File name:

test2.exe

Full analysis: https://app.any.run/tasks/758c0a83-ebe8-4be4-b19e-f2180bfd084b
Verdict: Malicious activity
Threats:

NanoCore is a Remote Access Trojan or RAT. This malware is highly customizable with plugins which allow attackers to tailor its functionality to their needs. Nanocore is created with the .NET framework and it’s available for purchase for just $25 from its “official” website.

Malware Trends Tracker     >>>
Analysis date: March 02, 2024, 20:23:26
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
nanocore
rat
remote
Indicators:
MIME: application/x-dosexec
File info: MS-DOS executable PE32 executable (GUI) Intel 80386, for MS Windows
MD5:

6D399A98F3269462F93FA87FF47C3E61

SHA1:

AF54797D6D47B7BD5CCC4D0BFB27ACED5D62DDC8

SHA256:

A50C859F181787F9D0094903FAA2DF36A67667B87B65E561F7BD9ACD0621CC4B

SSDEEP:

6144:mdhPqG+lvYv5vC3EeetGoSzihIccZG4wQRMT0f8WTnxhfnIJ/2KcKeWVN:mdhPUq5ODet4ChcfwWMTZWTnbfnIyTW7

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Drops the executable file immediately after the start

      • test2.exe (PID: 3240)
      • nan.exe (PID: 2920)
      • test.exe (PID: 3784)

    • Create files in the Startup directory

      • test2.exe (PID: 3240)

    • Changes the autorun value in the registry

      • nan.exe (PID: 2920)
      • test.exe (PID: 3784)

    • NANOCORE has been detected (YARA)

      • nan.exe (PID: 2920)

    • NANOCORE has been detected (SURICATA)

      • nan.exe (PID: 2920)

    • Connects to the CnC server

      • nan.exe (PID: 2920)

  • SUSPICIOUS

    • Reads the date of Windows installation

      • test2.exe (PID: 3240)

    • Reads security settings of Internet Explorer

      • test2.exe (PID: 3240)
      • nan.exe (PID: 2920)

    • Executable content was dropped or overwritten

      • test2.exe (PID: 3240)
      • nan.exe (PID: 2920)
      • test.exe (PID: 3784)

    • Reads the Internet Settings

      • test2.exe (PID: 3240)
      • nan.exe (PID: 2920)

    • Connects to unusual port

      • nan.exe (PID: 2920)
      • test.exe (PID: 3784)

  • INFO

    • Checks supported languages

      • test2.exe (PID: 3240)
      • nan.exe (PID: 2920)
      • test.exe (PID: 3784)
      • salinewin.exe (PID: 2176)

    • Reads the machine GUID from the registry

      • nan.exe (PID: 2920)
      • test2.exe (PID: 3240)
      • test.exe (PID: 3784)

    • Reads the computer name

      • test2.exe (PID: 3240)
      • nan.exe (PID: 2920)
      • test.exe (PID: 3784)

    • Process checks whether UAC notifications are on

      • nan.exe (PID: 2920)

    • Creates files or folders in the user directory

      • test2.exe (PID: 3240)
      • nan.exe (PID: 2920)

    • Reads Environment values

      • test.exe (PID: 3784)
      • nan.exe (PID: 2920)

    • Manual execution by a user

      • chrome.exe (PID: 1876)

    • Reads product name

      • nan.exe (PID: 2920)

    • Create files in a temporary directory

      • nan.exe (PID: 2920)

    • Application launched itself

      • chrome.exe (PID: 1876)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Nanocore

(PID) Process(2920) nan.exe
KeyboardLoggingTrue
BuildTime2024-03-02 19:47:13.325304
Version1.2.2.0
Mutex2e5f3c36-4873-479c-80aa-92426c28e6ac
DefaultGroupDefault
PrimaryConnectionHostBaggard437.ddns.net
BackupConnectionHostBaggard437.ddns.net
ConnectionPort8131
RunOnStartupTrue
RequestElevationFalse
BypassUserAccountControlFalse
ClearZoneIdentifierTrue
ClearAccessControlFalse
SetCriticalProcessFalse
PreventSystemSleepTrue
ActivateAwayModeFalse
EnableDebugModeFalse
RunDelay0
ConnectDelay4000
RestartDelay5006
TimeoutInterval5000
KeepAliveTimeout30000
MutexTimeout5000
LanTimeout2500
WanTimeout8003
BufferSize65535
MaxPacketSize10485760
GCThreshold10485760
UseCustomDnsServerTrue
PrimaryDnsServer8.8.8.8
BackupDnsServer8.8.4.4
No Malware configuration.

TRiD

.exe | Win32 Executable (generic) (52.9)
.exe | Generic Win/DOS Executable (23.5)
.exe | DOS Executable Generic (23.5)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 0000:00:00 00:00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit
PEType: PE32
LinkerVersion: -
CodeSize: -
InitializedDataSize: -
UninitializedDataSize: -
EntryPoint: 0x0154
OSVersion: -
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
73
Monitored processes
29
Malicious processes
3
Suspicious processes
0

Behavior graph

Click at the process to see the details
start test2.exe #NANOCORE nan.exe test.exe chrome.exe chrome.exe no specs chrome.exe no specs chrome.exe chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs salinewin.exe no specs salinewin.exe chrome.exe no specs taskmgr.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
324"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=18 --mojo-platform-channel-handle=2372 --field-trial-handle=1160,i,12432413129255327085,14708763212695094852,131072 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:1C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
LOW
Description:
Google Chrome
Exit code:
0
Version:
109.0.5414.120
Modules
Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\google\chrome\application\109.0.5414.120\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
1432"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --disable-quic --mojo-platform-channel-handle=2736 --field-trial-handle=1160,i,12432413129255327085,14708763212695094852,131072 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
MEDIUM
Description:
Google Chrome
Exit code:
0
Version:
109.0.5414.120
Modules
Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\google\chrome\application\109.0.5414.120\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
1608"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=3996 --field-trial-handle=1160,i,12432413129255327085,14708763212695094852,131072 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:1C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
LOW
Description:
Google Chrome
Exit code:
0
Version:
109.0.5414.120
Modules
Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\google\chrome\application\109.0.5414.120\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
1624"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --disable-quic --mojo-platform-channel-handle=3392 --field-trial-handle=1160,i,12432413129255327085,14708763212695094852,131072 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
LOW
Description:
Google Chrome
Exit code:
0
Version:
109.0.5414.120
Modules
Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\google\chrome\application\109.0.5414.120\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
1840"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=3260 --field-trial-handle=1160,i,12432413129255327085,14708763212695094852,131072 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:1C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
LOW
Description:
Google Chrome
Exit code:
0
Version:
109.0.5414.120
Modules
Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\google\chrome\application\109.0.5414.120\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
1876"C:\Program Files\Google\Chrome\Application\chrome.exe" "--disable-features=OptimizationGuideModelDownloading,OptimizationHintsFetching,OptimizationTargetPrediction,OptimizationHints"C:\Program Files\Google\Chrome\Application\chrome.exe
explorer.exe
User:
admin
Company:
Google LLC
Integrity Level:
MEDIUM
Description:
Google Chrome
Exit code:
0
Version:
109.0.5414.120
Modules
Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\google\chrome\application\109.0.5414.120\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
1956"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=3768 --field-trial-handle=1160,i,12432413129255327085,14708763212695094852,131072 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:1C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
LOW
Description:
Google Chrome
Exit code:
0
Version:
109.0.5414.120
Modules
Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\google\chrome\application\109.0.5414.120\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
2072"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2212 --field-trial-handle=1160,i,12432413129255327085,14708763212695094852,131072 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:1C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
LOW
Description:
Google Chrome
Exit code:
0
Version:
109.0.5414.120
Modules
Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\google\chrome\application\109.0.5414.120\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
2152"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2096 --field-trial-handle=1160,i,12432413129255327085,14708763212695094852,131072 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:1C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
LOW
Description:
Google Chrome
Exit code:
0
Version:
109.0.5414.120
Modules
Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\google\chrome\application\109.0.5414.120\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
2152"C:\Windows\System32\taskmgr.exe" C:\Windows\System32\taskmgr.exenan.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Task Manager
Exit code:
1073807364
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\taskmgr.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
Total events
12 506
Read events
12 361
Write events
144
Delete events
1

Modification events

(PID) Process:(3240) test2.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:ProxyBypass
Value:
1
(PID) Process:(3240) test2.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:IntranetName
Value:
1
(PID) Process:(3240) test2.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:UNCAsIntranet
Value:
1
(PID) Process:(3240) test2.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:AutoDetect
Value:
0
(PID) Process:(3240) test2.exeKey:HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E
Operation:writeName:LanguageList
Value:
en-US
(PID) Process:(2920) nan.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Operation:writeName:TCP Monitor
Value:
C:\Users\admin\AppData\Roaming\90059C37-1320-41A4-B58D-2B75A9850D2F\TCP Monitor\tcpmon.exe
(PID) Process:(3784) test.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Operation:writeName:Form1
Value:
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\test.exe
(PID) Process:(1876) chrome.exeKey:HKEY_CURRENT_USER\Software\Google\Chrome\BLBeacon
Operation:writeName:failed_count
Value:
0
(PID) Process:(1876) chrome.exeKey:HKEY_CURRENT_USER\Software\Google\Chrome\BLBeacon
Operation:writeName:state
Value:
2
(PID) Process:(1876) chrome.exeKey:HKEY_CURRENT_USER\Software\Google\Chrome\ThirdParty
Operation:writeName:StatusCodes
Value:
Executable files
6
Suspicious files
38
Text files
97
Unknown types
60

Dropped files

PID
Process
Filename
Type
1876chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\commerce_subscription_db\LOG.old~RF1805c7.TMP
MD5:
SHA256:
1876chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\commerce_subscription_db\LOG.old
MD5:
SHA256:
3240test2.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\test.exeexecutable
MD5:A450298168C4C795F5F49F01E3D2F474
SHA256:3727A9AD0A6C7949BE2BFBD5DB5FCB0E652EB5131C557172B37044B5FC6559F4
2920nan.exeC:\Users\admin\AppData\Roaming\90059C37-1320-41A4-B58D-2B75A9850D2F\TCP Monitor\tcpmon.exeexecutable
MD5:C98F5B4483F6B0F6EE0058F2E2C49B52
SHA256:2FA2CBE2B65BC74CB56F993E1BE684E4A31C94C4E749A278DB0EB078A471ADF3
2920nan.exeC:\Users\admin\AppData\Roaming\90059C37-1320-41A4-B58D-2B75A9850D2F\run.dattext
MD5:E6583DA422BD06FA99E99E9CAE6C28A2
SHA256:D67E8FCC99AB0BC44B569ACF9A356D72D07433585C6CA8B317AFCEBA6EB8C508
3784test.exeC:\Users\admin\Desktop\warbot.Exeexecutable
MD5:A450298168C4C795F5F49F01E3D2F474
SHA256:3727A9AD0A6C7949BE2BFBD5DB5FCB0E652EB5131C557172B37044B5FC6559F4
3240test2.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\nan.exeexecutable
MD5:C98F5B4483F6B0F6EE0058F2E2C49B52
SHA256:2FA2CBE2B65BC74CB56F993E1BE684E4A31C94C4E749A278DB0EB078A471ADF3
1876chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\LOG.old~RF1805d7.TMPtext
MD5:ADB669AB4CD1C63883C64FB0DBA2C7DA
SHA256:18BFF89047EC5B122573D089B3DC7A7DD14A5A7A515B2D8141584B41E723253F
1876chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\LOG.old~RF180683.TMPtext
MD5:C383FD120B14BB0E98E99C1BCC9B43F6
SHA256:56A3A5EACBD28BEE1CF8C1D0052321A5C27EE858BEF7B2FA1DE20806A0823CC1
1876chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\metadata\LOG.old~RF18076d.TMPtext
MD5:B36B68CE4A71A5BFAF89A4D1CC07893F
SHA256:6422CC04455EF100D67FD9F299AACFEF3BA4F77D0FA1D2440D89E7D1CF65EBBC
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
12
TCP/UDP connections
52
DNS requests
59
Threats
49

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3940
chrome.exe
GET
200
199.59.243.225:80
http://ww1.yyyyyy.info/
unknown
html
1.02 Kb
unknown
3940
chrome.exe
GET
200
199.59.243.225:80
http://ww1.yyyyyy.info/bvWPtiToT.js
unknown
text
32.2 Kb
unknown
3940
chrome.exe
POST
200
199.59.243.225:80
http://ww1.yyyyyy.info/_fd
unknown
compressed
2.02 Kb
unknown
3940
chrome.exe
GET
200
199.59.243.225:80
http://ww1.yyyyyy.info/
unknown
html
1.02 Kb
unknown
3940
chrome.exe
GET
200
199.59.243.225:80
http://ww1.yyyyyy.info/bugxgEoCB.js
unknown
text
32.2 Kb
unknown
3940
chrome.exe
POST
200
199.59.243.225:80
http://ww1.yyyyyy.info/_fd
unknown
compressed
2.03 Kb
unknown
856
svchost.exe
HEAD
200
34.104.35.123:80
http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/ad3rm3ciqs3fjr4bc4x5vwuildeq_9.49.1/gcmjkmgdlgnkkcocmoeiminaijmmjnii_9.49.1_all_ixzyrcu7pvmgu5pjv6enfqq6wa.crx3
unknown
unknown
856
svchost.exe
GET
206
34.104.35.123:80
http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/ad3rm3ciqs3fjr4bc4x5vwuildeq_9.49.1/gcmjkmgdlgnkkcocmoeiminaijmmjnii_9.49.1_all_ixzyrcu7pvmgu5pjv6enfqq6wa.crx3
unknown
binary
5.33 Kb
unknown
856
svchost.exe
GET
206
34.104.35.123:80
http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/ad3rm3ciqs3fjr4bc4x5vwuildeq_9.49.1/gcmjkmgdlgnkkcocmoeiminaijmmjnii_9.49.1_all_ixzyrcu7pvmgu5pjv6enfqq6wa.crx3
unknown
binary
7.54 Kb
unknown
856
svchost.exe
GET
206
34.104.35.123:80
http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/ad3rm3ciqs3fjr4bc4x5vwuildeq_9.49.1/gcmjkmgdlgnkkcocmoeiminaijmmjnii_9.49.1_all_ixzyrcu7pvmgu5pjv6enfqq6wa.crx3
unknown
binary
7.75 Kb
unknown
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:138
whitelisted
4
System
192.168.100.255:137
whitelisted
1080
svchost.exe
224.0.0.252:5355
unknown
2920
nan.exe
73.225.6.155:8131
Baggard437.ddns.net
COMCAST-7922
US
unknown
3784
test.exe
73.225.6.155:9091
Baggard437.ddns.net
COMCAST-7922
US
unknown
3940
chrome.exe
172.217.18.99:443
clientservices.googleapis.com
GOOGLE
US
whitelisted
1876
chrome.exe
239.255.255.250:1900
unknown
3940
chrome.exe
142.251.168.84:443
accounts.google.com
GOOGLE
US
unknown
3940
chrome.exe
172.217.23.100:443
www.google.com
GOOGLE
US
whitelisted
3940
chrome.exe
142.250.185.99:443
update.googleapis.com
GOOGLE
US
whitelisted

DNS requests

Domain
IP
Reputation
Baggard437.ddns.net
  • 73.225.6.155
unknown
baggard437.ddns.net
  • 73.225.6.155
unknown
clientservices.googleapis.com
  • 172.217.18.99
whitelisted
accounts.google.com
  • 142.251.168.84
shared
www.google.com
  • 172.217.23.100
  • 142.250.184.196
whitelisted
update.googleapis.com
  • 142.250.185.99
whitelisted
encrypted-tbn0.gstatic.com
  • 142.250.185.142
whitelisted
yyyyyy.info
  • 199.115.116.162
unknown
ww1.yyyyyy.info
  • 199.59.243.225
unknown
www.adsensecustomsearchads.com
  • 142.250.185.238
whitelisted

Threats

PID
Process
Class
Message
2920
nan.exe
Potentially Bad Traffic
ET POLICY DNS Query to DynDNS Domain *.ddns .net
1080
svchost.exe
Potentially Bad Traffic
ET POLICY DNS Query to DynDNS Domain *.ddns .net
2920
nan.exe
Potentially Bad Traffic
ET POLICY DNS Query to DynDNS Domain *.ddns .net
2920
nan.exe
A Network Trojan was detected
ET MALWARE NanoCore RAT Keepalive Response 3
2920
nan.exe
A Network Trojan was detected
ET MALWARE NanoCore RAT Keepalive Response 1
3940
chrome.exe
Not Suspicious Traffic
INFO [ANY.RUN] Cloudflare Network Error Logging (NEL)
1080
svchost.exe
Potentially Bad Traffic
ET POLICY DNS Query to DynDNS Domain *.ddns .net
1080
svchost.exe
Potentially Bad Traffic
ET POLICY DNS Query to DynDNS Domain *.ddns .net
2920
nan.exe
A Network Trojan was detected
ET MALWARE NanoCore RAT Keepalive Response 3
2920
nan.exe
A Network Trojan was detected
ET MALWARE NanoCore RAT Keepalive Response 1
38 ETPRO signatures available at the full report
Process
Message
test2.exe
%s%s
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
test2.exe