File name: CefSharp.BrowsersSubprocess.exe

Full analysis: https://app.any.run/tasks/67402248-a9b1-463a-bc5f-36f4464a0b4e
Verdict: Malicious activity
Threats:

Stealers are a category of malware designed to gain unauthorized access to users' information and transfer it to the attacker. The category includes programs that each focus on a particular kind of data, such as files, passwords, and cryptocurrency. Stealers can also spy on their targets by recording keystrokes and taking screenshots. This type of malware is distributed primarily through phishing campaigns.

Analysis date: April 06, 2025, 05:45:23
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags: evasion, stealer
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows, 3 sections
MD5:

56BCB1CFFA2362F6B01CDA8E73F5F938

SHA1:

246AD4D1563210827D83713618C725B66BFB8798

SHA256:

E962736250EA5B158E2B690F6154EF8D3309C9E63AADB575583EBADED94B049E

SSDEEP:

3072:m1O8ZV8fv097s1KcCnm7GEJT3N0k/h/smFpuASZtqqqqqq4paq929QGKwtEtMTbi:dl1KcCm7G4N0k/hEFASZtqqqqqq4paq2

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Steals credentials from Web Browsers
      • CefSharp.BrowsersSubprocess.exe (PID: 7148)
    • Actions looks like stealing of personal data
      • CefSharp.BrowsersSubprocess.exe (PID: 7148)
  • SUSPICIOUS
    • Checks for external IP
      • CefSharp.BrowsersSubprocess.exe (PID: 7148)
    • Executes application which crashes
      • CefSharp.BrowsersSubprocess.exe (PID: 7148)
  • INFO
    • Reads the computer name
      • CefSharp.BrowsersSubprocess.exe (PID: 7148)
    • Checks supported languages
      • CefSharp.BrowsersSubprocess.exe (PID: 7148)
    • Reads the software policy settings
      • slui.exe (PID: 6872)
      • CefSharp.BrowsersSubprocess.exe (PID: 7148)
    • Disables trace logs
      • CefSharp.BrowsersSubprocess.exe (PID: 7148)
    • Checks proxy server information
      • CefSharp.BrowsersSubprocess.exe (PID: 7148)
    • Reads CPU info
      • CefSharp.BrowsersSubprocess.exe (PID: 7148)
    • Creates files or folders in the user directory
      • CefSharp.BrowsersSubprocess.exe (PID: 7148)
      • WerFault.exe (PID: 6388)
    • Reads the machine GUID from the registry
      • CefSharp.BrowsersSubprocess.exe (PID: 7148)
No Malware configuration.

TRiD

.exe | Generic CIL Executable (.NET, Mono, etc.) (56.7)
.exe | Win64 Executable (generic) (21.3)
.scr | Windows screen saver (10.1)
.dll | Win32 Dynamic Link Library (generic) (5)
.exe | Win32 Executable (generic) (3.4)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2071:07:31 00:00:57+00:00
ImageFileCharacteristics: Executable, Large address aware
PEType: PE32
LinkerVersion: 48
CodeSize: 151040
InitializedDataSize: 2560
UninitializedDataSize: -
EntryPoint: 0x26d06
OSVersion: 4
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
FileVersionNumber: 1.0.1.2
ProductVersionNumber: 1.0.1.2
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
Comments: CefSharp.BrowsersSubprocess
CompanyName: LLC 'Windows'
FileDescription: CefSharp.BrowsersSubprocess
FileVersion: 1.0.1.2
InternalName: CefSharp.BrowsersSubprocess.exe
LegalCopyright: LLC 'Windows' & Copyright © 2024
LegalTrademarks: LLC 'Windows'
OriginalFileName: CefSharp.BrowsersSubprocess.exe
ProductName: CefSharp
ProductVersion: 1.0.1.2
AssemblyVersion: 1.0.1.1
Total processes: 136
Monitored processes: 5
Malicious processes: 1
Suspicious processes: 0

Behavior graph

Processes in the graph (from the start node): cefsharp.browserssubprocess.exe, sppextcomobj.exe (no specs), slui.exe, werfault.exe (no specs), slui.exe (no specs)

Process information

PID | CMD | Path | Indicators | Parent process

4408 | C:\WINDOWS\system32\SppExtComObj.exe -Embedding | C:\Windows\System32\SppExtComObj.Exe | - | svchost.exe
User: NETWORK SERVICE
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: KMS Connection Broker
Version: 10.0.19041.3996 (WinBuild.160101.0800)

6388 | C:\WINDOWS\SysWOW64\WerFault.exe -u -p 7148 -s 2100 | C:\Windows\SysWOW64\WerFault.exe | - | CefSharp.BrowsersSubprocess.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Problem Reporting
Exit code: 0
Version: 10.0.19041.3996 (WinBuild.160101.0800)
Modules (images):
c:\windows\syswow64\werfault.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\combase.dll

6576 | C:\WINDOWS\System32\slui.exe -Embedding | C:\Windows\System32\slui.exe | - | svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Activation Client
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll

6872 | "C:\WINDOWS\System32\SLUI.exe" RuleId=3482d82e-ca2c-4e1f-8864-da0267b484b2;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=4de7cb65-cdf1-4de9-8ae8-e3cce27b9f2c;NotificationInterval=1440;Trigger=TimerEvent | C:\Windows\System32\slui.exe | - | SppExtComObj.Exe
User: NETWORK SERVICE
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Windows Activation Client
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll

7148 | "C:\Users\admin\AppData\Local\Temp\CefSharp.BrowsersSubprocess.exe" | C:\Users\admin\AppData\Local\Temp\CefSharp.BrowsersSubprocess.exe | - | explorer.exe
User: admin
Company: LLC 'Windows'
Integrity Level: MEDIUM
Description: CefSharp.BrowsersSubprocess
Exit code: 3762504530
Version: 1.0.1.2
Modules (images):
c:\users\admin\appdata\local\temp\cefsharp.browserssubprocess.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\mscoree.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
Total events: 4 090
Read events: 4 076
Write events: 14
Delete events: 0

Modification events

(PID) Process | Operation | Key | Name | Value
(7148) CefSharp.BrowsersSubprocess.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\CefSharp_RASAPI32 | EnableFileTracing | 0
(7148) CefSharp.BrowsersSubprocess.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\CefSharp_RASAPI32 | EnableAutoFileTracing | 0
(7148) CefSharp.BrowsersSubprocess.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\CefSharp_RASAPI32 | EnableConsoleTracing | 0
(7148) CefSharp.BrowsersSubprocess.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\CefSharp_RASAPI32 | FileTracingMask | (value not shown)
(7148) CefSharp.BrowsersSubprocess.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\CefSharp_RASAPI32 | ConsoleTracingMask | (value not shown)
(7148) CefSharp.BrowsersSubprocess.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\CefSharp_RASAPI32 | MaxFileSize | 1048576
(7148) CefSharp.BrowsersSubprocess.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\CefSharp_RASAPI32 | FileDirectory | %windir%\tracing
(7148) CefSharp.BrowsersSubprocess.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\CefSharp_RASMANCS | EnableFileTracing | 0
(7148) CefSharp.BrowsersSubprocess.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\CefSharp_RASMANCS | EnableAutoFileTracing | 0
(7148) CefSharp.BrowsersSubprocess.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\CefSharp_RASMANCS | EnableConsoleTracing | 0
Executable files: 0
Suspicious files: 12
Text files: 4
Unknown types: 0

Dropped files

PID | Process | Filename | Type
6388 | WerFault.exe | C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_CefSharp.Browser_ea6f58f121828a86b96b9d70f5e3e34931f4ba83_6e37c527_e497a233-2833-4d19-86c7-f47dd0956217\Report.wer | -
MD5:
SHA256:
6388 | WerFault.exe | C:\Users\admin\AppData\Local\CrashDumps\CefSharp.BrowsersSubprocess.exe.7148.dmp | -
MD5:
SHA256:
7148 | CefSharp.BrowsersSubprocess.exe | C:\Users\admin\AppData\Local\SCef.WindowsAdapter\Files\answerreading.jpg | binary
MD5:10D5A367593333665C5A0972FB788F9F
SHA256:D5CB39226A8AADE14FD3F3D27D75081FCC7D72DCABBB3A778D853F420507F255
7148 | CefSharp.BrowsersSubprocess.exe | C:\Users\admin\AppData\Local\SCef.WindowsAdapter\Files\remotelinks.jpg | binary
MD5:F554EEA8DC38FC8AA03210C93BEEA12B
SHA256:6484DEDDB08C5BB97DF1D4EDDF70389EA5617DEF14B307557A079ACF6AF5266D
7148 | CefSharp.BrowsersSubprocess.exe | C:\Users\admin\AppData\Local\SCef.WindowsAdapter\Files\televisiondevelop.png | binary
MD5:801284D1F530FB2F04FC2C4BB66050CA
SHA256:E02F1EB2714AC757BAE6C16CFB5639E721529559C70865C418054C02A57E1E74
7148 | CefSharp.BrowsersSubprocess.exe | C:\Users\admin\AppData\Local\CefSharp\CefSharp_BrowserSubprocess.dat | text
MD5:8512497AA85D16B4E11DBA944CA5F675
SHA256:97BCAB8FE3683B023630C39E3462388F9D73524FA19BAEBFF7E341E4B0984C37
7148 | CefSharp.BrowsersSubprocess.exe | C:\Users\admin\AppData\Local\SCef.WindowsAdapter\Files\treerelease.png | binary
MD5:24F0F4E65E3E84B77A1DC2BE90ADFBC5
SHA256:0D96F9E8587BA96444C7F93D70CE9CD15B7C8B29DED010A2C2D719D38401906B
7148 | CefSharp.BrowsersSubprocess.exe | C:\Users\admin\AppData\Local\SCef.WindowsAdapter\Files\additionwind.jpg | binary
MD5:F494906856D6E8FA4D2CB861D0DE80F5
SHA256:750BE65F59785601F40E3FE21BE79FED57D025FFC398099A28A9EA018DB75764
7148 | CefSharp.BrowsersSubprocess.exe | C:\Users\admin\AppData\Local\SCef.WindowsAdapter\Files\managersystem.jpg | binary
MD5:B666BA7039C376474A1581CB04D397AC
SHA256:DADF53E39E6BDBB6A5353C69B3463EB49ABFB62305521B10897FF46ED4D2D415
7148 | CefSharp.BrowsersSubprocess.exe | C:\Users\admin\AppData\Local\SCef.WindowsAdapter\Information.txt | text
MD5:5420CE5D2C1B723C0971DC83AC6F80ED
SHA256:20FCBFF4C700111C75785735695E5BC3304D198D70C78FF9A38CDC5D1B263B2B
HTTP(S) requests: 5
TCP/UDP connections: 23
DNS requests: 17
Threats: 5

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
6516 | SIHClient.exe | GET | 200 | 2.23.181.156:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl | - | unknown | - | whitelisted
6544 | svchost.exe | GET | 200 | 2.23.77.188:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | - | unknown | - | whitelisted
7148 | CefSharp.BrowsersSubprocess.exe | GET | 200 | 208.95.112.1:80 | http://ip-api.com/json/45.86.203.67 | - | unknown | - | whitelisted
6516 | SIHClient.exe | GET | 200 | 2.23.181.156:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | - | unknown | - | whitelisted
- | - | GET | 200 | 2.16.164.49:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | - | unknown | - | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
- | - | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
- | - | 2.16.164.49:80 | crl.microsoft.com | Akamai International B.V. | NL | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
7148 | CefSharp.BrowsersSubprocess.exe | 104.26.12.205:443 | api.ipify.org | CLOUDFLARENET | US | shared
7148 | CefSharp.BrowsersSubprocess.exe | 208.95.112.1:80 | ip-api.com | TUT-AS | US | whitelisted
3216 | svchost.exe | 172.172.255.216:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
6544 | svchost.exe | 20.190.159.2:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
6544 | svchost.exe | 2.23.77.188:80 | ocsp.digicert.com | AKAMAI-AS | DE | whitelisted
2112 | svchost.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 20.73.194.208
  • 40.127.240.158
  • 51.104.136.2
whitelisted
crl.microsoft.com
  • 2.16.164.49
  • 2.16.164.120
whitelisted
google.com
  • 216.58.206.78
whitelisted
api.ipify.org
  • 104.26.12.205
  • 104.26.13.205
  • 172.67.74.152
shared
ip-api.com
  • 208.95.112.1
whitelisted
client.wns.windows.com
  • 172.172.255.216
whitelisted
login.live.com
  • 20.190.159.2
  • 20.190.159.130
  • 20.190.159.73
  • 20.190.159.75
  • 20.190.159.0
  • 40.126.31.131
  • 40.126.31.1
  • 20.190.159.71
whitelisted
ocsp.digicert.com
  • 2.23.77.188
whitelisted
slscr.update.microsoft.com
  • 4.175.87.197
whitelisted
www.microsoft.com
  • 2.23.181.156
whitelisted

Threats

PID | Process | Class | Message
- | - | Misc activity | ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup
7148 | CefSharp.BrowsersSubprocess.exe | Misc activity | ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI
- | - | Device Retrieving External IP Address Detected | INFO [ANY.RUN] External IP Check (ip-api .com)
7148 | CefSharp.BrowsersSubprocess.exe | Device Retrieving External IP Address Detected | ET INFO External IP Lookup ip-api.com
- | - | Device Retrieving External IP Address Detected | ET INFO External IP Lookup Domain in DNS Lookup (ip-api .com)
No debug info