File name:	setup.exe
Full analysis:	https://app.any.run/tasks/cd5df27b-25a6-4237-bfed-d09d5f99e693
Verdict:	Malicious activity
Threats:	A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. Malware Trends Tracker >>>
Analysis date:	July 31, 2024, 18:37:22
OS:	Windows 10 Professional (build: 19045, 64 bit)
Tags:	antivm crypto-regex loader
Indicators:
MIME:	application/x-dosexec
File info:	PE32+ executable (GUI) x86-64, for MS Windows
MD5:	78A218091D0B04AB3EA7DD6D18CD1823
SHA1:	FB0395085FC5AC9F2D25367B4E22634236B566B7
SHA256:	1B58C8A39519DC0B14E37F8D7C3DCAE7917A2F8C991C688B8D02D7633A2B961B
SSDEEP:	98304:qU9MYRNac5TmJHpbwEneE8LOsWaOhja/cIdgEo+bpveARgKaG1EgvELxUbPBH1sx:yfafY8BCpgkoQg6/Gy

.exe	\|	Win64 Executable (generic) (87.3)
.exe	\|	Generic Win/DOS Executable (6.3)
.exe	\|	DOS Executable Generic (6.3)

MachineType:	AMD AMD64
TimeStamp:	0000:00:00 00:00:00
ImageFileCharacteristics:	Executable, Large address aware
PEType:	PE32+
LinkerVersion:	3
CodeSize:	23433216
InitializedDataSize:	1644032
UninitializedDataSize:	-
EntryPoint:	0x7b840
OSVersion:	6.1
ImageVersion:	1
SubsystemVersion:	6.1
Subsystem:	Windows GUI


(PID) Process:	(3864) MicrosoftEdgeUpdate.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\EdgeUpdate
Operation:	delete value	Name:	eulaaccepted
Value:
(PID) Process:	(3864) MicrosoftEdgeUpdate.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\EdgeUpdate
Operation:	write	Name:	path
Value: C:\Users\admin\AppData\Local\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
(PID) Process:	(3864) MicrosoftEdgeUpdate.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\EdgeUpdate
Operation:	write	Name:	UninstallCmdLine
Value: "C:\Users\admin\AppData\Local\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /uninstall
(PID) Process:	(3864) MicrosoftEdgeUpdate.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\EdgeUpdate\Clients\{F3C4FE00-EFD5-403B-9569-398A20F1BA4A}
Operation:	write	Name:	pv
Value: 1.3.195.15
(PID) Process:	(3864) MicrosoftEdgeUpdate.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\EdgeUpdate\Clients\{F3C4FE00-EFD5-403B-9569-398A20F1BA4A}
Operation:	write	Name:	name
Value: Microsoft Edge Update
(PID) Process:	(3864) MicrosoftEdgeUpdate.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\EdgeUpdate\ClientState\{F3C4FE00-EFD5-403B-9569-398A20F1BA4A}
Operation:	write	Name:	pv
Value: 1.3.195.15
(PID) Process:	(3864) MicrosoftEdgeUpdate.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation:	write	Name:	Microsoft Edge Update
Value: "C:\Users\admin\AppData\Local\Microsoft\EdgeUpdate\1.3.195.15\MicrosoftEdgeUpdateCore.exe"
(PID) Process:	(3864) MicrosoftEdgeUpdate.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\EdgeUpdate
Operation:	write	Name:	edgeupdate_task_name_c
Value: MicrosoftEdgeUpdateTaskUserS-1-5-21-1693682860-607145093-2874071422-1001Core{C1AEFA6B-3132-4B63-8CB3-B41BFEE003BE}
(PID) Process:	(3864) MicrosoftEdgeUpdate.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\EdgeUpdate
Operation:	write	Name:	edgeupdate_task_name_ua
Value: MicrosoftEdgeUpdateTaskUserS-1-5-21-1693682860-607145093-2874071422-1001UA{83ED7437-E783-4063-9092-8F6E73A9D69C}
(PID) Process:	(1984) MicrosoftEdgeUpdateComRegisterShell64.exe	Key:	HKEY_CLASSES_ROOT\CLSID\{81093D63-7825-417B-BFC8-ADC63FA4E53D}\InprocServer32
Operation:	write	Name:	ThreadingModel
Value: Both

PID	Process	Filename		Type
5104	MicrosoftEdgeWebview2Setup.exe	C:\Users\admin\AppData\Local\Temp\EU10CF.tmp\MicrosoftEdgeUpdateBroker.exe		executable
		MD5:31E1C773732A9CD1AB781205E39CF865	SHA256:3E90C66D0D00E294B9B51EC3ED7F846975D93736D424DA3C253A2238E63CFB33
2628	setup.exe	C:\Users\admin\AppData\Local\Temp\MicrosoftEdgeWebview2Setup.exe		executable
		MD5:45E5CA74B9AE3C3FC6F6A63C609783B6	SHA256:B4AFD37B9087DF7E041AE749FD0FA342926D9CCE533BDE9CDC4283132C3820A9
5104	MicrosoftEdgeWebview2Setup.exe	C:\Users\admin\AppData\Local\Temp\EU10CF.tmp\MicrosoftEdgeUpdate.exe		executable
		MD5:136E8226D68856DA40A4F60E70581B72	SHA256:B4B8A2F87EE9C5F731189FE9F622CB9CD18FA3D55B0E8E0AE3C3A44A0833709F
5104	MicrosoftEdgeWebview2Setup.exe	C:\Users\admin\AppData\Local\Temp\EU10CF.tmp\MicrosoftEdgeUpdateComRegisterShell64.exe		executable
		MD5:205590D4FB4B1914D2853AB7A9839CCF	SHA256:5F82471D58B6E700248D9602CE4A0A5CDA4D2E2863EF1EB9FEE4EFFCC07F3767
5104	MicrosoftEdgeWebview2Setup.exe	C:\Users\admin\AppData\Local\Temp\EU10CF.tmp\psmachine_64.dll		executable
		MD5:D8D6BE5B6DA998E0048955A7F5727AFE	SHA256:ADF25844A96EFA821CB5A5816CC61C3C41F0D6B57BCA2F4EF55DF808B67B7D40
5104	MicrosoftEdgeWebview2Setup.exe	C:\Users\admin\AppData\Local\Temp\EU10CF.tmp\MicrosoftEdgeComRegisterShellARM64.exe		executable
		MD5:B69894FC1C3F26C77B1826EF8B5A9FC5	SHA256:B91BAD4C618EB6049B19364F62827470095E30519D07F4E0F2CCC387DDD5F1BF
5104	MicrosoftEdgeWebview2Setup.exe	C:\Users\admin\AppData\Local\Temp\EU10CF.tmp\psuser_arm64.dll		executable
		MD5:8794441685051F17888531456541FA32	SHA256:A5E702A398C0890447E01047CD0360CAEAA6A3B8A92E0755B807858BEE4B9C0A
5104	MicrosoftEdgeWebview2Setup.exe	C:\Users\admin\AppData\Local\Temp\EU10CF.tmp\psuser.dll		executable
		MD5:C31C15567530C4B121EBEC83973C6F7D	SHA256:17762EFA738632BCD376456F9E0C2331CFFD875208F9AD8D428BFD09785EB240
5104	MicrosoftEdgeWebview2Setup.exe	C:\Users\admin\AppData\Local\Temp\EU10CF.tmp\MicrosoftEdgeUpdateOnDemand.exe		executable
		MD5:D0373E02A529653013865E392C417471	SHA256:D4CB47B4444BE38BB6DCADC8BC9CACC029CB73A66BC7AF152C1C4CA022446AA4
5104	MicrosoftEdgeWebview2Setup.exe	C:\Users\admin\AppData\Local\Temp\EU10CF.tmp\psmachine.dll		executable
		MD5:F1101C00EAAC144AA67F4A9334BB6F23	SHA256:40D41C46A3E927E98BEEAD383624EFBE2FAF2CCBD0FA8F08C012DFD5FE36913A

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
—	—	GET	301	23.35.229.160:443	https://go.microsoft.com/fwlink/p/?LinkId=2124703	unknown	—	—	—
6720	svchost.exe	HEAD	200	2.22.242.122:80	http://msedge.f.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/01a02d0e-9d8d-47a3-8c36-9bf38dabe21a?P1=1723055908&P2=404&P3=2&P4=Ohwaw0Gy0K78SBg1tEz8ccTadQmbJfbFuCc2J%2bZTSTegSlAQL2pggk6eJAeVYI1wLAVdM3vPN3SF0IDg5yzoxA%3d%3d	unknown	—	—	whitelisted
—	—	GET	304	13.107.42.16:443	https://config.edge.skype.com/config/v1/EdgeUpdate/1.3.195.15?clientId=s:BAD99146-31D3-4EC6-A1A4-BE76F32BA5D4&appChannel_webview=5&appConsentState_webview=0&appDayOfInstall_webview=-1&appInactivityBadgeApplied_webview=0&appInactivityBadgeCleared_webview=0&appInactivityBadgeDuration_webview=0&appInstallTimeDiffSec_webview=-86400&appIsPinnedSystem_webview=false&appLang_webview=en&appLastLaunchCount_webview=0&appLastLaunchTime_webview=0&appLastLaunchTimeJson_webview=0&appLastLaunchTimeDaysAgo_webview=0&appVersion_webview=126.0.2592.113&appUpdateCheckIsUpdateDisabled_webview=false&appUpdatesAllowedForMeteredNetworks_webview=false&hwDiskType=2&hwHasSsse3=true&hwLogicalCpus=4&hwPhysmemory=4&isCTADevice=false&isMsftDomainJoined=false&oemProductManufacturer=DELL&oemProductName=DELL&osArch=x64&osIsDefaultNetworkConnectionMetered=false&osIsInLockdownMode=false&osIsWIP=false&osPlatform=win&osProductType=48&osVersion=10.0.19045.4046&requestCheckPeriodSec=-1&requestDomainJoined=false&requestInstallSource=taggedmi&requestIsMachine=false&requestOmahaShellVersion=1.3.195.15&requestOmahaVersion=1.3.195.15	unknown	—	—	—
6720	svchost.exe	GET	200	2.22.242.122:80	http://msedge.f.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/01a02d0e-9d8d-47a3-8c36-9bf38dabe21a?P1=1723055908&P2=404&P3=2&P4=Ohwaw0Gy0K78SBg1tEz8ccTadQmbJfbFuCc2J%2bZTSTegSlAQL2pggk6eJAeVYI1wLAVdM3vPN3SF0IDg5yzoxA%3d%3d	unknown	—	—	whitelisted
—	—	GET	304	40.127.169.103:443	https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL	unknown	—	—	—
6720	svchost.exe	GET	206	199.232.214.172:80	http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/873489b1-33b2-480a-baa2-641b9e09edcd?P1=1722624388&P2=404&P3=2&P4=lLa1%2fW5OPNCaKhfayzGPZUFCQXuDJ6xnCcSitfBiR6xM6GKXYvu9WOO9pEMQsalVp%2fvb%2bnxgFF5txPXSgyqomg%3d%3d	unknown	—	—	whitelisted
6720	svchost.exe	GET	206	199.232.214.172:80	http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/873489b1-33b2-480a-baa2-641b9e09edcd?P1=1722624388&P2=404&P3=2&P4=lLa1%2fW5OPNCaKhfayzGPZUFCQXuDJ6xnCcSitfBiR6xM6GKXYvu9WOO9pEMQsalVp%2fvb%2bnxgFF5txPXSgyqomg%3d%3d	unknown	—	—	whitelisted
6720	svchost.exe	HEAD	200	199.232.214.172:80	http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/dfeb2940-49d3-4f29-8fd8-d984a787dc6e?P1=1722624389&P2=404&P3=2&P4=Duxok7cFv092OJoHIMOcrzWovl0jcQQKJbJeCKvG58zXfb6OC8J5q%2bS34xV28HObnIFFeXYafPilCAAdfGpjXQ%3d%3d	unknown	—	—	whitelisted
6720	svchost.exe	GET	206	199.232.214.172:80	http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/873489b1-33b2-480a-baa2-641b9e09edcd?P1=1722624388&P2=404&P3=2&P4=lLa1%2fW5OPNCaKhfayzGPZUFCQXuDJ6xnCcSitfBiR6xM6GKXYvu9WOO9pEMQsalVp%2fvb%2bnxgFF5txPXSgyqomg%3d%3d	unknown	—	—	whitelisted
6720	svchost.exe	GET	206	199.232.214.172:80	http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/873489b1-33b2-480a-baa2-641b9e09edcd?P1=1722624388&P2=404&P3=2&P4=lLa1%2fW5OPNCaKhfayzGPZUFCQXuDJ6xnCcSitfBiR6xM6GKXYvu9WOO9pEMQsalVp%2fvb%2bnxgFF5txPXSgyqomg%3d%3d	unknown	—	—	whitelisted

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:138	—	—	—	whitelisted
—	—	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
—	—	239.255.255.250:1900	—	—	—	whitelisted
4	System	192.168.100.255:137	—	—	—	whitelisted
—	—	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
2628	setup.exe	23.35.238.131:443	go.microsoft.com	AKAMAI-AS	DE	unknown
2628	setup.exe	152.199.21.175:443	msedge.sf.dl.delivery.mp.microsoft.com	EDGECAST	DE	whitelisted
2180	MicrosoftEdgeUpdate.exe	13.107.42.16:443	config.edge.skype.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
6372	MicrosoftEdgeUpdate.exe	23.102.129.60:443	msedge.api.cdp.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	unknown
6720	svchost.exe	2.22.242.122:80	msedge.f.tlu.dl.delivery.mp.microsoft.com	Akamai International B.V.	DE	unknown

Domain	IP	Reputation
settings-win.data.microsoft.com	4.231.128.59 51.104.136.2	whitelisted
google.com	142.250.181.238	whitelisted
go.microsoft.com	23.35.238.131	whitelisted
msedge.sf.dl.delivery.mp.microsoft.com	152.199.21.175	whitelisted
config.edge.skype.com	13.107.42.16	whitelisted
msedge.api.cdp.microsoft.com	23.102.129.60	whitelisted
msedge.f.tlu.dl.delivery.mp.microsoft.com	2.22.242.122 2.22.242.227	whitelisted
edge.microsoft.com	204.79.197.239 13.107.21.239	whitelisted
msedge.b.tlu.dl.delivery.mp.microsoft.com	199.232.214.172 199.232.210.172 23.48.23.66 23.48.23.43 23.48.23.7	whitelisted
slscr.update.microsoft.com	52.165.165.26	whitelisted

PID	Process	Class	Message
—	—	Misc activity	ET USER_AGENTS Go HTTP Client User-Agent
—	—	Misc activity	ET USER_AGENTS Go HTTP Client User-Agent
—	—	Potential Corporate Privacy Violation	ET POLICY PE EXE or DLL Windows file download HTTP
—	—	Misc activity	ET INFO Request for EXE via GO HTTP Client
6720	svchost.exe	Potential Corporate Privacy Violation	ET POLICY PE EXE or DLL Windows file download HTTP

General Info

setup.exe

78A218091D0B04AB3EA7DD6D18CD1823

FB0395085FC5AC9F2D25367B4E22634236B566B7

1B58C8A39519DC0B14E37F8D7C3DCAE7917A2F8C991C688B8D02D7633A2B961B

98304:qU9MYRNac5TmJHpbwEneE8LOsWaOhja/cIdgEo+bpveARgKaG1EgvELxUbPBH1sx:yfafY8BCpgkoQg6/Gy

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Drops the executable file immediately after the start

Changes the autorun value in the registry

Scans artifacts that could help determine the target

The DLL Hijacking

SUSPICIOUS

There is functionality for VM detection (VMWare)

There is functionality for VM detection (antiVM strings)

There is functionality for VM detection (VirtualBox)

Found regular expressions for crypto-addresses (YARA)

Process drops legitimate windows executable

Starts a Microsoft application from unusual location

Executable content was dropped or overwritten

Starts itself from another location

Creates/Modifies COM task schedule object

Reads the date of Windows installation

Reads security settings of Internet Explorer

Application launched itself

Potential Corporate Privacy Violation

Checks Windows Trust Settings

Searches for installed software

Creates a software uninstall entry

Read disk information to detect sandboxing environments

Uses WMIC.EXE to obtain a list of video controllers

Get information on the list of running processes

Accesses video controller name via WMI (SCRIPT)

The process executes via Task Scheduler

INFO

Reads the computer name

Checks supported languages

Reads Environment values

Reads the machine GUID from the registry

Reads the software policy settings

Create files in a temporary directory

Creates files or folders in the user directory

Checks proxy server information

Drops the executable file immediately after the start

Process checks computer location settings

Reads security settings of Internet Explorer

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules