URL:

https://gofile.io/d/CgG9kz

Full analysis: https://app.any.run/tasks/0d81a7bc-a037-45a1-b103-85075cc1dcb0
Verdict: Malicious activity
Threats:

MetaStealer is an info-stealing malware primarily targeting sensitive data like login credentials, payment details, and browser history. It typically infects systems via phishing emails or malicious downloads and can exfiltrate data to a command and control (C2) server. MetaStealer is known for its stealthy techniques, including evasion and persistence mechanisms, which make it difficult to detect. This malware has been actively used in various cyberattacks, particularly for financial theft and credential harvesting from individuals and organizations.

Malware Trends Tracker     >>>
Analysis date: January 28, 2025, 19:29:52
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
fileshare
python
arch-exec
stealer
redline
metastealer
pyinstaller
Indicators:
MD5:

6709310323FE255ADDEE0A5D967FA51D

SHA1:

A8486D585B8A35C003360DD97A1F98F1AC31DAFF

SHA256:

4C377D183D16FF256156C51D4C42069FC5829F8760C1FEF6D2EEA232B502E13D

SSDEEP:

3:N8rxL1Sn:2Zsn

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Changes the autorun value in the registry

      • setup.exe (PID: 8024)

    • Actions looks like stealing of personal data

      • newfile (1).exe (PID: 7700)
      • Fortnitevbucks.exe (PID: 7220)

    • Connects to the CnC server

      • Fortnitevbucks.exe (PID: 7220)

    • REDLINE has been detected (SURICATA)

      • Fortnitevbucks.exe (PID: 7220)

    • METASTEALER has been detected (SURICATA)

      • Fortnitevbucks.exe (PID: 7220)

    • Steals credentials from Web Browsers

      • Fortnitevbucks.exe (PID: 7220)

  • SUSPICIOUS

    • Process drops python dynamic module

      • newfile (1).exe (PID: 6056)

    • Executable content was dropped or overwritten

      • newfile (1).exe (PID: 6056)
      • updater.exe (PID: 6936)
      • updater.exe (PID: 6692)
      • setup.exe (PID: 8024)
      • 132.0.6834.111_chrome_installer.exe (PID: 7652)
      • newfile (1).exe (PID: 7700)

    • Process drops legitimate windows executable

      • newfile (1).exe (PID: 6056)

    • The process drops C-runtime libraries

      • newfile (1).exe (PID: 6056)

    • Application launched itself

      • newfile (1).exe (PID: 6056)
      • updater.exe (PID: 6936)
      • updater.exe (PID: 6692)
      • updater.exe (PID: 6768)
      • setup.exe (PID: 8024)
      • setup.exe (PID: 7056)
      • cmd.exe (PID: 7028)
      • cmd.exe (PID: 880)
      • cmd.exe (PID: 3736)
      • cmd.exe (PID: 7036)
      • cmd.exe (PID: 5208)
      • cmd.exe (PID: 3564)
      • cmd.exe (PID: 6728)
      • cmd.exe (PID: 7388)
      • cmd.exe (PID: 3724)
      • cmd.exe (PID: 7648)
      • updater.exe (PID: 6748)

    • Loads Python modules

      • newfile (1).exe (PID: 7700)

    • Executes as Windows Service

      • updater.exe (PID: 6692)
      • updater.exe (PID: 6768)
      • updater.exe (PID: 6748)

    • Reads security settings of Internet Explorer

      • updater.exe (PID: 6936)

    • Checks Windows Trust Settings

      • updater.exe (PID: 6936)

    • Searches for installed software

      • setup.exe (PID: 8024)

    • Starts CMD.EXE for commands execution

      • newfile (1).exe (PID: 7700)
      • cmd.exe (PID: 5208)
      • cmd.exe (PID: 7028)
      • cmd.exe (PID: 880)
      • cmd.exe (PID: 3736)
      • cmd.exe (PID: 7036)
      • cmd.exe (PID: 6728)
      • cmd.exe (PID: 3564)
      • cmd.exe (PID: 7388)
      • cmd.exe (PID: 3724)
      • cmd.exe (PID: 7648)

    • Starts POWERSHELL.EXE for commands execution

      • cmd.exe (PID: 7640)
      • cmd.exe (PID: 7972)

    • The process bypasses the loading of PowerShell profile settings

      • cmd.exe (PID: 7640)
      • cmd.exe (PID: 7972)

    • Hides errors and continues executing the command without stopping

      • powershell.exe (PID: 7932)
      • powershell.exe (PID: 7656)

    • Creates a software uninstall entry

      • setup.exe (PID: 8024)
      • chrome.exe (PID: 848)

    • Manipulates environment variables

      • powershell.exe (PID: 7932)
      • powershell.exe (PID: 7656)

    • Uses TASKKILL.EXE to kill Browsers

      • newfile (1).exe (PID: 7700)

    • The executable file from the user directory is run by the CMD process

      • Fortnitevbucks.exe (PID: 7220)

    • Connects to unusual port

      • Fortnitevbucks.exe (PID: 7220)

  • INFO

    • Executable content was dropped or overwritten

      • msedge.exe (PID: 6508)
      • msedge.exe (PID: 6848)
      • msedge.exe (PID: 4036)

    • Application launched itself

      • msedge.exe (PID: 6508)
      • msedge.exe (PID: 4520)
      • chrome.exe (PID: 848)
      • chrome.exe (PID: 4540)

    • Checks supported languages

      • identity_helper.exe (PID: 7932)
      • identity_helper.exe (PID: 4320)
      • newfile (1).exe (PID: 6056)
      • newfile (1).exe (PID: 7700)
      • chrome_installer.exe (PID: 836)
      • updater.exe (PID: 6980)
      • updater.exe (PID: 6936)
      • updater.exe (PID: 6692)
      • updater.exe (PID: 6748)
      • updater.exe (PID: 6708)
      • updater.exe (PID: 6768)
      • setup.exe (PID: 8024)
      • setup.exe (PID: 7056)
      • setup.exe (PID: 5568)
      • 132.0.6834.111_chrome_installer.exe (PID: 7652)
      • setup.exe (PID: 6656)
      • elevation_service.exe (PID: 5460)
      • chromedriver.exe (PID: 2260)
      • updater.exe (PID: 6748)
      • Fortnitevbucks.exe (PID: 7220)
      • ShellExperienceHost.exe (PID: 5564)

    • Reads Environment values

      • identity_helper.exe (PID: 7932)
      • identity_helper.exe (PID: 4320)

    • Reads the computer name

      • identity_helper.exe (PID: 7932)
      • identity_helper.exe (PID: 4320)
      • newfile (1).exe (PID: 6056)
      • updater.exe (PID: 6936)
      • chrome_installer.exe (PID: 836)
      • newfile (1).exe (PID: 7700)
      • updater.exe (PID: 6692)
      • updater.exe (PID: 6768)
      • 132.0.6834.111_chrome_installer.exe (PID: 7652)
      • setup.exe (PID: 8024)
      • setup.exe (PID: 7056)
      • elevation_service.exe (PID: 5460)
      • chromedriver.exe (PID: 2260)
      • updater.exe (PID: 6748)
      • ShellExperienceHost.exe (PID: 5564)

    • Manual execution by a user

      • newfile (1).exe (PID: 6056)
      • chrome.exe (PID: 848)

    • The sample compiled with english language support

      • newfile (1).exe (PID: 6056)
      • 132.0.6834.111_chrome_installer.exe (PID: 7652)
      • setup.exe (PID: 8024)
      • msedge.exe (PID: 4036)

    • Create files in a temporary directory

      • newfile (1).exe (PID: 6056)
      • newfile (1).exe (PID: 7700)
      • updater.exe (PID: 6936)

    • Drops encrypted JS script (Microsoft Script Encoder)

      • newfile (1).exe (PID: 7700)

    • Checks proxy server information

      • newfile (1).exe (PID: 7700)
      • updater.exe (PID: 6936)

    • PyInstaller has been detected (YARA)

      • newfile (1).exe (PID: 7700)
      • newfile (1).exe (PID: 6056)

    • Creates files in the program directory

      • chrome_installer.exe (PID: 836)
      • updater.exe (PID: 6936)
      • updater.exe (PID: 6980)
      • updater.exe (PID: 6692)
      • updater.exe (PID: 6768)
      • setup.exe (PID: 8024)
      • setup.exe (PID: 7056)
      • updater.exe (PID: 6748)

    • Process checks whether UAC notifications are on

      • updater.exe (PID: 6936)
      • updater.exe (PID: 6692)
      • updater.exe (PID: 6768)
      • updater.exe (PID: 6748)

    • Creates files or folders in the user directory

      • updater.exe (PID: 6936)
      • newfile (1).exe (PID: 7700)

    • Reads the software policy settings

      • updater.exe (PID: 6936)
      • updater.exe (PID: 6768)
      • updater.exe (PID: 6748)

    • Reads the machine GUID from the registry

      • updater.exe (PID: 6936)
      • Fortnitevbucks.exe (PID: 7220)

    • Executes as Windows Service

      • elevation_service.exe (PID: 5460)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
314
Monitored processes
177
Malicious processes
8
Suspicious processes
13

Behavior graph

Click at the process to see the details
start msedge.exe msedge.exe no specs msedge.exe no specs msedge.exe msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs identity_helper.exe no specs identity_helper.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe msedge.exe no specs msedge.exe no specs msedge.exe msedge.exe no specs msedge.exe no specs msedge.exe no specs rundll32.exe no specs identity_helper.exe no specs identity_helper.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs newfile (1).exe conhost.exe no specs newfile (1).exe msedge.exe no specs msedge.exe no specs msedge.exe no specs chrome_installer.exe no specs updater.exe updater.exe no specs updater.exe updater.exe no specs updater.exe updater.exe no specs 132.0.6834.111_chrome_installer.exe setup.exe setup.exe no specs msedge.exe no specs setup.exe no specs setup.exe no specs chrome.exe cmd.exe no specs cmd.exe no specs cmd.exe no specs chrome.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs powershell.exe no specs chrome.exe no specs chrome.exe elevation_service.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs chrome.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs powershell.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs msedge.exe no specs chromedriver.exe no specs chrome.exe chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs updater.exe updater.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs taskkill.exe no specs cmd.exe no specs #REDLINE fortnitevbucks.exe msedge.exe msedge.exe no specs msedge.exe no specs msedge.exe no specs shellexperiencehost.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
128"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --user-data-dir="C:\WINDOWS\SystemTemp\scoped_dir2260_1657151687" --enable-dinosaur-easter-egg-alt-images --enable-automation --remote-debugging-port=0 --test-type=webdriver --allow-pre-commit-input --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4296,i,7091719202022148074,16066033494866851331,262144 --variations-seed-version --enable-logging=handle --log-file=4316 --log-level=0 --mojo-platform-channel-handle=4312 /prefetch:1C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
LOW
Description:
Google Chrome
Exit code:
0
Version:
132.0.6834.111
Modules
Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\google\chrome\application\132.0.6834.111\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
188"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler --user-data-dir=C:\WINDOWS\SystemTemp\scoped_dir2260_1657151687 /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\WINDOWS\SystemTemp\scoped_dir2260_1657151687\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=132.0.6834.111 --initial-client-data=0x21c,0x220,0x224,0x1f8,0x228,0x7ff81f58dcf8,0x7ff81f58dd04,0x7ff81f58dd10C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
HIGH
Description:
Google Chrome
Exit code:
0
Version:
132.0.6834.111
Modules
Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
420"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=4956 --field-trial-handle=2688,i,380573842231731327,15397607467759442169,262144 --variations-seed-version /prefetch:8C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exemsedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
836C:\Users\admin\AppData\Local\Temp\chrome_installer.exeC:\Users\admin\AppData\Local\Temp\chrome_installer.exenewfile (1).exe
User:
admin
Company:
Google LLC
Integrity Level:
HIGH
Description:
Google Installer
Exit code:
0
Version:
131.0.6776.0
Modules
Images
c:\users\admin\appdata\local\temp\chrome_installer.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
848"C:\Program Files\Google\Chrome\Application\chrome.exe" --from-installerC:\Program Files\Google\Chrome\Application\chrome.exe
explorer.exe
User:
admin
Company:
Google LLC
Integrity Level:
MEDIUM
Description:
Google Chrome
Exit code:
1
Version:
132.0.6834.111
Modules
Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
880C:\WINDOWS\system32\cmd.exe /c "(dir 2>&1 *`|echo CMD);&<# rem #>echo powershell"C:\Windows\System32\cmd.exenewfile (1).exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
936"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --disable-quic --string-annotations --field-trial-handle=7084,i,2346638001520927497,11584432257196100056,262144 --variations-seed-version --mojo-platform-channel-handle=7092 /prefetch:8C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
LOW
Description:
Google Chrome
Exit code:
0
Version:
132.0.6834.111
Modules
Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\google\chrome\application\132.0.6834.111\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
1020"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --disable-quic --message-loop-type-ui --string-annotations --field-trial-handle=6864,i,2346638001520927497,11584432257196100056,262144 --variations-seed-version --mojo-platform-channel-handle=4412 /prefetch:8C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
MEDIUM
Description:
Google Chrome
Exit code:
0
Version:
132.0.6834.111
Modules
Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
1200"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=9 --field-trial-handle=4972,i,2346638001520927497,11584432257196100056,262144 --variations-seed-version --mojo-platform-channel-handle=4900 /prefetch:1C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
LOW
Description:
Google Chrome
Exit code:
1
Version:
132.0.6834.111
Modules
Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\google\chrome\application\132.0.6834.111\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
1356"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=2900 --field-trial-handle=2688,i,380573842231731327,15397607467759442169,262144 --variations-seed-version /prefetch:8C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exemsedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
Total events
46 293
Read events
46 001
Write events
259
Delete events
33

