File name: setup.msi
Full analysis: https://app.any.run/tasks/b3aa6256-ae4b-47b1-865b-93cb8bbdd1dd
Verdict: Malicious activity
Analysis date: March 28, 2024, 17:37:24
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: generated-doc
Indicators:
MIME: application/x-msi
File info: Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Code page: 1252, Title: Installation Database, Subject: AteraAgent, Author: Atera networks, Keywords: Installer, Comments: This installer database contains the logic and data required to install AteraAgent., Template: Intel;1033, Revision Number: {721AD955-79FD-4019-BBF5-9DCC4C1175BB}, Create Time/Date: Wed Feb 28 10:52:02 2024, Last Saved Time/Date: Wed Feb 28 10:52:02 2024, Number of Pages: 200, Number of Words: 6, Name of Creating Application: Windows Installer XML Toolset (3.11.2.4516), Security: 2
MD5: 0F5A0D43C84FAD764AA85D6E9AF11170
SHA1: E3849246A21EE8A685B452B571ADFA66F306EBF4
SHA256: 7D6DFB0D287283638DBB136455586036BC410C71E76FFACE0B62DB5FE0AD228E
SSDEEP: 98304:ZIZTffzvns6eLKLdpRwznfsJb+7J7ERXndiWaKzPtSjXmbABY/lT8vjkZBvrePVv:23XP9No

ANY.RUN is an interactive service that gives the analyst full access to the guest system. Information in this report may therefore have been influenced by analyst actions during the session and is provided as is. ANY.RUN does not guarantee that the content is malicious or safe.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • msiexec.exe (PID: 2120)
      • AteraAgent.exe (PID: 952)
      • AgentPackageUpgradeAgent.exe (PID: 1656)
      • AgentPackageTicketing.exe (PID: 2244)
      • AteraAgent.exe (PID: 3868)
      • PreVerCheck.exe (PID: 3888)
      • SplashtopStreamer.exe (PID: 3072)
      • uninst.exe (PID: 3172)
      • Au_.exe (PID: 3936)
    • Creates a writable file in the system directory

      • AteraAgent.exe (PID: 952)
      • SRManager.exe (PID: 2044)
      • SRServer.exe (PID: 3200)
    • Accesses system services (Win32_Service) via WMI (SCRIPT)

      • cscript.exe (PID: 3072)
      • cscript.exe (PID: 2072)
      • cscript.exe (PID: 3744)
      • cscript.exe (PID: 3020)
      • cscript.exe (PID: 2124)
  • SUSPICIOUS

    • Executes as Windows Service

      • VSSVC.exe (PID: 3276)
      • AteraAgent.exe (PID: 952)
      • AteraAgent.exe (PID: 3868)
      • SSUService.exe (PID: 3024)
      • SRService.exe (PID: 840)
    • Starts SC.EXE for service management

      • AteraAgent.exe (PID: 952)
      • AteraAgent.exe (PID: 3868)
      • cmd.exe (PID: 1388)
      • cmd.exe (PID: 1804)
    • Reads security settings of Internet Explorer

      • AteraAgent.exe (PID: 952)
      • AgentPackageAgentInformation.exe (PID: 2536)
      • AgentPackageAgentInformation.exe (PID: 3740)
      • AteraAgent.exe (PID: 3868)
      • AgentPackageAgentInformation.exe (PID: 3888)
      • SplashtopStreamer.exe (PID: 3072)
      • SRServer.exe (PID: 3200)
    • Searches for installed software

      • AgentPackageAgentInformation.exe (PID: 2536)
      • AgentPackageAgentInformation.exe (PID: 3740)
      • AgentPackageAgentInformation.exe (PID: 3888)
      • AgentPackageProgramManagement.exe (PID: 3928)
    • Starts CMD.EXE for commands execution

      • AgentPackageAgentInformation.exe (PID: 3740)
      • AgentPackageAgentInformation.exe (PID: 2536)
      • AgentPackageAgentInformation.exe (PID: 3888)
      • SRServer.exe (PID: 3200)
    • The process executes VB scripts

      • cmd.exe (PID: 3912)
      • cmd.exe (PID: 3776)
      • cmd.exe (PID: 2416)
      • cmd.exe (PID: 3440)
      • cmd.exe (PID: 2088)
    • Accesses computer name via WMI (SCRIPT)

      • cscript.exe (PID: 3072)
      • cscript.exe (PID: 2072)
      • cscript.exe (PID: 3744)
      • cscript.exe (PID: 3020)
      • cscript.exe (PID: 2124)
    • Creates FileSystem object to access computer's file system (SCRIPT)

      • cscript.exe (PID: 3072)
      • cscript.exe (PID: 2072)
      • cscript.exe (PID: 3744)
      • cscript.exe (PID: 3020)
      • cscript.exe (PID: 2124)
    • Gets the drive type (SCRIPT)

      • cscript.exe (PID: 3072)
      • cscript.exe (PID: 2072)
      • cscript.exe (PID: 3744)
      • cscript.exe (PID: 3020)
      • cscript.exe (PID: 2124)
    • Gets a collection of all available drive names (SCRIPT)

      • cscript.exe (PID: 3072)
      • cscript.exe (PID: 2072)
      • cscript.exe (PID: 3744)
      • cscript.exe (PID: 3020)
      • cscript.exe (PID: 2124)
    • Executes WMI query (SCRIPT)

      • cscript.exe (PID: 2072)
      • cscript.exe (PID: 3072)
      • cscript.exe (PID: 3744)
      • cscript.exe (PID: 3020)
      • cscript.exe (PID: 2124)
    • Accesses WMI object, sets custom ImpersonationLevel (SCRIPT)

      • cscript.exe (PID: 3072)
      • cscript.exe (PID: 2072)
      • cscript.exe (PID: 3744)
      • cscript.exe (PID: 3020)
      • cscript.exe (PID: 2124)
    • Checks whether a specific file exists (SCRIPT)

      • cscript.exe (PID: 2072)
      • cscript.exe (PID: 3072)
      • cscript.exe (PID: 3744)
      • cscript.exe (PID: 3020)
      • cscript.exe (PID: 2124)
    • Gets full path of the running script (SCRIPT)

      • cscript.exe (PID: 3072)
      • cscript.exe (PID: 2072)
      • cscript.exe (PID: 3744)
      • cscript.exe (PID: 3020)
      • cscript.exe (PID: 2124)
    • Process drops legitimate windows executable

      • AteraAgent.exe (PID: 952)
      • AteraAgent.exe (PID: 3868)
      • AgentPackageUpgradeAgent.exe (PID: 1656)
    • Accesses operating system information (Win32_OperatingSystem) via WMI (SCRIPT)

      • cscript.exe (PID: 3072)
      • cscript.exe (PID: 2072)
    • Starts itself from another location

      • AgentPackageUpgradeAgent.exe (PID: 1656)
      • uninst.exe (PID: 3172)
    • The process creates files with name similar to system file names

      • AteraAgent.exe (PID: 3868)
      • Au_.exe (PID: 3936)
    • Checks Windows Trust Settings

      • SRManager.exe (PID: 2044)
    • Creates or modifies Windows services

      • SRManager.exe (PID: 2044)
  • INFO

    • Reads security settings of Internet Explorer

      • msiexec.exe (PID: 2120)
    • Reads the software policy settings

      • msiexec.exe (PID: 2120)
      • AteraAgent.exe (PID: 952)
      • AgentPackageAgentInformation.exe (PID: 2868)
      • AgentPackageAgentInformation.exe (PID: 2268)
      • AgentPackageAgentInformation.exe (PID: 1428)
      • AgentPackageAgentInformation.exe (PID: 3600)
      • AteraAgent.exe (PID: 3868)
      • AgentPackageMonitoring.exe (PID: 2108)
      • AgentPackageMonitoring.exe (PID: 2808)
      • AgentPackageAgentInformation.exe (PID: 3740)
      • AgentPackageAgentInformation.exe (PID: 2536)
      • AgentPackageSTRemote.exe (PID: 1020)
      • AgentPackageAgentInformation.exe (PID: 3888)
      • AgentPackageProgramManagement.exe (PID: 3928)
      • AgentPackageInternalPoller.exe (PID: 3344)
      • AgentPackageTicketing.exe (PID: 2244)
      • AgentPackageHeartbeat.exe (PID: 3044)
      • AgentPackageMarketplace.exe (PID: 3996)
      • AgentPackageMonitoring.exe (PID: 3944)
      • AgentPackageHeartbeat.exe (PID: 2640)
      • AgentPackageHeartbeat.exe (PID: 2036)
      • SRManager.exe (PID: 2044)
      • AgentPackageHeartbeat.exe (PID: 896)
      • AgentPackageHeartbeat.exe (PID: 2952)
      • AgentPackageHeartbeat.exe (PID: 2332)
      • AgentPackageHeartbeat.exe (PID: 3284)
    • Checks supported languages

      • AteraAgent.exe (PID: 952)
      • AgentPackageAgentInformation.exe (PID: 1428)
      • AgentPackageAgentInformation.exe (PID: 3600)
      • AgentPackageAgentInformation.exe (PID: 2268)
      • AgentPackageAgentInformation.exe (PID: 2868)
      • AgentPackageAgentInformation.exe (PID: 3732)
      • AgentPackageAgentInformation.exe (PID: 2536)
      • AgentPackageAgentInformation.exe (PID: 3740)
      • AteraAgent.exe (PID: 3868)
      • AgentPackageMonitoring.exe (PID: 2808)
      • AgentPackageMonitoring.exe (PID: 2108)
      • AgentPackageAgentInformation.exe (PID: 3888)
      • AgentPackageUpgradeAgent.exe (PID: 1656)
      • AgentPackageSTRemote.exe (PID: 1020)
      • AgentPackageTicketing.exe (PID: 2244)
      • AgentPackageUpgradeAgent.exe (PID: 2524)
      • AgentPackageInternalPoller.exe (PID: 3344)
      • AgentPackageOsUpdates.exe (PID: 2956)
      • AgentPackageHeartbeat.exe (PID: 3044)
      • AgentPackageProgramManagement.exe (PID: 3928)
      • AgentPackageADRemote.exe (PID: 1216)
      • AgentPackageSystemTools.exe (PID: 2848)
      • AgentPackageMonitoring.exe (PID: 3944)
      • AgentPackageHeartbeat.exe (PID: 2036)
      • AgentPackageMarketplace.exe (PID: 3996)
      • AgentPackageRuntimeInstaller.exe (PID: 3484)
      • AgentPackageHeartbeat.exe (PID: 2640)
      • SSUService.exe (PID: 3024)
      • SRService.exe (PID: 840)
      • SplashtopStreamer.exe (PID: 3072)
      • PreVerCheck.exe (PID: 3888)
      • SRServer.exe (PID: 3200)
      • SRAgent.exe (PID: 3716)
      • SRAppPB.exe (PID: 2112)
      • SRManager.exe (PID: 2044)
      • uninst.exe (PID: 3172)
      • Au_.exe (PID: 3936)
      • SRDetect.exe (PID: 296)
      • SRUtility.exe (PID: 3312)
      • SRFeature.exe (PID: 3256)
      • AgentPackageMonitoring.exe (PID: 1384)
      • AgentPackageHeartbeat.exe (PID: 896)
      • BdEpSDK_x86.exe (PID: 1836)
      • SRUtility.exe (PID: 3644)
      • AgentPackageSTRemote.exe (PID: 3464)
      • AgentPackageSTRemote.exe (PID: 1604)
      • AgentPackageInternalPoller.exe (PID: 3056)
      • AgentPackageHeartbeat.exe (PID: 2952)
      • SRVirtualDisplay.exe (PID: 980)
      • AgentPackageSTRemote.exe (PID: 3264)
      • AgentPackageHeartbeat.exe (PID: 2332)
      • AgentPackageMonitoring.exe (PID: 2788)
      • AgentPackageHeartbeat.exe (PID: 3284)
    • Reads the computer name

      • AteraAgent.exe (PID: 952)
      • AgentPackageAgentInformation.exe (PID: 1428)
      • AgentPackageAgentInformation.exe (PID: 3600)
      • AgentPackageAgentInformation.exe (PID: 2868)
      • AgentPackageAgentInformation.exe (PID: 2268)
      • AgentPackageAgentInformation.exe (PID: 3732)
      • AgentPackageAgentInformation.exe (PID: 2536)
      • AteraAgent.exe (PID: 3868)
      • AgentPackageAgentInformation.exe (PID: 3740)
      • AgentPackageMonitoring.exe (PID: 2108)
      • AgentPackageMonitoring.exe (PID: 2808)
      • AgentPackageAgentInformation.exe (PID: 3888)
      • AgentPackageUpgradeAgent.exe (PID: 1656)
      • AgentPackageTicketing.exe (PID: 2244)
      • AgentPackageUpgradeAgent.exe (PID: 2524)
      • AgentPackageSTRemote.exe (PID: 1020)
      • AgentPackageInternalPoller.exe (PID: 3344)
      • AgentPackageOsUpdates.exe (PID: 2956)
      • AgentPackageProgramManagement.exe (PID: 3928)
      • AgentPackageHeartbeat.exe (PID: 3044)
      • AgentPackageMonitoring.exe (PID: 3944)
      • AgentPackageADRemote.exe (PID: 1216)
      • AgentPackageSystemTools.exe (PID: 2848)
      • AgentPackageRuntimeInstaller.exe (PID: 3484)
      • AgentPackageHeartbeat.exe (PID: 2036)
      • AgentPackageMarketplace.exe (PID: 3996)
      • AgentPackageHeartbeat.exe (PID: 2640)
      • SSUService.exe (PID: 3024)
      • SplashtopStreamer.exe (PID: 3072)
      • SRManager.exe (PID: 2044)
      • SRAgent.exe (PID: 3716)
      • SRServer.exe (PID: 3200)
      • SRService.exe (PID: 840)
      • SRAppPB.exe (PID: 2112)
      • SRFeature.exe (PID: 3256)
      • uninst.exe (PID: 3172)
      • Au_.exe (PID: 3936)
      • AgentPackageHeartbeat.exe (PID: 896)
      • AgentPackageSTRemote.exe (PID: 3464)
      • AgentPackageMonitoring.exe (PID: 1384)
      • AgentPackageHeartbeat.exe (PID: 2952)
      • AgentPackageSTRemote.exe (PID: 1604)
      • AgentPackageInternalPoller.exe (PID: 3056)
      • AgentPackageMonitoring.exe (PID: 2788)
      • AgentPackageHeartbeat.exe (PID: 2332)
      • AgentPackageHeartbeat.exe (PID: 3284)
      • AgentPackageSTRemote.exe (PID: 3264)
    • Reads Environment values

      • AteraAgent.exe (PID: 952)
      • AgentPackageAgentInformation.exe (PID: 2868)
      • AgentPackageAgentInformation.exe (PID: 2268)
      • AgentPackageAgentInformation.exe (PID: 1428)
      • AgentPackageAgentInformation.exe (PID: 3732)
      • AgentPackageAgentInformation.exe (PID: 2536)
      • AteraAgent.exe (PID: 3868)
      • AgentPackageAgentInformation.exe (PID: 3600)
      • AgentPackageAgentInformation.exe (PID: 3740)
      • AgentPackageMonitoring.exe (PID: 2808)
      • AgentPackageMonitoring.exe (PID: 2108)
      • AgentPackageAgentInformation.exe (PID: 3888)
      • AgentPackageUpgradeAgent.exe (PID: 1656)
      • AgentPackageUpgradeAgent.exe (PID: 2524)
      • AgentPackageSTRemote.exe (PID: 1020)
      • AgentPackageTicketing.exe (PID: 2244)
      • AgentPackageInternalPoller.exe (PID: 3344)
      • AgentPackageOsUpdates.exe (PID: 2956)
      • AgentPackageProgramManagement.exe (PID: 3928)
      • AgentPackageHeartbeat.exe (PID: 3044)
      • AgentPackageSystemTools.exe (PID: 2848)
      • AgentPackageMonitoring.exe (PID: 3944)
      • AgentPackageADRemote.exe (PID: 1216)
      • AgentPackageMarketplace.exe (PID: 3996)
      • AgentPackageHeartbeat.exe (PID: 2036)
      • AgentPackageHeartbeat.exe (PID: 2640)
      • AgentPackageSTRemote.exe (PID: 3464)
      • SRManager.exe (PID: 2044)
      • AgentPackageMonitoring.exe (PID: 1384)
      • AgentPackageInternalPoller.exe (PID: 3056)
      • AgentPackageHeartbeat.exe (PID: 2952)
      • AgentPackageHeartbeat.exe (PID: 896)
      • AgentPackageMonitoring.exe (PID: 2788)
      • AgentPackageSTRemote.exe (PID: 1604)
      • AgentPackageHeartbeat.exe (PID: 2332)
      • AgentPackageHeartbeat.exe (PID: 3284)
      • AgentPackageSTRemote.exe (PID: 3264)
    • Reads the machine GUID from the registry

      • AteraAgent.exe (PID: 952)
      • AgentPackageAgentInformation.exe (PID: 2868)
      • AgentPackageAgentInformation.exe (PID: 1428)
      • AgentPackageAgentInformation.exe (PID: 3600)
      • AgentPackageAgentInformation.exe (PID: 2268)
      • AgentPackageAgentInformation.exe (PID: 3732)
      • AgentPackageAgentInformation.exe (PID: 2536)
      • AteraAgent.exe (PID: 3868)
      • AgentPackageAgentInformation.exe (PID: 3740)
      • AgentPackageMonitoring.exe (PID: 2808)
      • AgentPackageMonitoring.exe (PID: 2108)
      • AgentPackageAgentInformation.exe (PID: 3888)
      • AgentPackageUpgradeAgent.exe (PID: 1656)
      • AgentPackageSTRemote.exe (PID: 1020)
      • AgentPackageTicketing.exe (PID: 2244)
      • AgentPackageUpgradeAgent.exe (PID: 2524)
      • AgentPackageOsUpdates.exe (PID: 2956)
      • AgentPackageInternalPoller.exe (PID: 3344)
      • AgentPackageHeartbeat.exe (PID: 3044)
      • AgentPackageProgramManagement.exe (PID: 3928)
      • AgentPackageMonitoring.exe (PID: 3944)
      • AgentPackageADRemote.exe (PID: 1216)
      • AgentPackageSystemTools.exe (PID: 2848)
      • AgentPackageRuntimeInstaller.exe (PID: 3484)
      • AgentPackageMarketplace.exe (PID: 3996)
      • AgentPackageHeartbeat.exe (PID: 2640)
      • AgentPackageHeartbeat.exe (PID: 2036)
      • SRManager.exe (PID: 2044)
      • SSUService.exe (PID: 3024)
      • SRAgent.exe (PID: 3716)
      • AgentPackageSTRemote.exe (PID: 3464)
      • AgentPackageMonitoring.exe (PID: 1384)
      • AgentPackageHeartbeat.exe (PID: 2952)
      • AgentPackageHeartbeat.exe (PID: 896)
      • AgentPackageInternalPoller.exe (PID: 3056)
      • AgentPackageMonitoring.exe (PID: 2788)
      • AgentPackageSTRemote.exe (PID: 1604)
      • AgentPackageHeartbeat.exe (PID: 2332)
      • AgentPackageHeartbeat.exe (PID: 3284)
      • AgentPackageSTRemote.exe (PID: 3264)
    • Creates files in the program directory

      • AteraAgent.exe (PID: 952)
      • AgentPackageMonitoring.exe (PID: 2108)
      • AgentPackageMonitoring.exe (PID: 2808)
      • AteraAgent.exe (PID: 3868)
      • AgentPackageAgentInformation.exe (PID: 3740)
      • AgentPackageInternalPoller.exe (PID: 3344)
      • AgentPackageSTRemote.exe (PID: 1020)
      • AgentPackageAgentInformation.exe (PID: 3888)
      • AgentPackageOsUpdates.exe (PID: 2956)
      • AgentPackageTicketing.exe (PID: 2244)
      • AgentPackageProgramManagement.exe (PID: 3928)
      • AgentPackageMonitoring.exe (PID: 3944)
      • AgentPackageRuntimeInstaller.exe (PID: 3484)
      • SRServer.exe (PID: 3200)
      • SRAgent.exe (PID: 3716)
      • SRManager.exe (PID: 2044)
      • AgentPackageMonitoring.exe (PID: 1384)
      • AgentPackageMonitoring.exe (PID: 2788)
      • SRVirtualDisplay.exe (PID: 980)
    • Reads Microsoft Office registry keys

      • AgentPackageAgentInformation.exe (PID: 3740)
      • AgentPackageAgentInformation.exe (PID: 2536)
      • AgentPackageAgentInformation.exe (PID: 3888)
    • Reads product name

      • SRManager.exe (PID: 2044)
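The indicators above are the behaviours the Atera RMM agent (Subject "AteraAgent", Author "Atera networks" in the MSI metadata) and the Splashtop streamer it installs exhibit by design: running as SYSTEM services, configuring service failure actions with sc.exe, spawning cmd.exe and cscript.exe for inventory, and stopping a competing service. The sandbox verdict is a heuristic one, so the useful question for a defender is not "is this Atera?" but "is Atera sanctioned in this environment, and what is it being told to run?". The following is an added example, not part of the ANY.RUN report or of any vendor's detection content: it evaluates process-creation events shaped like Sysmon Event ID 1 (Image, ParentImage, CommandLine, User) and flags interpreters and admin tools launched from an RMM install directory, escalating when the RMM product is not on an allow-list. The sample events are constructed from the parent/child pairs and command lines shown in this report (the cscript script name is a placeholder; the report shows the cmd.exe to cscript.exe hop but not the script). The LOLBIN list generalizes slightly beyond what the report shows by including wscript.exe and powershell.exe.

```python
"""Flag living-off-the-land child processes spawned from RMM install
directories, using process-creation events shaped like Sysmon Event ID 1.

Added example, not part of the ANY.RUN report or any vendor's detection
content. Field names follow Sysmon (Image, ParentImage, CommandLine,
User); the sample events are constructed from the parent/child pairs and
command lines shown in this report.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# RMM products whose agents appear in this report, keyed by the install
# directory fragment their binaries run from (matched case-insensitively).
RMM_DIRS = {
    "atera": "\\atera networks\\ateraagent\\",
    "splashtop": "\\splashtop\\splashtop remote\\",
}

# Interpreters and admin tools whose appearance under an RMM parent is worth
# a look whether or not the RMM itself is sanctioned. cmd, cscript, sc and
# msiexec are observed in this report; wscript and powershell are added.
LOLBINS = {"cmd.exe", "cscript.exe", "wscript.exe", "sc.exe",
           "powershell.exe", "msiexec.exe"}

# Service-control patterns seen in the report: configuring auto-restart on
# failure (persistence hardening) and stopping another product's service.
SC_FAILURE = re.compile(r"\bsc(?:\.exe)?\b.*\bfailure\b.*\bactions=\s*restart", re.I)
SC_STOP = re.compile(r"\bsc(?:\.exe)?\b.*\bstop\b", re.I)


@dataclass(frozen=True)
class Alert:
    severity: str
    rmm: str
    child: str
    parent: str
    reason: str


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def rmm_product(path: str) -> str | None:
    """Name of the RMM product whose install directory contains `path`."""
    lowered = path.lower()
    for name, fragment in RMM_DIRS.items():
        if fragment in lowered:
            return name
    return None


def evaluate(events: list[dict], sanctioned_rmm: set[str]) -> list[Alert]:
    """Return one Alert per LOLBIN launched from an RMM install directory."""
    alerts: list[Alert] = []
    for ev in events:
        rmm = rmm_product(ev["ParentImage"])
        child = _basename(ev["Image"])
        if rmm is None or child not in LOLBINS:
            continue
        reasons = [f"{child} spawned from {rmm} install directory"]
        cmd = ev.get("CommandLine", "")
        if SC_FAILURE.search(cmd):
            reasons.append("service failure actions set to auto-restart")
        if SC_STOP.search(cmd):
            reasons.append("stops a service")
        # An RMM agent nobody approved, running LOLBINs as SYSTEM, is the
        # high-confidence case; the same telemetry from a sanctioned agent
        # is routine and only worth keeping for hunting.
        severity = "high" if rmm not in sanctioned_rmm else "low"
        alerts.append(Alert(severity, rmm, child, _basename(ev["ParentImage"]),
                            "; ".join(reasons)))
    return alerts


# Constructed from the process table in this report (Sysmon-style fields).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\sc.exe",
     "ParentImage": r"C:\Program Files\ATERA Networks\AteraAgent\AteraAgent.exe",
     "CommandLine": r'"C:\Windows\System32\sc.exe" failure AteraAgent reset= 600 actions= restart/25000',
     "User": "NT AUTHORITY\\SYSTEM"},
    {"Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Program Files\Splashtop\Splashtop Remote\Server\SRServer.exe",
     "CommandLine": r'"C:\Windows\System32\cmd.exe" /c sc stop SSUService',
     "User": "NT AUTHORITY\\SYSTEM"},
    # Script name is a placeholder: the report shows cmd.exe -> cscript.exe only.
    {"Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe",
     "CommandLine": r'"C:\Windows\System32\cmd.exe" /c cscript.exe //nologo script.vbs',
     "User": "NT AUTHORITY\\SYSTEM"},
    # Benign control: a Splashtop helper launching another Splashtop binary.
    {"Image": r"C:\Program Files\Splashtop\Splashtop Remote\Server\SRDetect.exe",
     "ParentImage": r"C:\Program Files\Splashtop\Splashtop Remote\Server\SRFeature.exe",
     "CommandLine": r'"C:\Program Files\Splashtop\Splashtop Remote\Server\SRDetect.exe"',
     "User": "admin"},
]

if __name__ == "__main__":
    for a in evaluate(SAMPLE_EVENTS, sanctioned_rmm=set()):
        print(f"[{a.severity}] {a.parent} -> {a.child}: {a.reason}")
```

With an empty allow-list all three LOLBIN launches come out as high severity; passing `{"atera", "splashtop"}` drops them to low without losing the sc.exe failure-action and `sc stop` annotations. Event ID 1 carries only the immediate parent, so the cmd.exe to cscript.exe hop visible in the report needs a second correlation on ParentProcessGuid if the cscript activity itself is to be attributed to the agent.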
No Malware configuration.

TRiD

.msi | Microsoft Windows Installer (98.5)
.msi | Microsoft Installer (100)

EXIF

FlashPix

CodePage: Windows Latin 1 (Western European)
Title: Installation Database
Subject: AteraAgent
Author: Atera networks
Keywords: Installer
Comments: This installer database contains the logic and data required to install AteraAgent.
Template: Intel;1033
RevisionNumber: {721AD955-79FD-4019-BBF5-9DCC4C1175BB}
CreateDate: 2024:02:28 10:52:02
ModifyDate: 2024:02:28 10:52:02
Pages: 200
Words: 6
Software: Windows Installer XML Toolset (3.11.2.4516)
Security: Read-only recommended
Total processes: 215
Monitored processes: 73
Malicious processes: 19
Suspicious processes: 3

Behavior graph

Process launch order as shown in the graph (73 monitored processes):

msiexec.exe, vssvc.exe, ateraagent.exe, sc.exe, agentpackageagentinformation.exe, agentpackageagentinformation.exe, agentpackageagentinformation.exe, agentpackageagentinformation.exe, agentpackageagentinformation.exe, agentpackageagentinformation.exe, agentpackageagentinformation.exe, ateraagent.exe, sc.exe, cmd.exe, cmd.exe, cscript.exe, cscript.exe, agentpackagemonitoring.exe, agentpackagemonitoring.exe, cmd.exe, cscript.exe, cmd.exe, cscript.exe, agentpackageagentinformation.exe, cmd.exe, cscript.exe, agentpackageupgradeagent.exe, agentpackageupgradeagent.exe, agentpackagestremote.exe, agentpackageticketing.exe, agentpackageinternalpoller.exe, agentpackageosupdates.exe, agentpackageprogrammanagement.exe, agentpackageheartbeat.exe, agentpackagesystemtools.exe, agentpackagemonitoring.exe, agentpackageadremote.exe, agentpackagemarketplace.exe, agentpackageruntimeinstaller.exe, agentpackageheartbeat.exe, splashtopstreamer.exe, prevercheck.exe, msiexec.exe, agentpackageheartbeat.exe, ssuservice.exe, srservice.exe, srmanager.exe, srserver.exe, cmd.exe, sc.exe, sragent.exe, srapppb.exe, cmd.exe, sc.exe, srfeature.exe, cmd.exe, uninst.exe, au_.exe, srdetect.exe, srutility.exe, srutility.exe, bdepsdk_x86.exe, agentpackagestremote.exe, agentpackagemonitoring.exe, agentpackageheartbeat.exe, agentpackageinternalpoller.exe, agentpackageheartbeat.exe, agentpackagestremote.exe, agentpackageheartbeat.exe, agentpackagemonitoring.exe, srvirtualdisplay.exe, agentpackagestremote.exe, agentpackageheartbeat.exe

Process information

Each entry lists the PID, parent process, command line and image path, followed by the process details and the modules loaded at start.
PID 296 | Parent: SRFeature.exe
CMD: "C:\Program Files\Splashtop\Splashtop Remote\Server\SRDetect.exe"
Path: C:\Program Files\Splashtop\Splashtop Remote\Server\SRDetect.exe
User:
admin
Company:
Splashtop Inc.
Integrity Level:
MEDIUM
Description:
Splashtop® SRDetect
Exit code:
0
Version:
3.64.1.122
Modules
Images
c:\program files\splashtop\splashtop remote\server\srdetect.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\msimg32.dll
PID 840 | Parent: services.exe
CMD: "C:\Program Files\Splashtop\Splashtop Remote\Server\SRService.exe"
Path: C:\Program Files\Splashtop\Splashtop Remote\Server\SRService.exe
User:
SYSTEM
Company:
Splashtop Inc.
Integrity Level:
SYSTEM
Description:
Splashtop® Streamer Service
Version:
3.64.1.122
Modules
Images
c:\program files\splashtop\splashtop remote\server\srservice.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\msimg32.dll
PID 896 | Parent: AteraAgent.exe
CMD: "C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.exe" ebd3f175-5ad0-4a5d-81a6-448f3935da6a "fa405e49-42fd-4640-b29b-ff37ef746f23" agent-api.atera.com/Production 443 or8ixLi90Mf "heartbeat" 001Q300000ADqhNIAT
Path: C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.exe
User:
SYSTEM
Company:
Atera Networks
Integrity Level:
SYSTEM
Description:
AgentPackageHeartbeat
Exit code:
0
Version:
17.14.0.0
Modules
Images
c:\program files\atera networks\ateraagent\packages\agentpackageheartbeat\agentpackageheartbeat.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
PID 952 | Parent: services.exe
CMD: "C:\Program Files\ATERA Networks\AteraAgent\AteraAgent.exe"
Path: C:\Program Files\ATERA Networks\AteraAgent\AteraAgent.exe
User:
SYSTEM
Company:
ATERA Networks Ltd.
Integrity Level:
SYSTEM
Description:
AteraAgent
Exit code:
0
Version:
1.8.7.2
Modules
Images
c:\program files\atera networks\ateraagent\ateraagent.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
PID 980 | Parent: SRManager.exe
CMD: "C:\Program Files\Splashtop\Splashtop Remote\Server\SRVirtualDisplay.exe"
Path: C:\Program Files\Splashtop\Splashtop Remote\Server\SRVirtualDisplay.exe
User:
SYSTEM
Company:
Splashtop Inc.
Integrity Level:
SYSTEM
Description:
Splashtop Streamer Virtual Monitor Utility
Version:
3.64.1.122
Modules
Images
c:\program files\splashtop\splashtop remote\server\srvirtualdisplay.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\msimg32.dll
PID 1020 | Parent: AteraAgent.exe
CMD: "C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe" ebd3f175-5ad0-4a5d-81a6-448f3935da6a "073b9b33-9512-46db-bf25-ee48a380c567" agent-api.atera.com/Production 443 or8ixLi90Mf "downloadifneeded" 001Q300000ADqhNIAT
Path: C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe
User:
SYSTEM
Company:
Atera Networks
Integrity Level:
SYSTEM
Description:
AgentPackageSTRemote
Exit code:
0
Version:
21.3.0.0
Modules
Images
c:\program files\atera networks\ateraagent\packages\agentpackagestremote\agentpackagestremote.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
PID 1124 | Parent: AteraAgent.exe
CMD: "C:\Windows\System32\sc.exe" failure AteraAgent reset= 600 actions= restart/25000
Path: C:\Windows\System32\sc.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
A tool to aid in developing services for WindowsNT
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\sc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
PID 1216 | Parent: AteraAgent.exe
CMD: "C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\AgentPackageADRemote.exe" ebd3f175-5ad0-4a5d-81a6-448f3935da6a "2f48a9e9-6ac8-4485-bc63-682c72b36465" agent-api.atera.com/Production 443 or8ixLi90Mf "eyJBZENvbW1hbmRUeXBlIjo1LCJJbnN0YWxsYXRpb25GaWxlVXJsIjoiaHR0cHM6Ly9nZXQuYW55ZGVzay5jb20vOENRc3U5a3YvQW55RGVza19DdXN0b21fQ2xpZW50Lm1zaSIsIkZvcmNlSW5zdGFsbCI6ZmFsc2UsIlRhcmdldFZlcnNpb24iOiI3LjAuMTUifQ==" 001Q300000ADqhNIAT
Path: C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\AgentPackageADRemote.exe
User:
SYSTEM
Integrity Level:
SYSTEM
Description:
AgentPackageADRemote
Exit code:
0
Version:
6.0.0.0
Modules
Images
c:\program files\atera networks\ateraagent\packages\agentpackageadremote\agentpackageadremote.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
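Every AgentPackage*.exe in this report is launched with the same positional argument list, and the only argument that varies in kind is the quoted "command": a plain verb for most packages ("heartbeat", "monitor", "downloadifneeded") but, for PID 1216 (AgentPackageADRemote.exe), a base64 blob. Decoding that blob is the single most important triage step on this page: it yields a JSON command whose InstallationFileUrl points at a custom AnyDesk client MSI on get.anydesk.com, i.e. the Atera agent is being used to push a second remote-access tool onto the host. The following is an added example, not Atera's own code or a documented format: the positional field names (agent_id, request_id, api_endpoint, port, token, account_id) are assumptions inferred from the command lines in this report; what is observable is the token order and that one token is base64-encoded JSON. The two sample command lines are copied from the process table.

```python
"""Parse the command line an Atera agent passes to its AgentPackage*.exe
helpers and decode the opaque command argument.

Added example, not Atera's own code or format documentation. The positional
field names below are assumptions inferred from the command lines in this
report; the observable facts are the token order and that one token is a
base64-encoded JSON object.
"""
import base64
import binascii
import json
import re

# Tokenizer for Windows-style command lines: a double-quoted run is one
# token (quotes stripped), anything else splits on whitespace.
_TOKEN = re.compile(r'"([^"]*)"|(\S+)')

# Assumed meaning of each positional argument after the image path.
FIELDS = ("agent_id", "request_id", "api_endpoint", "port", "token",
          "command", "account_id")


def tokenize(cmdline: str) -> list[str]:
    return [quoted or bare for quoted, bare in _TOKEN.findall(cmdline)]


def decode_command(token: str):
    """Return the parsed JSON object if `token` is base64(JSON), else the
    plain verb unchanged. Verbs such as "downloadifneeded" happen to be
    valid base64 alphabet, so decoding alone is not enough: the result must
    also be UTF-8 and a JSON object."""
    try:
        raw = base64.b64decode(token, validate=True)
        obj = json.loads(raw.decode("utf-8"))
    except (binascii.Error, ValueError, UnicodeDecodeError):
        return token
    return obj if isinstance(obj, dict) else token


def parse_package_cmdline(cmdline: str) -> dict:
    tokens = tokenize(cmdline)
    if len(tokens) != 1 + len(FIELDS):
        raise ValueError(f"expected {1 + len(FIELDS)} tokens, got {len(tokens)}")
    parsed = dict(zip(FIELDS, tokens[1:]))
    parsed["image"] = tokens[0]
    parsed["port"] = int(parsed["port"])
    parsed["command"] = decode_command(parsed["command"])
    return parsed


def installer_urls(parsed: dict) -> list[str]:
    """Collect any http(s) URL inside a decoded JSON command, for IOC triage."""
    cmd = parsed["command"]
    if not isinstance(cmd, dict):
        return []
    return [v for v in cmd.values()
            if isinstance(v, str) and v.startswith(("http://", "https://"))]


# Command lines copied from the process table in this report.
ADREMOTE_CMD = (
    r'"C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\AgentPackageADRemote.exe" '
    'ebd3f175-5ad0-4a5d-81a6-448f3935da6a "2f48a9e9-6ac8-4485-bc63-682c72b36465" '
    'agent-api.atera.com/Production 443 or8ixLi90Mf '
    '"eyJBZENvbW1hbmRUeXBlIjo1LCJJbnN0YWxsYXRpb25GaWxlVXJsIjoiaHR0cHM6Ly9nZXQuYW55ZGVzay5jb20v'
    'OENRc3U5a3YvQW55RGVza19DdXN0b21fQ2xpZW50Lm1zaSIsIkZvcmNlSW5zdGFsbCI6ZmFsc2UsIlRhcmdldFZlcnNpb24iOiI3LjAuMTUifQ==" '
    '001Q300000ADqhNIAT'
)
HEARTBEAT_CMD = (
    r'"C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.exe" '
    'ebd3f175-5ad0-4a5d-81a6-448f3935da6a "fa405e49-42fd-4640-b29b-ff37ef746f23" '
    'agent-api.atera.com/Production 443 or8ixLi90Mf "heartbeat" 001Q300000ADqhNIAT'
)

if __name__ == "__main__":
    for line in (HEARTBEAT_CMD, ADREMOTE_CMD):
        p = parse_package_cmdline(line)
        print(p["image"].rsplit("\\", 1)[-1], "->", p["command"], installer_urls(p))
```

Run against the PID 1216 command line the decoded command is {"AdCommandType": 5, "InstallationFileUrl": "https://get.anydesk.com/8CQsu9kv/AnyDesk_Custom_Client.msi", "ForceInstall": false, "TargetVersion": "7.0.15"}; the heartbeat line passes through with its verb unchanged. The URL and the custom-client path segment are the indicators worth carrying into the investigation, alongside the agent and account identifiers that tie the host to a specific Atera tenant.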
PID 1384 | Parent: AteraAgent.exe
CMD: "C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe" ebd3f175-5ad0-4a5d-81a6-448f3935da6a "27407ba2-c26d-4990-80d4-f840dd28fb95" agent-api.atera.com/Production 443 or8ixLi90Mf "monitor" 001Q300000ADqhNIAT
Path: C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe
User:
SYSTEM
Integrity Level:
SYSTEM
Description:
AgentPackageMonitoring
Exit code:
0
Version:
36.4.0.0
Modules
Images
c:\program files\atera networks\ateraagent\packages\agentpackagemonitoring\agentpackagemonitoring.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
PID 1388 | Parent: SRServer.exe
CMD: "C:\Windows\System32\cmd.exe" /c sc stop SSUService
Path: C:\Windows\System32\cmd.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
Total events: 154 362
Read events: 153 368
Write events: 894
Delete events: 100

Modification events

(PID 2120) msiexec.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E
  LanguageList = en-US

(PID 3276) VSSVC.exe | write | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer
  IDENTIFY (Enter) = 4000000000000000FC83399E3681DA01CC0C0000A00F0000E8030000010000000100000000000000000000000000000000000000000000000000000000000000

(PID 3276) VSSVC.exe | write | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\ASR Writer
  IDENTIFY (Enter) = 4000000000000000FC83399E3681DA01CC0C00007C0F0000E8030000010000000100000000000000000000000000000000000000000000000000000000000000

(PID 3276) VSSVC.exe | write | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer
  IDENTIFY (Enter) = 4000000000000000FC83399E3681DA01CC0C00005C0B0000E8030000010000000100000000000000000000000000000000000000000000000000000000000000

(PID 3276) VSSVC.exe | write | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer
  IDENTIFY (Leave) = 4000000000000000B0483E9E3681DA01CC0C00005C0B0000E8030000000000000100000000000000000000000000000000000000000000000000000000000000

(PID 3276) VSSVC.exe | write | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer
  IDENTIFY (Leave) = 4000000000000000B0483E9E3681DA01CC0C0000A00F0000E8030000000000000100000000000000000000000000000000000000000000000000000000000000

(PID 3276) VSSVC.exe | write | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer
  IDENTIFY (Enter) = 4000000000000000B0483E9E3681DA01CC0C0000500B0000E8030000010000000100000000000000000000000000000000000000000000000000000000000000

(PID 3276) VSSVC.exe | write | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\ASR Writer
  IDENTIFY (Leave) = 4000000000000000B0483E9E3681DA01CC0C00007C0F0000E8030000000000000100000000000000000000000000000000000000000000000000000000000000

(PID 3276) VSSVC.exe | write | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer
  IDENTIFY (Leave) = 40000000000000000AAB409E3681DA01CC0C0000500B0000E8030000000000000100000000000000000000000000000000000000000000000000000000000000

(PID 3276) VSSVC.exe | write | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}
  PROVIDER_BEGINPREPARE (Enter) = 4000000000000000989511A03681DA01CC0C0000500B0000010400000100000000000000000000004905D810A637564A9C0964CE0F0150710000000000000000
Executable files: 351
Suspicious files: 21
Text files: 63
Unknown types: 81

Dropped files

PID | Process | Filename | Type (the MD5 and SHA256 columns are empty in this export)

952 | AteraAgent.exe | C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation.zip | compressed
952 | AteraAgent.exe | C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe | executable
952 | AteraAgent.exe | C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe.config | xml
952 | AteraAgent.exe | C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.ini | text
952 | AteraAgent.exe | C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Atera.AgentPackage.Common.dll | executable
952 | AteraAgent.exe | C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Newtonsoft.Json.dll | executable
952 | AteraAgent.exe | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C56C4404C4DEF0DC88E5FCD9F09CB2F1 | binary
952 | AteraAgent.exe | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C56C4404C4DEF0DC88E5FCD9F09CB2F1 | binary
952 | AteraAgent.exe | C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring.zip | compressed
952 | AteraAgent.exe | C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe | executable
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 6
TCP/UDP connections: 81
DNS requests: 35
Threats: 73

HTTP requests

PID | Process | Method | HTTP code | IP | URL (the CN and Reputation columns read "unknown" for every row)

448 | AteraAgent.exe | GET | 304 | 23.32.238.154:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?19838b2ae250760d
448 | AteraAgent.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBT3xL4LQLXDRDM9P665TW442vrsUQQUReuir%2FSSy4IxLVGLp6chnfNtyA8CEA6bGI750C3n79tQ4ghAGFo%3D
448 | AteraAgent.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfIs%2BLjDtGwQ09XEB1Yeq%2BtX%2BBgQQU7NfjgtJxXWRM3y5nP%2Be6mK4cD08CEAitQLJg0pxMn17Nqb2Trtk%3D
952 | AteraAgent.exe | GET | 200 | 192.229.221.95:80 | http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt
448 | AteraAgent.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSRXerF0eFeSWRripTgTkcJWMm7iQQUaDfg67Y7%2BF8Rhvv%2BYXsIiGX0TkICEAooSZl45YmN9AojjrilUug%3D
2044 | SRManager.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSRXerF0eFeSWRripTgTkcJWMm7iQQUaDfg67Y7%2BF8Rhvv%2BYXsIiGX0TkICEAx%2B7MjF4dH7UpJWotMQ8HE%3D

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
 | | 224.0.0.252:5355 | | | | unknown
4 | System | 192.168.100.255:138 | | | | unknown
4 | System | 192.168.100.255:137 | | | | unknown
1080 | svchost.exe | 224.0.0.252:5355 | | | | unknown
1368 | rundll32.exe | 40.119.152.241:443 | agent-api.atera.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | unknown
448 | AteraAgent.exe | 23.32.238.154:80 | ctldl.windowsupdate.com | Akamai International B.V. | DE | unknown
448 | AteraAgent.exe | 192.229.221.95:80 | ocsp.digicert.com | EDGECAST | US | unknown
952 | AteraAgent.exe | 40.119.152.241:443 | agent-api.atera.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | unknown
2984 | rundll32.exe | 40.119.152.241:443 | agent-api.atera.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | unknown
952 | AteraAgent.exe | 35.157.63.228:443 | ps.pndsn.com | AMAZON-02 | DE | unknown

DNS requests

Domain | IP | Reputation
agent-api.atera.com | 40.119.152.241 | unknown
ctldl.windowsupdate.com | 23.32.238.154, 23.32.238.113, 2.19.198.57, 23.32.238.144 | whitelisted
ocsp.digicert.com | 192.229.221.95 | whitelisted
ps.pndsn.com | 35.157.63.228, 35.157.63.229 | unknown
ps.atera.com | 13.35.58.7, 13.35.58.59, 13.35.58.104, 13.35.58.124 | unknown
cacerts.digicert.com | 192.229.221.95 | whitelisted
my.splashtop.com | 52.223.39.232, 35.71.184.3 | unknown
download.splashtop.com | 13.35.58.31, 13.35.58.107, 13.35.58.89, 13.35.58.57 | unknown
api.nuget.org | 13.107.213.67, 13.107.246.67 | whitelisted
atera-agent-heartbeat.servicebus.windows.net | 20.86.89.202 | unknown

Threats

PID | Process | Class | Message
1080 | svchost.exe | Misc activity | ET INFO Splashtop Domain in DNS Lookup (splashtop .com)
1020 | AgentPackageSTRemote.exe | Misc activity | ET INFO Splashtop Domain (splashtop .com) in TLS SNI
1080 | svchost.exe | Misc activity | ET INFO Splashtop Domain in DNS Lookup (splashtop .com)
1020 | AgentPackageSTRemote.exe | Misc activity | ET INFO Splashtop Domain (splashtop .com) in TLS SNI
1080 | svchost.exe | Misc activity | ET INFO Splashtop Domain in DNS Lookup (splashtop .com)
2044 | SRManager.exe | Misc activity | ET INFO Splashtop Domain (splashtop .com) in TLS SNI
2044 | SRManager.exe | Misc activity | ET INFO Splashtop Domain (splashtop .com) in TLS SNI
1080 | svchost.exe | Misc activity | ET INFO Splashtop Domain in DNS Lookup (splashtop .com)
1080 | svchost.exe | Misc activity | ET INFO Splashtop Domain in DNS Lookup (splashtop .com)
1080 | svchost.exe | Misc activity | ET INFO Splashtop Domain in DNS Lookup (splashtop .com)
33 ETPRO signatures available at the full report
Process | Message
AgentPackageMonitoring.exe | Native library pre-loader is trying to load native SQLite library "C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\x86\SQLite.Interop.dll"...
AgentPackageMonitoring.exe | Native library pre-loader is trying to load native SQLite library "C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\x86\SQLite.Interop.dll"...
AgentPackageMonitoring.exe | Native library pre-loader is trying to load native SQLite library "C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\x86\SQLite.Interop.dll"...
SplashtopStreamer.exe | [3072]2024-03-28 17:39:34 [CUnPack::UnPackFiles] (1/5)UnPack file name:C:\Windows\TEMP\unpack\setup.msi (51506176) (Last=0)
SplashtopStreamer.exe | [3072]2024-03-28 17:39:34 [CUnPack::FindHeader] Name:C:\Windows\TEMP\SplashtopStreamer.exe (Last=0)
SplashtopStreamer.exe | [3072]2024-03-28 17:39:34 [CUnPack::FindHeader] Header offset:434176 (Last=183)
SplashtopStreamer.exe | [3072]2024-03-28 17:39:34 [CUnPack::UnPackFiles] FreeSpace:233164181504 FileSize:51506176 (Last=0)
SplashtopStreamer.exe | [3072]2024-03-28 17:39:34 [CUnPack::FindHeader] Sign Size:10248 (Last=0)
SplashtopStreamer.exe | [3072]2024-03-28 17:39:34 [CUtility::OSInfo] OS 6.1(7601) Service Pack 1 x64:0 (Last=0)
SplashtopStreamer.exe | [3072]2024-03-28 17:39:34 [CUnPack::UnPackFiles] (2/5)UnPack file name:C:\Windows\TEMP\unpack\run.bat (15) (Last=122)