Malware analysis ChromeSetup.exe Malicious activity | ANY.RUN

Add for printing

File name:	ChromeSetup.exe
Full analysis:	https://app.any.run/tasks/96da740b-f19c-417f-ac0a-e8ee09369a3f
Verdict:	Malicious activity
Threats:	HijackLoader is a modular malware acting as a vehicle for distributing different types of malicious software on compromised systems. It gained prominence during the summer of 2023 and has since been used in multiple attacks against organizations from various sectors, including hospitality businesses. A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. Raccoon is an info stealer type malware available as a Malware as a Service. It can be obtained for a subscription and costs $200 per month. Raccoon malware has already infected over 100,000 devices and became one of the most mentioned viruses on the underground forums in 2019. Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. Malware Trends Tracker >>>
Analysis date:	September 25, 2023, 14:45:53
OS:	Windows 7 Professional Service Pack 1 (build: 7601, 64 bit)
Tags:	hijackloader loader stealer raccoon recordbreaker
Indicators:
MIME:	application/x-dosexec
File info:	PE32 executable (GUI) Intel 80386, for MS Windows
MD5:	A68C75B2C8FB10543207FFD80C44F9E1
SHA1:	CBC7606AC79549705793A24ECDCA329EB4CAF368
SHA256:	F8428D6C7D75839C0E9F922021EE2E08CB3091D2BBD700E40D63F69A0AA4CCCA
SSDEEP:	24576:FovgwKyJEvHf3NITM1f2sJ5wxmkOJdPPARoxV79uvBtGhG0xTavOH:FoowKyOv/3NITM1f2sJ5wxXOJZA+QZtM

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 120 seconds
Heavy Evasion option:
Network geolocation:: off
Additional time used:: none
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.0.9600.18860 KB4052978
Adobe Acrobat Reader DC MUI (15.007.20033)
Adobe Flash Player 27 ActiveX (27.0.0.187)
Adobe Flash Player 27 NPAPI (27.0.0.187)
Adobe Flash Player 27 PPAPI (27.0.0.187)
CCleaner (5.35)
Google Chrome (109.0.5414.120)
Google Update Helper (1.3.33.23)
Java 8 Update 92 (64-bit) (8.0.920.14)
Java Auto Updater (2.8.92.14)
Microsoft .NET Framework 4.7.1 (4.7.02558)
Microsoft .NET Framework 4.7.1 (4.7.02558)
Microsoft Edge (109.0.1518.115)
Microsoft Edge Update (1.3.177.11)
Microsoft Office Access MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Groove MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office IME (Japanese) 2010 (14.0.4763.1000)
Microsoft Office IME (Japanese) 2010 (14.0.4763.1000)
Microsoft Office IME (Korean) 2010 (14.0.4763.1000)
Microsoft Office IME (Korean) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (French) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (German) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Language Pack 2010 - French/Français (14.0.4763.1000)
Microsoft Office Language Pack 2010 - German/Deutsch (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Italian/Italiano (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Japanese/日本語 (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Korean/한국어 (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Portuguese/Português (Brasil) (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Russian/русский (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Spanish/Español (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Turkish/Türkçe (14.0.4763.1013)
Microsoft Office O MUI (French) 2010 (14.0.4763.1000)
Microsoft Office O MUI (German) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Office 32-bit Components 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (English) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (French) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (German) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Outlook MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office PowerPoint MUI (English) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (French) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (German) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Professional 2010 (14.0.4763.1000)
Microsoft Office Proof (Arabic) 2010 (14.0.4763.1000)
Microsoft Office Proof (Basque) 2010 (14.0.4763.1000)
Microsoft Office Proof (Catalan) 2010 (14.0.4763.1000)
Microsoft Office Proof (Dutch) 2010 (14.0.4763.1000)
Microsoft Office Proof (English) 2010 (14.0.4763.1000)
Microsoft Office Proof (French) 2010 (14.0.4763.1000)
Microsoft Office Proof (Galician) 2010 (14.0.4763.1000)
Microsoft Office Proof (German) 2010 (14.0.4763.1000)
Microsoft Office Proof (Italian) 2010 (14.0.4763.1000)
Microsoft Office Proof (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Proof (Korean) 2010 (14.0.4763.1000)
Microsoft Office Proof (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Proof (Russian) 2010 (14.0.4763.1000)
Microsoft Office Proof (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Proof (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Proof (Ukrainian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (English) 2010 (14.0.4763.1000)
Microsoft Office Proofing (French) 2010 (14.0.4763.1000)
Microsoft Office Proofing (German) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Italian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Korean) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Russian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Publisher MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office SharePoint Designer MUI (French) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (German) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Shared 32-bit MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Shared MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Single Image 2010 (14.0.4763.1000)
Microsoft Office Word MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office X MUI (French) 2010 (14.0.4763.1000)
Microsoft Office X MUI (German) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Visual C++ 2005 Redistributable (x64) (8.0.61000)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161 (9.0.30729.6161)
Microsoft Visual C++ 2010 x64 Redistributable - 10.0.40219 (10.0.40219)
Microsoft Visual C++ 2012 Redistributable (x64) - 11.0.61030 (11.0.61030.0)
Microsoft Visual C++ 2012 x64 Additional Runtime - 11.0.61030 (11.0.61030)
Microsoft Visual C++ 2012 x64 Minimum Runtime - 11.0.61030 (11.0.61030)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x64 en-US) (115.0.2)
Mozilla Maintenance Service (115.0.2)
Notepad++ (64-bit x64) (7.5.1)
Opera 12.15 (12.15.1748)
PowerShell 7-x64 (7.2.11.0)
Skype version 8.100 (8.100)
Update for Microsoft .NET Framework 4.7.1 (KB4054852) (1)
VLC media player (2.2.6)
WinRAR 5.60 (64-bit) (5.60.0)

Add for printing

MALICIOUS
- HIJACKLOADER detected by memory dumps
  - cmd.exe (PID: 1384)
  - AarSvc.exe (PID: 2608)
- Application was dropped or rewritten from another process
  - AarSvc.exe (PID: 2608)
- RACCOON detected by memory dumps
  - AarSvc.exe (PID: 2608)
- RACCOON was detected
  - AarSvc.exe (PID: 2608)
- Connects to the CnC server
  - AarSvc.exe (PID: 2608)
- Loads dropped or rewritten executable
  - AarSvc.exe (PID: 2608)
- Steals credentials
  - AarSvc.exe (PID: 2608)
- Actions looks like stealing of personal data
  - AarSvc.exe (PID: 2608)
SUSPICIOUS
- Reads settings of System Certificates
  - ChromeSetup.exe (PID: 788)
- Starts CMD.EXE for commands execution
  - ChromeSetup.exe (PID: 788)
- Reads the Internet Settings
  - ChromeSetup.exe (PID: 788)
  - AarSvc.exe (PID: 2608)
- Connects to the server without a host name
  - AarSvc.exe (PID: 2608)
- Searches for installed software
  - AarSvc.exe (PID: 2608)
- Reads browser cookies
  - AarSvc.exe (PID: 2608)
- Process requests binary or script from the Internet
  - AarSvc.exe (PID: 2608)
INFO
- Reads the computer name
  - ChromeSetup.exe (PID: 788)
  - AarSvc.exe (PID: 2608)
- Reads the machine GUID from the registry
  - ChromeSetup.exe (PID: 788)
  - AarSvc.exe (PID: 2608)
- Checks supported languages
  - ChromeSetup.exe (PID: 788)
  - AarSvc.exe (PID: 2608)
- Create files in a temporary directory
  - ChromeSetup.exe (PID: 788)
- The executable file from the user directory is run by the CMD process
  - AarSvc.exe (PID: 2608)
- Checks proxy server information
  - AarSvc.exe (PID: 2608)
- Creates files or folders in the user directory
  - AarSvc.exe (PID: 2608)
- Reads Environment values
  - AarSvc.exe (PID: 2608)
- Reads product name
  - AarSvc.exe (PID: 2608)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

Raccoon

(PID) Process(2608) AarSvc.exe

C2 (1)http://65.109.2.42:80

Keys

xor5e2505d8647542f05843f89ae7cd18e7

No Malware configuration.

Add for printing

TRiD

.exe	\|	Win32 Executable MS Visual C++ (generic) (42.2)
.exe	\|	Win64 Executable (generic) (37.3)
.dll	\|	Win32 Dynamic Link Library (generic) (8.8)
.exe	\|	Win32 Executable (generic) (6)
.exe	\|	Generic Win/DOS Executable (2.7)

EXIF

EXE

InternalBuildNumber:	203014
ProductVersion:	27
ProductName:	InstallShield
OriginalFileName:	Compile.exe
LegalCopyright:	Copyright (c) 2021 Flexera. All Rights Reserved.
InternalName:	CompileEXE
FileVersion:	27.0.58
FileDescription:	InstallShield (R) Command Line Compile Utility
CompanyName:	Flexera
CharacterSet:	Unicode
LanguageCode:	English (U.S.)
FileSubtype:	-
ObjectFileType:	Dynamic link library
FileOS:	Win32
FileFlags:	(none)
FileFlagsMask:	0x003f
ProductVersionNumber:	27.0.0.0
FileVersionNumber:	27.0.0.58
Subsystem:	Windows GUI
SubsystemVersion:	6
ImageVersion:	-
OSVersion:	6
EntryPoint:	0x496d3
UninitializedDataSize:	-
InitializedDataSize:	770048
CodeSize:	636416
LinkerVersion:	14
PEType:	PE32
ImageFileCharacteristics:	Executable, 32-bit
TimeStamp:	2021:08:30 14:38:27+00:00
MachineType:	Intel 386 or later, and compatibles

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

788

"C:\Users\admin\AppData\Local\Temp\ChromeSetup.exe"

C:\Users\admin\AppData\Local\Temp\ChromeSetup.exe

explorer.exe

User:

admin

Company:

Flexera

Integrity Level:

MEDIUM

Description:

InstallShield (R) Command Line Compile Utility

Exit code:

Version:

27.0.58

Modules

Images
c:\users\admin\appdata\local\temp\chromesetup.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\user32.dll

1384

C:\Windows\SysWOW64\cmd.exe

ChromeSetup.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows Command Processor

Exit code:

Version:

6.1.7601.17514 (win7sp1_rtm.101119-1850)

Modules

Images
c:\windows\syswow64\cmd.exe
c:\windows\syswow64\ntdll.dll
c:\windows\system32\ntdll.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernelbase.dll

2608

C:\Users\admin\AppData\Local\Temp\AarSvc.exe

cmd.exe

User:

admin

Company:

Info-ZIP

Integrity Level:

MEDIUM

Description:

Info-ZIP Zip for Win32 console

Exit code:

Version:

3.0

Modules

Images
c:\windows\syswow64\mshtml.dll
c:\users\admin\appdata\local\temp\aarsvc.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernel32.dll

Raccoon

(PID) Process(2608) AarSvc.exe

C2 (1)http://65.109.2.42:80

Keys

xor5e2505d8647542f05843f89ae7cd18e7

Add for printing

Total events

1 530

Read events

1 513

Write events

Delete events

Modification events


(PID) Process:	(788) ChromeSetup.exe	Key:	HKEY_CLASSES_ROOT\Local Settings\MuiCache\156\52C64B7E
Operation:	write	Name:	LanguageList
Value: en-US
(PID) Process:	(2608) AarSvc.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:	write	Name:	CachePrefix
Value: Cookie:
(PID) Process:	(2608) AarSvc.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:	write	Name:	CachePrefix
Value: Visited:
(PID) Process:	(2608) AarSvc.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Operation:	write	Name:	ProxyEnable
Value: 0
(PID) Process:	(2608) AarSvc.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
Operation:	write	Name:	SavedLegacySettings
Value: 46000000B1000000010000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:	(2608) AarSvc.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	ProxyBypass
Value: 1
(PID) Process:	(2608) AarSvc.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	IntranetName
Value: 1
(PID) Process:	(2608) AarSvc.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	UNCAsIntranet
Value: 1
(PID) Process:	(2608) AarSvc.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	AutoDetect
Value: 0

Add for printing

Executable files

Suspicious files

Text files

Unknown types

Dropped files

PID	Process	Filename		Type
1384	cmd.exe	C:\Users\admin\AppData\Local\Temp\nwnrhq		—
		MD5:—	SHA256:—
788	ChromeSetup.exe	C:\Users\admin\AppData\Local\Temp\CabD5E.tmp		compressed
		MD5:F3441B8572AAE8801C04F3060B550443	SHA256:6720349E7D82EE0A8E73920D3C2B7CB2912D9FCF2EDB6FD98F2F12820158B0BF
2608	AarSvc.exe	C:\Users\admin\AppData\LocalLow\8lZT738L7KTS		binary
		MD5:CEEDD8AE976601F9C9365EBEC5CFD997	SHA256:0B1A7E634F5B8A88211685983E83E7739359ACE5F26CA99746F46BB81507A42E
788	ChromeSetup.exe	C:\Users\admin\AppData\Local\Temp\b6bbb0d1		binary
		MD5:72AA01357182A681706D1166BD080811	SHA256:3D65ABC16BA8B7F7AC44578F83C91B80C5855B600D12136DDB64557FC5582714
2608	AarSvc.exe	C:\Users\admin\AppData\LocalLow\softokn3.dll		executable
		MD5:63A1FE06BE877497C4C2017CA0303537	SHA256:44BE3153C15C2D18F49674A092C135D3482FB89B77A1B2063D01D02985555FE0
2608	AarSvc.exe	C:\Users\admin\AppData\LocalLow\freebl3.dll		executable
		MD5:15B61E4A910C172B25FB7D8CCB92F754	SHA256:B2AE93D30C8BEB0B26F03D4A8325AC89B92A299E8F853E5CAA51BB32575B06C6
2608	AarSvc.exe	C:\Users\admin\AppData\LocalLow\vcruntime140.dll		executable
		MD5:1B171F9A428C44ACF85F89989007C328	SHA256:9D02E952396BDFF3ABFE5654E07B7A713C84268A225E11ED9A3BF338ED1E424C
2608	AarSvc.exe	C:\Users\admin\AppData\LocalLow\1lG75At8RTLj		binary
		MD5:CEB39527E05115BBE0227EA14D897374	SHA256:D3406398F5A7D00D94E1F36065ACC5C63DBF27FB4026D75FB09129DDD05C2D20
2608	AarSvc.exe	C:\Users\admin\AppData\LocalLow\mozglue.dll		executable
		MD5:F07D9977430E762B563EAADC2B94BBFA	SHA256:4191FAF7E5EB105A0F4C5C6ED3E9E9C71014E8AA39BBEE313BC92D1411E9E862
2608	AarSvc.exe	C:\Users\admin\AppData\LocalLow\f90LHK20i6SD		binary
		MD5:8ED59ABBE343BC945E3A9F4801075399	SHA256:97E62577149EB459A713FCBE09C5C73A1ADDF230042F53B2CA9E256E695EA7A0

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
788	ChromeSetup.exe	GET	200	8.238.206.126:80	http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/D69B561148F01C77C54578C10926DF5B856976AD.crt?d43ca4f947f04c6d	unknown	der	867 b	unknown
788	ChromeSetup.exe	GET	200	8.238.206.126:80	http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?3df2147b21750b02	unknown	compressed	61.6 Kb	unknown
2608	AarSvc.exe	GET	200	65.109.2.42:80	http://65.109.2.42/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/msvcp140.dll	unknown	executable	438 Kb	unknown
2608	AarSvc.exe	POST	200	65.109.2.42:80	http://65.109.2.42/	unknown	text	6.89 Kb	unknown
2608	AarSvc.exe	GET	200	65.109.2.42:80	http://65.109.2.42/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/vcruntime140.dll	unknown	executable	78.2 Kb	unknown
2608	AarSvc.exe	GET	200	65.109.2.42:80	http://65.109.2.42/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/freebl3.dll	unknown	executable	668 Kb	unknown
2608	AarSvc.exe	GET	200	65.109.2.42:80	http://65.109.2.42/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/nss3.dll	unknown	executable	1.95 Mb	unknown
2608	AarSvc.exe	GET	200	65.109.2.42:80	http://65.109.2.42/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/mozglue.dll	unknown	executable	612 Kb	unknown
2608	AarSvc.exe	POST	200	65.109.2.42:80	http://65.109.2.42/0d6527bfaa1c97aa3c29bc5a145edff8	unknown	text	8 b	unknown
2608	AarSvc.exe	POST	200	65.109.2.42:80	http://65.109.2.42/0d6527bfaa1c97aa3c29bc5a145edff8	unknown	text	8 b	unknown

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
1208	svchost.exe	239.255.255.250:1900	—	—	—	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
4	System	192.168.100.255:137	—	—	—	whitelisted
332	svchost.exe	224.0.0.252:5355	—	—	—	unknown
788	ChromeSetup.exe	178.248.238.19:443	kommersant.ru	HLL LLC	RU	unknown
788	ChromeSetup.exe	8.238.206.126:80	ctldl.windowsupdate.com	LEVEL3	US	unknown
2608	AarSvc.exe	65.109.2.42:80	—	Hetzner Online GmbH	FI	unknown

DNS requests

Domain	IP	Reputation
kommersant.ru	178.248.238.19	whitelisted
ctldl.windowsupdate.com	8.238.206.126 8.248.137.254 8.238.191.126 8.238.189.126 8.60.136.62	whitelisted
www.kommersant.ru	178.248.238.19	unknown

Threats

PID	Process	Class	Message
2608	AarSvc.exe	A Network Trojan was detected	ET MALWARE Win32/RecordBreaker CnC Checkin M1
2608	AarSvc.exe	A Network Trojan was detected	ET MALWARE Win32/RecordBreaker CnC Checkin - Server Response
2608	AarSvc.exe	Potentially Bad Traffic	ET INFO Dotted Quad Host DLL Request
2608	AarSvc.exe	A suspicious filename was detected	ET HUNTING HTTP GET Request for nss3.dll - Possible Infostealer Activity
2608	AarSvc.exe	Potential Corporate Privacy Violation	ET POLICY PE EXE or DLL Windows file download HTTP
2608	AarSvc.exe	Potentially Bad Traffic	ET INFO Dotted Quad Host DLL Request
2608	AarSvc.exe	Potentially Bad Traffic	ET INFO Dotted Quad Host DLL Request
2608	AarSvc.exe	A suspicious filename was detected	ET HUNTING HTTP GET Request for vcruntime140.dll - Possible Infostealer Activity
2608	AarSvc.exe	Potentially Bad Traffic	ET INFO Dotted Quad Host DLL Request
2608	AarSvc.exe	A suspicious filename was detected	ET HUNTING HTTP GET Request for mozglue.dll - Possible Infostealer Activity

3 ETPRO signatures available at the full report

Add for printing

Process	Message
AarSvc.exe	log: 2wh3jior
AarSvc.exe	log: wzqp6c4u
AarSvc.exe	log: wzqp6c4u
AarSvc.exe	log: wzqp6c4u
AarSvc.exe	log: xa8skody
AarSvc.exe	log: 10ac5g0i
AarSvc.exe	log: cm74tasm
AarSvc.exe	log: h5fxqpln
AarSvc.exe	log: rkizjfza
AarSvc.exe	log: 5qvdjrlo

General Info

ChromeSetup.exe

A68C75B2C8FB10543207FFD80C44F9E1

CBC7606AC79549705793A24ECDCA329EB4CAF368

F8428D6C7D75839C0E9F922021EE2E08CB3091D2BBD700E40D63F69A0AA4CCCA

24576:FovgwKyJEvHf3NITM1f2sJ5wxmkOJdPPARoxV79uvBtGhG0xTavOH:FoowKyOv/3NITM1f2sJ5wxXOJZA+QZtM

Software environment set and analysis options

Launch configuration

Software preset

Behavior activities

MALICIOUS

HIJACKLOADER detected by memory dumps

Application was dropped or rewritten from another process

RACCOON detected by memory dumps

RACCOON was detected

Connects to the CnC server

Loads dropped or rewritten executable

Steals credentials

Actions looks like stealing of personal data

SUSPICIOUS

Reads settings of System Certificates

Starts CMD.EXE for commands execution

Reads the Internet Settings

Connects to the server without a host name

Searches for installed software

Reads browser cookies

Process requests binary or script from the Internet

INFO

Reads the computer name

Reads the machine GUID from the registry

Checks supported languages

Create files in a temporary directory

The executable file from the user directory is run by the CMD process

Checks proxy server information

Creates files or folders in the user directory

Reads Environment values

Reads product name

Malware configuration

Raccoon

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Malware configuration

Raccoon

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings