File name:

setup.zip

Full analysis: https://app.any.run/tasks/6213daae-e18e-47ec-bba2-eac859aca319
Verdict: Malicious activity
Analysis date: July 25, 2024, 13:50:22
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
antivm
crypto-regex
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract, compression method=store
MD5:

6F275E8DEDDE7F0D475C454DF6DA9DB3

SHA1:

8EF7B71463322C4F109A6E21B7123718C2DAE598

SHA256:

F90867879E21C9D25DAA3E434A25CD0288048A154896F58EC3CE28D3870B9653

SSDEEP:

98304:sPo/8fvyXIW0IJvgVLhdf3q+xMLAiPSNRdu3iWiCtFPuKzDToed08DFvjtZClJk9:QYZZqXf00u/9WXVvJFZVKHd

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Drops the executable file immediately after the start

      • WinRAR.exe (PID: 4552)
      • MicrosoftEdgeWebview2Setup.exe (PID: 1904)
      • MicrosoftEdgeUpdate.exe (PID: 6608)
      • setup.exe (PID: 3124)
      • MicrosoftEdgeWebview2Setup.exe (PID: 812)
      • setup.exe (PID: 1772)

    • Changes the autorun value in the registry

      • MicrosoftEdgeUpdate.exe (PID: 6608)

  • SUSPICIOUS

    • Process drops legitimate windows executable

      • WinRAR.exe (PID: 4552)
      • MicrosoftEdgeWebview2Setup.exe (PID: 1904)
      • MicrosoftEdgeUpdate.exe (PID: 6608)
      • setup.exe (PID: 3124)
      • MicrosoftEdgeWebview2Setup.exe (PID: 812)
      • setup.exe (PID: 1772)

    • Drops 7-zip archiver for unpacking

      • WinRAR.exe (PID: 4552)

    • Found regular expressions for crypto-addresses (YARA)

      • setup.exe (PID: 1772)
      • setup.exe (PID: 3124)

    • There is functionality for VM detection (antiVM strings)

      • setup.exe (PID: 1772)
      • setup.exe (PID: 3124)

    • Executable content was dropped or overwritten

      • MicrosoftEdgeWebview2Setup.exe (PID: 1904)
      • MicrosoftEdgeUpdate.exe (PID: 6608)
      • MicrosoftEdgeWebview2Setup.exe (PID: 812)
      • setup.exe (PID: 1772)
      • setup.exe (PID: 3124)

    • Starts a Microsoft application from unusual location

      • MicrosoftEdgeUpdate.exe (PID: 6608)
      • MicrosoftEdgeWebview2Setup.exe (PID: 812)
      • MicrosoftEdgeUpdate.exe (PID: 1544)
      • MicrosoftEdgeWebview2Setup.exe (PID: 1904)

    • Starts itself from another location

      • MicrosoftEdgeUpdate.exe (PID: 6608)
      • MicrosoftEdgeUpdate.exe (PID: 1544)

    • Creates/Modifies COM task schedule object

      • MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 5500)
      • MicrosoftEdgeUpdate.exe (PID: 5192)
      • MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 4912)
      • MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 1596)

    • Reads security settings of Internet Explorer

      • MicrosoftEdgeUpdate.exe (PID: 6608)
      • MicrosoftEdgeUpdate.exe (PID: 1544)

    • Reads the date of Windows installation

      • MicrosoftEdgeUpdate.exe (PID: 6608)
      • MicrosoftEdgeUpdate.exe (PID: 1544)

    • Application launched itself

      • MicrosoftEdgeUpdate.exe (PID: 6224)

    • There is functionality for VM detection (VMWare)

      • setup.exe (PID: 3124)
      • setup.exe (PID: 1772)

    • There is functionality for VM detection (VirtualBox)

      • setup.exe (PID: 3124)
      • setup.exe (PID: 1772)

  • INFO

    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 4552)

    • Reads Environment values

      • setup.exe (PID: 1772)
      • MicrosoftEdgeUpdate.exe (PID: 3656)
      • MicrosoftEdgeUpdate.exe (PID: 6056)
      • MicrosoftEdgeUpdate.exe (PID: 3848)
      • setup.exe (PID: 3124)
      • MicrosoftEdgeUpdate.exe (PID: 6608)
      • MicrosoftEdgeUpdate.exe (PID: 4104)

    • Checks supported languages

      • setup.exe (PID: 1772)
      • MicrosoftEdgeWebview2Setup.exe (PID: 1904)
      • MicrosoftEdgeUpdate.exe (PID: 6608)
      • MicrosoftEdgeUpdate.exe (PID: 5192)
      • MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 5500)
      • MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 4912)
      • MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 1596)
      • MicrosoftEdgeUpdate.exe (PID: 3656)
      • MicrosoftEdgeUpdate.exe (PID: 6056)
      • MicrosoftEdgeUpdate.exe (PID: 6224)
      • MicrosoftEdgeUpdate.exe (PID: 3848)
      • setup.exe (PID: 3124)
      • MicrosoftEdgeWebview2Setup.exe (PID: 812)
      • MicrosoftEdgeUpdate.exe (PID: 1544)
      • MicrosoftEdgeUpdate.exe (PID: 7128)
      • MicrosoftEdgeUpdate.exe (PID: 4104)
      • MicrosoftEdgeUpdate.exe (PID: 7080)
      • MicrosoftEdgeUpdate.exe (PID: 6316)

    • Manual execution by a user

      • setup.exe (PID: 1772)
      • setup.exe (PID: 3124)

    • Reads the computer name

      • setup.exe (PID: 1772)
      • MicrosoftEdgeUpdate.exe (PID: 6608)
      • MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 5500)
      • MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 1596)
      • MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 4912)
      • MicrosoftEdgeUpdate.exe (PID: 5192)
      • MicrosoftEdgeUpdate.exe (PID: 3656)
      • MicrosoftEdgeUpdate.exe (PID: 6056)
      • MicrosoftEdgeUpdate.exe (PID: 6224)
      • MicrosoftEdgeUpdate.exe (PID: 3848)
      • setup.exe (PID: 3124)
      • MicrosoftEdgeUpdate.exe (PID: 1544)
      • MicrosoftEdgeUpdate.exe (PID: 4104)
      • MicrosoftEdgeUpdate.exe (PID: 7128)
      • MicrosoftEdgeUpdate.exe (PID: 7080)
      • MicrosoftEdgeUpdate.exe (PID: 6316)

    • Create files in a temporary directory

      • setup.exe (PID: 1772)
      • MicrosoftEdgeWebview2Setup.exe (PID: 1904)
      • MicrosoftEdgeUpdate.exe (PID: 6608)
      • setup.exe (PID: 3124)
      • MicrosoftEdgeWebview2Setup.exe (PID: 812)

    • Reads the machine GUID from the registry

      • setup.exe (PID: 1772)
      • MicrosoftEdgeUpdate.exe (PID: 6056)
      • setup.exe (PID: 3124)

    • Reads the software policy settings

      • setup.exe (PID: 1772)
      • MicrosoftEdgeUpdate.exe (PID: 3656)
      • MicrosoftEdgeUpdate.exe (PID: 6224)
      • MicrosoftEdgeUpdate.exe (PID: 3848)
      • wermgr.exe (PID: 1080)
      • setup.exe (PID: 3124)
      • wermgr.exe (PID: 6752)
      • MicrosoftEdgeUpdate.exe (PID: 6316)

    • Creates files or folders in the user directory

      • MicrosoftEdgeUpdate.exe (PID: 6608)

    • Process checks computer location settings

      • MicrosoftEdgeUpdate.exe (PID: 6608)
      • MicrosoftEdgeUpdate.exe (PID: 6056)
      • MicrosoftEdgeUpdate.exe (PID: 1544)

    • Checks proxy server information

      • MicrosoftEdgeUpdate.exe (PID: 3656)
      • slui.exe (PID: 1408)
      • MicrosoftEdgeUpdate.exe (PID: 6224)
      • MicrosoftEdgeUpdate.exe (PID: 3848)
      • wermgr.exe (PID: 1080)
      • wermgr.exe (PID: 6752)
      • MicrosoftEdgeUpdate.exe (PID: 6316)

    • Creates files in the program directory

      • MicrosoftEdgeUpdate.exe (PID: 6056)
      • MicrosoftEdgeUpdate.exe (PID: 6608)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion: 20
ZipBitFlag: -
ZipCompression: None
ZipModifyDate: 2024:07:23 17:29:32
ZipCRC: 0x00000000
ZipCompressedSize: -
ZipUncompressedSize: -
ZipFileName: setup/
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
159
Monitored processes
23
Malicious processes
6
Suspicious processes
2

