Malware analysis AgentSetup_Managed.exe Malicious activity

Add for printing

File name:	AgentSetup_Managed.exe
Full analysis:	https://app.any.run/tasks/795b5f21-bbe8-4a71-a47f-df45f099d3a9
Verdict:	Malicious activity
Analysis date:	January 17, 2026, 20:45:43
OS:	Windows 10 Professional (build: 19044, 64 bit)
Tags:	datto rmm-tool arch-exec arch-doc
Indicators:
MIME:	application/vnd.microsoft.portable-executable
File info:	PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows, Nullsoft Installer self-extracting archive, 7 sections
MD5:	A5D3B5C4F3E6BCF4D88045900726B9DD
SHA1:	74E8FCFA16902EA5AB29181BB07558DC2B3F8A9D
SHA256:	CCFA122CDED8CB993164B2BF8940CF5CAE3B9769246D13CC0F53660DE8A65BC8
SSDEEP:	98304:4Av6WTv7klWurdCyJkrMtrUTvDnsZi7Ix8o942YqpSvP0ctvpi0JHNoB9BNroaYy:JAM9z0Q/2YMgB/S

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 180 seconds
Heavy Evasion option:: off
Network geolocation:: off
Additional time used:: 120 seconds
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.3636.19041.0
Adobe Acrobat (64-bit) (23.001.20093)
Adobe Flash Player 32 NPAPI (32.0.0.465)
Adobe Flash Player 32 PPAPI (32.0.0.465)
CCleaner (6.20)
Google Chrome (133.0.6943.127)
Google Update Helper (1.3.36.51)
Java 8 Update 271 (64-bit) (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Microsoft Edge (133.0.3065.92)
Microsoft Office Professional 2019 - de-de (16.0.16026.20146)
Microsoft Office Professional 2019 - en-us (16.0.16026.20146)
Microsoft Office Professional 2019 - es-es (16.0.16026.20146)
Microsoft Office Professional 2019 - it-it (16.0.16026.20146)
Microsoft Office Professional 2019 - ja-jp (16.0.16026.20146)
Microsoft Office Professional 2019 - ko-kr (16.0.16026.20146)
Microsoft Office Professional 2019 - pt-br (16.0.16026.20146)
Microsoft Office Professional 2019 - tr-tr (16.0.16026.20146)
Microsoft Office Professionnel 2019 - fr-fr (16.0.16026.20146)
Microsoft Office профессиональный 2019 - ru-ru (16.0.16026.20146)
Microsoft OneNote - en-us (16.0.16026.20146)
Microsoft Update Health Tools (3.74.0.0)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x64 en-US) (136.0)
Mozilla Maintenance Service (136.0)
Notepad++ (64-bit x64) (7.9.1)
Office 16 Click-to-Run Extensibility Component (16.0.15726.20202)
Office 16 Click-to-Run Licensing Component (16.0.16026.20146)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15928.20198)
PowerShell 7-x64 (7.3.5.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.59.0.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.63.0.0)
Update for Windows 10 for x64-based Systems (KB4480730) (2.55.0.0)
Update for Windows 10 for x64-based Systems (KB5001716) (8.93.0.0)
VLC media player (3.0.11)
WinRAR 5.91 (64-bit) (5.91.0)
Windows PC Health Check (3.6.2204.08001)

Hotfixes

Client LanguagePack Package
DotNetRollup
DotNetRollup 481
FodMetadata Package
Foundation Package
Hello Face Package
InternetExplorer Optional Package
KB5003791
KB5011048
KB5015684
KB5033052
LanguageFeatures Basic en us Package
LanguageFeatures Handwriting en us Package
LanguageFeatures OCR en us Package
LanguageFeatures Speech en us Package
LanguageFeatures TextToSpeech en us Package
MSPaint FoD Package
MediaPlayer Package
Microsoft OneCore ApplicationModel Sync Desktop FOD Package
Microsoft OneCore DirectX Database FOD Package
NetFx3 OnDemand Package
Notepad FoD Package
OpenSSH Client Package
PowerShell ISE FOD Package
Printing PMCPPC FoD Package
Printing WFS FoD Package
ProfessionalEdition
QuickAssist Package
RollupFix
ServicingStack
ServicingStack 3989
StepsRecorder Package
TabletPCMath Package
UserExperience Desktop Package
WordPad FoD Package

Add for printing

MALICIOUS
- Changes the autorun value in the registry
  - AgentSetup_Managed.exe (PID: 7764)
  - RMM.WebRemote.exe (PID: 5168)
- Registers / Runs the DLL via REGSVR32.EXE
  - CagService.exe (PID: 8048)
- DATTO has been detected
  - CagService.exe (PID: 8048)
  - AEMAgent.exe (PID: 7908)
- Changes settings of System certificates
  - AEMAgent.exe (PID: 7908)
SUSPICIOUS
- Malware-specific behavior (creating "System.dll" in Temp)
  - AgentSetup_Managed.exe (PID: 7764)
- The process creates files with name similar to system file names
  - AgentSetup_Managed.exe (PID: 7764)
  - CagService.exe (PID: 8048)
- There is functionality for taking screenshot (YARA)
  - AgentSetup_Managed.exe (PID: 7764)
  - Gui.exe (PID: 8136)
  - RMM.WebRemote.exe (PID: 5168)
- Process drops legitimate windows executable
  - AgentSetup_Managed.exe (PID: 7764)
  - CagService.exe (PID: 8048)
  - AEMAgent.exe (PID: 7908)
- Executes as Windows Service
  - CagService.exe (PID: 8048)
- Executable content was dropped or overwritten
  - AgentSetup_Managed.exe (PID: 7764)
  - CagService.exe (PID: 8048)
  - AEMAgent.exe (PID: 7908)
  - RMM.WebRemote.exe (PID: 5168)
- Reads security settings of Internet Explorer
  - CagService.exe (PID: 8048)
  - Gui.exe (PID: 8136)
- Creates or modifies Windows services
  - CagService.exe (PID: 8048)
- Searches for installed software
  - CagService.exe (PID: 8048)
  - AEMAgent.exe (PID: 7908)
- Creates/Modifies COM task schedule object
  - regsvr32.exe (PID: 6544)
- Adds/modifies Windows certificates
  - AEMAgent.exe (PID: 7908)
- Uses NETSH.EXE to delete a firewall rule or allowed programs
  - AEMAgent.exe (PID: 7908)
  - RMM.WebRemote.exe (PID: 5168)
- Uses NETSH.EXE to add a firewall rule or allowed programs
  - AEMAgent.exe (PID: 7908)
  - RMM.WebRemote.exe (PID: 5168)
- Suspicious use of NETSH.EXE
  - AEMAgent.exe (PID: 7908)
INFO
- Checks supported languages
  - AgentSetup_Managed.exe (PID: 7764)
  - CagService.exe (PID: 8048)
  - Gui.exe (PID: 8136)
  - AEMAgent.exe (PID: 7440)
  - AEMAgent.exe (PID: 7908)
  - RMM.WebRemote.exe (PID: 5168)
- Creates files in the program directory
  - AgentSetup_Managed.exe (PID: 7764)
  - CagService.exe (PID: 8048)
  - Gui.exe (PID: 8136)
  - AEMAgent.exe (PID: 7440)
