Advanced File Analysis System

File Name: MediaPlay_id3754771id.exe

File Type: PE32 executable (GUI) Intel 80386, for MS Windows

SHA1: 4618f1ae573e668331fa830efcc1c8050c23eff1

MD5: 786bdcc6f403a6bde9ef002e19e391ac

Download Kill Chain Report

Information Discovery

Expresses interest in specific running processes Show sources

api_process_name

MailRuUpdater.exe

Repeatedly searches for a not-found process, may want to run with startbrowser=1 option

Reads data out of its own binary image Show sources

api_process_name	process: 4618f1ae573e668331fa830efcc1c8050c23eff1.exe, pid: 1636, offset: 0x0013ca10, length: 0x0000466b
api_process_name	process: 4618f1ae573e668331fa830efcc1c8050c23eff1.exe, pid: 1636, offset: 0x00141211, length: 0x00071bc6
api_process_name	process: 4618f1ae573e668331fa830efcc1c8050c23eff1.tmp, pid: 2560, offset: 0x00000000, length: 0x0016e200

Networking

Attempts to connect to a dead IP:Port (10 unique times) Show sources

network_host_ip	93.184.220.29:80 (United States)
network_host_ip	217.69.139.247:443 (Russian Federation)
network_host_ip	217.69.139.245:443 (Russian Federation)
network_host_ip	217.69.139.245:80 (Russian Federation)
network_host_ip	23.215.131.194:80 (United States)
network_host_ip	94.100.180.110:443 (Russian Federation)
network_host_ip	23.215.131.177:80 (United States)
network_host_ip	193.0.201.76:443 (Russian Federation)
network_host_ip	72.21.91.29:80 (United States)
network_host_ip	217.69.139.122:443 (Russian Federation)

HTTP traffic contains suspicious features which may be indicative of malware related traffic Show sources

network_anomaly	HTTP traffic uses version 1.0
network_anomaly	http://download.mediaplay.ru/archives/mediaplay.7z
network_anomaly	http://amigobin.cdnmail.ru/AmigoDistrib.exe
network_anomaly	http://sputnikmailru.cdnmail.ru/mailruhomesearchvbm.exe
network_anomaly	http://mrds.mail.ru/update/2/version.txt?type=install&bgn=1&standalone=1&masterid=%7B6F701F8A-827D-4022-B9D7-591EA0276DB0%7D&user_id=%7BC3B64E02-D00F-40E8-955A-2712768AF7BF%7D&osver=7&osbit=64&osvernum=6.1&ossp=Service%20Pack%201&uac=0&admin=1&ver=5.0.0.172&mailru_guard=0&mailru_updater=0&comp_mem=3071&tool_mem=11&elapsed_time=0&mr_service=0&os=win6.1&tool=sputnik&GUID=%7B7A3443F0-1262-404C-9669-83BD646EA222%7D&common_rfr=&install_id=%7B7A3443F0-1262-404C-9669-83BD646EA222%7D&rfr_rules=
network_anomaly	http://mrds.mail.ru/update/2/version.txt?GUID={BE6997F4-D488-4E58-BAAF-8DB21A213BEE}&os=6.1&type=mloader_run&newrfr=mediaplay
network_anomaly	http://mrds.mail.ru/update/2/version.txt?type=spparams&raw=%2Fsilent%20%2Frfr%3Dmediaplay&masterid=%7B6F701F8A-827D-4022-B9D7-591EA0276DB0%7D&user_id=%7BC3B64E02-D00F-40E8-955A-2712768AF7BF%7D&osver=7&osbit=64&osvernum=6.1&ossp=Service%20Pack%201&uac=0&admin=1&ver=5.0.0.172&mailru_guard=0&mailru_updater=0&comp_mem=3071&tool_mem=11&elapsed_time=0&mr_service=0&os=win6.1&tool=sputnik&GUID=%7B7A3443F0-1262-404C-9669-83BD646EA222%7D&common_rfr=&install_id=%7B7A3443F0-1262-404C-9669-83BD646EA222%7D&rfr_rules=
network_anomaly	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAVG%2Fhgj9%2BGUHaOfzhTEYXM%3D
network_anomaly	http://status.geotrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBR3enuod9bxDxzpICGW%2B2sabjf17QQUkFj%2FsJx1qFFUd7Ht8qNDFjiebMUCEAOWX413QS%2FkEIgesIUBbsM%3D
network_anomaly	http://crl.globalsign.net/primobject.crl
network_anomaly	http://mrds.mail.ru/update/2/version.txt?type=setup_unit&id=taskbar_mailru&event=done&masterid=%7B6F701F8A-827D-4022-B9D7-591EA0276DB0%7D&user_id=%7BC3B64E02-D00F-40E8-955A-2712768AF7BF%7D&osver=7&osbit=64&osvernum=6.1&ossp=Service%20Pack%201&uac=0&admin=1&ver=5.0.0.172&mailru_guard=0&mailru_updater=0&comp_mem=3071&tool_mem=18&elapsed_time=147&mr_service=0&os=win6.1&tool=sputnik&GUID=%7B7A3443F0-1262-404C-9669-83BD646EA222%7D&common_rfr=&install_id=%7B7A3443F0-1262-404C-9669-83BD646EA222%7D&rfr_rules=
network_anomaly	http://mrds.mail.ru/update/2/version.txt?type=setup_unit&id=fav_gomailru&event=done&masterid=%7B6F701F8A-827D-4022-B9D7-591EA0276DB0%7D&user_id=%7BC3B64E02-D00F-40E8-955A-2712768AF7BF%7D&osver=7&osbit=64&osvernum=6.1&ossp=Service%20Pack%201&uac=0&admin=1&ver=5.0.0.172&mailru_guard=0&mailru_updater=0&comp_mem=3071&tool_mem=18&elapsed_time=148&mr_service=0&os=win6.1&tool=sputnik&GUID=%7B7A3443F0-1262-404C-9669-83BD646EA222%7D&common_rfr=&install_id=%7B7A3443F0-1262-404C-9669-83BD646EA222%7D&rfr_rules=
network_anomaly	http://mrds.mail.ru/update/2/version.txt?type=setup_unit&id=ie_gomailru&event=done&masterid=%7B6F701F8A-827D-4022-B9D7-591EA0276DB0%7D&user_id=%7BC3B64E02-D00F-40E8-955A-2712768AF7BF%7D&osver=7&osbit=64&osvernum=6.1&ossp=Service%20Pack%201&uac=0&admin=1&ver=5.0.0.172&mailru_guard=0&mailru_updater=0&comp_mem=3071&tool_mem=18&elapsed_time=148&mr_service=0&os=win6.1&tool=sputnik&GUID=%7B7A3443F0-1262-404C-9669-83BD646EA222%7D&common_rfr=&install_id=%7B7A3443F0-1262-404C-9669-83BD646EA222%7D&rfr_rules=
network_anomaly	http://mrds.mail.ru/update/2/version.txt?type=setup_unit&id=ie_mailru&event=done&masterid=%7B6F701F8A-827D-4022-B9D7-591EA0276DB0%7D&user_id=%7BC3B64E02-D00F-40E8-955A-2712768AF7BF%7D&osver=7&osbit=64&osvernum=6.1&ossp=Service%20Pack%201&uac=0&admin=1&ver=5.0.0.172&mailru_guard=0&mailru_updater=0&comp_mem=3071&tool_mem=18&elapsed_time=149&mr_service=0&os=win6.1&tool=sputnik&GUID=%7B7A3443F0-1262-404C-9669-83BD646EA222%7D&common_rfr=&install_id=%7B7A3443F0-1262-404C-9669-83BD646EA222%7D&rfr_rules=
network_anomaly	http://mrds.mail.ru/update/2/version.txt?type=setup_unit&id=desktop_mailru&event=done&masterid=%7B6F701F8A-827D-4022-B9D7-591EA0276DB0%7D&user_id=%7BC3B64E02-D00F-40E8-955A-2712768AF7BF%7D&osver=7&osbit=64&osvernum=6.1&ossp=Service%20Pack%201&uac=0&admin=1&ver=5.0.0.172&mailru_guard=0&mailru_updater=0&comp_mem=3071&tool_mem=18&elapsed_time=149&mr_service=0&os=win6.1&tool=sputnik&GUID=%7B7A3443F0-1262-404C-9669-83BD646EA222%7D&common_rfr=&install_id=%7B7A3443F0-1262-404C-9669-83BD646EA222%7D&rfr_rules=
network_anomaly	http://mrds.mail.ru/update/2/version.txt?type=spnative_load&id=mrupdater&event=done&masterid=%7B6F701F8A-827D-4022-B9D7-591EA0276DB0%7D&user_id=%7BC3B64E02-D00F-40E8-955A-2712768AF7BF%7D&osver=7&osbit=64&osvernum=6.1&ossp=Service%20Pack%201&uac=0&admin=1&ver=5.0.0.172&mailru_guard=0&mailru_updater=0&comp_mem=3071&tool_mem=18&elapsed_time=247&mr_service=0&os=win6.1&tool=sputnik&GUID=%7B7A3443F0-1262-404C-9669-83BD646EA222%7D&common_rfr=&install_id=%7B7A3443F0-1262-404C-9669-83BD646EA222%7D&rfr_rules=
network_anomaly	http://mrds.mail.ru/update/2/version.txt?type=mru_install&ovr=0&masterid=%7B6F701F8A-827D-4022-B9D7-591EA0276DB0%7D&user_id=%7BC3B64E02-D00F-40E8-955A-2712768AF7BF%7D&osver=7&osbit=64&osvernum=6.1&ossp=Service%20Pack%201&uac=0&admin=1&ver=5.0.0.176&mailru_guard=0&mailru_updater=0&comp_mem=3071&tool_mem=7&elapsed_time=20&mr_service=0&os=win6.1&install_id=%7BFDDD13D1-C518-46F4-AF38-584C93AD065A%7D&GUID=%7BFDDD13D1-C518-46F4-AF38-584C93AD065A%7D&tool=mrupdater
network_anomaly	http://mrds.mail.ru/update/2/version.txt?type=mru_online&tool=mrupdater&masterid=%7B6F701F8A-827D-4022-B9D7-591EA0276DB0%7D&user_id=%7BC3B64E02-D00F-40E8-955A-2712768AF7BF%7D&osver=7&osbit=64&osvernum=6.1&ossp=Service%20Pack%201&uac=0&admin=1&ver=5.0.0.176&mailru_guard=0&mailru_updater=1&comp_mem=3071&tool_mem=7&elapsed_time=21&mr_service=0&os=win6.1&install_id=%7BFDDD13D1-C518-46F4-AF38-584C93AD065A%7D&GUID=%7BFDDD13D1-C518-46F4-AF38-584C93AD065A%7D
network_anomaly	http://mrds.mail.ru/update/2/version.txt?type=task_executed&taskid=%7B901B414B-72A2-48C6-8DCD-29388B8B3E40%7D&done=1&masterid=%7B6F701F8A-827D-4022-B9D7-591EA0276DB0%7D&user_id=%7BC3B64E02-D00F-40E8-955A-2712768AF7BF%7D&osver=7&osbit=64&osvernum=6.1&ossp=Service%20Pack%201&uac=0&admin=1&ver=5.0.0.176&mailru_guard=0&mailru_updater=1&comp_mem=3071&tool_mem=11&elapsed_time=100&mr_service=0&os=win6.1&install_id=%7BFDDD13D1-C518-46F4-AF38-584C93AD065A%7D&GUID=%7BFDDD13D1-C518-46F4-AF38-584C93AD065A%7D&tool=mrupdater
network_anomaly	http://mrds.mail.ru/update/2/version.txt?type=task_executed&taskid=smon&masterid=%7B6F701F8A-827D-4022-B9D7-591EA0276DB0%7D&user_id=%7BC3B64E02-D00F-40E8-955A-2712768AF7BF%7D&osver=7&osbit=64&osvernum=6.1&ossp=Service%20Pack%201&uac=0&admin=1&ver=5.0.0.176&mailru_guard=0&mailru_updater=1&comp_mem=3071&tool_mem=11&elapsed_time=101&mr_service=0&os=win6.1&install_id=%7BFDDD13D1-C518-46F4-AF38-584C93AD065A%7D&GUID=%7BFDDD13D1-C518-46F4-AF38-584C93AD065A%7D&tool=mrupdater
network_anomaly	http://mrds.mail.ru/update/2/version.txt?type=sp_prep&time=165091&masterid=%7B6F701F8A-827D-4022-B9D7-591EA0276DB0%7D&user_id=%7BC3B64E02-D00F-40E8-955A-2712768AF7BF%7D&osver=7&osbit=64&osvernum=6.1&ossp=Service%20Pack%201&uac=0&admin=1&ver=5.0.0.172&mailru_guard=0&mailru_updater=1&comp_mem=3071&tool_mem=18&elapsed_time=314&mr_service=0&os=win6.1&tool=sputnik&GUID=%7B7A3443F0-1262-404C-9669-83BD646EA222%7D&common_rfr=&install_id=%7B7A3443F0-1262-404C-9669-83BD646EA222%7D&rfr_rules=
network_anomaly	http://mrds.mail.ru/update/2/version.txt?type=mru_online_service&masterid=%7B6F701F8A-827D-4022-B9D7-591EA0276DB0%7D&user_id=%7BC3B64E02-D00F-40E8-955A-2712768AF7BF%7D&osver=7&osbit=64&osvernum=6.1&ossp=Service%20Pack%201&uac=0&admin=1&ver=5.0.0.176&mailru_guard=0&mailru_updater=1&comp_mem=3071&tool_mem=7&elapsed_time=20&mr_service=1&os=win6.1&install_id=%7BFDDD13D1-C518-46F4-AF38-584C93AD065A%7D&GUID=%7BFDDD13D1-C518-46F4-AF38-584C93AD065A%7D&tool=mrupdater
network_anomaly	http://mrds.mail.ru/update/2/version.txt?type=mru_install_service&masterid=%7B6F701F8A-827D-4022-B9D7-591EA0276DB0%7D&user_id=%7BC3B64E02-D00F-40E8-955A-2712768AF7BF%7D&osver=7&osbit=64&osvernum=6.1&ossp=Service%20Pack%201&uac=0&admin=1&ver=5.0.0.176&mailru_guard=0&mailru_updater=1&comp_mem=3071&tool_mem=8&elapsed_time=31&mr_service=0&os=win6.1&install_id=%7BFDDD13D1-C518-46F4-AF38-584C93AD065A%7D&GUID=%7BFDDD13D1-C518-46F4-AF38-584C93AD065A%7D&tool=mrupdater
network_anomaly	http://mrds.mail.ru/update/2/version.txt?type=mruinfo&last_ch=80263646&ch_ver=48.0.2564.103&ie_hp=www.google.ro&ie_dse=www.bing.com&ie_ver=8.00.7600.16385&last_ff=46655904&ff_ver=46.0.1&masterid=%7B6F701F8A-827D-4022-B9D7-591EA0276DB0%7D&user_id=%7BC3B64E02-D00F-40E8-955A-2712768AF7BF%7D&osver=7&osbit=64&osvernum=6.1&ossp=Service%20Pack%201&uac=0&admin=1&ver=5.0.0.176&mailru_guard=0&mailru_updater=1&comp_mem=3071&tool_mem=11&elapsed_time=693&mr_service=0&os=win6.1&install_id=%7BFDDD13D1-C518-46F4-AF38-584C93AD065A%7D&GUID=%7BFDDD13D1-C518-46F4-AF38-584C93AD065A%7D&tool=mrupdater
network_anomaly	http://mrds.mail.ru/update/2/version.txt?type=task_executed&taskid=%7B2AB1F4AB-E3FA-4047-9033-EC223C8354F5%7D&done=1&masterid=%7B6F701F8A-827D-4022-B9D7-591EA0276DB0%7D&user_id=%7BC3B64E02-D00F-40E8-955A-2712768AF7BF%7D&osver=7&osbit=64&osvernum=6.1&ossp=Service%20Pack%201&uac=0&admin=1&ver=5.0.0.176&mailru_guard=0&mailru_updater=1&comp_mem=3071&tool_mem=11&elapsed_time=693&mr_service=0&os=win6.1&install_id=%7BFDDD13D1-C518-46F4-AF38-584C93AD065A%7D&GUID=%7BFDDD13D1-C518-46F4-AF38-584C93AD065A%7D&tool=mrupdater
network_anomaly	http://mrds.mail.ru/update/2/version.txt?type=task_executed&taskid=%7B4C1D0C36-25B2-4774-80E8-DAE1E7898A1A%7D&done=1&masterid=%7B6F701F8A-827D-4022-B9D7-591EA0276DB0%7D&user_id=%7BC3B64E02-D00F-40E8-955A-2712768AF7BF%7D&osver=7&osbit=64&osvernum=6.1&ossp=Service%20Pack%201&uac=0&admin=1&ver=5.0.0.176&mailru_guard=0&mailru_updater=1&comp_mem=3071&tool_mem=11&elapsed_time=1284&mr_service=0&os=win6.1&install_id=%7BFDDD13D1-C518-46F4-AF38-584C93AD065A%7D&GUID=%7BFDDD13D1-C518-46F4-AF38-584C93AD065A%7D&tool=mrupdater
network_anomaly	http://mrds.mail.ru/update/2/version.txt?type=task_executed&taskid=%7B901B414B-72A2-48C6-8DCD-29388B8B3E40%7D&done=1&masterid=%7B6F701F8A-827D-4022-B9D7-591EA0276DB0%7D&user_id=%7BC3B64E02-D00F-40E8-955A-2712768AF7BF%7D&osver=7&osbit=64&osvernum=6.1&ossp=Service%20Pack%201&uac=0&admin=1&ver=5.0.0.176&mailru_guard=0&mailru_updater=1&comp_mem=3071&tool_mem=10&elapsed_time=124&mr_service=1&os=win6.1&install_id=%7BFDDD13D1-C518-46F4-AF38-584C93AD065A%7D&GUID=%7BFDDD13D1-C518-46F4-AF38-584C93AD065A%7D&tool=mrupdater
network_anomaly	http://mrds.mail.ru/update/2/version.txt?type=task_executed&taskid=%7B84DC8324-C256-4EF5-B0DC-383B43EE77E9%7D&done=1&masterid=%7B6F701F8A-827D-4022-B9D7-591EA0276DB0%7D&user_id=%7BC3B64E02-D00F-40E8-955A-2712768AF7BF%7D&osver=7&osbit=64&osvernum=6.1&ossp=Service%20Pack%201&uac=0&admin=1&ver=5.0.0.176&mailru_guard=0&mailru_updater=1&comp_mem=3071&tool_mem=12&elapsed_time=1875&mr_service=0&os=win6.1&install_id=%7BFDDD13D1-C518-46F4-AF38-584C93AD065A%7D&GUID=%7BFDDD13D1-C518-46F4-AF38-584C93AD065A%7D&tool=mrupdater
network_anomaly	http://mrds.mail.ru/update/2/version.txt?type=spnative_run&id=mrupdater&event=done&exit_code=0&masterid=%7B6F701F8A-827D-4022-B9D7-591EA0276DB0%7D&user_id=%7BC3B64E02-D00F-40E8-955A-2712768AF7BF%7D&osver=7&osbit=64&osvernum=6.1&ossp=Service%20Pack%201&uac=0&admin=1&ver=5.0.0.172&mailru_guard=0&mailru_updater=1&comp_mem=3071&tool_mem=19&elapsed_time=317&mr_service=0&os=win6.1&tool=sputnik&GUID=%7B7A3443F0-1262-404C-9669-83BD646EA222%7D&common_rfr=&install_id=%7B7A3443F0-1262-404C-9669-83BD646EA222%7D&rfr_rules=
network_anomaly	http://mrds.mail.ru/update/2/version.txt?type=task_executed&taskid=%7BB202C093-6D9F-43F2-8B6C-44FC1583EFAF%7D&done=1&masterid=%7B6F701F8A-827D-4022-B9D7-591EA0276DB0%7D&user_id=%7BC3B64E02-D00F-40E8-955A-2712768AF7BF%7D&osver=7&osbit=64&osvernum=6.1&ossp=Service%20Pack%201&uac=0&admin=1&ver=5.0.0.176&mailru_guard=0&mailru_updater=1&comp_mem=3071&tool_mem=12&elapsed_time=2466&mr_service=0&os=win6.1&install_id=%7BFDDD13D1-C518-46F4-AF38-584C93AD065A%7D&GUID=%7BFDDD13D1-C518-46F4-AF38-584C93AD065A%7D&tool=mrupdater
network_anomaly	http://mrds.mail.ru/update/2/version.txt?type=task_executed&taskid=%7BFC604959-8A01-4E8B-A3E5-87CEEBD6FEDB%7D&done=1&masterid=%7B6F701F8A-827D-4022-B9D7-591EA0276DB0%7D&user_id=%7BC3B64E02-D00F-40E8-955A-2712768AF7BF%7D&osver=7&osbit=64&osvernum=6.1&ossp=Service%20Pack%201&uac=0&admin=1&ver=5.0.0.176&mailru_guard=0&mailru_updater=1&comp_mem=3071&tool_mem=12&elapsed_time=3057&mr_service=0&os=win6.1&install_id=%7BFDDD13D1-C518-46F4-AF38-584C93AD065A%7D&GUID=%7BFDDD13D1-C518-46F4-AF38-584C93AD065A%7D&tool=mrupdater
network_anomaly	http://mrds.mail.ru/update/2/version.txt?type=prog_set&target=ch&prog=xtn_dse&event=done&mr_ext=gbnhehnpnbiioheicppmmmjaekcdfigc&masterid=%7B6F701F8A-827D-4022-B9D7-591EA0276DB0%7D&user_id=%7BC3B64E02-D00F-40E8-955A-2712768AF7BF%7D&osver=7&osbit=64&osvernum=6.1&ossp=Service%20Pack%201&uac=0&admin=1&ver=5.0.0.172&mailru_guard=0&mailru_updater=1&comp_mem=3071&tool_mem=19&elapsed_time=361&mr_service=0&os=win6.1&tool=sputnik&GUID=%7B7A3443F0-1262-404C-9669-83BD646EA222%7D&common_rfr=&install_id=%7B7A3443F0-1262-404C-9669-83BD646EA222%7D&rfr_rules=
network_anomaly	http://mrds.mail.ru/update/2/version.txt?type=prog_set&target=ch&prog=xtn_hp&event=done&mr_ext=fppjhfcgnalgfiimdflmikpifodndljf&masterid=%7B6F701F8A-827D-4022-B9D7-591EA0276DB0%7D&user_id=%7BC3B64E02-D00F-40E8-955A-2712768AF7BF%7D&osver=7&osbit=64&osvernum=6.1&ossp=Service%20Pack%201&uac=0&admin=1&ver=5.0.0.172&mailru_guard=0&mailru_updater=1&comp_mem=3071&tool_mem=19&elapsed_time=496&mr_service=0&os=win6.1&tool=sputnik&GUID=%7B7A3443F0-1262-404C-9669-83BD646EA222%7D&common_rfr=&install_id=%7B7A3443F0-1262-404C-9669-83BD646EA222%7D&rfr_rules=
network_anomaly	http://mrds.mail.ru/update/2/version.txt?type=task_executed&taskid=%7B2AB1F4AB-E3FA-4047-9033-EC223C8354F5%7D&done=1&masterid=%7B6F701F8A-827D-4022-B9D7-591EA0276DB0%7D&user_id=%7BC3B64E02-D00F-40E8-955A-2712768AF7BF%7D&osver=7&osbit=64&osvernum=6.1&ossp=Service%20Pack%201&uac=0&admin=1&ver=5.0.0.176&mailru_guard=0&mailru_updater=1&comp_mem=3071&tool_mem=12&elapsed_time=11583&mr_service=0&os=win6.1&install_id=%7BFDDD13D1-C518-46F4-AF38-584C93AD065A%7D&GUID=%7BFDDD13D1-C518-46F4-AF38-584C93AD065A%7D&tool=mrupdater
network_anomaly	http://mrds.mail.ru/update/2/version.txt?GUID={BE6997F4-D488-4E58-BAAF-8DB21A213BEE}&os=6.1&type=mloader_downloaded&newrfr=mediaplay
network_anomaly	http://mrds.mail.ru/update/2/version.txt?type=prog_set&target=ch&prog=xtn_pult&event=done&mr_ext=ebkgajjadgojjkgacfgjpnpgagpecpjp&masterid=%7B6F701F8A-827D-4022-B9D7-591EA0276DB0%7D&user_id=%7BC3B64E02-D00F-40E8-955A-2712768AF7BF%7D&osver=7&osbit=64&osvernum=6.1&ossp=Service%20Pack%201&uac=0&admin=1&ver=5.0.0.172&mailru_guard=0&mailru_updater=1&comp_mem=3071&tool_mem=19&elapsed_time=594&mr_service=0&os=win6.1&tool=sputnik&GUID=%7B7A3443F0-1262-404C-9669-83BD646EA222%7D&common_rfr=&install_id=%7B7A3443F0-1262-404C-9669-83BD646EA222%7D&rfr_rules=

Performs some HTTP requests Show sources

network_url	http://download.mediaplay.ru/archives/mediaplay.7z
network_url	http://amigobin.cdnmail.ru/AmigoDistrib.exe
network_url	http://sputnikmailru.cdnmail.ru/mailruhomesearchvbm.exe
network_url	http://mrds.mail.ru/update/2/version.txt?type=install&bgn=1&standalone=1&masterid=%7B6F701F8A-827D-4022-B9D7-591EA0276DB0%7D&user_id=%7BC3B64E02-D00F-40E8-955A-2712768AF7BF%7D&osver=7&osbit=64&osvernum=6.1&ossp=Service%20Pack%201&uac=0&admin=1&ver=5.0.0.172&mailru_guard=0&mailru_updater=0&comp_mem=3071&tool_mem=11&elapsed_time=0&mr_service=0&os=win6.1&tool=sputnik&GUID=%7B7A3443F0-1262-404C-9669-83BD646EA222%7D&common_rfr=&install_id=%7B7A3443F0-1262-404C-9669-83BD646EA222%7D&rfr_rules=
network_url	http://mrds.mail.ru/update/2/version.txt?GUID={BE6997F4-D488-4E58-BAAF-8DB21A213BEE}&os=6.1&type=mloader_run&newrfr=mediaplay
network_url	http://mrds.mail.ru/update/2/version.txt?type=spparams&raw=%2Fsilent%20%2Frfr%3Dmediaplay&masterid=%7B6F701F8A-827D-4022-B9D7-591EA0276DB0%7D&user_id=%7BC3B64E02-D00F-40E8-955A-2712768AF7BF%7D&osver=7&osbit=64&osvernum=6.1&ossp=Service%20Pack%201&uac=0&admin=1&ver=5.0.0.172&mailru_guard=0&mailru_updater=0&comp_mem=3071&tool_mem=11&elapsed_time=0&mr_service=0&os=win6.1&tool=sputnik&GUID=%7B7A3443F0-1262-404C-9669-83BD646EA222%7D&common_rfr=&install_id=%7B7A3443F0-1262-404C-9669-83BD646EA222%7D&rfr_rules=
network_url	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAVG%2Fhgj9%2BGUHaOfzhTEYXM%3D
network_url	http://status.geotrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBR3enuod9bxDxzpICGW%2B2sabjf17QQUkFj%2FsJx1qFFUd7Ht8qNDFjiebMUCEAOWX413QS%2FkEIgesIUBbsM%3D
network_url	http://crl.globalsign.net/primobject.crl
network_url	http://mrds.mail.ru/update/2/version.txt?type=setup_unit&id=taskbar_mailru&event=done&masterid=%7B6F701F8A-827D-4022-B9D7-591EA0276DB0%7D&user_id=%7BC3B64E02-D00F-40E8-955A-2712768AF7BF%7D&osver=7&osbit=64&osvernum=6.1&ossp=Service%20Pack%201&uac=0&admin=1&ver=5.0.0.172&mailru_guard=0&mailru_updater=0&comp_mem=3071&tool_mem=18&elapsed_time=147&mr_service=0&os=win6.1&tool=sputnik&GUID=%7B7A3443F0-1262-404C-9669-83BD646EA222%7D&common_rfr=&install_id=%7B7A3443F0-1262-404C-9669-83BD646EA222%7D&rfr_rules=
network_url	http://mrds.mail.ru/update/2/version.txt?type=setup_unit&id=fav_gomailru&event=done&masterid=%7B6F701F8A-827D-4022-B9D7-591EA0276DB0%7D&user_id=%7BC3B64E02-D00F-40E8-955A-2712768AF7BF%7D&osver=7&osbit=64&osvernum=6.1&ossp=Service%20Pack%201&uac=0&admin=1&ver=5.0.0.172&mailru_guard=0&mailru_updater=0&comp_mem=3071&tool_mem=18&elapsed_time=148&mr_service=0&os=win6.1&tool=sputnik&GUID=%7B7A3443F0-1262-404C-9669-83BD646EA222%7D&common_rfr=&install_id=%7B7A3443F0-1262-404C-9669-83BD646EA222%7D&rfr_rules=
network_url	http://mrds.mail.ru/update/2/version.txt?type=setup_unit&id=ie_gomailru&event=done&masterid=%7B6F701F8A-827D-4022-B9D7-591EA0276DB0%7D&user_id=%7BC3B64E02-D00F-40E8-955A-2712768AF7BF%7D&osver=7&osbit=64&osvernum=6.1&ossp=Service%20Pack%201&uac=0&admin=1&ver=5.0.0.172&mailru_guard=0&mailru_updater=0&comp_mem=3071&tool_mem=18&elapsed_time=148&mr_service=0&os=win6.1&tool=sputnik&GUID=%7B7A3443F0-1262-404C-9669-83BD646EA222%7D&common_rfr=&install_id=%7B7A3443F0-1262-404C-9669-83BD646EA222%7D&rfr_rules=
network_url	http://mrds.mail.ru/update/2/version.txt?type=setup_unit&id=ie_mailru&event=done&masterid=%7B6F701F8A-827D-4022-B9D7-591EA0276DB0%7D&user_id=%7BC3B64E02-D00F-40E8-955A-2712768AF7BF%7D&osver=7&osbit=64&osvernum=6.1&ossp=Service%20Pack%201&uac=0&admin=1&ver=5.0.0.172&mailru_guard=0&mailru_updater=0&comp_mem=3071&tool_mem=18&elapsed_time=149&mr_service=0&os=win6.1&tool=sputnik&GUID=%7B7A3443F0-1262-404C-9669-83BD646EA222%7D&common_rfr=&install_id=%7B7A3443F0-1262-404C-9669-83BD646EA222%7D&rfr_rules=
network_url	http://mrds.mail.ru/update/2/version.txt?type=setup_unit&id=desktop_mailru&event=done&masterid=%7B6F701F8A-827D-4022-B9D7-591EA0276DB0%7D&user_id=%7BC3B64E02-D00F-40E8-955A-2712768AF7BF%7D&osver=7&osbit=64&osvernum=6.1&ossp=Service%20Pack%201&uac=0&admin=1&ver=5.0.0.172&mailru_guard=0&mailru_updater=0&comp_mem=3071&tool_mem=18&elapsed_time=149&mr_service=0&os=win6.1&tool=sputnik&GUID=%7B7A3443F0-1262-404C-9669-83BD646EA222%7D&common_rfr=&install_id=%7B7A3443F0-1262-404C-9669-83BD646EA222%7D&rfr_rules=
network_url	http://mrds.mail.ru/update/2/version.txt?type=spnative_load&id=mrupdater&event=done&masterid=%7B6F701F8A-827D-4022-B9D7-591EA0276DB0%7D&user_id=%7BC3B64E02-D00F-40E8-955A-2712768AF7BF%7D&osver=7&osbit=64&osvernum=6.1&ossp=Service%20Pack%201&uac=0&admin=1&ver=5.0.0.172&mailru_guard=0&mailru_updater=0&comp_mem=3071&tool_mem=18&elapsed_time=247&mr_service=0&os=win6.1&tool=sputnik&GUID=%7B7A3443F0-1262-404C-9669-83BD646EA222%7D&common_rfr=&install_id=%7B7A3443F0-1262-404C-9669-83BD646EA222%7D&rfr_rules=
network_url	http://mrds.mail.ru/update/2/version.txt?type=mru_install&ovr=0&masterid=%7B6F701F8A-827D-4022-B9D7-591EA0276DB0%7D&user_id=%7BC3B64E02-D00F-40E8-955A-2712768AF7BF%7D&osver=7&osbit=64&osvernum=6.1&ossp=Service%20Pack%201&uac=0&admin=1&ver=5.0.0.176&mailru_guard=0&mailru_updater=0&comp_mem=3071&tool_mem=7&elapsed_time=20&mr_service=0&os=win6.1&install_id=%7BFDDD13D1-C518-46F4-AF38-584C93AD065A%7D&GUID=%7BFDDD13D1-C518-46F4-AF38-584C93AD065A%7D&tool=mrupdater
network_url	http://mrds.mail.ru/update/2/version.txt?type=mru_online&tool=mrupdater&masterid=%7B6F701F8A-827D-4022-B9D7-591EA0276DB0%7D&user_id=%7BC3B64E02-D00F-40E8-955A-2712768AF7BF%7D&osver=7&osbit=64&osvernum=6.1&ossp=Service%20Pack%201&uac=0&admin=1&ver=5.0.0.176&mailru_guard=0&mailru_updater=1&comp_mem=3071&tool_mem=7&elapsed_time=21&mr_service=0&os=win6.1&install_id=%7BFDDD13D1-C518-46F4-AF38-584C93AD065A%7D&GUID=%7BFDDD13D1-C518-46F4-AF38-584C93AD065A%7D
network_url	http://mrds.mail.ru/update/2/version.txt?type=task_executed&taskid=%7B901B414B-72A2-48C6-8DCD-29388B8B3E40%7D&done=1&masterid=%7B6F701F8A-827D-4022-B9D7-591EA0276DB0%7D&user_id=%7BC3B64E02-D00F-40E8-955A-2712768AF7BF%7D&osver=7&osbit=64&osvernum=6.1&ossp=Service%20Pack%201&uac=0&admin=1&ver=5.0.0.176&mailru_guard=0&mailru_updater=1&comp_mem=3071&tool_mem=11&elapsed_time=100&mr_service=0&os=win6.1&install_id=%7BFDDD13D1-C518-46F4-AF38-584C93AD065A%7D&GUID=%7BFDDD13D1-C518-46F4-AF38-584C93AD065A%7D&tool=mrupdater
network_url	http://mrds.mail.ru/update/2/version.txt?type=task_executed&taskid=smon&masterid=%7B6F701F8A-827D-4022-B9D7-591EA0276DB0%7D&user_id=%7BC3B64E02-D00F-40E8-955A-2712768AF7BF%7D&osver=7&osbit=64&osvernum=6.1&ossp=Service%20Pack%201&uac=0&admin=1&ver=5.0.0.176&mailru_guard=0&mailru_updater=1&comp_mem=3071&tool_mem=11&elapsed_time=101&mr_service=0&os=win6.1&install_id=%7BFDDD13D1-C518-46F4-AF38-584C93AD065A%7D&GUID=%7BFDDD13D1-C518-46F4-AF38-584C93AD065A%7D&tool=mrupdater
network_url	http://mrds.mail.ru/update/2/version.txt?type=sp_prep&time=165091&masterid=%7B6F701F8A-827D-4022-B9D7-591EA0276DB0%7D&user_id=%7BC3B64E02-D00F-40E8-955A-2712768AF7BF%7D&osver=7&osbit=64&osvernum=6.1&ossp=Service%20Pack%201&uac=0&admin=1&ver=5.0.0.172&mailru_guard=0&mailru_updater=1&comp_mem=3071&tool_mem=18&elapsed_time=314&mr_service=0&os=win6.1&tool=sputnik&GUID=%7B7A3443F0-1262-404C-9669-83BD646EA222%7D&common_rfr=&install_id=%7B7A3443F0-1262-404C-9669-83BD646EA222%7D&rfr_rules=
network_url	http://mrds.mail.ru/update/2/version.txt?type=mru_online_service&masterid=%7B6F701F8A-827D-4022-B9D7-591EA0276DB0%7D&user_id=%7BC3B64E02-D00F-40E8-955A-2712768AF7BF%7D&osver=7&osbit=64&osvernum=6.1&ossp=Service%20Pack%201&uac=0&admin=1&ver=5.0.0.176&mailru_guard=0&mailru_updater=1&comp_mem=3071&tool_mem=7&elapsed_time=20&mr_service=1&os=win6.1&install_id=%7BFDDD13D1-C518-46F4-AF38-584C93AD065A%7D&GUID=%7BFDDD13D1-C518-46F4-AF38-584C93AD065A%7D&tool=mrupdater
network_url	http://mrds.mail.ru/update/2/version.txt?type=mru_install_service&masterid=%7B6F701F8A-827D-4022-B9D7-591EA0276DB0%7D&user_id=%7BC3B64E02-D00F-40E8-955A-2712768AF7BF%7D&osver=7&osbit=64&osvernum=6.1&ossp=Service%20Pack%201&uac=0&admin=1&ver=5.0.0.176&mailru_guard=0&mailru_updater=1&comp_mem=3071&tool_mem=8&elapsed_time=31&mr_service=0&os=win6.1&install_id=%7BFDDD13D1-C518-46F4-AF38-584C93AD065A%7D&GUID=%7BFDDD13D1-C518-46F4-AF38-584C93AD065A%7D&tool=mrupdater
network_url	http://mrds.mail.ru/update/2/version.txt?type=mruinfo&last_ch=80263646&ch_ver=48.0.2564.103&ie_hp=www.google.ro&ie_dse=www.bing.com&ie_ver=8.00.7600.16385&last_ff=46655904&ff_ver=46.0.1&masterid=%7B6F701F8A-827D-4022-B9D7-591EA0276DB0%7D&user_id=%7BC3B64E02-D00F-40E8-955A-2712768AF7BF%7D&osver=7&osbit=64&osvernum=6.1&ossp=Service%20Pack%201&uac=0&admin=1&ver=5.0.0.176&mailru_guard=0&mailru_updater=1&comp_mem=3071&tool_mem=11&elapsed_time=693&mr_service=0&os=win6.1&install_id=%7BFDDD13D1-C518-46F4-AF38-584C93AD065A%7D&GUID=%7BFDDD13D1-C518-46F4-AF38-584C93AD065A%7D&tool=mrupdater
network_url	http://mrds.mail.ru/update/2/version.txt?type=task_executed&taskid=%7B2AB1F4AB-E3FA-4047-9033-EC223C8354F5%7D&done=1&masterid=%7B6F701F8A-827D-4022-B9D7-591EA0276DB0%7D&user_id=%7BC3B64E02-D00F-40E8-955A-2712768AF7BF%7D&osver=7&osbit=64&osvernum=6.1&ossp=Service%20Pack%201&uac=0&admin=1&ver=5.0.0.176&mailru_guard=0&mailru_updater=1&comp_mem=3071&tool_mem=11&elapsed_time=693&mr_service=0&os=win6.1&install_id=%7BFDDD13D1-C518-46F4-AF38-584C93AD065A%7D&GUID=%7BFDDD13D1-C518-46F4-AF38-584C93AD065A%7D&tool=mrupdater
network_url	http://mrds.mail.ru/update/2/version.txt?type=task_executed&taskid=%7B4C1D0C36-25B2-4774-80E8-DAE1E7898A1A%7D&done=1&masterid=%7B6F701F8A-827D-4022-B9D7-591EA0276DB0%7D&user_id=%7BC3B64E02-D00F-40E8-955A-2712768AF7BF%7D&osver=7&osbit=64&osvernum=6.1&ossp=Service%20Pack%201&uac=0&admin=1&ver=5.0.0.176&mailru_guard=0&mailru_updater=1&comp_mem=3071&tool_mem=11&elapsed_time=1284&mr_service=0&os=win6.1&install_id=%7BFDDD13D1-C518-46F4-AF38-584C93AD065A%7D&GUID=%7BFDDD13D1-C518-46F4-AF38-584C93AD065A%7D&tool=mrupdater
network_url	http://mrds.mail.ru/update/2/version.txt?type=task_executed&taskid=%7B901B414B-72A2-48C6-8DCD-29388B8B3E40%7D&done=1&masterid=%7B6F701F8A-827D-4022-B9D7-591EA0276DB0%7D&user_id=%7BC3B64E02-D00F-40E8-955A-2712768AF7BF%7D&osver=7&osbit=64&osvernum=6.1&ossp=Service%20Pack%201&uac=0&admin=1&ver=5.0.0.176&mailru_guard=0&mailru_updater=1&comp_mem=3071&tool_mem=10&elapsed_time=124&mr_service=1&os=win6.1&install_id=%7BFDDD13D1-C518-46F4-AF38-584C93AD065A%7D&GUID=%7BFDDD13D1-C518-46F4-AF38-584C93AD065A%7D&tool=mrupdater
network_url	http://mrds.mail.ru/update/2/version.txt?type=task_executed&taskid=%7B84DC8324-C256-4EF5-B0DC-383B43EE77E9%7D&done=1&masterid=%7B6F701F8A-827D-4022-B9D7-591EA0276DB0%7D&user_id=%7BC3B64E02-D00F-40E8-955A-2712768AF7BF%7D&osver=7&osbit=64&osvernum=6.1&ossp=Service%20Pack%201&uac=0&admin=1&ver=5.0.0.176&mailru_guard=0&mailru_updater=1&comp_mem=3071&tool_mem=12&elapsed_time=1875&mr_service=0&os=win6.1&install_id=%7BFDDD13D1-C518-46F4-AF38-584C93AD065A%7D&GUID=%7BFDDD13D1-C518-46F4-AF38-584C93AD065A%7D&tool=mrupdater
network_url	http://mrds.mail.ru/update/2/version.txt?type=spnative_run&id=mrupdater&event=done&exit_code=0&masterid=%7B6F701F8A-827D-4022-B9D7-591EA0276DB0%7D&user_id=%7BC3B64E02-D00F-40E8-955A-2712768AF7BF%7D&osver=7&osbit=64&osvernum=6.1&ossp=Service%20Pack%201&uac=0&admin=1&ver=5.0.0.172&mailru_guard=0&mailru_updater=1&comp_mem=3071&tool_mem=19&elapsed_time=317&mr_service=0&os=win6.1&tool=sputnik&GUID=%7B7A3443F0-1262-404C-9669-83BD646EA222%7D&common_rfr=&install_id=%7B7A3443F0-1262-404C-9669-83BD646EA222%7D&rfr_rules=
network_url	http://mrds.mail.ru/update/2/version.txt?type=task_executed&taskid=%7BB202C093-6D9F-43F2-8B6C-44FC1583EFAF%7D&done=1&masterid=%7B6F701F8A-827D-4022-B9D7-591EA0276DB0%7D&user_id=%7BC3B64E02-D00F-40E8-955A-2712768AF7BF%7D&osver=7&osbit=64&osvernum=6.1&ossp=Service%20Pack%201&uac=0&admin=1&ver=5.0.0.176&mailru_guard=0&mailru_updater=1&comp_mem=3071&tool_mem=12&elapsed_time=2466&mr_service=0&os=win6.1&install_id=%7BFDDD13D1-C518-46F4-AF38-584C93AD065A%7D&GUID=%7BFDDD13D1-C518-46F4-AF38-584C93AD065A%7D&tool=mrupdater
network_url	http://mrds.mail.ru/update/2/version.txt?type=task_executed&taskid=%7BFC604959-8A01-4E8B-A3E5-87CEEBD6FEDB%7D&done=1&masterid=%7B6F701F8A-827D-4022-B9D7-591EA0276DB0%7D&user_id=%7BC3B64E02-D00F-40E8-955A-2712768AF7BF%7D&osver=7&osbit=64&osvernum=6.1&ossp=Service%20Pack%201&uac=0&admin=1&ver=5.0.0.176&mailru_guard=0&mailru_updater=1&comp_mem=3071&tool_mem=12&elapsed_time=3057&mr_service=0&os=win6.1&install_id=%7BFDDD13D1-C518-46F4-AF38-584C93AD065A%7D&GUID=%7BFDDD13D1-C518-46F4-AF38-584C93AD065A%7D&tool=mrupdater
network_url	http://mrds.mail.ru/update/2/version.txt?type=prog_set&target=ch&prog=xtn_dse&event=done&mr_ext=gbnhehnpnbiioheicppmmmjaekcdfigc&masterid=%7B6F701F8A-827D-4022-B9D7-591EA0276DB0%7D&user_id=%7BC3B64E02-D00F-40E8-955A-2712768AF7BF%7D&osver=7&osbit=64&osvernum=6.1&ossp=Service%20Pack%201&uac=0&admin=1&ver=5.0.0.172&mailru_guard=0&mailru_updater=1&comp_mem=3071&tool_mem=19&elapsed_time=361&mr_service=0&os=win6.1&tool=sputnik&GUID=%7B7A3443F0-1262-404C-9669-83BD646EA222%7D&common_rfr=&install_id=%7B7A3443F0-1262-404C-9669-83BD646EA222%7D&rfr_rules=
network_url	http://mrds.mail.ru/update/2/version.txt?type=prog_set&target=ch&prog=xtn_hp&event=done&mr_ext=fppjhfcgnalgfiimdflmikpifodndljf&masterid=%7B6F701F8A-827D-4022-B9D7-591EA0276DB0%7D&user_id=%7BC3B64E02-D00F-40E8-955A-2712768AF7BF%7D&osver=7&osbit=64&osvernum=6.1&ossp=Service%20Pack%201&uac=0&admin=1&ver=5.0.0.172&mailru_guard=0&mailru_updater=1&comp_mem=3071&tool_mem=19&elapsed_time=496&mr_service=0&os=win6.1&tool=sputnik&GUID=%7B7A3443F0-1262-404C-9669-83BD646EA222%7D&common_rfr=&install_id=%7B7A3443F0-1262-404C-9669-83BD646EA222%7D&rfr_rules=
network_url	http://mrds.mail.ru/update/2/version.txt?type=task_executed&taskid=%7B2AB1F4AB-E3FA-4047-9033-EC223C8354F5%7D&done=1&masterid=%7B6F701F8A-827D-4022-B9D7-591EA0276DB0%7D&user_id=%7BC3B64E02-D00F-40E8-955A-2712768AF7BF%7D&osver=7&osbit=64&osvernum=6.1&ossp=Service%20Pack%201&uac=0&admin=1&ver=5.0.0.176&mailru_guard=0&mailru_updater=1&comp_mem=3071&tool_mem=12&elapsed_time=11583&mr_service=0&os=win6.1&install_id=%7BFDDD13D1-C518-46F4-AF38-584C93AD065A%7D&GUID=%7BFDDD13D1-C518-46F4-AF38-584C93AD065A%7D&tool=mrupdater
network_url	http://mrds.mail.ru/update/2/version.txt?GUID={BE6997F4-D488-4E58-BAAF-8DB21A213BEE}&os=6.1&type=mloader_downloaded&newrfr=mediaplay
network_url	http://mrds.mail.ru/update/2/version.txt?type=prog_set&target=ch&prog=xtn_pult&event=done&mr_ext=ebkgajjadgojjkgacfgjpnpgagpecpjp&masterid=%7B6F701F8A-827D-4022-B9D7-591EA0276DB0%7D&user_id=%7BC3B64E02-D00F-40E8-955A-2712768AF7BF%7D&osver=7&osbit=64&osvernum=6.1&ossp=Service%20Pack%201&uac=0&admin=1&ver=5.0.0.172&mailru_guard=0&mailru_updater=1&comp_mem=3071&tool_mem=19&elapsed_time=594&mr_service=0&os=win6.1&tool=sputnik&GUID=%7B7A3443F0-1262-404C-9669-83BD646EA222%7D&common_rfr=&install_id=%7B7A3443F0-1262-404C-9669-83BD646EA222%7D&rfr_rules=

HIPS/ PFW/ Operating System Protection Evasion

Attempts to identify installed AV products by installation directory Show sources

file_query	C:\Program Files\Sandboxie\Start.exe
file_query	C:\Program Files\Sandboxie
file_query	C:\Program Files\Sandboxie\Start.exe
file_query	C:\Program Files\Sandboxie
file_query	C:\Program Files\Sandboxie\Start.exe
file_query	C:\Program Files\Sandboxie
file_query	C:\Program Files\Sandboxie\SbieCtrl.exe
file_query	C:\Program Files\Sandboxie
file_query	C:\Program Files\Sandboxie\Start.exe
file_query	C:\Program Files\Sandboxie
file_query	C:\Windows\Installer\SandboxieInstall64.exe
file_query	C:\Program Files\Sandboxie\Start.exe
file_query	C:\Program Files\Sandboxie
file_query	C:\Program Files\Sandboxie\Start.exe
file_query	C:\Program Files\Sandboxie
file_query	C:\Program Files\Sandboxie\Start.exe
file_query	C:\Program Files\Sandboxie
file_query	C:\Program Files\Sandboxie\SbieCtrl.exe
file_query	C:\Program Files\Sandboxie
file_query	C:\Program Files\Sandboxie\Start.exe
file_query	C:\Program Files\Sandboxie
file_query	C:\Windows\Installer\SandboxieInstall64.exe
file_query	C:\Program Files\Sandboxie\Start.exe
file_query	C:\Program Files\Sandboxie
file_query	C:\Program Files\Sandboxie\Start.exe
file_query	C:\Program Files\Sandboxie
file_query	C:\Program Files\Sandboxie\Start.exe
file_query	C:\Program Files\Sandboxie
file_query	C:\Program Files\Sandboxie\SbieCtrl.exe
file_query	C:\Program Files\Sandboxie
file_query	C:\Program Files\Sandboxie\Start.exe
file_query	C:\Program Files\Sandboxie
file_query	C:\Windows\Installer\SandboxieInstall64.exe
file_query	C:\Program Files\Sandboxie\Start.exe
file_query	C:\Program Files\Sandboxie
file_query	C:\Program Files\Sandboxie\Start.exe
file_query	C:\Program Files\Sandboxie
file_query	C:\Program Files\Sandboxie\Start.exe
file_query	C:\Program Files\Sandboxie
file_query	C:\Program Files\Sandboxie\SbieCtrl.exe
file_query	C:\Program Files\Sandboxie
file_query	C:\Program Files\Sandboxie\Start.exe
file_query	C:\Program Files\Sandboxie
file_query	C:\Windows\Installer\SandboxieInstall64.exe
file_query	C:\program files\sandboxie\Start.exe
file_query	C:\program files\sandboxie\Start.exe
file_query	C:\Program Files\Sandboxie\Start.exe
file_query	C:\Program Files\Sandboxie
file_query	C:\Program Files\Sandboxie\Start.exe
file_query	C:\Program Files\Sandboxie
file_query	C:\Program Files\Sandboxie\Start.exe
file_query	C:\Program Files\Sandboxie
file_query	C:\Program Files\Sandboxie\SbieCtrl.exe
file_query	C:\Program Files\Sandboxie
file_query	C:\Program Files\Sandboxie\Start.exe
file_query	C:\Program Files\Sandboxie
file_query	C:\Windows\Installer\SandboxieInstall64.exe
file_query	C:\Program Files\Sandboxie\Start.exe
file_query	C:\Program Files\Sandboxie
file_query	C:\Program Files\Sandboxie\Start.exe
file_query	C:\Program Files\Sandboxie
file_query	C:\Program Files\Sandboxie\Start.exe
file_query	C:\Program Files\Sandboxie
file_query	C:\Program Files\Sandboxie\SbieCtrl.exe
file_query	C:\Program Files\Sandboxie
file_query	C:\Program Files\Sandboxie\Start.exe
file_query	C:\Program Files\Sandboxie
file_query	C:\Windows\Installer\SandboxieInstall64.exe
file_query	C:\Program Files\Sandboxie\Start.exe
file_query	C:\Program Files\Sandboxie
file_query	C:\Program Files\Sandboxie\Start.exe
file_query	C:\Program Files\Sandboxie
file_query	C:\Program Files\Sandboxie\Start.exe
file_query	C:\Program Files\Sandboxie
file_query	C:\Program Files\Sandboxie\SbieCtrl.exe
file_query	C:\Program Files\Sandboxie
file_query	C:\Program Files\Sandboxie\Start.exe
file_query	C:\Program Files\Sandboxie
file_query	C:\Windows\Installer\SandboxieInstall64.exe
file_query	C:\Program Files\Sandboxie\Start.exe
file_query	C:\Program Files\Sandboxie
file_query	C:\Program Files\Sandboxie\Start.exe
file_query	C:\Program Files\Sandboxie
file_query	C:\Program Files\Sandboxie\Start.exe
file_query	C:\Program Files\Sandboxie
file_query	C:\Program Files\Sandboxie\SbieCtrl.exe
file_query	C:\Program Files\Sandboxie
file_query	C:\Program Files\Sandboxie\Start.exe
file_query	C:\Program Files\Sandboxie
file_query	C:\Windows\Installer\SandboxieInstall64.exe
file_query	C:\Program Files\Sandboxie\Start.exe
file_query	C:\Program Files\Sandboxie
file_query	C:\Program Files\Sandboxie\Start.exe
file_query	C:\Program Files\Sandboxie
file_query	C:\Program Files\Sandboxie\Start.exe
file_query	C:\Program Files\Sandboxie
file_query	C:\Program Files\Sandboxie\SbieCtrl.exe
file_query	C:\Program Files\Sandboxie
file_query	C:\Program Files\Sandboxie\Start.exe
file_query	C:\Program Files\Sandboxie
file_query	C:\Windows\Installer\SandboxieInstall64.exe
file_query	C:\Program Files\Sandboxie\Start.exe
file_query	C:\Program Files\Sandboxie
file_query	C:\Program Files\Sandboxie\Start.exe
file_query	C:\Program Files\Sandboxie
file_query	C:\Program Files\Sandboxie\Start.exe
file_query	C:\Program Files\Sandboxie
file_query	C:\Program Files\Sandboxie\SbieCtrl.exe
file_query	C:\Program Files\Sandboxie
file_query	C:\Program Files\Sandboxie\Start.exe
file_query	C:\Program Files\Sandboxie
file_query	C:\Windows\Installer\SandboxieInstall64.exe
file_query	C:\Program Files\Sandboxie\SbieSvc.exe
file_query	C:\Program Files\Sandboxie\SbieSvc.exe

Attempts to identify installed AV products by registry key Show sources

registry_query

HKEY_CURRENT_USER\Software\ESET

Cryptography

At least one IP Address, Domain, or File Name was found in a crypto call Show sources

ioc	69.31.84.300
ioc	69.31.84.30
ioc	www.digicert.com1
ioc	6extensions.settings.gbnhehnpnbiioheicppmmmjaekcdfigc
ioc	distribution-module.js
ioc	background.js
ioc	http://go.mail.ru/favicon.ico
ioc	inline.go.mail.ru
ioc	https://inline.go.mail.ru/search
ioc	chxtn12.0.42
ioc	http://suggests.go.mail.ru/chrome
ioc	runtime.onStartup
ioc	128.png
ioc	16.png
ioc	48.png
ioc	6extensions.settings.fppjhfcgnalgfiimdflmikpifodndljf
ioc	build.js
ioc	https://inline.go.mail.ru/homepage
ioc	6extensions.settings.ebkgajjadgojjkgacfgjpnpgagpecpjp
ioc	ail.ru
ioc	background.html
ioc	disabled-128.png
ioc	disabled-16.png
ioc	disabled-32.png
ioc	disabled-48.png
ioc	visual-bookmarks.html
ioc	https://yandexadexchange.net/
ioc	https://an.yandex.ru
ioc	icon-128.png
ioc	icon-16.png
ioc	icon-32.png
ioc	icon-48.png
ioc	data.template_url_data
ioc	http://mail.ru
ioc	go.mail.ru
ioc	http://go.mail.ru/distib/ep/
ioc	6browser.show_home_buttontrue
ioc	http://mail.ru/cnt/10445
ioc	6session.restore_on_startup4
ioc	6session.startup_urls

Stealing of Sensitive Information

Steals private information from local Internet browsers Show sources

file_read	C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
file_read	C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\jdm2a1on.default\prefs.js
file_read	C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Preferences
file_read	C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
file_read	C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
file_read	C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\jdm2a1on.default\cookies.sqlite
file_read	C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
file_read	C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Favicons
file_read	C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\jdm2a1on.default\search.json.mozlz4

Attempts to modify proxy settings

Hooking and other Techniques for Hiding Protection

Creates RWX memory Show sources

injection_rwx_memory

0x00000040, NtAllocateVirtualMemory or VirtualProtectEx

Data Obfuscation

Drops a binary and executes it Show sources

file_dropped	C:\Users\user\AppData\Local\Temp\is-OP7S1.tmp\4618f1ae573e668331fa830efcc1c8050c23eff1.tmp
file_dropped	C:\Users\user\AppData\Local\Temp\e45e-9fa6-6843-8bb8\na_runner.exe

Persistence and Installation Behavior

Installs itself for autorun at Windows startup Show sources

service_create	Updater.Mail.Ru
service_create	C:\Program Files (x86)\Mail.Ru\MailRuUpdater\MailRuUpdater.exe --s
registry_write	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\mailruhomesearch
data	"C:\Users\user\AppData\Local\Mail.Ru\Sputnik\ptls\mailruhomesearch.exe" --pr_deferred
registry_write	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\MailRuUpdater
data	C:\Users\user\AppData\Local\Mail.Ru\MailRuUpdater.exe
file_write	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\MediaPlay.lnk

Malware Analysis System Evasion

Detects VirtualBox through the presence of a file Show sources

file_query	C:\Program Files\Oracle\VirtualBox Guest Additions\uninst.exe
file_query	C:\Program Files\Oracle\VirtualBox Guest Additions\uninst.exe
file_query	C:\Program Files\Oracle\VirtualBox Guest Additions\uninst.exe
file_query	C:\Program Files\Oracle\VirtualBox Guest Additions\uninst.exe
file_query	C:\Program Files\Oracle\VirtualBox Guest Additions\uninst.exe
file_query	C:\Program Files\Oracle\VirtualBox Guest Additions\uninst.exe
file_query	C:\Program Files\Oracle\VirtualBox Guest Additions\uninst.exe
file_query	C:\Program Files\Oracle\VirtualBox Guest Additions\uninst.exe
file_query	C:\Program Files\Oracle\VirtualBox Guest Additions\uninst.exe
file_query	C:\Program Files\Oracle\VirtualBox Guest Additions\uninst.exe

Attempts to repeatedly call a single API many times in order to delay analysis time Show sources

api_process_name

services.exe (460) called API GetSystemTimeAsFileTime 9004114 times

Creates a hidden or system file Show sources

file_write	C:\Windows\System32\GroupPolicy
file_write	C:\Users\user\AppData\Local\Temp\mini_loader_scoped_dir_1535188497\mediaplay-a.exe.dul!

Loading...