File name: Snail-Mail.exe

Full analysis: https://app.any.run/tasks/f32814b5-a783-43bf-b1f8-05189d3b832e
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Analysis date: May 25, 2025, 10:24:49
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
stealer
loader
upx
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive, 5 sections
MD5: 40CAEF19E19317F5F88C4ED696718DAB
SHA1: A9E8EFC44A7A9A7EFB2394C8C10B9C8F3CFFBFB7
SHA256: C75CE3BA73B174F120EE4EDC42D66935F5B0B9709B648E7DB10DC4E3726538BE
SSDEEP: 49152:3atjxA1xcWFZxrKa0SKpgKrZd//gYl+pEfI+H5jWMG8ew1a2wD7CwaxXA4HGFfCm:3atNZWFZx84Kr4Yl+pGH5CP8eca5Dha8

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Executing a file with an untrusted certificate

      • Free Ride Games.exe (PID: 7612)
      • cmhelper.exe (PID: 7748)
      • cmhelper.exe (PID: 7884)
      • cmhelper.exe (PID: 7932)
      • cmhelper.exe (PID: 7972)
      • cmhelper.exe (PID: 7996)
      • cmhelper.exe (PID: 7848)
      • cmhelper.exe (PID: 8048)
      • cmhelper.exe (PID: 8084)
      • cmhelper.exe (PID: 8124)
      • cmhelper.exe (PID: 8176)
      • cmhelper.exe (PID: 7252)
      • cmhelper.exe (PID: 6036)
      • cmhelper.exe (PID: 6028)
      • cmhelper.exe (PID: 7264)
      • cmhelper.exe (PID: 7304)
      • cmhelper.exe (PID: 7404)
      • cmhelper.exe (PID: 7560)
      • cmhelper.exe (PID: 7456)
      • cmhelper.exe (PID: 5328)
      • cmhelper.exe (PID: 1116)
      • cmhelper.exe (PID: 2108)
      • cmhelper.exe (PID: 4040)
      • cmhelper.exe (PID: 1052)
      • cmhelper.exe (PID: 960)
      • Location_extractor_326250.exe (PID: 8116)
      • IKernel.exe (PID: 5072)
      • EXEtender_Default.exe (PID: 7304)
      • Setup.exe (PID: 7356)
      • IKernel.exe (PID: 7392)
      • IKernel.exe (PID: 7220)
    • Actions looks like stealing of personal data

      • Free Ride Games.exe (PID: 7612)
  • SUSPICIOUS

    • Malware-specific behavior (creating "System.dll" in Temp)

      • Snail-Mail.exe (PID: 7568)
    • Executable content was dropped or overwritten

      • Snail-Mail.exe (PID: 7568)
      • Free Ride Games.exe (PID: 7612)
      • Location_extractor_326250.exe (PID: 8116)
      • Setup.exe (PID: 7356)
      • EXEtender_Default.exe (PID: 7304)
      • IKernel.exe (PID: 7392)
    • The process creates files with name similar to system file names

      • Snail-Mail.exe (PID: 7568)
    • Reads security settings of Internet Explorer

      • Snail-Mail.exe (PID: 7568)
      • Free Ride Games.exe (PID: 7612)
      • cmhelper.exe (PID: 7884)
      • cmhelper.exe (PID: 7996)
      • cmhelper.exe (PID: 8124)
      • cmhelper.exe (PID: 7304)
      • cmhelper.exe (PID: 6028)
      • cmhelper.exe (PID: 7456)
      • cmhelper.exe (PID: 2108)
      • cmhelper.exe (PID: 960)
      • IKernel.exe (PID: 7220)
      • IKernel.exe (PID: 5072)
      • IKernel.exe (PID: 7392)
    • Reads Microsoft Outlook installation path

      • Free Ride Games.exe (PID: 7612)
    • Reads Internet Explorer settings

      • Free Ride Games.exe (PID: 7612)
    • Reads browser cookies

      • Free Ride Games.exe (PID: 7612)
    • Application launched itself

      • cmhelper.exe (PID: 7972)
      • cmhelper.exe (PID: 7848)
      • cmhelper.exe (PID: 8084)
      • cmhelper.exe (PID: 7264)
      • cmhelper.exe (PID: 6036)
      • cmhelper.exe (PID: 7560)
      • cmhelper.exe (PID: 1052)
      • cmhelper.exe (PID: 1116)
      • IKernel.exe (PID: 7392)
    • There is functionality for taking screenshot (YARA)

      • Snail-Mail.exe (PID: 7568)
    • Potential Corporate Privacy Violation

      • Free Ride Games.exe (PID: 7612)
    • Process requests binary or script from the Internet

      • Free Ride Games.exe (PID: 7612)
    • Creates/Modifies COM task schedule object

      • IKernel.exe (PID: 7392)
    • Creates a software uninstall entry

      • IKernel.exe (PID: 7392)
    • Drops a system driver (possible attempt to evade defenses)

      • IKernel.exe (PID: 7392)
  • INFO

    • Create files in a temporary directory

      • Snail-Mail.exe (PID: 7568)
      • Free Ride Games.exe (PID: 7612)
      • EXEtender_Default.exe (PID: 7304)
      • Setup.exe (PID: 7356)
      • IKernel.exe (PID: 7392)
    • The sample compiled with english language support

      • Snail-Mail.exe (PID: 7568)
      • Free Ride Games.exe (PID: 7612)
      • EXEtender_Default.exe (PID: 7304)
      • Setup.exe (PID: 7356)
      • Location_extractor_326250.exe (PID: 8116)
      • IKernel.exe (PID: 7392)
    • Checks supported languages

      • Snail-Mail.exe (PID: 7568)
      • Free Ride Games.exe (PID: 7612)
      • cmhelper.exe (PID: 7748)
      • cmhelper.exe (PID: 7848)
      • cmhelper.exe (PID: 7884)
      • cmhelper.exe (PID: 7932)
      • cmhelper.exe (PID: 7972)
      • cmhelper.exe (PID: 8048)
      • cmhelper.exe (PID: 8084)
      • cmhelper.exe (PID: 8124)
      • cmhelper.exe (PID: 7996)
      • cmhelper.exe (PID: 7304)
      • cmhelper.exe (PID: 7264)
      • cmhelper.exe (PID: 7252)
      • cmhelper.exe (PID: 6036)
      • cmhelper.exe (PID: 8176)
      • cmhelper.exe (PID: 6028)
      • cmhelper.exe (PID: 7404)
      • cmhelper.exe (PID: 7456)
      • cmhelper.exe (PID: 7560)
      • cmhelper.exe (PID: 5328)
      • cmhelper.exe (PID: 1116)
      • cmhelper.exe (PID: 2108)
      • cmhelper.exe (PID: 4040)
      • cmhelper.exe (PID: 1052)
      • cmhelper.exe (PID: 960)
      • Location_extractor_326250.exe (PID: 8116)
      • EXEtender_Default.exe (PID: 7304)
      • Setup.exe (PID: 7356)
      • IKernel.exe (PID: 5072)
      • IKernel.exe (PID: 7392)
      • IKernel.exe (PID: 7220)
    • Reads the computer name

      • Snail-Mail.exe (PID: 7568)
      • Free Ride Games.exe (PID: 7612)
      • cmhelper.exe (PID: 7748)
      • cmhelper.exe (PID: 7884)
      • cmhelper.exe (PID: 7932)
      • cmhelper.exe (PID: 7996)
      • cmhelper.exe (PID: 8048)
      • cmhelper.exe (PID: 8124)
      • cmhelper.exe (PID: 7304)
      • cmhelper.exe (PID: 7252)
      • cmhelper.exe (PID: 8176)
      • cmhelper.exe (PID: 7456)
      • cmhelper.exe (PID: 6028)
      • cmhelper.exe (PID: 7404)
      • cmhelper.exe (PID: 2108)
      • cmhelper.exe (PID: 5328)
      • cmhelper.exe (PID: 4040)
      • cmhelper.exe (PID: 960)
      • IKernel.exe (PID: 5072)
      • Location_extractor_326250.exe (PID: 8116)
      • IKernel.exe (PID: 7392)
      • IKernel.exe (PID: 7220)
      • Setup.exe (PID: 7356)
    • Checks proxy server information

      • Free Ride Games.exe (PID: 7612)
      • cmhelper.exe (PID: 7884)
      • cmhelper.exe (PID: 8124)
      • cmhelper.exe (PID: 7996)
      • cmhelper.exe (PID: 7304)
      • cmhelper.exe (PID: 6028)
      • cmhelper.exe (PID: 7456)
      • cmhelper.exe (PID: 2108)
      • cmhelper.exe (PID: 960)
      • IKernel.exe (PID: 5072)
      • IKernel.exe (PID: 7220)
      • IKernel.exe (PID: 7392)
    • Manual execution by a user

      • cmhelper.exe (PID: 7848)
      • cmhelper.exe (PID: 7972)
      • cmhelper.exe (PID: 8084)
      • cmhelper.exe (PID: 7264)
      • cmhelper.exe (PID: 6036)
      • cmhelper.exe (PID: 7560)
      • cmhelper.exe (PID: 1116)
      • cmhelper.exe (PID: 1052)
    • Creates files or folders in the user directory

      • cmhelper.exe (PID: 7884)
      • Free Ride Games.exe (PID: 7612)
      • cmhelper.exe (PID: 7996)
      • Location_extractor_326250.exe (PID: 8116)
      • IKernel.exe (PID: 7392)
    • UPX packer has been detected

      • Free Ride Games.exe (PID: 7612)
    • Process checks computer location settings

      • Free Ride Games.exe (PID: 7612)
    • Reads CPU info

      • Free Ride Games.exe (PID: 7612)
      • IKernel.exe (PID: 7392)
    • Creates files in the program directory

      • Setup.exe (PID: 7356)
      • IKernel.exe (PID: 7392)
    • Reads the software policy settings

      • IKernel.exe (PID: 7392)
    • Reads the machine GUID from the registry

      • IKernel.exe (PID: 7392)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | NSIS - Nullsoft Scriptable Install System (91.9)
.exe | Win32 Executable MS Visual C++ (generic) (3.3)
.exe | Win64 Executable (generic) (3)
.dll | Win32 Dynamic Link Library (generic) (0.7)
.exe | Win32 Executable (generic) (0.4)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2014:05:11 20:03:42+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit
PEType: PE32
LinkerVersion: 6
CodeSize: 24064
InitializedDataSize: 162816
UninitializedDataSize: 1024
EntryPoint: 0x30e2
OSVersion: 4
ImageVersion: 6
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 7.3.0.0
ProductVersionNumber: 7.3.0.0
FileFlagsMask: 0x0000
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Windows, Latin1
FileDescription: FreeRide Games
FileVersion: 07.03.00.00
LegalCopyright: Copyright (c) 1996-2023 Exent Technologies Ltd.
ProductName: FreeRide Games
ProductVersion: 07.03.00.00
No data.
All screenshots are available in the full report
Total processes: 164
Monitored processes: 35
Malicious processes: 15
Suspicious processes: 17

Behavior graph

Process nodes shown in the graph (the interactive view is in the full report): snail-mail.exe, free ride games.exe, sppextcomobj.exe, slui.exe, 24 instances of cmhelper.exe, location_extractor_326250.exe, exetender_default.exe, setup.exe, three instances of ikernel.exe, and a second snail-mail.exe instance. The graph marks sppextcomobj.exe, slui.exe, every cmhelper.exe instance, two of the three ikernel.exe instances and the second snail-mail.exe instance as "no specs".

Process information

PID | CMD | Path | Indicators | Parent process
PID: 960 | CMD: W | Path: C:\Users\admin\AppData\Local\Temp\SDM143\cmhelper.exe | Parent process: cmhelper.exe
User:
admin
Company:
Exent Technologies Ltd.
Integrity Level:
LOW
Description:
cmhelper
Exit code:
0
Version:
1, 0, 3, 0
Modules
Images
c:\users\admin\appdata\local\temp\sdm143\cmhelper.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\advapi32.dll
c:\windows\syswow64\msvcrt.dll
PID: 1052 | CMD: "C:\Users\admin\AppData\Local\Temp\SDM143\cmhelper.exe" PW | Path: C:\Users\admin\AppData\Local\Temp\SDM143\cmhelper.exe | Parent process: explorer.exe
User:
admin
Company:
Exent Technologies Ltd.
Integrity Level:
MEDIUM
Description:
cmhelper
Exit code:
0
Version:
1, 0, 3, 0
Modules
Images
c:\users\admin\appdata\local\temp\sdm143\cmhelper.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\advapi32.dll
c:\windows\syswow64\msvcrt.dll
PID: 1116 | CMD: "C:\Users\admin\AppData\Local\Temp\SDM143\cmhelper.exe" HW | Path: C:\Users\admin\AppData\Local\Temp\SDM143\cmhelper.exe | Parent process: explorer.exe
User:
admin
Company:
Exent Technologies Ltd.
Integrity Level:
MEDIUM
Description:
cmhelper
Exit code:
0
Version:
1, 0, 3, 0
Modules
Images
c:\users\admin\appdata\local\temp\sdm143\cmhelper.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\advapi32.dll
c:\windows\syswow64\msvcrt.dll
PID: 2108 | CMD: W | Path: C:\Users\admin\AppData\Local\Temp\SDM143\cmhelper.exe | Parent process: cmhelper.exe
User:
admin
Company:
Exent Technologies Ltd.
Integrity Level:
LOW
Description:
cmhelper
Exit code:
0
Version:
1, 0, 3, 0
Modules
Images
c:\users\admin\appdata\local\temp\sdm143\cmhelper.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\advapi32.dll
c:\windows\syswow64\msvcrt.dll
PID: 4040 | CMD: UPW | Path: C:\Users\admin\AppData\Local\Temp\SDM143\cmhelper.exe | Parent process: Free Ride Games.exe
User:
admin
Company:
Exent Technologies Ltd.
Integrity Level:
HIGH
Description:
cmhelper
Exit code:
0
Version:
1, 0, 3, 0
Modules
Images
c:\users\admin\appdata\local\temp\sdm143\cmhelper.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
PID: 5072 | CMD: "C:\Program Files (x86)\Common Files\InstallShield\Engine\6\Intel 32\IKernel.exe" -RegServer | Path: C:\Program Files (x86)\Common Files\InstallShield\Engine\6\Intel 32\IKernel.exe | Parent process: Setup.exe
User:
admin
Company:
InstallShield Software Corporation
Integrity Level:
HIGH
Description:
InstallShield (R) Setup Engine
Exit code:
0
Version:
6, 31, 100, 1221
Modules
Images
c:\program files (x86)\common files\installshield\engine\6\intel 32\ikernel.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\acspecfc.dll
PID: 5328 | CMD: UHW | Path: C:\Users\admin\AppData\Local\Temp\SDM143\cmhelper.exe | Parent process: Free Ride Games.exe
User:
admin
Company:
Exent Technologies Ltd.
Integrity Level:
HIGH
Description:
cmhelper
Exit code:
0
Version:
1, 0, 3, 0
Modules
Images
c:\users\admin\appdata\local\temp\sdm143\cmhelper.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
PID: 6028 | CMD: W | Path: C:\Users\admin\AppData\Local\Temp\SDM143\cmhelper.exe | Parent process: cmhelper.exe
User:
admin
Company:
Exent Technologies Ltd.
Integrity Level:
LOW
Description:
cmhelper
Exit code:
0
Version:
1, 0, 3, 0
Modules
Images
c:\users\admin\appdata\local\temp\sdm143\cmhelper.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\advapi32.dll
c:\windows\syswow64\msvcrt.dll
PID: 6036 | CMD: "C:\Users\admin\AppData\Local\Temp\SDM143\cmhelper.exe" HW | Path: C:\Users\admin\AppData\Local\Temp\SDM143\cmhelper.exe | Parent process: explorer.exe
User:
admin
Company:
Exent Technologies Ltd.
Integrity Level:
MEDIUM
Description:
cmhelper
Exit code:
0
Version:
1, 0, 3, 0
Modules
Images
c:\users\admin\appdata\local\temp\sdm143\cmhelper.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\advapi32.dll
c:\windows\syswow64\msvcrt.dll
PID: 7220 | CMD: "C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\iKernel.exe" /REGSERVER | Path: C:\Program Files (x86)\Common Files\InstallShield\Engine\6\Intel 32\IKernel.exe | Parent process: IKernel.exe
User:
admin
Company:
InstallShield Software Corporation
Integrity Level:
HIGH
Description:
InstallShield (R) Setup Engine
Exit code:
0
Version:
6, 31, 100, 1221
Modules
Images
c:\program files (x86)\common files\installshield\engine\6\intel 32\ikernel.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\acspecfc.dll
Total events: 7 659
Read events: 7 455
Write events: 200
Delete events: 4

Modification events

(PID) Process: (7612) Free Ride Games.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation: write
Name: CachePrefix
Value:

(PID) Process: (7612) Free Ride Games.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation: write
Name: CachePrefix
Value: Cookie:

(PID) Process: (7612) Free Ride Games.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation: write
Name: CachePrefix
Value: Visited:

(PID) Process: (7612) Free Ride Games.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\RFC1156Agent\CurrentVersion\Parameters
Operation: write
Name: TrapPollTimeMilliSecs
Value: 15000

(PID) Process: (7612) Free Ride Games.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Exent\AOD\CLSID
Operation: write
Name: NumberOfCLSIDs
Value: 1

(PID) Process: (7612) Free Ride Games.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Exent\AOD\CLSID
Operation: write
Name: CLSID1
Value: 06C2091ABA09F8BD02001E0100004C6C3C5C0C6C0CC1EDC1EEC1EFF5C64A8BD546207D643CC707E81EC881AB4D34BF724D6C3A12E7

(PID) Process: (7612) Free Ride Games.exe
Key: HKEY_CURRENT_USER\SOFTWARE\AppDataLow\Software\Exent\AOD\SDM
Operation: write
Name: ResumePage
Value: index.html#

(PID) Process: (5072) IKernel.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{AA7E2068-CB55-11D2-8094-00104B1F9838}\TypeLib
Operation: write
Name: Version
Value: 1.0

(PID) Process: (5072) IKernel.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AA7E2066-CB55-11D2-8094-00104B1F9838}\TypeLib
Operation: write
Name: Version
Value: 1.0

(PID) Process: (5072) IKernel.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{AA7E2066-CB55-11D2-8094-00104B1F9838}\TypeLib
Operation: write
Name: Version
Value: 1.0
Executable files: 94
Suspicious files: 130
Text files: 686
Unknown types: 0

Dropped files

PID | Process | Filename | Type
7568 | Snail-Mail.exe | C:\Users\admin\AppData\Local\Temp\SDM143\Splash\loader1.jpg | image
MD5: 069FC33DD659035D7D2251ABAD8BEEB7
SHA256: 3006D27765D5EE4204C312E02347D09B7EF7D7CEB0F712EBC5FB4B1EEF7DF2BD

7568 | Snail-Mail.exe | C:\Users\admin\AppData\Local\Temp\SDM143\Splash\loader5.jpg | image
MD5: E10E6948952154DC44CEF8873C0E4D6C
SHA256: 674AA4D23E072AD568AF3F20173297DC3B339E6252CCD07C80591CDDA584AAB4

7568 | Snail-Mail.exe | C:\Users\admin\AppData\Local\Temp\SDM143\Splash\loader6.jpg | image
MD5: C2EA2FA6B012E2B697A6AAA91A46202C
SHA256: 59EA97DFDDC92F57F9BEBFD566EC4F31966BCC0FC5841FB06F69EEBFAA1B0FDB

7568 | Snail-Mail.exe | C:\Users\admin\AppData\Local\Temp\SDM143\Splash\loader3.jpg | image
MD5: 649604DF8CC5DEDD3B85323519B32228
SHA256: 8B102D38A8095A6165AADA839A756B9D76CB9D433EACDB7C6CA95C0A51E76779

7568 | Snail-Mail.exe | C:\Users\admin\AppData\Local\Temp\SDM143\Splasher.dll | executable
MD5: 41D94C8EB8CB17E04F8EC6E14132F9CA
SHA256: 2E522A4DA2C291EBCDE484B4A04A6EF0691A732B9DB454F12399D3E577327C96

7612 | Free Ride Games.exe | C:\Users\admin\AppData\Local\Temp\SDM143\SDM_DB_143.xml | xml
MD5: B635D49C89A460FDFC38C464F37DEAEB
SHA256: 16DF09C70A12CE1EAD4EFAFFB1FC74E3231C24608CC8545306CDE553E2C50C7B

7568 | Snail-Mail.exe | C:\Users\admin\AppData\Local\Temp\SDM143\Splash\loader4.jpg | image
MD5: 822AC13D718AFAD4F2178CCA348B52C4
SHA256: 1D79485F51813E85EF150E9612A5CDB6FB17F748D54503A2792965D99B95BBF5

7568 | Snail-Mail.exe | C:\Users\admin\AppData\Local\Temp\SDM143\Free Ride Games.exe | executable
MD5: 2DB35D715864B8846F21DC95756171E0
SHA256: 854BB62475A4B700A7EC49651610D050F1651491D0148C4BD4928B18BDC0436B

7612 | Free Ride Games.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\Exent\DACC10044\925bebab-b82b-49bc-b274-7aa593f6da18 |
MD5:
SHA256:

7612 | Free Ride Games.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\Exent\DACC10044\84326fde-d1c8-4bb0-9f38-3a50e5d00393 |
MD5:
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 37
TCP/UDP connections: 36
DNS requests: 17
Threats: 2

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
5496
MoUsoCoreWorker.exe
GET
200
2.16.241.12:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
GET
200
2.16.241.12:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
5496
MoUsoCoreWorker.exe
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
7612
Free Ride Games.exe
GET
200
104.19.183.100:80
http://www.freeridegames.com/spdo/feeds/sdmConfig?camp=FRG_Website&serviceId=143&gameId=326250
unknown
unknown
6544
svchost.exe
GET
200
2.23.77.188:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
7612
Free Ride Games.exe
POST
200
104.19.183.100:80
http://www.freeridegames.com/opTools/clientTracking.jsp?trackEvent=SDM_TotalProcessStart&sdmVersion=01.02.00.33&muid=30300030ADD1ADD2ADD399FA26B7B97A4C410800AB3B8422A4BDC77158831E7100067EDB
unknown
unknown
7612
Free Ride Games.exe
POST
200
104.19.183.100:80
http://www.freeridegames.com/opTools/clientTracking.jsp?trackEvent=SDM_OfferDisplayed&OfferId=10002&OfferOrder=1&sdmVersion=01.02.00.33&muid=30300030ADD1ADD2ADD399FA26B7B97A4C410800AB3B8422A4BDC77158831E7100067EDB
unknown
unknown
7612
Free Ride Games.exe
GET
200
104.16.148.233:80
http://img.exent.com/free/frg/products/326250/boxshot.jpg
unknown
unknown
7612
Free Ride Games.exe
POST
200
104.19.183.100:80
http://www.freeridegames.com/opTools/clientTracking.jsp?trackEvent=SDM_Player_validation&isPlayerInstalled=0&beginUpgrade=0&existingPlayerVersion=0&sdmVersion=01.02.00.33&muid=30300030ADD1ADD2ADD399FA26B7B97A4C410800AB3B8422A4BDC77158831E7100067EDB
unknown
unknown

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2104
svchost.exe
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:137
whitelisted
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
5496
MoUsoCoreWorker.exe
2.16.241.12:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
2.16.241.12:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
5496
MoUsoCoreWorker.exe
95.101.149.131:80
www.microsoft.com
Akamai International B.V.
NL
whitelisted
95.101.149.131:80
www.microsoft.com
Akamai International B.V.
NL
whitelisted
4
System
192.168.100.255:138
whitelisted
7612
Free Ride Games.exe
104.19.183.100:80
www.freeridegames.com
CLOUDFLARENET
suspicious
3216
svchost.exe
172.211.123.249:443
client.wns.windows.com
MICROSOFT-CORP-MSN-AS-BLOCK
FR
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 4.231.128.59
  • 40.127.240.158
whitelisted
crl.microsoft.com
  • 2.16.241.12
  • 2.16.241.19
whitelisted
www.microsoft.com
  • 95.101.149.131
  • 23.35.229.160
whitelisted
google.com
  • 142.250.186.46
whitelisted
www.freeridegames.com
  • 104.19.183.100
  • 104.19.182.100
unknown
client.wns.windows.com
  • 172.211.123.249
whitelisted
login.live.com
  • 20.190.160.22
  • 20.190.160.130
  • 20.190.160.67
  • 20.190.160.5
  • 40.126.32.134
  • 40.126.32.133
  • 20.190.160.65
  • 20.190.160.132
whitelisted
ocsp.digicert.com
  • 2.23.77.188
whitelisted
img.exent.com
  • 104.16.148.233
  • 104.16.149.233
unknown
dts1.freeridegames.com
  • 104.19.183.100
  • 104.19.182.100
unknown

Threats

PID
Process
Class
Message
7612
Free Ride Games.exe
Potential Corporate Privacy Violation
ET INFO PE EXE or DLL Windows file download HTTP
7612
Free Ride Games.exe
Potential Corporate Privacy Violation
ET INFO PE EXE or DLL Windows file download HTTP
No debug info