Windows Analysis Report
registration.msi

Overview

General Information

Sample name: registration.msi
Analysis ID: 1561803
MD5: 62367ba07bdc8e7abdc94d2bbe076216
SHA1: 5f0f1c2d77230f41cbb65989f24868a6dc4c9cfc
SHA256: ed0ae67f36657cfe892fb58cc02b28f237ab5de0ed5f8cd902981dc892d7f737
Tags: msiuser-JAMESWT_MHT
Infos:

Detection

AteraAgent
Score: 88
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected AteraAgent
AI detected suspicious sample
Creates files in the system32 config directory
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Reads the Security eventlog
Reads the System eventlog
Yara detected Generic Downloader
Abnormal high CPU Usage
Adds / modifies Windows certificates
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks for available system drives (often done to infect USB drives)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Creates or modifies windows services
Deletes files inside the Windows folder
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Drops certificate files (DER)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found inlined nop instructions (likely shell or obfuscated code)
HTTP GET or POST without a user agent
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Stores large binary data to the registry
Suricata IDS alerts with low severity for network traffic
Uses code obfuscation techniques (call, push, ret)
Uses net.exe to stop services
Uses taskkill to terminate processes
Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Classification

AV Detection
barindex
Multi AV Scanner detection for dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe ReversingLabs: Detection: 26%
Multi AV Scanner detection for submitted file
Source: registration.msi ReversingLabs: Detection: 28%
AI detected suspicious sample
Source: Submited Sample Integrated Neural Analysis Model: Matched 96.6% probability
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Windows\system32\InstallUtil.InstallLog Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.InstallLog Jump to behavior
Source: unknown HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.6:49774 version: TLS 1.2
Source: unknown HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.6:49775 version: TLS 1.2
Source: unknown HTTPS traffic detected: 108.158.75.12:443 -> 192.168.2.6:49795 version: TLS 1.2
Source: unknown HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.6:49950 version: TLS 1.2
Source: unknown HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.6:49949 version: TLS 1.2
Source: unknown HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.6:49965 version: TLS 1.2
Source: unknown HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.6:49963 version: TLS 1.2
Source: unknown HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.6:49977 version: TLS 1.2
Source: unknown HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.6:49985 version: TLS 1.2
Source: unknown HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.6:49986 version: TLS 1.2
Source: unknown HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.6:50006 version: TLS 1.2
Source: unknown HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.6:50015 version: TLS 1.2
Source: unknown HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.6:50014 version: TLS 1.2
Source: unknown HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.6:50018 version: TLS 1.2
Source: unknown HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.6:50046 version: TLS 1.2
Source: unknown HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.6:50056 version: TLS 1.2
Source: unknown HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.6:50088 version: TLS 1.2
Source: unknown HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.6:50091 version: TLS 1.2
Source: unknown HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.6:50097 version: TLS 1.2
Source: unknown HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.6:50114 version: TLS 1.2
Source: unknown HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.6:50118 version: TLS 1.2
Source: unknown HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.6:50126 version: TLS 1.2
Source: unknown HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.6:50130 version: TLS 1.2
Source: unknown HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.6:50132 version: TLS 1.2
Source: unknown HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.6:50131 version: TLS 1.2
Source: unknown HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.6:50136 version: TLS 1.2
Source: unknown HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.6:50140 version: TLS 1.2
Source: unknown HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.6:50142 version: TLS 1.2
Source: unknown HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.6:50145 version: TLS 1.2
Source: unknown HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.6:50154 version: TLS 1.2
Source: unknown HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.6:50166 version: TLS 1.2
Source: unknown HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.6:50173 version: TLS 1.2
Source: unknown HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.6:50182 version: TLS 1.2
Source: unknown HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.6:50184 version: TLS 1.2
Source: unknown HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.6:50195 version: TLS 1.2
Source: unknown HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.6:50199 version: TLS 1.2
Source: unknown HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.6:50200 version: TLS 1.2
Source: unknown HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.6:50208 version: TLS 1.2
Source: unknown HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.6:50211 version: TLS 1.2
Source: unknown HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.6:50218 version: TLS 1.2
Source: unknown HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.6:50225 version: TLS 1.2
Source: unknown HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.6:50224 version: TLS 1.2
Source: unknown HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.6:50230 version: TLS 1.2
Source: unknown HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.6:50231 version: TLS 1.2
Source: unknown HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.6:50238 version: TLS 1.2
Source: unknown HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.6:50239 version: TLS 1.2
Source: unknown HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.6:50240 version: TLS 1.2
Source: unknown HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.6:50246 version: TLS 1.2
Source: unknown HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.6:50250 version: TLS 1.2
Source: unknown HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.6:50258 version: TLS 1.2
Source: unknown HTTPS traffic detected: 13.232.67.199:443 -> 192.168.2.6:50261 version: TLS 1.2
Source: unknown HTTPS traffic detected: 13.232.67.199:443 -> 192.168.2.6:50262 version: TLS 1.2
Source: unknown HTTPS traffic detected: 13.232.67.199:443 -> 192.168.2.6:50272 version: TLS 1.2
Source: unknown HTTPS traffic detected: 13.232.67.199:443 -> 192.168.2.6:50280 version: TLS 1.2
Source: unknown HTTPS traffic detected: 13.232.67.199:443 -> 192.168.2.6:50282 version: TLS 1.2
Source: unknown HTTPS traffic detected: 13.232.67.199:443 -> 192.168.2.6:50284 version: TLS 1.2
Source: unknown HTTPS traffic detected: 13.232.67.199:443 -> 192.168.2.6:50294 version: TLS 1.2
Source: unknown HTTPS traffic detected: 13.232.67.199:443 -> 192.168.2.6:50303 version: TLS 1.2
Source: unknown HTTPS traffic detected: 13.232.67.199:443 -> 192.168.2.6:50304 version: TLS 1.2
Source: unknown HTTPS traffic detected: 13.232.67.199:443 -> 192.168.2.6:50307 version: TLS 1.2
Source: unknown HTTPS traffic detected: 13.232.67.199:443 -> 192.168.2.6:50319 version: TLS 1.2
Source: unknown HTTPS traffic detected: 13.232.67.199:443 -> 192.168.2.6:50322 version: TLS 1.2
Source: unknown HTTPS traffic detected: 13.232.67.199:443 -> 192.168.2.6:50323 version: TLS 1.2
Source: unknown HTTPS traffic detected: 13.232.67.199:443 -> 192.168.2.6:50326 version: TLS 1.2
Source: unknown HTTPS traffic detected: 13.232.67.199:443 -> 192.168.2.6:50329 version: TLS 1.2
Source: unknown HTTPS traffic detected: 13.232.67.199:443 -> 192.168.2.6:50330 version: TLS 1.2
Source: unknown HTTPS traffic detected: 13.232.67.199:443 -> 192.168.2.6:50334 version: TLS 1.2
Source: unknown HTTPS traffic detected: 13.232.67.199:443 -> 192.168.2.6:50339 version: TLS 1.2
Source: unknown HTTPS traffic detected: 13.232.67.199:443 -> 192.168.2.6:50350 version: TLS 1.2
Source: unknown HTTPS traffic detected: 13.232.67.199:443 -> 192.168.2.6:50349 version: TLS 1.2
Source: Binary string: D:\a\1\s\AgentPackageAgentInformation\AgentPackageAgentInformation\obj\Release\AgentPackageAgentInformation.pdb source: AgentPackageAgentInformation.exe, 00000014.00000000.2580452917.000001FE48962000.00000002.00000001.01000000.00000016.sdmp, AgentPackageAgentInformation.exe.15.dr
Source: Binary string: D:\a\1\s\AlphaControlAgentInstallation\obj\Release\AlphaControlAgentInstallation.pdb source: rundll32.exe, 00000004.00000003.2279701962.0000000004C02000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2291421210.0000000004400000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.2338894865.00000000029A5000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.2347431568.0000000007033000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2350193018.0000000004B8F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000002.2481662391.0000000002C85000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2427395376.00000000046FC000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000002.2484645083.0000000007330000.00000004.00000020.00020000.00000000.sdmp, AlphaControlAgentInstallation.dll.5.dr, AlphaControlAgentInstallation.dll.6.dr, AlphaControlAgentInstallation.dll.18.dr, AlphaControlAgentInstallation.dll.4.dr
Source: Binary string: \??\C:\Windows\symbols\dll\AlphaControlAgentInstallation.pdb source: rundll32.exe, 00000005.00000002.2338894865.0000000002A16000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\AlphaControlAgentInstallation.pdbCn source: rundll32.exe, 00000012.00000002.2481662391.0000000002C85000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: /_/Src/Newtonsoft.Json/obj/Release/net45/Newtonsoft.Json.pdbSHA256 source: AgentPackageAgentInformation.exe, 00000016.00000002.2620350123.000002A86664B000.00000002.00000001.01000000.00000019.sdmp, Newtonsoft.Json.dll.15.dr
Source: Binary string: \??\C:\Windows\symbols\dll\System.pdbpH source: rundll32.exe, 00000005.00000002.2347431568.0000000007022000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\a\1\s\AlphaControlAgent\obj\Release\AteraAgent.pdb<$ source: AteraAgent.exe, 0000000D.00000000.2366604814.000001D0B8FF2000.00000002.00000001.01000000.0000000F.sdmp, AteraAgent.exe.2.dr
Source: Binary string: System.pdbN|2h|2 Z|2_CorDllMainmscoree.dll source: rundll32.exe, 00000005.00000002.2347431568.0000000007022000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: /_/Src/Newtonsoft.Json/obj/Release/net45/Newtonsoft.Json.pdb source: rundll32.exe, 00000004.00000003.2279701962.0000000004C33000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2291421210.0000000004431000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2350193018.0000000004BC0000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.4750635024.0000025E6EB92000.00000002.00000001.01000000.0000001A.sdmp, rundll32.exe, 00000012.00000003.2427395376.000000000472D000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000016.00000002.2620350123.000002A86664B000.00000002.00000001.01000000.00000019.sdmp, Newtonsoft.Json.dll.6.dr, Newtonsoft.Json.dll.4.dr, Newtonsoft.Json.dll.2.dr, Newtonsoft.Json.dll.5.dr, Newtonsoft.Json.dll.15.dr, Newtonsoft.Json.dll.18.dr
Source: Binary string: l\System.pdb source: rundll32.exe, 00000012.00000002.2481662391.0000000002CFE000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Windows\AlphaControlAgentInstallation.pdbpdbion.pdb source: rundll32.exe, 00000012.00000002.2481662391.0000000002CFE000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\a\1\s\Atera.AgentPackage.Common\obj\Release\Atera.AgentPackage.Common.pdb source: AgentPackageAgentInformation.exe, 00000014.00000002.2619260815.000001FE49192000.00000002.00000001.01000000.00000018.sdmp, Atera.AgentPackage.Common.dll.15.dr
Source: Binary string: E:\A\_work\39\s\corefx\bin\obj\AnyOS.AnyCPU.Release\System.ValueTuple\netstandard1.0\System.ValueTuple.pdb source: System.ValueTuple.dll.2.dr
Source: Binary string: \??\C:\Windows\dll\AlphaControlAgentInstallation.pdbCDSD source: rundll32.exe, 00000005.00000002.2347431568.0000000007022000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Windows\AlphaControlAgentInstallation.pdbpdbion.pdbD\Enco source: rundll32.exe, 00000005.00000002.2338894865.0000000002A20000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\AlphaControlAgentInstallation.pdb source: rundll32.exe, 00000005.00000002.2338894865.00000000029A5000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000002.2481662391.0000000002C85000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Installer\MSIFFD7.tmp-\AlphaControlAgentInstallation.PDBk.Q source: rundll32.exe, 00000012.00000002.2481662391.0000000002C85000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: m\C:\Windows\AlphaControlAgentInstallation.pdb source: rundll32.exe, 00000005.00000002.2338335084.00000000024D7000.00000004.00000010.00020000.00000000.sdmp, rundll32.exe, 00000012.00000002.2481375475.00000000027F7000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: C:\agent\_work\66\s\build\ship\x86\wixca.pdb source: registration.msi, MSIE596.tmp.2.dr, 41c382.msi.2.dr, MSIE6C0.tmp.2.dr, MSIE49B.tmp.2.dr
Source: Binary string: dows\dll\System.pdb source: rundll32.exe, 00000005.00000002.2338894865.0000000002A20000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000002.2481662391.0000000002CFE000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\System.pdb source: rundll32.exe, 00000005.00000002.2347431568.0000000007022000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000002.2484645083.0000000007330000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\agent\_work\66\s\build\obj\ship\x86\WindowsInstaller\Microsoft.Deployment.WindowsInstaller.pdbP source: rundll32.exe, 00000004.00000003.2279701962.0000000004C02000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2291421210.0000000004400000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2350193018.0000000004B8F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2427395376.00000000046FC000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Deployment.WindowsInstaller.dll.4.dr, Microsoft.Deployment.WindowsInstaller.dll.6.dr, Microsoft.Deployment.WindowsInstaller.dll.18.dr
Source: Binary string: D:\a\1\s\Atera.AgentPackage.Common\obj\Release\Atera.AgentPackage.Common.pdbPf source: AgentPackageAgentInformation.exe, 00000014.00000002.2619260815.000001FE49192000.00000002.00000001.01000000.00000018.sdmp, Atera.AgentPackage.Common.dll.15.dr
Source: Binary string: \??\C:\Windows\dll\AlphaControlAgentInstallation.pdb source: rundll32.exe, 00000005.00000002.2347431568.0000000007022000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.pdb source: rundll32.exe, 00000005.00000002.2347431568.0000000007022000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Installer\MSIFFD7.tmp-\AlphaControlAgentInstallation.pdb source: rundll32.exe, 00000012.00000002.2481662391.0000000002C85000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: BouncyCastle.Crypto.pdbSHA256 source: BouncyCastle.Crypto.dll.2.dr
Source: Binary string: C:\agent\_work\66\s\build\obj\ship\x86\WindowsInstaller\Microsoft.Deployment.WindowsInstaller.pdb source: rundll32.exe, 00000004.00000003.2279701962.0000000004C02000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2291421210.0000000004400000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2350193018.0000000004B8F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2427395376.00000000046FC000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Deployment.WindowsInstaller.dll.4.dr, Microsoft.Deployment.WindowsInstaller.dll.6.dr, Microsoft.Deployment.WindowsInstaller.dll.18.dr
Source: Binary string: \??\C:\Windows\System.pdbalth source: rundll32.exe, 00000012.00000002.2484645083.0000000007330000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\a\1\s\AlphaControlAgent\obj\Release\AteraAgent.pdb source: AteraAgent.exe, 0000000D.00000000.2366604814.000001D0B8FF2000.00000002.00000001.01000000.0000000F.sdmp, AteraAgent.exe.2.dr
Source: Binary string: \??\C:\Windows\symbols\dll\AlphaControlAgentInstallation.pdbs[F source: rundll32.exe, 00000012.00000002.2481662391.0000000002CEB000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: E:\A\_work\39\s\corefx\bin\obj\AnyOS.AnyCPU.Release\System.ValueTuple\netstandard1.0\System.ValueTuple.pdbSHA256 source: System.ValueTuple.dll.2.dr
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdb source: rundll32.exe, 00000005.00000002.2338894865.0000000002A20000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000002.2481662391.0000000002C85000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\a\c-sharp\c-sharp\src\Api\PubnubApi\obj\Release\net45\Pubnub.pdbSHA256 source: AteraAgent.exe, 0000000D.00000002.2421806948.000001D0D3562000.00000002.00000001.01000000.00000011.sdmp, Pubnub.dll.2.dr
Source: Binary string: \??\C:\Windows\AlphaControlAgentInstallation.pdbviderW source: rundll32.exe, 00000005.00000002.2338894865.00000000029A5000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\a\c-sharp\c-sharp\src\Api\PubnubApi\obj\Release\net45\Pubnub.pdb source: AteraAgent.exe, 0000000D.00000002.2421806948.000001D0D3562000.00000002.00000001.01000000.00000011.sdmp, Pubnub.dll.2.dr
Source: Binary string: \??\C:\Windows\symbols\dll\System.pdbeH*c% source: rundll32.exe, 00000005.00000002.2347431568.0000000007022000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: mC:\Windows\Installer\MSICAE6.tmp-\AlphaControlAgentInstallation.pdbU source: rundll32.exe, 00000005.00000002.2338335084.00000000024D7000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: C:\agent\_work\66\s\build\ship\x86\SfxCA.pdb source: registration.msi, 41c382.msi.2.dr, MSIC4F9.tmp.2.dr, MSIFFD7.tmp.2.dr, MSICAE6.tmp.2.dr
Source: Binary string: /_/src/ICSharpCode.SharpZipLib/obj/Release/net45/ICSharpCode.SharpZipLib.pdbSHA256mW source: AteraAgent.exe, 0000000F.00000002.4753488973.0000025E6F162000.00000002.00000001.01000000.0000001B.sdmp, ICSharpCode.SharpZipLib.dll.2.dr
Source: Binary string: /_/src/ICSharpCode.SharpZipLib/obj/Release/net45/ICSharpCode.SharpZipLib.pdb source: AteraAgent.exe, 0000000F.00000002.4753488973.0000025E6F162000.00000002.00000001.01000000.0000001B.sdmp, ICSharpCode.SharpZipLib.dll.2.dr
Source: Binary string: BouncyCastle.Crypto.pdb source: BouncyCastle.Crypto.dll.2.dr
Source: Binary string: /_/Src/Newtonsoft.Json/obj/Release/net45/Newtonsoft.Json.pdbSHA2567 source: rundll32.exe, 00000004.00000003.2279701962.0000000004C33000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2291421210.0000000004431000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2350193018.0000000004BC0000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.4750635024.0000025E6EB92000.00000002.00000001.01000000.0000001A.sdmp, rundll32.exe, 00000012.00000003.2427395376.000000000472D000.00000004.00000020.00020000.00000000.sdmp, Newtonsoft.Json.dll.6.dr, Newtonsoft.Json.dll.4.dr, Newtonsoft.Json.dll.2.dr, Newtonsoft.Json.dll.5.dr, Newtonsoft.Json.dll.18.dr
Source: Binary string: \??\C:\Windows\Installer\MSICAE6.tmp-\AlphaControlAgentInstallation.pdb4 source: rundll32.exe, 00000005.00000002.2338894865.00000000029A5000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: mC:\Windows\Installer\MSIFFD7.tmp-\AlphaControlAgentInstallation.pdb source: rundll32.exe, 00000012.00000002.2481375475.00000000027F7000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\symbols\dll\AlphaControlAgentInstallation.pdbes source: rundll32.exe, 00000012.00000002.2481662391.0000000002CEB000.00000004.00000020.00020000.00000000.sdmp
Checks for available system drives (often done to infect USB drives)
Source: C:\Windows\System32\msiexec.exe File opened: z: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: x: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: v: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: t: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: r: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: p: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: n: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: l: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: j: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: h: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: f: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: b: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: y: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: w: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: u: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: s: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: q: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: o: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: m: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: k: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: i: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: g: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: e: Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File opened: c:
Source: C:\Windows\System32\msiexec.exe File opened: a: Jump to behavior
Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Code function: 4x nop then jmp 00007FFD341C1FFFh 13_2_00007FFD341C1E88
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Code function: 4x nop then jmp 00007FFD341C1FFFh 13_2_00007FFD341C1E7E
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Code function: 4x nop then jmp 00007FFD341C1FFFh 13_2_00007FFD341C1EB6
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Code function: 4x nop then jmp 00007FFD341C1873h 13_2_00007FFD341C184E
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Code function: 4x nop then jmp 00007FFD341C1A44h 13_2_00007FFD341C184E
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Code function: 4x nop then jmp 00007FFD341C1873h 13_2_00007FFD341C0C1D
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Code function: 4x nop then jmp 00007FFD341C1A44h 13_2_00007FFD341C0C1D
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Code function: 4x nop then jmp 00007FFD341C1FFFh 13_2_00007FFD341C0C1D
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Code function: 4x nop then jmp 00007FFD341C227Bh 13_2_00007FFD341C0C1D
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Code function: 4x nop then jmp 00007FFD34194ECBh 15_2_00007FFD34194E6B
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Code function: 4x nop then jmp 00007FFD341A6E42h 15_2_00007FFD341A6AE6
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Code function: 4x nop then jmp 00007FFD3419227Bh 15_2_00007FFD3419225D
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Code function: 4x nop then jmp 00007FFD341A6E42h 15_2_00007FFD341A6AF0
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Code function: 4x nop then jmp 00007FFD343B5920h 15_2_00007FFD343B5740
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Code function: 4x nop then dec eax 15_2_00007FFD343B2F66
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Code function: 4x nop then jmp 00007FFD343B0C76h 15_2_00007FFD343B0A19
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Code function: 4x nop then jmp 00007FFD343B0C76h 15_2_00007FFD343B0420
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Code function: 4x nop then jmp 00007FFD343B00EAh 15_2_00007FFD343B0079
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Code function: 4x nop then jmp 00007FFD343B5920h 15_2_00007FFD343B5886
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Code function: 4x nop then jmp 00007FFD343B5920h 15_2_00007FFD343B58EF

Networking
barindex
Yara detected Generic Downloader
Source: Yara match File source: 20.0.AgentPackageAgentInformation.exe.1fe48960000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe, type: DROPPED
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET /time/0?pnsdk=NET45CSharp6.13.0.0&requestid=af5bf701-7249-45e5-86be-19d8d9c83003&uuid=95fbc98a-3c27-44ae-84cf-9e3acc292491 HTTP/1.1Host: ps.pndsn.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /v2/subscribe/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/95fbc98a-3c27-44ae-84cf-9e3acc292491/0?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=2437e5c2-c49a-46e7-85a0-5bd5b0f3e346&tt=0&uuid=95fbc98a-3c27-44ae-84cf-9e3acc292491 HTTP/1.1Cache-Control: no-cachePragma: no-cacheContent-Type: application/jsonHost: ps.pndsn.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /time/0?pnsdk=NET45CSharp6.13.0.0&requestid=bf7ca070-0a55-4d8e-8d7a-52b5cb49f44c&uuid=95fbc98a-3c27-44ae-84cf-9e3acc292491 HTTP/1.1Host: ps.pndsn.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /v2/subscribe/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/95fbc98a-3c27-44ae-84cf-9e3acc292491/0?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=5acd82f0-57ae-41e0-85e3-b5cb80ee27df&tr=31&tt=17324433379477685&uuid=95fbc98a-3c27-44ae-84cf-9e3acc292491 HTTP/1.1Cache-Control: no-cachePragma: no-cacheContent-Type: application/jsonHost: ps.pndsn.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /agentpackagesnet45/AgentPackageAgentInformation/38.0/AgentPackageAgentInformation.zip?w8Q4MxnxsTU+y3lbIKhb1p3E6E9NGNGr43vM7ggjDRD5G9cDVa0pn3fF3kInqamc HTTP/1.1Host: ps.atera.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /time/0?pnsdk=NET45CSharp6.13.0.0&requestid=dd31cbca-11f7-438d-95d1-0103076c3b19&uuid=95fbc98a-3c27-44ae-84cf-9e3acc292491 HTTP/1.1Host: ps.pndsn.com
Source: global traffic HTTP traffic detected: GET /v2/subscribe/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/95fbc98a-3c27-44ae-84cf-9e3acc292491/0?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=8a545e8a-5ca3-4586-95ee-223486bad101&tr=31&tt=17324433411580562&uuid=95fbc98a-3c27-44ae-84cf-9e3acc292491 HTTP/1.1Cache-Control: no-cachePragma: no-cacheContent-Type: application/jsonHost: ps.pndsn.com
Source: global traffic HTTP traffic detected: GET /time/0?pnsdk=NET45CSharp6.13.0.0&requestid=a550ee73-b0e6-4203-86b7-33ebef664c1d&uuid=95fbc98a-3c27-44ae-84cf-9e3acc292491 HTTP/1.1Host: ps.pndsn.com
Source: global traffic HTTP traffic detected: GET /v2/presence/sub_key/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/channel/95fbc98a-3c27-44ae-84cf-9e3acc292491/heartbeat?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=3dabc9ca-50ca-4769-82eb-40791913b06c&uuid=95fbc98a-3c27-44ae-84cf-9e3acc292491 HTTP/1.1Cache-Control: no-cachePragma: no-cacheContent-Type: application/jsonHost: ps.pndsn.com
Source: global traffic HTTP traffic detected: GET /v2/presence/sub_key/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/channel/,/leave?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=82fdf8d4-8981-41b8-81dd-da3d6c848351&uuid=95fbc98a-3c27-44ae-84cf-9e3acc292491 HTTP/1.1Cache-Control: no-cachePragma: no-cacheContent-Type: application/jsonHost: ps.pndsn.com
Source: global traffic HTTP traffic detected: GET /time/0?pnsdk=NET45CSharp6.13.0.0&requestid=aa11bfe9-8289-42c2-be65-d6291fd164cf&uuid=95fbc98a-3c27-44ae-84cf-9e3acc292491 HTTP/1.1Host: ps.pndsn.com
Source: global traffic HTTP traffic detected: GET /v2/presence/sub_key/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/channel/95fbc98a-3c27-44ae-84cf-9e3acc292491/heartbeat?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=d06e9be8-9779-43f1-a370-eed925135e8d&uuid=95fbc98a-3c27-44ae-84cf-9e3acc292491 HTTP/1.1Cache-Control: no-cachePragma: no-cacheContent-Type: application/jsonHost: ps.pndsn.com
Source: global traffic HTTP traffic detected: GET /time/0?pnsdk=NET45CSharp6.13.0.0&requestid=cc4be31c-7bd0-4546-8157-021785aaabf9&uuid=95fbc98a-3c27-44ae-84cf-9e3acc292491 HTTP/1.1Host: ps.pndsn.com
Source: global traffic HTTP traffic detected: GET /v2/presence/sub_key/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/channel/95fbc98a-3c27-44ae-84cf-9e3acc292491/heartbeat?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=e695b199-cbc9-44ed-b89a-77707fde66b0&uuid=95fbc98a-3c27-44ae-84cf-9e3acc292491 HTTP/1.1Cache-Control: no-cachePragma: no-cacheContent-Type: application/jsonHost: ps.pndsn.com
Source: global traffic HTTP traffic detected: GET /time/0?pnsdk=NET45CSharp6.13.0.0&requestid=7ad0a761-601d-4dfb-892a-87e5a80d8cfd&uuid=95fbc98a-3c27-44ae-84cf-9e3acc292491 HTTP/1.1Host: ps.pndsn.com
Source: global traffic HTTP traffic detected: GET /v2/presence/sub_key/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/channel/95fbc98a-3c27-44ae-84cf-9e3acc292491/leave?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=939e5a96-d596-4e59-936e-7ae5d28307cc&uuid=95fbc98a-3c27-44ae-84cf-9e3acc292491 HTTP/1.1Cache-Control: no-cachePragma: no-cacheContent-Type: application/jsonHost: ps.pndsn.com
Source: global traffic HTTP traffic detected: GET /v2/subscribe/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/95fbc98a-3c27-44ae-84cf-9e3acc292491/0?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=1c583dbc-af1e-4d45-80f1-003dabe8eea7&tt=0&uuid=95fbc98a-3c27-44ae-84cf-9e3acc292491 HTTP/1.1Cache-Control: no-cachePragma: no-cacheContent-Type: application/jsonHost: ps.pndsn.com
Source: global traffic HTTP traffic detected: GET /time/0?pnsdk=NET45CSharp6.13.0.0&requestid=e10b719b-981a-446e-ba23-7c69d7f94ded&uuid=95fbc98a-3c27-44ae-84cf-9e3acc292491 HTTP/1.1Host: ps.pndsn.com
Source: global traffic HTTP traffic detected: GET /v2/presence/sub_key/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/channel/95fbc98a-3c27-44ae-84cf-9e3acc292491/heartbeat?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=15951373-2c36-4fa8-affe-36f2ec07b81f&uuid=95fbc98a-3c27-44ae-84cf-9e3acc292491 HTTP/1.1Cache-Control: no-cachePragma: no-cacheContent-Type: application/jsonHost: ps.pndsn.com
Source: global traffic HTTP traffic detected: GET /v2/subscribe/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/95fbc98a-3c27-44ae-84cf-9e3acc292491/0?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=44d081ca-4526-4116-82b9-755899f28369&tt=0&uuid=95fbc98a-3c27-44ae-84cf-9e3acc292491 HTTP/1.1Cache-Control: no-cachePragma: no-cacheContent-Type: application/jsonHost: ps.pndsn.com
Source: global traffic HTTP traffic detected: GET /v2/presence/sub_key/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/channel/95fbc98a-3c27-44ae-84cf-9e3acc292491/leave?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=2a3f0c53-5de8-4152-9013-693952c09124&uuid=95fbc98a-3c27-44ae-84cf-9e3acc292491 HTTP/1.1Cache-Control: no-cachePragma: no-cacheContent-Type: application/jsonHost: ps.pndsn.com
Source: global traffic HTTP traffic detected: GET /time/0?pnsdk=NET45CSharp6.13.0.0&requestid=1ddb02cf-39da-4196-a130-53d484e9194d&uuid=95fbc98a-3c27-44ae-84cf-9e3acc292491 HTTP/1.1Host: ps.pndsn.com
Source: global traffic HTTP traffic detected: GET /v2/presence/sub_key/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/channel/95fbc98a-3c27-44ae-84cf-9e3acc292491/heartbeat?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=15a8e400-4d66-4396-85a9-a52c47560c82&uuid=95fbc98a-3c27-44ae-84cf-9e3acc292491 HTTP/1.1Cache-Control: no-cachePragma: no-cacheContent-Type: application/jsonHost: ps.pndsn.com
Source: global traffic HTTP traffic detected: GET /v2/presence/sub_key/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/channel/95fbc98a-3c27-44ae-84cf-9e3acc292491/leave?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=01eea71f-f36d-4bce-8cd1-fb9075d78180&uuid=95fbc98a-3c27-44ae-84cf-9e3acc292491 HTTP/1.1Cache-Control: no-cachePragma: no-cacheContent-Type: application/jsonHost: ps.pndsn.com
Source: global traffic HTTP traffic detected: GET /v2/subscribe/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/95fbc98a-3c27-44ae-84cf-9e3acc292491/0?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=b72bd97c-f6a1-480d-9594-461af2e421f4&tt=0&uuid=95fbc98a-3c27-44ae-84cf-9e3acc292491 HTTP/1.1Cache-Control: no-cachePragma: no-cacheContent-Type: application/jsonHost: ps.pndsn.com
Source: global traffic HTTP traffic detected: GET /time/0?pnsdk=NET45CSharp6.13.0.0&requestid=3f56d55c-6ba5-4af1-9be1-2dea66d5d0f7&uuid=95fbc98a-3c27-44ae-84cf-9e3acc292491 HTTP/1.1Host: ps.pndsn.com
Source: global traffic HTTP traffic detected: GET /v2/presence/sub_key/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/channel/95fbc98a-3c27-44ae-84cf-9e3acc292491/heartbeat?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=5fe5955e-4d52-4f15-a999-10b126f5fc74&uuid=95fbc98a-3c27-44ae-84cf-9e3acc292491 HTTP/1.1Cache-Control: no-cachePragma: no-cacheContent-Type: application/jsonHost: ps.pndsn.com
Source: global traffic HTTP traffic detected: GET /v2/subscribe/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/95fbc98a-3c27-44ae-84cf-9e3acc292491/0?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=b748dd63-e45c-4e56-a14e-2acb4546abf0&tr=31&tt=17324434315367656&uuid=95fbc98a-3c27-44ae-84cf-9e3acc292491 HTTP/1.1Cache-Control: no-cachePragma: no-cacheContent-Type: application/jsonHost: ps.pndsn.com
Source: global traffic HTTP traffic detected: GET /time/0?pnsdk=NET45CSharp6.13.0.0&requestid=b46022d7-cbaa-40b8-8c72-fd984bb21007&uuid=95fbc98a-3c27-44ae-84cf-9e3acc292491 HTTP/1.1Host: ps.pndsn.com
Source: global traffic HTTP traffic detected: GET /v2/subscribe/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/95fbc98a-3c27-44ae-84cf-9e3acc292491/0?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=b554e624-5e74-4caa-b7de-790b1533e993&tr=31&tt=17324434350865773&uuid=95fbc98a-3c27-44ae-84cf-9e3acc292491 HTTP/1.1Cache-Control: no-cachePragma: no-cacheContent-Type: application/jsonHost: ps.pndsn.com
Source: global traffic HTTP traffic detected: GET /time/0?pnsdk=NET45CSharp6.13.0.0&requestid=12ab6b1a-a82d-4206-b67b-cf0ecb23de70&uuid=95fbc98a-3c27-44ae-84cf-9e3acc292491 HTTP/1.1Host: ps.pndsn.com
Source: global traffic HTTP traffic detected: GET /v2/presence/sub_key/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/channel/95fbc98a-3c27-44ae-84cf-9e3acc292491/heartbeat?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=e3aa32f8-3a58-4ef4-b289-b05205d0c00e&uuid=95fbc98a-3c27-44ae-84cf-9e3acc292491 HTTP/1.1Cache-Control: no-cachePragma: no-cacheContent-Type: application/jsonHost: ps.pndsn.com
Source: global traffic HTTP traffic detected: GET /time/0?pnsdk=NET45CSharp6.13.0.0&requestid=bc070723-3cfb-4171-b999-27f32c59f0dd&uuid=95fbc98a-3c27-44ae-84cf-9e3acc292491 HTTP/1.1Host: ps.pndsn.com
Source: global traffic HTTP traffic detected: GET /v2/presence/sub_key/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/channel/95fbc98a-3c27-44ae-84cf-9e3acc292491/leave?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=6d5cfce1-b215-4be8-a3eb-65f371d376ce&uuid=95fbc98a-3c27-44ae-84cf-9e3acc292491 HTTP/1.1Cache-Control: no-cachePragma: no-cacheContent-Type: application/jsonHost: ps.pndsn.com
Source: global traffic HTTP traffic detected: GET /v2/presence/sub_key/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/channel/95fbc98a-3c27-44ae-84cf-9e3acc292491/heartbeat?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=b59d65c0-c360-410b-969c-bbedbf0ff1c9&uuid=95fbc98a-3c27-44ae-84cf-9e3acc292491 HTTP/1.1Cache-Control: no-cachePragma: no-cacheContent-Type: application/jsonHost: ps.pndsn.com
Source: global traffic HTTP traffic detected: GET /time/0?pnsdk=NET45CSharp6.13.0.0&requestid=9ead68d6-bdd5-4770-a068-8d3fb261cd22&uuid=95fbc98a-3c27-44ae-84cf-9e3acc292491 HTTP/1.1Host: ps.pndsn.com
Source: global traffic HTTP traffic detected: GET /time/0?pnsdk=NET45CSharp6.13.0.0&requestid=8dec4445-c0f5-4b3e-90c5-b0e958ca91da&uuid=95fbc98a-3c27-44ae-84cf-9e3acc292491 HTTP/1.1Host: ps.pndsn.com
Source: global traffic HTTP traffic detected: GET /v2/subscribe/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/95fbc98a-3c27-44ae-84cf-9e3acc292491/0?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=57719228-a14b-4385-bc90-4fb880778c52&tt=0&uuid=95fbc98a-3c27-44ae-84cf-9e3acc292491 HTTP/1.1Cache-Control: no-cachePragma: no-cacheContent-Type: application/jsonHost: ps.pndsn.com
Source: global traffic HTTP traffic detected: GET /v2/subscribe/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/95fbc98a-3c27-44ae-84cf-9e3acc292491/0?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=92f4880d-dc2f-4ace-a46f-d9a0bf4fb400&tr=33&tt=17324434578282801&uuid=95fbc98a-3c27-44ae-84cf-9e3acc292491 HTTP/1.1Cache-Control: no-cachePragma: no-cacheContent-Type: application/jsonHost: ps.pndsn.com
Source: global traffic HTTP traffic detected: GET /time/0?pnsdk=NET45CSharp6.13.0.0&requestid=ec561522-6fb6-4012-8b4a-f77b6640fc9d&uuid=95fbc98a-3c27-44ae-84cf-9e3acc292491 HTTP/1.1Host: ps.pndsn.com
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Suricata IDS alerts with low severity for network traffic
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:49797 -> 13.232.67.198:443
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:49906 -> 13.232.67.198:443
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:49985 -> 13.232.67.198:443
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:49963 -> 13.232.67.198:443
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:49949 -> 13.232.67.198:443
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:50006 -> 13.232.67.198:443
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:50035 -> 13.232.67.198:443
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:50063 -> 13.232.67.198:443
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:50107 -> 13.232.67.198:443
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:50088 -> 13.232.67.198:443
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:50097 -> 13.232.67.198:443
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:50339 -> 13.232.67.199:443
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:50343 -> 13.232.67.199:443
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:50349 -> 13.232.67.199:443
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic HTTP traffic detected: GET /time/0?pnsdk=NET45CSharp6.13.0.0&requestid=af5bf701-7249-45e5-86be-19d8d9c83003&uuid=95fbc98a-3c27-44ae-84cf-9e3acc292491 HTTP/1.1Host: ps.pndsn.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /v2/subscribe/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/95fbc98a-3c27-44ae-84cf-9e3acc292491/0?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=2437e5c2-c49a-46e7-85a0-5bd5b0f3e346&tt=0&uuid=95fbc98a-3c27-44ae-84cf-9e3acc292491 HTTP/1.1Cache-Control: no-cachePragma: no-cacheContent-Type: application/jsonHost: ps.pndsn.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /time/0?pnsdk=NET45CSharp6.13.0.0&requestid=bf7ca070-0a55-4d8e-8d7a-52b5cb49f44c&uuid=95fbc98a-3c27-44ae-84cf-9e3acc292491 HTTP/1.1Host: ps.pndsn.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /v2/subscribe/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/95fbc98a-3c27-44ae-84cf-9e3acc292491/0?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=5acd82f0-57ae-41e0-85e3-b5cb80ee27df&tr=31&tt=17324433379477685&uuid=95fbc98a-3c27-44ae-84cf-9e3acc292491 HTTP/1.1Cache-Control: no-cachePragma: no-cacheContent-Type: application/jsonHost: ps.pndsn.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /agentpackagesnet45/AgentPackageAgentInformation/38.0/AgentPackageAgentInformation.zip?w8Q4MxnxsTU+y3lbIKhb1p3E6E9NGNGr43vM7ggjDRD5G9cDVa0pn3fF3kInqamc HTTP/1.1Host: ps.atera.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /time/0?pnsdk=NET45CSharp6.13.0.0&requestid=dd31cbca-11f7-438d-95d1-0103076c3b19&uuid=95fbc98a-3c27-44ae-84cf-9e3acc292491 HTTP/1.1Host: ps.pndsn.com
Source: global traffic HTTP traffic detected: GET /v2/subscribe/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/95fbc98a-3c27-44ae-84cf-9e3acc292491/0?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=8a545e8a-5ca3-4586-95ee-223486bad101&tr=31&tt=17324433411580562&uuid=95fbc98a-3c27-44ae-84cf-9e3acc292491 HTTP/1.1Cache-Control: no-cachePragma: no-cacheContent-Type: application/jsonHost: ps.pndsn.com
Source: global traffic HTTP traffic detected: GET /time/0?pnsdk=NET45CSharp6.13.0.0&requestid=a550ee73-b0e6-4203-86b7-33ebef664c1d&uuid=95fbc98a-3c27-44ae-84cf-9e3acc292491 HTTP/1.1Host: ps.pndsn.com
Source: global traffic HTTP traffic detected: GET /v2/presence/sub_key/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/channel/95fbc98a-3c27-44ae-84cf-9e3acc292491/heartbeat?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=3dabc9ca-50ca-4769-82eb-40791913b06c&uuid=95fbc98a-3c27-44ae-84cf-9e3acc292491 HTTP/1.1Cache-Control: no-cachePragma: no-cacheContent-Type: application/jsonHost: ps.pndsn.com
Source: global traffic HTTP traffic detected: GET /v2/presence/sub_key/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/channel/,/leave?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=82fdf8d4-8981-41b8-81dd-da3d6c848351&uuid=95fbc98a-3c27-44ae-84cf-9e3acc292491 HTTP/1.1Cache-Control: no-cachePragma: no-cacheContent-Type: application/jsonHost: ps.pndsn.com
Source: global traffic HTTP traffic detected: GET /time/0?pnsdk=NET45CSharp6.13.0.0&requestid=aa11bfe9-8289-42c2-be65-d6291fd164cf&uuid=95fbc98a-3c27-44ae-84cf-9e3acc292491 HTTP/1.1Host: ps.pndsn.com
Source: global traffic HTTP traffic detected: GET /v2/presence/sub_key/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/channel/95fbc98a-3c27-44ae-84cf-9e3acc292491/heartbeat?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=d06e9be8-9779-43f1-a370-eed925135e8d&uuid=95fbc98a-3c27-44ae-84cf-9e3acc292491 HTTP/1.1Cache-Control: no-cachePragma: no-cacheContent-Type: application/jsonHost: ps.pndsn.com
Source: global traffic HTTP traffic detected: GET /time/0?pnsdk=NET45CSharp6.13.0.0&requestid=cc4be31c-7bd0-4546-8157-021785aaabf9&uuid=95fbc98a-3c27-44ae-84cf-9e3acc292491 HTTP/1.1Host: ps.pndsn.com
Source: global traffic HTTP traffic detected: GET /v2/presence/sub_key/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/channel/95fbc98a-3c27-44ae-84cf-9e3acc292491/heartbeat?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=e695b199-cbc9-44ed-b89a-77707fde66b0&uuid=95fbc98a-3c27-44ae-84cf-9e3acc292491 HTTP/1.1Cache-Control: no-cachePragma: no-cacheContent-Type: application/jsonHost: ps.pndsn.com
Source: global traffic HTTP traffic detected: GET /time/0?pnsdk=NET45CSharp6.13.0.0&requestid=7ad0a761-601d-4dfb-892a-87e5a80d8cfd&uuid=95fbc98a-3c27-44ae-84cf-9e3acc292491 HTTP/1.1Host: ps.pndsn.com
Source: global traffic HTTP traffic detected: GET /v2/presence/sub_key/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/channel/95fbc98a-3c27-44ae-84cf-9e3acc292491/leave?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=939e5a96-d596-4e59-936e-7ae5d28307cc&uuid=95fbc98a-3c27-44ae-84cf-9e3acc292491 HTTP/1.1Cache-Control: no-cachePragma: no-cacheContent-Type: application/jsonHost: ps.pndsn.com
Source: global traffic HTTP traffic detected: GET /v2/subscribe/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/95fbc98a-3c27-44ae-84cf-9e3acc292491/0?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=1c583dbc-af1e-4d45-80f1-003dabe8eea7&tt=0&uuid=95fbc98a-3c27-44ae-84cf-9e3acc292491 HTTP/1.1Cache-Control: no-cachePragma: no-cacheContent-Type: application/jsonHost: ps.pndsn.com
Source: global traffic HTTP traffic detected: GET /time/0?pnsdk=NET45CSharp6.13.0.0&requestid=e10b719b-981a-446e-ba23-7c69d7f94ded&uuid=95fbc98a-3c27-44ae-84cf-9e3acc292491 HTTP/1.1Host: ps.pndsn.com
Source: global traffic HTTP traffic detected: GET /v2/presence/sub_key/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/channel/95fbc98a-3c27-44ae-84cf-9e3acc292491/heartbeat?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=15951373-2c36-4fa8-affe-36f2ec07b81f&uuid=95fbc98a-3c27-44ae-84cf-9e3acc292491 HTTP/1.1Cache-Control: no-cachePragma: no-cacheContent-Type: application/jsonHost: ps.pndsn.com
Source: global traffic HTTP traffic detected: GET /v2/subscribe/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/95fbc98a-3c27-44ae-84cf-9e3acc292491/0?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=44d081ca-4526-4116-82b9-755899f28369&tt=0&uuid=95fbc98a-3c27-44ae-84cf-9e3acc292491 HTTP/1.1Cache-Control: no-cachePragma: no-cacheContent-Type: application/jsonHost: ps.pndsn.com
Source: global traffic HTTP traffic detected: GET /v2/presence/sub_key/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/channel/95fbc98a-3c27-44ae-84cf-9e3acc292491/leave?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=2a3f0c53-5de8-4152-9013-693952c09124&uuid=95fbc98a-3c27-44ae-84cf-9e3acc292491 HTTP/1.1Cache-Control: no-cachePragma: no-cacheContent-Type: application/jsonHost: ps.pndsn.com
Source: global traffic HTTP traffic detected: GET /time/0?pnsdk=NET45CSharp6.13.0.0&requestid=1ddb02cf-39da-4196-a130-53d484e9194d&uuid=95fbc98a-3c27-44ae-84cf-9e3acc292491 HTTP/1.1Host: ps.pndsn.com
Source: global traffic HTTP traffic detected: GET /v2/presence/sub_key/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/channel/95fbc98a-3c27-44ae-84cf-9e3acc292491/heartbeat?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=15a8e400-4d66-4396-85a9-a52c47560c82&uuid=95fbc98a-3c27-44ae-84cf-9e3acc292491 HTTP/1.1Cache-Control: no-cachePragma: no-cacheContent-Type: application/jsonHost: ps.pndsn.com
Source: global traffic HTTP traffic detected: GET /v2/presence/sub_key/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/channel/95fbc98a-3c27-44ae-84cf-9e3acc292491/leave?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=01eea71f-f36d-4bce-8cd1-fb9075d78180&uuid=95fbc98a-3c27-44ae-84cf-9e3acc292491 HTTP/1.1Cache-Control: no-cachePragma: no-cacheContent-Type: application/jsonHost: ps.pndsn.com
Source: global traffic HTTP traffic detected: GET /v2/subscribe/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/95fbc98a-3c27-44ae-84cf-9e3acc292491/0?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=b72bd97c-f6a1-480d-9594-461af2e421f4&tt=0&uuid=95fbc98a-3c27-44ae-84cf-9e3acc292491 HTTP/1.1Cache-Control: no-cachePragma: no-cacheContent-Type: application/jsonHost: ps.pndsn.com
Source: global traffic HTTP traffic detected: GET /time/0?pnsdk=NET45CSharp6.13.0.0&requestid=3f56d55c-6ba5-4af1-9be1-2dea66d5d0f7&uuid=95fbc98a-3c27-44ae-84cf-9e3acc292491 HTTP/1.1Host: ps.pndsn.com
Source: global traffic HTTP traffic detected: GET /v2/presence/sub_key/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/channel/95fbc98a-3c27-44ae-84cf-9e3acc292491/heartbeat?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=5fe5955e-4d52-4f15-a999-10b126f5fc74&uuid=95fbc98a-3c27-44ae-84cf-9e3acc292491 HTTP/1.1Cache-Control: no-cachePragma: no-cacheContent-Type: application/jsonHost: ps.pndsn.com
Source: global traffic HTTP traffic detected: GET /v2/subscribe/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/95fbc98a-3c27-44ae-84cf-9e3acc292491/0?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=b748dd63-e45c-4e56-a14e-2acb4546abf0&tr=31&tt=17324434315367656&uuid=95fbc98a-3c27-44ae-84cf-9e3acc292491 HTTP/1.1Cache-Control: no-cachePragma: no-cacheContent-Type: application/jsonHost: ps.pndsn.com
Source: global traffic HTTP traffic detected: GET /time/0?pnsdk=NET45CSharp6.13.0.0&requestid=b46022d7-cbaa-40b8-8c72-fd984bb21007&uuid=95fbc98a-3c27-44ae-84cf-9e3acc292491 HTTP/1.1Host: ps.pndsn.com
Source: global traffic HTTP traffic detected: GET /v2/subscribe/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/95fbc98a-3c27-44ae-84cf-9e3acc292491/0?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=b554e624-5e74-4caa-b7de-790b1533e993&tr=31&tt=17324434350865773&uuid=95fbc98a-3c27-44ae-84cf-9e3acc292491 HTTP/1.1Cache-Control: no-cachePragma: no-cacheContent-Type: application/jsonHost: ps.pndsn.com
Source: global traffic HTTP traffic detected: GET /time/0?pnsdk=NET45CSharp6.13.0.0&requestid=12ab6b1a-a82d-4206-b67b-cf0ecb23de70&uuid=95fbc98a-3c27-44ae-84cf-9e3acc292491 HTTP/1.1Host: ps.pndsn.com
Source: global traffic HTTP traffic detected: GET /v2/presence/sub_key/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/channel/95fbc98a-3c27-44ae-84cf-9e3acc292491/heartbeat?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=e3aa32f8-3a58-4ef4-b289-b05205d0c00e&uuid=95fbc98a-3c27-44ae-84cf-9e3acc292491 HTTP/1.1Cache-Control: no-cachePragma: no-cacheContent-Type: application/jsonHost: ps.pndsn.com
Source: global traffic HTTP traffic detected: GET /time/0?pnsdk=NET45CSharp6.13.0.0&requestid=bc070723-3cfb-4171-b999-27f32c59f0dd&uuid=95fbc98a-3c27-44ae-84cf-9e3acc292491 HTTP/1.1Host: ps.pndsn.com
Source: global traffic HTTP traffic detected: GET /v2/presence/sub_key/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/channel/95fbc98a-3c27-44ae-84cf-9e3acc292491/leave?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=6d5cfce1-b215-4be8-a3eb-65f371d376ce&uuid=95fbc98a-3c27-44ae-84cf-9e3acc292491 HTTP/1.1Cache-Control: no-cachePragma: no-cacheContent-Type: application/jsonHost: ps.pndsn.com
Source: global traffic HTTP traffic detected: GET /v2/presence/sub_key/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/channel/95fbc98a-3c27-44ae-84cf-9e3acc292491/heartbeat?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=b59d65c0-c360-410b-969c-bbedbf0ff1c9&uuid=95fbc98a-3c27-44ae-84cf-9e3acc292491 HTTP/1.1Cache-Control: no-cachePragma: no-cacheContent-Type: application/jsonHost: ps.pndsn.com
Source: global traffic HTTP traffic detected: GET /time/0?pnsdk=NET45CSharp6.13.0.0&requestid=9ead68d6-bdd5-4770-a068-8d3fb261cd22&uuid=95fbc98a-3c27-44ae-84cf-9e3acc292491 HTTP/1.1Host: ps.pndsn.com
Source: global traffic HTTP traffic detected: GET /time/0?pnsdk=NET45CSharp6.13.0.0&requestid=8dec4445-c0f5-4b3e-90c5-b0e958ca91da&uuid=95fbc98a-3c27-44ae-84cf-9e3acc292491 HTTP/1.1Host: ps.pndsn.com
Source: global traffic HTTP traffic detected: GET /v2/subscribe/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/95fbc98a-3c27-44ae-84cf-9e3acc292491/0?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=57719228-a14b-4385-bc90-4fb880778c52&tt=0&uuid=95fbc98a-3c27-44ae-84cf-9e3acc292491 HTTP/1.1Cache-Control: no-cachePragma: no-cacheContent-Type: application/jsonHost: ps.pndsn.com
Source: global traffic HTTP traffic detected: GET /v2/subscribe/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/95fbc98a-3c27-44ae-84cf-9e3acc292491/0?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=92f4880d-dc2f-4ace-a46f-d9a0bf4fb400&tr=33&tt=17324434578282801&uuid=95fbc98a-3c27-44ae-84cf-9e3acc292491 HTTP/1.1Cache-Control: no-cachePragma: no-cacheContent-Type: application/jsonHost: ps.pndsn.com
Source: global traffic HTTP traffic detected: GET /time/0?pnsdk=NET45CSharp6.13.0.0&requestid=ec561522-6fb6-4012-8b4a-f77b6640fc9d&uuid=95fbc98a-3c27-44ae-84cf-9e3acc292491 HTTP/1.1Host: ps.pndsn.com
Source: global traffic DNS traffic detected: DNS query: agent-api.atera.com
Source: global traffic DNS traffic detected: DNS query: ps.pndsn.com
Source: global traffic DNS traffic detected: DNS query: ps.atera.com
Source: AteraAgent.exe, 0000000D.00000000.2366604814.000001D0B8FF2000.00000002.00000001.01000000.0000000F.sdmp, AteraAgent.exe, 0000000F.00000002.4739839137.0000025E00001000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe.2.dr String found in binary or memory: http://acontrol.atera.com/
Source: rundll32.exe, 00000005.00000002.2341611865.0000000004805000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.4739839137.0000025E004E4000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.4739839137.0000025E00566000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.4739839137.0000025E00560000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.4739839137.0000025E007DF000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.4739839137.0000025E004C0000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000012.00000002.2483405814.0000000004AF5000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000014.00000002.2619394288.000001FE4935F000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000016.00000002.2621291158.000002A8667BF000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000018.00000002.3592707390.00000140BFC9F000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000001A.00000002.3789368598.000001AD0012F000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000001C.00000002.3980162683.000001BB8194F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://agent-api.atera.com
Source: rundll32.exe, 00000005.00000002.2341611865.0000000004805000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.4739839137.0000025E00560000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.4739839137.0000025E007DF000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.4739839137.0000025E004C0000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000012.00000002.2483405814.0000000004AF5000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000014.00000002.2619394288.000001FE4935F000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000016.00000002.2621291158.000002A8667BF000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000018.00000002.3592707390.00000140BFC9F000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000001A.00000002.3789368598.000001AD0012F000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000001C.00000002.3980162683.000001BB8194F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://atera-agent-api-eu.westeurope.cloudapp.azure.com
Source: rundll32.exe, 00000004.00000003.2279701962.0000000004C33000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2291421210.0000000004431000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2350193018.0000000004BC0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2427395376.000000000472D000.00000004.00000020.00020000.00000000.sdmp, registration.msi, MSIE596.tmp.2.dr, Microsoft.Deployment.WindowsInstaller.dll.4.dr, Microsoft.Deployment.WindowsInstaller.dll.6.dr, 41c382.msi.2.dr, MSIE6C0.tmp.2.dr, Microsoft.Deployment.WindowsInstaller.dll.18.dr, MSIE49B.tmp.2.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: rundll32.exe, 00000004.00000003.2279701962.0000000004C33000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2291421210.0000000004431000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2350193018.0000000004BC0000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.4753004046.0000025E6EF5B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2427395376.000000000472D000.00000004.00000020.00020000.00000000.sdmp, registration.msi, System.ValueTuple.dll.2.dr, Pubnub.dll.2.dr, ICSharpCode.SharpZipLib.dll.2.dr, Newtonsoft.Json.dll.6.dr, Newtonsoft.Json.dll.4.dr, Newtonsoft.Json.dll.2.dr, 41c382.msi.2.dr, AgentPackageAgentInformation.exe.15.dr, Newtonsoft.Json.dll.5.dr, Atera.AgentPackage.Common.dll.15.dr, Newtonsoft.Json.dll.15.dr, Newtonsoft.Json.dll.18.dr, AteraAgent.exe.2.dr, BouncyCastle.Crypto.dll.2.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: rundll32.exe, 00000004.00000003.2279701962.0000000004C33000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2291421210.0000000004431000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2350193018.0000000004BC0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2427395376.000000000472D000.00000004.00000020.00020000.00000000.sdmp, Newtonsoft.Json.dll.6.dr, Newtonsoft.Json.dll.4.dr, Newtonsoft.Json.dll.5.dr, Newtonsoft.Json.dll.18.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertCSRSA4096RootG5.crt0E
Source: rundll32.exe, 00000004.00000003.2279701962.0000000004C33000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2291421210.0000000004431000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2350193018.0000000004BC0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2427395376.000000000472D000.00000004.00000020.00020000.00000000.sdmp, registration.msi, MSIE596.tmp.2.dr, Microsoft.Deployment.WindowsInstaller.dll.4.dr, Microsoft.Deployment.WindowsInstaller.dll.6.dr, 41c382.msi.2.dr, MSIE6C0.tmp.2.dr, Microsoft.Deployment.WindowsInstaller.dll.18.dr, MSIE49B.tmp.2.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: C56C4404C4DEF0DC88E5FCD9F09CB2F10.15.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt
Source: AteraAgent.exe, 0000000D.00000002.2420125262.000001D0BAE1A000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2421031200.000001D0D3456000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2422257360.000001D0D373C000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.4751349828.0000025E6EDF8000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.4751349828.0000025E6EE89000.00000004.00000020.00020000.00000000.sdmp, registration.msi, System.ValueTuple.dll.2.dr, Pubnub.dll.2.dr, ICSharpCode.SharpZipLib.dll.2.dr, Newtonsoft.Json.dll.2.dr, 41c382.msi.2.dr, AgentPackageAgentInformation.exe.15.dr, Atera.AgentPackage.Common.dll.15.dr, Newtonsoft.Json.dll.15.dr, AteraAgent.exe.2.dr, BouncyCastle.Crypto.dll.2.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: rundll32.exe, 00000004.00000003.2279701962.0000000004C33000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2291421210.0000000004431000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2350193018.0000000004BC0000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2421031200.000001D0D3456000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.4753708723.0000025E6F29D000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.4751349828.0000025E6EE89000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2427395376.000000000472D000.00000004.00000020.00020000.00000000.sdmp, registration.msi, System.ValueTuple.dll.2.dr, Pubnub.dll.2.dr, ICSharpCode.SharpZipLib.dll.2.dr, Newtonsoft.Json.dll.6.dr, Newtonsoft.Json.dll.4.dr, Newtonsoft.Json.dll.2.dr, 41c382.msi.2.dr, AgentPackageAgentInformation.exe.15.dr, Newtonsoft.Json.dll.5.dr, Atera.AgentPackage.Common.dll.15.dr, Newtonsoft.Json.dll.15.dr, Newtonsoft.Json.dll.18.dr, AteraAgent.exe.2.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: F2E248BEDDBB2D85122423C41028BFD40.15.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt
Source: rundll32.exe, 00000004.00000003.2279701962.0000000004C33000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2291421210.0000000004431000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2350193018.0000000004BC0000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.4751349828.0000025E6EDF8000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.4751349828.0000025E6EE89000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.4749463408.0000025E6E9D0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2427395376.000000000472D000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000014.00000002.2621254823.000001FE61B27000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000014.00000002.2621254823.000001FE61B4C000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000016.00000002.2622805844.000002A87EDD1000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000016.00000002.2622805844.000002A87EDFF000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000018.00000002.3594676715.00000140D832A000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000001A.00000002.3794289217.000001AD7BE4F000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000001A.00000002.3794289217.000001AD7BE21000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000001C.00000002.3989509307.000001BB9A1E8000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000001C.00000002.3989509307.000001BB9A1B9000.00000004.00000020.00020000.00000000.sdmp, registration.msi, C56C4404C4DEF0DC88E5FCD9F09CB2F1.15.dr, System.ValueTuple.dll.2.dr, Pubnub.dll.2.dr, ICSharpCode.SharpZipLib.dll.2.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: rundll32.exe, 00000004.00000003.2279701962.0000000004C33000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2291421210.0000000004431000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2350193018.0000000004BC0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2427395376.000000000472D000.00000004.00000020.00020000.00000000.sdmp, registration.msi, MSIE596.tmp.2.dr, Microsoft.Deployment.WindowsInstaller.dll.4.dr, Microsoft.Deployment.WindowsInstaller.dll.6.dr, 41c382.msi.2.dr, MSIE6C0.tmp.2.dr, Microsoft.Deployment.WindowsInstaller.dll.18.dr, MSIE49B.tmp.2.dr String found in binary or memory: http://cacerts.digicert.com/NETFoundationProjectsCodeSigningCA.crt0
Source: rundll32.exe, 00000004.00000003.2279701962.0000000004C33000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2291421210.0000000004431000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2350193018.0000000004BC0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2427395376.000000000472D000.00000004.00000020.00020000.00000000.sdmp, Newtonsoft.Json.dll.6.dr, Newtonsoft.Json.dll.4.dr, Newtonsoft.Json.dll.5.dr, Newtonsoft.Json.dll.18.dr String found in binary or memory: http://cacerts.digicert.com/NETFoundationProjectsCodeSigningCA2.crt0
Source: AteraAgent.exe, 0000000F.00000002.4751349828.0000025E6EDF8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com:80/DigiCertTrustedRootG4.crtlLow
Source: rundll32.exe, 00000012.00000002.2484645083.0000000007330000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.m
Source: rundll32.exe, 00000004.00000003.2279701962.0000000004C33000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2291421210.0000000004431000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2350193018.0000000004BC0000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2421031200.000001D0D3456000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.4753004046.0000025E6EF5B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2427395376.000000000472D000.00000004.00000020.00020000.00000000.sdmp, registration.msi, System.ValueTuple.dll.2.dr, Pubnub.dll.2.dr, ICSharpCode.SharpZipLib.dll.2.dr, Newtonsoft.Json.dll.6.dr, Newtonsoft.Json.dll.4.dr, Newtonsoft.Json.dll.2.dr, 41c382.msi.2.dr, AgentPackageAgentInformation.exe.15.dr, Newtonsoft.Json.dll.5.dr, Atera.AgentPackage.Common.dll.15.dr, Newtonsoft.Json.dll.15.dr, Newtonsoft.Json.dll.18.dr, AteraAgent.exe.2.dr, BouncyCastle.Crypto.dll.2.dr String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: rundll32.exe, 00000004.00000003.2279701962.0000000004C33000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2291421210.0000000004431000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2350193018.0000000004BC0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2427395376.000000000472D000.00000004.00000020.00020000.00000000.sdmp, registration.msi, MSIE596.tmp.2.dr, Microsoft.Deployment.WindowsInstaller.dll.4.dr, Microsoft.Deployment.WindowsInstaller.dll.6.dr, 41c382.msi.2.dr, MSIE6C0.tmp.2.dr, Microsoft.Deployment.WindowsInstaller.dll.18.dr, MSIE49B.tmp.2.dr String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: rundll32.exe, 00000004.00000003.2279701962.0000000004C33000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2291421210.0000000004431000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2350193018.0000000004BC0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2427395376.000000000472D000.00000004.00000020.00020000.00000000.sdmp, Newtonsoft.Json.dll.6.dr, Newtonsoft.Json.dll.4.dr, Newtonsoft.Json.dll.5.dr, Newtonsoft.Json.dll.18.dr String found in binary or memory: http://crl3.digicert.com/DigiCertCSRSA4096RootG5.crl0
Source: rundll32.exe, 00000004.00000003.2279701962.0000000004C33000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2291421210.0000000004431000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2350193018.0000000004BC0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2427395376.000000000472D000.00000004.00000020.00020000.00000000.sdmp, registration.msi, MSIE596.tmp.2.dr, Microsoft.Deployment.WindowsInstaller.dll.4.dr, Microsoft.Deployment.WindowsInstaller.dll.6.dr, 41c382.msi.2.dr, MSIE6C0.tmp.2.dr, Microsoft.Deployment.WindowsInstaller.dll.18.dr, MSIE49B.tmp.2.dr String found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0=
Source: AteraAgent.exe, 0000000F.00000002.4747454234.0000025E6D8EA000.00000004.00000020.00020000.00000000.sdmp, 1A374813EDB1A6631387E414D3E732320.15.dr String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl
Source: AteraAgent.exe, 0000000D.00000002.2420125262.000001D0BAE1A000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2421031200.000001D0D3456000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2422257360.000001D0D373C000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.4751349828.0000025E6EDF8000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.4751349828.0000025E6EE89000.00000004.00000020.00020000.00000000.sdmp, registration.msi, System.ValueTuple.dll.2.dr, Pubnub.dll.2.dr, ICSharpCode.SharpZipLib.dll.2.dr, Newtonsoft.Json.dll.2.dr, 41c382.msi.2.dr, AgentPackageAgentInformation.exe.15.dr, Atera.AgentPackage.Common.dll.15.dr, Newtonsoft.Json.dll.15.dr, AteraAgent.exe.2.dr, BouncyCastle.Crypto.dll.2.dr String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: AteraAgent.exe, 0000000D.00000002.2421295890.000001D0D34CD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crlc
Source: AteraAgent.exe, 0000000D.00000002.2421031200.000001D0D3456000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crlt
Source: rundll32.exe, 00000004.00000003.2279701962.0000000004C33000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2291421210.0000000004431000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2350193018.0000000004BC0000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2421031200.000001D0D3456000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.4753708723.0000025E6F29D000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.4751349828.0000025E6EE89000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2427395376.000000000472D000.00000004.00000020.00020000.00000000.sdmp, registration.msi, System.ValueTuple.dll.2.dr, Pubnub.dll.2.dr, ICSharpCode.SharpZipLib.dll.2.dr, Newtonsoft.Json.dll.6.dr, Newtonsoft.Json.dll.4.dr, Newtonsoft.Json.dll.2.dr, 41c382.msi.2.dr, AgentPackageAgentInformation.exe.15.dr, Newtonsoft.Json.dll.5.dr, Atera.AgentPackage.Common.dll.15.dr, Newtonsoft.Json.dll.15.dr, Newtonsoft.Json.dll.18.dr, AteraAgent.exe.2.dr String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: AteraAgent.exe, 0000000D.00000002.2420980464.000001D0D3420000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl
Source: BouncyCastle.Crypto.dll.2.dr String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: AteraAgent.exe, 0000000F.00000002.4749463408.0000025E6EA16000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crlC
Source: AteraAgent.exe, 0000000F.00000002.4749463408.0000025E6EA16000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crlL
Source: AteraAgent.exe, 0000000D.00000002.2420980464.000001D0D3420000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crld
Source: rundll32.exe, 00000004.00000003.2279701962.0000000004C33000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2291421210.0000000004431000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2350193018.0000000004BC0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2427395376.000000000472D000.00000004.00000020.00020000.00000000.sdmp, registration.msi, MSIE596.tmp.2.dr, Microsoft.Deployment.WindowsInstaller.dll.4.dr, Microsoft.Deployment.WindowsInstaller.dll.6.dr, 41c382.msi.2.dr, MSIE6C0.tmp.2.dr, Microsoft.Deployment.WindowsInstaller.dll.18.dr, MSIE49B.tmp.2.dr String found in binary or memory: http://crl3.digicert.com/NETFoundationProjectsCodeSigningCA.crl0E
Source: rundll32.exe, 00000004.00000003.2279701962.0000000004C33000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2291421210.0000000004431000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2350193018.0000000004BC0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2427395376.000000000472D000.00000004.00000020.00020000.00000000.sdmp, Newtonsoft.Json.dll.6.dr, Newtonsoft.Json.dll.4.dr, Newtonsoft.Json.dll.5.dr, Newtonsoft.Json.dll.18.dr String found in binary or memory: http://crl3.digicert.com/NETFoundationProjectsCodeSigningCA2.crl0F
Source: rundll32.exe, 00000004.00000003.2279701962.0000000004C33000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2291421210.0000000004431000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2350193018.0000000004BC0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2427395376.000000000472D000.00000004.00000020.00020000.00000000.sdmp, registration.msi, MSIE596.tmp.2.dr, Microsoft.Deployment.WindowsInstaller.dll.4.dr, Microsoft.Deployment.WindowsInstaller.dll.6.dr, 41c382.msi.2.dr, MSIE6C0.tmp.2.dr, Microsoft.Deployment.WindowsInstaller.dll.18.dr, MSIE49B.tmp.2.dr String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: AteraAgent.exe, 0000000D.00000002.2421295890.000001D0D34CD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/teDe
Source: AteraAgent.exe, 0000000D.00000002.2421644078.000001D0D3508000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com:80/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl
Source: AteraAgent.exe, 0000000D.00000002.2421295890.000001D0D34CD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/
Source: rundll32.exe, 00000004.00000003.2279701962.0000000004C33000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2291421210.0000000004431000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2350193018.0000000004BC0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2427395376.000000000472D000.00000004.00000020.00020000.00000000.sdmp, registration.msi, MSIE596.tmp.2.dr, Microsoft.Deployment.WindowsInstaller.dll.4.dr, Microsoft.Deployment.WindowsInstaller.dll.6.dr, 41c382.msi.2.dr, MSIE6C0.tmp.2.dr, Microsoft.Deployment.WindowsInstaller.dll.18.dr, MSIE49B.tmp.2.dr String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: AteraAgent.exe, 0000000D.00000002.2421644078.000001D0D3508000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.4749463408.0000025E6EA16000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.4747454234.0000025E6D8EA000.00000004.00000020.00020000.00000000.sdmp, 329B6147266C1E26CD774EA22B79EC2E0.15.dr String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl
Source: AteraAgent.exe, 0000000D.00000002.2420125262.000001D0BAE1A000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2421031200.000001D0D3456000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2422257360.000001D0D373C000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.4751349828.0000025E6EDF8000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.4751349828.0000025E6EE89000.00000004.00000020.00020000.00000000.sdmp, registration.msi, System.ValueTuple.dll.2.dr, Pubnub.dll.2.dr, ICSharpCode.SharpZipLib.dll.2.dr, Newtonsoft.Json.dll.2.dr, 41c382.msi.2.dr, AgentPackageAgentInformation.exe.15.dr, Atera.AgentPackage.Common.dll.15.dr, Newtonsoft.Json.dll.15.dr, AteraAgent.exe.2.dr, BouncyCastle.Crypto.dll.2.dr String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: AteraAgent.exe, 0000000D.00000002.2419340480.000001D0B92EA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl7
Source: AteraAgent.exe, 0000000D.00000002.2421031200.000001D0D3456000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl:
Source: AteraAgent.exe, 0000000D.00000002.2421644078.000001D0D3508000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crlE
Source: AteraAgent.exe, 0000000D.00000002.2421644078.000001D0D3508000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crlu
Source: rundll32.exe, 00000004.00000003.2279701962.0000000004C33000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2291421210.0000000004431000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2350193018.0000000004BC0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2427395376.000000000472D000.00000004.00000020.00020000.00000000.sdmp, registration.msi, MSIE596.tmp.2.dr, Microsoft.Deployment.WindowsInstaller.dll.4.dr, Microsoft.Deployment.WindowsInstaller.dll.6.dr, 41c382.msi.2.dr, MSIE6C0.tmp.2.dr, Microsoft.Deployment.WindowsInstaller.dll.18.dr, MSIE49B.tmp.2.dr String found in binary or memory: http://crl4.digicert.com/NETFoundationProjectsCodeSigningCA.crl0L
Source: rundll32.exe, 00000004.00000003.2279701962.0000000004C33000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2291421210.0000000004431000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2350193018.0000000004BC0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2427395376.000000000472D000.00000004.00000020.00020000.00000000.sdmp, Newtonsoft.Json.dll.6.dr, Newtonsoft.Json.dll.4.dr, Newtonsoft.Json.dll.5.dr, Newtonsoft.Json.dll.18.dr String found in binary or memory: http://crl4.digicert.com/NETFoundationProjectsCodeSigningCA2.crl0=
Source: rundll32.exe, 00000004.00000003.2279701962.0000000004C33000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2291421210.0000000004431000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2350193018.0000000004BC0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2427395376.000000000472D000.00000004.00000020.00020000.00000000.sdmp, registration.msi, MSIE596.tmp.2.dr, Microsoft.Deployment.WindowsInstaller.dll.4.dr, Microsoft.Deployment.WindowsInstaller.dll.6.dr, 41c382.msi.2.dr, MSIE6C0.tmp.2.dr, Microsoft.Deployment.WindowsInstaller.dll.18.dr, MSIE49B.tmp.2.dr String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: AteraAgent.exe, 0000000D.00000002.2421644078.000001D0D3508000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com:80/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crlB
Source: AteraAgent.exe, 0000000F.00000002.4751349828.0000025E6EDB0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cabomk#
Source: 57C8EDB95DF3F0AD4EE2DC2B8CFD4157.15.dr String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab
Source: AteraAgent.exe, 0000000F.00000002.4751349828.0000025E6EE6A000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000014.00000000.2580452917.000001FE48962000.00000002.00000001.01000000.00000016.sdmp, AgentPackageAgentInformation.exe.15.dr String found in binary or memory: http://dl.google.com/googletalk/googletalk-setup.exe
Source: Newtonsoft.Json.dll.18.dr String found in binary or memory: http://james.newtonking.com/projects/json
Source: rundll32.exe, 00000005.00000002.2347431568.0000000007022000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://microsoft.co
Source: AteraAgent.exe, 0000000F.00000002.4751349828.0000025E6EDF8000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.4753708723.0000025E6F2A7000.00000004.00000020.00020000.00000000.sdmp, 8EC9B1D0ABBD7F98B401D425828828CE_DEB07B5578A606ED6489DDA2E357A9440.13.dr String found in binary or memory: http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSRXerF0eFeSWRripTgTkcJWMm7iQQUaDfg67Y7%2BF8Rh
Source: 698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB0.13.dr String found in binary or memory: http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBT3xL4LQLXDRDM9P665TW442vrsUQQUReuir%2FSSy4IxL
Source: AteraAgent.exe, 0000000F.00000002.4753708723.0000025E6F2A7000.00000004.00000020.00020000.00000000.sdmp, C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F1410.13.dr String found in binary or memory: http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfIs%2BLjDtGwQ09XEB1Yeq%2BtX%2BBgQQU7NfjgtJxX
Source: AteraAgent.exe, 0000000D.00000002.2421295890.000001D0D34CD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com/lIDq
Source: AteraAgent.exe, 0000000D.00000002.2420125262.000001D0BAE1A000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2421031200.000001D0D3456000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2422257360.000001D0D373C000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.4751349828.0000025E6EDF8000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.4751349828.0000025E6EE89000.00000004.00000020.00020000.00000000.sdmp, registration.msi, System.ValueTuple.dll.2.dr, Pubnub.dll.2.dr, ICSharpCode.SharpZipLib.dll.2.dr, Newtonsoft.Json.dll.2.dr, 41c382.msi.2.dr, AgentPackageAgentInformation.exe.15.dr, Atera.AgentPackage.Common.dll.15.dr, Newtonsoft.Json.dll.15.dr, AteraAgent.exe.2.dr, BouncyCastle.Crypto.dll.2.dr String found in binary or memory: http://ocsp.digicert.com0
Source: rundll32.exe, 00000004.00000003.2279701962.0000000004C33000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2291421210.0000000004431000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2350193018.0000000004BC0000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.4751349828.0000025E6EDF8000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.4751349828.0000025E6EE89000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.4749463408.0000025E6E9D0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2427395376.000000000472D000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000014.00000002.2621254823.000001FE61B27000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000014.00000002.2621254823.000001FE61B4C000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000016.00000002.2622805844.000002A87EDD1000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000016.00000002.2622805844.000002A87EDFF000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000018.00000002.3594676715.00000140D832A000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000001A.00000002.3794289217.000001AD7BE4F000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000001A.00000002.3794289217.000001AD7BE21000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000001C.00000002.3989509307.000001BB9A1E8000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000001C.00000002.3989509307.000001BB9A1B9000.00000004.00000020.00020000.00000000.sdmp, registration.msi, C56C4404C4DEF0DC88E5FCD9F09CB2F1.15.dr, System.ValueTuple.dll.2.dr, Pubnub.dll.2.dr, ICSharpCode.SharpZipLib.dll.2.dr String found in binary or memory: http://ocsp.digicert.com0A
Source: rundll32.exe, 00000004.00000003.2279701962.0000000004C33000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2291421210.0000000004431000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2350193018.0000000004BC0000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.4753004046.0000025E6EF5B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2427395376.000000000472D000.00000004.00000020.00020000.00000000.sdmp, registration.msi, MSIE596.tmp.2.dr, Microsoft.Deployment.WindowsInstaller.dll.4.dr, System.ValueTuple.dll.2.dr, Pubnub.dll.2.dr, ICSharpCode.SharpZipLib.dll.2.dr, Newtonsoft.Json.dll.6.dr, Newtonsoft.Json.dll.4.dr, Newtonsoft.Json.dll.2.dr, Microsoft.Deployment.WindowsInstaller.dll.6.dr, 41c382.msi.2.dr, AgentPackageAgentInformation.exe.15.dr, Newtonsoft.Json.dll.5.dr, MSIE6C0.tmp.2.dr, Atera.AgentPackage.Common.dll.15.dr, Newtonsoft.Json.dll.15.dr String found in binary or memory: http://ocsp.digicert.com0C
Source: rundll32.exe, 00000004.00000003.2279701962.0000000004C33000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2291421210.0000000004431000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2350193018.0000000004BC0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2427395376.000000000472D000.00000004.00000020.00020000.00000000.sdmp, registration.msi, MSIE596.tmp.2.dr, Microsoft.Deployment.WindowsInstaller.dll.4.dr, Microsoft.Deployment.WindowsInstaller.dll.6.dr, 41c382.msi.2.dr, MSIE6C0.tmp.2.dr, Microsoft.Deployment.WindowsInstaller.dll.18.dr, MSIE49B.tmp.2.dr String found in binary or memory: http://ocsp.digicert.com0K
Source: rundll32.exe, 00000004.00000003.2279701962.0000000004C33000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2291421210.0000000004431000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2350193018.0000000004BC0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2427395376.000000000472D000.00000004.00000020.00020000.00000000.sdmp, registration.msi, MSIE596.tmp.2.dr, Microsoft.Deployment.WindowsInstaller.dll.4.dr, Microsoft.Deployment.WindowsInstaller.dll.6.dr, 41c382.msi.2.dr, MSIE6C0.tmp.2.dr, Microsoft.Deployment.WindowsInstaller.dll.18.dr, MSIE49B.tmp.2.dr String found in binary or memory: http://ocsp.digicert.com0N
Source: rundll32.exe, 00000004.00000003.2279701962.0000000004C33000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2291421210.0000000004431000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2350193018.0000000004BC0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2427395376.000000000472D000.00000004.00000020.00020000.00000000.sdmp, registration.msi, MSIE596.tmp.2.dr, Microsoft.Deployment.WindowsInstaller.dll.4.dr, Newtonsoft.Json.dll.6.dr, Newtonsoft.Json.dll.4.dr, Microsoft.Deployment.WindowsInstaller.dll.6.dr, 41c382.msi.2.dr, Newtonsoft.Json.dll.5.dr, MSIE6C0.tmp.2.dr, Microsoft.Deployment.WindowsInstaller.dll.18.dr, MSIE49B.tmp.2.dr, Newtonsoft.Json.dll.18.dr String found in binary or memory: http://ocsp.digicert.com0O
Source: rundll32.exe, 00000004.00000003.2279701962.0000000004C33000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2291421210.0000000004431000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2350193018.0000000004BC0000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2421031200.000001D0D3456000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.4753708723.0000025E6F29D000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.4751349828.0000025E6EE89000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2427395376.000000000472D000.00000004.00000020.00020000.00000000.sdmp, registration.msi, System.ValueTuple.dll.2.dr, Pubnub.dll.2.dr, ICSharpCode.SharpZipLib.dll.2.dr, Newtonsoft.Json.dll.6.dr, Newtonsoft.Json.dll.4.dr, Newtonsoft.Json.dll.2.dr, 41c382.msi.2.dr, AgentPackageAgentInformation.exe.15.dr, Newtonsoft.Json.dll.5.dr, Atera.AgentPackage.Common.dll.15.dr, Newtonsoft.Json.dll.15.dr, Newtonsoft.Json.dll.18.dr, AteraAgent.exe.2.dr String found in binary or memory: http://ocsp.digicert.com0X
Source: AteraAgent.exe, 0000000D.00000002.2422257360.000001D0D3724000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com1.3.6.1.5.5.7.48.2http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRS
Source: AteraAgent.exe, 0000000D.00000002.2421295890.000001D0D34CD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com:80/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSRXerF0eFeSWRripTgTkcJWMm7iQQUaDfg67Y7%2BF
Source: AteraAgent.exe, 0000000D.00000002.2421031200.000001D0D348E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/DigiCertAssuredIDRootCA.crl
Source: AteraAgent.exe, 0000000D.00000002.2421031200.000001D0D348E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/DigiCertTrustedRootG4.crl
Source: AteraAgent.exe, 0000000F.00000002.4739839137.0000025E00434000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.4739839137.0000025E00440000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ps.pndsn.com
Source: AteraAgent.exe, 0000000D.00000002.2420125262.000001D0BAE1A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.datacontract.org
Source: AteraAgent.exe, 0000000D.00000002.2420125262.000001D0BAE1A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.datacontract.org/2004/07/
Source: AteraAgent.exe, 0000000D.00000002.2420125262.000001D0BAE1A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.datacontract.org/2004/07/System.ServiceProcess
Source: rundll32.exe, 00000005.00000002.2341611865.00000000047E4000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.2341611865.0000000004741000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.4739839137.0000025E00001000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000012.00000002.2483405814.0000000004A31000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000012.00000002.2483405814.0000000004AD4000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000014.00000002.2619394288.000001FE492B3000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000016.00000002.2621291158.000002A86674F000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000018.00000002.3592707390.00000140BFC2F000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000001A.00000002.3789368598.000001AD000BF000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000001C.00000002.3980162683.000001BB818DF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: rundll32.exe, 00000004.00000003.2279701962.0000000004C33000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2291421210.0000000004431000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2350193018.0000000004BC0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2427395376.000000000472D000.00000004.00000020.00020000.00000000.sdmp, registration.msi, MSIE596.tmp.2.dr, Microsoft.Deployment.WindowsInstaller.dll.4.dr, Microsoft.Deployment.WindowsInstaller.dll.6.dr, 41c382.msi.2.dr, MSIE6C0.tmp.2.dr, Microsoft.Deployment.WindowsInstaller.dll.18.dr, MSIE49B.tmp.2.dr String found in binary or memory: http://wixtoolset.org
Source: rundll32.exe, 00000004.00000003.2279701962.0000000004C02000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2291421210.0000000004400000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2350193018.0000000004B8F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2427395376.00000000046FC000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Deployment.WindowsInstaller.dll.4.dr, Microsoft.Deployment.WindowsInstaller.dll.6.dr, Microsoft.Deployment.WindowsInstaller.dll.18.dr String found in binary or memory: http://wixtoolset.org/Whttp://wixtoolset.org/telemetry/v
Source: rundll32.exe, 00000004.00000003.2279701962.0000000004C02000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2291421210.0000000004400000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2350193018.0000000004B8F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2427395376.00000000046FC000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Deployment.WindowsInstaller.dll.4.dr, Microsoft.Deployment.WindowsInstaller.dll.6.dr, Microsoft.Deployment.WindowsInstaller.dll.18.dr String found in binary or memory: http://wixtoolset.org/news/
Source: rundll32.exe, 00000004.00000003.2279701962.0000000004C02000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2291421210.0000000004400000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2350193018.0000000004B8F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2427395376.00000000046FC000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Deployment.WindowsInstaller.dll.4.dr, Microsoft.Deployment.WindowsInstaller.dll.6.dr, Microsoft.Deployment.WindowsInstaller.dll.18.dr String found in binary or memory: http://wixtoolset.org/releases/
Source: rundll32.exe, 00000004.00000003.2279701962.0000000004C33000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2291421210.0000000004431000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2350193018.0000000004BC0000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2420125262.000001D0BAE1A000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2421031200.000001D0D3456000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2422257360.000001D0D373C000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.4751349828.0000025E6EE89000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2427395376.000000000472D000.00000004.00000020.00020000.00000000.sdmp, registration.msi, System.ValueTuple.dll.2.dr, Pubnub.dll.2.dr, ICSharpCode.SharpZipLib.dll.2.dr, Newtonsoft.Json.dll.6.dr, Newtonsoft.Json.dll.4.dr, Newtonsoft.Json.dll.2.dr, 41c382.msi.2.dr, AgentPackageAgentInformation.exe.15.dr, Newtonsoft.Json.dll.5.dr, Atera.AgentPackage.Common.dll.15.dr, Newtonsoft.Json.dll.15.dr, Newtonsoft.Json.dll.18.dr String found in binary or memory: http://www.digicert.com/CPS0
Source: AteraAgent.exe, 0000000D.00000002.2420125262.000001D0BAE1A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.w3.o
Source: AteraAgent.exe, 0000000D.00000002.2420125262.000001D0BAE1A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.w3.oh
Source: AteraAgent.exe, 0000000F.00000002.4739839137.0000025E007DB000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.4739839137.0000025E007EF000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.4739839137.0000025E007E3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://agent-api.P
Source: rundll32.exe, 00000005.00000002.2341611865.00000000047E4000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000012.00000002.2483405814.0000000004AD4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://agent-api.aterD
Source: AgentPackageAgentInformation.exe, 0000001C.00000002.3980162683.000001BB818DF000.00000004.00000800.00020000.00000000.sdmp, AlphaControlAgentInstallation.dll.5.dr, AlphaControlAgentInstallation.dll.6.dr, AlphaControlAgentInstallation.dll.18.dr, AlphaControlAgentInstallation.dll.4.dr String found in binary or memory: https://agent-api.atera.com
Source: rundll32.exe, 00000004.00000003.2279701962.0000000004C02000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2291421210.0000000004400000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.2341611865.00000000047E4000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.2341611865.0000000004741000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2350193018.0000000004B8F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2427395376.00000000046FC000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000002.2483405814.0000000004A31000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000012.00000002.2483405814.0000000004AD4000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000014.00000002.2621254823.000001FE61AB0000.00000004.00000020.00020000.00000000.sdmp, AlphaControlAgentInstallation.dll.5.dr, AlphaControlAgentInstallation.dll.6.dr, AlphaControlAgentInstallation.dll.18.dr, AlphaControlAgentInstallation.dll.4.dr String found in binary or memory: https://agent-api.atera.com/
Source: AgentPackageAgentInformation.exe, 00000014.00000002.2619394288.000001FE492B3000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000016.00000002.2621291158.000002A86674F000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000018.00000002.3592707390.00000140BFC2F000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000001A.00000002.3789368598.000001AD000BF000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000001C.00000002.3980162683.000001BB818DF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://agent-api.atera.com/Production
Source: AteraAgent.exe, 0000000F.00000002.4739839137.0000025E007DB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://agent-api.atera.com/Production/Agent
Source: rundll32.exe, 00000004.00000003.2279701962.0000000004C02000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2291421210.0000000004400000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.2341611865.00000000047E4000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.2341611865.0000000004741000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2350193018.0000000004B8F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2427395376.00000000046FC000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000002.2483405814.0000000004A31000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000012.00000002.2483405814.0000000004AD4000.00000004.00000800.00020000.00000000.sdmp, AlphaControlAgentInstallation.dll.5.dr, AlphaControlAgentInstallation.dll.6.dr, AlphaControlAgentInstallation.dll.18.dr, AlphaControlAgentInstallation.dll.4.dr String found in binary or memory: https://agent-api.atera.com/Production/Agent/
Source: AteraAgent.exe, 0000000F.00000002.4739839137.0000025E007EF000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.4739839137.0000025E007E3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://agent-api.atera.com/Production/Agent/Age
Source: AteraAgent.exe, 0000000F.00000002.4739839137.0000025E00304000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.4739839137.0000025E00242000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.4739839137.0000025E007E3000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.4739839137.0000025E00092000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://agent-api.atera.com/Production/Agent/AgentStarting
Source: AteraAgent.exe, 0000000F.00000002.4739839137.0000025E00566000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.4739839137.0000025E004C0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://agent-api.atera.com/Production/Agent/AgentStarting)
Source: AgentPackageAgentInformation.exe, 00000014.00000002.2619394288.000001FE492B3000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000016.00000002.2621291158.000002A86674F000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000018.00000002.3592707390.00000140BFC2F000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000001A.00000002.3789368598.000001AD000BF000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000001C.00000002.3980162683.000001BB818DF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://agent-api.atera.com/Production/Agent/CommandResult
Source: AteraAgent.exe, 0000000F.00000002.4739839137.0000025E00304000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.4739839137.0000025E00242000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.4739839137.0000025E00434000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://agent-api.atera.com/Production/Agent/GetCommands
Source: AteraAgent.exe, 0000000F.00000002.4739839137.0000025E007B7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://agent-api.atera.com/Production/Agent/GetCommands)
Source: AteraAgent.exe, 0000000F.00000002.4739839137.0000025E00242000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://agent-api.atera.com/Production/Agent/GetCommands8
Source: AteraAgent.exe, 0000000F.00000002.4739839137.0000025E00304000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.4739839137.0000025E00242000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://agent-api.atera.com/Production/Agent/GetCommandsFallback
Source: AteraAgent.exe, 0000000F.00000002.4739839137.0000025E00304000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://agent-api.atera.com/Production/Agent/GetCommandsFallback0
Source: AteraAgent.exe, 0000000F.00000002.4739839137.0000025E00001000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://agent-api.atera.com/Production/Agent/GetEnvironmentStatus
Source: AteraAgent.exe, 0000000F.00000002.4739839137.0000025E00440000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://agent-api.atera.com/Production/Agent/GetRecurringPackages
Source: AteraAgent.exe, 0000000F.00000002.4739839137.0000025E00092000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://agent-api.atera.com/Production/Agent/GetRecurringPackagesce
Source: AteraAgent.exe, 0000000F.00000002.4739839137.0000025E001C2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://agent-api.atera.com/Production/Agent/GetRecurringPackagesnection
Source: rundll32.exe, 00000005.00000002.2341611865.00000000047E4000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.2341611865.0000000004741000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000012.00000002.2483405814.0000000004A31000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000012.00000002.2483405814.0000000004AD4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://agent-api.atera.com/Production/Agent/track-event
Source: rundll32.exe, 00000004.00000003.2279701962.0000000004C33000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2291421210.0000000004431000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2350193018.0000000004BC0000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.4750635024.0000025E6EB92000.00000002.00000001.01000000.0000001A.sdmp, rundll32.exe, 00000012.00000003.2427395376.000000000472D000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000016.00000002.2620350123.000002A86664B000.00000002.00000001.01000000.00000019.sdmp, Newtonsoft.Json.dll.6.dr, Newtonsoft.Json.dll.4.dr, Newtonsoft.Json.dll.2.dr, Newtonsoft.Json.dll.5.dr, Newtonsoft.Json.dll.15.dr, Newtonsoft.Json.dll.18.dr String found in binary or memory: https://github.com/JamesNK/Newtonsoft.Json
Source: System.ValueTuple.dll.2.dr String found in binary or memory: https://github.com/dotnet/corefx/tree/30ab651fcb4354552bd4891619a0bdd81e0ebdbf
Source: System.ValueTuple.dll.2.dr String found in binary or memory: https://github.com/dotnet/corefx/tree/30ab651fcb4354552bd4891619a0bdd81e0ebdbf8
Source: AteraAgent.exe, 0000000F.00000002.4753488973.0000025E6F162000.00000002.00000001.01000000.0000001B.sdmp, ICSharpCode.SharpZipLib.dll.2.dr String found in binary or memory: https://github.com/icsharpcode/SharpZipLib
Source: AteraAgent.exe, 0000000F.00000002.4739839137.0000025E000CA000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.4739839137.0000025E000C5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ps.atera.com/agentpackagescrossplatform/AgentPackageAgentInformation/1.13/AgentPackageAgentI
Source: AteraAgent.exe, 0000000F.00000002.4739839137.0000025E00195000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.4739839137.0000025E001B6000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.4739839137.0000025E00232000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.4739839137.0000025E00063000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ps.atera.com/agentpackagesmac/Agent.Package.Availability/0.16/Agent.Package.Availability.zip
Source: AteraAgent.exe, 0000000F.00000002.4739839137.0000025E00195000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.4739839137.0000025E001B6000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.4739839137.0000025E001BE000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.4739839137.0000025E00189000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.4739839137.0000025E0023A000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.4739839137.0000025E00242000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.4739839137.0000025E00063000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ps.atera.com/agentpackagesmac/Agent.Package.IotPoc/0.2/Agent.Package.IotPoc.zip
Source: AteraAgent.exe, 0000000F.00000002.4739839137.0000025E00195000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.4739839137.0000025E001B6000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.4739839137.0000025E00232000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.4739839137.0000025E00063000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ps.atera.com/agentpackagesmac/Agent.Package.Watchdog/1.7/Agent.Package.Watchdog.zip
Source: AteraAgent.exe, 0000000F.00000002.4739839137.0000025E000CA000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.4739839137.0000025E000C5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ps.atera.com/agentpackagesmac/AgentPackageAgentInformation/38.0/AgentPackageAgentInformation
Source: AteraAgent.exe, 0000000F.00000002.4739839137.0000025E00195000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.4739839137.0000025E001B6000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.4739839137.0000025E001BE000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.4739839137.0000025E00189000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.4739839137.0000025E0023A000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.4739839137.0000025E00242000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.4739839137.0000025E00063000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ps.atera.com/agentpackagesmac/AgentPackageNetworkDiscovery/13.0/AgentPackageNetworkDiscovery
Source: AteraAgent.exe, 0000000F.00000002.4739839137.0000025E00195000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.4739839137.0000025E001B6000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.4739839137.0000025E001BE000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.4739839137.0000025E00189000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.4739839137.0000025E0023A000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.4739839137.0000025E00242000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.4739839137.0000025E00063000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ps.atera.com/agentpackagesmac/AgentPackageRuntimeInstaller/1.5/AgentPackageRuntimeInstaller.
Source: AteraAgent.exe, 0000000F.00000002.4739839137.0000025E00195000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.4739839137.0000025E001B6000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.4739839137.0000025E001BE000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.4739839137.0000025E00189000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.4739839137.0000025E0023A000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.4739839137.0000025E00242000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.4739839137.0000025E00063000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ps.atera.com/agentpackagesmac/AgentPackageTaskScheduler/13.0/AgentPackageTaskScheduler.zip
Source: AteraAgent.exe, 0000000F.00000002.4739839137.0000025E00195000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.4739839137.0000025E001B6000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.4739839137.0000025E00232000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.4739839137.0000025E00063000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ps.atera.com/agentpackagesnet45/Agent.Package.Availability/0.16/Agent.Package.Availability.z
Source: AteraAgent.exe, 0000000F.00000002.4739839137.0000025E00195000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.4739839137.0000025E001B6000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.4739839137.0000025E001BE000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.4739839137.0000025E00189000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.4739839137.0000025E0023A000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.4739839137.0000025E00242000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.4739839137.0000025E00063000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ps.atera.com/agentpackagesnet45/Agent.Package.IotPoc/0.2/Agent.Package.IotPoc.zip
Source: AteraAgent.exe, 0000000F.00000002.4739839137.0000025E00195000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.4739839137.0000025E001B6000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.4739839137.0000025E00232000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.4739839137.0000025E00063000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ps.atera.com/agentpackagesnet45/Agent.Package.Watchdog/1.7/Agent.Package.Watchdog.zip
Source: AteraAgent.exe, 0000000F.00000002.4739839137.0000025E000CA000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.4739839137.0000025E000C5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageAgentInformation/38.0/AgentPackageAgentInformati
Source: AteraAgent.exe, 0000000F.00000002.4739839137.0000025E00195000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.4739839137.0000025E001B6000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.4739839137.0000025E001BE000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.4739839137.0000025E00189000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.4739839137.0000025E0023A000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.4739839137.0000025E00242000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.4739839137.0000025E00063000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageNetworkDiscovery/23.9/AgentPackageNetworkDiscove
Source: AteraAgent.exe, 0000000F.00000002.4739839137.0000025E00195000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.4739839137.0000025E001B6000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.4739839137.0000025E001BE000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.4739839137.0000025E00189000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.4739839137.0000025E0023A000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.4739839137.0000025E00242000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.4739839137.0000025E00063000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageRuntimeInstaller/1.6/AgentPackageRuntimeInstalle
Source: AteraAgent.exe, 0000000F.00000002.4739839137.0000025E00195000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.4739839137.0000025E001B6000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.4739839137.0000025E001BE000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.4739839137.0000025E00189000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.4739839137.0000025E0023A000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.4739839137.0000025E00242000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.4739839137.0000025E00063000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageTaskScheduler/17.2/AgentPackageTaskScheduler.zip
Source: AteraAgent.exe, 0000000F.00000002.4739839137.0000025E0023A000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.4739839137.0000025E00242000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageWindowsUpdate/24.6/AgentPackageWindowsUpdate.zip
Source: AteraAgent.exe, 0000000F.00000002.4739839137.0000025E00195000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.4739839137.0000025E001B6000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.4739839137.0000025E00232000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.4739839137.0000025E00063000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ps.atera.com/agentpackageswin/Agent.Package.Availability/13.0/Agent.Package.Availability.zip
Source: AteraAgent.exe, 0000000F.00000002.4739839137.0000025E00195000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.4739839137.0000025E001B6000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.4739839137.0000025E001BE000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.4739839137.0000025E00189000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.4739839137.0000025E0023A000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.4739839137.0000025E00242000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.4739839137.0000025E00063000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ps.atera.com/agentpackageswin/Agent.Package.IotPoc/13.0/Agent.Package.IotPoc.zip
Source: AteraAgent.exe, 0000000F.00000002.4739839137.0000025E00195000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.4739839137.0000025E001B6000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.4739839137.0000025E00232000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.4739839137.0000025E00063000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ps.atera.com/agentpackageswin/Agent.Package.Watchdog/13.0/Agent.Package.Watchdog.zip
Source: AteraAgent.exe, 0000000F.00000002.4739839137.0000025E000CA000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.4739839137.0000025E000C5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ps.atera.com/agentpackageswin/AgentPackageAgentInformation/22.7/AgentPackageAgentInformation
Source: AteraAgent.exe, 0000000F.00000002.4739839137.0000025E00232000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ps.atera.com/agentpackageswin/AgentPackageHeartbeat/16.9
Source: AteraAgent.exe, 0000000F.00000002.4739839137.0000025E0023A000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.4739839137.0000025E00242000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ps.atera.com/agentpackageswin/AgentPackageNetworkDiscovery/15.0/AgentPackageNetworkDiscovery
Source: AteraAgent.exe, 0000000F.00000002.4739839137.0000025E00195000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.4739839137.0000025E001B6000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.4739839137.0000025E001BE000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.4739839137.0000025E00189000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.4739839137.0000025E0023A000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.4739839137.0000025E00242000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.4739839137.0000025E00063000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ps.atera.com/agentpackageswin/AgentPackageRuntimeInstaller/13.0/AgentPackageRuntimeInstaller
Source: AteraAgent.exe, 0000000F.00000002.4739839137.0000025E00195000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.4739839137.0000025E001B6000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.4739839137.0000025E001BE000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.4739839137.0000025E00189000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.4739839137.0000025E0023A000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.4739839137.0000025E00242000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.4739839137.0000025E00063000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ps.atera.com/agentpackageswin/AgentPackageTaskScheduler/13.1/AgentPackageTaskScheduler.zip
Source: AteraAgent.exe, 0000000F.00000002.4739839137.0000025E00434000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ps.pndsn
Source: AteraAgent.exe, 0000000F.00000002.4739839137.0000025E000E2000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.4739839137.0000025E00434000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ps.pndsn.com
Source: AteraAgent.exe, 0000000F.00000002.4739839137.0000025E00304000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ps.pndsn.com/time/0?pnsdk=NET45CSharp6.13.0.0&requestid=05ecc6e5-ecbe-426c-b21f-2f414d78087e
Source: AteraAgent.exe, 0000000F.00000002.4739839137.0000025E00304000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ps.pndsn.com/time/0?pnsdk=NET45CSharp6.13.0.0&requestid=3a39f650-9aa7-486c-a971-f5b24a6e661c
Source: AteraAgent.exe, 0000000F.00000002.4739839137.0000025E00242000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ps.pndsn.com/time/0?pnsdk=NET45CSharp6.13.0.0&requestid=3af72751-dbe9-4596-b6ee-6d67e84a5830
Source: AteraAgent.exe, 0000000F.00000002.4739839137.0000025E00304000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ps.pndsn.com/time/0?pnsdk=NET45CSharp6.13.0.0&requestid=50e4cbc2-cc27-4e42-b044-8c7a8b8e200d
Source: AteraAgent.exe, 0000000F.00000002.4739839137.0000025E00304000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ps.pndsn.com/time/0?pnsdk=NET45CSharp6.13.0.0&requestid=61d95b76-5b67-4486-9f2d-f8d365c1f79d
Source: AteraAgent.exe, 0000000F.00000002.4739839137.0000025E00304000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ps.pndsn.com/time/0?pnsdk=NET45CSharp6.13.0.0&requestid=6369cfb0-4b84-4f4d-9006-15859c206f1e
Source: AteraAgent.exe, 0000000F.00000002.4739839137.0000025E00242000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ps.pndsn.com/time/0?pnsdk=NET45CSharp6.13.0.0&requestid=9264d1e3-b040-4685-8c12-22cc4dee131b
Source: AteraAgent.exe, 0000000F.00000002.4739839137.0000025E00434000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ps.pndsn.com/time/0?pnsdk=NET45CSharp6.13.0.0&requestid=9ead68d6-bdd5-4770-a068-8d3fb261cd22
Source: AteraAgent.exe, 0000000F.00000002.4739839137.0000025E00242000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ps.pndsn.com/time/0?pnsdk=NET45CSharp6.13.0.0&requestid=b02e1ef0-ec67-47b3-a61c-d81850d0d964
Source: AteraAgent.exe, 0000000F.00000002.4739839137.0000025E000E2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ps.pndsn.com/time/0?pnsdk=NET45CSharp6.13.0.0&requestid=bf7ca070-0a55-4d8e-8d7a-52b5cb49f44c
Source: AteraAgent.exe, 0000000F.00000002.4739839137.0000025E00304000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ps.pndsn.com/time/0?pnsdk=NET45CSharp6.13.0.0&requestid=c7890d66-5dda-44b9-9266-433341b69fe6
Source: AteraAgent.exe, 0000000F.00000002.4739839137.0000025E00304000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ps.pndsn.com/time/0?pnsdk=NET45CSharp6.13.0.0&requestid=d973c3b7-e1d5-4576-8927-c7ba728f6ebc
Source: AteraAgent.exe, 0000000F.00000002.4739839137.0000025E00304000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ps.pndsn.com/time/0?pnsdk=NET45CSharp6.13.0.0&requestid=e39b01e5-dc44-47cf-a0d2-d7bead94718e
Source: AteraAgent.exe, 0000000F.00000002.4739839137.0000025E00092000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ps.pndsn.com/v2/presence/sub_key/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/channel/95fbc98a
Source: AteraAgent.exe, 0000000F.00000002.4739839137.0000025E00242000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.4739839137.0000025E001C2000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.4739839137.0000025E00092000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.4739839137.0000025E00440000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ps.pndsn.com/v2/subscribe/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/95fbc98a-3c27-44ae-84cf
Source: AteraAgent.exe, 0000000F.00000002.4739839137.0000025E00304000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ps.pndsn.com/v2T
Source: rundll32.exe, 00000004.00000003.2279701962.0000000004C33000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2291421210.0000000004431000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2350193018.0000000004BC0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2427395376.000000000472D000.00000004.00000020.00020000.00000000.sdmp, registration.msi, MSIE596.tmp.2.dr, Microsoft.Deployment.WindowsInstaller.dll.4.dr, Microsoft.Deployment.WindowsInstaller.dll.6.dr, 41c382.msi.2.dr, MSIE6C0.tmp.2.dr, Microsoft.Deployment.WindowsInstaller.dll.18.dr, MSIE49B.tmp.2.dr String found in binary or memory: https://www.digicert.com/CPS0
Source: rundll32.exe, 00000004.00000003.2279701962.0000000004C33000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2291421210.0000000004431000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2350193018.0000000004BC0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2427395376.000000000472D000.00000004.00000020.00020000.00000000.sdmp, Newtonsoft.Json.dll.6.dr, Newtonsoft.Json.dll.4.dr, Newtonsoft.Json.dll.5.dr, Newtonsoft.Json.dll.18.dr String found in binary or memory: https://www.newtonsoft.com/json
Source: Newtonsoft.Json.dll.18.dr String found in binary or memory: https://www.newtonsoft.com/jsonschema
Source: rundll32.exe, 00000004.00000003.2279701962.0000000004C33000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2291421210.0000000004431000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2350193018.0000000004BC0000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.4750635024.0000025E6EB92000.00000002.00000001.01000000.0000001A.sdmp, rundll32.exe, 00000012.00000003.2427395376.000000000472D000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000016.00000002.2620350123.000002A86664B000.00000002.00000001.01000000.00000019.sdmp, Newtonsoft.Json.dll.6.dr, Newtonsoft.Json.dll.4.dr, Newtonsoft.Json.dll.2.dr, Newtonsoft.Json.dll.5.dr, Newtonsoft.Json.dll.15.dr, Newtonsoft.Json.dll.18.dr String found in binary or memory: https://www.nuget.org/packages/Newtonsoft.Json.Bson
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49986
Source: unknown Network traffic detected: HTTP traffic on port 50145 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49985
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50218
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50339
Source: unknown Network traffic detected: HTTP traffic on port 49949 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50007 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50056
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50330
Source: unknown Network traffic detected: HTTP traffic on port 50225 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50211
Source: unknown Network traffic detected: HTTP traffic on port 50334 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50319 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50334
Source: unknown Network traffic detected: HTTP traffic on port 49912 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49795 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50131 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50022 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50154 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50182
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50063
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50184
Source: unknown Network traffic detected: HTTP traffic on port 50211 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50343 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49906 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49977
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49976
Source: unknown Network traffic detected: HTTP traffic on port 49950 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50107
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50349
Source: unknown Network traffic detected: HTTP traffic on port 50018 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50091 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50056 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50339 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50344
Source: unknown Network traffic detected: HTTP traffic on port 49784 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50101
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50343
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50225
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50224
Source: unknown Network traffic detected: HTTP traffic on port 50240 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50070
Source: unknown Network traffic detected: HTTP traffic on port 50107 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50195
Source: unknown Network traffic detected: HTTP traffic on port 49798 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49965
Source: unknown Network traffic detected: HTTP traffic on port 50088 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50238
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49963
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50118
Source: unknown Network traffic detected: HTTP traffic on port 50195 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50239
Source: unknown Network traffic detected: HTTP traffic on port 50015 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50076
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50230
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50350
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50199
Source: unknown Network traffic detected: HTTP traffic on port 50114 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50231
Source: unknown Network traffic detected: HTTP traffic on port 50246 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50130 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50076 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50114
Source: unknown Network traffic detected: HTTP traffic on port 49986 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50303 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49963 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50031 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50043 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49959
Source: unknown Network traffic detected: HTTP traffic on port 50272 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50326 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49774 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50007
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49798
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50006
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49797
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49950
Source: unknown Network traffic detected: HTTP traffic on port 50280 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49795
Source: unknown Network traffic detected: HTTP traffic on port 50142 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50240
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50089
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50088
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50126
Source: unknown Network traffic detected: HTTP traffic on port 50224 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50246
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50091
Source: unknown Network traffic detected: HTTP traffic on port 50323 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50136 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50250
Source: unknown Network traffic detected: HTTP traffic on port 50294 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50006 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49949
Source: unknown Network traffic detected: HTTP traffic on port 50218 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49997 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50018
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49784
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49783
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50131
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50097
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50130
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50132
Source: unknown Network traffic detected: HTTP traffic on port 50330 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50014
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50258
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50015
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50136
Source: unknown Network traffic detected: HTTP traffic on port 50350 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50238 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50184 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49965 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50140
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50261
Source: unknown Network traffic detected: HTTP traffic on port 49977 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50230 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50304
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50303
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49775
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49774
Source: unknown Network traffic detected: HTTP traffic on port 50173 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50035 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50307
Source: unknown Network traffic detected: HTTP traffic on port 50014 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50142
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50262
Source: unknown Network traffic detected: HTTP traffic on port 50070 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50261 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50282 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50022
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50145
Source: unknown Network traffic detected: HTTP traffic on port 49985 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50046 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50272
Source: unknown Network traffic detected: HTTP traffic on port 50258 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50304 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50250 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50329 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49783 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50063 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49976 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50166 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50319
Source: unknown Network traffic detected: HTTP traffic on port 50118 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50031
Source: unknown Network traffic detected: HTTP traffic on port 50200 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50154
Source: unknown Network traffic detected: HTTP traffic on port 50262 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50035
Source: unknown Network traffic detected: HTTP traffic on port 50208 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50182 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50322 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49797 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50280
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50282
Source: unknown Network traffic detected: HTTP traffic on port 50307 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50140 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50089 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49912
Source: unknown Network traffic detected: HTTP traffic on port 50349 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49998
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49997
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50326
Source: unknown Network traffic detected: HTTP traffic on port 49998 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50208
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50329
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50043
Source: unknown Network traffic detected: HTTP traffic on port 50284 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50284
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50166
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50322
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50046
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50200
Source: unknown Network traffic detected: HTTP traffic on port 50097 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50323
Source: unknown Network traffic detected: HTTP traffic on port 49959 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50132 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50239 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50173
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50294
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49906
Source: unknown Network traffic detected: HTTP traffic on port 49775 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50126 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50199 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50101 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50344 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50231 -> 443
Source: unknown HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.6:49774 version: TLS 1.2
Source: unknown HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.6:49775 version: TLS 1.2
Source: unknown HTTPS traffic detected: 108.158.75.12:443 -> 192.168.2.6:49795 version: TLS 1.2
Source: unknown HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.6:49950 version: TLS 1.2
Source: unknown HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.6:49949 version: TLS 1.2
Source: unknown HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.6:49965 version: TLS 1.2
Source: unknown HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.6:49963 version: TLS 1.2
Source: unknown HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.6:49977 version: TLS 1.2
Source: unknown HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.6:49985 version: TLS 1.2
Source: unknown HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.6:49986 version: TLS 1.2
Source: unknown HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.6:50006 version: TLS 1.2
Source: unknown HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.6:50015 version: TLS 1.2
Source: unknown HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.6:50014 version: TLS 1.2
Source: unknown HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.6:50018 version: TLS 1.2
Source: unknown HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.6:50046 version: TLS 1.2
Source: unknown HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.6:50056 version: TLS 1.2
Source: unknown HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.6:50088 version: TLS 1.2
Source: unknown HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.6:50091 version: TLS 1.2
Source: unknown HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.6:50097 version: TLS 1.2
Source: unknown HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.6:50114 version: TLS 1.2
Source: unknown HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.6:50118 version: TLS 1.2
Source: unknown HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.6:50126 version: TLS 1.2
Source: unknown HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.6:50130 version: TLS 1.2
Source: unknown HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.6:50132 version: TLS 1.2
Source: unknown HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.6:50131 version: TLS 1.2
Source: unknown HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.6:50136 version: TLS 1.2
Source: unknown HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.6:50140 version: TLS 1.2
Source: unknown HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.6:50142 version: TLS 1.2
Source: unknown HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.6:50145 version: TLS 1.2
Source: unknown HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.6:50154 version: TLS 1.2
Source: unknown HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.6:50166 version: TLS 1.2
Source: unknown HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.6:50173 version: TLS 1.2
Source: unknown HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.6:50182 version: TLS 1.2
Source: unknown HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.6:50184 version: TLS 1.2
Source: unknown HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.6:50195 version: TLS 1.2
Source: unknown HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.6:50199 version: TLS 1.2
Source: unknown HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.6:50200 version: TLS 1.2
Source: unknown HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.6:50208 version: TLS 1.2
Source: unknown HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.6:50211 version: TLS 1.2
Source: unknown HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.6:50218 version: TLS 1.2
Source: unknown HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.6:50225 version: TLS 1.2
Source: unknown HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.6:50224 version: TLS 1.2
Source: unknown HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.6:50230 version: TLS 1.2
Source: unknown HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.6:50231 version: TLS 1.2
Source: unknown HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.6:50238 version: TLS 1.2
Source: unknown HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.6:50239 version: TLS 1.2
Source: unknown HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.6:50240 version: TLS 1.2
Source: unknown HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.6:50246 version: TLS 1.2
Source: unknown HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.6:50250 version: TLS 1.2
Source: unknown HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.6:50258 version: TLS 1.2
Source: unknown HTTPS traffic detected: 13.232.67.199:443 -> 192.168.2.6:50261 version: TLS 1.2
Source: unknown HTTPS traffic detected: 13.232.67.199:443 -> 192.168.2.6:50262 version: TLS 1.2
Source: unknown HTTPS traffic detected: 13.232.67.199:443 -> 192.168.2.6:50272 version: TLS 1.2
Source: unknown HTTPS traffic detected: 13.232.67.199:443 -> 192.168.2.6:50280 version: TLS 1.2
Source: unknown HTTPS traffic detected: 13.232.67.199:443 -> 192.168.2.6:50282 version: TLS 1.2
Source: unknown HTTPS traffic detected: 13.232.67.199:443 -> 192.168.2.6:50284 version: TLS 1.2
Source: unknown HTTPS traffic detected: 13.232.67.199:443 -> 192.168.2.6:50294 version: TLS 1.2
Source: unknown HTTPS traffic detected: 13.232.67.199:443 -> 192.168.2.6:50303 version: TLS 1.2
Source: unknown HTTPS traffic detected: 13.232.67.199:443 -> 192.168.2.6:50304 version: TLS 1.2
Source: unknown HTTPS traffic detected: 13.232.67.199:443 -> 192.168.2.6:50307 version: TLS 1.2
Source: unknown HTTPS traffic detected: 13.232.67.199:443 -> 192.168.2.6:50319 version: TLS 1.2
Source: unknown HTTPS traffic detected: 13.232.67.199:443 -> 192.168.2.6:50322 version: TLS 1.2
Source: unknown HTTPS traffic detected: 13.232.67.199:443 -> 192.168.2.6:50323 version: TLS 1.2
Source: unknown HTTPS traffic detected: 13.232.67.199:443 -> 192.168.2.6:50326 version: TLS 1.2
Source: unknown HTTPS traffic detected: 13.232.67.199:443 -> 192.168.2.6:50329 version: TLS 1.2
Source: unknown HTTPS traffic detected: 13.232.67.199:443 -> 192.168.2.6:50330 version: TLS 1.2
Source: unknown HTTPS traffic detected: 13.232.67.199:443 -> 192.168.2.6:50334 version: TLS 1.2
Source: unknown HTTPS traffic detected: 13.232.67.199:443 -> 192.168.2.6:50339 version: TLS 1.2
Source: unknown HTTPS traffic detected: 13.232.67.199:443 -> 192.168.2.6:50350 version: TLS 1.2
Source: unknown HTTPS traffic detected: 13.232.67.199:443 -> 192.168.2.6:50349 version: TLS 1.2
Drops certificate files (DER)
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C56C4404C4DEF0DC88E5FCD9F09CB2F1 Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EC9B1D0ABBD7F98B401D425828828CE_DEB07B5578A606ED6489DDA2E357A944 Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\BA74182F76F15A9CF514DEF352303C95 Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141 Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F2E248BEDDBB2D85122423C41028BFD4 Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB Jump to dropped file

Spam, unwanted Advertisements and Ransom Demands
barindex
Reads the Security eventlog
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security\AlphaAgent
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security\AlphaAgent
Reads the System eventlog
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System\AteraAgent Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System\AlphaAgent
Abnormal high CPU Usage
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Process Stats: CPU usage > 49%
Creates files inside the system directory
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\41c382.msi Jump to behavior
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSIC4F9.tmp Jump to behavior
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSICAE6.tmp Jump to behavior
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSIE1CA.tmp Jump to behavior
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\inprogressinstallinfo.ipi Jump to behavior
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\SourceHash{E732A0D7-A2F2-4657-AC41-B19742648E45} Jump to behavior
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSIE49A.tmp Jump to behavior
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSIE49B.tmp Jump to behavior
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSIE596.tmp Jump to behavior
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSIE6C0.tmp Jump to behavior
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\41c384.msi Jump to behavior
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\41c384.msi Jump to behavior
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSIFFD7.tmp Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\Installer\MSIC4F9.tmp- Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\Installer\MSIC4F9.tmp-\AlphaControlAgentInstallation.dll Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\Installer\MSIC4F9.tmp-\Microsoft.Deployment.WindowsInstaller.dll Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\Installer\MSIC4F9.tmp-\Newtonsoft.Json.dll Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\Installer\MSIC4F9.tmp-\System.Management.dll Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\Installer\MSIC4F9.tmp-\CustomAction.config Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\Installer\MSICAE6.tmp- Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\Installer\MSICAE6.tmp-\AlphaControlAgentInstallation.dll Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\Installer\MSICAE6.tmp-\Microsoft.Deployment.WindowsInstaller.dll Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\Installer\MSICAE6.tmp-\Newtonsoft.Json.dll Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\Installer\MSICAE6.tmp-\System.Management.dll Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\Installer\MSICAE6.tmp-\CustomAction.config Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\Installer\MSIE1CA.tmp- Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\Installer\MSIE1CA.tmp-\AlphaControlAgentInstallation.dll Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\Installer\MSIE1CA.tmp-\Microsoft.Deployment.WindowsInstaller.dll Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\Installer\MSIE1CA.tmp-\Newtonsoft.Json.dll Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\Installer\MSIE1CA.tmp-\System.Management.dll Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\Installer\MSIE1CA.tmp-\CustomAction.config Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Windows\system32\InstallUtil.InstallLog Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141 Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141 Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EC9B1D0ABBD7F98B401D425828828CE_DEB07B5578A606ED6489DDA2E357A944 Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EC9B1D0ABBD7F98B401D425828828CE_DEB07B5578A606ED6489DDA2E357A944 Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C56C4404C4DEF0DC88E5FCD9F09CB2F1
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C56C4404C4DEF0DC88E5FCD9F09CB2F1
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F2E248BEDDBB2D85122423C41028BFD4
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F2E248BEDDBB2D85122423C41028BFD4
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\BA74182F76F15A9CF514DEF352303C95
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\BA74182F76F15A9CF514DEF352303C95
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\1A374813EDB1A6631387E414D3E73232
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\1A374813EDB1A6631387E414D3E73232
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\329B6147266C1E26CD774EA22B79EC2E
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\329B6147266C1E26CD774EA22B79EC2E
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\Installer\MSIFFD7.tmp-
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\Installer\MSIFFD7.tmp-\AlphaControlAgentInstallation.dll
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\Installer\MSIFFD7.tmp-\Microsoft.Deployment.WindowsInstaller.dll
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\Installer\MSIFFD7.tmp-\Newtonsoft.Json.dll
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\Installer\MSIFFD7.tmp-\System.Management.dll
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\Installer\MSIFFD7.tmp-\CustomAction.config
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe File created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\AgentPackageAgentInformation.exe.log
Deletes files inside the Windows folder
Source: C:\Windows\System32\msiexec.exe File deleted: C:\Windows\Installer\MSIC4F9.tmp Jump to behavior
Detected potential crypto function
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_3_06A90040 5_3_06A90040
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_3_04E150B8 6_3_04E150B8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_3_04E159A8 6_3_04E159A8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_3_04E14D68 6_3_04E14D68
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Code function: 13_2_00007FFD341CC922 13_2_00007FFD341CC922
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Code function: 13_2_00007FFD341CBB76 13_2_00007FFD341CBB76
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Code function: 13_2_00007FFD341C0C1D 13_2_00007FFD341C0C1D
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Code function: 15_2_00007FFD34190D42 15_2_00007FFD34190D42
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Code function: 15_2_00007FFD3419CFB8 15_2_00007FFD3419CFB8
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Code function: 15_2_00007FFD3419A7FA 15_2_00007FFD3419A7FA
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Code function: 15_2_00007FFD341CF078 15_2_00007FFD341CF078
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Code function: 15_2_00007FFD341CF220 15_2_00007FFD341CF220
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Code function: 15_2_00007FFD341A1CF0 15_2_00007FFD341A1CF0
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Code function: 15_2_00007FFD34199AF2 15_2_00007FFD34199AF2
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Code function: 15_2_00007FFD343AC4FB 15_2_00007FFD343AC4FB
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Code function: 15_2_00007FFD343AE63D 15_2_00007FFD343AE63D
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Code function: 15_2_00007FFD343A1FDB 15_2_00007FFD343A1FDB
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Code function: 15_2_00007FFD343B4D35 15_2_00007FFD343B4D35
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Code function: 15_2_00007FFD343A2D70 15_2_00007FFD343A2D70
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_3_06DB0040 18_3_06DB0040
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Code function: 20_2_00007FFD341E047D 20_2_00007FFD341E047D
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Code function: 20_2_00007FFD341C8682 20_2_00007FFD341C8682
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Code function: 20_2_00007FFD341C1828 20_2_00007FFD341C1828
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Code function: 20_2_00007FFD341D108C 20_2_00007FFD341D108C
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Code function: 20_2_00007FFD341C78D6 20_2_00007FFD341C78D6
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Code function: 20_2_00007FFD341CFA94 20_2_00007FFD341CFA94
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Code function: 20_2_00007FFD341CBDB0 20_2_00007FFD341CBDB0
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Code function: 20_2_00007FFD341D10C0 20_2_00007FFD341D10C0
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Code function: 20_2_00007FFD341C30CD 20_2_00007FFD341C30CD
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Code function: 20_2_00007FFD341C31FA 20_2_00007FFD341C31FA
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Code function: 20_2_00007FFD341C12FA 20_2_00007FFD341C12FA
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Code function: 22_2_00007FFD341D047D 22_2_00007FFD341D047D
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Code function: 22_2_00007FFD341B8682 22_2_00007FFD341B8682
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Code function: 22_2_00007FFD341BB739 22_2_00007FFD341BB739
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Code function: 22_2_00007FFD341B1828 22_2_00007FFD341B1828
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Code function: 22_2_00007FFD341C108C 22_2_00007FFD341C108C
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Code function: 22_2_00007FFD341B78D6 22_2_00007FFD341B78D6
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Code function: 22_2_00007FFD341BFA94 22_2_00007FFD341BFA94
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Code function: 22_2_00007FFD341BBDB0 22_2_00007FFD341BBDB0
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Code function: 22_2_00007FFD341C10C0 22_2_00007FFD341C10C0
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Code function: 22_2_00007FFD341B30CD 22_2_00007FFD341B30CD
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Code function: 22_2_00007FFD341B31FA 22_2_00007FFD341B31FA
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Code function: 22_2_00007FFD341B12FB 22_2_00007FFD341B12FB
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Code function: 24_2_00007FFD341A8682 24_2_00007FFD341A8682
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Code function: 24_2_00007FFD341AB739 24_2_00007FFD341AB739
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Code function: 24_2_00007FFD341B100A 24_2_00007FFD341B100A
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Code function: 24_2_00007FFD341A78D6 24_2_00007FFD341A78D6
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Code function: 24_2_00007FFD341AFA94 24_2_00007FFD341AFA94
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Code function: 24_2_00007FFD341ABD10 24_2_00007FFD341ABD10
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Code function: 24_2_00007FFD341ADE1D 24_2_00007FFD341ADE1D
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Code function: 24_2_00007FFD341B10C0 24_2_00007FFD341B10C0
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Code function: 24_2_00007FFD341A12FB 24_2_00007FFD341A12FB
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Code function: 26_2_00007FFD341C8682 26_2_00007FFD341C8682
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Code function: 26_2_00007FFD341C78D6 26_2_00007FFD341C78D6
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Code function: 26_2_00007FFD341C30CD 26_2_00007FFD341C30CD
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Code function: 26_2_00007FFD341C12FA 26_2_00007FFD341C12FA
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Code function: 26_2_00007FFD341C31FA 26_2_00007FFD341C31FA
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Code function: 26_2_00007FFD341E047D 26_2_00007FFD341E047D
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Code function: 26_2_00007FFD341D100A 26_2_00007FFD341D100A
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Code function: 26_2_00007FFD341CFA94 26_2_00007FFD341CFA94
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Code function: 26_2_00007FFD341CBDB0 26_2_00007FFD341CBDB0
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Code function: 26_2_00007FFD341D10C0 26_2_00007FFD341D10C0
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Code function: 28_2_00007FFD341B8682 28_2_00007FFD341B8682
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Code function: 28_2_00007FFD341B78D6 28_2_00007FFD341B78D6
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Code function: 28_2_00007FFD341B1828 28_2_00007FFD341B1828
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Code function: 28_2_00007FFD341B30CD 28_2_00007FFD341B30CD
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Code function: 28_2_00007FFD341B12FB 28_2_00007FFD341B12FB
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Code function: 28_2_00007FFD341B31FA 28_2_00007FFD341B31FA
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Code function: 28_2_00007FFD341D047D 28_2_00007FFD341D047D
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Code function: 28_2_00007FFD341C108C 28_2_00007FFD341C108C
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Code function: 28_2_00007FFD341BFA94 28_2_00007FFD341BFA94
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Code function: 28_2_00007FFD341BBDB0 28_2_00007FFD341BBDB0
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Code function: 28_2_00007FFD341C10C0 28_2_00007FFD341C10C0
Dropped file seen in connection with other malware
Source: Joe Sandbox View Dropped File: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe A96A0BA7998A6956C8073B6EFF9306398CC03FB9866E4CABF0810A69BB2A43B2
Source: Joe Sandbox View Dropped File: C:\Program Files (x86)\ATERA Networks\AteraAgent\BouncyCastle.Crypto.dll 443A1C088E62810A954FFE9F0136F7A8D5E44928425D23B5284D936270D9837A
Sample file is different than original file name gathered from version info
Source: registration.msi Binary or memory string: OriginalFilenameAlphaControlAgentInstallation.dll\ vs registration.msi
Source: registration.msi Binary or memory string: OriginalFilenameSfxCA.dll\ vs registration.msi
Source: registration.msi Binary or memory string: OriginalFilenamewixca.dll\ vs registration.msi
Source: AteraAgent.exe.2.dr, SignatureValidator.cs Base64 encoded string: 'MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA0YmxeR/2wifvwd/MQXb/5tsLsvlMs50tmraklX8MKsU1EgEpRZ+W0Ro1ZHoLhQG53oq9hPz9bmJge78yZr6l1QJWz6wCj+yQUxM5f0gt4fHEf2yA94Tklnds7JPr2vQRb5rjAnxnt7722oWFc1bxFFsIcIhOI/EHYCE0qSPE1pKMXALkHZYoDQEFUu3YgEc0Oo7ClJNFrB75g6tVZRqGKxVvYQBb9zKDxhBRnDkhZuB7D1gRaR9PNwCr7tVtPt40c+CCf5ktUkeu4JzaiEipWvKYgRvotqsFtZF5uFso2UmdvxO+lIw9i/GPDfgS4JhKu/Y9lCuaan+xEluhSK0vpQIDAQAB'
Source: classification engine Classification label: mal88.troj.spyw.evad.winMSI@43/88@29/3
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\ATERA Networks Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\rundll32.exe.log Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Mutant created: NULL
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\netfxeventlog.1.0
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:5788:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6424:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:356:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5848:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:5672:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:4820:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:2992:120:WilError_03
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Mutant created: \BaseNamedObjects\Global\netfxeventlog.1.0
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:5200:120:WilError_03
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\TEMP\~DF4630E950FA28A864.TMP Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = &quot;AteraAgent.exe&quot;)
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select Name from Win32_Processor
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select Name from Win32_Processor
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select Name from Win32_Processor
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select Name from Win32_Processor
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select Name from Win32_Processor
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File read: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.ini
Source: C:\Windows\System32\msiexec.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Windows\Installer\MSIC4F9.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_4310406 2 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.GenerateAgentId
Source: taskkill.exe, 0000000B.00000002.2362910297.0000000002B90000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process;1Q
Source: registration.msi Static file information: TRID: Microsoft Windows Installer (60509/1) 57.88%
Source: registration.msi ReversingLabs: Detection: 28%
Source: unknown Process created: C:\Windows\System32\msiexec.exe "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\registration.msi"
Source: unknown Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
Source: C:\Windows\System32\msiexec.exe Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 3D043D01D69573A731BD32BF0EBA042E
Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Windows\Installer\MSIC4F9.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_4310406 2 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.GenerateAgentId
Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Windows\Installer\MSICAE6.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_4311812 6 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.ReportMsiStart
Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Windows\Installer\MSIE1CA.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_4317703 11 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.ShouldContinueInstallation
Source: C:\Windows\System32\msiexec.exe Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding ED6036EDFA306B6AD29B763B80D7974F E Global\MSI0000
Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Windows\SysWOW64\net.exe "NET" STOP AteraAgent
Source: C:\Windows\SysWOW64\net.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\net.exe Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 STOP AteraAgent
Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Windows\SysWOW64\taskkill.exe "TaskKill.exe" /f /im AteraAgent.exe
Source: C:\Windows\SysWOW64\taskkill.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\msiexec.exe Process created: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe" /i /IntegratorLogin="1vf5mpi5iyis@upsnab.net" /CompanyId="1" /IntegratorLoginUI="" /CompanyIdUI="" /FolderId="" /AccountId="001Q300000Kh41eIAB" /AgentId="95fbc98a-3c27-44ae-84cf-9e3acc292491"
Source: unknown Process created: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe"
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Process created: C:\Windows\System32\sc.exe "C:\Windows\System32\sc.exe" failure AteraAgent reset= 600 actions= restart/25000
Source: C:\Windows\System32\sc.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Windows\Installer\MSIFFD7.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_4325359 33 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.ReportMsiEnd
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Process created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" 95fbc98a-3c27-44ae-84cf-9e3acc292491 "e8d80795-1e07-47b3-9c87-186f671b6a15" agent-api.atera.com/Production 443 or8ixLi90Mf "minimalIdentification" 001Q300000Kh41eIAB
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Process created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" 95fbc98a-3c27-44ae-84cf-9e3acc292491 "84e6126d-3464-4d76-9c19-0160eafb16a0" agent-api.atera.com/Production 443 or8ixLi90Mf "minimalIdentification" 001Q300000Kh41eIAB
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Process created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" 95fbc98a-3c27-44ae-84cf-9e3acc292491 "e3e24934-4319-48e9-bf87-d4583f7e9574" agent-api.atera.com/Production 443 or8ixLi90Mf "minimalIdentification" 001Q300000Kh41eIAB
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Process created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" 95fbc98a-3c27-44ae-84cf-9e3acc292491 "bafe3b2c-3bd0-4df3-abe5-6f6b048de27b" agent-api.atera.com/Production 443 or8ixLi90Mf "minimalIdentification" 001Q300000Kh41eIAB
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Process created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" 95fbc98a-3c27-44ae-84cf-9e3acc292491 "5da68ded-3041-4a37-bb29-975445cce246" agent-api.atera.com/Production 443 or8ixLi90Mf "minimalIdentification" 001Q300000Kh41eIAB
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\msiexec.exe Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 3D043D01D69573A731BD32BF0EBA042E Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding ED6036EDFA306B6AD29B763B80D7974F E Global\MSI0000 Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process created: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe" /i /IntegratorLogin="1vf5mpi5iyis@upsnab.net" /CompanyId="1" /IntegratorLoginUI="" /CompanyIdUI="" /FolderId="" /AccountId="001Q300000Kh41eIAB" /AgentId="95fbc98a-3c27-44ae-84cf-9e3acc292491" Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Windows\Installer\MSIC4F9.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_4310406 2 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.GenerateAgentId Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Windows\Installer\MSICAE6.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_4311812 6 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.ReportMsiStart Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Windows\Installer\MSIE1CA.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_4317703 11 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.ShouldContinueInstallation Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Windows\Installer\MSIFFD7.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_4325359 33 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.ReportMsiEnd Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Windows\SysWOW64\net.exe "NET" STOP AteraAgent Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Windows\SysWOW64\taskkill.exe "TaskKill.exe" /f /im AteraAgent.exe Jump to behavior
Source: C:\Windows\SysWOW64\net.exe Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 STOP AteraAgent Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Process created: C:\Windows\System32\sc.exe "C:\Windows\System32\sc.exe" failure AteraAgent reset= 600 actions= restart/25000
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Process created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" 95fbc98a-3c27-44ae-84cf-9e3acc292491 "e8d80795-1e07-47b3-9c87-186f671b6a15" agent-api.atera.com/Production 443 or8ixLi90Mf "minimalIdentification" 001Q300000Kh41eIAB
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Process created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" 95fbc98a-3c27-44ae-84cf-9e3acc292491 "84e6126d-3464-4d76-9c19-0160eafb16a0" agent-api.atera.com/Production 443 or8ixLi90Mf "minimalIdentification" 001Q300000Kh41eIAB
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Process created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" 95fbc98a-3c27-44ae-84cf-9e3acc292491 "e3e24934-4319-48e9-bf87-d4583f7e9574" agent-api.atera.com/Production 443 or8ixLi90Mf "minimalIdentification" 001Q300000Kh41eIAB
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Process created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" 95fbc98a-3c27-44ae-84cf-9e3acc292491 "bafe3b2c-3bd0-4df3-abe5-6f6b048de27b" agent-api.atera.com/Production 443 or8ixLi90Mf "minimalIdentification" 001Q300000Kh41eIAB
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Process created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" 95fbc98a-3c27-44ae-84cf-9e3acc292491 "5da68ded-3041-4a37-bb29-975445cce246" agent-api.atera.com/Production 443 or8ixLi90Mf "minimalIdentification" 001Q300000Kh41eIAB
Source: C:\Windows\System32\msiexec.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: aclayers.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: sfc.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: sfc_os.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: msi.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: srpapi.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: tsappcmp.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: textinputframework.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: coreuicomponents.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: textshaping.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: netapi32.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: wkscli.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: msisip.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: msihnd.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: pcacli.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: aclayers.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: sfc.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: sfc_os.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: msi.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: tsappcmp.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: netapi32.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: wkscli.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: srclient.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: spp.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: powrprof.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: vssapi.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: vsstrace.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: umpdc.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: msisip.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: rstrtmgr.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: pcacli.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: cabinet.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: aclayers.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: sfc.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: sfc_os.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: msi.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: cabinet.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: cabinet.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: cabinet.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: cabinet.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: aclayers.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: sfc.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: sfc_os.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: msi.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\SysWOW64\net.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Windows\SysWOW64\net.exe Section loaded: wkscli.dll Jump to behavior
Source: C:\Windows\SysWOW64\net.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\net.exe Section loaded: samcli.dll Jump to behavior
Source: C:\Windows\SysWOW64\net.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\SysWOW64\net.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\net1.exe Section loaded: samcli.dll Jump to behavior
Source: C:\Windows\SysWOW64\net1.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\net1.exe Section loaded: dsrole.dll Jump to behavior
Source: C:\Windows\SysWOW64\net1.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\SysWOW64\net1.exe Section loaded: wkscli.dll Jump to behavior
Source: C:\Windows\SysWOW64\net1.exe Section loaded: logoncli.dll Jump to behavior
Source: C:\Windows\SysWOW64\net1.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: framedynos.dll Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: dbghelp.dll Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: winsta.dll Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Section loaded: version.dll Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Section loaded: riched20.dll Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Section loaded: usp10.dll Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Section loaded: msls31.dll Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Section loaded: cryptnet.dll Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Section loaded: dhcpcsvc6.dll Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Section loaded: webio.dll Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Section loaded: mscoree.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Section loaded: version.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Section loaded: windows.storage.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Section loaded: wldp.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Section loaded: profapi.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Section loaded: cryptsp.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Section loaded: rsaenh.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Section loaded: propsys.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Section loaded: edputil.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Section loaded: urlmon.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Section loaded: iertutil.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Section loaded: srvcli.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Section loaded: netutils.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Section loaded: sspicli.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Section loaded: wintypes.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Section loaded: appresolver.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Section loaded: bcp47langs.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Section loaded: slc.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Section loaded: userenv.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Section loaded: sppc.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Section loaded: rasapi32.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Section loaded: rasman.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Section loaded: rtutils.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Section loaded: mswsock.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Section loaded: winhttp.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Section loaded: iphlpapi.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Section loaded: dhcpcsvc6.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Section loaded: dhcpcsvc.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Section loaded: dnsapi.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Section loaded: winnsi.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Section loaded: rasadhlp.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Section loaded: fwpuclnt.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Section loaded: secur32.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Section loaded: schannel.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Section loaded: mskeyprotect.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Section loaded: ntasn1.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Section loaded: ncrypt.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Section loaded: ncryptsslp.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Section loaded: msasn1.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Section loaded: gpapi.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Section loaded: wbemcomn.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Section loaded: amsi.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Section loaded: cryptnet.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Section loaded: webio.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Section loaded: apphelp.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Section loaded: mscoree.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Section loaded: apphelp.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Section loaded: version.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Section loaded: cryptsp.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Section loaded: rsaenh.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Section loaded: windows.storage.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Section loaded: wldp.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Section loaded: profapi.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Section loaded: wbemcomn.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Section loaded: amsi.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Section loaded: userenv.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Section loaded: rasapi32.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Section loaded: rasman.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Section loaded: rtutils.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Section loaded: mswsock.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Section loaded: winhttp.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Section loaded: iphlpapi.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Section loaded: dhcpcsvc6.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Section loaded: dhcpcsvc.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Section loaded: dnsapi.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Section loaded: winnsi.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Section loaded: rasadhlp.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Section loaded: fwpuclnt.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Section loaded: secur32.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Section loaded: sspicli.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Section loaded: schannel.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Section loaded: mskeyprotect.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Section loaded: ntasn1.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Section loaded: ncrypt.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Section loaded: ncryptsslp.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Section loaded: msasn1.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Section loaded: gpapi.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Section loaded: mscoree.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Section loaded: version.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Section loaded: cryptsp.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Section loaded: rsaenh.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Section loaded: windows.storage.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Section loaded: wldp.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Section loaded: profapi.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Section loaded: wbemcomn.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Section loaded: amsi.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Section loaded: userenv.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Section loaded: rasapi32.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Section loaded: rasman.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Section loaded: rtutils.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Section loaded: mswsock.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Section loaded: winhttp.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Section loaded: iphlpapi.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Section loaded: dhcpcsvc6.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Section loaded: dhcpcsvc.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Section loaded: dnsapi.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Section loaded: winnsi.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Section loaded: rasadhlp.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Section loaded: fwpuclnt.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Section loaded: secur32.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Section loaded: sspicli.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Section loaded: schannel.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Section loaded: mskeyprotect.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Section loaded: ntasn1.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Section loaded: ncrypt.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Section loaded: ncryptsslp.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Section loaded: msasn1.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Section loaded: gpapi.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Section loaded: mscoree.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Section loaded: version.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Section loaded: cryptsp.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Section loaded: rsaenh.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Section loaded: windows.storage.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Section loaded: wldp.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Section loaded: profapi.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Section loaded: wbemcomn.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Section loaded: amsi.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Section loaded: userenv.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Section loaded: rasapi32.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Section loaded: rasman.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Section loaded: rtutils.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Section loaded: mswsock.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Section loaded: winhttp.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Section loaded: iphlpapi.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Section loaded: dhcpcsvc6.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Section loaded: dhcpcsvc.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Section loaded: dnsapi.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Section loaded: winnsi.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Section loaded: rasadhlp.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Section loaded: fwpuclnt.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Section loaded: secur32.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Section loaded: sspicli.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Section loaded: schannel.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Section loaded: mskeyprotect.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Section loaded: ntasn1.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Section loaded: ncrypt.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Section loaded: ncryptsslp.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Section loaded: msasn1.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Section loaded: gpapi.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Section loaded: mscoree.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Section loaded: version.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Section loaded: cryptsp.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Section loaded: rsaenh.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Section loaded: windows.storage.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Section loaded: wldp.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Section loaded: profapi.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Section loaded: wbemcomn.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Section loaded: amsi.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Section loaded: userenv.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Section loaded: rasapi32.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Section loaded: rasman.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Section loaded: rtutils.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Section loaded: mswsock.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Section loaded: winhttp.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Section loaded: iphlpapi.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Section loaded: dhcpcsvc6.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Section loaded: dhcpcsvc.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Section loaded: dnsapi.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Section loaded: winnsi.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Section loaded: rasadhlp.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Section loaded: fwpuclnt.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Section loaded: secur32.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Section loaded: sspicli.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Section loaded: schannel.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Section loaded: mskeyprotect.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Section loaded: ntasn1.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Section loaded: ncrypt.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Section loaded: ncryptsslp.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Section loaded: msasn1.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Section loaded: gpapi.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Section loaded: mscoree.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Section loaded: version.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Section loaded: cryptsp.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Section loaded: rsaenh.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Section loaded: windows.storage.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Section loaded: wldp.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Section loaded: profapi.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Section loaded: wbemcomn.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Section loaded: amsi.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Section loaded: userenv.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Section loaded: rasapi32.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Section loaded: rasman.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Section loaded: rtutils.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Section loaded: mswsock.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Section loaded: winhttp.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Section loaded: iphlpapi.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Section loaded: dhcpcsvc6.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Section loaded: dhcpcsvc.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Section loaded: dnsapi.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Section loaded: winnsi.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Section loaded: rasadhlp.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Section loaded: fwpuclnt.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Section loaded: secur32.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Section loaded: sspicli.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Section loaded: schannel.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Section loaded: mskeyprotect.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Section loaded: ntasn1.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Section loaded: ncrypt.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Section loaded: ncryptsslp.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Section loaded: msasn1.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\rundll32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32 Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File written: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.ini
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: registration.msi Static file information: File size 2994176 > 1048576
Source: Binary string: D:\a\1\s\AgentPackageAgentInformation\AgentPackageAgentInformation\obj\Release\AgentPackageAgentInformation.pdb source: AgentPackageAgentInformation.exe, 00000014.00000000.2580452917.000001FE48962000.00000002.00000001.01000000.00000016.sdmp, AgentPackageAgentInformation.exe.15.dr
Source: Binary string: D:\a\1\s\AlphaControlAgentInstallation\obj\Release\AlphaControlAgentInstallation.pdb source: rundll32.exe, 00000004.00000003.2279701962.0000000004C02000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2291421210.0000000004400000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.2338894865.00000000029A5000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.2347431568.0000000007033000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2350193018.0000000004B8F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000002.2481662391.0000000002C85000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2427395376.00000000046FC000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000002.2484645083.0000000007330000.00000004.00000020.00020000.00000000.sdmp, AlphaControlAgentInstallation.dll.5.dr, AlphaControlAgentInstallation.dll.6.dr, AlphaControlAgentInstallation.dll.18.dr, AlphaControlAgentInstallation.dll.4.dr
Source: Binary string: \??\C:\Windows\symbols\dll\AlphaControlAgentInstallation.pdb source: rundll32.exe, 00000005.00000002.2338894865.0000000002A16000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\AlphaControlAgentInstallation.pdbCn source: rundll32.exe, 00000012.00000002.2481662391.0000000002C85000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: /_/Src/Newtonsoft.Json/obj/Release/net45/Newtonsoft.Json.pdbSHA256 source: AgentPackageAgentInformation.exe, 00000016.00000002.2620350123.000002A86664B000.00000002.00000001.01000000.00000019.sdmp, Newtonsoft.Json.dll.15.dr
Source: Binary string: \??\C:\Windows\symbols\dll\System.pdbpH source: rundll32.exe, 00000005.00000002.2347431568.0000000007022000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\a\1\s\AlphaControlAgent\obj\Release\AteraAgent.pdb<$ source: AteraAgent.exe, 0000000D.00000000.2366604814.000001D0B8FF2000.00000002.00000001.01000000.0000000F.sdmp, AteraAgent.exe.2.dr
Source: Binary string: System.pdbN|2h|2 Z|2_CorDllMainmscoree.dll source: rundll32.exe, 00000005.00000002.2347431568.0000000007022000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: /_/Src/Newtonsoft.Json/obj/Release/net45/Newtonsoft.Json.pdb source: rundll32.exe, 00000004.00000003.2279701962.0000000004C33000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2291421210.0000000004431000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2350193018.0000000004BC0000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.4750635024.0000025E6EB92000.00000002.00000001.01000000.0000001A.sdmp, rundll32.exe, 00000012.00000003.2427395376.000000000472D000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000016.00000002.2620350123.000002A86664B000.00000002.00000001.01000000.00000019.sdmp, Newtonsoft.Json.dll.6.dr, Newtonsoft.Json.dll.4.dr, Newtonsoft.Json.dll.2.dr, Newtonsoft.Json.dll.5.dr, Newtonsoft.Json.dll.15.dr, Newtonsoft.Json.dll.18.dr
Source: Binary string: l\System.pdb source: rundll32.exe, 00000012.00000002.2481662391.0000000002CFE000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Windows\AlphaControlAgentInstallation.pdbpdbion.pdb source: rundll32.exe, 00000012.00000002.2481662391.0000000002CFE000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\a\1\s\Atera.AgentPackage.Common\obj\Release\Atera.AgentPackage.Common.pdb source: AgentPackageAgentInformation.exe, 00000014.00000002.2619260815.000001FE49192000.00000002.00000001.01000000.00000018.sdmp, Atera.AgentPackage.Common.dll.15.dr
Source: Binary string: E:\A\_work\39\s\corefx\bin\obj\AnyOS.AnyCPU.Release\System.ValueTuple\netstandard1.0\System.ValueTuple.pdb source: System.ValueTuple.dll.2.dr
Source: Binary string: \??\C:\Windows\dll\AlphaControlAgentInstallation.pdbCDSD source: rundll32.exe, 00000005.00000002.2347431568.0000000007022000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Windows\AlphaControlAgentInstallation.pdbpdbion.pdbD\Enco source: rundll32.exe, 00000005.00000002.2338894865.0000000002A20000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\AlphaControlAgentInstallation.pdb source: rundll32.exe, 00000005.00000002.2338894865.00000000029A5000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000002.2481662391.0000000002C85000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Installer\MSIFFD7.tmp-\AlphaControlAgentInstallation.PDBk.Q source: rundll32.exe, 00000012.00000002.2481662391.0000000002C85000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: m\C:\Windows\AlphaControlAgentInstallation.pdb source: rundll32.exe, 00000005.00000002.2338335084.00000000024D7000.00000004.00000010.00020000.00000000.sdmp, rundll32.exe, 00000012.00000002.2481375475.00000000027F7000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: C:\agent\_work\66\s\build\ship\x86\wixca.pdb source: registration.msi, MSIE596.tmp.2.dr, 41c382.msi.2.dr, MSIE6C0.tmp.2.dr, MSIE49B.tmp.2.dr
Source: Binary string: dows\dll\System.pdb source: rundll32.exe, 00000005.00000002.2338894865.0000000002A20000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000002.2481662391.0000000002CFE000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\System.pdb source: rundll32.exe, 00000005.00000002.2347431568.0000000007022000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000002.2484645083.0000000007330000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\agent\_work\66\s\build\obj\ship\x86\WindowsInstaller\Microsoft.Deployment.WindowsInstaller.pdbP source: rundll32.exe, 00000004.00000003.2279701962.0000000004C02000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2291421210.0000000004400000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2350193018.0000000004B8F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2427395376.00000000046FC000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Deployment.WindowsInstaller.dll.4.dr, Microsoft.Deployment.WindowsInstaller.dll.6.dr, Microsoft.Deployment.WindowsInstaller.dll.18.dr
Source: Binary string: D:\a\1\s\Atera.AgentPackage.Common\obj\Release\Atera.AgentPackage.Common.pdbPf source: AgentPackageAgentInformation.exe, 00000014.00000002.2619260815.000001FE49192000.00000002.00000001.01000000.00000018.sdmp, Atera.AgentPackage.Common.dll.15.dr
Source: Binary string: \??\C:\Windows\dll\AlphaControlAgentInstallation.pdb source: rundll32.exe, 00000005.00000002.2347431568.0000000007022000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.pdb source: rundll32.exe, 00000005.00000002.2347431568.0000000007022000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Installer\MSIFFD7.tmp-\AlphaControlAgentInstallation.pdb source: rundll32.exe, 00000012.00000002.2481662391.0000000002C85000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: BouncyCastle.Crypto.pdbSHA256 source: BouncyCastle.Crypto.dll.2.dr
Source: Binary string: C:\agent\_work\66\s\build\obj\ship\x86\WindowsInstaller\Microsoft.Deployment.WindowsInstaller.pdb source: rundll32.exe, 00000004.00000003.2279701962.0000000004C02000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2291421210.0000000004400000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2350193018.0000000004B8F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2427395376.00000000046FC000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Deployment.WindowsInstaller.dll.4.dr, Microsoft.Deployment.WindowsInstaller.dll.6.dr, Microsoft.Deployment.WindowsInstaller.dll.18.dr
Source: Binary string: \??\C:\Windows\System.pdbalth source: rundll32.exe, 00000012.00000002.2484645083.0000000007330000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\a\1\s\AlphaControlAgent\obj\Release\AteraAgent.pdb source: AteraAgent.exe, 0000000D.00000000.2366604814.000001D0B8FF2000.00000002.00000001.01000000.0000000F.sdmp, AteraAgent.exe.2.dr
Source: Binary string: \??\C:\Windows\symbols\dll\AlphaControlAgentInstallation.pdbs[F source: rundll32.exe, 00000012.00000002.2481662391.0000000002CEB000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: E:\A\_work\39\s\corefx\bin\obj\AnyOS.AnyCPU.Release\System.ValueTuple\netstandard1.0\System.ValueTuple.pdbSHA256 source: System.ValueTuple.dll.2.dr
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdb source: rundll32.exe, 00000005.00000002.2338894865.0000000002A20000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000002.2481662391.0000000002C85000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\a\c-sharp\c-sharp\src\Api\PubnubApi\obj\Release\net45\Pubnub.pdbSHA256 source: AteraAgent.exe, 0000000D.00000002.2421806948.000001D0D3562000.00000002.00000001.01000000.00000011.sdmp, Pubnub.dll.2.dr
Source: Binary string: \??\C:\Windows\AlphaControlAgentInstallation.pdbviderW source: rundll32.exe, 00000005.00000002.2338894865.00000000029A5000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\a\c-sharp\c-sharp\src\Api\PubnubApi\obj\Release\net45\Pubnub.pdb source: AteraAgent.exe, 0000000D.00000002.2421806948.000001D0D3562000.00000002.00000001.01000000.00000011.sdmp, Pubnub.dll.2.dr
Source: Binary string: \??\C:\Windows\symbols\dll\System.pdbeH*c% source: rundll32.exe, 00000005.00000002.2347431568.0000000007022000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: mC:\Windows\Installer\MSICAE6.tmp-\AlphaControlAgentInstallation.pdbU source: rundll32.exe, 00000005.00000002.2338335084.00000000024D7000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: C:\agent\_work\66\s\build\ship\x86\SfxCA.pdb source: registration.msi, 41c382.msi.2.dr, MSIC4F9.tmp.2.dr, MSIFFD7.tmp.2.dr, MSICAE6.tmp.2.dr
Source: Binary string: /_/src/ICSharpCode.SharpZipLib/obj/Release/net45/ICSharpCode.SharpZipLib.pdbSHA256mW source: AteraAgent.exe, 0000000F.00000002.4753488973.0000025E6F162000.00000002.00000001.01000000.0000001B.sdmp, ICSharpCode.SharpZipLib.dll.2.dr
Source: Binary string: /_/src/ICSharpCode.SharpZipLib/obj/Release/net45/ICSharpCode.SharpZipLib.pdb source: AteraAgent.exe, 0000000F.00000002.4753488973.0000025E6F162000.00000002.00000001.01000000.0000001B.sdmp, ICSharpCode.SharpZipLib.dll.2.dr
Source: Binary string: BouncyCastle.Crypto.pdb source: BouncyCastle.Crypto.dll.2.dr
Source: Binary string: /_/Src/Newtonsoft.Json/obj/Release/net45/Newtonsoft.Json.pdbSHA2567 source: rundll32.exe, 00000004.00000003.2279701962.0000000004C33000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2291421210.0000000004431000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2350193018.0000000004BC0000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.4750635024.0000025E6EB92000.00000002.00000001.01000000.0000001A.sdmp, rundll32.exe, 00000012.00000003.2427395376.000000000472D000.00000004.00000020.00020000.00000000.sdmp, Newtonsoft.Json.dll.6.dr, Newtonsoft.Json.dll.4.dr, Newtonsoft.Json.dll.2.dr, Newtonsoft.Json.dll.5.dr, Newtonsoft.Json.dll.18.dr
Source: Binary string: \??\C:\Windows\Installer\MSICAE6.tmp-\AlphaControlAgentInstallation.pdb4 source: rundll32.exe, 00000005.00000002.2338894865.00000000029A5000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: mC:\Windows\Installer\MSIFFD7.tmp-\AlphaControlAgentInstallation.pdb source: rundll32.exe, 00000012.00000002.2481375475.00000000027F7000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\symbols\dll\AlphaControlAgentInstallation.pdbes source: rundll32.exe, 00000012.00000002.2481662391.0000000002CEB000.00000004.00000020.00020000.00000000.sdmp
Binary contains a suspicious time stamp
Source: BouncyCastle.Crypto.dll.2.dr Static PE information: 0xE49A52B3 [Sun Jul 15 06:22:43 2091 UTC]
Uses code obfuscation techniques (call, push, ret)
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Code function: 15_2_00007FFD343A5835 push esp; retn 5F2Eh 15_2_00007FFD343A62D9
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Code function: 15_2_00007FFD343A7BCD push ss; ret 15_2_00007FFD343A7C17
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Code function: 15_2_00007FFD343A63E8 push eax; ret 15_2_00007FFD343A6444
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_3_06DB84A1 push es; ret 18_3_06DB84B0
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Code function: 20_2_00007FFD341D5587 push ebp; iretd 20_2_00007FFD341D55D8
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Code function: 22_2_00007FFD341C5587 push ebp; iretd 22_2_00007FFD341C55D8
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Code function: 28_2_00007FFD341C5587 push ebp; iretd 28_2_00007FFD341C55D8

Persistence and Installation Behavior
barindex
Creates files in the system32 config directory
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141 Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141 Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EC9B1D0ABBD7F98B401D425828828CE_DEB07B5578A606ED6489DDA2E357A944 Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EC9B1D0ABBD7F98B401D425828828CE_DEB07B5578A606ED6489DDA2E357A944 Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C56C4404C4DEF0DC88E5FCD9F09CB2F1
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C56C4404C4DEF0DC88E5FCD9F09CB2F1
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F2E248BEDDBB2D85122423C41028BFD4
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F2E248BEDDBB2D85122423C41028BFD4
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\BA74182F76F15A9CF514DEF352303C95
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\BA74182F76F15A9CF514DEF352303C95
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\1A374813EDB1A6631387E414D3E73232
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\1A374813EDB1A6631387E414D3E73232
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\329B6147266C1E26CD774EA22B79EC2E
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\329B6147266C1E26CD774EA22B79EC2E
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe File created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\AgentPackageAgentInformation.exe.log
Drops PE files
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\Installer\MSIC4F9.tmp-\System.Management.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSICAE6.tmp Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSIFFD7.tmp Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\Installer\MSICAE6.tmp-\AlphaControlAgentInstallation.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\Installer\MSIC4F9.tmp-\AlphaControlAgentInstallation.dll Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\Installer\MSICAE6.tmp-\Newtonsoft.Json.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\BouncyCastle.Crypto.dll Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\Installer\MSIE1CA.tmp-\System.Management.dll Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\Installer\MSICAE6.tmp-\System.Management.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSIE596.tmp Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\Installer\MSIFFD7.tmp-\Newtonsoft.Json.dll Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\Installer\MSIFFD7.tmp-\AlphaControlAgentInstallation.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\ICSharpCode.SharpZipLib.dll Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\Installer\MSIC4F9.tmp-\Microsoft.Deployment.WindowsInstaller.dll Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\Installer\MSIE1CA.tmp-\AlphaControlAgentInstallation.dll Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSIE6C0.tmp Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Newtonsoft.Json.dll Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\Installer\MSIFFD7.tmp-\System.Management.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSIE1CA.tmp Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Newtonsoft.Json.dll Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Atera.AgentPackage.Common.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSIE49B.tmp Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\System.ValueTuple.dll Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\Installer\MSIFFD7.tmp-\Microsoft.Deployment.WindowsInstaller.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSIC4F9.tmp Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\Installer\MSIE1CA.tmp-\Microsoft.Deployment.WindowsInstaller.dll Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\Installer\MSIE1CA.tmp-\Newtonsoft.Json.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Pubnub.dll Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\Installer\MSIC4F9.tmp-\Newtonsoft.Json.dll Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\Installer\MSICAE6.tmp-\Microsoft.Deployment.WindowsInstaller.dll Jump to dropped file
Drops PE files to the windows directory (C:\Windows)
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\Installer\MSIC4F9.tmp-\System.Management.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSICAE6.tmp Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSIFFD7.tmp Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\Installer\MSIFFD7.tmp-\Microsoft.Deployment.WindowsInstaller.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSIC4F9.tmp Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\Installer\MSICAE6.tmp-\AlphaControlAgentInstallation.dll Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\Installer\MSIE1CA.tmp-\Microsoft.Deployment.WindowsInstaller.dll Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\Installer\MSIC4F9.tmp-\AlphaControlAgentInstallation.dll Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\Installer\MSICAE6.tmp-\Newtonsoft.Json.dll Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\Installer\MSIE1CA.tmp-\Newtonsoft.Json.dll Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\Installer\MSIE1CA.tmp-\System.Management.dll Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\Installer\MSICAE6.tmp-\System.Management.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSIE596.tmp Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\Installer\MSIFFD7.tmp-\Newtonsoft.Json.dll Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\Installer\MSIFFD7.tmp-\AlphaControlAgentInstallation.dll Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\Installer\MSIC4F9.tmp-\Microsoft.Deployment.WindowsInstaller.dll Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\Installer\MSIC4F9.tmp-\Newtonsoft.Json.dll Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\Installer\MSIE1CA.tmp-\AlphaControlAgentInstallation.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSIE6C0.tmp Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\Installer\MSICAE6.tmp-\Microsoft.Deployment.WindowsInstaller.dll Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\Installer\MSIFFD7.tmp-\System.Management.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSIE1CA.tmp Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSIE49B.tmp Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Windows\system32\InstallUtil.InstallLog Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.InstallLog Jump to behavior
Creates or modifies windows services
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Registry key created: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Application Jump to behavior
Uses net.exe to stop services
Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Windows\SysWOW64\net.exe "NET" STOP AteraAgent
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Process created: C:\Windows\System32\sc.exe "C:\Windows\System32\sc.exe" failure AteraAgent reset= 600 actions= restart/25000
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Registry key monitored for changes: HKEY_USERS.DEFAULT\Software\Classes
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Registry key monitored for changes: HKEY_USERS.DEFAULT\Software\Microsoft\SystemCertificates\CA
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
Stores large binary data to the registry
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Key value created or modified: HKEY_USERS.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates\7B0F360B775F76C94A12CA48445AA2D2A875701C Blob
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion
barindex
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_NetworkAdapter
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_NetworkAdapter
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_NetworkAdapter
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_NetworkAdapter
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_NetworkAdapter
Allocates memory with a write watch (potentially for evading sandboxes)
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Memory allocated: 1D0BAB00000 memory reserve | memory write watch Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Memory allocated: 1D0D2D60000 memory reserve | memory write watch Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Memory allocated: 25E6DF80000 memory reserve | memory write watch
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Memory allocated: 25E6E1D0000 memory reserve | memory write watch
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Memory allocated: 1FE48CB0000 memory reserve | memory write watch
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Memory allocated: 1FE61230000 memory reserve | memory write watch
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Memory allocated: 2A865E90000 memory reserve | memory write watch
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Memory allocated: 2A87E690000 memory reserve | memory write watch
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Memory allocated: 140BF420000 memory reserve | memory write watch
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Memory allocated: 140D7B70000 memory reserve | memory write watch
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Memory allocated: 1AD7B350000 memory reserve | memory write watch
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Memory allocated: 1AD7B5B0000 memory reserve | memory write watch
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Memory allocated: 1BB81760000 memory reserve | memory write watch
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Memory allocated: 1BB99820000 memory reserve | memory write watch
Contains long sleeps (>= 3 min)
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Thread delayed: delay time: 922337203685477
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Window / User API: threadDelayed 5908
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Window / User API: threadDelayed 3780
Found dropped PE file which has not been started or loaded
Source: C:\Windows\SysWOW64\rundll32.exe Dropped PE file which has not been started: C:\Windows\Installer\MSIC4F9.tmp-\System.Management.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\MSICAE6.tmp Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\MSIFFD7.tmp Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe Dropped PE file which has not been started: C:\Windows\Installer\MSICAE6.tmp-\AlphaControlAgentInstallation.dll Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe Dropped PE file which has not been started: C:\Windows\Installer\MSICAE6.tmp-\Newtonsoft.Json.dll Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe Dropped PE file which has not been started: C:\Windows\Installer\MSIC4F9.tmp-\AlphaControlAgentInstallation.dll Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe Dropped PE file which has not been started: C:\Windows\Installer\MSIE1CA.tmp-\System.Management.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\BouncyCastle.Crypto.dll Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe Dropped PE file which has not been started: C:\Windows\Installer\MSICAE6.tmp-\System.Management.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\MSIE596.tmp Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe Dropped PE file which has not been started: C:\Windows\Installer\MSIFFD7.tmp-\Newtonsoft.Json.dll Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe Dropped PE file which has not been started: C:\Windows\Installer\MSIFFD7.tmp-\AlphaControlAgentInstallation.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\ICSharpCode.SharpZipLib.dll Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe Dropped PE file which has not been started: C:\Windows\Installer\MSIC4F9.tmp-\Microsoft.Deployment.WindowsInstaller.dll Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe Dropped PE file which has not been started: C:\Windows\Installer\MSIE1CA.tmp-\AlphaControlAgentInstallation.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\MSIE6C0.tmp Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe Dropped PE file which has not been started: C:\Windows\Installer\MSIFFD7.tmp-\System.Management.dll Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Newtonsoft.Json.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\MSIE1CA.tmp Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Newtonsoft.Json.dll Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Atera.AgentPackage.Common.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\MSIE49B.tmp Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\System.ValueTuple.dll Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe Dropped PE file which has not been started: C:\Windows\Installer\MSIFFD7.tmp-\Microsoft.Deployment.WindowsInstaller.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\MSIC4F9.tmp Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe Dropped PE file which has not been started: C:\Windows\Installer\MSIE1CA.tmp-\Microsoft.Deployment.WindowsInstaller.dll Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe Dropped PE file which has not been started: C:\Windows\Installer\MSIE1CA.tmp-\Newtonsoft.Json.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Pubnub.dll Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe Dropped PE file which has not been started: C:\Windows\Installer\MSIC4F9.tmp-\Newtonsoft.Json.dll Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe Dropped PE file which has not been started: C:\Windows\Installer\MSICAE6.tmp-\Microsoft.Deployment.WindowsInstaller.dll Jump to dropped file
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\SysWOW64\rundll32.exe TID: 1048 Thread sleep time: -30000s >= -30000s Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe TID: 4916 Thread sleep time: -60000s >= -30000s Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe TID: 3856 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe TID: 3916 Thread sleep count: 5908 > 30
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe TID: 3916 Thread sleep count: 3780 > 30
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe TID: 3424 Thread sleep time: -27670116110564310s >= -30000s
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe TID: 3424 Thread sleep time: -30000s >= -30000s
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe TID: 3908 Thread sleep time: -160000s >= -30000s
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe TID: 3460 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe TID: 2632 Thread sleep time: -180000s >= -30000s
Source: C:\Windows\SysWOW64\rundll32.exe TID: 3560 Thread sleep time: -30000s >= -30000s
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 2736 Thread sleep time: -30000s >= -30000s
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 528 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 3856 Thread sleep time: -30000s >= -30000s
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 5984 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 6272 Thread sleep time: -30000s >= -30000s
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 6228 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 5544 Thread sleep time: -30000s >= -30000s
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 6816 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 6600 Thread sleep time: -30000s >= -30000s
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 6872 Thread sleep time: -922337203685477s >= -30000s
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select Manufacturer,Model,Product from Win32_BaseBoard
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select Manufacturer,Model,Product from Win32_BaseBoard
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select Manufacturer,Model,Product from Win32_BaseBoard
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select Manufacturer,Model,Product from Win32_BaseBoard
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select Manufacturer,Model,Product from Win32_BaseBoard
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select Name from Win32_Processor
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select Name from Win32_Processor
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select Name from Win32_Processor
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select Name from Win32_Processor
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select Name from Win32_Processor
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\msiexec.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Windows\System32\msiexec.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Windows\System32\msiexec.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Windows\System32\msiexec.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Windows\System32\msiexec.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Windows\System32\msiexec.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Windows\System32\msiexec.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Thread delayed: delay time: 30000
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Thread delayed: delay time: 90000
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Thread delayed: delay time: 922337203685477
Source: AgentPackageAgentInformation.exe.15.dr Binary or memory string: VIRUSfighterAVMware Carbon Black Cloud Sensor7VMware Carbon Black Defense/VMware Carbon Black EDR9VMware Carbon Black Response
Source: AteraAgent.exe, 0000000D.00000002.2421031200.000001D0D3456000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWy
Source: rundll32.exe, 00000005.00000002.2338894865.00000000029A5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllE
Source: AteraAgent.exe, 0000000D.00000002.2421031200.000001D0D34A2000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2421644078.000001D0D3508000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.4752793452.0000025E6EEBF000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.4751349828.0000025E6ED90000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000F.00000002.4749463408.0000025E6EA16000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: rundll32.exe, 00000012.00000002.2481662391.0000000002CEB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll_
Source: AgentPackageAgentInformation.exe, 00000016.00000002.2622542934.000002A87EDA4000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000018.00000002.3594676715.00000140D832A000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000001A.00000002.3794289217.000001AD7BE21000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000001C.00000002.3989509307.000001BB9A19A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: AgentPackageAgentInformation.exe, 00000014.00000002.2621254823.000001FE61AB0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll__
Source: C:\Windows\System32\msiexec.exe Process information queried: ProcessInformation Jump to behavior
Enables debug privileges
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Process token adjusted: Debug
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Process token adjusted: Debug
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Process token adjusted: Debug
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Process token adjusted: Debug
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Process token adjusted: Debug
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: page read and write | page guard Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\System32\msiexec.exe Process created: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe" /i /IntegratorLogin="1vf5mpi5iyis@upsnab.net" /CompanyId="1" /IntegratorLoginUI="" /CompanyIdUI="" /FolderId="" /AccountId="001Q300000Kh41eIAB" /AgentId="95fbc98a-3c27-44ae-84cf-9e3acc292491" Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Windows\SysWOW64\net.exe "NET" STOP AteraAgent Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Windows\SysWOW64\taskkill.exe "TaskKill.exe" /f /im AteraAgent.exe Jump to behavior
Source: C:\Windows\SysWOW64\net.exe Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 STOP AteraAgent Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Process created: C:\Windows\System32\sc.exe "C:\Windows\System32\sc.exe" failure AteraAgent reset= 600 actions= restart/25000
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Process created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" 95fbc98a-3c27-44ae-84cf-9e3acc292491 "e8d80795-1e07-47b3-9c87-186f671b6a15" agent-api.atera.com/Production 443 or8ixLi90Mf "minimalIdentification" 001Q300000Kh41eIAB
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Process created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" 95fbc98a-3c27-44ae-84cf-9e3acc292491 "84e6126d-3464-4d76-9c19-0160eafb16a0" agent-api.atera.com/Production 443 or8ixLi90Mf "minimalIdentification" 001Q300000Kh41eIAB
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Process created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" 95fbc98a-3c27-44ae-84cf-9e3acc292491 "e3e24934-4319-48e9-bf87-d4583f7e9574" agent-api.atera.com/Production 443 or8ixLi90Mf "minimalIdentification" 001Q300000Kh41eIAB
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Process created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" 95fbc98a-3c27-44ae-84cf-9e3acc292491 "bafe3b2c-3bd0-4df3-abe5-6f6b048de27b" agent-api.atera.com/Production 443 or8ixLi90Mf "minimalIdentification" 001Q300000Kh41eIAB
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Process created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" 95fbc98a-3c27-44ae-84cf-9e3acc292491 "5da68ded-3041-4a37-bb29-975445cce246" agent-api.atera.com/Production 443 or8ixLi90Mf "minimalIdentification" 001Q300000Kh41eIAB
Uses taskkill to terminate processes
Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Windows\SysWOW64\taskkill.exe "TaskKill.exe" /f /im AteraAgent.exe Jump to behavior
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Source: C:\Windows\System32\msiexec.exe Process created: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe "c:\program files (x86)\atera networks\ateraagent\ateraagent.exe" /i /integratorlogin="1vf5mpi5iyis@upsnab.net" /companyid="1" /integratorloginui="" /companyidui="" /folderid="" /accountid="001q300000kh41eiab" /agentid="95fbc98a-3c27-44ae-84cf-9e3acc292491"
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Process created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "c:\program files (x86)\atera networks\ateraagent\packages\agentpackageagentinformation\agentpackageagentinformation.exe" 95fbc98a-3c27-44ae-84cf-9e3acc292491 "e8d80795-1e07-47b3-9c87-186f671b6a15" agent-api.atera.com/production 443 or8ixli90mf "minimalidentification" 001q300000kh41eiab
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Process created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "c:\program files (x86)\atera networks\ateraagent\packages\agentpackageagentinformation\agentpackageagentinformation.exe" 95fbc98a-3c27-44ae-84cf-9e3acc292491 "84e6126d-3464-4d76-9c19-0160eafb16a0" agent-api.atera.com/production 443 or8ixli90mf "minimalidentification" 001q300000kh41eiab
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Process created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "c:\program files (x86)\atera networks\ateraagent\packages\agentpackageagentinformation\agentpackageagentinformation.exe" 95fbc98a-3c27-44ae-84cf-9e3acc292491 "e3e24934-4319-48e9-bf87-d4583f7e9574" agent-api.atera.com/production 443 or8ixli90mf "minimalidentification" 001q300000kh41eiab
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Process created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "c:\program files (x86)\atera networks\ateraagent\packages\agentpackageagentinformation\agentpackageagentinformation.exe" 95fbc98a-3c27-44ae-84cf-9e3acc292491 "bafe3b2c-3bd0-4df3-abe5-6f6b048de27b" agent-api.atera.com/production 443 or8ixli90mf "minimalidentification" 001q300000kh41eiab
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Process created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "c:\program files (x86)\atera networks\ateraagent\packages\agentpackageagentinformation\agentpackageagentinformation.exe" 95fbc98a-3c27-44ae-84cf-9e3acc292491 "5da68ded-3041-4a37-bb29-975445cce246" agent-api.atera.com/production 443 or8ixli90mf "minimalidentification" 001q300000kh41eiab
Source: C:\Windows\System32\msiexec.exe Process created: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe "c:\program files (x86)\atera networks\ateraagent\ateraagent.exe" /i /integratorlogin="1vf5mpi5iyis@upsnab.net" /companyid="1" /integratorloginui="" /companyidui="" /folderid="" /accountid="001q300000kh41eiab" /agentid="95fbc98a-3c27-44ae-84cf-9e3acc292491" Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Process created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "c:\program files (x86)\atera networks\ateraagent\packages\agentpackageagentinformation\agentpackageagentinformation.exe" 95fbc98a-3c27-44ae-84cf-9e3acc292491 "e8d80795-1e07-47b3-9c87-186f671b6a15" agent-api.atera.com/production 443 or8ixli90mf "minimalidentification" 001q300000kh41eiab
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Process created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "c:\program files (x86)\atera networks\ateraagent\packages\agentpackageagentinformation\agentpackageagentinformation.exe" 95fbc98a-3c27-44ae-84cf-9e3acc292491 "84e6126d-3464-4d76-9c19-0160eafb16a0" agent-api.atera.com/production 443 or8ixli90mf "minimalidentification" 001q300000kh41eiab
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Process created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "c:\program files (x86)\atera networks\ateraagent\packages\agentpackageagentinformation\agentpackageagentinformation.exe" 95fbc98a-3c27-44ae-84cf-9e3acc292491 "e3e24934-4319-48e9-bf87-d4583f7e9574" agent-api.atera.com/production 443 or8ixli90mf "minimalidentification" 001q300000kh41eiab
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Process created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "c:\program files (x86)\atera networks\ateraagent\packages\agentpackageagentinformation\agentpackageagentinformation.exe" 95fbc98a-3c27-44ae-84cf-9e3acc292491 "bafe3b2c-3bd0-4df3-abe5-6f6b048de27b" agent-api.atera.com/production 443 or8ixli90mf "minimalidentification" 001q300000kh41eiab
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Process created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "c:\program files (x86)\atera networks\ateraagent\packages\agentpackageagentinformation\agentpackageagentinformation.exe" 95fbc98a-3c27-44ae-84cf-9e3acc292491 "5da68ded-3041-4a37-bb29-975445cce246" agent-api.atera.com/production 443 or8ixli90mf "minimalidentification" 001q300000kh41eiab
Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\System32\msiexec.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\System32\msiexec.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\Windows\Installer\MSIC4F9.tmp-\Microsoft.Deployment.WindowsInstaller.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\Windows\Installer\MSIC4F9.tmp-\AlphaControlAgentInstallation.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\Windows\Installer\MSICAE6.tmp-\Microsoft.Deployment.WindowsInstaller.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\Windows\Installer\MSICAE6.tmp-\AlphaControlAgentInstallation.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\Windows\Installer\MSICAE6.tmp-\Newtonsoft.Json.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\Windows\Installer\MSIE1CA.tmp-\Microsoft.Deployment.WindowsInstaller.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\Windows\Installer\MSIE1CA.tmp-\AlphaControlAgentInstallation.dll VolumeInformation Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Queries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe VolumeInformation Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Queries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Pubnub.dll VolumeInformation Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Queries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe VolumeInformation
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Queries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Pubnub.dll VolumeInformation
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Queries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Newtonsoft.Json.dll VolumeInformation
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Queries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\ICSharpCode.SharpZipLib.dll VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\Windows\Installer\MSIFFD7.tmp-\Microsoft.Deployment.WindowsInstaller.dll VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\Windows\Installer\MSIFFD7.tmp-\AlphaControlAgentInstallation.dll VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\Windows\Installer\MSIFFD7.tmp-\Newtonsoft.Json.dll VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Queries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe VolumeInformation
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Queries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Newtonsoft.Json.dll VolumeInformation
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Queries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Atera.AgentPackage.Common.dll VolumeInformation
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Queries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe VolumeInformation
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Queries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Newtonsoft.Json.dll VolumeInformation
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Queries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe VolumeInformation
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Queries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Newtonsoft.Json.dll VolumeInformation
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Queries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Atera.AgentPackage.Common.dll VolumeInformation
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Queries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe VolumeInformation
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Queries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Newtonsoft.Json.dll VolumeInformation
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Queries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Atera.AgentPackage.Common.dll VolumeInformation
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Queries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe VolumeInformation
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Queries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Newtonsoft.Json.dll VolumeInformation
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Queries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Atera.AgentPackage.Common.dll VolumeInformation
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior
Adds / modifies Windows certificates
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Registry key created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4 Blob

Remote Access Functionality
barindex
Yara detected AteraAgent
Source: Yara match File source: 20.2.AgentPackageAgentInformation.exe.1fe49190000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.0.AteraAgent.exe.1d0b8ff0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.0.AgentPackageAgentInformation.exe.1fe48960000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000018.00000002.3591613381.00000140BF2C9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.4733388042.000000D20C6F5000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000002.3591758846.00000140BF2DB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000002.3592387002.00000140BF5B0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000002.3591758846.00000140BF30D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000002.2622426383.000002A87ED50000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000002.3978282360.000001BB81170000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.2619260815.000001FE49192000.00000002.00000001.01000000.00000018.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.2618394426.000001FE48A20000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.2420125262.000001D0BADE9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000002.2619167947.000002A865C98000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.2419340480.000001D0B928B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000002.3791226568.000001AD7AC9D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000002.3592707390.00000140BFBE3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.4747454234.0000025E6D89F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.2420125262.000001D0BAE12000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.2419340480.000001D0B92EA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.2619094670.000001FE48CD0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.2422257360.000001D0D375F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000000.2366604814.000001D0B8FF2000.00000002.00000001.01000000.0000000F.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.2621254823.000001FE61AB0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.4751349828.0000025E6ED9A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.4739839137.0000025E00566000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000002.3592707390.00000140BFBF3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000002.2621291158.000002A866713000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000002.3980162683.000001BB81821000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000002.3980162683.000001BB81893000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.2419340480.000001D0B92C1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000002.2619167947.000002A865C90000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.4748574493.0000025E6DA90000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000002.2621291158.000002A866703000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000002.2620139095.000002A866020000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.2619394288.000001FE492A3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.2291421210.0000000004400000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000002.3980162683.000001BB818A3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.4751349828.0000025E6EE6A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000002.2622805844.000002A87EE13000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.2420125262.000001D0BAE14000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000002.3591758846.00000140BF2FD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.2420125262.000001D0BAEDC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000002.3789368598.000001AD00047000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000002.3591613381.00000140BF2C0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.4739839137.0000025E0006B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000002.3791226568.000001AD7AC69000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000002.2619259032.000002A865CCC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000002.3978282360.000001BB811B5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.4739839137.0000025E007B7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000002.3792603364.000001AD7AF60000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000002.3789368598.000001AD000BF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.2419150017.000001D0B9220000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.2618394426.000001FE48A60000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.4747454234.0000025E6D860000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000002.3791226568.000001AD7AC9F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000003.2427395376.00000000046FC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.4747454234.0000025E6D8EA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000000.2580452917.000001FE48962000.00000002.00000001.01000000.00000016.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000002.3978282360.000001BB811F5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.2420125262.000001D0BADEC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.2420125262.000001D0BAE92000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.2619394288.000001FE492B3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.2423440628.00007FFD34254000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000002.2621291158.000002A8666D7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.2341611865.00000000047E4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.2419340480.000001D0B92A1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000002.2619259032.000002A865D13000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000002.2621291158.000002A86674F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.2618394426.000001FE48A66000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.4748462349.0000025E6D960000.00000004.00000020.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.4739839137.0000025E00242000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.2618394426.000001FE48AAC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000002.3789368598.000001AD00001000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000002.3979649317.000001BB81380000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.2419269606.000001D0B9260000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.2421031200.000001D0D3456000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000002.2619259032.000002A865CE0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000002.3980162683.000001BB818DF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000002.3791226568.000001AD7AC60000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.2422023619.000001D0D3700000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000002.3978282360.000001BB811AD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000002.3789368598.000001AD00073000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000002.3978282360.000001BB81179000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000003.2350193018.0000000004B8F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.4751349828.0000025E6EDB0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000002.3592707390.00000140BFBB7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.2420125262.000001D0BAE1A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000002.2621291158.000002A866691000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.2419269606.000001D0B9266000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.2419340480.000001D0B927F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000002.2619259032.000002A865CAB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.2279701962.0000000004C02000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.2420125262.000001D0BAEC6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.4747454234.0000025E6D8BF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000002.3591758846.00000140BF346000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.2483405814.0000000004A31000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.2483405814.0000000004AD4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000002.3980162683.000001BB81867000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000002.3791226568.000001AD7ACE6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000002.3989509307.000001BB9A15A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.4739839137.0000025E004C0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000002.3592707390.00000140BFC2F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000002.3789368598.000001AD00083000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000002.3592707390.00000140BFB71000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.2619394288.000001FE49231000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.2341611865.0000000004741000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.4739839137.0000025E00001000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.2420125262.000001D0BAD61000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 2032, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 4324, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 4084, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: AteraAgent.exe PID: 4064, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: AteraAgent.exe PID: 800, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 2084, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: AgentPackageAgentInformation.exe PID: 3524, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: AgentPackageAgentInformation.exe PID: 768, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: AgentPackageAgentInformation.exe PID: 5728, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: AgentPackageAgentInformation.exe PID: 4236, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: AgentPackageAgentInformation.exe PID: 2664, type: MEMORYSTR
Source: Yara match File source: C:\Windows\Temp\~DF3BCE62784648DF98.TMP, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.InstallLog, type: DROPPED
Source: Yara match File source: C:\Windows\Temp\~DF510E6906F6ABC59A.TMP, type: DROPPED
Source: Yara match File source: C:\Windows\Temp\~DF4630E950FA28A864.TMP, type: DROPPED
Source: Yara match File source: C:\Windows\Temp\~DFF883924653294067.TMP, type: DROPPED
Source: Yara match File source: C:\Windows\Temp\~DF21C9A09377CDFE9B.TMP, type: DROPPED
Source: Yara match File source: C:\Config.Msi\41c383.rbs, type: DROPPED
Source: Yara match File source: C:\Windows\Temp\~DF2D3E5DF2735593AB.TMP, type: DROPPED
Source: Yara match File source: C:\Windows\Installer\inprogressinstallinfo.ipi, type: DROPPED
Source: Yara match File source: C:\Windows\System32\InstallUtil.InstallLog, type: DROPPED
Source: Yara match File source: C:\Windows\Installer\MSIE1CA.tmp-\AlphaControlAgentInstallation.dll, type: DROPPED
Source: Yara match File source: C:\Windows\Installer\MSICAE6.tmp-\AlphaControlAgentInstallation.dll, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Atera.AgentPackage.Common.dll, type: DROPPED
Source: Yara match File source: C:\Windows\Installer\MSIC4F9.tmp-\AlphaControlAgentInstallation.dll, type: DROPPED
Source: Yara match File source: C:\Windows\Installer\MSIFFD7.tmp-\AlphaControlAgentInstallation.dll, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe, type: DROPPED
Source: Yara match File source: C:\Windows\Installer\MSIE49A.tmp, type: DROPPED
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1561803 Sample: registration.msi Startdate: 24/11/2024 Architecture: WINDOWS Score: 88 97 windowsupdatebg.s.llnwi.net 2->97 99 ps.pndsn.com 2->99 101 6 other IPs or domains 2->101 109 Multi AV Scanner detection for dropped file 2->109 111 Multi AV Scanner detection for submitted file 2->111 113 Yara detected AteraAgent 2->113 115 3 other signatures 2->115 9 msiexec.exe 82 43 2->9         started        12 AteraAgent.exe 2->12         started        16 msiexec.exe 5 2->16         started        signatures3 process4 dnsIp5 81 C:\Windows\Installer\MSIFFD7.tmp, PE32 9->81 dropped 83 C:\Windows\Installer\MSIE1CA.tmp, PE32 9->83 dropped 85 C:\Windows\Installer\MSICAE6.tmp, PE32 9->85 dropped 95 20 other files (17 malicious) 9->95 dropped 18 AteraAgent.exe 6 13 9->18         started        22 msiexec.exe 9->22         started        24 msiexec.exe 9->24         started        103 d25btwd9wax8gu.cloudfront.net 108.158.75.12, 443, 49795 AMAZON-02US United States 12->103 105 ps.pndsn.com 13.232.67.198, 443, 49774, 49775 AMAZON-02US United States 12->105 107 2 other IPs or domains 12->107 87 C:\...87ewtonsoft.Json.dll, PE32 12->87 dropped 89 C:\...\Atera.AgentPackage.Common.dll, PE32 12->89 dropped 91 C:\...\AgentPackageAgentInformation.exe, PE32 12->91 dropped 93 AgentPackageAgentInformation.exe.config, XML 12->93 dropped 123 Creates files in the system32 config directory 12->123 125 Reads the Security eventlog 12->125 127 Reads the System eventlog 12->127 26 AgentPackageAgentInformation.exe 12->26         started        28 sc.exe 12->28         started        30 AgentPackageAgentInformation.exe 12->30         started        32 3 other processes 12->32 file6 signatures7 process8 file9 59 C:\Windows\System32\InstallUtil.InstallLog, Unicode 18->59 dropped 61 C:\...\AteraAgent.InstallLog, Unicode 18->61 dropped 117 Creates files in the system32 config directory 18->117 119 Reads the Security eventlog 18->119 121 Reads the System eventlog 18->121 34 rundll32.exe 15 9 22->34         started        37 rundll32.exe 7 22->37         started        39 rundll32.exe 8 22->39         started        41 rundll32.exe 22->41         started        49 2 other processes 24->49 43 conhost.exe 26->43         started        45 conhost.exe 28->45         started        47 conhost.exe 30->47         started        51 3 other processes 32->51 signatures10 process11 file12 63 C:\...\AlphaControlAgentInstallation.dll, PE32 34->63 dropped 73 3 other files (none is malicious) 34->73 dropped 65 C:\...\AlphaControlAgentInstallation.dll, PE32 37->65 dropped 75 3 other files (none is malicious) 37->75 dropped 67 C:\...\AlphaControlAgentInstallation.dll, PE32 39->67 dropped 77 3 other files (none is malicious) 39->77 dropped 69 C:\...\AlphaControlAgentInstallation.dll, PE32 41->69 dropped 71 C:\Windows\...\System.Management.dll, PE32 41->71 dropped 79 2 other files (none is malicious) 41->79 dropped 53 conhost.exe 49->53         started        55 conhost.exe 49->55         started        57 net1.exe 1 49->57         started        process13
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
13.232.67.198
 ps.pndsn.com United States
16509 AMAZON-02US false
13.232.67.199
 unknown United States
16509 AMAZON-02US false
108.158.75.12
 d25btwd9wax8gu.cloudfront.net United States
16509 AMAZON-02US false

Contacted Domains

Name IP Active
ps.pndsn.com 13.232.67.198 true
bg.microsoft.map.fastly.net 199.232.214.172 true
s-part-0035.t-0009.t-msedge.net 13.107.246.63 true
d25btwd9wax8gu.cloudfront.net 108.158.75.12 true
fp2e7a.wpc.phicdn.net 192.229.221.95 true
windowsupdatebg.s.llnwi.net 178.79.238.128 true
ps.atera.com unknown unknown
agent-api.atera.com unknown unknown

Contacted URLs

Name Malicious Antivirus Detection Reputation
https://ps.pndsn.com/v2/subscribe/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/95fbc98a-3c27-44ae-84cf-9e3acc292491/0?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=5acd82f0-57ae-41e0-85e3-b5cb80ee27df&tr=31&tt=17324433379477685&uuid=95fbc98a-3c27-44ae-84cf-9e3acc292491 false
    		high
    https://ps.atera.com/agentpackagesnet45/AgentPackageAgentInformation/38.0/AgentPackageAgentInformation.zip?w8Q4MxnxsTU+y3lbIKhb1p3E6E9NGNGr43vM7ggjDRD5G9cDVa0pn3fF3kInqamc false
      		high
      https://ps.pndsn.com/time/0?pnsdk=NET45CSharp6.13.0.0&requestid=8dec4445-c0f5-4b3e-90c5-b0e958ca91da&uuid=95fbc98a-3c27-44ae-84cf-9e3acc292491 false
        		high
        https://ps.pndsn.com/v2/subscribe/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/95fbc98a-3c27-44ae-84cf-9e3acc292491/0?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=b554e624-5e74-4caa-b7de-790b1533e993&tr=31&tt=17324434350865773&uuid=95fbc98a-3c27-44ae-84cf-9e3acc292491 false
          		high
          https://ps.pndsn.com/time/0?pnsdk=NET45CSharp6.13.0.0&requestid=b46022d7-cbaa-40b8-8c72-fd984bb21007&uuid=95fbc98a-3c27-44ae-84cf-9e3acc292491 false
            		high
            https://ps.pndsn.com/v2/presence/sub_key/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/channel/95fbc98a-3c27-44ae-84cf-9e3acc292491/heartbeat?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=e695b199-cbc9-44ed-b89a-77707fde66b0&uuid=95fbc98a-3c27-44ae-84cf-9e3acc292491 false
              		high
              https://ps.pndsn.com/v2/presence/sub_key/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/channel/95fbc98a-3c27-44ae-84cf-9e3acc292491/heartbeat?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=e3aa32f8-3a58-4ef4-b289-b05205d0c00e&uuid=95fbc98a-3c27-44ae-84cf-9e3acc292491 false
                		high
                https://ps.pndsn.com/v2/subscribe/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/95fbc98a-3c27-44ae-84cf-9e3acc292491/0?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=57719228-a14b-4385-bc90-4fb880778c52&tt=0&uuid=95fbc98a-3c27-44ae-84cf-9e3acc292491 false
                  		high
                  https://ps.pndsn.com/time/0?pnsdk=NET45CSharp6.13.0.0&requestid=12ab6b1a-a82d-4206-b67b-cf0ecb23de70&uuid=95fbc98a-3c27-44ae-84cf-9e3acc292491 false
                    		high
                    https://ps.pndsn.com/time/0?pnsdk=NET45CSharp6.13.0.0&requestid=dd31cbca-11f7-438d-95d1-0103076c3b19&uuid=95fbc98a-3c27-44ae-84cf-9e3acc292491 false
                      		high
                      https://ps.pndsn.com/time/0?pnsdk=NET45CSharp6.13.0.0&requestid=e10b719b-981a-446e-ba23-7c69d7f94ded&uuid=95fbc98a-3c27-44ae-84cf-9e3acc292491 false
                        		high
                        https://ps.pndsn.com/time/0?pnsdk=NET45CSharp6.13.0.0&requestid=9ead68d6-bdd5-4770-a068-8d3fb261cd22&uuid=95fbc98a-3c27-44ae-84cf-9e3acc292491 false
                          		high
                          https://ps.pndsn.com/v2/subscribe/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/95fbc98a-3c27-44ae-84cf-9e3acc292491/0?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=b748dd63-e45c-4e56-a14e-2acb4546abf0&tr=31&tt=17324434315367656&uuid=95fbc98a-3c27-44ae-84cf-9e3acc292491 false
                            		high
                            https://ps.pndsn.com/v2/subscribe/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/95fbc98a-3c27-44ae-84cf-9e3acc292491/0?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=2437e5c2-c49a-46e7-85a0-5bd5b0f3e346&tt=0&uuid=95fbc98a-3c27-44ae-84cf-9e3acc292491 false
                              		high
                              https://ps.pndsn.com/v2/subscribe/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/95fbc98a-3c27-44ae-84cf-9e3acc292491/0?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=44d081ca-4526-4116-82b9-755899f28369&tt=0&uuid=95fbc98a-3c27-44ae-84cf-9e3acc292491 false
                                		high
                                https://ps.pndsn.com/v2/subscribe/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/95fbc98a-3c27-44ae-84cf-9e3acc292491/0?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=8a545e8a-5ca3-4586-95ee-223486bad101&tr=31&tt=17324433411580562&uuid=95fbc98a-3c27-44ae-84cf-9e3acc292491 false
                                  		high
                                  https://ps.pndsn.com/v2/presence/sub_key/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/channel/95fbc98a-3c27-44ae-84cf-9e3acc292491/heartbeat?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=15951373-2c36-4fa8-affe-36f2ec07b81f&uuid=95fbc98a-3c27-44ae-84cf-9e3acc292491 false
                                    		high
                                    https://ps.pndsn.com/v2/presence/sub_key/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/channel/95fbc98a-3c27-44ae-84cf-9e3acc292491/leave?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=939e5a96-d596-4e59-936e-7ae5d28307cc&uuid=95fbc98a-3c27-44ae-84cf-9e3acc292491 false
                                      		high
                                      https://ps.pndsn.com/time/0?pnsdk=NET45CSharp6.13.0.0&requestid=af5bf701-7249-45e5-86be-19d8d9c83003&uuid=95fbc98a-3c27-44ae-84cf-9e3acc292491 false
                                        		high
                                        https://ps.pndsn.com/v2/presence/sub_key/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/channel/95fbc98a-3c27-44ae-84cf-9e3acc292491/heartbeat?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=d06e9be8-9779-43f1-a370-eed925135e8d&uuid=95fbc98a-3c27-44ae-84cf-9e3acc292491 false
                                          		high
                                          https://ps.pndsn.com/v2/presence/sub_key/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/channel/95fbc98a-3c27-44ae-84cf-9e3acc292491/heartbeat?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=15a8e400-4d66-4396-85a9-a52c47560c82&uuid=95fbc98a-3c27-44ae-84cf-9e3acc292491 false
                                            		high
                                            https://ps.pndsn.com/time/0?pnsdk=NET45CSharp6.13.0.0&requestid=aa11bfe9-8289-42c2-be65-d6291fd164cf&uuid=95fbc98a-3c27-44ae-84cf-9e3acc292491 false
                                              		high
                                              https://ps.pndsn.com/v2/subscribe/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/95fbc98a-3c27-44ae-84cf-9e3acc292491/0?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=92f4880d-dc2f-4ace-a46f-d9a0bf4fb400&tr=33&tt=17324434578282801&uuid=95fbc98a-3c27-44ae-84cf-9e3acc292491 false
                                                		high
                                                https://ps.pndsn.com/v2/presence/sub_key/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/channel/95fbc98a-3c27-44ae-84cf-9e3acc292491/heartbeat?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=3dabc9ca-50ca-4769-82eb-40791913b06c&uuid=95fbc98a-3c27-44ae-84cf-9e3acc292491 false
                                                  		high
                                                  https://ps.pndsn.com/time/0?pnsdk=NET45CSharp6.13.0.0&requestid=3f56d55c-6ba5-4af1-9be1-2dea66d5d0f7&uuid=95fbc98a-3c27-44ae-84cf-9e3acc292491 false
                                                    		high
                                                    https://ps.pndsn.com/time/0?pnsdk=NET45CSharp6.13.0.0&requestid=1ddb02cf-39da-4196-a130-53d484e9194d&uuid=95fbc98a-3c27-44ae-84cf-9e3acc292491 false
                                                      		high
                                                      https://ps.pndsn.com/v2/presence/sub_key/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/channel/95fbc98a-3c27-44ae-84cf-9e3acc292491/leave?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=6d5cfce1-b215-4be8-a3eb-65f371d376ce&uuid=95fbc98a-3c27-44ae-84cf-9e3acc292491 false
                                                        		high
                                                        https://ps.pndsn.com/time/0?pnsdk=NET45CSharp6.13.0.0&requestid=cc4be31c-7bd0-4546-8157-021785aaabf9&uuid=95fbc98a-3c27-44ae-84cf-9e3acc292491 false
                                                          		high
                                                          https://ps.pndsn.com/time/0?pnsdk=NET45CSharp6.13.0.0&requestid=a550ee73-b0e6-4203-86b7-33ebef664c1d&uuid=95fbc98a-3c27-44ae-84cf-9e3acc292491 false
                                                            		high
                                                            https://ps.pndsn.com/time/0?pnsdk=NET45CSharp6.13.0.0&requestid=7ad0a761-601d-4dfb-892a-87e5a80d8cfd&uuid=95fbc98a-3c27-44ae-84cf-9e3acc292491 false
                                                              		high
                                                              https://ps.pndsn.com/v2/subscribe/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/95fbc98a-3c27-44ae-84cf-9e3acc292491/0?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=1c583dbc-af1e-4d45-80f1-003dabe8eea7&tt=0&uuid=95fbc98a-3c27-44ae-84cf-9e3acc292491 false
                                                                		high