File name:

review.one

Full analysis: https://app.any.run/tasks/64a0c856-709f-4aec-8a34-94162f0f4a8b
Verdict: Malicious activity
Threats:

MetaStealer is an info-stealing malware primarily targeting sensitive data like login credentials, payment details, and browser history. It typically infects systems via phishing emails or malicious downloads and can exfiltrate data to a command and control (C2) server. MetaStealer is known for its stealthy techniques, including evasion and persistence mechanisms, which make it difficult to detect. This malware has been actively used in various cyberattacks, particularly for financial theft and credential harvesting from individuals and organizations.

Malware Trends Tracker     >>>
Analysis date: November 03, 2024, 22:19:05
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
metastealer
stealer
Indicators:
MIME: application/onenote
File info: Microsoft OneNote
MD5:

6E18A1EC53D190CC1D5C52908C7C54AA

SHA1:

9BDEBAF83EF113A4187221884C826202CC3CC3B4

SHA256:

1AD3662BD1D6F59DB2C6875873EFB388980359E1AF16C355BC5EEE190704456C

SSDEEP:

49152:ZpdSlZmy0YGrxnwhzGMPuD3CNfIXuDvN9/vNeWjSc/eMn5WcPP:Zp2rynwh6MPuD3CNweDv/v1jSJMnwcX

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Metastealer has been detected

      • ONENOTE.EXE (PID: 300)

    • Executable content was dropped or overwritten

      • ONENOTE.EXE (PID: 300)

  • SUSPICIOUS

    • Detected use of alternative data streams (AltDS)

      • ONENOTE.EXE (PID: 300)

    • Creates file in the systems drive root

      • ONENOTE.EXE (PID: 300)

  • INFO

    • Checks supported languages

      • ONENOTEM.EXE (PID: 2888)

    • Sends debugging messages

      • ONENOTE.EXE (PID: 300)

    • Reads Microsoft Office registry keys

      • ONENOTEM.EXE (PID: 2888)

    • Reads the computer name

      • ONENOTEM.EXE (PID: 2888)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.one | Microsoft OneNote note (100)
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
128
Monitored processes
2
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start #METASTEALER onenote.exe onenotem.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
300"C:\Program Files\Microsoft Office\Root\Office16\ONENOTE.EXE" C:\Users\admin\Desktop\review.oneC:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft OneNote
Version:
16.0.16026.20146
Modules
Images
c:\program files\microsoft office\root\office16\onenote.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\program files\common files\microsoft shared\clicktorun\appvisvsubsystems64.dll
c:\windows\system32\ole32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\ucrtbase.dll
c:\program files\common files\microsoft shared\clicktorun\c2r64.dll
2888/tsrC:\Program Files\Microsoft Office\root\Office16\ONENOTEM.EXEONENOTE.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Send to OneNote Tool
Version:
16.0.16026.20146
Modules
Images
c:\program files\microsoft office\root\office16\onenotem.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\common files\microsoft shared\clicktorun\appvisvsubsystems64.dll
c:\program files\common files\microsoft shared\clicktorun\c2r64.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ole32.dll
c:\windows\system32\ucrtbase.dll
Total events
8 925
Read events
8 681
Write events
216
Delete events
28

Modification events

(PID) Process:(300) ONENOTE.EXEKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\Common\ClientTelemetry\Sampling
Operation:writeName:12
Value:
012C19000000001000B24E9A3E02000000000000000200000000000000
(PID) Process:(300) ONENOTE.EXEKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\Common\CrashPersistence\ONENOTE\300
Operation:writeName:0
Value:
0B0E10D5502994314FD346988C0F3B929B7F6B230046AB92DADFE6C7CBED016A04102400449A7D64B29D01008500A907556E6B6E6F776EC9062E225763446C494E41384C537237784C67357549303451703444396E4730426B415A4C6B6C6361656270562B303D22CA0DC2190000C91003783634C511AC02D2120B6F006E0065006E006F00740065002E00650078006500C51620C517808004C91808323231322D44656300
(PID) Process:(300) ONENOTE.EXEKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation:writeName:en-US
Value:
2
(PID) Process:(300) ONENOTE.EXEKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation:writeName:de-de
Value:
2
(PID) Process:(300) ONENOTE.EXEKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation:writeName:fr-fr
Value:
2
(PID) Process:(300) ONENOTE.EXEKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation:writeName:es-es
Value:
2
(PID) Process:(300) ONENOTE.EXEKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation:writeName:it-it
Value:
2
(PID) Process:(300) ONENOTE.EXEKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation:writeName:ja-jp
Value:
2
(PID) Process:(300) ONENOTE.EXEKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation:writeName:ko-kr
Value:
2
(PID) Process:(300) ONENOTE.EXEKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation:writeName:pt-br
Value:
2
Executable files
8
Suspicious files
6
Text files
17
Unknown types
0

Dropped files

PID
Process
Filename
Type
300ONENOTE.EXEC:\Users\admin\AppData\Local\Temp\{59EFFA72-4617-430B-8F1F-8E69398227F6}executable
MD5:93ABD548C5A42D6CAEE374C355E68DE6
SHA256:9A181E1F73F017322FB204B4F39B3787A206E83DF9F7161D311F7E1A9513EF73
300ONENOTE.EXEC:\Users\admin\AppData\Local\Temp\{20E26FF4-20B1-4298-8BD5-670FE9C93599}image
MD5:A47F96DF85678E6CCCA6856B413B0489
SHA256:A964F6323416A60AA23C5F4B7639F077BE96E03103032FE424074C293382565B
300ONENOTE.EXEC:\Users\admin\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000000A.binexecutable
MD5:93ABD548C5A42D6CAEE374C355E68DE6
SHA256:9A181E1F73F017322FB204B4F39B3787A206E83DF9F7161D311F7E1A9513EF73
300ONENOTE.EXEC:\Users\admin\AppData\Local\Temp\{FBD82306-90E3-48B2-BBD6-9A8F2B76693F}executable
MD5:93ABD548C5A42D6CAEE374C355E68DE6
SHA256:9A181E1F73F017322FB204B4F39B3787A206E83DF9F7161D311F7E1A9513EF73
300ONENOTE.EXEC:\Users\admin\AppData\Local\Temp\{4E5AF70C-A6FA-42EF-BBA8-3AD95D1F32EC}executable
MD5:93ABD548C5A42D6CAEE374C355E68DE6
SHA256:9A181E1F73F017322FB204B4F39B3787A206E83DF9F7161D311F7E1A9513EF73
300ONENOTE.EXEC:\Users\admin\AppData\Local\Temp\{722D26D8-FE9E-4FB6-973D-CAE5EB044A95}executable
MD5:93ABD548C5A42D6CAEE374C355E68DE6
SHA256:9A181E1F73F017322FB204B4F39B3787A206E83DF9F7161D311F7E1A9513EF73
300ONENOTE.EXEC:\Users\admin\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000000D.binimage
MD5:A47F96DF85678E6CCCA6856B413B0489
SHA256:A964F6323416A60AA23C5F4B7639F077BE96E03103032FE424074C293382565B
300ONENOTE.EXEC:\Users\admin\AppData\Local\Temp\{12B8C3EC-DCA1-4BDA-8CF5-16CBB11DA002}image
MD5:D1FE97206D64C04EBCF134F55E490ED6
SHA256:00A2E9C495FA190AAB9B4717EABB80824A62B30FF1FC5CD8595F720907A890AB
300ONENOTE.EXEC:\Users\admin\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000000B.binexecutable
MD5:93ABD548C5A42D6CAEE374C355E68DE6
SHA256:9A181E1F73F017322FB204B4F39B3787A206E83DF9F7161D311F7E1A9513EF73
300ONENOTE.EXEC:\Users\admin\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000000E.binimage
MD5:A47F96DF85678E6CCCA6856B413B0489
SHA256:A964F6323416A60AA23C5F4B7639F077BE96E03103032FE424074C293382565B
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
11
TCP/UDP connections
26
DNS requests
10
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
5984
RUXIMICS.exe
GET
200
23.53.40.176:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
6944
svchost.exe
GET
200
23.53.40.176:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
5488
MoUsoCoreWorker.exe
GET
200
23.53.40.176:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
5488
MoUsoCoreWorker.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
5984
RUXIMICS.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
6944
svchost.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
GET
200
52.109.89.18:443
https://officeclient.microsoft.com/config16/?lcid=1033&syslcid=1033&uilcid=1033&build=16.0.16026&crev=3
unknown
xml
176 Kb
whitelisted
POST
200
20.42.73.26:443
https://self.events.data.microsoft.com/OneCollector/1.0/
unknown
binary
10 b
whitelisted
POST
204
104.126.37.137:443
https://www.bing.com/threshold/xls.aspx
unknown
whitelisted
GET
200
52.113.194.132:443
https://ecs.office.com/config/v2/Office/onenote/16.0.16026.20146/Production/CC?&Clientid=%7bD61AB268-C26A-439D-BB15-2A0DEDFCA6A3%7d&Application=onenote&Platform=win32&Version=16.0.16026.20146&MsoVersion=16.0.16026.20002&SDX=fa000000002.2.0.1907.31003&SDX=fa000000005.1.0.1909.30011&SDX=fa000000006.1.0.1909.13002&SDX=fa000000008.1.0.1908.16006&SDX=fa000000009.1.0.1908.6002&SDX=fa000000016.1.0.1810.13001&SDX=fa000000029.1.0.1906.25001&SDX=fa000000033.1.0.1908.24001&SDX=wa104381125.1.0.1810.9001&ProcessName=onenote.exe&Audience=Production&Build=ship&Architecture=x64&Language=en-US&SubscriptionLicense=false&PerpetualLicense=2019&LicenseCategory=6&LicenseSKU=OneNoteFreeRetail&OsVersion=10.0&OsBuild=19045&Channel=CC&InstallType=C2R&SessionId=%7b942950D5-4F31-46D3-988C-0F3B929B7F6B%7d&LabMachine=false
unknown
binary
350 Kb
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
6944
svchost.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:137
whitelisted
5488
MoUsoCoreWorker.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
5984
RUXIMICS.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:138
whitelisted
6944
svchost.exe
23.53.40.176:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
5488
MoUsoCoreWorker.exe
23.53.40.176:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
5984
RUXIMICS.exe
23.53.40.176:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
300
ONENOTE.EXE
52.109.28.46:443
officeclient.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
GB
whitelisted
5488
MoUsoCoreWorker.exe
184.30.21.171:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 40.127.240.158
  • 51.124.78.146
whitelisted
google.com
  • 142.250.185.206
whitelisted
crl.microsoft.com
  • 23.53.40.176
  • 23.53.40.178
whitelisted
officeclient.microsoft.com
  • 52.109.28.46
whitelisted
www.microsoft.com
  • 184.30.21.171
whitelisted
ecs.office.com
  • 52.113.194.132
whitelisted
self.events.data.microsoft.com
  • 20.42.73.26
  • 20.44.10.122
whitelisted
www.bing.com
  • 2.23.209.182
  • 2.23.209.130
  • 2.23.209.187
  • 2.23.209.133
whitelisted

Threats

No threats detected
Process
Message
ONENOTE.EXE
WebView2: Failed to find an installed WebView2 runtime or non-stable Microsoft Edge installation.
ONENOTE.EXE
WebView2: Failed to find an installed WebView2 runtime or non-stable Microsoft Edge installation.
ONENOTE.EXE
WebView2: Failed to find an installed WebView2 runtime or non-stable Microsoft Edge installation.
ONENOTE.EXE
WebView2: Failed to find an installed WebView2 runtime or non-stable Microsoft Edge installation.
ONENOTE.EXE
WebView2: Failed to find an installed WebView2 runtime or non-stable Microsoft Edge installation.
ONENOTE.EXE
WebView2: Failed to find an installed WebView2 runtime or non-stable Microsoft Edge installation.
ONENOTE.EXE
WebView2: Failed to find an installed WebView2 runtime or non-stable Microsoft Edge installation.
ONENOTE.EXE
WebView2: Failed to find an installed WebView2 runtime or non-stable Microsoft Edge installation.
ONENOTE.EXE
WebView2: Failed to find an installed WebView2 runtime or non-stable Microsoft Edge installation.
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
review.one