File name:	ChromeUpdater.exe
Full analysis:	https://app.any.run/tasks/062305c0-8947-47e0-883c-ea825b418efa
Verdict:	Malicious activity
Threats:	A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. Malware Trends Tracker >>>
Analysis date:	August 29, 2024, 14:54:04
OS:	Windows 10 Professional (build: 19045, 64 bit)
Tags:	loader
Indicators:
MIME:	application/x-dosexec
File info:	PE32+ executable (GUI) x86-64, for MS Windows
MD5:	F765A1B738C578E624078F0199278B97
SHA1:	7446E9353FA590ACE1C04363EAFCB3B64665D509
SHA256:	810791CCD63225A766DD580E0E83D502DF14172812FB912997E6A844BC9D7F6C
SSDEEP:	12288:M6tsEz3F8NtzpL75x6VulMKKY5xcH7XD:HVzy1pL75xUuJj2bD

.exe	\|	Win64 Executable (generic) (64.6)
.dll	\|	Win32 Dynamic Link Library (generic) (15.4)
.exe	\|	Win32 Executable (generic) (10.5)
.exe	\|	Generic Win/DOS Executable (4.6)
.exe	\|	DOS Executable Generic (4.6)

MachineType:	AMD AMD64
TimeStamp:	2024:08:22 12:10:09+00:00
ImageFileCharacteristics:	Executable, Large address aware
PEType:	PE32+
LinkerVersion:	11
CodeSize:	141824
InitializedDataSize:	172544
UninitializedDataSize:	-
EntryPoint:	0x106f4
OSVersion:	6
ImageVersion:	-
SubsystemVersion:	6
Subsystem:	Windows GUI
FileVersionNumber:	1.2.0.1
ProductVersionNumber:	1.2.0.1
FileFlagsMask:	0x003f
FileFlags:	(none)
FileOS:	Windows NT 32-bit
ObjectFileType:	Executable application
FileSubtype:	-
LanguageCode:	Unknown (1401)
CharacterSet:	Unicode
CompanyName:	Microsoft
FileDescription:	Services.exe
FileVersion:	1.2.0.1
InternalName:	Services.exe
LegalCopyright:	Copyright (C) 2024
OriginalFileName:	Services.exe
ProductName:	Services.exe
ProductVersion:	1.2.0.1


(PID) Process:	(4552) explorer.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Shell\Bags\1\Desktop
Operation:	write	Name:	IconLayouts
Value: 0000000000000000000000000000000003000100010001000F000000000000002C000000000000003A003A007B00360034003500460046003000340030002D0035003000380031002D0031003000310042002D0039004600300038002D003000300041004100300030003200460039003500340045007D003E002000200000001000000000000000430043006C00650061006E00650072002E006C006E006B003E0020007C0000001500000000000000410064006F006200650020004100630072006F006200610074002E006C006E006B003E0020007C0000000F00000000000000460069007200650066006F0078002E006C006E006B003E0020007C000000150000000000000047006F006F0067006C00650020004300680072006F006D0065002E006C006E006B003E0020007C000000180000000000000056004C00430020006D006500640069006100200070006C0061007900650072002E006C006E006B003E0020007C00000016000000000000004D006900630072006F0073006F0066007400200045006400670065002E006C006E006B003E0020007C0000000D0000000000000053006B007900700065002E006C006E006B003E0020007C0000001400000000000000650071007500690070006D0065006E0074006100640064002E0070006E0067003E002000200000001500000000000000650076006500720079006F006E006500700065006100630065002E006A00700067003E0020002000000013000000000000006D006100740065007200690061006C006300610074002E007200740066003E0020002000000011000000000000007300680061006C006C0062006F006F006B002E006A00700067003E00200020000000120000000000000077006500720065007400690074006C00650073002E007200740066003E00200020000000130000000000000077006F0072006400730070006F0069006E00740073002E007200740066003E0020002000000015000000000000004300680072006F006D00650055007000640061007400650072002E006500780065003E00200020000000010000000000000002000100000000000000000001000000000000000200010000000000000000001100000006000000010000000F00000000000000000000000000000000000000803F0000004008000000803F0000404009000000803F000080400A000000803F0000A0400B0000000040000000000C00000000400000803F0D00000000000000803F0100000000000000004002000000000000004040030000000000000080400400000000000000A04005000000803F0000000006000000803F0000803F070000000040000000400E00
(PID) Process:	(4552) explorer.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Shell\Bags\1\Desktop
Operation:	write	Name:	IconNameVersion
Value: 1
(PID) Process:	(4552) explorer.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\OneDrive\Accounts
Operation:	write	Name:	LastUpdate
Value: 968BD06600000000
(PID) Process:	(4552) explorer.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Security and Maintenance\Checks\{C8E6F269-B90A-4053-A3BE-499AFCEC98C4}.check.0
Operation:	write	Name:	CheckSetting
Value: 23004100430042006C006F006200000000000000000000000100000001000000803E1C03
(PID) Process:	(6556) ChromeUpdater.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation:	write	Name:	Services
Value: C:\Users\admin\AppData\Roaming\{2F33566DA0B91573532102}\{2F33566DA0B91573532102}.exe
(PID) Process:	(2212) svchost.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	ProxyBypass
Value: 1
(PID) Process:	(2212) svchost.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	IntranetName
Value: 1
(PID) Process:	(2212) svchost.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	UNCAsIntranet
Value: 1
(PID) Process:	(2212) svchost.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	AutoDetect
Value: 0
(PID) Process:	(2212) svchost.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation:	write	Name:	Service_Adobe
Value: C:\Users\admin\AppData\Roaming\Adobe\Service_Adobe.exe

PID	Process	Filename		Type
6556	ChromeUpdater.exe	C:\Users\admin\AppData\Roaming\{2F33566DA0B91573532102}\{2F33566DA0B91573532102}.exe		executable
		MD5:F765A1B738C578E624078F0199278B97	SHA256:810791CCD63225A766DD580E0E83D502DF14172812FB912997E6A844BC9D7F6C
2212	svchost.exe	C:\Users\admin\AppData\Roaming\Adobe\Service_Adobe.exe		executable
		MD5:97F2564804F98D401A3E7FB4F715F62D	SHA256:A38E3E82E522F7ECEDFC51DA3B44B9013BDE09383F565A79A31B36E2E313C60C
2212	svchost.exe	C:\Users\admin\AppData\Roaming\Mozilla\Service_Mozilla.exe		executable
		MD5:97F2564804F98D401A3E7FB4F715F62D	SHA256:A38E3E82E522F7ECEDFC51DA3B44B9013BDE09383F565A79A31B36E2E313C60C
2212	svchost.exe	C:\Users\admin\AppData\Roaming\com.adobe.dunamis\Service_com.adobe.dunamis.exe		executable
		MD5:97F2564804F98D401A3E7FB4F715F62D	SHA256:A38E3E82E522F7ECEDFC51DA3B44B9013BDE09383F565A79A31B36E2E313C60C
6556	ChromeUpdater.exe	C:\Users\admin\AppData\Local\Temp\THBD5D.tmp		binary
		MD5:4600DD02E7F7EDBCC09F334146EDB0F3	SHA256:3F60D735500A6D4F2B9845BE12B9087C66CFF77D8FD8EEEA2F6CC0BBFEE1DCDE
2212	svchost.exe	C:\Users\admin\AppData\Roaming\Macromedia\Service_Macromedia.exe		executable
		MD5:97F2564804F98D401A3E7FB4F715F62D	SHA256:A38E3E82E522F7ECEDFC51DA3B44B9013BDE09383F565A79A31B36E2E313C60C
2212	svchost.exe	C:\Users\admin\AppData\Roaming\NuGet\Service_NuGet.exe		executable
		MD5:97F2564804F98D401A3E7FB4F715F62D	SHA256:A38E3E82E522F7ECEDFC51DA3B44B9013BDE09383F565A79A31B36E2E313C60C
2212	svchost.exe	C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\9kie7cg6.default-release\prefs.js		text
		MD5:B544D6183C9920CEBDA15C7519985ACA	SHA256:F0302B15990AE0C403A6380DF6CB6C9D95CF0D50206DFB3191C100633954A658
2212	svchost.exe	C:\Users\admin\AppData\Roaming\FileZilla\Service_FileZilla.exe		executable
		MD5:97F2564804F98D401A3E7FB4F715F62D	SHA256:A38E3E82E522F7ECEDFC51DA3B44B9013BDE09383F565A79A31B36E2E313C60C
2212	svchost.exe	C:\Users\admin\AppData\Roaming\Microsoft\Service_Microsoft.exe		executable
		MD5:97F2564804F98D401A3E7FB4F715F62D	SHA256:A38E3E82E522F7ECEDFC51DA3B44B9013BDE09383F565A79A31B36E2E313C60C

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
2212	svchost.exe	GET	200	176.111.174.140:80	http://176.111.174.140/vvTBswN.php	unknown	—	—	suspicious
2212	svchost.exe	GET	200	176.111.174.140:80	http://176.111.174.140/api/update.pack	unknown	—	—	suspicious
4552	explorer.exe	POST	200	176.111.174.140:80	http://176.111.174.140/api.php?{2F33566DA0B91573532102}	unknown	—	—	suspicious
4552	explorer.exe	POST	200	176.111.174.140:80	http://176.111.174.140/api.php?{2F33566DA0B91573532102}	unknown	—	—	unknown
4552	explorer.exe	POST	200	176.111.174.140:80	http://176.111.174.140/api.php?{2F33566DA0B91573532102}	unknown	—	—	unknown
4552	explorer.exe	POST	200	176.111.174.140:80	http://176.111.174.140/api.php?{2F33566DA0B91573532102}	unknown	—	—	unknown
2212	svchost.exe	GET	200	176.111.174.140:80	http://176.111.174.140/api/update2.pack	unknown	—	—	suspicious

PID	Process	IP	Domain	ASN	CN	Reputation
—	—	192.168.100.255:138	—	—	—	whitelisted
6880	svchost.exe	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
6424	RUXIMICS.exe	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
2120	MoUsoCoreWorker.exe	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
2212	svchost.exe	176.111.174.140:80	—	Chang Way Technologies Co. Limited	RU	malicious
2120	MoUsoCoreWorker.exe	20.73.194.208:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
3888	svchost.exe	239.255.255.250:1900	—	—	—	whitelisted
6880	svchost.exe	20.73.194.208:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
4324	svchost.exe	20.73.194.208:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
4552	explorer.exe	176.111.174.140:80	—	Chang Way Technologies Co. Limited	RU	malicious

Domain	IP	Reputation
settings-win.data.microsoft.com	51.104.136.2 20.73.194.208	whitelisted
google.com	142.250.184.206	whitelisted

PID	Process	Class	Message
2212	svchost.exe	Misc Attack	ET DROP Spamhaus DROP Listed Traffic Inbound group 30
2212	svchost.exe	A suspicious filename was detected	ET HUNTING Terse Named Filename EXE Download - Possibly Hostile
2212	svchost.exe	Potentially Bad Traffic	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
2212	svchost.exe	Misc activity	ET INFO EXE - Served Inline HTTP
2212	svchost.exe	Potential Corporate Privacy Violation	ET POLICY PE EXE or DLL Windows file download HTTP
2212	svchost.exe	A suspicious filename was detected	ET HUNTING Terse Named Filename EXE Download - Possibly Hostile
2212	svchost.exe	Potentially Bad Traffic	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
2212	svchost.exe	Potentially Bad Traffic	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
2212	svchost.exe	Misc activity	ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)

General Info

ChromeUpdater.exe

F765A1B738C578E624078F0199278B97

7446E9353FA590ACE1C04363EAFCB3B64665D509

810791CCD63225A766DD580E0E83D502DF14172812FB912997E6A844BC9D7F6C

12288:M6tsEz3F8NtzpL75x6VulMKKY5xcH7XD:HVzy1pL75xUuJj2bD

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Changes the autorun value in the registry

Create files in the Startup directory

Application was injected by another process

Runs injected code in another process

SUSPICIOUS

Executable content was dropped or overwritten

Drops the executable file immediately after the start

Potential Corporate Privacy Violation

Connects to the server without a host name

INFO

Creates files or folders in the user directory

Reads the computer name

The process uses the downloaded file

Reads security settings of Internet Explorer

Checks proxy server information

Checks supported languages

Create files in a temporary directory

Changes appearance of the Explorer extensions

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings