File name:

google-chrome_msetup_[1244143].exe

Full analysis: https://app.any.run/tasks/c57b9d92-e027-40b9-821c-8d816f1c0aed
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Malware Trends Tracker     >>>
Analysis date: May 15, 2019, 13:38:09
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
installer
loader
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5:

C41DC6A580BC50AE0850587F20FB68BC

SHA1:

FE6E4D5D8BBC398A5E33A576AE108D7AFE4F62E2

SHA256:

B8C3866121B71C44FB52F965F6EE49188989850A4CDA6627DAE224AA71421218

SSDEEP:

6144:n0HjIpOcK9GK81fl2RrS8i5U/V260mZ3Gn9HK70z3p+PyqQS:nR7sRrS8iit26LW960zqQS

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Downloads executable files from the Internet

      • google-chrome_msetup_[1244143].exe (PID: 3960)
      • avast_free_antivirus_setup_online.exe (PID: 2612)
      • downloader.exe (PID: 3448)

    • Application was dropped or rewritten from another process

      • GoogleUpdate.exe (PID: 2520)
      • 2_ChromeSetup.exe (PID: 2284)
      • avast_free_antivirus_setup_online.exe (PID: 2612)
      • GoogleUpdate.exe (PID: 3884)
      • GoogleUpdate.exe (PID: 2680)
      • GoogleUpdate.exe (PID: 3636)
      • downloader.exe (PID: 3448)
      • avast_free_antivirus_setup_online.exe (PID: 2844)
      • YandexPackSetup.exe (PID: 4080)
      • instup.exe (PID: 3872)
      • downloader.exe (PID: 2340)
      • seederexe.exe (PID: 2320)
      • instup.exe (PID: 2428)
      • sbr.exe (PID: 2404)
      • Yandex.exe (PID: 2560)
      • sender.exe (PID: 2892)
      • lite_installer.exe (PID: 1744)

    • Changes settings of System certificates

      • google-chrome_msetup_[1244143].exe (PID: 3960)
      • GoogleUpdate.exe (PID: 2520)

    • Loads dropped or rewritten executable

      • GoogleUpdate.exe (PID: 3884)
      • GoogleUpdate.exe (PID: 3636)
      • GoogleUpdate.exe (PID: 2520)
      • GoogleUpdate.exe (PID: 2680)
      • instup.exe (PID: 3872)

    • Changes the autorun value in the registry

      • instup.exe (PID: 2428)

  • SUSPICIOUS

    • Adds / modifies Windows certificates

      • google-chrome_msetup_[1244143].exe (PID: 3960)
      • GoogleUpdate.exe (PID: 2520)

    • Creates files in the program directory

      • 2_ChromeSetup.exe (PID: 2284)
      • avast_free_antivirus_setup_online.exe (PID: 2844)
      • instup.exe (PID: 3872)

    • Executable content was dropped or overwritten

      • google-chrome_msetup_[1244143].exe (PID: 3960)
      • 2_ChromeSetup.exe (PID: 2284)
      • avast_free_antivirus_setup_online.exe (PID: 2612)
      • avast_free_antivirus_setup_online.exe (PID: 2844)
      • instup.exe (PID: 3872)
      • downloader.exe (PID: 3448)
      • msiexec.exe (PID: 3048)
      • Yandex.exe (PID: 2560)
      • MsiExec.exe (PID: 4044)
      • instup.exe (PID: 2428)

    • Low-level read access rights to disk partition

      • avast_free_antivirus_setup_online.exe (PID: 2612)
      • instup.exe (PID: 3872)
      • instup.exe (PID: 2428)
      • avast_free_antivirus_setup_online.exe (PID: 2844)

    • Creates files in the Windows directory

      • avast_free_antivirus_setup_online.exe (PID: 2612)
      • avast_free_antivirus_setup_online.exe (PID: 2844)
      • instup.exe (PID: 3872)
      • instup.exe (PID: 2428)

    • Creates files in the user directory

      • google-chrome_msetup_[1244143].exe (PID: 3960)
      • MsiExec.exe (PID: 4044)
      • seederexe.exe (PID: 2320)
      • Yandex.exe (PID: 2560)
      • lite_installer.exe (PID: 1744)

    • Starts itself from another location

      • GoogleUpdate.exe (PID: 3636)
      • instup.exe (PID: 3872)

    • Removes files from Windows directory

      • instup.exe (PID: 3872)
      • instup.exe (PID: 2428)

    • Application launched itself

      • downloader.exe (PID: 3448)

    • Reads Environment values

      • MsiExec.exe (PID: 4044)

    • Creates a software uninstall entry

      • Yandex.exe (PID: 2560)

    • Changes the started page of IE

      • seederexe.exe (PID: 2320)

  • INFO

    • Application launched itself

      • msiexec.exe (PID: 3048)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | InstallShield setup (54.3)
.exe | Win64 Executable (generic) (34.8)
.exe | Win32 Executable (generic) (5.6)
.exe | Generic Win/DOS Executable (2.5)
.exe | DOS Executable Generic (2.5)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2019:05:07 19:20:03+02:00
PEType: PE32
LinkerVersion: 12
CodeSize: 210432
InitializedDataSize: 196608
UninitializedDataSize: -
EntryPoint: 0x208dd
OSVersion: 5.1
ImageVersion: -
SubsystemVersion: 5.1
Subsystem: Windows GUI
FileVersionNumber: 1.1.9.0
ProductVersionNumber: 1.1.9.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Windows NT 32-bit
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Russian
CharacterSet: Unicode
CompanyName: MultiSetup
FileDescription: MultiSetup
FileVersion: 1.1.9.0
InternalName: multisetup.exe
LegalCopyright: Copyright (C) 2019
OriginalFileName: multisetup.exe
ProductName: MultiSetup
ProductVersion: 1.1.9.0

