File name: | 冰影-LD7.6.zip |
Full analysis: | https://app.any.run/tasks/854c0d77-a16b-467e-bba5-f409a1e90c64 |
Verdict: | Malicious activity |
Analysis date: | July 12, 2020, 23:00:20 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Indicators: | |
MIME: | application/zip |
File info: | Zip archive data, at least v2.0 to extract |
MD5: | 12717BB161B26457D60C8889A5F8A11A |
SHA1: | 4DE0AC3A17370116A412A32EB535CEBDFE283F52 |
SHA256: | 699A94781124C41CB11CFAFA3F8423B296AFA1B69E17723A06D26FD07C5314E1 |
SSDEEP: | 196608:aFnBiQNQ0W5I7dbHp3y70Q1+VPEsP4bVqBWell6O1kiHq04snMBq:amADly7UpEsPjWm9kiHcsMY |
Extension | TrID file type |
---|---|
.zip | ZIP compressed archive (100) |

ZipFileName: | 冰影-LD7.6.exe (first member only; the original report rendered the name as ??Ӱ-LD7.6.exe because it is stored in a legacy ANSI code page, almost certainly GBK/cp936 for a Simplified-Chinese archiver, and was decoded as if it were single-byte; WinRAR extracts five members in total, see the file table below) |
ZipUncompressedSize: | 9736192 |
ZipCompressedSize: | 7969408 |
ZipCRC: | 0x31c3744a |
ZipModifyDate: | 2020:07:06 23:16:13 (DOS timestamp, no time zone; local time of the machine that wrote the archive) |
ZipCompression: | Deflated |
ZipBitFlag: | - (no general-purpose flags set, so bit 11, the UTF-8 filename flag, is clear and the name bytes must be decoded with the creator's code page) |
ZipRequiredVersion: | 20 |
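The mis-decoded member name above is a general ZIP pitfall rather than anything specific to this sample: a name written with bit 11 clear carries no charset, and the standard Python `zipfile` module (like many report tools) falls back to cp437, which turns GBK bytes into mojibake. The script below is an added example, not part of the any.run report or of any tool named on this page. It builds a one-member archive whose name is stored as GBK with bit 11 clear (matching this sample's empty ZipBitFlag), reads it back with `zipfile`, repairs the name by re-encoding the cp437 text to the original bytes and decoding them as GBK, and checks the stored CRC against a recomputed one. The member name, its 64-byte content and the GBK choice are constructed stand-ins; the real 9.7 MB executable is not on this page.

```python
import io
import struct
import zipfile
import zlib

# Constructed stand-ins: the real executable is not on the page.
MEMBER_NAME = "冰影-LD7.6.exe"
MEMBER_DATA = b"MZ" + b"\x00" * 62
MEMBER_MTIME = (2020, 7, 6, 23, 16, 13)  # ZipModifyDate from the report, local time


def dos_datetime(y, mo, d, h, mi, s):
    """Pack a timestamp into the MS-DOS time/date words used by ZIP headers.
    Seconds have 2-second resolution and there is no time zone."""
    return (h << 11) | (mi << 5) | (s // 2), ((y - 1980) << 9) | (mo << 5) | d


def build_legacy_zip(name, data, codepage="gbk"):
    """Build a one-member ZIP whose name is stored in a legacy ANSI code page
    with general-purpose bit 11 (UTF-8 name) clear, the way many Chinese-locale
    archivers write names and the reason other tools show them as mojibake."""
    name_b = name.encode(codepage)
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)   # raw DEFLATE, as ZIP requires
    payload = comp.compress(data) + comp.flush()
    crc = zlib.crc32(data) & 0xFFFFFFFF
    flags = 0                                        # bit 11 (0x0800) NOT set
    t, d = dos_datetime(*MEMBER_MTIME)
    local = struct.pack("<4sHHHHHIIIHH", b"PK\x03\x04", 20, flags, 8, t, d,
                        crc, len(payload), len(data), len(name_b), 0) + name_b
    central = struct.pack("<4sHHHHHHIIIHHHHHII", b"PK\x01\x02", 20, 20, flags, 8, t, d,
                          crc, len(payload), len(data), len(name_b),
                          0, 0, 0, 0, 0, 0) + name_b
    eocd = struct.pack("<4sHHHHIIH", b"PK\x05\x06", 0, 0, 1, 1,
                       len(central), len(local) + len(payload), 0)
    return local + payload + central + eocd


def inspect_zip(blob, fallback_codepage="gbk"):
    """Report member metadata the way a sandbox does, and repair the name.
    zipfile decodes a name as UTF-8 only when bit 11 is set; otherwise it uses
    cp437, and because cp437 maps every byte, re-encoding with it returns the
    raw name bytes, which can then be decoded with the assumed code page."""
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        info = zf.infolist()[0]
        utf8_flag = bool(info.flag_bits & 0x0800)
        name = info.filename
        if not utf8_flag:
            name = info.filename.encode("cp437").decode(fallback_codepage)
        data = zf.read(info)   # raises BadZipFile if the stored CRC does not match
        return {
            "name": name,
            "utf8_flag": utf8_flag,
            "crc": f"0x{info.CRC:08x}",
            "crc_recomputed": f"0x{zlib.crc32(data) & 0xFFFFFFFF:08x}",
            "compressed": info.compress_size,
            "uncompressed": info.file_size,
            "compression": "Deflated" if info.compress_type == zipfile.ZIP_DEFLATED
                           else str(info.compress_type),
            "required_version": info.extract_version,
            "modified": "%04d:%02d:%02d %02d:%02d:%02d" % info.date_time,
        }


if __name__ == "__main__":
    for k, v in inspect_zip(build_legacy_zip(MEMBER_NAME, MEMBER_DATA)).items():
        print(f"{k}: {v}")
```

Two details worth noticing when you run it: the modification time comes back as 23:16:12, not 23:16:13, because DOS timestamps store seconds in units of two; and the code page is a guess that the analyst has to supply, since nothing in the archive records it. When in doubt, extract the raw bytes and try GBK, Big5 and Shift-JIS in turn rather than trusting whichever decoding a tool happened to pick.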
PID | CMD | Path | Indicators | Parent process | Details |
---|---|---|---|---|---|
3312 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\冰影-LD7.6.zip" | C:\Program Files\WinRAR\WinRAR.exe | — | explorer.exe | User: admin; Company: Alexander Roshal; Integrity Level: MEDIUM; Description: WinRAR archiver; Version: 5.60.0 |
292 | C:\Windows\Explorer.EXE | C:\Windows\explorer.exe | — | — | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows Explorer; Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
2624 | "C:\Users\admin\AppData\Local\Temp\冰影-LD7.6\冰影-LD7.6.exe" | C:\Users\admin\AppData\Local\Temp\冰影-LD7.6\冰影-LD7.6.exe | — | explorer.exe | User: admin; Integrity Level: HIGH (elevated); Exit code: 3221225477 (0xC0000005, STATUS_ACCESS_VIOLATION) |
3004 | "C:\Users\admin\AppData\Local\Temp\冰影-LD7.6\冰影-LD7.6.exe" | C:\Users\admin\AppData\Local\Temp\冰影-LD7.6\冰影-LD7.6.exe | — | explorer.exe | User: admin; Integrity Level: MEDIUM; Exit code: 3221225477 (0xC0000005, STATUS_ACCESS_VIOLATION) |
2764 | "C:\Windows\system32\wermgr.exe" "-outproc" "292" "2760" | C:\Windows\system32\wermgr.exe | — | explorer.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows Problem Reporting; Exit code: 0; Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
2616 | "C:\Users\admin\AppData\Local\Temp\冰影-LD7.6\冰影-LD7.6.exe" | C:\Users\admin\AppData\Local\Temp\冰影-LD7.6\冰影-LD7.6.exe | — | explorer.exe | User: admin; Integrity Level: MEDIUM (no exit code recorded; still running at the end of the analysis) |
PID | Process | Filename | Type | MD5 | SHA256 |
---|---|---|---|---|---|
292 | explorer.exe | C:\Users\admin\AppData\Local\Temp\TabAE6D.tmp | — | — | — |
292 | explorer.exe | C:\Users\admin\AppData\Local\Temp\{5bb56fb0-dce9-4696-887a-6056d20f740e}\appcompat.txt | — | — | — |
292 | explorer.exe | C:\Users\admin\AppData\Local\Temp\OutofProcReport2666329.txt | — | — | — |
3312 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\冰影-LD7.6\强制清理日志.bat ("force log cleanup" batch script) | text | ED195DA937A463D14D50038F816C6517 | 354ED183F6E544138C419C520D735358808D244FD7E6FCA9D121C3C247604B37 |
3312 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\冰影-LD7.6\myd3d.dll | executable | 7C0D03B2CCF87473B9809C2EC1AD6A15 | 3F966C651A622CF9D11395D07CD266E2B7671C8579A8730E05BD7DFC1226D34E |
3312 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\冰影-LD7.6\破解补丁01~Rip.exe ("crack patch 01~Rip") | executable | 2B424301F1EA20F7B3C3E69C7D7F6E5F | DDB77391D38F52F1D892F5E762D723214DB6138803515C26EC40832410650A4E |
3312 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\冰影-LD7.6\清理残留.zip ("clean up leftovers" archive) | compressed | 2D876B52D180518FFBDB640D6A6AF4A2 | A553B138168BBF4DC43B15745532EBF1E7CBA6C0D543157BB5768DEF43C43594 |
2764 | wermgr.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\WER\ReportQueue\NonCritical_冰影-LD7.6.exe_4bf9a379673dd2a6ba88c25c292f27e8f0618a_cab_0ae4aecb\Report.wer | binary | 681FA9690409B16923384D4768A51328 | 4E3CA709D41C16A3F4B98B8640BC35F3B6ABD00CFA6313D8054AEE495657DC27 |
3312 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\冰影-LD7.6\冰影-LD7.6.exe | executable | 2B5B30FF0F38A61B58FF6CC7A600BAC2 | E8E18D6E6E463F6005744BA30A8BFD1A75FD7ABE9738856F4425F4FC291BC167 |
2764 | wermgr.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\WER\ReportQueue\NonCritical_冰影-LD7.6.exe_4bf9a379673dd2a6ba88c25c292f27e8f0618a_cab_0ae4aecb\appcompat.txt | xml | 6E50355A38C2FB8688897B88DC8B3620 | D5CB8E92D65740B4C01653F57B43AD620113E66D1EF95672DC289B571C2A8C1E |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
400 | WerFault.exe | GET | — | 52.158.209.219:80 | http://watson.microsoft.com/StageOne/%E5%86%B0%E5%BD%B1-LD7_6_exe/0_0_0_0/5f033ffe/%E5%86%B0%E5%BD%B1-LD7_6_exe/0_0_0_0/5f033ffe/c0000005/0000dceb.htm?LCID=1033&OS=6.1.7601.2.00010100.1.0.48.17514&SM=DELL&SPN=DELL&BV=DELL&MID=3ADE2C42-4AB9-49B7-B142-BE9AEEA69063 | US | — | — | whitelisted |
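The GET to watson.microsoft.com above is a Windows Error Reporting StageOne request, not traffic generated by the sample's own code. Its path encodes the crashed image, the PE timestamps, the exception code and the faulting offset; here the exception is c0000005, the same value as the exit code 3221225477 recorded for PIDs 2624 and 3004 in the process table. The script below is an added example (not part of the any.run report or of any Microsoft tool) that decodes such a URL. The StageOne path layout it assumes is the conventional one (app name, app version, app timestamp, module name, module version, module timestamp, exception code, offset) and the NTSTATUS table is a small hand-picked subset; both are assumptions the page itself does not state.

```python
from datetime import datetime, timezone
from urllib.parse import parse_qs, unquote, urlsplit

# The request observed in the report, copied from the HTTP requests table above.
REPORT_URL = ("http://watson.microsoft.com/StageOne/%E5%86%B0%E5%BD%B1-LD7_6_exe/0_0_0_0/5f033ffe/"
              "%E5%86%B0%E5%BD%B1-LD7_6_exe/0_0_0_0/5f033ffe/c0000005/0000dceb.htm"
              "?LCID=1033&OS=6.1.7601.2.00010100.1.0.48.17514&SM=DELL&SPN=DELL&BV=DELL"
              "&MID=3ADE2C42-4AB9-49B7-B142-BE9AEEA69063")

# Hand-picked NTSTATUS values that show up as WER exception codes and process exit codes.
NTSTATUS_NAMES = {
    0xC0000005: "STATUS_ACCESS_VIOLATION",
    0xC000001D: "STATUS_ILLEGAL_INSTRUCTION",
    0xC00000FD: "STATUS_STACK_OVERFLOW",
    0xC0000374: "STATUS_HEAP_CORRUPTION",
    0xC0000409: "STATUS_STACK_BUFFER_OVERRUN",
    0x80000003: "STATUS_BREAKPOINT",
}


def ntstatus_name(code):
    """Map an NTSTATUS to its name. Sandboxes print exit codes as unsigned
    decimals, so 3221225477 and 0xC0000005 are the same value."""
    code &= 0xFFFFFFFF
    return NTSTATUS_NAMES.get(code, f"0x{code:08X} (unknown NTSTATUS)")


def pe_timestamp(hex_stamp):
    """StageOne timestamps are the PE header TimeDateStamp: seconds since the Unix epoch, UTC."""
    return datetime.fromtimestamp(int(hex_stamp, 16), tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC")


def parse_stageone(url):
    """Decode a Watson StageOne URL. Assumed layout (not documented on the page):
    /StageOne/<app>/<app ver>/<app stamp>/<module>/<module ver>/<module stamp>/<exception>/<offset>.htm
    WER replaces dots in the image names and versions with underscores."""
    parts = urlsplit(url)
    segs = [unquote(s) for s in parts.path.split("/") if s]
    if len(segs) < 9 or segs[0] != "StageOne":
        raise ValueError("not a StageOne crash-report URL")
    app, app_ver, app_stamp, mod, mod_ver, mod_stamp, exc, offset = segs[1:9]
    query = {k: v[0] for k, v in parse_qs(parts.query).items()}
    exc_code = int(exc, 16)
    return {
        "app": app,
        "app_version": app_ver.replace("_", "."),
        "app_timestamp": pe_timestamp(app_stamp),
        "module": mod,
        "module_version": mod_ver.replace("_", "."),
        "module_timestamp": pe_timestamp(mod_stamp),
        "exception_code": exc_code,
        "exception": ntstatus_name(exc_code),
        "offset": int(offset.rsplit(".", 1)[0], 16),
        # Same image and same stamp means the fault is in the executable's own code.
        "crashed_in_own_image": app == mod and app_stamp == mod_stamp,
        "os": query.get("OS"),
        "lcid": query.get("LCID"),
        "machine_id": query.get("MID"),
    }


if __name__ == "__main__":
    for k, v in parse_stageone(REPORT_URL).items():
        print(f"{k}: {v}")
    print("exit code 3221225477 ->", ntstatus_name(3221225477))
```

Decoded, the timestamp 5f033ffe is 2020-07-06 15:15:10 UTC, roughly a minute before the archive's ZipModifyDate of 2020:07:06 23:16:13 if that DOS timestamp was written in UTC+8, which is what one would expect for a freshly built Chinese-locale package. App and module are the same image with version 0.0.0.0, so the access violation occurred in the executable's own code at offset 0xdceb rather than in a system DLL, and the missing version numbers are consistent with the absent Company and Description fields in the process table. The MID query parameter is a per-machine identifier, which is why IDS rulesets flag these reports as a privacy concern rather than as malware traffic.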
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
1924 | WerFault.exe | 52.158.209.219:80 | watson.microsoft.com | Microsoft Corporation | US | suspicious |
400 | WerFault.exe | 52.158.209.219:80 | watson.microsoft.com | Microsoft Corporation | US | suspicious |
Domain | IP | Reputation |
---|---|---|
watson.microsoft.com | | whitelisted |
PID | Process | Class | Message |
---|---|---|---|
1924 | WerFault.exe | Potential Corporate Privacy Violation | ET POLICY Application Crash Report Sent to Microsoft |
1924 | WerFault.exe | Unknown Traffic | ET USER_AGENTS Microsoft Dr Watson User-Agent (MSDW) |
400 | WerFault.exe | Potential Corporate Privacy Violation | ET POLICY Application Crash Report Sent to Microsoft |
Process | Message |
---|---|
冰影-LD7.6.exe | FTH: (2616): *** Fault tolerant heap shim applied to current process. This is usually due to previous crashes. *** |