File name:

LAGSTER_0.15.6_x64_en-US.msi

Full analysis: https://app.any.run/tasks/42ce5869-c499-462d-93af-3645cae3631e
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Analysis date: April 17, 2025, 20:37:14
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
generated-doc
loader
github
evasion
Indicators:
MIME: application/x-msi
File info: Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Code page: 1252, Title: Installation Database, Subject: LAGSTER, Author: crimzonware, Keywords: Installer, Comments: This installer database contains the logic and data required to install LAGSTER., Template: x64;0, Revision Number: {09969B0B-CD72-44F6-8FC6-73D06C225C43}, Create Time/Date: Sat Apr 12 09:04:26 2025, Last Saved Time/Date: Sat Apr 12 09:04:26 2025, Number of Pages: 450, Number of Words: 2, Name of Creating Application: Windows Installer XML Toolset (3.14.1.8722), Security: 2
MD5:

1173B43C963C91B8704187E4D41C2663

SHA1:

510A2E6F1E181FF2F2430890B95769BC87ED040F

SHA256:

A87503D90C9BAC0D9AF96A83F86BB954A06E32702871F4CA497BBE5A13FD8622

SSDEEP:

98304:JDyhR+GLLWsuhmgdKJCUrmYH0AT9siiI8rRnmE8qv0bavgF/0QMDGfDBOY39d9/k:54xECDgtMa49F0MG+1Q0yYajA++s

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Changes the autorun value in the registry

      • MicrosoftEdgeUpdate.exe (PID: 5452)
    • Run PowerShell with an invisible window

      • powershell.exe (PID: 6252)
    • The DLL Hijacking

      • msedgewebview2.exe (PID: 4884)
      • msedgewebview2.exe (PID: 7228)
    • Scans artifacts that could help determine the target

      • msedgewebview2.exe (PID: 5072)
  • SUSPICIOUS

    • Starts process via Powershell

      • powershell.exe (PID: 6252)
    • Executes as Windows Service

      • VSSVC.exe (PID: 6480)
    • Reads the Windows owner or organization settings

      • msiexec.exe (PID: 6736)
    • The process bypasses the loading of PowerShell profile settings

      • msiexec.exe (PID: 6736)
    • Downloads file from URI via Powershell

      • powershell.exe (PID: 6252)
    • Gets or sets the security protocol (POWERSHELL)

      • powershell.exe (PID: 6252)
    • Starts a Microsoft application from unusual location

      • MicrosoftEdgeWebview2Setup.exe (PID: 5084)
      • MicrosoftEdgeUpdate.exe (PID: 5452)
    • Process drops legitimate windows executable

      • powershell.exe (PID: 6252)
      • MicrosoftEdgeWebview2Setup.exe (PID: 5084)
      • MicrosoftEdgeUpdate.exe (PID: 5452)
      • MicrosoftEdge_X64_135.0.3179.85.exe (PID: 7908)
      • setup.exe (PID: 7932)
      • msedgewebview2.exe (PID: 6068)
    • Executable content was dropped or overwritten

      • powershell.exe (PID: 6252)
      • MicrosoftEdgeUpdate.exe (PID: 5452)
      • MicrosoftEdgeWebview2Setup.exe (PID: 5084)
      • MicrosoftEdge_X64_135.0.3179.85.exe (PID: 7908)
      • setup.exe (PID: 7932)
      • msedgewebview2.exe (PID: 6068)
    • Starts itself from another location

      • MicrosoftEdgeUpdate.exe (PID: 5452)
    • Creates/Modifies COM task schedule object

      • MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 1532)
      • MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 5352)
      • MicrosoftEdgeUpdate.exe (PID: 960)
      • MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 4220)
    • Reads security settings of Internet Explorer

      • MicrosoftEdgeUpdate.exe (PID: 5452)
      • MicrosoftEdgeUpdate.exe (PID: 7208)
      • LAGSTER.exe (PID: 5132)
      • msedgewebview2.exe (PID: 5072)
      • LAGSTER.exe (PID: 2236)
      • msedgewebview2.exe (PID: 5084)
    • Application launched itself

      • setup.exe (PID: 7932)
      • MicrosoftEdgeUpdate.exe (PID: 7208)
      • LAGSTER.exe (PID: 5132)
      • msedgewebview2.exe (PID: 5072)
      • msedgewebview2.exe (PID: 5084)
    • Searches for installed software

      • setup.exe (PID: 7932)
      • msedgewebview2.exe (PID: 5084)
    • Creates a software uninstall entry

      • setup.exe (PID: 7932)
    • Drops a system driver (possible attempt to evade defenses)

      • msiexec.exe (PID: 6736)
    • Starts POWERSHELL.EXE for commands execution

      • msiexec.exe (PID: 6736)
    • Manipulates environment variables

      • powershell.exe (PID: 6252)
    • Reads the date of Windows installation

      • LAGSTER.exe (PID: 5132)
      • LAGSTER.exe (PID: 2236)
    • The process checks if it is being run in the virtual environment

      • msiexec.exe (PID: 6736)
    • Checks for external IP

      • LAGSTER.exe (PID: 7200)
      • svchost.exe (PID: 2196)
  • INFO

    • The sample compiled with english language support

      • msiexec.exe (PID: 5176)
      • powershell.exe (PID: 6252)
      • MicrosoftEdgeWebview2Setup.exe (PID: 5084)
      • MicrosoftEdgeUpdate.exe (PID: 5452)
      • MicrosoftEdge_X64_135.0.3179.85.exe (PID: 7908)
      • setup.exe (PID: 7932)
      • msiexec.exe (PID: 6736)
      • msedgewebview2.exe (PID: 6068)
    • Executable content was dropped or overwritten

      • msiexec.exe (PID: 5176)
      • msiexec.exe (PID: 6736)
    • Reads the computer name

      • msiexec.exe (PID: 6736)
      • msiexec.exe (PID: 5124)
      • MicrosoftEdgeUpdate.exe (PID: 5452)
      • MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 5352)
      • MicrosoftEdgeUpdate.exe (PID: 856)
      • MicrosoftEdgeUpdate.exe (PID: 960)
      • MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 1532)
      • MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 4220)
      • MicrosoftEdgeUpdate.exe (PID: 4528)
      • MicrosoftEdgeUpdate.exe (PID: 7208)
      • setup.exe (PID: 7932)
      • MicrosoftEdge_X64_135.0.3179.85.exe (PID: 7908)
      • MicrosoftEdgeUpdate.exe (PID: 4868)
      • LAGSTER.exe (PID: 5132)
      • LAGSTER.exe (PID: 2236)
      • msedgewebview2.exe (PID: 5072)
      • msedgewebview2.exe (PID: 4884)
      • msedgewebview2.exe (PID: 5744)
      • LAGSTER.exe (PID: 7200)
      • msedgewebview2.exe (PID: 5084)
      • msedgewebview2.exe (PID: 7228)
      • msedgewebview2.exe (PID: 7264)
      • msedgewebview2.exe (PID: 1704)
    • Checks supported languages

      • msiexec.exe (PID: 6736)
      • msiexec.exe (PID: 5124)
      • MicrosoftEdgeWebview2Setup.exe (PID: 5084)
      • MicrosoftEdgeUpdate.exe (PID: 5452)
      • MicrosoftEdgeUpdate.exe (PID: 960)
      • MicrosoftEdgeUpdate.exe (PID: 856)
      • MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 5352)
      • MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 1532)
      • MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 4220)
      • MicrosoftEdgeUpdate.exe (PID: 4528)
      • MicrosoftEdgeUpdate.exe (PID: 7208)
      • MicrosoftEdge_X64_135.0.3179.85.exe (PID: 7908)
      • setup.exe (PID: 7932)
      • setup.exe (PID: 7956)
      • LAGSTER.exe (PID: 5132)
      • MicrosoftEdgeUpdate.exe (PID: 4868)
      • LAGSTER.exe (PID: 2236)
      • msedgewebview2.exe (PID: 6388)
      • msedgewebview2.exe (PID: 5072)
      • msedgewebview2.exe (PID: 4884)
      • msedgewebview2.exe (PID: 1096)
      • msedgewebview2.exe (PID: 5744)
      • msedgewebview2.exe (PID: 7680)
      • msedgewebview2.exe (PID: 5084)
      • msedgewebview2.exe (PID: 2516)
      • msedgewebview2.exe (PID: 728)
      • LAGSTER.exe (PID: 7200)
      • msedgewebview2.exe (PID: 7228)
      • msedgewebview2.exe (PID: 7784)
      • msedgewebview2.exe (PID: 4976)
      • msedgewebview2.exe (PID: 1704)
      • msedgewebview2.exe (PID: 7496)
      • msedgewebview2.exe (PID: 7492)
      • msedgewebview2.exe (PID: 744)
      • msedgewebview2.exe (PID: 1600)
      • msedgewebview2.exe (PID: 7264)
      • msedgewebview2.exe (PID: 6068)
      • msedgewebview2.exe (PID: 1132)
      • msedgewebview2.exe (PID: 3012)
    • Creates a software uninstall entry

      • msiexec.exe (PID: 6736)
    • Manages system restore points

      • SrTasks.exe (PID: 968)
      • SrTasks.exe (PID: 8156)
    • Checks proxy server information

      • powershell.exe (PID: 6252)
      • MicrosoftEdgeUpdate.exe (PID: 7208)
      • MicrosoftEdgeUpdate.exe (PID: 856)
      • slui.exe (PID: 7528)
      • MicrosoftEdgeUpdate.exe (PID: 4868)
      • msedgewebview2.exe (PID: 5072)
      • LAGSTER.exe (PID: 2236)
      • LAGSTER.exe (PID: 7200)
      • msedgewebview2.exe (PID: 5084)
    • Disables trace logs

      • powershell.exe (PID: 6252)
    • The executable file from the user directory is run by the Powershell process

      • MicrosoftEdgeWebview2Setup.exe (PID: 5084)
    • Create files in a temporary directory

      • MicrosoftEdgeWebview2Setup.exe (PID: 5084)
      • MicrosoftEdgeUpdate.exe (PID: 5452)
      • LAGSTER.exe (PID: 2236)
      • msedgewebview2.exe (PID: 5072)
      • msedgewebview2.exe (PID: 5084)
    • Creates files or folders in the user directory

      • MicrosoftEdgeUpdate.exe (PID: 5452)
      • MicrosoftEdgeUpdate.exe (PID: 7208)
      • MicrosoftEdge_X64_135.0.3179.85.exe (PID: 7908)
      • setup.exe (PID: 7956)
      • setup.exe (PID: 7932)
      • msedgewebview2.exe (PID: 6388)
      • msedgewebview2.exe (PID: 5072)
      • msedgewebview2.exe (PID: 5744)
      • msedgewebview2.exe (PID: 5084)
      • msedgewebview2.exe (PID: 7264)
      • LAGSTER.exe (PID: 7200)
      • msedgewebview2.exe (PID: 1704)
    • Reads Environment values

      • MicrosoftEdgeUpdate.exe (PID: 856)
      • MicrosoftEdgeUpdate.exe (PID: 4868)
      • msedgewebview2.exe (PID: 5072)
      • msedgewebview2.exe (PID: 5084)
    • Process checks computer location settings

      • MicrosoftEdgeUpdate.exe (PID: 5452)
      • setup.exe (PID: 7932)
      • LAGSTER.exe (PID: 5132)
      • msedgewebview2.exe (PID: 5072)
      • msedgewebview2.exe (PID: 728)
      • msedgewebview2.exe (PID: 7680)
      • msedgewebview2.exe (PID: 5084)
      • LAGSTER.exe (PID: 2236)
      • msedgewebview2.exe (PID: 1600)
      • msedgewebview2.exe (PID: 7784)
    • Reads the software policy settings

      • MicrosoftEdgeUpdate.exe (PID: 7208)
      • MicrosoftEdgeUpdate.exe (PID: 856)
      • MicrosoftEdgeUpdate.exe (PID: 4868)
      • slui.exe (PID: 7528)
    • Reads the machine GUID from the registry

      • MicrosoftEdgeUpdate.exe (PID: 7208)
      • msedgewebview2.exe (PID: 5072)
      • msedgewebview2.exe (PID: 5084)
      • msedgewebview2.exe (PID: 1704)
    • Manual execution by a user

      • mspaint.exe (PID: 7744)
    • Reads CPU info

      • msedgewebview2.exe (PID: 5072)
      • msedgewebview2.exe (PID: 5084)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.msi | Microsoft Windows Installer (98.5)
.msi | Microsoft Installer (100)

EXIF

FlashPix

CodePage: Windows Latin 1 (Western European)
Title: Installation Database
Subject: LAGSTER
Author: crimzonware
Keywords: Installer
Comments: This installer database contains the logic and data required to install LAGSTER.
Template: x64;0
RevisionNumber: {09969B0B-CD72-44F6-8FC6-73D06C225C43}
CreateDate: 2025:04:12 09:04:26
ModifyDate: 2025:04:12 09:04:26
Pages: 450
Words: 2
Software: Windows Installer XML Toolset (3.14.1.8722)
Security: Read-only recommended
No data.
All screenshots are available in the full report
Total processes: 263
Monitored processes: 115
Malicious processes: 9
Suspicious processes: 5

Behavior graph

start msiexec.exe msiexec.exe msiexec.exe no specs vssvc.exe no specs srtasks.exe no specs conhost.exe no specs powershell.exe conhost.exe no specs microsoftedgewebview2setup.exe microsoftedgeupdate.exe microsoftedgeupdate.exe no specs microsoftedgeupdatecomregistershell64.exe no specs microsoftedgeupdatecomregistershell64.exe no specs microsoftedgeupdatecomregistershell64.exe no specs microsoftedgeupdate.exe microsoftedgeupdate.exe no specs microsoftedgeupdate.exe slui.exe mspaint.exe no specs microsoftedge_x64_135.0.3179.85.exe setup.exe setup.exe no specs microsoftedgeupdate.exe lagster.exe no specs lagster.exe msedgewebview2.exe no specs msedgewebview2.exe no specs msedgewebview2.exe no specs msedgewebview2.exe msedgewebview2.exe no specs msedgewebview2.exe no specs msedgewebview2.exe no specs msiexec.exe no specs srtasks.exe no specs conhost.exe no specs lagster.exe msedgewebview2.exe no specs msedgewebview2.exe no specs msedgewebview2.exe no specs msedgewebview2.exe msedgewebview2.exe no specs msedgewebview2.exe no specs msedgewebview2.exe no specs svchost.exe ping.exe no specs ping.exe no specs ping.exe no specs ping.exe no specs conhost.exe no specs conhost.exe no specs conhost.exe no specs conhost.exe no specs ping.exe no specs conhost.exe no specs ping.exe no specs ping.exe no specs conhost.exe no specs ping.exe no specs conhost.exe no specs ping.exe no specs conhost.exe no specs conhost.exe no specs ping.exe no specs conhost.exe no specs ping.exe no specs ping.exe no specs ping.exe no specs conhost.exe no specs ping.exe no specs conhost.exe no specs conhost.exe no specs conhost.exe no specs ping.exe no specs conhost.exe no specs msedgewebview2.exe no specs ping.exe no specs ping.exe no specs ping.exe no specs conhost.exe no specs conhost.exe no specs ping.exe no specs conhost.exe no specs conhost.exe no specs ping.exe no specs conhost.exe no specs ping.exe no specs ping.exe no specs conhost.exe no specs conhost.exe no specs msedgewebview2.exe no specs 
ping.exe no specs ping.exe no specs ping.exe no specs ping.exe no specs conhost.exe no specs conhost.exe no specs conhost.exe no specs conhost.exe no specs ping.exe no specs conhost.exe no specs ping.exe no specs conhost.exe no specs ping.exe no specs ping.exe no specs ping.exe no specs conhost.exe no specs conhost.exe no specs conhost.exe no specs ping.exe no specs conhost.exe no specs msedgewebview2.exe no specs msedgewebview2.exe no specs msedgewebview2.exe no specs msedgewebview2.exe msedgewebview2.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
PID:
728
CMD:
"C:\Users\admin\AppData\Local\Microsoft\EdgeWebView\Application\135.0.3179.85\msedgewebview2.exe" --type=renderer --noerrdialogs --user-data-dir="C:\Users\admin\AppData\Local\com.crimzonware.lagster\EBWebView" --webview-exe-name=LAGSTER.exe --webview-exe-version=0.15.6 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=2 --autoplay-policy=no-user-gesture-required --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --js-flags="--expose-gc --ms-user-locale=" --always-read-main-dll --field-trial-handle=1868,i,11343295254951722189,17921580820089034059,262144 --enable-features=ForceSWDCompWhenDCompFallbackRequired,msAggressiveCacheTrimming,msCustomDataPartition,msWebView2NoTabForScreenShare,msWindowsTaskManager --disable-features=BackForwardCache,BackgroundTabLoadingFromPerformanceManager,CloseOmniboxPopupOnInactiveAreaClick,CollectAVProductsInfo,CollectCodeIntegrityInfo,EnableHangWatcher,FilterAdsOnAbusiveSites,GetWifiProtocol,LoginDetection,MediaFoundationCameraUsageMonitoring,PreconnectToSearch,SafetyHub,SegmentationPlatform,SpareRendererForSitePerProcess,Ukm,WebPayments,msAITrackerClassification,msAbydosForWindowlessWV2,msAffirmVirtualCard,msAllowChromeWebstore,msAllowMSAPrtSSOForNonMSAProfile,msApplicationGuard,msAskBeforeClosingMultipleTabs,msAutoToggleAADPrtSSOForNonAADProfile,msAutofillEdgeCoupons,msAutofillEdgeCouponsAutoApply,msAutofillEdgeServiceRequest,msAutomaticTabFreeze,msBrowserSettingsSupported,msCoarseGeolocationService,msDataProtection,msDesktopMode,msDesktopRewards,msDisableVariationsSeedFetchThrottling,msEEProactiveHistory,msETFOffstoreExtensionFileDataCollection,msETFPasswordTheftDNRActionSignals,msEdgeAdPlatformUI,msEdgeAddWebCapturetoCollections,msEdgeAutofillAdvancedSuggestionsBasic,msEdgeAutofillOneClickAutocomplete,msEdgeAutofillSaveGSPR100InDb,msEdgeAutofillShowDeployedPassword,msEdgeAutofillSs,msEdgeBrowserEssentialsShowUpdateSection,msEdgeCloudConfigService,msEdgeCloudConfigServiceV2,msEdgeCohorts,msEdgeCollectionsPrismExperiment1,msEdgeCollectionsPrismOverallMigration,msEdgeComposeNext,msEdgeEnableNurturingFramework,msEdgeEnclavePrefsBasic,msEdgeEnclavePrefsNotification,msEdgeFaviconService,msEdgeHJTelemetry,msEdgeHubAppSkype,msEdgeImageEditorUI,msEdgeLinkDoctor,msEdgeMouseGestureDefaultEnabled,msEdgeMouseGestureSupported,msEdgeNewDeviceFre,msEdgeOnRampFRE,msEdgeOnRampImport,msEdgePDFCMHighlightUX,msEdgePasswordIris,msEdgePasswordIrisSaveBubble,msEdgeProngPersonalization,msEdgeReadingView,msEdgeRose,msEdgeSendTabToSelf,msEdgeSettingsImport,msEdgeSettingsImportV2,msEdgeShoppingPersistentStorage,msEdgeShoppingUI,msEdgeSmartFind,msEdgeSuperDragDefaultEnabled,msEdgeSuperDragDropSupported,msEdgeTipping,msEdgeTranslate,msEdgeUseCaptivePortalService,msEdgeWebContentFilteringFeedback,msEdgeWorkSearchBanner,msEnableCustomJobMemoryLimitsOnXbox,msEnableMIPForPDF,msEnablePdfUpsell,msEnableThirdPartyScanning,msEnableWebSignInCta,msEnableWebToBrowserSignIn,msEndpointDlp,msEntityExtraction,msExtensionTelemetryFramework,msExternalTaskManager,msFileSystemAccessDirectoryIterationBlocklistCheck,msForceBrowserSignIn,msForeignSessionsPage,msGeolocationAccessService,msGeolocationOSLocationPermissionFallback,msGeolocationSQMService,msGeolocationService,msGrowthInfraLaunchSourceLogging,msGuidedSwitchAllowed,msHubPinPersist,msImplicitSignin,msIrm,msIrmv2,msKlarnaVirtualCard,msLoadStatistics,msLogIsEdgePinnedToTaskbarOnLaunch,msMIPCrossTenantPdfViewSupport,msMdatpWebSiteDlp,msNotificationPermissionForPWA,msOnHoverSearchInSidebar,msOpenOfficeDocumentsInWebViewer,msPasswordBreachDetection,msPdfAnnotationsVisibility,msPdfDataRecovery,msPdfDigitalSignatureRead,msPdfFreeText,msPdfFreeTextForCJK,msPdfHighlightMode,msPdfInking,msPdfKeyphraseSupport,msPdfOOUI,msPdfPopupMarkerRenderer,msPdfShare,msPdfSharedLibrary,msPdfTextNote,msPdfTextNoteMoreMenu,msPdfThumbnailCache,msPdfUnderside,msPdfViewRestore,msPersonalizationUMA,msPriceComparison,msPromptDefaultHandlerForPDF,msReactiveSearch,msReadAloud,msReadAloudPdf,msRedirectToShoreline,msRevokeExtensions,msSaasDlp,msShoppingTrigger,msShorelineSearch,msShorelineSearchFindOnPageWebUI,msShowOfflineGameEntrance,msShowReadAloudIconInAddressBar,msShowUXForAADPrtSSOForNonAADProfile,msSmartScreenProtection,msSuspendMessageForNewSessionWhenHavingPendingNavigation,msSyncEdgeCollections,msTabResourceStats,msTokenizationAutofillInlineEnabled,msTouchMode,msTriggeringSignalGenerator,msUserUnderstanding,msVideoSuperResolutionUI,msWalletBuyNow,msWalletCheckout,msWalletDiagnosticDataLogger,msWalletHubEntry,msWalletHubIntlP3,msWalletPartialCard,msWalletPasswordCategorization,msWalletPasswordCategorizationPlatformExpansion,msWalletTokenizationCardMetadata,msWalletTokenizedAutofill,msWebAssist,msWebAssistHistorySearchService,msWebOOUI,msWindowsUserActivities,msZipPayVirtualCard --variations-seed-version --mojo-platform-channel-handle=3924 /prefetch:1
Path:
C:\Users\admin\AppData\Local\Microsoft\EdgeWebView\Application\135.0.3179.85\msedgewebview2.exe
Parent process:
msedgewebview2.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge WebView2
Exit code:
0
Version:
135.0.3179.85
Modules
Images
c:\users\admin\appdata\local\microsoft\edgewebview\application\135.0.3179.85\msedgewebview2.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\users\admin\appdata\local\microsoft\edgewebview\application\135.0.3179.85\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID:
744
CMD:
"C:\Users\admin\AppData\Local\Microsoft\EdgeWebView\Application\135.0.3179.85\msedgewebview2.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --noerrdialogs --user-data-dir="C:\Users\admin\AppData\Local\com.crimzonware.lagster\EBWebView" --webview-exe-name=LAGSTER.exe --webview-exe-version=0.15.7 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=2 --always-read-main-dll --field-trial-handle=1756,i,4848453151808294811,8136248327287258572,262144 --enable-features=ForceSWDCompWhenDCompFallbackRequired,msAggressiveCacheTrimming,msCustomDataPartition,msWebView2NoTabForScreenShare,msWindowsTaskManager --disable-features=BackForwardCache,BackgroundTabLoadingFromPerformanceManager,CloseOmniboxPopupOnInactiveAreaClick,CollectAVProductsInfo,CollectCodeIntegrityInfo,EnableHangWatcher,FilterAdsOnAbusiveSites,GetWifiProtocol,LoginDetection,PreconnectToSearch,SafetyHub,SegmentationPlatform,SpareRendererForSitePerProcess,Ukm,WebPayments,msAITrackerClassification,msAbydosForWindowlessWV2,msAffirmVirtualCard,msAllowChromeWebstore,msAllowMSAPrtSSOForNonMSAProfile,msApplicationGuard,msAskBeforeClosingMultipleTabs,msAutoToggleAADPrtSSOForNonAADProfile,msAutofillEdgeCoupons,msAutofillEdgeCouponsAutoApply,msAutofillEdgeServiceRequest,msAutomaticTabFreeze,msBrowserSettingsSupported,msCoarseGeolocationService,msDataProtection,msDesktopMode,msDesktopRewards,msDisableVariationsSeedFetchThrottling,msEEProactiveHistory,msETFOffstoreExtensionFileDataCollection,msETFPasswordTheftDNRActionSignals,msEdgeAdPlatformUI,msEdgeAddWebCapturetoCollections,msEdgeAutofillAdvancedSuggestionsBasic,msEdgeAutofillOneClickAutocomplete,msEdgeAutofillSaveGSPR100InDb,msEdgeAutofillShowDeployedPassword,msEdgeAutofillSs,msEdgeBrowserEssentialsShowUpdateSection,msEdgeCloudConfigService,msEdgeCloudConfigServiceV2,msEdgeCohorts,msEdgeCollectionsPrismExperiment1,msEdgeCollectionsPrismOverallMigration,msEdgeComposeNext,msEdgeEnableNurturingFramework,msEdgeEnclavePrefsBasic,msEdgeEnclavePrefsNotification,msEdgeFaviconService,msEdgeHJTelemetry,msEdgeHubAppSkype,msEdgeImageEditorUI,msEdgeLinkDoctor,msEdgeMouseGestureDefaultEnabled,msEdgeMouseGestureSupported,msEdgeNewDeviceFre,msEdgeOnRampFRE,msEdgeOnRampImport,msEdgePDFCMHighlightUX,msEdgePasswordIris,msEdgePasswordIrisSaveBubble,msEdgeProngPersonalization,msEdgeReadingView,msEdgeRose,msEdgeSendTabToSelf,msEdgeSettingsImport,msEdgeSettingsImportV2,msEdgeShoppingPersistentStorage,msEdgeShoppingUI,msEdgeSmartFind,msEdgeSuperDragDefaultEnabled,msEdgeSuperDragDropSupported,msEdgeTipping,msEdgeTranslate,msEdgeUseCaptivePortalService,msEdgeWebContentFilteringFeedback,msEdgeWorkSearchBanner,msEnableCustomJobMemoryLimitsOnXbox,msEnableMIPForPDF,msEnablePdfUpsell,msEnableThirdPartyScanning,msEnableWebSignInCta,msEnableWebToBrowserSignIn,msEndpointDlp,msEntityExtraction,msExtensionTelemetryFramework,msExternalTaskManager,msFileSystemAccessDirectoryIterationBlocklistCheck,msForceBrowserSignIn,msForeignSessionsPage,msGeolocationAccessService,msGeolocationOSLocationPermissionFallback,msGeolocationSQMService,msGeolocationService,msGrowthInfraLaunchSourceLogging,msGuidedSwitchAllowed,msHubPinPersist,msImplicitSignin,msIrm,msIrmv2,msKlarnaVirtualCard,msLoadStatistics,msLogIsEdgePinnedToTaskbarOnLaunch,msMIPCrossTenantPdfViewSupport,msMdatpWebSiteDlp,msNotificationPermissionForPWA,msOnHoverSearchInSidebar,msOpenOfficeDocumentsInWebViewer,msPasswordBreachDetection,msPdfAnnotationsVisibility,msPdfDataRecovery,msPdfDigitalSignatureRead,msPdfFreeText,msPdfFreeTextForCJK,msPdfHighlightMode,msPdfInking,msPdfKeyphraseSupport,msPdfOOUI,msPdfPopupMarkerRenderer,msPdfShare,msPdfSharedLibrary,msPdfTextNote,msPdfTextNoteMoreMenu,msPdfThumbnailCache,msPdfUnderside,msPdfViewRestore,msPersonalizationUMA,msPriceComparison,msPromptDefaultHandlerForPDF,msReactiveSearch,msReadAloud,msReadAloudPdf,msRedirectToShoreline,msRevokeExtensions,msSaasDlp,msShoppingTrigger,msShorelineSearch,msShorelineSearchFindOnPageWebUI,msShowOfflineGameEntrance,msShowReadAloudIconInAddressBar,msShowUXForAADPrtSSOForNonAADProfile,msSmartScreenProtection,msSuspendMessageForNewSessionWhenHavingPendingNavigation,msSyncEdgeCollections,msTabResourceStats,msTokenizationAutofillInlineEnabled,msTouchMode,msTriggeringSignalGenerator,msUserUnderstanding,msVideoSuperResolutionUI,msWalletBuyNow,msWalletCheckout,msWalletDiagnosticDataLogger,msWalletHubEntry,msWalletHubIntlP3,msWalletPartialCard,msWalletPasswordCategorization,msWalletPasswordCategorizationPlatformExpansion,msWalletTokenizationCardMetadata,msWalletTokenizedAutofill,msWebAssist,msWebAssistHistorySearchService,msWebOOUI,msWindowsUserActivities,msZipPayVirtualCard --variations-seed-version --mojo-platform-channel-handle=3048 /prefetch:8
Path:
C:\Users\admin\AppData\Local\Microsoft\EdgeWebView\Application\135.0.3179.85\msedgewebview2.exe
Parent process:
msedgewebview2.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge WebView2
Exit code:
0
Version:
135.0.3179.85
Modules
Images
c:\users\admin\appdata\local\microsoft\edgewebview\application\135.0.3179.85\msedgewebview2.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\users\admin\appdata\local\microsoft\edgewebview\application\135.0.3179.85\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID:
812
CMD:
"ping" -n 2 -w 500 uksouth.monitoring.azure.com
Path:
C:\Windows\System32\PING.EXE
Parent process:
LAGSTER.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
TCP/IP Ping Command
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\ping.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\dnsapi.dll
PID:
856
CMD:
"C:\Users\admin\AppData\Local\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDkiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDkiIGlzbWFjaGluZT0iMCIgc2Vzc2lvbmlkPSJ7ODI2NEVERTUtMjk2QS00MjEzLUE3QTEtNDY4MDIzMkFGNEY0fSIgdXNlcmlkPSJ7NjdBRTZERkQtNjlCOS00QjAxLTlBRTgtNjNEREI0MTg2NjMxfSIgaW5zdGFsbHNvdXJjZT0ib3RoZXJpbnN0YWxsY21kIiByZXF1ZXN0aWQ9IntFMjM3NDY3RS1ENkRGLTQzODUtOTI2RC1BNTEwQTEwQkVFODF9IiBkZWR1cD0iY3IiIGRvbWFpbmpvaW5lZD0iMCI-PGh3IGxvZ2ljYWxfY3B1cz0iNCIgcGh5c21lbW9yeT0iNCIgZGlza190eXBlPSIyIiBzc2U9IjEiIHNzZTI9IjEiIHNzZTM9IjEiIHNzc2UzPSIxIiBzc2U0MT0iMSIgc3NlNDI9IjEiIGF2eD0iMSIvPjxvcyBwbGF0Zm9ybT0id2luIiB2ZXJzaW9uPSIxMC4wLjE5MDQ1LjQwNDYiIHNwPSIiIGFyY2g9Ing2NCIgcHJvZHVjdF90eXBlPSI0OCIgaXNfd2lwPSIwIiBpc19pbl9sb2NrZG93bl9tb2RlPSIwIi8-PG9lbSBwcm9kdWN0X21hbnVmYWN0dXJlcj0iREVMTCIgcHJvZHVjdF9uYW1lPSJERUxMIi8-PGV4cCBldGFnPSIiLz48YXBwIGFwcGlkPSJ7RjNDNEZFMDAtRUZENS00MDNCLTk1NjktMzk4QTIwRjFCQTRBfSIgdmVyc2lvbj0iIiBuZXh0dmVyc2lvbj0iMS4zLjE5NS40OSIgbGFuZz0iIiBicmFuZD0iIiBjbGllbnQ9IiI-PGV2ZW50IGV2ZW50dHlwZT0iMiIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMCIgc3lzdGVtX3VwdGltZV90aWNrcz0iMTAwMjc3Mjk3MzMiIGluc3RhbGxfdGltZV9tcz0iNTYzIi8-PC9hcHA-PC9yZXF1ZXN0Pg
Path:
C:\Users\admin\AppData\Local\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
Parent process:
MicrosoftEdgeUpdate.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Edge Update
Exit code:
0
Version:
1.3.195.49
Modules
Images
c:\users\admin\appdata\local\microsoft\edgeupdate\microsoftedgeupdate.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\ole32.dll
c:\windows\syswow64\ucrtbase.dll
PID:
920
CMD:
"ping" -n 2 -w 500 polandcentral.monitoring.azure.com
Path:
C:\Windows\System32\PING.EXE
Parent process:
LAGSTER.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
TCP/IP Ping Command
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\ping.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\dnsapi.dll
PID:
960
CMD:
"C:\Users\admin\AppData\Local\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /regserver
Path:
C:\Users\admin\AppData\Local\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
Parent process:
MicrosoftEdgeUpdate.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Edge Update
Exit code:
0
Version:
1.3.195.49
Modules
Images
c:\users\admin\appdata\local\microsoft\edgeupdate\microsoftedgeupdate.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\ole32.dll
c:\windows\syswow64\ucrtbase.dll
PID:
968
CMD:
C:\WINDOWS\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:11
Path:
C:\Windows\System32\SrTasks.exe
Parent process:
msiexec.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Microsoft® Windows System Protection background tasks.
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\srtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
PID:
1040
CMD:
\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path:
C:\Windows\System32\conhost.exe
Parent process:
PING.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID:
1040
CMD:
"ping" -n 2 -w 500 dynamodb.af-south-1.amazonaws.com
Path:
C:\Windows\System32\PING.EXE
Parent process:
LAGSTER.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
TCP/IP Ping Command
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\ping.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\dnsapi.dll
PID:
1096
Command line:
"C:\Users\admin\AppData\Local\Microsoft\EdgeWebView\Application\135.0.3179.85\msedgewebview2.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --noerrdialogs --user-data-dir="C:\Users\admin\AppData\Local\com.crimzonware.lagster\EBWebView" --webview-exe-name=LAGSTER.exe --webview-exe-version=0.15.6 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=2 --always-read-main-dll --field-trial-handle=1868,i,11343295254951722189,17921580820089034059,262144 --enable-features=ForceSWDCompWhenDCompFallbackRequired,msAggressiveCacheTrimming,msCustomDataPartition,msWebView2NoTabForScreenShare,msWindowsTaskManager --disable-features=BackForwardCache,BackgroundTabLoadingFromPerformanceManager,CloseOmniboxPopupOnInactiveAreaClick,CollectAVProductsInfo,CollectCodeIntegrityInfo,EnableHangWatcher,FilterAdsOnAbusiveSites,GetWifiProtocol,LoginDetection,MediaFoundationCameraUsageMonitoring,PreconnectToSearch,SafetyHub,SegmentationPlatform,SpareRendererForSitePerProcess,Ukm,WebPayments,msAITrackerClassification,msAbydosForWindowlessWV2,msAffirmVirtualCard,msAllowChromeWebstore,msAllowMSAPrtSSOForNonMSAProfile,msApplicationGuard,msAskBeforeClosingMultipleTabs,msAutoToggleAADPrtSSOForNonAADProfile,msAutofillEdgeCoupons,msAutofillEdgeCouponsAutoApply,msAutofillEdgeServiceRequest,msAutomaticTabFreeze,msBrowserSettingsSupported,msCoarseGeolocationService,msDataProtection,msDesktopMode,msDesktopRewards,msDisableVariationsSeedFetchThrottling,msEEProactiveHistory,msETFOffstoreExtensionFileDataCollection,msETFPasswordTheftDNRActionSignals,msEdgeAdPlatformUI,msEdgeAddWebCapturetoCollections,msEdgeAutofillAdvancedSuggestionsBasic,msEdgeAutofillOneClickAutocomplete,msEdgeAutofillSaveGSPR100InDb,msEdgeAutofillShowDeployedPassword,msEdgeAutofillSs,msEdgeBrowserEssentialsShowUpdateSection,msEdgeCloudConfigService,msEdgeCloudConfigServiceV2,msEdgeCohorts,msEdgeCollectionsPrismExperiment1,msEdgeCollectionsPrismOverallMigration,msEdgeComposeNext,msEdgeEnableNurturingFramework,msEdgeEnclavePrefsBasic,msEdgeEnclavePrefsNotification,msEdgeFaviconService,msEdgeHJTelemetry,msEdgeHubAppSkype,msEdgeImageEditorUI,msEdgeLinkDoctor,msEdgeMouseGestureDefaultEnabled,msEdgeMouseGestureSupported,msEdgeNewDeviceFre,msEdgeOnRampFRE,msEdgeOnRampImport,msEdgePDFCMHighlightUX,msEdgePasswordIris,msEdgePasswordIrisSaveBubble,msEdgeProngPersonalization,msEdgeReadingView,msEdgeRose,msEdgeSendTabToSelf,msEdgeSettingsImport,msEdgeSettingsImportV2,msEdgeShoppingPersistentStorage,msEdgeShoppingUI,msEdgeSmartFind,msEdgeSuperDragDefaultEnabled,msEdgeSuperDragDropSupported,msEdgeTipping,msEdgeTranslate,msEdgeUseCaptivePortalService,msEdgeWebContentFilteringFeedback,msEdgeWorkSearchBanner,msEnableCustomJobMemoryLimitsOnXbox,msEnableMIPForPDF,msEnablePdfUpsell,msEnableThirdPartyScanning,msEnableWebSignInCta,msEnableWebToBrowserSignIn,msEndpointDlp,msEntityExtraction,msExtensionTelemetryFramework,msExternalTaskManager,msFileSystemAccessDirectoryIterationBlocklistCheck,msForceBrowserSignIn,msForeignSessionsPage,msGeolocationAccessService,msGeolocationOSLocationPermissionFallback,msGeolocationSQMService,msGeolocationService,msGrowthInfraLaunchSourceLogging,msGuidedSwitchAllowed,msHubPinPersist,msImplicitSignin,msIrm,msIrmv2,msKlarnaVirtualCard,msLoadStatistics,msLogIsEdgePinnedToTaskbarOnLaunch,msMIPCrossTenantPdfViewSupport,msMdatpWebSiteDlp,msNotificationPermissionForPWA,msOnHoverSearchInSidebar,msOpenOfficeDocumentsInWebViewer,msPasswordBreachDetection,msPdfAnnotationsVisibility,msPdfDataRecovery,msPdfDigitalSignatureRead,msPdfFreeText,msPdfFreeTextForCJK,msPdfHighlightMode,msPdfInking,msPdfKeyphraseSupport,msPdfOOUI,msPdfPopupMarkerRenderer,msPdfShare,msPdfSharedLibrary,msPdfTextNote,msPdfTextNoteMoreMenu,msPdfThumbnailCache,msPdfUnderside,msPdfViewRestore,msPersonalizationUMA,msPriceComparison,msPromptDefaultHandlerForPDF,msReactiveSearch,msReadAloud,msReadAloudPdf,msRedirectToShoreline,msRevokeExtensions,msSaasDlp,msShoppingTrigger,msShorelineSearch,msShorelineSearchFindOnPageWebUI,msShowOfflineGameEntrance,msShowReadAloudIconInAddressBar,msShowUXForAADPrtSSOForNonAADProfile,msSmartScreenProtection,msSuspendMessageForNewSessionWhenHavingPendingNavigation,msSyncEdgeCollections,msTabResourceStats,msTokenizationAutofillInlineEnabled,msTouchMode,msTriggeringSignalGenerator,msUserUnderstanding,msVideoSuperResolutionUI,msWalletBuyNow,msWalletCheckout,msWalletDiagnosticDataLogger,msWalletHubEntry,msWalletHubIntlP3,msWalletPartialCard,msWalletPasswordCategorization,msWalletPasswordCategorizationPlatformExpansion,msWalletTokenizationCardMetadata,msWalletTokenizedAutofill,msWebAssist,msWebAssistHistorySearchService,msWebOOUI,msWindowsUserActivities,msZipPayVirtualCard --variations-seed-version --mojo-platform-channel-handle=2404 /prefetch:8
Path:
C:\Users\admin\AppData\Local\Microsoft\EdgeWebView\Application\135.0.3179.85\msedgewebview2.exe
Parent process:
msedgewebview2.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge WebView2
Exit code:
0
Version:
135.0.3179.85
Modules
Images
c:\users\admin\appdata\local\microsoft\edgewebview\application\135.0.3179.85\msedgewebview2.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\users\admin\appdata\local\microsoft\edgewebview\application\135.0.3179.85\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
Total events
38 692
Read events
35 462
Write events
2 995
Delete events
235

Modification events

(PID) Process: (6736) msiexec.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SystemRestore
Operation: write
Name: SrCreateRp (Enter)
Value:
48000000000000000A723791D8AFDB01501A00004C1B0000D50700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process: (6736) msiexec.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation: write
Name: SppGetSnapshots (Enter)
Value:
48000000000000000A723791D8AFDB01501A00004C1B0000D20700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process: (6736) msiexec.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation: write
Name: SppEnumGroups (Leave)
Value:
4800000000000000D3D88A91D8AFDB01501A00004C1B0000D10700000100000000000000010000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process: (6736) msiexec.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation: write
Name: SppGetSnapshots (Leave)
Value:
480000000000000050118691D8AFDB01501A00004C1B0000D20700000100000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process: (6736) msiexec.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation: write
Name: SppEnumGroups (Enter)
Value:
480000000000000050118691D8AFDB01501A00004C1B0000D10700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process: (6736) msiexec.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation: write
Name: SppCreate (Enter)
Value:
48000000000000001A3D8D91D8AFDB01501A00004C1B0000D00700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process: (6480) VSSVC.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer
Operation: write
Name: IDENTIFY (Enter)
Value:
48000000000000009A4E1C92D8AFDB0150190000300F0000E80300000100000001000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process: (6480) VSSVC.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer
Operation: write
Name: IDENTIFY (Enter)
Value:
48000000000000009A4E1C92D8AFDB015019000044050000E80300000100000001000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process: (6480) VSSVC.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer
Operation: write
Name: IDENTIFY (Enter)
Value:
480000000000000087B21E92D8AFDB015019000028080000E80300000100000001000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process: (6480) VSSVC.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer
Operation: write
Name: IDENTIFY (Enter)
Value:
480000000000000087B21E92D8AFDB0150190000FC030000E80300000100000001000000000000000000000000000000000000000000000000000000000000000000000000000000
Executable files
223
Suspicious files
286
Text files
58
Unknown types
2

Dropped files

PID
Process
Filename
Type
6736
msiexec.exe
C:\System Volume Information\SPP\metadata-2
MD5:
SHA256:
6736
msiexec.exe
C:\Windows\Installer\11270d.msi
MD5:
SHA256:
6736
msiexec.exe
C:\Windows\Installer\11270f.msi
MD5:
SHA256:
6736
msiexec.exe
C:\System Volume Information\SPP\snapshot-2
binary
MD5: BBD3579F7A634446E97340D75FA2DECE
SHA256: D1672F25FC87839EF9A39C95C41AA3D6656FE94044A675D663336B7C598C64F2
6736
msiexec.exe
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\LAGSTER\~AGSTER.tmp
binary
MD5: 8D73DB04D821F1E3DA074AA65F3D06D9
SHA256: 9AE6BED7D1EE968535F88DB978E0FF10919B8F6B2D7ED1186AA4917308A74326
5176
msiexec.exe
C:\Users\admin\AppData\Local\Temp\MSIDB1F.tmp
executable
MD5: CFBB8568BD3711A97E6124C56FCFA8D9
SHA256: 7F47D98AB25CFEA9B3A2E898C3376CC9BA1CD893B4948B0C27CAA530FD0E34CC
6736
msiexec.exe
C:\Windows\Installer\MSI2E21.tmp
binary
MD5: FC9DD669CAEE06CEB193D6DA547EEE42
SHA256: 347B1C7418FD6ABC5E289CDD6A2C37437FCE42E0401EE3D221D2F0271D29FF24
6736
msiexec.exe
C:\Program Files\LAGSTER\LAGSTER.exe
executable
MD5: B5995DC830171201EE5E15B13591FBCB
SHA256: 7739ED7B8E6BF79ADC14F815C170C6DE3FD4A51C4582DFBD41C3E07CF2BF398A
6736
msiexec.exe
C:\Windows\Installer\{AB9D4705-BBEC-479E-8FDB-1EC2E2DFA231}\ProductIcon
binary
MD5: 7BACC9A125C1A1BF67F00BC452846431
SHA256: 3EBCE3FBD24AC82ADD9047BF1C0E79BA13F6C469FF16C7DC76456058EBD45593
6736
msiexec.exe
C:\Windows\Installer\inprogressinstallinfo.ipi
binary
MD5: A5724B10B631B885E5EEAE29F9B3E578
SHA256: 21F3D6F3296710F9BD084A00AE895746F21947FE8794E1A0D9CACA7D8437DD9D
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
23
TCP/UDP connections
55
DNS requests
54
Threats
10

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
5496
MoUsoCoreWorker.exe
GET
200
23.216.77.6:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
6132
SIHClient.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
6132
SIHClient.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
whitelisted
7296
svchost.exe
HEAD
200
2.22.242.122:80
http://msedge.f.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/821829a5-e0d2-4f3c-b4d9-1df49411de7e?P1=1745527091&P2=404&P3=2&P4=e66ceBdQ7NLoVT5wam6VsLbymZNxAqZy3ATKJJ1JJ3QRW8hn7j5tMn4TPDEEAOIH9oI5PQrTuCuNm16%2bVPODPQ%3d%3d
unknown
whitelisted
7296
svchost.exe
GET
200
2.22.242.122:80
http://msedge.f.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/821829a5-e0d2-4f3c-b4d9-1df49411de7e?P1=1745527091&P2=404&P3=2&P4=e66ceBdQ7NLoVT5wam6VsLbymZNxAqZy3ATKJJ1JJ3QRW8hn7j5tMn4TPDEEAOIH9oI5PQrTuCuNm16%2bVPODPQ%3d%3d
unknown
whitelisted
6544
svchost.exe
GET
200
2.17.190.73:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
7296
svchost.exe
HEAD
200
199.232.210.172:80
http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/fb6dd03b-99d7-4cc8-a878-91c8e655c2d3?P1=1745357331&P2=404&P3=2&P4=Go9vTBkSFkSAzDfry5PLMubUPXnCybw2T5AqnRjIljnQBMbf9C%2f%2bls6jVeEYOgKrHZtxvZ2hGKBYQPvHFUE6Gw%3d%3d
unknown
whitelisted
7200
LAGSTER.exe
GET
200
208.95.112.1:80
http://208.95.112.1:80/json/?fields=status,message,country,countryCode,regionName,city,isp,org,as,query,timezone,lat,lon
unknown
unknown
7296
svchost.exe
GET
206
199.232.210.172:80
http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/fb6dd03b-99d7-4cc8-a878-91c8e655c2d3?P1=1745357331&P2=404&P3=2&P4=Go9vTBkSFkSAzDfry5PLMubUPXnCybw2T5AqnRjIljnQBMbf9C%2f%2bls6jVeEYOgKrHZtxvZ2hGKBYQPvHFUE6Gw%3d%3d
unknown
whitelisted
7296
svchost.exe
GET
206
199.232.210.172:80
http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/fb6dd03b-99d7-4cc8-a878-91c8e655c2d3?P1=1745357331&P2=404&P3=2&P4=Go9vTBkSFkSAzDfry5PLMubUPXnCybw2T5AqnRjIljnQBMbf9C%2f%2bls6jVeEYOgKrHZtxvZ2hGKBYQPvHFUE6Gw%3d%3d
unknown
whitelisted

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
5496
MoUsoCoreWorker.exe
23.216.77.6:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
4
System
192.168.100.255:138
whitelisted
2104
svchost.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
3216
svchost.exe
172.211.123.250:443
client.wns.windows.com
MICROSOFT-CORP-MSN-AS-BLOCK
FR
whitelisted
5392
svchost.exe
2.19.106.8:443
go.microsoft.com
AKAMAI-AS
DE
whitelisted
6132
SIHClient.exe
4.245.163.56:443
slscr.update.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
6132
SIHClient.exe
184.30.21.171:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
6132
SIHClient.exe
20.242.39.171:443
fe3cr.delivery.mp.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.104.136.2
whitelisted
crl.microsoft.com
  • 23.216.77.6
  • 23.216.77.8
  • 23.216.77.20
  • 23.216.77.25
  • 23.216.77.15
  • 23.216.77.18
  • 23.216.77.22
  • 23.216.77.16
  • 23.216.77.7
whitelisted
google.com
  • 142.250.184.238
whitelisted
client.wns.windows.com
  • 172.211.123.250
  • 172.211.123.249
whitelisted
go.microsoft.com
  • 2.19.106.8
whitelisted
slscr.update.microsoft.com
  • 4.245.163.56
whitelisted
www.microsoft.com
  • 184.30.21.171
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 20.242.39.171
whitelisted
msedge.sf.dl.delivery.mp.microsoft.com
  • 2.22.242.129
  • 2.22.242.107
whitelisted
config.edge.skype.com
  • 13.107.42.16
  • 52.123.243.202
  • 52.123.224.69
  • 52.123.224.75
  • 52.123.243.73
  • 52.123.243.213
  • 52.123.224.64
  • 52.123.243.69
  • 52.123.224.70
whitelisted

Threats

PID
Process
Class
Message
7296
svchost.exe
Misc activity
ET INFO Packed Executable Download
5744
msedgewebview2.exe
Generic Protocol Command Decode
SURICATA QUIC failed decrypt
5744
msedgewebview2.exe
Generic Protocol Command Decode
SURICATA QUIC failed decrypt
5744
msedgewebview2.exe
Generic Protocol Command Decode
SURICATA QUIC failed decrypt
5744
msedgewebview2.exe
Generic Protocol Command Decode
SURICATA QUIC failed decrypt
2196
svchost.exe
Not Suspicious Traffic
INFO [ANY.RUN] Attempting to access raw user content on GitHub
2196
svchost.exe
Device Retrieving External IP Address Detected
INFO [ANY.RUN] External IP Check (ip-api .com)
7200
LAGSTER.exe
Device Retrieving External IP Address Detected
ET INFO External IP Lookup ip-api.com
7200
LAGSTER.exe
Device Retrieving External IP Address Detected
ET INFO External IP Lookup ip-api.com
2196
svchost.exe
Device Retrieving External IP Address Detected
ET INFO External IP Lookup Domain in DNS Lookup (ip-api .com)
No debug info