File name:

hkexplr.rar

Full analysis: https://app.any.run/tasks/fcf1b36b-9644-444c-8720-1f329267e9ec
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Analysis date: January 09, 2025, 03:36:48
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
uac
phishing-ml
loader
Indicators:
MIME: application/x-rar
File info: RAR archive data, v4, os: Win32
MD5:

B5F95DEEEE017593D23C9517D621A044

SHA1:

E12329C01CDAD544770926A8701F9F6B57973539

SHA256:

E13EF534888F3CB876D78C8F299F6EE6BD10155B060FE37C3C7BBEC744D2C9A2

SSDEEP:

3072:y5Lr1E8sY7SlYNO3JUwUnzS3wEM0S4QfLFv:or1E8j7S6IDwOjmv

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Bypass User Account Control (fodhelper)

      • fodhelper.exe (PID: 12896)
    • Changes the autorun value in the registry

      • MicrosoftEdgeUpdate.exe (PID: 12740)
      • OneDriveSetup.exe (PID: 7916)
    • Scans artifacts that could help determine the target

      • OfficeHubWin32.exe (PID: 11836)
  • SUSPICIOUS

    • Drops a system driver (possible attempt to evade defenses)

      • WinRAR.exe (PID: 8)
    • Reads security settings of Internet Explorer

      • WinRAR.exe (PID: 8)
      • ShellExperienceHost.exe (PID: 3988)
      • GameBar.exe (PID: 11320)
      • OneDrive.exe (PID: 7148)
      • onenoteim.exe (PID: 12536)
      • OfficeHubWin32.exe (PID: 11836)
      • OneDriveSetup.exe (PID: 12712)
      • OneDriveSetup.exe (PID: 7916)
    • Creates/Modifies COM task schedule object

      • OneDrive.exe (PID: 7148)
      • MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 10748)
      • MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 10512)
      • MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 11504)
      • MicrosoftEdgeUpdate.exe (PID: 13284)
      • OneDriveSetup.exe (PID: 7916)
    • Executable content was dropped or overwritten

      • quickassist.exe (PID: 9460)
      • wv2C315.tmp (PID: 12000)
      • MicrosoftEdgeUpdate.exe (PID: 12740)
      • OneDriveSetup.exe (PID: 7916)
      • MicrosoftEdge_X64_131.0.2903.112.exe (PID: 8756)
      • setup.exe (PID: 9908)
    • Starts application with an unusual extension

      • quickassist.exe (PID: 9460)
    • Process drops legitimate windows executable

      • wv2C315.tmp (PID: 12000)
      • MicrosoftEdgeUpdate.exe (PID: 12740)
      • OneDriveSetup.exe (PID: 7916)
      • MicrosoftEdge_X64_131.0.2903.112.exe (PID: 8756)
      • setup.exe (PID: 9908)
    • Starts a Microsoft application from unusual location

      • wv2C315.tmp (PID: 12000)
      • MicrosoftEdgeUpdate.exe (PID: 12740)
    • Checks Windows Trust Settings

      • onenoteim.exe (PID: 12536)
      • OneDriveSetup.exe (PID: 7916)
      • OneDrive.exe (PID: 7148)
      • OneDriveSetup.exe (PID: 12712)
    • Reads settings of System Certificates

      • OfficeHubWin32.exe (PID: 11836)
    • Reads the Internet Settings

      • OfficeHubWin32.exe (PID: 11836)
    • Searches for installed software

      • OfficeHubWin32.exe (PID: 11836)
      • setup.exe (PID: 9908)
    • Potential Corporate Privacy Violation

      • svchost.exe (PID: 13396)
    • Application launched itself

      • OneDriveSetup.exe (PID: 12712)
      • setup.exe (PID: 9908)
      • MicrosoftEdgeUpdate.exe (PID: 5200)
    • Starts itself from another location

      • MicrosoftEdgeUpdate.exe (PID: 12740)
    • The process drops C-runtime libraries

      • OneDriveSetup.exe (PID: 7916)
    • Sets XML DOM element text (SCRIPT)

      • splwow64.exe (PID: 7664)
    • Creates a software uninstall entry

      • OneDriveSetup.exe (PID: 7916)
      • setup.exe (PID: 9908)
  • INFO

    • The sample compiled with English language support

      • WinRAR.exe (PID: 8)
      • quickassist.exe (PID: 9460)
      • wv2C315.tmp (PID: 12000)
      • MicrosoftEdgeUpdate.exe (PID: 12740)
      • svchost.exe (PID: 13396)
      • OneDriveSetup.exe (PID: 7916)
      • MicrosoftEdge_X64_131.0.2903.112.exe (PID: 8756)
      • setup.exe (PID: 9908)
      • msedge.exe (PID: 1076)
    • Reads the computer name

      • hkexplr.exe (PID: 6940)
      • ShellExperienceHost.exe (PID: 3988)
      • OneDrive.exe (PID: 7148)
      • MicrosoftEdgeUpdate.exe (PID: 7196)
      • MicrosoftEdgeUpdate.exe (PID: 448)
      • MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 10512)
      • OneDriveSetup.exe (PID: 12712)
      • OneDrive.exe (PID: 6928)
      • setup.exe (PID: 9908)
      • MicrosoftEdgeUpdate.exe (PID: 7936)
    • Manual execution by a user

      • OUTLOOK.EXE (PID: 7164)
      • msedge.exe (PID: 6456)
      • OneDrive.exe (PID: 7148)
      • WINWORD.EXE (PID: 4132)
      • msedge.exe (PID: 6856)
      • POWERPNT.EXE (PID: 188)
      • EXCEL.EXE (PID: 3224)
      • msedge.exe (PID: 2164)
      • osk.exe (PID: 7232)
      • msedge.exe (PID: 7884)
      • sapisvr.exe (PID: 7920)
      • WinRAR.exe (PID: 7816)
      • firefox.exe (PID: 7960)
      • firefox.exe (PID: 8176)
      • firefox.exe (PID: 8020)
      • rundll32.exe (PID: 3848)
      • msedge.exe (PID: 7136)
      • msedge.exe (PID: 3080)
      • msedge.exe (PID: 7136)
      • firefox.exe (PID: 8168)
      • osk.exe (PID: 8684)
      • sapisvr.exe (PID: 10056)
      • quickassist.exe (PID: 9460)
      • firefox.exe (PID: 9636)
      • quickassist.exe (PID: 7764)
      • OfficeHubWin32.exe (PID: 11836)
    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 8)
      • firefox.exe (PID: 2996)
      • msedge.exe (PID: 1076)
    • Checks supported languages

      • OneDrive.exe (PID: 7148)
      • hkexplr.exe (PID: 6940)
      • ShellExperienceHost.exe (PID: 3988)
      • sapisvr.exe (PID: 10056)
      • GameBar.exe (PID: 11320)
      • MicrosoftEdgeUpdate.exe (PID: 12740)
      • MicrosoftEdgeUpdate.exe (PID: 13284)
      • onenoteim.exe (PID: 12536)
      • MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 11504)
      • OfficeHubWin32.exe (PID: 11836)
      • MicrosoftEdgeUpdate.exe (PID: 7196)
      • MicrosoftEdgeUpdate.exe (PID: 448)
      • MicrosoftEdgeUpdate.exe (PID: 5200)
      • OneDriveSetup.exe (PID: 12712)
      • OneDriveSetup.exe (PID: 7916)
      • FileSyncConfig.exe (PID: 14228)
      • OneDrive.exe (PID: 6928)
      • setup.exe (PID: 11808)
      • setup.exe (PID: 9908)
      • MicrosoftEdgeUpdate.exe (PID: 7936)
    • Reads the machine GUID from the registry

      • OneDrive.exe (PID: 7148)
      • HelpPane.exe (PID: 8728)
      • onenoteim.exe (PID: 12536)
      • OneDriveSetup.exe (PID: 7916)
      • OneDriveSetup.exe (PID: 12712)
      • MicrosoftEdgeUpdate.exe (PID: 5200)
      • OneDrive.exe (PID: 6928)
    • Creates files or folders in the user directory

      • OneDrive.exe (PID: 7148)
      • quickassist.exe (PID: 9460)
      • onenoteim.exe (PID: 12536)
      • OfficeHubWin32.exe (PID: 11836)
      • ShellExperienceHost.exe (PID: 3988)
      • MicrosoftEdgeUpdate.exe (PID: 5200)
      • OneDriveSetup.exe (PID: 7916)
      • OneDrive.exe (PID: 6928)
      • MicrosoftEdge_X64_131.0.2903.112.exe (PID: 8756)
      • setup.exe (PID: 11808)
      • setup.exe (PID: 9908)
      • BackgroundTransferHost.exe (PID: 14248)
    • Application launched itself

      • msedge.exe (PID: 2164)
      • firefox.exe (PID: 8176)
      • firefox.exe (PID: 2996)
      • firefox.exe (PID: 8168)
      • firefox.exe (PID: 7960)
      • firefox.exe (PID: 9636)
    • Create files in a temporary directory

      • OneDrive.exe (PID: 7148)
      • quickassist.exe (PID: 9460)
      • wv2C315.tmp (PID: 12000)
      • svchost.exe (PID: 13396)
      • OneDriveSetup.exe (PID: 7916)
    • The process uses the downloaded file

      • WinRAR.exe (PID: 8)
      • sapisvr.exe (PID: 10056)
      • OneDriveSetup.exe (PID: 7916)
    • Reads the time zone

      • OneDrive.exe (PID: 7148)
    • Reads CPU info

      • OneDrive.exe (PID: 7148)
      • OfficeHubWin32.exe (PID: 11836)
    • Reads security settings of Internet Explorer

      • HelpPane.exe (PID: 8728)
      • quickassist.exe (PID: 9460)
      • BackgroundTransferHost.exe (PID: 11564)
      • BackgroundTransferHost.exe (PID: 14248)
      • BackgroundTransferHost.exe (PID: 11544)
    • Sends debugging messages

      • quickassist.exe (PID: 9460)
      • onenoteim.exe (PID: 12536)
    • Reads the software policy settings

      • HelpPane.exe (PID: 8728)
      • quickassist.exe (PID: 9460)
      • OneDrive.exe (PID: 7148)
      • onenoteim.exe (PID: 12536)
      • MicrosoftEdgeUpdate.exe (PID: 7196)
      • MicrosoftEdgeUpdate.exe (PID: 5200)
      • OfficeHubWin32.exe (PID: 11836)
      • OneDriveSetup.exe (PID: 12712)
      • OneDriveSetup.exe (PID: 7916)
      • MicrosoftEdgeUpdate.exe (PID: 7936)
    • Checks proxy server information

      • quickassist.exe (PID: 9460)
      • OneDrive.exe (PID: 7148)
      • onenoteim.exe (PID: 12536)
      • MicrosoftEdgeUpdate.exe (PID: 5200)
      • BackgroundTransferHost.exe (PID: 14248)
    • Reads Internet Explorer settings

      • OUTLOOK.EXE (PID: 7164)
    • Reads Microsoft Office registry keys

      • onenoteim.exe (PID: 12536)
      • OfficeHubWin32.exe (PID: 11836)
    • Process checks computer location settings

      • ShellExperienceHost.exe (PID: 3988)
      • OneDrive.exe (PID: 7148)
      • OfficeHubWin32.exe (PID: 11836)
      • OneDriveSetup.exe (PID: 7916)
      • setup.exe (PID: 9908)
    • The sample compiled with Portuguese language support

      • OneDriveSetup.exe (PID: 7916)
    • The sample compiled with Chinese language support

      • OneDriveSetup.exe (PID: 7916)
    • Reads Environment values

      • OneDrive.exe (PID: 6928)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.rar | RAR compressed archive (v-4.x) (58.3)
.rar | RAR compressed archive (gen) (41.6)

EXIF

ZIP

FileVersion: RAR v4
CompressedSize: 14267
UncompressedSize: 49152
OperatingSystem: Win32
ModifyDate: 2009:12:15 17:54:32
PackingMethod: Normal
ArchivedFileName: hkcmdr.sys
No data.
All screenshots are available in the full report
Total processes
348
Monitored processes
147
Malicious processes
9
Suspicious processes
3


Process information

PID: 8
CMD: "C:\Program Files\WinRAR\WinRAR.exe" C:\Users\admin\AppData\Local\Temp\hkexplr.rar
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: explorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Version:
5.91.0
Modules
Images
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
PID: 188
CMD: "C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE"
Path: C:\Program Files\Microsoft Office\root\Office16\POWERPNT.EXE
Parent process: explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft PowerPoint
Version:
16.0.16026.20146
Modules
Images
c:\program files\microsoft office\root\office16\powerpnt.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
PID: 448
CMD: "C:\Users\admin\AppData\Local\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /handoff "appguid={F3017226-FE2A-4295-8BDF-00C3A9A7E4C5}&appname=Microsoft%20Edge%20Webview2%20Runtime&needsadmin=false" /installsource otherinstallcmd /sessionid "{24904EAD-5785-4ABF-B62C-056A08BC196B}" /silent
Path: C:\Users\admin\AppData\Local\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
Parent process: MicrosoftEdgeUpdate.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Edge Update
Exit code:
0
Version:
1.3.195.43
Modules
Images
c:\users\admin\appdata\local\microsoft\edgeupdate\microsoftedgeupdate.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\ole32.dll
c:\windows\syswow64\ucrtbase.dll
PID: 1076
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=9536 --field-trial-handle=2416,i,7362729305017076757,3901872667550514887,262144 --variations-seed-version /prefetch:8
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 1304
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=3588 --field-trial-handle=2416,i,7362729305017076757,3901872667550514887,262144 --variations-seed-version /prefetch:8
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 1448
CMD: C:\WINDOWS\SysWOW64\DllHost.exe /Processid:{60A90A2F-858D-42AF-8929-82BE9D99E8A1}
Path: C:\Windows\SysWOW64\dllhost.exe
Parent process: svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
COM Surrogate
Exit code:
0
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\dllhost.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\ucrtbase.dll
c:\windows\syswow64\combase.dll
PID: 1684
CMD: "C:\Program Files\Mozilla Firefox\firefox.exe"
Path: C:\Program Files\Mozilla Firefox\firefox.exe
Parent process: firefox.exe
User:
admin
Company:
Mozilla Corporation
Integrity Level:
MEDIUM
Description:
Firefox
Exit code:
0
Version:
123.0
Modules
Images
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\msvcp140.dll
c:\windows\system32\vcruntime140.dll
PID: 2164
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://go.microsoft.com/fwlink/?linkid=2044782
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Edge
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 2996
CMD: "C:\Program Files\Mozilla Firefox\firefox.exe"
Path: C:\Program Files\Mozilla Firefox\firefox.exe
Parent process: firefox.exe
User:
admin
Company:
Mozilla Corporation
Integrity Level:
MEDIUM
Description:
Firefox
Version:
123.0
Modules
Images
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\msvcp140.dll
c:\windows\system32\vcruntime140.dll
PID: 3080
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
Total events
119 877
Read events
111 591
Write events
7 455
Delete events
831

Modification events

(PID) Process: (8) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation: write
Name: 3
Value: C:\Users\admin\Desktop\preferences.zip

(PID) Process: (8) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation: write
Name: 2
Value: C:\Users\admin\Desktop\chromium_ext.zip

(PID) Process: (8) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation: write
Name: 1
Value: C:\Users\admin\Desktop\omni_23_10_2024_.zip

(PID) Process: (8) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation: write
Name: 0
Value: C:\Users\admin\AppData\Local\Temp\hkexplr.rar

(PID) Process: (8) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write
Name: name
Value: 120

(PID) Process: (8) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write
Name: size
Value: 80

(PID) Process: (8) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write
Name: type
Value: 120

(PID) Process: (8) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write
Name: mtime
Value: 100

(PID) Process: (6856) msedge.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\BLBeacon
Operation: write
Name: failed_count
Value: 1

(PID) Process: (6856) msedge.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\BLBeacon
Operation: write
Name: state
Value: 1
Executable files
506
Suspicious files
2 015
Text files
827
Unknown types
6

Dropped files

PID | Process | Filename | Type
2164 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\PersistentOriginTrials\LOG.old~RF138bc8.TMP | -
MD5: - SHA256: -
2164 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\PersistentOriginTrials\LOG.old | -
MD5: - SHA256: -
7148 | OneDrive.exe | C:\Users\admin\AppData\Local\Microsoft\OneDrive\logs\Personal\telemetryCache.otc.session-journal | binary
MD5: F4037BEFE87B647EBAF09016E4CE5717 SHA256: EE47C1CB2222A7C2C602A35A4A1CDDC2273C979F9CF5ED4A9DC9984985C28820
2164 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat | binary
MD5: 1E9E15EF6E531C4557100F20C9C76F01 SHA256: 46CB063CC268B69B172660F166C4394D5B4EDD802388B3EC16766DEBDB9F86C3
2164 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\Database\LOG.old~RF138bd8.TMP | text
MD5: 92941BAD29B823669F85E6F7352F04EB SHA256: 19E674BF425E68E8B1C1242017BB22044BA558B1D5644F5D4EBA973AF39BABAA
2164 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\parcel_tracking_db\LOG.old~RF138d01.TMP | -
MD5: - SHA256: -
2164 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\parcel_tracking_db\LOG.old | -
MD5: - SHA256: -
2164 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index | binary
MD5: 01F0B29822F7C00694ABF3150276196A SHA256: C5CA04147E678498F16E8DED9EFB227591ABF40A3AFC5E65248D019D9B9198D9
2164 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\discounts_db\LOG.old~RF138d10.TMP | -
MD5: - SHA256: -
2164 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Local State | binary
MD5: 02789AB05D698D65F0EA91E9A58627C0 SHA256: B076870DC9E5D75B386ADA28A8BEFE1CBFC9C1E47D9EB6263C0F91874CFA0611
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
90
TCP/UDP connections
356
DNS requests
332
Threats
7

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Reputation
4712 | MoUsoCoreWorker.exe | GET | 200 | 2.16.164.72:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
3884 | svchost.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted
2996 | firefox.exe | GET | 200 | 34.107.221.82:80 | http://detectportal.firefox.com/canonical.html | unknown | whitelisted
3884 | svchost.exe | GET | 200 | 2.16.164.72:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
5064 | SearchApp.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D | unknown | whitelisted
2996 | firefox.exe | GET | 200 | 34.107.221.82:80 | http://detectportal.firefox.com/success.txt?ipv4 | unknown | whitelisted
7164 | OUTLOOK.EXE | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEApDqVCbATUviZV57HIIulA%3D | unknown | whitelisted
6100 | SystemSettings.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D | unknown | whitelisted
- | - | POST | 200 | 2.16.202.121:80 | http://r11.o.lencr.org/ | unknown | whitelisted
2996 | firefox.exe | POST | 200 | 2.16.168.113:80 | http://r10.o.lencr.org/ | unknown | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
- | - | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
4712 | MoUsoCoreWorker.exe | 2.16.164.72:80 | crl.microsoft.com | Akamai International B.V. | NL | whitelisted
3884 | svchost.exe | 2.16.164.72:80 | crl.microsoft.com | Akamai International B.V. | NL | whitelisted
3884 | svchost.exe | 95.101.149.131:80 | www.microsoft.com | Akamai International B.V. | NL | whitelisted
4712 | MoUsoCoreWorker.exe | 95.101.149.131:80 | www.microsoft.com | Akamai International B.V. | NL | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
5064 | SearchApp.exe | 2.23.227.208:443 | www.bing.com | Ooredoo Q.S.C. | QA | whitelisted
1176 | svchost.exe | 20.190.159.75:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
1176 | svchost.exe | 192.229.221.95:80 | ocsp.digicert.com | EDGECAST | US | whitelisted

DNS requests

Domain | IP | Reputation
settings-win.data.microsoft.com | 4.231.128.59, 51.104.136.2 | whitelisted
crl.microsoft.com | 2.16.164.72, 2.16.164.49 | whitelisted
www.microsoft.com | 95.101.149.131, 184.30.230.103 | whitelisted
google.com | 142.250.186.78 | whitelisted
www.bing.com | 2.23.227.208, 2.23.227.215 | whitelisted
login.live.com | 20.190.159.75, 20.190.159.23, 40.126.31.71, 20.190.159.64, 40.126.31.69, 20.190.159.4, 20.190.159.0, 20.190.159.68, 40.126.31.67, 40.126.31.73, 20.190.159.71, 20.190.159.73, 20.190.159.2 | whitelisted
ocsp.digicert.com | 192.229.221.95 | whitelisted
go.microsoft.com | 23.56.254.14 | whitelisted
edge.microsoft.com | 204.79.197.239, 13.107.21.239 | whitelisted
edge-mobile-static.azureedge.net | 13.107.246.45 | whitelisted

Threats

PID | Process | Class | Message
13396 | svchost.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP
7676 | msedge.exe | Not Suspicious Traffic | INFO [ANY.RUN] Request to Azure content delivery network (aadcdn .msauth .net) (this alert appears 6 times in the report)

Debug output

Process | Message
quickassist.exe | WebView2: Failed to find an installed WebView2 runtime or non-stable Microsoft Edge installation.