analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
URL:

static.adtidy.org/windows/setup.exe

Full analysis: https://app.any.run/tasks/2be21e96-9095-42d7-8966-7e6166d5ad26
Verdict: Malicious activity
Threats:

MetaStealer is an info-stealing malware primarily targeting sensitive data like login credentials, payment details, and browser history. It typically infects systems via phishing emails or malicious downloads and can exfiltrate data to a command and control (C2) server. MetaStealer is known for its stealthy techniques, including evasion and persistence mechanisms, which make it difficult to detect. This malware has been actively used in various cyberattacks, particularly for financial theft and credential harvesting from individuals and organizations.

Malware Trends Tracker     >>>
Analysis date: July 08, 2024, 05:00:01
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
netreactor
metastealer
crypto-regex
Indicators:
MD5:

466EC73FE0737549E42470D31F185C55

SHA1:

092E4220B6C5BE03B446DA925331DBF8116DE2A8

SHA256:

50C38F5C4BAD17295102F465676F03083BC48ECB936E779262B1BA6EC482BC35

SSDEEP:

3:NrMgXJIDAyL4A:1MgXSD7L4A

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Drops the executable file immediately after the start

      • setup.exe (PID: 2776)
      • setup.exe (PID: 2780)
      • adgSetup.exe (PID: 3004)
      • msiexec.exe (PID: 1404)
      • AdguardSvc.exe (PID: 2020)

    • Changes the autorun value in the registry

      • adgSetup.exe (PID: 3004)

    • METASTEALER has been detected (YARA)

      • setup.exe (PID: 2780)
      • AdguardSvc.exe (PID: 3036)
      • Adguard.exe (PID: 1892)
      • AdguardSvc.exe (PID: 2908)

    • Starts NET.EXE for service management

      • cmd.exe (PID: 2840)
      • net.exe (PID: 3872)

    • Creates a writable file in the system directory

      • AdguardSvc.exe (PID: 2908)

  • SUSPICIOUS

    • Process drops legitimate windows executable

      • setup.exe (PID: 2780)
      • rundll32.exe (PID: 3356)
      • rundll32.exe (PID: 2956)
      • rundll32.exe (PID: 2740)
      • msiexec.exe (PID: 1404)
      • rundll32.exe (PID: 4040)
      • rundll32.exe (PID: 1596)
      • rundll32.exe (PID: 3764)

    • Executable content was dropped or overwritten

      • setup.exe (PID: 2776)
      • setup.exe (PID: 2780)
      • adgSetup.exe (PID: 3004)
      • rundll32.exe (PID: 3356)
      • rundll32.exe (PID: 2956)
      • rundll32.exe (PID: 2740)
      • rundll32.exe (PID: 4040)
      • rundll32.exe (PID: 1596)
      • AdguardSvc.exe (PID: 2020)
      • rundll32.exe (PID: 3764)

    • The process creates files with name similar to system file names

      • setup.exe (PID: 2780)
      • msiexec.exe (PID: 1404)

    • Searches for installed software

      • setup.exe (PID: 2780)
      • adgSetup.exe (PID: 3004)

    • Adds/modifies Windows certificates

      • setup.exe (PID: 2780)
      • msiexec.exe (PID: 1404)
      • AdguardSvc.exe (PID: 2908)

    • Reads settings of System Certificates

      • setup.exe (PID: 2780)

    • Process requests binary or script from the Internet

      • setup.exe (PID: 2780)

    • Starts itself from another location

      • setup.exe (PID: 2780)

    • Reads the Internet Settings

      • setup.exe (PID: 2780)
      • Adguard.exe (PID: 1892)

    • Reads security settings of Internet Explorer

      • setup.exe (PID: 2780)
      • Adguard.exe (PID: 1892)
      • AdguardSvc.exe (PID: 2908)

    • Checks Windows Trust Settings

      • msiexec.exe (PID: 1404)
      • AdguardSvc.exe (PID: 2020)
      • AdguardSvc.exe (PID: 3036)
      • AdguardSvc.exe (PID: 3620)
      • AdguardSvc.exe (PID: 2908)

    • Reads the Windows owner or organization settings

      • msiexec.exe (PID: 1404)

    • Uses RUNDLL32.EXE to load library

      • msiexec.exe (PID: 3284)

    • Creates a software uninstall entry

      • adgSetup.exe (PID: 3004)

    • There is functionality for taking screenshot (YARA)

      • setup.exe (PID: 2780)
      • AdguardSvc.exe (PID: 3036)
      • Adguard.exe (PID: 1892)
      • AdguardSvc.exe (PID: 2908)

    • Starts CMD.EXE for commands execution

      • rundll32.exe (PID: 1596)

    • Drops a system driver (possible attempt to evade defenses)

      • AdguardSvc.exe (PID: 2020)

    • Executes as Windows Service

      • AdguardSvc.exe (PID: 2020)
      • AdguardSvc.exe (PID: 3620)
      • AdguardSvc.exe (PID: 3036)
      • AdguardSvc.exe (PID: 2908)

    • Starts SC.EXE for service management

      • setup.exe (PID: 2780)
      • Adguard.exe (PID: 1892)
      • AdguardSvc.exe (PID: 2908)

    • Creates files in the driver directory

      • AdguardSvc.exe (PID: 2908)

    • Found regular expressions for crypto-addresses (YARA)

      • AdguardSvc.exe (PID: 2908)

  • INFO

    • Checks supported languages

      • setup.exe (PID: 2776)
      • wmpnscfg.exe (PID: 3584)
      • setup.exe (PID: 2780)
      • adgSetup.exe (PID: 3004)
      • msiexec.exe (PID: 1404)
      • msiexec.exe (PID: 3284)
      • msiexec.exe (PID: 2764)
      • AdguardSvc.exe (PID: 2020)
      • AdguardSvc.exe (PID: 3620)
      • AdguardSvc.exe (PID: 3036)
      • Adguard.exe (PID: 1892)
      • Adguard.Tools.exe (PID: 2388)
      • AdguardSvc.exe (PID: 2908)
      • Adguard.BrowserExtensionHost.exe (PID: 3712)
      • Adguard.Tools.exe (PID: 2792)

    • Reads the computer name

      • setup.exe (PID: 2780)
      • wmpnscfg.exe (PID: 3584)
      • adgSetup.exe (PID: 3004)
      • msiexec.exe (PID: 1404)
      • msiexec.exe (PID: 3284)
      • msiexec.exe (PID: 2764)
      • AdguardSvc.exe (PID: 2020)
      • AdguardSvc.exe (PID: 3620)
      • AdguardSvc.exe (PID: 3036)
      • Adguard.exe (PID: 1892)
      • Adguard.Tools.exe (PID: 2388)
      • AdguardSvc.exe (PID: 2908)
      • Adguard.BrowserExtensionHost.exe (PID: 3712)
      • Adguard.Tools.exe (PID: 2792)

    • Drops the executable file immediately after the start

      • msedge.exe (PID: 3348)
      • rundll32.exe (PID: 3356)
      • rundll32.exe (PID: 2956)
      • rundll32.exe (PID: 4040)
      • rundll32.exe (PID: 2740)
      • rundll32.exe (PID: 1596)
      • rundll32.exe (PID: 3764)

    • Manual execution by a user

      • setup.exe (PID: 2776)
      • wmpnscfg.exe (PID: 3584)
      • chrome.exe (PID: 3068)
      • Adguard.exe (PID: 1892)

    • The process uses the downloaded file

      • msedge.exe (PID: 3632)

    • Create files in a temporary directory

      • setup.exe (PID: 2780)
      • adgSetup.exe (PID: 3004)
      • msiexec.exe (PID: 1404)

    • Executable content was dropped or overwritten

      • msedge.exe (PID: 3348)
      • msiexec.exe (PID: 1404)

    • Application launched itself

      • msedge.exe (PID: 3348)
      • msiexec.exe (PID: 1404)
      • chrome.exe (PID: 3068)

    • Reads the machine GUID from the registry

      • setup.exe (PID: 2780)
      • adgSetup.exe (PID: 3004)
      • msiexec.exe (PID: 3284)
      • msiexec.exe (PID: 1404)
      • msiexec.exe (PID: 2764)
      • AdguardSvc.exe (PID: 2020)
      • AdguardSvc.exe (PID: 3620)
      • AdguardSvc.exe (PID: 3036)
      • Adguard.exe (PID: 1892)
      • Adguard.Tools.exe (PID: 2388)
      • AdguardSvc.exe (PID: 2908)
      • Adguard.BrowserExtensionHost.exe (PID: 3712)
      • Adguard.Tools.exe (PID: 2792)

    • Disables trace logs

      • setup.exe (PID: 2780)
      • AdguardSvc.exe (PID: 2908)

    • Reads Environment values

      • setup.exe (PID: 2780)
      • Adguard.exe (PID: 1892)
      • AdguardSvc.exe (PID: 2908)

    • Creates files in the program directory

      • setup.exe (PID: 2780)
      • adgSetup.exe (PID: 3004)
      • AdguardSvc.exe (PID: 2020)
      • AdguardSvc.exe (PID: 3036)
      • AdguardSvc.exe (PID: 3620)
      • Adguard.exe (PID: 1892)
      • Adguard.Tools.exe (PID: 2388)
      • AdguardSvc.exe (PID: 2908)
      • Adguard.BrowserExtensionHost.exe (PID: 3712)
      • Adguard.Tools.exe (PID: 2792)

    • Reads the software policy settings

      • setup.exe (PID: 2780)
      • msiexec.exe (PID: 1404)
      • AdguardSvc.exe (PID: 2020)
      • AdguardSvc.exe (PID: 3036)
      • AdguardSvc.exe (PID: 3620)
      • AdguardSvc.exe (PID: 2908)

    • .NET Reactor protector has been detected

      • setup.exe (PID: 2780)
      • AdguardSvc.exe (PID: 3036)
      • Adguard.exe (PID: 1892)
      • AdguardSvc.exe (PID: 2908)

    • Reads Microsoft Office registry keys

      • rundll32.exe (PID: 3356)

    • Dropped object may contain TOR URL's

      • msiexec.exe (PID: 1404)
      • AdguardSvc.exe (PID: 2908)

    • Creates a software uninstall entry

      • msiexec.exe (PID: 1404)

    • Creates files or folders in the user directory

      • Adguard.exe (PID: 1892)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
114
Monitored processes
57
Malicious processes
10
Suspicious processes
2

Behavior graph

Click at the process to see the details
start msedge.exe msedge.exe no specs msedge.exe no specs msedge.exe msedge.exe no specs msedge.exe no specs msedge.exe no specs wmpnscfg.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs setup.exe THREAT setup.exe adgsetup.exe msiexec.exe msiexec.exe no specs rundll32.exe rundll32.exe rundll32.exe rundll32.exe msiexec.exe no specs rundll32.exe ie4uinit.exe no specs cmd.exe no specs net.exe no specs net1.exe no specs adguardsvc.exe rundll32.exe sc.exe no specs chrome.exe chrome.exe no specs chrome.exe no specs chrome.exe chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs adguardsvc.exe chrome.exe no specs THREAT adguardsvc.exe THREAT adguard.exe sc.exe no specs adguard.tools.exe THREAT adguardsvc.exe adguard.browserextensionhost.exe sc.exe no specs sc.exe no specs adguard.tools.exe

Process information

PID
CMD
Path
Indicators
Parent process
3348"C:\Program Files\Microsoft\Edge\Application\msedge.exe" "static.adtidy.org/windows/setup.exe"C:\Program Files\Microsoft\Edge\Application\msedge.exe
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Edge
Exit code:
0
Version:
109.0.1518.115
Modules
Images
c:\program files\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\microsoft\edge\application\109.0.1518.115\msedge_elf.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
3392"C:\Program Files\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=109.0.5414.149 "--annotation=exe=C:\Program Files\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win32 "--annotation=prod=Microsoft Edge" --annotation=ver=109.0.1518.115 --initial-client-data=0xc8,0xcc,0xd0,0x9c,0xd8,0x6b05f598,0x6b05f5a8,0x6b05f5b4C:\Program Files\Microsoft\Edge\Application\msedge.exemsedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Edge
Exit code:
0
Version:
109.0.1518.115
Modules
Images
c:\program files\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\microsoft\edge\application\109.0.1518.115\msedge_elf.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
3100"C:\Program Files\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=900 --field-trial-handle=1364,i,1755127950683982140,401079909404922000,131072 /prefetch:2C:\Program Files\Microsoft\Edge\Application\msedge.exemsedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
109.0.1518.115
Modules
Images
c:\program files\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\microsoft\edge\application\109.0.1518.115\msedge_elf.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
2944"C:\Program Files\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1552 --field-trial-handle=1364,i,1755127950683982140,401079909404922000,131072 /prefetch:3C:\Program Files\Microsoft\Edge\Application\msedge.exe
msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Edge
Exit code:
0
Version:
109.0.1518.115
Modules
Images
c:\program files\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\microsoft\edge\application\109.0.1518.115\msedge_elf.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
2076"C:\Program Files\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=1624 --field-trial-handle=1364,i,1755127950683982140,401079909404922000,131072 /prefetch:8C:\Program Files\Microsoft\Edge\Application\msedge.exemsedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
109.0.1518.115
Modules
Images
c:\program files\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\microsoft\edge\application\109.0.1518.115\msedge_elf.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
2900"C:\Program Files\Microsoft\Edge\Application\msedge.exe" --type=renderer --first-renderer-process --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2184 --field-trial-handle=1364,i,1755127950683982140,401079909404922000,131072 /prefetch:1C:\Program Files\Microsoft\Edge\Application\msedge.exemsedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
109.0.1518.115
Modules
Images
c:\program files\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\microsoft\edge\application\109.0.1518.115\msedge_elf.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
3176"C:\Program Files\Microsoft\Edge\Application\msedge.exe" --type=renderer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2228 --field-trial-handle=1364,i,1755127950683982140,401079909404922000,131072 /prefetch:1C:\Program Files\Microsoft\Edge\Application\msedge.exemsedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
109.0.1518.115
Modules
Images
c:\program files\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\microsoft\edge\application\109.0.1518.115\msedge_elf.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
3584"C:\Program Files\Windows Media Player\wmpnscfg.exe"C:\Program Files\Windows Media Player\wmpnscfg.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Media Player Network Sharing Service Configuration Application
Exit code:
0
Version:
12.0.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\program files\windows media player\wmpnscfg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
3080"C:\Program Files\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --mojo-platform-channel-handle=2812 --field-trial-handle=1364,i,1755127950683982140,401079909404922000,131072 /prefetch:8C:\Program Files\Microsoft\Edge\Application\msedge.exemsedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
109.0.1518.115
Modules
Images
c:\program files\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\microsoft\edge\application\109.0.1518.115\msedge_elf.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
3084"C:\Program Files\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3728 --field-trial-handle=1364,i,1755127950683982140,401079909404922000,131072 /prefetch:8C:\Program Files\Microsoft\Edge\Application\msedge.exemsedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
109.0.1518.115
Modules
Images
c:\program files\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\microsoft\edge\application\109.0.1518.115\msedge_elf.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
Total events
78 982
Read events
78 343
Write events
590
Delete events
49

Modification events

(PID) Process:(3348) msedge.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Edge\BLBeacon
Operation:writeName:failed_count
Value:
0
(PID) Process:(3348) msedge.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Edge\BLBeacon
Operation:writeName:state
Value:
2
(PID) Process:(3348) msedge.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Edge\ThirdParty
Operation:writeName:StatusCodes
Value:
(PID) Process:(3348) msedge.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Edge\ThirdParty
Operation:writeName:StatusCodes
Value:
01000000
(PID) Process:(3348) msedge.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Edge\BLBeacon
Operation:writeName:state
Value:
1
(PID) Process:(3348) msedge.exeKey:HKEY_CURRENT_USER\Software\Microsoft\EdgeUpdate\ClientState\{56EB18F8-B008-4CBD-B6D2-8C97FE7E9062}
Operation:writeName:dr
Value:
1
(PID) Process:(3348) msedge.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Edge\StabilityMetrics
Operation:writeName:user_experience_metrics.stability.exited_cleanly
Value:
0
(PID) Process:(3348) msedge.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EdgeUpdate\ClientStateMedium\{56EB18F8-B008-4CBD-B6D2-8C97FE7E9062}\LastWasDefault
Operation:writeName:S-1-5-21-1302019708-1500728564-335382590-1000
Value:
3D27E6914B7B2F00
(PID) Process:(3348) msedge.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EdgeUpdate\ClientStateMedium\{56EB18F8-B008-4CBD-B6D2-8C97FE7E9062}\FirstNotDefault
Operation:delete valueName:S-1-5-21-1302019708-1500728564-335382590-1000
Value:
(PID) Process:(3348) msedge.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Edge
Operation:writeName:UsageStatsInSample
Value:
1
Executable files
271
Suspicious files
385
Text files
150
Unknown types
9

Dropped files

PID
Process
Filename
Type
3348msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\commerce_subscription_db\LOG.old~RF4e27d.TMP
MD5:
SHA256:
3348msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\commerce_subscription_db\LOG.old
MD5:
SHA256:
3348msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\EdgePushStorageWithConnectTokenAndKey\LOG.old~RF4e29c.TMP
MD5:
SHA256:
3348msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\EdgePushStorageWithConnectTokenAndKey\LOG.old
MD5:
SHA256:
3348msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\LOG.old~RF4e2ea.TMP
MD5:
SHA256:
3348msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\LOG.old
MD5:
SHA256:
3392msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\CrashpadMetrics.pmabinary
MD5:886E82F2CA62ECCCE64601B30592078A
SHA256:E5E13D53601100FF3D6BB71514CBCCC4C73FE9B7EF5E930100E644187B42948E
3348msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\4ffe6329-cd74-47f7-9625-d7c141cc048f.tmpbinary
MD5:5058F1AF8388633F609CADB75A75DC9D
SHA256:CDB4EE2AEA69CC6A83331BBE96DC2CAA9A299D21329EFB0336FC02A82E1839A8
3348msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB\LOG.old~RF4e28c.TMPtext
MD5:646FEFDB4D82709E3056F5C71953783C
SHA256:7B83D8689750F64D31016F1E8AC2A4EB9D7DB406E4C9C66211D4ED17DEBFEAD9
3348msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\Database\LOG.oldtext
MD5:7D952F199B55B9FF30CBFA594212118D
SHA256:044142A8DF492BF8517CAE73ECD782D98474ACE2D4807FED07B5CDCED4D5CF46
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
7
TCP/UDP connections
64
DNS requests
52
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
1060
svchost.exe
GET
304
93.184.221.240:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?a9f83325acc8ca75
unknown
unknown
1372
svchost.exe
GET
304
93.184.221.240:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?33775f6043c93e33
unknown
unknown
1372
svchost.exe
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
unknown
2944
msedge.exe
GET
301
156.146.33.137:80
http://static.adtidy.org/windows/setup.exe
unknown
unknown
2780
setup.exe
GET
301
212.102.56.178:80
http://static.adguard.com/installer.v1.0.json
unknown
unknown
1372
svchost.exe
GET
200
2.16.164.72:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
unknown
2908
AdguardSvc.exe
GET
200
199.232.214.172:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?cc9f8c39a27b0efb
unknown
unknown
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2564
svchost.exe
239.255.255.250:3702
whitelisted
1060
svchost.exe
224.0.0.252:5355
unknown
3348
msedge.exe
239.255.255.250:1900
whitelisted
4
System
192.168.100.255:137
whitelisted
1372
svchost.exe
51.104.136.2:443
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
2944
msedge.exe
156.146.33.137:80
static.adtidy.org
Datacamp Limited
DE
unknown
2944
msedge.exe
204.79.197.239:443
edge.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
unknown
2944
msedge.exe
13.107.42.16:443
config.edge.skype.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
2944
msedge.exe
156.146.33.137:443
static.adtidy.org
Datacamp Limited
DE
unknown
4
System
192.168.100.255:138
whitelisted

DNS requests

Domain
IP
Reputation
static.adtidy.org
  • 156.146.33.137
  • 156.146.33.14
  • 156.146.33.140
  • 195.181.175.15
  • 195.181.175.41
  • 212.102.56.182
  • 212.102.56.179
unknown
edge.microsoft.com
  • 204.79.197.239
  • 13.107.21.239
whitelisted
config.edge.skype.com
  • 13.107.42.16
whitelisted
www.bing.com
  • 2.23.209.140
  • 2.23.209.187
  • 2.23.209.144
  • 2.23.209.189
  • 2.23.209.135
  • 2.23.209.130
  • 2.23.209.182
  • 2.23.209.133
  • 2.23.209.141
  • 2.23.209.183
whitelisted
settings-win.data.microsoft.com
  • 40.127.240.158
whitelisted
ctldl.windowsupdate.com
  • 93.184.221.240
  • 199.232.214.172
  • 199.232.210.172
whitelisted
crl.microsoft.com
  • 2.16.164.72
  • 2.16.164.120
whitelisted
www.microsoft.com
  • 95.101.149.131
whitelisted
self.events.data.microsoft.com
  • 104.208.16.90
whitelisted
time.windows.com
  • 20.101.57.9
whitelisted

Threats

PID
Process
Class
Message
2908
AdguardSvc.exe
Misc activity
ET INFO Observed ZeroSSL SSL/TLS Certificate
Process
Message
AdguardSvc.exe
Native library pre-loader is trying to load native SQLite library "C:\Program Files\AdGuard\x86\SQLite.Interop.dll"...
AdguardSvc.exe
Native library pre-loader is trying to load native SQLite library "C:\Program Files\AdGuard\x86\SQLite.Interop.dll"...
AdguardSvc.exe
Native library pre-loader is trying to load native SQLite library "C:\Program Files\AdGuard\x86\SQLite.Interop.dll"...
AdguardSvc.exe
Native library pre-loader is trying to load native SQLite library "C:\Program Files\AdGuard\x86\SQLite.Interop.dll"...
AdguardSvc.exe
SQLite error (5): database is locked
AdguardSvc.exe
SQLite error (5): database is locked
AdguardSvc.exe
SQLite error (5): database is locked
AdguardSvc.exe
SQLite error (5): database is locked
AdguardSvc.exe
SQLite error (11): database corruption at line 61461 of [1a584e4999]
AdguardSvc.exe
SQLite error (11): database corruption at line 61502 of [1a584e4999]
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
static.adtidy.org/windows/setup.exe