Malware analysis Documents-976709d2.exe Malicious activity

Add for printing

File name:	Documents-976709d2.exe
Full analysis:	https://app.any.run/tasks/a49677a9-0e0c-4299-8c73-9972a3333491
Verdict:	Malicious activity
Threats:	A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. Remote access trojans (RATs) are a type of malware that enables attackers to establish complete to partial control over infected computers. Such malicious programs often have a modular design, offering a wide range of functionalities for conducting illicit activities on compromised systems. Some of the most common features of RATs include access to the users’ data, webcam, and keystrokes. This malware is often distributed through phishing emails and links. Malware Trends Tracker >>>
Analysis date:	January 09, 2026, 21:02:53
OS:	Windows 10 Professional (build: 19044, 64 bit)
Tags:	rat anti-evasion arch-scr arch-exec loader websocket delphi
Indicators:
MIME:	application/vnd.microsoft.portable-executable
File info:	PE32 executable (GUI) Intel 80386, for MS Windows, 4 sections
MD5:	C7BA7DCED9C33D57491B026E61D5773B
SHA1:	52FC1EBDF313D32E094BAC737B8B272EA371FA48
SHA256:	B83E62FA4084BFF95AE93E3BE1D7D1AB61786273394981647D6DCACACA19F9B2
SSDEEP:	196608:tet4U65AYTsq6P66XfO5ER/Qnm3RvzMjb0NABuKShRa:wt4U65AD2sfswRvzMUNABuphRa

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 300 seconds
Heavy Evasion option:: off
Network geolocation:: off
Additional time used:: 240 seconds
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.3636.19041.0
Adobe Acrobat (64-bit) (23.001.20093)
Adobe Flash Player 32 NPAPI (32.0.0.465)
Adobe Flash Player 32 PPAPI (32.0.0.465)
CCleaner (6.20)
Google Chrome (133.0.6943.127)
Google Update Helper (1.3.36.51)
Java 8 Update 271 (64-bit) (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Microsoft Edge (133.0.3065.92)
Microsoft Office Professional 2019 - de-de (16.0.16026.20146)
Microsoft Office Professional 2019 - en-us (16.0.16026.20146)
Microsoft Office Professional 2019 - es-es (16.0.16026.20146)
Microsoft Office Professional 2019 - it-it (16.0.16026.20146)
Microsoft Office Professional 2019 - ja-jp (16.0.16026.20146)
Microsoft Office Professional 2019 - ko-kr (16.0.16026.20146)
Microsoft Office Professional 2019 - pt-br (16.0.16026.20146)
Microsoft Office Professional 2019 - tr-tr (16.0.16026.20146)
Microsoft Office Professionnel 2019 - fr-fr (16.0.16026.20146)
Microsoft Office профессиональный 2019 - ru-ru (16.0.16026.20146)
Microsoft OneNote - en-us (16.0.16026.20146)
Microsoft Update Health Tools (3.74.0.0)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x64 en-US) (136.0)
Mozilla Maintenance Service (136.0)
Notepad++ (64-bit x64) (7.9.1)
Office 16 Click-to-Run Extensibility Component (16.0.15726.20202)
Office 16 Click-to-Run Licensing Component (16.0.16026.20146)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15928.20198)
PowerShell 7-x64 (7.3.5.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.59.0.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.63.0.0)
Update for Windows 10 for x64-based Systems (KB4480730) (2.55.0.0)
Update for Windows 10 for x64-based Systems (KB5001716) (8.93.0.0)
VLC media player (3.0.11)
WinRAR 5.91 (64-bit) (5.91.0)
Windows PC Health Check (3.6.2204.08001)

Hotfixes

Client LanguagePack Package
DotNetRollup
DotNetRollup 481
FodMetadata Package
Foundation Package
Hello Face Package
InternetExplorer Optional Package
KB5003791
KB5011048
KB5015684
KB5033052
LanguageFeatures Basic en us Package
LanguageFeatures Handwriting en us Package
LanguageFeatures OCR en us Package
LanguageFeatures Speech en us Package
LanguageFeatures TextToSpeech en us Package
MSPaint FoD Package
MediaPlayer Package
Microsoft OneCore ApplicationModel Sync Desktop FOD Package
Microsoft OneCore DirectX Database FOD Package
NetFx3 OnDemand Package
Notepad FoD Package
OpenSSH Client Package
PowerShell ISE FOD Package
Printing PMCPPC FoD Package
Printing WFS FoD Package
ProfessionalEdition
QuickAssist Package
RollupFix
ServicingStack
ServicingStack 3989
StepsRecorder Package
TabletPCMath Package
UserExperience Desktop Package
WordPad FoD Package

Add for printing

MALICIOUS
- Changes the autorun value in the registry
  - vcredist_x86.exe (PID: 3036)
  - ScriptRunner.Installer.exe (PID: 4476)
  - MSP_Connect.exe (PID: 2612)
- Changes settings of System certificates
  - BASupSrvcCnfg.exe (PID: 7036)
  - winagent.exe (PID: 2740)
- Changes the Windows auto-update feature
  - PME.Agent.exe (PID: 8012)
SUSPICIOUS
- Reads security settings of Internet Explorer
  - Documents-976709d2.exe (PID: 7564)
  - agent.tmp (PID: 7636)
  - vcredist_x86.exe (PID: 3036)
  - ScriptRunnerInstaller-2.98.2.2.exe (PID: 1176)
  - TCLauncherHelper.exe (PID: 1600)
  - BASupSrvcCnfg.exe (PID: 8088)
  - RequestHandlerAgent.exe (PID: 5728)
  - FileCacheServiceAgent.exe (PID: 6084)
  - PME.Agent.exe (PID: 7992)
  - NetworkManagement.exe (PID: 7384)
  - NetworkManagement.exe (PID: 864)
- Executable content was dropped or overwritten
  - Documents-976709d2.exe (PID: 7564)
  - agent.exe (PID: 7616)
  - agent.exe (PID: 7812)
  - agent.tmp (PID: 7836)
  - winagent.exe (PID: 8052)
  - vcredist_x86.exe (PID: 2232)
  - vcredist_x86.exe (PID: 3036)
  - ScriptRunnerInstaller-2.98.2.2.exe (PID: 8168)
  - ScriptRunnerInstaller-2.98.2.2.exe (PID: 1176)
  - ScriptRunner.Installer.exe (PID: 4476)
  - MSP_Connect.exe (PID: 2612)
  - winagent.exe (PID: 2740)
  - BASupSrvc.exe (PID: 5612)
  - PMESetup.exe (PID: 6684)
  - PMESetup.tmp (PID: 3236)
  - RequestHandlerAgentSetup.exe (PID: 5160)
  - RequestHandlerAgentSetup.tmp (PID: 7212)
  - FileCacheServiceAgentSetup.exe (PID: 2336)
  - FileCacheServiceAgentSetup.tmp (PID: 3464)
  - msp-agent-core.exe (PID: 6788)
  - msp-agent-core-upgrade.exe (PID: 1840)
  - NetworkManagementInstall.exe (PID: 7460)
  - NetworkManagementInstall.tmp (PID: 7568)
- Reads the Windows owner or organization settings
  - agent.tmp (PID: 7836)
  - msiexec.exe (PID: 8144)
  - PMESetup.tmp (PID: 3236)
  - RequestHandlerAgentSetup.tmp (PID: 7212)
  - FileCacheServiceAgentSetup.tmp (PID: 3464)
  - NetworkManagementInstall.tmp (PID: 7568)
- Searches for installed software
  - winagent.exe (PID: 8052)
  - vcredist_x86.exe (PID: 2232)
  - vcredist_x86.exe (PID: 3036)
  - dllhost.exe (PID: 7204)
  - ScriptRunnerInstaller-2.98.2.2.exe (PID: 1176)
  - ScriptRunner.Installer.exe (PID: 4476)
  - winagent.exe (PID: 2740)
  - assetscan.exe (PID: 8036)
  - msp-agent-core.exe (PID: 6788)
  - msp-agent-core.exe (PID: 7792)
  - winagent.exe (PID: 7376)
  - NetworkManagementInstall.tmp (PID: 7568)
- Creates/Modifies COM task schedule object
  - winagent.exe (PID: 8052)
  - MSP_Connect.exe (PID: 2612)
- The process checks if it is being run in the virtual environment
  - winagent.exe (PID: 8052)
  - winagent.exe (PID: 2740)
  - fmplugin.exe (PID: 6596)
- Potential Corporate Privacy Violation
  - svchost.exe (PID: 2292)
- Process drops legitimate windows executable
  - agent.tmp (PID: 7836)
  - vcredist_x86.exe (PID: 2232)
  - winagent.exe (PID: 8052)
  - msiexec.exe (PID: 8144)
  - vcredist_x86.exe (PID: 3036)
  - MSP_Connect.exe (PID: 2612)
  - RequestHandlerAgentSetup.tmp (PID: 7212)
  - PMESetup.tmp (PID: 3236)
  - NetworkManagementInstall.tmp (PID: 7568)
- Application launched itself
  - vcredist_x86.exe (PID: 3036)
  - TCLauncherHelper.exe (PID: 1600)
  - BASupSrvcCnfg.exe (PID: 7036)
- Using short paths in the command line
  - vcredist_x86.exe (PID: 3036)
  - winagent.exe (PID: 8052)
  - ScriptRunnerInstaller-2.98.2.2.exe (PID: 8168)
  - winagent.exe (PID: 2740)
  - BASupSrvc.exe (PID: 5612)
  - PMESetup.exe (PID: 6684)
  - PMESetup.tmp (PID: 3236)
  - RequestHandlerAgentSetup.exe (PID: 5160)
  - FileCacheServiceAgentSetup.exe (PID: 2336)
  - RequestHandlerAgentSetup.tmp (PID: 7212)
  - FileCacheServiceAgentSetup.tmp (PID: 3464)
  - fmplugin.exe (PID: 6596)
  - NetworkManagementInstall.exe (PID: 7460)
- Executes as Windows Service
  - VSSVC.exe (PID: 7264)
  - winagent.exe (PID: 2740)
  - BASupSrvc.exe (PID: 5612)
  - BASupSrvcUpdater.exe (PID: 752)
  - RequestHandlerAgent.exe (PID: 7464)
  - FileCacheServiceAgent.exe (PID: 1524)
  - PME.Agent.exe (PID: 8012)
  - msp-agent-core.exe (PID: 6788)
  - msp-agent-core.exe (PID: 7792)
  - NetworkManagement.exe (PID: 864)
- There is functionality for taking screenshot (YARA)
  - winagent.exe (PID: 8052)
  - winagent.exe (PID: 2740)
  - MSP_Connect.exe (PID: 2612)
- The process drops C-runtime libraries
  - msiexec.exe (PID: 8144)
  - MSP_Connect.exe (PID: 2612)
- Using the short paths format
  - winagent.exe (PID: 8052)
  - msiexec.exe (PID: 8144)
  - assetscan.exe (PID: 8036)
  - conhost.exe (PID: 7056)
  - PMESetup.tmp (PID: 3236)
  - conhost.exe (PID: 8188)
  - conhost.exe (PID: 5016)
  - conhost.exe (PID: 7560)
  - fmplugin.exe (PID: 6596)
  - winagent.exe (PID: 2740)
- The process creates files with name similar to system file names
  - ScriptRunnerInstaller-2.98.2.2.exe (PID: 1176)
  - MSP_Connect.exe (PID: 2612)
- Starts itself from another location
  - ScriptRunnerInstaller-2.98.2.2.exe (PID: 1176)
- Uses TASKKILL.EXE to kill process
  - msiexec.exe (PID: 7200)
- Executes application which crashes
  - winagent.exe (PID: 8052)
- Drops 7-zip archiver for unpacking
  - msiexec.exe (PID: 8144)
- Adds/modifies Windows certificates
  - BASupSrvcCnfg.exe (PID: 7036)
  - winagent.exe (PID: 2740)
- Creates or modifies Windows services
  - BASupSrvc.exe (PID: 6240)
  - RequestHandlerAgent.exe (PID: 5728)
  - FileCacheServiceAgent.exe (PID: 6084)
  - PME.Agent.exe (PID: 7992)
  - NetworkManagement.exe (PID: 7384)
  - NetworkManagement.exe (PID: 864)
- The process executes via Task Scheduler
  - TCLauncherHelper.exe (PID: 1600)
- Windows service management via SC.EXE
  - sc.exe (PID: 1560)
  - sc.exe (PID: 756)
  - sc.exe (PID: 6148)
  - sc.exe (PID: 3204)
  - sc.exe (PID: 5104)
  - sc.exe (PID: 5492)
  - sc.exe (PID: 4788)
  - sc.exe (PID: 6536)
  - sc.exe (PID: 7212)
  - sc.exe (PID: 5788)
  - sc.exe (PID: 3348)
  - sc.exe (PID: 7300)
- Uses ICACLS.EXE to modify access control lists
  - RequestHandlerAgentSetup.tmp (PID: 7212)
  - FileCacheServiceAgentSetup.tmp (PID: 3464)
  - PMESetup.tmp (PID: 3236)
- Restarts service on failure
  - sc.exe (PID: 6952)
  - sc.exe (PID: 5164)
  - sc.exe (PID: 5152)
  - sc.exe (PID: 7980)
- Starts SC.EXE for service management
  - FileCacheServiceAgent.exe (PID: 6084)
  - PME.Agent.exe (PID: 7992)
  - NetworkManagement.exe (PID: 7384)
- Starts CMD.EXE for commands execution
  - msp-agent-core.exe (PID: 6788)
  - msp-agent-core.exe (PID: 7792)
- Starts POWERSHELL.EXE for commands execution
  - msp-agent-core.exe (PID: 6788)
  - msp-agent-core.exe (PID: 7792)
- Gets system UUID (POWERSHELL)
  - powershell.exe (PID: 7232)
  - powershell.exe (PID: 1488)
INFO
- Process checks computer location settings
  - Documents-976709d2.exe (PID: 7564)
  - agent.tmp (PID: 7636)
  - ScriptRunnerInstaller-2.98.2.2.exe (PID: 1176)
  - TCLauncherHelper.exe (PID: 1600)
  - fmplugin.exe (PID: 6596)
- Checks supported languages
  - Documents-976709d2.exe (PID: 7564)
  - agent.exe (PID: 7616)
  - agent.tmp (PID: 7636)
  - agent.exe (PID: 7812)
  - agent.tmp (PID: 7836)
  - unzip.exe (PID: 7864)
  - unzip.exe (PID: 7984)
  - winagent.exe (PID: 8052)
  - vcredist_x86.exe (PID: 3036)
  - vcredist_x86.exe (PID: 2232)
  - msiexec.exe (PID: 8144)
  - ScriptRunnerInstaller-2.98.2.2.exe (PID: 8168)
  - ScriptRunnerInstaller-2.98.2.2.exe (PID: 1176)
  - msiexec.exe (PID: 7200)
  - ScriptRunner.Installer.exe (PID: 4476)
  - winagent.exe (PID: 2740)
  - assetscan.exe (PID: 8036)
  - MSP_Connect.exe (PID: 2612)
  - TextInputHost.exe (PID: 6056)
  - BASupSrvc.exe (PID: 6240)
  - BASupSrvcCnfg.exe (PID: 7036)
  - TCSettingsHlp.exe (PID: 404)
  - BASupSrvc.exe (PID: 5612)
  - TCLauncherHelper.exe (PID: 7220)
  - TCLauncherHelper.exe (PID: 8092)
  - TCLauncherHelper.exe (PID: 1600)
  - TCLauncherHelper.exe (PID: 5040)
  - BASupSysInf.exe (PID: 6400)
  - BASupSrvcUpdater.exe (PID: 752)
  - BASupSysInf.exe (PID: 5356)
  - BASupSrvcCnfg.exe (PID: 8088)
  - PMESetup.tmp (PID: 3236)
  - PMESetup.exe (PID: 6684)
  - RequestHandlerAgentSetup.exe (PID: 5160)
  - RequestHandlerAgentSetup.tmp (PID: 7212)
  - RequestHandlerAgent.exe (PID: 5728)
  - RequestHandlerAgent.exe (PID: 7464)
  - FileCacheServiceAgentSetup.exe (PID: 2336)
  - FileCacheServiceAgentSetup.tmp (PID: 3464)
  - FileCacheServiceAgent.exe (PID: 6084)
  - FileCacheServiceAgent.exe (PID: 1524)
  - PME.Agent.exe (PID: 8012)
  - PME.Agent.exe (PID: 7992)
  - msp-agent-core.exe (PID: 6788)
  - msp-agent-core.exe (PID: 7504)
  - fmplugin.exe (PID: 6596)
  - msp-agent-core.exe (PID: 2668)
  - msp-agent-core.exe (PID: 4752)
  - msp-agent-core-upgrade.exe (PID: 3032)
  - msp-agent-core-upgrade.exe (PID: 1840)
  - msp-agent-core.exe (PID: 7792)
  - msp-agent-core.exe (PID: 552)
  - msp-agent-core.exe (PID: 7648)
  - msp-agent-core.exe (PID: 2348)
  - msp-agent-core-upgrade.exe (PID: 1340)
  - winagent.exe (PID: 7376)
  - msp-agent-core.exe (PID: 5416)
  - msp-agent-core.exe (PID: 8108)
  - msp-agent-core.exe (PID: 4828)
  - NetworkManagementInstall.exe (PID: 7460)
  - NetworkManagementInstall.tmp (PID: 7568)
  - msp-agent-core.exe (PID: 8176)
  - NetworkManagement.exe (PID: 7384)
  - NetworkManagement.exe (PID: 8184)
  - NetworkManagement.exe (PID: 864)
  - msp-agent-core.exe (PID: 7400)
  - msp-agent-core.exe (PID: 5436)
  - msp-agent-core.exe (PID: 7472)
- Create files in a temporary directory
  - agent.exe (PID: 7616)
  - Documents-976709d2.exe (PID: 7564)
  - agent.exe (PID: 7812)
  - agent.tmp (PID: 7836)
  - vcredist_x86.exe (PID: 2232)
- Reads the computer name
  - Documents-976709d2.exe (PID: 7564)
  - agent.tmp (PID: 7636)
  - agent.tmp (PID: 7836)
  - winagent.exe (PID: 8052)
  - vcredist_x86.exe (PID: 3036)
  - vcredist_x86.exe (PID: 2232)
  - msiexec.exe (PID: 8144)
  - ScriptRunnerInstaller-2.98.2.2.exe (PID: 1176)
  - ScriptRunner.Installer.exe (PID: 4476)
  - msiexec.exe (PID: 7200)
  - winagent.exe (PID: 2740)
  - assetscan.exe (PID: 8036)
  - MSP_Connect.exe (PID: 2612)
  - TextInputHost.exe (PID: 6056)
  - BASupSrvc.exe (PID: 6240)
  - BASupSrvcCnfg.exe (PID: 7036)
  - BASupSrvc.exe (PID: 5612)
  - TCLauncherHelper.exe (PID: 7220)
  - TCLauncherHelper.exe (PID: 1600)
  - TCLauncherHelper.exe (PID: 8092)
  - TCLauncherHelper.exe (PID: 5040)
  - BASupSrvcUpdater.exe (PID: 752)
  - BASupSysInf.exe (PID: 6400)
  - BASupSysInf.exe (PID: 5356)
  - PMESetup.exe (PID: 6684)
  - BASupSrvcCnfg.exe (PID: 8088)
  - PMESetup.tmp (PID: 3236)
  - RequestHandlerAgentSetup.exe (PID: 5160)
  - RequestHandlerAgentSetup.tmp (PID: 7212)
  - RequestHandlerAgent.exe (PID: 7464)
  - FileCacheServiceAgentSetup.exe (PID: 2336)
  - RequestHandlerAgent.exe (PID: 5728)
  - FileCacheServiceAgent.exe (PID: 6084)
  - FileCacheServiceAgentSetup.tmp (PID: 3464)
  - fmplugin.exe (PID: 6596)
  - FileCacheServiceAgent.exe (PID: 1524)
  - PME.Agent.exe (PID: 7992)
  - PME.Agent.exe (PID: 8012)
  - msp-agent-core.exe (PID: 2668)
  - msp-agent-core.exe (PID: 6788)
  - msp-agent-core.exe (PID: 7504)
  - msp-agent-core.exe (PID: 4752)
  - msp-agent-core-upgrade.exe (PID: 1840)
  - msp-agent-core.exe (PID: 7792)
  - msp-agent-core.exe (PID: 552)
  - msp-agent-core.exe (PID: 7648)
  - msp-agent-core.exe (PID: 2348)
  - msp-agent-core.exe (PID: 8176)
  - msp-agent-core.exe (PID: 5416)
  - msp-agent-core.exe (PID: 8108)
  - msp-agent-core.exe (PID: 4828)
  - NetworkManagementInstall.tmp (PID: 7568)
  - NetworkManagement.exe (PID: 7384)
  - NetworkManagement.exe (PID: 8184)
  - msp-agent-core.exe (PID: 7400)
  - msp-agent-core.exe (PID: 7472)
  - msp-agent-core.exe (PID: 5436)
  - NetworkManagement.exe (PID: 864)
- The sample compiled with english language support
  - agent.tmp (PID: 7836)
  - vcredist_x86.exe (PID: 2232)
  - winagent.exe (PID: 8052)
  - vcredist_x86.exe (PID: 3036)
  - msiexec.exe (PID: 8144)
  - ScriptRunnerInstaller-2.98.2.2.exe (PID: 8168)
  - ScriptRunnerInstaller-2.98.2.2.exe (PID: 1176)
  - ScriptRunner.Installer.exe (PID: 4476)
  - MSP_Connect.exe (PID: 2612)
  - winagent.exe (PID: 2740)
  - PMESetup.tmp (PID: 3236)
  - msp-agent-core.exe (PID: 6788)
  - msp-agent-core-upgrade.exe (PID: 1840)
  - NetworkManagementInstall.tmp (PID: 7568)
- Creates files in the program directory
  - agent.tmp (PID: 7836)
  - unzip.exe (PID: 7864)
  - winagent.exe (PID: 8052)
  - vcredist_x86.exe (PID: 2232)
  - vcredist_x86.exe (PID: 3036)
  - ScriptRunnerInstaller-2.98.2.2.exe (PID: 1176)
  - ScriptRunner.Installer.exe (PID: 4476)
  - winagent.exe (PID: 2740)
  - assetscan.exe (PID: 8036)
  - MSP_Connect.exe (PID: 2612)
  - BASupSrvc.exe (PID: 6240)
  - TCLauncherHelper.exe (PID: 7220)
  - BASupSrvcCnfg.exe (PID: 7036)
  - TCSettingsHlp.exe (PID: 404)
  - TCLauncherHelper.exe (PID: 1600)
  - BASupSrvc.exe (PID: 5612)
  - BASupSrvcUpdater.exe (PID: 752)
  - BASupSysInf.exe (PID: 5356)
  - BASupSrvcCnfg.exe (PID: 8088)
  - PMESetup.tmp (PID: 3236)
  - RequestHandlerAgentSetup.tmp (PID: 7212)
  - RequestHandlerAgent.exe (PID: 5728)
  - FileCacheServiceAgentSetup.tmp (PID: 3464)
  - FileCacheServiceAgent.exe (PID: 6084)
  - fmplugin.exe (PID: 6596)
  - FileCacheServiceAgent.exe (PID: 1524)
  - msiexec.exe (PID: 6376)
  - PME.Agent.exe (PID: 7992)
  - msp-agent-core.exe (PID: 2668)
  - msp-agent-core.exe (PID: 6788)
  - msp-agent-core-upgrade.exe (PID: 1840)
  - msp-agent-core.exe (PID: 7792)
  - NetworkManagementInstall.tmp (PID: 7568)
  - NetworkManagement.exe (PID: 7384)
  - NetworkManagement.exe (PID: 864)
- Creates a software uninstall entry
  - agent.tmp (PID: 7836)
  - vcredist_x86.exe (PID: 3036)
  - msiexec.exe (PID: 8144)
  - ScriptRunner.Installer.exe (PID: 4476)
  - PMESetup.tmp (PID: 3236)
  - RequestHandlerAgentSetup.tmp (PID: 7212)
  - FileCacheServiceAgentSetup.tmp (PID: 3464)
  - msp-agent-core.exe (PID: 6788)
  - msp-agent-core.exe (PID: 7792)
  - NetworkManagementInstall.tmp (PID: 7568)
- Reads product name
  - winagent.exe (PID: 8052)
  - winagent.exe (PID: 2740)
  - assetscan.exe (PID: 8036)
  - winagent.exe (PID: 7376)
- Reads Environment values
  - winagent.exe (PID: 8052)
  - assetscan.exe (PID: 8036)
  - winagent.exe (PID: 2740)
  - FileCacheServiceAgent.exe (PID: 6084)
  - FileCacheServiceAgent.exe (PID: 1524)
  - winagent.exe (PID: 7376)
  - NetworkManagement.exe (PID: 864)
- Launching a file from a Registry key
  - vcredist_x86.exe (PID: 3036)
  - ScriptRunner.Installer.exe (PID: 4476)
  - MSP_Connect.exe (PID: 2612)
- Creates files or folders in the user directory
  - vcredist_x86.exe (PID: 3036)
  - WerFault.exe (PID: 7616)
  - BASupSrvcCnfg.exe (PID: 8088)
- Reads the machine GUID from the registry
  - vcredist_x86.exe (PID: 3036)
  - msiexec.exe (PID: 8144)
  - ScriptRunnerInstaller-2.98.2.2.exe (PID: 1176)
  - ScriptRunner.Installer.exe (PID: 4476)
  - winagent.exe (PID: 2740)
  - TCLauncherHelper.exe (PID: 7220)
  - BASupSrvcCnfg.exe (PID: 7036)
  - TCLauncherHelper.exe (PID: 8092)
  - TCLauncherHelper.exe (PID: 1600)
  - TCLauncherHelper.exe (PID: 5040)
  - BASupSrvc.exe (PID: 5612)
  - BASupSysInf.exe (PID: 6400)
  - BASupSysInf.exe (PID: 5356)
  - BASupSrvcUpdater.exe (PID: 752)
  - BASupSrvcCnfg.exe (PID: 8088)
  - RequestHandlerAgent.exe (PID: 7464)
  - RequestHandlerAgent.exe (PID: 5728)
  - FileCacheServiceAgent.exe (PID: 6084)
  - FileCacheServiceAgent.exe (PID: 1524)
  - fmplugin.exe (PID: 6596)
  - PME.Agent.exe (PID: 8012)
  - PME.Agent.exe (PID: 7992)
  - msp-agent-core.exe (PID: 6788)
  - msp-agent-core.exe (PID: 7792)
  - NetworkManagement.exe (PID: 8184)
  - NetworkManagement.exe (PID: 7384)
  - NetworkManagement.exe (PID: 864)
- Checks proxy server information
  - vcredist_x86.exe (PID: 3036)
  - WerFault.exe (PID: 7616)
  - BASupSrvcCnfg.exe (PID: 8088)
  - slui.exe (PID: 4020)
- Manages system restore points
  - SrTasks.exe (PID: 7632)
- The sample compiled with german language support
  - msiexec.exe (PID: 8144)
- Creating file in SysWOW64
  - msiexec.exe (PID: 8144)
- The sample compiled with russian language support
  - msiexec.exe (PID: 8144)
- The sample compiled with spanish language support
  - msiexec.exe (PID: 8144)
- The sample compiled with Italian language support
  - msiexec.exe (PID: 8144)
- The sample compiled with french language support
  - msiexec.exe (PID: 8144)
- The sample compiled with korean language support
  - msiexec.exe (PID: 8144)
- Executable content was dropped or overwritten
  - msiexec.exe (PID: 8144)
- The sample compiled with chinese language support
  - msiexec.exe (PID: 8144)
- Reads Windows Product ID
  - assetscan.exe (PID: 8036)
- Compiled with Borland Delphi (YARA)
  - MSP_Connect.exe (PID: 2612)
  - BASupSrvcCnfg.exe (PID: 7036)
  - BASupSrvc.exe (PID: 5612)
- Process checks whether UAC notifications are on
  - TCLauncherHelper.exe (PID: 7220)
  - BASupSrvcCnfg.exe (PID: 7036)
  - TCLauncherHelper.exe (PID: 8092)
  - TCLauncherHelper.exe (PID: 1600)
  - TCLauncherHelper.exe (PID: 5040)
  - BASupSrvcCnfg.exe (PID: 8088)
- Checks operating system version
  - msp-agent-core.exe (PID: 6788)
  - msp-agent-core.exe (PID: 7792)
- Drops encrypted JS script (Microsoft Script Encoder)
  - msp-agent-core.exe (PID: 6788)
  - msp-agent-core.exe (PID: 7792)
- Reads the time zone
  - fmplugin.exe (PID: 6596)
- Disables trace logs
  - FileCacheServiceAgent.exe (PID: 1524)
  - NetworkManagement.exe (PID: 864)
- SQLite executable
  - NetworkManagementInstall.tmp (PID: 7568)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.exe	\|	Win32 Executable MS Visual C++ (generic) (42.2)
.exe	\|	Win64 Executable (generic) (37.3)
.dll	\|	Win32 Dynamic Link Library (generic) (8.8)
.exe	\|	Win32 Executable (generic) (6)
.exe	\|	Generic Win/DOS Executable (2.7)

EXIF

EXE

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2007:07:22 02:33:09+00:00
ImageFileCharacteristics:	No relocs, Executable, No line numbers, No symbols, 32-bit
PEType:	PE32
LinkerVersion:	6
CodeSize:	74752
InitializedDataSize:	21504
UninitializedDataSize:	-
EntryPoint:	0x11de6
OSVersion:	4
ImageVersion:	-
SubsystemVersion:	4
Subsystem:	Windows GUI
FileVersionNumber:	1.2.0.715
ProductVersionNumber:	1.2.0.715
FileFlagsMask:	0x003f
FileFlags:	(none)
FileOS:	Windows NT 32-bit
ObjectFileType:	Executable application
FileSubtype:	-
LanguageCode:	Neutral
CharacterSet:	Unicode
CompanyName:	N-able Technologies
FileDescription:	Advanced Monitoring Agent Setup
FileVersion:	-
InternalName:	-
OriginalFileName:	-
ProductName:	Advanced Monitoring Agent
ProductVersion:	-

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

320

Monitored processes

158

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

144

"icacls" "C:\ProgramData\MspPlatform\PME\ThirdPartyPatch" /remove:g *S-1-1-0

C:\Windows\SysWOW64\icacls.exe

—

PMESetup.tmp

User:

SYSTEM

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\syswow64\icacls.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\advapi32.dll

144

\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

—

NetworkManagement.exe

User:

SYSTEM

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

Console Window Host

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

404

"C:\Program Files (x86)\Take Control Agent\TCSettingsHlp.exe" -a -i LOGICnow

C:\Program Files (x86)\Take Control Agent\TCSettingsHlp.exe

—

MSP_Connect.exe

User:

SYSTEM

Integrity Level:

SYSTEM

Description:

TCSettingsHlp

Exit code:

Version:

7.50.26.1526

Modules

Images
c:\program files (x86)\take control agent\tcsettingshlp.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll

552

"C:\Program Files (x86)\MSP Agent\msp-agent-core.exe" --provisioning_state

C:\Program Files (x86)\Msp Agent\msp-agent-core.exe

—

winagent.exe

User:

SYSTEM

Company:

N-able Technologies, Ltd.

Integrity Level:

SYSTEM

Description:

N-able MSP Agent Core

Exit code:

Modules

Images
c:\program files (x86)\msp agent\msp-agent-core.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\advapi32.dll
c:\windows\syswow64\msvcrt.dll

752

"C:\Program Files (x86)\Take Control Agent\BASupSrvcUpdater.exe"

C:\Program Files (x86)\Take Control Agent\BASupSrvcUpdater.exe

services.exe

User:

SYSTEM

Company:

N-able Take Control

Integrity Level:

SYSTEM

Description:

N-able Take Control Agent

Version:

7.50.26.1526

Modules

Images
c:\program files (x86)\take control agent\basupsrvcupdater.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\acgenral.dll

756

"C:\WINDOWS\system32\sc.exe" qdescription SolarWinds.MSP.PME.Agent.PmeService

C:\Windows\SysWOW64\sc.exe

—

PMESetup.tmp

User:

SYSTEM

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

Service Control Manager Configuration Tool

Exit code:

1060

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\syswow64\sc.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\rpcrt4.dll

792

\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

—

sc.exe

User:

SYSTEM

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

Console Window Host

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

800

\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

—

icacls.exe

User:

SYSTEM

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

Console Window Host

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

800

\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

—

cmd.exe

User:

SYSTEM

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

Console Window Host

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

816

\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

—

msp-agent-core.exe

User:

SYSTEM

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

Console Window Host

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

Add for printing

Total events

132 716

Read events

131 672

Write events

950

Delete events

Modification events


(PID) Process:	(7836) agent.tmp	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Advanced Monitoring Agent_is1
Operation:	write	Name:	Inno Setup: Setup Version
Value: 5.5.3 (a)
(PID) Process:	(7836) agent.tmp	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Advanced Monitoring Agent_is1
Operation:	write	Name:	Inno Setup: App Path
Value: C:\Program Files (x86)\Advanced Monitoring Agent
(PID) Process:	(7836) agent.tmp	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Advanced Monitoring Agent_is1
Operation:	write	Name:	InstallLocation
Value: C:\Program Files (x86)\Advanced Monitoring Agent\
(PID) Process:	(7836) agent.tmp	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Advanced Monitoring Agent_is1
Operation:	write	Name:	Inno Setup: Icon Group
Value: Advanced Monitoring Agent
(PID) Process:	(7836) agent.tmp	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Advanced Monitoring Agent_is1
Operation:	write	Name:	Inno Setup: User
Value: admin
(PID) Process:	(7836) agent.tmp	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Advanced Monitoring Agent_is1
Operation:	write	Name:	Inno Setup: Language
Value: UKEnglish
(PID) Process:	(7836) agent.tmp	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Advanced Monitoring Agent_is1
Operation:	write	Name:	DisplayName
Value: Advanced Monitoring Agent
(PID) Process:	(7836) agent.tmp	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Advanced Monitoring Agent_is1
Operation:	write	Name:	UninstallString
Value: "C:\Program Files (x86)\Advanced Monitoring Agent\unins000.exe"
(PID) Process:	(7836) agent.tmp	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Advanced Monitoring Agent_is1
Operation:	write	Name:	QuietUninstallString
Value: "C:\Program Files (x86)\Advanced Monitoring Agent\unins000.exe" /SILENT
(PID) Process:	(7836) agent.tmp	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Advanced Monitoring Agent_is1
Operation:	write	Name:	NoModify
Value: 1

Add for printing

Executable files

679

Suspicious files

242

Text files

384

Unknown types

Dropped files

PID	Process	Filename		Type
7564	Documents-976709d2.exe	C:\Users\admin\AppData\Local\Temp\7ZipSfx.000\agent.exe		executable
		MD5:3A64AD48A8D03E7ECC9F58355B8E393F	SHA256:08CAF67A3DC4036552D26B87773B63620B2FC12455C8477F130FAE58EA77D0E4
7836	agent.tmp	C:\Users\admin\AppData\Local\Temp\is-HBINL.tmp\_isetup\_setup64.tmp		executable
		MD5:C8871EFD8AF2CF4D9D42D1FF8FADBF89	SHA256:E4FC574A01B272C2D0AED0EC813F6D75212E2A15A5F5C417129DD65D69768F40
7564	Documents-976709d2.exe	C:\Users\admin\AppData\Local\Temp\7ZipSfx.000\package.zip		compressed
		MD5:8D169351432BBFF5EABF9D1896828EF6	SHA256:5EDA46EE2E2793B8D5B3302A909567324BF9ED309B5265D4E3E2712F7FA22F43
7616	agent.exe	C:\Users\admin\AppData\Local\Temp\is-H1H7E.tmp\agent.tmp		executable
		MD5:A2C4D52C66B4B399FACADB8CC8386745	SHA256:6C0465CE64C07E729C399A338705941D77727C7D089430957DF3E91A416E9D2A
7836	agent.tmp	C:\Program Files (x86)\Advanced Monitoring Agent\is-848OE.tmp		text
		MD5:E4361DEF38811D2F295B5686BD2C2B5B	SHA256:0E5882114864D4A708B472D524063867FA770958B770B67FC0AF7F8ED4757AD2
7836	agent.tmp	C:\Program Files (x86)\Advanced Monitoring Agent\is-LHGSO.tmp		executable
		MD5:D7C918793B7F6EBFB34D34FCBF0A8749	SHA256:9C2F4F7BDAB3FFD39EFAF9DD904CF031A38E1253B6645A61A2FA8364E0808299
7836	agent.tmp	C:\Program Files (x86)\Advanced Monitoring Agent\unins000.exe		executable
		MD5:D7C918793B7F6EBFB34D34FCBF0A8749	SHA256:9C2F4F7BDAB3FFD39EFAF9DD904CF031A38E1253B6645A61A2FA8364E0808299
7836	agent.tmp	C:\Program Files (x86)\Advanced Monitoring Agent\1.lng		text
		MD5:E4361DEF38811D2F295B5686BD2C2B5B	SHA256:0E5882114864D4A708B472D524063867FA770958B770B67FC0AF7F8ED4757AD2
7836	agent.tmp	C:\Program Files (x86)\Advanced Monitoring Agent\2.lng		text
		MD5:94566142FEDCB1289CCD8E5D67D36EC5	SHA256:8922C25B3A4D394F4AF801F469493D8B0941C6ED03D31C00A616E53D930D8934
7836	agent.tmp	C:\Program Files (x86)\Advanced Monitoring Agent\4.lng		text
		MD5:AE2624E65E959A3CC5BFD1C90F85231F	SHA256:999EB14EABFBDAF625E5BBCC5237318B2DB016CDDCFB3827E3A262064589666C

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

381

TCP/UDP connections

144

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
8052	winagent.exe	POST	200	104.18.39.236:443	https://upload1.am.remote.management/command/agentprocessor_v2.php	US	xml	155 b	unknown
8052	winagent.exe	POST	200	104.18.39.236:443	https://upload2.am.remote.management/command/agentprocessor_v2.php	US	xml	297 b	unknown
2216	svchost.exe	GET	200	51.104.136.2:443	https://settings-win.data.microsoft.com/settings/v3.0/WSD/WaaSAssessment?os=Windows&osVer=10.0.19041.1.amd64fre.vb_release.191206-&ring=Retail&sku=48&deviceClass=Windows.Desktop&locale=en-US&deviceId=BAD99146-31D3-4EC6-A1A4-BE76F32BA5D4&FlightRing=Retail&TelemetryLevel=1&HidOverGattReg=C%3A%5CWINDOWS%5CSystem32%5CDriverStore%5CFileRepository%5Chidbthle.inf_amd64_9610b4821fdf82a5%5CMicrosoft.Bluetooth.Profiles.HidOverGatt.dll&AppVer=10.0&ProcessorIdentifier=AMD64%20Family%2023%20Model%201%20Stepping%202&OEMModel=DELL&UpdateOfferedDays=562&ProcessorManufacturer=AuthenticAMD&InstallDate=1661339444&OEMModelBaseBoard=&BranchReadinessLevel=CB&OEMSubModel=J5CR&IsCloudDomainJoined=0&DeferFeatureUpdatePeriodInDays=30&IsDeviceRetailDemo=0&FlightingBranchName=&OSUILocale=en-US&DeviceFamily=Windows.Desktop&WuClientVer=10.0.19041.3996&UninstallActive=1&IsFlightingEnabled=0&OSSkuId=48&ProcessorClockSpeed=3094&TotalPhysicalRAM=6144&SecureBootCapable=0&App=WaaSAssessment&ProcessorCores=6&CurrentBranch=vb_release&InstallLanguage=en-US&DeferQualityUpdatePeriodInDays=0&ServicingBranch=CB&OEMName_Uncleaned=DELL&TPMVersion=0&PrimaryDiskTotalCapacity=262144&InstallationType=Client&AttrDataVer=186&ProcessorModel=AMD%20Ryzen%205%203500%206-Core%20Processor&IsEdgeWithChromiumInstalled=1&OSVersion=10.0.19045.4046&IsMDMEnrolled=0&ActivationChannel=Retail&HonorWUfBDeferrals=1&FirmwareVersion=A.40&TrendInstalledKey=1&OSArchitecture=AMD64&DefaultUserRegion=244&UpdateManagementGroup=2	US	text	5.51 Kb	whitelisted
2216	svchost.exe	GET	200	2.16.241.12:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	NL	binary	825 b	whitelisted
2216	svchost.exe	GET	200	23.59.18.102:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	US	binary	814 b	whitelisted
6768	MoUsoCoreWorker.exe	GET	304	4.231.128.59:443	https://settings-win.data.microsoft.com/settings/v3.0/OneSettings/Client?OSVersionFull=10.0.19045.4046.amd64fre.vb_release.191206-1406&LocalDeviceID=s%3ABAD99146-31D3-4EC6-A1A4-BE76F32BA5D4&FlightRing=Retail&AttrDataVer=186&OSUILocale=en-US&OSSkuId=48&App=WOSC&AppVer=&IsFlightingEnabled=0&TelemetryLevel=1&DeviceFamily=Windows.Desktop	US	—	—	whitelisted
8052	winagent.exe	POST	200	104.18.39.236:443	https://upload3.am.remote.management/command/agentprocessor_v2.php	US	xml	661 b	unknown
2216	svchost.exe	GET	200	4.231.128.59:443	https://settings-win.data.microsoft.com/settings/v3.0/WSD/UpdateHealthTools?os=Windows&osVer=10.0.19041.1.amd64fre.vb_release.191206-&sku=48&deviceClass=Windows.Desktop&locale=en-US&deviceId=s:BAD99146-31D3-4EC6-A1A4-BE76F32BA5D4&sampleId=s:95271487&appVer=10.0.19041.3626&FlightRing=Retail&TelemetryLevel=1&HidOverGattReg=C%3A%5CWINDOWS%5CSystem32%5CDriverStore%5CFileRepository%5Chidbthle.inf_amd64_9610b4821fdf82a5%5CMicrosoft.Bluetooth.Profiles.HidOverGatt.dll&AppVer=&ProcessorIdentifier=AMD64%20Family%2023%20Model%201%20Stepping%202&OEMModel=DELL&UpdateOfferedDays=562&ProcessorManufacturer=AuthenticAMD&InstallDate=1661339444&OEMModelBaseBoard=&BranchReadinessLevel=CB&OEMSubModel=J5CR&IsCloudDomainJoined=0&DeferFeatureUpdatePeriodInDays=30&IsDeviceRetailDemo=0&FlightingBranchName=&OSUILocale=en-US&DeviceFamily=Windows.Desktop&WuClientVer=10.0.19041.3996&UninstallActive=1&IsFlightingEnabled=0&OSSkuId=48&ProcessorClockSpeed=3094&TotalPhysicalRAM=6144&SecureBootCapable=0&App=SedimentPack&ProcessorCores=6&CurrentBranch=vb_release&InstallLanguage=en-US&DeferQualityUpdatePeriodInDays=0&OEMName_Uncleaned=DELL&TPMVersion=0&PrimaryDiskTotalCapacity=262144&InstallationType=Client&AttrDataVer=186&ProcessorModel=AMD%20Ryzen%205%203500%206-Core%20Processor&IsEdgeWithChromiumInstalled=1&OSVersion=10.0.19045.4046&IsMDMEnrolled=0&ActivationChannel=Retail&FirmwareVersion=A.40&TrendInstalledKey=1&OSArchitecture=AMD64&DefaultUserRegion=244&UpdateManagementGroup=2	US	text	1.43 Kb	whitelisted
8052	winagent.exe	GET	200	149.13.75.67:443	https://rm-downloads.logicnow.com/fmplugin_binaries/fmplugin_core-release_1.5.59-65503b57-1.zip	US	compressed	128 Kb	unknown
3036	vcredist_x86.exe	GET	200	23.59.18.102:80	http://www.microsoft.com/pkiops/crl/MicCodSigPCA2011_2011-07-08.crl	US	binary	1.05 Kb	whitelisted

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:137	—	Not routed	—	whitelisted
2216	svchost.exe	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
6768	MoUsoCoreWorker.exe	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
3488	RUXIMICS.exe	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
4	System	192.168.100.255:138	—	Not routed	—	whitelisted
8052	winagent.exe	104.18.39.236:443	upload1.am.remote.management	CLOUDFLARENET	US	whitelisted
2216	svchost.exe	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
2216	svchost.exe	2.16.241.12:80	crl.microsoft.com	AKAMAI-ASN1	NL	whitelisted
2216	svchost.exe	23.59.18.102:80	www.microsoft.com	AKAMAI-AS	US	whitelisted
8052	winagent.exe	149.13.75.67:443	rm-downloads.logicnow.com	I-3	US	whitelisted

DNS requests

Domain	IP	Reputation
settings-win.data.microsoft.com	4.231.128.59 51.104.136.2	whitelisted
google.com	142.250.185.206	whitelisted
upload1.am.remote.management	104.18.39.236 172.64.148.20	unknown
upload2.am.remote.management	104.18.39.236 172.64.148.20	whitelisted
crl.microsoft.com	2.16.241.12 2.16.241.19	whitelisted
www.microsoft.com	23.59.18.102 88.221.169.152	whitelisted
upload3.am.remote.management	104.18.39.236 172.64.148.20	unknown
rm-downloads.logicnow.com	149.13.75.67	whitelisted
login.live.com	40.126.31.129 40.126.31.128 40.126.31.130 20.190.159.128 20.190.159.75 20.190.159.64 40.126.31.67 40.126.31.2 20.190.159.129 40.126.31.73 40.126.31.0 40.126.31.69 20.190.159.4 40.126.31.1	whitelisted
ocsp.digicert.com	23.63.118.230 184.30.131.245	whitelisted

Threats

PID	Process	Class	Message
2292	svchost.exe	Potential Corporate Privacy Violation	ET INFO Observed DNS Query for Suspicious TLD (.management)
2292	svchost.exe	Misc activity	ET INFO Observed RMM Domain in DNS Lookup (remote .management)
8052	winagent.exe	Misc activity	ET INFO Observed RMM Domain in TLS SNI (remote .management)
2292	svchost.exe	Potential Corporate Privacy Violation	ET INFO Observed DNS Query for Suspicious TLD (.management)
2292	svchost.exe	Misc activity	ET INFO Observed RMM Domain in DNS Lookup (remote .management)
8052	winagent.exe	Misc activity	ET INFO Observed RMM Domain in TLS SNI (remote .management)
—	—	Unknown Traffic	ET USER_AGENTS Microsoft Dr Watson User-Agent (MSDW)
2292	svchost.exe	Potential Corporate Privacy Violation	ET INFO Observed DNS Query for Suspicious TLD (.management)
8052	winagent.exe	Misc activity	ET INFO Observed RMM Domain in TLS SNI (remote .management)
2292	svchost.exe	Misc activity	ET INFO Observed RMM Domain in DNS Lookup (remote .management)

Add for printing

Process	Message
NetworkManagement.exe	Native library pre-loader is trying to load native SQLite library "C:\Program Files\Advanced Monitoring Agent Network Management\x64\SQLite.Interop.dll"...
NetworkManagement.exe	Native library pre-loader is trying to load native SQLite library "C:\Program Files\Advanced Monitoring Agent Network Management\x64\SQLite.Interop.dll"...

General Info

Documents-976709d2.exe

C7BA7DCED9C33D57491B026E61D5773B

52FC1EBDF313D32E094BAC737B8B272EA371FA48

B83E62FA4084BFF95AE93E3BE1D7D1AB61786273394981647D6DCACACA19F9B2

196608:tet4U65AYTsq6P66XfO5ER/Qnm3RvzMjb0NABuKShRa:wt4U65AD2sfswRvzMUNABuphRa

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Changes the autorun value in the registry

Changes settings of System certificates

Changes the Windows auto-update feature

SUSPICIOUS

Reads security settings of Internet Explorer

Executable content was dropped or overwritten

Reads the Windows owner or organization settings

Searches for installed software

Creates/Modifies COM task schedule object

The process checks if it is being run in the virtual environment

Potential Corporate Privacy Violation

Process drops legitimate windows executable

Application launched itself

Using short paths in the command line

Executes as Windows Service

There is functionality for taking screenshot (YARA)

The process drops C-runtime libraries

Using the short paths format

The process creates files with name similar to system file names

Starts itself from another location

Uses TASKKILL.EXE to kill process

Executes application which crashes

Drops 7-zip archiver for unpacking

Adds/modifies Windows certificates

Creates or modifies Windows services

The process executes via Task Scheduler

Windows service management via SC.EXE

Uses ICACLS.EXE to modify access control lists

Restarts service on failure

Starts SC.EXE for service management

Starts CMD.EXE for commands execution

Starts POWERSHELL.EXE for commands execution

Gets system UUID (POWERSHELL)

INFO

Process checks computer location settings

Checks supported languages

Create files in a temporary directory

Reads the computer name

The sample compiled with english language support

Creates files in the program directory

Creates a software uninstall entry

Reads product name

Reads Environment values

Launching a file from a Registry key

Creates files or folders in the user directory

Reads the machine GUID from the registry

Checks proxy server information

Manages system restore points

The sample compiled with german language support

Creating file in SysWOW64

The sample compiled with russian language support

The sample compiled with spanish language support

The sample compiled with Italian language support

The sample compiled with french language support

The sample compiled with korean language support

Executable content was dropped or overwritten

The sample compiled with chinese language support

Reads Windows Product ID

Compiled with Borland Delphi (YARA)

Process checks whether UAC notifications are on

Checks operating system version

Drops encrypted JS script (Microsoft Script Encoder)

Reads the time zone

Disables trace logs

SQLite executable

Malware configuration

Static information

TRiD