File name:	ChromeSetup.exe
Full analysis:	https://app.any.run/tasks/2bb6af2c-ae77-45db-8574-cde391d438a0
Verdict:	Malicious activity
Analysis date:	June 09, 2024, 11:53:58
OS:	Windows 10 Professional (build: 19045, 64 bit)
Indicators:
MIME:	application/x-dosexec
File info:	PE32 executable (GUI) Intel 80386, for MS Windows
MD5:	D4C0273B69051DEE74050EB17332F6DE
SHA1:	0BDCB5E388FDA06B50A2BC137819506106A630BD
SHA256:	2F6E13C97D2C435016B47904BAC81C4447B3EDD5ABB83F10BF1E39A9A8731E90
SSDEEP:	49152:A0CZrjTSt9tvdOBp/ew9PT4CTsi6RlF/XfTajGKTQTAXFPaALwV5no7+MJnOZ4BI:dMOtnvdO/eor4usJRnX2hTjcbngG4BNO

.exe	\|	Win64 Executable (generic) (76.4)
.exe	\|	Win32 Executable (generic) (12.4)
.exe	\|	Generic Win/DOS Executable (5.5)
.exe	\|	DOS Executable Generic (5.5)

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2024:01:10 02:10:49+00:00
ImageFileCharacteristics:	Executable, Large address aware, 32-bit
PEType:	PE32
LinkerVersion:	14.2
CodeSize:	96256
InitializedDataSize:	1260032
UninitializedDataSize:	-
EntryPoint:	0x5374
OSVersion:	5.1
ImageVersion:	-
SubsystemVersion:	5.1
Subsystem:	Windows GUI
FileVersionNumber:	1.3.36.372
ProductVersionNumber:	1.3.36.372
FileFlagsMask:	0x003f
FileFlags:	(none)
FileOS:	Windows NT 32-bit
ObjectFileType:	Executable application
FileSubtype:	-
LanguageCode:	English (U.S.)
CharacterSet:	Unicode
CompanyName:	Google LLC
FileDescription:	Google Update Setup
FileVersion:	1.3.36.372
InternalName:	Google Update Setup
LegalCopyright:	Copyright 2018 Google LLC
OriginalFileName:	GoogleUpdateSetup.exe
ProductName:	Google Update
ProductVersion:	1.3.36.372
LanguageId:	en


(PID) Process:	(3648) GoogleUpdate.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Google\Update
Operation:	delete value	Name:	uid
Value:
(PID) Process:	(3648) GoogleUpdate.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Google\Update
Operation:	delete value	Name:	old-uid
Value:
(PID) Process:	(4916) GoogleUpdate.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Google\Update
Operation:	delete value	Name:	uid
Value:
(PID) Process:	(4916) GoogleUpdate.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Google\Update
Operation:	delete value	Name:	old-uid
Value:
(PID) Process:	(4916) GoogleUpdate.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Google\Update
Operation:	delete value	Name:	uid
Value:
(PID) Process:	(4916) GoogleUpdate.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Google\Update
Operation:	delete value	Name:	old-uid
Value:
(PID) Process:	(4916) GoogleUpdate.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Google\Update\ClientState\{8A69D345-D564-463C-AFF1-A69D9E530F96}
Operation:	write	Name:	usagestats
Value: 1
(PID) Process:	(4916) GoogleUpdate.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Google\Update\ClientStateMedium\{8A69D345-D564-463C-AFF1-A69D9E530F96}
Operation:	delete value	Name:	usagestats
Value:
(PID) Process:	(4916) GoogleUpdate.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Google\Update
Operation:	delete value	Name:	eulaaccepted
Value:
(PID) Process:	(4916) GoogleUpdate.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}
Operation:	delete value	Name:	UpdateAvailableCount
Value:

PID	Process	Filename		Type
5608	ChromeSetup.exe	C:\Users\admin\AppData\Local\Temp\GUM3C2B.tmp\psmachine_64.dll		executable
		MD5:B002F5315B6EB8801A91756643A15C1B	SHA256:0A9C8F037925570FFE1D36E19E194B7D67346306C93296745AE4FE7002F02D3E
5608	ChromeSetup.exe	C:\Users\admin\AppData\Local\Temp\GUM3C2B.tmp\GoogleUpdate.exe		executable
		MD5:BAF0B64AF9FCEAB44942506F3AF21C87	SHA256:581EDECA339BB8C5EBC1D0193AD77F5CAFA329C5A9ADF8F5299B1AFABED6623B
5608	ChromeSetup.exe	C:\Users\admin\AppData\Local\Temp\GUM3C2B.tmp\GoogleUpdateOnDemand.exe		executable
		MD5:B191834EB918C5BCAA46E594561C53C9	SHA256:0FA78EEA190E3AE9DDB0E6CD85EB5188947CE0BA748FC6D567ADE48B1FB3AE27
5608	ChromeSetup.exe	C:\Users\admin\AppData\Local\Temp\GUM3C2B.tmp\psuser.dll		executable
		MD5:D7770594FA82330B50573FDD8A2CCF3D	SHA256:350339ACF9B3CA3055823C67AB568390D54C35DA4692E33C3A7E62FBC7C4B9A9
5608	ChromeSetup.exe	C:\Users\admin\AppData\Local\Temp\GUM3C2B.tmp\goopdateres_bn.dll		executable
		MD5:64ED14E0070B720FCEFE89E2AB323604	SHA256:635F3A7FD3C1F62EB91117189AC84E1A1E5C3A8E104863D125C16E8BE570E3D1
5608	ChromeSetup.exe	C:\Users\admin\AppData\Local\Temp\GUM3C2B.tmp\psmachine.dll		executable
		MD5:CDE140B706BB57F83D1AFE5C5B8EC346	SHA256:5A0C4B1BF6A52B2380803B3E2494DD37A221B68E5302B5AB7FF9C27D85398649
5608	ChromeSetup.exe	C:\Users\admin\AppData\Local\Temp\GUM3C2B.tmp\GoogleUpdateBroker.exe		executable
		MD5:FF2D1B951CAFE2A3B88A168900844303	SHA256:F8E20A4EFB9BB32AF39E3CBC414412B3B01C0442ABFE214A58BC3ECCFFFD35B7
5608	ChromeSetup.exe	C:\Users\admin\AppData\Local\Temp\GUM3C2B.tmp\psuser_64.dll		executable
		MD5:458F24A910A1022B5DB6219E7A838CE5	SHA256:E0D786B4823F4D4137A2110A2E867237ABC5BC29604A55D6A172199E56CE3BE7
5608	ChromeSetup.exe	C:\Users\admin\AppData\Local\Temp\GUM3C2B.tmp\goopdateres_ca.dll		executable
		MD5:BA783AC59839551280618C83C760D583	SHA256:C2D15F8DA32907D8CEA1AAA0D51F16BC692A74141FDACE43A84C78647433A086
5608	ChromeSetup.exe	C:\Users\admin\AppData\Local\Temp\GUM3C2B.tmp\GoogleUpdateCore.exe		executable
		MD5:021C57C74DE40F7C3B4FCF58A54D3649	SHA256:04ADF40BA58D0AB892091C188822191F2597BC47DAB8B92423E8FC546DC437EF

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
5140	MoUsoCoreWorker.exe	GET	200	62.115.252.105:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	unknown
5612	RUXIMICS.exe	GET	200	62.115.252.105:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	unknown
5448	svchost.exe	GET	200	62.115.252.105:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	unknown
5448	svchost.exe	GET	200	23.57.80.253:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	unknown
4148	svchost.exe	HEAD	200	34.104.35.123:80	http://edgedl.me.gvt1.com/edgedl/release2/chrome/kdkzajqlu4fsukr4xd4ep2gooa_125.0.6422.142/125.0.6422.142_chrome_installer.exe	unknown	—	—	unknown
4148	svchost.exe	GET	—	34.104.35.123:80	http://edgedl.me.gvt1.com/edgedl/release2/chrome/kdkzajqlu4fsukr4xd4ep2gooa_125.0.6422.142/125.0.6422.142_chrome_installer.exe	unknown	—	—	unknown
5140	MoUsoCoreWorker.exe	GET	200	23.57.80.253:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	unknown
—	—	GET	200	142.250.185.164:443	https://dl.google.com/update2/installers/icons/%7B8A69D345-D564-463C-AFF1-A69D9E530F96%7D.bmp	unknown	image	6.52 Kb	—
—	—	POST	200	52.168.112.67:443	https://self.events.data.microsoft.com/OneCollector/1.0/	unknown	binary	9 b	—
—	—	POST	200	142.250.185.195:443	https://update.googleapis.com/service/update2	unknown	xml	233 b	—

PID	Process	IP	Domain	ASN	CN	Reputation
5448	svchost.exe	40.127.240.158:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	IE	unknown
4364	svchost.exe	239.255.255.250:1900	—	—	—	unknown
5612	RUXIMICS.exe	40.127.240.158:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	IE	unknown
5140	MoUsoCoreWorker.exe	40.127.240.158:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	IE	unknown
5140	MoUsoCoreWorker.exe	62.115.252.105:80	crl.microsoft.com	Telia Company AB	ES	unknown
5612	RUXIMICS.exe	62.115.252.105:80	crl.microsoft.com	Telia Company AB	ES	unknown
5448	svchost.exe	62.115.252.105:80	crl.microsoft.com	Telia Company AB	ES	unknown
5612	RUXIMICS.exe	23.57.80.253:80	www.microsoft.com	AKAMAI-AS	FR	whitelisted
624	GoogleUpdate.exe	142.250.185.195:443	update.googleapis.com	GOOGLE	US	whitelisted
1508	GoogleUpdate.exe	142.250.185.195:443	update.googleapis.com	GOOGLE	US	whitelisted

Domain	IP	Reputation
crl.microsoft.com	62.115.252.105 62.115.252.155	whitelisted
www.microsoft.com	23.57.80.253	whitelisted
update.googleapis.com	142.250.185.195	unknown
dl.google.com	216.58.212.174	whitelisted
settings-win.data.microsoft.com	51.104.136.2	whitelisted
edgedl.me.gvt1.com	34.104.35.123	whitelisted
self.events.data.microsoft.com	104.208.16.91	whitelisted

PID	Process	Class	Message
4148	svchost.exe	Misc activity	ET INFO EXE - Served Attached HTTP
4148	svchost.exe	Potential Corporate Privacy Violation	ET POLICY PE EXE or DLL Windows file download HTTP

General Info

ChromeSetup.exe

D4C0273B69051DEE74050EB17332F6DE

0BDCB5E388FDA06B50A2BC137819506106A630BD

2F6E13C97D2C435016B47904BAC81C4447B3EDD5ABB83F10BF1E39A9A8731E90

49152:A0CZrjTSt9tvdOBp/ew9PT4CTsi6RlF/XfTajGKTQTAXFPaALwV5no7+MJnOZ4BI:dMOtnvdO/eor4usJRnX2hTjcbngG4BNO

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Drops the executable file immediately after the start

Scans artifacts that could help determine the target

SUSPICIOUS

Reads security settings of Internet Explorer

Reads the date of Windows installation

Executable content was dropped or overwritten

Checks Windows Trust Settings

INFO

Create files in a temporary directory

Checks supported languages

Reads the computer name

Creates files in the program directory

Process checks computer location settings

Reads the software policy settings

Checks proxy server information

Reads the machine GUID from the registry

Creates files or folders in the user directory

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings