File name: _472693_M10__HEW.EXE

Full analysis: https://app.any.run/tasks/91b4294d-9f77-4597-951c-4b404442117b
Verdict: Malicious activity
Threats:

Remote access trojans (RATs) are a type of malware that lets attackers take complete or partial control of infected computers. Such malicious programs often have a modular design, offering a wide range of functionality for conducting illicit activities on compromised systems. Among the most common RAT features are access to the user's data, webcam, and keystrokes. This malware is often distributed through phishing emails and links.

Analysis date: February 17, 2026, 17:17:57
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags: rat, anti-evasion, auto-reg
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 4 sections
MD5: 51BCE54A6CD4FB0C27B1AB25131114B2
SHA1: CCB0A3E404D123C4D25D035AE96E3D01100B7CD7
SHA256: 16116F9602E5EFB74E3043014C4F352B2120CDAFA1E810B965B7E4F2A077D219
SSDEEP: 196608:5et4U65AYTsq6P66XfO5ER/Qnm3RvzMjb0NABuKShR6:kt4U65AD2sfswRvzMUNABuphR6

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report may have been distorted by user actions and is provided as is, for the user's acknowledgement. ANY.RUN does not guarantee the maliciousness or safety of the content.
  • MALICIOUS

    • Changes the autorun value in the registry

      • vcredist_x86.exe (PID: 5660)
      • vcredist_x86.exe (PID: 4616)
      • ScriptRunner.Installer.exe (PID: 7244)
    • Executing a file with an untrusted certificate

      • vcredist_x86.exe (PID: 7788)
      • vcredist_x86.exe (PID: 7256)
      • vcredist_x86.exe (PID: 4616)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • _472693_M10__HEW.EXE.exe (PID: 7732)
      • agent.exe (PID: 8144)
      • agent.tmp (PID: 6472)
      • agent.exe (PID: 6336)
      • winagent.exe (PID: 1464)
      • vcredist_x86.exe (PID: 4352)
      • vcredist_x86.exe (PID: 5660)
      • vcredist_x86.exe (PID: 7788)
      • vcredist_x86.exe (PID: 7256)
      • ScriptRunnerInstaller-2.98.2.2.exe (PID: 8132)
      • ScriptRunnerInstaller-2.98.2.2.exe (PID: 7868)
      • ScriptRunner.Installer.exe (PID: 7244)
      • ScriptRunner.Installer.exe (PID: 4060)
    • Process drops legitimate windows executable

      • agent.tmp (PID: 6472)
      • winagent.exe (PID: 1464)
      • vcredist_x86.exe (PID: 4352)
      • vcredist_x86.exe (PID: 5660)
      • vcredist_x86.exe (PID: 7788)
      • vcredist_x86.exe (PID: 7256)
      • msiexec.exe (PID: 4712)
    • Reads the Windows owner or organization settings

      • agent.tmp (PID: 6472)
      • msiexec.exe (PID: 4712)
    • The process checks if it is being run in the virtual environment

      • winagent.exe (PID: 1464)
      • winagent.exe (PID: 3916)
    • Potential Corporate Privacy Violation

      • svchost.exe (PID: 2292)
    • Using short paths in the command line

      • winagent.exe (PID: 1464)
      • vcredist_x86.exe (PID: 5660)
      • vcredist_x86.exe (PID: 7788)
      • ScriptRunnerInstaller-2.98.2.2.exe (PID: 8132)
      • winagent.exe (PID: 3916)
    • Searches for installed software

      • winagent.exe (PID: 1464)
      • vcredist_x86.exe (PID: 4352)
      • vcredist_x86.exe (PID: 5660)
      • dllhost.exe (PID: 5508)
      • vcredist_x86.exe (PID: 7788)
      • vcredist_x86.exe (PID: 7256)
      • vcredist_x86.exe (PID: 4616)
      • ScriptRunnerInstaller-2.98.2.2.exe (PID: 7868)
      • ScriptRunner.Installer.exe (PID: 7244)
      • ScriptRunner.Installer.exe (PID: 4060)
      • ScriptRunner.Installer.exe (PID: 8432)
      • winagent.exe (PID: 3916)
      • assetscan.exe (PID: 3056)
    • Creates/Modifies COM task schedule object

      • winagent.exe (PID: 1464)
    • Executes as Windows Service

      • VSSVC.exe (PID: 8704)
      • winagent.exe (PID: 3916)
    • Application launched itself

      • vcredist_x86.exe (PID: 5660)
      • vcredist_x86.exe (PID: 7788)
      • vcredist_x86.exe (PID: 7256)
      • ScriptRunner.Installer.exe (PID: 3276)
      • ScriptRunner.Installer.exe (PID: 8432)
    • The process drops C-runtime libraries

      • msiexec.exe (PID: 4712)
    • Using the short paths format

      • winagent.exe (PID: 1464)
      • msiexec.exe (PID: 4712)
      • assetscan.exe (PID: 3056)
    • Starts itself from another location

      • ScriptRunnerInstaller-2.98.2.2.exe (PID: 7868)
    • The process creates files with name similar to system file names

      • ScriptRunnerInstaller-2.98.2.2.exe (PID: 7868)
    • Uses TASKKILL.EXE to kill process

      • msiexec.exe (PID: 2212)
    • Drops 7-zip archiver for unpacking

      • msiexec.exe (PID: 4712)
    • Executes application which crashes

      • winagent.exe (PID: 1464)
  • INFO

    • Create files in a temporary directory

      • _472693_M10__HEW.EXE.exe (PID: 7732)
      • agent.exe (PID: 8144)
      • agent.exe (PID: 6336)
      • agent.tmp (PID: 6472)
      • vcredist_x86.exe (PID: 4352)
      • vcredist_x86.exe (PID: 7788)
      • vcredist_x86.exe (PID: 7256)
      • ScriptRunner.Installer.exe (PID: 4060)
    • Reads the computer name

      • _472693_M10__HEW.EXE.exe (PID: 7732)
      • agent.tmp (PID: 1068)
      • agent.tmp (PID: 6472)
      • winagent.exe (PID: 1464)
      • vcredist_x86.exe (PID: 5660)
      • vcredist_x86.exe (PID: 4352)
      • msiexec.exe (PID: 4712)
      • vcredist_x86.exe (PID: 7256)
      • vcredist_x86.exe (PID: 4616)
      • ScriptRunnerInstaller-2.98.2.2.exe (PID: 7868)
      • msiexec.exe (PID: 2212)
      • ScriptRunner.Installer.exe (PID: 7244)
      • ScriptRunner.Installer.exe (PID: 4060)
      • winagent.exe (PID: 3916)
      • assetscan.exe (PID: 3056)
    • Checks supported languages

      • _472693_M10__HEW.EXE.exe (PID: 7732)
      • agent.exe (PID: 8144)
      • agent.tmp (PID: 1068)
      • unzip.exe (PID: 8156)
      • unzip.exe (PID: 4368)
      • agent.exe (PID: 6336)
      • agent.tmp (PID: 6472)
      • vcredist_x86.exe (PID: 5660)
      • winagent.exe (PID: 1464)
      • vcredist_x86.exe (PID: 4352)
      • msiexec.exe (PID: 4712)
      • vcredist_x86.exe (PID: 7788)
      • vcredist_x86.exe (PID: 7256)
      • vcredist_x86.exe (PID: 4616)
      • ScriptRunnerInstaller-2.98.2.2.exe (PID: 8132)
      • ScriptRunnerInstaller-2.98.2.2.exe (PID: 7868)
      • msiexec.exe (PID: 2212)
      • ScriptRunner.Installer.exe (PID: 8432)
      • ScriptRunner.Installer.exe (PID: 7244)
      • ScriptRunner.Installer.exe (PID: 4060)
      • winagent.exe (PID: 3916)
      • ScriptRunner.Installer.exe (PID: 3276)
      • assetscan.exe (PID: 3056)
    • Reads security settings of Internet Explorer

      • _472693_M10__HEW.EXE.exe (PID: 7732)
      • agent.tmp (PID: 1068)
      • vcredist_x86.exe (PID: 5660)
      • vcredist_x86.exe (PID: 7256)
      • vcredist_x86.exe (PID: 4616)
      • ScriptRunnerInstaller-2.98.2.2.exe (PID: 7868)
    • Process checks computer location settings

      • _472693_M10__HEW.EXE.exe (PID: 7732)
      • agent.tmp (PID: 1068)
      • vcredist_x86.exe (PID: 7256)
      • ScriptRunnerInstaller-2.98.2.2.exe (PID: 7868)
    • Archive extraction using unzip

      • unzip.exe (PID: 4368)
    • The sample compiled with English language support

      • agent.tmp (PID: 6472)
      • winagent.exe (PID: 1464)
      • vcredist_x86.exe (PID: 4352)
      • vcredist_x86.exe (PID: 7788)
      • vcredist_x86.exe (PID: 5660)
      • msiexec.exe (PID: 4712)
      • vcredist_x86.exe (PID: 7256)
      • ScriptRunnerInstaller-2.98.2.2.exe (PID: 8132)
      • ScriptRunnerInstaller-2.98.2.2.exe (PID: 7868)
      • ScriptRunner.Installer.exe (PID: 7244)
      • ScriptRunner.Installer.exe (PID: 4060)
    • Drops script file

      • agent.tmp (PID: 6472)
      • winagent.exe (PID: 1464)
    • Creates a software uninstall entry

      • agent.tmp (PID: 6472)
      • vcredist_x86.exe (PID: 5660)
      • vcredist_x86.exe (PID: 4616)
      • msiexec.exe (PID: 4712)
      • ScriptRunner.Installer.exe (PID: 7244)
    • Creates files in the program directory

      • unzip.exe (PID: 4368)
      • agent.tmp (PID: 6472)
      • winagent.exe (PID: 1464)
      • vcredist_x86.exe (PID: 4352)
      • vcredist_x86.exe (PID: 5660)
      • ScriptRunnerInstaller-2.98.2.2.exe (PID: 7868)
      • ScriptRunner.Installer.exe (PID: 7244)
      • winagent.exe (PID: 3916)
      • assetscan.exe (PID: 3056)
    • Reads the machine GUID from the registry

      • winagent.exe (PID: 1464)
      • msiexec.exe (PID: 4712)
      • vcredist_x86.exe (PID: 5660)
      • vcredist_x86.exe (PID: 4616)
      • ScriptRunnerInstaller-2.98.2.2.exe (PID: 7868)
      • ScriptRunner.Installer.exe (PID: 7244)
      • ScriptRunner.Installer.exe (PID: 4060)
      • winagent.exe (PID: 3916)
    • There is functionality for taking screenshot (YARA)

      • winagent.exe (PID: 1464)
    • Reads Environment values

      • winagent.exe (PID: 1464)
      • winagent.exe (PID: 3916)
      • assetscan.exe (PID: 3056)
    • Reads product name

      • winagent.exe (PID: 1464)
      • winagent.exe (PID: 3916)
      • assetscan.exe (PID: 3056)
    • Manages system restore points

      • SrTasks.exe (PID: 1424)
    • Launching a file from a Registry key

      • vcredist_x86.exe (PID: 5660)
      • vcredist_x86.exe (PID: 4616)
      • ScriptRunner.Installer.exe (PID: 7244)
    • Checks proxy server information

      • vcredist_x86.exe (PID: 5660)
      • slui.exe (PID: 5460)
      • WerFault.exe (PID: 6424)
    • Creates files or folders in the user directory

      • vcredist_x86.exe (PID: 5660)
      • WerFault.exe (PID: 6424)
    • Manual execution by a user

      • vcredist_x86.exe (PID: 7788)
      • ScriptRunner.Installer.exe (PID: 8432)
    • The sample compiled with Italian language support

      • msiexec.exe (PID: 4712)
    • The sample compiled with Spanish language support

      • msiexec.exe (PID: 4712)
    • The sample compiled with French language support

      • msiexec.exe (PID: 4712)
    • The sample compiled with German language support

      • msiexec.exe (PID: 4712)
    • The sample compiled with Chinese language support

      • msiexec.exe (PID: 4712)
    • Creating file in SysWOW64

      • msiexec.exe (PID: 4712)
    • Executable content was dropped or overwritten

      • msiexec.exe (PID: 4712)
    • The sample compiled with Korean language support

      • msiexec.exe (PID: 4712)
    • The sample compiled with Japanese language support

      • msiexec.exe (PID: 4712)
    • The sample compiled with Russian language support

      • msiexec.exe (PID: 4712)
    • Reads Windows Product ID

      • assetscan.exe (PID: 3056)
Find more information about signature artifacts and the mapping to the MITRE ATT&CK™ matrix in the full report.
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (42.2)
.exe | Win64 Executable (generic) (37.3)
.dll | Win32 Dynamic Link Library (generic) (8.8)
.exe | Win32 Executable (generic) (6)
.exe | Generic Win/DOS Executable (2.7)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2007:07:22 02:33:09+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit
PEType: PE32
LinkerVersion: 6
CodeSize: 74752
InitializedDataSize: 21504
UninitializedDataSize: -
EntryPoint: 0x11de6
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 1.2.0.715
ProductVersionNumber: 1.2.0.715
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Windows NT 32-bit
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
CompanyName: N-able Technologies
FileDescription: Advanced Monitoring Agent Setup
FileVersion: -
InternalName: -
OriginalFileName: -
ProductName: Advanced Monitoring Agent
ProductVersion: -
All screenshots are available in the full report
Total processes: 196
Monitored processes: 35
Malicious processes: 7
Suspicious processes: 5

Behavior graph

Process chain as shown in the graph (processes tagged "no specs" are kept as tagged in the report): start, _472693_m10__hew.exe.exe, agent.exe, agent.tmp (no specs), agent.exe, agent.tmp, unzip.exe (no specs), conhost.exe (no specs), unzip.exe (no specs), conhost.exe (no specs), winagent.exe, svchost.exe, slui.exe, vcredist_x86.exe, vcredist_x86.exe, SPPSurrogate (no specs), vssvc.exe (no specs), srtasks.exe (no specs), conhost.exe (no specs), msiexec.exe, vcredist_x86.exe, vcredist_x86.exe, vcredist_x86.exe, scriptrunnerinstaller-2.98.2.2.exe, scriptrunnerinstaller-2.98.2.2.exe, scriptrunner.installer.exe, msiexec.exe (no specs), taskkill.exe (no specs), conhost.exe (no specs), scriptrunner.installer.exe (no specs), scriptrunner.installer.exe (no specs), scriptrunner.installer.exe, winagent.exe, werfault.exe, assetscan.exe (no specs), tiworker.exe (no specs)

Process information

Fields per process: PID, CMD, Path, Indicators, Parent process
PID: 132
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: unzip.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 1068
CMD: "C:\Users\admin\AppData\Local\Temp\is-DPI9L.tmp\agent.tmp" /SL5="$220374,14350441,56832,C:\Users\admin\AppData\Local\Temp\7ZipSfx.000\agent.exe" /VERYSILENT /norestart
Path: C:\Users\admin\AppData\Local\Temp\is-DPI9L.tmp\agent.tmp
Parent process: agent.exe
User: admin
Integrity Level: MEDIUM
Description: Setup/Uninstall
Exit code: 0
Version: 51.52.0.0
Modules (images):
c:\users\admin\appdata\local\temp\is-dpi9l.tmp\agent.tmp
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
PID: 1424
CMD: C:\WINDOWS\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:15
Path: C:\Windows\System32\SrTasks.exe
Parent process: dllhost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Microsoft® Windows System Protection background tasks.
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\srtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
PID: 1464
CMD: "C:\Program Files (x86)\Advanced Monitoring Agent\winagent.exe" /autoinstall
Path: C:\Program Files (x86)\Advanced Monitoring Agent\winagent.exe
Parent process: agent.tmp
User: admin
Company: Remote Monitoring
Integrity Level: HIGH
Description: winagent
Exit code: 3221225477
Version: 10.14.4
Modules (images):
c:\program files (x86)\advanced monitoring agent\winagent.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\rpcrt4.dll
PID: 1568
CMD: C:\WINDOWS\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.3989_none_7ddb45627cb30e03\TiWorker.exe -Embedding
Path: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.3989_none_7ddb45627cb30e03\TiWorker.exe
Parent process: svchost.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Windows Modules Installer Worker
Version: 10.0.19041.3989 (WinBuild.160101.0800)
Modules (images):
c:\windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.3989_none_7ddb45627cb30e03\tiworker.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
PID: 2212
CMD: C:\Windows\syswow64\MsiExec.exe -Embedding 05E97F11160A036E73B42A2319DF85ED
Path: C:\Windows\SysWOW64\msiexec.exe
Parent process: msiexec.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows® installer
Exit code: 0
Version: 5.0.19041.3636 (WinBuild.160101.0800)
Modules (images):
c:\windows\syswow64\msiexec.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\aclayers.dll
PID: 2292
CMD: C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s Dnscache
Path: C:\Windows\System32\svchost.exe
Parent process: services.exe
User: NETWORK SERVICE
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Host Process for Windows Services
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
PID: 3056
CMD: "C:\PROGRA~2\ADVANC~1\assetscan.exe" -M SCAN
Path: C:\Program Files (x86)\Advanced Monitoring Agent\assetscan.exe
Parent process: winagent.exe
User: SYSTEM
Integrity Level: SYSTEM
Exit code: 0
Modules (images):
c:\program files (x86)\advanced monitoring agent\assetscan.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\psapi.dll
PID: 3276
CMD: "C:\ProgramData\Package Cache\{453ebf40-12e8-45ff-9b3f-05cd1a25e839}\ScriptRunner.Installer.exe"
Path: C:\ProgramData\Package Cache\{453ebf40-12e8-45ff-9b3f-05cd1a25e839}\ScriptRunner.Installer.exe
Parent process: ScriptRunner.Installer.exe
User: admin
Company: N-able
Integrity Level: MEDIUM
Description: ScriptRunner Bootstrap Installer
Exit code: 0
Version: 2.98.2.2
Modules (images):
c:\programdata\package cache\{453ebf40-12e8-45ff-9b3f-05cd1a25e839}\scriptrunner.installer.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\advapi32.dll
c:\windows\syswow64\msvcrt.dll
PID: 3916
CMD: "C:\Program Files (x86)\Advanced Monitoring Agent\winagent.exe"
Path: C:\Program Files (x86)\Advanced Monitoring Agent\winagent.exe
Parent process: services.exe
User: SYSTEM
Company: Remote Monitoring
Integrity Level: SYSTEM
Description: winagent
Version: 10.14.4
Modules (images):
c:\program files (x86)\advanced monitoring agent\winagent.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\rpcrt4.dll
c:\windows\syswow64\psapi.dll
Total events: 74 630
Read events: 73 799
Write events: 740
Delete events: 91

Modification events

The ten events below share the same process, key and operation:
(PID) Process: (6472) agent.tmp
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Advanced Monitoring Agent_is1
Operation: write

Name: Inno Setup: Setup Version | Value: 5.5.3 (a)
Name: Inno Setup: App Path | Value: C:\Program Files (x86)\Advanced Monitoring Agent
Name: InstallLocation | Value: C:\Program Files (x86)\Advanced Monitoring Agent\
Name: Inno Setup: Icon Group | Value: Advanced Monitoring Agent
Name: Inno Setup: User | Value: admin
Name: Inno Setup: Language | Value: UKEnglish
Name: DisplayName | Value: Advanced Monitoring Agent
Name: UninstallString | Value: "C:\Program Files (x86)\Advanced Monitoring Agent\unins000.exe"
Name: QuietUninstallString | Value: "C:\Program Files (x86)\Advanced Monitoring Agent\unins000.exe" /SILENT
Name: NoModify | Value: 1
Executable files: 177
Suspicious files: 107
Text files: 226
Unknown types: 4

Dropped files

Fields per row: PID | Process | Filename | Type, followed by the file's MD5 and SHA256.

7732 | _472693_M10__HEW.EXE.exe | C:\Users\admin\AppData\Local\Temp\7ZipSfx.000\package.zip | compressed
MD5: 41A1443AF86F4DB573551AD2817C7CE6
SHA256: 079358EC2DA0E231C4C4D339AC508FC7AA83BEA350731D1820408C75E4B6E740
6336 | agent.exe | C:\Users\admin\AppData\Local\Temp\is-1CNEL.tmp\agent.tmp | executable
MD5: A2C4D52C66B4B399FACADB8CC8386745
SHA256: 6C0465CE64C07E729C399A338705941D77727C7D089430957DF3E91A416E9D2A
7732 | _472693_M10__HEW.EXE.exe | C:\Users\admin\AppData\Local\Temp\7ZipSfx.000\agent.exe | executable
MD5: 3A64AD48A8D03E7ECC9F58355B8E393F
SHA256: 08CAF67A3DC4036552D26B87773B63620B2FC12455C8477F130FAE58EA77D0E4
6472 | agent.tmp | C:\Users\admin\AppData\Local\Temp\is-ER7I1.tmp\_isetup\_setup64.tmp | executable
MD5: C8871EFD8AF2CF4D9D42D1FF8FADBF89
SHA256: E4FC574A01B272C2D0AED0EC813F6D75212E2A15A5F5C417129DD65D69768F40
8144 | agent.exe | C:\Users\admin\AppData\Local\Temp\is-DPI9L.tmp\agent.tmp | executable
MD5: A2C4D52C66B4B399FACADB8CC8386745
SHA256: 6C0465CE64C07E729C399A338705941D77727C7D089430957DF3E91A416E9D2A
6472 | agent.tmp | C:\Program Files (x86)\Advanced Monitoring Agent\is-L96UD.tmp | executable
MD5: D7C918793B7F6EBFB34D34FCBF0A8749
SHA256: 9C2F4F7BDAB3FFD39EFAF9DD904CF031A38E1253B6645A61A2FA8364E0808299
6472 | agent.tmp | C:\Users\admin\AppData\Local\Temp\is-ER7I1.tmp\_isetup\_shfoldr.dll | executable
MD5: 92DC6EF532FBB4A5C3201469A5B5EB63
SHA256: 9884E9D1B4F8A873CCBD81F8AD0AE257776D2348D027D811A56475E028360D87
6472 | agent.tmp | C:\Program Files (x86)\Advanced Monitoring Agent\is-BVKLF.tmp | text
MD5: E4361DEF38811D2F295B5686BD2C2B5B
SHA256: 0E5882114864D4A708B472D524063867FA770958B770B67FC0AF7F8ED4757AD2
6472 | agent.tmp | C:\Program Files (x86)\Advanced Monitoring Agent\1.lng | text
MD5: E4361DEF38811D2F295B5686BD2C2B5B
SHA256: 0E5882114864D4A708B472D524063867FA770958B770B67FC0AF7F8ED4757AD2
6472 | agent.tmp | C:\Program Files (x86)\Advanced Monitoring Agent\is-B1AH9.tmp | text
MD5: 1190EE81B83F5CEA64FD4942D76C03CF
SHA256: D5D7923A30EE8BA3071AD0D74359362F116C4D914E154103F27A909CF842CCA0
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 101
TCP/UDP connections: 68
DNS requests: 33
Threats: 24

HTTP requests

Fields per row, in order: PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation. Rows show only the fields present in the report; "-" marks a row whose PID and process are not shown.

7544 | RUXIMICS.exe | GET | 200 | 2.16.164.120:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
7564 | svchost.exe | GET | 200 | 2.16.164.120:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
6768 | MoUsoCoreWorker.exe | GET | 200 | 2.16.164.120:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
1464 | winagent.exe | POST | 200 | 104.18.39.236:443 | https://upload1.am.remote.management/command/agentprocessor_v2.php | unknown | xml | 155 b | unknown
- | - | POST | 200 | 172.64.148.20:443 | https://upload1.am.remote.management/command/agentprocessor_v2.php | unknown | xml | 155 b | unknown
1464 | winagent.exe | POST | 200 | 104.18.39.236:443 | https://upload2.am.remote.management/command/agentprocessor_v2.php | unknown | binary | 297 b | unknown
- | - | POST | 200 | 172.64.148.20:443 | https://upload2.am.remote.management/command/agentprocessor_v2.php | unknown | binary | 297 b | unknown
7412 | SIHClient.exe | GET | 304 | 20.165.94.63:443 | https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL | unknown | whitelisted
- | - | POST | 204 | 2.16.204.135:443 | https://www.bing.com/threshold/xls.aspx?t=5&dl=1&wsbc=1 | unknown | whitelisted
5568 | SearchApp.exe | POST | 204 | 2.16.204.159:443 | https://www.bing.com/threshold/xls.aspx?t=5&dl=1&wsbc=1 | unknown | whitelisted

Connections

Fields per row, in order: PID | Process | IP | Domain | ASN | CN | Reputation. Rows show only the fields present in the report.

7564 | svchost.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
4 | System | 192.168.100.255:137 | Not routed | whitelisted
7544 | RUXIMICS.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
6768 | MoUsoCoreWorker.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
4 | System | 192.168.100.255:138 | Not routed | whitelisted
7544 | RUXIMICS.exe | 2.16.164.120:80 | crl.microsoft.com | AKAMAI-ASN1 | NL | whitelisted
7564 | svchost.exe | 2.16.164.120:80 | crl.microsoft.com | AKAMAI-ASN1 | NL | whitelisted
6768 | MoUsoCoreWorker.exe | 2.16.164.120:80 | crl.microsoft.com | AKAMAI-ASN1 | NL | whitelisted
6768 | MoUsoCoreWorker.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
7564 | svchost.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.104.136.2
  • 4.231.128.59
whitelisted
self.events.data.microsoft.com
  • 20.189.173.26
  • 20.42.65.93
whitelisted
google.com
  • 142.250.187.206
whitelisted
crl.microsoft.com
  • 2.16.164.120
  • 2.16.164.72
  • 2.16.164.49
  • 184.24.77.37
  • 184.24.77.35
whitelisted
upload1.am.remote.management
  • 104.18.39.236
  • 172.64.148.20
unknown
upload2.am.remote.management
  • 104.18.39.236
  • 172.64.148.20
whitelisted
www.bing.com
  • 2.16.204.159
  • 2.16.204.158
  • 2.16.204.142
  • 2.16.204.151
  • 2.16.204.152
  • 2.16.204.145
  • 2.16.204.144
  • 2.16.204.150
  • 2.16.204.160
whitelisted
upload3.am.remote.management
  • 172.64.148.20
  • 104.18.39.236
unknown
rm-downloads.logicnow.com
  • 130.117.53.100
unknown
client.wns.windows.com
  • 172.211.123.249
  • 172.211.123.248
whitelisted

Threats

Fields per row: PID | Process | Class | Message; "-" marks a row whose PID and process are not shown.

2292 | svchost.exe | Potential Corporate Privacy Violation | ET INFO Observed DNS Query for Suspicious TLD (.management)
2292 | svchost.exe | Misc activity | ET INFO Observed RMM Domain in DNS Lookup (remote .management)
1464 | winagent.exe | Misc activity | ET INFO Observed RMM Domain in TLS SNI (remote .management)
2292 | svchost.exe | Potential Corporate Privacy Violation | ET INFO Observed DNS Query for Suspicious TLD (.management)
2292 | svchost.exe | Misc activity | ET INFO Observed RMM Domain in DNS Lookup (remote .management)
1464 | winagent.exe | Misc activity | ET INFO Observed RMM Domain in TLS SNI (remote .management)
2292 | svchost.exe | Potential Corporate Privacy Violation | ET INFO Observed DNS Query for Suspicious TLD (.management)
1464 | winagent.exe | Misc activity | ET INFO Observed RMM Domain in TLS SNI (remote .management)
2292 | svchost.exe | Misc activity | ET INFO Observed RMM Domain in DNS Lookup (remote .management)
- | - | Attempted Information Leak | HUNTING [ANY.RUN] Windows PC hostname observed in outbound connection
No debug info