File name:

hkexplr.rar

Full analysis: https://app.any.run/tasks/fcf1b36b-9644-444c-8720-1f329267e9ec
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Analysis date: January 09, 2025, 03:36:48
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
uac
phishing-ml
loader
Indicators:
MIME: application/x-rar
File info: RAR archive data, v4, os: Win32
MD5:

B5F95DEEEE017593D23C9517D621A044

SHA1:

E12329C01CDAD544770926A8701F9F6B57973539

SHA256:

E13EF534888F3CB876D78C8F299F6EE6BD10155B060FE37C3C7BBEC744D2C9A2

SSDEEP:

3072:y5Lr1E8sY7SlYNO3JUwUnzS3wEM0S4QfLFv:or1E8j7S6IDwOjmv

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Bypass User Account Control (fodhelper)

      • fodhelper.exe (PID: 12896)
    • Changes the autorun value in the registry

      • MicrosoftEdgeUpdate.exe (PID: 12740)
      • OneDriveSetup.exe (PID: 7916)
    • Scans artifacts that could help determine the target

      • OfficeHubWin32.exe (PID: 11836)
  • SUSPICIOUS

    • Drops a system driver (possible attempt to evade defenses)

      • WinRAR.exe (PID: 8)
    • Reads security settings of Internet Explorer

      • WinRAR.exe (PID: 8)
      • ShellExperienceHost.exe (PID: 3988)
      • GameBar.exe (PID: 11320)
      • OneDrive.exe (PID: 7148)
      • onenoteim.exe (PID: 12536)
      • OfficeHubWin32.exe (PID: 11836)
      • OneDriveSetup.exe (PID: 12712)
      • OneDriveSetup.exe (PID: 7916)
    • Creates/Modifies COM task schedule object

      • OneDrive.exe (PID: 7148)
      • MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 10748)
      • MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 10512)
      • MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 11504)
      • MicrosoftEdgeUpdate.exe (PID: 13284)
      • OneDriveSetup.exe (PID: 7916)
    • Executable content was dropped or overwritten

      • quickassist.exe (PID: 9460)
      • wv2C315.tmp (PID: 12000)
      • MicrosoftEdgeUpdate.exe (PID: 12740)
      • OneDriveSetup.exe (PID: 7916)
      • MicrosoftEdge_X64_131.0.2903.112.exe (PID: 8756)
      • setup.exe (PID: 9908)
    • Starts a Microsoft application from unusual location

      • wv2C315.tmp (PID: 12000)
      • MicrosoftEdgeUpdate.exe (PID: 12740)
    • Process drops legitimate windows executable

      • wv2C315.tmp (PID: 12000)
      • MicrosoftEdgeUpdate.exe (PID: 12740)
      • OneDriveSetup.exe (PID: 7916)
      • MicrosoftEdge_X64_131.0.2903.112.exe (PID: 8756)
      • setup.exe (PID: 9908)
    • Starts application with an unusual extension

      • quickassist.exe (PID: 9460)
    • Starts itself from another location

      • MicrosoftEdgeUpdate.exe (PID: 12740)
    • Checks Windows Trust Settings

      • onenoteim.exe (PID: 12536)
      • OneDrive.exe (PID: 7148)
      • OneDriveSetup.exe (PID: 12712)
      • OneDriveSetup.exe (PID: 7916)
    • Reads the Internet Settings

      • OfficeHubWin32.exe (PID: 11836)
    • Searches for installed software

      • OfficeHubWin32.exe (PID: 11836)
      • setup.exe (PID: 9908)
    • Reads settings of System Certificates

      • OfficeHubWin32.exe (PID: 11836)
    • Potential Corporate Privacy Violation

      • svchost.exe (PID: 13396)
    • Application launched itself

      • OneDriveSetup.exe (PID: 12712)
      • setup.exe (PID: 9908)
      • MicrosoftEdgeUpdate.exe (PID: 5200)
    • The process drops C-runtime libraries

      • OneDriveSetup.exe (PID: 7916)
    • Sets XML DOM element text (SCRIPT)

      • splwow64.exe (PID: 7664)
    • Creates a software uninstall entry

      • OneDriveSetup.exe (PID: 7916)
      • setup.exe (PID: 9908)
  • INFO

    • The sample compiled with english language support

      • WinRAR.exe (PID: 8)
      • quickassist.exe (PID: 9460)
      • wv2C315.tmp (PID: 12000)
      • svchost.exe (PID: 13396)
      • OneDriveSetup.exe (PID: 7916)
      • MicrosoftEdgeUpdate.exe (PID: 12740)
      • MicrosoftEdge_X64_131.0.2903.112.exe (PID: 8756)
      • setup.exe (PID: 9908)
      • msedge.exe (PID: 1076)
    • Checks supported languages

      • hkexplr.exe (PID: 6940)
      • OneDrive.exe (PID: 7148)
      • ShellExperienceHost.exe (PID: 3988)
      • sapisvr.exe (PID: 10056)
      • GameBar.exe (PID: 11320)
      • MicrosoftEdgeUpdate.exe (PID: 12740)
      • onenoteim.exe (PID: 12536)
      • MicrosoftEdgeUpdate.exe (PID: 13284)
      • MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 11504)
      • OfficeHubWin32.exe (PID: 11836)
      • MicrosoftEdgeUpdate.exe (PID: 7196)
      • MicrosoftEdgeUpdate.exe (PID: 448)
      • MicrosoftEdgeUpdate.exe (PID: 5200)
      • OneDriveSetup.exe (PID: 12712)
      • OneDriveSetup.exe (PID: 7916)
      • FileSyncConfig.exe (PID: 14228)
      • OneDrive.exe (PID: 6928)
      • setup.exe (PID: 11808)
      • setup.exe (PID: 9908)
      • MicrosoftEdgeUpdate.exe (PID: 7936)
    • Reads the computer name

      • hkexplr.exe (PID: 6940)
      • ShellExperienceHost.exe (PID: 3988)
      • OneDrive.exe (PID: 7148)
      • MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 10512)
      • MicrosoftEdgeUpdate.exe (PID: 7196)
      • MicrosoftEdgeUpdate.exe (PID: 448)
      • OneDriveSetup.exe (PID: 12712)
      • OneDrive.exe (PID: 6928)
      • setup.exe (PID: 9908)
      • MicrosoftEdgeUpdate.exe (PID: 7936)
    • Manual execution by a user

      • OneDrive.exe (PID: 7148)
      • OUTLOOK.EXE (PID: 7164)
      • POWERPNT.EXE (PID: 188)
      • EXCEL.EXE (PID: 3224)
      • WINWORD.EXE (PID: 4132)
      • msedge.exe (PID: 6456)
      • msedge.exe (PID: 2164)
      • msedge.exe (PID: 6856)
      • osk.exe (PID: 7232)
      • quickassist.exe (PID: 7764)
      • sapisvr.exe (PID: 7920)
      • msedge.exe (PID: 7884)
      • WinRAR.exe (PID: 7816)
      • firefox.exe (PID: 8020)
      • firefox.exe (PID: 7960)
      • msedge.exe (PID: 7136)
      • rundll32.exe (PID: 3848)
      • firefox.exe (PID: 8176)
      • msedge.exe (PID: 3080)
      • msedge.exe (PID: 7136)
      • firefox.exe (PID: 8168)
      • osk.exe (PID: 8684)
      • quickassist.exe (PID: 9460)
      • firefox.exe (PID: 9636)
      • sapisvr.exe (PID: 10056)
      • OfficeHubWin32.exe (PID: 11836)
    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 8)
      • firefox.exe (PID: 2996)
      • msedge.exe (PID: 1076)
    • The process uses the downloaded file

      • WinRAR.exe (PID: 8)
      • sapisvr.exe (PID: 10056)
      • OneDriveSetup.exe (PID: 7916)
    • Create files in a temporary directory

      • OneDrive.exe (PID: 7148)
      • quickassist.exe (PID: 9460)
      • wv2C315.tmp (PID: 12000)
      • svchost.exe (PID: 13396)
      • OneDriveSetup.exe (PID: 7916)
    • Reads the machine GUID from the registry

      • OneDrive.exe (PID: 7148)
      • HelpPane.exe (PID: 8728)
      • onenoteim.exe (PID: 12536)
      • OneDriveSetup.exe (PID: 12712)
      • OneDriveSetup.exe (PID: 7916)
      • MicrosoftEdgeUpdate.exe (PID: 5200)
      • OneDrive.exe (PID: 6928)
    • Application launched itself

      • msedge.exe (PID: 2164)
      • firefox.exe (PID: 8176)
      • firefox.exe (PID: 8168)
      • firefox.exe (PID: 7960)
      • firefox.exe (PID: 2996)
      • firefox.exe (PID: 9636)
    • Creates files or folders in the user directory

      • OneDrive.exe (PID: 7148)
      • quickassist.exe (PID: 9460)
      • onenoteim.exe (PID: 12536)
      • OfficeHubWin32.exe (PID: 11836)
      • ShellExperienceHost.exe (PID: 3988)
      • OneDriveSetup.exe (PID: 7916)
      • MicrosoftEdgeUpdate.exe (PID: 5200)
      • MicrosoftEdge_X64_131.0.2903.112.exe (PID: 8756)
      • setup.exe (PID: 11808)
      • setup.exe (PID: 9908)
      • OneDrive.exe (PID: 6928)
      • BackgroundTransferHost.exe (PID: 14248)
    • Reads the time zone

      • OneDrive.exe (PID: 7148)
    • Reads CPU info

      • OneDrive.exe (PID: 7148)
      • OfficeHubWin32.exe (PID: 11836)
    • Reads security settings of Internet Explorer

      • HelpPane.exe (PID: 8728)
      • quickassist.exe (PID: 9460)
      • BackgroundTransferHost.exe (PID: 11564)
      • BackgroundTransferHost.exe (PID: 14248)
      • BackgroundTransferHost.exe (PID: 11544)
    • Checks proxy server information

      • quickassist.exe (PID: 9460)
      • OneDrive.exe (PID: 7148)
      • onenoteim.exe (PID: 12536)
      • MicrosoftEdgeUpdate.exe (PID: 5200)
      • BackgroundTransferHost.exe (PID: 14248)
    • Reads the software policy settings

      • quickassist.exe (PID: 9460)
      • HelpPane.exe (PID: 8728)
      • OneDrive.exe (PID: 7148)
      • onenoteim.exe (PID: 12536)
      • MicrosoftEdgeUpdate.exe (PID: 7196)
      • MicrosoftEdgeUpdate.exe (PID: 5200)
      • OfficeHubWin32.exe (PID: 11836)
      • OneDriveSetup.exe (PID: 12712)
      • OneDriveSetup.exe (PID: 7916)
      • MicrosoftEdgeUpdate.exe (PID: 7936)
    • Sends debugging messages

      • quickassist.exe (PID: 9460)
      • onenoteim.exe (PID: 12536)
    • Reads Internet Explorer settings

      • OUTLOOK.EXE (PID: 7164)
    • Reads Microsoft Office registry keys

      • onenoteim.exe (PID: 12536)
      • OfficeHubWin32.exe (PID: 11836)
    • Process checks computer location settings

      • ShellExperienceHost.exe (PID: 3988)
      • OfficeHubWin32.exe (PID: 11836)
      • OneDrive.exe (PID: 7148)
      • OneDriveSetup.exe (PID: 7916)
      • setup.exe (PID: 9908)
    • The sample compiled with portuguese language support

      • OneDriveSetup.exe (PID: 7916)
    • The sample compiled with chinese language support

      • OneDriveSetup.exe (PID: 7916)
    • Reads Environment values

      • OneDrive.exe (PID: 6928)
Find more information about signature artifacts and their mapping to the MITRE ATT&CK™ matrix in the full report
No Malware configuration.

TRiD

.rar | RAR compressed archive (v-4.x) (58.3)
.rar | RAR compressed archive (gen) (41.6)

EXIF

ZIP

FileVersion: RAR v4
CompressedSize: 14267
UncompressedSize: 49152
OperatingSystem: Win32
ModifyDate: 2009:12:15 17:54:32
PackingMethod: Normal
ArchivedFileName: hkcmdr.sys
No data.
All screenshots are available in the full report
Total processes
348
Monitored processes
147
Malicious processes
9
Suspicious processes
3

Behavior graph

(Interactive process tree; available in the full report.)

Process information

PID
CMD
Path
Indicators
Parent process
PID: 8
CMD: "C:\Program Files\WinRAR\WinRAR.exe" C:\Users\admin\AppData\Local\Temp\hkexplr.rar
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: explorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Version:
5.91.0
Modules
Images
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
PID: 188
CMD: "C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE"
Path: C:\Program Files\Microsoft Office\root\Office16\POWERPNT.EXE
Parent process: explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft PowerPoint
Version:
16.0.16026.20146
Modules
Images
c:\program files\microsoft office\root\office16\powerpnt.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
PID: 448
CMD: "C:\Users\admin\AppData\Local\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /handoff "appguid={F3017226-FE2A-4295-8BDF-00C3A9A7E4C5}&appname=Microsoft%20Edge%20Webview2%20Runtime&needsadmin=false" /installsource otherinstallcmd /sessionid "{24904EAD-5785-4ABF-B62C-056A08BC196B}" /silent
Path: C:\Users\admin\AppData\Local\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
Parent process: MicrosoftEdgeUpdate.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Edge Update
Exit code:
0
Version:
1.3.195.43
Modules
Images
c:\users\admin\appdata\local\microsoft\edgeupdate\microsoftedgeupdate.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\ole32.dll
c:\windows\syswow64\ucrtbase.dll
PID: 1076
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=9536 --field-trial-handle=2416,i,7362729305017076757,3901872667550514887,262144 --variations-seed-version /prefetch:8
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 1304
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=3588 --field-trial-handle=2416,i,7362729305017076757,3901872667550514887,262144 --variations-seed-version /prefetch:8
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 1448
CMD: C:\WINDOWS\SysWOW64\DllHost.exe /Processid:{60A90A2F-858D-42AF-8929-82BE9D99E8A1}
Path: C:\Windows\SysWOW64\dllhost.exe
Parent process: svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
COM Surrogate
Exit code:
0
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\dllhost.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\ucrtbase.dll
c:\windows\syswow64\combase.dll
PID: 1684
CMD: "C:\Program Files\Mozilla Firefox\firefox.exe"
Path: C:\Program Files\Mozilla Firefox\firefox.exe
Parent process: firefox.exe
User:
admin
Company:
Mozilla Corporation
Integrity Level:
MEDIUM
Description:
Firefox
Exit code:
0
Version:
123.0
Modules
Images
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\msvcp140.dll
c:\windows\system32\vcruntime140.dll
PID: 2164
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://go.microsoft.com/fwlink/?linkid=2044782
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Edge
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 2996
CMD: "C:\Program Files\Mozilla Firefox\firefox.exe"
Path: C:\Program Files\Mozilla Firefox\firefox.exe
Parent process: firefox.exe
User:
admin
Company:
Mozilla Corporation
Integrity Level:
MEDIUM
Description:
Firefox
Version:
123.0
Modules
Images
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\msvcp140.dll
c:\windows\system32\vcruntime140.dll
PID: 3080
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
Total events
119 877
Read events
111 591
Write events
7 455
Delete events
831

Modification events

Process: (8) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation: write
Name: 3
Value: C:\Users\admin\Desktop\preferences.zip

Process: (8) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation: write
Name: 2
Value: C:\Users\admin\Desktop\chromium_ext.zip

Process: (8) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation: write
Name: 1
Value: C:\Users\admin\Desktop\omni_23_10_2024_.zip

Process: (8) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation: write
Name: 0
Value: C:\Users\admin\AppData\Local\Temp\hkexplr.rar

Process: (8) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write
Name: name
Value: 120

Process: (8) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write
Name: size
Value: 80

Process: (8) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write
Name: type
Value: 120

Process: (8) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write
Name: mtime
Value: 100

Process: (6856) msedge.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\BLBeacon
Operation: write
Name: failed_count
Value: 1

Process: (6856) msedge.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\BLBeacon
Operation: write
Name: state
Value: 1
Executable files
506
Suspicious files
2 015
Text files
827
Unknown types
6

Dropped files

PID | Process | Filename | Type

2164 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\PersistentOriginTrials\LOG.old~RF138bc8.TMP | -
MD5:
SHA256:

2164 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\PersistentOriginTrials\LOG.old | -
MD5:
SHA256:

8 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa8.13420\hkcmdr.sys | executable
MD5: 2F4F3D8DFB3E7A946BEA64112F8DF1D8
SHA256: CE185BA22AF8A5266579778A5E9B5207DAD907203F4693E44F8D826188AF8956

2164 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Last Version | text
MD5: C7E2197BAE099B13BBB3ADEB1433487D
SHA256: 3460EEAF45D581DD43A6E4E17AF8102DDAFF5AEAA88B10099527CF85211629E9

2164 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Variations | binary
MD5: 1C42329800C95BC1DB27E7657711FF1E
SHA256: D58993216FB0CBF52CED6DA4FCAEBFC8FCC7C1A37191954397BA77951B16BE9B

2164 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\parcel_tracking_db\LOG.old~RF138d01.TMP | -
MD5:
SHA256:

2164 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\parcel_tracking_db\LOG.old | -
MD5:
SHA256:

2164 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB\LOG.old | text
MD5: 1AF1D1ED27A40F9FDA977B6C353EC48B
SHA256: 01B66ED195749BF7909E0B655A6C4C6AFDECD665D7304653D09CD538191CC50A

2164 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\discounts_db\LOG.old~RF138d10.TMP | -
MD5:
SHA256:

8 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa8.13420\hkexplr.exe | executable
MD5: 42C86B570E091AC295CFE6F1F89EC82D
SHA256: F2254B81DD87B148A2069D5FDA079880AA78D989B201548A0A9E16B2EB347C0C
Download the PCAP and analyze network streams, HTTP content and more in the full report
HTTP(S) requests
90
TCP/UDP connections
356
DNS requests
332
Threats
7

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Reputation
4712 | MoUsoCoreWorker.exe | GET | 200 | 2.16.164.72:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
3884 | svchost.exe | GET | 200 | 2.16.164.72:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
3884 | svchost.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted
1176 | svchost.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | whitelisted
4712 | MoUsoCoreWorker.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted
5064 | SearchApp.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D | unknown | whitelisted
7164 | OUTLOOK.EXE | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEApDqVCbATUviZV57HIIulA%3D | unknown | whitelisted
2996 | firefox.exe | GET | 200 | 34.107.221.82:80 | http://detectportal.firefox.com/success.txt?ipv4 | unknown | whitelisted
2996 | firefox.exe | GET | 200 | 34.107.221.82:80 | http://detectportal.firefox.com/canonical.html | unknown | whitelisted
6100 | SystemSettings.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D | unknown | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
- | - | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
4712 | MoUsoCoreWorker.exe | 2.16.164.72:80 | crl.microsoft.com | Akamai International B.V. | NL | whitelisted
3884 | svchost.exe | 2.16.164.72:80 | crl.microsoft.com | Akamai International B.V. | NL | whitelisted
3884 | svchost.exe | 95.101.149.131:80 | www.microsoft.com | Akamai International B.V. | NL | whitelisted
4712 | MoUsoCoreWorker.exe | 95.101.149.131:80 | www.microsoft.com | Akamai International B.V. | NL | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
5064 | SearchApp.exe | 2.23.227.208:443 | www.bing.com | Ooredoo Q.S.C. | QA | whitelisted
1176 | svchost.exe | 20.190.159.75:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
1176 | svchost.exe | 192.229.221.95:80 | ocsp.digicert.com | EDGECAST | US | whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 4.231.128.59
  • 51.104.136.2
whitelisted
crl.microsoft.com
  • 2.16.164.72
  • 2.16.164.49
whitelisted
www.microsoft.com
  • 95.101.149.131
  • 184.30.230.103
whitelisted
google.com
  • 142.250.186.78
whitelisted
www.bing.com
  • 2.23.227.208
  • 2.23.227.215
whitelisted
login.live.com
  • 20.190.159.75
  • 20.190.159.23
  • 40.126.31.71
  • 20.190.159.64
  • 40.126.31.69
  • 20.190.159.4
  • 20.190.159.0
  • 20.190.159.68
  • 40.126.31.67
  • 40.126.31.73
  • 20.190.159.71
  • 20.190.159.73
  • 20.190.159.2
whitelisted
ocsp.digicert.com
  • 192.229.221.95
whitelisted
go.microsoft.com
  • 23.56.254.14
whitelisted
edge.microsoft.com
  • 204.79.197.239
  • 13.107.21.239
whitelisted
edge-mobile-static.azureedge.net
  • 13.107.246.45
whitelisted

Threats

PID | Process | Class | Message
13396 | svchost.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP
7676 | msedge.exe | Not Suspicious Traffic | INFO [ANY.RUN] Request to Azure content delivery network (aadcdn .msauth .net)
7676 | msedge.exe | Not Suspicious Traffic | INFO [ANY.RUN] Request to Azure content delivery network (aadcdn .msauth .net)
7676 | msedge.exe | Not Suspicious Traffic | INFO [ANY.RUN] Request to Azure content delivery network (aadcdn .msauth .net)
7676 | msedge.exe | Not Suspicious Traffic | INFO [ANY.RUN] Request to Azure content delivery network (aadcdn .msauth .net)
7676 | msedge.exe | Not Suspicious Traffic | INFO [ANY.RUN] Request to Azure content delivery network (aadcdn .msauth .net)
7676 | msedge.exe | Not Suspicious Traffic | INFO [ANY.RUN] Request to Azure content delivery network (aadcdn .msauth .net)
Process | Message
quickassist.exe | WebView2: Failed to find an installed WebView2 runtime or non-stable Microsoft Edge installation.