File name: vb6x64.7z
Full analysis: https://app.any.run/tasks/c8e11689-1c9f-4ed4-bffc-4e042fdeb275
Verdict: Malicious activity
Analysis date: September 11, 2019, 04:22:46
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-7z-compressed
File info: 7-zip archive data, version 0.4
MD5: F876259217704AAC821D24B66AA8A4EE
SHA1: 390D5A6F450D9C2099DA5FC1807D86791F774C0E
SHA256: C1FF63C472FD3F2FDC34DFACF864FFE2148DF9C0429F434C5B97AB055551E08F
SSDEEP: 98304:gF/e+sC7D7ZjsEAyRm0tGLJ2S2HmZYFrVpwTMp0+0:6m+77D7Zj/RntR5HmepwYO+0

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Loads dropped or rewritten executable
      • SearchProtocolHost.exe (PID: 1728)
  • SUSPICIOUS
    • Executable content was dropped or overwritten
      • WinRAR.exe (PID: 3060)
  • INFO
    • Manual execution by user
      • control.exe (PID: 3808)
    • Dropped object may contain Bitcoin addresses
      • WinRAR.exe (PID: 3060)
No Malware configuration.

TRiD

.7z | 7-Zip compressed archive (v0.4) (57.1)
.7z | 7-Zip compressed archive (gen) (42.8)
No data.
Total processes: 39
Monitored processes: 3
Malicious processes: 1
Suspicious processes: 0

Behavior graph

Processes in graph: winrar.exe; searchprotocolhost.exe (no specs); control.exe (no specs)

Process information

PID: 3060
CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\vb6x64.7z"
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: explorer.exe
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Version: 5.60.0

PID: 1728
CMD: "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe2_ Global\UsGthrCtrlFltPipeMssGthrPipe2 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
Path: C:\Windows\System32\SearchProtocolHost.exe
Parent process: SearchIndexer.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Microsoft Windows Search Protocol Host
Exit code: 0
Version: 7.00.7600.16385 (win7_rtm.090713-1255)

PID: 3808
CMD: "C:\Windows\System32\control.exe" SYSTEM
Path: C:\Windows\System32\control.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Control Panel
Exit code: 1
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Total events: 825
Read events: 810
Write events: 15
Delete events: 0

Modification events

Process: WinRAR.exe (PID 3060)
Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation: write
Name: ShellExtBMP
Value:

Process: WinRAR.exe (PID 3060)
Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation: write
Name: ShellExtIcon
Value:

Process: WinRAR.exe (PID 3060)
Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\72\52C64B7E
Operation: write
Name: LanguageList
Value: en-US

Process: WinRAR.exe (PID 3060)
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 0
Value: C:\Users\admin\AppData\Local\Temp\vb6x64.7z

Process: WinRAR.exe (PID 3060)
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: name
Value: 120

Process: WinRAR.exe (PID 3060)
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: size
Value: 80

Process: WinRAR.exe (PID 3060)
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: type
Value: 120

Process: WinRAR.exe (PID 3060)
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: mtime
Value: 100

Process: SearchProtocolHost.exe (PID 1728)
Key: HKEY_USERS\.DEFAULT\Software\Classes\Local Settings\MuiCache\72\52C64B7E
Operation: write
Name: LanguageList
Value: en-US

Process: SearchProtocolHost.exe (PID 1728)
Key: HKEY_USERS\.DEFAULT\Software\Classes\Local Settings\MuiCache\72\52C64B7E
Operation: write
Name: @C:\Windows\regedit.exe,-309
Value: Registration Entries
Executable files: 85
Suspicious files: 3
Text files: 19
Unknown types: 2

Dropped files

PID: 3060 | Process: WinRAR.exe | Type: reg
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRa3060.29167\vb6x64\CONTENT\Farpoint\install.reg
MD5: 65A6A6F00F09AAB848211282D0D04DEC
SHA256: B2CF6EE08D92A34D1300F1BD3CC3220D25B7B17DC497A45387423CA530CC334E

PID: 3060 | Process: WinRAR.exe | Type: executable
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRa3060.29167\vb6x64\CONTENT\GREENTREE\gtnum32.oca
MD5: 442E80AC1584FE4DDD73F5CBD3FAE63E
SHA256: C0597967AC2A8F1A478C2C7DC8523957747C7E1EA32347E56C505B8584A4990A

PID: 3060 | Process: WinRAR.exe | Type: executable
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRa3060.29167\vb6x64\CONTENT\Imageman\IM31dxf.dil
MD5: 275C7D3B8376174778E0E39B9998CC21
SHA256: E7FD68099E2E8CE25E1DB0C0AE4FB721C654F812EFDEBB3B4249FD0B91EFC228

PID: 3060 | Process: WinRAR.exe | Type: text
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRa3060.29167\vb6x64\CONTENT\GREENTREE\datamask_full.reg
MD5: E932DDF961D16187F3B8AD625B5EAE3B
SHA256: 8418FFAFF1DC4A3444C282F741C38B6523A62B58CAA1F0B672A985C576369AB4

PID: 3060 | Process: WinRAR.exe | Type: executable
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRa3060.29167\vb6x64\CONTENT\Imageman\IM31bmp.dil
MD5: A24B44FDC0D4B301804A8B1E951F76B3
SHA256: D727A6EA57FBF7DE688CA866F689A8B1FD41C445EB2411C6270D37FFEBEFD607

PID: 3060 | Process: WinRAR.exe | Type: executable
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRa3060.29167\vb6x64\CONTENT\Imageman\IM31tif.dil
MD5: 8707BBA0551063FE6E0EF252D88E08C9
SHA256: 75DAD86BC36F9FDDF9FF15D29F176A02E121D802FA3547BA6DCF8CD2ACF120BC

PID: 3060 | Process: WinRAR.exe | Type: executable
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRa3060.29167\vb6x64\CONTENT\Imageman\IM31eps.dil
MD5: 6209D267281C1C471DBF85E8167462BF
SHA256: 7EFF9F79CA1481E7FF2DF46F82C7358B40BCD4CDE1DBE7EE3A27E0D00E219E4B

PID: 3060 | Process: WinRAR.exe | Type: executable
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRa3060.29167\vb6x64\CONTENT\Imageman\IM31img.dil
MD5: DD7352EBF876F9C4570E6FF878D26214
SHA256: 7F9C1A01EADF88BCA95B4CE6FC84BE50D9C4547BEDD75347C3B15FFD8CEAF322

PID: 3060 | Process: WinRAR.exe | Type: executable
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRa3060.29167\vb6x64\CONTENT\GREENTREE\gtmask32.oca
MD5: 654FE31DBD624310215804286E0D4F56
SHA256: ED65C3F53C7A7504E63ABB604EB3C95704985F3A530850AF7C23FD343FF877CB

PID: 3060 | Process: WinRAR.exe | Type: executable
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRa3060.29167\vb6x64\CONTENT\Imageman\IM31fax.dil
MD5: 793F5C053D28BF676903E5E0178B12F3
SHA256: 3BAEDC6E44A746B708B13EFEEE7494FE323AF10A62FB56C53E364D6A32BE96AD
HTTP(S) requests: 0
TCP/UDP connections: 0
DNS requests: 0
Threats: 0

HTTP requests: No HTTP requests
Connections: No data
DNS requests: No data
Threats: No threats detected
Debug info: No debug info