File name: | PPURCHASE-ORDER-MMDW.tar.lz |
Full analysis: | https://app.any.run/tasks/20d783e9-abd0-4819-a324-89fa0e4965cf |
Verdict: | Malicious activity |
Analysis date: | January 25, 2022, 04:07:06 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Indicators: | |
MIME: | application/x-lzip |
File info: | lzip compressed data, version: 1 |
MD5: | DF0D4D66659BDD8708017140D7217ABD |
SHA1: | FF391D76F6A9B848BB863DB94AA6C5FF48CDD03A |
SHA256: | 6D7C04210975253E7708E8408087C986711BDE270B60BE50E2AD53AEB3D8010F |
SSDEEP: | 12288:4I+9xz171Q3QzICKXw9QSpx509NXj75TKVQf9gIi4n3oRCbcBiCsn+2z4KD07mmw:J4xrM0LWSpDGNzVeVdiYmcjs7Rcw |
.lz | | | LZIP compressed archive (100) |
---|
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
3148 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\PPURCHASE-ORDER-MMDW.tar.lz" | C:\Program Files\WinRAR\WinRAR.exe | Explorer.EXE | |
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Version: 5.91.0 | ||||
1144 | "C:\Users\admin\AppData\Local\Temp\Rar$EXa3148.29800\PPURCHASE ORDER-MMDW.exe" | C:\Users\admin\AppData\Local\Temp\Rar$EXa3148.29800\PPURCHASE ORDER-MMDW.exe | WinRAR.exe | |
User: admin Company: Microsoft Integrity Level: MEDIUM Description: CSMDown Exit code: 3762507597 Version: 1.0.0.0 | ||||
2868 | dw20.exe -x -s 420 | C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe | — | PPURCHASE ORDER-MMDW.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft .NET Error Reporting Shim Exit code: 0 Version: 2.0.50727.5483 (Win7SP1GDR.050727-5400) | ||||
3196 | "C:\Users\admin\AppData\Local\Temp\Rar$EXa3148.31355\PPURCHASE ORDER-MMDW.exe" | C:\Users\admin\AppData\Local\Temp\Rar$EXa3148.31355\PPURCHASE ORDER-MMDW.exe | WinRAR.exe | |
User: admin Company: Microsoft Integrity Level: MEDIUM Description: CSMDown Exit code: 3762507597 Version: 1.0.0.0 | ||||
560 | dw20.exe -x -s 420 | C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe | PPURCHASE ORDER-MMDW.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft .NET Error Reporting Shim Exit code: 0 Version: 2.0.50727.5483 (Win7SP1GDR.050727-5400) | ||||
676 | "C:\Users\admin\Desktop\PPURCHASE ORDER-MMDW.exe" | C:\Users\admin\Desktop\PPURCHASE ORDER-MMDW.exe | Explorer.EXE | |
User: admin Company: Microsoft Integrity Level: MEDIUM Description: CSMDown Exit code: 3762507597 Version: 1.0.0.0 | ||||
3284 | dw20.exe -x -s 408 | C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe | PPURCHASE ORDER-MMDW.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft .NET Error Reporting Shim Exit code: 0 Version: 2.0.50727.5483 (Win7SP1GDR.050727-5400) |
(PID) Process: | (3148) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes |
Operation: | write | Name: | ShellExtBMP |
Value: | |||
(PID) Process: | (3148) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes |
Operation: | write | Name: | ShellExtIcon |
Value: | |||
(PID) Process: | (3148) WinRAR.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\MuiCache\16C\52C64B7E |
Operation: | write | Name: | LanguageList |
Value: en-US | |||
(PID) Process: | (3148) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
Operation: | write | Name: | 2 |
Value: C:\Users\admin\Desktop\virtio_ivshmem_master_build.zip | |||
(PID) Process: | (3148) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
Operation: | write | Name: | 1 |
Value: C:\Users\admin\Desktop\Win7-KB3191566-x86.zip | |||
(PID) Process: | (3148) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
Operation: | write | Name: | 0 |
Value: C:\Users\admin\AppData\Local\Temp\PPURCHASE-ORDER-MMDW.tar.lz | |||
(PID) Process: | (3148) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
Operation: | write | Name: | name |
Value: 120 | |||
(PID) Process: | (3148) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
Operation: | write | Name: | size |
Value: 80 | |||
(PID) Process: | (3148) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
Operation: | write | Name: | type |
Value: 120 | |||
(PID) Process: | (3148) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
Operation: | write | Name: | mtime |
Value: 100 |
PID | Process | Filename | Type | |
---|---|---|---|---|
2868 | dw20.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\WER\ReportArchive\AppCrash_ppurchase order-_bd257857f0a46cba95a91ae8497187dbedf78f_0b2038e1\Report.wer | — | |
MD5:— | SHA256:— | |||
560 | dw20.exe | C:\Users\admin\AppData\Local\Temp\WER5DDF.tmp.hdmp | — | |
MD5:— | SHA256:— | |||
560 | dw20.exe | C:\Users\admin\AppData\Local\Temp\WER6B1E.tmp.mdmp | — | |
MD5:— | SHA256:— | |||
560 | dw20.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\WER\ReportQueue\AppCrash_ppurchase order-_bd257857f0a46cba95a91ae8497187dbedf78f_cab_02246b99\WER5DDF.tmp.hdmp | — | |
MD5:— | SHA256:— | |||
560 | dw20.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\WER\ReportQueue\AppCrash_ppurchase order-_bd257857f0a46cba95a91ae8497187dbedf78f_cab_02246b99\WER6B1E.tmp.mdmp | — | |
MD5:— | SHA256:— | |||
560 | dw20.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\WER\ReportQueue\AppCrash_ppurchase order-_bd257857f0a46cba95a91ae8497187dbedf78f_cab_02246b99\Report.wer | — | |
MD5:— | SHA256:— | |||
3284 | dw20.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\WER\ReportQueue\AppCrash_ppurchase order-_bd257857f0a46cba95a91ae8497187dbedf78f_0cc1192f\Report.wer | — | |
MD5:— | SHA256:— | |||
3148 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa3148.31355\PPURCHASE ORDER-MMDW.exe | executable | |
MD5:BF25C97E5D33C4458FBA29D4445C61E6 | SHA256:B4F317E79D77BB45E5DB5167268956D4527CBFBF458D46C8F08ED297CCB9F917 | |||
3148 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa3148.29800\PPURCHASE ORDER-MMDW.exe | executable | |
MD5:BF25C97E5D33C4458FBA29D4445C61E6 | SHA256:B4F317E79D77BB45E5DB5167268956D4527CBFBF458D46C8F08ED297CCB9F917 | |||
3148 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\PPURCHASE-ORDER-MMDW\PPURCHASE ORDER-MMDW.exe | executable | |
MD5:BF25C97E5D33C4458FBA29D4445C61E6 | SHA256:B4F317E79D77BB45E5DB5167268956D4527CBFBF458D46C8F08ED297CCB9F917 |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
560 | dw20.exe | 20.189.173.22:443 | watson.microsoft.com | Microsoft Corporation | US | suspicious |
3284 | dw20.exe | 104.208.16.93:443 | watson.microsoft.com | Microsoft Corporation | US | suspicious |
Domain | IP | Reputation |
---|---|---|
watson.microsoft.com |
| whitelisted |