File name: PDF-723.msi

Full analysis: https://app.any.run/tasks/c0667dfb-0ec8-4001-a198-1bf2d7effd4a
Verdict: Malicious activity
Analysis date: January 13, 2025, 14:29:58
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags: generated-doc, ateraagent, atera, tool
Indicators:
MIME: application/x-msi
File info: Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Code page: 1252, Title: Installation Database, Subject: AteraAgent, Author: Atera networks, Keywords: Installer, Comments: This installer database contains the logic and data required to install AteraAgent., Template: Intel;1033, Revision Number: {721AD955-79FD-4019-BBF5-9DCC4C1175BB}, Create Time/Date: Wed Feb 28 10:52:02 2024, Last Saved Time/Date: Wed Feb 28 10:52:02 2024, Number of Pages: 200, Number of Words: 6, Name of Creating Application: Windows Installer XML Toolset (3.11.2.4516), Security: 2
MD5: 3A63239AE3F46DC8657A1D349C5E2C2B
SHA1: 0622AE18105253BBA50B08D8E64776BC5749B08F
SHA256: CA557971DC71088EB5D51FCEBB64F9D0323C0B2A370163DB878AC1A71751855D
SSDEEP: 98304:pIZTffzvns6eLKLdpRwznfsJb+7J7ERXndiWaKzPtSjXmbABY/lT8vjkZBvrePVv:m3XP9No

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • ATERAAGENT has been detected (YARA)

      • msiexec.exe (PID: 6340)
      • msiexec.exe (PID: 6528)
    • Starts NET.EXE for service management

      • msiexec.exe (PID: 1684)
      • net.exe (PID: 6836)
  • SUSPICIOUS

    • Executes as Windows Service

      • VSSVC.exe (PID: 6596)
      • AteraAgent.exe (PID: 7156)
      • AteraAgent.exe (PID: 7080)
    • Process drops legitimate windows executable

      • msiexec.exe (PID: 6340)
      • msiexec.exe (PID: 6528)
      • AteraAgent.exe (PID: 7156)
    • Executable content was dropped or overwritten

      • rundll32.exe (PID: 4704)
      • rundll32.exe (PID: 5308)
      • rundll32.exe (PID: 5576)
      • rundll32.exe (PID: 5992)
      • AteraAgent.exe (PID: 7156)
      • SplashtopStreamer.exe (PID: 6152)
      • PreVerCheck.exe (PID: 6800)
    • Uses TASKKILL.EXE to kill process

      • msiexec.exe (PID: 1684)
    • ATERAAGENT has been detected

      • AteraAgent.exe (PID: 7112)
      • AteraAgent.exe (PID: 7156)
      • AteraAgent.exe (PID: 7080)
    • Starts SC.EXE for service management

      • AteraAgent.exe (PID: 7156)
      • AteraAgent.exe (PID: 7080)
    • Restarts service on failure

      • sc.exe (PID: 424)
      • sc.exe (PID: 5256)
    • Potential Corporate Privacy Violation

      • AgentPackageAgentInformation.exe (PID: 3420)
      • rundll32.exe (PID: 5992)
      • AgentPackageAgentInformation.exe (PID: 1356)
      • AteraAgent.exe (PID: 7156)
      • AteraAgent.exe (PID: 7080)
      • AgentPackageMonitoring.exe (PID: 2084)
      • AgentPackageSTRemote.exe (PID: 7140)
    • Starts POWERSHELL.EXE for commands execution

      • AgentPackageAgentInformation.exe (PID: 5268)
    • The process executes VB scripts

      • cmd.exe (PID: 7160)
    • Gets full path of the running script (SCRIPT)

      • cscript.exe (PID: 2280)
    • Creates FileSystem object to access computer's file system (SCRIPT)

      • cscript.exe (PID: 2280)
    • The process bypasses the loading of PowerShell profile settings

      • AgentPackageAgentInformation.exe (PID: 5268)
    • Gets a collection of all available drive names (SCRIPT)

      • cscript.exe (PID: 2280)
    • Starts CMD.EXE for commands execution

      • AgentPackageAgentInformation.exe (PID: 5268)
    • Accesses WMI object, sets custom ImpersonationLevel (SCRIPT)

      • cscript.exe (PID: 2280)
    • Accesses computer name via WMI (SCRIPT)

      • cscript.exe (PID: 2280)
    • Gets the drive type (SCRIPT)

      • cscript.exe (PID: 2280)
    • Executes application which crashes

      • cscript.exe (PID: 2280)
  • INFO

    • Reads security settings of Internet Explorer

      • msiexec.exe (PID: 6340)
    • Manages system restore points

      • SrTasks.exe (PID: 3984)
    • Reads the software policy settings

      • msiexec.exe (PID: 6340)
    • Executable content was dropped or overwritten

      • msiexec.exe (PID: 6528)
    • The sample compiled with english language support

      • rundll32.exe (PID: 4704)
      • rundll32.exe (PID: 5308)
      • rundll32.exe (PID: 5576)
      • rundll32.exe (PID: 5992)
      • AteraAgent.exe (PID: 7156)
      • SplashtopStreamer.exe (PID: 6152)
      • PreVerCheck.exe (PID: 6800)
      • msiexec.exe (PID: 6528)
    • Sends debugging messages

      • SplashtopStreamer.exe (PID: 6152)
    • Script raised an exception (POWERSHELL)

      • powershell.exe (PID: 6308)
No Malware configuration.

TRiD

.msi | Microsoft Windows Installer (98.5)
.msi | Microsoft Installer (100)

EXIF

FlashPix

CodePage: Windows Latin 1 (Western European)
Title: Installation Database
Subject: AteraAgent
Author: Atera networks
Keywords: Installer
Comments: This installer database contains the logic and data required to install AteraAgent.
Template: Intel;1033
RevisionNumber: {721AD955-79FD-4019-BBF5-9DCC4C1175BB}
CreateDate: 2024:02:28 10:52:02
ModifyDate: 2024:02:28 10:52:02
Pages: 200
Words: 6
Software: Windows Installer XML Toolset (3.11.2.4516)
Security: Read-only recommended
Total processes: 179
Monitored processes: 45
Malicious processes: 7
Suspicious processes: 3

Behavior graph

Process chain as shown in the graph (in order of appearance; "no specs" means the process carries no indicators):
  • start
  • #ATERAAGENT msiexec.exe
  • #ATERAAGENT msiexec.exe
  • vssvc.exe (no specs)
  • srtasks.exe (no specs)
  • conhost.exe (no specs)
  • msiexec.exe (no specs)
  • rundll32.exe
  • rundll32.exe
  • rundll32.exe
  • msiexec.exe (no specs)
  • net.exe (no specs)
  • conhost.exe (no specs)
  • net1.exe (no specs)
  • taskkill.exe (no specs)
  • conhost.exe (no specs)
  • THREAT ateraagent.exe
  • THREAT ateraagent.exe
  • rundll32.exe
  • sc.exe (no specs)
  • conhost.exe (no specs)
  • agentpackageagentinformation.exe
  • conhost.exe (no specs)
  • agentpackageagentinformation.exe
  • conhost.exe (no specs)
  • agentpackageagentinformation.exe (no specs)
  • conhost.exe (no specs)
  • agentpackageagentinformation.exe (no specs)
  • conhost.exe (no specs)
  • THREAT ateraagent.exe
  • sc.exe (no specs)
  • conhost.exe (no specs)
  • agentpackagestremote.exe
  • conhost.exe (no specs)
  • powershell.exe (no specs)
  • conhost.exe (no specs)
  • agentpackagemonitoring.exe
  • conhost.exe (no specs)
  • cmd.exe (no specs)
  • conhost.exe (no specs)
  • cscript.exe
  • splashtopstreamer.exe
  • prevercheck.exe
  • msiexec.exe (no specs)
  • msiexec.exe (no specs)
  • werfault.exe (no specs)

Process information

Columns: PID | CMD | Path | Indicators | Parent process
PID: 188
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: AgentPackageAgentInformation.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Console Window Host
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 424
CMD: "C:\Windows\System32\sc.exe" failure AteraAgent reset= 600 actions= restart/25000
Path: C:\Windows\System32\sc.exe
Parent process: AteraAgent.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Service Control Manager Configuration Tool
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\sc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
c:\windows\system32\bcrypt.dll
PID: 768
CMD: "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" f590e8d0-193e-4f88-8436-ebe198c1dcd5 "24041103-8fb7-49b7-a351-4039f552c9e0" agent-api.atera.com/Production 443 or8ixLi90Mf "identified" 001Q3000005bkCOIAY
Path: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe
Parent process: AteraAgent.exe
User: SYSTEM
Company: Atera Networks
Integrity Level: SYSTEM
Description: AgentPackageAgentInformation
Exit code: 0
Version: 38.8.0.0
Modules
Images
c:\program files (x86)\atera networks\ateraagent\packages\agentpackageagentinformation\agentpackageagentinformation.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
PID: 904
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: sc.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 1140
CMD: "TaskKill.exe" /f /im AteraAgent.exe
Path: C:\Windows\SysWOW64\taskkill.exe
Parent process: msiexec.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Terminates Processes
Exit code: 128
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\taskkill.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\advapi32.dll
c:\windows\syswow64\msvcrt.dll
PID: 1356
CMD: "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" f590e8d0-193e-4f88-8436-ebe198c1dcd5 "aa59cc42-1c16-4852-ae6f-6ec02f47650a" agent-api.atera.com/Production 443 or8ixLi90Mf "minimalIdentification" 001Q3000005bkCOIAY
Path: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe
Parent process: AteraAgent.exe
User: SYSTEM
Company: Atera Networks
Integrity Level: SYSTEM
Description: AgentPackageAgentInformation
Exit code: 0
Version: 38.8.0.0
Modules
Images
c:\program files (x86)\atera networks\ateraagent\packages\agentpackageagentinformation\agentpackageagentinformation.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
PID: 1684
CMD: C:\Windows\syswow64\MsiExec.exe -Embedding 32352DF0467C30B92C05C6C2C629F342 E Global\MSI0000
Path: C:\Windows\SysWOW64\msiexec.exe
Parent process: msiexec.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Windows® installer
Exit code: 0
Version: 5.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\msiexec.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\aclayers.dll
PID: 1684
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: powershell.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 1828
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: net.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 2084
CMD: "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe" f590e8d0-193e-4f88-8436-ebe198c1dcd5 "8537c88a-365a-41da-bf82-e5154c500e61" agent-api.atera.com/Production 443 or8ixLi90Mf "syncprofile" 001Q3000005bkCOIAY
Path: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe
Parent process: AteraAgent.exe
User: SYSTEM
Integrity Level: SYSTEM
Description: AgentPackageMonitoring
Exit code: 0
Version: 38.1.0.0
Modules
Images
c:\program files (x86)\atera networks\ateraagent\packages\agentpackagemonitoring\agentpackagemonitoring.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
Total events: 37 721
Read events: 37 233
Write events: 464
Delete events: 24

Modification events

(PID) Process: (6596) VSSVC.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer
Operation: write
Name: IDENTIFY (Enter)
Value: 4800000000000000C9D2C5AAC765DB01C4190000E4190000E80300000100000001000000000000000000000000000000000000000000000000000000000000000000000000000000

(PID) Process: (6596) VSSVC.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer
Operation: write
Name: IDENTIFY (Enter)
Value: 4800000000000000C9D2C5AAC765DB01C4190000501A0000E80300000100000001000000000000000000000000000000000000000000000000000000000000000000000000000000

(PID) Process: (6596) VSSVC.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer
Operation: write
Name: IDENTIFY (Enter)
Value: 4800000000000000C9D2C5AAC765DB01C4190000E0190000E80300000100000001000000000000000000000000000000000000000000000000000000000000000000000000000000

(PID) Process: (6596) VSSVC.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer
Operation: write
Name: IDENTIFY (Enter)
Value: 4800000000000000C9D2C5AAC765DB01C4190000581A0000E80300000100000001000000000000000000000000000000000000000000000000000000000000000000000000000000

(PID) Process: (6596) VSSVC.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer
Operation: write
Name: IDENTIFY (Leave)
Value: 480000000000000009A6CAAAC765DB01C4190000581A0000E80300000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000

(PID) Process: (6596) VSSVC.exe
Key: HKEY_LOCAL_MACHINE\BCD00000000\Objects\{9dea862c-5cdd-4e70-acc1-f32b344d4795}\Elements\11000001
Operation: delete key
Name: (default)
Value:

(PID) Process: (6596) VSSVC.exe
Key: HKEY_LOCAL_MACHINE\BCD00000000\Objects\{9dea862c-5cdd-4e70-acc1-f32b344d4795}\Elements\11000001
Operation: write
Name: Element
Value: 0000000000000000000000000000000006000000000000004800000000000000715E5C2FA985EB1190A89A9B763584210000000000000000745E5C2FA985EB1190A89A9B7635842100000000000000000000000000000000

(PID) Process: (6596) VSSVC.exe
Key: HKEY_LOCAL_MACHINE\BCD00000000\Objects\{9dea862c-5cdd-4e70-acc1-f32b344d4795}\Elements\12000002
Operation: delete key
Name: (default)
Value:

(PID) Process: (6596) VSSVC.exe
Key: HKEY_LOCAL_MACHINE\BCD00000000\Objects\{9dea862c-5cdd-4e70-acc1-f32b344d4795}\Elements\12000002
Operation: write
Name: Element
Value: \EFI\Microsoft\Boot\bootmgfw.efi

(PID) Process: (6596) VSSVC.exe
Key: HKEY_LOCAL_MACHINE\BCD00000000\Objects\{5b970157-8568-11eb-b45c-806e6f6e6963}\Elements\11000001
Operation: delete key
Name: (default)
Value:
Executable files: 66
Suspicious files: 36
Text files: 30
Unknown types: 16

Dropped files

Columns: PID | Process | Filename | Type

PID: 6528 | Process: msiexec.exe | Filename: C:\System Volume Information\SPP\metadata-2 | Type: (not listed)
MD5:
SHA256:

PID: 6340 | Process: msiexec.exe | Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141 | Type: binary
MD5: 8D000B51D23264B1CDB18982DDA9389E
SHA256: FA584C1D35C317E430E8DAAE9B212ADDBC1DE2BD7F5D1FA945DD1EA6FDC3F5D6

PID: 6340 | Process: msiexec.exe | Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141 | Type: der
MD5: 40482C80CBDB2016F964A54E6C803C08
SHA256: D63A105634357B3E49D24C7E69B0B0BC5529859A71A93CFFF85528C7802A53DD

PID: 4704 | Process: rundll32.exe | Filename: C:\Users\admin\AppData\Local\Temp\MSIAFCB.tmp-\Newtonsoft.Json.dll | Type: executable
MD5: 715A1FBEE4665E99E859EDA667FE8034
SHA256: C5C83BBC1741BE6FF4C490C0AEE34C162945423EC577C646538B2D21CE13199E

PID: 6528 | Process: msiexec.exe | Filename: C:\Windows\Installer\13abe3.msi | Type: executable
MD5: 3A63239AE3F46DC8657A1D349C5E2C2B
SHA256: CA557971DC71088EB5D51FCEBB64F9D0323C0B2A370163DB878AC1A71751855D

PID: 6340 | Process: msiexec.exe | Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EC9B1D0ABBD7F98B401D425828828CE_DEB07B5578A606ED6489DDA2E357A944 | Type: binary
MD5: 408B8FAFC56C17C5253CEEB5BE35A190
SHA256: 2C6D906B04993F76D38791227C93B3625CCDE5D8F6744C8EDE152620424AC218

PID: 6340 | Process: msiexec.exe | Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB | Type: der
MD5: 0DFF8D0B680487E03E4074FD2BFE67B6
SHA256: 2EDD030797F68831AEED75001E19C1BE6752E5EAE58BDDAA7600301FD4A86EED

PID: 6340 | Process: msiexec.exe | Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB | Type: binary
MD5: 7B16980B1E7CA8F2ACEA28D4D3C06350
SHA256: 958B569A28CCF9D7F470442A8E9A57A0098836644975C9D9AC7E18B21A29D56A

PID: 4704 | Process: rundll32.exe | Filename: C:\Users\admin\AppData\Local\Temp\MSIAFCB.tmp-\AlphaControlAgentInstallation.dll | Type: executable
MD5: AA1B9C5C685173FAD2DABEBEB3171F01
SHA256: E44A6582CD3F84F4255D3C230E0A2C284E0CFFA0CA5E62E4D749E089555494C7

PID: 6528 | Process: msiexec.exe | Filename: C:\System Volume Information\SPP\snapshot-2 | Type: binary
MD5: D6C5B546CDD29E06A269D519BAAA3D3D
SHA256: 911680595779AD7E827E21EBD6C0928B57729F9B5F2C4914426FF383A87DB810
HTTP(S) requests: 17
TCP/UDP connections: 57
DNS requests: 23
Threats: 20

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Reputation
(Type and Size columns are empty in the report; "-" marks a cell the report leaves blank)

4712 | MoUsoCoreWorker.exe | GET | 200 | 2.16.241.12:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
4976 | SIHClient.exe | GET | 200 | 2.23.246.101:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown | whitelisted
7112 | AteraAgent.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfIs%2BLjDtGwQ09XEB1Yeq%2BtX%2BBgQQU7NfjgtJxXWRM3y5nP%2Be6mK4cD08CEAitQLJg0pxMn17Nqb2Trtk%3D | unknown | whitelisted
7112 | AteraAgent.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSRXerF0eFeSWRripTgTkcJWMm7iQQUaDfg67Y7%2BF8Rhvv%2BYXsIiGX0TkICEAooSZl45YmN9AojjrilUug%3D | unknown | whitelisted
- | - | GET | 200 | 2.16.241.12:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
- | - | GET | 200 | 2.23.246.101:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted
4712 | MoUsoCoreWorker.exe | GET | 200 | 2.23.246.101:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted
- | - | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D | unknown | whitelisted
4976 | SIHClient.exe | GET | 200 | 2.23.246.101:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl | unknown | whitelisted
2280 | cscript.exe | GET | 200 | 2.16.241.19:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl | unknown | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
("-" marks a cell the report leaves blank)

4 | System | 192.168.100.255:138 | - | - | - | whitelisted
4712 | MoUsoCoreWorker.exe | 2.16.241.12:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
- | - | 2.16.241.12:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
4712 | MoUsoCoreWorker.exe | 2.23.246.101:80 | www.microsoft.com | Ooredoo Q.S.C. | QA | whitelisted
- | - | 2.23.246.101:80 | www.microsoft.com | Ooredoo Q.S.C. | QA | whitelisted
- | - | 51.124.78.146:443 | - | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
- | - | 52.167.17.97:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
5064 | SearchApp.exe | 2.23.227.199:443 | www.bing.com | Ooredoo Q.S.C. | QA | whitelisted
- | - | 192.229.221.95:80 | ocsp.digicert.com | EDGECAST | US | whitelisted
1176 | svchost.exe | 20.190.159.4:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted

DNS requests

Domain
IP
Reputation
crl.microsoft.com
  • 2.16.241.12
  • 2.16.241.19
whitelisted
www.microsoft.com
  • 2.23.246.101
whitelisted
settings-win.data.microsoft.com
  • 52.167.17.97
  • 4.231.128.59
whitelisted
www.bing.com
  • 2.23.227.199
  • 2.23.227.198
  • 2.23.227.208
  • 2.23.227.221
whitelisted
ocsp.digicert.com
  • 192.229.221.95
whitelisted
login.live.com
  • 20.190.159.4
  • 20.190.159.75
  • 20.190.159.68
  • 20.190.159.23
  • 40.126.31.73
  • 20.190.159.2
  • 20.190.159.73
  • 40.126.31.69
whitelisted
go.microsoft.com
  • 2.23.242.9
whitelisted
agent-api.atera.com
  • 40.119.152.241
whitelisted
slscr.update.microsoft.com
  • 20.109.210.53
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 40.69.42.241
whitelisted

Threats

PID | Process | Class | Message

2192 | svchost.exe | Misc activity | ET INFO Splashtop Domain in DNS Lookup (splashtop .com)
7140 | AgentPackageSTRemote.exe | Misc activity | ET INFO Splashtop Domain (splashtop .com) in TLS SNI
2192 | svchost.exe | Misc activity | ET INFO Splashtop Domain in DNS Lookup (splashtop .com)
7140 | AgentPackageSTRemote.exe | Misc activity | ET INFO Splashtop Domain (splashtop .com) in TLS SNI
Process | Message

AgentPackageMonitoring.exe | Native library pre-loader is trying to load native SQLite library "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\x64\SQLite.Interop.dll"...
SplashtopStreamer.exe | [6152]2025-01-13 14:31:10 [CUnPack::FindHeader] Header offset:434176 (Last=183)
SplashtopStreamer.exe | [6152]2025-01-13 14:31:10 [CUnPack::UnPackFiles] FreeSpace:231947898880 FileSize:53075456 (Last=0)
SplashtopStreamer.exe | [6152]2025-01-13 14:31:10 [CUnPack::FindHeader] Sign Size:10240 (Last=0)
SplashtopStreamer.exe | [6152]2025-01-13 14:31:10 [CUnPack::FindHeader] Name:C:\WINDOWS\TEMP\SplashtopStreamer.exe (Last=0)
SplashtopStreamer.exe | [6152]2025-01-13 14:31:10 [CUtility::OSInfo] OS 10.0(19045) x64:1 (Last=0)
SplashtopStreamer.exe | [6152]2025-01-13 14:31:10 [CUnPack::UnPackFiles] (1/5)UnPack file name:C:\WINDOWS\TEMP\unpack\setup.msi (53075456) (Last=0)
SplashtopStreamer.exe | [6152]2025-01-13 14:31:10 [CUnPack::UnPackFiles] UnPack count:2 len:15 File:(null) (Last=0)
SplashtopStreamer.exe | [6152]2025-01-13 14:31:10 [CUnPack::UnPackFiles] UnPack count:1 len:53075456 File:(null) (Last=0)
SplashtopStreamer.exe | [6152]2025-01-13 14:31:10 [CUnPack::UnPackFiles] FreeSpace:231894806528 FileSize:1528 (Last=183)