File name: | strings3.zip |
Full analysis: | https://app.any.run/tasks/18df3f00-366f-43f9-aed3-7944c49a0dfb |
Verdict: | Malicious activity |
Analysis date: | March 30, 2020, 17:18:50 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/zip |
File info: | Zip archive data, at least v2.0 to extract |
MD5: | 676E141CCCFF3236BF7B73BAB40AC66E |
SHA1: | 4ECF2B05784D271512BBDD1E6FF9F9DF70F0B0FF |
SHA256: | 1040C5A2D19F74A588602856EB86B71CA76772B19F242086666D65435564FD9C |
SSDEEP: | 192:PwfojDh7ZrPIQ1Hgj/GhquEC5FCIkGcEUGvgXECtX14DRgo9X3T03O9Ars2KqPll:LjhtAQqYWiFcE5l+F4DRt9ADs+dnMKWg |
.zip | | | ZIP compressed archive (100) |
---|
ZipRequiredVersion: | 20 |
---|---|
ZipBitFlag: | 0x0009 |
ZipCompression: | Unknown (99) |
ZipModifyDate: | 2018:04:26 13:11:02 |
ZipCRC: | 0xbc7670f2 |
ZipCompressedSize: | 11258 |
ZipUncompressedSize: | 52736 |
ZipFileName: | strings3.exe_ |
PID | CMD | Path | Indicators | Parent process | |||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
2556 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\strings3.zip" | C:\Program Files\WinRAR\WinRAR.exe | explorer.exe | ||||||||||||
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Version: 5.60.0 Modules
| |||||||||||||||
3540 | "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\admin\AppData\Local\Temp\Rar$DIb2556.8241\strings3.exe_ | C:\Windows\system32\rundll32.exe | — | WinRAR.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows host process (Rundll32) Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
3328 | "C:\Program Files\Internet Explorer\iexplore.exe" http://go.microsoft.com/fwlink/?LinkId=57426&Ext=exe_ | C:\Program Files\Internet Explorer\iexplore.exe | rundll32.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Internet Explorer Version: 11.00.9600.16428 (winblue_gdr.131013-1700) Modules
| |||||||||||||||
3032 | "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:3328 CREDAT:267521 /prefetch:2 | C:\Program Files\Internet Explorer\iexplore.exe | iexplore.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: LOW Description: Internet Explorer Version: 11.00.9600.16428 (winblue_gdr.131013-1700) Modules
| |||||||||||||||
3168 | C:\Windows\system32\Macromed\Flash\FlashUtil32_26_0_0_131_ActiveX.exe -Embedding | C:\Windows\system32\Macromed\Flash\FlashUtil32_26_0_0_131_ActiveX.exe | — | svchost.exe | |||||||||||
User: admin Company: Adobe Systems Incorporated Integrity Level: MEDIUM Description: Adobe® Flash® Player Installer/Uninstaller 26.0 r0 Version: 26,0,0,131 Modules
| |||||||||||||||
4012 | "C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PO2HN1X2\DriverUpdate-setup-4be168b7-7db4-4570-8386-5634697ca315.exe" | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PO2HN1X2\DriverUpdate-setup-4be168b7-7db4-4570-8386-5634697ca315.exe | — | iexplore.exe | |||||||||||
User: admin Company: Slimware Utilities Holdings, Inc. Integrity Level: MEDIUM Description: DriverUpdate Setup Wizard Exit code: 3221226540 Version: 2.24.5.32 Modules
| |||||||||||||||
2152 | "C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PO2HN1X2\DriverUpdate-setup-4be168b7-7db4-4570-8386-5634697ca315.exe" | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PO2HN1X2\DriverUpdate-setup-4be168b7-7db4-4570-8386-5634697ca315.exe | iexplore.exe | ||||||||||||
User: admin Company: Slimware Utilities Holdings, Inc. Integrity Level: HIGH Description: DriverUpdate Setup Wizard Version: 2.24.5.32 Modules
|
PID | Process | Filename | Type | |
---|---|---|---|---|
3032 | iexplore.exe | C:\Users\admin\AppData\Local\Temp\Low\CabB60A.tmp | — | |
MD5:— | SHA256:— | |||
3032 | iexplore.exe | C:\Users\admin\AppData\Local\Temp\Low\TarB60B.tmp | — | |
MD5:— | SHA256:— | |||
3032 | iexplore.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\DTI6C8B8.txt | — | |
MD5:— | SHA256:— | |||
3032 | iexplore.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\5128GIZO.txt | — | |
MD5:— | SHA256:— | |||
3032 | iexplore.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\4Q01FLX6.txt | — | |
MD5:— | SHA256:— | |||
3032 | iexplore.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\02VHKIVJ.txt | — | |
MD5:— | SHA256:— | |||
3032 | iexplore.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\6ZEQR2R1.txt | — | |
MD5:— | SHA256:— | |||
3032 | iexplore.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\7R1553HF.txt | text | |
MD5:FB465D570789581C0BBEB4B1C107F3C6 | SHA256:DE638F47A868088998285B689AE5123F31A825EEDD994F17C5EA779F9B4649CA | |||
3032 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_D9817BD5013875AD517DA73475345203 | der | |
MD5:B211134DC2B559A0A8FDD5600FCA0662 | SHA256:471E7C400B878CF174F3D1E67CFBFF5B099378A6EAA8E4E5E346E7D6B681981E | |||
3032 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_D9817BD5013875AD517DA73475345203 | binary | |
MD5:EE3BF5AF23BD9738ECA4F1B733AE9E51 | SHA256:BF3C5564C54AFB13435A3C483B199700869B3BAAD1EC11E82CDEC665C246A45D |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
3032 | iexplore.exe | GET | 302 | 104.96.146.202:80 | http://go.microsoft.com/fwlink/?LinkId=57426&Ext=exe_ | NL | — | — | whitelisted |
3032 | iexplore.exe | GET | 301 | 23.55.161.159:80 | http://shell.windows.com/fileassoc/fileassoc.asp?Ext=exe_ | US | — | — | whitelisted |
3032 | iexplore.exe | GET | 200 | 104.18.25.243:80 | http://ocsp.msocsp.com/MFQwUjBQME4wTDAJBgUrDgMCGgUABBRPC1vZt9qvn7bzY3Iidtbhla4mKQQUWIif1tycSCK3FD7%2FhIjo5oX%2F%2Bn0CE3sAAvTsRon4%2BRVzrdwAAAAC9Ow%3D | US | der | 1.79 Kb | whitelisted |
3032 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEAi4elAbvpzaLRZNPjlRv1U%3D | US | der | 1.47 Kb | whitelisted |
3032 | iexplore.exe | GET | 200 | 192.124.249.22:80 | http://ocsp.godaddy.com//MEQwQjBAMD4wPDAJBgUrDgMCGgUABBTkIInKBAzXkF0Qh0pel3lfHJ9GPAQU0sSw0pHUTBFxs2HLPaH%2B3ahq1OMCAxvnFQ%3D%3D | US | der | 1.66 Kb | whitelisted |
3032 | iexplore.exe | GET | 200 | 2.20.190.11:80 | http://isrg.trustid.ocsp.identrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRv9GhNQxLSSGKBnMArPUcsHYovpgQUxKexpHsscfrb4UuQdf%2FEFWCFiRACEAoBQUIAAAFThXNqC4Xspwg%3D | unknown | der | 1.37 Kb | whitelisted |
3032 | iexplore.exe | GET | 200 | 172.217.23.131:80 | http://ocsp.pki.goog/gsr2/ME4wTDBKMEgwRjAJBgUrDgMCGgUABBTgXIsxbvr2lBkPpoIEVRE6gHlCnAQUm%2BIHV2ccHsBqBt5ZtJot39wZhi4CDQHjtJqhjYqpgSVpULg%3D | US | der | 468 b | whitelisted |
3032 | iexplore.exe | GET | 200 | 172.217.23.131:80 | http://ocsp.pki.goog/gsr2/ME4wTDBKMEgwRjAJBgUrDgMCGgUABBTgXIsxbvr2lBkPpoIEVRE6gHlCnAQUm%2BIHV2ccHsBqBt5ZtJot39wZhi4CDQHjtJqhjYqpgSVpULg%3D | US | der | 468 b | whitelisted |
3032 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA8sEMlbBsCTf7jUSfg%2BhWk%3D | US | der | 1.47 Kb | whitelisted |
3032 | iexplore.exe | GET | 200 | 172.217.23.131:80 | http://ocsp.pki.goog/gsr2/ME4wTDBKMEgwRjAJBgUrDgMCGgUABBTgXIsxbvr2lBkPpoIEVRE6gHlCnAQUm%2BIHV2ccHsBqBt5ZtJot39wZhi4CDQHjtJqhjYqpgSVpULg%3D | US | der | 468 b | whitelisted |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3032 | iexplore.exe | 23.55.161.159:80 | shell.windows.com | Akamai International B.V. | US | unknown |
3032 | iexplore.exe | 104.18.25.243:80 | ocsp.msocsp.com | Cloudflare Inc | US | shared |
3328 | iexplore.exe | 204.79.197.200:443 | www.bing.com | Microsoft Corporation | US | whitelisted |
3032 | iexplore.exe | 104.96.146.202:80 | go.microsoft.com | Akamai Technologies, Inc. | NL | malicious |
3032 | iexplore.exe | 204.79.197.200:443 | www.bing.com | Microsoft Corporation | US | whitelisted |
3032 | iexplore.exe | 93.184.220.29:80 | ocsp.digicert.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted |
3032 | iexplore.exe | 20.190.129.160:443 | login.microsoftonline.com | Microsoft Corporation | US | malicious |
3328 | iexplore.exe | 204.79.197.200:80 | www.bing.com | Microsoft Corporation | US | whitelisted |
3032 | iexplore.exe | 40.90.137.124:443 | login.live.com | Microsoft Corporation | US | unknown |
3032 | iexplore.exe | 35.214.210.16:443 | openfile.club | — | US | unknown |
Domain | IP | Reputation |
---|---|---|
go.microsoft.com |
| whitelisted |
shell.windows.com |
| whitelisted |
www.bing.com |
| whitelisted |
ocsp.digicert.com |
| whitelisted |
api.bing.com |
| whitelisted |
login.microsoftonline.com |
| whitelisted |
ocsp.msocsp.com |
| whitelisted |
login.live.com |
| whitelisted |
www2.bing.com |
| whitelisted |
openfile.club |
| suspicious |
PID | Process | Class | Message |
---|---|---|---|
2152 | DriverUpdate-setup-4be168b7-7db4-4570-8386-5634697ca315.exe | Generic Protocol Command Decode | SURICATA HTTP Request abnormal Content-Encoding header |
2152 | DriverUpdate-setup-4be168b7-7db4-4570-8386-5634697ca315.exe | Misc activity | ADWARE [PTsecurity] Win32/Slimware.A |
2152 | DriverUpdate-setup-4be168b7-7db4-4570-8386-5634697ca315.exe | Generic Protocol Command Decode | SURICATA HTTP Request abnormal Content-Encoding header |
Process | Message |
---|---|
DriverUpdate-setup-4be168b7-7db4-4570-8386-5634697ca315.exe | Calling SetDllDirectory
|
DriverUpdate-setup-4be168b7-7db4-4570-8386-5634697ca315.exe | Succeeded to SetDefaultDlLDirectories
|
DriverUpdate-setup-4be168b7-7db4-4570-8386-5634697ca315.exe | Loading C:\Windows\system32\BCRYPT.DLL
|
DriverUpdate-setup-4be168b7-7db4-4570-8386-5634697ca315.exe | Loading C:\Windows\system32\RSAENH.DLL
|
DriverUpdate-setup-4be168b7-7db4-4570-8386-5634697ca315.exe | Loading C:\Windows\system32\CRYPT32.DLL
|
DriverUpdate-setup-4be168b7-7db4-4570-8386-5634697ca315.exe | Loading C:\Windows\system32\MSASN1.DLL
|
DriverUpdate-setup-4be168b7-7db4-4570-8386-5634697ca315.exe | Loading C:\Windows\system32\USERENV.DLL
|
DriverUpdate-setup-4be168b7-7db4-4570-8386-5634697ca315.exe | Loading C:\Windows\system32\WINTRUST.DLL
|
DriverUpdate-setup-4be168b7-7db4-4570-8386-5634697ca315.exe | Loading C:\Windows\system32\GDIPLUS.DLL
|
DriverUpdate-setup-4be168b7-7db4-4570-8386-5634697ca315.exe | Loading C:\Windows\system32\MSI.DLL
|