File name: Snail-Mail.exe
Full analysis: https://app.any.run/tasks/f32814b5-a783-43bf-b1f8-05189d3b832e
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates a device in order to deliver further payloads. Such malware can profile the infected system and install other threats, typically trojans or stealers. Criminals usually distribute loaders through phishing emails and links, relying on social engineering to get the victim to download and run the executable, and loaders commonly employ evasion and persistence techniques to avoid detection.

Analysis date: May 25, 2025, 10:24:49
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags: stealer, loader, upx
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive, 5 sections
MD5: 40CAEF19E19317F5F88C4ED696718DAB
SHA1: A9E8EFC44A7A9A7EFB2394C8C10B9C8F3CFFBFB7
SHA256: C75CE3BA73B174F120EE4EDC42D66935F5B0B9709B648E7DB10DC4E3726538BE
SSDEEP: 49152:3atjxA1xcWFZxrKa0SKpgKrZd//gYl+pEfI+H5jWMG8ew1a2wD7CwaxXA4HGFfCm:3atNZWFZx84Kr4Yl+pGH5CP8eca5Dha8

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Executing a file with an untrusted certificate

      • Free Ride Games.exe (PID: 7612)
      • cmhelper.exe (PID: 7748)
      • cmhelper.exe (PID: 7848)
      • cmhelper.exe (PID: 7884)
      • cmhelper.exe (PID: 7932)
      • cmhelper.exe (PID: 7972)
      • cmhelper.exe (PID: 7996)
      • cmhelper.exe (PID: 8048)
      • cmhelper.exe (PID: 8084)
      • cmhelper.exe (PID: 8124)
      • cmhelper.exe (PID: 8176)
      • cmhelper.exe (PID: 7304)
      • cmhelper.exe (PID: 7252)
      • cmhelper.exe (PID: 6036)
      • cmhelper.exe (PID: 6028)
      • cmhelper.exe (PID: 7264)
      • cmhelper.exe (PID: 7404)
      • cmhelper.exe (PID: 7560)
      • cmhelper.exe (PID: 7456)
      • cmhelper.exe (PID: 5328)
      • cmhelper.exe (PID: 1116)
      • cmhelper.exe (PID: 2108)
      • cmhelper.exe (PID: 4040)
      • cmhelper.exe (PID: 1052)
      • cmhelper.exe (PID: 960)
      • Location_extractor_326250.exe (PID: 8116)
      • EXEtender_Default.exe (PID: 7304)
      • Setup.exe (PID: 7356)
      • IKernel.exe (PID: 7392)
      • IKernel.exe (PID: 7220)
      • IKernel.exe (PID: 5072)
    • Actions look like stealing of personal data

      • Free Ride Games.exe (PID: 7612)
  • SUSPICIOUS

    • The process creates files with names similar to system file names

      • Snail-Mail.exe (PID: 7568)
    • Malware-specific behavior (creating "System.dll" in Temp)

      • Snail-Mail.exe (PID: 7568)
    • Reads security settings of Internet Explorer

      • Snail-Mail.exe (PID: 7568)
      • Free Ride Games.exe (PID: 7612)
      • cmhelper.exe (PID: 7884)
      • cmhelper.exe (PID: 7996)
      • cmhelper.exe (PID: 8124)
      • cmhelper.exe (PID: 7304)
      • cmhelper.exe (PID: 7456)
      • cmhelper.exe (PID: 6028)
      • cmhelper.exe (PID: 2108)
      • cmhelper.exe (PID: 960)
      • IKernel.exe (PID: 5072)
      • IKernel.exe (PID: 7220)
      • IKernel.exe (PID: 7392)
    • Executable content was dropped or overwritten

      • Snail-Mail.exe (PID: 7568)
      • Location_extractor_326250.exe (PID: 8116)
      • EXEtender_Default.exe (PID: 7304)
      • Free Ride Games.exe (PID: 7612)
      • Setup.exe (PID: 7356)
      • IKernel.exe (PID: 7392)
    • Reads Microsoft Outlook installation path

      • Free Ride Games.exe (PID: 7612)
    • Reads Internet Explorer settings

      • Free Ride Games.exe (PID: 7612)
    • Reads browser cookies

      • Free Ride Games.exe (PID: 7612)
    • Application launched itself

      • cmhelper.exe (PID: 7848)
      • cmhelper.exe (PID: 7972)
      • cmhelper.exe (PID: 8084)
      • cmhelper.exe (PID: 7264)
      • cmhelper.exe (PID: 6036)
      • cmhelper.exe (PID: 7560)
      • cmhelper.exe (PID: 1116)
      • cmhelper.exe (PID: 1052)
      • IKernel.exe (PID: 7392)
    • There is functionality for taking screenshots (YARA)

      • Snail-Mail.exe (PID: 7568)
    • Process requests binary or script from the Internet

      • Free Ride Games.exe (PID: 7612)
    • Potential Corporate Privacy Violation

      • Free Ride Games.exe (PID: 7612)
    • Creates/Modifies COM task schedule object

      • IKernel.exe (PID: 7392)
    • Creates a software uninstall entry

      • IKernel.exe (PID: 7392)
    • Drops a system driver (possible attempt to evade defenses)

      • IKernel.exe (PID: 7392)
  • INFO

    • The sample was compiled with English language support

      • Snail-Mail.exe (PID: 7568)
      • Free Ride Games.exe (PID: 7612)
      • EXEtender_Default.exe (PID: 7304)
      • Location_extractor_326250.exe (PID: 8116)
      • Setup.exe (PID: 7356)
      • IKernel.exe (PID: 7392)
    • Checks supported languages

      • Snail-Mail.exe (PID: 7568)
      • Free Ride Games.exe (PID: 7612)
      • cmhelper.exe (PID: 7748)
      • cmhelper.exe (PID: 7848)
      • cmhelper.exe (PID: 7884)
      • cmhelper.exe (PID: 7932)
      • cmhelper.exe (PID: 7972)
      • cmhelper.exe (PID: 7996)
      • cmhelper.exe (PID: 8048)
      • cmhelper.exe (PID: 8124)
      • cmhelper.exe (PID: 8084)
      • cmhelper.exe (PID: 8176)
      • cmhelper.exe (PID: 7264)
      • cmhelper.exe (PID: 6036)
      • cmhelper.exe (PID: 7252)
      • cmhelper.exe (PID: 6028)
      • cmhelper.exe (PID: 7304)
      • cmhelper.exe (PID: 7404)
      • cmhelper.exe (PID: 7560)
      • cmhelper.exe (PID: 7456)
      • cmhelper.exe (PID: 5328)
      • cmhelper.exe (PID: 1116)
      • cmhelper.exe (PID: 2108)
      • cmhelper.exe (PID: 4040)
      • cmhelper.exe (PID: 1052)
      • cmhelper.exe (PID: 960)
      • Location_extractor_326250.exe (PID: 8116)
      • EXEtender_Default.exe (PID: 7304)
      • Setup.exe (PID: 7356)
      • IKernel.exe (PID: 7392)
      • IKernel.exe (PID: 5072)
      • IKernel.exe (PID: 7220)
    • Reads the computer name

      • Snail-Mail.exe (PID: 7568)
      • Free Ride Games.exe (PID: 7612)
      • cmhelper.exe (PID: 7748)
      • cmhelper.exe (PID: 7932)
      • cmhelper.exe (PID: 7884)
      • cmhelper.exe (PID: 8048)
      • cmhelper.exe (PID: 7996)
      • cmhelper.exe (PID: 8124)
      • cmhelper.exe (PID: 8176)
      • cmhelper.exe (PID: 7304)
      • cmhelper.exe (PID: 7252)
      • cmhelper.exe (PID: 6028)
      • cmhelper.exe (PID: 7456)
      • cmhelper.exe (PID: 5328)
      • cmhelper.exe (PID: 7404)
      • cmhelper.exe (PID: 2108)
      • cmhelper.exe (PID: 4040)
      • cmhelper.exe (PID: 960)
      • Location_extractor_326250.exe (PID: 8116)
      • IKernel.exe (PID: 5072)
      • Setup.exe (PID: 7356)
      • IKernel.exe (PID: 7392)
      • IKernel.exe (PID: 7220)
    • Creates files in a temporary directory

      • Snail-Mail.exe (PID: 7568)
      • Free Ride Games.exe (PID: 7612)
      • EXEtender_Default.exe (PID: 7304)
      • IKernel.exe (PID: 7392)
      • Setup.exe (PID: 7356)
    • Checks proxy server information

      • Free Ride Games.exe (PID: 7612)
      • cmhelper.exe (PID: 7884)
      • cmhelper.exe (PID: 7996)
      • cmhelper.exe (PID: 8124)
      • cmhelper.exe (PID: 7304)
      • cmhelper.exe (PID: 6028)
      • cmhelper.exe (PID: 7456)
      • cmhelper.exe (PID: 2108)
      • cmhelper.exe (PID: 960)
      • IKernel.exe (PID: 5072)
      • IKernel.exe (PID: 7392)
      • IKernel.exe (PID: 7220)
    • Manual execution by a user

      • cmhelper.exe (PID: 7848)
      • cmhelper.exe (PID: 7972)
      • cmhelper.exe (PID: 8084)
      • cmhelper.exe (PID: 7264)
      • cmhelper.exe (PID: 6036)
      • cmhelper.exe (PID: 7560)
      • cmhelper.exe (PID: 1116)
      • cmhelper.exe (PID: 1052)
    • Creates files or folders in the user directory

      • Free Ride Games.exe (PID: 7612)
      • cmhelper.exe (PID: 7884)
      • cmhelper.exe (PID: 7996)
      • Location_extractor_326250.exe (PID: 8116)
      • IKernel.exe (PID: 7392)
    • Reads CPU info

      • Free Ride Games.exe (PID: 7612)
      • IKernel.exe (PID: 7392)
    • Process checks computer location settings

      • Free Ride Games.exe (PID: 7612)
    • UPX packer has been detected

      • Free Ride Games.exe (PID: 7612)
    • Creates files in the program directory

      • IKernel.exe (PID: 7392)
      • Setup.exe (PID: 7356)
    • Reads the machine GUID from the registry

      • IKernel.exe (PID: 7392)
    • Reads the software policy settings

      • IKernel.exe (PID: 7392)
Find more information about signature artifacts and their mapping to the MITRE ATT&CK™ matrix in the full report
No Malware configuration.

TRiD

.exe | NSIS - Nullsoft Scriptable Install System (91.9)
.exe | Win32 Executable MS Visual C++ (generic) (3.3)
.exe | Win64 Executable (generic) (3)
.dll | Win32 Dynamic Link Library (generic) (0.7)
.exe | Win32 Executable (generic) (0.4)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2014:05:11 20:03:42+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit
PEType: PE32
LinkerVersion: 6
CodeSize: 24064
InitializedDataSize: 162816
UninitializedDataSize: 1024
EntryPoint: 0x30e2
OSVersion: 4
ImageVersion: 6
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 7.3.0.0
ProductVersionNumber: 7.3.0.0
FileFlagsMask: 0x0000
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Windows, Latin1
FileDescription: FreeRide Games
FileVersion: 07.03.00.00
LegalCopyright: Copyright (c) 1996-2023 Exent Technologies Ltd.
ProductName: FreeRide Games
ProductVersion: 07.03.00.00
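The EXIF values above can be cross-checked against the file itself. The following Python is an added example written for this page (it is not part of the ANY.RUN report and not Exent's code): it reads the same fields from the PE headers, locates the overlay appended after the last section and looks there for the NSIS first-header magic, which is what makes this file a "Nullsoft Installer self-extracting archive", and computes the digests you would compare with the report's MD5/SHA1/SHA256. Two caveats a triager should keep in mind: an NSIS installer's PE header is the prebuilt NSIS stub, so its link timestamp (2014 here, against a 1996-2023 copyright string) and old linker version typically date the NSIS build rather than the assembly of this installer, and the nstB374.tmp\System.dll in the dropped-files list is the NSIS System plugin, which every installer that calls that plugin unpacks into a fresh ns*.tmp directory, so that signature alone is not a malware indicator. build_sample() returns a constructed minimal PE32 that mirrors the report's header values; it is not the real Snail-Mail.exe, so its hashes will not match the report.

```python
"""Static triage of a PE installer: header fields, overlay, NSIS magic, hashes.
Added example for this page; build_sample() is a CONSTRUCTED PE, not the real file."""
import hashlib
import struct
from datetime import datetime, timezone

REPORT_SHA256 = "C75CE3BA73B174F120EE4EDC42D66935F5B0B9709B648E7DB10DC4E3726538BE"
NSIS_MAGIC = b"\xef\xbe\xad\xde" + b"NullsoftInst"  # 0xDEADBEEF (LE) + magic string
MACHINES = {0x14C: "Intel 386 or later, and compatibles", 0x8664: "AMD AMD64"}
SUBSYSTEMS = {1: "Native", 2: "Windows GUI", 3: "Windows CUI"}
CHARACTERISTICS = [(0x0001, "No relocs"), (0x0002, "Executable"),
                   (0x0004, "No line numbers"), (0x0008, "No symbols"),
                   (0x0100, "32-bit"), (0x2000, "DLL")]


def parse_pe(data: bytes) -> dict:
    """Return the header fields of a PE32 image plus overlay/NSIS information."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    (machine, nsections, timestamp, _symtab, _nsyms,
     opt_size, flags) = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic, lnk_major, lnk_minor = struct.unpack_from("<HBB", data, opt)
    if magic != 0x10B:
        raise ValueError("only PE32 (0x10b) optional headers are handled")
    entry = struct.unpack_from("<I", data, opt + 16)[0]       # AddressOfEntryPoint
    subsystem = struct.unpack_from("<H", data, opt + 68)[0]   # Subsystem
    # Section headers follow the optional header; the overlay is whatever lies
    # past the highest PointerToRawData + SizeOfRawData.
    sect = opt + opt_size
    end_of_image = 0
    for i in range(nsections):
        raw_size, raw_ptr = struct.unpack_from("<II", data, sect + i * 40 + 16)
        end_of_image = max(end_of_image, raw_ptr + raw_size)
    overlay = data[end_of_image:]
    return {
        "machine": MACHINES.get(machine, hex(machine)),
        "sections": nsections,
        "timestamp": datetime.fromtimestamp(timestamp, tz=timezone.utc)
                             .strftime("%Y:%m:%d %H:%M:%S+00:00"),
        "characteristics": [name for bit, name in CHARACTERISTICS if flags & bit],
        "linker_version": f"{lnk_major}.{lnk_minor}",
        "entry_point": entry,
        "subsystem": SUBSYSTEMS.get(subsystem, subsystem),
        "overlay_size": len(overlay),
        # NSIS writes its first header at the start of the appended data.
        "nsis": NSIS_MAGIC in overlay[:4096],
    }


def file_hashes(data: bytes) -> dict:
    """Upper-case hex digests in the form the report lists them."""
    return {name: hashlib.new(name, data).hexdigest().upper()
            for name in ("md5", "sha1", "sha256")}


def build_sample() -> bytes:
    """CONSTRUCTED minimal PE32 mirroring the report's EXIF values (not the real file)."""
    ts = int(datetime(2014, 5, 11, 20, 3, 42, tzinfo=timezone.utc).timestamp())
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                      # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 5, ts, 0, 0, 224, 0x010F)
    opt = bytearray(224)
    struct.pack_into("<HBB", opt, 0, 0x10B, 6, 0)               # PE32, linker 6.0
    struct.pack_into("<I", opt, 16, 0x30E2)                      # entry point
    struct.pack_into("<H", opt, 68, 2)                           # Windows GUI
    sections, raw_ptr = bytearray(), 0x400
    for name in (b".text", b".rdata", b".data", b".ndata", b".rsrc"):
        hdr = bytearray(40)
        hdr[:len(name)] = name
        struct.pack_into("<IIII", hdr, 8, 0x200, 0x1000, 0x200, raw_ptr)
        sections += hdr
        raw_ptr += 0x200
    image = bytearray(raw_ptr)
    image[:0x40] = dos
    image[0x40:0x44] = b"PE\0\0"
    image[0x44:0x58] = coff
    image[0x58:0x58 + 224] = opt
    image[0x58 + 224:0x58 + 224 + len(sections)] = sections
    # Appended NSIS first header: flags, 0xDEADBEEF, "NullsoftInst", two lengths.
    overlay = b"\0\0\0\0" + NSIS_MAGIC + struct.pack("<II", 0x1000, 0x2000)
    return bytes(image) + overlay


if __name__ == "__main__":
    sample = build_sample()
    for key, value in parse_pe(sample).items():
        print(f"{key}: {value}")
    print("sha256 matches report IOC:", file_hashes(sample)["sha256"] == REPORT_SHA256)
```

Run it as a script to print the parsed fields, or pass the bytes of a real file to parse_pe(); the parser handles only a PE32 optional header (magic 0x10b), so a PE32+ file raises ValueError rather than returning misread fields.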
All screenshots are available in the full report
Total processes: 164
Monitored processes: 35
Malicious processes: 15
Suspicious processes: 17

Behavior graph

Processes in the order the interactive graph draws them ("no specs" marks a process with no signatures of its own; per-process details follow in the Process information section): start, snail-mail.exe, free ride games.exe, sppextcomobj.exe (no specs), cmhelper.exe (no specs), slui.exe (no specs), cmhelper.exe (no specs, repeated for each further cmhelper.exe instance), location_extractor_326250.exe, exetender_default.exe, setup.exe, ikernel.exe (no specs), ikernel.exe, ikernel.exe (no specs), snail-mail.exe (no specs).

Process information

Columns: PID | CMD | Path | Parent process (the Indicators column did not survive extraction and is omitted)
PID 960 | CMD: W | Path: C:\Users\admin\AppData\Local\Temp\SDM143\cmhelper.exe | Parent: cmhelper.exe
User:
admin
Company:
Exent Technologies Ltd.
Integrity Level:
LOW
Description:
cmhelper
Exit code:
0
Version:
1, 0, 3, 0
Modules
Images
c:\users\admin\appdata\local\temp\sdm143\cmhelper.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\advapi32.dll
c:\windows\syswow64\msvcrt.dll
PID 1052 | CMD: "C:\Users\admin\AppData\Local\Temp\SDM143\cmhelper.exe" PW | Path: C:\Users\admin\AppData\Local\Temp\SDM143\cmhelper.exe | Parent: explorer.exe
User:
admin
Company:
Exent Technologies Ltd.
Integrity Level:
MEDIUM
Description:
cmhelper
Exit code:
0
Version:
1, 0, 3, 0
Modules
Images
c:\users\admin\appdata\local\temp\sdm143\cmhelper.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\advapi32.dll
c:\windows\syswow64\msvcrt.dll
PID 1116 | CMD: "C:\Users\admin\AppData\Local\Temp\SDM143\cmhelper.exe" HW | Path: C:\Users\admin\AppData\Local\Temp\SDM143\cmhelper.exe | Parent: explorer.exe
User:
admin
Company:
Exent Technologies Ltd.
Integrity Level:
MEDIUM
Description:
cmhelper
Exit code:
0
Version:
1, 0, 3, 0
Modules
Images
c:\users\admin\appdata\local\temp\sdm143\cmhelper.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\advapi32.dll
c:\windows\syswow64\msvcrt.dll
PID 2108 | CMD: W | Path: C:\Users\admin\AppData\Local\Temp\SDM143\cmhelper.exe | Parent: cmhelper.exe
User:
admin
Company:
Exent Technologies Ltd.
Integrity Level:
LOW
Description:
cmhelper
Exit code:
0
Version:
1, 0, 3, 0
Modules
Images
c:\users\admin\appdata\local\temp\sdm143\cmhelper.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\advapi32.dll
c:\windows\syswow64\msvcrt.dll
PID 4040 | CMD: UPW | Path: C:\Users\admin\AppData\Local\Temp\SDM143\cmhelper.exe | Parent: Free Ride Games.exe
User:
admin
Company:
Exent Technologies Ltd.
Integrity Level:
HIGH
Description:
cmhelper
Exit code:
0
Version:
1, 0, 3, 0
Modules
Images
c:\users\admin\appdata\local\temp\sdm143\cmhelper.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
PID 5072 | CMD: "C:\Program Files (x86)\Common Files\InstallShield\Engine\6\Intel 32\IKernel.exe" -RegServer | Path: C:\Program Files (x86)\Common Files\InstallShield\Engine\6\Intel 32\IKernel.exe | Parent: Setup.exe
User:
admin
Company:
InstallShield Software Corporation
Integrity Level:
HIGH
Description:
InstallShield (R) Setup Engine
Exit code:
0
Version:
6, 31, 100, 1221
Modules
Images
c:\program files (x86)\common files\installshield\engine\6\intel 32\ikernel.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\acspecfc.dll
PID 5328 | CMD: UHW | Path: C:\Users\admin\AppData\Local\Temp\SDM143\cmhelper.exe | Parent: Free Ride Games.exe
User:
admin
Company:
Exent Technologies Ltd.
Integrity Level:
HIGH
Description:
cmhelper
Exit code:
0
Version:
1, 0, 3, 0
Modules
Images
c:\users\admin\appdata\local\temp\sdm143\cmhelper.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
PID 6028 | CMD: W | Path: C:\Users\admin\AppData\Local\Temp\SDM143\cmhelper.exe | Parent: cmhelper.exe
User:
admin
Company:
Exent Technologies Ltd.
Integrity Level:
LOW
Description:
cmhelper
Exit code:
0
Version:
1, 0, 3, 0
Modules
Images
c:\users\admin\appdata\local\temp\sdm143\cmhelper.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\advapi32.dll
c:\windows\syswow64\msvcrt.dll
PID 6036 | CMD: "C:\Users\admin\AppData\Local\Temp\SDM143\cmhelper.exe" HW | Path: C:\Users\admin\AppData\Local\Temp\SDM143\cmhelper.exe | Parent: explorer.exe
User:
admin
Company:
Exent Technologies Ltd.
Integrity Level:
MEDIUM
Description:
cmhelper
Exit code:
0
Version:
1, 0, 3, 0
Modules
Images
c:\users\admin\appdata\local\temp\sdm143\cmhelper.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\advapi32.dll
c:\windows\syswow64\msvcrt.dll
PID 7220 | CMD: "C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\iKernel.exe" /REGSERVER | Path: C:\Program Files (x86)\Common Files\InstallShield\Engine\6\Intel 32\IKernel.exe | Parent: IKernel.exe
User:
admin
Company:
InstallShield Software Corporation
Integrity Level:
HIGH
Description:
InstallShield (R) Setup Engine
Exit code:
0
Version:
6, 31, 100, 1221
Modules
Images
c:\program files (x86)\common files\installshield\engine\6\intel 32\ikernel.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\acspecfc.dll
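The records above are easier to reason about as a tree. The following Python is an added example for this page (not part of the ANY.RUN report, not Exent's code): it rebuilds parent/child edges from per-process records and re-derives the kind of observation the signature list makes, namely a process launched by its own image ("Application launched itself"), a process started by explorer.exe ("Manual execution by a user"), executables running from the user's Temp directory, integrity-level changes across an edge (the MEDIUM to HIGH step into cmhelper.exe 4040 and 5328 is a UAC elevation; the step down to LOW in the cmhelper.exe children is the opposite), and command lines that do not begin with the image path. That last pattern explains the bare "W", "UPW" and "UHW" command lines in the table: GetCommandLine() returns lpCommandLine exactly as the parent passed it, so a parent that names the image in lpApplicationName and passes only arguments in lpCommandLine produces a child whose command line lacks argv[0]. It is a programming style rather than an evasion, but command-line detections that expect the image path first will miss these processes. Note also that "Executing a file with an untrusted certificate" means the signature chain did not validate on the guest; the report does not say why (expired, revoked or unknown root), so check the signer before treating the binaries as unsigned or forged. The SAMPLE records are constructed from the PIDs, paths, parents, integrity levels and command lines the report shows; explorer.exe's PID, the parent PIDs behind the "cmhelper.exe", "Free Ride Games.exe" and "Setup.exe" parent names, and the paths and integrity levels of PIDs 7568, 7612 and 7356 are assumed, because the report lists parent image names only and does not include those three records.

```python
"""Process-tree triage over sandbox process records (added example for this page).
SAMPLE is CONSTRUCTED from the report; values marked ASSUMED are not in the report."""
from dataclasses import dataclass
import ntpath

IL_RANK = {"LOW": 1, "MEDIUM": 2, "HIGH": 3, "SYSTEM": 4}
USER_TEMP = "\\appdata\\local\\temp\\"


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: int
    path: str
    cmd: str
    integrity: str

    @property
    def image(self) -> str:
        return ntpath.basename(self.path).lower()


def argv0_missing(p: Proc) -> bool:
    """True when the command line does not begin with the image path.

    GetCommandLine() returns lpCommandLine as the creator passed it, so a parent
    that supplies the image via lpApplicationName and only arguments via
    lpCommandLine yields the bare 'W' / 'UPW' / 'UHW' lines seen in the report.
    """
    return not p.cmd.lstrip('"').lower().startswith(p.path.lower())


def triage(procs) -> dict:
    """Map each PID to the list of observations made about that process."""
    by_pid = {p.pid: p for p in procs}
    findings = {}
    for p in procs:
        notes = []
        if USER_TEMP in p.path.lower():
            notes.append("runs from user temp dir")
        if argv0_missing(p):
            notes.append("cmdline lacks argv[0] (image passed via lpApplicationName)")
        parent = by_pid.get(p.ppid)
        if parent is not None:
            if parent.image == p.image:
                notes.append("application launched itself")
            if parent.image == "explorer.exe":
                notes.append("launched from explorer.exe (manual execution by a user)")
            pr, cr = IL_RANK[parent.integrity], IL_RANK[p.integrity]
            if cr > pr:
                notes.append(f"integrity raised {parent.integrity}->{p.integrity} (elevation)")
            elif cr < pr:
                notes.append(f"integrity lowered {parent.integrity}->{p.integrity}")
        findings[p.pid] = notes
    return findings


def walk(procs, root_pid: int, depth: int = 0):
    """Depth-first (depth, proc) pairs under root_pid, children ordered by PID."""
    for p in sorted((q for q in procs if q.ppid == root_pid), key=lambda q: q.pid):
        yield depth, p
        yield from walk(procs, p.pid, depth + 1)


CMH = r"C:\Users\admin\AppData\Local\Temp\SDM143\cmhelper.exe"
IKERNEL = r"C:\Program Files (x86)\Common Files\InstallShield\Engine\6\Intel 32\IKernel.exe"
FRG = r"C:\Users\admin\AppData\Local\Temp\SDM143\Free Ride Games.exe"   # path ASSUMED
SETUP = r"C:\Users\admin\AppData\Local\Temp\SDM143\Setup.exe"           # path ASSUMED

# CONSTRUCTED from the report; ppid 1 stands in for the sandbox launcher.
SAMPLE = [
    Proc(7568, 1, r"C:\Users\admin\Desktop\Snail-Mail.exe",
         r'"C:\Users\admin\Desktop\Snail-Mail.exe"', "MEDIUM"),          # path/IL ASSUMED
    Proc(7612, 7568, FRG, f'"{FRG}"', "MEDIUM"),                          # IL ASSUMED
    Proc(4040, 7612, CMH, "UPW", "HIGH"),                                 # report: parent Free Ride Games.exe
    Proc(5328, 7612, CMH, "UHW", "HIGH"),
    Proc(3600, 1, r"C:\Windows\explorer.exe", r"C:\Windows\explorer.exe", "MEDIUM"),  # PID ASSUMED
    Proc(1052, 3600, CMH, f'"{CMH}" PW', "MEDIUM"),                       # report: parent explorer.exe
    Proc(1116, 3600, CMH, f'"{CMH}" HW', "MEDIUM"),
    Proc(960, 1052, CMH, "W", "LOW"),                                     # report: parent cmhelper.exe (which one: ASSUMED)
    Proc(2108, 1116, CMH, "W", "LOW"),
    Proc(7356, 7612, SETUP, f'"{SETUP}"', "HIGH"),                        # parent/IL ASSUMED
    Proc(5072, 7356, IKERNEL, f'"{IKERNEL}" -RegServer', "HIGH"),         # report: parent Setup.exe
    Proc(7220, 5072, IKERNEL,
         r'"C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\iKernel.exe" /REGSERVER',
         "HIGH"),                                                         # report: parent IKernel.exe
]

if __name__ == "__main__":
    results = triage(SAMPLE)
    for depth, p in walk(SAMPLE, 1):
        print("  " * depth + f"{p.pid} {p.image} [{p.integrity}] {p.cmd!r}")
        for note in results[p.pid]:
            print("  " * depth + "    - " + note)
```

The same functions work on real Sysmon event ID 1 or sandbox exports once mapped onto Proc(pid, ppid, path, cmd, integrity); the heuristics are deliberately the report's own, so expect the same benign hits (installers do self-launch and do run from Temp) and treat them as context, not verdicts.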
Total events: 7 659
Read events: 7 455
Write events: 200
Delete events: 4

Modification events

PID 7612 Free Ride Games.exe | write | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content | CachePrefix = (empty)
PID 7612 Free Ride Games.exe | write | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies | CachePrefix = Cookie:
PID 7612 Free Ride Games.exe | write | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History | CachePrefix = Visited:
PID 7612 Free Ride Games.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\RFC1156Agent\CurrentVersion\Parameters | TrapPollTimeMilliSecs = 15000
PID 7612 Free Ride Games.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Exent\AOD\CLSID | NumberOfCLSIDs = 1
PID 7612 Free Ride Games.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Exent\AOD\CLSID | CLSID1 = 06C2091ABA09F8BD02001E0100004C6C3C5C0C6C0CC1EDC1EEC1EFF5C64A8BD546207D643CC707E81EC881AB4D34BF724D6C3A12E7
PID 7612 Free Ride Games.exe | write | HKEY_CURRENT_USER\SOFTWARE\AppDataLow\Software\Exent\AOD\SDM | ResumePage = index.html#
PID 5072 IKernel.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{AA7E2068-CB55-11D2-8094-00104B1F9838}\TypeLib | Version = 1.0
PID 5072 IKernel.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AA7E2066-CB55-11D2-8094-00104B1F9838}\TypeLib | Version = 1.0
PID 5072 IKernel.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{AA7E2066-CB55-11D2-8094-00104B1F9838}\TypeLib | Version = 1.0

The three CachePrefix writes (empty, "Cookie:", "Visited:") are the default WinINet cache-container prefixes that any WinINet client initialises on first use; on their own they say nothing about cookie theft. The Interface\{...}\TypeLib writes are COM type-library registration, consistent with IKernel.exe having been started with -RegServer.
Executable files: 94
Suspicious files: 130
Text files: 686
Unknown types: 0

Dropped files

Columns: PID | Process | Filename | Type

7568 | Snail-Mail.exe | C:\Users\admin\AppData\Local\Temp\SDM143\Splash\loader3.jpg | image
MD5: 649604DF8CC5DEDD3B85323519B32228 | SHA256: 8B102D38A8095A6165AADA839A756B9D76CB9D433EACDB7C6CA95C0A51E76779
7568 | Snail-Mail.exe | C:\Users\admin\AppData\Local\Temp\SDM143\Splash\loader4.jpg | image
MD5: 822AC13D718AFAD4F2178CCA348B52C4 | SHA256: 1D79485F51813E85EF150E9612A5CDB6FB17F748D54503A2792965D99B95BBF5
7568 | Snail-Mail.exe | C:\Users\admin\AppData\Local\Temp\SDM143\Splasher.dll | executable
MD5: 41D94C8EB8CB17E04F8EC6E14132F9CA | SHA256: 2E522A4DA2C291EBCDE484B4A04A6EF0691A732B9DB454F12399D3E577327C96
7568 | Snail-Mail.exe | C:\Users\admin\AppData\Local\Temp\SDM143\Splash\loader2.jpg | image
MD5: AF853A9F5673A3C3575291ECA0FBB9EA | SHA256: 22A9972800D0E6BC97B6F883052A2E8145E91C5301C3C861C682EDBDBE6C7192
7568 | Snail-Mail.exe | C:\Users\admin\AppData\Local\Temp\SDM143\Splash\loader6.jpg | image
MD5: C2EA2FA6B012E2B697A6AAA91A46202C | SHA256: 59EA97DFDDC92F57F9BEBFD566EC4F31966BCC0FC5841FB06F69EEBFAA1B0FDB
7568 | Snail-Mail.exe | C:\Users\admin\AppData\Local\Temp\SDM143\cmhelper.exe | executable
MD5: 51D301714C7361192D6305F6C46D90D1 | SHA256: C9245047B86F8359A7F313434B85AF481008E8CDF9579FD55AFF8B8FBFB5EBCB
7568 | Snail-Mail.exe | C:\Users\admin\AppData\Local\Temp\SDM143\Splash\loader5.jpg | image
MD5: E10E6948952154DC44CEF8873C0E4D6C | SHA256: 674AA4D23E072AD568AF3F20173297DC3B339E6252CCD07C80591CDDA584AAB4
7568 | Snail-Mail.exe | C:\Users\admin\AppData\Local\Temp\nstB374.tmp\System.dll | executable
MD5: A436DB0C473A087EB61FF5C53C34BA27 | SHA256: 75ED40311875312617D6711BAED0BE29FCAEE71031CA27A8D308A72B15A51E49
7612 | Free Ride Games.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\Exent\DACC10044\925bebab-b82b-49bc-b274-7aa593f6da18 | (type not shown)
MD5/SHA256: not listed in the report
7612 | Free Ride Games.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\Exent\DACC10044\84326fde-d1c8-4bb0-9f38-3a50e5d00393 | (type not shown)
MD5/SHA256: not listed in the report
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 37
TCP/UDP connections: 36
DNS requests: 17
Threats: 2

HTTP requests

Columns: PID | Process | Method | HTTP code | IP | URL | CN | Reputation (the Type and Size columns are empty in the report)

5496 | MoUsoCoreWorker.exe | GET | 200 | 2.16.241.12:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
5496 | MoUsoCoreWorker.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted
5496 | MoUsoCoreWorker.exe | GET | 200 | 2.16.241.12:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
5496 | MoUsoCoreWorker.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted
7612 | Free Ride Games.exe | GET | 200 | 104.19.183.100:80 | http://www.freeridegames.com/spdo/feeds/sdmConfig?camp=FRG_Website&serviceId=143&gameId=326250 | unknown | unknown
6544 | svchost.exe | GET | 200 | 2.23.77.188:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | whitelisted
7612 | Free Ride Games.exe | POST | 200 | 104.19.183.100:80 | http://www.freeridegames.com/opTools/clientTracking.jsp?trackEvent=SDM_TotalProcessStart&sdmVersion=01.02.00.33&muid=30300030ADD1ADD2ADD399FA26B7B97A4C410800AB3B8422A4BDC77158831E7100067EDB | unknown | unknown
7612 | Free Ride Games.exe | GET | 200 | 104.16.148.233:80 | http://img.exent.com/free/frg/products/326250/boxshot.jpg | unknown | unknown
7612 | Free Ride Games.exe | POST | 200 | 104.19.183.100:80 | http://www.freeridegames.com/opTools/clientTracking.jsp?trackEvent=SDM_Player_validation&isPlayerInstalled=0&beginUpgrade=0&existingPlayerVersion=0&sdmVersion=01.02.00.33&muid=30300030ADD1ADD2ADD399FA26B7B97A4C410800AB3B8422A4BDC77158831E7100067EDB | unknown | unknown
7612 | Free Ride Games.exe | POST | 200 | 104.19.183.100:80 | http://www.freeridegames.com/opTools/clientTracking.jsp?trackEvent=SDM_OfferDisplayed&OfferId=10002&OfferOrder=1&sdmVersion=01.02.00.33&muid=30300030ADD1ADD2ADD399FA26B7B97A4C410800AB3B8422A4BDC77158831E7100067EDB | unknown | unknown

Connections

Columns: PID | Process | IP | Domain | ASN | CN | Reputation

2104 | svchost.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:137 | (no domain/ASN/CN shown) | whitelisted
(PID/process not shown in the report) | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
5496 | MoUsoCoreWorker.exe | 2.16.241.12:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
5496 | MoUsoCoreWorker.exe | 2.16.241.12:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
5496 | MoUsoCoreWorker.exe | 95.101.149.131:80 | www.microsoft.com | Akamai International B.V. | NL | whitelisted
5496 | MoUsoCoreWorker.exe | 95.101.149.131:80 | www.microsoft.com | Akamai International B.V. | NL | whitelisted
4 | System | 192.168.100.255:138 | (no domain/ASN/CN shown) | whitelisted
7612 | Free Ride Games.exe | 104.19.183.100:80 | www.freeridegames.com | CLOUDFLARENET | (no CN shown) | suspicious
3216 | svchost.exe | 172.211.123.249:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | FR | whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 4.231.128.59
  • 40.127.240.158
whitelisted
crl.microsoft.com
  • 2.16.241.12
  • 2.16.241.19
whitelisted
www.microsoft.com
  • 95.101.149.131
  • 23.35.229.160
whitelisted
google.com
  • 142.250.186.46
whitelisted
www.freeridegames.com
  • 104.19.183.100
  • 104.19.182.100
unknown
client.wns.windows.com
  • 172.211.123.249
whitelisted
login.live.com
  • 20.190.160.22
  • 20.190.160.130
  • 20.190.160.67
  • 20.190.160.5
  • 40.126.32.134
  • 40.126.32.133
  • 20.190.160.65
  • 20.190.160.132
whitelisted
ocsp.digicert.com
  • 2.23.77.188
whitelisted
img.exent.com
  • 104.16.148.233
  • 104.16.149.233
unknown
dts1.freeridegames.com
  • 104.19.183.100
  • 104.19.182.100
unknown

Threats

Columns: PID | Process | Class | Message

7612 | Free Ride Games.exe | Potential Corporate Privacy Violation | ET INFO PE EXE or DLL Windows file download HTTP
7612 | Free Ride Games.exe | Potential Corporate Privacy Violation | ET INFO PE EXE or DLL Windows file download HTTP
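Both alerts are Emerging Threats INFO-class rules: they say only that a PE image crossed the wire in cleartext to PID 7612, and "Potential Corporate Privacy Violation" is the rule's classtype, not a finding about this sample. The practical point is that a downloader which fetches executables over plain HTTP has no transport integrity, so anything it then runs should be authenticated on disk (signature check, pinned hash) rather than trusted because of where it came from. The following Python is an added example for this page (not the ANY.RUN report's, not Suricata's rule text, not Exent's code): classify() approximates the rule's test (an HTTP 200 whose body starts with an MZ header pointing at a PE signature, served over http:// rather than https://) and adds the content-type sanity check a sensor author would want, and tracking_fields() pulls apart the clientTracking.jsp beacon URLs listed above, which carry the same muid value on every POST. The tracking and boxshot.jpg URLs are copied from the report; the download URL is a hypothetical path on dts1.freeridegames.com (that hostname appears in the DNS table, the URL of the PE download does not), and every response body is constructed.

```python
"""Re-deriving the report's network alerts from HTTP exchanges (added example).
All response bytes are CONSTRUCTED; DOWNLOAD_URL is a HYPOTHETICAL path."""
import struct
from urllib.parse import parse_qs, urlsplit

PE_ALERT = "PE EXE or DLL Windows file download HTTP"
EXE_TYPES = ("application/octet-stream", "application/x-msdownload",
             "application/x-msdos-program",
             "application/vnd.microsoft.portable-executable")


def split_response(raw: bytes):
    """Return (status, headers, body) for one HTTP/1.x response."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    status = int(lines[0].split(b" ", 2)[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode()] = value.strip().decode()
    return status, headers, body


def looks_like_pe(body: bytes) -> bool:
    """MZ header whose e_lfanew points at a PE signature."""
    if len(body) < 0x40 or body[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", body, 0x3C)[0]
    return body[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def classify(url: str, raw_response: bytes) -> list:
    """Alerts an inline sensor would raise for this request/response pair."""
    status, headers, body = split_response(raw_response)
    alerts = []
    if status != 200 or not looks_like_pe(body):
        return alerts
    if urlsplit(url).scheme == "http":
        # Only cleartext bodies are visible to a sensor; the same download over
        # TLS raises nothing, which is one reason this rule class is INFO.
        alerts.append(PE_ALERT)
    ctype = headers.get("content-type", "").split(";")[0].strip().lower()
    if ctype not in EXE_TYPES:
        alerts.append(f"PE body served as {ctype or 'no content-type'}")
    return alerts


def tracking_fields(url: str) -> dict:
    """Query parameters of an Exent clientTracking.jsp beacon, else {}."""
    u = urlsplit(url)
    if not u.path.endswith("/clientTracking.jsp"):
        return {}
    return {k: v[0] for k, v in parse_qs(u.query).items()}


def build_pe_body() -> bytes:
    """CONSTRUCTED 0x48-byte stub: MZ header, e_lfanew=0x40, PE signature."""
    body = bytearray(0x48)
    body[:2] = b"MZ"
    struct.pack_into("<I", body, 0x3C, 0x40)
    body[0x40:0x44] = b"PE\0\0"
    return bytes(body)


def http_response(status: str, ctype: str, body: bytes) -> bytes:
    """CONSTRUCTED HTTP/1.1 response bytes."""
    return (f"HTTP/1.1 {status}\r\nContent-Type: {ctype}\r\n"
            f"Content-Length: {len(body)}\r\n\r\n").encode() + body


BOXSHOT_URL = "http://img.exent.com/free/frg/products/326250/boxshot.jpg"
DOWNLOAD_URL = "http://dts1.freeridegames.com/example/player.bin"   # HYPOTHETICAL path
TRACK_URL = ("http://www.freeridegames.com/opTools/clientTracking.jsp?trackEvent=SDM_OfferDisplayed"
             "&OfferId=10002&OfferOrder=1&sdmVersion=01.02.00.33"
             "&muid=30300030ADD1ADD2ADD399FA26B7B97A4C410800AB3B8422A4BDC77158831E7100067EDB")

if __name__ == "__main__":
    jpeg = http_response("200 OK", "image/jpeg", b"\xff\xd8\xff\xe0" + b"\0" * 64)
    print(BOXSHOT_URL, classify(BOXSHOT_URL, jpeg))
    pe = build_pe_body()
    print(DOWNLOAD_URL, classify(DOWNLOAD_URL, http_response("200 OK", "application/octet-stream", pe)))
    print("disguised", classify(DOWNLOAD_URL, http_response("200 OK", "image/jpeg", pe)))
    print("over TLS", classify("https://dts1.freeridegames.com/example/player.bin",
                               http_response("200 OK", "application/octet-stream", pe)))
    fields = tracking_fields(TRACK_URL)
    print(fields["trackEvent"], fields["sdmVersion"], fields["muid"][:12] + "...")
```

To apply this to the report's own traffic, download the PCAP from the full report, reassemble the TCP streams for 104.19.183.100 and 104.16.148.233, and feed each request URL and raw response into classify(); the two hits the sensor recorded are the responses whose bodies start with MZ.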
No debug info