File name: E-portal.html

Full analysis: https://app.any.run/tasks/29bc8b66-458b-474f-9c6d-a6ad6d1af313
Verdict: Malicious activity
Analysis date: July 23, 2024, 11:48:08
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags: ateraagent
MIME: text/html
File info: HTML document, ASCII text, with very long lines (64414)
MD5: EF4D30FCC1E37EBC362F81918824EF8D
SHA1: 21118ACD97C0780FB4F7C5DAC8736158988FEFDB
SHA256: C44939E5E44096B8BACBA52BC8B7F1B9F0934EDB6DB5C733CE525996F6374E0A
SSDEEP: 3072:sVUSNnIGCqh2/xS5i7zfEL8C9h+ZdhVvyg+E/1:rcIGN58TELdT+ZAgR/1

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • ATERAAGENT has been detected (YARA)

      • msiexec.exe (PID: 3800)
      • msiexec.exe (PID: 5904)
    • Drops the executable file immediately after the start

      • msiexec.exe (PID: 5904)
      • AteraAgent.exe (PID: 1956)
    • Starts NET.EXE for service management

      • msiexec.exe (PID: 3068)
      • net.exe (PID: 1148)
      • net.exe (PID: 2120)
      • msiexec.exe (PID: 7156)
  • SUSPICIOUS

    • Process drops legitimate windows executable

      • msedge.exe (PID: 4328)
      • WinRAR.exe (PID: 7248)
      • msedge.exe (PID: 5052)
      • msiexec.exe (PID: 5904)
      • rundll32.exe (PID: 1148)
      • rundll32.exe (PID: 8148)
      • rundll32.exe (PID: 5928)
      • rundll32.exe (PID: 1148)
    • Executes as Windows Service

      • VSSVC.exe (PID: 1564)
      • AteraAgent.exe (PID: 1956)
      • AteraAgent.exe (PID: 7848)
    • Checks Windows Trust Settings

      • msiexec.exe (PID: 5904)
      • AteraAgent.exe (PID: 7628)
      • AteraAgent.exe (PID: 5808)
    • Reads the Windows owner or organization settings

      • msiexec.exe (PID: 5904)
    • Executable content was dropped or overwritten

      • rundll32.exe (PID: 1148)
      • rundll32.exe (PID: 8148)
      • rundll32.exe (PID: 5928)
      • rundll32.exe (PID: 1148)
      • AteraAgent.exe (PID: 1956)
    • Uses TASKKILL.EXE to kill process

      • msiexec.exe (PID: 3068)
      • msiexec.exe (PID: 7156)
    • Reads security settings of Internet Explorer

      • AteraAgent.exe (PID: 7628)
      • AteraAgent.exe (PID: 1956)
      • AteraAgent.exe (PID: 7848)
      • AteraAgent.exe (PID: 5808)
    • Starts SC.EXE for service management

      • AteraAgent.exe (PID: 1956)
      • AteraAgent.exe (PID: 7848)
    • Reads the date of Windows installation

      • AteraAgent.exe (PID: 1956)
      • AteraAgent.exe (PID: 7848)
    • Potential Corporate Privacy Violation

      • rundll32.exe (PID: 8148)
      • AteraAgent.exe (PID: 1956)
      • AgentPackageAgentInformation.exe (PID: 7452)
      • rundll32.exe (PID: 1148)
      • AgentPackageAgentInformation.exe (PID: 5684)
      • AgentPackageAgentInformation.exe (PID: 3380)
      • AteraAgent.exe (PID: 7848)
      • AgentPackageAgentInformation.exe (PID: 8168)
  • INFO

    • The process uses the downloaded file

      • msedge.exe (PID: 6112)
      • msedge.exe (PID: 5052)
      • WinRAR.exe (PID: 7248)
    • Checks supported languages

      • identity_helper.exe (PID: 7180)
      • TextInputHost.exe (PID: 3056)
      • msiexec.exe (PID: 5904)
      • msiexec.exe (PID: 5748)
      • msiexec.exe (PID: 3068)
      • AteraAgent.exe (PID: 7628)
      • AteraAgent.exe (PID: 1956)
      • AgentPackageAgentInformation.exe (PID: 7452)
      • AgentPackageAgentInformation.exe (PID: 3380)
      • AgentPackageAgentInformation.exe (PID: 5684)
      • AteraAgent.exe (PID: 5808)
      • msiexec.exe (PID: 2864)
      • msiexec.exe (PID: 7156)
      • AgentPackageAgentInformation.exe (PID: 8168)
      • AteraAgent.exe (PID: 7848)
    • Drops the executable file immediately after the start

      • msedge.exe (PID: 4328)
      • msedge.exe (PID: 5052)
      • WinRAR.exe (PID: 7248)
      • rundll32.exe (PID: 1148)
      • rundll32.exe (PID: 8148)
      • rundll32.exe (PID: 5928)
      • rundll32.exe (PID: 1148)
    • Reads Environment values

      • identity_helper.exe (PID: 7180)
      • AteraAgent.exe (PID: 7628)
      • AteraAgent.exe (PID: 1956)
      • AgentPackageAgentInformation.exe (PID: 7452)
      • AgentPackageAgentInformation.exe (PID: 3380)
      • AgentPackageAgentInformation.exe (PID: 5684)
      • AteraAgent.exe (PID: 5808)
      • AteraAgent.exe (PID: 7848)
      • AgentPackageAgentInformation.exe (PID: 8168)
    • Manual execution by a user

      • msiexec.exe (PID: 3800)
      • msiexec.exe (PID: 6672)
    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 7248)
      • msiexec.exe (PID: 5904)
    • Reads the computer name

      • TextInputHost.exe (PID: 3056)
      • identity_helper.exe (PID: 7180)
      • msiexec.exe (PID: 5904)
      • msiexec.exe (PID: 5748)
      • msiexec.exe (PID: 3068)
      • AteraAgent.exe (PID: 7628)
      • AteraAgent.exe (PID: 1956)
      • AgentPackageAgentInformation.exe (PID: 3380)
      • AgentPackageAgentInformation.exe (PID: 7452)
      • AgentPackageAgentInformation.exe (PID: 5684)
      • AteraAgent.exe (PID: 5808)
      • msiexec.exe (PID: 2864)
      • msiexec.exe (PID: 7156)
      • AteraAgent.exe (PID: 7848)
      • AgentPackageAgentInformation.exe (PID: 8168)
    • Checks proxy server information

      • slui.exe (PID: 8052)
      • msiexec.exe (PID: 3800)
      • rundll32.exe (PID: 1148)
      • rundll32.exe (PID: 8148)
    • Reads security settings of Internet Explorer

      • msiexec.exe (PID: 3800)
    • Reads Microsoft Office registry keys

      • msedge.exe (PID: 5052)
    • Application launched itself

      • msedge.exe (PID: 5052)
    • Creates files or folders in the user directory

      • msiexec.exe (PID: 3800)
    • Reads the software policy settings

      • msiexec.exe (PID: 3800)
      • slui.exe (PID: 8052)
      • msiexec.exe (PID: 5904)
      • rundll32.exe (PID: 8148)
      • AteraAgent.exe (PID: 7628)
      • AteraAgent.exe (PID: 1956)
      • rundll32.exe (PID: 1148)
      • AgentPackageAgentInformation.exe (PID: 3380)
      • AgentPackageAgentInformation.exe (PID: 7452)
      • AgentPackageAgentInformation.exe (PID: 5684)
      • AteraAgent.exe (PID: 5808)
      • AteraAgent.exe (PID: 7848)
      • AgentPackageAgentInformation.exe (PID: 8168)
    • Reads the machine GUID from the registry

      • msiexec.exe (PID: 5904)
      • AteraAgent.exe (PID: 1956)
      • AgentPackageAgentInformation.exe (PID: 3380)
      • AgentPackageAgentInformation.exe (PID: 7452)
      • AgentPackageAgentInformation.exe (PID: 5684)
      • AteraAgent.exe (PID: 5808)
      • AteraAgent.exe (PID: 7848)
      • AgentPackageAgentInformation.exe (PID: 8168)
      • AteraAgent.exe (PID: 7628)
    • Create files in a temporary directory

      • rundll32.exe (PID: 1148)
      • rundll32.exe (PID: 8148)
      • rundll32.exe (PID: 5928)
      • rundll32.exe (PID: 1148)
    • Disables trace logs

      • rundll32.exe (PID: 8148)
      • AteraAgent.exe (PID: 1956)
      • rundll32.exe (PID: 1148)
      • AgentPackageAgentInformation.exe (PID: 3380)
      • AgentPackageAgentInformation.exe (PID: 7452)
      • AgentPackageAgentInformation.exe (PID: 5684)
      • AteraAgent.exe (PID: 7848)
      • AgentPackageAgentInformation.exe (PID: 8168)
    • Creates a software uninstall entry

      • msiexec.exe (PID: 5904)
    • Creates files in the program directory

      • AteraAgent.exe (PID: 7628)
      • AteraAgent.exe (PID: 1956)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.htm/html | HyperText Markup Language with DOCTYPE (80.6)
.html | HyperText Markup Language (19.3)

EXIF

HTML

ContentType: text/html; charset=utf-8
Title: 240e4517-6a6d-4bcc-8209-a76bb55f78db
Author: Philip Rowell
No data.
All screenshots are available in the full report
Total processes: 250
Monitored processes: 102
Malicious processes: 4
Suspicious processes: 7


Process information

PID
CMD
Path
Indicators
Parent process
PID: 204
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=39 --mojo-platform-channel-handle=7828 --field-trial-handle=2336,i,1926823333321066362,16573315184114593770,262144 --variations-seed-version /prefetch:1
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 1148
CMD: rundll32.exe "C:\WINDOWS\Installer\MSI9699.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_1021750 2 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.GenerateAgentId
Path: C:\Windows\SysWOW64\rundll32.exe
Parent process: msiexec.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows host process (Rundll32)
Exit code:
0
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\rundll32.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\aclayers.dll
PID: 1148
CMD: "NET" STOP AteraAgent
Path: C:\Windows\SysWOW64\net.exe
Parent process: msiexec.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Net Command
Exit code:
2
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\net.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\advapi32.dll
PID: 1148
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=9116 --field-trial-handle=2336,i,1926823333321066362,16573315184114593770,262144 --variations-seed-version /prefetch:8
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 1148
CMD: rundll32.exe "C:\WINDOWS\Installer\MSIB544.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_1029484 32 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.ReportMsiEnd
Path: C:\Windows\SysWOW64\rundll32.exe
Parent process: msiexec.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows host process (Rundll32)
Exit code:
0
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\rundll32.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\aclayers.dll
PID: 1552
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=26 --mojo-platform-channel-handle=6860 --field-trial-handle=2336,i,1926823333321066362,16573315184114593770,262144 --variations-seed-version /prefetch:1
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 1564
CMD: C:\WINDOWS\system32\vssvc.exe
Path: C:\Windows\System32\VSSVC.exe
Parent process: services.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Microsoft® Volume Shadow Copy Service
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\vssvc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 1956
CMD: "C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe"
Path: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
Parent process: services.exe
User:
SYSTEM
Company:
ATERA Networks Ltd.
Integrity Level:
SYSTEM
Description:
AteraAgent
Exit code:
1
Version:
1.8.7.2
Modules
Images
c:\program files (x86)\atera networks\ateraagent\ateraagent.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
PID: 1996
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: net.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 2100
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=5148 --field-trial-handle=2336,i,1926823333321066362,16573315184114593770,262144 --variations-seed-version /prefetch:8
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
Total events: 73 810
Read events: 73 168
Write events: 600
Delete events: 42

Modification events

Process: (5052) msedge.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\BLBeacon
Operation: write
Name: failed_count
Value: 0

Process: (5052) msedge.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\BLBeacon
Operation: write
Name: state
Value: 2

Process: (5052) msedge.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\ThirdParty
Operation: write
Name: StatusCodes
Value:

Process: (5052) msedge.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\ThirdParty
Operation: write
Name: StatusCodes
Value: 01000000

Process: (5052) msedge.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\BLBeacon
Operation: write
Name: state
Value: 1

Process: (5052) msedge.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\EdgeUpdate\ClientState\{56EB18F8-B008-4CBD-B6D2-8C97FE7E9062}
Operation: write
Name: dr
Value: 1

Process: (5052) msedge.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\StabilityMetrics
Operation: write
Name: user_experience_metrics.stability.exited_cleanly
Value: 0

Process: (5052) msedge.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge
Operation: write
Name: UsageStatsInSample
Value: 1

Process: (5052) msedge.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\EdgeUpdate\ClientStateMedium\{56EB18F8-B008-4CBD-B6D2-8C97FE7E9062}
Operation: write
Name: usagestats
Value: 0

Process: (5052) msedge.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\EdgeUpdate\ClientStateMedium\{56EB18F8-B008-4CBD-B6D2-8C97FE7E9062}
Operation: write
Name: urlstats
Value: 0
Executable files: 59
Suspicious files: 675
Text files: 203
Unknown types: 12

Dropped files

PID | Process | Filename
5052 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\commerce_subscription_db\LOG.old~RFe0ccd.TMP
5052 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\parcel_tracking_db\LOG.old~RFe0ccd.TMP
5052 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\discounts_db\LOG.old~RFe0ccd.TMP
5052 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\commerce_subscription_db\LOG.old
5052 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\parcel_tracking_db\LOG.old
5052 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\discounts_db\LOG.old
5052 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\PersistentOriginTrials\LOG.old~RFe0ccd.TMP
5052 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\PersistentOriginTrials\LOG.old
5052 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\EdgePushStorageWithConnectTokenAndKey\LOG.old~RFe0ccd.TMP
5052 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\EdgePushStorageWithConnectTokenAndKey\LOG.old
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 32
TCP/UDP connections: 203
DNS requests: 196
Threats: 22

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
 |  | GET | 304 | 2.16.241.13:80 | http://apps.identrust.com/roots/dstrootcax3.p7c | unknown | whitelisted
4328 | msedge.exe | GET | 304 | 2.23.197.184:80 | http://x1.i.lencr.org/ | unknown | whitelisted
4328 | msedge.exe | GET | 304 | 2.23.197.184:80 | http://r3.i.lencr.org/ | unknown | whitelisted
880 | svchost.exe | HEAD | 200 | 23.50.131.72:80 | http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/6e6d05a2-47e8-42b8-85a0-e8b7ee48333a?P1=1722298066&P2=404&P3=2&P4=e4Zrj5zsbJ4c%2b2hjaK2QZU4t5UFXo5sO%2bpUHDQtqbZfqRtHlRGXhkd0HNN6zUOf7b1SnKh4BnF1chZiiFK6HIw%3d%3d | unknown | whitelisted
880 | svchost.exe | GET | 206 | 23.50.131.72:80 | http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/6e6d05a2-47e8-42b8-85a0-e8b7ee48333a?P1=1722298066&P2=404&P3=2&P4=e4Zrj5zsbJ4c%2b2hjaK2QZU4t5UFXo5sO%2bpUHDQtqbZfqRtHlRGXhkd0HNN6zUOf7b1SnKh4BnF1chZiiFK6HIw%3d%3d | unknown | whitelisted
880 | svchost.exe | GET | 206 | 23.50.131.72:80 | http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/6e6d05a2-47e8-42b8-85a0-e8b7ee48333a?P1=1722298066&P2=404&P3=2&P4=e4Zrj5zsbJ4c%2b2hjaK2QZU4t5UFXo5sO%2bpUHDQtqbZfqRtHlRGXhkd0HNN6zUOf7b1SnKh4BnF1chZiiFK6HIw%3d%3d | unknown | whitelisted
880 | svchost.exe | GET | 206 | 23.50.131.72:80 | http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/6e6d05a2-47e8-42b8-85a0-e8b7ee48333a?P1=1722298066&P2=404&P3=2&P4=e4Zrj5zsbJ4c%2b2hjaK2QZU4t5UFXo5sO%2bpUHDQtqbZfqRtHlRGXhkd0HNN6zUOf7b1SnKh4BnF1chZiiFK6HIw%3d%3d | unknown | whitelisted
880 | svchost.exe | GET | 206 | 23.50.131.72:80 | http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/6e6d05a2-47e8-42b8-85a0-e8b7ee48333a?P1=1722298066&P2=404&P3=2&P4=e4Zrj5zsbJ4c%2b2hjaK2QZU4t5UFXo5sO%2bpUHDQtqbZfqRtHlRGXhkd0HNN6zUOf7b1SnKh4BnF1chZiiFK6HIw%3d%3d | unknown | whitelisted
880 | svchost.exe | HEAD | 200 | 23.50.131.72:80 | http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/07b2b28d-48a0-4636-b791-6e6129c8a3da?P1=1722298065&P2=404&P3=2&P4=TPjiMKqZGlZpL90gciS%2bP7JTH%2bNWqmUXyJtfJMq8IKhdwH5OW68P%2bqaXDhbj1OS7uWLUtUoiN3wUYLBX4fBM2w%3d%3d | unknown | whitelisted
880 | svchost.exe | GET | 206 | 23.50.131.72:80 | http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/07b2b28d-48a0-4636-b791-6e6129c8a3da?P1=1722298065&P2=404&P3=2&P4=TPjiMKqZGlZpL90gciS%2bP7JTH%2bNWqmUXyJtfJMq8IKhdwH5OW68P%2bqaXDhbj1OS7uWLUtUoiN3wUYLBX4fBM2w%3d%3d | unknown | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
3952 | svchost.exe | 239.255.255.250:1900 |  |  |  | whitelisted
4 | System | 192.168.100.255:138 |  |  |  | whitelisted
4548 | svchost.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
6012 | MoUsoCoreWorker.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4220 | RUXIMICS.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
 |  | 184.86.251.11:443 | www.bing.com | Akamai International B.V. | DE | unknown
4204 | svchost.exe | 4.209.32.67:443 |  | MICROSOFT-CORP-MSN-AS-BLOCK | US | unknown
5052 | msedge.exe | 239.255.255.250:1900 |  |  |  | whitelisted
4328 | msedge.exe | 13.107.42.16:443 | config.edge.skype.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
4328 | msedge.exe | 13.107.21.239:443 | edge.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | unknown

DNS requests

Domain | IP | Reputation
google.com | 142.250.186.78 | whitelisted
config.edge.skype.com | 13.107.42.16 | whitelisted
edge.microsoft.com | 13.107.21.239, 204.79.197.239 | whitelisted
edge-mobile-static.azureedge.net | 13.107.246.60 | whitelisted
business.bing.com | 13.107.6.158 | whitelisted
bzib.nelreports.net | 2.19.126.145, 2.19.126.152 | whitelisted
www.bing.com | (resolved IP list omitted; see the full report) | whitelisted
login.live.com | (resolved IP list omitted; see the full report) | whitelisted
edgeservices.bing.com | (resolved IP list omitted; see the full report) | whitelisted
client.wns.windows.com | 40.115.3.253 | whitelisted

Threats

PID | Process | Class | Message
4328 | msedge.exe | Misc activity | ET INFO File Sharing Service Related Domain in DNS Lookup (ws .onehub .com)
4328 | msedge.exe | Misc activity | ET INFO Observed File Sharing Service Related Domain (ws .onehub .com in TLS SNI)
4328 | msedge.exe | Misc activity | ET INFO File Sharing Service Related Domain in DNS Lookup (ws .onehub .com)
4328 | msedge.exe | Misc activity | ET INFO Observed File Sharing Service Related Domain (ws .onehub .com in TLS SNI)
4328 | msedge.exe | Misc activity | ET INFO Observed File Sharing Service Related Domain (ws .onehub .com in TLS SNI)
4328 | msedge.exe | Misc activity | ET INFO Observed File Sharing Service Related Domain (ws .onehub .com in TLS SNI)
4328 | msedge.exe | Potentially Bad Traffic | ET DNS Query for .cc TLD
4328 | msedge.exe | Potentially Bad Traffic | ET DNS Query for .cc TLD
14 ETPRO signatures available at the full report
No debug info