File name:

hcanalesV3.0.rar

Full analysis: https://app.any.run/tasks/ed13cca2-3d1f-4b37-9a9e-34fada5aaae6
Verdict: Malicious activity
Analysis date: April 28, 2025, 16:23:36
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
arch-exec
arch-doc
Indicators:
MIME: application/x-rar
File info: RAR archive data, v4, os: Win32
MD5:

BD67E5B61B9F214D7550D292119952D0

SHA1:

DFAADF7E4DAA8173BDFB0168EF38F2CB9753F7ED

SHA256:

3FA4E0902C486EE6765BFB7B5079201F122B54E670B502F7326E1A2BB4A0E6F9

SSDEEP:

98304:oc0Oqxomyjr73Hf4l31p8hCNrSYw2DL5It7j9T5taVTeEzyKlwMj53AZyiJ/4o7W:jaAPuukvHjKhSLr

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Generic archive extractor

      • WinRAR.exe (PID: 6744)
    • Create files in the Startup directory

      • setup.exe (PID: 7152)
      • setup.exe (PID: 4724)
  • SUSPICIOUS

    • Process drops legitimate windows executable

      • WinRAR.exe (PID: 6744)
      • setup.exe (PID: 7152)
      • WinRAR.exe (PID: 1348)
      • setup.exe (PID: 4724)
    • Executable content was dropped or overwritten

      • setup.exe (PID: 7152)
      • setup.exe (PID: 4724)
    • Starts a Microsoft application from unusual location

      • setup.exe (PID: 7152)
      • SETUP1.EXE (PID: 1540)
      • SETUP1.EXE (PID: 6768)
      • ST6UNST.EXE (PID: 4272)
      • ST6UNST.EXE (PID: 4932)
      • setup.exe (PID: 4976)
      • setup.exe (PID: 4724)
      • setup.exe (PID: 4224)
    • Creates/Modifies COM task schedule object

      • setup.exe (PID: 7152)
      • setup.exe (PID: 4724)
    • Executes application which crashes

      • ST6UNST.EXE (PID: 1040)
  • INFO

    • The sample compiled with spanish language support

      • WinRAR.exe (PID: 6744)
      • setup.exe (PID: 7152)
      • WinRAR.exe (PID: 1348)
      • setup.exe (PID: 4724)
    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 6744)
      • WinRAR.exe (PID: 1348)
    • Manual execution by a user

      • setup.exe (PID: 4224)
      • WinRAR.exe (PID: 1348)
      • SETUP1.EXE (PID: 6768)
      • SETUP1.EXE (PID: 1540)
      • setup.exe (PID: 4976)
      • ST6UNST.EXE (PID: 4272)
      • ST6UNST.EXE (PID: 4932)
      • setup.exe (PID: 4724)
      • setup.exe (PID: 7152)
    • Checks supported languages

      • setup.exe (PID: 7152)
      • Setup1.exe (PID: 1764)
      • ST6UNST.EXE (PID: 1040)
      • SETUP1.EXE (PID: 1540)
      • ST6UNST.EXE (PID: 4932)
      • setup.exe (PID: 4724)
      • Setup1.exe (PID: 1300)
    • Creates files or folders in the user directory

      • setup.exe (PID: 7152)
      • WerFault.exe (PID: 5576)
      • WerFault.exe (PID: 5084)
      • setup.exe (PID: 4724)
    • Create files in a temporary directory

      • setup.exe (PID: 7152)
      • Setup1.exe (PID: 1764)
      • setup.exe (PID: 4724)
      • SETUP1.EXE (PID: 1540)
      • Setup1.exe (PID: 1300)
    • Reads the computer name

      • Setup1.exe (PID: 1764)
      • ST6UNST.EXE (PID: 1040)
      • SETUP1.EXE (PID: 1540)
      • ST6UNST.EXE (PID: 4932)
      • setup.exe (PID: 4724)
      • Setup1.exe (PID: 1300)
      • setup.exe (PID: 7152)
    • The sample compiled with english language support

      • WinRAR.exe (PID: 1348)
    • Reads the software policy settings

      • slui.exe (PID: 6576)
    • Checks proxy server information

      • slui.exe (PID: 6576)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.rar | RAR compressed archive (v-4.x) (58.3)
.rar | RAR compressed archive (gen) (41.6)

EXIF

ZIP

FileVersion: RAR v4
CompressedSize: 5556235
UncompressedSize: 5565708
OperatingSystem: Win32
ModifyDate: 2006:10:02 16:36:46
PackingMethod: Normal
ArchivedFileName: Hcanales V3.0\Hcanales.CAB
No data.
All screenshots are available in the full report
Total processes
156
Monitored processes
17
Malicious processes
3
Suspicious processes
0

Behavior graph


Process information

PID
CMD
Path
Indicators
Parent process
PID:
1040
CMD:
C:\WINDOWS\st6unst.exe -n "C:\Windows\ST6UNST.000" -e 3 -f -w 1764
Path:
C:\Windows\ST6UNST.EXE
Parent process:
Setup1.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Visual Basic Setup Toolkit Uninstaller
Exit code:
3221226525
Version:
6.00.8450
Modules
Images
c:\windows\st6unst.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\acgenral.dll
PID:
1300
CMD:
C:\WINDOWS\Setup1.exe "C:\Users\admin\Desktop\" "C:\WINDOWS\ST6UNST.000" "C:\WINDOWS\st6unst.exe"
Path:
C:\Windows\Setup1.exe
Parent process:
setup.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Utilidad de instalación de Visual Basic 6.0
Version:
6.00.8804
Modules
Images
c:\windows\setup1.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\acgenral.dll
PID:
1348
CMD:
"C:\Program Files\WinRAR\WinRAR.exe" x -iext -ow -ver -- "C:\Users\admin\Desktop\Hcanales.CAB" C:\Users\admin\Desktop\
Path:
C:\Program Files\WinRAR\WinRAR.exe
Parent process:
explorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Exit code:
0
Version:
5.91.0
Modules
Images
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
PID:
1540
CMD:
"C:\Users\admin\Desktop\SETUP1.EXE"
Path:
C:\Users\admin\Desktop\SETUP1.EXE
Parent process:
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Utilidad de instalación de Visual Basic 6.0
Exit code:
1
Version:
6.00.8804
Modules
Images
c:\users\admin\desktop\setup1.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\acgenral.dll
PID:
1764
CMD:
C:\WINDOWS\Setup1.exe "C:\Users\admin\Desktop\" "C:\WINDOWS\ST6UNST.000" "C:\WINDOWS\st6unst.exe"
Path:
C:\Windows\Setup1.exe
Parent process:
setup.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Utilidad de instalación de Visual Basic 6.0
Exit code:
1
Version:
6.00.8804
Modules
Images
c:\windows\setup1.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\acgenral.dll
PID:
4224
CMD:
"C:\Users\admin\Desktop\setup.exe"
Path:
C:\Users\admin\Desktop\setup.exe
Parent process:
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Instalación de Bootstrap para Visual Basic Setup Toolkit
Exit code:
3221226540
Version:
6.00.8804
Modules
Images
c:\users\admin\desktop\setup.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
PID:
4272
CMD:
"C:\Users\admin\Desktop\ST6UNST.EXE"
Path:
C:\Users\admin\Desktop\ST6UNST.EXE
Parent process:
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Visual Basic Setup Toolkit Uninstaller
Exit code:
3221226540
Version:
6.00.8450
Modules
Images
c:\users\admin\desktop\st6unst.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
PID:
4724
CMD:
"C:\Users\admin\Desktop\setup.exe"
Path:
C:\Users\admin\Desktop\setup.exe
Parent process:
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Instalación de Bootstrap para Visual Basic Setup Toolkit
Version:
6.00.8804
Modules
Images
c:\users\admin\desktop\setup.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\acgenral.dll
PID:
4932
CMD:
"C:\Users\admin\Desktop\ST6UNST.EXE"
Path:
C:\Users\admin\Desktop\ST6UNST.EXE
Parent process:
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Visual Basic Setup Toolkit Uninstaller
Exit code:
0
Version:
6.00.8450
Modules
Images
c:\users\admin\desktop\st6unst.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\acgenral.dll
PID:
4976
CMD:
"C:\Users\admin\Desktop\setup.exe"
Path:
C:\Users\admin\Desktop\setup.exe
Parent process:
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Instalación de Bootstrap para Visual Basic Setup Toolkit
Exit code:
3221226540
Version:
6.00.8804
Modules
Images
c:\users\admin\desktop\setup.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
Total events
6 958
Read events
6 865
Write events
87
Delete events
6

Modification events

(PID) Process: (6744) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation: write
Name: 3
Value: C:\Users\admin\Desktop\preferences.zip

(PID) Process: (6744) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation: write
Name: 2
Value: C:\Users\admin\Desktop\chromium_ext.zip

(PID) Process: (6744) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation: write
Name: 1
Value: C:\Users\admin\Desktop\omni_23_10_2024_.zip

(PID) Process: (6744) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation: write
Name: 0
Value: C:\Users\admin\AppData\Local\Temp\hcanalesV3.0.rar

(PID) Process: (6744) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write
Name: name
Value: 120

(PID) Process: (6744) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write
Name: size
Value: 80

(PID) Process: (6744) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write
Name: type
Value: 120

(PID) Process: (6744) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write
Name: mtime
Value: 100

(PID) Process: (7152) setup.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\SharedDlls
Operation: write
Name: C:\Windows\System32\VB6STKIT.DLL
Value: 1

(PID) Process: (7152) setup.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\SharedDlls
Operation: write
Name: C:\WINDOWS\SYSTEM32\MSVCRT40.DLL
Value: 2
Executable files
45
Suspicious files
12
Text files
6
Unknown types
0

Dropped files

PID
Process
Filename
Type
PID: 6744
Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRa6744.26330\Hcanales V3.0\Hcanales.CAB
Type: -
MD5:
SHA256:

PID: 7152
Process: setup.exe
Filename: C:\Windows\Hcanales.CAB
Type: -
MD5:
SHA256:

PID: 5084
Process: WerFault.exe
Filename: C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_st6unst.exe_59d0a890ce5ff0db1cb42b5fe040ec6a33dcf737_b5bcd7ac_8a61cd0c-a6c9-410e-94f2-e61a9d8d221f\Report.wer
Type: -
MD5:
SHA256:

PID: 6744
Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRa6744.26330\Hcanales V3.0\setup.exe
Type: executable
MD5: E60B0F63D64B2165177723D87721E2B6
SHA256: 85C59AED7E699A253005532DC6F79D3767BACBB83FCDF61CCF7A7A86ED5B9475

PID: 7152
Process: setup.exe
Filename: C:\Users\admin\AppData\Local\Temp\msftqws.pdw\st6unst.exe
Type: executable
MD5: 9A8C5876F555720D5799AFE717C0149D
SHA256: 77943B4E24CF8E64B1A4DC5C60FA392ABE0F004007AFF6E96307D1E52A7AD6C4

PID: 5084
Process: WerFault.exe
Filename: C:\ProgramData\Microsoft\Windows\WER\Temp\WERABB0.tmp.xml
Type: xml
MD5: 40E1A557F8E5C9A88DD04B6CB692BF03
SHA256: DD7AD8F4812186E39FCD41077098A1E1AECB09F7F03F990B8C89A426D538DAB1

PID: 7152
Process: setup.exe
Filename: C:\Windows\temp.000
Type: executable
MD5: 9A8C5876F555720D5799AFE717C0149D
SHA256: 77943B4E24CF8E64B1A4DC5C60FA392ABE0F004007AFF6E96307D1E52A7AD6C4

PID: 7152
Process: setup.exe
Filename: C:\Windows\SysWOW64\temp.000
Type: executable
MD5: 87AA9155ACC202711F5720718E1DFFCB
SHA256: 564747CFF8ABB9367F4D435BFADDB578AAB7E4CB4BF174F361D33846207540FE

PID: 5576
Process: WerFault.exe
Filename: C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_st6unst.exe_3713956c9d34a22b3f5236382a73db146ef629_b5bcd7ac_5308a97e-1c63-4335-9eab-dcb821bc3352\Report.wer
Type: -
MD5:
SHA256:

PID: 7152
Process: setup.exe
Filename: C:\Windows\ST6UNST.000
Type: text
MD5: 5AAC644EE6BFD3EC38390A2C21A47872
SHA256: D405B1859C0F0907201DC00B5395CE55F2C0A6CFCB49A33A592D8E5D86C78296
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
5
TCP/UDP connections
22
DNS requests
17
Threats
0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
- | - | GET | 200 | 23.48.23.158:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
- | - | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
4696 | SIHClient.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown | - | - | whitelisted
4696 | SIHClient.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl | unknown | - | - | whitelisted
6544 | svchost.exe | GET | 200 | 184.30.131.245:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | - | - | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
- | - | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
- | - | 23.48.23.158:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
- | - | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
2104 | svchost.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
3216 | svchost.exe | 172.211.123.248:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | FR | whitelisted
4696 | SIHClient.exe | 20.109.210.53:443 | slscr.update.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
4696 | SIHClient.exe | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
4696 | SIHClient.exe | 20.242.39.171:443 | fe3cr.delivery.mp.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.104.136.2
whitelisted
crl.microsoft.com
  • 23.48.23.158
  • 23.48.23.139
  • 23.48.23.191
  • 23.48.23.141
  • 23.48.23.164
  • 23.48.23.180
  • 23.48.23.162
  • 23.48.23.192
  • 23.48.23.194
whitelisted
www.microsoft.com
  • 184.30.21.171
whitelisted
google.com
  • 172.217.18.14
whitelisted
client.wns.windows.com
  • 172.211.123.248
whitelisted
slscr.update.microsoft.com
  • 20.109.210.53
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 20.242.39.171
whitelisted
activation-v2.sls.microsoft.com
  • 40.91.76.224
whitelisted
nexusrules.officeapps.live.com
  • 52.111.229.43
whitelisted
login.live.com
  • 40.126.31.1
  • 40.126.31.128
  • 40.126.31.3
  • 40.126.31.130
  • 20.190.159.4
  • 20.190.159.131
  • 40.126.31.73
  • 40.126.31.131
whitelisted

Threats

No threats detected
No debug info