analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
URL:

https://free4pc.org/category/windows-10-activator/

Full analysis: https://app.any.run/tasks/342178e3-8f07-44f5-84f7-92b338b51e1c
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Malware Trends Tracker     >>>
Analysis date: September 30, 2020, 10:02:55
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
stealer
trojan
evasion
loader
Indicators:
MD5:

58A3610CED9F074BD807C5AAA024A2E0

SHA1:

B74D7038FB24BD0EFDA20AACE66DEA69DE65616B

SHA256:

22F40DB1DC4EE9098863470DBB4678CAA5C9CE3BF1988718450834769FE1ACCA

SSDEEP:

3:N8lV7SGACvkEGqW:2POX8kvD

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Application was dropped or rewritten from another process

      • setup_install.exe (PID: 924)
      • setup_install.exe (PID: 3268)
      • d3.exe (PID: 3684)
      • L3.exe (PID: 3296)
      • kyphcaoi.exe (PID: 1132)

    • Loads dropped or rewritten executable

      • setup_install.exe (PID: 924)

    • Actions looks like stealing of personal data

      • d3.exe (PID: 3684)

    • Stealing of credential data

      • d3.exe (PID: 3684)

    • Changes settings of System certificates

      • cscript.exe (PID: 2572)

    • Downloads executable files from the Internet

      • L3.exe (PID: 3296)

  • SUSPICIOUS

    • Application launched itself

      • WinRAR.exe (PID: 1032)

    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 2852)
      • setup_install.exe (PID: 924)
      • L3.exe (PID: 3296)

    • Reads the cookies of Google Chrome

      • d3.exe (PID: 3684)

    • Reads the cookies of Mozilla Firefox

      • d3.exe (PID: 3684)

    • Starts CMD.EXE for commands execution

      • d3.exe (PID: 3684)
      • L3.exe (PID: 3296)
      • kyphcaoi.exe (PID: 1132)

    • Reads Internet Cache Settings

      • d3.exe (PID: 3684)
      • L3.exe (PID: 3296)
      • cscript.exe (PID: 2572)
      • kyphcaoi.exe (PID: 1132)

    • Adds / modifies Windows certificates

      • cscript.exe (PID: 2572)

    • Starts CMD.EXE for self-deleting

      • d3.exe (PID: 3684)
      • kyphcaoi.exe (PID: 1132)

    • Executes scripts

      • setup_install.exe (PID: 924)

    • Creates files in the program directory

      • setup_install.exe (PID: 924)
      • kyphcaoi.exe (PID: 1132)

    • Checks for external IP

      • L3.exe (PID: 3296)
      • kyphcaoi.exe (PID: 1132)

    • Searches for installed software

      • d3.exe (PID: 3684)

  • INFO

    • Reads the hosts file

      • chrome.exe (PID: 3520)
      • chrome.exe (PID: 2008)

    • Reads Internet Cache Settings

      • chrome.exe (PID: 3520)

    • Application launched itself

      • chrome.exe (PID: 3520)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
80
Monitored processes
37
Malicious processes
7
Suspicious processes
1

Behavior graph

Click at the process to see the details
start drop and start drop and start drop and start drop and start chrome.exe chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs winrar.exe no specs winrar.exe chrome.exe no specs notepad.exe no specs setup_install.exe no specs setup_install.exe d3.exe cmd.exe no specs timeout.exe no specs cscript.exe l3.exe cmd.exe no specs kyphcaoi.exe cmd.exe no specs cmd.exe no specs timeout.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
3520"C:\Program Files\Google\Chrome\Application\chrome.exe" "https://free4pc.org/category/windows-10-activator/"C:\Program Files\Google\Chrome\Application\chrome.exe
explorer.exe
User:
admin
Company:
Google LLC
Integrity Level:
MEDIUM
Description:
Google Chrome
Version:
75.0.3770.100
3652"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win32 --annotation=prod=Chrome --annotation=ver=75.0.3770.100 --initial-client-data=0x7c,0x80,0x84,0x78,0x88,0x6f1da9d0,0x6f1da9e0,0x6f1da9ecC:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
MEDIUM
Description:
Google Chrome
Version:
75.0.3770.100
1540"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=watcher --main-thread-id=1752 --on-initialized-event-handle=324 --parent-handle=328 /prefetch:6C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
MEDIUM
Description:
Google Chrome
Version:
75.0.3770.100
2124"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1028,9130112733286926241,678453521404667746,131072 --enable-features=PasswordImport --gpu-preferences=KAAAAAAAAADgAAAgAQAAAAAAAAAAAGAAAAAAAAAAAAAIAAAAAAAAACgAAAAEAAAAIAAAAAAAAAAoAAAAAAAAADAAAAAAAAAAOAAAAAAAAAAQAAAAAAAAAAAAAAAFAAAAEAAAAAAAAAAAAAAABgAAABAAAAAAAAAAAQAAAAUAAAAQAAAAAAAAAAEAAAAGAAAA --service-request-channel-token=15044842701411879045 --mojo-platform-channel-handle=968 --ignored=" --type=renderer " /prefetch:2C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
LOW
Description:
Google Chrome
Version:
75.0.3770.100
2008"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --field-trial-handle=1028,9130112733286926241,678453521404667746,131072 --enable-features=PasswordImport --lang=en-US --service-sandbox-type=network --service-request-channel-token=9926673689292888121 --mojo-platform-channel-handle=1588 /prefetch:8C:\Program Files\Google\Chrome\Application\chrome.exe
chrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
MEDIUM
Description:
Google Chrome
Version:
75.0.3770.100
2092"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1028,9130112733286926241,678453521404667746,131072 --enable-features=PasswordImport --lang=en-US --enable-offline-auto-reload --enable-offline-auto-reload-visible-only --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=9257579966284256156 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2116 /prefetch:1C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
LOW
Description:
Google Chrome
Exit code:
0
Version:
75.0.3770.100
3964"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1028,9130112733286926241,678453521404667746,131072 --enable-features=PasswordImport --lang=en-US --enable-offline-auto-reload --enable-offline-auto-reload-visible-only --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=8815520218967758566 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2152 /prefetch:1C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
LOW
Description:
Google Chrome
Version:
75.0.3770.100
2400"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1028,9130112733286926241,678453521404667746,131072 --enable-features=PasswordImport --lang=en-US --extension-process --enable-offline-auto-reload --enable-offline-auto-reload-visible-only --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=2957635834757390794 --renderer-client-id=4 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2496 /prefetch:1C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
LOW
Description:
Google Chrome
Exit code:
0
Version:
75.0.3770.100
860"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1028,9130112733286926241,678453521404667746,131072 --enable-features=PasswordImport --disable-gpu-compositing --lang=en-US --enable-offline-auto-reload --enable-offline-auto-reload-visible-only --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=12891024664315285461 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3316 /prefetch:1C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
LOW
Description:
Google Chrome
Exit code:
0
Version:
75.0.3770.100
2416"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1028,9130112733286926241,678453521404667746,131072 --enable-features=PasswordImport --disable-gpu-compositing --lang=en-US --enable-offline-auto-reload --enable-offline-auto-reload-visible-only --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=446210081720072337 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3608 /prefetch:1C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
LOW
Description:
Google Chrome
Exit code:
0
Version:
75.0.3770.100
Total events
2 995
Read events
2 807
Write events
0
Delete events
0

Modification events

No data
Executable files
12
Suspicious files
60
Text files
499
Unknown types
21

Dropped files

PID
Process
Filename
Type
3520chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\BrowserMetrics\BrowserMetrics-5F7457E0-DC0.pma
MD5:
SHA256:
3520chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\bd660e4b-45d7-4508-8713-98dbb3ff06b8.tmp
MD5:
SHA256:
3520chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\data_reduction_proxy_leveldb\000046.dbtmp
MD5:
SHA256:
3520chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\LOG.old~RF3bc1ca.TMPtext
MD5:D55489ED6031D8B188E37B0B59F5CED3
SHA256:365B01D1B3333E366EEA50106551AAC8721156CB2572C173E2F501D8255093F4
3520chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\data_reduction_proxy_leveldb\LOG.oldtext
MD5:4AFC066387D33D5264F8E796393B223B
SHA256:BB3E0F925E883318FB09FC498CACEA57F0F71548C9D42FF07634DC30D87F2D86
3520chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\BudgetDatabase\LOG.oldtext
MD5:745FF98D6EB320D6A946D4C43E8D3317
SHA256:558AE8B06570B9C63A72F515E6CD288BCA67368A23E349B625D8B1B7E42E9918
3520chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\data_reduction_proxy_leveldb\LOG.old~RF3bc1da.TMPtext
MD5:4AFC066387D33D5264F8E796393B223B
SHA256:BB3E0F925E883318FB09FC498CACEA57F0F71548C9D42FF07634DC30D87F2D86
3520chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\LOG.oldtext
MD5:D55489ED6031D8B188E37B0B59F5CED3
SHA256:365B01D1B3333E366EEA50106551AAC8721156CB2572C173E2F501D8255093F4
3520chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Feature Engagement Tracker\EventDB\LOG.oldtext
MD5:C5C3F347BDC11EA7A5BF62BCEA89896F
SHA256:EAE604A1C662FF82AD4B2D1056179FD77587159FDD7F1674404C0465E0610BC1
3520chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Last Versiontext
MD5:1A89A1BEBE6C843C4FF582E7ED33CA1F
SHA256:65099CA087B66AA8CA420AB121DAAD713E1DB5A61C5A574D9B1C0DF24F012520
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
29
TCP/UDP connections
56
DNS requests
94
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3296
L3.exe
GET
302
8.211.23.107:80
http://nffiiload06.top/download.php?file=6.exe
US
malicious
3296
L3.exe
GET
302
8.211.23.107:80
http://nffiiload06.top/download.php?file=4.exe
US
malicious
3296
L3.exe
GET
200
8.211.23.107:80
http://nffiiload06.top/downfiles/4.exe
US
executable
906 Kb
malicious
3296
L3.exe
GET
200
8.211.23.107:80
http://nffiiload06.top/downfiles/6.exe
US
executable
2.07 Mb
malicious
1132
kyphcaoi.exe
GET
200
208.95.112.1:80
http://ip-api.com/line
unknown
text
179 b
shared
2572
cscript.exe
GET
200
2.16.186.11:80
http://ocsp.int-x3.letsencrypt.org/MFMwUTBPME0wSzAJBgUrDgMCGgUABBR%2B5mrncpqz%2FPiiIGRsFqEtYHEIXQQUqEpqYwR93brm0Tm3pkVl7%2FOo7KECEgOFvRj973rrPO3ypqcX4igUEQ%3D%3D
unknown
der
527 b
whitelisted
1056
svchost.exe
GET
200
2.16.186.74:80
http://crl.microsoft.com/pki/crl/products/microsoftrootcert.crl
unknown
der
781 b
whitelisted
3296
L3.exe
GET
200
208.95.112.1:80
http://ip-api.com/json
unknown
text
320 b
shared
1056
svchost.exe
GET
200
104.18.24.243:80
http://ocsp.msocsp.com/MFQwUjBQME4wTDAJBgUrDgMCGgUABBSIGkp0%2Fv9GUvNUu1EP06Tu7%2BChyAQUkZ47RGw9V5xCdyo010%2FRzEqXLNoCEyAAASWxwt68EQiA3cUAAAABJbE%3D
US
der
1.75 Kb
whitelisted
1056
svchost.exe
GET
200
93.184.220.29:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfqhLjKLEJQZPin0KCzkdAQpVYowQUsT7DaQP4v0cB1JgmGggC72NkK8MCEAx5qUSwjBGVIJJhX%2BJrHYM%3D
US
der
471 b
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2008
chrome.exe
172.217.16.202:443
fonts.googleapis.com
Google Inc.
US
whitelisted
2008
chrome.exe
104.26.6.221:443
free4pc.org
Cloudflare Inc
US
malicious
2008
chrome.exe
104.16.168.35:443
ajax.cloudflare.com
Cloudflare Inc
US
unknown
2008
chrome.exe
172.217.18.3:443
clientservices.googleapis.com
Google Inc.
US
whitelisted
2008
chrome.exe
142.250.74.195:443
fonts.gstatic.com
Google Inc.
US
whitelisted
2008
chrome.exe
172.217.22.45:443
accounts.google.com
Google Inc.
US
whitelisted
2008
chrome.exe
192.0.77.2:443
i0.wp.com
Automattic, Inc
US
suspicious
2008
chrome.exe
192.0.76.3:443
stats.wp.com
Automattic, Inc
US
suspicious
2008
chrome.exe
216.58.205.238:443
clients1.google.com
Google Inc.
US
whitelisted
2008
chrome.exe
172.217.23.174:443
www.google-analytics.com
Google Inc.
US
whitelisted

DNS requests

Domain
IP
Reputation
clientservices.googleapis.com
  • 172.217.18.3
whitelisted
free4pc.org
  • 104.26.6.221
  • 172.67.73.176
  • 104.26.7.221
malicious
accounts.google.com
  • 172.217.22.45
shared
fonts.googleapis.com
  • 172.217.16.202
whitelisted
ajax.cloudflare.com
  • 104.16.168.35
  • 104.16.167.35
whitelisted
fonts.gstatic.com
  • 142.250.74.195
whitelisted
ajax.googleapis.com
  • 172.217.16.138
whitelisted
api.pinterest.com
  • 151.101.0.84
  • 151.101.64.84
  • 151.101.128.84
  • 151.101.192.84
whitelisted
apis.google.com
  • 172.217.21.238
whitelisted
bblog.com
  • 104.27.145.58
  • 172.67.211.115
  • 104.27.144.58
malicious

Threats

PID
Process
Class
Message
1056
svchost.exe
Potentially Bad Traffic
ET DNS Query to a *.top domain - Likely Hostile
3684
d3.exe
Potentially Bad Traffic
ET INFO HTTP Request to a *.top domain
3684
d3.exe
A Network Trojan was detected
ET TROJAN Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
2572
cscript.exe
Potential Corporate Privacy Violation
POLICY [PTsecurity] IP Check Domain SSL certificate
2572
cscript.exe
Potential Corporate Privacy Violation
POLICY [PTsecurity] IP Check Domain SSL certificate
3296
L3.exe
A Network Trojan was detected
ET CURRENT_EVENTS SUSPICIOUS Firesale gTLD EXE DL with no Referer June 13 2016
3296
L3.exe
A Network Trojan was detected
ET TROJAN Single char EXE direct download likely trojan (multiple families)
3296
L3.exe
A Network Trojan was detected
ET TROJAN Possible Malicious Macro DL EXE Feb 2016
3296
L3.exe
A Network Trojan was detected
ET CURRENT_EVENTS SUSPICIOUS Firesale gTLD EXE DL with no Referer June 13 2016
3296
L3.exe
Potential Corporate Privacy Violation
ET POLICY PE EXE or DLL Windows file download HTTP
13 ETPRO signatures available at the full report
Process
Message
d3.exe
%s------------------------------------------------ --- Themida Professional --- --- (c)2012 Oreans Technologies --- ------------------------------------------------
L3.exe
%s------------------------------------------------ --- Themida Professional --- --- (c)2012 Oreans Technologies --- ------------------------------------------------
kyphcaoi.exe
%s------------------------------------------------ --- Themida Professional --- --- (c)2012 Oreans Technologies --- ------------------------------------------------
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
https://free4pc.org/category/windows-10-activator/