Malware analysis https://silvercelebrationaccess.com/Windows/invite.php Malicious activity

Add for printing

URL:	https://silvercelebrationaccess.com/Windows/invite.php
Full analysis:	https://app.any.run/tasks/bbd38520-efbb-4d15-b5b5-0b8e4f9a7ef7
Verdict:	Malicious activity
Threats:	A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. Malware Trends Tracker >>>
Analysis date:	April 25, 2026, 18:14:12
OS:	Windows 10 Professional (build: 19044, 64 bit)
Tags:	phishing datto rmm-tool loader
Indicators:
MD5:	F017FFEB9B5C6564ACAE6E49942079DF
SHA1:	0F32D11AA81B3B580F67730D19CD06CC3FCA470D
SHA256:	57E64E447F53FAFCB4F8DF2941DB6798554BDD8D7E53C3130977927E04FA20C4
SSDEEP:	3:N8BCpAsqAtdzDenhVn:2kpAsqghDez

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 60 seconds
Heavy Evasion option:: off
Network geolocation:: off
Additional time used:: none
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.3636.19041.0
Adobe Acrobat (64-bit) (23.001.20093)
Adobe Flash Player 32 NPAPI (32.0.0.465)
Adobe Flash Player 32 PPAPI (32.0.0.465)
CCleaner (6.20)
Google Chrome (133.0.6943.127)
Google Update Helper (1.3.36.51)
Java 8 Update 271 (64-bit) (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Java(TM) SE Development Kit 25.0.2 (64-bit) (25.0.2.0)
Microsoft Edge (133.0.3065.92)
Microsoft Office Professional 2019 - de-de (16.0.16026.20146)
Microsoft Office Professional 2019 - en-us (16.0.16026.20146)
Microsoft Office Professional 2019 - es-es (16.0.16026.20146)
Microsoft Office Professional 2019 - it-it (16.0.16026.20146)
Microsoft Office Professional 2019 - ja-jp (16.0.16026.20146)
Microsoft Office Professional 2019 - ko-kr (16.0.16026.20146)
Microsoft Office Professional 2019 - pt-br (16.0.16026.20146)
Microsoft Office Professional 2019 - tr-tr (16.0.16026.20146)
Microsoft Office Professionnel 2019 - fr-fr (16.0.16026.20146)
Microsoft Office профессиональный 2019 - ru-ru (16.0.16026.20146)
Microsoft OneNote - en-us (16.0.16026.20146)
Microsoft Update Health Tools (3.74.0.0)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x64 en-US) (136.0)
Mozilla Maintenance Service (136.0)
Notepad++ (64-bit x64) (7.9.1)
Office 16 Click-to-Run Extensibility Component (16.0.15726.20202)
Office 16 Click-to-Run Licensing Component (16.0.16026.20146)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15928.20198)
PowerShell 7-x64 (7.3.5.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.59.0.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.63.0.0)
Update for Windows 10 for x64-based Systems (KB4480730) (2.55.0.0)
Update for Windows 10 for x64-based Systems (KB5001716) (8.93.0.0)
VLC media player (3.0.11)
WinRAR 5.91 (64-bit) (5.91.0)
Windows PC Health Check (3.6.2204.08001)

Hotfixes

Client LanguagePack Package
DotNetRollup
DotNetRollup 481
FodMetadata Package
Foundation Package
Hello Face Package
InternetExplorer Optional Package
KB5003791
KB5011048
KB5015684
KB5033052
LanguageFeatures Basic en us Package
LanguageFeatures Handwriting en us Package
LanguageFeatures OCR en us Package
LanguageFeatures Speech en us Package
LanguageFeatures TextToSpeech en us Package
MSPaint FoD Package
MediaPlayer Package
Microsoft OneCore ApplicationModel Sync Desktop FOD Package
Microsoft OneCore DirectX Database FOD Package
NetFx3 OnDemand Package
Notepad FoD Package
OpenSSH Client Package
PowerShell ISE FOD Package
Printing PMCPPC FoD Package
Printing WFS FoD Package
ProfessionalEdition
QuickAssist Package
RollupFix
ServicingStack
ServicingStack 3989
StepsRecorder Package
TabletPCMath Package
UserExperience Desktop Package
WordPad FoD Package

