Windows Analysis Report
oBX1n79NgQ.exe

Overview

General Information

Sample name: oBX1n79NgQ.exe (renamed because the original name is a hash value)
Original sample name: 771a3a3272e20ce119b5090ca974095c0b831f52.exe
Analysis ID: 1447827
MD5: de2e32e7e89454a112c83f0c5a86cc45
SHA1: 771a3a3272e20ce119b5090ca974095c0b831f52
SHA256: 8c3b98d51b59adb5b3d55a704304345930da7ed2d7fd78652bb700b0fc7fd556
Detection

Score: 24
Range: 0 - 100
Whitelisted: false
Confidence: 40%

Compliance

Score: 47
Range: 0 - 100

Signatures

Changes security center settings (notifications, updates, antivirus, firewall)
Drops executables to the windows directory (C:\Windows) and starts them
AV process strings found (often used to terminate AV products)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains capabilities to detect virtual machines
Creates COM task schedule object (often to register a task for autostart)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Deletes files inside the Windows folder
Drops PE files
Drops PE files to the windows directory (C:\Windows)
IP address seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains executable resources (Code or Archives)
PE file contains sections with non-standard names
Queries disk information (often used to detect virtual machines)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Classification

  • System is w10x64_ra
  • oBX1n79NgQ.exe (PID: 7068 cmdline: "C:\Users\user\Desktop\oBX1n79NgQ.exe" MD5: DE2E32E7E89454A112C83F0C5A86CC45)
    • updater.exe (PID: 7128 cmdline: "C:\Windows\SystemTemp\Google7068_1700592644\bin\updater.exe" --install=appguid={8A69D345-D564-463C-AFF1-A69D9E530F96}&iid={8D0CD419-2DAC-C85B-BCFF-DB2D99044B99}&lang=en&browser=5&usagestats=0&appname=Google%20Chrome&needsadmin=prefers&ap=x64-statsdef_1&installdataindex=empty --enable-logging --vmodule=*/components/winhttp/*=1,*/components/update_client/*=2,*/chrome/updater/*=2 MD5: 95222FAEEAB2CEBE9502F2E123D5DD2A)
      • updater.exe (PID: 7148 cmdline: C:\Windows\SystemTemp\Google7068_1700592644\bin\updater.exe --crash-handler --system "--database=C:\Program Files (x86)\Google\GoogleUpdater\126.0.6462.0\Crashpad" --url=https://clients2.google.com/cr/report --annotation=prod=Update4 --annotation=ver=126.0.6462.0 "--attachment=C:\Program Files (x86)\Google\GoogleUpdater\updater.log" --initial-client-data=0x27c,0x280,0x284,0x258,0x288,0x8d965c,0x8d9668,0x8d9674 MD5: 95222FAEEAB2CEBE9502F2E123D5DD2A)
  • updater.exe (PID: 6236 cmdline: "C:\Program Files (x86)\Google\GoogleUpdater\126.0.6462.0\updater.exe" --system --windows-service --service=update-internal MD5: 95222FAEEAB2CEBE9502F2E123D5DD2A)
    • updater.exe (PID: 6360 cmdline: "C:\Program Files (x86)\Google\GoogleUpdater\126.0.6462.0\updater.exe" --crash-handler --system "--database=C:\Program Files (x86)\Google\GoogleUpdater\126.0.6462.0\Crashpad" --url=https://clients2.google.com/cr/report --annotation=prod=Update4 --annotation=ver=126.0.6462.0 "--attachment=C:\Program Files (x86)\Google\GoogleUpdater\updater.log" --initial-client-data=0x288,0x28c,0x290,0x264,0x294,0x114965c,0x1149668,0x1149674 MD5: 95222FAEEAB2CEBE9502F2E123D5DD2A)
  • updater.exe (PID: 4180 cmdline: "C:\Program Files (x86)\Google\GoogleUpdater\126.0.6462.0\updater.exe" --system --windows-service --service=update MD5: 95222FAEEAB2CEBE9502F2E123D5DD2A)
    • updater.exe (PID: 1792 cmdline: "C:\Program Files (x86)\Google\GoogleUpdater\126.0.6462.0\updater.exe" --crash-handler --system "--database=C:\Program Files (x86)\Google\GoogleUpdater\126.0.6462.0\Crashpad" --url=https://clients2.google.com/cr/report --annotation=prod=Update4 --annotation=ver=126.0.6462.0 "--attachment=C:\Program Files (x86)\Google\GoogleUpdater\updater.log" --initial-client-data=0x288,0x28c,0x290,0x264,0x294,0x114965c,0x1149668,0x1149674 MD5: 95222FAEEAB2CEBE9502F2E123D5DD2A)
    • 125.0.6422.113_chrome_installer.exe (PID: 6336 cmdline: "C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping4180_536941199\125.0.6422.113_chrome_installer.exe" --verbose-logging --do-not-launch-chrome --channel=stable --installerdata="C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping4180_536941199\bdefe0a9-9fa1-476d-abba-f730b9c95120.tmp" MD5: 081A95E1BC6A90E22F4ABA75947B111A)
  • svchost.exe (PID: 2084 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • svchost.exe (PID: 6612 cmdline: C:\Windows\System32\svchost.exe -k NetworkService -p MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • SgrmBroker.exe (PID: 6712 cmdline: C:\Windows\system32\SgrmBroker.exe MD5: 3BA1A18A0DC30A0545E7765CB97D8E63)
  • svchost.exe (PID: 6828 cmdline: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • svchost.exe (PID: 6900 cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • svchost.exe (PID: 7124 cmdline: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s wscsvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
    • MpCmdRun.exe (PID: 2756 cmdline: "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable MD5: B3676839B2EE96983F9ED735CD044159)
      • conhost.exe (PID: 1220 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • svchost.exe (PID: 7088 cmdline: C:\Windows\system32\svchost.exe -k UnistackSvcGroup MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • cleanup
No configs have been found
No yara matches
Source: Process started | Author: vburov | Data: Command: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 656, ProcessCommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, ProcessId: 2084, ProcessName: svchost.exe
No Snort rule has matched

Compliance

Source: oBX1n79NgQ.exe | Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: oBX1n79NgQ.exe | Static PE information: certificate valid
Source: oBX1n79NgQ.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Source: Binary string: C:\b\s\w\ir\cache\builder\src\out\Release\updater.exe.pdb source: oBX1n79NgQ.exe, updater.exe.2.dr, GoogleUpdate.exe.4.dr, updater.7z.0.dr
Source: Binary string: C:\b\s\w\ir\cache\builder\src\out\Release\UpdaterSetup.exe.pdb source: oBX1n79NgQ.exe
Source: Binary string: C:\b\s\w\ir\cache\builder\src\out\Release\updater.exe.pdb0 source: oBX1n79NgQ.exe, updater.exe.2.dr, GoogleUpdate.exe.4.dr, updater.7z.0.dr
Source: Binary string: C:\b\s\w\ir\cache\builder\src\out\Release_x64\mini_installer.exe.pdb source: 125.0.6422.113_chrome_installer.exe, 00000013.00000000.2299389431.00007FF64A175000.00000002.00000001.01000000.0000000D.sdmp
Source: Binary string: C:\b\s\w\ir\cache\builder\src\out\Release_x64\mini_installer.exe.pdbp source: 125.0.6422.113_chrome_installer.exe, 00000013.00000000.2299389431.00007FF64A175000.00000002.00000001.01000000.0000000D.sdmp
Source: Binary string: C:\b\s\w\ir\cache\builder\src\out\Release\UpdaterSetup.exe.pdb0 source: oBX1n79NgQ.exe
Source: C:\Windows\SystemTemp\Google7068_1700592644\bin\updater.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Windows\SystemTemp\Google7068_1700592644\bin\updater.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\Windows\SystemTemp\Google7068_1700592644\bin\updater.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Windows\SystemTemp\Google7068_1700592644\bin\updater.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32
Source: C:\Windows\SystemTemp\Google7068_1700592644\bin\updater.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler
Source: C:\Windows\SystemTemp\Google7068_1700592644\bin\updater.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer32
Source: C:\Windows\SystemTemp\Google7068_1700592644\bin\updater.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer
Source: C:\Windows\SystemTemp\Google7068_1700592644\bin\updater.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Elevation
Source: C:\Program Files (x86)\Google\GoogleUpdater\126.0.6462.0\updater.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Program Files (x86)\Google\GoogleUpdater\126.0.6462.0\updater.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\Program Files (x86)\Google\GoogleUpdater\126.0.6462.0\updater.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Program Files (x86)\Google\GoogleUpdater\126.0.6462.0\updater.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32
Source: C:\Program Files (x86)\Google\GoogleUpdater\126.0.6462.0\updater.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler
Source: C:\Program Files (x86)\Google\GoogleUpdater\126.0.6462.0\updater.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer32
Source: C:\Program Files (x86)\Google\GoogleUpdater\126.0.6462.0\updater.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer
Source: C:\Program Files (x86)\Google\GoogleUpdater\126.0.6462.0\updater.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Elevation
Source: Joe Sandbox View | IP Address: 2.19.244.127
Source: svchost.exe, 0000000A.00000003.1366939390.000001DD04A58000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdi?pv=1&r=
Source: svchost.exe, 0000000A.00000002.1367708275.000001DD04A2B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r=
Source: svchost.exe, 0000000A.00000003.1366939390.000001DD04A58000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://t0.ssl.ak.tiles.virtualearth.net/tiles/gen
Source: svchost.exe, 0000000A.00000002.1367885661.000001DD04A59000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000A.00000003.1366939390.000001DD04A58000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://tiles.virtualearth.net/tiles/cmd/StreetSideBubbleMetaData?north=
Source: updater.exe, 00000006.00000002.2586506734.00000000057B3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://update.googleapis.com/
Source: updater.exe, 00000006.00000002.2604609507.000000005EC74000.00000004.00001000.00020000.00000000.sdmp, oBX1n79NgQ.exe, updater.exe.2.dr, GoogleUpdate.exe.4.dr, updater.7z.0.drString found in binary or memory: https://update.googleapis.com/service/update2/json
Source: updater.exe, 00000006.00000002.2605201170.000000005ECB0000.00000004.00001000.00020000.00000000.sdmp, updater.exe, 00000006.00000002.2586506734.00000000057D1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://update.googleapis.com/service/update2/json?cup2key=14:ytON3GIV-mrFgzOBE-t567j1nDscA90wGC-BsN
Source: oBX1n79NgQ.exe, updater.exe.2.dr, GoogleUpdate.exe.4.dr, updater.7z.0.drString found in binary or memory: https://update.googleapis.com/service/update2/jsonhttps://clients2.google.com/cr/reporthttps://m.goo
Source: updater.exe, 00000006.00000002.2586506734.00000000057D1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://update.googleapis.com:443/service/update2/json?cup2key=14:ytON3GIV-mrFgzOBE-t567j1nDscA90wGC
Source: updater.exe, 00000006.00000002.2586506734.0000000005758000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://update.googleapis.com:4430
Source: updater.exe, 00000006.00000003.1182984504.000000005F2A4000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/dl/release2/chrome/acjptviylg6r2k4fyfeeegku2wya_125.0.6422.113/
Source: updater.exe, 00000006.00000002.2605201170.000000005ECB0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/dl/release2/chrome/acjptviylg6r2k4fyfeeegku2wya_125.0.6422.113/-8a69d345-d564
Source: C:\Users\user\Desktop\oBX1n79NgQ.exe | File created: C:\Windows\SystemTemp\Google7068_17454511
Source: C:\Users\user\Desktop\oBX1n79NgQ.exe | File created: C:\Windows\SystemTemp\Google7068_17454511\UPDATER.PACKED.7Z
Source: C:\Users\user\Desktop\oBX1n79NgQ.exe | File created: C:\Windows\SystemTemp\Google7068_1700592644
Source: C:\Users\user\Desktop\oBX1n79NgQ.exe | File created: C:\Windows\SystemTemp\Google7068_1700592644\updater.7z
Source: C:\Users\user\Desktop\oBX1n79NgQ.exe | File created: C:\Windows\SystemTemp\Google7068_1700592644\bin
Source: C:\Users\user\Desktop\oBX1n79NgQ.exe | File created: C:\Windows\SystemTemp\Google7068_1700592644\bin\uninstall.cmd
Source: C:\Users\user\Desktop\oBX1n79NgQ.exe | File created: C:\Windows\SystemTemp\Google7068_1700592644\bin\updater.exe
Source: C:\Program Files (x86)\Google\GoogleUpdater\126.0.6462.0\updater.exe | File created: C:\Windows\SystemTemp\Google6236_1569822741
Source: C:\Program Files (x86)\Google\GoogleUpdater\126.0.6462.0\updater.exe | File created: C:\Windows\SystemTemp\chrome_url_fetcher_4180_326256764
Source: C:\Program Files (x86)\Google\GoogleUpdater\126.0.6462.0\updater.exe | File created: C:\Windows\SystemTemp\chrome_url_fetcher_4180_782093461
Source: C:\Program Files (x86)\Google\GoogleUpdater\126.0.6462.0\updater.exe | File created: C:\Windows\SystemTemp\chrome_url_fetcher_4180_2047592324
Source: C:\Program Files (x86)\Google\GoogleUpdater\126.0.6462.0\updater.exe | File created: C:\Windows\SystemTemp\chrome_url_fetcher_4180_2047592324\-8a69d345-d564-463c-aff1-a69d9e530f96-_125.0.6422.113_all_aogspox4cotu6xggqyym7s5hye.crx3
Source: C:\Program Files (x86)\Google\GoogleUpdater\126.0.6462.0\updater.exe | File created: C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping4180_536941199
Source: C:\Program Files (x86)\Google\GoogleUpdater\126.0.6462.0\updater.exe | File created: C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping4180_536941199\125.0.6422.113_chrome_installer.exe
Source: C:\Program Files (x86)\Google\GoogleUpdater\126.0.6462.0\updater.exe | File created: C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping4180_536941199\manifest.json
Source: C:\Program Files (x86)\Google\GoogleUpdater\126.0.6462.0\updater.exe | File created: C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping4180_536941199\_metadata\
Source: C:\Program Files (x86)\Google\GoogleUpdater\126.0.6462.0\updater.exe | File created: C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping4180_536941199\_metadata\verified_contents.json
Source: C:\Program Files (x86)\Google\GoogleUpdater\126.0.6462.0\updater.exe | File created: C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping4180_536941199\manifest.fingerprint
Source: C:\Program Files (x86)\Google\GoogleUpdater\126.0.6462.0\updater.exe | File created: C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping4180_536941199\bdefe0a9-9fa1-476d-abba-f730b9c95120.tmp
Source: C:\Windows\System32\svchost.exe | File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp
Source: C:\Users\user\Desktop\oBX1n79NgQ.exe | File deleted: C:\Windows\SystemTemp\Google7068_1700592644\updater.7z
Source: oBX1n79NgQ.exe | Static PE information: Resource name: B7 type: 7-zip archive data, version 0.4
Source: 125.0.6422.113_chrome_installer.exe.6.dr | Static PE information: Resource name: B7 type: 7-zip archive data, version 0.4
Source: 125.0.6422.113_chrome_installer.exe.6.dr | Static PE information: Resource name: BL type: Microsoft Cabinet archive data, Windows 2000/XP setup, 1480068 bytes, 1 file, at 0x2c +A "setup.exe", number 1, 130 datablocks, 0x1203 compression
Source: oBX1n79NgQ.exe, 00000000.00000000.1132671230.0000000000B90000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameupdater.exeH vs oBX1n79NgQ.exe
Source: oBX1n79NgQ.exe | Binary or memory string: OriginalFilenameupdater.exeH vs oBX1n79NgQ.exe
Source: oBX1n79NgQ.exe | Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: classification engine | Classification label: sus24.evad.winEXE@22/32@0/4
Source: C:\Users\user\Desktop\oBX1n79NgQ.exe | File created: C:\Program Files (x86)\Google\GoogleUpdater
Source: C:\Windows\SystemTemp\Google7068_1700592644\bin\updater.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\AN5UOLP8\{8a69d345-d564-463c-aff1-a69d9e530f96}[1].bmp
Source: C:\Windows\SystemTemp\Google7068_1700592644\bin\updater.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\G{D8E4A6FE-EA7A-4D20-A8C8-B4628776A101}
Source: C:\Program Files (x86)\Google\GoogleUpdater\126.0.6462.0\updater.exe | Mutant created: \BaseNamedObjects\Global\G{D8E4A6FE-EA7A-4D20-A8C8-B4628776A101}
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:1220:120:WilError_03
Source: C:\Windows\SystemTemp\Google7068_1700592644\bin\updater.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\G{A5732CF5-E5AD-47A5-8131-DC4CCA530B02}.126.0.6462.0
Source: C:\Windows\SystemTemp\Google7068_1700592644\bin\updater.exe | File created: C:\Users\user\AppData\Local\Temp\updater-backup
Source: oBX1n79NgQ.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\oBX1n79NgQ.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: oBX1n79NgQ.exe | String found in binary or memory: https://dl.google.com/update2/installers/icons/
Source: oBX1n79NgQ.exe | String found in binary or memory: byteshttps://update.googleapis.com/service/update2/jsonhttps://clients2.google.com/cr/reporthttps://m.google.com/devicemanagement/data/apihttps://dl.google.com/update2/installers/icons/1:356l7w0
Source: oBX1n79NgQ.exe | String found in binary or memory: overflow:hidden;img src="http://addEventListenerresponsible for s.js"></script>
Source: oBX1n79NgQ.exe | String found in binary or memory: http://support.google.com/installer/
Source: oBX1n79NgQ.exe | String found in binary or memory: ..\..\chrome\updater\app\app_install_win.ccUpdate success.No updates.Updater error: http://support.google.com/installer/%s?product=%s&error=%d installation completed: error category[], error_code[], extra_code1[], completion_message[], post_install_launch_command_line[]SetOemInstallState failedStoreRunTimeEnrollmentToken failed
Source: oBX1n79NgQ.exe | String found in binary or memory: Try '%ls --help' for more information.
Source: oBX1n79NgQ.exe | String found in binary or memory: --help display this help and exit
Source: oBX1n79NgQ.exe | String found in binary or memory: asennuksen: $1oError sa pag-install: Nag-apply ang administrator ng network mo ng Group Policy na pumipigil sa pag-install: $1
Source: oBX1n79NgQ.exe | String found in binary or memory: Tapos na ang pag-install.
Source: oBX1n79NgQ.exe | String found in binary or memory: Kanselahin ang Pag-install
Source: oBX1n79NgQ.exe | String found in binary or memory: Error sa pag-install: $1
Source: oBX1n79NgQ.exe | String found in binary or memory: isvaatimuksia.fHindi na-install dahil hindi natutugunan ng iyong computer ang mga minimum na requirement sa hardware.mL'installation a
Source: oBX1n79NgQ.exe | String found in binary or memory: Inihinto ang Pag-install.
Source: oBX1n79NgQ.exe | String found in binary or memory: $1-installeerder
Source: oBX1n79NgQ.exe | String found in binary or memory: $1-Installationsprogramm
Source: oBX1n79NgQ.exe | String found in binary or memory: $1-installatieprogramma
Source: oBX1n79NgQ.exe | String found in binary or memory: $1-installasjonsprogram
Source: oBX1n79NgQ.exe | String found in binary or memory: .:Asennusvirhe: Asennusprosessin aloittaminen ei onnistunut.?Error sa pag-install: Hindi nagsimula ang proseso ng installer.GErreur d'installation
Source: oBX1n79NgQ.exe | String found in binary or memory: .LAsennusvirhe: Asennusohjelmaa ei suoritettu loppuun. Asennus on keskeytetty.LError sa pag-install: Hindi natapos ang installer. Na-abort ang pag-install.tErreur d'installation
Source: oBX1n79NgQ.exe | String found in binary or memory: Ini-install...
Source: oBX1n79NgQ.exe | String found in binary or memory: 3Asennus ei ole valmis. Haluatko varmasti perua sen?IHindi nakumpleto ang pag-install. Sigurado ka bang gusto mong kanselahin?9Installation non termin
Source: oBX1n79NgQ.exe | String found in binary or memory: uudelleen.#Hindi na-install. Pakisubukan ulit.,
Source: oBX1n79NgQ.exe | String found in binary or memory: isen virheen takia.FHindi na-install dahil sa isang internal na error sa server ng update.Q
Source: oBX1n79NgQ.exe | String found in binary or memory: ei tueta.OError sa pag-install: Invalid o hindi sinusuportahan ang filename ng installer.fErreur d'installation
Source: oBX1n79NgQ.exe | String found in binary or memory: ivityspalvelimella ei ole tiivistedataa sovelluksesta.\Hindi na-install dahil walang anumang data ng hash para sa application ang server ng update.p
Source: oBX1n79NgQ.exe | String found in binary or memory: n versiota ei tueta.QHindi na-install dahil hindi sinusuportahan ang bersyong ito ng operating system.ZL'installation a
Source: oBX1n79NgQ.exe | String found in binary or memory: maassa.AHindi na-install dahil pinaghihigpitan ang access sa bansang ito.=L'installation a
Source: oBX1n79NgQ.exe | String found in binary or memory: Ituloy ang Pag-install
Source: oBX1n79NgQ.exe | String found in binary or memory: n.\Salamat sa pag-install. Dapat mong i-restart ang lahat ng iyong browser bago gamitin ang $1.eMerci d'avoir install
Source: oBX1n79NgQ.exe | String found in binary or memory: n.SSalamat sa pag-install. Dapat mong i-restart ang iyong browser bago gamitin ang $1.aMerci d'avoir install
Source: oBX1n79NgQ.exe | String found in binary or memory: n.TSalamat sa pag-install. Dapat mong i-restart ang iyong computer bago gamitin ang $1.aMerci d'avoir install
Source: oBX1n79NgQ.exe | String found in binary or memory: .4Asennus ei onnistu, palvelin ei tunnista sovellusta.9Hindi na-install, hindi kilala ng server ang application.=Installation impossible. Le serveur ne reconna
Source: oBX1n79NgQ.exe | String found in binary or memory: onnistui, koska protokollaa ei tueta.BHindi na-install dahil sa error na hindi sinusuportahang protocol.K
Source: oBX1n79NgQ.exe | String found in binary or memory: Naghihintay sa pag-install...
Source: oBX1n79NgQ.exe | String found in binary or memory: $1-InstallationsprogrammPA
Source: oBX1n79NgQ.exe | String found in binary or memory: Ini-install...PA
Source: oBX1n79NgQ.exe | String found in binary or memory: ivityspalvelimella ei ole tiivistedataa sovelluksesta.\Hindi na-install dahil walang anumang data ng hash para sa application ang server ng update.PAp
Source: unknown | Process created: C:\Users\user\Desktop\oBX1n79NgQ.exe "C:\Users\user\Desktop\oBX1n79NgQ.exe"
Source: C:\Users\user\Desktop\oBX1n79NgQ.exe | Process created: C:\Windows\SystemTemp\Google7068_1700592644\bin\updater.exe "C:\Windows\SystemTemp\Google7068_1700592644\bin\updater.exe" --install=appguid={8A69D345-D564-463C-AFF1-A69D9E530F96}&iid={8D0CD419-2DAC-C85B-BCFF-DB2D99044B99}&lang=en&browser=5&usagestats=0&appname=Google%20Chrome&needsadmin=prefers&ap=x64-statsdef_1&installdataindex=empty --enable-logging --vmodule=*/components/winhttp/*=1,*/components/update_client/*=2,*/chrome/updater/*=2
Source: C:\Windows\SystemTemp\Google7068_1700592644\bin\updater.exe | Process created: C:\Windows\SystemTemp\Google7068_1700592644\bin\updater.exe C:\Windows\SystemTemp\Google7068_1700592644\bin\updater.exe --crash-handler --system "--database=C:\Program Files (x86)\Google\GoogleUpdater\126.0.6462.0\Crashpad" --url=https://clients2.google.com/cr/report --annotation=prod=Update4 --annotation=ver=126.0.6462.0 "--attachment=C:\Program Files (x86)\Google\GoogleUpdater\updater.log" --initial-client-data=0x27c,0x280,0x284,0x258,0x288,0x8d965c,0x8d9668,0x8d9674
Source: unknown | Process created: C:\Program Files (x86)\Google\GoogleUpdater\126.0.6462.0\updater.exe "C:\Program Files (x86)\Google\GoogleUpdater\126.0.6462.0\updater.exe" --system --windows-service --service=update-internal
Source: C:\Program Files (x86)\Google\GoogleUpdater\126.0.6462.0\updater.exe | Process created: C:\Program Files (x86)\Google\GoogleUpdater\126.0.6462.0\updater.exe "C:\Program Files (x86)\Google\GoogleUpdater\126.0.6462.0\updater.exe" --crash-handler --system "--database=C:\Program Files (x86)\Google\GoogleUpdater\126.0.6462.0\Crashpad" --url=https://clients2.google.com/cr/report --annotation=prod=Update4 --annotation=ver=126.0.6462.0 "--attachment=C:\Program Files (x86)\Google\GoogleUpdater\updater.log" --initial-client-data=0x288,0x28c,0x290,0x264,0x294,0x114965c,0x1149668,0x1149674
Source: unknown | Process created: C:\Program Files (x86)\Google\GoogleUpdater\126.0.6462.0\updater.exe "C:\Program Files (x86)\Google\GoogleUpdater\126.0.6462.0\updater.exe" --system --windows-service --service=update
Source: C:\Program Files (x86)\Google\GoogleUpdater\126.0.6462.0\updater.exe | Process created: C:\Program Files (x86)\Google\GoogleUpdater\126.0.6462.0\updater.exe "C:\Program Files (x86)\Google\GoogleUpdater\126.0.6462.0\updater.exe" --crash-handler --system "--database=C:\Program Files (x86)\Google\GoogleUpdater\126.0.6462.0\Crashpad" --url=https://clients2.google.com/cr/report --annotation=prod=Update4 --annotation=ver=126.0.6462.0 "--attachment=C:\Program Files (x86)\Google\GoogleUpdater\updater.log" --initial-client-data=0x288,0x28c,0x290,0x264,0x294,0x114965c,0x1149668,0x1149674
Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k NetworkService -p
Source: unknown | Process created: C:\Windows\System32\SgrmBroker.exe C:\Windows\system32\SgrmBroker.exe
Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc
Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s wscsvc
Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k UnistackSvcGroup
Source: C:\Windows\System32\svchost.exe | Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable
Source: C:\Program Files\Windows Defender\MpCmdRun.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files (x86)\Google\GoogleUpdater\126.0.6462.0\updater.exe | Process created: C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping4180_536941199\125.0.6422.113_chrome_installer.exe "C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping4180_536941199\125.0.6422.113_chrome_installer.exe" --verbose-logging --do-not-launch-chrome --channel=stable --installerdata="C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping4180_536941199\bdefe0a9-9fa1-476d-abba-f730b9c95120.tmp"
Source: C:\Users\user\Desktop\oBX1n79NgQ.exe | Process created: C:\Windows\SystemTemp\Google7068_1700592644\bin\updater.exe "C:\Windows\SystemTemp\Google7068_1700592644\bin\updater.exe" --install=appguid={8A69D345-D564-463C-AFF1-A69D9E530F96}&iid={8D0CD419-2DAC-C85B-BCFF-DB2D99044B99}&lang=en&browser=5&usagestats=0&appname=Google%20Chrome&needsadmin=prefers&ap=x64-statsdef_1&installdataindex=empty --enable-logging --vmodule=*/components/winhttp/*=1,*/components/update_client/*=2,*/chrome/updater/*=2
Source: C:\Windows\SystemTemp\Google7068_1700592644\bin\updater.exe | Process created: C:\Windows\SystemTemp\Google7068_1700592644\bin\updater.exe C:\Windows\SystemTemp\Google7068_1700592644\bin\updater.exe --crash-handler --system "--database=C:\Program Files (x86)\Google\GoogleUpdater\126.0.6462.0\Crashpad" --url=https://clients2.google.com/cr/report --annotation=prod=Update4 --annotation=ver=126.0.6462.0 "--attachment=C:\Program Files (x86)\Google\GoogleUpdater\updater.log" --initial-client-data=0x27c,0x280,0x284,0x258,0x288,0x8d965c,0x8d9668,0x8d9674
Source: C:\Program Files (x86)\Google\GoogleUpdater\126.0.6462.0\updater.exe | Process created: C:\Program Files (x86)\Google\GoogleUpdater\126.0.6462.0\updater.exe "C:\Program Files (x86)\Google\GoogleUpdater\126.0.6462.0\updater.exe" --crash-handler --system "--database=C:\Program Files (x86)\Google\GoogleUpdater\126.0.6462.0\Crashpad" --url=https://clients2.google.com/cr/report --annotation=prod=Update4 --annotation=ver=126.0.6462.0 "--attachment=C:\Program Files (x86)\Google\GoogleUpdater\updater.log" --initial-client-data=0x288,0x28c,0x290,0x264,0x294,0x114965c,0x1149668,0x1149674
Source: C:\Program Files (x86)\Google\GoogleUpdater\126.0.6462.0\updater.exe | Process created: C:\Program Files (x86)\Google\GoogleUpdater\126.0.6462.0\updater.exe "C:\Program Files (x86)\Google\GoogleUpdater\126.0.6462.0\updater.exe" --crash-handler --system "--database=C:\Program Files (x86)\Google\GoogleUpdater\126.0.6462.0\Crashpad" --url=https://clients2.google.com/cr/report --annotation=prod=Update4 --annotation=ver=126.0.6462.0 "--attachment=C:\Program Files (x86)\Google\GoogleUpdater\updater.log" --initial-client-data=0x288,0x28c,0x290,0x264,0x294,0x114965c,0x1149668,0x1149674
Source: C:\Windows\System32\svchost.exe | Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable
Source: C:\Users\user\Desktop\oBX1n79NgQ.exe | Section loaded: dbghelp.dll
Source: C:\Users\user\Desktop\oBX1n79NgQ.exe | Section loaded: secur32.dll
Source: C:\Users\user\Desktop\oBX1n79NgQ.exe | Section loaded: wtsapi32.dll
Source: C:\Users\user\Desktop\oBX1n79NgQ.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\oBX1n79NgQ.exe | Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\oBX1n79NgQ.exe | Section loaded: winmm.dll
Source: C:\Users\user\Desktop\oBX1n79NgQ.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\oBX1n79NgQ.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\oBX1n79NgQ.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\oBX1n79NgQ.exe | Section loaded: apphelp.dll
Source: C:\Windows\SystemTemp\Google7068_1700592644\bin\updater.exe | Section loaded: dbghelp.dll
Source: C:\Windows\SystemTemp\Google7068_1700592644\bin\updater.exe | Section loaded: msimg32.dll
Source: C:\Windows\SystemTemp\Google7068_1700592644\bin\updater.exe | Section loaded: secur32.dll
Source: C:\Windows\SystemTemp\Google7068_1700592644\bin\updater.exe | Section loaded: wtsapi32.dll
Source: C:\Windows\SystemTemp\Google7068_1700592644\bin\updater.exe | Section loaded: userenv.dll
Source: C:\Windows\SystemTemp\Google7068_1700592644\bin\updater.exe | Section loaded: winhttp.dll
Source: C:\Windows\SystemTemp\Google7068_1700592644\bin\updater.exe | Section loaded: uxtheme.dll
Source: C:\Windows\SystemTemp\Google7068_1700592644\bin\updater.exe | Section loaded: winmm.dll
Source: C:\Windows\SystemTemp\Google7068_1700592644\bin\updater.exe | Section loaded: version.dll
Source: C:\Windows\SystemTemp\Google7068_1700592644\bin\updater.exe | Section loaded: sspicli.dll
Source: C:\Windows\SystemTemp\Google7068_1700592644\bin\updater.exe | Section loaded: windows.storage.dll
Source: C:\Windows\SystemTemp\Google7068_1700592644\bin\updater.exe | Section loaded: wldp.dll
Source: C:\Windows\SystemTemp\Google7068_1700592644\bin\updater.exe | Section loaded: ntmarta.dll
Source: C:\Windows\SystemTemp\Google7068_1700592644\bin\updater.exe | Section loaded: apphelp.dll
Source: C:\Windows\SystemTemp\Google7068_1700592644\bin\updater.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SystemTemp\Google7068_1700592644\bin\updater.exe | Section loaded: atlthunk.dll
Source: C:\Windows\SystemTemp\Google7068_1700592644\bin\updater.exe | Section loaded: textinputframework.dll
Source: C:\Windows\SystemTemp\Google7068_1700592644\bin\updater.exe | Section loaded: coreuicomponents.dll
Source: C:\Windows\SystemTemp\Google7068_1700592644\bin\updater.exe | Section loaded: coremessaging.dll
Source: C:\Windows\SystemTemp\Google7068_1700592644\bin\updater.exe | Section loaded: wintypes.dll
Source: C:\Windows\SystemTemp\Google7068_1700592644\bin\updater.exe | Section loaded: textshaping.dll
Source: C:\Windows\SystemTemp\Google7068_1700592644\bin\updater.exe | Section loaded: taskschd.dll
Source: C:\Windows\SystemTemp\Google7068_1700592644\bin\updater.exe | Section loaded: xmllite.dll
Source: C:\Windows\SystemTemp\Google7068_1700592644\bin\updater.exe | Section loaded: sxs.dll
Source: C:\Windows\SystemTemp\Google7068_1700592644\bin\updater.exe | Section loaded: urlmon.dll
Source: C:\Windows\SystemTemp\Google7068_1700592644\bin\updater.exe | Section loaded: iertutil.dll
Source: C:\Windows\SystemTemp\Google7068_1700592644\bin\updater.exe | Section loaded: srvcli.dll
Source: C:\Windows\SystemTemp\Google7068_1700592644\bin\updater.exe | Section loaded: netutils.dll
Source: C:\Windows\SystemTemp\Google7068_1700592644\bin\updater.exe | Section loaded: asycfilt.dll
Source: C:\Windows\SystemTemp\Google7068_1700592644\bin\updater.exe | Section loaded: wininet.dll
Source: C:\Windows\SystemTemp\Google7068_1700592644\bin\updater.exe | Section loaded: profapi.dll
Source: C:\Windows\SystemTemp\Google7068_1700592644\bin\updater.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\SystemTemp\Google7068_1700592644\bin\updater.exe | Section loaded: mswsock.dll
Source: C:\Windows\SystemTemp\Google7068_1700592644\bin\updater.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\SystemTemp\Google7068_1700592644\bin\updater.exe | Section loaded: winnsi.dll
Source: C:\Windows\SystemTemp\Google7068_1700592644\bin\updater.exe | Section loaded: dnsapi.dll
Source: C:\Windows\SystemTemp\Google7068_1700592644\bin\updater.exe | Section loaded: rasadhlp.dll
Source: C:\Windows\SystemTemp\Google7068_1700592644\bin\updater.exe | Section loaded: fwpuclnt.dll
Source: C:\Windows\SystemTemp\Google7068_1700592644\bin\updater.exe | Section loaded: schannel.dll
Source: C:\Windows\SystemTemp\Google7068_1700592644\bin\updater.exe | Section loaded: mskeyprotect.dll
Source: C:\Windows\SystemTemp\Google7068_1700592644\bin\updater.exe | Section loaded: ntasn1.dll
Source: C:\Windows\SystemTemp\Google7068_1700592644\bin\updater.exe | Section loaded: msasn1.dll
Source: C:\Windows\SystemTemp\Google7068_1700592644\bin\updater.exe | Section loaded: dpapi.dll
Source: C:\Windows\SystemTemp\Google7068_1700592644\bin\updater.exe | Section loaded: cryptsp.dll
Source: C:\Windows\SystemTemp\Google7068_1700592644\bin\updater.exe | Section loaded: rsaenh.dll
Source: C:\Windows\SystemTemp\Google7068_1700592644\bin\updater.exe | Section loaded: cryptbase.dll
Source: C:\Windows\SystemTemp\Google7068_1700592644\bin\updater.exe | Section loaded: gpapi.dll
Source: C:\Windows\SystemTemp\Google7068_1700592644\bin\updater.exe | Section loaded: ncrypt.dll
Source: C:\Windows\SystemTemp\Google7068_1700592644\bin\updater.exe | Section loaded: ncryptsslp.dll
Source: C:\Windows\SystemTemp\Google7068_1700592644\bin\updater.exe | Section loaded: dbghelp.dll
Source: C:\Windows\SystemTemp\Google7068_1700592644\bin\updater.exe | Section loaded: msimg32.dll
Source: C:\Windows\SystemTemp\Google7068_1700592644\bin\updater.exe | Section loaded: secur32.dll
Source: C:\Windows\SystemTemp\Google7068_1700592644\bin\updater.exe | Section loaded: wtsapi32.dll
Source: C:\Windows\SystemTemp\Google7068_1700592644\bin\updater.exe | Section loaded: userenv.dll
Source: C:\Windows\SystemTemp\Google7068_1700592644\bin\updater.exe | Section loaded: winhttp.dll
Source: C:\Windows\SystemTemp\Google7068_1700592644\bin\updater.exe | Section loaded: uxtheme.dll
Source: C:\Windows\SystemTemp\Google7068_1700592644\bin\updater.exe | Section loaded: winmm.dll
Source: C:\Windows\SystemTemp\Google7068_1700592644\bin\updater.exe | Section loaded: version.dll
Source: C:\Windows\SystemTemp\Google7068_1700592644\bin\updater.exe | Section loaded: sspicli.dll
Source: C:\Windows\SystemTemp\Google7068_1700592644\bin\updater.exe | Section loaded: windows.storage.dll
Source: C:\Windows\SystemTemp\Google7068_1700592644\bin\updater.exe | Section loaded: wldp.dll
Source: C:\Program Files (x86)\Google\GoogleUpdater\126.0.6462.0\updater.exe | Section loaded: dbghelp.dll
Source: C:\Program Files (x86)\Google\GoogleUpdater\126.0.6462.0\updater.exe | Section loaded: msimg32.dll
Source: C:\Program Files (x86)\Google\GoogleUpdater\126.0.6462.0\updater.exe | Section loaded: secur32.dll
Source: C:\Program Files (x86)\Google\GoogleUpdater\126.0.6462.0\updater.exe | Section loaded: wtsapi32.dll
Source: C:\Program Files (x86)\Google\GoogleUpdater\126.0.6462.0\updater.exe | Section loaded: userenv.dll
Source: C:\Program Files (x86)\Google\GoogleUpdater\126.0.6462.0\updater.exe | Section loaded: winhttp.dll
Source: C:\Program Files (x86)\Google\GoogleUpdater\126.0.6462.0\updater.exe | Section loaded: uxtheme.dll
Source: C:\Program Files (x86)\Google\GoogleUpdater\126.0.6462.0\updater.exe | Section loaded: winmm.dll
Source: C:\Program Files (x86)\Google\GoogleUpdater\126.0.6462.0\updater.exe | Section loaded: version.dll
Source: C:\Program Files (x86)\Google\GoogleUpdater\126.0.6462.0\updater.exe | Section loaded: sspicli.dll
Source: C:\Program Files (x86)\Google\GoogleUpdater\126.0.6462.0\updater.exe | Section loaded: windows.storage.dll
Source: C:\Program Files (x86)\Google\GoogleUpdater\126.0.6462.0\updater.exe | Section loaded: wldp.dll
Source: C:\Program Files (x86)\Google\GoogleUpdater\126.0.6462.0\updater.exe | Section loaded: ntmarta.dll
Source: C:\Program Files (x86)\Google\GoogleUpdater\126.0.6462.0\updater.exe | Section loaded: apphelp.dll
Source: C:\Program Files (x86)\Google\GoogleUpdater\126.0.6462.0\updater.exe | Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\Google\GoogleUpdater\126.0.6462.0\updater.exe | Section loaded: taskschd.dll
Source: C:\Program Files (x86)\Google\GoogleUpdater\126.0.6462.0\updater.exe | Section loaded: sxs.dll
Source: C:\Program Files (x86)\Google\GoogleUpdater\126.0.6462.0\updater.exe | Section loaded: dbghelp.dll
Source: C:\Program Files (x86)\Google\GoogleUpdater\126.0.6462.0\updater.exe | Section loaded: msimg32.dll
Source: C:\Program Files (x86)\Google\GoogleUpdater\126.0.6462.0\updater.exe | Section loaded: secur32.dll
Source: C:\Program Files (x86)\Google\GoogleUpdater\126.0.6462.0\updater.exe | Section loaded: wtsapi32.dll
Source: C:\Program Files (x86)\Google\GoogleUpdater\126.0.6462.0\updater.exe | Section loaded: userenv.dll
Source: C:\Program Files (x86)\Google\GoogleUpdater\126.0.6462.0\updater.exe | Section loaded: winhttp.dll
Source: C:\Program Files (x86)\Google\GoogleUpdater\126.0.6462.0\updater.exe | Section loaded: uxtheme.dll
Source: C:\Program Files (x86)\Google\GoogleUpdater\126.0.6462.0\updater.exe | Section loaded: winmm.dll
Source: C:\Program Files (x86)\Google\GoogleUpdater\126.0.6462.0\updater.exeSection loaded: version.dllJump to behavior
Source: C:\Program Files (x86)\Google\GoogleUpdater\126.0.6462.0\updater.exeSection loaded: sspicli.dllJump to behavior
Source: C:\Program Files (x86)\Google\GoogleUpdater\126.0.6462.0\updater.exeSection loaded: windows.storage.dllJump to behavior
Source: C:\Program Files (x86)\Google\GoogleUpdater\126.0.6462.0\updater.exeSection loaded: wldp.dllJump to behavior
Source: C:\Program Files (x86)\Google\GoogleUpdater\126.0.6462.0\updater.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Program Files (x86)\Google\GoogleUpdater\126.0.6462.0\updater.exeSection loaded: dbghelp.dllJump to behavior
Source: C:\Program Files (x86)\Google\GoogleUpdater\126.0.6462.0\updater.exeSection loaded: msimg32.dllJump to behavior
Source: C:\Program Files (x86)\Google\GoogleUpdater\126.0.6462.0\updater.exeSection loaded: secur32.dllJump to behavior
Source: C:\Program Files (x86)\Google\GoogleUpdater\126.0.6462.0\updater.exeSection loaded: wtsapi32.dllJump to behavior
Source: C:\Program Files (x86)\Google\GoogleUpdater\126.0.6462.0\updater.exeSection loaded: userenv.dllJump to behavior
Source: C:\Program Files (x86)\Google\GoogleUpdater\126.0.6462.0\updater.exeSection loaded: winhttp.dllJump to behavior
Source: C:\Program Files (x86)\Google\GoogleUpdater\126.0.6462.0\updater.exeSection loaded: uxtheme.dllJump to behavior
Source: C:\Program Files (x86)\Google\GoogleUpdater\126.0.6462.0\updater.exeSection loaded: winmm.dllJump to behavior
Source: C:\Program Files (x86)\Google\GoogleUpdater\126.0.6462.0\updater.exeSection loaded: version.dllJump to behavior
Source: C:\Program Files (x86)\Google\GoogleUpdater\126.0.6462.0\updater.exeSection loaded: sspicli.dllJump to behavior
Source: C:\Program Files (x86)\Google\GoogleUpdater\126.0.6462.0\updater.exeSection loaded: windows.storage.dllJump to behavior
Source: C:\Program Files (x86)\Google\GoogleUpdater\126.0.6462.0\updater.exeSection loaded: wldp.dllJump to behavior
Source: C:\Program Files (x86)\Google\GoogleUpdater\126.0.6462.0\updater.exeSection loaded: ntmarta.dllJump to behavior
Source: C:\Program Files (x86)\Google\GoogleUpdater\126.0.6462.0\updater.exeSection loaded: apphelp.dllJump to behavior
Source: C:\Program Files (x86)\Google\GoogleUpdater\126.0.6462.0\updater.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Program Files (x86)\Google\GoogleUpdater\126.0.6462.0\updater.exeSection loaded: wkscli.dllJump to behavior
Source: C:\Program Files (x86)\Google\GoogleUpdater\126.0.6462.0\updater.exeSection loaded: netutils.dllJump to behavior
Source: C:\Program Files (x86)\Google\GoogleUpdater\126.0.6462.0\updater.exeSection loaded: mdmregistration.dllJump to behavior
Source: C:\Program Files (x86)\Google\GoogleUpdater\126.0.6462.0\updater.exeSection loaded: mdmregistration.dllJump to behavior
Source: C:\Program Files (x86)\Google\GoogleUpdater\126.0.6462.0\updater.exeSection loaded: msvcp110_win.dllJump to behavior
Source: C:\Program Files (x86)\Google\GoogleUpdater\126.0.6462.0\updater.exeSection loaded: omadmapi.dllJump to behavior
Source: C:\Program Files (x86)\Google\GoogleUpdater\126.0.6462.0\updater.exeSection loaded: powrprof.dllJump to behavior
Source: C:\Program Files (x86)\Google\GoogleUpdater\126.0.6462.0\updater.exeSection loaded: cryptsp.dllJump to behavior
Source: C:\Program Files (x86)\Google\GoogleUpdater\126.0.6462.0\updater.exeSection loaded: dmcmnutils.dllJump to behavior
Source: C:\Program Files (x86)\Google\GoogleUpdater\126.0.6462.0\updater.exeSection loaded: iri.dllJump to behavior
Source: C:\Program Files (x86)\Google\GoogleUpdater\126.0.6462.0\updater.exeSection loaded: umpdc.dllJump to behavior
Source: C:\Program Files (x86)\Google\GoogleUpdater\126.0.6462.0\updater.exeSection loaded: msasn1.dllJump to behavior
Source: C:\Program Files (x86)\Google\GoogleUpdater\126.0.6462.0\updater.exeSection loaded: netapi32.dllJump to behavior
Source: C:\Program Files (x86)\Google\GoogleUpdater\126.0.6462.0\updater.exeSection loaded: dsreg.dllJump to behavior
Source: C:\Program Files (x86)\Google\GoogleUpdater\126.0.6462.0\updater.exeSection loaded: msvcp110_win.dllJump to behavior
Source: C:\Program Files (x86)\Google\GoogleUpdater\126.0.6462.0\updater.exeSection loaded: cryptsp.dllJump to behavior
Source: C:\Program Files (x86)\Google\GoogleUpdater\126.0.6462.0\updater.exeSection loaded: profapi.dllJump to behavior
Source: C:\Program Files (x86)\Google\GoogleUpdater\126.0.6462.0\updater.exeSection loaded: msasn1.dllJump to behavior
Source: C:\Program Files (x86)\Google\GoogleUpdater\126.0.6462.0\updater.exeSection loaded: sxs.dllJump to behavior
Source: C:\Program Files (x86)\Google\GoogleUpdater\126.0.6462.0\updater.exeSection loaded: winsta.dllJump to behavior
Source: C:\Program Files (x86)\Google\GoogleUpdater\126.0.6462.0\updater.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
Source: C:\Program Files (x86)\Google\GoogleUpdater\126.0.6462.0\updater.exeSection loaded: mswsock.dllJump to behavior
Source: C:\Program Files (x86)\Google\GoogleUpdater\126.0.6462.0\updater.exeSection loaded: iphlpapi.dllJump to behavior
Source: C:\Program Files (x86)\Google\GoogleUpdater\126.0.6462.0\updater.exeSection loaded: winnsi.dllJump to behavior
Source: C:\Program Files (x86)\Google\GoogleUpdater\126.0.6462.0\updater.exeSection loaded: dhcpcsvc6.dllJump to behavior
Source: C:\Program Files (x86)\Google\GoogleUpdater\126.0.6462.0\updater.exeSection loaded: dhcpcsvc.dllJump to behavior
Source: C:\Program Files (x86)\Google\GoogleUpdater\126.0.6462.0\updater.exeSection loaded: wbemcomn.dllJump to behavior
Source: C:\Program Files (x86)\Google\GoogleUpdater\126.0.6462.0\updater.exeSection loaded: amsi.dllJump to behavior
Source: C:\Program Files (x86)\Google\GoogleUpdater\126.0.6462.0\updater.exeSection loaded: profapi.dllJump to behavior
Source: C:\Program Files (x86)\Google\GoogleUpdater\126.0.6462.0\updater.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
Source: C:\Program Files (x86)\Google\GoogleUpdater\126.0.6462.0\updater.exeSection loaded: webio.dllJump to behavior
Source: C:\Program Files (x86)\Google\GoogleUpdater\126.0.6462.0\updater.exeSection loaded: dnsapi.dllJump to behavior
Source: C:\Program Files (x86)\Google\GoogleUpdater\126.0.6462.0\updater.exeSection loaded: rasadhlp.dllJump to behavior
Source: C:\Program Files (x86)\Google\GoogleUpdater\126.0.6462.0\updater.exeSection loaded: fwpuclnt.dllJump to behavior
Source: C:\Program Files (x86)\Google\GoogleUpdater\126.0.6462.0\updater.exeSection loaded: schannel.dllJump to behavior
Source: C:\Program Files (x86)\Google\GoogleUpdater\126.0.6462.0\updater.exeSection loaded: mskeyprotect.dllJump to behavior
Source: C:\Program Files (x86)\Google\GoogleUpdater\126.0.6462.0\updater.exeSection loaded: ntasn1.dllJump to behavior
Source: C:\Program Files (x86)\Google\GoogleUpdater\126.0.6462.0\updater.exeSection loaded: ncrypt.dllJump to behavior
Source: C:\Program Files (x86)\Google\GoogleUpdater\126.0.6462.0\updater.exeSection loaded: ncryptsslp.dllJump to behavior
Source: C:\Program Files (x86)\Google\GoogleUpdater\126.0.6462.0\updater.exeSection loaded: msasn1.dllJump to behavior
Source: C:\Program Files (x86)\Google\GoogleUpdater\126.0.6462.0\updater.exeSection loaded: cryptsp.dllJump to behavior
Source: C:\Program Files (x86)\Google\GoogleUpdater\126.0.6462.0\updater.exeSection loaded: rsaenh.dllJump to behavior
Source: C:\Program Files (x86)\Google\GoogleUpdater\126.0.6462.0\updater.exeSection loaded: cryptbase.dllJump to behavior
Source: C:\Program Files (x86)\Google\GoogleUpdater\126.0.6462.0\updater.exeSection loaded: gpapi.dllJump to behavior
Source: C:\Program Files (x86)\Google\GoogleUpdater\126.0.6462.0\updater.exeSection loaded: dbghelp.dllJump to behavior
Source: C:\Program Files (x86)\Google\GoogleUpdater\126.0.6462.0\updater.exeSection loaded: msimg32.dllJump to behavior
Source: C:\Program Files (x86)\Google\GoogleUpdater\126.0.6462.0\updater.exeSection loaded: secur32.dllJump to behavior
Source: C:\Program Files (x86)\Google\GoogleUpdater\126.0.6462.0\updater.exeSection loaded: wtsapi32.dllJump to behavior
Source: C:\Program Files (x86)\Google\GoogleUpdater\126.0.6462.0\updater.exeSection loaded: userenv.dllJump to behavior
Source: C:\Program Files (x86)\Google\GoogleUpdater\126.0.6462.0\updater.exeSection loaded: winhttp.dllJump to behavior
Source: C:\Program Files (x86)\Google\GoogleUpdater\126.0.6462.0\updater.exeSection loaded: uxtheme.dllJump to behavior
Source: C:\Program Files (x86)\Google\GoogleUpdater\126.0.6462.0\updater.exeSection loaded: winmm.dllJump to behavior
Source: C:\Program Files (x86)\Google\GoogleUpdater\126.0.6462.0\updater.exeSection loaded: version.dllJump to behavior
Source: C:\Program Files (x86)\Google\GoogleUpdater\126.0.6462.0\updater.exeSection loaded: sspicli.dllJump to behavior
Source: C:\Program Files (x86)\Google\GoogleUpdater\126.0.6462.0\updater.exeSection loaded: windows.storage.dllJump to behavior
Source: C:\Program Files (x86)\Google\GoogleUpdater\126.0.6462.0\updater.exeSection loaded: wldp.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: qmgr.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: bitsperf.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: powrprof.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: xmllite.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: firewallapi.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: esent.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: umpdc.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: dnsapi.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: iphlpapi.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: fwbase.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: wldp.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: ntmarta.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: profapi.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: flightsettings.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: netprofm.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: npmproxy.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: bitsigd.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: upnp.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: winhttp.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: ssdpapi.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: urlmon.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: iertutil.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: srvcli.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: netutils.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: appxdeploymentclient.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: cryptbase.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: wsmauto.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: miutils.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: wsmsvc.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: dsrole.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: pcwum.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: mi.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: userenv.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: gpapi.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: winhttp.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: wkscli.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: netutils.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: sspicli.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: msv1_0.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: ntlmshared.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: cryptdll.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: webio.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: mswsock.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: winnsi.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: rasadhlp.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: fwpuclnt.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: rmclient.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: usermgrcli.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: execmodelclient.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: propsys.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: coremessaging.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: twinapi.appcore.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: onecorecommonproxystub.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: execmodelproxy.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: resourcepolicyclient.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: vssapi.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: vsstrace.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: samcli.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: samlib.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: es.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: bitsproxy.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: dhcpcsvc6.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: dhcpcsvc.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: schannel.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: mskeyprotect.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: ntasn1.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: ncrypt.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: ncryptsslp.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: msasn1.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: cryptsp.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: rsaenh.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: dpapi.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: mpr.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: moshost.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: mapsbtsvc.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: mosstorage.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: ztrace_maps.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: ztrace_maps.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: bcp47langs.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: mapconfiguration.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: winhttp.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: wldp.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: windows.storage.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: profapi.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: storsvc.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: devobj.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: fltlib.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: ntmarta.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: bcd.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: wer.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: winhttp.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: cabinet.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: wldp.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: windows.storage.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: appxdeploymentclient.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: storageusage.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: userenv.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: profapi.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: sspicli.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: propsys.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: usosvc.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: powrprof.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: umpdc.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: profapi.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: updatepolicy.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: powrprof.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: cabinet.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: msasn1.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: wldp.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: taskschd.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: sspicli.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: upshared.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: winhttp.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: dpapi.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: usocoreps.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: usoapi.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: aphostservice.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: networkhelper.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: userdataplatformhelperutil.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: mccspal.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: syncutil.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: umpdc.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: syncutil.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: vaultcli.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: wintypes.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: dmcfgutils.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: dmcmnutils.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: dmxmlhelputils.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: cryptsp.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: xmllite.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: inproclogger.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: wldp.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: profapi.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: sspicli.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: flightsettings.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: windows.networking.connectivity.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: npmproxy.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: iertutil.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: msv1_0.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: ntlmshared.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: cryptdll.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: synccontroller.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: pimstore.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: aphostclient.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: accountaccessor.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: dsclient.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: powrprof.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: powrprof.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: systemeventsbrokerclient.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: userdatalanguageutil.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: mccsengineshared.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: pimstore.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: cemapi.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: userdatatypehelperutil.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: phoneutil.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: ntmarta.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: onecorecommonproxystub.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: execmodelproxy.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: rmclient.dllJump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exeSection loaded: mpclient.dllJump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exeSection loaded: secur32.dllJump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exeSection loaded: sspicli.dllJump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exeSection loaded: version.dllJump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exeSection loaded: msasn1.dllJump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exeSection loaded: userenv.dllJump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exeSection loaded: gpapi.dllJump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exeSection loaded: wbemcomn.dllJump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exeSection loaded: amsi.dllJump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exeSection loaded: profapi.dllJump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exeSection loaded: wscapi.dllJump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exeSection loaded: urlmon.dllJump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exeSection loaded: iertutil.dllJump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exeSection loaded: srvcli.dllJump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exeSection loaded: netutils.dllJump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exeSection loaded: slc.dllJump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exeSection loaded: sppc.dllJump to behavior
Source: C:\Windows\SystemTemp\Google7068_1700592644\bin\updater.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32Jump to behavior
Source: oBX1n79NgQ.exeStatic PE information: certificate valid
Source: oBX1n79NgQ.exeStatic PE information: Virtual size of .text is bigger than: 0x100000
Source: oBX1n79NgQ.exeStatic file information: File size 8730176 > 1048576
Source: oBX1n79NgQ.exeStatic PE information: Raw size of .text is bigger than: 0x100000 < 0x2a9800
Source: oBX1n79NgQ.exeStatic PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x4f7a00
Source: oBX1n79NgQ.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: oBX1n79NgQ.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: oBX1n79NgQ.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: oBX1n79NgQ.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: oBX1n79NgQ.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: oBX1n79NgQ.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: oBX1n79NgQ.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Source: oBX1n79NgQ.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: C:\b\s\w\ir\cache\builder\src\out\Release\updater.exe.pdb source: oBX1n79NgQ.exe, updater.exe.2.dr, GoogleUpdate.exe.4.dr, updater.7z.0.dr
Source: Binary string: C:\b\s\w\ir\cache\builder\src\out\Release\UpdaterSetup.exe.pdb source: oBX1n79NgQ.exe
Source: Binary string: C:\b\s\w\ir\cache\builder\src\out\Release\updater.exe.pdb0 source: oBX1n79NgQ.exe, updater.exe.2.dr, GoogleUpdate.exe.4.dr, updater.7z.0.dr
Source: Binary string: C:\b\s\w\ir\cache\builder\src\out\Release_x64\mini_installer.exe.pdb source: 125.0.6422.113_chrome_installer.exe, 00000013.00000000.2299389431.00007FF64A175000.00000002.00000001.01000000.0000000D.sdmp
Source: Binary string: C:\b\s\w\ir\cache\builder\src\out\Release_x64\mini_installer.exe.pdbp source: 125.0.6422.113_chrome_installer.exe, 00000013.00000000.2299389431.00007FF64A175000.00000002.00000001.01000000.0000000D.sdmp
Source: Binary string: C:\b\s\w\ir\cache\builder\src\out\Release\UpdaterSetup.exe.pdb0 source: oBX1n79NgQ.exe
Source: oBX1n79NgQ.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: oBX1n79NgQ.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: oBX1n79NgQ.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: oBX1n79NgQ.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: oBX1n79NgQ.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: oBX1n79NgQ.exeStatic PE information: real checksum: 0x851d88 should be: 0x858a7c
Source: updater.exe.0.drStatic PE information: section name: CPADinfo
Source: updater.exe.2.drStatic PE information: section name: CPADinfo
Source: GoogleUpdate.exe.4.drStatic PE information: section name: CPADinfo
Source: 125.0.6422.113_chrome_installer.exe.6.drStatic PE information: section name: .retplne
Source: C:\Windows\SystemTemp\Google7068_1700592644\bin\updater.exeCode function: 2_2_09ABCAEC pushfd ; iretd 2_2_09ABCAED
Source: C:\Windows\SystemTemp\Google7068_1700592644\bin\updater.exeCode function: 2_2_09ABCA88 push eax; iretd 2_2_09ABCA89
Source: C:\Windows\SystemTemp\Google7068_1700592644\bin\updater.exeCode function: 2_2_09ABEBC8 pushad ; ret 2_2_09ABEBC9

Persistence and Installation Behavior

Source: C:\Program Files (x86)\Google\GoogleUpdater\126.0.6462.0\updater.exe | Executable created and started: C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping4180_536941199\125.0.6422.113_chrome_installer.exe
Source: C:\Windows\SystemTemp\Google7068_1700592644\bin\updater.exe | Executable created and started: C:\Windows\SystemTemp\Google7068_1700592644\bin\updater.exe
Source: C:\Users\user\Desktop\oBX1n79NgQ.exe | File created: C:\Windows\SystemTemp\Google7068_1700592644\bin\updater.exe
Source: C:\Program Files (x86)\Google\GoogleUpdater\126.0.6462.0\updater.exe | File created: C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping4180_536941199\125.0.6422.113_chrome_installer.exe
Source: C:\Windows\SystemTemp\Google7068_1700592644\bin\updater.exe | File created: C:\Program Files (x86)\Google\GoogleUpdater\126.0.6462.0\updater.exe
Source: C:\Program Files (x86)\Google\GoogleUpdater\126.0.6462.0\updater.exe | File created: C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
Source: C:\Windows\SystemTemp\Google7068_1700592644\bin\updater.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Google\GoogleUpdater\126.0.6462.0\updater.exe | Process information set: NOOPENFILEERRORBOX (4 occurrences)
Source: C:\Windows\System32\svchost.exe | Process information set: NOOPENFILEERRORBOX (6 occurrences)
Source: C:\Program Files\Windows Defender\MpCmdRun.exe | Process information set: NOOPENFILEERRORBOX (6 occurrences)
Source: C:\Windows\System32\svchost.exe | File opened / queried: SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: C:\Program Files (x86)\Google\GoogleUpdater\126.0.6462.0\updater.exe TID: 6304 | Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 6460 | Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\svchost.exe | File opened: PhysicalDrive0
Source: C:\Program Files (x86)\Google\GoogleUpdater\126.0.6462.0\updater.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT SerialNumber FROM Win32_Bios
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe | File Volume queried: C:\ FullSizeInformation (3 occurrences)
Source: C:\Windows\System32\svchost.exe | File Volume queried: C:\Windows\System32 FullSizeInformation
Source: svchost.exe, 0000000C.00000002.2575559149.00000227C6A4B000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}'
Source: svchost.exe, 0000000C.00000002.2577691516.00000227C6A64000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000es
Source: updater.exe, 00000002.00000002.2589112589.000000000527D000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWx
Source: svchost.exe, 0000000C.00000002.2574358563.00000227C6A24000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: (@\??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: updater.exe, 00000002.00000002.2589112589.0000000005305000.00000004.00000020.00020000.00000000.sdmp, updater.exe, 00000002.00000002.2589112589.000000000527D000.00000004.00000020.00020000.00000000.sdmp, updater.exe, 00000006.00000002.2586506734.0000000005790000.00000004.00000020.00020000.00000000.sdmp, updater.exe, 00000006.00000002.2586506734.00000000057DF000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.2594577057.0000023A1C45E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.2579626532.0000023A16E2B000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
Source: svchost.exe, 0000000C.00000002.2572426051.00000227C6A02000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: HvHostWdiSystemHostScDeviceEnumWiaRpctrkwksAudioEndpointBuilderhidservdot3svcUmRdpServiceDsSvcfhsvcvmickvpexchangevmicshutdownvmicguestinterfacevmicvmsessionsvsvcStorSvcWwanSvcvmicvssDevQueryBrokerNgcSvcsysmainNetmanTabletInputServicePcaSvcDisplayEnhancementServiceIPxlatCfgSvcDeviceAssociationServiceNcbServiceEmbeddedModeSensorServicewlansvcCscServiceWPDBusEnumMixedRealityOpenXRSvc
Source: svchost.exe, 0000000C.00000002.2574358563.00000227C6A24000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\'
Source: updater.exe, 00000006.00000002.2586506734.00000000057B3000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWL
Source: svchost.exe, 0000000C.00000002.2580409594.00000227C6A8B000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: svchost.exe, 0000000C.00000002.2575559149.00000227C6A4B000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: #Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: C:\Windows\SystemTemp\Google7068_1700592644\bin\updater.exe | Process information queried: ProcessInformation
Source: C:\Windows\SystemTemp\Google7068_1700592644\bin\updater.exe | Process created: C:\Windows\SystemTemp\Google7068_1700592644\bin\updater.exe C:\Windows\SystemTemp\Google7068_1700592644\bin\updater.exe --crash-handler --system "--database=C:\Program Files (x86)\Google\GoogleUpdater\126.0.6462.0\Crashpad" --url=https://clients2.google.com/cr/report --annotation=prod=Update4 --annotation=ver=126.0.6462.0 "--attachment=C:\Program Files (x86)\Google\GoogleUpdater\updater.log" --initial-client-data=0x27c,0x280,0x284,0x258,0x288,0x8d965c,0x8d9668,0x8d9674
Source: C:\Program Files (x86)\Google\GoogleUpdater\126.0.6462.0\updater.exe | Process created: C:\Program Files (x86)\Google\GoogleUpdater\126.0.6462.0\updater.exe "C:\Program Files (x86)\Google\GoogleUpdater\126.0.6462.0\updater.exe" --crash-handler --system "--database=C:\Program Files (x86)\Google\GoogleUpdater\126.0.6462.0\Crashpad" --url=https://clients2.google.com/cr/report --annotation=prod=Update4 --annotation=ver=126.0.6462.0 "--attachment=C:\Program Files (x86)\Google\GoogleUpdater\updater.log" --initial-client-data=0x288,0x28c,0x290,0x264,0x294,0x114965c,0x1149668,0x1149674 (2 occurrences)
Source: C:\Users\user\Desktop\oBX1n79NgQ.exe | Process created: C:\Windows\SystemTemp\Google7068_1700592644\bin\updater.exe "c:\windows\systemtemp\google7068_1700592644\bin\updater.exe" --install=appguid={8a69d345-d564-463c-aff1-a69d9e530f96}&iid={8d0cd419-2dac-c85b-bcff-db2d99044b99}&lang=en&browser=5&usagestats=0&appname=google%20chrome&needsadmin=prefers&ap=x64-statsdef_1&installdataindex=empty --enable-logging --vmodule=*/components/winhttp/*=1,*/components/update_client/*=2,*/chrome/updater/*=2
Source: C:\Windows\SystemTemp\Google7068_1700592644\bin\updater.exe | Process created: C:\Windows\SystemTemp\Google7068_1700592644\bin\updater.exe c:\windows\systemtemp\google7068_1700592644\bin\updater.exe --crash-handler --system "--database=c:\program files (x86)\google\googleupdater\126.0.6462.0\crashpad" --url=https://clients2.google.com/cr/report --annotation=prod=update4 --annotation=ver=126.0.6462.0 "--attachment=c:\program files (x86)\google\googleupdater\updater.log" --initial-client-data=0x27c,0x280,0x284,0x258,0x288,0x8d965c,0x8d9668,0x8d9674
Source: C:\Program Files (x86)\Google\GoogleUpdater\126.0.6462.0\updater.exe | Process created: C:\Program Files (x86)\Google\GoogleUpdater\126.0.6462.0\updater.exe "c:\program files (x86)\google\googleupdater\126.0.6462.0\updater.exe" --crash-handler --system "--database=c:\program files (x86)\google\googleupdater\126.0.6462.0\crashpad" --url=https://clients2.google.com/cr/report --annotation=prod=update4 --annotation=ver=126.0.6462.0 "--attachment=c:\program files (x86)\google\googleupdater\updater.log" --initial-client-data=0x288,0x28c,0x290,0x264,0x294,0x114965c,0x1149668,0x1149674 (2 occurrences)
Source: C:\Program Files (x86)\Google\GoogleUpdater\126.0.6462.0\updater.exe | Process created: C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping4180_536941199\125.0.6422.113_chrome_installer.exe "c:\windows\systemtemp\chrome_unpacker_beginunzipping4180_536941199\125.0.6422.113_chrome_installer.exe" --verbose-logging --do-not-launch-chrome --channel=stable --installerdata="c:\windows\systemtemp\chrome_unpacker_beginunzipping4180_536941199\bdefe0a9-9fa1-476d-abba-f730b9c95120.tmp"
Source: C:\Program Files (x86)\Google\GoogleUpdater\126.0.6462.0\updater.exe | Queries volume information: C:\Program Files (x86)\Google\GoogleUpdater\prefs.json VolumeInformation (2 occurrences)
Source: C:\Program Files (x86)\Google\GoogleUpdater\126.0.6462.0\updater.exe | Queries volume information: C:\Program Files (x86)\Google\GoogleUpdater\126.0.6462.0\prefs.json VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation (3 occurrences)
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation (4 occurrences)
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation (3 occurrences)
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ VolumeInformation (8 occurrences)
Source: C:\Windows\System32\svchost.exe | Queries volume information: C: VolumeInformation (3 occurrences)
Source: C:\Program Files (x86)\Google\GoogleUpdater\126.0.6462.0\updater.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Lowering of HIPS / PFW / Operating System Security Settings

Source: C:\Windows\System32\svchost.exe | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center cval
Source: svchost.exe, 0000000F.00000002.2581923377.0000029F2E502000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: gramFiles%\Windows Defender\MsMpeng.exe
Source: svchost.exe, 0000000F.00000002.2581923377.0000029F2E502000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: C:\Windows\System32\svchost.exe | WMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'
Source: C:\Program Files\Windows Defender\MpCmdRun.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct (2 occurrences)
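Every source in this section is a Windows component: an svchost.exe instance writes the Security Center cval value and subscribes to SecurityCenter product events, and Windows Defender's MpCmdRun.exe enumerates AntiVirusProduct. Neither the sample nor any file it dropped appears here, which is the first thing to check before reading "Changes security center settings" as tampering. The helper below is an added example, not Joe Sandbox or Google code, that makes this attribution mechanical: it walks the report's drop chain from the sample to build the set of sample-owned binaries, then sorts each signature hit by whether its source process is in that set. Its input lines are this report's own, with a " | " separator restored between source and action; the SecurityCenter query is shortened to its first clause to keep the line readable.

```python
"""Added triage helper (not Joe Sandbox or Google code): split signature hits
into those from the sample's process tree and those from Windows components."""
import re

# Sample path exactly as it appears in the report's "Source:" fields.
SAMPLE = r"C:\Users\user\Desktop\oBX1n79NgQ.exe"

# Constructed from this report's lines, separator restored, long query shortened.
REPORT_LINES = r"""
Source: C:\Users\user\Desktop\oBX1n79NgQ.exe | File created: C:\Windows\SystemTemp\Google7068_1700592644\bin\updater.exe
Source: C:\Windows\SystemTemp\Google7068_1700592644\bin\updater.exe | File created: C:\Program Files (x86)\Google\GoogleUpdater\126.0.6462.0\updater.exe
Source: C:\Program Files (x86)\Google\GoogleUpdater\126.0.6462.0\updater.exe | File created: C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
Source: C:\Program Files (x86)\Google\GoogleUpdater\126.0.6462.0\updater.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT SerialNumber FROM Win32_Bios
Source: C:\Windows\System32\svchost.exe | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center cval
Source: C:\Windows\System32\svchost.exe | WMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct'
Source: C:\Program Files\Windows Defender\MpCmdRun.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct
""".strip().splitlines()

LINE_RE = re.compile(r"^Source: (?P<src>.+?) \| (?P<action>[^:]+): (?P<target>.*)$")
# Actions whose target becomes a sample-owned binary.
DROP_ACTIONS = {"File created", "Executable created and started"}


def parse(lines):
    """Turn report lines into (source, action, target) triples. Source paths are
    lower-cased because the report itself mixes cases in process paths."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            events.append((m["src"].lower(), m["action"], m["target"]))
    return events


def sample_owned(events, sample=SAMPLE):
    """Transitive closure: the sample plus every executable written by a
    process that is already in the set."""
    owned = {sample.lower()}
    changed = True
    while changed:
        changed = False
        for src, action, target in events:
            if action in DROP_ACTIONS and src in owned and target.lower() not in owned:
                owned.add(target.lower())
                changed = True
    return owned


def attribute(events, sample=SAMPLE):
    """Bucket each event by whether its source is in the sample's drop chain."""
    owned = sample_owned(events, sample)
    buckets = {"sample_tree": [], "windows_component": []}
    for event in events:
        key = "sample_tree" if event[0] in owned else "windows_component"
        buckets[key].append(event)
    return buckets


def summary(lines=REPORT_LINES, sample=SAMPLE):
    """Counts per bucket; the value a reviewer wants before reading further."""
    return {k: len(v) for k, v in attribute(parse(lines), sample).items()}


if __name__ == "__main__":
    for bucket, events in attribute(parse(REPORT_LINES)).items():
        print(bucket)
        for src, action, target in events:
            print(f"  {src} :: {action} :: {target[:70]}")
```

Run against these seven lines, the Win32_Bios serial query lands in the sample's tree (the installed updater.exe is two drops away from the sample) and all three Security Center events land with Windows components. The same walk applied to a whole report is how to separate what the sample did from what the host did in reaction to it.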
MITRE ATT&CK Matrix (a leading number is the count of signatures mapped to that technique; unnumbered entries are the remaining cells of the matrix template)

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services
Execution: 2 Windows Management Instrumentation; 12 Command and Scripting Interpreter; 1 Scheduled Task/Job; Cron; Launchd; Scheduled Task; Systemd Timers
Persistence: 1 Scheduled Task/Job; 1 DLL Side-Loading; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items
Privilege Escalation: 11 Process Injection; 1 Scheduled Task/Job; 1 DLL Side-Loading; Login Hook; Network Logon Script; RC Scripts; Startup Items
Defense Evasion: 122 Masquerading; 1 Disable or Modify Tools; 3 Virtualization/Sandbox Evasion; 11 Process Injection; 1 Obfuscated Files or Information; 1 DLL Side-Loading; 1 File Deletion
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync
Discovery: 41 Security Software Discovery; 3 Virtualization/Sandbox Evasion; 1 Process Discovery; 33 System Information Discovery; Internet Connection Discovery; Wi-Fi Discovery; Remote System Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management
Collection: Data from Local System; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture
Command and Control: Data Obfuscation; Junk Data; Steganography; Protocol Impersonation; Fallback Channels; Multiband Communication; Commonly Used Port
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery
Behavior Graph (ID 1447827; sample oBX1n79NgQ.exe; start date 27/05/2024; architecture WINDOWS; score 24), recovered from the graph's text:

  • Start node: signature "Drops executables to the windows directory (C:\Windows) and starts them"; starts oBX1n79NgQ.exe, svchost.exe, updater.exe and 7 other processes.
  • oBX1n79NgQ.exe: drops C:\Windows\SystemTemp\...\updater.exe (PE32) and starts updater.exe.
  • That updater.exe: contacts 172.217.16.206 (GOOGLEUS, United States); drops C:\Program Files (x86)\Google\...\updater.exe (PE32); signature "Drops executables to the windows directory (C:\Windows) and starts them"; starts updater.exe.
  • svchost.exe: signature "Changes security center settings (notifications, updates, antivirus, firewall)"; starts MpCmdRun.exe, which starts conhost.exe.
  • updater.exe (started from the start node): contacts 142.250.181.227 (GOOGLEUS, United States); drops C:\...\125.0.6422.113_chrome_installer.exe (PE32+); starts updater.exe and 125.0.6422.113_chrome_installer.exe.
  • 7 other processes: contact 2.19.244.127 (AKAMAI-ASUS, European Union) and 127.0.0.1 (unknown); drop C:\Program Files (x86)\...\GoogleUpdate.exe (PE32); start updater.exe.

No Antivirus matches
Source | Detection | Scanner
C:\Program Files (x86)\Google\GoogleUpdater\126.0.6462.0\updater.exe | 0% | ReversingLabs
C:\Program Files (x86)\Google\GoogleUpdater\126.0.6462.0\updater.exe | 0% | Virustotal
C:\Program Files (x86)\Google\Update\GoogleUpdate.exe | 0% | ReversingLabs
C:\Program Files (x86)\Google\Update\GoogleUpdate.exe | 0% | Virustotal
C:\Windows\SystemTemp\Google7068_1700592644\bin\updater.exe | 0% | ReversingLabs
C:\Windows\SystemTemp\Google7068_1700592644\bin\updater.exe | 0% | Virustotal
C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping4180_536941199\125.0.6422.113_chrome_installer.exe | 0% | ReversingLabs
C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping4180_536941199\125.0.6422.113_chrome_installer.exe | 0% | Virustotal
No Antivirus matches
No Antivirus matches
Source | Detection | Scanner | Label
https://csp.withgoogle.com/csp/clientupdate-aus/1 | 0% | URL Reputation | safe
https://dev.ditu.live.com/REST/v1/Routes/ | 0% | URL Reputation | safe
https://dev.ditu.live.com/REST/v1/Routes/ | 0% | URL Reputation | safe
https://dev.virtualearth.net/REST/v1/Routes/Driving | 0% | URL Reputation | safe
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashx | 0% | URL Reputation | safe
https://crashpad.chromium.org/bug/new | 0% | URL Reputation | safe
https://dev.virtualearth.net/REST/v1/Routes/Walking | 0% | URL Reputation | safe
https://crashpad.chromium.org/https://crashpad.chromium.org/bug/new | 0% | URL Reputation | safe
https://crashpad.chromium.org/https://crashpad.chromium.org/bug/new | 0% | URL Reputation | safe
https://dev.ditu.live.com/mapcontrol/logging.ashx | 0% | URL Reputation | safe
https://dev.ditu.live.com/REST/v1/Imagery/Copyright/ | 0% | URL Reputation | safe
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r= | 0% | URL Reputation | safe
https://dev.virtualearth.net/REST/v1/Transit/Schedules/ | 0% | URL Reputation | safe
https://dev.virtualearth.net/REST/v1/Transit/Schedules/ | 0% | URL Reputation | safe
http://www.bingmapsportal.com | 0% | URL Reputation | safe
https://dev.virtualearth.net/REST/v1/Imagery/Copyright/ | 0% | URL Reputation | safe
https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/ | 0% | URL Reputation | safe
https://dynamic.t0.tiles.ditu.live.com/comp/gen.ashx | 0% | URL Reputation | safe
https://crashpad.chromium.org/ | 0% | URL Reputation | safe
https://dev.ditu.live.com/REST/v1/Transit/Stops/ | 0% | URL Reputation | safe
https://dev.virtualearth.net/REST/v1/Routes/ | 0% | URL Reputation | safe
https://dev.virtualearth.net/REST/v1/Traffic/Incidents/ | 0% | URL Reputation | safe
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdi?pv=1&r= | 0% | URL Reputation | safe
https://dynamic.api.tiles.ditu.live.com/odvs/gri?pv=1&r= | 0% | URL Reputation | safe
https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log? | 0% | URL Reputation | safe
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r= | 0% | URL Reputation | safe
https://dev.virtualearth.net/REST/v1/Locations | 0% | URL Reputation | safe
https://dev.ditu.live.com/REST/V1/MapControlConfiguration/native/ | 0% | URL Reputation | safe
https://dev.virtualearth.net/mapcontrol/logging.ashx | 0% | URL Reputation | safe
https://dynamic.api.tiles.ditu.live.com/odvs/gdi?pv=1&r= | 0% | URL Reputation | safe
http://dl.google.com:80 | 0% | Avira URL Cloud | safe
https://dynamic.t | 0% | URL Reputation | safe
https://g.live.com/odclientsettings/Prod-C: | 0% | URL Reputation | safe
https://m.google.com/devicemanagement/data/api | 0% | URL Reputation | safe
http://html4/loose.dtd | 0% | Avira URL Cloud | safe
https://dev.virtualearth.net/REST/v1/Routes/Transit | 0% | URL Reputation | safe
https://g.live.com/odclientsettings/ProdV2-C: | 0% | URL Reputation | safe
https://t0.ssl.ak.tiles.virtualearth.net/tiles/gen | 0% | URL Reputation | safe
http://.css | 0% | Avira URL Cloud | safe
https://tiles.virtualearth.net/tiles/cmd/StreetSideBubbleMetaData?north= | 0% | URL Reputation | safe
https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r= | 0% | URL Reputation | safe
https://dev.ditu.live.com/REST/v1/Locations | 0% | URL Reputation | safe
https://dev.ditu.live.com/REST/v1/JsonFilter/VenueMaps/data/ | 0% | URL Reputation | safe
https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r= | 0% | URL Reputation | safe
http://support.google.com/installer/%s?product=%s&error=%d | 0% | Avira URL Cloud | safe
https://www.google.com/dl/release2/chrome/acjptviylg6r2k4fyfeeegku2wya_125.0.6422.113/ | 0% | Avira URL Cloud | safe
https://dl.google.com/ | 0% | Avira URL Cloud | safe
https://dl.google.com/ | 0% | Virustotal
http://dl.google.com:80 | 0% | Virustotal
http://.jpg | 0% | Avira URL Cloud | safe
http://dl.google.com/ | 0% | Avira URL Cloud | safe
http://dl.google.com:80/release2/chrome/acjptviylg6r2k4fyfeeegku2wya_125.0.6422.113/-8a69d345-d564-4 | 0% | Avira URL Cloud | safe
https://www.google.com/dl/release2/chrome/acjptviylg6r2k4fyfeeegku2wya_125.0.6422.113/-8a69d345-d564 | 0% | Avira URL Cloud | safe
https://dl.google.com/release2/chrome/acjptviylg6r2k4fyfeeegku2wya_125.0.6422.113/ | 0% | Avira URL Cloud | safe
http://dl.google.com/ | 0% | Virustotal
http://www.google.com/dl/release2/chrome/acjptviylg6r2k4fyfeeegku2wya_125.0.6422.113/-8a69d345-d564- | 0% | Avira URL Cloud | safe
http://dl.google.com/release2/chrome/acjptviylg6r2k4fyfeeegku2wya_125.0.6422.113/-8a69d345-d564-463c | 0% | Avira URL Cloud | safe
http://crl.ver) | 0% | Avira URL Cloud | safe
https://dl.google.com/release2/chrome/acjptviylg6r2k4fyfeeegku2wya_125.0.6422.113/-8a69d345-d564-463 | 0% | Avira URL Cloud | safe
https://dl.google.com/update2/installers/icons/%7B8a69d345-d564-463c-aff1-a69d9e530f96%7D.bmp?lang=e | 0% | Avira URL Cloud | safe
https://dl.google.com/update2/installers/icons/ | 0% | Avira URL Cloud | safe
http://support.google.com/installer/ | 0% | Avira URL Cloud | safe
http://dl.google.com:80/release2/chrome/acjptviylg6r2k4fyfeeegku2wya_125.0.6422.113/-8a69d345-d564-4 | 0% | Virustotal
http://www.google.com/dl/release2/chrome/acjptviylg6r2k4fyfeeegku2wya_125.0.6422.113/ | 0% | Avira URL Cloud | safe
http://dl.google.com/release2/chrome/acjptviylg6r2k4fyfeeegku2wya_125.0.6422.113/ | 0% | Avira URL Cloud | safe
https://csp.withgoogle.com/csp/clientupdate-aus/1Persistent-AuthWWW-AuthenticateVarySet-CookieGSESer | 0% | Avira URL Cloud | safe
https://dl.google.com/update2/installers/icons/ | 0% | Virustotal
No contacted domains info
Name | Source | Malicious | Antivirus Detection | Reputation
http://html4/loose.dtd | oBX1n79NgQ.exe, updater.exe.2.dr, GoogleUpdate.exe.4.dr, updater.7z.0.dr | false | Avira URL Cloud: safe | unknown
https://csp.withgoogle.com/csp/clientupdate-aus/1 | updater.exe, 00000006.00000002.2586506734.00000000057DF000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://dev.ditu.live.com/REST/v1/Routes/ | svchost.exe, 0000000A.00000003.1366819398.000001DD04A67000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe; URL Reputation: safe | unknown
http://dl.google.com:80 | updater.exe, 00000006.00000002.2586506734.0000000005758000.00000004.00000020.00020000.00000000.sdmp | false | 0%, Virustotal; Avira URL Cloud: safe | unknown
https://dev.virtualearth.net/REST/v1/Routes/Driving | svchost.exe, 0000000A.00000003.1366939390.000001DD04A58000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashx | svchost.exe, 0000000A.00000003.1367060353.000001DD04A41000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://crashpad.chromium.org/bug/new | oBX1n79NgQ.exe, updater.exe.2.dr, GoogleUpdate.exe.4.dr, updater.7z.0.dr | false | URL Reputation: safe | unknown
https://dev.virtualearth.net/REST/v1/Routes/Walking | svchost.exe, 0000000A.00000003.1366939390.000001DD04A58000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://.css | oBX1n79NgQ.exe, updater.exe.2.dr, GoogleUpdate.exe.4.dr, updater.7z.0.dr | false | Avira URL Cloud: safe | unknown
https://crashpad.chromium.org/https://crashpad.chromium.org/bug/new | oBX1n79NgQ.exe, updater.exe.2.dr, GoogleUpdate.exe.4.dr, updater.7z.0.dr | false | URL Reputation: safe; URL Reputation: safe | unknown
https://dev.ditu.live.com/mapcontrol/logging.ashx | svchost.exe, 0000000A.00000003.1366939390.000001DD04A58000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://dev.ditu.live.com/REST/v1/Imagery/Copyright/ | svchost.exe, 0000000A.00000003.1366840878.000001DD04A62000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000A.00000002.1367903297.000001DD04A65000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000A.00000003.1366726106.000001DD04A6E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000A.00000003.1366910911.000001DD04A5E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000A.00000003.1366939390.000001DD04A58000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r= | svchost.exe, 0000000A.00000002.1367708275.000001DD04A2B000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://dev.virtualearth.net/REST/v1/Transit/Schedules/ | svchost.exe, 0000000A.00000002.1367824106.000001DD04A44000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000A.00000003.1367060353.000001DD04A41000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe; URL Reputation: safe | unknown
https://www.google.com/dl/release2/chrome/acjptviylg6r2k4fyfeeegku2wya_125.0.6422.113/ | updater.exe, 00000006.00000003.1182984504.000000005F2A4000.00000004.00001000.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://support.google.com/installer/%s?product=%s&error=%d | oBX1n79NgQ.exe, updater.exe.2.dr, GoogleUpdate.exe.4.dr, updater.7z.0.dr | false | Avira URL Cloud: safe | unknown
https://dl.google.com/ | updater.exe, 00000002.00000002.2589112589.00000000052DF000.00000004.00000020.00020000.00000000.sdmp | false | 0%, Virustotal; Avira URL Cloud: safe | unknown
http://.jpg | oBX1n79NgQ.exe, updater.exe.2.dr, GoogleUpdate.exe.4.dr, updater.7z.0.dr | false | Avira URL Cloud: safe | unknown
http://www.bingmapsportal.com | svchost.exe, 0000000A.00000002.1367591897.000001DD04A13000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://dev.virtualearth.net/REST/v1/Imagery/Copyright/ | svchost.exe, 0000000A.00000003.1367006248.000001DD04A5A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000A.00000003.1366840878.000001DD04A62000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000A.00000003.1366939390.000001DD04A58000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://dl.google.com/ | updater.exe, 00000006.00000002.2586506734.00000000057DF000.00000004.00000020.00020000.00000000.sdmp | false | 0%, Virustotal; Avira URL Cloud: safe | unknown
https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/ | svchost.exe, 0000000A.00000002.1367708275.000001DD04A2B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000A.00000003.1366819398.000001DD04A67000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://dynamic.t0.tiles.ditu.live.com/comp/gen.ashx | svchost.exe, 0000000A.00000003.1366939390.000001DD04A58000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://crashpad.chromium.org/ | oBX1n79NgQ.exe, updater.exe.2.dr, GoogleUpdate.exe.4.dr, updater.7z.0.dr | false | URL Reputation: safe | unknown
https://www.google.com/dl/release2/chrome/acjptviylg6r2k4fyfeeegku2wya_125.0.6422.113/-8a69d345-d564 | updater.exe, 00000006.00000002.2605201170.000000005ECB0000.00000004.00001000.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://dl.google.com/release2/chrome/acjptviylg6r2k4fyfeeegku2wya_125.0.6422.113/ | updater.exe, 00000006.00000003.1182984504.000000005F2A4000.00000004.00001000.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://dl.google.com:80/release2/chrome/acjptviylg6r2k4fyfeeegku2wya_125.0.6422.113/-8a69d345-d564-4 | updater.exe, 00000006.00000002.2586506734.00000000057DF000.00000004.00000020.00020000.00000000.sdmp | false | 0%, Virustotal; Avira URL Cloud: safe | unknown
http://www.google.com/dl/release2/chrome/acjptviylg6r2k4fyfeeegku2wya_125.0.6422.113/-8a69d345-d564- | updater.exe, 00000006.00000002.2605201170.000000005ECB0000.00000004.00001000.00020000.00000000.sdmp | false
  • Avira URL Cloud: safe
unknown
https://dev.ditu.live.com/REST/v1/Transit/Stops/svchost.exe, 0000000A.00000003.1366597748.000001DD04A75000.00000004.00000020.00020000.00000000.sdmpfalse
  • URL Reputation: safe
unknown
https://dev.virtualearth.net/REST/v1/Routes/svchost.exe, 0000000A.00000002.1367708275.000001DD04A2B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000A.00000003.1366819398.000001DD04A67000.00000004.00000020.00020000.00000000.sdmpfalse
  • URL Reputation: safe
unknown
https://dev.virtualearth.net/REST/v1/Traffic/Incidents/svchost.exe, 0000000A.00000003.1366840878.000001DD04A62000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000A.00000002.1367903297.000001DD04A65000.00000004.00000020.00020000.00000000.sdmpfalse
  • URL Reputation: safe
unknown
http://dl.google.com/release2/chrome/acjptviylg6r2k4fyfeeegku2wya_125.0.6422.113/-8a69d345-d564-463cupdater.exe, 00000006.00000002.2602007070.000000000666D000.00000004.00000010.00020000.00000000.sdmp, updater.exe, 00000006.00000002.2605201170.000000005ECB0000.00000004.00001000.00020000.00000000.sdmp, updater.exe, 00000006.00000002.2586506734.00000000057D1000.00000004.00000020.00020000.00000000.sdmp, updater.exe, 00000006.00000002.2586506734.00000000057DF000.00000004.00000020.00020000.00000000.sdmpfalse
  • Avira URL Cloud: safe
unknown
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdi?pv=1&r=svchost.exe, 0000000A.00000003.1366939390.000001DD04A58000.00000004.00000020.00020000.00000000.sdmpfalse
  • URL Reputation: safe
unknown
https://dynamic.api.tiles.ditu.live.com/odvs/gri?pv=1&r=svchost.exe, 0000000A.00000003.1367060353.000001DD04A41000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000A.00000003.1366910911.000001DD04A5E000.00000004.00000020.00020000.00000000.sdmpfalse
  • URL Reputation: safe
unknown
http://crl.ver)svchost.exe, 00000008.00000002.2595675854.0000023A1C471000.00000004.00000020.00020000.00000000.sdmpfalse
  • Avira URL Cloud: safe
unknown
https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log?svchost.exe, 0000000A.00000003.1366840878.000001DD04A62000.00000004.00000020.00020000.00000000.sdmpfalse
  • URL Reputation: safe
unknown
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r=svchost.exe, 0000000A.00000003.1367047073.000001DD04A3D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000A.00000003.1367060353.000001DD04A41000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000A.00000003.1367033099.000001DD04A4A000.00000004.00000020.00020000.00000000.sdmpfalse
  • URL Reputation: safe
unknown
https://dev.virtualearth.net/REST/v1/Locationssvchost.exe, 0000000A.00000003.1366939390.000001DD04A58000.00000004.00000020.00020000.00000000.sdmpfalse
  • URL Reputation: safe
unknown
https://dev.ditu.live.com/REST/V1/MapControlConfiguration/native/svchost.exe, 0000000A.00000002.1367885661.000001DD04A59000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000A.00000003.1366939390.000001DD04A58000.00000004.00000020.00020000.00000000.sdmpfalse
  • URL Reputation: safe
unknown
https://dev.virtualearth.net/mapcontrol/logging.ashxsvchost.exe, 0000000A.00000003.1366939390.000001DD04A58000.00000004.00000020.00020000.00000000.sdmpfalse
  • URL Reputation: safe
unknown
https://dynamic.api.tiles.ditu.live.com/odvs/gdi?pv=1&r=svchost.exe, 0000000A.00000003.1367060353.000001DD04A41000.00000004.00000020.00020000.00000000.sdmpfalse
  • URL Reputation: safe
unknown
https://dl.google.com/release2/chrome/acjptviylg6r2k4fyfeeegku2wya_125.0.6422.113/-8a69d345-d564-463updater.exe, 00000006.00000002.2605201170.000000005ECB0000.00000004.00001000.00020000.00000000.sdmpfalse
  • Avira URL Cloud: safe
unknown
https://dl.google.com/update2/installers/icons/%7B8a69d345-d564-463c-aff1-a69d9e530f96%7D.bmp?lang=eupdater.exe, 00000002.00000002.2589112589.000000000527D000.00000004.00000020.00020000.00000000.sdmpfalse
  • Avira URL Cloud: safe
unknown
https://dynamic.tsvchost.exe, 0000000A.00000002.1367929818.000001DD04A70000.00000004.00000020.00020000.00000000.sdmpfalse
  • URL Reputation: safe
unknown
https://g.live.com/odclientsettings/Prod-C:edb.log.8.drfalse
  • URL Reputation: safe
unknown
https://m.google.com/devicemanagement/data/apioBX1n79NgQ.exe, updater.exe.2.dr, GoogleUpdate.exe.4.dr, updater.7z.0.drfalse
  • URL Reputation: safe
unknown
https://dev.virtualearth.net/REST/v1/Routes/Transitsvchost.exe, 0000000A.00000003.1366939390.000001DD04A58000.00000004.00000020.00020000.00000000.sdmpfalse
  • URL Reputation: safe
unknown
https://dl.google.com/update2/installers/icons/oBX1n79NgQ.exe, updater.exe.2.dr, GoogleUpdate.exe.4.dr, updater.7z.0.drfalse
  • 0%, Virustotal, Browse
  • Avira URL Cloud: safe
unknown
http://support.google.com/installer/oBX1n79NgQ.exe, updater.exe.2.dr, GoogleUpdate.exe.4.dr, updater.7z.0.drfalse
  • Avira URL Cloud: safe
unknown
https://g.live.com/odclientsettings/ProdV2-C:svchost.exe, 00000008.00000003.1202963770.0000023A1C332000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.8.dr, edb.log.8.drfalse
  • URL Reputation: safe
unknown
https://t0.ssl.ak.tiles.virtualearth.net/tiles/gensvchost.exe, 0000000A.00000003.1366939390.000001DD04A58000.00000004.00000020.00020000.00000000.sdmpfalse
  • URL Reputation: safe
unknown
http://www.google.com/dl/release2/chrome/acjptviylg6r2k4fyfeeegku2wya_125.0.6422.113/updater.exe, 00000006.00000003.1182984504.000000005F2A4000.00000004.00001000.00020000.00000000.sdmpfalse
  • Avira URL Cloud: safe
unknown
https://tiles.virtualearth.net/tiles/cmd/StreetSideBubbleMetaData?north=svchost.exe, 0000000A.00000002.1367885661.000001DD04A59000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000A.00000003.1366939390.000001DD04A58000.00000004.00000020.00020000.00000000.sdmpfalse
  • URL Reputation: safe
unknown
https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r=svchost.exe, 0000000A.00000003.1366840878.000001DD04A62000.00000004.00000020.00020000.00000000.sdmpfalse
  • URL Reputation: safe
unknown
http://dl.google.com/release2/chrome/acjptviylg6r2k4fyfeeegku2wya_125.0.6422.113/updater.exe, 00000006.00000003.1182984504.000000005F2A4000.00000004.00001000.00020000.00000000.sdmpfalse
  • Avira URL Cloud: safe
unknown
https://csp.withgoogle.com/csp/clientupdate-aus/1Persistent-AuthWWW-AuthenticateVarySet-CookieGSESerupdater.exe, 00000006.00000002.2586506734.00000000057DF000.00000004.00000020.00020000.00000000.sdmpfalse
  • Avira URL Cloud: safe
unknown
https://dev.ditu.live.com/REST/v1/Locationssvchost.exe, 0000000A.00000003.1366939390.000001DD04A58000.00000004.00000020.00020000.00000000.sdmpfalse
  • URL Reputation: safe
unknown
https://dev.ditu.live.com/REST/v1/JsonFilter/VenueMaps/data/svchost.exe, 0000000A.00000002.1367929818.000001DD04A74000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000A.00000003.1366726106.000001DD04A6E000.00000004.00000020.00020000.00000000.sdmpfalse
  • URL Reputation: safe
unknown
https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r=svchost.exe, 0000000A.00000003.1367103659.000001DD04A30000.00000004.00000020.00020000.00000000.sdmpfalse
  • URL Reputation: safe
unknown
IP | Domain | Country | ASN | ASN Name | Malicious
142.250.181.227 | unknown | United States | 15169 | GOOGLEUS | false
2.19.244.127 | unknown | European Union | 16625 | AKAMAI-ASUS | false
172.217.16.206 | unknown | United States | 15169 | GOOGLEUS | false
IP
127.0.0.1
Joe Sandbox version:40.0.0 Tourmaline
Analysis ID:1447827
Start date and time:2024-05-27 08:30:48 +02:00
Joe Sandbox product:CloudBasic
Overall analysis duration:0h 7m 54s
Hypervisor based Inspection enabled:false
Report type:full
Cookbook file name:defaultwindowsinteractivecookbook.jbs
Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:20
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies:
  • HCA enabled
  • EGA enabled
  • AMSI enabled
Analysis Mode:default
Analysis stop reason:Timeout
Sample name:oBX1n79NgQ.exe
renamed because original name is a hash value
Original Sample Name:771a3a3272e20ce119b5090ca974095c0b831f52.exe
Detection:SUS
Classification:sus24.evad.winEXE@22/32@0/4
EGA Information:Failed
HCA Information:
  • Successful, ratio: 100%
  • Number of executed functions: 0
  • Number of non-executed functions: 0
Cookbook Comments:
  • Found application associated with file extension: .exe
  • Exclude process from analysis (whitelisted): dllhost.exe, SIHClient.exe, MoUsoCoreWorker.exe
  • Execution Graph export aborted for target updater.exe, PID 7128 because there are no executed function
  • Not all processes were analyzed, report is missing behavior information
  • Report size exceeded maximum capacity and may have missing behavior information.
  • Report size getting too big, too many NtEnumerateKey calls found.
  • Report size getting too big, too many NtOpenKeyEx calls found.
  • Report size getting too big, too many NtProtectVirtualMemory calls found.
  • Report size getting too big, too many NtQueryValueKey calls found.
  • Report size getting too big, too many NtSetInformationFile calls found.
  • Skipping network analysis since amount of network traffic is too extensive
Time | Type | Description
02:31:18 | API Interceptor | 1x Sleep call for process: updater.exe modified
02:31:22 | API Interceptor | 2x Sleep call for process: svchost.exe modified
02:32:29 | API Interceptor | 1x Sleep call for process: MpCmdRun.exe modified
Match: 2.19.244.127
Associated Sample Name / URL | Detection | Threat Name
https://laurabingham.org/wp-content/plugins/wp-recipe-maker/downexcel.php | malicious | Unknown
n6N8r2Rjfa | malicious | Unknown
FakeWinlogon.7z | malicious | Unknown
https://www.google.com/search?sca_esv=559122478&rlz=1C1GCEU_enUS895US895&q=TPS7A94+%22krad%22&sa=X&ved=2ahUKEwiw4veU7_CAAxXqPEQIHZOoCygQ5t4CegQIKBAB&biw=2560&bih=1323&dpr=1 | malicious | GRQ Scam
email (2).eml | malicious | HTMLPhisher
JUNE INVOICE345467564465456.xlsx | malicious | HTMLPhisher
EXTERNAL New InvoiceStatementFrom Exxir Capital.msg | malicious | HTMLPhisher
2023-03-08_1220.zip | malicious | Emotet
Fattura 783529.zip | malicious | Emotet
https://netorg4256154-my.sharepoint.com/:w:/g/personal/crpatton_workplace_org/EcSkHD8WppBIk8cqOjYd96wB--ZspsHY5nBgG84KpSd9DA?e=4%3aqFLxfz&at=9 | malicious | Unknown
No context
Match: AKAMAI-ASUS
Associated Sample Name / URL | Detection | Threat Name | Context
TEILll7BsZ.exe | malicious | LummaC, CryptOne, LummaC Stealer, SmokeLoader, Vidar | 92.122.104.90
Pd3mM82Bs6.exe | malicious | LummaC, CryptOne, LummaC Stealer, SmokeLoader, Vidar | 104.102.42.29
c3f3d7cea638c32610d85c9c1dfdcfe3cba3dad9e932257113f07ffcac34b280_dump.exe | malicious | LummaC, CryptOne, LummaC Stealer, SmokeLoader, Vidar | 104.102.42.29
https://uncovered-fragrant-climb.glitch.me/public/eleventy.js.html | malicious | HTMLPhisher | 23.50.131.157
T57QiayIem.elf | malicious | Unknown | 23.48.239.165
M4huqujaBY.elf | malicious | Unknown | 104.78.21.180
cVxP229sNF.elf | malicious | Unknown | 96.16.0.180
uBgwoHPWaf.exe | malicious | LummaC, CryptOne, LummaC Stealer, SmokeLoader, Vidar | 23.192.247.89
QJqJic3hex.exe | malicious | LummaC, CryptOne, LummaC Stealer, SmokeLoader, Vidar | 104.102.42.29
HeYgs7bTvy.exe | malicious | LummaC, CryptOne, LummaC Stealer, SmokeLoader, Vidar | 104.102.42.29
No context
No context
                      Process:C:\Windows\SystemTemp\Google7068_1700592644\bin\updater.exe
                      File Type:JSON data
                      Category:dropped
                      Size (bytes):49
                      Entropy (8bit):4.501866476503355
                      Encrypted:false
                      SSDEEP:3:YEGSAsPMF1xf8ty:YEGMS
                      MD5:2738E30424BB4F0DDDB94575F10D5F86
                      SHA1:21573096ECA9B8B7B3D9D68AD6A996807631B5E1
                      SHA-256:5E58028EDD1D27FB853A4B05E62BF20CFC4D042123DB9AE2E7DE01870CB18819
                      SHA-512:0DCCB0267E80A74402D01B0447D9C63178473830A146B5B9C530132AC52E7C73AE940F65D2879BFA5A39F811B61B70EBCA03F85931B15CF63E69FA4F4C12E9F5
                      Malicious:false
                      Preview:{"active_version":"126.0.6462.0","swapping":true}
                      Process:C:\Program Files (x86)\Google\GoogleUpdater\126.0.6462.0\updater.exe
                      File Type:JSON data
                      Category:dropped
                      Size (bytes):19
                      Entropy (8bit):3.6163485660751657
                      Encrypted:false
                      SSDEEP:3:YURAT9:YUWT9
                      MD5:AA2D0C0C72BB528CF4168EA91C1C9A56
                      SHA1:67BE5A0C29B13B92DD86BA935F605C4BA7EEA2CC
                      SHA-256:E03E9D262CA3B7D19E37C3A69C7D8B46BD3F5542AA555A17D864071C28257B2C
                      SHA-512:6BDB9A72B73F11F7627E6FCA0EE1D417201B038CB255D445DD29E5F27DE08E99A6C4729C4C893FFE97E4BC1835532879C47CCEAA051F07B3CDAD06AD17B2D5E7
                      Malicious:false
                      Preview:{"qualified":false}
                      Process:C:\Program Files (x86)\Google\GoogleUpdater\126.0.6462.0\updater.exe
                      File Type:JSON data
                      Category:dropped
                      Size (bytes):19
                      Entropy (8bit):3.6163485660751657
                      Encrypted:false
                      SSDEEP:3:YURAT9:YUWT9
                      MD5:AA2D0C0C72BB528CF4168EA91C1C9A56
                      SHA1:67BE5A0C29B13B92DD86BA935F605C4BA7EEA2CC
                      SHA-256:E03E9D262CA3B7D19E37C3A69C7D8B46BD3F5542AA555A17D864071C28257B2C
                      SHA-512:6BDB9A72B73F11F7627E6FCA0EE1D417201B038CB255D445DD29E5F27DE08E99A6C4729C4C893FFE97E4BC1835532879C47CCEAA051F07B3CDAD06AD17B2D5E7
                      Malicious:false
                      Preview:{"qualified":false}
                      Process:C:\Windows\SystemTemp\Google7068_1700592644\bin\updater.exe
                      File Type:DOS batch file, ASCII text, with CRLF line terminators
                      Category:dropped
                      Size (bytes):653
                      Entropy (8bit):4.923215133873056
                      Encrypted:false
                      SSDEEP:12:2snTJp6rOanOFkgU4hEu8NRaPJRRmvxOgtc/aH+ndUE:7T+rjO+Z4hTb6dIa8P
                      MD5:FBC297EE9060D4256192E4EDB98CAD1B
                      SHA1:F305C065378AEC46EB4DACAAEEE3F866B1527105
                      SHA-256:099592FFA867124D16C0C6D868AF1214FD2B7180FA76E4EEE01ABF2A5CF8F044
                      SHA-512:C867D366252E5124C6560FBB42ED4473DC7546360BC1221E9FCBC192E9216D6265E41AD26A733F7566C064B136AE02E21EF5F7095FCB6AE6F65B6FBEB3401FFE
                      Malicious:false
                      Preview:@echo off....rem Deletes recursively the directory specified by the `--dir` command line..rem argument of the script. The directory must be an updater install path.....echo %1 %2..if not "%1"=="--dir" (.. echo "Invalid switch.".. exit 1..)....set Directory=%2....rem Validate the path is an updater path...@echo %Directory% | FindStr /L \Google\GoogleUpdater > nul..if %ERRORLEVEL% NEQ 0 (.. echo "Invalid argument.".. exit 2..)....rem Try deleting the directory 15 times and wait one second between tries...for /L %%G IN (1,1,15) do (.. ping -n 2 127.0.0.1 > nul.. rmdir %Directory% /s /q > nul.. if not exist %Directory% exit 0..)....exit 3....
                      Process:C:\Windows\SystemTemp\Google7068_1700592644\bin\updater.exe
                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                      Category:dropped
                      Size (bytes):4794656
                      Entropy (8bit):6.797091169119905
                      Encrypted:false
                      SSDEEP:98304:IyENIIut+hl5pU9HLOaFAIH3TcLWGO7d09GZkrCRfR:bEN2tm5pOuU3TcLWGO7djZkrC5R
                      MD5:95222FAEEAB2CEBE9502F2E123D5DD2A
                      SHA1:DAC0E46C7B0BC998BEE826538A3128FBE396E638
                      SHA-256:B8AF4588875E697E49DB4E1FF5833EF8F89FFDE327AB9DC9FAD101551D6AEC28
                      SHA-512:AAEC6212BB69D7DBF4B7D09DFA6CCFCA803835C19A5974F534F7DB2D6235E741BB404969B2695FF9487EE2C7AC2AB1F740A436332B740B45FBAF579C6E13BF4F
                      Malicious:true
                      Antivirus:
                      • Antivirus: ReversingLabs, Detection: 0%
                      • Antivirus: Virustotal, Detection: 0%, Browse
                      Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....H8f.........."......F5..........q............@...........................J.....A.I...@...........................>.P...p.>.......A.H.............I. )....H......>.......................>......b5...............?.......>.@....................text...'E5......F5................. ..`.rdata.. ....`5......J5.............@..@.data....t...p?..V...L?.............@....tls....q.....@.......?.............@...CPADinfo(.....A.......?.............@....rsrc...H.....A.......?.............@..@.reloc........H......8G.............@..B................................................................................................................................................................................................................................................................................................................................................................
                      Process:C:\Program Files (x86)\Google\GoogleUpdater\126.0.6462.0\updater.exe
                      File Type:JSON data
                      Category:dropped
                      Size (bytes):407
                      Entropy (8bit):4.946335397493816
                      Encrypted:false
                      SSDEEP:12:YewPFPuTEf4WcLfyAGVWTUQBaHSw5iuCY:YewNPWj9yAGVWTUQBayWiub
                      MD5:0C7BB1BCF5B8EE88537FEFDBFC59F8C2
                      SHA1:26059A80CEA72A037DB3489D83D6A9F954814F7B
                      SHA-256:03A0781EE86237A4FD90548DC218D743FA62C8B6B7F3B4E450AC1631C33AFAEC
                      SHA-512:90F93BBE85AFB68E9352AB5E39C77B9FAC7FF3948DC8CB8591677258CFCE840B8519F57692BA1E0DCD4B8C525CB772E783E0F6DF5CA575BCD516ECF6658EB42F
                      Malicious:false
                      Preview:{"active_version":"126.0.6462.0","converted_legacy_updaters":true,"swapping":false,"updateclientdata":{"apps":{"{44fc7fe2-65ce-487c-93f4-edee46eeaaab}":{"dla":-1,"dlrc":-1,"installdate":-1,"pv":"126.0.6462.0"},"{8a69d345-d564-463c-aff1-a69d9e530f96}":{"ap":"x64-stable-statsdef_1","bc":"ONGR","cohort":"1:gu:1zzl@0.5","cohortname":"Stable","dla":6246,"dlrc":6246,"installdate":6119,"pv":"117.0.5938.132"}}}}
                      Process:C:\Program Files (x86)\Google\GoogleUpdater\126.0.6462.0\updater.exe
                      File Type:JSON data
                      Category:dropped
                      Size (bytes):456
                      Entropy (8bit):4.937096547320463
                      Encrypted:false
                      SSDEEP:12:Yewj9FPuTEf4WcLfyACWTUQBaHSw5iuCY:YewjTPWj9yACWTUQBayWiub
                      MD5:A2C40B49F1838639E55BC42D22FE0A12
                      SHA1:79585A77CC2A43473BD5C2B421B1AF61CCBA0CED
                      SHA-256:1F5D8A514DCD1C5448B3347A5C23F062ECD9181A72C9DF696202BDF1C7026B0A
                      SHA-512:757398DCC0693AE03F754427FB04C202DA0162ACDC3A48DDEA0B1B49558AACF96F0951B7521D16A85BB824DDB86A0385410CFB6F5049580E1F029EBB33890074
                      Malicious:false
                      Preview:{"active_version":"126.0.6462.0","converted_legacy_updaters":true,"eula_required":false,"had_apps":true,"server_starts":1,"swapping":false,"updateclientdata":{"apps":{"{44fc7fe2-65ce-487c-93f4-edee46eeaaab}":{"dla":-1,"dlrc":-1,"installdate":-1,"pv":"126.0.6462.0"},"{8a69d345-d564-463c-aff1-a69d9e530f96}":{"ap":"x64-statsdef_1","bc":"ONGR","cohort":"1:gu:1zzl@0.5","cohortname":"Stable","dla":6246,"dlrc":6246,"installdate":6119,"pv":"117.0.5938.132"}}}}
                      Process:C:\Program Files (x86)\Google\GoogleUpdater\126.0.6462.0\updater.exe
                      File Type:JSON data
                      Category:dropped
                      Size (bytes):520
                      Entropy (8bit):5.011212324290353
                      Encrypted:false
                      SSDEEP:6:YEGMo7kXIGkiCf1FPGtTEmeHBJEHWo5DusQK4ZXQCaBTVxIUiE2FVL8pZOrRuXSY:Yewj9FPuTEf4WcLfyACW7BimpZ8RuCY
                      MD5:C5690FE326AA678B9A9E8C79A815C5A2
                      SHA1:ECF1E1CC436D13C4EA999B3655F21BAB3369A744
                      SHA-256:3869969312BAC5417EF0BC9553F9106B9A2210304AD4BDC19F743DE846FCB5C0
                      SHA-512:D6749A0454BC8AB83534ACDC34717BCA2072753114DDDE02EC9B6C2F8114F84C8421BDFF482E9065C5D717B55776A0C114802DB86CAFA98FCBCABCE11C361498
                      Malicious:false
                      Preview:{"active_version":"126.0.6462.0","converted_legacy_updaters":true,"eula_required":false,"had_apps":true,"server_starts":1,"swapping":false,"updateclientdata":{"apps":{"{44fc7fe2-65ce-487c-93f4-edee46eeaaab}":{"dla":-1,"dlrc":-1,"installdate":-1,"pv":"126.0.6462.0"},"{8a69d345-d564-463c-aff1-a69d9e530f96}":{"ap":"x64-statsdef_1","bc":"ONGR","cohort":"1:gu/i19:","cohortname":"Stable Installs & Version Pins","dla":6246,"dlrc":6355,"installdate":6119,"pf":"d484a09d-e1ec-442e-af08-741340bb36e5","pv":"117.0.5938.132"}}}}
                      Process:C:\Windows\SystemTemp\Google7068_1700592644\bin\updater.exe
                      File Type:JSON data
                      Category:dropped
                      Size (bytes):49
                      Entropy (8bit):4.501866476503355
                      Encrypted:false
                      SSDEEP:3:YEGSAsPMF1xf8ty:YEGMS
                      MD5:2738E30424BB4F0DDDB94575F10D5F86
                      SHA1:21573096ECA9B8B7B3D9D68AD6A996807631B5E1
                      SHA-256:5E58028EDD1D27FB853A4B05E62BF20CFC4D042123DB9AE2E7DE01870CB18819
                      SHA-512:0DCCB0267E80A74402D01B0447D9C63178473830A146B5B9C530132AC52E7C73AE940F65D2879BFA5A39F811B61B70EBCA03F85931B15CF63E69FA4F4C12E9F5
                      Malicious:false
                      Preview:{"active_version":"126.0.6462.0","swapping":true}
                      Process:C:\Program Files (x86)\Google\GoogleUpdater\126.0.6462.0\updater.exe
                      File Type:JSON data
                      Category:dropped
                      Size (bytes):49
                      Entropy (8bit):4.501866476503355
                      Encrypted:false
                      SSDEEP:3:YEGSAsPMF1xf8ty:YEGMS
                      MD5:2738E30424BB4F0DDDB94575F10D5F86
                      SHA1:21573096ECA9B8B7B3D9D68AD6A996807631B5E1
                      SHA-256:5E58028EDD1D27FB853A4B05E62BF20CFC4D042123DB9AE2E7DE01870CB18819
                      SHA-512:0DCCB0267E80A74402D01B0447D9C63178473830A146B5B9C530132AC52E7C73AE940F65D2879BFA5A39F811B61B70EBCA03F85931B15CF63E69FA4F4C12E9F5
                      Malicious:false
                      Preview:{"active_version":"126.0.6462.0","swapping":true}
                      Process:C:\Program Files (x86)\Google\GoogleUpdater\126.0.6462.0\updater.exe
                      File Type:JSON data
                      Category:dropped
                      Size (bytes):49
                      Entropy (8bit):4.501866476503355
                      Encrypted:false
                      SSDEEP:3:YEGSAsPMF1xf8ty:YEGMS
                      MD5:2738E30424BB4F0DDDB94575F10D5F86
                      SHA1:21573096ECA9B8B7B3D9D68AD6A996807631B5E1
                      SHA-256:5E58028EDD1D27FB853A4B05E62BF20CFC4D042123DB9AE2E7DE01870CB18819
                      SHA-512:0DCCB0267E80A74402D01B0447D9C63178473830A146B5B9C530132AC52E7C73AE940F65D2879BFA5A39F811B61B70EBCA03F85931B15CF63E69FA4F4C12E9F5
                      Malicious:false
                      Preview:{"active_version":"126.0.6462.0","swapping":true}
                      Process:C:\Program Files (x86)\Google\GoogleUpdater\126.0.6462.0\updater.exe
                      File Type:JSON data
                      Category:dropped
                      Size (bytes):49
                      Entropy (8bit):4.501866476503355
                      Encrypted:false
                      SSDEEP:3:YEGSAsPMF1xf8ty:YEGMS
                      MD5:2738E30424BB4F0DDDB94575F10D5F86
                      SHA1:21573096ECA9B8B7B3D9D68AD6A996807631B5E1
                      SHA-256:5E58028EDD1D27FB853A4B05E62BF20CFC4D042123DB9AE2E7DE01870CB18819
                      SHA-512:0DCCB0267E80A74402D01B0447D9C63178473830A146B5B9C530132AC52E7C73AE940F65D2879BFA5A39F811B61B70EBCA03F85931B15CF63E69FA4F4C12E9F5
                      Malicious:false
                      Preview:{"active_version":"126.0.6462.0","swapping":true}
                      Process:C:\Program Files (x86)\Google\GoogleUpdater\126.0.6462.0\updater.exe
                      File Type:ASCII text, with very long lines (45447)
                      Category:modified
                      Size (bytes):1328893
                      Entropy (8bit):6.045834959696742
                      Encrypted:false
                      SSDEEP:24576:/SbY9scDnPQ5+UNkM0LLwLreMwHCoCsx2YL55ZmlwHmJ6Y0QE2zRewTYtl:G70LLRHJ52ww0QErsYtl
                      MD5:EE7756524B62BC1ABA4766AF93B53B1C
                      SHA1:3F9CE938D15216C6ECCC7D8000688AFFD3546901
                      SHA-256:6EAAFA8B224041112FE216FFFB44669C077B487C3B889E26D042E69E59A124EB
                      SHA-512:135DF40C4AFD21169EB64C9A780E3AC2433135E6B55B0904306DDB9380169C62083A29CB4D074F35BDA9E631D64CF9FE44221D12C1FF6C2CC596318F4E8293D9
                      Malicious:false
                      Preview:[7068:7072:0527/023115.570:VERBOSE1:installer.cc(386)] "C:\Users\user\Desktop\oBX1n79NgQ.exe" --install=appguid={8A69D345-D564-463C-AFF1-A69D9E530F96}&iid={8D0CD419-2DAC-C85B-BCFF-DB2D99044B99}&lang=en&browser=5&usagestats=0&appname=Google%20Chrome&needsadmin=prefers&ap=x64-statsdef_1&installdataindex=empty --enable-logging --vmodule=*/components/winhttp/*=1,*/components/update_client/*=2,*/chrome/updater/*=2.[7128:7132:0527/023116.128:VERBOSE1:updater.cc(326)] Version: 126.0.6462.0, opt, 32 bits, command line: "C:\Windows\SystemTemp\Google7068_1700592644\bin\updater.exe" --install=appguid={8A69D345-D564-463C-AFF1-A69D9E530F96}&iid={8D0CD419-2DAC-C85B-BCFF-DB2D99044B99}&lang=en&browser=5&usagestats=0&appname=Google%20Chrome&needsadmin=prefers&ap=x64-statsdef_1&installdataindex=empty --enable-logging --vmodule=*/components/winhttp/*=1,*/components/update_client/*=2,*/chrome/updater/*=2.[7128:7132:0527/023116.128:VERBOSE1:updater.cc(328)] OS version: 10.0.19045.2006, System uptime (secon
                      Process:C:\Program Files (x86)\Google\GoogleUpdater\126.0.6462.0\updater.exe
                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                      Category:dropped
                      Size (bytes):4794656
                      Entropy (8bit):6.797091169119905
                      Encrypted:false
                      SSDEEP:98304:IyENIIut+hl5pU9HLOaFAIH3TcLWGO7d09GZkrCRfR:bEN2tm5pOuU3TcLWGO7djZkrC5R
                      MD5:95222FAEEAB2CEBE9502F2E123D5DD2A
                      SHA1:DAC0E46C7B0BC998BEE826538A3128FBE396E638
                      SHA-256:B8AF4588875E697E49DB4E1FF5833EF8F89FFDE327AB9DC9FAD101551D6AEC28
                      SHA-512:AAEC6212BB69D7DBF4B7D09DFA6CCFCA803835C19A5974F534F7DB2D6235E741BB404969B2695FF9487EE2C7AC2AB1F740A436332B740B45FBAF579C6E13BF4F
                      Malicious:false
                      Antivirus:
                      • Antivirus: ReversingLabs, Detection: 0%
                      • Antivirus: Virustotal, Detection: 0%, Browse
                      Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....H8f.........."......F5..........q............@...........................J.....A.I...@...........................>.P...p.>.......A.H.............I. )....H......>.......................>......b5...............?.......>.@....................text...'E5......F5................. ..`.rdata.. ....`5......J5.............@..@.data....t...p?..V...L?.............@....tls....q.....@.......?.............@...CPADinfo(.....A.......?.............@....rsrc...H.....A.......?.............@..@.reloc........H......8G.............@..B................................................................................................................................................................................................................................................................................................................................................................
                      Process:C:\Windows\System32\svchost.exe
                      File Type:data
                      Category:dropped
                      Size (bytes):1310720
                      Entropy (8bit):0.7946174631381349
                      Encrypted:false
                      SSDEEP:3072:yJjAgNE4Pj5vHcjTcyBP9UjaaQ/ka4qWn:QAgN8nj/ka4
                      MD5:2E62F700DBEF6F4FD6A791B1804F4B5A
                      SHA1:D87749E0A93088A08FEE21C698D668B192FAA596
                      SHA-256:801EA5DD22FA71303DE1D5A23D690E5687C16A9EA817709E3883DDBBB88259FE
                      SHA-512:4A664E1945E976EAC18FE6E71245295561C16398E359D8FA4D4E5DE3E3121C3A4E0579B8A5454AED1C5D7EA769D21C9C8727914893F51A64E28113835BB1B97D
                      Malicious:false
                      Process:C:\Windows\System32\svchost.exe
                      File Type:Extensible storage engine DataBase, version 0x620, checksum 0x50444f60, page size 16384, DirtyShutdown, Windows version 10.0
                      Category:dropped
                      Size (bytes):1310720
                      Entropy (8bit):0.7864922108122813
                      Encrypted:false
                      SSDEEP:1536:DSB2ESB2SSjlK/6vDfi5Wy10MctJ+t9ka4XQ0/Ykr3g16L2UPkLk+kyt4eCu3uZB:Dazaovh7uka4Es2U1RFNp3pvHzrHBHz
                      MD5:F1F574BA6776F9CF62C90958FBD59CA6
                      SHA1:82D6CD3059A17173504CF57C9C6E29894ABFC74E
                      SHA-256:AE441D85BE6445455F44C2DB80FC86227107A1C04D0C044A1EC99EB2A8A24D4E
                      SHA-512:DE6B583521752E5BC492F1CAE562F58D0CE188AFF138B30DDF9DCBD213D291F131396A414FEE71722CBA4EA33030E718C788B6F4E88BE3FD239E3798437608CC
                      Malicious:false
                      Process:C:\Windows\System32\svchost.exe
                      File Type:data
                      Category:dropped
                      Size (bytes):16384
                      Entropy (8bit):0.08165831017916597
                      Encrypted:false
                      SSDEEP:3:9Pll/EYeE8ZQjoWjvegMsjv/Ss/IGYZX/tgZQjl1ollSdLvl+/rS56/:9PXEzXZQdjGxsYSQZeQN0e
                      MD5:E9C25FE9F9A52D9FDEB833DD4D309CB6
                      SHA1:3980A63D56271DC7B50ABF15846C95DCEFD5AB1E
                      SHA-256:8CC2DA718D35E6C751EE87AA5C724095E05DABF9DB2786B325E750DD0953D498
                      SHA-512:DE95E137CD971C92103762E347BDC690A46D68D872F163E5BB07079FF52E415CDCD2DE9B89CFC6949CEE9C542B866D095F491581EF6872AA37F4A73656E420BC
                      Malicious:false
                      Process:C:\Windows\System32\svchost.exe
                      File Type:data
                      Category:dropped
                      Size (bytes):4096
                      Entropy (8bit):1.188324460838318
                      Encrypted:false
                      SSDEEP:12:o+jqPqF69Fq5jU38lQk56GWtbgjO3s7Nxk56GZkt6LBSk8pFvw+N:nc1gQGtm2jGtZtDeFHN
                      MD5:7A8A613976B7B7669E886D35D8110087
                      SHA1:292A74890C0E54BEE5469A5962559AA29BE1FFE4
                      SHA-256:63D53541E207022EC2CA940B01A0E429F49167780DF7D6AA01A70A5143EE9F96
                      SHA-512:FC0A4F8477778EC2B46DB657FFE0830D8015A13ECB5699DD450635DDBB94B58ED34A44C1D4592F60E29692E5D2CB3EA82490F62C7B468A6598ACC81863B90B61
                      Malicious:false
                      Process:C:\Windows\SystemTemp\Google7068_1700592644\bin\updater.exe
                      File Type:PC bitmap, Windows 3.x format, 92 x 24 x 24, resolution 2835 x 2835 px/m, cbSize 6678, bits offset 54
                      Category:modified
                      Size (bytes):6678
                      Entropy (8bit):3.742120780049679
                      Encrypted:false
                      SSDEEP:96:ITfMHLJWJLJJJGKJYJh5W8JxZpkuhfnQ3t2ms3kglj:I0x51aLfsNj
                      MD5:64C3009B9F0526A4FD2C8A9825B86F7D
                      SHA1:F501929B39E6488F26EFE5FAB3AB71EC879DE6AD
                      SHA-256:B49EDF5F970FA5B4D0608C2934053929E20D54C5E052164B4D2B375F2CB7E409
                      SHA-512:DECB6594DA8F5713A5DD9F0F80266BE9A0B3DE6A09EF3C45A0C28A10AF7977CF06A817A2D867F10F5F376475DB2D11CD21BC5F1D1D969162FCFF50F2053EACE9
                      Malicious:false
                      Process:C:\Windows\SystemTemp\Google7068_1700592644\bin\updater.exe
                      File Type:Composite Document File V2 Document, Cannot read section info
                      Category:dropped
                      Size (bytes):8704
                      Entropy (8bit):3.8505081657468243
                      Encrypted:false
                      SSDEEP:96:vTfMHLJWJLJJJGKJYJh5W8JxZpkuhfnQ3t2ms3kgl:v0x51aLfsN
                      MD5:5C2E7CBBA073E1B3A400453E928C9643
                      SHA1:268CF1D9FB0DAB1F9496CE81144504B1C351CCCC
                      SHA-256:0BE327163809789793EF4C602FE1A1687212E7D7A9B03D62B784CD8845AB4D38
                      SHA-512:4DB4728F46F45BF1458284D8C5370906FDB34CEDF50FE0DD8DEAF797A70823087A74D076D104AB79906AB83C2E5A087290E3C7F0344D4AF4F38F61CC542561D2
                      Malicious:false
                      Process:C:\Windows\System32\svchost.exe
                      File Type:JSON data
                      Category:dropped
                      Size (bytes):55
                      Entropy (8bit):4.306461250274409
                      Encrypted:false
                      SSDEEP:3:YDQRWu83XfAw2fHbY:YMRl83Xt2f7Y
                      MD5:DCA83F08D448911A14C22EBCACC5AD57
                      SHA1:91270525521B7FE0D986DB19747F47D34B6318AD
                      SHA-256:2B4B2D4A06044AD0BD2AE3287CFCBECD90B959FEB2F503AC258D7C0A235D6FE9
                      SHA-512:96F3A02DC4AE302A30A376FC7082002065C7A35ECB74573DE66254EFD701E8FD9E9D867A2C8ABEB4C482738291B715D4965A0D2412663FDF1EE6CBC0BA9FBACA
                      Malicious:false
                      Preview:{"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}
                      Process:C:\Program Files\Windows Defender\MpCmdRun.exe
                      File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                      Category:modified
                      Size (bytes):4926
                      Entropy (8bit):3.245270539372925
                      Encrypted:false
                      SSDEEP:48:FaqdF78F7B+AAHdKoqKFxcxkFiF7KaqdF7tZ+AAHdKoqKFxcxkF/z:cEOB+AAsoJjykePE7+AAsoJjykh
                      MD5:3C58A9B46096F9BFDC7B848AAD3CB150
                      SHA1:1224F55355BAB0B537D39628391B32B3B9F924B5
                      SHA-256:7E9A078AFEE10775CFDF4EA8DCA1357C25CE484812C8A4A1C6FC6D2DBE34FA25
                      SHA-512:74D28B3B7821E74C21ED0984F22EAAA7AF4F81D8254F4ACB2468BAFF1828DA61CDCF76DD1C40CD7ACF00C80381F2198B3FA0D4CC631017FFDB90D35230FE4459
                      Malicious:false
                      Process:C:\Users\user\Desktop\oBX1n79NgQ.exe
                      File Type:DOS batch file, ASCII text, with CRLF line terminators
                      Category:dropped
                      Size (bytes):653
                      Entropy (8bit):4.923215133873056
                      Encrypted:false
                      SSDEEP:12:2snTJp6rOanOFkgU4hEu8NRaPJRRmvxOgtc/aH+ndUE:7T+rjO+Z4hTb6dIa8P
                      MD5:FBC297EE9060D4256192E4EDB98CAD1B
                      SHA1:F305C065378AEC46EB4DACAAEEE3F866B1527105
                      SHA-256:099592FFA867124D16C0C6D868AF1214FD2B7180FA76E4EEE01ABF2A5CF8F044
                      SHA-512:C867D366252E5124C6560FBB42ED4473DC7546360BC1221E9FCBC192E9216D6265E41AD26A733F7566C064B136AE02E21EF5F7095FCB6AE6F65B6FBEB3401FFE
                      Malicious:false
                      Preview:@echo off....rem Deletes recursively the directory specified by the `--dir` command line..rem argument of the script. The directory must be an updater install path.....echo %1 %2..if not "%1"=="--dir" (.. echo "Invalid switch.".. exit 1..)....set Directory=%2....rem Validate the path is an updater path...@echo %Directory% | FindStr /L \Google\GoogleUpdater > nul..if %ERRORLEVEL% NEQ 0 (.. echo "Invalid argument.".. exit 2..)....rem Try deleting the directory 15 times and wait one second between tries...for /L %%G IN (1,1,15) do (.. ping -n 2 127.0.0.1 > nul.. rmdir %Directory% /s /q > nul.. if not exist %Directory% exit 0..)....exit 3....
                      Process:C:\Users\user\Desktop\oBX1n79NgQ.exe
                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                      Category:dropped
                      Size (bytes):4794656
                      Entropy (8bit):6.797091169119905
                      Encrypted:false
                      SSDEEP:98304:IyENIIut+hl5pU9HLOaFAIH3TcLWGO7d09GZkrCRfR:bEN2tm5pOuU3TcLWGO7djZkrC5R
                      MD5:95222FAEEAB2CEBE9502F2E123D5DD2A
                      SHA1:DAC0E46C7B0BC998BEE826538A3128FBE396E638
                      SHA-256:B8AF4588875E697E49DB4E1FF5833EF8F89FFDE327AB9DC9FAD101551D6AEC28
                      SHA-512:AAEC6212BB69D7DBF4B7D09DFA6CCFCA803835C19A5974F534F7DB2D6235E741BB404969B2695FF9487EE2C7AC2AB1F740A436332B740B45FBAF579C6E13BF4F
                      Malicious:true
                      Antivirus:
                      • Antivirus: ReversingLabs, Detection: 0%
                      • Antivirus: Virustotal, Detection: 0%
                      Process:C:\Users\user\Desktop\oBX1n79NgQ.exe
                      File Type:7-zip archive data, version 0.4
                      Category:dropped
                      Size (bytes):4795504
                      Entropy (8bit):6.797272378551999
                      Encrypted:false
                      SSDEEP:98304:0yENIIut+hl5pU9HLOaFAIH3TcLWGO7d09GZkrCRfRX:nEN2tm5pOuU3TcLWGO7djZkrC5RX
                      MD5:6DAE9FBB56642743BE1FC8BDEDB791C2
                      SHA1:0D7C375E7BB378190D142F85D5DDCBA8F0675F07
                      SHA-256:04C4C27BC623E52C1A348924D3FFB4827663888141259F211890B34424AE5AE4
                      SHA-512:DC609BAC461FB84973F976B860FCD858B385A55CD53E6FF6A5329471E5EB20C13042AF305F4A7D121B9E21AF1D8DF7E199F7AD207F7653E1B856229858A132CE
                      Malicious:false
                      Process:C:\Users\user\Desktop\oBX1n79NgQ.exe
                      File Type:7-zip archive data, version 0.4
                      Category:dropped
                      Size (bytes):4795634
                      Entropy (8bit):6.797251972564827
                      Encrypted:false
                      SSDEEP:98304:0yENIIut+hl5pU9HLOaFAIH3TcLWGO7d09GZkrCRfRO:nEN2tm5pOuU3TcLWGO7djZkrC5RO
                      MD5:C5A5386E06DFEAADE687B981D6845FA9
                      SHA1:FDB52DBDF5832EE99003725F0FB05775FED11A0D
                      SHA-256:8091E8858BAAE8D9DE5680C22322DCB4E4CE888AFC021E418DB29B7165483AFC
                      SHA-512:1D03FA9ED5916DA8DF7910E47EC274DA6B9BAA6447630E591013CDD4E4833B2FF8F43060AA984DA31DF62E0EC01ABCB705AD5D4A08872C43295D904562C38B33
                      Malicious:false
                      Process:C:\Program Files (x86)\Google\GoogleUpdater\126.0.6462.0\updater.exe
                      File Type:PE32+ executable (GUI) x86-64, for MS Windows
                      Category:dropped
                      Size (bytes):113062448
                      Entropy (8bit):7.999993331426941
                      Encrypted:true
                      SSDEEP:3145728:SzAO4gB/Ni7twFa5fqNKMQbYSaRDyLF03xpO+2FRla:YAHmeDnTZOm+2FRU
                      MD5:081A95E1BC6A90E22F4ABA75947B111A
                      SHA1:6B19BA41A0D3AB1BA59599A48046C777DD747117
                      SHA-256:8869D64F87816FE5365A5E0AC5AF479EB309D62A32A9D22816755B9BCA9DB284
                      SHA-512:3D9E2C04735614FF4F743886A28BD36CB2A4F4EBBF6A0E97258A70ADBF7EF590529A59B84DBF8BDDBE1D52457075FFBB77ADA53DAC189E10724D7C5C05664690
                      Malicious:true
                      Antivirus:
                      • Antivirus: ReversingLabs, Detection: 0%
                      • Antivirus: Virustotal, Detection: 0%
                      Process:C:\Program Files (x86)\Google\GoogleUpdater\126.0.6462.0\updater.exe
                      File Type:JSON data
                      Category:dropped
                      Size (bytes):1459
                      Entropy (8bit):5.990928431982429
                      Encrypted:false
                      SSDEEP:24:pZRj/flT6rH50opRstVmdYpv7aoXlwhxo4IKACjxJxqOoXp/QRouRWhv4MX0Xh:p/h6dMtAdYpv7aklwnNIK1QOkZ0RWhva
                      MD5:3AA3E0093BDEE2792E941EAD76997BBE
                      SHA1:FF14E5FCDEE3D8FD8A8A0AB9A826568D6EF740DC
                      SHA-256:61866F067AF70A37BC324D43BE7874E58EC4BB1D54A46227960DEEEAB3D1416E
                      SHA-512:572137B3484FC8F8B44234737B03D5B299C0AB1697DE0AE1CDFC63AEE7A2D0A7198D8939A66FE4012EAA211A94345E33ACF5D8B7F80CAEA78181A050E36FEFC6
                      Malicious:false
                      Process:C:\Program Files (x86)\Google\GoogleUpdater\126.0.6462.0\updater.exe
                      File Type:Unicode text, UTF-8 (with BOM) text, with very long lines (65533), with no line terminators
                      Category:dropped
                      Size (bytes):646139
                      Entropy (8bit):6.022417709736822
                      Encrypted:false
                      SSDEEP:12288:noUVsxkhg/L55Z0SulglHmJAdY0GhE2amRhELEImtYlNDtg:noCsx2YL55ZmlwHmJ6Y0QE2zRewTYtg
                      MD5:156C30C8FF6F86C572A4C1F6C56A5D18
                      SHA1:D439791E116F76815C503F9526CD47C775D72CA3
                      SHA-256:80643F1A399CB74ECC8E3AE38FAB16F1C01C8FBBB87744B9D42A799C55A090F9
                      SHA-512:3463344E3B1C6FD3CDE8C926EB6A560A5EDAFF7BC3E84706CAF32BC74F77CA70174C2E1979913082C793EF134D6658027A6597109B3AF62DD0B9CE58A48202F5
                      Malicious:false
                      Process:C:\Program Files (x86)\Google\GoogleUpdater\126.0.6462.0\updater.exe
                      File Type:ASCII text, with no line terminators
                      Category:dropped
                      Size (bytes):66
                      Entropy (8bit):3.919078122092779
                      Encrypted:false
                      SSDEEP:3:SqzQHIpSCYGcBSED2S6byzzcVUwn:SfHIUGcBSq1Pz2Uwn
                      MD5:4116CB9AE0F1240BC12F4D935E370418
                      SHA1:AE99D9B7F18A222441B39E0AEA104A3EA2E77063
                      SHA-256:AD1BD36A4C6B6D1F1D3DDE0D4BF5C8B655BB83F1848776FA54BF9855F2AC60BC
                      SHA-512:AEF0654D40E2DE94B97BADE3C3F90667AFD47B5AA7AAA3D54C0470DCBB3A5D7F690064923F15BDFFF8D903049283C994A0074CA00DDCA0414872424DE2E4C2BD
                      Malicious:false
                      Preview:1.af4056dff86a0f736adeea2f1c9247c6fb37a611754450eb01e36582171805b6
                      Process:C:\Program Files (x86)\Google\GoogleUpdater\126.0.6462.0\updater.exe
                      File Type:JSON data
                      Category:dropped
                      Size (bytes):107
                      Entropy (8bit):4.629827473688602
                      Encrypted:false
                      SSDEEP:3:rR6TAulhFphifFjVLTtWc6YJOXLNBFFKS1DVLTtd:F6VlM8c6kOXLLKS1h
                      MD5:20606BCE9915CFAA0889001CDA020E09
                      SHA1:A909DCECD8495EE497272ED1A83FA902722BE668
                      SHA-256:A838FE7A6043A86804408841001A08AF7E3A18BA62640631DB8BE808727FC939
                      SHA-512:B12AF2FE6F4B34E3954D7B4495532409F590BAE6AD754A5F3F7179164B180765DCBE5F0A6D17D9AFFF7BCA9ECF07D6A92D0AF5B12F78EB79C169A0451C547DC9
                      Malicious:false
                      Preview:{. "manifest_version": 2,. "name": "125.0.6422.113_chrome_installer.exe",. "version": "125.0.6422.113".}
                      Process:C:\Program Files (x86)\Google\GoogleUpdater\126.0.6462.0\updater.exe
                      File Type:Google Chrome extension, version 3
                      Category:dropped
                      Size (bytes):113074060
                      Entropy (8bit):7.999996405747687
                      Encrypted:true
                      SSDEEP:3145728:Jv8cKsTDLUh52zsZlIF82onGSGLPwvRmtXp2oewbnKO:N8nQebn/5Q2oewbKO
                      MD5:D4C50F2A91605A1CCD69F9F400C97819
                      SHA1:D0D1A817427CD45F7520E95C44B9D6A17403D3AD
                      SHA-256:AF4056DFF86A0F736ADEEA2F1C9247C6FB37A611754450EB01E36582171805B6
                      SHA-512:CDFF92E839A56A9A97C4AA2BFB8D641FDB68056B54AEDCDF734A78E20EEE7BAE33FF4665C012B8B6CA6F0138684DC77D9C62154836BEAB6AA87557F90D069DF3
                      Malicious:false
                      File type:PE32 executable (GUI) Intel 80386, for MS Windows
                      Entropy (8bit):6.7962273041061545
                      TrID:
                      • Win32 Executable (generic) a (10002005/4) 99.96%
                      • Generic Win/DOS Executable (2004/3) 0.02%
                      • DOS Executable Generic (2002/1) 0.02%
                      • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                      File name:oBX1n79NgQ.exe
                      File size:8'730'176 bytes
                      MD5:de2e32e7e89454a112c83f0c5a86cc45
                      SHA1:771a3a3272e20ce119b5090ca974095c0b831f52
                      SHA256:8c3b98d51b59adb5b3d55a704304345930da7ed2d7fd78652bb700b0fc7fd556
                      SHA512:0d23a0bb1e870570d8eff0efe831f9bcfab54dba8aa9152a4cb3b81a2c957f00440c654d84ff5d537f43658b809f29635e57cf0481e9d23f2d968e77c9706bc4
                      SSDEEP:196608:WIVCzv5nF2CoAKQ5/X5bEN2tm5pOuU3TcLWGO7djZkrC5RQ:WIVCT5UJAKQNX5bENYm5IV3TcLWGO7tf
                      TLSH:BD969D12F6A09135E9A33132B53D673E9D323E329F3589CB83842C942FB46D1653979B
                      Icon Hash:2f232d67b7934633
                      Entrypoint:0x53edc0
                      Entrypoint Section:.text
                      Digitally signed:true
                      Imagebase:0x400000
                      Subsystem:windows gui
                      Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
                      DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
                      Time Stamp:0x663848AC [Mon May 6 03:04:12 2024 UTC]
                      TLS Callbacks:0x4bfdd0, 0x53dcc0, 0x4b0790, 0x53d910, 0x47d470, 0x4bb0a0
                      CLR (.Net) Version:
                      OS Version Major:10
                      OS Version Minor:0
                      File Version Major:10
                      File Version Minor:0
                      Subsystem Version Major:10
                      Subsystem Version Minor:0
                      Import Hash:34795544dc661f1ff917279b17571b81
                      Signature Valid:true
                      Signature Issuer:CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1, O="DigiCert, Inc.", C=US
                      Signature Validation Error:The operation completed successfully
                      Error Number:0
                      Not Before, Not After
                      • 02/07/2021 02:00:00 11/07/2024 01:59:59
                      Subject Chain
                      • CN=Google LLC, O=Google LLC, L=Mountain View, S=California, C=US
                      Version:3
                      Thumbprint MD5:DC429A22AA63D23DB8E84F53D05D1D48
                      Thumbprint SHA-1:2673EA6CC23BEFFDA49AC715B121544098A1284C
                      Thumbprint SHA-256:7D3D117664F121E592EF897973EF9C159150E3D736326E9CD2755F71E0FEBC0C
                      Serial:0E4418E2DEDE36DD2974C3443AFB5CE5
                      Instruction
                      call 00007F22C89CE4AAh
                      jmp 00007F22C89CE31Dh
                      mov ecx, dword ptr [0073E040h]
                      push esi
                      push edi
                      mov edi, BB40E64Eh
                      mov esi, FFFF0000h
                      cmp ecx, edi
                      je 00007F22C89CE4A6h
                      test esi, ecx
                      jne 00007F22C89CE4C8h
                      call 00007F22C89CE4D1h
                      mov ecx, eax
                      cmp ecx, edi
                      jne 00007F22C89CE4A9h
                      mov ecx, BB40E64Fh
                      jmp 00007F22C89CE4B0h
                      test esi, ecx
                      jne 00007F22C89CE4ACh
                      or eax, 00004711h
                      shl eax, 10h
                      or ecx, eax
                      mov dword ptr [0073E040h], ecx
                      not ecx
                      pop edi
                      mov dword ptr [0073E080h], ecx
                      pop esi
                      ret
                      push ebp
                      mov ebp, esp
                      sub esp, 14h
                      and dword ptr [ebp-0Ch], 00000000h
                      lea eax, dword ptr [ebp-0Ch]
                      and dword ptr [ebp-08h], 00000000h
                      push eax
                      call dword ptr [00738BFCh]
                      mov eax, dword ptr [ebp-08h]
                      xor eax, dword ptr [ebp-0Ch]
                      mov dword ptr [ebp-04h], eax
                      call dword ptr [00738B78h]
                      xor dword ptr [ebp-04h], eax
                      call dword ptr [00738B70h]
                      xor dword ptr [ebp-04h], eax
                      lea eax, dword ptr [ebp-14h]
                      push eax
                      call dword ptr [00738CCCh]
                      mov eax, dword ptr [ebp-10h]
                      lea ecx, dword ptr [ebp-04h]
                      xor eax, dword ptr [ebp-14h]
                      xor eax, dword ptr [ebp-04h]
                      xor eax, ecx
                      leave
                      ret
                      mov eax, 00004000h
                      ret
                      int3
                      int3
                      int3
                      int3
                      int3
                      int3
                      int3
                      int3
                      mov al, 01h
                      ret
                      push 00030000h
                      push 00010000h
                      push 00000000h
                      call 00007F22C89DDC1Ah
                      add esp, 0Ch
                      Name | Virtual Address | Virtual Size | Is in Section
                      IMAGE_DIRECTORY_ENTRY_EXPORT | 0x3381b4 | 0x55 | .rdata
                      IMAGE_DIRECTORY_ENTRY_IMPORT | 0x33820c | 0x12c | .rdata
                      IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x358000 | 0x4f79b4 | .rsrc
                      IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                      IMAGE_DIRECTORY_ENTRY_SECURITY | 0x84ec00 | 0x4a40 |
                      IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x850000 | 0x15d40 | .reloc
                      IMAGE_DIRECTORY_ENTRY_DEBUG | 0x333a70 | 0x1c | .rdata
                      IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                      IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                      IMAGE_DIRECTORY_ENTRY_TLS | 0x333800 | 0x18 | .rdata
                      IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x2ab188 | 0xc0 | .rdata
                      IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                      IMAGE_DIRECTORY_ENTRY_IAT | 0x3388e0 | 0x5a8 | .rdata
                      IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                      IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                      IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                      Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                      .text | 0x1000 | 0x2a97a8 | 0x2a9800 | 2f88acde28e81b42411b94a1984870da | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                      .rdata | 0x2ab000 | 0x92708 | 0x92800 | abf538394e67f67d1d56f603f4ec32d1 | False | 0.3593550021331058 | data | 6.194816279193363 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                      .data | 0x33e000 | 0x18048 | 0x4e00 | 52c1e8694b1e9ae8ad489549ef1d27a1 | False | 0.12114383012820513 | data | 3.1732192699558626 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                      .tls | 0x357000 | 0x10d | 0x200 | 8deaa2e44539b48d8052312d16240ff5 | False | 0.0625 | data | 0.22129049870095682 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                      .rsrc | 0x358000 | 0x4f79b4 | 0x4f7a00 | 4520146fde6f946a0fcb02b1d469653a | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                      .reloc | 0x850000 | 0x15d40 | 0x15e00 | 518d109385e92c766cd29b99061ae63e | False | 0.6675892857142857 | data | 6.719868139750451 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                      Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                      B7 | 0x35b6c0 | 0x492cf2 | 7-zip archive data, version 0.4 | English | United States | 0.5024223327636719
                      RT_ICON | 0x7ee3b4 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192, 16 important colors | English | United States | 0.6317567567567568
                      RT_ICON | 0x7ee4dc | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 320, 256 important colors | English | United States | 0.5823699421965318
                      RT_ICON | 0x7eea44 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 640, 16 important colors | English | United States | 0.5120967741935484
                      RT_ICON | 0x7eed2c | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors | English | United States | 0.5455776173285198
                      RT_ICON | 0x7ef5d4 | 0x668 | Device independent bitmap graphic, 48 x 96 x 4, image size 1536 | English | United States | 0.36341463414634145
                      RT_ICON | 0x7efc3c | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 2688 | English | United States | 0.42350746268656714
                      RT_STRING | 0x7f0ae4 | 0xd0a | data | English | United States | 0.4682444577591372
                      RT_STRING | 0x7f17f0 | 0xdd2 | data | English | United States | 0.38157150932730355
                      RT_STRING | 0x7f25c4 | 0xc0c | data | English | United States | 0.5239948119325551
                      RT_STRING | 0x7f31d0 | 0xd3c | Targa image data - Color 1072 x 1093 x 32 +1083 +1075 "\257\0045\0044\004 " | English | United States | 0.4542502951593861
                      RT_STRING | 0x7f3f0c | 0xbac | data | English | United States | 0.499665327978581
                      RT_STRING | 0x7f4ab8 | 0x396 | data | English | United States | 0.6285403050108932
                      RT_STRING | 0x7f4e50 | 0x2dc | data | English | United States | 0.4959016393442623
                      RT_STRING | 0x7f512c | 0x282 | data | English | United States | 0.7819314641744548
                      RT_STRING | 0x7f53b0 | 0x2be | data | English | United States | 0.603988603988604
                      RT_STRING | 0x7f5670 | 0x2ce | data | English | United States | 0.6782729805013927
                      RT_STRING | 0x7f5940 | 0x1c6 | data | English | United States | 0.7026431718061674
                      RT_STRING | 0x7f5b08 | 0x1d6 | data | English | United States | 0.5808510638297872
                      RT_STRING | 0x7f5ce0 | 0x1f0 | data | English | United States | 0.7701612903225806
                      RT_STRING | 0x7f5ed0 | 0x1d8 | data | English | United States | 0.6334745762711864
                      RT_STRING | 0x7f60a8 | 0x1ca | data | English | United States | 0.7183406113537117
                      RT_STRING | 0x7f6274 | 0x21a | data | English | United States | 0.6672862453531598
                      RT_STRING | 0x7f6490 | 0x28e | data | English | United States | 0.43577981651376146
                      RT_STRING | 0x7f6720 | 0x27c | data | English | United States | 0.7468553459119497
                      RT_STRING | 0x7f699c | 0x2ae | data | English | United States | 0.6749271137026239
                      RT_STRING | 0x7f6c4c | 0x280 | data | English | United States | 0.6296875
                      RT_STRING | 0x7f6ecc | 0x152 | data | English | United States | 0.7958579881656804
                      RT_STRING | 0x7f7020 | 0xcc | data | English | United States | 0.7401960784313726
                      RT_STRING | 0x7f70ec | 0xd2 | data | English | United States | 0.8904761904761904
                      RT_STRING | 0x7f71c0 | 0xea | data | English | United States | 0.8974358974358975
                      RT_STRING | 0x7f72ac | 0xe8 | data | English | United States | 0.7931034482758621
                      RT_STRING | 0x7f7394 | 0x124 | data | English | United States | 0.8561643835616438
                      RT_STRING | 0x7f74b8 | 0x20c | Targa image data - RLE 1083 x 1103 x 32 +1077 +1075 "A\0045\004." | English | United States | 0.601145038167939
                      RT_STRING | 0x7f76c4 | 0x21c | data | English | United States | 0.6611111111111111
                      RT_STRING | 0x7f78e0 | 0x24c | data | English | United States | 0.7261904761904762
                      RT_STRING | 0x7f7b2c | 0x1d2 | data | English | United States | 0.6609442060085837
                      RT_STRING | 0x7f7d00 | 0x200 | data | English | United States | 0.75
                      RT_STRING | 0x7f7f00 | 0x2ce | data | English | United States | 0.564066852367688
                      RT_STRING | 0x7f81d0 | 0x298 | data | English | United States | 0.6204819277108434
                      RT_STRING | 0x7f8468 | 0x278 | data | English | United States | 0.7848101265822784
                      RT_STRING | 0x7f86e0 | 0x2d2 | Targa image data - Color 2379 x 2337 x 32 +2344 +2354 "8\011.\011M\011*\011(\011M\011(\011 " | English | United States | 0.6481994459833795
                      RT_STRING | 0x7f89b4 | 0x29a | data | English | United States | 0.7087087087087087
                      RT_STRING | 0x7f8c50 | 0x488 | data | English | United States | 0.5198275862068965
                      RT_STRING | 0x7f90d8 | 0x476 | data | English | United States | 0.4956217162872154
                      RT_STRING | 0x7f9550 | 0x49c | data | English | United States | 0.6466101694915254
                      RT_STRING | 0x7f99ec | 0x456 | data | English | United States | 0.5540540540540541
                      RT_STRING | 0x7f9e44 | 0x3f8 | data | English | United States | 0.5974409448818898
                      RT_STRING | 0x7fa23c | 0x460 | data | English | United States | 0.575
                      RT_STRING | 0x7fa69c | 0x4b4 | data | English | United States | 0.46677740863787376
                      RT_STRING | 0x7fab50 | 0x478 | data | English | United States | 0.6354895104895105
                      RT_STRING | 0x7fafc8 | 0x470 | data | English | United States | 0.5598591549295775
                      RT_STRING | 0x7fb438 | 0x41c | data | English | United States | 0.5807984790874525
                      RT_STRING | 0x7fb854 | 0x426 | data | English | United States | 0.5790960451977402
                      RT_STRING | 0x7fbc7c | 0x488 | data | English | United States | 0.45775862068965517
                      RT_STRING | 0x7fc104 | 0x424 | data | English | United States | 0.6490566037735849
                      RT_STRING | 0x7fc528 | 0x42c | data | English | United States | 0.5608614232209738
                      RT_STRING | 0x7fc954 | 0x43a | data | English | United States | 0.6090573012939002
                      RT_STRING | 0x7fcd90 | 0x43c | data | English | United States | 0.6199261992619927
                      RT_STRING | 0x7fd1cc | 0x59c | data | English | United States | 0.435933147632312
                      RT_STRING | 0x7fd768 | 0x500 | Targa image data - Color 2379 x 2337 x 32 +2344 +2354 "\025\011@\011 " | English | United States | 0.6640625
                      RT_STRING | 0x7fdc68 | 0x59c | data | English | United States | 0.5682451253481894
                      RT_STRING | 0x7fe204 | 0x536 | data | English | United States | 0.5907046476761619
                      RT_STRING | 0x7fe73c | 0x8e6 | data | English | United States | 0.5258999122036875
                      RT_STRING | 0x7ff024 | 0xc92 | data | English | United States | 0.3334369173399627
                      RT_STRING | 0x7ffcb8 | 0xbf4 | data | English | United States | 0.5320261437908497
                      RT_STRING | 0x8008ac | 0xc5e | data | English | United States | 0.48673404927353126
                      RT_STRING | 0x80150c | 0xcd8 | data | English | United States | 0.4382603406326034
                      RT_STRING | 0x8021e4 | 0x92c | data | English | United States | 0.5404599659284497
                      RT_STRING | 0x802b10 | 0x9ce | data | English | United States | 0.3669322709163347
                      RT_STRING | 0x8034e0 | 0x962 | data | English | United States | 0.5104079933388843
                      RT_STRING | 0x803e44 | 0x986 | data | English | United States | 0.5332239540607056
                      RT_STRING | 0x8047cc | 0x9d8 | data | English | United States | 0.4765873015873016
                      RT_STRING | 0x8051a4 | 0x8ec | data | English | United States | 0.563922942206655
                      RT_STRING | 0x805a90 | 0xcc6 | data | English | United States | 0.382262996941896
                      RT_STRING | 0x806758 | 0xca8 | data | English | United States | 0.4367283950617284
                      RT_STRING | 0x807400 | 0xcbe | data | English | United States | 0.5076640098099325
                      RT_STRING | 0x8080c0 | 0xd0c | data | English | United States | 0.4224550898203593
                      RT_STRING | 0x808dcc | 0x8a6 | data | English | United States | 0.5519421860885275
                      RT_STRING | 0x809674 | 0x256 | data | English | United States | 0.4983277591973244
                      RT_STRING | 0x8098cc | 0x260 | data | English | United States | 0.5444078947368421
                      RT_STRING | 0x809b2c | 0x22e | data | English | United States | 0.6505376344086021
                      RT_STRING | 0x809d5c | 0x23a | data | English | United States | 0.5333333333333333
                      RT_STRING | 0x809f98 | 0x1e6 | data | English | United States | 0.6296296296296297
                      RT_STRING | 0x80a180 | 0xe0 | data | English | United States | 0.10714285714285714
                      RT_STRING | 0x80a260 | 0xe0 | data | English | United States | 0.10714285714285714
                      RT_STRING | 0x80a340 | 0xe0 | data | English | United States | 0.10714285714285714
                      RT_STRING | 0x80a420 | 0xe0 | data | English | United States | 0.10714285714285714
                      RT_STRING | 0x80a500 | 0xe0 | data | English | United States | 0.10714285714285714
                      RT_STRING | 0x80a5e0 | 0x2f4 | AmigaOS bitmap font "f", fc_YSize 14848, 16640 elements, 2nd "$", 3rd "n" | English | United States | 0.6362433862433863
                      RT_STRING | 0x80a8d4 | 0x314 | data | English | United States | 0.47588832487309646
                      RT_STRING | 0x80abe8 | 0x2d0 | data | English | United States | 0.6777777777777778
                      RT_STRING | 0x80aeb8 | 0x2fa | data | English | United States | 0.5931758530183727
                      RT_STRING | 0x80b1b4 | 0x2fa | data | English | United States | 0.6286089238845144
                      RT_STRING | 0x80b4b0 | 0x2ea | data | English | United States | 0.6005361930294906
                      RT_STRING | 0x80b79c | 0x2de | data | English | United States | 0.44005449591280654
                      RT_STRING | 0x80ba7c | 0x296 | data | English | United States | 0.676737160120846
                      RT_STRING | 0x80bd14 | 0x2f6 | data | English | United States | 0.5620052770448549
                      RT_STRING | 0x80c00c | 0x2f4 | data | English | United States | 0.623015873015873
                      RT_STRING | 0x80c300 | 0x25a | data | English | United States | 0.6495016611295681
                      RT_STRING | 0x80c55c | 0x2ba | data | English | United States | 0.4355300859598854
                      RT_STRING | 0x80c818 | 0x26e | data | English | United States | 0.7138263665594855
                      RT_STRING | 0x80ca88 | 0x29a | data | English | United States | 0.581081081081081
                      RT_STRING | 0x80cd24 | 0x280 | data | English | United States | 0.5953125
                      RT_STRING | 0x80cfa4 | 0x2c6 | data | English | United States | 0.647887323943662
                      RT_STRING | 0x80d26c | 0x328 | data | English | United States | 0.44925742574257427
                      RT_STRING | 0x80d594 | 0x320 | data | English | United States | 0.6825
                      RT_STRING | 0x80d8b4 | 0x350 | data | English | United States | 0.6096698113207547
                      RT_STRING | 0x80dc04 | 0x37e | data | English | United States | 0.5391498881431768
                      RT_STRING | 0x80df84 | 0x37c | data | English | United States | 0.6390134529147982
                      RT_STRING | 0x80e300 | 0x478 | data | English | United States | 0.42395104895104896
                      RT_STRING | 0x80e778 | 0x462 | data | English | United States | 0.5811051693404634
                      RT_STRING | 0x80ebdc | 0x400 | data | English | United States | 0.6123046875
                      RT_STRING | 0x80efdc | 0x4b0 | data | English | United States | 0.5016666666666667
                      RT_STRING | 0x80f48c | 0x276 | data | English | United States | 0.6825396825396826
                      RT_STRING | 0x80f704 | 0xd0 | data | English | United States | 0.7836538461538461
                      RT_STRING | 0x80f7d4 | 0xca | data | English | United States | 0.8613861386138614
                      RT_STRING | 0x80f8a0 | 0xdc | data | English | United States | 0.9045454545454545
                      RT_STRING | 0x80f97c | 0xd8 | data | English | United States | 0.7268518518518519
                      RT_STRING | 0x80fa54 | 0x306 | data | English | United States | 0.6950904392764858
                      RT_STRING | 0x80fd5c | 0xbc4 | data | English | United States | 0.42363877822045154
                      RT_STRING | 0x810920 | 0xba2 | data | English | United States | 0.46474143720617866
                      RT_STRING | 0x8114c4 | 0xac8 | data | English | United States | 0.5876811594202899
                      RT_STRING | 0x811f8c | 0xb36 | data | English | United States | 0.47560975609756095
                      RT_STRING | 0x812ac4 | 0x8da | data | English | United States | 0.5728155339805825
                      RT_STRING | 0x8133a0 | 0x220 | AmigaOS bitmap font ",\0061\006J\006 ", fc_YSize 26880, 10758 elements, 2nd "l", 3rd "i" | English | United States | 0.6066176470588235
                      RT_STRING | 0x8135c0 | 0x20a | data | English | United States | 0.6264367816091954
                      RT_STRING | 0x8137cc | 0x232 | data | English | United States | 0.7633451957295374
                      RT_STRING | 0x813a00 | 0x202 | data | English | United States | 0.6108949416342413
                      RT_STRING | 0x813c04 | 0x1f6 | data | English | United States | 0.6852589641434262
                      RT_STRING | 0x813dfc | 0x2e4 | data | English | United States | 0.6
                      RT_STRING | 0x8140e0 | 0x32c | data | English | United States | 0.5517241379310345
                      RT_STRING | 0x81440c | 0x2b0 | data | English | United States | 0.7659883720930233
                      RT_STRING | 0x8146bc | 0x2e6 | data | English | United States | 0.6145552560646901
                      RT_STRING | 0x8149a4 | 0x2a8 | data | English | United States | 0.6838235294117647
                      RT_STRING | 0x814c4c | 0x256 | data | English | United States | 0.5836120401337793
                      RT_STRING | 0x814ea4 | 0x288 | data | English | United States | 0.4521604938271605
                      RT_STRING | 0x81512c | 0x226 | data | English | United States | 0.6854545454545454
                      RT_STRING | 0x815354 | 0x206 | data | English | United States | 0.527027027027027
                      RT_STRING | 0x81555c | 0x26c | data | English | United States | 0.6193548387096774
                      RT_STRING | 0x8157c8 | 0x5f6 | data | English | United States | 0.5321100917431193
                      RT_STRING | 0x815dc0 | 0x820 | data | English | United States | 0.35865384615384616
                      RT_STRING | 0x8165e0 | 0x70a | data | English | United States | 0.5832408435072142
                      RT_STRING | 0x816cec | 0x7f2 | data | English | United States | 0.47000983284169123
                      RT_STRING | 0x8174e0 | 0x76a | data | English | United States | 0.5068493150684932
                      RT_STRING | 0x817c4c | 0x7ce | data | English | United States | 0.5125125125125125
                      RT_STRING | 0x81841c | 0xa82 | data | English | United States | 0.3252788104089219
                      RT_STRING | 0x818ea0 | 0x9ce | data | English | United States | 0.5091633466135458
                      RT_STRING | 0x819870 | 0xa2e | data | English | United States | 0.4716039907904835
                      RT_STRING | 0x81a2a0 | 0xa44 | data | English | United States | 0.4257990867579909
                      RT_STRING | 0x81ace4 | 0x464 | Targa image data - Color 1089 x 1103 x 32 +1083 +1072 "?\004>\004<\0048\004;\004:\0040\004." | English | United States | 0.604982206405694
                      RT_STRING | 0x81b148 | 0x212 | data | English | United States | 0.4830188679245283
                      RT_STRING | 0x81b35c | 0x1d4 | AmigaOS bitmap font "n", fc_YSize 30725, 18688 elements, 2nd "t\005& \013", 3rd | English | United States | 0.6645299145299145
                      RT_STRING | 0x81b530 | 0x20a | data | English | United States | 0.6800766283524904
                      RT_STRING | 0x81b73c | 0x210 | data | English | United States | 0.5852272727272727
                      RT_STRING | 0x81b94c | 0x3aa | AmigaOS bitmap font "3\016%\0161\016\007\016\025\0164\016\024\016\025\0161\016I\016\007\016.", fc_YSize 25856, 270 elements, 2nd "C", 3rd "%\0065\006/\006'\0061\006K\006'\006 " | English | United States | 0.5565031982942431
                      RT_STRING | 0x81bcf8 | 0x710 | data | English | United States | 0.3407079646017699
                      RT_STRING | 0x81c408 | 0x79c | data | English | United States | 0.4029774127310062
                      RT_STRING | 0x81cba4 | 0x848 | data | English | United States | 0.45943396226415095
                      RT_STRING | 0x81d3ec | 0x728 | data | English | United States | 0.36899563318777295
                      RT_STRING | 0x81db14 | 0x5f4 | data | English | United States | 0.4678477690288714
                      RT_STRING | 0x81e108 | 0x350 | data | English | United States | 0.5283018867924528
                      RT_STRING | 0x81e458 | 0x37e | data | English | United States | 0.5760626398210291
                      RT_STRING | 0x81e7d8 | 0x320 | data | English | United States | 0.69125
                      RT_STRING | 0x81eaf8 | 0x368 | data | English | United States | 0.5538990825688074
                      RT_STRING | 0x81ee60 | 0x30c | data | English | United States | 0.6641025641025641
                      RT_STRING | 0x81f16c | 0x80a | data | English | United States | 0.49173955296404276
                      RT_STRING | 0x81f978 | 0x7ce | data | English | United States | 0.4934934934934935
                      RT_STRING | 0x820148 | 0x64c | data | English | United States | 0.6625310173697271
                      RT_STRING | 0x820794 | 0x79a | data | English | United States | 0.5190133607399794
                      RT_STRING | 0x820f30 | 0x640 | data | English | United States | 0.595
                      RT_STRING | 0x821570 | 0x52a | data | English | United States | 0.5612708018154312
                      RT_STRING | 0x821a9c | 0x5a0 | data | English | United States | 0.4888888888888889
                      RT_STRING | 0x82203c | 0x498 | data | English | United States | 0.6870748299319728
                      RT_STRING | 0x8224d4 | 0x546 | Targa image data - Color 1072 x 1078 x 32 +1083 +1075 "G\0040\0044\004A\0040\004=\0043\004\257\0049\004." | English | United States | 0.5733333333333334
                      RT_STRING | 0x822a1c | 0x4a6 | data | English | United States | 0.6226890756302521
                      RT_STRING | 0x822ec4 | 0x80a | data | English | United States | 0.5262390670553936
                      RT_STRING | 0x8236d0 | 0x95e | data | English | United States | 0.390325271059216
                      RT_STRING | 0x824030 | 0x792 | data | English | United States | 0.6062951496388029
                      RT_STRING | 0x8247c4 | 0x896 | data | English | United States | 0.4899909008189263
                      RT_STRING | 0x82505c | 0x87e | data | English | United States | 0.547378104875805
                      RT_STRING | 0x8258dc | 0x82e | data | English | United States | 0.543935052531041
                      RT_STRING | 0x82610c | 0xaae | data | English | United States | 0.35515727871250913
                      RT_STRING | 0x826bbc | 0x96a | data | English | United States | 0.549792531120332
                      RT_STRING | 0x827528 | 0xa08 | data | English | United States | 0.470404984423676
                      RT_STRING | 0x827f30 | 0x9fe | data | English | United States | 0.4980453479280688
                      RT_STRING | 0x828930 | 0x304 | data | English | United States | 0.6282383419689119
                      RT_STRING | 0x828c34 | 0x142 | data | English | United States | 0.5341614906832298
                      RT_STRING | 0x828d78 | 0x10e | data | English | United States | 0.8740740740740741
                      RT_STRING | 0x828e88 | 0x16c | data | English | United States | 0.7307692307692307
                      RT_STRING | 0x828ff4 | 0x140 | data | English | United States | 0.7
                      RT_STRING | 0x829134 | 0x586 | data | English | United States | 0.574964639321075
                      RT_STRING | 0x8296bc | 0xc0a | data | English | United States | 0.36632057105775473
                      RT_STRING | 0x82a2c8 | 0xbbe | data | English | United States | 0.49933466400532267
                      RT_STRING | 0x82ae88 | 0xad6 | data | English | United States | 0.5475847152126893
                      RT_STRING | 0x82b960 | 0xb66 | data | English | United States | 0.4609321453050034
                      RT_STRING | 0x82c4c8 | 0xa64 | data | English | United States | 0.5789473684210527
                      RT_STRING | 0x82cf2c | 0xde2 | data | English | United States | 0.4127743387732133
                      RT_STRING | 0x82dd10 | 0xd9c | data | English | United States | 0.46039035591274396
                      RT_STRING | 0x82eaac | 0xe30 | data | English | United States | 0.5341409691629956
                      RT_STRING | 0x82f8dc | 0xeb4 | data | English | United States | 0.4585547290116897
                      RT_STRING | 0x830790 | 0x99c | data | English | United States | 0.582520325203252
                      RT_STRING | 0x83112c | 0x3d2 | data | English | United States | 0.5224948875255624
                      RT_STRING | 0x831500 | 0x3be | data | English | United States | 0.5845511482254697
                      RT_STRING | 0x8318c0 | 0x2d2 | data | English | United States | 0.7686980609418282
                      RT_STRING | 0x831b94 | 0x3ae | data | English | United States | 0.5859872611464968
                      RT_STRING | 0x831f44 | 0x3d6 | data | English | United States | 0.6446028513238289
                      RT_STRING | 0x83231c | 0xa3a | data | English | United States | 0.45110771581359815
                      RT_STRING | 0x832d58 | 0xa06 | data | English | United States | 0.44232268121590024
                      RT_STRING | 0x833760 | 0x8f8 | data | English | United States | 0.5971254355400697
                      RT_STRING | 0x834058 | 0x9aa | data | English | United States | 0.4773645917542441
                      RT_STRING | 0x834a04 | 0x852 | data | English | United States | 0.5629107981220657
                      RT_STRING | 0x835258 | 0x282 | data | English | United States | 0.6682242990654206
                      RT_STRING | 0x8354dc | 0x2c0 | data | English | United States | 0.5582386363636364
                      RT_STRING | 0x83579c | 0x276 | data | English | United States | 0.7793650793650794
                      RT_STRING | 0x835a14 | 0x2a4 | data | English | United States | 0.643491124260355
                      RT_STRING | 0x835cb8 | 0x278 | data | English | United States | 0.7104430379746836
                      RT_STRING | 0x835f30 | 0x226 | data | English | United States | 0.7127272727272728
                      RT_STRING | 0x836158 | 0x252 | data | English | United States | 0.5589225589225589
                      RT_STRING | 0x8363ac | 0x224 | data | English | United States | 0.8029197080291971
                      RT_STRING | 0x8365d0 | 0x278 | data | English | United States | 0.6329113924050633
                      RT_STRING | 0x836848 | 0x272 | data | English | United States | 0.7060702875399361
                      RT_STRING | 0x836abc | 0x628 | data | English | United States | 0.565989847715736
                      RT_STRING | 0x8370e4 | 0x8a8 | data | English | United States | 0.4056859205776173
                      RT_STRING | 0x83798c | 0x814 | data | English | United States | 0.6276595744680851
                      RT_STRING | 0x8381a0 | 0x7f0 | data | English | United States | 0.514763779527559
                      RT_STRING | 0x838990 | 0x82a | data | English | United States | 0.561244019138756
                      RT_STRING | 0x8391bc | 0x3ba | data | English | United States | 0.6666666666666666
                      RT_STRING | 0x839578 | 0x2a0 | data | English | United States | 0.4568452380952381
                      RT_STRING | 0x839818 | 0x2c2 | data | English | United States | 0.7407932011331445
                      RT_STRING | 0x839adc | 0x2f2 | data | English | United States | 0.6790450928381963
                      RT_STRING | 0x839dd0 | 0x2b8 | data | English | United States | 0.6379310344827587
                      RT_STRING | 0x83a088 | 0x1ee | data | English | United States | 0.7510121457489879
                      RT_STRING | 0x83a278 | 0x1b6 | data | English | United States | 0.6164383561643836
                      RT_STRING | 0x83a430 | 0x1fa | data | English | United States | 0.7055335968379447
                      RT_STRING | 0x83a62c | 0x1de | data | English | United States | 0.694560669456067
                      RT_STRING | 0x83a80c | 0x1fa | data | English | United States | 0.6521739130434783
                      RT_STRING | 0x83aa08 | 0x4ec | data | English | United States | 0.6246031746031746
                      RT_STRING | 0x83aef4 | 0xb86 | data | English | United States | 0.4277966101694915
                      RT_STRING | 0x83ba7c | 0xb7c | data | English | United States | 0.48435374149659866
                      RT_STRING | 0x83c5f8 | 0xbc6 | data | English | United States | 0.5517584605175846
                      RT_STRING | 0x83d1c0 | 0xc76 | data | English | United States | 0.46206896551724136
                      RT_STRING | 0x83de38 | 0xa0e | data | English | United States | 0.5687645687645687
                      RT_STRING | 0x83e848 | 0xac4 | data | English | United States | 0.4386792452830189
                      RT_STRING | 0x83f30c | 0xb18 | data | English | United States | 0.4721830985915493
                      RT_STRING | 0x83fe24 | 0xa6e | data | English | United States | 0.5928838951310862
                      RT_STRING | 0x840894 | 0xbba | data | English | United States | 0.47401732178547634
                      RT_STRING | 0x841450 | 0x9a4 | data | English | United States | 0.5559157212317666
                      RT_STRING | 0x841df4 | 0xac0 | data | English | United States | 0.46257267441860467
                      RT_STRING | 0x8428b4 | 0xb5e | data | English | United States | 0.45738831615120273
                      RT_STRING | 0x843414 | 0xa02 | data | English | United States | 0.594847775175644
                      RT_STRING | 0x843e18 | 0xb7c | data | English | United States | 0.48367346938775513
                      RT_STRING | 0x844994 | 0xa08 | data | English | United States | 0.5323208722741433
                      RT_STRING | 0x84539c | 0x742 | data | English | United States | 0.5285252960172229
                      RT_STRING | 0x845ae0 | 0x808 | data | English | United States | 0.44455252918287935
                      RT_STRING | 0x8462e8 | 0x71e | data | English | United States | 0.6009879253567508
                      RT_STRING | 0x846a08 | 0x774 | Targa image data - Color 1072 x 1093 x 32 +1083 +1075 "1\004>\004;\004>\004<\0046\0043\004\257\0049\004." | English | United States | 0.5361635220125787
                      RT_STRING | 0x84717c | 0x6ac | data | English | United States | 0.5837236533957846
                      RT_STRING | 0x847828 | 0x79a | data | English | United States | 0.5303186022610483
                      RT_STRING | 0x847fc4 | 0x906 | data | English | United States | 0.40346320346320347
                      RT_STRING | 0x8488cc | 0x7c2 | data | English | United States | 0.6047331319234642
                      RT_STRING | 0x849090 | 0x818 | data | English | United States | 0.48986486486486486
                      RT_STRING | 0x8498a8 | 0x842 | data | English | United States | 0.5402081362346263
                      RT_STRING | 0x84a0ec | 0x6da | data | English | United States | 0.5775370581527937
                      RT_STRING | 0x84a7c8 | 0x8b0 | data | English | United States | 0.3776978417266187
                      RT_STRING | 0x84b078 | 0x7bc | data | English | United States | 0.597979797979798
                      RT_STRING | 0x84b834 | 0x822 | data | English | United States | 0.4966378482228626
                      RT_STRING | 0x84c058 | 0x844 | data | English | United States | 0.5363894139886578
                      RT_STRING | 0x84c89c | 0x256 | data | English | United States | 0.7224080267558528
                      RT_STRING | 0x84caf4 | 0xcc | data | English | United States | 0.7009803921568627
                      RT_STRING | 0x84cbc0 | 0xce | data | English | United States | 0.970873786407767
                      RT_STRING | 0x84cc90 | 0xf2 | data | English | United States | 0.871900826446281
                      RT_STRING | 0x84cd84 | 0xdc | data | English | United States | 0.7909090909090909
                      RT_STRING | 0x84ce60 | 0x242 | data | English | United States | 0.6678200692041523
                      RT_STRING | 0x84d0a4 | 0x3ae | data | English | United States | 0.4447983014861996
                      RT_STRING | 0x84d454 | 0x366 | data | English | United States | 0.6091954022988506
                      RT_STRING | 0x84d7bc | 0x3b0 | data | English | United States | 0.6038135593220338
                      RT_STRING | 0x84db6c | 0x390 | data | English | United States | 0.5537280701754386
                      RT_STRING | 0x84defc | 0x2f4 | data | English | United States | 0.6917989417989417
                      RT_STRING | 0x84e1f0 | 0x332 | Targa image data - RLE 1074 x 1072 x 32 +1072 +1082 "A\0045\004 " | English | United States | 0.5158924205378973
                      RT_STRING | 0x84e524 | 0x36c | data | English | United States | 0.5901826484018264
                      RT_STRING | 0x84e890 | 0x376 | data | English | United States | 0.6557562076749436
                      RT_STRING | 0x84ec08 | 0x33e | data | English | United States | 0.5783132530120482
                      RT_STRING | 0x84ef48 | 0x1ee | data | English | United States | 0.7246963562753036
                      RT_GROUP_ICON | 0x84f138 | 0x5a | data | English | United States | 0.7333333333333333
                      RT_VERSION | 0x84f194 | 0x44c | data | English | United States | 0.43636363636363634
                      RT_MANIFEST | 0x84f5e0 | 0x3d2 | XML 1.0 document, ASCII text, with very long lines (864) | English | United States | 0.5398773006134969
DLL | Import
ADVAPI32.dll | AddAce, AllocateAndInitializeSid, BuildTrusteeWithSidW, ChangeServiceConfigW, CheckTokenMembership, CloseServiceHandle, ConvertSidToStringSidW, ConvertStringSidToSidW, CopySid, CreateProcessAsUserW, CreateServiceW, DeleteService, DuplicateTokenEx, EqualSid, FreeSid, GetAce, GetAclInformation, GetLengthSid, GetNamedSecurityInfoW, GetSecurityDescriptorControl, GetSecurityDescriptorDacl, GetSecurityDescriptorGroup, GetSecurityDescriptorLength, GetSecurityDescriptorOwner, GetSecurityDescriptorSacl, GetSecurityInfo, GetSidIdentifierAuthority, GetSidLengthRequired, GetSidSubAuthority, GetSidSubAuthorityCount, GetTokenInformation, GetTraceEnableFlags, GetTraceEnableLevel, GetTraceLoggerHandle, ImpersonateLoggedOnUser, InitializeAcl, InitializeSecurityDescriptor, InitializeSid, IsValidAcl, IsValidSecurityDescriptor, IsValidSid, LookupAccountSidW, MakeAbsoluteSD, MakeSelfRelativeSD, OpenProcessToken, OpenSCManagerW, OpenServiceW, OpenThreadToken, QueryServiceConfigW, RegCloseKey, RegCreateKeyExW, RegDeleteKeyExW, RegDeleteValueW, RegEnumKeyExW, RegEnumValueW, RegOpenKeyExW, RegQueryInfoKeyW, RegQueryValueExW, RegSetValueExW, RegisterTraceGuidsW, RevertToSelf, SetEntriesInAclW, SetNamedSecurityInfoW, SetSecurityDescriptorDacl, SetSecurityDescriptorGroup, SetSecurityDescriptorOwner, SetSecurityInfo, TraceEvent, UnregisterTraceGuids
dbghelp.dll | SymCleanup, SymFromAddr, SymGetLineFromAddr64, SymGetSearchPathW, SymInitialize, SymSetOptions, SymSetSearchPathW
OLEAUT32.dll | LoadTypeLib, SafeArrayAccessData, SafeArrayCreateVector, SafeArrayDestroy, SafeArrayGetDim, SafeArrayGetLBound, SafeArrayGetUBound, SafeArrayGetVartype, SafeArrayUnaccessData, SysAllocString, SysAllocStringByteLen, SysAllocStringLen, SysFreeString, SysStringLen, SystemTimeToVariantTime, VariantClear
SHELL32.dll | CommandLineToArgvW, SHGetFolderPathW, SHGetKnownFolderPath, ShellExecuteExW
USER32.dll | AllowSetForegroundWindow, CharUpperW, CreateWindowExW, DestroyWindow, GetActiveWindow, GetClientRect, GetMonitorInfoW, GetParent, GetWindow, GetWindowLongW, GetWindowRect, MapWindowPoints, MessageBoxExW, MonitorFromWindow, SetForegroundWindow, SetWindowPos, UnregisterClassW
KERNEL32.dll | AcquireSRWLockExclusive, AcquireSRWLockShared, AssignProcessToJobObject, CloseHandle, CompareStringW, CopyFileW, CreateDirectoryW, CreateEventW, CreateFileA, CreateFileMappingW, CreateFileW, CreateMutexW, CreateProcessW, CreateToolhelp32Snapshot, DecodePointer, DeleteCriticalSection, DeleteFileW, DeleteProcThreadAttributeList, DuplicateHandle, EncodePointer, EnterCriticalSection, EnumResourceNamesW, EnumSystemLocalesW, ExitProcess, ExpandEnvironmentStringsW, FileTimeToLocalFileTime, FileTimeToSystemTime, FindClose, FindFirstFileExW, FindNextFileW, FindResourceW, FlushFileBuffers, FlushViewOfFile, FormatMessageW, FreeEnvironmentStringsW, FreeLibrary, GetACP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetComputerNameW, GetConsoleMode, GetConsoleOutputCP, GetCurrentDirectoryW, GetCurrentProcess, GetCurrentProcessId, GetCurrentThread, GetCurrentThreadId, GetDateFormatW, GetDriveTypeW, GetEnvironmentStringsW, GetEnvironmentVariableW, GetExitCodeProcess, GetFileAttributesExW, GetFileAttributesW, GetFileInformationByHandle, GetFileSizeEx, GetFileType, GetFullPathNameW, GetLastError, GetLocalTime, GetLocaleInfoW, GetLongPathNameW, GetModuleFileNameW, GetModuleHandleA, GetModuleHandleExW, GetModuleHandleW, GetNativeSystemInfo, GetOEMCP, GetProcAddress, GetProcessHeap, GetProcessId, GetProcessMitigationPolicy, GetProcessTimes, GetProductInfo, GetStartupInfoW, GetStdHandle, GetStringTypeW, GetSystemDirectoryW, GetSystemInfo, GetSystemTimeAsFileTime, GetTempPathW, GetThreadPreferredUILanguages, GetThreadPriority, GetTickCount, GetTimeFormatW, GetTimeZoneInformation, GetUserDefaultLCID, GetUserPreferredUILanguages, GetVersionExW, GetWindowsDirectoryW, GlobalAlloc, GlobalFree, GlobalMemoryStatusEx, HeapAlloc, HeapDestroy, HeapFree, HeapReAlloc, HeapSetInformation, HeapSize, InitOnceExecuteOnce, InitializeCriticalSectionAndSpinCount, InitializeCriticalSectionEx, InitializeProcThreadAttributeList, InitializeSListHead, InitializeSRWLock, InterlockedPushEntrySList, IsDebuggerPresent, IsProcessorFeaturePresent, IsValidCodePage, IsValidLocale, IsWow64Process, LCMapStringW, LeaveCriticalSection, LoadLibraryExA, LoadLibraryExW, LoadLibraryW, LoadResource, LocalFree, LockFileEx, LockResource, MapViewOfFile, MoveFileExW, MoveFileW, MultiByteToWideChar, OpenProcess, OutputDebugStringA, OutputDebugStringW, Process32FirstW, Process32NextW, ProcessIdToSessionId, QueryFullProcessImageNameW, QueryPerformanceCounter, QueryPerformanceFrequency, QueryThreadCycleTime, RaiseException, ReadConsoleW, ReadFile, ReleaseMutex, ReleaseSRWLockExclusive, ReleaseSRWLockShared, RemoveDirectoryW, ReplaceFileW, ResetEvent, RtlCaptureStackBackTrace, RtlUnwind, SetCurrentDirectoryW, SetEndOfFile, SetEnvironmentVariableW, SetEvent, SetFileAttributesW, SetFileInformationByHandle, SetFilePointer, SetFilePointerEx, SetFileTime, SetHandleInformation, SetLastError, SetProcessWorkingSetSize, SetStdHandle, SetThreadInformation, SetThreadPriority, SetUnhandledExceptionFilter, SizeofResource, Sleep, SleepConditionVariableSRW, SwitchToThread, SystemTimeToFileTime, SystemTimeToTzSpecificLocalTime, TerminateProcess, TlsAlloc, TlsFree, TlsGetValue, TlsSetValue, TryAcquireSRWLockExclusive, TzSpecificLocalTimeToSystemTime, UnhandledExceptionFilter, UnlockFileEx, UnmapViewOfFile, UnregisterWaitEx, UpdateProcThreadAttribute, VerSetConditionMask, VerifyVersionInfoW, VirtualAlloc, VirtualFree, VirtualProtect, VirtualQuery, WTSGetActiveConsoleSessionId, WaitForSingleObject, WakeAllConditionVariable, WideCharToMultiByte, WriteConsoleW, WriteFile, lstrcmpiW
ole32.dll | CoAddRefServerProcess, CoCreateInstance, CoImpersonateClient, CoInitializeEx, CoRegisterClassObject, CoRegisterInitializeSpy, CoReleaseServerProcess, CoResumeClassObjects, CoRevertToSelf, CoRevokeClassObject, CoRevokeInitializeSpy, CoSetProxyBlanket, CoTaskMemFree, CoUninitialize, IIDFromString, StringFromGUID2
Secur32.dll | GetUserNameExW
WTSAPI32.dll | WTSEnumerateSessionsW, WTSFreeMemory, WTSQuerySessionInformationW
USERENV.dll | CreateEnvironmentBlock, DestroyEnvironmentBlock, EnterCriticalPolicySection, LeaveCriticalPolicySection, UnloadUserProfile
WINHTTP.dll | WinHttpAddRequestHeaders, WinHttpCloseHandle, WinHttpConnect, WinHttpGetProxyForUrl, WinHttpOpen, WinHttpOpenRequest, WinHttpQueryHeaders, WinHttpReadData, WinHttpReceiveResponse, WinHttpSendRequest, WinHttpSetOption, WinHttpSetStatusCallback
SHLWAPI.dll | PathMatchSpecW
ntdll.dll | NtDeleteKey
WINMM.dll | timeGetTime
Name | Ordinal | Address
GetHandleVerifier | 1 | 0x4a8a90
Language of compilation system | Country where language is spoken
English | United States
                      Skipped network analysis since the amount of network traffic is too extensive. Please download the PCAP and check manually.

                      Target ID:0
                      Start time:02:31:15
                      Start date:27/05/2024
                      Path:C:\Users\user\Desktop\oBX1n79NgQ.exe
                      Wow64 process (32bit):true
                      Commandline:"C:\Users\user\Desktop\oBX1n79NgQ.exe"
                      Imagebase:0x430000
                      File size:8'730'176 bytes
                      MD5 hash:DE2E32E7E89454A112C83F0C5A86CC45
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Reputation:low
                      Has exited:false

                      Target ID:2
                      Start time:02:31:15
                      Start date:27/05/2024
                      Path:C:\Windows\SystemTemp\Google7068_1700592644\bin\updater.exe
                      Wow64 process (32bit):true
                      Commandline:"C:\Windows\SystemTemp\Google7068_1700592644\bin\updater.exe" --install=appguid={8A69D345-D564-463C-AFF1-A69D9E530F96}&iid={8D0CD419-2DAC-C85B-BCFF-DB2D99044B99}&lang=en&browser=5&usagestats=0&appname=Google%20Chrome&needsadmin=prefers&ap=x64-statsdef_1&installdataindex=empty --enable-logging --vmodule=*/components/winhttp/*=1,*/components/update_client/*=2,*/chrome/updater/*=2
                      Imagebase:0x4d0000
                      File size:4'794'656 bytes
                      MD5 hash:95222FAEEAB2CEBE9502F2E123D5DD2A
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Antivirus matches:
                      • Detection: 0%, ReversingLabs
                      • Detection: 0%, Virustotal, Browse
                      Reputation:low
                      Has exited:false

                      Target ID:3
                      Start time:02:31:16
                      Start date:27/05/2024
                      Path:C:\Windows\SystemTemp\Google7068_1700592644\bin\updater.exe
                      Wow64 process (32bit):true
                      Commandline:C:\Windows\SystemTemp\Google7068_1700592644\bin\updater.exe --crash-handler --system "--database=C:\Program Files (x86)\Google\GoogleUpdater\126.0.6462.0\Crashpad" --url=https://clients2.google.com/cr/report --annotation=prod=Update4 --annotation=ver=126.0.6462.0 "--attachment=C:\Program Files (x86)\Google\GoogleUpdater\updater.log" --initial-client-data=0x27c,0x280,0x284,0x258,0x288,0x8d965c,0x8d9668,0x8d9674
                      Imagebase:0x4d0000
                      File size:4'794'656 bytes
                      MD5 hash:95222FAEEAB2CEBE9502F2E123D5DD2A
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Reputation:low
                      Has exited:false

                      Target ID:4
                      Start time:02:31:17
                      Start date:27/05/2024
                      Path:C:\Program Files (x86)\Google\GoogleUpdater\126.0.6462.0\updater.exe
                      Wow64 process (32bit):true
                      Commandline:"C:\Program Files (x86)\Google\GoogleUpdater\126.0.6462.0\updater.exe" --system --windows-service --service=update-internal
                      Imagebase:0xd40000
                      File size:4'794'656 bytes
                      MD5 hash:95222FAEEAB2CEBE9502F2E123D5DD2A
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Antivirus matches:
                      • Detection: 0%, ReversingLabs
                      • Detection: 0%, Virustotal, Browse
                      Reputation:low
                      Has exited:true

                      Target ID:5
                      Start time:02:31:17
                      Start date:27/05/2024
                      Path:C:\Program Files (x86)\Google\GoogleUpdater\126.0.6462.0\updater.exe
                      Wow64 process (32bit):true
                      Commandline:"C:\Program Files (x86)\Google\GoogleUpdater\126.0.6462.0\updater.exe" --crash-handler --system "--database=C:\Program Files (x86)\Google\GoogleUpdater\126.0.6462.0\Crashpad" --url=https://clients2.google.com/cr/report --annotation=prod=Update4 --annotation=ver=126.0.6462.0 "--attachment=C:\Program Files (x86)\Google\GoogleUpdater\updater.log" --initial-client-data=0x288,0x28c,0x290,0x264,0x294,0x114965c,0x1149668,0x1149674
                      Imagebase:0xd40000
                      File size:4'794'656 bytes
                      MD5 hash:95222FAEEAB2CEBE9502F2E123D5DD2A
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Reputation:low
                      Has exited:true

                      Target ID:6
                      Start time:02:31:18
                      Start date:27/05/2024
                      Path:C:\Program Files (x86)\Google\GoogleUpdater\126.0.6462.0\updater.exe
                      Wow64 process (32bit):true
                      Commandline:"C:\Program Files (x86)\Google\GoogleUpdater\126.0.6462.0\updater.exe" --system --windows-service --service=update
                      Imagebase:0xd40000
                      File size:4'794'656 bytes
                      MD5 hash:95222FAEEAB2CEBE9502F2E123D5DD2A
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Reputation:low
                      Has exited:false

                      Target ID:7
                      Start time:02:31:18
                      Start date:27/05/2024
                      Path:C:\Program Files (x86)\Google\GoogleUpdater\126.0.6462.0\updater.exe
                      Wow64 process (32bit):true
                      Commandline:"C:\Program Files (x86)\Google\GoogleUpdater\126.0.6462.0\updater.exe" --crash-handler --system "--database=C:\Program Files (x86)\Google\GoogleUpdater\126.0.6462.0\Crashpad" --url=https://clients2.google.com/cr/report --annotation=prod=Update4 --annotation=ver=126.0.6462.0 "--attachment=C:\Program Files (x86)\Google\GoogleUpdater\updater.log" --initial-client-data=0x288,0x28c,0x290,0x264,0x294,0x114965c,0x1149668,0x1149674
                      Imagebase:0xd40000
                      File size:4'794'656 bytes
                      MD5 hash:95222FAEEAB2CEBE9502F2E123D5DD2A
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Reputation:low
                      Has exited:false

                      Target ID:8
                      Start time:02:31:22
                      Start date:27/05/2024
                      Path:C:\Windows\System32\svchost.exe
                      Wow64 process (32bit):false
                      Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
                      Imagebase:0x7ff62c440000
                      File size:55'320 bytes
                      MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Reputation:high
                      Has exited:false

                      Target ID:10
                      Start time:02:31:28
                      Start date:27/05/2024
                      Path:C:\Windows\System32\svchost.exe
                      Wow64 process (32bit):false
                      Commandline:C:\Windows\System32\svchost.exe -k NetworkService -p
                      Imagebase:0x7ff62c440000
                      File size:55'320 bytes
                      MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                      Has elevated privileges:true
                      Has administrator privileges:false
                      Programmed in:C, C++ or other language
                      Reputation:high
                      Has exited:true

                      Target ID:11
                      Start time:02:31:28
                      Start date:27/05/2024
                      Path:C:\Windows\System32\SgrmBroker.exe
                      Wow64 process (32bit):false
                      Commandline:C:\Windows\system32\SgrmBroker.exe
                      Imagebase:0x7ff7648e0000
                      File size:329'504 bytes
                      MD5 hash:3BA1A18A0DC30A0545E7765CB97D8E63
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Reputation:high
                      Has exited:false

                      Target ID:12
                      Start time:02:31:29
                      Start date:27/05/2024
                      Path:C:\Windows\System32\svchost.exe
                      Wow64 process (32bit):false
                      Commandline:C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
                      Imagebase:0x7ff62c440000
                      File size:55'320 bytes
                      MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Reputation:high
                      Has exited:false

                      Target ID:13
                      Start time:02:31:29
                      Start date:27/05/2024
                      Path:C:\Windows\System32\svchost.exe
                      Wow64 process (32bit):false
                      Commandline:C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc
                      Imagebase:0x7ff62c440000
                      File size:55'320 bytes
                      MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Reputation:high
                      Has exited:false

                      Target ID:15
                      Start time:02:31:29
                      Start date:27/05/2024
                      Path:C:\Windows\System32\svchost.exe
                      Wow64 process (32bit):false
                      Commandline:C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s wscsvc
                      Imagebase:0x7ff62c440000
                      File size:55'320 bytes
                      MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                      Has elevated privileges:true
                      Has administrator privileges:false
                      Programmed in:C, C++ or other language
                      Reputation:high
                      Has exited:false

                      Target ID:16
                      Start time:02:31:29
                      Start date:27/05/2024
                      Path:C:\Windows\System32\svchost.exe
                      Wow64 process (32bit):false
                      Commandline:C:\Windows\system32\svchost.exe -k UnistackSvcGroup
                      Imagebase:0x7ff62c440000
                      File size:55'320 bytes
                      MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                      Has elevated privileges:false
                      Has administrator privileges:false
                      Programmed in:C, C++ or other language
                      Reputation:high
                      Has exited:false

                      Target ID:17
                      Start time:02:32:29
                      Start date:27/05/2024
                      Path:C:\Program Files\Windows Defender\MpCmdRun.exe
                      Wow64 process (32bit):false
                      Commandline:"C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable
                      Imagebase:0x7ff773c00000
                      File size:468'120 bytes
                      MD5 hash:B3676839B2EE96983F9ED735CD044159
                      Has elevated privileges:true
                      Has administrator privileges:false
                      Programmed in:C, C++ or other language
                      Reputation:high
                      Has exited:true

                      Target ID:18
                      Start time:02:32:29
                      Start date:27/05/2024
                      Path:C:\Windows\System32\conhost.exe
                      Wow64 process (32bit):false
                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Imagebase:0x7ff6684c0000
                      File size:862'208 bytes
                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                      Has elevated privileges:true
                      Has administrator privileges:false
                      Programmed in:C, C++ or other language
                      Has exited:true

                      Target ID:19
                      Start time:02:33:12
                      Start date:27/05/2024
                      Path:C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping4180_536941199\125.0.6422.113_chrome_installer.exe
                      Wow64 process (32bit):
                      Commandline:"C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping4180_536941199\125.0.6422.113_chrome_installer.exe" --verbose-logging --do-not-launch-chrome --channel=stable --installerdata="C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping4180_536941199\bdefe0a9-9fa1-476d-abba-f730b9c95120.tmp"
                      Imagebase:
                      File size:113'062'448 bytes
                      MD5 hash:081A95E1BC6A90E22F4ABA75947B111A
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Antivirus matches:
                      • Detection: 0%, ReversingLabs
                      • Detection: 0%, Virustotal, Browse
                      Has exited:false
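The per-process records above are flat "key:value" lines, which is awkward to triage by eye once a report has twenty of them. The following is an added example (not part of the Joe Sandbox report or of any Google code) that parses a block of such records and runs three checks that matter for this sample: the same image (MD5 95222FAEEAB2CEBE9502F2E123D5DD2A) executing first from C:\Windows\SystemTemp and then from its Program Files install path, processes holding administrator privileges while running from a user-writable or temp directory, and any URL passed on a command line (here the Crashpad endpoint https://clients2.google.com/cr/report). The embedded sample is a constructed subset of the report's own Target 0, 2, 3, 4 and 19 records, trimmed to the fields the checks read; the list of "user-writable" prefixes is an assumption chosen for this illustration.

```python
"""Parse flattened Joe Sandbox process records and run simple triage checks.
Added example; not part of the sandbox report or any vendor code."""
import re
from collections import defaultdict

# Constructed sample: Target 0, 2, 3, 4 and 19 from the report above,
# trimmed to the fields used below (command lines shortened).
SAMPLE = r"""
Target ID:0
Path:C:\Users\user\Desktop\oBX1n79NgQ.exe
Wow64 process (32bit):true
Commandline:"C:\Users\user\Desktop\oBX1n79NgQ.exe"
MD5 hash:DE2E32E7E89454A112C83F0C5A86CC45
Has administrator privileges:true

Target ID:2
Path:C:\Windows\SystemTemp\Google7068_1700592644\bin\updater.exe
Wow64 process (32bit):true
Commandline:"C:\Windows\SystemTemp\Google7068_1700592644\bin\updater.exe" --install=appguid={8A69D345-D564-463C-AFF1-A69D9E530F96}&lang=en --enable-logging
MD5 hash:95222FAEEAB2CEBE9502F2E123D5DD2A
Has administrator privileges:true

Target ID:3
Path:C:\Windows\SystemTemp\Google7068_1700592644\bin\updater.exe
Wow64 process (32bit):true
Commandline:C:\Windows\SystemTemp\Google7068_1700592644\bin\updater.exe --crash-handler --system --url=https://clients2.google.com/cr/report --annotation=prod=Update4
MD5 hash:95222FAEEAB2CEBE9502F2E123D5DD2A
Has administrator privileges:true

Target ID:4
Path:C:\Program Files (x86)\Google\GoogleUpdater\126.0.6462.0\updater.exe
Wow64 process (32bit):true
Commandline:"C:\Program Files (x86)\Google\GoogleUpdater\126.0.6462.0\updater.exe" --system --windows-service --service=update-internal
MD5 hash:95222FAEEAB2CEBE9502F2E123D5DD2A
Has administrator privileges:true

Target ID:19
Path:C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping4180_536941199\125.0.6422.113_chrome_installer.exe
Wow64 process (32bit):
Commandline:"C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping4180_536941199\125.0.6422.113_chrome_installer.exe" --verbose-logging --do-not-launch-chrome
MD5 hash:081A95E1BC6A90E22F4ABA75947B111A
Has administrator privileges:true
"""

# Assumed set of locations a standard user can write to (illustrative, not exhaustive).
USER_WRITABLE_PREFIXES = ("c:\\users\\", "c:\\windows\\systemtemp\\",
                          "c:\\windows\\temp\\", "c:\\programdata\\")
URL_RE = re.compile(r"https?://[^\s\"']+")


def parse_processes(text):
    """Split the text into one dict per 'Target ID' block.
    Only the first colon separates key from value, because values such as
    C:\\... contain colons themselves. An empty value (as in Target 19's
    Wow64 field) is kept as '' rather than dropped."""
    procs = []
    for block in re.split(r"\n\s*\n", text.strip()):
        rec = {}
        for line in block.splitlines():
            key, _, value = line.partition(":")
            rec[key.strip()] = value.strip()
        if "Target ID" in rec:
            procs.append(rec)
    return procs


def same_image_different_paths(procs):
    """MD5 -> sorted paths, for images that ran from more than one location
    (a file dropped to a temp directory and later run from its install path)."""
    by_hash = defaultdict(set)
    for p in procs:
        by_hash[p.get("MD5 hash", "").upper()].add(p.get("Path", ""))
    return {h: sorted(paths) for h, paths in by_hash.items() if len(paths) > 1}


def admin_from_user_writable(procs):
    """Target IDs that hold administrator privileges while their image lives
    in a user-writable or temp directory."""
    hits = []
    for p in procs:
        path = p.get("Path", "").lower()
        if (p.get("Has administrator privileges") == "true"
                and path.startswith(USER_WRITABLE_PREFIXES)):
            hits.append(p["Target ID"])
    return hits


def urls_in_command_lines(procs):
    """Every URL that appears on any command line, deduplicated and sorted."""
    return sorted({u for p in procs
                   for u in URL_RE.findall(p.get("Commandline", ""))})


if __name__ == "__main__":
    procs = parse_processes(SAMPLE)
    print(same_image_different_paths(procs))
    print(admin_from_user_writable(procs))
    print(urls_in_command_lines(procs))
```

Run against the full report text the same functions also pick up the svchost.exe and MpCmdRun.exe records, which the prefix check correctly ignores because they run from C:\Windows\System32 and C:\Program Files; the point of the hash check is that it works on the MD5 the sandbox already recorded, so no file access is needed.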

                      No disassembly