adob024.msi| Category | Machine | Started | Completed |
|---|---|---|---|
| FILE | s1_win7_x6403_us | Aug. 16, 2024, 5:45 p.m. | Aug. 16, 2024, 5:47 p.m. |
-
msiexec.exe "C:\Windows\System32\msiexec.exe" /I C:\Users\test22\AppData\Local\Temp\adob024.msi
1932 -
explorer.exe C:\Windows\Explorer.EXE
1236
| Name | Response | Post-Analysis Lookup |
|---|---|---|
| ps.pndsn.com | 18.179.18.155 | |
| cacerts.digicert.com |
CNAME
fp2e7a.wpc.phicdn.net
|
152.195.38.76 |
| ocsp.digicert.com |
CNAME
ocsp.edge.digicert.com
CNAME
fp2e7a.wpc.phicdn.net
|
152.195.38.76 |
| ps.atera.com | 18.67.51.59 | |
| agent-api.atera.com | 20.37.139.187 |
Suricata Alerts
Suricata TLS
| Flow | Issuer | Subject | Fingerprint |
|---|---|---|---|
|
TLS 1.2 192.168.56.103:49162 20.37.139.187:443 |
C=US, O=DigiCert Inc, OU=www.digicert.com, CN=Thawte TLS RSA CA G1 | CN=*.atera.com | e4:80:61:96:ed:3c:73:9e:df:fd:66:a0:e4:af:c2:b9:14:d6:20:ad |
|
TLS 1.2 192.168.56.103:49176 20.37.139.187:443 |
C=US, O=DigiCert Inc, OU=www.digicert.com, CN=Thawte TLS RSA CA G1 | CN=*.atera.com | e4:80:61:96:ed:3c:73:9e:df:fd:66:a0:e4:af:c2:b9:14:d6:20:ad |
|
TLS 1.2 192.168.56.103:49182 20.37.139.187:443 |
C=US, O=DigiCert Inc, OU=www.digicert.com, CN=Thawte TLS RSA CA G1 | CN=*.atera.com | e4:80:61:96:ed:3c:73:9e:df:fd:66:a0:e4:af:c2:b9:14:d6:20:ad |
|
TLS 1.2 192.168.56.103:49170 20.37.139.187:443 |
C=US, O=DigiCert Inc, OU=www.digicert.com, CN=Thawte TLS RSA CA G1 | CN=*.atera.com | e4:80:61:96:ed:3c:73:9e:df:fd:66:a0:e4:af:c2:b9:14:d6:20:ad |
|
TLS 1.2 192.168.56.103:49167 20.37.139.187:443 |
C=US, O=DigiCert Inc, OU=www.digicert.com, CN=Thawte TLS RSA CA G1 | CN=*.atera.com | e4:80:61:96:ed:3c:73:9e:df:fd:66:a0:e4:af:c2:b9:14:d6:20:ad |
|
TLS 1.2 192.168.56.103:49195 20.37.139.187:443 |
C=US, O=DigiCert Inc, OU=www.digicert.com, CN=Thawte TLS RSA CA G1 | CN=*.atera.com | e4:80:61:96:ed:3c:73:9e:df:fd:66:a0:e4:af:c2:b9:14:d6:20:ad |
|
TLS 1.2 192.168.56.103:49175 20.37.139.187:443 |
C=US, O=DigiCert Inc, OU=www.digicert.com, CN=Thawte TLS RSA CA G1 | CN=*.atera.com | e4:80:61:96:ed:3c:73:9e:df:fd:66:a0:e4:af:c2:b9:14:d6:20:ad |
|
TLS 1.2 192.168.56.103:49179 20.37.139.187:443 |
C=US, O=DigiCert Inc, OU=www.digicert.com, CN=Thawte TLS RSA CA G1 | CN=*.atera.com | e4:80:61:96:ed:3c:73:9e:df:fd:66:a0:e4:af:c2:b9:14:d6:20:ad |
|
TLS 1.2 192.168.56.103:49178 20.37.139.187:443 |
C=US, O=DigiCert Inc, OU=www.digicert.com, CN=Thawte TLS RSA CA G1 | CN=*.atera.com | e4:80:61:96:ed:3c:73:9e:df:fd:66:a0:e4:af:c2:b9:14:d6:20:ad |
|
TLS 1.2 192.168.56.103:49172 20.37.139.187:443 |
C=US, O=DigiCert Inc, OU=www.digicert.com, CN=Thawte TLS RSA CA G1 | CN=*.atera.com | e4:80:61:96:ed:3c:73:9e:df:fd:66:a0:e4:af:c2:b9:14:d6:20:ad |
|
TLS 1.2 192.168.56.103:49171 20.37.139.187:443 |
C=US, O=DigiCert Inc, OU=www.digicert.com, CN=Thawte TLS RSA CA G1 | CN=*.atera.com | e4:80:61:96:ed:3c:73:9e:df:fd:66:a0:e4:af:c2:b9:14:d6:20:ad |
|
TLS 1.2 192.168.56.103:49190 20.37.139.187:443 |
C=US, O=DigiCert Inc, OU=www.digicert.com, CN=Thawte TLS RSA CA G1 | CN=*.atera.com | e4:80:61:96:ed:3c:73:9e:df:fd:66:a0:e4:af:c2:b9:14:d6:20:ad |
|
TLS 1.2 192.168.56.103:49184 20.37.139.187:443 |
C=US, O=DigiCert Inc, OU=www.digicert.com, CN=Thawte TLS RSA CA G1 | CN=*.atera.com | e4:80:61:96:ed:3c:73:9e:df:fd:66:a0:e4:af:c2:b9:14:d6:20:ad |
|
TLS 1.2 192.168.56.103:49186 20.37.139.187:443 |
C=US, O=DigiCert Inc, OU=www.digicert.com, CN=Thawte TLS RSA CA G1 | CN=*.atera.com | e4:80:61:96:ed:3c:73:9e:df:fd:66:a0:e4:af:c2:b9:14:d6:20:ad |
|
TLS 1.2 192.168.56.103:49192 20.37.139.187:443 |
C=US, O=DigiCert Inc, OU=www.digicert.com, CN=Thawte TLS RSA CA G1 | CN=*.atera.com | e4:80:61:96:ed:3c:73:9e:df:fd:66:a0:e4:af:c2:b9:14:d6:20:ad |
|
TLS 1.2 192.168.56.103:49187 20.37.139.187:443 |
C=US, O=DigiCert Inc, OU=www.digicert.com, CN=Thawte TLS RSA CA G1 | CN=*.atera.com | e4:80:61:96:ed:3c:73:9e:df:fd:66:a0:e4:af:c2:b9:14:d6:20:ad |
|
TLS 1.2 192.168.56.103:49174 18.179.18.153:443 |
C=US, O=Amazon, CN=Amazon RSA 2048 M03 | CN=*.pndsn.com | 07:65:65:eb:fc:cb:2f:15:d8:c5:59:76:15:ef:f9:0b:d7:45:77:3f |
|
TLS 1.2 192.168.56.103:49198 20.37.139.187:443 |
C=US, O=DigiCert Inc, OU=www.digicert.com, CN=Thawte TLS RSA CA G1 | CN=*.atera.com | e4:80:61:96:ed:3c:73:9e:df:fd:66:a0:e4:af:c2:b9:14:d6:20:ad |
|
TLS 1.2 192.168.56.103:49202 20.37.139.187:443 |
C=US, O=DigiCert Inc, OU=www.digicert.com, CN=Thawte TLS RSA CA G1 | CN=*.atera.com | e4:80:61:96:ed:3c:73:9e:df:fd:66:a0:e4:af:c2:b9:14:d6:20:ad |
|
TLS 1.2 192.168.56.103:49183 20.37.139.187:443 |
C=US, O=DigiCert Inc, OU=www.digicert.com, CN=Thawte TLS RSA CA G1 | CN=*.atera.com | e4:80:61:96:ed:3c:73:9e:df:fd:66:a0:e4:af:c2:b9:14:d6:20:ad |
|
TLS 1.2 192.168.56.103:49188 20.37.139.187:443 |
C=US, O=DigiCert Inc, OU=www.digicert.com, CN=Thawte TLS RSA CA G1 | CN=*.atera.com | e4:80:61:96:ed:3c:73:9e:df:fd:66:a0:e4:af:c2:b9:14:d6:20:ad |
|
TLS 1.2 192.168.56.103:49177 18.67.51.98:443 |
C=US, O=Amazon, CN=Amazon RSA 2048 M02 | CN=ps.atera.com | 17:96:ac:89:29:aa:f5:b7:7e:8c:7e:d9:cf:00:0f:8c:5b:2e:f6:cc |
|
TLS 1.2 192.168.56.103:49191 20.37.139.187:443 |
C=US, O=DigiCert Inc, OU=www.digicert.com, CN=Thawte TLS RSA CA G1 | CN=*.atera.com | e4:80:61:96:ed:3c:73:9e:df:fd:66:a0:e4:af:c2:b9:14:d6:20:ad |
|
TLS 1.2 192.168.56.103:49173 18.179.18.153:443 |
C=US, O=Amazon, CN=Amazon RSA 2048 M03 | CN=*.pndsn.com | 07:65:65:eb:fc:cb:2f:15:d8:c5:59:76:15:ef:f9:0b:d7:45:77:3f |
|
TLS 1.2 192.168.56.103:49193 20.37.139.187:443 |
C=US, O=DigiCert Inc, OU=www.digicert.com, CN=Thawte TLS RSA CA G1 | CN=*.atera.com | e4:80:61:96:ed:3c:73:9e:df:fd:66:a0:e4:af:c2:b9:14:d6:20:ad |
|
TLS 1.2 192.168.56.103:49196 20.37.139.187:443 |
C=US, O=DigiCert Inc, OU=www.digicert.com, CN=Thawte TLS RSA CA G1 | CN=*.atera.com | e4:80:61:96:ed:3c:73:9e:df:fd:66:a0:e4:af:c2:b9:14:d6:20:ad |
|
TLS 1.2 192.168.56.103:49189 20.37.139.187:443 |
C=US, O=DigiCert Inc, OU=www.digicert.com, CN=Thawte TLS RSA CA G1 | CN=*.atera.com | e4:80:61:96:ed:3c:73:9e:df:fd:66:a0:e4:af:c2:b9:14:d6:20:ad |
|
TLS 1.2 192.168.56.103:49197 20.37.139.187:443 |
C=US, O=DigiCert Inc, OU=www.digicert.com, CN=Thawte TLS RSA CA G1 | CN=*.atera.com | e4:80:61:96:ed:3c:73:9e:df:fd:66:a0:e4:af:c2:b9:14:d6:20:ad |
|
TLS 1.2 192.168.56.103:49194 20.37.139.187:443 |
C=US, O=DigiCert Inc, OU=www.digicert.com, CN=Thawte TLS RSA CA G1 | CN=*.atera.com | e4:80:61:96:ed:3c:73:9e:df:fd:66:a0:e4:af:c2:b9:14:d6:20:ad |
|
TLS 1.2 192.168.56.103:49199 20.37.139.187:443 |
C=US, O=DigiCert Inc, OU=www.digicert.com, CN=Thawte TLS RSA CA G1 | CN=*.atera.com | e4:80:61:96:ed:3c:73:9e:df:fd:66:a0:e4:af:c2:b9:14:d6:20:ad |
|
TLS 1.2 192.168.56.103:49201 20.37.139.187:443 |
C=US, O=DigiCert Inc, OU=www.digicert.com, CN=Thawte TLS RSA CA G1 | CN=*.atera.com | e4:80:61:96:ed:3c:73:9e:df:fd:66:a0:e4:af:c2:b9:14:d6:20:ad |
|
TLS 1.2 192.168.56.103:49200 20.37.139.187:443 |
C=US, O=DigiCert Inc, OU=www.digicert.com, CN=Thawte TLS RSA CA G1 | CN=*.atera.com | e4:80:61:96:ed:3c:73:9e:df:fd:66:a0:e4:af:c2:b9:14:d6:20:ad |
|
TLS 1.2 192.168.56.103:49203 20.37.139.187:443 |
C=US, O=DigiCert Inc, OU=www.digicert.com, CN=Thawte TLS RSA CA G1 | CN=*.atera.com | e4:80:61:96:ed:3c:73:9e:df:fd:66:a0:e4:af:c2:b9:14:d6:20:ad |
|
TLS 1.2 192.168.56.103:49181 20.37.139.187:443 |
C=US, O=DigiCert Inc, OU=www.digicert.com, CN=Thawte TLS RSA CA G1 | CN=*.atera.com | e4:80:61:96:ed:3c:73:9e:df:fd:66:a0:e4:af:c2:b9:14:d6:20:ad |
|
TLS 1.2 192.168.56.103:49185 20.37.139.187:443 |
C=US, O=DigiCert Inc, OU=www.digicert.com, CN=Thawte TLS RSA CA G1 | CN=*.atera.com | e4:80:61:96:ed:3c:73:9e:df:fd:66:a0:e4:af:c2:b9:14:d6:20:ad |
| suspicious_features | GET method with no useragent header | suspicious_request | GET https://ps.pndsn.com/time/0?pnsdk=NET45CSharp6.13.0.0&requestid=cd541e6a-2ba4-4a03-a00f-094ee2b67135&uuid=e00905d4-3856-4887-b595-3b102a6ce467 | ||||||
| suspicious_features | GET method with no useragent header | suspicious_request | GET https://ps.pndsn.com/v2/subscribe/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/e00905d4-3856-4887-b595-3b102a6ce467/0?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=b153a57e-499b-4ae8-b169-598fc179a7f6&tt=0&uuid=e00905d4-3856-4887-b595-3b102a6ce467 | ||||||
| suspicious_features | GET method with no useragent header | suspicious_request | GET https://ps.pndsn.com/time/0?pnsdk=NET45CSharp6.13.0.0&requestid=c09e2018-679b-4892-8c17-f018f66a11f3&uuid=e00905d4-3856-4887-b595-3b102a6ce467 | ||||||
| suspicious_features | GET method with no useragent header | suspicious_request | GET https://ps.pndsn.com/v2/subscribe/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/e00905d4-3856-4887-b595-3b102a6ce467/0?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=12d00e9f-90ed-42bb-bf8d-a4cee20a83cf&tr=34&tt=17237979717852454&uuid=e00905d4-3856-4887-b595-3b102a6ce467 | ||||||
| suspicious_features | GET method with no useragent header | suspicious_request | GET https://ps.pndsn.com/time/0?pnsdk=NET45CSharp6.13.0.0&requestid=af4be7e1-0f14-4a01-ac83-33610d59f4ff&uuid=e00905d4-3856-4887-b595-3b102a6ce467 | ||||||
| suspicious_features | GET method with no useragent header | suspicious_request | GET https://ps.pndsn.com/v2/subscribe/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/e00905d4-3856-4887-b595-3b102a6ce467/0?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=08d6e7fe-8c3c-4170-8f89-6cd210f9977f&tr=34&tt=17237979729901531&uuid=e00905d4-3856-4887-b595-3b102a6ce467 | ||||||
| suspicious_features | GET method with no useragent header | suspicious_request | GET https://ps.atera.com/agentpackagesnet45/AgentPackageAgentInformation/37.2/AgentPackageAgentInformation.zip?kHE0a4AHPD06sRT5dNr8CEGDDgxItT/NNHjAvqtYD5Vp1AfUa8Y22WAUqOM87JT+ | ||||||
| suspicious_features | GET method with no useragent header | suspicious_request | GET https://ps.pndsn.com/time/0?pnsdk=NET45CSharp6.13.0.0&requestid=00bd05cc-8d26-4ad1-94e7-04ee06e4e9a6&uuid=e00905d4-3856-4887-b595-3b102a6ce467 | ||||||
| suspicious_features | GET method with no useragent header | suspicious_request | GET https://ps.pndsn.com/v2/presence/sub_key/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/channel/e00905d4-3856-4887-b595-3b102a6ce467/heartbeat?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=33bc53d7-b38d-4443-ad4c-fe2237b03869&uuid=e00905d4-3856-4887-b595-3b102a6ce467 | ||||||
| suspicious_features | GET method with no useragent header | suspicious_request | GET https://ps.pndsn.com/time/0?pnsdk=NET45CSharp6.13.0.0&requestid=37d5c33a-d873-4f9c-819f-519051737e0b&uuid=e00905d4-3856-4887-b595-3b102a6ce467 | ||||||
| request | GET http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBT3xL4LQLXDRDM9P665TW442vrsUQQUReuir%2FSSy4IxLVGLp6chnfNtyA8CEA6bGI750C3n79tQ4ghAGFo%3D |
| request | GET http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfIs%2BLjDtGwQ09XEB1Yeq%2BtX%2BBgQQU7NfjgtJxXWRM3y5nP%2Be6mK4cD08CEAitQLJg0pxMn17Nqb2Trtk%3D |
| request | GET http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSRXerF0eFeSWRripTgTkcJWMm7iQQUaDfg67Y7%2BF8Rhvv%2BYXsIiGX0TkICEAooSZl45YmN9AojjrilUug%3D |
| request | GET http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt |
| request | GET http://cacerts.digicert.com/DigiCertTrustedRootG4.crt |
| request | GET https://ps.pndsn.com/time/0?pnsdk=NET45CSharp6.13.0.0&requestid=cd541e6a-2ba4-4a03-a00f-094ee2b67135&uuid=e00905d4-3856-4887-b595-3b102a6ce467 |
| request | GET https://ps.pndsn.com/v2/subscribe/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/e00905d4-3856-4887-b595-3b102a6ce467/0?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=b153a57e-499b-4ae8-b169-598fc179a7f6&tt=0&uuid=e00905d4-3856-4887-b595-3b102a6ce467 |
| request | GET https://ps.pndsn.com/time/0?pnsdk=NET45CSharp6.13.0.0&requestid=c09e2018-679b-4892-8c17-f018f66a11f3&uuid=e00905d4-3856-4887-b595-3b102a6ce467 |
| request | GET https://ps.pndsn.com/v2/subscribe/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/e00905d4-3856-4887-b595-3b102a6ce467/0?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=12d00e9f-90ed-42bb-bf8d-a4cee20a83cf&tr=34&tt=17237979717852454&uuid=e00905d4-3856-4887-b595-3b102a6ce467 |
| request | GET https://ps.pndsn.com/time/0?pnsdk=NET45CSharp6.13.0.0&requestid=af4be7e1-0f14-4a01-ac83-33610d59f4ff&uuid=e00905d4-3856-4887-b595-3b102a6ce467 |
| request | GET https://ps.pndsn.com/v2/subscribe/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/e00905d4-3856-4887-b595-3b102a6ce467/0?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=08d6e7fe-8c3c-4170-8f89-6cd210f9977f&tr=34&tt=17237979729901531&uuid=e00905d4-3856-4887-b595-3b102a6ce467 |
| request | GET https://ps.atera.com/agentpackagesnet45/AgentPackageAgentInformation/37.2/AgentPackageAgentInformation.zip?kHE0a4AHPD06sRT5dNr8CEGDDgxItT/NNHjAvqtYD5Vp1AfUa8Y22WAUqOM87JT+ |
| request | GET https://ps.pndsn.com/time/0?pnsdk=NET45CSharp6.13.0.0&requestid=00bd05cc-8d26-4ad1-94e7-04ee06e4e9a6&uuid=e00905d4-3856-4887-b595-3b102a6ce467 |
| request | GET https://ps.pndsn.com/v2/presence/sub_key/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/channel/e00905d4-3856-4887-b595-3b102a6ce467/heartbeat?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=33bc53d7-b38d-4443-ad4c-fe2237b03869&uuid=e00905d4-3856-4887-b595-3b102a6ce467 |
| request | GET https://ps.pndsn.com/time/0?pnsdk=NET45CSharp6.13.0.0&requestid=37d5c33a-d873-4f9c-819f-519051737e0b&uuid=e00905d4-3856-4887-b595-3b102a6ce467 |
| buffer | Buffer with sha1: 015b5f953d6ffe1926c8f9bcd0e109ad91cfc6c8 |
| buffer | Buffer with sha1: 73e0a81707960cc3ccb5dccef4cbb6cd51ee3710 |
| Skyhigh | RemAdm-Atera |
| K7AntiVirus | Trojan ( 0001140e1 ) |
| K7GW | Trojan ( 0001140e1 ) |
| McAfee | RemAdm-Atera |
| Kaspersky | not-a-virus:HEUR:RemoteAdmin.MSIL.Atera.gen |
| DrWeb | Program.RemoteAdminNET.1 |
| Detected | |
| Xcitium | ApplicUnwnt@#2s9re1zdfn0go |
| ZoneAlarm | not-a-virus:HEUR:RemoteAdmin.MSIL.Atera.gen |
| Varist | W32/Atera.KNVS-6994 |
| Fortinet | Riskware/Atera |
| alibabacloud | Backdoor[rat]:MSIL/Atera.gyf |
| registry | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F81F111D0E5AB58D396F7BF525577FD30FDC95AA\Blob |
| registry | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\F81F111D0E5AB58D396F7BF525577FD30FDC95AA\Blob |