URL: http://www5l.incredimail.com/im/imsetup/201301300001/beta/installer/fullsetup/IncrediMailSetup.exe

Full analysis: https://app.any.run/tasks/f6107f5d-ba3e-43ef-9c8d-33958de03e6a
Verdict: Malicious activity
Analysis date: January 12, 2020, 14:15:30
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MD5: 3037BC09ACD268D69F97B863D883B9A8
SHA1: 917A0D5ECA47C6293F3C2FC872B534059C1FFC52
SHA256: D6BD1FDDDFA59746A0CF529D18AA1F2905B7AB30C7130136131B19B67075CDEF
SSDEEP: 3:N1KJSjJGl6IHKKM3YAZX+2L0EyqOXKDQLXAB34pVkA:Cc1G6PKML+2LnOX9LUopaA

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • IncrediMailSetup.exe (PID: 2520)
      • IncrediMailSetup_en.exe (PID: 2144)
      • IncrediMailSetup_en.exe (PID: 3392)
      • IncMail.exe (PID: 3748)
      • ImNotfy.exe (PID: 2952)
      • ImApp.exe (PID: 3084)
      • ImpCnt.exe (PID: 2848)
      • ImpCnt.exe (PID: 2096)
      • ImpCnt.exe (PID: 1016)
      • ImpCnt.exe (PID: 1244)
      • ImpCnt.exe (PID: 2548)
      • ImpCnt.exe (PID: 2676)
      • ImpCnt.exe (PID: 1768)
      • ImpCnt.exe (PID: 1296)
      • ImpCnt.exe (PID: 2440)
      • IncMail.exe (PID: 1600)
      • IncMail.exe (PID: 3940)
      • ImApp.exe (PID: 252)
      • ImLpp.exe (PID: 2444)
      • ImLpp.exe (PID: 2712)
      • ImLpp.exe (PID: 3284)
      • ImLpp.exe (PID: 3940)
      • ImLpp.exe (PID: 1596)
      • ImLpp.exe (PID: 3588)
      • ImLpp.exe (PID: 3892)
      • ImLpp.exe (PID: 4012)
      • ImLpp.exe (PID: 3612)
      • ImLpp.exe (PID: 2700)
      • ImLpp.exe (PID: 3324)
      • ImLpp.exe (PID: 2004)
      • ImLpp.exe (PID: 1900)
      • ImLpp.exe (PID: 4068)
      • ImLpp.exe (PID: 3916)
      • ImLpp.exe (PID: 388)
      • ImLpp.exe (PID: 2844)
      • ImLpp.exe (PID: 3256)
      • ImLpp.exe (PID: 1556)
      • ImLpp.exe (PID: 3224)
      • ImLpp.exe (PID: 3608)
      • aeldr.exe (PID: 4088)
      • ImLpp.exe (PID: 2236)
      • ImLpp.exe (PID: 2612)
      • ImLpp.exe (PID: 1704)
      • ImLpp.exe (PID: 1952)
      • ImLpp.exe (PID: 720)
      • ImLpp.exe (PID: 3092)
      • ImLpp.exe (PID: 3248)
      • ImLpp.exe (PID: 2200)
      • ImLpp.exe (PID: 3124)
      • ImLpp.exe (PID: 2968)
      • ImLpp.exe (PID: 324)
      • ImLpp.exe (PID: 1796)
      • ImLpp.exe (PID: 1484)
      • ImLpp.exe (PID: 2648)
      • ImLpp.exe (PID: 2132)
      • ImLpp.exe (PID: 2556)
      • ImLpp.exe (PID: 3708)
      • ImLpp.exe (PID: 1036)
      • ImLpp.exe (PID: 1104)
      • ImLpp.exe (PID: 3568)
      • ImLpp.exe (PID: 2108)
      • ImLpp.exe (PID: 3352)
      • ImLpp.exe (PID: 4036)
      • ImLpp.exe (PID: 3920)
      • ImLpp.exe (PID: 2684)
      • ImLpp.exe (PID: 2176)
    • Loads dropped or rewritten executable