Add for printing

MALICIOUS
- PHISHING has been detected (SURICATA)
  - msedge.exe (PID: 3120)
- Registers / Runs the DLL via REGSVR32.EXE
  - CagService.exe (PID: 7856)
- DATTO has been detected
  - CagService.exe (PID: 7856)
  - AEMAgent.exe (PID: 8944)
- Changes settings of System certificates
  - AEMAgent.exe (PID: 8944)
- Changes the autorun value in the registry
  - RMM.WebRemote.exe (PID: 2136)
  - PaperlessPost.exe (PID: 8948)
SUSPICIOUS
- Executes as Windows Service
  - CagService.exe (PID: 7856)
- Searches for installed software
  - CagService.exe (PID: 7856)
- Creates or modifies Windows services
  - CagService.exe (PID: 7856)
- Creates/Modifies COM task schedule object
  - regsvr32.exe (PID: 8540)
- Executable content was dropped or overwritten
  - CagService.exe (PID: 7856)
  - AEMAgent.exe (PID: 8944)
  - PaperlessPost.exe (PID: 8948)
- Adds/modifies Windows certificates
  - AEMAgent.exe (PID: 8944)
- Uses NETSH.EXE to delete a firewall rule or allowed programs
  - AEMAgent.exe (PID: 8944)
  - RMM.WebRemote.exe (PID: 2136)
- Uses NETSH.EXE to add a firewall rule or allowed programs
  - AEMAgent.exe (PID: 8944)
  - RMM.WebRemote.exe (PID: 2136)
- The process creates files with name similar to system file names
  - CagService.exe (PID: 7856)
  - PaperlessPost.exe (PID: 8948)
- Suspicious use of NETSH.EXE
  - AEMAgent.exe (PID: 8944)
- Malware-specific behavior (creating "System.dll" in Temp)
  - PaperlessPost.exe (PID: 8948)
INFO
- Checks supported languages
  - identity_helper.exe (PID: 5648)
  - CagService.exe (PID: 7856)
  - PaperlessPost.exe (PID: 8948)
  - Gui.exe (PID: 7096)
  - AEMAgent.exe (PID: 8944)
  - AEMAgent.exe (PID: 8840)
  - RMM.WebRemote.exe (PID: 2136)
- Application launched itself
  - msedge.exe (PID: 1456)
- The sample compiled with english language support
  - PaperlessPost.exe (PID: 8948)
  - CagService.exe (PID: 7856)
  - AEMAgent.exe (PID: 8944)
- Creates a software uninstall entry
  - PaperlessPost.exe (PID: 8948)
  - CagService.exe (PID: 7856)
- Launching a file from a Registry key
  - PaperlessPost.exe (PID: 8948)
  - RMM.WebRemote.exe (PID: 2136)
- DATTO has been detected
  - PaperlessPost.exe (PID: 8948)
  - PaperlessPost.exe (PID: 8948)
  - CagService.exe (PID: 7856)
  - CagService.exe (PID: 7856)
  - Gui.exe (PID: 7096)
  - CagService.exe (PID: 7856)
  - AEMAgent.exe (PID: 8840)
  - AEMAgent.exe (PID: 8944)
  - conhost.exe (PID: 9156)
  - conhost.exe (PID: 8252)
  - conhost.exe (PID: 4348)
  - AEMAgent.exe (PID: 8944)
  - conhost.exe (PID: 7624)
  - conhost.exe (PID: 8788)
  - conhost.exe (PID: 7224)
  - conhost.exe (PID: 672)
  - conhost.exe (PID: 1284)
  - conhost.exe (PID: 8928)
  - AEMAgent.exe (PID: 8944)
  - RMM.WebRemote.exe (PID: 2136)
  - conhost.exe (PID: 8248)
  - conhost.exe (PID: 8496)
  - conhost.exe (PID: 8252)
  - conhost.exe (PID: 6836)
  - conhost.exe (PID: 7720)
  - msedge.exe (PID: 1456)
- Reads Environment values
  - identity_helper.exe (PID: 5648)
  - CagService.exe (PID: 7856)
- Reads the computer name
  - identity_helper.exe (PID: 5648)
  - CagService.exe (PID: 7856)
  - Gui.exe (PID: 7096)
  - AEMAgent.exe (PID: 8944)
  - RMM.WebRemote.exe (PID: 2136)
  - PaperlessPost.exe (PID: 8948)
- Launching a file from the Downloads directory
  - msedge.exe (PID: 1456)
- Executable content was dropped or overwritten
  - msedge.exe (PID: 1456)
- Create files in a temporary directory
  - PaperlessPost.exe (PID: 8948)
- Reads the machine GUID from the registry
  - CagService.exe (PID: 7856)
  - Gui.exe (PID: 7096)
  - AEMAgent.exe (PID: 8944)
- Reads security settings of Internet Explorer
  - CagService.exe (PID: 7856)
  - Gui.exe (PID: 7096)
  - netsh.exe (PID: 1400)
  - netsh.exe (PID: 8960)
  - netsh.exe (PID: 8256)
- Creates files or folders in the user directory
  - Gui.exe (PID: 7096)
- Disables trace logs
  - CagService.exe (PID: 7856)
- Process checks computer location settings
  - AEMAgent.exe (PID: 8944)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

201

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

508

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=3 --enable-main-frame-before-activation --renderer-client-id=5 --always-read-main-dll --field-trial-handle=3628,i,3195745500251989163,15239702415116423542,262144 --disable-features=HttpsFirstBalancedMode,HttpsFirstModeV2,HttpsOnlyMode,HttpsUpgrades --variations-seed-version --mojo-platform-channel-handle=3840 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

—

msedge.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

LOW

Description:

Microsoft Edge

Exit code:

Version:

133.0.3065.92

Modules

Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\133.0.3065.92\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

672

\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

—

netsh.exe

User:

SYSTEM

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

Console Window Host

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

1284

\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

—

netsh.exe

User:

SYSTEM

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

Console Window Host

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

1400

"C:\WINDOWS\system32\netsh.exe" advfirewall firewall show rule name=all

C:\Windows\System32\netsh.exe

—

AEMAgent.exe

User:

SYSTEM

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

Network Command Shell

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\netsh.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

1432

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --disable-quic --message-loop-type-ui --string-annotations --always-read-main-dll --field-trial-handle=1216,i,3195745500251989163,15239702415116423542,262144 --disable-features=HttpsFirstBalancedMode,HttpsFirstModeV2,HttpsOnlyMode,HttpsUpgrades --variations-seed-version --mojo-platform-channel-handle=5936 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

—

msedge.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

LOW

Description:

Microsoft Edge

Version:

133.0.3065.92

Modules

Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\133.0.3065.92\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

1456

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --disable-features=HttpsUpgrades,HttpsFirstModeV2,HttpsOnlyMode,HttpsFirstBalancedMode --no-first-run --no-default-browser-check https://silvercelebrationaccess.com/Windows/invite.php

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

explorer.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Microsoft Edge

Version:

133.0.3065.92

Modules

Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\133.0.3065.92\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

2136

"C:\ProgramData\CentraStage\AEMAgent\RMM.WebRemote\14.9.1.11030\RMM.WebRemote.exe" --web-remote-daemon aemwr-a868b760-54c4-4de6-9faf-e66369de3ce1

C:\ProgramData\CentraStage\AEMAgent\RMM.WebRemote\14.9.1.11030\RMM.WebRemote.exe

AEMAgent.exe

User:

SYSTEM

Integrity Level:

SYSTEM

Description:

RMM WebRemote Agent

Version:

14.9.1.11030

Modules

Images
c:\programdata\centrastage\aemagent\rmm.webremote\14.9.1.11030\rmm.webremote.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll

2996

\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

—

CagService.exe

User:

SYSTEM

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

Console Window Host

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

3120

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --disable-quic --string-annotations --always-read-main-dll --field-trial-handle=2532,i,3195745500251989163,15239702415116423542,262144 --disable-features=HttpsFirstBalancedMode,HttpsFirstModeV2,HttpsOnlyMode,HttpsUpgrades --variations-seed-version --mojo-platform-channel-handle=2528 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

msedge.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Microsoft Edge

Version:

133.0.3065.92

Modules

Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\133.0.3065.92\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

3276

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.142 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.92 --initial-client-data=0x294,0x298,0x29c,0x28c,0x2a4,0x7ffe2392f208,0x7ffe2392f214,0x7ffe2392f220

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

—

msedge.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Microsoft Edge

Version:

133.0.3065.92

Modules

Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\133.0.3065.92\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

Add for printing

Total events

16 411

Read events

16 302

Write events

Delete events

Modification events


(PID) Process:	(8948) PaperlessPost.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run
Operation:	write	Name:	CentraStage
Value: C:\Program Files (x86)\CentraStage\Gui.exe
(PID) Process:	(8948) PaperlessPost.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\CentraStage
Operation:	write	Name:	DisplayName
Value: CentraStage
(PID) Process:	(8948) PaperlessPost.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\CentraStage
Operation:	write	Name:	UninstallString
Value: "C:\Program Files (x86)\CentraStage\uninst.exe"
(PID) Process:	(8948) PaperlessPost.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\CentraStage
Operation:	write	Name:	DisplayIcon
Value: C:\Program Files (x86)\CentraStage\CSIcon.ico
(PID) Process:	(8948) PaperlessPost.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\CentraStage
Operation:	write	Name:	URLInfoAbout
Value: http://www.centrastage.com
(PID) Process:	(8948) PaperlessPost.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\CentraStage
Operation:	write	Name:	Publisher
Value: CentraStage Limited
(PID) Process:	(8948) PaperlessPost.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\CentraStage
Operation:	write	Name:	AgentFolderLocation
Value: C:\ProgramData\CentraStage
(PID) Process:	(8948) PaperlessPost.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\CentraStage
Operation:	write	Name:	AgentFolderStatus
Value: 0
(PID) Process:	(7856) CagService.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\CentraStage
Operation:	write	Name:	AgentFolderStatus
Value: 3
(PID) Process:	(7856) CagService.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\CentraStage
Operation:	write	Name:	DisplayName
Value: Datto RMM

Add for printing

Executable files

328

Suspicious files

Text files

322

Unknown types

Dropped files

PID	Process	Filename		Type
1456	msedge.exe	C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\ClientCertificates\LOG.old~RFdfec3.TMP		—
		MD5:—	SHA256:—
1456	msedge.exe	C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\ClientCertificates\LOG.old		—
		MD5:—	SHA256:—
1456	msedge.exe	C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\parcel_tracking_db\LOG.old~RFdfee2.TMP		—
		MD5:—	SHA256:—
1456	msedge.exe	C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\PersistentOriginTrials\LOG.old~RFdfee2.TMP		—
		MD5:—	SHA256:—
1456	msedge.exe	C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\parcel_tracking_db\LOG.old		—
		MD5:—	SHA256:—
1456	msedge.exe	C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\LOG.old~RFdfee2.TMP		—
		MD5:—	SHA256:—
1456	msedge.exe	C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\discounts_db\LOG.old~RFdfed3.TMP		—
		MD5:—	SHA256:—
1456	msedge.exe	C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\discounts_db\LOG.old		—
		MD5:—	SHA256:—
1456	msedge.exe	C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\LOG.old		—
		MD5:—	SHA256:—
1456	msedge.exe	C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\EdgePushStorageWithConnectTokenAndKey\LOG.old~RFdff11.TMP		—
		MD5:—	SHA256:—

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
3120	msedge.exe	OPTIONS	200	35.190.80.1:443	https://a.nel.cloudflare.com/report/v4?s=NUisD%2Fk48iMXuvBAKZlBnR4LP3muj%2BgPTgoJF1uTgIP2foYQzy3hZNknWXOBdM%2Bl9TjDCzQAtQR39yW9K8M5RhRNjAqzVFmQ%2BNw1ol%2BMHhkIsS1syd76OH764vWCqQyiZB4owPXiOONsHw0rnjY%3D	US	—	—	unknown
—	—	GET	200	23.11.41.157:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAjTxtAB8my1oj8MfWpz%2F7Y%3D	NL	binary	312 b	whitelisted
—	—	GET	200	204.79.197.203:80	http://oneocsp.microsoft.com/ocsp/MFQwUjBQME4wTDAJBgUrDgMCGgUABBQ3L3%2F%2Fa6ADK8NraY2GXzVaYrHG4AQUb6t%2B2v%2BXQ3LsO2d33oJhNYhHQoUCEzMAAAAGb6JMMcOVb6sAAAAAAAY%3D	US	binary	959 b	whitelisted
3120	msedge.exe	GET	200	150.171.28.11:80	http://edge.microsoft.com/browsernetworktime/time/1/current?cup2key=2:OHd5eTpjSTzrE8LvvYwPdEohxTAEupXYeUVH-WtS1Wg&cup2hreq=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855	US	text	101 b	whitelisted
3120	msedge.exe	GET	200	150.171.28.11:443	https://edge.microsoft.com/serviceexperimentation/v3/?osname=win&channel=stable&osver=10.0.19045&devicefamily=desktop&installdate=1661339457&clientversion=133.0.3065.92&experimentationmode=2&scpguard=0&scpfull=0&scpver=0	US	text	132 b	whitelisted
3120	msedge.exe	GET	200	150.171.22.17:443	https://config.edge.skype.com/config/v1/Edge/133.0.3065.92?clientId=4489578223053569932&agents=Edge%2CEdgeConfig%2CEdgeServices%2CEdgeFirstRun%2CEdgeFirstRunConfig&osname=win&client=edge&channel=stable&scpfre=0&osarch=x86_64&osver=10.0.19045&wu=1&devicefamily=desktop&uma=0&sessionid=67&mngd=0&installdate=1661339457&edu=0&soobedate=1504771245&bphint=2&fg=1&lbfgdate=1766135237&lafgdate=0	US	text	4.28 Kb	whitelisted
3120	msedge.exe	GET	403	188.114.96.3:443	https://silvercelebrationaccess.com/Windows/invite.php	US	html	5.81 Kb	unknown
3120	msedge.exe	GET	200	104.18.22.222:443	https://copilot.microsoft.com/c/api/user/eligibility	US	text	25 b	whitelisted
3120	msedge.exe	GET	403	188.114.96.3:443	https://silvercelebrationaccess.com/Windows/invite.php	US	html	6.02 Kb	unknown
3120	msedge.exe	GET	200	188.114.96.3:443	https://silvercelebrationaccess.com/cdn-cgi/challenge-platform/h/g/orchestrate/chl_page/v1?ray=9f1f53a0aa6898c4	US	text	179 Kb	unknown

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:137	—	Not routed	—	whitelisted
680	svchost.exe	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
5276	MoUsoCoreWorker.exe	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
—	—	48.192.1.65:443	activation-v2.sls.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
—	—	2.23.227.208:443	www.bing.com	AKAMAI-ASN1	NL	whitelisted
—	—	23.11.41.157:80	ocsp.digicert.com	AKAMAI-AMS	NL	whitelisted
—	—	204.79.197.203:80	oneocsp.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
3120	msedge.exe	150.171.22.17:443	config.edge.skype.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
4	System	192.168.100.255:138	—	Not routed	—	whitelisted
3120	msedge.exe	150.171.28.11:80	edge.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted

DNS requests

Domain	IP	Reputation
activation-v2.sls.microsoft.com	48.192.1.65	whitelisted
google.com	142.251.13.139 142.251.13.102 142.251.13.138 142.251.13.101 142.251.13.113 142.251.13.100	whitelisted
www.bing.com	2.23.227.208 2.23.227.215	whitelisted
ocsp.digicert.com	23.11.41.157	whitelisted
oneocsp.microsoft.com	204.79.197.203	whitelisted
edge.microsoft.com	150.171.28.11 150.171.27.11	whitelisted
config.edge.skype.com	150.171.22.17	whitelisted
silvercelebrationaccess.com	188.114.96.3 188.114.97.3	unknown
api.edgeoffer.microsoft.com	150.171.109.193	whitelisted
copilot.microsoft.com	104.18.22.222 104.18.23.222	whitelisted

Threats

PID	Process	Class	Message
3120	msedge.exe	Not Suspicious Traffic	INFO [ANY.RUN] Cloudflare Network Error Logging (NEL)
3120	msedge.exe	Not Suspicious Traffic	INFO [ANY.RUN] Cloudflare Network Error Logging (NEL)
3120	msedge.exe	Not Suspicious Traffic	INFO [ANY.RUN] Cloudflare turnstile CAPTCHA challenge
3120	msedge.exe	Not Suspicious Traffic	INFO [ANY.RUN] Cloudflare turnstile CAPTCHA challenge
3120	msedge.exe	Not Suspicious Traffic	INFO [ANY.RUN] Cloudflare turnstile CAPTCHA challenge
3120	msedge.exe	Possible Social Engineering Attempted	ET PHISHING Microsoft Phish Landing Page M3 2026-01-22
3120	msedge.exe	Potentially Bad Traffic	SUSPICIOUS [ANY.RUN] Challenge-Platform Page Request to cdn-cgi
3120	msedge.exe	Possible Social Engineering Attempted	ET PHISHING Microsoft Phish Landing Page M3 2026-01-22
3120	msedge.exe	Not Suspicious Traffic	INFO [ANY.RUN] Cloudflare content delivery network (cdnjs .cloudflare .com)
3120	msedge.exe	Not Suspicious Traffic	INFO [ANY.RUN] Cloudflare content delivery network (cdnjs .cloudflare .com)

Add for printing

No debug info

General Info

https://silvercelebrationaccess.com/Windows/invite.php

F017FFEB9B5C6564ACAE6E49942079DF

0F32D11AA81B3B580F67730D19CD06CC3FCA470D

57E64E447F53FAFCB4F8DF2941DB6798554BDD8D7E53C3130977927E04FA20C4

3:N8BCpAsqAtdzDenhVn:2kpAsqghDez

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

PHISHING has been detected (SURICATA)

Registers / Runs the DLL via REGSVR32.EXE

DATTO has been detected

Changes settings of System certificates

Changes the autorun value in the registry

SUSPICIOUS

Executes as Windows Service

Searches for installed software

Creates or modifies Windows services

Creates/Modifies COM task schedule object

Executable content was dropped or overwritten

Adds/modifies Windows certificates

Uses NETSH.EXE to delete a firewall rule or allowed programs

Uses NETSH.EXE to add a firewall rule or allowed programs

The process creates files with name similar to system file names

Suspicious use of NETSH.EXE

Malware-specific behavior (creating "System.dll" in Temp)

INFO

Checks supported languages

Application launched itself

The sample compiled with english language support

Creates a software uninstall entry

Launching a file from a Registry key

DATTO has been detected

Reads Environment values

Reads the computer name

Launching a file from the Downloads directory

Executable content was dropped or overwritten

Create files in a temporary directory

Reads the machine GUID from the registry

Reads security settings of Internet Explorer

Creates files or folders in the user directory

Disables trace logs

Process checks computer location settings

Malware configuration

Static information

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections