Malware analysis MDE_File_Sample_b08eb259aba0cac2de72ef74df3f4b3edad9da9b.zip Malicious activity

Add for printing

File name:	MDE_File_Sample_b08eb259aba0cac2de72ef74df3f4b3edad9da9b.zip
Full analysis:	https://app.any.run/tasks/f6d48409-66b9-4d2a-bcf0-7d86224db109
Verdict:	Malicious activity
Analysis date:	October 25, 2024, 07:07:13
OS:	Windows 10 Professional (build: 19045, 64 bit)
Tags:	arch-exec evasion
Indicators:
MIME:	application/zip
File info:	Zip archive data, at least v2.0 to extract, compression method=deflate
MD5:	6A1894C5A407AAE268F2FF41F2C5459C
SHA1:	7502FC934D15B12ECF7112296B515D5445B30B18
SHA256:	9417312174B3006D85CD4A927DEABE3D6EAE6756913BF2649E62742BE22E22ED
SSDEEP:	49152:rPDtOpZV/XyrYPoSVskScatC03KlTwchEg/iza5kU32cqnTXYnFC2jd9Zb8TFFMS:rBOTV/XykzuC03Kljyg/izw32cyY5jdO

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 300 seconds
Heavy Evasion option:
Network geolocation:: off
Additional time used:: 240 seconds
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.3636.19041.0
Adobe Acrobat (64-bit) (23.001.20093)
Adobe Flash Player 32 NPAPI (32.0.0.465)
Adobe Flash Player 32 PPAPI (32.0.0.465)
CCleaner (6.20)
FileZilla 3.65.0 (3.65.0)
Google Chrome (122.0.6261.70)
Google Update Helper (1.3.36.51)
Java 8 Update 271 (64-bit) (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Microsoft Edge (122.0.2365.59)
Microsoft Edge Update (1.3.185.17)
Microsoft Office Professional 2019 - de-de (16.0.16026.20146)
Microsoft Office Professional 2019 - en-us (16.0.16026.20146)
Microsoft Office Professional 2019 - es-es (16.0.16026.20146)
Microsoft Office Professional 2019 - it-it (16.0.16026.20146)
Microsoft Office Professional 2019 - ja-jp (16.0.16026.20146)
Microsoft Office Professional 2019 - ko-kr (16.0.16026.20146)
Microsoft Office Professional 2019 - pt-br (16.0.16026.20146)
Microsoft Office Professional 2019 - tr-tr (16.0.16026.20146)
Microsoft Office Professionnel 2019 - fr-fr (16.0.16026.20146)
Microsoft Office профессиональный 2019 - ru-ru (16.0.16026.20146)
Microsoft OneNote - en-us (16.0.16026.20146)
Microsoft Update Health Tools (3.74.0.0)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x64 en-US) (123.0)
Mozilla Maintenance Service (123.0)
Notepad++ (64-bit x64) (7.9.1)
Office 16 Click-to-Run Extensibility Component (16.0.15726.20202)
Office 16 Click-to-Run Licensing Component (16.0.16026.20146)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15928.20198)
PowerShell 7-x64 (7.3.5.0)
Skype version 8.104 (8.104)
Update for Windows 10 for x64-based Systems (KB4023057) (2.59.0.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.63.0.0)
Update for Windows 10 for x64-based Systems (KB4480730) (2.55.0.0)
Update for Windows 10 for x64-based Systems (KB5001716) (8.93.0.0)
VLC media player (3.0.11)
WinRAR 5.91 (64-bit) (5.91.0)
Windows PC Health Check (3.6.2204.08001)

Hotfixes

Client LanguagePack Package
DotNetRollup
DotNetRollup 481
FodMetadata Package
Foundation Package
Hello Face Package
InternetExplorer Optional Package
KB5003791
KB5011048
KB5015684
KB5033052
LanguageFeatures Basic en us Package
LanguageFeatures Handwriting en us Package
LanguageFeatures OCR en us Package
LanguageFeatures Speech en us Package
LanguageFeatures TextToSpeech en us Package
MSPaint FoD Package
MediaPlayer Package
Microsoft OneCore ApplicationModel Sync Desktop FOD Package
Microsoft OneCore DirectX Database FOD Package
NetFx3 OnDemand Package
Notepad FoD Package
OpenSSH Client Package
PowerShell ISE FOD Package
Printing PMCPPC FoD Package
Printing WFS FoD Package
ProfessionalEdition
QuickAssist Package
RollupFix
ServicingStack
ServicingStack 3989
StepsRecorder Package
TabletPCMath Package
UserExperience Desktop Package
WordPad FoD Package

Add for printing

MALICIOUS
- Antivirus name has been found in the command line (generic signature)
  - AVGUI.exe (PID: 9348)
  - AVGUI.exe (PID: 3944)
  - AVGUI.exe (PID: 7624)
  - AVGUI.exe (PID: 5476)
  - AVGUI.exe (PID: 9852)
  - AVGUI.exe (PID: 7084)
SUSPICIOUS
- Executes application which crashes
  - unir-pdf-3.8-installer_Bh-Xff1.tmp (PID: 3792)
- Executable content was dropped or overwritten
  - unir-pdf-3.8-installer_Bh-Xff1.tmp (PID: 3792)
  - icarus.exe (PID: 7784)
  - avg_antivirus_free_online_setup.exe (PID: 5324)
  - unir-pdf-3.8-installer_Bh-Xff1.exe (PID: 5400)
  - unir-pdf-3.8-installer_Bh-Xff1.exe (PID: 4432)
  - avg_antivirus_free_setup.exe (PID: 5652)
  - icarus.exe (PID: 7744)
  - unir_pdf.exe (PID: 1200)
  - engsup.exe (PID: 8288)
  - icarus.exe (PID: 7764)
  - unir-pdf.tmp (PID: 5240)
  - unir-pdf.exe (PID: 8880)
  - AvEmUpdate.exe (PID: 6368)
  - AVGSvc.exe (PID: 8940)
  - unir_pdf.exe (PID: 7136)
  - unir_pdf.tmp (PID: 784)
  - aswOfferTool.exe (PID: 6232)
- Starts itself from another location
  - icarus.exe (PID: 7784)
- Process drops legitimate windows executable
  - icarus.exe (PID: 7744)
  - unir_pdf.tmp (PID: 784)
- The process drops C-runtime libraries
  - icarus.exe (PID: 7744)
- Drops a system driver (possible attempt to evade defenses)
  - icarus.exe (PID: 7744)
  - engsup.exe (PID: 8288)
- Executes as Windows Service
  - avgToolsSvc.exe (PID: 7408)
  - wsc_proxy.exe (PID: 7572)
  - afwServ.exe (PID: 6152)
  - AVGSvc.exe (PID: 8940)
  - aswidsagent.exe (PID: 9684)
- Application launched itself
  - AVGUI.exe (PID: 9348)
INFO
- Executable content was dropped or overwritten
  - WinRAR.exe (PID: 5828)
  - msedge.exe (PID: 6820)
  - msedge.exe (PID: 1160)
  - msedge.exe (PID: 6364)
- The process uses the downloaded file
  - WinRAR.exe (PID: 5828)
- Application launched itself
  - msedge.exe (PID: 2360)
  - msedge.exe (PID: 6820)
- Manual execution by a user
  - unir-pdf-3.8-installer_Bh-Xff1.exe (PID: 4432)
  - msedge.exe (PID: 6820)
  - AVGUI.exe (PID: 9348)
  - unir-pdf.exe (PID: 11216)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.zip	\|	ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion:	20
ZipBitFlag:	0x0001
ZipCompression:	Deflated
ZipModifyDate:	2024:10:25 07:06:38
ZipCRC:	0xe4790875
ZipCompressedSize:	1224532
ZipUncompressedSize:	1724984
ZipFileName:	unir-pdf-3.8-installer_Bh-Xff1.exe

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

302

Monitored processes

155

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

528

"C:\Users\admin\AppData\Local\Temp\is-O4J2U.tmp\unir-pdf-3.8-installer_Bh-Xff1.tmp" /SL5="$902DE,781278,776192,C:\Users\admin\Desktop\unir-pdf-3.8-installer_Bh-Xff1.exe"

C:\Users\admin\AppData\Local\Temp\is-O4J2U.tmp\unir-pdf-3.8-installer_Bh-Xff1.tmp

—

unir-pdf-3.8-installer_Bh-Xff1.exe

User:

admin

Company:

Integrity Level:

MEDIUM

Description:

Setup/Uninstall

Exit code:

3221226525

Version:

51.1052.0.0

Modules

Images
c:\users\admin\appdata\local\temp\is-o4j2u.tmp\unir-pdf-3.8-installer_bh-xff1.tmp
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\comdlg32.dll

784

"C:\Users\admin\AppData\Local\Temp\is-889GB.tmp\unir_pdf.tmp" /SL5="$D021E,13528197,845824,C:\Users\admin\Downloads\unir_pdf.exe" /SPAWNWND=$A021A /NOTIFYWND=$B03AE

C:\Users\admin\AppData\Local\Temp\is-889GB.tmp\unir_pdf.tmp

unir_pdf.exe

User:

admin

Company:

convertidor-de-pdf.com

Integrity Level:

HIGH

Description:

Setup/Uninstall

Exit code:

Version:

51.1052.0.0

864

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=6352 --field-trial-handle=2468,i,14379791176338782251,16541232520826675272,262144 --variations-seed-version /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

—

msedge.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

LOW

Description:

Microsoft Edge

Exit code:

Version:

122.0.2365.59

864

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=10172 --field-trial-handle=2468,i,14379791176338782251,16541232520826675272,262144 --variations-seed-version /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

—

msedge.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

LOW

Description:

Microsoft Edge

Exit code:

Version:

122.0.2365.59

1112

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=6032 --field-trial-handle=2468,i,14379791176338782251,16541232520826675272,262144 --variations-seed-version /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

—

msedge.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

LOW

Description:

Microsoft Edge

Exit code:

Version:

122.0.2365.59

1160

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=2100 --field-trial-handle=2468,i,14379791176338782251,16541232520826675272,262144 --variations-seed-version /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

msedge.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Microsoft Edge

Version:

122.0.2365.59

Modules

Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

1184

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=59 --mojo-platform-channel-handle=6244 --field-trial-handle=2468,i,14379791176338782251,16541232520826675272,262144 --variations-seed-version /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

—

msedge.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

LOW

Description:

Microsoft Edge

Version:

122.0.2365.59

Modules

Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

1200

"C:\Users\admin\Downloads\unir_pdf.exe"

C:\Users\admin\Downloads\unir_pdf.exe

msedge.exe

User:

admin

Company:

convertidor-de-pdf.com

Integrity Level:

MEDIUM

Description:

Unir PDF Setup

Exit code:

Version:

1244

"C:\Program Files\AVG\Antivirus\SetupInf.exe" /uninstall /netservice:avgNdisFlt /catalog:avgNdisFlt.cat

C:\Program Files\AVG\Antivirus\SetupInf.exe

—

icarus.exe

User:

admin

Company:

Gen Digital Inc.

Integrity Level:

HIGH

Description:

AVG Antivirus Installer

Exit code:

Version:

24.10.9535.0

1344

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=5436 --field-trial-handle=2468,i,14379791176338782251,16541232520826675272,262144 --variations-seed-version /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

—

msedge.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

LOW

Description:

Microsoft Edge

Exit code:

Version:

122.0.2365.59

Add for printing

Total events

18 422

Read events

18 340

Write events

Delete events

Modification events


(PID) Process:	(5828) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	1
Value: C:\Users\admin\Desktop\GoogleChromeEnterpriseBundle64.zip
(PID) Process:	(5828) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	0
Value: C:\Users\admin\Desktop\MDE_File_Sample_b08eb259aba0cac2de72ef74df3f4b3edad9da9b.zip
(PID) Process:	(5828) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	name
Value: 120
(PID) Process:	(5828) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	size
Value: 80
(PID) Process:	(5828) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	type
Value: 120
(PID) Process:	(5828) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	mtime
Value: 100
(PID) Process:	(5828) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface
Operation:	write	Name:	ShowPassword
Value: 0
(PID) Process:	(5828) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface\MainWin
Operation:	write	Name:	Placement
Value: 2C0000000000000001000000FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF3D0000002D000000FD03000016020000
(PID) Process:	(5828) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\ArcColumnWidths
Operation:	write	Name:	name
Value: 256
(PID) Process:	(5828) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\ArcColumnWidths
Operation:	write	Name:	size
Value: 80

Add for printing

Executable files

777

Suspicious files

2 341

Text files

455

Unknown types

Dropped files

PID	Process	Filename		Type
5400	unir-pdf-3.8-installer_Bh-Xff1.exe	C:\Users\admin\AppData\Local\Temp\is-BI473.tmp\unir-pdf-3.8-installer_Bh-Xff1.tmp		executable
		MD5:4CC9DDB18514C94300FD78FE002B0D2F	SHA256:C4A5100DCF1EB5DC959E50E36A710C92A53A5C77D0569EE03293142E0EB43FC4
3792	unir-pdf-3.8-installer_Bh-Xff1.tmp	C:\Users\admin\AppData\Local\Temp\is-5JF7I.tmp\Y.png		image
		MD5:C199687E52F7393C941A143B45D78207	SHA256:0EB767424750B6F8C22AE5EBB105C5C37B3A047EED986FFA6DEBA53EFDC2142E
4432	unir-pdf-3.8-installer_Bh-Xff1.exe	C:\Users\admin\AppData\Local\Temp\is-O4J2U.tmp\unir-pdf-3.8-installer_Bh-Xff1.tmp		executable
		MD5:4CC9DDB18514C94300FD78FE002B0D2F	SHA256:C4A5100DCF1EB5DC959E50E36A710C92A53A5C77D0569EE03293142E0EB43FC4
3792	unir-pdf-3.8-installer_Bh-Xff1.tmp	C:\Users\admin\AppData\Local\Temp\is-5JF7I.tmp\_isetup\_setup64.tmp		executable
		MD5:E4211D6D009757C078A9FAC7FF4F03D4	SHA256:388A796580234EFC95F3B1C70AD4CB44BFDDC7BA0F9203BF4902B9929B136F95
3792	unir-pdf-3.8-installer_Bh-Xff1.tmp	C:\Users\admin\AppData\Local\Temp\is-5JF7I.tmp\is-QOG7D.tmp		image
		MD5:CFAB9ACEF1912BD2E33156AD2E950B9C	SHA256:896D5A2418CCC46C7AC21220EFAF38D0CCF935654A16A947C8BB9958F85B9254
5828	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DRb5828.35416\unir-pdf-3.8-installer_Bh-Xff1.exe		executable
		MD5:8426BEB5FCCE7F956F03A3A8639CB044	SHA256:2B5F752017206A0A1D56534BFE893DDA69E9AB7FFA97DD5DBE044410C86C1E8D
3792	unir-pdf-3.8-installer_Bh-Xff1.tmp	C:\Users\admin\AppData\Local\Temp\is-5JF7I.tmp\is-U6HEE.tmp		image
		MD5:AEE8E80B35DCB3CF2A5733BA99231560	SHA256:35BBD8F390865173D65BA2F38320A04755541A0783E9F825FDB9862F80D97AA9
3792	unir-pdf-3.8-installer_Bh-Xff1.tmp	C:\Users\admin\AppData\Local\Temp\is-5JF7I.tmp\image.jpg		image
		MD5:CFAB9ACEF1912BD2E33156AD2E950B9C	SHA256:896D5A2418CCC46C7AC21220EFAF38D0CCF935654A16A947C8BB9958F85B9254
3792	unir-pdf-3.8-installer_Bh-Xff1.tmp	C:\Users\admin\AppData\Local\Temp\is-5JF7I.tmp\100.png		image
		MD5:AEE8E80B35DCB3CF2A5733BA99231560	SHA256:35BBD8F390865173D65BA2F38320A04755541A0783E9F825FDB9862F80D97AA9
3792	unir-pdf-3.8-installer_Bh-Xff1.tmp	C:\Users\admin\AppData\Local\Temp\is-5JF7I.tmp\N.png		image
		MD5:1A01027365500D86730A737EB32CBF2A	SHA256:D79A97538B93179012A5EBEBDE873EDC18E30A0287953800F7AA7EA4F25724E1

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

709

DNS requests

659

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
6380	SIHClient.exe	GET	200	88.221.169.152:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl	unknown	—	—	whitelisted
1160	msedge.exe	GET	200	192.229.221.95:80	http://cacerts.rapidssl.com/RapidSSLTLSRSACAG1.crt	unknown	—	—	whitelisted
4360	SearchApp.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAUZZSZEml49Gjh0j13P68w%3D	unknown	—	—	whitelisted
7144	backgroundTaskHost.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D	unknown	—	—	whitelisted
7508	WerFault.exe	GET	200	2.16.164.9:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
—	—	HEAD	200	199.232.214.172:80	http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/c08f1970-45bc-4dbe-8166-4ecef7a1f617?P1=1730419159&P2=404&P3=2&P4=g0vopL4E2sMgYSTqNT3KLG%2b2MQgzkv%2bFEwKNMNOXP8ua9xnd52BtDeai9%2bnNJRNNcqE0UORZCPhotqO8dUeyFQ%3d%3d	unknown	—	—	whitelisted
9064	svchost.exe	GET	206	199.232.214.172:80	http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/c08f1970-45bc-4dbe-8166-4ecef7a1f617?P1=1730419159&P2=404&P3=2&P4=g0vopL4E2sMgYSTqNT3KLG%2b2MQgzkv%2bFEwKNMNOXP8ua9xnd52BtDeai9%2bnNJRNNcqE0UORZCPhotqO8dUeyFQ%3d%3d	unknown	—	—	whitelisted
7508	WerFault.exe	GET	200	88.221.169.152:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
9064	svchost.exe	GET	206	199.232.214.172:80	http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/c08f1970-45bc-4dbe-8166-4ecef7a1f617?P1=1730419159&P2=404&P3=2&P4=g0vopL4E2sMgYSTqNT3KLG%2b2MQgzkv%2bFEwKNMNOXP8ua9xnd52BtDeai9%2bnNJRNNcqE0UORZCPhotqO8dUeyFQ%3d%3d	unknown	—	—	whitelisted
—	—	GET	206	199.232.214.172:80	http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/c08f1970-45bc-4dbe-8166-4ecef7a1f617?P1=1730419159&P2=404&P3=2&P4=g0vopL4E2sMgYSTqNT3KLG%2b2MQgzkv%2bFEwKNMNOXP8ua9xnd52BtDeai9%2bnNJRNNcqE0UORZCPhotqO8dUeyFQ%3d%3d	unknown	—	—	whitelisted

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:137	—	—	—	whitelisted
1588	RUXIMICS.exe	51.104.136.2:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
5488	MoUsoCoreWorker.exe	51.104.136.2:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
6944	svchost.exe	51.104.136.2:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
6944	svchost.exe	20.72.205.209:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
6944	svchost.exe	2.16.164.9:80	crl.microsoft.com	Akamai International B.V.	NL	whitelisted
6944	svchost.exe	95.101.149.131:80	www.microsoft.com	Akamai International B.V.	NL	whitelisted
3792	unir-pdf-3.8-installer_Bh-Xff1.tmp	65.9.7.228:443	d69gcyt8k9bu2.cloudfront.net	AMAZON-02	US	whitelisted
5488	MoUsoCoreWorker.exe	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted

DNS requests

Domain	IP	Reputation
google.com	216.58.206.46 216.58.212.174	whitelisted
settings-win.data.microsoft.com	20.72.205.209 4.231.128.59 52.137.106.217	whitelisted
crl.microsoft.com	2.16.164.9 2.16.164.49	whitelisted
www.microsoft.com	95.101.149.131 88.221.169.152	whitelisted
d69gcyt8k9bu2.cloudfront.net	65.9.7.228 65.9.7.98 65.9.7.85 65.9.7.45	whitelisted
images.sftcdn.net	151.101.1.91 151.101.65.91 151.101.129.91 151.101.193.91	whitelisted
www.bing.com	2.23.209.178 2.23.209.179 2.23.209.177 2.23.209.176 2.23.209.171 2.23.209.180 2.23.209.174 2.23.209.173 2.23.209.181 2.23.209.166 2.23.209.154 2.23.209.162 2.23.209.160 2.23.209.161 2.23.209.156 2.23.209.158 2.23.209.137 2.23.209.189 2.23.209.130 2.23.209.140 2.23.209.193 2.23.209.149 2.23.209.133 2.23.209.144 2.23.209.142 2.16.110.177 2.16.110.168 2.16.110.170 2.16.110.179 2.16.110.138 2.16.110.137 2.16.110.169 2.16.110.152 2.16.110.171 2.16.110.121 2.16.110.136 2.16.110.203 2.16.110.130 2.16.110.131 2.16.110.161 2.16.110.163 2.16.110.146 2.16.110.145	whitelisted
ocsp.digicert.com	192.229.221.95	whitelisted
login.live.com	20.190.159.0 20.190.159.68 20.190.159.75 20.190.159.64 40.126.31.71 20.190.159.4 20.190.159.73 40.126.31.73	whitelisted
th.bing.com	2.23.209.189 2.23.209.133 2.23.209.193 2.23.209.137 2.23.209.191 2.23.209.141 2.23.209.132 2.23.209.130 2.23.209.140 2.23.209.182 2.23.209.162 2.23.209.173 2.23.209.179 2.23.209.177 2.23.209.181 2.23.209.166 2.23.209.176 2.23.209.171	whitelisted

Threats

PID	Process	Class	Message
1160	msedge.exe	Not Suspicious Traffic	INFO [ANY.RUN] Google Hosted Libraries (ajax .googleapis .com)
1160	msedge.exe	Not Suspicious Traffic	INFO [ANY.RUN] Google Hosted Libraries (ajax .googleapis .com)
—	—	Misc activity	ET INFO External IP Lookup Service in DNS Query (ip-info .ff .avast .com)
—	—	Misc activity	ET INFO Observed External IP Lookup Domain (ip-info .ff .avast .com) in TLS SNI
—	—	Misc activity	ET INFO External IP Lookup Service in DNS Query (ip-info .ff .avast .com)
—	—	Misc activity	ET INFO External IP Lookup Service in DNS Query (ip-info .ff .avast .com)
—	—	Misc activity	ET INFO Observed External IP Lookup Domain (ip-info .ff .avast .com) in TLS SNI
—	—	Misc activity	ET INFO External IP Lookup Service in DNS Query (ip-info .ff .avast .com)
—	—	Misc activity	ET INFO Observed External IP Lookup Domain (ip-info .ff .avast .com) in TLS SNI
—	—	Not Suspicious Traffic	INFO [ANY.RUN] Google Hosted Libraries (ajax .googleapis .com)

Add for printing

Process	Message
msedge.exe	[1025/070836.996:ERROR:device_ticket.cc(187)] The identity is null.
msedge.exe	[1025/070837.979:ERROR:filesystem_win.cc(128)] GetFileAttributes C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\attachments\acdc4d55-d1fe-454b-89f2-d852a95caeb5: The system cannot find the file specified. (0x2)
msedge.exe	[1025/070837.989:ERROR:filesystem_win.cc(128)] GetFileAttributes C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\attachments\acdc4d55-d1fe-454b-89f2-d852a95caeb5: The system cannot find the file specified. (0x2)
msedge.exe	[1025/070838.025:ERROR:filesystem_win.cc(128)] GetFileAttributes C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\attachments\acdc4d55-d1fe-454b-89f2-d852a95caeb5: The system cannot find the file specified. (0x2)
msedge.exe	[1025/070838.025:ERROR:filesystem_win.cc(128)] GetFileAttributes C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\attachments\acdc4d55-d1fe-454b-89f2-d852a95caeb5: The system cannot find the file specified. (0x2)

General Info

MDE_File_Sample_b08eb259aba0cac2de72ef74df3f4b3edad9da9b.zip

6A1894C5A407AAE268F2FF41F2C5459C

7502FC934D15B12ECF7112296B515D5445B30B18

9417312174B3006D85CD4A927DEABE3D6EAE6756913BF2649E62742BE22E22ED

49152:rPDtOpZV/XyrYPoSVskScatC03KlTwchEg/iza5kU32cqnTXYnFC2jd9Zb8TFFMS:rBOTV/XykzuC03Kljyg/izw32cyY5jdO

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Antivirus name has been found in the command line (generic signature)

SUSPICIOUS

Executes application which crashes

Executable content was dropped or overwritten

Starts itself from another location

Process drops legitimate windows executable

The process drops C-runtime libraries

Drops a system driver (possible attempt to evade defenses)

Executes as Windows Service

Application launched itself

INFO

Executable content was dropped or overwritten

The process uses the downloaded file

Application launched itself

Manual execution by a user

Malware configuration

Static information

TRiD

EXIF

ZIP

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Information

Information

Information

Information

Modules

Information

Modules

Information

Information

Information

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings