analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
URL:

https://mega.nz/#!Ylpj3LYY!yC5N06zT2Wxl3CnHbgtsA5-3Fp3rDKN5VTCu-J8M8dA

Full analysis: https://app.any.run/tasks/194c07a8-35bd-4740-b2a8-7a64745853fe
Verdict: Malicious activity
Analysis date: May 30, 2020, 13:34:05
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MD5:

C156DBE1A3F718A4DC4BC9832D9096F5

SHA1:

DAF76B7A537D3A18A13838A7B902C469BC10D768

SHA256:

008D896691ADD86B5A9731D699BB2257B9FB0DAE1AA57A55B4DBE7C9DE0E73F4

SSDEEP:

3:N8X/iGEYVuSVcOdYrWZlW3kwDk:299pdvuUwDk

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Application was dropped or rewritten from another process

      • geometry dash auto speedhack.exe (PID: 3464)
      • geometry dash auto speedhack.exe (PID: 1848)
      • geometry dash auto speedhack.exe (PID: 844)
      • geometry dash auto speedhack.exe (PID: 344)
      • geometry dash auto speedhack.exe (PID: 1428)
      • geometry dash auto speedhack.exe (PID: 2016)
      • geometry dash auto speedhack.exe (PID: 496)
      • MEMZ.exe (PID: 2508)
      • geometry dash auto speedhack.exe (PID: 3176)

    • Low-level write access rights to disk partition

      • geometry dash auto speedhack.exe (PID: 3176)

  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 980)
      • cscript.exe (PID: 2328)

    • Application launched itself

      • geometry dash auto speedhack.exe (PID: 2016)

    • Modifies files in Chrome extension folder

      • chrome.exe (PID: 2248)

    • Creates files in the user directory

      • cscript.exe (PID: 2328)

    • Starts CMD.EXE for commands execution

      • WinRAR.exe (PID: 980)

    • Low-level read access rights to disk partition

      • geometry dash auto speedhack.exe (PID: 3176)

    • Executes scripts

      • cmd.exe (PID: 1748)

  • INFO

    • Reads the hosts file

      • chrome.exe (PID: 2084)
      • chrome.exe (PID: 2248)

    • Application launched itself

      • chrome.exe (PID: 2248)

    • Manual execution by user

      • SndVol.exe (PID: 1696)

    • Reads settings of System Certificates

      • chrome.exe (PID: 2084)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
84
Monitored processes
42
Malicious processes
4
Suspicious processes
0

Behavior graph

Click at the process to see the details
start drop and start drop and start chrome.exe chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs winrar.exe chrome.exe no specs geometry dash auto speedhack.exe no specs geometry dash auto speedhack.exe geometry dash auto speedhack.exe no specs geometry dash auto speedhack.exe no specs geometry dash auto speedhack.exe no specs geometry dash auto speedhack.exe no specs geometry dash auto speedhack.exe no specs geometry dash auto speedhack.exe notepad.exe no specs chrome.exe no specs sndvol.exe no specs cmd.exe no specs cscript.exe memz.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
2248"C:\Program Files\Google\Chrome\Application\chrome.exe" "https://mega.nz/#!Ylpj3LYY!yC5N06zT2Wxl3CnHbgtsA5-3Fp3rDKN5VTCu-J8M8dA"C:\Program Files\Google\Chrome\Application\chrome.exe
explorer.exe
User:
admin
Company:
Google LLC
Integrity Level:
MEDIUM
Description:
Google Chrome
Version:
75.0.3770.100
3056"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win32 --annotation=prod=Chrome --annotation=ver=75.0.3770.100 --initial-client-data=0x7c,0x80,0x84,0x78,0x88,0x6e65a9d0,0x6e65a9e0,0x6e65a9ecC:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
MEDIUM
Description:
Google Chrome
Version:
75.0.3770.100
2132"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=watcher --main-thread-id=2432 --on-initialized-event-handle=324 --parent-handle=328 /prefetch:6C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
MEDIUM
Description:
Google Chrome
Version:
75.0.3770.100
2308"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1020,1042496025593675294,2680719887522011659,131072 --enable-features=PasswordImport --gpu-preferences=KAAAAAAAAADgAAAgAQAAAAAAAAAAAGAAAAAAAAAAAAAIAAAAAAAAACgAAAAEAAAAIAAAAAAAAAAoAAAAAAAAADAAAAAAAAAAOAAAAAAAAAAQAAAAAAAAAAAAAAAFAAAAEAAAAAAAAAAAAAAABgAAABAAAAAAAAAAAQAAAAUAAAAQAAAAAAAAAAEAAAAGAAAA --service-request-channel-token=12931410163794411618 --mojo-platform-channel-handle=1000 --ignored=" --type=renderer " /prefetch:2C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
LOW
Description:
Google Chrome
Version:
75.0.3770.100
2084"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --field-trial-handle=1020,1042496025593675294,2680719887522011659,131072 --enable-features=PasswordImport --lang=en-US --service-sandbox-type=network --service-request-channel-token=16690900221809745417 --mojo-platform-channel-handle=1636 /prefetch:8C:\Program Files\Google\Chrome\Application\chrome.exe
chrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
MEDIUM
Description:
Google Chrome
Version:
75.0.3770.100
3416"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1020,1042496025593675294,2680719887522011659,131072 --enable-features=PasswordImport --lang=en-US --enable-offline-auto-reload --enable-offline-auto-reload-visible-only --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=2357193666316705994 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2256 /prefetch:1C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
LOW
Description:
Google Chrome
Exit code:
0
Version:
75.0.3770.100
2148"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1020,1042496025593675294,2680719887522011659,131072 --enable-features=PasswordImport --lang=en-US --enable-offline-auto-reload --enable-offline-auto-reload-visible-only --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=7457320348284206982 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2264 /prefetch:1C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
LOW
Description:
Google Chrome
Version:
75.0.3770.100
3016"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1020,1042496025593675294,2680719887522011659,131072 --enable-features=PasswordImport --lang=en-US --extension-process --enable-offline-auto-reload --enable-offline-auto-reload-visible-only --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=7977925937320989609 --renderer-client-id=4 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2504 /prefetch:1C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
LOW
Description:
Google Chrome
Exit code:
0
Version:
75.0.3770.100
3024"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --field-trial-handle=1020,1042496025593675294,2680719887522011659,131072 --enable-features=PasswordImport --lang=en-US --service-sandbox-type=utility --service-request-channel-token=1908592054895001384 --mojo-platform-channel-handle=3344 --ignored=" --type=renderer " /prefetch:8C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
LOW
Description:
Google Chrome
Exit code:
0
Version:
75.0.3770.100
2364"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --field-trial-handle=1020,1042496025593675294,2680719887522011659,131072 --enable-features=PasswordImport --lang=en-US --service-sandbox-type=utility --service-request-channel-token=14797407565142476885 --mojo-platform-channel-handle=3480 --ignored=" --type=renderer " /prefetch:8C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
LOW
Description:
Google Chrome
Exit code:
0
Version:
75.0.3770.100
Total events
2 809
Read events
2 661
Write events
0
Delete events
0

Modification events

No data
Executable files
2
Suspicious files
51
Text files
359
Unknown types
13

Dropped files

PID
Process
Filename
Type
2248chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\BrowserMetrics\BrowserMetrics-5ED260DC-8C8.pma
MD5:
SHA256:
2248chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\6ac85ad8-8a8b-4f4e-913c-0339eede3c5c.tmp
MD5:
SHA256:
2248chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\data_reduction_proxy_leveldb\000028.dbtmp
MD5:
SHA256:
2248chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\LOG.oldtext
MD5:DA692BE42E4EF2668AE7499A7D5DA720
SHA256:EB865CAF59002C092F5FDBE22D01935866BC1277108B29E897052CB2439630ED
2248chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\data_reduction_proxy_leveldb\LOG.old~RF109a8c.TMPtext
MD5:33B05E8AC9C178C58ED3321F496588C0
SHA256:2CDF6A09638A0B563EA2672D6926210771902E0A9203FE15D2857FC4EB954CDE
2248chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\LOG.old~RF109a7d.TMPtext
MD5:DA692BE42E4EF2668AE7499A7D5DA720
SHA256:EB865CAF59002C092F5FDBE22D01935866BC1277108B29E897052CB2439630ED
2248chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Last Tabsbinary
MD5:702AEC53DCDCFEA33C4BE3D2F888473E
SHA256:D16286D6EE0EB33E7907EE4FCB8FDB6B5A54E5A56BFAF99A9C2451D239BC9765
2248chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\BudgetDatabase\LOG.old~RF109acb.TMPtext
MD5:AC43135B8C9FED46A92448C4E711F45C
SHA256:D840BA7CEBACF86DDBAD75BFB61A53449AA7AE3DE6B8ADC97FE45624626A6F09
2248chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\LOG.oldtext
MD5:F69C20D5B552B8D973FB1CBA5FDD7D87
SHA256:48799968D50E2D74E625A0AB18E93C6792AF20010334C6BB4E935C8D26F7026A
2248chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\data_reduction_proxy_leveldb\LOG.oldtext
MD5:33B05E8AC9C178C58ED3321F496588C0
SHA256:2CDF6A09638A0B563EA2672D6926210771902E0A9203FE15D2857FC4EB954CDE
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
7
TCP/UDP connections
36
DNS requests
18
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2084
chrome.exe
GET
200
172.217.131.71:80
http://r2---sn-q4flrnl7.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvYjY5QUFXTEQwc2RPVXhRY3picjhxblh1dw/7619.603.0.2_pkedcjkdefgpdelpbcmbmeomcjbeemfm.crx?cms_redirect=yes&mh=Qx&mip=85.203.20.11&mm=28&mn=sn-q4flrnl7&ms=nvh&mt=1590845594&mv=m&mvi=1&pl=25&shardbypass=yes
US
crx
816 Kb
whitelisted
2084
chrome.exe
GET
200
173.194.191.170:80
http://r5---sn-q4flrnes.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvOTRmQUFXVHlhaGJaUTdMLWtCSkNJUl9ZQQ/1.0.0.5_nmmhkkegccagdldgiimedpiccmgmieda.crx?cms_redirect=yes&mh=QJ&mip=85.203.20.11&mm=28&mn=sn-q4flrnes&ms=nvh&mt=1590845594&mv=m&mvi=4&pl=25&shardbypass=yes
US
crx
293 Kb
whitelisted
2084
chrome.exe
GET
304
67.27.159.126:80
http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
US
compressed
57.0 Kb
whitelisted
2084
chrome.exe
GET
302
172.217.16.142:80
http://redirector.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvYjY5QUFXTEQwc2RPVXhRY3picjhxblh1dw/7619.603.0.2_pkedcjkdefgpdelpbcmbmeomcjbeemfm.crx
US
html
523 b
whitelisted
2084
chrome.exe
GET
200
67.27.159.126:80
http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
US
compressed
57.0 Kb
whitelisted
2084
chrome.exe
GET
304
67.27.159.126:80
http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
US
compressed
57.0 Kb
whitelisted
2084
chrome.exe
GET
302
172.217.16.142:80
http://redirector.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvOTRmQUFXVHlhaGJaUTdMLWtCSkNJUl9ZQQ/1.0.0.5_nmmhkkegccagdldgiimedpiccmgmieda.crx
US
html
518 b
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2084
chrome.exe
172.217.16.206:443
clients1.google.com
Google Inc.
US
whitelisted
2084
chrome.exe
216.58.207.67:443
clientservices.googleapis.com
Google Inc.
US
whitelisted
172.217.23.106:443
safebrowsing.googleapis.com
Google Inc.
US
whitelisted
2084
chrome.exe
173.194.191.170:80
r5---sn-q4flrnes.gvt1.com
Google Inc.
US
whitelisted
2084
chrome.exe
172.217.23.97:443
clients2.googleusercontent.com
Google Inc.
US
whitelisted
2084
chrome.exe
67.27.159.126:80
www.download.windowsupdate.com
Level 3 Communications, Inc.
US
suspicious
2084
chrome.exe
172.217.16.142:80
redirector.gvt1.com
Google Inc.
US
whitelisted
2084
chrome.exe
31.216.148.10:443
mega.nz
Datacenter Luxembourg S.A.
LU
unknown
2084
chrome.exe
31.216.148.11:443
eu.static.mega.co.nz
Datacenter Luxembourg S.A.
LU
unknown
2084
chrome.exe
172.217.131.71:80
r2---sn-q4flrnl7.gvt1.com
Google Inc.
US
whitelisted

DNS requests

Domain
IP
Reputation
clientservices.googleapis.com
  • 216.58.207.67
whitelisted
mega.nz
  • 31.216.148.10
  • 89.44.169.135
whitelisted
accounts.google.com
  • 172.217.23.109
shared
safebrowsing.googleapis.com
  • 172.217.23.106
whitelisted
clients1.google.com
  • 172.217.16.206
whitelisted
eu.static.mega.co.nz
  • 31.216.148.11
  • 89.44.169.134
  • 89.44.169.132
  • 31.216.148.13
shared
g.api.mega.co.nz
  • 31.216.147.135
  • 31.216.147.133
  • 31.216.147.132
  • 31.216.147.134
  • 31.216.147.136
shared
www.google.com
  • 172.217.22.100
whitelisted
clients2.google.com
  • 172.217.16.206
whitelisted
www.download.windowsupdate.com
  • 67.27.159.126
  • 8.248.133.254
  • 8.253.204.120
  • 8.253.204.121
  • 8.253.204.249
whitelisted

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
https://mega.nz/#!Ylpj3LYY!yC5N06zT2Wxl3CnHbgtsA5-3Fp3rDKN5VTCu-J8M8dA