URL:

https://www.mediafire.com/file/oks1b4rnq7buzbt/re4uhd-br-v1-01_16632.zip/file

Full analysis: https://app.any.run/tasks/b67856e4-46a1-4300-bf71-545f50f16418
Verdict: Malicious activity
Analysis date: October 30, 2023, 00:37:38
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
SHA1:

AF667FE68BD582672BA1955DF671D026988624A7

SHA256:

46EDFC66C93C6C189FD3947F3D80070E13767B8DB0AAAE2C005D675EDFAE1768

SSDEEP:

3:N8DSLw3eGUoFlcQN4XIYo3R:2OLw3eGBN4X0B

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Loads dropped or rewritten executable

      • svchost.exe (PID: 864)
    • Drops the executable file immediately after the start

      • Install_01025.exe (PID: 3256)
      • Install_01025.exe (PID: 3644)
      • Uninstall.exe (PID: 3800)
      • 7zG.exe (PID: 3156)
  • SUSPICIOUS

    • Reads the Internet Settings

      • Install_01025.exe (PID: 3256)
    • Drops 7-zip archiver for unpacking

      • Install_01025.exe (PID: 3256)
      • Install_01025.exe (PID: 3644)
      • 7zG.exe (PID: 3156)
      • Uninstall.exe (PID: 3800)
    • Starts itself from another location

      • Uninstall.exe (PID: 3800)
  • INFO

    • Manual execution by a user

      • Install_01025.exe (PID: 3256)
    • The process uses the downloaded file

      • iexplore.exe (PID: 3852)
      • WinRAR.exe (PID: 3344)
    • Reads the computer name

      • Install_01025.exe (PID: 3256)
    • Checks supported languages

      • Install_01025.exe (PID: 3256)
    • Creates files or folders in the user directory

      • Install_01025.exe (PID: 3256)
    • Application launched itself

      • iexplore.exe (PID: 3852)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
All screenshots are available in the full report
Total processes
60
Monitored processes
15
Malicious processes
5
Suspicious processes
0

Behavior graph

Processes in the graph: iexplore.exe, iexplore.exe, winrar.exe, install_01025.exe, explorer.exe, svchost.exe, install_01025.exe, 7zg.exe, 7zg.exe, 7zfm.exe, 7z.exe, uninstall.exe, consent.exe, uninstall.exe, uninst.exe

Process information

PID
CMD
Path
Indicators
Parent process
PID: 864
CMD: C:\Windows\system32\svchost.exe -k netsvcs
Path: C:\Windows\System32\svchost.exe
Parent process: services.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ole32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
PID: 948
CMD: "C:\Users\admin\Desktop\Install_01025\7zG.exe"
Path: C:\Users\admin\Desktop\Install_01025\7zG.exe
Parent process: explorer.exe
User:
admin
Company:
Igor Pavlov
Integrity Level:
MEDIUM
Description:
7-Zip GUI
Exit code:
0
Version:
22.01
PID: 1176
CMD: "C:\Users\admin\Desktop\Install_01025\7zFM.exe"
Path: C:\Users\admin\Desktop\Install_01025\7zFM.exe
Parent process: explorer.exe
User:
admin
Company:
Igor Pavlov
Integrity Level:
MEDIUM
Description:
7-Zip File Manager
Exit code:
0
Version:
22.01
PID: 1400
CMD: C:\Windows\Explorer.EXE
Path: C:\Windows\explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Explorer
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\explorer.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
PID: 1992
CMD: C:\Users\admin\AppData\Local\Temp\7z0F29EED8\Uninst.exe /N /D=C:\Users\admin\Desktop\Install_01025\
Path: C:\Users\admin\AppData\Local\Temp\7z0F29EED8\Uninst.exe
Parent process: Uninstall.exe
User:
admin
Company:
Igor Pavlov
Integrity Level:
HIGH
Description:
7-Zip Uninstaller
Exit code:
0
Version:
22.01
PID: 2060
CMD: "C:\Users\admin\Desktop\Install_01025\7z.exe"
Path: C:\Users\admin\Desktop\Install_01025\7z.exe
Parent process: explorer.exe
User:
admin
Company:
Igor Pavlov
Integrity Level:
MEDIUM
Description:
7-Zip Console
Exit code:
0
Version:
22.01
PID: 2468
CMD: "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:3852 CREDAT:267521 /prefetch:2
Path: C:\Program Files\Internet Explorer\iexplore.exe
Parent process: iexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Internet Explorer
Exit code:
0
Version:
11.00.9600.16428 (winblue_gdr.131013-1700)
Modules
Images
c:\program files\internet explorer\iexplore.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\api-ms-win-downlevel-version-l1-1-0.dll
PID: 3156
CMD: "C:\Users\admin\AppData\Roaming\7zip\7zG.exe" x -o"C:\Users\admin\Desktop\Install_01025\" -spe -an -ai#7zMap10985:84:7zEvent4705
Path: C:\Users\admin\AppData\Roaming\7zip\7zG.exe
Parent process: explorer.exe
User:
admin
Company:
Igor Pavlov
Integrity Level:
MEDIUM
Description:
7-Zip GUI
Exit code:
0
Version:
22.01
PID: 3256
CMD: "C:\Users\admin\Desktop\Install_01025.exe"
Path: C:\Users\admin\Desktop\Install_01025.exe
Parent process: explorer.exe
User:
admin
Company:
Igor Pavlov
Integrity Level:
MEDIUM
Description:
7z SFX
Exit code:
0
Version:
22.01
Modules
Images
c:\users\admin\desktop\install_01025.exe
c:\windows\system32\kernel32.dll
c:\windows\system32\ntdll.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\usp10.dll
c:\windows\system32\rpcrt4.dll
PID: 3344
CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\78RFYB7Z\re4uhd-br-v1-01_16632.zip"
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: iexplore.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Exit code:
0
Version:
5.91.0
Modules
Images
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.24483_none_2b200f664577e14b\comctl32.dll
Total events
23 524
Read events
23 394
Write events
122
Delete events
8

Modification events

(PID) Process: (3852) iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing
Operation: write
Name: NTPDaysSinceLastAutoMigration
Value:
0
(PID) Process: (3852) iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing
Operation: write
Name: NTPLastLaunchHighDateTime
Value:
30847387
(PID) Process: (3852) iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\UrlBlockManager
Operation: write
Name: NextCheckForUpdateHighDateTime
Value:
30847437
(PID) Process: (3852) iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation: write
Name: CachePrefix
Value:
Cookie:
(PID) Process: (3852) iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation: write
Name: CachePrefix
Value:
Visited:
(PID) Process: (3852) iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
Operation: write
Name: CompatibilityFlags
Value:
0
(PID) Process: (3852) iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: ProxyBypass
Value:
1
(PID) Process: (3852) iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: IntranetName
Value:
1
(PID) Process: (3852) iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: UNCAsIntranet
Value:
1
(PID) Process: (3852) iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: AutoDetect
Value:
0
Executable files
27
Suspicious files
88
Text files
390
Unknown types
0

Dropped files

PID
Process
Filename
Type
PID: 2468
Process: iexplore.exe
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\S4XDA0UV.txt
Type: text
MD5: FDC4CE4A7223001D64571AF86EFE6D4C
SHA256: 670D96125C26A796033F2B9D232FB96B24EE6101687925FDA35B3DA3E2F26ACD
PID: 2468
Process: iexplore.exe
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\G5GVFMXN.txt
Type: text
MD5: 89A35C9AEB8F2ADBCA2CDBF9800357A7
SHA256: 2A5564A588DFEF94DE1F57ADC64EEDB95A76B3BF5A2FDE13F2FFA874C0E2233D
PID: 2468
Process: iexplore.exe
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_BACC6CD2B29F18349081C9FD2343833B
Type: binary
MD5: 44B7A9DB67EAA5571E0231304F431F0E
SHA256: C68601D4A84B8E77DD957937A035C1D538B8868CF0D104D565A1FBF4CB334CE0
PID: 2468
Process: iexplore.exe
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\UQ0T8GLG.txt
Type: text
MD5: A08470997E490A0442703F7E00046D4D
SHA256: 5790C7AE4966E2484FAF0F142392B248888341A947CF3EB20C8BC2D9249945E5
PID: 2468
Process: iexplore.exe
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\64I3V0P6.txt
Type: text
MD5: 8094FD994A046ED4148F0B1832172FCF
SHA256: 658908F3B5EC613A36B438F55698BC3B1B0DE3FB40B2472FD078DDEE86BC9B1B
PID: 2468
Process: iexplore.exe
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
Type: binary
MD5: 1C8D079BA37A6FA45F42033BC5A9A3CA
SHA256: 3938528FA67E476908FB1DA224CD963391C16A58B22F9AB260073726DB2F1A30
PID: 2468
Process: iexplore.exe
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157
Type: binary
MD5: F4C9E5D1F1CFF77AFC3E0CF5F9F7DAF7
SHA256: C2CFF740A83152B3B58BEF9435D23CAC625BC2A1A543EDAE39D66E88F2973668
PID: 2468
Process: iexplore.exe
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\57C8EDB95DF3F0AD4EE2DC2B8CFD4157
Type: compressed
MD5: 1BFE591A4FE3D91B03CDF26EAACD8F89
SHA256: 9CF94355051BF0F4A45724CA20D1CC02F76371B963AB7D1E38BD8997737B13D8
PID: 2468
Process: iexplore.exe
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_BACC6CD2B29F18349081C9FD2343833B
Type: binary
MD5: 2B5CE4F0B6F0057739D98EF7CF386E7F
SHA256: 9DE36DC92AC35FC094B1ED9AB866D634D9E2DC0550DCFFE74DC8CBF74ABDC2AA
PID: 2468
Process: iexplore.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\MFAQUS6V\file[1].htm
Type: html
MD5: 35C75FFE1A3117E48E5663251AFEA6EC
SHA256: 3CCB0FDE3F3A62648F3C1F686FB1B76DC1FC568705DBFFC958DB84BB94A17023
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
33
TCP/UDP connections
85
DNS requests
43
Threats
2

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2468
iexplore.exe
GET
200
142.251.140.3:80
http://ocsp.pki.goog/gtsr1/ME4wTDBKMEgwRjAJBgUrDgMCGgUABBQwkcLWD4LqGJ7bE7B1XZsEbmfwUAQU5K8rJnEaK0gnhS9SZizv8IkTcT4CDQIDvFCjJ1PwkYAi7fE%3D
unknown
binary
724 b
unknown
2468
iexplore.exe
GET
200
67.27.233.126:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?088fea238d8b5b84
unknown
compressed
4.66 Kb
unknown
2468
iexplore.exe
GET
200
142.251.140.3:80
http://ocsp.pki.goog/gtsr1/ME4wTDBKMEgwRjAJBgUrDgMCGgUABBQwkcLWD4LqGJ7bE7B1XZsEbmfwUAQU5K8rJnEaK0gnhS9SZizv8IkTcT4CDQIDvFNZazTHGPUBUGY%3D
unknown
binary
724 b
unknown
2468
iexplore.exe
GET
200
142.251.140.3:80
http://ocsp.pki.goog/gtsr1/ME4wTDBKMEgwRjAJBgUrDgMCGgUABBQwkcLWD4LqGJ7bE7B1XZsEbmfwUAQU5K8rJnEaK0gnhS9SZizv8IkTcT4CDQIDvFNZazTHGPUBUGY%3D
unknown
der
724 b
unknown
2468
iexplore.exe
GET
200
142.251.140.3:80
http://ocsp.pki.goog/gtsr1/ME4wTDBKMEgwRjAJBgUrDgMCGgUABBQwkcLWD4LqGJ7bE7B1XZsEbmfwUAQU5K8rJnEaK0gnhS9SZizv8IkTcT4CDQIDvFNZazTHGPUBUGY%3D
unknown
der
724 b
unknown
2468
iexplore.exe
GET
200
142.251.140.3:80
http://ocsp.pki.goog/gsr1/MFEwTzBNMEswSTAJBgUrDgMCGgUABBS3V7W2nAf4FiMTjpDJKg6%2BMgGqMQQUYHtmGkUNl8qJUC99BM00qP%2F8%2FUsCEHe9DWzbNvka6iEPxPBY0w0%3D
unknown
der
1.41 Kb
unknown
2468
iexplore.exe
GET
200
67.27.233.126:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?718e4d78999faf73
unknown
compressed
61.6 Kb
unknown
2468
iexplore.exe
GET
200
142.251.140.3:80
http://ocsp.pki.goog/gts1c3/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTHLnmK3f9hNLO67UdCuLvGwCQHYwQUinR%2Fr4XN7pXNPZzQ4kYU83E1HScCED0DQO7sPXWsCXu6cFHQzsU%3D
unknown
der
471 b
unknown
2468
iexplore.exe
GET
200
142.251.140.3:80
http://ocsp.pki.goog/gtsr1/ME4wTDBKMEgwRjAJBgUrDgMCGgUABBQwkcLWD4LqGJ7bE7B1XZsEbmfwUAQU5K8rJnEaK0gnhS9SZizv8IkTcT4CDQIDvFNZazTHGPUBUGY%3D
unknown
der
724 b
unknown
2468
iexplore.exe
GET
200
108.138.2.10:80
http://o.ss2.us//MEowSDBGMEQwQjAJBgUrDgMCGgUABBSLwZ6EW5gdYc9UaSEaaLjjETNtkAQUv1%2B30c7dH4b0W1Ws3NcQwg6piOcCCQCnDkpMNIK3fw%3D%3D
unknown
binary
2.02 Kb
unknown

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:138
whitelisted
2468
iexplore.exe
67.27.233.126:80
ctldl.windowsupdate.com
LEVEL3
US
unknown
4
System
192.168.100.255:137
whitelisted
2468
iexplore.exe
104.18.38.233:80
ocsp.comodoca.com
CLOUDFLARENET
shared
2468
iexplore.exe
172.67.144.62:443
the.gatekeeperconsent.com
CLOUDFLARENET
US
unknown
2468
iexplore.exe
142.251.140.72:443
www.googletagmanager.com
GOOGLE
US
unknown
2468
iexplore.exe
172.67.41.60:443
btloader.com
CLOUDFLARENET
US
unknown
2468
iexplore.exe
172.67.170.144:443
www.ezojs.com
CLOUDFLARENET
US
unknown
2468
iexplore.exe
172.217.20.78:443
translate.google.com
GOOGLE
US
whitelisted
2468
iexplore.exe
104.16.57.101:443
static.cloudflareinsights.com
CLOUDFLARENET
unknown

DNS requests

Domain
IP
Reputation
ctldl.windowsupdate.com
  • 67.27.233.126
  • 8.241.122.254
  • 8.248.149.254
  • 8.241.123.254
  • 67.27.157.254
whitelisted
ocsp.comodoca.com
  • 104.18.38.233
  • 172.64.149.23
whitelisted
ocsp.usertrust.com
  • 104.18.38.233
  • 172.64.149.23
whitelisted
the.gatekeeperconsent.com
  • 172.67.144.62
  • 104.21.28.48
unknown
www.googletagmanager.com
  • 142.251.140.72
whitelisted
btloader.com
  • 172.67.41.60
  • 104.22.75.216
  • 104.22.74.216
whitelisted
www.ezojs.com
  • 172.67.170.144
  • 104.21.63.106
unknown
translate.google.com
  • 172.217.20.78
whitelisted
static.cloudflareinsights.com
  • 104.16.57.101
  • 104.16.56.101
whitelisted
ocsp.pki.goog
  • 142.251.140.3
whitelisted

Threats

PID
Process
Class
Message
1088
svchost.exe
Potentially Bad Traffic
ET HUNTING File Sharing Related Domain (www .mediafire .com) in DNS Lookup
1088
svchost.exe
Potentially Bad Traffic
ET HUNTING File Sharing Related Domain in DNS Lookup (download .mediafire .com)
No debug info