File name: 7zr.exe

Full analysis: https://app.any.run/tasks/e8f560ea-2b36-445c-9462-5cabe0e83084
Verdict: Malicious activity
Analysis date: December 26, 2024, 08:56:06
OS: Windows 11 Professional (build: 22000, 64 bit)
Tags: m0yv
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (console) Intel 80386, for MS Windows, 6 sections
MD5: 1BC86F6C7DFC31B927B83CBFF91F9F1A
SHA1: 63EC7DD67E21853C41604DDD5F0FF0D704274855
SHA256: 91B28B851DDAC645FF303BFAEF9EB854F6BE2F63991D17EC76A1C3945732BD39
SSDEEP: 49152:JzhA7R2hELS/2E32LwnI8tuQIy1QxuBMEi4f8wxwPfAlGTfiLCHiYM1ik1hLlO/d:JzhCR2hELS/2u2LwIBQIQjlNfaAlGTv/

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • M0YV mutex has been found

      • 7zr.exe (PID: 4308)
  • SUSPICIOUS

    • Drops 7-zip archiver for unpacking

      • 7zr.exe (PID: 4308)
  • INFO

    • Reads the computer name

      • 7zr.exe (PID: 4308)
    • Checks supported languages

      • 7zr.exe (PID: 4308)
    • The sample compiled with english language support

      • 7zr.exe (PID: 4308)
    • Creates files or folders in the user directory

      • 7zr.exe (PID: 4308)
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (76.4)
.exe | Win32 Executable (generic) (12.4)
.exe | Generic Win/DOS Executable (5.5)
.exe | DOS Executable Generic (5.5)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2019:02:21 16:00:00+00:00
ImageFileCharacteristics: Executable, No line numbers, No symbols, Large address aware, 32-bit
PEType: PE32
LinkerVersion: 6
CodeSize: 624640
InitializedDataSize: 142336
UninitializedDataSize: -
EntryPoint: 0x91c58
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows command line
FileVersionNumber: 19.0.0.0
ProductVersionNumber: 19.0.0.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Windows NT 32-bit
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
CompanyName: Igor Pavlov
FileDescription: 7-Zip Standalone Console
FileVersion: 19
InternalName: 7za
LegalCopyright: Copyright (c) 1999-2018 Igor Pavlov
OriginalFileName: 7za.exe
ProductName: 7-Zip
ProductVersion: 19
Total processes: 116
Monitored processes: 2
Malicious processes: 1
Suspicious processes: 0

Behavior graph (process tree)

start -> 7zr.exe (#M0YV, no specs) -> conhost.exe (no specs)

Process information

PID | CMD | Path | Indicators | Parent process
4308 | "C:\Users\admin\Desktop\7zr.exe" | C:\Users\admin\Desktop\7zr.exe | - | explorer.exe
User: admin
Company: Igor Pavlov
Integrity Level: MEDIUM
Description: 7-Zip Standalone Console
Exit code: 0
Version: 19.00
Modules (images):
c:\users\admin\desktop\7zr.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64base.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64con.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll

4876 | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | - | 7zr.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Console Window Host
Exit code: 0
Version: 10.0.22000.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
Total events: 46
Read events: 46
Write events: 0
Delete events: 0

Modification events

No data

Executable files: 0
Suspicious files: 1
Text files: 0
Unknown types: 0

Dropped files

PID | Process | Filename | Type
4308 | 7zr.exe | C:\Users\admin\AppData\Roaming\dc123c8a6d67cbe2.bin | binary
MD5: 1DE4A4254EF7907034FD6236322921E7
SHA256: 80D06C0DFA75E3B0E1353B4C58696273D7A3281921D8021E64D363BEC5D65F4D
HTTP(S) requests: 18
TCP/UDP connections: 25
DNS requests: 23
Threats: 1

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
256 | rundll32.exe | GET | 200 | 199.232.210.172:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?bedd579f0f9d9caf | unknown | - | - | whitelisted
2932 | firefox.exe | POST | 200 | 95.101.54.131:80 | http://r11.o.lencr.org/ | unknown | - | - | whitelisted
2932 | firefox.exe | POST | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/ | unknown | - | - | whitelisted
2932 | firefox.exe | POST | 200 | 95.101.54.131:80 | http://r11.o.lencr.org/ | unknown | - | - | whitelisted
2932 | firefox.exe | POST | 200 | 95.101.54.131:80 | http://r11.o.lencr.org/ | unknown | - | - | whitelisted
1296 | svchost.exe | GET | 200 | 88.221.110.216:80 | http://www.msftconnecttest.com/connecttest.txt | unknown | - | - | whitelisted
2860 | svchost.exe | GET | 200 | 23.50.131.216:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/pinrulesstl.cab?c8be12605aaef0f9 | unknown | - | - | whitelisted
2860 | svchost.exe | GET | 200 | 23.50.131.216:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/pinrulesstl.cab?0b3de69d37a33f41 | unknown | - | - | whitelisted
2860 | svchost.exe | GET | 200 | 23.50.131.216:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?bdb78aa50ddaee77 | unknown | - | - | whitelisted
2860 | svchost.exe | GET | 304 | 23.50.131.216:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?9d6bf2e53e134dd2 | unknown | - | - | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
- | - | 192.168.100.255:137 | - | - | - | whitelisted
2932 | firefox.exe | 34.149.100.209:443 | - | GOOGLE | US | unknown
2932 | firefox.exe | 34.120.208.123:443 | incoming.telemetry.mozilla.org | GOOGLE-CLOUD-PLATFORM | US | whitelisted
256 | rundll32.exe | 40.127.240.158:443 | - | MICROSOFT-CORP-MSN-AS-BLOCK | IE | unknown
5904 | OfficeC2RClient.exe | 52.109.76.240:443 | - | MICROSOFT-CORP-MSN-AS-BLOCK | IE | unknown
1296 | svchost.exe | 88.221.110.216:80 | - | Akamai International B.V. | DE | unknown
256 | rundll32.exe | 199.232.210.172:80 | ctldl.windowsupdate.com | FASTLY | US | whitelisted
5904 | OfficeC2RClient.exe | 52.113.194.132:443 | ecs.office.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
2932 | firefox.exe | 192.229.221.95:80 | ocsp.digicert.com | EDGECAST | US | whitelisted
2932 | firefox.exe | 95.101.54.131:80 | r11.o.lencr.org | Akamai International B.V. | DE | whitelisted

DNS requests

Domain | IP | Reputation
incoming.telemetry.mozilla.org | 34.120.208.123 | whitelisted
google.com | 142.250.181.238 | whitelisted
ctldl.windowsupdate.com | 199.232.210.172, 199.232.214.172, 23.50.131.216, 23.50.131.200 | whitelisted
ecs.office.com | 52.113.194.132 | whitelisted
r11.o.lencr.org | 95.101.54.131, 2.16.202.121 | whitelisted
ocsp.digicert.com | 192.229.221.95 | whitelisted
fp2e7a.wpc.phicdn.net | 192.229.221.95, 2606:2800:233:fa02:67b:9ff6:6107:833 | whitelisted
a1887.dscq.akamai.net | 95.101.54.131, 2.16.202.121, 2a02:26f0:480:e::210:f108, 2a02:26f0:480:e::210:f10f | whitelisted
mrodevicemgr.officeapps.live.com | 52.109.89.117 | whitelisted
telemetry-incoming.r53-2.services.mozilla.com | - | whitelisted

Threats

PID | Process | Class | Message
1296 | svchost.exe | Misc activity | ET INFO Microsoft Connection Test
No debug info