Malware analysis a74dd3d61350462c77d870bc3b7cead5df615dc2 Malicious activity

Add for printing

File name:	a74dd3d61350462c77d870bc3b7cead5df615dc2
Full analysis:	https://app.any.run/tasks/a6c669dc-78ac-4985-b0b0-1ed28d3a5bf4
Verdict:	Malicious activity
Threats:	A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. Malware Trends Tracker >>>
Analysis date:	May 16, 2025, 09:54:41
OS:	Windows 10 Professional (build: 19044, 64 bit)
Tags:	loader arch-exec qrcode
Indicators:
MIME:	application/vnd.microsoft.portable-executable
File info:	PE32 executable (GUI) Intel 80386, for MS Windows, 5 sections
MD5:	4F8CA86DE2ED2DF5F931DCE222F0216C
SHA1:	A74DD3D61350462C77D870BC3B7CEAD5DF615DC2
SHA256:	386B77C682977D5335C384F5BBE5A8394627C35A95CA2DD7BEF5CA00CD753205
SSDEEP:	98304:ZLOBybVS1Ua2IhMvwoyOVN9QN84PRCUFeEf5nWFJ6jbwzc5QFshFeDhuDYh+YyYg:op6IZ

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 180 seconds
Heavy Evasion option:: off
Network geolocation:: off
Additional time used:: 120 seconds
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.3636.19041.0
Adobe Acrobat (64-bit) (23.001.20093)
Adobe Flash Player 32 NPAPI (32.0.0.465)
Adobe Flash Player 32 PPAPI (32.0.0.465)
CCleaner (6.20)
FileZilla 3.65.0 (3.65.0)
Google Chrome (122.0.6261.70)
Google Update Helper (1.3.36.51)
Java 8 Update 271 (64-bit) (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Microsoft Edge (122.0.2365.59)
Microsoft Edge Update (1.3.185.17)
Microsoft Office Professional 2019 - de-de (16.0.16026.20146)
Microsoft Office Professional 2019 - en-us (16.0.16026.20146)
Microsoft Office Professional 2019 - es-es (16.0.16026.20146)
Microsoft Office Professional 2019 - it-it (16.0.16026.20146)
Microsoft Office Professional 2019 - ja-jp (16.0.16026.20146)
Microsoft Office Professional 2019 - ko-kr (16.0.16026.20146)
Microsoft Office Professional 2019 - pt-br (16.0.16026.20146)
Microsoft Office Professional 2019 - tr-tr (16.0.16026.20146)
Microsoft Office Professionnel 2019 - fr-fr (16.0.16026.20146)
Microsoft Office профессиональный 2019 - ru-ru (16.0.16026.20146)
Microsoft OneNote - en-us (16.0.16026.20146)
Microsoft Update Health Tools (3.74.0.0)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x64 en-US) (123.0)
Mozilla Maintenance Service (123.0)
Notepad++ (64-bit x64) (7.9.1)
Office 16 Click-to-Run Extensibility Component (16.0.15726.20202)
Office 16 Click-to-Run Licensing Component (16.0.16026.20146)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15928.20198)
PowerShell 7-x64 (7.3.5.0)
Skype version 8.104 (8.104)
Update for Windows 10 for x64-based Systems (KB4023057) (2.59.0.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.63.0.0)
Update for Windows 10 for x64-based Systems (KB4480730) (2.55.0.0)
Update for Windows 10 for x64-based Systems (KB5001716) (8.93.0.0)
VLC media player (3.0.11)
WinRAR 5.91 (64-bit) (5.91.0)
Windows PC Health Check (3.6.2204.08001)

Hotfixes

Client LanguagePack Package
DotNetRollup
DotNetRollup 481
FodMetadata Package
Foundation Package
Hello Face Package
InternetExplorer Optional Package
KB5003791
KB5011048
KB5015684
KB5033052
LanguageFeatures Basic en us Package
LanguageFeatures Handwriting en us Package
LanguageFeatures OCR en us Package
LanguageFeatures Speech en us Package
LanguageFeatures TextToSpeech en us Package
MSPaint FoD Package
MediaPlayer Package
Microsoft OneCore ApplicationModel Sync Desktop FOD Package
Microsoft OneCore DirectX Database FOD Package
NetFx3 OnDemand Package
Notepad FoD Package
OpenSSH Client Package
PowerShell ISE FOD Package
Printing PMCPPC FoD Package
Printing WFS FoD Package
ProfessionalEdition
QuickAssist Package
RollupFix
ServicingStack
ServicingStack 3989
StepsRecorder Package
TabletPCMath Package
UserExperience Desktop Package
WordPad FoD Package

Add for printing

MALICIOUS
- Changes the autorun value in the registry
  - setup.exe (PID: 7560)
SUSPICIOUS
- Uses TASKKILL.EXE to kill process
  - cmd.exe (PID: 6004)
- Executable content was dropped or overwritten
  - a74dd3d61350462c77d870bc3b7cead5df615dc2.exe (PID: 1348)
  - ChromeSetup.exe (PID: 4428)
  - 136.0.7103.114_chrome_installer.exe (PID: 7540)
  - setup.exe (PID: 7560)
- Starts CMD.EXE for commands execution
  - a74dd3d61350462c77d870bc3b7cead5df615dc2.exe (PID: 1348)
- Reads security settings of Internet Explorer
  - a74dd3d61350462c77d870bc3b7cead5df615dc2.exe (PID: 1348)
  - GoogleUpdate.exe (PID: 3268)
  - GoogleUpdate.exe (PID: 2316)
- Uses ATTRIB.EXE to modify file attributes
  - cmd.exe (PID: 5112)
- Potential Corporate Privacy Violation
  - svchost.exe (PID: 6744)
- Process requests binary or script from the Internet
  - svchost.exe (PID: 6744)
- Application launched itself
  - setup.exe (PID: 7560)
  - setup.exe (PID: 7656)
  - setup.exe (PID: 7736)
  - GoogleUpdate.exe (PID: 2316)
- There is functionality for taking screenshot (YARA)
  - GoogleUpdate.exe (PID: 3268)
  - GoogleUpdate.exe (PID: 2316)
- Creates a software uninstall entry
  - setup.exe (PID: 7560)
- Starts itself from another location
  - setup.exe (PID: 7560)
- Searches for installed software
  - setup.exe (PID: 7560)
INFO
- Checks supported languages
  - a74dd3d61350462c77d870bc3b7cead5df615dc2.exe (PID: 1348)
  - ChromeSetup.exe (PID: 4428)
  - GoogleUpdate.exe (PID: 5376)
  - GoogleUpdate.exe (PID: 5024)
  - GoogleUpdate.exe (PID: 3268)
  - GoogleUpdate.exe (PID: 2316)
  - 136.0.7103.114_chrome_installer.exe (PID: 7540)
  - setup.exe (PID: 7560)
  - setup.exe (PID: 7656)
  - setup.exe (PID: 7676)
  - setup.exe (PID: 7736)
  - setup.exe (PID: 7768)
  - setup.exe (PID: 7580)
  - GoogleUpdate.exe (PID: 7840)
  - GoogleUpdate.exe (PID: 7812)
  - GoogleUpdateOnDemand.exe (PID: 7820)
  - elevation_service.exe (PID: 6540)
- Reads the machine GUID from the registry
  - a74dd3d61350462c77d870bc3b7cead5df615dc2.exe (PID: 1348)
  - GoogleUpdate.exe (PID: 2316)
- Reads the computer name
  - a74dd3d61350462c77d870bc3b7cead5df615dc2.exe (PID: 1348)
  - GoogleUpdate.exe (PID: 5376)
  - GoogleUpdate.exe (PID: 5024)
  - GoogleUpdate.exe (PID: 2316)
  - GoogleUpdate.exe (PID: 3268)
  - 136.0.7103.114_chrome_installer.exe (PID: 7540)
  - setup.exe (PID: 7560)
  - setup.exe (PID: 7656)
  - setup.exe (PID: 7736)
  - GoogleUpdate.exe (PID: 7812)
  - GoogleUpdate.exe (PID: 7840)
  - elevation_service.exe (PID: 6540)
- The sample compiled with chinese language support
  - a74dd3d61350462c77d870bc3b7cead5df615dc2.exe (PID: 1348)
  - ChromeSetup.exe (PID: 4428)
- The sample compiled with english language support
  - a74dd3d61350462c77d870bc3b7cead5df615dc2.exe (PID: 1348)
  - ChromeSetup.exe (PID: 4428)
  - svchost.exe (PID: 6744)
  - 136.0.7103.114_chrome_installer.exe (PID: 7540)
  - setup.exe (PID: 7560)
- Create files in a temporary directory
  - a74dd3d61350462c77d870bc3b7cead5df615dc2.exe (PID: 1348)
  - svchost.exe (PID: 6744)
  - GoogleUpdate.exe (PID: 2316)
- Creates files in the program directory
  - a74dd3d61350462c77d870bc3b7cead5df615dc2.exe (PID: 1348)
  - cmd.exe (PID: 5640)
  - cmd.exe (PID: 6244)
  - ChromeSetup.exe (PID: 4428)
  - GoogleUpdate.exe (PID: 3268)
  - GoogleUpdate.exe (PID: 5376)
  - GoogleUpdate.exe (PID: 5024)
  - GoogleUpdate.exe (PID: 2316)
  - 136.0.7103.114_chrome_installer.exe (PID: 7540)
  - setup.exe (PID: 7560)
  - setup.exe (PID: 7656)
  - GoogleUpdate.exe (PID: 7812)
- Creates a new folder
  - cmd.exe (PID: 5640)
  - cmd.exe (PID: 6244)
- Creates files or folders in the user directory
  - a74dd3d61350462c77d870bc3b7cead5df615dc2.exe (PID: 1348)
  - GoogleUpdate.exe (PID: 2316)
- Process checks computer location settings
  - a74dd3d61350462c77d870bc3b7cead5df615dc2.exe (PID: 1348)
  - GoogleUpdate.exe (PID: 3268)
- The sample compiled with german language support
  - ChromeSetup.exe (PID: 4428)
- The sample compiled with arabic language support
  - ChromeSetup.exe (PID: 4428)
- The sample compiled with Italian language support
  - ChromeSetup.exe (PID: 4428)
- The sample compiled with czech language support
  - ChromeSetup.exe (PID: 4428)
- The sample compiled with spanish language support
  - ChromeSetup.exe (PID: 4428)
- The sample compiled with Indonesian language support
  - ChromeSetup.exe (PID: 4428)
- The sample compiled with french language support
  - ChromeSetup.exe (PID: 4428)
- The sample compiled with portuguese language support
  - ChromeSetup.exe (PID: 4428)
- The sample compiled with korean language support
  - ChromeSetup.exe (PID: 4428)
- The sample compiled with japanese language support
  - ChromeSetup.exe (PID: 4428)
- The sample compiled with russian language support
  - ChromeSetup.exe (PID: 4428)
- The sample compiled with polish language support
  - ChromeSetup.exe (PID: 4428)
- The sample compiled with slovak language support
  - ChromeSetup.exe (PID: 4428)
- The sample compiled with bulgarian language support
  - ChromeSetup.exe (PID: 4428)
- Reads the software policy settings
  - GoogleUpdate.exe (PID: 5376)
  - GoogleUpdate.exe (PID: 2316)
  - GoogleUpdate.exe (PID: 7812)
  - slui.exe (PID: 4988)
- The sample compiled with swedish language support
  - ChromeSetup.exe (PID: 4428)
- The sample compiled with turkish language support
  - ChromeSetup.exe (PID: 4428)
- Checks proxy server information
  - GoogleUpdate.exe (PID: 2316)
  - GoogleUpdate.exe (PID: 7812)
  - GoogleUpdate.exe (PID: 5376)
- Executes as Windows Service
  - elevation_service.exe (PID: 4380)
  - elevation_service.exe (PID: 6540)
- Manual execution by a user
  - chrome.exe (PID: 1072)
- Application launched itself
  - chrome.exe (PID: 7916)
  - chrome.exe (PID: 1072)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.exe	\|	Win64 Executable (generic) (18)
.exe	\|	Win32 Executable (generic) (2.9)
.exe	\|	Generic Win/DOS Executable (1.3)
.exe	\|	DOS Executable Generic (1.3)

EXIF

EXE

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2023:03:29 18:36:02+00:00
ImageFileCharacteristics:	Executable, 32-bit
PEType:	PE32
LinkerVersion:	14.16
CodeSize:	4080640
InitializedDataSize:	1411072
UninitializedDataSize:	-
EntryPoint:	0x271b55
OSVersion:	5.1
ImageVersion:	-
SubsystemVersion:	5.1
Subsystem:	Windows GUI
FileVersionNumber:	109.7.5610.208
ProductVersionNumber:	109.7.5610.208
FileFlagsMask:	0x003f
FileFlags:	(none)
FileOS:	Windows NT 32-bit
ObjectFileType:	Executable application
FileSubtype:	-
LanguageCode:	Chinese (Simplified)
CharacterSet:	Unicode
CompanyName:	Xiamen Maikewei Information Network Co., Ltd.
FileDescription:	Google Chrome 浏览器安装程序
FileVersion:	109.7.5610.208
InternalName:	SetupChrome
LegalCopyright:	Copyright 2023 Xiamen Maikewei Information Network Co., Ltd. All rights reserved.
OriginalFileName:	SetupChrome
ProductName:	谷歌浏览器下载安装软件
ProductVersion:	109.7.5610.208

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

222

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

744

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=1928,i,3519157384317484407,5761640476489634668,262144 --variations-seed-version --mojo-platform-channel-handle=4028 /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe

—

chrome.exe

User:

admin

Company:

Google LLC

Integrity Level:

LOW

Description:

Google Chrome

Exit code:

Version:

136.0.7103.114

Modules

Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\google\chrome\application\136.0.7103.114\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll

872

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=38 --field-trial-handle=1928,i,3519157384317484407,5761640476489634668,262144 --variations-seed-version --mojo-platform-channel-handle=4704 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

—

chrome.exe

User:

admin

Company:

Google LLC

Integrity Level:

LOW

Description:

Google Chrome

Exit code:

Version:

136.0.7103.114

Modules

Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\google\chrome\application\136.0.7103.114\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll

1040

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=1928,i,3519157384317484407,5761640476489634668,262144 --variations-seed-version --mojo-platform-channel-handle=3212 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

—

chrome.exe

User:

admin

Company:

Google LLC

Integrity Level:

LOW

Description:

Google Chrome

Exit code:

Version:

136.0.7103.114

Modules

Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\google\chrome\application\136.0.7103.114\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll

1072

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --disable-quic --field-trial-handle=1928,i,3519157384317484407,5761640476489634668,262144 --variations-seed-version --mojo-platform-channel-handle=6344 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

—

chrome.exe

User:

admin

Company:

Google LLC

Integrity Level:

LOW

Description:

Google Chrome

Exit code:

Version:

136.0.7103.114

Modules

Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\google\chrome\application\136.0.7103.114\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll

1072

"C:\Program Files\Google\Chrome\Application\chrome.exe" "--disable-features=OptimizationGuideModelDownloading,OptimizationHintsFetching,OptimizationTargetPrediction,OptimizationHints"

C:\Program Files\Google\Chrome\Application\chrome.exe

—

explorer.exe

User:

admin

Company:

Google LLC

Integrity Level:

MEDIUM

Description:

Google Chrome

Exit code:

Version:

136.0.7103.114

Modules

Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll

1180

\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Console Window Host

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

1348

"C:\Users\admin\AppData\Local\Temp\a74dd3d61350462c77d870bc3b7cead5df615dc2.exe"

C:\Users\admin\AppData\Local\Temp\a74dd3d61350462c77d870bc3b7cead5df615dc2.exe

explorer.exe

User:

admin

Company:

Xiamen Maikewei Information Network Co., Ltd.

Integrity Level:

HIGH

Description:

Google Chrome 浏览器安装程序

Exit code:

Version:

109.7.5610.208

Modules

Images
c:\users\admin\appdata\local\temp\a74dd3d61350462c77d870bc3b7cead5df615dc2.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\acgenral.dll

1660

C:\WINDOWS\system32\SppExtComObj.exe -Embedding

C:\Windows\System32\SppExtComObj.Exe

—

svchost.exe

User:

NETWORK SERVICE

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

KMS Connection Broker

Exit code:

Version:

10.0.19041.3996 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\sppextcomobj.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\oleaut32.dll

1912

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=14 --field-trial-handle=1928,i,3519157384317484407,5761640476489634668,262144 --variations-seed-version --mojo-platform-channel-handle=5416 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

—

chrome.exe

User:

admin

Company:

Google LLC

Integrity Level:

LOW

Description:

Google Chrome

Exit code:

Version:

136.0.7103.114

Modules

Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\google\chrome\application\136.0.7103.114\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll

2148

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --disable-quic --field-trial-handle=1928,i,3519157384317484407,5761640476489634668,262144 --variations-seed-version --mojo-platform-channel-handle=4252 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

—

chrome.exe

User:

admin

Company:

Google LLC

Integrity Level:

MEDIUM

Description:

Google Chrome

Exit code:

Version:

136.0.7103.114

Modules

Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll

Add for printing

Total events

17 456

Read events

15 930

Write events

1 504

Delete events

Modification events


(PID) Process:	(3268) GoogleUpdate.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Google\Update\ClientStateMedium\{8A69D345-D564-463C-AFF1-A69D9E530F96}
Operation:	delete value	Name:	usagestats
Value:
(PID) Process:	(3268) GoogleUpdate.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Google\Update\PersistedPings\{9FF82282-B047-477E-AF5F-2BE408FA6D59}
Operation:	delete key	Name:	(default)
Value:
(PID) Process:	(3268) GoogleUpdate.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}
Operation:	delete value	Name:	UpdateAvailableCount
Value:
(PID) Process:	(3268) GoogleUpdate.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}
Operation:	delete value	Name:	UpdateAvailableSince
Value:
(PID) Process:	(3268) GoogleUpdate.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}
Operation:	write	Name:	iid
Value: {F84835F2-542A-003D-0DC8-2768D7F15728}
(PID) Process:	(3268) GoogleUpdate.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Google\Update\PersistedPings\{9FF82282-B047-477E-AF5F-2BE408FA6D59}
Operation:	write	Name:	PersistedPingString
Value: <?xml version="1.0" encoding="UTF-8"?><request protocol="3.0" updater="Omaha" updaterversion="1.3.36.152" shell_version="1.3.36.51" ismachine="1" sessionid="{D38F6115-E6A4-409E-82CD-CEDBC5E852F1}" installsource="taggedmi" requestid="{9FF82282-B047-477E-AF5F-2BE408FA6D59}" dedup="cr" domainjoined="0"><hw physmemory="4" sse="1" sse2="1" sse3="1" ssse3="1" sse41="1" sse42="1" avx="1"/><os platform="win" version="10.0.19045.4046" sp="" arch="x64"/><app appid="{430FD4D0-B729-4F61-AA34-91526481799D}" version="1.3.36.372" nextversion="1.3.36.152" lang="zh-CN" brand="" client="" iid="{F84835F2-542A-003D-0DC8-2768D7F15728}"><event eventtype="2" eventresult="1" errorcode="0" extracode1="0" install_time_ms="219"/></app></request>
(PID) Process:	(3268) GoogleUpdate.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Google\Update\PersistedPings\{9FF82282-B047-477E-AF5F-2BE408FA6D59}
Operation:	write	Name:	PersistedPingTime
Value: 133918628950363135
(PID) Process:	(2316) GoogleUpdate.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Google\Update\ClientStateMedium\{8A69D345-D564-463C-AFF1-A69D9E530F96}
Operation:	delete value	Name:	usagestats
Value:
(PID) Process:	(5376) GoogleUpdate.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Google\Update\proxy
Operation:	write	Name:	source
Value: auto
(PID) Process:	(2316) GoogleUpdate.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Google\Update\ClientState\{8A69D345-D564-463C-AFF1-A69D9E530F96}\CurrentState
Operation:	write	Name:	StateValue
Value: 3

Add for printing

Executable files

Suspicious files

343

Text files

126

Unknown types

Dropped files

PID	Process	Filename		Type
1348	a74dd3d61350462c77d870bc3b7cead5df615dc2.exe	C:\Users\admin\AppData\Local\Temp\s11g.0\Tmp.zip		compressed
		MD5:9F591241E1F293787209B12D62941D85	SHA256:3BC9DDA0770618F4BAB046C262647F9FD0CB8D546A73EF0F7F5EB29D7BE7A840
1348	a74dd3d61350462c77d870bc3b7cead5df615dc2.exe	C:\Program Files\Google\Chrome\Application\initial_preferences		binary
		MD5:692D746D9B14E8F5A5483502265FA5EA	SHA256:B4335564EA8A3087C0F1576D6B2F54D32631B534DF53BDC43C4B742F5D3F01EC
1348	a74dd3d61350462c77d870bc3b7cead5df615dc2.exe	C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Preferences		binary
		MD5:A7E6CD3E32F8817423E35596800527DC	SHA256:2AFA9818BFA6ECAE310FE2AEEAEB92D1E026DC78E99F2CE21F70D22BD8D66E6B
1348	a74dd3d61350462c77d870bc3b7cead5df615dc2.exe	C:\Users\admin\AppData\Local\Temp\s11g.0\config.bin		text
		MD5:C4894488CC579FD0811571F4F38726FD	SHA256:63873E6E4E777047563A79A3FC92F9020C6D2AF7BE81C7E8E66114BCFF7C623B
1348	a74dd3d61350462c77d870bc3b7cead5df615dc2.exe	C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Favicons-journal		binary
		MD5:AE1A7A303A125E6D6E00BCD4A38AB858	SHA256:0A28790F403BC3BFC700C092B1C51B6235EF58A0DF3FB86E1AC80FCA207FEFCC
1348	a74dd3d61350462c77d870bc3b7cead5df615dc2.exe	C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences		binary
		MD5:A046D496924EC7AD8789974A945AC332	SHA256:A54DCEF6F79B90E58F7BAF276667A672B4716AAFEDDCE0EC6B297FD9F823EBAD
1348	a74dd3d61350462c77d870bc3b7cead5df615dc2.exe	C:\Program Files\Google\Chrome\Application\bookmarks.html		html
		MD5:1FD7A47BA7100393F8D499ED8E9D349E	SHA256:2C6712E9F790760101281291F4C3F2AF47C5A6FC1992439EF3CA85E5FAE4E44B
1348	a74dd3d61350462c77d870bc3b7cead5df615dc2.exe	C:\Program Files (x86)\Google\Chrome\Application\initial_preferences		binary
		MD5:692D746D9B14E8F5A5483502265FA5EA	SHA256:B4335564EA8A3087C0F1576D6B2F54D32631B534DF53BDC43C4B742F5D3F01EC
1348	a74dd3d61350462c77d870bc3b7cead5df615dc2.exe	C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Web Data		binary
		MD5:75F5EDC4EAE9AEC201D3DC3528A28803	SHA256:7F7CB631C893CDA1ACC824AE1F7A1AD47DC4A997051D8D144E51A039FA8A170E
1348	a74dd3d61350462c77d870bc3b7cead5df615dc2.exe	C:\Users\admin\AppData\Local\Temp\s11g.0\ChromeSetup.exe		executable
		MD5:80F1BB57390EE2E4B2D24ECD658CB73C	SHA256:5855A5D52ABB60158458A90DDF8AF1115A1B6420C99A00951994CA5E14273EBA

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

123

DNS requests

155

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
2316	GoogleUpdate.exe	GET	200	142.250.186.99:80	http://c.pki.goog/r/gsr1.crl	unknown	—	—	whitelisted
7252	chrome.exe	GET	200	90.84.161.16:80	http://sdk.51.la/js-sdk-pro.min.js	unknown	—	—	unknown
2316	GoogleUpdate.exe	GET	200	142.250.186.99:80	http://o.pki.goog/we2/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTuMJxAT2trYla0jia%2F5EUSmLrk3QQUdb7Ed66J9kQ3fc%2BxaB8dGuvcNFkCEA85wFTvuwmlCdtY0UxEIqg%3D	unknown	—	—	whitelisted
6744	svchost.exe	HEAD	200	34.104.35.123:80	http://edgedl.me.gvt1.com/edgedl/release2/chrome/ii74n6hkryhvtp67bbscqhvh2i_136.0.7103.114/136.0.7103.114_chrome_installer.exe	unknown	—	—	whitelisted
2316	GoogleUpdate.exe	GET	200	142.250.186.99:80	http://c.pki.goog/r/r4.crl	unknown	—	—	whitelisted
6544	svchost.exe	GET	200	2.17.190.73:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D	unknown	—	—	whitelisted
6744	svchost.exe	GET	200	34.104.35.123:80	http://edgedl.me.gvt1.com/edgedl/release2/chrome/ii74n6hkryhvtp67bbscqhvh2i_136.0.7103.114/136.0.7103.114_chrome_installer.exe	unknown	—	—	whitelisted
7448	SIHClient.exe	GET	200	23.35.229.160:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl	unknown	—	—	whitelisted
7448	SIHClient.exe	GET	200	23.35.229.160:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl	unknown	—	—	whitelisted
7252	chrome.exe	GET	200	172.217.18.110:80	http://clients2.google.com/time/1/current?cup2key=9:fDNIdwvlCVBqbukEOtG42u41eAJDu2xazGsqPL212yg&cup2hreq=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855	unknown	—	—	whitelisted

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
2104	svchost.exe	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4	System	192.168.100.255:137	—	—	—	whitelisted
—	—	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
1348	a74dd3d61350462c77d870bc3b7cead5df615dc2.exe	101.35.136.203:443	hao.bbbxz.com	Shenzhen Tencent Computer Systems Company Limited	CN	unknown
2112	svchost.exe	40.127.240.158:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
1348	a74dd3d61350462c77d870bc3b7cead5df615dc2.exe	43.152.29.148:443	cdn.tongbuxing.net	ACE	SG	unknown
3216	svchost.exe	172.211.123.250:443	client.wns.windows.com	MICROSOFT-CORP-MSN-AS-BLOCK	FR	whitelisted
5376	GoogleUpdate.exe	142.250.181.227:443	update.googleapis.com	GOOGLE	US	whitelisted
2316	GoogleUpdate.exe	142.250.181.227:443	update.googleapis.com	GOOGLE	US	whitelisted

DNS requests

Domain	IP	Reputation
hao.bbbxz.com	101.35.136.203	unknown
settings-win.data.microsoft.com	40.127.240.158 51.104.136.2	whitelisted
cdn.tongbuxing.net	43.152.29.148 43.152.28.41 43.152.28.111 43.152.28.77 43.152.26.142 43.152.29.101 43.152.26.154 43.152.26.209 43.152.28.43 43.152.26.239 43.152.26.151 43.152.29.77 43.152.29.72 43.152.26.238 43.152.26.197	unknown
client.wns.windows.com	172.211.123.250	whitelisted
update.googleapis.com	142.250.181.227	whitelisted
dl.google.com	142.250.185.142	whitelisted
c.pki.goog	142.250.186.99	whitelisted
o.pki.goog	142.250.186.99	whitelisted
edgedl.me.gvt1.com	34.104.35.123	whitelisted
login.live.com	20.190.160.22 40.126.32.76 20.190.160.132 20.190.160.5 20.190.160.66 20.190.160.128 20.190.160.14 40.126.32.133 40.126.31.131 20.190.159.2 20.190.159.64 40.126.31.71 20.190.159.68 40.126.31.0 20.190.159.130 40.126.31.130	whitelisted

Threats

PID	Process	Class	Message
6744	svchost.exe	Misc activity	ET INFO Packed Executable Download
6744	svchost.exe	Potential Corporate Privacy Violation	ET INFO PE EXE or DLL Windows file download HTTP
6744	svchost.exe	Misc activity	ET INFO EXE - Served Attached HTTP
7252	chrome.exe	Not Suspicious Traffic	INFO [ANY.RUN] Google Tag Manager analytics (googletagmanager .com)
7252	chrome.exe	Not Suspicious Traffic	INFO [ANY.RUN] Google Tag Manager analytics (googletagmanager .com)
7252	chrome.exe	Not Suspicious Traffic	INFO [ANY.RUN] Google Tag Manager analytics (googletagmanager .com)
7252	chrome.exe	Not Suspicious Traffic	INFO [ANY.RUN] Google Tag Manager analytics (googletagmanager .com)

Add for printing

No debug info

General Info

a74dd3d61350462c77d870bc3b7cead5df615dc2

4F8CA86DE2ED2DF5F931DCE222F0216C

A74DD3D61350462C77D870BC3B7CEAD5DF615DC2

386B77C682977D5335C384F5BBE5A8394627C35A95CA2DD7BEF5CA00CD753205

98304:ZLOBybVS1Ua2IhMvwoyOVN9QN84PRCUFeEf5nWFJ6jbwzc5QFshFeDhuDYh+YyYg:op6IZ

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Changes the autorun value in the registry

SUSPICIOUS

Uses TASKKILL.EXE to kill process

Executable content was dropped or overwritten

Starts CMD.EXE for commands execution

Reads security settings of Internet Explorer

Uses ATTRIB.EXE to modify file attributes

Potential Corporate Privacy Violation

Process requests binary or script from the Internet

Application launched itself

There is functionality for taking screenshot (YARA)

Creates a software uninstall entry

Starts itself from another location

Searches for installed software

INFO

Checks supported languages

Reads the machine GUID from the registry

Reads the computer name

The sample compiled with chinese language support

The sample compiled with english language support

Create files in a temporary directory

Creates files in the program directory

Creates a new folder

Creates files or folders in the user directory

Process checks computer location settings

The sample compiled with german language support

The sample compiled with arabic language support

The sample compiled with Italian language support

The sample compiled with czech language support

The sample compiled with spanish language support

The sample compiled with Indonesian language support

The sample compiled with french language support

The sample compiled with portuguese language support

The sample compiled with korean language support

The sample compiled with japanese language support

The sample compiled with russian language support

The sample compiled with polish language support

The sample compiled with slovak language support

The sample compiled with bulgarian language support

Reads the software policy settings

The sample compiled with swedish language support

The sample compiled with turkish language support

Checks proxy server information

Executes as Windows Service

Manual execution by a user

Application launched itself

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules