File name:

AgentSetup_Megalabs+USA.exe

Full analysis: https://app.any.run/tasks/c23384c9-94f1-4e1b-b81d-d497d897d262
Verdict: Malicious activity
Analysis date: January 19, 2024, 22:34:13
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows, Nullsoft Installer self-extracting archive
MD5:

48AEBC66053B2D4DEBAF237FDBBA3B2E

SHA1:

B868DC50B4B6D4B5333A68DBDD7E2F86F6984551

SHA256:

06707E05F18CCE51E5F6672EDEB57B35E938FB710BFCD5BF862BF512A5B63FC0

SSDEEP:

98304:QA2a6WTv7klWurdCe8O0lENnVMNNFgN25udAL4ZB2u2jv+zj6YbYqOJeDcaB6Q07:p2ZixMj+2TCOQ/0bOgNM

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Drops the executable file immediately after the start

      • AgentSetup_Megalabs+USA.exe (PID: 2016)
      • AgentSetup_Megalabs+USA.exe (PID: 1892)
      • AEMAgent.exe (PID: 3012)
      • CagService.exe (PID: 1652)
      • RMM.WebRemote.exe (PID: 1016)

    • Registers / Runs the DLL via REGSVR32.EXE

      • CagService.exe (PID: 1652)

    • Creates a writable file in the system directory

      • CagService.exe (PID: 1652)
      • powershell.exe (PID: 3096)
      • powershell.exe (PID: 3284)

    • Changes the autorun value in the registry

      • AgentSetup_Megalabs+USA.exe (PID: 1892)

    • Bypass execution policy to execute commands

      • powershell.exe (PID: 3096)
      • powershell.exe (PID: 3284)
      • powershell.exe (PID: 4072)

    • Changes powershell execution policy (Bypass)

      • AEMAgent.exe (PID: 3012)
      • CagService.exe (PID: 1652)

    • Creates a new registry key or changes the value of an existing one (SCRIPT)

      • cscript.exe (PID: 3512)

    • Accesses environment variables (SCRIPT)

      • cscript.exe (PID: 3512)

  • SUSPICIOUS

    • Malware-specific behavior (creating "System.dll" in Temp)

      • AgentSetup_Megalabs+USA.exe (PID: 2016)
      • AgentSetup_Megalabs+USA.exe (PID: 1892)

    • Process drops legitimate windows executable

      • AgentSetup_Megalabs+USA.exe (PID: 2016)
      • CagService.exe (PID: 1652)
      • AEMAgent.exe (PID: 3012)

    • The process creates files with name similar to system file names

      • AgentSetup_Megalabs+USA.exe (PID: 2016)
      • AgentSetup_Megalabs+USA.exe (PID: 1892)
      • CagService.exe (PID: 1652)

    • Executable content was dropped or overwritten

      • AgentSetup_Megalabs+USA.exe (PID: 2016)
      • AgentSetup_Megalabs+USA.exe (PID: 1892)
      • CagService.exe (PID: 1652)
      • AEMAgent.exe (PID: 3012)
      • RMM.WebRemote.exe (PID: 1016)

    • Executes as Windows Service

      • CagService.exe (PID: 1652)

    • Checks Windows Trust Settings

      • Gui.exe (PID: 1216)

    • Reads the Internet Settings

      • Gui.exe (PID: 1216)

    • Reads security settings of Internet Explorer

      • Gui.exe (PID: 1216)

    • Creates or modifies Windows services

      • CagService.exe (PID: 1652)

    • Creates a software uninstall entry

      • CagService.exe (PID: 1652)
      • AgentSetup_Megalabs+USA.exe (PID: 1892)

    • Searches for installed software

      • CagService.exe (PID: 1652)
      • AEMAgent.exe (PID: 3012)

    • Reads settings of System Certificates

      • Gui.exe (PID: 1216)

    • Starts CMD.EXE for commands execution

      • CagService.exe (PID: 1652)
      • AEMAgent.exe (PID: 3012)
      • cmd.exe (PID: 2888)

    • The process drops C-runtime libraries

      • CagService.exe (PID: 1652)

    • Uses NETSH.EXE to add a firewall rule or allowed programs

      • CagService.exe (PID: 1652)
      • AEMAgent.exe (PID: 3012)
      • RMM.WebRemote.exe (PID: 1016)

    • Uses NETSH.EXE to delete a firewall rule or allowed programs

      • CagService.exe (PID: 1652)
      • AEMAgent.exe (PID: 3012)
      • RMM.WebRemote.exe (PID: 1016)

    • Executing commands from ".cmd" file

      • CagService.exe (PID: 1652)

    • Starts SC.EXE for service management

      • cmd.exe (PID: 2508)

    • Get information on the list of running processes

      • cmd.exe (PID: 2508)

    • Found strings related to reading or modifying Windows Defender settings

      • AEMAgent.exe (PID: 3012)

    • Uses WMIC.EXE

      • cmd.exe (PID: 1424)
      • cmd.exe (PID: 3744)
      • cmd.exe (PID: 2928)
      • cmd.exe (PID: 1548)
      • cmd.exe (PID: 2316)
      • cmd.exe (PID: 2060)
      • cmd.exe (PID: 3400)
      • cmd.exe (PID: 2816)
      • cmd.exe (PID: 1776)
      • cmd.exe (PID: 2420)
      • cmd.exe (PID: 2448)
      • cmd.exe (PID: 3412)
      • cmd.exe (PID: 3392)
      • cmd.exe (PID: 2428)
      • cmd.exe (PID: 2848)
      • cmd.exe (PID: 3996)
      • cmd.exe (PID: 3180)
      • cmd.exe (PID: 4016)
      • cmd.exe (PID: 3516)
      • cmd.exe (PID: 2896)
      • cmd.exe (PID: 2568)
      • cmd.exe (PID: 632)
      • cmd.exe (PID: 880)
      • cmd.exe (PID: 2480)

    • Starts POWERSHELL.EXE for commands execution

      • AEMAgent.exe (PID: 3012)
      • CagService.exe (PID: 1652)

    • The Powershell connects to the Internet

      • powershell.exe (PID: 3096)

    • Unusual connection from system programs

      • powershell.exe (PID: 3096)

    • The process executes Powershell scripts

      • AEMAgent.exe (PID: 3012)
      • CagService.exe (PID: 1652)

    • The process executes VB scripts

      • cmd.exe (PID: 2888)

    • Application launched itself

      • cmd.exe (PID: 2888)

    • Executing commands from a ".bat" file

      • CagService.exe (PID: 1652)

    • Using PowerShell to operate with local accounts

      • powershell.exe (PID: 3284)

    • Uses WMIC.EXE to obtain service application data

      • cmd.exe (PID: 3908)

  • INFO

    • Checks supported languages

      • AgentSetup_Megalabs+USA.exe (PID: 2016)
      • CagService.exe (PID: 1652)
      • Gui.exe (PID: 1216)
      • AgentSetup_Megalabs+USA.exe (PID: 1892)
      • Gui.exe (PID: 1768)
      • AEMAgent.exe (PID: 2316)
      • AEMAgent.exe (PID: 3012)
      • aria2c.exe (PID: 2648)
      • RMM.WebRemote.exe (PID: 1016)

    • Reads the computer name

      • AgentSetup_Megalabs+USA.exe (PID: 2016)
      • CagService.exe (PID: 1652)
      • Gui.exe (PID: 1216)
      • AgentSetup_Megalabs+USA.exe (PID: 1892)
      • AEMAgent.exe (PID: 3012)
      • Gui.exe (PID: 1768)
      • aria2c.exe (PID: 2648)
      • RMM.WebRemote.exe (PID: 1016)

    • Reads Environment values

      • AgentSetup_Megalabs+USA.exe (PID: 2016)
      • AgentSetup_Megalabs+USA.exe (PID: 1892)
      • CagService.exe (PID: 1652)
      • AEMAgent.exe (PID: 3012)

    • Create files in a temporary directory

      • AgentSetup_Megalabs+USA.exe (PID: 2016)
      • AgentSetup_Megalabs+USA.exe (PID: 1892)

    • Creates files in the program directory

      • AgentSetup_Megalabs+USA.exe (PID: 2016)
      • CagService.exe (PID: 1652)
      • Gui.exe (PID: 1216)
      • AEMAgent.exe (PID: 2316)
      • aria2c.exe (PID: 2648)
      • RMM.WebRemote.exe (PID: 1016)
      • AEMAgent.exe (PID: 3012)
      • powershell.exe (PID: 3096)

    • Reads the machine GUID from the registry

      • CagService.exe (PID: 1652)
      • Gui.exe (PID: 1216)
      • Gui.exe (PID: 1768)
      • aria2c.exe (PID: 2648)
      • RMM.WebRemote.exe (PID: 1016)
      • AEMAgent.exe (PID: 3012)

    • Creates files or folders in the user directory

      • Gui.exe (PID: 1216)

    • Manual execution by a user

      • AgentSetup_Megalabs+USA.exe (PID: 1892)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | InstallShield setup (36.8)
.exe | Win32 Executable MS Visual C++ (generic) (26.6)
.exe | Win64 Executable (generic) (23.6)
.dll | Win32 Dynamic Link Library (generic) (5.6)
.exe | Win32 Executable (generic) (3.8)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2016:04:27 03:27:51+02:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit, No debug
PEType: PE32
LinkerVersion: 2.26
CodeSize: 35328
InitializedDataSize: 38912
UninitializedDataSize: 154112
EntryPoint: 0x4167
OSVersion: 4
ImageVersion: 6
SubsystemVersion: 4
Subsystem: Windows GUI
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
153
Monitored processes
90
Malicious processes
8
Suspicious processes
3

Behavior graph

Click at the process to see the details
start agentsetup_megalabs+usa.exe cagservice.exe gui.exe no specs agentsetup_megalabs+usa.exe regsvr32.exe no specs gui.exe no specs aemagent.exe netsh.exe no specs netsh.exe no specs cmd.exe no specs sc.exe no specs tasklist.exe no specs find.exe no specs sc.exe no specs aemagent.exe aria2c.exe netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs rmm.webremote.exe netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs cmd.exe no specs wmic.exe no specs cmd.exe no specs wmic.exe no specs cmd.exe no specs wmic.exe no specs cmd.exe no specs wmic.exe no specs cmd.exe no specs wmic.exe no specs cmd.exe no specs wmic.exe no specs cmd.exe no specs wmic.exe no specs cmd.exe no specs wmic.exe no specs powershell.exe powershell.exe no specs cmd.exe no specs cmd.exe no specs wmic.exe no specs find.exe no specs cscript.exe no specs powershell.exe no specs cmd.exe no specs wmic.exe no specs cmd.exe no specs wmic.exe no specs wmic.exe no specs cmd.exe no specs cmd.exe no specs wmic.exe no specs cmd.exe no specs wmic.exe no specs cmd.exe no specs wmic.exe no specs cmd.exe no specs wmic.exe no specs cmd.exe no specs wmic.exe no specs cmd.exe no specs wmic.exe no specs cmd.exe no specs wmic.exe no specs cmd.exe no specs wmic.exe no specs cmd.exe no specs wmic.exe no specs cmd.exe no specs wmic.exe no specs cmd.exe no specs wmic.exe no specs cmd.exe no specs wmic.exe no specs cmd.exe no specs wmic.exe no specs agentsetup_megalabs+usa.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
120"C:\Users\admin\Desktop\AgentSetup_Megalabs+USA.exe" C:\Users\admin\Desktop\AgentSetup_Megalabs+USA.exeexplorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
3221226540
Modules
Images
c:\users\admin\desktop\agentsetup_megalabs+usa.exe
c:\windows\system32\ntdll.dll
532"netsh" advfirewall firewall add rule name="RMM RTC Proxy" dir=in action=allow program="C:\ProgramData\CentraStage\AEMAgent\RMM.WebRemote\12.6.0.2409\RMM.RTC.Proxy\RMM.RTC.Proxy.exe" enable=yesC:\Windows\System32\netsh.exeRMM.WebRemote.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Network Command Shell
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\netsh.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\credui.dll
c:\windows\system32\user32.dll
560wmic /namespace:\\root\Microsoft\Windows\Defender path MSFT_MpComputerStatus get /format:listC:\Windows\System32\wbem\WMIC.execmd.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
WMI Commandline Utility
Exit code:
2147749902
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\wbem\wmic.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ole32.dll
c:\windows\system32\gdi32.dll
632"C:\Windows\system32\cmd.exe" /c wmic /namespace:\\root\Microsoft\Windows\Defender path MSFT_MpComputerStatus get /format:listC:\Windows\System32\cmd.exeAEMAgent.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows Command Processor
Exit code:
2147749902
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
668wmic /namespace:\\root\Microsoft\Windows\Defender path MSFT_MpComputerStatus get /format:listC:\Windows\System32\wbem\WMIC.execmd.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
WMI Commandline Utility
Exit code:
2147749902
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\wbem\wmic.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ole32.dll
c:\windows\system32\gdi32.dll
712"netsh" advfirewall firewall add rule name="RMM RTO Proxy" dir=in action=allow program="C:\ProgramData\CentraStage\AEMAgent\RMM.WebRemote\12.6.0.2409\RMM.RTO.Proxy\RMM.RTO.Proxy.exe" enable=yesC:\Windows\System32\netsh.exeRMM.WebRemote.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Network Command Shell
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\netsh.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\credui.dll
c:\windows\system32\user32.dll
880"C:\Windows\system32\cmd.exe" /c wmic /namespace:\\root\Microsoft\Windows\Defender path MSFT_MpComputerStatus get /format:listC:\Windows\System32\cmd.exeAEMAgent.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows Command Processor
Exit code:
2147749902
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
920"netsh" advfirewall firewall delete rule name="RMM WINVNC"C:\Windows\System32\netsh.exeCagService.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Network Command Shell
Exit code:
1
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\netsh.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\credui.dll
c:\windows\system32\user32.dll
948wmic /namespace:\\root\Microsoft\Windows\Defender path MSFT_MpComputerStatus get /format:listC:\Windows\System32\wbem\WMIC.execmd.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
WMI Commandline Utility
Exit code:
2147749902
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\wbem\wmic.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ole32.dll
c:\windows\system32\gdi32.dll
1016"C:\ProgramData\CentraStage\AEMAgent\RMM.WebRemote\12.6.0.2409\RMM.WebRemote.exe" --web-remote-daemon c8b9c6b2-beb8-431b-a326-75084b95665bC:\ProgramData\CentraStage\AEMAgent\RMM.WebRemote\12.6.0.2409\RMM.WebRemote.exe
AEMAgent.exe
User:
SYSTEM
Integrity Level:
SYSTEM
Description:
RMM WebRemote Agent
Exit code:
0
Version:
12.6.0.2409
Modules
Images
c:\programdata\centrastage\aemagent\rmm.webremote\12.6.0.2409\rmm.webremote.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shell32.dll
Total events
73 658
Read events
72 709
Write events
946
Delete events
3

Modification events

(PID) Process:(2016) AgentSetup_Megalabs+USA.exeKey:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager
Operation:writeName:PendingFileRenameOperations
Value:
\??\C:\Users\admin\AppData\Local\Temp\nsy3E5.tmp\nsProcess.dll
(PID) Process:(1652) CagService.exeKey:HKEY_USERS\.DEFAULT\Software\Classes\Local Settings\MuiCache\182\52C64B7E
Operation:writeName:LanguageList
Value:
en-US
(PID) Process:(1652) CagService.exeKey:HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:UNCAsIntranet
Value:
0
(PID) Process:(1652) CagService.exeKey:HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:AutoDetect
Value:
1
(PID) Process:(1216) Gui.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:ProxyBypass
Value:
1
(PID) Process:(1216) Gui.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:IntranetName
Value:
1
(PID) Process:(1216) Gui.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:UNCAsIntranet
Value:
1
(PID) Process:(1216) Gui.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:AutoDetect
Value:
0
(PID) Process:(1216) Gui.exeKey:HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E
Operation:writeName:LanguageList
Value:
en-US
(PID) Process:(1652) CagService.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\CentraStage
Operation:writeName:AgentFolderStatus
Value:
0
Executable files
476
Suspicious files
84
Text files
179
Unknown types
0

Dropped files

PID
Process
Filename
Type
2016AgentSetup_Megalabs+USA.exeC:\Users\admin\AppData\Local\Temp\nsy3E5.tmp\System.dllexecutable
MD5:C17103AE9072A06DA581DEC998343FC1
SHA256:DC58D8AD81CACB0C1ED72E33BFF8F23EA40B5252B5BB55D393A0903E6819AE2F
2016AgentSetup_Megalabs+USA.exeC:\Program Files\CentraStage\AxInterop.ViewerX.dllexecutable
MD5:EDC5E696C4AD70F0BE6301F703AB3672
SHA256:C6E5F17B2BC91202A1C6A9F3F0547CD7F208368B4CFEBB53F234A55F87C5ACD5
2016AgentSetup_Megalabs+USA.exeC:\Program Files\CentraStage\CagService.exeexecutable
MD5:037DFCD0BF0EA59F0CA84754B84CB454
SHA256:59D0CAC3452893491D0CB3A07C13476FBBAA432A89E13AE8627B1F6E77DD5F71
2016AgentSetup_Megalabs+USA.exeC:\Program Files\CentraStage\defaultbrand.zipcompressed
MD5:BE0A3C9E7408BDD9A9D9D004CA01ABF2
SHA256:865CC74F5B77E1DDFFA260084633236186F16139E08B4FB81DB4AAD2442BDC34
2016AgentSetup_Megalabs+USA.exeC:\Program Files\CentraStage\FsLexYacc.Runtime.dllexecutable
MD5:06B971620BDA7960F7D8E43CE69E3BBE
SHA256:B635BA89E9CC8455F252B7E24E5D2838F50AAF75121CA7D070BB7D6CF41A6235
2016AgentSetup_Megalabs+USA.exeC:\Program Files\CentraStage\Common.dllexecutable
MD5:461512677DF70D4F5DD79C5EBC93581B
SHA256:4B0D0DD963320AEE3E7766578C1E7C5A09FC97F37232846316646FE2A204B46D
2016AgentSetup_Megalabs+USA.exeC:\Program Files\CentraStage\Gui.exeexecutable
MD5:662EB4BCD2E039CC9D5F31AF268CFB01
SHA256:9AAB6B35F26B77F4205868A6D1D1CAC62B7C19E36F8B01AD445AE656AEC8EDC8
2016AgentSetup_Megalabs+USA.exeC:\Program Files\CentraStage\CagService.exe.configxml
MD5:ADBF1381C4BD54BD681A095A95E0D8CE
SHA256:FBEEAF6E9FB96D33E74B8631BCE0FC88352DE5D241611E13A349F6F89D2E2730
2016AgentSetup_Megalabs+USA.exeC:\Program Files\CentraStage\Core.XmlSerializers.dllexecutable
MD5:A63585435C0939CD87A2CC30BE7DD987
SHA256:E04D2FDB0FCF243E47DA40C9DA55F925C9A46DD176A6F935244AF076126F5E09
2016AgentSetup_Megalabs+USA.exeC:\Program Files\CentraStage\Core.dllexecutable
MD5:B64DCC032A34B5E1AB117E4DD8567794
SHA256:C482D745198D0B28479F863CE8FC84A33C0069BE05AE39238AF041A8358C1C04
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
7
TCP/UDP connections
61
DNS requests
27
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
488
lsass.exe
GET
304
23.32.238.192:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?fa455765e490287c
unknown
unknown
488
lsass.exe
GET
200
18.245.39.64:80
http://ocsp.rootg2.amazontrust.com/MFQwUjBQME4wTDAJBgUrDgMCGgUABBSIfaREXmfqfJR3TkMYnD7O5MhzEgQUnF8A36oB1zArOIiiuG1KnPIRkYMCEwZ%2FlEoqJ83z%2BsKuKwH5CO65xMY%3D
unknown
binary
1.49 Kb
unknown
488
lsass.exe
GET
200
108.138.2.107:80
http://o.ss2.us//MEowSDBGMEQwQjAJBgUrDgMCGgUABBSLwZ6EW5gdYc9UaSEaaLjjETNtkAQUv1%2B30c7dH4b0W1Ws3NcQwg6piOcCCQCnDkpMNIK3fw%3D%3D
unknown
binary
2.02 Kb
unknown
488
lsass.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAz1vQYrVgL0erhQLCPM8GY%3D
unknown
binary
471 b
unknown
488
lsass.exe
GET
200
13.32.26.76:80
http://ocsp.r2m01.amazontrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBShdVEFnSEQ0gG5CBtzM48cPMe9XwQUgbgOY4qJEhjl%2Bjs7UJWf5uWQE4UCEAzJ2HMRXZ9fh2bdFC4AxME%3D
unknown
binary
471 b
unknown
488
lsass.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSnxLiz3Fu1WB6n1%2FE6xWn1b0jXiQQUdIWAwGbH3zfez70pN6oDHb7tzRcCEAE79EFCzkbsC5kkahtMoSM%3D
unknown
binary
471 b
unknown
488
lsass.exe
GET
200
18.245.39.64:80
http://ocsp.rootca1.amazontrust.com/MFQwUjBQME4wTDAJBgUrDgMCGgUABBRPWaOUU8%2B5VZ5%2Fa9jFTaU9pkK3FAQUhBjMhTTsvAyUlC4IWZzHshBOCggCEwdzEjgLnWaIozse2b%2BczaaODg8%3D
unknown
binary
1.37 Kb
unknown
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:138
whitelisted
4
System
192.168.100.255:137
whitelisted
1080
svchost.exe
224.0.0.252:5355
unknown
1652
CagService.exe
34.232.189.146:443
vidalcc.centrastage.net
AMAZON-AES
US
unknown
1652
CagService.exe
13.32.99.103:443
update-vidal.centrastage.net
AMAZON-02
US
unknown
1652
CagService.exe
99.83.220.89:443
vidal-agent.centrastage.net
AMAZON-02
US
unknown
1652
CagService.exe
68.232.34.200:443
download.visualstudio.microsoft.com
EDGECAST
US
whitelisted
3012
AEMAgent.exe
13.32.99.78:443
update-vidal.centrastage.net
AMAZON-02
US
unknown
3012
AEMAgent.exe
100.24.149.210:443
features.vidal.rmm.datto.com
AMAZON-AES
US
unknown
3012
AEMAgent.exe
3.33.190.122:443
agent-gateway.vidal.rmm.datto.com
AMAZON-02
US
unknown

DNS requests

Domain
IP
Reputation
vidalcc.centrastage.net
  • 34.232.189.146
unknown
update-vidal.centrastage.net
  • 13.32.99.103
  • 13.32.99.78
  • 13.32.99.10
  • 13.32.99.109
unknown
vidal-agent.centrastage.net
  • 99.83.220.89
  • 75.2.34.181
unknown
download.visualstudio.microsoft.com
  • 68.232.34.200
whitelisted
features.vidal.rmm.datto.com
  • 100.24.149.210
  • 52.207.60.242
unknown
agent-gateway.vidal.rmm.datto.com
  • 3.33.190.122
  • 15.197.187.175
unknown
vidal-agent-notifications.centrastage.net
  • 35.71.189.82
  • 52.223.51.142
unknown
vidal-agent-comms.centrastage.net
  • 52.223.51.142
  • 35.71.189.82
unknown
vidal-monitoring.centrastage.net
  • 35.71.189.82
  • 52.223.51.142
unknown
webrtc.rmm.datto.com
  • 18.157.202.135
unknown

Threats

No threats detected
Process
Message
AEMAgent.exe
Profiler was prevented from loading notification profiler due to app settings. Process ID (decimal): 2316. Message ID: [0x2509].
AEMAgent.exe
Profiler was prevented from loading notification profiler due to app settings. Process ID (decimal): 3012. Message ID: [0x2509].
RMM.WebRemote.exe
Profiler was prevented from loading notification profiler due to app settings. Process ID (decimal): 1016. Message ID: [0x2509].
Interactive malware hunting service ANY.RUN
© 2017-2026 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
AgentSetup_Megalabs+USA.exe