File name: temp.txt
Full analysis: https://app.any.run/tasks/6fa1bc2e-9b96-4003-87a1-77f8817f5de1
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Analysis date: December 14, 2018, 17:36:56
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: loader
Indicators:
MIME: text/plain
File info: ASCII text
MD5: 6A7421D640CB19A0BCDAF90DC0CF60CC
SHA1: 2D886238675F6396D601E3659FDB844809C64189
SHA256: F8AC8CCDC80862B082F3B8C19F54D2A0FC140A4A423C27F004A5DCE6B9BD7DB8
SSDEEP: 3:N8PWNMKBJ9QUaalSJon:2PXKVQU7l6o

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report may be distorted by user actions and is provided as is for the user's information. ANY.RUN does not guarantee the maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • setup.exe (PID: 2608)
      • mail.exe (PID: 2380)
      • setup.exe (PID: 3344)
    • Downloads executable files from the Internet

      • chrome.exe (PID: 2344)
    • Loads dropped or rewritten executable

      • svchost.exe (PID: 844)
      • setup.exe (PID: 3344)
    • Changes the autorun value in the registry

      • setup.exe (PID: 3344)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • chrome.exe (PID: 2344)
      • mail.exe (PID: 2380)
      • setup.exe (PID: 3344)
    • Application launched itself

      • setup.exe (PID: 2608)
    • Creates COM task schedule object

      • setup.exe (PID: 3344)
    • Modifies the open verb of a shell class

      • setup.exe (PID: 3344)
    • Creates files in the user directory

      • setup.exe (PID: 3344)
    • Creates a software uninstall entry

      • setup.exe (PID: 3344)
    • Creates files in the program directory

      • setup.exe (PID: 3344)
  • INFO

    • Reads Internet Cache Settings

      • chrome.exe (PID: 2344)
    • Reads settings of System Certificates

      • chrome.exe (PID: 2344)
    • Application launched itself

      • chrome.exe (PID: 2344)
    • Dropped object may contain Bitcoin addresses

      • setup.exe (PID: 3344)
Find more information about signature artifacts and their mapping to the MITRE ATT&CK™ matrix in the full report
No Malware configuration.
No data.
All screenshots are available in the full report
Total processes: 47
Monitored processes: 13
Malicious processes: 4
Suspicious processes: 0

Behavior graph

Interactive graph not reproduced here. Nodes: notepad.exe (no specs), chrome.exe with eight child chrome.exe processes (no specs), mail.exe, setup.exe (two instances), svchost.exe; edge labels: start, drop and start.

Process information

PID
CMD
Path
Indicators
Parent process
PID: 2944
CMD: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\admin\AppData\Local\Temp\temp.txt
Path: C:\Windows\system32\NOTEPAD.EXE
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Notepad
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
PID: 2344
CMD: "C:\Program Files\Google\Chrome\Application\chrome.exe"
Path: C:\Program Files\Google\Chrome\Application\chrome.exe
Parent process: explorer.exe
User: admin
Company: Google Inc.
Integrity Level: MEDIUM
Description: Google Chrome
Version: 68.0.3440.106
PID: 3148
CMD: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win32 --annotation=prod=Chrome --annotation=ver=68.0.3440.106 --initial-client-data=0x78,0x7c,0x80,0x74,0x84,0x6f4300b0,0x6f4300c0,0x6f4300cc
Path: C:\Program Files\Google\Chrome\Application\chrome.exe
Parent process: chrome.exe
User: admin
Company: Google Inc.
Integrity Level: MEDIUM
Description: Google Chrome
Version: 68.0.3440.106
PID: 2384
CMD: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=watcher --main-thread-id=2352 --on-initialized-event-handle=304 --parent-handle=308 /prefetch:6
Path: C:\Program Files\Google\Chrome\Application\chrome.exe
Parent process: chrome.exe
User: admin
Company: Google Inc.
Integrity Level: MEDIUM
Description: Google Chrome
Version: 68.0.3440.106
PID: 3504
CMD: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=896,1440875912577375196,16516353125945989345,131072 --enable-features=PasswordImport --gpu-preferences=KAAAAAAAAACAAwBAAQAAAAAAAAAAAGAAEAAAAAAAAAAAAAAAAAAAACgAAAAEAAAAIAAAAAAAAAAoAAAAAAAAADAAAAAAAAAAOAAAAAAAAAAQAAAAAAAAAAAAAAAKAAAAEAAAAAAAAAAAAAAACwAAABAAAAAAAAAAAQAAAAoAAAAQAAAAAAAAAAEAAAALAAAA --service-request-channel-token=47B409068F25FA7E6681584528876D83 --mojo-platform-channel-handle=920 --ignored=" --type=renderer " /prefetch:2
Path: C:\Program Files\Google\Chrome\Application\chrome.exe
Parent process: chrome.exe
User: admin
Company: Google Inc.
Integrity Level: LOW
Description: Google Chrome
Version: 68.0.3440.106
PID: 2216
CMD: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=896,1440875912577375196,16516353125945989345,131072 --enable-features=PasswordImport --service-pipe-token=A7B40F077B180A4A19109F951BDB9C00 --lang=en-US --instant-process --enable-offline-auto-reload --enable-offline-auto-reload-visible-only --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=A7B40F077B180A4A19109F951BDB9C00 --renderer-client-id=5 --mojo-platform-channel-handle=1900 /prefetch:1
Path: C:\Program Files\Google\Chrome\Application\chrome.exe
Parent process: chrome.exe
User: admin
Company: Google Inc.
Integrity Level: LOW
Description: Google Chrome
Version: 68.0.3440.106
PID: 2820
CMD: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=896,1440875912577375196,16516353125945989345,131072 --enable-features=PasswordImport --service-pipe-token=A02D72CF683315D50A6EAEC9D8698E7A --lang=en-US --extension-process --enable-offline-auto-reload --enable-offline-auto-reload-visible-only --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=A02D72CF683315D50A6EAEC9D8698E7A --renderer-client-id=3 --mojo-platform-channel-handle=2068 /prefetch:1
Path: C:\Program Files\Google\Chrome\Application\chrome.exe
Parent process: chrome.exe
User: admin
Company: Google Inc.
Integrity Level: LOW
Description: Google Chrome
Exit code: 0
Version: 68.0.3440.106
PID: 2852
CMD: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=896,1440875912577375196,16516353125945989345,131072 --enable-features=PasswordImport --disable-gpu-compositing --service-pipe-token=3EBAD5E87462DB7BAC8AE4FEE3795C57 --lang=en-US --enable-offline-auto-reload --enable-offline-auto-reload-visible-only --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=3EBAD5E87462DB7BAC8AE4FEE3795C57 --renderer-client-id=6 --mojo-platform-channel-handle=3552 /prefetch:1
Path: C:\Program Files\Google\Chrome\Application\chrome.exe
Parent process: chrome.exe
User: admin
Company: Google Inc.
Integrity Level: LOW
Description: Google Chrome
Version: 68.0.3440.106
PID: 2456
CMD: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=896,1440875912577375196,16516353125945989345,131072 --enable-features=PasswordImport --disable-gpu-sandbox --gpu-preferences=KAAAAAAAAACAAwBAAQAAAAAAAAAAAGAAEAAAAAAAAAAAAAAAAAAAACgAAAAEAAAAIAAAAAAAAAAoAAAAAAAAADAAAAAAAAAAOAAAAAAAAAAQAAAAAAAAAAAAAAAKAAAAEAAAAAAAAAAAAAAACwAAABAAAAAAAAAAAQAAAAoAAAAQAAAAAAAAAAEAAAALAAAA --service-request-channel-token=F64D83F0CCA07812360FDBFF538B7CDE --mojo-platform-channel-handle=3864 /prefetch:2
Path: C:\Program Files\Google\Chrome\Application\chrome.exe
Parent process: chrome.exe
User: admin
Company: Google Inc.
Integrity Level: MEDIUM
Description: Google Chrome
Exit code: 0
Version: 68.0.3440.106
PID: 2380
CMD: "C:\Users\admin\Downloads\mail.exe"
Path: C:\Users\admin\Downloads\mail.exe
Parent process: chrome.exe
User: admin
Company: NetEase (Hangzhou) Network Co., Ltd
Integrity Level: MEDIUM
Description: NetEase Mail Master installer (网易邮箱大师安装程序)
Version: 4.10.2.1001
Total events: 1 209
Read events: 1 082
Write events: 124
Delete events: 3

Modification events

(PID) Process: (2344) chrome.exe
Key: HKEY_CURRENT_USER\Software\Google\Chrome\BLBeacon
Operation: write
Name: failed_count
Value: 0

(PID) Process: (2344) chrome.exe
Key: HKEY_CURRENT_USER\Software\Google\Chrome\BLBeacon
Operation: write
Name: state
Value: 2

(PID) Process: (2344) chrome.exe
Key: HKEY_CURRENT_USER\Software\Google\Chrome\BLBeacon
Operation: write
Name: state
Value: 1

(PID) Process: (2344) chrome.exe
Key: HKEY_CURRENT_USER\Software\Google\Update\ClientState\{8A69D345-D564-463c-AFF1-A69D9E530F96}
Operation: write
Name: dr
Value: 1

(PID) Process:
Key: HKEY_CURRENT_USER\Software\Google\Chrome\BrowserExitCodes
Operation: write
Name: 2344-13189282643654000
Value: 259

(PID) Process: (2344) chrome.exe
Key: HKEY_CURRENT_USER\Software\Google\Chrome
Operation: write
Name: UsageStatsInSample
Value: 0

(PID) Process: (2344) chrome.exe
Key: HKEY_CURRENT_USER\Software\Google\Chrome\BrowserExitCodes
Operation: delete value
Name: 3516-13180984670829101
Value: 0

(PID) Process: (2344) chrome.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Google\Update\ClientStateMedium\{8A69D345-D564-463C-AFF1-A69D9E530F96}
Operation: write
Name: usagestats
Value: 0

(PID) Process: (2344) chrome.exe
Key: HKEY_CURRENT_USER\Software\Google\Chrome\BrowserExitCodes
Operation: delete value
Name: 2344-13189282643654000
Value: 259

(PID) Process: (2344) chrome.exe
Key: HKEY_CURRENT_USER\Software\Google\Update\ClientState\{8A69D345-D564-463c-AFF1-A69D9E530F96}
Operation: write
Name: metricsid
Value:
Executable files: 13
Suspicious files: 103
Text files: 68
Unknown types: 15

Dropped files

PID: 2344, Process: chrome.exe
Filename: C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\cee245b9-8d02-45fe-9acc-8a660929f009.tmp
MD5:
SHA256:

PID: 2344, Process: chrome.exe
Filename: C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Download Service\EntryDB\000016.dbtmp
MD5:
SHA256:

PID: 2344, Process: chrome.exe
Filename: C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\data_reduction_proxy_leveldb\000016.dbtmp
MD5:
SHA256:

PID: 2344, Process: chrome.exe
Filename: C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\18e55ca6-2405-4d3a-85e0-d171fb4f984b.tmp
MD5:
SHA256:

PID: 2344, Process: chrome.exe
Filename: C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\LOG.old
Type: text
MD5: 197882774A7ECEC9046BC48F63189B66
SHA256: 27377B0D5F989997C2C3F74ACF163EED44B60631DDAA768F6655D7BE555742B2

PID: 2344, Process: chrome.exe
Filename: C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\data_reduction_proxy_leveldb\LOG.old~RF249684.TMP
Type: text
MD5: 92BE6B127E72365885AD4C3FB6534EE2
SHA256: 54302A2573ACC775720E7DB0AD85873276713302B4F72596A8DCC44B01C70E51

PID: 844, Process: svchost.exe
Filename: C:\Windows\appcompat\programs\RecentFileCache.bcf
Type: txt
MD5: F21900C7A25F863C30D1D846EA91370B
SHA256: 19E89AC099570546B4FB964A14D5E70B72AB17B892739FFE1A6111AD8404641F

PID: 2344, Process: chrome.exe
Filename: C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\LOG.old~RF2496b3.TMP
Type: text
MD5: 197882774A7ECEC9046BC48F63189B66
SHA256: 27377B0D5F989997C2C3F74ACF163EED44B60631DDAA768F6655D7BE555742B2

PID: 2344, Process: chrome.exe
Filename: C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\Database\LOG.old~RF2496b3.TMP
Type: text
MD5: 1AA66EFDB743FB0A8DCC1CD79B0B6542
SHA256: 28D56532CCED7375A2A1C7731E57C1A1C2EC1AC9827F3E5BEEE7F8069A5F87DD

PID: 2344, Process: chrome.exe
Filename: C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\e6622492fa163609ddd4212f54512baa07929ed3\caecb3bd-7969-4305-84d6-3a376453ec73\index-dir\temp-index
MD5:
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 71
TCP/UDP connections: 27
DNS requests: 17
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
2344 | chrome.exe | GET | 200 | 103.65.41.154:80 | http://mimg.127.net/hxm/dashi-home/p/20151107/style/css/common-6a923c3e0a.css | CN | text | 4.17 Kb | suspicious
2344 | chrome.exe | GET | 200 | 103.65.41.154:80 | http://mimg.127.net/hxm/dashi-home/p/20151107/js/respond-1854be559b.js | CN | html | 2.09 Kb | suspicious
2344 | chrome.exe | GET | 200 | 103.65.41.154:80 | http://mimg.127.net/hxm/dashi-home/p/20151107/js/arale-qrcode-1749e8ca9e.js | CN | html | 5.53 Kb | suspicious
2344 | chrome.exe | GET | 200 | 103.65.41.154:80 | http://mimg.127.net/hxm/dashi-home/p/20151107/style/css/index-6531a18a74.css | CN | text | 2.84 Kb | suspicious
2344 | chrome.exe | GET | 200 | 103.65.41.154:80 | http://mimg.127.net/hxm/dashi-home/p/20151107/style/img/newHome/section2/08_iphone-594a8d3d45.png | CN | image | 37.2 Kb | suspicious
2344 | chrome.exe | GET | 200 | 103.65.41.154:80 | http://mimg.127.net/hxm/dashi-home/p/20151107/style/img/newHome/section1/phone_bg1-b8769697a0.jpg | CN | image | 145 Kb | suspicious
2344 | chrome.exe | GET | 200 | 103.65.41.154:80 | http://mimg.127.net/hxm/dashi-home/p/20151107/style/img/newHome/send_suc-f9e05ec25c.png | CN | image | 213 b | suspicious
2344 | chrome.exe | GET | 200 | 103.65.41.154:80 | http://mimg.127.net/hxm/dashi-home/p/20151107/style/img/newHome/section1/pc_bg1-dd6b558f98.jpg | CN | image | 163 Kb | suspicious
2344 | chrome.exe | GET | 200 | 103.65.41.154:80 | http://mimg.127.net/hxm/dashi-home/p/20151107/js/index-0f061e002b.js | CN | text | 12.7 Kb | suspicious
2344 | chrome.exe | GET | 200 | 103.65.41.154:80 | http://mimg.127.net/hxm/dashi-home/p/20151107/style/img/newHome/WechatQR-7591fe4833.png | CN | image | 4.62 Kb | suspicious

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
2344 | chrome.exe | 172.217.18.163:443 | www.google.de | Google Inc. | US | whitelisted
2344 | chrome.exe | 216.58.206.3:443 | www.gstatic.com | Google Inc. | US | whitelisted
2344 | chrome.exe | 216.58.210.10:443 | safebrowsing.googleapis.com | Google Inc. | US | whitelisted
2344 | chrome.exe | 216.58.210.13:443 | accounts.google.com | Google Inc. | US | whitelisted
2344 | chrome.exe | 172.217.21.227:443 | clientservices.googleapis.com | Google Inc. | US | whitelisted
2344 | chrome.exe | 172.217.22.36:443 | www.google.com | Google Inc. | US | whitelisted
2344 | chrome.exe | 103.65.41.154:443 | mimg.127.net | AOFEI DATA INTERNATIONAL COMPANY LIMITED | CN | unknown
2344 | chrome.exe | 54.64.105.68:80 | mail.163.com | Amazon.com, Inc. | JP | unknown
2344 | chrome.exe | 103.65.41.154:80 | mimg.127.net | AOFEI DATA INTERNATIONAL COMPANY LIMITED | CN | unknown
2344 | chrome.exe | 54.64.105.68:443 | mail.163.com | Amazon.com, Inc. | JP | unknown

DNS requests

Domain | IP | Reputation
clientservices.googleapis.com | 172.217.21.227 | whitelisted
www.google.de | 172.217.18.163 | whitelisted
www.gstatic.com | 216.58.206.3 | whitelisted
safebrowsing.googleapis.com | 216.58.210.10 | whitelisted
accounts.google.com | 216.58.210.13 | shared
ssl.gstatic.com | 172.217.18.163 | whitelisted
www.google.com | 172.217.22.36 | whitelisted
mail.163.com | 54.64.105.68 | shared
mimg.127.net | 103.65.41.154 | suspicious
help.mail.163.com | 123.125.50.97 | unknown

Threats

PID | Process | Class | Message
2344 | chrome.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP

Process | Message
setup.exe | [2608:2520:1214/173751:2425546:VERBOSE1:setup_main.cpp(109)] Command Line: "C:\Users\admin\AppData\Local\Temp\CR_C2032.tmp\setup.exe" --install-archive="C:\Users\admin\AppData\Local\Temp\CR_C2032.tmp\MAILMASTER.PACKED.7Z" --verbose-logging --mini_installer="C:\Users\admin\Downloads\mail.exe" --mailmaster-channel=81
setup.exe | [2608:2520:1214/173751:2425546:VERBOSE1:install_util.cpp(169)] Windows NT 6.1 SP1
setup.exe | [3344:3396:1214/173756:2430296:VERBOSE1:setup_main.cpp(109)] Command Line: "C:\Users\admin\AppData\Local\Temp\CR_C2032.tmp\setup.exe" --install-archive="C:\Users\admin\AppData\Local\Temp\CR_C2032.tmp\MAILMASTER.PACKED.7Z" --verbose-logging --mini_installer="C:\Users\admin\Downloads\mail.exe" --mailmaster-channel=81 --run-as-admin --system-level
setup.exe | [3344:3396:1214/173756:2430296:VERBOSE1:install_util.cpp(169)] Windows NT 6.1 SP1
setup.exe | [3344:3396:1214/173756:2430312:INFO:install_service.cpp(163)] Checking Install path: C:\Program Files\Neteasewith install type: 1(1.new 2.down 3.eq 4.up)
setup.exe | [3344:3396:1214/173756:2430312:INFO:disk_util.cpp(33)] current path is match free space requirementC:\Program Files\Netease
setup.exe | [3344:3396:1214/173756:2430312:INFO:install_service.cpp(168)] Disk space is enough to install: C:\Program Files\Netease
setup.exe | [3344:3396:1214/173800:2434031:INFO:setup_window.cpp(220)] checking install path: C:\Program Files\Netease
setup.exe | [3344:3192:1214/173800:2434031:VERBOSE1:setup.cpp(662)] multi install is 0
setup.exe | [3344:3192:1214/173800:2434046:VERBOSE1:setup.cpp(665)] system install is 1