Field | Value
---|---|
File name: | apple2.png
Full analysis: | https://app.any.run/tasks/dc969b23-da17-46fa-8f7d-d9fa8cd2b458
Verdict: | Malicious activity
Analysis date: | November 29, 2020, 17:16:04
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: |
Indicators: |
MIME: | image/png
File info: | PNG image data, 768 x 432, 8-bit/color RGBA, non-interlaced
MD5: | CB2F9F801DA0FE7E1D2A64EBC5B7859F
SHA1: | F9BA7035A29BB3B88B97E98B5EE0E62E1CFABA22
SHA256: | 26FB2BC614296744C511B9180F5C0D919FD87162947D9C28243125E76068D056
SSDEEP: | 12288:SfvP1Ut4kemV9YdAnPDMSf24oW8WN7imUVBrhacxJ0lUsexYNE:SnP1UikemXbMStDYVZhclyYNE
Extension | Type
---|---|
.png | Portable Network Graphics (100)

Property | Value
---|---|
ImageWidth: | 768
ImageHeight: | 432
BitDepth: | 8
ColorType: | RGB with Alpha
Compression: | Deflate/Inflate
Filter: | Adaptive
Interlace: | Noninterlaced
PixelsPerUnitX: | 1
PixelsPerUnitY: | 1
PixelUnits: | Unknown
Creator: | Premiere Pro
XMPToolkit: | Adobe XMP Core 6.0-c002 79.164360, 2020/02/13-01:07:22
InstanceID: | xmp.iid:69541ef9-9d56-6d48-83ab-c2254b51dc97
DocumentID: | bed2f23e-a996-cac6-9966-b0da0000003f
OriginalDocumentID: | xmp.did:8517dfdc-0edd-8141-92c3-94c7e31540b1
MetadataDate: | 2020:11:26 16:49:22Z
ModifyDate: | 2020:11:26 16:49:22Z
CreateDate: | 2020:11:26 16:48:51
VideoFrameRate: | 25
VideoFieldOrder: | Progressive
VideoPixelAspectRatio: | 1
StartTimeScale: | 25
StartTimeSampleSize: | 1
Format: | PNG
HistoryAction: |
HistoryInstanceID: |
HistoryWhen: |
HistorySoftwareAgent: |
HistoryChanged: |
VideoFrameSizeW: | 768
VideoFrameSizeH: | 432
VideoFrameSizeUnit: | pixel
DurationValue: | 248
DurationScale: | 0.04
StartTimecodeTimeFormat: | 25 fps
StartTimecodeTimeValue: | 00:04:53:03
AltTimecodeTimeValue: | 00:04:53:03
AltTimecodeTimeFormat: | 25 fps
ImageSize: | 768x432
Megapixels: | 0.332
PID | CMD | Path | Indicators | Parent process | Details
---|---|---|---|---|---|
1952 | "C:\Windows\System32\rundll32.exe" "C:\Program Files\Windows Photo Viewer\PhotoViewer.dll", ImageView_Fullscreen C:\Users\admin\AppData\Local\Temp\apple2.png | C:\Windows\System32\rundll32.exe | — | explorer.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows host process (Rundll32); Exit code: 0; Version: 6.1.7600.16385 (win7_rtm.090713-1255)
1728 | "C:\Program Files\Google\Chrome\Application\chrome.exe" | C:\Program Files\Google\Chrome\Application\chrome.exe | | explorer.exe | User: admin; Company: Google LLC; Integrity Level: MEDIUM; Description: Google Chrome; Version: 75.0.3770.100
2744 | "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win32 --annotation=prod=Chrome --annotation=ver=75.0.3770.100 --initial-client-data=0x7c,0x80,0x84,0x78,0x88,0x6edaa9d0,0x6edaa9e0,0x6edaa9ec | C:\Program Files\Google\Chrome\Application\chrome.exe | — | chrome.exe | User: admin; Company: Google LLC; Integrity Level: MEDIUM; Description: Google Chrome; Version: 75.0.3770.100
592 | "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=watcher --main-thread-id=1744 --on-initialized-event-handle=324 --parent-handle=328 /prefetch:6 | C:\Program Files\Google\Chrome\Application\chrome.exe | — | chrome.exe | User: admin; Company: Google LLC; Integrity Level: MEDIUM; Description: Google Chrome; Version: 75.0.3770.100
3500 | "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1012,1676518766232724167,7983961609800990419,131072 --enable-features=PasswordImport --gpu-preferences=KAAAAAAAAADgAAAgAQAAAAAAAAAAAGAAAAAAAAAAAAAIAAAAAAAAACgAAAAEAAAAIAAAAAAAAAAoAAAAAAAAADAAAAAAAAAAOAAAAAAAAAAQAAAAAAAAAAAAAAAFAAAAEAAAAAAAAAAAAAAABgAAABAAAAAAAAAAAQAAAAUAAAAQAAAAAAAAAAEAAAAGAAAA --service-request-channel-token=11314780168897675293 --mojo-platform-channel-handle=1036 --ignored=" --type=renderer " /prefetch:2 | C:\Program Files\Google\Chrome\Application\chrome.exe | — | chrome.exe | User: admin; Company: Google LLC; Integrity Level: LOW; Description: Google Chrome; Version: 75.0.3770.100
4024 | "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --field-trial-handle=1012,1676518766232724167,7983961609800990419,131072 --enable-features=PasswordImport --lang=en-US --service-sandbox-type=network --service-request-channel-token=11847182204875655798 --mojo-platform-channel-handle=1628 /prefetch:8 | C:\Program Files\Google\Chrome\Application\chrome.exe | | chrome.exe | User: admin; Company: Google LLC; Integrity Level: MEDIUM; Description: Google Chrome; Version: 75.0.3770.100
3692 | "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1012,1676518766232724167,7983961609800990419,131072 --enable-features=PasswordImport --lang=en-US --instant-process --enable-offline-auto-reload --enable-offline-auto-reload-visible-only --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=4399930977275939278 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2264 /prefetch:1 | C:\Program Files\Google\Chrome\Application\chrome.exe | — | chrome.exe | User: admin; Company: Google LLC; Integrity Level: LOW; Description: Google Chrome; Exit code: 0; Version: 75.0.3770.100
2204 | "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1012,1676518766232724167,7983961609800990419,131072 --enable-features=PasswordImport --lang=en-US --enable-offline-auto-reload --enable-offline-auto-reload-visible-only --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=12895191541364991545 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2432 /prefetch:1 | C:\Program Files\Google\Chrome\Application\chrome.exe | — | chrome.exe | User: admin; Company: Google LLC; Integrity Level: LOW; Description: Google Chrome; Version: 75.0.3770.100
3192 | "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1012,1676518766232724167,7983961609800990419,131072 --enable-features=PasswordImport --lang=en-US --extension-process --enable-offline-auto-reload --enable-offline-auto-reload-visible-only --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=8771633602172715983 --renderer-client-id=4 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2496 /prefetch:1 | C:\Program Files\Google\Chrome\Application\chrome.exe | — | chrome.exe | User: admin; Company: Google LLC; Integrity Level: LOW; Description: Google Chrome; Exit code: 0; Version: 75.0.3770.100
1560 | "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --field-trial-handle=1012,1676518766232724167,7983961609800990419,131072 --enable-features=PasswordImport --lang=en-US --service-sandbox-type=utility --service-request-channel-token=8687156519249141319 --mojo-platform-channel-handle=3260 --ignored=" --type=renderer " /prefetch:8 | C:\Program Files\Google\Chrome\Application\chrome.exe | — | chrome.exe | User: admin; Company: Google LLC; Integrity Level: LOW; Description: Google Chrome; Exit code: 0; Version: 75.0.3770.100
(PID) Process | Key | Operation | Name | Value
---|---|---|---|---|
— | HKEY_CURRENT_USER\Software\Microsoft\Direct3D\MostRecentApplication | write | Name | rundll32.exe
— | HKEY_CURRENT_USER\Software\Microsoft\Windows Photo Viewer\Viewer | write | MainWndPos | 6000000034000000A00400008002000000000000
(1728) chrome.exe | HKEY_CURRENT_USER\Software\Google\Chrome\BLBeacon | write | failed_count | 0
(1728) chrome.exe | HKEY_CURRENT_USER\Software\Google\Chrome\BLBeacon | write | state | 2
(1728) chrome.exe | HKEY_CURRENT_USER\Software\Google\Chrome\ThirdParty | write | StatusCodes |
(1728) chrome.exe | HKEY_CURRENT_USER\Software\Google\Chrome\ThirdParty | write | StatusCodes | 01000000
(1728) chrome.exe | HKEY_CURRENT_USER\Software\Google\Chrome\BLBeacon | write | state | 1
(1728) chrome.exe | HKEY_CURRENT_USER\Software\Google\Update\ClientState\{8A69D345-D564-463c-AFF1-A69D9E530F96} | write | dr | 1
— | HKEY_CURRENT_USER\Software\Google\Chrome\BrowserExitCodes | write | 1728-13251143810760625 | 259
(1728) chrome.exe | HKEY_CURRENT_USER\Software\Google\Chrome | write | UsageStatsInSample | 0
PID | Process | Filename | Type | MD5 | SHA256
---|---|---|---|---|---|
1728 | chrome.exe | C:\Users\admin\AppData\Local\Google\Chrome\User Data\BrowserMetrics\BrowserMetrics-5FC3D783-6C0.pma | — | — | —
1728 | chrome.exe | C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\BudgetDatabase\LOG.old | — | — | —
1728 | chrome.exe | C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\BudgetDatabase\LOG.old~RF14aad5.TMP | — | — | —
1728 | chrome.exe | C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\89023cf7-d348-4090-89df-0aa96cbd428a.tmp | — | — | —
1728 | chrome.exe | C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\data_reduction_proxy_leveldb\000048.dbtmp | — | — | —
1728 | chrome.exe | C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\LOG.old~RF14aa58.TMP | text | C2DDBA63E4A2BD2E39A8B6C2C6384AAE | 6D5C1C78341C6F84911055D970ADDB0EC3499F8BF7FADE062122A22209CE67D9
1728 | chrome.exe | C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\LOG.old~RF14aa48.TMP | text | D4322EEBAC92D1B8F7A6F5E39F6264B7 | A3EEDF21B850DCC7CE5AE04395ECDD2D29DA4EA549C8A185DD9E8B552A87B8C2
1728 | chrome.exe | C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Feature Engagement Tracker\EventDB\LOG.old | text | 1C97B70A4BAD7C026F79467C7D496AFA | C5A02E4984DE3F30DADFC0A89A93F45418C06653C3962EAA94C93909E51D272D
1728 | chrome.exe | C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\data_reduction_proxy_leveldb\CURRENT | text | 74D4DB05A4D3E7263E8AE314DEDD8DF1 | 67BF9950E818713E054268D40BED61A22D324385CE98E89DDF406A405B870802
1728 | chrome.exe | C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\LOG.old | — | — | —
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
4024 | chrome.exe | GET | 200 | 13.224.195.208:80 | http://d1lxhc4jvstzrp.cloudfront.net/themes/assets/style.css | US | text | 343 b | shared |
4024 | chrome.exe | GET | 200 | 2.16.186.64:80 | http://i4.cdn-image.com/__media__/js/min.js?v2.2 | unknown | text | 2.97 Kb | whitelisted |
4024 | chrome.exe | GET | 200 | 2.16.186.64:80 | http://i4.cdn-image.com/__media__/pics/27699/bg-arrow.png | unknown | image | 905 b | whitelisted |
4024 | chrome.exe | GET | 200 | 13.224.195.208:80 | http://d1lxhc4jvstzrp.cloudfront.net/themes/assets/skenzo.css | US | text | 208 b | shared |
4024 | chrome.exe | GET | 200 | 185.53.177.70:80 | http://i.projectthing.tk/ | DE | html | 477 b | malicious |
4024 | chrome.exe | GET | 200 | 208.91.196.46:80 | http://iyfsearch.com/?dn=projectthing.tk&pid=9PO755G95 | VG | html | 4.89 Kb | suspicious |
4024 | chrome.exe | GET | 200 | 185.53.177.70:80 | http://i.projectthing.tk/favicon.ico | DE | compressed | 477 b | malicious |
4024 | chrome.exe | GET | 200 | 2.16.186.64:80 | http://i4.cdn-image.com/__media__/pics/27699/search.png | unknown | image | 933 b | whitelisted |
4024 | chrome.exe | GET | 200 | 2.16.186.64:80 | http://i4.cdn-image.com/__media__/pics/27699/bg-arrow-h.png | unknown | image | 915 b | whitelisted |
4024 | chrome.exe | GET | 200 | 2.16.186.64:80 | http://i4.cdn-image.com/__media__/fonts/lato-black/lato-black.woff | unknown | woff | 37.4 Kb | whitelisted |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
4024 | chrome.exe | 142.250.74.195:443 | www.google.com.ua | Google Inc. | US | whitelisted |
4024 | chrome.exe | 172.217.22.3:443 | www.gstatic.com | Google Inc. | US | whitelisted |
4024 | chrome.exe | 172.217.12.163:443 | clientservices.googleapis.com | Google Inc. | US | whitelisted |
4024 | chrome.exe | 216.58.212.163:443 | fonts.gstatic.com | Google Inc. | US | whitelisted |
4024 | chrome.exe | 172.217.23.110:443 | ogs.google.com.ua | Google Inc. | US | whitelisted |
4024 | chrome.exe | 172.217.6.206:443 | apis.google.com | Google Inc. | US | whitelisted |
4024 | chrome.exe | 172.253.125.94:443 | www.google.de | Google Inc. | US | unknown |
4024 | chrome.exe | 172.217.18.100:443 | www.google.com | Google Inc. | US | whitelisted |
4024 | chrome.exe | 172.217.16.141:443 | accounts.google.com | Google Inc. | US | suspicious |
4024 | chrome.exe | 172.217.12.170:443 | fonts.googleapis.com | Google Inc. | US | whitelisted |
Domain | IP | Reputation
---|---|---|
clientservices.googleapis.com | | whitelisted
accounts.google.com | | shared
www.google.com.ua | | whitelisted
fonts.googleapis.com | | whitelisted
www.gstatic.com | | whitelisted
apis.google.com | | whitelisted
ogs.google.com.ua | | whitelisted
fonts.gstatic.com | | whitelisted
www.google.com | | whitelisted
www.google.de | | whitelisted
PID | Process | Class | Message |
---|---|---|---|
— | — | Potentially Bad Traffic | ET DNS Query to a .tk domain - Likely Hostile |
4024 | chrome.exe | Potentially Bad Traffic | ET POLICY HTTP Request to a *.tk domain |
4024 | chrome.exe | Misc activity | ADWARE [PTsecurity] InstantAccess |
4024 | chrome.exe | Potentially Bad Traffic | ET POLICY HTTP Request to a *.tk domain |