Field | Value
---|---
File name | renew_1.1-BETA.cab
Full analysis | https://app.any.run/tasks/a7bbcefb-75e4-444f-9e72-148a780e6fbc
Verdict | Malicious activity
Analysis date | August 12, 2022, 14:35:46
OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators | 
MIME | application/vnd.ms-cab-compressed
File info | Microsoft Cabinet archive data, 506781 bytes, 10 files
MD5 | AE6D5B1371515116AE985F26DAC1779B
SHA1 | 1A8D88609FD09439768D1F112F7D069721821CF2
SHA256 | 73F25BAE88DE3247B8068EA86286A5E88F48FC86267AA56C37847A4E81814157
SSDEEP | 12288:Z2hdWUDsvNDN/JjO29oHOcwaMt9A0VjDLn6I7IkFYR4:ZGdWLvNZ/Jjf6HVwaMX5DLZPJ
File type | .cab: Microsoft Cabinet Archive (100)
PID | CMD | Path | Indicators | Parent process | Details
---|---|---|---|---|---
3428 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\renew_1.1-BETA.cab" | C:\Program Files\WinRAR\WinRAR.exe | | Explorer.EXE | User: admin; Company: Alexander Roshal; Integrity Level: MEDIUM; Description: WinRAR archiver; Version: 5.91.0
2904 | "C:\Windows\explorer.exe" | C:\Windows\explorer.exe | — | Explorer.EXE | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows Explorer; Exit code: 1; Version: 6.1.7600.16385 (win7_rtm.090713-1255)
2180 | "C:\Users\admin\Downloads\PasswdRenew.exe" | C:\Users\admin\Downloads\PasswdRenew.exe | — | Explorer.EXE | User: admin; Integrity Level: MEDIUM
3100 | "C:\Program Files\Notepad++\notepad++.exe" "C:\Users\admin\Downloads\salapasswd.inf" | C:\Program Files\Notepad++\notepad++.exe | | Explorer.EXE | User: admin; Company: Don HO; Integrity Level: MEDIUM; Description: Notepad++ : a free (GNU) source code editor; Exit code: 0; Version: 7.91
3380 | C:\Windows\system32\cmd.exe /c ""C:\Users\admin\Downloads\salapasswd.CMD" " | C:\Windows\system32\cmd.exe | — | Explorer.EXE | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows Command Processor; Exit code: 0; Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
2312 | PasswdRenew.exe | C:\Users\admin\Downloads\PasswdRenew.exe | — | cmd.exe | User: admin; Integrity Level: MEDIUM; Exit code: 0
3944 | C:\Windows\system32\cmd.exe /c ""C:\Users\admin\Downloads\salapasswd.CMD" " | C:\Windows\system32\cmd.exe | — | Explorer.EXE | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows Command Processor; Exit code: 0; Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
3828 | PasswdRenew.exe | C:\Users\admin\Downloads\PasswdRenew.exe | — | cmd.exe | User: admin; Integrity Level: MEDIUM; Exit code: 0
3284 | "C:\Program Files\Notepad++\notepad++.exe" "C:\Users\admin\Downloads\salapasswd_nu2menu.xml" | C:\Program Files\Notepad++\notepad++.exe | | Explorer.EXE | User: admin; Company: Don HO; Integrity Level: MEDIUM; Description: Notepad++ : a free (GNU) source code editor; Exit code: 0; Version: 7.91
2108 | "C:\Program Files\Google\Chrome\Application\chrome.exe" | C:\Program Files\Google\Chrome\Application\chrome.exe | | Explorer.EXE | User: admin; Company: Google LLC; Integrity Level: MEDIUM; Description: Google Chrome; Version: 86.0.4240.198
PID | Process | Filename | Type | MD5 | SHA256
---|---|---|---|---|---
3428 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\renew_1.1-BETA\salapasswd.inf | binary | 900FA0798BBF0AC4319B8BB05862ABDD | B67C9AC2ADD76DC398561EB71625044A517ACECB52920A650A690AE87774163B
3428 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\renew_1.1-BETA\11_e.jpg | image | FB7B544307BBF5E757165D0E0421B48E | D6F493E4435092735AB47E1F3A57A1AE554BF53EF37FF4A88D63934D5CEAE24C
3428 | WinRAR.exe | C:\Users\admin\Downloads\11_e.jpg | image | FB7B544307BBF5E757165D0E0421B48E | D6F493E4435092735AB47E1F3A57A1AE554BF53EF37FF4A88D63934D5CEAE24C
3428 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\renew_1.1-BETA\salapasswd_nu2menu.xml | text | 34E3454B41BF9D76D195F91C203C028B | 41B0A13A3D39274F39E278407CC44CBD85D903CF52B0B96DA1ECFFEEC7F6B1CF
3428 | WinRAR.exe | C:\Users\admin\Downloads\PasswdRenew.exe | executable | FC70AC5E77D4B43FEC18B5B186D9A122 | 3D55B223823B303FEC3BF4279DBD88E478FFE89B654BA2FCD6818364EFBD47AD
3428 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\renew_1.1-BETA\11_d.jpg | image | 2C34EB75CA43A724BCC373147A713760 | 4A3A4D2C64AA5C1C55465A8956729B43432D950C91FB6C1683B0EC9D342CB12B
2108 | chrome.exe | C:\Users\admin\AppData\Local\Google\Chrome\User Data\BrowserMetrics\BrowserMetrics-62F665DA-83C.pma | — | — | —
3428 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\renew_1.1-BETA\11_f.jpg | image | C0EC602B7E586DB5527807DDD45474D2 | 1B2FAF6C1A59D1EB44C295D97FFE18BA920F0B45AD7DEE842AF5CF71DC565511
3428 | WinRAR.exe | C:\Users\admin\Downloads\11_b.jpg | image | 426DB948952F9782B2DC4A7CB966A568 | 97ADA288C486C724915430BFEA8D8EB073D75373D90F4789F43A27622B6D0DC6
3428 | WinRAR.exe | C:\Users\admin\Downloads\11_c.jpg | image | D2E9ED8D2FC3556DD92BDDF2A241651A | 59027852D303454D35D30568B6FEBD4D24E341BA081899C5E268AE3D2B06508A
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
928 | svchost.exe | HEAD | 200 | 84.15.64.140:80 | http://r1---sn-cpux-8ov6.gvt1.com/edgedl/release2/chrome_component/ac5q25btpqhkjhcekqoslcldvuya_1.3.36.141/ihnlcenocehgdaegdmhbidjhnhdchfmm_1.3.36.141_win_ehzjmd5kjmert7jdgsrj4xqxj4.crx3?cms_redirect=yes&mh=VX&mip=85.206.166.82&mm=28&mn=sn-cpux-8ov6&ms=nvh&mt=1660314744&mv=m&mvi=1&pl=22&shardbypass=sd | LT | — | — | whitelisted |
3632 | chrome.exe | GET | 302 | 216.239.32.21:80 | http://virustotal.com/ | US | — | — | whitelisted |
3632 | chrome.exe | GET | 302 | 142.250.181.238:80 | http://redirector.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvNzI0QUFXNV9zT2RvdUwyMERESEZGVmJnQQ/1.0.0.6_nmmhkkegccagdldgiimedpiccmgmieda.crx | US | html | 612 b | whitelisted |
928 | svchost.exe | HEAD | 302 | 142.250.181.238:80 | http://redirector.gvt1.com/edgedl/release2/chrome_component/ac5q25btpqhkjhcekqoslcldvuya_1.3.36.141/ihnlcenocehgdaegdmhbidjhnhdchfmm_1.3.36.141_win_ehzjmd5kjmert7jdgsrj4xqxj4.crx3 | US | — | — | whitelisted |
928 | svchost.exe | GET | 302 | 142.250.181.238:80 | http://redirector.gvt1.com/edgedl/release2/chrome_component/ac5q25btpqhkjhcekqoslcldvuya_1.3.36.141/ihnlcenocehgdaegdmhbidjhnhdchfmm_1.3.36.141_win_ehzjmd5kjmert7jdgsrj4xqxj4.crx3 | US | html | 539 b | whitelisted |
928 | svchost.exe | GET | 206 | 84.15.64.140:80 | http://r1---sn-cpux-8ov6.gvt1.com/edgedl/release2/chrome_component/ac5q25btpqhkjhcekqoslcldvuya_1.3.36.141/ihnlcenocehgdaegdmhbidjhnhdchfmm_1.3.36.141_win_ehzjmd5kjmert7jdgsrj4xqxj4.crx3?cms_redirect=yes&mh=VX&mip=85.206.166.82&mm=28&mn=sn-cpux-8ov6&ms=nvh&mt=1660314744&mv=m&mvi=1&pl=22&shardbypass=sd | LT | binary | 9.53 Kb | whitelisted |
928 | svchost.exe | GET | 302 | 142.250.181.238:80 | http://redirector.gvt1.com/edgedl/release2/chrome_component/ac5q25btpqhkjhcekqoslcldvuya_1.3.36.141/ihnlcenocehgdaegdmhbidjhnhdchfmm_1.3.36.141_win_ehzjmd5kjmert7jdgsrj4xqxj4.crx3 | US | html | 539 b | whitelisted |
928 | svchost.exe | GET | 206 | 84.15.64.140:80 | http://r1---sn-cpux-8ov6.gvt1.com/edgedl/release2/chrome_component/ac5q25btpqhkjhcekqoslcldvuya_1.3.36.141/ihnlcenocehgdaegdmhbidjhnhdchfmm_1.3.36.141_win_ehzjmd5kjmert7jdgsrj4xqxj4.crx3?cms_redirect=yes&mh=VX&mip=85.206.166.82&mm=28&mn=sn-cpux-8ov6&ms=nvh&mt=1660314986&mv=m&mvi=1&pcm2cms=yes&pl=22&shardbypass=sd | LT | binary | 30.8 Kb | whitelisted |
3632 | chrome.exe | GET | 200 | 84.15.64.172:80 | http://r1---sn-cpux-30oe.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvNzI0QUFXNV9zT2RvdUwyMERESEZGVmJnQQ/1.0.0.6_nmmhkkegccagdldgiimedpiccmgmieda.crx?cms_redirect=yes&mh=e_&mip=85.206.166.82&mm=28&mn=sn-cpux-30oe&ms=nvh&mt=1660314744&mv=m&mvi=1&pcm2cms=yes&pl=22&rmhost=r2---sn-cpux-30oe.gvt1.com&shardbypass=sd&smhost=r1---sn-cpux-8ovs.gvt1.com | LT | crx | 242 Kb | whitelisted |
928 | svchost.exe | GET | 206 | 84.15.64.140:80 | http://r1---sn-cpux-8ov6.gvt1.com/edgedl/release2/chrome_component/ac5q25btpqhkjhcekqoslcldvuya_1.3.36.141/ihnlcenocehgdaegdmhbidjhnhdchfmm_1.3.36.141_win_ehzjmd5kjmert7jdgsrj4xqxj4.crx3?cms_redirect=yes&mh=VX&mip=85.206.166.82&mm=28&mn=sn-cpux-8ov6&ms=nvh&mt=1660314744&mv=m&mvi=1&pl=22&shardbypass=sd | LT | binary | 9.54 Kb | whitelisted |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3632 | chrome.exe | 142.250.181.225:443 | clients2.googleusercontent.com | Google Inc. | US | whitelisted |
3632 | chrome.exe | 172.217.18.3:443 | fonts.gstatic.com | Google Inc. | US | whitelisted |
3632 | chrome.exe | 172.217.23.109:443 | accounts.google.com | Google Inc. | US | suspicious |
3632 | chrome.exe | 142.250.185.163:443 | ssl.gstatic.com | Google Inc. | US | whitelisted |
3632 | chrome.exe | 142.250.186.164:443 | www.google.com | Google Inc. | US | whitelisted |
3632 | chrome.exe | 142.250.185.78:443 | apis.google.com | Google Inc. | US | whitelisted |
3632 | chrome.exe | 142.250.185.67:443 | www.gstatic.com | Google Inc. | US | whitelisted |
3632 | chrome.exe | 142.250.185.142:443 | clients2.google.com | Google Inc. | US | whitelisted |
3632 | chrome.exe | 142.251.36.10:443 | fonts.googleapis.com | Google Inc. | US | whitelisted |
3632 | chrome.exe | 172.217.16.131:443 | clientservices.googleapis.com | Google Inc. | US | whitelisted |
Domain | IP | Reputation
---|---|---
clients2.google.com | | whitelisted
accounts.google.com | | shared
clients2.googleusercontent.com | | whitelisted
www.google.com | | whitelisted
fonts.googleapis.com | | whitelisted
www.gstatic.com | | whitelisted
fonts.gstatic.com | | whitelisted
clientservices.googleapis.com | | whitelisted
apis.google.com | | whitelisted
ssl.gstatic.com | | whitelisted
Process | Message
---|---
notepad++.exe | VerifyLibrary: C:\Program Files\Notepad++\SciLexer.dll
notepad++.exe | VerifyLibrary: certificate revocation checking is disabled
notepad++.exe | ED255D9151912E40DF048A56288E969A8D0DAFA3
notepad++.exe | VerifyLibrary: C:\Program Files\Notepad++\updater\gup.exe
notepad++.exe | VerifyLibrary: certificate revocation checking is disabled
notepad++.exe | ED255D9151912E40DF048A56288E969A8D0DAFA3
notepad++.exe | VerifyLibrary: C:\Program Files\Notepad++\plugins\Config\nppPluginList.dll
notepad++.exe | VerifyLibrary: certificate revocation checking is disabled
notepad++.exe | ED255D9151912E40DF048A56288E969A8D0DAFA3
notepad++.exe | VerifyLibrary: C:\Program Files\Notepad++\updater\gup.exe