Guidelines_for_Citizen_Safety.msi| Category | Machine | Started | Completed |
|---|---|---|---|
| FILE | s1_win7_x6401 | Aug. 5, 2024, 9:51 a.m. | Aug. 5, 2024, 9:53 a.m. |
-
msiexec.exe "C:\Windows\System32\msiexec.exe" /I C:\Users\test22\AppData\Local\Temp\Guidelines_for_Citizen_Safety.msi
2548 -
explorer.exe C:\Windows\Explorer.EXE
1452
| Name | Response | Post-Analysis Lookup |
|---|---|---|
| ps.pndsn.com | 18.179.18.154 | |
| cacerts.digicert.com |
CNAME
fp2e7a.wpc.phicdn.net
|
152.195.38.76 |
| ocsp.digicert.com |
CNAME
ocsp.edge.digicert.com
CNAME
fp2e7a.wpc.phicdn.net
|
152.195.38.76 |
| ps.atera.com | 18.67.51.59 | |
| agent-api.atera.com | 20.37.139.187 |
Suricata Alerts
Suricata TLS
| Flow | Issuer | Subject | Fingerprint |
|---|---|---|---|
|
TLS 1.2 192.168.56.101:49162 20.37.139.187:443 |
C=US, O=DigiCert Inc, OU=www.digicert.com, CN=Thawte TLS RSA CA G1 | CN=*.atera.com | e4:80:61:96:ed:3c:73:9e:df:fd:66:a0:e4:af:c2:b9:14:d6:20:ad |
|
TLS 1.2 192.168.56.101:49171 20.37.139.187:443 |
C=US, O=DigiCert Inc, OU=www.digicert.com, CN=Thawte TLS RSA CA G1 | CN=*.atera.com | e4:80:61:96:ed:3c:73:9e:df:fd:66:a0:e4:af:c2:b9:14:d6:20:ad |
|
TLS 1.2 192.168.56.101:49178 20.37.139.187:443 |
C=US, O=DigiCert Inc, OU=www.digicert.com, CN=Thawte TLS RSA CA G1 | CN=*.atera.com | e4:80:61:96:ed:3c:73:9e:df:fd:66:a0:e4:af:c2:b9:14:d6:20:ad |
|
TLS 1.2 192.168.56.101:49177 20.37.139.187:443 |
C=US, O=DigiCert Inc, OU=www.digicert.com, CN=Thawte TLS RSA CA G1 | CN=*.atera.com | e4:80:61:96:ed:3c:73:9e:df:fd:66:a0:e4:af:c2:b9:14:d6:20:ad |
|
TLS 1.2 192.168.56.101:49167 20.37.139.187:443 |
C=US, O=DigiCert Inc, OU=www.digicert.com, CN=Thawte TLS RSA CA G1 | CN=*.atera.com | e4:80:61:96:ed:3c:73:9e:df:fd:66:a0:e4:af:c2:b9:14:d6:20:ad |
|
TLS 1.2 192.168.56.101:49169 20.37.139.187:443 |
C=US, O=DigiCert Inc, OU=www.digicert.com, CN=Thawte TLS RSA CA G1 | CN=*.atera.com | e4:80:61:96:ed:3c:73:9e:df:fd:66:a0:e4:af:c2:b9:14:d6:20:ad |
|
TLS 1.2 192.168.56.101:49172 18.179.18.155:443 |
C=US, O=Amazon, CN=Amazon RSA 2048 M03 | CN=*.pndsn.com | 07:65:65:eb:fc:cb:2f:15:d8:c5:59:76:15:ef:f9:0b:d7:45:77:3f |
|
TLS 1.2 192.168.56.101:49188 20.37.139.187:443 |
C=US, O=DigiCert Inc, OU=www.digicert.com, CN=Thawte TLS RSA CA G1 | CN=*.atera.com | e4:80:61:96:ed:3c:73:9e:df:fd:66:a0:e4:af:c2:b9:14:d6:20:ad |
|
TLS 1.2 192.168.56.101:49170 20.37.139.187:443 |
C=US, O=DigiCert Inc, OU=www.digicert.com, CN=Thawte TLS RSA CA G1 | CN=*.atera.com | e4:80:61:96:ed:3c:73:9e:df:fd:66:a0:e4:af:c2:b9:14:d6:20:ad |
|
TLS 1.2 192.168.56.101:49181 20.37.139.187:443 |
C=US, O=DigiCert Inc, OU=www.digicert.com, CN=Thawte TLS RSA CA G1 | CN=*.atera.com | e4:80:61:96:ed:3c:73:9e:df:fd:66:a0:e4:af:c2:b9:14:d6:20:ad |
|
TLS 1.2 192.168.56.101:49173 18.179.18.155:443 |
C=US, O=Amazon, CN=Amazon RSA 2048 M03 | CN=*.pndsn.com | 07:65:65:eb:fc:cb:2f:15:d8:c5:59:76:15:ef:f9:0b:d7:45:77:3f |
|
TLS 1.2 192.168.56.101:49175 20.37.139.187:443 |
C=US, O=DigiCert Inc, OU=www.digicert.com, CN=Thawte TLS RSA CA G1 | CN=*.atera.com | e4:80:61:96:ed:3c:73:9e:df:fd:66:a0:e4:af:c2:b9:14:d6:20:ad |
|
TLS 1.2 192.168.56.101:49182 20.37.139.187:443 |
C=US, O=DigiCert Inc, OU=www.digicert.com, CN=Thawte TLS RSA CA G1 | CN=*.atera.com | e4:80:61:96:ed:3c:73:9e:df:fd:66:a0:e4:af:c2:b9:14:d6:20:ad |
|
TLS 1.2 192.168.56.101:49174 20.37.139.187:443 |
C=US, O=DigiCert Inc, OU=www.digicert.com, CN=Thawte TLS RSA CA G1 | CN=*.atera.com | e4:80:61:96:ed:3c:73:9e:df:fd:66:a0:e4:af:c2:b9:14:d6:20:ad |
|
TLS 1.2 192.168.56.101:49185 20.37.139.187:443 |
C=US, O=DigiCert Inc, OU=www.digicert.com, CN=Thawte TLS RSA CA G1 | CN=*.atera.com | e4:80:61:96:ed:3c:73:9e:df:fd:66:a0:e4:af:c2:b9:14:d6:20:ad |
|
TLS 1.2 192.168.56.101:49176 18.67.51.104:443 |
C=US, O=Amazon, CN=Amazon RSA 2048 M02 | CN=ps.atera.com | 17:96:ac:89:29:aa:f5:b7:7e:8c:7e:d9:cf:00:0f:8c:5b:2e:f6:cc |
|
TLS 1.2 192.168.56.101:49180 20.37.139.187:443 |
C=US, O=DigiCert Inc, OU=www.digicert.com, CN=Thawte TLS RSA CA G1 | CN=*.atera.com | e4:80:61:96:ed:3c:73:9e:df:fd:66:a0:e4:af:c2:b9:14:d6:20:ad |
|
TLS 1.2 192.168.56.101:49195 20.37.139.187:443 |
C=US, O=DigiCert Inc, OU=www.digicert.com, CN=Thawte TLS RSA CA G1 | CN=*.atera.com | e4:80:61:96:ed:3c:73:9e:df:fd:66:a0:e4:af:c2:b9:14:d6:20:ad |
|
TLS 1.2 192.168.56.101:49189 20.37.139.187:443 |
C=US, O=DigiCert Inc, OU=www.digicert.com, CN=Thawte TLS RSA CA G1 | CN=*.atera.com | e4:80:61:96:ed:3c:73:9e:df:fd:66:a0:e4:af:c2:b9:14:d6:20:ad |
|
TLS 1.2 192.168.56.101:49197 20.37.139.187:443 |
C=US, O=DigiCert Inc, OU=www.digicert.com, CN=Thawte TLS RSA CA G1 | CN=*.atera.com | e4:80:61:96:ed:3c:73:9e:df:fd:66:a0:e4:af:c2:b9:14:d6:20:ad |
|
TLS 1.2 192.168.56.101:49190 20.37.139.187:443 |
C=US, O=DigiCert Inc, OU=www.digicert.com, CN=Thawte TLS RSA CA G1 | CN=*.atera.com | e4:80:61:96:ed:3c:73:9e:df:fd:66:a0:e4:af:c2:b9:14:d6:20:ad |
|
TLS 1.2 192.168.56.101:49199 20.37.139.187:443 |
C=US, O=DigiCert Inc, OU=www.digicert.com, CN=Thawte TLS RSA CA G1 | CN=*.atera.com | e4:80:61:96:ed:3c:73:9e:df:fd:66:a0:e4:af:c2:b9:14:d6:20:ad |
|
TLS 1.2 192.168.56.101:49203 20.37.139.187:443 |
C=US, O=DigiCert Inc, OU=www.digicert.com, CN=Thawte TLS RSA CA G1 | CN=*.atera.com | e4:80:61:96:ed:3c:73:9e:df:fd:66:a0:e4:af:c2:b9:14:d6:20:ad |
|
TLS 1.2 192.168.56.101:49193 20.37.139.187:443 |
C=US, O=DigiCert Inc, OU=www.digicert.com, CN=Thawte TLS RSA CA G1 | CN=*.atera.com | e4:80:61:96:ed:3c:73:9e:df:fd:66:a0:e4:af:c2:b9:14:d6:20:ad |
|
TLS 1.2 192.168.56.101:49200 20.37.139.187:443 |
C=US, O=DigiCert Inc, OU=www.digicert.com, CN=Thawte TLS RSA CA G1 | CN=*.atera.com | e4:80:61:96:ed:3c:73:9e:df:fd:66:a0:e4:af:c2:b9:14:d6:20:ad |
|
TLS 1.2 192.168.56.101:49184 20.37.139.187:443 |
C=US, O=DigiCert Inc, OU=www.digicert.com, CN=Thawte TLS RSA CA G1 | CN=*.atera.com | e4:80:61:96:ed:3c:73:9e:df:fd:66:a0:e4:af:c2:b9:14:d6:20:ad |
|
TLS 1.2 192.168.56.101:49201 20.37.139.187:443 |
C=US, O=DigiCert Inc, OU=www.digicert.com, CN=Thawte TLS RSA CA G1 | CN=*.atera.com | e4:80:61:96:ed:3c:73:9e:df:fd:66:a0:e4:af:c2:b9:14:d6:20:ad |
|
TLS 1.2 192.168.56.101:49191 20.37.139.187:443 |
C=US, O=DigiCert Inc, OU=www.digicert.com, CN=Thawte TLS RSA CA G1 | CN=*.atera.com | e4:80:61:96:ed:3c:73:9e:df:fd:66:a0:e4:af:c2:b9:14:d6:20:ad |
|
TLS 1.2 192.168.56.101:49183 20.37.139.187:443 |
C=US, O=DigiCert Inc, OU=www.digicert.com, CN=Thawte TLS RSA CA G1 | CN=*.atera.com | e4:80:61:96:ed:3c:73:9e:df:fd:66:a0:e4:af:c2:b9:14:d6:20:ad |
|
TLS 1.2 192.168.56.101:49198 20.37.139.187:443 |
C=US, O=DigiCert Inc, OU=www.digicert.com, CN=Thawte TLS RSA CA G1 | CN=*.atera.com | e4:80:61:96:ed:3c:73:9e:df:fd:66:a0:e4:af:c2:b9:14:d6:20:ad |
|
TLS 1.2 192.168.56.101:49186 20.37.139.187:443 |
C=US, O=DigiCert Inc, OU=www.digicert.com, CN=Thawte TLS RSA CA G1 | CN=*.atera.com | e4:80:61:96:ed:3c:73:9e:df:fd:66:a0:e4:af:c2:b9:14:d6:20:ad |
|
TLS 1.2 192.168.56.101:49187 20.37.139.187:443 |
C=US, O=DigiCert Inc, OU=www.digicert.com, CN=Thawte TLS RSA CA G1 | CN=*.atera.com | e4:80:61:96:ed:3c:73:9e:df:fd:66:a0:e4:af:c2:b9:14:d6:20:ad |
|
TLS 1.2 192.168.56.101:49192 20.37.139.187:443 |
C=US, O=DigiCert Inc, OU=www.digicert.com, CN=Thawte TLS RSA CA G1 | CN=*.atera.com | e4:80:61:96:ed:3c:73:9e:df:fd:66:a0:e4:af:c2:b9:14:d6:20:ad |
|
TLS 1.2 192.168.56.101:49202 20.37.139.187:443 |
C=US, O=DigiCert Inc, OU=www.digicert.com, CN=Thawte TLS RSA CA G1 | CN=*.atera.com | e4:80:61:96:ed:3c:73:9e:df:fd:66:a0:e4:af:c2:b9:14:d6:20:ad |
| suspicious_features | GET method with no useragent header | suspicious_request | GET https://ps.pndsn.com/time/0?pnsdk=NET45CSharp6.13.0.0&requestid=cf65c790-3bba-4a64-9937-f36220f6c218&uuid=55038c67-569f-4d99-8a57-744508033a9a | ||||||
| suspicious_features | GET method with no useragent header | suspicious_request | GET https://ps.pndsn.com/v2/subscribe/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/55038c67-569f-4d99-8a57-744508033a9a/0?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=b5e04d33-6bf0-42c4-8e59-52ccdb41e3db&tt=0&uuid=55038c67-569f-4d99-8a57-744508033a9a | ||||||
| suspicious_features | GET method with no useragent header | suspicious_request | GET https://ps.pndsn.com/time/0?pnsdk=NET45CSharp6.13.0.0&requestid=e9e7b332-e51c-4aa0-a801-d87c8acbcc8a&uuid=55038c67-569f-4d99-8a57-744508033a9a | ||||||
| suspicious_features | GET method with no useragent header | suspicious_request | GET https://ps.pndsn.com/v2/subscribe/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/55038c67-569f-4d99-8a57-744508033a9a/0?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=702fbf86-0fa7-4934-b774-f6bcb0b8b572&tr=36&tt=17228191021137080&uuid=55038c67-569f-4d99-8a57-744508033a9a | ||||||
| suspicious_features | GET method with no useragent header | suspicious_request | GET https://ps.pndsn.com/time/0?pnsdk=NET45CSharp6.13.0.0&requestid=acca9136-a599-4cb0-ad20-a7cb3388de77&uuid=55038c67-569f-4d99-8a57-744508033a9a | ||||||
| suspicious_features | GET method with no useragent header | suspicious_request | GET https://ps.pndsn.com/v2/subscribe/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/55038c67-569f-4d99-8a57-744508033a9a/0?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=ad327499-f709-4137-84e5-53afcd35656e&tr=36&tt=17228191047232239&uuid=55038c67-569f-4d99-8a57-744508033a9a | ||||||
| suspicious_features | GET method with no useragent header | suspicious_request | GET https://ps.atera.com/agentpackagesnet45/AgentPackageAgentInformation/37.2/AgentPackageAgentInformation.zip?IaYiaqQ9y9o8b7g3EnJ8yVxQedXylv6S7z7zWYWmLKBc3BStISV4S61La6VNNgx5 | ||||||
| suspicious_features | GET method with no useragent header | suspicious_request | GET https://ps.pndsn.com/time/0?pnsdk=NET45CSharp6.13.0.0&requestid=79383a77-1246-4ab7-add1-a742496ba2f9&uuid=55038c67-569f-4d99-8a57-744508033a9a | ||||||
| suspicious_features | GET method with no useragent header | suspicious_request | GET https://ps.pndsn.com/v2/presence/sub_key/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/channel/55038c67-569f-4d99-8a57-744508033a9a/heartbeat?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=e494ecc6-7d5c-4596-adb2-e9b303d7c1a2&uuid=55038c67-569f-4d99-8a57-744508033a9a | ||||||
| suspicious_features | GET method with no useragent header | suspicious_request | GET https://ps.pndsn.com/time/0?pnsdk=NET45CSharp6.13.0.0&requestid=ca859d8d-9d89-4015-8fa6-99b7cf72a1f8&uuid=55038c67-569f-4d99-8a57-744508033a9a | ||||||
| request | GET http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBT3xL4LQLXDRDM9P665TW442vrsUQQUReuir%2FSSy4IxLVGLp6chnfNtyA8CEA6bGI750C3n79tQ4ghAGFo%3D |
| request | GET http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfIs%2BLjDtGwQ09XEB1Yeq%2BtX%2BBgQQU7NfjgtJxXWRM3y5nP%2Be6mK4cD08CEAitQLJg0pxMn17Nqb2Trtk%3D |
| request | GET http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSRXerF0eFeSWRripTgTkcJWMm7iQQUaDfg67Y7%2BF8Rhvv%2BYXsIiGX0TkICEAooSZl45YmN9AojjrilUug%3D |
| request | GET http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt |
| request | GET http://cacerts.digicert.com/DigiCertTrustedRootG4.crt |
| request | GET https://ps.pndsn.com/time/0?pnsdk=NET45CSharp6.13.0.0&requestid=cf65c790-3bba-4a64-9937-f36220f6c218&uuid=55038c67-569f-4d99-8a57-744508033a9a |
| request | GET https://ps.pndsn.com/v2/subscribe/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/55038c67-569f-4d99-8a57-744508033a9a/0?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=b5e04d33-6bf0-42c4-8e59-52ccdb41e3db&tt=0&uuid=55038c67-569f-4d99-8a57-744508033a9a |
| request | GET https://ps.pndsn.com/time/0?pnsdk=NET45CSharp6.13.0.0&requestid=e9e7b332-e51c-4aa0-a801-d87c8acbcc8a&uuid=55038c67-569f-4d99-8a57-744508033a9a |
| request | GET https://ps.pndsn.com/v2/subscribe/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/55038c67-569f-4d99-8a57-744508033a9a/0?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=702fbf86-0fa7-4934-b774-f6bcb0b8b572&tr=36&tt=17228191021137080&uuid=55038c67-569f-4d99-8a57-744508033a9a |
| request | GET https://ps.pndsn.com/time/0?pnsdk=NET45CSharp6.13.0.0&requestid=acca9136-a599-4cb0-ad20-a7cb3388de77&uuid=55038c67-569f-4d99-8a57-744508033a9a |
| request | GET https://ps.pndsn.com/v2/subscribe/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/55038c67-569f-4d99-8a57-744508033a9a/0?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=ad327499-f709-4137-84e5-53afcd35656e&tr=36&tt=17228191047232239&uuid=55038c67-569f-4d99-8a57-744508033a9a |
| request | GET https://ps.atera.com/agentpackagesnet45/AgentPackageAgentInformation/37.2/AgentPackageAgentInformation.zip?IaYiaqQ9y9o8b7g3EnJ8yVxQedXylv6S7z7zWYWmLKBc3BStISV4S61La6VNNgx5 |
| request | GET https://ps.pndsn.com/time/0?pnsdk=NET45CSharp6.13.0.0&requestid=79383a77-1246-4ab7-add1-a742496ba2f9&uuid=55038c67-569f-4d99-8a57-744508033a9a |
| request | GET https://ps.pndsn.com/v2/presence/sub_key/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/channel/55038c67-569f-4d99-8a57-744508033a9a/heartbeat?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=e494ecc6-7d5c-4596-adb2-e9b303d7c1a2&uuid=55038c67-569f-4d99-8a57-744508033a9a |
| request | GET https://ps.pndsn.com/time/0?pnsdk=NET45CSharp6.13.0.0&requestid=ca859d8d-9d89-4015-8fa6-99b7cf72a1f8&uuid=55038c67-569f-4d99-8a57-744508033a9a |
| buffer | Buffer with sha1: 015b5f953d6ffe1926c8f9bcd0e109ad91cfc6c8 |
| buffer | Buffer with sha1: 73e0a81707960cc3ccb5dccef4cbb6cd51ee3710 |
| Skyhigh | RemAdm-Atera |
| K7AntiVirus | Trojan ( 0001140e1 ) |
| K7GW | Trojan ( 0001140e1 ) |
| McAfee | RemAdm-Atera |
| Kaspersky | not-a-virus:HEUR:RemoteAdmin.MSIL.Atera.gen |
| DrWeb | Program.RemoteAdminNET.1 |
| Detected | |
| Xcitium | ApplicUnwnt@#2s9re1zdfn0go |
| ZoneAlarm | not-a-virus:HEUR:RemoteAdmin.MSIL.Atera.gen |
| Varist | W32/Atera.KNVS-6994 |