| File name: | darkguard_0.1.0_x64-setup.exe |
| Full analysis: | https://app.any.run/tasks/e21215e3-ed9c-48a9-9afe-785a95dde82e |
| Verdict: | Malicious activity |
| Threats: | A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. |
| Analysis date: | February 03, 2026, 02:56:28 |
| OS: | Windows 10 Professional (build: 19044, 64 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/vnd.microsoft.portable-executable |
| File info: | PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive, 5 sections |
| MD5: | 57963CD0C8613D7CEBB7216E5FC5CB2D |
| SHA1: | C8177AD2390A752F07202E1E74C29D15E664888B |
| SHA256: | 230B91DD4ECB22CA7333C3ED76032A392AC3EE1CE07813A12DD04665D58DB24D |
| SSDEEP: | 98304:x0z13sQ3jThjAGDbqYn8ho15qtKWSLBH8gq+gaPOKkDMwtAFZFSmCpP9bfTVHZO8:qxxy |
MALICIOUS
Changes settings of System certificates
- msiexec.exe (PID: 1368)
Run PowerShell with an invisible window
- powershell.exe (PID: 2288)
- powershell.exe (PID: 1092)
SUSPICIOUS
Malware-specific behavior (creating "System.dll" in Temp)
- darkguard_0.1.0_x64-setup.exe (PID: 7392)
The process creates files with name similar to system file names
- darkguard_0.1.0_x64-setup.exe (PID: 7392)
Searches for installed software
- darkguard_0.1.0_x64-setup.exe (PID: 7392)
- setup.exe (PID: 6332)
- msedgewebview2.exe (PID: 8320)
Executable content was dropped or overwritten
- darkguard_0.1.0_x64-setup.exe (PID: 7392)
- MicrosoftEdgeWebview2Setup.exe (PID: 3516)
- MicrosoftEdge_X64_144.0.3719.93.exe (PID: 5524)
- setup.exe (PID: 6332)
- powershell.exe (PID: 9072)
- wireguard.exe (PID: 752)
Starts a Microsoft application from unusual location
- MicrosoftEdgeWebview2Setup.exe (PID: 3516)
- MicrosoftEdgeUpdate.exe (PID: 3088)
Process drops legitimate windows executable
- darkguard_0.1.0_x64-setup.exe (PID: 7392)
- MicrosoftEdgeWebview2Setup.exe (PID: 3516)
- MicrosoftEdgeUpdate.exe (PID: 3088)
- MicrosoftEdge_X64_144.0.3719.93.exe (PID: 5524)
- setup.exe (PID: 6332)
Starts itself from another location
- MicrosoftEdgeUpdate.exe (PID: 3088)
Creates/Modifies COM task schedule object
- MicrosoftEdgeUpdate.exe (PID: 2760)
- MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 6920)
- MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 7476)
- MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 6644)
Executes as Windows Service
- MicrosoftEdgeUpdate.exe (PID: 8572)
- wireguard.exe (PID: 7204)
- wireguard.exe (PID: 752)
Application launched itself
- MicrosoftEdgeUpdate.exe (PID: 8572)
- setup.exe (PID: 6332)
- msedgewebview2.exe (PID: 8320)
- msiexec.exe (PID: 1368)
- wireguard.exe (PID: 7204)
- wireguard.exe (PID: 8372)
- msedgewebview2.exe (PID: 8824)
The process bypasses the loading of PowerShell profile settings
- DarkGuard.exe (PID: 3636)
- DarkGuard.exe (PID: 8964)
Downloads file from URI via Powershell
- powershell.exe (PID: 9072)
Starts POWERSHELL.EXE for commands execution
- DarkGuard.exe (PID: 3636)
- DarkGuard.exe (PID: 8964)
Starts process via Powershell
- powershell.exe (PID: 6896)
- powershell.exe (PID: 2288)
- powershell.exe (PID: 1092)
Adds/modifies Windows certificates
- msiexec.exe (PID: 1368)
Reads the Windows owner or organization settings
- msiexec.exe (PID: 1368)
Disables SEHOP
- MicrosoftEdgeUpdate.exe (PID: 3088)
Reads the date of Windows installation
- wireguard.exe (PID: 8372)
Drops a system driver (possible attempt to evade defenses)
- wireguard.exe (PID: 752)
- drvinst.exe (PID: 1128)
Starts SC.EXE for service management
- DarkGuard.exe (PID: 8964)
Windows service management via SC.EXE
- sc.exe (PID: 1084)
- sc.exe (PID: 4352)
- sc.exe (PID: 4728)
- sc.exe (PID: 1760)
- sc.exe (PID: 7704)
- sc.exe (PID: 148)
- sc.exe (PID: 3548)
- sc.exe (PID: 3436)
- sc.exe (PID: 8340)
- sc.exe (PID: 3048)
- sc.exe (PID: 2288)
- sc.exe (PID: 8740)
- sc.exe (PID: 5356)
- sc.exe (PID: 5180)
- sc.exe (PID: 4140)
- sc.exe (PID: 3048)
- sc.exe (PID: 4696)
- sc.exe (PID: 7156)
- sc.exe (PID: 1524)
- sc.exe (PID: 7280)
- sc.exe (PID: 1792)
- sc.exe (PID: 6552)
- sc.exe (PID: 7524)
- sc.exe (PID: 8824)
- sc.exe (PID: 7724)
- sc.exe (PID: 4024)
- sc.exe (PID: 3032)
- sc.exe (PID: 1868)
- sc.exe (PID: 2232)
- sc.exe (PID: 6404)
- sc.exe (PID: 8032)
- sc.exe (PID: 2148)
- sc.exe (PID: 9064)
- sc.exe (PID: 6036)
INFO
The sample compiled with english language support
- darkguard_0.1.0_x64-setup.exe (PID: 7392)
- MicrosoftEdgeWebview2Setup.exe (PID: 3516)
- MicrosoftEdgeUpdate.exe (PID: 3088)
- setup.exe (PID: 6332)
- MicrosoftEdge_X64_144.0.3719.93.exe (PID: 5524)
- powershell.exe (PID: 9072)
- msiexec.exe (PID: 1368)
- wireguard.exe (PID: 752)
- drvinst.exe (PID: 1128)
Checks supported languages
- darkguard_0.1.0_x64-setup.exe (PID: 7392)
- MicrosoftEdgeWebview2Setup.exe (PID: 3516)
- MicrosoftEdgeUpdate.exe (PID: 1044)
- MicrosoftEdgeUpdate.exe (PID: 2760)
- MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 6920)
- MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 6644)
- MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 7476)
- MicrosoftEdgeUpdate.exe (PID: 3088)
- MicrosoftEdgeUpdate.exe (PID: 7664)
- MicrosoftEdgeUpdate.exe (PID: 8824)
- MicrosoftEdgeUpdate.exe (PID: 8788)
- MicrosoftEdgeUpdate.exe (PID: 8572)
- MicrosoftEdge_X64_144.0.3719.93.exe (PID: 5524)
- setup.exe (PID: 4804)
- MicrosoftEdgeUpdate.exe (PID: 5780)
- setup.exe (PID: 6332)
- msedgewebview2.exe (PID: 8556)
- DarkGuard.exe (PID: 3636)
- msedgewebview2.exe (PID: 8320)
- msedgewebview2.exe (PID: 2252)
- msedgewebview2.exe (PID: 7636)
- msedgewebview2.exe (PID: 6352)
- msedgewebview2.exe (PID: 2248)
- msiexec.exe (PID: 1368)
- msiexec.exe (PID: 7448)
- msiexec.exe (PID: 1836)
- wireguard.exe (PID: 7304)
- wireguard.exe (PID: 5448)
- wireguard.exe (PID: 7204)
- wireguard.exe (PID: 8372)
- DarkGuard.exe (PID: 8964)
- msedgewebview2.exe (PID: 6848)
- msedgewebview2.exe (PID: 8824)
- msedgewebview2.exe (PID: 5484)
- msedgewebview2.exe (PID: 4728)
- msedgewebview2.exe (PID: 5392)
- msedgewebview2.exe (PID: 1400)
- wireguard.exe (PID: 752)
- drvinst.exe (PID: 1824)
- wireguard.exe (PID: 3552)
- drvinst.exe (PID: 1128)
- wg.exe (PID: 8428)
- wg.exe (PID: 8400)
- wg.exe (PID: 2220)
- wg.exe (PID: 8536)
- wg.exe (PID: 5160)
- wg.exe (PID: 4760)
- wg.exe (PID: 1856)
- wg.exe (PID: 8520)
- wg.exe (PID: 3988)
- wg.exe (PID: 3644)
- wg.exe (PID: 4072)
- wg.exe (PID: 9068)
- wg.exe (PID: 2340)
- wg.exe (PID: 2220)
- wg.exe (PID: 8436)
- msedgewebview2.exe (PID: 1340)
- wg.exe (PID: 8660)
- wg.exe (PID: 5580)
- wg.exe (PID: 8264)
- wg.exe (PID: 8196)
- wg.exe (PID: 3188)
- wg.exe (PID: 7992)
- wg.exe (PID: 6992)
- wg.exe (PID: 7860)
- wg.exe (PID: 6804)
- wg.exe (PID: 6440)
- wg.exe (PID: 7280)
- wg.exe (PID: 5680)
- wg.exe (PID: 8408)
- msedgewebview2.exe (PID: 1876)
- wg.exe (PID: 4604)
- wg.exe (PID: 6392)
- curl.exe (PID: 8140)
- wireguard.exe (PID: 6332)
Reads the computer name
- darkguard_0.1.0_x64-setup.exe (PID: 7392)
- MicrosoftEdgeUpdate.exe (PID: 3088)
- MicrosoftEdgeUpdate.exe (PID: 1044)
- MicrosoftEdgeUpdate.exe (PID: 2760)
- MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 6920)
- MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 6644)
- MicrosoftEdgeUpdate.exe (PID: 7664)
- MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 7476)
- MicrosoftEdgeUpdate.exe (PID: 8824)
- MicrosoftEdgeUpdate.exe (PID: 8572)
- MicrosoftEdgeUpdate.exe (PID: 8788)
- MicrosoftEdge_X64_144.0.3719.93.exe (PID: 5524)
- setup.exe (PID: 6332)
- MicrosoftEdgeUpdate.exe (PID: 5780)
- DarkGuard.exe (PID: 3636)
- msedgewebview2.exe (PID: 8320)
- msedgewebview2.exe (PID: 2252)
- msedgewebview2.exe (PID: 7636)
- msiexec.exe (PID: 1368)
- msiexec.exe (PID: 7448)
- msiexec.exe (PID: 1836)
- wireguard.exe (PID: 5448)
- wireguard.exe (PID: 7204)
- wireguard.exe (PID: 7304)
- wireguard.exe (PID: 8372)
- DarkGuard.exe (PID: 8964)
- msedgewebview2.exe (PID: 8824)
- wireguard.exe (PID: 3552)
- wireguard.exe (PID: 752)
- drvinst.exe (PID: 1128)
- drvinst.exe (PID: 1824)
- curl.exe (PID: 8140)
- msedgewebview2.exe (PID: 1876)
- wireguard.exe (PID: 6332)
Create files in a temporary directory
- darkguard_0.1.0_x64-setup.exe (PID: 7392)
- MicrosoftEdgeUpdate.exe (PID: 3088)
- msedgewebview2.exe (PID: 8320)
- DarkGuard.exe (PID: 8964)
Checks proxy server information
- darkguard_0.1.0_x64-setup.exe (PID: 7392)
- MicrosoftEdgeUpdate.exe (PID: 7664)
- msedgewebview2.exe (PID: 8320)
- powershell.exe (PID: 9072)
- slui.exe (PID: 5164)
Creates files in the program directory
- MicrosoftEdgeWebview2Setup.exe (PID: 3516)
- MicrosoftEdge_X64_144.0.3719.93.exe (PID: 5524)
- setup.exe (PID: 6332)
- darkguard_0.1.0_x64-setup.exe (PID: 7392)
- wireguard.exe (PID: 7204)
- DarkGuard.exe (PID: 8964)
Process checks computer location settings
- MicrosoftEdgeUpdate.exe (PID: 3088)
- setup.exe (PID: 6332)
- msedgewebview2.exe (PID: 8320)
- msedgewebview2.exe (PID: 2248)
- wireguard.exe (PID: 8372)
- msedgewebview2.exe (PID: 5484)
Reads Environment values
- MicrosoftEdgeUpdate.exe (PID: 7664)
- MicrosoftEdgeUpdate.exe (PID: 8788)
- MicrosoftEdgeUpdate.exe (PID: 5780)
- msedgewebview2.exe (PID: 8320)
There is functionality for taking screenshot (YARA)
- darkguard_0.1.0_x64-setup.exe (PID: 7392)
Reads security settings of Internet Explorer
- MicrosoftEdgeUpdate.exe (PID: 3088)
- msedgewebview2.exe (PID: 8320)
- wireguard.exe (PID: 8372)
Drops script file
- setup.exe (PID: 6332)
- powershell.exe (PID: 9072)
- powershell.exe (PID: 6896)
- powershell.exe (PID: 2288)
- powershell.exe (PID: 1092)
Creates a software uninstall entry
- setup.exe (PID: 6332)
- darkguard_0.1.0_x64-setup.exe (PID: 7392)
- msiexec.exe (PID: 1368)
Creates files or folders in the user directory
- msedgewebview2.exe (PID: 8320)
- msedgewebview2.exe (PID: 8556)
- msedgewebview2.exe (PID: 7636)
- msiexec.exe (PID: 1368)
- msedgewebview2.exe (PID: 1876)
Reads the machine GUID from the registry
- msedgewebview2.exe (PID: 8320)
- msiexec.exe (PID: 1368)
- wireguard.exe (PID: 7204)
- wireguard.exe (PID: 8372)
- drvinst.exe (PID: 1128)
- msedgewebview2.exe (PID: 1876)
Disables trace logs
- powershell.exe (PID: 9072)
The sample compiled with chinese language support
- powershell.exe (PID: 9072)
- msiexec.exe (PID: 1368)
Executable content was dropped or overwritten
- msiexec.exe (PID: 1368)
