File name: BRLink_V_1.1.0.34.rar

Full analysis: https://app.any.run/tasks/5dc45a7b-7429-4795-a6af-c07d5a40f318
Verdict: Malicious activity
Analysis date: October 02, 2024, 16:16:36
OS: Windows 10 Professional (build: 19045, 64 bit)
Indicators:
MIME: application/x-rar
File info: RAR archive data, v5
MD5: 2CF8745ADEE2B92F2D049B18CAF6EFDA
SHA1: 7BD7815FD570972967CF5244A37725249315E14F
SHA256: EF202B420189CD8D06B7C032E6A085E87E91580FC7FE85915A9F05D5EAB5CD52
SSDEEP: 98304:L5ctFbRno4kUgPpND6LiwJqlUDE9kCCAq1s4+OEqWbYMbYa3v2mrGLwq8CBvEX+c:l5P3am/onbIo++HRBsUHyQoMaL

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Registers / Runs the DLL via REGSVR32.EXE

      • cmd.exe (PID: 4448)
      • cmd.exe (PID: 3276)
      • cmd.exe (PID: 5760)
      • cmd.exe (PID: 3356)
      • cmd.exe (PID: 1804)
      • cmd.exe (PID: 5932)
  • SUSPICIOUS

    • Process drops legitimate windows executable

      • WinRAR.exe (PID: 6572)
    • Uses TASKKILL.EXE to kill process

      • cmd.exe (PID: 3276)
      • cmd.exe (PID: 4448)
      • cmd.exe (PID: 5760)
      • cmd.exe (PID: 3356)
      • cmd.exe (PID: 1804)
      • cmd.exe (PID: 5932)
    • Uses TIMEOUT.EXE to delay execution

      • cmd.exe (PID: 5760)
      • cmd.exe (PID: 3276)
      • cmd.exe (PID: 4448)
      • cmd.exe (PID: 3356)
      • cmd.exe (PID: 1804)
      • cmd.exe (PID: 5932)
    • Starts CMD.EXE for commands execution

      • WinRAR.exe (PID: 4896)
    • Executing commands from a ".bat" file

      • WinRAR.exe (PID: 4896)
  • INFO

    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 6572)
    • Manual execution by a user

      • cmd.exe (PID: 3276)
      • cmd.exe (PID: 5760)
      • cmd.exe (PID: 4448)
      • cmd.exe (PID: 3356)
      • cmd.exe (PID: 1804)
      • WinRAR.exe (PID: 4896)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.rar | RAR compressed archive (v5.0) (61.5)
.rar | RAR compressed archive (gen) (38.4)
No data.
All screenshots are available in the full report
Total processes: 218
Monitored processes: 89
Malicious processes: 7
Suspicious processes: 0

Behavior graph

(Interactive process graph, available in the full report. Nodes shown: winrar.exe, sppextcomobj.exe, slui.exe, cmd.exe, conhost.exe, taskkill.exe, regsvr32.exe, timeout.exe.)

Process information

Columns: PID | CMD | Path | Indicators | Parent process
PID: 68 | CMD: timeout /T 2 | Path: C:\Windows\System32\timeout.exe | Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: timeout - pauses command processing
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\timeout.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll

PID: 240 | CMD: timeout /T 2 | Path: C:\Windows\System32\timeout.exe | Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: timeout - pauses command processing
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\timeout.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll

PID: 420 | CMD: timeout /T 2 | Path: C:\Windows\System32\timeout.exe | Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: timeout - pauses command processing
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\timeout.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll

PID: 420 | CMD: taskkill /f /t /im iBridgeHelpCS.exe | Path: C:\Windows\System32\taskkill.exe | Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Terminates Processes
Exit code: 128
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\taskkill.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll

PID: 796 | CMD: C:\windows\SysWow64\regsvr32.exe -s C:\windows\Syswow64\iBridgeCSps.dll | Path: C:\Windows\SysWOW64\regsvr32.exe | Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft(C) Register Server
Exit code: 3
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\syswow64\regsvr32.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\aclayers.dll

PID: 992 | CMD: timeout /T 2 | Path: C:\Windows\System32\timeout.exe | Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: timeout - pauses command processing
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\timeout.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll

PID: 1132 | CMD: timeout /T 2 | Path: C:\Windows\System32\timeout.exe | Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: timeout - pauses command processing
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\timeout.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll

PID: 1132 | CMD: C:\windows\System32\regsvr32.exe -s C:\windows\system32\iBridgeHelpCSps.dll | Path: C:\Windows\System32\regsvr32.exe | Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft(C) Register Server
Exit code: 3
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\regsvr32.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll

PID: 1308 | CMD: C:\windows\System32\regsvr32.exe -s C:\windows\system32\iBridgeCSps.dll | Path: C:\Windows\System32\regsvr32.exe | Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft(C) Register Server
Exit code: 3
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\regsvr32.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll

PID: 1492 | CMD: timeout /T 2 | Path: C:\Windows\System32\timeout.exe | Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: timeout - pauses command processing
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\timeout.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll

Total events: 6 197
Read events: 6 164
Write events: 33
Delete events: 0

Modification events

(PID) Process: (6572) WinRAR.exe | Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory | Operation: write | Name: 1 | Value: C:\Users\admin\Desktop\GoogleChromeEnterpriseBundle64.zip
(PID) Process: (6572) WinRAR.exe | Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory | Operation: write | Name: 0 | Value: C:\Users\admin\AppData\Local\Temp\BRLink_V_1.1.0.34.rar
(PID) Process: (6572) WinRAR.exe | Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths | Operation: write | Name: name | Value: 120
(PID) Process: (6572) WinRAR.exe | Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths | Operation: write | Name: size | Value: 80
(PID) Process: (6572) WinRAR.exe | Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths | Operation: write | Name: type | Value: 120
(PID) Process: (6572) WinRAR.exe | Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths | Operation: write | Name: mtime | Value: 100
(PID) Process: (4896) WinRAR.exe | Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory | Operation: write | Name: 2 | Value: C:\Users\admin\Desktop\GoogleChromeEnterpriseBundle64.zip
(PID) Process: (4896) WinRAR.exe | Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory | Operation: write | Name: 1 | Value: C:\Users\admin\AppData\Local\Temp\BRLink_V_1.1.0.34.rar
(PID) Process: (4896) WinRAR.exe | Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory | Operation: write | Name: 0 | Value: C:\Users\admin\Desktop\BRLink_V_1.1.0.34\重新注册蓝牙服务(1).zip
(PID) Process: (4896) WinRAR.exe | Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths | Operation: write | Name: name | Value: 120
Executable files: 7
Suspicious files: 15
Text files: 10
Unknown types: 0

Dropped files

PID | Process | Filename | Type
6572 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa6572.13415\BRLink_V_1.1.0.34\install\amd64\BRLink.cab | compressed
  MD5: D7CCC181A2F24F2920D33A80F130CA87 | SHA256: 94D91593C2884BFD8F35043FA301C896F070986A6423F857271C250CF45FB003
6572 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa6572.13415\BRLink_V_1.1.0.34\install\amd64\2052.mst | binary
  MD5: FA5FB75628F70B442039319129A71079 | SHA256: DD79A2106856A45B7DABBF9B1DD7CC3FAE11010410B7E7AEA4561139AA157C48
6572 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa6572.13415\BRLink_V_1.1.0.34\install\amd64\0x0404.ini | binary
  MD5: E21471906CED4962E5CC40185EAA8A44 | SHA256: B9DD818ED60BB5E5A65BE6F9F0F6ED75EBA094F108519BB07267D196633187DF
6572 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa6572.13415\BRLink_V_1.1.0.34\install\amd64\1033.mst | binary
  MD5: 11D41BA7B5FE955642BBED724A41DE76 | SHA256: B58429B0A7704838AD5CE97AD4FE72F8E1AC508D5B85F115FF7938A20F92FF50
6572 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa6572.13415\BRLink_V_1.1.0.34\install\amd64\0x0412.ini | text
  MD5: 2F29DFC373FC410636EC078B337D7701 | SHA256: 450A555B07BD053F31D9B6229AC2A50E92F58B2C6C068650E72D74796E4E55D0
6572 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa6572.13415\BRLink_V_1.1.0.34\install\amd64\1042.mst | binary
  MD5: 72AA247A9D5050E5D301DFF6D42AE5E6 | SHA256: A61FF6AD8EB36FB6034FDD2011C551516B7405544E5ACDFB7C410B0841D291FF
6572 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa6572.13415\BRLink_V_1.1.0.34\install\amd64\0x0409.ini | binary
  MD5: 6C87581375D4E4789761B9833C2A1B4D | SHA256: 43160E278E4302E378E754149C6394BC51D1969A7941687CFCC6C00B25151282
6572 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa6572.13415\BRLink_V_1.1.0.34\install\Packet\vcredist_x86.exe | executable
  MD5: E304BB596EFE6509B96024385B1FCFEE | SHA256: 0CE99658715E43D372D652EF02A269D64FADDB7004FC03BA0FFE2D75467D8F47
6572 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa6572.13415\BRLink_V_1.1.0.34\install\amd64\0x0804.ini | text
  MD5: F4173ACFB530F6529B5A83F4734B7DE2 | SHA256: 72F2993DF49DE0263E981A7D36A11DF005755505C9F01C0B3560E427D79E5EB8
6572 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa6572.13415\BRLink_V_1.1.0.34\install\Packet\vcredist_x64.exe | executable
  MD5: 4B6A99D596F2E6B9C497DA07795D4476 | SHA256: A7D05B0FBDF03956F76C4385CF78646552E7A14B0EA4F087B430F2D65F1329FA
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 6
TCP/UDP connections: 61
DNS requests: 18
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Reputation (the Type and Size columns are empty for every row)
(not shown) | (not shown) | GET | 200 | 88.221.169.152:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted
2120 | MoUsoCoreWorker.exe | GET | 200 | 88.221.169.152:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted
6020 | backgroundTaskHost.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D | unknown | whitelisted
(not shown) | (not shown) | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | whitelisted
3180 | SIHClient.exe | GET | 200 | 88.221.169.152:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl | unknown | whitelisted
3180 | SIHClient.exe | GET | 200 | 88.221.169.152:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
2808 | svchost.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:137 | (none) | (none) | (none) | whitelisted
(not shown) | (not shown) | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
2120 | MoUsoCoreWorker.exe | 88.221.169.152:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
(not shown) | (not shown) | 88.221.169.152:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
(not shown) | (not shown) | 184.28.89.167:443 | go.microsoft.com | AKAMAI-AS | US | whitelisted
(not shown) | (not shown) | 40.126.31.69:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
(not shown) | (not shown) | 192.229.221.95:80 | ocsp.digicert.com | EDGECAST | US | whitelisted
(not shown) | (not shown) | 40.115.3.253:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
3888 | svchost.exe | 239.255.255.250:1900 | (none) | (none) | (none) | whitelisted

DNS requests

Domain | IP | Reputation
settings-win.data.microsoft.com | 4.231.128.59 | whitelisted
www.microsoft.com | 88.221.169.152 | whitelisted
google.com | 142.250.185.238 | whitelisted
go.microsoft.com | 184.28.89.167 | whitelisted
login.live.com | 40.126.31.69, 20.190.159.64, 40.126.31.73, 40.126.31.67, 20.190.159.73, 20.190.159.0, 20.190.159.68, 20.190.159.75 | whitelisted
ocsp.digicert.com | 192.229.221.95 | whitelisted
client.wns.windows.com | 40.115.3.253 | whitelisted
arc.msn.com | 20.103.156.88 | whitelisted
fd.api.iris.microsoft.com | 20.199.58.43 | whitelisted
browser.pipe.aria.microsoft.com | 20.189.173.15 | whitelisted

Threats

No threats detected
No debug info