Behavior graph

Click at the process to see the details
start winrar.exe slui.exe rundll32.exe no specs THREAT setup.exe microsoftedgewebview2setup.exe microsoftedgeupdate.exe microsoftedgeupdate.exe no specs microsoftedgeupdatecomregistershell64.exe no specs microsoftedgeupdatecomregistershell64.exe no specs microsoftedgeupdatecomregistershell64.exe no specs microsoftedgeupdate.exe microsoftedgeupdate.exe no specs microsoftedgeupdate.exe microsoftedgeupdate.exe wermgr.exe THREAT setup.exe wermgr.exe microsoftedgewebview2setup.exe microsoftedgeupdate.exe no specs microsoftedgeupdate.exe no specs microsoftedgeupdate.exe no specs microsoftedgeupdate.exe no specs microsoftedgeupdate.exe

Process information

PID
CMD
Path
Indicators
Parent process
812C:\Users\admin\AppData\Local\Temp\MicrosoftEdgeWebview2Setup.exeC:\Users\admin\AppData\Local\Temp\MicrosoftEdgeWebview2Setup.exe
setup.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Edge Update Setup
Version:
1.3.193.5
Modules
Images
c:\users\admin\appdata\local\temp\microsoftedgewebview2setup.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\advapi32.dll
c:\windows\syswow64\msvcrt.dll
1080"C:\WINDOWS\system32\wermgr.exe" "-outproc" "0" "6056" "1052" "1088" "1048" "0" "0" "0" "0" "0" "0" "0" "0" C:\Windows\SysWOW64\wermgr.exe
MicrosoftEdgeUpdate.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Problem Reporting
Exit code:
0
Version:
10.0.19041.3996 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\wermgr.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
1408C:\WINDOWS\System32\slui.exe -EmbeddingC:\Windows\System32\slui.exe
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
1544C:\Users\admin\AppData\Local\Temp\EUAF77.tmp\MicrosoftEdgeUpdate.exe /installsource taggedmi /install "appguid={F3017226-FE2A-4295-8BDF-00C3A9A7E4C5}&appname=Microsoft%20Edge%20Webview2%20Runtime&needsadmin=prefers"C:\Users\admin\AppData\Local\Temp\EUAF77.tmp\MicrosoftEdgeUpdate.exeMicrosoftEdgeWebview2Setup.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Edge Update
Version:
1.3.193.5
Modules
Images
c:\users\admin\appdata\local\temp\euaf77.tmp\microsoftedgeupdate.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\ole32.dll
c:\windows\syswow64\ucrtbase.dll
1596"C:\Users\admin\AppData\Local\Microsoft\EdgeUpdate\1.3.193.5\MicrosoftEdgeUpdateComRegisterShell64.exe" /user C:\Users\admin\AppData\Local\Microsoft\EdgeUpdate\1.3.193.5\MicrosoftEdgeUpdateComRegisterShell64.exeMicrosoftEdgeUpdate.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Edge Update COM Registration Helper
Exit code:
0
Version:
1.3.193.5
Modules
Images
c:\users\admin\appdata\local\microsoft\edgeupdate\1.3.193.5\microsoftedgeupdatecomregistershell64.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shell32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
1772"C:\Users\admin\Desktop\setup\setup.exe" C:\Users\admin\Desktop\setup\setup.exe
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
2
Modules
Images
c:\users\admin\desktop\setup\setup.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\winmm.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\rpcrt4.dll
1904C:\Users\admin\AppData\Local\Temp\MicrosoftEdgeWebview2Setup.exeC:\Users\admin\AppData\Local\Temp\MicrosoftEdgeWebview2Setup.exe
setup.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Edge Update Setup
Exit code:
2147747856
Version:
1.3.193.5
Modules
Images
c:\users\admin\appdata\local\temp\microsoftedgewebview2setup.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
3124"C:\Users\admin\Desktop\setup\setup.exe" C:\Users\admin\Desktop\setup\setup.exe
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Modules
Images
c:\users\admin\desktop\setup\setup.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\winmm.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\powrprof.dll
3656"C:\Users\admin\AppData\Local\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTMuNSIgc2hlbGxfdmVyc2lvbj0iMS4zLjE5My41IiBpc21hY2hpbmU9IjAiIHNlc3Npb25pZD0ie0UxNzVBNTNGLUIyRTUtNDlDNi1CNjVBLThFQTQ5OUUyQTNERX0iIHVzZXJpZD0ie0VEQjI5RTA1LTNCQ0MtNEM3OS05MDQxLTM2MjgxQjlGMTAyRH0iIGluc3RhbGxzb3VyY2U9InRhZ2dlZG1pIiByZXF1ZXN0aWQ9IntEN0YzRkY3Qi1FQTJDLTQ3QjItOEU3Ny00NDZCNEU1MDM2Mzh9IiBkZWR1cD0iY3IiIGRvbWFpbmpvaW5lZD0iMCI-PGh3IGxvZ2ljYWxfY3B1cz0iNCIgcGh5c21lbW9yeT0iNCIgZGlza190eXBlPSIyIiBzc2U9IjEiIHNzZTI9IjEiIHNzZTM9IjEiIHNzc2UzPSIxIiBzc2U0MT0iMSIgc3NlNDI9IjEiIGF2eD0iMSIvPjxvcyBwbGF0Zm9ybT0id2luIiB2ZXJzaW9uPSIxMC4wLjE5MDQ1LjQwNDYiIHNwPSIiIGFyY2g9Ing2NCIgcHJvZHVjdF90eXBlPSI0OCIgaXNfd2lwPSIwIiBpc19pbl9sb2NrZG93bl9tb2RlPSIwIi8-PG9lbSBwcm9kdWN0X21hbnVmYWN0dXJlcj0iREVMTCIgcHJvZHVjdF9uYW1lPSJERUxMIi8-PGV4cCBldGFnPSIiLz48YXBwIGFwcGlkPSJ7RjNDNEZFMDAtRUZENS00MDNCLTk1NjktMzk4QTIwRjFCQTRBfSIgdmVyc2lvbj0iIiBuZXh0dmVyc2lvbj0iMS4zLjE5My41IiBsYW5nPSIiIGJyYW5kPSIiIGNsaWVudD0iIj48ZXZlbnQgZXZlbnR0eXBlPSIyIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIwIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI5NjI4MTk1NzA5IiBpbnN0YWxsX3RpbWVfbXM9IjEwMzEiLz48L2FwcD48L3JlcXVlc3Q-C:\Users\admin\AppData\Local\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
MicrosoftEdgeUpdate.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Edge Update
Exit code:
0
Version:
1.3.193.5
Modules
Images
c:\users\admin\appdata\local\microsoft\edgeupdate\microsoftedgeupdate.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\ole32.dll
3848"C:\Users\admin\AppData\Local\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTMuNSIgc2hlbGxfdmVyc2lvbj0iMS4zLjE5My41IiBpc21hY2hpbmU9IjAiIHNlc3Npb25pZD0ie0UxNzVBNTNGLUIyRTUtNDlDNi1CNjVBLThFQTQ5OUUyQTNERX0iIHVzZXJpZD0ie0VEQjI5RTA1LTNCQ0MtNEM3OS05MDQxLTM2MjgxQjlGMTAyRH0iIGluc3RhbGxzb3VyY2U9InRhZ2dlZG1pIiByZXF1ZXN0aWQ9InszMDU4MTNBOS05MTY5LTRFOEItOTc4RS01NkYyRDQzMUJBNzl9IiBkZWR1cD0iY3IiIGRvbWFpbmpvaW5lZD0iMCI-PGh3IGxvZ2ljYWxfY3B1cz0iNCIgcGh5c21lbW9yeT0iNCIgZGlza190eXBlPSIyIiBzc2U9IjEiIHNzZTI9IjEiIHNzZTM9IjEiIHNzc2UzPSIxIiBzc2U0MT0iMSIgc3NlNDI9IjEiIGF2eD0iMSIvPjxvcyBwbGF0Zm9ybT0id2luIiB2ZXJzaW9uPSIxMC4wLjE5MDQ1LjQwNDYiIHNwPSIiIGFyY2g9Ing2NCIgcHJvZHVjdF90eXBlPSI0OCIgaXNfd2lwPSIwIiBpc19pbl9sb2NrZG93bl9tb2RlPSIwIi8-PG9lbSBwcm9kdWN0X21hbnVmYWN0dXJlcj0iREVMTCIgcHJvZHVjdF9uYW1lPSJERUxMIi8-PGV4cCBldGFnPSImcXVvdDt1WXVGMlFJMlFCNENxeElTdUdZSkYxUUpsWXhEZHE2U0l2TWo2S0VLOUE4PSZxdW90OyIvPjxhcHAgYXBwaWQ9IntGMzAxNzIyNi1GRTJBLTQyOTUtOEJERi0wMEMzQTlBN0U0QzV9IiB2ZXJzaW9uPSIiIG5leHR2ZXJzaW9uPSIxMjYuMC4yNTkyLjExMyIgbGFuZz0iIiBicmFuZD0iIiBjbGllbnQ9IiIgZXhwZXJpbWVudHM9ImNvbnNlbnQ9ZmFsc2UiIGluc3RhbGxhZ2U9Ii0xIiBpbnN0YWxsZGF0ZT0iLTEiPjx1cGRhdGVjaGVjay8-PGV2ZW50IGV2ZW50dHlwZT0iOSIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMCIgc3lzdGVtX3VwdGltZV90aWNrcz0iMTExMzM1MTUzMDkiIGRvbmVfYmVmb3JlX29vYmVfY29tcGxldGU9IjAiLz48ZXZlbnQgZXZlbnR0eXBlPSI1IiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIwIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSIxMTEzMzgyNTI1NCIgZG9uZV9iZWZvcmVfb29iZV9jb21wbGV0ZT0iMCIvPjxldmVudCBldmVudHR5cGU9IjIiIGV2ZW50cmVzdWx0PSI0IiBlcnJvcmNvZGU9Ii0yMTQ3MjE5NDQwIiBleHRyYWNvZGUxPSIyNjg0MzU0NjMiIHN5c3RlbV91cHRpbWVfdGlja3M9IjExMTQ5NjA5OTk3IiBpc19idW5kbGVkPSIwIiBzdGF0ZV9jYW5jZWxsZWQ9IjciIHRpbWVfc2luY2VfdXBkYXRlX2F2YWlsYWJsZV9tcz0iMTYxMCIgdGltZV9zaW5jZV9kb3dubG9hZF9zdGFydF9tcz0iMTU2MyIvPjxldmVudCBldmVudHR5cGU9IjEiIGV2ZW50cmVzdWx0PSIwIiBlcnJvcmNvZGU9Ii0yMTQ3MjE5NDQwIiBleHRyYWNvZGUxPSIwIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSIxMTE1MDIzMzM3MCIgc291cmNlX3VybF9pbmRleD0iMCIgZG9uZV9iZWZvcmVfb29iZV9jb21wbGV0ZT0iMCIgZG93bmxvYWRlcj0iYml0cyIgdXJsPSJodHRwOi8vbXNlZGdlLmYudGx1LmRsLmRlbGl2ZXJ5Lm1wLm1pY3Jvc29mdC5jb20vZmlsZXN0cmVhbWluZ3NlcnZpY2UvZmlsZXMvMDFhMDJkMGUtOWQ4ZC00N2EzLThjMzYtOWJmMzhkYWJlMjFhP1AxPTE3MjI1MjA0MjQmYW1wO1AyPTQwNCZhbXA7UDM9MiZhbXA7UDQ9QkklMmZsQjBRR21PaUpHMWxsVFJOeHVBSVBoSzl4RU1hJTJmUURTd0xwR0V6eE1Ed3ZtQnVNWGZHbWdsNXRhSk1KcXhZSWdZZ2ltRkpWVTIlMmZ3VENzd2o2UmclM2QlM2QiIHNlcnZlcl9pcF9oaW50PSIiIGNkbl9jaWQ9Ii0xIiBjZG5fY2NjPSIiIGNkbl9tc2VkZ2VfcmVmPSIiIGNkbl9henVyZV9yZWZfb3JpZ2luX3NoaWVsZD0iIiBjZG5fY2FjaGU9IiIgY2RuX3AzcD0iIiBkb3dubG9hZGVkPSIxMDQ4NTc2IiB0b3RhbD0iMTczMTQ4NjE2IiBkb3dubG9hZF90aW1lX21zPSI4MjgiLz48L2FwcD48L3JlcXVlc3Q-C:\Users\admin\AppData\Local\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
MicrosoftEdgeUpdate.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Edge Update
Exit code:
0
Version:
1.3.193.5
Modules
Images
c:\users\admin\appdata\local\microsoft\edgeupdate\microsoftedgeupdate.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\ole32.dll
Total events
37 361
Read events
33 857
Write events
3 461
Delete events
43

Modification events

(PID) Process:(4552) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface\Themes
Operation:writeName:ShellExtBMP
Value:
(PID) Process:(4552) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface\Themes
Operation:writeName:ShellExtIcon
Value:
(PID) Process:(4552) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:writeName:1
Value:
C:\Users\admin\Desktop\GoogleChromeEnterpriseBundle64.zip
(PID) Process:(4552) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:writeName:0
Value:
C:\Users\admin\AppData\Local\Temp\setup.zip
(PID) Process:(4552) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:writeName:name
Value:
120
(PID) Process:(4552) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:writeName:size
Value:
80
(PID) Process:(4552) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:writeName:type
Value:
120
(PID) Process:(4552) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:writeName:mtime
Value:
100
(PID) Process:(4552) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface\MainWin
Operation:writeName:Placement
Value:
2C0000000000000001000000FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF5B010000B40000001B0500009D020000
(PID) Process:(4552) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\General
Operation:writeName:LastFolder
Value:
C:\Users\admin\AppData\Local\Temp
Executable files
310
Suspicious files
4
Text files
8
Unknown types
1

Dropped files

PID
Process
Filename
Type
4552WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa4552.26063\setup\setup.exe
MD5:
SHA256:
1904MicrosoftEdgeWebview2Setup.exeC:\Users\admin\AppData\Local\Temp\EUA60F.tmp\MicrosoftEdgeUpdateOnDemand.exeexecutable
MD5:1ECF8A13497BBC34FC1CF2C7C2DAC9B0
SHA256:8BC7B53FFF82E9BE925BD28FE4F093039CAE5990F203B2EDB4F3C072408412F6
1904MicrosoftEdgeWebview2Setup.exeC:\Users\admin\AppData\Local\Temp\EUA60F.tmp\psuser_64.dllexecutable
MD5:A89808BFD9091ED531EA5F5C5C2FC232
SHA256:D801F2ABD497EF3B03A32B1FA06B397C81CBA71BE7A5C6FBDB183D922E237924
1772setup.exeC:\Users\admin\AppData\Local\Temp\MicrosoftEdgeWebview2Setup.exeexecutable
MD5:2AEB55B75F68B4EA3F949CAE0CEBA066
SHA256:22484FDF3008A593E7CA188863D423B8B2A345391120ED296CE8B156CFA983AB
1904MicrosoftEdgeWebview2Setup.exeC:\Users\admin\AppData\Local\Temp\EUA60F.tmp\MicrosoftEdgeUpdate.exeexecutable
MD5:090901EBEFC233CC46D016AF98BE6D53
SHA256:7864BB95EB14E0AE1C249759CB44AD746E448007563B7430911755CF17EA5A77
1904MicrosoftEdgeWebview2Setup.exeC:\Users\admin\AppData\Local\Temp\EUA60F.tmp\psuser.dllexecutable
MD5:5FC9E2E9E7F2AE6BDF66915F317BF12B
SHA256:12E75D69EB62B55F5B7DFA6772BC37DC8F51BC036041C51AA3951E4444C87DC3
1904MicrosoftEdgeWebview2Setup.exeC:\Users\admin\AppData\Local\Temp\EUA60F.tmp\MicrosoftEdgeComRegisterShellARM64.exeexecutable
MD5:5679308B2E276BD371798AC8D579B1F9
SHA256:C9AEF2D24F1C77A366B327B869E4103ED8276EA83B2B40942718CC134A1E122F
1904MicrosoftEdgeWebview2Setup.exeC:\Users\admin\AppData\Local\Temp\EUA60F.tmp\psmachine_64.dllexecutable
MD5:447D4FD7B37ABB43501AA13F7FD25750
SHA256:3A84348804AEFBE6172F53EAFBE0D87D29DC6F42EA050E68F1D31385384BD72C
1904MicrosoftEdgeWebview2Setup.exeC:\Users\admin\AppData\Local\Temp\EUA60F.tmp\msedgeupdate.dllexecutable
MD5:D1175F877AB160902113B3A2250D0D78
SHA256:5CCF3EEDF6F1F57D386CEF188F070C72583D9A96FF674CE91E8776CED8E989B5
1904MicrosoftEdgeWebview2Setup.exeC:\Users\admin\AppData\Local\Temp\EUA60F.tmp\psuser_arm64.dllexecutable
MD5:3B226A2484899AFA6DE93A82D9FBCC4F
SHA256:6D64BDADFF5F3216753E737D4E19A09A00B19D80403172675041E903EA5C2DF4
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
9
TCP/UDP connections
68
DNS requests
34
Threats
2

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
5368
SearchApp.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D
unknown
whitelisted
5272
svchost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
6624
backgroundTaskHost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D
unknown
whitelisted
1676
backgroundTaskHost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D
unknown
whitelisted
7092
svchost.exe
GET
199.232.210.172:80
http://msedge.f.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/01a02d0e-9d8d-47a3-8c36-9bf38dabe21a?P1=1722520424&P2=404&P3=2&P4=BI%2flB0QGmOiJG1llTRNxuAIPhK9xEMa%2fQDSwLpGEzxMDwvmBuMXfGmgl5taJMJqxYIgYgimFJVU2%2fwTCswj6Rg%3d%3d
unknown
whitelisted
7092
svchost.exe
HEAD
200
199.232.210.172:80
http://msedge.f.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/01a02d0e-9d8d-47a3-8c36-9bf38dabe21a?P1=1722520424&P2=404&P3=2&P4=BI%2flB0QGmOiJG1llTRNxuAIPhK9xEMa%2fQDSwLpGEzxMDwvmBuMXfGmgl5taJMJqxYIgYgimFJVU2%2fwTCswj6Rg%3d%3d
unknown
whitelisted
3148
OfficeClickToRun.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAUZZSZEml49Gjh0j13P68w%3D
unknown
whitelisted
7092
svchost.exe
HEAD
200
199.232.210.172:80
http://msedge.f.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/01a02d0e-9d8d-47a3-8c36-9bf38dabe21a?P1=1722520473&P2=404&P3=2&P4=Y%2b%2fIvn4NwcC1HFCDHIzLJjnFJLP%2bicai0E2JnD2DfxhvhBI7kHHmlN6atSD4zba2AgnHrV4NH8Pkzdd8N%2bwZnA%3d%3d
unknown
whitelisted
7092
svchost.exe
GET
199.232.210.172:80
http://msedge.f.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/01a02d0e-9d8d-47a3-8c36-9bf38dabe21a?P1=1722520473&P2=404&P3=2&P4=Y%2b%2fIvn4NwcC1HFCDHIzLJjnFJLP%2bicai0E2JnD2DfxhvhBI7kHHmlN6atSD4zba2AgnHrV4NH8Pkzdd8N%2bwZnA%3d%3d
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
unknown
4
System
192.168.100.255:138
whitelisted
3952
svchost.exe
239.255.255.250:1900
whitelisted
2632
svchost.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
unknown
4372
svchost.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
unknown
2.23.209.166:443
www.bing.com
Akamai International B.V.
GB
unknown
5368
SearchApp.exe
192.229.221.95:80
ocsp.digicert.com
EDGECAST
US
whitelisted
5272
svchost.exe
40.126.32.136:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
unknown
5272
svchost.exe
192.229.221.95:80
ocsp.digicert.com
EDGECAST
US
whitelisted
4
System
192.168.100.255:137
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 40.127.240.158
  • 51.124.78.146
whitelisted
google.com
  • 142.250.185.110
whitelisted
www.bing.com
  • 2.23.209.166
  • 2.23.209.160
  • 2.23.209.162
  • 2.23.209.158
  • 2.23.209.143
  • 2.23.209.141
  • 2.23.209.154
  • 2.23.209.150
  • 2.23.209.161
whitelisted
ocsp.digicert.com
  • 192.229.221.95
whitelisted
login.live.com
  • 40.126.32.136
  • 40.126.32.72
  • 20.190.160.20
  • 40.126.32.74
  • 40.126.32.140
  • 40.126.32.133
  • 20.190.160.22
  • 40.126.32.76
whitelisted
go.microsoft.com
  • 23.218.210.69
  • 184.28.89.167
whitelisted
arc.msn.com
  • 20.223.35.26
whitelisted
client.wns.windows.com
  • 40.115.3.253
whitelisted
activation-v2.sls.microsoft.com
  • 40.91.76.224
whitelisted
fd.api.iris.microsoft.com
  • 20.223.36.55
whitelisted

Threats

PID
Process
Class
Message
7092
svchost.exe
Potential Corporate Privacy Violation
ET POLICY PE EXE or DLL Windows file download HTTP
7092
svchost.exe
Potential Corporate Privacy Violation
ET POLICY PE EXE or DLL Windows file download HTTP
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
setup.zip