File name:

TARISMiniLoader_official.wg.intl.exe

Full analysis: https://app.any.run/tasks/d992fd24-0d27-4171-967d-f4a2a50d813f
Verdict: Malicious activity
Analysis date: June 25, 2024, 18:18:43
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
MD5:

1F1B1DC52E850B393DBC409490A56034

SHA1:

4C18AC0B8ED9DA80AEEA380B1E12A7879B50DC90

SHA256:

7E3A6B914DC1F307B4183E9EA01D97DEAC47507DB7880162D321AD6DCDE040DC

SSDEEP:

98304:mAgWgaX8+UcVHwrr7hvlXGncWayfF50usr8LY+yfHJ4UNpYyfc9Qjhg0PJyGpXYC:yCfOr+CFnLRoYeSyThaItFqtyg

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Drops the executable file immediately after the start

      • TARISMiniLoader_official.wg.intl.exe (PID: 3708)

  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • TARISMiniLoader_official.wg.intl.exe (PID: 3708)

  • INFO

    • Checks supported languages

      • TARISMiniLoader_official.wg.intl.exe (PID: 3708)
      • TARISMiniloader.exe (PID: 3372)

    • Reads the computer name

      • TARISMiniLoader_official.wg.intl.exe (PID: 3708)
      • TARISMiniloader.exe (PID: 3372)

    • Creates files or folders in the user directory

      • TARISMiniLoader_official.wg.intl.exe (PID: 3708)
      • TARISMiniloader.exe (PID: 3372)

    • Create files in a temporary directory

      • TARISMiniLoader_official.wg.intl.exe (PID: 3708)

    • Reads the machine GUID from the registry

      • TARISMiniloader.exe (PID: 3372)

    • Creates files in the program directory

      • TARISMiniloader.exe (PID: 3372)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (42.2)
.exe | Win64 Executable (generic) (37.3)
.dll | Win32 Dynamic Link Library (generic) (8.8)
.exe | Win32 Executable (generic) (6)
.exe | Generic Win/DOS Executable (2.7)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2023:07:02 02:11:15+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit
PEType: PE32
LinkerVersion: 6
CodeSize: 28672
InitializedDataSize: 150528
UninitializedDataSize: 2048
EntryPoint: 0x3ac9
OSVersion: 4
ImageVersion: 6
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 0.0.6.228
ProductVersionNumber: 0.0.6.228
FileFlagsMask: 0x0000
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Chinese (Simplified)
CharacterSet: Windows, Chinese (Simplified)
Comments: -
CompanyName: PROXIMA BETA PTE. LIMITED
FileDescription: -
FileVersion: 0.0.6.228
LegalCopyright: -
LegalTrademarks: -
ProductName: TARISMiniloader
ProductVersion: 0.0.6.228
No data.
screenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
42
Monitored processes
3
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start tarisminiloader_official.wg.intl.exe tarisminiloader.exe tarisminiloader_official.wg.intl.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
3372"C:\Users\admin\AppData\Local\TARISMiniloader\TARISMiniloader.exe" C:\Users\admin\AppData\Local\TARISMiniloader\TARISMiniloader.exe
TARISMiniLoader_official.wg.intl.exe
User:
admin
Integrity Level:
HIGH
Description:
Tarisland Minidown.exe
Version:
0.0.6.245
Modules
Images
c:\users\admin\appdata\local\tarisminiloader\tarisminiloader.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\nsi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
3380"C:\Users\admin\AppData\Local\Temp\TARISMiniLoader_official.wg.intl.exe" C:\Users\admin\AppData\Local\Temp\TARISMiniLoader_official.wg.intl.exeexplorer.exe
User:
admin
Company:
PROXIMA BETA PTE. LIMITED
Integrity Level:
MEDIUM
Exit code:
3221226540
Version:
0.0.6.228
Modules
Images
c:\users\admin\appdata\local\temp\tarisminiloader_official.wg.intl.exe
c:\windows\system32\ntdll.dll
3708"C:\Users\admin\AppData\Local\Temp\TARISMiniLoader_official.wg.intl.exe" C:\Users\admin\AppData\Local\Temp\TARISMiniLoader_official.wg.intl.exe
explorer.exe
User:
admin
Company:
PROXIMA BETA PTE. LIMITED
Integrity Level:
HIGH
Version:
0.0.6.228
Modules
Images
c:\users\admin\appdata\local\temp\tarisminiloader_official.wg.intl.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
Total events
2 679
Read events
2 679
Write events
0
Delete events
0

Modification events

No data
Executable files
3
Suspicious files
5
Text files
6
Unknown types
0

Dropped files

PID
Process
Filename
Type
3708TARISMiniLoader_official.wg.intl.exeC:\Users\admin\AppData\Local\TARISMiniloader\TARISMiniloader.exeexecutable
MD5:9B59A55E0679C08F1E9CA28B73C985A4
SHA256:E02B9BE6B2C09D032DF7F565051F116CF9F234D9F799579CFC280C49A7E67474
3708TARISMiniLoader_official.wg.intl.exeC:\Users\admin\AppData\Local\TARISMiniloader\Minidown.xmlbinary
MD5:51ACA0BC86EAB4ECDFFA12D0DB3E1554
SHA256:8A71375485726EF98079C7938D43F00510B123ACE748F582FF41E395D9026103
3708TARISMiniLoader_official.wg.intl.exeC:\Users\admin\AppData\Local\TARISMiniloader\tiny_dl\VersionServiceProxy.dllexecutable
MD5:B10205121C062D7E3C935A3D67A1AAAD
SHA256:AB9B1EFDCB96FB41639B869A002C1B4863BFE144F17E99D471C9EABD454B9A11
3708TARISMiniLoader_official.wg.intl.exeC:\Users\admin\AppData\Local\TARISMiniloader\tiny_dl\VersionService.exeexecutable
MD5:4BD69FB25F7B2FD581810EDA46539AEB
SHA256:3EFBBAE84BFF66D42EA8EFEEE013FD4EAB88C6219D8EE312CBC14AD09D15FB7F
3708TARISMiniLoader_official.wg.intl.exeC:\Users\admin\AppData\Local\TARISMiniloader\res.zipcompressed
MD5:D6DE9E4584E6992354920B3C84B12CF0
SHA256:8740A4EDA45D56FF6E10873C1B1EBF82551839DD7906073C787F64FD78714457
3708TARISMiniLoader_official.wg.intl.exeC:\Users\admin\AppData\Local\TARISMiniloader\install_script.datbinary
MD5:4B825D933E87A697A663F3E30FCB31CB
SHA256:AFB0049FD6DDD8A90AA44DFFDDDD9ACEA89D6A59134F2E3C8774F2767C9684C0
3708TARISMiniLoader_official.wg.intl.exeC:\Users\admin\AppData\Local\TARISMiniloader\LogConfig.initext
MD5:1E8CF5946A37D9A084BE613554260815
SHA256:E8A59173F505DBEDF4DD37EEC210E5E539A243E46F521A8BA8D2EC13FD99D29F
3372TARISMiniloader.exeC:\Users\admin\AppData\Local\TARISMiniloader\Local.xmlxml
MD5:A6619BCB25F8D87E384689967797A176
SHA256:10ACEE66F9297D9BF3242473F54FE7362B34D078BFF67A5870216954E4C1AD03
3708TARISMiniLoader_official.wg.intl.exeC:\Users\admin\AppData\Local\TARISMiniloader\icon.icoimage
MD5:92F781C68076A0DF4C70BDEEA56987B4
SHA256:FA3B712738365BFB7DD2B6F9ABCCFBDED43D7E32B6A722942AB17139D26E9399
3372TARISMiniloader.exeC:\Users\admin\AppData\Roaming\Tencent\TenioDL\Common.initext
MD5:BAAE927D9CBB65A4D74213BAB07606E3
SHA256:55D4E1DECF77AD73FD8C7358EB7CA01213460E2A57CC83073A13352001C1A49E
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
4
TCP/UDP connections
16
DNS requests
7
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
1372
svchost.exe
GET
200
88.221.169.152:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
unknown
1372
svchost.exe
GET
304
2.19.126.163:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?33775f6043c93e33
unknown
unknown
1060
svchost.exe
GET
304
2.19.126.163:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?8f69642324cc87bd
unknown
unknown
1372
svchost.exe
GET
200
2.16.241.14:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
unknown
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
224.0.0.252:5355
unknown
4
System
192.168.100.255:137
whitelisted
239.255.255.250:3702
unknown
1372
svchost.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:138
whitelisted
1060
svchost.exe
224.0.0.252:5355
unknown
3372
TARISMiniloader.exe
43.134.152.122:443
sg.jupiterlauncher.com
Tencent Building, Kejizhongyi Avenue
SG
unknown
3372
TARISMiniloader.exe
54.183.51.118:443
na.fleetlogd.com
AMAZON-02
US
unknown
1372
svchost.exe
2.19.126.163:80
ctldl.windowsupdate.com
Akamai International B.V.
DE
unknown
1372
svchost.exe
2.16.241.14:80
crl.microsoft.com
Akamai International B.V.
DE
unknown

DNS requests

Domain
IP
Reputation
sg.jupiterlauncher.com
  • 43.134.152.122
unknown
na.fleetlogd.com
  • 54.183.51.118
  • 54.241.5.138
unknown
settings-win.data.microsoft.com
  • 51.104.136.2
whitelisted
ctldl.windowsupdate.com
  • 2.19.126.163
  • 2.19.126.137
whitelisted
crl.microsoft.com
  • 2.16.241.14
  • 2.16.241.19
whitelisted
www.microsoft.com
  • 88.221.169.152
whitelisted

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
TARISMiniLoader_official.wg.intl.exe