| File name: | AGENT_715666_V10_14_3_RW.EXE |
| Full analysis: | https://app.any.run/tasks/e10c7c0b-79b5-458e-b7a3-4fa759dcf678 |
| Verdict: | Malicious activity |
| Analysis date: | April 08, 2025, 20:19:00 |
| OS: | Windows 10 Professional (build: 19044, 64 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/vnd.microsoft.portable-executable |
| File info: | PE32 executable (GUI) Intel 80386, for MS Windows, 4 sections |
| MD5: | 2CDCA1372238415F2451E499680CB7E5 |
| SHA1: | C382639F530355C6CD38FD19E04EE2F13822B5BD |
| SHA256: | 4145F11F0228D56176802412D4B20E436C99C54A0271E9BEFA5FCC8D601879C6 |
| SSDEEP: | 196608:P4v9xVOU66AYTsq6P66XfOcfujqiGdA6nhRA:AvPVOU66AD2sfJfeqVNhRA |
MALICIOUS
Changes the autorun value in the registry
- vcredist_x86.exe (PID: 8148)
- ScriptRunner.Installer.exe (PID: 3332)
- winagent.exe (PID: 5728)
Starts NET.EXE to view/change users localgroup
- cmd.exe (PID: 8024)
- cmd.exe (PID: 7496)
- net.exe (PID: 7652)
- net.exe (PID: 6900)
Executing a file with an untrusted certificate
- rm.exe (PID: 3828)
SUSPICIOUS
Reads security settings of Internet Explorer
- AGENT_715666_V10_14_3_RW.EXE.exe (PID: 5024)
- agent.tmp (PID: 4652)
- vcredist_x86.exe (PID: 8148)
- ScriptRunnerInstaller-2.97.0.1.exe (PID: 8020)
- RequestHandlerAgent.exe (PID: 3828)
- FileCacheServiceAgent.exe (PID: 6644)
- PME.Agent.exe (PID: 4408)
- ManagedAntivirus.exe (PID: 664)
- ManagedAntivirus.exe (PID: 4448)
- ManagedAntivirus.exe (PID: 4452)
- NetworkManagement.exe (PID: 7568)
- opswat_20200203_x64_s20240416.exe (PID: 7396)
- WebProtection.exe (PID: 1052)
- WebProtection.exe (PID: 2596)
- TrayIcon.exe (PID: 7628)
Executable content was dropped or overwritten
- AGENT_715666_V10_14_3_RW.EXE.exe (PID: 5024)
- agent.exe (PID: 6944)
- agent.exe (PID: 7324)
- agent.tmp (PID: 7372)
- winagent.exe (PID: 7784)
- vcredist_x86.exe (PID: 8180)
- vcredist_x86.exe (PID: 8148)
- ScriptRunnerInstaller-2.97.0.1.exe (PID: 8020)
- ScriptRunnerInstaller-2.97.0.1.exe (PID: 6468)
- ScriptRunner.Installer.exe (PID: 3332)
- msp-agent-core.exe (PID: 7944)
- winagent.exe (PID: 5728)
- msp-agent-core-upgrade.exe (PID: 7516)
- PMESetup.exe (PID: 5740)
- PMESetup.tmp (PID: 6372)
- RequestHandlerAgentSetup.tmp (PID: 7936)
- RequestHandlerAgentSetup.exe (PID: 8024)
- FileCacheServiceAgentSetup.exe (PID: 7316)
- FileCacheServiceAgentSetup.tmp (PID: 6268)
- MAV-Installer.exe (PID: 7188)
- MAV-Installer.tmp (PID: 1760)
- NetworkManagementInstall.tmp (PID: 960)
- NetworkManagementInstall.exe (PID: 5176)
- ManagedAntivirus.exe (PID: 4452)
- opswat_20200203_x64_s20240416.exe (PID: 7396)
- FileCacheServiceAgent.exe (PID: 540)
- NetworkManagement.exe (PID: 2432)
- cmd.exe (PID: 3396)
- EchoInstall.tmp (PID: 840)
- EchoInstall.exe (PID: 680)
Reads the Windows owner or organization settings
- agent.tmp (PID: 7372)
- msiexec.exe (PID: 1328)
- FileCacheServiceAgentSetup.tmp (PID: 6268)
- EchoInstall.tmp (PID: 840)
- WebProtection.exe (PID: 1052)
Process drops legitimate windows executable
- agent.tmp (PID: 7372)
- winagent.exe (PID: 7784)
- vcredist_x86.exe (PID: 8180)
- vcredist_x86.exe (PID: 8148)
- msiexec.exe (PID: 1328)
- PMESetup.tmp (PID: 6372)
- RequestHandlerAgentSetup.tmp (PID: 7936)
- NetworkManagementInstall.tmp (PID: 960)
Searches for installed software
- winagent.exe (PID: 7784)
- vcredist_x86.exe (PID: 8180)
- vcredist_x86.exe (PID: 8148)
- dllhost.exe (PID: 1812)
- ScriptRunnerInstaller-2.97.0.1.exe (PID: 8020)
- ScriptRunner.Installer.exe (PID: 3332)
- winagent.exe (PID: 5728)
- assetscan.exe (PID: 5280)
- MAV-Installer.tmp (PID: 1760)
- NetworkManagementInstall.tmp (PID: 960)
- winagent.exe (PID: 5740)
- assetscan.exe (PID: 7388)
- winagent.exe (PID: 7652)
- ManagedAntivirus.exe (PID: 4452)
Creates/Modifies COM task schedule object
- winagent.exe (PID: 7784)
Application launched itself
- vcredist_x86.exe (PID: 8148)
Executes as Windows Service
- VSSVC.exe (PID: 1512)
- winagent.exe (PID: 5728)
- msp-agent-core.exe (PID: 7944)
- msp-agent-core.exe (PID: 5596)
- RequestHandlerAgent.exe (PID: 4944)
- PME.Agent.exe (PID: 5124)
- FileCacheServiceAgent.exe (PID: 540)
- ManagedAntivirus.exe (PID: 4452)
- NetworkManagement.exe (PID: 2432)
- NetworkManagementAndControl.exe (PID: 7772)
- WebProtection.exe (PID: 7880)
There is functionality for taking screenshot (YARA)
- winagent.exe (PID: 7784)
Creates a software uninstall entry
- vcredist_x86.exe (PID: 8148)
- ScriptRunner.Installer.exe (PID: 3332)
- RequestHandlerAgentSetup.tmp (PID: 7936)
- PMESetup.tmp (PID: 6372)
- FileCacheServiceAgentSetup.tmp (PID: 6268)
- MAV-Installer.tmp (PID: 1760)
- NetworkManagementInstall.tmp (PID: 960)
- EchoInstall.tmp (PID: 840)
The process drops C-runtime libraries
- msiexec.exe (PID: 1328)
The process creates files with name similar to system file names
- ScriptRunnerInstaller-2.97.0.1.exe (PID: 8020)
Starts itself from another location
- ScriptRunnerInstaller-2.97.0.1.exe (PID: 8020)
Uses TASKKILL.EXE to kill process
- msiexec.exe (PID: 6240)
Executes application which crashes
- winagent.exe (PID: 7784)
The process checks if it is being run in the virtual environment
- winagent.exe (PID: 5728)
- fmplugin.exe (PID: 6240)
Starts CMD.EXE for commands execution
- msp-agent-core.exe (PID: 3768)
- msp-agent-core.exe (PID: 7944)
- msp-agent-core.exe (PID: 7612)
- msp-agent-core.exe (PID: 7196)
- msp-agent-core.exe (PID: 5596)
- opswat_20200203_x64_s20240416.exe (PID: 7396)
- WebProtection.exe (PID: 1052)
Windows service management via SC.EXE
- sc.exe (PID: 5136)
- sc.exe (PID: 2192)
- sc.exe (PID: 6744)
- sc.exe (PID: 864)
- sc.exe (PID: 7508)
- sc.exe (PID: 5720)
- sc.exe (PID: 3968)
- sc.exe (PID: 7368)
- sc.exe (PID: 5592)
- sc.exe (PID: 6564)
- sc.exe (PID: 5200)
- sc.exe (PID: 6028)
- sc.exe (PID: 7208)
Uses ICACLS.EXE to modify access control lists
- RequestHandlerAgentSetup.tmp (PID: 7936)
- FileCacheServiceAgentSetup.tmp (PID: 6268)
- PMESetup.tmp (PID: 6372)
Restarts service on failure
- sc.exe (PID: 3884)
- sc.exe (PID: 840)
- sc.exe (PID: 2140)
- sc.exe (PID: 4268)
- sc.exe (PID: 896)
- sc.exe (PID: 5408)
Creates or modifies Windows services
- RequestHandlerAgent.exe (PID: 3828)
- PME.Agent.exe (PID: 4408)
- ManagedAntivirus.exe (PID: 664)
- NetworkManagement.exe (PID: 7568)
- NetworkManagement.exe (PID: 2432)
- WebProtection.exe (PID: 1052)
Starts SC.EXE for service management
- FileCacheServiceAgent.exe (PID: 6644)
- PME.Agent.exe (PID: 4408)
- ManagedAntivirus.exe (PID: 664)
- NetworkManagement.exe (PID: 7568)
- cmd.exe (PID: 496)
- WebProtection.exe (PID: 1052)
Adds/modifies Windows certificates
- winagent.exe (PID: 5728)
Executing commands from a ".bat" file
- opswat_20200203_x64_s20240416.exe (PID: 7396)
Reads the date of Windows installation
- NetworkManagement.exe (PID: 2432)
- WebProtection.exe (PID: 1052)
Potential Corporate Privacy Violation
- svchost.exe (PID: 2196)
Drops a system driver (possible attempt to evade defenses)
- EchoInstall.tmp (PID: 840)
INFO
Checks supported languages
- AGENT_715666_V10_14_3_RW.EXE.exe (PID: 5024)
- agent.exe (PID: 6944)
- agent.exe (PID: 7324)
- agent.tmp (PID: 7372)
- agent.tmp (PID: 4652)
- winagent.exe (PID: 7784)
- unzip.exe (PID: 7648)
- unzip.exe (PID: 7712)
- vcredist_x86.exe (PID: 8148)
- vcredist_x86.exe (PID: 8180)
- msiexec.exe (PID: 1328)
- ScriptRunnerInstaller-2.97.0.1.exe (PID: 6468)
- ScriptRunnerInstaller-2.97.0.1.exe (PID: 8020)
- ScriptRunner.Installer.exe (PID: 3332)
- msiexec.exe (PID: 6240)
- winagent.exe (PID: 5728)
- assetscan.exe (PID: 5280)
- msp-agent-core.exe (PID: 3768)
- msp-agent-core.exe (PID: 7944)
- msp-agent-core.exe (PID: 7612)
- msp-agent-core-upgrade.exe (PID: 5124)
- msp-agent-core-upgrade.exe (PID: 7516)
- msp-agent-core.exe (PID: 5596)
- RequestHandlerAgentSetup.exe (PID: 8024)
- msp-agent-core-upgrade.exe (PID: 7804)
- RequestHandlerAgent.exe (PID: 3828)
- RequestHandlerAgent.exe (PID: 4944)
- FileCacheServiceAgentSetup.tmp (PID: 6268)
- FileCacheServiceAgent.exe (PID: 6644)
- FileCacheServiceAgent.exe (PID: 540)
- fmplugin.exe (PID: 6240)
- PME.Agent.exe (PID: 4408)
- PME.Agent.exe (PID: 5124)
- msp-agent-core.exe (PID: 7348)
- MAV-Installer.exe (PID: 7188)
- MAV-Installer.tmp (PID: 1760)
- assetscan.exe (PID: 7388)
- ManagedAntivirus.exe (PID: 664)
- ManagedAntivirus.exe (PID: 4448)
- ManagedAntivirus.exe (PID: 4452)
- NetworkManagementInstall.tmp (PID: 960)
- NetworkManagementInstall.exe (PID: 5176)
- NetworkManagement.exe (PID: 4844)
- NetworkManagement.exe (PID: 7568)
- NetworkManagement.exe (PID: 2432)
- msp-agent-core.exe (PID: 300)
- opswat_20200203_x64_s20240416.exe (PID: 7396)
- msp-agent-core.exe (PID: 4464)
- winagent.exe (PID: 5740)
- msp-agent-core.exe (PID: 8188)
- msp-agent-core.exe (PID: 896)
- msp-agent-core.exe (PID: 5988)
- EchoInstall.exe (PID: 680)
- WebProtection.exe (PID: 1052)
- NetworkManagementAndControl.exe (PID: 872)
- WebProtection.exe (PID: 2596)
- WebProtection.exe (PID: 7880)
- winagent.exe (PID: 7652)
- msp-agent-core.exe (PID: 3888)
- msp-agent-core.exe (PID: 5364)
- msp-agent-core.exe (PID: 7828)
- msp-agent-core.exe (PID: 7376)
- msp-agent-core.exe (PID: 6676)
- msp-agent-core.exe (PID: 5244)
- winagent.exe (PID: 1676)
Process checks computer location settings
- AGENT_715666_V10_14_3_RW.EXE.exe (PID: 5024)
- agent.tmp (PID: 4652)
- ScriptRunnerInstaller-2.97.0.1.exe (PID: 8020)
- fmplugin.exe (PID: 6240)
Reads the computer name
- AGENT_715666_V10_14_3_RW.EXE.exe (PID: 5024)
- agent.tmp (PID: 4652)
- agent.tmp (PID: 7372)
- winagent.exe (PID: 7784)
- vcredist_x86.exe (PID: 8148)
- vcredist_x86.exe (PID: 8180)
- msiexec.exe (PID: 1328)
- ScriptRunnerInstaller-2.97.0.1.exe (PID: 8020)
- ScriptRunner.Installer.exe (PID: 3332)
- msiexec.exe (PID: 6240)
- winagent.exe (PID: 5728)
- assetscan.exe (PID: 5280)
- msp-agent-core.exe (PID: 3768)
- msp-agent-core.exe (PID: 7196)
- msp-agent-core.exe (PID: 5596)
- PMESetup.tmp (PID: 6372)
- RequestHandlerAgentSetup.exe (PID: 8024)
- RequestHandlerAgentSetup.tmp (PID: 7936)
- RequestHandlerAgent.exe (PID: 3828)
- FileCacheServiceAgentSetup.tmp (PID: 6268)
- RequestHandlerAgent.exe (PID: 4944)
- FileCacheServiceAgent.exe (PID: 6644)
- fmplugin.exe (PID: 6240)
- MAV-Installer.exe (PID: 7188)
- assetscan.exe (PID: 7388)
- PME.Agent.exe (PID: 5124)
- ManagedAntivirus.exe (PID: 4448)
- ManagedAntivirus.exe (PID: 4452)
- NetworkManagement.exe (PID: 4844)
- NetworkManagement.exe (PID: 2432)
- winagent.exe (PID: 5740)
- opswat_20200203_x64_s20240416.exe (PID: 7396)
- NetworkManagementAndControl.exe (PID: 7772)
- EchoInstall.exe (PID: 680)
- WebProtection.exe (PID: 1052)
- NetworkManagementAndControl.exe (PID: 872)
- rm.exe (PID: 3828)
- WebProtection.exe (PID: 2596)
- WebProtection.exe (PID: 7880)
- winagent.exe (PID: 1676)
- winagent.exe (PID: 7652)
Create files in a temporary directory
- AGENT_715666_V10_14_3_RW.EXE.exe (PID: 5024)
- agent.exe (PID: 6944)
- agent.exe (PID: 7324)
- agent.tmp (PID: 7372)
- vcredist_x86.exe (PID: 8180)
- ManagedAntivirus.exe (PID: 4452)
The sample compiled with english language support
- agent.tmp (PID: 7372)
- winagent.exe (PID: 7784)
- vcredist_x86.exe (PID: 8180)
- msiexec.exe (PID: 1328)
- vcredist_x86.exe (PID: 8148)
- ScriptRunnerInstaller-2.97.0.1.exe (PID: 6468)
- ScriptRunnerInstaller-2.97.0.1.exe (PID: 8020)
- ScriptRunner.Installer.exe (PID: 3332)
- msp-agent-core.exe (PID: 7944)
- msp-agent-core-upgrade.exe (PID: 7516)
- PMESetup.tmp (PID: 6372)
- MAV-Installer.tmp (PID: 1760)
- NetworkManagementInstall.tmp (PID: 960)
- opswat_20200203_x64_s20240416.exe (PID: 7396)
- cmd.exe (PID: 3396)
- ManagedAntivirus.exe (PID: 4452)
- EchoInstall.tmp (PID: 840)
Creates a software uninstall entry
- agent.tmp (PID: 7372)
- msiexec.exe (PID: 1328)
Creates files in the program directory
- unzip.exe (PID: 7648)
- winagent.exe (PID: 7784)
- agent.tmp (PID: 7372)
- vcredist_x86.exe (PID: 8180)
- vcredist_x86.exe (PID: 8148)
- ScriptRunnerInstaller-2.97.0.1.exe (PID: 8020)
- ScriptRunner.Installer.exe (PID: 3332)
- winagent.exe (PID: 5728)
- assetscan.exe (PID: 5280)
- msiexec.exe (PID: 5156)
- msp-agent-core.exe (PID: 3768)
- msp-agent-core.exe (PID: 7944)
- msp-agent-core-upgrade.exe (PID: 7516)
- msp-agent-core.exe (PID: 5596)
- RequestHandlerAgentSetup.tmp (PID: 7936)
- RequestHandlerAgent.exe (PID: 3828)
- PMESetup.tmp (PID: 6372)
- FileCacheServiceAgentSetup.tmp (PID: 6268)
- FileCacheServiceAgent.exe (PID: 6644)
- fmplugin.exe (PID: 6240)
- PME.Agent.exe (PID: 4408)
- FileCacheServiceAgent.exe (PID: 540)
- MAV-Installer.tmp (PID: 1760)
- ManagedAntivirus.exe (PID: 664)
- ManagedAntivirus.exe (PID: 4452)
- NetworkManagementInstall.tmp (PID: 960)
- NetworkManagement.exe (PID: 7568)
- opswat_20200203_x64_s20240416.exe (PID: 7396)
- cmd.exe (PID: 3396)
- NetworkManagement.exe (PID: 2432)
- NetworkManagementAndControl.exe (PID: 7772)
- EchoInstall.tmp (PID: 840)
- WebProtection.exe (PID: 1052)
- WebProtection.exe (PID: 7880)
Reads Environment values
- winagent.exe (PID: 7784)
- winagent.exe (PID: 5728)
- assetscan.exe (PID: 5280)
- FileCacheServiceAgent.exe (PID: 540)
- ManagedAntivirus.exe (PID: 4448)
- assetscan.exe (PID: 7388)
- ManagedAntivirus.exe (PID: 4452)
- NetworkManagement.exe (PID: 2432)
- winagent.exe (PID: 5740)
- WebProtection.exe (PID: 1052)
- WebProtection.exe (PID: 2596)
- winagent.exe (PID: 7652)
- winagent.exe (PID: 1676)
Reads the software policy settings
- winagent.exe (PID: 7784)
- vcredist_x86.exe (PID: 8148)
- msiexec.exe (PID: 1328)
- winagent.exe (PID: 5728)
- slui.exe (PID: 7276)
- msp-agent-core.exe (PID: 7944)
- msp-agent-core.exe (PID: 5596)
- RequestHandlerAgent.exe (PID: 3828)
- FileCacheServiceAgent.exe (PID: 6644)
- PME.Agent.exe (PID: 4408)
- ManagedAntivirus.exe (PID: 4452)
- slui.exe (PID: 5780)
- NetworkManagementInstall.tmp (PID: 960)
- NetworkManagement.exe (PID: 7568)
- winagent.exe (PID: 5740)
- NetworkManagement.exe (PID: 2432)
- WebProtection.exe (PID: 1052)
- WebProtection.exe (PID: 2596)
- WebProtection.exe (PID: 7880)
- winagent.exe (PID: 1676)
Reads product name
- winagent.exe (PID: 7784)
- winagent.exe (PID: 5728)
- assetscan.exe (PID: 5280)
- assetscan.exe (PID: 7388)
- winagent.exe (PID: 5740)
- winagent.exe (PID: 7652)
- winagent.exe (PID: 1676)
Manual execution by a user
- mspaint.exe (PID: 8044)
- WINWORD.EXE (PID: 5436)
- WINWORD.EXE (PID: 1116)
- WINWORD.EXE (PID: 5244)
- WINWORD.EXE (PID: 5360)
- WINWORD.EXE (PID: 5868)
- WINWORD.EXE (PID: 4976)
- WINWORD.EXE (PID: 7864)
- winagent.exe (PID: 1128)
- winagent.exe (PID: 1676)
Manages system restore points
- SrTasks.exe (PID: 6148)
Reads the machine GUID from the registry
- vcredist_x86.exe (PID: 8148)
- msiexec.exe (PID: 1328)
- ScriptRunnerInstaller-2.97.0.1.exe (PID: 8020)
- ScriptRunner.Installer.exe (PID: 3332)
- msp-agent-core.exe (PID: 7944)
- winagent.exe (PID: 5728)
- RequestHandlerAgent.exe (PID: 3828)
- RequestHandlerAgent.exe (PID: 4944)
- fmplugin.exe (PID: 6240)
- FileCacheServiceAgent.exe (PID: 6644)
- PME.Agent.exe (PID: 4408)
- PME.Agent.exe (PID: 5124)
- FileCacheServiceAgent.exe (PID: 540)
- ManagedAntivirus.exe (PID: 664)
- ManagedAntivirus.exe (PID: 4452)
- NetworkManagement.exe (PID: 4844)
- NetworkManagement.exe (PID: 7568)
- NetworkManagement.exe (PID: 2432)
- WebProtection.exe (PID: 1052)
- WebProtection.exe (PID: 7880)
- WebProtection.exe (PID: 2596)
- TrayIcon.exe (PID: 7628)
Checks proxy server information
- vcredist_x86.exe (PID: 8148)
- slui.exe (PID: 5780)
- NetworkManagement.exe (PID: 2432)
Creates files or folders in the user directory
- vcredist_x86.exe (PID: 8148)
- WerFault.exe (PID: 8068)
Executable content was dropped or overwritten
- msiexec.exe (PID: 1328)
The sample compiled with chinese language support
- msiexec.exe (PID: 1328)
The sample compiled with spanish language support
- msiexec.exe (PID: 1328)
The sample compiled with Italian language support
- msiexec.exe (PID: 1328)
The sample compiled with french language support
- msiexec.exe (PID: 1328)
The sample compiled with japanese language support
- msiexec.exe (PID: 1328)
The sample compiled with russian language support
- msiexec.exe (PID: 1328)
The sample compiled with german language support
- msiexec.exe (PID: 1328)
The sample compiled with korean language support
- msiexec.exe (PID: 1328)
Reads Windows Product ID
- assetscan.exe (PID: 5280)
- assetscan.exe (PID: 7388)
Checks operating system version
- msp-agent-core.exe (PID: 3768)
- msp-agent-core.exe (PID: 7944)
- msp-agent-core.exe (PID: 7612)
- msp-agent-core.exe (PID: 7196)
- msp-agent-core.exe (PID: 5596)
Drops encrypted JS script (Microsoft Script Encoder)
- msp-agent-core.exe (PID: 7944)
Disables trace logs
- FileCacheServiceAgent.exe (PID: 540)
- NetworkManagement.exe (PID: 2432)
- WebProtection.exe (PID: 1052)
SQLite executable
- NetworkManagementInstall.tmp (PID: 960)
- EchoInstall.tmp (PID: 840)
Reads CPU info
- WebProtection.exe (PID: 1052)
Reads the time zone
- fmplugin.exe (PID: 6240)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .exe | | | Win32 Executable MS Visual C++ (generic) (42.2) |
|---|---|---|
| .exe | | | Win64 Executable (generic) (37.3) |
| .dll | | | Win32 Dynamic Link Library (generic) (8.8) |
| .exe | | | Win32 Executable (generic) (6) |
| .exe | | | Generic Win/DOS Executable (2.7) |
EXIF
EXE
| MachineType: | Intel 386 or later, and compatibles |
|---|---|
| TimeStamp: | 2007:07:22 02:33:09+00:00 |
| ImageFileCharacteristics: | No relocs, Executable, No line numbers, No symbols, 32-bit |
| PEType: | PE32 |
| LinkerVersion: | 6 |
| CodeSize: | 74752 |
| InitializedDataSize: | 21504 |
| UninitializedDataSize: | - |
| EntryPoint: | 0x11de6 |
| OSVersion: | 4 |
| ImageVersion: | - |
| SubsystemVersion: | 4 |
| Subsystem: | Windows GUI |
| FileVersionNumber: | 1.2.0.715 |
| ProductVersionNumber: | 1.2.0.715 |
| FileFlagsMask: | 0x003f |
| FileFlags: | (none) |
| FileOS: | Windows NT 32-bit |
| ObjectFileType: | Executable application |
| FileSubtype: | - |
| LanguageCode: | Neutral |
| CharacterSet: | Unicode |
| CompanyName: | N-able Technologies |
| FileDescription: | Advanced Monitoring Agent Setup |
| FileVersion: | - |
| InternalName: | - |
| OriginalFileName: | - |
| ProductName: | Advanced Monitoring Agent |
| ProductVersion: | - |
Total processes
358
Monitored processes
206
Malicious processes
29
Suspicious processes
14
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 300 | "C:\Program Files (x86)\MSP Agent\msp-agent-core.exe" --provisioning_state | C:\Program Files (x86)\Msp Agent\msp-agent-core.exe | — | winagent.exe | |||||||||||
User: SYSTEM Company: N-able Technologies, Ltd. Integrity Level: SYSTEM Description: N-able MSP Agent Core Exit code: 0 Modules
| |||||||||||||||
| 300 | "C:\Program Files (x86)\MSP Agent\msp-agent-core.exe" --provisioning_state | C:\Program Files (x86)\Msp Agent\msp-agent-core.exe | — | winagent.exe | |||||||||||
User: SYSTEM Company: N-able Technologies, Ltd. Integrity Level: SYSTEM Description: N-able MSP Agent Core Exit code: 0 Modules
| |||||||||||||||
| 496 | "C:\Windows\System32\cmd.exe" /C sc delete AppRunningChecker | C:\Windows\System32\cmd.exe | — | WebProtection.exe | |||||||||||
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Windows Command Processor Exit code: 1060 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 540 | "C:\Program Files (x86)\Advanced Monitoring Agent\FileCacheServiceAgent\FileCacheServiceAgent.exe" | C:\Program Files (x86)\Advanced Monitoring Agent\FileCacheServiceAgent\FileCacheServiceAgent.exe | services.exe | ||||||||||||
User: LOCAL SERVICE Company: N-able Integrity Level: SYSTEM Description: FileCacheServiceAgent Version: 2.13.0.5051 Modules
| |||||||||||||||
| 644 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | icacls.exe | |||||||||||
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Console Window Host Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 664 | "C:\Program Files\Managed Antivirus\Managed Antivirus Master Service\ManagedAntivirus.exe" install cfea85e0-1d25-459a-8866-702b738a899f cdda3ca2-bc59-4562-8ace-0979dd9155da 3937605 webservice.uswe2.prd.cdo.system-monitor.com /avinstall | C:\Program Files\Managed Antivirus\Managed Antivirus Master Service\ManagedAntivirus.exe | MAV-Installer.tmp | ||||||||||||
User: SYSTEM Company: N-able Technologies Integrity Level: SYSTEM Description: Managed Antivirus Master Service Exit code: 0 Version: 57.6.1.22 Modules
| |||||||||||||||
| 680 | "C:\PROGRA~2\ADVANC~1\downloads\EchoInstall.exe" /verysilent /agent="65690f52-330d-495a-901e-efc664bb1303" /key="f4e44fe3-fc9b-4908-a05c-cb303ba277c5" /agent_id="1395710" /webserver="echo-us-west-2-svc.logicnow.us" /agent="65690f52-330d-495a-901e-efc664bb1303" /key="f4e44fe3-fc9b-4908-a05c-cb303ba277c5" /agent_id="1395710" /webserver="echo-us-west-2-svc.logicnow.us" /log="C:\PROGRA~2\ADVANC~1\Feature_12_Install.log" | C:\Program Files (x86)\Advanced Monitoring Agent\downloads\EchoInstall.exe | winagent.exe | ||||||||||||
User: SYSTEM Company: N-able Technologies, LTD Integrity Level: SYSTEM Description: Advanced Monitoring Agent Web Protection Setup Exit code: 0 Version: 5.36.3.3 Modules
| |||||||||||||||
| 736 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | msp-agent-core.exe | |||||||||||
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Console Window Host Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 840 | "sc.exe" failure "SolarWinds.MSP.CacheService" actions= restart/20000/restart/60000// reset= 240 | C:\Windows\System32\sc.exe | — | FileCacheServiceAgent.exe | |||||||||||
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Service Control Manager Configuration Tool Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 840 | "C:\WINDOWS\TEMP\is-VQSK9.tmp\EchoInstall.tmp" /SL5="$B0084,6445637,845824,C:\PROGRA~2\ADVANC~1\downloads\EchoInstall.exe" /verysilent /agent="65690f52-330d-495a-901e-efc664bb1303" /key="f4e44fe3-fc9b-4908-a05c-cb303ba277c5" /agent_id="1395710" /webserver="echo-us-west-2-svc.logicnow.us" /agent="65690f52-330d-495a-901e-efc664bb1303" /key="f4e44fe3-fc9b-4908-a05c-cb303ba277c5" /agent_id="1395710" /webserver="echo-us-west-2-svc.logicnow.us" /log="C:\PROGRA~2\ADVANC~1\Feature_12_Install.log" | C:\Windows\Temp\is-VQSK9.tmp\EchoInstall.tmp | EchoInstall.exe | ||||||||||||
User: SYSTEM Company: N-able Technologies, LTD Integrity Level: SYSTEM Description: Setup/Uninstall Exit code: 0 Version: 51.1052.0.0 Modules
| |||||||||||||||
Total events
205 143
Read events
201 307
Write events
3 524
Delete events
312
Modification events
| (PID) Process: | (7372) agent.tmp | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Advanced Monitoring Agent_is1 |
| Operation: | write | Name: | Inno Setup: Setup Version |
Value: 5.5.3 (a) | |||
| (PID) Process: | (7372) agent.tmp | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Advanced Monitoring Agent_is1 |
| Operation: | write | Name: | Inno Setup: App Path |
Value: C:\Program Files (x86)\Advanced Monitoring Agent | |||
| (PID) Process: | (7372) agent.tmp | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Advanced Monitoring Agent_is1 |
| Operation: | write | Name: | InstallLocation |
Value: C:\Program Files (x86)\Advanced Monitoring Agent\ | |||
| (PID) Process: | (7372) agent.tmp | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Advanced Monitoring Agent_is1 |
| Operation: | write | Name: | Inno Setup: Icon Group |
Value: Advanced Monitoring Agent | |||
| (PID) Process: | (7372) agent.tmp | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Advanced Monitoring Agent_is1 |
| Operation: | write | Name: | Inno Setup: User |
Value: admin | |||
| (PID) Process: | (7372) agent.tmp | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Advanced Monitoring Agent_is1 |
| Operation: | write | Name: | Inno Setup: Language |
Value: UKEnglish | |||
| (PID) Process: | (7372) agent.tmp | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Advanced Monitoring Agent_is1 |
| Operation: | write | Name: | DisplayName |
Value: Advanced Monitoring Agent | |||
| (PID) Process: | (7372) agent.tmp | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Advanced Monitoring Agent_is1 |
| Operation: | write | Name: | UninstallString |
Value: "C:\Program Files (x86)\Advanced Monitoring Agent\unins000.exe" | |||
| (PID) Process: | (7372) agent.tmp | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Advanced Monitoring Agent_is1 |
| Operation: | write | Name: | QuietUninstallString |
Value: "C:\Program Files (x86)\Advanced Monitoring Agent\unins000.exe" /SILENT | |||
| (PID) Process: | (7372) agent.tmp | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Advanced Monitoring Agent_is1 |
| Operation: | write | Name: | NoModify |
Value: 1 | |||
Executable files
634
Suspicious files
1 135
Text files
235
Unknown types
1
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 7324 | agent.exe | C:\Users\admin\AppData\Local\Temp\is-DF31Q.tmp\agent.tmp | executable | |
MD5:A2C4D52C66B4B399FACADB8CC8386745 | SHA256:6C0465CE64C07E729C399A338705941D77727C7D089430957DF3E91A416E9D2A | |||
| 6944 | agent.exe | C:\Users\admin\AppData\Local\Temp\is-0E56C.tmp\agent.tmp | executable | |
MD5:A2C4D52C66B4B399FACADB8CC8386745 | SHA256:6C0465CE64C07E729C399A338705941D77727C7D089430957DF3E91A416E9D2A | |||
| 5024 | AGENT_715666_V10_14_3_RW.EXE.exe | C:\Users\admin\AppData\Local\Temp\7ZipSfx.000\package.zip | compressed | |
MD5:0DC90A02E9C736D93F7F06D69260C682 | SHA256:AA4B0977F163A3B0230DC57B36D1A5DFED7D47752522C3D3F65DB0D6C5AD3337 | |||
| 7372 | agent.tmp | C:\Program Files (x86)\Advanced Monitoring Agent\3.lng | text | |
MD5:25ACC83AC6AEEBFE0BC6BDB16BD18654 | SHA256:3A21D91CB744AE5A380194E63F2B31A659867DF8927B9023526C3AB865E62848 | |||
| 7372 | agent.tmp | C:\Program Files (x86)\Advanced Monitoring Agent\is-NAJE0.tmp | text | |
MD5:AE2624E65E959A3CC5BFD1C90F85231F | SHA256:999EB14EABFBDAF625E5BBCC5237318B2DB016CDDCFB3827E3A262064589666C | |||
| 7372 | agent.tmp | C:\Program Files (x86)\Advanced Monitoring Agent\is-LHBIL.tmp | text | |
MD5:25ACC83AC6AEEBFE0BC6BDB16BD18654 | SHA256:3A21D91CB744AE5A380194E63F2B31A659867DF8927B9023526C3AB865E62848 | |||
| 5024 | AGENT_715666_V10_14_3_RW.EXE.exe | C:\Users\admin\AppData\Local\Temp\7ZipSfx.000\agent.exe | executable | |
MD5:7B0F0611E3C24C2E97F046C3146BD3FC | SHA256:BE772B1BC5E3534ED3A96BB5B1D842DC84B07EB03DF35AC6A89680E958D7BC5C | |||
| 7372 | agent.tmp | C:\Users\admin\AppData\Local\Temp\is-B3VH8.tmp\_isetup\_setup64.tmp | executable | |
MD5:C8871EFD8AF2CF4D9D42D1FF8FADBF89 | SHA256:E4FC574A01B272C2D0AED0EC813F6D75212E2A15A5F5C417129DD65D69768F40 | |||
| 7372 | agent.tmp | C:\Users\admin\AppData\Local\Temp\is-B3VH8.tmp\_isetup\_shfoldr.dll | executable | |
MD5:92DC6EF532FBB4A5C3201469A5B5EB63 | SHA256:9884E9D1B4F8A873CCBD81F8AD0AE257776D2348D027D811A56475E028360D87 | |||
| 7372 | agent.tmp | C:\Program Files (x86)\Advanced Monitoring Agent\is-J3ERU.tmp | executable | |
MD5:D7C918793B7F6EBFB34D34FCBF0A8749 | SHA256:9C2F4F7BDAB3FFD39EFAF9DD904CF031A38E1253B6645A61A2FA8364E0808299 | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
30
TCP/UDP connections
183
DNS requests
124
Threats
1
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
— | — | GET | 200 | 2.19.11.105:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | — | — | whitelisted |
6544 | svchost.exe | GET | 200 | 2.17.190.73:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | — | — | whitelisted |
6184 | SIHClient.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl | unknown | — | — | whitelisted |
6184 | SIHClient.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown | — | — | whitelisted |
8148 | vcredist_x86.exe | GET | 200 | 2.23.246.101:80 | http://www.microsoft.com/pkiops/crl/MicCodSigPCA2011_2011-07-08.crl | unknown | — | — | whitelisted |
8148 | vcredist_x86.exe | GET | 200 | 2.19.11.120:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | — | — | whitelisted |
8148 | vcredist_x86.exe | GET | 200 | 2.19.11.120:80 | http://crl.microsoft.com/pki/crl/products/microsoftrootcert.crl | unknown | — | — | whitelisted |
8148 | vcredist_x86.exe | GET | 200 | 2.19.11.120:80 | http://crl.microsoft.com/pki/crl/products/MicrosoftTimeStampPCA.crl | unknown | — | — | whitelisted |
5436 | WINWORD.EXE | GET | 200 | 2.17.190.73:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEApDqVCbATUviZV57HIIulA%3D | unknown | — | — | whitelisted |
8148 | vcredist_x86.exe | GET | 200 | 2.19.11.120:80 | http://crl.microsoft.com/pki/crl/products/MicCodSigPCA_08-31-2010.crl | unknown | — | — | whitelisted |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
2104 | svchost.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
— | — | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
— | — | 2.19.11.105:80 | crl.microsoft.com | Elisa Oyj | NL | whitelisted |
2112 | svchost.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
3216 | svchost.exe | 172.211.123.249:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | FR | whitelisted |
7784 | winagent.exe | 104.18.42.15:443 | upload1.systemmonitor.us | CLOUDFLARENET | — | whitelisted |
6544 | svchost.exe | 20.190.160.65:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
6544 | svchost.exe | 2.17.190.73:80 | ocsp.digicert.com | AKAMAI-AS | DE | whitelisted |
2104 | svchost.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
DNS requests
Domain | IP | Reputation |
|---|---|---|
settings-win.data.microsoft.com |
| whitelisted |
google.com |
| whitelisted |
crl.microsoft.com |
| whitelisted |
client.wns.windows.com |
| whitelisted |
upload1.systemmonitor.us |
| whitelisted |
upload2.systemmonitor.us |
| whitelisted |
login.live.com |
| whitelisted |
ocsp.digicert.com |
| whitelisted |
upload3.systemmonitor.us |
| whitelisted |
upload4.systemmonitor.us |
| whitelisted |
Threats
PID | Process | Class | Message |
|---|---|---|---|
2196 | svchost.exe | Potential Corporate Privacy Violation | ET INFO Observed DNS Query for Suspicious TLD (.management) |
Process | Message |
|---|---|
ManagedAntivirus.exe | Native library pre-loader is trying to load native SQLite library "C:\Program Files\Managed Antivirus\Managed Antivirus Master Service\x64\SQLite.Interop.dll"...
|
ManagedAntivirus.exe | Native library pre-loader is trying to load native SQLite library "C:\Program Files\Managed Antivirus\Managed Antivirus Master Service\x64\SQLite.Interop.dll"...
|
NetworkManagement.exe | Native library pre-loader is trying to load native SQLite library "C:\Program Files\Advanced Monitoring Agent Network Management\x64\SQLite.Interop.dll"...
|
NetworkManagement.exe | Native library pre-loader is trying to load native SQLite library "C:\Program Files\Advanced Monitoring Agent Network Management\x64\SQLite.Interop.dll"...
|
WebProtection.exe | Native library pre-loader is trying to load native SQLite library "C:\Program Files\Advanced Monitoring Agent Web Protection\x64\SQLite.Interop.dll"...
|
WebProtection.exe | Native library pre-loader is trying to load native SQLite library "C:\Program Files\Advanced Monitoring Agent Web Protection\x64\SQLite.Interop.dll"...
|