analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
URL:

https://winfiles.us/HOW%20TO%20DOWNLOAD%20ALL%20OCULUS%20QUEST%20GAMES%20FOR%20FREE

Full analysis: https://app.any.run/tasks/e24651b4-0295-4b08-a893-20976cfa156d
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Malware Trends Tracker     >>>
Analysis date: March 31, 2020, 15:34:59
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
loader
Indicators:
MD5:

5A579D6162CA628B0F90852FECAF78C2

SHA1:

74C5C498CDAEA4138AF8FAA5A836E8BBDF478F77

SHA256:

B9E706D3ABB5461EAC1495E1A7D33AD18A81314CF15153FB79964860E9C44C28

SSDEEP:

3:N8d8O/YTFsAFhJrEozppAXAHYewdyVilY:2eooFhFhJr3ppysYewUVi2

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Downloads executable files from the Internet

      • iexplore.exe (PID: 3960)
      • setup_0113595485.exe (PID: 3524)

    • Application was dropped or rewritten from another process

      • setup_0113595485.exe (PID: 1692)
      • setup_0113595485.exe (PID: 3524)
      • setup.exe (PID: 2940)

    • Loads dropped or rewritten executable

      • setup_0113595485.exe (PID: 3524)
      • setup.exe (PID: 2940)

  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • iexplore.exe (PID: 3960)
      • setup_0113595485.exe (PID: 3524)
      • iexplore.exe (PID: 4040)
      • setup.exe (PID: 2940)

    • Cleans NTFS data-stream (Zone Identifier)

      • setup_0113595485.exe (PID: 1692)

    • Reads Environment values

      • setup_0113595485.exe (PID: 3524)

    • Reads Internet Cache Settings

      • setup_0113595485.exe (PID: 3524)

    • Application launched itself

      • setup_0113595485.exe (PID: 1692)

    • Creates files in the user directory

      • setup_0113595485.exe (PID: 3524)

    • Reads internet explorer settings

      • setup_0113595485.exe (PID: 3524)

    • Starts Internet Explorer

      • setup_0113595485.exe (PID: 3524)

  • INFO

    • Reads Internet Cache Settings

      • iexplore.exe (PID: 3960)
      • iexplore.exe (PID: 4040)
      • IEXPLORE.EXE (PID: 3140)
      • IEXPLORE.EXE (PID: 3664)

    • Modifies the phishing filter of IE

      • iexplore.exe (PID: 4040)

    • Changes internet zones settings

      • iexplore.exe (PID: 4040)
      • IEXPLORE.EXE (PID: 3140)

    • Reads internet explorer settings

      • iexplore.exe (PID: 3960)
      • IEXPLORE.EXE (PID: 3664)

    • Creates files in the user directory

      • iexplore.exe (PID: 3960)

    • Application launched itself

      • IEXPLORE.EXE (PID: 3140)

    • Reads settings of System Certificates

      • iexplore.exe (PID: 3960)
      • iexplore.exe (PID: 4040)

    • Adds / modifies Windows certificates

      • iexplore.exe (PID: 4040)

    • Changes settings of System certificates

      • iexplore.exe (PID: 4040)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
45
Monitored processes
7
Malicious processes
2
Suspicious processes
2

Behavior graph

Click at the process to see the details
drop and start start drop and start iexplore.exe iexplore.exe setup_0113595485.exe no specs setup_0113595485.exe setup.exe iexplore.exe no specs iexplore.exe

Process information

PID
CMD
Path
Indicators
Parent process
4040"C:\Program Files\Internet Explorer\iexplore.exe" https://winfiles.us/HOW%20TO%20DOWNLOAD%20ALL%20OCULUS%20QUEST%20GAMES%20FOR%20FREEC:\Program Files\Internet Explorer\iexplore.exe
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Internet Explorer
Version:
11.00.9600.16428 (winblue_gdr.131013-1700)
3960"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:4040 CREDAT:267521 /prefetch:2C:\Program Files\Internet Explorer\iexplore.exe
iexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Internet Explorer
Version:
11.00.9600.16428 (winblue_gdr.131013-1700)
1692"C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6Z2BCOUL\setup_0113595485.exe" C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6Z2BCOUL\setup_0113595485.exeiexplore.exe
User:
admin
Company:
Dopo
Integrity Level:
MEDIUM
Description:
Gehopos Setup
Exit code:
0
Version:
4.8.3.3
3524"C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6Z2BCOUL\setup_0113595485.exe" RSF /ppn:YWV4dQ0KChAjb3J1FQUI /ads:1 /mnlC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6Z2BCOUL\setup_0113595485.exe
setup_0113595485.exe
User:
admin
Company:
Dopo
Integrity Level:
HIGH
Description:
Gehopos Setup
Exit code:
0
Version:
4.8.3.3
2940"C:\Users\admin\Downloads\setup.exe" C:\Users\admin\Downloads\setup.exe
setup_0113595485.exe
User:
admin
Company:
AIMP DevTeam
Integrity Level:
HIGH
Description:
AIMP Classic
Version:
1.77.9
3140"C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://ic-dc.bestapplicationgift.com/pr/c118a262-a58e-11e6-96e8-02d572c616f1/typ_1.html?exlg=696C:\Program Files\Internet Explorer\IEXPLORE.EXEsetup_0113595485.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Internet Explorer
Version:
11.00.9600.16428 (winblue_gdr.131013-1700)
3664"C:\Program Files\Internet Explorer\IEXPLORE.EXE" SCODEF:3140 CREDAT:275457 /prefetch:2C:\Program Files\Internet Explorer\IEXPLORE.EXE
IEXPLORE.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Internet Explorer
Version:
11.00.9600.16428 (winblue_gdr.131013-1700)
Total events
8 443
Read events
2 578
Write events
0
Delete events
0

Modification events

No data
Executable files
9
Suspicious files
37
Text files
103
Unknown types
14

Dropped files

PID
Process
Filename
Type
3960iexplore.exeC:\Users\admin\AppData\Local\Temp\Low\Cab7B24.tmp
MD5:
SHA256:
3960iexplore.exeC:\Users\admin\AppData\Local\Temp\Low\Tar7B25.tmp
MD5:
SHA256:
4040iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico
MD5:
SHA256:
3960iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CFE86DBBE02D859DC92F1E17E0574EE8_46766FC45507C0B9E264E4C18BC7288Bbinary
MD5:4335FFB6EEE90CBBD7CBE55A136EE456
SHA256:5CB26B0A8CCBC72C2F60EC3C8660EA6D137DE89F17F1E89EBDC1F449BCC1D181
3960iexplore.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\0N7XOESD.txt
MD5:
SHA256:
3960iexplore.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\239H7LYX.txt
MD5:
SHA256:
3960iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\MFAQUS6V\collect[2].gif
MD5:
SHA256:
3960iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_74167E25E5476CCA2A5946AAA61BF9E1der
MD5:FB1DCFAD78F9693BB3A1A362365BDFD6
SHA256:C9733E8718FE8213E3E71412B290E4DE1B8F859D2D994C8BBBC829A37E43951A
3960iexplore.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\PGXAICWX.txttext
MD5:06A392CD99C0371308E9F533EBFE1FC9
SHA256:0446588C833785184624811E5E3D2D4672A64D3CCC91132B401B5714BDD5E47C
3960iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\MSIMGSIZ.DATsmt
MD5:20A5E48B1D3761D413D3F8900CF81C42
SHA256:D7C09C867B36004F364C514EC98007C38D51B38CAC16A6AAC9DB971188C9F3DD
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
34
TCP/UDP connections
59
DNS requests
31
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3524
setup_0113595485.exe
GET
200
104.31.71.161:80
http://refr.host/downloadimage/27526/16/249a2fa68e73eed0a5c302fb0f800a9c/logo4.png?logotipo=automatico&uo=uu7XiPfVh1j_hpMnlyPpkcYLSu9OEDC6Fcvccwdz1SSvn-TrBIPc7FLz2ms_ulUstNlxfN9SdTG8HBX9S_SOVeXa8IpCQGyE5wraawL6GI5_owVArPJdELNaRj5m6TbV&nada=true
US
image
3.67 Kb
suspicious
3524
setup_0113595485.exe
GET
200
199.201.110.78:80
http://db.moyes-refab.com/img/Sibarasawi/TPC_win_bg.png
US
image
9.60 Kb
malicious
3960
iexplore.exe
GET
200
2.21.242.187:80
http://isrg.trustid.ocsp.identrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRv9GhNQxLSSGKBnMArPUcsHYovpgQUxKexpHsscfrb4UuQdf%2FEFWCFiRACEAoBQUIAAAFThXNqC4Xspwg%3D
NL
der
1.37 Kb
whitelisted
3960
iexplore.exe
GET
200
13.225.87.88:80
http://d2ucl3lvmgar61.cloudfront.net/clsscwtg%7Cd1xx/setup.exe
US
executable
2.91 Mb
whitelisted
4040
iexplore.exe
GET
200
93.184.220.29:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA8sEMlbBsCTf7jUSfg%2BhWk%3D
US
der
1.47 Kb
whitelisted
4040
iexplore.exe
GET
200
204.79.197.200:80
http://www.bing.com/favicon.ico
US
image
237 b
whitelisted
4040
iexplore.exe
GET
200
93.184.220.29:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA8sEMlbBsCTf7jUSfg%2BhWk%3D
US
der
1.47 Kb
whitelisted
3524
setup_0113595485.exe
HEAD
200
199.201.110.78:80
http://db.moyes-refab.com/ofr/Niniwic/YL/Niniwic_Tefenece_12Apr16
US
malicious
3524
setup_0113595485.exe
POST
200
34.246.131.106:80
http://beta.moyes-refab.com/
IE
malicious
3524
setup_0113595485.exe
HEAD
200
185.59.222.148:80
http://new.moyes-refab.com/ofr/Solululadul/icut_v2_2
NL
malicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
3960
iexplore.exe
93.184.220.29:80
ocsp.digicert.com
MCI Communications Services, Inc. d/b/a Verizon Business
US
whitelisted
4040
iexplore.exe
204.79.197.200:80
www.bing.com
Microsoft Corporation
US
whitelisted
3960
iexplore.exe
172.217.18.110:443
www.google-analytics.com
Google Inc.
US
whitelisted
3960
iexplore.exe
216.58.210.3:80
ocsp.pki.goog
Google Inc.
US
whitelisted
3960
iexplore.exe
104.31.77.183:443
Cloudflare Inc
US
shared
3960
iexplore.exe
172.217.23.104:443
www.googletagmanager.com
Google Inc.
US
suspicious
3960
iexplore.exe
212.124.115.196:443
www.federationpitch.com
True Records Inc.
DE
suspicious
4040
iexplore.exe
104.27.156.86:443
file.xsave.info
Cloudflare Inc
US
shared
3960
iexplore.exe
104.27.156.86:443
file.xsave.info
Cloudflare Inc
US
shared
3960
iexplore.exe
2.21.242.187:80
isrg.trustid.ocsp.identrust.com
Akamai International B.V.
NL
whitelisted

DNS requests

Domain
IP
Reputation
winfiles.us
  • 54.154.136.239
  • 54.77.45.238
malicious
ocsp.digicert.com
  • 93.184.220.29
whitelisted
api.bing.com
  • 13.107.5.80
whitelisted
www.bing.com
  • 204.79.197.200
  • 13.107.21.200
whitelisted
www.googletagmanager.com
  • 172.217.23.104
whitelisted
ocsp.pki.goog
  • 216.58.210.3
whitelisted
file.xsave.info
  • 104.27.156.86
  • 104.27.157.86
unknown
www.google-analytics.com
  • 172.217.18.110
whitelisted
d2ucl3lvmgar61.cloudfront.net
  • 13.225.87.88
  • 13.225.87.63
  • 13.225.87.52
  • 13.225.87.218
whitelisted
www.federationpitch.com
  • 212.124.115.196
  • 212.124.124.178
suspicious

Threats

PID
Process
Class
Message
3960
iexplore.exe
Potential Corporate Privacy Violation
ET POLICY PE EXE or DLL Windows file download HTTP
3960
iexplore.exe
Misc activity
ET INFO EXE - Served Attached HTTP
3524
setup_0113595485.exe
A Network Trojan was detected
ET CURRENT_EVENTS SUSPICIOUS Firesale gTLD EXE DL with no Referer June 13 2016
3524
setup_0113595485.exe
A Network Trojan was detected
ET CURRENT_EVENTS SUSPICIOUS Firesale gTLD EXE DL with no Referer June 13 2016
3524
setup_0113595485.exe
A Network Trojan was detected
ET CURRENT_EVENTS SUSPICIOUS Firesale gTLD EXE DL with no Referer June 13 2016
3524
setup_0113595485.exe
Potential Corporate Privacy Violation
ET POLICY PE EXE or DLL Windows file download HTTP
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
https://winfiles.us/HOW%20TO%20DOWNLOAD%20ALL%20OCULUS%20QUEST%20GAMES%20FOR%20FREE