File name: | UserOverflow.zip |
Full analysis: | https://app.any.run/tasks/51ac5875-c56e-4ecf-acba-a381cb01e756 |
Verdict: | Malicious activity |
Analysis date: | November 30, 2020, 02:55:39 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Indicators: | |
MIME: | application/zip |
File info: | Zip archive data, at least v5.1 to extract |
MD5: | E63EB8701ABEAFC17E18807F996A2C4B |
SHA1: | E11387F6C188416F43E1A72F4FFDD759F4E43E54 |
SHA256: | 7EAFD43C18F9613D762567CB5E00D58DF71208D6B94C23D634DAEC42170E0D6C |
SSDEEP: | 12288:3vKCI7fDejRGO3Aq/GYakzIbNmUywpTMwWEMnPz4:fKCI7mLANFkGtMwlyL4 |
.zip | | | ZIP compressed archive (100) |
---|
ZipRequiredVersion: | 51 |
---|---|
ZipBitFlag: | 0x0001 |
ZipCompression: | Unknown (99) |
ZipModifyDate: | 2018:12:02 22:04:29 |
ZipCRC: | 0x00000000 |
ZipCompressedSize: | 577729 |
ZipUncompressedSize: | 591872 |
ZipFileName: | [email protected] |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
1724 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\UserOverflow.zip" | C:\Program Files\WinRAR\WinRAR.exe | explorer.exe | |
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Exit code: 1073807364 Version: 5.60.0 | ||||
1744 | "C:\Users\admin\AppData\Local\Temp\Rar$EXb1724.29542\[email protected]" | C:\Users\admin\AppData\Local\Temp\Rar$EXb1724.29542\[email protected] | — | WinRAR.exe |
User: admin Company: Endermanch Integrity Level: MEDIUM Description: A program overflowing user quantity in Windows Exit code: 0 Version: 1.0.0.2 | ||||
3672 | "C:\Program Files\Internet Explorer\iexplore.exe" https://youtube.com/endermanch | C:\Program Files\Internet Explorer\iexplore.exe | — | [email protected] |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Internet Explorer Exit code: 1 Version: 11.00.9600.16428 (winblue_gdr.131013-1700) | ||||
2952 | "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:3672 CREDAT:267521 /prefetch:2 | C:\Program Files\Internet Explorer\iexplore.exe | iexplore.exe | |
User: admin Company: Microsoft Corporation Integrity Level: LOW Description: Internet Explorer Exit code: 0 Version: 11.00.9600.16428 (winblue_gdr.131013-1700) | ||||
2800 | "C:\Windows\System32\net.exe" user user1 death /add | C:\Windows\System32\net.exe | — | [email protected] |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Net Command Exit code: 2 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
2964 | "C:\Windows\System32\net.exe" user user2 death /add | C:\Windows\System32\net.exe | — | [email protected] |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Net Command Exit code: 2 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
2088 | "C:\Windows\System32\net.exe" user user3 death /add | C:\Windows\System32\net.exe | — | [email protected] |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Net Command Exit code: 2 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
1196 | "C:\Windows\System32\net.exe" user user4 death /add | C:\Windows\System32\net.exe | — | [email protected] |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Net Command Exit code: 2 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
1096 | "C:\Windows\System32\net.exe" user user5 death /add | C:\Windows\System32\net.exe | — | [email protected] |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Net Command Exit code: 2 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
2156 | C:\Windows\system32\net1 user user1 death /add | C:\Windows\system32\net1.exe | — | net.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Net Command Exit code: 2 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) |
PID | Process | Filename | Type | |
---|---|---|---|---|
2952 | iexplore.exe | C:\Users\admin\AppData\Local\Temp\Low\Cab2AA3.tmp | — | |
MD5:— | SHA256:— | |||
2952 | iexplore.exe | C:\Users\admin\AppData\Local\Temp\Low\Tar2AA4.tmp | — | |
MD5:— | SHA256:— | |||
3672 | iexplore.exe | C:\Users\admin\AppData\Local\Temp\~DFAE7F9DB9AFCC2313.TMP | — | |
MD5:— | SHA256:— | |||
3672 | iexplore.exe | C:\Users\admin\AppData\Local\Temp\~DFA9D94A04317A0012.TMP | — | |
MD5:— | SHA256:— | |||
3672 | iexplore.exe | C:\Users\admin\AppData\Local\Temp\~DF0895F8333AFB122F.TMP | — | |
MD5:— | SHA256:— | |||
3672 | iexplore.exe | C:\Users\admin\AppData\Local\Temp\~DF4BE6593B18847989.TMP | — | |
MD5:— | SHA256:— | |||
3672 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Internet Explorer\Recovery\Active\RecoveryStore.{BCFFF6AD-32B7-11EB-8E7A-12A9866C77DE}.dat | — | |
MD5:— | SHA256:— | |||
2952 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CFE86DBBE02D859DC92F1E17E0574EE8_46766FC45507C0B9E264E4C18BC7288B | binary | |
MD5:8F8A553DF8870F1BC9F6AEBE981BE8E7 | SHA256:4CE227259BF8A72F865A17EC1A43AAA48EC5B479AFC5065C934272C18A9B5A20 | |||
3672 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Internet Explorer\Recovery\Last Active\RecoveryStore.{42A7EDC2-DE02-11E9-92C0-5254004A04AF}.dat | binary | |
MD5:CB50C829C8A78515AF2FB2B1CEB51AB2 | SHA256:1CBBF056A9ECBD707696340E5A1C89CB6D61CE164A72E0CA275BFCAF73D4869E | |||
3672 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Internet Explorer\Recovery\Last Active\{BCFFF6B0-32B7-11EB-8E7A-12A9866C77DE}.dat | binary | |
MD5:6D2C586BF21A03CFBE0F41DB22BBB7F5 | SHA256:38FC702F7B843AF3036DB325DA7C07C5B9C42DE6AF6BB63F993FFF65A5D4FBF1 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
2952 | iexplore.exe | GET | 200 | 172.217.18.99:80 | http://ocsp.pki.goog/gts1o1core/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBRCRjDCJxnb3nDwj%2Fxz5aZfZjgXvAQUmNH4bhDrz5vsYJ8YkBug630J%2FSsCEQD76E8xQFZstgIAAAAAgFWS | US | der | 472 b | whitelisted |
1528 | werfault.exe | GET | — | 13.88.21.125:80 | http://watson.microsoft.com/StageOne/Generic/AppHangB1/dllhost_exe/6_1_7600_16385/4a5bc6b7/2a4b/0.htm?LCID=1033&OS=6.1.7601.2.00010100.1.0.48.17514&SM=DELL&SPN=DELL&BV=DELL&MID=3ADE2C42-4AB9-49B7-B142-BE9AEEA69063 | US | — | — | whitelisted |
2952 | iexplore.exe | GET | 200 | 172.217.18.99:80 | http://ocsp.pki.goog/gsr2/ME4wTDBKMEgwRjAJBgUrDgMCGgUABBTgXIsxbvr2lBkPpoIEVRE6gHlCnAQUm%2BIHV2ccHsBqBt5ZtJot39wZhi4CDQHjtJqhjYqpgSVpULg%3D | US | der | 468 b | whitelisted |
2952 | iexplore.exe | GET | 200 | 172.217.18.99:80 | http://ocsp.pki.goog/gsr2/ME4wTDBKMEgwRjAJBgUrDgMCGgUABBTgXIsxbvr2lBkPpoIEVRE6gHlCnAQUm%2BIHV2ccHsBqBt5ZtJot39wZhi4CDQHjtJqhjYqpgSVpULg%3D | US | der | 468 b | whitelisted |
2952 | iexplore.exe | GET | 200 | 172.217.18.99:80 | http://ocsp.pki.goog/gts1o1core/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBRCRjDCJxnb3nDwj%2Fxz5aZfZjgXvAQUmNH4bhDrz5vsYJ8YkBug630J%2FSsCEQD76E8xQFZstgIAAAAAgFWS | US | der | 472 b | whitelisted |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2952 | iexplore.exe | 172.217.18.99:80 | ocsp.pki.goog | Google Inc. | US | whitelisted |
1528 | werfault.exe | 13.88.21.125:80 | watson.microsoft.com | Microsoft Corporation | US | suspicious |
2952 | iexplore.exe | 64.233.169.190:443 | www.youtube.com | Google Inc. | US | unknown |
2952 | iexplore.exe | 64.233.168.91:443 | youtube.com | Google Inc. | US | unknown |
Domain | IP | Reputation |
---|---|---|
youtube.com |
| whitelisted |
ocsp.pki.goog |
| whitelisted |
www.youtube.com |
| whitelisted |
watson.microsoft.com |
| whitelisted |
PID | Process | Class | Message |
---|---|---|---|
1528 | werfault.exe | Potential Corporate Privacy Violation | ET POLICY Application Crash Report Sent to Microsoft |
1528 | werfault.exe | Unknown Traffic | ET USER_AGENTS Microsoft Dr Watson User-Agent (MSDW) |