URL:

https://pan.quark.cn/s/ee5ca976be0b#/list/share

Full analysis: https://app.any.run/tasks/1049498d-1b23-4972-828b-2999ef5138af
Verdict: Malicious activity
Threats:

A botnet is a group of internet-connected devices that are controlled by a single individual or group, often without the knowledge or consent of the device owners. These devices can be used to launch a variety of malicious attacks, such as distributed denial-of-service (DDoS) attacks, spam campaigns, and data theft. Botnet malware is the software that is used to infect devices and turn them into part of a botnet.

Analysis date: March 20, 2026, 17:52:45
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
loader
delphi
inno
installer
anti-evasion
andromeda
botnet
gamarue
stealer
crypto-regex
Indicators:
MD5:

E3FA222229DD2D859EF04CEF503569A9

SHA1:

4B772B79793733E5D829ECC446F561D640B60F01

SHA256:

25FCF882E928F58BA774904EBC8DAE3F92A798A8A302902DBB7121394CBADE32

SSDEEP:

3:N8A/URU5A1rAtGONNEQ:2A/URUptzWQ

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Changes the autorun value in the registry

      • updater.exe (PID: 7796)
      • quark.exe (PID: 6044)
    • Reads a specific registry key of the VM

      • quark.exe (PID: 6044)
    • ANDROMEDA mutex has been found

      • quark.exe (PID: 6044)
    • Registers / Runs the DLL via REGSVR32.EXE

      • 6.5.5.759.tmp (PID: 7616)
    • Actions look like stealing of personal data

      • quark.exe (PID: 6044)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • QuarkPC_V6.5.5.759_pc_pf30002_(zh-cn)_wpmini_(Build2655504-1003-x64).exe (PID: 7452)
      • 6.5.5.759.exe (PID: 3016)
      • 6.5.5.759.tmp (PID: 7616)
      • updater.exe (PID: 7796)
      • updater.exe (PID: 3120)
    • The process drops C-runtime libraries

      • 6.5.5.759.tmp (PID: 7616)
      • updater.exe (PID: 7796)
    • Reads the Windows owner or organization settings

      • 6.5.5.759.tmp (PID: 7616)
    • Searches for installed software

      • quark.exe (PID: 6044)
      • quark.exe (PID: 900)
      • updater.exe (PID: 7796)
      • updater.exe (PID: 3120)
      • updater.exe (PID: 7332)
      • quark.exe (PID: 7312)
      • quark.exe (PID: 5824)
      • quark.exe (PID: 7952)
      • quark.exe (PID: 8200)
      • quark.exe (PID: 7608)
      • quark.exe (PID: 8244)
      • quark.exe (PID: 8512)
      • quark.exe (PID: 8540)
      • quark.exe (PID: 8496)
      • quark.exe (PID: 8952)
      • quark.exe (PID: 8564)
      • quark.exe (PID: 8664)
      • quark.exe (PID: 8584)
      • quark.exe (PID: 9108)
      • quark.exe (PID: 3140)
      • quark.exe (PID: 9272)
      • quark.exe (PID: 9416)
      • quark.exe (PID: 9596)
      • quark.exe (PID: 9880)
      • quark.exe (PID: 9612)
      • quark.exe (PID: 9772)
      • quark.exe (PID: 9940)
      • quark.exe (PID: 9424)
      • quark.exe (PID: 9932)
      • quark.exe (PID: 9916)
      • quark.exe (PID: 2324)
      • quark.exe (PID: 1400)
      • quark.exe (PID: 4960)
      • updater.exe (PID: 7384)
      • quark.exe (PID: 3156)
      • quark.exe (PID: 5748)
      • quark.exe (PID: 3420)
      • quark.exe (PID: 7820)
      • quark.exe (PID: 9336)
      • quark.exe (PID: 4124)
      • quark.exe (PID: 1404)
      • quark.exe (PID: 6028)
      • quark.exe (PID: 7560)
    • Application launched itself

      • quark.exe (PID: 6044)
      • updater.exe (PID: 7796)
      • updater.exe (PID: 3120)
      • updater.exe (PID: 7332)
      • updater.exe (PID: 7384)
    • Write to the desktop.ini file (may be used to cloak folders)

      • quark.exe (PID: 6044)
    • Reads the date of Windows installation

      • quark.exe (PID: 6044)
    • Reads the BIOS version

      • quark.exe (PID: 6044)
    • The process checks if it is being run in the virtual environment

      • quark.exe (PID: 6044)
    • Read disk information to detect sandboxing environments

      • quark.exe (PID: 6044)
    • Creates/Modifies COM task schedule object

      • regsvr32.exe (PID: 9312)
      • quark.exe (PID: 6044)
    • Reads Mozilla Firefox installation path

      • quark.exe (PID: 6044)
    • Found regular expressions for crypto-addresses (YARA)

      • quark.exe (PID: 6044)
  • INFO

    • Application launched itself

      • chrome.exe (PID: 7320)
    • The sample is compiled with Chinese language support

      • chrome.exe (PID: 7320)
      • chrome.exe (PID: 3340)
      • 6.5.5.759.tmp (PID: 7616)
      • updater.exe (PID: 7796)
    • Launching a file from the Downloads directory

      • chrome.exe (PID: 7320)
    • Executable content was dropped or overwritten

      • chrome.exe (PID: 7320)
      • chrome.exe (PID: 3340)
      • chrome.exe (PID: 9348)
      • chrome.exe (PID: 800)
    • Checks supported languages

      • QuarkPC_V6.5.5.759_pc_pf30002_(zh-cn)_wpmini_(Build2655504-1003-x64).exe (PID: 7452)
      • 6.5.5.759.tmp (PID: 7616)
      • 6.5.5.759.exe (PID: 3016)
      • quark.exe (PID: 900)
      • updater.exe (PID: 7796)
      • updater.exe (PID: 5648)
      • QuarkUpdaterSetup.exe (PID: 8000)
      • quark.exe (PID: 6044)
      • updater.exe (PID: 3120)
      • updater.exe (PID: 3160)
      • updater.exe (PID: 7576)
      • updater.exe (PID: 7332)
      • quark.exe (PID: 5824)
      • quark.exe (PID: 7952)
      • quark.exe (PID: 8200)
      • quark.exe (PID: 7312)
      • quark.exe (PID: 7608)
      • quark.exe (PID: 8244)
      • quark.exe (PID: 8496)
      • quark.exe (PID: 8512)
      • quark.exe (PID: 8540)
      • quark.exe (PID: 8952)
      • quark.exe (PID: 8564)
      • quark.exe (PID: 8584)
      • quark.exe (PID: 3140)
      • quark.exe (PID: 9108)
      • quark.exe (PID: 8664)
      • quark.exe (PID: 9272)
      • quark.exe (PID: 9416)
      • quark.exe (PID: 9612)
      • quark.exe (PID: 9424)
      • quark.exe (PID: 9596)
      • quark.exe (PID: 9772)
      • quark.exe (PID: 9880)
      • quark.exe (PID: 9940)
      • quark.exe (PID: 9932)
      • quark.exe (PID: 9916)
      • updater.exe (PID: 7384)
      • updater.exe (PID: 9948)
      • quark.exe (PID: 2324)
      • quark.exe (PID: 4960)
      • quark.exe (PID: 6028)
      • quark.exe (PID: 3156)
      • quark.exe (PID: 5748)
      • quark.exe (PID: 1400)
      • quark.exe (PID: 7820)
      • quark.exe (PID: 9336)
      • quark.exe (PID: 4124)
      • quark.exe (PID: 1404)
      • quark.exe (PID: 7560)
      • quark.exe (PID: 3420)
    • Reads the computer name

      • QuarkPC_V6.5.5.759_pc_pf30002_(zh-cn)_wpmini_(Build2655504-1003-x64).exe (PID: 7452)
      • 6.5.5.759.tmp (PID: 7616)
      • quark.exe (PID: 6044)
      • quark.exe (PID: 900)
      • updater.exe (PID: 7796)
      • updater.exe (PID: 3120)
      • updater.exe (PID: 7332)
      • quark.exe (PID: 5824)
      • quark.exe (PID: 7608)
      • quark.exe (PID: 8244)
      • quark.exe (PID: 7952)
      • quark.exe (PID: 7312)
      • quark.exe (PID: 8200)
      • quark.exe (PID: 8496)
      • quark.exe (PID: 8512)
      • quark.exe (PID: 8952)
      • quark.exe (PID: 8540)
      • quark.exe (PID: 9108)
      • quark.exe (PID: 3140)
      • quark.exe (PID: 8664)
      • quark.exe (PID: 8564)
      • quark.exe (PID: 9272)
      • quark.exe (PID: 8584)
      • quark.exe (PID: 9596)
      • quark.exe (PID: 9612)
      • quark.exe (PID: 9772)
      • quark.exe (PID: 9880)
      • quark.exe (PID: 9940)
      • quark.exe (PID: 9416)
      • quark.exe (PID: 9424)
      • quark.exe (PID: 9932)
      • quark.exe (PID: 9916)
      • updater.exe (PID: 7384)
      • quark.exe (PID: 2324)
      • quark.exe (PID: 5748)
      • quark.exe (PID: 1400)
      • quark.exe (PID: 4960)
      • quark.exe (PID: 3156)
      • quark.exe (PID: 6028)
      • quark.exe (PID: 3420)
      • quark.exe (PID: 7820)
      • quark.exe (PID: 9336)
      • quark.exe (PID: 4124)
      • quark.exe (PID: 1404)
      • quark.exe (PID: 7560)
    • Create files in a temporary directory

      • QuarkPC_V6.5.5.759_pc_pf30002_(zh-cn)_wpmini_(Build2655504-1003-x64).exe (PID: 7452)
      • 6.5.5.759.exe (PID: 3016)
      • 6.5.5.759.tmp (PID: 7616)
      • QuarkUpdaterSetup.exe (PID: 8000)
      • quark.exe (PID: 6044)
    • Reads CPU info

      • QuarkPC_V6.5.5.759_pc_pf30002_(zh-cn)_wpmini_(Build2655504-1003-x64).exe (PID: 7452)
      • quark.exe (PID: 6044)
      • updater.exe (PID: 7796)
      • updater.exe (PID: 3120)
      • updater.exe (PID: 7332)
      • quark.exe (PID: 8496)
      • quark.exe (PID: 8540)
      • updater.exe (PID: 7384)
    • There is functionality for taking screenshot (YARA)

      • QuarkPC_V6.5.5.759_pc_pf30002_(zh-cn)_wpmini_(Build2655504-1003-x64).exe (PID: 7452)
      • 6.5.5.759.tmp (PID: 7616)
    • Creates files or folders in the user directory

      • 6.5.5.759.tmp (PID: 7616)
      • QuarkPC_V6.5.5.759_pc_pf30002_(zh-cn)_wpmini_(Build2655504-1003-x64).exe (PID: 7452)
      • quark.exe (PID: 900)
      • quark.exe (PID: 6044)
      • updater.exe (PID: 5648)
      • updater.exe (PID: 7796)
      • updater.exe (PID: 7332)
      • updater.exe (PID: 3120)
      • quark.exe (PID: 5824)
      • quark.exe (PID: 8540)
      • quark.exe (PID: 8496)
      • updater.exe (PID: 7384)
      • quark.exe (PID: 7560)
    • The sample is compiled with Russian language support

      • 6.5.5.759.tmp (PID: 7616)
    • Compiled with Borland Delphi (YARA)

      • 6.5.5.759.exe (PID: 3016)
      • 6.5.5.759.tmp (PID: 7616)
    • The sample is compiled with English language support

      • 6.5.5.759.tmp (PID: 7616)
      • updater.exe (PID: 7796)
      • updater.exe (PID: 3120)
      • chrome.exe (PID: 9348)
      • chrome.exe (PID: 800)
    • Detects InnoSetup installer (YARA)

      • 6.5.5.759.exe (PID: 3016)
      • 6.5.5.759.tmp (PID: 7616)
    • Creates a software uninstall entry

      • 6.5.5.759.tmp (PID: 7616)
    • Reads the machine GUID from the registry

      • updater.exe (PID: 7796)
      • updater.exe (PID: 3120)
      • updater.exe (PID: 7332)
      • quark.exe (PID: 6044)
      • quark.exe (PID: 5824)
      • quark.exe (PID: 8540)
      • updater.exe (PID: 7384)
      • quark.exe (PID: 7560)
    • Launching a file from a Registry key

      • updater.exe (PID: 7796)
      • quark.exe (PID: 6044)
    • Process checks whether UAC notifications are on

      • updater.exe (PID: 3120)
      • updater.exe (PID: 7796)
      • updater.exe (PID: 7332)
      • updater.exe (PID: 7384)
    • Reads security settings of Internet Explorer

      • quark.exe (PID: 6044)
      • 6.5.5.759.tmp (PID: 7616)
    • Reads Environment values

      • quark.exe (PID: 8496)
      • quark.exe (PID: 8244)
    • Reads product name

      • quark.exe (PID: 8244)
      • quark.exe (PID: 8496)
    • Reads Microsoft Office registry keys

      • quark.exe (PID: 6044)
    • Creates files in the program directory

      • quark.exe (PID: 6044)
Find more information about signature artifacts and mapping to the MITRE ATT&CK™ MATRIX in the full report
No Malware configuration.
No data.
All screenshots are available in the full report
Total processes
252
Monitored processes
107
Malicious processes
5
Suspicious processes
1

Behavior graph

[Interactive process graph not reproduced. Nodes shown in the graph: chrome.exe, slui.exe, quarkpc_v6.5.5.759_pc_pf30002_(zh-cn)_wpmini_(build2655504-1003-x64).exe, 6.5.5.759.exe, 6.5.5.759.tmp, quarkupdatersetup.exe, quark.exe (tagged #ANDROMEDA), updater.exe, regsvr32.exe, svchost.exe.]

Process information

PID
CMD
Path
Indicators
Parent process
PID:
552
CMD:
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --disable-quic --string-annotations --field-trial-handle=6436,i,9480404117901335033,9548387191939239822,262144 --disable-features=HttpsFirstBalancedMode,HttpsFirstModeV2,HttpsOnlyMode,HttpsUpgrades --variations-seed-version=20251218-201203.402000 --mojo-platform-channel-handle=6728 /prefetch:8
Path:
C:\Program Files\Google\Chrome\Application\chrome.exe
Parent process:
chrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
MEDIUM
Description:
Google Chrome
Exit code:
0
Version:
133.0.6943.127
Modules
Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
PID:
800
CMD:
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --disable-quic --string-annotations --field-trial-handle=4908,i,9480404117901335033,9548387191939239822,262144 --disable-features=HttpsFirstBalancedMode,HttpsFirstModeV2,HttpsOnlyMode,HttpsUpgrades --variations-seed-version=20251218-201203.402000 --mojo-platform-channel-handle=4472 /prefetch:8
Path:
C:\Program Files\Google\Chrome\Application\chrome.exe
Parent process:
chrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
LOW
Description:
Google Chrome
Exit code:
0
Version:
133.0.6943.127
Modules
Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\google\chrome\application\133.0.6943.127\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
PID:
900
CMD:
C:\Users\admin\AppData\Local\Programs\Quark\quark.exe --type=crashpad-handler "--user-data-dir=C:\Users\admin\AppData\Local\Quark\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\admin\AppData\Local\Quark\User Data\Crashpad" "--metrics-dir=C:\Users\admin\AppData\Local\Quark\User Data" --url=https://pan-api.quark.cn/monitor/crash/collect/ --annotation=_companyName=UC --annotation=_productName=QuarkPC --annotation=_version=6.5.5.759 --annotation=app=quark-windows --annotation=app_bid=999 --annotation=app_channel=pcquark@clouddrive_share8 --annotation=bizguid=ab2JtwAAACkDAO4hQNDhwFYf --annotation=bname=clouddrive --annotation=brand=DELL "--annotation=cpu_model=AMD Ryzen 5 3500 6-Core Processor" --annotation=dcheck=off --annotation=guid=ab2JtwAAACkDAO4hQNDhwFYf --annotation=model=DELL --annotation=official_build=true --annotation=plat=Win64 --annotation=platform=win32 --annotation=prod=Quark "--annotation=rom=Windows NT_10.0.19045" --annotation=shortcutEntrances=drive --annotation=sver=alpha --annotation=ucVersion=260313201235 --annotation=utdid=ab2JtwAAACkDAO4hQNDhwFYf --annotation=ver=6.5.5.759 --annotation=version=6.5.5.759 --annotation=xtm=1774029346616 --annotation=xtoken=f77e3a --initial-client-data=0x28c,0x290,0x294,0x268,0x2a0,0x7ffe1e0eac08,0x7ffe1e0eb42e,0x7ffe1e0ebc58
Path:
C:\Users\admin\AppData\Local\Programs\Quark\quark.exe
Parent process:
quark.exe
User:
admin
Company:
The Quark Authors
Integrity Level:
MEDIUM
Description:
Quark
Version:
6.5.5.759
Modules
Images
c:\users\admin\appdata\local\programs\quark\quark.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\users\admin\appdata\local\programs\quark\6.5.5.759\quark_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\shcore.dll
PID:
1400
CMD:
"C:\Users\admin\AppData\Local\Programs\Quark\quark.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=zh-CN --service-sandbox-type=service --string-annotations=is-enterprise-managed=no --standard-schemes=main,uccd --secure-schemes=main,uccd --cors-schemes=main,uccd --fetch-schemes=main,uccd --service-worker-schemes=main,uccd --field-trial-handle=8692,i,3117229362184606182,17029402926961513552,262144 --enable-features=EnableTabMuting,UseNewAlpsCodepointHttp2 --disable-features=PrefetchProxy --variations-seed-version --log-store-handle=824,i,2560512 --mojo-platform-channel-handle=9000 /prefetch:8
Path:
C:\Users\admin\AppData\Local\Programs\Quark\quark.exe
Parent process:
quark.exe
User:
admin
Company:
The Quark Authors
Integrity Level:
LOW
Description:
Quark
Exit code:
0
Version:
6.5.5.759
Modules
Images
c:\users\admin\appdata\local\programs\quark\quark.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\users\admin\appdata\local\programs\quark\6.5.5.759\quark_elf.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\advapi32.dll
PID:
1404
CMD:
"C:\Users\admin\AppData\Local\Programs\Quark\quark.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=zh-CN --service-sandbox-type=service --string-annotations=is-enterprise-managed=no --standard-schemes=main,uccd --secure-schemes=main,uccd --cors-schemes=main,uccd --fetch-schemes=main,uccd --service-worker-schemes=main,uccd --field-trial-handle=5884,i,3117229362184606182,17029402926961513552,262144 --enable-features=EnableTabMuting,UseNewAlpsCodepointHttp2 --disable-features=PrefetchProxy --variations-seed-version --log-store-handle=824,i,2560512 --mojo-platform-channel-handle=5100 /prefetch:8
Path:
C:\Users\admin\AppData\Local\Programs\Quark\quark.exe
Parent process:
quark.exe
User:
admin
Company:
The Quark Authors
Integrity Level:
LOW
Description:
Quark
Exit code:
0
Version:
6.5.5.759
Modules
Images
c:\users\admin\appdata\local\programs\quark\quark.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\users\admin\appdata\local\programs\quark\6.5.5.759\quark_elf.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\advapi32.dll
PID:
1788
CMD:
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --disable-quic --string-annotations --field-trial-handle=5108,i,9480404117901335033,9548387191939239822,262144 --disable-features=HttpsFirstBalancedMode,HttpsFirstModeV2,HttpsOnlyMode,HttpsUpgrades --variations-seed-version=20251218-201203.402000 --mojo-platform-channel-handle=4608 /prefetch:8
Path:
C:\Program Files\Google\Chrome\Application\chrome.exe
Parent process:
chrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
MEDIUM
Description:
Google Chrome
Exit code:
0
Version:
133.0.6943.127
Modules
Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
PID:
1972
CMD:
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --disable-quic --string-annotations --field-trial-handle=6536,i,9480404117901335033,9548387191939239822,262144 --disable-features=HttpsFirstBalancedMode,HttpsFirstModeV2,HttpsOnlyMode,HttpsUpgrades --variations-seed-version=20251218-201203.402000 --mojo-platform-channel-handle=7748 /prefetch:8
Path:
C:\Program Files\Google\Chrome\Application\chrome.exe
Parent process:
chrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
LOW
Description:
Google Chrome
Exit code:
0
Version:
133.0.6943.127
Modules
Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\google\chrome\application\133.0.6943.127\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
PID:
2164
CMD:
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=3 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3228,i,9480404117901335033,9548387191939239822,262144 --disable-features=HttpsFirstBalancedMode,HttpsFirstModeV2,HttpsOnlyMode,HttpsUpgrades --variations-seed-version=20251218-201203.402000 --mojo-platform-channel-handle=3308 /prefetch:1
Path:
C:\Program Files\Google\Chrome\Application\chrome.exe
Parent process:
chrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
LOW
Description:
Google Chrome
Version:
133.0.6943.127
Modules
Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\google\chrome\application\133.0.6943.127\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
PID:
2232
CMD:
C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s Dnscache
Path:
C:\Windows\System32\svchost.exe
Parent process:
services.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
PID:
2324
CMD:
"C:\Users\admin\AppData\Local\Programs\Quark\quark.exe" --type=renderer --string-annotations=is-enterprise-managed=no --quark-webui-version=Ni41LjUuMTAwMDAw --disable-quantum --standard-schemes=main,uccd --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=zh-CN --device-scale-factor=1 --num-raster-threads=3 --enable-main-frame-before-activation --renderer-client-id=36 --field-trial-handle=9648,i,3117229362184606182,17029402926961513552,262144 --enable-features=EnableTabMuting,UseNewAlpsCodepointHttp2 --disable-features=PrefetchProxy --variations-seed-version --log-store-handle=824,i,2560512 --mojo-platform-channel-handle=9032 /prefetch:1
Path:
C:\Users\admin\AppData\Local\Programs\Quark\quark.exe
Parent process:
quark.exe
User:
admin
Company:
The Quark Authors
Integrity Level:
LOW
Description:
Quark
Version:
6.5.5.759
Modules
Images
c:\users\admin\appdata\local\programs\quark\quark.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\users\admin\appdata\local\programs\quark\6.5.5.759\quark_elf.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\advapi32.dll
Total events
50 476
Read events
48 836
Write events
1 566
Delete events
74

Modification events

(PID) Process:
(3044) slui.exe
Key:
HKEY_CLASSES_ROOT\Local Settings\MuiCache\3d\52C64B7E
Operation:
write
Name:
@%SystemRoot%\System32\sppcomapi.dll,-3200
Value:
Software Licensing
(PID) Process:
(7616) 6.5.5.759.tmp
Key:
HKEY_CURRENT_USER\SOFTWARE\UTForPC
Operation:
write
Name:
utdid
Value:
YWIySnR3QUFBQ2tEQU80aFFORGh3Rllm
(PID) Process:
(7616) 6.5.5.759.tmp
Key:
HKEY_CURRENT_USER\SOFTWARE\QuarkUpdater\Update\ClientState\{FB7670C2-7F99-426D-B687-21BB585A5C73}
Operation:
write
Name:
InstallerProgress
Value:
0
(PID) Process:
(7616) 6.5.5.759.tmp
Key:
HKEY_CURRENT_USER\SOFTWARE\QuarkUpdater\Update\ClientState\{FB7670C2-7F99-426D-B687-21BB585A5C73}
Operation:
write
Name:
InstallerProgress
Value:
1
(PID) Process:
(7616) 6.5.5.759.tmp
Key:
HKEY_CURRENT_USER\SOFTWARE\QuarkUpdater\Update\ClientState\{FB7670C2-7F99-426D-B687-21BB585A5C73}
Operation:
write
Name:
InstallerProgress
Value:
2
(PID) Process:
(7616) 6.5.5.759.tmp
Key:
HKEY_CURRENT_USER\SOFTWARE\QuarkUpdater\Update\ClientState\{FB7670C2-7F99-426D-B687-21BB585A5C73}
Operation:
write
Name:
InstallerProgress
Value:
3
(PID) Process:
(7616) 6.5.5.759.tmp
Key:
HKEY_CURRENT_USER\SOFTWARE\QuarkUpdater\Update\ClientState\{FB7670C2-7F99-426D-B687-21BB585A5C73}
Operation:
write
Name:
InstallerProgress
Value:
4
(PID) Process:
(7616) 6.5.5.759.tmp
Key:
HKEY_CURRENT_USER\SOFTWARE\QuarkUpdater\Update\ClientState\{FB7670C2-7F99-426D-B687-21BB585A5C73}
Operation:
write
Name:
InstallerProgress
Value:
5
(PID) Process:
(7616) 6.5.5.759.tmp
Key:
HKEY_CURRENT_USER\SOFTWARE\QuarkUpdater\Update\ClientState\{FB7670C2-7F99-426D-B687-21BB585A5C73}
Operation:
write
Name:
InstallerProgress
Value:
6
(PID) Process:
(7616) 6.5.5.759.tmp
Key:
HKEY_CURRENT_USER\SOFTWARE\QuarkUpdater\Update\ClientState\{FB7670C2-7F99-426D-B687-21BB585A5C73}
Operation:
write
Name:
InstallerProgress
Value:
7
Executable files
236
Suspicious files
1 731
Text files
2 229
Unknown types
5

Dropped files

PID
Process
Filename
Type
PID:
7320
Process:
chrome.exe
Filename:
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\ClientCertificates\LOG.old~RFdff6f.TMP
MD5:
SHA256:
PID:
7320
Process:
chrome.exe
Filename:
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\ClientCertificates\LOG.old
MD5:
SHA256:
PID:
7320
Process:
chrome.exe
Filename:
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\discounts_db\LOG.old~RFdff8e.TMP
MD5:
SHA256:
PID:
7320
Process:
chrome.exe
Filename:
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\parcel_tracking_db\LOG.old~RFdff8e.TMP
MD5:
SHA256:
PID:
7320
Process:
chrome.exe
Filename:
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\discounts_db\LOG.old
MD5:
SHA256:
PID:
7320
Process:
chrome.exe
Filename:
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\parcel_tracking_db\LOG.old
MD5:
SHA256:
PID:
7320
Process:
chrome.exe
Filename:
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\PersistentOriginTrials\LOG.old~RFdff8e.TMP
MD5:
SHA256:
PID:
7320
Process:
chrome.exe
Filename:
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\chrome_cart_db\LOG.old~RFdff9e.TMP
MD5:
SHA256:
PID:
7320
Process:
chrome.exe
Filename:
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\PersistentOriginTrials\LOG.old
MD5:
SHA256:
PID:
7320
Process:
chrome.exe
Filename:
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\chrome_cart_db\LOG.old
MD5:
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
397
TCP/UDP connections
677
DNS requests
225
Threats
66

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3340
chrome.exe
GET
200
142.250.201.170:443
https://safebrowsingohttpgateway.googleapis.com/v1/ohttp/hpkekeyconfig?key=AIzaSyA2KlwBX3mkFo30om9LUFYQhpqLoa_BNhE
US
binary
41 b
whitelisted
3340
chrome.exe
POST
200
142.251.127.84:443
https://accounts.google.com/ListAccounts?gpsia=1&source=ChromiumBrowser&json=standard
US
text
17 b
whitelisted
3340
chrome.exe
GET
200
142.251.36.110:80
http://clients2.google.com/time/1/current?cup2key=8:cksRxKPSb754NtJbyPEC0uF_mhIflgxuBXeNA8ZPe5w&cup2hreq=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
US
text
106 b
whitelisted
3340
chrome.exe
GET
200
2.16.206.4:443
https://g.alicdn.com/uc-cloud-drive-web-system/cloud-drive-web/4.5.90/vendor.css
NL
text
268 Kb
unknown
3340
chrome.exe
GET
200
142.251.208.3:443
https://clientservices.googleapis.com/chrome-variations/seed?osname=win&channel=stable&milestone=133
US
compressed
90.9 Kb
whitelisted
3340
chrome.exe
GET
200
203.119.169.27:443
https://pan.quark.cn/s/ee5ca976be0b
CN
html
11.3 Kb
unknown
3340
chrome.exe
GET
200
2.16.206.4:443
https://g.alicdn.com/uc-cloud-drive-web-system/cloud-drive-web/4.5.90/share.css
NL
text
152 Kb
unknown
3340
chrome.exe
GET
200
2.16.206.4:443
https://g.alicdn.com/uc-cloud-drive-web-system/cloud-drive-web/4.5.90/vendor.js
NL
3.44 Mb
unknown
3340
chrome.exe
GET
200
2.16.206.4:443
https://g.alicdn.com/uc-cloud-drive-web-system/cloud-drive-web/4.5.90/share.js
NL
text
1001 Kb
unknown
3340
chrome.exe
GET
200
2.16.206.4:443
https://g.alicdn.com/secdev/sufei_data/3.9.14/index.js
NL
17.3 Kb
unknown

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
5276
MoUsoCoreWorker.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
4
System
192.168.100.255:137
Not routed
whitelisted
8000
svchost.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
7824
slui.exe
48.192.1.64:443
activation-v2.sls.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
4
System
192.168.100.255:138
Not routed
whitelisted
3340
chrome.exe
142.250.201.170:443
safebrowsingohttpgateway.googleapis.com
GOOGLE
US
whitelisted
3340
chrome.exe
142.251.36.110:80
clients2.google.com
GOOGLE
US
whitelisted
3340
chrome.exe
142.251.208.3:443
clientservices.googleapis.com
GOOGLE
US
whitelisted
3340
chrome.exe
142.251.127.84:443
accounts.google.com
GOOGLE
US
whitelisted
3340
chrome.exe
203.119.169.27:443
pan.quark.cn
ALIBABA-CN-NET Hangzhou Alibaba Advertising Co.,Ltd.
CN
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 40.127.240.158
  • 51.104.136.2
  • 51.124.78.146
whitelisted
activation-v2.sls.microsoft.com
  • 48.192.1.64
whitelisted
google.com
  • 142.251.143.110
whitelisted
clients2.google.com
  • 142.251.36.110
whitelisted
safebrowsingohttpgateway.googleapis.com
  • 142.250.201.170
  • 142.251.208.10
  • 142.250.201.74
  • 142.251.143.106
  • 142.250.187.234
  • 142.250.187.202
  • 172.217.16.202
  • 172.217.168.74
  • 142.251.127.95
  • 216.58.206.42
  • 142.251.208.170
  • 142.251.37.10
  • 216.58.206.74
  • 142.250.186.42
  • 142.251.141.74
  • 142.251.140.170
whitelisted
clientservices.googleapis.com
  • 142.251.208.3
whitelisted
pan.quark.cn
  • 203.119.169.27
  • 203.119.169.79
whitelisted
accounts.google.com
  • 142.251.127.84
whitelisted
g.alicdn.com
  • 2.16.206.4
  • 2.16.206.9
whitelisted
fourier.taobao.com
  • 203.119.204.19
whitelisted

Threats

PID
Process
Class
Message
8000
svchost.exe
Unknown Traffic
ET USER_AGENTS Microsoft Dr Watson User-Agent (MSDW)
7452
QuarkPC_V6.5.5.759_pc_pf30002_(zh-cn)_wpmini_(Build2655504-1003-x64).exe
Unknown Traffic
ET HUNTING Suspicious Empty Accept-Encoding Header
7452
QuarkPC_V6.5.5.759_pc_pf30002_(zh-cn)_wpmini_(Build2655504-1003-x64).exe
Unknown Traffic
ET HUNTING Suspicious Empty Accept-Encoding Header
7452
QuarkPC_V6.5.5.759_pc_pf30002_(zh-cn)_wpmini_(Build2655504-1003-x64).exe
Unknown Traffic
ET HUNTING Suspicious Empty Accept-Encoding Header
7452
QuarkPC_V6.5.5.759_pc_pf30002_(zh-cn)_wpmini_(Build2655504-1003-x64).exe
Unknown Traffic
ET HUNTING Suspicious Empty Accept-Encoding Header
7452
QuarkPC_V6.5.5.759_pc_pf30002_(zh-cn)_wpmini_(Build2655504-1003-x64).exe
Unknown Traffic
ET HUNTING Suspicious Empty Accept-Encoding Header
7452
QuarkPC_V6.5.5.759_pc_pf30002_(zh-cn)_wpmini_(Build2655504-1003-x64).exe
Unknown Traffic
ET HUNTING Suspicious Empty Accept-Encoding Header
7452
QuarkPC_V6.5.5.759_pc_pf30002_(zh-cn)_wpmini_(Build2655504-1003-x64).exe
Unknown Traffic
ET HUNTING Suspicious Empty Accept-Encoding Header
7452
QuarkPC_V6.5.5.759_pc_pf30002_(zh-cn)_wpmini_(Build2655504-1003-x64).exe
Unknown Traffic
ET HUNTING Suspicious Empty Accept-Encoding Header
7452
QuarkPC_V6.5.5.759_pc_pf30002_(zh-cn)_wpmini_(Build2655504-1003-x64).exe
Unknown Traffic
ET HUNTING Suspicious Empty Accept-Encoding Header
Process
Message
QuarkPC_V6.5.5.759_pc_pf30002_(zh-cn)_wpmini_(Build2655504-1003-x64).exe
[tid 784][quark_installer][error] Send wpk report request failed. status: -1
QuarkPC_V6.5.5.759_pc_pf30002_(zh-cn)_wpmini_(Build2655504-1003-x64).exe
[tid 784][quark_installer][error] Send report request failed. status: -1
QuarkPC_V6.5.5.759_pc_pf30002_(zh-cn)_wpmini_(Build2655504-1003-x64).exe
[tid 6556][quark_installer][error] Send wpk report request failed. status: -1
QuarkPC_V6.5.5.759_pc_pf30002_(zh-cn)_wpmini_(Build2655504-1003-x64).exe
[tid 784][quark_installer][error] Send wpk report request failed. status: -1
QuarkPC_V6.5.5.759_pc_pf30002_(zh-cn)_wpmini_(Build2655504-1003-x64).exe
[tid 6556][quark_installer][error] Send wpk report request failed. status: -1
QuarkPC_V6.5.5.759_pc_pf30002_(zh-cn)_wpmini_(Build2655504-1003-x64).exe
[tid 6556][quark_installer][error] Send report request failed. status: -1
QuarkPC_V6.5.5.759_pc_pf30002_(zh-cn)_wpmini_(Build2655504-1003-x64).exe
[tid 6556][quark_installer][error] Send report request failed. status: -1
quark.exe
[0320/135546.723:INFO:wpk_pv_helper.cc(202)] DelayUploadHotPvToWpk type :1
updater.exe
[0320/135548.099:ERROR:unet_native_impl.cc(764)] [unet.native] version(1.4.0.0) unet_native_bind(version:1.4.0.0, cb:000000F8C14FF560, ctx:000002BDD5E8E990)
updater.exe
[7796:0320/135548.108:ERROR:unet_persistence.cc(184)] [unet] UNetPersistence::Context::DoReadFile file(C:\Users\admin\AppData\Local\QuarkUpdater\QuarkUpdater\1.0.0.21\hc) open error(FILE_ERROR_NOT_FOUND)