| File name: | Online_IDSSA780785_S_Statement_pdf.EXE |
| Full analysis: | https://app.any.run/tasks/83b2b9aa-42b1-434d-bb7d-5ed6278d8a66 |
| Verdict: | Malicious activity |
| Threats: | Remote access trojans (RATs) are a type of malware that enables attackers to establish complete to partial control over infected computers. Such malicious programs often have a modular design, offering a wide range of functionalities for conducting illicit activities on compromised systems. Some of the most common features of RATs include access to the users’ data, webcam, and keystrokes. This malware is often distributed through phishing emails and links. |
| Analysis date: | February 16, 2026, 00:20:56 |
| OS: | Windows 10 Professional (build: 19044, 64 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/vnd.microsoft.portable-executable |
| File info: | PE32 executable (GUI) Intel 80386, for MS Windows, 4 sections |
| MD5: | 9A29FF3C9B3C542FE12106DF2D598D0C |
| SHA1: | F7B4D9617A19EC4B056749C05CDC37E0A49F014E |
| SHA256: | B0D728AC501612BFA23B473B484E71622B1B2F12AD87E39C4C20163732CB69DA |
| SSDEEP: | 98304:riTNTdz9luADXCI78UPI3AwhO36hCyfeYq1bB8SqJUndw67F31qojBXc5qwnrwAo:xtdjf9UhR7 |
MALICIOUS
Changes settings of System certificates
- winagent.exe (PID: 6664)
SUSPICIOUS
Reads the Windows owner or organization settings
- agent.tmp (PID: 2376)
- NetworkManagementInstall.tmp (PID: 3636)
The process checks if it is being run in the virtual environment
- winagent.exe (PID: 6784)
- winagent.exe (PID: 6664)
Searches for installed software
- winagent.exe (PID: 6784)
- assetscan.exe (PID: 4472)
- winagent.exe (PID: 6664)
- NetworkManagementInstall.tmp (PID: 3636)
Creates/Modifies COM task schedule object
- winagent.exe (PID: 6784)
Potential Corporate Privacy Violation
- svchost.exe (PID: 2292)
Executes as Windows Service
- winagent.exe (PID: 6664)
- NetworkManagement.exe (PID: 2760)
Using short paths in the command line
- winagent.exe (PID: 6664)
- NetworkManagementInstall.exe (PID: 3120)
Adds/modifies Windows certificates
- winagent.exe (PID: 6664)
Using the short paths format
- winagent.exe (PID: 6664)
- assetscan.exe (PID: 4472)
Starts SC.EXE for service management
- NetworkManagement.exe (PID: 4152)
Restarts service on failure
- sc.exe (PID: 8412)
Creates or modifies Windows services
- NetworkManagement.exe (PID: 4152)
- NetworkManagement.exe (PID: 2760)
INFO
Checks supported languages
- Online_IDSSA780785_S_Statement_pdf.EXE.exe (PID: 8732)
- agent.exe (PID: 6596)
- agent.tmp (PID: 1044)
- agent.exe (PID: 4368)
- agent.tmp (PID: 2376)
- unzip.exe (PID: 5920)
- unzip.exe (PID: 8632)
- winagent.exe (PID: 6664)
- winagent.exe (PID: 6784)
- assetscan.exe (PID: 4472)
- NetworkManagement.exe (PID: 4152)
- NetworkManagement.exe (PID: 4684)
- NetworkManagementInstall.exe (PID: 3120)
- NetworkManagementInstall.tmp (PID: 3636)
- NetworkManagement.exe (PID: 2760)
Process checks computer location settings
- Online_IDSSA780785_S_Statement_pdf.EXE.exe (PID: 8732)
- agent.tmp (PID: 1044)
Reads the computer name
- Online_IDSSA780785_S_Statement_pdf.EXE.exe (PID: 8732)
- agent.tmp (PID: 1044)
- agent.tmp (PID: 2376)
- winagent.exe (PID: 6784)
- winagent.exe (PID: 6664)
- assetscan.exe (PID: 4472)
- NetworkManagement.exe (PID: 4152)
- NetworkManagement.exe (PID: 4684)
- NetworkManagementInstall.tmp (PID: 3636)
- NetworkManagement.exe (PID: 2760)
Reads security settings of Internet Explorer
- Online_IDSSA780785_S_Statement_pdf.EXE.exe (PID: 8732)
- agent.tmp (PID: 1044)
- NetworkManagement.exe (PID: 4152)
Create files in a temporary directory
- Online_IDSSA780785_S_Statement_pdf.EXE.exe (PID: 8732)
- agent.exe (PID: 6596)
- agent.exe (PID: 4368)
- agent.tmp (PID: 2376)
Creates files in the program directory
- agent.tmp (PID: 2376)
- winagent.exe (PID: 6784)
- unzip.exe (PID: 8632)
- winagent.exe (PID: 6664)
- assetscan.exe (PID: 4472)
- NetworkManagement.exe (PID: 4152)
- NetworkManagement.exe (PID: 2760)
- NetworkManagementInstall.tmp (PID: 3636)
Creates a software uninstall entry
- agent.tmp (PID: 2376)
- NetworkManagementInstall.tmp (PID: 3636)
Drops script file
- agent.tmp (PID: 2376)
- winagent.exe (PID: 6784)
Reads the machine GUID from the registry
- winagent.exe (PID: 6784)
- winagent.exe (PID: 6664)
- NetworkManagement.exe (PID: 4152)
- NetworkManagementInstall.tmp (PID: 3636)
- NetworkManagement.exe (PID: 4684)
- NetworkManagement.exe (PID: 2760)
Archive extraction using unzip
- unzip.exe (PID: 8632)
Reads Windows Product ID
- assetscan.exe (PID: 4472)
Reads product name
- assetscan.exe (PID: 4472)
ULTRAVIEWER has been detected
- winagent.exe (PID: 6664)
Reads Environment values
- assetscan.exe (PID: 4472)
- NetworkManagement.exe (PID: 2760)
There is functionality for taking screenshot (YARA)
- winagent.exe (PID: 6664)
TEAMVIEWER has been detected
- winagent.exe (PID: 6664)
Checks proxy server information
- slui.exe (PID: 4804)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .exe | | | Win32 Executable MS Visual C++ (generic) (42.2) |
|---|---|---|
| .exe | | | Win64 Executable (generic) (37.3) |
| .dll | | | Win32 Dynamic Link Library (generic) (8.8) |
| .exe | | | Win32 Executable (generic) (6) |
| .exe | | | Generic Win/DOS Executable (2.7) |
EXIF
EXE
| MachineType: | Intel 386 or later, and compatibles |
|---|---|
| TimeStamp: | 2007:07:22 02:33:09+00:00 |
| ImageFileCharacteristics: | No relocs, Executable, No line numbers, No symbols, 32-bit |
| PEType: | PE32 |
| LinkerVersion: | 6 |
| CodeSize: | 74752 |
| InitializedDataSize: | 21504 |
| UninitializedDataSize: | - |
| EntryPoint: | 0x11de6 |
| OSVersion: | 4 |
| ImageVersion: | - |
| SubsystemVersion: | 4 |
| Subsystem: | Windows GUI |
| FileVersionNumber: | 1.2.0.715 |
| ProductVersionNumber: | 1.2.0.715 |
| FileFlagsMask: | 0x003f |
| FileFlags: | (none) |
| FileOS: | Windows NT 32-bit |
| ObjectFileType: | Executable application |
| FileSubtype: | - |
| LanguageCode: | Neutral |
| CharacterSet: | Unicode |
| CompanyName: | N-able Technologies |
| FileDescription: | Advanced Monitoring Agent Setup |
| FileVersion: | - |
| InternalName: | - |
| OriginalFileName: | - |
| ProductName: | Advanced Monitoring Agent |
| ProductVersion: | - |
Total processes
169
Monitored processes
23
Malicious processes
1
Suspicious processes
2
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 1044 | "C:\Users\admin\AppData\Local\Temp\is-6O3FC.tmp\agent.tmp" /SL5="$16038C,3241323,56832,C:\Users\admin\AppData\Local\Temp\7ZipSfx.000\agent.exe" /VERYSILENT /norestart | C:\Users\admin\AppData\Local\Temp\is-6O3FC.tmp\agent.tmp | — | agent.exe | |||||||||||
User: admin Integrity Level: MEDIUM Description: Setup/Uninstall Exit code: 0 Version: 51.52.0.0 Modules
| |||||||||||||||
| 2292 | C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s Dnscache | C:\Windows\System32\svchost.exe | services.exe | ||||||||||||
User: NETWORK SERVICE Company: Microsoft Corporation Integrity Level: SYSTEM Description: Host Process for Windows Services Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 2376 | "C:\Users\admin\AppData\Local\Temp\is-C0SGQ.tmp\agent.tmp" /SL5="$220374,3241323,56832,C:\Users\admin\AppData\Local\Temp\7ZipSfx.000\agent.exe" /SPAWNWND=$16038E /NOTIFYWND=$16038C /VERYSILENT /norestart | C:\Users\admin\AppData\Local\Temp\is-C0SGQ.tmp\agent.tmp | — | agent.exe | |||||||||||
User: admin Integrity Level: HIGH Description: Setup/Uninstall Exit code: 0 Version: 51.52.0.0 Modules
| |||||||||||||||
| 2760 | "C:\Program Files\Advanced Monitoring Agent Network Management\NetworkManagement.exe" | C:\Program Files\Advanced Monitoring Agent Network Management\NetworkManagement.exe | services.exe | ||||||||||||
User: SYSTEM Company: LogicNow Ltd Integrity Level: SYSTEM Description: Advanced Monitoring Network Management Service Version: 44.9.0.3 Modules
| |||||||||||||||
| 2788 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | unzip.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Console Window Host Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 3120 | "C:\PROGRA~2\ADVANC~1\downloads\NetworkManagementInstall.exe" /verysilent /log="C:\PROGRA~2\ADVANC~1\\AveryInstall.log" /agent="a0c4f3ec-d27c-46fb-8d6f-34c61b712524" /key="672e5425-2f21-48b1-89d4-380350f07054" /agent_id="6774734" /webserver="avery-us-west-2-svc.logicnow.us" /scsvr="" /scport="0" /scuser="WORKGROUP\DESKTOP-JGLLJLDf7f81a39-5f63-5b42-9efd-1f13b5431005quot; /scpwd="" | C:\Program Files (x86)\Advanced Monitoring Agent\downloads\NetworkManagementInstall.exe | — | winagent.exe | |||||||||||
User: SYSTEM Company: N-able Technologies Ltd Integrity Level: SYSTEM Description: Advanced Monitoring Agent Network Management Setup Version: 44.9.0.3 Modules
| |||||||||||||||
| 3636 | "C:\WINDOWS\TEMP\is-TVA9S.tmp\NetworkManagementInstall.tmp" /SL5="$50054,10739918,121344,C:\PROGRA~2\ADVANC~1\downloads\NetworkManagementInstall.exe" /verysilent /log="C:\PROGRA~2\ADVANC~1\\AveryInstall.log" /agent="a0c4f3ec-d27c-46fb-8d6f-34c61b712524" /key="672e5425-2f21-48b1-89d4-380350f07054" /agent_id="6774734" /webserver="avery-us-west-2-svc.logicnow.us" /scsvr="" /scport="0" /scuser="WORKGROUP\DESKTOP-JGLLJLDf7f81a39-5f63-5b42-9efd-1f13b5431005quot; /scpwd="" | C:\Windows\Temp\is-TVA9S.tmp\NetworkManagementInstall.tmp | NetworkManagementInstall.exe | ||||||||||||
User: SYSTEM Integrity Level: SYSTEM Description: Setup/Uninstall Version: 51.1052.0.0 Modules
| |||||||||||||||
| 4152 | "C:\Program Files\Advanced Monitoring Agent Network Management\NetworkManagement.exe" install a0c4f3ec-d27c-46fb-8d6f-34c61b712524 672e5425-2f21-48b1-89d4-380350f07054 6774734 avery-us-west-2-svc.logicnow.us | C:\Program Files\Advanced Monitoring Agent Network Management\NetworkManagement.exe | NetworkManagementInstall.tmp | ||||||||||||
User: SYSTEM Company: LogicNow Ltd Integrity Level: SYSTEM Description: Advanced Monitoring Network Management Service Exit code: 0 Version: 44.9.0.3 Modules
| |||||||||||||||
| 4368 | "C:\Users\admin\AppData\Local\Temp\7ZipSfx.000\agent.exe" /SPAWNWND=$16038E /NOTIFYWND=$16038C /VERYSILENT /norestart | C:\Users\admin\AppData\Local\Temp\7ZipSfx.000\agent.exe | agent.tmp | ||||||||||||
User: admin Company: Integrity Level: HIGH Description: Advanced Monitoring Agent Setup Exit code: 0 Version: Modules
| |||||||||||||||
| 4472 | "C:\PROGRA~2\ADVANC~1\assetscan.exe" -M SCAN | C:\Program Files (x86)\Advanced Monitoring Agent\assetscan.exe | — | winagent.exe | |||||||||||
User: SYSTEM Integrity Level: SYSTEM Exit code: 0 Modules
| |||||||||||||||
Total events
28 321
Read events
28 245
Write events
71
Delete events
5
Modification events
| (PID) Process: | (2376) agent.tmp | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Advanced Monitoring Agent_is1 |
| Operation: | write | Name: | Inno Setup: Setup Version |
Value: 5.5.3 (a) | |||
| (PID) Process: | (2376) agent.tmp | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Advanced Monitoring Agent_is1 |
| Operation: | write | Name: | Inno Setup: App Path |
Value: C:\Program Files (x86)\Advanced Monitoring Agent | |||
| (PID) Process: | (2376) agent.tmp | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Advanced Monitoring Agent_is1 |
| Operation: | write | Name: | InstallLocation |
Value: C:\Program Files (x86)\Advanced Monitoring Agent\ | |||
| (PID) Process: | (2376) agent.tmp | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Advanced Monitoring Agent_is1 |
| Operation: | write | Name: | Inno Setup: Icon Group |
Value: Advanced Monitoring Agent | |||
| (PID) Process: | (2376) agent.tmp | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Advanced Monitoring Agent_is1 |
| Operation: | write | Name: | Inno Setup: User |
Value: admin | |||
| (PID) Process: | (2376) agent.tmp | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Advanced Monitoring Agent_is1 |
| Operation: | write | Name: | Inno Setup: Language |
Value: UKEnglish | |||
| (PID) Process: | (2376) agent.tmp | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Advanced Monitoring Agent_is1 |
| Operation: | write | Name: | DisplayName |
Value: Advanced Monitoring Agent | |||
| (PID) Process: | (2376) agent.tmp | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Advanced Monitoring Agent_is1 |
| Operation: | write | Name: | UninstallString |
Value: "C:\Program Files (x86)\Advanced Monitoring Agent\unins000.exe" | |||
| (PID) Process: | (2376) agent.tmp | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Advanced Monitoring Agent_is1 |
| Operation: | write | Name: | QuietUninstallString |
Value: "C:\Program Files (x86)\Advanced Monitoring Agent\unins000.exe" /SILENT | |||
| (PID) Process: | (2376) agent.tmp | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Advanced Monitoring Agent_is1 |
| Operation: | write | Name: | NoModify |
Value: 1 | |||
Executable files
0
Suspicious files
0
Text files
0
Unknown types
337
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 6596 | agent.exe | C:\Users\admin\AppData\Local\Temp\is-6O3FC.tmp\agent.tmp | binary | |
MD5:A2C4D52C66B4B399FACADB8CC8386745 | SHA256:6C0465CE64C07E729C399A338705941D77727C7D089430957DF3E91A416E9D2A | |||
| 8732 | Online_IDSSA780785_S_Statement_pdf.EXE.exe | C:\Users\admin\AppData\Local\Temp\7ZipSfx.000\agent.exe | binary | |
MD5:A30EA7732FF19FF999CEABAFBA88D696 | SHA256:17F18F7231C66C0D9939858322029BC57393616AD7E930A88B221A21CE2D66EB | |||
| 2376 | agent.tmp | C:\Program Files (x86)\Advanced Monitoring Agent\is-T73KM.tmp | binary | |
MD5:E26B08801588FC3708D00CC8D7F0161A | SHA256:C5CFD891EBCF58DE3AB603EEDCFBC7D142017AF8EC76ADC9D92CF2F3E053BBB2 | |||
| 2376 | agent.tmp | C:\Program Files (x86)\Advanced Monitoring Agent\is-36NHR.tmp | binary | |
MD5:A0BC06AB1280DFD943517D70AD61F279 | SHA256:352CC8240C03972135D363437C429B54CE4B71DAF1920DFA68B65419F3BAFB0F | |||
| 2376 | agent.tmp | C:\Program Files (x86)\Advanced Monitoring Agent\is-CPGND.tmp | binary | |
MD5:D7C918793B7F6EBFB34D34FCBF0A8749 | SHA256:9C2F4F7BDAB3FFD39EFAF9DD904CF031A38E1253B6645A61A2FA8364E0808299 | |||
| 4368 | agent.exe | C:\Users\admin\AppData\Local\Temp\is-C0SGQ.tmp\agent.tmp | binary | |
MD5:A2C4D52C66B4B399FACADB8CC8386745 | SHA256:6C0465CE64C07E729C399A338705941D77727C7D089430957DF3E91A416E9D2A | |||
| 2376 | agent.tmp | C:\Users\admin\AppData\Local\Temp\is-QB8KD.tmp\_isetup\_setup64.tmp | binary | |
MD5:C8871EFD8AF2CF4D9D42D1FF8FADBF89 | SHA256:E4FC574A01B272C2D0AED0EC813F6D75212E2A15A5F5C417129DD65D69768F40 | |||
| 2376 | agent.tmp | C:\Program Files (x86)\Advanced Monitoring Agent\unins000.exe | binary | |
MD5:D7C918793B7F6EBFB34D34FCBF0A8749 | SHA256:9C2F4F7BDAB3FFD39EFAF9DD904CF031A38E1253B6645A61A2FA8364E0808299 | |||
| 2376 | agent.tmp | C:\Program Files (x86)\Advanced Monitoring Agent\is-H0UEB.tmp | binary | |
MD5:4EC5D844767EC166A990A4CEE50B5E38 | SHA256:27708C0619C4CAC96E0B1B5FC3475F31E9A23A951FF57AE428CE39D72E512F41 | |||
| 2376 | agent.tmp | C:\Program Files (x86)\Advanced Monitoring Agent\is-JUPIR.tmp | binary | |
MD5:E3FBA873F3E4EF822A908DB5F5360DAC | SHA256:E37200331C14BAB4B851C4CF9F5BD1A33065181896AEEDB7AAB61381C42096D1 | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
143
TCP/UDP connections
77
DNS requests
38
Threats
36
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
— | — | POST | 200 | 20.190.160.14:443 | https://login.live.com/RST2.srf | US | binary | 11.1 Kb | unknown |
5408 | svchost.exe | GET | 200 | 2.16.164.120:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | NL | binary | 825 b | whitelisted |
— | — | GET | 200 | 2.16.164.120:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | NL | binary | 825 b | whitelisted |
6768 | MoUsoCoreWorker.exe | GET | 200 | 2.16.164.120:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | NL | binary | 825 b | whitelisted |
— | — | POST | 200 | 20.190.160.14:443 | https://login.live.com/RST2.srf | US | binary | 10.3 Kb | unknown |
— | — | POST | 200 | 20.190.160.130:443 | https://login.live.com/RST2.srf | US | binary | 10.3 Kb | unknown |
356 | svchost.exe | POST | 200 | 20.190.159.4:443 | https://login.live.com/RST2.srf | US | — | 10.3 Kb | whitelisted |
356 | svchost.exe | POST | 200 | 20.190.159.4:443 | https://login.live.com/RST2.srf | US | — | 10.3 Kb | whitelisted |
356 | svchost.exe | POST | 200 | 20.190.159.4:443 | https://login.live.com/RST2.srf | US | — | 10.3 Kb | whitelisted |
— | — | POST | 200 | 40.126.32.72:443 | https://login.live.com/RST2.srf | US | binary | 10.3 Kb | unknown |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
— | — | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted |
4 | System | 192.168.100.255:137 | — | Not routed | — | whitelisted |
— | — | 92.123.104.21:443 | www.bing.com | AKAMAI-ASN1 | NL | whitelisted |
— | — | 172.211.123.249:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted |
4 | System | 192.168.100.255:138 | — | Not routed | — | whitelisted |
5408 | svchost.exe | 2.16.164.120:80 | crl.microsoft.com | AKAMAI-ASN1 | NL | whitelisted |
— | — | 2.16.164.120:80 | crl.microsoft.com | AKAMAI-ASN1 | NL | whitelisted |
6768 | MoUsoCoreWorker.exe | 2.16.164.120:80 | crl.microsoft.com | AKAMAI-ASN1 | NL | whitelisted |
356 | svchost.exe | 20.190.159.4:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted |
5408 | svchost.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted |
DNS requests
Domain | IP | Reputation |
|---|---|---|
settings-win.data.microsoft.com |
| whitelisted |
www.bing.com |
| whitelisted |
client.wns.windows.com |
| whitelisted |
google.com |
| whitelisted |
crl.microsoft.com |
| whitelisted |
login.live.com |
| whitelisted |
upload1.am.remote.management |
| unknown |
upload2.am.remote.management |
| whitelisted |
upload3.am.remote.management |
| unknown |
upload4.am.remote.management |
| unknown |
Threats
PID | Process | Class | Message |
|---|---|---|---|
2292 | svchost.exe | Potential Corporate Privacy Violation | ET INFO Observed DNS Query for Suspicious TLD (.management) |
2292 | svchost.exe | Misc activity | ET INFO Observed RMM Domain in DNS Lookup (remote .management) |
6784 | winagent.exe | Misc activity | ET INFO Observed RMM Domain in TLS SNI (remote .management) |
2292 | svchost.exe | Potential Corporate Privacy Violation | ET INFO Observed DNS Query for Suspicious TLD (.management) |
6784 | winagent.exe | Misc activity | ET INFO Observed RMM Domain in TLS SNI (remote .management) |
2292 | svchost.exe | Misc activity | ET INFO Observed RMM Domain in DNS Lookup (remote .management) |
2292 | svchost.exe | Potential Corporate Privacy Violation | ET INFO Observed DNS Query for Suspicious TLD (.management) |
2292 | svchost.exe | Misc activity | ET INFO Observed RMM Domain in DNS Lookup (remote .management) |
6784 | winagent.exe | Misc activity | ET INFO Observed RMM Domain in TLS SNI (remote .management) |
2292 | svchost.exe | Potential Corporate Privacy Violation | ET INFO Observed DNS Query for Suspicious TLD (.management) |
Process | Message |
|---|---|
NetworkManagement.exe | Native library pre-loader is trying to load native SQLite library "C:\Program Files\Advanced Monitoring Agent Network Management\x64\SQLite.Interop.dll"...
|
NetworkManagement.exe | Native library pre-loader is trying to load native SQLite library "C:\Program Files\Advanced Monitoring Agent Network Management\x64\SQLite.Interop.dll"...
|