File name:

setup.msi

Full analysis: https://app.any.run/tasks/7cb28862-6168-4c35-a1c9-14dfc4908d6f
Verdict: Malicious activity
Analysis date: January 26, 2022, 11:16:18
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
generated-doc
Indicators:
MIME: application/x-msi
File info: Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Code page: 1252, Title: Installation Database, Subject: AteraAgent, Author: Atera networks, Keywords: Installer, Comments: This installer database contains the logic and data required to install AteraAgent., Template: Intel;1033, Revision Number: {2B8E0D9C-FD18-425C-A99E-EB91D57A1FD2}, Create Time/Date: Sun Nov 14 18:14:18 2021, Last Saved Time/Date: Sun Nov 14 18:14:18 2021, Number of Pages: 200, Number of Words: 6, Name of Creating Application: Windows Installer XML Toolset (3.11.2.4516), Security: 2
MD5:

3B33E36DB136CD5BAB9EC406C2C50A4F

SHA1:

180F44873C5F9D2CF7D52A3F2AF09B8EB9C43426

SHA256:

69C3683D8558B6290DFA4598B39556A56DA55C46FB620BB92A20A1D2D13EEB95

SSDEEP:

24576:Wi/GZLEoquazO3v0aTJC8z8twySxuQZCJ32Knmn0ygYBR5uUxz9kbWtJjhOE2Z39:WYGZYos8jJC/GyScQZCYKmn04pt9kb+7

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Application was dropped or rewritten from another process

      • AteraAgent.exe (PID: 584)
      • AteraAgent.exe (PID: 2176)
      • AgentPackageAgentInformation.exe (PID: 2748)
      • AgentPackageMonitoring.exe (PID: 852)
      • AgentPackageAgentInformation.exe (PID: 3036)
      • AgentPackageMonitoring.exe (PID: 3216)
      • AgentPackageSTRemote.exe (PID: 968)
      • AgentPackageWindowsUpdate.exe (PID: 1172)
      • AgentPackageADRemote.exe (PID: 2796)
      • AgentPackageTicketing.exe (PID: 520)
      • AgentPackageUpgradeAgent.exe (PID: 2440)
      • AgentPackageUpgradeAgent.exe (PID: 3176)
      • AgentPackageInternalPoller.exe (PID: 2948)
      • AgentPackageHeartbeat.exe (PID: 2516)
      • AgentPackageProgramManagement.exe (PID: 2808)
      • AgentPackageTaskScheduler.exe (PID: 2476)
      • AgentPackageNetworkDiscovery.exe (PID: 3932)
      • AgentPackageHeartbeat.exe (PID: 3672)
      • AgentPackageInternalPoller.exe (PID: 3384)
      • PreVerCheck.exe (PID: 2384)
      • SetupUtil.exe (PID: 3388)
      • SetupUtil.exe (PID: 576)
      • SetupUtil.exe (PID: 2484)
      • SRSelfSignCertUtil.exe (PID: 3036)
      • SSU_Clean.exe (PID: 4060)
      • SSUService.exe (PID: 2064)
      • Splashtop_Software_Updater.exe (PID: 904)
      • SRService.exe (PID: 3628)
      • SRService.exe (PID: 3616)
      • SRService.exe (PID: 1364)
      • SRManager.exe (PID: 2580)
      • SRUtility.exe (PID: 2220)
      • SRServer.exe (PID: 4036)
      • SRAgent.exe (PID: 1876)
      • SRAppPB.exe (PID: 3384)
      • SRFeature.exe (PID: 3788)
      • SRDetect.exe (PID: 3228)
      • SRUtility.exe (PID: 1988)
      • SRUtility.exe (PID: 3444)
      • AgentPackageSTRemote.exe (PID: 2084)
      • AgentPackageHeartbeat.exe (PID: 1988)
      • AgentPackageMonitoring.exe (PID: 3104)
      • SRUtility.exe (PID: 1612)
      • AgentPackageSystemTools.exe (PID: 924)
      • RunScriptAsUser.exe (PID: 2864)
      • AgentPackageHeartbeat.exe (PID: 3472)
      • AgentPackageInternalPoller.exe (PID: 3216)
      • SRUtility.exe (PID: 3016)
      • AgentPackageSTRemote.exe (PID: 3264)
      • AgentPackageHeartbeat.exe (PID: 440)
      • AgentPackageMonitoring.exe (PID: 3008)
      • AgentPackageHeartbeat.exe (PID: 3960)
      • AgentPackageSTRemote.exe (PID: 3296)
      • SRUtility.exe (PID: 2612)
      • AgentPackageHeartbeat.exe (PID: 1092)

    • Loads dropped or rewritten executable

      • MsiExec.exe (PID: 3760)
      • AteraAgent.exe (PID: 584)
      • AteraAgent.exe (PID: 2176)
      • AgentPackageAgentInformation.exe (PID: 2748)
      • AgentPackageMonitoring.exe (PID: 852)
      • AgentPackageAgentInformation.exe (PID: 3036)
      • AgentPackageMonitoring.exe (PID: 3216)
      • AgentPackageSTRemote.exe (PID: 968)
      • AgentPackageWindowsUpdate.exe (PID: 1172)
      • AgentPackageADRemote.exe (PID: 2796)
      • AgentPackageUpgradeAgent.exe (PID: 2440)
      • AgentPackageUpgradeAgent.exe (PID: 3176)
      • AgentPackageTicketing.exe (PID: 520)
      • AgentPackageInternalPoller.exe (PID: 2948)
      • AgentPackageHeartbeat.exe (PID: 2516)
      • AgentPackageInternalPoller.exe (PID: 3384)
      • AgentPackageTaskScheduler.exe (PID: 2476)
      • AgentPackageNetworkDiscovery.exe (PID: 3932)
      • AgentPackageHeartbeat.exe (PID: 3672)
      • AgentPackageProgramManagement.exe (PID: 2808)
      • MsiExec.exe (PID: 2080)
      • svchost.exe (PID: 2016)
      • Splashtop_Software_Updater.exe (PID: 904)
      • SRManager.exe (PID: 2580)
      • SRUtility.exe (PID: 2220)
      • SRServer.exe (PID: 4036)
      • SRAgent.exe (PID: 1876)
      • SRFeature.exe (PID: 3788)
      • SRUtility.exe (PID: 1988)
      • AgentPackageHeartbeat.exe (PID: 1988)
      • SRUtility.exe (PID: 3444)
      • AgentPackageSTRemote.exe (PID: 2084)
      • AgentPackageMonitoring.exe (PID: 3104)
      • SRUtility.exe (PID: 1612)
      • RunScriptAsUser.exe (PID: 2864)
      • AgentPackageSystemTools.exe (PID: 924)
      • AgentPackageHeartbeat.exe (PID: 3472)
      • AgentPackageInternalPoller.exe (PID: 3216)
      • AgentPackageHeartbeat.exe (PID: 440)
      • AgentPackageSTRemote.exe (PID: 3264)
      • SRUtility.exe (PID: 3016)
      • AgentPackageHeartbeat.exe (PID: 3960)
      • AgentPackageMonitoring.exe (PID: 3008)
      • AgentPackageSTRemote.exe (PID: 3296)
      • SRUtility.exe (PID: 2612)
      • AgentPackageHeartbeat.exe (PID: 1092)

    • Changes settings of System certificates

      • AteraAgent.exe (PID: 584)
      • AgentPackageTicketing.exe (PID: 520)

    • Drops executable file immediately after starts

      • AgentPackageUpgradeAgent.exe (PID: 2440)
      • SplashtopStreamer3360.exe (PID: 1996)
      • MsiExec.exe (PID: 2080)
      • Splashtop_Software_Updater.exe (PID: 904)

    • Loads the Task Scheduler COM API

      • AgentPackageUpgradeAgent.exe (PID: 3176)
      • AgentPackageTaskScheduler.exe (PID: 2476)

    • Executes PowerShell scripts

      • cmd.exe (PID: 3640)

    • Runs PING.EXE for delay simulation

      • cmd.exe (PID: 3640)

  • SUSPICIOUS

    • Reads Windows owner or organization settings

      • msiexec.exe (PID: 2976)
      • msiexec.exe (PID: 1668)

    • Executed as Windows Service

      • msiexec.exe (PID: 1668)
      • vssvc.exe (PID: 3100)
      • AteraAgent.exe (PID: 584)
      • SSUService.exe (PID: 2064)
      • SRService.exe (PID: 1364)

    • Reads the Windows organization settings

      • msiexec.exe (PID: 2976)
      • msiexec.exe (PID: 1668)

    • Reads Environment values

      • vssvc.exe (PID: 3100)
      • AteraAgent.exe (PID: 2176)
      • AteraAgent.exe (PID: 584)
      • AgentPackageAgentInformation.exe (PID: 2748)
      • AgentPackageMonitoring.exe (PID: 852)
      • AgentPackageAgentInformation.exe (PID: 3036)
      • AgentPackageMonitoring.exe (PID: 3216)
      • AgentPackageSTRemote.exe (PID: 968)
      • AgentPackageWindowsUpdate.exe (PID: 1172)
      • AgentPackageADRemote.exe (PID: 2796)
      • AgentPackageTicketing.exe (PID: 520)
      • AgentPackageUpgradeAgent.exe (PID: 2440)
      • AgentPackageUpgradeAgent.exe (PID: 3176)
      • AgentPackageInternalPoller.exe (PID: 2948)
      • AgentPackageProgramManagement.exe (PID: 2808)
      • AgentPackageInternalPoller.exe (PID: 3384)
      • AgentPackageHeartbeat.exe (PID: 2516)
      • AgentPackageTaskScheduler.exe (PID: 2476)
      • AgentPackageNetworkDiscovery.exe (PID: 3932)
      • AgentPackageHeartbeat.exe (PID: 3672)
      • AgentPackageHeartbeat.exe (PID: 1988)
      • AgentPackageSTRemote.exe (PID: 2084)
      • AgentPackageMonitoring.exe (PID: 3104)
      • AgentPackageSystemTools.exe (PID: 924)
      • powershell.exe (PID: 1936)
      • AgentPackageHeartbeat.exe (PID: 3472)
      • AgentPackageInternalPoller.exe (PID: 3216)
      • AgentPackageHeartbeat.exe (PID: 440)
      • AgentPackageSTRemote.exe (PID: 3264)
      • AgentPackageHeartbeat.exe (PID: 3960)
      • AgentPackageMonitoring.exe (PID: 3008)
      • AgentPackageSTRemote.exe (PID: 3296)
      • AgentPackageHeartbeat.exe (PID: 1092)

    • Searches for installed software

      • msiexec.exe (PID: 1668)
      • AgentPackageAgentInformation.exe (PID: 3036)
      • AgentPackageAgentInformation.exe (PID: 2748)
      • AgentPackageProgramManagement.exe (PID: 2808)

    • Application launched itself

      • msiexec.exe (PID: 1668)
      • cmd.exe (PID: 3640)

    • Checks supported languages

      • AteraAgent.exe (PID: 2176)
      • AteraAgent.exe (PID: 584)
      • cmd.exe (PID: 2276)
      • cscript.exe (PID: 3432)
      • AgentPackageAgentInformation.exe (PID: 2748)
      • AgentPackageMonitoring.exe (PID: 852)
      • AgentPackageAgentInformation.exe (PID: 3036)
      • AgentPackageMonitoring.exe (PID: 3216)
      • AgentPackageWindowsUpdate.exe (PID: 1172)
      • AgentPackageSTRemote.exe (PID: 968)
      • cscript.exe (PID: 4004)
      • cmd.exe (PID: 1816)
      • AgentPackageADRemote.exe (PID: 2796)
      • AgentPackageTicketing.exe (PID: 520)
      • AgentPackageUpgradeAgent.exe (PID: 2440)
      • AgentPackageUpgradeAgent.exe (PID: 3176)
      • AgentPackageInternalPoller.exe (PID: 2948)
      • AgentPackageHeartbeat.exe (PID: 2516)
      • AgentPackageInternalPoller.exe (PID: 3384)
      • AgentPackageProgramManagement.exe (PID: 2808)
      • AgentPackageTaskScheduler.exe (PID: 2476)
      • AgentPackageNetworkDiscovery.exe (PID: 3932)
      • AgentPackageHeartbeat.exe (PID: 3672)
      • PreVerCheck.exe (PID: 2384)
      • SplashtopStreamer3360.exe (PID: 1996)
      • cmd.exe (PID: 1052)
      • cmd.exe (PID: 2536)
      • cmd.exe (PID: 1080)
      • cmd.exe (PID: 3068)
      • cmd.exe (PID: 2304)
      • cmd.exe (PID: 2692)
      • cmd.exe (PID: 3828)
      • cmd.exe (PID: 3804)
      • SetupUtil.exe (PID: 2484)
      • SetupUtil.exe (PID: 3388)
      • cmd.exe (PID: 3472)
      • cmd.exe (PID: 1924)
      • SRSelfSignCertUtil.exe (PID: 3036)
      • SSU_Clean.exe (PID: 4060)
      • SetupUtil.exe (PID: 576)
      • Splashtop_Software_Updater.exe (PID: 904)
      • SSUService.exe (PID: 2064)
      • SRService.exe (PID: 3628)
      • SRService.exe (PID: 3616)
      • SRService.exe (PID: 1364)
      • SRManager.exe (PID: 2580)
      • SRUtility.exe (PID: 2220)
      • SRServer.exe (PID: 4036)
      • SRFeature.exe (PID: 3788)
      • SRUtility.exe (PID: 1988)
      • SRDetect.exe (PID: 3228)
      • SRAgent.exe (PID: 1876)
      • SRAppPB.exe (PID: 3384)
      • AgentPackageHeartbeat.exe (PID: 1988)
      • SRUtility.exe (PID: 3444)
      • AgentPackageSTRemote.exe (PID: 2084)
      • SRUtility.exe (PID: 1612)
      • AgentPackageMonitoring.exe (PID: 3104)
      • AgentPackageSystemTools.exe (PID: 924)
      • RunScriptAsUser.exe (PID: 2864)
      • cmd.exe (PID: 3640)
      • powershell.exe (PID: 1936)
      • cmd.exe (PID: 2092)
      • cmd.exe (PID: 292)
      • AgentPackageInternalPoller.exe (PID: 3216)
      • cmd.exe (PID: 400)
      • AgentPackageHeartbeat.exe (PID: 3472)
      • SRUtility.exe (PID: 3016)
      • cmd.exe (PID: 3820)
      • cmd.exe (PID: 4052)
      • AgentPackageSTRemote.exe (PID: 3264)
      • AgentPackageHeartbeat.exe (PID: 440)
      • AgentPackageMonitoring.exe (PID: 3008)
      • AgentPackageHeartbeat.exe (PID: 3960)
      • AgentPackageSTRemote.exe (PID: 3296)
      • SRUtility.exe (PID: 2612)
      • cmd.exe (PID: 3448)
      • cmd.exe (PID: 2160)
      • AgentPackageHeartbeat.exe (PID: 1092)

    • Drops a file with a compile date too recent

      • msiexec.exe (PID: 1668)
      • AteraAgent.exe (PID: 584)
      • AgentPackageUpgradeAgent.exe (PID: 2440)
      • SplashtopStreamer3360.exe (PID: 1996)

    • Creates a software uninstall entry

      • msiexec.exe (PID: 1668)
      • Splashtop_Software_Updater.exe (PID: 904)

    • Creates files in the Windows directory

      • AteraAgent.exe (PID: 2176)
      • AteraAgent.exe (PID: 584)
      • AgentPackageSTRemote.exe (PID: 968)
      • AgentPackageUpgradeAgent.exe (PID: 2440)
      • SplashtopStreamer3360.exe (PID: 1996)
      • msiexec.exe (PID: 3356)
      • PreVerCheck.exe (PID: 2384)
      • MsiExec.exe (PID: 2080)
      • msiexec.exe (PID: 1668)
      • SetupUtil.exe (PID: 3388)
      • SetupUtil.exe (PID: 2484)
      • svchost.exe (PID: 2016)
      • SSU_Clean.exe (PID: 4060)
      • Splashtop_Software_Updater.exe (PID: 904)
      • SRManager.exe (PID: 2580)
      • SSUService.exe (PID: 2064)
      • SRServer.exe (PID: 4036)

    • Executable content was dropped or overwritten

      • msiexec.exe (PID: 1668)
      • AteraAgent.exe (PID: 584)
      • AgentPackageUpgradeAgent.exe (PID: 2440)
      • AgentPackageMonitoring.exe (PID: 3216)
      • SplashtopStreamer3360.exe (PID: 1996)
      • MsiExec.exe (PID: 2080)
      • SetupUtil.exe (PID: 576)
      • Splashtop_Software_Updater.exe (PID: 904)
      • AgentPackageTicketing.exe (PID: 520)
      • AgentPackageMonitoring.exe (PID: 3104)
      • AgentPackageMonitoring.exe (PID: 3008)

    • Creates files in the program directory

      • AteraAgent.exe (PID: 2176)
      • msiexec.exe (PID: 1668)
      • AteraAgent.exe (PID: 584)
      • AgentPackageMonitoring.exe (PID: 852)
      • AgentPackageWindowsUpdate.exe (PID: 1172)
      • AgentPackageSTRemote.exe (PID: 968)
      • AgentPackageProgramManagement.exe (PID: 2808)
      • AgentPackageInternalPoller.exe (PID: 3384)
      • AgentPackageInternalPoller.exe (PID: 2948)
      • AgentPackageAgentInformation.exe (PID: 3036)
      • AgentPackageMonitoring.exe (PID: 3216)
      • MsiExec.exe (PID: 2080)
      • SetupUtil.exe (PID: 576)
      • SRSelfSignCertUtil.exe (PID: 3036)
      • Splashtop_Software_Updater.exe (PID: 904)
      • SRService.exe (PID: 3628)
      • SRManager.exe (PID: 2580)
      • AgentPackageTicketing.exe (PID: 520)
      • SSUService.exe (PID: 2064)
      • SRAgent.exe (PID: 1876)
      • AgentPackageMonitoring.exe (PID: 3104)
      • AgentPackageSystemTools.exe (PID: 924)
      • AgentPackageMonitoring.exe (PID: 3008)

    • Reads the computer name

      • AteraAgent.exe (PID: 2176)
      • AteraAgent.exe (PID: 584)
      • AgentPackageAgentInformation.exe (PID: 2748)
      • cscript.exe (PID: 3432)
      • AgentPackageMonitoring.exe (PID: 3216)
      • AgentPackageMonitoring.exe (PID: 852)
      • AgentPackageAgentInformation.exe (PID: 3036)
      • AgentPackageSTRemote.exe (PID: 968)
      • AgentPackageWindowsUpdate.exe (PID: 1172)
      • cscript.exe (PID: 4004)
      • AgentPackageADRemote.exe (PID: 2796)
      • AgentPackageTicketing.exe (PID: 520)
      • AgentPackageUpgradeAgent.exe (PID: 2440)
      • AgentPackageUpgradeAgent.exe (PID: 3176)
      • AgentPackageInternalPoller.exe (PID: 2948)
      • AgentPackageHeartbeat.exe (PID: 2516)
      • AgentPackageInternalPoller.exe (PID: 3384)
      • AgentPackageProgramManagement.exe (PID: 2808)
      • AgentPackageTaskScheduler.exe (PID: 2476)
      • AgentPackageNetworkDiscovery.exe (PID: 3932)
      • AgentPackageHeartbeat.exe (PID: 3672)
      • SplashtopStreamer3360.exe (PID: 1996)
      • SetupUtil.exe (PID: 2484)
      • SetupUtil.exe (PID: 3388)
      • SRSelfSignCertUtil.exe (PID: 3036)
      • SetupUtil.exe (PID: 576)
      • SSU_Clean.exe (PID: 4060)
      • Splashtop_Software_Updater.exe (PID: 904)
      • SSUService.exe (PID: 2064)
      • SRService.exe (PID: 3628)
      • SRService.exe (PID: 3616)
      • SRService.exe (PID: 1364)
      • SRUtility.exe (PID: 2220)
      • SRServer.exe (PID: 4036)
      • SRManager.exe (PID: 2580)
      • SRAgent.exe (PID: 1876)
      • SRAppPB.exe (PID: 3384)
      • SRFeature.exe (PID: 3788)
      • AgentPackageHeartbeat.exe (PID: 1988)
      • SRUtility.exe (PID: 3444)
      • AgentPackageSTRemote.exe (PID: 2084)
      • SRUtility.exe (PID: 1612)
      • AgentPackageMonitoring.exe (PID: 3104)
      • AgentPackageSystemTools.exe (PID: 924)
      • RunScriptAsUser.exe (PID: 2864)
      • powershell.exe (PID: 1936)
      • AgentPackageHeartbeat.exe (PID: 3472)
      • AgentPackageInternalPoller.exe (PID: 3216)
      • AgentPackageHeartbeat.exe (PID: 440)
      • AgentPackageSTRemote.exe (PID: 3264)
      • SRUtility.exe (PID: 3016)
      • AgentPackageMonitoring.exe (PID: 3008)
      • AgentPackageHeartbeat.exe (PID: 3960)
      • SRUtility.exe (PID: 2612)
      • AgentPackageSTRemote.exe (PID: 3296)
      • AgentPackageHeartbeat.exe (PID: 1092)

    • Starts SC.EXE for service management

      • AteraAgent.exe (PID: 584)

    • Creates a directory in Program Files

      • msiexec.exe (PID: 1668)
      • AteraAgent.exe (PID: 584)
      • Splashtop_Software_Updater.exe (PID: 904)
      • SRManager.exe (PID: 2580)
      • SRService.exe (PID: 3628)
      • SRAgent.exe (PID: 1876)

    • Drops a file that was compiled in debug mode

      • msiexec.exe (PID: 1668)
      • AteraAgent.exe (PID: 584)
      • AgentPackageUpgradeAgent.exe (PID: 2440)
      • AgentPackageMonitoring.exe (PID: 3216)
      • SplashtopStreamer3360.exe (PID: 1996)
      • MsiExec.exe (PID: 2080)
      • Splashtop_Software_Updater.exe (PID: 904)
      • AgentPackageTicketing.exe (PID: 520)
      • AgentPackageMonitoring.exe (PID: 3104)
      • AgentPackageMonitoring.exe (PID: 3008)

    • Starts CMD.EXE for commands execution

      • AgentPackageAgentInformation.exe (PID: 2748)
      • AgentPackageAgentInformation.exe (PID: 3036)
      • MsiExec.exe (PID: 2080)
      • SetupUtil.exe (PID: 576)
      • cmd.exe (PID: 3640)
      • RunScriptAsUser.exe (PID: 2864)

    • Reads Windows Product ID

      • AgentPackageAgentInformation.exe (PID: 2748)
      • AgentPackageAgentInformation.exe (PID: 3036)

    • Reads the time zone

      • svchost.exe (PID: 2016)

    • Executes scripts

      • cmd.exe (PID: 2276)
      • cmd.exe (PID: 1816)

    • Starts itself from another location

      • AgentPackageUpgradeAgent.exe (PID: 2440)

    • Adds / modifies Windows certificates

      • AgentPackageTicketing.exe (PID: 520)

    • Drops a file with too old compile date

      • AgentPackageMonitoring.exe (PID: 3216)
      • MsiExec.exe (PID: 2080)
      • msiexec.exe (PID: 1668)
      • Splashtop_Software_Updater.exe (PID: 904)
      • AgentPackageMonitoring.exe (PID: 3104)
      • AgentPackageMonitoring.exe (PID: 3008)

    • Uses TASKKILL.EXE to kill process

      • cmd.exe (PID: 1052)
      • cmd.exe (PID: 1080)
      • cmd.exe (PID: 3068)
      • cmd.exe (PID: 2536)
      • cmd.exe (PID: 2304)
      • cmd.exe (PID: 2692)
      • cmd.exe (PID: 3828)
      • cmd.exe (PID: 3804)

    • Removes files from Windows directory

      • MsiExec.exe (PID: 2080)
      • SetupUtil.exe (PID: 3388)
      • Splashtop_Software_Updater.exe (PID: 904)
      • SSU_Clean.exe (PID: 4060)
      • SSUService.exe (PID: 2064)
      • SplashtopStreamer3360.exe (PID: 1996)

    • Changes default file association

      • MsiExec.exe (PID: 2080)

    • Uses REG.EXE to modify Windows registry

      • MsiExec.exe (PID: 2080)

    • Creates/Modifies COM task schedule object

      • reg.exe (PID: 1576)
      • SRService.exe (PID: 3628)

    • Creates or modifies windows services

      • Splashtop_Software_Updater.exe (PID: 904)
      • SRManager.exe (PID: 2580)

  • INFO

    • Checks supported languages

      • msiexec.exe (PID: 2976)
      • msiexec.exe (PID: 1668)
      • vssvc.exe (PID: 3100)
      • sc.exe (PID: 1484)
      • MsiExec.exe (PID: 3760)
      • msiexec.exe (PID: 3356)
      • MsiExec.exe (PID: 2080)
      • taskkill.exe (PID: 2288)
      • taskkill.exe (PID: 2712)
      • taskkill.exe (PID: 652)
      • taskkill.exe (PID: 2788)
      • taskkill.exe (PID: 3012)
      • taskkill.exe (PID: 3292)
      • taskkill.exe (PID: 440)
      • taskkill.exe (PID: 2124)
      • regedit.exe (PID: 2344)
      • reg.exe (PID: 1576)
      • regedit.exe (PID: 292)
      • wevtutil.exe (PID: 2756)
      • wevtutil.exe (PID: 924)
      • svchost.exe (PID: 2016)
      • PING.EXE (PID: 2528)
      • PING.EXE (PID: 3712)
      • PING.EXE (PID: 3660)
      • PING.EXE (PID: 484)
      • PING.EXE (PID: 488)
      • PING.EXE (PID: 2184)
      • PING.EXE (PID: 4004)

    • Reads the computer name

      • msiexec.exe (PID: 2976)
      • msiexec.exe (PID: 1668)
      • vssvc.exe (PID: 3100)
      • sc.exe (PID: 1484)
      • MsiExec.exe (PID: 3760)
      • msiexec.exe (PID: 3356)
      • MsiExec.exe (PID: 2080)
      • taskkill.exe (PID: 2712)
      • taskkill.exe (PID: 652)
      • taskkill.exe (PID: 2788)
      • taskkill.exe (PID: 2288)
      • taskkill.exe (PID: 440)
      • taskkill.exe (PID: 3012)
      • taskkill.exe (PID: 3292)
      • taskkill.exe (PID: 2124)
      • wevtutil.exe (PID: 2756)
      • wevtutil.exe (PID: 924)
      • PING.EXE (PID: 2528)
      • PING.EXE (PID: 3712)
      • PING.EXE (PID: 3660)
      • PING.EXE (PID: 484)
      • PING.EXE (PID: 488)
      • PING.EXE (PID: 4004)
      • PING.EXE (PID: 2184)

    • Reads settings of System Certificates

      • msiexec.exe (PID: 2976)
      • msiexec.exe (PID: 1668)
      • AteraAgent.exe (PID: 584)
      • AgentPackageAgentInformation.exe (PID: 2748)
      • AgentPackageMonitoring.exe (PID: 852)
      • AgentPackageSTRemote.exe (PID: 968)
      • AgentPackageWindowsUpdate.exe (PID: 1172)
      • AgentPackageTicketing.exe (PID: 520)
      • AgentPackageADRemote.exe (PID: 2796)
      • AgentPackageInternalPoller.exe (PID: 3384)
      • AgentPackageAgentInformation.exe (PID: 3036)
      • AgentPackageProgramManagement.exe (PID: 2808)
      • AgentPackageInternalPoller.exe (PID: 2948)
      • AgentPackageMonitoring.exe (PID: 3216)
      • AgentPackageHeartbeat.exe (PID: 3672)
      • SRManager.exe (PID: 2580)
      • SSUService.exe (PID: 2064)
      • AgentPackageHeartbeat.exe (PID: 1988)
      • AgentPackageSystemTools.exe (PID: 924)
      • AgentPackageHeartbeat.exe (PID: 3472)
      • AgentPackageHeartbeat.exe (PID: 440)
      • AgentPackageHeartbeat.exe (PID: 3960)
      • AgentPackageHeartbeat.exe (PID: 1092)

    • Checks Windows Trust Settings

      • msiexec.exe (PID: 2976)
      • msiexec.exe (PID: 1668)
      • cscript.exe (PID: 3432)
      • cscript.exe (PID: 4004)
      • SRManager.exe (PID: 2580)
      • powershell.exe (PID: 1936)

    • Reads CPU info

      • svchost.exe (PID: 2016)

    • Reads Microsoft Office registry keys

      • AgentPackageAgentInformation.exe (PID: 2748)
      • AgentPackageAgentInformation.exe (PID: 3036)

    • Dropped object may contain Bitcoin addresses

      • AgentPackageWindowsUpdate.exe (PID: 1172)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.msi | Microsoft Windows Installer (98.5)
.msi | Microsoft Installer (100)

EXIF

FlashPix

Security: Read-only recommended
Software: Windows Installer XML Toolset (3.11.2.4516)
Words: 6
Pages: 200
ModifyDate: 2021:11:14 18:14:18
CreateDate: 2021:11:14 18:14:18
RevisionNumber: {2B8E0D9C-FD18-425C-A99E-EB91D57A1FD2}
Template: Intel;1033
Comments: This installer database contains the logic and data required to install AteraAgent.
Keywords: Installer
Author: Atera networks
Subject: AteraAgent
Title: Installation Database
CodePage: Windows Latin 1 (Western European)
No data.
screenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
199
Monitored processes
107
Malicious processes
47
Suspicious processes
13

Behavior graph

Click at the process to see the details
start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start msiexec.exe no specs msiexec.exe vssvc.exe no specs msiexec.exe no specs ateraagent.exe no specs ateraagent.exe sc.exe no specs agentpackageagentinformation.exe cmd.exe no specs cscript.exe no specs agentpackagemonitoring.exe agentpackageagentinformation.exe agentpackagemonitoring.exe agentpackagestremote.exe agentpackagewindowsupdate.exe cmd.exe no specs cscript.exe no specs agentpackageadremote.exe agentpackageticketing.exe agentpackageupgradeagent.exe agentpackageupgradeagent.exe no specs agentpackageinternalpoller.exe agentpackageprogrammanagement.exe agentpackageheartbeat.exe no specs agentpackageinternalpoller.exe agentpackagetaskscheduler.exe no specs agentpackagenetworkdiscovery.exe no specs agentpackageheartbeat.exe splashtopstreamer3360.exe prevercheck.exe msiexec.exe no specs msiexec.exe cmd.exe no specs taskkill.exe no specs cmd.exe no specs taskkill.exe no specs cmd.exe no specs taskkill.exe no specs cmd.exe no specs taskkill.exe no specs cmd.exe no specs taskkill.exe no specs cmd.exe no specs taskkill.exe no specs cmd.exe no specs taskkill.exe no specs cmd.exe no specs taskkill.exe no specs setuputil.exe no specs regedit.exe no specs setuputil.exe no specs regedit.exe no specs reg.exe no specs setuputil.exe cmd.exe no specs wevtutil.exe no specs cmd.exe no specs wevtutil.exe no specs svchost.exe no specs srselfsigncertutil.exe ssu_clean.exe no specs splashtop_software_updater.exe ssuservice.exe srservice.exe no specs srservice.exe no specs srservice.exe no specs srmanager.exe srutility.exe no specs srserver.exe no specs sragent.exe no specs srapppb.exe no specs srfeature.exe no specs srdetect.exe no specs srutility.exe no specs agentpackageheartbeat.exe srutility.exe no specs agentpackagestremote.exe no specs srutility.exe no specs agentpackagemonitoring.exe agentpackagesystemtools.exe runscriptasuser.exe no specs cmd.exe no specs powershell.exe cmd.exe no specs ping.exe no specs agentpackageheartbeat.exe cmd.exe no specs ping.exe no specs agentpackageinternalpoller.exe no specs cmd.exe no specs ping.exe no specs agentpackageheartbeat.exe agentpackagestremote.exe no specs srutility.exe no specs ping.exe no specs cmd.exe no specs ping.exe no specs cmd.exe no specs agentpackagemonitoring.exe agentpackageheartbeat.exe cmd.exe no specs ping.exe no specs agentpackagestremote.exe no specs srutility.exe no specs ping.exe no specs cmd.exe no specs agentpackageheartbeat.exe

Process information

PID
CMD
Path
Indicators
Parent process
292regedit.exe /s "C:\Windows\TEMP\{B7C5EA94-B96A-41F5-BE95-25D78B486678}\InstRegExp.reg"C:\Windows\regedit.exeMsiExec.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Registry Editor
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\regedit.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
292cmd /c new.batC:\Windows\system32\cmd.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
1
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
400cmd /c new.batC:\Windows\system32\cmd.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
1
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
440taskkill.exe /F /IM SRAgent.exe /TC:\Windows\system32\taskkill.execmd.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Terminates Processes
Exit code:
128
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ntdll.dll
c:\windows\system32\taskkill.exe
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\version.dll
c:\windows\system32\user32.dll
440"C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.exe" 401ff0c4-bf69-4948-a382-a9c58806e1f0 "bb7ede02-b7bd-4dfd-b118-ac80315a9a02" agent-api.atera.com/Production 443 or8ixLi90Mf "heartbeat"C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.exe
AteraAgent.exe
User:
SYSTEM
Company:
Atera Networks
Integrity Level:
SYSTEM
Description:
AgentPackageHeartbeat
Exit code:
0
Version:
17.4.0.0
Modules
Images
c:\program files\atera networks\ateraagent\packages\agentpackageheartbeat\agentpackageheartbeat.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
484ping 127.0.0.1 -n 20 C:\Windows\system32\PING.EXEcmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
TCP/IP Ping Command
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\ping.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\nsi.dll
488ping 127.0.0.1 -n 20 C:\Windows\system32\PING.EXEcmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
TCP/IP Ping Command
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\ping.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\nsi.dll
c:\windows\system32\iphlpapi.dll
520"C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe" 401ff0c4-bf69-4948-a382-a9c58806e1f0 "20c95262-a005-4763-85c9-532844827620" agent-api.atera.com/Production 443 or8ixLi90Mf "maintain"C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe
AteraAgent.exe
User:
SYSTEM
Integrity Level:
SYSTEM
Description:
AgentPackageTicketing
Exit code:
0
Version:
20.8.0.0
Modules
Images
c:\program files\atera networks\ateraagent\packages\agentpackageticketing\agentpackageticketing.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
576C:\Windows\Temp\{B7C5EA94-B96A-41F5-BE95-25D78B486678}\SetupUtil.exe /P ST_EVENTC:\Windows\Temp\{B7C5EA94-B96A-41F5-BE95-25D78B486678}\SetupUtil.exe
MsiExec.exe
User:
SYSTEM
Company:
Splashtop Inc.
Integrity Level:
SYSTEM
Description:
Splashtop� Streamer Setup Utility
Exit code:
0
Version:
1.0.3.5
Modules
Images
c:\windows\temp\{b7c5ea94-b96a-41f5-be95-25d78b486678}\setuputil.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winspool.drv
584"C:\Program Files\ATERA Networks\AteraAgent\AteraAgent.exe"C:\Program Files\ATERA Networks\AteraAgent\AteraAgent.exe
services.exe
User:
SYSTEM
Company:
ATERA Networks Ltd.
Integrity Level:
SYSTEM
Description:
AteraAgent
Exit code:
0
Version:
1.8.2.3
Modules
Images
c:\windows\system32\mscoree.dll
c:\windows\system32\ntdll.dll
c:\program files\atera networks\ateraagent\ateraagent.exe
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shlwapi.dll
Total events
107 763
Read events
105 888
Write events
1 850
Delete events
25

Modification events

(PID) Process:(2976) msiexec.exeKey:HKEY_CLASSES_ROOT\Local Settings\MuiCache\16C\52C64B7E
Operation:writeName:LanguageList
Value:
en-US
(PID) Process:(1668) msiexec.exeKey:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SystemRestore
Operation:writeName:SrCreateRp (Enter)
Value:
40000000000000005741F726A612D80184060000A4050000D5070000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:(1668) msiexec.exeKey:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SPP
Operation:writeName:SppCreate (Enter)
Value:
4000000000000000B1A3F926A612D80184060000A4050000D0070000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:(1668) msiexec.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SPP
Operation:writeName:LastIndex
Value:
69
(PID) Process:(1668) msiexec.exeKey:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SPP
Operation:writeName:SppGatherWriterMetadata (Enter)
Value:
40000000000000003D2A4127A612D80184060000A4050000D3070000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:(1668) msiexec.exeKey:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssapiPublisher
Operation:writeName:IDENTIFY (Enter)
Value:
40000000000000003D2A4127A612D8018406000078000000E803000001000000000000000000000091BC622EECF99E4B9D6A39239C5F6FFD0000000000000000
(PID) Process:(3100) vssvc.exeKey:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer
Operation:writeName:IDENTIFY (Enter)
Value:
4000000000000000F1EE4527A612D8011C0C0000A4090000E8030000010000000100000000000000000000000000000000000000000000000000000000000000
(PID) Process:(3100) vssvc.exeKey:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer
Operation:writeName:IDENTIFY (Enter)
Value:
4000000000000000F1EE4527A612D8011C0C00002C0B0000E8030000010000000100000000000000000000000000000000000000000000000000000000000000
(PID) Process:(3100) vssvc.exeKey:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\ASR Writer
Operation:writeName:IDENTIFY (Enter)
Value:
4000000000000000F1EE4527A612D8011C0C000078090000E8030000010000000100000000000000000000000000000000000000000000000000000000000000
(PID) Process:(3100) vssvc.exeKey:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer
Operation:writeName:IDENTIFY (Enter)
Value:
4000000000000000F1EE4527A612D8011C0C000090090000E8030000010000000100000000000000000000000000000000000000000000000000000000000000
Executable files
355
Suspicious files
106
Text files
184
Unknown types
41

Dropped files

PID
Process
Filename
Type
1668msiexec.exeC:\System Volume Information\SPP\metadata-2
MD5:
SHA256:
1668msiexec.exeC:\System Volume Information\SPP\snapshot-2binary
MD5:
SHA256:
1668msiexec.exeC:\System Volume Information\SPP\OnlineMetadataCache\{2e62bc91-f9ec-4b9e-9d6a-39239c5f6ffd}_OnDiskSnapshotPropbinary
MD5:
SHA256:
2176AteraAgent.exeC:\Program Files\ATERA Networks\AteraAgent\log.txttext
MD5:
SHA256:
1668msiexec.exeC:\Windows\Installer\e3d72.msiexecutable
MD5:
SHA256:
1668msiexec.exeC:\Users\admin\AppData\Local\Temp\~DF80066B77370E3543.TMPgmc
MD5:
SHA256:
1668msiexec.exeC:\Windows\Installer\e3d73.ipibinary
MD5:
SHA256:
1668msiexec.exeC:\Windows\Installer\MSI42F0.tmpbinary
MD5:
SHA256:
1668msiexec.exeC:\Windows\Installer\e3d75.msiexecutable
MD5:
SHA256:
1668msiexec.exeC:\Config.Msi\e3d74.rbsbinary
MD5:
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
9
TCP/UDP connections
67
DNS requests
42
Threats
24

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
584
AteraAgent.exe
GET
200
93.184.220.29:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSPwl%2BrBFlJbvzLXU1bGW08VysJ2wQUj%2Bh%2B8G0yagAFI8dwl2o6kP9r6tQCEA9Pb936OTbfiKMzmkd4EHs%3D
US
der
471 b
whitelisted
2580
SRManager.exe
GET
200
23.37.43.27:80
http://sv.symcd.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQe6LNDJdqx%2BJOp7hVgTeaGFJ%2FCQgQUljtT8Hkzl699g%2B8uK8zKt4YecmYCEHhvSYT5N0gvTTb3x7RJTGs%3D
NL
der
1.47 Kb
shared
2064
SSUService.exe
POST
107.22.247.100:80
http://ds1.devicevm.com/
US
suspicious
2580
SRManager.exe
GET
200
23.37.43.27:80
http://s2.symcb.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBS56bKHAoUD%2BOyl%2B0LhPg9JxyQm4gQUf9Nlp8Ld7LvwMAnzQzn6Aq8zMTMCED141%2Fl2SWCyYX308B7Khio%3D
NL
der
1.52 Kb
whitelisted
2064
SSUService.exe
GET
301
34.194.228.52:80
http://sn.splashtop.com/file_system/apt_repository/dists/ProtoSSU01/released/binary-i386/Packages.gz
US
html
134 b
unknown
584
AteraAgent.exe
GET
200
104.18.10.39:80
http://cacerts.thawte.com/ThawteRSACA2018.crt
US
der
1.14 Kb
whitelisted
584
AteraAgent.exe
GET
200
93.184.220.29:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfqhLjKLEJQZPin0KCzkdAQpVYowQUsT7DaQP4v0cB1JgmGggC72NkK8MCEAPxtOFfOoLxFJZ4s9fYR1w%3D
US
der
471 b
whitelisted
584
AteraAgent.exe
GET
200
104.18.11.39:80
http://cacerts.digicert.com/DigiCertEVCodeSigningCA-SHA2.crt
US
der
1.69 Kb
whitelisted
584
AteraAgent.exe
GET
200
209.197.3.8:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?0c6b94bb79b70885
US
compressed
4.70 Kb
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
584
AteraAgent.exe
104.18.10.39:80
cacerts.thawte.com
Cloudflare Inc
US
shared
584
AteraAgent.exe
20.37.139.187:443
agent-api.atera.com
US
suspicious
584
AteraAgent.exe
13.107.246.44:443
ps.atera.com
Microsoft Corporation
US
suspicious
584
AteraAgent.exe
209.197.3.8:80
ctldl.windowsupdate.com
Highwinds Network Group, Inc.
US
whitelisted
584
AteraAgent.exe
104.18.11.39:80
cacerts.thawte.com
Cloudflare Inc
US
shared
584
AteraAgent.exe
93.184.220.29:80
ocsp.digicert.com
MCI Communications Services, Inc. d/b/a Verizon Business
US
whitelisted
2748
AgentPackageAgentInformation.exe
40.119.152.241:443
agent-api.atera.com
Microsoft Corporation
US
suspicious
852
AgentPackageMonitoring.exe
40.119.152.241:443
agent-api.atera.com
Microsoft Corporation
US
suspicious
1172
AgentPackageWindowsUpdate.exe
20.37.139.187:443
agent-api.atera.com
US
suspicious
520
AgentPackageTicketing.exe
152.199.23.209:443
api.nuget.org
MCI Communications Services, Inc. d/b/a Verizon Business
US
suspicious

DNS requests

Domain
IP
Reputation
agent-api.atera.com
  • 20.37.139.187
  • 40.119.152.241
suspicious
cacerts.thawte.com
  • 104.18.10.39
  • 104.18.11.39
whitelisted
ps.pndsn.com
  • 54.175.191.204
  • 54.175.191.203
suspicious
ps.atera.com
  • 13.107.246.44
  • 13.107.213.44
suspicious
ctldl.windowsupdate.com
  • 209.197.3.8
whitelisted
cacerts.digicert.com
  • 104.18.11.39
  • 104.18.10.39
whitelisted
ocsp.digicert.com
  • 93.184.220.29
whitelisted
my.splashtop.com
  • 13.57.153.19
  • 52.9.141.147
suspicious
api.nuget.org
  • 152.199.23.209
whitelisted
download.splashtop.com
  • 143.204.98.62
  • 143.204.98.68
  • 143.204.98.74
  • 143.204.98.8
suspicious

Threats

PID
Process
Class
Message
2580
SRManager.exe
Potentially Bad Traffic
ET INFO TLS Handshake Failure
23 ETPRO signatures available at the full report
Process
Message
SplashtopStreamer3360.exe
[1996]2022-01-26 11:18:08 [CUtility::OSInfo] OS 6.1(7601) Service Pack 1 x64:0 (Last=0)
SplashtopStreamer3360.exe
[1996]2022-01-26 11:18:08 [CUnPack::FindHeader] Name:C:\Windows\TEMP\SplashtopStreamer3360.exe (Last=0)
SplashtopStreamer3360.exe
[1996]2022-01-26 11:18:08 [CUnPack::FindHeader] Sign Size:7776 (Last=0)
SplashtopStreamer3360.exe
[1996]2022-01-26 11:18:08 [CUnPack::FindHeader] Header offset:429568 (Last=183)
SplashtopStreamer3360.exe
[1996]2022-01-26 11:18:08 [CUnPack::UnPackFiles] FreeSpace:234128191488 FileSize:34159616 (Last=0)
SplashtopStreamer3360.exe
[1996]2022-01-26 11:18:08 [CUnPack::UnPackFiles] (1/5)UnPack file name:C:\Windows\TEMP\unpack\setup.msi (34159616) (Last=0)
SplashtopStreamer3360.exe
[1996]2022-01-26 11:18:08 [CUnPack::UnPackFiles] UnPack count:1 len:34159616 File:(null) (Last=0)
SplashtopStreamer3360.exe
[1996]2022-01-26 11:18:08 [CUnPack::UnPackFiles] FreeSpace:234094026752 FileSize:15 (Last=183)
SplashtopStreamer3360.exe
[1996]2022-01-26 11:18:08 [CUnPack::UnPackFiles] (2/5)UnPack file name:C:\Windows\TEMP\unpack\run.bat (15) (Last=122)
SplashtopStreamer3360.exe
[1996]2022-01-26 11:18:08 [CUnPack::UnPackFiles] UnPack count:2 len:15 File:(null) (Last=0)
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
setup.msi