Manual execution by a user
- DarkGuard.exe (PID: 8964)
- cmd.exe (PID: 8400)
Execution of CURL command
- cmd.exe (PID: 8400)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .exe | | | Win32 Executable MS Visual C++ (generic) (67.4) |
|---|---|---|
| .dll | | | Win32 Dynamic Link Library (generic) (14.2) |
| .exe | | | Win32 Executable (generic) (9.7) |
| .exe | | | Generic Win/DOS Executable (4.3) |
| .exe | | | DOS Executable Generic (4.3) |
EXIF
EXE
| MachineType: | Intel 386 or later, and compatibles |
|---|---|
| TimeStamp: | 2025:03:08 23:05:20+00:00 |
| ImageFileCharacteristics: | No relocs, Executable, No line numbers, No symbols, 32-bit |
| PEType: | PE32 |
| LinkerVersion: | 6 |
| CodeSize: | 26624 |
| InitializedDataSize: | 139776 |
| UninitializedDataSize: | 2048 |
| EntryPoint: | 0x369f |
| OSVersion: | 4 |
| ImageVersion: | 6 |
| SubsystemVersion: | 4 |
| Subsystem: | Windows GUI |
| FileVersionNumber: | 0.1.0.0 |
| ProductVersionNumber: | 0.1.0.0 |
| FileFlagsMask: | 0x0000 |
| FileFlags: | (none) |
| FileOS: | Win32 |
| ObjectFileType: | Executable application |
| FileSubtype: | - |
| LanguageCode: | English (U.S.) |
| CharacterSet: | Unicode |
| FileDescription: | darkguard |
| FileVersion: | 0.1.0 |
| LegalCopyright: | - |
| ProductName: | darkguard |
| ProductVersion: | 0.1.0 |
Total processes
350
Monitored processes
188
Malicious processes
4
Suspicious processes
4
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 148 | "sc" query WireGuardTunnel$cloudflare | C:\Windows\System32\sc.exe | — | DarkGuard.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Service Control Manager Configuration Tool Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 752 | "C:\Program Files\WireGuard\wireguard.exe" /tunnelservice C:\Users\admin\AppData\Local\Temp\cloudflare.conf | C:\Program Files\WireGuard\wireguard.exe | services.exe | ||||||||||||
User: SYSTEM Company: WireGuard LLC Integrity Level: SYSTEM Description: WireGuard: Fast, Modern, Secure VPN Tunnel Exit code: 0 Version: 0.5.3 Modules
| |||||||||||||||
| 876 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | powershell.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Console Window Host Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 888 | C:\WINDOWS\system32\SppExtComObj.exe -Embedding | C:\Windows\System32\SppExtComObj.Exe | — | svchost.exe | |||||||||||
User: NETWORK SERVICE Company: Microsoft Corporation Integrity Level: SYSTEM Description: KMS Connection Broker Version: 10.0.19041.3996 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 1044 | "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /regsvc | C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe | — | MicrosoftEdgeUpdate.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Microsoft Edge Update Exit code: 0 Version: 1.3.217.3 Modules
| |||||||||||||||
| 1084 | "sc" query WireGuardTunnel$cloudflare | C:\Windows\System32\sc.exe | — | DarkGuard.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Service Control Manager Configuration Tool Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 1092 | "powershell" -NoProfile -Command "Start-Process 'C:\Program Files\WireGuard\wireguard.exe' -ArgumentList '/uninstalltunnelservice', 'cloudflare' -Verb RunAs -WindowStyle Hidden -Wait" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | — | DarkGuard.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Windows PowerShell Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 1128 | DrvInst.exe "4" "9" "C:\WINDOWS\Temp\20fd762521a3b73c22f36d3fa26728d7cf2cb03caa0b4be4bab0b5a6fd696395\wireguard.inf" "9" "43f3a2977" "00000000000001CC" "Service-0x0-3e7$\Default" "00000000000001D4" "208" "C:\WINDOWS\Temp\20fd762521a3b73c22f36d3fa26728d7cf2cb03caa0b4be4bab0b5a6fd696395" | C:\Windows\System32\drvinst.exe | — | svchost.exe | |||||||||||
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Driver Installation Module Exit code: 0 Version: 10.0.19041.3996 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 1128 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | sc.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Console Window Host Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 1340 | "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\144.0.3719.93\msedgewebview2.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --noerrdialogs --user-data-dir="C:\Users\admin\AppData\Local\systems.banat.darkguard\EBWebView" --webview-exe-name=DarkGuard.exe --webview-exe-version=0.1.0 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=2 --skip-read-main-dll --metrics-shmem-handle=4120,i,11456158096244038381,11692542832399373015,524288 --field-trial-handle=1860,i,9190552724943748697,17610928704542699058,262144 --disable-features=msPdfOOUI,msSmartScreenProtection,msWebOOUI --variations-seed-version --trace-process-track-uuid=3190708995682289984 --mojo-platform-channel-handle=4108 /prefetch:8 | C:\Program Files (x86)\Microsoft\EdgeWebView\Application\144.0.3719.93\msedgewebview2.exe | — | msedgewebview2.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: LOW Description: Microsoft Edge WebView2 Exit code: 0 Version: 144.0.3719.93 Modules
| |||||||||||||||
Total events
53 162
Read events
50 735
Write events
2 262
Delete events
165
Modification events
| (PID) Process: | (1044) MicrosoftEdgeUpdate.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{CECDDD22-2E72-4832-9606-A9B0E5E344B2} |
| Operation: | delete key | Name: | (default) |
Value: | |||
| (PID) Process: | (1044) MicrosoftEdgeUpdate.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\MicrosoftEdgeUpdate.exe |
| Operation: | delete key | Name: | (default) |
Value: | |||
| (PID) Process: | (1044) MicrosoftEdgeUpdate.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\MicrosoftEdgeUpdate.exe |
| Operation: | write | Name: | AppID |
Value: {CECDDD22-2E72-4832-9606-A9B0E5E344B2} | |||
| (PID) Process: | (1044) MicrosoftEdgeUpdate.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{CECDDD22-2E72-4832-9606-A9B0E5E344B2} |
| Operation: | write | Name: | LocalService |
Value: edgeupdate | |||
| (PID) Process: | (1044) MicrosoftEdgeUpdate.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{CECDDD22-2E72-4832-9606-A9B0E5E344B2} |
| Operation: | write | Name: | ServiceParameters |
Value: /comsvc | |||
| (PID) Process: | (1044) MicrosoftEdgeUpdate.exe | Key: | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Application\edgeupdate |
| Operation: | write | Name: | EventMessageFile |
Value: C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.217.3\msedgeupdate.dll | |||
| (PID) Process: | (1044) MicrosoftEdgeUpdate.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CECDDD22-2E72-4832-9606-A9B0E5E344B2}\ProgID |
| Operation: | delete key | Name: | (default) |
Value: | |||
| (PID) Process: | (1044) MicrosoftEdgeUpdate.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CECDDD22-2E72-4832-9606-A9B0E5E344B2}\VersionIndependentProgID |
| Operation: | delete key | Name: | (default) |
Value: | |||
| (PID) Process: | (1044) MicrosoftEdgeUpdate.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CECDDD22-2E72-4832-9606-A9B0E5E344B2} |
| Operation: | delete key | Name: | (default) |
Value: | |||
| (PID) Process: | (1044) MicrosoftEdgeUpdate.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CECDDD22-2E72-4832-9606-A9B0E5E344B2} |
| Operation: | write | Name: | AppID |
Value: {CECDDD22-2E72-4832-9606-A9B0E5E344B2} | |||
Executable files
231
Suspicious files
118
Text files
140
Unknown types
0
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 7392 | darkguard_0.1.0_x64-setup.exe | C:\Users\admin\AppData\Local\Temp\nsw50B0.tmp\modern-wizard.bmp | image | |
MD5:631227DF085BA169C1EC73327757EE1D | SHA256:E92EC1F4F133E41F1A2010788F05D567DE720A809D5091BBD762EB29FDE8F17C | |||
| 3516 | MicrosoftEdgeWebview2Setup.exe | C:\Program Files (x86)\Microsoft\Temp\EU5FF0.tmp\MicrosoftEdgeUpdateOnDemand.exe | executable | |
MD5:AFF93DDDA4796969CCC666B27FFEBC2E | SHA256:C0FA7B89F6A590D27AF4EE253920663CE9B10B0384DCE16AF666B0186B165F9C | |||
| 3516 | MicrosoftEdgeWebview2Setup.exe | C:\Program Files (x86)\Microsoft\Temp\EU5FF0.tmp\MicrosoftEdgeUpdate.exe | executable | |
MD5:EC013A26B4CEEA8505B5E06645A4CBF4 | SHA256:DCA43FDE8ABDB0C0782F2777E03605C7030A8F415702C48ADDE64A44E07A0711 | |||
| 7392 | darkguard_0.1.0_x64-setup.exe | C:\Users\admin\AppData\Local\Temp\nsw50B0.tmp\nsDialogs.dll | executable | |
MD5:8F0E7415F33843431DF308BB8E06AF81 | SHA256:BB49F15FA83452370047A7801E39FC7F64E70C7545B8999BB85AA4749EAA048B | |||
| 3516 | MicrosoftEdgeWebview2Setup.exe | C:\Program Files (x86)\Microsoft\Temp\EU5FF0.tmp\CopilotUpdate.exe | executable | |
MD5:3C709C9F20D2817BA2595B7B22A743B0 | SHA256:EEEA69973B36D977F80E5BBBEF3B0B3B914C5E9E52236E4057FBC5EB001FC913 | |||
| 7392 | darkguard_0.1.0_x64-setup.exe | C:\Users\admin\AppData\Local\Temp\nsw50B0.tmp\NSISdl.dll | executable | |
MD5:8EABBE36E8B52E69322780D0F541FD19 | SHA256:DDF40229DD9D6B268902D8DEA88C8A04AACF1AF218DD29F6DCD35BABC54AC08D | |||
| 3516 | MicrosoftEdgeWebview2Setup.exe | C:\Program Files (x86)\Microsoft\Temp\EU5FF0.tmp\msedgeupdate.dll | executable | |
MD5:05A084F88F628C5EAD832619EB9E5E77 | SHA256:275F6BF9750EDED145E37B11DFA7C0580C88036E80C21395E8A4A77C66D51090 | |||
| 7392 | darkguard_0.1.0_x64-setup.exe | C:\Users\admin\AppData\Local\Temp\MicrosoftEdgeWebview2Setup.exe | executable | |
MD5:2A03C75247273698224AEECC32D71735 | SHA256:D75E4FB20D4E8AB50AB77D43C139AA0F654ECCA9C504552761EFB435917A01E5 | |||
| 3516 | MicrosoftEdgeWebview2Setup.exe | C:\Program Files (x86)\Microsoft\Temp\EU5FF0.tmp\MicrosoftEdgeComRegisterShellARM64.exe | executable | |
MD5:0F03C139157B7EB1800B348ED6AA8EE2 | SHA256:F6380AA1F4694AD5B413504E326C06EA72C2F9A2398FD30E0CE99A5F21479DD9 | |||
| 3516 | MicrosoftEdgeWebview2Setup.exe | C:\Program Files (x86)\Microsoft\Temp\EU5FF0.tmp\MicrosoftEdgeUpdateComRegisterShell64.exe | executable | |
MD5:36C60AC823BFF242FA1D4242D3FF6142 | SHA256:3CD8B4669F1E9EB22CBA842E79CE8A35F19E278D38E2D042D66752AD8EA75317 | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
52
TCP/UDP connections
54
DNS requests
40
Threats
4
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
6768 | MoUsoCoreWorker.exe | GET | 304 | 4.231.128.59:443 | https://settings-win.data.microsoft.com/settings/v3.0/OneSettings/Client?OSVersionFull=10.0.19045.4046.amd64fre.vb_release.191206-1406&LocalDeviceID=s%3ABAD99146-31D3-4EC6-A1A4-BE76F32BA5D4&FlightRing=Retail&AttrDataVer=186&OSUILocale=en-US&OSSkuId=48&App=WOSC&AppVer=&IsFlightingEnabled=0&TelemetryLevel=1&DeviceFamily=Windows.Desktop | US | — | — | whitelisted |
7428 | svchost.exe | GET | 304 | 4.231.128.59:443 | https://settings-win.data.microsoft.com/settings/v3.0/WSD/UpdateHealthTools?os=Windows&osVer=10.0.19041.1.amd64fre.vb_release.191206-&sku=48&deviceClass=Windows.Desktop&locale=en-US&deviceId=s:BAD99146-31D3-4EC6-A1A4-BE76F32BA5D4&sampleId=s:95271487&appVer=10.0.19041.3626&FlightRing=Retail&TelemetryLevel=1&HidOverGattReg=C%3A%5CWINDOWS%5CSystem32%5CDriverStore%5CFileRepository%5Chidbthle.inf_amd64_9610b4821fdf82a5%5CMicrosoft.Bluetooth.Profiles.HidOverGatt.dll&AppVer=&ProcessorIdentifier=AMD64%20Family%2023%20Model%201%20Stepping%202&OEMModel=DELL&UpdateOfferedDays=4294967295&ProcessorManufacturer=AuthenticAMD&InstallDate=1661339444&OEMModelBaseBoard=&BranchReadinessLevel=CB&OEMSubModel=J5CR&IsCloudDomainJoined=0&DeferFeatureUpdatePeriodInDays=30&IsDeviceRetailDemo=0&FlightingBranchName=&OSUILocale=en-US&DeviceFamily=Windows.Desktop&WuClientVer=10.0.19041.3996&UninstallActive=1&IsFlightingEnabled=0&OSSkuId=48&ProcessorClockSpeed=3094&TotalPhysicalRAM=6144&SecureBootCapable=0&App=SedimentPack&ProcessorCores=6&CurrentBranch=vb_release&InstallLanguage=en-US&DeferQualityUpdatePeriodInDays=0&OEMName_Uncleaned=DELL&TPMVersion=0&PrimaryDiskTotalCapacity=262144&InstallationType=Client&AttrDataVer=186&ProcessorModel=AMD%20Ryzen%205%203500%206-Core%20Processor&IsEdgeWithChromiumInstalled=1&OSVersion=10.0.19045.4046&IsMDMEnrolled=0&ActivationChannel=Retail&FirmwareVersion=A.40&TrendInstalledKey=1&OSArchitecture=AMD64&DefaultUserRegion=244&UpdateManagementGroup=2 | US | — | — | whitelisted |
4544 | SIHClient.exe | GET | 304 | 74.178.240.61:443 | https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL | US | — | — | whitelisted |
4544 | SIHClient.exe | GET | 200 | 40.69.42.241:443 | https://fe3cr.delivery.mp.microsoft.com/clientwebservice/ping | US | — | — | whitelisted |
4544 | SIHClient.exe | GET | 200 | 74.178.240.61:443 | https://slscr.update.microsoft.com/sls/ping | US | — | — | whitelisted |
4544 | SIHClient.exe | GET | 304 | 74.178.240.61:443 | https://slscr.update.microsoft.com/SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL | US | — | — | whitelisted |
7392 | darkguard_0.1.0_x64-setup.exe | GET | 301 | 88.221.169.205:80 | http://go.microsoft.com/fwlink/p/?LinkId=2124703 | US | — | — | whitelisted |
7392 | darkguard_0.1.0_x64-setup.exe | GET | 200 | 199.232.210.172:80 | http://msedge.sf.dl.delivery.mp.microsoft.com/filestreamingservice/files/6610a652-5edd-4c88-99ad-6d23094fd465/MicrosoftEdgeWebview2Setup.exe | US | executable | 1.60 Mb | whitelisted |
7664 | MicrosoftEdgeUpdate.exe | GET | 200 | 150.171.22.17:443 | https://config.edge.skype.com/config/v1/EdgeUpdate/1.3.217.3?clientId=s:BAD99146-31D3-4EC6-A1A4-BE76F32BA5D4&appChannel_edgeupdate=6&appConsentState_edgeupdate=0&appDayOfInstall_edgeupdate=0&appInactivityBadgeApplied_edgeupdate=0&appInactivityBadgeCleared_edgeupdate=0&appInactivityBadgeDuration_edgeupdate=0&appInstallTimeDiffSec_edgeupdate=0&appIsPinnedSystem_edgeupdate=false&appLastLaunchCount_edgeupdate=0&appLastLaunchTime_edgeupdate=0&appLastLaunchTimeJson_edgeupdate=0&appLastLaunchTimeDaysAgo_edgeupdate=0&appVersion_edgeupdate=1.3.217.3&appUpdateCheckIsUpdateDisabled_edgeupdate=false&appUpdatesAllowedForMeteredNetworks_edgeupdate=false&hwDiskType=2&hwHasSsse3=true&hwLogicalCpus=6&hwPhysmemory=6&isCTADevice=false&isMsftDomainJoined=false&oemProductManufacturer=DELL&oemProductName=DELL&osArch=x64&osIsDefaultNetworkConnectionMetered=false&osIsInLockdownMode=false&osIsWIP=false&osPlatform=win&osProductType=48&osVersion=10.0.19045.4046&requestCheckPeriodSec=-1&requestDomainJoined=false&requestInstallSource=otherinstallcmd&requestIsMachine=true&requestOmahaShellVersion=1.3.217.3&requestOmahaVersion=1.3.217.3 | US | text | 430 b | unknown |
8788 | MicrosoftEdgeUpdate.exe | GET | 200 | 150.171.22.17:443 | https://config.edge.skype.com/config/v1/EdgeUpdate/1.3.217.3?clientId=s:BAD99146-31D3-4EC6-A1A4-BE76F32BA5D4 | US | text | 415 b | unknown |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
7428 | svchost.exe | 51.124.78.146:443 | — | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted |
4 | System | 192.168.100.255:137 | — | Not routed | — | whitelisted |
876 | RUXIMICS.exe | 51.124.78.146:443 | — | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted |
6768 | MoUsoCoreWorker.exe | 51.124.78.146:443 | — | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted |
3412 | svchost.exe | 172.211.123.250:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted |
4 | System | 192.168.100.255:138 | — | Not routed | — | whitelisted |
7392 | darkguard_0.1.0_x64-setup.exe | 88.221.169.205:80 | go.microsoft.com | AKAMAI-AS | US | whitelisted |
7392 | darkguard_0.1.0_x64-setup.exe | 199.232.210.172:80 | msedge.sf.dl.delivery.mp.microsoft.com | FASTLY | US | whitelisted |
7664 | MicrosoftEdgeUpdate.exe | 150.171.22.17:443 | config.edge.skype.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted |
8788 | MicrosoftEdgeUpdate.exe | 150.171.22.17:443 | config.edge.skype.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted |
DNS requests
Domain | IP | Reputation |
|---|---|---|
self.events.data.microsoft.com |
| whitelisted |
google.com |
| whitelisted |
client.wns.windows.com |
| whitelisted |
go.microsoft.com |
| whitelisted |
msedge.sf.dl.delivery.mp.microsoft.com |
| whitelisted |
config.edge.skype.com |
| whitelisted |
msedge.api.cdp.microsoft.com |
| whitelisted |
login.live.com |
| whitelisted |
ocsp.digicert.com |
| whitelisted |
settings-win.data.microsoft.com |
| whitelisted |
Threats
PID | Process | Class | Message |
|---|---|---|---|
7392 | darkguard_0.1.0_x64-setup.exe | Misc activity | ET INFO Packed Executable Download |
7428 | svchost.exe | Unknown Traffic | ET USER_AGENTS Microsoft Dr Watson User-Agent (MSDW) |
6756 | svchost.exe | Misc activity | ET INFO Packed Executable Download |
9072 | powershell.exe | Not Suspicious Traffic | ET INFO Windows Powershell User-Agent Usage |
Process | Message |
|---|---|
msedgewebview2.exe | RecursiveDirectoryCreate( C:\Users\admin\AppData\Local\systems.banat.darkguard directory exists )
|
msedgewebview2.exe | RecursiveDirectoryCreate( C:\Users\admin\AppData\Local\systems.banat.darkguard\EBWebView directory exists )
|
msedgewebview2.exe | [0202/215847.875:ERROR:third_party\crashpad\crashpad\util\win\exception_handler_server.cc:529] ConnectNamedPipe: The pipe is being closed. (0xE8)
|