File name: | FW Error screen.zip |
Full analysis: | https://app.any.run/tasks/28b79608-39eb-456c-89fb-12874dd05a83 |
Verdict: | Malicious activity |
Analysis date: | November 15, 2018, 06:23:14 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Indicators: | |
MIME: | application/zip |
File info: | Zip archive data, at least v2.0 to extract |
MD5: | BC482A3ED40F8F3412F0AC1DC2599CB7 |
SHA1: | EAF125FD984DB22D1B236B91B5C907EE830A605F |
SHA256: | 88B7BEB41FFA35FEE315C97DDCC571D1B558B898AD5E13B06E2DB15DCD524DE7 |
SSDEEP: | 6144:BMBS9uOHZxoUZtF270B23M7j2FxyDVsN6s0xMbd5nFCutIxbcE8u+7HzThVLy:BMBuXH/oUB270B23kq8VsNtKM38yIhZv |
.zip | | | ZIP compressed archive (100) |
---|
ZipRequiredVersion: | 20 |
---|---|
ZipBitFlag: | - |
ZipCompression: | Deflated |
ZipModifyDate: | 2018:11:15 11:48:11 |
ZipCRC: | 0x91a9bc50 |
ZipCompressedSize: | 338199 |
ZipUncompressedSize: | 373760 |
ZipFileName: | FW Error screen.msg |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2936 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\FW Error screen.zip" | C:\Program Files\WinRAR\WinRAR.exe | — | explorer.exe |
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Version: 5.60.0 | ||||
1960 | "C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE" /f "C:\Users\admin\AppData\Local\Temp\Rar$DIa2936.4062\FW Error screen.msg" | C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE | WinRAR.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Outlook Exit code: 0 Version: 14.0.6025.1000 | ||||
3636 | "C:\Windows\system32\rmactivate.exe" | C:\Windows\system32\rmactivate.exe | OUTLOOK.EXE | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Rights Management Services Activation for Desktop Security Processor Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
3584 | "C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE" /f "C:\Users\admin\Desktop\FW Error screen.msg" | C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE | explorer.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Outlook Version: 14.0.6025.1000 |
PID | Process | Filename | Type | |
---|---|---|---|---|
1960 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Temp\CVRE9AF.tmp.cvr | — | |
MD5:— | SHA256:— | |||
1960 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RB73MZ6Y\ServiceLocator[1].asmx | — | |
MD5:— | SHA256:— | |||
3636 | rmactivate.exe | C:\Users\admin\AppData\Local\Temp\CabF604.tmp | — | |
MD5:— | SHA256:— | |||
3636 | rmactivate.exe | C:\Users\admin\AppData\Local\Temp\TarF605.tmp | — | |
MD5:— | SHA256:— | |||
1960 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0UU90R59\ErrorPageTemplate[1] | — | |
MD5:— | SHA256:— | |||
1960 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RB73MZ6Y\errorPageStrings[1] | — | |
MD5:— | SHA256:— | |||
1960 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\R9ZEWH8D\httpErrorPagesScripts[1] | — | |
MD5:— | SHA256:— | |||
1960 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\IZR9TV1Q\message.rpmsg | rpmsg | |
MD5:8A8284A7D34CF939FEB79B62ACE7F08A | SHA256:E1CA037E03803222EA1FCE69534252732F6F03963621A415F720B0C45C748084 | |||
1960 | OUTLOOK.EXE | C:\Users\admin\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\E02357FC7708441D4B0BE5F371F4B28961870F70 | binary | |
MD5:DA6C793FB0533AF0139A6D76C9956547 | SHA256:BCEC4BFFD8EE03E0FDF1C1577EF4635AC08DB1F94CF07B0C406A6B3A171E9E1D | |||
2936 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DIa2936.4062\FW Error screen.msg | msg | |
MD5:40401D8D3FCA77006D6CC06546747AB2 | SHA256:EF9237E574E0FE6756CA6941C6473434AF6D22B78B1299521E20D27F6B645BE0 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
1960 | OUTLOOK.EXE | GET | 302 | 104.111.243.236:80 | http://go.microsoft.com/fwlink/?LinkId=5998&LANGID=1033 | NL | — | — | whitelisted |
3584 | OUTLOOK.EXE | GET | 302 | 104.111.243.236:80 | http://go.microsoft.com/fwlink/?LinkId=5998&LANGID=1033 | NL | — | — | whitelisted |
3636 | rmactivate.exe | GET | 200 | 2.16.186.74:80 | http://crl.microsoft.com/pki/crl/products/MicrosoftTimeStampPCA.crl | unknown | der | 550 b | whitelisted |
3636 | rmactivate.exe | GET | 200 | 2.16.186.74:80 | http://crl.microsoft.com/pki/crl/products/microsoftrootcert.crl | unknown | der | 781 b | whitelisted |
3584 | OUTLOOK.EXE | GET | 200 | 2.16.186.74:80 | http://crl.microsoft.com/pki/crl/products/tspca.crl | unknown | der | 521 b | whitelisted |
3584 | OUTLOOK.EXE | GET | 200 | 2.16.186.74:80 | http://crl.microsoft.com/pki/crl/products/CSPCA.crl | unknown | der | 506 b | whitelisted |
3636 | rmactivate.exe | GET | 200 | 2.16.186.74:80 | http://crl.microsoft.com/pki/crl/products/WinPCA.crl | unknown | der | 530 b | whitelisted |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
1960 | OUTLOOK.EXE | 13.107.6.181:443 | 6e7e26ce-8ca5-41b5-a6bd-d8192a7abe2e.rms.ap.aadrm.com | Microsoft Corporation | US | suspicious |
1960 | OUTLOOK.EXE | 104.111.243.236:80 | go.microsoft.com | Akamai International B.V. | NL | whitelisted |
3584 | OUTLOOK.EXE | 2.16.186.74:80 | crl.microsoft.com | Akamai International B.V. | — | whitelisted |
3636 | rmactivate.exe | 2.16.186.74:80 | crl.microsoft.com | Akamai International B.V. | — | whitelisted |
3584 | OUTLOOK.EXE | 13.107.6.181:443 | 6e7e26ce-8ca5-41b5-a6bd-d8192a7abe2e.rms.ap.aadrm.com | Microsoft Corporation | US | suspicious |
3584 | OUTLOOK.EXE | 104.111.243.236:80 | go.microsoft.com | Akamai International B.V. | NL | whitelisted |
3584 | OUTLOOK.EXE | 65.55.61.29:443 | certification.drm.microsoft.com | Microsoft Corporation | US | whitelisted |
1960 | OUTLOOK.EXE | 65.55.61.29:443 | certification.drm.microsoft.com | Microsoft Corporation | US | whitelisted |
Domain | IP | Reputation |
---|---|---|
6e7e26ce-8ca5-41b5-a6bd-d8192a7abe2e.rms.ap.aadrm.com |
| suspicious |
crl.microsoft.com |
| whitelisted |
go.microsoft.com |
| whitelisted |
certification.drm.microsoft.com |
| whitelisted |