File name: Your Package Tracked Now_5cadf9e53f83d.exe

Full analysis: https://app.any.run/tasks/6fba2ec5-5ad6-48c8-b6e6-ebaee51eabdb
Verdict: Malicious activity
Analysis date: April 14, 2019, 19:07:41
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
MD5: 1306823190016B9463291D6AA3082E88
SHA1: D1D6AD0A9369638F40DBD9CE54D7FBA6116123B7
SHA256: BD85622762BF36B5E2416519702B4C1B2346C204AA615AEA7FF67B034FEC43E7
SSDEEP: 12288:rgy5pqtaUnZ9Y4GtC51vxhIOwL+xfSl4LedqlwBTGXCeBedjM71SqnlfjvqsQr:b5pqtHzYpt+/RpelqWBTbVadl7SDr

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Loads dropped or rewritten executable
      • Your Package Tracked Now_5cadf9e53f83d.exe (PID: 2432)
    • Changes the autorun value in the registry
      • Your Package Tracked Now_5cadf9e53f83d.exe (PID: 2432)
    • Application was dropped or rewritten from another process
      • Your Package Tracked Now.exe (PID: 3368)
      • Your Package Tracked Now.exe (PID: 1360)
  • SUSPICIOUS
    • Creates a software uninstall entry
      • Your Package Tracked Now_5cadf9e53f83d.exe (PID: 2432)
      • Your Package Tracked Now.exe (PID: 1360)
      • Your Package Tracked Now.exe (PID: 3368)
    • Reads Internet Explorer settings
      • Your Package Tracked Now.exe (PID: 1360)
    • Executable content was dropped or overwritten
      • Your Package Tracked Now_5cadf9e53f83d.exe (PID: 2432)
    • Starts Internet Explorer
      • Your Package Tracked Now.exe (PID: 1360)
  • INFO
    • Application launched itself
      • IEXPLORE.EXE (PID: 2968)
    • Reads Internet Explorer settings
      • IEXPLORE.EXE (PID: 2160)
    • Reads Internet Cache Settings
      • IEXPLORE.EXE (PID: 2968)
      • IEXPLORE.EXE (PID: 2160)
    • Changes Internet zones settings
      • IEXPLORE.EXE (PID: 2968)
    • Reads settings of System Certificates
      • IEXPLORE.EXE (PID: 2160)
    • Creates files in the user directory
      • IEXPLORE.EXE (PID: 2160)
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (42.2)
.exe | Win64 Executable (generic) (37.3)
.dll | Win32 Dynamic Link Library (generic) (8.8)
.exe | Win32 Executable (generic) (6)
.exe | Generic Win/DOS Executable (2.7)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2016:07:25 02:55:51+02:00
PEType: PE32
LinkerVersion: 6
CodeSize: 25088
InitializedDataSize: 141824
UninitializedDataSize: 2048
EntryPoint: 0x33b6
OSVersion: 4
ImageVersion: 6
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 3.1.0.5
ProductVersionNumber: 3.1.0.5
FileFlagsMask: 0x0000
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: ASCII
CompanyName: Springtech Ltd
FileDescription: Desktop web search
FileVersion: 3.1.0.5
LegalCopyright: (c) 2018 Springtech Ltd
OriginalFileName: SBInstaller
ProductName: Desktop Search Bar
ProductVersion: 3.1.0.5

Summary

Architecture: IMAGE_FILE_MACHINE_I386
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date: 25-Jul-2016 00:55:51
Detected languages:
  • English - United States
CompanyName: Springtech Ltd
FileDescription: Desktop web search
FileVersion: 3.1.0.5
LegalCopyright: (c) 2018 Springtech Ltd
OriginalFilename: SBInstaller
ProductName: Desktop Search Bar
ProductVersion: 3.1.0.5

DOS Header

Magic number: MZ
Bytes on last page of file: 0x0090
Pages in file: 0x0003
Relocations: 0x0000
Size of header: 0x0004
Min extra paragraphs: 0x0000
Max extra paragraphs: 0xFFFF
Initial SS value: 0x0000
Initial SP value: 0x00B8
Checksum: 0x0000
Initial IP value: 0x0000
Initial CS value: 0x0000
Overlay number: 0x0000
OEM identifier: 0x0000
OEM information: 0x0000
Address of NE header: 0x000000C8

PE Headers

Signature: PE
Machine: IMAGE_FILE_MACHINE_I386
Number of sections: 5
Time date stamp: 25-Jul-2016 00:55:51
Pointer to Symbol Table: 0x00000000
Number of symbols: 0
Size of Optional Header: 0x00E0
Characteristics:
  • IMAGE_FILE_32BIT_MACHINE
  • IMAGE_FILE_EXECUTABLE_IMAGE
  • IMAGE_FILE_LINE_NUMS_STRIPPED
  • IMAGE_FILE_LOCAL_SYMS_STRIPPED
  • IMAGE_FILE_RELOCS_STRIPPED

Sections

Name | Virtual Address | Virtual Size | Raw Size | Characteristics | Entropy
.text | 0x00001000 | 0x0000615D | 0x00006200 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 6.45023
.rdata | 0x00008000 | 0x000013A4 | 0x00001400 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 5.163
.data | 0x0000A000 | 0x00020338 | 0x00000600 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 3.9824
.ndata | 0x0002B000 | 0x00026000 | 0x00000000 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 0
.rsrc | 0x00051000 | 0x00007C20 | 0x00007E00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 6.04043

Resources

Title | Entropy | Size | Codepage | Language | Type
1 | 5.29536 | 1058 | UNKNOWN | English - United States | RT_MANIFEST
2 | 6.01823 | 9640 | UNKNOWN | English - United States | RT_ICON
3 | 6.44112 | 4264 | UNKNOWN | English - United States | RT_ICON
4 | 6.6049 | 2440 | UNKNOWN | English - United States | RT_ICON
5 | 6.45535 | 1128 | UNKNOWN | English - United States | RT_ICON
6 | 0 | 744 | UNKNOWN | English - United States | RT_ICON
7 | 0 | 296 | UNKNOWN | English - United States | RT_ICON
103 | 2.80068 | 104 | UNKNOWN | English - United States | RT_GROUP_ICON
105 | 2.73893 | 514 | UNKNOWN | English - United States | RT_DIALOG
106 | 2.91148 | 248 | UNKNOWN | English - United States | RT_DIALOG

Imports

ADVAPI32.dll
COMCTL32.dll
GDI32.dll
KERNEL32.dll
SHELL32.dll
USER32.dll
ole32.dll
No data.
Total processes: 37
Monitored processes: 5
Malicious processes: 2
Suspicious processes: 1

Behavior graph

[Interactive process graph not reproduced. Processes shown: Your Package Tracked Now_5cadf9e53f83d.exe drops and starts Your Package Tracked Now.exe (two instances), which starts iexplore.exe (two instances).]

Process information

PID: 1360
CMD: "C:\Users\admin\AppData\Local\Your Package Tracked Now\Your Package Tracked Now.exe" /firstrun
Path: C:\Users\admin\AppData\Local\Your Package Tracked Now\Your Package Tracked Now.exe
Parent process: Your Package Tracked Now_5cadf9e53f83d.exe
User: admin
Company: Springtech LTD
Integrity Level: MEDIUM
Description: Desktop web search
Exit code: 0
Version: 3.1.0.5
Modules (images):
  c:\users\admin\appdata\local\your package tracked now\your package tracked now.exe
  c:\systemroot\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\urlmon.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\wininet.dll
  c:\windows\system32\shlwapi.dll
  c:\windows\system32\gdi32.dll
  c:\windows\system32\user32.dll

PID: 2160
CMD: "C:\Program Files\Internet Explorer\IEXPLORE.EXE" SCODEF:2968 CREDAT:71937
Path: C:\Program Files\Internet Explorer\IEXPLORE.EXE
Parent process: IEXPLORE.EXE
User: admin
Company: Microsoft Corporation
Integrity Level: LOW
Description: Internet Explorer
Exit code: 0
Version: 8.00.7600.16385 (win7_rtm.090713-1255)
Modules (images):
  c:\program files\internet explorer\iexplore.exe
  c:\systemroot\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\advapi32.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\sechost.dll
  c:\windows\system32\rpcrt4.dll
  c:\windows\system32\user32.dll
  c:\windows\system32\gdi32.dll

PID: 2432
CMD: "C:\Users\admin\AppData\Local\Temp\Your Package Tracked Now_5cadf9e53f83d.exe"
Path: C:\Users\admin\AppData\Local\Temp\Your Package Tracked Now_5cadf9e53f83d.exe
Parent process: explorer.exe
User: admin
Company: Springtech Ltd
Integrity Level: MEDIUM
Description: Desktop web search
Exit code: 0
Version: 3.1.0.5
Modules (images):
  c:\users\admin\appdata\local\temp\your package tracked now_5cadf9e53f83d.exe
  c:\systemroot\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\user32.dll
  c:\windows\system32\gdi32.dll
  c:\windows\system32\lpk.dll
  c:\windows\system32\usp10.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\shell32.dll

PID: 2968
CMD: "C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://results.hyourpackagetrackednow.com/s?uid=2d96fe23-823d-43e9-a319-702230adc835&uc=20190410&source={source}_v1-dsf_packages--bb9_v1-dsf_packages--bb9-sbe-ab&i_id=packages_&ap=appfocus84
Path: C:\Program Files\Internet Explorer\IEXPLORE.EXE
Parent process: Your Package Tracked Now.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Internet Explorer
Exit code: 0
Version: 8.00.7600.16385 (win7_rtm.090713-1255)
Modules (images):
  c:\program files\internet explorer\iexplore.exe
  c:\systemroot\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\advapi32.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\sechost.dll
  c:\windows\system32\rpcrt4.dll
  c:\windows\system32\user32.dll
  c:\windows\system32\gdi32.dll

PID: 3368
CMD: "C:\Users\admin\AppData\Local\Your Package Tracked Now\Your Package Tracked Now.exe" /ds
Path: C:\Users\admin\AppData\Local\Your Package Tracked Now\Your Package Tracked Now.exe
Parent process: explorer.exe
User: admin
Company: Springtech LTD
Integrity Level: MEDIUM
Description: Desktop web search
Exit code: 0
Version: 3.1.0.5
Modules (images):
  c:\users\admin\appdata\local\your package tracked now\your package tracked now.exe
  c:\systemroot\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\urlmon.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\wininet.dll
  c:\windows\system32\shlwapi.dll
  c:\windows\system32\gdi32.dll
  c:\windows\system32\user32.dll
Total events: 1 031
Read events: 906
Write events: 124
Delete events: 1

Modification events

Process: (2432) Your Package Tracked Now_5cadf9e53f83d.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Your Package Tracked Now_5cadf9e53f83d_RASAPI32
  write EnableFileTracing = 0
  write EnableConsoleTracing = 0
  write FileTracingMask = 4294901760
  write ConsoleTracingMask = 4294901760
  write MaxFileSize = 1048576
  write FileDirectory = %windir%\tracing

Process: (2432) Your Package Tracked Now_5cadf9e53f83d.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Your Package Tracked Now_5cadf9e53f83d_RASMANCS
  write EnableFileTracing = 0
  write EnableConsoleTracing = 0
  write FileTracingMask = 4294901760
  write ConsoleTracingMask = 4294901760
Executable files: 5
Suspicious files: 5
Text files: 48
Unknown types: 10

Dropped files

PID | Process | Filename | Type
2432 | Your Package Tracked Now_5cadf9e53f83d.exe | C:\Users\admin\AppData\Local\Temp\Cab9678.tmp | -
2432 | Your Package Tracked Now_5cadf9e53f83d.exe | C:\Users\admin\AppData\Local\Temp\Tar9679.tmp | -
2432 | Your Package Tracked Now_5cadf9e53f83d.exe | C:\Users\admin\AppData\Local\Temp\Cab967A.tmp | -
2432 | Your Package Tracked Now_5cadf9e53f83d.exe | C:\Users\admin\AppData\Local\Temp\Tar967B.tmp | -
2432 | Your Package Tracked Now_5cadf9e53f83d.exe | C:\Users\admin\AppData\Local\Temp\Cab9757.tmp | -
2432 | Your Package Tracked Now_5cadf9e53f83d.exe | C:\Users\admin\AppData\Local\Temp\Tar9758.tmp | -
2432 | Your Package Tracked Now_5cadf9e53f83d.exe | C:\Users\admin\AppData\Local\Temp\nsn6554.tmp | -
1360 | Your Package Tracked Now.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H6QNMHE9\rotate_strings[1].json | -
2432 | Your Package Tracked Now_5cadf9e53f83d.exe | C:\Users\admin\AppData\Local\Temp\nsn6555.tmp\npHelper.dll | executable
2432 | Your Package Tracked Now_5cadf9e53f83d.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015 | compressed
HTTP(S) requests: 28
TCP/UDP connections: 22
DNS requests: 10
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
2432 | Your Package Tracked Now_5cadf9e53f83d.exe | GET | 200 | 3.18.145.221:80 | http://sbdistro.com/Content/kits/sbui/widgets/packages/packages_ab.json?useragent=Mozilla/5.0%20(Windows%20NT%2010.0;%20Win64;%20x64)%20AppleWebKit/537.36%20(KHTML,%20like%20Gecko)%20Chrome/64.0.3282.140%20Safari/537.36%20Edge/17.17134&user_id=2d96fe23-823d-43e9-a319-702230adc835&source={source}_v1-dsf_packages--bb9_v1-dsf_packages--bb9-sbe-ab&traffic_source=appfocus84&subid=20190410&implementation_id=packages_ | US | text | 816 b | suspicious
2160 | IEXPLORE.EXE | GET | 302 | 52.6.170.180:80 | http://results.hyourpackagetrackednow.com/s?uid=2d96fe23-823d-43e9-a319-702230adc835&uc=20190410&source={source}_v1-dsf_packages--bb9_v1-dsf_packages--bb9-sbe-ab&i_id=packages_&ap=appfocus84 | US | html | 302 b | unknown
2160 | IEXPLORE.EXE | GET | 200 | 52.6.170.180:80 | http://results.hyourpackagetrackednow.com/scripts/home/common?v=6URW9YYrrVOx3m_ljnNsmDvIm6JyCW-wyILyhqNw8641 | US | text | 170 Kb | unknown
2160 | IEXPLORE.EXE | GET | 200 | 52.6.170.180:80 | http://results.hyourpackagetrackednow.com/get/js/impression?uc=20190410&ap=appfocus84&source={source}_v1-dsf_packages--bb9_v1-dsf_packages--bb9-sbe-ab&uid=2d96fe23-823d-43e9-a319-702230adc835&i_id=packages_1&cid= | US | text | 608 b | unknown
2160 | IEXPLORE.EXE | GET | 200 | 52.6.170.180:80 | http://results.hyourpackagetrackednow.com/styles/home/packages_v1?v=x1BZmimwCuTPrxEKkON02bLwNE7X3DWDcBAeymH_VyI1 | US | text | 6.58 Kb | unknown
1360 | Your Package Tracked Now.exe | GET | 200 | 3.18.145.221:80 | http://sbdistro.com/Content/kits/rotate_strings.json?useragent=Mozilla/5.0%20(Windows%20NT%2010.0;%20Win64;%20x64)%20AppleWebKit/537.36%20(KHTML,%20like%20Gecko)%20Chrome/64.0.3282.140%20Safari/537.36%20Edge/17.17134&user_id=2d96fe23-823d-43e9-a319-702230adc835&source={source}_v1-dsf_packages--bb9_v1-dsf_packages--bb9-sbe-ab&traffic_source=appfocus84&subid=20190410&implementation_id=packages_ | US | text | 455 b | suspicious
2432 | Your Package Tracked Now_5cadf9e53f83d.exe | GET | 200 | 93.184.221.240:80 | http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab | US | compressed | 55.6 Kb | whitelisted
2160 | IEXPLORE.EXE | GET | 200 | 52.6.170.180:80 | http://results.hyourpackagetrackednow.com/Content/Images/saveMoney.png | US | image | 1.96 Kb | unknown
2432 | Your Package Tracked Now_5cadf9e53f83d.exe | GET | 200 | 3.18.145.221:80 | http://sbdistro.com/cgi/adk/chrdlid.cgi?id=5cadf9e53f83d | US | text | 583 b | suspicious
2160 | IEXPLORE.EXE | GET | 200 | 52.6.170.180:80 | http://results.hyourpackagetrackednow.com/Content/Home/Email/Sprites/Sprite_Email_V9.png | US | image | 34.2 Kb | unknown

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
1360 | Your Package Tracked Now.exe | 3.18.145.221:80 | sbdistro.com | - | US | unknown
 |  | 34.206.226.127:80 | imp.hyourpackagetrackednow.com | Amazon.com, Inc. | US | unknown
2160 | IEXPLORE.EXE | 52.6.170.180:80 | results.hyourpackagetrackednow.com | Amazon.com, Inc. | US | unknown
2968 | IEXPLORE.EXE | 204.79.197.200:80 | www.bing.com | Microsoft Corporation | US | whitelisted
2160 | IEXPLORE.EXE | 104.111.241.173:443 | imp.mt48.net | Akamai International B.V. | NL | whitelisted
2160 | IEXPLORE.EXE | 13.32.222.47:80 | dap2y8k6nefku.cloudfront.net | Amazon.com, Inc. | US | whitelisted
2968 | IEXPLORE.EXE | 52.6.170.180:80 | results.hyourpackagetrackednow.com | Amazon.com, Inc. | US | unknown
 |  | 3.18.145.221:80 | sbdistro.com | - | US | unknown
2160 | IEXPLORE.EXE | 52.22.227.196:443 | imp.onesearch.org | Amazon.com, Inc. | US | unknown
2160 | IEXPLORE.EXE | 13.32.222.17:443 | d3ff8olul1r3ot.cloudfront.net | Amazon.com, Inc. | US | malicious

DNS requests

Domain | IP | Reputation
sbdistro.com | 3.18.145.221, 3.18.236.124 | suspicious
x.ss2.us | 13.32.222.30, 13.32.222.51, 13.32.222.12, 13.32.222.163 | whitelisted
www.download.windowsupdate.com | 93.184.221.240 | whitelisted
imp.hyourpackagetrackednow.com | 34.206.226.127, 52.202.155.97 | unknown
results.hyourpackagetrackednow.com | 52.6.170.180, 18.215.37.163 | unknown
www.bing.com | 204.79.197.200, 13.107.21.200 | whitelisted
d3ff8olul1r3ot.cloudfront.net | 13.32.222.17, 13.32.222.118, 13.32.222.21, 13.32.222.238 | shared
imp.mt48.net | 104.111.241.173 | whitelisted
dap2y8k6nefku.cloudfront.net | 13.32.222.47, 13.32.222.9, 13.32.222.250, 13.32.222.110 | whitelisted
imp.onesearch.org | 52.22.227.196, 54.174.5.12 | whitelisted

Threats

No threats detected
No debug info