URL:

https://set.servicedesk.atera.com/GetAgent/Msi/?customerId=35&integratorLogin=chris%40solutionsextreme.com&customerName=Centerpoint&accountId=0013z00002LHg1NAAT

Full analysis: https://app.any.run/tasks/58b17a34-7fa6-4a5d-91ff-5271707e63e3
Verdict: Malicious activity
Threats:

Pikabot is a trojan malware with a focus on loader capabilities. Pikabot is also used for other activities, such as executing commands on the infected system. The earlier versions of the malware made use of extensive code obfuscation to evade detection. Upon infection, it collects system information and sends it to command-and-control servers.

Malware Trends Tracker     >>>
Analysis date: February 06, 2024, 18:40:27
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
pikabot
Indicators:
MD5:

1515478962BBF03627A22463E95C3FCD

SHA1:

87AAA779D4BE8225D45551604940F1E6EECE732F

SHA256:

CBCDBF9DE432A99EB0DCA675636EE6A2B8E1D3B5D317F7E82B11E78FA93F0B26

SSDEEP:

3:N8NZVJJUyG6lK1s9kGl0c8sjbtuGKIyRMAIALuRyV1ka4pf//Vx:2/6yblKu9kWKybthyRMAIALuQ1kL/Vx

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Pikabot has been detected

      • rundll32.exe (PID: 2660)

    • Drops the executable file immediately after the start

      • AteraAgent.exe (PID: 3720)
      • AgentPackageUpgradeAgent.exe (PID: 4748)
      • AgentPackageTicketing.exe (PID: 4900)
      • AteraAgent.exe (PID: 980)
      • SplashtopStreamer.exe (PID: 2564)
      • PreVerCheck.exe (PID: 2468)
      • uninst.exe (PID: 2308)
      • Au_.exe (PID: 2192)

    • Creates a writable file in the system directory

      • AteraAgent.exe (PID: 3720)
      • SRManager.exe (PID: 5664)
      • SRServer.exe (PID: 5924)

    • Accesses system services(Win32_Service) via WMI (SCRIPT)

      • cscript.exe (PID: 2356)
      • cscript.exe (PID: 3204)
      • cscript.exe (PID: 4412)
      • cscript.exe (PID: 4568)
      • cscript.exe (PID: 5304)

  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • rundll32.exe (PID: 2660)
      • AteraAgent.exe (PID: 3720)
      • AteraAgent.exe (PID: 980)
      • AgentPackageUpgradeAgent.exe (PID: 4748)
      • AgentPackageTicketing.exe (PID: 4900)
      • PreVerCheck.exe (PID: 2468)
      • SplashtopStreamer.exe (PID: 2564)
      • uninst.exe (PID: 2308)
      • Au_.exe (PID: 2192)

    • Process drops legitimate windows executable

      • rundll32.exe (PID: 2660)
      • AteraAgent.exe (PID: 3720)
      • AgentPackageUpgradeAgent.exe (PID: 4748)
      • AteraAgent.exe (PID: 980)

    • Starts SC.EXE for service management

      • AteraAgent.exe (PID: 3720)
      • AteraAgent.exe (PID: 980)
      • cmd.exe (PID: 5452)
      • cmd.exe (PID: 5856)

    • Executes as Windows Service

      • AteraAgent.exe (PID: 3720)
      • AteraAgent.exe (PID: 980)
      • SSUService.exe (PID: 4684)
      • SRService.exe (PID: 5824)

    • Searches for installed software

      • AgentPackageAgentInformation.exe (PID: 1348)
      • AgentPackageAgentInformation.exe (PID: 3504)
      • AgentPackageAgentInformation.exe (PID: 5220)
      • AgentPackageProgramManagement.exe (PID: 5488)

    • The process executes VB scripts

      • cmd.exe (PID: 2808)
      • cmd.exe (PID: 376)
      • cmd.exe (PID: 4376)
      • cmd.exe (PID: 4528)
      • cmd.exe (PID: 5264)

    • Starts CMD.EXE for commands execution

      • AgentPackageAgentInformation.exe (PID: 3504)
      • AgentPackageAgentInformation.exe (PID: 1348)
      • AgentPackageAgentInformation.exe (PID: 5220)
      • SRServer.exe (PID: 5924)

    • Checks whether a specific file exists (SCRIPT)

      • cscript.exe (PID: 3204)
      • cscript.exe (PID: 2356)
      • cscript.exe (PID: 4412)
      • cscript.exe (PID: 4568)
      • cscript.exe (PID: 5304)

    • Accesses computer name via WMI (SCRIPT)

      • cscript.exe (PID: 2356)
      • cscript.exe (PID: 3204)
      • cscript.exe (PID: 4412)
      • cscript.exe (PID: 4568)
      • cscript.exe (PID: 5304)

    • Creates FileSystem object to access computer's file system (SCRIPT)

      • cscript.exe (PID: 2356)
      • cscript.exe (PID: 3204)
      • cscript.exe (PID: 4412)
      • cscript.exe (PID: 4568)
      • cscript.exe (PID: 5304)

    • Gets full path of the running script (SCRIPT)

      • cscript.exe (PID: 2356)
      • cscript.exe (PID: 3204)
      • cscript.exe (PID: 4412)
      • cscript.exe (PID: 4568)
      • cscript.exe (PID: 5304)

    • Accesses WMI object, sets custom ImpersonationLevel (SCRIPT)

      • cscript.exe (PID: 2356)
      • cscript.exe (PID: 3204)
      • cscript.exe (PID: 4412)
      • cscript.exe (PID: 4568)
      • cscript.exe (PID: 5304)

    • Gets the drive type (SCRIPT)

      • cscript.exe (PID: 3204)
      • cscript.exe (PID: 2356)
      • cscript.exe (PID: 4412)
      • cscript.exe (PID: 4568)
      • cscript.exe (PID: 5304)

    • Gets a collection of all available drive names (SCRIPT)

      • cscript.exe (PID: 3204)
      • cscript.exe (PID: 2356)
      • cscript.exe (PID: 4412)
      • cscript.exe (PID: 4568)
      • cscript.exe (PID: 5304)

    • Executes WMI query (SCRIPT)

      • cscript.exe (PID: 3204)
      • cscript.exe (PID: 2356)
      • cscript.exe (PID: 4412)
      • cscript.exe (PID: 4568)
      • cscript.exe (PID: 5304)

    • Accesses OperatingSystem(Win32_OperatingSystem) via WMI (SCRIPT)

      • cscript.exe (PID: 3204)
      • cscript.exe (PID: 2356)

    • Starts itself from another location

      • AgentPackageUpgradeAgent.exe (PID: 4748)
      • uninst.exe (PID: 2308)

    • The process creates files with name similar to system file names

      • AteraAgent.exe (PID: 980)
      • Au_.exe (PID: 2192)

    • Creates or modifies Windows services

      • SRManager.exe (PID: 5664)

    • Checks Windows Trust Settings

      • SRManager.exe (PID: 5664)

  • INFO

    • Manual execution by a user

      • msiexec.exe (PID: 3308)

    • Application launched itself

      • firefox.exe (PID: 572)
      • firefox.exe (PID: 1264)

    • Reads security settings of Internet Explorer

      • msiexec.exe (PID: 3308)

    • The process uses the downloaded file

      • firefox.exe (PID: 1264)

    • Executable content was dropped or overwritten

      • firefox.exe (PID: 1264)

    • Drops the executable file immediately after the start

      • rundll32.exe (PID: 2660)
      • firefox.exe (PID: 1264)

    • Reads the computer name

      • AteraAgent.exe (PID: 3720)
      • AgentPackageAgentInformation.exe (PID: 2000)
      • AgentPackageAgentInformation.exe (PID: 916)
      • AgentPackageAgentInformation.exe (PID: 2108)
      • AgentPackageAgentInformation.exe (PID: 3768)
      • AteraAgent.exe (PID: 980)
      • AgentPackageAgentInformation.exe (PID: 3504)
      • AgentPackageAgentInformation.exe (PID: 1348)
      • AgentPackageMonitoring.exe (PID: 2124)
      • AgentPackageMonitoring.exe (PID: 2296)
      • AgentPackageSTRemote.exe (PID: 4820)
      • AgentPackageUpgradeAgent.exe (PID: 4780)
      • AgentPackageUpgradeAgent.exe (PID: 4748)
      • AgentPackageTicketing.exe (PID: 4900)
      • AgentPackageADRemote.exe (PID: 4932)
      • AgentPackageInternalPoller.exe (PID: 5012)
      • AgentPackageAgentInformation.exe (PID: 5220)
      • AgentPackageOsUpdates.exe (PID: 5136)
      • AgentPackageMonitoring.exe (PID: 5360)
      • AgentPackageProgramManagement.exe (PID: 5488)
      • AgentPackageHeartbeat.exe (PID: 5520)
      • AgentPackageSystemTools.exe (PID: 5756)
      • AgentPackageRuntimeInstaller.exe (PID: 5876)
      • AgentPackageHeartbeat.exe (PID: 6092)
      • AgentPackageMarketplace.exe (PID: 5596)
      • AgentPackageMonitoring.exe (PID: 920)
      • AgentPackageHeartbeat.exe (PID: 4392)
      • AgentPackageInternalPoller.exe (PID: 4424)
      • AgentPackageHeartbeat.exe (PID: 1928)
      • SplashtopStreamer.exe (PID: 2564)
      • SSUService.exe (PID: 4684)
      • SRService.exe (PID: 5824)
      • SRManager.exe (PID: 5664)
      • SRServer.exe (PID: 5924)
      • SRAgent.exe (PID: 5400)
      • SRAppPB.exe (PID: 5952)
      • SRFeature.exe (PID: 3032)
      • uninst.exe (PID: 2308)
      • Au_.exe (PID: 2192)

    • Checks supported languages

      • AteraAgent.exe (PID: 3720)
      • AgentPackageAgentInformation.exe (PID: 916)
      • AgentPackageAgentInformation.exe (PID: 3768)
      • AgentPackageAgentInformation.exe (PID: 2000)
      • AgentPackageAgentInformation.exe (PID: 2108)
      • AteraAgent.exe (PID: 980)
      • AgentPackageAgentInformation.exe (PID: 3504)
      • AgentPackageAgentInformation.exe (PID: 1348)
      • AgentPackageMonitoring.exe (PID: 2124)
      • AgentPackageMonitoring.exe (PID: 2296)
      • AgentPackageUpgradeAgent.exe (PID: 4780)
      • AgentPackageSTRemote.exe (PID: 4820)
      • AgentPackageUpgradeAgent.exe (PID: 4748)
      • AgentPackageADRemote.exe (PID: 4932)
      • AgentPackageTicketing.exe (PID: 4900)
      • AgentPackageInternalPoller.exe (PID: 5012)
      • AgentPackageOsUpdates.exe (PID: 5136)
      • AgentPackageAgentInformation.exe (PID: 5220)
      • AgentPackageMonitoring.exe (PID: 5360)
      • AgentPackageMarketplace.exe (PID: 5596)
      • AgentPackageProgramManagement.exe (PID: 5488)
      • AgentPackageHeartbeat.exe (PID: 5520)
      • AgentPackageRuntimeInstaller.exe (PID: 5876)
      • AgentPackageHeartbeat.exe (PID: 6092)
      • AgentPackageSystemTools.exe (PID: 5756)
      • AgentPackageMonitoring.exe (PID: 920)
      • AgentPackageInternalPoller.exe (PID: 4424)
      • AgentPackageHeartbeat.exe (PID: 4392)
      • AgentPackageHeartbeat.exe (PID: 1928)
      • PreVerCheck.exe (PID: 2468)
      • SSUService.exe (PID: 4684)
      • SRManager.exe (PID: 5664)
      • SRService.exe (PID: 5824)
      • SplashtopStreamer.exe (PID: 2564)
      • SRServer.exe (PID: 5924)
      • SRAgent.exe (PID: 5400)
      • SRAppPB.exe (PID: 5952)
      • SRDetect.exe (PID: 4316)
      • uninst.exe (PID: 2308)
      • SRUtility.exe (PID: 1956)
      • Au_.exe (PID: 2192)
      • SRUtility.exe (PID: 6132)
      • BdEpSDK_x86.exe (PID: 6116)
      • SRFeature.exe (PID: 3032)

    • Reads Environment values

      • AteraAgent.exe (PID: 3720)
      • AgentPackageAgentInformation.exe (PID: 916)
      • AgentPackageAgentInformation.exe (PID: 2000)
      • AgentPackageAgentInformation.exe (PID: 3768)
      • AgentPackageAgentInformation.exe (PID: 2108)
      • AgentPackageAgentInformation.exe (PID: 3504)
      • AteraAgent.exe (PID: 980)
      • AgentPackageAgentInformation.exe (PID: 1348)
      • AgentPackageMonitoring.exe (PID: 2124)
      • AgentPackageMonitoring.exe (PID: 2296)
      • AgentPackageUpgradeAgent.exe (PID: 4780)
      • AgentPackageSTRemote.exe (PID: 4820)
      • AgentPackageUpgradeAgent.exe (PID: 4748)
      • AgentPackageTicketing.exe (PID: 4900)
      • AgentPackageADRemote.exe (PID: 4932)
      • AgentPackageInternalPoller.exe (PID: 5012)
      • AgentPackageOsUpdates.exe (PID: 5136)
      • AgentPackageAgentInformation.exe (PID: 5220)
      • AgentPackageMonitoring.exe (PID: 5360)
      • AgentPackageProgramManagement.exe (PID: 5488)
      • AgentPackageHeartbeat.exe (PID: 5520)
      • AgentPackageMarketplace.exe (PID: 5596)
      • AgentPackageSystemTools.exe (PID: 5756)
      • AgentPackageMonitoring.exe (PID: 920)
      • AgentPackageHeartbeat.exe (PID: 4392)
      • AgentPackageHeartbeat.exe (PID: 6092)
      • AgentPackageHeartbeat.exe (PID: 1928)
      • AgentPackageInternalPoller.exe (PID: 4424)

    • Create files in a temporary directory

      • rundll32.exe (PID: 2660)

    • Creates files in the program directory

      • AteraAgent.exe (PID: 3720)
      • AgentPackageMonitoring.exe (PID: 2296)
      • AgentPackageMonitoring.exe (PID: 2124)
      • AgentPackageAgentInformation.exe (PID: 1348)
      • AteraAgent.exe (PID: 980)
      • AgentPackageAgentInformation.exe (PID: 3504)
      • AgentPackageInternalPoller.exe (PID: 5012)
      • AgentPackageTicketing.exe (PID: 4900)
      • AgentPackageSTRemote.exe (PID: 4820)
      • AgentPackageOsUpdates.exe (PID: 5136)
      • AgentPackageMonitoring.exe (PID: 5360)
      • AgentPackageProgramManagement.exe (PID: 5488)
      • AgentPackageRuntimeInstaller.exe (PID: 5876)
      • AgentPackageAgentInformation.exe (PID: 5220)
      • AgentPackageMonitoring.exe (PID: 920)
      • SRServer.exe (PID: 5924)
      • SRAgent.exe (PID: 5400)
      • SRManager.exe (PID: 5664)

    • Reads the machine GUID from the registry

      • AteraAgent.exe (PID: 3720)
      • AgentPackageAgentInformation.exe (PID: 916)
      • AgentPackageAgentInformation.exe (PID: 2000)
      • AgentPackageAgentInformation.exe (PID: 3768)
      • AgentPackageAgentInformation.exe (PID: 2108)
      • AteraAgent.exe (PID: 980)
      • AgentPackageAgentInformation.exe (PID: 3504)
      • AgentPackageAgentInformation.exe (PID: 1348)
      • AgentPackageMonitoring.exe (PID: 2124)
      • AgentPackageMonitoring.exe (PID: 2296)
      • AgentPackageUpgradeAgent.exe (PID: 4780)
      • AgentPackageSTRemote.exe (PID: 4820)
      • AgentPackageUpgradeAgent.exe (PID: 4748)
      • AgentPackageTicketing.exe (PID: 4900)
      • AgentPackageADRemote.exe (PID: 4932)
      • AgentPackageInternalPoller.exe (PID: 5012)
      • AgentPackageOsUpdates.exe (PID: 5136)
      • AgentPackageAgentInformation.exe (PID: 5220)
      • AgentPackageProgramManagement.exe (PID: 5488)
      • AgentPackageHeartbeat.exe (PID: 5520)
      • AgentPackageMonitoring.exe (PID: 5360)
      • AgentPackageMarketplace.exe (PID: 5596)
      • AgentPackageSystemTools.exe (PID: 5756)
      • AgentPackageRuntimeInstaller.exe (PID: 5876)
      • AgentPackageMonitoring.exe (PID: 920)
      • AgentPackageHeartbeat.exe (PID: 6092)
      • AgentPackageHeartbeat.exe (PID: 1928)
      • AgentPackageHeartbeat.exe (PID: 4392)
      • AgentPackageInternalPoller.exe (PID: 4424)
      • SSUService.exe (PID: 4684)
      • SRManager.exe (PID: 5664)
      • SRAgent.exe (PID: 5400)

    • Reads Microsoft Office registry keys

      • AgentPackageAgentInformation.exe (PID: 3504)
      • AgentPackageAgentInformation.exe (PID: 1348)
      • AgentPackageAgentInformation.exe (PID: 5220)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
205
Monitored processes
76
Malicious processes
20
Suspicious processes
8

Behavior graph

Click at the process to see the details
start firefox.exe no specs firefox.exe firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs msiexec.exe no specs #PIKABOT rundll32.exe ateraagent.exe sc.exe no specs agentpackageagentinformation.exe agentpackageagentinformation.exe agentpackageagentinformation.exe agentpackageagentinformation.exe no specs ateraagent.exe agentpackageagentinformation.exe agentpackageagentinformation.exe sc.exe no specs cmd.exe no specs cmd.exe no specs cscript.exe no specs cscript.exe no specs agentpackagemonitoring.exe agentpackagemonitoring.exe cmd.exe no specs cscript.exe no specs cmd.exe no specs cscript.exe no specs agentpackageupgradeagent.exe agentpackageupgradeagent.exe no specs agentpackagestremote.exe agentpackageticketing.exe agentpackageadremote.exe no specs agentpackageinternalpoller.exe agentpackageosupdates.exe no specs agentpackageagentinformation.exe cmd.exe no specs cscript.exe no specs agentpackagemonitoring.exe agentpackageprogrammanagement.exe agentpackageheartbeat.exe agentpackagemarketplace.exe agentpackagesystemtools.exe no specs agentpackageruntimeinstaller.exe no specs agentpackageheartbeat.exe agentpackageheartbeat.exe agentpackagemonitoring.exe agentpackageheartbeat.exe agentpackageinternalpoller.exe no specs splashtopstreamer.exe prevercheck.exe msiexec.exe no specs cmd.exe no specs cmd.exe no specs ssuservice.exe no specs srservice.exe no specs srmanager.exe srserver.exe cmd.exe no specs sc.exe no specs sragent.exe no specs srapppb.exe no specs cmd.exe no specs sc.exe no specs srfeature.exe cmd.exe no specs srdetect.exe no specs uninst.exe srutility.exe no specs au_.exe srutility.exe no specs bdepsdk_x86.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
376"C:\Windows\System32\cmd.exe" /c cscript "C:\Program Files\Microsoft Office\Office14\ospp.vbs" /dstatusC:\Windows\System32\cmd.exeAgentPackageAgentInformation.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
572"C:\Program Files\Mozilla Firefox\firefox.exe" "https://set.servicedesk.atera.com/GetAgent/Msi/?customerId=35&integratorLogin=chris%40solutionsextreme.com&customerName=Centerpoint&accountId=0013z00002LHg1NAAT"C:\Program Files\Mozilla Firefox\firefox.exeexplorer.exe
User:
admin
Company:
Mozilla Corporation
Integrity Level:
MEDIUM
Description:
Firefox
Exit code:
0
Version:
115.0.2
Modules
Images
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\msasn1.dll
c:\program files\mozilla firefox\msvcp140.dll
c:\program files\mozilla firefox\vcruntime140.dll
916"C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" 99694ce7-4e33-492e-825c-4312a2d2933c "0a98b9bf-54b1-40a2-b5aa-6a475935599f" agent-api.atera.com/Production 443 or8ixLi90Mf "minimalIdentification"C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe
AteraAgent.exe
User:
SYSTEM
Company:
Atera Networks
Integrity Level:
SYSTEM
Description:
AgentPackageAgentInformation
Exit code:
0
Version:
36.0.0.0
Modules
Images
c:\program files\atera networks\ateraagent\packages\agentpackageagentinformation\agentpackageagentinformation.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
920"C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe" 99694ce7-4e33-492e-825c-4312a2d2933c "11829445-d132-463d-9a97-ba76980d707b" agent-api.atera.com/Production 443 or8ixLi90Mf "monitor"C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe
AteraAgent.exe
User:
SYSTEM
Integrity Level:
SYSTEM
Description:
AgentPackageMonitoring
Exit code:
0
Version:
36.3.0.0
Modules
Images
c:\program files\atera networks\ateraagent\packages\agentpackagemonitoring\agentpackagemonitoring.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
980"C:\Program Files\ATERA Networks\AteraAgent\AteraAgent.exe"C:\Program Files\ATERA Networks\AteraAgent\AteraAgent.exe
services.exe
User:
SYSTEM
Company:
ATERA Networks Ltd.
Integrity Level:
SYSTEM
Description:
AteraAgent
Exit code:
0
Version:
1.8.6.7
Modules
Images
c:\program files\atera networks\ateraagent\ateraagent.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
1072"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1264.0.711760780\150868849" -parentBuildID 20230710165010 -prefsHandle 1124 -prefMapHandle 1116 -prefsLen 28523 -prefMapSize 244195 -appDir "C:\Program Files\Mozilla Firefox\browser" - {eadd62e8-3524-450c-8615-b1cb249f4f29} 1264 "\\.\pipe\gecko-crash-server-pipe.1264" 1196 daac1a0 gpuC:\Program Files\Mozilla Firefox\firefox.exefirefox.exe
User:
admin
Company:
Mozilla Corporation
Integrity Level:
LOW
Description:
Firefox
Exit code:
0
Version:
115.0.2
Modules
Images
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\msasn1.dll
c:\program files\mozilla firefox\msvcp140.dll
c:\program files\mozilla firefox\vcruntime140.dll
1264"C:\Program Files\Mozilla Firefox\firefox.exe" https://set.servicedesk.atera.com/GetAgent/Msi/?customerId=35&integratorLogin=chris%40solutionsextreme.com&customerName=Centerpoint&accountId=0013z00002LHg1NAATC:\Program Files\Mozilla Firefox\firefox.exe
firefox.exe
User:
admin
Company:
Mozilla Corporation
Integrity Level:
MEDIUM
Description:
Firefox
Exit code:
0
Version:
115.0.2
Modules
Images
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\msasn1.dll
c:\program files\mozilla firefox\msvcp140.dll
c:\program files\mozilla firefox\vcruntime140.dll
1348"C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" 99694ce7-4e33-492e-825c-4312a2d2933c "fc9e09da-bd35-4523-83b7-a52f1234c68c" agent-api.atera.com/Production 443 or8ixLi90Mf "generalinfo fromGui"C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe
AteraAgent.exe
User:
SYSTEM
Company:
Atera Networks
Integrity Level:
SYSTEM
Description:
AgentPackageAgentInformation
Exit code:
0
Version:
36.0.0.0
Modules
Images
c:\program files\atera networks\ateraagent\packages\agentpackageagentinformation\agentpackageagentinformation.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
1824"C:\Windows\System32\sc.exe" failure AteraAgent reset= 600 actions= restart/25000C:\Windows\System32\sc.exeAteraAgent.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
A tool to aid in developing services for WindowsNT
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\sc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
1928"C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.exe" 99694ce7-4e33-492e-825c-4312a2d2933c "982c33e7-c431-4a53-9300-c609b4065f80" agent-api.atera.com/Production 443 or8ixLi90Mf "heartbeat"C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.exe
AteraAgent.exe
User:
SYSTEM
Company:
Atera Networks
Integrity Level:
SYSTEM
Description:
AgentPackageHeartbeat
Exit code:
0
Version:
17.11.0.0
Modules
Images
c:\program files\atera networks\ateraagent\packages\agentpackageheartbeat\agentpackageheartbeat.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
Total events
101 476
Read events
101 000
Write events
468
Delete events
8

Modification events

(PID) Process:(572) firefox.exeKey:HKEY_CURRENT_USER\Software\Mozilla\Firefox\Launcher
Operation:writeName:C:\Program Files\Mozilla Firefox\firefox.exe|Launcher
Value:
2166C0A101000000
(PID) Process:(1264) firefox.exeKey:HKEY_CURRENT_USER\Software\Mozilla\Firefox\Launcher
Operation:writeName:C:\Program Files\Mozilla Firefox\firefox.exe|Browser
Value:
044CC1A101000000
(PID) Process:(1264) firefox.exeKey:HKEY_CURRENT_USER\Software\Mozilla\Firefox\Launcher
Operation:writeName:C:\Program Files\Mozilla Firefox\firefox.exe|Telemetry
Value:
0
(PID) Process:(1264) firefox.exeKey:HKEY_CURRENT_USER\Software\Mozilla\Firefox\DllPrefetchExperiment
Operation:writeName:C:\Program Files\Mozilla Firefox\firefox.exe
Value:
0
(PID) Process:(1264) firefox.exeKey:HKEY_CURRENT_USER\Software\Mozilla\Firefox\PreXULSkeletonUISettings
Operation:writeName:C:\Program Files\Mozilla Firefox\firefox.exe|Theme
Value:
1
(PID) Process:(1264) firefox.exeKey:HKEY_CURRENT_USER\Software\Mozilla\Firefox\PreXULSkeletonUISettings
Operation:writeName:C:\Program Files\Mozilla Firefox\firefox.exe|Enabled
Value:
1
(PID) Process:(1264) firefox.exeKey:HKEY_CURRENT_USER\Software\Mozilla\Firefox\Default Browser Agent
Operation:writeName:C:\Program Files\Mozilla Firefox|DisableTelemetry
Value:
1
(PID) Process:(1264) firefox.exeKey:HKEY_CURRENT_USER\Software\Mozilla\Firefox\Default Browser Agent
Operation:writeName:C:\Program Files\Mozilla Firefox|DisableDefaultBrowserAgent
Value:
0
(PID) Process:(1264) firefox.exeKey:HKEY_CURRENT_USER\Software\Mozilla\Firefox\Default Browser Agent
Operation:writeName:C:\Program Files\Mozilla Firefox|SetDefaultBrowserUserChoice
Value:
1
(PID) Process:(1264) firefox.exeKey:HKEY_CURRENT_USER\Software\Mozilla\Firefox\Default Browser Agent
Operation:writeName:C:\Program Files\Mozilla Firefox|AppLastRunTime
Value:
D14E5F3C23B0D901
Executable files
441
Suspicious files
229
Text files
103
Unknown types
3

Dropped files

PID
Process
Filename
Type
1264firefox.exeC:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shmbinary
MD5:B7C14EC6110FA820CA6B65F5AEC85911
SHA256:FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
1264firefox.exeC:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\prefs-1.jstext
MD5:4C2B86263D45AF8D9CFB3E8B677F9B8F
SHA256:EBA507A22A506819B3C8104DA66604A94F85CB746293F4F34201D9897A4B058F
1264firefox.exeC:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\protections.sqlite-journalbinary
MD5:9B125F32931D400A1C48BF6C8120CE82
SHA256:696428B0425C23C23209606B48E26A2467A8ADEFF6C601BEAAD69FAA11B22956
1264firefox.exeC:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\permanent\chrome\idb\2918063365piupsah.sqlite-shmbinary
MD5:B7C14EC6110FA820CA6B65F5AEC85911
SHA256:FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
1264firefox.exeC:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\cookies.sqlite-shmbinary
MD5:B7C14EC6110FA820CA6B65F5AEC85911
SHA256:FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
1264firefox.exeC:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\permanent\chrome\idb\3561288849sdhlie.sqlite-shmbinary
MD5:B7C14EC6110FA820CA6B65F5AEC85911
SHA256:FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
1264firefox.exeC:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
MD5:
SHA256:
1264firefox.exeC:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\sessionCheckpoints.json.tmpbinary
MD5:EA8B62857DFDBD3D0BE7D7E4A954EC9A
SHA256:792955295AE9C382986222C6731C5870BD0E921E7F7E34CC4615F5CD67F225DA
1264firefox.exeC:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\sessionCheckpoints.jsonbinary
MD5:EA8B62857DFDBD3D0BE7D7E4A954EC9A
SHA256:792955295AE9C382986222C6731C5870BD0E921E7F7E34CC4615F5CD67F225DA
1264firefox.exeC:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\permanent\chrome\idb\2823318777ntouromlalnodry--naod.sqlite-shmbinary
MD5:B7C14EC6110FA820CA6B65F5AEC85911
SHA256:FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
31
TCP/UDP connections
116
DNS requests
200
Threats
35

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
1264
firefox.exe
POST
200
184.24.77.65:80
http://r3.o.lencr.org/
unknown
binary
503 b
unknown
1264
firefox.exe
GET
200
34.107.221.82:80
http://detectportal.firefox.com/success.txt?ipv4
unknown
text
8 b
unknown
1264
firefox.exe
POST
200
184.24.77.76:80
http://r3.o.lencr.org/
unknown
binary
503 b
unknown
1264
firefox.exe
GET
200
34.107.221.82:80
http://detectportal.firefox.com/canonical.html
unknown
text
90 b
unknown
1264
firefox.exe
POST
200
184.24.77.76:80
http://r3.o.lencr.org/
unknown
binary
503 b
unknown
1264
firefox.exe
POST
200
184.24.77.65:80
http://r3.o.lencr.org/
unknown
binary
503 b
unknown
1264
firefox.exe
POST
200
184.24.77.65:80
http://r3.o.lencr.org/
unknown
binary
503 b
unknown
1264
firefox.exe
POST
200
184.24.77.65:80
http://r3.o.lencr.org/
unknown
binary
503 b
unknown
1264
firefox.exe
POST
200
184.24.77.76:80
http://r3.o.lencr.org/
unknown
binary
503 b
unknown
1264
firefox.exe
POST
200
184.24.77.76:80
http://r3.o.lencr.org/
unknown
binary
503 b
unknown
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:138
whitelisted
4
System
192.168.100.255:137
whitelisted
1080
svchost.exe
224.0.0.252:5355
unknown
1264
firefox.exe
142.250.185.202:443
safebrowsing.googleapis.com
GOOGLE
US
whitelisted
1264
firefox.exe
20.101.44.219:443
set.servicedesk.atera.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
unknown
1264
firefox.exe
34.107.221.82:80
detectportal.firefox.com
GOOGLE
US
whitelisted
1264
firefox.exe
34.117.237.239:443
contile.services.mozilla.com
GOOGLE-CLOUD-PLATFORM
US
unknown
1264
firefox.exe
34.107.243.93:443
push.services.mozilla.com
unknown
1264
firefox.exe
34.149.100.209:443
firefox.settings.services.mozilla.com
GOOGLE
US
unknown
1264
firefox.exe
184.24.77.76:80
r3.o.lencr.org
Akamai International B.V.
DE
unknown

DNS requests

Domain
IP
Reputation
set.servicedesk.atera.com
  • 20.101.44.219
unknown
detectportal.firefox.com
  • 34.107.221.82
whitelisted
contile.services.mozilla.com
  • 34.117.237.239
whitelisted
spocs.getpocket.com
  • 34.49.99.171
shared
firefox.settings.services.mozilla.com
  • 34.149.100.209
whitelisted
safebrowsing.googleapis.com
  • 142.250.185.202
  • 2a00:1450:4001:806::200a
whitelisted
push.services.mozilla.com
  • 34.107.243.93
whitelisted
servicedesk-eu.westeurope.cloudapp.azure.com
  • 20.101.44.219
unknown
prod.detectportal.prod.cloudops.mozgcp.net
  • 34.107.221.82
  • 2600:1901:0:38d7::
whitelisted
prod.remote-settings.prod.webservices.mozgcp.net
  • 34.149.100.209
whitelisted

Threats

PID
Process
Class
Message
1080
svchost.exe
Misc activity
ET INFO Splashtop Domain in DNS Lookup (splashtop .com)
4820
AgentPackageSTRemote.exe
Misc activity
ET INFO Splashtop Domain (splashtop .com) in TLS SNI
1080
svchost.exe
Misc activity
ET INFO Splashtop Domain in DNS Lookup (splashtop .com)
4820
AgentPackageSTRemote.exe
Misc activity
ET INFO Splashtop Domain (splashtop .com) in TLS SNI
1080
svchost.exe
Misc activity
ET INFO Splashtop Domain in DNS Lookup (splashtop .com)
1080
svchost.exe
Misc activity
ET INFO Splashtop Domain in DNS Lookup (splashtop .com)
29 ETPRO signatures available at the full report
Process
Message
AgentPackageMonitoring.exe
Native library pre-loader is trying to load native SQLite library "C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\x86\SQLite.Interop.dll"...
AgentPackageMonitoring.exe
Native library pre-loader is trying to load native SQLite library "C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\x86\SQLite.Interop.dll"...
AgentPackageMonitoring.exe
Native library pre-loader is trying to load native SQLite library "C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\x86\SQLite.Interop.dll"...
AgentPackageMonitoring.exe
Native library pre-loader is trying to load native SQLite library "C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\x86\SQLite.Interop.dll"...
SplashtopStreamer.exe
[2564]2024-02-06 18:45:00 [CUtility::OSInfo] OS 6.1(7601) Service Pack 1 x64:0 (Last=0)
SplashtopStreamer.exe
[2564]2024-02-06 18:45:00 [CUnPack::FindHeader] Name:C:\Windows\TEMP\SplashtopStreamer.exe (Last=0)
SplashtopStreamer.exe
[2564]2024-02-06 18:45:00 [CUnPack::FindHeader] Sign Size:10248 (Last=0)
SplashtopStreamer.exe
[2564]2024-02-06 18:45:00 [CUnPack::FindHeader] Header offset:433664 (Last=183)
SplashtopStreamer.exe
[2564]2024-02-06 18:45:00 [CUnPack::UnPackFiles] FreeSpace:233127555072 FileSize:51532288 (Last=0)
SplashtopStreamer.exe
[2564]2024-02-06 18:45:00 [CUnPack::UnPackFiles] (1/5)UnPack file name:C:\Windows\TEMP\unpack\setup.msi (51532288) (Last=0)
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
https://set.servicedesk.atera.com/GetAgent/Msi/?customerId=35&integratorLogin=chris%40solutionsextreme.com&customerName=Centerpoint&accountId=0013z00002LHg1NAAT