Windows Analysis Report
ReceitaFederal-consulta-yFZMA-45896_v.3_35687.msi

Overview

General Information

Sample name:	ReceitaFederal-consulta-yFZMA-45896_v.3_35687.msi
Analysis ID:	1561806
MD5:	d845db29c963e1314bdad5ae0e8363b4
SHA1:	29192740a48fd5e65e79cf8e32d129d9c0b84df1
SHA256:	cbd238f60cc3c1a95155ae46d88eeda33c8dfa1ee5093e22aa1dcf80d5965987
Tags:	msiuser-JAMESWT_MHT
Infos:

Detection

AteraAgent

Score:	88
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Yara detected AteraAgent

AI detected suspicious sample

Creates files in the system32 config directory

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Reads the Security eventlog

Reads the System eventlog

Yara detected Generic Downloader

Abnormal high CPU Usage

Adds / modifies Windows certificates

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Checks for available system drives (often done to infect USB drives)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Creates or modifies windows services

Deletes files inside the Windows folder

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Drops PE files to the windows directory (C:\Windows)

Drops certificate files (DER)

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found inlined nop instructions (likely shell or obfuscated code)

HTTP GET or POST without a user agent

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

PE file contains an invalid checksum

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Stores large binary data to the registry

Suricata IDS alerts with low severity for network traffic

Uses code obfuscation techniques (call, push, ret)

Uses net.exe to stop services

Uses taskkill to terminate processes

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Classification

Signatures

AV Detection

Multi AV Scanner detection for dropped file

Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe

ReversingLabs: Detection: 26%

Multi AV Scanner detection for submitted file

Source: ReceitaFederal-consulta-yFZMA-45896_v.3_35687.msi

ReversingLabs: Detection: 26%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 93.3% probability

Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File created: C:\Windows\system32\InstallUtil.InstallLog			Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.InstallLog			Jump to behavior

Source: unknown	HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.9:49768 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.9:49769 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 108.158.75.12:443 -> 192.168.2.9:49792 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.9:49904 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.9:49942 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.9:49943 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.9:49983 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.9:49985 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.9:50004 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.9:50043 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.9:50044 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.9:50047 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.9:50048 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.9:50049 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.9:50051 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.9:50050 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.9:50067 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.9:50068 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.9:50073 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.9:50086 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.9:50089 version: TLS 1.2

Source:	Binary string: D:\a\1\s\AgentPackageAgentInformation\AgentPackageAgentInformation\obj\Release\AgentPackageAgentInformation.pdb source: AteraAgent.exe, 0000000E.00000002.2633116462.00000294EAEAF000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000013.00000000.1696182343.00000177486B2000.00000002.00000001.01000000.00000016.sdmp, AgentPackageAgentInformation.exe.14.dr
Source:	Binary string: D:\a\1\s\AlphaControlAgentInstallation\obj\Release\AlphaControlAgentInstallation.pdb source: rundll32.exe, 00000004.00000003.1384418180.0000000004AA0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.1446980607.0000000006E10000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.1444559082.00000000005BC000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1444139924.00000000005BC000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1393627816.0000000004240000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1449345788.0000000004D48000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000011.00000003.1520522835.00000000040CE000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000011.00000002.1575945285.0000000006C33000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000011.00000002.1570641470.0000000000605000.00000004.00000020.00020000.00000000.sdmp, AlphaControlAgentInstallation.dll.5.dr, AlphaControlAgentInstallation.dll.6.dr, AlphaControlAgentInstallation.dll.17.dr, AlphaControlAgentInstallation.dll.4.dr
Source:	Binary string: \??\C:\Windows\Installer\MSI489E.tmp-\AlphaControlAgentInstallation.PDBrb source: rundll32.exe, 00000011.00000002.1570641470.00000000005A5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\symbols\dll\AlphaControlAgentInstallation.pdb source: rundll32.exe, 00000011.00000002.1570641470.0000000000605000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\AlphaControlAgentInstallation.pdbpdbion.pdb% source: rundll32.exe, 00000005.00000002.1444743402.000000000060F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1444294947.000000000060E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1444074163.00000000005F6000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\AlphaControlAgentInstallation.pdbpdbion.pdb( source: rundll32.exe, 00000011.00000002.1570641470.0000000000653000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: /_/Src/Newtonsoft.Json/obj/Release/net45/Newtonsoft.Json.pdbSHA256 source: AgentPackageAgentInformation.exe, 00000013.00000002.1737873260.00000177618A2000.00000002.00000001.01000000.00000019.sdmp, Newtonsoft.Json.dll.14.dr
Source:	Binary string: C:\Windows\System.pdbpdbtem.pdb source: rundll32.exe, 00000011.00000002.1575945285.0000000006C4A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\symbols\dll\AlphaControlAgentInstallation.pdbG source: rundll32.exe, 00000005.00000002.1444717726.00000000005F8000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1444074163.00000000005F6000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\s\AlphaControlAgent\obj\Release\AteraAgent.pdb<$ source: AteraAgent.exe, 0000000D.00000000.1462877199.0000014C07FF2000.00000002.00000001.01000000.0000000F.sdmp, AteraAgent.exe.2.dr
Source:	Binary string: System.pdbN\|2h\|2 Z\|2_CorDllMainmscoree.dll source: rundll32.exe, 00000005.00000002.1446980607.0000000006E00000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000011.00000002.1575945285.0000000006C33000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: /_/Src/Newtonsoft.Json/obj/Release/net45/Newtonsoft.Json.pdb source: rundll32.exe, 00000004.00000003.1384418180.0000000004AD1000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1393627816.0000000004271000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1449345788.0000000004D79000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2632599707.00000294EABC2000.00000002.00000001.01000000.0000001A.sdmp, rundll32.exe, 00000011.00000003.1520522835.00000000040FF000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000013.00000002.1737873260.00000177618A2000.00000002.00000001.01000000.00000019.sdmp, Newtonsoft.Json.dll.6.dr, Newtonsoft.Json.dll.4.dr, Newtonsoft.Json.dll.2.dr, Newtonsoft.Json.dll.14.dr, Newtonsoft.Json.dll.5.dr, Newtonsoft.Json.dll.17.dr
Source:	Binary string: D:\a\1\s\Atera.AgentPackage.Common\obj\Release\Atera.AgentPackage.Common.pdb source: AgentPackageAgentInformation.exe, 00000013.00000002.1736549583.0000017748CC2000.00000002.00000001.01000000.00000018.sdmp, Atera.AgentPackage.Common.dll.14.dr
Source:	Binary string: E:\A\_work\39\s\corefx\bin\obj\AnyOS.AnyCPU.Release\System.ValueTuple\netstandard1.0\System.ValueTuple.pdb source: System.ValueTuple.dll.2.dr
Source:	Binary string: \??\C:\Windows\symbols\dll\System.pdb2 source: rundll32.exe, 00000011.00000002.1575945285.0000000006C4A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\agent\_work\66\s\build\ship\x86\wixca.pdb source: ReceitaFederal-consulta-yFZMA-45896_v.3_35687.msi, MSI30EE.tmp.2.dr, MSI3022.tmp.2.dr, MSI2FB3.tmp.2.dr, 5b113b.msi.2.dr, 5b113d.msi.2.dr, MSI2FC4.tmp.2.dr
Source:	Binary string: bHP~n\C:\Windows\AlphaControlAgentInstallation.pdb source: rundll32.exe, 00000005.00000002.1444393467.0000000000497000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\AlphaControlAgentInstallation.pdbotm source: rundll32.exe, 00000011.00000002.1570641470.00000000005A5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\dll\AlphaControlAgentInstallation.pdbG source: rundll32.exe, 00000011.00000002.1570641470.0000000000605000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\agent\_work\66\s\build\obj\ship\x86\WindowsInstaller\Microsoft.Deployment.WindowsInstaller.pdbP source: rundll32.exe, 00000004.00000003.1384418180.0000000004AA0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1393627816.0000000004240000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1449345788.0000000004D48000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000011.00000003.1520522835.00000000040CE000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Deployment.WindowsInstaller.dll.4.dr, Microsoft.Deployment.WindowsInstaller.dll.6.dr, Microsoft.Deployment.WindowsInstaller.dll.17.dr
Source:	Binary string: D:\a\1\s\Atera.AgentPackage.Common\obj\Release\Atera.AgentPackage.Common.pdbPf source: AgentPackageAgentInformation.exe, 00000013.00000002.1736549583.0000017748CC2000.00000002.00000001.01000000.00000018.sdmp, Atera.AgentPackage.Common.dll.14.dr
Source:	Binary string: \??\C:\Windows\dll\AlphaControlAgentInstallation.pdb source: rundll32.exe, 00000005.00000002.1446980607.0000000006DD0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000011.00000002.1570641470.0000000000605000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Installer\MSI1766.tmp-\AlphaControlAgentInstallation.pdb source: rundll32.exe, 00000005.00000002.1444559082.00000000005BC000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1444139924.00000000005BC000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.pdb source: rundll32.exe, 00000005.00000002.1446980607.0000000006E00000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000011.00000002.1575945285.0000000006C33000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: BouncyCastle.Crypto.pdbSHA256 source: BouncyCastle.Crypto.dll.2.dr
Source:	Binary string: \??\C:\Windows\Installer\MSI1766.tmp-\AlphaControlAgentInstallation.PDBkd source: rundll32.exe, 00000005.00000002.1444559082.00000000005BC000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1444139924.00000000005BC000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\agent\_work\66\s\build\obj\ship\x86\WindowsInstaller\Microsoft.Deployment.WindowsInstaller.pdb source: rundll32.exe, 00000004.00000003.1384418180.0000000004AA0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1393627816.0000000004240000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1449345788.0000000004D48000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000011.00000003.1520522835.00000000040CE000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Deployment.WindowsInstaller.dll.4.dr, Microsoft.Deployment.WindowsInstaller.dll.6.dr, Microsoft.Deployment.WindowsInstaller.dll.17.dr
Source:	Binary string: \??\C:\Windows\Installer\MSI489E.tmp-\AlphaControlAgentInstallation.pdb source: rundll32.exe, 00000011.00000002.1570641470.00000000005A5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\s\AlphaControlAgent\obj\Release\AteraAgent.pdb source: AteraAgent.exe, 0000000D.00000000.1462877199.0000014C07FF2000.00000002.00000001.01000000.0000000F.sdmp, AteraAgent.exe.2.dr
Source:	Binary string: \??\C:\Windows\AlphaControlAgentInstallation.pdbCultur source: rundll32.exe, 00000005.00000002.1444559082.00000000005BC000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1444139924.00000000005BC000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: nC:\Windows\Installer\MSI1766.tmp-\AlphaControlAgentInstallation.pdbQ source: rundll32.exe, 00000005.00000002.1444393467.0000000000497000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\System.pdb} source: rundll32.exe, 00000011.00000002.1570641470.0000000000653000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: nC:\Windows\Installer\MSI489E.tmp-\AlphaControlAgentInstallation.pdb source: rundll32.exe, 00000011.00000002.1570401025.00000000000D7000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: E:\A\_work\39\s\corefx\bin\obj\AnyOS.AnyCPU.Release\System.ValueTuple\netstandard1.0\System.ValueTuple.pdbSHA256 source: System.ValueTuple.dll.2.dr
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdb source: rundll32.exe, 00000005.00000002.1444743402.000000000060F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1444294947.000000000060E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1444074163.00000000005F6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000011.00000002.1570641470.0000000000605000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\c-sharp\c-sharp\src\Api\PubnubApi\obj\Release\net45\Pubnub.pdbSHA256 source: AteraAgent.exe, 0000000D.00000002.1516024952.0000014C226B2000.00000002.00000001.01000000.00000011.sdmp, Pubnub.dll.2.dr
Source:	Binary string: D:\a\c-sharp\c-sharp\src\Api\PubnubApi\obj\Release\net45\Pubnub.pdb source: AteraAgent.exe, 0000000D.00000002.1516024952.0000014C226B2000.00000002.00000001.01000000.00000011.sdmp, AteraAgent.exe, 0000000E.00000002.2631705568.00000294EAA99000.00000004.00000020.00020000.00000000.sdmp, Pubnub.dll.2.dr
Source:	Binary string: eHP~n\C:\Windows\AlphaControlAgentInstallation.pdb source: rundll32.exe, 00000011.00000002.1570401025.00000000000D7000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Installer\MSI1766.tmp-\AlphaControlAgentInstallation.pdb(cyv source: rundll32.exe, 00000005.00000002.1444559082.00000000005BC000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1444139924.00000000005BC000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \Windows\Pubnub.pdbpdbnub.pdb source: AteraAgent.exe, 0000000E.00000002.2631705568.00000294EAA99000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\agent\_work\66\s\build\ship\x86\SfxCA.pdb source: ReceitaFederal-consulta-yFZMA-45896_v.3_35687.msi, MSI2D41.tmp.2.dr, MSI1264.tmp.2.dr, 5b113b.msi.2.dr, MSI489E.tmp.2.dr, 5b113d.msi.2.dr, MSI1766.tmp.2.dr
Source:	Binary string: /_/src/ICSharpCode.SharpZipLib/obj/Release/net45/ICSharpCode.SharpZipLib.pdbSHA256mW source: AteraAgent.exe, 0000000E.00000002.2634938179.00000294EB1C2000.00000002.00000001.01000000.0000001B.sdmp, ICSharpCode.SharpZipLib.dll.2.dr
Source:	Binary string: /_/src/ICSharpCode.SharpZipLib/obj/Release/net45/ICSharpCode.SharpZipLib.pdb source: AteraAgent.exe, 0000000E.00000002.2634938179.00000294EB1C2000.00000002.00000001.01000000.0000001B.sdmp, ICSharpCode.SharpZipLib.dll.2.dr
Source:	Binary string: BouncyCastle.Crypto.pdb source: BouncyCastle.Crypto.dll.2.dr
Source:	Binary string: \??\C:\Windows\AlphaControlAgentInstallation.pdb Cul source: rundll32.exe, 00000011.00000002.1570641470.00000000005A5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: /_/Src/Newtonsoft.Json/obj/Release/net45/Newtonsoft.Json.pdbSHA2567 source: rundll32.exe, 00000004.00000003.1384418180.0000000004AD1000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1393627816.0000000004271000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1449345788.0000000004D79000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2632599707.00000294EABC2000.00000002.00000001.01000000.0000001A.sdmp, rundll32.exe, 00000011.00000003.1520522835.00000000040FF000.00000004.00000020.00020000.00000000.sdmp, Newtonsoft.Json.dll.6.dr, Newtonsoft.Json.dll.4.dr, Newtonsoft.Json.dll.2.dr, Newtonsoft.Json.dll.5.dr, Newtonsoft.Json.dll.17.dr
Source:	Binary string: \??\C:\Windows\symbols\dll\System.pdb source: rundll32.exe, 00000005.00000003.1444045873.0000000006E1B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000011.00000002.1575945285.0000000006C4A000.00000004.00000020.00020000.00000000.sdmp

Checks for available system drives (often done to infect USB drives)

Source: C:\Windows\System32\msiexec.exe	File opened: z:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: x:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: v:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: t:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: r:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: p:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: n:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: l:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: j:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: h:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: f:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: b:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: y:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: w:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: u:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: s:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: q:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: o:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: m:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: k:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: i:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: g:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: e:	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File opened: c:
Source: C:\Windows\System32\msiexec.exe	File opened: a:	Jump to behavior

Found inlined nop instructions (likely shell or obfuscated code)

Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Code function: 4x nop then jmp 00007FF886A01FFFh	13_2_00007FF886A01FAC
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Code function: 4x nop then jmp 00007FF886A01873h	13_2_00007FF886A0172D
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Code function: 4x nop then jmp 00007FF886A01A44h	13_2_00007FF886A01A35
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Code function: 4x nop then jmp 00007FF886A0B972h	14_2_00007FF886A0B5E7
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Code function: 4x nop then jmp 00007FF8869F4ECBh	14_2_00007FF8869F4E6B
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Code function: 4x nop then jmp 00007FF886A0B972h	14_2_00007FF886A0B620
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Code function: 4x nop then jmp 00007FF8869F227Bh	14_2_00007FF8869F225D

Networking

Yara detected Generic Downloader

Source: Yara match	File source: 19.0.AgentPackageAgentInformation.exe.177486b0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe, type: DROPPED

HTTP GET or POST without a user agent

Source: global traffic	HTTP traffic detected: GET /v2/subscribe/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/ca4f6eb7-da88-4119-8d72-16266eeb5dd4/0?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=3eaa9905-10e5-43ca-a5ec-3f04289fa0f4&tt=0&uuid=ca4f6eb7-da88-4119-8d72-16266eeb5dd4 HTTP/1.1Cache-Control: no-cachePragma: no-cacheContent-Type: application/jsonHost: ps.pndsn.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /time/0?pnsdk=NET45CSharp6.13.0.0&requestid=59dc8d89-7bee-4d36-a28b-270400da27e0&uuid=ca4f6eb7-da88-4119-8d72-16266eeb5dd4 HTTP/1.1Host: ps.pndsn.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /v2/subscribe/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/ca4f6eb7-da88-4119-8d72-16266eeb5dd4/0?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=ab4cb35d-22c9-4fd4-8e1d-46a28fd23be0&tr=31&tt=17324433393200501&uuid=ca4f6eb7-da88-4119-8d72-16266eeb5dd4 HTTP/1.1Cache-Control: no-cachePragma: no-cacheContent-Type: application/jsonHost: ps.pndsn.com
Source: global traffic	HTTP traffic detected: GET /agentpackagesnet45/AgentPackageAgentInformation/38.0/AgentPackageAgentInformation.zip?yFk+9uu9aja3RXZs7wXkvbKodLamRoX+E2lNjbQETmCf6sqL8+70SxX20aW8U680 HTTP/1.1Host: ps.atera.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /v2/subscribe/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/ca4f6eb7-da88-4119-8d72-16266eeb5dd4/0?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=49524d65-4fb1-4bb1-9c7b-f5d3e2dbe3f7&tr=31&tt=17324433418622730&uuid=ca4f6eb7-da88-4119-8d72-16266eeb5dd4 HTTP/1.1Cache-Control: no-cachePragma: no-cacheContent-Type: application/jsonHost: ps.pndsn.com
Source: global traffic	HTTP traffic detected: GET /time/0?pnsdk=NET45CSharp6.13.0.0&requestid=409cd075-04de-411d-8e74-cc204daabc39&uuid=ca4f6eb7-da88-4119-8d72-16266eeb5dd4 HTTP/1.1Host: ps.pndsn.com
Source: global traffic	HTTP traffic detected: GET /time/0?pnsdk=NET45CSharp6.13.0.0&requestid=0b64e705-668e-465a-845d-ea16cbb2791c&uuid=ca4f6eb7-da88-4119-8d72-16266eeb5dd4 HTTP/1.1Host: ps.pndsn.com
Source: global traffic	HTTP traffic detected: GET /v2/presence/sub_key/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/channel/ca4f6eb7-da88-4119-8d72-16266eeb5dd4/heartbeat?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=8dc1d376-2e7b-4680-b35a-6e4e965362d5&uuid=ca4f6eb7-da88-4119-8d72-16266eeb5dd4 HTTP/1.1Cache-Control: no-cachePragma: no-cacheContent-Type: application/jsonHost: ps.pndsn.com
Source: global traffic	HTTP traffic detected: GET /v2/subscribe/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/ca4f6eb7-da88-4119-8d72-16266eeb5dd4/0?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=432189bc-183c-4c40-a56b-6e5a68b3917f&tr=31&tt=17324433983044696&uuid=ca4f6eb7-da88-4119-8d72-16266eeb5dd4 HTTP/1.1Cache-Control: no-cachePragma: no-cacheContent-Type: application/jsonHost: ps.pndsn.com
Source: global traffic	HTTP traffic detected: GET /time/0?pnsdk=NET45CSharp6.13.0.0&requestid=af1c8f78-a8fb-4782-9e02-8522647fac57&uuid=ca4f6eb7-da88-4119-8d72-16266eeb5dd4 HTTP/1.1Host: ps.pndsn.com
Source: global traffic	HTTP traffic detected: GET /v2/presence/sub_key/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/channel/ca4f6eb7-da88-4119-8d72-16266eeb5dd4/leave?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=9401654a-318b-4070-93c4-7e976e6983d7&uuid=ca4f6eb7-da88-4119-8d72-16266eeb5dd4 HTTP/1.1Cache-Control: no-cachePragma: no-cacheContent-Type: application/jsonHost: ps.pndsn.com
Source: global traffic	HTTP traffic detected: GET /time/0?pnsdk=NET45CSharp6.13.0.0&requestid=c89efe78-d68a-44aa-b962-a0da30029aef&uuid=ca4f6eb7-da88-4119-8d72-16266eeb5dd4 HTTP/1.1Host: ps.pndsn.com
Source: global traffic	HTTP traffic detected: GET /v2/subscribe/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/ca4f6eb7-da88-4119-8d72-16266eeb5dd4/0?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=0f23dd88-0fc7-4a6a-9b6f-a8e42f785442&tt=0&uuid=ca4f6eb7-da88-4119-8d72-16266eeb5dd4 HTTP/1.1Cache-Control: no-cachePragma: no-cacheContent-Type: application/jsonHost: ps.pndsn.com
Source: global traffic	HTTP traffic detected: GET /time/0?pnsdk=NET45CSharp6.13.0.0&requestid=83d4ff7e-819b-463d-a1d8-c1180d5bfe08&uuid=ca4f6eb7-da88-4119-8d72-16266eeb5dd4 HTTP/1.1Host: ps.pndsn.com
Source: global traffic	HTTP traffic detected: GET /v2/subscribe/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/ca4f6eb7-da88-4119-8d72-16266eeb5dd4/0?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=9887171e-f6b2-4985-868a-76f8a9ac9c69&tr=31&tt=17324433983044696&uuid=ca4f6eb7-da88-4119-8d72-16266eeb5dd4 HTTP/1.1Cache-Control: no-cachePragma: no-cacheContent-Type: application/jsonHost: ps.pndsn.com
Source: global traffic	HTTP traffic detected: GET /v2/subscribe/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/ca4f6eb7-da88-4119-8d72-16266eeb5dd4/0?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=b092b222-e28c-4cbf-b2ce-1ad35a4da96f&tr=31&tt=17324434136474401&uuid=ca4f6eb7-da88-4119-8d72-16266eeb5dd4 HTTP/1.1Cache-Control: no-cachePragma: no-cacheContent-Type: application/jsonHost: ps.pndsn.com
Source: global traffic	HTTP traffic detected: GET /time/0?pnsdk=NET45CSharp6.13.0.0&requestid=ee319b7e-c8e0-4aa4-aa35-08507a3b4589&uuid=ca4f6eb7-da88-4119-8d72-16266eeb5dd4 HTTP/1.1Host: ps.pndsn.com
Source: global traffic	HTTP traffic detected: GET /v2/presence/sub_key/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/channel/ca4f6eb7-da88-4119-8d72-16266eeb5dd4/heartbeat?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=7abf71f1-a15a-4c21-a35a-f3e49209c1fb&uuid=ca4f6eb7-da88-4119-8d72-16266eeb5dd4 HTTP/1.1Cache-Control: no-cachePragma: no-cacheContent-Type: application/jsonHost: ps.pndsn.com
Source: global traffic	HTTP traffic detected: GET /v2/presence/sub_key/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/channel/ca4f6eb7-da88-4119-8d72-16266eeb5dd4/leave?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=87de8078-9f58-41e2-9c51-2e34fbeb83af&uuid=ca4f6eb7-da88-4119-8d72-16266eeb5dd4 HTTP/1.1Cache-Control: no-cachePragma: no-cacheContent-Type: application/jsonHost: ps.pndsn.com
Source: global traffic	HTTP traffic detected: GET /time/0?pnsdk=NET45CSharp6.13.0.0&requestid=b90d88ed-90a0-4d85-a3f0-2431379878e6&uuid=ca4f6eb7-da88-4119-8d72-16266eeb5dd4 HTTP/1.1Host: ps.pndsn.com
Source: global traffic	HTTP traffic detected: GET /v2/presence/sub_key/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/channel/ca4f6eb7-da88-4119-8d72-16266eeb5dd4/heartbeat?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=f1a24d2c-ba5b-4f09-8ec6-e6a721939c6c&uuid=ca4f6eb7-da88-4119-8d72-16266eeb5dd4 HTTP/1.1Cache-Control: no-cachePragma: no-cacheContent-Type: application/jsonHost: ps.pndsn.com
Source: global traffic	HTTP traffic detected: GET /v2/presence/sub_key/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/channel/ca4f6eb7-da88-4119-8d72-16266eeb5dd4/heartbeat?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=70950088-2434-4193-ae45-e02cd33c7b05&uuid=ca4f6eb7-da88-4119-8d72-16266eeb5dd4 HTTP/1.1Cache-Control: no-cachePragma: no-cacheContent-Type: application/jsonHost: ps.pndsn.com
Source: global traffic	HTTP traffic detected: GET /time/0?pnsdk=NET45CSharp6.13.0.0&requestid=76f891ad-5bb8-448f-80e4-1f3374b27f0a&uuid=ca4f6eb7-da88-4119-8d72-16266eeb5dd4 HTTP/1.1Host: ps.pndsn.com
Source: global traffic	HTTP traffic detected: GET /v2/presence/sub_key/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/channel/ca4f6eb7-da88-4119-8d72-16266eeb5dd4/leave?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=a0accb58-72c6-4bcd-b5e6-5bf070d2bbb5&uuid=ca4f6eb7-da88-4119-8d72-16266eeb5dd4 HTTP/1.1Cache-Control: no-cachePragma: no-cacheContent-Type: application/jsonHost: ps.pndsn.com
Source: global traffic	HTTP traffic detected: GET /v2/presence/sub_key/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/channel/ca4f6eb7-da88-4119-8d72-16266eeb5dd4/heartbeat?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=8d3291ed-c39f-4716-80d8-7d0a2db2f535&uuid=ca4f6eb7-da88-4119-8d72-16266eeb5dd4 HTTP/1.1Cache-Control: no-cachePragma: no-cacheContent-Type: application/jsonHost: ps.pndsn.com
Source: global traffic	HTTP traffic detected: GET /v2/presence/sub_key/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/channel/ca4f6eb7-da88-4119-8d72-16266eeb5dd4/heartbeat?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=333b9046-7952-41dc-bdec-09303be50cd7&uuid=ca4f6eb7-da88-4119-8d72-16266eeb5dd4 HTTP/1.1Cache-Control: no-cachePragma: no-cacheContent-Type: application/jsonHost: ps.pndsn.com
Source: global traffic	HTTP traffic detected: GET /time/0?pnsdk=NET45CSharp6.13.0.0&requestid=7a698f03-89f8-46f9-b174-e35a78aa0274&uuid=ca4f6eb7-da88-4119-8d72-16266eeb5dd4 HTTP/1.1Host: ps.pndsn.com
Source: global traffic	HTTP traffic detected: GET /v2/subscribe/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/ca4f6eb7-da88-4119-8d72-16266eeb5dd4/0?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=f92af507-a9f2-4685-b0f4-6803537136b8&tt=0&uuid=ca4f6eb7-da88-4119-8d72-16266eeb5dd4 HTTP/1.1Cache-Control: no-cachePragma: no-cacheContent-Type: application/jsonHost: ps.pndsn.com
Source: global traffic	HTTP traffic detected: GET /v2/presence/sub_key/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/channel/ca4f6eb7-da88-4119-8d72-16266eeb5dd4/leave?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=e628df81-96dc-46ed-9afe-0cd2a51d1679&uuid=ca4f6eb7-da88-4119-8d72-16266eeb5dd4 HTTP/1.1Cache-Control: no-cachePragma: no-cacheContent-Type: application/jsonHost: ps.pndsn.com
Source: global traffic	HTTP traffic detected: GET /v2/subscribe/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/ca4f6eb7-da88-4119-8d72-16266eeb5dd4/0?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=0162374f-2552-479f-be18-4b11df053a72&tt=0&uuid=ca4f6eb7-da88-4119-8d72-16266eeb5dd4 HTTP/1.1Cache-Control: no-cachePragma: no-cacheContent-Type: application/jsonHost: ps.pndsn.com
Source: global traffic	HTTP traffic detected: GET /time/0?pnsdk=NET45CSharp6.13.0.0&requestid=7d96955c-b644-4f48-b6cb-41b97a7be479&uuid=ca4f6eb7-da88-4119-8d72-16266eeb5dd4 HTTP/1.1Host: ps.pndsn.com
Source: global traffic	HTTP traffic detected: GET /v2/subscribe/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/ca4f6eb7-da88-4119-8d72-16266eeb5dd4/0?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=1c5270a6-0d03-478f-9521-4fd0a22c23ee&tt=0&uuid=ca4f6eb7-da88-4119-8d72-16266eeb5dd4 HTTP/1.1Cache-Control: no-cachePragma: no-cacheContent-Type: application/jsonHost: ps.pndsn.com
Source: global traffic	HTTP traffic detected: GET /v2/presence/sub_key/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/channel/ca4f6eb7-da88-4119-8d72-16266eeb5dd4/heartbeat?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=d98288cb-7af6-4190-8ccc-d63bc9858741&uuid=ca4f6eb7-da88-4119-8d72-16266eeb5dd4 HTTP/1.1Cache-Control: no-cachePragma: no-cacheContent-Type: application/jsonHost: ps.pndsn.com
Source: global traffic	HTTP traffic detected: GET /v2/presence/sub_key/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/channel/ca4f6eb7-da88-4119-8d72-16266eeb5dd4/heartbeat?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=8c6407e7-1c76-4c34-98c8-2e3504ec6917&uuid=ca4f6eb7-da88-4119-8d72-16266eeb5dd4 HTTP/1.1Cache-Control: no-cachePragma: no-cacheContent-Type: application/jsonHost: ps.pndsn.com
Source: global traffic	HTTP traffic detected: GET /time/0?pnsdk=NET45CSharp6.13.0.0&requestid=69f1cfdc-a5c4-4346-9133-ec4ebbe57718&uuid=ca4f6eb7-da88-4119-8d72-16266eeb5dd4 HTTP/1.1Host: ps.pndsn.com
Source: global traffic	HTTP traffic detected: GET /v2/subscribe/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/ca4f6eb7-da88-4119-8d72-16266eeb5dd4/0?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=2d83b3c6-7779-408a-91cc-201421fcc115&tr=31&tt=17324434371950064&uuid=ca4f6eb7-da88-4119-8d72-16266eeb5dd4 HTTP/1.1Cache-Control: no-cachePragma: no-cacheContent-Type: application/jsonHost: ps.pndsn.com
Source: global traffic	HTTP traffic detected: GET /v2/presence/sub_key/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/channel/ca4f6eb7-da88-4119-8d72-16266eeb5dd4/heartbeat?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=969880c8-517d-439a-8ec9-8324c81e878e&uuid=ca4f6eb7-da88-4119-8d72-16266eeb5dd4 HTTP/1.1Cache-Control: no-cachePragma: no-cacheContent-Type: application/jsonHost: ps.pndsn.com
Source: global traffic	HTTP traffic detected: GET /time/0?pnsdk=NET45CSharp6.13.0.0&requestid=65e5bee7-d50d-4689-beb6-7331ad74953a&uuid=ca4f6eb7-da88-4119-8d72-16266eeb5dd4 HTTP/1.1Host: ps.pndsn.com
Source: global traffic	HTTP traffic detected: GET /v2/subscribe/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/ca4f6eb7-da88-4119-8d72-16266eeb5dd4/0?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=5b7ef6ec-f467-4166-9556-35fba301ea49&tr=31&tt=17324434479667468&uuid=ca4f6eb7-da88-4119-8d72-16266eeb5dd4 HTTP/1.1Cache-Control: no-cachePragma: no-cacheContent-Type: application/jsonHost: ps.pndsn.com

JA3 SSL client fingerprint seen in connection with other malware

Source: Joe Sandbox View

JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Suricata IDS alerts with low severity for network traffic

Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.9:49789 -> 13.232.67.198:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.9:49894 -> 13.232.67.198:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.9:49972 -> 13.232.67.198:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.9:49923 -> 13.232.67.198:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.9:49963 -> 13.232.67.198:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.9:49943 -> 13.232.67.198:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.9:50004 -> 13.232.67.198:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.9:50061 -> 13.232.67.198:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.9:50073 -> 13.232.67.198:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.9:50083 -> 13.232.67.198:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.9:50022 -> 13.232.67.198:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.9:50090 -> 13.232.67.198:443

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /v2/subscribe/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/ca4f6eb7-da88-4119-8d72-16266eeb5dd4/0?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=3eaa9905-10e5-43ca-a5ec-3f04289fa0f4&tt=0&uuid=ca4f6eb7-da88-4119-8d72-16266eeb5dd4 HTTP/1.1Cache-Control: no-cachePragma: no-cacheContent-Type: application/jsonHost: ps.pndsn.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /time/0?pnsdk=NET45CSharp6.13.0.0&requestid=59dc8d89-7bee-4d36-a28b-270400da27e0&uuid=ca4f6eb7-da88-4119-8d72-16266eeb5dd4 HTTP/1.1Host: ps.pndsn.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /v2/subscribe/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/ca4f6eb7-da88-4119-8d72-16266eeb5dd4/0?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=ab4cb35d-22c9-4fd4-8e1d-46a28fd23be0&tr=31&tt=17324433393200501&uuid=ca4f6eb7-da88-4119-8d72-16266eeb5dd4 HTTP/1.1Cache-Control: no-cachePragma: no-cacheContent-Type: application/jsonHost: ps.pndsn.com
Source: global traffic	HTTP traffic detected: GET /agentpackagesnet45/AgentPackageAgentInformation/38.0/AgentPackageAgentInformation.zip?yFk+9uu9aja3RXZs7wXkvbKodLamRoX+E2lNjbQETmCf6sqL8+70SxX20aW8U680 HTTP/1.1Host: ps.atera.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /v2/subscribe/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/ca4f6eb7-da88-4119-8d72-16266eeb5dd4/0?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=49524d65-4fb1-4bb1-9c7b-f5d3e2dbe3f7&tr=31&tt=17324433418622730&uuid=ca4f6eb7-da88-4119-8d72-16266eeb5dd4 HTTP/1.1Cache-Control: no-cachePragma: no-cacheContent-Type: application/jsonHost: ps.pndsn.com
Source: global traffic	HTTP traffic detected: GET /time/0?pnsdk=NET45CSharp6.13.0.0&requestid=409cd075-04de-411d-8e74-cc204daabc39&uuid=ca4f6eb7-da88-4119-8d72-16266eeb5dd4 HTTP/1.1Host: ps.pndsn.com
Source: global traffic	HTTP traffic detected: GET /time/0?pnsdk=NET45CSharp6.13.0.0&requestid=0b64e705-668e-465a-845d-ea16cbb2791c&uuid=ca4f6eb7-da88-4119-8d72-16266eeb5dd4 HTTP/1.1Host: ps.pndsn.com
Source: global traffic	HTTP traffic detected: GET /v2/presence/sub_key/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/channel/ca4f6eb7-da88-4119-8d72-16266eeb5dd4/heartbeat?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=8dc1d376-2e7b-4680-b35a-6e4e965362d5&uuid=ca4f6eb7-da88-4119-8d72-16266eeb5dd4 HTTP/1.1Cache-Control: no-cachePragma: no-cacheContent-Type: application/jsonHost: ps.pndsn.com
Source: global traffic	HTTP traffic detected: GET /v2/subscribe/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/ca4f6eb7-da88-4119-8d72-16266eeb5dd4/0?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=432189bc-183c-4c40-a56b-6e5a68b3917f&tr=31&tt=17324433983044696&uuid=ca4f6eb7-da88-4119-8d72-16266eeb5dd4 HTTP/1.1Cache-Control: no-cachePragma: no-cacheContent-Type: application/jsonHost: ps.pndsn.com
Source: global traffic	HTTP traffic detected: GET /time/0?pnsdk=NET45CSharp6.13.0.0&requestid=af1c8f78-a8fb-4782-9e02-8522647fac57&uuid=ca4f6eb7-da88-4119-8d72-16266eeb5dd4 HTTP/1.1Host: ps.pndsn.com
Source: global traffic	HTTP traffic detected: GET /v2/presence/sub_key/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/channel/ca4f6eb7-da88-4119-8d72-16266eeb5dd4/leave?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=9401654a-318b-4070-93c4-7e976e6983d7&uuid=ca4f6eb7-da88-4119-8d72-16266eeb5dd4 HTTP/1.1Cache-Control: no-cachePragma: no-cacheContent-Type: application/jsonHost: ps.pndsn.com
Source: global traffic	HTTP traffic detected: GET /time/0?pnsdk=NET45CSharp6.13.0.0&requestid=c89efe78-d68a-44aa-b962-a0da30029aef&uuid=ca4f6eb7-da88-4119-8d72-16266eeb5dd4 HTTP/1.1Host: ps.pndsn.com
Source: global traffic	HTTP traffic detected: GET /v2/subscribe/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/ca4f6eb7-da88-4119-8d72-16266eeb5dd4/0?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=0f23dd88-0fc7-4a6a-9b6f-a8e42f785442&tt=0&uuid=ca4f6eb7-da88-4119-8d72-16266eeb5dd4 HTTP/1.1Cache-Control: no-cachePragma: no-cacheContent-Type: application/jsonHost: ps.pndsn.com
Source: global traffic	HTTP traffic detected: GET /time/0?pnsdk=NET45CSharp6.13.0.0&requestid=83d4ff7e-819b-463d-a1d8-c1180d5bfe08&uuid=ca4f6eb7-da88-4119-8d72-16266eeb5dd4 HTTP/1.1Host: ps.pndsn.com
Source: global traffic	HTTP traffic detected: GET /v2/subscribe/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/ca4f6eb7-da88-4119-8d72-16266eeb5dd4/0?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=9887171e-f6b2-4985-868a-76f8a9ac9c69&tr=31&tt=17324433983044696&uuid=ca4f6eb7-da88-4119-8d72-16266eeb5dd4 HTTP/1.1Cache-Control: no-cachePragma: no-cacheContent-Type: application/jsonHost: ps.pndsn.com
Source: global traffic	HTTP traffic detected: GET /v2/subscribe/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/ca4f6eb7-da88-4119-8d72-16266eeb5dd4/0?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=b092b222-e28c-4cbf-b2ce-1ad35a4da96f&tr=31&tt=17324434136474401&uuid=ca4f6eb7-da88-4119-8d72-16266eeb5dd4 HTTP/1.1Cache-Control: no-cachePragma: no-cacheContent-Type: application/jsonHost: ps.pndsn.com
Source: global traffic	HTTP traffic detected: GET /time/0?pnsdk=NET45CSharp6.13.0.0&requestid=ee319b7e-c8e0-4aa4-aa35-08507a3b4589&uuid=ca4f6eb7-da88-4119-8d72-16266eeb5dd4 HTTP/1.1Host: ps.pndsn.com
Source: global traffic	HTTP traffic detected: GET /v2/presence/sub_key/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/channel/ca4f6eb7-da88-4119-8d72-16266eeb5dd4/heartbeat?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=7abf71f1-a15a-4c21-a35a-f3e49209c1fb&uuid=ca4f6eb7-da88-4119-8d72-16266eeb5dd4 HTTP/1.1Cache-Control: no-cachePragma: no-cacheContent-Type: application/jsonHost: ps.pndsn.com
Source: global traffic	HTTP traffic detected: GET /v2/presence/sub_key/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/channel/ca4f6eb7-da88-4119-8d72-16266eeb5dd4/leave?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=87de8078-9f58-41e2-9c51-2e34fbeb83af&uuid=ca4f6eb7-da88-4119-8d72-16266eeb5dd4 HTTP/1.1Cache-Control: no-cachePragma: no-cacheContent-Type: application/jsonHost: ps.pndsn.com
Source: global traffic	HTTP traffic detected: GET /time/0?pnsdk=NET45CSharp6.13.0.0&requestid=b90d88ed-90a0-4d85-a3f0-2431379878e6&uuid=ca4f6eb7-da88-4119-8d72-16266eeb5dd4 HTTP/1.1Host: ps.pndsn.com
Source: global traffic	HTTP traffic detected: GET /v2/presence/sub_key/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/channel/ca4f6eb7-da88-4119-8d72-16266eeb5dd4/heartbeat?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=f1a24d2c-ba5b-4f09-8ec6-e6a721939c6c&uuid=ca4f6eb7-da88-4119-8d72-16266eeb5dd4 HTTP/1.1Cache-Control: no-cachePragma: no-cacheContent-Type: application/jsonHost: ps.pndsn.com
Source: global traffic	HTTP traffic detected: GET /v2/presence/sub_key/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/channel/ca4f6eb7-da88-4119-8d72-16266eeb5dd4/heartbeat?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=70950088-2434-4193-ae45-e02cd33c7b05&uuid=ca4f6eb7-da88-4119-8d72-16266eeb5dd4 HTTP/1.1Cache-Control: no-cachePragma: no-cacheContent-Type: application/jsonHost: ps.pndsn.com
Source: global traffic	HTTP traffic detected: GET /time/0?pnsdk=NET45CSharp6.13.0.0&requestid=76f891ad-5bb8-448f-80e4-1f3374b27f0a&uuid=ca4f6eb7-da88-4119-8d72-16266eeb5dd4 HTTP/1.1Host: ps.pndsn.com
Source: global traffic	HTTP traffic detected: GET /v2/presence/sub_key/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/channel/ca4f6eb7-da88-4119-8d72-16266eeb5dd4/leave?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=a0accb58-72c6-4bcd-b5e6-5bf070d2bbb5&uuid=ca4f6eb7-da88-4119-8d72-16266eeb5dd4 HTTP/1.1Cache-Control: no-cachePragma: no-cacheContent-Type: application/jsonHost: ps.pndsn.com
Source: global traffic	HTTP traffic detected: GET /v2/presence/sub_key/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/channel/ca4f6eb7-da88-4119-8d72-16266eeb5dd4/heartbeat?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=8d3291ed-c39f-4716-80d8-7d0a2db2f535&uuid=ca4f6eb7-da88-4119-8d72-16266eeb5dd4 HTTP/1.1Cache-Control: no-cachePragma: no-cacheContent-Type: application/jsonHost: ps.pndsn.com
Source: global traffic	HTTP traffic detected: GET /v2/presence/sub_key/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/channel/ca4f6eb7-da88-4119-8d72-16266eeb5dd4/heartbeat?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=333b9046-7952-41dc-bdec-09303be50cd7&uuid=ca4f6eb7-da88-4119-8d72-16266eeb5dd4 HTTP/1.1Cache-Control: no-cachePragma: no-cacheContent-Type: application/jsonHost: ps.pndsn.com
Source: global traffic	HTTP traffic detected: GET /time/0?pnsdk=NET45CSharp6.13.0.0&requestid=7a698f03-89f8-46f9-b174-e35a78aa0274&uuid=ca4f6eb7-da88-4119-8d72-16266eeb5dd4 HTTP/1.1Host: ps.pndsn.com
Source: global traffic	HTTP traffic detected: GET /v2/subscribe/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/ca4f6eb7-da88-4119-8d72-16266eeb5dd4/0?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=f92af507-a9f2-4685-b0f4-6803537136b8&tt=0&uuid=ca4f6eb7-da88-4119-8d72-16266eeb5dd4 HTTP/1.1Cache-Control: no-cachePragma: no-cacheContent-Type: application/jsonHost: ps.pndsn.com
Source: global traffic	HTTP traffic detected: GET /v2/presence/sub_key/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/channel/ca4f6eb7-da88-4119-8d72-16266eeb5dd4/leave?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=e628df81-96dc-46ed-9afe-0cd2a51d1679&uuid=ca4f6eb7-da88-4119-8d72-16266eeb5dd4 HTTP/1.1Cache-Control: no-cachePragma: no-cacheContent-Type: application/jsonHost: ps.pndsn.com
Source: global traffic	HTTP traffic detected: GET /v2/subscribe/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/ca4f6eb7-da88-4119-8d72-16266eeb5dd4/0?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=0162374f-2552-479f-be18-4b11df053a72&tt=0&uuid=ca4f6eb7-da88-4119-8d72-16266eeb5dd4 HTTP/1.1Cache-Control: no-cachePragma: no-cacheContent-Type: application/jsonHost: ps.pndsn.com
Source: global traffic	HTTP traffic detected: GET /time/0?pnsdk=NET45CSharp6.13.0.0&requestid=7d96955c-b644-4f48-b6cb-41b97a7be479&uuid=ca4f6eb7-da88-4119-8d72-16266eeb5dd4 HTTP/1.1Host: ps.pndsn.com
Source: global traffic	HTTP traffic detected: GET /v2/subscribe/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/ca4f6eb7-da88-4119-8d72-16266eeb5dd4/0?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=1c5270a6-0d03-478f-9521-4fd0a22c23ee&tt=0&uuid=ca4f6eb7-da88-4119-8d72-16266eeb5dd4 HTTP/1.1Cache-Control: no-cachePragma: no-cacheContent-Type: application/jsonHost: ps.pndsn.com
Source: global traffic	HTTP traffic detected: GET /v2/presence/sub_key/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/channel/ca4f6eb7-da88-4119-8d72-16266eeb5dd4/heartbeat?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=d98288cb-7af6-4190-8ccc-d63bc9858741&uuid=ca4f6eb7-da88-4119-8d72-16266eeb5dd4 HTTP/1.1Cache-Control: no-cachePragma: no-cacheContent-Type: application/jsonHost: ps.pndsn.com
Source: global traffic	HTTP traffic detected: GET /v2/presence/sub_key/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/channel/ca4f6eb7-da88-4119-8d72-16266eeb5dd4/heartbeat?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=8c6407e7-1c76-4c34-98c8-2e3504ec6917&uuid=ca4f6eb7-da88-4119-8d72-16266eeb5dd4 HTTP/1.1Cache-Control: no-cachePragma: no-cacheContent-Type: application/jsonHost: ps.pndsn.com
Source: global traffic	HTTP traffic detected: GET /time/0?pnsdk=NET45CSharp6.13.0.0&requestid=69f1cfdc-a5c4-4346-9133-ec4ebbe57718&uuid=ca4f6eb7-da88-4119-8d72-16266eeb5dd4 HTTP/1.1Host: ps.pndsn.com
Source: global traffic	HTTP traffic detected: GET /v2/subscribe/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/ca4f6eb7-da88-4119-8d72-16266eeb5dd4/0?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=2d83b3c6-7779-408a-91cc-201421fcc115&tr=31&tt=17324434371950064&uuid=ca4f6eb7-da88-4119-8d72-16266eeb5dd4 HTTP/1.1Cache-Control: no-cachePragma: no-cacheContent-Type: application/jsonHost: ps.pndsn.com
Source: global traffic	HTTP traffic detected: GET /v2/presence/sub_key/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/channel/ca4f6eb7-da88-4119-8d72-16266eeb5dd4/heartbeat?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=969880c8-517d-439a-8ec9-8324c81e878e&uuid=ca4f6eb7-da88-4119-8d72-16266eeb5dd4 HTTP/1.1Cache-Control: no-cachePragma: no-cacheContent-Type: application/jsonHost: ps.pndsn.com
Source: global traffic	HTTP traffic detected: GET /time/0?pnsdk=NET45CSharp6.13.0.0&requestid=65e5bee7-d50d-4689-beb6-7331ad74953a&uuid=ca4f6eb7-da88-4119-8d72-16266eeb5dd4 HTTP/1.1Host: ps.pndsn.com
Source: global traffic	HTTP traffic detected: GET /v2/subscribe/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/ca4f6eb7-da88-4119-8d72-16266eeb5dd4/0?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=5b7ef6ec-f467-4166-9556-35fba301ea49&tr=31&tt=17324434479667468&uuid=ca4f6eb7-da88-4119-8d72-16266eeb5dd4 HTTP/1.1Cache-Control: no-cachePragma: no-cacheContent-Type: application/jsonHost: ps.pndsn.com

