File name:

strings3.zip

Full analysis: https://app.any.run/tasks/18df3f00-366f-43f9-aed3-7944c49a0dfb
Verdict: Malicious activity
Threats:

Adware is a form of malware that targets users with unwanted advertisements, often disrupting their browsing experience. It typically infiltrates systems through software bundling, malicious websites, or deceptive downloads. Once installed, it may track user activity, collect sensitive data, and display intrusive ads, including pop-ups or banners. Some advanced adware variants can bypass security measures and establish persistence on devices, making removal challenging. Additionally, adware can create vulnerabilities that other malware can exploit, posing a significant risk to user privacy and system security.

Malware Trends Tracker     >>>
Analysis date: March 30, 2020, 17:18:50
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
adware
slimware
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract
MD5:

676E141CCCFF3236BF7B73BAB40AC66E

SHA1:

4ECF2B05784D271512BBDD1E6FF9F9DF70F0B0FF

SHA256:

1040C5A2D19F74A588602856EB86B71CA76772B19F242086666D65435564FD9C

SSDEEP:

192:PwfojDh7ZrPIQ1Hgj/GhquEC5FCIkGcEUGvgXECtX14DRgo9X3T03O9Ars2KqPll:LjhtAQqYWiFcE5l+F4DRt9ADs+dnMKWg

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Application was dropped or rewritten from another process

      • DriverUpdate-setup-4be168b7-7db4-4570-8386-5634697ca315.exe (PID: 4012)
      • DriverUpdate-setup-4be168b7-7db4-4570-8386-5634697ca315.exe (PID: 2152)

    • SLIMWARE was detected

      • DriverUpdate-setup-4be168b7-7db4-4570-8386-5634697ca315.exe (PID: 2152)

  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 2556)
      • iexplore.exe (PID: 3328)

    • Uses RUNDLL32.EXE to load library

      • WinRAR.exe (PID: 2556)

    • Starts Internet Explorer

      • rundll32.exe (PID: 3540)

    • Executed via COM

      • FlashUtil32_26_0_0_131_ActiveX.exe (PID: 3168)

  • INFO

    • Reads Internet Cache Settings

      • iexplore.exe (PID: 3032)
      • iexplore.exe (PID: 3328)

    • Changes internet zones settings

      • iexplore.exe (PID: 3328)

    • Reads internet explorer settings

      • iexplore.exe (PID: 3032)

    • Modifies the phishing filter of IE

      • iexplore.exe (PID: 3328)

    • Creates files in the user directory

      • FlashUtil32_26_0_0_131_ActiveX.exe (PID: 3168)
      • iexplore.exe (PID: 3032)

    • Reads settings of System Certificates

      • iexplore.exe (PID: 3032)
      • iexplore.exe (PID: 3328)

    • Adds / modifies Windows certificates

      • iexplore.exe (PID: 3328)

    • Changes settings of System certificates

      • iexplore.exe (PID: 3328)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion: 20
ZipBitFlag: 0x0009
ZipCompression: Unknown (99)
ZipModifyDate: 2018:04:26 13:11:02
ZipCRC: 0xbc7670f2
ZipCompressedSize: 11258
ZipUncompressedSize: 52736
ZipFileName: strings3.exe_
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
44
Monitored processes
7
Malicious processes
1
Suspicious processes
2

Behavior graph

Click at the process to see the details
start drop and start drop and start winrar.exe rundll32.exe no specs iexplore.exe iexplore.exe flashutil32_26_0_0_131_activex.exe no specs driverupdate-setup-4be168b7-7db4-4570-8386-5634697ca315.exe no specs #SLIMWARE driverupdate-setup-4be168b7-7db4-4570-8386-5634697ca315.exe

Process information

PID
CMD
Path
Indicators
Parent process
2152"C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PO2HN1X2\DriverUpdate-setup-4be168b7-7db4-4570-8386-5634697ca315.exe" C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PO2HN1X2\DriverUpdate-setup-4be168b7-7db4-4570-8386-5634697ca315.exe
iexplore.exe
User:
admin
Company:
Slimware Utilities Holdings, Inc.
Integrity Level:
HIGH
Description:
DriverUpdate Setup Wizard
Exit code:
0
Version:
2.24.5.32
Modules
Images
c:\users\admin\appdata\local\microsoft\windows\temporary internet files\content.ie5\po2hn1x2\driverupdate-setup-4be168b7-7db4-4570-8386-5634697ca315.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\psapi.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
2556"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\strings3.zip"C:\Program Files\WinRAR\WinRAR.exe
explorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Exit code:
0
Version:
5.60.0
Modules
Images
c:\program files\winrar\winrar.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll
3032"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:3328 CREDAT:267521 /prefetch:2C:\Program Files\Internet Explorer\iexplore.exe
iexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Internet Explorer
Exit code:
0
Version:
11.00.9600.16428 (winblue_gdr.131013-1700)
Modules
Images
c:\program files\internet explorer\iexplore.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\iertutil.dll
3168C:\Windows\system32\Macromed\Flash\FlashUtil32_26_0_0_131_ActiveX.exe -EmbeddingC:\Windows\system32\Macromed\Flash\FlashUtil32_26_0_0_131_ActiveX.exesvchost.exe
User:
admin
Company:
Adobe Systems Incorporated
Integrity Level:
MEDIUM
Description:
Adobe® Flash® Player Installer/Uninstaller 26.0 r0
Exit code:
0
Version:
26,0,0,131
Modules
Images
c:\windows\system32\macromed\flash\flashutil32_26_0_0_131_activex.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
3328"C:\Program Files\Internet Explorer\iexplore.exe" http://go.microsoft.com/fwlink/?LinkId=57426&Ext=exe_C:\Program Files\Internet Explorer\iexplore.exe
rundll32.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Internet Explorer
Exit code:
0
Version:
11.00.9600.16428 (winblue_gdr.131013-1700)
Modules
Images
c:\program files\internet explorer\iexplore.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\iertutil.dll
3540"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\admin\AppData\Local\Temp\Rar$DIb2556.8241\strings3.exe_C:\Windows\system32\rundll32.exeWinRAR.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows host process (Rundll32)
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\rundll32.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\imagehlp.dll
4012"C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PO2HN1X2\DriverUpdate-setup-4be168b7-7db4-4570-8386-5634697ca315.exe" C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PO2HN1X2\DriverUpdate-setup-4be168b7-7db4-4570-8386-5634697ca315.exeiexplore.exe
User:
admin
Company:
Slimware Utilities Holdings, Inc.
Integrity Level:
MEDIUM
Description:
DriverUpdate Setup Wizard
Exit code:
3221226540
Version:
2.24.5.32
Modules
Images
c:\users\admin\appdata\local\microsoft\windows\temporary internet files\content.ie5\po2hn1x2\driverupdate-setup-4be168b7-7db4-4570-8386-5634697ca315.exe
c:\systemroot\system32\ntdll.dll
Total events
7 566
Read events
2 245
Write events
3 601
Delete events
1 720

Modification events

(PID) Process:(2556) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation:writeName:ShellExtBMP
Value:
(PID) Process:(2556) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation:writeName:ShellExtIcon
Value:
(PID) Process:(2556) WinRAR.exeKey:HKEY_CLASSES_ROOT\Local Settings\MuiCache\12B\52C64B7E
Operation:writeName:LanguageList
Value:
en-US
(PID) Process:(2556) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:writeName:0
Value:
C:\Users\admin\AppData\Local\Temp\strings3.zip
(PID) Process:(2556) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:name
Value:
120
(PID) Process:(2556) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:size
Value:
80
(PID) Process:(2556) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:type
Value:
120
(PID) Process:(2556) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:mtime
Value:
100
(PID) Process:(2556) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\Interface
Operation:writeName:ShowPassword
Value:
0
(PID) Process:(3328) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\UrlBlockManager
Operation:writeName:NextCheckForUpdateLowDateTime
Value:
1829241106
Executable files
2
Suspicious files
147
Text files
219
Unknown types
86

Dropped files

PID
Process
Filename
Type
3032iexplore.exeC:\Users\admin\AppData\Local\Temp\Low\CabB60A.tmp
MD5:
SHA256:
3032iexplore.exeC:\Users\admin\AppData\Local\Temp\Low\TarB60B.tmp
MD5:
SHA256:
3032iexplore.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\DTI6C8B8.txt
MD5:
SHA256:
3032iexplore.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\5128GIZO.txt
MD5:
SHA256:
3032iexplore.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\4Q01FLX6.txt
MD5:
SHA256:
3032iexplore.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\02VHKIVJ.txt
MD5:
SHA256:
3032iexplore.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\6ZEQR2R1.txt
MD5:
SHA256:
3032iexplore.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\7R1553HF.txttext
MD5:
SHA256:
3032iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_D9817BD5013875AD517DA73475345203der
MD5:
SHA256:
3032iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_D9817BD5013875AD517DA73475345203binary
MD5:
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
80
TCP/UDP connections
153
DNS requests
66
Threats
7

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3032
iexplore.exe
GET
301
23.55.161.159:80
http://shell.windows.com/fileassoc/fileassoc.asp?Ext=exe_
US
whitelisted
3032
iexplore.exe
GET
200
93.184.220.29:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEAi4elAbvpzaLRZNPjlRv1U%3D
US
der
1.47 Kb
whitelisted
3032
iexplore.exe
GET
200
172.217.23.131:80
http://ocsp.pki.goog/gsr2/ME4wTDBKMEgwRjAJBgUrDgMCGgUABBTgXIsxbvr2lBkPpoIEVRE6gHlCnAQUm%2BIHV2ccHsBqBt5ZtJot39wZhi4CDQHjtJqhjYqpgSVpULg%3D
US
der
468 b
whitelisted
3032
iexplore.exe
GET
200
93.184.220.29:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA8sEMlbBsCTf7jUSfg%2BhWk%3D
US
der
1.47 Kb
whitelisted
3032
iexplore.exe
GET
200
104.18.25.243:80
http://ocsp.msocsp.com/MFQwUjBQME4wTDAJBgUrDgMCGgUABBRPC1vZt9qvn7bzY3Iidtbhla4mKQQUWIif1tycSCK3FD7%2FhIjo5oX%2F%2Bn0CE3sAAvTsRon4%2BRVzrdwAAAAC9Ow%3D
US
der
1.79 Kb
whitelisted
3032
iexplore.exe
GET
200
2.20.190.11:80
http://isrg.trustid.ocsp.identrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRv9GhNQxLSSGKBnMArPUcsHYovpgQUxKexpHsscfrb4UuQdf%2FEFWCFiRACEAoBQUIAAAFThXNqC4Xspwg%3D
unknown
der
1.37 Kb
whitelisted
3032
iexplore.exe
GET
200
104.18.25.243:80
http://ocsp.msocsp.com/MFQwUjBQME4wTDAJBgUrDgMCGgUABBRPC1vZt9qvn7bzY3Iidtbhla4mKQQUWIif1tycSCK3FD7%2FhIjo5oX%2F%2Bn0CE3sAAvTsRon4%2BRVzrdwAAAAC9Ow%3D
US
der
1.79 Kb
whitelisted
3032
iexplore.exe
GET
200
93.184.220.29:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA8sEMlbBsCTf7jUSfg%2BhWk%3D
US
der
1.47 Kb
whitelisted
3032
iexplore.exe
GET
200
93.184.220.29:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEAi4elAbvpzaLRZNPjlRv1U%3D
US
der
1.47 Kb
whitelisted
3032
iexplore.exe
GET
200
192.124.249.22:80
http://ocsp.godaddy.com//MEQwQjBAMD4wPDAJBgUrDgMCGgUABBTkIInKBAzXkF0Qh0pel3lfHJ9GPAQU0sSw0pHUTBFxs2HLPaH%2B3ahq1OMCAxvnFQ%3D%3D
US
der
1.66 Kb
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
3032
iexplore.exe
104.96.146.202:80
go.microsoft.com
Akamai Technologies, Inc.
NL
malicious
3032
iexplore.exe
23.55.161.159:80
shell.windows.com
Akamai International B.V.
US
unknown
3032
iexplore.exe
204.79.197.200:443
www.bing.com
Microsoft Corporation
US
whitelisted
3032
iexplore.exe
93.184.220.29:80
ocsp.digicert.com
MCI Communications Services, Inc. d/b/a Verizon Business
US
whitelisted
3328
iexplore.exe
204.79.197.200:443
www.bing.com
Microsoft Corporation
US
whitelisted
3032
iexplore.exe
20.190.129.160:443
login.microsoftonline.com
Microsoft Corporation
US
malicious
3032
iexplore.exe
104.18.25.243:80
ocsp.msocsp.com
Cloudflare Inc
US
shared
3032
iexplore.exe
40.90.137.124:443
login.live.com
Microsoft Corporation
US
unknown
3328
iexplore.exe
204.79.197.200:80
www.bing.com
Microsoft Corporation
US
whitelisted
3032
iexplore.exe
35.214.210.16:443
openfile.club
US
unknown

DNS requests

Domain
IP
Reputation
go.microsoft.com
  • 104.96.146.202
whitelisted
shell.windows.com
  • 23.55.161.159
  • 23.55.161.167
whitelisted
www.bing.com
  • 204.79.197.200
  • 13.107.21.200
whitelisted
ocsp.digicert.com
  • 93.184.220.29
whitelisted
api.bing.com
  • 13.107.5.80
whitelisted
login.microsoftonline.com
  • 20.190.129.160
  • 20.190.129.2
  • 40.126.1.130
  • 40.126.1.128
  • 20.190.129.128
  • 40.126.1.166
  • 20.190.129.19
  • 20.190.129.17
whitelisted
ocsp.msocsp.com
  • 104.18.25.243
  • 104.18.24.243
whitelisted
login.live.com
  • 40.90.137.124
  • 40.90.137.120
  • 40.90.23.247
whitelisted
www2.bing.com
  • 204.79.197.200
  • 13.107.21.200
whitelisted
openfile.club
  • 35.214.210.16
suspicious

Threats

PID
Process
Class
Message
2152
DriverUpdate-setup-4be168b7-7db4-4570-8386-5634697ca315.exe
Generic Protocol Command Decode
SURICATA HTTP Request abnormal Content-Encoding header
2152
DriverUpdate-setup-4be168b7-7db4-4570-8386-5634697ca315.exe
Misc activity
ADWARE [PTsecurity] Win32/Slimware.A
2152
DriverUpdate-setup-4be168b7-7db4-4570-8386-5634697ca315.exe
Generic Protocol Command Decode
SURICATA HTTP Request abnormal Content-Encoding header
4 ETPRO signatures available at the full report
Process
Message
DriverUpdate-setup-4be168b7-7db4-4570-8386-5634697ca315.exe
Loading C:\Windows\system32\RSAENH.DLL
DriverUpdate-setup-4be168b7-7db4-4570-8386-5634697ca315.exe
Loading C:\Windows\system32\BCRYPT.DLL
DriverUpdate-setup-4be168b7-7db4-4570-8386-5634697ca315.exe
Calling SetDllDirectory
DriverUpdate-setup-4be168b7-7db4-4570-8386-5634697ca315.exe
Loading C:\Windows\system32\CRYPT32.DLL
DriverUpdate-setup-4be168b7-7db4-4570-8386-5634697ca315.exe
Succeeded to SetDefaultDlLDirectories
DriverUpdate-setup-4be168b7-7db4-4570-8386-5634697ca315.exe
Loading C:\Windows\system32\USERENV.DLL
DriverUpdate-setup-4be168b7-7db4-4570-8386-5634697ca315.exe
Loading C:\Windows\system32\OLEACC.DLL
DriverUpdate-setup-4be168b7-7db4-4570-8386-5634697ca315.exe
Loading C:\Windows\system32\WINTRUST.DLL
DriverUpdate-setup-4be168b7-7db4-4570-8386-5634697ca315.exe
Loading C:\Windows\system32\GDIPLUS.DLL
DriverUpdate-setup-4be168b7-7db4-4570-8386-5634697ca315.exe
Loading C:\Windows\system32\MSASN1.DLL
Interactive malware hunting service ANY.RUN
© 2017-2026 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
strings3.zip