URL:

https://c.top4top.io/f_S37CrS9mZlrJak392t4M1g/1642203966/1415vlvb61.zip

Full analysis: https://app.any.run/tasks/2ac492e7-a929-44dc-89e6-15288ff24fa6
Verdict: Malicious activity
Analysis date: January 12, 2022, 23:46:50
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MD5:

BCA40A1A483A88E3009F0CA1075F5702

SHA1:

E183C618962FE356C51746F21578CA5F0FE3A220

SHA256:

372E8CD16E1721CD0E272D12127C51D3F2931EA4066ECD7565070AEB7103DE10

SSDEEP:

3:N8WOvm2Mm/vnzJC7RUGTSkVn:2WS2mn9YtTScn

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Drops executable file immediately after starts

      • WinRAR.exe (PID: 2328)

    • Application was dropped or rewritten from another process

      • TSP Dork generator.exe (PID: 1260)
      • TSP Dork generator.exe (PID: 2400)
      • TSP Dork generator.exe (PID: 2544)

  • SUSPICIOUS

    • Creates files in the user directory

      • FlashUtil32_32_0_0_453_ActiveX.exe (PID: 3764)

    • Reads the computer name

      • FlashUtil32_32_0_0_453_ActiveX.exe (PID: 3764)
      • WinRAR.exe (PID: 2328)
      • TSP Dork generator.exe (PID: 1260)
      • TSP Dork generator.exe (PID: 2400)
      • TSP Dork generator.exe (PID: 2544)

    • Reads Microsoft Outlook installation path

      • iexplore.exe (PID: 3444)

    • Executed via COM

      • FlashUtil32_32_0_0_453_ActiveX.exe (PID: 3764)

    • Checks supported languages

      • FlashUtil32_32_0_0_453_ActiveX.exe (PID: 3764)
      • WinRAR.exe (PID: 2328)
      • TSP Dork generator.exe (PID: 1260)
      • TSP Dork generator.exe (PID: 2400)
      • TSP Dork generator.exe (PID: 2544)

    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 2328)

    • Drops a file that was compiled in debug mode

      • WinRAR.exe (PID: 2328)

    • Reads Environment values

      • TSP Dork generator.exe (PID: 1260)
      • TSP Dork generator.exe (PID: 2400)
      • TSP Dork generator.exe (PID: 2544)

  • INFO

    • Checks supported languages

      • iexplore.exe (PID: 3300)
      • iexplore.exe (PID: 3444)
      • NOTEPAD.EXE (PID: 2864)

    • Reads the computer name

      • iexplore.exe (PID: 3444)
      • iexplore.exe (PID: 3300)

    • Application launched itself

      • iexplore.exe (PID: 3300)

    • Reads settings of System Certificates

      • iexplore.exe (PID: 3444)
      • iexplore.exe (PID: 3300)
      • TSP Dork generator.exe (PID: 1260)
      • TSP Dork generator.exe (PID: 2400)
      • TSP Dork generator.exe (PID: 2544)

    • Checks Windows Trust Settings

      • iexplore.exe (PID: 3444)
      • iexplore.exe (PID: 3300)

    • Creates files in the user directory

      • iexplore.exe (PID: 3444)
      • iexplore.exe (PID: 3300)

    • Reads internet explorer settings

      • iexplore.exe (PID: 3444)

    • Changes internet zones settings

      • iexplore.exe (PID: 3300)

    • Reads CPU info

      • iexplore.exe (PID: 3444)

    • Changes settings of System certificates

      • iexplore.exe (PID: 3300)

    • Adds / modifies Windows certificates

      • iexplore.exe (PID: 3300)

    • Manual execution by user

      • WinRAR.exe (PID: 2328)
      • NOTEPAD.EXE (PID: 2864)
      • TSP Dork generator.exe (PID: 1260)
      • TSP Dork generator.exe (PID: 2400)
      • TSP Dork generator.exe (PID: 2544)

    • Modifies the phishing filter of IE

      • iexplore.exe (PID: 3300)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
47
Monitored processes
8
Malicious processes
3
Suspicious processes
2

Behavior graph

Click at the process to see the details
start iexplore.exe iexplore.exe flashutil32_32_0_0_453_activex.exe no specs winrar.exe notepad.exe no specs tsp dork generator.exe tsp dork generator.exe tsp dork generator.exe

Process information

PID
CMD
Path
Indicators
Parent process
1260"C:\Users\admin\Downloads\TSP Dork generator - by Lh Production\TSP Dork generator.exe" C:\Users\admin\Downloads\TSP Dork generator - by Lh Production\TSP Dork generator.exe
Explorer.EXE
User:
admin
Company:
thiplol
Integrity Level:
MEDIUM
Description:
Gorker Private TSP Edition
Exit code:
0
Version:
7.0
2328"C:\Program Files\WinRAR\WinRAR.exe" x -iext -ow -ver -- "C:\Users\admin\Downloads\TSP Dork generator - by Lh Production.zip" C:\Users\admin\Downloads\C:\Program Files\WinRAR\WinRAR.exe
Explorer.EXE
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Exit code:
0
Version:
5.91.0
2400"C:\Users\admin\Downloads\TSP Dork generator - by Lh Production\TSP Dork generator.exe" C:\Users\admin\Downloads\TSP Dork generator - by Lh Production\TSP Dork generator.exe
Explorer.EXE
User:
admin
Company:
thiplol
Integrity Level:
MEDIUM
Description:
Gorker Private TSP Edition
Exit code:
0
Version:
7.0
2544"C:\Users\admin\Downloads\TSP Dork generator - by Lh Production\TSP Dork generator.exe" C:\Users\admin\Downloads\TSP Dork generator - by Lh Production\TSP Dork generator.exe
Explorer.EXE
User:
admin
Company:
thiplol
Integrity Level:
MEDIUM
Description:
Gorker Private TSP Edition
Exit code:
0
Version:
7.0
2864"C:\Windows\system32\NOTEPAD.EXE" C:\Users\admin\Downloads\TSP Dork generator - by Lh Production\default_numbers.txtC:\Windows\system32\NOTEPAD.EXEExplorer.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Notepad
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
3300"C:\Program Files\Internet Explorer\iexplore.exe" "https://c.top4top.io/f_S37CrS9mZlrJak392t4M1g/1642203966/1415vlvb61.zip"C:\Program Files\Internet Explorer\iexplore.exe
Explorer.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Internet Explorer
Exit code:
0
Version:
11.00.9600.16428 (winblue_gdr.131013-1700)
3444"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:3300 CREDAT:267521 /prefetch:2C:\Program Files\Internet Explorer\iexplore.exe
iexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Internet Explorer
Exit code:
0
Version:
11.00.9600.16428 (winblue_gdr.131013-1700)
3764C:\Windows\system32\Macromed\Flash\FlashUtil32_32_0_0_453_ActiveX.exe -EmbeddingC:\Windows\system32\Macromed\Flash\FlashUtil32_32_0_0_453_ActiveX.exesvchost.exe
User:
admin
Company:
Adobe
Integrity Level:
MEDIUM
Description:
Adobe� Flash� Player Installer/Uninstaller 32.0 r0
Exit code:
0
Version:
32,0,0,453
Total events
0
Read events
0
Write events
0
Delete events
0

Modification events

No data
Executable files
1
Suspicious files
29
Text files
318
Unknown types
22

Dropped files

PID
Process
Filename
Type
3444iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157binary
MD5:
SHA256:
3444iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506binary
MD5:
SHA256:
3444iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\83CF8B5BB5343F329FF080F6450A55CEbinary
MD5:
SHA256:
3444iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6AF72DC1CC855597ABE1BA0FB9A4D289der
MD5:
SHA256:
3444iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\5IWPIAR9\downloadf-1415vlvb61-zip[1].htmhtml
MD5:
SHA256:
3444iexplore.exeC:\Users\admin\AppData\Local\Temp\Low\Cab3435.tmpcompressed
MD5:ACAEDA60C79C6BCAC925EEB3653F45E0
SHA256:6B0CECCF0103AFD89844761417C1D23ACC41F8AEBF3B7230765209B61EEE5658
3444iexplore.exeC:\Users\admin\AppData\Local\Temp\Low\Tar3436.tmpcat
MD5:D99661D0893A52A0700B8AE68457351A
SHA256:BDD5111162A6FA25682E18FA74E37E676D49CAFCB5B7207E98E5256D1EF0D003
3444iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\57C8EDB95DF3F0AD4EE2DC2B8CFD4157compressed
MD5:F7DCB24540769805E5BB30D193944DCE
SHA256:6B88C6AC55BBD6FEA0EBE5A760D1AD2CFCE251C59D0151A1400701CB927E36EA
3444iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751binary
MD5:
SHA256:
3444iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751der
MD5:54E9306F95F32E50CCD58AF19753D929
SHA256:45F94DCEB18A8F738A26DA09CE4558995A4FE02B971882E8116FC9B59813BB72
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
20
TCP/UDP connections
80
DNS requests
32
Threats
3

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3444
iexplore.exe
GET
200
104.18.30.182:80
http://ocsp.sectigo.com/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBRDC9IOTxN6GmyRjyTl2n4yTUczyAQUjYxexFStiuF36Zv5mwXhuAGNYeECEQDSgULZ%2BKzOuMFl8EbDyVt8
US
der
472 b
whitelisted
3300
iexplore.exe
GET
200
93.184.220.29:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
US
der
471 b
whitelisted
3444
iexplore.exe
GET
200
104.18.30.182:80
http://ocsp.comodoca.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRTtU9uFqgVGHhJwXZyWCNXmVR5ngQUoBEKIz6W8Qfs4q8p74Klf9AwpLQCEDlyRDr5IrdR19NsEN0xNZU%3D
US
der
471 b
whitelisted
3444
iexplore.exe
GET
200
142.250.186.163:80
http://ocsp.pki.goog/gsr1/MFEwTzBNMEswSTAJBgUrDgMCGgUABBS3V7W2nAf4FiMTjpDJKg6%2BMgGqMQQUYHtmGkUNl8qJUC99BM00qP%2F8%2FUsCEHe9DWzbNvka6iEPxPBY0w0%3D
US
der
1.41 Kb
whitelisted
3300
iexplore.exe
GET
200
93.184.220.29:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEA177el9ggmWelJjG4vdGL0%3D
US
der
471 b
whitelisted
3444
iexplore.exe
GET
200
93.184.220.29:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfqhLjKLEJQZPin0KCzkdAQpVYowQUsT7DaQP4v0cB1JgmGggC72NkK8MCEATh56TcXPLzbcArQrhdFZ8%3D
US
der
471 b
whitelisted
3444
iexplore.exe
GET
200
104.18.31.182:80
http://ocsp.usertrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTNMNJMNDqCqx8FcBWK16EHdimS6QQUU3m%2FWqorSs9UgOHYm8Cd8rIDZssCEH1bUSa0droR23QWC7xTDac%3D
US
der
727 b
whitelisted
3444
iexplore.exe
GET
200
142.250.186.163:80
http://ocsp.pki.goog/gts1c3/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBTHLnmK3f9hNLO67UdCuLvGwCQHYwQUinR%2Fr4XN7pXNPZzQ4kYU83E1HScCEQCZ2fjZwSXF%2BwoAAAABJfz9
US
der
472 b
whitelisted
3444
iexplore.exe
GET
200
142.250.186.163:80
http://ocsp.pki.goog/gts1c3/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTHLnmK3f9hNLO67UdCuLvGwCQHYwQUinR%2Fr4XN7pXNPZzQ4kYU83E1HScCEGmSmALa8169CgAAAAEn3NM%3D
US
der
471 b
whitelisted
3444
iexplore.exe
GET
200
142.250.186.163:80
http://ocsp.pki.goog/gts1c3/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBTHLnmK3f9hNLO67UdCuLvGwCQHYwQUinR%2Fr4XN7pXNPZzQ4kYU83E1HScCEQCAnDacZA1UWwoAAAABJ9nq
US
der
472 b
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
3444
iexplore.exe
92.123.224.113:80
r3.o.lencr.org
Akamai International B.V.
suspicious
3300
iexplore.exe
204.79.197.200:443
www.bing.com
Microsoft Corporation
US
whitelisted
3444
iexplore.exe
142.250.186.42:443
ajax.googleapis.com
Google Inc.
US
whitelisted
3444
iexplore.exe
195.154.113.3:443
c.top4top.io
Online S.a.s.
FR
unknown
3444
iexplore.exe
93.184.221.240:80
ctldl.windowsupdate.com
MCI Communications Services, Inc. d/b/a Verizon Business
US
whitelisted
3300
iexplore.exe
93.184.220.29:80
ocsp.digicert.com
MCI Communications Services, Inc. d/b/a Verizon Business
US
whitelisted
3444
iexplore.exe
142.250.186.163:80
ocsp.pki.goog
Google Inc.
US
whitelisted
3444
iexplore.exe
104.16.86.20:443
cdn.jsdelivr.net
Cloudflare Inc
US
shared
3444
iexplore.exe
93.184.220.29:80
ocsp.digicert.com
MCI Communications Services, Inc. d/b/a Verizon Business
US
whitelisted
3444
iexplore.exe
104.18.30.182:80
ocsp.comodoca.com
Cloudflare Inc
US
suspicious

DNS requests

Domain
IP
Reputation
c.top4top.io
  • 195.154.113.3
unknown
ctldl.windowsupdate.com
  • 93.184.221.240
whitelisted
x1.c.lencr.org
  • 104.89.32.83
whitelisted
r3.o.lencr.org
  • 92.123.224.113
  • 92.123.224.12
shared
api.bing.com
  • 13.107.13.80
whitelisted
www.bing.com
  • 204.79.197.200
  • 13.107.21.200
whitelisted
top4top.io
  • 188.165.137.170
  • 188.165.137.138
whitelisted
ocsp.digicert.com
  • 93.184.220.29
whitelisted
s.top4top.io
  • 104.21.5.137
  • 172.67.133.128
malicious
ajax.googleapis.com
  • 142.250.186.42
whitelisted

Threats

PID
Process
Class
Message
Misc activity
AV INFO Observed DNS Request to Filesharing Service (top5top. io)
Misc activity
AV INFO Observed DNS Request to Filesharing Service (top5top. io)
Misc activity
AV INFO Observed DNS Request to Filesharing Service (top5top. io)
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
https://c.top4top.io/f_S37CrS9mZlrJak392t4M1g/1642203966/1415vlvb61.zip