URL:

https://www.cheatengine.org/

Full analysis: https://app.any.run/tasks/99851c7e-3218-4310-b6c8-3aec18bfae0f
Verdict: Malicious activity
Threats:

Adware is a form of malware that targets users with unwanted advertisements, often disrupting their browsing experience. It typically infiltrates systems through software bundling, malicious websites, or deceptive downloads. Once installed, it may track user activity, collect sensitive data, and display intrusive ads, including pop-ups or banners. Some advanced adware variants can bypass security measures and establish persistence on devices, making removal challenging. Additionally, adware can create vulnerabilities that other malware can exploit, posing a significant risk to user privacy and system security.

Analysis date: December 27, 2024, 16:05:30
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
adware
advancedinstaller
loader
stealer
lua
Indicators:
MD5:

1DD9F14AD3EE66B4B3FC7CB3318B2557

SHA1:

4439081AE9D03FAD96C0139E2AD70C74D835385B

SHA256:

5ABCD667F4FA7622E3EC58A7E273761BE6BCE0C9077F0E8E8872F84FF884C357

SSDEEP:

3:N8DSLHJ:2OLHJ

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Starts NET.EXE for service management

      • net.exe (PID: 8060)
      • CheatEngine75.tmp (PID: 7988)
      • net.exe (PID: 8184)
    • ADVANCEDINSTALLER has been detected (SURICATA)

      • msiexec.exe (PID: 8052)
    • Actions look like stealing of personal data

      • notification_helper.exe (PID: 2144)
      • onestart.exe (PID: 5080)
      • onestart.exe (PID: 8732)
    • Changes the autorun value in the registry

      • onestart.exe (PID: 5080)
  • SUSPICIOUS

    • Reads security settings of Internet Explorer

      • CheatEngine75.tmp (PID: 440)
      • Cheat Engine.exe (PID: 3656)
      • cheatengine-x86_64-SSE4-AVX2.exe (PID: 7900)
      • msiexec.exe (PID: 8052)
      • MSIA1D8.tmp (PID: 4392)
    • Executable content was dropped or overwritten

      • CheatEngine75.exe (PID: 3260)
      • CheatEngine75.tmp (PID: 7576)
      • CheatEngine75.exe (PID: 8084)
      • CheatEngine75.exe (PID: 5392)
      • CheatEngine75.tmp (PID: 7988)
      • onestart_installer.exe (PID: 3688)
      • setup.exe (PID: 5008)
    • Reads the Windows owner or organization settings

      • CheatEngine75.tmp (PID: 7576)
      • CheatEngine75.tmp (PID: 7988)
      • msiexec.exe (PID: 7992)
    • Process drops SQLite DLL files

      • CheatEngine75.tmp (PID: 7988)
    • Windows service management via SC.EXE

      • sc.exe (PID: 3508)
      • sc.exe (PID: 1140)
    • Uses ICACLS.EXE to modify access control lists

      • CheatEngine75.tmp (PID: 7988)
    • Starts SC.EXE for service management

      • CheatEngine75.tmp (PID: 7988)
    • Process drops legitimate windows executable

      • CheatEngine75.tmp (PID: 7988)
    • Detected use of alternative data streams (AltDS)

      • cheatengine-x86_64-SSE4-AVX2.exe (PID: 7900)
    • Checks Windows Trust Settings

      • cheatengine-x86_64-SSE4-AVX2.exe (PID: 7900)
      • msiexec.exe (PID: 7992)
    • There is functionality for communication over UDP network (YARA)

      • cheatengine-x86_64-SSE4-AVX2.exe (PID: 7900)
    • Executes as Windows Service

      • VSSVC.exe (PID: 7868)
    • Potential Corporate Privacy Violation

      • msiexec.exe (PID: 8052)
      • msedge.exe (PID: 6364)
    • Access to an unwanted program domain was detected

      • msiexec.exe (PID: 8052)
    • Process requests binary or script from the Internet

      • msiexec.exe (PID: 8052)
    • Application launched itself

      • setup.exe (PID: 5008)
      • onestart.exe (PID: 4968)
      • onestart.exe (PID: 5080)
      • setup.exe (PID: 3584)
    • Starts CMD.EXE for commands execution

      • onestart_installer.exe (PID: 3688)
      • MSIA1D8.tmp (PID: 4392)
      • msiexec.exe (PID: 7788)
    • The process deletes folder without confirmation

      • MSIA1D8.tmp (PID: 4392)
    • Reads Mozilla Firefox installation path

      • onestart.exe (PID: 5080)
  • INFO

    • Checks supported languages

      • identity_helper.exe (PID: 5000)
      • CheatEngine75.exe (PID: 3260)
      • CheatEngine75.tmp (PID: 440)
      • CheatEngine75.exe (PID: 5392)
      • CheatEngine75.exe (PID: 8084)
      • CheatEngine75.tmp (PID: 7576)
      • _setup64.tmp (PID: 6964)
      • CheatEngine75.tmp (PID: 7988)
      • Cheat Engine.exe (PID: 3656)
      • cheatengine-x86_64-SSE4-AVX2.exe (PID: 7900)
      • Kernelmoduleunloader.exe (PID: 5076)
      • msiexec.exe (PID: 7992)
      • msiexec.exe (PID: 7788)
      • onestart_installer.exe (PID: 3688)
      • setup.exe (PID: 5008)
      • setup.exe (PID: 7636)
      • setup.exe (PID: 1596)
      • onestart.exe (PID: 5080)
      • notification_helper.exe (PID: 2144)
      • onestart.exe (PID: 4968)
      • setup.exe (PID: 3584)
      • MSIA1D8.tmp (PID: 4392)
      • onestart.exe (PID: 8460)
      • onestart.exe (PID: 8472)
      • onestart.exe (PID: 8624)
      • onestart.exe (PID: 8732)
      • onestart.exe (PID: 8864)
      • onestart.exe (PID: 8812)
    • Reads Environment values

      • identity_helper.exe (PID: 5000)
      • msiexec.exe (PID: 7788)
      • msiexec.exe (PID: 8052)
    • Reads the computer name

      • identity_helper.exe (PID: 5000)
      • CheatEngine75.tmp (PID: 440)
      • CheatEngine75.tmp (PID: 7576)
      • CheatEngine75.exe (PID: 5392)
      • CheatEngine75.tmp (PID: 7988)
      • cheatengine-x86_64-SSE4-AVX2.exe (PID: 7900)
      • Kernelmoduleunloader.exe (PID: 5076)
      • msiexec.exe (PID: 7992)
      • msiexec.exe (PID: 7788)
      • onestart_installer.exe (PID: 3688)
      • setup.exe (PID: 5008)
      • onestart.exe (PID: 4968)
      • onestart.exe (PID: 5080)
      • setup.exe (PID: 3584)
      • notification_helper.exe (PID: 2144)
      • MSIA1D8.tmp (PID: 4392)
    • The process uses the downloaded file

      • msedge.exe (PID: 2456)
      • msedge.exe (PID: 2012)
      • Cheat Engine.exe (PID: 3656)
      • msedge.exe (PID: 768)
      • msedge.exe (PID: 2280)
      • msedge.exe (PID: 8212)
      • msedge.exe (PID: 8888)
    • Create files in a temporary directory

      • CheatEngine75.exe (PID: 3260)
      • CheatEngine75.tmp (PID: 7576)
      • CheatEngine75.exe (PID: 8084)
      • CheatEngine75.exe (PID: 5392)
      • CheatEngine75.tmp (PID: 7988)
      • cheatengine-x86_64-SSE4-AVX2.exe (PID: 7900)
      • onestart.exe (PID: 8732)
      • onestart.exe (PID: 5080)
    • Executable content was dropped or overwritten

      • msedge.exe (PID: 2012)
      • msedge.exe (PID: 6364)
      • msedge.exe (PID: 8048)
      • msiexec.exe (PID: 7252)
      • msiexec.exe (PID: 7992)
    • Process checks computer location settings

      • CheatEngine75.tmp (PID: 440)
      • onestart.exe (PID: 5080)
    • Checks proxy server information

      • CheatEngine75.tmp (PID: 7576)
      • cheatengine-x86_64-SSE4-AVX2.exe (PID: 7900)
      • msiexec.exe (PID: 8052)
      • onestart.exe (PID: 5080)
    • Reads the machine GUID from the registry

      • CheatEngine75.tmp (PID: 7576)
      • cheatengine-x86_64-SSE4-AVX2.exe (PID: 7900)
      • msiexec.exe (PID: 7992)
    • Application launched itself

      • msedge.exe (PID: 2012)
    • The sample compiled with english language support

      • CheatEngine75.tmp (PID: 7576)
      • CheatEngine75.tmp (PID: 7988)
      • msedge.exe (PID: 8048)
      • msiexec.exe (PID: 7252)
      • msiexec.exe (PID: 7992)
      • onestart_installer.exe (PID: 3688)
      • setup.exe (PID: 5008)
    • Creates files in the program directory

      • CheatEngine75.tmp (PID: 7988)
    • Sends debugging messages

      • Kernelmoduleunloader.exe (PID: 5076)
      • cheatengine-x86_64-SSE4-AVX2.exe (PID: 7900)
    • Reads the software policy settings

      • cheatengine-x86_64-SSE4-AVX2.exe (PID: 7900)
      • msiexec.exe (PID: 7252)
    • Creates files or folders in the user directory

      • cheatengine-x86_64-SSE4-AVX2.exe (PID: 7900)
      • onestart_installer.exe (PID: 3688)
      • setup.exe (PID: 5008)
      • onestart.exe (PID: 5080)
      • onestart.exe (PID: 8472)
    • The process uses Lua

      • cheatengine-x86_64-SSE4-AVX2.exe (PID: 7900)
    • Manages system restore points

      • SrTasks.exe (PID: 1480)
    • Starts application with an unusual extension

      • msiexec.exe (PID: 7992)
    • Connects to unusual port

      • msedge.exe (PID: 6364)
    • Reads Microsoft Office registry keys

      • msedge.exe (PID: 2012)
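The MALICIOUS and SUSPICIOUS signatures above describe one chain worth hunting for outside the sandbox: the Inno Setup stage (CheatEngine75.tmp, unpacked under %TEMP%\is-A5UNT.tmp) launching sc.exe, net.exe and icacls.exe, and the bundled onestart.exe writing an autorun value. The Python below is an added example written for this page, not ANY.RUN code and not a Cheat Engine or OneStart artefact; it runs those checks over constructed Sysmon-style process and registry events. Only the `"sc" delete BadlionAnticheat` command line (PID 1140, exit code 1060 = ERROR_SERVICE_DOES_NOT_EXIST) is taken from the report; the net.exe and icacls.exe arguments, the icacls PID, and the OneStart Run-key value name and target path are assumptions.

```python
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    """Constructed Sysmon-style process-creation record (event ID 1 fields)."""
    pid: int
    image: str          # full path of the new process
    cmdline: str
    parent_image: str   # full path of the parent


@dataclass
class RegEvent:
    """Constructed Sysmon-style registry value-set record (event ID 13 fields)."""
    pid: int
    image: str
    key: str
    value_name: str
    data: str


# Inno Setup unpacks its real installer stage to %TEMP%\is-XXXXX.tmp\<name>.tmp
INNO_STAGE_RE = re.compile(r"\\is-[a-z0-9]+\.tmp\\[^\\]+\.tmp$", re.IGNORECASE)
# Per-user and per-machine autorun keys (the report flags onestart.exe writing one)
RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?$", re.IGNORECASE)
# Service/ACL tooling the Inno stage launched in the sandbox, with the verbs that matter
SERVICE_TAMPER = (
    (re.compile(r'^"?sc(\.exe)?"?\s+(delete|stop|config)\b', re.I), "sc.exe service tampering"),
    (re.compile(r'^"?net(\.exe)?"?\s+(stop|start)\b', re.I), "net.exe service control"),
    (re.compile(r'^"?icacls(\.exe)?"?\s', re.I), "icacls.exe ACL change"),
)


def check_process(ev: ProcEvent) -> list[str]:
    """Flag service or ACL tampering spawned directly by an Inno Setup stage."""
    if not INNO_STAGE_RE.search(ev.parent_image):
        return []
    return [f"pid {ev.pid}: Inno Setup child -> {label}: {ev.cmdline}"
            for pat, label in SERVICE_TAMPER if pat.search(ev.cmdline)]


def check_registry(ev: RegEvent) -> list[str]:
    """Flag a Run-key value whose target lives under a user profile's AppData."""
    if RUN_KEY_RE.search(ev.key) and "\\appdata\\" in ev.data.lower():
        return [f"pid {ev.pid}: {ev.image} set autorun '{ev.value_name}' -> {ev.data}"]
    return []


def hunt(procs: list[ProcEvent], regs: list[RegEvent]) -> list[str]:
    """Run both checks and return every finding as one line of text."""
    findings: list[str] = []
    for p in procs:
        findings.extend(check_process(p))
    for r in regs:
        findings.extend(check_registry(r))
    return findings


INNO_STAGE = r"C:\Users\admin\AppData\Local\Temp\is-A5UNT.tmp\CheatEngine75.tmp"
EDGE = r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

SAMPLE_PROCS = [
    # Verbatim from the report: PID 1140, exit code 1060 (ERROR_SERVICE_DOES_NOT_EXIST)
    ProcEvent(1140, r"C:\Windows\System32\sc.exe", '"sc" delete BadlionAnticheat', INNO_STAGE),
    # Assumed arguments: the report names net.exe (PID 8060) and icacls.exe but not their command lines
    ProcEvent(8060, r"C:\Windows\System32\net.exe", "net stop BadlionAnticheat", INNO_STAGE),
    ProcEvent(7001, r"C:\Windows\System32\icacls.exe",
              r'icacls "C:\Program Files\Cheat Engine 7.5" /grant Users:F', INNO_STAGE),
    # Benign control: an Edge renderer spawned by Edge itself
    ProcEvent(396, EDGE, '"msedge.exe" --type=renderer', EDGE),
]
SAMPLE_REGS = [
    # Assumed value name and target; the report only records that onestart.exe (PID 5080) changed an autorun value
    RegEvent(5080, "onestart.exe", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
             "OneStart", r"C:\Users\admin\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe"),
    # Benign control, taken from the report's modification events
    RegEvent(2012, "msedge.exe", r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\BLBeacon", "state", "1"),
]

if __name__ == "__main__":
    for line in hunt(SAMPLE_PROCS, SAMPLE_REGS):
        print(line)
```

Keying on the parent image rather than on sc.exe alone is what keeps the false-positive rate tolerable: sc.exe delete and net.exe stop are routine for administrators, but an installer stage running out of %TEMP%\is-*.tmp that removes or stops a service is a narrow pattern. The Run-key check deliberately ignores the value name, since the name is under the installer's control; the AppData target is the durable signal.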
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
All screenshots are available in the full report
Total processes
292
Monitored processes
152
Malicious processes
10
Suspicious processes
3

Behavior graph

Process images shown in the graph, in order of first appearance (repeated nodes collapsed):
  • msedge.exe (many renderer and utility children), identity_helper.exe
  • cheatengine75.exe, cheatengine75.tmp (three installer runs each)
  • net.exe, net1.exe, sc.exe, _setup64.tmp, icacls.exe (each with its own conhost.exe)
  • kernelmoduleunloader.exe, windowsrepair.exe
  • cheat engine.exe, cheatengine-x86_64-sse4-avx2.exe
  • msiexec.exe (several instances, one tagged #ADVANCEDINSTALLER), vssvc.exe, srtasks.exe
  • onestart_installer.exe, setup.exe (several), notification_helper.exe, chrome.exe, onestart.exe (several), cmd.exe, msia1d8.tmp
  • winrar.exe

Process information

PID
CMD
Path
Indicators
Parent process
PID: 396
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=54 --mojo-platform-channel-handle=6916 --field-trial-handle=2324,i,1145568199119291246,6861828508451305586,262144 --variations-seed-version /prefetch:1
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 440
CMD: "C:\Users\admin\AppData\Local\Temp\is-A5UNT.tmp\CheatEngine75.tmp" /SL5="$902C8,29019921,776192,C:\Users\admin\Downloads\CheatEngine75.exe"
Path: C:\Users\admin\AppData\Local\Temp\is-A5UNT.tmp\CheatEngine75.tmp
Parent process: CheatEngine75.exe
User:
admin
Company:
Integrity Level:
MEDIUM
Description:
Setup/Uninstall
Exit code:
0
Version:
51.1052.0.0
Modules
Images
c:\users\admin\appdata\local\temp\is-a5unt.tmp\cheatengine75.tmp
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\comdlg32.dll
c:\windows\syswow64\msvcrt.dll
PID: 488
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=9332 --field-trial-handle=2324,i,1145568199119291246,6861828508451305586,262144 --variations-seed-version /prefetch:8
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 648
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: sc.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 768
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=9012 --field-trial-handle=2324,i,1145568199119291246,6861828508451305586,262144 --variations-seed-version /prefetch:8
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 1140
CMD: "sc" delete BadlionAnticheat
Path: C:\Windows\System32\sc.exe
Parent process: CheatEngine75.tmp
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Service Control Manager Configuration Tool
Exit code:
1060 (ERROR_SERVICE_DOES_NOT_EXIST: no BadlionAnticheat service was installed on the guest)
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\sc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
c:\windows\system32\bcrypt.dll
PID: 1140
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=93 --mojo-platform-channel-handle=10448 --field-trial-handle=2324,i,1145568199119291246,6861828508451305586,262144 --variations-seed-version /prefetch:1
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 1480
CMD: C:\WINDOWS\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:11
Path: C:\Windows\System32\SrTasks.exe
Parent process: msiexec.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Microsoft® Windows System Protection background tasks.
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\srtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
PID: 1596
CMD: "C:\Users\admin\AppData\Local\OneStart.ai\OneStart Installer\CR_1134F.tmp\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\admin\AppData\Local\OneStart.ai\OneStart\User Data\Crashpad" --annotation=plat=Win64 --annotation=prod=OneStart --annotation=ver=130.0.6723.134 --initial-client-data=0x2a4,0x2a8,0x2ac,0x280,0x2b0,0x7ff62b278148,0x7ff62b278154,0x7ff62b278160
Path: C:\Users\admin\AppData\Local\OneStart.ai\OneStart Installer\CR_1134F.tmp\setup.exe
Parent process: setup.exe
User:
admin
Company:
OneStart.ai
Integrity Level:
MEDIUM
Description:
OneStart Installer
Exit code:
0
Version:
130.0.6723.134
Modules
Images
c:\users\admin\appdata\local\onestart.ai\onestart installer\cr_1134f.tmp\setup.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\oleaut32.dll
PID: 1668
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.3636 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAABEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=8988 --field-trial-handle=2324,i,1145568199119291246,6861828508451305586,262144 --variations-seed-version /prefetch:8
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
Total events
34 032
Read events
33 550
Write events
457
Delete events
25

Modification events

(PID) Process: (2012) msedge.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\BLBeacon
Operation: write
Name: failed_count
Value: 0

(PID) Process: (2012) msedge.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\BLBeacon
Operation: write
Name: state
Value: 2

(PID) Process: (2012) msedge.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\BLBeacon
Operation: write
Name: state
Value: 1

(PID) Process: (2012) msedge.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\StabilityMetrics
Operation: write
Name: user_experience_metrics.stability.exited_cleanly
Value: 0

(PID) Process: (2012) msedge.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\EdgeUpdate\ClientStateMedium\{56EB18F8-B008-4CBD-B6D2-8C97FE7E9062}\LastWasDefault
Operation: write
Name: S-1-5-21-1693682860-607145093-2874071422-1001
Value: 716CB9EAD8882F00

(PID) Process: (2012) msedge.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\EdgeUpdate\ClientStateMedium\{56EB18F8-B008-4CBD-B6D2-8C97FE7E9062}\LastWasDefault
Operation: write
Name: S-1-5-21-1693682860-607145093-2874071422-1001
Value: 140AC6EAD8882F00

(PID) Process: (2012) msedge.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\EdgeUpdate\ClientStateMedium\{56EB18F8-B008-4CBD-B6D2-8C97FE7E9062}\LastWasDefault
Operation: write
Name: S-1-5-21-1693682860-607145093-2874071422-1001
Value: 722018EBD8882F00

(PID) Process: (2012) msedge.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowProperties\393954
Operation: write
Name: WindowTabManagerFileMappingId
Value: {2FC24AFF-E093-48BA-814E-472E6B191B1B}

(PID) Process: (2012) msedge.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowProperties\393954
Operation: write
Name: WindowTabManagerFileMappingId
Value: {508F0CCF-C421-499E-9D6C-937EFD933845}

(PID) Process: (2012) msedge.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowProperties\393954
Operation: write
Name: WindowTabManagerFileMappingId
Value: {6996960E-126E-4D84-8C96-81F837E18C15}
Executable files
195
Suspicious files
1 403
Text files
663
Unknown types
33

Dropped files

PID  Process  Filename
2012  msedge.exe  C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\commerce_subscription_db\LOG.old~RF136ac3.TMP
2012  msedge.exe  C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\parcel_tracking_db\LOG.old~RF136ac3.TMP
2012  msedge.exe  C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\commerce_subscription_db\LOG.old
2012  msedge.exe  C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\parcel_tracking_db\LOG.old
2012  msedge.exe  C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\EdgePushStorageWithConnectTokenAndKey\LOG.old~RF136ac3.TMP
2012  msedge.exe  C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\EdgePushStorageWithConnectTokenAndKey\LOG.old
2012  msedge.exe  C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\PersistentOriginTrials\LOG.old~RF136ac3.TMP
2012  msedge.exe  C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\PersistentOriginTrials\LOG.old
2012  msedge.exe  C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\discounts_db\LOG.old~RF136ac3.TMP
2012  msedge.exe  C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\discounts_db\LOG.old
(Type, MD5 and SHA256 are not recorded for these ten entries in the report excerpt.)
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
48
TCP/UDP connections
342
DNS requests
367
Threats
26

HTTP requests

PID  Process  Method  HTTP Code  IP  URL  CN  Reputation (Type and Size are not recorded)
7504  svchost.exe  GET  206  23.53.40.11:80  http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/9cf951df-e7db-4d00-b0fc-02131f5ca303?P1=1735348739&P2=404&P3=2&P4=iNDimyfquAdY83VcBamDaqZnPIvrPPwrmUiZmA3Bk2aP4FULfZI5iOVTm3TigrR0NOOaoITq3ScFXOAL3eImUg%3d%3d  unknown  whitelisted
7504  svchost.exe  GET  206  23.53.40.11:80  http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/9cf951df-e7db-4d00-b0fc-02131f5ca303?P1=1735348739&P2=404&P3=2&P4=iNDimyfquAdY83VcBamDaqZnPIvrPPwrmUiZmA3Bk2aP4FULfZI5iOVTm3TigrR0NOOaoITq3ScFXOAL3eImUg%3d%3d  unknown  whitelisted
7504  svchost.exe  GET  206  23.53.40.11:80  http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/9cf951df-e7db-4d00-b0fc-02131f5ca303?P1=1735348739&P2=404&P3=2&P4=iNDimyfquAdY83VcBamDaqZnPIvrPPwrmUiZmA3Bk2aP4FULfZI5iOVTm3TigrR0NOOaoITq3ScFXOAL3eImUg%3d%3d  unknown  whitelisted
7504  svchost.exe  HEAD  200  23.53.40.11:80  http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/8699fac5-cf38-4f97-a2f8-fb1e47f5e54e?P1=1735348739&P2=404&P3=2&P4=V7oYfgRbg1VC7EDfuBH%2f02TEG7rXPRs0p9bYBRmmAg4meQ8eZejLHu7aIFMAxKn6ezztIGFfSd5b2SapEXbFNA%3d%3d  unknown  whitelisted
7504  svchost.exe  GET  206  23.53.40.11:80  http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/8699fac5-cf38-4f97-a2f8-fb1e47f5e54e?P1=1735348739&P2=404&P3=2&P4=V7oYfgRbg1VC7EDfuBH%2f02TEG7rXPRs0p9bYBRmmAg4meQ8eZejLHu7aIFMAxKn6ezztIGFfSd5b2SapEXbFNA%3d%3d  unknown  whitelisted
4712  MoUsoCoreWorker.exe  GET  200  2.16.164.120:80  http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl  unknown  whitelisted
4712  MoUsoCoreWorker.exe  GET  200  88.221.169.152:80  http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl  unknown  whitelisted
1176  svchost.exe  GET  200  192.229.221.95:80  http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D  unknown  whitelisted
7568  SIHClient.exe  GET  200  23.37.237.227:80  http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl  unknown  whitelisted
7568  SIHClient.exe  GET  200  23.37.237.227:80  http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl  unknown  whitelisted

Connections

PID  Process  IP  Domain  ASN  CN  Reputation
5064  SearchApp.exe  2.21.110.139:443  www.bing.com  AKAMAI-AS  DE  whitelisted
6068  svchost.exe  4.231.128.59:443  settings-win.data.microsoft.com  MICROSOFT-CORP-MSN-AS-BLOCK  IE  whitelisted
6068  svchost.exe  4.231.128.59:443  settings-win.data.microsoft.com  MICROSOFT-CORP-MSN-AS-BLOCK  IE  whitelisted
4712  MoUsoCoreWorker.exe  2.16.164.120:80  crl.microsoft.com  Akamai International B.V.  NL  whitelisted
4712  MoUsoCoreWorker.exe  88.221.169.152:80  www.microsoft.com  AKAMAI-AS  DE  whitelisted
4  System  192.168.100.255:138  -  -  -  whitelisted
6364  msedge.exe  142.250.185.66:443  pagead2.googlesyndication.com  -  -  whitelisted
2012  msedge.exe  239.255.255.250:1900  -  -  -  whitelisted
6364  msedge.exe  104.20.95.94:443  www.cheatengine.org  CLOUDFLARENET  -  whitelisted
6364  msedge.exe  104.17.25.14:443  cdnjs.cloudflare.com  -  -  whitelisted

DNS requests

Domain
IP
Reputation
www.bing.com
  • 2.21.110.139
  • 2.21.110.146
  • 2.23.209.179
  • 2.23.209.150
  • 2.23.209.156
  • 2.23.209.158
  • 2.23.209.177
  • 2.23.209.149
  • 2.23.209.160
  • 2.23.209.161
  • 2.23.209.176
  • 2.23.209.162
  • 2.23.209.181
  • 2.23.209.182
whitelisted
settings-win.data.microsoft.com
  • 4.231.128.59
  • 51.104.136.2
whitelisted
crl.microsoft.com
  • 2.16.164.120
  • 2.16.164.49
whitelisted
www.microsoft.com
  • 88.221.169.152
  • 23.37.237.227
whitelisted
google.com
  • 142.250.186.78
unknown
config.edge.skype.com
  • 13.107.42.16
whitelisted
www.cheatengine.org
  • 104.20.95.94
  • 172.67.35.220
  • 104.20.94.94
whitelisted
edge.microsoft.com
  • 13.107.21.239
  • 204.79.197.239
whitelisted
business.bing.com
  • 13.107.6.158
whitelisted
edge-mobile-static.azureedge.net
  • 13.107.246.45
whitelisted

Threats

PID  Process  Class  Message
6364  msedge.exe  Not Suspicious Traffic  INFO [ANY.RUN] Cloudflare content delivery network (cdnjs .cloudflare .com)
6364  msedge.exe  Not Suspicious Traffic  INFO [ANY.RUN] Cloudflare content delivery network (cdnjs .cloudflare .com)
6364  msedge.exe  Not Suspicious Traffic  INFO [ANY.RUN] Cloudflare content delivery network (cdnjs .cloudflare .com)
6364  msedge.exe  Not Suspicious Traffic  INFO [ANY.RUN] Cloudflare content delivery network (cdnjs .cloudflare .com)
6364  msedge.exe  Not Suspicious Traffic  INFO [ANY.RUN] Google Hosted Libraries (ajax .googleapis .com)
6364  msedge.exe  Not Suspicious Traffic  INFO [ANY.RUN] Google Hosted Libraries (ajax .googleapis .com)
6364  msedge.exe  Not Suspicious Traffic  INFO [ANY.RUN] Google Hosted Libraries (ajax .googleapis .com)
6364  msedge.exe  Not Suspicious Traffic  INFO [ANY.RUN] Google Hosted Libraries (ajax .googleapis .com)
8052  msiexec.exe  Potential Corporate Privacy Violation  ET POLICY PE EXE or DLL Windows file download HTTP
8052  msiexec.exe  Potentially Bad Traffic  ET POLICY Executable served from Amazon S3
1 ETPRO signatures available at the full report
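The two ET POLICY hits for msiexec.exe (PID 8052), a PE download over plain HTTP and an executable served from Amazon S3, together with the "Process requests binary or script from the Internet" signature, are cheap to reproduce in a proxy log or sandbox post-processor. The Python below is an added example for this page, not Suricata's rule logic and not ANY.RUN code; it approximates those rules by checking the response body for the MZ magic, the Server header for AmazonS3, the declared Content-Type, and whether an installer process fetched the binary from a host outside a small allowlist. The HTTP exchanges it runs on are constructed: the S3 bucket name, URL paths, headers and body bytes are assumptions, since the report does not reproduce the download itself.

```python
import re
from dataclasses import dataclass, field


@dataclass
class HttpExchange:
    """One captured HTTP request/response pair, constructed for this example."""
    pid: int
    process: str                    # image name of the requesting process
    url: str
    response_headers: dict[str, str] = field(default_factory=dict)
    body_prefix: bytes = b""        # first bytes of the response body


# Hosts from which a Windows guest is expected to pull binaries over plain HTTP
ALLOWED_HOSTS_RE = re.compile(r"(^|\.)(microsoft\.com|windowsupdate\.com)$", re.IGNORECASE)
# Installer processes that should not be fetching executables from arbitrary CDNs
INSTALLER_PROCS = {"msiexec.exe", "setup.exe", "onestart_installer.exe"}
# Content types under which a PE body is not a mismatch
PE_CONTENT_TYPES = ("application/octet-stream", "application/x-msdownload", "application/x-msdos-program")


def host_of(url: str) -> str:
    """Return the lower-cased host part of an http(s) URL, or '' if unparsable."""
    m = re.match(r"https?://([^/:?#]+)", url, re.IGNORECASE)
    return m.group(1).lower() if m else ""


def classify(ex: HttpExchange) -> list[str]:
    """Approximate the report's ET POLICY hits plus an installer/host allowlist check."""
    findings: list[str] = []
    if ex.body_prefix[:2] != b"MZ":           # not a PE image: nothing to say
        return findings
    host = host_of(ex.url)
    findings.append(f"PE download over HTTP by {ex.process} (pid {ex.pid}) from {host}")
    if "AmazonS3" in ex.response_headers.get("Server", ""):
        findings.append("executable served from Amazon S3")
    ctype = ex.response_headers.get("Content-Type", "").split(";")[0].strip().lower()
    if ctype and not ctype.startswith(PE_CONTENT_TYPES):
        findings.append(f"declared Content-Type '{ctype}' does not match the PE body")
    if ex.process.lower() in INSTALLER_PROCS and not ALLOWED_HOSTS_RE.search(host):
        findings.append(f"installer process fetched a binary from non-allowlisted host {host}")
    return findings


SAMPLE_EXCHANGES = [
    # Mirrors the two Suricata hits for msiexec.exe (PID 8052); bucket name, path, headers and bytes are assumed
    HttpExchange(8052, "msiexec.exe", "http://example-bucket.s3.amazonaws.com/onestart/setup.exe",
                 {"Server": "AmazonS3", "Content-Type": "application/octet-stream"}, b"MZ\x90\x00\x03"),
    # From the report's HTTP list: a Delivery Optimization range request by svchost.exe (query string dropped; headers and bytes assumed)
    HttpExchange(7504, "svchost.exe",
                 "http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/9cf951df-e7db-4d00-b0fc-02131f5ca303",
                 {"Server": "Microsoft-IIS/10.0", "Content-Type": "application/octet-stream"}, b"\x1f\x8b\x08\x00"),
    # Wholly assumed: a PE handed out as text/html by an unknown host to a setup.exe
    HttpExchange(5008, "setup.exe", "http://cdn.example.net/update.bin",
                 {"Content-Type": "text/html; charset=utf-8"}, b"MZ\x90\x00"),
]

if __name__ == "__main__":
    for ex in SAMPLE_EXCHANGES:
        for finding in classify(ex):
            print(f"{ex.pid} {ex.process}: {finding}")
```

The body magic, not the URL extension or Content-Type, decides whether an exchange is a PE download; the other checks only add context, which is also how the ET POLICY rules behave. Keep the host allowlist short and explicit: msiexec.exe pulling an MSI's external cabinet or payload from a vendor CDN is normal, but every such host should be one you chose to trust, not one an installer chose for you.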
Process  Message
Kernelmoduleunloader.exe  Running in wow64
Kernelmoduleunloader.exe  Setup. So do not show messages
Kernelmoduleunloader.exe  Kernelmodule unloader
Kernelmoduleunloader.exe  attempting to unload
Kernelmoduleunloader.exe  SCManager opened
Kernelmoduleunloader.exe  count=0
Kernelmoduleunloader.exe  setup=true
cheatengine-x86_64-SSE4-AVX2.exe  Lua thread terminated