      • IncMail.exe (PID: 3748)
      • ImNotfy.exe (PID: 2952)
      • ImApp.exe (PID: 3084)
      • ImpCnt.exe (PID: 2848)
      • ImpCnt.exe (PID: 1244)
      • ImpCnt.exe (PID: 2096)
      • ImpCnt.exe (PID: 1016)
      • ImpCnt.exe (PID: 2548)
      • ImpCnt.exe (PID: 2676)
      • ImpCnt.exe (PID: 1296)
      • ImpCnt.exe (PID: 2440)
      • IncMail.exe (PID: 1600)
      • IncMail.exe (PID: 3940)
      • ImpCnt.exe (PID: 1768)
      • ImLpp.exe (PID: 2444)
      • ImLpp.exe (PID: 2712)
      • ImLpp.exe (PID: 3284)
      • ImApp.exe (PID: 252)
      • ImLpp.exe (PID: 3940)
      • ImLpp.exe (PID: 1596)
      • ImLpp.exe (PID: 3588)
      • ImLpp.exe (PID: 3892)
      • ImLpp.exe (PID: 4012)
      • ImLpp.exe (PID: 3612)
      • ImLpp.exe (PID: 2700)
      • ImLpp.exe (PID: 3324)
      • ImLpp.exe (PID: 2004)
      • ImLpp.exe (PID: 1900)
      • ImLpp.exe (PID: 4068)
      • ImLpp.exe (PID: 3916)
      • ImLpp.exe (PID: 388)
      • ImLpp.exe (PID: 2844)
      • ImLpp.exe (PID: 3256)
      • ImLpp.exe (PID: 1556)
      • ImLpp.exe (PID: 3224)
      • ImLpp.exe (PID: 2236)
      • ImLpp.exe (PID: 3608)
      • ImLpp.exe (PID: 2612)
      • aeldr.exe (PID: 4088)
      • ImLpp.exe (PID: 1484)
      • ImLpp.exe (PID: 1796)
      • ImLpp.exe (PID: 3092)
      • ImLpp.exe (PID: 1952)
      • ImLpp.exe (PID: 1704)
      • ImLpp.exe (PID: 720)
      • ImLpp.exe (PID: 3248)
      • ImLpp.exe (PID: 2200)
      • ImLpp.exe (PID: 2968)
      • ImLpp.exe (PID: 3124)
      • ImLpp.exe (PID: 324)
      • ImLpp.exe (PID: 2648)
      • ImLpp.exe (PID: 3568)
      • ImLpp.exe (PID: 3352)
      • ImLpp.exe (PID: 2108)
      • ImLpp.exe (PID: 1104)
      • ImLpp.exe (PID: 4036)
      • ImLpp.exe (PID: 2176)
      • ImLpp.exe (PID: 3920)
      • ImLpp.exe (PID: 2684)
      • ImLpp.exe (PID: 2132)
      • ImLpp.exe (PID: 2556)
      • ImLpp.exe (PID: 1036)
      • ImLpp.exe (PID: 3708)
    • Changes the autorun value in the registry

      • IncMail.exe (PID: 1600)
    • Scans artifacts that could help determine the target

      • IncMail.exe (PID: 1600)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • chrome.exe (PID: 2148)
      • chrome.exe (PID: 1328)
      • msiexec.exe (PID: 2696)
      • IncrediMailSetup.exe (PID: 2520)
    • Reads internet explorer settings

      • IncrediMailSetup.exe (PID: 2520)
      • ImApp.exe (PID: 252)
      • IncMail.exe (PID: 1600)
    • Starts Microsoft Installer

      • IncrediMailSetup_en.exe (PID: 3392)
    • Executed as Windows Service

      • vssvc.exe (PID: 2496)
    • Creates files in the user directory

      • msiexec.exe (PID: 2696)
      • MsiExec.exe (PID: 2212)
      • IncMail.exe (PID: 1600)
      • ImApp.exe (PID: 252)
      • ImLpp.exe (PID: 2004)
      • ImLpp.exe (PID: 1900)
      • ImLpp.exe (PID: 4068)
      • ImLpp.exe (PID: 2844)
      • ImLpp.exe (PID: 3256)
      • ImLpp.exe (PID: 1556)
      • ImLpp.exe (PID: 3916)
      • ImLpp.exe (PID: 388)
      • ImLpp.exe (PID: 2236)
      • ImLpp.exe (PID: 2612)
      • ImLpp.exe (PID: 3608)
      • aeldr.exe (PID: 4088)
      • ImLpp.exe (PID: 3224)
      • ImLpp.exe (PID: 1704)
      • ImLpp.exe (PID: 1952)
      • ImLpp.exe (PID: 720)
      • ImLpp.exe (PID: 1484)
      • ImLpp.exe (PID: 1796)
      • ImLpp.exe (PID: 3092)
    • Modifies the open verb of a shell class

      • msiexec.exe (PID: 2696)
    • Changes IE settings (feature browser emulation)

      • msiexec.exe (PID: 2696)
      • IncMail.exe (PID: 1600)
    • Creates COM task schedule object

      • MsiExec.exe (PID: 856)
      • msiexec.exe (PID: 2696)
    • Creates files in the program directory

      • IncrediMailSetup.exe (PID: 2520)
      • ImApp.exe (PID: 252)
    • Reads Internet Cache Settings

      • IncMail.exe (PID: 1600)
      • ImApp.exe (PID: 252)
      • ImLpp.exe (PID: 2444)
      • ImLpp.exe (PID: 2712)
      • ImLpp.exe (PID: 3284)
      • ImLpp.exe (PID: 3940)
      • ImLpp.exe (PID: 1596)
      • ImLpp.exe (PID: 3588)
      • ImLpp.exe (PID: 3892)
      • ImLpp.exe (PID: 4012)
      • ImLpp.exe (PID: 3612)
      • ImLpp.exe (PID: 2700)
      • ImLpp.exe (PID: 3324)
      • ImLpp.exe (PID: 2004)
      • ImLpp.exe (PID: 1900)
      • ImLpp.exe (PID: 4068)
      • ImLpp.exe (PID: 3916)
      • ImLpp.exe (PID: 2844)
      • ImLpp.exe (PID: 3256)
      • ImLpp.exe (PID: 1556)
      • ImLpp.exe (PID: 388)
      • ImLpp.exe (PID: 2236)
      • ImLpp.exe (PID: 2612)
      • ImLpp.exe (PID: 3608)
      • aeldr.exe (PID: 4088)
      • ImLpp.exe (PID: 3224)
      • ImLpp.exe (PID: 1704)
      • ImLpp.exe (PID: 1952)
      • ImLpp.exe (PID: 1796)
      • ImLpp.exe (PID: 720)
      • ImLpp.exe (PID: 3092)
      • ImLpp.exe (PID: 1484)
      • ImLpp.exe (PID: 3248)
      • ImLpp.exe (PID: 2200)
      • ImLpp.exe (PID: 3124)
      • ImLpp.exe (PID: 2968)
      • ImLpp.exe (PID: 2556)
      • ImLpp.exe (PID: 1036)
      • ImLpp.exe (PID: 1104)
      • ImLpp.exe (PID: 4036)
      • ImLpp.exe (PID: 3920)
      • ImLpp.exe (PID: 2684)
      • ImLpp.exe (PID: 2176)
      • ImLpp.exe (PID: 324)
      • ImLpp.exe (PID: 3568)
      • ImLpp.exe (PID: 2108)
      • ImLpp.exe (PID: 3352)
      • ImLpp.exe (PID: 2648)
      • ImLpp.exe (PID: 2132)
      • ImLpp.exe (PID: 3708)
    • Executed via COM

      • ImApp.exe (PID: 252)
    • Reads the cookies of Mozilla Firefox

      • ImApp.exe (PID: 252)
    • Reads the cookies of Google Chrome

      • ImApp.exe (PID: 252)
    • Modifies files in Chrome extension folder

      • chrome.exe (PID: 2148)
  • INFO

    • Reads the hosts file

      • chrome.exe (PID: 2148)
      • chrome.exe (PID: 1328)
    • Reads Internet Cache Settings

      • chrome.exe (PID: 2148)
    • Dropped object may contain Bitcoin addresses

      • IncrediMailSetup.exe (PID: 2520)
      • msiexec.exe (PID: 2696)
      • IncMail.exe (PID: 1600)
    • Application launched itself

      • msiexec.exe (PID: 2696)
      • chrome.exe (PID: 2148)
    • Low-level read access rights to disk partition

      • vssvc.exe (PID: 2496)
    • Searches for installed software

      • msiexec.exe (PID: 2696)
    • Loads dropped or rewritten executable

      • MsiExec.exe (PID: 2212)
      • MsiExec.exe (PID: 856)
    • Creates a software uninstall entry

      • msiexec.exe (PID: 2696)
    • Creates files in the program directory

      • MsiExec.exe (PID: 2212)
      • msiexec.exe (PID: 2696)
    • Manual execution by user

      • IncMail.exe (PID: 3940)
    • Reads Microsoft Office registry keys

      • IncMail.exe (PID: 1600)
    • Reads settings of System Certificates

      • IncMail.exe (PID: 1600)
No Malware configuration.
No data.
All screenshots are available in the full report
Total processes: 141
Monitored processes: 98
Malicious processes: 68
Suspicious processes: 0

Behavior graph

[Process-tree graph not reproduced in this extract. Nodes shown in the graph: chrome.exe, incredimailsetup.exe, incredimailsetup_en.exe, msiexec.exe, vssvc.exe, incmail.exe, imnotfy.exe, imapp.exe, impcnt.exe, imlpp.exe, aeldr.exe; edge labels are "start" and "drop and start"; most nodes are marked "no specs".]

Process information

Fields per entry: PID, CMD, Path, Indicators, Parent process, followed by process details and the first loaded modules.

PID: 252
CMD: "C:\Program Files\IncrediMail\Bin\ImApp.exe" -Embedding
Path: C:\Program Files\IncrediMail\Bin\ImApp.exe
Parent process: svchost.exe
User: admin
Company: IncrediMail Ltd.
Integrity Level: MEDIUM
Description: IncrediMail Tray Application
Exit code: 0
Version: 6, 6, 0, 5344
Modules (images):
  c:\program files\incredimail\bin\imapp.exe
  c:\systemroot\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\program files\incredimail\bin\imutilsu.dll
  c:\program files\incredimail\bin\imntutilu.dll
  c:\windows\system32\ole32.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\user32.dll
  c:\windows\system32\gdi32.dll

PID: 324
CMD: ImLpp.exe "/SetCookie:C:\Users\admin\AppData\Local\Temp\Low\IM\im3645.tmp" "/Domain:http://www.incredimail.com"
Path: C:\Program Files\IncrediMail\Bin\ImLpp.exe
Parent process: ImApp.exe
User: admin
Company: IncrediMail Ltd.
Integrity Level: LOW
Description: ImLpp MFC Application
Exit code: 0
Version: 6, 6, 0, 5344
Modules (images):
  c:\program files\incredimail\bin\imlpp.exe
  c:\systemroot\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\wininet.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\shlwapi.dll
  c:\windows\system32\gdi32.dll
  c:\windows\system32\user32.dll
  c:\windows\system32\lpk.dll

PID: 388
CMD: ImLpp.exe "/SetCookie:C:\Users\admin\AppData\Local\Temp\Low\IM\im2BC3.tmp" "/Domain:http://incredimail.com"
Path: C:\Program Files\IncrediMail\Bin\ImLpp.exe
Parent process: ImApp.exe
User: admin
Company: IncrediMail Ltd.
Integrity Level: LOW
Description: ImLpp MFC Application
Exit code: 0
Version: 6, 6, 0, 5344
Modules (images):
  c:\program files\incredimail\bin\imlpp.exe
  c:\systemroot\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\wininet.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\shlwapi.dll
  c:\windows\system32\gdi32.dll
  c:\windows\system32\user32.dll
  c:\windows\system32\lpk.dll

PID: 392
CMD: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1036,15717240026979722871,15473170587917080511,131072 --enable-features=PasswordImport --gpu-preferences=KAAAAAAAAADgAAAgAQAAAAAAAAAAAGAAAAAAAAAAAAAIAAAAAAAAACgAAAAEAAAAIAAAAAAAAAAoAAAAAAAAADAAAAAAAAAAOAAAAAAAAAAQAAAAAAAAAAAAAAAFAAAAEAAAAAAAAAAAAAAABgAAABAAAAAAAAAAAQAAAAUAAAAQAAAAAAAAAAEAAAAGAAAA --service-request-channel-token=14206427817265862060 --mojo-platform-channel-handle=1048 --ignored=" --type=renderer " /prefetch:2
Path: C:\Program Files\Google\Chrome\Application\chrome.exe
Parent process: chrome.exe
User: admin
Company: Google LLC
Integrity Level: LOW
Description: Google Chrome
Exit code: 0
Version: 75.0.3770.100
Modules (images):
  c:\program files\google\chrome\application\chrome.exe
  c:\systemroot\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\program files\google\chrome\application\75.0.3770.100\chrome_elf.dll
  c:\windows\system32\version.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\shell32.dll
  c:\windows\system32\shlwapi.dll
  c:\windows\system32\gdi32.dll

PID: 436
CMD: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --field-trial-handle=1036,15717240026979722871,15473170587917080511,131072 --enable-features=PasswordImport --lang=en-US --service-sandbox-type=utility --service-request-channel-token=9693256191823163731 --mojo-platform-channel-handle=4968 --ignored=" --type=renderer " /prefetch:8
Path: C:\Program Files\Google\Chrome\Application\chrome.exe
Parent process: chrome.exe
User: admin
Company: Google LLC
Integrity Level: LOW
Description: Google Chrome
Exit code: 0
Version: 75.0.3770.100
Modules (images):
  c:\program files\google\chrome\application\chrome.exe
  c:\systemroot\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\program files\google\chrome\application\75.0.3770.100\chrome_elf.dll
  c:\windows\system32\version.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\shell32.dll
  c:\windows\system32\shlwapi.dll
  c:\windows\system32\gdi32.dll

PID: 592
CMD: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --field-trial-handle=1036,15717240026979722871,15473170587917080511,131072 --enable-features=PasswordImport --lang=en-US --service-sandbox-type=utility --service-request-channel-token=16049764769388841934 --mojo-platform-channel-handle=4464 --ignored=" --type=renderer " /prefetch:8
Path: C:\Program Files\Google\Chrome\Application\chrome.exe
Parent process: chrome.exe
User: admin
Company: Google LLC
Integrity Level: LOW
Description: Google Chrome
Exit code: 0
Version: 75.0.3770.100
Modules (images):
  c:\program files\google\chrome\application\chrome.exe
  c:\systemroot\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\program files\google\chrome\application\75.0.3770.100\chrome_elf.dll
  c:\windows\system32\version.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\shell32.dll
  c:\windows\system32\shlwapi.dll
  c:\windows\system32\gdi32.dll

PID: 720
CMD: ImLpp.exe "/SetCookie:C:\Users\admin\AppData\Local\Temp\Low\IM\im34A7.tmp" "/Domain:http://incredimail.com"
Path: C:\Program Files\IncrediMail\Bin\ImLpp.exe
Parent process: ImApp.exe
User: admin
Company: IncrediMail Ltd.
Integrity Level: LOW
Description: ImLpp MFC Application
Exit code: 0
Version: 6, 6, 0, 5344
Modules (images):
  c:\program files\incredimail\bin\imlpp.exe
  c:\systemroot\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\wininet.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\shlwapi.dll
  c:\windows\system32\gdi32.dll
  c:\windows\system32\user32.dll
  c:\windows\system32\lpk.dll

PID: 820
CMD: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --field-trial-handle=1036,15717240026979722871,15473170587917080511,131072 --enable-features=PasswordImport --lang=en-US --service-sandbox-type=utility --service-request-channel-token=12852000590749855 --mojo-platform-channel-handle=2780 --ignored=" --type=renderer " /prefetch:8
Path: C:\Program Files\Google\Chrome\Application\chrome.exe
Parent process: chrome.exe
User: admin
Company: Google LLC
Integrity Level: LOW
Description: Google Chrome
Exit code: 0
Version: 75.0.3770.100
Modules (images):
  c:\program files\google\chrome\application\chrome.exe
  c:\systemroot\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\program files\google\chrome\application\75.0.3770.100\chrome_elf.dll
  c:\windows\system32\version.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\shell32.dll
  c:\windows\system32\shlwapi.dll
  c:\windows\system32\gdi32.dll

PID: 856
CMD: C:\Windows\system32\MsiExec.exe -Embedding D0F8E8719FA87B3491F15C3C4686F40E M Global\MSI0000
Path: C:\Windows\system32\MsiExec.exe
Parent process: msiexec.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Windows® installer
Exit code: 0
Version: 5.0.7600.16385 (win7_rtm.090713-1255)
Modules (images):
  c:\windows\system32\msiexec.exe
  c:\systemroot\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\advapi32.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\sechost.dll
  c:\windows\system32\rpcrt4.dll
  c:\windows\system32\user32.dll
  c:\windows\system32\gdi32.dll

PID: 1016
CMD: "C:\Program Files\IncrediMail\Bin\ImpCnt.exe" /silent /nothumb /common /path:"C:\Users\admin\AppData\Local\Temp\IM_F1BD.tmp\CommonAppData\IncrediMail\Data\SetupData\Emoticon"
Path: C:\Program Files\IncrediMail\Bin\ImpCnt.exe
Parent process: MsiExec.exe
User: admin
Company: IncrediMail Ltd.
Integrity Level: HIGH
Description: IncrediMail Content Importer
Exit code: 0
Version: 6, 6, 0, 5344
Modules (images):
  c:\program files\incredimail\bin\impcnt.exe
  c:\systemroot\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\program files\incredimail\bin\imutilsu.dll
  c:\program files\incredimail\bin\imntutilu.dll
  c:\windows\system32\ole32.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\gdi32.dll
  c:\windows\system32\user32.dll

Total events: 17 321
Read events: 4 275
Write events: 12 517
Delete events: 529

Modification events

Process: (2168) chrome.exe
Key: HKEY_CURRENT_USER\Software\Google\Chrome\BrowserExitCodes
Operation: write
Name: 2148-13223312144584000
Value: 259

Process: (2148) chrome.exe
Key: HKEY_CURRENT_USER\Software\Google\Chrome\BLBeacon
Operation: write
Name: failed_count
Value: 0

Process: (2148) chrome.exe
Key: HKEY_CURRENT_USER\Software\Google\Chrome\BLBeacon
Operation: write
Name: state
Value: 2

Process: (2148) chrome.exe
Key: HKEY_CURRENT_USER\Software\Google\Chrome\ThirdParty
Operation: write
Name: StatusCodes
Value: (empty)

Process: (2148) chrome.exe
Key: HKEY_CURRENT_USER\Software\Google\Chrome\ThirdParty
Operation: write
Name: StatusCodes
Value: 01000000

Process: (2148) chrome.exe
Key: HKEY_CURRENT_USER\Software\Google\Chrome\BLBeacon
Operation: write
Name: state
Value: 1

Process: (2148) chrome.exe
Key: HKEY_CURRENT_USER\Software\Google\Update\ClientState\{8A69D345-D564-463c-AFF1-A69D9E530F96}
Operation: write
Name: dr
Value: 1

Process: (2148) chrome.exe
Key: HKEY_CURRENT_USER\Software\Google\Chrome
Operation: write
Name: UsageStatsInSample
Value: 0

Process: (2148) chrome.exe
Key: HKEY_CURRENT_USER\Software\Google\Chrome\BrowserExitCodes
Operation: delete value
Name: 1512-13197841398593750
Value: 0

Process: (2148) chrome.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Google\Update\ClientStateMedium\{8A69D345-D564-463C-AFF1-A69D9E530F96}
Operation: write
Name: usagestats
Value: 0

Executable files: 141
Suspicious files: 469
Text files: 1 848
Unknown types: 191

Dropped files

PID | Process | Filename | Type
2148 | chrome.exe | C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\005fd373-8b89-4936-999c-c406c838b848.tmp |
2148 | chrome.exe | C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\data_reduction_proxy_leveldb\000020.dbtmp |
2148 | chrome.exe | C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\LOG.old | text
2148 | chrome.exe | C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\data_reduction_proxy_leveldb\LOG.old | text
2148 | chrome.exe | C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\LOG.old |
2148 | chrome.exe | C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\LOG.old~RF39a94a.TMP | text
2148 | chrome.exe | C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\LOG.old | text
2148 | chrome.exe | C:\Users\admin\AppData\Local\Google\Chrome\User Data\ShaderCache\GPUCache\data_1 |
2148 | chrome.exe | C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\LOG.old~RF39a93b.TMP | text
2148 | chrome.exe | C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\data_reduction_proxy_leveldb\LOG.old~RF39a94a.TMP | text

(The MD5 and SHA256 fields are empty for every dropped file listed in this extract.)
HTTP(S) requests: 9
TCP/UDP connections: 27
DNS requests: 19
Threats: 13

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
252 | ImApp.exe | GET | 200 | 52.48.188.30:80 | http://www.incredimail.com/h/upn/?r=79e80d9e-f028-4a0d-bfaa-fc01d7021986 | IE | text | 19 b | whitelisted
252 | ImApp.exe | POST | 500 | 82.80.204.5:80 | http://cen.incredimail.com/app/ | IL | html | 4.61 Kb | malicious
252 | ImApp.exe | POST | 500 | 82.80.204.5:80 | http://cen.incredimail.com/app/ | IL | html | 4.61 Kb | malicious
252 | ImApp.exe | POST | 500 | 82.80.204.5:80 | http://cen.incredimail.com/app/ | IL | html | 4.61 Kb | malicious
252 | ImApp.exe | POST | 500 | 82.80.204.5:80 | http://cen.incredimail.com/app/ | IL | html | 4.61 Kb | malicious
1328 | chrome.exe | GET | 200 | 173.194.163.91:80 | http://r5---sn-5go7ynez.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvOTRmQUFXVHlhaGJaUTdMLWtCSkNJUl9ZQQ/1.0.0.5_nmmhkkegccagdldgiimedpiccmgmieda.crx?cms_redirect=yes&mip=82.103.130.125&mm=28&mn=sn-5go7ynez&ms=nvh&mt=1578838256&mv=u&mvi=4&pl=26&shardbypass=yes | US | crx | 293 Kb | whitelisted
1328 | chrome.exe | GET | 302 | 172.217.16.142:80 | http://redirector.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvOTRmQUFXVHlhaGJaUTdMLWtCSkNJUl9ZQQ/1.0.0.5_nmmhkkegccagdldgiimedpiccmgmieda.crx | US | html | 510 b | whitelisted
1328 | chrome.exe | GET | 302 | 172.217.16.142:80 | http://redirector.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvOWVmQUFXS041NV9ZVXlJVWwxbGc5TUM4dw/7519.422.0.3_pkedcjkdefgpdelpbcmbmeomcjbeemfm.crx | US | html | 515 b | whitelisted
1328 | chrome.exe | GET | 200 | 173.194.150.168:80 | http://r2---sn-5goeen76.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvOWVmQUFXS041NV9ZVXlJVWwxbGc5TUM4dw/7519.422.0.3_pkedcjkdefgpdelpbcmbmeomcjbeemfm.crx?cms_redirect=yes&mip=82.103.130.125&mm=28&mn=sn-5goeen76&ms=nvh&mt=1578838256&mv=u&mvi=1&pl=26&shardbypass=yes | US | crx | 862 Kb | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
1328 | chrome.exe | 172.217.23.131:443 | clientservices.googleapis.com | Google Inc. | US | whitelisted
1328 | chrome.exe | 2.16.186.104:80 | www5l.incredimail.com | Akamai International B.V. |  | whitelisted
252 | ImApp.exe | 82.80.204.5:80 | cen.incredimail.com | Bezeq International | IL | malicious
1328 | chrome.exe | 172.217.22.110:443 | clients1.google.com | Google Inc. | US | whitelisted
252 | ImApp.exe | 52.48.188.30:80 | www.incredimail.com | Amazon.com, Inc. | IE | malicious
1328 | chrome.exe | 172.217.16.142:80 | redirector.gvt1.com | Google Inc. | US | whitelisted
1328 | chrome.exe | 173.194.163.91:80 | r5---sn-5go7ynez.gvt1.com | Google Inc. | US | whitelisted
1328 | chrome.exe | 172.217.16.141:443 | accounts.google.com | Google Inc. | US | suspicious
1328 | chrome.exe | 172.217.16.195:443 | www.gstatic.com | Google Inc. | US | whitelisted
1328 | chrome.exe | 216.58.210.14:443 | sb-ssl.google.com | Google Inc. | US | whitelisted

DNS requests

Domain | IP | Reputation
clientservices.googleapis.com | 172.217.23.131 | whitelisted
www5l.incredimail.com | 2.16.186.104, 2.16.186.120 | whitelisted
accounts.google.com | 172.217.16.141 | shared
www.google.com | 216.58.208.36 | malicious
ssl.gstatic.com | 172.217.16.163 | whitelisted
sb-ssl.google.com | 216.58.210.14 | whitelisted
www.gstatic.com | 172.217.16.195 | whitelisted
clients1.google.com | 172.217.22.110 | whitelisted
www.incredimail.com | 52.48.188.30, 34.247.227.247 | whitelisted
cen.incredimail.com | 82.80.204.5 | malicious

Threats

PID | Process | Class | Message
 |  | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP
 |  | Generic Protocol Command Decode | SURICATA HTTP unable to match response to request
 |  | Generic Protocol Command Decode | SURICATA HTTP unable to match response to request
 |  | A Network Trojan was detected | ET MALWARE Misspelled Mozilla User-Agent (Mozila)
 |  | A Network Trojan was detected | MALWARE [PTsecurity] W32/IncrediMail.A.gen!Eldorado
 |  | A Network Trojan was detected | ET MALWARE Misspelled Mozilla User-Agent (Mozila)
 |  | A Network Trojan was detected | ET MALWARE Misspelled Mozilla User-Agent (Mozila)
 |  | A Network Trojan was detected | MALWARE [PTsecurity] W32/IncrediMail.A.gen!Eldorado
 |  | A Network Trojan was detected | ET MALWARE Misspelled Mozilla User-Agent (Mozila)
 |  | A Network Trojan was detected | MALWARE [PTsecurity] W32/IncrediMail.A.gen!Eldorado

(The PID and Process columns are empty for every threat row in this extract.)
No debug info