analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
URL:

http://www.toastpop.net

Full analysis: https://app.any.run/tasks/900a675e-45a0-4577-9387-cd1f4c01f226
Verdict: Malicious activity
Analysis date: June 16, 2019, 23:52:09
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
adware
Indicators:
MD5:

2B8BD82A676CD82E18213EF9F8770634

SHA1:

1D4203C751794E6778EC41F54B1531C96E0FD114

SHA256:

C088D3FB550B95F7F7B98CFFF297FCBCD8068530BDFD383414E2494D3B20EAFE

SSDEEP:

3:N1KJS4lWVk0R:Cc4lSk0R

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • NewsFeed_mitenews.exe (PID: 4028)
      • NewsFeedU.exe (PID: 2496)
      • NewsFeed.exe (PID: 3604)
    • Changes the autorun value in the registry

      • NewsFeed_mitenews.tmp (PID: 2108)
  • SUSPICIOUS

    • Modifies files in Chrome extension folder

      • chrome.exe (PID: 3372)
    • Executable content was dropped or overwritten

      • chrome.exe (PID: 3372)
      • NewsFeed_mitenews.tmp (PID: 2108)
      • NewsFeed_mitenews.exe (PID: 4028)
    • Uses RUNDLL32.EXE to load library

      • NewsFeed_mitenews.tmp (PID: 2108)
    • Reads Internet Cache Settings

      • rundll32.exe (PID: 1252)
    • Creates files in the user directory

      • rundll32.exe (PID: 1252)
  • INFO

    • Changes settings of System certificates

      • chrome.exe (PID: 3372)
    • Reads Internet Cache Settings

      • chrome.exe (PID: 3372)
    • Application launched itself

      • chrome.exe (PID: 3372)
    • Loads dropped or rewritten executable

      • NewsFeed_mitenews.tmp (PID: 2108)
    • Application was dropped or rewritten from another process

      • NewsFeed_mitenews.tmp (PID: 2108)
    • Creates a software uninstall entry

      • NewsFeed_mitenews.tmp (PID: 2108)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
55
Monitored processes
25
Malicious processes
3
Suspicious processes
2

Behavior graph

Click at the process to see the details
drop and start start drop and start drop and start chrome.exe chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs newsfeed_mitenews.exe newsfeed_mitenews.tmp rundll32.exe no specs chrome.exe no specs newsfeedu.exe newsfeed.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
3372"C:\Program Files\Google\Chrome\Application\chrome.exe" http://www.toastpop.netC:\Program Files\Google\Chrome\Application\chrome.exe
explorer.exe
User:
admin
Company:
Google Inc.
Integrity Level:
MEDIUM
Description:
Google Chrome
Version:
73.0.3683.75
2816"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win32 --annotation=prod=Chrome --annotation=ver=73.0.3683.75 --initial-client-data=0x7c,0x80,0x84,0x78,0x88,0x6f5e0f18,0x6f5e0f28,0x6f5e0f34C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google Inc.
Integrity Level:
MEDIUM
Description:
Google Chrome
Version:
73.0.3683.75
1872"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=watcher --main-thread-id=3376 --on-initialized-event-handle=308 --parent-handle=312 /prefetch:6C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google Inc.
Integrity Level:
MEDIUM
Description:
Google Chrome
Version:
73.0.3683.75
948"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=932,10475201787745855185,11569598025373852412,131072 --enable-features=PasswordImport --gpu-preferences=KAAAAAAAAACAAwAAAQAAAAAAAAAAAGAAAAAAAAEAAAAIAAAAAAAAACgAAAAEAAAAIAAAAAAAAAAoAAAAAAAAADAAAAAAAAAAOAAAAAAAAAAQAAAAAAAAAAAAAAAFAAAAEAAAAAAAAAAAAAAABgAAABAAAAAAAAAAAQAAAAUAAAAQAAAAAAAAAAEAAAAGAAAA --service-request-channel-token=15920027177994419801 --mojo-platform-channel-handle=960 --ignored=" --type=renderer " /prefetch:2C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google Inc.
Integrity Level:
LOW
Description:
Google Chrome
Version:
73.0.3683.75
3656"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=932,10475201787745855185,11569598025373852412,131072 --enable-features=PasswordImport --service-pipe-token=10543181930582881302 --lang=en-US --enable-offline-auto-reload --enable-offline-auto-reload-visible-only --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=10543181930582881302 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1864 /prefetch:1C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google Inc.
Integrity Level:
LOW
Description:
Google Chrome
Version:
73.0.3683.75
3276"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=932,10475201787745855185,11569598025373852412,131072 --enable-features=PasswordImport --service-pipe-token=6171271339089474049 --lang=en-US --enable-offline-auto-reload --enable-offline-auto-reload-visible-only --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=6171271339089474049 --renderer-client-id=4 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2068 /prefetch:1C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google Inc.
Integrity Level:
LOW
Description:
Google Chrome
Exit code:
0
Version:
73.0.3683.75
2860"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=932,10475201787745855185,11569598025373852412,131072 --enable-features=PasswordImport --service-pipe-token=16025793553512845811 --lang=en-US --extension-process --enable-offline-auto-reload --enable-offline-auto-reload-visible-only --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=16025793553512845811 --renderer-client-id=3 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2200 /prefetch:1C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google Inc.
Integrity Level:
LOW
Description:
Google Chrome
Exit code:
0
Version:
73.0.3683.75
1692"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=932,10475201787745855185,11569598025373852412,131072 --enable-features=PasswordImport --disable-gpu-compositing --service-pipe-token=5285165500134928714 --lang=en-US --enable-offline-auto-reload --enable-offline-auto-reload-visible-only --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=5285165500134928714 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3728 /prefetch:1C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google Inc.
Integrity Level:
LOW
Description:
Google Chrome
Version:
73.0.3683.75
2444"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --field-trial-handle=932,10475201787745855185,11569598025373852412,131072 --enable-features=PasswordImport --lang=en-US --service-sandbox-type=utility --service-request-channel-token=1549493268063564494 --mojo-platform-channel-handle=3904 --ignored=" --type=renderer " /prefetch:8C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google Inc.
Integrity Level:
LOW
Description:
Google Chrome
Exit code:
0
Version:
73.0.3683.75
1492"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --field-trial-handle=932,10475201787745855185,11569598025373852412,131072 --enable-features=PasswordImport --lang=en-US --service-sandbox-type=utility --service-request-channel-token=274361455086031465 --mojo-platform-channel-handle=4044 --ignored=" --type=renderer " /prefetch:8C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google Inc.
Integrity Level:
LOW
Description:
Google Chrome
Exit code:
0
Version:
73.0.3683.75
Total events
1 808
Read events
1 631
Write events
172
Delete events
5

Modification events

(PID) Process:(3372) chrome.exeKey:HKEY_CURRENT_USER\Software\Google\Chrome\BLBeacon
Operation:writeName:failed_count
Value:
0
(PID) Process:(3372) chrome.exeKey:HKEY_CURRENT_USER\Software\Google\Chrome\BLBeacon
Operation:writeName:state
Value:
2
(PID) Process:(3372) chrome.exeKey:HKEY_CURRENT_USER\Software\Google\Chrome\ThirdParty
Operation:writeName:StatusCodes
Value:
(PID) Process:(3372) chrome.exeKey:HKEY_CURRENT_USER\Software\Google\Chrome\ThirdParty
Operation:writeName:StatusCodes
Value:
01000000
(PID) Process:(3372) chrome.exeKey:HKEY_CURRENT_USER\Software\Google\Chrome\BLBeacon
Operation:writeName:state
Value:
1
(PID) Process:(3372) chrome.exeKey:HKEY_CURRENT_USER\Software\Google\Update\ClientState\{8A69D345-D564-463c-AFF1-A69D9E530F96}
Operation:writeName:dr
Value:
1
(PID) Process:Key:HKEY_CURRENT_USER\Software\Google\Chrome\BrowserExitCodes
Operation:writeName:3372-13205202754836750
Value:
259
(PID) Process:(3372) chrome.exeKey:HKEY_CURRENT_USER\Software\Google\Chrome
Operation:writeName:UsageStatsInSample
Value:
0
(PID) Process:(3372) chrome.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Google\Update\ClientStateMedium\{8A69D345-D564-463C-AFF1-A69D9E530F96}
Operation:writeName:usagestats
Value:
0
(PID) Process:(3372) chrome.exeKey:HKEY_CURRENT_USER\Software\Google\Update\ClientState\{8A69D345-D564-463c-AFF1-A69D9E530F96}
Operation:writeName:metricsid
Value:
Executable files
9
Suspicious files
18
Text files
162
Unknown types
17

Dropped files

PID
Process
Filename
Type
3372chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\ShaderCache\GPUCache\index
MD5:
SHA256:
3372chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\ShaderCache\GPUCache\data_0
MD5:
SHA256:
3372chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\ShaderCache\GPUCache\data_1
MD5:
SHA256:
3372chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\ShaderCache\GPUCache\data_2
MD5:
SHA256:
3372chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\ShaderCache\GPUCache\data_3
MD5:
SHA256:
3372chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\data_reduction_proxy_leveldb\LOG.old
MD5:
SHA256:
3372chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\061241fb-cd59-42df-904b-f9429385d70a.tmp
MD5:
SHA256:
3372chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\index
MD5:
SHA256:
3372chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\data_reduction_proxy_leveldb\000018.dbtmp
MD5:
SHA256:
3372chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_0
MD5:
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
9
TCP/UDP connections
33
DNS requests
16
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3372
chrome.exe
GET
302
172.217.18.110:80
http://redirector.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvMjJlQUFXRC12Ny1ldUFnMXF3SDlXZDlFZw/7319.128.0.1_pkedcjkdefgpdelpbcmbmeomcjbeemfm.crx
US
html
504 b
whitelisted
3372
chrome.exe
GET
200
173.194.135.106:80
http://r5---sn-aigzrn7z.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvMjJlQUFXRC12Ny1ldUFnMXF3SDlXZDlFZw/7319.128.0.1_pkedcjkdefgpdelpbcmbmeomcjbeemfm.crx?cms_redirect=yes&mip=109.169.22.99&mm=28&mn=sn-aigzrn7z&ms=nvh&mt=1560728575&mv=u&pl=22&shardbypass=yes
US
crx
842 Kb
whitelisted
2108
NewsFeed_mitenews.tmp
HEAD
301
175.207.29.46:80
http://toastpop.net/file/nfc/NewsFeed.exe
KR
malicious
3372
chrome.exe
GET
200
91.199.212.52:80
http://crt.usertrust.com/USERTrustRSAAddTrustCA.crt
GB
der
1.37 Kb
whitelisted
3372
chrome.exe
GET
200
91.199.212.52:80
http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt
GB
der
1.52 Kb
whitelisted
2108
NewsFeed_mitenews.tmp
HEAD
301
175.207.29.46:80
http://toastpop.net/file/nfc/NewsFeedU.exe
KR
malicious
3372
chrome.exe
GET
301
175.207.29.46:80
http://www.toastpop.net/
KR
html
185 b
malicious
2108
NewsFeed_mitenews.tmp
GET
301
175.207.29.46:80
http://toastpop.net/file/nfc/NewsFeedU.exe
KR
html
185 b
malicious
2108
NewsFeed_mitenews.tmp
GET
301
175.207.29.46:80
http://toastpop.net/file/nfc/NewsFeed.exe
KR
html
185 b
malicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
3372
chrome.exe
172.217.16.163:443
fonts.gstatic.com
Google Inc.
US
whitelisted
3372
chrome.exe
216.58.206.3:443
clientservices.googleapis.com
Google Inc.
US
whitelisted
3372
chrome.exe
172.217.23.170:443
fonts.googleapis.com
Google Inc.
US
whitelisted
3372
chrome.exe
175.207.29.46:443
www.toastpop.net
Korea Telecom
KR
malicious
3372
chrome.exe
175.207.29.46:80
www.toastpop.net
Korea Telecom
KR
malicious
3372
chrome.exe
91.199.212.52:80
crt.sectigo.com
Comodo CA Ltd
GB
suspicious
3372
chrome.exe
172.217.16.141:443
accounts.google.com
Google Inc.
US
suspicious
3372
chrome.exe
216.58.210.1:443
clients2.googleusercontent.com
Google Inc.
US
whitelisted
3372
chrome.exe
173.194.135.106:80
r5---sn-aigzrn7z.gvt1.com
Google Inc.
US
whitelisted
3372
chrome.exe
216.58.206.14:443
clients2.google.com
Google Inc.
US
whitelisted

DNS requests

Domain
IP
Reputation
clientservices.googleapis.com
  • 216.58.206.3
whitelisted
www.toastpop.net
  • 175.207.29.46
malicious
accounts.google.com
  • 172.217.16.141
shared
crt.sectigo.com
  • 91.199.212.52
whitelisted
crt.usertrust.com
  • 91.199.212.52
whitelisted
fonts.googleapis.com
  • 172.217.23.170
whitelisted
fonts.gstatic.com
  • 172.217.16.163
whitelisted
clients2.google.com
  • 216.58.206.14
whitelisted
clients2.googleusercontent.com
  • 216.58.210.1
whitelisted
redirector.gvt1.com
  • 172.217.18.110
whitelisted

Threats

PID
Process
Class
Message
2108
NewsFeed_mitenews.tmp
Misc activity
ADWARE [PTsecurity] PUP.Win32/Freemake.A UserAgent
2108
NewsFeed_mitenews.tmp
Misc activity
ADWARE [PTsecurity] PUP.Win32/Freemake.A UserAgent
2108
NewsFeed_mitenews.tmp
Misc activity
ADWARE [PTsecurity] PUP.Win32/Freemake.A UserAgent
2108
NewsFeed_mitenews.tmp
Misc activity
ADWARE [PTsecurity] PUP.Win32/Freemake.A UserAgent
No debug info