File name: rsvp.msi

Full analysis: https://app.any.run/tasks/f9345d5b-cd59-4f3d-aead-ea8e67a5e013
Verdict: Malicious activity
Threats:

Ransomware is a type of malicious software that locks users out of their system or data using different methods to force them to pay a ransom. Most often, such programs encrypt files on an infected machine and demand a fee to be paid in exchange for the decryption key. Additionally, such programs can be used to steal sensitive information from the compromised computer and even conduct DDoS attacks against affected organizations to pressure them into paying.

Analysis date: August 06, 2025, 00:02:09
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags: generated-doc, atera, rmm-tool, splashtop, ransomware
Indicators:
MIME: application/x-msi
File info: Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Code page: 1252, Title: Installation Database, Subject: AteraAgent, Author: Atera networks, Keywords: Installer, Comments: This installer database contains the logic and data required to install AteraAgent., Template: Intel;1033, Revision Number: {721AD955-79FD-4019-BBF5-9DCC4C1175BB}, Create Time/Date: Wed Feb 28 10:52:02 2024, Last Saved Time/Date: Wed Feb 28 10:52:02 2024, Number of Pages: 200, Number of Words: 6, Name of Creating Application: Windows Installer XML Toolset (3.11.2.4516), Security: 2
MD5: 9DE3BDEDEE118BD3D5D74AACB3DC8487
SHA1: DC74F615944C5F8C5344E0A07017F4E10E36870D
SHA256: B2F818195CA5E864E16491998C9ADEAFD4FD9A689C5A08181B4D5C230E35BB59
SSDEEP: 98304:uIZTffzvns6eLKLdpRwznfsJb+7J7ERXndiWaKzPtSjXmbABY/lT8vjkZBvrePVv:P3XP9No

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Starts NET.EXE for service management

      • msiexec.exe (PID: 4724)
      • net.exe (PID: 5372)
    • Bypass execution policy to execute commands

      • powershell.exe (PID: 7064)
    • Changes powershell execution policy (Bypass)

      • AgentPackageAgentInformation.exe (PID: 5764)
    • 7EV3N-HONE$T has been detected

      • powershell.exe (PID: 7064)
  • SUSPICIOUS

    • Executes as Windows Service

      • VSSVC.exe (PID: 2980)
      • AteraAgent.exe (PID: 6724)
      • AteraAgent.exe (PID: 2112)
      • SRService.exe (PID: 5496)
    • Process drops legitimate windows executable

      • msiexec.exe (PID: 4748)
      • msiexec.exe (PID: 4688)
      • AteraAgent.exe (PID: 6724)
    • Reads the Windows owner or organization settings

      • msiexec.exe (PID: 4688)
    • Executable content was dropped or overwritten

      • rundll32.exe (PID: 2728)
      • rundll32.exe (PID: 7064)
      • rundll32.exe (PID: 4036)
      • rundll32.exe (PID: 2964)
      • AteraAgent.exe (PID: 6724)
      • csc.exe (PID: 6292)
      • SplashtopStreamer.exe (PID: 4168)
      • PreVerCheck.exe (PID: 5500)
      • SetupUtil.exe (PID: 7732)
    • Uses TASKKILL.EXE to kill process

      • msiexec.exe (PID: 4724)
      • cmd.exe (PID: 7912)
      • cmd.exe (PID: 7516)
      • cmd.exe (PID: 7612)
      • cmd.exe (PID: 7712)
      • cmd.exe (PID: 7812)
      • cmd.exe (PID: 8016)
      • cmd.exe (PID: 8116)
      • cmd.exe (PID: 7188)
      • cmd.exe (PID: 7372)
      • cmd.exe (PID: 7468)
    • Reads security settings of Internet Explorer

      • AteraAgent.exe (PID: 6312)
      • AteraAgent.exe (PID: 6724)
      • AteraAgent.exe (PID: 2112)
      • AgentPackageAgentInformation.exe (PID: 5764)
      • SplashtopStreamer.exe (PID: 4168)
      • SetupUtil.exe (PID: 7732)
    • ATERAAGENT has been detected

      • AteraAgent.exe (PID: 6724)
      • AteraAgent.exe (PID: 6312)
      • AteraAgent.exe (PID: 2112)
    • Reads the date of Windows installation

      • AteraAgent.exe (PID: 6724)
      • AteraAgent.exe (PID: 2112)
    • Starts SC.EXE for service management

      • AteraAgent.exe (PID: 6724)
      • AteraAgent.exe (PID: 2112)
    • Restarts service on failure

      • sc.exe (PID: 2976)
      • sc.exe (PID: 1096)
    • Starts POWERSHELL.EXE for commands execution

      • AgentPackageAgentInformation.exe (PID: 5764)
    • The process bypasses the loading of PowerShell profile settings

      • AgentPackageAgentInformation.exe (PID: 5764)
    • The process executes Powershell scripts

      • AgentPackageAgentInformation.exe (PID: 5764)
    • The process hides Powershell's copyright startup banner

      • AgentPackageAgentInformation.exe (PID: 5764)
    • Starts CMD.EXE for commands execution

      • AgentPackageAgentInformation.exe (PID: 5764)
      • msiexec.exe (PID: 3092)
      • SetupUtil.exe (PID: 7732)
    • The process executes VB scripts

      • cmd.exe (PID: 5684)
    • CSC.EXE is used to compile C# code

      • csc.exe (PID: 6292)
    • Gets full path of the running script (SCRIPT)

      • cscript.exe (PID: 2664)
    • Checks whether a specific file exists (SCRIPT)

      • cscript.exe (PID: 2664)
    • Gets the drive type (SCRIPT)

      • cscript.exe (PID: 2664)
    • Accesses WMI object, sets custom ImpersonationLevel (SCRIPT)

      • cscript.exe (PID: 2664)
    • Executes WMI query (SCRIPT)

      • cscript.exe (PID: 2664)
    • Accesses OperatingSystem(Win32_OperatingSystem) via WMI (SCRIPT)

      • cscript.exe (PID: 2664)
    • Creates FileSystem object to access computer's file system (SCRIPT)

      • cscript.exe (PID: 2664)
    • Gets a collection of all available drive names (SCRIPT)

      • cscript.exe (PID: 2664)
    • Accesses computer name via WMI (SCRIPT)

      • cscript.exe (PID: 2664)
    • Searches for installed software

      • AgentPackageAgentInformation.exe (PID: 5764)
    • Drops a system driver (possible attempt to evade defenses)

      • msiexec.exe (PID: 4688)
    • The process creates files with name similar to system file names

      • msiexec.exe (PID: 4688)
    • Creates/Modifies COM task schedule object

      • msiexec.exe (PID: 3092)
      • SRService.exe (PID: 7400)
  • INFO

    • Reads the computer name

      • msiexec.exe (PID: 4688)
      • msiexec.exe (PID: 3736)
      • msiexec.exe (PID: 4724)
      • AteraAgent.exe (PID: 6724)
      • AteraAgent.exe (PID: 6312)
      • AgentPackageAgentInformation.exe (PID: 6412)
      • AgentPackageAgentInformation.exe (PID: 5764)
      • AgentPackageAgentInformation.exe (PID: 2292)
      • AgentPackageAgentInformation.exe (PID: 2356)
      • AgentPackageMonitoring.exe (PID: 5716)
      • AteraAgent.exe (PID: 2112)
      • AgentPackageSTRemote.exe (PID: 3688)
      • msiexec.exe (PID: 3092)
      • SplashtopStreamer.exe (PID: 4168)
      • _is6874.exe (PID: 4880)
      • _is6874.exe (PID: 7272)
      • _is6874.exe (PID: 2464)
      • _is6874.exe (PID: 7232)
      • _is6874.exe (PID: 2976)
      • _is6874.exe (PID: 7396)
      • _is6874.exe (PID: 7476)
      • _is6874.exe (PID: 7356)
      • _is6874.exe (PID: 7320)
      • _is6874.exe (PID: 7436)
      • _is7084.exe (PID: 7608)
      • _is7084.exe (PID: 7748)
      • _is7084.exe (PID: 7692)
      • _is7084.exe (PID: 7648)
      • _is7084.exe (PID: 7784)
      • _is7084.exe (PID: 7888)
      • _is7084.exe (PID: 7860)
      • _is7084.exe (PID: 7932)
      • _is7084.exe (PID: 7944)
      • _is83BF.exe (PID: 8168)
      • _is83BF.exe (PID: 8124)
      • _is83BF.exe (PID: 7252)
      • _is83BF.exe (PID: 7280)
      • _is83BF.exe (PID: 7432)
      • _is83BF.exe (PID: 7440)
      • _is7084.exe (PID: 7972)
      • _is83BF.exe (PID: 7492)
      • _is83BF.exe (PID: 7532)
      • _is83BF.exe (PID: 7472)
      • _is83BF.exe (PID: 7316)
      • SRSelfSignCertUtil.exe (PID: 7980)
      • SetupUtil.exe (PID: 7732)
      • _is9332.exe (PID: 3936)
      • _is9332.exe (PID: 5772)
      • _is9332.exe (PID: 7152)
      • _is9332.exe (PID: 8060)
      • _is9332.exe (PID: 8176)
      • _is9332.exe (PID: 8164)
      • _is9332.exe (PID: 7892)
      • _is9332.exe (PID: 2664)
      • _is9332.exe (PID: 7256)
      • _is9332.exe (PID: 7264)
      • _is9594.exe (PID: 7992)
      • _is9594.exe (PID: 7744)
      • _is9594.exe (PID: 7832)
      • _is9594.exe (PID: 7996)
      • SRService.exe (PID: 7400)
      • _is9594.exe (PID: 7568)
      • _is9594.exe (PID: 7340)
      • _is9594.exe (PID: 7632)
      • _is9594.exe (PID: 7660)
      • _is9594.exe (PID: 7800)
      • _is9594.exe (PID: 952)
      • SRManager.exe (PID: 1148)
      • SRService.exe (PID: 5496)
      • SRServer.exe (PID: 2464)
      • SRService.exe (PID: 7440)
      • SRAgent.exe (PID: 8164)
      • SRAppPB.exe (PID: 7296)
      • SRFeature.exe (PID: 7596)
    • Reads the software policy settings

      • msiexec.exe (PID: 4748)
      • msiexec.exe (PID: 4688)
      • rundll32.exe (PID: 7064)
      • AteraAgent.exe (PID: 6312)
      • rundll32.exe (PID: 2964)
      • AgentPackageAgentInformation.exe (PID: 6412)
      • AteraAgent.exe (PID: 6724)
      • AgentPackageAgentInformation.exe (PID: 2292)
      • AteraAgent.exe (PID: 2112)
      • AgentPackageSTRemote.exe (PID: 3688)
      • AgentPackageMonitoring.exe (PID: 5716)
      • cscript.exe (PID: 2664)
      • AgentPackageAgentInformation.exe (PID: 5764)
      • msiexec.exe (PID: 3092)
      • SRManager.exe (PID: 1148)
    • Reads security settings of Internet Explorer

      • msiexec.exe (PID: 4748)
    • Checks supported languages

      • msiexec.exe (PID: 4688)
      • msiexec.exe (PID: 3736)
      • msiexec.exe (PID: 4724)
      • AteraAgent.exe (PID: 6312)
      • AteraAgent.exe (PID: 6724)
      • AgentPackageAgentInformation.exe (PID: 6412)
      • AgentPackageAgentInformation.exe (PID: 2292)
      • AgentPackageAgentInformation.exe (PID: 2356)
      • AgentPackageAgentInformation.exe (PID: 5764)
      • AgentPackageMonitoring.exe (PID: 5716)
      • AgentPackageSTRemote.exe (PID: 3688)
      • AteraAgent.exe (PID: 2112)
      • cvtres.exe (PID: 5288)
      • csc.exe (PID: 6292)
      • SplashtopStreamer.exe (PID: 4168)
      • PreVerCheck.exe (PID: 5500)
      • msiexec.exe (PID: 3092)
      • _is6874.exe (PID: 7232)
      • _is6874.exe (PID: 2464)
      • _is6874.exe (PID: 7272)
      • _is6874.exe (PID: 2976)
      • _is6874.exe (PID: 4880)
      • _is6874.exe (PID: 7320)
      • _is6874.exe (PID: 7396)
      • _is6874.exe (PID: 7436)
      • _is6874.exe (PID: 7476)
      • _is6874.exe (PID: 7356)
      • _is7084.exe (PID: 7608)
      • _is7084.exe (PID: 7692)
      • _is7084.exe (PID: 7784)
      • _is7084.exe (PID: 7748)
      • _is7084.exe (PID: 7888)
      • _is7084.exe (PID: 7860)
      • _is7084.exe (PID: 7648)
      • _is7084.exe (PID: 7972)
      • _is83BF.exe (PID: 8168)
      • _is83BF.exe (PID: 7280)
      • _is83BF.exe (PID: 8124)
      • _is83BF.exe (PID: 7432)
      • _is83BF.exe (PID: 7252)
      • _is83BF.exe (PID: 7440)
      • _is7084.exe (PID: 7932)
      • _is7084.exe (PID: 7944)
      • _is83BF.exe (PID: 7532)
      • _is83BF.exe (PID: 7472)
      • _is83BF.exe (PID: 7316)
      • SetupUtil.exe (PID: 7688)
      • SetupUtil.exe (PID: 7668)
      • _is83BF.exe (PID: 7492)
      • SetupUtil.exe (PID: 7732)
      • _is9332.exe (PID: 7152)
      • _is9332.exe (PID: 2664)
      • _is9332.exe (PID: 5772)
      • _is9332.exe (PID: 3936)
      • _is9332.exe (PID: 8176)
      • _is9332.exe (PID: 8060)
      • SRSelfSignCertUtil.exe (PID: 7980)
      • _is9332.exe (PID: 7892)
      • _is9332.exe (PID: 7264)
      • SRService.exe (PID: 7400)
      • _is9332.exe (PID: 8164)
      • _is9332.exe (PID: 7256)
      • _is9594.exe (PID: 7992)
      • _is9594.exe (PID: 7996)
      • _is9594.exe (PID: 7568)
      • _is9594.exe (PID: 7744)
      • _is9594.exe (PID: 7800)
      • _is9594.exe (PID: 7660)
      • _is9594.exe (PID: 7632)
      • _is9594.exe (PID: 7340)
      • _is9594.exe (PID: 7832)
      • _is9594.exe (PID: 952)
      • SRService.exe (PID: 7440)
      • SRService.exe (PID: 5496)
      • SRManager.exe (PID: 1148)
      • SRServer.exe (PID: 2464)
      • SRFeature.exe (PID: 7596)
      • SRAgent.exe (PID: 8164)
      • SRUtility.exe (PID: 8112)
      • SRAppPB.exe (PID: 7296)
      • BdEpSDK.exe (PID: 7320)
    • Creates files or folders in the user directory

      • msiexec.exe (PID: 4748)
    • Checks proxy server information

      • msiexec.exe (PID: 4748)
      • rundll32.exe (PID: 7064)
      • rundll32.exe (PID: 2964)
    • Reads the machine GUID from the registry

      • msiexec.exe (PID: 4688)
      • AteraAgent.exe (PID: 6724)
      • AteraAgent.exe (PID: 6312)
      • AgentPackageAgentInformation.exe (PID: 6412)
      • AgentPackageAgentInformation.exe (PID: 2292)
      • AgentPackageAgentInformation.exe (PID: 5764)
      • AgentPackageSTRemote.exe (PID: 3688)
      • AgentPackageAgentInformation.exe (PID: 2356)
      • AgentPackageMonitoring.exe (PID: 5716)
      • AteraAgent.exe (PID: 2112)
      • csc.exe (PID: 6292)
      • msiexec.exe (PID: 3092)
      • SRSelfSignCertUtil.exe (PID: 7980)
      • SRManager.exe (PID: 1148)
    • Manages system restore points

      • SrTasks.exe (PID: 304)
    • Create files in a temporary directory

      • rundll32.exe (PID: 2728)
      • rundll32.exe (PID: 7064)
      • rundll32.exe (PID: 4036)
      • rundll32.exe (PID: 2964)
    • Executable content was dropped or overwritten

      • msiexec.exe (PID: 4688)
      • msiexec.exe (PID: 3092)
    • The sample compiled with english language support

      • rundll32.exe (PID: 2728)
      • rundll32.exe (PID: 7064)
      • rundll32.exe (PID: 4036)
      • rundll32.exe (PID: 2964)
      • AteraAgent.exe (PID: 6724)
      • SplashtopStreamer.exe (PID: 4168)
      • PreVerCheck.exe (PID: 5500)
      • msiexec.exe (PID: 4688)
      • msiexec.exe (PID: 3092)
      • SetupUtil.exe (PID: 7732)
    • Disables trace logs

      • rundll32.exe (PID: 7064)
      • AteraAgent.exe (PID: 6724)
      • rundll32.exe (PID: 2964)
      • AgentPackageAgentInformation.exe (PID: 6412)
      • AgentPackageAgentInformation.exe (PID: 2292)
      • AteraAgent.exe (PID: 2112)
      • AgentPackageSTRemote.exe (PID: 3688)
      • AgentPackageMonitoring.exe (PID: 5716)
      • AgentPackageAgentInformation.exe (PID: 5764)
    • Creates a software uninstall entry

      • msiexec.exe (PID: 4688)
    • Reads Environment values

      • AteraAgent.exe (PID: 6724)
      • AteraAgent.exe (PID: 6312)
      • AgentPackageAgentInformation.exe (PID: 6412)
      • AgentPackageAgentInformation.exe (PID: 2292)
      • AgentPackageAgentInformation.exe (PID: 2356)
      • AgentPackageAgentInformation.exe (PID: 5764)
      • AgentPackageSTRemote.exe (PID: 3688)
      • AgentPackageMonitoring.exe (PID: 5716)
      • AteraAgent.exe (PID: 2112)
    • Creates files in the program directory

      • AteraAgent.exe (PID: 6312)
      • AteraAgent.exe (PID: 6724)
      • AgentPackageSTRemote.exe (PID: 3688)
      • AgentPackageMonitoring.exe (PID: 5716)
      • AgentPackageAgentInformation.exe (PID: 5764)
      • SetupUtil.exe (PID: 7732)
      • SRSelfSignCertUtil.exe (PID: 7980)
      • SRService.exe (PID: 7400)
      • SRManager.exe (PID: 1148)
      • SRAgent.exe (PID: 8164)
    • SPLASHTOP has been detected

      • AgentPackageSTRemote.exe (PID: 3688)
      • msiexec.exe (PID: 4688)
      • msiexec.exe (PID: 3092)
      • SetupUtil.exe (PID: 7688)
      • msiexec.exe (PID: 3092)
      • SetupUtil.exe (PID: 7688)
      • SetupUtil.exe (PID: 7668)
      • conhost.exe (PID: 7796)
      • cmd.exe (PID: 7792)
      • conhost.exe (PID: 7852)
      • cmd.exe (PID: 7832)
      • SRSelfSignCertUtil.exe (PID: 7980)
      • SetupUtil.exe (PID: 7668)
      • SetupUtil.exe (PID: 7732)
      • conhost.exe (PID: 7452)
      • SRService.exe (PID: 7400)
      • conhost.exe (PID: 1356)
      • SRService.exe (PID: 7440)
      • SRService.exe (PID: 5496)
      • SRService.exe (PID: 5496)
      • SRManager.exe (PID: 1148)
      • SRServer.exe (PID: 2464)
      • PreVerCheck.exe (PID: 5500)
      • SRManager.exe (PID: 1148)
      • SRServer.exe (PID: 2464)
      • SRAppPB.exe (PID: 7296)
      • SRFeature.exe (PID: 7596)
      • SRAppPB.exe (PID: 7296)
      • SRAgent.exe (PID: 8164)
      • SRAgent.exe (PID: 8164)
      • SRFeature.exe (PID: 7596)
      • conhost.exe (PID: 8064)
      • conhost.exe (PID: 7340)
      • SRUtility.exe (PID: 8112)
      • SRUtility.exe (PID: 8112)
      • AgentPackageSTRemote.exe (PID: 3688)
      • BdEpSDK.exe (PID: 7320)
    • Script raised an exception (POWERSHELL)

      • powershell.exe (PID: 7064)
    • The sample compiled with chinese language support

      • msiexec.exe (PID: 4688)
No Malware configuration.

TRiD

.msi | Microsoft Windows Installer (98.5)
.msi | Microsoft Installer (100)

EXIF

FlashPix

CodePage: Windows Latin 1 (Western European)
Title: Installation Database
Subject: AteraAgent
Author: Atera networks
Keywords: Installer
Comments: This installer database contains the logic and data required to install AteraAgent.
Template: Intel;1033
RevisionNumber: {721AD955-79FD-4019-BBF5-9DCC4C1175BB}
CreateDate: 2024:02:28 10:52:02
ModifyDate: 2024:02:28 10:52:02
Pages: 200
Words: 6
Software: Windows Installer XML Toolset (3.11.2.4516)
Security: Read-only recommended
No data.
Total processes: 291
Monitored processes: 149
Malicious processes: 9
Suspicious processes: 3

Behavior graph

start msiexec.exe msiexec.exe vssvc.exe no specs srtasks.exe no specs conhost.exe no specs msiexec.exe no specs rundll32.exe rundll32.exe rundll32.exe msiexec.exe no specs net.exe no specs conhost.exe no specs net1.exe no specs taskkill.exe no specs conhost.exe no specs THREAT ateraagent.exe THREAT ateraagent.exe rundll32.exe sc.exe no specs conhost.exe no specs agentpackageagentinformation.exe conhost.exe no specs agentpackageagentinformation.exe conhost.exe no specs #7EV3N-HONE$T powershell.exe no specs conhost.exe no specs agentpackageagentinformation.exe conhost.exe no specs agentpackageagentinformation.exe no specs conhost.exe no specs agentpackagestremote.exe conhost.exe no specs agentpackagemonitoring.exe conhost.exe no specs THREAT ateraagent.exe sc.exe no specs conhost.exe no specs csc.exe cvtres.exe no specs cmd.exe no specs conhost.exe no specs cscript.exe splashtopstreamer.exe prevercheck.exe msiexec.exe no specs msiexec.exe _is6874.exe no specs _is6874.exe no specs _is6874.exe no specs _is6874.exe no specs _is6874.exe no specs _is6874.exe no specs _is6874.exe no specs _is6874.exe no specs _is6874.exe no specs _is6874.exe no specs cmd.exe no specs conhost.exe no specs taskkill.exe no specs cmd.exe no specs conhost.exe no specs taskkill.exe no specs cmd.exe no specs conhost.exe no specs taskkill.exe no specs cmd.exe no specs conhost.exe no specs taskkill.exe no specs cmd.exe no specs conhost.exe no specs taskkill.exe no specs cmd.exe no specs conhost.exe no specs taskkill.exe no specs cmd.exe no specs conhost.exe no specs taskkill.exe no specs cmd.exe no specs conhost.exe no specs taskkill.exe no specs cmd.exe no specs conhost.exe no specs taskkill.exe no specs cmd.exe no specs conhost.exe no specs taskkill.exe no specs _is7084.exe no specs _is7084.exe no specs _is7084.exe no specs _is7084.exe no specs _is7084.exe no specs _is7084.exe no specs _is7084.exe no specs _is7084.exe no specs _is7084.exe no specs _is7084.exe no specs _is83bf.exe no specs 
_is83bf.exe no specs _is83bf.exe no specs _is83bf.exe no specs _is83bf.exe no specs _is83bf.exe no specs _is83bf.exe no specs _is83bf.exe no specs _is83bf.exe no specs _is83bf.exe no specs setuputil.exe no specs setuputil.exe no specs setuputil.exe cmd.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs srselfsigncertutil.exe _is9332.exe no specs _is9332.exe no specs _is9332.exe no specs _is9332.exe no specs _is9332.exe no specs _is9332.exe no specs _is9332.exe no specs _is9332.exe no specs _is9332.exe no specs _is9332.exe no specs srservice.exe no specs conhost.exe no specs _is9594.exe no specs _is9594.exe no specs _is9594.exe no specs _is9594.exe no specs _is9594.exe no specs _is9594.exe no specs _is9594.exe no specs _is9594.exe no specs _is9594.exe no specs _is9594.exe no specs srservice.exe no specs conhost.exe no specs srservice.exe no specs srmanager.exe slui.exe no specs srserver.exe sragent.exe no specs srapppb.exe no specs srfeature.exe srutility.exe no specs conhost.exe no specs bdepsdk.exe no specs conhost.exe no specs

Process information

PID | CMD | Path | Indicators | Parent process
304 | C:\WINDOWS\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:11 | C:\Windows\System32\SrTasks.exe | msiexec.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Microsoft® Windows System Protection background tasks.
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\srtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
952 | C:\WINDOWS\TEMP\{A9E1A0E6-AA19-4E6E-9638-0DB61AEF8FEF}\_is9594.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{17272463-FDC9-4558-9F10-D0F554C08464} | C:\Windows\Temp\{A9E1A0E6-AA19-4E6E-9638-0DB61AEF8FEF}\_is9594.exe | msiexec.exe
User:
SYSTEM
Company:
Flexera
Integrity Level:
SYSTEM
Description:
InstallShield (R) 64-bit Setup Engine
Exit code:
0
Version:
27.0.122
Modules
Images
c:\windows\temp\{a9e1a0e6-aa19-4e6e-9638-0db61aef8fef}\_is9594.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
1096 | "C:\Windows\System32\sc.exe" failure AteraAgent reset= 600 actions= restart/25000 | C:\Windows\System32\sc.exe | AteraAgent.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Service Control Manager Configuration Tool
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\sc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
c:\windows\system32\bcrypt.dll
1148 | "C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRManager.exe" | C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRManager.exe | SRService.exe
User:
SYSTEM
Company:
Splashtop Inc.
Integrity Level:
SYSTEM
Description:
Splashtop® Streamer SRManager
Version:
3.74.4.29
Modules
Images
c:\program files (x86)\splashtop\splashtop remote\server\srmanager.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
1204 | C:\WINDOWS\system32\net1 STOP AteraAgent | C:\Windows\SysWOW64\net1.exe | net.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Net Command
Exit code:
2
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\net1.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\sechost.dll
1356 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | SRService.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
1576 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | taskkill.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
2112 | "C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe" | C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe | services.exe
User:
SYSTEM
Company:
ATERA Networks Ltd.
Integrity Level:
SYSTEM
Description:
AteraAgent
Version:
1.8.7.2
Modules
Images
c:\program files (x86)\atera networks\ateraagent\ateraagent.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
2292 | "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" f8d1b580-7572-4f35-8e25-fca5a1c1ff0f "57adccd5-128b-4357-a1ab-11481e595bfc" agent-api.atera.com/Production 443 or8ixLi90Mf "minimalIdentification" 001Q300000VGeNrIAL | C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe | AteraAgent.exe
User:
SYSTEM
Company:
Atera Networks
Integrity Level:
SYSTEM
Description:
AgentPackageAgentInformation
Exit code:
0
Version:
40.8.0.0
Modules
Images
c:\program files (x86)\atera networks\ateraagent\packages\agentpackageagentinformation\agentpackageagentinformation.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
2356 | "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" f8d1b580-7572-4f35-8e25-fca5a1c1ff0f "3feec532-3728-470d-9125-063a4eac85af" agent-api.atera.com/Production 443 or8ixLi90Mf "identified" 001Q300000VGeNrIAL | C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe | AteraAgent.exe
User:
SYSTEM
Company:
Atera Networks
Integrity Level:
SYSTEM
Description:
AgentPackageAgentInformation
Exit code:
0
Version:
40.8.0.0
Modules
Images
c:\program files (x86)\atera networks\ateraagent\packages\agentpackageagentinformation\agentpackageagentinformation.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
Total events: 58 891
Read events: 57 827
Write events: 1 028
Delete events: 36

Modification events

Process: (4688) msiexec.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SystemRestore
Operation: write
Name: SrCreateRp (Enter)
Value:
4800000000000000BE535B5E6506DC015012000080170000D50700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
Process: (4688) msiexec.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation: write
Name: SppGetSnapshots (Enter)
Value:
4800000000000000BE535B5E6506DC015012000080170000D20700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
Process: (4688) msiexec.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation: write
Name: SppGetSnapshots (Leave)
Value:
4800000000000000AFB57C5E6506DC015012000080170000D20700000100000000000000000000000000000000000000000000000000000000000000000000000000000000000000
Process: (4688) msiexec.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation: write
Name: SppEnumGroups (Enter)
Value:
4800000000000000AFB57C5E6506DC015012000080170000D10700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
Process: (4688) msiexec.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation: write
Name: SppEnumGroups (Leave)
Value:
4800000000000000AFB57C5E6506DC015012000080170000D10700000100000000000000010000000000000000000000000000000000000000000000000000000000000000000000
Process: (4688) msiexec.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation: write
Name: SppCreate (Enter)
Value:
4800000000000000AC69815E6506DC015012000080170000D00700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
Process: (4688) msiexec.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SPP
Operation: write
Name: LastIndex
Value:
11
Process: (4688) msiexec.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation: write
Name: SppGatherWriterMetadata (Enter)
Value:
4800000000000000C4EDB55E6506DC015012000080170000D30700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
Process: (4688) msiexec.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\VssapiPublisher
Operation: write
Name: IDENTIFY (Enter)
Value:
4800000000000000C651B85E6506DC01501200007C150000E803000001000000000000000000000060A477BA54155247B15456934FA4B1A300000000000000000000000000000000
Process: (2980) VSSVC.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer
Operation: write
Name: IDENTIFY (Enter)
Value:
4800000000000000FECDC15E6506DC01A40B0000C00F0000E80300000100000001000000000000000000000000000000000000000000000000000000000000000000000000000000
Executable files: 294
Suspicious files: 92
Text files: 146
Unknown types: 55

Dropped files

PID | Process | Filename | Type
4688 | msiexec.exe | C:\System Volume Information\SPP\metadata-2
MD5:
SHA256:
4748 | msiexec.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EC9B1D0ABBD7F98B401D425828828CE_93E8F0A6DF0B1F1414474691911362FC | der
MD5:14CE649899F4BF983DA70BA4E9D17E44
SHA256:3B1DC668C03F2450543220076BF389DA7D72C04D6DCFE25985FA752DDB024E35
4748 | msiexec.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB | binary
MD5:23F88973910A4BD17C84D37E97284344
SHA256:168117C3DF8E4A0E6533FF145CBB2613EC4D988795157746D8AC47EF8A468633
4748 | msiexec.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141 | binary
MD5:C3048E0E080B153E215D0848D558315F
SHA256:3A5283A424291304A6FC9FE8CD1956E350821F0C9ACC2917B8BA6E88395C9D55
4748 | msiexec.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141 | der
MD5:8F380E2AFD507983598E3EF557B0F1A9
SHA256:B1E46036E524AB20451E799FFA24ABE8179BBA557DFF66EF8930F5BC43D19706
4748 | msiexec.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB | der
MD5:6F3A9565252D50F75DDFDD114F8CC555
SHA256:1F553981B54CB26601CF0488F2EF6B5E2C0FFBF4C70A247F1D70D74E3FC73BBF
2728rundll32.exeC:\Users\admin\AppData\Local\Temp\MSIFBDF.tmp-\AlphaControlAgentInstallation.dllexecutable
MD5:AA1B9C5C685173FAD2DABEBEB3171F01
SHA256:E44A6582CD3F84F4255D3C230E0A2C284E0CFFA0CA5E62E4D749E089555494C7
2728rundll32.exeC:\Users\admin\AppData\Local\Temp\MSIFBDF.tmp-\System.Management.dllexecutable
MD5:878E361C41C05C0519BFC72C7D6E141C
SHA256:24DE61B5CAB2E3495FE8D817FB6E80094662846F976CF38997987270F8BBAE40
2728rundll32.exeC:\Users\admin\AppData\Local\Temp\MSIFBDF.tmp-\CustomAction.configxml
MD5:BC17E956CDE8DD5425F2B2A68ED919F8
SHA256:E4FF538599C2D8E898D7F90CCF74081192D5AFA8040E6B6C180F3AA0F46AD2C5
2728rundll32.exeC:\Users\admin\AppData\Local\Temp\MSIFBDF.tmp-\Newtonsoft.Json.dllexecutable
MD5:715A1FBEE4665E99E859EDA667FE8034
SHA256:C5C83BBC1741BE6FF4C490C0AEE34C162945423EC577C646538B2D21CE13199E
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 17
TCP/UDP connections: 61
DNS requests: 29
Threats: 0

HTTP requests

| PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
| 4748 | msiexec.exe | GET | 200 | 184.30.131.245:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBT3xL4LQLXDRDM9P665TW442vrsUQQUReuir%2FSSy4IxLVGLp6chnfNtyA8CEA6bGI750C3n79tQ4ghAGFo%3D | unknown | | | whitelisted |
| 4748 | msiexec.exe | GET | 200 | 184.30.131.245:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSRXerF0eFeSWRripTgTkcJWMm7iQQUaDfg67Y7%2BF8Rhvv%2BYXsIiGX0TkICEAnTy%2FhDMohv9omwS69%2Fdow%3D | unknown | | | whitelisted |
| 4748 | msiexec.exe | GET | 200 | 184.30.131.245:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfIs%2BLjDtGwQ09XEB1Yeq%2BtX%2BBgQQU7NfjgtJxXWRM3y5nP%2Be6mK4cD08CEAitQLJg0pxMn17Nqb2Trtk%3D | unknown | | | whitelisted |
| 4800 | svchost.exe | GET | 200 | 184.30.131.245:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | | | whitelisted |
| 1268 | svchost.exe | GET | 200 | 23.53.40.178:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | | | whitelisted |
| 1268 | svchost.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | | | whitelisted |
| 6312 | AteraAgent.exe | GET | 200 | 184.30.131.245:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBT3xL4LQLXDRDM9P665TW442vrsUQQUReuir%2FSSy4IxLVGLp6chnfNtyA8CEA6bGI750C3n79tQ4ghAGFo%3D | unknown | | | whitelisted |
| 6312 | AteraAgent.exe | GET | 200 | 184.30.131.245:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfIs%2BLjDtGwQ09XEB1Yeq%2BtX%2BBgQQU7NfjgtJxXWRM3y5nP%2Be6mK4cD08CEAitQLJg0pxMn17Nqb2Trtk%3D | unknown | | | whitelisted |
| 6312 | AteraAgent.exe | GET | 200 | 184.30.131.245:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSRXerF0eFeSWRripTgTkcJWMm7iQQUaDfg67Y7%2BF8Rhvv%2BYXsIiGX0TkICEAooSZl45YmN9AojjrilUug%3D | unknown | | | whitelisted |
| 1636 | SIHClient.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown | | | whitelisted |

Connections

| PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
| 4 | System | 192.168.100.255:137 | | | | whitelisted |
| 5944 | MoUsoCoreWorker.exe | 4.231.128.59:443 | | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
| 3480 | RUXIMICS.exe | 4.231.128.59:443 | | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
| 1268 | svchost.exe | 4.231.128.59:443 | | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
| 4748 | msiexec.exe | 184.30.131.245:80 | ocsp.digicert.com | AKAMAI-AS | US | whitelisted |
| 4 | System | 192.168.100.255:138 | | | | whitelisted |
| 4800 | svchost.exe | 20.190.159.0:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
| 4800 | svchost.exe | 184.30.131.245:80 | ocsp.digicert.com | AKAMAI-AS | US | whitelisted |
| 1268 | svchost.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
| 1268 | svchost.exe | 23.53.40.178:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted |

DNS requests

| Domain | IP | Reputation |
|---|---|---|
| google.com | 142.250.185.110 | whitelisted |
| ocsp.digicert.com | 184.30.131.245 | whitelisted |
| login.live.com | 20.190.159.0, 40.126.31.3, 20.190.159.128, 40.126.31.130, 40.126.31.0, 20.190.159.71, 20.190.159.131, 40.126.31.71 | whitelisted |
| settings-win.data.microsoft.com | 51.104.136.2, 40.127.240.158, 20.73.194.208 | whitelisted |
| crl.microsoft.com | 23.53.40.178, 23.53.40.176, 23.55.110.211, 23.55.110.193 | whitelisted |
| www.microsoft.com | 95.101.149.131 | whitelisted |
| go.microsoft.com | 184.30.18.9 | whitelisted |
| agent-api.atera.com | 40.119.152.241 | whitelisted |
| ps.pndsn.com | 35.157.63.229, 35.157.63.227 | unknown |
| client.wns.windows.com | 172.211.123.248 | whitelisted |

Threats

No threats detected
| Process | Message |
|---|---|
| AgentPackageMonitoring.exe | Native library pre-loader is trying to load native SQLite library "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\x64\SQLite.Interop.dll"... |
| SplashtopStreamer.exe | [4168]2025-08-06 00:02:52 [CUtility::OSInfo] OS 10.0(19045) x64:1 (Last=0) |
| SplashtopStreamer.exe | [4168]2025-08-06 00:02:52 [CUnPack::FindHeader] Name:C:\WINDOWS\TEMP\SplashtopStreamer.exe (Last=0) |
| SplashtopStreamer.exe | [4168]2025-08-06 00:02:52 [CUnPack::FindHeader] Sign Size:10376 (Last=0) |
| SplashtopStreamer.exe | [4168]2025-08-06 00:02:52 [CUnPack::FindHeader] Header offset:434176 (Last=183) |
| SplashtopStreamer.exe | [4168]2025-08-06 00:02:52 [CUnPack::UnPackFiles] FreeSpace:232981520384 FileSize:63187968 (Last=0) |
| SplashtopStreamer.exe | [4168]2025-08-06 00:02:52 [CUnPack::UnPackFiles] (1/5)UnPack file name:C:\WINDOWS\TEMP\unpack\setup.msi (63187968) (Last=0) |
| SplashtopStreamer.exe | [4168]2025-08-06 00:02:52 [CUnPack::UnPackFiles] UnPack count:1 len:63187968 File:(null) (Last=0) |
| SplashtopStreamer.exe | [4168]2025-08-06 00:02:52 [CUnPack::UnPackFiles] FreeSpace:232918315008 FileSize:15 (Last=183) |
| SplashtopStreamer.exe | [4168]2025-08-06 00:02:52 [CUnPack::UnPackFiles] (2/5)UnPack file name:C:\WINDOWS\TEMP\unpack\run.bat (15) (Last=122) |