  - AEMAgent.exe (PID: 7908)
  - RMM.WebRemote.exe (PID: 5168)
- Create files in a temporary directory
  - AgentSetup_Managed.exe (PID: 7764)
- Launching a file from a Registry key
  - AgentSetup_Managed.exe (PID: 7764)
  - RMM.WebRemote.exe (PID: 5168)
- The sample compiled with english language support
  - AgentSetup_Managed.exe (PID: 7764)
  - CagService.exe (PID: 8048)
  - AEMAgent.exe (PID: 7908)
- Reads the computer name
  - AgentSetup_Managed.exe (PID: 7764)
  - CagService.exe (PID: 8048)
  - Gui.exe (PID: 8136)
  - AEMAgent.exe (PID: 7908)
  - RMM.WebRemote.exe (PID: 5168)
- Creates a software uninstall entry
  - AgentSetup_Managed.exe (PID: 7764)
  - CagService.exe (PID: 8048)
- Reads the machine GUID from the registry
  - CagService.exe (PID: 8048)
  - Gui.exe (PID: 8136)
  - AEMAgent.exe (PID: 7908)
- DATTO has been detected
  - AgentSetup_Managed.exe (PID: 7764)
  - CagService.exe (PID: 8048)
  - Gui.exe (PID: 8136)
  - CagService.exe (PID: 8048)
  - AEMAgent.exe (PID: 7440)
  - AEMAgent.exe (PID: 7908)
  - conhost.exe (PID: 6600)
  - conhost.exe (PID: 6156)
  - conhost.exe (PID: 6212)
  - conhost.exe (PID: 6904)
  - conhost.exe (PID: 5392)
  - AEMAgent.exe (PID: 7908)
  - conhost.exe (PID: 6444)
  - conhost.exe (PID: 2308)
  - conhost.exe (PID: 7424)
  - conhost.exe (PID: 1184)
  - conhost.exe (PID: 3136)
  - RMM.WebRemote.exe (PID: 5168)
  - conhost.exe (PID: 3044)
  - conhost.exe (PID: 4088)
  - conhost.exe (PID: 5036)
  - conhost.exe (PID: 412)
- Creates files or folders in the user directory
  - Gui.exe (PID: 8136)
- Checks proxy server information
  - CagService.exe (PID: 8048)
  - slui.exe (PID: 2096)
- Reads Environment values
  - CagService.exe (PID: 8048)
  - AEMAgent.exe (PID: 7908)
- Disables trace logs
  - CagService.exe (PID: 8048)
- Process checks computer location settings
  - AEMAgent.exe (PID: 7908)
- Reads security settings of Internet Explorer
  - netsh.exe (PID: 7356)
  - netsh.exe (PID: 8020)
  - netsh.exe (PID: 7568)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.exe	\|	InstallShield setup (36.8)
.exe	\|	Win32 Executable MS Visual C++ (generic) (26.6)
.exe	\|	Win64 Executable (generic) (23.6)
.dll	\|	Win32 Dynamic Link Library (generic) (5.6)
.exe	\|	Win32 Executable (generic) (3.8)

EXIF

EXE

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2016:04:27 01:27:51+00:00
ImageFileCharacteristics:	No relocs, Executable, No line numbers, No symbols, 32-bit, No debug
PEType:	PE32
LinkerVersion:	2.26
CodeSize:	35328
InitializedDataSize:	38912
UninitializedDataSize:	154112
EntryPoint:	0x4167
OSVersion:	4
ImageVersion:	6
SubsystemVersion:	4
Subsystem:	Windows GUI

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

187

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

412

"C:\WINDOWS\system32\netsh.exe" advfirewall firewall add rule name="AEMAgent" dir=out action=allow program="C:\ProgramData\CentraStage\AEMAgent\AEMAgent.exe" enable=yes

C:\Windows\System32\netsh.exe

—

AEMAgent.exe

User:

SYSTEM

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

Network Command Shell

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\netsh.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

412

\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

—

netsh.exe

User:

SYSTEM

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

Console Window Host

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

816

"C:\WINDOWS\system32\regsvr32.exe" /s "C:\Program Files (x86)\CentraStage\scvncctrl.dll"

C:\Windows\System32\regsvr32.exe

—

CagService.exe

User:

SYSTEM

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

Microsoft(C) Register Server

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\regsvr32.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll

1184

\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

—

netsh.exe

User:

SYSTEM

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

Console Window Host

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

2096

C:\WINDOWS\System32\slui.exe -Embedding

C:\Windows\System32\slui.exe

svchost.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows Activation Client

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll

2308

\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

—

netsh.exe

User:

SYSTEM

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

Console Window Host

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

3044

\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

—

netsh.exe

User:

SYSTEM

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

Console Window Host

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

3136

\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

—

netsh.exe

User:

SYSTEM

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

Console Window Host

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

3688

"C:\WINDOWS\system32\netsh.exe" advfirewall firewall delete rule name="RMM.WebRemote 14.7.0.3791"

C:\Windows\System32\netsh.exe

—

AEMAgent.exe

User:

SYSTEM

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

Network Command Shell

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\netsh.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

4088

\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

—

netsh.exe

User:

SYSTEM

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

Console Window Host

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

Add for printing

Total events

23 175

Read events

23 080

Write events

Delete events

Modification events


(PID) Process:	(7764) AgentSetup_Managed.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run
Operation:	write	Name:	CentraStage
Value: C:\Program Files (x86)\CentraStage\Gui.exe
(PID) Process:	(7764) AgentSetup_Managed.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\CentraStage
Operation:	write	Name:	DisplayName
Value: CentraStage
(PID) Process:	(7764) AgentSetup_Managed.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\CentraStage
Operation:	write	Name:	UninstallString
Value: "C:\Program Files (x86)\CentraStage\uninst.exe"
(PID) Process:	(7764) AgentSetup_Managed.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\CentraStage
Operation:	write	Name:	DisplayIcon
Value: C:\Program Files (x86)\CentraStage\CSIcon.ico
(PID) Process:	(7764) AgentSetup_Managed.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\CentraStage
Operation:	write	Name:	URLInfoAbout
Value: http://www.centrastage.com
(PID) Process:	(7764) AgentSetup_Managed.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\CentraStage
Operation:	write	Name:	Publisher
Value: CentraStage Limited
(PID) Process:	(7764) AgentSetup_Managed.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\CentraStage
Operation:	write	Name:	AgentFolderLocation
Value: C:\ProgramData\CentraStage
(PID) Process:	(7764) AgentSetup_Managed.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\CentraStage
Operation:	write	Name:	AgentFolderStatus
Value: 0
(PID) Process:	(8048) CagService.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\CentraStage
Operation:	write	Name:	AgentFolderStatus
Value: 3
(PID) Process:	(8048) CagService.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\CentraStage
Operation:	write	Name:	DisplayName
Value: Datto RMM

Add for printing

Executable files

416

Suspicious files

Text files

105

Unknown types

Dropped files

PID	Process	Filename		Type
7764	AgentSetup_Managed.exe	C:\Program Files (x86)\CentraStage\defaultbrand.zip		compressed
		MD5:BE0A3C9E7408BDD9A9D9D004CA01ABF2	SHA256:865CC74F5B77E1DDFFA260084633236186F16139E08B4FB81DB4AAD2442BDC34
7764	AgentSetup_Managed.exe	C:\Program Files (x86)\CentraStage\CSIcon.ico		image
		MD5:2F6FD9AA57AA40728A65FA006C7E0F17	SHA256:B59A0E0570D2A22CD51FB51FC106913F9048F2889FC3BD94A5A51BE1A5D102F9
7764	AgentSetup_Managed.exe	C:\Users\admin\AppData\Local\Temp\nsrE372.tmp\System.dll		executable
		MD5:C17103AE9072A06DA581DEC998343FC1	SHA256:DC58D8AD81CACB0C1ED72E33BFF8F23EA40B5252B5BB55D393A0903E6819AE2F
7764	AgentSetup_Managed.exe	C:\Program Files (x86)\CentraStage\FsLexYacc.Runtime.dll		executable
		MD5:06B971620BDA7960F7D8E43CE69E3BBE	SHA256:B635BA89E9CC8455F252B7E24E5D2838F50AAF75121CA7D070BB7D6CF41A6235
7764	AgentSetup_Managed.exe	C:\Program Files (x86)\CentraStage\FSharp.Core.dll		executable
		MD5:99A817A04B25690B98EDF3370ED2EB83	SHA256:9292EB06BF4CD100C94ABD2949A96351A0F3710008674993C7491DA578E1EDE1
7764	AgentSetup_Managed.exe	C:\Program Files (x86)\CentraStage\AxInterop.ViewerX.dll		executable
		MD5:EDC5E696C4AD70F0BE6301F703AB3672	SHA256:C6E5F17B2BC91202A1C6A9F3F0547CD7F208368B4CFEBB53F234A55F87C5ACD5
7764	AgentSetup_Managed.exe	C:\Program Files (x86)\CentraStage\AxInterop.MSTSCLib.dll		executable
		MD5:0F581E56ED5BA500CE5D98D105B04A37	SHA256:F041747B5B6B20B6620CA13A7B276C9E9070E54CDA8C29F6ADD54CBA9A42A2F5
7764	AgentSetup_Managed.exe	C:\Program Files (x86)\CentraStage\Core.dll		executable
		MD5:B0F179E4047B97F8DE9744743E878486	SHA256:87AF304C8FB7C84B15F160331E1A4C803EEB6F4632499875A7D8F438353DCC63
7764	AgentSetup_Managed.exe	C:\Program Files (x86)\CentraStage\Gui.exe.config		xml
		MD5:29D78BFD9A4C0D4F850250C25CA8112D	SHA256:71B4F6772FE48A80281E0D112DCB0A2FCAF99DA736A07FCA4CAA3E8107BF4AB0
7764	AgentSetup_Managed.exe	C:\Program Files (x86)\CentraStage\CagService.exe.config		xml
		MD5:FBDF7891BC2905D316477A68397F0DD5	SHA256:5CBBB2DCE006F16403657C306A10AB4766AF5512F59B5D0F4D1A3D03B3B9EB34

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
4300	svchost.exe	GET	200	184.30.131.245:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D	US	binary	471 b	whitelisted
6768	MoUsoCoreWorker.exe	GET	304	51.104.136.2:443	https://settings-win.data.microsoft.com/settings/v3.0/OneSettings/Client?OSVersionFull=10.0.19045.4046.amd64fre.vb_release.191206-1406&LocalDeviceID=s%3ABAD99146-31D3-4EC6-A1A4-BE76F32BA5D4&FlightRing=Retail&AttrDataVer=186&OSUILocale=en-US&OSSkuId=48&App=WOSC&AppVer=&IsFlightingEnabled=0&TelemetryLevel=1&DeviceFamily=Windows.Desktop	US	—	—	whitelisted
4300	svchost.exe	POST	200	40.126.32.74:443	https://login.live.com/RST2.srf	US	xml	10.3 Kb	whitelisted
4300	svchost.exe	POST	200	40.126.32.74:443	https://login.live.com/RST2.srf	US	xml	11.1 Kb	whitelisted
1156	svchost.exe	GET	200	40.127.240.158:443	https://settings-win.data.microsoft.com/settings/v3.0/WSD/WaaSAssessment?os=Windows&osVer=10.0.19041.1.amd64fre.vb_release.191206-&ring=Retail&sku=48&deviceClass=Windows.Desktop&locale=en-US&deviceId=BAD99146-31D3-4EC6-A1A4-BE76F32BA5D4&FlightRing=Retail&TelemetryLevel=1&HidOverGattReg=C%3A%5CWINDOWS%5CSystem32%5CDriverStore%5CFileRepository%5Chidbthle.inf_amd64_9610b4821fdf82a5%5CMicrosoft.Bluetooth.Profiles.HidOverGatt.dll&AppVer=10.0&ProcessorIdentifier=AMD64%20Family%2023%20Model%201%20Stepping%202&OEMModel=DELL&UpdateOfferedDays=562&ProcessorManufacturer=AuthenticAMD&InstallDate=1661339444&OEMModelBaseBoard=&BranchReadinessLevel=CB&OEMSubModel=J5CR&IsCloudDomainJoined=0&DeferFeatureUpdatePeriodInDays=30&IsDeviceRetailDemo=0&FlightingBranchName=&OSUILocale=en-US&DeviceFamily=Windows.Desktop&WuClientVer=10.0.19041.3996&UninstallActive=1&IsFlightingEnabled=0&OSSkuId=48&ProcessorClockSpeed=3094&TotalPhysicalRAM=6144&SecureBootCapable=0&App=WaaSAssessment&ProcessorCores=6&CurrentBranch=vb_release&InstallLanguage=en-US&DeferQualityUpdatePeriodInDays=0&ServicingBranch=CB&OEMName_Uncleaned=DELL&TPMVersion=0&PrimaryDiskTotalCapacity=262144&InstallationType=Client&AttrDataVer=186&ProcessorModel=AMD%20Ryzen%205%203500%206-Core%20Processor&IsEdgeWithChromiumInstalled=1&OSVersion=10.0.19045.4046&IsMDMEnrolled=0&ActivationChannel=Retail&HonorWUfBDeferrals=1&FirmwareVersion=A.40&TrendInstalledKey=1&OSArchitecture=AMD64&DefaultUserRegion=244&UpdateManagementGroup=2	US	text	5.58 Kb	whitelisted
1156	svchost.exe	GET	200	23.216.77.18:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	NL	binary	825 b	whitelisted
8048	CagService.exe	GET	200	13.32.99.109:443	https://update-vidal.centrastage.net/putty/version	US	text	5 b	unknown
1156	svchost.exe	GET	200	88.221.169.152:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	US	binary	814 b	whitelisted
8048	CagService.exe	POST	—	75.2.34.181:443	https://vidal-agent.centrastage.net/cs/services/CentraStage	US	—	—	unknown
6768	MoUsoCoreWorker.exe	GET	304	51.104.136.2:443	https://settings-win.data.microsoft.com/settings/v3.0/wsd/muse?ProcessorClockSpeed=3094&FlightIds=&UpdateOfferedDays=4294967295&BranchReadinessLevel=CB&OEMManufacturerName=DELL&IsCloudDomainJoined=0&ProcessorIdentifier=AMD64%20Family%2023%20Model%201%20Stepping%202&sku=48&ActivationChannel=Retail&AttrDataVer=186&IsMDMEnrolled=0&ProcessorCores=6&ProcessorModel=AMD%20Ryzen%205%203500%206-Core%20Processor&TotalPhysicalRAM=6144&PrimaryDiskType=4294967295&FlightingBranchName=&ChassisTypeId=1&OEMModelNumber=DELL&SystemVolumeTotalCapacity=260281&sampleId=95271487&deviceClass=Windows.Desktop&App=muse&DisableDualScan=0&AppVer=10.0&OEMSubModel=J5CR&locale=en-US&IsAlwaysOnAlwaysConnectedCapable=0&ms=0&DefaultUserRegion=244&UpdateServiceUrl=http%3A%2F%2Fneverupdatewindows10.com&osVer=10.0.19045.4046.amd64fre.vb_release.191206-1406&os=windows&deviceId=s%3ABAD99146-31D3-4EC6-A1A4-BE76F32BA5D4&DeferQualityUpdatePeriodInDays=0&ring=Retail&DeferFeatureUpdatePeriodInDays=30	US	—	—	whitelisted

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
6768	MoUsoCoreWorker.exe	40.127.240.158:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
4	System	192.168.100.255:137	—	Not routed	—	whitelisted
1156	svchost.exe	40.127.240.158:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
4744	RUXIMICS.exe	40.127.240.158:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
4	System	192.168.100.255:138	—	Not routed	—	whitelisted
3412	svchost.exe	172.211.123.250:443	client.wns.windows.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
4300	svchost.exe	40.126.32.74:443	login.live.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
4300	svchost.exe	184.30.131.245:80	ocsp.digicert.com	AKAMAI-AS	US	whitelisted
1156	svchost.exe	23.216.77.18:80	crl.microsoft.com	AKAMAI-ASN1	NL	whitelisted
1156	svchost.exe	88.221.169.152:80	www.microsoft.com	AKAMAI-AS	US	whitelisted

DNS requests

Domain	IP	Reputation
settings-win.data.microsoft.com	40.127.240.158 51.104.136.2	whitelisted
google.com	142.251.141.110	whitelisted
client.wns.windows.com	172.211.123.250 172.211.123.248	whitelisted
login.live.com	40.126.32.74 20.190.160.20 20.190.160.4 20.190.160.65 40.126.32.133 20.190.160.132 20.190.160.3 40.126.32.68	whitelisted
ocsp.digicert.com	184.30.131.245	whitelisted
crl.microsoft.com	23.216.77.18 23.216.77.10 23.216.77.22 23.216.77.16 23.216.77.23 23.216.77.29 23.216.77.8 23.216.77.21 23.216.77.12	whitelisted
www.microsoft.com	88.221.169.152 23.52.181.212	whitelisted
vidalcc.centrastage.net	52.0.158.138	whitelisted
update-vidal.centrastage.net	13.32.99.109 13.32.99.78 13.32.99.103 13.32.99.10	whitelisted
vidal-agent.centrastage.net	75.2.34.181 99.83.220.89	whitelisted

Threats

PID	Process	Class	Message
—	—	Unknown Traffic	ET USER_AGENTS Microsoft Dr Watson User-Agent (MSDW)
2292	svchost.exe	Misc activity	ET REMOTE_ACCESS DNS Query to Remote Monitoring and Management Domain (centrastage .net)
2292	svchost.exe	Misc activity	ET REMOTE_ACCESS DNS Query to Remote Monitoring and Management Domain (centrastage .net)
8048	CagService.exe	Misc activity	ET REMOTE_ACCESS Observed Remote Monitoring and Management Domain (centrastage .net in TLS SNI)
8048	CagService.exe	Misc activity	ET REMOTE_ACCESS Observed Remote Monitoring and Management Domain (centrastage .net in TLS SNI)
2292	svchost.exe	Misc activity	ET REMOTE_ACCESS DNS Query to Remote Monitoring and Management Domain (centrastage .net)
8048	CagService.exe	Misc activity	ET REMOTE_ACCESS Observed Remote Monitoring and Management Domain (centrastage .net in TLS SNI)
2292	svchost.exe	Misc activity	ET REMOTE_ACCESS DNS Query to Remote Monitoring and Management Domain (centrastage .net)
8048	CagService.exe	Misc activity	ET REMOTE_ACCESS Observed Remote Monitoring and Management Domain (centrastage .net in TLS SNI)
8048	CagService.exe	Misc activity	ET REMOTE_ACCESS Observed Remote Monitoring and Management Domain (centrastage .net in TLS SNI)

Add for printing

No debug info

General Info

AgentSetup_Managed.exe

A5D3B5C4F3E6BCF4D88045900726B9DD

74E8FCFA16902EA5AB29181BB07558DC2B3F8A9D

CCFA122CDED8CB993164B2BF8940CF5CAE3B9769246D13CC0F53660DE8A65BC8

98304:4Av6WTv7klWurdCyJkrMtrUTvDnsZi7Ix8o942YqpSvP0ctvpi0JHNoB9BNroaYy:JAM9z0Q/2YMgB/S

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Changes the autorun value in the registry

Registers / Runs the DLL via REGSVR32.EXE

DATTO has been detected

Changes settings of System certificates

SUSPICIOUS

Malware-specific behavior (creating "System.dll" in Temp)

The process creates files with name similar to system file names

There is functionality for taking screenshot (YARA)

Process drops legitimate windows executable

Executes as Windows Service

Executable content was dropped or overwritten

Reads security settings of Internet Explorer

Creates or modifies Windows services

Searches for installed software

Creates/Modifies COM task schedule object

Adds/modifies Windows certificates

Uses NETSH.EXE to delete a firewall rule or allowed programs

Uses NETSH.EXE to add a firewall rule or allowed programs

Suspicious use of NETSH.EXE

INFO

Checks supported languages

Creates files in the program directory

Create files in a temporary directory

Launching a file from a Registry key

The sample compiled with english language support

Reads the computer name

Creates a software uninstall entry

Reads the machine GUID from the registry

DATTO has been detected

Creates files or folders in the user directory

Checks proxy server information

Reads Environment values

Disables trace logs

Process checks computer location settings

Reads security settings of Internet Explorer

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity