Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	May 24, 2024, 7:36 a.m.	May 24, 2024, 7:42 a.m.

Size	1.4MB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`fe2f9e211bfaf529c92bc28cb847da46`
SHA256	`45ce3a3af747982ccad8442572b2d8fb684af8f9eed37a18fd9867d6ff32eb97`
CRC32	`8A125183`
ssdeep	`24576:Jw8KjKjGFygcc23L1/NVOmOSGb6E3ecS4fzrjxJh9UZXlpbPvC7xtYUrEmFlo+LT:PKjKWQc2b1FVgbjrjxPe1pbPSQm1FloS`
PDB Path	TEST_mi_exe_stub.pdb
Yara	Malicious_Library_Zero - Malicious_Library PE_Header_Zero - PE File Signature IsPE32 - (no description) Win32_Trojan_Emotet_2_Zero - Win32 Trojan Emotet UPX_Zero - UPX packed file Generic_Malware_Zero - Generic Malware OS_Processor_Check_Zero - OS Processor Check

ChromeSetup.exe "C:\Users\test22\AppData\Local\Temp\ChromeSetup.exe"
2600
- GoogleUpdate.exe "C:\Program Files (x86)\Google\Temp\GUMEF70.tmp\GoogleUpdate.exe" /installsource taggedmi /install "appguid={8A69D345-D564-463C-AFF1-A69D9E530F96}&iid={AF2C9DFF-41AA-A7A6-61E9-1F4ACFE5BC9E}&lang=en-GB&browser=4&usagestats=1&appname=Google%20Chrome&needsadmin=prefers&ap=x64-stable-statsdef_1&brand=CHBD&installdataindex=empty"
  2664
  - GoogleUpdate.exe "C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /regsvc
    2740
  - GoogleUpdate.exe "C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /regserver
    2812
    - GoogleUpdateComRegisterShell64.exe "C:\Program Files (x86)\Google\Update\1.3.36.152\GoogleUpdateComRegisterShell64.exe"
      2872
    - GoogleUpdateComRegisterShell64.exe "C:\Program Files (x86)\Google\Update\1.3.36.152\GoogleUpdateComRegisterShell64.exe"
      2928
    - GoogleUpdateComRegisterShell64.exe "C:\Program Files (x86)\Google\Update\1.3.36.152\GoogleUpdateComRegisterShell64.exe"
      2984
  - GoogleUpdate.exe "C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4zNi4xNTIiIHNoZWxsX3ZlcnNpb249IjEuMy4zMy43IiBpc21hY2hpbmU9IjEiIHNlc3Npb25pZD0iezUzMzVGMjk0LTM4N0YtNEIwRi04MDIyLTQwQTA1OTY0NzZEQX0iIHVzZXJpZD0iezkzMjI1RDIxLUJDQkEtNDBCRi1CNDBDLTVCNUIyQTFFQUVBQ30iIGluc3RhbGxzb3VyY2U9InRhZ2dlZG1pIiByZXF1ZXN0aWQ9Ins2OTJGNDNCOS00QzA0LTQzNDMtQUNEOC0wMTgzQTREOThDMjR9IiBkZWR1cD0iY3IiIGRvbWFpbmpvaW5lZD0iMCI-PGh3IHBoeXNtZW1vcnk9IjUiIHNzZT0iMSIgc3NlMj0iMSIgc3NlMz0iMSIgc3NzZTM9IjEiIHNzZTQxPSIxIiBzc2U0Mj0iMSIgYXZ4PSIxIi8-PG9zIHBsYXRmb3JtPSJ3aW4iIHZlcnNpb249IjYuMS43NjAxLjAiIHNwPSJTZXJ2aWNlIFBhY2sgMSIgYXJjaD0ieDY0Ii8-PGFwcCBhcHBpZD0iezQzMEZENEQwLUI3MjktNEY2MS1BQTM0LTkxNTI2NDgxNzk5RH0iIHZlcnNpb249IjEuMy4zMy43IiBuZXh0dmVyc2lvbj0iMS4zLjM2LjE1MiIgbGFuZz0iZW4tR0IiIGJyYW5kPSJDSEJEIiBjbGllbnQ9IiIgaWlkPSJ7QUYyQzlERkYtNDFBQS1BN0E2LTYxRTktMUY0QUNGRTVCQzlFfSI-PGV2ZW50IGV2ZW50dHlwZT0iMiIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMCIgaW5zdGFsbF90aW1lX21zPSI0NDA2Ii8-PC9hcHA-PC9yZXF1ZXN0Pg
    3056
  - GoogleUpdate.exe "C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /handoff "appguid={8A69D345-D564-463C-AFF1-A69D9E530F96}&iid={AF2C9DFF-41AA-A7A6-61E9-1F4ACFE5BC9E}&lang=en-GB&browser=4&usagestats=1&appname=Google%20Chrome&needsadmin=prefers&ap=x64-stable-statsdef_1&brand=CHBD&installdataindex=empty" /installsource taggedmi /sessionid "{5335F294-387F-4B0F-8022-40A0596476DA}"
    940

Name	Response	Post-Analysis Lookup
www.google.com		172.217.25.164
clients2.googleusercontent.com	CNAME googlehosted.l.googleusercontent.com A 172.217.24.97	172.217.161.225
edgedl.me.gvt1.com	A 34.104.35.123	34.104.35.123
accounts.google.com	A 108.177.125.84	64.233.188.84
r1---sn-3u-bh2ss.gvt1.com	A 211.114.64.12 CNAME r1.sn-3u-bh2ss.gvt1.com	211.114.64.12
clientservices.googleapis.com		142.250.206.195
www.gstatic.com		172.217.25.163
accounts.google.com		64.233.188.84
apis.google.com	A 172.217.27.46 CNAME plus.l.google.com	172.217.161.238
play.google.com		142.250.207.110
www.google.com	A 216.58.200.228 A 172.217.27.36	172.217.25.164
_googlecast._tcp.local
dns.google	A 8.8.8.8 A 8.8.4.4	8.8.4.4
play.google.com	A 172.217.24.78	142.250.207.110
dns.google		8.8.4.4
clientservices.googleapis.com	A 142.251.222.195	142.250.206.195
clients2.googleusercontent.com	CNAME googlehosted.l.googleusercontent.com	172.217.161.225
apis.google.com	CNAME plus.l.google.com	172.217.161.238
www.gstatic.com	A 142.251.222.195	172.217.25.163
r1---sn-3u-bh2ss.gvt1.com	CNAME r1.sn-3u-bh2ss.gvt1.com	211.114.64.12

IP Address	Status	Action
108.177.125.84	Active	Moloch
142.250.204.110	Active	Moloch
142.250.206.234	Active	Moloch
142.250.76.131	Active	Moloch
142.250.76.142	Active	Moloch
142.251.222.195	Active	Moloch
164.124.101.2	Active	Moloch
172.217.161.225	Active	Moloch
172.217.24.78	Active	Moloch
172.217.24.97	Active	Moloch
172.217.25.170	Active	Moloch
172.217.25.174	Active	Moloch
172.217.27.36	Active	Moloch
172.217.27.46	Active	Moloch
211.114.64.12	Active	Moloch
216.58.200.228	Active	Moloch
34.104.35.123	Active	Moloch
45.33.6.223	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.101:49245 -> 172.217.24.227:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49246 -> 172.217.24.227:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 34.104.35.123:80 -> 192.168.56.101:49250	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 34.104.35.123:80 -> 192.168.56.101:49250	2014520	ET INFO EXE - Served Attached HTTP	Misc activity
TCP 192.168.56.101:49339 -> 172.217.24.227:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49344 -> 8.8.8.8:443	2047866	ET INFO Observed Google DNS over HTTPS Domain (dns .google in TLS SNI)	Misc activity

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLS 1.2 192.168.56.101:49245 172.217.24.227:443	C=US, O=Google Trust Services, CN=WR2	CN=upload.video.google.com	87:a0:28:7a:78:8a:cb:af:25:26:65:fb:d1:da:f0:82:e6:66:7c:71
TLS 1.2 192.168.56.101:49246 172.217.24.227:443	C=US, O=Google Trust Services, CN=WR2	CN=upload.video.google.com	87:a0:28:7a:78:8a:cb:af:25:26:65:fb:d1:da:f0:82:e6:66:7c:71
TLS 1.3 192.168.56.101:49328 142.250.204.110:443	None	None	None
TLS 1.3 192.168.56.101:49327 142.251.222.195:443	None	None	None
TLS 1.3 192.168.56.101:49329 216.58.203.67:443	None	None	None
TLS 1.3 192.168.56.101:49332 211.114.64.12:443	None	None	None
TLS 1.3 192.168.56.101:49334 216.58.200.228:443	None	None	None
TLS 1.3 192.168.56.101:49336 142.251.222.195:443	None	None	None
TLS 1.3 192.168.56.101:49340 172.217.27.46:443	None	None	None
TLS 1.2 192.168.56.101:49339 172.217.24.227:443	C=US, O=Google Trust Services, CN=WR2	CN=upload.video.google.com	87:a0:28:7a:78:8a:cb:af:25:26:65:fb:d1:da:f0:82:e6:66:7c:71
TLS 1.3 192.168.56.101:49342 172.217.24.78:443	None	None	None
TLS 1.3 192.168.56.101:49331 216.58.200.228:443	None	None	None
TLS 1.3 192.168.56.101:49348 142.250.206.234:443	None	None	None
TLS 1.3 192.168.56.101:49352 142.250.76.131:443	None	None	None
TLS 1.3 192.168.56.101:49345 8.8.4.4:443	None	None	None
TLS 1.3 192.168.56.101:49344 8.8.8.8:443	None	None	None
TLS 1.3 192.168.56.101:49346 8.8.8.8:443	None	None	None
TLS 1.3 192.168.56.101:49349 142.250.76.142:443	None	None	None
TLS 1.3 192.168.56.101:49350 172.217.25.174:443	None	None	None
TLS 1.3 192.168.56.101:49351 172.217.25.170:443	None	None	None
TLS 1.3 192.168.56.101:49326 172.217.27.36:443	None	None	None
TLS 1.3 192.168.56.101:49330 108.177.125.84:443	None	None	None
TLS 1.3 192.168.56.101:49343 172.217.24.97:443	None	None	None
UNDETERMINED 192.168.56.101:49338 142.251.222.195:443	None	None	None
UNDETERMINED 192.168.56.101:49333 216.58.200.228:443	None	None	None
UNDETERMINED 192.168.56.101:49337 142.251.222.195:443	None	None	None

Queries for the computername (8 events)

Time & API	Arguments	Status	Return
GetComputerNameW May 24, 2024, 7:36 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 24, 2024, 7:36 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 24, 2024, 7:36 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 24, 2024, 7:36 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 24, 2024, 7:36 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 24, 2024, 7:36 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 24, 2024, 7:36 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 24, 2024, 7:36 a.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (1 event)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent May 24, 2024, 7:36 a.m.			0	0

This executable has a PDB path (1 event)

pdb_path

TEST_mi_exe_stub.pdb

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx May 24, 2024, 7:36 a.m.		1	1	0

The file contains an unknown PE resource name possibly indicative of a packer (2 events)

resource name	B
resource name	GOOGLEUPDATE

HTTP traffic contains suspicious features which may be indicative of malware related traffic (2 events)

suspicious_features	POST method with no referer header				suspicious_request	POST https://update.googleapis.com/service/update2
suspicious_features	POST method with no referer header				suspicious_request	POST https://update.googleapis.com/service/update2?cup2key=12:n6EyV-uvoCaVgxFxDQet4WSYiBFRf-2C5HNBwb81dao&cup2hreq=1617e93f4cc0a87c8eec0ba442964150753038fe712f2774cc7d587abbdc23fd

Performs some HTTP requests (6 events)

request	HEAD http://edgedl.me.gvt1.com/edgedl/release2/chrome/czao2hrvpk5wgqrkz4kks5r734_109.0.5414.120/109.0.5414.120_chrome_installer.exe
request	GET http://edgedl.me.gvt1.com/edgedl/release2/chrome/czao2hrvpk5wgqrkz4kks5r734_109.0.5414.120/109.0.5414.120_chrome_installer.exe
request	HEAD http://edgedl.me.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvYTBmQUFZUHRkSkgtb01uSGNvRHZ2Tm5HQQ/1.0.0.15_llkgjffcdpffmhiakmfcdcblohccpfmo.crx
request	GET http://edgedl.me.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvYTBmQUFZUHRkSkgtb01uSGNvRHZ2Tm5HQQ/1.0.0.15_llkgjffcdpffmhiakmfcdcblohccpfmo.crx
request	POST https://update.googleapis.com/service/update2
request	POST https://update.googleapis.com/service/update2?cup2key=12:n6EyV-uvoCaVgxFxDQet4WSYiBFRf-2C5HNBwb81dao&cup2hreq=1617e93f4cc0a87c8eec0ba442964150753038fe712f2774cc7d587abbdc23fd

Sends data using the HTTP POST Method (2 events)

request	POST https://update.googleapis.com/service/update2
request	POST https://update.googleapis.com/service/update2?cup2key=12:n6EyV-uvoCaVgxFxDQet4WSYiBFRf-2C5HNBwb81dao&cup2hreq=1617e93f4cc0a87c8eec0ba442964150753038fe712f2774cc7d587abbdc23fd

Allocates read-write-execute memory (usually to unpack itself) (4 events)

Time & API	Arguments	Status
NtProtectVirtualMemory May 24, 2024, 7:36 a.m.	process_identifier: 2664 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73262000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 24, 2024, 7:36 a.m.	process_identifier: 2664 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01070000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 24, 2024, 7:36 a.m.	process_identifier: 940 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x009a0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory May 24, 2024, 7:36 a.m.	process_identifier: 940 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73262000 process_handle: 0xffffffff	1

Foreign language identified in PE resource (50 out of 55 events)

name

RT_STRING

language

LANG_SERBIAN

filetype

data

sublanguage

SUBLANG_SERBIAN_CYRILLIC

offset

0x001567f0

size

0x000001aa

name

RT_STRING

language

LANG_SERBIAN

filetype

data

sublanguage

SUBLANG_SERBIAN_CYRILLIC

offset

0x001567f0

size

0x000001aa

name

RT_STRING

language

LANG_SERBIAN

filetype

data

sublanguage

SUBLANG_SERBIAN_CYRILLIC

offset

0x001567f0

size

0x000001aa

name

RT_STRING

language

LANG_SERBIAN

filetype

data

sublanguage

SUBLANG_SERBIAN_CYRILLIC

offset

0x001567f0

size

0x000001aa

name

RT_STRING

language

LANG_SERBIAN

filetype

data

sublanguage

SUBLANG_SERBIAN_CYRILLIC

offset

0x001567f0

size

0x000001aa

name

RT_STRING

language

LANG_SERBIAN

filetype

data

sublanguage

SUBLANG_SERBIAN_CYRILLIC

offset

0x001567f0

size

0x000001aa

name

RT_STRING

language

LANG_SERBIAN

filetype

data

sublanguage

SUBLANG_SERBIAN_CYRILLIC

offset

0x001567f0

size

0x000001aa

name

RT_STRING

language

LANG_SERBIAN

filetype

data

sublanguage

SUBLANG_SERBIAN_CYRILLIC

offset

0x001567f0

size

0x000001aa

name

RT_STRING

language

LANG_SERBIAN

filetype

data

sublanguage

SUBLANG_SERBIAN_CYRILLIC

offset

0x001567f0

size

0x000001aa

name

RT_STRING

language

LANG_SERBIAN

filetype

data

sublanguage

SUBLANG_SERBIAN_CYRILLIC

offset

0x001567f0

size

0x000001aa

name

RT_STRING

language

LANG_SERBIAN

filetype

data

sublanguage

SUBLANG_SERBIAN_CYRILLIC

offset

0x001567f0

size

0x000001aa

name

RT_STRING

language

LANG_SERBIAN

filetype

data

sublanguage

SUBLANG_SERBIAN_CYRILLIC

offset

0x001567f0

size

0x000001aa

name

RT_STRING

language

LANG_SERBIAN

filetype

data

sublanguage

SUBLANG_SERBIAN_CYRILLIC

offset

0x001567f0

size

0x000001aa

name

RT_STRING

language

LANG_SERBIAN

filetype

data

sublanguage

SUBLANG_SERBIAN_CYRILLIC

offset

0x001567f0

size

0x000001aa

name

RT_STRING

language

LANG_SERBIAN

filetype

data

sublanguage

SUBLANG_SERBIAN_CYRILLIC

offset

0x001567f0

size

0x000001aa

name

RT_STRING

language

LANG_SERBIAN

filetype

data

sublanguage

SUBLANG_SERBIAN_CYRILLIC

offset

0x001567f0

size

0x000001aa

name

RT_STRING

language

LANG_SERBIAN

filetype

data

sublanguage

SUBLANG_SERBIAN_CYRILLIC

offset

0x001567f0

size

0x000001aa

name

RT_STRING

language

LANG_SERBIAN

filetype

data

sublanguage

SUBLANG_SERBIAN_CYRILLIC

offset

0x001567f0

size

0x000001aa

name

RT_STRING

language

LANG_SERBIAN

filetype

data

sublanguage

SUBLANG_SERBIAN_CYRILLIC

offset

0x001567f0

size

0x000001aa

name

RT_STRING

language

LANG_SERBIAN

filetype

data

sublanguage

SUBLANG_SERBIAN_CYRILLIC

offset

0x001567f0

size

0x000001aa

name

RT_STRING

language

LANG_SERBIAN

filetype

data

sublanguage

SUBLANG_SERBIAN_CYRILLIC

offset

0x001567f0

size

0x000001aa

name

RT_STRING

language

LANG_SERBIAN

filetype

data

sublanguage

SUBLANG_SERBIAN_CYRILLIC

offset

0x001567f0

size

0x000001aa

name

RT_STRING

language

LANG_SERBIAN

filetype

data

sublanguage

SUBLANG_SERBIAN_CYRILLIC

offset

0x001567f0

size

0x000001aa

name

RT_STRING

language

LANG_SERBIAN

filetype

data

sublanguage

SUBLANG_SERBIAN_CYRILLIC

offset

0x001567f0

size

0x000001aa

name

RT_STRING

language

LANG_SERBIAN

filetype

data

sublanguage

SUBLANG_SERBIAN_CYRILLIC

offset

0x001567f0

size

0x000001aa

name

RT_STRING

language

LANG_SERBIAN

filetype

data

sublanguage

SUBLANG_SERBIAN_CYRILLIC

offset

0x001567f0

size

0x000001aa

name

RT_STRING

language

LANG_SERBIAN

filetype

data

sublanguage

SUBLANG_SERBIAN_CYRILLIC

offset

0x001567f0

size

0x000001aa

name

RT_STRING

language

LANG_SERBIAN

filetype

data

sublanguage

SUBLANG_SERBIAN_CYRILLIC

offset

0x001567f0

size

0x000001aa

name

RT_STRING

language

LANG_SERBIAN

filetype

data

sublanguage

SUBLANG_SERBIAN_CYRILLIC

offset

0x001567f0

size

0x000001aa

name

RT_STRING

language

LANG_SERBIAN

filetype

data

sublanguage

SUBLANG_SERBIAN_CYRILLIC

offset

0x001567f0

size

0x000001aa

name

RT_STRING

language

LANG_SERBIAN

filetype

data

sublanguage

SUBLANG_SERBIAN_CYRILLIC

offset

0x001567f0

size

0x000001aa

name

RT_STRING

language

LANG_SERBIAN

filetype

data

sublanguage

SUBLANG_SERBIAN_CYRILLIC

offset

0x001567f0

size

0x000001aa

name

RT_STRING

language

LANG_SERBIAN

filetype

data

sublanguage

SUBLANG_SERBIAN_CYRILLIC

offset

0x001567f0

size

0x000001aa

name

RT_STRING

language

LANG_SERBIAN

filetype

data

sublanguage

SUBLANG_SERBIAN_CYRILLIC

offset

0x001567f0

size

0x000001aa

name

RT_STRING

language

LANG_SERBIAN

filetype

data

sublanguage

SUBLANG_SERBIAN_CYRILLIC

offset

0x001567f0

size

0x000001aa

name

RT_STRING

language

LANG_SERBIAN

filetype

data

sublanguage

SUBLANG_SERBIAN_CYRILLIC

offset

0x001567f0

size

0x000001aa

name

RT_STRING

language

LANG_SERBIAN

filetype

data

sublanguage

SUBLANG_SERBIAN_CYRILLIC

offset

0x001567f0

size

0x000001aa

name

RT_STRING

language

LANG_SERBIAN

filetype

data

sublanguage

SUBLANG_SERBIAN_CYRILLIC

offset

0x001567f0

size

0x000001aa

name

RT_STRING

language

LANG_SERBIAN

filetype

data

sublanguage

SUBLANG_SERBIAN_CYRILLIC

offset

0x001567f0

size

0x000001aa

name

RT_STRING

language

LANG_SERBIAN

filetype

data

sublanguage

SUBLANG_SERBIAN_CYRILLIC

offset

0x001567f0

size

0x000001aa

name

RT_STRING

language

LANG_SERBIAN

filetype

data

sublanguage

SUBLANG_SERBIAN_CYRILLIC

offset

0x001567f0

size

0x000001aa

name

RT_STRING

language

LANG_SERBIAN

filetype

data

sublanguage

SUBLANG_SERBIAN_CYRILLIC

offset

0x001567f0

size

0x000001aa

name

RT_STRING

language

LANG_SERBIAN

filetype

data

sublanguage

SUBLANG_SERBIAN_CYRILLIC

offset

0x001567f0

size

0x000001aa

name

RT_STRING

language

LANG_SERBIAN

filetype

data

sublanguage

SUBLANG_SERBIAN_CYRILLIC

offset

0x001567f0

size

0x000001aa

name

RT_STRING

language

LANG_SERBIAN

filetype

data

sublanguage

SUBLANG_SERBIAN_CYRILLIC

offset

0x001567f0

size

0x000001aa

name

RT_STRING

language

LANG_SERBIAN

filetype

data

sublanguage

SUBLANG_SERBIAN_CYRILLIC

offset

0x001567f0

size

0x000001aa

name

RT_STRING

language

LANG_SERBIAN

filetype

data

sublanguage

SUBLANG_SERBIAN_CYRILLIC

offset

0x001567f0

size

0x000001aa

name

RT_STRING

language

LANG_SERBIAN

filetype

data

sublanguage

SUBLANG_SERBIAN_CYRILLIC

offset

0x001567f0

size

0x000001aa

name

RT_STRING

language

LANG_SERBIAN

filetype

data

sublanguage

SUBLANG_SERBIAN_CYRILLIC

offset

0x001567f0

size

0x000001aa

name

RT_STRING

language

LANG_SERBIAN

filetype

data

sublanguage

SUBLANG_SERBIAN_CYRILLIC

offset

0x001567f0

size

0x000001aa

Creates executable files on the filesystem (50 out of 67 events)

file	C:\Program Files (x86)\Google\Temp\GUMEF70.tmp\goopdateres_en.dll
file	C:\Program Files (x86)\Google\Temp\GUMEF70.tmp\GoogleCrashHandler.exe
file	C:\Program Files (x86)\Google\Temp\GUMEF70.tmp\GoogleUpdateBroker.exe
file	C:\Program Files (x86)\Google\Temp\GUMEF70.tmp\goopdateres_sw.dll
file	C:\Program Files (x86)\Google\Temp\GUMEF70.tmp\goopdateres_gu.dll
file	C:\Program Files (x86)\Google\Temp\GUMEF70.tmp\GoogleUpdateOnDemand.exe
file	C:\Program Files (x86)\Google\Temp\GUMEF70.tmp\goopdateres_te.dll
file	C:\Program Files (x86)\Google\Temp\GUMEF70.tmp\goopdateres_id.dll
file	C:\Program Files (x86)\Google\Temp\GUMEF70.tmp\goopdateres_nl.dll
file	C:\Program Files (x86)\Google\Temp\GUMEF70.tmp\goopdateres_hu.dll
file	C:\Program Files (x86)\Google\Temp\GUMEF70.tmp\GoogleCrashHandler64.exe
file	C:\Program Files (x86)\Google\Temp\GUMEF70.tmp\goopdateres_da.dll
file	C:\Program Files (x86)\Google\Temp\GUMEF70.tmp\goopdateres_uk.dll
file	C:\Program Files (x86)\Google\Temp\GUMEF70.tmp\goopdateres_ko.dll
file	C:\Program Files (x86)\Google\Temp\GUMEF70.tmp\goopdateres_hi.dll
file	C:\Program Files (x86)\Google\Temp\GUMEF70.tmp\GoogleUpdateCore.exe
file	C:\Program Files (x86)\Google\Temp\GUMEF70.tmp\goopdateres_lv.dll
file	C:\Program Files (x86)\Google\Temp\GUMEF70.tmp\goopdateres_mr.dll
file	C:\Program Files (x86)\Google\Temp\GUMEF70.tmp\goopdateres_en-GB.dll
file	C:\Program Files (x86)\Google\Temp\GUMEF70.tmp\goopdateres_iw.dll
file	C:\Program Files (x86)\Google\Temp\GUMEF70.tmp\goopdateres_pt-PT.dll
file	C:\Program Files (x86)\Google\Temp\GUMEF70.tmp\GoogleUpdate.exe
file	C:\Program Files (x86)\Google\Temp\GUMEF70.tmp\psmachine.dll
file	C:\Program Files (x86)\Google\Temp\GUMEF70.tmp\goopdateres_fi.dll
file	C:\Program Files (x86)\Google\Temp\GUMEF70.tmp\goopdateres_ar.dll
file	C:\Program Files (x86)\Google\Temp\GUMEF70.tmp\goopdateres_ru.dll
file	C:\Program Files (x86)\Google\Temp\GUMEF70.tmp\goopdateres_ms.dll
file	C:\Program Files (x86)\Google\Temp\GUMEF70.tmp\goopdateres_bn.dll
file	C:\Program Files (x86)\Google\Temp\GUMEF70.tmp\goopdateres_sr.dll
file	C:\Program Files (x86)\Google\Temp\GUMEF70.tmp\goopdateres_ca.dll
file	C:\Program Files (x86)\Google\Temp\GUMEF70.tmp\goopdateres_it.dll
file	C:\Program Files (x86)\Google\Temp\GUMEF70.tmp\psuser.dll
file	C:\Program Files (x86)\Google\Temp\GUMEF70.tmp\psuser_64.dll
file	C:\Program Files (x86)\Google\Temp\GUMEF70.tmp\goopdateres_tr.dll
file	C:\Program Files (x86)\Google\Temp\GUMEF70.tmp\goopdateres_zh-CN.dll
file	C:\Program Files (x86)\Google\Temp\GUMEF70.tmp\goopdateres_lt.dll
file	C:\Program Files (x86)\Google\Temp\GUMEF70.tmp\goopdateres_et.dll
file	C:\Program Files (x86)\Google\Temp\GUMEF70.tmp\goopdateres_zh-TW.dll
file	C:\Program Files (x86)\Google\Temp\GUMEF70.tmp\goopdateres_es.dll
file	C:\Program Files (x86)\Google\Temp\GUMEF70.tmp\psmachine_64.dll
file	C:\Program Files (x86)\Google\Temp\GUMEF70.tmp\goopdateres_kn.dll
file	C:\Program Files (x86)\Google\Temp\GUMEF70.tmp\goopdateres_fa.dll
file	C:\Program Files (x86)\Google\Temp\GUMEF70.tmp\goopdateres_fr.dll
file	C:\Program Files (x86)\Google\Temp\GUMEF70.tmp\goopdateres_ro.dll
file	C:\Program Files (x86)\Google\Temp\GUMEF70.tmp\goopdateres_ur.dll
file	C:\Program Files (x86)\Google\Temp\GUMEF70.tmp\goopdateres_is.dll
file	C:\Program Files (x86)\Google\Temp\GUMEF70.tmp\goopdateres_sv.dll
file	C:\Program Files (x86)\Google\Temp\GUMEF70.tmp\goopdateres_no.dll
file	C:\Program Files (x86)\Google\Temp\GUMEF70.tmp\goopdateres_am.dll
file	C:\Program Files (x86)\Google\Temp\GUMEF70.tmp\goopdateres_sl.dll

Searches running processes potentially to identify processes for sandbox evasion, code injection or memory dumping (1 event)

Time & API	Arguments	Status	Return	Repeated
Process32NextW May 24, 2024, 7:36 a.m.	snapshot_handle: 0x000001cc process_name: GoogleUpdate.exe process_identifier: 2664	1	1	0

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses May 24, 2024, 7:36 a.m.	flags: 15 family: 0		111	0

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x00135200', u'virtual_address': u'0x00022000', u'entropy': 7.988101199224517, u'name': u'.rsrc', u'virtual_size': u'0x001351b4'}

entropy

7.98810119922

description

A section with a high entropy has been found

entropy

0.906192744595

description

Overall entropy of this PE file is high

Checks for the Locally Unique Identifier on the system for a suspicious privilege (5 events)

Time & API	Arguments	Status	Return
LookupPrivilegeValueW May 24, 2024, 7:36 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW May 24, 2024, 7:36 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW May 24, 2024, 7:36 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW May 24, 2024, 7:36 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW May 24, 2024, 7:36 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1

Expresses interest in specific running processes (1 event)

process

googleupdate.exe

Uses Windows utilities for basic Windows functionality (1 event)

cmdline

"C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4zNi4xNTIiIHNoZWxsX3ZlcnNpb249IjEuMy4zMy43IiBpc21hY2hpbmU9IjEiIHNlc3Npb25pZD0iezUzMzVGMjk0LTM4N0YtNEIwRi04MDIyLTQwQTA1OTY0NzZEQX0iIHVzZXJpZD0iezkzMjI1RDIxLUJDQkEtNDBCRi1CNDBDLTVCNUIyQTFFQUVBQ30iIGluc3RhbGxzb3VyY2U9InRhZ2dlZG1pIiByZXF1ZXN0aWQ9Ins2OTJGNDNCOS00QzA0LTQzNDMtQUNEOC0wMTgzQTREOThDMjR9IiBkZWR1cD0iY3IiIGRvbWFpbmpvaW5lZD0iMCI-PGh3IHBoeXNtZW1vcnk9IjUiIHNzZT0iMSIgc3NlMj0iMSIgc3NlMz0iMSIgc3NzZTM9IjEiIHNzZTQxPSIxIiBzc2U0Mj0iMSIgYXZ4PSIxIi8-PG9zIHBsYXRmb3JtPSJ3aW4iIHZlcnNpb249IjYuMS43NjAxLjAiIHNwPSJTZXJ2aWNlIFBhY2sgMSIgYXJjaD0ieDY0Ii8-PGFwcCBhcHBpZD0iezQzMEZENEQwLUI3MjktNEY2MS1BQTM0LTkxNTI2NDgxNzk5RH0iIHZlcnNpb249IjEuMy4zMy43IiBuZXh0dmVyc2lvbj0iMS4zLjM2LjE1MiIgbGFuZz0iZW4tR0IiIGJyYW5kPSJDSEJEIiBjbGllbnQ9IiIgaWlkPSJ7QUYyQzlERkYtNDFBQS1BN0E2LTYxRTktMUY0QUNGRTVCQzlFfSI-PGV2ZW50IGV2ZW50dHlwZT0iMiIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMCIgaW5zdGFsbF90aW1lX21zPSI0NDA2Ii8-PC9hcHA-PC9yZXF1ZXN0Pg

Communicates with host for which no DNS query was performed (8 events)

host	142.250.204.110
host	142.250.206.234
host	142.250.76.131
host	142.250.76.142
host	172.217.161.225
host	172.217.25.170
host	172.217.25.174
host	45.33.6.223

Installs itself for autorun at Windows startup (9 events)

reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{C6271107-A214-4F11-98C0-3F16BC670D28}\InprocServer32\(Default)	reg_value	C:\Program Files (x86)\Google\Update\1.3.36.152\psmachine_64.dll
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9D6AA569-9F30-41AD-885A-346685C74928}\InprocServer32\(Default)	reg_value	C:\Program Files (x86)\Google\Update\1.3.36.152\psmachine_64.dll
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{BABC0FE1-E9B9-49A3-BBE6-3F16B71DC052}\InProcServer32\(Default)	reg_value	C:\Program Files (x86)\Google\Update\1.3.36.152\psmachine_64.dll
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{C6271107-A214-4F11-98C0-3F16BC670D28}\InprocServer32\(Default)	reg_value	C:\Program Files (x86)\Google\Update\1.3.36.152\psmachine_64.dll
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9D6AA569-9F30-41AD-885A-346685C74928}\InprocServer32\(Default)	reg_value	C:\Program Files (x86)\Google\Update\1.3.36.152\psmachine_64.dll
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{BABC0FE1-E9B9-49A3-BBE6-3F16B71DC052}\InProcServer32\(Default)	reg_value	C:\Program Files (x86)\Google\Update\1.3.36.152\psmachine_64.dll
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{C6271107-A214-4F11-98C0-3F16BC670D28}\InprocServer32\(Default)	reg_value	C:\Program Files (x86)\Google\Update\1.3.36.152\psmachine_64.dll
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9D6AA569-9F30-41AD-885A-346685C74928}\InprocServer32\(Default)	reg_value	C:\Program Files (x86)\Google\Update\1.3.36.152\psmachine_64.dll
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{BABC0FE1-E9B9-49A3-BBE6-3F16B71DC052}\InProcServer32\(Default)	reg_value	C:\Program Files (x86)\Google\Update\1.3.36.152\psmachine_64.dll

Deletes a large number of files from the system indicative of ransomware, wiper malware or system destruction (50 out of 141 events)

file	C:\Program Files (x86)\Google\Update\1.3.33.7\goopdateres_ko.dll
file	C:\Program Files (x86)\Google\Update\1.3.33.7\goopdateres_pt-BR.dll
file	C:\Program Files (x86)\Google\Update\1.3.33.7\goopdateres_sw.dll
file	C:\Program Files (x86)\Google\Update\1.3.33.7\psuser_64.dll
file	C:\Program Files (x86)\Google\Update\1.3.33.7\goopdateres_is.dll
file	C:\Program Files (x86)\Google\Update\1.3.33.7\goopdateres_de.dll
file	C:\Program Files (x86)\Google\Update\1.3.33.7\goopdateres_ja.dll
file	C:\Program Files (x86)\Google\Update\1.3.33.7\goopdateres_fr.dll
file	C:\Program Files (x86)\Google\Update\1.3.33.7\goopdateres_fa.dll
file	C:\Program Files (x86)\Google\Update\1.3.33.7\goopdateres_ur.dll
file	C:\Program Files (x86)\Google\Update\1.3.33.7\goopdateres_zh-TW.dll
file	C:\Program Files (x86)\Google\Update\1.3.33.7\goopdateres_iw.dll
file	C:\Program Files (x86)\Google\Update\1.3.33.7\goopdateres_da.dll
file	C:\Program Files (x86)\Google\Update\1.3.33.7\goopdateres_th.dll
file	C:\Program Files (x86)\Google\Update\1.3.33.7\goopdateres_sv.dll
file	C:\Program Files (x86)\Google\Update\1.3.33.7\psuser.dll
file	C:\Program Files (x86)\Google\Update\1.3.33.7\goopdateres_am.dll
file	C:\Program Files (x86)\Google\Update\1.3.33.7\goopdateres_ru.dll
file	C:\Program Files (x86)\Google\Update\1.3.33.7\goopdateres_ar.dll
file	C:\Program Files (x86)\Google\Update\1.3.33.7\goopdateres_ca.dll
file	C:\Program Files (x86)\Google\Update\1.3.33.7\goopdateres_sl.dll
file	C:\Program Files (x86)\Google\Update\1.3.33.7\goopdateres_hr.dll
file	C:\Program Files (x86)\Google\Update\1.3.33.7\GoogleUpdateCore.exe
file	C:\Program Files (x86)\Google\Update\1.3.33.7\goopdateres_kn.dll
file	C:\Program Files (x86)\Google\Update\1.3.33.7\goopdateres_ms.dll
file	C:\Program Files (x86)\Google\Update\1.3.33.7\goopdateres_en.dll
file	C:\Program Files (x86)\Google\Update\1.3.33.7\goopdateres_sr.dll
file	C:\Program Files (x86)\Google\Update\1.3.33.7\goopdateres_pl.dll
file	C:\Program Files (x86)\Google\Update\1.3.33.7\goopdateres_lt.dll
file	C:\Program Files (x86)\Google\Update\1.3.33.7\goopdateres_ta.dll
file	C:\Program Files (x86)\Google\Update\1.3.33.7\GoogleUpdate.exe
file	C:\Program Files (x86)\Google\Update\1.3.33.7\goopdateres_el.dll
file	C:\Program Files (x86)\Google\Update\1.3.33.7\goopdateres_hi.dll
file	C:\Program Files (x86)\Google\Update\1.3.33.7\psmachine.dll
file	C:\Program Files (x86)\Google\Update\1.3.33.7\GoogleUpdateComRegisterShell64.exe
file	C:\Program Files (x86)\Google\Update\1.3.33.7\GoogleUpdateSetup.exe
file	C:\Program Files (x86)\Google\Update\1.3.33.7\goopdateres_et.dll
file	C:\Program Files (x86)\Google\Update\1.3.33.7\GoogleCrashHandler.exe
file	C:\Program Files (x86)\Google\Update\1.3.33.7\goopdateres_id.dll
file	C:\Program Files (x86)\Google\Update\1.3.33.7\GoogleUpdateOnDemand.exe
file	C:\Program Files (x86)\Google\Update\1.3.33.7\goopdateres_hu.dll
file	C:\Program Files (x86)\Google\Update\1.3.33.7\goopdateres_zh-CN.dll
file	C:\Program Files (x86)\Google\Update\1.3.33.7\goopdateres_en-GB.dll
file	C:\Program Files (x86)\Google\Update\1.3.33.7\goopdateres_gu.dll
file	C:\Program Files (x86)\Google\Update\1.3.33.7\goopdateres_vi.dll
file	C:\Program Files (x86)\Google\Update\1.3.33.7\goopdateres_te.dll
file	C:\Program Files (x86)\Google\Update\1.3.33.7\goopdateres_sk.dll
file	C:\Program Files (x86)\Google\Update\1.3.33.7\goopdateres_es-419.dll
file	C:\Program Files (x86)\Google\Update\1.3.33.7\goopdateres_it.dll
file	C:\Program Files (x86)\Google\Update\1.3.33.7\goopdateres_tr.dll

ChromeSetup.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All