File name:

ChromeSetup.zip

Full analysis: https://app.any.run/tasks/31ed88f9-9bdd-499d-8028-8dac2541cc68
Verdict: Malicious activity
Threats:

Stealers are a family of malicious software intended to gain unauthorized access to users' information and transfer it to the attacker. The stealer category includes various types of programs, each focused on its own kind of data, such as files, passwords, and cryptocurrency wallets. Stealers can also spy on their targets by recording keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns.

Analysis date: August 19, 2024, 02:16:22
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
stealer
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract, compression method=deflate
MD5:

3C2EBB73765B51173C81EE9E89D8E70F

SHA1:

7EE82077CFC0BFE94E29D07C9B1D1EE933DC9419

SHA256:

879D25E700D4033661BAADC71CDEA4C2019520A5A4A3EF6245B8E56F870ABE48

SSDEEP:

98304:/7gQE1flBa4JcKx4nPCL+ziHwPuZzcqH5ucEnhalU0iUE55HCCE/ANvvRsPTXwKg:UL3O/T5elv/Yf2wWo7wHQMsUuT

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as is. ANY.RUN does not guarantee the maliciousness or safety of the content.
  • MALICIOUS

    • Actions look like stealing of personal data

      • chrome.exe (PID: 4064)
  • SUSPICIOUS

    • Drops the executable file immediately after the start

      • WinRAR.exe (PID: 6784)
      • ChromeSetup.exe (PID: 7060)
    • Reads security settings of Internet Explorer

      • WinRAR.exe (PID: 6784)
    • Executable content was dropped or overwritten

      • ChromeSetup.exe (PID: 7060)
    • Likely accesses (executes) a file from the Public directory

      • findstr.exe (PID: 7120)
    • Using 'findstr.exe' to search for text patterns in files and output

      • crashpad_handler.exe (PID: 7100)
    • Executes application which crashes

      • ChromeSetup.exe (PID: 7060)
    • Application launched itself

      • chrome.exe (PID: 4064)
  • INFO

    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 6784)
    • Checks supported languages

      • ChromeSetup.exe (PID: 7060)
      • crashpad_handler.exe (PID: 7100)
      • chrome.exe (PID: 4064)
      • TextInputHost.exe (PID: 1108)
    • Reads the computer name

      • ChromeSetup.exe (PID: 7060)
      • crashpad_handler.exe (PID: 7100)
      • chrome.exe (PID: 4064)
      • TextInputHost.exe (PID: 1108)
    • Creates files or folders in the user directory

      • chrome.exe (PID: 4064)
      • WerFault.exe (PID: 6560)
    • Reads the machine GUID from the registry

      • chrome.exe (PID: 4064)
    • Checks proxy server information

      • chrome.exe (PID: 4064)
      • WerFault.exe (PID: 6560)
    • Process checks computer location settings

      • chrome.exe (PID: 4064)
    • Reads Microsoft Office registry keys

      • chrome.exe (PID: 4064)
    • Creates files in a temporary directory

      • chrome.exe (PID: 4064)
    • Reads the software policy settings

      • WerFault.exe (PID: 6560)
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion: 20
ZipBitFlag: -
ZipCompression: Deflated
ZipModifyDate: 2024:04:04 05:18:12
ZipCRC: 0x7af6b320
ZipCompressedSize: 153
ZipUncompressedSize: 228
ZipFileName: 123.0.6312.106/123.0.6312.105.manifest
No data.
All screenshots are available in the full report
Total processes
145
Monitored processes
16
Malicious processes
3
Suspicious processes
0

Behavior graph

start
  • winrar.exe
  • chromesetup.exe
  • crashpad_handler.exe (no specs)
  • findstr.exe (no specs)
  • conhost.exe (no specs)
  • chrome.exe
  • werfault.exe
  • chrome.exe (no specs)
  • chrome.exe (no specs)
  • chrome.exe
  • chrome.exe (no specs)
  • chrome.exe (no specs)
  • chrome.exe (no specs)
  • chrome.exe (no specs)
  • textinputhost.exe (no specs)
  • chrome.exe (no specs)

Process information

PID
CMD
Path
Indicators
Parent process
PID:
1108
CMD:
"C:\WINDOWS\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe" -ServerName:InputApp.AppXjd5de1g66v206tj52m9d0dtpppx4cgpn.mca
Path:
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe
Parent process:
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Version:
123.26505.0.0
PID:
1536
CMD:
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --disable-quic --no-appcompat-clear --mojo-platform-channel-handle=2320 --field-trial-handle=1932,i,2954812581478007864,6540950261726426696,262144 --variations-seed-version /prefetch:8
Path:
C:\Program Files\Google\Chrome\Application\chrome.exe
Parent process:
chrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
LOW
Description:
Google Chrome
Version:
122.0.6261.70
PID:
1564
CMD:
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3176 --field-trial-handle=1932,i,2954812581478007864,6540950261726426696,262144 --variations-seed-version /prefetch:1
Path:
C:\Program Files\Google\Chrome\Application\chrome.exe
Parent process:
chrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
LOW
Description:
Google Chrome
Version:
122.0.6261.70
PID:
2064
CMD:
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --disable-quic --no-appcompat-clear --mojo-platform-channel-handle=2184 --field-trial-handle=1932,i,2954812581478007864,6540950261726426696,262144 --variations-seed-version /prefetch:3
Path:
C:\Program Files\Google\Chrome\Application\chrome.exe
Parent process:
chrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
MEDIUM
Description:
Google Chrome
Version:
122.0.6261.70
PID:
3900
CMD:
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=1924 --field-trial-handle=1932,i,2954812581478007864,6540950261726426696,262144 --variations-seed-version /prefetch:2
Path:
C:\Program Files\Google\Chrome\Application\chrome.exe
Parent process:
chrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
LOW
Description:
Google Chrome
Version:
122.0.6261.70
PID:
4064
CMD:
-url https://president.mn/wp-includes/class-wp-safe-check.php?status=or
Path:
C:\Program Files\Google\Chrome\Application\chrome.exe
Parent process:
ChromeSetup.exe
User:
admin
Company:
Google LLC
Integrity Level:
MEDIUM
Description:
Google Chrome
Version:
122.0.6261.70
PID:
5540
CMD:
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --disable-quic --no-appcompat-clear --mojo-platform-channel-handle=4856 --field-trial-handle=1932,i,2954812581478007864,6540950261726426696,262144 --variations-seed-version /prefetch:8
Path:
C:\Program Files\Google\Chrome\Application\chrome.exe
Parent process:
chrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
MEDIUM
Description:
Google Chrome
Exit code:
0
Version:
122.0.6261.70
PID:
6292
CMD:
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3168 --field-trial-handle=1932,i,2954812581478007864,6540950261726426696,262144 --variations-seed-version /prefetch:1
Path:
C:\Program Files\Google\Chrome\Application\chrome.exe
Parent process:
chrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
LOW
Description:
Google Chrome
Version:
122.0.6261.70
PID:
6424
CMD:
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=122.0.6261.70 --initial-client-data=0x220,0x224,0x228,0x1fc,0x22c,0x7fffd2f3dc40,0x7fffd2f3dc4c,0x7fffd2f3dc58
Path:
C:\Program Files\Google\Chrome\Application\chrome.exe
Parent process:
chrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
MEDIUM
Description:
Google Chrome
Version:
122.0.6261.70
PID:
6560
CMD:
C:\WINDOWS\system32\WerFault.exe -u -p 7060 -s 984
Path:
C:\Windows\System32\WerFault.exe
Parent process:
ChromeSetup.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Problem Reporting
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Total events
21 774
Read events
21 736
Write events
38
Delete events
0

Modification events

(PID) Process: (6784) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface\Themes
Operation: write
Name: ShellExtBMP
Value:

(PID) Process: (6784) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface\Themes
Operation: write
Name: ShellExtIcon
Value:

(PID) Process: (6784) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation: write
Name: 1
Value:
C:\Users\admin\Desktop\GoogleChromeEnterpriseBundle64.zip

(PID) Process: (6784) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation: write
Name: 0
Value:
C:\Users\admin\Downloads\ChromeSetup.zip

(PID) Process: (6784) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write
Name: name
Value:
120

(PID) Process: (6784) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write
Name: size
Value:
80

(PID) Process: (6784) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write
Name: type
Value:
120

(PID) Process: (6784) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write
Name: mtime
Value:
100

(PID) Process: (6784) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: ProxyBypass
Value:
1

(PID) Process: (6784) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: IntranetName
Value:
1
Executable files
12
Suspicious files
101
Text files
33
Unknown types
0

Dropped files

PID
Process
Filename
Type
PID: 6784, Process: WinRAR.exe, Type: executable
Filename: C:\Users\admin\AppData\Local\Temp\Rar$EXa6784.11072\123.0.6312.106\chrome_wer.dll
MD5: BBA2453A9A4343D6692984CC343E08DB
SHA256: CD91C0E3B1F791FEF39AC80DFFDBE4E7702C260C1EB54F4AB19B527FFEEE03AE

PID: 6784, Process: WinRAR.exe, Type: binary
Filename: C:\Users\admin\AppData\Local\Temp\Rar$EXa6784.11072\123.0.6312.106\chrome_100_percent.pak
MD5: 25F9A1850D7237E14A04B54E45E04063
SHA256: F3C54269BA5466523167D49A7540E28BFCD50C84C8B097D62656F9BA3667C3AC

PID: 6784, Process: WinRAR.exe, Type: image
Filename: C:\Users\admin\AppData\Local\Temp\Rar$EXa6784.11072\123.0.6312.106\VisualElements\SmallLogoBeta.png
MD5: 75347C2C5A884FA28173278D779BE88C
SHA256: 2B60FFE21DD44716907C407B99E4BD06A422FC37CDBBAC8265BDD9DEA2D5B735

PID: 6784, Process: WinRAR.exe, Type: binary
Filename: C:\Users\admin\AppData\Local\Temp\Rar$EXa6784.11072\123.0.6312.106\chrome_200_percent.pak
MD5: A7E3D9C91BC8527275881C893AD74870
SHA256: 4B40BD6B47517F7D76F9C0FED2E735AF7A9AB6E1A9BE0EA905B3931E6D7A63EC

PID: 6784, Process: WinRAR.exe, Type: text
Filename: C:\Users\admin\AppData\Local\Temp\Rar$EXa6784.11072\123.0.6312.106\123.0.6312.106.manifest
MD5: AB9362B752389E39AAEDAB5475BD0CB5
SHA256: 412BAED86D097E2BE1BB5E48E79F6E641DF11F737C634651A3D539ABE20A1BD5

PID: 6784, Process: WinRAR.exe, Type: pi2
Filename: C:\Users\admin\AppData\Local\Temp\Rar$EXa6784.11072\123.0.6312.106\chrome.exe.sig
MD5: 3BECECFBC92DBD070430AFE483A07C2A
SHA256: 5713D0F090F91DA3B0C6C2175B14C573A08C1C1A6FECF84DBE02258D2AA7FAEF

PID: 6784, Process: WinRAR.exe, Type: executable
Filename: C:\Users\admin\AppData\Local\Temp\Rar$EXa6784.11072\123.0.6312.106\chrome_elf.dll
MD5: 043576AD5FA3F7CED96442B17F71A273
SHA256: E37B989B670B040847BE50BF2CB5B783E358EFB55FE745A21DF56500E99F80A0

PID: 6784, Process: WinRAR.exe, Type: text
Filename: C:\Users\admin\AppData\Local\Temp\Rar$EXa6784.11072\123.0.6312.106\default_apps\external_extensions.json
MD5: 708428751D01199ED5F53E0FB2AD4BF0
SHA256: 579032CB7B7BEA083E077BA85CB62DC231BA672F93CE1B55A379968FB3C2CEE9

PID: 6784, Process: WinRAR.exe, Type: image
Filename: C:\Users\admin\AppData\Local\Temp\Rar$EXa6784.11072\123.0.6312.106\VisualElements\LogoCanary.png
MD5: EF8A81D1E1070F20CE809CCA75588612
SHA256: 6F2F599BC3E34E11072CE7DDBAB2D484371563F0BC79DE785DF075DB5E17AE1B

PID: 6784, Process: WinRAR.exe, Type: executable
Filename: C:\Users\admin\AppData\Local\Temp\Rar$EXa6784.11072\123.0.6312.106\eventlog_provider.dll
MD5: 51FEE3E97826B85F4150DB750C41F3C2
SHA256: 14F0DABB0F0B7F62E8C461E0EA91CCFEFAF0296134C4DABE6206D5FE82D9587F
HTTP(S) requests
1
TCP/UDP connections
84
DNS requests
44
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2064
chrome.exe
POST
404
142.250.186.163:80
http://update.googleapis.com/service/update2/json?cup2key=13:WTdFzV_KLlH2SpcTSAd0JGx13ypZz2y4Jap3WsJdijA&cup2hreq=cfceaf7268c9106517fb5460c4d3472b21749adace70e7bc09e12774fe66cfc0
unknown
unknown

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
3888
svchost.exe
239.255.255.250:1900
whitelisted
4100
svchost.exe
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
192.168.100.255:138
whitelisted
4
System
192.168.100.255:137
whitelisted
4100
svchost.exe
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
2064
chrome.exe
142.250.186.35:443
clientservices.googleapis.com
GOOGLE
US
whitelisted
4064
chrome.exe
239.255.255.250:1900
whitelisted
2064
chrome.exe
103.17.108.235:443
president.mn
National Data Center building
MN
unknown
2064
chrome.exe
209.85.203.84:443
accounts.google.com
GOOGLE
US
unknown

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 4.231.128.59
  • 20.73.194.208
whitelisted
google.com
  • 172.217.18.14
whitelisted
dual-low.t-0009.ecs-msedge.net
  • 31.13.68.160
unknown
clientservices.googleapis.com
  • 142.250.186.35
whitelisted
president.mn
  • 103.17.108.235
malicious
accounts.google.com
  • 209.85.203.84
whitelisted
watson.events.data.microsoft.com
  • 20.42.73.29
whitelisted
update.googleapis.com
  • 142.250.186.163
whitelisted
www.google.com
  • 142.250.185.68
whitelisted
optimizationguide-pa.googleapis.com
whitelisted

Threats

No threats detected
Process: Message
ChromeSetup.exe: DLL_PROCESS_ATTACH
ChromeSetup.exe: IsBrowserProcess
ChromeSetup.exe: GetInstallDetailsPayload
ChromeSetup.exe: SignalInitializeCrashReporting
ChromeSetup.exe: IsBrowserProcess
ChromeSetup.exe: SignalChromeElf