File name:

7tsp GUI v0.6(2019).exe

Full analysis: https://app.any.run/tasks/81498521-075d-426f-bd15-2a561da1d25d
Verdict: Malicious activity
Analysis date: April 30, 2024, 21:06:59
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
MD5:

0FC4B5592E3B58F1FC87D5EF81DE981A

SHA1:

F9408F54BE6540CCAF7CE0B9DBB80B81AFD83CA8

SHA256:

090C9E214599150F6ED241171BB2107E04D13BFA5E74927B094B139EAE280B65

SSDEEP:

98304:0kJXjsBN1FOVttlTfMO5bkjUBoUpQbo3r95HwTClvBAOMpWaQ0dy4ybVWT1rk/lv:0o31yYVBFX

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Drops the executable file immediately after the start

      • 7tsp GUI v0.6(2019).exe (PID: 4068)

    • Starts NET.EXE for service management

      • cmd.exe (PID: 1868)
      • net.exe (PID: 1408)
      • cmd.exe (PID: 1996)
      • net.exe (PID: 2664)

    • Creates a writable file in the system directory

      • 7tsp GUI v0.6(2019).exe (PID: 4068)

    • Changes the autorun value in the registry

      • 7tsp GUI v0.6(2019).exe (PID: 4068)

  • SUSPICIOUS

    • Start notepad (likely ransomware note)

      • 7tsp GUI v0.6(2019).exe (PID: 4068)

    • Drops 7-zip archiver for unpacking

      • 7tsp GUI v0.6(2019).exe (PID: 4068)

    • Executable content was dropped or overwritten

      • 7tsp GUI v0.6(2019).exe (PID: 4068)

    • Starts CMD.EXE for commands execution

      • 7tsp GUI v0.6(2019).exe (PID: 4068)
      • c.i.c.exe (PID: 2092)

    • Searches for installed software

      • 7tsp GUI v0.6(2019).exe (PID: 4068)
      • dllhost.exe (PID: 2240)

    • Reads the Internet Settings

      • 7tsp GUI v0.6(2019).exe (PID: 4068)
      • sipnotify.exe (PID: 1816)
      • runonce.exe (PID: 2068)

    • Executes as Windows Service

      • VSSVC.exe (PID: 2368)

    • Process drops legitimate windows executable

      • 7tsp GUI v0.6(2019).exe (PID: 4068)

    • Uses TASKKILL.EXE to kill process

      • cmd.exe (PID: 3916)
      • cmd.exe (PID: 2112)

    • Uses ICACLS.EXE to modify access control lists

      • cmd.exe (PID: 1020)
      • cmd.exe (PID: 1144)
      • cmd.exe (PID: 2272)
      • cmd.exe (PID: 2560)
      • cmd.exe (PID: 864)
      • cmd.exe (PID: 764)
      • cmd.exe (PID: 1800)
      • cmd.exe (PID: 2548)
      • cmd.exe (PID: 2572)

    • Takes ownership (TAKEOWN.EXE)

      • cmd.exe (PID: 3240)
      • cmd.exe (PID: 2900)

    • The process executes via Task Scheduler

      • sipnotify.exe (PID: 1816)
      • ctfmon.exe (PID: 1464)

    • Executing commands from a ".bat" file

      • c.i.c.exe (PID: 2092)

  • INFO

    • Reads the computer name

      • 7tsp GUI v0.6(2019).exe (PID: 4068)
      • ResHacker.exe (PID: 748)
      • ResHacker.exe (PID: 116)
      • ResHacker.exe (PID: 304)
      • ResHacker.exe (PID: 2688)
      • ResHacker.exe (PID: 1280)
      • ResHacker.exe (PID: 2428)
      • ResHacker.exe (PID: 2812)
      • ResHacker.exe (PID: 2644)
      • ResHacker.exe (PID: 2908)
      • ResHacker.exe (PID: 3056)
      • ResHacker.exe (PID: 2972)
      • ResHacker.exe (PID: 2752)
      • ResHacker.exe (PID: 3124)
      • ResHacker.exe (PID: 3140)
      • ResHacker.exe (PID: 3260)
      • ResHacker.exe (PID: 3392)
      • ResHacker.exe (PID: 2920)
      • ResHacker.exe (PID: 3692)
      • ResHacker.exe (PID: 3548)
      • ResHacker.exe (PID: 3540)
      • ResHacker.exe (PID: 3820)
      • ResHacker.exe (PID: 2316)
      • ResHacker.exe (PID: 1932)
      • c.i.c.exe (PID: 2092)
      • wmpnscfg.exe (PID: 2588)
      • wmpnscfg.exe (PID: 2712)

    • Reads mouse settings

      • 7tsp GUI v0.6(2019).exe (PID: 4068)
      • c.i.c.exe (PID: 2092)

    • Checks supported languages

      • 7tsp GUI v0.6(2019).exe (PID: 4068)
      • ResHacker.exe (PID: 748)
      • ResHacker.exe (PID: 2204)
      • ResHacker.exe (PID: 116)
      • ResHacker.exe (PID: 304)
      • ResHacker.exe (PID: 2688)
      • ResHacker.exe (PID: 2812)
      • ResHacker.exe (PID: 1280)
      • ResHacker.exe (PID: 2428)
      • ResHacker.exe (PID: 2644)
      • ResHacker.exe (PID: 2884)
      • ResHacker.exe (PID: 2920)
      • ResHacker.exe (PID: 2908)
      • ResHacker.exe (PID: 2972)
      • ResHacker.exe (PID: 3056)
      • ResHacker.exe (PID: 2752)
      • ResHacker.exe (PID: 3140)
      • ResHacker.exe (PID: 3124)
      • ResHacker.exe (PID: 3260)
      • ResHacker.exe (PID: 3692)
      • ResHacker.exe (PID: 3392)
      • ResHacker.exe (PID: 3548)
      • ResHacker.exe (PID: 3540)
      • ResHacker.exe (PID: 3820)
      • ResHacker.exe (PID: 2316)
      • bru.exe (PID: 856)
      • bru.exe (PID: 304)
      • ResHacker.exe (PID: 1932)
      • c.i.c.exe (PID: 2092)
      • wmpnscfg.exe (PID: 2712)
      • wmpnscfg.exe (PID: 2588)

    • Checks Windows language

      • 7tsp GUI v0.6(2019).exe (PID: 4068)
      • c.i.c.exe (PID: 2092)

    • Reads the machine GUID from the registry

      • 7tsp GUI v0.6(2019).exe (PID: 4068)
      • bru.exe (PID: 856)
      • bru.exe (PID: 304)
      • c.i.c.exe (PID: 2092)

    • Creates files in the program directory

      • 7tsp GUI v0.6(2019).exe (PID: 4068)
      • ResHacker.exe (PID: 748)
      • ResHacker.exe (PID: 116)
      • ResHacker.exe (PID: 304)
      • ResHacker.exe (PID: 2644)
      • icacls.exe (PID: 4040)
      • icacls.exe (PID: 3332)
      • ResHacker.exe (PID: 1932)
      • ResHacker.exe (PID: 2316)
      • c.i.c.exe (PID: 2092)

    • Create files in a temporary directory

      • 7tsp GUI v0.6(2019).exe (PID: 4068)

    • Reads the time zone

      • runonce.exe (PID: 2068)

    • Manual execution by a user

      • runonce.exe (PID: 2068)

    • Creates files or folders in the user directory

      • explorer.exe (PID: 2396)
      • explorer.exe (PID: 2220)

    • Reads security settings of Internet Explorer

      • runonce.exe (PID: 2068)

    • Reads the Internet Settings

      • explorer.exe (PID: 2220)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | UPX compressed Win32 Executable (39.3)
.exe | Win32 EXE Yoda's Crypter (38.6)
.dll | Win32 Dynamic Link Library (generic) (9.5)
.exe | Win32 Executable (generic) (6.5)
.exe | Generic Win/DOS Executable (2.9)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2010:03:07 16:08:39+00:00
ImageFileCharacteristics: No relocs, Executable, Large address aware, 32-bit
PEType: PE32
LinkerVersion: 9
CodeSize: 270336
InitializedDataSize: 151552
UninitializedDataSize: 602112
EntryPoint: 0xd5bc0
OSVersion: 5
ImageVersion: -
SubsystemVersion: 5
Subsystem: Windows GUI
FileVersionNumber: 0.6.2.0
ProductVersionNumber: 3.3.6.0
FileFlagsMask: 0x0000
FileFlags: (none)
FileOS: Win32
ObjectFileType: Unknown
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
FileVersion: 0.6.2.0
Comments: Se7en Theme Source Patcher v0.6.2019 Patches your Windows Se7en System Files with new Icons and Bitmaps
FileDescription: Se7en Theme Source Patcher
LegalCopyright: XPtsp Team -Program Written By Fixit-
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
235
Monitored processes
102
Malicious processes
2
Suspicious processes
4

Behavior graph

Click at the process to see the details
start 7tsp gui v0.6(2019).exe notepad.exe no specs cmd.exe no specs reshacker.exe no specs cmd.exe no specs reshacker.exe no specs cmd.exe no specs reshacker.exe no specs cmd.exe no specs reshacker.exe no specs SPPSurrogate no specs vssvc.exe no specs cmd.exe no specs net.exe no specs net1.exe no specs cmd.exe no specs reshacker.exe no specs cmd.exe no specs reshacker.exe no specs cmd.exe no specs reshacker.exe no specs cmd.exe no specs reshacker.exe no specs cmd.exe no specs reshacker.exe no specs cmd.exe no specs cmd.exe no specs reshacker.exe no specs cmd.exe no specs reshacker.exe no specs cmd.exe no specs reshacker.exe no specs cmd.exe no specs reshacker.exe no specs cmd.exe no specs reshacker.exe no specs cmd.exe no specs reshacker.exe no specs cmd.exe no specs reshacker.exe no specs cmd.exe no specs reshacker.exe no specs cmd.exe no specs reshacker.exe no specs cmd.exe no specs reshacker.exe no specs cmd.exe no specs reshacker.exe no specs cmd.exe no specs reshacker.exe no specs cmd.exe no specs reshacker.exe no specs cmd.exe no specs reshacker.exe no specs cmd.exe no specs taskkill.exe no specs cmd.exe no specs icacls.exe no specs cmd.exe no specs takeown.exe no specs cmd.exe no specs icacls.exe no specs cmd.exe no specs reshacker.exe no specs cmd.exe no specs bru.exe no specs cmd.exe no specs icacls.exe no specs cmd.exe no specs icacls.exe no specs cmd.exe no specs icacls.exe no specs cmd.exe no specs takeown.exe no specs cmd.exe no specs icacls.exe no specs cmd.exe no specs reshacker.exe no specs cmd.exe no specs bru.exe no specs cmd.exe no specs icacls.exe no specs cmd.exe no specs icacls.exe no specs cmd.exe no specs net.exe no specs net1.exe no specs explorer.exe no specs ctfmon.exe no specs sipnotify.exe runonce.exe c.i.c.exe no specs cmd.exe no specs taskkill.exe no specs explorer.exe no specs cmd.exe no specs wmpnscfg.exe no specs icacls.exe no specs cmd.exe no specs ping.exe no specs wmpnscfg.exe no specs 7tsp gui v0.6(2019).exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
112TAKEOWN /F "C:\Windows\system32\imageres.dll" /aC:\Windows\System32\takeown.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Takes ownership of a file
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\takeown.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
116"C:\ProgramData\local\temp\7tsp\Programs\reshacker.exe""" -extract "C:\Windows\system32\shell32.dll", "C:\ProgramData\local\temp\7tsp\Extra\shell32\633.bmp", BITMAP,633,C:\ProgramData\local\temp\7tsp\programs\ResHacker.execmd.exe
User:
admin
Integrity Level:
HIGH
Description:
Resource viewer, decompiler & recompiler.
Exit code:
0
Version:
3.6.0.92
Modules
Images
c:\programdata\local\temp\7tsp\programs\reshacker.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
116icacls "C:\Windows\system32\imageres.dll" /grant *S-1-5-32-544:FC:\Windows\System32\icacls.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\icacls.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
304"C:\ProgramData\local\temp\7tsp\Programs\reshacker.exe""" -extract "C:\Windows\explorer.exe", "C:\ProgramData\local\temp\7tsp\temp\orb.bmp", BITMAP,6801,C:\ProgramData\local\temp\7tsp\programs\ResHacker.execmd.exe
User:
admin
Integrity Level:
HIGH
Description:
Resource viewer, decompiler & recompiler.
Exit code:
0
Version:
3.6.0.92
Modules
Images
c:\programdata\local\temp\7tsp\programs\reshacker.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
304"C:\ProgramData\local\temp\7tsp\programs\bru.exe""" "C:\ProgramData\local\temp\7tsp\imageres.dll.bruC:\ProgramData\local\temp\7tsp\programs\bru.execmd.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
Modules
Images
c:\programdata\local\temp\7tsp\programs\bru.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\winsxs\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.6161_none_50934f2ebcb7eb57\msvcr90.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\winsxs\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.6161_none_50934f2ebcb7eb57\msvcm90.dll
c:\windows\system32\ole32.dll
748"C:\ProgramData\local\temp\7tsp\Programs\reshacker.exe""" -extract "C:\Windows\system32\imageres.dll", "C:\ProgramData\local\temp\7tsp\Extra\logon\5033.jpg", IMAGE,5033,C:\ProgramData\local\temp\7tsp\programs\ResHacker.execmd.exe
User:
admin
Integrity Level:
HIGH
Description:
Resource viewer, decompiler & recompiler.
Exit code:
0
Version:
3.6.0.92
Modules
Images
c:\programdata\local\temp\7tsp\programs\reshacker.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
764C:\Windows\system32\cmd.exe /c icacls "C:\Windows\system32\imageres.dll" /setowner *S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464C:\Windows\System32\cmd.exe7tsp GUI v0.6(2019).exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
856"C:\ProgramData\local\temp\7tsp\programs\bru.exe""" "C:\ProgramData\local\temp\7tsp\shell32.dll.bruC:\ProgramData\local\temp\7tsp\programs\bru.execmd.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
Modules
Images
c:\programdata\local\temp\7tsp\programs\bru.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\winsxs\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.6161_none_50934f2ebcb7eb57\msvcr90.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\winsxs\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.6161_none_50934f2ebcb7eb57\msvcm90.dll
c:\windows\system32\ole32.dll
864C:\Windows\system32\cmd.exe /c icacls "C:\Windows\system32\imageres.dll" /grant *S-1-5-32-544:FC:\Windows\System32\cmd.exe7tsp GUI v0.6(2019).exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
948C:\Windows\system32\cmd.exe /c ""C:\ProgramData\local\temp\7tsp\Programs\reshacker.exe""" -extract "C:\ProgramData\local\temp\7tsp\resources\shell32.dll.res", "C:\ProgramData\local\temp\7tsp\recompile\recompile.rc ,,,"C:\Windows\System32\cmd.exe7tsp GUI v0.6(2019).exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
Total events
32 607
Read events
32 090
Write events
498
Delete events
19

Modification events

(PID) Process:(4068) 7tsp GUI v0.6(2019).exeKey:HKEY_CURRENT_USER\Software\Fixit Tools\7tsp
Operation:writeName:Agreement
Value:
(2019)Yes
(PID) Process:(4068) 7tsp GUI v0.6(2019).exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\FirstFolder
Operation:delete valueName:MRUList
Value:
(PID) Process:(4068) 7tsp GUI v0.6(2019).exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\FirstFolder
Operation:writeName:0
Value:
43003A005C00550073006500720073005C00610064006D0069006E005C0041007000700044006100740061005C004C006F00630061006C005C00540065006D0070005C00370074007300700020004700550049002000760030002E0036002800320030003100390029002E00650078006500000043003A005C00550073006500720073005C00610064006D0069006E005C004400650073006B0074006F0070000000
(PID) Process:(4068) 7tsp GUI v0.6(2019).exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\FirstFolder
Operation:writeName:MRUListEx
Value:
00000000FFFFFFFF
(PID) Process:(4068) 7tsp GUI v0.6(2019).exeKey:HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\BagMRU
Operation:writeName:NodeSlots
Value:
0202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202
(PID) Process:(4068) 7tsp GUI v0.6(2019).exeKey:HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\BagMRU
Operation:writeName:MRUListEx
Value:
01000000070000000200000006000000000000000B0000000C0000000D0000000A0000000900000008000000030000000500000004000000FFFFFFFF
(PID) Process:(4068) 7tsp GUI v0.6(2019).exeKey:HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E
Operation:writeName:LanguageList
Value:
en-US
(PID) Process:(4068) 7tsp GUI v0.6(2019).exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\CIDSizeMRU
Operation:writeName:4
Value:
370074007300700020004700550049002000760030002E0036002800320030003100390029002E0065007800650000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000006E0100009C000000EE0300007C020000000000000000000000000000000000000100000000000000
(PID) Process:(4068) 7tsp GUI v0.6(2019).exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\CIDSizeMRU
Operation:delete valueName:4
Value:
7tsp GUI v0.6(2019).exe
(PID) Process:(4068) 7tsp GUI v0.6(2019).exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\CIDSizeMRU
Operation:writeName:4
Value:
370074007300700020004700550049002000760030002E0036002800320030003100390029002E006500780065000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000006B010000730000009703000044020000000000000000000000000000000000006E0100009C000000EE0300007C020000000000000000000000000000000000000100000000000000
Executable files
17
Suspicious files
26
Text files
51
Unknown types
17

Dropped files

PID
Process
Filename
Type
40687tsp GUI v0.6(2019).exeC:\ProgramData\local\temp\7tsp\programs\lang.initext
MD5:DD3D7C4A542DBD24F254093762300901
SHA256:38B48270CC628E4B60DDB354EE115E6C465740D0B93AA6FCAECC60D5C67D9B72
40687tsp GUI v0.6(2019).exeC:\ProgramData\local\temp\ReadMe.txttext
MD5:907DB78291FB358F7D8B4CE73D33F8F1
SHA256:4C01C8609EFEFF5B359AA5355266C933EDB3F50DCA1CBF532C4D9096253581C9
40687tsp GUI v0.6(2019).exeC:\Users\admin\AppData\Local\Temp\aut5621.tmpbinary
MD5:50A46D26B330BCD5D0BAC4E14554953B
SHA256:0D7193BDB42674D17C242D8504DB31A2C5B6864BD1D372016E8CDC9EAA62D9E4
40687tsp GUI v0.6(2019).exeC:\ProgramData\local\temp\7tsp\programs\7za.exeexecutable
MD5:C6D72642721E84D227DEFC3EC4AB12E6
SHA256:0CC0DE83B51DAE55A4FCAE559DEFC87BEA8448010D064C316ABCFE9459ECE035
40687tsp GUI v0.6(2019).exeC:\Users\admin\AppData\Local\Temp\aut868D.tmpbinary
MD5:EE15D23DEA27B37C972E58AFE27DC201
SHA256:4536C7F61CD9A26411D159E91DFF12B43AC72AEBA9F6C252AF49F0E682D12E19
40687tsp GUI v0.6(2019).exeC:\Users\admin\AppData\Local\Temp\aut86DC.tmpbinary
MD5:18EC3F6B83F3E22FD4FE0E7457178EEF
SHA256:73247FB3D2B630D6AB810BE9E7D14771465A205E604A7E28E00D96A8B68AA08E
40687tsp GUI v0.6(2019).exeC:\Users\admin\AppData\Local\Temp\aut8580.tmpbinary
MD5:24A69F380E798553D3057BB10E48D5D7
SHA256:12A574B867BF5B93BFD50F0BE082BC34E8A081CF1D4632CC68F4EEE839B197C9
40687tsp GUI v0.6(2019).exeC:\ProgramData\local\temp\7tsp\Programs\logos.bmpimage
MD5:D04E046BA533CE644FE6B97CD492FDB5
SHA256:6D9C1A14BDBF29D835F297CBAF39CF94FC4725CCDFE8878E3548D194E2E46648
40687tsp GUI v0.6(2019).exeC:\Users\admin\AppData\Local\Temp\aut8590.tmpbinary
MD5:27DA1566828714105C1ADBB661C76F7A
SHA256:2555C1E91E885ADBFE1F55617B1649DC926DF9AE3BC09B99D727C428B0D2AB17
40687tsp GUI v0.6(2019).exeC:\Users\admin\AppData\Local\Temp\aut569F.tmpbinary
MD5:0C4F0907658D48D9356D01C14282B1A0
SHA256:15B3DE395AD0E35EED04C239703C5CF1187FD016FD2B021A47A43AC85FD49D50
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
1
TCP/UDP connections
12
DNS requests
1
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
1816
sipnotify.exe
HEAD
184.25.191.235:80
http://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE2JgkA?v=133589885519530000
unknown
unknown
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:138
whitelisted
4
System
192.168.100.255:137
whitelisted
224.0.0.252:5355
unknown
1472
svchost.exe
239.255.255.250:3702
unknown
1120
svchost.exe
224.0.0.252:5355
unknown
1816
sipnotify.exe
184.25.191.235:80
query.prod.cms.rt.microsoft.com
AKAMAI-AS
US
unknown

DNS requests

Domain
IP
Reputation
query.prod.cms.rt.microsoft.com
  • 184.25.191.235
whitelisted

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
7tsp GUI v0.6(2019).exe