analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
URL:

https://maiar.com/features

Full analysis: https://app.any.run/tasks/491e9c33-b689-422f-91eb-bd2bbcb815fd
Verdict: Malicious activity
Analysis date: April 14, 2019, 22:00:09
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MD5:

F020E980BDBD15CF0603F89D96CAF734

SHA1:

3B81F5E63FCCEACE452DA975B2282BD338643577

SHA256:

9F07A85E48AD19DDFEBF645A03814A5134A4014B1988E5ED1746C5956A31CD65

SSDEEP:

3:N802CAWn:20z

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Application was dropped or rewritten from another process

      • MaiarUpdateSetup.exe (PID: 3604)
      • MaiarSetup.exe (PID: 2908)
      • MaiarUpdate.exe (PID: 2860)
      • MaiarUpdate.exe (PID: 3240)
      • MaiarUpdate.exe (PID: 868)
      • MaiarUpdate.exe (PID: 2244)
      • MaiarUpdate.exe (PID: 2564)
      • MaiarUpdate.exe (PID: 2324)
      • MaiarUpdate.exe (PID: 2572)
      • MaiarUpdate.exe (PID: 3360)

    • Loads dropped or rewritten executable

      • MaiarUpdate.exe (PID: 2860)
      • MaiarUpdate.exe (PID: 868)
      • MaiarUpdate.exe (PID: 3240)
      • MaiarUpdate.exe (PID: 2324)
      • MaiarUpdate.exe (PID: 2564)
      • MaiarUpdate.exe (PID: 2244)
      • MaiarUpdate.exe (PID: 2572)
      • MaiarUpdate.exe (PID: 3360)

    • Loads the Task Scheduler COM API

      • MaiarUpdate.exe (PID: 868)

    • Changes settings of System certificates

      • MaiarUpdate.exe (PID: 2244)

  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • chrome.exe (PID: 2956)
      • chrome.exe (PID: 2096)
      • MaiarSetup.exe (PID: 2908)
      • MaiarUpdateSetup.exe (PID: 3604)
      • MaiarUpdate.exe (PID: 868)

    • Creates files in the program directory

      • MaiarUpdateSetup.exe (PID: 3604)
      • MaiarUpdate.exe (PID: 868)
      • MaiarUpdate.exe (PID: 2572)

    • Disables SEHOP

      • MaiarUpdate.exe (PID: 868)

    • Starts itself from another location

      • MaiarUpdate.exe (PID: 868)

    • Creates COM task schedule object

      • MaiarUpdate.exe (PID: 2564)
      • MaiarUpdate.exe (PID: 868)

    • Application launched itself

      • MaiarUpdate.exe (PID: 2572)

    • Adds / modifies Windows certificates

      • MaiarUpdate.exe (PID: 2244)

  • INFO

    • Application launched itself

      • chrome.exe (PID: 2956)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
57
Monitored processes
24
Malicious processes
9
Suspicious processes
1

Behavior graph

Click at the process to see the details
drop and start start drop and start drop and start drop and start drop and start drop and start drop and start chrome.exe chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs maiarsetup.exe maiarupdate.exe no specs maiarupdatesetup.exe maiarupdate.exe maiarupdate.exe no specs maiarupdate.exe no specs maiarupdate.exe maiarupdate.exe no specs maiarupdate.exe maiarupdate.exe

Process information

PID
CMD
Path
Indicators
Parent process
2956"C:\Program Files\Google\Chrome\Application\chrome.exe" https://maiar.com/featuresC:\Program Files\Google\Chrome\Application\chrome.exe
explorer.exe
User:
admin
Company:
Google Inc.
Integrity Level:
MEDIUM
Description:
Google Chrome
Exit code:
3221225547
Version:
73.0.3683.75
3568"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win32 --annotation=prod=Chrome --annotation=ver=73.0.3683.75 --initial-client-data=0x7c,0x80,0x84,0x78,0x88,0x6f550f18,0x6f550f28,0x6f550f34C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google Inc.
Integrity Level:
MEDIUM
Description:
Google Chrome
Exit code:
0
Version:
73.0.3683.75
2692"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=watcher --main-thread-id=2960 --on-initialized-event-handle=308 --parent-handle=312 /prefetch:6C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google Inc.
Integrity Level:
MEDIUM
Description:
Google Chrome
Exit code:
0
Version:
73.0.3683.75
3832"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=968,17215634630916836933,4176483723390307175,131072 --enable-features=PasswordImport --gpu-preferences=KAAAAAAAAACAAwAAAQAAAAAAAAAAAGAAAAAAAAEAAAAIAAAAAAAAACgAAAAEAAAAIAAAAAAAAAAoAAAAAAAAADAAAAAAAAAAOAAAAAAAAAAQAAAAAAAAAAAAAAAFAAAAEAAAAAAAAAAAAAAABgAAABAAAAAAAAAAAQAAAAUAAAAQAAAAAAAAAAEAAAAGAAAA --service-request-channel-token=6431492561213537796 --mojo-platform-channel-handle=956 --ignored=" --type=renderer " /prefetch:2C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google Inc.
Integrity Level:
LOW
Description:
Google Chrome
Exit code:
0
Version:
73.0.3683.75
2096"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --field-trial-handle=968,17215634630916836933,4176483723390307175,131072 --enable-features=PasswordImport --lang=en-US --service-sandbox-type=network --service-request-channel-token=6538527062471319232 --mojo-platform-channel-handle=1504 /prefetch:8C:\Program Files\Google\Chrome\Application\chrome.exe
chrome.exe
User:
admin
Company:
Google Inc.
Integrity Level:
MEDIUM
Description:
Google Chrome
Exit code:
0
Version:
73.0.3683.75
2524"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=968,17215634630916836933,4176483723390307175,131072 --enable-features=PasswordImport --service-pipe-token=14929232735656079842 --lang=en-US --enable-offline-auto-reload --enable-offline-auto-reload-visible-only --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=14929232735656079842 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1960 /prefetch:1C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google Inc.
Integrity Level:
LOW
Description:
Google Chrome
Exit code:
0
Version:
73.0.3683.75
2996"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=968,17215634630916836933,4176483723390307175,131072 --enable-features=PasswordImport --service-pipe-token=8677483887613933414 --lang=en-US --enable-offline-auto-reload --enable-offline-auto-reload-visible-only --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=8677483887613933414 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2036 /prefetch:1C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google Inc.
Integrity Level:
LOW
Description:
Google Chrome
Exit code:
0
Version:
73.0.3683.75
3476"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=968,17215634630916836933,4176483723390307175,131072 --enable-features=PasswordImport --service-pipe-token=2909597758284394243 --lang=en-US --extension-process --enable-offline-auto-reload --enable-offline-auto-reload-visible-only --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=2909597758284394243 --renderer-client-id=4 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2244 /prefetch:1C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google Inc.
Integrity Level:
LOW
Description:
Google Chrome
Exit code:
0
Version:
73.0.3683.75
2284"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --field-trial-handle=968,17215634630916836933,4176483723390307175,131072 --enable-features=PasswordImport --lang=en-US --service-sandbox-type=utility --service-request-channel-token=12005571563935577244 --mojo-platform-channel-handle=3172 --ignored=" --type=renderer " /prefetch:8C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google Inc.
Integrity Level:
LOW
Description:
Google Chrome
Exit code:
0
Version:
73.0.3683.75
3648"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --field-trial-handle=968,17215634630916836933,4176483723390307175,131072 --enable-features=PasswordImport --lang=en-US --service-sandbox-type=utility --service-request-channel-token=13439512304242856846 --mojo-platform-channel-handle=3364 --ignored=" --type=renderer " /prefetch:8C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google Inc.
Integrity Level:
LOW
Description:
Google Chrome
Exit code:
0
Version:
73.0.3683.75
Total events
2 763
Read events
1 021
Write events
0
Delete events
0

Modification events

No data
Executable files
218
Suspicious files
45
Text files
129
Unknown types
14

Dropped files

PID
Process
Filename
Type
2956chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\ShaderCache\GPUCache\index
MD5:
SHA256:
2956chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\ShaderCache\GPUCache\data_0
MD5:
SHA256:
2956chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\ShaderCache\GPUCache\data_1
MD5:
SHA256:
2956chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\ShaderCache\GPUCache\data_2
MD5:
SHA256:
2956chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\ShaderCache\GPUCache\data_3
MD5:
SHA256:
2956chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\05e144ed-8856-4285-a5f6-714c88e4f1da.tmp
MD5:
SHA256:
2956chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\data_reduction_proxy_leveldb\000018.dbtmp
MD5:
SHA256:
2956chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\index
MD5:
SHA256:
2956chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_0
MD5:
SHA256:
2956chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1
MD5:
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
6
TCP/UDP connections
29
DNS requests
20
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
HEAD
200
52.222.162.11:80
http://downloads.maiar.com/static/media/build/Maiar/stable/win/79164841066596/72.0.59.100.exe
US
malicious
2096
chrome.exe
GET
302
172.217.16.206:80
http://redirector.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvMjJlQUFXRC12Ny1ldUFnMXF3SDlXZDlFZw/7319.128.0.1_pkedcjkdefgpdelpbcmbmeomcjbeemfm.crx
US
html
507 b
whitelisted
2096
chrome.exe
GET
200
194.9.24.113:80
http://r6---sn-5uh5o-f5fd.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvMjJlQUFXRC12Ny1ldUFnMXF3SDlXZDlFZw/7319.128.0.1_pkedcjkdefgpdelpbcmbmeomcjbeemfm.crx?cms_redirect=yes&mip=212.7.217.54&mm=28&mn=sn-5uh5o-f5fd&ms=nvh&mt=1555279173&mv=m&pl=21&shardbypass=yes
PL
crx
842 Kb
whitelisted
2096
chrome.exe
GET
200
13.107.4.50:80
http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
US
compressed
55.6 Kb
whitelisted
GET
200
52.222.162.11:80
http://downloads.maiar.com/static/media/build/Maiar/stable/win/79164841066596/72.0.59.100.exe
US
executable
57.8 Mb
malicious
2096
chrome.exe
GET
200
52.222.168.106:80
http://x.ss2.us/x.cer
US
der
1.27 Kb
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2096
chrome.exe
172.217.23.170:443
ajax.googleapis.com
Google Inc.
US
whitelisted
2096
chrome.exe
104.19.199.151:443
cdnjs.cloudflare.com
Cloudflare Inc
US
shared
2096
chrome.exe
172.217.16.202:443
ajax.googleapis.com
Google Inc.
US
whitelisted
2096
chrome.exe
52.29.147.234:443
maiar.com
Amazon.com, Inc.
DE
unknown
2096
chrome.exe
172.217.16.141:443
accounts.google.com
Google Inc.
US
suspicious
2096
chrome.exe
172.217.22.35:443
clientservices.googleapis.com
Google Inc.
US
whitelisted
2096
chrome.exe
52.222.168.106:80
x.ss2.us
Amazon.com, Inc.
US
suspicious
2096
chrome.exe
209.197.3.15:443
stackpath.bootstrapcdn.com
Highwinds Network Group, Inc.
US
whitelisted
2096
chrome.exe
13.107.4.50:80
www.download.windowsupdate.com
Microsoft Corporation
US
whitelisted
2096
chrome.exe
172.217.22.72:443
www.googletagmanager.com
Google Inc.
US
whitelisted

DNS requests

Domain
IP
Reputation
maiar.com
  • 52.29.147.234
  • 18.196.209.57
malicious
clientservices.googleapis.com
  • 172.217.22.35
whitelisted
accounts.google.com
  • 172.217.16.141
shared
x.ss2.us
  • 52.222.168.106
  • 52.222.168.175
  • 52.222.168.85
  • 52.222.168.60
whitelisted
www.download.windowsupdate.com
  • 13.107.4.50
whitelisted
cdnjs.cloudflare.com
  • 104.19.199.151
  • 104.19.197.151
  • 104.19.198.151
  • 104.19.196.151
  • 104.19.195.151
whitelisted
ajax.googleapis.com
  • 172.217.23.170
  • 172.217.22.10
  • 172.217.18.170
  • 216.58.206.10
  • 216.58.207.42
  • 216.58.207.74
  • 216.58.208.42
  • 172.217.16.138
  • 172.217.22.74
  • 216.58.210.10
  • 172.217.16.202
  • 172.217.18.106
whitelisted
safebrowsing.googleapis.com
  • 172.217.16.202
whitelisted
stackpath.bootstrapcdn.com
  • 209.197.3.15
whitelisted
www.googletagmanager.com
  • 172.217.22.72
whitelisted

Threats

PID
Process
Class
Message
Potential Corporate Privacy Violation
ET POLICY PE EXE or DLL Windows file download HTTP
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
https://maiar.com/features