File name:

Sliver V4.2.2 latest_fix.zip

Full analysis: https://app.any.run/tasks/793fad7b-2696-49a2-b430-1cc12ed47eff
Verdict: Malicious activity
Analysis date: July 12, 2020, 15:56:28
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract
MD5:

1C53DA1C484A946145743A49D9E6A3FF

SHA1:

1DBFBAED2048FE2E03237851A96E99C78E96A131

SHA256:

45C1089EB56FBCFFC97F4B0CC48E0BB5BFF7DED39722D4246211A6B200B289C2

SSDEEP:

393216:pyHOwaNLsA3uK9Fsw8bK5O2i0dDB0p4hxjX/IK8pbVsyyXH:IOTFsOFsw8bsO50dqwAvbhAH

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Loads dropped or rewritten executable

      • SearchProtocolHost.exe (PID: 3528)
      • Sliver v4.2.4.exe (PID: 3940)
      • Sliver v4.2.4.exe (PID: 2928)

    • Application was dropped or rewritten from another process

      • Sliver v4.2.4.exe (PID: 3940)
      • Sliver v4.2.4.exe (PID: 2108)
      • Sliver v4.2.4.exe (PID: 2928)

  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • Sliver v4.2.4.exe (PID: 3940)
      • WinRAR.exe (PID: 1820)

  • INFO

    • Manual execution by user

      • Sliver v4.2.4.exe (PID: 3940)
      • Sliver v4.2.4.exe (PID: 2108)
      • Sliver v4.2.4.exe (PID: 2928)

    • Dropped object may contain Bitcoin addresses

      • WinRAR.exe (PID: 1820)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion: 788
ZipBitFlag: -
ZipCompression: None
ZipModifyDate: 2020:06:29 17:57:17
ZipCRC: 0x00000000
ZipCompressedSize: -
ZipUncompressedSize: -
ZipFileName: Sliver V4.2.2 latest_fix/
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
39
Monitored processes
5
Malicious processes
2
Suspicious processes
1

Behavior graph

Click at the process to see the details
start winrar.exe searchprotocolhost.exe no specs sliver v4.2.4.exe sliver v4.2.4.exe no specs sliver v4.2.4.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
1820"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\Desktop\Sliver V4.2.2 latest_fix.zip"C:\Program Files\WinRAR\WinRAR.exe
explorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Exit code:
0
Version:
5.60.0
Modules
Images
c:\program files\winrar\winrar.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll
2108"C:\Users\admin\Desktop\Sliver V4.2.2 latest_fix\Sliver v4.2.4.exe" C:\Users\admin\Desktop\Sliver V4.2.2 latest_fix\Sliver v4.2.4.exeexplorer.exe
User:
admin
Integrity Level:
MEDIUM
Description:
PasscodeBypass
Exit code:
0
Version:
1.0.0.0
Modules
Images
c:\users\admin\desktop\sliver v4.2.2 latest_fix\sliver v4.2.4.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
2928"C:\Users\admin\Desktop\Sliver V4.2.2 latest_fix\Sliver v4.2.4.exe" C:\Users\admin\Desktop\Sliver V4.2.2 latest_fix\Sliver v4.2.4.exeexplorer.exe
User:
admin
Integrity Level:
MEDIUM
Description:
PasscodeBypass
Exit code:
1
Version:
1.0.0.0
Modules
Images
c:\users\admin\desktop\sliver v4.2.2 latest_fix\sliver v4.2.4.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
3528"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe3_ Global\UsGthrCtrlFltPipeMssGthrPipe3 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" C:\Windows\System32\SearchProtocolHost.exeSearchIndexer.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Microsoft Windows Search Protocol Host
Exit code:
0
Version:
7.00.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\searchprotocolhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
3940"C:\Users\admin\Desktop\Sliver V4.2.2 latest_fix\Sliver v4.2.4.exe" C:\Users\admin\Desktop\Sliver V4.2.2 latest_fix\Sliver v4.2.4.exe
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Description:
PasscodeBypass
Exit code:
1
Version:
1.0.0.0
Modules
Images
c:\users\admin\desktop\sliver v4.2.2 latest_fix\sliver v4.2.4.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
Total events
674
Read events
654
Write events
20
Delete events
0

Modification events

(PID) Process:(1820) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation:writeName:ShellExtBMP
Value:
(PID) Process:(1820) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation:writeName:ShellExtIcon
Value:
(PID) Process:(1820) WinRAR.exeKey:HKEY_CLASSES_ROOT\Local Settings\MuiCache\12F\52C64B7E
Operation:writeName:LanguageList
Value:
en-US
(PID) Process:(1820) WinRAR.exeKey:HKEY_CLASSES_ROOT\Local Settings\MuiCache\12F\52C64B7E
Operation:writeName:@C:\Windows\system32\NetworkExplorer.dll,-1
Value:
Network
(PID) Process:(1820) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:writeName:0
Value:
C:\Users\admin\Desktop\Sliver V4.2.2 latest_fix.zip
(PID) Process:(1820) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:name
Value:
120
(PID) Process:(1820) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:size
Value:
80
(PID) Process:(1820) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:type
Value:
120
(PID) Process:(1820) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:mtime
Value:
100
(PID) Process:(1820) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\Interface\MainWin
Operation:writeName:Placement
Value:
2C0000000000000001000000FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF42000000420000000204000037020000
Executable files
80
Suspicious files
4
Text files
3
Unknown types
0

Dropped files

PID
Process
Filename
Type
1820WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa1820.24676\Sliver V4.2.2 latest_fix\ref\.irecoverytext
MD5:
SHA256:
1820WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa1820.24676\Sliver V4.2.2 latest_fix\Renci.SshNet.dllexecutable
MD5:
SHA256:
1820WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa1820.24676\Sliver V4.2.2 latest_fix\lsass.dllexecutable
MD5:
SHA256:
1820WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa1820.24676\Sliver V4.2.2 latest_fix\AgileDotNet.VMRuntime.dllexecutable
MD5:
SHA256:
1820WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa1820.24676\Sliver V4.2.2 latest_fix\Sliver v4.2.4.exeexecutable
MD5:
SHA256:
1820WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa1820.24676\Sliver V4.2.2 latest_fix\ref\bypass1binary
MD5:
SHA256:
1820WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa1820.24676\Sliver V4.2.2 latest_fix\ref\PasscodeBypass.exeexecutable
MD5:
SHA256:
1820WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa1820.24676\Sliver V4.2.2 latest_fix\ref\System.dllexecutable
MD5:
SHA256:
1820WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa1820.24676\Sliver V4.2.2 latest_fix\ref\idevicebackup.exeexecutable
MD5:E3FD415840B550CB96A5C6B419D59620
SHA256:7957AA09B6F457F557DDCB569E54621D144F1487260036893D7DDBB8A9BCB849
1820WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa1820.24676\Sliver V4.2.2 latest_fix\ref\idevice_id.exeexecutable
MD5:5B1B079330343FF387EA22644775B00D
SHA256:8C78CD8C26831A340C12935865FABB8DA958E3ACA6E8663A62EAA3B0E19CB8AD
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
0
DNS requests
0
Threats
0

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

No data

DNS requests

No data

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
Sliver V4.2.2 latest_fix.zip