File name:

AgentSetup_British+Business+Bank.exe

Full analysis: https://app.any.run/tasks/85bad972-7707-4c37-9815-73501fea8616
Verdict: Malicious activity
Analysis date: June 06, 2024, 14:08:35
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows, Nullsoft Installer self-extracting archive
MD5:

BC6461C94630D414E60340AD9ED8FF00

SHA1:

1E64C269DC7147C313A4E01C3B46DA82F0DB3C9B

SHA256:

F8D2BB2A7E4CAD97EDACE0AED665C4F948E721173BD92A0022FD81995DE1F693

SSDEEP:

98304:LAE6WTv7klWurdCLhMqhlNnxQPMtIwNpwlU/trYbvvGRC68a3pjyUkeqACWll+PC:fOBZLMjaj9Q/uYMg3sA

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Drops the executable file immediately after the start

      • AgentSetup_British+Business+Bank.exe (PID: 1120)
      • RMM.WebRemote.exe (PID: 2848)
      • AgentSetup_British+Business+Bank.exe (PID: 3800)
      • CagService.exe (PID: 2036)
      • AEMAgent.exe (PID: 1936)

    • Changes the autorun value in the registry

      • AgentSetup_British+Business+Bank.exe (PID: 1120)
      • AgentSetup_British+Business+Bank.exe (PID: 3800)

    • Creates a writable file in the system directory

      • CagService.exe (PID: 2036)

    • Registers / Runs the DLL via REGSVR32.EXE

      • CagService.exe (PID: 2036)

  • SUSPICIOUS

    • Malware-specific behavior (creating "System.dll" in Temp)

      • AgentSetup_British+Business+Bank.exe (PID: 1120)
      • AgentSetup_British+Business+Bank.exe (PID: 3800)

    • The process creates files with name similar to system file names

      • AgentSetup_British+Business+Bank.exe (PID: 1120)
      • CagService.exe (PID: 2036)
      • AgentSetup_British+Business+Bank.exe (PID: 3800)

    • Executable content was dropped or overwritten

      • AgentSetup_British+Business+Bank.exe (PID: 1120)
      • CagService.exe (PID: 2036)
      • AEMAgent.exe (PID: 1936)
      • RMM.WebRemote.exe (PID: 2848)
      • AgentSetup_British+Business+Bank.exe (PID: 3800)

    • Process drops legitimate windows executable

      • AgentSetup_British+Business+Bank.exe (PID: 1120)
      • CagService.exe (PID: 2036)
      • AEMAgent.exe (PID: 1936)

    • Creates a software uninstall entry

      • AgentSetup_British+Business+Bank.exe (PID: 1120)
      • CagService.exe (PID: 2036)
      • AgentSetup_British+Business+Bank.exe (PID: 3800)

    • Executes as Windows Service

      • CagService.exe (PID: 2036)

    • Reads security settings of Internet Explorer

      • Gui.exe (PID: 1292)
      • CagService.exe (PID: 2036)

    • Reads the Internet Settings

      • Gui.exe (PID: 1292)

    • Checks Windows Trust Settings

      • Gui.exe (PID: 1292)

    • Reads settings of System Certificates

      • Gui.exe (PID: 1292)

    • Searches for installed software

      • CagService.exe (PID: 2036)

    • Creates or modifies Windows services

      • CagService.exe (PID: 2036)

    • The process drops C-runtime libraries

      • CagService.exe (PID: 2036)

    • Creates/Modifies COM task schedule object

      • regsvr32.exe (PID: 1660)

    • Uses NETSH.EXE to delete a firewall rule or allowed programs

      • AEMAgent.exe (PID: 1936)
      • RMM.WebRemote.exe (PID: 2848)

    • Adds/modifies Windows certificates

      • AEMAgent.exe (PID: 1936)

    • Uses WMIC.EXE

      • cmd.exe (PID: 3600)
      • cmd.exe (PID: 3880)
      • cmd.exe (PID: 3592)
      • cmd.exe (PID: 4044)
      • cmd.exe (PID: 3544)
      • cmd.exe (PID: 3836)
      • cmd.exe (PID: 3976)
      • cmd.exe (PID: 4048)
      • cmd.exe (PID: 1964)
      • cmd.exe (PID: 1848)
      • cmd.exe (PID: 2484)
      • cmd.exe (PID: 1996)
      • cmd.exe (PID: 3712)
      • cmd.exe (PID: 2392)
      • cmd.exe (PID: 2812)
      • cmd.exe (PID: 2776)
      • cmd.exe (PID: 3572)
      • cmd.exe (PID: 1948)
      • cmd.exe (PID: 3156)
      • cmd.exe (PID: 1604)
      • cmd.exe (PID: 2008)
      • cmd.exe (PID: 1064)
      • cmd.exe (PID: 4064)
      • cmd.exe (PID: 2348)
      • cmd.exe (PID: 2416)
      • cmd.exe (PID: 1644)
      • cmd.exe (PID: 2456)
      • cmd.exe (PID: 3028)
      • cmd.exe (PID: 3040)
      • cmd.exe (PID: 3108)
      • cmd.exe (PID: 952)
      • cmd.exe (PID: 2436)

    • Starts CMD.EXE for commands execution

      • AEMAgent.exe (PID: 1936)

    • Uses NETSH.EXE to add a firewall rule or allowed programs

      • AEMAgent.exe (PID: 1936)
      • RMM.WebRemote.exe (PID: 2848)

    • Found strings related to reading or modifying Windows Defender settings

      • AEMAgent.exe (PID: 1936)

  • INFO

    • Checks supported languages

      • AgentSetup_British+Business+Bank.exe (PID: 1120)
      • CagService.exe (PID: 2036)
      • Gui.exe (PID: 1292)
      • wmpnscfg.exe (PID: 1796)
      • AEMAgent.exe (PID: 2124)
      • AEMAgent.exe (PID: 1936)
      • Gui.exe (PID: 2268)
      • RMM.WebRemote.exe (PID: 2848)
      • Gui.exe (PID: 1980)
      • AgentSetup_British+Business+Bank.exe (PID: 3800)
      • Gui.exe (PID: 2356)
      • AEMAgent.exe (PID: 1612)

    • Reads the computer name

      • AgentSetup_British+Business+Bank.exe (PID: 1120)
      • CagService.exe (PID: 2036)
      • Gui.exe (PID: 1292)
      • wmpnscfg.exe (PID: 1796)
      • AEMAgent.exe (PID: 1936)
      • RMM.WebRemote.exe (PID: 2848)
      • Gui.exe (PID: 2268)
      • Gui.exe (PID: 1980)
      • AgentSetup_British+Business+Bank.exe (PID: 3800)
      • Gui.exe (PID: 2356)

    • Reads Environment values

      • AgentSetup_British+Business+Bank.exe (PID: 1120)
      • CagService.exe (PID: 2036)
      • AEMAgent.exe (PID: 1936)
      • AgentSetup_British+Business+Bank.exe (PID: 3800)

    • Creates files in the program directory

      • AgentSetup_British+Business+Bank.exe (PID: 1120)
      • Gui.exe (PID: 1292)
      • CagService.exe (PID: 2036)
      • AEMAgent.exe (PID: 2124)
      • RMM.WebRemote.exe (PID: 2848)
      • AEMAgent.exe (PID: 1936)

    • Create files in a temporary directory

      • AgentSetup_British+Business+Bank.exe (PID: 1120)
      • AgentSetup_British+Business+Bank.exe (PID: 3800)

    • Creates files or folders in the user directory

      • Gui.exe (PID: 1292)

    • Reads the software policy settings

      • Gui.exe (PID: 1292)
      • CagService.exe (PID: 2036)
      • AEMAgent.exe (PID: 1936)

    • Reads the machine GUID from the registry

      • CagService.exe (PID: 2036)
      • Gui.exe (PID: 1292)
      • AEMAgent.exe (PID: 1936)
      • RMM.WebRemote.exe (PID: 2848)
      • Gui.exe (PID: 2268)
      • Gui.exe (PID: 1980)
      • Gui.exe (PID: 2356)

    • Checks proxy server information

      • CagService.exe (PID: 2036)

    • Disables trace logs

      • CagService.exe (PID: 2036)

    • Manual execution by a user

      • wmpnscfg.exe (PID: 1796)
      • Gui.exe (PID: 2268)
      • Gui.exe (PID: 1980)
      • AgentSetup_British+Business+Bank.exe (PID: 1280)
      • AgentSetup_British+Business+Bank.exe (PID: 3800)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | InstallShield setup (36.8)
.exe | Win32 Executable MS Visual C++ (generic) (26.6)
.exe | Win64 Executable (generic) (23.6)
.dll | Win32 Dynamic Link Library (generic) (5.6)
.exe | Win32 Executable (generic) (3.8)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2016:04:27 01:27:51+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit, No debug
PEType: PE32
LinkerVersion: 2.26
CodeSize: 35328
InitializedDataSize: 38912
UninitializedDataSize: 154112
EntryPoint: 0x4167
OSVersion: 4
ImageVersion: 6
SubsystemVersion: 4
Subsystem: Windows GUI
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
153
Monitored processes
93
Malicious processes
6
Suspicious processes
0

Behavior graph

Click at the process to see the details
start agentsetup_british+business+bank.exe cagservice.exe gui.exe no specs regsvr32.exe no specs wmpnscfg.exe no specs aemagent.exe aemagent.exe netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs rmm.webremote.exe netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs cmd.exe no specs wmic.exe no specs cmd.exe no specs wmic.exe no specs cmd.exe no specs wmic.exe no specs cmd.exe no specs wmic.exe no specs cmd.exe no specs wmic.exe no specs cmd.exe no specs wmic.exe no specs cmd.exe no specs wmic.exe no specs cmd.exe no specs wmic.exe no specs gui.exe no specs gui.exe no specs cmd.exe no specs wmic.exe no specs cmd.exe no specs wmic.exe no specs cmd.exe no specs wmic.exe no specs cmd.exe no specs wmic.exe no specs cmd.exe no specs wmic.exe no specs cmd.exe no specs wmic.exe no specs cmd.exe no specs wmic.exe no specs cmd.exe no specs wmic.exe no specs agentsetup_british+business+bank.exe no specs agentsetup_british+business+bank.exe cmd.exe no specs wmic.exe no specs cmd.exe no specs wmic.exe no specs cmd.exe no specs wmic.exe no specs cmd.exe no specs wmic.exe no specs cmd.exe no specs wmic.exe no specs cmd.exe no specs wmic.exe no specs wmic.exe no specs cmd.exe no specs cmd.exe no specs wmic.exe no specs gui.exe no specs aemagent.exe cmd.exe no specs wmic.exe no specs cmd.exe no specs wmic.exe no specs cmd.exe no specs wmic.exe no specs cmd.exe no specs wmic.exe no specs cmd.exe no specs wmic.exe no specs cmd.exe no specs wmic.exe no specs cmd.exe no specs wmic.exe no specs cmd.exe no specs wmic.exe no specs agentsetup_british+business+bank.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
920wmic /namespace:\\root\Microsoft\Windows\Defender path MSFT_MpComputerStatus get /format:listC:\Windows\System32\wbem\WMIC.execmd.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
WMI Commandline Utility
Exit code:
2147749902
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\wbem\wmic.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ole32.dll
c:\windows\system32\gdi32.dll
924wmic /namespace:\\root\Microsoft\Windows\Defender path MSFT_MpComputerStatus get /format:listC:\Windows\System32\wbem\WMIC.execmd.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
WMI Commandline Utility
Exit code:
2147749902
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\wbem\wmic.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ole32.dll
c:\windows\system32\gdi32.dll
952"C:\Windows\system32\cmd.exe" /c wmic /namespace:\\root\Microsoft\Windows\Defender path MSFT_MpComputerStatus get /format:listC:\Windows\System32\cmd.exeAEMAgent.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows Command Processor
Exit code:
2147749902
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
1028wmic /namespace:\\root\Microsoft\Windows\Defender path MSFT_MpComputerStatus get /format:listC:\Windows\System32\wbem\WMIC.execmd.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
WMI Commandline Utility
Exit code:
2147749902
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\wbem\wmic.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ole32.dll
c:\windows\system32\gdi32.dll
1064"C:\Windows\system32\cmd.exe" /c wmic /namespace:\\root\Microsoft\Windows\Defender path MSFT_MpComputerStatus get /format:listC:\Windows\System32\cmd.exeAEMAgent.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows Command Processor
Exit code:
2147749902
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
1120"C:\Users\admin\Desktop\AgentSetup_British+Business+Bank.exe" C:\Users\admin\Desktop\AgentSetup_British+Business+Bank.exe
explorer.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
Modules
Images
c:\users\admin\desktop\agentsetup_british+business+bank.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.18837_none_ec86b8d6858ec0bc\comctl32.dll
c:\windows\system32\gdi32.dll
1200wmic /namespace:\\root\Microsoft\Windows\Defender path MSFT_MpComputerStatus get /format:listC:\Windows\System32\wbem\WMIC.execmd.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
WMI Commandline Utility
Exit code:
2147749902
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\wbem\wmic.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ole32.dll
c:\windows\system32\gdi32.dll
1280"C:\Users\admin\Desktop\AgentSetup_British+Business+Bank.exe" C:\Users\admin\Desktop\AgentSetup_British+Business+Bank.exeexplorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
3221226540
Modules
Images
c:\users\admin\desktop\agentsetup_british+business+bank.exe
c:\windows\system32\ntdll.dll
1292"C:\Program Files\CentraStage\Gui.exe"C:\Program Files\CentraStage\Gui.exeAgentSetup_British+Business+Bank.exe
User:
admin
Company:
CentraStage
Integrity Level:
HIGH
Description:
Agent Browser
Version:
4.4.2220.2220
Modules
Images
c:\program files\centrastage\gui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
1296wmic /namespace:\\root\Microsoft\Windows\Defender path MSFT_MpComputerStatus get /format:listC:\Windows\System32\wbem\WMIC.execmd.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
WMI Commandline Utility
Exit code:
2147749902
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\wbem\wmic.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ole32.dll
c:\windows\system32\gdi32.dll
Total events
36 975
Read events
36 190
Write events
773
Delete events
12

Modification events

(PID) Process:(1120) AgentSetup_British+Business+Bank.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation:writeName:CentraStage
Value:
C:\Program Files\CentraStage\Gui.exe
(PID) Process:(1120) AgentSetup_British+Business+Bank.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\CentraStage
Operation:writeName:DisplayName
Value:
CentraStage
(PID) Process:(1120) AgentSetup_British+Business+Bank.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\CentraStage
Operation:writeName:UninstallString
Value:
"C:\Program Files\CentraStage\uninst.exe"
(PID) Process:(1120) AgentSetup_British+Business+Bank.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\CentraStage
Operation:writeName:DisplayIcon
Value:
C:\Program Files\CentraStage\CSIcon.ico
(PID) Process:(1120) AgentSetup_British+Business+Bank.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\CentraStage
Operation:writeName:URLInfoAbout
Value:
http://www.centrastage.com
(PID) Process:(1120) AgentSetup_British+Business+Bank.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\CentraStage
Operation:writeName:Publisher
Value:
CentraStage Limited
(PID) Process:(1120) AgentSetup_British+Business+Bank.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\CentraStage
Operation:writeName:AgentFolderLocation
Value:
C:\ProgramData\CentraStage
(PID) Process:(1120) AgentSetup_British+Business+Bank.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\CentraStage
Operation:writeName:AgentFolderStatus
Value:
0
(PID) Process:(1120) AgentSetup_British+Business+Bank.exeKey:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager
Operation:writeName:PendingFileRenameOperations
Value:
\??\C:\Users\admin\AppData\Local\Temp\nse4123.tmp\nsProcess.dll
(PID) Process:(2036) CagService.exeKey:HKEY_USERS\.DEFAULT\Software\Classes\Local Settings\MuiCache\182\52C64B7E
Operation:writeName:LanguageList
Value:
en-US
Executable files
470
Suspicious files
44
Text files
98
Unknown types
0

Dropped files

PID
Process
Filename
Type
1120AgentSetup_British+Business+Bank.exeC:\Users\admin\AppData\Local\Temp\nse4123.tmp\System.dllexecutable
MD5:C17103AE9072A06DA581DEC998343FC1
SHA256:DC58D8AD81CACB0C1ED72E33BFF8F23EA40B5252B5BB55D393A0903E6819AE2F
1120AgentSetup_British+Business+Bank.exeC:\Program Files\CentraStage\Common.dllexecutable
MD5:5EB01EC12C1D6F8A93C77750C6ACFB75
SHA256:627E4496060E075E3777CA77B22B93FF5011EE0607357AAC6DF1C4CB4C526F6B
1120AgentSetup_British+Business+Bank.exeC:\Program Files\CentraStage\AxInterop.MSTSCLib.dllexecutable
MD5:0F581E56ED5BA500CE5D98D105B04A37
SHA256:F041747B5B6B20B6620CA13A7B276C9E9070E54CDA8C29F6ADD54CBA9A42A2F5
1120AgentSetup_British+Business+Bank.exeC:\Program Files\CentraStage\CSIcon.icoimage
MD5:2F6FD9AA57AA40728A65FA006C7E0F17
SHA256:B59A0E0570D2A22CD51FB51FC106913F9048F2889FC3BD94A5A51BE1A5D102F9
1120AgentSetup_British+Business+Bank.exeC:\Program Files\CentraStage\CagService.exeexecutable
MD5:27B9189AEE0583ABD0A8C9F1FFC03EAA
SHA256:6C956354FD02500A6FE357DEA12DB2D12E39D136D15ED7F4E42027466E7D3426
1120AgentSetup_British+Business+Bank.exeC:\Program Files\CentraStage\Microsoft.Threading.Tasks.Extensions.dllexecutable
MD5:6AA2393FF1FDE1A61D0CF51730428F74
SHA256:92F1D0D6CCFB0D030789F3C5C636FCDD08F6D0541A5A54F185E8ECD85592E3F9
1120AgentSetup_British+Business+Bank.exeC:\Program Files\CentraStage\FSharp.Core.dllexecutable
MD5:99A817A04B25690B98EDF3370ED2EB83
SHA256:9292EB06BF4CD100C94ABD2949A96351A0F3710008674993C7491DA578E1EDE1
1120AgentSetup_British+Business+Bank.exeC:\Program Files\CentraStage\CagService.exe.configxml
MD5:F82322EB44239B48F74AB075CEEAAD5D
SHA256:28B92CC7AD1262A9557E01BE7166D7B61ACA92E13D6152EE38E37651FAADEA27
1120AgentSetup_British+Business+Bank.exeC:\Program Files\CentraStage\FsLexYacc.Runtime.dllexecutable
MD5:06B971620BDA7960F7D8E43CE69E3BBE
SHA256:B635BA89E9CC8455F252B7E24E5D2838F50AAF75121CA7D070BB7D6CF41A6235
1120AgentSetup_British+Business+Bank.exeC:\Program Files\CentraStage\Newtonsoft.Json.dllexecutable
MD5:8F6875148B45C300B95514CB40703C2E
SHA256:EA7FD75E2BB069699D4DA09F3601D70CA8E401F58949178CDBF2C5928720DAA1
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
38
DNS requests
15
Threats
0

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
224.0.0.252:5355
unknown
4
System
192.168.100.255:137
whitelisted
4
System
192.168.100.255:138
unknown
2036
CagService.exe
54.154.110.190:443
01cc.centrastage.net
AMAZON-02
IE
unknown
2036
CagService.exe
99.86.4.34:443
update.centrastage.net
AMAZON-02
US
unknown
2036
CagService.exe
34.243.43.239:443
features.pinotage.rmm.datto.com
AMAZON-02
IE
unknown
2036
CagService.exe
35.71.166.34:443
pinotage-agent.centrastage.net
AMAZON-02
US
unknown
2036
CagService.exe
68.232.34.200:443
download.visualstudio.microsoft.com
EDGECAST
US
whitelisted
1936
AEMAgent.exe
99.86.4.34:443
update.centrastage.net
AMAZON-02
US
unknown
1936
AEMAgent.exe
34.243.43.239:443
features.pinotage.rmm.datto.com
AMAZON-02
IE
unknown

DNS requests

Domain
IP
Reputation
01cc.centrastage.net
  • 54.154.110.190
  • 52.16.199.216
unknown
update.centrastage.net
  • 99.86.4.34
  • 99.86.4.86
  • 99.86.4.40
  • 99.86.4.110
  • 54.154.76.59
whitelisted
features.pinotage.rmm.datto.com
  • 34.243.43.239
  • 54.170.63.255
unknown
pinotage-agent.centrastage.net
  • 35.71.166.34
  • 52.223.27.83
unknown
download.visualstudio.microsoft.com
  • 68.232.34.200
whitelisted
agent-gateway.pinotage.rmm.datto.com
  • 15.197.229.100
  • 3.33.220.55
unknown
pinotage-agent-notifications.centrastage.net
  • 75.2.101.69
  • 99.83.237.20
unknown
pinotage-agent-comms.centrastage.net
  • 99.83.237.20
  • 75.2.101.69
unknown
pinotage-monitoring.centrastage.net
  • 75.2.101.69
  • 99.83.237.20
unknown

Threats

No threats detected
Process
Message
AEMAgent.exe
Profiler was prevented from loading notification profiler due to app settings. Process ID (decimal): 2124. Message ID: [0x2509].
AEMAgent.exe
Profiler was prevented from loading notification profiler due to app settings. Process ID (decimal): 1936. Message ID: [0x2509].
RMM.WebRemote.exe
Profiler was prevented from loading notification profiler due to app settings. Process ID (decimal): 2848. Message ID: [0x2509].
AEMAgent.exe
Profiler was prevented from loading notification profiler due to app settings. Process ID (decimal): 1612. Message ID: [0x2509].
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
AgentSetup_British+Business+Bank.exe