Summary | ZeroBOX

ChromeSetup.exe

Emotet Gen1 PhysicalDrive NMap NSIS Generic Malware .NET framework(MSIL) UPX Downloader ASPack Antivirus Malicious Library Malicious Packer Admin Tool (Sysinternals etc ...) Javascript_Blob Anti_VM OS Processor Check PE File MZP Format PE32 DLL
Category: FILE
Machine: s1_win7_x6403_us
Started: Aug. 6, 2024, 9:50 a.m.
Completed: Aug. 6, 2024, 9:52 a.m.
Size 1.4MB
Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 e963c6226c89fbe3d8617658681fb54d
SHA256 cb76d6d2532773334a0b2c7cbea7e587b4adbedd17ac1977669b3011383d93e5
CRC32 40D3965F
ssdeep 24576:xKzcVkyEq9DRho1jFP8ltPP01Ws7+wFPEl9ix4fpUzoQDt+egElxdqFWVCGC3JA:xKzcCyEq9DRho/ctH01Ws74rA4RUBDHv
Yara
  • Malicious_Library_Zero - Malicious_Library
  • PE_Header_Zero - PE File Signature
  • IsPE32 - (no description)
  • UPX_Zero - UPX packed file
  • Win32_Trojan_Emotet_2_Zero - Win32 Trojan Emotet
  • Generic_Malware_Zero - Generic Malware
  • mzp_file_format - MZP(Delphi) file format
  • OS_Processor_Check_Zero - OS Processor Check

DNS lookups (Name / Response / Post-Analysis Lookup): no hosts contacted.

IP Address        Status   Action
142.250.71.195    Active   Moloch
164.124.101.2     Active   Moloch

Suricata Alerts

Flow                                              SID         Signature                                                        Category
TCP 192.168.56.103:49246 -> 142.250.71.195:443    906200022   SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)    undefined

Suricata TLS

Flow: TLS 1.2, 192.168.56.103:49246 -> 142.250.71.195:443
Issuer: C=US, O=Google Trust Services, CN=WR2
Subject: CN=upload.video.google.com
Fingerprint: c4:3f:12:39:d2:ec:4c:2c:1c:0a:a6:18:8e:2a:97:2c:d8:c2:7e:af

Time & API Arguments Status Return Repeated

API                Arguments                   Status Return Repeated
GetComputerNameW   computer_name: TEST22-PC    1 1 0                    (8 identical records)
Time & API Arguments Status Return Repeated

API                 Arguments   Status Return Repeated
IsDebuggerPresent   (none)      0 0
file C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
Time & API Arguments Status Return Repeated

API                    Arguments   Status Return Repeated
GlobalMemoryStatusEx   (none)      1 1 0
section CODE
section DATA
section BSS
suspicious_features: POST method with no referer header
suspicious_request: POST https://update.googleapis.com/service/update2
request: POST https://update.googleapis.com/service/update2
request: POST https://update.googleapis.com/service/update2
Time & API Arguments Status Return Repeated

Memory-protection records. Fields common to every record below: stack_dep_bypass 0, stack_pivoted 0, heap_dep_bypass 0, process_handle 0xffffffff (the calling process itself), protection 64 (PAGE_EXECUTE_READWRITE), Status 1, Return 0, Repeated 0. Records are listed in the order the report gives them.

API                       process_identifier   base_address   length / region_size   notes
NtProtectVirtualMemory    2224                 0x73f65000     4096
NtProtectVirtualMemory    2224                 0x73dd1000     4096
NtProtectVirtualMemory    2224                 0x756e1000     4096
NtProtectVirtualMemory    2224                 0x73da1000     4096
NtProtectVirtualMemory    2224                 0x73d91000     4096
NtProtectVirtualMemory    2224                 0x73d71000     4096
NtProtectVirtualMemory    2224                 0x73d51000     4096
NtProtectVirtualMemory    2224                 0x74031000     4096
NtProtectVirtualMemory    2224                 0x76971000     4096
NtProtectVirtualMemory    2224                 0x74fc1000     4096
NtProtectVirtualMemory    2224                 0x75201000     4096
NtProtectVirtualMemory    2224                 0x73d31000     4096
NtProtectVirtualMemory    2224                 0x73c41000     4096
NtProtectVirtualMemory    2224                 0x73491000     4096
NtAllocateVirtualMemory   2224                 0x008b0000     4096                   allocation_type 4096 (MEM_COMMIT)
NtProtectVirtualMemory    2224                 0x73351000     4096
NtProtectVirtualMemory    2224                 0x74001000     4096
NtProtectVirtualMemory    2224                 0x75291000     4096
NtProtectVirtualMemory    2288                 0x732b5000     4096
NtProtectVirtualMemory    2288                 0x73dd1000     4096
NtProtectVirtualMemory    2288                 0x756e1000     4096
NtProtectVirtualMemory    2288                 0x73da1000     4096
NtProtectVirtualMemory    2288                 0x73d91000     4096
NtProtectVirtualMemory    2288                 0x73d71000     4096
NtProtectVirtualMemory    2288                 0x73d51000     4096
NtProtectVirtualMemory    2288                 0x74031000     4096
NtProtectVirtualMemory    2288                 0x76971000     4096
NtProtectVirtualMemory    2288                 0x74fc1000     4096
NtProtectVirtualMemory    2288                 0x75201000     4096
NtProtectVirtualMemory    2288                 0x73d31000     4096
NtProtectVirtualMemory    2288                 0x73491000     4096
NtProtectVirtualMemory    2288                 0x73491000     4096
NtProtectVirtualMemory    2352                 0x73245000     4096
NtProtectVirtualMemory    2352                 0x73dd1000     4096
NtProtectVirtualMemory    2352                 0x756e1000     4096
NtProtectVirtualMemory    2352                 0x73da1000     4096
NtProtectVirtualMemory    2352                 0x73d91000     4096
NtProtectVirtualMemory    2352                 0x73d71000     4096
NtProtectVirtualMemory    2352                 0x73d51000     4096
NtProtectVirtualMemory    2352                 0x74031000     4096
NtProtectVirtualMemory    2352                 0x76971000     4096
NtProtectVirtualMemory    2352                 0x74fc1000     4096
NtProtectVirtualMemory    2352                 0x75201000     4096
NtProtectVirtualMemory    2352                 0x73d31000     4096
NtProtectVirtualMemory    2352                 0x73491000     4096
NtProtectVirtualMemory    2352                 0x73491000     4096
NtProtectVirtualMemory    2352                 0x730a5000     4096
NtProtectVirtualMemory    2352                 0x73071000     4096
NtProtectVirtualMemory    2352                 0x73045000     4096
NtProtectVirtualMemory    2352                 0x730a5000     4096
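The records above reduce to a few facts that the raw dump hides: every NtProtectVirtualMemory call flips a single 4096-byte page to PAGE_EXECUTE_READWRITE at an address in the 0x73xxxxxx to 0x76xxxxxx range, the same addresses recur in all three PIDs (2224, 2288, 2352), and exactly one call, the NtAllocateVirtualMemory in PID 2224, commits a fresh RWX page at 0x008b0000 in the process's own low address space. The Python below is an added example, not ZeroBOX or Cuckoo code: it parses records in the layout the report uses and separates re-protected pages from newly committed ones. SAMPLE holds four of the records from above; the 0x70000000 floor used to tell system-DLL pages from the process's private memory is this example's heuristic for a 32-bit Windows 7 process, not something the report states.

```python
"""Parse the memory-protection records of this report and summarise them.

Added example; not ZeroBOX or Cuckoo code. SAMPLE reproduces four records in
the report's own layout: API name, blank line, "key: value" arguments, then
the "status return repeated" line.
"""
import re
from collections import defaultdict

PAGE_EXECUTE_READWRITE = 0x40
MEM_COMMIT = 0x1000
# Heuristic (this example's assumption, not stated by the report): in these
# 32-bit processes every NtProtectVirtualMemory target sits at 0x73xxxxxx to
# 0x76xxxxxx, where Windows 7 maps system DLLs; anything lower is the
# process's own private memory.
SYSTEM_DLL_FLOOR = 0x70000000

SAMPLE = """\
NtProtectVirtualMemory

process_identifier: 2224
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73f65000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2224
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x008b0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2224
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73351000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2288
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x732b5000
process_handle: 0xffffffff
1 0 0
"""

STATUS_RE = re.compile(r"^(\d+)\s+(\d+)\s+(\d+)$")


def parse_records(text):
    """Turn the report's record layout into dicts: api, args, status, return, repeated."""
    records, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = STATUS_RE.match(line)
        if m and cur is not None:                       # "1 0 0" closes a record
            cur["status"], cur["return"], cur["repeated"] = map(int, m.groups())
            records.append(cur)
            cur = None
        elif ":" in line and cur is not None:           # "key: value" argument line
            key, value = (s.strip() for s in line.split(":", 1))
            cur["args"][key] = value
        else:                                           # bare API name opens a record
            cur = {"api": line, "args": {}}
    return records


def _num(value):
    """'64 (PAGE_EXECUTE_READWRITE)' -> 64, '0x73f65000' -> 0x73f65000, '2224' -> 2224."""
    return int(value.split()[0], 0)


def summarize_rwx(records):
    """Per PID: how many pages were re-protected RWX, how many were freshly committed RWX."""
    out = defaultdict(lambda: {"protect_rwx": 0, "alloc_rwx": 0, "fresh_rwx": [], "low_protect": []})
    for rec in records:
        args = rec["args"]
        if _num(args.get("protection", "0")) != PAGE_EXECUTE_READWRITE:
            continue
        pid, base = _num(args["process_identifier"]), _num(args["base_address"])
        entry = out[pid]
        if rec["api"] == "NtAllocateVirtualMemory":
            entry["alloc_rwx"] += 1
            if _num(args.get("allocation_type", "0")) & MEM_COMMIT:
                entry["fresh_rwx"].append((base, _num(args["region_size"])))
        elif rec["api"] == "NtProtectVirtualMemory":
            entry["protect_rwx"] += 1
            if base < SYSTEM_DLL_FLOOR:                 # RWX on something other than a loaded DLL page
                entry["low_protect"].append(base)
    return dict(out)


if __name__ == "__main__":
    for pid, entry in sorted(summarize_rwx(parse_records(SAMPLE)).items()):
        print(pid, entry)
```

Run over the full dump, the summary is one fresh RWX commit (PID 2224, 0x008b0000) against 49 re-protections of DLL pages; the former is the record worth pulling a memory dump for.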
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\recovery\101.3.34.11\ChromeRecovery.exe
file C:\Program Files (x86)\Google\Temp\GUMC1B6.tmp\goopdateres_id.dll
file C:\Program Files (x86)\Common Files\microsoft shared\OFFICE15\OLicenseHeartbeat.exe
file C:\Program Files (x86)\Google\Temp\GUMC1B6.tmp\goopdateres_hu.dll
file C:\Program Files (x86)\Google\Temp\GUMC1B6.tmp\goopdateres_lt.dll
file C:\Program Files (x86)\Mozilla Thunderbird\updater.exe
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\recovery\101.3.34.11\ChromeRecovery.exe
file C:\Program Files (x86)\Mozilla Thunderbird\pingsender.exe
file C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exe
file C:\Program Files (x86)\Google\Temp\GUMC1B6.tmp\goopdateres_zh-TW.dll
file C:\Program Files (x86)\Google\Temp\GUMC1B6.tmp\psuser.dll
file C:\Program Files (x86)\Microsoft Office\Office15\WORDICON.EXE
file C:\Program Files (x86)\Google\Update\1.3.36.372\GoogleUpdateBroker.exe
file C:\Program Files (x86)\Microsoft Office\Office15\MSQRY32.EXE
file C:\Program Files (x86)\Microsoft Office\Office15\GROOVE.EXE
file C:\Python27\Lib\site-packages\setuptools\cli-32.exe
file C:\Program Files (x86)\Java\jre1.8.0_131\bin\ssvagent.exe
file C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
file C:\Program Files (x86)\Hnc\HncUtils\HncUpdate.exe
file C:\Program Files (x86)\Google\Update\1.3.36.101\GoogleUpdateBroker.exe
file C:\Windows\svchost.com
file C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
file C:\Python27\Scripts\easy_install.exe
file C:\Program Files (x86)\Google\Temp\GUMC1B6.tmp\goopdateres_pt-BR.dll
file C:\Program Files (x86)\Google\Temp\GUMC1B6.tmp\goopdateres_ca.dll
file C:\ProgramData\Oracle\Java\javapath\java.exe
file C:\Program Files (x86)\Google\Temp\GUMC1B6.tmp\goopdateres_bn.dll
file C:\Program Files (x86)\Microsoft Office\Office15\XLICONS.EXE
file C:\Program Files (x86)\Google\Temp\GUMC1B6.tmp\goopdateres_cs.dll
file C:\Program Files (x86)\Common Files\microsoft shared\OFFICE15\MSOICONS.EXE
file C:\Program Files (x86)\Common Files\microsoft shared\OFFICE15\Office Setup Controller\ODeploy.exe
file C:\Program Files (x86)\Common Files\microsoft shared\OFFICE15\LICLUA.EXE
file C:\Program Files (x86)\Google\Temp\GUMC1B6.tmp\psuser_64.dll
file C:\Program Files (x86)\Google\Update\1.3.36.101\GoogleCrashHandler64.exe
file C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe
file C:\Program Files (x86)\Java\jre1.8.0_131\bin\unpack200.exe
file C:\Program Files (x86)\Microsoft Office\Office15\POWERPNT.EXE
file C:\Program Files (x86)\Hnc\Hwp80\HwpFinder.exe
file C:\Program Files (x86)\Common Files\microsoft shared\OFFICE15\FLTLDR.EXE
file C:\Program Files (x86)\Google\Update\1.3.36.372\GoogleCrashHandler64.exe
file C:\Program Files (x86)\Google\Temp\GUMC1B6.tmp\goopdateres_sl.dll
file C:\Program Files (x86)\Microsoft Office\Office15\IEContentService.exe
file C:\Program Files (x86)\Google\Temp\GUMC1B6.tmp\goopdateres_tr.dll
file C:\Program Files (x86)\Google\Temp\GUMC1B6.tmp\goopdateres_am.dll
file C:\Program Files (x86)\EditPlus\editplus.exe
file C:\Program Files (x86)\Common Files\microsoft shared\OFFICE15\CSISYNCCLIENT.EXE
file C:\Program Files (x86)\Microsoft Office\Office15\PDFREFLOW.EXE
file C:\Python27\Lib\site-packages\pip\_vendor\distlib\t64.exe
file C:\MSOCache\All Users\{91150000-0011-0000-0000-0000000FF1CE}-C\setup.exe
file C:\Program Files (x86)\Google\Temp\GUMC1B6.tmp\goopdateres_fa.dll
file C:\Program Files (x86)\Google\Temp\GUMC1B6.tmp\goopdateres_en.dll
cmdline "C:\Windows\svchost.com" "C:\PROGRA~2\Google\Update\GOOGLE~1.EXE" /handoff "appguid={8A69D345-D564-463C-AFF1-A69D9E530F96}&iid={2AA72171-DCD8-0DB0-CFF4-B63743E618C4}&lang=en&browser=2&usagestats=1&appname=Google%20Chrome&needsadmin=prefers&ap=x64-stable-statsdef_1&brand=ONGR&installdataindex=empty" /installsource taggedmi /sessionid "{0ED5C233-4594-49BF-9FAF-053B370AD400}"
file C:\Users\test22\AppData\Local\Temp\3582-490\ChromeSetup.exe
file C:\Windows\svchost.com
file C:\Users\test22\AppData\Local\Temp\3582-490\ChromeSetup.exe
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\recovery\101.3.34.11\ChromeRecovery.exe
Time & API Arguments Status Return Repeated

API                    Arguments              Status Return Repeated
GetAdaptersAddresses   flags: 15, family: 0   111 0
Time & API Arguments Status Return Repeated

API                     Arguments                                                Status Return Repeated
LookupPrivilegeValueW   system_name: (empty), privilege_name: SeDebugPrivilege   1 1 0                    (4 identical records)
process googleupdate.exe
cmdline "C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4zNi4zNzIiIHNoZWxsX3ZlcnNpb249IjEuMy4zMy43IiBpc21hY2hpbmU9IjEiIHNlc3Npb25pZD0iezBFRDVDMjMzLTQ1OTQtNDlCRi05RkFGLTA1M0IzNzBBRDQwMH0iIHVzZXJpZD0iezc0MTk1QTBBLUJCQUMtNERFQy1BRkQ1LTdGODhFQTM0NkRBM30iIGluc3RhbGxzb3VyY2U9InRhZ2dlZG1pIiByZXF1ZXN0aWQ9InsyRTc5RUExNy0wNjg0LTRDMjgtQjYxRC1GNDI3OEJCNDNGMkV9IiBkZWR1cD0iY3IiIGRvbWFpbmpvaW5lZD0iMCI-PGh3IHBoeXNtZW1vcnk9IjUiIHNzZT0iMSIgc3NlMj0iMSIgc3NlMz0iMSIgc3NzZTM9IjEiIHNzZTQxPSIxIiBzc2U0Mj0iMSIgYXZ4PSIxIi8-PG9zIHBsYXRmb3JtPSJ3aW4iIHZlcnNpb249IjYuMS43NjAxLjAiIHNwPSJTZXJ2aWNlIFBhY2sgMSIgYXJjaD0ieDY0Ii8-PGFwcCBhcHBpZD0iezQzMEZENEQwLUI3MjktNEY2MS1BQTM0LTkxNTI2NDgxNzk5RH0iIHZlcnNpb249IjEuMy4zNi4xMDEiIG5leHR2ZXJzaW9uPSIxLjMuMzYuMzcyIiBsYW5nPSJlbiIgYnJhbmQ9Ik9OR1IiIGNsaWVudD0iIiBpaWQ9InsyQUE3MjE3MS1EQ0Q4LTBEQjAtQ0ZGNC1CNjM3NDNFNjE4QzR9Ij48ZXZlbnQgZXZlbnR0eXBlPSIyIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIwIiBpbnN0YWxsX3RpbWVfbXM9IjQxODciLz48L2FwcD48L3JlcXVlc3Q-
host 142.250.71.195
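The /ping argument is Google Update's (Omaha) event report: an XML document in URL-safe base64. Decoding it is worth the minute in any report where an updater appears, because it states what was installed, from which version, and under which session and install IDs; here it ties the GoogleUpdate.exe launch back to the sessionid and iid in the svchost.com command line listed above. The POSTs to update.googleapis.com/service/update2 and the TLS session to 142.250.71.195 (certificate issued by Google Trust Services) are the traffic of that update. The Suricata JA3 alert on that flow matches a client-hello fingerprint, not a destination, so it should be weighed against the certificate and the URL before being treated as Tofsee activity. The Python below is an added example, not Omaha, Google or ZeroBOX code. PING is the argument as it appears in the report; treating '-' and '_' as the URL-safe substitutes for '+' and '/' with any '=' padding dropped is this example's assumption, borne out by the well-formed XML it yields.

```python
"""Decode the Omaha /ping argument from the GoogleUpdate.exe command line above.

Added example; not Omaha, Google or ZeroBOX code. PING is copied from the
report. Assumption: Omaha emits URL-safe base64 ('-' for '+', '_' for '/')
and may omit '=' padding; decode_omaha_ping restores the padding if needed.
"""
import base64
import xml.etree.ElementTree as ET

PING = (
    "PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48"
    "cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIg"
    "dXBkYXRlcnZlcnNpb249IjEuMy4zNi4zNzIiIHNoZWxsX3ZlcnNpb249IjEuMy4zMy43IiBpc21hY2hpbmU9IjEi"
    "IHNlc3Npb25pZD0iezBFRDVDMjMzLTQ1OTQtNDlCRi05RkFGLTA1M0IzNzBBRDQwMH0i"
    "IHVzZXJpZD0iezc0MTk1QTBBLUJCQUMtNERFQy1BRkQ1LTdGODhFQTM0NkRBM30i"
    "IGluc3RhbGxzb3VyY2U9InRhZ2dlZG1pIiByZXF1ZXN0aWQ9InsyRTc5RUExNy0wNjg0LTRDMjgtQjYxRC1GNDI3OEJCNDNGMkV9"
    "IiBkZWR1cD0iY3IiIGRvbWFpbmpvaW5lZD0iMCI-"
    "PGh3IHBoeXNtZW1vcnk9IjUiIHNzZT0iMSIgc3NlMj0iMSIgc3NlMz0iMSIgc3NzZTM9IjEiIHNzZTQxPSIxIiBzc2U0Mj0iMSIgYXZ4PSIxIi8-"
    "PG9zIHBsYXRmb3JtPSJ3aW4iIHZlcnNpb249IjYuMS43NjAxLjAiIHNwPSJTZXJ2aWNlIFBhY2sgMSIgYXJjaD0ieDY0Ii8-"
    "PGFwcCBhcHBpZD0iezQzMEZENEQwLUI3MjktNEY2MS1BQTM0LTkxNTI2NDgxNzk5RH0iIHZlcnNpb249IjEuMy4zNi4xMDEi"
    "IG5leHR2ZXJzaW9uPSIxLjMuMzYuMzcyIiBsYW5nPSJlbiIgYnJhbmQ9Ik9OR1IiIGNsaWVudD0iIiBpaWQ9"
    "InsyQUE3MjE3MS1EQ0Q4LTBEQjAtQ0ZGNC1CNjM3NDNFNjE4QzR9Ij48"
    "ZXZlbnQgZXZlbnR0eXBlPSIyIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIwIiBpbnN0YWxsX3RpbWVfbXM9IjQxODci"
    "Lz48L2FwcD48L3JlcXVlc3Q-"
)


def decode_omaha_ping(arg: str) -> bytes:
    """URL-safe base64 to raw XML bytes, restoring '=' padding if it was stripped."""
    body = arg.rstrip("=").replace("-", "+").replace("_", "/")
    body += "=" * (-len(body) % 4)
    return base64.b64decode(body)


def summarize_ping(arg: str) -> dict:
    """Pull the fields an analyst wants from the Omaha <request> document."""
    root = ET.fromstring(decode_omaha_ping(arg))   # bytes in: the XML declares its own encoding
    if root.tag != "request":
        raise ValueError(f"unexpected root element {root.tag!r}")
    out = {
        "updater": root.get("updater"),
        "updaterversion": root.get("updaterversion"),
        "ismachine": root.get("ismachine"),
        "sessionid": root.get("sessionid"),
        "requestid": root.get("requestid"),
        "os": None,
        "apps": [],
    }
    os_el = root.find("os")
    if os_el is not None:
        out["os"] = {k: os_el.get(k) for k in ("platform", "version", "sp", "arch")}
    for app in root.findall("app"):
        entry = {k: app.get(k) for k in ("appid", "version", "nextversion", "brand", "iid")}
        entry["events"] = [dict(ev.attrib) for ev in app.findall("event")]
        out["apps"].append(entry)
    return out


if __name__ == "__main__":
    import json
    print(json.dumps(summarize_ping(PING), indent=2))
```

For this sample the decoded request reports Omaha 1.3.36.372 on Windows 6.1.7601.0 x64 (Service Pack 1), app {430FD4D0-B729-4F61-AA34-91526481799D} going from 1.3.36.101 to 1.3.36.372, with one eventtype 2 (install) event that succeeded (eventresult 1) in 4187 ms.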
reg_key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command\(Default) reg_value C:\Windows\svchost.com "%1" %*
reg_key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{C6271107-A214-4F11-98C0-3F16BC670D28}\InprocServer32\(Default) reg_value C:\Program Files (x86)\Google\Update\1.3.36.372\psmachine_64.dll
reg_key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9D6AA569-9F30-41AD-885A-346685C74928}\InprocServer32\(Default) reg_value C:\Program Files (x86)\Google\Update\1.3.36.372\psmachine_64.dll
reg_key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B50B3FA2-B519-4C16-A932-46E9FFD1D910}\InProcServer32\(Default) reg_value C:\Program Files (x86)\Google\Update\1.3.36.372\psmachine_64.dll
(each of the three CLSID entries is listed three times in the report)
file C:\Program Files (x86)\Google\Temp\GUMC1B6.tmp
file C:\Program Files (x86)\Google\Temp\GUMC1B6.tmp\GoogleUpdate.exe
registry HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F81F111D0E5AB58D396F7BF525577FD30FDC95AA\Blob
file C:\Program Files (x86)\Google\Temp\GUMC1B6.tmp\goopdateres_gu.dll
file C:\Program Files (x86)\Google\Temp\GUMC1B6.tmp\goopdateres_id.dll
file C:\Program Files (x86)\Google\Temp\GUMC1A5.tmp
file C:\Program Files (x86)\Google\Temp\GUMC1B6.tmp\goopdateres_lt.dll
file C:\Program Files (x86)\Google\Temp\GUMC1B6.tmp\goopdateres_ro.dll
file C:\Program Files (x86)\Google\Temp\GUMC1B6.tmp\goopdateres_da.dll
file C:\Program Files (x86)\Google\Temp\GUMC1B6.tmp\GoogleUpdateOnDemand.exe
file C:\Program Files (x86)\Google\Temp\GUMC1B6.tmp\goopdateres_el.dll
file C:\Program Files (x86)\Google\Temp\GUMC1B6.tmp\goopdateres_fr.dll
file C:\Program Files (x86)\Google\Temp\GUMC1B6.tmp\goopdateres_zh-TW.dll
file C:\Program Files (x86)\Google\Temp\GUMC1B6.tmp\psuser.dll
file C:\Program Files (x86)\Google\Temp\GUMC1B6.tmp\goopdateres_it.dll
file C:\Program Files (x86)\Google\Temp\GUMC1B6.tmp\goopdateres_sv.dll
file C:\Program Files (x86)\Google\Temp\GUMC1B6.tmp
file C:\Program Files (x86)\Google\Temp\GUMC1B6.tmp\goopdateres_hu.dll
file C:\Program Files (x86)\Google\Temp\GUMC1B6.tmp\goopdateres_ta.dll
file C:\Program Files (x86)\Google\Temp\GUMC1B6.tmp\goopdateres_sw.dll
file C:\Program Files (x86)\Google\Temp\GUMC1B6.tmp\psmachine.dll
file C:\Program Files (x86)\Google\Temp\GUMC1B6.tmp\goopdateres_sr.dll
file C:\Program Files (x86)\Google\Temp\GUMC1B6.tmp\goopdateres_es.dll
file C:\Program Files (x86)\Google\Temp\GUMC1B6.tmp\goopdateres_en-GB.dll
file C:\Program Files (x86)\Google\Temp\GUMC1B6.tmp\goopdateres_ca.dll
file C:\Program Files (x86)\Google\Temp\GUMC1B6.tmp\goopdateres_bn.dll
file C:\Program Files (x86)\Google\Temp\GUMC1B6.tmp\goopdateres_fil.dll
file C:\Program Files (x86)\Google\Temp\GUMC1B6.tmp\GoogleCrashHandler64.exe
file C:\Program Files (x86)\Google\Temp\GUMC1B6.tmp\goopdateres_kn.dll
file C:\Program Files (x86)\Google\Temp\GUMC1B6.tmp\goopdateres_cs.dll
file C:\Program Files (x86)\Google\Temp\GUMC1B6.tmp\goopdateres_iw.dll
file C:\Program Files (x86)\Google\Temp\GUMC1B6.tmp\psmachine_64.dll
file C:\Program Files (x86)\Google\Temp\GUTC1B7.tmp
file C:\Program Files (x86)\Google\Temp\GUMC1B6.tmp\goopdateres_sl.dll
file C:\Program Files (x86)\Google\Temp\GUMC1B6.tmp\psuser_64.dll
file C:\Program Files (x86)\Google\Temp\GUMC1B6.tmp\goopdateres_no.dll
file C:\Program Files (x86)\Google\Temp\GUMC1B6.tmp\GoogleUpdateComRegisterShell64.exe
file C:\Program Files (x86)\Google\Temp\GUMC1B6.tmp\goopdateres_ur.dll
file C:\Program Files (x86)\Google\Temp\GUMC1B6.tmp\goopdateres_uk.dll
file C:\Program Files (x86)\Google\Temp\GUMC1B6.tmp\goopdateres_fi.dll
file C:\Program Files (x86)\Google\Temp\GUMC1B6.tmp\goopdateres_pt-BR.dll
file C:\Program Files (x86)\Google\Temp\GUMC1B6.tmp\goopdateres_es-419.dll
file C:\Program Files (x86)\Google\Temp\GUMC1B6.tmp\goopdateres_ru.dll
file C:\Program Files (x86)\Google\Temp\GUMC1B6.tmp\GoogleUpdateSetup.exe
file C:\Program Files (x86)\Google\Temp\GUMC1B6.tmp\goopdateres_mr.dll
file C:\Program Files (x86)\Google\Temp\GUMC1B6.tmp\goopdateres_tr.dll
file C:\Program Files (x86)\Google\Temp\GUMC1B6.tmp\goopdateres_ar.dll
file C:\Program Files (x86)\Google\Temp\GUMC1B6.tmp\GoogleCrashHandler.exe
file C:\Program Files (x86)\Google\Temp\GUMC1B6.tmp\goopdateres_am.dll
file C:\Program Files (x86)\Google\Temp\GUMC1B6.tmp\goopdateres_zh-CN.dll
file C:\Program Files (x86)\Google\Temp\GUMC1B6.tmp\goopdateres_ml.dll
file C:\Program Files (x86)\Google\Temp\GUMC1B6.tmp\goopdateres_pt-PT.dll
file C:\Program Files (x86)\Google\Temp\GUMC1B6.tmp\goopdateres_fa.dll
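Taken together, the registry write, the file list and the command line above describe the persistence mechanism that the vendor detections below name Neshta: the sample drops C:\Windows\svchost.com, rewrites HKLM\SOFTWARE\Classes\exefile\shell\open\command so that every .exe launch goes through that file first (the stock value is "%1" %*), and the resulting launch of Google Update shows up as "C:\Windows\svchost.com" "C:\PROGRA~2\Google\Update\GOOGLE~1.EXE" /handoff ... with the real program as the second argument. The copy under %TEMP%\3582-490\ is where this family keeps the original of an infected host program, and the long run of .exe files under Program Files, Python27 and MSOCache is the set of host programs it touched. The CLSID\InprocServer32 entries pointing at psmachine_64.dll and the GUMC1B6.tmp files are Google Update's own installation, not part of the infection. The Python below is an added example, not ZeroBOX or Cuckoo code: it runs those checks over events copied from this report (the file list is a subset); the function names and the checks are this example's own.

```python
"""Triage the persistence and infection indicators in this report.

Added example; not ZeroBOX or Cuckoo code. REG_WRITES, CMDLINE and
FILES_WRITTEN are copied from the report (FILES_WRITTEN is a subset of the
file list); the checks and names are this example's own.
"""
import re

# Stock value of HKLM\SOFTWARE\Classes\exefile\shell\open\command on Windows.
EXEFILE_DEFAULT = '"%1" %*'
EXEFILE_KEY_SUFFIX = r"\classes\exefile\shell\open\command\(default)"
# Directory this family uses for the original copy of an infected program.
BACKUP_DIR_MARKER = "\\3582-490\\"
# A launch routed through the hijack: "<loader>" "<real exe>" <real args>
_HIJACK_LAUNCH = re.compile(r'^"([^"]+)"\s+"([^"]+)"\s*(.*)$', re.S)

REG_WRITES = [
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command\(Default)",
     r'C:\Windows\svchost.com "%1" %*'),
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{C6271107-A214-4F11-98C0-3F16BC670D28}\InprocServer32\(Default)",
     r"C:\Program Files (x86)\Google\Update\1.3.36.372\psmachine_64.dll"),
]
CMDLINE = (
    r'"C:\Windows\svchost.com" "C:\PROGRA~2\Google\Update\GOOGLE~1.EXE" /handoff '
    r'"appguid={8A69D345-D564-463C-AFF1-A69D9E530F96}&iid={2AA72171-DCD8-0DB0-CFF4-B63743E618C4}'
    r'&lang=en&browser=2&usagestats=1&appname=Google%20Chrome&needsadmin=prefers'
    r'&ap=x64-stable-statsdef_1&brand=ONGR&installdataindex=empty" /installsource taggedmi '
    r'/sessionid "{0ED5C233-4594-49BF-9FAF-053B370AD400}"'
)
FILES_WRITTEN = [
    r"C:\Windows\svchost.com",
    r"C:\Users\test22\AppData\Local\Temp\3582-490\ChromeSetup.exe",
    r"C:\Program Files (x86)\Mozilla Thunderbird\updater.exe",
    r"C:\Program Files (x86)\Microsoft Office\Office15\POWERPNT.EXE",
    r"C:\Program Files (x86)\Google\Temp\GUMC1B6.tmp\goopdateres_en.dll",
    r"C:\Python27\Scripts\easy_install.exe",
    r"C:\Program Files (x86)\Mozilla Thunderbird\updater.exe",   # listed twice in the report
]


def exefile_hijack(reg_writes):
    """Return the exefile open command if it no longer equals the stock value, else None."""
    for key, value in reg_writes:
        if key.lower().endswith(EXEFILE_KEY_SUFFIX) and value.strip() != EXEFILE_DEFAULT:
            return value
    return None


def split_hijacked_launch(cmdline):
    """(loader, real executable, real arguments) for a launch that went through the hijack."""
    m = _HIJACK_LAUNCH.match(cmdline)
    return (m.group(1), m.group(2), m.group(3)) if m else None


def triage(reg_writes, cmdline, files_written):
    """Collect the indicators into one verdict dict."""
    hijack = exefile_hijack(reg_writes)
    launch = split_hijacked_launch(cmdline)
    loader = launch[0] if launch else (hijack.split()[0] if hijack else None)
    lower_files = {p.lower() for p in files_written}
    exes = sorted({p for p in files_written if p.lower().endswith(".exe")})
    backups = [p for p in exes if BACKUP_DIR_MARKER in p]
    return {
        "exefile_hijacked": hijack is not None,
        "hijack_command": hijack,
        "loader": loader,
        "loader_written": loader is not None and loader.lower() in lower_files,
        "forwarded_target": launch[1] if launch else None,
        "backup_copies": backups,
        "program_exes_touched": [p for p in exes if p not in backups],
    }


if __name__ == "__main__":
    for k, v in triage(REG_WRITES, CMDLINE, FILES_WRITTEN).items():
        print(f"{k}: {v}")
```

On a live host the same two checks (the exefile command value and the presence of C:\Windows\svchost.com) are the fastest confirmation; the hijack also explains why the sandbox sees svchost.com launched with Google Update's full /handoff command line as its arguments.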
Antivirus   Detection
Bkav W32.NeshtaB.PE
Lionic Virus.Win32.Neshta.n!c
Elastic Windows.Virus.Neshta
Cynet Malicious (score: 100)
CAT-QuickHeal W32.Neshta.C8
Skyhigh BehavesLike.Win32.HLLP.tc
ALYac Win32.Neshta.A
Cylance Unsafe
VIPRE Win32.Neshta.A
Sangfor Virus.Win32.Neshta.a
K7AntiVirus Virus ( 00556e571 )
BitDefender Win32.Neshta.A
K7GW Virus ( 00556e571 )
Cybereason malicious.26c89f
Arcabit Win32.Neshta.A
Baidu Win32.Virus.Neshta.a
VirIT Win32.Delf.FE
Symantec W32.Neshuta
tehtris Generic.Malware
ESET-NOD32 Win32/Neshta.A
APEX Malicious
McAfee W32/HLLP.41472.e
Avast Win32:Apanas [Trj]
ClamAV Win.Trojan.Neshuta-1
Kaspersky Virus.Win32.Neshta.a
Alibaba Virus:Win32/Neshta.3bb
NANO-Antivirus Trojan.Win32.Winlock.fmobyw
MicroWorld-eScan Win32.Neshta.A
Rising Virus.Neshta!1.EFA5 (CLASSIC)
Emsisoft Win32.Neshta.A (B)
F-Secure Malware.W32/Neshta.A
DrWeb Win32.HLLP.Neshta
Zillya Virus.Neshta.Win32.1
TrendMicro PE_NESHTA.A
McAfeeD Real Protect-LS!E963C6226C89
Trapmine malicious.high.ml.score
FireEye Generic.mg.e963c6226c89fbe3
Sophos W32/Neshta-D
SentinelOne Static AI - Malicious PE
Jiangmin Virus.Neshta.a
Google Detected
Avira W32/Neshta.A
MAX malware (ai score=89)
Antiy-AVL Virus/Win32.Neshta.a
Kingsoft Win32.Neshta.nl.30720
Gridinsoft Virus.Neshta.A.sd!yf
Xcitium Win32.Neshta.A@3ypg
Microsoft Virus:Win32/Neshta.A
ViRobot Win32.Neshta.Gen.A
ZoneAlarm Virus.Win32.Neshta.a