File name: utilmain5292.exe

Full analysis: https://app.any.run/tasks/bbf4dfd0-aff3-4459-ac7a-c5eedcd13269
Verdict: Malicious activity
Threats:

Stealers are a group of malicious software intended to gain unauthorized access to users' information and transfer it to the attacker. The stealer malware category includes various types of programs, each focusing on a particular kind of data, such as files, passwords, and cryptocurrency. Stealers are also capable of spying on their targets by recording keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns.

Analysis date: November 17, 2025, 22:46:40
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
github
golang
auto-sch-xml
evasion
stealer
arch-exec
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32+ executable (GUI) x86-64, for MS Windows, 9 sections
MD5: FBF592A3D9A66E858A68F2BBBFBB84D6
SHA1: 4A596C4745911B9D8B8B24A3A2864621A6275313
SHA256: FB8688C0A6147FC605CBF4D0459730052381B06AB9E2DD006CF82F270F7FDFB0
SSDEEP: 98304:feEUibuhy8JT/TaOhrbmCoGTISyLAGJjoNNybtwcMIUo9aBQSyZt+LbVNNj9p9f9:VfF

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided as is for user acknowledgement. ANY.RUN does not guarantee the maliciousness or safety of the content.
  • MALICIOUS

    • Run PowerShell with an invisible window

      • powershell.exe (PID: 2636)
    • Uses Task Scheduler to run other applications

      • utilmain5292.exe (PID: 7332)
    • Actions look like stealing of personal data

      • chrome.exe (PID: 6780)
      • chrome.exe (PID: 7516)
      • chrome.exe (PID: 6372)
    • Steals credentials from Web Browsers

      • chrome.exe (PID: 6780)
    • Changes powershell execution policy (Bypass)

      • cmd.exe (PID: 6076)
    • Bypass execution policy to execute commands

      • powershell.exe (PID: 7384)
  • SUSPICIOUS

    • Process drops legitimate windows executable

      • utilmain5292.exe (PID: 7332)
    • Application launched itself

      • chrome.exe (PID: 8132)
      • chrome.exe (PID: 5612)
      • chrome.exe (PID: 6780)
      • chrome.exe (PID: 6372)
    • Executable content was dropped or overwritten

      • utilmain5292.exe (PID: 7332)
      • powershell.exe (PID: 7384)
    • Hides errors and continues executing the command without stopping

      • powershell.exe (PID: 2636)
    • The process hides an interactive prompt from the user

      • utilmain5292.exe (PID: 7332)
    • The process bypasses the loading of PowerShell profile settings

      • utilmain5292.exe (PID: 7332)
      • cmd.exe (PID: 6076)
    • Starts POWERSHELL.EXE for command execution

      • utilmain5292.exe (PID: 7332)
      • cmd.exe (PID: 6076)
    • Kill processes via PowerShell

      • powershell.exe (PID: 2636)
    • Get information on the list of running processes

      • utilmain5292.exe (PID: 7332)
    • Uses ATTRIB.EXE to modify file attributes

      • utilmain5292.exe (PID: 7332)
    • Reads security settings of Internet Explorer

      • chrome.exe (PID: 5612)
      • chrome.exe (PID: 6780)
      • chrome.exe (PID: 6372)
    • Checks for external IP

      • chrome.exe (PID: 5308)
    • Starts CMD.EXE for command execution

      • chrome.exe (PID: 5612)
    • Executing commands from ".cmd" file

      • chrome.exe (PID: 5612)
    • The process executes PowerShell scripts

      • cmd.exe (PID: 6076)
    • The process executes via Task Scheduler

      • chrome.exe (PID: 7944)
    • Converts a specified value to an integer (POWERSHELL)

      • powershell.exe (PID: 7384)
    • Gets or sets the security protocol (POWERSHELL)

      • powershell.exe (PID: 7384)
    • Uses base64 encoding (POWERSHELL)

      • powershell.exe (PID: 7384)
    • The executable file from the user directory is run by the CMD process

      • relay4412.exe (PID: 6124)
      • relay4412.exe (PID: 7176)
      • relay4412.exe (PID: 7900)
      • relay4412.exe (PID: 2720)
      • relay4412.exe (PID: 3200)
    • Writes data into a file (POWERSHELL)

      • powershell.exe (PID: 7384)
  • INFO

    • Reads the computer name

      • utilmain5292.exe (PID: 7332)
      • chrome.exe (PID: 8132)
      • chrome.exe (PID: 5040)
      • chrome.exe (PID: 5612)
      • chrome.exe (PID: 7580)
      • chrome.exe (PID: 5308)
      • chrome.exe (PID: 6892)
      • chrome.exe (PID: 6780)
      • chrome.exe (PID: 8128)
      • chrome.exe (PID: 7516)
      • chrome.exe (PID: 5124)
      • relay4412.exe (PID: 7176)
      • chrome.exe (PID: 6372)
      • chrome.exe (PID: 7732)
      • chrome.exe (PID: 2868)
      • chrome.exe (PID: 5336)
    • Creates files in a temporary directory

      • utilmain5292.exe (PID: 7332)
      • chrome.exe (PID: 5612)
      • chrome.exe (PID: 6780)
      • chrome.exe (PID: 6372)
      • chrome.exe (PID: 7732)
    • Checks supported languages

      • utilmain5292.exe (PID: 7332)
      • chrome.exe (PID: 8132)
      • chrome.exe (PID: 4056)
      • chrome.exe (PID: 5040)
      • chrome.exe (PID: 2032)
      • chrome.exe (PID: 5612)
      • chrome.exe (PID: 2764)
      • chrome.exe (PID: 4444)
      • chrome.exe (PID: 1288)
      • chrome.exe (PID: 7580)
      • chrome.exe (PID: 5308)
      • chrome.exe (PID: 5284)
      • chrome.exe (PID: 6780)
      • chrome.exe (PID: 6764)
      • chrome.exe (PID: 8128)
      • chrome.exe (PID: 7516)
      • chrome.exe (PID: 5516)
      • chrome.exe (PID: 968)
      • chrome.exe (PID: 6892)
      • chrome.exe (PID: 6988)
      • chrome.exe (PID: 7176)
      • chrome.exe (PID: 5124)
      • chrome.exe (PID: 1928)
      • chrome.exe (PID: 7944)
      • chrome.exe (PID: 2868)
      • chrome.exe (PID: 6372)
      • relay4412.exe (PID: 6124)
      • relay4412.exe (PID: 7176)
      • relay4412.exe (PID: 7900)
      • chrome.exe (PID: 5508)
      • relay4412.exe (PID: 2720)
      • relay4412.exe (PID: 3200)
      • chrome.exe (PID: 7732)
      • chrome.exe (PID: 2272)
      • chrome.exe (PID: 3944)
      • chrome.exe (PID: 5336)
    • Reads the software policy settings

      • utilmain5292.exe (PID: 7332)
      • slui.exe (PID: 6384)
    • Reads the machine GUID from the registry

      • utilmain5292.exe (PID: 7332)
      • chrome.exe (PID: 8132)
      • chrome.exe (PID: 5612)
      • chrome.exe (PID: 6780)
      • chrome.exe (PID: 6372)
    • Application based on Golang

      • utilmain5292.exe (PID: 7332)
    • Detects GO elliptic curve encryption (YARA)

      • utilmain5292.exe (PID: 7332)
    • Creates files or folders in the user directory

      • utilmain5292.exe (PID: 7332)
      • chrome.exe (PID: 5612)
      • chrome.exe (PID: 8132)
      • chrome.exe (PID: 5308)
      • chrome.exe (PID: 6780)
      • chrome.exe (PID: 7516)
    • The sample was compiled with English language support

      • utilmain5292.exe (PID: 7332)
    • Process checks computer location settings

      • chrome.exe (PID: 8132)
      • chrome.exe (PID: 5284)
      • chrome.exe (PID: 2764)
      • chrome.exe (PID: 4444)
      • chrome.exe (PID: 1288)
      • chrome.exe (PID: 5612)
      • chrome.exe (PID: 6780)
      • chrome.exe (PID: 968)
      • chrome.exe (PID: 5516)
      • chrome.exe (PID: 2272)
      • chrome.exe (PID: 3944)
      • chrome.exe (PID: 6372)
      • chrome.exe (PID: 5508)
    • Checks proxy server information

      • chrome.exe (PID: 8132)
      • chrome.exe (PID: 5612)
      • chrome.exe (PID: 6780)
      • powershell.exe (PID: 7384)
      • chrome.exe (PID: 6372)
      • slui.exe (PID: 6384)
    • Drops encrypted JS script (Microsoft Script Encoder)

      • utilmain5292.exe (PID: 7332)
    • Reads CPU info

      • chrome.exe (PID: 5612)
      • chrome.exe (PID: 6780)
      • chrome.exe (PID: 6372)
    • Manual execution by a user

      • chrome.exe (PID: 6780)
    • Disables trace logs

      • powershell.exe (PID: 7384)
    • Gets data length (POWERSHELL)

      • powershell.exe (PID: 7384)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (87.3)
.exe | Generic Win/DOS Executable (6.3)
.exe | DOS Executable Generic (6.3)

EXIF

EXE

MachineType: AMD AMD64
TimeStamp: 0000:00:00 00:00:00
ImageFileCharacteristics: Executable, Large address aware
PEType: PE32+
LinkerVersion: 3
CodeSize: 8919552
InitializedDataSize: 7381504
UninitializedDataSize: -
EntryPoint: 0x7be40
OSVersion: 6.1
ImageVersion: 1
SubsystemVersion: 6.1
Subsystem: Windows GUI
No data.
All screenshots are available in the full report
Total processes: 202
Monitored processes: 56
Malicious processes: 6
Suspicious processes: 3

Behavior graph

Process chain as shown in the graph (entries marked "no specs" raised no specific indicators): start, utilmain5292.exe, chrome.exe, chrome.exe (no specs), chrome.exe (no specs), chrome.exe (no specs), powershell.exe (no specs), conhost.exe (no specs), chrome.exe, attrib.exe (no specs), conhost.exe (no specs), schtasks.exe (no specs), conhost.exe (no specs), chrome.exe (no specs), chrome.exe, chrome.exe (no specs), chrome.exe (no specs), chrome.exe (no specs), chrome.exe (no specs), chrome.exe (no specs), slui.exe, chrome.exe, chrome.exe (no specs), chrome.exe, chrome.exe (no specs), chrome.exe (no specs), chrome.exe (no specs), chrome.exe (no specs), chrome.exe (no specs), chrome.exe (no specs), chrome.exe (no specs), cmd.exe (no specs), conhost.exe (no specs), powershell.exe, chrome.exe, cmd.exe (no specs), conhost.exe (no specs), relay4412.exe (no specs), cmd.exe (no specs), conhost.exe (no specs), relay4412.exe (no specs), chrome.exe, cmd.exe (no specs), conhost.exe (no specs), relay4412.exe (no specs), chrome.exe (no specs), chrome.exe (no specs), chrome.exe (no specs), chrome.exe (no specs), chrome.exe (no specs), cmd.exe (no specs), conhost.exe (no specs), relay4412.exe (no specs), cmd.exe (no specs), conhost.exe (no specs), relay4412.exe (no specs), chrome.exe (no specs)

Process information

Fields per process: PID, CMD, Path, Indicators, Parent process
PID: 932
CMD: C:\WINDOWS\system32\cmd.exe /d /s /c ""C:\Users\admin\AppData\Local\UngoogledChromium\IwaKeyDistribution\data\Archive/relay4412.exe" chrome-extension://dnfhghaihiddagngpfpgkikhjmjjckoo/ --parent-window=0" < \\.\pipe\chrome.nativeMessaging.in.65ddd8d34a6a852 > \\.\pipe\chrome.nativeMessaging.out.65ddd8d34a6a852
Path: C:\Windows\System32\cmd.exe
Parent process: chrome.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (Images):
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
PID: 940
CMD: attrib +h +s C:\Users\admin\AppData\Local\UngoogledChromium
Path: C:\Windows\System32\attrib.exe
Parent process: utilmain5292.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Attribute Utility
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (Images):
c:\windows\system32\attrib.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ulib.dll
c:\windows\system32\fsutilext.dll
PID: 968
CMD: "C:\Users\admin\AppData\Local\UngoogledChromium\chrome.exe" --type=renderer --force-high-res-timeticks=disabled --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=3 --enable-main-frame-before-activation --renderer-client-id=5 --metrics-shmem-handle=3224,i,3918318541439701244,7361911112895519813,2097152 --field-trial-handle=2044,i,8564731625977434785,17215022918252921294,262144 --variations-seed-version --trace-process-track-uuid=3190708990997080739 --mojo-platform-channel-handle=3236 /prefetch:1
Path: C:\Users\admin\AppData\Local\UngoogledChromium\chrome.exe
Parent process: chrome.exe
User: admin
Company: The Chromium Authors
Integrity Level: LOW
Description: Chromium
Version: 142.0.7444.162
Modules (Images):
c:\users\admin\appdata\local\ungoogledchromium\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\users\admin\appdata\local\ungoogledchromium\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\shcore.dll
c:\windows\system32\combase.dll
PID: 1264
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: powershell.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (Images):
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 1288
CMD: "C:\Users\admin\AppData\Local\UngoogledChromium\chrome.exe" --type=renderer --noerrdialogs --user-data-dir="C:\Users\admin\AppData\Local\UngoogledChromium\User Data" --extension-process --force-high-res-timeticks=disabled --no-sandbox --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=3 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=1880,i,12541799046429966654,1075478456247001732,262144 --disable-features=PaintHolding --variations-seed-version --trace-process-track-uuid=3190708992871164437 --mojo-platform-channel-handle=3912 /prefetch:2
Path: C:\Users\admin\AppData\Local\UngoogledChromium\chrome.exe
Parent process: chrome.exe
User: admin
Company: The Chromium Authors
Integrity Level: MEDIUM
Description: Chromium
Version: 142.0.7444.162
Modules (Images):
c:\users\admin\appdata\local\ungoogledchromium\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\users\admin\appdata\local\ungoogledchromium\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\shcore.dll
PID: 1928
CMD: "C:\Users\admin\AppData\Local\UngoogledChromium\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-sandbox --noerrdialogs --user-data-dir="C:\Users\admin\AppData\Local\UngoogledChromium\User Data" --force-high-res-timeticks=disabled --field-trial-handle=1880,i,12541799046429966654,1075478456247001732,262144 --disable-features=PaintHolding --variations-seed-version --trace-process-track-uuid=3190708994745248135 --mojo-platform-channel-handle=4900 /prefetch:8
Path: C:\Users\admin\AppData\Local\UngoogledChromium\chrome.exe
Parent process: chrome.exe
User: admin
Company: The Chromium Authors
Integrity Level: MEDIUM
Description: Chromium
Exit code: 0
Version: 142.0.7444.162
Modules (Images):
c:\users\admin\appdata\local\ungoogledchromium\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\users\admin\appdata\local\ungoogledchromium\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\shcore.dll
PID: 1952
CMD: C:\WINDOWS\system32\cmd.exe /d /s /c ""C:\Users\admin\AppData\Local\UngoogledChromium\IwaKeyDistribution\data\Archive/relay4412.exe" chrome-extension://dnfhghaihiddagngpfpgkikhjmjjckoo/ --parent-window=0" < \\.\pipe\chrome.nativeMessaging.in.64a309c541df1345 > \\.\pipe\chrome.nativeMessaging.out.64a309c541df1345
Path: C:\Windows\System32\cmd.exe
Parent process: chrome.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (Images):
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
PID: 2032
CMD: "C:\Users\admin\AppData\Local\UngoogledChromium\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --user-data-dir="C:\Users\admin\AppData\Local\UngoogledChromium\User Data" --force-high-res-timeticks=disabled --metrics-shmem-handle=2328,i,13302570583691561063,10131899058204911591,524288 --field-trial-handle=1988,i,3598181904874279187,12604476423442314881,262144 --disable-features=OptimizationGuideModelDownloading --variations-seed-version --trace-process-track-uuid=3190708990060038890 --mojo-platform-channel-handle=2372 /prefetch:8
Path: C:\Users\admin\AppData\Local\UngoogledChromium\chrome.exe
Parent process: chrome.exe
User: admin
Company: The Chromium Authors
Integrity Level: LOW
Description: Chromium
Exit code: 0
Version: 142.0.7444.162
Modules (Images):
c:\users\admin\appdata\local\ungoogledchromium\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\users\admin\appdata\local\ungoogledchromium\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\shcore.dll
c:\windows\system32\combase.dll
PID: 2192
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: schtasks.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (Images):
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 2272
CMD: "C:\Users\admin\AppData\Local\UngoogledChromium\chrome.exe" --type=renderer --noerrdialogs --user-data-dir="C:\Users\admin\AppData\Local\Temp\HeadlessChromium63721558750" --force-high-res-timeticks=disabled --no-sandbox --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=3 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=1992,i,13598253386911666279,14180151773914260984,262144 --disable-features=PaintHolding --variations-seed-version --trace-process-track-uuid=3190708990997080739 --mojo-platform-channel-handle=1840 /prefetch:1
Path: C:\Users\admin\AppData\Local\UngoogledChromium\chrome.exe
Parent process: chrome.exe
User: admin
Company: The Chromium Authors
Integrity Level: MEDIUM
Description: Chromium
Version: 142.0.7444.162
Modules (Images):
c:\users\admin\appdata\local\ungoogledchromium\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\users\admin\appdata\local\ungoogledchromium\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\shcore.dll
Total events: 28 082
Read events: 27 989
Write events: 84
Delete events: 9

Modification events

(PID) Process: (8132) chrome.exe | Key: HKEY_CURRENT_USER\SOFTWARE\Chromium | Operation: write | Name: UsageStatsInSample | Value: 1
(PID) Process: (8132) chrome.exe | Key: HKEY_CURRENT_USER\SOFTWARE\Chromium | Operation: write | Name: usagestats | Value: 0
(PID) Process: (8132) chrome.exe | Key: HKEY_CURRENT_USER\SOFTWARE\Chromium | Operation: write | Name: metricsid | Value:
(PID) Process: (8132) chrome.exe | Key: HKEY_CURRENT_USER\SOFTWARE\Chromium | Operation: write | Name: metricsid_installdate | Value: 0
(PID) Process: (8132) chrome.exe | Key: HKEY_CURRENT_USER\SOFTWARE\Chromium | Operation: write | Name: metricsid_enableddate | Value: 0
(PID) Process: (8132) chrome.exe | Key: HKEY_CURRENT_USER\SOFTWARE\Chromium\StabilityMetrics | Operation: write | Name: user_experience_metrics.stability.exited_cleanly | Value: 0
(PID) Process: (8132) chrome.exe | Key: HKEY_CURRENT_USER\SOFTWARE\Chromium\PreferenceMACs\Default | Operation: write | Name: schedule_to_flush_to_disk | Value: 0DDC9C1BD53745DE5EC66CDD7046138182D9BB6078DA43BF4E60C00939067E19
(PID) Process: (8132) chrome.exe | Key: HKEY_CURRENT_USER\SOFTWARE\Chromium\PreferenceMACs\Default | Operation: write | Name: extensions.ui.developer_mode | Value: 37B859FC616C47C396331F3FC1D9BA17835B8484F837F55F806FE1C020DD890B
(PID) Process: (8132) chrome.exe | Key: HKEY_CURRENT_USER\SOFTWARE\Chromium\PreferenceMACs\Default | Operation: write | Name: media.cdm.origin_data | Value: 806FC6108C9C6CE5083FBA32142CB9EA8F419AA5546B3C079CA642CC2E1C4650
(PID) Process: (8132) chrome.exe | Key: HKEY_CURRENT_USER\SOFTWARE\Chromium\PreferenceMACs\Default | Operation: write | Name: media.storage_id_salt | Value: CA1DDE54259E5D5EEA618B03652520CE9BAE5BEFA4D30FCED2A117E0A93431A3
Executable files: 23
Suspicious files: 330
Text files: 96
Unknown types: 1

Dropped files

Fields per row: PID | Process | Filename | Type
7332 | utilmain5292.exe | C:\Users\admin\AppData\Local\Temp\UngoogledChromiumDownload\ungoogled-chromium_142.0.7444.162-1.1_windows_x64.zip
MD5:
SHA256:
7332 | utilmain5292.exe | C:\Users\admin\AppData\Local\UngoogledChromium\resources.pak
MD5:
SHA256:
7332 | utilmain5292.exe | C:\Users\admin\AppData\Local\UngoogledChromium\elevated_tracing_service.exe | executable
MD5:3436A3A0B24090FE4F65FC7C7D06AF1C
SHA256:07DFA7CFD9E6C5F6BBBE09F54571A97B796163E8B1D47A23AE74E71D954108EE
7332 | utilmain5292.exe | C:\Users\admin\AppData\Local\UngoogledChromium\chrome_proxy.exe | executable
MD5:D41A841A8515D57363B20BB251DE329C
SHA256:43CA327FD918E92868DD3D27BD0CEED843F9FF5C445BC5892961418C57774B1D
7332 | utilmain5292.exe | C:\Users\admin\AppData\Local\UngoogledChromium\IwaKeyDistribution\iwa-key-distribution.pb | binary
MD5:0A437CD519FCBCA60C17C85B2E050BBB
SHA256:6A08FEFFAB2201C2EF3C3ED9D7C83F2F1C5CE3B190453029697CA9D712F6A1CD
7332 | utilmain5292.exe | C:\Users\admin\AppData\Local\UngoogledChromium\vk_swiftshader_icd.json | binary
MD5:8642DD3A87E2DE6E991FAE08458E302B
SHA256:32D83FF113FEF532A9F97E0D2831F8656628AB1C99E9060F0332B1532839AFD9
7332 | utilmain5292.exe | C:\Users\admin\AppData\Local\UngoogledChromium\elevation_service.exe | executable
MD5:7AF888A67FFAE02EDBA71FC4E2058A36
SHA256:5429328D15072BA5061A3B3C710C3D2F77A65BCDEE6D2B9FDD004A5D67B11E83
7332 | utilmain5292.exe | C:\Users\admin\AppData\Local\UngoogledChromium\notification_helper.exe | executable
MD5:EB58AC60C023F799F98DA41D5254252E
SHA256:D38CCF38C0A55222DB890DE271AB86067348A545FB708D233853901AF8577437
7332 | utilmain5292.exe | C:\Users\admin\AppData\Local\UngoogledChromium\IwaKeyDistribution\manifest.json | binary
MD5:26F5A14B2156F8277C7A02702F05398B
SHA256:25EAF9D40F1715B5EF9E89B9F65DD362CB3891C29ADB95FF03088641EC76DDB6
7332 | utilmain5292.exe | C:\Users\admin\AppData\Local\UngoogledChromium\libEGL.dll | executable
MD5:3187A3A526FDCD4F0CF65F09285EC20A
SHA256:32B903DD3C74F739F4EEDB267283CCC6D4BE80BFEB8F666BF63ADA8EF0AAFE7F
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 9
TCP/UDP connections: 34
DNS requests: 29
Threats: 7

HTTP requests

Fields per row: PID | Process | Method | HTTP Code | IP | URL | CN | Reputation (the Type and Size columns were empty for every row)
6792 | svchost.exe | GET | 200 | 2.20.245.138:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
3292 | svchost.exe | GET | 200 | 184.30.131.245:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | whitelisted
7972 | SIHClient.exe | GET | 200 | 23.3.109.244:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.3.crl | unknown | whitelisted
7972 | SIHClient.exe | GET | 200 | 2.20.245.138:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl | unknown | whitelisted
7972 | SIHClient.exe | GET | 200 | 23.3.109.244:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl | unknown | whitelisted
7972 | SIHClient.exe | GET | 200 | 23.3.109.244:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20Time-Stamp%20PCA%202010(1).crl | unknown | whitelisted
7972 | SIHClient.exe | GET | 200 | 23.3.109.244:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.2.crl | unknown | whitelisted
7972 | SIHClient.exe | GET | 200 | 23.3.109.244:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.2.crl | unknown | whitelisted
7972 | SIHClient.exe | GET | 200 | 23.3.109.244:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.3.crl | unknown | whitelisted

Connections

Fields per row: PID | Process | IP | Domain | ASN | CN | Reputation ("-" marks a cell the report left empty)
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
6792 | svchost.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
5596 | MoUsoCoreWorker.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
6048 | RUXIMICS.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
7088 | SearchApp.exe | 23.11.206.98:443 | www.bing.com | Akamai International B.V. | DE | whitelisted
7332 | utilmain5292.exe | 140.82.121.5:443 | api.github.com | GITHUB | US | whitelisted
7332 | utilmain5292.exe | 140.82.121.4:443 | github.com | GITHUB | US | whitelisted
7332 | utilmain5292.exe | 185.199.111.133:443 | release-assets.githubusercontent.com | FASTLY | US | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
6792 | svchost.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 40.127.240.158
  • 51.124.78.146
  • 4.231.128.59
whitelisted
google.com
  • 142.250.185.142
whitelisted
www.bing.com
  • 23.11.206.98
  • 95.100.158.114
  • 23.11.206.99
  • 23.11.206.96
  • 23.3.89.107
  • 23.11.206.107
  • 95.100.158.122
  • 23.11.206.113
  • 23.3.89.122
whitelisted
api.github.com
  • 140.82.121.5
whitelisted
github.com
  • 140.82.121.4
whitelisted
release-assets.githubusercontent.com
  • 185.199.111.133
  • 185.199.109.133
  • 185.199.110.133
  • 185.199.108.133
whitelisted
crl.microsoft.com
  • 2.20.245.138
  • 2.20.245.137
whitelisted
login.live.com
  • 20.190.159.73
  • 20.190.159.64
  • 20.190.159.130
  • 40.126.31.71
  • 40.126.31.3
  • 40.126.31.129
  • 40.126.31.0
  • 20.190.159.128
whitelisted
ocsp.digicert.com
  • 184.30.131.245
whitelisted
client.wns.windows.com
  • 172.211.123.249
whitelisted

Threats

Fields per row: PID | Process | Class | Message ("-" marks a cell the report left empty)
2276 | svchost.exe | Not Suspicious Traffic | INFO [ANY.RUN] Attempting to access release user assets on GitHub
5308 | chrome.exe | Misc activity | ET INFO External IP Lookup Service in DNS Query (ip-info .ff .avast .com)
5308 | chrome.exe | Misc activity | ET INFO External IP Lookup Service in DNS Query (ip-info .ff .avast .com)
5308 | chrome.exe | Misc activity | ET INFO External IP Lookup Service in DNS Query (ip-info .ff .avast .com)
5308 | chrome.exe | Misc activity | ET INFO Observed External IP Lookup Domain (ip-info .ff .avast .com) in TLS SNI
- | - | Misc activity | INFO [ANY.RUN] USER_AGENTS Suspicious User-Agent (Mozilla/5.0)
- | - | Misc activity | INFO [ANY.RUN] USER_AGENTS Suspicious User-Agent (Mozilla/5.0)
Debug output

Fields per row: Process | Message
chrome.exe | RecursiveDirectoryCreate( C:\Users\admin\AppData\Local\UngoogledChromium directory exists )
chrome.exe | RecursiveDirectoryCreate( C:\Users\admin\AppData\Local\UngoogledChromium\User Data directory exists )
chrome.exe | RecursiveDirectoryCreate( C:\Users\admin\AppData\Local\UngoogledChromium\User Data directory exists )
chrome.exe | RecursiveDirectoryCreate( C:\Users\admin\AppData\Local\Temp\HeadlessChromium63721558750 directory exists )