File name: Ösztöndíjprogram.msi (the file name is Hungarian for "Scholarship programme")

Full analysis: https://app.any.run/tasks/54e2a425-ab8d-4edb-957b-e368bc8287b9
Verdict: Malicious activity
Analysis date: April 14, 2025, 09:10:47
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags: generated-doc, atera, rmm-tool, splashtop
Indicators:
MIME: application/x-msi
File info: Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Code page: 1252, Title: Installation Database, Subject: AteraAgent, Author: Atera networks, Keywords: Installer, Comments: This installer database contains the logic and data required to install AteraAgent., Template: Intel;1033, Revision Number: {721AD955-79FD-4019-BBF5-9DCC4C1175BB}, Create Time/Date: Wed Feb 28 10:52:02 2024, Last Saved Time/Date: Wed Feb 28 10:52:02 2024, Number of Pages: 200, Number of Words: 6, Name of Creating Application: Windows Installer XML Toolset (3.11.2.4516), Security: 2
MD5: E52455D67D3D45211AAE128BDA4F57E9
SHA1: 6D1A56218A110CB0BD5539F946FA0055AC0962AE
SHA256: 7261E0C3D40BCAAB476D265D98935C23379E2536E459503F27ECDA30180DB7D9
SSDEEP: 98304:NIZTffzvns6eLKLdpRwznfsJb+7J7ERXndiWaKzPtSjXmbABY/lT8vjkZBvrePVE:i3XP9No

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Starts NET.EXE for service management

      • net.exe (PID: 5332)
      • msiexec.exe (PID: 664)
      • msiexec.exe (PID: 2096)
      • net.exe (PID: 8792)
      • net.exe (PID: 8568)
    • Bypass execution policy to execute commands

      • powershell.exe (PID: 7692)
      • powershell.exe (PID: 9128)
    • Changes powershell execution policy (Bypass)

      • AgentPackageAgentInformation.exe (PID: 7564)
      • AgentPackageAgentInformation.exe (PID: 3956)
    • Executing a file with an untrusted certificate

      • SRSelfSignCertUtil.exe (PID: 2392)
    • ATERA mutex has been found

      • AgentPackageInternalPoller.exe (PID: 7820)
      • AgentPackageMonitoring.exe (PID: 1180)
      • AgentPackageInternalPoller.exe (PID: 1128)
      • AgentPackageMonitoring.exe (PID: 8716)
  • SUSPICIOUS

    • Process drops legitimate windows executable

      • msiexec.exe (PID: 1512)
      • msiexec.exe (PID: 7244)
      • AteraAgent.exe (PID: 7324)
      • AteraAgent.exe (PID: 2268)
      • AgentPackageUpgradeAgent.exe (PID: 5776)
      • 8-0-11.exe (PID: 6660)
      • 8-0-11.exe (PID: 7740)
      • dotnet-runtime-8.0.11-win-x64.exe (PID: 8788)
      • AteraAgent.exe (PID: 924)
      • Agent.Package.Availability.exe (PID: 8140)
    • Executes as Windows Service

      • VSSVC.exe (PID: 7332)
      • AteraAgent.exe (PID: 7324)
      • AteraAgent.exe (PID: 2268)
      • SRService.exe (PID: 7628)
      • AteraAgent.exe (PID: 924)
    • Potential Corporate Privacy Violation

      • rundll32.exe (PID: 4120)
      • AteraAgent.exe (PID: 7324)
      • AgentPackageAgentInformation.exe (PID: 1132)
      • AgentPackageAgentInformation.exe (PID: 1660)
      • AteraAgent.exe (PID: 2268)
      • AgentPackageMonitoring.exe (PID: 4488)
      • AgentPackageAgentInformation.exe (PID: 7564)
      • AgentPackageInternalPoller.exe (PID: 7820)
      • AgentPackageMarketplace.exe (PID: 8120)
      • AgentPackageTicketing.exe (PID: 7084)
      • rundll32.exe (PID: 6268)
      • AgentPackageMonitoring.exe (PID: 1180)
      • AgentPackageAgentInformation.exe (PID: 3956)
      • rundll32.exe (PID: 7952)
      • AteraAgent.exe (PID: 924)
      • Agent.Package.Availability.exe (PID: 8140)
      • AgentPackageInternalPoller.exe (PID: 1128)
      • Agent.Package.Software.exe (PID: 2960)
      • AgentPackageMarketplace.exe (PID: 8388)
      • AgentPackageSTRemote.exe (PID: 9092)
    • Executable content was dropped or overwritten

      • rundll32.exe (PID: 5668)
      • rundll32.exe (PID: 780)
      • rundll32.exe (PID: 4120)
      • rundll32.exe (PID: 732)
      • AteraAgent.exe (PID: 7324)
      • csc.exe (PID: 5436)
      • SplashtopStreamer.exe (PID: 904)
      • PreVerCheck.exe (PID: 7212)
      • SetupUtil.exe (PID: 2340)
      • AteraAgent.exe (PID: 2268)
      • AgentPackageTicketing.exe (PID: 7084)
      • AgentPackageUpgradeAgent.exe (PID: 5776)
      • rundll32.exe (PID: 1532)
      • csc.exe (PID: 6344)
      • rundll32.exe (PID: 6268)
      • rundll32.exe (PID: 8616)
      • 8-0-11.exe (PID: 6660)
      • 8-0-11.exe (PID: 7740)
      • AgentPackageRuntimeInstaller.exe (PID: 920)
      • dotnet-runtime-8.0.11-win-x64.exe (PID: 8788)
      • rundll32.exe (PID: 7952)
      • AteraAgent.exe (PID: 924)
      • Agent.Package.Availability.exe (PID: 8140)
      • Agent.Package.Software.exe (PID: 2960)
      • Agent.Package.Watchdog.exe (PID: 7852)
      • AgentPackageTicketing.exe (PID: 8996)
    • Reads the Windows owner or organization settings

      • msiexec.exe (PID: 7244)
    • Uses TASKKILL.EXE to kill process

      • msiexec.exe (PID: 664)
      • cmd.exe (PID: 7580)
      • cmd.exe (PID: 7676)
      • cmd.exe (PID: 3332)
      • cmd.exe (PID: 8168)
      • cmd.exe (PID: 7208)
      • cmd.exe (PID: 7372)
      • cmd.exe (PID: 5112)
      • cmd.exe (PID: 2084)
      • cmd.exe (PID: 872)
      • cmd.exe (PID: 4164)
      • msiexec.exe (PID: 2096)
    • ATERAAGENT has been detected

      • AteraAgent.exe (PID: 3008)
      • AteraAgent.exe (PID: 7324)
      • AteraAgent.exe (PID: 2268)
      • AteraAgent.exe (PID: 8984)
      • AteraAgent.exe (PID: 8832)
      • AteraAgent.exe (PID: 924)
    • Reads security settings of Internet Explorer

      • AteraAgent.exe (PID: 3008)
      • AteraAgent.exe (PID: 7324)
      • AteraAgent.exe (PID: 2268)
      • AgentPackageAgentInformation.exe (PID: 7564)
      • SplashtopStreamer.exe (PID: 904)
      • SetupUtil.exe (PID: 2340)
      • AgentPackageAgentInformation.exe (PID: 3956)
      • 8-0-11.exe (PID: 7740)
      • AteraAgent.exe (PID: 924)
    • Reads the date of Windows installation

      • AteraAgent.exe (PID: 7324)
      • AteraAgent.exe (PID: 2268)
      • AteraAgent.exe (PID: 924)
    • Restarts service on failure

      • sc.exe (PID: 7900)
      • sc.exe (PID: 5548)
      • sc.exe (PID: 4976)
    • Starts SC.EXE for service management

      • AteraAgent.exe (PID: 7324)
      • AteraAgent.exe (PID: 2268)
      • AteraAgent.exe (PID: 924)
    • The process bypasses the loading of PowerShell profile settings

      • AgentPackageAgentInformation.exe (PID: 7564)
      • AgentPackageAgentInformation.exe (PID: 3956)
      • AgentPackageAgentInformation.exe (PID: 7220)
    • Starts POWERSHELL.EXE for commands execution

      • AgentPackageAgentInformation.exe (PID: 7564)
      • cmd.exe (PID: 7752)
      • AgentPackageAgentInformation.exe (PID: 3956)
      • cmd.exe (PID: 8140)
      • AgentPackageAgentInformation.exe (PID: 7220)
    • The process executes Powershell scripts

      • AgentPackageAgentInformation.exe (PID: 7564)
      • cmd.exe (PID: 7752)
      • AgentPackageAgentInformation.exe (PID: 3956)
      • cmd.exe (PID: 8140)
      • AgentPackageAgentInformation.exe (PID: 7220)
    • CSC.EXE is used to compile C# code

      • csc.exe (PID: 5436)
      • csc.exe (PID: 6344)
    • Starts CMD.EXE for commands execution

      • AgentPackageAgentInformation.exe (PID: 7564)
      • msiexec.exe (PID: 684)
      • SetupUtil.exe (PID: 2340)
      • AgentPackageRuntimeInstaller.exe (PID: 920)
      • AgentPackageAgentInformation.exe (PID: 3956)
      • AgentPackageRuntimeInstaller.exe (PID: 1676)
    • The process executes VB scripts

      • cmd.exe (PID: 8124)
      • cmd.exe (PID: 8372)
    • Accesses computer name via WMI (SCRIPT)

      • cscript.exe (PID: 5008)
      • cscript.exe (PID: 8444)
    • Gets the drive type (SCRIPT)

      • cscript.exe (PID: 5008)
      • cscript.exe (PID: 8444)
    • Creates FileSystem object to access computer's file system (SCRIPT)

      • cscript.exe (PID: 5008)
      • cscript.exe (PID: 8444)
    • Gets full path of the running script (SCRIPT)

      • cscript.exe (PID: 5008)
      • cscript.exe (PID: 8444)
    • Gets a collection of all available drive names (SCRIPT)

      • cscript.exe (PID: 5008)
      • cscript.exe (PID: 8444)
    • The process creates files with name similar to system file names

      • WerFault.exe (PID: 5112)
      • msiexec.exe (PID: 7244)
      • AteraAgent.exe (PID: 2268)
      • WerFault.exe (PID: 8872)
    • Accesses WMI object, sets custom ImpersonationLevel (SCRIPT)

      • cscript.exe (PID: 5008)
      • cscript.exe (PID: 8444)
    • Executes application which crashes

      • cscript.exe (PID: 5008)
      • cscript.exe (PID: 8444)
    • Drops a system driver (possible attempt to evade defenses)

      • msiexec.exe (PID: 7244)
    • Searches for installed software

      • AgentPackageAgentInformation.exe (PID: 7564)
      • 8-0-11.exe (PID: 7740)
      • dotnet-runtime-8.0.11-win-x64.exe (PID: 8788)
      • Agent.Package.Software.exe (PID: 2960)
    • Creates/Modifies COM task schedule object

      • SRService.exe (PID: 7320)
    • Starts a Microsoft application from unusual location

      • 8-0-11.exe (PID: 7740)
      • dotnet-runtime-8.0.11-win-x64.exe (PID: 8788)
    • Starts itself from another location

      • 8-0-11.exe (PID: 7740)
      • Agent.Package.Availability.exe (PID: 8140)
    • Creates a software uninstall entry

      • dotnet-runtime-8.0.11-win-x64.exe (PID: 8788)
    • Connects to unusual port

      • Agent.Package.Availability.exe (PID: 8140)
      • Agent.Package.Availability.exe (PID: 5400)
  • INFO

    • Creates files or folders in the user directory

      • msiexec.exe (PID: 1512)
    • Reads security settings of Internet Explorer

      • msiexec.exe (PID: 1512)
    • Reads the computer name

      • msiexec.exe (PID: 7244)
      • msiexec.exe (PID: 4040)
      • AteraAgent.exe (PID: 3008)
      • AteraAgent.exe (PID: 7324)
      • msiexec.exe (PID: 664)
      • AgentPackageAgentInformation.exe (PID: 1132)
      • AgentPackageAgentInformation.exe (PID: 1660)
      • AgentPackageAgentInformation.exe (PID: 7084)
      • AgentPackageAgentInformation.exe (PID: 7564)
      • AgentPackageSTRemote.exe (PID: 5360)
      • AgentPackageMonitoring.exe (PID: 4488)
      • SplashtopStreamer.exe (PID: 904)
      • _is783A.exe (PID: 3024)
      • _is783A.exe (PID: 7608)
      • _is783A.exe (PID: 4920)
      • _is783A.exe (PID: 8068)
      • _is783A.exe (PID: 7664)
      • _is81E0.exe (PID: 6228)
      • _is81E0.exe (PID: 5048)
      • _is81E0.exe (PID: 5964)
      • _is81E0.exe (PID: 6272)
      • _is81E0.exe (PID: 7620)
      • _is81E0.exe (PID: 744)
      • _is81E0.exe (PID: 2064)
      • _is9F3D.exe (PID: 7300)
      • _is81E0.exe (PID: 3024)
      • _is9F3D.exe (PID: 3032)
      • _is9F3D.exe (PID: 7800)
      • SetupUtil.exe (PID: 2340)
      • _is9F3D.exe (PID: 5232)
      • _is9F3D.exe (PID: 1096)
      • AgentPackageAgentInformation.exe (PID: 3956)
      • _isB2E6.exe (PID: 7752)
      • _isB2E6.exe (PID: 5304)
      • _isB2E6.exe (PID: 3100)
      • _isB2E6.exe (PID: 5064)
      • _isB2E6.exe (PID: 5800)
      • _isB2E6.exe (PID: 5552)
      • _isB2E6.exe (PID: 2100)
      • SRService.exe (PID: 7320)
      • AgentPackageInternalPoller.exe (PID: 7820)
      • AgentPackageMonitoring.exe (PID: 1180)
      • AgentPackageSystemTools.exe (PID: 4976)
      • AgentPackageRuntimeInstaller.exe (PID: 920)
      • _isBE41.exe (PID: 7924)
      • _isBE41.exe (PID: 5600)
      • _isBE41.exe (PID: 668)
      • AgentPackageMarketplace.exe (PID: 8120)
      • _isBE41.exe (PID: 6004)
      • _isBE41.exe (PID: 7000)
      • _isBE41.exe (PID: 4056)
      • _isBE41.exe (PID: 5756)
      • _isBE41.exe (PID: 8032)
      • AgentPackageADRemote.exe (PID: 2284)
      • SRService.exe (PID: 7224)
      • SRService.exe (PID: 7628)
      • Agent.Package.Availability.exe (PID: 4976)
      • Agent.Package.Watchdog.exe (PID: 6192)
      • AgentPackageOsUpdates.exe (PID: 6148)
      • msiexec.exe (PID: 2096)
      • SRManager.exe (PID: 7304)
      • SRServer.exe (PID: 856)
      • AteraAgent.exe (PID: 8984)
      • 8-0-11.exe (PID: 7740)
      • dotnet-runtime-8.0.11-win-x64.exe (PID: 8788)
      • AteraAgent.exe (PID: 924)
      • SRVirtualDisplay.exe (PID: 5132)
      • msiexec.exe (PID: 7296)
      • msiexec.exe (PID: 1676)
      • AgentPackageInternalPoller.exe (PID: 1128)
      • Agent.Package.Availability.exe (PID: 8140)
      • AgentPackageMarketplace.exe (PID: 8388)
      • AgentPackageSTRemote.exe (PID: 9092)
      • AgentPackageADRemote.exe (PID: 9040)
      • Agent.Package.Watchdog.exe (PID: 7852)
      • Agent.Package.Availability.exe (PID: 5400)
    • Reads the software policy settings

      • msiexec.exe (PID: 1512)
      • msiexec.exe (PID: 7244)
      • rundll32.exe (PID: 4120)
      • AteraAgent.exe (PID: 3008)
      • rundll32.exe (PID: 732)
      • AteraAgent.exe (PID: 7324)
      • AgentPackageAgentInformation.exe (PID: 1660)
      • AteraAgent.exe (PID: 2268)
      • AgentPackageSTRemote.exe (PID: 5360)
      • cscript.exe (PID: 5008)
      • msiexec.exe (PID: 684)
      • AgentPackageAgentInformation.exe (PID: 7564)
      • AgentPackageHeartbeat.exe (PID: 6208)
      • AgentPackageInternalPoller.exe (PID: 7820)
      • AgentPackageMarketplace.exe (PID: 8120)
      • AgentPackageUpgradeAgent.exe (PID: 5776)
      • SRManager.exe (PID: 7304)
      • AgentPackageTicketing.exe (PID: 7084)
      • rundll32.exe (PID: 6268)
      • cscript.exe (PID: 8444)
      • rundll32.exe (PID: 7952)
      • AteraAgent.exe (PID: 8832)
      • AgentPackageAgentInformation.exe (PID: 3956)
      • AteraAgent.exe (PID: 924)
      • AgentPackageInternalPoller.exe (PID: 1128)
      • AgentPackageRuntimeInstaller.exe (PID: 920)
      • Agent.Package.Software.exe (PID: 2960)
      • Agent.Package.Availability.exe (PID: 8140)
      • Agent.Package.Availability.exe (PID: 5400)
      • AgentPackageTicketing.exe (PID: 8996)
    • Checks supported languages

      • msiexec.exe (PID: 7244)
      • msiexec.exe (PID: 4040)
      • AteraAgent.exe (PID: 3008)
      • AteraAgent.exe (PID: 7324)
      • msiexec.exe (PID: 664)
      • AgentPackageAgentInformation.exe (PID: 1132)
      • AgentPackageAgentInformation.exe (PID: 7084)
      • AgentPackageAgentInformation.exe (PID: 7564)
      • AgentPackageAgentInformation.exe (PID: 1660)
      • AgentPackageMonitoring.exe (PID: 4488)
      • AteraAgent.exe (PID: 2268)
      • AgentPackageSTRemote.exe (PID: 5360)
      • cvtres.exe (PID: 7848)
      • csc.exe (PID: 5436)
      • msiexec.exe (PID: 684)
      • SplashtopStreamer.exe (PID: 904)
      • PreVerCheck.exe (PID: 7212)
      • _is783A.exe (PID: 4112)
      • _is783A.exe (PID: 4920)
      • _is783A.exe (PID: 7664)
      • _is783A.exe (PID: 7608)
      • _is783A.exe (PID: 8068)
      • _is783A.exe (PID: 3024)
      • _is81E0.exe (PID: 6272)
      • _is81E0.exe (PID: 7620)
      • _is81E0.exe (PID: 5048)
      • _is81E0.exe (PID: 6228)
      • _is81E0.exe (PID: 2064)
      • _is81E0.exe (PID: 3024)
      • _is9F3D.exe (PID: 7300)
      • _is9F3D.exe (PID: 5232)
      • _is81E0.exe (PID: 5964)
      • _is81E0.exe (PID: 744)
      • _is9F3D.exe (PID: 7800)
      • SetupUtil.exe (PID: 6148)
      • SetupUtil.exe (PID: 5008)
      • _is9F3D.exe (PID: 1096)
      • _is9F3D.exe (PID: 3032)
      • SetupUtil.exe (PID: 2340)
      • _isB2E6.exe (PID: 7752)
      • AgentPackageAgentInformation.exe (PID: 3956)
      • SRSelfSignCertUtil.exe (PID: 2392)
      • _isB2E6.exe (PID: 3100)
      • _isB2E6.exe (PID: 5064)
      • _isB2E6.exe (PID: 5800)
      • _isB2E6.exe (PID: 5304)
      • _isB2E6.exe (PID: 5552)
      • _isB2E6.exe (PID: 2100)
      • SRService.exe (PID: 7320)
      • AgentPackageInternalPoller.exe (PID: 7820)
      • AgentPackageMonitoring.exe (PID: 1180)
      • AgentPackageMarketplace.exe (PID: 8120)
      • AgentPackageUpgradeAgent.exe (PID: 5776)
      • AgentPackageTicketing.exe (PID: 7084)
      • AgentPackageSystemTools.exe (PID: 4976)
      • AgentPackageRuntimeInstaller.exe (PID: 920)
      • _isBE41.exe (PID: 7924)
      • _isBE41.exe (PID: 5600)
      • AgentPackageADRemote.exe (PID: 2284)
      • _isBE41.exe (PID: 7000)
      • _isBE41.exe (PID: 6004)
      • _isBE41.exe (PID: 4056)
      • _isBE41.exe (PID: 8032)
      • _isBE41.exe (PID: 5756)
      • _isBE41.exe (PID: 668)
      • SRService.exe (PID: 7628)
      • SRManager.exe (PID: 7304)
      • SRService.exe (PID: 7224)
      • Agent.Package.Watchdog.exe (PID: 6192)
      • msiexec.exe (PID: 2096)
      • Agent.Package.Availability.exe (PID: 4976)
      • AgentPackageOsUpdates.exe (PID: 6148)
      • csc.exe (PID: 6344)
      • SRServer.exe (PID: 856)
      • SRAppPB.exe (PID: 8260)
      • SRFeature.exe (PID: 8472)
      • SRUtility.exe (PID: 8532)
      • SRAgent.exe (PID: 8236)
      • AteraAgent.exe (PID: 8984)
      • BdEpSDK.exe (PID: 9068)
      • 8-0-11.exe (PID: 6660)
      • 8-0-11.exe (PID: 7740)
      • dotnet-runtime-8.0.11-win-x64.exe (PID: 8788)
      • AteraAgent.exe (PID: 8832)
      • AteraAgent.exe (PID: 924)
      • SRVirtualDisplay.exe (PID: 5132)
      • msiexec.exe (PID: 7296)
      • msiexec.exe (PID: 1676)
      • msiexec.exe (PID: 9084)
      • AgentPackageHeartbeat.exe (PID: 8416)
      • Agent.Package.Software.exe (PID: 2960)
      • Agent.Package.Availability.exe (PID: 8140)
      • AgentPackageInternalPoller.exe (PID: 1128)
      • dotnet.exe (PID: 904)
      • AgentPackageSTRemote.exe (PID: 9092)
      • AgentPackageMarketplace.exe (PID: 8388)
      • Agent.Package.Watchdog.exe (PID: 7852)
      • AgentPackageTicketing.exe (PID: 8996)
      • AgentPackageAgentInformation.exe (PID: 7220)
      • Agent.Package.Availability.exe (PID: 5400)
      • dotnet.exe (PID: 8132)
      • AgentPackageSystemTools.exe (PID: 7324)
    • Manages system restore points

      • SrTasks.exe (PID: 8148)
    • Reads the machine GUID from the registry

      • msiexec.exe (PID: 7244)
      • AteraAgent.exe (PID: 7324)
      • AteraAgent.exe (PID: 3008)
      • AgentPackageAgentInformation.exe (PID: 1132)
      • AgentPackageAgentInformation.exe (PID: 1660)
      • AgentPackageAgentInformation.exe (PID: 7084)
      • AgentPackageAgentInformation.exe (PID: 7564)
      • AgentPackageSTRemote.exe (PID: 5360)
      • AteraAgent.exe (PID: 2268)
      • AgentPackageMonitoring.exe (PID: 4488)
      • msiexec.exe (PID: 684)
      • AgentPackageAgentInformation.exe (PID: 3956)
      • AgentPackageInternalPoller.exe (PID: 7820)
      • AgentPackageHeartbeat.exe (PID: 6208)
      • AgentPackageUpgradeAgent.exe (PID: 5776)
      • AgentPackageMonitoring.exe (PID: 1180)
      • AgentPackageMarketplace.exe (PID: 8120)
      • AgentPackageRuntimeInstaller.exe (PID: 920)
      • SRManager.exe (PID: 7304)
      • csc.exe (PID: 6344)
      • AteraAgent.exe (PID: 8984)
      • AteraAgent.exe (PID: 8832)
      • AteraAgent.exe (PID: 924)
      • AgentPackageHeartbeat.exe (PID: 8416)
      • AgentPackageSTRemote.exe (PID: 9092)
      • AgentPackageMarketplace.exe (PID: 8388)
      • AgentPackageADRemote.exe (PID: 9040)
      • Agent.Package.Availability.exe (PID: 8140)
      • AgentPackageAgentInformation.exe (PID: 7220)
      • AgentPackageSystemTools.exe (PID: 7324)
      • AgentPackageMonitoring.exe (PID: 8716)
      • AgentPackageRuntimeInstaller.exe (PID: 1676)
    • Disables trace logs

      • rundll32.exe (PID: 4120)
      • AteraAgent.exe (PID: 7324)
      • rundll32.exe (PID: 732)
      • AgentPackageAgentInformation.exe (PID: 1132)
      • AgentPackageAgentInformation.exe (PID: 1660)
      • AgentPackageSTRemote.exe (PID: 5360)
      • AgentPackageMonitoring.exe (PID: 4488)
      • AgentPackageAgentInformation.exe (PID: 7564)
      • AgentPackageInternalPoller.exe (PID: 7820)
      • AgentPackageHeartbeat.exe (PID: 6208)
      • AgentPackageMarketplace.exe (PID: 8120)
      • AgentPackageUpgradeAgent.exe (PID: 5776)
      • AgentPackageRuntimeInstaller.exe (PID: 920)
      • AgentPackageTicketing.exe (PID: 7084)
      • AgentPackageMonitoring.exe (PID: 1180)
      • AgentPackageAgentInformation.exe (PID: 3956)
      • AgentPackageHeartbeat.exe (PID: 8416)
      • AgentPackageMarketplace.exe (PID: 8388)
      • AgentPackageTicketing.exe (PID: 8996)
    • Create files in a temporary directory

      • rundll32.exe (PID: 5668)
      • rundll32.exe (PID: 780)
      • rundll32.exe (PID: 4120)
      • rundll32.exe (PID: 732)
    • Executable content was dropped or overwritten

      • msiexec.exe (PID: 7244)
      • msiexec.exe (PID: 684)
    • The sample compiled with english language support

      • rundll32.exe (PID: 780)
      • rundll32.exe (PID: 4120)
      • rundll32.exe (PID: 5668)
      • rundll32.exe (PID: 732)
      • AteraAgent.exe (PID: 7324)
      • SplashtopStreamer.exe (PID: 904)
      • msiexec.exe (PID: 684)
      • PreVerCheck.exe (PID: 7212)
      • msiexec.exe (PID: 7244)
      • SetupUtil.exe (PID: 2340)
      • AteraAgent.exe (PID: 2268)
      • rundll32.exe (PID: 1532)
      • rundll32.exe (PID: 6268)
      • rundll32.exe (PID: 8616)
      • 8-0-11.exe (PID: 6660)
      • dotnet-runtime-8.0.11-win-x64.exe (PID: 8788)
      • 8-0-11.exe (PID: 7740)
      • rundll32.exe (PID: 7952)
    • Checks proxy server information

      • rundll32.exe (PID: 4120)
    • Creates files in the program directory

      • AteraAgent.exe (PID: 3008)
      • AteraAgent.exe (PID: 7324)
      • AgentPackageMonitoring.exe (PID: 4488)
      • SetupUtil.exe (PID: 2340)
      • SRSelfSignCertUtil.exe (PID: 2392)
      • AteraAgent.exe (PID: 2268)
      • SRService.exe (PID: 7320)
      • AgentPackageInternalPoller.exe (PID: 7820)
      • AgentPackageRuntimeInstaller.exe (PID: 920)
      • SRManager.exe (PID: 7304)
      • AgentPackageUpgradeAgent.exe (PID: 5776)
      • AgentPackageTicketing.exe (PID: 7084)
      • SRAgent.exe (PID: 8236)
      • AgentPackageMonitoring.exe (PID: 1180)
      • AteraAgent.exe (PID: 8832)
      • dotnet-runtime-8.0.11-win-x64.exe (PID: 8788)
      • AgentPackageAgentInformation.exe (PID: 3956)
      • SRVirtualDisplay.exe (PID: 5132)
      • AteraAgent.exe (PID: 924)
      • Agent.Package.Availability.exe (PID: 8140)
      • Agent.Package.Software.exe (PID: 2960)
      • AgentPackageInternalPoller.exe (PID: 1128)
      • AgentPackageMonitoring.exe (PID: 8716)
      • AgentPackageRuntimeInstaller.exe (PID: 1676)
    • Reads Environment values

      • AteraAgent.exe (PID: 7324)
      • AteraAgent.exe (PID: 3008)
      • AgentPackageAgentInformation.exe (PID: 1132)
      • AgentPackageAgentInformation.exe (PID: 7084)
      • AteraAgent.exe (PID: 2268)
      • AgentPackageAgentInformation.exe (PID: 1660)
      • AgentPackageSTRemote.exe (PID: 5360)
      • AgentPackageMonitoring.exe (PID: 4488)
      • AgentPackageMonitoring.exe (PID: 1180)
      • AgentPackageInternalPoller.exe (PID: 7820)
      • AgentPackageMarketplace.exe (PID: 8120)
      • AgentPackageSystemTools.exe (PID: 4976)
      • AgentPackageRuntimeInstaller.exe (PID: 920)
      • AgentPackageADRemote.exe (PID: 2284)
      • AteraAgent.exe (PID: 8984)
      • SRManager.exe (PID: 7304)
      • AteraAgent.exe (PID: 924)
      • AgentPackageHeartbeat.exe (PID: 8416)
      • AgentPackageADRemote.exe (PID: 9040)
      • AgentPackageSTRemote.exe (PID: 9092)
      • AgentPackageMarketplace.exe (PID: 8388)
      • AgentPackageAgentInformation.exe (PID: 7220)
      • AgentPackageRuntimeInstaller.exe (PID: 1676)
      • AgentPackageMonitoring.exe (PID: 8716)
    • Script raised an exception (POWERSHELL)

      • powershell.exe (PID: 7448)
      • powershell.exe (PID: 1616)
      • powershell.exe (PID: 5376)
    • SPLASHTOP has been detected

      • msiexec.exe (PID: 7244)
      • SetupUtil.exe (PID: 6148)
      • msiexec.exe (PID: 684)
      • SetupUtil.exe (PID: 5008)
      • SetupUtil.exe (PID: 2340)
      • cmd.exe (PID: 5376)
      • SRSelfSignCertUtil.exe (PID: 2392)
      • SRService.exe (PID: 7320)
      • SRService.exe (PID: 7224)
      • SRService.exe (PID: 7628)
      • SRManager.exe (PID: 7304)
      • PreVerCheck.exe (PID: 7212)
      • SRServer.exe (PID: 856)
      • SRAgent.exe (PID: 8236)
      • SRAppPB.exe (PID: 8260)
      • SRFeature.exe (PID: 8472)
      • AgentPackageSTRemote.exe (PID: 5360)
      • conhost.exe (PID: 8580)
      • SRUtility.exe (PID: 8532)
      • BdEpSDK.exe (PID: 9068)
      • SRVirtualDisplay.exe (PID: 5132)
      • AgentPackageSTRemote.exe (PID: 9092)
    • Creates a software uninstall entry

      • msiexec.exe (PID: 7244)
    • Reads product name

      • SRManager.exe (PID: 7304)
    • Process checks computer location settings

      • Agent.Package.Watchdog.exe (PID: 7852)
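The signatures above fire on behaviour that Atera's agent and the bundled Splashtop streamer show by design: service installation with restart-on-failure via sc.exe, PowerShell launched with -ExecutionPolicy Bypass and -NoProfile, runtime C# compilation through csc.exe, VBScript drive enumeration under cscript.exe. The "Malicious activity" verdict therefore reduces to one question for the responder: is this RMM tool sanctioned on the host it landed on? The following is an added triage example, not code from ANY.RUN, Atera or Splashtop. It runs those rules over constructed process-creation events shaped like the parent/child chains the report lists (PIDs taken from the report, command lines and paths assumed) and changes severity depending on an `approved_rmm` flag.

```python
"""Triage rules for the process chain this report records.

Added example, not code from ANY.RUN, Atera or Splashtop. The events are
constructed to mirror the parent/child relations in the report (msiexec.exe ->
AteraAgent.exe, AteraAgent.exe -> sc.exe, AgentPackageAgentInformation.exe ->
powershell.exe, cmd.exe -> cscript.exe, SetupUtil.exe -> SplashtopStreamer.exe);
the command lines and paths are assumptions, the report does not print them.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    image: str          # leaf file name as a Sysmon/EDR event would carry it
    cmdline: str
    parent_image: str


# Components of the two RMM products named in the report. Running them is
# only a problem when the tool is not approved for the host, so the rule
# emits "verify" rather than a malicious severity.
RMM_IMAGE_PATTERNS = [
    re.compile(r"^ateraagent\.exe$"),
    re.compile(r"^agentpackage[a-z]+\.exe$"),
    re.compile(r"^agent\.package\.[a-z]+\.exe$"),
    re.compile(r"^splashtopstreamer\.exe$"),
    re.compile(r"^sr(service|manager|server|agent|utility|feature|apppb"
               r"|virtualdisplay|selfsigncertutil)\.exe$"),
]


def is_rmm_image(image: str) -> bool:
    name = image.lower()
    return any(p.match(name) for p in RMM_IMAGE_PATTERNS)


def classify(ev: ProcEvent, approved_rmm: bool) -> list[tuple[str, str]]:
    """Return (severity, rule) pairs for one process-creation event."""
    img, parent, cmd = ev.image.lower(), ev.parent_image.lower(), ev.cmdline.lower()
    from_rmm = is_rmm_image(parent)
    out = []
    if is_rmm_image(img):
        out.append(("info" if approved_rmm else "verify", "rmm_component_running"))
    # "Bypass execution policy to execute commands" signature
    if img == "powershell.exe" and re.search(r"-(?:executionpolicy|ep|ex)\s+bypass", cmd):
        sev = "low" if approved_rmm and from_rmm else "medium"
        out.append((sev, "powershell_executionpolicy_bypass"))
    # "Restarts service on failure": sc failure <svc> ... actions= restart/...
    if img == "sc.exe" and re.search(r"\bfailure\b.*\bactions=\s*restart", cmd):
        out.append(("low" if approved_rmm else "medium", "service_failure_restart_persistence"))
    # "Starts NET.EXE for service management"
    if img == "net.exe" and re.search(r"\b(?:start|stop)\b", cmd):
        out.append(("info", "net_service_control"))
    # "CSC.EXE is used to compile C# code": Add-Type from PowerShell is the benign path
    if img == "csc.exe":
        out.append(("low" if parent == "powershell.exe" else "medium", "runtime_csharp_compile"))
    # "The process executes VB scripts" via cmd.exe -> cscript.exe
    if img == "cscript.exe" and parent == "cmd.exe":
        out.append(("low", "vbscript_via_cmd"))
    return out


def triage(events, approved_rmm: bool):
    """Run every rule over the events; the verdict hinges on whether the RMM is approved."""
    findings = [(ev.pid, sev, rule) for ev in events for sev, rule in classify(ev, approved_rmm)]
    if any(sev == "verify" for _, sev, _ in findings):
        verdict = "escalate"   # RMM agent landed on a host where it is not sanctioned
    elif findings:
        verdict = "expected"   # sanctioned install; bypass/persistence are the agent's normal behaviour
    else:
        verdict = "clean"
    return findings, verdict


# Constructed events (PIDs taken from the report, command lines and paths assumed).
SAMPLE_EVENTS = [
    ProcEvent(7324, "AteraAgent.exe", r'"C:\Program Files\ATERA Networks\AteraAgent\AteraAgent.exe"', "msiexec.exe"),
    ProcEvent(7900, "sc.exe", "sc failure AteraAgent reset= 86400 actions= restart/60000", "AteraAgent.exe"),
    ProcEvent(5332, "net.exe", "net stop AteraAgent", "msiexec.exe"),
    ProcEvent(7692, "powershell.exe",
              r"powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\Windows\Temp\agentinfo.ps1",
              "AgentPackageAgentInformation.exe"),
    ProcEvent(5436, "csc.exe", r"csc.exe /noconfig /fullpaths @C:\Windows\Temp\x.cmdline", "powershell.exe"),
    ProcEvent(5008, "cscript.exe", r"cscript //nologo C:\Windows\Temp\drives.vbs", "cmd.exe"),
    ProcEvent(904, "SplashtopStreamer.exe", "SplashtopStreamer.exe /silent", "SetupUtil.exe"),
    ProcEvent(4242, "notepad.exe", "notepad.exe", "explorer.exe"),   # control: no rule fires
]

if __name__ == "__main__":
    for approved in (False, True):
        findings, verdict = triage(SAMPLE_EVENTS, approved_rmm=approved)
        print(f"approved_rmm={approved}: verdict={verdict}")
        for pid, sev, rule in findings:
            print(f"  pid={pid:<5} {sev:<7} {rule}")
```

Running the block prints both verdicts for the same event set, which is the point: the events do not change, only the authorization context does. To feed real Sysmon Event ID 1 records, map Image and ParentImage to their leaf names before constructing ProcEvent, and source the approved-RMM decision from an asset inventory rather than a hardcoded flag.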
No Malware configuration.

TRiD

.msi | Microsoft Windows Installer (98.5)
.msi | Microsoft Installer (100)

EXIF

FlashPix

CodePage: Windows Latin 1 (Western European)
Title: Installation Database
Subject: AteraAgent
Author: Atera networks
Keywords: Installer
Comments: This installer database contains the logic and data required to install AteraAgent.
Template: Intel;1033
RevisionNumber: {721AD955-79FD-4019-BBF5-9DCC4C1175BB}
CreateDate: 2024:02:28 10:52:02
ModifyDate: 2024:02:28 10:52:02
Pages: 200
Words: 6
Software: Windows Installer XML Toolset (3.11.2.4516)
Security: Read-only recommended
Total processes: 411
Monitored processes: 269
Malicious processes: 16
Suspicious processes: 14

Behavior graph

Flattened from the interactive graph: distinct process images in order of first launch, duplicates collapsed. In the original view "no specs" marked nodes with no notable indicators and THREAT marked flagged nodes; the flagged images are noted below.

msiexec.exe, vssvc.exe, srtasks.exe, conhost.exe, rundll32.exe, net.exe, net1.exe, taskkill.exe, ateraagent.exe (THREAT), sc.exe, agentpackageagentinformation.exe, agentpackagestremote.exe, agentpackagemonitoring.exe (THREAT), powershell.exe, csc.exe, cvtres.exe, cmd.exe, cscript.exe, werfault.exe, splashtopstreamer.exe, prevercheck.exe, _is783a.exe, _is81e0.exe, _is9f3d.exe, setuputil.exe, srselfsigncertutil.exe, slui.exe, _isb2e6.exe, srservice.exe, agentpackageheartbeat.exe, agentpackageinternalpoller.exe (THREAT), agentpackagemarketplace.exe, agentpackageupgradeagent.exe, agentpackagesystemtools.exe, agentpackageticketing.exe, agentpackageruntimeinstaller.exe, _isbe41.exe, agentpackageadremote.exe, srmanager.exe, agent.package.availability.exe, agent.package.software.exe, agent.package.watchdog.exe, agentpackageosupdates.exe, srserver.exe, sragent.exe, srapppb.exe, srfeature.exe, srutility.exe, bdepsdk.exe, 8-0-11.exe, dotnet-runtime-8.0.11-win-x64.exe, srvirtualdisplay.exe, dotnet.exe

Process information

Columns: PID | CMD | Path | Indicators | Parent process

PID: 664
CMD: C:\Windows\syswow64\MsiExec.exe -Embedding 607B6C999ACBD0F6F512447ED439ADD0 E Global\MSI0000
Path: C:\Windows\SysWOW64\msiexec.exe
Parent process: msiexec.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows® installer
Exit code:
0
Version:
5.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\msiexec.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\aclayers.dll
PID: 668
CMD: C:\WINDOWS\TEMP\{EE2D7DD4-03E0-4A40-B8B1-AC57C00E2EC2}\_isBE41.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{0F21FE1A-44DF-45D0-842E-F53461FD072D}
Path: C:\Windows\Temp\{EE2D7DD4-03E0-4A40-B8B1-AC57C00E2EC2}\_isBE41.exe
Parent process: msiexec.exe
User:
SYSTEM
Company:
Flexera
Integrity Level:
SYSTEM
Description:
InstallShield (R) 64-bit Setup Engine
Exit code:
0
Version:
27.0.122
Modules
Images
c:\windows\temp\{ee2d7dd4-03e0-4a40-b8b1-ac57c00e2ec2}\_isbe41.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
PID: 684
CMD: C:\Windows\syswow64\MsiExec.exe -Embedding 28877852E5ACC1FC45FAAA3972409140 E Global\MSI0000
Path: C:\Windows\SysWOW64\msiexec.exe
Parent process: msiexec.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows® installer
Exit code:
0
Version:
5.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\msiexec.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\aclayers.dll
PID: 732
CMD: rundll32.exe "C:\WINDOWS\Installer\MSI21F3.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_1122859 32 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.ReportMsiEnd
Path: C:\Windows\SysWOW64\rundll32.exe
Parent process: msiexec.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows host process (Rundll32)
Exit code:
0
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\rundll32.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\aclayers.dll
PID: 744
CMD: C:\WINDOWS\TEMP\{A5880080-D04E-462F-A8A8-6F1BBA60D3B8}\_is81E0.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{750BC36D-138A-407A-A40B-058459DA27BD}
Path: C:\Windows\Temp\{A5880080-D04E-462F-A8A8-6F1BBA60D3B8}\_is81E0.exe
Parent process: msiexec.exe
User:
SYSTEM
Company:
Flexera
Integrity Level:
SYSTEM
Description:
InstallShield (R) 64-bit Setup Engine
Exit code:
0
Version:
27.0.122
Modules
Images
c:\windows\temp\{a5880080-d04e-462f-a8a8-6f1bba60d3b8}\_is81e0.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
PID: 780
CMD: rundll32.exe "C:\WINDOWS\Installer\MSI9E0.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_1116828 2 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.GenerateAgentId
Path: C:\Windows\SysWOW64\rundll32.exe
Parent process: msiexec.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows host process (Rundll32)
Exit code:
0
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\rundll32.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\aclayers.dll
PID: 856
CMD: -h
Path: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRServer.exe
Parent process: SRManager.exe
User:
SYSTEM
Company:
Splashtop Inc.
Integrity Level:
SYSTEM
Description:
Splashtop® Streamer
Version:
3.72.4.150
Modules
Images
c:\program files (x86)\splashtop\splashtop remote\server\srserver.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
PID: 864
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: AgentPackageSystemTools.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 872
CMD: C:\Windows\SysWOW64\cmd.exe /C "taskkill.exe /F /IM SRAppPB.exe /T"
Path: C:\Windows\SysWOW64\cmd.exe
Parent process: msiexec.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows Command Processor
Exit code:
128
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\combase.dll
PID: 904
CMD: "C:\WINDOWS\TEMP\SplashtopStreamer.exe" prevercheck /s /i sec_opt=0,confirm_d=0,hidewindow=1
Path: C:\Windows\Temp\SplashtopStreamer.exe
Parent process: AgentPackageSTRemote.exe
User:
SYSTEM
Company:
Splashtop Inc.
Integrity Level:
SYSTEM
Description:
Splashtop® Streamer
Exit code:
0
Version:
3.72.4.150
Modules
Images
c:\windows\temp\splashtopstreamer.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\user32.dll
c:\windows\syswow64\win32u.dll
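The command lines in the cards above are enough to write detection logic for this deployment chain: msiexec.exe spawning rundll32.exe on an MSI*.tmp through the WiX managed custom-action export, the Atera custom-action assembly named in that command line, a forced taskkill of Splashtop's UI helper, and SplashtopStreamer.exe pushed with /s and hidewindow=1. The following is an added example, not part of the report or of Atera's tooling: a small rule set run over constructed process-creation records. PIDs 732, 780, 872 and 904 reuse the command lines shown above; the PowerShell record (PID 7692, whose command line the report does not show) and the two benign controls are invented, and the rule names, severities and threshold are this example's own choices.

```python
"""Rules for the unattended Atera + Splashtop deployment chain, run over
constructed process-creation records. Added example, not the report's tooling."""
import re
from dataclasses import dataclass
from typing import Callable, List, Tuple


@dataclass(frozen=True)
class ProcessEvent:
    pid: int
    image: str      # executable basename, lower-case
    parent: str     # parent executable basename, lower-case
    cmdline: str


def _args(e: ProcessEvent) -> List[str]:
    return e.cmdline.split()


# (name, severity, predicate). Names and severities are this example's own choices.
RULES: List[Tuple[str, int, Callable[[ProcessEvent], bool]]] = [
    # WiX DTF managed custom action: msiexec spawning rundll32 on an MSI*.tmp through the
    # zzzzInvokeManagedCustomActionOutOfProc export. Normal for WiX-built installers, so low score.
    ("wix_managed_custom_action", 1,
     lambda e: e.image == "rundll32.exe" and e.parent == "msiexec.exe"
     and "zzzzInvokeManagedCustomActionOutOfProc" in e.cmdline),
    # The Atera installer's custom-action assembly, named in the rundll32 command line.
    ("atera_custom_action_assembly", 2,
     lambda e: "AlphaControlAgentInstallation!" in e.cmdline),
    # Splashtop Streamer installed silently with its window hidden.
    ("splashtop_silent_install", 3,
     lambda e: e.image == "splashtopstreamer.exe" and "/s" in _args(e)
     and any("hidewindow=1" in a for a in _args(e))),
    # The installer force-killing Splashtop's UI helper tree.
    ("splashtop_ui_kill", 1,
     lambda e: re.search(r"taskkill(\.exe)?\s+/F\s+/IM\s+SRAppPB\.exe",
                         e.cmdline, re.I) is not None),
    # PowerShell started with the execution policy bypassed.
    ("powershell_bypass", 2,
     lambda e: e.image == "powershell.exe"
     and re.search(r"-(ex|ep|executionpolicy)\s+bypass", e.cmdline, re.I) is not None),
]


def evaluate(events: List[ProcessEvent]) -> List[Tuple[int, str, str]]:
    """Return one (pid, image, rule_name) hit per rule that fires on an event."""
    return [(e.pid, e.image, name)
            for e in events for name, _sev, pred in RULES if pred(e)]


def verdict(events: List[ProcessEvent], threshold: int = 4):
    """Add up the severities of the distinct rules that fired.
    Returns (label, score, fired_rules); the threshold is an arbitrary choice."""
    fired = {rule for _, _, rule in evaluate(events)}
    score = sum(sev for name, sev, _ in RULES if name in fired)
    return ("rmm_deployment" if score >= threshold else "benign", score, sorted(fired))


# Constructed sample. PIDs 732, 780, 872 and 904 carry the command lines from the
# process cards in the report; PID 7692's command line and the two controls are invented.
SAMPLE_EVENTS = [
    ProcessEvent(732, "rundll32.exe", "msiexec.exe",
                 r'rundll32.exe "C:\WINDOWS\Installer\MSI21F3.tmp",zzzzInvokeManagedCustomActionOutOfProc '
                 r'SfxCA_1122859 32 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.ReportMsiEnd'),
    ProcessEvent(780, "rundll32.exe", "msiexec.exe",
                 r'rundll32.exe "C:\WINDOWS\Installer\MSI9E0.tmp",zzzzInvokeManagedCustomActionOutOfProc '
                 r'SfxCA_1116828 2 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.GenerateAgentId'),
    ProcessEvent(872, "cmd.exe", "msiexec.exe",
                 r'C:\Windows\SysWOW64\cmd.exe /C "taskkill.exe /F /IM SRAppPB.exe /T"'),
    ProcessEvent(904, "splashtopstreamer.exe", "agentpackagestremote.exe",
                 r'"C:\WINDOWS\TEMP\SplashtopStreamer.exe" prevercheck /s /i sec_opt=0,confirm_d=0,hidewindow=1'),
    ProcessEvent(7692, "powershell.exe", "agentpackageagentinformation.exe",   # invented command line
                 "powershell.exe -ExecutionPolicy Bypass -NoProfile -Command Get-Service AteraAgent"),
    # benign controls (invented)
    ProcessEvent(9001, "rundll32.exe", "explorer.exe", "rundll32.exe shell32.dll,Control_RunDLL"),
    ProcessEvent(9002, "powershell.exe", "explorer.exe", "powershell.exe -NoProfile -Command Get-Date"),
]

if __name__ == "__main__":
    for hit in evaluate(SAMPLE_EVENTS):
        print(hit)
    print(verdict(SAMPLE_EVENTS))
```

The first rule fires on every WiX-built installer, so it only contributes weight; the score comes from the combination with the Atera assembly name, the silent Splashtop push and the policy bypass, which is what separates this chain from an ordinary MSI.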
Total events
138 006
Read events
135 865
Write events
1 918
Delete events
223

Modification events

(PID) Process: (7244) msiexec.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SystemRestore
Operation: write
Name: SrCreateRp (Enter)
Value:
48000000000000006D7A13221DADDB014C1C00007C1C0000D50700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process: (7244) msiexec.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation: write
Name: SppGetSnapshots (Enter)
Value:
48000000000000006D7A13221DADDB014C1C00007C1C0000D20700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process: (7244) msiexec.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation: write
Name: SppGetSnapshots (Leave)
Value:
480000000000000062E666221DADDB014C1C00007C1C0000D20700000100000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process: (7244) msiexec.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation: write
Name: SppEnumGroups (Enter)
Value:
480000000000000062E666221DADDB014C1C00007C1C0000D10700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process: (7244) msiexec.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation: write
Name: SppEnumGroups (Leave)
Value:
4800000000000000EF4969221DADDB014C1C00007C1C0000D10700000100000000000000010000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process: (7244) msiexec.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation: write
Name: SppCreate (Enter)
Value:
4800000000000000D4AD6B221DADDB014C1C00007C1C0000D00700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process: (7244) msiexec.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SPP
Operation: write
Name: LastIndex
Value:
11
(PID) Process: (7244) msiexec.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation: write
Name: SppGatherWriterMetadata (Enter)
Value:
480000000000000031A806231DADDB014C1C00007C1C0000D30700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process: (7244) msiexec.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\VssapiPublisher
Operation: write
Name: IDENTIFY (Enter)
Value:
4800000000000000E56E0B231DADDB014C1C0000401D0000E8030000010000000000000000000000605E7AF0BC98884A8E2560CB5BB60FFC00000000000000000000000000000000
(PID) Process: (7332) VSSVC.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer
Operation: write
Name: IDENTIFY (Enter)
Value:
4800000000000000669912231DADDB01A41C0000641D0000E80300000100000001000000000000000000000000000000000000000000000000000000000000000000000000000000
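The values above are binary VSS diagnostic records written while msiexec.exe creates the system restore point that precedes the install (SrCreateRp, the Spp* calls, then the IDENTIFY round-trip answered by VSSVC.exe). The decoder below is an added example, not the report's or Microsoft's code. The size, FILETIME, PID and TID it reads at offsets 0, 8, 16 and 20 line up with the PIDs the report shows for msiexec.exe (7244) and VSSVC.exe (7332) and with the analysis time; the name "call id" for the DWORD at offset 24 and the reading of offset 40 as a GUID are inferred from how the values differ between records and from the snapshot-set GUID that reappears in the dropped-files list, so treat those as an assumption. The three DWORDs after the call id are returned undecoded.

```python
"""Decode the binary records written under ...\Services\VSS\Diag.
Added example; field names past offset 23 are an assumption (see lead-in)."""
import struct
import uuid
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft: int) -> datetime:
    """Windows FILETIME (100 ns ticks since 1601-01-01 UTC) to an aware datetime."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def parse_vss_diag(hexvalue: str) -> dict:
    raw = bytes.fromhex(hexvalue)
    if len(raw) < 40:
        raise ValueError("record too short")
    # offsets: 0 size, 4 reserved, 8 FILETIME, 16 pid, 20 tid, 24 call id (assumed), 28..39 unknown
    size, _reserved, ft, pid, tid, call_id, u1, u2, u3 = struct.unpack_from("<IIQIIIIII", raw, 0)
    guid = None
    if len(raw) >= 56 and any(raw[40:56]):
        guid = str(uuid.UUID(bytes_le=raw[40:56]))   # little-endian GUID layout
    return {"size": size, "truncated": len(raw) < size,
            "timestamp": filetime_to_datetime(ft), "pid": pid, "tid": tid,
            "call_id": call_id, "unknown": (u1, u2, u3), "guid": guid}


def summary(hexvalue: str):
    """Compact tuple for quick checks: (pid, tid, call_id, (Y, M, D, h, m, s), guid)."""
    r = parse_vss_diag(hexvalue)
    t = r["timestamp"]
    return (r["pid"], r["tid"], r["call_id"],
            (t.year, t.month, t.day, t.hour, t.minute, t.second), r["guid"])


def timeline(records):
    """records: iterable of (name, hexvalue). Rows ordered by timestamp (stable sort)."""
    rows = []
    for name, hexvalue in records:
        r = parse_vss_diag(hexvalue)
        rows.append((r["timestamp"], r["pid"], r["tid"], name, r["call_id"], r["guid"]))
    return sorted(rows, key=lambda row: row[0])


# Values copied from the modification events above; the all-zero tails are written
# as "00" * n so the byte count matches the 0x48 size field exactly.
SR_CREATE_RP = "48000000" "00000000" "6D7A13221DADDB01" "4C1C0000" "7C1C0000" "D5070000" + "00" * 44
SPP_GET_SNAPSHOTS_LEAVE = ("48000000" "00000000" "62E666221DADDB01" "4C1C0000" "7C1C0000"
                           "D2070000" "01000000" + "00" * 40)
IDENTIFY_MSIEXEC = ("48000000" "00000000" "E56E0B231DADDB01" "4C1C0000" "401D0000" "E8030000"
                    "01000000" "00000000" "00000000" "605E7AF0BC98884A8E2560CB5BB60FFC" + "00" * 16)
IDENTIFY_VSSVC = ("48000000" "00000000" "669912231DADDB01" "A41C0000" "641D0000" "E8030000"
                  "01000000" "01000000" + "00" * 40)

SAMPLE_RECORDS = [
    ("SrCreateRp (Enter)", SR_CREATE_RP),
    ("SppGetSnapshots (Leave)", SPP_GET_SNAPSHOTS_LEAVE),
    ("VssapiPublisher IDENTIFY (Enter)", IDENTIFY_MSIEXEC),
    ("Registry Writer IDENTIFY (Enter)", IDENTIFY_VSSVC),
]

if __name__ == "__main__":
    for row in timeline(SAMPLE_RECORDS):
        print(row)
```

The decoded timestamp of SrCreateRp (2025-04-14 09:10:57 UTC) falls ten seconds after the analysis start, and the GUID in the publisher IDENTIFY record is the {f07a5e60-...} snapshot set whose OnDiskSnapshotProp file appears under Dropped files, which is how the registry writes, the dropped file and the PID 7244 installer thread tie together.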
Executable files
1 224
Suspicious files
327
Text files
278
Unknown types
0

Dropped files

PID | Process | Filename | Type
7244 | msiexec.exe | C:\System Volume Information\SPP\metadata-2 | (not recorded)
MD5: (not recorded)
SHA256: (not recorded)
1512 | msiexec.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB | binary
MD5: 290E260863726E0DFC70429F7C748FE3
SHA256: B7A80B86BB22355B9CD505516EC03874224AC1E905CA9EE5FF73A717B79FCA1A
1512 | msiexec.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB | binary
MD5: 14898B1B0C32B62EAB25616ABE3F86E8
SHA256: 438A37633E4A45B13644E724A2B7DAF8C3AADD5E3222DF1E602C4ACED8EC86D8
4120 | rundll32.exe | C:\Users\admin\AppData\Local\Temp\MSIDC9.tmp-\AlphaControlAgentInstallation.dll | executable
MD5: AA1B9C5C685173FAD2DABEBEB3171F01
SHA256: E44A6582CD3F84F4255D3C230E0A2C284E0CFFA0CA5E62E4D749E089555494C7
1512 | msiexec.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EC9B1D0ABBD7F98B401D425828828CE_93E8F0A6DF0B1F1414474691911362FC | binary
MD5: DC51FEFCB17D7403D7BB44041B3DC713
SHA256: 585F62611E26E77D764C3AB0FFA4FDFD3EB444E740D34E425F47588524770B50
7244 | msiexec.exe | C:\System Volume Information\SPP\OnlineMetadataCache\{f07a5e60-98bc-4a88-8e25-60cb5bb60ffc}_OnDiskSnapshotProp | binary
MD5: 8831268A436716F91245EA39A1DB6F1B
SHA256: C5266DF28571BDC9DC25853ADDFDCC18E68657DA722316D5DCB37BB9CAA117AE
1512 | msiexec.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EC9B1D0ABBD7F98B401D425828828CE_93E8F0A6DF0B1F1414474691911362FC | binary
MD5: 3853E6AC5D2B7ECC8DC1A83B2C24D325
SHA256: 24EA52E3CBFAB8686C91D464EA2DBF27973A66491D211CFF42CA24A3387BF103
7244 | msiexec.exe | C:\Windows\Installer\11057b.msi | executable
MD5: E52455D67D3D45211AAE128BDA4F57E9
SHA256: 7261E0C3D40BCAAB476D265D98935C23379E2536E459503F27ECDA30180DB7D9
780 | rundll32.exe | C:\Users\admin\AppData\Local\Temp\MSI9E0.tmp-\System.Management.dll | executable
MD5: 878E361C41C05C0519BFC72C7D6E141C
SHA256: 24DE61B5CAB2E3495FE8D817FB6E80094662846F976CF38997987270F8BBAE40
7244 | msiexec.exe | C:\Windows\Installer\MSIDC9.tmp | executable
MD5: 88D29734F37BDCFFD202EAFCDD082F9D
SHA256: 87C97269E2B68898BE87B884CD6A21880E6F15336B1194713E12A2DB45F1DCCF
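Two things in this list matter for a responder. The copy Windows Installer cached as C:\Windows\Installer\11057b.msi carries exactly the sample's MD5 and SHA256, so the original package can be recovered from a host long after the temp files are gone; and cache names carry no hint of the product, so matching on extension or filename is unreliable. The following added example (not the report's tooling) finds installer packages by their OLE compound-file signature rather than by name and compares their digests against the report's hash. It runs on a constructed temporary directory; the IOC label text is this example's own.

```python
"""Find Windows Installer packages by content (OLE compound-file magic) and check
their hashes against indicators. Added example, not the report's tooling."""
import hashlib
import os
import tempfile

OLE_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")   # Compound Document File V2 signature

# SHA256 of the sample, copied from the report; the cached copy under
# C:\Windows\Installer\11057b.msi carries the same digest. Label is ours.
IOCS = {
    "7261e0c3d40bcaab476d265d98935c23379e2536e459503f27ecda30180db7d9":
        "Ösztöndíjprogram.msi (AteraAgent installer)",
}


def hash_file(path, chunk=1 << 20):
    """MD5 and SHA256 of a file, streamed so large packages are not read into memory."""
    md5, sha = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            md5.update(block)
            sha.update(block)
    return md5.hexdigest(), sha.hexdigest()


def is_ole(path):
    with open(path, "rb") as f:
        return f.read(len(OLE_MAGIC)) == OLE_MAGIC


def scan(root):
    """Return (path, md5, sha256, ioc_label_or_None) for each OLE container under root,
    whatever its extension (the installer cache uses names like 11057b.msi)."""
    found = []
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            if os.path.isfile(path) and is_ole(path):
                md5, sha = hash_file(path)
                found.append((path, md5, sha, IOCS.get(sha)))
    return found


def demo():
    """Constructed directory: an OLE header padded to 512 bytes under a cache-style
    name, a decoy with an .msi extension but PE magic, and an empty file."""
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "11057b.msi"), "wb") as f:
            f.write(OLE_MAGIC + b"\x00" * (512 - len(OLE_MAGIC)))
        with open(os.path.join(d, "decoy.msi"), "wb") as f:
            f.write(b"MZ" + b"\x00" * 62)
        open(os.path.join(d, "empty.bin"), "wb").close()
        return {"scan": [(os.path.basename(p), md5, sha, label)
                         for p, md5, sha, label in scan(d)],
                "empty": hash_file(os.path.join(d, "empty.bin"))}


if __name__ == "__main__":
    print(demo())
```

On a live host, point scan() at C:\Windows\Installer (it needs administrative rights); the constructed 11057b.msi here is only an OLE header, so it is found but, as expected, does not match the real sample's digest.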
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
20
TCP/UDP connections
106
DNS requests
53
Threats
59

HTTP requests

PID | Process | Method | HTTP code | IP | URL | CN | Reputation
(the Type and Size columns are empty for every request in this export; rows without a PID were not attributed to a process)
- | - | GET | 200 | 2.16.241.12:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
1512 | msiexec.exe | GET | 200 | 2.23.77.188:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBT3xL4LQLXDRDM9P665TW442vrsUQQUReuir%2FSSy4IxLVGLp6chnfNtyA8CEA6bGI750C3n79tQ4ghAGFo%3D | unknown | whitelisted
1512 | msiexec.exe | GET | 200 | 2.23.77.188:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSRXerF0eFeSWRripTgTkcJWMm7iQQUaDfg67Y7%2BF8Rhvv%2BYXsIiGX0TkICEAnTy%2FhDMohv9omwS69%2Fdow%3D | unknown | whitelisted
1512 | msiexec.exe | GET | 200 | 2.23.77.188:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfIs%2BLjDtGwQ09XEB1Yeq%2BtX%2BBgQQU7NfjgtJxXWRM3y5nP%2Be6mK4cD08CEAitQLJg0pxMn17Nqb2Trtk%3D | unknown | whitelisted
6248 | firefox.exe | GET | 200 | 34.107.221.82:80 | http://detectportal.firefox.com/canonical.html | unknown | whitelisted
6544 | svchost.exe | GET | 200 | 2.17.190.73:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | whitelisted
6248 | firefox.exe | GET | 200 | 34.107.221.82:80 | http://detectportal.firefox.com/success.txt?ipv4 | unknown | whitelisted
3008 | AteraAgent.exe | GET | 200 | 2.17.190.73:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBT3xL4LQLXDRDM9P665TW442vrsUQQUReuir%2FSSy4IxLVGLp6chnfNtyA8CEA6bGI750C3n79tQ4ghAGFo%3D | unknown | whitelisted
7460 | SIHClient.exe | GET | 200 | 2.16.253.202:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown | whitelisted
3008 | AteraAgent.exe | GET | 200 | 2.17.190.73:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfIs%2BLjDtGwQ09XEB1Yeq%2BtX%2BBgQQU7NfjgtJxXWRM3y5nP%2Be6mK4cD08CEAitQLJg0pxMn17Nqb2Trtk%3D | unknown | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
(rows without a PID were not attributed to a process)
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
2104 | svchost.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
- | - | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
- | - | 2.16.241.12:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
1512 | msiexec.exe | 2.23.77.188:80 | ocsp.digicert.com | AKAMAI-AS | DE | whitelisted
2112 | svchost.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
3216 | svchost.exe | 172.211.123.249:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | FR | whitelisted
6248 | firefox.exe | 34.107.221.82:80 | detectportal.firefox.com | GOOGLE | US | whitelisted
6544 | svchost.exe | 20.190.160.3:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted

DNS requests

Domain
IP
Reputation
google.com
  • 142.250.185.174
whitelisted
crl.microsoft.com
  • 2.16.241.12
  • 2.16.241.19
  • 23.32.238.112
  • 23.32.238.107
whitelisted
ocsp.digicert.com
  • 2.23.77.188
  • 2.17.190.73
whitelisted
settings-win.data.microsoft.com
  • 20.73.194.208
  • 4.231.128.59
whitelisted
client.wns.windows.com
  • 172.211.123.249
whitelisted
detectportal.firefox.com
  • 34.107.221.82
whitelisted
prod.detectportal.prod.cloudops.mozgcp.net
  • 34.107.221.82
  • 2600:1901:0:38d7::
whitelisted
example.org
  • 23.215.0.132
  • 96.7.128.186
  • 23.215.0.133
  • 96.7.128.192
whitelisted
ipv4only.arpa
  • 192.0.0.170
  • 192.0.0.171
whitelisted
login.live.com
  • 20.190.160.3
  • 40.126.32.68
  • 20.190.160.22
  • 40.126.32.72
  • 20.190.160.132
  • 40.126.32.138
  • 20.190.160.20
  • 40.126.32.74
whitelisted

Threats

PID
Process
Class
Message
4120
rundll32.exe
Potential Corporate Privacy Violation
POLICY [ANY.RUN] Possible Atera Remote Access Software Domain observed in TLS SNI (agent-api .atera .com)
7324
AteraAgent.exe
Potential Corporate Privacy Violation
POLICY [ANY.RUN] Possible Atera Remote Access Software Domain observed in TLS SNI (agent-api .atera .com)
7324
AteraAgent.exe
Potential Corporate Privacy Violation
POLICY [ANY.RUN] Possible Atera Remote Access Software Domain observed in TLS SNI (agent-api .atera .com)
7324
AteraAgent.exe
Potential Corporate Privacy Violation
POLICY [ANY.RUN] Possible Atera Remote Access Software Domain observed in TLS SNI (agent-api .atera .com)
1132
AgentPackageAgentInformation.exe
Potential Corporate Privacy Violation
POLICY [ANY.RUN] Possible Atera Remote Access Software Domain observed in TLS SNI (agent-api .atera .com)
1132
AgentPackageAgentInformation.exe
Potential Corporate Privacy Violation
POLICY [ANY.RUN] Possible Atera Remote Access Software Domain observed in TLS SNI (agent-api .atera .com)
1132
AgentPackageAgentInformation.exe
Potential Corporate Privacy Violation
POLICY [ANY.RUN] Possible Atera Remote Access Software Domain observed in TLS SNI (agent-api .atera .com)
1660
AgentPackageAgentInformation.exe
Potential Corporate Privacy Violation
POLICY [ANY.RUN] Possible Atera Remote Access Software Domain observed in TLS SNI (agent-api .atera .com)
7324
AteraAgent.exe
Potential Corporate Privacy Violation
POLICY [ANY.RUN] Possible Atera Remote Access Software Domain observed in TLS SNI (agent-api .atera .com)
7324
AteraAgent.exe
Potential Corporate Privacy Violation
POLICY [ANY.RUN] Possible Atera Remote Access Software Domain observed in TLS SNI (agent-api .atera .com)
Process
Message
AgentPackageMonitoring.exe
Native library pre-loader is trying to load native SQLite library "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\x64\SQLite.Interop.dll"...
SplashtopStreamer.exe
[904]2025-04-14 09:11:42 [CUtility::OSInfo] OS 10.0(19045) x64:1 (Last=0)
SplashtopStreamer.exe
[904]2025-04-14 09:11:42 [CUnPack::FindHeader] Name:C:\WINDOWS\TEMP\SplashtopStreamer.exe (Last=0)
SplashtopStreamer.exe
[904]2025-04-14 09:11:42 [CUnPack::UnPackFiles] (1/5)UnPack file name:C:\WINDOWS\TEMP\unpack\setup.msi (53075456) (Last=0)
SplashtopStreamer.exe
[904]2025-04-14 09:11:42 [CUnPack::FindHeader] Sign Size:10240 (Last=0)
SplashtopStreamer.exe
[904]2025-04-14 09:11:42 [CUnPack::FindHeader] Header offset:434176 (Last=183)
SplashtopStreamer.exe
[904]2025-04-14 09:11:42 [CUnPack::UnPackFiles] FreeSpace:231881420800 FileSize:53075456 (Last=0)
SplashtopStreamer.exe
[904]2025-04-14 09:11:43 [CUnPack::UnPackFiles] (3/5)UnPack file name:C:\WINDOWS\TEMP\unpack\setup.ini (1528) (Last=122)
SplashtopStreamer.exe
[904]2025-04-14 09:11:43 [CUnPack::UnPackFiles] (2/5)UnPack file name:C:\WINDOWS\TEMP\unpack\run.bat (15) (Last=122)
SplashtopStreamer.exe
[904]2025-04-14 09:11:43 [CUnPack::UnPackFiles] UnPack count:2 len:15 File:(null) (Last=0)