File name:

AgentSetup_British+Business+Bank.exe

Full analysis: https://app.any.run/tasks/85bad972-7707-4c37-9815-73501fea8616
Verdict: Malicious activity
Analysis date: June 06, 2024, 14:08:35
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows, Nullsoft Installer self-extracting archive
MD5:

BC6461C94630D414E60340AD9ED8FF00

SHA1:

1E64C269DC7147C313A4E01C3B46DA82F0DB3C9B

SHA256:

F8D2BB2A7E4CAD97EDACE0AED665C4F948E721173BD92A0022FD81995DE1F693

SSDEEP:

98304:LAE6WTv7klWurdCLhMqhlNnxQPMtIwNpwlU/trYbvvGRC68a3pjyUkeqACWll+PC:fOBZLMjaj9Q/uYMg3sA

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • AgentSetup_British+Business+Bank.exe (PID: 1120)
      • RMM.WebRemote.exe (PID: 2848)
      • AEMAgent.exe (PID: 1936)
      • AgentSetup_British+Business+Bank.exe (PID: 3800)
      • CagService.exe (PID: 2036)
    • Changes the autorun value in the registry

      • AgentSetup_British+Business+Bank.exe (PID: 1120)
      • AgentSetup_British+Business+Bank.exe (PID: 3800)
    • Creates a writable file in the system directory

      • CagService.exe (PID: 2036)
    • Registers / Runs the DLL via REGSVR32.EXE

      • CagService.exe (PID: 2036)
  • SUSPICIOUS

    • Malware-specific behavior (creating "System.dll" in Temp)

      • AgentSetup_British+Business+Bank.exe (PID: 1120)
      • AgentSetup_British+Business+Bank.exe (PID: 3800)
    • The process creates files with name similar to system file names

      • AgentSetup_British+Business+Bank.exe (PID: 1120)
      • CagService.exe (PID: 2036)
      • AgentSetup_British+Business+Bank.exe (PID: 3800)
    • Executable content was dropped or overwritten

      • AgentSetup_British+Business+Bank.exe (PID: 1120)
      • CagService.exe (PID: 2036)
      • AEMAgent.exe (PID: 1936)
      • RMM.WebRemote.exe (PID: 2848)
      • AgentSetup_British+Business+Bank.exe (PID: 3800)
    • Process drops legitimate windows executable

      • AgentSetup_British+Business+Bank.exe (PID: 1120)
      • CagService.exe (PID: 2036)
      • AEMAgent.exe (PID: 1936)
    • Creates a software uninstall entry

      • AgentSetup_British+Business+Bank.exe (PID: 1120)
      • CagService.exe (PID: 2036)
      • AgentSetup_British+Business+Bank.exe (PID: 3800)
    • Executes as Windows Service

      • CagService.exe (PID: 2036)
    • Reads the Internet Settings

      • Gui.exe (PID: 1292)
    • Reads security settings of Internet Explorer

      • Gui.exe (PID: 1292)
      • CagService.exe (PID: 2036)
    • Checks Windows Trust Settings

      • Gui.exe (PID: 1292)
    • Reads settings of System Certificates

      • Gui.exe (PID: 1292)
    • Creates or modifies Windows services

      • CagService.exe (PID: 2036)
    • Searches for installed software

      • CagService.exe (PID: 2036)
    • Creates/Modifies COM task schedule object

      • regsvr32.exe (PID: 1660)
    • The process drops C-runtime libraries

      • CagService.exe (PID: 2036)
    • Uses NETSH.EXE to delete a firewall rule or allowed programs

      • AEMAgent.exe (PID: 1936)
      • RMM.WebRemote.exe (PID: 2848)
    • Adds/modifies Windows certificates

      • AEMAgent.exe (PID: 1936)
    • Uses NETSH.EXE to add a firewall rule or allowed programs

      • AEMAgent.exe (PID: 1936)
      • RMM.WebRemote.exe (PID: 2848)
    • Uses WMIC.EXE

      • cmd.exe (PID: 3836)
      • cmd.exe (PID: 3592)
      • cmd.exe (PID: 3600)
      • cmd.exe (PID: 3880)
      • cmd.exe (PID: 3544)
      • cmd.exe (PID: 4044)
      • cmd.exe (PID: 4048)
      • cmd.exe (PID: 3976)
      • cmd.exe (PID: 1848)
      • cmd.exe (PID: 1964)
      • cmd.exe (PID: 3712)
      • cmd.exe (PID: 2484)
      • cmd.exe (PID: 1996)
      • cmd.exe (PID: 2392)
      • cmd.exe (PID: 2776)
      • cmd.exe (PID: 2812)
      • cmd.exe (PID: 1064)
      • cmd.exe (PID: 4064)
      • cmd.exe (PID: 2436)
      • cmd.exe (PID: 3156)
      • cmd.exe (PID: 2008)
      • cmd.exe (PID: 1604)
      • cmd.exe (PID: 3572)
      • cmd.exe (PID: 1948)
      • cmd.exe (PID: 2348)
      • cmd.exe (PID: 1644)
      • cmd.exe (PID: 3028)
      • cmd.exe (PID: 3040)
      • cmd.exe (PID: 2416)
      • cmd.exe (PID: 2456)
      • cmd.exe (PID: 3108)
      • cmd.exe (PID: 952)
    • Found strings related to reading or modifying Windows Defender settings

      • AEMAgent.exe (PID: 1936)
    • Starts CMD.EXE for commands execution

      • AEMAgent.exe (PID: 1936)
  • INFO

    • Checks supported languages

      • AgentSetup_British+Business+Bank.exe (PID: 1120)
      • wmpnscfg.exe (PID: 1796)
      • AEMAgent.exe (PID: 2124)
      • AEMAgent.exe (PID: 1936)
      • RMM.WebRemote.exe (PID: 2848)
      • Gui.exe (PID: 2268)
      • Gui.exe (PID: 1980)
      • CagService.exe (PID: 2036)
      • Gui.exe (PID: 1292)
      • AgentSetup_British+Business+Bank.exe (PID: 3800)
      • Gui.exe (PID: 2356)
      • AEMAgent.exe (PID: 1612)
    • Reads Environment values

      • AgentSetup_British+Business+Bank.exe (PID: 1120)
      • CagService.exe (PID: 2036)
      • AEMAgent.exe (PID: 1936)
      • AgentSetup_British+Business+Bank.exe (PID: 3800)
    • Reads the computer name

      • AgentSetup_British+Business+Bank.exe (PID: 1120)
      • CagService.exe (PID: 2036)
      • wmpnscfg.exe (PID: 1796)
      • AEMAgent.exe (PID: 1936)
      • RMM.WebRemote.exe (PID: 2848)
      • Gui.exe (PID: 2268)
      • Gui.exe (PID: 1980)
      • Gui.exe (PID: 1292)
      • AgentSetup_British+Business+Bank.exe (PID: 3800)
      • Gui.exe (PID: 2356)
    • Creates files in the program directory

      • AgentSetup_British+Business+Bank.exe (PID: 1120)
      • CagService.exe (PID: 2036)
      • Gui.exe (PID: 1292)
      • AEMAgent.exe (PID: 2124)
      • AEMAgent.exe (PID: 1936)
      • RMM.WebRemote.exe (PID: 2848)
    • Create files in a temporary directory

      • AgentSetup_British+Business+Bank.exe (PID: 1120)
      • AgentSetup_British+Business+Bank.exe (PID: 3800)
    • Reads the machine GUID from the registry

      • CagService.exe (PID: 2036)
      • Gui.exe (PID: 1292)
      • RMM.WebRemote.exe (PID: 2848)
      • AEMAgent.exe (PID: 1936)
      • Gui.exe (PID: 2268)
      • Gui.exe (PID: 1980)
      • Gui.exe (PID: 2356)
    • Creates files or folders in the user directory

      • Gui.exe (PID: 1292)
    • Reads the software policy settings

      • Gui.exe (PID: 1292)
      • CagService.exe (PID: 2036)
      • AEMAgent.exe (PID: 1936)
    • Disables trace logs

      • CagService.exe (PID: 2036)
    • Checks proxy server information

      • CagService.exe (PID: 2036)
    • Manual execution by a user

      • wmpnscfg.exe (PID: 1796)
      • Gui.exe (PID: 2268)
      • Gui.exe (PID: 1980)
      • AgentSetup_British+Business+Bank.exe (PID: 1280)
      • AgentSetup_British+Business+Bank.exe (PID: 3800)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | InstallShield setup (36.8)
.exe | Win32 Executable MS Visual C++ (generic) (26.6)
.exe | Win64 Executable (generic) (23.6)
.dll | Win32 Dynamic Link Library (generic) (5.6)
.exe | Win32 Executable (generic) (3.8)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2016:04:27 01:27:51+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit, No debug
PEType: PE32
LinkerVersion: 2.26
CodeSize: 35328
InitializedDataSize: 38912
UninitializedDataSize: 154112
EntryPoint: 0x4167
OSVersion: 4
ImageVersion: 6
SubsystemVersion: 4
Subsystem: Windows GUI
No data.
All screenshots are available in the full report
Total processes
153
Monitored processes
93
Malicious processes
6
Suspicious processes
0

Behavior graph

(Interactive process graph; only the node labels survive here. Processes shown, starting from the sample: agentsetup_british+business+bank.exe, cagservice.exe, gui.exe, regsvr32.exe, wmpnscfg.exe, aemagent.exe, netsh.exe, rmm.webremote.exe, and repeated cmd.exe / wmic.exe pairs.)

Process information

Columns: PID, CMD, Path, Indicators, Parent process
PID: 920
CMD: wmic /namespace:\\root\Microsoft\Windows\Defender path MSFT_MpComputerStatus get /format:list
Path: C:\Windows\System32\wbem\WMIC.exe
Parent process: cmd.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
WMI Commandline Utility
Exit code:
2147749902
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\wbem\wmic.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ole32.dll
c:\windows\system32\gdi32.dll
PID: 924
CMD: wmic /namespace:\\root\Microsoft\Windows\Defender path MSFT_MpComputerStatus get /format:list
Path: C:\Windows\System32\wbem\WMIC.exe
Parent process: cmd.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
WMI Commandline Utility
Exit code:
2147749902
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\wbem\wmic.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ole32.dll
c:\windows\system32\gdi32.dll
PID: 952
CMD: "C:\Windows\system32\cmd.exe" /c wmic /namespace:\\root\Microsoft\Windows\Defender path MSFT_MpComputerStatus get /format:list
Path: C:\Windows\System32\cmd.exe
Parent process: AEMAgent.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows Command Processor
Exit code:
2147749902
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
PID: 1028
CMD: wmic /namespace:\\root\Microsoft\Windows\Defender path MSFT_MpComputerStatus get /format:list
Path: C:\Windows\System32\wbem\WMIC.exe
Parent process: cmd.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
WMI Commandline Utility
Exit code:
2147749902
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\wbem\wmic.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ole32.dll
c:\windows\system32\gdi32.dll
PID: 1064
CMD: "C:\Windows\system32\cmd.exe" /c wmic /namespace:\\root\Microsoft\Windows\Defender path MSFT_MpComputerStatus get /format:list
Path: C:\Windows\System32\cmd.exe
Parent process: AEMAgent.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows Command Processor
Exit code:
2147749902
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
PID: 1120
CMD: "C:\Users\admin\Desktop\AgentSetup_British+Business+Bank.exe"
Path: C:\Users\admin\Desktop\AgentSetup_British+Business+Bank.exe
Parent process: explorer.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
Modules
Images
c:\users\admin\desktop\agentsetup_british+business+bank.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.18837_none_ec86b8d6858ec0bc\comctl32.dll
c:\windows\system32\gdi32.dll
PID: 1200
CMD: wmic /namespace:\\root\Microsoft\Windows\Defender path MSFT_MpComputerStatus get /format:list
Path: C:\Windows\System32\wbem\WMIC.exe
Parent process: cmd.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
WMI Commandline Utility
Exit code:
2147749902
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\wbem\wmic.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ole32.dll
c:\windows\system32\gdi32.dll
PID: 1280
CMD: "C:\Users\admin\Desktop\AgentSetup_British+Business+Bank.exe"
Path: C:\Users\admin\Desktop\AgentSetup_British+Business+Bank.exe
Parent process: explorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
3221226540
Modules
Images
c:\users\admin\desktop\agentsetup_british+business+bank.exe
c:\windows\system32\ntdll.dll
PID: 1292
CMD: "C:\Program Files\CentraStage\Gui.exe"
Path: C:\Program Files\CentraStage\Gui.exe
Parent process: AgentSetup_British+Business+Bank.exe
User:
admin
Company:
CentraStage
Integrity Level:
HIGH
Description:
Agent Browser
Version:
4.4.2220.2220
Modules
Images
c:\program files\centrastage\gui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
PID: 1296
CMD: wmic /namespace:\\root\Microsoft\Windows\Defender path MSFT_MpComputerStatus get /format:list
Path: C:\Windows\System32\wbem\WMIC.exe
Parent process: cmd.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
WMI Commandline Utility
Exit code:
2147749902
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\wbem\wmic.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ole32.dll
c:\windows\system32\gdi32.dll
Total events
36 975
Read events
36 190
Write events
773
Delete events
12

Modification events

(PID) Process: (1120) AgentSetup_British+Business+Bank.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation: write
Name: CentraStage
Value: C:\Program Files\CentraStage\Gui.exe

(PID) Process: (1120) AgentSetup_British+Business+Bank.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\CentraStage
Operation: write
Name: DisplayName
Value: CentraStage

(PID) Process: (1120) AgentSetup_British+Business+Bank.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\CentraStage
Operation: write
Name: UninstallString
Value: "C:\Program Files\CentraStage\uninst.exe"

(PID) Process: (1120) AgentSetup_British+Business+Bank.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\CentraStage
Operation: write
Name: DisplayIcon
Value: C:\Program Files\CentraStage\CSIcon.ico

(PID) Process: (1120) AgentSetup_British+Business+Bank.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\CentraStage
Operation: write
Name: URLInfoAbout
Value: http://www.centrastage.com

(PID) Process: (1120) AgentSetup_British+Business+Bank.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\CentraStage
Operation: write
Name: Publisher
Value: CentraStage Limited

(PID) Process: (1120) AgentSetup_British+Business+Bank.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\CentraStage
Operation: write
Name: AgentFolderLocation
Value: C:\ProgramData\CentraStage

(PID) Process: (1120) AgentSetup_British+Business+Bank.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\CentraStage
Operation: write
Name: AgentFolderStatus
Value: 0

(PID) Process: (1120) AgentSetup_British+Business+Bank.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager
Operation: write
Name: PendingFileRenameOperations
Value: \??\C:\Users\admin\AppData\Local\Temp\nse4123.tmp\nsProcess.dll

(PID) Process: (2036) CagService.exe
Key: HKEY_USERS\.DEFAULT\Software\Classes\Local Settings\MuiCache\182\52C64B7E
Operation: write
Name: LanguageList
Value: en-US
Executable files
470
Suspicious files
44
Text files
98
Unknown types
0

Dropped files

Columns: PID, Process, Filename, Type

PID: 1120
Process: AgentSetup_British+Business+Bank.exe
Filename: C:\Program Files\CentraStage\Core.XmlSerializers.dll
Type: executable
MD5: D19CC4F5AE445CA648C9020D9334C3F7
SHA256: F572F258A83E4368680564B248CF006B9A38752386106C65C8B3CD93A2073AB9

PID: 1120
Process: AgentSetup_British+Business+Bank.exe
Filename: C:\Program Files\CentraStage\AxInterop.ViewerX.dll
Type: executable
MD5: EDC5E696C4AD70F0BE6301F703AB3672
SHA256: C6E5F17B2BC91202A1C6A9F3F0547CD7F208368B4CFEBB53F234A55F87C5ACD5

PID: 1120
Process: AgentSetup_British+Business+Bank.exe
Filename: C:\Users\admin\AppData\Local\Temp\nse4123.tmp\System.dll
Type: executable
MD5: C17103AE9072A06DA581DEC998343FC1
SHA256: DC58D8AD81CACB0C1ED72E33BFF8F23EA40B5252B5BB55D393A0903E6819AE2F

PID: 1120
Process: AgentSetup_British+Business+Bank.exe
Filename: C:\Program Files\CentraStage\Common.dll
Type: executable
MD5: 5EB01EC12C1D6F8A93C77750C6ACFB75
SHA256: 627E4496060E075E3777CA77B22B93FF5011EE0607357AAC6DF1C4CB4C526F6B

PID: 1120
Process: AgentSetup_British+Business+Bank.exe
Filename: C:\Program Files\CentraStage\Gui.exe
Type: executable
MD5: 85565EA373983DC1109C1A957D64638E
SHA256: 2E7686E98CA5F3895855389B2825B48AF0EEF024AC485124055E4A3AEA9DA98D

PID: 1120
Process: AgentSetup_British+Business+Bank.exe
Filename: C:\Program Files\CentraStage\FSharp.Core.dll
Type: executable
MD5: 99A817A04B25690B98EDF3370ED2EB83
SHA256: 9292EB06BF4CD100C94ABD2949A96351A0F3710008674993C7491DA578E1EDE1

PID: 1120
Process: AgentSetup_British+Business+Bank.exe
Filename: C:\Program Files\CentraStage\Microsoft.Threading.Tasks.dll
Type: executable
MD5: D01819BFE03222DFA9E35A36555B6B6C
SHA256: 5F29E16EDFF5379E93D5BE9BEE4CDDF98132B84326027688511AC0F3157AAF94

PID: 1120
Process: AgentSetup_British+Business+Bank.exe
Filename: C:\Program Files\CentraStage\ICSharpCode.SharpZipLib.dll
Type: executable
MD5: C8164876B6F66616D68387443621510C
SHA256: 40B3D590F95191F3E33E5D00E534FA40F823D9B1BB2A9AFE05F139C4E0A3AF8D

PID: 1120
Process: AgentSetup_British+Business+Bank.exe
Filename: C:\Program Files\CentraStage\Gui.exe.config
Type: xml
MD5: 29D78BFD9A4C0D4F850250C25CA8112D
SHA256: 71B4F6772FE48A80281E0D112DCB0A2FCAF99DA736A07FCA4CAA3E8107BF4AB0

PID: 1120
Process: AgentSetup_British+Business+Bank.exe
Filename: C:\Program Files\CentraStage\Microsoft.Threading.Tasks.Extensions.Desktop.dll
Type: executable
MD5: E548A93D16964E52868C47CEF1C98F2E
SHA256: F71621C47C610E0886846CF53D955FD0E7448951F99ECC22FACD47493EF97A87
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
38
DNS requests
15
Threats
0

HTTP requests

No HTTP requests

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
224.0.0.252:5355
unknown
4
System
192.168.100.255:137
whitelisted
4
System
192.168.100.255:138
unknown
2036
CagService.exe
54.154.110.190:443
01cc.centrastage.net
AMAZON-02
IE
unknown
2036
CagService.exe
99.86.4.34:443
update.centrastage.net
AMAZON-02
US
unknown
2036
CagService.exe
34.243.43.239:443
features.pinotage.rmm.datto.com
AMAZON-02
IE
unknown
2036
CagService.exe
35.71.166.34:443
pinotage-agent.centrastage.net
AMAZON-02
US
unknown
2036
CagService.exe
68.232.34.200:443
download.visualstudio.microsoft.com
EDGECAST
US
whitelisted
1936
AEMAgent.exe
99.86.4.34:443
update.centrastage.net
AMAZON-02
US
unknown
1936
AEMAgent.exe
34.243.43.239:443
features.pinotage.rmm.datto.com
AMAZON-02
IE
unknown

DNS requests

Domain
IP
Reputation
01cc.centrastage.net
  • 54.154.110.190
  • 52.16.199.216
unknown
update.centrastage.net
  • 99.86.4.34
  • 99.86.4.86
  • 99.86.4.40
  • 99.86.4.110
  • 54.154.76.59
whitelisted
features.pinotage.rmm.datto.com
  • 34.243.43.239
  • 54.170.63.255
unknown
pinotage-agent.centrastage.net
  • 35.71.166.34
  • 52.223.27.83
unknown
download.visualstudio.microsoft.com
  • 68.232.34.200
whitelisted
agent-gateway.pinotage.rmm.datto.com
  • 15.197.229.100
  • 3.33.220.55
unknown
pinotage-agent-notifications.centrastage.net
  • 75.2.101.69
  • 99.83.237.20
unknown
pinotage-agent-comms.centrastage.net
  • 99.83.237.20
  • 75.2.101.69
unknown
pinotage-monitoring.centrastage.net
  • 75.2.101.69
  • 99.83.237.20
unknown

Threats

No threats detected
Process
Message
AEMAgent.exe
Profiler was prevented from loading notification profiler due to app settings. Process ID (decimal): 2124. Message ID: [0x2509].
AEMAgent.exe
Profiler was prevented from loading notification profiler due to app settings. Process ID (decimal): 1936. Message ID: [0x2509].
RMM.WebRemote.exe
Profiler was prevented from loading notification profiler due to app settings. Process ID (decimal): 2848. Message ID: [0x2509].
AEMAgent.exe
Profiler was prevented from loading notification profiler due to app settings. Process ID (decimal): 1612. Message ID: [0x2509].