File name:

031cb1c69db095e0a56ba97e6d01924733d1eca053fe58bca57158fdb1a0ea78.bin

Full analysis: https://app.any.run/tasks/c003d556-68dd-488e-a873-f226a1f33f27
Verdict: Malicious activity
Threats:

HijackLoader is a modular malware acting as a vehicle for distributing different types of malicious software on compromised systems. It gained prominence during the summer of 2023 and has since been used in multiple attacks against organizations from various sectors, including hospitality businesses.

Analysis date: April 15, 2025, 17:55:38
OS: Windows 11 Professional (build: 22000, 64 bit)
Tags:
rhadamanthys
stealer
hijackloader
loader
websocket
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract, compression method=deflate
MD5:

1A560E6AC1E56D6F1AA00E99132902B8

SHA1:

2706E759A40EE5BA597AFDC050007A772D668D9B

SHA256:

031CB1C69DB095E0A56BA97E6D01924733D1ECA053FE58BCA57158FDB1A0EA78

SSDEEP:

196608:437n/0JG7CZeywA2T9Xl4+9c1b41IccxomSPD7ejErUoY3PAXbsU1JynWr2:O7/37C8MQ9W+9QbecHAKEC3PAXbJ+nWy

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Executing a file with an untrusted certificate

      • lnstaIer.exe (PID: 2064)
    • HIJACKLOADER has been detected (YARA)

      • FUyJYwqj.exe (PID: 2608)
    • RHADAMANTHYS mutex has been found

      • cmd.exe (PID: 5752)
      • svchost.exe (PID: 5508)
    • Actions looks like stealing of personal data

      • chrome.exe (PID: 1924)
      • msedge.exe (PID: 1812)
      • msedge.exe (PID: 1976)
    • Steals credentials from Web Browsers

      • msedge.exe (PID: 1812)
      • msedge.exe (PID: 1976)
  • SUSPICIOUS

    • Process drops legitimate windows executable

      • WinRAR.exe (PID: 3568)
      • lnstaIer.exe (PID: 2064)
      • FUyJYwqj.exe (PID: 2608)
    • Reads security settings of Internet Explorer

      • WinRAR.exe (PID: 3568)
      • msedge.exe (PID: 1812)
      • msedge.exe (PID: 1976)
    • Reads the Internet Settings

      • lnstaIer.exe (PID: 2064)
      • chrome.exe (PID: 1924)
      • msedge.exe (PID: 1812)
      • msedge.exe (PID: 1976)
    • Starts CMD.EXE for commands execution

      • lnstaIer.exe (PID: 2064)
      • FUyJYwqj.exe (PID: 2608)
    • Starts POWERSHELL.EXE for commands execution

      • cmd.exe (PID: 3700)
      • cmd.exe (PID: 4988)
      • cmd.exe (PID: 1744)
      • cmd.exe (PID: 3664)
      • cmd.exe (PID: 6132)
    • There is functionality for taking screenshot (YARA)

      • lnstaIer.exe (PID: 2064)
    • Executable content was dropped or overwritten

      • lnstaIer.exe (PID: 2064)
      • FUyJYwqj.exe (PID: 2608)
      • wmlaunch.exe (PID: 3584)
    • The process drops C-runtime libraries

      • lnstaIer.exe (PID: 2064)
      • FUyJYwqj.exe (PID: 2608)
    • The process checks if it is being run in the virtual environment

      • svchost.exe (PID: 5508)
    • Reads settings of System Certificates

      • chrome.exe (PID: 1924)
      • msedge.exe (PID: 1812)
      • msedge.exe (PID: 1976)
    • Reads Mozilla Firefox installation path

      • msedge.exe (PID: 1812)
      • msedge.exe (PID: 1976)
    • Loads DLL from Mozilla Firefox

      • svchost.exe (PID: 1168)
    • Searches for installed software

      • svchost.exe (PID: 1168)
    • Connects to unusual port

      • dllhost.exe (PID: 3336)
  • INFO

    • The sample compiled with english language support

      • WinRAR.exe (PID: 3568)
      • lnstaIer.exe (PID: 2064)
      • FUyJYwqj.exe (PID: 2608)
      • wmlaunch.exe (PID: 3584)
    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 3568)
    • Checks supported languages

      • lnstaIer.exe (PID: 2064)
      • FUyJYwqj.exe (PID: 2608)
      • chrome.exe (PID: 1924)
      • msedge.exe (PID: 1812)
      • msedge.exe (PID: 1976)
      • wmlaunch.exe (PID: 3584)
    • Create files in a temporary directory

      • lnstaIer.exe (PID: 2064)
      • FUyJYwqj.exe (PID: 2608)
      • svchost.exe (PID: 1168)
      • chrome.exe (PID: 1924)
      • msedge.exe (PID: 1812)
      • msedge.exe (PID: 1976)
    • Reads the machine GUID from the registry

      • lnstaIer.exe (PID: 2064)
      • chrome.exe (PID: 1924)
      • msedge.exe (PID: 1812)
      • msedge.exe (PID: 1976)
      • wmlaunch.exe (PID: 3584)
    • Checks operating system version

      • lnstaIer.exe (PID: 2064)
    • Checks proxy server information

      • lnstaIer.exe (PID: 2064)
      • chrome.exe (PID: 1924)
      • msedge.exe (PID: 1812)
      • msedge.exe (PID: 1976)
    • Creates files or folders in the user directory

      • lnstaIer.exe (PID: 2064)
      • msedge.exe (PID: 1812)
      • wmlaunch.exe (PID: 3584)
    • Uses string replace method (POWERSHELL)

      • powershell.exe (PID: 5360)
    • The sample compiled with chinese language support

      • lnstaIer.exe (PID: 2064)
      • FUyJYwqj.exe (PID: 2608)
    • Reads the computer name

      • FUyJYwqj.exe (PID: 2608)
      • lnstaIer.exe (PID: 2064)
      • chrome.exe (PID: 1924)
      • msedge.exe (PID: 1812)
      • msedge.exe (PID: 1976)
      • wmlaunch.exe (PID: 3584)
    • Creates files in the program directory

      • FUyJYwqj.exe (PID: 2608)
    • Manual execution by a user

      • svchost.exe (PID: 5508)
      • svchost.exe (PID: 1168)
    • Application launched itself

      • chrome.exe (PID: 1924)
      • msedge.exe (PID: 1812)
      • msedge.exe (PID: 1976)
    • Reads Environment values

      • chrome.exe (PID: 1924)
      • msedge.exe (PID: 1812)
      • msedge.exe (PID: 1976)
    • Process checks computer location settings

      • msedge.exe (PID: 1812)
      • msedge.exe (PID: 1976)
    • Process checks whether UAC notifications are on

      • msedge.exe (PID: 1812)
      • msedge.exe (PID: 1976)
    • Attempting to connect via WebSocket

      • svchost.exe (PID: 1168)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion: 20
ZipBitFlag: 0x0008
ZipCompression: Deflated
ZipModifyDate: 2025:03:17 14:13:00
ZipCRC: 0xc76049c9
ZipCompressedSize: 3061
ZipUncompressedSize: 8944
ZipFileName: lnstaIer.py
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
176
Monitored processes
70
Malicious processes
9
Suspicious processes
0

Behavior graph

Click at the process to see the details
start winrar.exe lnstaier.exe cmd.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs powershell.exe no specs cmd.exe no specs conhost.exe no specs powershell.exe no specs cmd.exe no specs conhost.exe no specs powershell.exe no specs cmd.exe no specs conhost.exe no specs powershell.exe no specs cmd.exe no specs conhost.exe no specs powershell.exe no specs #HIJACKLOADER fuyjywqj.exe #RHADAMANTHYS cmd.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs #RHADAMANTHYS svchost.exe svchost.exe chrome.exe chrome.exe no specs chrome.exe no specs chrome.exe chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs msedge.exe msedge.exe no specs msedge.exe no specs msedge.exe msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe msedge.exe no specs msedge.exe no specs msedge.exe msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs svchost.exe wmlaunch.exe dllhost.exe

Process information

PID
CMD
Path
Indicators
Parent process
136"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --extension-process --renderer-sub-type=extension --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=4368 --field-trial-handle=2020,i,15865652212046538862,8466794488267120692,262144 --variations-seed-version /prefetch:2C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exemsedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.92
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.92\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
148"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3192 --field-trial-handle=1992,i,15637806676308580862,7101736284147317455,262144 --variations-seed-version /prefetch:1C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exemsedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.92
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.92\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
416\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.22000.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
600"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --no-appcompat-clear --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=3560,i,4581352578050688585,8812083709121872378,262144 --variations-seed-version --mojo-platform-channel-handle=3752 /prefetch:2C:\Program Files (x86)\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
LOW
Description:
Google Chrome
Exit code:
0
Version:
123.0.6312.86
Modules
Images
c:\program files (x86)\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\google\chrome\application\123.0.6312.86\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
820"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --extension-process --renderer-sub-type=extension --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=3928 --field-trial-handle=1992,i,15637806676308580862,7101736284147317455,262144 --variations-seed-version /prefetch:2C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exemsedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.92
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.92\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
864"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3048,i,4581352578050688585,8812083709121872378,262144 --variations-seed-version --mojo-platform-channel-handle=3108 /prefetch:1C:\Program Files (x86)\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
LOW
Description:
Google Chrome
Exit code:
0
Version:
123.0.6312.86
Modules
Images
c:\program files (x86)\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\google\chrome\application\123.0.6312.86\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
988"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=5192 --field-trial-handle=2020,i,15865652212046538862,8466794488267120692,262144 --variations-seed-version /prefetch:1C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exemsedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.92
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.92\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
1048"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler --user-data-dir=C:\Users\admin\AppData\Local\Temp\chrDA94.tmp /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\admin\AppData\Local\Temp\chrDA94.tmp\Crashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=122.0.6261.129 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=122.0.2365.92 --initial-client-data=0x278,0x27c,0x280,0x270,0x288,0x7ffc733a5fd8,0x7ffc733a5fe4,0x7ffc733a5ff0C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exemsedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.92
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.92\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
1156\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.22000.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
1168"C:\Windows\System32\svchost.exe"C:\Windows\System32\svchost.exe
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Host Process for Windows Services
Exit code:
0
Version:
10.0.22000.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
Total events
46 210
Read events
46 118
Write events
88
Delete events
4

Modification events

(PID) Process:(3568) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation:writeName:ShellExtBMP
Value:
(PID) Process:(3568) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation:writeName:ShellExtIcon
Value:
(PID) Process:(3568) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:writeName:2
Value:
C:\Users\admin\Desktop\omni_23_10_2024_.zip
(PID) Process:(3568) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:writeName:1
Value:
C:\Users\admin\Desktop\chromium_ext.zip
(PID) Process:(3568) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:writeName:0
Value:
C:\Users\admin\Desktop\031cb1c69db095e0a56ba97e6d01924733d1eca053fe58bca57158fdb1a0ea78.bin.zip
(PID) Process:(3568) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:name
Value:
120
(PID) Process:(3568) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:size
Value:
80
(PID) Process:(3568) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:type
Value:
120
(PID) Process:(3568) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:mtime
Value:
100
(PID) Process:(3568) WinRAR.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:ProxyBypass
Value:
1
Executable files
46
Suspicious files
3 415
Text files
376
Unknown types
14

Dropped files

PID
Process
Filename
Type
3568WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$EXa3568.6701\lnstaIer.pytext
MD5:F82BFB01FA17B87134B14FC21DDACB74
SHA256:5A2D8E648E3F4CBDCD32CBD2BB0BA48D10DE32FE14042E201A8BB7088CEFAD79
3568WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$EXa3568.6701\__MACOSX\._lnstaIer.pybinary
MD5:F948B9B7D71E8499AB0BB16298950D26
SHA256:BD76F0B69D2D784E27371F3419E433B3AE02A62E9C860FB6514473E8339FB159
3568WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$EXa3568.6701\data\archive.rpabinary
MD5:3C8CB207B14F16245F8DA6893D334D18
SHA256:3D8EA7DB91841F5AC40F8DBEC5345A3E2E213F147BA1BFAEC29BBEEC0458FDFE
3568WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$EXa3568.6701\__MACOSX\._databinary
MD5:F948B9B7D71E8499AB0BB16298950D26
SHA256:BD76F0B69D2D784E27371F3419E433B3AE02A62E9C860FB6514473E8339FB159
3568WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$EXa3568.6701\__MACOSX\data\._archive.rpabinary
MD5:F948B9B7D71E8499AB0BB16298950D26
SHA256:BD76F0B69D2D784E27371F3419E433B3AE02A62E9C860FB6514473E8339FB159
3568WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$EXa3568.6701\data\script_version.txtbinary
MD5:5569A7FF423EA1F96B903A68457DC553
SHA256:C376AAC0470C00F63804E0ED35E1B812DCC11C80CCFDFBFCF4CE2EBE02ACA6D7
3568WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$EXa3568.6701\data\.keytext
MD5:3EB2931CC49DB48E7C9D0AAE93DCDF91
SHA256:46781D1A6BA1854828605C5173DC638CC725382AD828DED373C4D8870EFAEC74
3568WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$EXa3568.6701\__MACOSX\data\._cachebinary
MD5:F948B9B7D71E8499AB0BB16298950D26
SHA256:BD76F0B69D2D784E27371F3419E433B3AE02A62E9C860FB6514473E8339FB159
3568WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$EXa3568.6701\__MACOSX\data\._script_version.txtbinary
MD5:F948B9B7D71E8499AB0BB16298950D26
SHA256:BD76F0B69D2D784E27371F3419E433B3AE02A62E9C860FB6514473E8339FB159
3568WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$EXa3568.6701\__MACOSX\data\._.keybinary
MD5:F948B9B7D71E8499AB0BB16298950D26
SHA256:BD76F0B69D2D784E27371F3419E433B3AE02A62E9C860FB6514473E8339FB159
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
13
TCP/UDP connections
50
DNS requests
47
Threats
8

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
1496
smartscreen.exe
GET
200
23.50.131.200:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?fb0d43fa2dbc9d51
unknown
whitelisted
1496
smartscreen.exe
GET
200
2.17.190.73:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D
unknown
whitelisted
3640
svchost.exe
GET
200
2.17.190.73:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
1352
svchost.exe
GET
200
88.221.110.216:80
http://www.msftconnecttest.com/connecttest.txt
unknown
whitelisted
2768
svchost.exe
GET
200
199.232.214.172:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?08d15ef3f08c448e
unknown
whitelisted
2768
svchost.exe
GET
200
199.232.214.172:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/pinrulesstl.cab?2efe063e74f19306
unknown
whitelisted
2768
svchost.exe
GET
200
199.232.214.172:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/pinrulesstl.cab?a373b5c2c52739f9
unknown
whitelisted
2768
svchost.exe
GET
200
199.232.214.172:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?6fcbef6e9a78fd97
unknown
whitelisted
5508
svchost.exe
GET
200
109.107.165.124:80
http://api.globalshimserv.top/76ece4d3ab5c60ead288414/9uaeqb17.m4tgq
unknown
2988
OfficeClickToRun.exe
GET
200
2.23.77.188:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEA77flR%2B3w%2FxBpruV2lte6A%3D
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
1352
svchost.exe
88.221.110.147:80
Akamai International B.V.
DE
unknown
1496
smartscreen.exe
48.209.162.134:443
checkappexec.microsoft.com
US
whitelisted
1496
smartscreen.exe
23.50.131.200:80
ctldl.windowsupdate.com
Akamai International B.V.
DE
whitelisted
1496
smartscreen.exe
2.17.190.73:80
ocsp.digicert.com
AKAMAI-AS
DE
whitelisted
1480
MoUsoCoreWorker.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:137
whitelisted
3640
svchost.exe
40.126.32.140:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
3640
svchost.exe
2.17.190.73:80
ocsp.digicert.com
AKAMAI-AS
DE
whitelisted
3952
svchost.exe
239.255.255.250:1900
whitelisted
1352
svchost.exe
88.221.110.216:80
Akamai International B.V.
DE
unknown

DNS requests

Domain
IP
Reputation
google.com
  • 172.217.16.206
whitelisted
checkappexec.microsoft.com
  • 48.209.162.134
whitelisted
ctldl.windowsupdate.com
  • 23.50.131.200
  • 23.50.131.216
  • 199.232.214.172
  • 199.232.210.172
whitelisted
ocsp.digicert.com
  • 2.17.190.73
  • 2.23.77.188
whitelisted
settings-win.data.microsoft.com
  • 40.127.240.158
whitelisted
login.live.com
  • 40.126.32.140
  • 20.190.160.22
  • 20.190.160.14
  • 40.126.32.74
  • 40.126.32.138
  • 20.190.160.17
  • 40.126.32.76
  • 20.190.160.3
whitelisted
fs.microsoft.com
  • 104.102.63.189
whitelisted
dns.msftncsi.com
  • 131.107.255.255
whitelisted
self.events.data.microsoft.com
  • 40.79.167.8
whitelisted
cloudflare-dns.com
  • 104.16.248.249
  • 104.16.249.249
whitelisted

Threats

PID
Process
Class
Message
Misc activity
ET INFO Microsoft Connection Test
Potentially Bad Traffic
ET INFO HTTP Request to a *.top domain
Misc activity
ET INFO Cloudflare DNS Over HTTPS Certificate Inbound
Potentially Bad Traffic
ET DNS Query to a *.top domain - Likely Hostile
Not Suspicious Traffic
INFO [ANY.RUN] Websocket Upgrade Request
Potentially Bad Traffic
ET INFO HTTP Request to a *.top domain
Not Suspicious Traffic
INFO [ANY.RUN] Websocket Upgrade Request
Not Suspicious Traffic
INFO [ANY.RUN] Websocket Upgrade Request
Process
Message
chrome.exe
RecursiveDirectoryCreate( C:\Users\admin\AppData\Local\Temp\chrA941.tmp directory exists )
msedge.exe
RecursiveDirectoryCreate( C:\Users\admin\AppData\Local\Temp\chrBDC4.tmp directory exists )
msedge.exe
RecursiveDirectoryCreate( C:\Users\admin\AppData\Local\Temp\chrDA94.tmp directory exists )