analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
URL:

http://gen.lib.rus.ec

Full analysis: https://app.any.run/tasks/cb7fdfe0-45c5-47ac-b365-1640ba6f3c4a
Verdict: Malicious activity
Analysis date: February 21, 2020, 17:31:10
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MD5:

E49965CCDA8236A1AAB4378FBE5F61F3

SHA1:

538C46349D422A9161C994FC1A7162691E90D25C

SHA256:

D21935C519582EED42F6AE6FF041C158F0C66774C0653C5D04918225CB4F0705

SSDEEP:

3:N1KZALwXj:C+sXj

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    No malicious indicators.

  • SUSPICIOUS

    • Modifies files in Chrome extension folder

      • chrome.exe (PID: 3332)

  • INFO

    • Reads the hosts file

      • chrome.exe (PID: 3332)
      • chrome.exe (PID: 3164)

    • Application launched itself

      • chrome.exe (PID: 3332)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
69
Monitored processes
33
Malicious processes
0
Suspicious processes
0

Behavior graph

Click at the process to see the details
start chrome.exe chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
3332"C:\Program Files\Google\Chrome\Application\chrome.exe" "http://gen.lib.rus.ec"C:\Program Files\Google\Chrome\Application\chrome.exe
explorer.exe
User:
admin
Company:
Google LLC
Integrity Level:
MEDIUM
Description:
Google Chrome
Version:
75.0.3770.100
392"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win32 --annotation=prod=Chrome --annotation=ver=75.0.3770.100 --initial-client-data=0x7c,0x80,0x84,0x78,0x88,0x6fa8a9d0,0x6fa8a9e0,0x6fa8a9ecC:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
MEDIUM
Description:
Google Chrome
Version:
75.0.3770.100
2952"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=watcher --main-thread-id=3972 --on-initialized-event-handle=324 --parent-handle=328 /prefetch:6C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
MEDIUM
Description:
Google Chrome
Version:
75.0.3770.100
2968"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1016,636083941521690653,2799474172643377514,131072 --enable-features=PasswordImport --gpu-preferences=KAAAAAAAAADgAAAgAQAAAAAAAAAAAGAAAAAAAAAAAAAIAAAAAAAAACgAAAAEAAAAIAAAAAAAAAAoAAAAAAAAADAAAAAAAAAAOAAAAAAAAAAQAAAAAAAAAAAAAAAFAAAAEAAAAAAAAAAAAAAABgAAABAAAAAAAAAAAQAAAAUAAAAQAAAAAAAAAAEAAAAGAAAA --service-request-channel-token=9422827919937958667 --mojo-platform-channel-handle=1040 --ignored=" --type=renderer " /prefetch:2C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
LOW
Description:
Google Chrome
Version:
75.0.3770.100
3164"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --field-trial-handle=1016,636083941521690653,2799474172643377514,131072 --enable-features=PasswordImport --lang=en-US --service-sandbox-type=network --service-request-channel-token=16623685079475074936 --mojo-platform-channel-handle=1632 /prefetch:8C:\Program Files\Google\Chrome\Application\chrome.exe
chrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
MEDIUM
Description:
Google Chrome
Version:
75.0.3770.100
3408"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1016,636083941521690653,2799474172643377514,131072 --enable-features=PasswordImport --lang=en-US --enable-offline-auto-reload --enable-offline-auto-reload-visible-only --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=14569685188497589374 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2192 /prefetch:1C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
LOW
Description:
Google Chrome
Exit code:
0
Version:
75.0.3770.100
4084"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1016,636083941521690653,2799474172643377514,131072 --enable-features=PasswordImport --lang=en-US --enable-offline-auto-reload --enable-offline-auto-reload-visible-only --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=11978478794928138237 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2276 /prefetch:1C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
LOW
Description:
Google Chrome
Exit code:
0
Version:
75.0.3770.100
2896"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1016,636083941521690653,2799474172643377514,131072 --enable-features=PasswordImport --lang=en-US --extension-process --enable-offline-auto-reload --enable-offline-auto-reload-visible-only --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=4782552673356813234 --renderer-client-id=4 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2384 /prefetch:1C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
LOW
Description:
Google Chrome
Exit code:
0
Version:
75.0.3770.100
2084"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --field-trial-handle=1016,636083941521690653,2799474172643377514,131072 --enable-features=PasswordImport --lang=en-US --service-sandbox-type=utility --service-request-channel-token=1075315835818898957 --mojo-platform-channel-handle=3556 --ignored=" --type=renderer " /prefetch:8C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
LOW
Description:
Google Chrome
Exit code:
0
Version:
75.0.3770.100
2776"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --field-trial-handle=1016,636083941521690653,2799474172643377514,131072 --enable-features=PasswordImport --lang=en-US --service-sandbox-type=utility --service-request-channel-token=14043667385980722291 --mojo-platform-channel-handle=3624 --ignored=" --type=renderer " /prefetch:8C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
LOW
Description:
Google Chrome
Exit code:
0
Version:
75.0.3770.100
Total events
641
Read events
537
Write events
0
Delete events
0

Modification events

No data
Executable files
0
Suspicious files
69
Text files
280
Unknown types
18

Dropped files

PID
Process
Filename
Type
3332chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\BrowserMetrics\BrowserMetrics-5E5013EE-D04.pma
MD5:
SHA256:
3332chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\ab176f06-a720-4306-a513-3625155b58e8.tmp
MD5:
SHA256:
3332chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\data_reduction_proxy_leveldb\000028.dbtmp
MD5:
SHA256:
3332chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\BudgetDatabase\LOG.oldtext
MD5:AC43135B8C9FED46A92448C4E711F45C
SHA256:D840BA7CEBACF86DDBAD75BFB61A53449AA7AE3DE6B8ADC97FE45624626A6F09
3332chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Last Tabsbinary
MD5:702AEC53DCDCFEA33C4BE3D2F888473E
SHA256:D16286D6EE0EB33E7907EE4FCB8FDB6B5A54E5A56BFAF99A9C2451D239BC9765
3332chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\data_reduction_proxy_leveldb\LOG.oldtext
MD5:33B05E8AC9C178C58ED3321F496588C0
SHA256:2CDF6A09638A0B563EA2672D6926210771902E0A9203FE15D2857FC4EB954CDE
3332chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\LOG.oldtext
MD5:DA692BE42E4EF2668AE7499A7D5DA720
SHA256:EB865CAF59002C092F5FDBE22D01935866BC1277108B29E897052CB2439630ED
3332chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\LOG.old~RFa66c10.TMPtext
MD5:F69C20D5B552B8D973FB1CBA5FDD7D87
SHA256:48799968D50E2D74E625A0AB18E93C6792AF20010334C6BB4E935C8D26F7026A
3332chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Last Versiontext
MD5:1A89A1BEBE6C843C4FF582E7ED33CA1F
SHA256:65099CA087B66AA8CA420AB121DAAD713E1DB5A61C5A574D9B1C0DF24F012520
3332chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\LOG.oldtext
MD5:F69C20D5B552B8D973FB1CBA5FDD7D87
SHA256:48799968D50E2D74E625A0AB18E93C6792AF20010334C6BB4E935C8D26F7026A
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
21
TCP/UDP connections
40
DNS requests
37
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3164
chrome.exe
GET
500
185.39.10.120:80
http://libgen.lc/ads.php?md5=487cb586c10177fce49f084f5fa1cf9a&key=4439
CH
html
652 b
suspicious
3164
chrome.exe
GET
200
185.39.10.120:80
http://libgen.lc/menu.css
CH
text
2.40 Kb
suspicious
3164
chrome.exe
GET
301
104.24.124.73:80
http://libgen.pw/
US
whitelisted
3164
chrome.exe
GET
200
185.39.10.120:80
http://libgen.lc/favicon.ico
CH
image
621 b
suspicious
3164
chrome.exe
GET
200
173.194.139.6:80
http://r1---sn-aigzrn7k.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvOTRmQUFXVHlhaGJaUTdMLWtCSkNJUl9ZQQ/1.0.0.5_nmmhkkegccagdldgiimedpiccmgmieda.crx?cms_redirect=yes&mip=185.217.117.157&mm=28&mn=sn-aigzrn7k&ms=nvh&mt=1582306213&mv=m&mvi=0&pl=24&shardbypass=yes
US
crx
293 Kb
whitelisted
3164
chrome.exe
GET
185.222.202.19:80
http://gen.lib.rus.ec/search.php?req=SAS+Institute&column=author
unknown
suspicious
3164
chrome.exe
GET
302
172.217.16.142:80
http://redirector.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvOWVmQUFXS041NV9ZVXlJVWwxbGc5TUM4dw/7519.422.0.3_pkedcjkdefgpdelpbcmbmeomcjbeemfm.crx
US
html
516 b
whitelisted
3164
chrome.exe
GET
302
172.217.16.142:80
http://redirector.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvOTRmQUFXVHlhaGJaUTdMLWtCSkNJUl9ZQQ/1.0.0.5_nmmhkkegccagdldgiimedpiccmgmieda.crx
US
html
511 b
whitelisted
3164
chrome.exe
GET
200
185.222.202.19:80
http://gen.lib.rus.ec/covers/26000/7a39c3bcecfa9e1f7d9fe772352d6233-d.jpg
unknown
image
27.1 Kb
suspicious
3164
chrome.exe
GET
200
185.222.202.19:80
http://gen.lib.rus.ec/book/index.php?md5=7A39C3BCECFA9E1F7D9FE772352D6233
unknown
html
8.39 Kb
suspicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
3164
chrome.exe
185.222.202.19:80
gen.lib.rus.ec
unknown
3164
chrome.exe
172.217.22.110:443
clients2.google.com
Google Inc.
US
whitelisted
3164
chrome.exe
173.194.139.6:80
r1---sn-aigzrn7k.gvt1.com
Google Inc.
US
whitelisted
3164
chrome.exe
172.217.22.100:443
www.google.com
Google Inc.
US
whitelisted
3164
chrome.exe
172.217.18.97:443
clients2.googleusercontent.com
Google Inc.
US
whitelisted
3164
chrome.exe
172.217.16.142:80
redirector.gvt1.com
Google Inc.
US
whitelisted
3164
chrome.exe
172.217.16.163:443
clientservices.googleapis.com
Google Inc.
US
whitelisted
3164
chrome.exe
172.217.23.141:443
accounts.google.com
Google Inc.
US
whitelisted
3164
chrome.exe
104.24.124.73:80
libgen.pw
Cloudflare Inc
US
shared
3164
chrome.exe
216.58.210.3:443
ssl.gstatic.com
Google Inc.
US
whitelisted

DNS requests

Domain
IP
Reputation
clientservices.googleapis.com
  • 172.217.16.163
whitelisted
gen.lib.rus.ec
  • 185.222.202.19
  • 198.167.223.167
suspicious
accounts.google.com
  • 172.217.23.141
shared
b-ok.cc
  • 5.182.211.50
  • 81.17.17.254
suspicious
b-ok.org
  • 5.182.211.50
  • 179.43.147.124
malicious
bookfi.net
  • 5.45.74.67
whitelisted
libgen.lc
  • 185.39.10.120
suspicious
forum.mhut.org
  • 176.123.10.72
unknown
libgen.pw
  • 104.24.124.73
  • 104.24.125.73
whitelisted
magzdb.org
  • 84.39.241.145
whitelisted

Threats

PID
Process
Class
Message
Potentially Bad Traffic
ET DNS Query for .cc TLD
Potentially Bad Traffic
ET DNS Query to a *.pw domain - Likely Hostile
3164
chrome.exe
Potentially Bad Traffic
ET INFO HTTP Request to a *.pw domain
Potentially Bad Traffic
ET DNS Query to a *.pw domain - Likely Hostile
Potentially Bad Traffic
ET DNS Query for .cc TLD
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
http://gen.lib.rus.ec