Modification events

(PID) Process:(6508) msedge.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\EdgeUpdate\ClientStateMedium\{56EB18F8-B008-4CBD-B6D2-8C97FE7E9062}\LastWasDefault
Operation:writeName:S-1-5-21-1693682860-607145093-2874071422-1001
Value:
F2F07A805F8B2F00
(PID) Process:(6508) msedge.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\EdgeUpdate\ClientStateMedium\{56EB18F8-B008-4CBD-B6D2-8C97FE7E9062}\LastWasDefault
Operation:writeName:S-1-5-21-1693682860-607145093-2874071422-1001
Value:
E0CF82805F8B2F00
(PID) Process:(6508) msedge.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\BLBeacon
Operation:writeName:failed_count
Value:
0
(PID) Process:(6508) msedge.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\BLBeacon
Operation:writeName:state
Value:
2
(PID) Process:(6508) msedge.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\BLBeacon
Operation:writeName:state
Value:
1
(PID) Process:(6508) msedge.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\StabilityMetrics
Operation:writeName:user_experience_metrics.stability.exited_cleanly
Value:
0
(PID) Process:(6508) msedge.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\EdgeUpdate\ClientStateMedium\{56EB18F8-B008-4CBD-B6D2-8C97FE7E9062}\LastWasDefault
Operation:writeName:S-1-5-21-1693682860-607145093-2874071422-1001
Value:
B32AC9805F8B2F00
(PID) Process:(6508) msedge.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\Profiles
Operation:writeName:EnhancedLinkOpeningDefault
Value:
Default
(PID) Process:(6508) msedge.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowProperties\328372
Operation:writeName:WindowTabManagerFileMappingId
Value:
{3E482220-6BB0-4078-BB45-C4C22E05149D}
(PID) Process:(6508) msedge.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowProperties\328372
Operation:writeName:WindowTabManagerFileMappingId
Value:
{35AAE091-88B9-4F0E-B64E-1CD660B2C0C3}
Executable files
106
Suspicious files
528
Text files
211
Unknown types
1

Dropped files

PID
Process
Filename
Type
6508msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\discounts_db\LOG.old~RF135cc9.TMP
MD5:
SHA256:
6508msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\discounts_db\LOG.old
MD5:
SHA256:
6508msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\parcel_tracking_db\LOG.old~RF135cc9.TMP
MD5:
SHA256:
6508msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\parcel_tracking_db\LOG.old
MD5:
SHA256:
6508msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\commerce_subscription_db\LOG.old~RF135ce8.TMP
MD5:
SHA256:
6508msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\commerce_subscription_db\LOG.old
MD5:
SHA256:
6508msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\EdgePushStorageWithConnectTokenAndKey\LOG.old~RF135cd9.TMP
MD5:
SHA256:
6508msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\EdgePushStorageWithConnectTokenAndKey\LOG.old
MD5:
SHA256:
6508msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\PersistentOriginTrials\LOG.old~RF135cd9.TMP
MD5:
SHA256:
6508msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\PersistentOriginTrials\LOG.old
MD5:
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
24
TCP/UDP connections
108
DNS requests
116
Threats
36

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
GET
200
2.16.241.12:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
GET
200
23.37.237.227:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
1176
svchost.exe
GET
200
2.17.190.73:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
5064
SearchApp.exe
GET
200
184.30.131.245:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D
unknown
whitelisted
7052
SIHClient.exe
GET
200
23.37.237.227:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
whitelisted
7052
SIHClient.exe
GET
200
23.37.237.227:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
6936
updater.exe
GET
200
142.250.186.67:80
http://ocsp.pki.goog/gsr1/MFEwTzBNMEswSTAJBgUrDgMCGgUABBS3V7W2nAf4FiMTjpDJKg6%2BMgGqMQQUYHtmGkUNl8qJUC99BM00qP%2F8%2FUsCEHe9DWzbNvka6iEPxPBY0w0%3D
unknown
whitelisted
6936
updater.exe
GET
200
142.250.186.67:80
http://c.pki.goog/r/r1.crl
unknown
whitelisted
7160
svchost.exe
HEAD
200
2.19.11.122:80
http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/6ca9004c-2afd-40c0-a9b1-4fec460952e5?P1=1738133231&P2=404&P3=2&P4=EVQEfk94jg9Ww0RQ%2fa0%2bfqelfnADkRbNCm1CZ08AqHJhTGrNmyKv7QHBqebhOWcL0Y3Refk7vtRXXNqFnyDw9w%3d%3d
unknown
whitelisted
6936
updater.exe
GET
200
142.250.186.67:80
http://o.pki.goog/wr2/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRTQtSEi8EX%2BbYUTXd8%2ByMxD3s1zQQU3hse7XkV1D43JMMhu%2Bw0OW1CsjACEENj6GAUNBVpEvo20UE38mc%3D
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
4712
MoUsoCoreWorker.exe
51.124.78.146:443
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
51.124.78.146:443
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
2.16.241.12:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
23.37.237.227:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
5160
svchost.exe
51.124.78.146:443
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
4
System
192.168.100.255:138
whitelisted
5064
SearchApp.exe
2.16.204.135:443
www.bing.com
Akamai International B.V.
DE
whitelisted
5064
SearchApp.exe
184.30.131.245:80
ocsp.digicert.com
AKAMAI-AS
US
whitelisted
6508
msedge.exe
239.255.255.250:1900
whitelisted

DNS requests

Domain
IP
Reputation
google.com
  • 172.217.18.110
whitelisted
crl.microsoft.com
  • 2.16.241.12
  • 2.16.241.19
whitelisted
www.microsoft.com
  • 23.37.237.227
whitelisted
www.bing.com
  • 2.16.204.135
  • 2.16.204.153
  • 2.16.204.152
  • 2.16.204.138
  • 2.16.204.161
  • 2.16.204.158
  • 2.16.204.146
  • 2.16.204.141
  • 2.21.65.132
  • 2.21.65.153
  • 2.21.65.149
  • 2.21.65.130
  • 2.21.65.154
  • 2.21.65.146
  • 2.21.65.159
  • 2.21.65.157
  • 2.21.65.137
whitelisted
ocsp.digicert.com
  • 184.30.131.245
  • 2.17.190.73
whitelisted
config.edge.skype.com
  • 13.107.42.16
whitelisted
edge.microsoft.com
  • 204.79.197.239
  • 13.107.21.239
whitelisted
edge-mobile-static.azureedge.net
  • 13.107.253.45
whitelisted
gofile.io
  • 51.91.7.6
  • 45.112.123.126
whitelisted
business.bing.com
  • 13.107.6.158
whitelisted

Threats

PID
Process
Class
Message
6848
msedge.exe
Potentially Bad Traffic
ET FILE_SHARING Online File Storage Domain in DNS Lookup (gofile .io)
6848
msedge.exe
Potentially Bad Traffic
ET FILE_SHARING Online File Storage Domain in DNS Lookup (gofile .io)
6848
msedge.exe
Misc activity
ET FILE_SHARING File Sharing Related Domain in TLS SNI (gofile .io)
6848
msedge.exe
Potentially Bad Traffic
ET FILE_SHARING Online File Storage Domain in DNS Lookup (gofile .io)
6848
msedge.exe
Potentially Bad Traffic
ET FILE_SHARING Online File Storage Domain in DNS Lookup (gofile .io)
6848
msedge.exe
Potentially Bad Traffic
ET FILE_SHARING Online File Storage Domain in DNS Lookup (gofile .io)
6848
msedge.exe
Potentially Bad Traffic
ET FILE_SHARING Online File Storage Domain in DNS Lookup (gofile .io)
6848
msedge.exe
Misc activity
ET FILE_SHARING File Sharing Related Domain in TLS SNI (gofile .io)
6848
msedge.exe
Misc activity
ET FILE_SHARING File Sharing Related Domain in TLS SNI (gofile .io)
6848
msedge.exe
Potentially Bad Traffic
ET FILE_SHARING Online File Storage Domain in DNS Lookup (gofile .io)
Process
Message
chrome.exe
RecursiveDirectoryCreate( C:\WINDOWS\SystemTemp\scoped_dir2260_1657151687 directory exists )
Fortnitevbucks.exe
%s------------------------------------------------ --- Themida Professional --- --- (c)2012 Oreans Technologies --- ------------------------------------------------
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
https://gofile.io/d/CgG9kz