File name:

_bb299ca292d35ba826fab67355c4d4ec9aef3663f1e0910203747dbf027e16ef.exe

Full analysis: https://app.any.run/tasks/eef22b37-c22e-4d9c-bb2a-f4fdc18d14c7
Verdict: Malicious activity (sandbox verdict; what it flags is the install and persistence of the Datto RMM / CentraStage agent named in the tags, which is hostile only where the deployment is not sanctioned)
Analysis date: March 05, 2026, 10:29:00
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
auto-reg
datto
rmm-tool
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows, Nullsoft Installer self-extracting archive, 7 sections
MD5:

0234FBA371F020E6A07CE214B07017CB

SHA1:

FB367104773A508B6589378C09D343DE9B443A85

SHA256:

BB299CA292D35BA826FAB67355C4D4EC9AEF3663F1E0910203747DBF027E16EF

SSDEEP:

98304:gAz6WTv7klWurdCNJkrMtrUTvDnsZi7Ix8o942YqpSvP0ctvpi0JHNoB9BNroaYU:KAM9z0Q/2YMgB/0

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Changes the autorun value in the registry

      • _bb299ca292d35ba826fab67355c4d4ec9aef3663f1e0910203747dbf027e16ef.exe (PID: 5168)
    • Registers / Runs the DLL via REGSVR32.EXE

      • CagService.exe (PID: 6284)
    • DATTO has been detected

      • CagService.exe (PID: 6284)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • _bb299ca292d35ba826fab67355c4d4ec9aef3663f1e0910203747dbf027e16ef.exe (PID: 5168)
    • Malware-specific behavior (creating "System.dll" in Temp; for an NSIS package such as this one, per the file info above, System.dll in %TEMP% is the installer's own System plugin rather than a dropped payload)

      • _bb299ca292d35ba826fab67355c4d4ec9aef3663f1e0910203747dbf027e16ef.exe (PID: 5168)
    • The process creates files with name similar to system file names

      • _bb299ca292d35ba826fab67355c4d4ec9aef3663f1e0910203747dbf027e16ef.exe (PID: 5168)
    • Executes as Windows Service

      • CagService.exe (PID: 6284)
    • Creates or modifies Windows services

      • CagService.exe (PID: 6284)
    • Searches for installed software

      • CagService.exe (PID: 6284)
    • Creates/Modifies COM task schedule object

      • regsvr32.exe (PID: 2428)
  • INFO

    • Creates files in the program directory

      • _bb299ca292d35ba826fab67355c4d4ec9aef3663f1e0910203747dbf027e16ef.exe (PID: 5168)
      • CagService.exe (PID: 6284)
      • Gui.exe (PID: 8892)
    • Checks supported languages

      • _bb299ca292d35ba826fab67355c4d4ec9aef3663f1e0910203747dbf027e16ef.exe (PID: 5168)
      • CagService.exe (PID: 6284)
      • Gui.exe (PID: 8892)
      • Gui.exe (PID: 7684)
    • There is functionality for taking screenshot (YARA)

      • _bb299ca292d35ba826fab67355c4d4ec9aef3663f1e0910203747dbf027e16ef.exe (PID: 5168)
      • Gui.exe (PID: 8892)
    • The sample compiled with english language support

      • _bb299ca292d35ba826fab67355c4d4ec9aef3663f1e0910203747dbf027e16ef.exe (PID: 5168)
    • Reads the computer name

      • _bb299ca292d35ba826fab67355c4d4ec9aef3663f1e0910203747dbf027e16ef.exe (PID: 5168)
      • CagService.exe (PID: 6284)
      • Gui.exe (PID: 8892)
      • Gui.exe (PID: 7684)
    • Reads security settings of Internet Explorer

      • CagService.exe (PID: 6284)
      • Gui.exe (PID: 8892)
      • Gui.exe (PID: 7684)
    • Create files in a temporary directory

      • _bb299ca292d35ba826fab67355c4d4ec9aef3663f1e0910203747dbf027e16ef.exe (PID: 5168)
    • Launching a file from a Registry key

      • _bb299ca292d35ba826fab67355c4d4ec9aef3663f1e0910203747dbf027e16ef.exe (PID: 5168)
    • Creates a software uninstall entry

      • _bb299ca292d35ba826fab67355c4d4ec9aef3663f1e0910203747dbf027e16ef.exe (PID: 5168)
      • CagService.exe (PID: 6284)
    • DATTO has been detected

      • _bb299ca292d35ba826fab67355c4d4ec9aef3663f1e0910203747dbf027e16ef.exe (PID: 5168)
      • CagService.exe (PID: 6284)
      • Gui.exe (PID: 8892)
      • Gui.exe (PID: 7684)
    • Reads the machine GUID from the registry

      • CagService.exe (PID: 6284)
      • Gui.exe (PID: 8892)
      • Gui.exe (PID: 7684)
    • Creates files or folders in the user directory

      • Gui.exe (PID: 8892)
    • Checks proxy server information

      • CagService.exe (PID: 6284)
      • slui.exe (PID: 6904)
    • Reads Environment values

      • CagService.exe (PID: 6284)
    • Manual execution by a user

      • Gui.exe (PID: 7684)
No Malware configuration.

TRiD

.exe | InstallShield setup (36.8)
.exe | Win32 Executable MS Visual C++ (generic) (26.6)
.exe | Win64 Executable (generic) (23.6)
.dll | Win32 Dynamic Link Library (generic) (5.6)
.exe | Win32 Executable (generic) (3.8)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2016:04:27 01:27:51+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit, No debug
PEType: PE32
LinkerVersion: 2.26
CodeSize: 35328
InitializedDataSize: 38912
UninitializedDataSize: 154112
EntryPoint: 0x4167
OSVersion: 4
ImageVersion: 6
SubsystemVersion: 4
Subsystem: Windows GUI
No data.

Screenshots: all screenshots are available in the full report
Total processes
153
Monitored processes
9
Malicious processes
1
Suspicious processes
1

Behavior graph

Processes shown in the graph, in order of appearance ("no specs" is the report's marker for a process with no indicators of its own):
  • _bb299ca292d35ba826fab67355c4d4ec9aef3663f1e0910203747dbf027e16ef.exe
  • cagservice.exe
  • conhost.exe (no specs)
  • gui.exe (no specs)
  • regsvr32.exe (no specs)
  • regsvr32.exe (no specs)
  • gui.exe (no specs)
  • slui.exe
  • _bb299ca292d35ba826fab67355c4d4ec9aef3663f1e0910203747dbf027e16ef.exe (no specs)

Process information

PID:
2428
CMD:
/s "C:\Program Files (x86)\CentraStage\scvncctrl.dll"
Path:
C:\Windows\SysWOW64\regsvr32.exe
Parent process:
regsvr32.exe (the 64-bit instance, PID 6432, hands the 32-bit DLL off to its SysWOW64 counterpart, which is why the logged command line carries only the /s switch and the DLL path)
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Microsoft(C) Register Server
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\regsvr32.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\aclayers.dll
PID:
5168
CMD:
"C:\Users\admin\Desktop\_bb299ca292d35ba826fab67355c4d4ec9aef3663f1e0910203747dbf027e16ef.exe"
Path:
C:\Users\admin\Desktop\_bb299ca292d35ba826fab67355c4d4ec9aef3663f1e0910203747dbf027e16ef.exe
Parent process:
explorer.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
Modules
Images
c:\users\admin\desktop\_bb299ca292d35ba826fab67355c4d4ec9aef3663f1e0910203747dbf027e16ef.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
PID:
6284
CMD:
"C:\Program Files (x86)\CentraStage\CagService.exe"
Path:
C:\Program Files (x86)\CentraStage\CagService.exe
Parent process:
services.exe
User:
SYSTEM
Company:
CentraStage
Integrity Level:
SYSTEM
Description:
CentraStage Service
Version:
4.4.10516.10516
Modules
Images
c:\program files (x86)\centrastage\cagservice.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
PID:
6432
CMD:
"C:\WINDOWS\system32\regsvr32.exe" /s "C:\Program Files (x86)\CentraStage\scvncctrl.dll"
Path:
C:\Windows\System32\regsvr32.exe
Parent process:
CagService.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Microsoft(C) Register Server
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\regsvr32.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
PID:
6904
CMD:
C:\WINDOWS\System32\slui.exe -Embedding
Path:
C:\Windows\System32\slui.exe
Parent process:
svchost.exe (the Windows activation client started as a COM server; it is not a child of the sample and its proxy lookup above is OS background activity)
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
PID:
7684
CMD:
"C:\Program Files (x86)\CentraStage\Gui.exe"
Path:
C:\Program Files (x86)\CentraStage\Gui.exe
Parent process:
explorer.exe
User:
admin
Company:
CentraStage
Integrity Level:
MEDIUM
Description:
Agent Browser
Exit code:
0
Version:
4.4.10516.10516
Modules
Images
c:\program files (x86)\centrastage\gui.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\mscoree.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\advapi32.dll
PID:
8892
CMD:
"C:\Program Files (x86)\CentraStage\Gui.exe"
Path:
C:\Program Files (x86)\CentraStage\Gui.exe
Parent process:
_bb299ca292d35ba826fab67355c4d4ec9aef3663f1e0910203747dbf027e16ef.exe
User:
admin
Company:
CentraStage
Integrity Level:
HIGH
Description:
Agent Browser
Version:
4.4.10516.10516
Modules
Images
c:\program files (x86)\centrastage\gui.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\mscoree.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
PID:
8952
CMD:
"C:\Users\admin\Desktop\_bb299ca292d35ba826fab67355c4d4ec9aef3663f1e0910203747dbf027e16ef.exe"
Path:
C:\Users\admin\Desktop\_bb299ca292d35ba826fab67355c4d4ec9aef3663f1e0910203747dbf027e16ef.exe
Parent process:
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
3221226540 (0xC000042C, STATUS_ELEVATION_REQUIRED: the installer requires elevation, so this medium-integrity launch did not proceed; PID 5168, the HIGH-integrity instance, is the run that performed the install)
Modules
Images
c:\users\admin\desktop\_bb299ca292d35ba826fab67355c4d4ec9aef3663f1e0910203747dbf027e16ef.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
PID:
8976
CMD:
\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path:
C:\Windows\System32\conhost.exe
Parent process:
CagService.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Console Window Host
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
Total events
17 585
Read events
17 549
Write events
36
Delete events
0

Modification events

Process: (5168) _bb299ca292d35ba826fab67355c4d4ec9aef3663f1e0910203747dbf027e16ef.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run
Operation: write
Name: CentraStage
Value: C:\Program Files (x86)\CentraStage\Gui.exe

Process: (5168) _bb299ca292d35ba826fab67355c4d4ec9aef3663f1e0910203747dbf027e16ef.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\CentraStage
Operation: write
Name: DisplayName
Value: CentraStage

Process: (5168) _bb299ca292d35ba826fab67355c4d4ec9aef3663f1e0910203747dbf027e16ef.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\CentraStage
Operation: write
Name: UninstallString
Value: "C:\Program Files (x86)\CentraStage\uninst.exe"

Process: (5168) _bb299ca292d35ba826fab67355c4d4ec9aef3663f1e0910203747dbf027e16ef.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\CentraStage
Operation: write
Name: DisplayIcon
Value: C:\Program Files (x86)\CentraStage\CSIcon.ico

Process: (5168) _bb299ca292d35ba826fab67355c4d4ec9aef3663f1e0910203747dbf027e16ef.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\CentraStage
Operation: write
Name: URLInfoAbout
Value: http://www.centrastage.com

Process: (5168) _bb299ca292d35ba826fab67355c4d4ec9aef3663f1e0910203747dbf027e16ef.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\CentraStage
Operation: write
Name: Publisher
Value: CentraStage Limited

Process: (5168) _bb299ca292d35ba826fab67355c4d4ec9aef3663f1e0910203747dbf027e16ef.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\CentraStage
Operation: write
Name: AgentFolderLocation
Value: C:\ProgramData\CentraStage

Process: (5168) _bb299ca292d35ba826fab67355c4d4ec9aef3663f1e0910203747dbf027e16ef.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\CentraStage
Operation: write
Name: AgentFolderStatus
Value: 0

Process: (6284) CagService.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\cag
Operation: write
Name: URL Protocol
Value: (empty in the report; the presence of a URL Protocol value registers cag: as a custom URI scheme handled by the agent)

Process: (6284) CagService.exe
Key: HKEY_USERS\S-1-5-21-1693682860-607145093-2874071422-1001_Classes\cag
Operation: write
Name: URL Protocol
Value: (empty in the report; same registration in the logged-on user's class hive)
Executable files
44
Suspicious files
6
Text files
64
Unknown types
2

Dropped files

All files below were written by PID 5168 (_bb299ca292d35ba826fab67355c4d4ec9aef3663f1e0910203747dbf027e16ef.exe); the type is the report's classification.

C:\Program Files (x86)\CentraStage\CSIcon.ico (image)
MD5: 2F6FD9AA57AA40728A65FA006C7E0F17
SHA256: B59A0E0570D2A22CD51FB51FC106913F9048F2889FC3BD94A5A51BE1A5D102F9

C:\Program Files (x86)\CentraStage\Core.XmlSerializers.dll (binary)
MD5: 234829A34A9D264DACD52C5B0CBDB95A
SHA256: 0DF23B577E3CB2CF8B1FC356EB3A70FAEB89E3974871855E2C2FF33953053371

C:\Program Files (x86)\CentraStage\AxInterop.ViewerX.dll (executable)
MD5: EDC5E696C4AD70F0BE6301F703AB3672
SHA256: C6E5F17B2BC91202A1C6A9F3F0547CD7F208368B4CFEBB53F234A55F87C5ACD5

C:\Program Files (x86)\CentraStage\Core.dll (executable)
MD5: B0F179E4047B97F8DE9744743E878486
SHA256: 87AF304C8FB7C84B15F160331E1A4C803EEB6F4632499875A7D8F438353DCC63

C:\Program Files (x86)\CentraStage\Microsoft.Threading.Tasks.Extensions.dll (executable)
MD5: 6AA2393FF1FDE1A61D0CF51730428F74
SHA256: 92F1D0D6CCFB0D030789F3C5C636FCDD08F6D0541A5A54F185E8ECD85592E3F9

C:\Program Files (x86)\CentraStage\Newtonsoft.Json.dll (executable)
MD5: 8F6875148B45C300B95514CB40703C2E
SHA256: EA7FD75E2BB069699D4DA09F3601D70CA8E401F58949178CDBF2C5928720DAA1

C:\Program Files (x86)\CentraStage\nlog.config (text)
MD5: B9FCB1CEE2D0E148EBFCB6E320DF79E0
SHA256: 926A539315D76D6F0A9A434DFD94A3753D235E6F429ED8E93EB059DA201770F3

C:\Program Files (x86)\CentraStage\defaultbrand.zip (compressed)
MD5: 5DB82D5D934D6FF953D0BE925FF4F602
SHA256: 1C223165DA67E6FD0B408F19428D4424012892D5684BA7149B58F5F5EB4FE6CE

C:\Program Files (x86)\CentraStage\FSharp.Core.dll (executable)
MD5: 99A817A04B25690B98EDF3370ED2EB83
SHA256: 9292EB06BF4CD100C94ABD2949A96351A0F3710008674993C7491DA578E1EDE1

C:\Program Files (x86)\CentraStage\ICSharpCode.SharpZipLib.dll (executable)
MD5: C8164876B6F66616D68387443621510C
SHA256: 40B3D590F95191F3E33E5D00E534FA40F823D9B1BB2A9AFE05F139C4E0A3AF8D
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
21
TCP/UDP connections
29
DNS requests
15
Threats
7

HTTP requests

None of the requests listed here come from the sample's own processes; they are Windows background traffic (update settings, CRL downloads, Bing). The agent's own traffic appears as the vidalcc.centrastage.net lookup under DNS requests and as TLS SNI under Threats.

PID Process | Method | HTTP code | IP:port | CN | Type, Size | Reputation
5520 RUXIMICS.exe | GET | 304 | 20.73.194.208:443
https://settings-win.data.microsoft.com/settings/v3.0/WSD/RUXIM?os=Windows&osVer=10.0.19045.4046.amd64fre.vb_release.191206-1406&sku=48&deviceClass=Windows.Desktop&locale=en-US&deviceId=s:BAD99146-31D3-4EC6-A1A4-BE76F32BA5D4&sampleId=s:95271487&appVer=10.0.19041.3623&OSVersionFull=10.0.19045.4046.amd64fre.vb_release.191206-1406&FlightRing=Retail&AttrDataVer=186&App=RUXIM&AppVer=&DeviceFamily=Windows.Desktop
  CN: US | whitelisted
6768 MoUsoCoreWorker.exe | GET | 304 | 20.73.194.208:443
https://settings-win.data.microsoft.com/settings/v3.0/wsd/muse?ProcessorClockSpeed=3094&FlightIds=&UpdateOfferedDays=4294967295&BranchReadinessLevel=CB&OEMManufacturerName=DELL&IsCloudDomainJoined=0&ProcessorIdentifier=AMD64%20Family%2023%20Model%201%20Stepping%202&sku=48&ActivationChannel=Retail&AttrDataVer=186&IsMDMEnrolled=0&ProcessorCores=6&ProcessorModel=AMD%20Ryzen%205%203500%206-Core%20Processor&TotalPhysicalRAM=6144&PrimaryDiskType=4294967295&FlightingBranchName=&ChassisTypeId=1&OEMModelNumber=DELL&SystemVolumeTotalCapacity=260281&sampleId=95271487&deviceClass=Windows.Desktop&App=muse&DisableDualScan=0&AppVer=10.0&OEMSubModel=J5CR&locale=en-US&IsAlwaysOnAlwaysConnectedCapable=0&ms=0&DefaultUserRegion=244&UpdateServiceUrl=http%3A%2F%2Fneverupdatewindows10.com&osVer=10.0.19045.4046.amd64fre.vb_release.191206-1406&os=windows&deviceId=s%3ABAD99146-31D3-4EC6-A1A4-BE76F32BA5D4&DeferQualityUpdatePeriodInDays=0&ring=Retail&DeferFeatureUpdatePeriodInDays=30
  CN: US | whitelisted
5412 svchost.exe | GET | 200 | 23.59.18.102:80 | CN: US | binary, 814 b | whitelisted
  http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
6768 MoUsoCoreWorker.exe | GET | 200 | 2.16.164.49:80 | CN: NL | binary, 825 b | whitelisted
  http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
5520 RUXIMICS.exe | GET | 200 | 2.16.164.49:80 | CN: NL | binary, 825 b | whitelisted
  http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
5412 svchost.exe | GET | 200 | 2.16.164.49:80 | CN: NL | binary, 825 b | whitelisted
  http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
5520 RUXIMICS.exe | GET | 200 | 23.59.18.102:80 | CN: US | binary, 814 b | whitelisted
  http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
6768 MoUsoCoreWorker.exe | GET | 200 | 23.59.18.102:80 | CN: US | binary, 814 b | whitelisted
  http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
5568 SearchApp.exe | POST | 204 | 2.16.204.139:443 | CN: NL | whitelisted
  https://www.bing.com/threshold/xls.aspx?t=5&dl=1&wsbc=1
(PID/process not listed) | POST | 204 | 2.16.204.138:443 | CN: unknown | whitelisted
  https://www.bing.com/threshold/xls.aspx?t=5&dl=1&wsbc=1

Connections

PID Process | IP:port | Domain | ASN | CN | Reputation
4 System | 192.168.100.255:137 | Not routed | whitelisted
5412 svchost.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
5520 RUXIMICS.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
6768 MoUsoCoreWorker.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
4 System | 192.168.100.255:138 | Not routed | whitelisted
5412 svchost.exe | 2.16.164.49:80 | crl.microsoft.com | AKAMAI-ASN1 | NL | whitelisted
5520 RUXIMICS.exe | 2.16.164.49:80 | crl.microsoft.com | AKAMAI-ASN1 | NL | whitelisted
6768 MoUsoCoreWorker.exe | 2.16.164.49:80 | crl.microsoft.com | AKAMAI-ASN1 | NL | whitelisted
5412 svchost.exe | 23.59.18.102:80 | www.microsoft.com | AKAMAI-AS | US | whitelisted
5520 RUXIMICS.exe | 23.59.18.102:80 | www.microsoft.com | AKAMAI-AS | US | whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 20.73.194.208
  • 51.124.78.146
  • 40.127.240.158
whitelisted
self.events.data.microsoft.com
  • 20.42.65.93
  • 52.182.143.215
whitelisted
google.com
  • 142.251.37.14
whitelisted
crl.microsoft.com
  • 2.16.164.49
  • 2.16.164.120
whitelisted
www.microsoft.com
  • 23.59.18.102
whitelisted
vidalcc.centrastage.net
  • 44.199.36.241
  • 44.196.50.36
unknown
www.bing.com
  • 2.16.204.139
  • 2.16.204.151
  • 2.16.204.148
  • 2.16.204.142
  • 2.16.204.138
  • 2.16.204.141
  • 2.16.204.147
  • 2.16.204.149
  • 2.16.204.146
whitelisted
activation-v2.sls.microsoft.com
  • 48.192.1.65
whitelisted

Threats

PID Process | Class | Message
5412 svchost.exe | Unknown Traffic | ET USER_AGENTS Microsoft Dr Watson User-Agent (MSDW)
2292 svchost.exe | Misc activity | ET REMOTE_ACCESS DNS Query to Remote Monitoring and Management Domain (centrastage .net)
6284 CagService.exe | Misc activity | ET REMOTE_ACCESS Observed Remote Monitoring and Management Domain (centrastage .net in TLS SNI)
2292 svchost.exe | Misc activity | ET REMOTE_ACCESS DNS Query to Remote Monitoring and Management Domain (centrastage .net)
6284 CagService.exe | Misc activity | ET REMOTE_ACCESS Observed Remote Monitoring and Management Domain (centrastage .net in TLS SNI)
2292 svchost.exe | Misc activity | ET REMOTE_ACCESS DNS Query to Remote Monitoring and Management Domain (centrastage .net)
6284 CagService.exe | Misc activity | ET REMOTE_ACCESS Observed Remote Monitoring and Management Domain (centrastage .net in TLS SNI)

The six REMOTE_ACCESS alerts are the installed agent checking in to its platform host (vidalcc.centrastage.net, resolving to 44.199.36.241 and 44.196.50.36 per the DNS requests above). They identify RMM traffic rather than an exploit; what they leave open is whether that tenant is one this host should be enrolled in.
No debug info
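A triage check built from the artifacts this report records (the Run key write under Modification events, the silent regsvr32 registration of scvncctrl.dll, the CagService.exe service start, and the centrastage.net lookups under Threats), as an added example. This is my code, not ANY.RUN's or Datto's: the event dicts are constructed to mirror the report rather than taken from real telemetry, the Sysmon-like field names and the ATT&CK technique ids are my assumptions, and the approved-host list stands in for whatever platform hostnames your own tenant uses.

```python
"""Triage of the RMM artifacts in this report against host telemetry.

Added example, not ANY.RUN or Datto code. Event dicts are constructed to
mirror the report; Sysmon-like field names and ATT&CK ids are assumptions.
"""
from dataclasses import dataclass

# Artifacts recorded in the report (all comparisons are case-insensitive).
INSTALL_DIR = r"c:\program files (x86)\centrastage"
RUN_KEY = r"hkey_local_machine\software\wow6432node\microsoft\windows\currentversion\run"
SERVICE_IMAGE = INSTALL_DIR + r"\cagservice.exe"
VNC_DLL = INSTALL_DIR + r"\scvncctrl.dll"
RMM_DOMAIN_SUFFIX = ".centrastage.net"


@dataclass(frozen=True)
class Finding:
    event_index: int
    technique: str  # ATT&CK technique id (my mapping, see lead-in)
    detail: str


def _is_rmm_run_key(ev):
    """Run-key persistence: value CentraStage under the WOW6432Node Run key, pointing into the install dir."""
    return (ev["key"].lower() == RUN_KEY
            and ev["name"].lower() == "centrastage"
            and ev["data"].lower().startswith(INSTALL_DIR))


def _is_silent_vnc_registration(ev):
    """regsvr32 /s on the bundled VNC control. Matches the 64-bit call and the
    SysWOW64 re-launch, whose logged command line is only the switch and the DLL."""
    cmd = ev["cmdline"].lower()
    return (ev["image"].lower().endswith("\\regsvr32.exe")
            and "/s" in cmd.split()
            and VNC_DLL in cmd)


def _is_agent_service_start(ev):
    """CagService.exe started by the SCM, i.e. installed as a Windows service."""
    return (ev["image"].lower() == SERVICE_IMAGE
            and ev["parent_image"].lower().endswith("\\services.exe"))


def check_events(events, approved_rmm_hosts):
    """Return (findings, unapproved_hosts). approved_rmm_hosts are the platform
    hostnames this tenant is expected to reach; any other *.centrastage.net
    lookup is reported as unapproved."""
    approved = {h.lower() for h in approved_rmm_hosts}
    findings, unapproved = [], []
    for i, ev in enumerate(events):
        kind = ev["type"]
        if kind == "registry_set" and _is_rmm_run_key(ev):
            findings.append(Finding(i, "T1547.001", f"Run key {ev['name']} -> {ev['data']}"))
        elif kind == "process_create":
            if _is_silent_vnc_registration(ev):
                findings.append(Finding(i, "T1218.010", f"regsvr32 /s {VNC_DLL} (parent {ev['parent_image']})"))
            elif _is_agent_service_start(ev):
                findings.append(Finding(i, "T1543.003", f"{SERVICE_IMAGE} started by services.exe"))
        elif kind == "dns_query":
            host = ev["query"].lower()
            if host.endswith(RMM_DOMAIN_SUFFIX):
                findings.append(Finding(i, "T1219", f"RMM platform lookup {host}"))
                if host not in approved:
                    unapproved.append(host)
    return findings, unapproved


def verdict(findings, unapproved):
    """The binary is the vendor's installer either way; the endpoint decides."""
    if not findings:
        return "no RMM artifacts"
    if unapproved:
        return "unapproved RMM endpoint: escalate"
    return "known RMM deployment: confirm against change record"


# Constructed events mirroring the report's process, registry and DNS data.
SAMPLE_EVENTS = [
    {"type": "registry_set", "pid": 5168, "name": "CentraStage",
     "key": r"HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run",
     "data": r"C:\Program Files (x86)\CentraStage\Gui.exe"},
    {"type": "registry_set", "pid": 5168, "name": "DisplayName", "data": "CentraStage",
     "key": r"HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\CentraStage"},
    {"type": "process_create", "pid": 6284, "image": r"C:\Program Files (x86)\CentraStage\CagService.exe",
     "cmdline": r'"C:\Program Files (x86)\CentraStage\CagService.exe"',
     "parent_image": r"C:\Windows\System32\services.exe"},
    {"type": "process_create", "pid": 6432, "image": r"C:\Windows\System32\regsvr32.exe",
     "cmdline": r'"C:\WINDOWS\system32\regsvr32.exe" /s "C:\Program Files (x86)\CentraStage\scvncctrl.dll"',
     "parent_image": r"C:\Program Files (x86)\CentraStage\CagService.exe"},
    {"type": "process_create", "pid": 2428, "image": r"C:\Windows\SysWOW64\regsvr32.exe",
     "cmdline": r'/s "C:\Program Files (x86)\CentraStage\scvncctrl.dll"',
     "parent_image": r"C:\Windows\System32\regsvr32.exe"},
    {"type": "process_create", "pid": 7684, "image": r"C:\Program Files (x86)\CentraStage\Gui.exe",
     "cmdline": r'"C:\Program Files (x86)\CentraStage\Gui.exe"', "parent_image": r"C:\Windows\explorer.exe"},
    {"type": "dns_query", "pid": 2292, "query": "crl.microsoft.com"},
    {"type": "dns_query", "pid": 2292, "query": "vidalcc.centrastage.net"},
]

if __name__ == "__main__":
    found, bad = check_events(SAMPLE_EVENTS, ["vidalcc.centrastage.net"])
    for f in found:
        print(f"[{f.technique}] event {f.event_index}: {f.detail}")
    print(verdict(found, bad))
```

The point of the split verdict is that every artifact above (Run key, service, regsvr32 of the VNC control, the uninstall entry) looks identical whether an MSP pushed the agent or someone else ran the same installer, so the telemetry alone cannot carry the verdict; the platform hostname the agent checks in to is the one discriminator the data offers, which is why an unapproved host escalates while an approved one is routed to change verification.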