestamp BIGINT NOT NULL, LogName TEXT NOT NULL, Severity INTEGER NOT NULL, RecordId BIGINT NOT NULL, EventId BIGINT NOT NULL, Source TEXT NOT NULL, Message TEXT NULL); CREATE INDEX IF NOT EXISTS idx_AlertedEvents_V2_Timestamp ON AlertedEvents_V2 (Timestamp); CREATE INDEX IF NOT EXISTS idx_AlertedEvents_V2_LogName ON AlertedEvents_V2 (LogName);
Source: AteraAgent.exe, 00000024.00000002.2158613123.0000027DEC6DB000.00000004.00000020.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 0000002D.00000002.1697943618.000001D42338D000.00000004.00000800.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 0000002D.00000000.1639820961.000001D422772000.00000002.00000001.01000000.0000001D.sdmp	Binary or memory string: CREATE TABLE IF NOT EXISTS StatisticsSendTime (Id INTEGER PRIMARY KEY,Timestamp BIGINT NOT NULL);
Source: AteraAgent.exe, 00000024.00000002.2158613123.0000027DEC6DB000.00000004.00000020.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 0000002D.00000000.1639820961.000001D422772000.00000002.00000001.01000000.0000001D.sdmp	Binary or memory string: INSERT INTO Statistics(Name, Timestamp, Value) Values (@name, @timestamp, @value);%StatisticsSendTime
Source: AgentPackageMonitoring.exe, 0000002D.00000002.1697943618.000001D42338D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE IF NOT EXISTS Statistics (Id INTEGER PRIMARY KEY,Name TEXT NOT NULL,Timestamp BIGINT NOT NULL,Value TEXT NOT NULL);@
Source: AteraAgent.exe, 00000024.00000002.2158613123.0000027DEC6DB000.00000004.00000020.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 0000002D.00000002.1697943618.000001D42338D000.00000004.00000800.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 0000002D.00000000.1639820961.000001D422772000.00000002.00000001.01000000.0000001D.sdmp	Binary or memory string: CREATE TABLE IF NOT EXISTS ThresholdDuration (Id INTEGER PRIMARY KEY,Identifier TEXT NOT NULL,Severity TEXT NOT NULL,Timestamp BIGINT NOT NULL); CREATE UNIQUE INDEX IF NOT EXISTS idx_ThresholdDuration_Identifier ON ThresholdDuration (Identifier);
Source: AgentPackageMonitoring.exe, AgentPackageMonitoring.exe, 0000002D.00000002.1736042091.00007FFB036AA000.00000002.00000001.01000000.0000001E.sdmp	Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
Source: AgentPackageMonitoring.exe, 0000002D.00000002.1697943618.000001D42338D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE IF NOT EXISTS ThresholdsProfiles (Id INTEGER NOT NULL PRIMARY KEY,IsActive BOOLEAN NOT NULL,Timestamp BIGINT NOT NULL,Name TEXT NOT NULL,Thresholds TEXT NOT NULL); CREATE INDEX IF NOT EXISTS idx_ThresholdsProfiles_Timestamp ON ThresholdsProfiles (Timestamp);@
Source: AteraAgent.exe, 00000024.00000002.2158613123.0000027DEC6DB000.00000004.00000020.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 0000002D.00000002.1697943618.000001D42338D000.00000004.00000800.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 0000002D.00000000.1639820961.000001D422772000.00000002.00000001.01000000.0000001D.sdmp	Binary or memory string: CREATE TABLE IF NOT EXISTS Stub (Id INTEGER PRIMARY KEY, Timestamp BIGINT NOT NULL);
Source: AgentPackageMonitoring.exe, 0000002D.00000002.1697943618.000001D42338D000.00000004.00000800.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 0000002D.00000002.1722197586.000001D43C915000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE IF NOT EXISTS Statistics (Id INTEGER PRIMARY KEY,Name TEXT NOT NULL,Timestamp BIGINT NOT NULL,Value TEXT NOT NULL);
Source: AgentPackageMonitoring.exe, 0000002D.00000002.1697943618.000001D42338D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE IF NOT EXISTS AlertedEvents_V2 (Id INTEGER PRIMARY KEY, Timestamp BIGINT NOT NULL, LogName TEXT NOT NULL, Severity INTEGER NOT NULL, RecordId BIGINT NOT NULL, EventId BIGINT NOT NULL, Source TEXT NOT NULL, Message TEXT NULL); CREATE INDEX IF NOT EXISTS idx_AlertedEvents_V2_Timestamp ON AlertedEvents_V2 (Timestamp); CREATE INDEX IF NOT EXISTS idx_AlertedEvents_V2_LogName ON AlertedEvents_V2 (LogName);@
Source: AgentPackageMonitoring.exe, 0000002D.00000002.1697943618.000001D42338D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE IF NOT EXISTS ThresholdsProfiles (Id INTEGER NOT NULL PRIMARY KEY,IsActive BOOLEAN NOT NULL,Timestamp BIGINT NOT NULL,Name TEXT NOT NULL,Thresholds TEXT NOT NULL);
Source: AgentPackageMonitoring.exe, 0000002D.00000002.1736042091.00007FFB036AA000.00000002.00000001.01000000.0000001E.sdmp	Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: AgentPackageMonitoring.exe, AgentPackageMonitoring.exe, 0000002D.00000002.1736042091.00007FFB036AA000.00000002.00000001.01000000.0000001E.sdmp	Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: AteraAgent.exe, 00000024.00000002.2158613123.0000027DEC6DB000.00000004.00000020.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 0000002D.00000000.1639820961.000001D422772000.00000002.00000001.01000000.0000001D.sdmp	Binary or memory string: SELECT Timestamp FROM StatisticsSendTime ORDER BY Timestamp DESC LIMIT 1;
Source: AteraAgent.exe, 00000024.00000002.2158613123.0000027DEC6DB000.00000004.00000020.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 0000002D.00000000.1639820961.000001D422772000.00000002.00000001.01000000.0000001D.sdmp	Binary or memory string: CREATE TABLE IF NOT EXISTS [AlertsSent] (Id INTEGER NOT NULL PRIMARY KEY, Timestamp BIGINT NOT NULL, Alerts TEXT NOT NULL);sSELECT MAX([Timestamp]) AS [TimeStamp] FROM [AlertsSent];
Source: AgentPackageMonitoring.exe, AgentPackageMonitoring.exe, 0000002D.00000002.1736042091.00007FFB036AA000.00000002.00000001.01000000.0000001E.sdmp	Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: AgentPackageMonitoring.exe, AgentPackageMonitoring.exe, 0000002D.00000002.1736042091.00007FFB036AA000.00000002.00000001.01000000.0000001E.sdmp	Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: AgentPackageMonitoring.exe, 0000002D.00000002.1697943618.000001D42338D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE IF NOT EXISTS ThresholdDuration (Id INTEGER PRIMARY KEY,Identifier TEXT NOT NULL,Severity TEXT NOT NULL,Timestamp BIGINT NOT NULL); CREATE UNIQUE INDEX IF NOT EXISTS idx_ThresholdDuration_Identifier ON ThresholdDuration (Identifier);@
Source: AteraAgent.exe, 00000024.00000002.2158613123.0000027DEC6DB000.00000004.00000020.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 0000002D.00000000.1639820961.000001D422772000.00000002.00000001.01000000.0000001D.sdmp	Binary or memory string: SELECT [Id], [Alerts], [Timestamp] FROM [AlertsSent] ORDER BY [Timestamp] DESC LIMIT 1;
Source: AteraAgent.exe, 00000024.00000002.2158613123.0000027DEC6DB000.00000004.00000020.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 0000002D.00000000.1639820961.000001D422772000.00000002.00000001.01000000.0000001D.sdmp	Binary or memory string: CREATE TABLE IF NOT EXISTS Statistics (Id INTEGER PRIMARY KEY,Name TEXT NOT NULL,Timestamp BIGINT NOT NULL,Value TEXT NOT NULL);/DELETE FROM Statistics;eSELECT Id, Name, Timestamp, Value FROM Statistics;
Source: AgentPackageMonitoring.exe, 0000002D.00000002.1697943618.000001D42338D000.00000004.00000800.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 0000002D.00000002.1722197586.000001D43C915000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE IF NOT EXISTS [AlertsSent] (Id INTEGER NOT NULL PRIMARY KEY, Timestamp BIGINT NOT NULL, Alerts TEXT NOT NULL);
Source: AgentPackageMonitoring.exe, AgentPackageMonitoring.exe, 0000002D.00000002.1736042091.00007FFB036AA000.00000002.00000001.01000000.0000001E.sdmp	Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: AteraAgent.exe, 00000024.00000002.2158613123.0000027DEC6DB000.00000004.00000020.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 0000002D.00000002.1697943618.000001D42338D000.00000004.00000800.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 0000002D.00000000.1639820961.000001D422772000.00000002.00000001.01000000.0000001D.sdmp	Binary or memory string: CREATE TABLE IF NOT EXISTS ThresholdsProfiles (Id INTEGER NOT NULL PRIMARY KEY,IsActive BOOLEAN NOT NULL,Timestamp BIGINT NOT NULL,Name TEXT NOT NULL,Thresholds TEXT NOT NULL); CREATE INDEX IF NOT EXISTS idx_ThresholdsProfiles_Timestamp ON ThresholdsProfiles (Timestamp);
Source: AgentPackageMonitoring.exe, 0000002D.00000002.1697943618.000001D42338D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE IF NOT EXISTS ThresholdDuration (Id INTEGER PRIMARY KEY,Identifier TEXT NOT NULL,Severity TEXT NOT NULL,Timestamp BIGINT NOT NULL);
Source: AgentPackageMonitoring.exe, 0000002D.00000002.1697943618.000001D42338D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE IF NOT EXISTS AlertedEvents_V2 (Id INTEGER PRIMARY KEY, Timestamp BIGINT NOT NULL, LogName TEXT NOT NULL, Severity INTEGER NOT NULL, RecordId BIGINT NOT NULL, EventId BIGINT NOT NULL, Source TEXT NOT NULL, Message TEXT NULL);
Source: AgentPackageMonitoring.exe, 0000002D.00000002.1697943618.000001D423841000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: INSERT INTO ThresholdsProfiles (IsActive,Timestamp,Name,Thresholds) Values (@isActive,@timestamp,@name,@thresholds); DELETE FROM ThresholdsProfiles WHERE Timestamp < @timeToDelete;
Source: AgentPackageMonitoring.exe, 0000002D.00000002.1697943618.000001D423841000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: INSERT INTO ThresholdsProfiles (IsActive,Timestamp,Name,Thresholds) Values (@isActive,@timestamp,@name,@thresholds); DELETE FROM ThresholdsProfiles WHERE Timestamp < @timeToDelete;@
Source: AgentPackageMonitoring.exe, AgentPackageMonitoring.exe, 0000002D.00000002.1736042091.00007FFB036AA000.00000002.00000001.01000000.0000001E.sdmp	Binary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);
Source: AteraAgent.exe, 00000024.00000002.2158613123.0000027DEC6DB000.00000004.00000020.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 0000002D.00000000.1639820961.000001D422772000.00000002.00000001.01000000.0000001D.sdmp	Binary or memory string: select Name from Win32_PerfFormattedData_Tcpip_NetworkInterface!DataStatsEnabled9InboundBandwidthStatsEnabled;OutboundBandwidthStatsEnabled
Source: AteraAgent.exe, 00000024.00000002.2158613123.0000027DEC6DB000.00000004.00000020.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 0000002D.00000000.1639820961.000001D422772000.00000002.00000001.01000000.0000001D.sdmp	Binary or memory string: SELECT Id, IsActive, Timestamp, Name, Thresholds FROM ThresholdsProfiles ORDER BY Timestamp DESC LIMIT 1;

Source: SecuriteInfo.com.Program.RemoteAdminNET.1.367.20003.msi

Static file information: TRID: Microsoft Windows Installer (60509/1) 57.88%

Source: unknown	Process created: C:\Windows\System32\msiexec.exe "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\SecuriteInfo.com.Program.RemoteAdminNET.1.367.20003.msi"
Source: unknown	Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k NetworkService -p
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding B5D92016C39FF7678052452FC1E699E8
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Windows\Installer\MSIFBAD.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_4062296 2 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.GenerateAgentId
Source: unknown	Process created: C:\Windows\System32\SgrmBroker.exe C:\Windows\system32\SgrmBroker.exe
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k UnistackSvcGroup
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Windows\Installer\MSI16A.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_4063718 6 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.ReportMsiStart
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s wscsvc
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k wsappx -p -s ClipSVC
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k LocalService -s W32Time
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Windows\Installer\MSI14C4.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_4068578 10 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.ShouldContinueInstallation
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding FE293C9828EFC6E5D88E7F26AF6615E9 E Global\MSI0000
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\net.exe "NET" STOP AteraAgent
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 STOP AteraAgent
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\taskkill.exe "TaskKill.exe" /f /im AteraAgent.exe
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe" /i /IntegratorLogin="ilpilarsaomateus@gmail.com" /CompanyId="1" /IntegratorLoginUI="" /CompanyIdUI="" /FolderId="" /AccountId="001Q300000Lu4JQIAZ" /AgentId="66902f0e-5571-47c0-8de5-86038d3e7b35"
Source: unknown	Process created: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe"
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process created: C:\Windows\System32\sc.exe "C:\Windows\System32\sc.exe" failure AteraAgent reset= 600 actions= restart/25000
Source: C:\Windows\System32\sc.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Windows\Installer\MSI330F.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_4076312 32 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.ReportMsiEnd
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" 66902f0e-5571-47c0-8de5-86038d3e7b35 "a7726a3f-8b3e-4e5c-93fd-b7293e973556" agent-api.atera.com/Production 443 or8ixLi90Mf "minimalIdentification" 001Q300000Lu4JQIAZ
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" 66902f0e-5571-47c0-8de5-86038d3e7b35 "cd1ad75d-30e1-481a-b7d6-4d6b012e03f7" agent-api.atera.com/Production 443 or8ixLi90Mf "minimalIdentification" 001Q300000Lu4JQIAZ
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" 66902f0e-5571-47c0-8de5-86038d3e7b35 "3f72da7d-d915-4f53-8bc1-de00eab8c542" agent-api.atera.com/Production 443 or8ixLi90Mf "minimalIdentification" 001Q300000Lu4JQIAZ
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" 66902f0e-5571-47c0-8de5-86038d3e7b35 "db753a87-56d5-4df4-b088-df029e1319dc" agent-api.atera.com/Production 443 or8ixLi90Mf "identified" 001Q300000Lu4JQIAZ
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" 66902f0e-5571-47c0-8de5-86038d3e7b35 "b27bbec1-8375-4d6e-a646-54dd514ea664" agent-api.atera.com/Production 443 or8ixLi90Mf "generalinfo fromGui" 001Q300000Lu4JQIAZ
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe"
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process created: C:\Windows\System32\sc.exe "C:\Windows\System32\sc.exe" failure AteraAgent reset= 600 actions= restart/25000
Source: C:\Windows\System32\conhost.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c cscript "C:\Program Files (x86)\Microsoft Office\Office16\ospp.vbs" /dstatus
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cscript.exe cscript "C:\Program Files (x86)\Microsoft Office\Office16\ospp.vbs" /dstatus
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe" 66902f0e-5571-47c0-8de5-86038d3e7b35 "25d94b19-dd8c-444e-8649-b75dcdab378e" agent-api.atera.com/Production 443 or8ixLi90Mf "install eyJSbW1Db2RlIjoiaFpDREZQaEs3NW1KIn0=" 001Q300000Lu4JQIAZ
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\System32\sppsvc.exe C:\Windows\system32\sppsvc.exe
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe" 66902f0e-5571-47c0-8de5-86038d3e7b35 "cb18c271-196a-4aaf-9ea1-03326a248300" agent-api.atera.com/Production 443 or8ixLi90Mf "syncprofile" 001Q300000Lu4JQIAZ
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k smphost
Source: C:\Windows\System32\svchost.exe	Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" 66902f0e-5571-47c0-8de5-86038d3e7b35 "62bbbd59-291d-44d5-8ada-88594b5f534e" agent-api.atera.com/Production 443 or8ixLi90Mf "generalinfo" 001Q300000Lu4JQIAZ
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe" 66902f0e-5571-47c0-8de5-86038d3e7b35 "153560a1-b70b-409f-affc-69982282c523" agent-api.atera.com/Production 443 or8ixLi90Mf "checkforupdates" 001Q300000Lu4JQIAZ
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c cscript "C:\Program Files (x86)\Microsoft Office\Office16\ospp.vbs" /dstatus
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cscript.exe cscript "C:\Program Files (x86)\Microsoft Office\Office16\ospp.vbs" /dstatus
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding B5D92016C39FF7678052452FC1E699E8	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding FE293C9828EFC6E5D88E7F26AF6615E9 E Global\MSI0000	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe" /i /IntegratorLogin="ilpilarsaomateus@gmail.com" /CompanyId="1" /IntegratorLoginUI="" /CompanyIdUI="" /FolderId="" /AccountId="001Q300000Lu4JQIAZ" /AgentId="66902f0e-5571-47c0-8de5-86038d3e7b35"	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Windows\Installer\MSIFBAD.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_4062296 2 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.GenerateAgentId	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Windows\Installer\MSI16A.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_4063718 6 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.ReportMsiStart	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Windows\Installer\MSI14C4.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_4068578 10 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.ShouldContinueInstallation	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Windows\Installer\MSI330F.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_4076312 32 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.ReportMsiEnd	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\net.exe "NET" STOP AteraAgent
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\taskkill.exe "TaskKill.exe" /f /im AteraAgent.exe
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 STOP AteraAgent
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process created: C:\Windows\System32\sc.exe "C:\Windows\System32\sc.exe" failure AteraAgent reset= 600 actions= restart/25000
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" 66902f0e-5571-47c0-8de5-86038d3e7b35 "a7726a3f-8b3e-4e5c-93fd-b7293e973556" agent-api.atera.com/Production 443 or8ixLi90Mf "minimalIdentification" 001Q300000Lu4JQIAZ
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" 66902f0e-5571-47c0-8de5-86038d3e7b35 "cd1ad75d-30e1-481a-b7d6-4d6b012e03f7" agent-api.atera.com/Production 443 or8ixLi90Mf "minimalIdentification" 001Q300000Lu4JQIAZ
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" 66902f0e-5571-47c0-8de5-86038d3e7b35 "3f72da7d-d915-4f53-8bc1-de00eab8c542" agent-api.atera.com/Production 443 or8ixLi90Mf "minimalIdentification" 001Q300000Lu4JQIAZ
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" 66902f0e-5571-47c0-8de5-86038d3e7b35 "db753a87-56d5-4df4-b088-df029e1319dc" agent-api.atera.com/Production 443 or8ixLi90Mf "identified" 001Q300000Lu4JQIAZ
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" 66902f0e-5571-47c0-8de5-86038d3e7b35 "b27bbec1-8375-4d6e-a646-54dd514ea664" agent-api.atera.com/Production 443 or8ixLi90Mf "generalinfo fromGui" 001Q300000Lu4JQIAZ
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe" 66902f0e-5571-47c0-8de5-86038d3e7b35 "25d94b19-dd8c-444e-8649-b75dcdab378e" agent-api.atera.com/Production 443 or8ixLi90Mf "install eyJSbW1Db2RlIjoiaFpDREZQaEs3NW1KIn0=" 001Q300000Lu4JQIAZ
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe" 66902f0e-5571-47c0-8de5-86038d3e7b35 "cb18c271-196a-4aaf-9ea1-03326a248300" agent-api.atera.com/Production 443 or8ixLi90Mf "syncprofile" 001Q300000Lu4JQIAZ
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c cscript "C:\Program Files (x86)\Microsoft Office\Office16\ospp.vbs" /dstatus
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process created: C:\Windows\System32\sc.exe "C:\Windows\System32\sc.exe" failure AteraAgent reset= 600 actions= restart/25000
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" 66902f0e-5571-47c0-8de5-86038d3e7b35 "62bbbd59-291d-44d5-8ada-88594b5f534e" agent-api.atera.com/Production 443 or8ixLi90Mf "generalinfo" 001Q300000Lu4JQIAZ
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe" 66902f0e-5571-47c0-8de5-86038d3e7b35 "153560a1-b70b-409f-affc-69982282c523" agent-api.atera.com/Production 443 or8ixLi90Mf "checkforupdates" 001Q300000Lu4JQIAZ
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cscript.exe cscript "C:\Program Files (x86)\Microsoft Office\Office16\ospp.vbs" /dstatus
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c cscript "C:\Program Files (x86)\Microsoft Office\Office16\ospp.vbs" /dstatus
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe	Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cscript.exe cscript "C:\Program Files (x86)\Microsoft Office\Office16\ospp.vbs" /dstatus

Source: C:\Windows\System32\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: srpapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: tsappcmp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: msihnd.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: tsappcmp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: srclient.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: spp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: vssapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: vsstrace.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: moshost.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mapsbtsvc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mosstorage.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ztrace_maps.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ztrace_maps.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ztrace_maps.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mapconfiguration.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: aphostservice.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: networkhelper.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: userdataplatformhelperutil.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: syncutil.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mccspal.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dmcfgutils.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dmcmnutils.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dmxmlhelputils.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: inproclogger.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: flightsettings.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: windows.networking.connectivity.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: npmproxy.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msv1_0.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ntlmshared.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptdll.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: synccontroller.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: pimstore.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: aphostclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: accountaccessor.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dsclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: systemeventsbrokerclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: userdatalanguageutil.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mccsengineshared.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cemapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: userdatatypehelperutil.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: phoneutil.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: execmodelproxy.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: rmclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: storsvc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: devobj.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: fltlib.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: bcd.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wer.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: appxdeploymentclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: storageusage.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: w32time.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dsrole.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: vmictimeprovider.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: aclayers.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc_os.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msi.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\net.exe	Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\net.exe	Section loaded: wkscli.dll
Source: C:\Windows\SysWOW64\net.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\net.exe	Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\net.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\net.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: dsrole.dll
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: wkscli.dll
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: logoncli.dll
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: mscoree.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: apphelp.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: version.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: uxtheme.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: windows.storage.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: wldp.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: profapi.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: cryptsp.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: rsaenh.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: urlmon.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: iertutil.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: srvcli.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: netutils.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: sspicli.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: propsys.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: msasn1.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: riched20.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: usp10.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: msls31.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: gpapi.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: cryptnet.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: iphlpapi.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: winnsi.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: winhttp.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: mswsock.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: dhcpcsvc.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: webio.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: dnsapi.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: rasadhlp.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: fwpuclnt.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: wbemcomn.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: amsi.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: userenv.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: mscoree.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: version.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: windows.storage.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: wldp.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: profapi.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: cryptsp.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: rsaenh.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: propsys.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: edputil.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: urlmon.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: iertutil.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: srvcli.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: netutils.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: sspicli.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: wintypes.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: appresolver.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: bcp47langs.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: slc.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: userenv.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: sppc.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: rasapi32.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: rasman.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: rtutils.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: mswsock.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: winhttp.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: iphlpapi.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: dhcpcsvc.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: dnsapi.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: winnsi.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: rasadhlp.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: fwpuclnt.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: secur32.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: schannel.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: mskeyprotect.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: ntasn1.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: ncrypt.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: ncryptsslp.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: msasn1.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: gpapi.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: wbemcomn.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: amsi.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: cryptnet.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: webio.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: cabinet.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: apphelp.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: mscoree.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: apphelp.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: version.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: cryptsp.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: rsaenh.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: windows.storage.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: wldp.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: profapi.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: wbemcomn.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: amsi.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: userenv.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: rasapi32.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: rasman.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: rtutils.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: mswsock.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: winhttp.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: iphlpapi.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: dhcpcsvc.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: dnsapi.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: winnsi.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: rasadhlp.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: fwpuclnt.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: secur32.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: sspicli.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: schannel.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: mskeyprotect.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: ntasn1.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: ncrypt.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: ncryptsslp.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: msasn1.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: gpapi.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: mscoree.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: version.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: cryptsp.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: rsaenh.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: windows.storage.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: wldp.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: profapi.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: wbemcomn.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: amsi.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: userenv.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: rasapi32.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: rasman.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: rtutils.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: mswsock.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: winhttp.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: iphlpapi.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: dhcpcsvc.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: dnsapi.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: winnsi.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: rasadhlp.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: fwpuclnt.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: secur32.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: sspicli.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: schannel.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: mskeyprotect.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: ntasn1.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: ncrypt.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: ncryptsslp.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: msasn1.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: gpapi.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: mscoree.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: version.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: cryptsp.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: rsaenh.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: windows.storage.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: wldp.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: profapi.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: wbemcomn.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: amsi.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: userenv.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: rasapi32.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: rasman.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: rtutils.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: mswsock.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: winhttp.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: iphlpapi.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: dhcpcsvc.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: dnsapi.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: winnsi.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: rasadhlp.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: fwpuclnt.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: secur32.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: sspicli.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: schannel.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: mskeyprotect.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: ntasn1.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: ncrypt.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: ncryptsslp.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: msasn1.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: gpapi.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: mscoree.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: version.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: cryptsp.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: rsaenh.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: windows.storage.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: wldp.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: profapi.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: mscoree.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: version.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: cryptsp.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: rsaenh.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: windows.storage.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: wldp.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: profapi.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: wbemcomn.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: amsi.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: userenv.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: wscapi.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: urlmon.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: iertutil.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: srvcli.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: netutils.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: sspicli.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: mswsock.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: iphlpapi.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: rasapi32.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: rasman.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: rtutils.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: winhttp.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: dhcpcsvc.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: dnsapi.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: winnsi.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: rasadhlp.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: fwpuclnt.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: secur32.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: schannel.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: mskeyprotect.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: ntasn1.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: ncrypt.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: ncryptsslp.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: msasn1.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: gpapi.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: wtsapi32.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: winsta.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: devobj.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: napinsp.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: pnrpnsp.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: wshbth.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: nlaapi.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: winrnr.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: mscoree.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: version.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: windows.storage.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: wldp.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: profapi.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: cryptsp.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: rsaenh.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: propsys.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: edputil.dll

Source: C:\Windows\SysWOW64\rundll32.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32

Jump to behavior

Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe

File written: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.ini

Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\ATERA Networks	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\ATERA Networks\AteraAgent	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\ATERA Networks\AteraAgent\AteraAgent.exe	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\ATERA Networks\AteraAgent\AteraAgent.exe.config	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\ATERA Networks\AteraAgent\BouncyCastle.Crypto.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\ATERA Networks\AteraAgent\ICSharpCode.SharpZipLib.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\ATERA Networks\AteraAgent\Newtonsoft.Json.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\ATERA Networks\AteraAgent\Pubnub.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\ATERA Networks\AteraAgent\System.ValueTuple.dll	Jump to behavior

Source: C:\Windows\System32\msiexec.exe

Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{6B2921FF-79C1-4EBF-81B4-C606D4E5BEF4}

Jump to behavior

Source: SecuriteInfo.com.Program.RemoteAdminNET.1.367.20003.msi

Static file information: File size 2994176 > 1048576

Source:	Binary string: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.pdb source: AgentPackageUpgradeAgent.exe, 00000035.00000002.2182180380.000000AC472F3000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: C:\projects\polly\src\Polly\obj\Release\netstandard1.1\Polly.pdbSHA256 source: AgentPackageMonitoring.exe, 0000002D.00000002.1696379168.000001D422D82000.00000002.00000001.01000000.00000022.sdmp
Source:	Binary string: \mscorlib.pdbpdblib.pdb source: AgentPackageUpgradeAgent.exe, 00000035.00000002.2210125521.000001B373C55000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: E:\A\_work\582\s\bin\obj\ref\System.Net.NetworkInformation\4.1.2.0\System.Net.NetworkInformation.pdb source: System.Net.NetworkInformation.dll.36.dr
Source:	Binary string: D:\a\41\s\AteraNugetPackages\Atera.AgentPackages.ModelsV3\Atera.AgentPackages.ModelsV3\obj\Release\net45\Atera.AgentPackages.ModelsV3.pdbSHA256t source: Atera.AgentPackages.ModelsV3.dll.36.dr
Source:	Binary string: \??\C:\Windows\dll\mscorlib.pdb source: AgentPackageUpgradeAgent.exe, 00000035.00000002.2210125521.000001B373C55000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\s\AlphaControlAgent\obj\Release\AteraAgent.pdb<$ source: AteraAgent.exe, 00000014.00000000.1363107154.00000282B3042000.00000002.00000001.01000000.00000010.sdmp
Source:	Binary string: D:\a\1\s\Atera.AgentPackage.Common\obj\Release\Atera.AgentPackage.Common.pdb source: AgentPackageAgentInformation.exe, 0000001C.00000002.1571157311.000001DD472C2000.00000002.00000001.01000000.0000001A.sdmp, Atera.AgentPackage.Common.dll3.36.dr
Source:	Binary string: E:\A\_work\582\s\bin\obj\ref\System.Resources.Reader\4.0.2.0\System.Resources.Reader.pdb source: System.Resources.Reader.dll.36.dr
Source:	Binary string: D:\a\41\s\AteraNugetPackages\Atera.AgentPackages.ModelsV3\Atera.AgentPackages.ModelsV3\obj\Release\net45\Atera.AgentPackages.ModelsV3.pdb source: Atera.AgentPackages.ModelsV3.dll.36.dr
Source:	Binary string: D:\a\1\s\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent\obj\Release\AgentPackageUpgradeAgent.pdb source: AgentPackageUpgradeAgent.exe, 00000035.00000000.1930927486.000001B35A972000.00000002.00000001.01000000.00000029.sdmp, AgentPackageUpgradeAgent.exe, 00000035.00000002.2210125521.000001B373C55000.00000004.00000020.00020000.00000000.sdmp, AgentPackageUpgradeAgent.exe.36.dr
Source:	Binary string: c:\dev\sqlite\dotnet-private\obj\2012\System.Data.SQLite.2012\Release\System.Data.SQLite.pdbp+ source: AgentPackageMonitoring.exe, 0000002D.00000002.1719872483.000001D43BAF2000.00000002.00000001.01000000.00000024.sdmp
Source:	Binary string: E:\A\_work\582\s\bin\obj\ref\System.Runtime.CompilerServices.VisualC\4.0.2.0\System.Runtime.CompilerServices.VisualC.pdb source: System.Runtime.CompilerServices.VisualC.dll.36.dr
Source:	Binary string: C:\projects\nlog\src\NLog\obj\Release\net45\NLog.pdb source: AgentPackageMonitoring.exe, 0000002D.00000002.1720602037.000001D43BBD2000.00000002.00000001.01000000.00000025.sdmp, NLog.dll.36.dr
Source:	Binary string: D:\a\1\s\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent\obj\Release\AgentPackageUpgradeAgent.pdbdeAgent.pdb source: AgentPackageUpgradeAgent.exe, 00000035.00000002.2182180380.000000AC472F3000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: C:\projects\structuremap\src\StructureMap\obj\Release\net45\StructureMap.pdb source: AgentPackageMonitoring.exe, 0000002D.00000002.1694921612.000001D422C82000.00000002.00000001.01000000.00000020.sdmp
Source:	Binary string: .pdb) source: AgentPackageUpgradeAgent.exe, 00000035.00000002.2182180380.000000AC472F3000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: E:\A\_work\582\s\bin\obj\ref\System.Resources.Reader\4.0.2.0\System.Resources.Reader.pdbl( source: System.Resources.Reader.dll.36.dr
Source:	Binary string: E:\A\_work\582\s\bin\obj\ref\System.Diagnostics.TextWriterTraceListener\4.0.2.0\System.Diagnostics.TextWriterTraceListener.pdb source: System.Diagnostics.TextWriterTraceListener.dll.36.dr
Source:	Binary string: E:\A\_work\156\s\corefx\bin\obj\AnyOS.AnyCPU.Release\System.Buffers\netstandard1.1\System.Buffers.pdbSHA256 source: System.Buffers.dll.21.dr
Source:	Binary string: D:\a\41\s\AteraNugetPackages\Atera.AgentPackages.CommonLib\Atera.AgentPackages.CommonLib\obj\Release\Atera.AgentPackages.CommonLib.pdb'` source: Atera.AgentPackages.CommonLib.dll.36.dr
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdbl source: AgentPackageUpgradeAgent.exe, 00000035.00000002.2210125521.000001B373C55000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\agent\_work\66\s\build\obj\ship\x86\WindowsInstaller\Microsoft.Deployment.WindowsInstaller.pdb source: rundll32.exe, 00000005.00000003.1267628350.00000000048F0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.1288418547.000000000464A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.1331654140.00000000041F4000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000018.00000003.1408439085.0000000004EEA000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: E:\A\_work\582\s\bin\obj\ref\System.Diagnostics.Debug\4.0.11.0\System.Diagnostics.Debug.pdb source: System.Diagnostics.Debug.dll.36.dr
Source:	Binary string: ib.pdb: source: AgentPackageUpgradeAgent.exe, 00000035.00000002.2210125521.000001B373BC0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: AgentPackageUpgradeAgent.exe, 00000035.00000002.2210125521.000001B373C55000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\s\AlphaControlAgent\obj\Release\AteraAgent.pdb source: AteraAgent.exe, 00000014.00000000.1363107154.00000282B3042000.00000002.00000001.01000000.00000010.sdmp
Source:	Binary string: E:\A\_work\39\s\corefx\bin\obj\AnyOS.AnyCPU.Release\System.ValueTuple\netstandard1.0\System.ValueTuple.pdbSHA256 source: AgentPackageUpgradeAgent.exe, 00000035.00000002.2210125521.000001B373C55000.00000004.00000020.00020000.00000000.sdmp, System.ValueTuple.dll.53.dr, System.ValueTuple.dll.36.dr, System.ValueTuple.dll.2.dr
Source:	Binary string: C:\dev\sqlite\dotnet-private\obj\2015\System.Data.SQLite.2015\Release\System.Data.SQLite.pdb source: System.Data.SQLite.dll.36.dr
Source:	Binary string: E:\A\_work\39\s\corefx\bin\obj\AnyOS.AnyCPU.Release\System.Diagnostics.DiagnosticSource\net46\System.Diagnostics.DiagnosticSource.pdb source: System.Diagnostics.DiagnosticSource.dll.36.dr
Source:	Binary string: /_/src/ICSharpCode.SharpZipLib/obj/Release/net45/ICSharpCode.SharpZipLib.pdbSHA256mW source: AteraAgent.exe, 00000015.00000002.1901558159.000002A3428C2000.00000002.00000001.01000000.00000028.sdmp
Source:	Binary string: E:\A\_work\1795\s\corefx\bin/obj/AnyOS.AnyCPU.Release/System.Data.Common/netfx\System.Data.Common.pdb source: System.Data.Common.dll.36.dr
Source:	Binary string: /_/src/ICSharpCode.SharpZipLib/obj/Release/net45/ICSharpCode.SharpZipLib.pdb source: AteraAgent.exe, 00000015.00000002.1901558159.000002A3428C2000.00000002.00000001.01000000.00000028.sdmp
Source:	Binary string: /_/Src/Newtonsoft.Json/obj/Release/net45/Newtonsoft.Json.pdbSHA2567 source: rundll32.exe, 00000005.00000003.1267628350.0000000004921000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.1288418547.000000000467B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.1331654140.0000000004225000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000018.00000003.1408439085.0000000004F1B000.00000004.00000020.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 0000002D.00000002.1721452869.000001D43BCB2000.00000002.00000001.01000000.00000026.sdmp, Newtonsoft.Json.dll.53.dr
Source:	Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdbD source: AgentPackageUpgradeAgent.exe, 00000035.00000002.2210125521.000001B373BC0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\code\dapper-dot-net\Dapper\bin\Release\net45\Dapper.pdb source: AgentPackageMonitoring.exe, 0000002D.00000002.1719646159.000001D43BAB2000.00000002.00000001.01000000.00000023.sdmp
Source:	Binary string: C:\agent\_work\8\s\build\obj\ship\x86\WindowsInstaller\Microsoft.Deployment.WindowsInstaller.pdb source: Microsoft.Deployment.WindowsInstaller.dll.36.dr
Source:	Binary string: E:\A\_work\582\s\bin\obj\ref\System.Net.Security\4.0.2.0\System.Net.Security.pdbTn `*_CorDllMainmscoree.dll source: System.Net.Security.dll.36.dr
Source:	Binary string: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.PDBpy/G source: AgentPackageUpgradeAgent.exe, 00000035.00000002.2182180380.000000AC472F3000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: C:\projects\nlog\src\NLog\obj\Release\net45\NLog.pdbSHA256d source: AgentPackageMonitoring.exe, 0000002D.00000002.1720602037.000001D43BBD2000.00000002.00000001.01000000.00000025.sdmp, NLog.dll.36.dr
Source:	Binary string: E:\A\_work\156\s\corefx\bin\obj\AnyOS.AnyCPU.Release\System.Buffers\netstandard1.1\System.Buffers.pdb source: System.Buffers.dll.21.dr
Source:	Binary string: C:\projects\polly\src\Polly\obj\Release\netstandard1.1\Polly.pdb source: AgentPackageMonitoring.exe, 0000002D.00000002.1696379168.000001D422D82000.00000002.00000001.01000000.00000022.sdmp
Source:	Binary string: D:\a\1\s\AgentPackageAgentInformation\AgentPackageAgentInformation\obj\Release\AgentPackageAgentInformation.pdb source: AgentPackageAgentInformation.exe, 0000001A.00000000.1533103031.000002069BBD2000.00000002.00000001.01000000.00000018.sdmp, AgentPackageAgentInformation.exe.21.dr
Source:	Binary string: D:\a\1\s\AlphaControlAgentInstallation\obj\Release\AlphaControlAgentInstallation.pdb source: rundll32.exe, 00000005.00000003.1267628350.00000000048F0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.1288418547.000000000464A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.1331654140.00000000041F4000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000018.00000003.1408439085.0000000004EEA000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: symbols\exe\AgentPackageUpgradeAgent.pdb source: AgentPackageUpgradeAgent.exe, 00000035.00000002.2182180380.000000AC472F3000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: /_/Src/Newtonsoft.Json/obj/Release/net45/Newtonsoft.Json.pdbSHA256 source: AteraAgent.exe, 00000015.00000002.1880894733.000002A32A056000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000001A.00000002.1571556014.000002069C692000.00000002.00000001.01000000.0000001B.sdmp, AgentPackageSTRemote.exe, 0000002A.00000002.2195827231.000001EE9E170000.00000002.00000001.01000000.00000030.sdmp, Newtonsoft.Json.dll1.36.dr
Source:	Binary string: /_/Src/Newtonsoft.Json/obj/Release/net45/Newtonsoft.Json.pdb source: rundll32.exe, 00000005.00000003.1267628350.0000000004921000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.1288418547.000000000467B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.1331654140.0000000004225000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000015.00000002.1880894733.000002A32A056000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000018.00000003.1408439085.0000000004F1B000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000001A.00000002.1571556014.000002069C692000.00000002.00000001.01000000.0000001B.sdmp, AgentPackageSTRemote.exe, 0000002A.00000002.2195827231.000001EE9E170000.00000002.00000001.01000000.00000030.sdmp, AgentPackageMonitoring.exe, 0000002D.00000002.1721452869.000001D43BCB2000.00000002.00000001.01000000.00000026.sdmp, Newtonsoft.Json.dll1.36.dr, Newtonsoft.Json.dll.53.dr
Source:	Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e source: AgentPackageUpgradeAgent.exe, 00000035.00000002.2209008639.000001B373A42000.00000002.00000001.01000000.00000031.sdmp
Source:	Binary string: E:\A\_work\39\s\corefx\bin\obj\AnyOS.AnyCPU.Release\System.ValueTuple\netstandard1.0\System.ValueTuple.pdb source: AgentPackageUpgradeAgent.exe, 00000035.00000002.2210125521.000001B373C55000.00000004.00000020.00020000.00000000.sdmp, System.ValueTuple.dll.53.dr, System.ValueTuple.dll.36.dr, System.ValueTuple.dll.2.dr
Source:	Binary string: t.pdbpdb source: AteraAgent.exe, 00000024.00000002.2150679963.0000027DEC317000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb source: AgentPackageUpgradeAgent.exe, 00000035.00000002.2209008639.000001B373A42000.00000002.00000001.01000000.00000031.sdmp
Source:	Binary string: D:\a\1\s\AgentPackageMonitoring\AgentPackageMonitoring\obj\Release\AgentPackageMonitoring.pdbr source: AteraAgent.exe, 00000024.00000002.2158613123.0000027DEC6DB000.00000004.00000020.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 0000002D.00000000.1639820961.000001D422772000.00000002.00000001.01000000.0000001D.sdmp
Source:	Binary string: D:\a\1\s\AgentPackageMonitoring\AgentPackageMonitoring\obj\Release\AgentPackageMonitoring.pdb source: AteraAgent.exe, 00000024.00000002.2158613123.0000027DEC6DB000.00000004.00000020.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 0000002D.00000000.1639820961.000001D422772000.00000002.00000001.01000000.0000001D.sdmp
Source:	Binary string: AgentPackageUpgradeAgent.PDB source: AgentPackageUpgradeAgent.exe, 00000035.00000002.2182180380.000000AC472F3000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: C:\agent\_work\66\s\build\ship\x86\wixca.pdb source: SecuriteInfo.com.Program.RemoteAdminNET.1.367.20003.msi, MSI18BE.tmp.2.dr, ateraAgentSetup64_1_8_7_2.msi.53.dr, MSI5003.tmp.2.dr
Source:	Binary string: em.pdb source: AteraAgent.exe, 00000015.00000002.1898386456.000002A342505000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\agent\_work\66\s\build\obj\ship\x86\WindowsInstaller\Microsoft.Deployment.WindowsInstaller.pdbP source: rundll32.exe, 00000005.00000003.1267628350.00000000048F0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.1288418547.000000000464A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.1331654140.00000000041F4000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000018.00000003.1408439085.0000000004EEA000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\projects\structuremap\src\StructureMap\obj\Release\net45\StructureMap.pdbSHA256`{f source: AgentPackageMonitoring.exe, 0000002D.00000002.1694921612.000001D422C82000.00000002.00000001.01000000.00000020.sdmp
Source:	Binary string: E:\A\_work\582\s\bin\obj\ref\System.Linq.Parallel\4.0.1.0\System.Linq.Parallel.pdb source: System.Linq.Parallel.dll.36.dr
Source:	Binary string: D:\a\1\s\Atera.AgentPackage.Common\obj\Release\Atera.AgentPackage.Common.pdbPf source: AgentPackageAgentInformation.exe, 0000001C.00000002.1571157311.000001DD472C2000.00000002.00000001.01000000.0000001A.sdmp, Atera.AgentPackage.Common.dll3.36.dr
Source:	Binary string: C:\agent\_work\8\s\build\obj\ship\x86\WindowsInstaller\Microsoft.Deployment.WindowsInstaller.pdbT source: Microsoft.Deployment.WindowsInstaller.dll.36.dr
Source:	Binary string: D:\a\41\s\AteraNugetPackages\Atera.Utils\Atera.Utils\obj\Release\net45\Atera.Utils.pdbSHA256 source: AteraAgent.exe, 00000024.00000002.2088334568.0000027D802B1000.00000004.00000800.00020000.00000000.sdmp, Atera.Utils.dll.36.dr
Source:	Binary string: E:\A\_work\582\s\bin\obj\ref\System.Net.Security\4.0.2.0\System.Net.Security.pdb source: System.Net.Security.dll.36.dr
Source:	Binary string: PC:\Windows\AgentPackageUpgradeAgent.pdb source: AgentPackageUpgradeAgent.exe, 00000035.00000002.2182180380.000000AC472F3000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\symbols\exe\AgentPackageUpgradeAgent.pdb source: AgentPackageUpgradeAgent.exe, 00000035.00000002.2210125521.000001B373C55000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: pC:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.PDB source: AgentPackageUpgradeAgent.exe, 00000035.00000002.2182180380.000000AC472F3000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: E:\A\_work\582\s\bin\obj\ref\System.IO.FileSystem.Primitives\4.0.3.0\System.IO.FileSystem.Primitives.pdb source: System.IO.FileSystem.Primitives.dll.36.dr
Source:	Binary string: E:\A\_work\582\s\bin\obj\ref\System.Runtime.CompilerServices.VisualC\4.0.2.0\System.Runtime.CompilerServices.VisualC.pdb@Z L*_CorDllMainmscoree.dll source: System.Runtime.CompilerServices.VisualC.dll.36.dr
Source:	Binary string: mscorlib.pdb source: AgentPackageUpgradeAgent.exe, 00000035.00000002.2210125521.000001B373BC0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: E:\A\_work\1795\s\corefx\bin/obj/Windows_NT.AnyCPU.Release/System.Runtime.Serialization.Primitives/netfx\System.Runtime.Serialization.Primitives.pdb source: System.Runtime.Serialization.Primitives.dll.36.dr
Source:	Binary string: /_/CommunityToolkit.WinUI.Notifications/obj/Release/net461/CommunityToolkit.WinUI.Notifications.pdbSHA2564 source: CommunityToolkit.WinUI.Notifications.dll.36.dr
Source:	Binary string: C:\dev\sqlite\dotnet-private\bin\2012\x64\ReleaseNativeOnlyStatic\SQLite.Interop.pdb source: AgentPackageMonitoring.exe, 0000002D.00000002.1736042091.00007FFB036AA000.00000002.00000001.01000000.0000001E.sdmp
Source:	Binary string: D:\a\c-sharp\c-sharp\src\Api\PubnubApi\obj\Release\net45\Pubnub.pdbSHA256 source: AteraAgent.exe, 00000014.00000002.1404516323.00000282CD602000.00000002.00000001.01000000.00000012.sdmp, Pubnub.dll0.2.dr
Source:	Binary string: C:\Windows\AgentPackageUpgradeAgent.pdbpdbent.pdb source: AgentPackageUpgradeAgent.exe, 00000035.00000002.2210125521.000001B373C55000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\41\s\AteraNugetPackages\Atera.Utils\Atera.Utils\obj\Release\net45\Atera.Utils.pdb source: AteraAgent.exe, 00000024.00000002.2088334568.0000027D802B1000.00000004.00000800.00020000.00000000.sdmp, Atera.Utils.dll.36.dr
Source:	Binary string: D:\a\c-sharp\c-sharp\src\Api\PubnubApi\obj\Release\net45\Pubnub.pdb source: AteraAgent.exe, 00000014.00000002.1404516323.00000282CD602000.00000002.00000001.01000000.00000012.sdmp, Pubnub.dll0.2.dr
Source:	Binary string: E:\A\_work\156\s\corefx\bin\obj\AnyOS.AnyCPU.Release\System.Memory\netstandard1.1\System.Memory.pdb source: AteraAgent.exe, 00000024.00000002.2088334568.0000027D80299000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: c:\dev\sqlite\dotnet-private\obj\2012\System.Data.SQLite.2012\Release\System.Data.SQLite.pdb source: AgentPackageMonitoring.exe, 0000002D.00000002.1719872483.000001D43BAF2000.00000002.00000001.01000000.00000024.sdmp
Source:	Binary string: E:\A\_work\582\s\bin\obj\ref\System.Net.WebSockets\4.0.2.0\System.Net.WebSockets.pdb source: System.Net.WebSockets.dll.36.dr
Source:	Binary string: C:\agent\_work\66\s\build\ship\x86\SfxCA.pdb source: SecuriteInfo.com.Program.RemoteAdminNET.1.367.20003.msi, MSI1FA3.tmp.2.dr, ateraAgentSetup64_1_8_7_2.msi.53.dr
Source:	Binary string: E:\A\_work\582\s\bin\obj\ref\System.Net.Ping\4.0.2.0\System.Net.Ping.pdb source: System.Net.Ping.dll.36.dr
Source:	Binary string: \??\C:\Windows\exe\AgentPackageUpgradeAgent.pdb source: AgentPackageUpgradeAgent.exe, 00000035.00000002.2210125521.000001B373C55000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: /_/CommunityToolkit.WinUI.Notifications/obj/Release/net461/CommunityToolkit.WinUI.Notifications.pdb source: CommunityToolkit.WinUI.Notifications.dll.36.dr
Source:	Binary string: E:\A\_work\156\s\corefx\bin\obj\AnyOS.AnyCPU.Release\System.Memory\netstandard1.1\System.Memory.pdbSHA256 source: AteraAgent.exe, 00000024.00000002.2088334568.0000027D80299000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: D:\a\41\s\AteraNugetPackages\Atera.AgentPackages.CommonLib\Atera.AgentPackages.CommonLib\obj\Release\Atera.AgentPackages.CommonLib.pdb source: Atera.AgentPackages.CommonLib.dll.36.dr

Source: BouncyCastle.Crypto.dll.2.dr

Static PE information: 0xE49A52B3 [Sun Jul 15 06:22:43 2091 UTC]

Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe

Code function: 45_2_00007FFB03561910 EncodePointer,__crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,

45_2_00007FFB03561910

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_3_06C657B8 push es; ret	8_3_06C65840
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_3_06C60E8C push ebp; retn 5506h	8_3_06C620AE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_3_06C64E90 push es; ret	8_3_06C64EA0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_3_06C66BF3 push es; ret	8_3_06C66C00
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_3_06C6688B push es; ret	8_3_06C66890
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_3_06C6576F push es; ret	8_3_06C65860
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_3_06C634AB push edi; retf	8_3_06C634B2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_3_06C63439 push esi; retf	8_3_06C6343A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_3_06C63373 push ebp; retf	8_3_06C6337A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_3_06C658D1 push es; ret	8_3_06C658E0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_3_06C658F0 push es; ret	8_3_06C65900
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_3_06C65890 push es; ret	8_3_06C658A0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_3_06C658B0 push es; ret	8_3_06C658C0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_3_06C65850 push es; ret	8_3_06C65860
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_3_06C65873 push es; ret	8_3_06C65880
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_3_06C65951 push es; ret	8_3_06C65960
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_3_06C65910 push es; ret	8_3_06C65920
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_3_06C65931 push es; ret	8_3_06C65940
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_3_06D584A1 push es; ret	8_3_06D584B0
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Code function: 21_2_00007FFAAC790E8D push eax; retf	21_2_00007FFAAC790EAC
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Code function: 21_2_00007FFAAC787A95 push ecx; retf	21_2_00007FFAAC787A3A
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Code function: 21_2_00007FFAAC7A0AAA pushad ; ret	21_2_00007FFAAC7A0AB9
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Code function: 21_2_00007FFAAC787A15 push ecx; retf	21_2_00007FFAAC787A3A
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Code function: 21_2_00007FFAAC990F64 push eax; ret	21_2_00007FFAAC990F94
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Code function: 26_2_00007FFAAC7894FD push eax; retf	26_2_00007FFAAC78950C
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Code function: 28_2_00007FFAAC775587 push ebp; iretd	28_2_00007FFAAC7755D8
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Code function: 30_2_00007FFAAC775587 push ebp; iretd	30_2_00007FFAAC7755D8
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Code function: 34_2_00007FFAAC7AD2E5 pushad ; iretd	34_2_00007FFAAC7BAA65
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Code function: 34_2_00007FFAAC792D9B push eax; ret	34_2_00007FFAAC792E1D
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Code function: 34_2_00007FFAAC79F650 push eax; iretd	34_2_00007FFAAC79F65D
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Code function: 34_2_00007FFAAC79F8E5 push ecx; retf	34_2_00007FFAAC79F8EA

Persistence and Installation Behavior

Creates files in the system32 config directory

Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C56C4404C4DEF0DC88E5FCD9F09CB2F1
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C56C4404C4DEF0DC88E5FCD9F09CB2F1
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F2E248BEDDBB2D85122423C41028BFD4
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F2E248BEDDBB2D85122423C41028BFD4
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EC9B1D0ABBD7F98B401D425828828CE_DEB07B5578A606ED6489DDA2E357A944
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EC9B1D0ABBD7F98B401D425828828CE_DEB07B5578A606ED6489DDA2E357A944
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	File created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\AgentPackageAgentInformation.exe.log
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe	File created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\AgentPackageSTRemote.exe.log
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe	File created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\AgentPackageMonitoring.exe.log

Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI1A18.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSI330F.tmp-\AlphaControlAgentInstallation.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSI330F.tmp-\Microsoft.Deployment.WindowsInstaller.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSIFBAD.tmp-\Newtonsoft.Json.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI30EF.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSIFBAD.tmp-\AlphaControlAgentInstallation.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI5003.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSI16A.tmp-\Microsoft.Deployment.WindowsInstaller.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSI14C4.tmp-\Microsoft.Deployment.WindowsInstaller.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI14C4.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI50FE.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSIFBAD.tmp-\System.Management.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI18BE.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI4F08.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI57D5.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSI16A.tmp-\System.Management.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI3071.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSI330F.tmp-\System.Management.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI1FA3.tmp	Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe	File created: C:\Windows\Temp\SplashtopStreamer.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI191D.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSI330F.tmp-\Newtonsoft.Json.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI16A.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSI14C4.tmp-\AlphaControlAgentInstallation.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSI16A.tmp-\Newtonsoft.Json.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI21B7.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI294A.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSIFBAD.tmp-\Microsoft.Deployment.WindowsInstaller.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIFBAD.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSI16A.tmp-\AlphaControlAgentInstallation.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSI14C4.tmp-\Newtonsoft.Json.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI2FA5.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSI14C4.tmp-\System.Management.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI330F.tmp	Jump to dropped file

Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File created: C:\Windows\system32\InstallUtil.InstallLog
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.InstallLog
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe	File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\ToBeRemoved\AteraAgent.InstallLog

Boot Survival

Installs Task Scheduler Managed Wrapper

Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\Microsoft.Win32.TaskScheduler.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Microsoft.Win32.TaskScheduler.dll

Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe

Registry key created: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Application

Source: C:\Windows\System32\svchost.exe

Registry key value modified: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\W32Time\Config

Jump to behavior

Source: C:\Windows\SysWOW64\msiexec.exe

Process created: C:\Windows\SysWOW64\net.exe "NET" STOP AteraAgent

Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe

Process created: C:\Windows\System32\sc.exe "C:\Windows\System32\sc.exe" failure AteraAgent reset= 600 actions= restart/25000

Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe

Code function: 45_2_00007FFB0355A524 EncodePointer,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

45_2_00007FFB0355A524

Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Registry key monitored for changes: HKEY_USERS.DEFAULT\Software\Classes
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Registry key monitored for changes: HKEY_USERS.DEFAULT\Software\Classes
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Registry key monitored for changes: HKEY_USERS.DEFAULT\Software\Classes

Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe

Key value created or modified: HKEY_USERS.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates\7B0F360B775F76C94A12CA48445AA2D2A875701C Blob

Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_DiskDrive
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : associators of {\\user-PC\ROOT\cimv2:Win32_DiskDrive.DeviceID="\\\\.\\PHYSICALDRIVE0"} where resultclass = Win32_DiskPartition
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_DiskDriveToDiskPartition where Antecedent="Win32_DiskDrive.DeviceID=\"\\\\\\\\.\\\\PHYSICALDRIVE0\""
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_DiskDrive
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : associators of {\\user-PC\ROOT\cimv2:Win32_DiskDrive.DeviceID="\\\\.\\PHYSICALDRIVE0"} where resultclass = Win32_DiskPartition
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_DiskDriveToDiskPartition where Antecedent="Win32_DiskDrive.DeviceID=\"\\\\\\\\.\\\\PHYSICALDRIVE0\""
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_DiskDrive
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : associators of {\\user-PC\ROOT\cimv2:Win32_DiskDrive.DeviceID="\\\\.\\PHYSICALDRIVE0"} where resultclass = Win32_DiskPartition
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_DiskDriveToDiskPartition where Antecedent="Win32_DiskDrive.DeviceID=\"\\\\\\\\.\\\\PHYSICALDRIVE0\""
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_DiskDrive
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : associators of {\\user-PC\ROOT\cimv2:Win32_DiskDrive.DeviceID="\\\\.\\PHYSICALDRIVE0"} where resultclass = Win32_DiskPartition
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_DiskDriveToDiskPartition where Antecedent="Win32_DiskDrive.DeviceID=\"\\\\\\\\.\\\\PHYSICALDRIVE0\""

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_NetworkAdapter
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_NetworkAdapter
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_NetworkAdapter
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_NetworkAdapter
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select PhysicalAdapter,Name,PNPDeviceID from Win32_NetworkAdapter
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_NetworkAdapter
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_NetworkAdapter
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select PhysicalAdapter,Name,PNPDeviceID from Win32_NetworkAdapter
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_NetworkAdapter

Queries sensitive service information (via WMI, WIN32_SERVICE, often done to detect sandboxes)

Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : select Name,DisplayName,Description,State from Win32_Service
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : select Name,DisplayName,Description,State from Win32_Service

Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)

Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : associators of {\\user-PC\root\cimv2:Win32_DiskPartition.DeviceID="Disk #0, Partition #0"} where resultclass = Win32_LogicalDisk
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_LogicalDiskToPartition where Antecedent="Win32_DiskPartition.DeviceID=\"Disk #0, Partition #0\""
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : associators of {\\user-PC\root\cimv2:Win32_DiskPartition.DeviceID="Disk #0, Partition #1"} where resultclass = Win32_LogicalDisk
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_LogicalDiskToPartition where Antecedent="Win32_DiskPartition.DeviceID=\"Disk #0, Partition #1\""
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : associators of {\\user-PC\root\cimv2:Win32_DiskPartition.DeviceID="Disk #0, Partition #2"} where resultclass = Win32_LogicalDisk
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_LogicalDiskToPartition where Antecedent="Win32_DiskPartition.DeviceID=\"Disk #0, Partition #2\""
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Size,FreeSpace,Name FROM Win32_LogicalDisk where DriveType=3
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : associators of {\\user-PC\root\cimv2:Win32_DiskPartition.DeviceID="Disk #0, Partition #0"} where resultclass = Win32_LogicalDisk
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_LogicalDiskToPartition where Antecedent="Win32_DiskPartition.DeviceID=\"Disk #0, Partition #0\""
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : associators of {\\user-PC\root\cimv2:Win32_DiskPartition.DeviceID="Disk #0, Partition #1"} where resultclass = Win32_LogicalDisk
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_LogicalDiskToPartition where Antecedent="Win32_DiskPartition.DeviceID=\"Disk #0, Partition #1\""
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : associators of {\\user-PC\root\cimv2:Win32_DiskPartition.DeviceID="Disk #0, Partition #2"} where resultclass = Win32_LogicalDisk
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_LogicalDiskToPartition where Antecedent="Win32_DiskPartition.DeviceID=\"Disk #0, Partition #2\""
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : associators of {\\user-PC\root\cimv2:Win32_DiskPartition.DeviceID="Disk #0, Partition #0"} where resultclass = Win32_LogicalDisk
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_LogicalDiskToPartition where Antecedent="Win32_DiskPartition.DeviceID=\"Disk #0, Partition #0\""
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : associators of {\\user-PC\root\cimv2:Win32_DiskPartition.DeviceID="Disk #0, Partition #1"} where resultclass = Win32_LogicalDisk
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_LogicalDiskToPartition where Antecedent="Win32_DiskPartition.DeviceID=\"Disk #0, Partition #1\""
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : associators of {\\user-PC\root\cimv2:Win32_DiskPartition.DeviceID="Disk #0, Partition #2"} where resultclass = Win32_LogicalDisk
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_LogicalDiskToPartition where Antecedent="Win32_DiskPartition.DeviceID=\"Disk #0, Partition #2\""
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Size,FreeSpace,Name FROM Win32_LogicalDisk where DriveType=3
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : associators of {\\user-PC\root\cimv2:Win32_DiskPartition.DeviceID="Disk #0, Partition #0"} where resultclass = Win32_LogicalDisk
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_LogicalDiskToPartition where Antecedent="Win32_DiskPartition.DeviceID=\"Disk #0, Partition #0\""
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : associators of {\\user-PC\root\cimv2:Win32_DiskPartition.DeviceID="Disk #0, Partition #1"} where resultclass = Win32_LogicalDisk
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_LogicalDiskToPartition where Antecedent="Win32_DiskPartition.DeviceID=\"Disk #0, Partition #1\""
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : associators of {\\user-PC\root\cimv2:Win32_DiskPartition.DeviceID="Disk #0, Partition #2"} where resultclass = Win32_LogicalDisk
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_LogicalDiskToPartition where Antecedent="Win32_DiskPartition.DeviceID=\"Disk #0, Partition #2\""

Queries sensitive sound device information (via WMI, Win32_SoundDevice, often done to detect virtual machines)

Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select Name from Win32_SoundDevice
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select Name from Win32_SoundDevice

Query firmware table information (likely to detect VMs)

Source: C:\Windows\System32\svchost.exe

System information queried: FirmwareTableInformation

Jump to behavior

Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Memory allocated: 282B3390000 memory reserve \| memory write watch
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Memory allocated: 282CCDD0000 memory reserve \| memory write watch
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Memory allocated: 2A329280000 memory reserve \| memory write watch
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Memory allocated: 2A341A40000 memory reserve \| memory write watch
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Memory allocated: 2069BF30000 memory reserve \| memory write watch
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Memory allocated: 206B47A0000 memory reserve \| memory write watch
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Memory allocated: 1DD47280000 memory reserve \| memory write watch
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Memory allocated: 1DD5F960000 memory reserve \| memory write watch
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Memory allocated: 131AC690000 memory reserve \| memory write watch
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Memory allocated: 131C4D00000 memory reserve \| memory write watch
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Memory allocated: 1851F400000 memory reserve \| memory write watch
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Memory allocated: 18537600000 memory reserve \| memory write watch
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Memory allocated: 248AC430000 memory reserve \| memory write watch
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Memory allocated: 248C4A10000 memory reserve \| memory write watch
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Memory allocated: 27DEB3D0000 memory reserve \| memory write watch
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Memory allocated: 27DEB950000 memory reserve \| memory write watch
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe	Memory allocated: 1EE85380000 memory reserve \| memory write watch
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe	Memory allocated: 1EE9D990000 memory reserve \| memory write watch
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe	Memory allocated: 1D422A00000 memory reserve \| memory write watch
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe	Memory allocated: 1D43B2A0000 memory reserve \| memory write watch
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Memory allocated: 18792200000 memory reserve \| memory write watch
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Memory allocated: 187AA850000 memory reserve \| memory write watch
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe	Memory allocated: 1B35AD90000 memory reserve \| memory write watch
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe	Memory allocated: 1B373260000 memory reserve \| memory write watch

Source: C:\Windows\System32\svchost.exe

File opened / queried: SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}

Jump to behavior

Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe

Code function: 36_2_00007FFAAC9A92D0 rdtsc

36_2_00007FFAAC9A92D0

Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe

Code function: 21_2_00007FFAAC9A09B5 sgdt fword ptr [eax]

21_2_00007FFAAC9A09B5

Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Thread delayed: delay time: 600000
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Thread delayed: delay time: 599875
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Thread delayed: delay time: 599765
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Thread delayed: delay time: 599656
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Thread delayed: delay time: 599546
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Thread delayed: delay time: 599436
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Thread delayed: delay time: 599327
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Thread delayed: delay time: 599218
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Thread delayed: delay time: 599109
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Thread delayed: delay time: 598999
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Thread delayed: delay time: 598890
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Thread delayed: delay time: 598780
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Thread delayed: delay time: 598671
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Thread delayed: delay time: 598562
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Thread delayed: delay time: 598452
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Thread delayed: delay time: 598343
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Thread delayed: delay time: 598234
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Thread delayed: delay time: 598124
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Thread delayed: delay time: 598015
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Thread delayed: delay time: 597906
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Thread delayed: delay time: 597796
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Thread delayed: delay time: 597687
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Thread delayed: delay time: 597578
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Thread delayed: delay time: 597468
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Thread delayed: delay time: 597359
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Thread delayed: delay time: 597249
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Thread delayed: delay time: 597140
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Thread delayed: delay time: 597031
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Thread delayed: delay time: 596921
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Thread delayed: delay time: 596812
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Thread delayed: delay time: 596702
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Thread delayed: delay time: 596593
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Thread delayed: delay time: 596484
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Thread delayed: delay time: 596375
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Thread delayed: delay time: 596265
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Thread delayed: delay time: 596156
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Thread delayed: delay time: 596046
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Thread delayed: delay time: 595937
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Thread delayed: delay time: 595828
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe	Thread delayed: delay time: 600000
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe	Thread delayed: delay time: 599766
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe	Thread delayed: delay time: 599635
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe	Thread delayed: delay time: 599516
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe	Thread delayed: delay time: 599403
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe	Thread delayed: delay time: 599282
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe	Thread delayed: delay time: 599151
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe	Thread delayed: delay time: 599031
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe	Thread delayed: delay time: 598919
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe	Thread delayed: delay time: 598807
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe	Thread delayed: delay time: 598672
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe	Thread delayed: delay time: 598545
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe	Thread delayed: delay time: 598410
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe	Thread delayed: delay time: 598295
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe	Thread delayed: delay time: 598183
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe	Thread delayed: delay time: 598057
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe	Thread delayed: delay time: 597949
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe	Thread delayed: delay time: 597840
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe	Thread delayed: delay time: 597641
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe	Thread delayed: delay time: 597498
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe	Thread delayed: delay time: 597382
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe	Thread delayed: delay time: 597260
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe	Thread delayed: delay time: 597141
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe	Thread delayed: delay time: 597030
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe	Thread delayed: delay time: 596907
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe	Thread delayed: delay time: 596782
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe	Thread delayed: delay time: 596670
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe	Thread delayed: delay time: 596558
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe	Thread delayed: delay time: 596443
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe	Thread delayed: delay time: 596218
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe	Thread delayed: delay time: 595110
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe	Thread delayed: delay time: 594937
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe	Thread delayed: delay time: 594827
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe	Thread delayed: delay time: 594694
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe	Thread delayed: delay time: 594572
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe	Thread delayed: delay time: 594459
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe	Thread delayed: delay time: 594340
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe	Thread delayed: delay time: 594194
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe	Thread delayed: delay time: 594078
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe	Thread delayed: delay time: 593969
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe	Thread delayed: delay time: 593844
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe	Thread delayed: delay time: 593734
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe	Thread delayed: delay time: 593625
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe	Thread delayed: delay time: 593489
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe	Thread delayed: delay time: 593360
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe	Thread delayed: delay time: 593250
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe	Thread delayed: delay time: 593140
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe	Thread delayed: delay time: 593032
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe	Thread delayed: delay time: 592922
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe	Thread delayed: delay time: 592445
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe	Thread delayed: delay time: 592282
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe	Thread delayed: delay time: 591625
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe	Thread delayed: delay time: 591445
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe	Thread delayed: delay time: 591325
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe	Thread delayed: delay time: 591203
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe	Thread delayed: delay time: 591094
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe	Thread delayed: delay time: 590969
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe	Thread delayed: delay time: 590859
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe	Thread delayed: delay time: 590750
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe	Thread delayed: delay time: 590641
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe	Thread delayed: delay time: 590531
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe	Thread delayed: delay time: 590421
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe	Thread delayed: delay time: 590297
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe	Thread delayed: delay time: 590172
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe	Thread delayed: delay time: 590061
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe	Thread delayed: delay time: 922337203685477

Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Window / User API: threadDelayed 3582
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Window / User API: threadDelayed 5939
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Window / User API: threadDelayed 3034
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Window / User API: threadDelayed 6371
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Window / User API: threadDelayed 4650
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Window / User API: threadDelayed 4886
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe	Window / User API: threadDelayed 5377
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe	Window / User API: threadDelayed 4325
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe	Window / User API: threadDelayed 1957
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe	Window / User API: threadDelayed 878
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Window / User API: threadDelayed 1152

Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe

Registry key enumerated: More than 126 enums for key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall

Source: C:\Windows\SysWOW64\rundll32.exe TID: 6816	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe TID: 2172	Thread sleep time: -60000s >= -30000s
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe TID: 4552	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe TID: 576	Thread sleep count: 3582 > 30
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe TID: 576	Thread sleep count: 5939 > 30
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe TID: 1532	Thread sleep time: -27670116110564310s >= -30000s
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe TID: 2500	Thread sleep time: -160000s >= -30000s
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe TID: 3284	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe TID: 2324	Thread sleep time: -180000s >= -30000s
Source: C:\Windows\SysWOW64\rundll32.exe TID: 1180	Thread sleep time: -30000s >= -30000s
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 6424	Thread sleep time: -30000s >= -30000s
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 6472	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 6772	Thread sleep time: -30000s >= -30000s
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 6968	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 6972	Thread sleep time: -30000s >= -30000s
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 2548	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 1888	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 6596	Thread sleep count: 3034 > 30
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 4460	Thread sleep count: 6371 > 30
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 3168	Thread sleep time: -23058430092136925s >= -30000s
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 3168	Thread sleep time: -600000s >= -30000s
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 3168	Thread sleep time: -599875s >= -30000s
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 3168	Thread sleep time: -599765s >= -30000s
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 3168	Thread sleep time: -599656s >= -30000s
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 3168	Thread sleep time: -599546s >= -30000s
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 3168	Thread sleep time: -599436s >= -30000s
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 3168	Thread sleep time: -599327s >= -30000s
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 3168	Thread sleep time: -599218s >= -30000s
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 3168	Thread sleep time: -599109s >= -30000s
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 3168	Thread sleep time: -598999s >= -30000s
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 3168	Thread sleep time: -598890s >= -30000s
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 3168	Thread sleep time: -598780s >= -30000s
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 3168	Thread sleep time: -598671s >= -30000s
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 3168	Thread sleep time: -598562s >= -30000s
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 3168	Thread sleep time: -598452s >= -30000s
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 3168	Thread sleep time: -598343s >= -30000s
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 3168	Thread sleep time: -598234s >= -30000s
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 3168	Thread sleep time: -598124s >= -30000s
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 3168	Thread sleep time: -598015s >= -30000s
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 3168	Thread sleep time: -597906s >= -30000s
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 3168	Thread sleep time: -597796s >= -30000s
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 3168	Thread sleep time: -597687s >= -30000s
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 3168	Thread sleep time: -597578s >= -30000s
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 3168	Thread sleep time: -597468s >= -30000s
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 3168	Thread sleep time: -597359s >= -30000s
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 3168	Thread sleep time: -597249s >= -30000s
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 3168	Thread sleep time: -597140s >= -30000s
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 3168	Thread sleep time: -597031s >= -30000s
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 3168	Thread sleep time: -596921s >= -30000s
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 3168	Thread sleep time: -596812s >= -30000s
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 3168	Thread sleep time: -596702s >= -30000s
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 3168	Thread sleep time: -596593s >= -30000s
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 3168	Thread sleep time: -596484s >= -30000s
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 3168	Thread sleep time: -596375s >= -30000s
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 3168	Thread sleep time: -596265s >= -30000s
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 3168	Thread sleep time: -596156s >= -30000s
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 3168	Thread sleep time: -596046s >= -30000s
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 3168	Thread sleep time: -595937s >= -30000s
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 3168	Thread sleep time: -595828s >= -30000s
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 4232	Thread sleep time: -30000s >= -30000s
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 2676	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe TID: 5788	Thread sleep count: 4650 > 30
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe TID: 348	Thread sleep count: 34 > 30
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe TID: 348	Thread sleep time: -31359464925306218s >= -30000s
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe TID: 348	Thread sleep time: -30000s >= -30000s
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe TID: 1568	Thread sleep count: 4886 > 30
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe TID: 6944	Thread sleep time: -210000s >= -30000s
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe TID: 3876	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe TID: 6720	Thread sleep time: -180000s >= -30000s
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 712	Thread sleep count: 37 > 30
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 712	Thread sleep time: -34126476536362649s >= -30000s
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 712	Thread sleep time: -600000s >= -30000s
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 5880	Thread sleep count: 5377 > 30
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 712	Thread sleep time: -599766s >= -30000s
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 712	Thread sleep time: -599635s >= -30000s
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 5880	Thread sleep count: 4325 > 30
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 712	Thread sleep time: -599516s >= -30000s
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 712	Thread sleep time: -599403s >= -30000s
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 712	Thread sleep time: -599282s >= -30000s
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 712	Thread sleep time: -599151s >= -30000s
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 712	Thread sleep time: -599031s >= -30000s
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 712	Thread sleep time: -598919s >= -30000s
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 712	Thread sleep time: -598807s >= -30000s
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 712	Thread sleep time: -598672s >= -30000s
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 712	Thread sleep time: -598545s >= -30000s
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 712	Thread sleep time: -598410s >= -30000s
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 712	Thread sleep time: -598295s >= -30000s
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 712	Thread sleep time: -598183s >= -30000s
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 712	Thread sleep time: -598057s >= -30000s
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 712	Thread sleep time: -597949s >= -30000s
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 712	Thread sleep time: -597840s >= -30000s
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 712	Thread sleep time: -597641s >= -30000s
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 712	Thread sleep time: -597498s >= -30000s
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 712	Thread sleep time: -597382s >= -30000s
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 712	Thread sleep time: -597260s >= -30000s
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 712	Thread sleep time: -597141s >= -30000s
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 712	Thread sleep time: -597030s >= -30000s
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 712	Thread sleep time: -596907s >= -30000s
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 712	Thread sleep time: -596782s >= -30000s
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 712	Thread sleep time: -596670s >= -30000s
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 712	Thread sleep time: -596558s >= -30000s
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 712	Thread sleep time: -596443s >= -30000s
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 712	Thread sleep time: -596218s >= -30000s
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 712	Thread sleep time: -595110s >= -30000s
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 712	Thread sleep time: -594937s >= -30000s
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 712	Thread sleep time: -594827s >= -30000s
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 712	Thread sleep time: -594694s >= -30000s
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 712	Thread sleep time: -594572s >= -30000s
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 712	Thread sleep time: -594459s >= -30000s
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 712	Thread sleep time: -594340s >= -30000s
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 712	Thread sleep time: -594194s >= -30000s
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 712	Thread sleep time: -594078s >= -30000s
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 712	Thread sleep time: -593969s >= -30000s
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 712	Thread sleep time: -593844s >= -30000s
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 712	Thread sleep time: -593734s >= -30000s
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 712	Thread sleep time: -593625s >= -30000s
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 712	Thread sleep time: -593489s >= -30000s
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 712	Thread sleep time: -593360s >= -30000s
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 712	Thread sleep time: -593250s >= -30000s
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 712	Thread sleep time: -593140s >= -30000s
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 712	Thread sleep time: -593032s >= -30000s
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 712	Thread sleep time: -592922s >= -30000s
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 712	Thread sleep time: -592445s >= -30000s
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 712	Thread sleep time: -592282s >= -30000s
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 712	Thread sleep time: -591625s >= -30000s
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 712	Thread sleep time: -591445s >= -30000s
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 712	Thread sleep time: -591325s >= -30000s
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 712	Thread sleep time: -591203s >= -30000s
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 712	Thread sleep time: -591094s >= -30000s
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 712	Thread sleep time: -590969s >= -30000s
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 712	Thread sleep time: -590859s >= -30000s
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 712	Thread sleep time: -590750s >= -30000s
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 712	Thread sleep time: -590641s >= -30000s
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 712	Thread sleep time: -590531s >= -30000s
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 712	Thread sleep time: -590421s >= -30000s
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 712	Thread sleep time: -590297s >= -30000s
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 712	Thread sleep time: -590172s >= -30000s
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 712	Thread sleep time: -590061s >= -30000s
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe TID: 2332	Thread sleep count: 1957 > 30
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe TID: 1588	Thread sleep time: -7378697629483816s >= -30000s
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe TID: 1588	Thread sleep time: -30000s >= -30000s
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe TID: 2332	Thread sleep count: 878 > 30
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe TID: 2044	Thread sleep time: -30000s >= -30000s
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe TID: 3492	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 5740	Thread sleep count: 1152 > 30
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 2044	Thread sleep count: 201 > 30
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 2836	Thread sleep time: -30000s >= -30000s
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 4908	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe TID: 2908	Thread sleep time: -60000s >= -30000s
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe TID: 3660	Thread sleep time: -30000s >= -30000s
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe TID: 2992	Thread sleep time: -922337203685477s >= -30000s

Source: C:\Windows\System32\svchost.exe

File opened: PhysicalDrive0

Jump to behavior

Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select Manufacturer,Model,Product from Win32_BaseBoard
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select Manufacturer,Model,Product from Win32_BaseBoard
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select Manufacturer,Model,Product from Win32_BaseBoard
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_BIOS
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select Manufacturer,Model,Product from Win32_BaseBoard
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : select Manufacturer,SoftwareElementID,ReleaseDate from Win32_BIOS
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select Manufacturer,Model,Product from Win32_BaseBoard
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_BIOS
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select Manufacturer,Model,Product from Win32_BaseBoard
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : select Manufacturer,SoftwareElementID,ReleaseDate from Win32_BIOS
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select Manufacturer,Model,Product from Win32_BaseBoard

Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select PartOfDomain,Workgroup,Domain FROM Win32_ComputerSystem
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_ComputerSystem
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select PartOfDomain,Workgroup,Domain FROM Win32_ComputerSystem
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_ComputerSystem

Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select Name from Win32_Processor
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select Name from Win32_Processor
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select Name from Win32_Processor
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select Name from Win32_Processor
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select Name from Win32_Processor
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Processor
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select MaxClockSpeed from Win32_Processor
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select Name from Win32_Processor
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select Name from Win32_Processor
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Processor
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select MaxClockSpeed from Win32_Processor

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	File Volume queried: C:\Windows\System32 FullSizeInformation	Jump to behavior

Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Thread delayed: delay time: 90000
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Thread delayed: delay time: 600000
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Thread delayed: delay time: 599875
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Thread delayed: delay time: 599765
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Thread delayed: delay time: 599656
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Thread delayed: delay time: 599546
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Thread delayed: delay time: 599436
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Thread delayed: delay time: 599327
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Thread delayed: delay time: 599218
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Thread delayed: delay time: 599109
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Thread delayed: delay time: 598999
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Thread delayed: delay time: 598890
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Thread delayed: delay time: 598780
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Thread delayed: delay time: 598671
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Thread delayed: delay time: 598562
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Thread delayed: delay time: 598452
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Thread delayed: delay time: 598343
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Thread delayed: delay time: 598234
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Thread delayed: delay time: 598124
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Thread delayed: delay time: 598015
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Thread delayed: delay time: 597906
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Thread delayed: delay time: 597796
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Thread delayed: delay time: 597687
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Thread delayed: delay time: 597578
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Thread delayed: delay time: 597468
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Thread delayed: delay time: 597359
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Thread delayed: delay time: 597249
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Thread delayed: delay time: 597140
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Thread delayed: delay time: 597031
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Thread delayed: delay time: 596921
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Thread delayed: delay time: 596812
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Thread delayed: delay time: 596702
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Thread delayed: delay time: 596593
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Thread delayed: delay time: 596484
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Thread delayed: delay time: 596375
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Thread delayed: delay time: 596265
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Thread delayed: delay time: 596156
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Thread delayed: delay time: 596046
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Thread delayed: delay time: 595937
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Thread delayed: delay time: 595828
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Thread delayed: delay time: 30000
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Thread delayed: delay time: 90000
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe	Thread delayed: delay time: 600000
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe	Thread delayed: delay time: 599766
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe	Thread delayed: delay time: 599635
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe	Thread delayed: delay time: 599516
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe	Thread delayed: delay time: 599403
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe	Thread delayed: delay time: 599282
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe	Thread delayed: delay time: 599151
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe	Thread delayed: delay time: 599031
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe	Thread delayed: delay time: 598919
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe	Thread delayed: delay time: 598807
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe	Thread delayed: delay time: 598672
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe	Thread delayed: delay time: 598545
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe	Thread delayed: delay time: 598410
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe	Thread delayed: delay time: 598295
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe	Thread delayed: delay time: 598183
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe	Thread delayed: delay time: 598057
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe	Thread delayed: delay time: 597949
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe	Thread delayed: delay time: 597840
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe	Thread delayed: delay time: 597641
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe	Thread delayed: delay time: 597498
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe	Thread delayed: delay time: 597382
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe	Thread delayed: delay time: 597260
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe	Thread delayed: delay time: 597141
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe	Thread delayed: delay time: 597030
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe	Thread delayed: delay time: 596907
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe	Thread delayed: delay time: 596782
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe	Thread delayed: delay time: 596670
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe	Thread delayed: delay time: 596558
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe	Thread delayed: delay time: 596443
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe	Thread delayed: delay time: 596218
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe	Thread delayed: delay time: 595110
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe	Thread delayed: delay time: 594937
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe	Thread delayed: delay time: 594827
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe	Thread delayed: delay time: 594694
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe	Thread delayed: delay time: 594572
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe	Thread delayed: delay time: 594459
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe	Thread delayed: delay time: 594340
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe	Thread delayed: delay time: 594194
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe	Thread delayed: delay time: 594078
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe	Thread delayed: delay time: 593969
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe	Thread delayed: delay time: 593844
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe	Thread delayed: delay time: 593734
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe	Thread delayed: delay time: 593625
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe	Thread delayed: delay time: 593489
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe	Thread delayed: delay time: 593360
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe	Thread delayed: delay time: 593250
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe	Thread delayed: delay time: 593140
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe	Thread delayed: delay time: 593032
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe	Thread delayed: delay time: 592922
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe	Thread delayed: delay time: 592445
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe	Thread delayed: delay time: 592282
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe	Thread delayed: delay time: 591625
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe	Thread delayed: delay time: 591445
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe	Thread delayed: delay time: 591325
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe	Thread delayed: delay time: 591203
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe	Thread delayed: delay time: 591094
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe	Thread delayed: delay time: 590969
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe	Thread delayed: delay time: 590859
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe	Thread delayed: delay time: 590750
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe	Thread delayed: delay time: 590641
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe	Thread delayed: delay time: 590531
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe	Thread delayed: delay time: 590421
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe	Thread delayed: delay time: 590297
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe	Thread delayed: delay time: 590172
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe	Thread delayed: delay time: 590061
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe	Thread delayed: delay time: 30000
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe	Thread delayed: delay time: 922337203685477

Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe	File opened: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\helpers\functions\Get-CheckSumValid.ps1
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe	File opened: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\helpers\functions\Format-FileSize.ps1
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe	File opened: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\helpers\functions\Get-EnvironmentVariableNames.ps1
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe	File opened: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\helpers\functions\Get-EnvironmentVariable.ps1
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe	File opened: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\helpers\functions\Get-ChocolateyUnzip.ps1
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe	File opened: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\helpers\functions\Get-ChocolateyWebFile.ps1

Source: AgentPackageAgentInformation.exe, 00000033.00000002.2130780477.00000187AB30C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMware
Source: svchost.exe, 00000030.00000002.2501821114.0000018A90E00000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMwareVirtual disk2.06000c298128b8c02a71a2474aeb5f3dcPCI Slot 32 : Bus 2 : Device 0 : Function 0 : Adapter 0 : Port 0 : Target 0 : LUN 006000C298128B8C02A71A2474AEB5F3DC
Source: AteraAgent.exe, 00000015.00000002.1898386456.000002A342505000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWx
Source: AgentPackageAgentInformation.exe, 00000022.00000002.1789224660.00000248AC215000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000033.00000002.2122617084.00000187AB1C0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V Remote Desktop Virtualization Service
Source: AgentPackageAgentInformation.exe, 0000001E.00000002.1619271430.00000131ACBC0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllQQ$
Source: svchost.exe, 00000030.00000002.2502093962.0000018A90E2B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: @"VMware"
Source: AgentPackageAgentInformation.exe, 00000022.00000002.1789224660.00000248AC215000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Win32_ServiceProvides an interface for the Hyper-V hypervisor to provide per-partition performance counters to the host operating system.HV Host ServiceHvHostStopped?M
Source: AgentPackageAgentInformation.exe, 00000022.00000002.1800667400.00000248C5292000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Win32_ServiceSynchronizes the system time of this virtual machine with the system time of the physical computer.Hyper-V Time Synchronization ServicevmictimesyncStopped
Source: AgentPackageAgentInformation.exe, 00000033.00000002.2126951951.00000187AB255000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Win32_Service.Name="vmicvss"
Source: AteraAgent.exe, 00000014.00000002.1404068454.00000282CD518000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000014.00000002.1404068454.00000282CD575000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000015.00000002.1900170957.000002A342598000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: AgentPackageAgentInformation.exe, 00000033.00000002.2123477917.00000187AB1E9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Win32_ServicevmicshutdownvmicshutdownStoppedvice"
Source: svchost.exe, 00000009.00000002.2505169096.000001C53ED02000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: svchost.exe, 00000030.00000002.2503212869.0000018A90EAE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SetPropValue.FriendlyName("VMware Virtual disk");
Source: AgentPackageAgentInformation.exe, 00000022.00000002.1789224660.00000248AC215000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000033.00000002.2089271472.000001879213A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Provides an interface for the Hyper-V hypervisor to provide per-partition performance counters to the host operating system.
Source: AgentPackageAgentInformation.exe, 00000022.00000002.1800406533.00000248C5274000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Win32_Service.Name="vmicheartbeat"oaf6
Source: AgentPackageAgentInformation.exe, 00000033.00000002.2130780477.00000187AB30C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMware Virtual disk
Source: AgentPackageAgentInformation.exe, 00000033.00000002.2095306627.00000187928D3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: \|Provides an interface for the Hyper-V hypervisor to provide per-partition performance counters to the host operating system.
Source: AgentPackageAgentInformation.exe.21.dr	Binary or memory string: VIRUSfighterAVMware Carbon Black Cloud Sensor7VMware Carbon Black Defense/VMware Carbon Black EDR9VMware Carbon Black Response
Source: AgentPackageAgentInformation.exe, 00000022.00000002.1800594829.00000248C528C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: vmicshutdown\|
Source: AgentPackageAgentInformation.exe, 00000033.00000002.2095306627.00000187928D3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: qProvides an interface for the Hyper-V host to interact with specific services running inside the virtual machine.pP
Source: AgentPackageAgentInformation.exe, 00000022.00000002.1789224660.00000248AC215000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Win32_ServiceProvides a mechanism to exchange data between the virtual machine and the operating system running on the physical computer.Hyper-V Data Exchange ServicevmickvpexchangeStoppedP
Source: rundll32.exe, 00000008.00000002.1327209850.0000000002C1C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.1326692205.0000000002C1B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll:
Source: AgentPackageAgentInformation.exe, 00000022.00000002.1799050263.00000248C5209000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Win32_ServicevmicshutdownvmicshutdownStopped
Source: svchost.exe, 00000009.00000002.2503905148.000001C53EC4D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: m&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\DosDevices\D: @
Source: AgentPackageAgentInformation.exe, 00000033.00000002.2127456015.00000187AB26F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: vmicshutdown
Source: Atera.AgentPackages.CommonLib.dll.36.dr	Binary or memory string: vmware
Source: svchost.exe, 00000030.00000002.2502286071.0000018A90E52000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: JSetPropValue.Manufacturer("VMware");
Source: AgentPackageMonitoring.exe, 0000002D.00000002.1697943618.000001D42338D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: IsVirtualMachine
Source: AgentPackageAgentInformation.exe, 00000033.00000002.2095306627.00000187928D3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: $Hyper-V Time Synchronization Service
Source: svchost.exe, 00000030.00000002.2502404404.0000018A90E68000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMwareVirtual disk2.06000c298128b8c02a71a2474aeb5f3dcPCI Slot 32 : Bus 2 : Device 0 : Function 0 : Adapter 0 : Port 0 : Target 0 : LUN
Source: AgentPackageAgentInformation.exe, 00000033.00000002.2127533637.00000187AB275000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: vmicvss
Source: AgentPackageAgentInformation.exe, 00000022.00000002.1800667400.00000248C529D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Win32_ServiceProvides a mechanism to manage virtual machine with PowerShell via VM session without a virtual network.Hyper-V PowerShell Direct ServicevmicvmsessionStopped?
Source: svchost.exe, 00000009.00000002.2504391110.000001C53EC66000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: &@SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000?
Source: svchost.exe, 00000030.00000002.2504895805.0000018A91123000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SPACES_PhysicalDisk{a33c734b-61ca-11ee-8c18-806e6f6e6963}:PD:{3c527940-1853-195e-fb1a-27cdb1f80e4a}6000C298128B8C02A71A2474AEB5F3DCVMware Virtual diskVMwareVirtual disk6000c298128b8c02a71a2474aeb5f3dcPCI Slot 32 : Bus 2 : Device 0 : Function 0 : Adapter 0 : Port 0 : Target 0 : LUN 0
Source: AgentPackageAgentInformation.exe, 00000022.00000002.1789224660.00000248AC215000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000033.00000002.2122617084.00000187AB1C0000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000033.00000002.2095306627.00000187928D3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V Data Exchange Service
Source: AgentPackageAgentInformation.exe, 00000022.00000002.1800667400.00000248C5292000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Provides an interface for the Hyper-V host to interact with specific services running inside the virtual machine.
Source: svchost.exe, 00000030.00000002.2503658268.0000018A90ED3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: @friendlyname"vmware virtual disk"lse
Source: AgentPackageAgentInformation.exe, 00000033.00000002.2089271472.000001879213A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Win32_ServiceProvides an interface for the Hyper-V hypervisor to provide per-partition performance counters to the host operating system.HV Host ServiceHvHostStoppedyy
Source: AgentPackageAgentInformation.exe, 00000022.00000002.1800667400.00000248C5292000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000033.00000002.2095306627.00000187928D3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V Guest Service Interface
Source: AgentPackageAgentInformation.exe, 00000033.00000002.2095306627.00000187928D3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: -Hyper-V Remote Desktop Virtualization Service
Source: AgentPackageAgentInformation.exe, 00000033.00000002.2127456015.00000187AB26F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: vmicheartbeat
Source: svchost.exe, 00000030.00000002.2502286071.0000018A90E52000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: dSetPropValue.FriendlyName("VMware Virtual disk");
Source: AteraAgent.exe, 00000014.00000002.1404068454.00000282CD490000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%\System32\fveui.dll,-843RA%20NetworksAteraAgentAteraAgent.exe
Source: AteraAgent.exe, 00000015.00000002.1896332173.000002A342148000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: vmicshutdownHyper-V Remote Desktop Virtualization ServicevmicrdvHyper-V Data Exchange ServicevmickvpexchangeHyper-V Heartbeat ServicevmicheartbeatHyper-V Guest Service InterfacevmicguestinterfaceVirtual DiskvdsCredent
Source: AgentPackageAgentInformation.exe, 00000022.00000002.1800406533.00000248C5274000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Win32_Service.Name="vmicshutdown"ea
Source: svchost.exe, 00000009.00000002.2504391110.000001C53EC7F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: AgentPackageAgentInformation.exe, 00000033.00000002.2095306627.00000187928D3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: qProvides an interface for the Hyper-V host to interact with specific services running inside the virtual machine.
Source: AgentPackageAgentInformation.exe, 00000033.00000002.2124034008.00000187AB1F3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Win32_ServicevmicvssvmicvssStoppedA
Source: AgentPackageAgentInformation.exe, 00000033.00000002.2126951951.00000187AB255000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Win32_Service.Name="vmicheartbeat"
Source: AgentPackageAgentInformation.exe, 00000033.00000002.2095306627.00000187928D3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: "Win32_Service.Name="vmicheartbeat"p^
Source: AteraAgent.exe, 00000015.00000002.1896332173.000002A342148000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW0
Source: AgentPackageAgentInformation.exe, 00000022.00000002.1800667400.00000248C5292000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V Time Synchronization Service
Source: svchost.exe, 00000030.00000002.2502093962.0000018A90E2B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMware, Inc.VMware20,1NoneVMware-42 27 88 19 56 cc 59 1a-97 79 fb 8c bf a1 e2 9dnSS @
Source: AgentPackageAgentInformation.exe, 00000022.00000002.1789224660.00000248AC215000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Win32_ServiceProvides a platform for communication between the virtual machine and the operating system running on the physical computer.Hyper-V Remote Desktop Virtualization ServicevmicrdvStoppedlm[
Source: svchost.exe, 00000030.00000002.2502286071.0000018A90E52000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMware, Inc.VMware20,1NoneVMware-42 27 88 19 56 cc 59 1a-97 79 fb 8c bf a1 e2 9d
Source: svchost.exe, 0000000C.00000002.2502671926.0000020AD4231000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000018.00000002.1466810362.0000000003370000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000001C.00000002.1577296513.000001DD601D2000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000024.00000002.2150679963.0000027DEC291000.00000004.00000020.00020000.00000000.sdmp, AgentPackageSTRemote.exe, 0000002A.00000002.2199195531.000001EE9E228000.00000004.00000020.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 0000002D.00000002.1696952170.000001D423198000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000033.00000002.2130381875.00000187AB2FC000.00000004.00000020.00020000.00000000.sdmp, AgentPackageUpgradeAgent.exe, 00000035.00000002.2210125521.000001B373BC0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: AgentPackageAgentInformation.exe, 00000022.00000002.1799050263.00000248C5209000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Win32_ServicevmicheartbeatvmicheartbeatStoppedF
Source: svchost.exe, 00000030.00000002.2502404404.0000018A90E68000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMware Virtual disk6000C298128B8C02A71A2474AEB5F3DC0VMwareVirtual disk<m
Source: AgentPackageAgentInformation.exe, 00000033.00000002.2126951951.00000187AB255000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Win32_Service.Name="vmicshutdown"5U
Source: svchost.exe, 00000030.00000002.2502675641.0000018A90EA7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMwareVirtual disk2.06000c298128b8c02a71a2474aeb5f3dcPCI Slot 32 : Bus 2 : Device 0 : Function 0 : Adapter 0 : Port 0 : Target 0 : LUN 0
Source: svchost.exe, 00000030.00000002.2502675641.0000018A90EA7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
Source: AgentPackageAgentInformation.exe, 00000033.00000002.2122617084.00000187AB1C0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Win32_ServiceProvides a platform for communication between the virtual machine and the operating system running on the physical computer.Hyper-V Remote Desktop Virtualization ServicevmicrdvStopped
Source: svchost.exe, 00000009.00000002.2503437386.000001C53EC2B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: (@\??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: svchost.exe, 00000009.00000002.2503437386.000001C53EC2B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: (@\??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: AgentPackageAgentInformation.exe, 00000033.00000002.2127241458.00000187AB267000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Win32_ServiceProvides a mechanism to manage virtual machine with PowerShell via VM session without a virtual network.Hyper-V PowerShell Direct ServicevmicvmsessionStopped
Source: AteraAgent.exe, 00000024.00000002.2158613123.0000027DEC6DB000.00000004.00000020.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 0000002D.00000002.1694216775.000001D422C12000.00000002.00000001.01000000.0000001F.sdmp, AgentPackageMonitoring.exe, 0000002D.00000000.1639820961.000001D422772000.00000002.00000001.01000000.0000001D.sdmp, Atera.AgentPackages.CommonLib.dll.36.dr	Binary or memory string: get_IsVirtualMachine
Source: AgentPackageAgentInformation.exe, 00000022.00000002.1800667400.00000248C5292000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Win32_ServiceProvides an interface for the Hyper-V host to interact with specific services running inside the virtual machine.Hyper-V Guest Service InterfacevmicguestinterfaceStopped
Source: AgentPackageAgentInformation.exe, 00000033.00000002.2095306627.00000187928D3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Win32_Service.Name="vmicvss"p^
Source: AgentPackageAgentInformation.exe, 00000022.00000002.1800667400.00000248C529D000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000033.00000002.2127241458.00000187AB267000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V PowerShell Direct Service
Source: AgentPackageAgentInformation.exe, 00000033.00000002.2130780477.00000187AB30C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: MSFT_PhysicalDisk{1}\\user-PC\root/Microsoft/Windows/Storage/Providers_v2\SPACES_PhysicalDisk.ObjectId="{a33c734b-61ca-11ee-8c18-806e6f6e6963}:PD:{3c527940-1853-195e-fb1a-27cdb1f80e4a}"6000C298128B8C02A71A2474AEB5F3DCVMware Virtual diskVMwareVirtual disk6000c298128b8c02a71a2474aeb5f3dcPCI Slot 32 : Bus 2 : Device 0 : Function 0 : Adapter 0 : Port 0 : Target 0 : LUN 0
Source: AgentPackageAgentInformation.exe, 00000022.00000002.1799756671.00000248C522F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Win32_ServicevmicvssvmicvssStoppedh:
Source: AgentPackageAgentInformation.exe, 00000033.00000002.2095306627.00000187928D3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: !Win32_Service.Name="vmicshutdown"p^
Source: svchost.exe, 00000009.00000002.2502544883.000001C53EC02000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: HvHostWdiSystemHostScDeviceEnumWiaRpctrkwksAudioEndpointBuilderhidservdot3svcUmRdpServiceDsSvcfhsvcvmickvpexchangevmicshutdownvmicguestinterfacevmicvmsessionsvsvcStorSvcWwanSvcvmicvssDevQueryBrokerNgcSvcsysmainNetmanTabletInputServicePcaSvcDisplayEnhancementServiceIPxlatCfgSvcDeviceAssociationServiceNcbServiceEmbeddedModeSensorServicewlansvcCscServiceWPDBusEnumMixedRealityOpenXRSvc
Source: svchost.exe, 00000030.00000002.2503658268.0000018A90ED3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: @SetPropValue.Manufacturer("VMware");
Source: svchost.exe, 00000030.00000002.2503212869.0000018A90EAE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: (@SetPropValue.FriendlyName("VMware Virtual disk");
Source: AgentPackageAgentInformation.exe, 00000033.00000002.2122617084.00000187AB1C0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Win32_ServiceProvides a mechanism to exchange data between the virtual machine and the operating system running on the physical computer.Hyper-V Data Exchange ServicevmickvpexchangeStopped
Source: AgentPackageAgentInformation.exe, 00000033.00000002.2095306627.00000187928D3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: !Hyper-V PowerShell Direct Service
Source: svchost.exe, 00000009.00000002.2503905148.000001C53EC4D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: #Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: svchost.exe, 00000030.00000002.2503658268.0000018A90ED3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: (@SetPropValue.Manufacturer("VMware");
Source: AgentPackageAgentInformation.exe, 0000001A.00000002.1581204637.00000206B4E85000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dlldd
Source: AgentPackageAgentInformation.exe, 00000022.00000002.1801549524.00000248C5316000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllTT

Source: C:\Windows\System32\msiexec.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\System32\sppsvc.exe	Process queried: DebugPort
Source: C:\Windows\System32\sppsvc.exe	Process queried: DebugPort
Source: C:\Windows\System32\sppsvc.exe	Process queried: DebugPort

Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe

Code function: 36_2_00007FFAAC9A92D0 rdtsc

36_2_00007FFAAC9A92D0

Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe

Code function: 45_2_00007FFB03557B4C __crtCaptureCurrentContext,IsDebuggerPresent,__crtUnhandledException,

45_2_00007FFB03557B4C

Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe

Code function: 45_2_00007FFB0359AFB0 OutputDebugStringA,GetProcessHeap,OutputDebugStringA,GetLastError,lstrlenW,HeapAlloc,OutputDebugStringA,GetEnvironmentVariableW,OutputDebugStringA,GetLastError,OutputDebugStringA,GetModuleFileNameW,lstrlenW,OutputDebugStringA,lstrcatW,lstrcatW,lstrcatW,GetFileAttributesW,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,WinVerifyTrust,OutputDebugStringA,OutputDebugStringA,GetModuleHandleW,OutputDebugStringA,OutputDebugStringA,GetModuleHandleW,GetProcAddress,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,GetEnvironmentVariableW,OutputDebugStringA,GetCurrentThreadId,GetCurrentProcessId,wsprintfW,GetEnvironmentVariableW,SetEnvironmentVariableW,_errno,_errno,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,GetLastError,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,HeapFree,_snprintf,OutputDebugStringA,

45_2_00007FFB0359AFB0

Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe

45_2_00007FFB03561910

Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe

45_2_00007FFB0359AFB0

Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process token adjusted: Debug
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process token adjusted: Debug
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process token adjusted: Debug
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process token adjusted: Debug
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process token adjusted: Debug
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process token adjusted: Debug
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process token adjusted: Debug
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe	Process token adjusted: Debug
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe	Process token adjusted: Debug
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process token adjusted: Debug
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe	Process token adjusted: Debug

Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe

Code function: 45_2_00007FFB0355ACD4 SetUnhandledExceptionFilter,UnhandledExceptionFilter,

45_2_00007FFB0355ACD4

Source: C:\Windows\SysWOW64\rundll32.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\SysWOW64\rundll32.exe

Network Connect: 40.119.152.241 443

Source: C:\Windows\System32\msiexec.exe	Process created: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe" /i /IntegratorLogin="ilpilarsaomateus@gmail.com" /CompanyId="1" /IntegratorLoginUI="" /CompanyIdUI="" /FolderId="" /AccountId="001Q300000Lu4JQIAZ" /AgentId="66902f0e-5571-47c0-8de5-86038d3e7b35"	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\net.exe "NET" STOP AteraAgent
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\taskkill.exe "TaskKill.exe" /f /im AteraAgent.exe
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 STOP AteraAgent
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process created: C:\Windows\System32\sc.exe "C:\Windows\System32\sc.exe" failure AteraAgent reset= 600 actions= restart/25000
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" 66902f0e-5571-47c0-8de5-86038d3e7b35 "a7726a3f-8b3e-4e5c-93fd-b7293e973556" agent-api.atera.com/Production 443 or8ixLi90Mf "minimalIdentification" 001Q300000Lu4JQIAZ
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" 66902f0e-5571-47c0-8de5-86038d3e7b35 "cd1ad75d-30e1-481a-b7d6-4d6b012e03f7" agent-api.atera.com/Production 443 or8ixLi90Mf "minimalIdentification" 001Q300000Lu4JQIAZ
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" 66902f0e-5571-47c0-8de5-86038d3e7b35 "3f72da7d-d915-4f53-8bc1-de00eab8c542" agent-api.atera.com/Production 443 or8ixLi90Mf "minimalIdentification" 001Q300000Lu4JQIAZ
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" 66902f0e-5571-47c0-8de5-86038d3e7b35 "db753a87-56d5-4df4-b088-df029e1319dc" agent-api.atera.com/Production 443 or8ixLi90Mf "identified" 001Q300000Lu4JQIAZ
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" 66902f0e-5571-47c0-8de5-86038d3e7b35 "b27bbec1-8375-4d6e-a646-54dd514ea664" agent-api.atera.com/Production 443 or8ixLi90Mf "generalinfo fromGui" 001Q300000Lu4JQIAZ
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe" 66902f0e-5571-47c0-8de5-86038d3e7b35 "25d94b19-dd8c-444e-8649-b75dcdab378e" agent-api.atera.com/Production 443 or8ixLi90Mf "install eyJSbW1Db2RlIjoiaFpDREZQaEs3NW1KIn0=" 001Q300000Lu4JQIAZ
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe" 66902f0e-5571-47c0-8de5-86038d3e7b35 "cb18c271-196a-4aaf-9ea1-03326a248300" agent-api.atera.com/Production 443 or8ixLi90Mf "syncprofile" 001Q300000Lu4JQIAZ
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c cscript "C:\Program Files (x86)\Microsoft Office\Office16\ospp.vbs" /dstatus
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process created: C:\Windows\System32\sc.exe "C:\Windows\System32\sc.exe" failure AteraAgent reset= 600 actions= restart/25000
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" 66902f0e-5571-47c0-8de5-86038d3e7b35 "62bbbd59-291d-44d5-8ada-88594b5f534e" agent-api.atera.com/Production 443 or8ixLi90Mf "generalinfo" 001Q300000Lu4JQIAZ
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe" 66902f0e-5571-47c0-8de5-86038d3e7b35 "153560a1-b70b-409f-affc-69982282c523" agent-api.atera.com/Production 443 or8ixLi90Mf "checkforupdates" 001Q300000Lu4JQIAZ
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cscript.exe cscript "C:\Program Files (x86)\Microsoft Office\Office16\ospp.vbs" /dstatus
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c cscript "C:\Program Files (x86)\Microsoft Office\Office16\ospp.vbs" /dstatus
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe	Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cscript.exe cscript "C:\Program Files (x86)\Microsoft Office\Office16\ospp.vbs" /dstatus

Source: C:\Windows\SysWOW64\msiexec.exe

Process created: C:\Windows\SysWOW64\taskkill.exe "TaskKill.exe" /f /im AteraAgent.exe

Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe

Code function: 45_2_00007FFB0355739C cpuid

45_2_00007FFB0355739C

Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion DigitalProductId
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion DigitalProductId

Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe VolumeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\ICSharpCode.SharpZipLib.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Newtonsoft.Json.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Pubnub.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Queries volume information: C:\Windows\Installer\MSIFBAD.tmp-\Microsoft.Deployment.WindowsInstaller.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Queries volume information: C:\Windows\Installer\MSIFBAD.tmp-\AlphaControlAgentInstallation.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Queries volume information: C:\Windows\Installer\MSI16A.tmp-\Microsoft.Deployment.WindowsInstaller.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Queries volume information: C:\Windows\Installer\MSI16A.tmp-\AlphaControlAgentInstallation.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Queries volume information: C:\Windows\Installer\MSI16A.tmp-\Newtonsoft.Json.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C: VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C: VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Queries volume information: C:\Windows\Installer\MSI14C4.tmp-\Microsoft.Deployment.WindowsInstaller.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Queries volume information: C:\Windows\Installer\MSI14C4.tmp-\AlphaControlAgentInstallation.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Queries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe VolumeInformation
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Queries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Pubnub.dll VolumeInformation
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Queries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe VolumeInformation
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Queries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Pubnub.dll VolumeInformation
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Queries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Newtonsoft.Json.dll VolumeInformation
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Queries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\ICSharpCode.SharpZipLib.dll VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe	Queries volume information: C:\Windows\Installer\MSI330F.tmp-\Microsoft.Deployment.WindowsInstaller.dll VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe	Queries volume information: C:\Windows\Installer\MSI330F.tmp-\AlphaControlAgentInstallation.dll VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe	Queries volume information: C:\Windows\Installer\MSI330F.tmp-\Newtonsoft.Json.dll VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Queries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe VolumeInformation
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Queries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Newtonsoft.Json.dll VolumeInformation
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Queries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Atera.AgentPackage.Common.dll VolumeInformation
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Queries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe VolumeInformation
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Queries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Newtonsoft.Json.dll VolumeInformation
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Queries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Atera.AgentPackage.Common.dll VolumeInformation
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Queries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe VolumeInformation
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Queries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Newtonsoft.Json.dll VolumeInformation
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Queries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Atera.AgentPackage.Common.dll VolumeInformation
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Queries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe VolumeInformation
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Queries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Newtonsoft.Json.dll VolumeInformation
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Queries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Atera.AgentPackage.Common.dll VolumeInformation
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Queries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe VolumeInformation
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Queries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Newtonsoft.Json.dll VolumeInformation
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Queries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Atera.AgentPackage.Common.dll VolumeInformation
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Queries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe VolumeInformation
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Queries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Pubnub.dll VolumeInformation
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Queries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Newtonsoft.Json.dll VolumeInformation
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Queries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\ICSharpCode.SharpZipLib.dll VolumeInformation
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe	Queries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe VolumeInformation
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe	Queries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\Newtonsoft.Json.dll VolumeInformation
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe	Queries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\Atera.AgentPackage.Common.dll VolumeInformation
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe	Queries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe VolumeInformation
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe	Queries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\StructureMap.dll VolumeInformation
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe	Queries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Atera.AgentPackages.CommonLib.dll VolumeInformation
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe	Queries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\OpenHardwareMonitorLib.dll VolumeInformation
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe	Queries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Polly.dll VolumeInformation
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Threading.Tasks\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Threading.Tasks.dll VolumeInformation
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe	Queries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\NLog.dll VolumeInformation
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe	Queries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Newtonsoft.Json.dll VolumeInformation
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Collections\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Collections.dll VolumeInformation
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Linq\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Linq.dll VolumeInformation
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ValueTuple\v4.0_4.0.0.0__cc7b13ffcd2ddd51\System.ValueTuple.dll VolumeInformation
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe	Queries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\System.Data.SQLite.dll VolumeInformation
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe	Queries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Dapper.dll VolumeInformation
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll VolumeInformation
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Queries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe VolumeInformation
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Queries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Newtonsoft.Json.dll VolumeInformation
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Queries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Atera.AgentPackage.Common.dll VolumeInformation
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe	Queries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe VolumeInformation
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe	Queries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\Atera.AgentPackage.Common.dll VolumeInformation
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe	Queries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\Newtonsoft.Json.dll VolumeInformation
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe	Queries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\Microsoft.Win32.TaskScheduler.dll VolumeInformation

Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe

Code function: 45_2_00007FFB0355CC04 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

45_2_00007FFB0355CC04

Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe

Code function: 45_2_00007FFB035585D4 _lock,_get_daylight,_get_daylight,_get_daylight,___lc_codepage_func,free,_malloc_crt,_invoke_watson,free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_invoke_watson,_invoke_watson,_invoke_watson,_invoke_watson,_invoke_watson,

45_2_00007FFB035585D4

Source: C:\Windows\SysWOW64\rundll32.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings

Changes security center settings (notifications, updates, antivirus, firewall)

Source: C:\Windows\System32\svchost.exe

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Provider\Av\{D68DDC3A-831F-4fae-9E44-DA132C1ACF46} STATE

Jump to behavior

Source: svchost.exe, 0000000A.00000002.2505955863.0000029515F02000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: gramFiles%\Windows Defender\MsMpeng.exe
Source: svchost.exe, 0000000A.00000002.2505955863.0000029515F02000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe

Registry key created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4 Blob

Source: C:\Windows\System32\svchost.exe	WMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select displayName,productState from AntiVirusProduct
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select displayName,productState from AntiSpywareProduct
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select displayName,productState from FirewallProduct
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select displayName,productState from AntiVirusProduct
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select displayName,productState from AntiSpywareProduct
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select displayName,productState from FirewallProduct

Remote Access Functionality

Yara detected AteraAgent

Source: Yara match	File source: 42.0.AgentPackageSTRemote.exe.1ee85030000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 28.2.AgentPackageAgentInformation.exe.1dd472c0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 45.0.AgentPackageMonitoring.exe.1d422770000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 53.0.AgentPackageUpgradeAgent.exe.1b35a970000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 45.2.AgentPackageMonitoring.exe.1d422c10000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 36.2.AteraAgent.exe.27d802998d8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.0.AteraAgent.exe.282b3040000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 26.0.AgentPackageAgentInformation.exe.2069bbd0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000024.00000002.2155555456.0000027DEC66C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000002.2088334568.0000027D80539000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000002.2150679963.0000027DEC26C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000022.00000002.1789224660.00000248AC190000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.1880894733.000002A329E61000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002A.00000002.2168433819.000001EE85220000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002D.00000002.1694634338.000001D422C70000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000002.1589816031.00007FFB23B20000.00000004.00000001.01000000.00000013.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000002.2145707445.0000027DEB230000.00000004.00000020.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.1896332173.000002A342148000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000036.00000002.2046067313.000001F111BCB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000022.00000002.1790807938.00000248ACBD1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000022.00000002.1802242322.00000248C5385000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002A.00000002.2202850018.000001EE9E2C8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000033.00000002.2095306627.0000018792DEF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.1880894733.000002A329C7F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000002.2088334568.0000027D807EB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000002.1468699862.0000000005234000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002D.00000002.1694216775.000001D422C12000.00000002.00000001.01000000.0000001F.sdmp, type: MEMORY
Source: Yara match	File source: 00000033.00000002.2151925768.00007FFB23B20000.00000004.00000001.01000000.00000013.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.1878116692.000002A329149000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000022.00000002.1804019914.00000248C546E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.1403578923.00000282B4E8A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002D.00000002.1722197586.000001D43C915000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000033.00000002.2095306627.00000187928C3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.1880894733.000002A329FBD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000022.00000002.1808201586.00007FFB23B20000.00000004.00000001.01000000.00000013.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.1880894733.000002A32A141000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.1404747077.00000282CD823000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.1880894733.000002A329F68000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.1403578923.00000282B4E99000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000002.2140880493.0000027DEB1A9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.1403578923.00000282B4E5C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000035.00000002.2190568153.000001B35AEC5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000022.00000002.1789224660.00000248AC215000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000002.2085641808.000000BE3C134000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000002.1592759090.00007FFB23B20000.00000004.00000001.01000000.00000013.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000002.1571490470.000001DD473A0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000002.1622260091.00000131ACD73000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000002.2088334568.0000027D80299000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000033.00000002.2122617084.00000187AB1C0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.1898386456.000002A3424DB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.1877972695.000002A328FD0000.00000004.00000020.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000022.00000002.1789224660.00000248AC1D0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000002.1574235267.000002069C85F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000002.1568260436.000002069BD9E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000002.1569432210.000001DD470F0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000002.2088334568.0000027D80001000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000027.00000002.1697045305.0000029025B50000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002D.00000002.1736383824.00007FFB036E9000.00000004.00000001.01000000.0000001E.sdmp, type: MEMORY
Source: Yara match	File source: 00000022.00000002.1790807938.00000248ACC3F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000002.2088334568.0000027D80060000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002A.00000002.2168093156.000001EE851E0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.1880894733.000002A32A00B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000002.1560441536.000002069BD80000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000002.2088334568.0000027D806BB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000033.00000002.2095306627.0000018792851000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000033.00000002.2089271472.00000187920EC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000022.00000002.1790807938.00000248ACBCC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000002.2140880493.0000027DEB15C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000035.00000000.1930927486.000001B35A972000.00000002.00000001.01000000.00000029.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000002.1569432210.000001DD4710F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000002.2150679963.0000027DEC291000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000002.2158613123.0000027DEC6DB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002A.00000002.2171122634.000001EE852CA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.1327694824.0000000004844000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000002.2155555456.0000027DEC632000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000022.00000002.1790807938.00000248ACC3B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.1898386456.000002A3424C0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.1880894733.000002A329C08000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002D.00000002.1697943618.000001D4232A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000033.00000002.2089271472.000001879213A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000003.1331654140.00000000041F4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.1898386456.000002A34254E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.1405879986.00007FFB0BB30000.00000004.00000001.01000000.00000013.sdmp, type: MEMORY
Source: Yara match	File source: 00000036.00000002.2046286937.000001F111CC0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.1880894733.000002A329DBE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000002.1568260436.000002069BDC1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000033.00000002.2095306627.0000018792897000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000002.1571797704.000001DD479E3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.1880894733.000002A329CF6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000002.2087376733.000000BE3C335000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000002.1626578796.00007FFB23B20000.00000004.00000001.01000000.00000013.sdmp, type: MEMORY
Source: Yara match	File source: 0000002A.00000002.2169067788.000001EE8523E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.1403578923.00000282B4F4C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000002.1468699862.0000000005191000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000002.2088334568.0000027D8033C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000002.1610900588.00000131AC42B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000002.2170161544.00007FFB23B20000.00000004.00000001.01000000.00000013.sdmp, type: MEMORY
Source: Yara match	File source: 00000022.00000002.1790807938.00000248ACAA3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000035.00000002.2182180380.000000AC472F3000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.1880894733.000002A329CE0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000002.2140880493.0000027DEB128000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000002.1569432210.000001DD47132000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.1403578923.00000282B4E84000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000002.2084967627.000000BE3B935000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000002.1622260091.00000131ACDBF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.1880039341.000002A329270000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000020.00000002.1585093238.000001851EE00000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.1880894733.000002A329E4E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.1403578923.00000282B4F02000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000002.2087554285.000000BE3C435000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000035.00000002.2210125521.000001B373BC0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000002.2088334568.0000027D804E5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.1404068454.00000282CD490000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002A.00000002.2169067788.000001EE852AC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000033.00000002.2089271472.00000187920CB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000035.00000002.2190884933.000001B35B4DB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000002.2088334568.0000027D8035B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002D.00000002.1722382611.000001D43C926000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.1909211556.00007FFB23B20000.00000004.00000001.01000000.00000013.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000002.2088334568.0000027D80819000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.1404420688.00000282CD5E0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000022.00000002.1789224660.00000248AC1CB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000022.00000002.1790807938.00000248ACC0C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002D.00000002.1722155139.000001D43C717000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000002.2088334568.0000027D80545000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000035.00000002.2183736490.000001B35ABB1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000002.1568260436.000002069BDCB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.1898386456.000002A342563000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000002.2088334568.0000027D80102000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000000.1363107154.00000282B3042000.00000002.00000001.01000000.00000010.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.1880894733.000002A329A41000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000002.1569432210.000001DD470F8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000020.00000002.1590833917.000001851F683000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000002.2088334568.0000027D802B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002A.00000002.2169067788.000001EE85260000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000027.00000002.1697255268.0000029025C50000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000022.00000002.1800817334.00000248C52AD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002A.00000000.1610870120.000001EE85032000.00000002.00000001.01000000.0000001C.sdmp, type: MEMORY
Source: Yara match	File source: 00000020.00000002.1590833917.000001851F601000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000000.1533103031.000002069BBD2000.00000002.00000001.01000000.00000018.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000002.1571375000.000002069BFB0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000035.00000002.2190884933.000001B35B3D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000020.00000002.1586780777.000001851EE68000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000002.2088334568.0000027D80321000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.1403578923.00000282B4DD1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000002.2158613123.0000027DEC69C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000002.2088334568.0000027D80724000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.1880894733.000002A32A0BA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000002.2088334568.0000027D803D3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.1880894733.000002A329E50000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000002.1571157311.000001DD472C2000.00000002.00000001.01000000.0000001A.sdmp, type: MEMORY
Source: Yara match	File source: 0000002A.00000002.2174501497.000001EE85A08000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000020.00000002.1586780777.000001851EE60000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.1875929368.000000A728B85000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000035.00000002.2183736490.000001B35ABFD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000033.00000002.2089271472.00000187920B0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000022.00000002.1790376859.00000248AC490000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.1403578923.00000282B4F36000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000002.2088334568.0000027D804E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.1402227067.00000282B316E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000027.00000002.1697045305.0000029025B5B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002D.00000002.1722496320.000001D43CB6D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.1402227067.00000282B30EC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000002.1610900588.00000131AC472000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.1880894733.000002A32A1A6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.1880894733.000002A32A19C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000022.00000002.1790807938.00000248ACC86000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.1403357661.00000282B33D0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000020.00000002.1586780777.000001851EEE9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000033.00000002.2095306627.0000018792A26000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000035.00000002.2190884933.000001B35B261000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000002.2088334568.0000027D80232000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000002.1569432210.000001DD47175000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000002.1574235267.000002069C7E7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.1403578923.00000282B4E59000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000002.1622260091.00000131ACD47000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.1267628350.00000000048F0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000035.00000002.2189733854.000001B35AD40000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000002.1610900588.00000131AC431000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002D.00000002.1696952170.000001D423198000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.1880894733.000002A329CD3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.1880894733.000002A32A04F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000002.2088334568.0000027D805AD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000002.1569432210.000001DD4712C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000002.2088334568.0000027D8085E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000022.00000002.1790807938.00000248ACA11000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002D.00000002.1697943618.000001D42338D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.1880894733.000002A329DDF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000002.1574235267.000002069C7A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002A.00000002.2199195531.000001EE9E228000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000022.00000002.1790807938.00000248ACB73000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000036.00000002.2046067313.000001F111BE3000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000002.2140880493.0000027DEB1C0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.1901343649.000002A34268D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.1900170957.000002A3425F7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000002.2147079923.0000027DEB400000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000027.00000003.1591953076.0000029025C70000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000033.00000002.2135255406.00000187AB3DD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000002.2088334568.0000027D803EB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002D.00000002.1692653802.000001D422ACC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000033.00000002.2095306627.0000018792DAD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000033.00000002.2088867970.0000018792070000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000029.00000002.1693658473.0000024616A80000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000002.2088334568.0000027D803D9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000002.2088334568.0000027D8058E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000033.00000002.2127533637.00000187AB286000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.1898386456.000002A342505000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002D.00000002.1692653802.000001D422A40000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000002.2088334568.0000027D802FE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.1896332173.000002A342100000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.1402227067.00000282B3120000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.1880894733.000002A329EA8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000035.00000002.2190884933.000001B35B377000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000002.2088334568.0000027D8051E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.1880894733.000002A32A0BC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002A.00000002.2174501497.000001EE85991000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000002.2155555456.0000027DEC64F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002D.00000000.1639820961.000001D422772000.00000002.00000001.01000000.0000001D.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.1403578923.00000282B4F05000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000033.00000002.2095306627.00000187928D3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002D.00000002.1692092530.000001D422860000.00000004.00000020.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000036.00000002.2046067313.000001F111BC0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002D.00000002.1692653802.000001D422A80000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000002.1574235267.000002069C813000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000002.1618685636.00000131AC6E0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000002.2088334568.0000027D80726000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000002.2086154085.000000BE3C229000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.1878116692.000002A329100000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.1405442881.00007FFAAC7E4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000002.1622260091.00000131ACD01000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000002.2155555456.0000027DEC617000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000033.00000002.2089271472.0000018792193000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.1878116692.000002A32913F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000020.00000002.1590833917.000001851F673000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000002.2088334568.0000027D80543000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000002.2155555456.0000027DEC610000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002D.00000002.1692653802.000001D422A4C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000002.2088334568.0000027D80560000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000035.00000002.2210125521.000001B373C55000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000036.00000003.2045113682.000001F111BE7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000003.1288418547.000000000464A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000002.2140880493.0000027DEB120000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000033.00000002.2095306627.0000018792E36000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.1880894733.000002A32A056000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.1902010257.000002A342905000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000003.1408439085.0000000004EEA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000036.00000003.1932548750.000001F111CE0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002A.00000002.2199195531.000001EE9E222000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000002.2079087323.000000BE3A0F5000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000027.00000002.1697045305.0000029025B74000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.1403578923.00000282B4E82000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002D.00000002.1692653802.000001D422A86000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.1880894733.000002A329E0C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.1404068454.00000282CD4D7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000002.2088334568.0000027D804D7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.1327694824.00000000047A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.1898386456.000002A3424CE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000020.00000002.1586780777.000001851EE9D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000002.1580440319.00000206B4E60000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000002.2088334568.0000027D80353000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000039.00000002.2038115398.000002056C000000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.1880894733.000002A329AAE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000002.2088334568.0000027D803F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.1897843477.000002A3421CD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000002.1610900588.00000131AC3F0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000022.00000002.1789224660.00000248AC1AB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000033.00000002.2089271472.00000187920FC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000022.00000002.1789224660.00000248AC275000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.1402227067.00000282B3184000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.1402227067.00000282B30E0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000002.1571797704.000001DD479D3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002A.00000002.2174501497.000001EE85B96000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000035.00000002.2183736490.000001B35AB70000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000002.2150679963.0000027DEC317000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002A.00000002.2174501497.000001EE85B0D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.1880894733.000002A329F12000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000002.1568260436.000002069BE0D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000002.1622260091.00000131ACD83000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000002.1574235267.000002069C823000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.1878116692.000002A32918E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000002.1571797704.000001DD47961000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002D.00000002.1697943618.000001D423841000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 7132, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 6328, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 4300, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: AteraAgent.exe PID: 2020, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: AteraAgent.exe PID: 720, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 1860, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: AgentPackageAgentInformation.exe PID: 1920, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: AgentPackageAgentInformation.exe PID: 1480, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: AgentPackageAgentInformation.exe PID: 5572, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: AgentPackageAgentInformation.exe PID: 3964, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: AgentPackageAgentInformation.exe PID: 3260, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: AteraAgent.exe PID: 1020, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: cmd.exe PID: 1464, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: cscript.exe PID: 2352, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: AgentPackageSTRemote.exe PID: 6208, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: AgentPackageMonitoring.exe PID: 1100, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: AgentPackageAgentInformation.exe PID: 1340, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: AgentPackageUpgradeAgent.exe PID: 2864, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: cmd.exe PID: 4948, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: cscript.exe PID: 5664, type: MEMORYSTR
Source: Yara match	File source: C:\Windows\Temp\~DFF85B65DD083C28D1.TMP, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Atera.AgentPackages.ModelsV3.dll, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\Temp\~DF07D540AE027F4656.TMP, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\Atera.AgentPackages.CommonLib.dll, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\Atera.AgentPackage.Common.dll, type: DROPPED
Source: Yara match	File source: C:\Windows\Installer\MSI2F94.tmp, type: DROPPED
Source: Yara match	File source: C:\Config.Msi\3dfa4b.rbs, type: DROPPED
Source: Yara match	File source: C:\Windows\Temp\~DF27045DF9BB3D83EC.TMP, type: DROPPED
Source: Yara match	File source: C:\Windows\Temp\~DF8CD3DD11D85A5C11.TMP, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.InstallLog, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\UserDetections.dll, type: DROPPED
Source: Yara match	File source: C:\Windows\Installer\MSI4F07.tmp, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\TicketingPackageExtensions.dll, type: DROPPED
Source: Yara match	File source: C:\Windows\Temp\~DF3748246E0295C8E7.TMP, type: DROPPED
Source: Yara match	File source: C:\Windows\Temp\~DF9A8BC046147F428C.TMP, type: DROPPED
Source: Yara match	File source: C:\Windows\Installer\MSI16A.tmp-\AlphaControlAgentInstallation.dll, type: DROPPED
Source: Yara match	File source: C:\Windows\Installer\MSI14C4.tmp-\AlphaControlAgentInstallation.dll, type: DROPPED
Source: Yara match	File source: C:\Windows\Installer\MSIFBAD.tmp-\AlphaControlAgentInstallation.dll, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\AgentPackageSystemTools.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\System32\InstallUtil.InstallLog, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Atera.AgentPackage.Common.dll, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Atera.AgentPackages.CommonLib.dll, type: DROPPED
Source: Yara match	File source: C:\Windows\Temp\~DF1E29FC9B342B27CE.TMP, type: DROPPED
Source: Yara match	File source: C:\Windows\Installer\inprogressinstallinfo.ipi, type: DROPPED
Source: Yara match	File source: C:\Windows\Temp\~DF50AE555E1AE6C734.TMP, type: DROPPED
Source: Yara match	File source: C:\Windows\Temp\AteraSetupLog.txt, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\RestartReminder.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\ATERA Networks\AteraAgent\ToBeRemoved\AteraAgent.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\Temp\~DFB1DAA7BE4628F397.TMP, type: DROPPED
Source: Yara match	File source: C:\Windows\Installer\MSI18BD.tmp, type: DROPPED
Source: Yara match	File source: C:\Windows\Temp\~DFF55CA7399CFD76B7.TMP, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\Temp\~DF8D23518F04E02162.TMP, type: DROPPED
Source: Yara match	File source: C:\Windows\Temp\~DF0BA98394DFBAFEC5.TMP, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\Temp\~DF4090650E6245C6F2.TMP, type: DROPPED
Source: Yara match	File source: C:\Windows\Temp\~DF946B63CA5CEB85FD.TMP, type: DROPPED
Source: Yara match	File source: C:\Config.Msi\3dfa46.rbs, type: DROPPED
Source: Yara match	File source: C:\Windows\Temp\~DFA7EEBB2557D24724.TMP, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Atera.AgentPackages.ModelsV3.dll, type: DROPPED
Source: Yara match	File source: C:\Config.Msi\3dfa53.rbs, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\Temp\~DF7EC49C7F7F89DD72.TMP, type: DROPPED
Source: Yara match	File source: C:\Windows\Temp\~DF2A5BC4EA07A7A256.TMP, type: DROPPED
Source: Yara match	File source: C:\Windows\Installer\MSI330F.tmp-\AlphaControlAgentInstallation.dll, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\ATERA Networks\AteraAgent\ToBeRemoved\AteraAgent.InstallLog, type: DROPPED
Source: Yara match	File source: C:\Windows\Temp\~DF566BF609044F45EB.TMP, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.Common.dll, type: DROPPED

Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe

Code function: 45_2_00007FFB0359B9F0 GetModuleHandleW,OutputDebugStringA,GetProcAddress,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,GetModuleHandleW,OutputDebugStringA,GetLastError,GetProcAddress,OutputDebugStringA,OutputDebugStringA,CorBindToRuntimeEx,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,_snprintf,OutputDebugStringA,

45_2_00007FFB0359B9F0

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	1 Scripting	1 Replication Through Removable Media	541 Windows Management Instrumentation	1 Scripting	1 DLL Side-Loading	121 Disable or Modify Tools	OS Credential Dumping	2 System Time Discovery	Remote Services	11 Archive Collected Data	2 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Native API	1 DLL Side-Loading	32 Windows Service	11 Deobfuscate/Decode Files or Information	LSASS Memory	11 Peripheral Device Discovery	Remote Desktop Protocol	Data from Removable Media	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 Command and Scripting Interpreter	32 Windows Service	111 Process Injection	31 Obfuscated Files or Information	Security Account Manager	3 File and Directory Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	11 Scheduled Task/Job	11 Scheduled Task/Job	11 Scheduled Task/Job	1 Timestomp	NTDS	175 System Information Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	11 Service Execution	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	1 Query Registry	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 File Deletion	Cached Domain Credentials	7111 Security Software Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	123 Masquerading	DCSync	11 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Modify Registry	Proc Filesystem	491 Virtualization/Sandbox Evasion	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	491 Virtualization/Sandbox Evasion	/etc/passwd and /etc/shadow	1 Application Window Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	111 Process Injection	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement
Network Security Appliances	Domains	Compromise Software Dependencies and Development Tools	AppleScript	Launchd	Launchd	1 Rundll32	Input Capture	System Network Connections Discovery	Software Deployment Tools	Remote Data Staging	Mail Protocols	Exfiltration Over Unencrypted Non-C2 Protocol	Firmware Corruption

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label
3dfa4c.rbf (copy)	21%	ReversingLabs	Win32.Trojan.Atera
3dfa4e.rbf (copy)	0%	ReversingLabs
3dfa4f.rbf (copy)	0%	ReversingLabs
3dfa50.rbf (copy)	0%	ReversingLabs
3dfa51.rbf (copy)	0%	ReversingLabs
3dfa52.rbf (copy)	0%	ReversingLabs
C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	21%	ReversingLabs	Win32.Trojan.Atera
C:\Program Files (x86)\ATERA Networks\AteraAgent\BouncyCastle.Crypto.dll	0%	ReversingLabs
C:\Program Files (x86)\ATERA Networks\AteraAgent\ICSharpCode.SharpZipLib.dll	0%	ReversingLabs
C:\Program Files (x86)\ATERA Networks\AteraAgent\Newtonsoft.Json.dll	0%	ReversingLabs
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	0%	ReversingLabs
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Atera.AgentPackage.Common.dll	0%	ReversingLabs
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Newtonsoft.Json.dll	0%	ReversingLabs
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.exe	0%	ReversingLabs
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\Atera.AgentPackage.Common.dll	0%	ReversingLabs
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe	0%	ReversingLabs
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\Atera.AgentCommunication.Models.dll	0%	ReversingLabs
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\Atera.AgentPackage.Common.dll	0%	ReversingLabs
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\LiteDB.dll	0%	ReversingLabs
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\Newtonsoft.Json.dll	0%	ReversingLabs
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\Polly.dll	0%	ReversingLabs
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\SharpSnmpLib.dll	0%	ReversingLabs
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\System.Runtime.InteropServices.RuntimeInformation.dll	0%	ReversingLabs
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\System.ValueTuple.dll	0%	ReversingLabs
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\Atera.AgentPackage.Common.dll	0%	ReversingLabs
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\Atera.Utils.dll	0%	ReversingLabs
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe	0%	ReversingLabs
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Atera.AgentPackage.Common.dll	0%	ReversingLabs
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Atera.AgentPackages.CommonLib.dll	0%	ReversingLabs
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Atera.AgentPackages.ModelsV3.dll	0%	ReversingLabs
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Atera.Utils.dll	0%	ReversingLabs
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Dapper.dll	0%	ReversingLabs
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\ICSharpCode.SharpZipLib.dll	0%	ReversingLabs
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Microsoft.ApplicationInsights.dll	0%	ReversingLabs
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\NLog.dll	0%	ReversingLabs
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Newtonsoft.Json.dll	0%	ReversingLabs
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\OpenHardwareMonitorLib.dll	0%	ReversingLabs
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Polly.dll	0%	ReversingLabs
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\StructureMap.dll	0%	ReversingLabs
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\System.Buffers.dll	0%	ReversingLabs
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\System.Data.SQLite.dll	0%	ReversingLabs
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\System.Diagnostics.DiagnosticSource.dll	0%	ReversingLabs
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\System.Memory.dll	0%	ReversingLabs
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\System.Runtime.CompilerServices.Unsafe.dll	0%	ReversingLabs
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\System.Runtime.InteropServices.RuntimeInformation.dll	0%	ReversingLabs
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\System.ValueTuple.dll	0%	ReversingLabs
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\x64\SQLite.Interop.dll	0%	ReversingLabs
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\x86\SQLite.Interop.dll	0%	ReversingLabs
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.Common.dll	0%	ReversingLabs
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exe	0%	ReversingLabs
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Atera.AgentPackages.CommonLib.dll	0%	ReversingLabs
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Atera.AgentPackages.Exceptions.dll	0%	ReversingLabs
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Atera.AgentPackages.ModelsV3.dll	0%	ReversingLabs
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Interop.WUApiLib.dll	3%	ReversingLabs
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Microsoft.ApplicationInsights.dll	0%	ReversingLabs
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Microsoft.Win32.Primitives.dll	0%	ReversingLabs
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Newtonsoft.Json.dll	0%	ReversingLabs
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Polly.dll	0%	ReversingLabs
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\RestartReminder.exe	0%	ReversingLabs
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\RestartReminderNotification.exe	0%	ReversingLabs
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\StructureMap.dll	0%	ReversingLabs
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.AppContext.dll	0%	ReversingLabs

Name	Source	Malicious
https://ps.atera.com/agentpackagesmac/AgentPackageWindowsUpdate/24.6/AgentPackageWindowsUpdate.zip	AteraAgent.exe, 00000015.00000002.1880894733.000002A329CF6000.00000004.00000800.00020000.00000000.sdmp	false
https://ps.atera.com/agentpackageswin/AgentPackageSTRemote/16.0/AgentPackageSTRemote.zip	AteraAgent.exe, 00000015.00000002.1880894733.000002A329F12000.00000004.00000800.00020000.00000000.sdmp	false
http://schemas.datacontract.org	AteraAgent.exe, 00000014.00000002.1403578923.00000282B4E99000.00000004.00000800.00020000.00000000.sdmp	false
https://ps.atera.com/agentpackagesnet45/AgentPackageMarketplace/1.6/AgentPackageMarketplace.zip	AteraAgent.exe, 00000015.00000002.1880894733.000002A329CF6000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000015.00000002.1880894733.000002A329C08000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000024.00000002.2088334568.0000027D80102000.00000004.00000800.00020000.00000000.sdmp	false
https://ps.pndsn.com/time/0?pnsdk=NET45CSharp6.13.0.0&requestid=ab049951-757a-48f1-8723-61b58ab127f5	AteraAgent.exe, 00000015.00000002.1880894733.000002A329F68000.00000004.00000800.00020000.00000000.sdmp	false
https://github.com/CommunityToolkit/WindowsCommunityToolkitP	CommunityToolkit.WinUI.Notifications.dll.36.dr	false
https://ps.atera.com/agentpackagescrossplatform/AgentPackageAgentInformation/1.12/AgentPackageAO	AteraAgent.exe, 00000015.00000002.1880894733.000002A329C08000.00000004.00000800.00020000.00000000.sdmp	false
https://ps.atera.com/agentpackageswin/AgentPackageInternalPoller/15.9/AgentPackageInternalPoller.zip	AteraAgent.exe, 00000015.00000002.1880894733.000002A329CF6000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000015.00000002.1880894733.000002A329B82000.00000004.00000800.00020000.00000000.sdmp	false
https://ps.ateHH	AteraAgent.exe, 00000024.00000002.2088334568.0000027D804E5000.00000004.00000800.00020000.00000000.sdmp	false
https://nlog-project.org/	NLog.dll.36.dr	false
https://ps.atera.com/agentpackagesmac/AgentPackageProgramManagement/24.9/AgentPackageProgramManageme	AteraAgent.exe, 00000015.00000002.1880894733.000002A329CF6000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000015.00000002.1880894733.000002A329B82000.00000004.00000800.00020000.00000000.sdmp	false
https://agent-api.atera.com/Production/Agent/track-event	rundll32.exe, 00000008.00000002.1327694824.0000000004844000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000008.00000002.1327694824.00000000047A1000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000018.00000002.1468699862.0000000005234000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000018.00000002.1468699862.0000000005191000.00000004.00000800.00020000.00000000.sdmp	false
https://ps.pndsn.com/time/0?pnsdk=NET45CSharp6.13.0.0&requestid=c0f6c0b0-dc8d-4d9d-a87f-1136ef0d8d0b	AteraAgent.exe, 00000024.00000002.2088334568.0000027D800DD000.00000004.00000800.00020000.00000000.sdmp	false
http://dl.google.com/googletalk/googletalk-setup.exe	AgentPackageAgentInformation.exe, 0000001A.00000000.1533103031.000002069BBD2000.00000002.00000001.01000000.00000018.sdmp, AgentPackageAgentInformation.exe.21.dr	false
https://ps.atera.com/agentpackagesnet45/AgentPackageUpgradeAgent/27.2/AgentPackageUpgradeAgent.zip?6	AteraAgent.exe, 00000024.00000002.2088334568.0000027D80102000.00000004.00000800.00020000.00000000.sdmp	false
https://agent-api.PR	AteraAgent.exe, 00000015.00000002.1880894733.000002A329DDF000.00000004.00000800.00020000.00000000.sdmp	false
HTTPS://PS.ATERA.COM/AGENTPACKAGESNET45/AGENTPACKAGEMONITORING/36.9/AGENTPACKAGEMONITORING.ZIP	AteraAgent.exe, 00000015.00000002.1880894733.000002A329C7F000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000015.00000002.1880894733.000002A32A0BC000.00000004.00000800.00020000.00000000.sdmp	false
http://standards.iso.org/iso/19770/-2/2009/schema.xsd	svchost.exe, 0000000B.00000002.2503661287.000001FCAC287000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.2504747776.000001FCACB02000.00000004.00000020.00020000.00000000.sdmp	false
https://ps.atera.com/agentpackagesmac/AgentPackageMarketplace/1.6/AgentPackageMarketplace.zip	AteraAgent.exe, 00000015.00000002.1880894733.000002A329CF6000.00000004.00000800.00020000.00000000.sdmp	false
http://schemas.datacontract.org/2004/07/System.ServiceProcess	AteraAgent.exe, 00000014.00000002.1403578923.00000282B4E99000.00000004.00000800.00020000.00000000.sdmp	false
https://ps.atera.com/agentpackagescrossplatform/AgentPackageMonitoring/0.40/AgentPackageMonitoring.z	AteraAgent.exe, 00000015.00000002.1880894733.000002A32A056000.00000004.00000800.00020000.00000000.sdmp	false
https://my.splashtop.com/csrs/win	AgentPackageSTRemote.exe, 0000002A.00000000.1610870120.000001EE85032000.00000002.00000001.01000000.0000001C.sdmp	false
http://wixtoolset.org	rundll32.exe, 00000005.00000003.1267628350.0000000004921000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.1288418547.000000000467B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.1331654140.0000000004225000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000018.00000003.1408439085.0000000004F1B000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Program.RemoteAdminNET.1.367.20003.msi, MSI18BE.tmp.2.dr, ateraAgentSetup64_1_8_7_2.msi.53.dr, MSI5003.tmp.2.dr	false
https://ps.atera.com/agentpackagesnet45/Agent.Package.Watchdog/1.5/Agent.Package.Watchdog.zip	AteraAgent.exe, 00000015.00000002.1880894733.000002A329CF6000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000015.00000002.1880894733.000002A329C08000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000015.00000002.1880894733.000002A329B21000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000024.00000002.2088334568.0000027D80102000.00000004.00000800.00020000.00000000.sdmp	false
https://agent-api.atera.com/Production/Agent/track-event;	rundll32.exe, 00000008.00000002.1327694824.0000000004886000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000018.00000002.1468699862.0000000005276000.00000004.00000800.00020000.00000000.sdmp	false
https://ps.atera.com/agentpackageswin/AgentPackageRuntimeInstaller/13.0/AgentPackageRuntimeInstaller	AteraAgent.exe, 00000015.00000002.1880894733.000002A329CF6000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000015.00000002.1880894733.000002A329B21000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000024.00000002.2088334568.0000027D800CD000.00000004.00000800.00020000.00000000.sdmp	false
http://acontrol.atera.com/	AteraAgent.exe, 00000014.00000000.1363107154.00000282B3042000.00000002.00000001.01000000.00000010.sdmp, AteraAgent.exe, 00000015.00000002.1880894733.000002A329A41000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000024.00000002.2088334568.0000027D80001000.00000004.00000800.00020000.00000000.sdmp	false
https://agent-api.atera.com/Production/Agent/dynamic-fields/	AgentPackageAgentInformation.exe, 00000022.00000002.1790807938.00000248ACC3F000.00000004.00000800.00020000.00000000.sdmp	false
https://ps.atera.com/agentpackagesnet45/AgentPackageSTRemote/23.4/AgentPackageSTRemote.zip	AteraAgent.exe, 00000015.00000002.1880894733.000002A329F12000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000024.00000002.2088334568.0000027D80102000.00000004.00000800.00020000.00000000.sdmp	false
https://ps.atera.com/agentpackagesnet45/AgentPackageADRemote/6.0/AgentPackageADRemote.zip	AteraAgent.exe, 00000015.00000002.1880894733.000002A329CF6000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000015.00000002.1880894733.000002A329C08000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000024.00000002.2088334568.0000027D80102000.00000004.00000800.00020000.00000000.sdmp	false
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	rundll32.exe, 00000008.00000002.1327694824.0000000004844000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000008.00000002.1327694824.00000000047A1000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000015.00000002.1880894733.000002A329A41000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000018.00000002.1468699862.0000000005234000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000018.00000002.1468699862.0000000005191000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000001A.00000002.1574235267.000002069C85F000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000001C.00000002.1571797704.000001DD479E3000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000001E.00000002.1622260091.00000131ACDBF000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000022.00000002.1790807938.00000248ACC3F000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000022.00000002.1790807938.00000248ACA11000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000024.00000002.2088334568.0000027D80001000.00000004.00000800.00020000.00000000.sdmp, AgentPackageSTRemote.exe, 0000002A.00000002.2174501497.000001EE85A08000.00000004.00000800.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 0000002D.00000002.1697943618.000001D42338D000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000033.00000002.2095306627.0000018792DAD000.00000004.00000800.00020000.00000000.sdmp, AgentPackageUpgradeAgent.exe, 00000035.00000002.2190884933.000001B35B261000.00000004.00000800.00020000.00000000.sdmp	false
https://dev.virtualearth.net/REST/v1/Imagery/Copyright/	svchost.exe, 00000003.00000002.1366029607.000001ACC0463000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.1365868750.000001ACC043F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1365160170.000001ACC045A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1364967037.000001ACC0462000.00000004.00000020.00020000.00000000.sdmp	false
https://ps.pndsn.com/v2/subscribe/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/66902f0e-5571-47c0-8de5	AteraAgent.exe, 00000015.00000002.1880894733.000002A329E0C000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000024.00000002.2088334568.0000027D800DD000.00000004.00000800.00020000.00000000.sdmp	false
HTTPS://PS.ATERA.COM/AGENTPACKAGESNET45/AGENTPACKAGERUNTIMEINSTALLER/1.6/AGENTPACKAGERUNTIMEINSTALLE	AteraAgent.exe, 00000024.00000002.2088334568.0000027D80102000.00000004.00000800.00020000.00000000.sdmp	false
http://my.splashtop.com	AgentPackageSTRemote.exe, 0000002A.00000002.2174501497.000001EE85AE7000.00000004.00000800.00020000.00000000.sdmp	false
https://ps.atera.com/agentpackageswin/AgentPackageNetworkDiscovery/15.0/AgentPackageNetworkDiscovery	AteraAgent.exe, 00000015.00000002.1880894733.000002A329CF6000.00000004.00000800.00020000.00000000.sdmp	false
https://ps.atera.com/agentpackagesnet45/Agent.Package.Watchdog/1.5/Agent.Package.Watchdog.zip?6aIkQo	AteraAgent.exe, 00000024.00000002.2088334568.0000027D804E5000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000024.00000002.2088334568.0000027D80232000.00000004.00000800.00020000.00000000.sdmp	false
https://ps.atera.com/agentpackagesnet45/AgentPackageSTRemote/23.4/AgentPackageSTRemote.ziph	AteraAgent.exe, 00000015.00000002.1880894733.000002A329EA8000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000015.00000002.1880894733.000002A329F12000.00000004.00000800.00020000.00000000.sdmp	false
https://ps.atera.com/agentpackagesmac/AgentPackageHeartbeat/17.11/AgentPackageHeartbeat.zip	AteraAgent.exe, 00000015.00000002.1880894733.000002A329CF6000.00000004.00000800.00020000.00000000.sdmp	false
https://download.splashtop.com	AgentPackageSTRemote.exe, 0000002A.00000002.2174501497.000001EE85B0D000.00000004.00000800.00020000.00000000.sdmp	false
https://ps.atera.com/agentpackagesnet45/AgentPackageTaskScheduler/17.2/AgentPackageTaskScheduler.zip	AteraAgent.exe, 00000015.00000002.1880894733.000002A329CF6000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000015.00000002.1880894733.000002A329C08000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000015.00000002.1880894733.000002A329B21000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000024.00000002.2088334568.0000027D800CD000.00000004.00000800.00020000.00000000.sdmp	false
https://dev.virtualearth.net/REST/v1/Locations	svchost.exe, 00000003.00000002.1365937440.000001ACC0458000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1365229631.000001ACC0457000.00000004.00000020.00020000.00000000.sdmp	false
https://agent-api.atera.com	rundll32.exe, 00000005.00000003.1267628350.00000000048F0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000002.1327694824.0000000004844000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000008.00000002.1327694824.00000000047A1000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.1288418547.000000000464A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.1331654140.00000000041F4000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000015.00000002.1880894733.000002A329A41000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000018.00000002.1468699862.0000000005234000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000018.00000002.1468699862.0000000005191000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000018.00000003.1408439085.0000000004EEA000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000001A.00000002.1574235267.000002069C85F000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000001C.00000002.1571797704.000001DD479E3000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000001E.00000002.1622260091.00000131ACDBF000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000022.00000002.1790807938.00000248ACBD1000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000022.00000002.1790807938.00000248ACC3F000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000022.00000002.1790807938.00000248ACC0C000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000022.00000002.1790807938.00000248ACA11000.00000004.00000800.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 0000002D.00000002.1697943618.000001D423803000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000033.00000002.2095306627.0000018792DAD000.00000004.00000800.00020000.00000000.sdmp	false
https://www.nuget.org/packages/NLog.Web.AspNetCore	AgentPackageMonitoring.exe, 0000002D.00000002.1720602037.000001D43BBD2000.00000002.00000001.01000000.00000025.sdmp, AgentPackageMonitoring.exe, 0000002D.00000002.1721379810.000001D43BCA8000.00000002.00000001.01000000.00000025.sdmp, NLog.dll.36.dr	false
http://www.w3.oh	AteraAgent.exe, 00000014.00000002.1403578923.00000282B4E99000.00000004.00000800.00020000.00000000.sdmp	false
http://ps.atera.comO	AteraAgent.exe, 00000015.00000002.1880894733.000002A32A0BC000.00000004.00000800.00020000.00000000.sdmp	false
https://ps.ateHhh	AteraAgent.exe, 00000024.00000002.2088334568.0000027D804E5000.00000004.00000800.00020000.00000000.sdmp	false
https://dynamic.t	svchost.exe, 00000003.00000003.1365179336.000001ACC0449000.00000004.00000020.00020000.00000000.sdmp	false
https://dev.virtualearth.net/REST/v1/Routes/Transit	svchost.exe, 00000003.00000002.1365937440.000001ACC0458000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1365229631.000001ACC0457000.00000004.00000020.00020000.00000000.sdmp	false
https://ps.atera.com/agentpackagesnet45/AgentPackageADRemote/6.0/AgentPackageADRemote.zip?6aIkQoLIi1	AteraAgent.exe, 00000024.00000002.2088334568.0000027D804E5000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000024.00000002.2088334568.0000027D80232000.00000004.00000800.00020000.00000000.sdmp	false
http://nlog-project.org/ws/	NLog.dll.36.dr	false
http://crl3.digice	AteraAgent.exe, 00000015.00000002.1898386456.000002A342524000.00000004.00000020.00020000.00000000.sdmp	false
http://nlog-project.org/ws/ILogReceiverServer/ProcessLogMessagesT	AgentPackageMonitoring.exe, 0000002D.00000002.1720602037.000001D43BBD2000.00000002.00000001.01000000.00000025.sdmp, NLog.dll.36.dr	false
https://ps.atera.com/a	AteraAgent.exe, 00000015.00000002.1880894733.000002A32A056000.00000004.00000800.00020000.00000000.sdmp	false
https://urn.to/r/sds_see	AgentPackageMonitoring.exe, 0000002D.00000002.1719872483.000001D43BAF2000.00000002.00000001.01000000.00000024.sdmp	false
https://ps.atera.com/agentpackagesmac/AgentPackageRuntimeInstaller/1.5/AgentPackageRuntimeInstaller.	AteraAgent.exe, 00000015.00000002.1880894733.000002A329CF6000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000015.00000002.1880894733.000002A329B21000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000024.00000002.2088334568.0000027D800CD000.00000004.00000800.00020000.00000000.sdmp	false
https://urn.to/r/sds_see12https://urn.to/r/sds_see2	System.Data.SQLite.dll.36.dr	false
https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r=	svchost.exe, 00000003.00000003.1365179336.000001ACC0449000.00000004.00000020.00020000.00000000.sdmp	false
https://ps.atera.com/agentpackagesmac/AgentPackageMonitoring/36.9/AgentPackageMonitoring.zip	AteraAgent.exe, 00000015.00000002.1880894733.000002A32A056000.00000004.00000800.00020000.00000000.sdmp	false
https://ps.atera.com/agentpackagescrossplatform/AgentPackageAgentInformation/1.12/AgentPackageAgentI	AteraAgent.exe, 00000015.00000002.1880894733.000002A329F12000.00000004.00000800.00020000.00000000.sdmp	false
https://ps.pndsn.com/time/0?pnsdk=NET45CSharp6.13.0.0&requestid=220604ff-7d82-4400-81a1-a9e4ac59a4ab	AteraAgent.exe, 00000015.00000002.1880894733.000002A32A130000.00000004.00000800.00020000.00000000.sdmp	false
https://download.splashtop.com/csrs/Splashtop_Streamer_Win_DEPLOY_INSTALLER_v3.7.2.0.exe	AgentPackageSTRemote.exe, 0000002A.00000002.2174501497.000001EE85B09000.00000004.00000800.00020000.00000000.sdmp, AgentPackageSTRemote.exe, 0000002A.00000002.2174501497.000001EE85AE7000.00000004.00000800.00020000.00000000.sdmp, AgentPackageSTRemote.exe, 0000002A.00000002.2174501497.000001EE85B0D000.00000004.00000800.00020000.00000000.sdmp	false
https://my.splashtop.com	AgentPackageSTRemote.exe, 0000002A.00000002.2174501497.000001EE85AE2000.00000004.00000800.00020000.00000000.sdmp, AgentPackageSTRemote.exe, 0000002A.00000002.2174501497.000001EE85A08000.00000004.00000800.00020000.00000000.sdmp	false
https://dev.virtualearth.net/REST/v1/Routes/Driving	svchost.exe, 00000003.00000002.1365937440.000001ACC0458000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1365229631.000001ACC0457000.00000004.00000020.00020000.00000000.sdmp	false
https://ps.atera.com/agentpackagesnet45/AgentPackageProgramManagement/24.9/AgentPackageProgramManage	AteraAgent.exe, 00000024.00000002.2088334568.0000027D80102000.00000004.00000800.00020000.00000000.sdmp	false
http://cacerts.digicert.	AgentPackageAgentInformation.exe, 0000001A.00000002.1582163267.00000206B4EEF000.00000004.00000020.00020000.00000000.sdmp	false
https://github.com/CommunityToolkit/WindowsCommunityToolkit	CommunityToolkit.WinUI.Notifications.dll.36.dr	false
https://ps.atera.com/agentpackagesmac/AgentPackageSTRemote/23.4/AgentPackageSTRemote.zip	AteraAgent.exe, 00000015.00000002.1880894733.000002A329F12000.00000004.00000800.00020000.00000000.sdmp	false
https://system.data.sqlite.org/X	AgentPackageMonitoring.exe, 0000002D.00000002.1720464714.000001D43BB54000.00000002.00000001.01000000.00000024.sdmp, System.Data.SQLite.dll.36.dr	false
https://ps.atera.com/agentpackageswin/AgentPackageHeartbeat/16.9	AteraAgent.exe, 00000015.00000002.1880894733.000002A329B82000.00000004.00000800.00020000.00000000.sdmp	false
http://www.abit.com.tw/	AgentPackageMonitoring.exe, 0000002D.00000002.1695880267.000001D422D32000.00000002.00000001.01000000.00000021.sdmp	false
https://agent-api.atera.com/Production/Agent/recurringCommandResult	AgentPackageAgentInformation.exe, 00000022.00000002.1790807938.00000248ACBD1000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000022.00000002.1790807938.00000248ACC0C000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000033.00000002.2095306627.0000018792DAD000.00000004.00000800.00020000.00000000.sdmp	false
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r=	svchost.exe, 00000003.00000002.1365812001.000001ACC042B000.00000004.00000020.00020000.00000000.sdmp	false
https://agent-api.atera.com/Production/Agent/AcknowledgeCommands	AteraAgent.exe, 00000015.00000002.1880894733.000002A329C7F000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000015.00000002.1880894733.000002A329F68000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000015.00000002.1880894733.000002A329C08000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000015.00000002.1880894733.000002A329E50000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000015.00000002.1880894733.000002A32A0BC000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000015.00000002.1880894733.000002A329F12000.00000004.00000800.00020000.00000000.sdmp	false
https://ps.pndsn.com/time/0?pnsdk=NET45CSharp6.13.0.0&requestid=a59c9018-5d76-42b0-adb5-5e60d00da0f5	AteraAgent.exe, 00000015.00000002.1880894733.000002A329AC8000.00000004.00000800.00020000.00000000.sdmp	false
https://ps.atera.com/installers/splashtop/win/SplashtopStreamer.exe	AgentPackageSTRemote.exe, 0000002A.00000002.2174501497.000001EE85A08000.00000004.00000800.00020000.00000000.sdmp, AgentPackageSTRemote.exe, 0000002A.00000000.1610870120.000001EE85032000.00000002.00000001.01000000.0000001C.sdmp	false
https://ps.atera.com/agentpackagesmac/AgentPackageTaskScheduler/13.0/AgentPackageTaskScheduler.zip	AteraAgent.exe, 00000015.00000002.1880894733.000002A329CF6000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000015.00000002.1880894733.000002A329B21000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000024.00000002.2088334568.0000027D800CD000.00000004.00000800.00020000.00000000.sdmp	false
HTTPS://PS.ATERA.COM/AGENTPACKAGESNET45/AGENTPACKAGESTREMOTE/23.4/AGENTPACKAGESTREMOTE.ZIP	AteraAgent.exe, 00000015.00000002.1880894733.000002A329F68000.00000004.00000800.00020000.00000000.sdmp	false
https://agent-api.P	AteraAgent.exe, 00000015.00000002.1880894733.000002A329F68000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000022.00000002.1790807938.00000248ACC3F000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000022.00000002.1790807938.00000248ACC86000.00000004.00000800.00020000.00000000.sdmp	false
http://www.w3.o	AteraAgent.exe, 00000014.00000002.1403578923.00000282B4E99000.00000004.00000800.00020000.00000000.sdmp	false
https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/	svchost.exe, 00000003.00000002.1365812001.000001ACC042B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.1366064915.000001ACC0468000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1364947300.000001ACC0467000.00000004.00000020.00020000.00000000.sdmp	false
https://github.com/JamesNK/Newtonsoft.Json	rundll32.exe, 00000005.00000003.1267628350.0000000004921000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.1288418547.000000000467B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.1331654140.0000000004225000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000015.00000002.1880894733.000002A32A056000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000018.00000003.1408439085.0000000004F1B000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000001A.00000002.1571556014.000002069C692000.00000002.00000001.01000000.0000001B.sdmp, AgentPackageSTRemote.exe, 0000002A.00000002.2195827231.000001EE9E170000.00000002.00000001.01000000.00000030.sdmp, AgentPackageMonitoring.exe, 0000002D.00000002.1721452869.000001D43BCB2000.00000002.00000001.01000000.00000026.sdmp, Newtonsoft.Json.dll1.36.dr, Newtonsoft.Json.dll.53.dr	false
https://agent-api.atera.com/PrhP	AgentPackageAgentInformation.exe, 00000022.00000002.1790807938.00000248ACC86000.00000004.00000800.00020000.00000000.sdmp	false
https://ps.atera.com/agentpackagesmac/Agent.Package.Availability/0.16/Agent.Package.Availability.zip	AteraAgent.exe, 00000015.00000002.1880894733.000002A329CF6000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000015.00000002.1880894733.000002A329B21000.00000004.00000800.00020000.00000000.sdmp	false
https://ps.atera.com/agentpackageswin/AgentPackageMarketplace/13.0/AgentPackageMarketplace.zip	AteraAgent.exe, 00000015.00000002.1880894733.000002A329CF6000.00000004.00000800.00020000.00000000.sdmp	false
https://dev.ditu.live.com/REST/v1/Transit/Stops/	svchost.exe, 00000003.00000002.1366229085.000001ACC0481000.00000004.00000020.00020000.00000000.sdmp	false
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdi?pv=1&r=	svchost.exe, 00000003.00000003.1365179336.000001ACC0449000.00000004.00000020.00020000.00000000.sdmp	false
https://ps.atera.com/agentpackagesnet45/AgentPackageUpgradeAgent/27.2/AgentPackageUpgradeAgent.zip	AteraAgent.exe, 00000015.00000002.1880894733.000002A329CF6000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000015.00000002.1880894733.000002A329C08000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000024.00000002.2088334568.0000027D80102000.00000004.00000800.00020000.00000000.sdmp	false
https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log?	svchost.exe, 00000003.00000002.1366029607.000001ACC0463000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1364967037.000001ACC0462000.00000004.00000020.00020000.00000000.sdmp	false
https://ps.atera.com/agentpackageswin/AgentPackageSTRemote/16.0/Agen	AteraAgent.exe, 00000015.00000002.1880894733.000002A329E97000.00000004.00000800.00020000.00000000.sdmp	false
https://ps.pndsn	AteraAgent.exe, 00000015.00000002.1880894733.000002A329E61000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000015.00000002.1880894733.000002A329F68000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000015.00000002.1880894733.000002A329FBD000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000015.00000002.1880894733.000002A32A130000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000015.00000002.1880894733.000002A32A136000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000015.00000002.1880894733.000002A329E50000.00000004.00000800.00020000.00000000.sdmp	false
https://www.sqlite.org/copyright.html2	AgentPackageMonitoring.exe, 0000002D.00000002.1736500188.00007FFB036F4000.00000002.00000001.01000000.0000001E.sdmp	false
HTTPS://PS.ATERA.COM/AGENTPACKAGESNET45/AGENT.PACKAGE.WATCHDOG/1.5/AGENT.PACKAGE.WATCHDOG.ZIP	AteraAgent.exe, 00000024.00000002.2088334568.0000027D80232000.00000004.00000800.00020000.00000000.sdmp	false
https://dynamic.api.tiles.ditu.live.com/odvs/gdi?pv=1&r=	svchost.exe, 00000003.00000002.1365868750.000001ACC043F000.00000004.00000020.00020000.00000000.sdmp	false
https://agent-api.atera.com/Production/Agent/guiComm	AgentPackageAgentInformation.exe, 00000022.00000002.1790807938.00000248ACC86000.00000004.00000800.00020000.00000000.sdmp	false
https://urn.to/r/sds_see23https://urn.to/r/sds_see1UInnerVerify	System.Data.SQLite.dll.36.dr	false
https://ps.atera.com/agentpackagescrossplatform/AgentPackageAgentInformation/1.12/AgentPackageA	AteraAgent.exe, 00000015.00000002.1880894733.000002A329E0C000.00000004.00000800.00020000.00000000.sdmp	false
https://ps.atera.com/agentpackagesnet45/AgentPackageInternalPoller/23.8/AgentPackageInternalPoller.z	AteraAgent.exe, 00000015.00000002.1880894733.000002A329CF6000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000015.00000002.1880894733.000002A329C08000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000015.00000002.1880894733.000002A329B82000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000024.00000002.2088334568.0000027D80102000.00000004.00000800.00020000.00000000.sdmp	false
https://system.data.sqlite.org/	AgentPackageMonitoring.exe, 0000002D.00000002.1719872483.000001D43BAF2000.00000002.00000001.01000000.00000024.sdmp, System.Data.SQLite.dll.36.dr	false
http://crl.micros	rundll32.exe, 00000008.00000003.1326647180.00000000072CC000.00000004.00000020.00020000.00000000.sdmp, AgentPackageUpgradeAgent.exe, 00000035.00000002.2210125521.000001B373C55000.00000004.00000020.00020000.00000000.sdmp	false

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
40.119.152.241	unknown	United States	8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	true
93.184.221.240	unknown	European Union	15133	EDGECASTUS	false
13.35.58.89	unknown	United States	16509	AMAZON-02US	false
35.157.63.229	unknown	United States	16509	AMAZON-02US	false
20.37.139.187	unknown	United States	8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
2.19.126.163	unknown	European Union	16625	AKAMAI-ASUS	false
13.35.58.124	unknown	United States	16509	AMAZON-02US	false
20.101.57.9	unknown	United States	8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
35.71.184.3	unknown	United States	237	MERIT-AS-14US	false
192.229.221.95	unknown	United States	15133	EDGECASTUS	false
13.35.58.7	unknown	United States	16509	AMAZON-02US	false
20.60.197.1	unknown	United States	8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1520637
Start date and time:	2024-09-27 17:36:09 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 13m 20s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	59
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	SecuriteInfo.com.Program.RemoteAdminNET.1.367.20003.msi
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winMSI@92/410@0/12
EGA Information:	Successful, ratio: 14.3%
HCA Information:	Successful, ratio: 67% Number of executed functions: 425 Number of non-executed functions: 1
Cookbook Comments:	Found application associated with file extension: .msi

Warnings

Exclude process from analysis (whitelisted): Conhost.exe, dllhost.exe, SIHClient.exe
Execution Graph export aborted for target AgentPackageAgentInformation.exe, PID 1480 because it is empty
Execution Graph export aborted for target AgentPackageAgentInformation.exe, PID 1920 because it is empty
Execution Graph export aborted for target AgentPackageAgentInformation.exe, PID 3964 because it is empty
Execution Graph export aborted for target AgentPackageAgentInformation.exe, PID 5572 because it is empty
Execution Graph export aborted for target AgentPackageSTRemote.exe, PID 6208 because it is empty
Execution Graph export aborted for target AteraAgent.exe, PID 1020 because it is empty
Execution Graph export aborted for target AteraAgent.exe, PID 2020 because it is empty
Execution Graph export aborted for target AteraAgent.exe, PID 720 because it is empty
Execution Graph export aborted for target rundll32.exe, PID 1860 because it is empty
Execution Graph export aborted for target rundll32.exe, PID 4300 because it is empty
Execution Graph export aborted for target rundll32.exe, PID 6328 because it is empty
Execution Graph export aborted for target rundll32.exe, PID 7132 because it is empty
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
Report size getting too big, too many NtSetInformationFile calls found.
Skipping network analysis since amount of network traffic is too extensive
VT rate limit hit for: SecuriteInfo.com.Program.RemoteAdminNET.1.367.20003.msi

Simulations

Behavior and APIs

Time	Type	Description
11:37:11	API Interceptor	2x Sleep call for process: rundll32.exe modified
11:37:17	API Interceptor	1236x Sleep call for process: AteraAgent.exe modified
12:43:10	API Interceptor	44x Sleep call for process: AgentPackageAgentInformation.exe modified
12:43:17	API Interceptor	6545x Sleep call for process: AgentPackageSTRemote.exe modified
12:43:20	API Interceptor	16x Sleep call for process: AgentPackageMonitoring.exe modified
12:43:44	API Interceptor	1x Sleep call for process: MpCmdRun.exe modified
12:44:12	API Interceptor	7x Sleep call for process: AgentPackageUpgradeAgent.exe modified
18:43:50	Task Scheduler	Run new task: Monitoring Recovery path: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe s>schedulerrun

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	145968
Entropy (8bit):	5.874150428357998
Encrypted:	false
SSDEEP:	3072:bk/SImWggsVz8TzihTmmrG/GOXYsqRK3ybTXzpUTQM9/FMp:ISWB/YrRK3yb37
MD5:	477293F80461713D51A98A24023D45E8
SHA1:	E9AA4E6C514EE951665A7CD6F0B4A4C49146241D
SHA-256:	A96A0BA7998A6956C8073B6EFF9306398CC03FB9866E4CABF0810A69BB2A43B2
SHA-512:	23F3BD44A5FB66BE7FEA3F7D6440742B657E4050B565C1F8F4684722502D46B68C9E54DCC2486E7DE441482FCC6AA4AD54E94B1D73992EB5D070E2A17F35DE2F
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 21%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...O..e.........."...0.............f$... ...@....@.. ...............................1....`..................................$..O....@..,...............0(...`......."............................................... ............... ..H............text...\|.... ...................... ..`.rsrc...,....@......................@..@.reloc.......`......................@..B................H$......H.......(...D4..........l!..p.............................................{.....0..N........~......,.~.....+:(.......~....(........(....#.......@....,.(.....+.~.....+.....0..;........(.......(.....1.(.......(........+....,.~.....+.~.....+....0..6........~....%-.&~..........s....%.....s ......o!.....o".......0..O........(...........~#...r...po$..........,..rG..ps%...z.rO..p.....(&....~.....o'....*..0..>........~#...r...po(............,'.~#...r...po$............,.rG..ps%...

Process:	C:\Windows\System32\svchost.exe
File Type:	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	999
Entropy (8bit):	4.966299883488245
Encrypted:	false
SSDEEP:	24:Jd4T7gw4TchTGBLtKEHcHGuDyeHRuDye6MGFiP6euDyRtz:34T53VGLv8HGuDyeHRuDye6MGFiP6euy
MD5:	24567B9212F806F6E3E27CDEB07728C0
SHA1:	371AE77042FFF52327BF4B929495D5603404107D
SHA-256:	82F352AD3C9B3E58ECD3207EDC38D5F01B14D968DA908406BD60FD93230B69F6
SHA-512:	5D5E65FCD9061DADC760C9B3124547F2BABEB49FD56A2FD2FE2AD2211A1CB15436DB24308A0B5A87DA24EC6AB2A9B0C5242D828BE85BD1B2683F9468CE310904
Malicious:	false
Reputation:	unknown
Preview:	.<?xml version="1.0" encoding="utf-8"?>..<software_identification_tag xmlns="http://standards.iso.org/iso/19770/-2/2009/schema.xsd">...<entitlement_required_indicator>true</entitlement_required_indicator>...<product_title>Windows 10 Pro</product_title>...<product_version>....<name>10.0.19041.1865</name>....<numeric>.....<major>10</major>.....<minor>0</minor>.....<build>19041</build>.....<review>1865</review>....</numeric>...</product_version>...<software_creator>....<name>Microsoft Corporation</name>....<regid>regid.1991-06.com.microsoft</regid>...</software_creator>...<software_licensor>....<name>Microsoft Corporation</name>....<regid>regid.1991-06.com.microsoft</regid>...</software_licensor>...<software_id>....<unique_id>Windows-10-Pro</unique_id>....<tag_creator_regid>regid.1991-06.com.microsoft</tag_creator_regid>...</software_id>...<tag_creator>....<name>Microsoft Corporation</name>....<regid>regid.1991-06.com.microsoft</regid>...</tag_creator>..</software_identification_tag>..

Process:	C:\Windows\SysWOW64\rundll32.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	651
Entropy (8bit):	5.343677015075984
Encrypted:	false
SSDEEP:	12:Q3La/KDLI4MWuPTAOKbbDLI4MWuPJKAVKhaOK9eDLI4MNJK9P/JNTK9yiv:ML9E4KlKDE4KhKiKhPKIE4oKNzKoM
MD5:	7EEF860682F76EC7D541A8C1A3494E3D
SHA1:	58D759A845D2D961A5430E429EF777E60C48C87E
SHA-256:	65E958955AC5DBB7D7AD573EB4BB36BFF4A1DC52DD16CF79A5F7A0FA347727F1
SHA-512:	BF7767D55F624B8404240953A726AA616D0CE60EC1B3027710B919D6838EFF7281A79B49B22AB8B065D8CA921EF4D09017A0991CB4A21DAF09B3B43E6698CB04
Malicious:	false
Reputation:	unknown
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..

Process:	C:\Program Files\Windows Defender\MpCmdRun.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	modified
Size (bytes):	2464
Entropy (8bit):	3.2452451731803147
Encrypted:	false
SSDEEP:	24:QOaqdmuF3rXl+kWReHgHttUKlDENh+pyMySn6tUKlDENh+pyMySwwIPVxcwIPVxU:FaqdF7Xl+AAHdKoqKFxcxkFN/
MD5:	2F90C3F36A09880706AE3885355F01EE
SHA1:	2FC805CE1A1742517DAC2273E5063C1467F968E1
SHA-256:	8E9EAE08CC7604A9489C6CF2AE40B691D2BEA2D6D41BFC2C96E424D0E7642132
SHA-512:	D84F43E2DF6B9F3E5EAFFEBFF7B90A7369D284F6BAFFF2EE889DF41EAC081C8733BCE1720BACF2C21A5ECBC1507619D8ACCB464FC6584E26D654C040DB3AC3FD
Malicious:	false
Reputation:	unknown
Preview:	..........-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.....M.p.C.m.d.R.u.n.:. .C.o.m.m.a.n.d. .L.i.n.e.:. .".C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.W.i.n.d.o.w.s. .D.e.f.e.n.d.e.r.\.m.p.c.m.d.r.u.n...e.x.e.". .-.w.d.e.n.a.b.l.e..... .S.t.a.r.t. .T.i.m.e.:. .. F.r.i. .. S.e.p. .. 2.7. .. 2.0.2.4. .1.2.:.4.3.:.4.4.........M.p.E.n.s.u.r.e.P.r.o.c.e.s.s.M.i.t.i.g.a.t.i.o.n.P.o.l.i.c.y.:. .h.r. .=. .0.x.1.....W.D.E.n.a.b.l.e........................................ .W.S.C. .S.t.a.t.e. .I.n.f.o. ................................................................. .A.n.t.i.V.i.r.u.s.P.r.o.d.u.c.t. ..............................d.i.s.p.l.a.y.N.a.m.e. .=. .[.W.i.n.d.o.w.s. .D.e.f.e.n.d.e.r.].....p.a.t.h.T.o.S.i.g.n.e.d.P.r.o.d.u.c.t.E.x.e. .=. .[.w.i.n.d.o.w.s.d.

File type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Code page: 1252, Title: Installation Database, Subject: AteraAgent, Author: Atera networks, Keywords: Installer, Comments: This installer database contains the logic and data required to install AteraAgent., Template: Intel;1033, Revision Number: {721AD955-79FD-4019-BBF5-9DCC4C1175BB}, Create Time/Date: Wed Feb 28 10:52:02 2024, Last Saved Time/Date: Wed Feb 28 10:52:02 2024, Number of Pages: 200, Number of Words: 6, Name of Creating Application: Windows Installer XML Toolset (3.11.2.4516), Security: 2
Entropy (8bit):	7.878679101802603
TrID:	Microsoft Windows Installer (60509/1) 57.88% ClickyMouse macro set (36024/1) 34.46% Generic OLE2 / Multistream Compound File (8008/1) 7.66%
File name:	SecuriteInfo.com.Program.RemoteAdminNET.1.367.20003.msi
File size:	2'994'176 bytes
MD5:	96c976c658e8b4e145acd0018af782d9
SHA1:	54931426f0bdf779e208339a60870503859677d9
SHA256:	e92f49b13affdc1a1626c3bf922c651faccd20f6455fa6d728875a00d30c0cbe
SHA512:	6e73213c6bf984cdc8d4928a55753c56e9b51008179d8fadde1b364550079605e607f844d6d9494b942c528f1980d82bae22bdefd2af9d1ce557c833de32d097
SSDEEP:	49152:Q+1Ypn4N2MGVv1zyIBWGppT9jnMHRjOOozjcqZJN8dUZTwYaH7oqPxMbY+K/tzQz:Q+lUlz9FKbsodq0YaH7ZPxMb8tT
TLSH:	D5D523117584483AE37B0A358D7AD6A05E7DFE605B70CA8E9308741E2E705C1AB76F73
File Content Preview:	........................>......................................................................................................................................................................................................................................

Target ID:	0
Start time:	11:37:04
Start date:	27/09/2024
Path:	C:\Windows\System32\msiexec.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\SecuriteInfo.com.Program.RemoteAdminNET.1.367.20003.msi"
Imagebase:	0x7ff6bc570000
File size:	69'632 bytes
MD5 hash:	E5DA170027542E25EDE42FC54C929077
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	3
Start time:	11:37:05
Start date:	27/09/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k NetworkService -p
Imagebase:	0x7ff7b4ee0000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	8
Start time:	11:37:07
Start date:	27/09/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Windows\Installer\MSI16A.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_4063718 6 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.ReportMsiStart
Imagebase:	0x80000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000008.00000002.1327694824.0000000004844000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000008.00000003.1288418547.000000000464A000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000008.00000002.1327694824.00000000047A1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	true

Target ID:	10
Start time:	11:37:08
Start date:	27/09/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s wscsvc
Imagebase:	0x7ff7b4ee0000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Target ID:	12
Start time:	11:37:10
Start date:	27/09/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\svchost.exe -k LocalService -s W32Time
Imagebase:	0x7ff7b4ee0000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Target ID:	14
Start time:	11:37:13
Start date:	27/09/2024
Path:	C:\Windows\SysWOW64\msiexec.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\syswow64\MsiExec.exe -Embedding FE293C9828EFC6E5D88E7F26AF6615E9 E Global\MSI0000
Imagebase:	0xf50000
File size:	59'904 bytes
MD5 hash:	9D09DC1EDA745A5F87553048E57620CF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	20
Start time:	11:37:15
Start date:	27/09/2024
Path:	C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe" /i /IntegratorLogin="ilpilarsaomateus@gmail.com" /CompanyId="1" /IntegratorLoginUI="" /CompanyIdUI="" /FolderId="" /AccountId="001Q300000Lu4JQIAZ" /AgentId="66902f0e-5571-47c0-8de5-86038d3e7b35"
Imagebase:	0x282b3040000
File size:	145'968 bytes
MD5 hash:	477293F80461713D51A98A24023D45E8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000014.00000002.1403578923.00000282B4E8A000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000014.00000002.1404747077.00000282CD823000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000014.00000002.1403578923.00000282B4E99000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000014.00000002.1403578923.00000282B4E5C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000014.00000002.1405879986.00007FFB0BB30000.00000004.00000001.01000000.00000013.sdmp, Author: Joe Security Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000014.00000002.1403578923.00000282B4F4C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000014.00000002.1403578923.00000282B4E84000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000014.00000002.1403578923.00000282B4F02000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000014.00000002.1404068454.00000282CD490000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000014.00000002.1404420688.00000282CD5E0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000014.00000000.1363107154.00000282B3042000.00000002.00000001.01000000.00000010.sdmp, Author: Joe Security Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000014.00000002.1403578923.00000282B4DD1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000014.00000002.1403578923.00000282B4F36000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000014.00000002.1402227067.00000282B316E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000014.00000002.1402227067.00000282B30EC000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000014.00000002.1403357661.00000282B33D0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000014.00000002.1403578923.00000282B4E59000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000014.00000002.1402227067.00000282B3120000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000014.00000002.1403578923.00000282B4F05000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000014.00000002.1405442881.00007FFAAC7E4000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000014.00000002.1403578923.00000282B4E82000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000014.00000002.1404068454.00000282CD4D7000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000014.00000002.1402227067.00000282B3184000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000014.00000002.1402227067.00000282B30E0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe, Author: Joe Security
Antivirus matches:	Detection: 21%, ReversingLabs
Has exited:	true

Target ID:	21
Start time:	11:37:18
Start date:	27/09/2024
Path:	C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe"
Imagebase:	0x2a328f20000
File size:	145'968 bytes
MD5 hash:	477293F80461713D51A98A24023D45E8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000015.00000002.1880894733.000002A329E61000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000015.00000002.1896332173.000002A342148000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000015.00000002.1880894733.000002A329C7F000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000015.00000002.1878116692.000002A329149000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000015.00000002.1880894733.000002A329FBD000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000015.00000002.1880894733.000002A32A141000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000015.00000002.1880894733.000002A329F68000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000015.00000002.1898386456.000002A3424DB000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000015.00000002.1877972695.000002A328FD0000.00000004.00000020.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000015.00000002.1880894733.000002A32A00B000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000015.00000002.1898386456.000002A3424C0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000015.00000002.1880894733.000002A329C08000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000015.00000002.1898386456.000002A34254E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000015.00000002.1880894733.000002A329DBE000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000015.00000002.1880894733.000002A329CF6000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000015.00000002.1880894733.000002A329CE0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000015.00000002.1880039341.000002A329270000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000015.00000002.1880894733.000002A329E4E000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000015.00000002.1909211556.00007FFB23B20000.00000004.00000001.01000000.00000013.sdmp, Author: Joe Security Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000015.00000002.1898386456.000002A342563000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000015.00000002.1880894733.000002A329A41000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000015.00000002.1880894733.000002A32A0BA000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000015.00000002.1880894733.000002A329E50000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000015.00000002.1875929368.000000A728B85000.00000004.00000010.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000015.00000002.1880894733.000002A32A1A6000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000015.00000002.1880894733.000002A32A19C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000015.00000002.1880894733.000002A329CD3000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000015.00000002.1880894733.000002A32A04F000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000015.00000002.1880894733.000002A329DDF000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000015.00000002.1901343649.000002A34268D000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000015.00000002.1900170957.000002A3425F7000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000015.00000002.1898386456.000002A342505000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000015.00000002.1896332173.000002A342100000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000015.00000002.1880894733.000002A329EA8000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000015.00000002.1880894733.000002A32A0BC000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000015.00000002.1878116692.000002A329100000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000015.00000002.1878116692.000002A32913F000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000015.00000002.1880894733.000002A32A056000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000015.00000002.1902010257.000002A342905000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000015.00000002.1880894733.000002A329E0C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000015.00000002.1898386456.000002A3424CE000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000015.00000002.1880894733.000002A329AAE000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000015.00000002.1897843477.000002A3421CD000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000015.00000002.1880894733.000002A329F12000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000015.00000002.1878116692.000002A32918E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Has exited:	true

Target ID:	22
Start time:	11:37:19
Start date:	27/09/2024
Path:	C:\Windows\System32\sc.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\sc.exe" failure AteraAgent reset= 600 actions= restart/25000
Imagebase:	0x7ff6b0080000
File size:	72'192 bytes
MD5 hash:	3FB5CF71F7E7EB49790CB0E663434D80
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	26
Start time:	12:43:08
Start date:	27/09/2024
Path:	C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" 66902f0e-5571-47c0-8de5-86038d3e7b35 "a7726a3f-8b3e-4e5c-93fd-b7293e973556" agent-api.atera.com/Production 443 or8ixLi90Mf "minimalIdentification" 001Q300000Lu4JQIAZ
Imagebase:	0x2069bbd0000
File size:	177'200 bytes
MD5 hash:	EBFEC606B23961A73DB0F5541E93C03C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001A.00000002.1592759090.00007FFB23B20000.00000004.00000001.01000000.00000013.sdmp, Author: Joe Security Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001A.00000002.1574235267.000002069C85F000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001A.00000002.1568260436.000002069BD9E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001A.00000002.1560441536.000002069BD80000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001A.00000002.1568260436.000002069BDC1000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001A.00000002.1568260436.000002069BDCB000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001A.00000000.1533103031.000002069BBD2000.00000002.00000001.01000000.00000018.sdmp, Author: Joe Security Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001A.00000002.1571375000.000002069BFB0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001A.00000002.1574235267.000002069C7E7000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001A.00000002.1574235267.000002069C7A1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001A.00000002.1574235267.000002069C813000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001A.00000002.1580440319.00000206B4E60000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001A.00000002.1568260436.000002069BE0D000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001A.00000002.1574235267.000002069C823000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe, Author: Joe Security Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe, Author: Joe Security
Antivirus matches:	Detection: 0%, ReversingLabs
Has exited:	true

Target ID:	30
Start time:	12:43:11
Start date:	27/09/2024
Path:	C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" 66902f0e-5571-47c0-8de5-86038d3e7b35 "3f72da7d-d915-4f53-8bc1-de00eab8c542" agent-api.atera.com/Production 443 or8ixLi90Mf "minimalIdentification" 001Q300000Lu4JQIAZ
Imagebase:	0x131ac260000
File size:	177'200 bytes
MD5 hash:	EBFEC606B23961A73DB0F5541E93C03C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001E.00000002.1622260091.00000131ACD73000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001E.00000002.1626578796.00007FFB23B20000.00000004.00000001.01000000.00000013.sdmp, Author: Joe Security Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001E.00000002.1610900588.00000131AC42B000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001E.00000002.1622260091.00000131ACDBF000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001E.00000002.1610900588.00000131AC472000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001E.00000002.1622260091.00000131ACD47000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001E.00000002.1610900588.00000131AC431000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001E.00000002.1618685636.00000131AC6E0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001E.00000002.1622260091.00000131ACD01000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001E.00000002.1610900588.00000131AC3F0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001E.00000002.1622260091.00000131ACD83000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Has exited:	true

Target ID:	32
Start time:	12:43:12
Start date:	27/09/2024
Path:	C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" 66902f0e-5571-47c0-8de5-86038d3e7b35 "db753a87-56d5-4df4-b088-df029e1319dc" agent-api.atera.com/Production 443 or8ixLi90Mf "identified" 001Q300000Lu4JQIAZ
Imagebase:	0x1851ec30000
File size:	177'200 bytes
MD5 hash:	EBFEC606B23961A73DB0F5541E93C03C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000020.00000002.1585093238.000001851EE00000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000020.00000002.1590833917.000001851F683000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000020.00000002.1590833917.000001851F601000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000020.00000002.1586780777.000001851EE68000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000020.00000002.1586780777.000001851EE60000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000020.00000002.1586780777.000001851EEE9000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000020.00000002.1590833917.000001851F673000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000020.00000002.1586780777.000001851EE9D000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Has exited:	true

Target ID:	37
Start time:	12:43:13
Start date:	27/09/2024
Path:	C:\Windows\System32\sc.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\sc.exe" failure AteraAgent reset= 600 actions= restart/25000
Imagebase:	0x7ff6b0080000
File size:	72'192 bytes
MD5 hash:	3FB5CF71F7E7EB49790CB0E663434D80
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	41
Start time:	12:43:14
Start date:	27/09/2024
Path:	C:\Windows\System32\cscript.exe
Wow64 process (32bit):	false
Commandline:	cscript "C:\Program Files (x86)\Microsoft Office\Office16\ospp.vbs" /dstatus
Imagebase:	0x7ff629960000
File size:	161'280 bytes
MD5 hash:	24590BF74BBBBFD7D7AC070F4E3C44FD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000029.00000002.1693658473.0000024616A80000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Has exited:	true

Target ID:	42
Start time:	12:43:15
Start date:	27/09/2024
Path:	C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe" 66902f0e-5571-47c0-8de5-86038d3e7b35 "25d94b19-dd8c-444e-8649-b75dcdab378e" agent-api.atera.com/Production 443 or8ixLi90Mf "install eyJSbW1Db2RlIjoiaFpDREZQaEs3NW1KIn0=" 001Q300000Lu4JQIAZ
Imagebase:	0x1ee85030000
File size:	74'288 bytes
MD5 hash:	749C51599FBF82422791E0DF1C1E841C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000002A.00000002.2168433819.000001EE85220000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000002A.00000002.2202850018.000001EE9E2C8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000002A.00000002.2168093156.000001EE851E0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000002A.00000002.2171122634.000001EE852CA000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000002A.00000002.2169067788.000001EE8523E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000002A.00000002.2169067788.000001EE852AC000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000002A.00000002.2169067788.000001EE85260000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000002A.00000000.1610870120.000001EE85032000.00000002.00000001.01000000.0000001C.sdmp, Author: Joe Security Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000002A.00000002.2174501497.000001EE85A08000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000002A.00000002.2199195531.000001EE9E228000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000002A.00000002.2174501497.000001EE85991000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000002A.00000002.2199195531.000001EE9E222000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000002A.00000002.2174501497.000001EE85B96000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000002A.00000002.2174501497.000001EE85B0D000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe, Author: Joe Security
Has exited:	true

Target ID:	44
Start time:	12:43:16
Start date:	27/09/2024
Path:	C:\Windows\System32\sppsvc.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\sppsvc.exe
Imagebase:	0x7ff7aeb80000
File size:	4'630'384 bytes
MD5 hash:	320823F03672CEB82CC3A169989ABD12
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report SecuriteInfo.com.Program.RemoteAdminNET.1.367.20003.msi

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Software Vulnerabilities

Networking

E-Banking Fraud

Spam, unwanted Advertisements and Ransom Demands

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

3dfa4c.rbf (copy)

3dfa4d.rbf (copy)

3dfa4e.rbf (copy)

3dfa4f.rbf (copy)

3dfa50.rbf (copy)

3dfa51.rbf (copy)

3dfa52.rbf (copy)

C:\Config.Msi\3dfa46.rbs

C:\Config.Msi\3dfa4b.rbs

C:\Config.Msi\3dfa53.rbs

C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.InstallLog

C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.InstallState

Windows Analysis Report
SecuriteInfo.com.Program.RemoteAdminNET.1.367.20003.msi

Target ID:	45
Start time:	12:43:18
Start date:	27/09/2024
Path:	C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe" 66902f0e-5571-47c0-8de5-86038d3e7b35 "cb18c271-196a-4aaf-9ea1-03326a248300" agent-api.atera.com/Production 443 or8ixLi90Mf "syncprofile" 001Q300000Lu4JQIAZ
Imagebase:	0x1d422770000
File size:	396'336 bytes
MD5 hash:	B50005A1A62AFA85240D1F65165856EB
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000002D.00000002.1694634338.000001D422C70000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000002D.00000002.1694216775.000001D422C12000.00000002.00000001.01000000.0000001F.sdmp, Author: Joe Security Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000002D.00000002.1722197586.000001D43C915000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000002D.00000002.1736383824.00007FFB036E9000.00000004.00000001.01000000.0000001E.sdmp, Author: Joe Security Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000002D.00000002.1697943618.000001D4232A1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000002D.00000002.1722382611.000001D43C926000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000002D.00000002.1722155139.000001D43C717000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000002D.00000002.1722496320.000001D43CB6D000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000002D.00000002.1696952170.000001D423198000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000002D.00000002.1697943618.000001D42338D000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000002D.00000002.1692653802.000001D422ACC000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000002D.00000002.1692653802.000001D422A40000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000002D.00000000.1639820961.000001D422772000.00000002.00000001.01000000.0000001D.sdmp, Author: Joe Security Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000002D.00000002.1692092530.000001D422860000.00000004.00000020.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000002D.00000002.1692653802.000001D422A80000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000002D.00000002.1692653802.000001D422A4C000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000002D.00000002.1692653802.000001D422A86000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000002D.00000002.1697943618.000001D423841000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe, Author: Joe Security Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe, Author: Joe Security
Antivirus matches:	Detection: 0%, ReversingLabs
Has exited:	true

Target ID:	47
Start time:	12:43:26
Start date:	27/09/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
Imagebase:	0x7ff7b4ee0000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Target ID:	51
Start time:	12:43:46
Start date:	27/09/2024
Path:	C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" 66902f0e-5571-47c0-8de5-86038d3e7b35 "62bbbd59-291d-44d5-8ada-88594b5f534e" agent-api.atera.com/Production 443 or8ixLi90Mf "generalinfo" 001Q300000Lu4JQIAZ
Imagebase:	0x18791ea0000
File size:	177'200 bytes
MD5 hash:	EBFEC606B23961A73DB0F5541E93C03C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000033.00000002.2095306627.0000018792DEF000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000033.00000002.2151925768.00007FFB23B20000.00000004.00000001.01000000.00000013.sdmp, Author: Joe Security Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000033.00000002.2095306627.00000187928C3000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000033.00000002.2122617084.00000187AB1C0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000033.00000002.2095306627.0000018792851000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000033.00000002.2089271472.00000187920EC000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000033.00000002.2089271472.000001879213A000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000033.00000002.2095306627.0000018792897000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000033.00000002.2089271472.00000187920CB000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000033.00000002.2089271472.00000187920B0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000033.00000002.2095306627.0000018792A26000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000033.00000002.2135255406.00000187AB3DD000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000033.00000002.2095306627.0000018792DAD000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000033.00000002.2088867970.0000018792070000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000033.00000002.2127533637.00000187AB286000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000033.00000002.2095306627.00000187928D3000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000033.00000002.2089271472.0000018792193000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000033.00000002.2095306627.0000018792E36000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000033.00000002.2089271472.00000187920FC000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Has exited:	true

Target ID:	52
Start time:	12:43:47
Start date:	27/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	55
Start time:	12:43:48
Start date:	27/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may move onto systems, possibly those on disconnected or air-gapped networks, by copying malware to removable media and taking advantage of Autorun features when the media is inserted into a system and executes. In the case of Lateral Movement, this may occur through modification of executable files stored on removable media or by copying malware and renaming it to look like a legitimate file to trick users into executing it on a separate system. In the case of Initial Access, this may occur through manual manipulation of the media, modification of systems used to initially format the media, or modification to the media's firmware itself.
Tactics:	Initial Access, Lateral Movement
Data Sources:	Drive: Drive Creation, File: File Access, File: File Creation, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre