File name:

AgentSetup_Megalabs+USA.exe

Full analysis: https://app.any.run/tasks/c23384c9-94f1-4e1b-b81d-d497d897d262
Verdict: Malicious activity
Analysis date: January 19, 2024, 22:34:13
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows, Nullsoft Installer self-extracting archive
MD5:

48AEBC66053B2D4DEBAF237FDBBA3B2E

SHA1:

B868DC50B4B6D4B5333A68DBDD7E2F86F6984551

SHA256:

06707E05F18CCE51E5F6672EDEB57B35E938FB710BFCD5BF862BF512A5B63FC0

SSDEEP:

98304:QA2a6WTv7klWurdCe8O0lENnVMNNFgN25udAL4ZB2u2jv+zj6YbYqOJeDcaB6Q07:p2ZixMj+2TCOQ/0bOgNM

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Drops the executable file immediately after the start

      • AgentSetup_Megalabs+USA.exe (PID: 2016)
      • AgentSetup_Megalabs+USA.exe (PID: 1892)
      • CagService.exe (PID: 1652)
      • AEMAgent.exe (PID: 3012)
      • RMM.WebRemote.exe (PID: 1016)

    • Creates a writable file in the system directory

      • CagService.exe (PID: 1652)
      • powershell.exe (PID: 3284)
      • powershell.exe (PID: 3096)

    • Registers / Runs the DLL via REGSVR32.EXE

      • CagService.exe (PID: 1652)

    • Changes the autorun value in the registry

      • AgentSetup_Megalabs+USA.exe (PID: 1892)

    • Bypass execution policy to execute commands

      • powershell.exe (PID: 3284)
      • powershell.exe (PID: 3096)
      • powershell.exe (PID: 4072)

    • Changes powershell execution policy (Bypass)

      • AEMAgent.exe (PID: 3012)
      • CagService.exe (PID: 1652)

    • Creates a new registry key or changes the value of an existing one (SCRIPT)

      • cscript.exe (PID: 3512)

    • Accesses environment variables (SCRIPT)

      • cscript.exe (PID: 3512)

  • SUSPICIOUS

    • Malware-specific behavior (creating "System.dll" in Temp)

      • AgentSetup_Megalabs+USA.exe (PID: 2016)
      • AgentSetup_Megalabs+USA.exe (PID: 1892)

    • Process drops legitimate windows executable

      • AgentSetup_Megalabs+USA.exe (PID: 2016)
      • CagService.exe (PID: 1652)
      • AEMAgent.exe (PID: 3012)

    • The process creates files with name similar to system file names

      • AgentSetup_Megalabs+USA.exe (PID: 2016)
      • AgentSetup_Megalabs+USA.exe (PID: 1892)
      • CagService.exe (PID: 1652)

    • Executable content was dropped or overwritten

      • AgentSetup_Megalabs+USA.exe (PID: 2016)
      • AgentSetup_Megalabs+USA.exe (PID: 1892)
      • CagService.exe (PID: 1652)
      • AEMAgent.exe (PID: 3012)
      • RMM.WebRemote.exe (PID: 1016)

    • Executes as Windows Service

      • CagService.exe (PID: 1652)

    • Checks Windows Trust Settings

      • Gui.exe (PID: 1216)

    • Reads the Internet Settings

      • Gui.exe (PID: 1216)

    • Reads security settings of Internet Explorer

      • Gui.exe (PID: 1216)

    • Reads settings of System Certificates

      • Gui.exe (PID: 1216)

    • Searches for installed software

      • CagService.exe (PID: 1652)
      • AEMAgent.exe (PID: 3012)

    • Creates or modifies Windows services

      • CagService.exe (PID: 1652)

    • Creates a software uninstall entry

      • CagService.exe (PID: 1652)
      • AgentSetup_Megalabs+USA.exe (PID: 1892)

    • The process drops C-runtime libraries

      • CagService.exe (PID: 1652)

    • Executing commands from ".cmd" file

      • CagService.exe (PID: 1652)

    • Uses NETSH.EXE to delete a firewall rule or allowed programs

      • CagService.exe (PID: 1652)
      • AEMAgent.exe (PID: 3012)
      • RMM.WebRemote.exe (PID: 1016)

    • Uses NETSH.EXE to add a firewall rule or allowed programs

      • CagService.exe (PID: 1652)
      • AEMAgent.exe (PID: 3012)
      • RMM.WebRemote.exe (PID: 1016)

    • Starts CMD.EXE for commands execution

      • CagService.exe (PID: 1652)
      • AEMAgent.exe (PID: 3012)
      • cmd.exe (PID: 2888)

    • Starts SC.EXE for service management

      • cmd.exe (PID: 2508)

    • Get information on the list of running processes

      • cmd.exe (PID: 2508)

    • Uses WMIC.EXE

      • cmd.exe (PID: 3400)
      • cmd.exe (PID: 3744)
      • cmd.exe (PID: 1424)
      • cmd.exe (PID: 1548)
      • cmd.exe (PID: 2316)
      • cmd.exe (PID: 2060)
      • cmd.exe (PID: 2816)
      • cmd.exe (PID: 2568)
      • cmd.exe (PID: 2420)
      • cmd.exe (PID: 2448)
      • cmd.exe (PID: 1776)
      • cmd.exe (PID: 4016)
      • cmd.exe (PID: 3516)
      • cmd.exe (PID: 2480)
      • cmd.exe (PID: 2896)
      • cmd.exe (PID: 2848)
      • cmd.exe (PID: 3412)
      • cmd.exe (PID: 3392)
      • cmd.exe (PID: 2428)
      • cmd.exe (PID: 3996)
      • cmd.exe (PID: 3180)
      • cmd.exe (PID: 632)
      • cmd.exe (PID: 880)
      • cmd.exe (PID: 2928)

    • Found strings related to reading or modifying Windows Defender settings

      • AEMAgent.exe (PID: 3012)

    • Starts POWERSHELL.EXE for commands execution

      • AEMAgent.exe (PID: 3012)
      • CagService.exe (PID: 1652)

    • The process executes Powershell scripts

      • AEMAgent.exe (PID: 3012)
      • CagService.exe (PID: 1652)

    • Unusual connection from system programs

      • powershell.exe (PID: 3096)

    • The Powershell connects to the Internet

      • powershell.exe (PID: 3096)

    • The process executes VB scripts

      • cmd.exe (PID: 2888)

    • Executing commands from a ".bat" file

      • CagService.exe (PID: 1652)

    • Application launched itself

      • cmd.exe (PID: 2888)

    • Using PowerShell to operate with local accounts

      • powershell.exe (PID: 3284)

    • Uses WMIC.EXE to obtain service application data

      • cmd.exe (PID: 3908)

  • INFO

    • Checks supported languages

      • AgentSetup_Megalabs+USA.exe (PID: 2016)
      • CagService.exe (PID: 1652)
      • Gui.exe (PID: 1216)
      • AgentSetup_Megalabs+USA.exe (PID: 1892)
      • Gui.exe (PID: 1768)
      • AEMAgent.exe (PID: 2316)
      • AEMAgent.exe (PID: 3012)
      • aria2c.exe (PID: 2648)
      • RMM.WebRemote.exe (PID: 1016)

    • Reads the computer name

      • AgentSetup_Megalabs+USA.exe (PID: 2016)
      • CagService.exe (PID: 1652)
      • Gui.exe (PID: 1216)
      • AgentSetup_Megalabs+USA.exe (PID: 1892)
      • Gui.exe (PID: 1768)
      • AEMAgent.exe (PID: 3012)
      • aria2c.exe (PID: 2648)
      • RMM.WebRemote.exe (PID: 1016)

    • Create files in a temporary directory

      • AgentSetup_Megalabs+USA.exe (PID: 2016)
      • AgentSetup_Megalabs+USA.exe (PID: 1892)

    • Creates files in the program directory

      • AgentSetup_Megalabs+USA.exe (PID: 2016)
      • CagService.exe (PID: 1652)
      • Gui.exe (PID: 1216)
      • AEMAgent.exe (PID: 2316)
      • AEMAgent.exe (PID: 3012)
      • aria2c.exe (PID: 2648)
      • RMM.WebRemote.exe (PID: 1016)
      • powershell.exe (PID: 3096)

    • Reads Environment values

      • AgentSetup_Megalabs+USA.exe (PID: 2016)
      • CagService.exe (PID: 1652)
      • AgentSetup_Megalabs+USA.exe (PID: 1892)
      • AEMAgent.exe (PID: 3012)

    • Reads the machine GUID from the registry

      • CagService.exe (PID: 1652)
      • Gui.exe (PID: 1216)
      • Gui.exe (PID: 1768)
      • AEMAgent.exe (PID: 3012)
      • aria2c.exe (PID: 2648)
      • RMM.WebRemote.exe (PID: 1016)

    • Creates files or folders in the user directory

      • Gui.exe (PID: 1216)

    • Manual execution by a user

      • AgentSetup_Megalabs+USA.exe (PID: 1892)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | InstallShield setup (36.8)
.exe | Win32 Executable MS Visual C++ (generic) (26.6)
.exe | Win64 Executable (generic) (23.6)
.dll | Win32 Dynamic Link Library (generic) (5.6)
.exe | Win32 Executable (generic) (3.8)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2016:04:27 03:27:51+02:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit, No debug
PEType: PE32
LinkerVersion: 2.26
CodeSize: 35328
InitializedDataSize: 38912
UninitializedDataSize: 154112
EntryPoint: 0x4167
OSVersion: 4
ImageVersion: 6
SubsystemVersion: 4
Subsystem: Windows GUI
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
153
Monitored processes
90
Malicious processes
8
Suspicious processes
3

Behavior graph

Click at the process to see the details
start agentsetup_megalabs+usa.exe cagservice.exe gui.exe no specs agentsetup_megalabs+usa.exe regsvr32.exe no specs gui.exe no specs aemagent.exe netsh.exe no specs netsh.exe no specs cmd.exe no specs sc.exe no specs tasklist.exe no specs find.exe no specs sc.exe no specs aemagent.exe aria2c.exe netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs rmm.webremote.exe netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs cmd.exe no specs wmic.exe no specs cmd.exe no specs wmic.exe no specs cmd.exe no specs wmic.exe no specs cmd.exe no specs wmic.exe no specs cmd.exe no specs wmic.exe no specs cmd.exe no specs wmic.exe no specs cmd.exe no specs wmic.exe no specs cmd.exe no specs wmic.exe no specs powershell.exe powershell.exe no specs cmd.exe no specs cmd.exe no specs wmic.exe no specs find.exe no specs cscript.exe no specs powershell.exe no specs cmd.exe no specs wmic.exe no specs cmd.exe no specs wmic.exe no specs wmic.exe no specs cmd.exe no specs cmd.exe no specs wmic.exe no specs cmd.exe no specs wmic.exe no specs cmd.exe no specs wmic.exe no specs cmd.exe no specs wmic.exe no specs cmd.exe no specs wmic.exe no specs cmd.exe no specs wmic.exe no specs cmd.exe no specs wmic.exe no specs cmd.exe no specs wmic.exe no specs cmd.exe no specs wmic.exe no specs cmd.exe no specs wmic.exe no specs cmd.exe no specs wmic.exe no specs cmd.exe no specs wmic.exe no specs cmd.exe no specs wmic.exe no specs agentsetup_megalabs+usa.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
120"C:\Users\admin\Desktop\AgentSetup_Megalabs+USA.exe" C:\Users\admin\Desktop\AgentSetup_Megalabs+USA.exeexplorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
3221226540
Modules
Images
c:\users\admin\desktop\agentsetup_megalabs+usa.exe
c:\windows\system32\ntdll.dll
532"netsh" advfirewall firewall add rule name="RMM RTC Proxy" dir=in action=allow program="C:\ProgramData\CentraStage\AEMAgent\RMM.WebRemote\12.6.0.2409\RMM.RTC.Proxy\RMM.RTC.Proxy.exe" enable=yesC:\Windows\System32\netsh.exeRMM.WebRemote.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Network Command Shell
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\netsh.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\credui.dll
c:\windows\system32\user32.dll
560wmic /namespace:\\root\Microsoft\Windows\Defender path MSFT_MpComputerStatus get /format:listC:\Windows\System32\wbem\WMIC.execmd.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
WMI Commandline Utility
Exit code:
2147749902
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\wbem\wmic.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ole32.dll
c:\windows\system32\gdi32.dll
632"C:\Windows\system32\cmd.exe" /c wmic /namespace:\\root\Microsoft\Windows\Defender path MSFT_MpComputerStatus get /format:listC:\Windows\System32\cmd.exeAEMAgent.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows Command Processor
Exit code:
2147749902
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
668wmic /namespace:\\root\Microsoft\Windows\Defender path MSFT_MpComputerStatus get /format:listC:\Windows\System32\wbem\WMIC.execmd.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
WMI Commandline Utility
Exit code:
2147749902
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\wbem\wmic.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ole32.dll
c:\windows\system32\gdi32.dll
712"netsh" advfirewall firewall add rule name="RMM RTO Proxy" dir=in action=allow program="C:\ProgramData\CentraStage\AEMAgent\RMM.WebRemote\12.6.0.2409\RMM.RTO.Proxy\RMM.RTO.Proxy.exe" enable=yesC:\Windows\System32\netsh.exeRMM.WebRemote.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Network Command Shell
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\netsh.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\credui.dll
c:\windows\system32\user32.dll
880"C:\Windows\system32\cmd.exe" /c wmic /namespace:\\root\Microsoft\Windows\Defender path MSFT_MpComputerStatus get /format:listC:\Windows\System32\cmd.exeAEMAgent.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows Command Processor
Exit code:
2147749902
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
920"netsh" advfirewall firewall delete rule name="RMM WINVNC"C:\Windows\System32\netsh.exeCagService.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Network Command Shell
Exit code:
1
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\netsh.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\credui.dll
c:\windows\system32\user32.dll
948wmic /namespace:\\root\Microsoft\Windows\Defender path MSFT_MpComputerStatus get /format:listC:\Windows\System32\wbem\WMIC.execmd.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
WMI Commandline Utility
Exit code:
2147749902
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\wbem\wmic.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ole32.dll
c:\windows\system32\gdi32.dll
1016"C:\ProgramData\CentraStage\AEMAgent\RMM.WebRemote\12.6.0.2409\RMM.WebRemote.exe" --web-remote-daemon c8b9c6b2-beb8-431b-a326-75084b95665bC:\ProgramData\CentraStage\AEMAgent\RMM.WebRemote\12.6.0.2409\RMM.WebRemote.exe
AEMAgent.exe
User:
SYSTEM
Integrity Level:
SYSTEM
Description:
RMM WebRemote Agent
Exit code:
0
Version:
12.6.0.2409
Modules
Images
c:\programdata\centrastage\aemagent\rmm.webremote\12.6.0.2409\rmm.webremote.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shell32.dll
Total events
73 658
Read events
72 709
Write events
946
Delete events
3

Modification events

(PID) Process:(2016) AgentSetup_Megalabs+USA.exeKey:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager
Operation:writeName:PendingFileRenameOperations
Value:
\??\C:\Users\admin\AppData\Local\Temp\nsy3E5.tmp\nsProcess.dll
(PID) Process:(1652) CagService.exeKey:HKEY_USERS\.DEFAULT\Software\Classes\Local Settings\MuiCache\182\52C64B7E
Operation:writeName:LanguageList
Value:
en-US
(PID) Process:(1652) CagService.exeKey:HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:UNCAsIntranet
Value:
0
(PID) Process:(1652) CagService.exeKey:HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:AutoDetect
Value:
1
(PID) Process:(1216) Gui.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:ProxyBypass
Value:
1
(PID) Process:(1216) Gui.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:IntranetName
Value:
1
(PID) Process:(1216) Gui.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:UNCAsIntranet
Value:
1
(PID) Process:(1216) Gui.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:AutoDetect
Value:
0
(PID) Process:(1216) Gui.exeKey:HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E
Operation:writeName:LanguageList
Value:
en-US
(PID) Process:(1652) CagService.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\CentraStage
Operation:writeName:AgentFolderStatus
Value:
0
Executable files
476
Suspicious files
84
Text files
179
Unknown types
0

Dropped files

PID
Process
Filename
Type
2016AgentSetup_Megalabs+USA.exeC:\Program Files\CentraStage\AxInterop.MSTSCLib.dllexecutable
MD5:0F581E56ED5BA500CE5D98D105B04A37
SHA256:F041747B5B6B20B6620CA13A7B276C9E9070E54CDA8C29F6ADD54CBA9A42A2F5
2016AgentSetup_Megalabs+USA.exeC:\Users\admin\AppData\Local\Temp\nsy3E5.tmp\System.dllexecutable
MD5:C17103AE9072A06DA581DEC998343FC1
SHA256:DC58D8AD81CACB0C1ED72E33BFF8F23EA40B5252B5BB55D393A0903E6819AE2F
2016AgentSetup_Megalabs+USA.exeC:\Program Files\CentraStage\defaultbrand.zipcompressed
MD5:BE0A3C9E7408BDD9A9D9D004CA01ABF2
SHA256:865CC74F5B77E1DDFFA260084633236186F16139E08B4FB81DB4AAD2442BDC34
2016AgentSetup_Megalabs+USA.exeC:\Program Files\CentraStage\CSIcon.icoimage
MD5:2F6FD9AA57AA40728A65FA006C7E0F17
SHA256:B59A0E0570D2A22CD51FB51FC106913F9048F2889FC3BD94A5A51BE1A5D102F9
2016AgentSetup_Megalabs+USA.exeC:\Program Files\CentraStage\CagService.exe.configxml
MD5:ADBF1381C4BD54BD681A095A95E0D8CE
SHA256:FBEEAF6E9FB96D33E74B8631BCE0FC88352DE5D241611E13A349F6F89D2E2730
2016AgentSetup_Megalabs+USA.exeC:\Program Files\CentraStage\Core.XmlSerializers.dllexecutable
MD5:A63585435C0939CD87A2CC30BE7DD987
SHA256:E04D2FDB0FCF243E47DA40C9DA55F925C9A46DD176A6F935244AF076126F5E09
2016AgentSetup_Megalabs+USA.exeC:\Program Files\CentraStage\Common.dllexecutable
MD5:461512677DF70D4F5DD79C5EBC93581B
SHA256:4B0D0DD963320AEE3E7766578C1E7C5A09FC97F37232846316646FE2A204B46D
2016AgentSetup_Megalabs+USA.exeC:\Program Files\CentraStage\Gui.exeexecutable
MD5:662EB4BCD2E039CC9D5F31AF268CFB01
SHA256:9AAB6B35F26B77F4205868A6D1D1CAC62B7C19E36F8B01AD445AE656AEC8EDC8
2016AgentSetup_Megalabs+USA.exeC:\Program Files\CentraStage\CagService.exeexecutable
MD5:037DFCD0BF0EA59F0CA84754B84CB454
SHA256:59D0CAC3452893491D0CB3A07C13476FBBAA432A89E13AE8627B1F6E77DD5F71
2016AgentSetup_Megalabs+USA.exeC:\Program Files\CentraStage\Gui.exe.configxml
MD5:29D78BFD9A4C0D4F850250C25CA8112D
SHA256:71B4F6772FE48A80281E0D112DCB0A2FCAF99DA736A07FCA4CAA3E8107BF4AB0
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
7
TCP/UDP connections
61
DNS requests
27
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
488
lsass.exe
GET
304
23.32.238.192:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?fa455765e490287c
unknown
unknown
488
lsass.exe
GET
200
18.245.39.64:80
http://ocsp.rootg2.amazontrust.com/MFQwUjBQME4wTDAJBgUrDgMCGgUABBSIfaREXmfqfJR3TkMYnD7O5MhzEgQUnF8A36oB1zArOIiiuG1KnPIRkYMCEwZ%2FlEoqJ83z%2BsKuKwH5CO65xMY%3D
unknown
binary
1.49 Kb
unknown
488
lsass.exe
GET
200
13.32.26.76:80
http://ocsp.r2m01.amazontrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBShdVEFnSEQ0gG5CBtzM48cPMe9XwQUgbgOY4qJEhjl%2Bjs7UJWf5uWQE4UCEAzJ2HMRXZ9fh2bdFC4AxME%3D
unknown
binary
471 b
unknown
488
lsass.exe
GET
200
108.138.2.107:80
http://o.ss2.us//MEowSDBGMEQwQjAJBgUrDgMCGgUABBSLwZ6EW5gdYc9UaSEaaLjjETNtkAQUv1%2B30c7dH4b0W1Ws3NcQwg6piOcCCQCnDkpMNIK3fw%3D%3D
unknown
binary
2.02 Kb
unknown
488
lsass.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAz1vQYrVgL0erhQLCPM8GY%3D
unknown
binary
471 b
unknown
488
lsass.exe
GET
200
18.245.39.64:80
http://ocsp.rootca1.amazontrust.com/MFQwUjBQME4wTDAJBgUrDgMCGgUABBRPWaOUU8%2B5VZ5%2Fa9jFTaU9pkK3FAQUhBjMhTTsvAyUlC4IWZzHshBOCggCEwdzEjgLnWaIozse2b%2BczaaODg8%3D
unknown
binary
1.37 Kb
unknown
488
lsass.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSnxLiz3Fu1WB6n1%2FE6xWn1b0jXiQQUdIWAwGbH3zfez70pN6oDHb7tzRcCEAE79EFCzkbsC5kkahtMoSM%3D
unknown
binary
471 b
unknown
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:138
whitelisted
4
System
192.168.100.255:137
whitelisted
1080
svchost.exe
224.0.0.252:5355
unknown
1652
CagService.exe
34.232.189.146:443
vidalcc.centrastage.net
AMAZON-AES
US
unknown
1652
CagService.exe
13.32.99.103:443
update-vidal.centrastage.net
AMAZON-02
US
unknown
1652
CagService.exe
99.83.220.89:443
vidal-agent.centrastage.net
AMAZON-02
US
unknown
1652
CagService.exe
68.232.34.200:443
download.visualstudio.microsoft.com
EDGECAST
US
whitelisted
3012
AEMAgent.exe
13.32.99.78:443
update-vidal.centrastage.net
AMAZON-02
US
unknown
3012
AEMAgent.exe
100.24.149.210:443
features.vidal.rmm.datto.com
AMAZON-AES
US
unknown
3012
AEMAgent.exe
3.33.190.122:443
agent-gateway.vidal.rmm.datto.com
AMAZON-02
US
unknown

DNS requests

Domain
IP
Reputation
vidalcc.centrastage.net
  • 34.232.189.146
unknown
update-vidal.centrastage.net
  • 13.32.99.103
  • 13.32.99.78
  • 13.32.99.10
  • 13.32.99.109
unknown
vidal-agent.centrastage.net
  • 99.83.220.89
  • 75.2.34.181
unknown
download.visualstudio.microsoft.com
  • 68.232.34.200
whitelisted
features.vidal.rmm.datto.com
  • 100.24.149.210
  • 52.207.60.242
unknown
agent-gateway.vidal.rmm.datto.com
  • 3.33.190.122
  • 15.197.187.175
unknown
vidal-agent-notifications.centrastage.net
  • 35.71.189.82
  • 52.223.51.142
unknown
vidal-agent-comms.centrastage.net
  • 52.223.51.142
  • 35.71.189.82
unknown
vidal-monitoring.centrastage.net
  • 35.71.189.82
  • 52.223.51.142
unknown
webrtc.rmm.datto.com
  • 18.157.202.135
unknown

Threats

No threats detected
Process
Message
AEMAgent.exe
Profiler was prevented from loading notification profiler due to app settings. Process ID (decimal): 2316. Message ID: [0x2509].
AEMAgent.exe
Profiler was prevented from loading notification profiler due to app settings. Process ID (decimal): 3012. Message ID: [0x2509].
RMM.WebRemote.exe
Profiler was prevented from loading notification profiler due to app settings. Process ID (decimal): 1016. Message ID: [0x2509].
Interactive malware hunting service ANY.RUN
© 2017-2026 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
AgentSetup_Megalabs+USA.exe