File name: | UMF.Installer_v0.53.5.zip |
Full analysis: | https://app.any.run/tasks/c1d12b27-72bf-4a02-9163-2c203e79cef0 |
Verdict: | Malicious activity |
Analysis date: | January 14, 2022, 19:54:37 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Indicators: | |
MIME: | application/zip |
File info: | Zip archive data, at least v2.0 to extract |
MD5: | 38F4392D0B6AC2017A456185543E4991 |
SHA1: | 1B017FB608FFA750ED99DB2687ADEA0FF9F240B0 |
SHA256: | 30A8F1AEC09F2CC225EC52C6CBAB9C6B541291525104DB9503450540789A1EF4 |
SSDEEP: | 196608:urNFc+geu7W2k1hA0EjU4eUGyVBhMuiTgX5E/25dJd72D96/uf:Z3euSEjU4eUG4liME/Mrd72pauf |
.zip | | | ZIP compressed archive (100) |
---|
ZipRequiredVersion: | 20 |
---|---|
ZipBitFlag: | - |
ZipCompression: | Deflated |
ZipModifyDate: | 2021:12:26 02:45:16 |
ZipCRC: | 0x7d65cb12 |
ZipCompressedSize: | 9118188 |
ZipUncompressedSize: | 10467840 |
ZipFileName: | UMF.Installer.exe |
PID | CMD | Path | Indicators | Parent process | |||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
2396 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\UMF.Installer_v0.53.5.zip" | C:\Program Files\WinRAR\WinRAR.exe | Explorer.EXE | ||||||||||||
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Exit code: 0 Version: 5.91.0 Modules
| |||||||||||||||
3568 | "C:\Users\admin\AppData\Local\Temp\Rar$EXa2396.24771\UMF.Installer.exe" | C:\Users\admin\AppData\Local\Temp\Rar$EXa2396.24771\UMF.Installer.exe | — | WinRAR.exe | |||||||||||
User: admin Company: umodframework.com Integrity Level: MEDIUM Description: uMod Framework Installer Exit code: 3221226540 Version: 0.53.5 Modules
| |||||||||||||||
2268 | "C:\Users\admin\AppData\Local\Temp\Rar$EXa2396.24771\UMF.Installer.exe" | C:\Users\admin\AppData\Local\Temp\Rar$EXa2396.24771\UMF.Installer.exe | WinRAR.exe | ||||||||||||
User: admin Company: umodframework.com Integrity Level: HIGH Description: uMod Framework Installer Exit code: 3762504530 Version: 0.53.5 Modules
| |||||||||||||||
2944 | "C:\Users\admin\AppData\Local\Temp\Rar$EXa2396.26296\UMF.Installer.exe" | C:\Users\admin\AppData\Local\Temp\Rar$EXa2396.26296\UMF.Installer.exe | — | WinRAR.exe | |||||||||||
User: admin Company: umodframework.com Integrity Level: MEDIUM Description: uMod Framework Installer Exit code: 3221226540 Version: 0.53.5 Modules
| |||||||||||||||
3612 | "C:\Users\admin\AppData\Local\Temp\Rar$EXa2396.26296\UMF.Installer.exe" | C:\Users\admin\AppData\Local\Temp\Rar$EXa2396.26296\UMF.Installer.exe | WinRAR.exe | ||||||||||||
User: admin Company: umodframework.com Integrity Level: HIGH Description: uMod Framework Installer Exit code: 3762504530 Version: 0.53.5 Modules
| |||||||||||||||
2800 | "C:\Users\admin\Desktop\UMF.Installer.exe" | C:\Users\admin\Desktop\UMF.Installer.exe | — | Explorer.EXE | |||||||||||
User: admin Company: umodframework.com Integrity Level: MEDIUM Description: uMod Framework Installer Exit code: 3221226540 Version: 0.53.5 Modules
| |||||||||||||||
1972 | "C:\Users\admin\Desktop\UMF.Installer.exe" | C:\Users\admin\Desktop\UMF.Installer.exe | Explorer.EXE | ||||||||||||
User: admin Company: umodframework.com Integrity Level: HIGH Description: uMod Framework Installer Exit code: 3762504530 Version: 0.53.5 Modules
| |||||||||||||||
1968 | "C:\Program Files\Windows Defender\MSASCui.exe" | C:\Program Files\Windows Defender\MSASCui.exe | — | Explorer.EXE | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Defender User Interface Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
2236 | "C:\Windows\explorer.exe" | C:\Windows\explorer.exe | — | Explorer.EXE | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Explorer Exit code: 1 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
3840 | "C:\Program Files\Google\Chrome\Application\chrome.exe" | C:\Program Files\Google\Chrome\Application\chrome.exe | Explorer.EXE | ||||||||||||
User: admin Company: Google LLC Integrity Level: MEDIUM Description: Google Chrome Version: 86.0.4240.198 Modules
|
PID | Process | Filename | Type | |
---|---|---|---|---|
3840 | chrome.exe | C:\Users\admin\AppData\Local\Google\Chrome\User Data\BrowserMetrics\BrowserMetrics-61E1D555-F00.pma | — | |
MD5:— | SHA256:— | |||
2396 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa2396.26296\UMF.Installer.exe | executable | |
MD5:DA9F91FDC1B32EB81364B00A8935BFCB | SHA256:9BDBB68C8E4F067A66A899B2F5811484C4F06268A14E3BF9C570AEC5C9873327 | |||
3840 | chrome.exe | C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Preferences | text | |
MD5:08FF8B79FFDA0181B140239BA5D9ACBF | SHA256:6EF9D660996C97414261FE43AB37603FC2B956D9155774AE631959C36B36CF81 | |||
3840 | chrome.exe | C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\a626a656-d2e9-454d-9c60-01aa6f5649b2.tmp | text | |
MD5:08FF8B79FFDA0181B140239BA5D9ACBF | SHA256:6EF9D660996C97414261FE43AB37603FC2B956D9155774AE631959C36B36CF81 | |||
2396 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa2396.26732\UMF.Installer.exe | executable | |
MD5:DA9F91FDC1B32EB81364B00A8935BFCB | SHA256:9BDBB68C8E4F067A66A899B2F5811484C4F06268A14E3BF9C570AEC5C9873327 | |||
2396 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa2396.24771\UMF.Installer.exe | executable | |
MD5:DA9F91FDC1B32EB81364B00A8935BFCB | SHA256:9BDBB68C8E4F067A66A899B2F5811484C4F06268A14E3BF9C570AEC5C9873327 | |||
3840 | chrome.exe | C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Session Storage\LOG.old | text | |
MD5:995C92837E4775CAFFE387D51ADBA520 | SHA256:51247C3464FD988B72670002D01A57FBFF1348704D325DC8FF8817ED2459D0D9 | |||
3840 | chrome.exe | C:\Users\admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat | binary | |
MD5:9C016064A1F864C8140915D77CF3389A | SHA256:0E7265D4A8C16223538EDD8CD620B8820611C74538E420A88E333BE7F62AC787 | |||
3840 | chrome.exe | C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\LOG.old | text | |
MD5:7721CDA9F5B73CE8A135471EB53B4E0E | SHA256:DD730C576766A46FFC84E682123248ECE1FF1887EC0ACAB22A5CE93A450F4500 | |||
3840 | chrome.exe | C:\Users\admin\AppData\Local\Google\Chrome\User Data\Last Version | text | |
MD5:00046F773EFDD3C8F8F6D0F87A2B93DC | SHA256:593EDE11D17AF7F016828068BCA2E93CF240417563FB06DC8A579110AEF81731 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
860 | svchost.exe | HEAD | 302 | 142.250.185.110:80 | http://redirector.gvt1.com/edgedl/release2/chrome_component/adys6mm2sd23z36ns7e4hcs4hrqq_1.3.36.111/ihnlcenocehgdaegdmhbidjhnhdchfmm_1.3.36.111_win_ac5lwr5427en7czu7myxmee6c7xq.crx3 | US | — | — | whitelisted |
860 | svchost.exe | HEAD | 403 | 34.104.35.123:80 | http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adys6mm2sd23z36ns7e4hcs4hrqq_1.3.36.111/ihnlcenocehgdaegdmhbidjhnhdchfmm_1.3.36.111_win_ac5lwr5427en7czu7myxmee6c7xq.crx3 | US | — | — | whitelisted |
860 | svchost.exe | HEAD | 200 | 173.194.5.234:80 | http://r5---sn-aigzrn7l.gvt1.com/edgedl/release2/chrome_component/adys6mm2sd23z36ns7e4hcs4hrqq_1.3.36.111/ihnlcenocehgdaegdmhbidjhnhdchfmm_1.3.36.111_win_ac5lwr5427en7czu7myxmee6c7xq.crx3?cms_redirect=yes&mh=8t&mip=185.192.69.73&mm=28&mn=sn-aigzrn7l&ms=nvh&mt=1642189949&mv=m&mvi=5&pl=25&rmhost=r3---sn-aigzrn7l.gvt1.com&shardbypass=yes&smhost=r3---sn-aigzrn7e.gvt1.com | US | — | — | whitelisted |
860 | svchost.exe | GET | 206 | 173.194.5.234:80 | http://r5---sn-aigzrn7l.gvt1.com/edgedl/release2/chrome_component/adys6mm2sd23z36ns7e4hcs4hrqq_1.3.36.111/ihnlcenocehgdaegdmhbidjhnhdchfmm_1.3.36.111_win_ac5lwr5427en7czu7myxmee6c7xq.crx3?cms_redirect=yes&mh=8t&mip=185.192.69.73&mm=28&mn=sn-aigzrn7l&ms=nvh&mt=1642189949&mv=m&mvi=5&pl=25&rmhost=r3---sn-aigzrn7l.gvt1.com&shardbypass=yes&smhost=r3---sn-aigzrn7e.gvt1.com | US | binary | 9.46 Kb | whitelisted |
860 | svchost.exe | GET | 206 | 173.194.5.234:80 | http://r5---sn-aigzrn7l.gvt1.com/edgedl/release2/chrome_component/adys6mm2sd23z36ns7e4hcs4hrqq_1.3.36.111/ihnlcenocehgdaegdmhbidjhnhdchfmm_1.3.36.111_win_ac5lwr5427en7czu7myxmee6c7xq.crx3?cms_redirect=yes&mh=8t&mip=185.192.69.73&mm=28&mn=sn-aigzrn7l&ms=nvh&mt=1642189949&mv=m&mvi=5&pl=25&rmhost=r3---sn-aigzrn7l.gvt1.com&shardbypass=yes&smhost=r3---sn-aigzrn7e.gvt1.com | US | binary | 43.2 Kb | whitelisted |
860 | svchost.exe | GET | 302 | 142.250.185.110:80 | http://redirector.gvt1.com/edgedl/release2/chrome_component/adys6mm2sd23z36ns7e4hcs4hrqq_1.3.36.111/ihnlcenocehgdaegdmhbidjhnhdchfmm_1.3.36.111_win_ac5lwr5427en7czu7myxmee6c7xq.crx3 | US | html | 614 b | whitelisted |
3648 | chrome.exe | GET | 302 | 142.250.185.110:80 | http://redirector.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvNzI0QUFXNV9zT2RvdUwyMERESEZGVmJnQQ/1.0.0.6_nmmhkkegccagdldgiimedpiccmgmieda.crx | US | html | 593 b | whitelisted |
860 | svchost.exe | GET | 206 | 173.194.5.234:80 | http://r5---sn-aigzrn7l.gvt1.com/edgedl/release2/chrome_component/adys6mm2sd23z36ns7e4hcs4hrqq_1.3.36.111/ihnlcenocehgdaegdmhbidjhnhdchfmm_1.3.36.111_win_ac5lwr5427en7czu7myxmee6c7xq.crx3?cms_redirect=yes&mh=8t&mip=185.192.69.73&mm=28&mn=sn-aigzrn7l&ms=nvh&mt=1642189949&mv=m&mvi=5&pl=25&rmhost=r3---sn-aigzrn7l.gvt1.com&shardbypass=yes&smhost=r3---sn-aigzrn7e.gvt1.com | US | binary | 20.7 Kb | whitelisted |
860 | svchost.exe | GET | 206 | 173.194.5.234:80 | http://r5---sn-aigzrn7l.gvt1.com/edgedl/release2/chrome_component/adys6mm2sd23z36ns7e4hcs4hrqq_1.3.36.111/ihnlcenocehgdaegdmhbidjhnhdchfmm_1.3.36.111_win_ac5lwr5427en7czu7myxmee6c7xq.crx3?cms_redirect=yes&mh=8t&mip=185.192.69.73&mm=28&mn=sn-aigzrn7l&ms=nvh&mt=1642189949&mv=m&mvi=5&pl=25&rmhost=r3---sn-aigzrn7l.gvt1.com&shardbypass=yes&smhost=r3---sn-aigzrn7e.gvt1.com | US | binary | 9.44 Kb | whitelisted |
860 | svchost.exe | GET | 302 | 142.250.185.110:80 | http://redirector.gvt1.com/edgedl/release2/chrome_component/adys6mm2sd23z36ns7e4hcs4hrqq_1.3.36.111/ihnlcenocehgdaegdmhbidjhnhdchfmm_1.3.36.111_win_ac5lwr5427en7czu7myxmee6c7xq.crx3 | US | html | 614 b | whitelisted |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3648 | chrome.exe | 142.250.185.74:443 | fonts.googleapis.com | Google Inc. | US | whitelisted |
3648 | chrome.exe | 142.250.186.163:443 | fonts.gstatic.com | Google Inc. | US | whitelisted |
3648 | chrome.exe | 142.250.186.174:443 | apis.google.com | Google Inc. | US | whitelisted |
3648 | chrome.exe | 142.250.181.227:443 | clientservices.googleapis.com | Google Inc. | US | whitelisted |
3648 | chrome.exe | 34.104.35.123:80 | edgedl.me.gvt1.com | — | US | whitelisted |
3648 | chrome.exe | 142.250.185.68:443 | www.google.com | Google Inc. | US | whitelisted |
3648 | chrome.exe | 142.250.185.238:443 | clients2.google.com | Google Inc. | US | whitelisted |
3124 | WerFault.exe | 52.168.117.172:443 | watson.microsoft.com | Microsoft Corporation | US | suspicious |
3648 | chrome.exe | 172.217.16.131:443 | update.googleapis.com | Google Inc. | US | whitelisted |
3648 | chrome.exe | 142.250.185.227:443 | www.gstatic.com | Google Inc. | US | whitelisted |
Domain | IP | Reputation |
---|---|---|
watson.microsoft.com |
| whitelisted |
clients2.google.com |
| whitelisted |
accounts.google.com |
| shared |
www.google.com |
| whitelisted |
fonts.googleapis.com |
| whitelisted |
www.gstatic.com |
| whitelisted |
fonts.gstatic.com |
| whitelisted |
apis.google.com |
| whitelisted |
clientservices.googleapis.com |
| whitelisted |
update.googleapis.com |
| whitelisted |
PID | Process | Class | Message |
---|---|---|---|
— | — | Potentially Bad Traffic | ET DNS Query for .to TLD |
— | — | Potentially Bad Traffic | ET DNS Query for .to TLD |
— | — | Potentially Bad Traffic | ET DNS Query for .to TLD |
3648 | chrome.exe | Potentially Bad Traffic | ET INFO Observed ZeroSSL SSL/TLS Certificate |
3648 | chrome.exe | Potentially Bad Traffic | ET INFO Observed ZeroSSL SSL/TLS Certificate |
3648 | chrome.exe | Potentially Bad Traffic | ET INFO Observed ZeroSSL SSL/TLS Certificate |
3648 | chrome.exe | Potentially Bad Traffic | ET INFO Observed ZeroSSL SSL/TLS Certificate |
3800 | PCOptimizerProSetup_STD.exe | A Network Trojan was detected | ET USER_AGENTS Suspicious User Agent (Microsoft Internet Explorer) |
3800 | PCOptimizerProSetup_STD.exe | Potentially Bad Traffic | ET INFO Observed ZeroSSL SSL/TLS Certificate |
3800 | PCOptimizerProSetup_STD.exe | Potentially Bad Traffic | ET INFO Observed ZeroSSL SSL/TLS Certificate |
Process | Message |
---|---|
regsvr32.exe | HKCR
{
NoRemove CLSID
{
ForceRemove {203ABD21-41F1-4F1B-BAE3-D6A89A90D239} = s 'PCProCtxMenu Class'
{
InprocServer32 = s 'C:\Program Files\PC Optimizer Pro\PCOptProCtxMenu.dll'
{
val ThreadingModel = s 'Apartment'
}
}
}
NoRemove *
{
NoRemove ShellEx
{
NoRemove ContextMenuHandlers
{
ForceRemove PCProCtxMenu = s '{203ABD21-41F1-4F1B-BAE3-D6A89A90D239}'
}
}
}
NoRemove lnkfile
{
NoRemove ShellEx
{
NoRemove ContextMenuHandlers
{
ForceRemove PCProCtxMenu = s '{203ABD21-41F1-4F1B-BAE3-D6A89A90D239}'
}
}
}
}
|
regsvr32.exe | HKCR
{
NoRemove CLSID
{
ForceRemove {203ABD21-41F1-4F1B-BAE3-D6A89A90D239} = s 'PCProCtxMenu Class'
{
InprocServer32 = s 'C:\Program Files\PC Optimizer Pro\PCOptProCtxMenu.dll'
{
val ThreadingModel = s 'Apartment'
}
}
}
NoRemove *
{
NoRemove ShellEx
{
NoRemove ContextMenuHandlers
{
ForceRemove PCProCtxMenu = s '{203ABD21-41F1-4F1B-BAE3-D6A89A90D239}'
}
}
}
NoRemove lnkfile
{
NoRemove ShellEx
{
NoRemove ContextMenuHandlers
{
ForceRemove PCProCtxMenu = s '{203ABD21-41F1-4F1B-BAE3-D6A89A90D239}'
}
}
}
}
|
PCOptimizerProSetup_STD.exe |
strData:8044520824 |
PCOptimizerProSetup_STD.exe |
Initial:aH77qbHab7 |
PCOptimizerProSetup_STD.exe |
Target:9hVTp |
PCOptimizerProSetup_STD.exe |
Target:aH77qbHab79hVTp |
PCOptimizerPro.exe |
:N
Need Help? Dial
Toll Free: 1-866-364-6553:
|
PCOptimizerPro.exe |
:N
Need Help? Dial
Toll Free: 1-866-364-6553:
|