File name:

olawta-opswat01_2021-01-18_14_06_13.zip

Full analysis: https://app.any.run/tasks/8ca7406c-4b7a-48c5-9403-6db05d0c6991
Verdict: Malicious activity
Analysis date: January 18, 2021, 20:21:30
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/zip
File info: Zip archive data, at least v4.5 to extract
MD5:

14098D8FA8140579F6E38CEC948F16C2

SHA1:

A45A61DEE36A38E4040939C4EC13E42789499994

SHA256:

58251FBEED7D3A8E6411C9C832607D51ABF2E1EB825EB6EAEB2C69F6098C5E12

SSDEEP:

12288:IbJV2ii8jgfxcftTK/4Rb2RdpGBPxcxR+G7:ISiP0fxcftTVR6rp+xcxok

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Application was dropped or rewritten from another process

      • aspcom.exe (PID: 3772)
      • aspcom.exe (PID: 2812)

    • Changes settings of System certificates

      • aspcom.exe (PID: 3772)

  • SUSPICIOUS

    • Creates a directory in Program Files

      • WinRAR.exe (PID: 936)

    • Creates files in the program directory

      • WinRAR.exe (PID: 936)
      • dw20.exe (PID: 3752)

    • Adds / modifies Windows certificates

      • aspcom.exe (PID: 3772)

    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 936)

  • INFO

    • Manual execution by user

      • aspcom.exe (PID: 3772)
      • aspcom.exe (PID: 2812)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion: 20
ZipBitFlag: 0x0801
ZipCompression: Deflated
ZipModifyDate: 1980:00:00 00:00:00
ZipCRC: 0xb938f89b
ZipCompressedSize: 419741
ZipUncompressedSize: 1066912
ZipFileName: Device/HarddiskVolume2/Program Files (x86)/Asp CommandLine/aspcom.exe
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
43
Monitored processes
4
Malicious processes
0
Suspicious processes
1

Behavior graph

Click at the process to see the details
start winrar.exe aspcom.exe no specs aspcom.exe dw20.exe

Process information

PID
CMD
Path
Indicators
Parent process
936"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\Desktop\olawta-opswat01_2021-01-18_14_06_13.zip"C:\Program Files\WinRAR\WinRAR.exe
explorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Exit code:
0
Version:
5.60.0
Modules
Images
c:\program files\winrar\winrar.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll
2812"C:\Users\admin\Desktop\olawta-opswat01_2021-01-18_14_06_13\HarddiskVolume2\Program Files (x86)\Asp CommandLine\aspcom.exe" C:\Users\admin\Desktop\olawta-opswat01_2021-01-18_14_06_13\HarddiskVolume2\Program Files (x86)\Asp CommandLine\aspcom.exeexplorer.exe
User:
admin
Company:
Systweak
Integrity Level:
MEDIUM
Description:
Advanced System Protector
Exit code:
3221226540
Version:
2.1.1000.10229
Modules
Images
c:\users\admin\desktop\olawta-opswat01_2021-01-18_14_06_13\harddiskvolume2\program files (x86)\asp commandline\aspcom.exe
c:\systemroot\system32\ntdll.dll
3752dw20.exe -x -s 936C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
aspcom.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Microsoft .NET Error Reporting Shim
Exit code:
0
Version:
2.0.50727.4927 (NetFXspW7.050727-4900)
Modules
Images
c:\windows\microsoft.net\framework\v2.0.50727\dw20.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\winsxs\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_d08cc06a442b34fc\msvcr80.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
3772"C:\Users\admin\Desktop\olawta-opswat01_2021-01-18_14_06_13\HarddiskVolume2\Program Files (x86)\Asp CommandLine\aspcom.exe" C:\Users\admin\Desktop\olawta-opswat01_2021-01-18_14_06_13\HarddiskVolume2\Program Files (x86)\Asp CommandLine\aspcom.exe
explorer.exe
User:
admin
Company:
Systweak
Integrity Level:
HIGH
Description:
Advanced System Protector
Exit code:
3762507597
Version:
2.1.1000.10229
Modules
Images
c:\users\admin\desktop\olawta-opswat01_2021-01-18_14_06_13\harddiskvolume2\program files (x86)\asp commandline\aspcom.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
Total events
382
Read events
358
Write events
24
Delete events
0

Modification events

(PID) Process:(936) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation:writeName:ShellExtBMP
Value:
(PID) Process:(936) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation:writeName:ShellExtIcon
Value:
(PID) Process:(936) WinRAR.exeKey:HKEY_CLASSES_ROOT\Local Settings\MuiCache\13B\52C64B7E
Operation:writeName:LanguageList
Value:
en-US
(PID) Process:(936) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:writeName:0
Value:
C:\Users\admin\Desktop\olawta-opswat01_2021-01-18_14_06_13.zip
(PID) Process:(936) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:name
Value:
120
(PID) Process:(936) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:size
Value:
80
(PID) Process:(936) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:type
Value:
120
(PID) Process:(936) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:mtime
Value:
100
(PID) Process:(936) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\DialogEditHistory\ExtrPath
Operation:writeName:0
Value:
C:\Users\admin\Desktop\olawta-opswat01_2021-01-18_14_06_13
(PID) Process:(936) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\Interface
Operation:writeName:ShowPassword
Value:
0
Executable files
1
Suspicious files
1
Text files
2
Unknown types
0

Dropped files

PID
Process
Filename
Type
3752dw20.exeC:\Users\admin\AppData\Local\Temp\WER66FD.tmp.hdmp
MD5:
SHA256:
3752dw20.exeC:\Users\admin\AppData\Local\Temp\WER70B2.tmp.mdmp
MD5:
SHA256:
3752dw20.exeC:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_aspcom.exe_42445351279fd0b8d5da5412b14068b2998eb1b_cab_0ebe714c\WER66FD.tmp.hdmp
MD5:
SHA256:
3752dw20.exeC:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_aspcom.exe_42445351279fd0b8d5da5412b14068b2998eb1b_cab_0ebe714c\WER70B2.tmp.mdmp
MD5:
SHA256:
936WinRAR.exeC:\Users\admin\Desktop\olawta-opswat01_2021-01-18_14_06_13\HarddiskVolume2\Program Files (x86)\Asp CommandLine\aspcom.exeexecutable
MD5:
SHA256:
3752dw20.exeC:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_aspcom.exe_42445351279fd0b8d5da5412b14068b2998eb1b_cab_0ebe714c\WERE9BD.tmp.WERInternalMetadata.xmlxml
MD5:
SHA256:
3752dw20.exeC:\Users\admin\AppData\Local\Temp\WERE9BD.tmp.WERInternalMetadata.xmlxml
MD5:
SHA256:
3752dw20.exeC:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_aspcom.exe_42445351279fd0b8d5da5412b14068b2998eb1b_cab_0ebe714c\Report.werbinary
MD5:
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
1
TCP/UDP connections
1
DNS requests
1
Threats
2

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3752
dw20.exe
GET
52.255.188.83:80
http://watson.microsoft.com/StageOne/aspcom_exe/2_1_1000_10229/509cf042/KERNELBASE_dll/6_1_7601_17932/503275ba/e0434f4d/0000d3cf.htm?LCID=1033&OS=6.1.7601.2.00010100.1.0.48.17514&SM=DELL&SPN=DELL&BV=DELL&MID=3ADE2C42-4AB9-49B7-B142-BE9AEEA69063
US
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
3752
dw20.exe
52.255.188.83:80
watson.microsoft.com
Microsoft Corporation
US
suspicious

DNS requests

Domain
IP
Reputation
watson.microsoft.com
  • 52.255.188.83
whitelisted

Threats

PID
Process
Class
Message
3752
dw20.exe
Potential Corporate Privacy Violation
ET POLICY Application Crash Report Sent to Microsoft
3752
dw20.exe
Unknown Traffic
ET USER_AGENTS Microsoft Dr Watson User-Agent (MSDW)
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
olawta-opswat01_2021-01-18_14_06_13.zip