URL: https://denunciadigital-gobmx.com/CitacionFiscalFGJ/N005675304-MX.html

Full analysis: https://app.any.run/tasks/2edc7e0b-36b0-48c0-a110-a93ad52ae177
Verdict: Malicious activity
Analysis date: February 14, 2025, 19:35:13
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags: obfuscated-js, atera, tool
Indicators:
MD5: 25911098838E285FD897CC3AB0F31922
SHA1: 9C4DDA1080DC5A4AC14B6D62FDEAC803E8CFCFCA
SHA256: 2FBFBBAC4747C284E915CA61CDEB97BA01674E49A7A9E207A7E35708E3836957
SSDEEP: 3:N8Y2E6lkIirWVYiSRVpUJn:2Y+BdVJSRVpQn

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Starts NET.EXE for service management

      • net.exe (PID: 7516)
      • msiexec.exe (PID: 372)
    • Bypass execution policy to execute commands

      • powershell.exe (PID: 9040)
    • Changes powershell execution policy (Bypass)

      • AgentPackageAgentInformation.exe (PID: 3888)
  • SUSPICIOUS

    • Process drops legitimate windows executable

      • msedge.exe (PID: 6464)
      • msedge.exe (PID: 5892)
      • msiexec.exe (PID: 6280)
      • AteraAgent.exe (PID: 904)
      • AteraAgent.exe (PID: 7668)
    • Creates file in the systems drive root

      • explorer.exe (PID: 4488)
    • Checks Windows Trust Settings

      • msiexec.exe (PID: 6280)
      • AteraAgent.exe (PID: 3796)
      • msiexec.exe (PID: 2280)
    • Reads the Windows owner or organization settings

      • msiexec.exe (PID: 6280)
    • Executable content was dropped or overwritten

      • rundll32.exe (PID: 5000)
      • rundll32.exe (PID: 4132)
      • rundll32.exe (PID: 7672)
      • rundll32.exe (PID: 5200)
      • AteraAgent.exe (PID: 904)
      • csc.exe (PID: 7672)
      • SplashtopStreamer.exe (PID: 4864)
      • PreVerCheck.exe (PID: 1828)
      • AteraAgent.exe (PID: 7668)
    • Executes as Windows Service

      • VSSVC.exe (PID: 6244)
      • AteraAgent.exe (PID: 904)
      • AteraAgent.exe (PID: 7668)
    • Uses TASKKILL.EXE to kill process

      • msiexec.exe (PID: 372)
      • cmd.exe (PID: 6908)
      • cmd.exe (PID: 8240)
      • cmd.exe (PID: 8340)
      • cmd.exe (PID: 8464)
      • cmd.exe (PID: 8564)
      • cmd.exe (PID: 8664)
      • cmd.exe (PID: 8764)
      • cmd.exe (PID: 8864)
      • cmd.exe (PID: 8964)
      • cmd.exe (PID: 9152)
    • ATERAAGENT has been detected

      • AteraAgent.exe (PID: 3796)
      • AteraAgent.exe (PID: 904)
      • AteraAgent.exe (PID: 7668)
    • Potential Corporate Privacy Violation

      • rundll32.exe (PID: 7672)
      • rundll32.exe (PID: 5200)
      • AteraAgent.exe (PID: 904)
      • AgentPackageAgentInformation.exe (PID: 6388)
      • AteraAgent.exe (PID: 7668)
      • AgentPackageMonitoring.exe (PID: 7356)
      • AgentPackageAgentInformation.exe (PID: 5028)
      • AgentPackageAgentInformation.exe (PID: 3888)
    • Restarts service on failure

      • sc.exe (PID: 7444)
      • sc.exe (PID: 4912)
    • Reads security settings of Internet Explorer

      • AteraAgent.exe (PID: 904)
      • AteraAgent.exe (PID: 3796)
      • AteraAgent.exe (PID: 7668)
      • AgentPackageAgentInformation.exe (PID: 3888)
      • SplashtopStreamer.exe (PID: 4864)
    • Reads the date of Windows installation

      • AteraAgent.exe (PID: 904)
      • AteraAgent.exe (PID: 7668)
    • Starts SC.EXE for service management

      • AteraAgent.exe (PID: 904)
      • AteraAgent.exe (PID: 7668)
    • The process executes Powershell scripts

      • AgentPackageAgentInformation.exe (PID: 3888)
      • cmd.exe (PID: 8476)
    • Starts POWERSHELL.EXE for commands execution

      • AgentPackageAgentInformation.exe (PID: 3888)
      • cmd.exe (PID: 8476)
    • The process bypasses the loading of PowerShell profile settings

      • AgentPackageAgentInformation.exe (PID: 3888)
    • CSC.EXE is used to compile C# code

      • csc.exe (PID: 7672)
    • The process executes VB scripts

      • cmd.exe (PID: 8076)
    • Starts CMD.EXE for commands execution

      • AgentPackageAgentInformation.exe (PID: 3888)
      • msiexec.exe (PID: 2280)
      • SetupUtil.exe (PID: 5540)
    • Gets full path of the running script (SCRIPT)

      • cscript.exe (PID: 2160)
    • Gets a collection of all available drive names (SCRIPT)

      • cscript.exe (PID: 2160)
    • Creates FileSystem object to access computer's file system (SCRIPT)

      • cscript.exe (PID: 2160)
    • Accesses computer name via WMI (SCRIPT)

      • cscript.exe (PID: 2160)
    • Accesses WMI object, sets custom ImpersonationLevel (SCRIPT)

      • cscript.exe (PID: 2160)
    • Executes application which crashes

      • cscript.exe (PID: 2160)
    • Gets the drive type (SCRIPT)

      • cscript.exe (PID: 2160)
    • The process creates files with name similar to system file names

      • WerFault.exe (PID: 7864)
      • msiexec.exe (PID: 6280)
    • Drops a system driver (possible attempt to evade defenses)

      • msiexec.exe (PID: 6280)
  • INFO

    • Reads the computer name

      • identity_helper.exe (PID: 8076)
      • msiexec.exe (PID: 6280)
      • msiexec.exe (PID: 848)
      • msiexec.exe (PID: 372)
      • AteraAgent.exe (PID: 3796)
      • AteraAgent.exe (PID: 904)
      • AgentPackageAgentInformation.exe (PID: 6388)
      • AgentPackageAgentInformation.exe (PID: 5028)
      • AgentPackageAgentInformation.exe (PID: 3888)
      • AgentPackageAgentInformation.exe (PID: 2012)
      • AgentPackageSTRemote.exe (PID: 1604)
      • AteraAgent.exe (PID: 7668)
      • AgentPackageMonitoring.exe (PID: 7356)
      • msiexec.exe (PID: 2280)
      • SplashtopStreamer.exe (PID: 4864)
      • _is3EBE.exe (PID: 6908)
      • _is3EBE.exe (PID: 7252)
      • _is3EBE.exe (PID: 3032)
      • _is3EBE.exe (PID: 6908)
      • _is3EBE.exe (PID: 7608)
      • _is3EBE.exe (PID: 6936)
      • _is3EBE.exe (PID: 6908)
      • _is3EBE.exe (PID: 7608)
      • _is3EBE.exe (PID: 6908)
      • _is3EBE.exe (PID: 7608)
      • _is48A2.exe (PID: 8232)
      • _is48A2.exe (PID: 8300)
      • _is48A2.exe (PID: 8252)
      • _is48A2.exe (PID: 8296)
      • _is48A2.exe (PID: 5040)
      • _is48A2.exe (PID: 4764)
      • _is48A2.exe (PID: 5456)
      • _is48A2.exe (PID: 3744)
      • _is48A2.exe (PID: 2148)
      • _is665D.exe (PID: 5936)
      • _is48A2.exe (PID: 8440)
    • Checks supported languages

      • identity_helper.exe (PID: 8076)
      • msiexec.exe (PID: 848)
      • msiexec.exe (PID: 6280)
      • msiexec.exe (PID: 372)
      • AteraAgent.exe (PID: 3796)
      • AteraAgent.exe (PID: 904)
      • AgentPackageAgentInformation.exe (PID: 6388)
      • AgentPackageAgentInformation.exe (PID: 5028)
      • AgentPackageAgentInformation.exe (PID: 2012)
      • AgentPackageAgentInformation.exe (PID: 3888)
      • AteraAgent.exe (PID: 7668)
      • AgentPackageSTRemote.exe (PID: 1604)
      • AgentPackageMonitoring.exe (PID: 7356)
      • csc.exe (PID: 7672)
      • cvtres.exe (PID: 7132)
      • SplashtopStreamer.exe (PID: 4864)
      • PreVerCheck.exe (PID: 1828)
      • msiexec.exe (PID: 2280)
      • _is3EBE.exe (PID: 6908)
      • _is3EBE.exe (PID: 6908)
      • _is3EBE.exe (PID: 7252)
      • _is3EBE.exe (PID: 3032)
      • _is3EBE.exe (PID: 7608)
      • _is3EBE.exe (PID: 6936)
      • _is3EBE.exe (PID: 6908)
      • _is3EBE.exe (PID: 6908)
      • _is3EBE.exe (PID: 7608)
      • _is3EBE.exe (PID: 7608)
      • _is48A2.exe (PID: 8252)
      • _is48A2.exe (PID: 8440)
      • _is48A2.exe (PID: 8300)
      • _is48A2.exe (PID: 4764)
      • _is48A2.exe (PID: 8296)
      • _is48A2.exe (PID: 5040)
      • _is48A2.exe (PID: 5456)
      • _is48A2.exe (PID: 3744)
      • _is48A2.exe (PID: 2148)
      • _is48A2.exe (PID: 8232)
      • _is665D.exe (PID: 5936)
      • SetupUtil.exe (PID: 8328)
    • Reads Environment values

      • identity_helper.exe (PID: 8076)
      • AteraAgent.exe (PID: 904)
      • AteraAgent.exe (PID: 3796)
      • AgentPackageAgentInformation.exe (PID: 6388)
      • AgentPackageAgentInformation.exe (PID: 3888)
      • AgentPackageAgentInformation.exe (PID: 5028)
      • AgentPackageAgentInformation.exe (PID: 2012)
      • AgentPackageSTRemote.exe (PID: 1604)
      • AteraAgent.exe (PID: 7668)
      • AgentPackageMonitoring.exe (PID: 7356)
    • Reads security settings of Internet Explorer

      • explorer.exe (PID: 4488)
      • msiexec.exe (PID: 7236)
    • Executable content was dropped or overwritten

      • msedge.exe (PID: 6464)
      • msedge.exe (PID: 2144)
      • msedge.exe (PID: 5892)
      • msiexec.exe (PID: 6280)
      • msiexec.exe (PID: 2280)
    • Reads Microsoft Office registry keys

      • explorer.exe (PID: 4488)
    • Creates files or folders in the user directory

      • explorer.exe (PID: 4488)
    • The sample compiled with english language support

      • msedge.exe (PID: 2144)
      • rundll32.exe (PID: 5000)
      • rundll32.exe (PID: 4132)
      • rundll32.exe (PID: 7672)
      • rundll32.exe (PID: 5200)
      • AteraAgent.exe (PID: 904)
      • SplashtopStreamer.exe (PID: 4864)
      • PreVerCheck.exe (PID: 1828)
      • msiexec.exe (PID: 6280)
      • msiexec.exe (PID: 2280)
      • AteraAgent.exe (PID: 7668)
    • Application launched itself

      • msedge.exe (PID: 5892)
    • Reads the software policy settings

      • msiexec.exe (PID: 7236)
      • explorer.exe (PID: 4488)
      • msiexec.exe (PID: 6280)
      • rundll32.exe (PID: 7672)
      • AteraAgent.exe (PID: 3796)
      • rundll32.exe (PID: 5200)
      • AteraAgent.exe (PID: 904)
      • AgentPackageAgentInformation.exe (PID: 6388)
      • AgentPackageAgentInformation.exe (PID: 5028)
      • AteraAgent.exe (PID: 7668)
      • AgentPackageSTRemote.exe (PID: 1604)
      • AgentPackageMonitoring.exe (PID: 7356)
      • cscript.exe (PID: 2160)
      • WerFault.exe (PID: 7864)
      • msiexec.exe (PID: 2280)
    • Create files in a temporary directory

      • rundll32.exe (PID: 5000)
      • rundll32.exe (PID: 7672)
      • rundll32.exe (PID: 5200)
    • Checks proxy server information

      • explorer.exe (PID: 4488)
      • rundll32.exe (PID: 7672)
      • rundll32.exe (PID: 5200)
    • Manages system restore points

      • SrTasks.exe (PID: 6912)
    • Reads the machine GUID from the registry

      • msiexec.exe (PID: 6280)
      • AteraAgent.exe (PID: 904)
      • AteraAgent.exe (PID: 3796)
      • AgentPackageAgentInformation.exe (PID: 6388)
      • AgentPackageAgentInformation.exe (PID: 5028)
      • AgentPackageAgentInformation.exe (PID: 2012)
      • AgentPackageAgentInformation.exe (PID: 3888)
      • AteraAgent.exe (PID: 7668)
      • AgentPackageSTRemote.exe (PID: 1604)
      • AgentPackageMonitoring.exe (PID: 7356)
      • csc.exe (PID: 7672)
      • msiexec.exe (PID: 2280)
    • Disables trace logs

      • rundll32.exe (PID: 7672)
      • rundll32.exe (PID: 5200)
      • AgentPackageAgentInformation.exe (PID: 6388)
      • AteraAgent.exe (PID: 904)
      • AgentPackageAgentInformation.exe (PID: 5028)
      • AteraAgent.exe (PID: 7668)
      • AgentPackageSTRemote.exe (PID: 1604)
      • AgentPackageMonitoring.exe (PID: 7356)
    • Creates a software uninstall entry

      • msiexec.exe (PID: 6280)
    • Creates files in the program directory

      • AteraAgent.exe (PID: 904)
    • Script raised an exception (POWERSHELL)

      • powershell.exe (PID: 7304)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
All screenshots are available in the full report
Total processes: 337
Monitored processes: 193
Malicious processes: 7
Suspicious processes: 8

Behavior graph

(Interactive process graph, available in the full report; starts from msedge.exe and runs through explorer.exe, msiexec.exe, rundll32.exe, the AteraAgent.exe service and its AgentPackage*.exe children, powershell.exe, cmd.exe/taskkill.exe loops, cscript.exe, splashtopstreamer.exe and the InstallShield _is*.exe helpers. The three ateraagent.exe nodes are marked THREAT in the graph.)

Process information

PID
CMD
Path
Indicators
Parent process
PID: 132
CMD: C:\WINDOWS\TEMP\{CDDD0021-DD18-41F9-B634-44541C28CCFA}\_is665D.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{DA9E5A7E-AE52-44C5-8C8C-4B65F0DAD87A}
Path: C:\Windows\Temp\{CDDD0021-DD18-41F9-B634-44541C28CCFA}\_is665D.exe
Parent process: msiexec.exe
User:
SYSTEM
Company:
Flexera
Integrity Level:
SYSTEM
Description:
InstallShield (R) 64-bit Setup Engine
Exit code:
0
Version:
27.0.122
Modules
Images
c:\windows\temp\{cddd0021-dd18-41f9-b634-44541c28ccfa}\_is665d.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
PID: 372
CMD: C:\Windows\syswow64\MsiExec.exe -Embedding C4BFD8AC19C8C259B58B8CB92160ACB8 E Global\MSI0000
Path: C:\Windows\SysWOW64\msiexec.exe
Parent process: msiexec.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows® installer
Exit code:
0
Version:
5.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\msiexec.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\aclayers.dll
PID: 444
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=5780 --field-trial-handle=2300,i,17026543929392605290,5350258612096688138,262144 --variations-seed-version /prefetch:8
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 848
CMD: C:\Windows\syswow64\MsiExec.exe -Embedding 0F15651666D1CEDA56E85BC542D4499A
Path: C:\Windows\SysWOW64\msiexec.exe
Parent process: msiexec.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows® installer
Exit code:
0
Version:
5.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\msiexec.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\aclayers.dll
PID: 904
CMD: "C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe"
Path: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
Parent process: services.exe
User:
SYSTEM
Company:
ATERA Networks Ltd.
Integrity Level:
SYSTEM
Description:
AteraAgent
Exit code:
0
Version:
1.8.7.2
Modules
Images
c:\program files (x86)\atera networks\ateraagent\ateraagent.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
PID: 936
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=8096 --field-trial-handle=2300,i,17026543929392605290,5350258612096688138,262144 --variations-seed-version /prefetch:8
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 1476
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: AgentPackageSTRemote.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Console Window Host
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 1576
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: cmd.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 1604
CMD: "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe" 1f7261bd-117e-4e51-a5db-cca597cc16d2 "797b4217-c2b6-4f36-ac29-956c4ba62eb6" agent-api.atera.com/Production 443 or8ixLi90Mf "install eyJSbW1Db2RlIjoiaFpDREZQaEs3NW1KIiwiUmVxdWVzdFBlcm1pc3Npb25PcHRpb24iOjMsIlJlcXVpcmVQYXNzd29yZE9wdGlvbiI6bnVsbCwiUGFzc3dvcmQiOm51bGx9" 001Q300000QJlPOIA1
Path: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe
Parent process: AteraAgent.exe
User:
SYSTEM
Company:
Atera Networks
Integrity Level:
SYSTEM
Description:
AgentPackageSTRemote
Version:
24.4.0.0
Modules
Images
c:\program files (x86)\atera networks\ateraagent\packages\agentpackagestremote\agentpackagestremote.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
PID: 1828
CMD: "C:\Windows\Temp\unpack\PreVerCheck.exe" /s /i sec_opt=0,confirm_d=0,hidewindow=1
Path: C:\Windows\Temp\unpack\PreVerCheck.exe
Parent process: SplashtopStreamer.exe
User:
SYSTEM
Company:
Splashtop Inc.
Integrity Level:
SYSTEM
Description:
Splashtop® Streamer
Version:
3.72.4.150
Modules
Images
c:\windows\temp\unpack\prevercheck.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
Total events: 76 343
Read events: 75 233
Write events: 1 081
Delete events: 29

Modification events

Process: msedge.exe (PID 5892)
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\BLBeacon
Operation: write
Name: failed_count
Value: 0

Process: msedge.exe (PID 5892)
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\BLBeacon
Operation: write
Name: state
Value: 2

Process: msedge.exe (PID 5892)
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\BLBeacon
Operation: write
Name: state
Value: 1

Process: msedge.exe (PID 5892)
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\StabilityMetrics
Operation: write
Name: user_experience_metrics.stability.exited_cleanly
Value: 0

Process: msedge.exe (PID 5892)
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\EdgeUpdate\ClientStateMedium\{56EB18F8-B008-4CBD-B6D2-8C97FE7E9062}\LastWasDefault
Operation: write
Name: S-1-5-21-1693682860-607145093-2874071422-1001
Value: E542CD8EB58C2F00

Process: explorer.exe (PID 4488)
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:00000000000602A8
Operation: write
Name: VirtualDesktop
Value: 1000000030304456A48A294F7A40804AB924005FF030B61F

Process: explorer.exe (PID 4488)
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:0000000000040294
Operation: write
Name: VirtualDesktop
Value: 1000000030304456A48A294F7A40804AB924005FF030B61F

Process: msedge.exe (PID 5892)
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\EdgeUpdate\ClientStateMedium\{56EB18F8-B008-4CBD-B6D2-8C97FE7E9062}\LastWasDefault
Operation: write
Name: S-1-5-21-1693682860-607145093-2874071422-1001
Value: 3AE2D98EB58C2F00

Process: msedge.exe (PID 5892)
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowProperties\393896
Operation: write
Name: WindowTabManagerFileMappingId
Value: {D3304D1B-56CC-4242-BA8F-8FAAE55AA9C3}

Process: msedge.exe (PID 5892)
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowProperties\393896
Operation: write
Name: WindowTabManagerFileMappingId
Value: {EB7DA137-B8B2-4366-8DAA-06A45715B15B}
Executable files: 771
Suspicious files: 1 237
Text files: 323
Unknown types: 1

Dropped files

PID | Process | Filename | Type
5892 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\commerce_subscription_db\LOG.old~RF1350d3.TMP |
5892 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\PersistentOriginTrials\LOG.old~RF1350d3.TMP |
5892 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\discounts_db\LOG.old~RF1350d3.TMP |
5892 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\commerce_subscription_db\LOG.old |
5892 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\PersistentOriginTrials\LOG.old |
5892 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\EdgePushStorageWithConnectTokenAndKey\LOG.old~RF1350d3.TMP |
5892 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\discounts_db\LOG.old |
5892 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\EdgePushStorageWithConnectTokenAndKey\LOG.old |
5892 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\parcel_tracking_db\LOG.old~RF1350e2.TMP |
5892 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\parcel_tracking_db\LOG.old |
(MD5 and SHA256 were not populated for these entries in the report excerpt.)
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 71
TCP/UDP connections: 249
DNS requests: 298
Threats: 57

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
| | GET | 200 | 2.23.77.188:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D | unknown | | | whitelisted
1176 | svchost.exe | GET | 200 | 2.23.77.188:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | | | whitelisted
4520 | SIHClient.exe | GET | 200 | 2.16.253.202:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl | unknown | | | whitelisted
4520 | SIHClient.exe | GET | 200 | 2.16.253.202:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown | | | whitelisted
7164 | backgroundTaskHost.exe | GET | 200 | 2.23.77.188:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAUZZSZEml49Gjh0j13P68w%3D | unknown | | | whitelisted
7524 | svchost.exe | HEAD | 200 | 199.232.210.172:80 | http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/fb6dd03b-99d7-4cc8-a878-91c8e655c2d3?P1=1739801494&P2=404&P3=2&P4=O4bdXCqXB2pOyIi4qn899WQDNTkiy7QRqWFoye4vR9w5iP6Bf7inE68rmCsPmU%2fni2S5U6xUwnpHxTp1ZewH4g%3d%3d | unknown | | | whitelisted
7524 | svchost.exe | GET | 206 | 199.232.210.172:80 | http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/fb6dd03b-99d7-4cc8-a878-91c8e655c2d3?P1=1739801494&P2=404&P3=2&P4=O4bdXCqXB2pOyIi4qn899WQDNTkiy7QRqWFoye4vR9w5iP6Bf7inE68rmCsPmU%2fni2S5U6xUwnpHxTp1ZewH4g%3d%3d | unknown | | | whitelisted
7524 | svchost.exe | GET | 206 | 199.232.210.172:80 | http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/fb6dd03b-99d7-4cc8-a878-91c8e655c2d3?P1=1739801494&P2=404&P3=2&P4=O4bdXCqXB2pOyIi4qn899WQDNTkiy7QRqWFoye4vR9w5iP6Bf7inE68rmCsPmU%2fni2S5U6xUwnpHxTp1ZewH4g%3d%3d | unknown | | | whitelisted
7524 | svchost.exe | GET | 206 | 199.232.210.172:80 | http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/5cbc98ff-b69b-4fda-ad94-17ec2f9cf48b?P1=1739805096&P2=404&P3=2&P4=F8U3zEZpwxtfy3UzZDL8Sb%2bn7bvT3iJWuvMe9YFMpEt3emkxM1OwuWGBxIi6EyKNhQdB0EJOwQjW3nCvmXbdRA%3d%3d | unknown | | | whitelisted
7524 | svchost.exe | GET | 206 | 199.232.210.172:80 | http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/5cbc98ff-b69b-4fda-ad94-17ec2f9cf48b?P1=1739805096&P2=404&P3=2&P4=F8U3zEZpwxtfy3UzZDL8Sb%2bn7bvT3iJWuvMe9YFMpEt3emkxM1OwuWGBxIi6EyKNhQdB0EJOwQjW3nCvmXbdRA%3d%3d | unknown | | | whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | | | | whitelisted
| | 4.231.128.59:443 | | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
5064 | SearchApp.exe | 2.16.204.141:443 | www.bing.com | Akamai International B.V. | DE | whitelisted
| | 2.23.77.188:80 | ocsp.digicert.com | AKAMAI-AS | DE | whitelisted
1480 | RUXIMICS.exe | 4.231.128.59:443 | | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:138 | | | | whitelisted
6464 | msedge.exe | 52.123.243.95:443 | config.edge.skype.com | MICROSOFT-CORP-MSN-AS-BLOCK | DE | whitelisted
5892 | msedge.exe | 239.255.255.250:1900 | | | | whitelisted
6464 | msedge.exe | 13.107.246.45:443 | edge-mobile-static.azureedge.net | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
6464 | msedge.exe | 13.107.21.239:443 | edge.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted

DNS requests

Domain
IP
Reputation
www.bing.com
whitelisted
ocsp.digicert.com
  • 2.23.77.188
whitelisted
config.edge.skype.com
  • 52.123.243.95
  • 52.123.243.85
  • 52.123.243.81
  • 52.123.243.71
whitelisted
denunciadigital-gobmx.com
  • 195.179.237.110
unknown
edge.microsoft.com
  • 13.107.21.239
  • 204.79.197.239
  • 2.23.227.208
  • 2.23.227.215
whitelisted
edge-mobile-static.azureedge.net
  • 13.107.246.45
whitelisted
business.bing.com
  • 13.107.6.158
whitelisted
bzib.nelreports.net
  • 2.16.10.175
  • 2.16.10.182
  • 2.22.242.11
  • 2.22.242.105
whitelisted
www.recaptcha.net
  • 142.250.186.35
whitelisted
www.gstatic.com
  • 142.250.181.227
whitelisted

Threats

PID
Process
Class
Message
6464
msedge.exe
Potentially Bad Traffic
ET DNS Query for .cc TLD
6464
msedge.exe
Misc activity
SUSPICIOUS [ANY.RUN] Tracking Service (.popin .cc)
6464
msedge.exe
Misc activity
SUSPICIOUS [ANY.RUN] Tracking Service (.popin .cc)
6464
msedge.exe
Potentially Bad Traffic
ET DNS Query for .cc TLD
7672
rundll32.exe
Potential Corporate Privacy Violation
POLICY [ANY.RUN] Possible Atera Remote Access Software Domain observed in TLS SNI (agent-api .atera .com)
904
AteraAgent.exe
Potential Corporate Privacy Violation
POLICY [ANY.RUN] Possible Atera Remote Access Software Domain observed in TLS SNI (agent-api .atera .com)
5200
rundll32.exe
Potential Corporate Privacy Violation
POLICY [ANY.RUN] Possible Atera Remote Access Software Domain observed in TLS SNI (agent-api .atera .com)
904
AteraAgent.exe
Potential Corporate Privacy Violation
POLICY [ANY.RUN] Possible Atera Remote Access Software Domain observed in TLS SNI (agent-api .atera .com)
904
AteraAgent.exe
Potential Corporate Privacy Violation
POLICY [ANY.RUN] Possible Atera Remote Access Software Domain observed in TLS SNI (agent-api .atera .com)
6388
AgentPackageAgentInformation.exe
Potential Corporate Privacy Violation
POLICY [ANY.RUN] Possible Atera Remote Access Software Domain observed in TLS SNI (agent-api .atera .com)
Process
Message
AgentPackageMonitoring.exe
Native library pre-loader is trying to load native SQLite library "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\x64\SQLite.Interop.dll"...
SplashtopStreamer.exe
[4864]2025-02-14 19:39:33 [CUnPack::FindHeader] Name:C:\WINDOWS\TEMP\SplashtopStreamer.exe (Last=0)
SplashtopStreamer.exe
[4864]2025-02-14 19:39:33 [CUnPack::UnPackFiles] FreeSpace:231854350336 FileSize:53075456 (Last=0)
SplashtopStreamer.exe
[4864]2025-02-14 19:39:33 [CUnPack::UnPackFiles] (1/5)UnPack file name:C:\WINDOWS\TEMP\unpack\setup.msi (53075456) (Last=0)
SplashtopStreamer.exe
[4864]2025-02-14 19:39:33 [CUnPack::FindHeader] Header offset:434176 (Last=183)
SplashtopStreamer.exe
[4864]2025-02-14 19:39:33 [CUtility::OSInfo] OS 10.0(19045) x64:1 (Last=0)
SplashtopStreamer.exe
[4864]2025-02-14 19:39:33 [CUnPack::FindHeader] Sign Size:10240 (Last=0)
SplashtopStreamer.exe
[4864]2025-02-14 19:39:34 [CUnPack::UnPackFiles] UnPack count:1 len:53075456 File:(null) (Last=0)
SplashtopStreamer.exe
[4864]2025-02-14 19:39:34 [CUnPack::UnPackFiles] FreeSpace:231801257984 FileSize:15 (Last=183)
SplashtopStreamer.exe
[4864]2025-02-14 19:39:34 [CUnPack::UnPackFiles] (2/5)UnPack file name:C:\WINDOWS\TEMP\unpack\run.bat (15) (Last=122)