Full analysis: https://app.any.run/tasks/c29a2d18-05a2-401f-b56a-f7faa7547981
Verdict: Malicious activity
Analysis date: February 11, 2022, 11:21:53
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
generated-doc
Indicators:
MIME: application/x-msi
File info: Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Code page: 1252, Title: Installation Database, Subject: AteraAgent, Author: Atera networks, Keywords: Installer, Comments: This installer database contains the logic and data required to install AteraAgent., Template: Intel;1033, Revision Number: {2B8E0D9C-FD18-425C-A99E-EB91D57A1FD2}, Create Time/Date: Sun Nov 14 18:14:18 2021, Last Saved Time/Date: Sun Nov 14 18:14:18 2021, Number of Pages: 200, Number of Words: 6, Name of Creating Application: Windows Installer XML Toolset (3.11.2.4516), Security: 2
MD5: 0CAED3A5D73BD87B7FCF028EFE589853
SHA1: D52F8E3445F28A0E436B13FEEBE550954BE16805
SHA256: 470E0D1229125DC73528BDA689AD8C08E7BFB0E8F679F335377816780A94CFBE
SSDEEP: 24576:Ui/GZLEoquazO3v0aTJC8z8twySxuQZCJ32Knmn0ygYBR5uUxz9kbWtJjhOE2Z3y:UYGZYos8jJC/GyScQZCYKmn04pt9kb+7

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Changes settings of System certificates

      • AteraAgent.exe (PID: 2008)
      • AgentPackageHeartbeat.exe (PID: 364)
    • Application was dropped or rewritten from another process

      • AteraAgent.exe (PID: 3292)
      • AteraAgent.exe (PID: 2008)
      • AgentPackageAgentInformation.exe (PID: 3356)
      • AgentPackageMonitoring.exe (PID: 484)
      • AgentPackageAgentInformation.exe (PID: 3808)
      • AgentPackageMonitoring.exe (PID: 980)
      • AgentPackageTicketing.exe (PID: 1132)
      • AgentPackageSTRemote.exe (PID: 1564)
      • AgentPackageHeartbeat.exe (PID: 364)
      • AgentPackageUpgradeAgent.exe (PID: 3256)
      • AgentPackageNetworkDiscovery.exe (PID: 2216)
      • AgentPackageUpgradeAgent.exe (PID: 116)
      • AgentPackageADRemote.exe (PID: 2900)
      • AgentPackageWindowsUpdate.exe (PID: 628)
      • AgentPackageProgramManagement.exe (PID: 2424)
    • Loads dropped or rewritten executable

      • AteraAgent.exe (PID: 3292)
      • AgentPackageMonitoring.exe (PID: 484)
      • AgentPackageMonitoring.exe (PID: 980)
      • AgentPackageAgentInformation.exe (PID: 3356)
      • AteraAgent.exe (PID: 2008)
      • AgentPackageAgentInformation.exe (PID: 3808)
      • AgentPackageSTRemote.exe (PID: 1564)
      • AgentPackageHeartbeat.exe (PID: 364)
      • AgentPackageTicketing.exe (PID: 1132)
      • AgentPackageProgramManagement.exe (PID: 2424)
      • AgentPackageNetworkDiscovery.exe (PID: 2216)
      • AgentPackageUpgradeAgent.exe (PID: 116)
      • AgentPackageUpgradeAgent.exe (PID: 3256)
      • AgentPackageWindowsUpdate.exe (PID: 628)
      • AgentPackageADRemote.exe (PID: 2900)
    • Drops executable file immediately after starts

      • AgentPackageUpgradeAgent.exe (PID: 3256)
    • Loads the Task Scheduler COM API

      • AgentPackageUpgradeAgent.exe (PID: 116)
  • SUSPICIOUS

    • Reads Windows owner or organization settings

      • msiexec.exe (PID: 2916)
      • msiexec.exe (PID: 2804)
    • Reads the Windows organization settings

      • msiexec.exe (PID: 2916)
      • msiexec.exe (PID: 2804)
    • Executed as Windows Service

      • vssvc.exe (PID: 3840)
      • msiexec.exe (PID: 2804)
      • AteraAgent.exe (PID: 2008)
    • Drops a file that was compiled in debug mode

      • msiexec.exe (PID: 2804)
      • AteraAgent.exe (PID: 2008)
      • AgentPackageUpgradeAgent.exe (PID: 3256)
      • AgentPackageMonitoring.exe (PID: 980)
    • Executable content was dropped or overwritten

      • msiexec.exe (PID: 2804)
      • AteraAgent.exe (PID: 2008)
      • AgentPackageUpgradeAgent.exe (PID: 3256)
      • AgentPackageMonitoring.exe (PID: 980)
    • Reads Environment values

      • vssvc.exe (PID: 3840)
      • AteraAgent.exe (PID: 2008)
      • AteraAgent.exe (PID: 3292)
      • AgentPackageAgentInformation.exe (PID: 3356)
      • AgentPackageMonitoring.exe (PID: 484)
      • AgentPackageAgentInformation.exe (PID: 3808)
      • AgentPackageMonitoring.exe (PID: 980)
      • AgentPackageSTRemote.exe (PID: 1564)
      • AgentPackageTicketing.exe (PID: 1132)
      • AgentPackageHeartbeat.exe (PID: 364)
      • AgentPackageUpgradeAgent.exe (PID: 3256)
      • AgentPackageProgramManagement.exe (PID: 2424)
      • AgentPackageADRemote.exe (PID: 2900)
      • AgentPackageUpgradeAgent.exe (PID: 116)
      • AgentPackageInternalPoller.exe (PID: 2468)
      • AgentPackageWindowsUpdate.exe (PID: 628)
      • AgentPackageNetworkDiscovery.exe (PID: 2216)
    • Application launched itself

      • msiexec.exe (PID: 2804)
    • Drops a file with a compile date too recent

      • msiexec.exe (PID: 2804)
      • AteraAgent.exe (PID: 2008)
      • AgentPackageUpgradeAgent.exe (PID: 3256)
    • Creates a software uninstall entry

      • msiexec.exe (PID: 2804)
    • Creates files in the Windows directory

      • AteraAgent.exe (PID: 3292)
      • AteraAgent.exe (PID: 2008)
      • AgentPackageUpgradeAgent.exe (PID: 3256)
      • AgentPackageSTRemote.exe (PID: 1564)
    • Creates files in the program directory

      • msiexec.exe (PID: 2804)
      • AteraAgent.exe (PID: 3292)
      • AteraAgent.exe (PID: 2008)
      • AgentPackageMonitoring.exe (PID: 484)
      • AgentPackageSTRemote.exe (PID: 1564)
      • AgentPackageInternalPoller.exe (PID: 2468)
      • AgentPackageWindowsUpdate.exe (PID: 628)
    • Creates a directory in Program Files

      • msiexec.exe (PID: 2804)
      • AteraAgent.exe (PID: 2008)
    • Reads the computer name

      • AteraAgent.exe (PID: 3292)
      • AteraAgent.exe (PID: 2008)
      • AgentPackageAgentInformation.exe (PID: 3356)
      • AgentPackageMonitoring.exe (PID: 484)
      • AgentPackageAgentInformation.exe (PID: 3808)
      • AgentPackageMonitoring.exe (PID: 980)
      • AgentPackageSTRemote.exe (PID: 1564)
      • AgentPackageTicketing.exe (PID: 1132)
      • AgentPackageHeartbeat.exe (PID: 364)
      • cscript.exe (PID: 3664)
      • cscript.exe (PID: 3884)
      • AgentPackageProgramManagement.exe (PID: 2424)
      • AgentPackageUpgradeAgent.exe (PID: 3256)
      • AgentPackageUpgradeAgent.exe (PID: 116)
      • AgentPackageADRemote.exe (PID: 2900)
      • AgentPackageNetworkDiscovery.exe (PID: 2216)
      • AgentPackageInternalPoller.exe (PID: 2468)
      • AgentPackageWindowsUpdate.exe (PID: 628)
    • Starts SC.EXE for service management

      • AteraAgent.exe (PID: 2008)
    • Checks supported languages

      • AteraAgent.exe (PID: 3292)
      • AteraAgent.exe (PID: 2008)
      • AgentPackageAgentInformation.exe (PID: 3356)
      • cscript.exe (PID: 3664)
      • AgentPackageMonitoring.exe (PID: 484)
      • AgentPackageAgentInformation.exe (PID: 3808)
      • AgentPackageMonitoring.exe (PID: 980)
      • AgentPackageSTRemote.exe (PID: 1564)
      • AgentPackageTicketing.exe (PID: 1132)
      • AgentPackageHeartbeat.exe (PID: 364)
      • cmd.exe (PID: 2204)
      • AgentPackageUpgradeAgent.exe (PID: 3256)
      • cscript.exe (PID: 3884)
      • AgentPackageProgramManagement.exe (PID: 2424)
      • AgentPackageNetworkDiscovery.exe (PID: 2216)
      • AgentPackageWindowsUpdate.exe (PID: 628)
      • AgentPackageUpgradeAgent.exe (PID: 116)
      • AgentPackageADRemote.exe (PID: 2900)
      • AgentPackageInternalPoller.exe (PID: 2468)
      • cmd.exe (PID: 2168)
    • Searches for installed software

      • msiexec.exe (PID: 2804)
      • AgentPackageAgentInformation.exe (PID: 3808)
      • AgentPackageProgramManagement.exe (PID: 2424)
      • AgentPackageAgentInformation.exe (PID: 3356)
    • Reads Windows Product ID

      • AgentPackageAgentInformation.exe (PID: 3356)
      • AgentPackageAgentInformation.exe (PID: 3808)
    • Starts CMD.EXE for commands execution

      • AgentPackageAgentInformation.exe (PID: 3356)
      • AgentPackageAgentInformation.exe (PID: 3808)
    • Executes scripts

      • cmd.exe (PID: 2168)
      • cmd.exe (PID: 2204)
    • Adds / modifies Windows certificates

      • AgentPackageHeartbeat.exe (PID: 364)
    • Starts itself from another location

      • AgentPackageUpgradeAgent.exe (PID: 3256)
    • Drops a file with too old compile date

      • AgentPackageMonitoring.exe (PID: 980)
  • INFO

    • Reads settings of System Certificates

      • msiexec.exe (PID: 2916)
      • msiexec.exe (PID: 2804)
      • AteraAgent.exe (PID: 2008)
      • AgentPackageAgentInformation.exe (PID: 3356)
      • AgentPackageMonitoring.exe (PID: 484)
      • AgentPackageHeartbeat.exe (PID: 364)
      • AgentPackageSTRemote.exe (PID: 1564)
      • AgentPackageTicketing.exe (PID: 1132)
      • AgentPackageADRemote.exe (PID: 2900)
      • AgentPackageWindowsUpdate.exe (PID: 628)
      • AgentPackageInternalPoller.exe (PID: 2468)
      • AgentPackageProgramManagement.exe (PID: 2424)
    • Checks supported languages

      • msiexec.exe (PID: 2916)
      • msiexec.exe (PID: 2804)
      • vssvc.exe (PID: 3840)
      • MsiExec.exe (PID: 3296)
      • sc.exe (PID: 2976)
    • Reads the computer name

      • msiexec.exe (PID: 2916)
      • msiexec.exe (PID: 2804)
      • vssvc.exe (PID: 3840)
      • MsiExec.exe (PID: 3296)
      • sc.exe (PID: 2976)
    • Checks Windows Trust Settings

      • msiexec.exe (PID: 2804)
      • msiexec.exe (PID: 2916)
      • cscript.exe (PID: 3664)
      • cscript.exe (PID: 3884)
    • Reads Microsoft Office registry keys

      • AgentPackageAgentInformation.exe (PID: 3356)
      • AgentPackageAgentInformation.exe (PID: 3808)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.msi | Microsoft Windows Installer (98.5)
.msi | Microsoft Installer (100)

EXIF

FlashPix

Security: Read-only recommended
Software: Windows Installer XML Toolset (3.11.2.4516)
Words: 6
Pages: 200
ModifyDate: 2021:11:14 18:14:18
CreateDate: 2021:11:14 18:14:18
RevisionNumber: {2B8E0D9C-FD18-425C-A99E-EB91D57A1FD2}
Template: Intel;1033
Comments: This installer database contains the logic and data required to install AteraAgent.
Keywords: Installer
Author: Atera networks
Subject: AteraAgent
Title: Installation Database
CodePage: Windows Latin 1 (Western European)
No data.
All screenshots are available in the full report
Total processes: 83
Monitored processes: 26
Malicious processes: 16
Suspicious processes: 1


Process information

PID: 116
CMD: "C:\Windows\TEMP\AteraUpgradeAgentPackage\AgentPackageUpgradeAgent.exe" "5a81c2f4-8914-45de-b324-a50b021a6ae9" "71f5ecb0-8b08-48b4-a26e-1650a087f4a8" "agent-api.atera.com/Production" "443" "or8ixLi90Mf" "checkforupdates"
Path: C:\Windows\TEMP\AteraUpgradeAgentPackage\AgentPackageUpgradeAgent.exe
Parent process: AgentPackageUpgradeAgent.exe
User: SYSTEM
Company: Atera Networks LTD
Integrity Level: SYSTEM
Description: AgentPackageUpgradeAgent
Exit code: 0
Version: 23.6.0.0
Modules
Images
c:\windows\temp\ateraupgradeagentpackage\agentpackageupgradeagent.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
PID: 364
CMD: "C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.exe" 5a81c2f4-8914-45de-b324-a50b021a6ae9 "ccd35186-d828-4047-ae23-67ed8fb94b6a" agent-api.atera.com/Production 443 or8ixLi90Mf "heartbeat"
Path: C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.exe
Parent process: AteraAgent.exe
User: SYSTEM
Company: Atera Networks
Integrity Level: SYSTEM
Description: AgentPackageHeartbeat
Exit code: 0
Version: 17.4.0.0
Modules
Images
c:\program files\atera networks\ateraagent\packages\agentpackageheartbeat\agentpackageheartbeat.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
PID: 484
CMD: "C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe" 5a81c2f4-8914-45de-b324-a50b021a6ae9 "5b199431-5fc9-4aa5-a5ba-9c1e7f28279c" agent-api.atera.com/Production 443 or8ixLi90Mf "syncprofile"
Path: C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe
Parent process: AteraAgent.exe
User: SYSTEM
Integrity Level: SYSTEM
Description: AgentPackageMonitoring
Exit code: 0
Version: 32.70.0.0
Modules
Images
c:\program files\atera networks\ateraagent\packages\agentpackagemonitoring\agentpackagemonitoring.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
PID: 628
CMD: "C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageWindowsUpdate\AgentPackageWindowsUpdate.exe" 5a81c2f4-8914-45de-b324-a50b021a6ae9 "8d5adbd5-88ba-4834-b52a-c1cab9e33a29" agent-api.atera.com/Production 443 or8ixLi90Mf "getlistofallupdates"
Path: C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageWindowsUpdate\AgentPackageWindowsUpdate.exe
Parent process: AteraAgent.exe
User: SYSTEM
Company: Atera Networks
Integrity Level: SYSTEM
Description: AgentPackageWindowsUpdate
Exit code: 0
Version: 23.1.0.0
Modules
Images
c:\windows\system32\ntdll.dll
c:\program files\atera networks\ateraagent\packages\agentpackagewindowsupdate\agentpackagewindowsupdate.exe
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
PID: 980
CMD: "C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe" 5a81c2f4-8914-45de-b324-a50b021a6ae9 "4550899f-2ee0-4481-b6dc-6ea289c88832" agent-api.atera.com/Production 443 or8ixLi90Mf "monitor"
Path: C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe
Parent process: AteraAgent.exe
User: SYSTEM
Integrity Level: SYSTEM
Description: AgentPackageMonitoring
Exit code: 0
Version: 32.70.0.0
Modules
Images
c:\program files\atera networks\ateraagent\packages\agentpackagemonitoring\agentpackagemonitoring.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
PID: 1132
CMD: "C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe" 5a81c2f4-8914-45de-b324-a50b021a6ae9 "2e4b6947-47bd-4f77-a5fa-0d08beea6320" agent-api.atera.com/Production 443 or8ixLi90Mf "maintain"
Path: C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe
Parent process: AteraAgent.exe
User: SYSTEM
Integrity Level: SYSTEM
Description: AgentPackageTicketing
Exit code: 0
Version: 20.8.0.0
Modules
Images
c:\program files\atera networks\ateraagent\packages\agentpackageticketing\agentpackageticketing.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
PID: 1564
CMD: "C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe" 5a81c2f4-8914-45de-b324-a50b021a6ae9 "b01097f5-922f-4461-95cd-3dad15a1f875" agent-api.atera.com/Production 443 or8ixLi90Mf "downloadifneeded"
Path: C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe
Parent process: AteraAgent.exe
User: SYSTEM
Company: Atera Networks
Integrity Level: SYSTEM
Description: AgentPackageSTRemote
Exit code: 0
Version: 18.12.0.0
Modules
Images
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\program files\atera networks\ateraagent\packages\agentpackagestremote\agentpackagestremote.exe
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
PID: 2008
CMD: "C:\Program Files\ATERA Networks\AteraAgent\AteraAgent.exe"
Path: C:\Program Files\ATERA Networks\AteraAgent\AteraAgent.exe
Parent process: services.exe
User: SYSTEM
Company: ATERA Networks Ltd.
Integrity Level: SYSTEM
Description: AteraAgent
Exit code: 0
Version: 1.8.2.3
Modules
Images
c:\windows\system32\ntdll.dll
c:\program files\atera networks\ateraagent\ateraagent.exe
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
PID: 2168
CMD: "cmd.exe" /c "cscript ospp.vbs /dstatus"
Path: C:\Windows\system32\cmd.exe
Parent process: AgentPackageAgentInformation.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Windows Command Processor
Exit code: 0
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
PID: 2204
CMD: "cmd.exe" /c "cscript ospp.vbs /dstatus"
Path: C:\Windows\system32\cmd.exe
Parent process: AgentPackageAgentInformation.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Windows Command Processor
Exit code: 0
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
Total events: 45 404
Read events: 44 790
Write events: 602
Delete events: 12

Modification events

(PID) Process: (2916) msiexec.exe | Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\16C\52C64B7E | Operation: write | Name: LanguageList | Value: en-US
(PID) Process: (2804) msiexec.exe | Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SystemRestore | Operation: write | Name: SrCreateRp (Enter) | Value: 40000000000000008373C895391FD801F40A0000AC090000D5070000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process: (2804) msiexec.exe | Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SPP | Operation: write | Name: SppCreate (Enter) | Value: 40000000000000008373C895391FD801F40A0000AC090000D0070000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process: (2804) msiexec.exe | Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SPP | Operation: write | Name: LastIndex | Value: 69
(PID) Process: (2804) msiexec.exe | Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SPP | Operation: write | Name: SppGatherWriterMetadata (Enter) | Value: 40000000000000001D211796391FD801F40A0000AC090000D3070000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process: (2804) msiexec.exe | Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssapiPublisher | Operation: write | Name: IDENTIFY (Enter) | Value: 40000000000000001D211796391FD801F40A000010060000E803000001000000000000000000000003E8B38AE77B7C4192EFA8242F24C5F50000000000000000
(PID) Process: (3840) vssvc.exe | Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\ASR Writer | Operation: write | Name: IDENTIFY (Enter) | Value: 40000000000000002B481E96391FD801000F0000D8040000E8030000010000000100000000000000000000000000000000000000000000000000000000000000
(PID) Process: (3840) vssvc.exe | Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer | Operation: write | Name: IDENTIFY (Enter) | Value: 40000000000000002B481E96391FD801000F0000780B0000E8030000010000000100000000000000000000000000000000000000000000000000000000000000
(PID) Process: (3840) vssvc.exe | Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer | Operation: write | Name: IDENTIFY (Enter) | Value: 40000000000000002B481E96391FD801000F00004C0B0000E8030000010000000100000000000000000000000000000000000000000000000000000000000000
(PID) Process: (3840) vssvc.exe | Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer | Operation: write | Name: IDENTIFY (Enter) | Value: 40000000000000002B481E96391FD801000F0000DC0E0000E8030000010000000100000000000000000000000000000000000000000000000000000000000000
Executable files: 132
Suspicious files: 27
Text files: 43
Unknown types: 7

Dropped files

PID | Process | Filename | Type
2804 | msiexec.exe | C:\System Volume Information\SPP\metadata-2 | (no type recorded)
2804 | msiexec.exe | C:\Users\admin\AppData\Local\Temp\~DF5A82214C04447AD2.TMP | gmc
2804 | msiexec.exe | C:\System Volume Information\SPP\snapshot-2 | binary
2804 | msiexec.exe | C:\System Volume Information\SPP\OnlineMetadataCache\{8ab3e803-7be7-417c-92ef-a8242f24c5f5}_OnDiskSnapshotProp | binary
2804 | msiexec.exe | C:\Windows\Installer\MSI50D5.tmp | binary
2804 | msiexec.exe | C:\Config.Msi\194adc.rbs | binary
3292 | AteraAgent.exe | C:\Program Files\ATERA Networks\AteraAgent\log.txt | text
2804 | msiexec.exe | C:\Windows\Installer\194add.msi | executable
2804 | msiexec.exe | C:\Program Files\ATERA Networks\AteraAgent\ICSharpCode.SharpZipLib.dll | executable
  MD5: C8164876B6F66616D68387443621510C
  SHA256: 40B3D590F95191F3E33E5D00E534FA40F823D9B1BB2A9AFE05F139C4E0A3AF8D
2804 | msiexec.exe | C:\Program Files\ATERA Networks\AteraAgent\AteraAgent.exe.config | xml
  MD5: 4DDB0C634CB71A359F292ECA91B4CE25
  SHA256: C6CEF49C06F0E348BDF3CCA91B49EA4718B71741C026BCCBF462BE8778F2AA9E
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 5
TCP/UDP connections: 37
DNS requests: 15
Threats: 18

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
2008 | AteraAgent.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfqhLjKLEJQZPin0KCzkdAQpVYowQUsT7DaQP4v0cB1JgmGggC72NkK8MCEAPxtOFfOoLxFJZ4s9fYR1w%3D | US | der | 471 b | whitelisted
2008 | AteraAgent.exe | GET | 200 | 104.18.10.39:80 | http://cacerts.digicert.com/DigiCertEVCodeSigningCA-SHA2.crt | US | der | 1.69 Kb | whitelisted
2008 | AteraAgent.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSPwl%2BrBFlJbvzLXU1bGW08VysJ2wQUj%2Bh%2B8G0yagAFI8dwl2o6kP9r6tQCEA9Pb936OTbfiKMzmkd4EHs%3D | US | der | 471 b | whitelisted
2008 | AteraAgent.exe | GET | 200 | 104.18.11.39:80 | http://cacerts.thawte.com/ThawteRSACA2018.crt | US | der | 1.14 Kb | whitelisted
2008 | AteraAgent.exe | GET | 200 | 209.197.3.8:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?649d06d35fc65520 | US | compressed | 4.70 Kb | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
2008 | AteraAgent.exe | 35.157.63.227:443 | ps.pndsn.com | Amazon.com, Inc. | DE | unknown
2008 | AteraAgent.exe | 40.119.152.241:443 | agent-api.atera.com | Microsoft Corporation | US | suspicious
2008 | AteraAgent.exe | 104.18.11.39:80 | cacerts.thawte.com | Cloudflare Inc | US | shared
484 | AgentPackageMonitoring.exe | 40.119.152.241:443 | agent-api.atera.com | Microsoft Corporation | US | suspicious
2008 | AteraAgent.exe | 13.107.246.44:443 | ps.atera.com | Microsoft Corporation | US | suspicious
1564 | AgentPackageSTRemote.exe | 40.119.152.241:443 | agent-api.atera.com | Microsoft Corporation | US | suspicious
1132 | AgentPackageTicketing.exe | 152.199.23.209:443 | api.nuget.org | MCI Communications Services, Inc. d/b/a Verizon Business | US | suspicious
364 | AgentPackageHeartbeat.exe | 52.236.186.4:443 | atera-agent-heartbeat.servicebus.windows.net | Microsoft Corporation | NL | unknown
2424 | AgentPackageProgramManagement.exe | 40.119.152.241:443 | agent-api.atera.com | Microsoft Corporation | US | suspicious
1564 | AgentPackageSTRemote.exe | 52.9.141.147:443 | my.splashtop.com | Amazon.com, Inc. | US | suspicious

DNS requests

Domain | IP | Reputation
agent-api.atera.com | 40.119.152.241 | suspicious
cacerts.thawte.com | 104.18.11.39, 104.18.10.39 | whitelisted
ps.pndsn.com | 35.157.63.227, 35.157.63.229 | suspicious
ps.atera.com | 13.107.246.44, 13.107.213.44 | suspicious
ctldl.windowsupdate.com | 209.197.3.8 | whitelisted
cacerts.digicert.com | 104.18.10.39, 104.18.11.39 | whitelisted
ocsp.digicert.com | 93.184.220.29 | whitelisted
api.nuget.org | 152.199.23.209 | whitelisted
atera-agent-heartbeat.servicebus.windows.net | 52.236.186.4 | unknown
my.splashtop.com | 52.9.141.147, 52.8.180.196 | suspicious

Threats

Found threats are available for the paid subscriptions
18 ETPRO signatures available at the full report
No debug info