File name: | winlock.zip |
Full analysis: | https://app.any.run/tasks/867d3bf9-cf8c-4508-8013-459aee3547bf |
Verdict: | Malicious activity |
Analysis date: | May 21, 2022, 09:33:11 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Indicators: | |
MIME: | application/zip |
File info: | Zip archive data, at least v2.0 to extract |
MD5: | F1643CC4AAC7DD15CFF9E5A87CD9E94D |
SHA1: | 900E3FCFF5EC7B31243C3521ECAFC12262EB9339 |
SHA256: | DCC88485E6CB3380EE0E5768498FAE0D45338A3E06CAA1F8CF09E7C7B97458FE |
SSDEEP: | 196608:vO0d1w14Oq24+LBfa+543b76JmzwFtbVP3CFwAVjOra3GW0HBqJ9:20Xw15LhaeOOJLfB3CFJVSFkX |
.zip | | | ZIP compressed archive (100) |
---|
ZipFileName: | ???冷? ??⠭????.txt |
---|---|
ZipUncompressedSize: | 296 |
ZipCompressedSize: | 194 |
ZipCRC: | 0xb11f2031 |
ZipModifyDate: | 2020:09:11 12:42:00 |
ZipCompression: | Deflated |
ZipBitFlag: | - |
ZipRequiredVersion: | 20 |
PID | CMD | Path | Indicators | Parent process | |||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
3788 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\winlock.zip" | C:\Program Files\WinRAR\WinRAR.exe | Explorer.EXE | ||||||||||||
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Exit code: 0 Version: 5.91.0 Modules
| |||||||||||||||
3548 | "C:\Users\admin\Desktop\winlock.exe" | C:\Users\admin\Desktop\winlock.exe | Explorer.EXE | ||||||||||||
User: admin Company: Crystal Office Systems Integrity Level: HIGH Description: WinLock Installation Exit code: 0 Version: 8.42 Modules
| |||||||||||||||
1652 | "C:\Users\admin\AppData\Local\Temp\is-UA4C5.tmp\winlock.tmp" /SL5="$5017A,11624009,57856,C:\Users\admin\Desktop\winlock.exe" | C:\Users\admin\AppData\Local\Temp\is-UA4C5.tmp\winlock.tmp | winlock.exe | ||||||||||||
User: admin Integrity Level: HIGH Description: Setup/Uninstall Exit code: 0 Version: 51.52.0.0 Modules
| |||||||||||||||
2764 | "netsh.exe" advfirewall firewall add rule name="WinLock" dir=in program="C:\Program Files\WinLock\winlock.exe" action=allow | C:\Windows\system32\netsh.exe | — | winlock.tmp | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Network Command Shell Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
2488 | "C:\Program Files\WinLock\winlock.exe" | C:\Program Files\WinLock\winlock.exe | — | Explorer.EXE | |||||||||||
User: admin Company: Crystal Office Systems Integrity Level: MEDIUM Description: WinLock Exit code: 1073807364 Version: 8.4.2.0 Modules
| |||||||||||||||
3360 | "C:\Program Files\WinLock\uia.exe" | C:\Program Files\WinLock\uia.exe | — | winlock.exe | |||||||||||
User: admin Integrity Level: MEDIUM Exit code: 3221226540 Modules
| |||||||||||||||
1808 | "C:\Program Files\WinLock\uia.exe" | C:\Program Files\WinLock\uia.exe | winlock.exe | ||||||||||||
User: admin Integrity Level: HIGH Exit code: 0 Modules
| |||||||||||||||
2044 | "C:\Program Files\WinLock\winlock.exe" | C:\Program Files\WinLock\winlock.exe | — | Explorer.EXE | |||||||||||
User: admin Company: Crystal Office Systems Integrity Level: MEDIUM Description: WinLock Exit code: 0 Version: 8.4.2.0 Modules
|
(PID) Process: | (3788) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes |
Operation: | write | Name: | ShellExtBMP |
Value: | |||
(PID) Process: | (3788) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes |
Operation: | write | Name: | ShellExtIcon |
Value: | |||
(PID) Process: | (3788) WinRAR.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\MuiCache\16C\52C64B7E |
Operation: | write | Name: | LanguageList |
Value: en-US | |||
(PID) Process: | (3788) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
Operation: | write | Name: | 2 |
Value: C:\Users\admin\Desktop\virtio_ivshmem_master_build.zip | |||
(PID) Process: | (3788) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
Operation: | write | Name: | 1 |
Value: C:\Users\admin\Desktop\Win7-KB3191566-x86.zip | |||
(PID) Process: | (3788) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
Operation: | write | Name: | 0 |
Value: C:\Users\admin\AppData\Local\Temp\winlock.zip | |||
(PID) Process: | (3788) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
Operation: | write | Name: | name |
Value: 120 | |||
(PID) Process: | (3788) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
Operation: | write | Name: | size |
Value: 80 | |||
(PID) Process: | (3788) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
Operation: | write | Name: | type |
Value: 120 | |||
(PID) Process: | (3788) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
Operation: | write | Name: | mtime |
Value: 100 |
PID | Process | Filename | Type | |
---|---|---|---|---|
1652 | winlock.tmp | C:\ProgramData\Crystal Office\WL\is-43D52.tmp | — | |
MD5:— | SHA256:— | |||
1652 | winlock.tmp | C:\ProgramData\Crystal Office\WL\winlockl.dat | — | |
MD5:— | SHA256:— | |||
1652 | winlock.tmp | C:\Program Files\WinLock\unins000.exe | executable | |
MD5:5D7C03090ECBB6B973E257432A3D566E | SHA256:551E20F706BD2C6DF74DF02C0B8414723D2425BB5A07FE4A8FC8D9D2233EA617 | |||
3548 | winlock.exe | C:\Users\admin\AppData\Local\Temp\is-UA4C5.tmp\winlock.tmp | executable | |
MD5:5D7C03090ECBB6B973E257432A3D566E | SHA256:551E20F706BD2C6DF74DF02C0B8414723D2425BB5A07FE4A8FC8D9D2233EA617 | |||
3788 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa3788.27073\adguardinstaller.exe | executable | |
MD5:0E94A2E6330D0672630AD1EA8FDA38B4 | SHA256:C5A8E6E9ED8BFC442AB26B9CCA61784DC3D73A53925D040DBFAC825310BA98BC | |||
1652 | winlock.tmp | C:\Program Files\WinLock\elv.exe | executable | |
MD5:87BB22BB80709CA2DDA659E4684E54CA | SHA256:CACD7B7A33805DAEAF9B15A69EAA4A06B97CA850358551F955805FAFA85F56B4 | |||
1652 | winlock.tmp | C:\Program Files\WinLock\is-LR028.tmp | executable | |
MD5:87BB22BB80709CA2DDA659E4684E54CA | SHA256:CACD7B7A33805DAEAF9B15A69EAA4A06B97CA850358551F955805FAFA85F56B4 | |||
1652 | winlock.tmp | C:\Program Files\WinLock\is-FHLI5.tmp | executable | |
MD5:150B29B89FF77889EF4A59EF3AAC3BD7 | SHA256:A62ED0A37DF0644B367DD679E8AF2570F9C5CE3397B75EA84346382FF64CAF7E | |||
1652 | winlock.tmp | C:\Program Files\WinLock\is-C058P.tmp | executable | |
MD5:5D7C03090ECBB6B973E257432A3D566E | SHA256:551E20F706BD2C6DF74DF02C0B8414723D2425BB5A07FE4A8FC8D9D2233EA617 | |||
3788 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa3788.27073\winlock.exe | executable | |
MD5:79D2EB09A31623DC3E6CC6B5834DC31E | SHA256:6C8057DAEB3E6F51FB6459F07C31C294A988323A6F67FC816045006F033F417C |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
— | — | HEAD | 200 | 23.205.225.13:80 | http://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE2JgkA?v=132976028961320000 | NL | — | — | whitelisted |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
— | — | 23.205.225.13:80 | query.prod.cms.rt.microsoft.com | GTT Communications Inc. | NL | unknown |
Domain | IP | Reputation |
---|---|---|
query.prod.cms.rt.microsoft.com |
| whitelisted |