File name: | temp.txt |
Full analysis: | https://app.any.run/tasks/6fa1bc2e-9b96-4003-87a1-77f8817f5de1 |
Verdict: | Malicious activity |
Threats: | A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. |
Analysis date: | December 14, 2018, 17:36:56 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | text/plain |
File info: | ASCII text |
MD5: | 6A7421D640CB19A0BCDAF90DC0CF60CC |
SHA1: | 2D886238675F6396D601E3659FDB844809C64189 |
SHA256: | F8AC8CCDC80862B082F3B8C19F54D2A0FC140A4A423C27F004A5DCE6B9BD7DB8 |
SSDEEP: | 3:N8PWNMKBJ9QUaalSJon:2PXKVQU7l6o |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2944 | "C:\Windows\system32\NOTEPAD.EXE" C:\Users\admin\AppData\Local\Temp\temp.txt | C:\Windows\system32\NOTEPAD.EXE | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Notepad Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
2344 | "C:\Program Files\Google\Chrome\Application\chrome.exe" | C:\Program Files\Google\Chrome\Application\chrome.exe | explorer.exe | |
User: admin Company: Google Inc. Integrity Level: MEDIUM Description: Google Chrome Version: 68.0.3440.106 | ||||
3148 | "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win32 --annotation=prod=Chrome --annotation=ver=68.0.3440.106 --initial-client-data=0x78,0x7c,0x80,0x74,0x84,0x6f4300b0,0x6f4300c0,0x6f4300cc | C:\Program Files\Google\Chrome\Application\chrome.exe | — | chrome.exe |
User: admin Company: Google Inc. Integrity Level: MEDIUM Description: Google Chrome Version: 68.0.3440.106 | ||||
2384 | "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=watcher --main-thread-id=2352 --on-initialized-event-handle=304 --parent-handle=308 /prefetch:6 | C:\Program Files\Google\Chrome\Application\chrome.exe | — | chrome.exe |
User: admin Company: Google Inc. Integrity Level: MEDIUM Description: Google Chrome Version: 68.0.3440.106 | ||||
3504 | "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=896,1440875912577375196,16516353125945989345,131072 --enable-features=PasswordImport --gpu-preferences=KAAAAAAAAACAAwBAAQAAAAAAAAAAAGAAEAAAAAAAAAAAAAAAAAAAACgAAAAEAAAAIAAAAAAAAAAoAAAAAAAAADAAAAAAAAAAOAAAAAAAAAAQAAAAAAAAAAAAAAAKAAAAEAAAAAAAAAAAAAAACwAAABAAAAAAAAAAAQAAAAoAAAAQAAAAAAAAAAEAAAALAAAA --service-request-channel-token=47B409068F25FA7E6681584528876D83 --mojo-platform-channel-handle=920 --ignored=" --type=renderer " /prefetch:2 | C:\Program Files\Google\Chrome\Application\chrome.exe | — | chrome.exe |
User: admin Company: Google Inc. Integrity Level: LOW Description: Google Chrome Version: 68.0.3440.106 | ||||
2216 | "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=896,1440875912577375196,16516353125945989345,131072 --enable-features=PasswordImport --service-pipe-token=A7B40F077B180A4A19109F951BDB9C00 --lang=en-US --instant-process --enable-offline-auto-reload --enable-offline-auto-reload-visible-only --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=A7B40F077B180A4A19109F951BDB9C00 --renderer-client-id=5 --mojo-platform-channel-handle=1900 /prefetch:1 | C:\Program Files\Google\Chrome\Application\chrome.exe | — | chrome.exe |
User: admin Company: Google Inc. Integrity Level: LOW Description: Google Chrome Version: 68.0.3440.106 | ||||
2820 | "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=896,1440875912577375196,16516353125945989345,131072 --enable-features=PasswordImport --service-pipe-token=A02D72CF683315D50A6EAEC9D8698E7A --lang=en-US --extension-process --enable-offline-auto-reload --enable-offline-auto-reload-visible-only --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=A02D72CF683315D50A6EAEC9D8698E7A --renderer-client-id=3 --mojo-platform-channel-handle=2068 /prefetch:1 | C:\Program Files\Google\Chrome\Application\chrome.exe | — | chrome.exe |
User: admin Company: Google Inc. Integrity Level: LOW Description: Google Chrome Exit code: 0 Version: 68.0.3440.106 | ||||
2852 | "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=896,1440875912577375196,16516353125945989345,131072 --enable-features=PasswordImport --disable-gpu-compositing --service-pipe-token=3EBAD5E87462DB7BAC8AE4FEE3795C57 --lang=en-US --enable-offline-auto-reload --enable-offline-auto-reload-visible-only --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=3EBAD5E87462DB7BAC8AE4FEE3795C57 --renderer-client-id=6 --mojo-platform-channel-handle=3552 /prefetch:1 | C:\Program Files\Google\Chrome\Application\chrome.exe | — | chrome.exe |
User: admin Company: Google Inc. Integrity Level: LOW Description: Google Chrome Version: 68.0.3440.106 | ||||
2456 | "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=896,1440875912577375196,16516353125945989345,131072 --enable-features=PasswordImport --disable-gpu-sandbox --gpu-preferences=KAAAAAAAAACAAwBAAQAAAAAAAAAAAGAAEAAAAAAAAAAAAAAAAAAAACgAAAAEAAAAIAAAAAAAAAAoAAAAAAAAADAAAAAAAAAAOAAAAAAAAAAQAAAAAAAAAAAAAAAKAAAAEAAAAAAAAAAAAAAACwAAABAAAAAAAAAAAQAAAAoAAAAQAAAAAAAAAAEAAAALAAAA --service-request-channel-token=F64D83F0CCA07812360FDBFF538B7CDE --mojo-platform-channel-handle=3864 /prefetch:2 | C:\Program Files\Google\Chrome\Application\chrome.exe | — | chrome.exe |
User: admin Company: Google Inc. Integrity Level: MEDIUM Description: Google Chrome Exit code: 0 Version: 68.0.3440.106 | ||||
2380 | "C:\Users\admin\Downloads\mail.exe" | C:\Users\admin\Downloads\mail.exe | chrome.exe | |
User: admin Company: NetEase (Hangzhou) Network Co., Ltd Integrity Level: MEDIUM Description: 网易邮箱大师安装程序 Version: 4.10.2.1001 |
(PID) Process: | (2344) chrome.exe | Key: | HKEY_CURRENT_USER\Software\Google\Chrome\BLBeacon |
Operation: | write | Name: | failed_count |
Value: 0 | |||
(PID) Process: | (2344) chrome.exe | Key: | HKEY_CURRENT_USER\Software\Google\Chrome\BLBeacon |
Operation: | write | Name: | state |
Value: 2 | |||
(PID) Process: | (2344) chrome.exe | Key: | HKEY_CURRENT_USER\Software\Google\Chrome\BLBeacon |
Operation: | write | Name: | state |
Value: 1 | |||
(PID) Process: | (2344) chrome.exe | Key: | HKEY_CURRENT_USER\Software\Google\Update\ClientState\{8A69D345-D564-463c-AFF1-A69D9E530F96} |
Operation: | write | Name: | dr |
Value: 1 | |||
(PID) Process: | — | Key: | HKEY_CURRENT_USER\Software\Google\Chrome\BrowserExitCodes |
Operation: | write | Name: | 2344-13189282643654000 |
Value: 259 | |||
(PID) Process: | (2344) chrome.exe | Key: | HKEY_CURRENT_USER\Software\Google\Chrome |
Operation: | write | Name: | UsageStatsInSample |
Value: 0 | |||
(PID) Process: | (2344) chrome.exe | Key: | HKEY_CURRENT_USER\Software\Google\Chrome\BrowserExitCodes |
Operation: | delete value | Name: | 3516-13180984670829101 |
Value: 0 | |||
(PID) Process: | (2344) chrome.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Google\Update\ClientStateMedium\{8A69D345-D564-463C-AFF1-A69D9E530F96} |
Operation: | write | Name: | usagestats |
Value: 0 | |||
(PID) Process: | (2344) chrome.exe | Key: | HKEY_CURRENT_USER\Software\Google\Chrome\BrowserExitCodes |
Operation: | delete value | Name: | 2344-13189282643654000 |
Value: 259 | |||
(PID) Process: | (2344) chrome.exe | Key: | HKEY_CURRENT_USER\Software\Google\Update\ClientState\{8A69D345-D564-463c-AFF1-A69D9E530F96} |
Operation: | write | Name: | metricsid |
Value: |
PID | Process | Filename | Type | |
---|---|---|---|---|
2344 | chrome.exe | C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\cee245b9-8d02-45fe-9acc-8a660929f009.tmp | — | |
MD5:— | SHA256:— | |||
2344 | chrome.exe | C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Download Service\EntryDB\000016.dbtmp | — | |
MD5:— | SHA256:— | |||
2344 | chrome.exe | C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\data_reduction_proxy_leveldb\000016.dbtmp | — | |
MD5:— | SHA256:— | |||
2344 | chrome.exe | C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\18e55ca6-2405-4d3a-85e0-d171fb4f984b.tmp | — | |
MD5:— | SHA256:— | |||
2344 | chrome.exe | C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\LOG.old | text | |
MD5:197882774A7ECEC9046BC48F63189B66 | SHA256:27377B0D5F989997C2C3F74ACF163EED44B60631DDAA768F6655D7BE555742B2 | |||
2344 | chrome.exe | C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\data_reduction_proxy_leveldb\LOG.old~RF249684.TMP | text | |
MD5:92BE6B127E72365885AD4C3FB6534EE2 | SHA256:54302A2573ACC775720E7DB0AD85873276713302B4F72596A8DCC44B01C70E51 | |||
844 | svchost.exe | C:\Windows\appcompat\programs\RecentFileCache.bcf | txt | |
MD5:F21900C7A25F863C30D1D846EA91370B | SHA256:19E89AC099570546B4FB964A14D5E70B72AB17B892739FFE1A6111AD8404641F | |||
2344 | chrome.exe | C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\LOG.old~RF2496b3.TMP | text | |
MD5:197882774A7ECEC9046BC48F63189B66 | SHA256:27377B0D5F989997C2C3F74ACF163EED44B60631DDAA768F6655D7BE555742B2 | |||
2344 | chrome.exe | C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\Database\LOG.old~RF2496b3.TMP | text | |
MD5:1AA66EFDB743FB0A8DCC1CD79B0B6542 | SHA256:28D56532CCED7375A2A1C7731E57C1A1C2EC1AC9827F3E5BEEE7F8069A5F87DD | |||
2344 | chrome.exe | C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\e6622492fa163609ddd4212f54512baa07929ed3\caecb3bd-7969-4305-84d6-3a376453ec73\index-dir\temp-index | — | |
MD5:— | SHA256:— |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
2344 | chrome.exe | GET | 200 | 103.65.41.154:80 | http://mimg.127.net/hxm/dashi-home/p/20151107/style/css/common-6a923c3e0a.css | CN | text | 4.17 Kb | suspicious |
2344 | chrome.exe | GET | 200 | 103.65.41.154:80 | http://mimg.127.net/hxm/dashi-home/p/20151107/js/respond-1854be559b.js | CN | html | 2.09 Kb | suspicious |
2344 | chrome.exe | GET | 200 | 103.65.41.154:80 | http://mimg.127.net/hxm/dashi-home/p/20151107/js/arale-qrcode-1749e8ca9e.js | CN | html | 5.53 Kb | suspicious |
2344 | chrome.exe | GET | 200 | 103.65.41.154:80 | http://mimg.127.net/hxm/dashi-home/p/20151107/style/css/index-6531a18a74.css | CN | text | 2.84 Kb | suspicious |
2344 | chrome.exe | GET | 200 | 103.65.41.154:80 | http://mimg.127.net/hxm/dashi-home/p/20151107/style/img/newHome/section2/08_iphone-594a8d3d45.png | CN | image | 37.2 Kb | suspicious |
2344 | chrome.exe | GET | 200 | 103.65.41.154:80 | http://mimg.127.net/hxm/dashi-home/p/20151107/style/img/newHome/section1/phone_bg1-b8769697a0.jpg | CN | image | 145 Kb | suspicious |
2344 | chrome.exe | GET | 200 | 103.65.41.154:80 | http://mimg.127.net/hxm/dashi-home/p/20151107/style/img/newHome/send_suc-f9e05ec25c.png | CN | image | 213 b | suspicious |
2344 | chrome.exe | GET | 200 | 103.65.41.154:80 | http://mimg.127.net/hxm/dashi-home/p/20151107/style/img/newHome/section1/pc_bg1-dd6b558f98.jpg | CN | image | 163 Kb | suspicious |
2344 | chrome.exe | GET | 200 | 103.65.41.154:80 | http://mimg.127.net/hxm/dashi-home/p/20151107/js/index-0f061e002b.js | CN | text | 12.7 Kb | suspicious |
2344 | chrome.exe | GET | 200 | 103.65.41.154:80 | http://mimg.127.net/hxm/dashi-home/p/20151107/style/img/newHome/WechatQR-7591fe4833.png | CN | image | 4.62 Kb | suspicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2344 | chrome.exe | 172.217.18.163:443 | www.google.de | Google Inc. | US | whitelisted |
2344 | chrome.exe | 216.58.206.3:443 | www.gstatic.com | Google Inc. | US | whitelisted |
2344 | chrome.exe | 216.58.210.10:443 | safebrowsing.googleapis.com | Google Inc. | US | whitelisted |
2344 | chrome.exe | 216.58.210.13:443 | accounts.google.com | Google Inc. | US | whitelisted |
2344 | chrome.exe | 172.217.21.227:443 | clientservices.googleapis.com | Google Inc. | US | whitelisted |
2344 | chrome.exe | 172.217.22.36:443 | www.google.com | Google Inc. | US | whitelisted |
2344 | chrome.exe | 103.65.41.154:443 | mimg.127.net | AOFEI DATA INTERNATIONAL COMPANY LIMITED | CN | unknown |
2344 | chrome.exe | 54.64.105.68:80 | mail.163.com | Amazon.com, Inc. | JP | unknown |
2344 | chrome.exe | 103.65.41.154:80 | mimg.127.net | AOFEI DATA INTERNATIONAL COMPANY LIMITED | CN | unknown |
2344 | chrome.exe | 54.64.105.68:443 | mail.163.com | Amazon.com, Inc. | JP | unknown |
Domain | IP | Reputation |
---|---|---|
clientservices.googleapis.com |
| whitelisted |
www.google.de |
| whitelisted |
www.gstatic.com |
| whitelisted |
safebrowsing.googleapis.com |
| whitelisted |
accounts.google.com |
| shared |
ssl.gstatic.com |
| whitelisted |
www.google.com |
| whitelisted |
mail.163.com |
| shared |
mimg.127.net |
| suspicious |
help.mail.163.com |
| unknown |
PID | Process | Class | Message |
---|---|---|---|
2344 | chrome.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP |
Process | Message |
---|---|
setup.exe | [2608:2520:1214/173751:2425546:VERBOSE1:setup_main.cpp(109)] Command Line: "C:\Users\admin\AppData\Local\Temp\CR_C2032.tmp\setup.exe" --install-archive="C:\Users\admin\AppData\Local\Temp\CR_C2032.tmp\MAILMASTER.PACKED.7Z" --verbose-logging --mini_installer="C:\Users\admin\Downloads\mail.exe" --mailmaster-channel=81
|
setup.exe | [2608:2520:1214/173751:2425546:VERBOSE1:install_util.cpp(169)] Windows NT 6.1 SP1
|
setup.exe | [3344:3396:1214/173756:2430296:VERBOSE1:setup_main.cpp(109)] Command Line: "C:\Users\admin\AppData\Local\Temp\CR_C2032.tmp\setup.exe" --install-archive="C:\Users\admin\AppData\Local\Temp\CR_C2032.tmp\MAILMASTER.PACKED.7Z" --verbose-logging --mini_installer="C:\Users\admin\Downloads\mail.exe" --mailmaster-channel=81 --run-as-admin --system-level
|
setup.exe | [3344:3396:1214/173756:2430296:VERBOSE1:install_util.cpp(169)] Windows NT 6.1 SP1
|
setup.exe | [3344:3396:1214/173756:2430312:INFO:install_service.cpp(163)] Checking Install path: C:\Program Files\Neteasewith install type: 1(1.new 2.down 3.eq 4.up)
|
setup.exe | [3344:3396:1214/173756:2430312:INFO:disk_util.cpp(33)] current path is match free space requirementC:\Program Files\Netease
|
setup.exe | [3344:3396:1214/173756:2430312:INFO:install_service.cpp(168)] Disk space is enough to install: C:\Program Files\Netease
|
setup.exe | [3344:3396:1214/173800:2434031:INFO:setup_window.cpp(220)] checking install path: C:\Program Files\Netease
|
setup.exe | [3344:3192:1214/173800:2434031:VERBOSE1:setup.cpp(662)] multi install is 0
|
setup.exe | [3344:3192:1214/173800:2434046:VERBOSE1:setup.cpp(665)] system install is 1
|