Summary

Architecture: IMAGE_FILE_MACHINE_I386
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date: 07-May-2019 17:20:03
Detected languages:
  • Russian - Russia
Debug artifacts:
  • F:\Sources.Smartline\multi_install\Release\multi_setup.pdb
CompanyName: MultiSetup
FileDescription: MultiSetup
FileVersion: 1.1.9.0
InternalName: multisetup.exe
LegalCopyright: Copyright (C) 2019
OriginalFilename: multisetup.exe
ProductName: MultiSetup
ProductVersion: 1.1.9.0

DOS Header

Magic number: MZ
Bytes on last page of file: 0x0090
Pages in file: 0x0003
Relocations: 0x0000
Size of header: 0x0004
Min extra paragraphs: 0x0000
Max extra paragraphs: 0xFFFF
Initial SS value: 0x0000
Initial SP value: 0x00B8
Checksum: 0x0000
Initial IP value: 0x0000
Initial CS value: 0x0000
Overlay number: 0x0000
OEM identifier: 0x0000
OEM information: 0x0000
Address of NE header: 0x00000100

PE Headers

Signature: PE
Machine: IMAGE_FILE_MACHINE_I386
Number of sections: 5
Time date stamp: 07-May-2019 17:20:03
Pointer to Symbol Table: 0x00000000
Number of symbols: 0
Size of Optional Header: 0x00E0
Characteristics:
  • IMAGE_FILE_32BIT_MACHINE
  • IMAGE_FILE_EXECUTABLE_IMAGE

Sections

Name
Virtual Address
Virtual Size
Raw Size
Charateristics
Entropy
.text
0x00001000
0x0003342A
0x00033600
IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
6.61199
.rdata
0x00035000
0x0000FA92
0x0000FC00
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
4.75459
.data
0x00045000
0x00003FC8
0x00001C00
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
4.02182
.rsrc
0x00049000
0x00018F88
0x00019000
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
6.52142
.reloc
0x00062000
0x0000332C
0x00003400
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
6.54652

Resources

Title
Entropy
Size
Codepage
Language
Type
1
5.2212
1505
UNKNOWN
Russian - Russia
RT_MANIFEST
2
3.25755
296
UNKNOWN
Russian - Russia
RT_ICON
3
3.91366
2216
UNKNOWN
Russian - Russia
RT_ICON
4
3.47151
1384
UNKNOWN
Russian - Russia
RT_ICON
107
2.64576
62
UNKNOWN
Russian - Russia
RT_GROUP_ICON
129
3.89665
1976
UNKNOWN
Russian - Russia
RT_DIALOG
130
3.32958
264
UNKNOWN
Russian - Russia
RT_DIALOG
131
7.94117
5818
UNKNOWN
Russian - Russia
PNG
132
6.86434
572
UNKNOWN
Russian - Russia
PNG
134
2.64335
416
UNKNOWN
Russian - Russia
RT_DIALOG

Imports

ADVAPI32.dll
COMCTL32.dll
CRYPT32.dll
GDI32.dll
KERNEL32.dll
POWRPROF.dll
PSAPI.DLL
SHELL32.dll
SHLWAPI.dll
USER32.dll
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
57
Monitored processes
21
Malicious processes
12
Suspicious processes
3

Behavior graph

Click at the process to see the details
drop and start drop and start drop and start start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start google-chrome_msetup_[1244143].exe 2_chromesetup.exe avast_free_antivirus_setup_online.exe googleupdate.exe no specs downloader.exe googleupdate.exe no specs googleupdate.exe googleupdate.exe avast_free_antivirus_setup_online.exe instup.exe yandexpacksetup.exe downloader.exe msiexec.exe msiexec.exe lite_installer.exe seederexe.exe yandex.exe instup.exe sbr.exe no specs sender.exe google-chrome_msetup_[1244143].exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
1744"C:\Users\admin\AppData\Local\Temp\7DC1FD6A-CEC1-49BE-9832-40C330578D23\lite_installer.exe" --use-user-default-locale --silent --remote-url=http://downloader.yandex.net/downloadable_soft/browser/pseudoportal-ru/Yandex.exe --cumtom-welcome-page=https://browser.yandex.ru/promo/welcome_com/5/ --YABROWSERC:\Users\admin\AppData\Local\Temp\7DC1FD6A-CEC1-49BE-9832-40C330578D23\lite_installer.exe
MsiExec.exe
User:
admin
Company:
Yandex
Integrity Level:
MEDIUM
Description:
YandexBrowserDownloader
Exit code:
0
Version:
1.0.1.88
Modules
Images
c:\users\admin\appdata\local\temp\7dc1fd6a-cec1-49be-9832-40c330578d23\lite_installer.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\winhttp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\webio.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
2284"C:\Users\admin\Downloads\Downloads msetup\2_ChromeSetup.exe" C:\Users\admin\Downloads\Downloads msetup\2_ChromeSetup.exe
google-chrome_msetup_[1244143].exe
User:
admin
Company:
Google Inc.
Integrity Level:
HIGH
Description:
Google Update Setup
Exit code:
0
Version:
1.3.33.23
Modules
Images
c:\users\admin\downloads\downloads msetup\2_chromesetup.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\usp10.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\msvcrt.dll
2320"C:\Users\admin\AppData\Local\Temp\3A760A57-58B6-40F6-BB4B-B337ADC0648E\seederexe.exe" "--yqs=y" "--yhp=y" "--ilight=1" "--locale=us" "--browser=y" "--browser_default=" "--yabm=" "--loglevel=trace" "--ess=" "--clids=C:\Users\admin\AppData\Local\Temp\clids-yasearch.xml" "--sender=C:\Users\admin\AppData\Local\Temp\1A694684-9B03-4982-88A5-AC36A5931507\sender.exe" "--is_elevated=yes" "--ui_level=2" "--good_token=1"C:\Users\admin\AppData\Local\Temp\3A760A57-58B6-40F6-BB4B-B337ADC0648E\seederexe.exe
MsiExec.exe
User:
admin
Company:
Yandex
Integrity Level:
MEDIUM
Description:
Browser Integration Module
Exit code:
0
Version:
3.5.3.98
Modules
Images
c:\users\admin\appdata\local\temp\3a760a57-58b6-40f6-bb4b-b337adc0648e\seederexe.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
2340C:\Users\admin\AppData\Local\Temp\msetup\downloader.exe --stat dwnldr/p=8937/cnt=0/dt=10/ct=1/rt=0 --dh 332 --st 1557927541C:\Users\admin\AppData\Local\Temp\msetup\downloader.exe
downloader.exe
User:
admin
Integrity Level:
HIGH
Description:
Setup Downloader
Exit code:
0
Version:
0.1.0.32
Modules
Images
c:\users\admin\appdata\local\temp\msetup\downloader.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\wtsapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\secur32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
2404"C:\Windows\Temp\asw.d1b1720210bf9654\New_13040946\sbr.exe" 2428 "Avast Antivirus setup" "Avast Antivirus is being installed. Do not shut down your computer!"C:\Windows\Temp\asw.d1b1720210bf9654\New_13040946\sbr.exeinstup.exe
User:
admin
Company:
AVAST Software
Integrity Level:
HIGH
Description:
Shutdown blocker
Exit code:
0
Version:
19.4.4318.0
Modules
Images
c:\windows\temp\asw.d1b1720210bf9654\new_13040946\sbr.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shell32.dll
2428"C:\Windows\Temp\asw.d1b1720210bf9654\New_13040946\instup.exe" /cookie:mmm_mrk_ppi_004_408_p /edat_dir:C:\Windows\Temp\asw.cc55296d0fa91dd3 /edition:1 /ga_clientid:f3a88f5a-e776-4b17-bf0d-65bc1f888443 /guid:58a68fee-1383-4778-b9e4-adb8a441ea8d /online_installer /prod:ais /sfx /sfxstorage:C:\Windows\Temp\asw.d1b1720210bf9654 /silentC:\Windows\Temp\asw.d1b1720210bf9654\New_13040946\instup.exe
instup.exe
User:
admin
Company:
AVAST Software
Integrity Level:
HIGH
Description:
Avast Antivirus Installer
Exit code:
0
Version:
19.4.4318.0
Modules
Images
c:\windows\temp\asw.d1b1720210bf9654\new_13040946\instup.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\nsi.dll
c:\windows\system32\version.dll
c:\windows\system32\psapi.dll
2520"C:\Program Files\Google\Update\GoogleUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4zMy4yMyIgc2hlbGxfdmVyc2lvbj0iMS4zLjMzLjIzIiBpc21hY2hpbmU9IjEiIHNlc3Npb25pZD0ie0U4MkY1MUYzLTcyRTctNDBBOS1BM0RGLUZEMUJBODBDRkFEMX0iIHVzZXJpZD0iezYwQkIwMzQ0LThDMTYtNENERi1CMzI2LUUwODNCQTlFMDVCNH0iIGluc3RhbGxzb3VyY2U9InRhZ2dlZG1pIiByZXF1ZXN0aWQ9InswQkVDQzk3RC1ENzZDLTQ4RkItQkREMC0wNkZFRDIyMjFENUJ9IiBkZWR1cD0iY3IiIGRvbWFpbmpvaW5lZD0iMCI-PGh3IHBoeXNtZW1vcnk9IjMiIHNzZT0iMSIgc3NlMj0iMSIgc3NlMz0iMSIgc3NzZTM9IjEiIHNzZTQxPSIxIiBzc2U0Mj0iMSIgYXZ4PSIxIi8-PG9zIHBsYXRmb3JtPSJ3aW4iIHZlcnNpb249IjYuMS43NjAxLjAiIHNwPSJTZXJ2aWNlIFBhY2sgMSIgYXJjaD0ieDg2Ii8-PGFwcCBhcHBpZD0iezQzMEZENEQwLUI3MjktNEY2MS1BQTM0LTkxNTI2NDgxNzk5RH0iIHZlcnNpb249IjEuMy4zMy4yMyIgbmV4dHZlcnNpb249IjEuMy4zMy4yMyIgbGFuZz0icnUiIGJyYW5kPSIiIGNsaWVudD0iIiBpaWQ9IntDMDkyMjQwRC02N0Q1LTZFQTUtRjY4Mi01NTEyNUI3NUVGNzV9Ij48ZXZlbnQgZXZlbnR0eXBlPSIyIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIwIiBpbnN0YWxsX3RpbWVfbXM9IjM5MSIvPjwvYXBwPjwvcmVxdWVzdD4C:\Program Files\Google\Update\GoogleUpdate.exe
GoogleUpdate.exe
User:
admin
Company:
Google Inc.
Integrity Level:
HIGH
Description:
Google Installer
Exit code:
0
Version:
1.3.33.23
Modules
Images
c:\program files\google\update\googleupdate.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
2560"C:\Users\admin\AppData\Local\Yandex\YaPin\Yandex.exe" --silentC:\Users\admin\AppData\Local\Yandex\YaPin\Yandex.exe
msiexec.exe
User:
admin
Integrity Level:
HIGH
Description:
YandexPin
Exit code:
1
Version:
2.0.5.38
Modules
Images
c:\users\admin\appdata\local\yandex\yapin\yandex.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shell32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
2612"C:\Users\admin\AppData\Local\Temp\msetup\avast_free_antivirus_setup_online.exe" /silentC:\Users\admin\AppData\Local\Temp\msetup\avast_free_antivirus_setup_online.exe
google-chrome_msetup_[1244143].exe
User:
admin
Company:
AVAST Software
Integrity Level:
HIGH
Description:
Avast Antivirus Installer
Exit code:
0
Version:
2.1.1279.0
Modules
Images
c:\users\admin\appdata\local\temp\msetup\avast_free_antivirus_setup_online.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
2680"C:\Program Files\Google\Update\GoogleUpdate.exe" /handoff "appguid={8A69D345-D564-463C-AFF1-A69D9E530F96}&iid={C092240D-67D5-6EA5-F682-55125B75EF75}&lang=ru&browser=4&usagestats=1&appname=Google%20Chrome&needsadmin=prefers&ap=x64-stable-statsdef_1&installdataindex=empty" /installsource taggedmi /sessionid "{E82F51F3-72E7-40A9-A3DF-FD1BA80CFAD1}"C:\Program Files\Google\Update\GoogleUpdate.exe
GoogleUpdate.exe
User:
admin
Company:
Google Inc.
Integrity Level:
HIGH
Description:
Google Installer
Exit code:
0
Version:
1.3.33.23
Modules
Images
c:\program files\google\update\googleupdate.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
Total events
5 184
Read events
2 216
Write events
2 945
Delete events
23

Modification events

(PID) Process:(3960) google-chrome_msetup_[1244143].exeKey:HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
Operation:writeName:LanguageList
Value:
en-US
(PID) Process:(3960) google-chrome_msetup_[1244143].exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\91C6D6EE3E8AC86384E548C299295C756C817B81
Operation:writeName:Blob
Value:
0F000000010000001400000085FEF11B4F47FE3952F98301C9F98976FEFEE0CE09000000010000002A000000302806082B0601050507030106082B0601050507030206082B0601050507030406082B0601050507030353000000010000002500000030233021060B6086480186F8450107300130123010060A2B0601040182373C0101030200C01400000001000000140000007B5B45CFAFCECB7AFD31921A6AB6F346EB5748501D00000001000000100000005B3B67000EEB80022E42605B6B3B72400B000000010000000E000000740068006100770074006500000003000000010000001400000091C6D6EE3E8AC86384E548C299295C756C817B812000000001000000240400003082042030820308A0030201020210344ED55720D5EDEC49F42FCE37DB2B6D300D06092A864886F70D01010505003081A9310B300906035504061302555331153013060355040A130C7468617774652C20496E632E31283026060355040B131F43657274696669636174696F6E205365727669636573204469766973696F6E31383036060355040B132F2863292032303036207468617774652C20496E632E202D20466F7220617574686F72697A656420757365206F6E6C79311F301D06035504031316746861777465205072696D61727920526F6F74204341301E170D3036313131373030303030305A170D3336303731363233353935395A3081A9310B300906035504061302555331153013060355040A130C7468617774652C20496E632E31283026060355040B131F43657274696669636174696F6E205365727669636573204469766973696F6E31383036060355040B132F2863292032303036207468617774652C20496E632E202D20466F7220617574686F72697A656420757365206F6E6C79311F301D06035504031316746861777465205072696D61727920526F6F7420434130820122300D06092A864886F70D01010105000382010F003082010A0282010100ACA0F0FB8059D49CC7A4CF9DA159730910450C0D2C6E68F16C5B4868495937FC0B3319C2777FCC102D95341CE6EB4D09A71CD2B8C9973602B789D4245F06C0CC4494948D02626FEB5ADD118D289A5C8490107A0DBD74662F6A38A0E2D55444EB1D079F07BA6FEEE9FD4E0B29F53E84A001F19CABF81C7E89A4E8A1D871650DA3517BEEBCD222600DB95B9DDFBAFC515B0BAF98B2E92EE904E86287DE2BC8D74EC14C641EDDCF8758BA4A4FCA68071D1C9D4AC6D52F91CC7C71721CC5C067EB32FDC9925C94DA85C09BBF537D2B09F48C9D911F976A52CBDE0936A477D87B875044D53E6E2969FB3949261E09A5807B402DEBE82785C9FE61FD7EE67C971DD59D0203010001A3423040300F0603551D130101FF040530030101FF300E0603551D0F0101FF040403020106301D0603551D0E041604147B5B45CFAFCECB7AFD31921A6AB6F346EB574850300D06092A864886F70D010105050003820101007911C04BB391B6FCF0E967D40D6E45BE55E893D2CE033FEDDA25B01D57CB1E3A76A04CEC5076E864720CA4A9F1B88BD6D68784BB32E54111C077D9B3609DEB1BD5D16E4444A9A601EC55621D77B85C8E48497C9C3B5711ACAD73378E2F785C906847D96060E6FC073D222017C4F716E9C4D872F9C8737CDF162F15A93EFD6A27B6A1EB5ABA981FD5E34D640A9D13C861BAF5391C87BAB8BD7B227FF6FEAC4079E5AC106F3D8F1B79768BC437B3211884E53600EB632099B9E9FE3304BB41C8C102F94463209E81CE42D3D63F2C76D3639C59DD8FA6E10EA02E41F72E9547CFBCFD33F3F60B617E7E912B8147C22730EEA7105D378F5C392BE404F07B8D568C68
(PID) Process:(3960) google-chrome_msetup_[1244143].exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\91C6D6EE3E8AC86384E548C299295C756C817B81
Operation:writeName:Blob
Value:
190000000100000010000000DC73F9B71E16D51D26527D32B11A6A3D03000000010000001400000091C6D6EE3E8AC86384E548C299295C756C817B810B000000010000000E00000074006800610077007400650000001D00000001000000100000005B3B67000EEB80022E42605B6B3B72401400000001000000140000007B5B45CFAFCECB7AFD31921A6AB6F346EB57485053000000010000002500000030233021060B6086480186F8450107300130123010060A2B0601040182373C0101030200C009000000010000002A000000302806082B0601050507030106082B0601050507030206082B0601050507030406082B060105050703030F000000010000001400000085FEF11B4F47FE3952F98301C9F98976FEFEE0CE2000000001000000240400003082042030820308A0030201020210344ED55720D5EDEC49F42FCE37DB2B6D300D06092A864886F70D01010505003081A9310B300906035504061302555331153013060355040A130C7468617774652C20496E632E31283026060355040B131F43657274696669636174696F6E205365727669636573204469766973696F6E31383036060355040B132F2863292032303036207468617774652C20496E632E202D20466F7220617574686F72697A656420757365206F6E6C79311F301D06035504031316746861777465205072696D61727920526F6F74204341301E170D3036313131373030303030305A170D3336303731363233353935395A3081A9310B300906035504061302555331153013060355040A130C7468617774652C20496E632E31283026060355040B131F43657274696669636174696F6E205365727669636573204469766973696F6E31383036060355040B132F2863292032303036207468617774652C20496E632E202D20466F7220617574686F72697A656420757365206F6E6C79311F301D06035504031316746861777465205072696D61727920526F6F7420434130820122300D06092A864886F70D01010105000382010F003082010A0282010100ACA0F0FB8059D49CC7A4CF9DA159730910450C0D2C6E68F16C5B4868495937FC0B3319C2777FCC102D95341CE6EB4D09A71CD2B8C9973602B789D4245F06C0CC4494948D02626FEB5ADD118D289A5C8490107A0DBD74662F6A38A0E2D55444EB1D079F07BA6FEEE9FD4E0B29F53E84A001F19CABF81C7E89A4E8A1D871650DA3517BEEBCD222600DB95B9DDFBAFC515B0BAF98B2E92EE904E86287DE2BC8D74EC14C641EDDCF8758BA4A4FCA68071D1C9D4AC6D52F91CC7C71721CC5C067EB32FDC9925C94DA85C09BBF537D2B09F48C9D911F976A52CBDE0936A477D87B875044D53E6E2969FB3949261E09A5807B402DEBE82785C9FE61FD7EE67C971DD59D0203010001A3423040300F0603551D130101FF040530030101FF300E0603551D0F0101FF040403020106301D0603551D0E041604147B5B45CFAFCECB7AFD31921A6AB6F346EB574850300D06092A864886F70D010105050003820101007911C04BB391B6FCF0E967D40D6E45BE55E893D2CE033FEDDA25B01D57CB1E3A76A04CEC5076E864720CA4A9F1B88BD6D68784BB32E54111C077D9B3609DEB1BD5D16E4444A9A601EC55621D77B85C8E48497C9C3B5711ACAD73378E2F785C906847D96060E6FC073D222017C4F716E9C4D872F9C8737CDF162F15A93EFD6A27B6A1EB5ABA981FD5E34D640A9D13C861BAF5391C87BAB8BD7B227FF6FEAC4079E5AC106F3D8F1B79768BC437B3211884E53600EB632099B9E9FE3304BB41C8C102F94463209E81CE42D3D63F2C76D3639C59DD8FA6E10EA02E41F72E9547CFBCFD33F3F60B617E7E912B8147C22730EEA7105D378F5C392BE404F07B8D568C68
(PID) Process:(3960) google-chrome_msetup_[1244143].exeKey:HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\CA\Certificates\EAB040689A0D805B5D6FD654FC168CFF00B78BE3
Operation:writeName:Blob
Value:
030000000100000014000000EAB040689A0D805B5D6FD654FC168CFF00B78BE31400000001000000140000005379BF5AAA2B4ACF5480E1D89BC09DF2B20366CB040000000100000010000000DB78CBD190952735D940BC80AC2432C00F0000000100000030000000435FE6564241D6B3828352EF9BE443D511C21F0AFB325C4038A5820F00D87774A8EF2193DDAAE065B2572FAF2BF0EE63190000000100000010000000EA6089055218053DD01E37E1D806EEDF18000000010000001000000045ED9BBC5E43D3B9ECD63C060DB78E5C20000000010000007B050000308205773082045FA003020102021013EA28705BF4ECED0C36630980614336300D06092A864886F70D01010C0500306F310B300906035504061302534531143012060355040A130B416464547275737420414231263024060355040B131D41646454727573742045787465726E616C20545450204E6574776F726B312230200603550403131941646454727573742045787465726E616C20434120526F6F74301E170D3030303533303130343833385A170D3230303533303130343833385A308188310B3009060355040613025553311330110603550408130A4E6577204A6572736579311430120603550407130B4A65727365792043697479311E301C060355040A131554686520555345525452555354204E6574776F726B312E302C06035504031325555345525472757374205253412043657274696669636174696F6E20417574686F7269747930820222300D06092A864886F70D01010105000382020F003082020A028202010080126517360EC3DB08B3D0AC570D76EDCD27D34CAD508361E2AA204D092D6409DCCE899FCC3DA9ECF6CFC1DCF1D3B1D67B3728112B47DA39C6BC3A19B45FA6BD7D9DA36342B676F2A93B2B91F8E26FD0EC162090093EE2E874C918B491D46264DB7FA306F188186A90223CBCFE13F087147BF6E41F8ED4E451C61167460851CB8614543FBC33FE7E6C9CFF169D18BD518E35A6A766C87267DB2166B1D49B7803C0503AE8CCF0DCBC9E4CFEAF0596351F575AB7FFCEF93DB72CB6F654DDC8E7123A4DAE4C8AB75C9AB4B7203DCA7F2234AE7E3B68660144E7014E46539B3360F794BE5337907343F332C353EFDBAAFE744E69C76B8C6093DEC4C70CDFE132AECC933B517895678BEE3D56FE0CD0690F1B0FF325266B336DF76E47FA7343E57E0EA566B1297C3284635589C40DC19354301913ACD37D37A7EB5D3A6C355CDB41D712DAA9490BDFD8808A0993628EB566CF2588CD84B8B13FA4390FD9029EEB124C957CF36B05A95E1683CCB867E2E8139DCC5B82D34CB3ED5BFFDEE573AC233B2D00BF3555740949D849581A7F9236E651920EF3267D1C4D17BCC9EC4326D0BF415F40A94444F499E757879E501F5754A83EFD74632FB1506509E658422E431A4CB4F0254759FA041E93D426464A5081B2DEBE78B7FC6715E1C957841E0F63D6E962BAD65F552EEA5CC62808042539B80E2BA9F24C971C073F0D52F5EDEF2F820F0203010001A381F43081F1301F0603551D23041830168014ADBD987A34B426F7FAC42654EF03BDE024CB541A301D0603551D0E041604145379BF5AAA2B4ACF5480E1D89BC09DF2B20366CB300E0603551D0F0101FF040403020186300F0603551D130101FF040530030101FF30110603551D20040A300830060604551D200030440603551D1F043D303B3039A037A0358633687474703A2F2F63726C2E7573657274727573742E636F6D2F416464547275737445787465726E616C4341526F6F742E63726C303506082B0601050507010104293027302506082B060105050730018619687474703A2F2F6F6373702E7573657274727573742E636F6D300D06092A864886F70D01010C050003820101009365F63783950F5EC3821C1FD677E73C8AC0AA09F0E90B26F1E0C26A75A1C779C9B95260C829120EF0AD03D609C476DFE5A68195A746DA8257A99592C5B68F03226C3377C17B32176E07CE5A14413A05241BF614063BA825240EBBCC2A75DDB970413F7CD0633621071F46FF60A491E167BCDE1F7E1914C9636791EA67076BB48F8BC06E437DC3A1806CB21EBC53857DDC90A1A4BC2DEF4672573505BFBB46BB6E6D3799B6FF239291C66E40F88F2956EA5FD55F1453ACF04F61EAF722CCA7560BE2B8341F26D97B1905683FBA3CD43806A2D3E68F0EE3B4716D4042C584B440952BF465A04879F61D8163969D4F75E0F87CE48EA9D1F2AD8AB38CC721CDC2EF
(PID) Process:(3960) google-chrome_msetup_[1244143].exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\google-chrome_msetup_[1244143]_RASAPI32
Operation:writeName:EnableFileTracing
Value:
0
(PID) Process:(3960) google-chrome_msetup_[1244143].exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\google-chrome_msetup_[1244143]_RASAPI32
Operation:writeName:EnableConsoleTracing
Value:
0
(PID) Process:(3960) google-chrome_msetup_[1244143].exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\google-chrome_msetup_[1244143]_RASAPI32
Operation:writeName:FileTracingMask
Value:
4294901760
(PID) Process:(3960) google-chrome_msetup_[1244143].exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\google-chrome_msetup_[1244143]_RASAPI32
Operation:writeName:ConsoleTracingMask
Value:
4294901760
(PID) Process:(3960) google-chrome_msetup_[1244143].exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\google-chrome_msetup_[1244143]_RASAPI32
Operation:writeName:MaxFileSize
Value:
1048576
(PID) Process:(3960) google-chrome_msetup_[1244143].exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\google-chrome_msetup_[1244143]_RASAPI32
Operation:writeName:FileDirectory
Value:
%windir%\tracing
Executable files
98
Suspicious files
25
Text files
448
Unknown types
5

Dropped files

PID
Process
Filename
Type
3960google-chrome_msetup_[1244143].exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H6QNMHE9\1[1]
MD5:
SHA256:
3960google-chrome_msetup_[1244143].exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H6QNMHE9\icos[1].cab
MD5:
SHA256:
3960google-chrome_msetup_[1244143].exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E0968A1E3A40D2582E7FD463BAEB59CDbinary
MD5:
SHA256:
3960google-chrome_msetup_[1244143].exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E0968A1E3A40D2582E7FD463BAEB59CDder
MD5:
SHA256:
3960google-chrome_msetup_[1244143].exeC:\Users\admin\AppData\Local\Temp\msetup\5cd03116-96d41.cabcompressed
MD5:
SHA256:
3960google-chrome_msetup_[1244143].exeC:\Users\admin\AppData\Local\Temp\msetup\icons\2gis.icoimage
MD5:FE09DB3FA7E65A72D7F50AC1C61E3210
SHA256:DC561426CB019DADA6A3C253FF1DB8713B2D9B1E5E79C7A9B077AB61BF7431E7
3960google-chrome_msetup_[1244143].exeC:\Users\admin\AppData\Local\Temp\msetup\icons\acdsee.icoimage
MD5:1DF99698FD039DB47DB5651FC234BFA6
SHA256:C51EB90A2F6D59A9BDB847EF7269B1C51D7AFA83072165F13C361E9B00F946B4
3960google-chrome_msetup_[1244143].exeC:\Users\admin\AppData\Local\Temp\msetup\icons\adobe-animate.icoimage
MD5:B9619AEB9473F4D1AD145B9857B00EF6
SHA256:EA311F64C621C91631EA09ECE8E233180BE62BAB3FD46BBA8010502B913F40BF
3960google-chrome_msetup_[1244143].exeC:\Users\admin\AppData\Local\Temp\msetup\icons\3dmark.icoimage
MD5:837CDC1B9F6F3294F64FD953D1D1C7FB
SHA256:FCEB5B95B5C86F70FC76B4A140D38FF14CC01F631A993F5BFD9660244DBC0212
3960google-chrome_msetup_[1244143].exeC:\Users\admin\AppData\Local\Temp\msetup\icons\ableton-live-suite.icoimage
MD5:BD4E92A26A3619EE1B25D3FC8F8B1D5F
SHA256:5928C85D0A294C01021296AB004E9E1B010BC6A40A3E22947B55DA4C671AF512
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
41
TCP/UDP connections
66
DNS requests
69
Threats
10

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3960
google-chrome_msetup_[1244143].exe
HEAD
200
213.174.135.2:80
http://static.msetup.download/ChromeSetup.exe
US
malicious
3448
downloader.exe
GET
302
5.45.205.241:80
http://downloader.yandex.net/yandex-pack/downloader/info.rss
RU
whitelisted
HEAD
302
216.58.207.46:80
http://redirector.gvt1.com/edgedl/release2/chrome/AOEa5tQIt_05_74.0.3729.157/74.0.3729.157_chrome_installer.exe
US
whitelisted
3448
downloader.exe
GET
302
5.45.205.241:80
http://downloader.yandex.net/yandex-pack/8937/YandexPackSetup.exe
RU
whitelisted
HEAD
200
74.125.173.170:80
http://r5---sn-1gieen7e.gvt1.com/edgedl/release2/chrome/AOEa5tQIt_05_74.0.3729.157/74.0.3729.157_chrome_installer.exe?cms_redirect=yes&mip=185.212.170.83&mm=28&mn=sn-1gieen7e&ms=nvh&mt=1557927453&mv=m&pl=24&shardbypass=yes
US
whitelisted
3960
google-chrome_msetup_[1244143].exe
GET
200
91.199.212.52:80
http://crt.usertrust.com/USERTrustRSAAddTrustCA.crt
GB
der
1.37 Kb
whitelisted
2612
avast_free_antivirus_setup_online.exe
GET
200
2.16.186.50:80
http://iavs9x.u.avast.com/iavs9x/avast_free_antivirus_setup_online.exe
unknown
executable
7.38 Mb
whitelisted
2612
avast_free_antivirus_setup_online.exe
POST
204
5.62.40.204:80
http://v7event.stats.avast.com/cgi-bin/iavsevents.cgi
DE
whitelisted
3448
downloader.exe
GET
200
37.140.166.230:80
http://cache-default06h.cdn.yandex.net/downloader.yandex.net/yandex-pack/downloader/info.rss
RU
xml
543 b
whitelisted
3960
google-chrome_msetup_[1244143].exe
GET
200
213.174.135.2:80
http://static.msetup.download/ChromeSetup.exe
US
executable
1.08 Mb
malicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
3960
google-chrome_msetup_[1244143].exe
88.208.5.115:443
api.msetup.pro
DataWeb Global Group B.V.
NL
malicious
3960
google-chrome_msetup_[1244143].exe
5.45.205.243:443
download.yandex.ru
YANDEX LLC
RU
whitelisted
3960
google-chrome_msetup_[1244143].exe
213.174.135.2:80
static.msetup.download
DataWeb Global Group B.V.
US
suspicious
3960
google-chrome_msetup_[1244143].exe
23.58.216.135:443
bits.avcdn.net
Akamai Technologies, Inc.
US
whitelisted
23.58.216.135:443
bits.avcdn.net
Akamai Technologies, Inc.
US
whitelisted
2612
avast_free_antivirus_setup_online.exe
172.217.16.206:80
www.google-analytics.com
Google Inc.
US
whitelisted
2612
avast_free_antivirus_setup_online.exe
2.16.186.50:80
iavs9x.u.avast.com
Akamai International B.V.
whitelisted
3448
downloader.exe
5.45.205.241:80
download.yandex.ru
YANDEX LLC
RU
whitelisted
3448
downloader.exe
5.45.205.221:80
cache-default99i.cdn.yandex.net
YANDEX LLC
RU
whitelisted
3448
downloader.exe
37.140.166.230:80
cache-default06h.cdn.yandex.net
YANDEX LLC
RU
whitelisted

DNS requests

Domain
IP
Reputation
crt.usertrust.com
  • 91.199.212.52
whitelisted
api.msetup.pro
  • 88.208.5.115
malicious
static.msetup.download
  • 213.174.135.2
  • 213.174.135.1
malicious
bits.avcdn.net
  • 23.58.216.135
whitelisted
download.yandex.ru
  • 5.45.205.243
  • 5.45.205.244
  • 5.45.205.245
  • 5.45.205.242
  • 5.45.205.241
whitelisted
cache-default05h.cdn.yandex.net
  • 37.140.166.229
whitelisted
cache-default04h.cdn.yandex.net
  • 37.140.166.228
whitelisted
www.google-analytics.com
  • 172.217.16.206
whitelisted
iavs9x.u.avast.com
  • 2.16.186.50
  • 2.16.186.104
whitelisted
v7event.stats.avast.com
  • 5.62.40.204
  • 77.234.45.54
  • 77.234.45.53
  • 5.62.40.203
whitelisted

Threats

PID
Process
Class
Message
3960
google-chrome_msetup_[1244143].exe
A Network Trojan was detected
ET CURRENT_EVENTS SUSPICIOUS Firesale gTLD EXE DL with no Referer June 13 2016
3960
google-chrome_msetup_[1244143].exe
A Network Trojan was detected
ET CURRENT_EVENTS SUSPICIOUS Firesale gTLD EXE DL with no Referer June 13 2016
3960
google-chrome_msetup_[1244143].exe
Potential Corporate Privacy Violation
ET POLICY PE EXE or DLL Windows file download HTTP
3960
google-chrome_msetup_[1244143].exe
Misc activity
ET INFO Possible EXE Download From Suspicious TLD
2612
avast_free_antivirus_setup_online.exe
Potential Corporate Privacy Violation
ET POLICY PE EXE or DLL Windows file download HTTP
3448
downloader.exe
Potential Corporate Privacy Violation
ET POLICY PE EXE or DLL Windows file download HTTP
Potential Corporate Privacy Violation
ET POLICY PE EXE or DLL Windows file download HTTP
2340
downloader.exe
Attempted Information Leak
ET POLICY curl User-Agent Outbound
1744
lite_installer.exe
Potential Corporate Privacy Violation
ET POLICY PE EXE or DLL Windows file download HTTP
1744
lite_installer.exe
Misc activity
ET INFO EXE - Served Attached HTTP
Process
Message
YandexPackSetup.exe
IsAlreadyRun() In
YandexPackSetup.exe
IsAlreadyRun() Out : ret (BOOL) = 0
YandexPackSetup.exe
IsMSISrvFree() In
YandexPackSetup.exe
IsMSISrvFree() : OpenMutex() err ret = 2
YandexPackSetup.exe
IsMSISrvFree() Out ret = 1
YandexPackSetup.exe
GetLoggedCreds_WTSSessionInfo(): szUserName = admin, szDomain = USER-PC, dwSessionId = 1
YandexPackSetup.exe
GetSidFromEnumSess(): i = 0 : szUserName = Administrator, szDomain = USER-PC, dwSessionId = 0
YandexPackSetup.exe
GetSidFromEnumSess(): ProfileImagePath(1) = C:\Users\admin
YandexPackSetup.exe
GetSidFromEnumSess(): LsaEnumerateLogonSessions() lpszSid = S-1-5-21-1302019708-1500728564-335382590-1000
YandexPackSetup.exe
GetLoggedCreds_WTSSessionInfo(): szUserName = admin, szDomain = USER-PC, dwSessionId = 1
Interactive malware hunting service ANY.RUN
© 2017-2026 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
google-chrome_msetup_[1244143].exe