File name: | streamer.exe.zip |
Full analysis: | https://app.any.run/tasks/259c252c-9219-4873-ad34-947845238592 |
Verdict: | Malicious activity |
Analysis date: | December 02, 2019, 19:47:15 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Indicators: | |
MIME: | application/zip |
File info: | Zip archive data, at least v2.0 to extract |
MD5: | 9128DF388886D65336CBF242DED529AE |
SHA1: | B6D51FC987C8BAF30F972809D4359305BEF0389A |
SHA256: | 2C06A3F5FF262B96D7CC4132C9D1743FBCFF146135404B23B2C43A6AEF62C36B |
SSDEEP: | 12288:RZ16PCVK55cc2y+OJ4A/U23RhdtXFwcY2+1tFvOh52yin0tXc:r16PCIUgbUYREc3+vEmyin0tM |
.zip | | | ZIP compressed archive (100) |
---|
ZipFileName: | streamer.exe |
---|---|
ZipUncompressedSize: | 862216 |
ZipCompressedSize: | 439274 |
ZipCRC: | 0xf3d9b3c1 |
ZipModifyDate: | 2019:12:02 19:39:20 |
ZipCompression: | Deflated |
ZipBitFlag: | - |
ZipRequiredVersion: | 20 |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2128 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\streamer.exe.zip" | C:\Program Files\WinRAR\WinRAR.exe | — | explorer.exe |
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Version: 5.60.0 | ||||
1928 | "C:\Program Files\Notepad++\notepad++.exe" "C:\Users\admin\Desktop\streamer.exe" | C:\Program Files\Notepad++\notepad++.exe | explorer.exe | |
User: admin Company: Don HO [email protected] Integrity Level: MEDIUM Description: Notepad++ : a free (GNU) source code editor Exit code: 0 Version: 7.51 | ||||
3940 | "C:\Program Files\Notepad++\updater\gup.exe" -v7.51 | C:\Program Files\Notepad++\updater\gup.exe | notepad++.exe | |
User: admin Company: Don HO [email protected] Integrity Level: MEDIUM Description: GUP : a free (LGPL) Generic Updater Exit code: 0 Version: 4.1 | ||||
3852 | C:\Windows\system32\pcwrun.exe "C:\Users\admin\Desktop\streamer.exe" | C:\Windows\system32\pcwrun.exe | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Program Compatibility Troubleshooter Invoker Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
2764 | C:\Windows\System32\msdt.exe -path C:\Windows\diagnostics\index\PCWDiagnostic.xml -af C:\Users\admin\AppData\Local\Temp\PCW8DF.xml /skip TRUE | C:\Windows\System32\msdt.exe | pcwrun.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Diagnostics Troubleshooting Wizard Exit code: 1 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
516 | C:\Windows\System32\sdiagnhost.exe -Embedding | C:\Windows\System32\sdiagnhost.exe | — | svchost.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Scripted Diagnostics Native Host Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
2956 | "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\admin\AppData\Local\Temp\uxejne2w.cmdline" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | sdiagnhost.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Visual C# Command Line Compiler Exit code: 0 Version: 8.0.50727.4927 (NetFXspW7.050727-4900) | ||||
1812 | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\admin\AppData\Local\Temp\RES1014.tmp" "c:\Users\admin\AppData\Local\Temp\CSC1013.tmp" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | — | csc.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft® Resource File To COFF Object Conversion Utility Exit code: 0 Version: 8.00.50727.4940 (Win7SP1.050727-5400) | ||||
2176 | "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\admin\AppData\Local\Temp\w2fvyhxu.cmdline" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | sdiagnhost.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Visual C# Command Line Compiler Exit code: 0 Version: 8.0.50727.4927 (NetFXspW7.050727-4900) | ||||
3948 | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\admin\AppData\Local\Temp\RES115C.tmp" "c:\Users\admin\AppData\Local\Temp\CSC115B.tmp" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | — | csc.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft® Resource File To COFF Object Conversion Utility Exit code: 0 Version: 8.00.50727.4940 (Win7SP1.050727-5400) |
PID | Process | Filename | Type | |
---|---|---|---|---|
2128 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa2128.6541\streamer.exe | — | |
MD5:— | SHA256:— | |||
2956 | csc.exe | C:\Users\admin\AppData\Local\Temp\CSC1013.tmp | — | |
MD5:— | SHA256:— | |||
2956 | csc.exe | C:\Users\admin\AppData\Local\Temp\uxejne2w.pdb | — | |
MD5:— | SHA256:— | |||
1812 | cvtres.exe | C:\Users\admin\AppData\Local\Temp\RES1014.tmp | — | |
MD5:— | SHA256:— | |||
2956 | csc.exe | C:\Users\admin\AppData\Local\Temp\uxejne2w.dll | — | |
MD5:— | SHA256:— | |||
2956 | csc.exe | C:\Users\admin\AppData\Local\Temp\uxejne2w.out | — | |
MD5:— | SHA256:— | |||
2176 | csc.exe | C:\Users\admin\AppData\Local\Temp\CSC115B.tmp | — | |
MD5:— | SHA256:— | |||
3852 | pcwrun.exe | C:\Users\admin\AppData\Local\Temp\PCW8DF.xml | xml | |
MD5:48DF712113539C69B3B919C4B20A357C | SHA256:F9E5068E1C1EA40B78D8EF7958D08ADA90A3A471402A00C2F1D92A6E9E493222 | |||
516 | sdiagnhost.exe | C:\Users\admin\AppData\Local\Temp\uxejne2w.cmdline | text | |
MD5:CFAFE5992F936C781C3F6B08E9148CC6 | SHA256:49239133276A167F02615B2895B4AE5511AAF2E53FAF489AF35490A2C0DF6A3B | |||
2176 | csc.exe | C:\Users\admin\AppData\Local\Temp\w2fvyhxu.pdb | — | |
MD5:— | SHA256:— |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
— | — | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA%2Fz5hY5qj0aEmX0H4s05bY%3D | US | der | 1.47 Kb | whitelisted |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
— | — | 93.184.220.29:80 | ocsp.digicert.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted |
3940 | gup.exe | 104.31.88.28:443 | notepad-plus-plus.org | Cloudflare Inc | US | shared |
Domain | IP | Reputation |
---|---|---|
notepad-plus-plus.org |
| whitelisted |
ocsp.digicert.com |
| whitelisted |
Process | Message |
---|---|
notepad++.exe | VerifyLibrary: C:\Program Files\Notepad++\SciLexer.dll
|
notepad++.exe | VerifyLibrary: certificate revocation checking is disabled
|
notepad++.exe | 42C4C5846BB675C74E2B2C90C69AB44366401093
|
csc.exe |
*** HR originated: -2147024774
*** Source File: d:\iso_whid\x86fre\base\isolation\com\copyout.cpp, line 1302
|
csc.exe |
*** HR propagated: -2147024774
*** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144
|
csc.exe |
*** HR originated: -2147024774
*** Source File: d:\iso_whid\x86fre\base\isolation\com\copyout.cpp, line 1302
|
csc.exe |
*** HR propagated: -2147024774
*** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144
|
csc.exe |
*** HR originated: -2147024774
*** Source File: d:\iso_whid\x86fre\base\isolation\com\copyout.cpp, line 1302
|
csc.exe |
*** HR propagated: -2147024774
*** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144
|
csc.exe |
*** HR originated: -2147024774
*** Source File: d:\iso_whid\x86fre\base\isolation\com\copyout.cpp, line 1302
|