Summary | ZeroBOX

2503.msi

Generic Malware Malicious Library OS Processor Check CAB MSOffice File
Category Machine Started Completed
FILE s1_win7_x6401 April 30, 2024, 9:48 a.m. April 30, 2024, 9:51 a.m.
Size 2.9MB
Type Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Code page: 1252, Title: Installation Database, Subject: AteraAgent, Author: Atera networks, Keywords: Installer, Comments: This installer database contains the logic and data required to install AteraAgent., Template: Intel;1033, Revision Number: {721AD955-79FD-4019-BBF5-9DCC4C1175BB}, Create Time/Date: Wed Feb 28 10:52:02 2024, Last Saved Time/Date: Wed Feb 28 10:52:02 2024, Number of Pages: 200, Number of Words: 6, Name of Creating Application: Windows Installer XML Toolset (3.11.2.4516), Security: 2
MD5 455bf264e54b9c7b8d0ff9b37443930f
SHA256 e4376a8d703a99b9d307404d318903a1648bd104dd878001be8086cb1356b96b
CRC32 2993506E
ssdeep 49152:U+1Ypn4N2MGVv1zyIBWGppT9jnMHRjOOozjcqZJN8dUZTwYaH7oqPxMbY+K/tzQz:U+lUlz9FKbsodq0YaH7ZPxMb8tT
Yara
  • Microsoft_Office_File_Zero - Microsoft Office File
  • Malicious_Library_Zero - Malicious_Library
  • CAB_file_format - CAB archive file
  • Generic_Malware_Zero - Generic Malware
  • OS_Processor_Check_Zero - OS Processor Check

Suricata Alerts

Flow SID Signature Category
TCP 192.168.56.101:49174 -> 20.37.139.187:443 906200022 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:49176 -> 18.179.18.154:443 906200022 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:49177 -> 18.179.18.154:443 906200022 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:49170 -> 20.37.139.187:443 906200022 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:49175 -> 20.37.139.187:443 906200022 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:49164 -> 20.37.139.187:443 906200022 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:49189 -> 20.37.139.187:443 906200022 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:49178 -> 20.37.139.187:443 906200022 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:49181 -> 20.37.139.187:443 906200022 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:49187 -> 20.37.139.187:443 906200022 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:49182 -> 20.37.139.187:443 906200022 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:49194 -> 20.37.139.187:443 906200022 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:49185 -> 20.37.139.187:443 906200022 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:49191 -> 20.37.139.187:443 906200022 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:49195 -> 20.37.139.187:443 906200022 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:49192 -> 20.37.139.187:443 906200022 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:49188 -> 20.37.139.187:443 906200022 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:49199 -> 20.37.139.187:443 906200022 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:49198 -> 20.37.139.187:443 906200022 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:49173 -> 20.37.139.187:443 906200022 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:49201 -> 20.37.139.187:443 906200022 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:49206 -> 20.37.139.187:443 906200022 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:49179 -> 20.37.139.187:443 906200022 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:49186 -> 20.37.139.187:443 906200022 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:49190 -> 20.37.139.187:443 906200022 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:49196 -> 20.37.139.187:443 906200022 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:49197 -> 20.37.139.187:443 906200022 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:49200 -> 20.37.139.187:443 906200022 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:49202 -> 20.37.139.187:443 906200022 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:49205 -> 20.37.139.187:443 906200022 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:49180 -> 18.67.51.102:443 906200022 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:49184 -> 20.37.139.187:443 906200022 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:49193 -> 20.37.139.187:443 906200022 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:49203 -> 20.37.139.187:443 906200022 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:49204 -> 20.37.139.187:443 906200022 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined

Suricata TLS

Flow Issuer Subject Fingerprint
TLS 1.2 192.168.56.101:49174 -> 20.37.139.187:443 C=US, O=DigiCert Inc, OU=www.digicert.com, CN=Thawte TLS RSA CA G1 CN=*.atera.com e4:80:61:96:ed:3c:73:9e:df:fd:66:a0:e4:af:c2:b9:14:d6:20:ad
TLS 1.2 192.168.56.101:49176 -> 18.179.18.154:443 C=US, O=Amazon, CN=Amazon RSA 2048 M01 CN=*.pndsn.com 30:66:1f:be:8c:fa:45:64:bd:97:f9:d4:01:c2:db:1c:80:a5:f3:e9
TLS 1.2 192.168.56.101:49177 -> 18.179.18.154:443 C=US, O=Amazon, CN=Amazon RSA 2048 M01 CN=*.pndsn.com 30:66:1f:be:8c:fa:45:64:bd:97:f9:d4:01:c2:db:1c:80:a5:f3:e9
TLS 1.2 192.168.56.101:49170 -> 20.37.139.187:443 C=US, O=DigiCert Inc, OU=www.digicert.com, CN=Thawte TLS RSA CA G1 CN=*.atera.com e4:80:61:96:ed:3c:73:9e:df:fd:66:a0:e4:af:c2:b9:14:d6:20:ad
TLS 1.2 192.168.56.101:49164 -> 20.37.139.187:443 C=US, O=DigiCert Inc, OU=www.digicert.com, CN=Thawte TLS RSA CA G1 CN=*.atera.com e4:80:61:96:ed:3c:73:9e:df:fd:66:a0:e4:af:c2:b9:14:d6:20:ad
TLS 1.2 192.168.56.101:49175 -> 20.37.139.187:443 C=US, O=DigiCert Inc, OU=www.digicert.com, CN=Thawte TLS RSA CA G1 CN=*.atera.com e4:80:61:96:ed:3c:73:9e:df:fd:66:a0:e4:af:c2:b9:14:d6:20:ad
TLS 1.2 192.168.56.101:49189 -> 20.37.139.187:443 C=US, O=DigiCert Inc, OU=www.digicert.com, CN=Thawte TLS RSA CA G1 CN=*.atera.com e4:80:61:96:ed:3c:73:9e:df:fd:66:a0:e4:af:c2:b9:14:d6:20:ad
TLS 1.2 192.168.56.101:49178 -> 20.37.139.187:443 C=US, O=DigiCert Inc, OU=www.digicert.com, CN=Thawte TLS RSA CA G1 CN=*.atera.com e4:80:61:96:ed:3c:73:9e:df:fd:66:a0:e4:af:c2:b9:14:d6:20:ad
TLS 1.2 192.168.56.101:49181 -> 20.37.139.187:443 C=US, O=DigiCert Inc, OU=www.digicert.com, CN=Thawte TLS RSA CA G1 CN=*.atera.com e4:80:61:96:ed:3c:73:9e:df:fd:66:a0:e4:af:c2:b9:14:d6:20:ad
TLS 1.2 192.168.56.101:49187 -> 20.37.139.187:443 C=US, O=DigiCert Inc, OU=www.digicert.com, CN=Thawte TLS RSA CA G1 CN=*.atera.com e4:80:61:96:ed:3c:73:9e:df:fd:66:a0:e4:af:c2:b9:14:d6:20:ad
TLS 1.2 192.168.56.101:49182 -> 20.37.139.187:443 C=US, O=DigiCert Inc, OU=www.digicert.com, CN=Thawte TLS RSA CA G1 CN=*.atera.com e4:80:61:96:ed:3c:73:9e:df:fd:66:a0:e4:af:c2:b9:14:d6:20:ad
TLS 1.2 192.168.56.101:49194 -> 20.37.139.187:443 C=US, O=DigiCert Inc, OU=www.digicert.com, CN=Thawte TLS RSA CA G1 CN=*.atera.com e4:80:61:96:ed:3c:73:9e:df:fd:66:a0:e4:af:c2:b9:14:d6:20:ad
TLS 1.2 192.168.56.101:49185 -> 20.37.139.187:443 C=US, O=DigiCert Inc, OU=www.digicert.com, CN=Thawte TLS RSA CA G1 CN=*.atera.com e4:80:61:96:ed:3c:73:9e:df:fd:66:a0:e4:af:c2:b9:14:d6:20:ad
TLS 1.2 192.168.56.101:49191 -> 20.37.139.187:443 C=US, O=DigiCert Inc, OU=www.digicert.com, CN=Thawte TLS RSA CA G1 CN=*.atera.com e4:80:61:96:ed:3c:73:9e:df:fd:66:a0:e4:af:c2:b9:14:d6:20:ad
TLS 1.2 192.168.56.101:49195 -> 20.37.139.187:443 C=US, O=DigiCert Inc, OU=www.digicert.com, CN=Thawte TLS RSA CA G1 CN=*.atera.com e4:80:61:96:ed:3c:73:9e:df:fd:66:a0:e4:af:c2:b9:14:d6:20:ad
TLS 1.2 192.168.56.101:49192 -> 20.37.139.187:443 C=US, O=DigiCert Inc, OU=www.digicert.com, CN=Thawte TLS RSA CA G1 CN=*.atera.com e4:80:61:96:ed:3c:73:9e:df:fd:66:a0:e4:af:c2:b9:14:d6:20:ad
TLS 1.2 192.168.56.101:49188 -> 20.37.139.187:443 C=US, O=DigiCert Inc, OU=www.digicert.com, CN=Thawte TLS RSA CA G1 CN=*.atera.com e4:80:61:96:ed:3c:73:9e:df:fd:66:a0:e4:af:c2:b9:14:d6:20:ad
TLS 1.2 192.168.56.101:49199 -> 20.37.139.187:443 C=US, O=DigiCert Inc, OU=www.digicert.com, CN=Thawte TLS RSA CA G1 CN=*.atera.com e4:80:61:96:ed:3c:73:9e:df:fd:66:a0:e4:af:c2:b9:14:d6:20:ad
TLS 1.2 192.168.56.101:49198 -> 20.37.139.187:443 C=US, O=DigiCert Inc, OU=www.digicert.com, CN=Thawte TLS RSA CA G1 CN=*.atera.com e4:80:61:96:ed:3c:73:9e:df:fd:66:a0:e4:af:c2:b9:14:d6:20:ad
TLS 1.2 192.168.56.101:49173 -> 20.37.139.187:443 C=US, O=DigiCert Inc, OU=www.digicert.com, CN=Thawte TLS RSA CA G1 CN=*.atera.com e4:80:61:96:ed:3c:73:9e:df:fd:66:a0:e4:af:c2:b9:14:d6:20:ad
TLS 1.2 192.168.56.101:49201 -> 20.37.139.187:443 C=US, O=DigiCert Inc, OU=www.digicert.com, CN=Thawte TLS RSA CA G1 CN=*.atera.com e4:80:61:96:ed:3c:73:9e:df:fd:66:a0:e4:af:c2:b9:14:d6:20:ad
TLS 1.2 192.168.56.101:49206 -> 20.37.139.187:443 C=US, O=DigiCert Inc, OU=www.digicert.com, CN=Thawte TLS RSA CA G1 CN=*.atera.com e4:80:61:96:ed:3c:73:9e:df:fd:66:a0:e4:af:c2:b9:14:d6:20:ad
TLS 1.2 192.168.56.101:49179 -> 20.37.139.187:443 C=US, O=DigiCert Inc, OU=www.digicert.com, CN=Thawte TLS RSA CA G1 CN=*.atera.com e4:80:61:96:ed:3c:73:9e:df:fd:66:a0:e4:af:c2:b9:14:d6:20:ad
TLS 1.2 192.168.56.101:49186 -> 20.37.139.187:443 C=US, O=DigiCert Inc, OU=www.digicert.com, CN=Thawte TLS RSA CA G1 CN=*.atera.com e4:80:61:96:ed:3c:73:9e:df:fd:66:a0:e4:af:c2:b9:14:d6:20:ad
TLS 1.2 192.168.56.101:49190 -> 20.37.139.187:443 C=US, O=DigiCert Inc, OU=www.digicert.com, CN=Thawte TLS RSA CA G1 CN=*.atera.com e4:80:61:96:ed:3c:73:9e:df:fd:66:a0:e4:af:c2:b9:14:d6:20:ad
TLS 1.2 192.168.56.101:49196 -> 20.37.139.187:443 C=US, O=DigiCert Inc, OU=www.digicert.com, CN=Thawte TLS RSA CA G1 CN=*.atera.com e4:80:61:96:ed:3c:73:9e:df:fd:66:a0:e4:af:c2:b9:14:d6:20:ad
TLS 1.2 192.168.56.101:49197 -> 20.37.139.187:443 C=US, O=DigiCert Inc, OU=www.digicert.com, CN=Thawte TLS RSA CA G1 CN=*.atera.com e4:80:61:96:ed:3c:73:9e:df:fd:66:a0:e4:af:c2:b9:14:d6:20:ad
TLS 1.2 192.168.56.101:49200 -> 20.37.139.187:443 C=US, O=DigiCert Inc, OU=www.digicert.com, CN=Thawte TLS RSA CA G1 CN=*.atera.com e4:80:61:96:ed:3c:73:9e:df:fd:66:a0:e4:af:c2:b9:14:d6:20:ad
TLS 1.2 192.168.56.101:49202 -> 20.37.139.187:443 C=US, O=DigiCert Inc, OU=www.digicert.com, CN=Thawte TLS RSA CA G1 CN=*.atera.com e4:80:61:96:ed:3c:73:9e:df:fd:66:a0:e4:af:c2:b9:14:d6:20:ad
TLS 1.2 192.168.56.101:49205 -> 20.37.139.187:443 C=US, O=DigiCert Inc, OU=www.digicert.com, CN=Thawte TLS RSA CA G1 CN=*.atera.com e4:80:61:96:ed:3c:73:9e:df:fd:66:a0:e4:af:c2:b9:14:d6:20:ad
TLS 1.2 192.168.56.101:49180 -> 18.67.51.102:443 C=US, O=Amazon, CN=Amazon RSA 2048 M02 CN=ps.atera.com 17:96:ac:89:29:aa:f5:b7:7e:8c:7e:d9:cf:00:0f:8c:5b:2e:f6:cc
TLS 1.2 192.168.56.101:49184 -> 20.37.139.187:443 C=US, O=DigiCert Inc, OU=www.digicert.com, CN=Thawte TLS RSA CA G1 CN=*.atera.com e4:80:61:96:ed:3c:73:9e:df:fd:66:a0:e4:af:c2:b9:14:d6:20:ad
TLS 1.2 192.168.56.101:49193 -> 20.37.139.187:443 C=US, O=DigiCert Inc, OU=www.digicert.com, CN=Thawte TLS RSA CA G1 CN=*.atera.com e4:80:61:96:ed:3c:73:9e:df:fd:66:a0:e4:af:c2:b9:14:d6:20:ad
TLS 1.2 192.168.56.101:49203 -> 20.37.139.187:443 C=US, O=DigiCert Inc, OU=www.digicert.com, CN=Thawte TLS RSA CA G1 CN=*.atera.com e4:80:61:96:ed:3c:73:9e:df:fd:66:a0:e4:af:c2:b9:14:d6:20:ad
TLS 1.2 192.168.56.101:49204 -> 20.37.139.187:443 C=US, O=DigiCert Inc, OU=www.digicert.com, CN=Thawte TLS RSA CA G1 CN=*.atera.com e4:80:61:96:ed:3c:73:9e:df:fd:66:a0:e4:af:c2:b9:14:d6:20:ad

Time & API Arguments Status Return Repeated

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameA

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0
Time & API Arguments Status Return Repeated

IsDebuggerPresent

0 0
Time & API Arguments Status Return Repeated

GlobalMemoryStatusEx

1 1 0
suspicious_features: GET method with no useragent header; suspicious_request: GET https://ps.pndsn.com/time/0?pnsdk=NET45CSharp6.13.0.0&requestid=0eabdbf1-beaf-4272-a144-a84870a9d7df&uuid=819da2a6-9fa4-4574-be40-60b373c39516
suspicious_features: GET method with no useragent header; suspicious_request: GET https://ps.pndsn.com/v2/subscribe/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/819da2a6-9fa4-4574-be40-60b373c39516/0?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=43a100d6-9441-4853-b22e-5183c58cb1c7&tt=0&uuid=819da2a6-9fa4-4574-be40-60b373c39516
suspicious_features: GET method with no useragent header; suspicious_request: GET https://ps.pndsn.com/time/0?pnsdk=NET45CSharp6.13.0.0&requestid=9136a7bb-a943-4340-87ea-3d7007e9ae9c&uuid=819da2a6-9fa4-4574-be40-60b373c39516
suspicious_features: GET method with no useragent header; suspicious_request: GET https://ps.pndsn.com/v2/subscribe/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/819da2a6-9fa4-4574-be40-60b373c39516/0?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=d3cb1d72-57ed-43aa-99ca-eed7fe302eb3&tr=35&tt=17144381852163526&uuid=819da2a6-9fa4-4574-be40-60b373c39516
suspicious_features: GET method with no useragent header; suspicious_request: GET https://ps.pndsn.com/time/0?pnsdk=NET45CSharp6.13.0.0&requestid=d906b067-e718-4b04-847f-7ab206d48dd6&uuid=819da2a6-9fa4-4574-be40-60b373c39516
suspicious_features: GET method with no useragent header; suspicious_request: GET https://ps.pndsn.com/v2/subscribe/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/819da2a6-9fa4-4574-be40-60b373c39516/0?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=a5094973-27d3-469c-96e6-85b45f0479b7&tr=35&tt=17144381874729437&uuid=819da2a6-9fa4-4574-be40-60b373c39516
suspicious_features: GET method with no useragent header; suspicious_request: GET https://ps.atera.com/agentpackagesnet45/AgentPackageAgentInformation/36.7/AgentPackageAgentInformation.zip?+NlMC3zhv2neysJ0KxWrVu4y9D3I3oIn2psIKH5NnT/5nIlqdiP+ExkXbXUrK5Ez
suspicious_features: GET method with no useragent header; suspicious_request: GET https://ps.pndsn.com/time/0?pnsdk=NET45CSharp6.13.0.0&requestid=10d6f7ca-f3ad-47d4-9eb3-644f1fff3fa9&uuid=819da2a6-9fa4-4574-be40-60b373c39516
suspicious_features: GET method with no useragent header; suspicious_request: GET https://ps.pndsn.com/v2/presence/sub_key/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/channel/819da2a6-9fa4-4574-be40-60b373c39516/heartbeat?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=f0b99e74-7fd7-4a1e-8b4b-0fe005b09115&uuid=819da2a6-9fa4-4574-be40-60b373c39516
suspicious_features: GET method with no useragent header; suspicious_request: GET https://ps.pndsn.com/time/0?pnsdk=NET45CSharp6.13.0.0&requestid=9d755037-90b8-4efb-a244-0c93cfed1d39&uuid=819da2a6-9fa4-4574-be40-60b373c39516
request GET http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBT3xL4LQLXDRDM9P665TW442vrsUQQUReuir%2FSSy4IxLVGLp6chnfNtyA8CEA6bGI750C3n79tQ4ghAGFo%3D
request GET http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfIs%2BLjDtGwQ09XEB1Yeq%2BtX%2BBgQQU7NfjgtJxXWRM3y5nP%2Be6mK4cD08CEAitQLJg0pxMn17Nqb2Trtk%3D
request GET http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSRXerF0eFeSWRripTgTkcJWMm7iQQUaDfg67Y7%2BF8Rhvv%2BYXsIiGX0TkICEAooSZl45YmN9AojjrilUug%3D
request GET http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt
request GET http://cacerts.digicert.com/DigiCertTrustedRootG4.crt
request GET https://ps.pndsn.com/time/0?pnsdk=NET45CSharp6.13.0.0&requestid=0eabdbf1-beaf-4272-a144-a84870a9d7df&uuid=819da2a6-9fa4-4574-be40-60b373c39516
request GET https://ps.pndsn.com/v2/subscribe/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/819da2a6-9fa4-4574-be40-60b373c39516/0?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=43a100d6-9441-4853-b22e-5183c58cb1c7&tt=0&uuid=819da2a6-9fa4-4574-be40-60b373c39516
request GET https://ps.pndsn.com/time/0?pnsdk=NET45CSharp6.13.0.0&requestid=9136a7bb-a943-4340-87ea-3d7007e9ae9c&uuid=819da2a6-9fa4-4574-be40-60b373c39516
request GET https://ps.pndsn.com/v2/subscribe/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/819da2a6-9fa4-4574-be40-60b373c39516/0?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=d3cb1d72-57ed-43aa-99ca-eed7fe302eb3&tr=35&tt=17144381852163526&uuid=819da2a6-9fa4-4574-be40-60b373c39516
request GET https://ps.pndsn.com/time/0?pnsdk=NET45CSharp6.13.0.0&requestid=d906b067-e718-4b04-847f-7ab206d48dd6&uuid=819da2a6-9fa4-4574-be40-60b373c39516
request GET https://ps.pndsn.com/v2/subscribe/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/819da2a6-9fa4-4574-be40-60b373c39516/0?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=a5094973-27d3-469c-96e6-85b45f0479b7&tr=35&tt=17144381874729437&uuid=819da2a6-9fa4-4574-be40-60b373c39516
request GET https://ps.atera.com/agentpackagesnet45/AgentPackageAgentInformation/36.7/AgentPackageAgentInformation.zip?+NlMC3zhv2neysJ0KxWrVu4y9D3I3oIn2psIKH5NnT/5nIlqdiP+ExkXbXUrK5Ez
request GET https://ps.pndsn.com/time/0?pnsdk=NET45CSharp6.13.0.0&requestid=10d6f7ca-f3ad-47d4-9eb3-644f1fff3fa9&uuid=819da2a6-9fa4-4574-be40-60b373c39516
request GET https://ps.pndsn.com/v2/presence/sub_key/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/channel/819da2a6-9fa4-4574-be40-60b373c39516/heartbeat?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=f0b99e74-7fd7-4a1e-8b4b-0fe005b09115&uuid=819da2a6-9fa4-4574-be40-60b373c39516
request GET https://ps.pndsn.com/time/0?pnsdk=NET45CSharp6.13.0.0&requestid=9d755037-90b8-4efb-a244-0c93cfed1d39&uuid=819da2a6-9fa4-4574-be40-60b373c39516
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory

process_identifier: 2548
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x736b1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2548
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73951000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2548
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x72b01000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2548
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x72ac4000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2548
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x72b02000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2548
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x72781000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2548
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x72761000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2548
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73921000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2548
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x72741000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2548
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x75941000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2548
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x764b1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2548
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x75831000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2548
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x72b71000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2548
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x72701000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2548
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x726e1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2548
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x726a1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2548
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x72631000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2548
region_size: 1572864
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x03ea0000
allocation_type: 8192 (MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2548
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x03fe0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2548
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x72622000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2548
region_size: 1835008
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x04020000
allocation_type: 8192 (MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2548
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x041a0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2548
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x72551000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2548
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x75511000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1452
region_size: 65536
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000004720000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0
Time & API Arguments Status Return Repeated

GetDiskFreeSpaceExW

total_number_of_free_bytes: 13320970240
free_bytes_available: 13320970240
root_path: C:\
total_number_of_bytes: 34252779520
1 1 0

GetDiskFreeSpaceW

number_of_free_clusters: 3252190
sectors_per_cluster: 8
bytes_per_sector: 512
root_path: C:\
total_number_of_clusters: 8362495
1 1 0

GetDiskFreeSpaceExW

total_number_of_free_bytes: 13320970240
free_bytes_available: 13320970240
root_path: C:\
total_number_of_bytes: 34252779520
1 1 0

GetDiskFreeSpaceW

number_of_free_clusters: 3252190
sectors_per_cluster: 8
bytes_per_sector: 512
root_path: C:\
total_number_of_clusters: 8362495
1 1 0
Time & API Arguments Status Return Repeated

LookupPrivilegeValueW

system_name:
privilege_name: SeShutdownPrivilege
1 1 0

LookupPrivilegeValueW

system_name:
privilege_name: SeCreateTokenPrivilege
1 1 0

LookupPrivilegeValueW

system_name:
privilege_name: SeAssignPrimaryTokenPrivilege
1 1 0

LookupPrivilegeValueW

system_name:
privilege_name: SeMachineAccountPrivilege
1 1 0

LookupPrivilegeValueW

system_name:
privilege_name: SeTcbPrivilege
1 1 0

LookupPrivilegeValueW

system_name:
privilege_name: SeSecurityPrivilege
1 1 0

LookupPrivilegeValueW

system_name:
privilege_name: SeTakeOwnershipPrivilege
1 1 0

LookupPrivilegeValueW

system_name:
privilege_name: SeLoadDriverPrivilege
1 1 0

LookupPrivilegeValueW

system_name:
privilege_name: SeBackupPrivilege
1 1 0

LookupPrivilegeValueW

system_name:
privilege_name: SeRestorePrivilege
1 1 0

LookupPrivilegeValueW

system_name:
privilege_name: SeShutdownPrivilege
1 1 0

LookupPrivilegeValueW

system_name:
privilege_name: SeDebugPrivilege
1 1 0

LookupPrivilegeValueW

system_name:
privilege_name: SeRemoteShutdownPrivilege
1 1 0

LookupPrivilegeValueW

system_name:
privilege_name: SeEnableDelegationPrivilege
1 1 0

LookupPrivilegeValueW

system_name:
privilege_name: SeManageVolumePrivilege
1 1 0

LookupPrivilegeValueW

system_name:
privilege_name: SeCreateGlobalPrivilege
1 1 0
buffer Buffer with sha1: 015b5f953d6ffe1926c8f9bcd0e109ad91cfc6c8
buffer Buffer with sha1: 73e0a81707960cc3ccb5dccef4cbb6cd51ee3710
Skyhigh RemAdm-Atera
McAfee RemAdm-Atera
Kaspersky not-a-virus:HEUR:RemoteAdmin.MSIL.Atera.gen
Rising HackTool.Atera!8.13A3B (CLOUD)
DrWeb Program.RemoteAdminNET.1
Google Detected
Xcitium ApplicUnwnt@#2s9re1zdfn0go
ZoneAlarm not-a-virus:HEUR:RemoteAdmin.MSIL.Atera.gen
Varist W32/Atera.KNVS-6994
Fortinet Riskware/Application