Source: global traffic	DNS traffic detected: DNS query: agent-api.atera.com
Source: global traffic	DNS traffic detected: DNS query: ps.pndsn.com
Source: global traffic	DNS traffic detected: DNS query: ps.atera.com

Source: AteraAgent.exe, 0000000D.00000000.1462877199.0000014C07FF2000.00000002.00000001.01000000.0000000F.sdmp, AteraAgent.exe, 0000000E.00000002.2623775013.0000029480001000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe.2.dr	String found in binary or memory: http://acontrol.atera.com/
Source: rundll32.exe, 00000005.00000002.1445956864.00000000044F5000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2623775013.0000029480647000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2623775013.00000294806F6000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2623775013.00000294806C7000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2623775013.0000029480684000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000011.00000002.1572886890.0000000004395000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000013.00000002.1737064202.00000177491EF000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000017.00000002.2206503993.000001DA9D4BF000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000019.00000002.2364172083.000001CA8012F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://agent-api.atera.com
Source: rundll32.exe, 00000005.00000002.1445956864.00000000044F5000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2623775013.0000029480647000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2623775013.00000294806F6000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2623775013.00000294806C7000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2623775013.0000029480684000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000011.00000002.1572886890.0000000004395000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000013.00000002.1737064202.00000177491EF000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000017.00000002.2206503993.000001DA9D4BF000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000019.00000002.2364172083.000001CA8012F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://atera-agent-api-eu.westeurope.cloudapp.azure.com
Source: rundll32.exe, 00000004.00000003.1384418180.0000000004AD1000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1393627816.0000000004271000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1449345788.0000000004D79000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000011.00000003.1520522835.00000000040FF000.00000004.00000020.00020000.00000000.sdmp, ReceitaFederal-consulta-yFZMA-45896_v.3_35687.msi, Microsoft.Deployment.WindowsInstaller.dll.4.dr, MSI30EE.tmp.2.dr, MSI3022.tmp.2.dr, Microsoft.Deployment.WindowsInstaller.dll.6.dr, MSI2FB3.tmp.2.dr, Microsoft.Deployment.WindowsInstaller.dll.17.dr, 5b113b.msi.2.dr, 5b113d.msi.2.dr, MSI2FC4.tmp.2.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: rundll32.exe, 00000004.00000003.1384418180.0000000004AD1000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1393627816.0000000004271000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1449345788.0000000004D79000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2633116462.00000294EAEAF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000011.00000003.1520522835.00000000040FF000.00000004.00000020.00020000.00000000.sdmp, ReceitaFederal-consulta-yFZMA-45896_v.3_35687.msi, AgentPackageAgentInformation.exe.14.dr, System.ValueTuple.dll.2.dr, Pubnub.dll.2.dr, ICSharpCode.SharpZipLib.dll.2.dr, Atera.AgentPackage.Common.dll.14.dr, Newtonsoft.Json.dll.6.dr, Newtonsoft.Json.dll.4.dr, Newtonsoft.Json.dll.2.dr, Newtonsoft.Json.dll.14.dr, Newtonsoft.Json.dll.5.dr, Newtonsoft.Json.dll.17.dr, AteraAgent.exe.2.dr, 5b113b.msi.2.dr, 5b113d.msi.2.dr, BouncyCastle.Crypto.dll.2.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: rundll32.exe, 00000004.00000003.1384418180.0000000004AD1000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1393627816.0000000004271000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1449345788.0000000004D79000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000011.00000003.1520522835.00000000040FF000.00000004.00000020.00020000.00000000.sdmp, Newtonsoft.Json.dll.6.dr, Newtonsoft.Json.dll.4.dr, Newtonsoft.Json.dll.5.dr, Newtonsoft.Json.dll.17.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertCSRSA4096RootG5.crt0E
Source: rundll32.exe, 00000004.00000003.1384418180.0000000004AD1000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1393627816.0000000004271000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1449345788.0000000004D79000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000011.00000003.1520522835.00000000040FF000.00000004.00000020.00020000.00000000.sdmp, ReceitaFederal-consulta-yFZMA-45896_v.3_35687.msi, Microsoft.Deployment.WindowsInstaller.dll.4.dr, MSI30EE.tmp.2.dr, MSI3022.tmp.2.dr, Microsoft.Deployment.WindowsInstaller.dll.6.dr, MSI2FB3.tmp.2.dr, Microsoft.Deployment.WindowsInstaller.dll.17.dr, 5b113b.msi.2.dr, 5b113d.msi.2.dr, MSI2FC4.tmp.2.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: AteraAgent.exe, 0000000E.00000002.2623775013.000002948029A000.00000004.00000800.00020000.00000000.sdmp, C56C4404C4DEF0DC88E5FCD9F09CB2F10.14.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt
Source: AteraAgent.exe, 0000000D.00000002.1516184383.0000014C228CC000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.1515070102.0000014C09F5A000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.1514531670.0000014C09BF0000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2633116462.00000294EAE48000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2634013625.00000294EAF66000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2633116462.00000294EADC0000.00000004.00000020.00020000.00000000.sdmp, ReceitaFederal-consulta-yFZMA-45896_v.3_35687.msi, AgentPackageAgentInformation.exe.14.dr, System.ValueTuple.dll.2.dr, Pubnub.dll.2.dr, ICSharpCode.SharpZipLib.dll.2.dr, Atera.AgentPackage.Common.dll.14.dr, Newtonsoft.Json.dll.2.dr, Newtonsoft.Json.dll.14.dr, AteraAgent.exe.2.dr, 5b113b.msi.2.dr, 5b113d.msi.2.dr, BouncyCastle.Crypto.dll.2.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: rundll32.exe, 00000004.00000003.1384418180.0000000004AD1000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1393627816.0000000004271000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1449345788.0000000004D79000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.1514531670.0000014C09BF0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000011.00000003.1520522835.00000000040FF000.00000004.00000020.00020000.00000000.sdmp, ReceitaFederal-consulta-yFZMA-45896_v.3_35687.msi, AgentPackageAgentInformation.exe.14.dr, System.ValueTuple.dll.2.dr, Pubnub.dll.2.dr, ICSharpCode.SharpZipLib.dll.2.dr, Atera.AgentPackage.Common.dll.14.dr, Newtonsoft.Json.dll.6.dr, Newtonsoft.Json.dll.4.dr, Newtonsoft.Json.dll.2.dr, Newtonsoft.Json.dll.14.dr, Newtonsoft.Json.dll.5.dr, Newtonsoft.Json.dll.17.dr, AteraAgent.exe.2.dr, 5b113b.msi.2.dr, 5b113d.msi.2.dr, BouncyCastle.Crypto.dll.2.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: F2E248BEDDBB2D85122423C41028BFD40.14.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt
Source: rundll32.exe, 00000004.00000003.1384418180.0000000004AD1000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1393627816.0000000004271000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1449345788.0000000004D79000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2633116462.00000294EAE48000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2634013625.00000294EAEF6000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2634013625.00000294EAF66000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000011.00000003.1520522835.00000000040FF000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000013.00000002.1736722380.0000017748FF0000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000017.00000002.2207440429.000001DAB5C2A000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000019.00000002.2366838259.000001CAF08D5000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000019.00000002.2366838259.000001CAF0900000.00000004.00000020.00020000.00000000.sdmp, ReceitaFederal-consulta-yFZMA-45896_v.3_35687.msi, AgentPackageAgentInformation.exe.14.dr, System.ValueTuple.dll.2.dr, Pubnub.dll.2.dr, ICSharpCode.SharpZipLib.dll.2.dr, C56C4404C4DEF0DC88E5FCD9F09CB2F1.14.dr, Atera.AgentPackage.Common.dll.14.dr, Newtonsoft.Json.dll.6.dr, Newtonsoft.Json.dll.4.dr, Newtonsoft.Json.dll.2.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: rundll32.exe, 00000004.00000003.1384418180.0000000004AD1000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1393627816.0000000004271000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1449345788.0000000004D79000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000011.00000003.1520522835.00000000040FF000.00000004.00000020.00020000.00000000.sdmp, ReceitaFederal-consulta-yFZMA-45896_v.3_35687.msi, Microsoft.Deployment.WindowsInstaller.dll.4.dr, MSI30EE.tmp.2.dr, MSI3022.tmp.2.dr, Microsoft.Deployment.WindowsInstaller.dll.6.dr, MSI2FB3.tmp.2.dr, Microsoft.Deployment.WindowsInstaller.dll.17.dr, 5b113b.msi.2.dr, 5b113d.msi.2.dr, MSI2FC4.tmp.2.dr	String found in binary or memory: http://cacerts.digicert.com/NETFoundationProjectsCodeSigningCA.crt0
Source: rundll32.exe, 00000004.00000003.1384418180.0000000004AD1000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1393627816.0000000004271000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1449345788.0000000004D79000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000011.00000003.1520522835.00000000040FF000.00000004.00000020.00020000.00000000.sdmp, Newtonsoft.Json.dll.6.dr, Newtonsoft.Json.dll.4.dr, Newtonsoft.Json.dll.5.dr, Newtonsoft.Json.dll.17.dr	String found in binary or memory: http://cacerts.digicert.com/NETFoundationProjectsCodeSigningCA2.crt0
Source: AteraAgent.exe, 0000000E.00000002.2633116462.00000294EAEAF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ciCertTrustedimeStampingCA.cr0$
Source: AteraAgent.exe, 0000000D.00000002.1514531670.0000014C09CD1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/
Source: rundll32.exe, 00000004.00000003.1384418180.0000000004AD1000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1393627816.0000000004271000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1449345788.0000000004D79000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2633116462.00000294EAEAF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000011.00000003.1520522835.00000000040FF000.00000004.00000020.00020000.00000000.sdmp, ReceitaFederal-consulta-yFZMA-45896_v.3_35687.msi, AgentPackageAgentInformation.exe.14.dr, System.ValueTuple.dll.2.dr, Pubnub.dll.2.dr, ICSharpCode.SharpZipLib.dll.2.dr, Atera.AgentPackage.Common.dll.14.dr, Newtonsoft.Json.dll.6.dr, Newtonsoft.Json.dll.4.dr, Newtonsoft.Json.dll.2.dr, Newtonsoft.Json.dll.14.dr, Newtonsoft.Json.dll.5.dr, Newtonsoft.Json.dll.17.dr, AteraAgent.exe.2.dr, 5b113b.msi.2.dr, 5b113d.msi.2.dr, BouncyCastle.Crypto.dll.2.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: rundll32.exe, 00000004.00000003.1384418180.0000000004AD1000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1393627816.0000000004271000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1449345788.0000000004D79000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000011.00000003.1520522835.00000000040FF000.00000004.00000020.00020000.00000000.sdmp, ReceitaFederal-consulta-yFZMA-45896_v.3_35687.msi, Microsoft.Deployment.WindowsInstaller.dll.4.dr, MSI30EE.tmp.2.dr, MSI3022.tmp.2.dr, Microsoft.Deployment.WindowsInstaller.dll.6.dr, MSI2FB3.tmp.2.dr, Microsoft.Deployment.WindowsInstaller.dll.17.dr, 5b113b.msi.2.dr, 5b113d.msi.2.dr, MSI2FC4.tmp.2.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: rundll32.exe, 00000004.00000003.1384418180.0000000004AD1000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1393627816.0000000004271000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1449345788.0000000004D79000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000011.00000003.1520522835.00000000040FF000.00000004.00000020.00020000.00000000.sdmp, Newtonsoft.Json.dll.6.dr, Newtonsoft.Json.dll.4.dr, Newtonsoft.Json.dll.5.dr, Newtonsoft.Json.dll.17.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertCSRSA4096RootG5.crl0
Source: rundll32.exe, 00000004.00000003.1384418180.0000000004AD1000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1393627816.0000000004271000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1449345788.0000000004D79000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000011.00000003.1520522835.00000000040FF000.00000004.00000020.00020000.00000000.sdmp, ReceitaFederal-consulta-yFZMA-45896_v.3_35687.msi, Microsoft.Deployment.WindowsInstaller.dll.4.dr, MSI30EE.tmp.2.dr, MSI3022.tmp.2.dr, Microsoft.Deployment.WindowsInstaller.dll.6.dr, MSI2FB3.tmp.2.dr, Microsoft.Deployment.WindowsInstaller.dll.17.dr, 5b113b.msi.2.dr, 5b113d.msi.2.dr, MSI2FC4.tmp.2.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0=
Source: AteraAgent.exe, 0000000D.00000002.1513193634.0000014C08130000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.1514531670.0000014C09CE1000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.1514531670.0000014C09CA1000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2631705568.00000294EAADF000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2633116462.00000294EAE05000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl
Source: AteraAgent.exe, 0000000D.00000002.1516184383.0000014C228CC000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.1515070102.0000014C09F5A000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.1514531670.0000014C09BF0000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2633116462.00000294EAE48000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2634013625.00000294EAF66000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2623775013.000002948029A000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2633116462.00000294EADC0000.00000004.00000020.00020000.00000000.sdmp, ReceitaFederal-consulta-yFZMA-45896_v.3_35687.msi, AgentPackageAgentInformation.exe.14.dr, System.ValueTuple.dll.2.dr, Pubnub.dll.2.dr, ICSharpCode.SharpZipLib.dll.2.dr, Atera.AgentPackage.Common.dll.14.dr, Newtonsoft.Json.dll.2.dr, Newtonsoft.Json.dll.14.dr, AteraAgent.exe.2.dr, 5b113b.msi.2.dr, 5b113d.msi.2.dr, BouncyCastle.Crypto.dll.2.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: AteraAgent.exe, 0000000D.00000002.1513193634.0000014C08130000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crlA
Source: AteraAgent.exe, 0000000E.00000002.2631705568.00000294EAA1F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crlM
Source: AteraAgent.exe, 0000000E.00000002.2631705568.00000294EAADF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crle
Source: rundll32.exe, 00000004.00000003.1384418180.0000000004AD1000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1393627816.0000000004271000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1449345788.0000000004D79000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.1514531670.0000014C09BF0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000011.00000003.1520522835.00000000040FF000.00000004.00000020.00020000.00000000.sdmp, ReceitaFederal-consulta-yFZMA-45896_v.3_35687.msi, AgentPackageAgentInformation.exe.14.dr, System.ValueTuple.dll.2.dr, Pubnub.dll.2.dr, ICSharpCode.SharpZipLib.dll.2.dr, Atera.AgentPackage.Common.dll.14.dr, Newtonsoft.Json.dll.6.dr, Newtonsoft.Json.dll.4.dr, Newtonsoft.Json.dll.2.dr, Newtonsoft.Json.dll.14.dr, Newtonsoft.Json.dll.5.dr, Newtonsoft.Json.dll.17.dr, AteraAgent.exe.2.dr, 5b113b.msi.2.dr, 5b113d.msi.2.dr, BouncyCastle.Crypto.dll.2.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: AteraAgent.exe, 0000000E.00000002.2631705568.00000294EAA1F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl
Source: BouncyCastle.Crypto.dll.2.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: AteraAgent.exe, 0000000E.00000002.2631705568.00000294EAA1F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl5
Source: AteraAgent.exe, 0000000E.00000002.2631705568.00000294EAA1F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crlL
Source: rundll32.exe, 00000004.00000003.1384418180.0000000004AD1000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1393627816.0000000004271000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1449345788.0000000004D79000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000011.00000003.1520522835.00000000040FF000.00000004.00000020.00020000.00000000.sdmp, ReceitaFederal-consulta-yFZMA-45896_v.3_35687.msi, Microsoft.Deployment.WindowsInstaller.dll.4.dr, MSI30EE.tmp.2.dr, MSI3022.tmp.2.dr, Microsoft.Deployment.WindowsInstaller.dll.6.dr, MSI2FB3.tmp.2.dr, Microsoft.Deployment.WindowsInstaller.dll.17.dr, 5b113b.msi.2.dr, 5b113d.msi.2.dr, MSI2FC4.tmp.2.dr	String found in binary or memory: http://crl3.digicert.com/NETFoundationProjectsCodeSigningCA.crl0E
Source: rundll32.exe, 00000004.00000003.1384418180.0000000004AD1000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1393627816.0000000004271000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1449345788.0000000004D79000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000011.00000003.1520522835.00000000040FF000.00000004.00000020.00020000.00000000.sdmp, Newtonsoft.Json.dll.6.dr, Newtonsoft.Json.dll.4.dr, Newtonsoft.Json.dll.5.dr, Newtonsoft.Json.dll.17.dr	String found in binary or memory: http://crl3.digicert.com/NETFoundationProjectsCodeSigningCA2.crl0F
Source: AteraAgent.exe, 0000000E.00000002.2631705568.00000294EAADF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/l
Source: rundll32.exe, 00000004.00000003.1384418180.0000000004AD1000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1393627816.0000000004271000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1449345788.0000000004D79000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000011.00000003.1520522835.00000000040FF000.00000004.00000020.00020000.00000000.sdmp, ReceitaFederal-consulta-yFZMA-45896_v.3_35687.msi, Microsoft.Deployment.WindowsInstaller.dll.4.dr, MSI30EE.tmp.2.dr, MSI3022.tmp.2.dr, Microsoft.Deployment.WindowsInstaller.dll.6.dr, MSI2FB3.tmp.2.dr, Microsoft.Deployment.WindowsInstaller.dll.17.dr, 5b113b.msi.2.dr, 5b113d.msi.2.dr, MSI2FC4.tmp.2.dr	String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: AteraAgent.exe, 0000000D.00000002.1514531670.0000014C09CE9000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2633116462.00000294EAE48000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com:80/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crlrlCache
Source: AteraAgent.exe, 0000000D.00000002.1514531670.0000014C09CD1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/
Source: rundll32.exe, 00000004.00000003.1384418180.0000000004AD1000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1393627816.0000000004271000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1449345788.0000000004D79000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000011.00000003.1520522835.00000000040FF000.00000004.00000020.00020000.00000000.sdmp, ReceitaFederal-consulta-yFZMA-45896_v.3_35687.msi, Microsoft.Deployment.WindowsInstaller.dll.4.dr, MSI30EE.tmp.2.dr, MSI3022.tmp.2.dr, Microsoft.Deployment.WindowsInstaller.dll.6.dr, MSI2FB3.tmp.2.dr, Microsoft.Deployment.WindowsInstaller.dll.17.dr, 5b113b.msi.2.dr, 5b113d.msi.2.dr, MSI2FC4.tmp.2.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: AteraAgent.exe, 0000000D.00000002.1514531670.0000014C09BF0000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.1514531670.0000014C09CA1000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2623775013.000002948029A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl
Source: AteraAgent.exe, 0000000D.00000002.1516184383.0000014C228CC000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.1515070102.0000014C09F5A000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.1514531670.0000014C09BF0000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2633116462.00000294EAE48000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2634013625.00000294EAF66000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2633116462.00000294EADC0000.00000004.00000020.00020000.00000000.sdmp, ReceitaFederal-consulta-yFZMA-45896_v.3_35687.msi, AgentPackageAgentInformation.exe.14.dr, System.ValueTuple.dll.2.dr, Pubnub.dll.2.dr, ICSharpCode.SharpZipLib.dll.2.dr, Atera.AgentPackage.Common.dll.14.dr, Newtonsoft.Json.dll.2.dr, Newtonsoft.Json.dll.14.dr, AteraAgent.exe.2.dr, 5b113b.msi.2.dr, 5b113d.msi.2.dr, BouncyCastle.Crypto.dll.2.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: AteraAgent.exe, 0000000D.00000002.1513193634.0000014C08130000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crll
Source: AteraAgent.exe, 0000000D.00000002.1514531670.0000014C09CE1000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.1514531670.0000014C09CA1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crlp
Source: AteraAgent.exe, 0000000D.00000002.1514531670.0000014C09CA1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crls
Source: rundll32.exe, 00000004.00000003.1384418180.0000000004AD1000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1393627816.0000000004271000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1449345788.0000000004D79000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000011.00000003.1520522835.00000000040FF000.00000004.00000020.00020000.00000000.sdmp, ReceitaFederal-consulta-yFZMA-45896_v.3_35687.msi, Microsoft.Deployment.WindowsInstaller.dll.4.dr, MSI30EE.tmp.2.dr, MSI3022.tmp.2.dr, Microsoft.Deployment.WindowsInstaller.dll.6.dr, MSI2FB3.tmp.2.dr, Microsoft.Deployment.WindowsInstaller.dll.17.dr, 5b113b.msi.2.dr, 5b113d.msi.2.dr, MSI2FC4.tmp.2.dr	String found in binary or memory: http://crl4.digicert.com/NETFoundationProjectsCodeSigningCA.crl0L
Source: rundll32.exe, 00000004.00000003.1384418180.0000000004AD1000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1393627816.0000000004271000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1449345788.0000000004D79000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000011.00000003.1520522835.00000000040FF000.00000004.00000020.00020000.00000000.sdmp, Newtonsoft.Json.dll.6.dr, Newtonsoft.Json.dll.4.dr, Newtonsoft.Json.dll.5.dr, Newtonsoft.Json.dll.17.dr	String found in binary or memory: http://crl4.digicert.com/NETFoundationProjectsCodeSigningCA2.crl0=
Source: rundll32.exe, 00000004.00000003.1384418180.0000000004AD1000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1393627816.0000000004271000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1449345788.0000000004D79000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000011.00000003.1520522835.00000000040FF000.00000004.00000020.00020000.00000000.sdmp, ReceitaFederal-consulta-yFZMA-45896_v.3_35687.msi, Microsoft.Deployment.WindowsInstaller.dll.4.dr, MSI30EE.tmp.2.dr, MSI3022.tmp.2.dr, Microsoft.Deployment.WindowsInstaller.dll.6.dr, MSI2FB3.tmp.2.dr, Microsoft.Deployment.WindowsInstaller.dll.17.dr, 5b113b.msi.2.dr, 5b113d.msi.2.dr, MSI2FC4.tmp.2.dr	String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: AteraAgent.exe, 0000000D.00000002.1514531670.0000014C09CE9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com:80/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl
Source: AteraAgent.exe, 0000000E.00000002.2633116462.00000294EADC0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cabomI
Source: AteraAgent.exe, 0000000E.00000002.2633116462.00000294EADC0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/enb
Source: AgentPackageAgentInformation.exe, 00000013.00000000.1696182343.00000177486B2000.00000002.00000001.01000000.00000016.sdmp, AgentPackageAgentInformation.exe.14.dr	String found in binary or memory: http://dl.google.com/googletalk/googletalk-setup.exe
Source: Newtonsoft.Json.dll.17.dr	String found in binary or memory: http://james.newtonking.com/projects/json
Source: rundll32.exe, 00000011.00000002.1570641470.00000000005A5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://msdn.micros
Source: AteraAgent.exe, 0000000D.00000002.1514531670.0000014C09CD1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com/
Source: AteraAgent.exe, 0000000D.00000002.1514531670.0000014C09BF0000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2634013625.00000294EAF66000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2633116462.00000294EAE05000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2631705568.00000294EAA1F000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2633116462.00000294EADC0000.00000004.00000020.00020000.00000000.sdmp, 8EC9B1D0ABBD7F98B401D425828828CE_DEB07B5578A606ED6489DDA2E357A9440.13.dr	String found in binary or memory: http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSRXerF0eFeSWRripTgTkcJWMm7iQQUaDfg67Y7%2BF8Rh
Source: 698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB0.13.dr	String found in binary or memory: http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBT3xL4LQLXDRDM9P665TW442vrsUQQUReuir%2FSSy4IxL
Source: AteraAgent.exe, 0000000E.00000002.2633116462.00000294EAE48000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2631705568.00000294EAA1F000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2633116462.00000294EAE2D000.00000004.00000020.00020000.00000000.sdmp, C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F1410.13.dr	String found in binary or memory: http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfIs%2BLjDtGwQ09XEB1Yeq%2BtX%2BBgQQU7NfjgtJxX
Source: AteraAgent.exe, 0000000D.00000002.1516184383.0000014C228CC000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.1515070102.0000014C09F5A000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.1514531670.0000014C09BF0000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2633116462.00000294EAE48000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2634013625.00000294EAF66000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2623775013.000002948029A000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2633116462.00000294EADC0000.00000004.00000020.00020000.00000000.sdmp, ReceitaFederal-consulta-yFZMA-45896_v.3_35687.msi, AgentPackageAgentInformation.exe.14.dr, System.ValueTuple.dll.2.dr, Pubnub.dll.2.dr, ICSharpCode.SharpZipLib.dll.2.dr, Atera.AgentPackage.Common.dll.14.dr, Newtonsoft.Json.dll.2.dr, Newtonsoft.Json.dll.14.dr, AteraAgent.exe.2.dr, 5b113b.msi.2.dr, 5b113d.msi.2.dr, BouncyCastle.Crypto.dll.2.dr	String found in binary or memory: http://ocsp.digicert.com0
Source: rundll32.exe, 00000004.00000003.1384418180.0000000004AD1000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1393627816.0000000004271000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1449345788.0000000004D79000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2633116462.00000294EAE48000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2634013625.00000294EAEF6000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2634013625.00000294EAF66000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000011.00000003.1520522835.00000000040FF000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000013.00000002.1736722380.0000017748FF0000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000017.00000002.2207440429.000001DAB5C2A000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000019.00000002.2366838259.000001CAF08D5000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000019.00000002.2366838259.000001CAF0900000.00000004.00000020.00020000.00000000.sdmp, ReceitaFederal-consulta-yFZMA-45896_v.3_35687.msi, AgentPackageAgentInformation.exe.14.dr, System.ValueTuple.dll.2.dr, Pubnub.dll.2.dr, ICSharpCode.SharpZipLib.dll.2.dr, C56C4404C4DEF0DC88E5FCD9F09CB2F1.14.dr, Atera.AgentPackage.Common.dll.14.dr, Newtonsoft.Json.dll.6.dr, Newtonsoft.Json.dll.4.dr, Newtonsoft.Json.dll.2.dr	String found in binary or memory: http://ocsp.digicert.com0A
Source: rundll32.exe, 00000004.00000003.1384418180.0000000004AD1000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1393627816.0000000004271000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1449345788.0000000004D79000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2633116462.00000294EAEAF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000011.00000003.1520522835.00000000040FF000.00000004.00000020.00020000.00000000.sdmp, ReceitaFederal-consulta-yFZMA-45896_v.3_35687.msi, AgentPackageAgentInformation.exe.14.dr, Microsoft.Deployment.WindowsInstaller.dll.4.dr, System.ValueTuple.dll.2.dr, Pubnub.dll.2.dr, ICSharpCode.SharpZipLib.dll.2.dr, Atera.AgentPackage.Common.dll.14.dr, MSI30EE.tmp.2.dr, Newtonsoft.Json.dll.6.dr, Newtonsoft.Json.dll.4.dr, Newtonsoft.Json.dll.2.dr, Newtonsoft.Json.dll.14.dr, MSI3022.tmp.2.dr, Microsoft.Deployment.WindowsInstaller.dll.6.dr, Newtonsoft.Json.dll.5.dr, MSI2FB3.tmp.2.dr	String found in binary or memory: http://ocsp.digicert.com0C
Source: rundll32.exe, 00000004.00000003.1384418180.0000000004AD1000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1393627816.0000000004271000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1449345788.0000000004D79000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000011.00000003.1520522835.00000000040FF000.00000004.00000020.00020000.00000000.sdmp, ReceitaFederal-consulta-yFZMA-45896_v.3_35687.msi, Microsoft.Deployment.WindowsInstaller.dll.4.dr, MSI30EE.tmp.2.dr, MSI3022.tmp.2.dr, Microsoft.Deployment.WindowsInstaller.dll.6.dr, MSI2FB3.tmp.2.dr, Microsoft.Deployment.WindowsInstaller.dll.17.dr, 5b113b.msi.2.dr, 5b113d.msi.2.dr, MSI2FC4.tmp.2.dr	String found in binary or memory: http://ocsp.digicert.com0K
Source: rundll32.exe, 00000004.00000003.1384418180.0000000004AD1000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1393627816.0000000004271000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1449345788.0000000004D79000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000011.00000003.1520522835.00000000040FF000.00000004.00000020.00020000.00000000.sdmp, ReceitaFederal-consulta-yFZMA-45896_v.3_35687.msi, Microsoft.Deployment.WindowsInstaller.dll.4.dr, MSI30EE.tmp.2.dr, MSI3022.tmp.2.dr, Microsoft.Deployment.WindowsInstaller.dll.6.dr, MSI2FB3.tmp.2.dr, Microsoft.Deployment.WindowsInstaller.dll.17.dr, 5b113b.msi.2.dr, 5b113d.msi.2.dr, MSI2FC4.tmp.2.dr	String found in binary or memory: http://ocsp.digicert.com0N
Source: rundll32.exe, 00000004.00000003.1384418180.0000000004AD1000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1393627816.0000000004271000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1449345788.0000000004D79000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000011.00000003.1520522835.00000000040FF000.00000004.00000020.00020000.00000000.sdmp, ReceitaFederal-consulta-yFZMA-45896_v.3_35687.msi, Microsoft.Deployment.WindowsInstaller.dll.4.dr, MSI30EE.tmp.2.dr, Newtonsoft.Json.dll.6.dr, Newtonsoft.Json.dll.4.dr, MSI3022.tmp.2.dr, Microsoft.Deployment.WindowsInstaller.dll.6.dr, Newtonsoft.Json.dll.5.dr, MSI2FB3.tmp.2.dr, Newtonsoft.Json.dll.17.dr, Microsoft.Deployment.WindowsInstaller.dll.17.dr, 5b113b.msi.2.dr, 5b113d.msi.2.dr, MSI2FC4.tmp.2.dr	String found in binary or memory: http://ocsp.digicert.com0O
Source: rundll32.exe, 00000004.00000003.1384418180.0000000004AD1000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1393627816.0000000004271000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1449345788.0000000004D79000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.1514531670.0000014C09BF0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000011.00000003.1520522835.00000000040FF000.00000004.00000020.00020000.00000000.sdmp, ReceitaFederal-consulta-yFZMA-45896_v.3_35687.msi, AgentPackageAgentInformation.exe.14.dr, System.ValueTuple.dll.2.dr, Pubnub.dll.2.dr, ICSharpCode.SharpZipLib.dll.2.dr, Atera.AgentPackage.Common.dll.14.dr, Newtonsoft.Json.dll.6.dr, Newtonsoft.Json.dll.4.dr, Newtonsoft.Json.dll.2.dr, Newtonsoft.Json.dll.14.dr, Newtonsoft.Json.dll.5.dr, Newtonsoft.Json.dll.17.dr, AteraAgent.exe.2.dr, 5b113b.msi.2.dr, 5b113d.msi.2.dr, BouncyCastle.Crypto.dll.2.dr	String found in binary or memory: http://ocsp.digicert.com0X
Source: AteraAgent.exe, 0000000D.00000002.1516184383.0000014C228AD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com1.3.6.1.5.5.7.48.2http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRS
Source: AteraAgent.exe, 0000000D.00000002.1514531670.0000014C09C79000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com:80/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSRXerF0eFeSWRripTgTkcJWMm7iQQUaDfg67Y7%2BF
Source: AteraAgent.exe, 0000000E.00000002.2633116462.00000294EAE48000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com:80;
Source: AteraAgent.exe, 0000000D.00000002.1514531670.0000014C09BF0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/DigiCertAssuredIDRootCA.crl
Source: AteraAgent.exe, 0000000E.00000002.2633116462.00000294EADC0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.cr
Source: AteraAgent.exe, 0000000D.00000002.1514531670.0000014C09BF0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/DigiCertTrustedRootG4.crl
Source: AteraAgent.exe, 0000000E.00000002.2633116462.00000294EAE48000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/DigiCertTrustedRootG4.crlh
Source: AteraAgent.exe, 0000000E.00000002.2623775013.00000294806B5000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2623775013.0000029480534000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ps.pndsn.com
Source: AteraAgent.exe, 0000000D.00000002.1515070102.0000014C09F5A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.datacontract.org
Source: AteraAgent.exe, 0000000D.00000002.1515070102.0000014C09F5A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.datacontract.org/2004/07/
Source: AteraAgent.exe, 0000000D.00000002.1515070102.0000014C09F5A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.datacontract.org/2004/07/System.ServiceProcess
Source: rundll32.exe, 00000005.00000002.1445956864.0000000004431000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.1445956864.00000000044D4000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2623775013.0000029480001000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000011.00000002.1572886890.0000000004374000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000011.00000002.1572886890.00000000042D1000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000013.00000002.1737064202.0000017749143000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000017.00000002.2206503993.000001DA9D44F000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000019.00000002.2364172083.000001CA800BF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: rundll32.exe, 00000004.00000003.1384418180.0000000004AD1000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1393627816.0000000004271000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1449345788.0000000004D79000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000011.00000003.1520522835.00000000040FF000.00000004.00000020.00020000.00000000.sdmp, ReceitaFederal-consulta-yFZMA-45896_v.3_35687.msi, Microsoft.Deployment.WindowsInstaller.dll.4.dr, MSI30EE.tmp.2.dr, MSI3022.tmp.2.dr, Microsoft.Deployment.WindowsInstaller.dll.6.dr, MSI2FB3.tmp.2.dr, Microsoft.Deployment.WindowsInstaller.dll.17.dr, 5b113b.msi.2.dr, 5b113d.msi.2.dr, MSI2FC4.tmp.2.dr	String found in binary or memory: http://wixtoolset.org
Source: rundll32.exe, 00000004.00000003.1384418180.0000000004AA0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1393627816.0000000004240000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1449345788.0000000004D48000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000011.00000003.1520522835.00000000040CE000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Deployment.WindowsInstaller.dll.4.dr, Microsoft.Deployment.WindowsInstaller.dll.6.dr, Microsoft.Deployment.WindowsInstaller.dll.17.dr	String found in binary or memory: http://wixtoolset.org/Whttp://wixtoolset.org/telemetry/v
Source: rundll32.exe, 00000004.00000003.1384418180.0000000004AA0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1393627816.0000000004240000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1449345788.0000000004D48000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000011.00000003.1520522835.00000000040CE000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Deployment.WindowsInstaller.dll.4.dr, Microsoft.Deployment.WindowsInstaller.dll.6.dr, Microsoft.Deployment.WindowsInstaller.dll.17.dr	String found in binary or memory: http://wixtoolset.org/news/
Source: rundll32.exe, 00000004.00000003.1384418180.0000000004AA0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1393627816.0000000004240000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1449345788.0000000004D48000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000011.00000003.1520522835.00000000040CE000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Deployment.WindowsInstaller.dll.4.dr, Microsoft.Deployment.WindowsInstaller.dll.6.dr, Microsoft.Deployment.WindowsInstaller.dll.17.dr	String found in binary or memory: http://wixtoolset.org/releases/
Source: AteraAgent.exe, 0000000E.00000002.2623775013.000002948029A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.digicert.com/CPS
Source: rundll32.exe, 00000004.00000003.1384418180.0000000004AD1000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1393627816.0000000004271000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1449345788.0000000004D79000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.1516184383.0000014C228CC000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.1515070102.0000014C09F5A000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.1514531670.0000014C09BF0000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2633116462.00000294EAE48000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2634013625.00000294EAF66000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2633116462.00000294EADC0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000011.00000003.1520522835.00000000040FF000.00000004.00000020.00020000.00000000.sdmp, ReceitaFederal-consulta-yFZMA-45896_v.3_35687.msi, AgentPackageAgentInformation.exe.14.dr, System.ValueTuple.dll.2.dr, Pubnub.dll.2.dr, ICSharpCode.SharpZipLib.dll.2.dr, Atera.AgentPackage.Common.dll.14.dr, Newtonsoft.Json.dll.6.dr, Newtonsoft.Json.dll.4.dr, Newtonsoft.Json.dll.2.dr, Newtonsoft.Json.dll.14.dr, Newtonsoft.Json.dll.5.dr	String found in binary or memory: http://www.digicert.com/CPS0
Source: AteraAgent.exe, 0000000D.00000002.1515070102.0000014C09F5A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.w3.o
Source: AteraAgent.exe, 0000000D.00000002.1515070102.0000014C09F5A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.w3.oh
Source: AteraAgent.exe, 0000000E.00000002.2623775013.0000029480647000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2623775013.00000294805C6000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2623775013.00000294806F4000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2623775013.00000294805D8000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2623775013.00000294806C7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://agent-api.P
Source: AteraAgent.exe, 0000000E.00000002.2623775013.00000294806C7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://agent-api.PrZ
Source: rundll32.exe, 00000005.00000002.1445956864.00000000044D4000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000011.00000002.1572886890.0000000004374000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://agent-api.aterD
Source: rundll32.exe, 00000004.00000003.1384418180.0000000004AA0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.1445956864.0000000004431000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.1445956864.00000000044D4000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1393627816.0000000004240000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1449345788.0000000004D48000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2623775013.00000294805C6000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2623775013.0000029480001000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2623775013.0000029480374000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000011.00000002.1572886890.0000000004374000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000011.00000003.1520522835.00000000040CE000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000011.00000002.1572886890.00000000042D1000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000013.00000002.1737064202.0000017749143000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000017.00000002.2206503993.000001DA9D44F000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000019.00000002.2364172083.000001CA800BF000.00000004.00000800.00020000.00000000.sdmp, AlphaControlAgentInstallation.dll.5.dr, AlphaControlAgentInstallation.dll.6.dr, AlphaControlAgentInstallation.dll.17.dr, AlphaControlAgentInstallation.dll.4.dr	String found in binary or memory: https://agent-api.atera.com
Source: rundll32.exe, 00000004.00000003.1384418180.0000000004AA0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.1445956864.0000000004431000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.1445956864.00000000044D4000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1393627816.0000000004240000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1449345788.0000000004D48000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000011.00000002.1572886890.0000000004374000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000011.00000003.1520522835.00000000040CE000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000011.00000002.1572886890.00000000042D1000.00000004.00000800.00020000.00000000.sdmp, AlphaControlAgentInstallation.dll.5.dr, AlphaControlAgentInstallation.dll.6.dr, AlphaControlAgentInstallation.dll.17.dr, AlphaControlAgentInstallation.dll.4.dr	String found in binary or memory: https://agent-api.atera.com/
Source: AteraAgent.exe, 0000000E.00000002.2623775013.00000294805C6000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2623775013.000002948029A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://agent-api.atera.com/Pro
Source: AgentPackageAgentInformation.exe, 00000013.00000002.1737064202.0000017749143000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000017.00000002.2206503993.000001DA9D44F000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000019.00000002.2364172083.000001CA800BF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://agent-api.atera.com/Production
Source: rundll32.exe, 00000004.00000003.1384418180.0000000004AA0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.1445956864.0000000004431000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.1445956864.00000000044D4000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1393627816.0000000004240000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1449345788.0000000004D48000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000011.00000002.1572886890.0000000004374000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000011.00000003.1520522835.00000000040CE000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000011.00000002.1572886890.00000000042D1000.00000004.00000800.00020000.00000000.sdmp, AlphaControlAgentInstallation.dll.5.dr, AlphaControlAgentInstallation.dll.6.dr, AlphaControlAgentInstallation.dll.17.dr, AlphaControlAgentInstallation.dll.4.dr	String found in binary or memory: https://agent-api.atera.com/Production/Agent/
Source: AteraAgent.exe, 0000000E.00000002.2623775013.00000294801DF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://agent-api.atera.com/Production/Agent/AcknowledgeCommands
Source: AteraAgent.exe, 0000000E.00000002.2623775013.00000294801DF000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2623775013.000002948029A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://agent-api.atera.com/Production/Agent/AgentStarting
Source: AgentPackageAgentInformation.exe, 00000013.00000002.1737064202.0000017749143000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000017.00000002.2206503993.000001DA9D44F000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000019.00000002.2364172083.000001CA800BF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://agent-api.atera.com/Production/Agent/CommandResult
Source: AteraAgent.exe, 0000000E.00000002.2623775013.00000294805C6000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2623775013.00000294801DF000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2623775013.00000294807A6000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2623775013.000002948029A000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2623775013.0000029480368000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://agent-api.atera.com/Production/Agent/GetCommands
Source: AteraAgent.exe, 0000000E.00000002.2623775013.00000294801DF000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2623775013.000002948029A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://agent-api.atera.com/Production/Agent/GetCommandsFallback
Source: AteraAgent.exe, 0000000E.00000002.2623775013.0000029480001000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://agent-api.atera.com/Production/Agent/GetEnvironmentStatus
Source: AteraAgent.exe, 0000000E.00000002.2623775013.00000294805C6000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2623775013.00000294805D8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://agent-api.atera.com/Production/Agent/GetRecurrin
Source: AteraAgent.exe, 0000000E.00000002.2623775013.0000029480374000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://agent-api.atera.com/Production/Agent/GetRecurringPackages
Source: AteraAgent.exe, 0000000E.00000002.2623775013.000002948029A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://agent-api.atera.com/Production/Agent/GetRecurringPackagesNENTIALBACKOFF
Source: AteraAgent.exe, 0000000E.00000002.2623775013.000002948029A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://agent-api.atera.com/Production/Agent/GetRecurringPackagesected.
Source: AteraAgent.exe, 0000000E.00000002.2623775013.000002948029A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://agent-api.atera.com/Production/Agent/GetRecurringPackagesiChannelSubscribeRequestk.server.
Source: AteraAgent.exe, 0000000E.00000002.2623775013.000002948029A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://agent-api.atera.com/Production/Agent/GetRecurringPackagesibe
Source: AteraAgent.exe, 0000000E.00000002.2623775013.00000294801DF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://agent-api.atera.com/Production/Agent/GetRecurringPackagesseTaskFactory/sub-c-a02ceca8-a958-1
Source: AteraAgent.exe, 0000000E.00000002.2623775013.000002948029A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://agent-api.atera.com/Production/Agent/GetRecurringPackagesseTaskFactorya02ceca8-a958-11e5-bd8
Source: rundll32.exe, 00000005.00000002.1445956864.0000000004431000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.1445956864.00000000044D4000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000011.00000002.1572886890.0000000004374000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000011.00000002.1572886890.00000000042D1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://agent-api.atera.com/Production/Agent/track-event
Source: rundll32.exe, 00000004.00000003.1384418180.0000000004AD1000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1393627816.0000000004271000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1449345788.0000000004D79000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2632599707.00000294EABC2000.00000002.00000001.01000000.0000001A.sdmp, rundll32.exe, 00000011.00000003.1520522835.00000000040FF000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000013.00000002.1737873260.00000177618A2000.00000002.00000001.01000000.00000019.sdmp, Newtonsoft.Json.dll.6.dr, Newtonsoft.Json.dll.4.dr, Newtonsoft.Json.dll.2.dr, Newtonsoft.Json.dll.14.dr, Newtonsoft.Json.dll.5.dr, Newtonsoft.Json.dll.17.dr	String found in binary or memory: https://github.com/JamesNK/Newtonsoft.Json
Source: System.ValueTuple.dll.2.dr	String found in binary or memory: https://github.com/dotnet/corefx/tree/30ab651fcb4354552bd4891619a0bdd81e0ebdbf
Source: System.ValueTuple.dll.2.dr	String found in binary or memory: https://github.com/dotnet/corefx/tree/30ab651fcb4354552bd4891619a0bdd81e0ebdbf8
Source: AteraAgent.exe, 0000000E.00000002.2634938179.00000294EB1C2000.00000002.00000001.01000000.0000001B.sdmp, ICSharpCode.SharpZipLib.dll.2.dr	String found in binary or memory: https://github.com/icsharpcode/SharpZipLib
Source: AteraAgent.exe, 0000000E.00000002.2623775013.00000294801DF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.atera.com/agentpackagescrossplatform/AgentPackageAgentInformation/1.13/AgentPackageA
Source: AteraAgent.exe, 0000000E.00000002.2623775013.00000294800DE000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2623775013.00000294801A9000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2623775013.00000294801C9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.atera.com/agentpackagescrossplatform/AgentPackageAgentInformation/1.13/AgentPackageAgentI
Source: AteraAgent.exe, 0000000E.00000002.2623775013.0000029480135000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2623775013.00000294800DA000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2623775013.000002948006A000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2623775013.00000294806C7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.atera.com/agentpackagesmac/Agent.Package.Availability/0.16/Agent.Package.Availability.zip
Source: AteraAgent.exe, 0000000E.00000002.2623775013.000002948028E000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2623775013.00000294800CA000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2623775013.000002948013F000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2623775013.00000294806C7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.atera.com/agentpackagesmac/Agent.Package.IotPoc/0.2/Agent.Package.IotPoc.zip
Source: AteraAgent.exe, 0000000E.00000002.2623775013.0000029480135000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2623775013.00000294800DA000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2623775013.000002948006A000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2623775013.00000294806C7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.atera.com/agentpackagesmac/Agent.Package.Watchdog/1.7/Agent.Package.Watchdog.zip
Source: AteraAgent.exe, 0000000E.00000002.2623775013.00000294806C7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.atera.com/agentpackagesmac/AgentPackageADRemote/6.0/AgentPackageADRemote.zip
Source: AteraAgent.exe, 0000000E.00000002.2623775013.00000294800DE000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2623775013.00000294800E2000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2623775013.00000294806C7000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2623775013.00000294801A9000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2623775013.00000294801C9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.atera.com/agentpackagesmac/AgentPackageAgentInformation/38.0/AgentPackageAgentInformation
Source: AteraAgent.exe, 0000000E.00000002.2623775013.00000294806C7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.atera.com/agentpackagesmac/AgentPackageHeartbeat/17.11/AgentPackageHeartbeat.zip
Source: AteraAgent.exe, 0000000E.00000002.2623775013.00000294806C7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.atera.com/agentpackagesmac/AgentPackageInternalPoller/13.0/AgentPackageInternalPoller.zip
Source: AteraAgent.exe, 0000000E.00000002.2623775013.00000294806C7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.atera.com/agentpackagesmac/AgentPackageMarketplace/1.6/AgentPackageMarketplace.zip
Source: AteraAgent.exe, 0000000E.00000002.2623775013.000002948028E000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2623775013.00000294806C7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.atera.com/agentpackagesmac/AgentPackageMonitoring/37.8/AgentPackageMonitoring.zip
Source: AteraAgent.exe, 0000000E.00000002.2623775013.00000294800DA000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2623775013.000002948006A000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2623775013.000002948028E000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2623775013.00000294800CA000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2623775013.000002948013F000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2623775013.00000294806C7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.atera.com/agentpackagesmac/AgentPackageNetworkDiscovery/13.0/AgentPackageNetworkDiscovery
Source: AteraAgent.exe, 0000000E.00000002.2623775013.00000294806C7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.atera.com/agentpackagesmac/AgentPackageOsUpdates/20.9/AgentPackageOsUpdates.zip
Source: AteraAgent.exe, 0000000E.00000002.2623775013.00000294806C7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.atera.com/agentpackagesmac/AgentPackageProgramManagement/26.3/AgentPackageProgramManageme
Source: AteraAgent.exe, 0000000E.00000002.2623775013.00000294806C7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.atera.com/agentpackagesmac/AgentPackageRuntimeInstaller/1.5/AgentPackageRuntimeInstaller.
Source: AteraAgent.exe, 0000000E.00000002.2623775013.00000294806C7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.atera.com/agentpackagesmac/AgentPackageSTRemote/24.2/AgentPackageSTRemote.zip
Source: AteraAgent.exe, 0000000E.00000002.2623775013.00000294806C7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.atera.com/agentpackagesmac/AgentPackageSystemTools/27.8/AgentPackageSystemTools.zip
Source: AteraAgent.exe, 0000000E.00000002.2623775013.00000294806C7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.atera.com/agentpackagesmac/AgentPackageTaskScheduler/13.0/AgentPackageTaskScheduler.zip
Source: AteraAgent.exe, 0000000E.00000002.2623775013.00000294806C7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.atera.com/agentpackagesmac/AgentPackageTicketing/13.0/AgentPackageTicketing.zip
Source: AteraAgent.exe, 0000000E.00000002.2623775013.00000294806C7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.atera.com/agentpackagesmac/AgentPackageUpgradeAgent/27.6/AgentPackageUpgradeAgent.zip
Source: AteraAgent.exe, 0000000E.00000002.2623775013.00000294806C7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.atera.com/agentpackagesmac/AgentPackageWindowsUpdate/24.6/AgentPackageWindowsUpdate.zip
Source: AteraAgent.exe, 0000000E.00000002.2623775013.0000029480135000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2623775013.00000294800DA000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2623775013.000002948006A000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2623775013.00000294801DF000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2623775013.00000294806C7000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2623775013.000002948029A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.atera.com/agentpackagesnet45/Agent.Package.Availability/0.16/Agent.Package.Availability.z
Source: AteraAgent.exe, 0000000E.00000002.2623775013.000002948028E000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2623775013.00000294801DF000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2623775013.00000294800CA000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2623775013.000002948013F000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2623775013.00000294806C7000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2623775013.000002948029A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.atera.com/agentpackagesnet45/Agent.Package.IotPoc/0.2/Agent.Package.IotPoc.zip
Source: AteraAgent.exe, 0000000E.00000002.2623775013.0000029480135000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2623775013.00000294800DA000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2623775013.000002948006A000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2623775013.00000294801DF000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2623775013.00000294806C7000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2623775013.000002948029A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.atera.com/agentpackagesnet45/Agent.Package.Watchdog/1.7/Agent.Package.Watchdog.zip
Source: AteraAgent.exe, 0000000E.00000002.2623775013.00000294806C7000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2623775013.000002948029A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageADRemote/6.0/AgentPackageADRemote.zip
Source: AteraAgent.exe, 0000000E.00000002.2623775013.000002948029A000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2623775013.00000294801A9000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2623775013.00000294801C9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageAgentInformation/38.0/AgentPackageAgentInformati
Source: AteraAgent.exe, 0000000E.00000002.2623775013.00000294801DF000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2623775013.00000294806C7000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2623775013.000002948029A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageHeartbeat/17.14/AgentPackageHeartbeat.zip
Source: AteraAgent.exe, 0000000E.00000002.2623775013.00000294801DF000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2623775013.00000294806C7000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2623775013.000002948029A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageInternalPoller/23.8/AgentPackageInternalPoller.z
Source: AteraAgent.exe, 0000000E.00000002.2623775013.00000294801DF000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2623775013.00000294806C7000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2623775013.000002948029A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageMarketplace/1.6/AgentPackageMarketplace.zip
Source: AteraAgent.exe, 0000000E.00000002.2623775013.000002948028E000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2623775013.00000294801DF000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2623775013.00000294806C7000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2623775013.000002948029A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageMonitoring/37.8/AgentPackageMonitoring.zip
Source: AteraAgent.exe, 0000000E.00000002.2623775013.00000294800DA000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2623775013.000002948006A000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2623775013.000002948028E000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2623775013.00000294801DF000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2623775013.00000294800CA000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2623775013.000002948013F000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2623775013.00000294806C7000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2623775013.000002948029A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageNetworkDiscovery/23.9/AgentPackageNetworkDiscove
Source: AteraAgent.exe, 0000000E.00000002.2623775013.00000294801DF000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2623775013.00000294806C7000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2623775013.000002948029A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageOsUpdates/20.9/AgentPackageOsUpdates.zip
Source: AteraAgent.exe, 0000000E.00000002.2623775013.00000294801DF000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2623775013.00000294806C7000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2623775013.000002948029A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageProgramManagement/26.3/AgentPackageProgramManage
Source: AteraAgent.exe, 0000000E.00000002.2623775013.00000294806C7000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2623775013.000002948029A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageRuntimeInstaller/1.6/AgentPackageRuntimeInstalle
Source: AteraAgent.exe, 0000000E.00000002.2623775013.00000294801DF000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2623775013.00000294806C7000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2623775013.000002948029A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageSTRemote/24.2/AgentPackageSTRemote.zip
Source: AteraAgent.exe, 0000000E.00000002.2623775013.00000294801DF000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2623775013.00000294806C7000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2623775013.000002948029A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageSystemTools/27.8/AgentPackageSystemTools.zip
Source: AteraAgent.exe, 0000000E.00000002.2623775013.00000294806C7000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2623775013.000002948029A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageTaskScheduler/17.2/AgentPackageTaskScheduler.zip
Source: AteraAgent.exe, 0000000E.00000002.2623775013.00000294801DF000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2623775013.00000294806C7000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2623775013.000002948029A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageTicketing/30.1/AgentPackageTicketing.zip
Source: AteraAgent.exe, 0000000E.00000002.2623775013.00000294801DF000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2623775013.00000294806C7000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2623775013.000002948029A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageUpgradeAgent/27.6/AgentPackageUpgradeAgent.zip
Source: AteraAgent.exe, 0000000E.00000002.2623775013.00000294806C7000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2623775013.000002948029A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageWindowsUpdate/24.6/AgentPackageWindowsUpdate.zip
Source: AteraAgent.exe, 0000000E.00000002.2623775013.0000029480135000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2623775013.00000294800DA000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2623775013.000002948006A000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2623775013.00000294806C7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.atera.com/agentpackageswin/Agent.Package.Availability/13.0/Agent.Package.Availability.zip
Source: AteraAgent.exe, 0000000E.00000002.2623775013.000002948028E000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2623775013.00000294800CA000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2623775013.000002948013F000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2623775013.00000294806C7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.atera.com/agentpackageswin/Agent.Package.IotPoc/13.0/Agent.Package.IotPoc.zip
Source: AteraAgent.exe, 0000000E.00000002.2623775013.0000029480135000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2623775013.00000294800DA000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2623775013.000002948006A000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2623775013.00000294806C7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.atera.com/agentpackageswin/Agent.Package.Watchdog/13.0/Agent.Package.Watchdog.zip
Source: AteraAgent.exe, 0000000E.00000002.2623775013.00000294806C7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.atera.com/agentpackageswin/AgentPackageADRemote/1.2/AgentPackageADRemote.zip
Source: AteraAgent.exe, 0000000E.00000002.2623775013.00000294800DE000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2623775013.00000294806C7000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2623775013.00000294801A9000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2623775013.00000294801C9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.atera.com/agentpackageswin/AgentPackageAgentInformation/22.7/AgentPackageAgentInformation
Source: AteraAgent.exe, 0000000E.00000002.2623775013.000002948028E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.atera.com/agentpackageswin/AgentPackageHeartbeat/16.9
Source: AteraAgent.exe, 0000000E.00000002.2623775013.00000294806C7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.atera.com/agentpackageswin/AgentPackageHeartbeat/16.9/AgentPackageHeartbeat.zip
Source: AteraAgent.exe, 0000000E.00000002.2623775013.00000294806C7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.atera.com/agentpackageswin/AgentPackageInternalPoller/15.9/AgentPackageInternalPoller.zip
Source: AteraAgent.exe, 0000000E.00000002.2623775013.00000294806C7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.atera.com/agentpackageswin/AgentPackageMarketplace/13.0/AgentPackageMarketplace.zip
Source: AteraAgent.exe, 0000000E.00000002.2623775013.000002948028E000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2623775013.00000294806C7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.atera.com/agentpackageswin/AgentPackageMonitoring/22.0/AgentPackageMonitoring.zip
Source: AteraAgent.exe, 0000000E.00000002.2623775013.000002948028E000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2623775013.000002948013F000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2623775013.00000294806C7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.atera.com/agentpackageswin/AgentPackageNetworkDiscovery/15.0/AgentPackageNetworkDiscovery
Source: AteraAgent.exe, 0000000E.00000002.2623775013.00000294806C7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.atera.com/agentpackageswin/AgentPackageOsUpdates/1.0/AgentPackageOsUpdates.zip
Source: AteraAgent.exe, 0000000E.00000002.2623775013.00000294806C7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.atera.com/agentpackageswin/AgentPackageProgramManagement/15.5/AgentPackageProgramManageme
Source: AteraAgent.exe, 0000000E.00000002.2623775013.00000294806C7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.atera.com/agentpackageswin/AgentPackageRuntimeInstaller/13.0/AgentPackageRuntimeInstaller
Source: AteraAgent.exe, 0000000E.00000002.2623775013.00000294806C7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.atera.com/agentpackageswin/AgentPackageSTRemote/16.0/AgentPackageSTRemote.zip
Source: AteraAgent.exe, 0000000E.00000002.2623775013.00000294806C7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.atera.com/agentpackageswin/AgentPackageSystemTools/18.9/AgentPackageSystemTools.zip
Source: AteraAgent.exe, 0000000E.00000002.2623775013.00000294806C7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.atera.com/agentpackageswin/AgentPackageTaskScheduler/13.1/AgentPackageTaskScheduler.zip
Source: AteraAgent.exe, 0000000E.00000002.2623775013.00000294806C7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.atera.com/agentpackageswin/AgentPackageTicketing/18.9/AgentPackageTicketing.zip
Source: AteraAgent.exe, 0000000E.00000002.2623775013.00000294806C7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.atera.com/agentpackageswin/AgentPackageUpgradeAgent/22.1/AgentPackageUpgradeAgent.zip
Source: AteraAgent.exe, 0000000E.00000002.2623775013.00000294806C7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.atera.com/agentpackageswin/AgentPackageWindowsUpdate/18.3/AgentPackageWindowsUpdate.zip
Source: AteraAgent.exe, 0000000E.00000002.2623775013.00000294807A8000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2623775013.00000294805C6000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2623775013.0000029480368000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.pndsn
Source: AteraAgent.exe, 0000000E.00000002.2623775013.00000294807AE000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2623775013.00000294805C6000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2623775013.00000294806B5000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2623775013.0000029480534000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2623775013.000002948036C000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2623775013.000002948008E000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2623775013.0000029480538000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.pndsn.com
Source: AteraAgent.exe, 0000000E.00000002.2623775013.00000294801DF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.pndsn.com/time/0?pnsdk=NET45CSharp6.13.0.0&requestid=0b64e705-668e-465a-845d-ea16cbb2791c
Source: AteraAgent.exe, 0000000E.00000002.2623775013.000002948008E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.pndsn.com/time/0?pnsdk=NET45CSharp6.13.0.0&requestid=59dc8d89-7bee-4d36-a28b-270400da27e0
Source: AteraAgent.exe, 0000000E.00000002.2623775013.000002948029A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.pndsn.com/time/0?pnsdk=NET45CSharp6.13.0.0&requestid=7d96955c-b644-4f48-b6cb-41b97a7be479
Source: AteraAgent.exe, 0000000E.00000002.2623775013.00000294801DF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.pndsn.com/time/0?pnsdk=NET45CSharp6.13.0.0&requestid=83d4ff7e-819b-463d-a1d8-c1180d5bfe08
Source: AteraAgent.exe, 0000000E.00000002.2623775013.00000294801DF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.pndsn.com/time/0?pnsdk=NET45CSharp6.13.0.0&requestid=af1c8f78-a8fb-4782-9e02-8522647fac57
Source: AteraAgent.exe, 0000000E.00000002.2623775013.00000294801DF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.pndsn.com/time/0?pnsdk=NET45CSharp6.13.0.0&requestid=c89efe78-d68a-44aa-b962-a0da30029aef
Source: AteraAgent.exe, 0000000E.00000002.2623775013.00000294801DF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.pndsn.com/time/0?pnsdk=NET45CSharp6.13.0.0&requestid=ee319b7e-c8e0-4aa4-aa35-08507a3b4589
Source: AteraAgent.exe, 0000000E.00000002.2623775013.000002948069B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.pndsn.com/v2/presence/sub_key/sub-c-a02ceca8-a958-11e5-bd8c-0619
Source: AteraAgent.exe, 0000000E.00000002.2623775013.0000029480538000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.pndsn.com/v2/presence/sub_key/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/channel/ca4f6eb7
Source: AteraAgent.exe, 0000000E.00000002.2623775013.00000294806B5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.pndsn.com/v2/subscribe/sub-c-a02ceca8-a958-11e5-bd
Source: AteraAgent.exe, 0000000E.00000002.2623775013.000002948029A000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2623775013.00000294800BC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.pndsn.com/v2/subscribe/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/ca4f6eb7-da88-4119-8d72
Source: rundll32.exe, 00000004.00000003.1384418180.0000000004AD1000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1393627816.0000000004271000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1449345788.0000000004D79000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000011.00000003.1520522835.00000000040FF000.00000004.00000020.00020000.00000000.sdmp, ReceitaFederal-consulta-yFZMA-45896_v.3_35687.msi, Microsoft.Deployment.WindowsInstaller.dll.4.dr, MSI30EE.tmp.2.dr, MSI3022.tmp.2.dr, Microsoft.Deployment.WindowsInstaller.dll.6.dr, MSI2FB3.tmp.2.dr, Microsoft.Deployment.WindowsInstaller.dll.17.dr, 5b113b.msi.2.dr, 5b113d.msi.2.dr, MSI2FC4.tmp.2.dr	String found in binary or memory: https://www.digicert.com/CPS0
Source: rundll32.exe, 00000004.00000003.1384418180.0000000004AD1000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1393627816.0000000004271000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1449345788.0000000004D79000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000011.00000003.1520522835.00000000040FF000.00000004.00000020.00020000.00000000.sdmp, Newtonsoft.Json.dll.6.dr, Newtonsoft.Json.dll.4.dr, Newtonsoft.Json.dll.5.dr, Newtonsoft.Json.dll.17.dr	String found in binary or memory: https://www.newtonsoft.com/json
Source: Newtonsoft.Json.dll.17.dr	String found in binary or memory: https://www.newtonsoft.com/jsonschema
Source: rundll32.exe, 00000004.00000003.1384418180.0000000004AD1000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1393627816.0000000004271000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1449345788.0000000004D79000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2632599707.00000294EABC2000.00000002.00000001.01000000.0000001A.sdmp, rundll32.exe, 00000011.00000003.1520522835.00000000040FF000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000013.00000002.1737873260.00000177618A2000.00000002.00000001.01000000.00000019.sdmp, Newtonsoft.Json.dll.6.dr, Newtonsoft.Json.dll.4.dr, Newtonsoft.Json.dll.2.dr, Newtonsoft.Json.dll.14.dr, Newtonsoft.Json.dll.5.dr, Newtonsoft.Json.dll.17.dr	String found in binary or memory: https://www.nuget.org/packages/Newtonsoft.Json.Bson

