Malware analysis https://download.cdn.viber.com/desktop/windows/ViberSetup.exe Malicious activity

Add for printing

URL:	https://download.cdn.viber.com/desktop/windows/ViberSetup.exe
Full analysis:	https://app.any.run/tasks/a1fc3a45-ec11-4d8b-9ff8-761d947b5dc8
Verdict:	Malicious activity
Analysis date:	August 14, 2024, 05:37:30
OS:	Windows 10 Professional (build: 19045, 64 bit)
Tags:	evasion
Indicators:
MD5:	6527E2DE4447AF13B8E47BAE24C10727
SHA1:	85000708389B92AB9C78D45DFDA3EC9665304EE6
SHA256:	058CC7CA604060639D6E12DFAFBBE5289D0BB40FB4887A3A0E9484749AA31189
SSDEEP:	3:N8SElMLAg8W1VKSMq6lA:2SKMLj82f6lA

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 300 seconds
Heavy Evasion option:
Network geolocation:: off
Additional time used:: 240 seconds
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.3636.19041.0
Adobe Acrobat (64-bit) (23.001.20093)
Adobe Flash Player 32 NPAPI (32.0.0.465)
Adobe Flash Player 32 PPAPI (32.0.0.465)
CCleaner (6.20)
FileZilla 3.65.0 (3.65.0)
Google Chrome (122.0.6261.70)
Google Update Helper (1.3.36.51)
Java 8 Update 271 (64-bit) (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Microsoft Edge (122.0.2365.59)
Microsoft Edge Update (1.3.185.17)
Microsoft Office Professional 2019 - de-de (16.0.16026.20146)
Microsoft Office Professional 2019 - en-us (16.0.16026.20146)
Microsoft Office Professional 2019 - es-es (16.0.16026.20146)
Microsoft Office Professional 2019 - it-it (16.0.16026.20146)
Microsoft Office Professional 2019 - ja-jp (16.0.16026.20146)
Microsoft Office Professional 2019 - ko-kr (16.0.16026.20146)
Microsoft Office Professional 2019 - pt-br (16.0.16026.20146)
Microsoft Office Professional 2019 - tr-tr (16.0.16026.20146)
Microsoft Office Professionnel 2019 - fr-fr (16.0.16026.20146)
Microsoft Office профессиональный 2019 - ru-ru (16.0.16026.20146)
Microsoft OneNote - en-us (16.0.16026.20146)
Microsoft Update Health Tools (3.74.0.0)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x64 en-US) (123.0)
Mozilla Maintenance Service (123.0)
Notepad++ (64-bit x64) (7.9.1)
Office 16 Click-to-Run Extensibility Component (16.0.15726.20202)
Office 16 Click-to-Run Licensing Component (16.0.16026.20146)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15928.20198)
PowerShell 7-x64 (7.3.5.0)
Skype version 8.104 (8.104)
Update for Windows 10 for x64-based Systems (KB4023057) (2.59.0.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.63.0.0)
Update for Windows 10 for x64-based Systems (KB4480730) (2.55.0.0)
Update for Windows 10 for x64-based Systems (KB5001716) (8.93.0.0)
VLC media player (3.0.11)
WinRAR 5.91 (64-bit) (5.91.0)
Windows PC Health Check (3.6.2204.08001)

Hotfixes

Client LanguagePack Package
DotNetRollup
DotNetRollup 481
FodMetadata Package
Foundation Package
Hello Face Package
InternetExplorer Optional Package
KB5003791
KB5011048
KB5015684
KB5033052
LanguageFeatures Basic en us Package
LanguageFeatures Handwriting en us Package
LanguageFeatures OCR en us Package
LanguageFeatures Speech en us Package
LanguageFeatures TextToSpeech en us Package
MSPaint FoD Package
MediaPlayer Package
Microsoft OneCore ApplicationModel Sync Desktop FOD Package
Microsoft OneCore DirectX Database FOD Package
NetFx3 OnDemand Package
Notepad FoD Package
OpenSSH Client Package
PowerShell ISE FOD Package
Printing PMCPPC FoD Package
Printing WFS FoD Package
ProfessionalEdition
QuickAssist Package
RollupFix
ServicingStack
ServicingStack 3989
StepsRecorder Package
TabletPCMath Package
UserExperience Desktop Package
WordPad FoD Package

