File name: _682cf5e0f3142d3c993780f5cb50c313b4b353021e5f9eeaf43d97b77120d476.exe

Full analysis: https://app.any.run/tasks/04b673f0-43cd-4bf7-b4ac-e797dd3583a5
Verdict: Malicious activity
Analysis date: February 03, 2026, 17:45:16
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags: auto-reg, datto, rmm-tool
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows, Nullsoft Installer self-extracting archive, 7 sections
MD5: F4406CD10AA719B452370FEAA6A77688
SHA1: 02781D646115CEA395A34FE7F8431024B7716192
SHA256: 682CF5E0F3142D3C993780F5CB50C313B4B353021E5F9EEAF43D97B77120D476
SSDEEP: 98304:TAFF6WTv7klWurdC/JkrMtrUTvDnsZi7Ix8o942YqpSvP0ctvpi0JHNoB9BNroaz:8CAM9z0Q/2YMgB/8

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Changes the autorun value in the registry

      • _682cf5e0f3142d3c993780f5cb50c313b4b353021e5f9eeaf43d97b77120d476.exe (PID: 7772)
    • Registers / Runs the DLL via REGSVR32.EXE

      • CagService.exe (PID: 2432)
    • DATTO has been detected

      • CagService.exe (PID: 2432)
  • SUSPICIOUS

    • Process drops legitimate windows executable

      • _682cf5e0f3142d3c993780f5cb50c313b4b353021e5f9eeaf43d97b77120d476.exe (PID: 7772)
    • The process creates files with name similar to system file names

      • _682cf5e0f3142d3c993780f5cb50c313b4b353021e5f9eeaf43d97b77120d476.exe (PID: 7772)
    • Malware-specific behavior (creating "System.dll" in Temp)

      • _682cf5e0f3142d3c993780f5cb50c313b4b353021e5f9eeaf43d97b77120d476.exe (PID: 7772)
    • Executes as Windows Service

      • CagService.exe (PID: 2432)
    • Searches for installed software

      • CagService.exe (PID: 2432)
    • Creates or modifies Windows services

      • CagService.exe (PID: 2432)
    • Creates/Modifies COM task schedule object

      • regsvr32.exe (PID: 1136)
  • INFO

    • Creates files in the program directory

      • _682cf5e0f3142d3c993780f5cb50c313b4b353021e5f9eeaf43d97b77120d476.exe (PID: 7772)
      • CagService.exe (PID: 2432)
      • Gui.exe (PID: 8100)
    • Creates files in a temporary directory

      • _682cf5e0f3142d3c993780f5cb50c313b4b353021e5f9eeaf43d97b77120d476.exe (PID: 7772)
    • Checks supported languages

      • _682cf5e0f3142d3c993780f5cb50c313b4b353021e5f9eeaf43d97b77120d476.exe (PID: 7772)
      • CagService.exe (PID: 2432)
      • Gui.exe (PID: 8100)
      • Gui.exe (PID: 3192)
    • The sample was compiled with English language support

      • _682cf5e0f3142d3c993780f5cb50c313b4b353021e5f9eeaf43d97b77120d476.exe (PID: 7772)
    • There is functionality for taking screenshot (YARA)

      • _682cf5e0f3142d3c993780f5cb50c313b4b353021e5f9eeaf43d97b77120d476.exe (PID: 7772)
      • Gui.exe (PID: 8100)
    • Launching a file from a Registry key

      • _682cf5e0f3142d3c993780f5cb50c313b4b353021e5f9eeaf43d97b77120d476.exe (PID: 7772)
    • Creates a software uninstall entry

      • _682cf5e0f3142d3c993780f5cb50c313b4b353021e5f9eeaf43d97b77120d476.exe (PID: 7772)
      • CagService.exe (PID: 2432)
    • Reads the computer name

      • _682cf5e0f3142d3c993780f5cb50c313b4b353021e5f9eeaf43d97b77120d476.exe (PID: 7772)
      • CagService.exe (PID: 2432)
      • Gui.exe (PID: 8100)
      • Gui.exe (PID: 3192)
    • DATTO has been detected

      • _682cf5e0f3142d3c993780f5cb50c313b4b353021e5f9eeaf43d97b77120d476.exe (PID: 7772)
      • CagService.exe (PID: 2432)
      • Gui.exe (PID: 8100)
      • CagService.exe (PID: 2432)
      • Gui.exe (PID: 3192)
    • Reads the machine GUID from the registry

      • CagService.exe (PID: 2432)
      • Gui.exe (PID: 8100)
      • Gui.exe (PID: 3192)
    • Reads security settings of Internet Explorer

      • Gui.exe (PID: 8100)
      • CagService.exe (PID: 2432)
      • Gui.exe (PID: 3192)
    • Creates files or folders in the user directory

      • Gui.exe (PID: 8100)
    • Reads Environment values

      • CagService.exe (PID: 2432)
    • Checks proxy server information

      • CagService.exe (PID: 2432)
      • slui.exe (PID: 5216)
    • Manual execution by a user

      • Gui.exe (PID: 3192)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | InstallShield setup (36.8)
.exe | Win32 Executable MS Visual C++ (generic) (26.6)
.exe | Win64 Executable (generic) (23.6)
.dll | Win32 Dynamic Link Library (generic) (5.6)
.exe | Win32 Executable (generic) (3.8)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2016:04:27 01:27:51+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit, No debug
PEType: PE32
LinkerVersion: 2.26
CodeSize: 35328
InitializedDataSize: 38912
UninitializedDataSize: 154112
EntryPoint: 0x4167
OSVersion: 4
ImageVersion: 6
SubsystemVersion: 4
Subsystem: Windows GUI
No data.
All screenshots are available in the full report
Total processes: 153
Monitored processes: 9
Malicious processes: 1
Suspicious processes: 1

Behavior graph

Nodes in the graph, in order ("no specs" marks processes with no attached indicators):
  • start
  • _682cf5e0f3142d3c993780f5cb50c313b4b353021e5f9eeaf43d97b77120d476.exe
  • cagservice.exe
  • conhost.exe (no specs)
  • gui.exe (no specs)
  • regsvr32.exe (no specs)
  • regsvr32.exe (no specs)
  • gui.exe (no specs)
  • slui.exe
  • _682cf5e0f3142d3c993780f5cb50c313b4b353021e5f9eeaf43d97b77120d476.exe (no specs)

Process information

PID: 1136
CMD: /s "C:\Program Files (x86)\CentraStage\scvncctrl.dll"
Path: C:\Windows\SysWOW64\regsvr32.exe
Parent process: regsvr32.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Microsoft(C) Register Server
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
  • c:\windows\syswow64\regsvr32.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\syswow64\ntdll.dll
  • c:\windows\system32\wow64.dll
  • c:\windows\system32\wow64win.dll
  • c:\windows\system32\wow64cpu.dll
  • c:\windows\syswow64\kernel32.dll
  • c:\windows\syswow64\kernelbase.dll
  • c:\windows\syswow64\apphelp.dll
  • c:\windows\syswow64\aclayers.dll

PID: 2432
CMD: "C:\Program Files (x86)\CentraStage\CagService.exe"
Path: C:\Program Files (x86)\CentraStage\CagService.exe
Parent process: services.exe
User: SYSTEM
Company: CentraStage
Integrity Level: SYSTEM
Description: CentraStage Service
Version: 4.4.10516.10516
Modules (images):
  • c:\program files (x86)\centrastage\cagservice.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\mscoree.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\advapi32.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\sechost.dll
  • c:\windows\system32\rpcrt4.dll
  • c:\windows\system32\bcrypt.dll

PID: 2824
CMD: "C:\WINDOWS\system32\regsvr32.exe" /s "C:\Program Files (x86)\CentraStage\scvncctrl.dll"
Path: C:\Windows\System32\regsvr32.exe
Parent process: CagService.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Microsoft(C) Register Server
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
  • c:\windows\system32\regsvr32.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\apphelp.dll
  • c:\windows\system32\aclayers.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\user32.dll
  • c:\windows\system32\win32u.dll
  • c:\windows\system32\gdi32.dll

PID: 3192
CMD: "C:\Program Files (x86)\CentraStage\Gui.exe"
Path: C:\Program Files (x86)\CentraStage\Gui.exe
Parent process: explorer.exe
User: admin
Company: CentraStage
Integrity Level: MEDIUM
Description: Agent Browser
Exit code: 0
Version: 4.4.10516.10516
Modules (images):
  • c:\program files (x86)\centrastage\gui.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\syswow64\ntdll.dll
  • c:\windows\system32\wow64.dll
  • c:\windows\system32\wow64win.dll
  • c:\windows\system32\wow64cpu.dll
  • c:\windows\syswow64\mscoree.dll
  • c:\windows\syswow64\kernel32.dll
  • c:\windows\syswow64\kernelbase.dll
  • c:\windows\syswow64\advapi32.dll

PID: 5216
CMD: C:\WINDOWS\System32\slui.exe -Embedding
Path: C:\Windows\System32\slui.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Activation Client
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
  • c:\windows\system32\slui.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\advapi32.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\sechost.dll
  • c:\windows\system32\rpcrt4.dll
  • c:\windows\system32\bcrypt.dll
  • c:\windows\system32\user32.dll

PID: 6852
CMD: "C:\Users\admin\Desktop\_682cf5e0f3142d3c993780f5cb50c313b4b353021e5f9eeaf43d97b77120d476.exe"
Path: C:\Users\admin\Desktop\_682cf5e0f3142d3c993780f5cb50c313b4b353021e5f9eeaf43d97b77120d476.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Exit code: 3221226540
Modules (images):
  • c:\users\admin\desktop\_682cf5e0f3142d3c993780f5cb50c313b4b353021e5f9eeaf43d97b77120d476.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\syswow64\ntdll.dll

PID: 7548
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: CagService.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Console Window Host
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
  • c:\windows\system32\conhost.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\msvcp_win.dll
  • c:\windows\system32\ucrtbase.dll
  • c:\windows\system32\shcore.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\combase.dll
  • c:\windows\system32\rpcrt4.dll

PID: 7772
CMD: "C:\Users\admin\Desktop\_682cf5e0f3142d3c993780f5cb50c313b4b353021e5f9eeaf43d97b77120d476.exe"
Path: C:\Users\admin\Desktop\_682cf5e0f3142d3c993780f5cb50c313b4b353021e5f9eeaf43d97b77120d476.exe
Parent process: explorer.exe
User: admin
Integrity Level: HIGH
Exit code: 0
Modules (images):
  • c:\users\admin\desktop\_682cf5e0f3142d3c993780f5cb50c313b4b353021e5f9eeaf43d97b77120d476.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\syswow64\ntdll.dll
  • c:\windows\system32\wow64.dll
  • c:\windows\system32\wow64win.dll
  • c:\windows\system32\wow64cpu.dll
  • c:\windows\syswow64\kernel32.dll
  • c:\windows\syswow64\kernelbase.dll
  • c:\windows\syswow64\apphelp.dll
  • c:\windows\syswow64\advapi32.dll

PID: 8100
CMD: "C:\Program Files (x86)\CentraStage\Gui.exe"
Path: C:\Program Files (x86)\CentraStage\Gui.exe
Parent process: _682cf5e0f3142d3c993780f5cb50c313b4b353021e5f9eeaf43d97b77120d476.exe
User: admin
Company: CentraStage
Integrity Level: HIGH
Description: Agent Browser
Version: 4.4.10516.10516
Modules (images):
  • c:\program files (x86)\centrastage\gui.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\syswow64\ntdll.dll
  • c:\windows\system32\wow64.dll
  • c:\windows\system32\wow64win.dll
  • c:\windows\system32\wow64cpu.dll
  • c:\windows\syswow64\mscoree.dll
  • c:\windows\syswow64\kernel32.dll
  • c:\windows\syswow64\kernelbase.dll
  • c:\windows\syswow64\apphelp.dll
Total events: 16 676
Read events: 16 640
Write events: 36
Delete events: 0

Modification events

(PID) Process: (7772) _682cf5e0f3142d3c993780f5cb50c313b4b353021e5f9eeaf43d97b77120d476.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run
Operation: write
Name: CentraStage
Value: C:\Program Files (x86)\CentraStage\Gui.exe

(PID) Process: (7772) _682cf5e0f3142d3c993780f5cb50c313b4b353021e5f9eeaf43d97b77120d476.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\CentraStage
Operation: write
Name: DisplayName
Value: CentraStage

(PID) Process: (7772) _682cf5e0f3142d3c993780f5cb50c313b4b353021e5f9eeaf43d97b77120d476.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\CentraStage
Operation: write
Name: UninstallString
Value: "C:\Program Files (x86)\CentraStage\uninst.exe"

(PID) Process: (7772) _682cf5e0f3142d3c993780f5cb50c313b4b353021e5f9eeaf43d97b77120d476.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\CentraStage
Operation: write
Name: DisplayIcon
Value: C:\Program Files (x86)\CentraStage\CSIcon.ico

(PID) Process: (7772) _682cf5e0f3142d3c993780f5cb50c313b4b353021e5f9eeaf43d97b77120d476.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\CentraStage
Operation: write
Name: URLInfoAbout
Value: http://www.centrastage.com

(PID) Process: (7772) _682cf5e0f3142d3c993780f5cb50c313b4b353021e5f9eeaf43d97b77120d476.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\CentraStage
Operation: write
Name: Publisher
Value: CentraStage Limited

(PID) Process: (7772) _682cf5e0f3142d3c993780f5cb50c313b4b353021e5f9eeaf43d97b77120d476.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\CentraStage
Operation: write
Name: AgentFolderLocation
Value: C:\ProgramData\CentraStage

(PID) Process: (7772) _682cf5e0f3142d3c993780f5cb50c313b4b353021e5f9eeaf43d97b77120d476.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\CentraStage
Operation: write
Name: AgentFolderStatus
Value: 0

(PID) Process: (2432) CagService.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\CentraStage
Operation: write
Name: AgentFolderStatus
Value: 3

(PID) Process: (2432) CagService.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\CentraStage
Operation: write
Name: DisplayName
Value: Datto RMM
Executable files: 45
Suspicious files: 5
Text files: 68
Unknown types: 1

Dropped files

PID: 7772
Process: _682cf5e0f3142d3c993780f5cb50c313b4b353021e5f9eeaf43d97b77120d476.exe
Filename: C:\Program Files (x86)\CentraStage\AxInterop.ViewerX.dll
Type: executable
MD5: EDC5E696C4AD70F0BE6301F703AB3672
SHA256: C6E5F17B2BC91202A1C6A9F3F0547CD7F208368B4CFEBB53F234A55F87C5ACD5

PID: 7772
Process: _682cf5e0f3142d3c993780f5cb50c313b4b353021e5f9eeaf43d97b77120d476.exe
Filename: C:\Program Files (x86)\CentraStage\defaultbrand.zip
Type: compressed
MD5: BE0A3C9E7408BDD9A9D9D004CA01ABF2
SHA256: 865CC74F5B77E1DDFFA260084633236186F16139E08B4FB81DB4AAD2442BDC34

PID: 7772
Process: _682cf5e0f3142d3c993780f5cb50c313b4b353021e5f9eeaf43d97b77120d476.exe
Filename: C:\Users\admin\AppData\Local\Temp\nsv6754.tmp\System.dll
Type: executable
MD5: C17103AE9072A06DA581DEC998343FC1
SHA256: DC58D8AD81CACB0C1ED72E33BFF8F23EA40B5252B5BB55D393A0903E6819AE2F

PID: 7772
Process: _682cf5e0f3142d3c993780f5cb50c313b4b353021e5f9eeaf43d97b77120d476.exe
Filename: C:\Program Files (x86)\CentraStage\AxInterop.MSTSCLib.dll
Type: executable
MD5: 0F581E56ED5BA500CE5D98D105B04A37
SHA256: F041747B5B6B20B6620CA13A7B276C9E9070E54CDA8C29F6ADD54CBA9A42A2F5

PID: 7772
Process: _682cf5e0f3142d3c993780f5cb50c313b4b353021e5f9eeaf43d97b77120d476.exe
Filename: C:\Program Files (x86)\CentraStage\CagService.exe
Type: executable
MD5: 05BC5532D193DD7D8C9809EEFE5F6717
SHA256: 74C94094F7FE86C9969093456C4C167F129F9E1943C29C669B8E57CCE3B3B07D

PID: 7772
Process: _682cf5e0f3142d3c993780f5cb50c313b4b353021e5f9eeaf43d97b77120d476.exe
Filename: C:\Program Files (x86)\CentraStage\Core.XmlSerializers.dll
Type: binary
MD5: 234829A34A9D264DACD52C5B0CBDB95A
SHA256: 0DF23B577E3CB2CF8B1FC356EB3A70FAEB89E3974871855E2C2FF33953053371

PID: 7772
Process: _682cf5e0f3142d3c993780f5cb50c313b4b353021e5f9eeaf43d97b77120d476.exe
Filename: C:\Program Files (x86)\CentraStage\CagService.exe.config
Type: xml
MD5: 0767014F789B4A4ECA3203857031BE9B
SHA256: C80E382A7C5FBFC9CA579989DB48A77A11FD190992001CBD822303A9EE4208F4

PID: 7772
Process: _682cf5e0f3142d3c993780f5cb50c313b4b353021e5f9eeaf43d97b77120d476.exe
Filename: C:\Program Files (x86)\CentraStage\Common.dll
Type: executable
MD5: 997DC0EB0F031A6B5B0F5BBCFA45A056
SHA256: AB94B6AACE3B74ED0FA4A70A199606E1BF8C312B81D1C075F1B3A40E47922CBA

PID: 7772
Process: _682cf5e0f3142d3c993780f5cb50c313b4b353021e5f9eeaf43d97b77120d476.exe
Filename: C:\Program Files (x86)\CentraStage\Microsoft.Threading.Tasks.Extensions.Desktop.dll
Type: executable
MD5: E548A93D16964E52868C47CEF1C98F2E
SHA256: F71621C47C610E0886846CF53D955FD0E7448951F99ECC22FACD47493EF97A87

PID: 7772
Process: _682cf5e0f3142d3c993780f5cb50c313b4b353021e5f9eeaf43d97b77120d476.exe
Filename: C:\Program Files (x86)\CentraStage\Core.dll
Type: executable
MD5: B0F179E4047B97F8DE9744743E878486
SHA256: 87AF304C8FB7C84B15F160331E1A4C803EEB6F4632499875A7D8F438353DCC63
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 40
TCP/UDP connections: 49
DNS requests: 20
Threats: 6

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
5160 | SIHClient.exe | GET | 304 | 74.178.240.61:443 | https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL | US | - | - | whitelisted
5160 | SIHClient.exe | GET | 200 | 13.95.31.18:443 | https://fe3cr.delivery.mp.microsoft.com/clientwebservice/ping | US | - | - | whitelisted
5160 | SIHClient.exe | GET | 200 | 74.178.240.61:443 | https://slscr.update.microsoft.com/sls/ping | US | - | - | whitelisted
5160 | SIHClient.exe | GET | 304 | 74.178.240.61:443 | https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL | US | - | - | whitelisted
- | - | POST | 200 | 40.126.32.138:443 | https://login.live.com/RST2.srf | US | xml | 10.3 Kb | unknown
- | - | GET | 200 | 23.53.41.90:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | NL | binary | 825 b | whitelisted
7304 | svchost.exe | GET | 200 | 23.53.41.90:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | NL | binary | 825 b | whitelisted
5160 | SIHClient.exe | GET | 304 | 74.178.240.61:443 | https://slscr.update.microsoft.com/SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL | US | - | - | whitelisted
6768 | MoUsoCoreWorker.exe | GET | 200 | 23.53.41.90:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | NL | binary | 825 b | whitelisted
- | - | POST | 200 | 20.190.160.22:443 | https://login.live.com/RST2.srf | US | xml | 10.3 Kb | unknown

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
- | - | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
4 | System | 192.168.100.255:137 | - | Not routed | - | whitelisted
- | - | 2.16.204.139:443 | www.bing.com | AKAMAI-ASN1 | NL | whitelisted
- | - | 172.211.123.248:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
4 | System | 192.168.100.255:138 | - | Not routed | - | whitelisted
- | - | 23.53.41.90:80 | crl.microsoft.com | AKAMAI-ASN1 | NL | whitelisted
7304 | svchost.exe | 23.53.41.90:80 | crl.microsoft.com | AKAMAI-ASN1 | NL | whitelisted
6768 | MoUsoCoreWorker.exe | 23.53.41.90:80 | crl.microsoft.com | AKAMAI-ASN1 | NL | whitelisted
356 | svchost.exe | 40.126.32.138:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
7304 | svchost.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted

DNS requests

Domain | IP | Reputation
www.bing.com | 2.16.204.139, 2.16.204.145, 2.16.204.141, 2.16.204.138, 2.16.204.142, 2.16.204.135, 2.16.204.148, 2.16.204.160, 2.16.204.153 | whitelisted
client.wns.windows.com | 172.211.123.248 | whitelisted
google.com | 142.251.141.110 | whitelisted
crl.microsoft.com | 23.53.41.90, 23.53.40.178 | whitelisted
settings-win.data.microsoft.com | 4.231.128.59 | whitelisted
login.live.com | 40.126.32.138, 20.190.160.130, 40.126.32.134, 20.190.160.66, 40.126.32.68, 20.190.160.2, 20.190.160.14, 20.190.160.22 | whitelisted
vidalcc.centrastage.net | 44.199.36.241, 44.196.50.36 | unknown
slscr.update.microsoft.com | 74.178.240.61 | whitelisted
www.microsoft.com | 23.59.18.102 | whitelisted
fe3cr.delivery.mp.microsoft.com | 13.95.31.18 | whitelisted

Threats

PID | Process | Class | Message
2292 | svchost.exe | Misc activity | ET REMOTE_ACCESS DNS Query to Remote Monitoring and Management Domain (centrastage .net)
2432 | CagService.exe | Misc activity | ET REMOTE_ACCESS Observed Remote Monitoring and Management Domain (centrastage .net in TLS SNI)
2292 | svchost.exe | Misc activity | ET REMOTE_ACCESS DNS Query to Remote Monitoring and Management Domain (centrastage .net)
2432 | CagService.exe | Misc activity | ET REMOTE_ACCESS Observed Remote Monitoring and Management Domain (centrastage .net in TLS SNI)
2292 | svchost.exe | Misc activity | ET REMOTE_ACCESS DNS Query to Remote Monitoring and Management Domain (centrastage .net)
2432 | CagService.exe | Misc activity | ET REMOTE_ACCESS Observed Remote Monitoring and Management Domain (centrastage .net in TLS SNI)
No debug info