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49942
Source: unknown	Network traffic detected: HTTP traffic on port 50013 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49985
Source: unknown	Network traffic detected: HTTP traffic on port 50061 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49983
Source: unknown	Network traffic detected: HTTP traffic on port 49789 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50014
Source: unknown	Network traffic detected: HTTP traffic on port 50090 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50013
Source: unknown	Network traffic detected: HTTP traffic on port 49894 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50078 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49769 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50049 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50022 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50061
Source: unknown	Network traffic detected: HTTP traffic on port 50003 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50062
Source: unknown	Network traffic detected: HTTP traffic on port 49942 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49776 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50068 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49776
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49973
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49972
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49894
Source: unknown	Network traffic detected: HTTP traffic on port 50014 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50023
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50067
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50022
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50068
Source: unknown	Network traffic detected: HTTP traffic on port 49985 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49964 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50004 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50073
Source: unknown	Network traffic detected: HTTP traffic on port 49943 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50067 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50080 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49924
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49769
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49923
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49768
Source: unknown	Network traffic detected: HTTP traffic on port 49790 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49964
Source: unknown	Network traffic detected: HTTP traffic on port 49924 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50086 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49963
Source: unknown	Network traffic detected: HTTP traffic on port 49972 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50076
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50078
Source: unknown	Network traffic detected: HTTP traffic on port 50076 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50037
Source: unknown	Network traffic detected: HTTP traffic on port 50050 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50047 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50073 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50080
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50083
Source: unknown	Network traffic detected: HTTP traffic on port 49963 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50043 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49904 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50083 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50089 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49973 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50037 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50062 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49952
Source: unknown	Network traffic detected: HTTP traffic on port 49923 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49952 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49792
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50043
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49790
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50086
Source: unknown	Network traffic detected: HTTP traffic on port 50093 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50089
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50044
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50003
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50047
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50049
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50004
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50048
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50090
Source: unknown	Network traffic detected: HTTP traffic on port 49768 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50051 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50048 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50050
Source: unknown	Network traffic detected: HTTP traffic on port 49983 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50093
Source: unknown	Network traffic detected: HTTP traffic on port 50023 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50051
Source: unknown	Network traffic detected: HTTP traffic on port 50044 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49904
Source: unknown	Network traffic detected: HTTP traffic on port 49792 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49789
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49943

Source: unknown	HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.9:49768 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.9:49769 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 108.158.75.12:443 -> 192.168.2.9:49792 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.9:49904 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.9:49942 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.9:49943 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.9:49983 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.9:49985 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.9:50004 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.9:50043 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.9:50044 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.9:50047 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.9:50048 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.9:50049 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.9:50051 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.9:50050 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.9:50067 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.9:50068 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.9:50073 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.9:50086 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.9:50089 version: TLS 1.2

Drops certificate files (DER)

Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File created: C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C56C4404C4DEF0DC88E5FCD9F09CB2F1	Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File created: C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EC9B1D0ABBD7F98B401D425828828CE_DEB07B5578A606ED6489DDA2E357A944	Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File created: C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\BA74182F76F15A9CF514DEF352303C95	Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File created: C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141	Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File created: C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F2E248BEDDBB2D85122423C41028BFD4	Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File created: C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB	Jump to dropped file

Spam, unwanted Advertisements and Ransom Demands

Reads the Security eventlog

Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security\AteraAgent	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security

Reads the System eventlog

Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System

Abnormal high CPU Usage

Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe

Process Stats: CPU usage > 49%

Creates files inside the system directory

Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\5b113b.msi	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI1264.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI1766.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI2D41.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\inprogressinstallinfo.ipi	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\SourceHash{E732A0D7-A2F2-4657-AC41-B19742648E45}	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI2FB3.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI2FC4.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI3022.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI30EE.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\5b113d.msi	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\5b113d.msi	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI489E.tmp	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSI1264.tmp-	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSI1264.tmp-\AlphaControlAgentInstallation.dll	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSI1264.tmp-\Microsoft.Deployment.WindowsInstaller.dll	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSI1264.tmp-\Newtonsoft.Json.dll	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSI1264.tmp-\System.Management.dll	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSI1264.tmp-\CustomAction.config	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSI1766.tmp-	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSI1766.tmp-\AlphaControlAgentInstallation.dll	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSI1766.tmp-\Microsoft.Deployment.WindowsInstaller.dll	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSI1766.tmp-\Newtonsoft.Json.dll	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSI1766.tmp-\System.Management.dll	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSI1766.tmp-\CustomAction.config	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSI2D41.tmp-	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSI2D41.tmp-\AlphaControlAgentInstallation.dll	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSI2D41.tmp-\Microsoft.Deployment.WindowsInstaller.dll	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSI2D41.tmp-\Newtonsoft.Json.dll	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSI2D41.tmp-\System.Management.dll	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSI2D41.tmp-\CustomAction.config	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File created: C:\Windows\system32\InstallUtil.InstallLog	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EC9B1D0ABBD7F98B401D425828828CE_DEB07B5578A606ED6489DDA2E357A944	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EC9B1D0ABBD7F98B401D425828828CE_DEB07B5578A606ED6489DDA2E357A944	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C56C4404C4DEF0DC88E5FCD9F09CB2F1
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C56C4404C4DEF0DC88E5FCD9F09CB2F1
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F2E248BEDDBB2D85122423C41028BFD4
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F2E248BEDDBB2D85122423C41028BFD4
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\BA74182F76F15A9CF514DEF352303C95
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\BA74182F76F15A9CF514DEF352303C95
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSI489E.tmp-
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSI489E.tmp-\AlphaControlAgentInstallation.dll
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSI489E.tmp-\Microsoft.Deployment.WindowsInstaller.dll
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSI489E.tmp-\Newtonsoft.Json.dll
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSI489E.tmp-\System.Management.dll
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSI489E.tmp-\CustomAction.config
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	File created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\AgentPackageAgentInformation.exe.log
Source: C:\Windows\System32\wbem\WMIADAP.exe	File created: C:\Windows\system32\wbem\Performance\WmiApRpl_new.h

Deletes files inside the Windows folder

Source: C:\Windows\System32\msiexec.exe

File deleted: C:\Windows\Installer\MSI1264.tmp

Jump to behavior

Detected potential crypto function

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_3_06877678	5_3_06877678
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_3_06870040	5_3_06870040
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_3_072C59A8	6_3_072C59A8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_3_072C50B8	6_3_072C50B8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_3_072C4D68	6_3_072C4D68
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Code function: 13_2_00007FF886A0C922	13_2_00007FF886A0C922
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Code function: 13_2_00007FF886A0BB76	13_2_00007FF886A0BB76
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Code function: 14_2_00007FF8869F0D42	14_2_00007FF8869F0D42
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Code function: 14_2_00007FF886A0900E	14_2_00007FF886A0900E
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Code function: 14_2_00007FF886C0E73C	14_2_00007FF886C0E73C
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Code function: 14_2_00007FF886C0B0B9	14_2_00007FF886C0B0B9
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Code function: 14_2_00007FF886C110E2	14_2_00007FF886C110E2
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Code function: 14_2_00007FF886C093FA	14_2_00007FF886C093FA
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Code function: 14_2_00007FF886C06950	14_2_00007FF886C06950
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Code function: 14_2_00007FF886C11608	14_2_00007FF886C11608
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 17_3_066B0040	17_3_066B0040
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 17_3_066B71D0	17_3_066B71D0
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Code function: 19_2_00007FF886A278D6	19_2_00007FF886A278D6
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Code function: 19_2_00007FF886A21828	19_2_00007FF886A21828
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Code function: 19_2_00007FF886A3100A	19_2_00007FF886A3100A
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Code function: 19_2_00007FF886A28682	19_2_00007FF886A28682
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Code function: 19_2_00007FF886A4047D	19_2_00007FF886A4047D
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Code function: 19_2_00007FF886A2FA94	19_2_00007FF886A2FA94
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Code function: 19_2_00007FF886A310C0	19_2_00007FF886A310C0
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Code function: 19_2_00007FF886A2BDB0	19_2_00007FF886A2BDB0
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Code function: 19_2_00007FF886A212FB	19_2_00007FF886A212FB
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Code function: 23_2_00007FF886A1108C	23_2_00007FF886A1108C
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Code function: 23_2_00007FF886A078D6	23_2_00007FF886A078D6
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Code function: 23_2_00007FF886A01828	23_2_00007FF886A01828
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Code function: 23_2_00007FF886A08682	23_2_00007FF886A08682
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Code function: 23_2_00007FF886A2047D	23_2_00007FF886A2047D
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Code function: 23_2_00007FF886A0FA94	23_2_00007FF886A0FA94
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Code function: 23_2_00007FF886A110C0	23_2_00007FF886A110C0
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Code function: 23_2_00007FF886A0BDB0	23_2_00007FF886A0BDB0
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Code function: 23_2_00007FF886A012FB	23_2_00007FF886A012FB
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Code function: 25_2_00007FF886A178D6	25_2_00007FF886A178D6
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Code function: 25_2_00007FF886A18682	25_2_00007FF886A18682
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Code function: 25_2_00007FF886A3047D	25_2_00007FF886A3047D
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Code function: 25_2_00007FF886A1FA94	25_2_00007FF886A1FA94
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Code function: 25_2_00007FF886A210C0	25_2_00007FF886A210C0
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Code function: 25_2_00007FF886A1BDB0	25_2_00007FF886A1BDB0
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Code function: 25_2_00007FF886A112FA	25_2_00007FF886A112FA

Dropped file seen in connection with other malware

Source: Joe Sandbox View

Dropped File: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe A96A0BA7998A6956C8073B6EFF9306398CC03FB9866E4CABF0810A69BB2A43B2

Sample file is different than original file name gathered from version info

Source: ReceitaFederal-consulta-yFZMA-45896_v.3_35687.msi	Binary or memory string: OriginalFilenameAlphaControlAgentInstallation.dll\ vs ReceitaFederal-consulta-yFZMA-45896_v.3_35687.msi
Source: ReceitaFederal-consulta-yFZMA-45896_v.3_35687.msi	Binary or memory string: OriginalFilenameSfxCA.dll\ vs ReceitaFederal-consulta-yFZMA-45896_v.3_35687.msi
Source: ReceitaFederal-consulta-yFZMA-45896_v.3_35687.msi	Binary or memory string: OriginalFilenamewixca.dll\ vs ReceitaFederal-consulta-yFZMA-45896_v.3_35687.msi

Source: ICSharpCode.SharpZipLib.dll.2.dr, InflaterInputBuffer.cs	Cryptographic APIs: 'TransformBlock'
Source: ICSharpCode.SharpZipLib.dll.2.dr, DeflaterOutputStream.cs	Cryptographic APIs: 'TransformBlock'
Source: ICSharpCode.SharpZipLib.dll.2.dr, ZipAESTransform.cs	Cryptographic APIs: 'TransformBlock'

Source: AteraAgent.exe.2.dr, SignatureValidator.cs

Base64 encoded string: 'MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA0YmxeR/2wifvwd/MQXb/5tsLsvlMs50tmraklX8MKsU1EgEpRZ+W0Ro1ZHoLhQG53oq9hPz9bmJge78yZr6l1QJWz6wCj+yQUxM5f0gt4fHEf2yA94Tklnds7JPr2vQRb5rjAnxnt7722oWFc1bxFFsIcIhOI/EHYCE0qSPE1pKMXALkHZYoDQEFUu3YgEc0Oo7ClJNFrB75g6tVZRqGKxVvYQBb9zKDxhBRnDkhZuB7D1gRaR9PNwCr7tVtPt40c+CCf5ktUkeu4JzaiEipWvKYgRvotqsFtZF5uFso2UmdvxO+lIw9i/GPDfgS4JhKu/Y9lCuaan+xEluhSK0vpQIDAQAB'

Source: classification engine

Classification label: mal88.troj.spyw.evad.winMSI@38/85@12/2

Source: C:\Windows\System32\msiexec.exe

File created: C:\Program Files (x86)\ATERA Networks

Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\rundll32.exe.log

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:1592:120:WilError_03
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Mutant created: NULL
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\netfxeventlog.1.0
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7928:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:7504:120:WilError_03
Source: C:\Windows\System32\wbem\WMIADAP.exe	Mutant created: \BaseNamedObjects\Global\RefreshRA_Mutex
Source: C:\Windows\System32\wbem\WMIADAP.exe	Mutant created: \BaseNamedObjects\Global\RefreshRA_Mutex_Flag
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7996:120:WilError_03
Source: C:\Windows\System32\wbem\WMIADAP.exe	Mutant created: \BaseNamedObjects\Global\ADAP_WMI_ENTRY
Source: C:\Windows\System32\wbem\WMIADAP.exe	Mutant created: \BaseNamedObjects\Global\RefreshRA_Mutex_Lib
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:5520:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:7856:120:WilError_03
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Mutant created: \BaseNamedObjects\Global\netfxeventlog.1.0

Source: C:\Windows\System32\msiexec.exe

File created: C:\Windows\TEMP\~DF5892DD4D99EE3C15.TMP

Jump to behavior

Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "AteraAgent.exe")
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select Name from Win32_Processor
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select Name from Win32_Processor
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select Name from Win32_Processor
Source: C:\Windows\System32\wbem\WMIADAP.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "AteraAgent.exe")

Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe

File read: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.ini

Source: C:\Windows\System32\msiexec.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA

Jump to behavior

Source: C:\Windows\SysWOW64\msiexec.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Windows\Installer\MSI1264.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_5968562 2 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.GenerateAgentId

Source: ReceitaFederal-consulta-yFZMA-45896_v.3_35687.msi

Static file information: TRID: Microsoft Windows Installer (60509/1) 57.88%

Source: ReceitaFederal-consulta-yFZMA-45896_v.3_35687.msi

ReversingLabs: Detection: 26%

Source: unknown	Process created: C:\Windows\System32\msiexec.exe "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\ReceitaFederal-consulta-yFZMA-45896_v.3_35687.msi"
Source: unknown	Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding BEDEEE6C5E800683486D45882C70B787
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Windows\Installer\MSI1264.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_5968562 2 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.GenerateAgentId
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Windows\Installer\MSI1766.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_5969828 6 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.ReportMsiStart
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Windows\Installer\MSI2D41.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_5975390 11 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.ShouldContinueInstallation
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding F32542BB014FEC02096438D522414E5D E Global\MSI0000
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\net.exe "NET" STOP AteraAgent
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 STOP AteraAgent
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\taskkill.exe "TaskKill.exe" /f /im AteraAgent.exe
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe" /i /IntegratorLogin="lauraclima92@gmail.com" /CompanyId="1" /IntegratorLoginUI="" /CompanyIdUI="" /FolderId="" /AccountId="001Q300000MAUEiIAP" /AgentId="ca4f6eb7-da88-4119-8d72-16266eeb5dd4"
Source: unknown	Process created: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe"
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process created: C:\Windows\System32\sc.exe "C:\Windows\System32\sc.exe" failure AteraAgent reset= 600 actions= restart/25000
Source: C:\Windows\System32\sc.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Windows\Installer\MSI489E.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_5982406 33 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.ReportMsiEnd
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" ca4f6eb7-da88-4119-8d72-16266eeb5dd4 "40d7881e-bac7-4bc1-a310-af4ec03e6c5c" agent-api.atera.com/Production 443 or8ixLi90Mf "minimalIdentification" 001Q300000MAUEiIAP
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" ca4f6eb7-da88-4119-8d72-16266eeb5dd4 "4d432fbf-e66a-4222-84c5-bc3b68a3273b" agent-api.atera.com/Production 443 or8ixLi90Mf "minimalIdentification" 001Q300000MAUEiIAP
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" ca4f6eb7-da88-4119-8d72-16266eeb5dd4 "47be830f-d7d7-401a-87fc-8b93e37bf80a" agent-api.atera.com/Production 443 or8ixLi90Mf "minimalIdentification" 001Q300000MAUEiIAP
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\System32\wbem\WMIADAP.exe wmiadap.exe /F /T /R
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding BEDEEE6C5E800683486D45882C70B787	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding F32542BB014FEC02096438D522414E5D E Global\MSI0000	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe" /i /IntegratorLogin="lauraclima92@gmail.com" /CompanyId="1" /IntegratorLoginUI="" /CompanyIdUI="" /FolderId="" /AccountId="001Q300000MAUEiIAP" /AgentId="ca4f6eb7-da88-4119-8d72-16266eeb5dd4"	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Windows\Installer\MSI1264.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_5968562 2 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.GenerateAgentId	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Windows\Installer\MSI1766.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_5969828 6 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.ReportMsiStart	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Windows\Installer\MSI2D41.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_5975390 11 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.ShouldContinueInstallation	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Windows\Installer\MSI489E.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_5982406 33 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.ReportMsiEnd	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\net.exe "NET" STOP AteraAgent	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\taskkill.exe "TaskKill.exe" /f /im AteraAgent.exe	Jump to behavior
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 STOP AteraAgent	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process created: C:\Windows\System32\sc.exe "C:\Windows\System32\sc.exe" failure AteraAgent reset= 600 actions= restart/25000
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" ca4f6eb7-da88-4119-8d72-16266eeb5dd4 "40d7881e-bac7-4bc1-a310-af4ec03e6c5c" agent-api.atera.com/Production 443 or8ixLi90Mf "minimalIdentification" 001Q300000MAUEiIAP
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" ca4f6eb7-da88-4119-8d72-16266eeb5dd4 "4d432fbf-e66a-4222-84c5-bc3b68a3273b" agent-api.atera.com/Production 443 or8ixLi90Mf "minimalIdentification" 001Q300000MAUEiIAP
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" ca4f6eb7-da88-4119-8d72-16266eeb5dd4 "47be830f-d7d7-401a-87fc-8b93e37bf80a" agent-api.atera.com/Production 443 or8ixLi90Mf "minimalIdentification" 001Q300000MAUEiIAP

Source: C:\Windows\System32\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: srpapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: tsappcmp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: msihnd.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: tsappcmp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: srclient.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: spp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: vssapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: vsstrace.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\net.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\net.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\net.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\net.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\net.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\net.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: dsrole.dll	Jump to behavior
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: cryptnet.dll	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: mscoree.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: version.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: windows.storage.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: wldp.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: profapi.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: cryptsp.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: rsaenh.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: propsys.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: edputil.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: urlmon.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: iertutil.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: srvcli.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: netutils.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: sspicli.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: wintypes.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: appresolver.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: bcp47langs.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: slc.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: userenv.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: sppc.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: rasapi32.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: rasman.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: rtutils.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: mswsock.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: winhttp.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: iphlpapi.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: dhcpcsvc.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: dnsapi.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: winnsi.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: rasadhlp.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: fwpuclnt.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: secur32.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: schannel.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: mskeyprotect.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: ntasn1.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: ncrypt.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: ncryptsslp.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: msasn1.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: gpapi.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: wbemcomn.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: amsi.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: cryptnet.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: webio.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: cabinet.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: apphelp.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: mscoree.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: apphelp.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: version.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: cryptsp.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: rsaenh.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: windows.storage.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: wldp.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: profapi.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: wbemcomn.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: amsi.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: userenv.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: rasapi32.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: rasman.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: rtutils.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: mswsock.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: winhttp.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: iphlpapi.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: dhcpcsvc.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: dnsapi.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: winnsi.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: rasadhlp.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: fwpuclnt.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: secur32.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: sspicli.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: schannel.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: mskeyprotect.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: ntasn1.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: ncrypt.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: ncryptsslp.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: msasn1.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: gpapi.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: mscoree.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: version.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: cryptsp.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: rsaenh.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: windows.storage.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: wldp.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: profapi.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: wbemcomn.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: amsi.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: userenv.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: rasapi32.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: rasman.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: rtutils.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: mswsock.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: winhttp.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: iphlpapi.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: dhcpcsvc.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: dnsapi.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: winnsi.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: rasadhlp.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: fwpuclnt.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: secur32.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: sspicli.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: schannel.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: mskeyprotect.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: ntasn1.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: ncrypt.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: ncryptsslp.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: msasn1.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: gpapi.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: mscoree.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: version.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: cryptsp.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: rsaenh.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: windows.storage.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: wldp.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: profapi.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: wbemcomn.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: amsi.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: userenv.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: rasapi32.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: rasman.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: rtutils.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: mswsock.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: winhttp.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: iphlpapi.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: dhcpcsvc.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: dnsapi.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: winnsi.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: rasadhlp.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: fwpuclnt.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: secur32.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: sspicli.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: schannel.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: mskeyprotect.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: ntasn1.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: ncrypt.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: ncryptsslp.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: msasn1.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\wbem\WMIADAP.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WMIADAP.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WMIADAP.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\wbem\WMIADAP.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WMIADAP.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\wbem\WMIADAP.exe	Section loaded: loadperf.dll

Source: C:\Windows\SysWOW64\rundll32.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32

Jump to behavior

Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe

File written: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.ini

Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Source: ReceitaFederal-consulta-yFZMA-45896_v.3_35687.msi

Static file information: File size 2994176 > 1048576

Source:	Binary string: D:\a\1\s\AgentPackageAgentInformation\AgentPackageAgentInformation\obj\Release\AgentPackageAgentInformation.pdb source: AteraAgent.exe, 0000000E.00000002.2633116462.00000294EAEAF000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000013.00000000.1696182343.00000177486B2000.00000002.00000001.01000000.00000016.sdmp, AgentPackageAgentInformation.exe.14.dr
Source:	Binary string: D:\a\1\s\AlphaControlAgentInstallation\obj\Release\AlphaControlAgentInstallation.pdb source: rundll32.exe, 00000004.00000003.1384418180.0000000004AA0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.1446980607.0000000006E10000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.1444559082.00000000005BC000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1444139924.00000000005BC000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1393627816.0000000004240000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1449345788.0000000004D48000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000011.00000003.1520522835.00000000040CE000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000011.00000002.1575945285.0000000006C33000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000011.00000002.1570641470.0000000000605000.00000004.00000020.00020000.00000000.sdmp, AlphaControlAgentInstallation.dll.5.dr, AlphaControlAgentInstallation.dll.6.dr, AlphaControlAgentInstallation.dll.17.dr, AlphaControlAgentInstallation.dll.4.dr
Source:	Binary string: \??\C:\Windows\Installer\MSI489E.tmp-\AlphaControlAgentInstallation.PDBrb source: rundll32.exe, 00000011.00000002.1570641470.00000000005A5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\symbols\dll\AlphaControlAgentInstallation.pdb source: rundll32.exe, 00000011.00000002.1570641470.0000000000605000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\AlphaControlAgentInstallation.pdbpdbion.pdb% source: rundll32.exe, 00000005.00000002.1444743402.000000000060F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1444294947.000000000060E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1444074163.00000000005F6000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\AlphaControlAgentInstallation.pdbpdbion.pdb( source: rundll32.exe, 00000011.00000002.1570641470.0000000000653000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: /_/Src/Newtonsoft.Json/obj/Release/net45/Newtonsoft.Json.pdbSHA256 source: AgentPackageAgentInformation.exe, 00000013.00000002.1737873260.00000177618A2000.00000002.00000001.01000000.00000019.sdmp, Newtonsoft.Json.dll.14.dr
Source:	Binary string: C:\Windows\System.pdbpdbtem.pdb source: rundll32.exe, 00000011.00000002.1575945285.0000000006C4A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\symbols\dll\AlphaControlAgentInstallation.pdbG source: rundll32.exe, 00000005.00000002.1444717726.00000000005F8000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1444074163.00000000005F6000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\s\AlphaControlAgent\obj\Release\AteraAgent.pdb<$ source: AteraAgent.exe, 0000000D.00000000.1462877199.0000014C07FF2000.00000002.00000001.01000000.0000000F.sdmp, AteraAgent.exe.2.dr
Source:	Binary string: System.pdbN\|2h\|2 Z\|2_CorDllMainmscoree.dll source: rundll32.exe, 00000005.00000002.1446980607.0000000006E00000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000011.00000002.1575945285.0000000006C33000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: /_/Src/Newtonsoft.Json/obj/Release/net45/Newtonsoft.Json.pdb source: rundll32.exe, 00000004.00000003.1384418180.0000000004AD1000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1393627816.0000000004271000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1449345788.0000000004D79000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2632599707.00000294EABC2000.00000002.00000001.01000000.0000001A.sdmp, rundll32.exe, 00000011.00000003.1520522835.00000000040FF000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000013.00000002.1737873260.00000177618A2000.00000002.00000001.01000000.00000019.sdmp, Newtonsoft.Json.dll.6.dr, Newtonsoft.Json.dll.4.dr, Newtonsoft.Json.dll.2.dr, Newtonsoft.Json.dll.14.dr, Newtonsoft.Json.dll.5.dr, Newtonsoft.Json.dll.17.dr
Source:	Binary string: D:\a\1\s\Atera.AgentPackage.Common\obj\Release\Atera.AgentPackage.Common.pdb source: AgentPackageAgentInformation.exe, 00000013.00000002.1736549583.0000017748CC2000.00000002.00000001.01000000.00000018.sdmp, Atera.AgentPackage.Common.dll.14.dr
Source:	Binary string: E:\A\_work\39\s\corefx\bin\obj\AnyOS.AnyCPU.Release\System.ValueTuple\netstandard1.0\System.ValueTuple.pdb source: System.ValueTuple.dll.2.dr
Source:	Binary string: \??\C:\Windows\symbols\dll\System.pdb2 source: rundll32.exe, 00000011.00000002.1575945285.0000000006C4A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\agent\_work\66\s\build\ship\x86\wixca.pdb source: ReceitaFederal-consulta-yFZMA-45896_v.3_35687.msi, MSI30EE.tmp.2.dr, MSI3022.tmp.2.dr, MSI2FB3.tmp.2.dr, 5b113b.msi.2.dr, 5b113d.msi.2.dr, MSI2FC4.tmp.2.dr
Source:	Binary string: bHP~n\C:\Windows\AlphaControlAgentInstallation.pdb source: rundll32.exe, 00000005.00000002.1444393467.0000000000497000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\AlphaControlAgentInstallation.pdbotm source: rundll32.exe, 00000011.00000002.1570641470.00000000005A5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\dll\AlphaControlAgentInstallation.pdbG source: rundll32.exe, 00000011.00000002.1570641470.0000000000605000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\agent\_work\66\s\build\obj\ship\x86\WindowsInstaller\Microsoft.Deployment.WindowsInstaller.pdbP source: rundll32.exe, 00000004.00000003.1384418180.0000000004AA0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1393627816.0000000004240000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1449345788.0000000004D48000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000011.00000003.1520522835.00000000040CE000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Deployment.WindowsInstaller.dll.4.dr, Microsoft.Deployment.WindowsInstaller.dll.6.dr, Microsoft.Deployment.WindowsInstaller.dll.17.dr
Source:	Binary string: D:\a\1\s\Atera.AgentPackage.Common\obj\Release\Atera.AgentPackage.Common.pdbPf source: AgentPackageAgentInformation.exe, 00000013.00000002.1736549583.0000017748CC2000.00000002.00000001.01000000.00000018.sdmp, Atera.AgentPackage.Common.dll.14.dr
Source:	Binary string: \??\C:\Windows\dll\AlphaControlAgentInstallation.pdb source: rundll32.exe, 00000005.00000002.1446980607.0000000006DD0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000011.00000002.1570641470.0000000000605000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Installer\MSI1766.tmp-\AlphaControlAgentInstallation.pdb source: rundll32.exe, 00000005.00000002.1444559082.00000000005BC000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1444139924.00000000005BC000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.pdb source: rundll32.exe, 00000005.00000002.1446980607.0000000006E00000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000011.00000002.1575945285.0000000006C33000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: BouncyCastle.Crypto.pdbSHA256 source: BouncyCastle.Crypto.dll.2.dr
Source:	Binary string: \??\C:\Windows\Installer\MSI1766.tmp-\AlphaControlAgentInstallation.PDBkd source: rundll32.exe, 00000005.00000002.1444559082.00000000005BC000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1444139924.00000000005BC000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\agent\_work\66\s\build\obj\ship\x86\WindowsInstaller\Microsoft.Deployment.WindowsInstaller.pdb source: rundll32.exe, 00000004.00000003.1384418180.0000000004AA0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1393627816.0000000004240000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1449345788.0000000004D48000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000011.00000003.1520522835.00000000040CE000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Deployment.WindowsInstaller.dll.4.dr, Microsoft.Deployment.WindowsInstaller.dll.6.dr, Microsoft.Deployment.WindowsInstaller.dll.17.dr
Source:	Binary string: \??\C:\Windows\Installer\MSI489E.tmp-\AlphaControlAgentInstallation.pdb source: rundll32.exe, 00000011.00000002.1570641470.00000000005A5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\s\AlphaControlAgent\obj\Release\AteraAgent.pdb source: AteraAgent.exe, 0000000D.00000000.1462877199.0000014C07FF2000.00000002.00000001.01000000.0000000F.sdmp, AteraAgent.exe.2.dr
Source:	Binary string: \??\C:\Windows\AlphaControlAgentInstallation.pdbCultur source: rundll32.exe, 00000005.00000002.1444559082.00000000005BC000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1444139924.00000000005BC000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: nC:\Windows\Installer\MSI1766.tmp-\AlphaControlAgentInstallation.pdbQ source: rundll32.exe, 00000005.00000002.1444393467.0000000000497000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\System.pdb} source: rundll32.exe, 00000011.00000002.1570641470.0000000000653000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: nC:\Windows\Installer\MSI489E.tmp-\AlphaControlAgentInstallation.pdb source: rundll32.exe, 00000011.00000002.1570401025.00000000000D7000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: E:\A\_work\39\s\corefx\bin\obj\AnyOS.AnyCPU.Release\System.ValueTuple\netstandard1.0\System.ValueTuple.pdbSHA256 source: System.ValueTuple.dll.2.dr
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdb source: rundll32.exe, 00000005.00000002.1444743402.000000000060F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1444294947.000000000060E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1444074163.00000000005F6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000011.00000002.1570641470.0000000000605000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\c-sharp\c-sharp\src\Api\PubnubApi\obj\Release\net45\Pubnub.pdbSHA256 source: AteraAgent.exe, 0000000D.00000002.1516024952.0000014C226B2000.00000002.00000001.01000000.00000011.sdmp, Pubnub.dll.2.dr
Source:	Binary string: D:\a\c-sharp\c-sharp\src\Api\PubnubApi\obj\Release\net45\Pubnub.pdb source: AteraAgent.exe, 0000000D.00000002.1516024952.0000014C226B2000.00000002.00000001.01000000.00000011.sdmp, AteraAgent.exe, 0000000E.00000002.2631705568.00000294EAA99000.00000004.00000020.00020000.00000000.sdmp, Pubnub.dll.2.dr
Source:	Binary string: eHP~n\C:\Windows\AlphaControlAgentInstallation.pdb source: rundll32.exe, 00000011.00000002.1570401025.00000000000D7000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Installer\MSI1766.tmp-\AlphaControlAgentInstallation.pdb(cyv source: rundll32.exe, 00000005.00000002.1444559082.00000000005BC000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1444139924.00000000005BC000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \Windows\Pubnub.pdbpdbnub.pdb source: AteraAgent.exe, 0000000E.00000002.2631705568.00000294EAA99000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\agent\_work\66\s\build\ship\x86\SfxCA.pdb source: ReceitaFederal-consulta-yFZMA-45896_v.3_35687.msi, MSI2D41.tmp.2.dr, MSI1264.tmp.2.dr, 5b113b.msi.2.dr, MSI489E.tmp.2.dr, 5b113d.msi.2.dr, MSI1766.tmp.2.dr
Source:	Binary string: /_/src/ICSharpCode.SharpZipLib/obj/Release/net45/ICSharpCode.SharpZipLib.pdbSHA256mW source: AteraAgent.exe, 0000000E.00000002.2634938179.00000294EB1C2000.00000002.00000001.01000000.0000001B.sdmp, ICSharpCode.SharpZipLib.dll.2.dr
Source:	Binary string: /_/src/ICSharpCode.SharpZipLib/obj/Release/net45/ICSharpCode.SharpZipLib.pdb source: AteraAgent.exe, 0000000E.00000002.2634938179.00000294EB1C2000.00000002.00000001.01000000.0000001B.sdmp, ICSharpCode.SharpZipLib.dll.2.dr
Source:	Binary string: BouncyCastle.Crypto.pdb source: BouncyCastle.Crypto.dll.2.dr
Source:	Binary string: \??\C:\Windows\AlphaControlAgentInstallation.pdb Cul source: rundll32.exe, 00000011.00000002.1570641470.00000000005A5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: /_/Src/Newtonsoft.Json/obj/Release/net45/Newtonsoft.Json.pdbSHA2567 source: rundll32.exe, 00000004.00000003.1384418180.0000000004AD1000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1393627816.0000000004271000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1449345788.0000000004D79000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2632599707.00000294EABC2000.00000002.00000001.01000000.0000001A.sdmp, rundll32.exe, 00000011.00000003.1520522835.00000000040FF000.00000004.00000020.00020000.00000000.sdmp, Newtonsoft.Json.dll.6.dr, Newtonsoft.Json.dll.4.dr, Newtonsoft.Json.dll.2.dr, Newtonsoft.Json.dll.5.dr, Newtonsoft.Json.dll.17.dr
Source:	Binary string: \??\C:\Windows\symbols\dll\System.pdb source: rundll32.exe, 00000005.00000003.1444045873.0000000006E1B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000011.00000002.1575945285.0000000006C4A000.00000004.00000020.00020000.00000000.sdmp

Binary contains a suspicious time stamp

Source: BouncyCastle.Crypto.dll.2.dr

Static PE information: 0xE49A52B3 [Sun Jul 15 06:22:43 2091 UTC]

PE file contains an invalid checksum

Source: MSI1264.tmp.2.dr	Static PE information: real checksum: 0x32353 should be: 0x88610
Source: MSI489E.tmp.2.dr	Static PE information: real checksum: 0x32353 should be: 0x88610
Source: MSI2D41.tmp.2.dr	Static PE information: real checksum: 0x32353 should be: 0x88610

Uses code obfuscation techniques (call, push, ret)

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_3_0440A228 pushfd ; ret	5_3_0440A3C0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_3_044057B8 push es; ret	5_3_04405840
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_3_0440EECC push ss; iretd	5_3_0440EF5B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_3_0440EECC push ss; iretd	5_3_0440EF6B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_3_0440EECC push ss; iretd	5_3_0440EF7B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_3_0440EECC push ss; iretd	5_3_0440EFA3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_3_0440EECC push ss; iretd	5_3_0440EFB3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_3_0440EECC push ss; iretd	5_3_0440EFC3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_3_0440EECC push ss; iretd	5_3_0440EFD3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_3_04404E90 push es; ret	5_3_04404EA0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_3_0440B418 push ecx; iretd	5_3_0440B453
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_3_0440B4F7 push ecx; iretd	5_3_0440B51B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_3_0440B4F7 push ecx; iretd	5_3_0440B52B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_3_0440B4F7 push eax; iretd	5_3_0440B55B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_3_0440B4F7 push eax; iretd	5_3_0440B57B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_3_0440B48F push ecx; iretd	5_3_0440B493
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_3_0440B494 push ecx; iretd	5_3_0440B4B3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_3_0440B494 push ecx; iretd	5_3_0440B4C3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_3_0440576F push es; ret	5_3_04405840
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_3_0440B1D0 push esp; iretd	5_3_0440B213
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_3_0440B1D0 push esp; iretd	5_3_0440B223
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_3_0440B27C push ebx; iretd	5_3_0440B28B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_3_0440B27C push ebx; iretd	5_3_0440B29B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_3_04405870 push es; ret	5_3_044058C0
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Code function: 14_2_00007FF8869FC65D push ds; ret	14_2_00007FF886A4E02F
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Code function: 14_2_00007FF886C00F64 push eax; ret	14_2_00007FF886C00F94
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Code function: 14_2_00007FF886C1411C pushad ; iretd	14_2_00007FF886C1411D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 17_3_042857B8 push es; ret	17_3_04285840
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 17_3_04284E90 push es; ret	17_3_04284EA0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 17_3_04286880 push es; ret	17_3_04286890
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 17_3_04286BF1 push es; ret	17_3_04286C00

Persistence and Installation Behavior

Creates files in the system32 config directory

Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EC9B1D0ABBD7F98B401D425828828CE_DEB07B5578A606ED6489DDA2E357A944	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EC9B1D0ABBD7F98B401D425828828CE_DEB07B5578A606ED6489DDA2E357A944	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C56C4404C4DEF0DC88E5FCD9F09CB2F1
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C56C4404C4DEF0DC88E5FCD9F09CB2F1
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F2E248BEDDBB2D85122423C41028BFD4
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F2E248BEDDBB2D85122423C41028BFD4
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\BA74182F76F15A9CF514DEF352303C95
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\BA74182F76F15A9CF514DEF352303C95
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	File created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\AgentPackageAgentInformation.exe.log

Drops PE files

Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSI1264.tmp-\Microsoft.Deployment.WindowsInstaller.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSI1766.tmp-\Newtonsoft.Json.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSI2D41.tmp-\AlphaControlAgentInstallation.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\BouncyCastle.Crypto.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSI489E.tmp-\System.Management.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSI2D41.tmp-\Microsoft.Deployment.WindowsInstaller.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSI489E.tmp-\Newtonsoft.Json.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSI489E.tmp-\AlphaControlAgentInstallation.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\ICSharpCode.SharpZipLib.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI30EE.tmp	Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI489E.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSI1766.tmp-\System.Management.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSI2D41.tmp-\System.Management.dll	Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Newtonsoft.Json.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Newtonsoft.Json.dll	Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Atera.AgentPackage.Common.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSI1264.tmp-\AlphaControlAgentInstallation.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\System.ValueTuple.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSI1766.tmp-\AlphaControlAgentInstallation.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI1766.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSI2D41.tmp-\Newtonsoft.Json.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSI489E.tmp-\Microsoft.Deployment.WindowsInstaller.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSI1264.tmp-\Newtonsoft.Json.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI2D41.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSI1264.tmp-\System.Management.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI2FC4.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Pubnub.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSI1766.tmp-\Microsoft.Deployment.WindowsInstaller.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI3022.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI1264.tmp	Jump to dropped file

Drops PE files to the windows directory (C:\Windows)

Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSI1766.tmp-\AlphaControlAgentInstallation.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI1766.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSI2D41.tmp-\Newtonsoft.Json.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSI489E.tmp-\Microsoft.Deployment.WindowsInstaller.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSI1264.tmp-\Microsoft.Deployment.WindowsInstaller.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSI1264.tmp-\Newtonsoft.Json.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSI1766.tmp-\Newtonsoft.Json.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSI2D41.tmp-\AlphaControlAgentInstallation.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI2D41.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSI489E.tmp-\System.Management.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI2FC4.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSI1264.tmp-\System.Management.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSI2D41.tmp-\Microsoft.Deployment.WindowsInstaller.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSI489E.tmp-\Newtonsoft.Json.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSI489E.tmp-\AlphaControlAgentInstallation.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI30EE.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSI1766.tmp-\Microsoft.Deployment.WindowsInstaller.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI489E.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSI1766.tmp-\System.Management.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSI2D41.tmp-\System.Management.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI3022.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI1264.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSI1264.tmp-\AlphaControlAgentInstallation.dll	Jump to dropped file

Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File created: C:\Windows\system32\InstallUtil.InstallLog			Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.InstallLog			Jump to behavior

Creates or modifies windows services

Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe

Registry key created: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Application

Jump to behavior

Uses net.exe to stop services

Source: C:\Windows\SysWOW64\msiexec.exe

Process created: C:\Windows\SysWOW64\net.exe "NET" STOP AteraAgent

Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe

Process created: C:\Windows\System32\sc.exe "C:\Windows\System32\sc.exe" failure AteraAgent reset= 600 actions= restart/25000

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Registry key monitored for changes: HKEY_USERS.DEFAULT\Software\Classes
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot

Stores large binary data to the registry

Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe

Key value created or modified: HKEY_USERS.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates\7B0F360B775F76C94A12CA48445AA2D2A875701C Blob

Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_NetworkAdapter
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_NetworkAdapter
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_NetworkAdapter

Allocates memory with a write watch (potentially for evading sandboxes)

Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Memory allocated: 14C08340000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Memory allocated: 14C21EA0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Memory allocated: 294E9FD0000 memory reserve \| memory write watch
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Memory allocated: 294EA180000 memory reserve \| memory write watch
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Memory allocated: 17748900000 memory reserve \| memory write watch
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Memory allocated: 177610C0000 memory reserve \| memory write watch
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Memory allocated: 1DA9CE00000 memory reserve \| memory write watch
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Memory allocated: 1DAB5390000 memory reserve \| memory write watch
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Memory allocated: 1CAEFB60000 memory reserve \| memory write watch
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Memory allocated: 1CAF0040000 memory reserve \| memory write watch

Contains long sleeps (>= 3 min)

Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Thread delayed: delay time: 922337203685477

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Window / User API: threadDelayed 3413
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Window / User API: threadDelayed 6218
Source: C:\Windows\System32\wbem\WMIADAP.exe	Window / User API: threadDelayed 853

Found dropped PE file which has not been started or loaded

Source: C:\Windows\SysWOW64\rundll32.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI1264.tmp-\Microsoft.Deployment.WindowsInstaller.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI2D41.tmp-\AlphaControlAgentInstallation.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI1766.tmp-\Newtonsoft.Json.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\BouncyCastle.Crypto.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI489E.tmp-\System.Management.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI2D41.tmp-\Microsoft.Deployment.WindowsInstaller.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI489E.tmp-\Newtonsoft.Json.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI489E.tmp-\AlphaControlAgentInstallation.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\ICSharpCode.SharpZipLib.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI30EE.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI2D41.tmp-\System.Management.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI1766.tmp-\System.Management.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI489E.tmp	Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Newtonsoft.Json.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Newtonsoft.Json.dll	Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Atera.AgentPackage.Common.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI1264.tmp-\AlphaControlAgentInstallation.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI1766.tmp-\AlphaControlAgentInstallation.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\System.ValueTuple.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI1766.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI2D41.tmp-\Newtonsoft.Json.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI489E.tmp-\Microsoft.Deployment.WindowsInstaller.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI1264.tmp-\Newtonsoft.Json.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI2D41.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI1264.tmp-\System.Management.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI2FC4.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Pubnub.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI1766.tmp-\Microsoft.Deployment.WindowsInstaller.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI3022.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI1264.tmp	Jump to dropped file

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Windows\SysWOW64\rundll32.exe TID: 7776	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe TID: 8140	Thread sleep time: -60000s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe TID: 8092	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe TID: 3816	Thread sleep count: 3413 > 30
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe TID: 2700	Thread sleep count: 6218 > 30
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe TID: 3868	Thread sleep time: -27670116110564310s >= -30000s
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe TID: 3868	Thread sleep time: -30000s >= -30000s
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe TID: 764	Thread sleep count: 49 > 30
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe TID: 764	Thread sleep time: -490000s >= -30000s
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe TID: 3716	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe TID: 1876	Thread sleep time: -180000s >= -30000s
Source: C:\Windows\SysWOW64\rundll32.exe TID: 1900	Thread sleep time: -30000s >= -30000s
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 1868	Thread sleep time: -30000s >= -30000s
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 2036	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 4944	Thread sleep time: -30000s >= -30000s
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 4700	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 7868	Thread sleep time: -30000s >= -30000s
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 7832	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\wbem\WMIADAP.exe TID: 8012	Thread sleep count: 853 > 30

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select Manufacturer,Model,Product from Win32_BaseBoard
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select Manufacturer,Model,Product from Win32_BaseBoard
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select Manufacturer,Model,Product from Win32_BaseBoard

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select Name from Win32_Processor
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select Name from Win32_Processor
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select Name from Win32_Processor

Sample execution stops while process was sleeping (likely an evasion)

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior

Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Thread delayed: delay time: 30000
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Thread delayed: delay time: 90000
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Thread delayed: delay time: 922337203685477

Source: AgentPackageAgentInformation.exe.14.dr	Binary or memory string: VIRUSfighterAVMware Carbon Black Cloud Sensor7VMware Carbon Black Defense/VMware Carbon Black EDR9VMware Carbon Black Response
Source: AgentPackageAgentInformation.exe, 00000017.00000002.2207440429.000001DAB5BFF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllhh
Source: AteraAgent.exe, 0000000E.00000002.2631705568.00000294EAA99000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW`^
Source: AteraAgent.exe, 0000000E.00000002.2633116462.00000294EAE2D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWo
Source: AteraAgent.exe, 0000000D.00000002.1514531670.0000014C09C79000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.1516184383.0000014C228A0000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.1514531670.0000014C09BF0000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2634013625.00000294EAEF6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: rundll32.exe, 00000005.00000002.1444717726.00000000005F8000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1444074163.00000000005F6000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000013.00000002.1736722380.0000017748FF0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: rundll32.exe, 00000011.00000002.1570641470.0000000000605000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll$
Source: AgentPackageAgentInformation.exe, 00000019.00000002.2366838259.000001CAF08A8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll{{

Source: C:\Windows\System32\msiexec.exe

Process information queried: ProcessInformation

Jump to behavior

Enables debug privileges

Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process token adjusted: Debug
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process token adjusted: Debug
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process token adjusted: Debug
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process token adjusted: Debug

Source: C:\Windows\SysWOW64\rundll32.exe

Memory allocated: page read and write | page guard

Jump to behavior

Creates a process in suspended mode (likely to inject code)

Source: C:\Windows\System32\msiexec.exe	Process created: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe" /i /IntegratorLogin="lauraclima92@gmail.com" /CompanyId="1" /IntegratorLoginUI="" /CompanyIdUI="" /FolderId="" /AccountId="001Q300000MAUEiIAP" /AgentId="ca4f6eb7-da88-4119-8d72-16266eeb5dd4"	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\net.exe "NET" STOP AteraAgent	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\taskkill.exe "TaskKill.exe" /f /im AteraAgent.exe	Jump to behavior
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 STOP AteraAgent	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process created: C:\Windows\System32\sc.exe "C:\Windows\System32\sc.exe" failure AteraAgent reset= 600 actions= restart/25000
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" ca4f6eb7-da88-4119-8d72-16266eeb5dd4 "40d7881e-bac7-4bc1-a310-af4ec03e6c5c" agent-api.atera.com/Production 443 or8ixLi90Mf "minimalIdentification" 001Q300000MAUEiIAP
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" ca4f6eb7-da88-4119-8d72-16266eeb5dd4 "4d432fbf-e66a-4222-84c5-bc3b68a3273b" agent-api.atera.com/Production 443 or8ixLi90Mf "minimalIdentification" 001Q300000MAUEiIAP
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" ca4f6eb7-da88-4119-8d72-16266eeb5dd4 "47be830f-d7d7-401a-87fc-8b93e37bf80a" agent-api.atera.com/Production 443 or8ixLi90Mf "minimalIdentification" 001Q300000MAUEiIAP

Uses taskkill to terminate processes

Source: C:\Windows\SysWOW64\msiexec.exe

Process created: C:\Windows\SysWOW64\taskkill.exe "TaskKill.exe" /f /im AteraAgent.exe

Jump to behavior

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Source: C:\Windows\System32\msiexec.exe	Process created: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe "c:\program files (x86)\atera networks\ateraagent\ateraagent.exe" /i /integratorlogin="lauraclima92@gmail.com" /companyid="1" /integratorloginui="" /companyidui="" /folderid="" /accountid="001q300000maueiiap" /agentid="ca4f6eb7-da88-4119-8d72-16266eeb5dd4"
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "c:\program files (x86)\atera networks\ateraagent\packages\agentpackageagentinformation\agentpackageagentinformation.exe" ca4f6eb7-da88-4119-8d72-16266eeb5dd4 "40d7881e-bac7-4bc1-a310-af4ec03e6c5c" agent-api.atera.com/production 443 or8ixli90mf "minimalidentification" 001q300000maueiiap
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "c:\program files (x86)\atera networks\ateraagent\packages\agentpackageagentinformation\agentpackageagentinformation.exe" ca4f6eb7-da88-4119-8d72-16266eeb5dd4 "4d432fbf-e66a-4222-84c5-bc3b68a3273b" agent-api.atera.com/production 443 or8ixli90mf "minimalidentification" 001q300000maueiiap
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "c:\program files (x86)\atera networks\ateraagent\packages\agentpackageagentinformation\agentpackageagentinformation.exe" ca4f6eb7-da88-4119-8d72-16266eeb5dd4 "47be830f-d7d7-401a-87fc-8b93e37bf80a" agent-api.atera.com/production 443 or8ixli90mf "minimalidentification" 001q300000maueiiap
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe "c:\program files (x86)\atera networks\ateraagent\ateraagent.exe" /i /integratorlogin="lauraclima92@gmail.com" /companyid="1" /integratorloginui="" /companyidui="" /folderid="" /accountid="001q300000maueiiap" /agentid="ca4f6eb7-da88-4119-8d72-16266eeb5dd4"	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "c:\program files (x86)\atera networks\ateraagent\packages\agentpackageagentinformation\agentpackageagentinformation.exe" ca4f6eb7-da88-4119-8d72-16266eeb5dd4 "40d7881e-bac7-4bc1-a310-af4ec03e6c5c" agent-api.atera.com/production 443 or8ixli90mf "minimalidentification" 001q300000maueiiap
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "c:\program files (x86)\atera networks\ateraagent\packages\agentpackageagentinformation\agentpackageagentinformation.exe" ca4f6eb7-da88-4119-8d72-16266eeb5dd4 "4d432fbf-e66a-4222-84c5-bc3b68a3273b" agent-api.atera.com/production 443 or8ixli90mf "minimalidentification" 001q300000maueiiap
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "c:\program files (x86)\atera networks\ateraagent\packages\agentpackageagentinformation\agentpackageagentinformation.exe" ca4f6eb7-da88-4119-8d72-16266eeb5dd4 "47be830f-d7d7-401a-87fc-8b93e37bf80a" agent-api.atera.com/production 443 or8ixli90mf "minimalidentification" 001q300000maueiiap

Queries the volume information (name, serial number etc) of a device

Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Queries volume information: C:\Windows\Installer\MSI1264.tmp-\Microsoft.Deployment.WindowsInstaller.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Queries volume information: C:\Windows\Installer\MSI1264.tmp-\AlphaControlAgentInstallation.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Queries volume information: C:\Windows\Installer\MSI1766.tmp-\Microsoft.Deployment.WindowsInstaller.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Queries volume information: C:\Windows\Installer\MSI1766.tmp-\AlphaControlAgentInstallation.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Queries volume information: C:\Windows\Installer\MSI1766.tmp-\Newtonsoft.Json.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Queries volume information: C:\Windows\Installer\MSI2D41.tmp-\Microsoft.Deployment.WindowsInstaller.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Queries volume information: C:\Windows\Installer\MSI2D41.tmp-\AlphaControlAgentInstallation.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Queries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Queries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Pubnub.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Queries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe VolumeInformation
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Queries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Pubnub.dll VolumeInformation
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Queries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Newtonsoft.Json.dll VolumeInformation
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Queries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\ICSharpCode.SharpZipLib.dll VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe	Queries volume information: C:\Windows\Installer\MSI489E.tmp-\Microsoft.Deployment.WindowsInstaller.dll VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe	Queries volume information: C:\Windows\Installer\MSI489E.tmp-\AlphaControlAgentInstallation.dll VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe	Queries volume information: C:\Windows\Installer\MSI489E.tmp-\Newtonsoft.Json.dll VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Queries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe VolumeInformation
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Queries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Newtonsoft.Json.dll VolumeInformation
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Queries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Atera.AgentPackage.Common.dll VolumeInformation
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Queries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe VolumeInformation
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Queries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Newtonsoft.Json.dll VolumeInformation
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Queries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Atera.AgentPackage.Common.dll VolumeInformation
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Queries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe VolumeInformation
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Queries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Newtonsoft.Json.dll VolumeInformation
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Queries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Atera.AgentPackage.Common.dll VolumeInformation
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation

Source: C:\Windows\SysWOW64\rundll32.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Adds / modifies Windows certificates

Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe

Registry key created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4 Blob

Remote Access Functionality

Yara detected AteraAgent

Source: Yara match	File source: 19.0.AgentPackageAgentInformation.exe.177486b0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.AgentPackageAgentInformation.exe.17748cc0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.0.AteraAgent.exe.14c07ff0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000017.00000002.2206503993.000001DA9D403000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.1516184383.0000014C228FB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000002.2365662258.000001CAEF8E0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000002.2365662258.000001CAEF92B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.2623775013.00000294806F6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.1572886890.0000000004374000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.1514461483.0000014C08440000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.2623775013.00000294806B5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.1735966351.0000017748910000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.1515070102.0000014C09F29000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000002.2365662258.000001CAEF8A0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000002.2366838259.000001CAF0860000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.1515070102.0000014C09F52000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.2623775013.000002948006E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.1445956864.0000000004431000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.1513193634.0000014C080CC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.1515070102.0000014C0A01C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.2623775013.0000029480702000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.1516159547.0000014C22890000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000003.1520522835.00000000040CE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000002.2205662443.000001DA9CBD9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000002.2206503993.000001DA9D3D7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.2631705568.00000294EAA7C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000002.2205662443.000001DA9CBF0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.2630403750.00000294E9A78000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000002.2205662443.000001DA9CC0C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.1736416646.0000017748BC0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.2633116462.00000294EAEAF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000002.2205662443.000001DA9CBD0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000002.2205662443.000001DA9CC10000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.1737064202.0000017749143000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.1513193634.0000014C080E3000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000003.1449345788.0000000004D48000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.1736549583.0000017748CC2000.00000002.00000001.01000000.00000018.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000002.2366618676.000001CAEFB70000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.1735966351.0000017748963000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000002.2205522551.000001DA9CB60000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.1515070102.0000014C09F54000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.1515070102.0000014C09FD2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000000.1462877199.0000014C07FF2000.00000002.00000001.01000000.0000000F.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.2623775013.0000029480001000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.1513193634.0000014C08130000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.2623775013.000002948013F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.2630403750.00000294E9AAC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.1514531670.0000014C09CE1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.1513193634.0000014C080A0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.1515070102.0000014C09F5A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.2623775013.0000029480684000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000002.2364172083.000001CA80047000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000002.2365662258.000001CAEF8A9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.1736722380.0000017748FF0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.1513193634.0000014C080A6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.1735966351.0000017748955000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.2630000184.00000294E98B0000.00000004.00000020.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.1445956864.00000000044D4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.2623775013.000002948029A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000002.2364172083.000001CA80073000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.1735966351.00000177489A0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000002.2364172083.000001CA800BF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000002.2206503993.000001DA9D44F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000002.2206503993.000001DA9D413000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.2623775013.00000294806C7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.2623775013.00000294801DF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.1514531670.0000014C09BF0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000002.2364172083.000001CA80083000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.2620087046.000000C589D95000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.2630233935.00000294E9A10000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.1384418180.0000000004AA0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.1516958239.00007FF886A94000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000002.2365662258.000001CAEF8DE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.2633116462.00000294EADC0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000000.1696182343.00000177486B2000.00000002.00000001.01000000.00000016.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.2630403750.00000294E9A70000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.1737064202.0000017749133000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.2623775013.0000029480538000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000002.2206503993.000001DA9D391000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.1572886890.00000000042D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.1393627816.0000000004240000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.2630403750.00000294E9AF6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.1515070102.0000014C09F2C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000002.2205662443.000001DA9CC55000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.1737064202.00000177490C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000002.2364172083.000001CA80001000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.1515070102.0000014C09EA1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 7668, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 7740, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 7828, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: AteraAgent.exe PID: 8072, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: AteraAgent.exe PID: 7292, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 1848, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: AgentPackageAgentInformation.exe PID: 3376, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: AgentPackageAgentInformation.exe PID: 4216, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: AgentPackageAgentInformation.exe PID: 7732, type: MEMORYSTR
Source: Yara match	File source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.InstallLog, type: DROPPED
Source: Yara match	File source: C:\Windows\Temp\~DF31BE93D7FB3585D0.TMP, type: DROPPED
Source: Yara match	File source: C:\Windows\Temp\~DFBEDEA443DEFE141C.TMP, type: DROPPED
Source: Yara match	File source: C:\Windows\Temp\~DF906A73D282F9BD42.TMP, type: DROPPED
Source: Yara match	File source: C:\Windows\Temp\~DFD7B20DF7F70954E9.TMP, type: DROPPED
Source: Yara match	File source: C:\Windows\Temp\~DF5892DD4D99EE3C15.TMP, type: DROPPED
Source: Yara match	File source: C:\Config.Msi\5b113c.rbs, type: DROPPED
Source: Yara match	File source: C:\Windows\Installer\MSI1766.tmp-\AlphaControlAgentInstallation.dll, type: DROPPED
Source: Yara match	File source: C:\Windows\Installer\MSI2D41.tmp-\AlphaControlAgentInstallation.dll, type: DROPPED
Source: Yara match	File source: C:\Windows\Installer\inprogressinstallinfo.ipi, type: DROPPED
Source: Yara match	File source: C:\Windows\System32\InstallUtil.InstallLog, type: DROPPED
Source: Yara match	File source: C:\Windows\Temp\~DF552422D476BA62BF.TMP, type: DROPPED
Source: Yara match	File source: C:\Windows\Installer\MSI489E.tmp-\AlphaControlAgentInstallation.dll, type: DROPPED
Source: Yara match	File source: C:\Windows\Installer\MSI1264.tmp-\AlphaControlAgentInstallation.dll, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Atera.AgentPackage.Common.dll, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\Installer\MSI2FB3.tmp, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe, type: DROPPED

Screenshots

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Network Map

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Contacted Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
13.232.67.198	ps.pndsn.com	United States		16509	AMAZON-02US	false
108.158.75.12	d25btwd9wax8gu.cloudfront.net	United States		16509	AMAZON-02US	false

Contacted Domains

Name	IP	Active
ps.pndsn.com	13.232.67.198	true
bg.microsoft.map.fastly.net	199.232.214.172	true
d25btwd9wax8gu.cloudfront.net	108.158.75.12	true
fp2e7a.wpc.phicdn.net	192.229.221.95	true
windowsupdatebg.s.llnwi.net	178.79.238.0	true
ps.atera.com	unknown	unknown
agent-api.atera.com	unknown	unknown

Contacted URLs

Name	Malicious	Reputation
https://ps.pndsn.com/v2/subscribe/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/ca4f6eb7-da88-4119-8d72-16266eeb5dd4/0?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=0f23dd88-0fc7-4a6a-9b6f-a8e42f785442&tt=0&uuid=ca4f6eb7-da88-4119-8d72-16266eeb5dd4	false	high
https://ps.pndsn.com/time/0?pnsdk=NET45CSharp6.13.0.0&requestid=c89efe78-d68a-44aa-b962-a0da30029aef&uuid=ca4f6eb7-da88-4119-8d72-16266eeb5dd4	false	high
https://ps.pndsn.com/time/0?pnsdk=NET45CSharp6.13.0.0&requestid=0b64e705-668e-465a-845d-ea16cbb2791c&uuid=ca4f6eb7-da88-4119-8d72-16266eeb5dd4	false	high
https://ps.pndsn.com/time/0?pnsdk=NET45CSharp6.13.0.0&requestid=69f1cfdc-a5c4-4346-9133-ec4ebbe57718&uuid=ca4f6eb7-da88-4119-8d72-16266eeb5dd4	false	high
https://ps.pndsn.com/v2/presence/sub_key/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/channel/ca4f6eb7-da88-4119-8d72-16266eeb5dd4/leave?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=a0accb58-72c6-4bcd-b5e6-5bf070d2bbb5&uuid=ca4f6eb7-da88-4119-8d72-16266eeb5dd4	false	high
https://ps.pndsn.com/time/0?pnsdk=NET45CSharp6.13.0.0&requestid=59dc8d89-7bee-4d36-a28b-270400da27e0&uuid=ca4f6eb7-da88-4119-8d72-16266eeb5dd4	false	high
https://ps.pndsn.com/v2/subscribe/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/ca4f6eb7-da88-4119-8d72-16266eeb5dd4/0?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=2d83b3c6-7779-408a-91cc-201421fcc115&tr=31&tt=17324434371950064&uuid=ca4f6eb7-da88-4119-8d72-16266eeb5dd4	false	high
https://ps.pndsn.com/v2/subscribe/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/ca4f6eb7-da88-4119-8d72-16266eeb5dd4/0?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=432189bc-183c-4c40-a56b-6e5a68b3917f&tr=31&tt=17324433983044696&uuid=ca4f6eb7-da88-4119-8d72-16266eeb5dd4	false	high
https://ps.pndsn.com/v2/subscribe/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/ca4f6eb7-da88-4119-8d72-16266eeb5dd4/0?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=b092b222-e28c-4cbf-b2ce-1ad35a4da96f&tr=31&tt=17324434136474401&uuid=ca4f6eb7-da88-4119-8d72-16266eeb5dd4	false	high
https://ps.pndsn.com/v2/presence/sub_key/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/channel/ca4f6eb7-da88-4119-8d72-16266eeb5dd4/leave?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=87de8078-9f58-41e2-9c51-2e34fbeb83af&uuid=ca4f6eb7-da88-4119-8d72-16266eeb5dd4	false	high
https://ps.pndsn.com/v2/subscribe/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/ca4f6eb7-da88-4119-8d72-16266eeb5dd4/0?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=3eaa9905-10e5-43ca-a5ec-3f04289fa0f4&tt=0&uuid=ca4f6eb7-da88-4119-8d72-16266eeb5dd4	false	high
https://ps.pndsn.com/v2/presence/sub_key/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/channel/ca4f6eb7-da88-4119-8d72-16266eeb5dd4/heartbeat?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=7abf71f1-a15a-4c21-a35a-f3e49209c1fb&uuid=ca4f6eb7-da88-4119-8d72-16266eeb5dd4	false	high
https://ps.pndsn.com/v2/subscribe/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/ca4f6eb7-da88-4119-8d72-16266eeb5dd4/0?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=9887171e-f6b2-4985-868a-76f8a9ac9c69&tr=31&tt=17324433983044696&uuid=ca4f6eb7-da88-4119-8d72-16266eeb5dd4	false	high
https://ps.pndsn.com/v2/presence/sub_key/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/channel/ca4f6eb7-da88-4119-8d72-16266eeb5dd4/heartbeat?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=8dc1d376-2e7b-4680-b35a-6e4e965362d5&uuid=ca4f6eb7-da88-4119-8d72-16266eeb5dd4	false	high
https://ps.pndsn.com/v2/presence/sub_key/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/channel/ca4f6eb7-da88-4119-8d72-16266eeb5dd4/heartbeat?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=8d3291ed-c39f-4716-80d8-7d0a2db2f535&uuid=ca4f6eb7-da88-4119-8d72-16266eeb5dd4	false	high
https://ps.pndsn.com/time/0?pnsdk=NET45CSharp6.13.0.0&requestid=b90d88ed-90a0-4d85-a3f0-2431379878e6&uuid=ca4f6eb7-da88-4119-8d72-16266eeb5dd4	false	high
https://ps.pndsn.com/v2/subscribe/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/ca4f6eb7-da88-4119-8d72-16266eeb5dd4/0?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=ab4cb35d-22c9-4fd4-8e1d-46a28fd23be0&tr=31&tt=17324433393200501&uuid=ca4f6eb7-da88-4119-8d72-16266eeb5dd4	false	high
https://ps.pndsn.com/v2/subscribe/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/ca4f6eb7-da88-4119-8d72-16266eeb5dd4/0?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=49524d65-4fb1-4bb1-9c7b-f5d3e2dbe3f7&tr=31&tt=17324433418622730&uuid=ca4f6eb7-da88-4119-8d72-16266eeb5dd4	false	high
https://ps.pndsn.com/time/0?pnsdk=NET45CSharp6.13.0.0&requestid=af1c8f78-a8fb-4782-9e02-8522647fac57&uuid=ca4f6eb7-da88-4119-8d72-16266eeb5dd4	false	high
https://ps.atera.com/agentpackagesnet45/AgentPackageAgentInformation/38.0/AgentPackageAgentInformation.zip?yFk+9uu9aja3RXZs7wXkvbKodLamRoX+E2lNjbQETmCf6sqL8+70SxX20aW8U680	false	high
https://ps.pndsn.com/v2/presence/sub_key/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/channel/ca4f6eb7-da88-4119-8d72-16266eeb5dd4/leave?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=e628df81-96dc-46ed-9afe-0cd2a51d1679&uuid=ca4f6eb7-da88-4119-8d72-16266eeb5dd4	false	high
https://ps.pndsn.com/v2/subscribe/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/ca4f6eb7-da88-4119-8d72-16266eeb5dd4/0?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=0162374f-2552-479f-be18-4b11df053a72&tt=0&uuid=ca4f6eb7-da88-4119-8d72-16266eeb5dd4	false	high
https://ps.pndsn.com/time/0?pnsdk=NET45CSharp6.13.0.0&requestid=65e5bee7-d50d-4689-beb6-7331ad74953a&uuid=ca4f6eb7-da88-4119-8d72-16266eeb5dd4	false	high

AV Detection

Multi AV Scanner detection for dropped file

Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe

ReversingLabs: Detection: 26%

Multi AV Scanner detection for submitted file

Source: ReceitaFederal-consulta-yFZMA-45896_v.3_35687.msi

ReversingLabs: Detection: 26%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 93.3% probability

Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File created: C:\Windows\system32\InstallUtil.InstallLog			Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.InstallLog			Jump to behavior

Source: unknown	HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.9:49768 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.9:49769 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 108.158.75.12:443 -> 192.168.2.9:49792 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.9:49904 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.9:49942 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.9:49943 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.9:49983 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.9:49985 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.9:50004 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.9:50043 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.9:50044 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.9:50047 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.9:50048 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.9:50049 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.9:50051 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.9:50050 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.9:50067 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.9:50068 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.9:50073 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.9:50086 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.9:50089 version: TLS 1.2

Source:	Binary string: D:\a\1\s\AgentPackageAgentInformation\AgentPackageAgentInformation\obj\Release\AgentPackageAgentInformation.pdb source: AteraAgent.exe, 0000000E.00000002.2633116462.00000294EAEAF000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000013.00000000.1696182343.00000177486B2000.00000002.00000001.01000000.00000016.sdmp, AgentPackageAgentInformation.exe.14.dr
Source:	Binary string: D:\a\1\s\AlphaControlAgentInstallation\obj\Release\AlphaControlAgentInstallation.pdb source: rundll32.exe, 00000004.00000003.1384418180.0000000004AA0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.1446980607.0000000006E10000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.1444559082.00000000005BC000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1444139924.00000000005BC000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1393627816.0000000004240000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1449345788.0000000004D48000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000011.00000003.1520522835.00000000040CE000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000011.00000002.1575945285.0000000006C33000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000011.00000002.1570641470.0000000000605000.00000004.00000020.00020000.00000000.sdmp, AlphaControlAgentInstallation.dll.5.dr, AlphaControlAgentInstallation.dll.6.dr, AlphaControlAgentInstallation.dll.17.dr, AlphaControlAgentInstallation.dll.4.dr
Source:	Binary string: \??\C:\Windows\Installer\MSI489E.tmp-\AlphaControlAgentInstallation.PDBrb source: rundll32.exe, 00000011.00000002.1570641470.00000000005A5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\symbols\dll\AlphaControlAgentInstallation.pdb source: rundll32.exe, 00000011.00000002.1570641470.0000000000605000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\AlphaControlAgentInstallation.pdbpdbion.pdb% source: rundll32.exe, 00000005.00000002.1444743402.000000000060F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1444294947.000000000060E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1444074163.00000000005F6000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\AlphaControlAgentInstallation.pdbpdbion.pdb( source: rundll32.exe, 00000011.00000002.1570641470.0000000000653000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: /_/Src/Newtonsoft.Json/obj/Release/net45/Newtonsoft.Json.pdbSHA256 source: AgentPackageAgentInformation.exe, 00000013.00000002.1737873260.00000177618A2000.00000002.00000001.01000000.00000019.sdmp, Newtonsoft.Json.dll.14.dr
Source:	Binary string: C:\Windows\System.pdbpdbtem.pdb source: rundll32.exe, 00000011.00000002.1575945285.0000000006C4A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\symbols\dll\AlphaControlAgentInstallation.pdbG source: rundll32.exe, 00000005.00000002.1444717726.00000000005F8000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1444074163.00000000005F6000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\s\AlphaControlAgent\obj\Release\AteraAgent.pdb<$ source: AteraAgent.exe, 0000000D.00000000.1462877199.0000014C07FF2000.00000002.00000001.01000000.0000000F.sdmp, AteraAgent.exe.2.dr
Source:	Binary string: System.pdbN\|2h\|2 Z\|2_CorDllMainmscoree.dll source: rundll32.exe, 00000005.00000002.1446980607.0000000006E00000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000011.00000002.1575945285.0000000006C33000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: /_/Src/Newtonsoft.Json/obj/Release/net45/Newtonsoft.Json.pdb source: rundll32.exe, 00000004.00000003.1384418180.0000000004AD1000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1393627816.0000000004271000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1449345788.0000000004D79000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2632599707.00000294EABC2000.00000002.00000001.01000000.0000001A.sdmp, rundll32.exe, 00000011.00000003.1520522835.00000000040FF000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000013.00000002.1737873260.00000177618A2000.00000002.00000001.01000000.00000019.sdmp, Newtonsoft.Json.dll.6.dr, Newtonsoft.Json.dll.4.dr, Newtonsoft.Json.dll.2.dr, Newtonsoft.Json.dll.14.dr, Newtonsoft.Json.dll.5.dr, Newtonsoft.Json.dll.17.dr
Source:	Binary string: D:\a\1\s\Atera.AgentPackage.Common\obj\Release\Atera.AgentPackage.Common.pdb source: AgentPackageAgentInformation.exe, 00000013.00000002.1736549583.0000017748CC2000.00000002.00000001.01000000.00000018.sdmp, Atera.AgentPackage.Common.dll.14.dr
Source:	Binary string: E:\A\_work\39\s\corefx\bin\obj\AnyOS.AnyCPU.Release\System.ValueTuple\netstandard1.0\System.ValueTuple.pdb source: System.ValueTuple.dll.2.dr
Source:	Binary string: \??\C:\Windows\symbols\dll\System.pdb2 source: rundll32.exe, 00000011.00000002.1575945285.0000000006C4A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\agent\_work\66\s\build\ship\x86\wixca.pdb source: ReceitaFederal-consulta-yFZMA-45896_v.3_35687.msi, MSI30EE.tmp.2.dr, MSI3022.tmp.2.dr, MSI2FB3.tmp.2.dr, 5b113b.msi.2.dr, 5b113d.msi.2.dr, MSI2FC4.tmp.2.dr
Source:	Binary string: bHP~n\C:\Windows\AlphaControlAgentInstallation.pdb source: rundll32.exe, 00000005.00000002.1444393467.0000000000497000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\AlphaControlAgentInstallation.pdbotm source: rundll32.exe, 00000011.00000002.1570641470.00000000005A5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\dll\AlphaControlAgentInstallation.pdbG source: rundll32.exe, 00000011.00000002.1570641470.0000000000605000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\agent\_work\66\s\build\obj\ship\x86\WindowsInstaller\Microsoft.Deployment.WindowsInstaller.pdbP source: rundll32.exe, 00000004.00000003.1384418180.0000000004AA0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1393627816.0000000004240000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1449345788.0000000004D48000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000011.00000003.1520522835.00000000040CE000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Deployment.WindowsInstaller.dll.4.dr, Microsoft.Deployment.WindowsInstaller.dll.6.dr, Microsoft.Deployment.WindowsInstaller.dll.17.dr
Source:	Binary string: D:\a\1\s\Atera.AgentPackage.Common\obj\Release\Atera.AgentPackage.Common.pdbPf source: AgentPackageAgentInformation.exe, 00000013.00000002.1736549583.0000017748CC2000.00000002.00000001.01000000.00000018.sdmp, Atera.AgentPackage.Common.dll.14.dr
Source:	Binary string: \??\C:\Windows\dll\AlphaControlAgentInstallation.pdb source: rundll32.exe, 00000005.00000002.1446980607.0000000006DD0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000011.00000002.1570641470.0000000000605000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Installer\MSI1766.tmp-\AlphaControlAgentInstallation.pdb source: rundll32.exe, 00000005.00000002.1444559082.00000000005BC000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1444139924.00000000005BC000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.pdb source: rundll32.exe, 00000005.00000002.1446980607.0000000006E00000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000011.00000002.1575945285.0000000006C33000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: BouncyCastle.Crypto.pdbSHA256 source: BouncyCastle.Crypto.dll.2.dr
Source:	Binary string: \??\C:\Windows\Installer\MSI1766.tmp-\AlphaControlAgentInstallation.PDBkd source: rundll32.exe, 00000005.00000002.1444559082.00000000005BC000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1444139924.00000000005BC000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\agent\_work\66\s\build\obj\ship\x86\WindowsInstaller\Microsoft.Deployment.WindowsInstaller.pdb source: rundll32.exe, 00000004.00000003.1384418180.0000000004AA0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1393627816.0000000004240000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1449345788.0000000004D48000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000011.00000003.1520522835.00000000040CE000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Deployment.WindowsInstaller.dll.4.dr, Microsoft.Deployment.WindowsInstaller.dll.6.dr, Microsoft.Deployment.WindowsInstaller.dll.17.dr
Source:	Binary string: \??\C:\Windows\Installer\MSI489E.tmp-\AlphaControlAgentInstallation.pdb source: rundll32.exe, 00000011.00000002.1570641470.00000000005A5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\s\AlphaControlAgent\obj\Release\AteraAgent.pdb source: AteraAgent.exe, 0000000D.00000000.1462877199.0000014C07FF2000.00000002.00000001.01000000.0000000F.sdmp, AteraAgent.exe.2.dr
Source:	Binary string: \??\C:\Windows\AlphaControlAgentInstallation.pdbCultur source: rundll32.exe, 00000005.00000002.1444559082.00000000005BC000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1444139924.00000000005BC000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: nC:\Windows\Installer\MSI1766.tmp-\AlphaControlAgentInstallation.pdbQ source: rundll32.exe, 00000005.00000002.1444393467.0000000000497000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\System.pdb} source: rundll32.exe, 00000011.00000002.1570641470.0000000000653000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: nC:\Windows\Installer\MSI489E.tmp-\AlphaControlAgentInstallation.pdb source: rundll32.exe, 00000011.00000002.1570401025.00000000000D7000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: E:\A\_work\39\s\corefx\bin\obj\AnyOS.AnyCPU.Release\System.ValueTuple\netstandard1.0\System.ValueTuple.pdbSHA256 source: System.ValueTuple.dll.2.dr
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdb source: rundll32.exe, 00000005.00000002.1444743402.000000000060F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1444294947.000000000060E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1444074163.00000000005F6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000011.00000002.1570641470.0000000000605000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\c-sharp\c-sharp\src\Api\PubnubApi\obj\Release\net45\Pubnub.pdbSHA256 source: AteraAgent.exe, 0000000D.00000002.1516024952.0000014C226B2000.00000002.00000001.01000000.00000011.sdmp, Pubnub.dll.2.dr
Source:	Binary string: D:\a\c-sharp\c-sharp\src\Api\PubnubApi\obj\Release\net45\Pubnub.pdb source: AteraAgent.exe, 0000000D.00000002.1516024952.0000014C226B2000.00000002.00000001.01000000.00000011.sdmp, AteraAgent.exe, 0000000E.00000002.2631705568.00000294EAA99000.00000004.00000020.00020000.00000000.sdmp, Pubnub.dll.2.dr
Source:	Binary string: eHP~n\C:\Windows\AlphaControlAgentInstallation.pdb source: rundll32.exe, 00000011.00000002.1570401025.00000000000D7000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Installer\MSI1766.tmp-\AlphaControlAgentInstallation.pdb(cyv source: rundll32.exe, 00000005.00000002.1444559082.00000000005BC000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1444139924.00000000005BC000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \Windows\Pubnub.pdbpdbnub.pdb source: AteraAgent.exe, 0000000E.00000002.2631705568.00000294EAA99000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\agent\_work\66\s\build\ship\x86\SfxCA.pdb source: ReceitaFederal-consulta-yFZMA-45896_v.3_35687.msi, MSI2D41.tmp.2.dr, MSI1264.tmp.2.dr, 5b113b.msi.2.dr, MSI489E.tmp.2.dr, 5b113d.msi.2.dr, MSI1766.tmp.2.dr
Source:	Binary string: /_/src/ICSharpCode.SharpZipLib/obj/Release/net45/ICSharpCode.SharpZipLib.pdbSHA256mW source: AteraAgent.exe, 0000000E.00000002.2634938179.00000294EB1C2000.00000002.00000001.01000000.0000001B.sdmp, ICSharpCode.SharpZipLib.dll.2.dr
Source:	Binary string: /_/src/ICSharpCode.SharpZipLib/obj/Release/net45/ICSharpCode.SharpZipLib.pdb source: AteraAgent.exe, 0000000E.00000002.2634938179.00000294EB1C2000.00000002.00000001.01000000.0000001B.sdmp, ICSharpCode.SharpZipLib.dll.2.dr
Source:	Binary string: BouncyCastle.Crypto.pdb source: BouncyCastle.Crypto.dll.2.dr
Source:	Binary string: \??\C:\Windows\AlphaControlAgentInstallation.pdb Cul source: rundll32.exe, 00000011.00000002.1570641470.00000000005A5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: /_/Src/Newtonsoft.Json/obj/Release/net45/Newtonsoft.Json.pdbSHA2567 source: rundll32.exe, 00000004.00000003.1384418180.0000000004AD1000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1393627816.0000000004271000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1449345788.0000000004D79000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2632599707.00000294EABC2000.00000002.00000001.01000000.0000001A.sdmp, rundll32.exe, 00000011.00000003.1520522835.00000000040FF000.00000004.00000020.00020000.00000000.sdmp, Newtonsoft.Json.dll.6.dr, Newtonsoft.Json.dll.4.dr, Newtonsoft.Json.dll.2.dr, Newtonsoft.Json.dll.5.dr, Newtonsoft.Json.dll.17.dr
Source:	Binary string: \??\C:\Windows\symbols\dll\System.pdb source: rundll32.exe, 00000005.00000003.1444045873.0000000006E1B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000011.00000002.1575945285.0000000006C4A000.00000004.00000020.00020000.00000000.sdmp

Checks for available system drives (often done to infect USB drives)

Source: C:\Windows\System32\msiexec.exe	File opened: z:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: x:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: v:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: t:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: r:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: p:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: n:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: l:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: j:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: h:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: f:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: b:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: y:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: w:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: u:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: s:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: q:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: o:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: m:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: k:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: i:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: g:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: e:	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File opened: c:
Source: C:\Windows\System32\msiexec.exe	File opened: a:	Jump to behavior

Found inlined nop instructions (likely shell or obfuscated code)

Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Code function: 4x nop then jmp 00007FF886A01FFFh	13_2_00007FF886A01FAC
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Code function: 4x nop then jmp 00007FF886A01873h	13_2_00007FF886A0172D
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Code function: 4x nop then jmp 00007FF886A01A44h	13_2_00007FF886A01A35
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Code function: 4x nop then jmp 00007FF886A0B972h	14_2_00007FF886A0B5E7
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Code function: 4x nop then jmp 00007FF8869F4ECBh	14_2_00007FF8869F4E6B
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Code function: 4x nop then jmp 00007FF886A0B972h	14_2_00007FF886A0B620
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Code function: 4x nop then jmp 00007FF8869F227Bh	14_2_00007FF8869F225D

Networking

Yara detected Generic Downloader

Source: Yara match	File source: 19.0.AgentPackageAgentInformation.exe.177486b0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe, type: DROPPED

HTTP GET or POST without a user agent

Source: global traffic	HTTP traffic detected: GET /v2/subscribe/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/ca4f6eb7-da88-4119-8d72-16266eeb5dd4/0?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=3eaa9905-10e5-43ca-a5ec-3f04289fa0f4&tt=0&uuid=ca4f6eb7-da88-4119-8d72-16266eeb5dd4 HTTP/1.1Cache-Control: no-cachePragma: no-cacheContent-Type: application/jsonHost: ps.pndsn.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /time/0?pnsdk=NET45CSharp6.13.0.0&requestid=59dc8d89-7bee-4d36-a28b-270400da27e0&uuid=ca4f6eb7-da88-4119-8d72-16266eeb5dd4 HTTP/1.1Host: ps.pndsn.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /v2/subscribe/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/ca4f6eb7-da88-4119-8d72-16266eeb5dd4/0?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=ab4cb35d-22c9-4fd4-8e1d-46a28fd23be0&tr=31&tt=17324433393200501&uuid=ca4f6eb7-da88-4119-8d72-16266eeb5dd4 HTTP/1.1Cache-Control: no-cachePragma: no-cacheContent-Type: application/jsonHost: ps.pndsn.com
Source: global traffic	HTTP traffic detected: GET /agentpackagesnet45/AgentPackageAgentInformation/38.0/AgentPackageAgentInformation.zip?yFk+9uu9aja3RXZs7wXkvbKodLamRoX+E2lNjbQETmCf6sqL8+70SxX20aW8U680 HTTP/1.1Host: ps.atera.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /v2/subscribe/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/ca4f6eb7-da88-4119-8d72-16266eeb5dd4/0?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=49524d65-4fb1-4bb1-9c7b-f5d3e2dbe3f7&tr=31&tt=17324433418622730&uuid=ca4f6eb7-da88-4119-8d72-16266eeb5dd4 HTTP/1.1Cache-Control: no-cachePragma: no-cacheContent-Type: application/jsonHost: ps.pndsn.com
Source: global traffic	HTTP traffic detected: GET /time/0?pnsdk=NET45CSharp6.13.0.0&requestid=409cd075-04de-411d-8e74-cc204daabc39&uuid=ca4f6eb7-da88-4119-8d72-16266eeb5dd4 HTTP/1.1Host: ps.pndsn.com
Source: global traffic	HTTP traffic detected: GET /time/0?pnsdk=NET45CSharp6.13.0.0&requestid=0b64e705-668e-465a-845d-ea16cbb2791c&uuid=ca4f6eb7-da88-4119-8d72-16266eeb5dd4 HTTP/1.1Host: ps.pndsn.com
Source: global traffic	HTTP traffic detected: GET /v2/presence/sub_key/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/channel/ca4f6eb7-da88-4119-8d72-16266eeb5dd4/heartbeat?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=8dc1d376-2e7b-4680-b35a-6e4e965362d5&uuid=ca4f6eb7-da88-4119-8d72-16266eeb5dd4 HTTP/1.1Cache-Control: no-cachePragma: no-cacheContent-Type: application/jsonHost: ps.pndsn.com
Source: global traffic	HTTP traffic detected: GET /v2/subscribe/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/ca4f6eb7-da88-4119-8d72-16266eeb5dd4/0?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=432189bc-183c-4c40-a56b-6e5a68b3917f&tr=31&tt=17324433983044696&uuid=ca4f6eb7-da88-4119-8d72-16266eeb5dd4 HTTP/1.1Cache-Control: no-cachePragma: no-cacheContent-Type: application/jsonHost: ps.pndsn.com
Source: global traffic	HTTP traffic detected: GET /time/0?pnsdk=NET45CSharp6.13.0.0&requestid=af1c8f78-a8fb-4782-9e02-8522647fac57&uuid=ca4f6eb7-da88-4119-8d72-16266eeb5dd4 HTTP/1.1Host: ps.pndsn.com
Source: global traffic	HTTP traffic detected: GET /v2/presence/sub_key/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/channel/ca4f6eb7-da88-4119-8d72-16266eeb5dd4/leave?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=9401654a-318b-4070-93c4-7e976e6983d7&uuid=ca4f6eb7-da88-4119-8d72-16266eeb5dd4 HTTP/1.1Cache-Control: no-cachePragma: no-cacheContent-Type: application/jsonHost: ps.pndsn.com
Source: global traffic	HTTP traffic detected: GET /time/0?pnsdk=NET45CSharp6.13.0.0&requestid=c89efe78-d68a-44aa-b962-a0da30029aef&uuid=ca4f6eb7-da88-4119-8d72-16266eeb5dd4 HTTP/1.1Host: ps.pndsn.com
Source: global traffic	HTTP traffic detected: GET /v2/subscribe/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/ca4f6eb7-da88-4119-8d72-16266eeb5dd4/0?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=0f23dd88-0fc7-4a6a-9b6f-a8e42f785442&tt=0&uuid=ca4f6eb7-da88-4119-8d72-16266eeb5dd4 HTTP/1.1Cache-Control: no-cachePragma: no-cacheContent-Type: application/jsonHost: ps.pndsn.com
Source: global traffic	HTTP traffic detected: GET /time/0?pnsdk=NET45CSharp6.13.0.0&requestid=83d4ff7e-819b-463d-a1d8-c1180d5bfe08&uuid=ca4f6eb7-da88-4119-8d72-16266eeb5dd4 HTTP/1.1Host: ps.pndsn.com
Source: global traffic	HTTP traffic detected: GET /v2/subscribe/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/ca4f6eb7-da88-4119-8d72-16266eeb5dd4/0?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=9887171e-f6b2-4985-868a-76f8a9ac9c69&tr=31&tt=17324433983044696&uuid=ca4f6eb7-da88-4119-8d72-16266eeb5dd4 HTTP/1.1Cache-Control: no-cachePragma: no-cacheContent-Type: application/jsonHost: ps.pndsn.com
Source: global traffic	HTTP traffic detected: GET /v2/subscribe/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/ca4f6eb7-da88-4119-8d72-16266eeb5dd4/0?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=b092b222-e28c-4cbf-b2ce-1ad35a4da96f&tr=31&tt=17324434136474401&uuid=ca4f6eb7-da88-4119-8d72-16266eeb5dd4 HTTP/1.1Cache-Control: no-cachePragma: no-cacheContent-Type: application/jsonHost: ps.pndsn.com
Source: global traffic	HTTP traffic detected: GET /time/0?pnsdk=NET45CSharp6.13.0.0&requestid=ee319b7e-c8e0-4aa4-aa35-08507a3b4589&uuid=ca4f6eb7-da88-4119-8d72-16266eeb5dd4 HTTP/1.1Host: ps.pndsn.com
Source: global traffic	HTTP traffic detected: GET /v2/presence/sub_key/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/channel/ca4f6eb7-da88-4119-8d72-16266eeb5dd4/heartbeat?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=7abf71f1-a15a-4c21-a35a-f3e49209c1fb&uuid=ca4f6eb7-da88-4119-8d72-16266eeb5dd4 HTTP/1.1Cache-Control: no-cachePragma: no-cacheContent-Type: application/jsonHost: ps.pndsn.com
Source: global traffic	HTTP traffic detected: GET /v2/presence/sub_key/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/channel/ca4f6eb7-da88-4119-8d72-16266eeb5dd4/leave?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=87de8078-9f58-41e2-9c51-2e34fbeb83af&uuid=ca4f6eb7-da88-4119-8d72-16266eeb5dd4 HTTP/1.1Cache-Control: no-cachePragma: no-cacheContent-Type: application/jsonHost: ps.pndsn.com
Source: global traffic	HTTP traffic detected: GET /time/0?pnsdk=NET45CSharp6.13.0.0&requestid=b90d88ed-90a0-4d85-a3f0-2431379878e6&uuid=ca4f6eb7-da88-4119-8d72-16266eeb5dd4 HTTP/1.1Host: ps.pndsn.com
Source: global traffic	HTTP traffic detected: GET /v2/presence/sub_key/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/channel/ca4f6eb7-da88-4119-8d72-16266eeb5dd4/heartbeat?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=f1a24d2c-ba5b-4f09-8ec6-e6a721939c6c&uuid=ca4f6eb7-da88-4119-8d72-16266eeb5dd4 HTTP/1.1Cache-Control: no-cachePragma: no-cacheContent-Type: application/jsonHost: ps.pndsn.com
Source: global traffic	HTTP traffic detected: GET /v2/presence/sub_key/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/channel/ca4f6eb7-da88-4119-8d72-16266eeb5dd4/heartbeat?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=70950088-2434-4193-ae45-e02cd33c7b05&uuid=ca4f6eb7-da88-4119-8d72-16266eeb5dd4 HTTP/1.1Cache-Control: no-cachePragma: no-cacheContent-Type: application/jsonHost: ps.pndsn.com
Source: global traffic	HTTP traffic detected: GET /time/0?pnsdk=NET45CSharp6.13.0.0&requestid=76f891ad-5bb8-448f-80e4-1f3374b27f0a&uuid=ca4f6eb7-da88-4119-8d72-16266eeb5dd4 HTTP/1.1Host: ps.pndsn.com
Source: global traffic	HTTP traffic detected: GET /v2/presence/sub_key/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/channel/ca4f6eb7-da88-4119-8d72-16266eeb5dd4/leave?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=a0accb58-72c6-4bcd-b5e6-5bf070d2bbb5&uuid=ca4f6eb7-da88-4119-8d72-16266eeb5dd4 HTTP/1.1Cache-Control: no-cachePragma: no-cacheContent-Type: application/jsonHost: ps.pndsn.com
Source: global traffic	HTTP traffic detected: GET /v2/presence/sub_key/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/channel/ca4f6eb7-da88-4119-8d72-16266eeb5dd4/heartbeat?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=8d3291ed-c39f-4716-80d8-7d0a2db2f535&uuid=ca4f6eb7-da88-4119-8d72-16266eeb5dd4 HTTP/1.1Cache-Control: no-cachePragma: no-cacheContent-Type: application/jsonHost: ps.pndsn.com
Source: global traffic	HTTP traffic detected: GET /v2/presence/sub_key/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/channel/ca4f6eb7-da88-4119-8d72-16266eeb5dd4/heartbeat?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=333b9046-7952-41dc-bdec-09303be50cd7&uuid=ca4f6eb7-da88-4119-8d72-16266eeb5dd4 HTTP/1.1Cache-Control: no-cachePragma: no-cacheContent-Type: application/jsonHost: ps.pndsn.com
Source: global traffic	HTTP traffic detected: GET /time/0?pnsdk=NET45CSharp6.13.0.0&requestid=7a698f03-89f8-46f9-b174-e35a78aa0274&uuid=ca4f6eb7-da88-4119-8d72-16266eeb5dd4 HTTP/1.1Host: ps.pndsn.com
Source: global traffic	HTTP traffic detected: GET /v2/subscribe/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/ca4f6eb7-da88-4119-8d72-16266eeb5dd4/0?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=f92af507-a9f2-4685-b0f4-6803537136b8&tt=0&uuid=ca4f6eb7-da88-4119-8d72-16266eeb5dd4 HTTP/1.1Cache-Control: no-cachePragma: no-cacheContent-Type: application/jsonHost: ps.pndsn.com
Source: global traffic	HTTP traffic detected: GET /v2/presence/sub_key/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/channel/ca4f6eb7-da88-4119-8d72-16266eeb5dd4/leave?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=e628df81-96dc-46ed-9afe-0cd2a51d1679&uuid=ca4f6eb7-da88-4119-8d72-16266eeb5dd4 HTTP/1.1Cache-Control: no-cachePragma: no-cacheContent-Type: application/jsonHost: ps.pndsn.com
Source: global traffic	HTTP traffic detected: GET /v2/subscribe/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/ca4f6eb7-da88-4119-8d72-16266eeb5dd4/0?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=0162374f-2552-479f-be18-4b11df053a72&tt=0&uuid=ca4f6eb7-da88-4119-8d72-16266eeb5dd4 HTTP/1.1Cache-Control: no-cachePragma: no-cacheContent-Type: application/jsonHost: ps.pndsn.com
Source: global traffic	HTTP traffic detected: GET /time/0?pnsdk=NET45CSharp6.13.0.0&requestid=7d96955c-b644-4f48-b6cb-41b97a7be479&uuid=ca4f6eb7-da88-4119-8d72-16266eeb5dd4 HTTP/1.1Host: ps.pndsn.com
Source: global traffic	HTTP traffic detected: GET /v2/subscribe/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/ca4f6eb7-da88-4119-8d72-16266eeb5dd4/0?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=1c5270a6-0d03-478f-9521-4fd0a22c23ee&tt=0&uuid=ca4f6eb7-da88-4119-8d72-16266eeb5dd4 HTTP/1.1Cache-Control: no-cachePragma: no-cacheContent-Type: application/jsonHost: ps.pndsn.com
Source: global traffic	HTTP traffic detected: GET /v2/presence/sub_key/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/channel/ca4f6eb7-da88-4119-8d72-16266eeb5dd4/heartbeat?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=d98288cb-7af6-4190-8ccc-d63bc9858741&uuid=ca4f6eb7-da88-4119-8d72-16266eeb5dd4 HTTP/1.1Cache-Control: no-cachePragma: no-cacheContent-Type: application/jsonHost: ps.pndsn.com
Source: global traffic	HTTP traffic detected: GET /v2/presence/sub_key/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/channel/ca4f6eb7-da88-4119-8d72-16266eeb5dd4/heartbeat?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=8c6407e7-1c76-4c34-98c8-2e3504ec6917&uuid=ca4f6eb7-da88-4119-8d72-16266eeb5dd4 HTTP/1.1Cache-Control: no-cachePragma: no-cacheContent-Type: application/jsonHost: ps.pndsn.com
Source: global traffic	HTTP traffic detected: GET /time/0?pnsdk=NET45CSharp6.13.0.0&requestid=69f1cfdc-a5c4-4346-9133-ec4ebbe57718&uuid=ca4f6eb7-da88-4119-8d72-16266eeb5dd4 HTTP/1.1Host: ps.pndsn.com
Source: global traffic	HTTP traffic detected: GET /v2/subscribe/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/ca4f6eb7-da88-4119-8d72-16266eeb5dd4/0?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=2d83b3c6-7779-408a-91cc-201421fcc115&tr=31&tt=17324434371950064&uuid=ca4f6eb7-da88-4119-8d72-16266eeb5dd4 HTTP/1.1Cache-Control: no-cachePragma: no-cacheContent-Type: application/jsonHost: ps.pndsn.com
Source: global traffic	HTTP traffic detected: GET /v2/presence/sub_key/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/channel/ca4f6eb7-da88-4119-8d72-16266eeb5dd4/heartbeat?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=969880c8-517d-439a-8ec9-8324c81e878e&uuid=ca4f6eb7-da88-4119-8d72-16266eeb5dd4 HTTP/1.1Cache-Control: no-cachePragma: no-cacheContent-Type: application/jsonHost: ps.pndsn.com
Source: global traffic	HTTP traffic detected: GET /time/0?pnsdk=NET45CSharp6.13.0.0&requestid=65e5bee7-d50d-4689-beb6-7331ad74953a&uuid=ca4f6eb7-da88-4119-8d72-16266eeb5dd4 HTTP/1.1Host: ps.pndsn.com
Source: global traffic	HTTP traffic detected: GET /v2/subscribe/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/ca4f6eb7-da88-4119-8d72-16266eeb5dd4/0?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=5b7ef6ec-f467-4166-9556-35fba301ea49&tr=31&tt=17324434479667468&uuid=ca4f6eb7-da88-4119-8d72-16266eeb5dd4 HTTP/1.1Cache-Control: no-cachePragma: no-cacheContent-Type: application/jsonHost: ps.pndsn.com

JA3 SSL client fingerprint seen in connection with other malware

Source: Joe Sandbox View

JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Suricata IDS alerts with low severity for network traffic

Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.9:49789 -> 13.232.67.198:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.9:49894 -> 13.232.67.198:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.9:49972 -> 13.232.67.198:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.9:49923 -> 13.232.67.198:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.9:49963 -> 13.232.67.198:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.9:49943 -> 13.232.67.198:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.9:50004 -> 13.232.67.198:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.9:50061 -> 13.232.67.198:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.9:50073 -> 13.232.67.198:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.9:50083 -> 13.232.67.198:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.9:50022 -> 13.232.67.198:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.9:50090 -> 13.232.67.198:443

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /v2/subscribe/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/ca4f6eb7-da88-4119-8d72-16266eeb5dd4/0?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=3eaa9905-10e5-43ca-a5ec-3f04289fa0f4&tt=0&uuid=ca4f6eb7-da88-4119-8d72-16266eeb5dd4 HTTP/1.1Cache-Control: no-cachePragma: no-cacheContent-Type: application/jsonHost: ps.pndsn.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /time/0?pnsdk=NET45CSharp6.13.0.0&requestid=59dc8d89-7bee-4d36-a28b-270400da27e0&uuid=ca4f6eb7-da88-4119-8d72-16266eeb5dd4 HTTP/1.1Host: ps.pndsn.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /v2/subscribe/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/ca4f6eb7-da88-4119-8d72-16266eeb5dd4/0?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=ab4cb35d-22c9-4fd4-8e1d-46a28fd23be0&tr=31&tt=17324433393200501&uuid=ca4f6eb7-da88-4119-8d72-16266eeb5dd4 HTTP/1.1Cache-Control: no-cachePragma: no-cacheContent-Type: application/jsonHost: ps.pndsn.com
Source: global traffic	HTTP traffic detected: GET /agentpackagesnet45/AgentPackageAgentInformation/38.0/AgentPackageAgentInformation.zip?yFk+9uu9aja3RXZs7wXkvbKodLamRoX+E2lNjbQETmCf6sqL8+70SxX20aW8U680 HTTP/1.1Host: ps.atera.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /v2/subscribe/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/ca4f6eb7-da88-4119-8d72-16266eeb5dd4/0?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=49524d65-4fb1-4bb1-9c7b-f5d3e2dbe3f7&tr=31&tt=17324433418622730&uuid=ca4f6eb7-da88-4119-8d72-16266eeb5dd4 HTTP/1.1Cache-Control: no-cachePragma: no-cacheContent-Type: application/jsonHost: ps.pndsn.com
Source: global traffic	HTTP traffic detected: GET /time/0?pnsdk=NET45CSharp6.13.0.0&requestid=409cd075-04de-411d-8e74-cc204daabc39&uuid=ca4f6eb7-da88-4119-8d72-16266eeb5dd4 HTTP/1.1Host: ps.pndsn.com
Source: global traffic	HTTP traffic detected: GET /time/0?pnsdk=NET45CSharp6.13.0.0&requestid=0b64e705-668e-465a-845d-ea16cbb2791c&uuid=ca4f6eb7-da88-4119-8d72-16266eeb5dd4 HTTP/1.1Host: ps.pndsn.com
Source: global traffic	HTTP traffic detected: GET /v2/presence/sub_key/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/channel/ca4f6eb7-da88-4119-8d72-16266eeb5dd4/heartbeat?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=8dc1d376-2e7b-4680-b35a-6e4e965362d5&uuid=ca4f6eb7-da88-4119-8d72-16266eeb5dd4 HTTP/1.1Cache-Control: no-cachePragma: no-cacheContent-Type: application/jsonHost: ps.pndsn.com
Source: global traffic	HTTP traffic detected: GET /v2/subscribe/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/ca4f6eb7-da88-4119-8d72-16266eeb5dd4/0?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=432189bc-183c-4c40-a56b-6e5a68b3917f&tr=31&tt=17324433983044696&uuid=ca4f6eb7-da88-4119-8d72-16266eeb5dd4 HTTP/1.1Cache-Control: no-cachePragma: no-cacheContent-Type: application/jsonHost: ps.pndsn.com
Source: global traffic	HTTP traffic detected: GET /time/0?pnsdk=NET45CSharp6.13.0.0&requestid=af1c8f78-a8fb-4782-9e02-8522647fac57&uuid=ca4f6eb7-da88-4119-8d72-16266eeb5dd4 HTTP/1.1Host: ps.pndsn.com
Source: global traffic	HTTP traffic detected: GET /v2/presence/sub_key/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/channel/ca4f6eb7-da88-4119-8d72-16266eeb5dd4/leave?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=9401654a-318b-4070-93c4-7e976e6983d7&uuid=ca4f6eb7-da88-4119-8d72-16266eeb5dd4 HTTP/1.1Cache-Control: no-cachePragma: no-cacheContent-Type: application/jsonHost: ps.pndsn.com
Source: global traffic	HTTP traffic detected: GET /time/0?pnsdk=NET45CSharp6.13.0.0&requestid=c89efe78-d68a-44aa-b962-a0da30029aef&uuid=ca4f6eb7-da88-4119-8d72-16266eeb5dd4 HTTP/1.1Host: ps.pndsn.com
Source: global traffic	HTTP traffic detected: GET /v2/subscribe/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/ca4f6eb7-da88-4119-8d72-16266eeb5dd4/0?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=0f23dd88-0fc7-4a6a-9b6f-a8e42f785442&tt=0&uuid=ca4f6eb7-da88-4119-8d72-16266eeb5dd4 HTTP/1.1Cache-Control: no-cachePragma: no-cacheContent-Type: application/jsonHost: ps.pndsn.com
Source: global traffic	HTTP traffic detected: GET /time/0?pnsdk=NET45CSharp6.13.0.0&requestid=83d4ff7e-819b-463d-a1d8-c1180d5bfe08&uuid=ca4f6eb7-da88-4119-8d72-16266eeb5dd4 HTTP/1.1Host: ps.pndsn.com
Source: global traffic	HTTP traffic detected: GET /v2/subscribe/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/ca4f6eb7-da88-4119-8d72-16266eeb5dd4/0?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=9887171e-f6b2-4985-868a-76f8a9ac9c69&tr=31&tt=17324433983044696&uuid=ca4f6eb7-da88-4119-8d72-16266eeb5dd4 HTTP/1.1Cache-Control: no-cachePragma: no-cacheContent-Type: application/jsonHost: ps.pndsn.com
Source: global traffic	HTTP traffic detected: GET /v2/subscribe/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/ca4f6eb7-da88-4119-8d72-16266eeb5dd4/0?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=b092b222-e28c-4cbf-b2ce-1ad35a4da96f&tr=31&tt=17324434136474401&uuid=ca4f6eb7-da88-4119-8d72-16266eeb5dd4 HTTP/1.1Cache-Control: no-cachePragma: no-cacheContent-Type: application/jsonHost: ps.pndsn.com
Source: global traffic	HTTP traffic detected: GET /time/0?pnsdk=NET45CSharp6.13.0.0&requestid=ee319b7e-c8e0-4aa4-aa35-08507a3b4589&uuid=ca4f6eb7-da88-4119-8d72-16266eeb5dd4 HTTP/1.1Host: ps.pndsn.com
Source: global traffic	HTTP traffic detected: GET /v2/presence/sub_key/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/channel/ca4f6eb7-da88-4119-8d72-16266eeb5dd4/heartbeat?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=7abf71f1-a15a-4c21-a35a-f3e49209c1fb&uuid=ca4f6eb7-da88-4119-8d72-16266eeb5dd4 HTTP/1.1Cache-Control: no-cachePragma: no-cacheContent-Type: application/jsonHost: ps.pndsn.com
Source: global traffic	HTTP traffic detected: GET /v2/presence/sub_key/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/channel/ca4f6eb7-da88-4119-8d72-16266eeb5dd4/leave?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=87de8078-9f58-41e2-9c51-2e34fbeb83af&uuid=ca4f6eb7-da88-4119-8d72-16266eeb5dd4 HTTP/1.1Cache-Control: no-cachePragma: no-cacheContent-Type: application/jsonHost: ps.pndsn.com
Source: global traffic	HTTP traffic detected: GET /time/0?pnsdk=NET45CSharp6.13.0.0&requestid=b90d88ed-90a0-4d85-a3f0-2431379878e6&uuid=ca4f6eb7-da88-4119-8d72-16266eeb5dd4 HTTP/1.1Host: ps.pndsn.com
Source: global traffic	HTTP traffic detected: GET /v2/presence/sub_key/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/channel/ca4f6eb7-da88-4119-8d72-16266eeb5dd4/heartbeat?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=f1a24d2c-ba5b-4f09-8ec6-e6a721939c6c&uuid=ca4f6eb7-da88-4119-8d72-16266eeb5dd4 HTTP/1.1Cache-Control: no-cachePragma: no-cacheContent-Type: application/jsonHost: ps.pndsn.com
Source: global traffic	HTTP traffic detected: GET /v2/presence/sub_key/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/channel/ca4f6eb7-da88-4119-8d72-16266eeb5dd4/heartbeat?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=70950088-2434-4193-ae45-e02cd33c7b05&uuid=ca4f6eb7-da88-4119-8d72-16266eeb5dd4 HTTP/1.1Cache-Control: no-cachePragma: no-cacheContent-Type: application/jsonHost: ps.pndsn.com
Source: global traffic	HTTP traffic detected: GET /time/0?pnsdk=NET45CSharp6.13.0.0&requestid=76f891ad-5bb8-448f-80e4-1f3374b27f0a&uuid=ca4f6eb7-da88-4119-8d72-16266eeb5dd4 HTTP/1.1Host: ps.pndsn.com
Source: global traffic	HTTP traffic detected: GET /v2/presence/sub_key/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/channel/ca4f6eb7-da88-4119-8d72-16266eeb5dd4/leave?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=a0accb58-72c6-4bcd-b5e6-5bf070d2bbb5&uuid=ca4f6eb7-da88-4119-8d72-16266eeb5dd4 HTTP/1.1Cache-Control: no-cachePragma: no-cacheContent-Type: application/jsonHost: ps.pndsn.com
Source: global traffic	HTTP traffic detected: GET /v2/presence/sub_key/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/channel/ca4f6eb7-da88-4119-8d72-16266eeb5dd4/heartbeat?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=8d3291ed-c39f-4716-80d8-7d0a2db2f535&uuid=ca4f6eb7-da88-4119-8d72-16266eeb5dd4 HTTP/1.1Cache-Control: no-cachePragma: no-cacheContent-Type: application/jsonHost: ps.pndsn.com
Source: global traffic	HTTP traffic detected: GET /v2/presence/sub_key/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/channel/ca4f6eb7-da88-4119-8d72-16266eeb5dd4/heartbeat?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=333b9046-7952-41dc-bdec-09303be50cd7&uuid=ca4f6eb7-da88-4119-8d72-16266eeb5dd4 HTTP/1.1Cache-Control: no-cachePragma: no-cacheContent-Type: application/jsonHost: ps.pndsn.com
Source: global traffic	HTTP traffic detected: GET /time/0?pnsdk=NET45CSharp6.13.0.0&requestid=7a698f03-89f8-46f9-b174-e35a78aa0274&uuid=ca4f6eb7-da88-4119-8d72-16266eeb5dd4 HTTP/1.1Host: ps.pndsn.com
Source: global traffic	HTTP traffic detected: GET /v2/subscribe/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/ca4f6eb7-da88-4119-8d72-16266eeb5dd4/0?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=f92af507-a9f2-4685-b0f4-6803537136b8&tt=0&uuid=ca4f6eb7-da88-4119-8d72-16266eeb5dd4 HTTP/1.1Cache-Control: no-cachePragma: no-cacheContent-Type: application/jsonHost: ps.pndsn.com
Source: global traffic	HTTP traffic detected: GET /v2/presence/sub_key/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/channel/ca4f6eb7-da88-4119-8d72-16266eeb5dd4/leave?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=e628df81-96dc-46ed-9afe-0cd2a51d1679&uuid=ca4f6eb7-da88-4119-8d72-16266eeb5dd4 HTTP/1.1Cache-Control: no-cachePragma: no-cacheContent-Type: application/jsonHost: ps.pndsn.com
Source: global traffic	HTTP traffic detected: GET /v2/subscribe/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/ca4f6eb7-da88-4119-8d72-16266eeb5dd4/0?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=0162374f-2552-479f-be18-4b11df053a72&tt=0&uuid=ca4f6eb7-da88-4119-8d72-16266eeb5dd4 HTTP/1.1Cache-Control: no-cachePragma: no-cacheContent-Type: application/jsonHost: ps.pndsn.com
Source: global traffic	HTTP traffic detected: GET /time/0?pnsdk=NET45CSharp6.13.0.0&requestid=7d96955c-b644-4f48-b6cb-41b97a7be479&uuid=ca4f6eb7-da88-4119-8d72-16266eeb5dd4 HTTP/1.1Host: ps.pndsn.com
Source: global traffic	HTTP traffic detected: GET /v2/subscribe/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/ca4f6eb7-da88-4119-8d72-16266eeb5dd4/0?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=1c5270a6-0d03-478f-9521-4fd0a22c23ee&tt=0&uuid=ca4f6eb7-da88-4119-8d72-16266eeb5dd4 HTTP/1.1Cache-Control: no-cachePragma: no-cacheContent-Type: application/jsonHost: ps.pndsn.com
Source: global traffic	HTTP traffic detected: GET /v2/presence/sub_key/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/channel/ca4f6eb7-da88-4119-8d72-16266eeb5dd4/heartbeat?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=d98288cb-7af6-4190-8ccc-d63bc9858741&uuid=ca4f6eb7-da88-4119-8d72-16266eeb5dd4 HTTP/1.1Cache-Control: no-cachePragma: no-cacheContent-Type: application/jsonHost: ps.pndsn.com
Source: global traffic	HTTP traffic detected: GET /v2/presence/sub_key/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/channel/ca4f6eb7-da88-4119-8d72-16266eeb5dd4/heartbeat?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=8c6407e7-1c76-4c34-98c8-2e3504ec6917&uuid=ca4f6eb7-da88-4119-8d72-16266eeb5dd4 HTTP/1.1Cache-Control: no-cachePragma: no-cacheContent-Type: application/jsonHost: ps.pndsn.com
Source: global traffic	HTTP traffic detected: GET /time/0?pnsdk=NET45CSharp6.13.0.0&requestid=69f1cfdc-a5c4-4346-9133-ec4ebbe57718&uuid=ca4f6eb7-da88-4119-8d72-16266eeb5dd4 HTTP/1.1Host: ps.pndsn.com
Source: global traffic	HTTP traffic detected: GET /v2/subscribe/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/ca4f6eb7-da88-4119-8d72-16266eeb5dd4/0?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=2d83b3c6-7779-408a-91cc-201421fcc115&tr=31&tt=17324434371950064&uuid=ca4f6eb7-da88-4119-8d72-16266eeb5dd4 HTTP/1.1Cache-Control: no-cachePragma: no-cacheContent-Type: application/jsonHost: ps.pndsn.com
Source: global traffic	HTTP traffic detected: GET /v2/presence/sub_key/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/channel/ca4f6eb7-da88-4119-8d72-16266eeb5dd4/heartbeat?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=969880c8-517d-439a-8ec9-8324c81e878e&uuid=ca4f6eb7-da88-4119-8d72-16266eeb5dd4 HTTP/1.1Cache-Control: no-cachePragma: no-cacheContent-Type: application/jsonHost: ps.pndsn.com
Source: global traffic	HTTP traffic detected: GET /time/0?pnsdk=NET45CSharp6.13.0.0&requestid=65e5bee7-d50d-4689-beb6-7331ad74953a&uuid=ca4f6eb7-da88-4119-8d72-16266eeb5dd4 HTTP/1.1Host: ps.pndsn.com
Source: global traffic	HTTP traffic detected: GET /v2/subscribe/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/ca4f6eb7-da88-4119-8d72-16266eeb5dd4/0?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=5b7ef6ec-f467-4166-9556-35fba301ea49&tr=31&tt=17324434479667468&uuid=ca4f6eb7-da88-4119-8d72-16266eeb5dd4 HTTP/1.1Cache-Control: no-cachePragma: no-cacheContent-Type: application/jsonHost: ps.pndsn.com

Source: global traffic	DNS traffic detected: DNS query: agent-api.atera.com
Source: global traffic	DNS traffic detected: DNS query: ps.pndsn.com
Source: global traffic	DNS traffic detected: DNS query: ps.atera.com

Source: AteraAgent.exe, 0000000D.00000000.1462877199.0000014C07FF2000.00000002.00000001.01000000.0000000F.sdmp, AteraAgent.exe, 0000000E.00000002.2623775013.0000029480001000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe.2.dr	String found in binary or memory: http://acontrol.atera.com/
Source: rundll32.exe, 00000005.00000002.1445956864.00000000044F5000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2623775013.0000029480647000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2623775013.00000294806F6000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2623775013.00000294806C7000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2623775013.0000029480684000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000011.00000002.1572886890.0000000004395000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000013.00000002.1737064202.00000177491EF000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000017.00000002.2206503993.000001DA9D4BF000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000019.00000002.2364172083.000001CA8012F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://agent-api.atera.com
Source: rundll32.exe, 00000005.00000002.1445956864.00000000044F5000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2623775013.0000029480647000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2623775013.00000294806F6000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2623775013.00000294806C7000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2623775013.0000029480684000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000011.00000002.1572886890.0000000004395000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000013.00000002.1737064202.00000177491EF000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000017.00000002.2206503993.000001DA9D4BF000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000019.00000002.2364172083.000001CA8012F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://atera-agent-api-eu.westeurope.cloudapp.azure.com
Source: rundll32.exe, 00000004.00000003.1384418180.0000000004AD1000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1393627816.0000000004271000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1449345788.0000000004D79000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000011.00000003.1520522835.00000000040FF000.00000004.00000020.00020000.00000000.sdmp, ReceitaFederal-consulta-yFZMA-45896_v.3_35687.msi, Microsoft.Deployment.WindowsInstaller.dll.4.dr, MSI30EE.tmp.2.dr, MSI3022.tmp.2.dr, Microsoft.Deployment.WindowsInstaller.dll.6.dr, MSI2FB3.tmp.2.dr, Microsoft.Deployment.WindowsInstaller.dll.17.dr, 5b113b.msi.2.dr, 5b113d.msi.2.dr, MSI2FC4.tmp.2.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: rundll32.exe, 00000004.00000003.1384418180.0000000004AD1000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1393627816.0000000004271000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1449345788.0000000004D79000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2633116462.00000294EAEAF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000011.00000003.1520522835.00000000040FF000.00000004.00000020.00020000.00000000.sdmp, ReceitaFederal-consulta-yFZMA-45896_v.3_35687.msi, AgentPackageAgentInformation.exe.14.dr, System.ValueTuple.dll.2.dr, Pubnub.dll.2.dr, ICSharpCode.SharpZipLib.dll.2.dr, Atera.AgentPackage.Common.dll.14.dr, Newtonsoft.Json.dll.6.dr, Newtonsoft.Json.dll.4.dr, Newtonsoft.Json.dll.2.dr, Newtonsoft.Json.dll.14.dr, Newtonsoft.Json.dll.5.dr, Newtonsoft.Json.dll.17.dr, AteraAgent.exe.2.dr, 5b113b.msi.2.dr, 5b113d.msi.2.dr, BouncyCastle.Crypto.dll.2.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: rundll32.exe, 00000004.00000003.1384418180.0000000004AD1000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1393627816.0000000004271000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1449345788.0000000004D79000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000011.00000003.1520522835.00000000040FF000.00000004.00000020.00020000.00000000.sdmp, Newtonsoft.Json.dll.6.dr, Newtonsoft.Json.dll.4.dr, Newtonsoft.Json.dll.5.dr, Newtonsoft.Json.dll.17.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertCSRSA4096RootG5.crt0E
Source: rundll32.exe, 00000004.00000003.1384418180.0000000004AD1000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1393627816.0000000004271000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1449345788.0000000004D79000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000011.00000003.1520522835.00000000040FF000.00000004.00000020.00020000.00000000.sdmp, ReceitaFederal-consulta-yFZMA-45896_v.3_35687.msi, Microsoft.Deployment.WindowsInstaller.dll.4.dr, MSI30EE.tmp.2.dr, MSI3022.tmp.2.dr, Microsoft.Deployment.WindowsInstaller.dll.6.dr, MSI2FB3.tmp.2.dr, Microsoft.Deployment.WindowsInstaller.dll.17.dr, 5b113b.msi.2.dr, 5b113d.msi.2.dr, MSI2FC4.tmp.2.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: AteraAgent.exe, 0000000E.00000002.2623775013.000002948029A000.00000004.00000800.00020000.00000000.sdmp, C56C4404C4DEF0DC88E5FCD9F09CB2F10.14.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt
Source: AteraAgent.exe, 0000000D.00000002.1516184383.0000014C228CC000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.1515070102.0000014C09F5A000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.1514531670.0000014C09BF0000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2633116462.00000294EAE48000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2634013625.00000294EAF66000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2633116462.00000294EADC0000.00000004.00000020.00020000.00000000.sdmp, ReceitaFederal-consulta-yFZMA-45896_v.3_35687.msi, AgentPackageAgentInformation.exe.14.dr, System.ValueTuple.dll.2.dr, Pubnub.dll.2.dr, ICSharpCode.SharpZipLib.dll.2.dr, Atera.AgentPackage.Common.dll.14.dr, Newtonsoft.Json.dll.2.dr, Newtonsoft.Json.dll.14.dr, AteraAgent.exe.2.dr, 5b113b.msi.2.dr, 5b113d.msi.2.dr, BouncyCastle.Crypto.dll.2.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: rundll32.exe, 00000004.00000003.1384418180.0000000004AD1000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1393627816.0000000004271000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1449345788.0000000004D79000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.1514531670.0000014C09BF0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000011.00000003.1520522835.00000000040FF000.00000004.00000020.00020000.00000000.sdmp, ReceitaFederal-consulta-yFZMA-45896_v.3_35687.msi, AgentPackageAgentInformation.exe.14.dr, System.ValueTuple.dll.2.dr, Pubnub.dll.2.dr, ICSharpCode.SharpZipLib.dll.2.dr, Atera.AgentPackage.Common.dll.14.dr, Newtonsoft.Json.dll.6.dr, Newtonsoft.Json.dll.4.dr, Newtonsoft.Json.dll.2.dr, Newtonsoft.Json.dll.14.dr, Newtonsoft.Json.dll.5.dr, Newtonsoft.Json.dll.17.dr, AteraAgent.exe.2.dr, 5b113b.msi.2.dr, 5b113d.msi.2.dr, BouncyCastle.Crypto.dll.2.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: F2E248BEDDBB2D85122423C41028BFD40.14.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt
Source: rundll32.exe, 00000004.00000003.1384418180.0000000004AD1000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1393627816.0000000004271000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1449345788.0000000004D79000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2633116462.00000294EAE48000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2634013625.00000294EAEF6000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2634013625.00000294EAF66000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000011.00000003.1520522835.00000000040FF000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000013.00000002.1736722380.0000017748FF0000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000017.00000002.2207440429.000001DAB5C2A000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000019.00000002.2366838259.000001CAF08D5000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000019.00000002.2366838259.000001CAF0900000.00000004.00000020.00020000.00000000.sdmp, ReceitaFederal-consulta-yFZMA-45896_v.3_35687.msi, AgentPackageAgentInformation.exe.14.dr, System.ValueTuple.dll.2.dr, Pubnub.dll.2.dr, ICSharpCode.SharpZipLib.dll.2.dr, C56C4404C4DEF0DC88E5FCD9F09CB2F1.14.dr, Atera.AgentPackage.Common.dll.14.dr, Newtonsoft.Json.dll.6.dr, Newtonsoft.Json.dll.4.dr, Newtonsoft.Json.dll.2.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: rundll32.exe, 00000004.00000003.1384418180.0000000004AD1000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1393627816.0000000004271000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1449345788.0000000004D79000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000011.00000003.1520522835.00000000040FF000.00000004.00000020.00020000.00000000.sdmp, ReceitaFederal-consulta-yFZMA-45896_v.3_35687.msi, Microsoft.Deployment.WindowsInstaller.dll.4.dr, MSI30EE.tmp.2.dr, MSI3022.tmp.2.dr, Microsoft.Deployment.WindowsInstaller.dll.6.dr, MSI2FB3.tmp.2.dr, Microsoft.Deployment.WindowsInstaller.dll.17.dr, 5b113b.msi.2.dr, 5b113d.msi.2.dr, MSI2FC4.tmp.2.dr	String found in binary or memory: http://cacerts.digicert.com/NETFoundationProjectsCodeSigningCA.crt0
Source: rundll32.exe, 00000004.00000003.1384418180.0000000004AD1000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1393627816.0000000004271000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1449345788.0000000004D79000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000011.00000003.1520522835.00000000040FF000.00000004.00000020.00020000.00000000.sdmp, Newtonsoft.Json.dll.6.dr, Newtonsoft.Json.dll.4.dr, Newtonsoft.Json.dll.5.dr, Newtonsoft.Json.dll.17.dr	String found in binary or memory: http://cacerts.digicert.com/NETFoundationProjectsCodeSigningCA2.crt0
Source: AteraAgent.exe, 0000000E.00000002.2633116462.00000294EAEAF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ciCertTrustedimeStampingCA.cr0$
Source: AteraAgent.exe, 0000000D.00000002.1514531670.0000014C09CD1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/
Source: rundll32.exe, 00000004.00000003.1384418180.0000000004AD1000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1393627816.0000000004271000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1449345788.0000000004D79000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2633116462.00000294EAEAF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000011.00000003.1520522835.00000000040FF000.00000004.00000020.00020000.00000000.sdmp, ReceitaFederal-consulta-yFZMA-45896_v.3_35687.msi, AgentPackageAgentInformation.exe.14.dr, System.ValueTuple.dll.2.dr, Pubnub.dll.2.dr, ICSharpCode.SharpZipLib.dll.2.dr, Atera.AgentPackage.Common.dll.14.dr, Newtonsoft.Json.dll.6.dr, Newtonsoft.Json.dll.4.dr, Newtonsoft.Json.dll.2.dr, Newtonsoft.Json.dll.14.dr, Newtonsoft.Json.dll.5.dr, Newtonsoft.Json.dll.17.dr, AteraAgent.exe.2.dr, 5b113b.msi.2.dr, 5b113d.msi.2.dr, BouncyCastle.Crypto.dll.2.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: rundll32.exe, 00000004.00000003.1384418180.0000000004AD1000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1393627816.0000000004271000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1449345788.0000000004D79000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000011.00000003.1520522835.00000000040FF000.00000004.00000020.00020000.00000000.sdmp, ReceitaFederal-consulta-yFZMA-45896_v.3_35687.msi, Microsoft.Deployment.WindowsInstaller.dll.4.dr, MSI30EE.tmp.2.dr, MSI3022.tmp.2.dr, Microsoft.Deployment.WindowsInstaller.dll.6.dr, MSI2FB3.tmp.2.dr, Microsoft.Deployment.WindowsInstaller.dll.17.dr, 5b113b.msi.2.dr, 5b113d.msi.2.dr, MSI2FC4.tmp.2.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: rundll32.exe, 00000004.00000003.1384418180.0000000004AD1000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1393627816.0000000004271000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1449345788.0000000004D79000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000011.00000003.1520522835.00000000040FF000.00000004.00000020.00020000.00000000.sdmp, Newtonsoft.Json.dll.6.dr, Newtonsoft.Json.dll.4.dr, Newtonsoft.Json.dll.5.dr, Newtonsoft.Json.dll.17.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertCSRSA4096RootG5.crl0
Source: rundll32.exe, 00000004.00000003.1384418180.0000000004AD1000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1393627816.0000000004271000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1449345788.0000000004D79000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000011.00000003.1520522835.00000000040FF000.00000004.00000020.00020000.00000000.sdmp, ReceitaFederal-consulta-yFZMA-45896_v.3_35687.msi, Microsoft.Deployment.WindowsInstaller.dll.4.dr, MSI30EE.tmp.2.dr, MSI3022.tmp.2.dr, Microsoft.Deployment.WindowsInstaller.dll.6.dr, MSI2FB3.tmp.2.dr, Microsoft.Deployment.WindowsInstaller.dll.17.dr, 5b113b.msi.2.dr, 5b113d.msi.2.dr, MSI2FC4.tmp.2.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0=
Source: AteraAgent.exe, 0000000D.00000002.1513193634.0000014C08130000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.1514531670.0000014C09CE1000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.1514531670.0000014C09CA1000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2631705568.00000294EAADF000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2633116462.00000294EAE05000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl
Source: AteraAgent.exe, 0000000D.00000002.1516184383.0000014C228CC000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.1515070102.0000014C09F5A000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.1514531670.0000014C09BF0000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2633116462.00000294EAE48000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2634013625.00000294EAF66000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2623775013.000002948029A000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2633116462.00000294EADC0000.00000004.00000020.00020000.00000000.sdmp, ReceitaFederal-consulta-yFZMA-45896_v.3_35687.msi, AgentPackageAgentInformation.exe.14.dr, System.ValueTuple.dll.2.dr, Pubnub.dll.2.dr, ICSharpCode.SharpZipLib.dll.2.dr, Atera.AgentPackage.Common.dll.14.dr, Newtonsoft.Json.dll.2.dr, Newtonsoft.Json.dll.14.dr, AteraAgent.exe.2.dr, 5b113b.msi.2.dr, 5b113d.msi.2.dr, BouncyCastle.Crypto.dll.2.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: AteraAgent.exe, 0000000D.00000002.1513193634.0000014C08130000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crlA
Source: AteraAgent.exe, 0000000E.00000002.2631705568.00000294EAA1F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crlM
Source: AteraAgent.exe, 0000000E.00000002.2631705568.00000294EAADF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crle
Source: rundll32.exe, 00000004.00000003.1384418180.0000000004AD1000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1393627816.0000000004271000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1449345788.0000000004D79000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.1514531670.0000014C09BF0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000011.00000003.1520522835.00000000040FF000.00000004.00000020.00020000.00000000.sdmp, ReceitaFederal-consulta-yFZMA-45896_v.3_35687.msi, AgentPackageAgentInformation.exe.14.dr, System.ValueTuple.dll.2.dr, Pubnub.dll.2.dr, ICSharpCode.SharpZipLib.dll.2.dr, Atera.AgentPackage.Common.dll.14.dr, Newtonsoft.Json.dll.6.dr, Newtonsoft.Json.dll.4.dr, Newtonsoft.Json.dll.2.dr, Newtonsoft.Json.dll.14.dr, Newtonsoft.Json.dll.5.dr, Newtonsoft.Json.dll.17.dr, AteraAgent.exe.2.dr, 5b113b.msi.2.dr, 5b113d.msi.2.dr, BouncyCastle.Crypto.dll.2.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: AteraAgent.exe, 0000000E.00000002.2631705568.00000294EAA1F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl
Source: BouncyCastle.Crypto.dll.2.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: AteraAgent.exe, 0000000E.00000002.2631705568.00000294EAA1F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl5
Source: AteraAgent.exe, 0000000E.00000002.2631705568.00000294EAA1F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crlL
Source: rundll32.exe, 00000004.00000003.1384418180.0000000004AD1000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1393627816.0000000004271000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1449345788.0000000004D79000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000011.00000003.1520522835.00000000040FF000.00000004.00000020.00020000.00000000.sdmp, ReceitaFederal-consulta-yFZMA-45896_v.3_35687.msi, Microsoft.Deployment.WindowsInstaller.dll.4.dr, MSI30EE.tmp.2.dr, MSI3022.tmp.2.dr, Microsoft.Deployment.WindowsInstaller.dll.6.dr, MSI2FB3.tmp.2.dr, Microsoft.Deployment.WindowsInstaller.dll.17.dr, 5b113b.msi.2.dr, 5b113d.msi.2.dr, MSI2FC4.tmp.2.dr	String found in binary or memory: http://crl3.digicert.com/NETFoundationProjectsCodeSigningCA.crl0E
Source: rundll32.exe, 00000004.00000003.1384418180.0000000004AD1000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1393627816.0000000004271000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1449345788.0000000004D79000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000011.00000003.1520522835.00000000040FF000.00000004.00000020.00020000.00000000.sdmp, Newtonsoft.Json.dll.6.dr, Newtonsoft.Json.dll.4.dr, Newtonsoft.Json.dll.5.dr, Newtonsoft.Json.dll.17.dr	String found in binary or memory: http://crl3.digicert.com/NETFoundationProjectsCodeSigningCA2.crl0F
Source: AteraAgent.exe, 0000000E.00000002.2631705568.00000294EAADF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/l
Source: rundll32.exe, 00000004.00000003.1384418180.0000000004AD1000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1393627816.0000000004271000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1449345788.0000000004D79000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000011.00000003.1520522835.00000000040FF000.00000004.00000020.00020000.00000000.sdmp, ReceitaFederal-consulta-yFZMA-45896_v.3_35687.msi, Microsoft.Deployment.WindowsInstaller.dll.4.dr, MSI30EE.tmp.2.dr, MSI3022.tmp.2.dr, Microsoft.Deployment.WindowsInstaller.dll.6.dr, MSI2FB3.tmp.2.dr, Microsoft.Deployment.WindowsInstaller.dll.17.dr, 5b113b.msi.2.dr, 5b113d.msi.2.dr, MSI2FC4.tmp.2.dr	String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: AteraAgent.exe, 0000000D.00000002.1514531670.0000014C09CE9000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2633116462.00000294EAE48000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com:80/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crlrlCache
Source: AteraAgent.exe, 0000000D.00000002.1514531670.0000014C09CD1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/
Source: rundll32.exe, 00000004.00000003.1384418180.0000000004AD1000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1393627816.0000000004271000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1449345788.0000000004D79000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000011.00000003.1520522835.00000000040FF000.00000004.00000020.00020000.00000000.sdmp, ReceitaFederal-consulta-yFZMA-45896_v.3_35687.msi, Microsoft.Deployment.WindowsInstaller.dll.4.dr, MSI30EE.tmp.2.dr, MSI3022.tmp.2.dr, Microsoft.Deployment.WindowsInstaller.dll.6.dr, MSI2FB3.tmp.2.dr, Microsoft.Deployment.WindowsInstaller.dll.17.dr, 5b113b.msi.2.dr, 5b113d.msi.2.dr, MSI2FC4.tmp.2.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: AteraAgent.exe, 0000000D.00000002.1514531670.0000014C09BF0000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.1514531670.0000014C09CA1000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2623775013.000002948029A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl
Source: AteraAgent.exe, 0000000D.00000002.1516184383.0000014C228CC000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.1515070102.0000014C09F5A000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.1514531670.0000014C09BF0000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2633116462.00000294EAE48000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2634013625.00000294EAF66000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2633116462.00000294EADC0000.00000004.00000020.00020000.00000000.sdmp, ReceitaFederal-consulta-yFZMA-45896_v.3_35687.msi, AgentPackageAgentInformation.exe.14.dr, System.ValueTuple.dll.2.dr, Pubnub.dll.2.dr, ICSharpCode.SharpZipLib.dll.2.dr, Atera.AgentPackage.Common.dll.14.dr, Newtonsoft.Json.dll.2.dr, Newtonsoft.Json.dll.14.dr, AteraAgent.exe.2.dr, 5b113b.msi.2.dr, 5b113d.msi.2.dr, BouncyCastle.Crypto.dll.2.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: AteraAgent.exe, 0000000D.00000002.1513193634.0000014C08130000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crll
Source: AteraAgent.exe, 0000000D.00000002.1514531670.0000014C09CE1000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.1514531670.0000014C09CA1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crlp
Source: AteraAgent.exe, 0000000D.00000002.1514531670.0000014C09CA1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crls
Source: rundll32.exe, 00000004.00000003.1384418180.0000000004AD1000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1393627816.0000000004271000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1449345788.0000000004D79000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000011.00000003.1520522835.00000000040FF000.00000004.00000020.00020000.00000000.sdmp, ReceitaFederal-consulta-yFZMA-45896_v.3_35687.msi, Microsoft.Deployment.WindowsInstaller.dll.4.dr, MSI30EE.tmp.2.dr, MSI3022.tmp.2.dr, Microsoft.Deployment.WindowsInstaller.dll.6.dr, MSI2FB3.tmp.2.dr, Microsoft.Deployment.WindowsInstaller.dll.17.dr, 5b113b.msi.2.dr, 5b113d.msi.2.dr, MSI2FC4.tmp.2.dr	String found in binary or memory: http://crl4.digicert.com/NETFoundationProjectsCodeSigningCA.crl0L
Source: rundll32.exe, 00000004.00000003.1384418180.0000000004AD1000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1393627816.0000000004271000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1449345788.0000000004D79000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000011.00000003.1520522835.00000000040FF000.00000004.00000020.00020000.00000000.sdmp, Newtonsoft.Json.dll.6.dr, Newtonsoft.Json.dll.4.dr, Newtonsoft.Json.dll.5.dr, Newtonsoft.Json.dll.17.dr	String found in binary or memory: http://crl4.digicert.com/NETFoundationProjectsCodeSigningCA2.crl0=
Source: rundll32.exe, 00000004.00000003.1384418180.0000000004AD1000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1393627816.0000000004271000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1449345788.0000000004D79000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000011.00000003.1520522835.00000000040FF000.00000004.00000020.00020000.00000000.sdmp, ReceitaFederal-consulta-yFZMA-45896_v.3_35687.msi, Microsoft.Deployment.WindowsInstaller.dll.4.dr, MSI30EE.tmp.2.dr, MSI3022.tmp.2.dr, Microsoft.Deployment.WindowsInstaller.dll.6.dr, MSI2FB3.tmp.2.dr, Microsoft.Deployment.WindowsInstaller.dll.17.dr, 5b113b.msi.2.dr, 5b113d.msi.2.dr, MSI2FC4.tmp.2.dr	String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: AteraAgent.exe, 0000000D.00000002.1514531670.0000014C09CE9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com:80/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl
Source: AteraAgent.exe, 0000000E.00000002.2633116462.00000294EADC0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cabomI
Source: AteraAgent.exe, 0000000E.00000002.2633116462.00000294EADC0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/enb
Source: AgentPackageAgentInformation.exe, 00000013.00000000.1696182343.00000177486B2000.00000002.00000001.01000000.00000016.sdmp, AgentPackageAgentInformation.exe.14.dr	String found in binary or memory: http://dl.google.com/googletalk/googletalk-setup.exe
Source: Newtonsoft.Json.dll.17.dr	String found in binary or memory: http://james.newtonking.com/projects/json
Source: rundll32.exe, 00000011.00000002.1570641470.00000000005A5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://msdn.micros
Source: AteraAgent.exe, 0000000D.00000002.1514531670.0000014C09CD1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com/
Source: AteraAgent.exe, 0000000D.00000002.1514531670.0000014C09BF0000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2634013625.00000294EAF66000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2633116462.00000294EAE05000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2631705568.00000294EAA1F000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2633116462.00000294EADC0000.00000004.00000020.00020000.00000000.sdmp, 8EC9B1D0ABBD7F98B401D425828828CE_DEB07B5578A606ED6489DDA2E357A9440.13.dr	String found in binary or memory: http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSRXerF0eFeSWRripTgTkcJWMm7iQQUaDfg67Y7%2BF8Rh
Source: 698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB0.13.dr	String found in binary or memory: http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBT3xL4LQLXDRDM9P665TW442vrsUQQUReuir%2FSSy4IxL
Source: AteraAgent.exe, 0000000E.00000002.2633116462.00000294EAE48000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2631705568.00000294EAA1F000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2633116462.00000294EAE2D000.00000004.00000020.00020000.00000000.sdmp, C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F1410.13.dr	String found in binary or memory: http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfIs%2BLjDtGwQ09XEB1Yeq%2BtX%2BBgQQU7NfjgtJxX
Source: AteraAgent.exe, 0000000D.00000002.1516184383.0000014C228CC000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.1515070102.0000014C09F5A000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.1514531670.0000014C09BF0000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2633116462.00000294EAE48000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2634013625.00000294EAF66000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2623775013.000002948029A000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2633116462.00000294EADC0000.00000004.00000020.00020000.00000000.sdmp, ReceitaFederal-consulta-yFZMA-45896_v.3_35687.msi, AgentPackageAgentInformation.exe.14.dr, System.ValueTuple.dll.2.dr, Pubnub.dll.2.dr, ICSharpCode.SharpZipLib.dll.2.dr, Atera.AgentPackage.Common.dll.14.dr, Newtonsoft.Json.dll.2.dr, Newtonsoft.Json.dll.14.dr, AteraAgent.exe.2.dr, 5b113b.msi.2.dr, 5b113d.msi.2.dr, BouncyCastle.Crypto.dll.2.dr	String found in binary or memory: http://ocsp.digicert.com0
Source: rundll32.exe, 00000004.00000003.1384418180.0000000004AD1000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1393627816.0000000004271000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1449345788.0000000004D79000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2633116462.00000294EAE48000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2634013625.00000294EAEF6000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2634013625.00000294EAF66000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000011.00000003.1520522835.00000000040FF000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000013.00000002.1736722380.0000017748FF0000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000017.00000002.2207440429.000001DAB5C2A000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000019.00000002.2366838259.000001CAF08D5000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000019.00000002.2366838259.000001CAF0900000.00000004.00000020.00020000.00000000.sdmp, ReceitaFederal-consulta-yFZMA-45896_v.3_35687.msi, AgentPackageAgentInformation.exe.14.dr, System.ValueTuple.dll.2.dr, Pubnub.dll.2.dr, ICSharpCode.SharpZipLib.dll.2.dr, C56C4404C4DEF0DC88E5FCD9F09CB2F1.14.dr, Atera.AgentPackage.Common.dll.14.dr, Newtonsoft.Json.dll.6.dr, Newtonsoft.Json.dll.4.dr, Newtonsoft.Json.dll.2.dr	String found in binary or memory: http://ocsp.digicert.com0A
Source: rundll32.exe, 00000004.00000003.1384418180.0000000004AD1000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1393627816.0000000004271000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1449345788.0000000004D79000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2633116462.00000294EAEAF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000011.00000003.1520522835.00000000040FF000.00000004.00000020.00020000.00000000.sdmp, ReceitaFederal-consulta-yFZMA-45896_v.3_35687.msi, AgentPackageAgentInformation.exe.14.dr, Microsoft.Deployment.WindowsInstaller.dll.4.dr, System.ValueTuple.dll.2.dr, Pubnub.dll.2.dr, ICSharpCode.SharpZipLib.dll.2.dr, Atera.AgentPackage.Common.dll.14.dr, MSI30EE.tmp.2.dr, Newtonsoft.Json.dll.6.dr, Newtonsoft.Json.dll.4.dr, Newtonsoft.Json.dll.2.dr, Newtonsoft.Json.dll.14.dr, MSI3022.tmp.2.dr, Microsoft.Deployment.WindowsInstaller.dll.6.dr, Newtonsoft.Json.dll.5.dr, MSI2FB3.tmp.2.dr	String found in binary or memory: http://ocsp.digicert.com0C
Source: rundll32.exe, 00000004.00000003.1384418180.0000000004AD1000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1393627816.0000000004271000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1449345788.0000000004D79000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000011.00000003.1520522835.00000000040FF000.00000004.00000020.00020000.00000000.sdmp, ReceitaFederal-consulta-yFZMA-45896_v.3_35687.msi, Microsoft.Deployment.WindowsInstaller.dll.4.dr, MSI30EE.tmp.2.dr, MSI3022.tmp.2.dr, Microsoft.Deployment.WindowsInstaller.dll.6.dr, MSI2FB3.tmp.2.dr, Microsoft.Deployment.WindowsInstaller.dll.17.dr, 5b113b.msi.2.dr, 5b113d.msi.2.dr, MSI2FC4.tmp.2.dr	String found in binary or memory: http://ocsp.digicert.com0K
Source: rundll32.exe, 00000004.00000003.1384418180.0000000004AD1000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1393627816.0000000004271000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1449345788.0000000004D79000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000011.00000003.1520522835.00000000040FF000.00000004.00000020.00020000.00000000.sdmp, ReceitaFederal-consulta-yFZMA-45896_v.3_35687.msi, Microsoft.Deployment.WindowsInstaller.dll.4.dr, MSI30EE.tmp.2.dr, MSI3022.tmp.2.dr, Microsoft.Deployment.WindowsInstaller.dll.6.dr, MSI2FB3.tmp.2.dr, Microsoft.Deployment.WindowsInstaller.dll.17.dr, 5b113b.msi.2.dr, 5b113d.msi.2.dr, MSI2FC4.tmp.2.dr	String found in binary or memory: http://ocsp.digicert.com0N
Source: rundll32.exe, 00000004.00000003.1384418180.0000000004AD1000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1393627816.0000000004271000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1449345788.0000000004D79000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000011.00000003.1520522835.00000000040FF000.00000004.00000020.00020000.00000000.sdmp, ReceitaFederal-consulta-yFZMA-45896_v.3_35687.msi, Microsoft.Deployment.WindowsInstaller.dll.4.dr, MSI30EE.tmp.2.dr, Newtonsoft.Json.dll.6.dr, Newtonsoft.Json.dll.4.dr, MSI3022.tmp.2.dr, Microsoft.Deployment.WindowsInstaller.dll.6.dr, Newtonsoft.Json.dll.5.dr, MSI2FB3.tmp.2.dr, Newtonsoft.Json.dll.17.dr, Microsoft.Deployment.WindowsInstaller.dll.17.dr, 5b113b.msi.2.dr, 5b113d.msi.2.dr, MSI2FC4.tmp.2.dr	String found in binary or memory: http://ocsp.digicert.com0O
Source: rundll32.exe, 00000004.00000003.1384418180.0000000004AD1000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1393627816.0000000004271000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1449345788.0000000004D79000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.1514531670.0000014C09BF0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000011.00000003.1520522835.00000000040FF000.00000004.00000020.00020000.00000000.sdmp, ReceitaFederal-consulta-yFZMA-45896_v.3_35687.msi, AgentPackageAgentInformation.exe.14.dr, System.ValueTuple.dll.2.dr, Pubnub.dll.2.dr, ICSharpCode.SharpZipLib.dll.2.dr, Atera.AgentPackage.Common.dll.14.dr, Newtonsoft.Json.dll.6.dr, Newtonsoft.Json.dll.4.dr, Newtonsoft.Json.dll.2.dr, Newtonsoft.Json.dll.14.dr, Newtonsoft.Json.dll.5.dr, Newtonsoft.Json.dll.17.dr, AteraAgent.exe.2.dr, 5b113b.msi.2.dr, 5b113d.msi.2.dr, BouncyCastle.Crypto.dll.2.dr	String found in binary or memory: http://ocsp.digicert.com0X
Source: AteraAgent.exe, 0000000D.00000002.1516184383.0000014C228AD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com1.3.6.1.5.5.7.48.2http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRS
Source: AteraAgent.exe, 0000000D.00000002.1514531670.0000014C09C79000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com:80/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSRXerF0eFeSWRripTgTkcJWMm7iQQUaDfg67Y7%2BF
Source: AteraAgent.exe, 0000000E.00000002.2633116462.00000294EAE48000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com:80;
Source: AteraAgent.exe, 0000000D.00000002.1514531670.0000014C09BF0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/DigiCertAssuredIDRootCA.crl
Source: AteraAgent.exe, 0000000E.00000002.2633116462.00000294EADC0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.cr
Source: AteraAgent.exe, 0000000D.00000002.1514531670.0000014C09BF0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/DigiCertTrustedRootG4.crl
Source: AteraAgent.exe, 0000000E.00000002.2633116462.00000294EAE48000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/DigiCertTrustedRootG4.crlh
Source: AteraAgent.exe, 0000000E.00000002.2623775013.00000294806B5000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2623775013.0000029480534000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ps.pndsn.com
Source: AteraAgent.exe, 0000000D.00000002.1515070102.0000014C09F5A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.datacontract.org
Source: AteraAgent.exe, 0000000D.00000002.1515070102.0000014C09F5A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.datacontract.org/2004/07/
Source: AteraAgent.exe, 0000000D.00000002.1515070102.0000014C09F5A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.datacontract.org/2004/07/System.ServiceProcess
Source: rundll32.exe, 00000005.00000002.1445956864.0000000004431000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.1445956864.00000000044D4000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2623775013.0000029480001000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000011.00000002.1572886890.0000000004374000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000011.00000002.1572886890.00000000042D1000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000013.00000002.1737064202.0000017749143000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000017.00000002.2206503993.000001DA9D44F000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000019.00000002.2364172083.000001CA800BF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: rundll32.exe, 00000004.00000003.1384418180.0000000004AD1000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1393627816.0000000004271000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1449345788.0000000004D79000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000011.00000003.1520522835.00000000040FF000.00000004.00000020.00020000.00000000.sdmp, ReceitaFederal-consulta-yFZMA-45896_v.3_35687.msi, Microsoft.Deployment.WindowsInstaller.dll.4.dr, MSI30EE.tmp.2.dr, MSI3022.tmp.2.dr, Microsoft.Deployment.WindowsInstaller.dll.6.dr, MSI2FB3.tmp.2.dr, Microsoft.Deployment.WindowsInstaller.dll.17.dr, 5b113b.msi.2.dr, 5b113d.msi.2.dr, MSI2FC4.tmp.2.dr	String found in binary or memory: http://wixtoolset.org
Source: rundll32.exe, 00000004.00000003.1384418180.0000000004AA0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1393627816.0000000004240000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1449345788.0000000004D48000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000011.00000003.1520522835.00000000040CE000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Deployment.WindowsInstaller.dll.4.dr, Microsoft.Deployment.WindowsInstaller.dll.6.dr, Microsoft.Deployment.WindowsInstaller.dll.17.dr	String found in binary or memory: http://wixtoolset.org/Whttp://wixtoolset.org/telemetry/v
Source: rundll32.exe, 00000004.00000003.1384418180.0000000004AA0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1393627816.0000000004240000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1449345788.0000000004D48000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000011.00000003.1520522835.00000000040CE000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Deployment.WindowsInstaller.dll.4.dr, Microsoft.Deployment.WindowsInstaller.dll.6.dr, Microsoft.Deployment.WindowsInstaller.dll.17.dr	String found in binary or memory: http://wixtoolset.org/news/
Source: rundll32.exe, 00000004.00000003.1384418180.0000000004AA0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1393627816.0000000004240000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1449345788.0000000004D48000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000011.00000003.1520522835.00000000040CE000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Deployment.WindowsInstaller.dll.4.dr, Microsoft.Deployment.WindowsInstaller.dll.6.dr, Microsoft.Deployment.WindowsInstaller.dll.17.dr	String found in binary or memory: http://wixtoolset.org/releases/
Source: AteraAgent.exe, 0000000E.00000002.2623775013.000002948029A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.digicert.com/CPS
Source: rundll32.exe, 00000004.00000003.1384418180.0000000004AD1000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1393627816.0000000004271000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1449345788.0000000004D79000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.1516184383.0000014C228CC000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.1515070102.0000014C09F5A000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.1514531670.0000014C09BF0000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2633116462.00000294EAE48000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2634013625.00000294EAF66000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2633116462.00000294EADC0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000011.00000003.1520522835.00000000040FF000.00000004.00000020.00020000.00000000.sdmp, ReceitaFederal-consulta-yFZMA-45896_v.3_35687.msi, AgentPackageAgentInformation.exe.14.dr, System.ValueTuple.dll.2.dr, Pubnub.dll.2.dr, ICSharpCode.SharpZipLib.dll.2.dr, Atera.AgentPackage.Common.dll.14.dr, Newtonsoft.Json.dll.6.dr, Newtonsoft.Json.dll.4.dr, Newtonsoft.Json.dll.2.dr, Newtonsoft.Json.dll.14.dr, Newtonsoft.Json.dll.5.dr	String found in binary or memory: http://www.digicert.com/CPS0
Source: AteraAgent.exe, 0000000D.00000002.1515070102.0000014C09F5A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.w3.o
Source: AteraAgent.exe, 0000000D.00000002.1515070102.0000014C09F5A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.w3.oh
Source: AteraAgent.exe, 0000000E.00000002.2623775013.0000029480647000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2623775013.00000294805C6000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2623775013.00000294806F4000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2623775013.00000294805D8000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2623775013.00000294806C7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://agent-api.P
Source: AteraAgent.exe, 0000000E.00000002.2623775013.00000294806C7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://agent-api.PrZ
Source: rundll32.exe, 00000005.00000002.1445956864.00000000044D4000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000011.00000002.1572886890.0000000004374000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://agent-api.aterD
Source: rundll32.exe, 00000004.00000003.1384418180.0000000004AA0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.1445956864.0000000004431000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.1445956864.00000000044D4000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1393627816.0000000004240000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1449345788.0000000004D48000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2623775013.00000294805C6000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2623775013.0000029480001000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2623775013.0000029480374000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000011.00000002.1572886890.0000000004374000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000011.00000003.1520522835.00000000040CE000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000011.00000002.1572886890.00000000042D1000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000013.00000002.1737064202.0000017749143000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000017.00000002.2206503993.000001DA9D44F000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000019.00000002.2364172083.000001CA800BF000.00000004.00000800.00020000.00000000.sdmp, AlphaControlAgentInstallation.dll.5.dr, AlphaControlAgentInstallation.dll.6.dr, AlphaControlAgentInstallation.dll.17.dr, AlphaControlAgentInstallation.dll.4.dr	String found in binary or memory: https://agent-api.atera.com
Source: rundll32.exe, 00000004.00000003.1384418180.0000000004AA0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.1445956864.0000000004431000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.1445956864.00000000044D4000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1393627816.0000000004240000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1449345788.0000000004D48000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000011.00000002.1572886890.0000000004374000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000011.00000003.1520522835.00000000040CE000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000011.00000002.1572886890.00000000042D1000.00000004.00000800.00020000.00000000.sdmp, AlphaControlAgentInstallation.dll.5.dr, AlphaControlAgentInstallation.dll.6.dr, AlphaControlAgentInstallation.dll.17.dr, AlphaControlAgentInstallation.dll.4.dr	String found in binary or memory: https://agent-api.atera.com/
Source: AteraAgent.exe, 0000000E.00000002.2623775013.00000294805C6000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2623775013.000002948029A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://agent-api.atera.com/Pro
Source: AgentPackageAgentInformation.exe, 00000013.00000002.1737064202.0000017749143000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000017.00000002.2206503993.000001DA9D44F000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000019.00000002.2364172083.000001CA800BF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://agent-api.atera.com/Production
Source: rundll32.exe, 00000004.00000003.1384418180.0000000004AA0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.1445956864.0000000004431000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.1445956864.00000000044D4000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1393627816.0000000004240000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1449345788.0000000004D48000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000011.00000002.1572886890.0000000004374000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000011.00000003.1520522835.00000000040CE000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000011.00000002.1572886890.00000000042D1000.00000004.00000800.00020000.00000000.sdmp, AlphaControlAgentInstallation.dll.5.dr, AlphaControlAgentInstallation.dll.6.dr, AlphaControlAgentInstallation.dll.17.dr, AlphaControlAgentInstallation.dll.4.dr	String found in binary or memory: https://agent-api.atera.com/Production/Agent/
Source: AteraAgent.exe, 0000000E.00000002.2623775013.00000294801DF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://agent-api.atera.com/Production/Agent/AcknowledgeCommands
Source: AteraAgent.exe, 0000000E.00000002.2623775013.00000294801DF000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2623775013.000002948029A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://agent-api.atera.com/Production/Agent/AgentStarting
Source: AgentPackageAgentInformation.exe, 00000013.00000002.1737064202.0000017749143000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000017.00000002.2206503993.000001DA9D44F000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000019.00000002.2364172083.000001CA800BF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://agent-api.atera.com/Production/Agent/CommandResult
Source: AteraAgent.exe, 0000000E.00000002.2623775013.00000294805C6000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2623775013.00000294801DF000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2623775013.00000294807A6000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2623775013.000002948029A000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2623775013.0000029480368000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://agent-api.atera.com/Production/Agent/GetCommands
Source: AteraAgent.exe, 0000000E.00000002.2623775013.00000294801DF000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2623775013.000002948029A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://agent-api.atera.com/Production/Agent/GetCommandsFallback
Source: AteraAgent.exe, 0000000E.00000002.2623775013.0000029480001000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://agent-api.atera.com/Production/Agent/GetEnvironmentStatus
Source: AteraAgent.exe, 0000000E.00000002.2623775013.00000294805C6000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2623775013.00000294805D8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://agent-api.atera.com/Production/Agent/GetRecurrin
Source: AteraAgent.exe, 0000000E.00000002.2623775013.0000029480374000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://agent-api.atera.com/Production/Agent/GetRecurringPackages
Source: AteraAgent.exe, 0000000E.00000002.2623775013.000002948029A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://agent-api.atera.com/Production/Agent/GetRecurringPackagesNENTIALBACKOFF
Source: AteraAgent.exe, 0000000E.00000002.2623775013.000002948029A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://agent-api.atera.com/Production/Agent/GetRecurringPackagesected.
Source: AteraAgent.exe, 0000000E.00000002.2623775013.000002948029A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://agent-api.atera.com/Production/Agent/GetRecurringPackagesiChannelSubscribeRequestk.server.
Source: AteraAgent.exe, 0000000E.00000002.2623775013.000002948029A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://agent-api.atera.com/Production/Agent/GetRecurringPackagesibe
Source: AteraAgent.exe, 0000000E.00000002.2623775013.00000294801DF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://agent-api.atera.com/Production/Agent/GetRecurringPackagesseTaskFactory/sub-c-a02ceca8-a958-1
Source: AteraAgent.exe, 0000000E.00000002.2623775013.000002948029A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://agent-api.atera.com/Production/Agent/GetRecurringPackagesseTaskFactorya02ceca8-a958-11e5-bd8
Source: rundll32.exe, 00000005.00000002.1445956864.0000000004431000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.1445956864.00000000044D4000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000011.00000002.1572886890.0000000004374000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000011.00000002.1572886890.00000000042D1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://agent-api.atera.com/Production/Agent/track-event
Source: rundll32.exe, 00000004.00000003.1384418180.0000000004AD1000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1393627816.0000000004271000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1449345788.0000000004D79000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2632599707.00000294EABC2000.00000002.00000001.01000000.0000001A.sdmp, rundll32.exe, 00000011.00000003.1520522835.00000000040FF000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000013.00000002.1737873260.00000177618A2000.00000002.00000001.01000000.00000019.sdmp, Newtonsoft.Json.dll.6.dr, Newtonsoft.Json.dll.4.dr, Newtonsoft.Json.dll.2.dr, Newtonsoft.Json.dll.14.dr, Newtonsoft.Json.dll.5.dr, Newtonsoft.Json.dll.17.dr	String found in binary or memory: https://github.com/JamesNK/Newtonsoft.Json
Source: System.ValueTuple.dll.2.dr	String found in binary or memory: https://github.com/dotnet/corefx/tree/30ab651fcb4354552bd4891619a0bdd81e0ebdbf
Source: System.ValueTuple.dll.2.dr	String found in binary or memory: https://github.com/dotnet/corefx/tree/30ab651fcb4354552bd4891619a0bdd81e0ebdbf8
Source: AteraAgent.exe, 0000000E.00000002.2634938179.00000294EB1C2000.00000002.00000001.01000000.0000001B.sdmp, ICSharpCode.SharpZipLib.dll.2.dr	String found in binary or memory: https://github.com/icsharpcode/SharpZipLib
Source: AteraAgent.exe, 0000000E.00000002.2623775013.00000294801DF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.atera.com/agentpackagescrossplatform/AgentPackageAgentInformation/1.13/AgentPackageA
Source: AteraAgent.exe, 0000000E.00000002.2623775013.00000294800DE000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2623775013.00000294801A9000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2623775013.00000294801C9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.atera.com/agentpackagescrossplatform/AgentPackageAgentInformation/1.13/AgentPackageAgentI
Source: AteraAgent.exe, 0000000E.00000002.2623775013.0000029480135000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2623775013.00000294800DA000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2623775013.000002948006A000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2623775013.00000294806C7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.atera.com/agentpackagesmac/Agent.Package.Availability/0.16/Agent.Package.Availability.zip
Source: AteraAgent.exe, 0000000E.00000002.2623775013.000002948028E000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2623775013.00000294800CA000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2623775013.000002948013F000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2623775013.00000294806C7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.atera.com/agentpackagesmac/Agent.Package.IotPoc/0.2/Agent.Package.IotPoc.zip
Source: AteraAgent.exe, 0000000E.00000002.2623775013.0000029480135000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2623775013.00000294800DA000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2623775013.000002948006A000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2623775013.00000294806C7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.atera.com/agentpackagesmac/Agent.Package.Watchdog/1.7/Agent.Package.Watchdog.zip
Source: AteraAgent.exe, 0000000E.00000002.2623775013.00000294806C7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.atera.com/agentpackagesmac/AgentPackageADRemote/6.0/AgentPackageADRemote.zip
Source: AteraAgent.exe, 0000000E.00000002.2623775013.00000294800DE000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2623775013.00000294800E2000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2623775013.00000294806C7000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2623775013.00000294801A9000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2623775013.00000294801C9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.atera.com/agentpackagesmac/AgentPackageAgentInformation/38.0/AgentPackageAgentInformation
Source: AteraAgent.exe, 0000000E.00000002.2623775013.00000294806C7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.atera.com/agentpackagesmac/AgentPackageHeartbeat/17.11/AgentPackageHeartbeat.zip
Source: AteraAgent.exe, 0000000E.00000002.2623775013.00000294806C7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.atera.com/agentpackagesmac/AgentPackageInternalPoller/13.0/AgentPackageInternalPoller.zip
Source: AteraAgent.exe, 0000000E.00000002.2623775013.00000294806C7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.atera.com/agentpackagesmac/AgentPackageMarketplace/1.6/AgentPackageMarketplace.zip
Source: AteraAgent.exe, 0000000E.00000002.2623775013.000002948028E000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2623775013.00000294806C7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.atera.com/agentpackagesmac/AgentPackageMonitoring/37.8/AgentPackageMonitoring.zip
Source: AteraAgent.exe, 0000000E.00000002.2623775013.00000294800DA000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2623775013.000002948006A000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2623775013.000002948028E000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2623775013.00000294800CA000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2623775013.000002948013F000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2623775013.00000294806C7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.atera.com/agentpackagesmac/AgentPackageNetworkDiscovery/13.0/AgentPackageNetworkDiscovery
Source: AteraAgent.exe, 0000000E.00000002.2623775013.00000294806C7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.atera.com/agentpackagesmac/AgentPackageOsUpdates/20.9/AgentPackageOsUpdates.zip
Source: AteraAgent.exe, 0000000E.00000002.2623775013.00000294806C7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.atera.com/agentpackagesmac/AgentPackageProgramManagement/26.3/AgentPackageProgramManageme
Source: AteraAgent.exe, 0000000E.00000002.2623775013.00000294806C7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.atera.com/agentpackagesmac/AgentPackageRuntimeInstaller/1.5/AgentPackageRuntimeInstaller.
Source: AteraAgent.exe, 0000000E.00000002.2623775013.00000294806C7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.atera.com/agentpackagesmac/AgentPackageSTRemote/24.2/AgentPackageSTRemote.zip
Source: AteraAgent.exe, 0000000E.00000002.2623775013.00000294806C7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.atera.com/agentpackagesmac/AgentPackageSystemTools/27.8/AgentPackageSystemTools.zip
Source: AteraAgent.exe, 0000000E.00000002.2623775013.00000294806C7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.atera.com/agentpackagesmac/AgentPackageTaskScheduler/13.0/AgentPackageTaskScheduler.zip
Source: AteraAgent.exe, 0000000E.00000002.2623775013.00000294806C7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.atera.com/agentpackagesmac/AgentPackageTicketing/13.0/AgentPackageTicketing.zip
Source: AteraAgent.exe, 0000000E.00000002.2623775013.00000294806C7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.atera.com/agentpackagesmac/AgentPackageUpgradeAgent/27.6/AgentPackageUpgradeAgent.zip
Source: AteraAgent.exe, 0000000E.00000002.2623775013.00000294806C7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.atera.com/agentpackagesmac/AgentPackageWindowsUpdate/24.6/AgentPackageWindowsUpdate.zip
Source: AteraAgent.exe, 0000000E.00000002.2623775013.0000029480135000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2623775013.00000294800DA000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2623775013.000002948006A000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2623775013.00000294801DF000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2623775013.00000294806C7000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2623775013.000002948029A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.atera.com/agentpackagesnet45/Agent.Package.Availability/0.16/Agent.Package.Availability.z
Source: AteraAgent.exe, 0000000E.00000002.2623775013.000002948028E000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2623775013.00000294801DF000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2623775013.00000294800CA000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2623775013.000002948013F000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2623775013.00000294806C7000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2623775013.000002948029A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.atera.com/agentpackagesnet45/Agent.Package.IotPoc/0.2/Agent.Package.IotPoc.zip
Source: AteraAgent.exe, 0000000E.00000002.2623775013.0000029480135000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2623775013.00000294800DA000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2623775013.000002948006A000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2623775013.00000294801DF000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2623775013.00000294806C7000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2623775013.000002948029A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.atera.com/agentpackagesnet45/Agent.Package.Watchdog/1.7/Agent.Package.Watchdog.zip
Source: AteraAgent.exe, 0000000E.00000002.2623775013.00000294806C7000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2623775013.000002948029A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageADRemote/6.0/AgentPackageADRemote.zip
Source: AteraAgent.exe, 0000000E.00000002.2623775013.000002948029A000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2623775013.00000294801A9000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2623775013.00000294801C9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageAgentInformation/38.0/AgentPackageAgentInformati
Source: AteraAgent.exe, 0000000E.00000002.2623775013.00000294801DF000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2623775013.00000294806C7000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2623775013.000002948029A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageHeartbeat/17.14/AgentPackageHeartbeat.zip
Source: AteraAgent.exe, 0000000E.00000002.2623775013.00000294801DF000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2623775013.00000294806C7000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2623775013.000002948029A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageInternalPoller/23.8/AgentPackageInternalPoller.z
Source: AteraAgent.exe, 0000000E.00000002.2623775013.00000294801DF000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2623775013.00000294806C7000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2623775013.000002948029A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageMarketplace/1.6/AgentPackageMarketplace.zip
Source: AteraAgent.exe, 0000000E.00000002.2623775013.000002948028E000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2623775013.00000294801DF000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2623775013.00000294806C7000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2623775013.000002948029A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageMonitoring/37.8/AgentPackageMonitoring.zip
Source: AteraAgent.exe, 0000000E.00000002.2623775013.00000294800DA000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2623775013.000002948006A000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2623775013.000002948028E000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2623775013.00000294801DF000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2623775013.00000294800CA000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2623775013.000002948013F000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2623775013.00000294806C7000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2623775013.000002948029A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageNetworkDiscovery/23.9/AgentPackageNetworkDiscove
Source: AteraAgent.exe, 0000000E.00000002.2623775013.00000294801DF000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2623775013.00000294806C7000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2623775013.000002948029A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageOsUpdates/20.9/AgentPackageOsUpdates.zip
Source: AteraAgent.exe, 0000000E.00000002.2623775013.00000294801DF000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2623775013.00000294806C7000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2623775013.000002948029A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageProgramManagement/26.3/AgentPackageProgramManage
Source: AteraAgent.exe, 0000000E.00000002.2623775013.00000294806C7000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2623775013.000002948029A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageRuntimeInstaller/1.6/AgentPackageRuntimeInstalle
Source: AteraAgent.exe, 0000000E.00000002.2623775013.00000294801DF000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2623775013.00000294806C7000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2623775013.000002948029A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageSTRemote/24.2/AgentPackageSTRemote.zip
Source: AteraAgent.exe, 0000000E.00000002.2623775013.00000294801DF000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2623775013.00000294806C7000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2623775013.000002948029A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageSystemTools/27.8/AgentPackageSystemTools.zip
Source: AteraAgent.exe, 0000000E.00000002.2623775013.00000294806C7000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2623775013.000002948029A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageTaskScheduler/17.2/AgentPackageTaskScheduler.zip
Source: AteraAgent.exe, 0000000E.00000002.2623775013.00000294801DF000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2623775013.00000294806C7000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2623775013.000002948029A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageTicketing/30.1/AgentPackageTicketing.zip
Source: AteraAgent.exe, 0000000E.00000002.2623775013.00000294801DF000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2623775013.00000294806C7000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2623775013.000002948029A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageUpgradeAgent/27.6/AgentPackageUpgradeAgent.zip
Source: AteraAgent.exe, 0000000E.00000002.2623775013.00000294806C7000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2623775013.000002948029A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageWindowsUpdate/24.6/AgentPackageWindowsUpdate.zip
Source: AteraAgent.exe, 0000000E.00000002.2623775013.0000029480135000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2623775013.00000294800DA000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2623775013.000002948006A000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2623775013.00000294806C7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.atera.com/agentpackageswin/Agent.Package.Availability/13.0/Agent.Package.Availability.zip
Source: AteraAgent.exe, 0000000E.00000002.2623775013.000002948028E000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2623775013.00000294800CA000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2623775013.000002948013F000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2623775013.00000294806C7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.atera.com/agentpackageswin/Agent.Package.IotPoc/13.0/Agent.Package.IotPoc.zip
Source: AteraAgent.exe, 0000000E.00000002.2623775013.0000029480135000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2623775013.00000294800DA000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2623775013.000002948006A000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2623775013.00000294806C7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.atera.com/agentpackageswin/Agent.Package.Watchdog/13.0/Agent.Package.Watchdog.zip
Source: AteraAgent.exe, 0000000E.00000002.2623775013.00000294806C7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.atera.com/agentpackageswin/AgentPackageADRemote/1.2/AgentPackageADRemote.zip
Source: AteraAgent.exe, 0000000E.00000002.2623775013.00000294800DE000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2623775013.00000294806C7000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2623775013.00000294801A9000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2623775013.00000294801C9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.atera.com/agentpackageswin/AgentPackageAgentInformation/22.7/AgentPackageAgentInformation
Source: AteraAgent.exe, 0000000E.00000002.2623775013.000002948028E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.atera.com/agentpackageswin/AgentPackageHeartbeat/16.9
Source: AteraAgent.exe, 0000000E.00000002.2623775013.00000294806C7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.atera.com/agentpackageswin/AgentPackageHeartbeat/16.9/AgentPackageHeartbeat.zip
Source: AteraAgent.exe, 0000000E.00000002.2623775013.00000294806C7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.atera.com/agentpackageswin/AgentPackageInternalPoller/15.9/AgentPackageInternalPoller.zip
Source: AteraAgent.exe, 0000000E.00000002.2623775013.00000294806C7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.atera.com/agentpackageswin/AgentPackageMarketplace/13.0/AgentPackageMarketplace.zip
Source: AteraAgent.exe, 0000000E.00000002.2623775013.000002948028E000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2623775013.00000294806C7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.atera.com/agentpackageswin/AgentPackageMonitoring/22.0/AgentPackageMonitoring.zip
Source: AteraAgent.exe, 0000000E.00000002.2623775013.000002948028E000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2623775013.000002948013F000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2623775013.00000294806C7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.atera.com/agentpackageswin/AgentPackageNetworkDiscovery/15.0/AgentPackageNetworkDiscovery
Source: AteraAgent.exe, 0000000E.00000002.2623775013.00000294806C7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.atera.com/agentpackageswin/AgentPackageOsUpdates/1.0/AgentPackageOsUpdates.zip
Source: AteraAgent.exe, 0000000E.00000002.2623775013.00000294806C7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.atera.com/agentpackageswin/AgentPackageProgramManagement/15.5/AgentPackageProgramManageme
Source: AteraAgent.exe, 0000000E.00000002.2623775013.00000294806C7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.atera.com/agentpackageswin/AgentPackageRuntimeInstaller/13.0/AgentPackageRuntimeInstaller
Source: AteraAgent.exe, 0000000E.00000002.2623775013.00000294806C7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.atera.com/agentpackageswin/AgentPackageSTRemote/16.0/AgentPackageSTRemote.zip
Source: AteraAgent.exe, 0000000E.00000002.2623775013.00000294806C7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.atera.com/agentpackageswin/AgentPackageSystemTools/18.9/AgentPackageSystemTools.zip
Source: AteraAgent.exe, 0000000E.00000002.2623775013.00000294806C7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.atera.com/agentpackageswin/AgentPackageTaskScheduler/13.1/AgentPackageTaskScheduler.zip
Source: AteraAgent.exe, 0000000E.00000002.2623775013.00000294806C7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.atera.com/agentpackageswin/AgentPackageTicketing/18.9/AgentPackageTicketing.zip
Source: AteraAgent.exe, 0000000E.00000002.2623775013.00000294806C7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.atera.com/agentpackageswin/AgentPackageUpgradeAgent/22.1/AgentPackageUpgradeAgent.zip
Source: AteraAgent.exe, 0000000E.00000002.2623775013.00000294806C7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.atera.com/agentpackageswin/AgentPackageWindowsUpdate/18.3/AgentPackageWindowsUpdate.zip
Source: AteraAgent.exe, 0000000E.00000002.2623775013.00000294807A8000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2623775013.00000294805C6000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2623775013.0000029480368000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.pndsn
Source: AteraAgent.exe, 0000000E.00000002.2623775013.00000294807AE000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2623775013.00000294805C6000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2623775013.00000294806B5000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2623775013.0000029480534000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2623775013.000002948036C000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2623775013.000002948008E000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2623775013.0000029480538000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.pndsn.com
Source: AteraAgent.exe, 0000000E.00000002.2623775013.00000294801DF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.pndsn.com/time/0?pnsdk=NET45CSharp6.13.0.0&requestid=0b64e705-668e-465a-845d-ea16cbb2791c
Source: AteraAgent.exe, 0000000E.00000002.2623775013.000002948008E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.pndsn.com/time/0?pnsdk=NET45CSharp6.13.0.0&requestid=59dc8d89-7bee-4d36-a28b-270400da27e0
Source: AteraAgent.exe, 0000000E.00000002.2623775013.000002948029A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.pndsn.com/time/0?pnsdk=NET45CSharp6.13.0.0&requestid=7d96955c-b644-4f48-b6cb-41b97a7be479
Source: AteraAgent.exe, 0000000E.00000002.2623775013.00000294801DF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.pndsn.com/time/0?pnsdk=NET45CSharp6.13.0.0&requestid=83d4ff7e-819b-463d-a1d8-c1180d5bfe08
Source: AteraAgent.exe, 0000000E.00000002.2623775013.00000294801DF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.pndsn.com/time/0?pnsdk=NET45CSharp6.13.0.0&requestid=af1c8f78-a8fb-4782-9e02-8522647fac57
Source: AteraAgent.exe, 0000000E.00000002.2623775013.00000294801DF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.pndsn.com/time/0?pnsdk=NET45CSharp6.13.0.0&requestid=c89efe78-d68a-44aa-b962-a0da30029aef
Source: AteraAgent.exe, 0000000E.00000002.2623775013.00000294801DF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.pndsn.com/time/0?pnsdk=NET45CSharp6.13.0.0&requestid=ee319b7e-c8e0-4aa4-aa35-08507a3b4589
Source: AteraAgent.exe, 0000000E.00000002.2623775013.000002948069B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.pndsn.com/v2/presence/sub_key/sub-c-a02ceca8-a958-11e5-bd8c-0619
Source: AteraAgent.exe, 0000000E.00000002.2623775013.0000029480538000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.pndsn.com/v2/presence/sub_key/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/channel/ca4f6eb7
Source: AteraAgent.exe, 0000000E.00000002.2623775013.00000294806B5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.pndsn.com/v2/subscribe/sub-c-a02ceca8-a958-11e5-bd
Source: AteraAgent.exe, 0000000E.00000002.2623775013.000002948029A000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2623775013.00000294800BC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.pndsn.com/v2/subscribe/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/ca4f6eb7-da88-4119-8d72
Source: rundll32.exe, 00000004.00000003.1384418180.0000000004AD1000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1393627816.0000000004271000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1449345788.0000000004D79000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000011.00000003.1520522835.00000000040FF000.00000004.00000020.00020000.00000000.sdmp, ReceitaFederal-consulta-yFZMA-45896_v.3_35687.msi, Microsoft.Deployment.WindowsInstaller.dll.4.dr, MSI30EE.tmp.2.dr, MSI3022.tmp.2.dr, Microsoft.Deployment.WindowsInstaller.dll.6.dr, MSI2FB3.tmp.2.dr, Microsoft.Deployment.WindowsInstaller.dll.17.dr, 5b113b.msi.2.dr, 5b113d.msi.2.dr, MSI2FC4.tmp.2.dr	String found in binary or memory: https://www.digicert.com/CPS0
Source: rundll32.exe, 00000004.00000003.1384418180.0000000004AD1000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1393627816.0000000004271000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1449345788.0000000004D79000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000011.00000003.1520522835.00000000040FF000.00000004.00000020.00020000.00000000.sdmp, Newtonsoft.Json.dll.6.dr, Newtonsoft.Json.dll.4.dr, Newtonsoft.Json.dll.5.dr, Newtonsoft.Json.dll.17.dr	String found in binary or memory: https://www.newtonsoft.com/json
Source: Newtonsoft.Json.dll.17.dr	String found in binary or memory: https://www.newtonsoft.com/jsonschema
Source: rundll32.exe, 00000004.00000003.1384418180.0000000004AD1000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1393627816.0000000004271000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1449345788.0000000004D79000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2632599707.00000294EABC2000.00000002.00000001.01000000.0000001A.sdmp, rundll32.exe, 00000011.00000003.1520522835.00000000040FF000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000013.00000002.1737873260.00000177618A2000.00000002.00000001.01000000.00000019.sdmp, Newtonsoft.Json.dll.6.dr, Newtonsoft.Json.dll.4.dr, Newtonsoft.Json.dll.2.dr, Newtonsoft.Json.dll.14.dr, Newtonsoft.Json.dll.5.dr, Newtonsoft.Json.dll.17.dr	String found in binary or memory: https://www.nuget.org/packages/Newtonsoft.Json.Bson

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49942
Source: unknown	Network traffic detected: HTTP traffic on port 50013 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49985
Source: unknown	Network traffic detected: HTTP traffic on port 50061 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49983
Source: unknown	Network traffic detected: HTTP traffic on port 49789 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50014
Source: unknown	Network traffic detected: HTTP traffic on port 50090 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50013
Source: unknown	Network traffic detected: HTTP traffic on port 49894 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50078 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49769 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50049 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50022 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50061
Source: unknown	Network traffic detected: HTTP traffic on port 50003 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50062
Source: unknown	Network traffic detected: HTTP traffic on port 49942 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49776 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50068 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49776
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49973
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49972
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49894
Source: unknown	Network traffic detected: HTTP traffic on port 50014 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50023
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50067
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50022
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50068
Source: unknown	Network traffic detected: HTTP traffic on port 49985 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49964 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50004 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50073
Source: unknown	Network traffic detected: HTTP traffic on port 49943 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50067 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50080 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49924
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49769
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49923
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49768
Source: unknown	Network traffic detected: HTTP traffic on port 49790 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49964
Source: unknown	Network traffic detected: HTTP traffic on port 49924 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50086 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49963
Source: unknown	Network traffic detected: HTTP traffic on port 49972 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50076
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50078
Source: unknown	Network traffic detected: HTTP traffic on port 50076 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50037
Source: unknown	Network traffic detected: HTTP traffic on port 50050 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50047 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50073 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50080
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50083
Source: unknown	Network traffic detected: HTTP traffic on port 49963 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50043 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49904 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50083 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50089 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49973 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50037 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50062 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49952
Source: unknown	Network traffic detected: HTTP traffic on port 49923 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49952 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49792
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50043
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49790
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50086
Source: unknown	Network traffic detected: HTTP traffic on port 50093 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50089
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50044
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50003
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50047
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50049
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50004
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50048
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50090
Source: unknown	Network traffic detected: HTTP traffic on port 49768 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50051 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50048 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50050
Source: unknown	Network traffic detected: HTTP traffic on port 49983 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50093
Source: unknown	Network traffic detected: HTTP traffic on port 50023 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50051
Source: unknown	Network traffic detected: HTTP traffic on port 50044 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49904
Source: unknown	Network traffic detected: HTTP traffic on port 49792 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49789
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49943

Source: unknown	HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.9:49768 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.9:49769 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 108.158.75.12:443 -> 192.168.2.9:49792 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.9:49904 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.9:49942 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.9:49943 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.9:49983 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.9:49985 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.9:50004 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.9:50043 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.9:50044 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.9:50047 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.9:50048 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.9:50049 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.9:50051 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.9:50050 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.9:50067 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.9:50068 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.9:50073 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.9:50086 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.9:50089 version: TLS 1.2

Drops certificate files (DER)

Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File created: C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C56C4404C4DEF0DC88E5FCD9F09CB2F1	Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File created: C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EC9B1D0ABBD7F98B401D425828828CE_DEB07B5578A606ED6489DDA2E357A944	Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File created: C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\BA74182F76F15A9CF514DEF352303C95	Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File created: C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141	Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File created: C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F2E248BEDDBB2D85122423C41028BFD4	Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File created: C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB	Jump to dropped file

Spam, unwanted Advertisements and Ransom Demands

Reads the Security eventlog

Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security\AteraAgent	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security

Reads the System eventlog

Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System

Abnormal high CPU Usage

Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe

Process Stats: CPU usage > 49%

Creates files inside the system directory

Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\5b113b.msi	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI1264.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI1766.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI2D41.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\inprogressinstallinfo.ipi	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\SourceHash{E732A0D7-A2F2-4657-AC41-B19742648E45}	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI2FB3.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI2FC4.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI3022.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI30EE.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\5b113d.msi	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\5b113d.msi	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI489E.tmp	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSI1264.tmp-	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSI1264.tmp-\AlphaControlAgentInstallation.dll	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSI1264.tmp-\Microsoft.Deployment.WindowsInstaller.dll	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSI1264.tmp-\Newtonsoft.Json.dll	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSI1264.tmp-\System.Management.dll	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSI1264.tmp-\CustomAction.config	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSI1766.tmp-	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSI1766.tmp-\AlphaControlAgentInstallation.dll	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSI1766.tmp-\Microsoft.Deployment.WindowsInstaller.dll	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSI1766.tmp-\Newtonsoft.Json.dll	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSI1766.tmp-\System.Management.dll	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSI1766.tmp-\CustomAction.config	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSI2D41.tmp-	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSI2D41.tmp-\AlphaControlAgentInstallation.dll	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSI2D41.tmp-\Microsoft.Deployment.WindowsInstaller.dll	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSI2D41.tmp-\Newtonsoft.Json.dll	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSI2D41.tmp-\System.Management.dll	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSI2D41.tmp-\CustomAction.config	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File created: C:\Windows\system32\InstallUtil.InstallLog	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EC9B1D0ABBD7F98B401D425828828CE_DEB07B5578A606ED6489DDA2E357A944	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EC9B1D0ABBD7F98B401D425828828CE_DEB07B5578A606ED6489DDA2E357A944	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C56C4404C4DEF0DC88E5FCD9F09CB2F1
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C56C4404C4DEF0DC88E5FCD9F09CB2F1
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F2E248BEDDBB2D85122423C41028BFD4
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F2E248BEDDBB2D85122423C41028BFD4
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\BA74182F76F15A9CF514DEF352303C95
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\BA74182F76F15A9CF514DEF352303C95
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSI489E.tmp-
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSI489E.tmp-\AlphaControlAgentInstallation.dll
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSI489E.tmp-\Microsoft.Deployment.WindowsInstaller.dll
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSI489E.tmp-\Newtonsoft.Json.dll
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSI489E.tmp-\System.Management.dll
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSI489E.tmp-\CustomAction.config
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	File created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\AgentPackageAgentInformation.exe.log
Source: C:\Windows\System32\wbem\WMIADAP.exe	File created: C:\Windows\system32\wbem\Performance\WmiApRpl_new.h

Deletes files inside the Windows folder

Source: C:\Windows\System32\msiexec.exe

File deleted: C:\Windows\Installer\MSI1264.tmp

Jump to behavior

Detected potential crypto function

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_3_06877678	5_3_06877678
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_3_06870040	5_3_06870040
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_3_072C59A8	6_3_072C59A8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_3_072C50B8	6_3_072C50B8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_3_072C4D68	6_3_072C4D68
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Code function: 13_2_00007FF886A0C922	13_2_00007FF886A0C922
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Code function: 13_2_00007FF886A0BB76	13_2_00007FF886A0BB76
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Code function: 14_2_00007FF8869F0D42	14_2_00007FF8869F0D42
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Code function: 14_2_00007FF886A0900E	14_2_00007FF886A0900E
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Code function: 14_2_00007FF886C0E73C	14_2_00007FF886C0E73C
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Code function: 14_2_00007FF886C0B0B9	14_2_00007FF886C0B0B9
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Code function: 14_2_00007FF886C110E2	14_2_00007FF886C110E2
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Code function: 14_2_00007FF886C093FA	14_2_00007FF886C093FA
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Code function: 14_2_00007FF886C06950	14_2_00007FF886C06950
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Code function: 14_2_00007FF886C11608	14_2_00007FF886C11608
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 17_3_066B0040	17_3_066B0040
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 17_3_066B71D0	17_3_066B71D0
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Code function: 19_2_00007FF886A278D6	19_2_00007FF886A278D6
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Code function: 19_2_00007FF886A21828	19_2_00007FF886A21828
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Code function: 19_2_00007FF886A3100A	19_2_00007FF886A3100A
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Code function: 19_2_00007FF886A28682	19_2_00007FF886A28682
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Code function: 19_2_00007FF886A4047D	19_2_00007FF886A4047D
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Code function: 19_2_00007FF886A2FA94	19_2_00007FF886A2FA94
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Code function: 19_2_00007FF886A310C0	19_2_00007FF886A310C0
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Code function: 19_2_00007FF886A2BDB0	19_2_00007FF886A2BDB0
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Code function: 19_2_00007FF886A212FB	19_2_00007FF886A212FB
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Code function: 23_2_00007FF886A1108C	23_2_00007FF886A1108C
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Code function: 23_2_00007FF886A078D6	23_2_00007FF886A078D6
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Code function: 23_2_00007FF886A01828	23_2_00007FF886A01828
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Code function: 23_2_00007FF886A08682	23_2_00007FF886A08682
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Code function: 23_2_00007FF886A2047D	23_2_00007FF886A2047D
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Code function: 23_2_00007FF886A0FA94	23_2_00007FF886A0FA94
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Code function: 23_2_00007FF886A110C0	23_2_00007FF886A110C0
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Code function: 23_2_00007FF886A0BDB0	23_2_00007FF886A0BDB0
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Code function: 23_2_00007FF886A012FB	23_2_00007FF886A012FB
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Code function: 25_2_00007FF886A178D6	25_2_00007FF886A178D6
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Code function: 25_2_00007FF886A18682	25_2_00007FF886A18682
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Code function: 25_2_00007FF886A3047D	25_2_00007FF886A3047D
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Code function: 25_2_00007FF886A1FA94	25_2_00007FF886A1FA94
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Code function: 25_2_00007FF886A210C0	25_2_00007FF886A210C0
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Code function: 25_2_00007FF886A1BDB0	25_2_00007FF886A1BDB0
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Code function: 25_2_00007FF886A112FA	25_2_00007FF886A112FA

Dropped file seen in connection with other malware

Source: Joe Sandbox View

Dropped File: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe A96A0BA7998A6956C8073B6EFF9306398CC03FB9866E4CABF0810A69BB2A43B2

Sample file is different than original file name gathered from version info

Source: ReceitaFederal-consulta-yFZMA-45896_v.3_35687.msi	Binary or memory string: OriginalFilenameAlphaControlAgentInstallation.dll\ vs ReceitaFederal-consulta-yFZMA-45896_v.3_35687.msi
Source: ReceitaFederal-consulta-yFZMA-45896_v.3_35687.msi	Binary or memory string: OriginalFilenameSfxCA.dll\ vs ReceitaFederal-consulta-yFZMA-45896_v.3_35687.msi
Source: ReceitaFederal-consulta-yFZMA-45896_v.3_35687.msi	Binary or memory string: OriginalFilenamewixca.dll\ vs ReceitaFederal-consulta-yFZMA-45896_v.3_35687.msi

Source: ICSharpCode.SharpZipLib.dll.2.dr, InflaterInputBuffer.cs	Cryptographic APIs: 'TransformBlock'
Source: ICSharpCode.SharpZipLib.dll.2.dr, DeflaterOutputStream.cs	Cryptographic APIs: 'TransformBlock'
Source: ICSharpCode.SharpZipLib.dll.2.dr, ZipAESTransform.cs	Cryptographic APIs: 'TransformBlock'

Source: AteraAgent.exe.2.dr, SignatureValidator.cs

Source: classification engine

Classification label: mal88.troj.spyw.evad.winMSI@38/85@12/2

Source: C:\Windows\System32\msiexec.exe

File created: C:\Program Files (x86)\ATERA Networks

Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\rundll32.exe.log

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:1592:120:WilError_03
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Mutant created: NULL
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\netfxeventlog.1.0
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7928:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:7504:120:WilError_03
Source: C:\Windows\System32\wbem\WMIADAP.exe	Mutant created: \BaseNamedObjects\Global\RefreshRA_Mutex
Source: C:\Windows\System32\wbem\WMIADAP.exe	Mutant created: \BaseNamedObjects\Global\RefreshRA_Mutex_Flag
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7996:120:WilError_03
Source: C:\Windows\System32\wbem\WMIADAP.exe	Mutant created: \BaseNamedObjects\Global\ADAP_WMI_ENTRY
Source: C:\Windows\System32\wbem\WMIADAP.exe	Mutant created: \BaseNamedObjects\Global\RefreshRA_Mutex_Lib
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:5520:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:7856:120:WilError_03
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Mutant created: \BaseNamedObjects\Global\netfxeventlog.1.0

Source: C:\Windows\System32\msiexec.exe

File created: C:\Windows\TEMP\~DF5892DD4D99EE3C15.TMP

Jump to behavior

Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "AteraAgent.exe")
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select Name from Win32_Processor
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select Name from Win32_Processor
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select Name from Win32_Processor
Source: C:\Windows\System32\wbem\WMIADAP.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "AteraAgent.exe")

Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe

File read: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.ini

Source: C:\Windows\System32\msiexec.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA

Jump to behavior

Source: C:\Windows\SysWOW64\msiexec.exe

Source: ReceitaFederal-consulta-yFZMA-45896_v.3_35687.msi

Static file information: TRID: Microsoft Windows Installer (60509/1) 57.88%

Source: ReceitaFederal-consulta-yFZMA-45896_v.3_35687.msi

ReversingLabs: Detection: 26%

Source: unknown	Process created: C:\Windows\System32\msiexec.exe "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\ReceitaFederal-consulta-yFZMA-45896_v.3_35687.msi"
Source: unknown	Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding BEDEEE6C5E800683486D45882C70B787
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Windows\Installer\MSI1264.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_5968562 2 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.GenerateAgentId
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Windows\Installer\MSI1766.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_5969828 6 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.ReportMsiStart
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Windows\Installer\MSI2D41.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_5975390 11 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.ShouldContinueInstallation
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding F32542BB014FEC02096438D522414E5D E Global\MSI0000
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\net.exe "NET" STOP AteraAgent
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 STOP AteraAgent
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\taskkill.exe "TaskKill.exe" /f /im AteraAgent.exe
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe" /i /IntegratorLogin="lauraclima92@gmail.com" /CompanyId="1" /IntegratorLoginUI="" /CompanyIdUI="" /FolderId="" /AccountId="001Q300000MAUEiIAP" /AgentId="ca4f6eb7-da88-4119-8d72-16266eeb5dd4"
Source: unknown	Process created: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe"
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process created: C:\Windows\System32\sc.exe "C:\Windows\System32\sc.exe" failure AteraAgent reset= 600 actions= restart/25000
Source: C:\Windows\System32\sc.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Windows\Installer\MSI489E.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_5982406 33 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.ReportMsiEnd
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" ca4f6eb7-da88-4119-8d72-16266eeb5dd4 "40d7881e-bac7-4bc1-a310-af4ec03e6c5c" agent-api.atera.com/Production 443 or8ixLi90Mf "minimalIdentification" 001Q300000MAUEiIAP
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" ca4f6eb7-da88-4119-8d72-16266eeb5dd4 "4d432fbf-e66a-4222-84c5-bc3b68a3273b" agent-api.atera.com/Production 443 or8ixLi90Mf "minimalIdentification" 001Q300000MAUEiIAP
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" ca4f6eb7-da88-4119-8d72-16266eeb5dd4 "47be830f-d7d7-401a-87fc-8b93e37bf80a" agent-api.atera.com/Production 443 or8ixLi90Mf "minimalIdentification" 001Q300000MAUEiIAP
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\System32\wbem\WMIADAP.exe wmiadap.exe /F /T /R
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding BEDEEE6C5E800683486D45882C70B787	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding F32542BB014FEC02096438D522414E5D E Global\MSI0000	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe" /i /IntegratorLogin="lauraclima92@gmail.com" /CompanyId="1" /IntegratorLoginUI="" /CompanyIdUI="" /FolderId="" /AccountId="001Q300000MAUEiIAP" /AgentId="ca4f6eb7-da88-4119-8d72-16266eeb5dd4"	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Windows\Installer\MSI1264.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_5968562 2 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.GenerateAgentId	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Windows\Installer\MSI1766.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_5969828 6 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.ReportMsiStart	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Windows\Installer\MSI2D41.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_5975390 11 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.ShouldContinueInstallation	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Windows\Installer\MSI489E.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_5982406 33 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.ReportMsiEnd	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\net.exe "NET" STOP AteraAgent	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\taskkill.exe "TaskKill.exe" /f /im AteraAgent.exe	Jump to behavior
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 STOP AteraAgent	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process created: C:\Windows\System32\sc.exe "C:\Windows\System32\sc.exe" failure AteraAgent reset= 600 actions= restart/25000
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" ca4f6eb7-da88-4119-8d72-16266eeb5dd4 "40d7881e-bac7-4bc1-a310-af4ec03e6c5c" agent-api.atera.com/Production 443 or8ixLi90Mf "minimalIdentification" 001Q300000MAUEiIAP
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" ca4f6eb7-da88-4119-8d72-16266eeb5dd4 "4d432fbf-e66a-4222-84c5-bc3b68a3273b" agent-api.atera.com/Production 443 or8ixLi90Mf "minimalIdentification" 001Q300000MAUEiIAP
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" ca4f6eb7-da88-4119-8d72-16266eeb5dd4 "47be830f-d7d7-401a-87fc-8b93e37bf80a" agent-api.atera.com/Production 443 or8ixLi90Mf "minimalIdentification" 001Q300000MAUEiIAP

Source: C:\Windows\System32\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: srpapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: tsappcmp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: msihnd.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: tsappcmp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: srclient.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: spp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: vssapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: vsstrace.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\net.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\net.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\net.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\net.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\net.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\net.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: dsrole.dll	Jump to behavior
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: cryptnet.dll	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: mscoree.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: version.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: windows.storage.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: wldp.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: profapi.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: cryptsp.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: rsaenh.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: propsys.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: edputil.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: urlmon.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: iertutil.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: srvcli.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: netutils.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: sspicli.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: wintypes.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: appresolver.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: bcp47langs.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: slc.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: userenv.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: sppc.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: rasapi32.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: rasman.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: rtutils.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: mswsock.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: winhttp.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: iphlpapi.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: dhcpcsvc.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: dnsapi.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: winnsi.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: rasadhlp.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: fwpuclnt.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: secur32.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: schannel.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: mskeyprotect.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: ntasn1.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: ncrypt.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: ncryptsslp.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: msasn1.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: gpapi.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: wbemcomn.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: amsi.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: cryptnet.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: webio.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: cabinet.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: apphelp.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: mscoree.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: apphelp.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: version.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: cryptsp.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: rsaenh.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: windows.storage.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: wldp.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: profapi.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: wbemcomn.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: amsi.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: userenv.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: rasapi32.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: rasman.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: rtutils.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: mswsock.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: winhttp.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: iphlpapi.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: dhcpcsvc.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: dnsapi.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: winnsi.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: rasadhlp.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: fwpuclnt.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: secur32.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: sspicli.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: schannel.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: mskeyprotect.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: ntasn1.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: ncrypt.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: ncryptsslp.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: msasn1.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: gpapi.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: mscoree.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: version.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: cryptsp.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: rsaenh.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: windows.storage.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: wldp.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: profapi.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: wbemcomn.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: amsi.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: userenv.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: rasapi32.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: rasman.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: rtutils.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: mswsock.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: winhttp.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: iphlpapi.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: dhcpcsvc.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: dnsapi.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: winnsi.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: rasadhlp.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: fwpuclnt.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: secur32.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: sspicli.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: schannel.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: mskeyprotect.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: ntasn1.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: ncrypt.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: ncryptsslp.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: msasn1.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: gpapi.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: mscoree.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: version.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: cryptsp.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: rsaenh.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: windows.storage.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: wldp.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: profapi.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: wbemcomn.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: amsi.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: userenv.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: rasapi32.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: rasman.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: rtutils.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: mswsock.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: winhttp.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: iphlpapi.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: dhcpcsvc.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: dnsapi.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: winnsi.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: rasadhlp.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: fwpuclnt.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: secur32.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: sspicli.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: schannel.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: mskeyprotect.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: ntasn1.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: ncrypt.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: ncryptsslp.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: msasn1.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\wbem\WMIADAP.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WMIADAP.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WMIADAP.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\wbem\WMIADAP.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WMIADAP.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\wbem\WMIADAP.exe	Section loaded: loadperf.dll

Source: C:\Windows\SysWOW64\rundll32.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32

Jump to behavior

Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe

File written: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.ini

Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Source: ReceitaFederal-consulta-yFZMA-45896_v.3_35687.msi

Static file information: File size 2994176 > 1048576

Source:	Binary string: D:\a\1\s\AgentPackageAgentInformation\AgentPackageAgentInformation\obj\Release\AgentPackageAgentInformation.pdb source: AteraAgent.exe, 0000000E.00000002.2633116462.00000294EAEAF000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000013.00000000.1696182343.00000177486B2000.00000002.00000001.01000000.00000016.sdmp, AgentPackageAgentInformation.exe.14.dr
Source:	Binary string: D:\a\1\s\AlphaControlAgentInstallation\obj\Release\AlphaControlAgentInstallation.pdb source: rundll32.exe, 00000004.00000003.1384418180.0000000004AA0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.1446980607.0000000006E10000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.1444559082.00000000005BC000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1444139924.00000000005BC000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1393627816.0000000004240000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1449345788.0000000004D48000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000011.00000003.1520522835.00000000040CE000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000011.00000002.1575945285.0000000006C33000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000011.00000002.1570641470.0000000000605000.00000004.00000020.00020000.00000000.sdmp, AlphaControlAgentInstallation.dll.5.dr, AlphaControlAgentInstallation.dll.6.dr, AlphaControlAgentInstallation.dll.17.dr, AlphaControlAgentInstallation.dll.4.dr
Source:	Binary string: \??\C:\Windows\Installer\MSI489E.tmp-\AlphaControlAgentInstallation.PDBrb source: rundll32.exe, 00000011.00000002.1570641470.00000000005A5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\symbols\dll\AlphaControlAgentInstallation.pdb source: rundll32.exe, 00000011.00000002.1570641470.0000000000605000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\AlphaControlAgentInstallation.pdbpdbion.pdb% source: rundll32.exe, 00000005.00000002.1444743402.000000000060F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1444294947.000000000060E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1444074163.00000000005F6000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\AlphaControlAgentInstallation.pdbpdbion.pdb( source: rundll32.exe, 00000011.00000002.1570641470.0000000000653000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: /_/Src/Newtonsoft.Json/obj/Release/net45/Newtonsoft.Json.pdbSHA256 source: AgentPackageAgentInformation.exe, 00000013.00000002.1737873260.00000177618A2000.00000002.00000001.01000000.00000019.sdmp, Newtonsoft.Json.dll.14.dr
Source:	Binary string: C:\Windows\System.pdbpdbtem.pdb source: rundll32.exe, 00000011.00000002.1575945285.0000000006C4A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\symbols\dll\AlphaControlAgentInstallation.pdbG source: rundll32.exe, 00000005.00000002.1444717726.00000000005F8000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1444074163.00000000005F6000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\s\AlphaControlAgent\obj\Release\AteraAgent.pdb<$ source: AteraAgent.exe, 0000000D.00000000.1462877199.0000014C07FF2000.00000002.00000001.01000000.0000000F.sdmp, AteraAgent.exe.2.dr
Source:	Binary string: System.pdbN\|2h\|2 Z\|2_CorDllMainmscoree.dll source: rundll32.exe, 00000005.00000002.1446980607.0000000006E00000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000011.00000002.1575945285.0000000006C33000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: /_/Src/Newtonsoft.Json/obj/Release/net45/Newtonsoft.Json.pdb source: rundll32.exe, 00000004.00000003.1384418180.0000000004AD1000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1393627816.0000000004271000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1449345788.0000000004D79000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2632599707.00000294EABC2000.00000002.00000001.01000000.0000001A.sdmp, rundll32.exe, 00000011.00000003.1520522835.00000000040FF000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000013.00000002.1737873260.00000177618A2000.00000002.00000001.01000000.00000019.sdmp, Newtonsoft.Json.dll.6.dr, Newtonsoft.Json.dll.4.dr, Newtonsoft.Json.dll.2.dr, Newtonsoft.Json.dll.14.dr, Newtonsoft.Json.dll.5.dr, Newtonsoft.Json.dll.17.dr
Source:	Binary string: D:\a\1\s\Atera.AgentPackage.Common\obj\Release\Atera.AgentPackage.Common.pdb source: AgentPackageAgentInformation.exe, 00000013.00000002.1736549583.0000017748CC2000.00000002.00000001.01000000.00000018.sdmp, Atera.AgentPackage.Common.dll.14.dr
Source:	Binary string: E:\A\_work\39\s\corefx\bin\obj\AnyOS.AnyCPU.Release\System.ValueTuple\netstandard1.0\System.ValueTuple.pdb source: System.ValueTuple.dll.2.dr
Source:	Binary string: \??\C:\Windows\symbols\dll\System.pdb2 source: rundll32.exe, 00000011.00000002.1575945285.0000000006C4A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\agent\_work\66\s\build\ship\x86\wixca.pdb source: ReceitaFederal-consulta-yFZMA-45896_v.3_35687.msi, MSI30EE.tmp.2.dr, MSI3022.tmp.2.dr, MSI2FB3.tmp.2.dr, 5b113b.msi.2.dr, 5b113d.msi.2.dr, MSI2FC4.tmp.2.dr
Source:	Binary string: bHP~n\C:\Windows\AlphaControlAgentInstallation.pdb source: rundll32.exe, 00000005.00000002.1444393467.0000000000497000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\AlphaControlAgentInstallation.pdbotm source: rundll32.exe, 00000011.00000002.1570641470.00000000005A5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\dll\AlphaControlAgentInstallation.pdbG source: rundll32.exe, 00000011.00000002.1570641470.0000000000605000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\agent\_work\66\s\build\obj\ship\x86\WindowsInstaller\Microsoft.Deployment.WindowsInstaller.pdbP source: rundll32.exe, 00000004.00000003.1384418180.0000000004AA0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1393627816.0000000004240000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1449345788.0000000004D48000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000011.00000003.1520522835.00000000040CE000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Deployment.WindowsInstaller.dll.4.dr, Microsoft.Deployment.WindowsInstaller.dll.6.dr, Microsoft.Deployment.WindowsInstaller.dll.17.dr
Source:	Binary string: D:\a\1\s\Atera.AgentPackage.Common\obj\Release\Atera.AgentPackage.Common.pdbPf source: AgentPackageAgentInformation.exe, 00000013.00000002.1736549583.0000017748CC2000.00000002.00000001.01000000.00000018.sdmp, Atera.AgentPackage.Common.dll.14.dr
Source:	Binary string: \??\C:\Windows\dll\AlphaControlAgentInstallation.pdb source: rundll32.exe, 00000005.00000002.1446980607.0000000006DD0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000011.00000002.1570641470.0000000000605000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Installer\MSI1766.tmp-\AlphaControlAgentInstallation.pdb source: rundll32.exe, 00000005.00000002.1444559082.00000000005BC000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1444139924.00000000005BC000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.pdb source: rundll32.exe, 00000005.00000002.1446980607.0000000006E00000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000011.00000002.1575945285.0000000006C33000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: BouncyCastle.Crypto.pdbSHA256 source: BouncyCastle.Crypto.dll.2.dr
Source:	Binary string: \??\C:\Windows\Installer\MSI1766.tmp-\AlphaControlAgentInstallation.PDBkd source: rundll32.exe, 00000005.00000002.1444559082.00000000005BC000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1444139924.00000000005BC000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\agent\_work\66\s\build\obj\ship\x86\WindowsInstaller\Microsoft.Deployment.WindowsInstaller.pdb source: rundll32.exe, 00000004.00000003.1384418180.0000000004AA0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1393627816.0000000004240000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1449345788.0000000004D48000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000011.00000003.1520522835.00000000040CE000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Deployment.WindowsInstaller.dll.4.dr, Microsoft.Deployment.WindowsInstaller.dll.6.dr, Microsoft.Deployment.WindowsInstaller.dll.17.dr
Source:	Binary string: \??\C:\Windows\Installer\MSI489E.tmp-\AlphaControlAgentInstallation.pdb source: rundll32.exe, 00000011.00000002.1570641470.00000000005A5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\s\AlphaControlAgent\obj\Release\AteraAgent.pdb source: AteraAgent.exe, 0000000D.00000000.1462877199.0000014C07FF2000.00000002.00000001.01000000.0000000F.sdmp, AteraAgent.exe.2.dr
Source:	Binary string: \??\C:\Windows\AlphaControlAgentInstallation.pdbCultur source: rundll32.exe, 00000005.00000002.1444559082.00000000005BC000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1444139924.00000000005BC000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: nC:\Windows\Installer\MSI1766.tmp-\AlphaControlAgentInstallation.pdbQ source: rundll32.exe, 00000005.00000002.1444393467.0000000000497000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\System.pdb} source: rundll32.exe, 00000011.00000002.1570641470.0000000000653000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: nC:\Windows\Installer\MSI489E.tmp-\AlphaControlAgentInstallation.pdb source: rundll32.exe, 00000011.00000002.1570401025.00000000000D7000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: E:\A\_work\39\s\corefx\bin\obj\AnyOS.AnyCPU.Release\System.ValueTuple\netstandard1.0\System.ValueTuple.pdbSHA256 source: System.ValueTuple.dll.2.dr
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdb source: rundll32.exe, 00000005.00000002.1444743402.000000000060F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1444294947.000000000060E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1444074163.00000000005F6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000011.00000002.1570641470.0000000000605000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\c-sharp\c-sharp\src\Api\PubnubApi\obj\Release\net45\Pubnub.pdbSHA256 source: AteraAgent.exe, 0000000D.00000002.1516024952.0000014C226B2000.00000002.00000001.01000000.00000011.sdmp, Pubnub.dll.2.dr
Source:	Binary string: D:\a\c-sharp\c-sharp\src\Api\PubnubApi\obj\Release\net45\Pubnub.pdb source: AteraAgent.exe, 0000000D.00000002.1516024952.0000014C226B2000.00000002.00000001.01000000.00000011.sdmp, AteraAgent.exe, 0000000E.00000002.2631705568.00000294EAA99000.00000004.00000020.00020000.00000000.sdmp, Pubnub.dll.2.dr
Source:	Binary string: eHP~n\C:\Windows\AlphaControlAgentInstallation.pdb source: rundll32.exe, 00000011.00000002.1570401025.00000000000D7000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Installer\MSI1766.tmp-\AlphaControlAgentInstallation.pdb(cyv source: rundll32.exe, 00000005.00000002.1444559082.00000000005BC000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1444139924.00000000005BC000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \Windows\Pubnub.pdbpdbnub.pdb source: AteraAgent.exe, 0000000E.00000002.2631705568.00000294EAA99000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\agent\_work\66\s\build\ship\x86\SfxCA.pdb source: ReceitaFederal-consulta-yFZMA-45896_v.3_35687.msi, MSI2D41.tmp.2.dr, MSI1264.tmp.2.dr, 5b113b.msi.2.dr, MSI489E.tmp.2.dr, 5b113d.msi.2.dr, MSI1766.tmp.2.dr
Source:	Binary string: /_/src/ICSharpCode.SharpZipLib/obj/Release/net45/ICSharpCode.SharpZipLib.pdbSHA256mW source: AteraAgent.exe, 0000000E.00000002.2634938179.00000294EB1C2000.00000002.00000001.01000000.0000001B.sdmp, ICSharpCode.SharpZipLib.dll.2.dr
Source:	Binary string: /_/src/ICSharpCode.SharpZipLib/obj/Release/net45/ICSharpCode.SharpZipLib.pdb source: AteraAgent.exe, 0000000E.00000002.2634938179.00000294EB1C2000.00000002.00000001.01000000.0000001B.sdmp, ICSharpCode.SharpZipLib.dll.2.dr
Source:	Binary string: BouncyCastle.Crypto.pdb source: BouncyCastle.Crypto.dll.2.dr
Source:	Binary string: \??\C:\Windows\AlphaControlAgentInstallation.pdb Cul source: rundll32.exe, 00000011.00000002.1570641470.00000000005A5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: /_/Src/Newtonsoft.Json/obj/Release/net45/Newtonsoft.Json.pdbSHA2567 source: rundll32.exe, 00000004.00000003.1384418180.0000000004AD1000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1393627816.0000000004271000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1449345788.0000000004D79000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2632599707.00000294EABC2000.00000002.00000001.01000000.0000001A.sdmp, rundll32.exe, 00000011.00000003.1520522835.00000000040FF000.00000004.00000020.00020000.00000000.sdmp, Newtonsoft.Json.dll.6.dr, Newtonsoft.Json.dll.4.dr, Newtonsoft.Json.dll.2.dr, Newtonsoft.Json.dll.5.dr, Newtonsoft.Json.dll.17.dr
Source:	Binary string: \??\C:\Windows\symbols\dll\System.pdb source: rundll32.exe, 00000005.00000003.1444045873.0000000006E1B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000011.00000002.1575945285.0000000006C4A000.00000004.00000020.00020000.00000000.sdmp

Binary contains a suspicious time stamp

Source: BouncyCastle.Crypto.dll.2.dr

Static PE information: 0xE49A52B3 [Sun Jul 15 06:22:43 2091 UTC]

PE file contains an invalid checksum

Source: MSI1264.tmp.2.dr	Static PE information: real checksum: 0x32353 should be: 0x88610
Source: MSI489E.tmp.2.dr	Static PE information: real checksum: 0x32353 should be: 0x88610
Source: MSI2D41.tmp.2.dr	Static PE information: real checksum: 0x32353 should be: 0x88610

Uses code obfuscation techniques (call, push, ret)

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_3_0440A228 pushfd ; ret	5_3_0440A3C0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_3_044057B8 push es; ret	5_3_04405840
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_3_0440EECC push ss; iretd	5_3_0440EF5B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_3_0440EECC push ss; iretd	5_3_0440EF6B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_3_0440EECC push ss; iretd	5_3_0440EF7B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_3_0440EECC push ss; iretd	5_3_0440EFA3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_3_0440EECC push ss; iretd	5_3_0440EFB3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_3_0440EECC push ss; iretd	5_3_0440EFC3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_3_0440EECC push ss; iretd	5_3_0440EFD3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_3_04404E90 push es; ret	5_3_04404EA0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_3_0440B418 push ecx; iretd	5_3_0440B453
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_3_0440B4F7 push ecx; iretd	5_3_0440B51B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_3_0440B4F7 push ecx; iretd	5_3_0440B52B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_3_0440B4F7 push eax; iretd	5_3_0440B55B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_3_0440B4F7 push eax; iretd	5_3_0440B57B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_3_0440B48F push ecx; iretd	5_3_0440B493
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_3_0440B494 push ecx; iretd	5_3_0440B4B3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_3_0440B494 push ecx; iretd	5_3_0440B4C3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_3_0440576F push es; ret	5_3_04405840
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_3_0440B1D0 push esp; iretd	5_3_0440B213
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_3_0440B1D0 push esp; iretd	5_3_0440B223
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_3_0440B27C push ebx; iretd	5_3_0440B28B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_3_0440B27C push ebx; iretd	5_3_0440B29B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_3_04405870 push es; ret	5_3_044058C0
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Code function: 14_2_00007FF8869FC65D push ds; ret	14_2_00007FF886A4E02F
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Code function: 14_2_00007FF886C00F64 push eax; ret	14_2_00007FF886C00F94
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Code function: 14_2_00007FF886C1411C pushad ; iretd	14_2_00007FF886C1411D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 17_3_042857B8 push es; ret	17_3_04285840
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 17_3_04284E90 push es; ret	17_3_04284EA0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 17_3_04286880 push es; ret	17_3_04286890
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 17_3_04286BF1 push es; ret	17_3_04286C00

Persistence and Installation Behavior

Creates files in the system32 config directory

Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EC9B1D0ABBD7F98B401D425828828CE_DEB07B5578A606ED6489DDA2E357A944	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EC9B1D0ABBD7F98B401D425828828CE_DEB07B5578A606ED6489DDA2E357A944	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C56C4404C4DEF0DC88E5FCD9F09CB2F1
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C56C4404C4DEF0DC88E5FCD9F09CB2F1
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F2E248BEDDBB2D85122423C41028BFD4
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F2E248BEDDBB2D85122423C41028BFD4
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\BA74182F76F15A9CF514DEF352303C95
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\BA74182F76F15A9CF514DEF352303C95
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	File created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\AgentPackageAgentInformation.exe.log

Drops PE files

Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSI1264.tmp-\Microsoft.Deployment.WindowsInstaller.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSI1766.tmp-\Newtonsoft.Json.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSI2D41.tmp-\AlphaControlAgentInstallation.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\BouncyCastle.Crypto.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSI489E.tmp-\System.Management.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSI2D41.tmp-\Microsoft.Deployment.WindowsInstaller.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSI489E.tmp-\Newtonsoft.Json.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSI489E.tmp-\AlphaControlAgentInstallation.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\ICSharpCode.SharpZipLib.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI30EE.tmp	Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI489E.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSI1766.tmp-\System.Management.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSI2D41.tmp-\System.Management.dll	Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Newtonsoft.Json.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Newtonsoft.Json.dll	Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Atera.AgentPackage.Common.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSI1264.tmp-\AlphaControlAgentInstallation.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\System.ValueTuple.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSI1766.tmp-\AlphaControlAgentInstallation.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI1766.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSI2D41.tmp-\Newtonsoft.Json.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSI489E.tmp-\Microsoft.Deployment.WindowsInstaller.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSI1264.tmp-\Newtonsoft.Json.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI2D41.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSI1264.tmp-\System.Management.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI2FC4.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Pubnub.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSI1766.tmp-\Microsoft.Deployment.WindowsInstaller.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI3022.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI1264.tmp	Jump to dropped file

Drops PE files to the windows directory (C:\Windows)

Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSI1766.tmp-\AlphaControlAgentInstallation.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI1766.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSI2D41.tmp-\Newtonsoft.Json.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSI489E.tmp-\Microsoft.Deployment.WindowsInstaller.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSI1264.tmp-\Microsoft.Deployment.WindowsInstaller.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSI1264.tmp-\Newtonsoft.Json.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSI1766.tmp-\Newtonsoft.Json.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSI2D41.tmp-\AlphaControlAgentInstallation.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI2D41.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSI489E.tmp-\System.Management.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI2FC4.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSI1264.tmp-\System.Management.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSI2D41.tmp-\Microsoft.Deployment.WindowsInstaller.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSI489E.tmp-\Newtonsoft.Json.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSI489E.tmp-\AlphaControlAgentInstallation.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI30EE.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSI1766.tmp-\Microsoft.Deployment.WindowsInstaller.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI489E.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSI1766.tmp-\System.Management.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSI2D41.tmp-\System.Management.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI3022.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI1264.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSI1264.tmp-\AlphaControlAgentInstallation.dll	Jump to dropped file

Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File created: C:\Windows\system32\InstallUtil.InstallLog			Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.InstallLog			Jump to behavior

Creates or modifies windows services

Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe

Registry key created: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Application

Jump to behavior

Uses net.exe to stop services

Source: C:\Windows\SysWOW64\msiexec.exe

Process created: C:\Windows\SysWOW64\net.exe "NET" STOP AteraAgent

Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe

Process created: C:\Windows\System32\sc.exe "C:\Windows\System32\sc.exe" failure AteraAgent reset= 600 actions= restart/25000

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Registry key monitored for changes: HKEY_USERS.DEFAULT\Software\Classes
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot

Stores large binary data to the registry

Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe

Key value created or modified: HKEY_USERS.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates\7B0F360B775F76C94A12CA48445AA2D2A875701C Blob

Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_NetworkAdapter
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_NetworkAdapter
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_NetworkAdapter

Allocates memory with a write watch (potentially for evading sandboxes)

Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Memory allocated: 14C08340000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Memory allocated: 14C21EA0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Memory allocated: 294E9FD0000 memory reserve \| memory write watch
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Memory allocated: 294EA180000 memory reserve \| memory write watch
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Memory allocated: 17748900000 memory reserve \| memory write watch
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Memory allocated: 177610C0000 memory reserve \| memory write watch
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Memory allocated: 1DA9CE00000 memory reserve \| memory write watch
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Memory allocated: 1DAB5390000 memory reserve \| memory write watch
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Memory allocated: 1CAEFB60000 memory reserve \| memory write watch
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Memory allocated: 1CAF0040000 memory reserve \| memory write watch

Contains long sleeps (>= 3 min)

Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Thread delayed: delay time: 922337203685477

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Window / User API: threadDelayed 3413
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Window / User API: threadDelayed 6218
Source: C:\Windows\System32\wbem\WMIADAP.exe	Window / User API: threadDelayed 853

Found dropped PE file which has not been started or loaded

Source: C:\Windows\SysWOW64\rundll32.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI1264.tmp-\Microsoft.Deployment.WindowsInstaller.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI2D41.tmp-\AlphaControlAgentInstallation.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI1766.tmp-\Newtonsoft.Json.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\BouncyCastle.Crypto.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI489E.tmp-\System.Management.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI2D41.tmp-\Microsoft.Deployment.WindowsInstaller.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI489E.tmp-\Newtonsoft.Json.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI489E.tmp-\AlphaControlAgentInstallation.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\ICSharpCode.SharpZipLib.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI30EE.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI2D41.tmp-\System.Management.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI1766.tmp-\System.Management.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI489E.tmp	Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Newtonsoft.Json.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Newtonsoft.Json.dll	Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Atera.AgentPackage.Common.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI1264.tmp-\AlphaControlAgentInstallation.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI1766.tmp-\AlphaControlAgentInstallation.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\System.ValueTuple.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI1766.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI2D41.tmp-\Newtonsoft.Json.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI489E.tmp-\Microsoft.Deployment.WindowsInstaller.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI1264.tmp-\Newtonsoft.Json.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI2D41.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI1264.tmp-\System.Management.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI2FC4.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Pubnub.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI1766.tmp-\Microsoft.Deployment.WindowsInstaller.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI3022.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI1264.tmp	Jump to dropped file

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Windows\SysWOW64\rundll32.exe TID: 7776	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe TID: 8140	Thread sleep time: -60000s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe TID: 8092	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe TID: 3816	Thread sleep count: 3413 > 30
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe TID: 2700	Thread sleep count: 6218 > 30
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe TID: 3868	Thread sleep time: -27670116110564310s >= -30000s
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe TID: 3868	Thread sleep time: -30000s >= -30000s
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe TID: 764	Thread sleep count: 49 > 30
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe TID: 764	Thread sleep time: -490000s >= -30000s
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe TID: 3716	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe TID: 1876	Thread sleep time: -180000s >= -30000s
Source: C:\Windows\SysWOW64\rundll32.exe TID: 1900	Thread sleep time: -30000s >= -30000s
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 1868	Thread sleep time: -30000s >= -30000s
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 2036	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 4944	Thread sleep time: -30000s >= -30000s
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 4700	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 7868	Thread sleep time: -30000s >= -30000s
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 7832	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\wbem\WMIADAP.exe TID: 8012	Thread sleep count: 853 > 30

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select Manufacturer,Model,Product from Win32_BaseBoard
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select Manufacturer,Model,Product from Win32_BaseBoard
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select Manufacturer,Model,Product from Win32_BaseBoard

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select Name from Win32_Processor
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select Name from Win32_Processor
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select Name from Win32_Processor

Sample execution stops while process was sleeping (likely an evasion)

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior

Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Thread delayed: delay time: 30000
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Thread delayed: delay time: 90000
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Thread delayed: delay time: 922337203685477

Source: AgentPackageAgentInformation.exe.14.dr	Binary or memory string: VIRUSfighterAVMware Carbon Black Cloud Sensor7VMware Carbon Black Defense/VMware Carbon Black EDR9VMware Carbon Black Response
Source: AgentPackageAgentInformation.exe, 00000017.00000002.2207440429.000001DAB5BFF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllhh
Source: AteraAgent.exe, 0000000E.00000002.2631705568.00000294EAA99000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW`^
Source: AteraAgent.exe, 0000000E.00000002.2633116462.00000294EAE2D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWo
Source: AteraAgent.exe, 0000000D.00000002.1514531670.0000014C09C79000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.1516184383.0000014C228A0000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.1514531670.0000014C09BF0000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2634013625.00000294EAEF6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: rundll32.exe, 00000005.00000002.1444717726.00000000005F8000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1444074163.00000000005F6000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000013.00000002.1736722380.0000017748FF0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: rundll32.exe, 00000011.00000002.1570641470.0000000000605000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll$
Source: AgentPackageAgentInformation.exe, 00000019.00000002.2366838259.000001CAF08A8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll{{

Source: C:\Windows\System32\msiexec.exe

Process information queried: ProcessInformation

Jump to behavior

Enables debug privileges

Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process token adjusted: Debug
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process token adjusted: Debug
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process token adjusted: Debug
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process token adjusted: Debug

Source: C:\Windows\SysWOW64\rundll32.exe

Memory allocated: page read and write | page guard

Jump to behavior

Creates a process in suspended mode (likely to inject code)

Source: C:\Windows\System32\msiexec.exe	Process created: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe" /i /IntegratorLogin="lauraclima92@gmail.com" /CompanyId="1" /IntegratorLoginUI="" /CompanyIdUI="" /FolderId="" /AccountId="001Q300000MAUEiIAP" /AgentId="ca4f6eb7-da88-4119-8d72-16266eeb5dd4"	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\net.exe "NET" STOP AteraAgent	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\taskkill.exe "TaskKill.exe" /f /im AteraAgent.exe	Jump to behavior
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 STOP AteraAgent	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process created: C:\Windows\System32\sc.exe "C:\Windows\System32\sc.exe" failure AteraAgent reset= 600 actions= restart/25000
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" ca4f6eb7-da88-4119-8d72-16266eeb5dd4 "40d7881e-bac7-4bc1-a310-af4ec03e6c5c" agent-api.atera.com/Production 443 or8ixLi90Mf "minimalIdentification" 001Q300000MAUEiIAP
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" ca4f6eb7-da88-4119-8d72-16266eeb5dd4 "4d432fbf-e66a-4222-84c5-bc3b68a3273b" agent-api.atera.com/Production 443 or8ixLi90Mf "minimalIdentification" 001Q300000MAUEiIAP
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" ca4f6eb7-da88-4119-8d72-16266eeb5dd4 "47be830f-d7d7-401a-87fc-8b93e37bf80a" agent-api.atera.com/Production 443 or8ixLi90Mf "minimalIdentification" 001Q300000MAUEiIAP

Uses taskkill to terminate processes

Source: C:\Windows\SysWOW64\msiexec.exe

Process created: C:\Windows\SysWOW64\taskkill.exe "TaskKill.exe" /f /im AteraAgent.exe

Jump to behavior

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Source: C:\Windows\System32\msiexec.exe	Process created: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe "c:\program files (x86)\atera networks\ateraagent\ateraagent.exe" /i /integratorlogin="lauraclima92@gmail.com" /companyid="1" /integratorloginui="" /companyidui="" /folderid="" /accountid="001q300000maueiiap" /agentid="ca4f6eb7-da88-4119-8d72-16266eeb5dd4"
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "c:\program files (x86)\atera networks\ateraagent\packages\agentpackageagentinformation\agentpackageagentinformation.exe" ca4f6eb7-da88-4119-8d72-16266eeb5dd4 "40d7881e-bac7-4bc1-a310-af4ec03e6c5c" agent-api.atera.com/production 443 or8ixli90mf "minimalidentification" 001q300000maueiiap
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "c:\program files (x86)\atera networks\ateraagent\packages\agentpackageagentinformation\agentpackageagentinformation.exe" ca4f6eb7-da88-4119-8d72-16266eeb5dd4 "4d432fbf-e66a-4222-84c5-bc3b68a3273b" agent-api.atera.com/production 443 or8ixli90mf "minimalidentification" 001q300000maueiiap
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "c:\program files (x86)\atera networks\ateraagent\packages\agentpackageagentinformation\agentpackageagentinformation.exe" ca4f6eb7-da88-4119-8d72-16266eeb5dd4 "47be830f-d7d7-401a-87fc-8b93e37bf80a" agent-api.atera.com/production 443 or8ixli90mf "minimalidentification" 001q300000maueiiap
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe "c:\program files (x86)\atera networks\ateraagent\ateraagent.exe" /i /integratorlogin="lauraclima92@gmail.com" /companyid="1" /integratorloginui="" /companyidui="" /folderid="" /accountid="001q300000maueiiap" /agentid="ca4f6eb7-da88-4119-8d72-16266eeb5dd4"	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "c:\program files (x86)\atera networks\ateraagent\packages\agentpackageagentinformation\agentpackageagentinformation.exe" ca4f6eb7-da88-4119-8d72-16266eeb5dd4 "40d7881e-bac7-4bc1-a310-af4ec03e6c5c" agent-api.atera.com/production 443 or8ixli90mf "minimalidentification" 001q300000maueiiap
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "c:\program files (x86)\atera networks\ateraagent\packages\agentpackageagentinformation\agentpackageagentinformation.exe" ca4f6eb7-da88-4119-8d72-16266eeb5dd4 "4d432fbf-e66a-4222-84c5-bc3b68a3273b" agent-api.atera.com/production 443 or8ixli90mf "minimalidentification" 001q300000maueiiap
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "c:\program files (x86)\atera networks\ateraagent\packages\agentpackageagentinformation\agentpackageagentinformation.exe" ca4f6eb7-da88-4119-8d72-16266eeb5dd4 "47be830f-d7d7-401a-87fc-8b93e37bf80a" agent-api.atera.com/production 443 or8ixli90mf "minimalidentification" 001q300000maueiiap

Queries the volume information (name, serial number etc) of a device

Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Queries volume information: C:\Windows\Installer\MSI1264.tmp-\Microsoft.Deployment.WindowsInstaller.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Queries volume information: C:\Windows\Installer\MSI1264.tmp-\AlphaControlAgentInstallation.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Queries volume information: C:\Windows\Installer\MSI1766.tmp-\Microsoft.Deployment.WindowsInstaller.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Queries volume information: C:\Windows\Installer\MSI1766.tmp-\AlphaControlAgentInstallation.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Queries volume information: C:\Windows\Installer\MSI1766.tmp-\Newtonsoft.Json.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Queries volume information: C:\Windows\Installer\MSI2D41.tmp-\Microsoft.Deployment.WindowsInstaller.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Queries volume information: C:\Windows\Installer\MSI2D41.tmp-\AlphaControlAgentInstallation.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Queries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Queries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Pubnub.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Queries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe VolumeInformation
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Queries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Pubnub.dll VolumeInformation
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Queries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Newtonsoft.Json.dll VolumeInformation
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Queries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\ICSharpCode.SharpZipLib.dll VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe	Queries volume information: C:\Windows\Installer\MSI489E.tmp-\Microsoft.Deployment.WindowsInstaller.dll VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe	Queries volume information: C:\Windows\Installer\MSI489E.tmp-\AlphaControlAgentInstallation.dll VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe	Queries volume information: C:\Windows\Installer\MSI489E.tmp-\Newtonsoft.Json.dll VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Queries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe VolumeInformation
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Queries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Newtonsoft.Json.dll VolumeInformation
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Queries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Atera.AgentPackage.Common.dll VolumeInformation
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Queries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe VolumeInformation
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Queries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Newtonsoft.Json.dll VolumeInformation
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Queries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Atera.AgentPackage.Common.dll VolumeInformation
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Queries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe VolumeInformation
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Queries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Newtonsoft.Json.dll VolumeInformation
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Queries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Atera.AgentPackage.Common.dll VolumeInformation
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation

Source: C:\Windows\SysWOW64\rundll32.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Adds / modifies Windows certificates

Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe

Registry key created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4 Blob

Remote Access Functionality

Yara detected AteraAgent

Source: Yara match	File source: 19.0.AgentPackageAgentInformation.exe.177486b0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.AgentPackageAgentInformation.exe.17748cc0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.0.AteraAgent.exe.14c07ff0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000017.00000002.2206503993.000001DA9D403000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.1516184383.0000014C228FB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000002.2365662258.000001CAEF8E0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000002.2365662258.000001CAEF92B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.2623775013.00000294806F6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.1572886890.0000000004374000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.1514461483.0000014C08440000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.2623775013.00000294806B5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.1735966351.0000017748910000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.1515070102.0000014C09F29000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000002.2365662258.000001CAEF8A0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000002.2366838259.000001CAF0860000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.1515070102.0000014C09F52000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.2623775013.000002948006E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.1445956864.0000000004431000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.1513193634.0000014C080CC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.1515070102.0000014C0A01C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.2623775013.0000029480702000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.1516159547.0000014C22890000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000003.1520522835.00000000040CE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000002.2205662443.000001DA9CBD9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000002.2206503993.000001DA9D3D7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.2631705568.00000294EAA7C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000002.2205662443.000001DA9CBF0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.2630403750.00000294E9A78000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000002.2205662443.000001DA9CC0C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.1736416646.0000017748BC0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.2633116462.00000294EAEAF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000002.2205662443.000001DA9CBD0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000002.2205662443.000001DA9CC10000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.1737064202.0000017749143000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.1513193634.0000014C080E3000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000003.1449345788.0000000004D48000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.1736549583.0000017748CC2000.00000002.00000001.01000000.00000018.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000002.2366618676.000001CAEFB70000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.1735966351.0000017748963000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000002.2205522551.000001DA9CB60000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.1515070102.0000014C09F54000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.1515070102.0000014C09FD2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000000.1462877199.0000014C07FF2000.00000002.00000001.01000000.0000000F.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.2623775013.0000029480001000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.1513193634.0000014C08130000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.2623775013.000002948013F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.2630403750.00000294E9AAC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.1514531670.0000014C09CE1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.1513193634.0000014C080A0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.1515070102.0000014C09F5A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.2623775013.0000029480684000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000002.2364172083.000001CA80047000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000002.2365662258.000001CAEF8A9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.1736722380.0000017748FF0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.1513193634.0000014C080A6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.1735966351.0000017748955000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.2630000184.00000294E98B0000.00000004.00000020.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.1445956864.00000000044D4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.2623775013.000002948029A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000002.2364172083.000001CA80073000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.1735966351.00000177489A0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000002.2364172083.000001CA800BF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000002.2206503993.000001DA9D44F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000002.2206503993.000001DA9D413000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.2623775013.00000294806C7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.2623775013.00000294801DF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.1514531670.0000014C09BF0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000002.2364172083.000001CA80083000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.2620087046.000000C589D95000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.2630233935.00000294E9A10000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.1384418180.0000000004AA0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.1516958239.00007FF886A94000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000002.2365662258.000001CAEF8DE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.2633116462.00000294EADC0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000000.1696182343.00000177486B2000.00000002.00000001.01000000.00000016.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.2630403750.00000294E9A70000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.1737064202.0000017749133000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.2623775013.0000029480538000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000002.2206503993.000001DA9D391000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.1572886890.00000000042D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.1393627816.0000000004240000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.2630403750.00000294E9AF6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.1515070102.0000014C09F2C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000002.2205662443.000001DA9CC55000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.1737064202.00000177490C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000002.2364172083.000001CA80001000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.1515070102.0000014C09EA1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 7668, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 7740, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 7828, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: AteraAgent.exe PID: 8072, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: AteraAgent.exe PID: 7292, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 1848, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: AgentPackageAgentInformation.exe PID: 3376, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: AgentPackageAgentInformation.exe PID: 4216, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: AgentPackageAgentInformation.exe PID: 7732, type: MEMORYSTR
Source: Yara match	File source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.InstallLog, type: DROPPED
Source: Yara match	File source: C:\Windows\Temp\~DF31BE93D7FB3585D0.TMP, type: DROPPED
Source: Yara match	File source: C:\Windows\Temp\~DFBEDEA443DEFE141C.TMP, type: DROPPED
Source: Yara match	File source: C:\Windows\Temp\~DF906A73D282F9BD42.TMP, type: DROPPED
Source: Yara match	File source: C:\Windows\Temp\~DFD7B20DF7F70954E9.TMP, type: DROPPED
Source: Yara match	File source: C:\Windows\Temp\~DF5892DD4D99EE3C15.TMP, type: DROPPED
Source: Yara match	File source: C:\Config.Msi\5b113c.rbs, type: DROPPED
Source: Yara match	File source: C:\Windows\Installer\MSI1766.tmp-\AlphaControlAgentInstallation.dll, type: DROPPED
Source: Yara match	File source: C:\Windows\Installer\MSI2D41.tmp-\AlphaControlAgentInstallation.dll, type: DROPPED
Source: Yara match	File source: C:\Windows\Installer\inprogressinstallinfo.ipi, type: DROPPED
Source: Yara match	File source: C:\Windows\System32\InstallUtil.InstallLog, type: DROPPED
Source: Yara match	File source: C:\Windows\Temp\~DF552422D476BA62BF.TMP, type: DROPPED
Source: Yara match	File source: C:\Windows\Installer\MSI489E.tmp-\AlphaControlAgentInstallation.dll, type: DROPPED
Source: Yara match	File source: C:\Windows\Installer\MSI1264.tmp-\AlphaControlAgentInstallation.dll, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Atera.AgentPackage.Common.dll, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\Installer\MSI2FB3.tmp, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe, type: DROPPED

Windows Analysis Report
ReceitaFederal-consulta-yFZMA-45896_v.3_35687.msi

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

E-Banking Fraud

Spam, unwanted Advertisements and Ransom Demands

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Remote Access Functionality

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted Domains

Contacted URLs

ID:	1561806
Product:	CloudBasic
Start time:	11:14:18
Start date:	24.11.2024
Sample:	ReceitaFederal-consulta-yFZMA-45896_v.3_35687.msi
Cookbook:	default.jbs
System description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Architecture:	WINDOWS
MD5:	d845db29c963e1314bdad5ae0e8363b4
SHA1:	29192740a48fd5e65e79cf8e32d129d9c0b84df1
SHA256:	cbd238f60cc3c1a95155ae46d88eeda33c8dfa1ee5093e22aa1dcf80d5965987
Filetype:	Microsoft Windows Installer (60509/1) 57.88%

Windows Analysis Report ReceitaFederal-consulta-yFZMA-45896_v.3_35687.msi

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

E-Banking Fraud

Spam, unwanted Advertisements and Ransom Demands

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Remote Access Functionality

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted Domains

Contacted URLs

Windows Analysis Report
ReceitaFederal-consulta-yFZMA-45896_v.3_35687.msi