File name: Datto26TR.exe

Full analysis: https://app.any.run/tasks/1f0dd58b-9cff-4043-883f-85bcb0482d27
Verdict: Malicious activity
Analysis date: December 25, 2025, 06:21:17
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags: auto-reg, datto, rmm-tool
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows, Nullsoft Installer self-extracting archive, 7 sections
MD5: 20C01EBACF86B721569B03E67334ECAE
SHA1: 9A70E42266916C9CDFEC203D7B9BA0ADC795D8C4
SHA256: AA230280B27A8E092E0298453A5579944EB0315BF51B0624C52B66D9FD7BE32F
SSDEEP: 98304:TA06WTv7klWurdCgJkrMtrUTvDnsZi7Ix8o942YqpSvP0ctvpi0JHNoB9BNroaYk:bAM9z0Q/2YMgB/E

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Changes the autorun value in the registry

      • Datto26TR.exe (PID: 7928)
    • Registers / Runs the DLL via REGSVR32.EXE

      • CagService.exe (PID: 7504)
    • DATTO has been detected

      • CagService.exe (PID: 7504)
  • SUSPICIOUS

    • The process creates files with name similar to system file names

      • Datto26TR.exe (PID: 7928)
    • Executable content was dropped or overwritten

      • Datto26TR.exe (PID: 7928)
    • Malware-specific behavior (creating "System.dll" in Temp)

      • Datto26TR.exe (PID: 7928)
    • Process drops legitimate windows executable

      • Datto26TR.exe (PID: 7928)
    • There is functionality for taking screenshot (YARA)

      • Datto26TR.exe (PID: 7928)
      • Gui.exe (PID: 4476)
    • Executes as Windows Service

      • CagService.exe (PID: 7504)
    • Creates or modifies Windows services

      • CagService.exe (PID: 7504)
    • Searches for installed software

      • CagService.exe (PID: 7504)
    • Creates/Modifies COM task schedule object

      • regsvr32.exe (PID: 1164)
    • Reads security settings of Internet Explorer

      • CagService.exe (PID: 7504)
      • Gui.exe (PID: 4476)
      • Gui.exe (PID: 2252)
  • INFO

    • Creates files in the program directory

      • Datto26TR.exe (PID: 7928)
      • CagService.exe (PID: 7504)
      • Gui.exe (PID: 4476)
    • Create files in a temporary directory

      • Datto26TR.exe (PID: 7928)
    • Checks supported languages

      • Datto26TR.exe (PID: 7928)
      • CagService.exe (PID: 7504)
      • Gui.exe (PID: 4476)
      • Gui.exe (PID: 2252)
    • The sample compiled with english language support

      • Datto26TR.exe (PID: 7928)
    • Reads the computer name

      • Datto26TR.exe (PID: 7928)
      • CagService.exe (PID: 7504)
      • Gui.exe (PID: 4476)
      • Gui.exe (PID: 2252)
    • Launching a file from a Registry key

      • Datto26TR.exe (PID: 7928)
    • DATTO has been detected

      • Datto26TR.exe (PID: 7928)
      • CagService.exe (PID: 7504)
      • Gui.exe (PID: 4476)
      • CagService.exe (PID: 7504)
      • Gui.exe (PID: 2252)
    • Creates a software uninstall entry

      • Datto26TR.exe (PID: 7928)
      • CagService.exe (PID: 7504)
    • Reads the machine GUID from the registry

      • CagService.exe (PID: 7504)
      • Gui.exe (PID: 4476)
      • Gui.exe (PID: 2252)
    • Manual execution by a user

      • Gui.exe (PID: 2252)
    • Creates files or folders in the user directory

      • Gui.exe (PID: 4476)
    • Reads Environment values

      • CagService.exe (PID: 7504)
    • Checks proxy server information

      • CagService.exe (PID: 7504)
      • slui.exe (PID: 7536)
No Malware configuration.

TRiD

.exe | InstallShield setup (36.8)
.exe | Win32 Executable MS Visual C++ (generic) (26.6)
.exe | Win64 Executable (generic) (23.6)
.dll | Win32 Dynamic Link Library (generic) (5.6)
.exe | Win32 Executable (generic) (3.8)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2016:04:27 01:27:51+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit, No debug
PEType: PE32
LinkerVersion: 2.26
CodeSize: 35328
InitializedDataSize: 38912
UninitializedDataSize: 154112
EntryPoint: 0x4167
OSVersion: 4
ImageVersion: 6
SubsystemVersion: 4
Subsystem: Windows GUI
Total processes: 147
Monitored processes: 9
Malicious processes: 2
Suspicious processes: 0

Behavior graph

Graph nodes, from start: datto26tr.exe, cagservice.exe, conhost.exe (no specs), gui.exe (no specs), gui.exe (no specs), regsvr32.exe (no specs), regsvr32.exe (no specs), slui.exe, datto26tr.exe (no specs)

Process information

PID
CMD
Path
Indicators
Parent process
PID: 1164
CMD: /s "C:\Program Files (x86)\CentraStage\scvncctrl.dll"
Path: C:\Windows\SysWOW64\regsvr32.exe
Parent process: regsvr32.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Microsoft(C) Register Server
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\regsvr32.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\aclayers.dll

PID: 2252
CMD: "C:\Program Files (x86)\CentraStage\Gui.exe"
Path: C:\Program Files (x86)\CentraStage\Gui.exe
Parent process: explorer.exe
User: admin
Company: CentraStage
Integrity Level: MEDIUM
Description: Agent Browser
Exit code: 0
Version: 4.4.10516.10516
Modules
Images
c:\program files (x86)\centrastage\gui.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\mscoree.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\advapi32.dll

PID: 4476
CMD: "C:\Program Files (x86)\CentraStage\Gui.exe"
Path: C:\Program Files (x86)\CentraStage\Gui.exe
Parent process: Datto26TR.exe
User: admin
Company: CentraStage
Integrity Level: HIGH
Description: Agent Browser
Version: 4.4.10516.10516
Modules
Images
c:\program files (x86)\centrastage\gui.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\mscoree.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll

PID: 4508
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: CagService.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Console Window Host
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

PID: 5408
CMD: "C:\WINDOWS\system32\regsvr32.exe" /s "C:\Program Files (x86)\CentraStage\scvncctrl.dll"
Path: C:\Windows\System32\regsvr32.exe
Parent process: CagService.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Microsoft(C) Register Server
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\regsvr32.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll

PID: 7504
CMD: "C:\Program Files (x86)\CentraStage\CagService.exe"
Path: C:\Program Files (x86)\CentraStage\CagService.exe
Parent process: services.exe
User: SYSTEM
Company: CentraStage
Integrity Level: SYSTEM
Description: CentraStage Service
Version: 4.4.10516.10516
Modules
Images
c:\program files (x86)\centrastage\cagservice.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll

PID: 7536
CMD: C:\WINDOWS\System32\slui.exe -Embedding
Path: C:\Windows\System32\slui.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Activation Client
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll

PID: 7748
CMD: "C:\Users\admin\Desktop\Datto26TR.exe"
Path: C:\Users\admin\Desktop\Datto26TR.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Exit code: 3221226540
Modules
Images
c:\users\admin\desktop\datto26tr.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll

PID: 7928
CMD: "C:\Users\admin\Desktop\Datto26TR.exe"
Path: C:\Users\admin\Desktop\Datto26TR.exe
Parent process: explorer.exe
User: admin
Integrity Level: HIGH
Exit code: 0
Modules
Images
c:\users\admin\desktop\datto26tr.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
Total events: 16 665
Read events: 16 629
Write events: 36
Delete events: 0

Modification events

(PID) Process: (7928) Datto26TR.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run
Operation: write
Name: CentraStage
Value: C:\Program Files (x86)\CentraStage\Gui.exe

(PID) Process: (7928) Datto26TR.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\CentraStage
Operation: write
Name: DisplayName
Value: CentraStage

(PID) Process: (7928) Datto26TR.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\CentraStage
Operation: write
Name: UninstallString
Value: "C:\Program Files (x86)\CentraStage\uninst.exe"

(PID) Process: (7928) Datto26TR.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\CentraStage
Operation: write
Name: DisplayIcon
Value: C:\Program Files (x86)\CentraStage\CSIcon.ico

(PID) Process: (7928) Datto26TR.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\CentraStage
Operation: write
Name: URLInfoAbout
Value: http://www.centrastage.com

(PID) Process: (7928) Datto26TR.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\CentraStage
Operation: write
Name: Publisher
Value: CentraStage Limited

(PID) Process: (7928) Datto26TR.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\CentraStage
Operation: write
Name: AgentFolderLocation
Value: C:\ProgramData\CentraStage

(PID) Process: (7928) Datto26TR.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\CentraStage
Operation: write
Name: AgentFolderStatus
Value: 0

(PID) Process: (7504) CagService.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\CentraStage
Operation: write
Name: AgentFolderStatus
Value: 3

(PID) Process: (7504) CagService.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\CentraStage
Operation: write
Name: DisplayName
Value: Datto RMM

Executable files: 46
Suspicious files: 5
Text files: 65
Unknown types: 0

Dropped files

PID
Process
Filename
Type
PID: 7928
Process: Datto26TR.exe
Filename: C:\Program Files (x86)\CentraStage\AxInterop.MSTSCLib.dll
Type: executable
MD5:0F581E56ED5BA500CE5D98D105B04A37
SHA256:F041747B5B6B20B6620CA13A7B276C9E9070E54CDA8C29F6ADD54CBA9A42A2F5

PID: 7928
Process: Datto26TR.exe
Filename: C:\Program Files (x86)\CentraStage\CagService.exe.config
Type: xml
MD5:6FBB5FCC0492CDEDB212D11F6A1A4E78
SHA256:789BCD8161005DAAD1FFAFA8FCCD58093B7A0400E73DE7AD4ED47FCD7F1F1BAE

PID: 7928
Process: Datto26TR.exe
Filename: C:\Program Files (x86)\CentraStage\CSIcon.ico
Type: image
MD5:2F6FD9AA57AA40728A65FA006C7E0F17
SHA256:B59A0E0570D2A22CD51FB51FC106913F9048F2889FC3BD94A5A51BE1A5D102F9

PID: 7928
Process: Datto26TR.exe
Filename: C:\Program Files (x86)\CentraStage\AxInterop.ViewerX.dll
Type: executable
MD5:EDC5E696C4AD70F0BE6301F703AB3672
SHA256:C6E5F17B2BC91202A1C6A9F3F0547CD7F208368B4CFEBB53F234A55F87C5ACD5

PID: 7928
Process: Datto26TR.exe
Filename: C:\Users\admin\AppData\Local\Temp\nsp542.tmp\System.dll
Type: executable
MD5:C17103AE9072A06DA581DEC998343FC1
SHA256:DC58D8AD81CACB0C1ED72E33BFF8F23EA40B5252B5BB55D393A0903E6819AE2F

PID: 7928
Process: Datto26TR.exe
Filename: C:\Program Files (x86)\CentraStage\defaultbrand.zip
Type: compressed
MD5:BE0A3C9E7408BDD9A9D9D004CA01ABF2
SHA256:865CC74F5B77E1DDFFA260084633236186F16139E08B4FB81DB4AAD2442BDC34

PID: 7928
Process: Datto26TR.exe
Filename: C:\Program Files (x86)\CentraStage\FsLexYacc.Runtime.dll
Type: executable
MD5:06B971620BDA7960F7D8E43CE69E3BBE
SHA256:B635BA89E9CC8455F252B7E24E5D2838F50AAF75121CA7D070BB7D6CF41A6235

PID: 7928
Process: Datto26TR.exe
Filename: C:\Program Files (x86)\CentraStage\Microsoft.Threading.Tasks.dll
Type: executable
MD5:D01819BFE03222DFA9E35A36555B6B6C
SHA256:5F29E16EDFF5379E93D5BE9BEE4CDDF98132B84326027688511AC0F3157AAF94

PID: 7928
Process: Datto26TR.exe
Filename: C:\Program Files (x86)\CentraStage\nlog.config
Type: text
MD5:B9FCB1CEE2D0E148EBFCB6E320DF79E0
SHA256:926A539315D76D6F0A9A434DFD94A3753D235E6F429ED8E93EB059DA201770F3

PID: 7928
Process: Datto26TR.exe
Filename: C:\Program Files (x86)\CentraStage\Common.dll
Type: executable
MD5:997DC0EB0F031A6B5B0F5BBCFA45A056
SHA256:AB94B6AACE3B74ED0FA4A70A199606E1BF8C312B81D1C075F1B3A40E47922CBA
HTTP(S) requests: 10
TCP/UDP connections: 24
DNS requests: 12
Threats: 7

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
4300 | RUXIMICS.exe | GET | 304 | 4.231.128.59:443 | https://settings-win.data.microsoft.com/settings/v3.0/WSD/RUXIM?os=Windows&osVer=10.0.19045.4046.amd64fre.vb_release.191206-1406&sku=48&deviceClass=Windows.Desktop&locale=en-US&deviceId=s:BAD99146-31D3-4EC6-A1A4-BE76F32BA5D4&sampleId=s:95271487&appVer=10.0.19041.3623&OSVersionFull=10.0.19045.4046.amd64fre.vb_release.191206-1406&FlightRing=Retail&AttrDataVer=186&App=RUXIM&AppVer=&DeviceFamily=Windows.Desktop | US | whitelisted
6768 | MoUsoCoreWorker.exe | GET | 304 | 4.231.128.59:443 | https://settings-win.data.microsoft.com/settings/v3.0/wsd/muse?ProcessorClockSpeed=3094&FlightIds=&UpdateOfferedDays=562&BranchReadinessLevel=CB&OEMManufacturerName=DELL&IsCloudDomainJoined=0&ProcessorIdentifier=AMD64%20Family%2023%20Model%201%20Stepping%202&sku=48&ActivationChannel=Retail&AttrDataVer=186&IsMDMEnrolled=0&ProcessorCores=6&ProcessorModel=AMD%20Ryzen%205%203500%206-Core%20Processor&TotalPhysicalRAM=6144&PrimaryDiskType=4294967295&FlightingBranchName=&ChassisTypeId=1&OEMModelNumber=DELL&SystemVolumeTotalCapacity=260281&sampleId=95271487&deviceClass=Windows.Desktop&App=muse&DisableDualScan=0&AppVer=10.0&OEMSubModel=J5CR&locale=en-US&IsAlwaysOnAlwaysConnectedCapable=0&ms=0&DefaultUserRegion=244&UpdateServiceUrl=http%3A%2F%2Fneverupdatewindows10.com&osVer=10.0.19045.4046.amd64fre.vb_release.191206-1406&os=windows&deviceId=s%3ABAD99146-31D3-4EC6-A1A4-BE76F32BA5D4&DeferQualityUpdatePeriodInDays=0&ring=Retail&DeferFeatureUpdatePeriodInDays=30 | US | whitelisted
6768 | MoUsoCoreWorker.exe | GET | 200 | 2.16.241.19:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | NL | binary | 825 b | whitelisted
4300 | RUXIMICS.exe | GET | 200 | 2.16.241.19:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | NL | binary | 825 b | whitelisted
4300 | RUXIMICS.exe | GET | 200 | 23.59.18.102:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | US | binary | 814 b | whitelisted
1836 | slui.exe | POST | 500 | 48.192.1.65:443 | https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail | US | xml | 512 b | whitelisted
6768 | MoUsoCoreWorker.exe | GET | 200 | 23.59.18.102:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | US | binary | 814 b | whitelisted
POST | 500 | 48.192.1.64:443 | https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail | US | xml | 512 b | unknown
7536 | slui.exe | POST | 500 | 48.192.1.65:443 | https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail | US | xml | 512 b | whitelisted
POST | 500 | 48.192.1.64:443 | https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail | US | xml | 512 b | unknown

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | Not routed | whitelisted
6768 | MoUsoCoreWorker.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
4300 | RUXIMICS.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
4 | System | 192.168.100.255:138 | Not routed | whitelisted
3520 | svchost.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
6768 | MoUsoCoreWorker.exe | 2.16.241.19:80 | crl.microsoft.com | AKAMAI-ASN1 | NL | whitelisted
4300 | RUXIMICS.exe | 2.16.241.19:80 | crl.microsoft.com | AKAMAI-ASN1 | NL | whitelisted
4300 | RUXIMICS.exe | 23.59.18.102:80 | www.microsoft.com | AKAMAI-AS | US | whitelisted
6768 | MoUsoCoreWorker.exe | 23.59.18.102:80 | www.microsoft.com | AKAMAI-AS | US | whitelisted

DNS requests

Domain | IP | Reputation
settings-win.data.microsoft.com | 4.231.128.59, 51.104.136.2, 51.124.78.146 | whitelisted
google.com | 142.250.185.110 | whitelisted
crl.microsoft.com | 2.16.241.19, 2.16.241.12 | whitelisted
www.microsoft.com | 23.59.18.102 | whitelisted
vidalcc.centrastage.net | 34.193.53.123, 44.196.50.36 | whitelisted
self.events.data.microsoft.com | 51.104.15.253 | whitelisted
activation-v2.sls.microsoft.com | 48.192.1.65 | whitelisted

Threats

PID | Process | Class | Message
Unknown Traffic | ET USER_AGENTS Microsoft Dr Watson User-Agent (MSDW)
2292 | svchost.exe | Misc activity | ET REMOTE_ACCESS DNS Query to Remote Monitoring and Management Domain (centrastage .net)
7504 | CagService.exe | Misc activity | ET REMOTE_ACCESS Observed Remote Monitoring and Management Domain (centrastage .net in TLS SNI)
2292 | svchost.exe | Misc activity | ET REMOTE_ACCESS DNS Query to Remote Monitoring and Management Domain (centrastage .net)
7504 | CagService.exe | Misc activity | ET REMOTE_ACCESS Observed Remote Monitoring and Management Domain (centrastage .net in TLS SNI)
7504 | CagService.exe | Misc activity | ET REMOTE_ACCESS Observed Remote Monitoring and Management Domain (centrastage .net in TLS SNI)
2292 | svchost.exe | Misc activity | ET REMOTE_ACCESS DNS Query to Remote Monitoring and Management Domain (centrastage .net)
No debug info