File name:	https://bitly.ws/?redirect=b4c7
Full analysis:	https://app.any.run/tasks/6f1b49b4-1f1d-440c-ba83-e12f0939f388
Verdict:	Malicious activity
Threats:	A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. Malware Trends Tracker >>>
Analysis date:	November 07, 2023, 22:22:23
OS:	Windows 8.1 Professional (build: 9600, 32 bit)
Tags:	loader
Indicators:
MIME:	text/plain
File info:	ASCII text, with CRLF line terminators
MD5:	81051BCC2CF1BEDF378224B0A93E2877
SHA1:	BA8AB5A0280B953AA97435FF8946CBCBB2755A27
SHA256:	7EB70257593DA06F682A3DDDA54A9D260D4FC514F645237F5CA74B08F8DA61A6
SSDEEP:	3:y:y


(PID) Process:	(3936) MicrosoftEdgeUpdate.exe	Key:	HKEY_USERS\S-1-5-21-2655973190-2785740294-2321183924-1001_CLASSES\Local Settings\MuiCache\2e\52C64B7E
Operation:	write	Name:	LanguageList
Value: en-US
(PID) Process:	(3936) MicrosoftEdgeUpdate.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EdgeUpdate\ClientState\{56EB18F8-B008-4CBD-B6D2-8C97FE7E9062}\CurrentState
Operation:	delete key	Name:	(default)
Value:
(PID) Process:	(3936) MicrosoftEdgeUpdate.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EdgeUpdate\ClientState\{F3C4FE00-EFD5-403B-9569-398A20F1BA4A}\CurrentState
Operation:	delete key	Name:	(default)
Value:
(PID) Process:	(3936) MicrosoftEdgeUpdate.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EdgeUpdate\PersistedPings\{D028F3B8-E4FE-48C1-ABE1-31C3DF1EFF71}
Operation:	delete key	Name:	(default)
Value:
(PID) Process:	(3936) MicrosoftEdgeUpdate.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EdgeUpdate\ClientState\{56EB18F8-B008-4CBD-B6D2-8C97FE7E9062}\CurrentState
Operation:	write	Name:	StateValue
Value: 3
(PID) Process:	(3936) MicrosoftEdgeUpdate.exe	Key:	HKEY_USERS\S-1-5-21-2655973190-2785740294-2321183924-1001\Software\Microsoft\EdgeUpdate\proxy
Operation:	write	Name:	source
Value: auto
(PID) Process:	(3936) MicrosoftEdgeUpdate.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EdgeUpdate
Operation:	write	Name:	ConsecutiveCheckFailures
Value: 0
(PID) Process:	(3936) MicrosoftEdgeUpdate.exe	Key:	HKEY_USERS\S-1-5-21-2655973190-2785740294-2321183924-1001\Software\Microsoft\EdgeUpdate\ClientState\{56EB18F8-B008-4CBD-B6D2-8C97FE7E9062}
Operation:	write	Name:	dr
Value: 0
(PID) Process:	(3936) MicrosoftEdgeUpdate.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EdgeUpdate\ClientState\{56EB18F8-B008-4CBD-B6D2-8C97FE7E9062}
Operation:	write	Name:	DayOfLastRollCall
Value: 5933
(PID) Process:	(3936) MicrosoftEdgeUpdate.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EdgeUpdate\ClientState\{56EB18F8-B008-4CBD-B6D2-8C97FE7E9062}
Operation:	write	Name:	ping_freshness
Value: {0A5B2725-9FB7-4145-B5E1-5B3CF1759911}

PID	Process	Filename		Type
3936	MicrosoftEdgeUpdate.exe	C:\Program Files\Microsoft\EdgeUpdate\Download\{F3C4FE00-EFD5-403B-9569-398A20F1BA4A}\1.3.181.5\MicrosoftEdgeUpdateSetup_X86_1.3.181.5.exe		executable
		MD5:9B09E682511FD006DE0458875A8C2E84	SHA256:2450A90417EC5205709D79CC2BA5BB0401B49AF95DCF8D6E1786E0D72DA53754
2740	MicrosoftEdgeUpdateSetup_X86_1.3.181.5.exe	C:\Program Files\Microsoft\Temp\EU9042.tmp\MicrosoftEdgeUpdate.exe		executable
		MD5:11FE091ACE9D03B9ADA6D5A22D12C0D0	SHA256:50F4ED60A507CE9DD1F3F4E7D53053D923CB71594374A25251746A9B2271E4EE
2740	MicrosoftEdgeUpdateSetup_X86_1.3.181.5.exe	C:\Program Files\Microsoft\Temp\EU9042.tmp\psmachine.dll		executable
		MD5:56C1A9EC314B41CE4BF20AAE41E94078	SHA256:A82DB4F2EC83020B2BA31A96D214D4EE207173A8B4206432C765DEE870120917
2740	MicrosoftEdgeUpdateSetup_X86_1.3.181.5.exe	C:\Program Files\Microsoft\Temp\EU9042.tmp\MicrosoftEdgeUpdateOnDemand.exe		executable
		MD5:532D470DA7523ABBB2ADE51CBD6CF1BD	SHA256:611225DCD25B3DAB7D331CE187F3589D83C80EFC543B971D96DD5357363EC827
2740	MicrosoftEdgeUpdateSetup_X86_1.3.181.5.exe	C:\Program Files\Microsoft\Temp\EU9042.tmp\psmachine_64.dll		executable
		MD5:A1E69165B66D05938AB8FC8232EDC866	SHA256:5B7345DE0B70B8D0CEFD4140ACF428A5B0FFE5A147ADF8A75D981B37FBD81E3A
2740	MicrosoftEdgeUpdateSetup_X86_1.3.181.5.exe	C:\Program Files\Microsoft\Temp\EU9042.tmp\psmachine_arm64.dll		executable
		MD5:581BC2D275F8B2E23C2C8BEEDA8471AD	SHA256:28F2F1AC5189A07B59110946509B7C61CC7F2935AF96B000278A5C5952C4B7C3
2740	MicrosoftEdgeUpdateSetup_X86_1.3.181.5.exe	C:\Program Files\Microsoft\Temp\EU9042.tmp\MicrosoftEdgeUpdateComRegisterShell64.exe		executable
		MD5:7750D94E4719BA69F5F83213444C0015	SHA256:1AB31694FF0B6283FBB6EC062D6EAB9FFB26DF9D6D1BA140CF60A8E7A4CB9FE5
3936	MicrosoftEdgeUpdate.exe	C:\Users\admin\AppData\Local\Temp\{3AB43804-EB25-45BD-94CE-157A5BDED41E}-MicrosoftEdgeUpdateSetup_X86_1.3.181.5.exe		executable
		MD5:9B09E682511FD006DE0458875A8C2E84	SHA256:2450A90417EC5205709D79CC2BA5BB0401B49AF95DCF8D6E1786E0D72DA53754
2740	MicrosoftEdgeUpdateSetup_X86_1.3.181.5.exe	C:\Program Files\Microsoft\Temp\EU9042.tmp\MicrosoftEdgeUpdateBroker.exe		executable
		MD5:4FDA82E4E5DB7141350CDDCEF7DB07A4	SHA256:48EFBB4780A6BE7EADC26DCC6D2C2B16DACCE447E53A3E2725AD4B1318A34E68
2740	MicrosoftEdgeUpdateSetup_X86_1.3.181.5.exe	C:\Program Files\Microsoft\Temp\EU9042.tmp\MicrosoftEdgeComRegisterShellARM64.exe		executable
		MD5:9540AD83A08605BA1F52196424CE3067	SHA256:B0B5D9EB6F4B176BDFBE4DA0A060AD1B76C813186FAE3D9A6E1B1DD9EE0D01D1

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
796	svchost.exe	HEAD	200	8.248.115.254:80	http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/a0b1d1cd-93e2-4589-ad91-42a1325c3d88?P1=1700000592&P2=404&P3=2&P4=Uzm8aT6C%2bzptUqsJ%2bqFRC65%2b85rycavYxkvvNxRsO7jRXcJF1oCANUdgf0cRunmSjdnGKBk5VeVDM8830X7UFw%3d%3d	unknown	—	—	unknown
796	svchost.exe	GET	—	8.248.115.254:80	http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/a0b1d1cd-93e2-4589-ad91-42a1325c3d88?P1=1700000592&P2=404&P3=2&P4=Uzm8aT6C%2bzptUqsJ%2bqFRC65%2b85rycavYxkvvNxRsO7jRXcJF1oCANUdgf0cRunmSjdnGKBk5VeVDM8830X7UFw%3d%3d	unknown	—	—	unknown
—	—	GET	304	config.edge.skype.com:443	https://config.edge.skype.com/config/v1/EdgeUpdate/1.3.181.5?clientId=s:6B9497E7-8A14-4043-A0AD-B1B6823998F8&appBrandCode_edgeupdate=M100&appChannel_edgeupdate=6&appCohort_edgeupdate=rrf@0.81&appConsentState_edgeupdate=0&appDayOfInstall_edgeupdate=5929&appInactivityBadgeApplied_edgeupdate=0&appInactivityBadgeCleared_edgeupdate=0&appInactivityBadgeDuration_edgeupdate=0&appInstallTimeDiffSec_edgeupdate=19094400&appIsPinnedSystem_edgeupdate=false&appLastLaunchCount_edgeupdate=0&appLastLaunchTime_edgeupdate=0&appLastLaunchTimeJson_edgeupdate=0&appLastLaunchTimeDaysAgo_edgeupdate=0&appVersion_edgeupdate=1.3.181.5&appUpdateCheckIsUpdateDisabled_edgeupdate=false&appUpdatesAllowedForMeteredNetworks_edgeupdate=false&hwDiskType=0&hwHasSsse3=true&hwLogicalCpus=4&hwPhysmemory=3&isCTADevice=false&isMsftDomainJoined=false&oemProductManufacturer=DELL&oemProductName=DELL&osArch=x86&osIsDefaultNetworkConnectionMetered=false&osIsInLockdownMode=false&osIsWIP=false&osPlatform=win&osProductType=48&osVersion=6.3.9600.18778&requestCheckPeriodSec=-1&requestDomainJoined=false&requestInstallSource=selfupdate&requestIsMachine=true&requestOmahaShellVersion=1.3.175.29&requestOmahaVersion=1.3.181.5	unknown	—	—	—
168	sdiagnhost.exe	GET	302	2.19.105.250:80	http://go.microsoft.com/fwlink/?LinkID=296332	unknown	—	—	unknown
—	—	GET	200	config.edge.skype.com:443	https://config.edge.skype.com/config/v1/EdgeUpdate/1.3.177.11?clientId=s:6B9497E7-8A14-4043-A0AD-B1B6823998F8&appBrandCode_stable=M100&appChannel_stable=4&appCohort_stable=rrf@0.72&appConsentState_stable=393219&appDayOfInstall_stable=5929&appInactivityBadgeApplied_stable=0&appInactivityBadgeCleared_stable=0&appInactivityBadgeDuration_stable=0&appInstallTimeDiffSec_stable=19094400&appIsPinnedSystem_stable=true&appLang_stable=en&appLastLaunchCount_stable=1&appLastLaunchTime_stable=13324769297808631&appLastLaunchTimeJson_stable=2023-03-31t20:48:17.808z&appLastLaunchTimeDaysAgo_stable=221&appUpdateCheckIsUpdateDisabled_stable=false&appUpdatesAllowedForMeteredNetworks_stable=false&appVersion_stable=109.0.1518.115&hwDiskType=0&hwHasSsse3=true&hwLogicalCpus=4&hwPhysmemory=3&isCTADevice=false&isMsftDomainJoined=false&oemProductManufacturer=DELL&oemProductName=DELL&osArch=x86&osIsDefaultNetworkConnectionMetered=false&osIsInLockdownMode=false&osIsWIP=false&osPlatform=win&osProductType=48&osVersion=6.3.9600.18778&requestCheckPeriodSec=-1&requestDomainJoined=false&requestInstallSource=core&requestIsMachine=true&requestOmahaShellVersion=1.3.175.29&requestOmahaVersion=1.3.177.11	unknown	binary	234 b	—
—	—	POST	200	msedge.api.cdp.microsoft.com:443	https://msedge.api.cdp.microsoft.com/api/v1.1/internal/contents/Browser/namespaces/Default/names/msedgeupdate-stable-win-x86/versions/1.3.181.5/files?action=GenerateDownloadInfo&foregroundPriority=false	unknown	ini	759 b	—
—	—	POST	200	self.events.data.microsoft.com:443	https://self.events.data.microsoft.com/OneCollector/1.0/	unknown	binary	10 b	—
796	svchost.exe	GET	206	8.248.115.254:80	http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/a0b1d1cd-93e2-4589-ad91-42a1325c3d88?P1=1700000592&P2=404&P3=2&P4=Uzm8aT6C%2bzptUqsJ%2bqFRC65%2b85rycavYxkvvNxRsO7jRXcJF1oCANUdgf0cRunmSjdnGKBk5VeVDM8830X7UFw%3d%3d	unknown	executable	6.92 Kb	unknown
—	—	POST	200	self.events.data.microsoft.com:443	https://self.events.data.microsoft.com/OneCollector/1.0/	unknown	binary	9 b	—
—	—	POST	200	msedge.api.cdp.microsoft.com:443	https://msedge.api.cdp.microsoft.com/api/v2/contents/Browser/namespaces/Default/names?action=batchupdates	unknown	ini	199 b	—

PID	Process	IP	Domain	ASN	CN	Reputation
3948	msedge.exe	224.0.0.251:5353	—	—	—	unknown
4	System	192.168.100.255:137	—	—	—	whitelisted
3948	msedge.exe	239.255.255.250:1900	—	—	—	whitelisted
3936	MicrosoftEdgeUpdate.exe	20.166.2.191:443	msedge.api.cdp.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	unknown
796	svchost.exe	8.248.115.254:80	msedge.b.tlu.dl.delivery.mp.microsoft.com	LEVEL3	US	unknown
3936	MicrosoftEdgeUpdate.exe	8.248.115.254:80	msedge.b.tlu.dl.delivery.mp.microsoft.com	LEVEL3	US	unknown
252	MicrosoftEdgeUpdate.exe	20.189.173.7:443	self.events.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	unknown
1448	MicrosoftEdgeUpdate.exe	52.123.243.84:443	config.edge.skype.com	MICROSOFT-CORP-MSN-AS-BLOCK	DE	unknown
1448	MicrosoftEdgeUpdate.exe	20.189.173.7:443	self.events.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	unknown
1668	MicrosoftEdgeUpdate.exe	13.107.42.16:443	config.edge.skype.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted

Domain	IP	Reputation
msedge.api.cdp.microsoft.com	20.166.2.191 13.95.26.4	whitelisted
msedge.b.tlu.dl.delivery.mp.microsoft.com	8.248.115.254 8.253.95.249 67.26.75.254	whitelisted
self.events.data.microsoft.com	20.189.173.7 40.79.189.59	whitelisted
config.edge.skype.com	52.123.243.84 52.123.243.200 52.123.243.71 52.123.243.80 13.107.42.16	whitelisted
go.microsoft.com	2.19.105.250	whitelisted
compatexchange.trafficmanager.net	—	unknown
edge.microsoft.com	13.107.21.239 204.79.197.239	whitelisted

PID	Process	Class	Message
796	svchost.exe	Potential Corporate Privacy Violation	ET POLICY PE EXE or DLL Windows file download HTTP
3936	MicrosoftEdgeUpdate.exe	Potential Corporate Privacy Violation	ET POLICY PE EXE or DLL Windows file download HTTP

Process	Message
rundll32.exe	SHIMVIEW: ShimInfo(Complete)
rundll32.exe	SHIMVIEW: ShimInfo(Complete)
csrstub.exe	SHIMVIEW: ShimInfo(Complete)

General Info

https://bitly.ws/?redirect=b4c7

81051BCC2CF1BEDF378224B0A93E2877

BA8AB5A0280B953AA97435FF8946CBCBB2755A27

7EB70257593DA06F682A3DDDA54A9D260D4FC514F645237F5CA74B08F8DA61A6

3:y:y

Software environment set and analysis options

Launch configuration

Software preset

Behavior activities

MALICIOUS

Starts Visual C# compiler

Drops the executable file immediately after the start

SUSPICIOUS

Process drops legitimate windows executable

Executes as Windows Service

Checks Windows Trust Settings

Application launched itself

Disables SEHOP

Creates a software uninstall entry

Creates/Modifies COM task schedule object

Reads settings of System Certificates

Reads the Internet Settings

Uses .NET C# to load dll

Probably uses Microsoft diagnostics tool to execute malicious payload

Uses RUNDLL32.EXE to load library

The process executes via Task Scheduler

INFO

Checks supported languages

Reads the computer name

Reads the software policy settings

Manual execution by a user

Create files in a temporary directory

Creates files in the program directory

Reads Environment values

Reads security settings of Internet Explorer

Reads the machine GUID from the registry

Drops the executable file immediately after the start

Checks proxy server information

Malware configuration

Static information

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings