| Field | Value |
|---|---|
| File name | MRPQTGv98.1.exe |
| Full analysis | https://app.any.run/tasks/8eab11ef-6e11-49af-902a-bdf6c2235118 |
| Verdict | Malicious activity |
| Analysis date | August 24, 2019, 20:52:28 |
| OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Indicators | |
| MIME | application/x-dosexec |
| File info | PE32 executable (console) Intel 80386, for MS Windows |
| MD5 | 43412619617A74B67EA734FA4C92CBC3 |
| SHA1 | FA52B9D52F36BD032DA207B2C8B7EB28198A1532 |
| SHA256 | 9BF9CC8BB6106C9A8F1D104702BFF8089990EB344792941187D6281AE51CFF90 |
| SSDEEP | 98304:TfxANV3yMPwRADRBXBBqjWwE7nmU0fzfJ4LXDbzfJ4LXD1szfJ4LXDj:TfxEBPWoxBwE7h0fzR4TXzR4T5szR4TX |

| Extension | Identified type | Match (%) |
|---|---|---|
| .exe | Win32 Executable MS Visual C++ (generic) | 42.2 |
| .exe | Win64 Executable (generic) | 37.3 |
| .dll | Win32 Dynamic Link Library (generic) | 8.8 |
| .exe | Win32 Executable (generic) | 6 |
| .exe | Generic Win/DOS Executable | 2.7 |

| Field | Value |
|---|---|
| ProductVersion | 2. 0. 1. 9 |
| ProductName | OEM Query Tool For MRP |
| LegalCopyright | MRP |
| FileVersion | 2. 0. 1. 9 |
| FileDescription | Query Tool |
| CompanyName | MRP |
| Comments | Computer Query Tool For MRP |
| CharacterSet | Windows, Latin1 |
| LanguageCode | Neutral |
| FileSubtype | - |
| ObjectFileType | Executable application |
| FileOS | Win32 |
| FileFlags | (none) |
| FileFlagsMask | 0x003f |
| ProductVersionNumber | 2.0.1.9 |
| FileVersionNumber | 2.0.1.9 |
| Subsystem | Windows command line |
| SubsystemVersion | 5 |
| ImageVersion | - |
| OSVersion | 5 |
| EntryPoint | 0xcb10 |
| UninitializedDataSize | - |
| InitializedDataSize | 6590464 |
| CodeSize | 64512 |
| LinkerVersion | 9 |
| PEType | PE32 |
| TimeStamp | 2011:12:22 14:26:47+01:00 |
| MachineType | Intel 386 or later, and compatibles |

| PID | CMD | Path | Indicators | Parent process | User | Company | Integrity level | Description | Exit code | Version |
|---|---|---|---|---|---|---|---|---|---|---|
| 3792 | "C:\Users\admin\AppData\Local\Temp\MRPQTGv98.1.exe" | C:\Users\admin\AppData\Local\Temp\MRPQTGv98.1.exe | — | explorer.exe | admin | MRP | MEDIUM | Query Tool | 3221226540 | 2. 0. 1. 9 |
| 2336 | "C:\Users\admin\AppData\Local\Temp\MRPQTGv98.1.exe" | C:\Users\admin\AppData\Local\Temp\MRPQTGv98.1.exe | | explorer.exe | admin | MRP | HIGH | Query Tool | | 2. 0. 1. 9 |
| 3392 | cmd /c ""C:\Users\admin\AppData\Local\Temp\MRP_QT\MRP-QT2-Fread.cmd"" | C:\Windows\system32\cmd.exe | | MRPQTGv98.1.exe | admin | Microsoft Corporation | HIGH | Windows Command Processor | | 6.1.7601.17514 (win7sp1_rtm.101119-1850) |
| 3756 | mode con cols=90 lines=23 | C:\Windows\System32\mode.com | — | cmd.exe | admin | Microsoft Corporation | HIGH | DOS Device MODE Utility | 0 | 6.1.7600.16385 (win7_rtm.090713-1255) |
| 2128 | C:\Windows\system32\cmd.exe /c C:\Windows\System32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows Script Host\Settings" /v "Enabled" 2>nul | C:\Windows\system32\cmd.exe | — | cmd.exe | admin | Microsoft Corporation | HIGH | Windows Command Processor | 1 | 6.1.7601.17514 (win7sp1_rtm.101119-1850) |
| 2420 | C:\Windows\System32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows Script Host\Settings" /v "Enabled" | C:\Windows\System32\reg.exe | — | cmd.exe | admin | Microsoft Corporation | HIGH | Registry Console Tool | 1 | 6.1.7600.16385 (win7_rtm.090713-1255) |
| 2832 | wmic process get processid,parentprocessid,executablepath | C:\Windows\System32\Wbem\WMIC.exe | — | cmd.exe | admin | Microsoft Corporation | HIGH | WMI Commandline Utility | 0 | 6.1.7600.16385 (win7_rtm.090713-1255) |
| 2960 | findstr /I "Powershell" | C:\Windows\System32\findstr.exe | — | cmd.exe | admin | Microsoft Corporation | HIGH | Find String (QGREP) Utility | 1 | 6.1.7600.16385 (win7_rtm.090713-1255) |
| 3980 | wmic process get processid,parentprocessid,executablepath | C:\Windows\System32\Wbem\WMIC.exe | — | cmd.exe | admin | Microsoft Corporation | HIGH | WMI Commandline Utility | 0 | 6.1.7600.16385 (win7_rtm.090713-1255) |
| 4028 | findstr /I "CMD" | C:\Windows\System32\findstr.exe | — | cmd.exe | admin | Microsoft Corporation | HIGH | Find String (QGREP) Utility | 0 | 6.1.7600.16385 (win7_rtm.090713-1255) |

| PID | Process | Operation | Key | Name | Value |
|---|---|---|---|---|---|
| 3432 | powershell.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\72\52C64B7E | LanguageList | en-US |

| PID | Process | Filename | Type | MD5 | SHA256 |
|---|---|---|---|---|---|
| 2336 | MRPQTGv98.1.exe | C:\Users\admin\AppData\Local\Temp\MRP_QT\GetInstDate.vbs | text | FEBA92D494D7E1C49A869386C470BB1D | 115DBCB99A2ECC9842E8BA5B772D28DB6FA157141B38A1F12036AD020B79BEDE |
| 2336 | MRPQTGv98.1.exe | C:\Users\admin\AppData\Local\Temp\MRP_QT\pkconfig.ini | text | 6FCCC532651F434A0AFFCC458AF5A080 | A930972AA7C75E05A87068DD8F85226B1F2999F5A206B2CF7B23C0F2301EEE6F |
| 2336 | MRPQTGv98.1.exe | C:\Users\admin\AppData\Local\Temp\MRP_QT\Generic_4.exe | executable | 9FEB2B5E667B34D220DB3E774A31946D | 617B441C97BD97AEB01FF0C6D8F8DC4B3626716F0B75F889F620E2B2E95CB750 |
| 2336 | MRPQTGv98.1.exe | C:\Users\admin\AppData\Local\Temp\MRP_QT\NewSKU.ini | text | C13AA712BB85F528FCBE465BED113936 | 78FD535845C3C48CB10094DF58CCE7A916FE90A9BD418D49E2789BD0FAD4147A |
| 2336 | MRPQTGv98.1.exe | C:\Users\admin\AppData\Local\Temp\MRP_QT\RCodes.ini | text | ACD915F5093289E8A8D0765800450DE3 | 4662FDF052C540DA861371BACF0704B9190A6E7EFF4E60F320904D9DF3321B55 |
| 2336 | MRPQTGv98.1.exe | C:\Users\admin\AppData\Local\Temp\MRP_QT\KeyInfo.exe | executable | 0B1B2C91E1E55B506FDFDAA57E705506 | 4BCCF0A5F92AE7D558BC6AAF46893557CB3FBFE0C3E52BD1848F8539D707D7D9 |
| 2336 | MRPQTGv98.1.exe | C:\Users\admin\AppData\Local\Temp\MRP_QT\BDTBT.exe | executable | 1DB1EAB663363D484EF7C6C2F8EDD7A6 | 9FD28B97864EBBAABBD3C3F9C5A46F8EFC963ED5E90EBAAA2457AFA8112807C4 |
| 2336 | MRPQTGv98.1.exe | C:\Users\admin\AppData\Local\Temp\MRP_QT\Generic_2.exe | executable | 99022B783EF7C73C93C1DFA1AC630CAC | 78C8CCB562EE0290C63A91C48107CB79AB5CD1D7F6D058688338D1E6190F0E58 |
| 2336 | MRPQTGv98.1.exe | C:\Users\admin\AppData\Local\Temp\MRP_QT\QTOEMTest.ini | text | 46B14823C1A98A166A6E3841100D12DD | F28073FF06C667D658E10A5AB84452E00C222799D8FF112EFFCA392AD2BE8732 |
| 2336 | MRPQTGv98.1.exe | C:\Users\admin\AppData\Local\Temp\MRP_QT\QueryDisks.vbs | text | FC9F70A8D5353786E792DC7AC76C9574 | 63EC86F3397FCB381BE76BD9D4E5F85969D7731AF26A5F04A9FDCA008BDF0424 |