URL:

https://store9.gofile.io/download/direct/bbda4454-3905-46c6-b5a5-9882a4cb113b/guestlist.exe

Full analysis: https://app.any.run/tasks/20a7fa62-8afe-4da0-9beb-6f6fc062e289
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Malware Trends Tracker     >>>
Analysis date: March 25, 2026, 16:07:44
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
fileshare
datto
rmm-tool
loader
arch-exec
arch-doc
Indicators:
MD5:

909DD3551CFEDD05BD673B04D98C60FF

SHA1:

5238F7555B14F7E88C7EDCB2D15BC3E037CDD5C3

SHA256:

A06C72C0B4BC1AF471E9D607A83CD06B500EC264A60733C2C00749B16A3A4A99

SSDEEP:

3:N8cMActDMJu1L8jRm42YGfwPeVOA:2cMXQkqtAbGeVv

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Changes the autorun value in the registry

      • guestlist.exe (PID: 8632)
      • guestlist.exe (PID: 9024)
      • guestlist.exe (PID: 8260)
      • guestlist.exe (PID: 8336)
      • RMM.WebRemote.exe (PID: 8232)
      • guestlist.exe (PID: 2120)
      • guestlist.exe (PID: 8300)
      • guestlist.exe (PID: 6696)

    • Registers / Runs the DLL via REGSVR32.EXE

      • CagService.exe (PID: 8940)

    • DATTO has been detected

      • CagService.exe (PID: 8940)
      • AEMAgent.exe (PID: 8052)

    • Changes settings of System certificates

      • AEMAgent.exe (PID: 8052)

  • SUSPICIOUS

    • Malware-specific behavior (creating "System.dll" in Temp)

      • guestlist.exe (PID: 8632)
      • guestlist.exe (PID: 9024)
      • guestlist.exe (PID: 8260)
      • guestlist.exe (PID: 8336)
      • guestlist.exe (PID: 8300)
      • guestlist.exe (PID: 6696)
      • guestlist.exe (PID: 2120)

    • The process creates files with name similar to system file names

      • guestlist.exe (PID: 8632)
      • guestlist.exe (PID: 9024)
      • guestlist.exe (PID: 8336)
      • guestlist.exe (PID: 8260)
      • CagService.exe (PID: 8940)
      • guestlist.exe (PID: 2120)
      • guestlist.exe (PID: 8300)
      • guestlist.exe (PID: 6696)

    • Executable content was dropped or overwritten

      • guestlist.exe (PID: 8632)
      • guestlist.exe (PID: 9024)
      • guestlist.exe (PID: 8336)
      • CagService.exe (PID: 8940)
      • guestlist.exe (PID: 8260)
      • guestlist.exe (PID: 2120)
      • guestlist.exe (PID: 8300)
      • guestlist.exe (PID: 6696)
      • AEMAgent.exe (PID: 8052)
      • RMM.WebRemote.exe (PID: 8232)

    • Executes as Windows Service

      • CagService.exe (PID: 8940)

    • Searches for installed software

      • CagService.exe (PID: 8940)

    • Creates or modifies Windows services

      • CagService.exe (PID: 8940)

    • Creates/Modifies COM task schedule object

      • regsvr32.exe (PID: 8552)

    • Adds/modifies Windows certificates

      • AEMAgent.exe (PID: 8052)

    • Uses NETSH.EXE to delete a firewall rule or allowed programs

      • AEMAgent.exe (PID: 8052)
      • RMM.WebRemote.exe (PID: 8232)

    • Uses NETSH.EXE to add a firewall rule or allowed programs

      • AEMAgent.exe (PID: 8052)
      • RMM.WebRemote.exe (PID: 8232)

    • Suspicious use of NETSH.EXE

      • AEMAgent.exe (PID: 8052)

  • INFO

    • Application launched itself

      • msedge.exe (PID: 8008)

    • Reads Environment values

      • identity_helper.exe (PID: 3076)
      • CagService.exe (PID: 8940)

    • Reads the computer name

      • identity_helper.exe (PID: 3076)
      • guestlist.exe (PID: 8632)
      • CagService.exe (PID: 8940)
      • Gui.exe (PID: 9104)
      • guestlist.exe (PID: 9024)
      • Gui.exe (PID: 5704)
      • guestlist.exe (PID: 8260)
      • Gui.exe (PID: 8612)
      • Gui.exe (PID: 9184)
      • AEMAgent.exe (PID: 8052)
      • guestlist.exe (PID: 8336)
      • RMM.WebRemote.exe (PID: 8232)
      • guestlist.exe (PID: 2120)
      • Gui.exe (PID: 8412)
      • guestlist.exe (PID: 8300)
      • guestlist.exe (PID: 6696)
      • Gui.exe (PID: 8512)
      • Gui.exe (PID: 8452)

    • Checks supported languages

      • identity_helper.exe (PID: 3076)
      • guestlist.exe (PID: 8632)
      • guestlist.exe (PID: 9024)
      • Gui.exe (PID: 9104)
      • guestlist.exe (PID: 8260)
      • guestlist.exe (PID: 8336)
      • CagService.exe (PID: 8940)
      • AEMAgent.exe (PID: 4712)
      • Gui.exe (PID: 5704)
      • Gui.exe (PID: 8612)
      • Gui.exe (PID: 9184)
      • AEMAgent.exe (PID: 8052)
      • guestlist.exe (PID: 2120)
      • guestlist.exe (PID: 8300)
      • guestlist.exe (PID: 6696)
      • RMM.WebRemote.exe (PID: 8232)
      • Gui.exe (PID: 8512)
      • Gui.exe (PID: 8412)
      • Gui.exe (PID: 8452)

    • Launching a file from the Downloads directory

      • msedge.exe (PID: 8008)

    • The sample compiled with english language support

      • guestlist.exe (PID: 8632)
      • CagService.exe (PID: 8940)
      • AEMAgent.exe (PID: 8052)

    • Creates files in the program directory

      • guestlist.exe (PID: 8632)
      • Gui.exe (PID: 9104)
      • CagService.exe (PID: 8940)
      • AEMAgent.exe (PID: 4712)
      • AEMAgent.exe (PID: 8052)
      • RMM.WebRemote.exe (PID: 8232)

    • Executable content was dropped or overwritten

      • msedge.exe (PID: 3324)
      • msedge.exe (PID: 8008)

    • Launching a file from a Registry key

      • guestlist.exe (PID: 8632)
      • guestlist.exe (PID: 9024)
      • guestlist.exe (PID: 8260)
      • guestlist.exe (PID: 8336)
      • RMM.WebRemote.exe (PID: 8232)
      • guestlist.exe (PID: 2120)
      • guestlist.exe (PID: 8300)
      • guestlist.exe (PID: 6696)

    • Creates a software uninstall entry

      • guestlist.exe (PID: 8632)
      • CagService.exe (PID: 8940)
      • guestlist.exe (PID: 9024)
      • guestlist.exe (PID: 8260)
      • guestlist.exe (PID: 8336)
      • guestlist.exe (PID: 2120)
      • guestlist.exe (PID: 8300)
      • guestlist.exe (PID: 6696)

    • DATTO has been detected

      • guestlist.exe (PID: 8632)
      • CagService.exe (PID: 8940)
      • CagService.exe (PID: 8940)
      • Gui.exe (PID: 9104)
      • AEMAgent.exe (PID: 4712)
      • guestlist.exe (PID: 8260)
      • guestlist.exe (PID: 9024)
      • guestlist.exe (PID: 8336)
      • Gui.exe (PID: 8612)
      • Gui.exe (PID: 9184)
      • Gui.exe (PID: 5704)
      • AEMAgent.exe (PID: 8052)
      • conhost.exe (PID: 9080)
      • conhost.exe (PID: 9188)
      • conhost.exe (PID: 8864)
      • conhost.exe (PID: 6720)
      • AEMAgent.exe (PID: 8052)
      • conhost.exe (PID: 8628)
      • conhost.exe (PID: 1132)
      • conhost.exe (PID: 8888)
      • conhost.exe (PID: 8552)
      • conhost.exe (PID: 8876)
      • conhost.exe (PID: 6728)
      • RMM.WebRemote.exe (PID: 8232)
      • conhost.exe (PID: 4772)
      • conhost.exe (PID: 1132)
      • conhost.exe (PID: 8784)
      • guestlist.exe (PID: 2120)
      • guestlist.exe (PID: 8300)
      • Gui.exe (PID: 8512)
      • Gui.exe (PID: 8412)
      • guestlist.exe (PID: 6696)
      • Gui.exe (PID: 8452)
      • conhost.exe (PID: 8416)

    • Create files in a temporary directory

      • guestlist.exe (PID: 8632)
      • guestlist.exe (PID: 8336)
      • guestlist.exe (PID: 8260)
      • guestlist.exe (PID: 9024)
      • guestlist.exe (PID: 8300)
      • guestlist.exe (PID: 6696)
      • guestlist.exe (PID: 2120)

    • Reads security settings of Internet Explorer

      • CagService.exe (PID: 8940)
      • Gui.exe (PID: 9104)
      • Gui.exe (PID: 5704)
      • Gui.exe (PID: 8612)
      • Gui.exe (PID: 9184)
      • netsh.exe (PID: 8488)
      • netsh.exe (PID: 8464)
      • netsh.exe (PID: 8528)
      • Gui.exe (PID: 8412)
      • Gui.exe (PID: 8512)
      • Gui.exe (PID: 8452)

    • Reads the machine GUID from the registry

      • CagService.exe (PID: 8940)
      • Gui.exe (PID: 9104)
      • Gui.exe (PID: 5704)
      • Gui.exe (PID: 8612)
      • Gui.exe (PID: 9184)
      • AEMAgent.exe (PID: 8052)
      • Gui.exe (PID: 8412)
      • Gui.exe (PID: 8512)
      • Gui.exe (PID: 8452)

    • Creates files or folders in the user directory

      • Gui.exe (PID: 9104)

    • Disables trace logs

      • CagService.exe (PID: 8940)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
235
Monitored processes
89
Malicious processes
3
Suspicious processes
8

Behavior graph

Click at the process to see the details
start msedge.exe msedge.exe no specs msedge.exe no specs msedge.exe msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs identity_helper.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs identity_helper.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs guestlist.exe no specs guestlist.exe slui.exe cagservice.exe guestlist.exe no specs guestlist.exe conhost.exe no specs gui.exe no specs guestlist.exe no specs guestlist.exe no specs guestlist.exe guestlist.exe regsvr32.exe no specs regsvr32.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs aemagent.exe no specs msedge.exe no specs gui.exe no specs gui.exe no specs gui.exe no specs aemagent.exe guestlist.exe no specs guestlist.exe netsh.exe no specs conhost.exe no specs netsh.exe no specs conhost.exe no specs netsh.exe no specs conhost.exe no specs netsh.exe no specs conhost.exe no specs guestlist.exe no specs guestlist.exe netsh.exe no specs conhost.exe no specs netsh.exe no specs conhost.exe no specs guestlist.exe no specs guestlist.exe netsh.exe no specs conhost.exe no specs netsh.exe no specs conhost.exe no specs netsh.exe no specs conhost.exe no specs netsh.exe no specs conhost.exe no specs rmm.webremote.exe netsh.exe no specs conhost.exe no specs netsh.exe no specs conhost.exe no specs netsh.exe no specs conhost.exe no specs netsh.exe no specs conhost.exe no specs gui.exe no specs gui.exe no specs gui.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
728"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --disable-quic --string-annotations --always-read-main-dll --field-trial-handle=6456,i,8259652888031074390,10269393286440028422,262144 --disable-features=HttpsFirstBalancedMode,HttpsFirstModeV2,HttpsOnlyMode,HttpsUpgrades --variations-seed-version --mojo-platform-channel-handle=8144 /prefetch:8C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exemsedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
133.0.3065.92
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\133.0.3065.92\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
1132\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exenetsh.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
1132\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exenetsh.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
1428"C:\WINDOWS\system32\netsh.exe" advfirewall firewall delete rule name="RMM.WebRemote"C:\Windows\System32\netsh.exeAEMAgent.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Network Command Shell
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\netsh.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
1504"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=3 --enable-main-frame-before-activation --renderer-client-id=6 --always-read-main-dll --field-trial-handle=3700,i,8259652888031074390,10269393286440028422,262144 --disable-features=HttpsFirstBalancedMode,HttpsFirstModeV2,HttpsOnlyMode,HttpsUpgrades --variations-seed-version --mojo-platform-channel-handle=3720 /prefetch:1C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exemsedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
133.0.3065.92
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\133.0.3065.92\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
2120"C:\Users\admin\Downloads\guestlist.exe" C:\Users\admin\Downloads\guestlist.exe
msedge.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
Modules
Images
c:\users\admin\downloads\guestlist.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\advapi32.dll
c:\windows\syswow64\msvcrt.dll
2156"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=3 --enable-main-frame-before-activation --renderer-client-id=5 --always-read-main-dll --field-trial-handle=3712,i,8259652888031074390,10269393286440028422,262144 --disable-features=HttpsFirstBalancedMode,HttpsFirstModeV2,HttpsOnlyMode,HttpsUpgrades --variations-seed-version --mojo-platform-channel-handle=3952 /prefetch:1C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exemsedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Version:
133.0.3065.92
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\133.0.3065.92\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
2316"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=3 --enable-main-frame-before-activation --renderer-client-id=12 --always-read-main-dll --field-trial-handle=6012,i,8259652888031074390,10269393286440028422,262144 --disable-features=HttpsFirstBalancedMode,HttpsFirstModeV2,HttpsOnlyMode,HttpsUpgrades --variations-seed-version --mojo-platform-channel-handle=6120 /prefetch:1C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exemsedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Version:
133.0.3065.92
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\133.0.3065.92\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
2332"netsh" advfirewall firewall delete rule name="RMM RTC Proxy"C:\Windows\System32\netsh.exeRMM.WebRemote.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Network Command Shell
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\netsh.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
2340"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --disable-quic --string-annotations --always-read-main-dll --field-trial-handle=6164,i,8259652888031074390,10269393286440028422,262144 --disable-features=HttpsFirstBalancedMode,HttpsFirstModeV2,HttpsOnlyMode,HttpsUpgrades --variations-seed-version --mojo-platform-channel-handle=6500 /prefetch:8C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exemsedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
133.0.3065.92
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\133.0.3065.92\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
Total events
43 925
Read events
43 764
Write events
144
Delete events
17

Modification events

(PID) Process:(8788) slui.exeKey:HKEY_CLASSES_ROOT\Local Settings\MuiCache\3d\52C64B7E
Operation:writeName:@%SystemRoot%\System32\sppcomapi.dll,-3200
Value:
Software Licensing
(PID) Process:(8632) guestlist.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run
Operation:writeName:CentraStage
Value:
C:\Program Files (x86)\CentraStage\Gui.exe
(PID) Process:(8632) guestlist.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\CentraStage
Operation:writeName:DisplayName
Value:
CentraStage
(PID) Process:(8632) guestlist.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\CentraStage
Operation:writeName:UninstallString
Value:
"C:\Program Files (x86)\CentraStage\uninst.exe"
(PID) Process:(8632) guestlist.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\CentraStage
Operation:writeName:DisplayIcon
Value:
C:\Program Files (x86)\CentraStage\CSIcon.ico
(PID) Process:(8632) guestlist.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\CentraStage
Operation:writeName:URLInfoAbout
Value:
http://www.centrastage.com
(PID) Process:(8632) guestlist.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\CentraStage
Operation:writeName:Publisher
Value:
CentraStage Limited
(PID) Process:(8632) guestlist.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\CentraStage
Operation:writeName:AgentFolderLocation
Value:
C:\ProgramData\CentraStage
(PID) Process:(8632) guestlist.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\CentraStage
Operation:writeName:AgentFolderStatus
Value:
0
(PID) Process:(8940) CagService.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\CentraStage
Operation:writeName:AgentFolderStatus
Value:
3
Executable files
480
Suspicious files
131
Text files
400
Unknown types
0

Dropped files

PID
Process
Filename
Type
8008msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\PersistentOriginTrials\LOG.old~RFe024d.TMP
MD5:
SHA256:
8008msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\discounts_db\LOG.old~RFe024d.TMP
MD5:
SHA256:
8008msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\discounts_db\LOG.old
MD5:
SHA256:
8008msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\PersistentOriginTrials\LOG.old
MD5:
SHA256:
8008msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\ClientCertificates\LOG.old~RFe025d.TMP
MD5:
SHA256:
8008msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\ClientCertificates\LOG.old
MD5:
SHA256:
8008msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\parcel_tracking_db\LOG.old~RFe026d.TMP
MD5:
SHA256:
8008msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\commerce_subscription_db\LOG.old~RFe026d.TMP
MD5:
SHA256:
8008msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\parcel_tracking_db\LOG.old
MD5:
SHA256:
8008msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\commerce_subscription_db\LOG.old
MD5:
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
204
TCP/UDP connections
98
DNS requests
89
Threats
40

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3324
msedge.exe
GET
304
150.171.28.11:443
https://edge.microsoft.com/abusiveadblocking/api/v1/blocklist
US
whitelisted
3324
msedge.exe
GET
200
150.171.28.11:80
http://edge.microsoft.com/browsernetworktime/time/1/current?cup2key=2:WKqGUQS9T_tIinQrrRMthPgMFvc_FkYfyXGfErqhwmQ&cup2hreq=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
US
text
102 b
whitelisted
3324
msedge.exe
GET
200
104.18.23.222:443
https://copilot.microsoft.com/c/api/user/eligibility
US
text
25 b
whitelisted
3324
msedge.exe
GET
200
150.171.22.17:443
https://config.edge.skype.com/config/v1/Edge/133.0.3065.92?clientId=4489578223053569932&agents=Edge%2CEdgeConfig%2CEdgeServices%2CEdgeFirstRun%2CEdgeFirstRunConfig&osname=win&client=edge&channel=stable&scpfre=0&osarch=x86_64&osver=10.0.19045&wu=1&devicefamily=desktop&uma=0&sessionid=67&mngd=0&installdate=1661339457&edu=0&soobedate=1504771245&bphint=2&fg=1&lbfgdate=1766135237&lafgdate=0
US
text
4.59 Kb
whitelisted
3324
msedge.exe
GET
200
150.171.109.101:443
https://api.edgeoffer.microsoft.com/edgeoffer/pb/experiments?appId=edge-extensions&country=US
US
binary
82 b
whitelisted
3324
msedge.exe
GET
200
150.171.27.11:443
https://edge.microsoft.com/extensionwebstorebase/v1/crx?os=win&arch=x64&os_arch=x86_64&nacl_arch=x86-64&prod=edgecrx&prodchannel=&prodversion=133.0.3065.92&lang=en-US&acceptformat=crx3,puff&x=id%3Djmjflgjpcpepeafmmgdpfkogkghcpiha%26v%3D1.2.1%26installedby%3Dother%26uc%26ping%3Dr%253D96%2526e%253D1
US
xml
413 b
whitelisted
3324
msedge.exe
GET
200
45.112.123.226:443
https://file-eu-par-7.gofile.io/download/direct/bbda4454-3905-46c6-b5a5-9882a4cb113b/guestlist.exe
FR
executable
5.00 Mb
unknown
3324
msedge.exe
POST
200
172.217.168.67:443
https://update.googleapis.com/service/update2/json?cup2key=14:65vilge29RTNJeWuH6L1QUM0m5MgNOjD4PMIPkwqep0&cup2hreq=1588bd9e14788665638dce5632f74e7d978de4caa2906c032374eb1df2079852
US
text
891 b
whitelisted
3324
msedge.exe
GET
200
184.86.251.27:443
https://www.bing.com/api/shopping/v1/user/shoppingsettings?EnabledServiceFeaturesv2=edgeServerUX.shopping.msEdgeShoppingCashbackDismissTimeout2s
NL
text
1.11 Kb
whitelisted
3324
msedge.exe
GET
200
172.217.168.65:443
https://clients2.googleusercontent.com/crx/blobs/Aa54OTBPHg7LBTU76vOzTQNIUupAVXz5Q2eW7qF4TsXH4Hc7_vrNXzTTa5ryY0P7ji3_aOD4k25_khutL8u4VKSn12qLf08hRwp3ROv7PbQMgrWSDW_hGCdwJXBj_GOljfcAxlKa5YIVkJ4_D6oEL1CJwPYec0fUjd1z/GHBMNNJOOEKPMOECNNNILNNBDLOLHKHI_1_102_1_0.crx
US
binary
146 Kb
unknown
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
7784
svchost.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
4
System
192.168.100.255:137
Not routed
whitelisted
5276
MoUsoCoreWorker.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
184.86.251.27:443
www.bing.com
AKAMAI-ASN1
NL
whitelisted
5400
slui.exe
48.192.1.64:443
activation-v2.sls.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
4
System
192.168.100.255:138
Not routed
whitelisted
3324
msedge.exe
150.171.28.11:80
edge.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
3324
msedge.exe
150.171.27.11:443
edge.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
3324
msedge.exe
150.171.22.17:443
config.edge.skype.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
3324
msedge.exe
94.139.32.9:443
store9.gofile.io
1GSERVERS
US
unknown

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.104.136.2
  • 20.73.194.208
  • 4.231.128.59
  • 40.127.240.158
whitelisted
www.bing.com
  • 184.86.251.27
  • 184.86.251.28
  • 184.86.251.26
  • 184.86.251.5
  • 184.86.251.4
  • 184.86.251.7
  • 184.86.251.25
  • 184.86.251.30
  • 184.86.251.8
  • 92.123.104.21
  • 92.123.104.10
  • 92.123.104.14
  • 92.123.104.13
  • 92.123.104.18
  • 92.123.104.12
  • 92.123.104.16
  • 92.123.104.11
  • 92.123.104.22
whitelisted
activation-v2.sls.microsoft.com
  • 48.192.1.64
whitelisted
google.com
  • 172.217.16.174
whitelisted
edge.microsoft.com
  • 150.171.28.11
  • 150.171.27.11
whitelisted
config.edge.skype.com
  • 150.171.22.17
whitelisted
store9.gofile.io
  • 94.139.32.9
unknown
api.edgeoffer.microsoft.com
  • 150.171.109.101
whitelisted
copilot.microsoft.com
  • 104.18.23.222
  • 104.18.22.222
whitelisted
file-eu-par-7.gofile.io
  • 45.112.123.226
unknown

Threats

PID
Process
Class
Message
3324
msedge.exe
Potentially Bad Traffic
ET FILE_SHARING Online File Storage Domain in DNS Lookup (gofile .io)
3324
msedge.exe
Potentially Bad Traffic
ET FILE_SHARING Online File Storage Domain in DNS Lookup (gofile .io)
3324
msedge.exe
Misc activity
ET FILE_SHARING File Sharing Related Domain in TLS SNI (gofile .io)
3324
msedge.exe
Potentially Bad Traffic
ET FILE_SHARING Online File Storage Domain in DNS Lookup (gofile .io)
3324
msedge.exe
Potentially Bad Traffic
ET FILE_SHARING Online File Storage Domain in DNS Lookup (gofile .io)
3324
msedge.exe
Misc activity
ET FILE_SHARING File Sharing Related Domain in TLS SNI (gofile .io)
3324
msedge.exe
Not Suspicious Traffic
INFO [ANY.RUN] Downloading from a file sharing service is observed
3324
msedge.exe
Misc activity
ET INFO EXE - Served Attached HTTP
2232
svchost.exe
Misc activity
ET REMOTE_ACCESS DNS Query to Remote Monitoring and Management Domain (centrastage .net)
2232
svchost.exe
Misc activity
ET REMOTE_ACCESS DNS Query to Remote Monitoring and Management Domain (centrastage .net)
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2026 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
https://store9.gofile.io/download/direct/bbda4454-3905-46c6-b5a5-9882a4cb113b/guestlist.exe