File name:

AgentSetup_Megalabs+USA.exe

Full analysis: https://app.any.run/tasks/c23384c9-94f1-4e1b-b81d-d497d897d262
Verdict: Malicious activity
Analysis date: January 19, 2024, 22:34:13
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows, Nullsoft Installer self-extracting archive
MD5:

48AEBC66053B2D4DEBAF237FDBBA3B2E

SHA1:

B868DC50B4B6D4B5333A68DBDD7E2F86F6984551

SHA256:

06707E05F18CCE51E5F6672EDEB57B35E938FB710BFCD5BF862BF512A5B63FC0

SSDEEP:

98304:QA2a6WTv7klWurdCe8O0lENnVMNNFgN25udAL4ZB2u2jv+zj6YbYqOJeDcaB6Q07:p2ZixMj+2TCOQ/0bOgNM

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Drops the executable file immediately after the start

      • AgentSetup_Megalabs+USA.exe (PID: 2016)
      • AgentSetup_Megalabs+USA.exe (PID: 1892)
      • AEMAgent.exe (PID: 3012)
      • RMM.WebRemote.exe (PID: 1016)
      • CagService.exe (PID: 1652)

    • Creates a writable file in the system directory

      • CagService.exe (PID: 1652)
      • powershell.exe (PID: 3284)
      • powershell.exe (PID: 3096)

    • Registers / Runs the DLL via REGSVR32.EXE

      • CagService.exe (PID: 1652)

    • Changes the autorun value in the registry

      • AgentSetup_Megalabs+USA.exe (PID: 1892)

    • Bypass execution policy to execute commands

      • powershell.exe (PID: 3096)
      • powershell.exe (PID: 3284)
      • powershell.exe (PID: 4072)

    • Changes powershell execution policy (Bypass)

      • AEMAgent.exe (PID: 3012)
      • CagService.exe (PID: 1652)

    • Accesses environment variables (SCRIPT)

      • cscript.exe (PID: 3512)

    • Creates a new registry key or changes the value of an existing one (SCRIPT)

      • cscript.exe (PID: 3512)

  • SUSPICIOUS

    • Malware-specific behavior (creating "System.dll" in Temp)

      • AgentSetup_Megalabs+USA.exe (PID: 2016)
      • AgentSetup_Megalabs+USA.exe (PID: 1892)

    • The process creates files with name similar to system file names

      • AgentSetup_Megalabs+USA.exe (PID: 2016)
      • AgentSetup_Megalabs+USA.exe (PID: 1892)
      • CagService.exe (PID: 1652)

    • Process drops legitimate windows executable

      • AgentSetup_Megalabs+USA.exe (PID: 2016)
      • CagService.exe (PID: 1652)
      • AEMAgent.exe (PID: 3012)

    • Executable content was dropped or overwritten

      • AgentSetup_Megalabs+USA.exe (PID: 2016)
      • AgentSetup_Megalabs+USA.exe (PID: 1892)
      • CagService.exe (PID: 1652)
      • AEMAgent.exe (PID: 3012)
      • RMM.WebRemote.exe (PID: 1016)

    • Executes as Windows Service

      • CagService.exe (PID: 1652)

    • Reads the Internet Settings

      • Gui.exe (PID: 1216)

    • Checks Windows Trust Settings

      • Gui.exe (PID: 1216)

    • Reads security settings of Internet Explorer

      • Gui.exe (PID: 1216)

    • Reads settings of System Certificates

      • Gui.exe (PID: 1216)

    • Searches for installed software

      • CagService.exe (PID: 1652)
      • AEMAgent.exe (PID: 3012)

    • Creates or modifies Windows services

      • CagService.exe (PID: 1652)

    • Creates a software uninstall entry

      • CagService.exe (PID: 1652)
      • AgentSetup_Megalabs+USA.exe (PID: 1892)

    • Uses NETSH.EXE to delete a firewall rule or allowed programs

      • CagService.exe (PID: 1652)
      • RMM.WebRemote.exe (PID: 1016)
      • AEMAgent.exe (PID: 3012)

    • The process drops C-runtime libraries

      • CagService.exe (PID: 1652)

    • Executing commands from ".cmd" file

      • CagService.exe (PID: 1652)

    • Uses NETSH.EXE to add a firewall rule or allowed programs

      • CagService.exe (PID: 1652)
      • AEMAgent.exe (PID: 3012)
      • RMM.WebRemote.exe (PID: 1016)

    • Starts CMD.EXE for commands execution

      • CagService.exe (PID: 1652)
      • AEMAgent.exe (PID: 3012)
      • cmd.exe (PID: 2888)

    • Get information on the list of running processes

      • cmd.exe (PID: 2508)

    • Starts SC.EXE for service management

      • cmd.exe (PID: 2508)

    • Found strings related to reading or modifying Windows Defender settings

      • AEMAgent.exe (PID: 3012)

    • Uses WMIC.EXE

      • cmd.exe (PID: 2928)
      • cmd.exe (PID: 1548)
      • cmd.exe (PID: 3400)
      • cmd.exe (PID: 2316)
      • cmd.exe (PID: 2816)
      • cmd.exe (PID: 2060)
      • cmd.exe (PID: 1424)
      • cmd.exe (PID: 3744)
      • cmd.exe (PID: 1776)
      • cmd.exe (PID: 2420)
      • cmd.exe (PID: 880)
      • cmd.exe (PID: 3412)
      • cmd.exe (PID: 3392)
      • cmd.exe (PID: 2848)
      • cmd.exe (PID: 2448)
      • cmd.exe (PID: 4016)
      • cmd.exe (PID: 3516)
      • cmd.exe (PID: 2568)
      • cmd.exe (PID: 2896)
      • cmd.exe (PID: 632)
      • cmd.exe (PID: 2480)
      • cmd.exe (PID: 2428)
      • cmd.exe (PID: 3996)
      • cmd.exe (PID: 3180)

    • Starts POWERSHELL.EXE for commands execution

      • AEMAgent.exe (PID: 3012)
      • CagService.exe (PID: 1652)

    • The process executes Powershell scripts

      • AEMAgent.exe (PID: 3012)
      • CagService.exe (PID: 1652)

    • Unusual connection from system programs

      • powershell.exe (PID: 3096)

    • The Powershell connects to the Internet

      • powershell.exe (PID: 3096)

    • Uses WMIC.EXE to obtain service application data

      • cmd.exe (PID: 3908)

    • Executing commands from a ".bat" file

      • CagService.exe (PID: 1652)

    • The process executes VB scripts

      • cmd.exe (PID: 2888)

    • Application launched itself

      • cmd.exe (PID: 2888)

    • Using PowerShell to operate with local accounts

      • powershell.exe (PID: 3284)

  • INFO

    • Creates files in the program directory

      • AgentSetup_Megalabs+USA.exe (PID: 2016)
      • CagService.exe (PID: 1652)
      • Gui.exe (PID: 1216)
      • AEMAgent.exe (PID: 2316)
      • aria2c.exe (PID: 2648)
      • RMM.WebRemote.exe (PID: 1016)
      • AEMAgent.exe (PID: 3012)
      • powershell.exe (PID: 3096)

    • Reads the computer name

      • AgentSetup_Megalabs+USA.exe (PID: 2016)
      • CagService.exe (PID: 1652)
      • Gui.exe (PID: 1216)
      • AgentSetup_Megalabs+USA.exe (PID: 1892)
      • Gui.exe (PID: 1768)
      • AEMAgent.exe (PID: 3012)
      • aria2c.exe (PID: 2648)
      • RMM.WebRemote.exe (PID: 1016)

    • Checks supported languages

      • AgentSetup_Megalabs+USA.exe (PID: 2016)
      • CagService.exe (PID: 1652)
      • Gui.exe (PID: 1216)
      • AgentSetup_Megalabs+USA.exe (PID: 1892)
      • Gui.exe (PID: 1768)
      • AEMAgent.exe (PID: 2316)
      • AEMAgent.exe (PID: 3012)
      • aria2c.exe (PID: 2648)
      • RMM.WebRemote.exe (PID: 1016)

    • Create files in a temporary directory

      • AgentSetup_Megalabs+USA.exe (PID: 2016)
      • AgentSetup_Megalabs+USA.exe (PID: 1892)

    • Reads Environment values

      • AgentSetup_Megalabs+USA.exe (PID: 2016)
      • CagService.exe (PID: 1652)
      • AgentSetup_Megalabs+USA.exe (PID: 1892)
      • AEMAgent.exe (PID: 3012)

    • Reads the machine GUID from the registry

      • CagService.exe (PID: 1652)
      • Gui.exe (PID: 1216)
      • Gui.exe (PID: 1768)
      • aria2c.exe (PID: 2648)
      • AEMAgent.exe (PID: 3012)
      • RMM.WebRemote.exe (PID: 1016)

    • Creates files or folders in the user directory

      • Gui.exe (PID: 1216)

    • Manual execution by a user

      • AgentSetup_Megalabs+USA.exe (PID: 1892)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | InstallShield setup (36.8)
.exe | Win32 Executable MS Visual C++ (generic) (26.6)
.exe | Win64 Executable (generic) (23.6)
.dll | Win32 Dynamic Link Library (generic) (5.6)
.exe | Win32 Executable (generic) (3.8)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2016:04:27 03:27:51+02:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit, No debug
PEType: PE32
LinkerVersion: 2.26
CodeSize: 35328
InitializedDataSize: 38912
UninitializedDataSize: 154112
EntryPoint: 0x4167
OSVersion: 4
ImageVersion: 6
SubsystemVersion: 4
Subsystem: Windows GUI
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
153
Monitored processes
90
Malicious processes
8
Suspicious processes
3

Behavior graph

Click at the process to see the details
start agentsetup_megalabs+usa.exe cagservice.exe gui.exe no specs agentsetup_megalabs+usa.exe regsvr32.exe no specs gui.exe no specs aemagent.exe netsh.exe no specs netsh.exe no specs cmd.exe no specs sc.exe no specs tasklist.exe no specs find.exe no specs sc.exe no specs aemagent.exe aria2c.exe netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs rmm.webremote.exe netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs cmd.exe no specs wmic.exe no specs cmd.exe no specs wmic.exe no specs cmd.exe no specs wmic.exe no specs cmd.exe no specs wmic.exe no specs cmd.exe no specs wmic.exe no specs cmd.exe no specs wmic.exe no specs cmd.exe no specs wmic.exe no specs cmd.exe no specs wmic.exe no specs powershell.exe powershell.exe no specs cmd.exe no specs cmd.exe no specs wmic.exe no specs find.exe no specs cscript.exe no specs powershell.exe no specs cmd.exe no specs wmic.exe no specs cmd.exe no specs wmic.exe no specs wmic.exe no specs cmd.exe no specs cmd.exe no specs wmic.exe no specs cmd.exe no specs wmic.exe no specs cmd.exe no specs wmic.exe no specs cmd.exe no specs wmic.exe no specs cmd.exe no specs wmic.exe no specs cmd.exe no specs wmic.exe no specs cmd.exe no specs wmic.exe no specs cmd.exe no specs wmic.exe no specs cmd.exe no specs wmic.exe no specs cmd.exe no specs wmic.exe no specs cmd.exe no specs wmic.exe no specs cmd.exe no specs wmic.exe no specs cmd.exe no specs wmic.exe no specs agentsetup_megalabs+usa.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
120"C:\Users\admin\Desktop\AgentSetup_Megalabs+USA.exe" C:\Users\admin\Desktop\AgentSetup_Megalabs+USA.exeexplorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
3221226540
Modules
Images
c:\users\admin\desktop\agentsetup_megalabs+usa.exe
c:\windows\system32\ntdll.dll
532"netsh" advfirewall firewall add rule name="RMM RTC Proxy" dir=in action=allow program="C:\ProgramData\CentraStage\AEMAgent\RMM.WebRemote\12.6.0.2409\RMM.RTC.Proxy\RMM.RTC.Proxy.exe" enable=yesC:\Windows\System32\netsh.exeRMM.WebRemote.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Network Command Shell
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\netsh.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\credui.dll
c:\windows\system32\user32.dll
560wmic /namespace:\\root\Microsoft\Windows\Defender path MSFT_MpComputerStatus get /format:listC:\Windows\System32\wbem\WMIC.execmd.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
WMI Commandline Utility
Exit code:
2147749902
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\wbem\wmic.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ole32.dll
c:\windows\system32\gdi32.dll
632"C:\Windows\system32\cmd.exe" /c wmic /namespace:\\root\Microsoft\Windows\Defender path MSFT_MpComputerStatus get /format:listC:\Windows\System32\cmd.exeAEMAgent.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows Command Processor
Exit code:
2147749902
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
668wmic /namespace:\\root\Microsoft\Windows\Defender path MSFT_MpComputerStatus get /format:listC:\Windows\System32\wbem\WMIC.execmd.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
WMI Commandline Utility
Exit code:
2147749902
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\wbem\wmic.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ole32.dll
c:\windows\system32\gdi32.dll
712"netsh" advfirewall firewall add rule name="RMM RTO Proxy" dir=in action=allow program="C:\ProgramData\CentraStage\AEMAgent\RMM.WebRemote\12.6.0.2409\RMM.RTO.Proxy\RMM.RTO.Proxy.exe" enable=yesC:\Windows\System32\netsh.exeRMM.WebRemote.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Network Command Shell
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\netsh.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\credui.dll
c:\windows\system32\user32.dll
880"C:\Windows\system32\cmd.exe" /c wmic /namespace:\\root\Microsoft\Windows\Defender path MSFT_MpComputerStatus get /format:listC:\Windows\System32\cmd.exeAEMAgent.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows Command Processor
Exit code:
2147749902
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
920"netsh" advfirewall firewall delete rule name="RMM WINVNC"C:\Windows\System32\netsh.exeCagService.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Network Command Shell
Exit code:
1
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\netsh.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\credui.dll
c:\windows\system32\user32.dll
948wmic /namespace:\\root\Microsoft\Windows\Defender path MSFT_MpComputerStatus get /format:listC:\Windows\System32\wbem\WMIC.execmd.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
WMI Commandline Utility
Exit code:
2147749902
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\wbem\wmic.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ole32.dll
c:\windows\system32\gdi32.dll
1016"C:\ProgramData\CentraStage\AEMAgent\RMM.WebRemote\12.6.0.2409\RMM.WebRemote.exe" --web-remote-daemon c8b9c6b2-beb8-431b-a326-75084b95665bC:\ProgramData\CentraStage\AEMAgent\RMM.WebRemote\12.6.0.2409\RMM.WebRemote.exe
AEMAgent.exe
User:
SYSTEM
Integrity Level:
SYSTEM
Description:
RMM WebRemote Agent
Exit code:
0
Version:
12.6.0.2409
Modules
Images
c:\programdata\centrastage\aemagent\rmm.webremote\12.6.0.2409\rmm.webremote.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shell32.dll
Total events
73 658
Read events
72 709
Write events
946
Delete events
3

Modification events

(PID) Process:(2016) AgentSetup_Megalabs+USA.exeKey:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager
Operation:writeName:PendingFileRenameOperations
Value:
\??\C:\Users\admin\AppData\Local\Temp\nsy3E5.tmp\nsProcess.dll
(PID) Process:(1652) CagService.exeKey:HKEY_USERS\.DEFAULT\Software\Classes\Local Settings\MuiCache\182\52C64B7E
Operation:writeName:LanguageList
Value:
en-US
(PID) Process:(1652) CagService.exeKey:HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:UNCAsIntranet
Value:
0
(PID) Process:(1652) CagService.exeKey:HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:AutoDetect
Value:
1
(PID) Process:(1216) Gui.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:ProxyBypass
Value:
1
(PID) Process:(1216) Gui.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:IntranetName
Value:
1
(PID) Process:(1216) Gui.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:UNCAsIntranet
Value:
1
(PID) Process:(1216) Gui.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:AutoDetect
Value:
0
(PID) Process:(1216) Gui.exeKey:HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E
Operation:writeName:LanguageList
Value:
en-US
(PID) Process:(1652) CagService.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\CentraStage
Operation:writeName:AgentFolderStatus
Value:
0
Executable files
476
Suspicious files
84
Text files
179
Unknown types
0

Dropped files

PID
Process
Filename
Type
2016AgentSetup_Megalabs+USA.exeC:\Users\admin\AppData\Local\Temp\nsy3E5.tmp\System.dllexecutable
MD5:C17103AE9072A06DA581DEC998343FC1
SHA256:DC58D8AD81CACB0C1ED72E33BFF8F23EA40B5252B5BB55D393A0903E6819AE2F
2016AgentSetup_Megalabs+USA.exeC:\Program Files\CentraStage\AxInterop.ViewerX.dllexecutable
MD5:EDC5E696C4AD70F0BE6301F703AB3672
SHA256:C6E5F17B2BC91202A1C6A9F3F0547CD7F208368B4CFEBB53F234A55F87C5ACD5
2016AgentSetup_Megalabs+USA.exeC:\Program Files\CentraStage\CagService.exeexecutable
MD5:037DFCD0BF0EA59F0CA84754B84CB454
SHA256:59D0CAC3452893491D0CB3A07C13476FBBAA432A89E13AE8627B1F6E77DD5F71
2016AgentSetup_Megalabs+USA.exeC:\Program Files\CentraStage\CSIcon.icoimage
MD5:2F6FD9AA57AA40728A65FA006C7E0F17
SHA256:B59A0E0570D2A22CD51FB51FC106913F9048F2889FC3BD94A5A51BE1A5D102F9
2016AgentSetup_Megalabs+USA.exeC:\Program Files\CentraStage\AxInterop.MSTSCLib.dllexecutable
MD5:0F581E56ED5BA500CE5D98D105B04A37
SHA256:F041747B5B6B20B6620CA13A7B276C9E9070E54CDA8C29F6ADD54CBA9A42A2F5
2016AgentSetup_Megalabs+USA.exeC:\Program Files\CentraStage\defaultbrand.zipcompressed
MD5:BE0A3C9E7408BDD9A9D9D004CA01ABF2
SHA256:865CC74F5B77E1DDFFA260084633236186F16139E08B4FB81DB4AAD2442BDC34
2016AgentSetup_Megalabs+USA.exeC:\Program Files\CentraStage\Gui.exe.configxml
MD5:29D78BFD9A4C0D4F850250C25CA8112D
SHA256:71B4F6772FE48A80281E0D112DCB0A2FCAF99DA736A07FCA4CAA3E8107BF4AB0
2016AgentSetup_Megalabs+USA.exeC:\Program Files\CentraStage\Microsoft.Threading.Tasks.dllexecutable
MD5:D01819BFE03222DFA9E35A36555B6B6C
SHA256:5F29E16EDFF5379E93D5BE9BEE4CDDF98132B84326027688511AC0F3157AAF94
2016AgentSetup_Megalabs+USA.exeC:\Program Files\CentraStage\Microsoft.Threading.Tasks.Extensions.dllexecutable
MD5:6AA2393FF1FDE1A61D0CF51730428F74
SHA256:92F1D0D6CCFB0D030789F3C5C636FCDD08F6D0541A5A54F185E8ECD85592E3F9
2016AgentSetup_Megalabs+USA.exeC:\Program Files\CentraStage\ICSharpCode.SharpZipLib.dllexecutable
MD5:C8164876B6F66616D68387443621510C
SHA256:40B3D590F95191F3E33E5D00E534FA40F823D9B1BB2A9AFE05F139C4E0A3AF8D
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
7
TCP/UDP connections
61
DNS requests
27
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
488
lsass.exe
GET
304
23.32.238.192:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?fa455765e490287c
unknown
unknown
488
lsass.exe
GET
200
18.245.39.64:80
http://ocsp.rootg2.amazontrust.com/MFQwUjBQME4wTDAJBgUrDgMCGgUABBSIfaREXmfqfJR3TkMYnD7O5MhzEgQUnF8A36oB1zArOIiiuG1KnPIRkYMCEwZ%2FlEoqJ83z%2BsKuKwH5CO65xMY%3D
unknown
binary
1.49 Kb
unknown
488
lsass.exe
GET
200
13.32.26.76:80
http://ocsp.r2m01.amazontrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBShdVEFnSEQ0gG5CBtzM48cPMe9XwQUgbgOY4qJEhjl%2Bjs7UJWf5uWQE4UCEAzJ2HMRXZ9fh2bdFC4AxME%3D
unknown
binary
471 b
unknown
488
lsass.exe
GET
200
18.245.39.64:80
http://ocsp.rootca1.amazontrust.com/MFQwUjBQME4wTDAJBgUrDgMCGgUABBRPWaOUU8%2B5VZ5%2Fa9jFTaU9pkK3FAQUhBjMhTTsvAyUlC4IWZzHshBOCggCEwdzEjgLnWaIozse2b%2BczaaODg8%3D
unknown
binary
1.37 Kb
unknown
488
lsass.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSnxLiz3Fu1WB6n1%2FE6xWn1b0jXiQQUdIWAwGbH3zfez70pN6oDHb7tzRcCEAE79EFCzkbsC5kkahtMoSM%3D
unknown
binary
471 b
unknown
488
lsass.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAz1vQYrVgL0erhQLCPM8GY%3D
unknown
binary
471 b
unknown
488
lsass.exe
GET
200
108.138.2.107:80
http://o.ss2.us//MEowSDBGMEQwQjAJBgUrDgMCGgUABBSLwZ6EW5gdYc9UaSEaaLjjETNtkAQUv1%2B30c7dH4b0W1Ws3NcQwg6piOcCCQCnDkpMNIK3fw%3D%3D
unknown
binary
2.02 Kb
unknown
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:138
whitelisted
4
System
192.168.100.255:137
whitelisted
1080
svchost.exe
224.0.0.252:5355
unknown
1652
CagService.exe
34.232.189.146:443
vidalcc.centrastage.net
AMAZON-AES
US
unknown
1652
CagService.exe
13.32.99.103:443
update-vidal.centrastage.net
AMAZON-02
US
unknown
1652
CagService.exe
99.83.220.89:443
vidal-agent.centrastage.net
AMAZON-02
US
unknown
1652
CagService.exe
68.232.34.200:443
download.visualstudio.microsoft.com
EDGECAST
US
whitelisted
3012
AEMAgent.exe
13.32.99.78:443
update-vidal.centrastage.net
AMAZON-02
US
unknown
3012
AEMAgent.exe
100.24.149.210:443
features.vidal.rmm.datto.com
AMAZON-AES
US
unknown
3012
AEMAgent.exe
3.33.190.122:443
agent-gateway.vidal.rmm.datto.com
AMAZON-02
US
unknown

DNS requests

Domain
IP
Reputation
vidalcc.centrastage.net
  • 34.232.189.146
unknown
update-vidal.centrastage.net
  • 13.32.99.103
  • 13.32.99.78
  • 13.32.99.10
  • 13.32.99.109
unknown
vidal-agent.centrastage.net
  • 99.83.220.89
  • 75.2.34.181
unknown
download.visualstudio.microsoft.com
  • 68.232.34.200
whitelisted
features.vidal.rmm.datto.com
  • 100.24.149.210
  • 52.207.60.242
unknown
agent-gateway.vidal.rmm.datto.com
  • 3.33.190.122
  • 15.197.187.175
unknown
vidal-agent-notifications.centrastage.net
  • 35.71.189.82
  • 52.223.51.142
unknown
vidal-agent-comms.centrastage.net
  • 52.223.51.142
  • 35.71.189.82
unknown
vidal-monitoring.centrastage.net
  • 35.71.189.82
  • 52.223.51.142
unknown
webrtc.rmm.datto.com
  • 18.157.202.135
unknown

Threats

No threats detected
Process
Message
AEMAgent.exe
Profiler was prevented from loading notification profiler due to app settings. Process ID (decimal): 2316. Message ID: [0x2509].
AEMAgent.exe
Profiler was prevented from loading notification profiler due to app settings. Process ID (decimal): 3012. Message ID: [0x2509].
RMM.WebRemote.exe
Profiler was prevented from loading notification profiler due to app settings. Process ID (decimal): 1016. Message ID: [0x2509].
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
AgentSetup_Megalabs+USA.exe