Add for printing

MALICIOUS
- Changes the autorun value in the registry
  - ViberSetup.exe (PID: 3980)
  - ie4uinit.exe (PID: 8156)
SUSPICIOUS
- Process drops legitimate windows executable
  - ViberSetup.exe (PID: 3980)
  - msiexec.exe (PID: 7484)
- Drops the executable file immediately after the start
  - ViberSetup.exe (PID: 3980)
  - msiexec.exe (PID: 7484)
- The process creates files with name similar to system file names
  - ViberSetup.exe (PID: 3980)
- Executable content was dropped or overwritten
  - ViberSetup.exe (PID: 3980)
- Reads security settings of Internet Explorer
  - ViberBA.exe (PID: 7592)
  - msiexec.exe (PID: 2132)
  - Viber.exe (PID: 2080)
- Searches for installed software
  - ViberSetup.exe (PID: 3980)
- Checks Windows Trust Settings
  - msiexec.exe (PID: 7484)
  - msiexec.exe (PID: 2132)
  - Viber.exe (PID: 2080)
- Reads the Windows owner or organization settings
  - msiexec.exe (PID: 7484)
- Creates a software uninstall entry
  - ViberSetup.exe (PID: 3980)
- Checks for external IP
  - msiexec.exe (PID: 2132)
  - Viber.exe (PID: 2080)
- Potential Corporate Privacy Violation
  - msiexec.exe (PID: 2132)
  - Viber.exe (PID: 2080)
- The process drops C-runtime libraries
  - msiexec.exe (PID: 7484)
- Uses RUNDLL32.EXE to load library
  - ie4uinit.exe (PID: 3692)
- Detected use of alternative data streams (AltDS)
  - Viber.exe (PID: 2080)
- Connects to unusual port
  - Viber.exe (PID: 2080)
INFO
- Reads the computer name
  - identity_helper.exe (PID: 5292)
  - ViberSetup.exe (PID: 3980)
  - ViberBA.exe (PID: 7592)
  - msiexec.exe (PID: 7484)
  - msiexec.exe (PID: 2132)
  - Viber.exe (PID: 2080)
  - TextInputHost.exe (PID: 7308)
- Reads Microsoft Office registry keys
  - msedge.exe (PID: 6400)
- Reads Environment values
  - identity_helper.exe (PID: 5292)
  - ViberBA.exe (PID: 7592)
  - msiexec.exe (PID: 7484)
- Checks supported languages
  - identity_helper.exe (PID: 5292)
  - ViberSetup.exe (PID: 3980)
  - ViberBA.exe (PID: 7592)
  - msiexec.exe (PID: 7484)
  - msiexec.exe (PID: 2132)
  - Viber.exe (PID: 2080)
  - TextInputHost.exe (PID: 7308)
- Executable content was dropped or overwritten
  - msedge.exe (PID: 6400)
  - msiexec.exe (PID: 7484)
- Create files in a temporary directory
  - ViberSetup.exe (PID: 3980)
  - Viber.exe (PID: 2080)
- The process uses the downloaded file
  - msedge.exe (PID: 6668)
  - msedge.exe (PID: 6400)
- Reads the machine GUID from the registry
  - ViberBA.exe (PID: 7592)
  - msiexec.exe (PID: 7484)
  - ViberSetup.exe (PID: 3980)
  - Viber.exe (PID: 2080)
  - msiexec.exe (PID: 2132)
- Application launched itself
  - msedge.exe (PID: 6400)
- Creates files or folders in the user directory
  - ViberBA.exe (PID: 7592)
  - ViberSetup.exe (PID: 3980)
  - msiexec.exe (PID: 2132)
  - ie4uinit.exe (PID: 8156)
  - msiexec.exe (PID: 7484)
  - Viber.exe (PID: 2080)
- Creates files in the program directory
  - ViberBA.exe (PID: 7592)
- Reads the software policy settings
  - msiexec.exe (PID: 7484)
  - ViberBA.exe (PID: 7592)
  - msiexec.exe (PID: 2132)
  - Viber.exe (PID: 2080)
- Checks proxy server information
  - msiexec.exe (PID: 2132)
  - ViberBA.exe (PID: 7592)
  - Viber.exe (PID: 2080)
- Disables trace logs
  - ViberBA.exe (PID: 7592)
- Reads security settings of Internet Explorer
  - ie4uinit.exe (PID: 3692)
  - ie4uinit.exe (PID: 8156)
- Reads the time zone
  - Viber.exe (PID: 2080)
- Creates a software uninstall entry
  - msiexec.exe (PID: 7484)
- Process checks computer location settings
  - Viber.exe (PID: 2080)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

189

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

460

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --no-appcompat-clear --mojo-platform-channel-handle=4336 --field-trial-handle=2464,i,17787229233437154323,14598874333575950602,262144 --variations-seed-version /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

—

msedge.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

LOW

Description:

Microsoft Edge

Exit code:

Version:

122.0.2365.59

Modules

Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

904

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=6060 --field-trial-handle=2464,i,17787229233437154323,14598874333575950602,262144 --variations-seed-version /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

—

msedge.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

LOW

Description:

Microsoft Edge

Exit code:

Version:

122.0.2365.59

Modules

Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

1812

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=5844 --field-trial-handle=2464,i,17787229233437154323,14598874333575950602,262144 --variations-seed-version /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

—

msedge.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

LOW

Description:

Microsoft Edge

Version:

122.0.2365.59

Modules

Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

1984

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4412 --field-trial-handle=2464,i,17787229233437154323,14598874333575950602,262144 --variations-seed-version /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

—

msedge.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

LOW

Description:

Microsoft Edge

Exit code:

Version:

122.0.2365.59

Modules

Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

2080

"C:\Users\admin\AppData\Local\Viber\Viber.exe" AfterInstallation BurnInstaller

C:\Users\admin\AppData\Local\Viber\Viber.exe

ViberBA.exe

User:

admin

Company:

Viber Media S.Ã r.l.

Integrity Level:

MEDIUM

Description:

Viber

Version:

23.3.0-0-gf3ef465f55

Modules

Images
c:\users\admin\appdata\local\viber\viber.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll

2132

C:\Windows\syswow64\MsiExec.exe -Embedding 1BF46F09ABC3A9404A9350B23B1074F1

C:\Windows\SysWOW64\msiexec.exe

msiexec.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows® installer

Exit code:

Version:

5.0.19041.3636 (WinBuild.160101.0800)

Modules

Images
c:\windows\syswow64\msiexec.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\aclayers.dll

2324

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=5600 --field-trial-handle=2464,i,17787229233437154323,14598874333575950602,262144 --variations-seed-version /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

—

msedge.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

LOW

Description:

Microsoft Edge

Exit code:

Version:

122.0.2365.59

Modules

Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

3008

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --extension-process --renderer-sub-type=extension --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4084 --field-trial-handle=2464,i,17787229233437154323,14598874333575950602,262144 --variations-seed-version /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

—

msedge.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

LOW

Description:

Microsoft Edge

Exit code:

Version:

122.0.2365.59

Modules

Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

3692

ie4uinit.exe -ClearIconCache

C:\Windows\System32\ie4uinit.exe

—

msiexec.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

IE Per-User Initialization Utility

Exit code:

Version:

11.00.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\ie4uinit.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll

3720

C:\WINDOWS\System32\rundll32.exe C:\WINDOWS\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Windows\System32\rundll32.exe

—

svchost.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows host process (Rundll32)

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\rundll32.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shcore.dll
c:\windows\system32\imagehlp.dll

Add for printing

Total events

143 805

Read events

141 923

Write events

1 862

Delete events

Modification events


(PID) Process:	(6400) msedge.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\BLBeacon
Operation:	write	Name:	failed_count
Value: 0
(PID) Process:	(6400) msedge.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\BLBeacon
Operation:	write	Name:	state
Value: 2
(PID) Process:	(6400) msedge.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\ThirdParty
Operation:	write	Name:	StatusCodes
Value:
(PID) Process:	(6400) msedge.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\ThirdParty
Operation:	write	Name:	StatusCodes
Value: 01000000
(PID) Process:	(6400) msedge.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\BLBeacon
Operation:	write	Name:	state
Value: 1
(PID) Process:	(6400) msedge.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\EdgeUpdate\ClientState\{56EB18F8-B008-4CBD-B6D2-8C97FE7E9062}
Operation:	write	Name:	dr
Value: 1
(PID) Process:	(6400) msedge.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\StabilityMetrics
Operation:	write	Name:	user_experience_metrics.stability.exited_cleanly
Value: 0
(PID) Process:	(6400) msedge.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge
Operation:	write	Name:	UsageStatsInSample
Value: 1
(PID) Process:	(6400) msedge.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\EdgeUpdate\ClientStateMedium\{56EB18F8-B008-4CBD-B6D2-8C97FE7E9062}
Operation:	write	Name:	usagestats
Value: 0
(PID) Process:	(6400) msedge.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\EdgeUpdate\ClientStateMedium\{56EB18F8-B008-4CBD-B6D2-8C97FE7E9062}
Operation:	write	Name:	urlstats
Value: 0

Add for printing

Executable files

282

Suspicious files

380

Text files

593

Unknown types

Dropped files

PID	Process	Filename		Type
6400	msedge.exe	C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\commerce_subscription_db\LOG.old~RFe5407.TMP		—
		MD5:—	SHA256:—
6400	msedge.exe	C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\commerce_subscription_db\LOG.old		—
		MD5:—	SHA256:—
6400	msedge.exe	C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\PersistentOriginTrials\LOG.old~RFe5407.TMP		—
		MD5:—	SHA256:—
6400	msedge.exe	C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\PersistentOriginTrials\LOG.old		—
		MD5:—	SHA256:—
6400	msedge.exe	C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\parcel_tracking_db\LOG.old~RFe5407.TMP		—
		MD5:—	SHA256:—
6400	msedge.exe	C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\parcel_tracking_db\LOG.old		—
		MD5:—	SHA256:—
6400	msedge.exe	C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\EdgePushStorageWithConnectTokenAndKey\LOG.old~RFe5417.TMP		—
		MD5:—	SHA256:—
6400	msedge.exe	C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\EdgePushStorageWithConnectTokenAndKey\LOG.old		—
		MD5:—	SHA256:—
6400	msedge.exe	C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\discounts_db\LOG.old~RFe5417.TMP		—
		MD5:—	SHA256:—
6400	msedge.exe	C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\discounts_db\LOG.old		—
		MD5:—	SHA256:—

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
5336	SearchApp.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D	unknown	—	—	whitelisted
2208	svchost.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D	unknown	—	—	whitelisted
2208	svchost.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D	unknown	—	—	whitelisted
7988	svchost.exe	HEAD	200	152.199.19.161:80	http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/39631034-5b64-4aa8-813e-46d47f5abfa3?P1=1724139666&P2=404&P3=2&P4=loZ1YEyCdqIhxDwZ7WTenKqGHsH2cSNJCCOWnK4XQcfuDuDTaOp3QjaNi268KbZHn%2f6Y39vkNswwakybsIZnZA%3d%3d	unknown	—	—	whitelisted
7700	backgroundTaskHost.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D	unknown	—	—	whitelisted
7988	svchost.exe	GET	206	152.199.19.161:80	http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/39631034-5b64-4aa8-813e-46d47f5abfa3?P1=1724139666&P2=404&P3=2&P4=loZ1YEyCdqIhxDwZ7WTenKqGHsH2cSNJCCOWnK4XQcfuDuDTaOp3QjaNi268KbZHn%2f6Y39vkNswwakybsIZnZA%3d%3d	unknown	—	—	whitelisted
7644	backgroundTaskHost.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D	unknown	—	—	whitelisted
7988	svchost.exe	GET	206	152.199.19.161:80	http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/39631034-5b64-4aa8-813e-46d47f5abfa3?P1=1724139666&P2=404&P3=2&P4=loZ1YEyCdqIhxDwZ7WTenKqGHsH2cSNJCCOWnK4XQcfuDuDTaOp3QjaNi268KbZHn%2f6Y39vkNswwakybsIZnZA%3d%3d	unknown	—	—	whitelisted
7988	svchost.exe	GET	206	152.199.19.161:80	http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/39631034-5b64-4aa8-813e-46d47f5abfa3?P1=1724139666&P2=404&P3=2&P4=loZ1YEyCdqIhxDwZ7WTenKqGHsH2cSNJCCOWnK4XQcfuDuDTaOp3QjaNi268KbZHn%2f6Y39vkNswwakybsIZnZA%3d%3d	unknown	—	—	whitelisted
7988	svchost.exe	GET	206	152.199.19.161:80	http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/39631034-5b64-4aa8-813e-46d47f5abfa3?P1=1724139666&P2=404&P3=2&P4=loZ1YEyCdqIhxDwZ7WTenKqGHsH2cSNJCCOWnK4XQcfuDuDTaOp3QjaNi268KbZHn%2f6Y39vkNswwakybsIZnZA%3d%3d	unknown	—	—	whitelisted

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
3888	svchost.exe	239.255.255.250:1900	—	—	—	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
5116	svchost.exe	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
3900	RUXIMICS.exe	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
2120	MoUsoCoreWorker.exe	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
6400	msedge.exe	239.255.255.250:1900	—	—	—	whitelisted
6764	msedge.exe	13.107.42.16:443	config.edge.skype.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
6764	msedge.exe	13.107.21.239:443	edge.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	unknown
6764	msedge.exe	23.32.238.91:443	bzib.nelreports.net	Akamai International B.V.	DE	unknown
6764	msedge.exe	18.66.122.96:443	download.cdn.viber.com	AMAZON-02	US	unknown

DNS requests

Domain	IP	Reputation
settings-win.data.microsoft.com	4.231.128.59 51.104.136.2	whitelisted
google.com	142.250.185.238	whitelisted
config.edge.skype.com	13.107.42.16	whitelisted
edge.microsoft.com	13.107.21.239 204.79.197.239	whitelisted
download.cdn.viber.com	18.66.122.96 18.66.122.119 18.66.122.59 18.66.122.76	whitelisted
business.bing.com	13.107.6.158	whitelisted
edge-mobile-static.azureedge.net	13.107.246.45	whitelisted
update.googleapis.com	142.250.186.99	whitelisted
edgeservices.bing.com	184.86.251.26 184.86.251.28 184.86.251.25 184.86.251.24 184.86.251.31 184.86.251.30 184.86.251.27 184.86.251.20 184.86.251.18	whitelisted
bzib.nelreports.net	23.32.238.91 2.19.198.56 23.32.238.138	whitelisted

Threats

PID	Process	Class	Message
2256	svchost.exe	Misc activity	ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup
2132	msiexec.exe	Misc activity	ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI
2080	Viber.exe	Misc activity	ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI

2 ETPRO signatures available at the full report

Add for printing

Process	Message
Viber.exe	qt.qml.typeregistration: Invalid QML element name "ViberAdsItem"; value type names should begin with a lowercase letter

General Info

https://download.cdn.viber.com/desktop/windows/ViberSetup.exe

6527E2DE4447AF13B8E47BAE24C10727

85000708389B92AB9C78D45DFDA3EC9665304EE6

058CC7CA604060639D6E12DFAFBBE5289D0BB40FB4887A3A0E9484749AA31189

3:N8SElMLAg8W1VKSMq6lA:2SKMLj82f6lA

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Changes the autorun value in the registry

SUSPICIOUS

Process drops legitimate windows executable

Drops the executable file immediately after the start

The process creates files with name similar to system file names

Executable content was dropped or overwritten

Reads security settings of Internet Explorer

Searches for installed software

Checks Windows Trust Settings

Reads the Windows owner or organization settings

Creates a software uninstall entry

Checks for external IP

Potential Corporate Privacy Violation

The process drops C-runtime libraries

Uses RUNDLL32.EXE to load library

Detected use of alternative data streams (AltDS)

Connects to unusual port

INFO

Reads the computer name

Reads Microsoft Office registry keys

Reads Environment values

Checks supported languages

Executable content was dropped or overwritten

Create files in a temporary directory

The process uses the downloaded file

Reads the machine GUID from the registry

Application launched itself

Creates files or folders in the user directory

Creates files in the program directory

Reads the software policy settings

Checks proxy server information

Disables trace logs

Reads security settings of Internet Explorer

Reads the time zone

Creates a software uninstall entry

Process checks computer location settings

Malware configuration

Static information

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity