URL:

https://hidrive.ionos.com/api/sharelink/download?id=bzjHzG4aa

Full analysis: https://app.any.run/tasks/e0407f91-d91e-4929-9ace-6420792d855e
Verdict: Malicious activity
Analysis date: March 24, 2025, 11:57:49
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
autorun-download
phishing
phish-url
atera
rmm-tool
splashtop
ateraagent
Indicators:
MD5:

FC631F41183A900F0E4121BB8F7A7BA4

SHA1:

D217394DFFE8B6A0168E8A77F330ECF833702A2E

SHA256:

66B750D28FA36EDA03D34E4D32824E77674557F6D3843116B88C7896F4E37E99

SSDEEP:

3:N8whMTAJyK09KBjE0lEEE:2whMTiyK00BjOEE

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Starts NET.EXE for service management

      • msiexec.exe (PID: 2908)
      • net.exe (PID: 5972)
      • net.exe (PID: 8664)
      • msiexec.exe (PID: 9464)
      • net.exe (PID: 9848)

    • Changes powershell execution policy (Bypass)

      • AgentPackageAgentInformation.exe (PID: 2800)
      • AgentPackageAgentInformation.exe (PID: 2596)

    • Bypass execution policy to execute commands

      • powershell.exe (PID: 8028)
      • powershell.exe (PID: 10044)

    • Executing a file with an untrusted certificate

      • SRSelfSignCertUtil.exe (PID: 1852)

    • ATERA mutex has been found

      • AgentPackageMonitoring.exe (PID: 8644)

    • Changes the autorun value in the registry

      • dotnet-runtime-8.0.11-win-x64.exe (PID: 7100)

  • SUSPICIOUS

    • Process drops legitimate windows executable

      • msedge.exe (PID: 7420)
      • msedge.exe (PID: 4868)
      • msiexec.exe (PID: 8876)
      • AteraAgent.exe (PID: 5936)
      • AteraAgent.exe (PID: 1540)
      • AgentPackageUpgradeAgent.exe (PID: 9132)
      • 8-0-11.exe (PID: 10004)
      • dotnet-runtime-8.0.11-win-x64.exe (PID: 7100)
      • 8-0-11.exe (PID: 7824)

    • Executes as Windows Service

      • VSSVC.exe (PID: 8740)
      • AteraAgent.exe (PID: 5936)
      • AteraAgent.exe (PID: 1540)
      • SRService.exe (PID: 9880)
      • AteraAgent.exe (PID: 7104)

    • Executable content was dropped or overwritten

      • rundll32.exe (PID: 8772)
      • rundll32.exe (PID: 4112)
      • rundll32.exe (PID: 8048)
      • AteraAgent.exe (PID: 5936)
      • rundll32.exe (PID: 8584)
      • csc.exe (PID: 8612)
      • SplashtopStreamer.exe (PID: 4208)
      • PreVerCheck.exe (PID: 6564)
      • AteraAgent.exe (PID: 1540)
      • SetupUtil.exe (PID: 3300)
      • AgentPackageUpgradeAgent.exe (PID: 9132)
      • csc.exe (PID: 4528)
      • AgentPackageTicketing.exe (PID: 4728)
      • rundll32.exe (PID: 9500)
      • rundll32.exe (PID: 9544)
      • rundll32.exe (PID: 9844)
      • AgentPackageRuntimeInstaller.exe (PID: 9044)
      • 8-0-11.exe (PID: 10004)
      • 8-0-11.exe (PID: 7824)
      • dotnet-runtime-8.0.11-win-x64.exe (PID: 7100)
      • rundll32.exe (PID: 9284)

    • Potential Corporate Privacy Violation

      • rundll32.exe (PID: 8584)
      • AgentPackageAgentInformation.exe (PID: 4268)
      • AteraAgent.exe (PID: 1540)
      • AteraAgent.exe (PID: 5936)
      • AgentPackageAgentInformation.exe (PID: 2800)
      • AgentPackageInternalPoller.exe (PID: 1628)
      • AgentPackageMarketplace.exe (PID: 9100)
      • rundll32.exe (PID: 9544)
      • AgentPackageAgentInformation.exe (PID: 2596)
      • AteraAgent.exe (PID: 7104)
      • rundll32.exe (PID: 9284)
      • AgentPackageTicketing.exe (PID: 4728)
      • AgentPackageMonitoring.exe (PID: 8644)

    • Uses TASKKILL.EXE to kill process

      • msiexec.exe (PID: 2908)
      • cmd.exe (PID: 7620)
      • cmd.exe (PID: 8572)
      • cmd.exe (PID: 5972)
      • cmd.exe (PID: 8388)
      • cmd.exe (PID: 6592)
      • cmd.exe (PID: 4408)
      • cmd.exe (PID: 6632)
      • cmd.exe (PID: 1240)
      • cmd.exe (PID: 7084)
      • cmd.exe (PID: 7972)
      • msiexec.exe (PID: 9464)

    • ATERAAGENT has been detected

      • AteraAgent.exe (PID: 6392)
      • AteraAgent.exe (PID: 5936)
      • AteraAgent.exe (PID: 1540)
      • AteraAgent.exe (PID: 3884)
      • AteraAgent.exe (PID: 10124)
      • AteraAgent.exe (PID: 7104)

    • Reads security settings of Internet Explorer

      • AteraAgent.exe (PID: 6392)
      • AteraAgent.exe (PID: 1540)
      • AgentPackageAgentInformation.exe (PID: 2800)
      • AteraAgent.exe (PID: 7104)

    • Reads the date of Windows installation

      • AteraAgent.exe (PID: 5936)

    • Restarts service on failure

      • sc.exe (PID: 2192)
      • sc.exe (PID: 8172)
      • sc.exe (PID: 7316)

    • Starts SC.EXE for service management

      • AteraAgent.exe (PID: 5936)
      • AteraAgent.exe (PID: 1540)
      • AteraAgent.exe (PID: 7104)

    • The process bypasses the loading of PowerShell profile settings

      • AgentPackageAgentInformation.exe (PID: 2800)
      • AgentPackageAgentInformation.exe (PID: 2596)

    • The process executes Powershell scripts

      • AgentPackageAgentInformation.exe (PID: 2800)
      • cmd.exe (PID: 3968)
      • AgentPackageAgentInformation.exe (PID: 2596)
      • cmd.exe (PID: 9660)

    • Starts POWERSHELL.EXE for commands execution

      • AgentPackageAgentInformation.exe (PID: 2800)
      • cmd.exe (PID: 3968)
      • AgentPackageAgentInformation.exe (PID: 2596)
      • cmd.exe (PID: 9660)

    • CSC.EXE is used to compile C# code

      • csc.exe (PID: 8612)
      • csc.exe (PID: 4528)

    • Starts CMD.EXE for commands execution

      • AgentPackageAgentInformation.exe (PID: 2800)
      • msiexec.exe (PID: 7744)
      • SetupUtil.exe (PID: 3300)
      • AgentPackageRuntimeInstaller.exe (PID: 9044)
      • AgentPackageAgentInformation.exe (PID: 2596)

    • The process executes VB scripts

      • cmd.exe (PID: 8592)
      • cmd.exe (PID: 4376)

    • Creates FileSystem object to access computer's file system (SCRIPT)

      • cscript.exe (PID: 4112)
      • cscript.exe (PID: 7000)

    • Gets full path of the running script (SCRIPT)

      • cscript.exe (PID: 4112)
      • cscript.exe (PID: 7000)

    • Gets the drive type (SCRIPT)

      • cscript.exe (PID: 4112)
      • cscript.exe (PID: 7000)

    • Accesses computer name via WMI (SCRIPT)

      • cscript.exe (PID: 4112)
      • cscript.exe (PID: 7000)

    • Accesses WMI object, sets custom ImpersonationLevel (SCRIPT)

      • cscript.exe (PID: 4112)
      • cscript.exe (PID: 7000)

    • Gets a collection of all available drive names (SCRIPT)

      • cscript.exe (PID: 4112)
      • cscript.exe (PID: 7000)

    • Executes application which crashes

      • cscript.exe (PID: 4112)
      • cscript.exe (PID: 7000)

    • Drops a system driver (possible attempt to evade defenses)

      • msiexec.exe (PID: 8876)

    • Creates a software uninstall entry

      • dotnet-runtime-8.0.11-win-x64.exe (PID: 7100)

    • Starts a Microsoft application from unusual location

      • dotnet-runtime-8.0.11-win-x64.exe (PID: 7100)
      • 8-0-11.exe (PID: 7824)

    • Starts itself from another location

      • 8-0-11.exe (PID: 7824)

  • INFO

    • Application launched itself

      • msedge.exe (PID: 4868)

    • Autorun file from Downloads

      • msedge.exe (PID: 4868)
      • msedge.exe (PID: 8232)

    • Reads the computer name

      • identity_helper.exe (PID: 8588)
      • msiexec.exe (PID: 8900)
      • AteraAgent.exe (PID: 6392)
      • AgentPackageMonitoring.exe (PID: 7904)
      • _isE761.exe (PID: 4884)
      • AgentPackageMarketplace.exe (PID: 9100)
      • _isEB2.exe (PID: 2096)
      • _isEB2.exe (PID: 5084)
      • _is14FC.exe (PID: 9408)
      • _is14FC.exe (PID: 9612)
      • _is14FC.exe (PID: 9644)
      • _isEB2.exe (PID: 8420)

    • Executable content was dropped or overwritten

      • msedge.exe (PID: 4868)
      • msedge.exe (PID: 7420)
      • msiexec.exe (PID: 8876)
      • msiexec.exe (PID: 7744)

    • Reads Environment values

      • identity_helper.exe (PID: 8588)
      • AteraAgent.exe (PID: 5936)
      • AgentPackageMonitoring.exe (PID: 7904)
      • AgentPackageTicketing.exe (PID: 4728)
      • AteraAgent.exe (PID: 10124)

    • Checks supported languages

      • identity_helper.exe (PID: 8588)
      • msiexec.exe (PID: 8876)
      • msiexec.exe (PID: 8900)
      • AgentPackageAgentInformation.exe (PID: 2800)
      • AteraAgent.exe (PID: 6392)
      • AgentPackageAgentInformation.exe (PID: 6652)
      • AgentPackageMonitoring.exe (PID: 7904)
      • msiexec.exe (PID: 7744)
      • _isE761.exe (PID: 4884)
      • SetupUtil.exe (PID: 3300)
      • SRSelfSignCertUtil.exe (PID: 1852)
      • _isEB2.exe (PID: 8420)
      • _isEB2.exe (PID: 2096)
      • _isEB2.exe (PID: 5084)
      • _is14FC.exe (PID: 9612)
      • _is14FC.exe (PID: 9644)
      • SRManager.exe (PID: 9912)
      • SRFeature.exe (PID: 5452)
      • SRUtility.exe (PID: 9372)
      • 8-0-11.exe (PID: 10004)
      • _is14FC.exe (PID: 9408)

    • Reads the machine GUID from the registry

      • msiexec.exe (PID: 8876)
      • AteraAgent.exe (PID: 6392)
      • AteraAgent.exe (PID: 5936)
      • AgentPackageAgentInformation.exe (PID: 4268)
      • AteraAgent.exe (PID: 1540)
      • AgentPackageMonitoring.exe (PID: 7904)
      • msiexec.exe (PID: 7744)
      • AgentPackageHeartbeat.exe (PID: 5408)
      • AgentPackageMarketplace.exe (PID: 9100)
      • AgentPackageTicketing.exe (PID: 4728)
      • AteraAgent.exe (PID: 10124)

    • Reads Microsoft Office registry keys

      • msedge.exe (PID: 4868)

    • Create files in a temporary directory

      • rundll32.exe (PID: 8772)

    • Reads the software policy settings

      • msiexec.exe (PID: 7736)
      • AteraAgent.exe (PID: 6392)
      • AteraAgent.exe (PID: 5936)
      • AgentPackageSTRemote.exe (PID: 8404)
      • AteraAgent.exe (PID: 1540)
      • AgentPackageAgentInformation.exe (PID: 2800)
      • SRManager.exe (PID: 9912)
      • AgentPackageAgentInformation.exe (PID: 2596)

    • The sample compiled with english language support

      • rundll32.exe (PID: 8772)
      • rundll32.exe (PID: 4112)
      • rundll32.exe (PID: 8048)
      • AteraAgent.exe (PID: 5936)
      • PreVerCheck.exe (PID: 6564)
      • msiexec.exe (PID: 8876)
      • msiexec.exe (PID: 7744)
      • AteraAgent.exe (PID: 1540)
      • SetupUtil.exe (PID: 3300)
      • rundll32.exe (PID: 9500)
      • rundll32.exe (PID: 9544)
      • rundll32.exe (PID: 9844)
      • 8-0-11.exe (PID: 10004)
      • 8-0-11.exe (PID: 7824)
      • dotnet-runtime-8.0.11-win-x64.exe (PID: 7100)
      • rundll32.exe (PID: 9284)

    • Disables trace logs

      • rundll32.exe (PID: 8584)
      • AgentPackageAgentInformation.exe (PID: 4268)
      • AteraAgent.exe (PID: 1540)

    • Creates a software uninstall entry

      • msiexec.exe (PID: 8876)

    • Creates files in the program directory

      • AteraAgent.exe (PID: 6392)
      • AteraAgent.exe (PID: 5936)
      • AgentPackageSTRemote.exe (PID: 8404)
      • AteraAgent.exe (PID: 1540)
      • SRAgent.exe (PID: 10200)
      • dotnet-runtime-8.0.11-win-x64.exe (PID: 7100)
      • AteraAgent.exe (PID: 3884)

    • Manages system restore points

      • SrTasks.exe (PID: 8648)

    • Script raised an exception (POWERSHELL)

      • powershell.exe (PID: 8896)
      • powershell.exe (PID: 8228)

    • SPLASHTOP has been detected

      • msiexec.exe (PID: 7744)
      • msiexec.exe (PID: 7744)
      • SRSelfSignCertUtil.exe (PID: 1852)
      • SRService.exe (PID: 684)
      • SRService.exe (PID: 9880)
      • SRManager.exe (PID: 9912)
      • SRAppPB.exe (PID: 10220)
      • SRFeature.exe (PID: 5452)
      • SRServer.exe (PID: 10164)
      • SRUtility.exe (PID: 9372)
      • SRAgent.exe (PID: 10200)
      • SRServer.exe (PID: 10164)
      • SRManager.exe (PID: 9912)
      • osqueryi.exe (PID: 9832)
      • SetupUtil.exe (PID: 3300)
      • msiexec.exe (PID: 8876)
      • SRAgent.exe (PID: 10200)
      • SRVirtualDisplay.exe (PID: 4988)
      • SRFeature.exe (PID: 5452)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
406
Monitored processes
262
Malicious processes
14
Suspicious processes
7

Behavior graph

Click at the process to see the details
start msedge.exe msedge.exe no specs msedge.exe no specs msedge.exe msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs sppextcomobj.exe no specs slui.exe identity_helper.exe no specs identity_helper.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msiexec.exe no specs msiexec.exe vssvc.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs srtasks.exe no specs conhost.exe no specs msiexec.exe no specs rundll32.exe rundll32.exe rundll32.exe msiexec.exe no specs net.exe no specs conhost.exe no specs net1.exe no specs taskkill.exe no specs conhost.exe no specs THREAT ateraagent.exe THREAT ateraagent.exe sc.exe no specs rundll32.exe conhost.exe no specs agentpackageagentinformation.exe conhost.exe no specs agentpackageagentinformation.exe conhost.exe no specs agentpackageagentinformation.exe no specs conhost.exe no specs agentpackageagentinformation.exe conhost.exe no specs THREAT ateraagent.exe sc.exe no specs conhost.exe no specs agentpackagestremote.exe conhost.exe no specs agentpackagemonitoring.exe conhost.exe no specs powershell.exe no specs conhost.exe no specs csc.exe cvtres.exe no specs cmd.exe no specs conhost.exe no specs cscript.exe msedge.exe no specs werfault.exe no specs msedge.exe no specs powershell.exe no specs conhost.exe no specs splashtopstreamer.exe prevercheck.exe msiexec.exe no specs msiexec.exe cmd.exe no specs conhost.exe no specs powershell.exe no specs _isbcf4.exe no specs _isbcf4.exe no specs _isbcf4.exe no specs _isbcf4.exe no specs _isbcf4.exe no specs slui.exe _isbcf4.exe no specs _isbcf4.exe no specs _isbcf4.exe no specs _isbcf4.exe no specs _isbcf4.exe no specs cmd.exe no specs conhost.exe no specs taskkill.exe no specs cmd.exe no specs conhost.exe no specs taskkill.exe no specs cmd.exe no specs conhost.exe no specs taskkill.exe no specs cmd.exe no specs conhost.exe no specs taskkill.exe no specs cmd.exe no specs conhost.exe no specs taskkill.exe no specs cmd.exe no specs conhost.exe no specs taskkill.exe no specs cmd.exe no specs conhost.exe no specs taskkill.exe no specs cmd.exe no specs conhost.exe no specs taskkill.exe no specs cmd.exe no specs conhost.exe no specs taskkill.exe no specs cmd.exe no specs conhost.exe no specs taskkill.exe no specs _isc8fb.exe no specs _isc8fb.exe no specs _isc8fb.exe no specs _isc8fb.exe no specs _isc8fb.exe no specs _isc8fb.exe no specs _isc8fb.exe no specs _isc8fb.exe no specs _isc8fb.exe no specs _isc8fb.exe no specs _ise761.exe no specs _ise761.exe no specs _ise761.exe no specs _ise761.exe no specs _ise761.exe no specs _ise761.exe no specs _ise761.exe no specs _ise761.exe no specs _ise761.exe no specs _ise761.exe no specs setuputil.exe no specs setuputil.exe no specs agentpackageagentinformation.exe conhost.exe no specs msedge.exe no specs setuputil.exe cmd.exe no specs conhost.exe no specs powershell.exe no specs conhost.exe no specs agentpackageheartbeat.exe conhost.exe no specs agentpackageinternalpoller.exe conhost.exe no specs THREAT agentpackagemonitoring.exe conhost.exe no specs cmd.exe no specs conhost.exe no specs agentpackageupgradeagent.exe conhost.exe no specs agentpackagesystemtools.exe no specs agentpackageadremote.exe no specs conhost.exe no specs conhost.exe no specs agentpackageruntimeinstaller.exe conhost.exe no specs srselfsigncertutil.exe agentpackagemarketplace.exe conhost.exe no specs cmd.exe no specs conhost.exe no specs agentpackageticketing.exe conhost.exe no specs msiexec.exe no specs agent.package.availability.exe conhost.exe no specs csc.exe cvtres.exe no specs agent.package.software.exe conhost.exe no specs agent.package.watchdog.exe conhost.exe no specs cmd.exe no specs conhost.exe no specs _iseb2.exe no specs cscript.exe _iseb2.exe no specs _iseb2.exe no specs _iseb2.exe no specs _iseb2.exe no specs _iseb2.exe no specs _iseb2.exe no specs _iseb2.exe no specs _iseb2.exe no specs _iseb2.exe no specs agentpackageosupdates.exe no specs conhost.exe no specs srservice.exe no specs conhost.exe no specs _is14fc.exe no specs _is14fc.exe no specs _is14fc.exe no specs _is14fc.exe no specs _is14fc.exe no specs werfault.exe no specs _is14fc.exe no specs _is14fc.exe no specs _is14fc.exe no specs _is14fc.exe no specs _is14fc.exe no specs srservice.exe no specs conhost.exe no specs srservice.exe no specs srmanager.exe powershell.exe no specs conhost.exe no specs srserver.exe sragent.exe no specs srapppb.exe no specs srfeature.exe no specs msiexec.exe no specs srutility.exe no specs conhost.exe no specs msiexec.exe no specs rundll32.exe rundll32.exe cmd.exe no specs conhost.exe no specs powershell.exe no specs rundll32.exe osqueryi.exe no specs bdepsdk.exe no specs conhost.exe no specs conhost.exe no specs 8-0-11.exe 8-0-11.exe dotnet-runtime-8.0.11-win-x64.exe net.exe no specs conhost.exe no specs net1.exe no specs taskkill.exe no specs conhost.exe no specs THREAT ateraagent.exe no specs msedge.exe no specs net.exe no specs conhost.exe no specs net1.exe no specs taskkill.exe no specs conhost.exe no specs THREAT ateraagent.exe no specs THREAT ateraagent.exe sc.exe no specs conhost.exe no specs rundll32.exe msiexec.exe no specs msedge.exe no specs srvirtualdisplay.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
672\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exenet.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
672C:\WINDOWS\TEMP\{E17AD454-9D1E-4092-B08D-5666C878463F}\_isEB2.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{5E4DF725-138B-4AAE-B1CB-054B0376BB9B}C:\Windows\Temp\{E17AD454-9D1E-4092-B08D-5666C878463F}\_isEB2.exemsiexec.exe
User:
SYSTEM
Company:
Flexera
Integrity Level:
SYSTEM
Description:
InstallShield (R) 64-bit Setup Engine
Exit code:
0
Version:
27.0.122
Modules
Images
c:\windows\temp\{e17ad454-9d1e-4092-b08d-5666c878463f}\_iseb2.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
684"C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRService.exe" -iC:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRService.exemsiexec.exe
User:
SYSTEM
Company:
Splashtop Inc.
Integrity Level:
SYSTEM
Description:
Splashtop® Streamer Service
Exit code:
1066
Version:
3.74.0.16
Modules
Images
c:\program files (x86)\splashtop\splashtop remote\server\srservice.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
812powershell.exe -File "C:\Program Files\Microsoft Office\Office16\vNextDiag.ps1"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.execmd.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
1004"msiexec.exe" /i C:\WINDOWS\TEMP\ateraAgentSetup64_1_8_7_2.msi /lv* AteraSetupLog.txt /qn /norestartC:\Windows\System32\msiexec.exeAgentPackageUpgradeAgent.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows® installer
Exit code:
1618
Version:
5.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\msiexec.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
1020C:\WINDOWS\TEMP\{EA2E0714-4DF1-4418-A266-C24979C6C69F}\_isC8FB.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{3A84EF52-EB9B-4EB6-9209-985CAE212752}C:\Windows\Temp\{EA2E0714-4DF1-4418-A266-C24979C6C69F}\_isC8FB.exemsiexec.exe
User:
SYSTEM
Company:
Flexera
Integrity Level:
SYSTEM
Description:
InstallShield (R) 64-bit Setup Engine
Exit code:
0
Version:
27.0.122
Modules
Images
c:\windows\temp\{ea2e0714-4df1-4418-a266-c24979c6c69f}\_isc8fb.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
1040\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.execmd.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
1116"C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Support\SetupUtil.exe" /P ADDUSERINFO /V "sec_opt=0,confirm_d=0,hidewindow=1"C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Support\SetupUtil.exemsiexec.exe
User:
SYSTEM
Company:
Splashtop Inc.
Integrity Level:
SYSTEM
Description:
Splashtop® Streamer Setup Utility
Exit code:
0
Version:
1.0.4.0
Modules
Images
c:\program files (x86)\splashtop\splashtop remote\server\support\setuputil.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
1164\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exetaskkill.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
1180"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.3636 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAABEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=8132 --field-trial-handle=2632,i,6731394920476584010,6328704669548732112,262144 --variations-seed-version /prefetch:8C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exemsedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
Total events
128 860
Read events
126 990
Write events
1 675
Delete events
195

Modification events

(PID) Process:(4868) msedge.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\EdgeUpdate\ClientStateMedium\{56EB18F8-B008-4CBD-B6D2-8C97FE7E9062}\LastWasDefault
Operation:writeName:S-1-5-21-1693682860-607145093-2874071422-1001
Value:
2EA11C99AB8F2F00
(PID) Process:(4868) msedge.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\EdgeUpdate\ClientStateMedium\{56EB18F8-B008-4CBD-B6D2-8C97FE7E9062}\LastWasDefault
Operation:writeName:S-1-5-21-1693682860-607145093-2874071422-1001
Value:
A9BC2999AB8F2F00
(PID) Process:(4868) msedge.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowProperties\262992
Operation:writeName:WindowTabManagerFileMappingId
Value:
{C0DF2051-B8B6-495C-9626-87A22FF20071}
(PID) Process:(4868) msedge.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\BLBeacon
Operation:writeName:failed_count
Value:
0
(PID) Process:(4868) msedge.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\BLBeacon
Operation:writeName:state
Value:
2
(PID) Process:(4868) msedge.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\BLBeacon
Operation:writeName:state
Value:
1
(PID) Process:(4868) msedge.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\StabilityMetrics
Operation:writeName:user_experience_metrics.stability.exited_cleanly
Value:
0
(PID) Process:(4868) msedge.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowProperties\262992
Operation:writeName:WindowTabManagerFileMappingId
Value:
{3A80B560-D528-424A-8723-A4234B7B290D}
(PID) Process:(4868) msedge.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation:writeName:MicrosoftEdgeAutoLaunch_29EBC4579851B72EE312C449CF839B1A
Value:
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window --win-session-start
(PID) Process:(4868) msedge.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\EdgeUpdate\Clients\{56EB18F8-B008-4CBD-B6D2-8C97FE7E9062}\Commands\on-logon-autolaunch
Operation:writeName:Enabled
Value:
0
Executable files
911
Suspicious files
341
Text files
259
Unknown types
0

Dropped files

PID
Process
Filename
Type
4868msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\discounts_db\LOG.old~RF10bc2e.TMP
MD5:
SHA256:
4868msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\commerce_subscription_db\LOG.old~RF10bc2e.TMP
MD5:
SHA256:
4868msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\EdgePushStorageWithConnectTokenAndKey\LOG.old~RF10bc2e.TMP
MD5:
SHA256:
4868msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\discounts_db\LOG.old
MD5:
SHA256:
4868msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\EdgePushStorageWithConnectTokenAndKey\LOG.old
MD5:
SHA256:
4868msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\commerce_subscription_db\LOG.old
MD5:
SHA256:
4868msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\PersistentOriginTrials\LOG.old~RF10bc2e.TMP
MD5:
SHA256:
4868msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\PersistentOriginTrials\LOG.old
MD5:
SHA256:
4868msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\parcel_tracking_db\LOG.old~RF10bc2e.TMP
MD5:
SHA256:
4868msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\parcel_tracking_db\LOG.old
MD5:
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
31
TCP/UDP connections
121
DNS requests
81
Threats
56

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
GET
200
2.16.164.9:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
8380
backgroundTaskHost.exe
GET
200
184.30.131.245:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAUZZSZEml49Gjh0j13P68w%3D
unknown
whitelisted
6544
svchost.exe
GET
200
184.30.131.245:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
4868
msedge.exe
GET
200
184.30.131.245:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBT3xL4LQLXDRDM9P665TW442vrsUQQUReuir%2FSSy4IxLVGLp6chnfNtyA8CEA6bGI750C3n79tQ4ghAGFo%3D
unknown
whitelisted
864
SIHClient.exe
GET
200
2.23.246.101:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
6392
AteraAgent.exe
GET
200
184.30.131.245:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfIs%2BLjDtGwQ09XEB1Yeq%2BtX%2BBgQQU7NfjgtJxXWRM3y5nP%2Be6mK4cD08CEAitQLJg0pxMn17Nqb2Trtk%3D
unknown
whitelisted
4868
msedge.exe
GET
200
184.30.131.245:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfIs%2BLjDtGwQ09XEB1Yeq%2BtX%2BBgQQU7NfjgtJxXWRM3y5nP%2Be6mK4cD08CEAitQLJg0pxMn17Nqb2Trtk%3D
unknown
whitelisted
6392
AteraAgent.exe
GET
200
184.30.131.245:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBT3xL4LQLXDRDM9P665TW442vrsUQQUReuir%2FSSy4IxLVGLp6chnfNtyA8CEA6bGI750C3n79tQ4ghAGFo%3D
unknown
whitelisted
864
SIHClient.exe
GET
200
2.23.246.101:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
whitelisted
4112
cscript.exe
GET
200
104.124.11.17:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
2.16.164.9:80
crl.microsoft.com
Akamai International B.V.
NL
whitelisted
4
System
192.168.100.255:138
whitelisted
7420
msedge.exe
13.107.42.16:443
config.edge.skype.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
4868
msedge.exe
239.255.255.250:1900
whitelisted
7420
msedge.exe
150.171.28.11:443
edge.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
7420
msedge.exe
13.107.246.60:443
edge-mobile-static.azureedge.net
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
7420
msedge.exe
85.214.3.95:443
hidrive.ionos.com
Strato AG
DE
malicious
7420
msedge.exe
13.107.6.158:443
business.bing.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted

DNS requests

Domain
IP
Reputation
google.com
  • 142.250.185.78
whitelisted
settings-win.data.microsoft.com
  • 51.104.136.2
  • 40.127.240.158
whitelisted
crl.microsoft.com
  • 2.16.164.9
  • 2.16.164.106
  • 2.16.164.72
  • 104.124.11.17
  • 104.124.11.58
whitelisted
config.edge.skype.com
  • 13.107.42.16
whitelisted
hidrive.ionos.com
  • 85.214.3.95
malicious
edge.microsoft.com
  • 150.171.28.11
  • 150.171.27.11
  • 13.107.21.239
  • 204.79.197.239
whitelisted
edge-mobile-static.azureedge.net
  • 13.107.246.60
whitelisted
business.bing.com
  • 13.107.6.158
whitelisted
bzib.nelreports.net
  • 2.22.242.11
  • 2.22.242.105
  • 2.16.168.113
  • 2.16.168.107
whitelisted
update.googleapis.com
  • 142.250.185.227
whitelisted

Threats

PID
Process
Class
Message
7420
msedge.exe
Not Suspicious Traffic
INFO [ANY.RUN] WordPress domains and hosting (hidrive .ionos .com)
7420
msedge.exe
Not Suspicious Traffic
INFO [ANY.RUN] WordPress domains and hosting (hidrive .ionos .com)
8584
rundll32.exe
Potential Corporate Privacy Violation
POLICY [ANY.RUN] Possible Atera Remote Access Software Domain observed in TLS SNI (agent-api .atera .com)
5936
AteraAgent.exe
Potential Corporate Privacy Violation
POLICY [ANY.RUN] Possible Atera Remote Access Software Domain observed in TLS SNI (agent-api .atera .com)
5936
AteraAgent.exe
Potential Corporate Privacy Violation
POLICY [ANY.RUN] Possible Atera Remote Access Software Domain observed in TLS SNI (agent-api .atera .com)
5936
AteraAgent.exe
Potential Corporate Privacy Violation
POLICY [ANY.RUN] Possible Atera Remote Access Software Domain observed in TLS SNI (agent-api .atera .com)
5936
AteraAgent.exe
Potential Corporate Privacy Violation
POLICY [ANY.RUN] Possible Atera Remote Access Software Domain observed in TLS SNI (agent-api .atera .com)
5936
AteraAgent.exe
Potential Corporate Privacy Violation
POLICY [ANY.RUN] Possible Atera Remote Access Software Domain observed in TLS SNI (agent-api .atera .com)
5936
AteraAgent.exe
Potential Corporate Privacy Violation
POLICY [ANY.RUN] Possible Atera Remote Access Software Domain observed in TLS SNI (agent-api .atera .com)
4268
AgentPackageAgentInformation.exe
Potential Corporate Privacy Violation
POLICY [ANY.RUN] Possible Atera Remote Access Software Domain observed in TLS SNI (agent-api .atera .com)
Process
Message
AgentPackageMonitoring.exe
Native library pre-loader is trying to load native SQLite library "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\x64\SQLite.Interop.dll"...
SplashtopStreamer.exe
[4208]2025-03-24 11:59:00 [CUnPack::FindHeader] Name:C:\WINDOWS\TEMP\SplashtopStreamer.exe (Last=0)
SplashtopStreamer.exe
[4208]2025-03-24 11:59:00 [CUnPack::FindHeader] Header offset:434176 (Last=183)
SplashtopStreamer.exe
[4208]2025-03-24 11:59:00 [CUnPack::UnPackFiles] (1/5)UnPack file name:C:\WINDOWS\TEMP\unpack\setup.msi (60999680) (Last=0)
SplashtopStreamer.exe
[4208]2025-03-24 11:59:00 [CUnPack::UnPackFiles] FreeSpace:231861051392 FileSize:60999680 (Last=0)
SplashtopStreamer.exe
[4208]2025-03-24 11:59:00 [CUtility::OSInfo] OS 10.0(19045) x64:1 (Last=0)
SplashtopStreamer.exe
[4208]2025-03-24 11:59:00 [CUnPack::FindHeader] Sign Size:10376 (Last=0)
SplashtopStreamer.exe
[4208]2025-03-24 11:59:00 [CUnPack::UnPackFiles] (2/5)UnPack file name:C:\WINDOWS\TEMP\unpack\run.bat (15) (Last=122)
SplashtopStreamer.exe
[4208]2025-03-24 11:59:00 [CUnPack::UnPackFiles] FreeSpace:231800033280 FileSize:15 (Last=183)
SplashtopStreamer.exe
[4208]2025-03-24 11:59:00 [CUnPack::UnPackFiles] UnPack count:1 len:60999680 File:(null) (Last=0)
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
https://hidrive.ionos.com/api/sharelink/download?id=bzjHzG4aa