Malware analysis GoogleChrome.exe Malicious activity | ANY.RUN

Add for printing

File name:	GoogleChrome.exe
Full analysis:	https://app.any.run/tasks/9f9825d5-5516-4bab-8c53-a53007e3a28b
Verdict:	Malicious activity
Threats:	A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. Malware Trends Tracker >>>
Analysis date:	April 25, 2025, 04:44:50
OS:	Windows 10 Professional (build: 19044, 64 bit)
Tags:	loader
Indicators:
MIME:	application/vnd.microsoft.portable-executable
File info:	PE32 executable (GUI) Intel 80386, for MS Windows, 5 sections
MD5:	7781F5E47330791FEFAF9B6057CA2725
SHA1:	B8402513094B90E94B6662DF39C09D99CA6B6AB7
SHA256:	667969367B5870C729148EA106B496D7A0A0D0F5E290AF3B64CBAA9CD6B22C24
SSDEEP:	49152:g0C1Ms/5toaO6/V43YTt2kqQ6vltjsA0UpWwIOUo1YKu927wpIcBWkZCSEKE/ZXI:9EL/Tonh3YTt3wvjjf0W6OUo1YKu92sp

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 120 seconds
Heavy Evasion option:: off
Network geolocation:: off
Additional time used:: 60 seconds
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.3636.19041.0
Adobe Acrobat (64-bit) (23.001.20093)
Adobe Flash Player 32 NPAPI (32.0.0.465)
Adobe Flash Player 32 PPAPI (32.0.0.465)
CCleaner (6.20)
FileZilla 3.65.0 (3.65.0)
Google Chrome (122.0.6261.70)
Google Update Helper (1.3.36.51)
Java 8 Update 271 (64-bit) (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Microsoft Edge (122.0.2365.59)
Microsoft Edge Update (1.3.185.17)
Microsoft Office Professional 2019 - de-de (16.0.16026.20146)
Microsoft Office Professional 2019 - en-us (16.0.16026.20146)
Microsoft Office Professional 2019 - es-es (16.0.16026.20146)
Microsoft Office Professional 2019 - it-it (16.0.16026.20146)
Microsoft Office Professional 2019 - ja-jp (16.0.16026.20146)
Microsoft Office Professional 2019 - ko-kr (16.0.16026.20146)
Microsoft Office Professional 2019 - pt-br (16.0.16026.20146)
Microsoft Office Professional 2019 - tr-tr (16.0.16026.20146)
Microsoft Office Professionnel 2019 - fr-fr (16.0.16026.20146)
Microsoft Office профессиональный 2019 - ru-ru (16.0.16026.20146)
Microsoft OneNote - en-us (16.0.16026.20146)
Microsoft Update Health Tools (3.74.0.0)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x64 en-US) (123.0)
Mozilla Maintenance Service (123.0)
Notepad++ (64-bit x64) (7.9.1)
Office 16 Click-to-Run Extensibility Component (16.0.15726.20202)
Office 16 Click-to-Run Licensing Component (16.0.16026.20146)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15928.20198)
PowerShell 7-x64 (7.3.5.0)
Skype version 8.104 (8.104)
Update for Windows 10 for x64-based Systems (KB4023057) (2.59.0.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.63.0.0)
Update for Windows 10 for x64-based Systems (KB4480730) (2.55.0.0)
Update for Windows 10 for x64-based Systems (KB5001716) (8.93.0.0)
VLC media player (3.0.11)
WinRAR 5.91 (64-bit) (5.91.0)
Windows PC Health Check (3.6.2204.08001)

Hotfixes

Client LanguagePack Package
DotNetRollup
DotNetRollup 481
FodMetadata Package
Foundation Package
Hello Face Package
InternetExplorer Optional Package
KB5003791
KB5011048
KB5015684
KB5033052
LanguageFeatures Basic en us Package
LanguageFeatures Handwriting en us Package
LanguageFeatures OCR en us Package
LanguageFeatures Speech en us Package
LanguageFeatures TextToSpeech en us Package
MSPaint FoD Package
MediaPlayer Package
Microsoft OneCore ApplicationModel Sync Desktop FOD Package
Microsoft OneCore DirectX Database FOD Package
NetFx3 OnDemand Package
Notepad FoD Package
OpenSSH Client Package
PowerShell ISE FOD Package
Printing PMCPPC FoD Package
Printing WFS FoD Package
ProfessionalEdition
QuickAssist Package
RollupFix
ServicingStack
ServicingStack 3989
StepsRecorder Package
TabletPCMath Package
UserExperience Desktop Package
WordPad FoD Package

Add for printing

MALICIOUS
- Changes the autorun value in the registry
  - setup.exe (PID: 7816)
SUSPICIOUS
- Executable content was dropped or overwritten
  - GoogleChrome.exe (PID: 6244)
  - GoogleUpdateSetup.exe (PID: 4980)
  - 135.0.7049.115_chrome_installer.exe (PID: 7792)
  - setup.exe (PID: 7816)
- Reads security settings of Internet Explorer
  - GoogleUpdate.exe (PID: 4756)
  - GoogleUpdate.exe (PID: 920)
  - GoogleUpdate.exe (PID: 1452)
- Potential Corporate Privacy Violation
  - svchost.exe (PID: 6644)
- There is functionality for taking screenshot (YARA)
  - GoogleUpdate.exe (PID: 4756)
- Process requests binary or script from the Internet
  - svchost.exe (PID: 6644)
- Application launched itself
  - setup.exe (PID: 7816)
  - setup.exe (PID: 7900)
  - GoogleUpdate.exe (PID: 1452)
- Searches for installed software
  - setup.exe (PID: 7816)
- Creates a software uninstall entry
  - setup.exe (PID: 7816)
  - chrome.exe (PID: 8104)
INFO
- The sample compiled with german language support
  - GoogleChrome.exe (PID: 6244)
  - GoogleUpdateSetup.exe (PID: 4980)
- The sample compiled with czech language support
  - GoogleChrome.exe (PID: 6244)
  - GoogleUpdateSetup.exe (PID: 4980)
- The sample compiled with arabic language support
  - GoogleChrome.exe (PID: 6244)
  - GoogleUpdateSetup.exe (PID: 4980)
- The sample compiled with english language support
  - GoogleChrome.exe (PID: 6244)
  - GoogleUpdateSetup.exe (PID: 4980)
  - svchost.exe (PID: 6644)
  - 135.0.7049.115_chrome_installer.exe (PID: 7792)
  - setup.exe (PID: 7816)
- The sample compiled with spanish language support
  - GoogleChrome.exe (PID: 6244)
  - GoogleUpdateSetup.exe (PID: 4980)
- The sample compiled with french language support
  - GoogleChrome.exe (PID: 6244)
  - GoogleUpdateSetup.exe (PID: 4980)
- The sample compiled with bulgarian language support
  - GoogleChrome.exe (PID: 6244)
  - GoogleUpdateSetup.exe (PID: 4980)
- The sample compiled with Indonesian language support
  - GoogleChrome.exe (PID: 6244)
  - GoogleUpdateSetup.exe (PID: 4980)
- Create files in a temporary directory
  - GoogleChrome.exe (PID: 6244)
  - GoogleUpdate.exe (PID: 1452)
  - svchost.exe (PID: 6644)
- The sample compiled with Italian language support
  - GoogleChrome.exe (PID: 6244)
  - GoogleUpdateSetup.exe (PID: 4980)
- The sample compiled with japanese language support
  - GoogleChrome.exe (PID: 6244)
  - GoogleUpdateSetup.exe (PID: 4980)
- The sample compiled with korean language support
  - GoogleChrome.exe (PID: 6244)
  - GoogleUpdateSetup.exe (PID: 4980)
- The sample compiled with polish language support
  - GoogleChrome.exe (PID: 6244)
  - GoogleUpdateSetup.exe (PID: 4980)
- The sample compiled with portuguese language support
  - GoogleChrome.exe (PID: 6244)
  - GoogleUpdateSetup.exe (PID: 4980)
- The sample compiled with russian language support
  - GoogleChrome.exe (PID: 6244)
  - GoogleUpdateSetup.exe (PID: 4980)
- The sample compiled with slovak language support
  - GoogleChrome.exe (PID: 6244)
  - GoogleUpdateSetup.exe (PID: 4980)
- The sample compiled with swedish language support
  - GoogleChrome.exe (PID: 6244)
  - GoogleUpdateSetup.exe (PID: 4980)
- The sample compiled with turkish language support
  - GoogleChrome.exe (PID: 6244)
  - GoogleUpdateSetup.exe (PID: 4980)
- The sample compiled with chinese language support
  - GoogleChrome.exe (PID: 6244)
  - GoogleUpdateSetup.exe (PID: 4980)
- Checks supported languages
  - GoogleUpdate.exe (PID: 4756)
  - GoogleChrome.exe (PID: 6244)
  - GoogleUpdateSetup.exe (PID: 4980)
  - GoogleUpdate.exe (PID: 4988)
  - GoogleUpdate.exe (PID: 1184)
  - GoogleUpdate.exe (PID: 920)
  - GoogleUpdate.exe (PID: 1452)
  - 135.0.7049.115_chrome_installer.exe (PID: 7792)
  - setup.exe (PID: 7816)
  - setup.exe (PID: 7836)
  - setup.exe (PID: 7920)
  - setup.exe (PID: 7900)
  - GoogleUpdate.exe (PID: 7996)
  - GoogleUpdate.exe (PID: 8032)
  - GoogleUpdateOnDemand.exe (PID: 8012)
  - elevation_service.exe (PID: 7468)
- Reads the computer name
  - GoogleUpdate.exe (PID: 4756)
  - GoogleUpdate.exe (PID: 920)
  - GoogleUpdate.exe (PID: 4988)
  - GoogleUpdate.exe (PID: 1452)
  - GoogleUpdate.exe (PID: 1184)
  - 135.0.7049.115_chrome_installer.exe (PID: 7792)
  - setup.exe (PID: 7900)
  - GoogleUpdate.exe (PID: 7996)
  - setup.exe (PID: 7816)
  - GoogleUpdate.exe (PID: 8032)
  - elevation_service.exe (PID: 7468)
- Process checks computer location settings
  - GoogleUpdate.exe (PID: 4756)
  - GoogleUpdate.exe (PID: 920)
- Creates files in the program directory
  - GoogleUpdate.exe (PID: 920)
  - GoogleUpdate.exe (PID: 4988)
  - GoogleUpdate.exe (PID: 1184)
  - GoogleUpdate.exe (PID: 1452)
  - 135.0.7049.115_chrome_installer.exe (PID: 7792)
  - setup.exe (PID: 7816)
  - setup.exe (PID: 7900)
  - GoogleUpdate.exe (PID: 7996)
- Checks proxy server information
  - GoogleUpdate.exe (PID: 1184)
  - GoogleUpdate.exe (PID: 1452)
  - GoogleUpdate.exe (PID: 7996)
- Reads the software policy settings
  - GoogleUpdate.exe (PID: 1452)
  - GoogleUpdate.exe (PID: 1184)
  - GoogleUpdate.exe (PID: 7996)
- Reads the machine GUID from the registry
  - GoogleUpdate.exe (PID: 1452)
- Creates files or folders in the user directory
  - GoogleUpdate.exe (PID: 1452)
- Executes as Windows Service
  - elevation_service.exe (PID: 7468)
- Application launched itself
  - chrome.exe (PID: 8104)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.exe	\|	Win64 Executable (generic) (76.4)
.exe	\|	Win32 Executable (generic) (12.4)
.exe	\|	Generic Win/DOS Executable (5.5)
.exe	\|	DOS Executable Generic (5.5)

EXIF

EXE

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2023:05:30 18:47:35+00:00
ImageFileCharacteristics:	Executable, Large address aware, 32-bit
PEType:	PE32
LinkerVersion:	14.2
CodeSize:	96256
InitializedDataSize:	1254400
UninitializedDataSize:	-
EntryPoint:	0x5374
OSVersion:	5.1
ImageVersion:	-
SubsystemVersion:	5.1
Subsystem:	Windows GUI
FileVersionNumber:	1.3.36.272
ProductVersionNumber:	1.3.36.272
FileFlagsMask:	0x003f
FileFlags:	(none)
FileOS:	Windows NT 32-bit
ObjectFileType:	Executable application
FileSubtype:	-
LanguageCode:	English (U.S.)
CharacterSet:	Unicode
CompanyName:	Google LLC
FileDescription:	Google Update Setup
FileVersion:	1.3.36.272
InternalName:	Google Update Setup
LegalCopyright:	Copyright 2018 Google LLC
OriginalFileName:	GoogleUpdateSetup.exe
ProductName:	Google Update
ProductVersion:	1.3.36.272
LanguageId:	en

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

167

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

208

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=16 --field-trial-handle=1988,i,665496165208840963,15465198506617550316,262144 --variations-seed-version --mojo-platform-channel-handle=6264 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

—

chrome.exe

User:

admin

Company:

Google LLC

Integrity Level:

LOW

Description:

Google Chrome

Version:

135.0.7049.115

Modules

Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\google\chrome\application\135.0.7049.115\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll

920

C:\WINDOWS\SystemTemp\GUMBBE0.tmp\GoogleUpdate.exe /installsource taggedmi /install "appguid={8A69D345-D564-463C-AFF1-A69D9E530F96}&iid={2E200A24-0EB5-0E1D-E193-B2D632BDBE60}&lang=ru&browser=4&usagestats=0&appname=Google%20Chrome&needsadmin=prefers&ap=x64-stable-statsdef_1&installdataindex=empty" /installelevated

C:\Windows\SystemTemp\GUMBBE0.tmp\GoogleUpdate.exe

—

GoogleUpdateSetup.exe

User:

admin

Company:

Google LLC

Integrity Level:

HIGH

Description:

Google Installer

Exit code:

Version:

1.3.36.271

Modules

Images
c:\windows\systemtemp\gumbbe0.tmp\googleupdate.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll

1128

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=1988,i,665496165208840963,15465198506617550316,262144 --variations-seed-version --mojo-platform-channel-handle=3360 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

—

chrome.exe

User:

admin

Company:

Google LLC

Integrity Level:

LOW

Description:

Google Chrome

Version:

135.0.7049.115

Modules

Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\google\chrome\application\135.0.7049.115\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll

1184

"C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4zNi4yNzIiIHNoZWxsX3ZlcnNpb249IjEuMy4zNi41MSIgaXNtYWNoaW5lPSIxIiBzZXNzaW9uaWQ9IntFMDdFMUI0NC1GN0QwLTQ5QTAtQTY2NS05QkNDOTIzQ0U5MTZ9IiBpbnN0YWxsc291cmNlPSJ0YWdnZWRtaSIgcmVxdWVzdGlkPSJ7NTIyMDIzMEEtODg2QS00RTBDLUEyMkEtQUZENkEzMTAyREI2fSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBwaHlzbWVtb3J5PSI0IiBzc2U9IjEiIHNzZTI9IjEiIHNzZTM9IjEiIHNzc2UzPSIxIiBzc2U0MT0iMSIgc3NlNDI9IjEiIGF2eD0iMSIvPjxvcyBwbGF0Zm9ybT0id2luIiB2ZXJzaW9uPSIxMC4wLjE5MDQ1LjQwNDYiIHNwPSIiIGFyY2g9Ing2NCIvPjxhcHAgYXBwaWQ9Ins0MzBGRDREMC1CNzI5LTRGNjEtQUEzNC05MTUyNjQ4MTc5OUR9IiB2ZXJzaW9uPSIxLjMuMzYuMzcyIiBuZXh0dmVyc2lvbj0iMS4zLjM2LjI3MiIgbGFuZz0icnUiIGJyYW5kPSIiIGNsaWVudD0iIiBpaWQ9InsyRTIwMEEyNC0wRUI1LTBFMUQtRTE5My1CMkQ2MzJCREJFNjB9Ij48ZXZlbnQgZXZlbnR0eXBlPSIyIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIwIiBpbnN0YWxsX3RpbWVfbXM9IjMxMyIvPjwvYXBwPjwvcmVxdWVzdD4

C:\Program Files (x86)\Google\Update\GoogleUpdate.exe

GoogleUpdate.exe

User:

admin

Company:

Google LLC

Integrity Level:

HIGH

Description:

Google Installer

Exit code:

Version:

1.3.36.51

Modules

Images
c:\program files (x86)\google\update\googleupdate.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll

1452

"C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /handoff "appguid={8A69D345-D564-463C-AFF1-A69D9E530F96}&iid={2E200A24-0EB5-0E1D-E193-B2D632BDBE60}&lang=ru&browser=4&usagestats=0&appname=Google%20Chrome&needsadmin=prefers&ap=x64-stable-statsdef_1&installdataindex=empty" /installsource taggedmi /sessionid "{E07E1B44-F7D0-49A0-A665-9BCC923CE916}"

C:\Program Files (x86)\Google\Update\GoogleUpdate.exe

GoogleUpdate.exe

User:

admin

Company:

Google LLC

Integrity Level:

HIGH

Description:

Google Installer

Exit code:

Version:

1.3.36.51

Modules

Images
c:\program files (x86)\google\update\googleupdate.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll

2192

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=13 --field-trial-handle=1988,i,665496165208840963,15465198506617550316,262144 --variations-seed-version --mojo-platform-channel-handle=5468 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

—

chrome.exe

User:

admin

Company:

Google LLC

Integrity Level:

LOW

Description:

Google Chrome

Exit code:

Version:

135.0.7049.115

Modules

Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\google\chrome\application\135.0.7049.115\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll

2420

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=1988,i,665496165208840963,15465198506617550316,262144 --variations-seed-version --mojo-platform-channel-handle=3328 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

—

chrome.exe

User:

admin

Company:

Google LLC

Integrity Level:

LOW

Description:

Google Chrome

Exit code:

Version:

135.0.7049.115

Modules

Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\google\chrome\application\135.0.7049.115\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll

2984

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=1988,i,665496165208840963,15465198506617550316,262144 --variations-seed-version --mojo-platform-channel-handle=4112 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

—

chrome.exe

User:

admin

Company:

Google LLC

Integrity Level:

LOW

Description:

Google Chrome

Version:

135.0.7049.115

Modules

Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\google\chrome\application\135.0.7049.115\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll

4756

C:\Users\admin\AppData\Local\Temp\GUMB5A6.tmp\GoogleUpdate.exe /installsource taggedmi /install "appguid={8A69D345-D564-463C-AFF1-A69D9E530F96}&iid={2E200A24-0EB5-0E1D-E193-B2D632BDBE60}&lang=ru&browser=4&usagestats=0&appname=Google%20Chrome&needsadmin=prefers&ap=x64-stable-statsdef_1&installdataindex=empty"

C:\Users\admin\AppData\Local\Temp\GUMB5A6.tmp\GoogleUpdate.exe

—

GoogleChrome.exe

User:

admin

Company:

Google LLC

Integrity Level:

MEDIUM

Description:

Google Installer

Exit code:

Version:

1.3.36.271

Modules

Images
c:\users\admin\appdata\local\temp\gumb5a6.tmp\googleupdate.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll

4892

C:\WINDOWS\system32\SppExtComObj.exe -Embedding

C:\Windows\System32\SppExtComObj.Exe

—

svchost.exe

User:

NETWORK SERVICE

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

KMS Connection Broker

Version:

10.0.19041.3996 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\sppextcomobj.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\oleaut32.dll

Add for printing

Total events

9 060

Read events

7 562

Write events

1 479

Delete events

Modification events


(PID) Process:	(4756) GoogleUpdate.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Google\Update
Operation:	delete value	Name:	uid
Value:
(PID) Process:	(4756) GoogleUpdate.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Google\Update
Operation:	delete value	Name:	old-uid
Value:
(PID) Process:	(920) GoogleUpdate.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Google\Update
Operation:	delete value	Name:	uid
Value:
(PID) Process:	(920) GoogleUpdate.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Google\Update
Operation:	delete value	Name:	old-uid
Value:
(PID) Process:	(920) GoogleUpdate.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Google\Update\ClientStateMedium\{8A69D345-D564-463C-AFF1-A69D9E530F96}
Operation:	delete value	Name:	usagestats
Value:
(PID) Process:	(920) GoogleUpdate.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}
Operation:	delete value	Name:	UpdateAvailableCount
Value:
(PID) Process:	(920) GoogleUpdate.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}
Operation:	delete value	Name:	UpdateAvailableSince
Value:
(PID) Process:	(920) GoogleUpdate.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}
Operation:	write	Name:	iid
Value: {2E200A24-0EB5-0E1D-E193-B2D632BDBE60}
(PID) Process:	(920) GoogleUpdate.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Google\Update\PersistedPings\{5220230A-886A-4E0C-A22A-AFD6A3102DB6}
Operation:	write	Name:	PersistedPingString
Value: <?xml version="1.0" encoding="UTF-8"?><request protocol="3.0" updater="Omaha" updaterversion="1.3.36.272" shell_version="1.3.36.51" ismachine="1" sessionid="{E07E1B44-F7D0-49A0-A665-9BCC923CE916}" installsource="taggedmi" requestid="{5220230A-886A-4E0C-A22A-AFD6A3102DB6}" dedup="cr" domainjoined="0"><hw physmemory="4" sse="1" sse2="1" sse3="1" ssse3="1" sse41="1" sse42="1" avx="1"/><os platform="win" version="10.0.19045.4046" sp="" arch="x64"/><app appid="{430FD4D0-B729-4F61-AA34-91526481799D}" version="1.3.36.372" nextversion="1.3.36.272" lang="ru" brand="" client="" iid="{2E200A24-0EB5-0E1D-E193-B2D632BDBE60}"><event eventtype="2" eventresult="1" errorcode="0" extracode1="0" install_time_ms="313"/></app></request>
(PID) Process:	(920) GoogleUpdate.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Google\Update\PersistedPings\{5220230A-886A-4E0C-A22A-AFD6A3102DB6}
Operation:	write	Name:	PersistedPingTime
Value: 133900298998711574

Add for printing

Executable files

141

Suspicious files

Text files

Unknown types

Dropped files

PID	Process	Filename		Type
6244	GoogleChrome.exe	C:\Users\admin\AppData\Local\Temp\GUMB5A6.tmp\GoogleUpdateOnDemand.exe		executable
		MD5:456C34FF37DB338EF6108086F5D17BC2	SHA256:74B1373752DF8B259E44BC69CD0FCE3E268C82C5814ACC8155CB1BF36CCA60CF
6244	GoogleChrome.exe	C:\Users\admin\AppData\Local\Temp\GUMB5A6.tmp\goopdate.dll		executable
		MD5:682F50048847F3EDD03E7503F8AF7D00	SHA256:4BED4E6B3C86731A4FEC2A7022E66921465B5CA2BEFB6BC83606012E3C6D6AF0
6244	GoogleChrome.exe	C:\Users\admin\AppData\Local\Temp\GUMB5A6.tmp\GoogleUpdateComRegisterShell64.exe		executable
		MD5:C2C0992A4565B32FAF92CB0B21765CA8	SHA256:F9A6647B72D9A8F98F776A2EE202F90231B2B3B5E7FDC91B60F42D6AA77F151B
6244	GoogleChrome.exe	C:\Users\admin\AppData\Local\Temp\GUMB5A6.tmp\psmachine_64.dll		executable
		MD5:8AEE70895C90F43DA8A21664A69B6310	SHA256:EE967736BAE3CC9A907F1F27B5285EBE2C2901D49B024DBC405BB21E32C9DF42
6244	GoogleChrome.exe	C:\Users\admin\AppData\Local\Temp\GUMB5A6.tmp\GoogleCrashHandler.exe		executable
		MD5:754800639676DB690F90ED5822B0E2D1	SHA256:752F11284D89BB67E2D5AA1D537486AA2BC0DACD5B2D90B5F9DC8F899396CCF5
6244	GoogleChrome.exe	C:\Users\admin\AppData\Local\Temp\GUMB5A6.tmp\GoogleUpdate.exe		executable
		MD5:5722709CB676E5B6F2473943F9E71632	SHA256:0C48C63ACEC1892ECF03AB327D6584ADFE084E8470D165A91F793D7C28F70EEB
6244	GoogleChrome.exe	C:\Users\admin\AppData\Local\Temp\GUMB5A6.tmp\goopdateres_de.dll		executable
		MD5:CEBC631EA37EAE8EB31555412621A0DB	SHA256:C9EA94965D8B6C30749F8A72680583EFB792145817B545164BC32459DB8F7C48
6244	GoogleChrome.exe	C:\Users\admin\AppData\Local\Temp\GUMB5A6.tmp\goopdateres_ar.dll		executable
		MD5:5FD2043838B2A9BFF0AC76018947FCBF	SHA256:3598ACDFF7C7B1DB28D37EEF89ACE635A0DF4A9AE016010E9A9159F3E7533B96
6244	GoogleChrome.exe	C:\Users\admin\AppData\Local\Temp\GUMB5A6.tmp\goopdateres_am.dll		executable
		MD5:421DA80922569B608C10A6E38E2A4AB2	SHA256:003CB6789AF84AF768DAA1AC0A6D8017D765371852FC3E4C7771AD85DC25A58B
6244	GoogleChrome.exe	C:\Users\admin\AppData\Local\Temp\GUMB5A6.tmp\goopdateres_bn.dll		executable
		MD5:0BBF329D032E31318EE05FA16BC9AE27	SHA256:0F6FCD0152D11AE2A2A0A234076123E66B54D9CC0C774BB5888FE89BDDC99839

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
5496	MoUsoCoreWorker.exe	GET	200	95.101.63.66:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
5496	MoUsoCoreWorker.exe	GET	200	2.23.181.156:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
—	—	GET	200	2.23.181.156:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
1452	GoogleUpdate.exe	GET	200	142.250.181.227:80	http://c.pki.goog/r/r4.crl	unknown	—	—	whitelisted
1452	GoogleUpdate.exe	GET	200	142.250.181.227:80	http://c.pki.goog/r/gsr1.crl	unknown	—	—	whitelisted
1452	GoogleUpdate.exe	GET	200	142.250.181.227:80	http://o.pki.goog/we2/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBTuMJxAT2trYla0jia%2F5EUSmLrk3QQUdb7Ed66J9kQ3fc%2BxaB8dGuvcNFkCEQDQZgpWpezrXAmFnbj86J49	unknown	—	—	whitelisted
6644	svchost.exe	HEAD	200	34.104.35.123:80	http://edgedl.me.gvt1.com/edgedl/release2/chrome/ackxpvrm3yhql4zsr7kcxuakkwkq_135.0.7049.115/135.0.7049.115_chrome_installer.exe	unknown	—	—	whitelisted
6644	svchost.exe	GET	200	34.104.35.123:80	http://edgedl.me.gvt1.com/edgedl/release2/chrome/ackxpvrm3yhql4zsr7kcxuakkwkq_135.0.7049.115/135.0.7049.115_chrome_installer.exe	unknown	—	—	whitelisted
6544	svchost.exe	GET	200	23.63.118.230:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D	unknown	—	—	whitelisted
7652	SIHClient.exe	GET	200	23.219.150.101:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl	unknown	—	—	whitelisted

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:137	—	—	—	whitelisted
—	—	40.127.240.158:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
5496	MoUsoCoreWorker.exe	95.101.63.66:80	crl.microsoft.com	Akamai International B.V.	GB	whitelisted
5496	MoUsoCoreWorker.exe	2.23.181.156:80	www.microsoft.com	AKAMAI-AS	DE	unknown
—	—	2.23.181.156:80	www.microsoft.com	AKAMAI-AS	DE	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
1184	GoogleUpdate.exe	142.250.186.163:443	update.googleapis.com	GOOGLE	US	whitelisted
1452	GoogleUpdate.exe	142.250.186.163:443	update.googleapis.com	GOOGLE	US	whitelisted
1452	GoogleUpdate.exe	142.250.185.110:443	dl.google.com	GOOGLE	US	whitelisted
1452	GoogleUpdate.exe	142.250.181.227:80	c.pki.goog	GOOGLE	US	whitelisted

DNS requests

Domain	IP	Reputation
settings-win.data.microsoft.com	40.127.240.158 51.104.136.2	whitelisted
crl.microsoft.com	95.101.63.66 72.247.176.73	whitelisted
www.microsoft.com	2.23.181.156 23.219.150.101	whitelisted
google.com	142.250.185.206	whitelisted
update.googleapis.com	142.250.186.163	whitelisted
dl.google.com	142.250.185.110	whitelisted
c.pki.goog	142.250.181.227	whitelisted
o.pki.goog	142.250.181.227	whitelisted
edgedl.me.gvt1.com	34.104.35.123	whitelisted
client.wns.windows.com	172.211.123.249	whitelisted

Threats

PID	Process	Class	Message
6644	svchost.exe	Potential Corporate Privacy Violation	ET INFO PE EXE or DLL Windows file download HTTP
6644	svchost.exe	Misc activity	ET INFO Packed Executable Download
6644	svchost.exe	Misc activity	ET INFO EXE - Served Attached HTTP

Add for printing

No debug info

General Info

GoogleChrome.exe

7781F5E47330791FEFAF9B6057CA2725

B8402513094B90E94B6662DF39C09D99CA6B6AB7

667969367B5870C729148EA106B496D7A0A0D0F5E290AF3B64CBAA9CD6B22C24

49152:g0C1Ms/5toaO6/V43YTt2kqQ6vltjsA0UpWwIOUo1YKu927wpIcBWkZCSEKE/ZXI:9EL/Tonh3YTt3wvjjf0W6OUo1YKu92sp

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Changes the autorun value in the registry

SUSPICIOUS

Executable content was dropped or overwritten

Reads security settings of Internet Explorer

Potential Corporate Privacy Violation

There is functionality for taking screenshot (YARA)

Process requests binary or script from the Internet

Application launched itself

Searches for installed software

Creates a software uninstall entry

INFO

The sample compiled with german language support

The sample compiled with czech language support

The sample compiled with arabic language support

The sample compiled with english language support

The sample compiled with spanish language support

The sample compiled with french language support

The sample compiled with bulgarian language support

The sample compiled with Indonesian language support

Create files in a temporary directory

The sample compiled with Italian language support

The sample compiled with japanese language support

The sample compiled with korean language support

The sample compiled with polish language support

The sample compiled with portuguese language support

The sample compiled with russian language support

The sample compiled with slovak language support

The sample compiled with swedish language support

The sample compiled with turkish language support

The sample compiled with chinese language support

Checks supported languages

Reads the computer name

Process checks computer location settings

Creates files in the program directory

Checks proxy server information

Reads the software policy settings

Reads the machine GUID from the registry

Creates files or folders in the user directory

Executes as Windows Service

Application launched itself

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules