analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
URL:

http://yolaplay.com/gamegb/Roblox_Setup.exe

Full analysis: https://app.any.run/tasks/821fa8c5-1ba2-4a37-b03b-a93aaf3fa0d7
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Analysis date: March 14, 2019, 16:31:59
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
loader
Indicators:
MD5:

6CF2401C4FB9C0A2CD94B6914FFAAA13

SHA1:

9E02C1658A4ED3CF9D0C74AE24F9D609768160D1

SHA256:

45DDAAD1B3F19AF56DAAE6D517751D0708A199E6B297BF22FFEAB2AA5F60649C

SSDEEP:

3:N1KH3VK43HInq39VkA:CXVK4Z33kA

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • Roblox_Setup.exe (PID: 3732)
      • ns7AEE.tmp (PID: 2508)
      • Roblox_Setup.exe (PID: 2920)
    • Downloads executable files from the Internet

      • chrome.exe (PID: 2872)
    • Loads dropped or rewritten executable

      • Roblox_Setup.exe (PID: 2920)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • chrome.exe (PID: 2872)
      • Roblox_Setup.exe (PID: 2920)
    • Starts CMD.EXE for commands execution

      • ns7AEE.tmp (PID: 2508)
    • Starts application with an unusual extension

      • Roblox_Setup.exe (PID: 2920)
    • Starts Internet Explorer

      • Roblox_Setup.exe (PID: 2920)
  • INFO

    • Reads Internet Cache Settings

      • chrome.exe (PID: 2872)
    • Application launched itself

      • chrome.exe (PID: 2872)
      • iexplore.exe (PID: 2272)
    • Creates files in the user directory

      • iexplore.exe (PID: 2944)
    • Reads internet explorer settings

      • iexplore.exe (PID: 2944)
    • Changes internet zones settings

      • iexplore.exe (PID: 2272)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
53
Monitored processes
17
Malicious processes
3
Suspicious processes
0

Behavior graph

Click at the process to see the details
drop and start drop and start start drop and start chrome.exe chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs roblox_setup.exe no specs roblox_setup.exe ns7aee.tmp no specs cmd.exe no specs wmic.exe no specs chrome.exe no specs chrome.exe no specs iexplore.exe iexplore.exe chrome.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
2872"C:\Program Files\Google\Chrome\Application\chrome.exe" http://yolaplay.com/gamegb/Roblox_Setup.exeC:\Program Files\Google\Chrome\Application\chrome.exe
explorer.exe
User:
admin
Company:
Google Inc.
Integrity Level:
MEDIUM
Description:
Google Chrome
Version:
68.0.3440.106
3596"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win32 --annotation=prod=Chrome --annotation=ver=68.0.3440.106 --initial-client-data=0x78,0x7c,0x80,0x74,0x84,0x700d00b0,0x700d00c0,0x700d00ccC:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google Inc.
Integrity Level:
MEDIUM
Description:
Google Chrome
Version:
68.0.3440.106
3008"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=watcher --main-thread-id=2876 --on-initialized-event-handle=304 --parent-handle=308 /prefetch:6C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google Inc.
Integrity Level:
MEDIUM
Description:
Google Chrome
Version:
68.0.3440.106
2108"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=188,14261149072462790407,17460684890802600919,131072 --enable-features=PasswordImport --gpu-preferences=KAAAAAAAAACAAwBAAQAAAAAAAAAAAGAAEAAAAAAAAAAAAAAAAAAAACgAAAAEAAAAIAAAAAAAAAAoAAAAAAAAADAAAAAAAAAAOAAAAAAAAAAQAAAAAAAAAAAAAAAKAAAAEAAAAAAAAAAAAAAACwAAABAAAAAAAAAAAQAAAAoAAAAQAAAAAAAAAAEAAAALAAAA --service-request-channel-token=2D108EA898A522B519354E7AFC8D5013 --mojo-platform-channel-handle=988 --ignored=" --type=renderer " /prefetch:2C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google Inc.
Integrity Level:
LOW
Description:
Google Chrome
Version:
68.0.3440.106
2660"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=188,14261149072462790407,17460684890802600919,131072 --enable-features=PasswordImport --service-pipe-token=199BA151892DFACE2F2EA4ADA53A00DC --lang=en-US --enable-offline-auto-reload --enable-offline-auto-reload-visible-only --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=199BA151892DFACE2F2EA4ADA53A00DC --renderer-client-id=4 --mojo-platform-channel-handle=1912 /prefetch:1C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google Inc.
Integrity Level:
LOW
Description:
Google Chrome
Version:
68.0.3440.106
3400"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=188,14261149072462790407,17460684890802600919,131072 --enable-features=PasswordImport --service-pipe-token=7380F854C0CC77A7782706AFBF706A2F --lang=en-US --extension-process --enable-offline-auto-reload --enable-offline-auto-reload-visible-only --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=7380F854C0CC77A7782706AFBF706A2F --renderer-client-id=3 --mojo-platform-channel-handle=2152 /prefetch:1C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google Inc.
Integrity Level:
LOW
Description:
Google Chrome
Exit code:
0
Version:
68.0.3440.106
2428"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=188,14261149072462790407,17460684890802600919,131072 --enable-features=PasswordImport --disable-gpu-sandbox --gpu-preferences=KAAAAAAAAACAAwBAAQAAAAAAAAAAAGAAEAAAAAAAAAAAAAAAAAAAACgAAAAEAAAAIAAAAAAAAAAoAAAAAAAAADAAAAAAAAAAOAAAAAAAAAAQAAAAAAAAAAAAAAAKAAAAEAAAAAAAAAAAAAAACwAAABAAAAAAAAAAAQAAAAoAAAAQAAAAAAAAAAEAAAALAAAA --service-request-channel-token=CC22A30A25ECD47B11BA6A31B2B60077 --mojo-platform-channel-handle=3764 /prefetch:2C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google Inc.
Integrity Level:
MEDIUM
Description:
Google Chrome
Exit code:
0
Version:
68.0.3440.106
3732"C:\Users\admin\Downloads\Roblox_Setup.exe" C:\Users\admin\Downloads\Roblox_Setup.exechrome.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
3221226540
2920"C:\Users\admin\Downloads\Roblox_Setup.exe" C:\Users\admin\Downloads\Roblox_Setup.exe
chrome.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
2508"C:\Users\admin\AppData\Local\Temp\nsl7ACE.tmp\ns7AEE.tmp" "C:\Windows\system32\cmd.exe" /C wmic computersystem get model /format:listC:\Users\admin\AppData\Local\Temp\nsl7ACE.tmp\ns7AEE.tmpRoblox_Setup.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
Total events
1 604
Read events
1 446
Write events
0
Delete events
0

Modification events

No data
Executable files
10
Suspicious files
17
Text files
80
Unknown types
2

Dropped files

PID
Process
Filename
Type
2872chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\bd934b17-1d78-4454-a8a8-ed7e0e46278c.tmp
MD5:
SHA256:
2872chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Download Service\EntryDB\000016.dbtmp
MD5:
SHA256:
2872chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\data_reduction_proxy_leveldb\000016.dbtmp
MD5:
SHA256:
2872chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\bfee93c7-8e6c-407a-913d-8ad41a7b9a5e.tmp
MD5:
SHA256:
2872chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\85b510c2-5ecc-4705-a1c0-51084baafd2a.tmp
MD5:
SHA256:
2872chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Last Versiontext
MD5:C10EBD4DB49249EFC8D112B2920D5F73
SHA256:90A1B994CAFE902F22A88A22C0B6CC9CB5B974BF20F8964406DD7D6C9B8867D1
2872chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\LOG.oldtext
MD5:197882774A7ECEC9046BC48F63189B66
SHA256:27377B0D5F989997C2C3F74ACF163EED44B60631DDAA768F6655D7BE555742B2
2872chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\data_reduction_proxy_leveldb\LOG.oldtext
MD5:92BE6B127E72365885AD4C3FB6534EE2
SHA256:54302A2573ACC775720E7DB0AD85873276713302B4F72596A8DCC44B01C70E51
2872chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\Database\LOG.oldtext
MD5:1AA66EFDB743FB0A8DCC1CD79B0B6542
SHA256:28D56532CCED7375A2A1C7731E57C1A1C2EC1AC9827F3E5BEEE7F8069A5F87DD
2872chrome.exeC:\Users\admin\Downloads\4c2609e9-d97f-445b-8675-9dde7c935317.tmp
MD5:
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
9
TCP/UDP connections
32
DNS requests
13
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2872
chrome.exe
GET
200
104.18.33.217:80
http://yolaplay.com/gamegb/Roblox_Setup.exe
US
executable
277 Kb
suspicious
2944
iexplore.exe
GET
404
104.18.33.217:80
http://www.yolaplay.com/thanks/yolaheader.png
US
html
194 b
malicious
2272
iexplore.exe
GET
200
204.79.197.200:80
http://www.bing.com/favicon.ico
US
image
237 b
whitelisted
2944
iexplore.exe
GET
200
104.18.33.217:80
http://www.yolaplay.com/styles.css
US
text
1.53 Kb
malicious
2920
Roblox_Setup.exe
GET
406
104.18.33.217:80
http://www.yolaplay.com/roblox/download/Roblox.exe
US
html
401 b
malicious
2944
iexplore.exe
GET
200
104.18.33.217:80
http://www.yolaplay.com/favicon.ico
US
compressed
194 b
malicious
2944
iexplore.exe
GET
200
104.18.33.217:80
http://www.yolaplay.com/thanks/
US
html
1.38 Kb
malicious
2944
iexplore.exe
GET
200
204.79.197.200:80
http://bat.bing.com/bat.js
US
text
22.4 Kb
whitelisted
2944
iexplore.exe
GET
200
104.18.33.217:80
http://www.yolaplay.com/img/gradient_light.jpg
US
image
578 b
malicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2872
chrome.exe
172.217.22.67:443
ssl.gstatic.com
Google Inc.
US
whitelisted
2872
chrome.exe
216.58.208.35:443
www.gstatic.com
Google Inc.
US
whitelisted
2872
chrome.exe
104.18.33.217:80
yolaplay.com
Cloudflare Inc
US
shared
2872
chrome.exe
172.217.22.78:443
sb-ssl.google.com
Google Inc.
US
whitelisted
2920
Roblox_Setup.exe
64.111.117.81:443
www.demtxr.com
New Dream Network, LLC
US
malicious
2872
chrome.exe
172.217.16.173:443
accounts.google.com
Google Inc.
US
whitelisted
2872
chrome.exe
216.58.210.3:443
clientservices.googleapis.com
Google Inc.
US
whitelisted
2944
iexplore.exe
104.18.33.217:80
yolaplay.com
Cloudflare Inc
US
shared
2920
Roblox_Setup.exe
104.18.33.217:80
yolaplay.com
Cloudflare Inc
US
shared
2272
iexplore.exe
204.79.197.200:80
www.bing.com
Microsoft Corporation
US
whitelisted

DNS requests

Domain
IP
Reputation
www.gstatic.com
  • 216.58.208.35
whitelisted
clientservices.googleapis.com
  • 216.58.210.3
whitelisted
yolaplay.com
  • 104.18.33.217
  • 104.18.32.217
suspicious
accounts.google.com
  • 172.217.16.173
shared
sb-ssl.google.com
  • 172.217.22.78
whitelisted
ssl.gstatic.com
  • 172.217.22.67
whitelisted
www.demtxr.com
  • 64.111.117.81
malicious
www.yolaplay.com
  • 104.18.33.217
  • 104.18.32.217
malicious
www.bing.com
  • 204.79.197.200
  • 13.107.21.200
whitelisted
bat.bing.com
  • 204.79.197.200
  • 13.107.21.200
whitelisted

Threats

PID
Process
Class
Message
2872
chrome.exe
Potential Corporate Privacy Violation
ET POLICY PE EXE or DLL Windows file download HTTP
No debug info