Windows Analysis Report
PhotoScapeSetup_V3-7.exe

Overview

General Information

Sample name: PhotoScapeSetup_V3-7.exe
Analysis ID: 1417084
MD5: b7cc1eb9650ff6a6a3cb5260efd7226f
SHA1: ee7ab40509910dcc737ec487ea9c41a664464760
SHA256: dd37f4ea7133c48f5181b2d0b9ead52fb05cf64bd4180eb35cb1530e4aac3ce4

Detection

Score: 24
Range: 0 - 100
Whitelisted: false
Confidence: 0%

Compliance

Score: 34
Range: 0 - 100

Signatures

Found evasive API chain checking for user administrative privileges
Writes many files with high entropy
Contains functionality to read data from the clipboard
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to communicate with device drivers
Contains functionality to delete services
Contains functionality to dynamically determine API calls
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to shutdown / reboot the system
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found evasive API chain (date check)
Found evasive API chain (may stop execution after checking a module file name)
Found evasive API chain checking for process token information
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
PE file contains an invalid checksum
PE file contains executable resources (Code or Archives)
PE file contains sections with non-standard names
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Stores files to the Windows start menu directory
Tries to load missing DLLs
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
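
Three of the static findings above (PE file contains an invalid checksum, Uses 32bit PE files, and the RELOCS_STRIPPED / EXECUTABLE_IMAGE / 32BIT_MACHINE characteristics) can be reproduced on the sample without a sandbox. The script below is an added example, not code from the report or from PhotoScape or Google: it hashes the file, compares the hashes with the General Information section, decodes the COFF characteristics and recomputes the OptionalHeader.CheckSum the way imagehlp's CheckSumMappedFile does. The only assumption is that the file is passed as the first argument; without one it runs against a constructed header-only PE32 image.

```python
"""Static triage of a PE file: hashes, COFF characteristics and CheckSum.
Added example (standard library only); not part of the sandbox report."""
import hashlib
import struct
import sys
from array import array

REPORT_HASHES = {  # values from the General Information section of the report
    "md5": "b7cc1eb9650ff6a6a3cb5260efd7226f",
    "sha1": "ee7ab40509910dcc737ec487ea9c41a664464760",
    "sha256": "dd37f4ea7133c48f5181b2d0b9ead52fb05cf64bd4180eb35cb1530e4aac3ce4",
}

COFF_FLAGS = {  # IMAGE_FILE_* bits from winnt.h that matter for triage
    0x0001: "RELOCS_STRIPPED",
    0x0002: "EXECUTABLE_IMAGE",
    0x0020: "LARGE_ADDRESS_AWARE",
    0x0100: "32BIT_MACHINE",
    0x0200: "DEBUG_STRIPPED",
    0x2000: "DLL",
}


def parse_headers(data: bytes) -> dict:
    """Return machine type, characteristics and the stored CheckSum field."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]            # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    machine, _, _, _, _, _, chars = struct.unpack_from("<HHIIIHH", data, pe_off + 4)
    opt = pe_off + 24                                            # IMAGE_OPTIONAL_HEADER
    magic = struct.unpack_from("<H", data, opt)[0]
    return {
        "machine": machine,
        "pe32plus": magic == 0x20B,
        "characteristics": [n for bit, n in sorted(COFF_FLAGS.items()) if chars & bit],
        "stored_checksum": struct.unpack_from("<I", data, opt + 0x40)[0],
        "checksum_offset": opt + 0x40,
    }


def pe_checksum(data: bytes) -> int:
    """Ones'-complement sum of all 16-bit words (CheckSum field excluded,
    odd tail zero-padded), folded to 16 bits, plus the file length."""
    cs_off = parse_headers(data)["checksum_offset"]
    buf = bytearray(data)
    buf[cs_off:cs_off + 4] = b"\0\0\0\0"      # the stored value must not feed the sum
    if len(buf) % 2:
        buf.append(0)
    words = array("H")
    words.frombytes(bytes(buf))
    if sys.byteorder != "little":
        words.byteswap()
    total = sum(words)
    while total > 0xFFFF:                      # end-around carry
        total = (total & 0xFFFF) + (total >> 16)
    return total + len(data)


def set_checksum(data: bytes, value: int) -> bytes:
    """Write a CheckSum value into the optional header (used for the round-trip check)."""
    buf = bytearray(data)
    struct.pack_into("<I", buf, parse_headers(data)["checksum_offset"], value)
    return bytes(buf)


def triage(data: bytes) -> dict:
    hdr = parse_headers(data)
    computed = pe_checksum(data)
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
        "characteristics": hdr["characteristics"],
        "stored_checksum": hdr["stored_checksum"],
        "computed_checksum": computed,
        # zero or mismatching field is the "invalid checksum" finding; common for
        # installers and packers and not malicious on its own
        "checksum_valid": hdr["stored_checksum"] == computed,
    }


def matches_report(result: dict) -> bool:
    return all(result[k] == v for k, v in REPORT_HASHES.items())


def build_minimal_pe(characteristics: int, checksum: int = 0) -> bytes:
    """Constructed header-only PE32 image for offline runs (not a real sample)."""
    pe_off, opt_size = 0x40, 0xE0
    buf = bytearray(pe_off + 4 + 20 + opt_size)
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, pe_off)
    buf[pe_off:pe_off + 4] = b"PE\0\0"
    struct.pack_into("<HHIIIHH", buf, pe_off + 4, 0x014C, 0, 0, 0, 0, opt_size, characteristics)
    struct.pack_into("<H", buf, pe_off + 24, 0x10B)              # PE32 magic
    struct.pack_into("<I", buf, pe_off + 24 + 0x40, checksum)
    return bytes(buf)


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_minimal_pe(0x0103)
    result = triage(data)
    result["matches_report"] = matches_report(result)
    for key, value in result.items():
        print(f"{key}: {value}")
```

A stored CheckSum of zero is the usual reason for this finding: the field is only enforced by the loader for kernel-mode drivers and a few boot-time images, so many installers never set it. Treat it as a packer or build-chain hint, not as an indicator on its own.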

Classification

Source: C:\Program Files (x86)\GUM2392.tmp\GoogleUpdate.exe Code function: 10_2_6C924CD4 CryptQueryObject,GetLastError, 10_2_6C924CD4
Source: C:\Program Files (x86)\GUM2392.tmp\GoogleUpdate.exe Code function: 10_2_6C924D94 lstrcmpA,CryptDecodeObject,CryptDecodeObject,GetLastError,LocalAlloc,CryptDecodeObject, 10_2_6C924D94
Source: C:\Program Files (x86)\GUM2392.tmp\GoogleUpdate.exe Code function: 10_2_6C924D27 CryptMsgGetParam,CryptMsgGetParam,LocalAlloc,CryptMsgGetParam,GetLastError, 10_2_6C924D27
Source: C:\Program Files (x86)\GUM2392.tmp\GoogleUpdate.exe Code function: 10_2_6C924E70 lstrcmpA,CryptDecodeObject,GetLastError,FileTimeToSystemTime, 10_2_6C924E70
Source: C:\Program Files (x86)\GUM2392.tmp\GoogleUpdate.exe Code function: 10_2_6C9284A8 CryptStringToBinaryA,CryptStringToBinaryA, 10_2_6C9284A8
Source: C:\Program Files (x86)\GUM2392.tmp\GoogleUpdate.exe Code function: 10_2_6C926451 CryptUnprotectData,GetLastError,LocalFree, 10_2_6C926451
Source: C:\Program Files (x86)\GUM2392.tmp\GoogleUpdate.exe Code function: 10_2_6C924460 CryptReleaseContext, 10_2_6C924460
Source: C:\Program Files (x86)\GUM2392.tmp\GoogleUpdate.exe Code function: 10_2_6C9246B4 CryptAcquireContextW,CryptCreateHash,CryptDestroyHash,CloseHandle,CreateFileW,GetFileSizeEx,ReadFile,CryptHashData,CloseHandle,CryptGetHashParam,CryptDestroyHash,CryptDestroyHash,CloseHandle,CryptDestroyHash,CloseHandle,CryptDestroyHash,_memcmp,CryptDestroyHash,CryptDestroyHash, 10_2_6C9246B4
Source: C:\Program Files (x86)\GUM2392.tmp\GoogleUpdate.exe Code function: 10_2_6C9263BF CryptProtectData,LocalFree, 10_2_6C9263BF
Source: C:\Program Files (x86)\GUM2392.tmp\GoogleUpdate.exe Code function: 10_2_6C927D80 CryptAcquireContextW,CryptReleaseContext, 10_2_6C927D80
Source: C:\Program Files (x86)\GUM2392.tmp\GoogleUpdate.exe Code function: 10_2_6C927DC1 CryptDestroyKey,CryptDestroyHash,CryptReleaseContext, 10_2_6C927DC1
Source: C:\Program Files (x86)\GUM2392.tmp\GoogleUpdate.exe Code function: 10_2_6C927E03 CryptDecodeObjectEx,CryptDecodeObjectEx,CryptImportPublicKeyInfo,CryptDecodeObjectEx,GetLastError,CryptCreateHash, 10_2_6C927E03
Source: C:\Program Files (x86)\GUM2392.tmp\GoogleUpdate.exe Code function: 10_2_6C927F38 CryptVerifySignatureW,CryptDestroyHash,CryptDestroyKey, 10_2_6C927F38
Source: C:\Program Files (x86)\GUM2392.tmp\GoogleUpdate.exe Code function: 10_2_6C925403 CertCloseStore,CryptMsgClose,LocalFree,LocalFree,LocalFree, 10_2_6C925403
Source: C:\Program Files (x86)\GUM2392.tmp\GoogleUpdate.exe Code function: 10_2_6C92343A CryptHashData, 10_2_6C92343A
Source: C:\Program Files (x86)\GUM2392.tmp\GoogleUpdate.exe Code function: 10_2_6C8E508C LoadLibraryW,GetProcAddress,FreeLibrary,CryptAcquireContextW,CryptGenRandom,FreeLibrary,CryptReleaseContext,FreeLibrary, 10_2_6C8E508C
Source: C:\Program Files (x86)\GUM2392.tmp\GoogleUpdate.exe Code function: 10_2_6C92519C CryptQueryObject,CertEnumCertificatesInStore,CertEnumCertificatesInStore,CertEnumCertificatesInStore,CertCloseStore, 10_2_6C92519C
Source: GoogleUpdateSetup_latest.exe, 00000009.00000003.2091090955.0000000002B80000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: -----BEGIN PUBLIC KEY-----MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAse0EVOFAsoCF96o87qMgLlZaNAaDHIdXQg6YafkRgIiAt4ttlvzs8IsmHejtx0T6TmvYNerqOyl1Nl82ZRHO7kDJrqcI38fhdwPLnx0CtAxSmOtwwO77JYinfnSSkSRC8ynNIIUFUYNT/sLBek+ilu9msa0zddtn6zk3TnLtbV1mpqCSJV9cuTk8bMWYkMVjcYHEVr10L3a2BQu4UBok0P6senSnhYWKYSwN0dMBzbO8naf0r0REPAPO2oPZuFUov6EiYMZ5fV2/P33cVAG4dOXy23pyiGIalES8QH/4LOTOAjek43xAyg9uBpN2pNnSwqa0Jcf8tk9NXOJY/jmi6wIDAQAB-----END PUBLIC KEY----- memstr_c4635a41-b
Source: http://photoscape.org/ps/main/afterinstall.php?v=3.7 HTTP Parser: No favicon
Source: https://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-8935297298522731&output=html&h=250&adk=2668570439&adf=2525469968&w=300&lmt=1711637023&channel=1479983659&ad_type=text_image&format=300x250_as&color_bg=FFFFFF&color_border=FFFFFF&color_link=0000FF&color_text=666666&color_url=666666&url=http%3A%2F%2Fphotoscape.org%2Fps%2Fmain%2Fafterinstall.php%3Fv%3D3.7&wgl=1&dt=1711637021195&bpp=865&bdt=3904&idt=1852&shv=r20240326&mjsv=m202403200101&ptt=5&saldr=sd&abxe=1&correlator=2244882728464&frm=20&pv=2&ga_vid=1461180792.1711637021&ga_sid=1711637021&ga_hid=1015480240&ga_fc=1&u_tz=60&u_his=1&u_h=1024&u_w=1280&u_ah=984&u_aw=1280&u_cd=24&u_sd=1&adx=696&ady=412&biw=1263&bih=890&scr_x=0&scr_y=0&eid=44759876%2C44759927%2C44759837%2C44795921%2C95325976%2C95329024%2C95320377%2C95328826%2C31078668%2C31078670%2C31082176&oid=2&pvsid=2891480479766366&tmod=1628530264&uas=0&nvt=1&fc=896&brdim=0%2C0%2C0%2C0%2C1280%2C0%2C1280%2C984%2C1280%2C907&vis=1&rsz=%7C%7ClE%7C&abl=CS&pfx=0&fu=0&bc=23&bz=1&psd=W251bGwsbnVsbCxudWxsLDNd&nt=1... HTTP Parser: No favicon
Source: https://tpc.googlesyndication.com/sodar/sodar2/225/runner.html HTTP Parser: No favicon
Source: https://www.google.com/recaptcha/api2/aframe HTTP Parser: No favicon
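
The memory string quoted above from GoogleUpdateSetup_latest.exe is a PEM-encoded SubjectPublicKeyInfo. The code below is an added example, not from the report or from the Omaha updater, that decodes it with the standard library only and reports what kind of key it is. Running it against the string from the report shows a 2048-bit RSA public key with exponent 65537, which fits the CryptImportPublicKeyInfo / CryptVerifySignatureW chain listed for GoogleUpdate.exe: a signature-verification key embedded in the updater, not a secret worth extracting. The SPKI SHA-256 it prints is a pivot value for matching the same key in other samples.

```python
"""Minimal DER walk over an RSA SubjectPublicKeyInfo.
Added example (standard library only); not code from the report or the updater."""
import base64
import hashlib

# Memory string as quoted in the report; the dump has no line breaks between
# the PEM markers and the base64 body.
REPORT_PEM = (
    "-----BEGIN PUBLIC KEY-----"
    "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAse0EVOFAsoCF96o87qMgLlZaNA"
    "aDHIdXQg6YafkRgIiAt4ttlvzs8IsmHejtx0T6TmvYNerqOyl1Nl82ZRHO7kDJrqcI38fh"
    "dwPLnx0CtAxSmOtwwO77JYinfnSSkSRC8ynNIIUFUYNT/sLBek+ilu9msa0zddtn6zk3Tn"
    "LtbV1mpqCSJV9cuTk8bMWYkMVjcYHEVr10L3a2BQu4UBok0P6senSnhYWKYSwN0dMBzbO8"
    "naf0r0REPAPO2oPZuFUov6EiYMZ5fV2/P33cVAG4dOXy23pyiGIalES8QH/4LOTOAjek43"
    "xAyg9uBpN2pNnSwqa0Jcf8tk9NXOJY/jmi6wIDAQAB"
    "-----END PUBLIC KEY-----"
)

RSA_ENCRYPTION_OID = bytes.fromhex("2a864886f70d010101")   # 1.2.840.113549.1.1.1
SEQUENCE, INTEGER, BIT_STRING, OBJECT_ID = 0x30, 0x02, 0x03, 0x06


def _tlv(buf: bytes, pos: int):
    """Decode one DER tag-length-value at pos; return (tag, value, next position)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                          # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("DER length runs past end of buffer")
    return tag, buf[pos:pos + length], pos + length


def parse_rsa_spki(pem: str) -> dict:
    """Return modulus size, exponent and SPKI fingerprint of a PEM public key."""
    body = pem.replace("-----BEGIN PUBLIC KEY-----", "").replace("-----END PUBLIC KEY-----", "")
    der = base64.b64decode("".join(body.split()), validate=True)

    tag, spki, _ = _tlv(der, 0)
    if tag != SEQUENCE:
        raise ValueError("SubjectPublicKeyInfo must be a SEQUENCE")
    tag, alg, pos = _tlv(spki, 0)                       # AlgorithmIdentifier
    if tag != SEQUENCE:
        raise ValueError("AlgorithmIdentifier must be a SEQUENCE")
    tag, oid, _ = _tlv(alg, 0)
    if tag != OBJECT_ID or oid != RSA_ENCRYPTION_OID:
        raise ValueError("not an rsaEncryption key")
    tag, bits, _ = _tlv(spki, pos)                      # subjectPublicKey BIT STRING
    if tag != BIT_STRING or bits[0] != 0:
        raise ValueError("malformed subjectPublicKey")
    tag, rsa, _ = _tlv(bits[1:], 0)                     # RSAPublicKey ::= SEQUENCE { n, e }
    if tag != SEQUENCE:
        raise ValueError("RSAPublicKey must be a SEQUENCE")
    tag_n, n_raw, pos = _tlv(rsa, 0)
    tag_e, e_raw, _ = _tlv(rsa, pos)
    if tag_n != INTEGER or tag_e != INTEGER:
        raise ValueError("modulus and exponent must be INTEGERs")
    n = int.from_bytes(n_raw, "big")
    return {
        "algorithm": "rsaEncryption",
        "modulus_bits": n.bit_length(),
        "public_exponent": int.from_bytes(e_raw, "big"),
        "modulus_hex": format(n, "x"),
        "spki_sha256": hashlib.sha256(der).hexdigest(),
    }


if __name__ == "__main__":
    info = parse_rsa_spki(REPORT_PEM)
    for key, value in info.items():
        print(f"{key}: {value[:32] + '...' if key == 'modulus_hex' else value}")
```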

Compliance

Source: PhotoScapeSetup_V3-7.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown HTTPS traffic detected: 23.1.237.91:443 -> 192.168.2.5:49715 version: TLS 1.0
Source: C:\Users\user\Desktop\PhotoScapeSetup_V3-7.exe Window detected: Thank you for downloading PhotoScape.OptionsI Agree - installCancelBy installing PhotoScape you agree to thePhotoScape End User License Agreement. Photoscape is a fun and easy photo editing software that enables you to fix and enhance photos.Photoscape is provided free of charge.
Source: PhotoScapeSetup_V3-7.exe Static PE information: certificate valid
Source: C:\Users\user\AppData\Local\Temp\GTGCAPI.exe File opened: C:\Windows\WinSxS\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.9625_none_508ef7e4bcbbe589\MSVCR90.dll Jump to behavior
Source: unknown HTTPS traffic detected: 23.221.242.90:443 -> 192.168.2.5:49745 version: TLS 1.2
Source: unknown HTTPS traffic detected: 23.221.242.90:443 -> 192.168.2.5:49766 version: TLS 1.2
Source: Binary string: goopdateres_unsigned_ms.pdb source: GoogleUpdateSetup_latest.exe, 00000009.00000003.2092153553.000000000347E000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdateSetup_latest.exe, 00000009.00000003.2091741940.0000000002CA3000.00000004.00000020.00020000.00000000.sdmp, GUT2393.tmp.9.dr
Source: Binary string: msvcr90.i386.pdb source: PhotoScapeSetup_V3-7.exe, 00000000.00000003.2120397499.0000000002905000.00000004.00000020.00020000.00000000.sdmp, PhotoScapeSetup_V3-7.exe, 00000000.00000003.2004669595.0000000002903000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: goopdateres_unsigned_fa.pdb source: GoogleUpdateSetup_latest.exe, 00000009.00000003.2092153553.000000000347E000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdateSetup_latest.exe, 00000009.00000003.2091741940.0000000002CA3000.00000004.00000020.00020000.00000000.sdmp, GUT2393.tmp.9.dr
Source: Binary string: goopdateres_unsigned_lt.pdb source: GoogleUpdateSetup_latest.exe, 00000009.00000003.2092153553.000000000347E000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdateSetup_latest.exe, 00000009.00000003.2091741940.0000000002CA3000.00000004.00000020.00020000.00000000.sdmp, GUT2393.tmp.9.dr
Source: Binary string: goopdateres_unsigned_ru.pdb source: GoogleUpdateSetup_latest.exe, 00000009.00000003.2092153553.000000000347E000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdateSetup_latest.exe, 00000009.00000003.2091741940.0000000002CA3000.00000004.00000020.00020000.00000000.sdmp, GUT2393.tmp.9.dr, goopdateres_ru.dll.9.dr
Source: Binary string: goopdateres_unsigned_el.pdb source: GoogleUpdateSetup_latest.exe, 00000009.00000003.2092153553.000000000347E000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdateSetup_latest.exe, 00000009.00000003.2091741940.0000000002CA3000.00000004.00000020.00020000.00000000.sdmp, GUT2393.tmp.9.dr
Source: Binary string: goopdateres_unsigned_tr.pdb source: GoogleUpdateSetup_latest.exe, 00000009.00000003.2092153553.000000000347E000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdateSetup_latest.exe, 00000009.00000003.2091741940.0000000002CA3000.00000004.00000020.00020000.00000000.sdmp, GUT2393.tmp.9.dr, goopdateres_tr.dll.9.dr
Source: Binary string: goopdateres_unsigned_de.pdb source: GoogleUpdateSetup_latest.exe, 00000009.00000003.2092153553.000000000347E000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdateSetup_latest.exe, 00000009.00000003.2091741940.0000000002CA3000.00000004.00000020.00020000.00000000.sdmp, GUT2393.tmp.9.dr, goopdateres_de.dll.9.dr
Source: Binary string: GoogleUpdateOnDemand_unsigned.pdbp) source: GoogleUpdateSetup_latest.exe, 00000009.00000003.2092153553.0000000003412000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdateSetup_latest.exe, 00000009.00000003.2091741940.0000000002C31000.00000004.00000020.00020000.00000000.sdmp, GUT2393.tmp.9.dr
Source: Binary string: goopdateres_unsigned_bg.pdb source: GoogleUpdateSetup_latest.exe, 00000009.00000003.2092153553.000000000347E000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdateSetup_latest.exe, 00000009.00000003.2091741940.0000000002CA3000.00000004.00000020.00020000.00000000.sdmp, GUT2393.tmp.9.dr, goopdateres_bg.dll.9.dr
Source: Binary string: goopdateres_unsigned_mr.pdb source: GoogleUpdateSetup_latest.exe, 00000009.00000003.2092153553.000000000347E000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdateSetup_latest.exe, 00000009.00000003.2091741940.0000000002CA3000.00000004.00000020.00020000.00000000.sdmp, GUT2393.tmp.9.dr
Source: Binary string: goopdateres_unsigned_gu.pdb source: GoogleUpdateSetup_latest.exe, 00000009.00000003.2092153553.000000000347E000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdateSetup_latest.exe, 00000009.00000003.2091741940.0000000002CA3000.00000004.00000020.00020000.00000000.sdmp, GUT2393.tmp.9.dr
Source: Binary string: c:\work\chromium\src\build\Release\gcapi_dll.pdb source: PhotoScapeSetup_V3-7.exe, 00000000.00000003.2003216266.0000000002909000.00000004.00000020.00020000.00000000.sdmp, gcapi_dll.dll.0.dr
Source: Binary string: goopdateres_unsigned_sr.pdb source: GoogleUpdateSetup_latest.exe, 00000009.00000003.2092153553.000000000347E000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdateSetup_latest.exe, 00000009.00000003.2091741940.0000000002CA3000.00000004.00000020.00020000.00000000.sdmp, GUT2393.tmp.9.dr
Source: Binary string: goopdateres_unsigned_th.pdb source: GoogleUpdateSetup_latest.exe, 00000009.00000003.2092153553.000000000347E000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdateSetup_latest.exe, 00000009.00000003.2091741940.0000000002CA3000.00000004.00000020.00020000.00000000.sdmp, GUT2393.tmp.9.dr, goopdateres_th.dll.9.dr
Source: Binary string: GoogleUpdateOnDemand_unsigned.pdb source: GoogleUpdateSetup_latest.exe, 00000009.00000003.2092153553.0000000003412000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdateSetup_latest.exe, 00000009.00000003.2091741940.0000000002C31000.00000004.00000020.00020000.00000000.sdmp, GUT2393.tmp.9.dr
Source: Binary string: mfc90.i386.pdb source: PhotoScapeSetup_V3-7.exe, 00000000.00000003.2117939007.0000000002902000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: MicrosoftWindowsGdiPlus-1.0.2600.2180-gdiplus.pdbH source: PhotoScapeSetup_V3-7.exe, 00000000.00000003.2116640502.0000000002901000.00000004.00000020.00020000.00000000.sdmp, GdiPlus.dll.0.dr
Source: Binary string: GoogleCrashHandler64_unsigned.pdb source: GoogleUpdateSetup_latest.exe, 00000009.00000003.2092153553.000000000347E000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdateSetup_latest.exe, 00000009.00000003.2091741940.0000000002CA3000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdateSetup_latest.exe, 00000009.00000002.3259785509.0000000000E6E000.00000004.00000010.00020000.00000000.sdmp, GUT2393.tmp.9.dr, GoogleCrashHandler64.exe.9.dr
Source: Binary string: psmachine_unsigned.pdb source: GoogleUpdateSetup_latest.exe, 00000009.00000003.2092153553.0000000003412000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdateSetup_latest.exe, 00000009.00000003.2091741940.0000000002C31000.00000004.00000020.00020000.00000000.sdmp, GUT2393.tmp.9.dr, psmachine.dll.9.dr
Source: Binary string: goopdateres_unsigned_am.pdb source: GoogleUpdateSetup_latest.exe, 00000009.00000003.2092153553.000000000347E000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdateSetup_latest.exe, 00000009.00000003.2091741940.0000000002CA3000.00000004.00000020.00020000.00000000.sdmp, GUT2393.tmp.9.dr, goopdateres_am.dll.9.dr
Source: Binary string: goopdateres_unsigned_cs.pdb source: GoogleUpdateSetup_latest.exe, 00000009.00000003.2092153553.000000000347E000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdateSetup_latest.exe, 00000009.00000003.2091741940.0000000002CA3000.00000004.00000020.00020000.00000000.sdmp, goopdateres_cs.dll.9.dr, GUT2393.tmp.9.dr
Source: Binary string: goopdateres_unsigned_lv.pdb source: GoogleUpdateSetup_latest.exe, 00000009.00000003.2092153553.000000000347E000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdateSetup_latest.exe, 00000009.00000003.2091741940.0000000002CA3000.00000004.00000020.00020000.00000000.sdmp, goopdateres_lv.dll.9.dr, GUT2393.tmp.9.dr
Source: Binary string: goopdateres_unsigned_ta.pdb source: GoogleUpdateSetup_latest.exe, 00000009.00000003.2092153553.000000000347E000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdateSetup_latest.exe, 00000009.00000003.2091741940.0000000002CA3000.00000004.00000020.00020000.00000000.sdmp, GUT2393.tmp.9.dr
Source: Binary string: GoogleUpdateBroker_unsigned.pdbp) source: GoogleUpdateSetup_latest.exe, 00000009.00000003.2092153553.0000000003412000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdateSetup_latest.exe, 00000009.00000003.2091741940.0000000002C31000.00000004.00000020.00020000.00000000.sdmp, GUT2393.tmp.9.dr
Source: Binary string: c:\work\chromium\src\build\Release\gcapi_dll.pdb( source: PhotoScapeSetup_V3-7.exe, 00000000.00000003.2003216266.0000000002909000.00000004.00000020.00020000.00000000.sdmp, gcapi_dll.dll.0.dr
Source: Binary string: goopdate_unsigned.pdb source: GoogleUpdateSetup_latest.exe, 00000009.00000003.2092153553.00000000032E1000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdateSetup_latest.exe, 00000009.00000003.2091741940.0000000002AD9000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000000A.00000002.3265038387.000000006C979000.00000002.00000001.01000000.00000012.sdmp, GUT2393.tmp.9.dr, goopdate.dll.9.dr
Source: Binary string: goopdateres_unsigned_hi.pdb source: GoogleUpdateSetup_latest.exe, 00000009.00000003.2092153553.000000000347E000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdateSetup_latest.exe, 00000009.00000003.2091741940.0000000002CA3000.00000004.00000020.00020000.00000000.sdmp, GUT2393.tmp.9.dr
Source: Binary string: goopdateres_unsigned_es-419.pdb source: GoogleUpdateSetup_latest.exe, 00000009.00000003.2092153553.000000000347E000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdateSetup_latest.exe, 00000009.00000003.2091741940.0000000002CA3000.00000004.00000020.00020000.00000000.sdmp, GUT2393.tmp.9.dr, goopdateres_es-419.dll.9.dr
Source: Binary string: GoogleCrashHandler_unsigned.pdb source: GoogleUpdateSetup_latest.exe, 00000009.00000003.2091741940.0000000002A8A000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdateSetup_latest.exe, 00000009.00000003.2092153553.0000000003298000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdateSetup_latest.exe, 00000009.00000003.2091090955.0000000002A82000.00000004.00000020.00020000.00000000.sdmp, GUT2393.tmp.9.dr, GoogleCrashHandler.exe.9.dr
Source: Binary string: mi_exe_stub.pdb source: GoogleUpdateSetup_latest.exe, 00000009.00000002.3259072193.0000000000CF7000.00000002.00000001.01000000.00000010.sdmp, GoogleUpdateSetup_latest.exe, 00000009.00000000.2089761210.0000000000CF7000.00000002.00000001.01000000.00000010.sdmp, GoogleUpdateSetup_latest.exe.8.dr
Source: Binary string: goopdateres_unsigned_pt-BR.pdb source: GoogleUpdateSetup_latest.exe, 00000009.00000003.2092153553.000000000347E000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdateSetup_latest.exe, 00000009.00000003.2091741940.0000000002CA3000.00000004.00000020.00020000.00000000.sdmp, GUT2393.tmp.9.dr, goopdateres_pt-BR.dll.9.dr
Source: Binary string: goopdateres_unsigned_hr.pdb source: GoogleUpdateSetup_latest.exe, 00000009.00000003.2092153553.000000000347E000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdateSetup_latest.exe, 00000009.00000003.2091741940.0000000002CA3000.00000004.00000020.00020000.00000000.sdmp, GUT2393.tmp.9.dr
Source: Binary string: goopdateres_unsigned_id.pdb source: GoogleUpdateSetup_latest.exe, 00000009.00000003.2092153553.000000000347E000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdateSetup_latest.exe, 00000009.00000003.2091741940.0000000002CA3000.00000004.00000020.00020000.00000000.sdmp, GUT2393.tmp.9.dr
Source: Binary string: npGoogleUpdate3_unsigned.pdb source: GoogleUpdateSetup_latest.exe, 00000009.00000003.2091090955.0000000002B80000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdateSetup_latest.exe, 00000009.00000003.2091741940.0000000002BA5000.00000004.00000020.00020000.00000000.sdmp, GUT2393.tmp.9.dr
Source: Binary string: goopdateres_unsigned_zh-TW.pdb source: GoogleUpdateSetup_latest.exe, 00000009.00000003.2092153553.000000000347E000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdateSetup_latest.exe, 00000009.00000003.2091741940.0000000002CA3000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdateSetup_latest.exe, 00000009.00000002.3259785509.0000000000E6E000.00000004.00000010.00020000.00000000.sdmp, GUT2393.tmp.9.dr
Source: Binary string: GoogleUpdate_unsigned.pdb source: GoogleUpdateSetup_latest.exe, 00000009.00000003.2091741940.0000000002A8A000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdateSetup_latest.exe, 00000009.00000003.2092153553.0000000003298000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdateSetup_latest.exe, 00000009.00000003.2091090955.0000000002A82000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, GoogleUpdate.exe, 0000000A.00000002.3258616779.000000000044C000.00000002.00000001.01000000.00000011.sdmp, GoogleUpdate.exe, 0000000A.00000000.2097000811.000000000044C000.00000002.00000001.01000000.00000011.sdmp, GUT2393.tmp.9.dr, GoogleUpdate.exe.9.dr
Source: Binary string: GoogleUpdateBroker_unsigned.pdb source: GoogleUpdateSetup_latest.exe, 00000009.00000003.2092153553.0000000003412000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdateSetup_latest.exe, 00000009.00000003.2091741940.0000000002C31000.00000004.00000020.00020000.00000000.sdmp, GUT2393.tmp.9.dr
Source: Binary string: gtapi.pdb source: PhotoScapeSetup_V3-7.exe, 00000000.00000003.2002530269.0000000002903000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: goopdateres_unsigned_sw.pdb source: GoogleUpdateSetup_latest.exe, 00000009.00000003.2092153553.000000000347E000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdateSetup_latest.exe, 00000009.00000003.2091741940.0000000002CA3000.00000004.00000020.00020000.00000000.sdmp, goopdateres_sw.dll.9.dr, GUT2393.tmp.9.dr
Source: Binary string: goopdateres_unsigned_it.pdb source: GoogleUpdateSetup_latest.exe, 00000009.00000003.2092153553.000000000347E000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdateSetup_latest.exe, 00000009.00000003.2091741940.0000000002CA3000.00000004.00000020.00020000.00000000.sdmp, GUT2393.tmp.9.dr
Source: Binary string: MicrosoftWindowsGdiPlus-1.0.2600.2180-gdiplus.pdb source: PhotoScapeSetup_V3-7.exe, 00000000.00000003.2116640502.0000000002901000.00000004.00000020.00020000.00000000.sdmp, GdiPlus.dll.0.dr
Source: Binary string: goopdateres_unsigned_pt-PT.pdb source: GoogleUpdateSetup_latest.exe, 00000009.00000003.2092153553.000000000347E000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdateSetup_latest.exe, 00000009.00000003.2091741940.0000000002CA3000.00000004.00000020.00020000.00000000.sdmp, GUT2393.tmp.9.dr, goopdateres_pt-PT.dll.9.dr
Source: Binary string: goopdateres_unsigned_vi.pdb source: GoogleUpdateSetup_latest.exe, 00000009.00000003.2092153553.000000000347E000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdateSetup_latest.exe, 00000009.00000003.2091741940.0000000002CA3000.00000004.00000020.00020000.00000000.sdmp, GUT2393.tmp.9.dr
Source: Binary string: goopdateres_unsigned_bn.pdb source: GoogleUpdateSetup_latest.exe, 00000009.00000003.2092153553.000000000347E000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdateSetup_latest.exe, 00000009.00000003.2091741940.0000000002CA3000.00000004.00000020.00020000.00000000.sdmp, GUT2393.tmp.9.dr
Source: Binary string: goopdateres_unsigned_ja.pdb source: GoogleUpdateSetup_latest.exe, 00000009.00000003.2092153553.000000000347E000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdateSetup_latest.exe, 00000009.00000003.2091741940.0000000002CA3000.00000004.00000020.00020000.00000000.sdmp, goopdateres_ja.dll.9.dr, GUT2393.tmp.9.dr
Source: Binary string: gtapi.pdb ) source: PhotoScapeSetup_V3-7.exe, 00000000.00000003.2002530269.0000000002903000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: goopdateres_unsigned_sv.pdb source: GoogleUpdateSetup_latest.exe, 00000009.00000003.2092153553.000000000347E000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdateSetup_latest.exe, 00000009.00000003.2091741940.0000000002CA3000.00000004.00000020.00020000.00000000.sdmp, GUT2393.tmp.9.dr, goopdateres_sv.dll.9.dr
Source: Binary string: goopdateres_unsigned_es.pdb source: GoogleUpdateSetup_latest.exe, 00000009.00000003.2092153553.000000000347E000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdateSetup_latest.exe, 00000009.00000003.2091741940.0000000002CA3000.00000004.00000020.00020000.00000000.sdmp, GUT2393.tmp.9.dr, goopdateres_es.dll.9.dr
Source: Binary string: goopdateres_unsigned_is.pdb source: GoogleUpdateSetup_latest.exe, 00000009.00000003.2092153553.000000000347E000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdateSetup_latest.exe, 00000009.00000003.2091741940.0000000002CA3000.00000004.00000020.00020000.00000000.sdmp, GUT2393.tmp.9.dr, goopdateres_is.dll.9.dr
Source: Binary string: goopdateres_unsigned_fr.pdb source: GoogleUpdateSetup_latest.exe, 00000009.00000003.2092153553.000000000347E000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdateSetup_latest.exe, 00000009.00000003.2091741940.0000000002CA3000.00000004.00000020.00020000.00000000.sdmp, GUT2393.tmp.9.dr
Source: Binary string: goopdateres_unsigned_ro.pdb source: GoogleUpdateSetup_latest.exe, 00000009.00000003.2092153553.000000000347E000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdateSetup_latest.exe, 00000009.00000003.2091741940.0000000002CA3000.00000004.00000020.00020000.00000000.sdmp, GUT2393.tmp.9.dr, goopdateres_ro.dll.9.dr
Source: Binary string: goopdateres_unsigned_uk.pdb source: GoogleUpdateSetup_latest.exe, 00000009.00000003.2092153553.000000000347E000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdateSetup_latest.exe, 00000009.00000003.2091741940.0000000002CA3000.00000004.00000020.00020000.00000000.sdmp, GUT2393.tmp.9.dr
Source: Binary string: goopdateres_unsigned_ca.pdb source: GoogleUpdateSetup_latest.exe, 00000009.00000003.2092153553.000000000347E000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdateSetup_latest.exe, 00000009.00000003.2091741940.0000000002CA3000.00000004.00000020.00020000.00000000.sdmp, goopdateres_ca.dll.9.dr, GUT2393.tmp.9.dr
Source: Binary string: goopdateres_unsigned_nl.pdb source: GoogleUpdateSetup_latest.exe, 00000009.00000003.2092153553.000000000347E000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdateSetup_latest.exe, 00000009.00000003.2091741940.0000000002CA3000.00000004.00000020.00020000.00000000.sdmp, GUT2393.tmp.9.dr, goopdateres_nl.dll.9.dr
Source: Binary string: goopdateres_unsigned_ko.pdb source: GoogleUpdateSetup_latest.exe, 00000009.00000003.2092153553.000000000347E000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdateSetup_latest.exe, 00000009.00000003.2091741940.0000000002CA3000.00000004.00000020.00020000.00000000.sdmp, GUT2393.tmp.9.dr
Source: Binary string: goopdateres_unsigned_et.pdb source: GoogleUpdateSetup_latest.exe, 00000009.00000003.2092153553.000000000347E000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdateSetup_latest.exe, 00000009.00000003.2091741940.0000000002CA3000.00000004.00000020.00020000.00000000.sdmp, GUT2393.tmp.9.dr
Source: Binary string: msvcp90.i386.pdb source: PhotoScapeSetup_V3-7.exe, 00000000.00000003.2118851699.0000000002903000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: goopdateres_unsigned_iw.pdb source: GoogleUpdateSetup_latest.exe, 00000009.00000003.2092153553.000000000347E000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdateSetup_latest.exe, 00000009.00000003.2091741940.0000000002CA3000.00000004.00000020.00020000.00000000.sdmp, GUT2393.tmp.9.dr, goopdateres_iw.dll.9.dr
Source: Binary string: goopdateres_unsigned_no.pdb source: GoogleUpdateSetup_latest.exe, 00000009.00000003.2092153553.000000000347E000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdateSetup_latest.exe, 00000009.00000003.2091741940.0000000002CA3000.00000004.00000020.00020000.00000000.sdmp, GUT2393.tmp.9.dr
Source: Binary string: goopdateres_unsigned_te.pdb source: GoogleUpdateSetup_latest.exe, 00000009.00000003.2092153553.000000000347E000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdateSetup_latest.exe, 00000009.00000003.2091741940.0000000002CA3000.00000004.00000020.00020000.00000000.sdmp, GUT2393.tmp.9.dr
Source: Binary string: goopdateres_unsigned_ur.pdb source: GoogleUpdateSetup_latest.exe, 00000009.00000003.2092153553.000000000347E000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdateSetup_latest.exe, 00000009.00000003.2091741940.0000000002CA3000.00000004.00000020.00020000.00000000.sdmp, GUT2393.tmp.9.dr, goopdateres_ur.dll.9.dr
Source: Binary string: goopdateres_unsigned_fil.pdb source: GoogleUpdateSetup_latest.exe, 00000009.00000003.2092153553.000000000347E000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdateSetup_latest.exe, 00000009.00000003.2091741940.0000000002CA3000.00000004.00000020.00020000.00000000.sdmp, GUT2393.tmp.9.dr
Source: Binary string: mfc90.i386.pdbpmxt source: PhotoScapeSetup_V3-7.exe, 00000000.00000003.2117939007.0000000002902000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: goopdateres_unsigned_pl.pdb source: GoogleUpdateSetup_latest.exe, 00000009.00000003.2092153553.000000000347E000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdateSetup_latest.exe, 00000009.00000003.2091741940.0000000002CA3000.00000004.00000020.00020000.00000000.sdmp, GUT2393.tmp.9.dr, goopdateres_pl.dll.9.dr
Source: Binary string: goopdateres_unsigned_en-GB.pdb source: GoogleUpdateSetup_latest.exe, 00000009.00000003.2092153553.000000000347E000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdateSetup_latest.exe, 00000009.00000003.2091741940.0000000002CA3000.00000004.00000020.00020000.00000000.sdmp, GUT2393.tmp.9.dr
Source: Binary string: goopdateres_unsigned_fi.pdb source: GoogleUpdateSetup_latest.exe, 00000009.00000003.2092153553.000000000347E000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdateSetup_latest.exe, 00000009.00000003.2091741940.0000000002CA3000.00000004.00000020.00020000.00000000.sdmp, GUT2393.tmp.9.dr
Source: Binary string: goopdateres_unsigned_ml.pdb source: GoogleUpdateSetup_latest.exe, 00000009.00000003.2092153553.000000000347E000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdateSetup_latest.exe, 00000009.00000003.2091741940.0000000002CA3000.00000004.00000020.00020000.00000000.sdmp, GUT2393.tmp.9.dr
Source: Binary string: goopdateres_unsigned_sk.pdb source: GoogleUpdateSetup_latest.exe, 00000009.00000003.2092153553.000000000347E000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdateSetup_latest.exe, 00000009.00000003.2091741940.0000000002CA3000.00000004.00000020.00020000.00000000.sdmp, GUT2393.tmp.9.dr
Source: Binary string: psuser_unsigned.pdb source: GoogleUpdateSetup_latest.exe, 00000009.00000003.2092153553.0000000003459000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdateSetup_latest.exe, 00000009.00000003.2091741940.0000000002C7B000.00000004.00000020.00020000.00000000.sdmp, GUT2393.tmp.9.dr
Source: Binary string: goopdateres_unsigned_hu.pdb source: GoogleUpdateSetup_latest.exe, 00000009.00000003.2092153553.000000000347E000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdateSetup_latest.exe, 00000009.00000003.2091741940.0000000002CA3000.00000004.00000020.00020000.00000000.sdmp, GUT2393.tmp.9.dr
Source: Binary string: goopdateres_unsigned_en.pdb source: GoogleUpdateSetup_latest.exe, 00000009.00000003.2092153553.000000000347E000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdateSetup_latest.exe, 00000009.00000003.2091741940.0000000002CA3000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000000A.00000002.3263112671.00000000024A0000.00000002.00000001.00040000.00000021.sdmp, GUT2393.tmp.9.dr
Source: Binary string: goopdateres_unsigned_da.pdb source: GoogleUpdateSetup_latest.exe, 00000009.00000003.2092153553.000000000347E000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdateSetup_latest.exe, 00000009.00000003.2091741940.0000000002CA3000.00000004.00000020.00020000.00000000.sdmp, GUT2393.tmp.9.dr
Source: Binary string: goopdateres_unsigned_ar.pdb source: GoogleUpdateSetup_latest.exe, 00000009.00000003.2092153553.000000000347E000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdateSetup_latest.exe, 00000009.00000003.2091741940.0000000002CA3000.00000004.00000020.00020000.00000000.sdmp, goopdateres_ar.dll.9.dr, GUT2393.tmp.9.dr
Source: Binary string: goopdateres_unsigned_sl.pdb source: GoogleUpdateSetup_latest.exe, 00000009.00000003.2092153553.000000000347E000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdateSetup_latest.exe, 00000009.00000003.2091741940.0000000002CA3000.00000004.00000020.00020000.00000000.sdmp, GUT2393.tmp.9.dr
Source: Binary string: c:\srcs\syncclient\googleclient\apps\webdrive_sync\windows\gdapi\criteriachecker\Build\gdapi.pdb source: PhotoScapeSetup_V3-7.exe, 00000000.00000003.2003759208.0000000002905000.00000004.00000020.00020000.00000000.sdmp, gdapi.dll.0.dr
Source: Binary string: goopdateres_unsigned_zh-CN.pdb source: GoogleUpdateSetup_latest.exe, 00000009.00000003.2092153553.000000000347E000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdateSetup_latest.exe, 00000009.00000003.2091741940.0000000002CA3000.00000004.00000020.00020000.00000000.sdmp, GUT2393.tmp.9.dr
Source: Binary string: goopdateres_unsigned_kn.pdb source: GoogleUpdateSetup_latest.exe, 00000009.00000003.2092153553.000000000347E000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdateSetup_latest.exe, 00000009.00000003.2091741940.0000000002CA3000.00000004.00000020.00020000.00000000.sdmp, GUT2393.tmp.9.dr
Source: C:\Users\user\Desktop\PhotoScapeSetup_V3-7.exe Code function: 0_2_00405B6C FindFirstFileW,FindClose, 0_2_00405B6C
Source: C:\Users\user\Desktop\PhotoScapeSetup_V3-7.exe Code function: 0_2_0040652D DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW, 0_2_0040652D
Source: C:\Users\user\AppData\Local\Temp\GoogleSetup.exe Code function: 7_2_00405B6C FindFirstFileW,FindClose, 7_2_00405B6C
Source: C:\Users\user\AppData\Local\Temp\GoogleSetup.exe Code function: 7_2_0040652D DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW, 7_2_0040652D
Source: C:\Users\user\AppData\Local\Temp\Mooii_GDrive.exe Code function: 8_2_0040654D DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW, 8_2_0040654D
Source: C:\Users\user\AppData\Local\Temp\Mooii_GDrive.exe Code function: 8_2_00405B8C FindFirstFileW,FindClose, 8_2_00405B8C
Source: C:\Users\user\AppData\Local\Temp\Mooii_GDrive.exe Code function: 8_2_004029F1 FindFirstFileW, 8_2_004029F1
Source: C:\Program Files (x86)\GUM2392.tmp\GoogleUpdate.exe Code function: 10_2_6C8EADA9 _memset,FindFirstFileW,FindNextFileW,FindClose, 10_2_6C8EADA9
Source: C:\Program Files (x86)\GUM2392.tmp\GoogleUpdate.exe Code function: 10_2_6C910D29 _memset,FindFirstFileW,FindNextFileW,FindClose, 10_2_6C910D29
Source: C:\Program Files (x86)\GUM2392.tmp\GoogleUpdate.exe Code function: 10_2_6C8EAEE3 _memset,FindFirstFileW,FindNextFileW,FindClose,FindClose, 10_2_6C8EAEE3
Source: C:\Program Files (x86)\GUM2392.tmp\GoogleUpdate.exe Code function: 10_2_6C8EA47E _memset,FindFirstFileW,FindNextFileW,FindClose, 10_2_6C8EA47E
Source: C:\Program Files (x86)\GUM2392.tmp\GoogleUpdate.exe Code function: 10_2_6C9106CC _memset,FindFirstFileW,FindNextFileW,FindClose, 10_2_6C9106CC
Source: C:\Program Files (x86)\GUM2392.tmp\GoogleUpdate.exe Code function: 10_2_6C8E462D FindFirstFileW,_memset,FindFirstFileW,GetLastError,DeleteFileW,FindNextFileW,GetLastError,FindClose, 10_2_6C8E462D
Source: C:\Program Files (x86)\GUM2392.tmp\GoogleUpdate.exe Code function: 10_2_6C8E4770 GetFileAttributesW,GetLastError,_memset,FindFirstFileW,GetLastError,FindNextFileW,FindClose,RemoveDirectoryW, 10_2_6C8E4770
Source: C:\Program Files (x86)\GUM2392.tmp\GoogleUpdate.exe Code function: 10_2_6C949B30 _memset,FindFirstFileW,FindFirstFileW,GetLastError,__wcsicmp,__wcsicmp,__wcsicmp,_memset,FindFirstFileW,_memset,FindFirstFileW,FindClose,FindClose,FindNextFileW,GetLastError,FindClose,FindClose, 10_2_6C949B30
Source: C:\Program Files (x86)\GUM2392.tmp\GoogleUpdate.exe Code function: 10_2_6C8EB099 _memset,FindFirstFileW,FindNextFileW,FindClose,FindClose, 10_2_6C8EB099
Source: C:\Program Files (x86)\GUM2392.tmp\GoogleUpdate.exe Code function: 10_2_6C8F0776 _memset,GetLogicalDriveStringsW,_memset,QueryDosDeviceW,__wcsnicmp, 10_2_6C8F0776
Source: C:\Users\user\Desktop\PhotoScapeSetup_V3-7.exe File opened: C:\Users\user\AppData\Local\Temp\nsm78F.tmp\ Jump to behavior
Source: C:\Users\user\Desktop\PhotoScapeSetup_V3-7.exe File opened: C:\Users\user\AppData\Local\ Jump to behavior
Source: C:\Users\user\Desktop\PhotoScapeSetup_V3-7.exe File opened: C:\Users\user\AppData\ Jump to behavior
Source: C:\Users\user\Desktop\PhotoScapeSetup_V3-7.exe File opened: C:\Users\user\ Jump to behavior
Source: C:\Users\user\Desktop\PhotoScapeSetup_V3-7.exe File opened: C:\Users\user\AppData\Local\Temp\ Jump to behavior
Source: C:\Users\user\Desktop\PhotoScapeSetup_V3-7.exe File opened: C:\Users\user\AppData\Local\Temp\nsm78F.tmp\System.dll Jump to behavior
Source: global traffic HTTP traffic detected: GET /update.php?app=photoscape&version=1,0,0,1302&exec=first&lang=en&langid=09:02 HTTP/1.1Cache-Control: no-cacheHost: update.photoscape.orgAccept: */*Connection: close
Source: global traffic HTTP traffic detected: GET /65535/53611343372_5a3e5c1a4b_m.jpg HTTP/1.1Cache-Control: no-cacheHost: live.staticflickr.comAccept: */*Connection: close
Source: global traffic HTTP traffic detected: GET /link/image.php?topic=intro&count=1 HTTP/1.1Cache-Control: no-cacheHost: www.photoscape.orgAccept: */*Connection: close
Source: global traffic HTTP traffic detected: GET /65535/53607995578_9f405c0807_m.jpg HTTP/1.1Cache-Control: no-cacheHost: live.staticflickr.comAccept: */*Connection: close
Source: global traffic HTTP traffic detected: GET /link/image.php?topic=intro&count=2 HTTP/1.1Cache-Control: no-cacheHost: www.photoscape.orgAccept: */*Connection: close
Source: global traffic HTTP traffic detected: GET /65535/53602413635_d86ce036a5_m.jpg HTTP/1.1Cache-Control: no-cacheHost: live.staticflickr.comAccept: */*Connection: close
Source: global traffic HTTP traffic detected: GET /link/image.php?topic=intro&count=3 HTTP/1.1Cache-Control: no-cacheHost: www.photoscape.orgAccept: */*Connection: close
Source: global traffic HTTP traffic detected: GET /65535/53602740402_76d58954cf_m.jpg HTTP/1.1Cache-Control: no-cacheHost: live.staticflickr.comAccept: */*Connection: close
Source: global traffic HTTP traffic detected: GET /link/image.php?topic=intro&count=4 HTTP/1.1Cache-Control: no-cacheHost: www.photoscape.orgAccept: */*Connection: close
Source: global traffic HTTP traffic detected: GET /65535/53603496684_ed1483466f_m.jpg HTTP/1.1Cache-Control: no-cacheHost: live.staticflickr.comAccept: */*Connection: close
Source: global traffic HTTP traffic detected: GET /link/image.php?topic=intro&count=5 HTTP/1.1Cache-Control: no-cacheHost: www.photoscape.orgAccept: */*Connection: close
Source: global traffic HTTP traffic detected: GET /65535/53609662956_22a41671c7_m.jpg HTTP/1.1Cache-Control: no-cacheHost: live.staticflickr.comAccept: */*Connection: close
Source: global traffic HTTP traffic detected: GET /link/image.php?topic=intro&count=6 HTTP/1.1Cache-Control: no-cacheHost: www.photoscape.orgAccept: */*Connection: close
Source: global traffic HTTP traffic detected: GET /65535/53612486510_25cd8bf366_m.jpg HTTP/1.1Cache-Control: no-cacheHost: live.staticflickr.comAccept: */*Connection: close
Source: global traffic HTTP traffic detected: GET /link/image.php?topic=intro&count=7 HTTP/1.1Cache-Control: no-cacheHost: www.photoscape.orgAccept: */*Connection: close
Source: global traffic HTTP traffic detected: GET /65535/53609662956_22a41671c7_m.jpg HTTP/1.1Cache-Control: no-cacheHost: live.staticflickr.comAccept: */*Connection: close
Source: global traffic HTTP traffic detected: GET /link/image.php?topic=intro&count=8 HTTP/1.1Cache-Control: no-cacheHost: www.photoscape.orgAccept: */*Connection: close
Source: global traffic HTTP traffic detected: GET /link/image.php?topic=intro&count=8 HTTP/1.1Cache-Control: no-cacheHost: www.photoscape.orgAccept: */*Connection: close
Source: global traffic HTTP traffic detected: GET /65535/53603496684_ed1483466f_m.jpg HTTP/1.1Cache-Control: no-cacheHost: live.staticflickr.comAccept: */*Connection: close
Source: Joe Sandbox View IP Address: 104.22.74.171 104.22.74.171
Source: Joe Sandbox View IP Address: 239.255.255.250 239.255.255.250
Source: Joe Sandbox View JA3 fingerprint: 1138de370e523e824bbca92d049a3777
Source: Joe Sandbox View JA3 fingerprint: 28a2c9bd18a11de089ef85a160da29e4
Source: unknown HTTPS traffic detected: 23.1.237.91:443 -> 192.168.2.5:49715 version: TLS 1.0
Source: unknown TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown TCP traffic detected without corresponding DNS query: 23.221.242.90
Source: unknown TCP traffic detected without corresponding DNS query: 23.221.242.90
Source: unknown TCP traffic detected without corresponding DNS query: 23.221.242.90
Source: unknown TCP traffic detected without corresponding DNS query: 23.221.242.90
Source: unknown TCP traffic detected without corresponding DNS query: 23.221.242.90
Source: unknown TCP traffic detected without corresponding DNS query: 23.221.242.90
Source: unknown TCP traffic detected without corresponding DNS query: 23.221.242.90
Source: unknown TCP traffic detected without corresponding DNS query: 23.221.242.90
Source: unknown TCP traffic detected without corresponding DNS query: 23.221.242.90
Source: unknown TCP traffic detected without corresponding DNS query: 23.221.242.90
Source: unknown TCP traffic detected without corresponding DNS query: 23.221.242.90
Source: unknown TCP traffic detected without corresponding DNS query: 23.221.242.90
Source: unknown TCP traffic detected without corresponding DNS query: 23.221.242.90
Source: unknown TCP traffic detected without corresponding DNS query: 152.195.50.149
Source: unknown TCP traffic detected without corresponding DNS query: 152.195.50.149
Source: unknown TCP traffic detected without corresponding DNS query: 152.195.50.149
Source: unknown TCP traffic detected without corresponding DNS query: 152.195.50.149
Source: unknown TCP traffic detected without corresponding DNS query: 23.221.242.90
Source: unknown TCP traffic detected without corresponding DNS query: 23.221.242.90
Source: unknown TCP traffic detected without corresponding DNS query: 23.221.242.90
Source: unknown TCP traffic detected without corresponding DNS query: 152.195.50.149
Source: unknown TCP traffic detected without corresponding DNS query: 152.195.50.149
Source: unknown TCP traffic detected without corresponding DNS query: 152.195.50.149
Source: unknown TCP traffic detected without corresponding DNS query: 152.195.50.149
Source: unknown TCP traffic detected without corresponding DNS query: 23.221.242.90
Source: unknown TCP traffic detected without corresponding DNS query: 23.221.242.90
Source: unknown TCP traffic detected without corresponding DNS query: 23.221.242.90
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Program Files (x86)\GUM2392.tmp\GoogleUpdate.exe Code function: 10_2_6C928AB3 HttpQueryInfoW,_strtol,InternetQueryDataAvailable,InternetReadFile,InternetQueryDataAvailable, 10_2_6C928AB3
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Thu, 28 Mar 2024 14:31:58 GMTServer: Apache/2.2.9 (Debian) PHP/5.2.6-1+lenny8 with Suhosin-PatchX-Powered-By: PHP/5.2.6-1+lenny8X-Frame-Options: DENYVary: Accept-EncodingContent-Encoding: gzipContent-Length: 5041Keep-Alive: timeout=5, max=19Connection: Keep-AliveContent-Type: text/htmlData Raw: [hex dump of gzip-encoded response body omitted]
Source: global traffic HTTP traffic detected: GET /photoscape.org/img/flickr/15014451557_60c95fbeae_n.jpg HTTP/1.1Host: s3.amazonaws.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: http://photoscape.org/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /photoscape.org/img/flickr/8313590481_6d3432188b.jpg HTTP/1.1Host: s3.amazonaws.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: http://photoscape.org/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /photoscape.org/img/flickr/7183973231_2091b97512_m.jpg HTTP/1.1Host: s3.amazonaws.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: http://photoscape.org/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /photoscape.org/img/flickr/15014451557_60c95fbeae_n.jpg HTTP/1.1Host: s3.amazonaws.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: */*Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /photoscape.org/img/flickr/8313590481_6d3432188b.jpg HTTP/1.1Host: s3.amazonaws.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: */*Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /photoscape.org/img/flickr/6547899949_425743f953_m.jpg HTTP/1.1Host: s3.amazonaws.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: http://photoscape.org/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /photoscape.org/img/flickr/7183973231_2091b97512_m.jpg HTTP/1.1Host: s3.amazonaws.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: */*Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /photoscape.org/img/flickr/6547899949_425743f953_m.jpg HTTP/1.1Host: s3.amazonaws.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: */*Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /swidget/xv6kiyug.gif HTTP/1.1Host: whos.amung.usConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: http://photoscape.org/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /small/00/65.png HTTP/1.1Host: widgets.amung.usConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: http://photoscape.org/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /small/00/65.png HTTP/1.1Host: widgets.amung.usConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: */*Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /photoscape.org/img/201812/afterinstall_bg.jpg HTTP/1.1Host: s3.amazonaws.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: http://photoscape.org/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /photoscape.org/img/201812/afterinstall_btn_download_win.png HTTP/1.1Host: s3.amazonaws.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: http://photoscape.org/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /photoscape.org/img/201812/afterinstall_btn_download_win.png HTTP/1.1Host: s3.amazonaws.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: */*Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /photoscape.org/img/201812/afterinstall_bg.jpg HTTP/1.1Host: s3.amazonaws.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: */*Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /pagead/ads?client=ca-pub-8935297298522731&output=html&h=250&adk=2668570439&adf=2525469968&w=300&lmt=1711637023&channel=1479983659&ad_type=text_image&format=300x250_as&color_bg=FFFFFF&color_border=FFFFFF&color_link=0000FF&color_text=666666&color_url=666666&url=http%3A%2F%2Fphotoscape.org%2Fps%2Fmain%2Fafterinstall.php%3Fv%3D3.7&wgl=1&dt=1711637021195&bpp=865&bdt=3904&idt=1852&shv=r20240326&mjsv=m202403200101&ptt=5&saldr=sd&abxe=1&correlator=2244882728464&frm=20&pv=2&ga_vid=1461180792.1711637021&ga_sid=1711637021&ga_hid=1015480240&ga_fc=1&u_tz=60&u_his=1&u_h=1024&u_w=1280&u_ah=984&u_aw=1280&u_cd=24&u_sd=1&adx=696&ady=412&biw=1263&bih=890&scr_x=0&scr_y=0&eid=44759876%2C44759927%2C44759837%2C44795921%2C95325976%2C95329024%2C95320377%2C95328826%2C31078668%2C31078670%2C31082176&oid=2&pvsid=2891480479766366&tmod=1628530264&uas=0&nvt=1&fc=896&brdim=0%2C0%2C0%2C0%2C1280%2C0%2C1280%2C984%2C1280%2C907&vis=1&rsz=%7C%7ClE%7C&abl=CS&pfx=0&fu=0&bc=23&bz=1&psd=W251bGwsbnVsbCxudWxsLDNd&nt=1&ifi=1&uci=a!1&fsb=1&dtd=1871 HTTP/1.1Host: googleads.g.doubleclick.netConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7X-Client-Data: CIe2yQEIprbJAQipncoBCMDdygEIlqHLAQiFoM0BCOnFzQEIucrNAQiK080BGI/OzQEYwtjNARjrjaUXSec-Fetch-Site: cross-siteSec-Fetch-Mode: navigateSec-Fetch-Dest: iframeReferer: http://photoscape.org/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /pagead/ads?client=ca-pub-8935297298522731&output=html&adk=1812271804&adf=3025194257&lmt=1711637023&plat=9%3A32776%2C16%3A8388608%2C17%3A32%2C24%3A32%2C25%3A32%2C30%3A1081344%2C32%3A32%2C41%3A32%2C42%3A32&plas=212x816_l%7C250x816_r&channel=1479983659&format=0x0&url=http%3A%2F%2Fphotoscape.org%2Fps%2Fmain%2Fafterinstall.php%3Fv%3D3.7&pra=7&wgl=1&easpi=0&asro=0&dt=1711637022060&bpp=2&bdt=4768&idt=1024&shv=r20240326&mjsv=m202403200101&ptt=9&saldr=aa&abxe=1&prev_fmts=300x250_as&nras=1&correlator=2244882728464&pv_ch=1479983659%2B&frm=20&pv=1&ga_vid=1461180792.1711637021&ga_sid=1711637021&ga_hid=1015480240&ga_fc=1&u_tz=60&u_his=1&u_h=1024&u_w=1280&u_ah=984&u_aw=1280&u_cd=24&u_sd=1&adx=-12245933&ady=-12245933&biw=1263&bih=890&scr_x=0&scr_y=0&eid=44759876%2C44759927%2C44759837%2C44795921%2C95325976%2C95329024%2C95320377%2C95328826%2C31078668%2C31078670&oid=2&pvsid=2891480479766366&tmod=1628530264&uas=0&nvt=1&fsapi=1&fc=896&brdim=0%2C0%2C0%2C0%2C1280%2C0%2C1280%2C984%2C1280%2C907&vis=1&rsz=%7C%7Cs%7C&abl=NS&fu=32768&bc=23&bz=1&psd=W251bGwsbnVsbCxudWxsLDNd&nt=1&ifi=2&uci=a!2&fsb=1&dtd=1035 HTTP/1.1Host: googleads.g.doubleclick.netConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7X-Client-Data: CIe2yQEIprbJAQipncoBCMDdygEIlqHLAQiFoM0BCOnFzQEIucrNAQiK080BGI/OzQEYwtjNARjrjaUXSec-Fetch-Site: cross-siteSec-Fetch-Mode: navigateSec-Fetch-Dest: iframeReferer: http://photoscape.org/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /ng-assets/creative/assets/index-5ff488ba.css HTTP/1.1Host: cdn.bidbrain.appConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: text/css,*/*;q=0.1Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: styleReferer: https://googleads.g.doubleclick.net/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /ng-assets/creative/assets/polyfills-a16f0012.js HTTP/1.1Host: cdn.bidbrain.appConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"Origin: https://googleads.g.doubleclick.netsec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: */*Sec-Fetch-Site: cross-siteSec-Fetch-Mode: corsSec-Fetch-Dest: scriptReferer: https://googleads.g.doubleclick.net/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /ng-assets/creative/assets/index-81e1956e.js HTTP/1.1Host: cdn.bidbrain.appConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"Origin: https://googleads.g.doubleclick.netsec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: */*Sec-Fetch-Site: cross-siteSec-Fetch-Mode: corsSec-Fetch-Dest: scriptReferer: https://googleads.g.doubleclick.net/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /fs/windows/config.json HTTP/1.1Connection: Keep-AliveAccept: */*Accept-Encoding: identityIf-Unmodified-Since: Tue, 16 May 2017 22:58:00 GMTRange: bytes=0-2147483646User-Agent: Microsoft BITS/7.8Host: fs.microsoft.com
Source: global traffic HTTP traffic detected: GET /compressedFonts/RobotoRegular.woff2 HTTP/1.1Host: cdn.bidbrain.appConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"Origin: https://googleads.g.doubleclick.netsec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: */*Sec-Fetch-Site: cross-siteSec-Fetch-Mode: corsSec-Fetch-Dest: fontReferer: https://googleads.g.doubleclick.net/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /compressedFonts/RobotoBold.woff2 HTTP/1.1Host: cdn.bidbrain.appConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"Origin: https://googleads.g.doubleclick.netsec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: */*Sec-Fetch-Site: cross-siteSec-Fetch-Mode: corsSec-Fetch-Dest: fontReferer: https://googleads.g.doubleclick.net/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /rtimp?sid=93e73409-ed11-11ee-a2ec-fee3b5cba93b&d=photoscape.org&cr=ext_ngt_start_fires8&a=imp&p=ZgWCIAAI2wEFKMz8AASJuVU0bTVd859SYxpALg&im=yAHntm2J_DrzRZkKtR-VSh1UoUtvEQ7LB7xmQtqOVreJnl4ws8GF1Zj8ohG-7t8YWNHHoTPily6B61_J54L8ccrHFCb6DlgRbTMbZTF3Ii7lj8Z0Dt94Xbf3Ar4pan1TFmgKi23yVjSQLKeHO-oe17W5fivE_J9yO242cskFijjD0bNhcc6nm7aoDafE_ONP5Aey0KdXX6VmUZ6HCKDaCiUFBGkwA0OrHZS5Fsaj2etRQHoa2Lfk19Jhr4Ylf93KD6u9V986_dBNvqizOKeTWhxOMT8mwvkU27qHGzC71BT49NVEUE49GVx7fQ_6jte0irPWaky_ltT1QZaQV7Ot8B1ybL7JZ_iih5AfnktOfpY&cbvp=2 HTTP/1.1Host: g.bidbrain.appConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://googleads.g.doubleclick.net/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: uid_cross=955fc8a8-ed11-11ee-8e21-6efff0164504; sid_cross=93e73409-ed11-11ee-a2ec-fee3b5cba93b
Source: global traffic HTTP traffic detected: GET /pagead/adview?ai=CTiwfIIIFZoG2I_yZo9kPuZOSoAW9qs_Ndemi3NbEEsCNtwEQASAAYMmGgICAgPQPggEXY2EtcHViLTg5MzUyOTcyOTg1MjI3MzHIAQmoAwHIAwKqBNgBT9DgwsbBnmjRVqQWHTwfSqUUI2s5hmrst6L3gXWyA6URIMWaBM1Xaurzt56WysaggSNfQ7nhzx0av6aVVsm2eljtb6vK2VkTQ4lAS3v7FdKmN3EYk6622HTj4Ji36VlT6ZTLXJYm-ru3ElfGXHEdUzX2FPHaA4UFkkAvR5dMh-zkwxkcar_x8enm8eyDwyYdpF1kJS1ymDzOVcadm0vbsNRB5PKRHycU8h_Vpiv571ZFbHIFh7dcGYUgKYsjueOIuPCDyCva3S42O8YPLZnrGBpVGNFezED3gAaP47XZnZCGlfQBoAYhqAemvhuoB5bYG6gHqpuxAqgHg62xAqgH_56xAqgH35-xAqgHrb6xAtgHANIIIgiAYRABMgKKAjoJgECAwICAgKAoSL39wTpY7K3W5piXhQOACgH6CwIIAYAMAdAVAYAXAbIXGgoYEhRwdWItODkzNTI5NzI5ODUyMjczMRgA&sigh=fqOsiaPwmxY&uach_m=%5BUACH%5D&cid=CAQSTgB7FLtqWmja4rx2mwPibEli-QVCZskYxTcJW8xRg42QpAn21PGYe0IOak8VJGfbNMPV9BMnhlgy-IDWQp07h2u_NYcoFMvhoDXRyJ8f5hgB&cbvp=2&vis=1 HTTP/1.1Host: googleads.g.doubleclick.netConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8X-Client-Data: CIe2yQEIprbJAQipncoBCMDdygEIlqHLAQiFoM0BCOnFzQEIucrNAQiK080BGI/OzQEYwtjNARjrjaUXSec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-8935297298522731&output=html&h=250&adk=2668570439&adf=2525469968&w=300&lmt=1711637023&channel=1479983659&ad_type=text_image&format=300x250_as&color_bg=FFFFFF&color_border=FFFFFF&color_link=0000FF&color_text=666666&color_url=666666&url=http%3A%2F%2Fphotoscape.org%2Fps%2Fmain%2Fafterinstall.php%3Fv%3D3.7&wgl=1&dt=1711637021195&bpp=865&bdt=3904&idt=1852&shv=r20240326&mjsv=m202403200101&ptt=5&saldr=sd&abxe=1&correlator=2244882728464&frm=20&pv=2&ga_vid=1461180792.1711637021&ga_sid=1711637021&ga_hid=1015480240&ga_fc=1&u_tz=60&u_his=1&u_h=1024&u_w=1280&u_ah=984&u_aw=1280&u_cd=24&u_sd=1&adx=696&ady=412&biw=1263&bih=890&scr_x=0&scr_y=0&eid=44759876%2C44759927%2C44759837%2C44795921%2C95325976%2C95329024%2C95320377%2C95328826%2C31078668%2C31078670%2C31082176&oid=2&pvsid=2891480479766366&tmod=1628530264&uas=0&nvt=1&fc=896&brdim=0%2C0%2C0%2C0%2C1280%2C0%2C1280%2C984%2C1280%2C907&vis=1&rsz=%7C%7ClE%7C&abl=CS&pfx=0&fu=0&bc=23&bz=1&psd=W251bGwsbnVsbCxudWxsLDNd&nt=1&ifi=1&uci=a!1&fsb=1&dtd=1871Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: test_cookie=CheckForPermission
Source: global traffic HTTP traffic detected: GET /recaptcha/api2/aframe HTTP/1.1Host: www.google.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7X-Client-Data: CIe2yQEIprbJAQipncoBCMDdygEIlqHLAQiFoM0BCOnFzQEIucrNAQiK080BGI/OzQEYwtjNARjrjaUXSec-Fetch-Site: cross-siteSec-Fetch-Mode: navigateSec-Fetch-Dest: iframeReferer: http://photoscape.org/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: NID=511=Ef5vPFGw-MZYo5hwe-0ThAVslbxbmvdVZwcHnqVzWHAU14v53MN1VvwvQq8baYfg2-IAtqZBV5NOL5rvj2NWIqrz377UhLdHtOgE-tJaBlUBYJEhuGsQdqni3oTJg0brqv1djdiLJyvTSUhdK-c5JWadCSsULPLzhSx-F-6wOg4
Source: global traffic HTTP traffic detected: GET /link/link.php?version=installer&topic=afterinstall&v=3.7 HTTP/1.1Host: photoscape.orgConnection: keep-aliveUpgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /ps/main/afterinstall.php?v=3.7 HTTP/1.1Host: photoscape.orgConnection: keep-aliveUpgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /ps/css/second.css HTTP/1.1Host: photoscape.orgConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: text/css,*/*;q=0.1Referer: http://photoscape.org/ps/main/afterinstall.php?v=3.7Accept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /update.php?app=photoscape&version=1,0,0,1302&exec=first&lang=en&langid=09:02 HTTP/1.1Cache-Control: no-cacheHost: update.photoscape.orgAccept: */*Connection: close
Source: global traffic HTTP traffic detected: GET /ps/images/gb-br-pt-es-tr-th-jp-cn-kr.gif HTTP/1.1Host: photoscape.orgConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8Referer: http://photoscape.org/ps/main/afterinstall.php?v=3.7Accept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /ps/css/media/color_tabs_left.gif HTTP/1.1Host: photoscape.orgConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8Referer: http://photoscape.org/ps/css/second.cssAccept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /ps/css/media/color_tabs_right.gif HTTP/1.1Host: photoscape.orgConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8Referer: http://photoscape.org/ps/css/second.cssAccept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /ps/images/tabicon.gif HTTP/1.1Host: photoscape.orgConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8Referer: http://photoscape.org/ps/main/afterinstall.php?v=3.7Accept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /ps/css/media/color_tabs_left2.gif HTTP/1.1Host: photoscape.orgConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8Referer: http://photoscape.org/ps/css/second.cssAccept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /ps/css/media/color_tabs_right2.gif HTTP/1.1Host: photoscape.orgConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8Referer: http://photoscape.org/ps/css/second.cssAccept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /65535/53611343372_5a3e5c1a4b_m.jpg HTTP/1.1Cache-Control: no-cacheHost: live.staticflickr.comAccept: */*Connection: close
Source: global traffic HTTP traffic detected: GET /ps/images/gb-br-pt-es-tr-th-jp-cn-kr.gif HTTP/1.1Host: photoscape.orgConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: */*Accept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9Cookie: __utma=189524330.1461180792.1711637021.1711637021.1711637021.1; __utmb=189524330; __utmc=189524330; __utmz=189524330.1711637021.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none)
Source: global traffic HTTP traffic detected: GET /ps/css/media/color_tabs_left.gif HTTP/1.1Host: photoscape.orgConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: */*Accept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9Cookie: __utma=189524330.1461180792.1711637021.1711637021.1711637021.1; __utmb=189524330; __utmc=189524330; __utmz=189524330.1711637021.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none)
Source: global traffic HTTP traffic detected: GET /ps/css/media/color_tabs_right.gif HTTP/1.1Host: photoscape.orgConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: */*Accept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9Cookie: __utma=189524330.1461180792.1711637021.1711637021.1711637021.1; __utmb=189524330; __utmc=189524330; __utmz=189524330.1711637021.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none)
Source: global traffic HTTP traffic detected: GET /ps/images/tabicon.gif HTTP/1.1Host: photoscape.orgConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: */*Accept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9Cookie: __utma=189524330.1461180792.1711637021.1711637021.1711637021.1; __utmb=189524330; __utmc=189524330; __utmz=189524330.1711637021.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none)
Source: global traffic HTTP traffic detected: GET /ps/css/media/color_tabs_left2.gif HTTP/1.1Host: photoscape.orgConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: */*Accept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9Cookie: __utma=189524330.1461180792.1711637021.1711637021.1711637021.1; __utmb=189524330; __utmc=189524330; __utmz=189524330.1711637021.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none)
Source: global traffic HTTP traffic detected: GET /ps/css/media/color_tabs_right2.gif HTTP/1.1Host: photoscape.orgConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: */*Accept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9Cookie: __utma=189524330.1461180792.1711637021.1711637021.1711637021.1; __utmb=189524330; __utmc=189524330; __utmz=189524330.1711637021.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none)
Source: global traffic HTTP traffic detected: GET /favicon.ico HTTP/1.1Host: photoscape.orgConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8Referer: http://photoscape.org/ps/main/afterinstall.php?v=3.7Accept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9Cookie: __utma=189524330.1461180792.1711637021.1711637021.1711637021.1; __utmb=189524330; __utmc=189524330; __utmz=189524330.1711637021.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __gads=ID=71dca79e3b4251c2:T=1711637024:RT=1711637024:S=ALNI_MasHMM4J832DNbOyynYJ6yVVF-jRw; __gpi=UID=00000dd68478c1fd:T=1711637024:RT=1711637024:S=ALNI_MZP2ZEZNgQgWIk_XrANdkh_ANZBrQ; __eoi=ID=ebad8bc9e5c66b97:T=1711637024:RT=1711637024:S=AA-AfjbOZO8Nujokvfaf62rirJNS
Source: global traffic HTTP traffic detected: GET /favicon.ico HTTP/1.1Host: photoscape.orgConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: */*Accept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9Cookie: __utma=189524330.1461180792.1711637021.1711637021.1711637021.1; __utmb=189524330; __utmc=189524330; __utmz=189524330.1711637021.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __gads=ID=71dca79e3b4251c2:T=1711637024:RT=1711637024:S=ALNI_MasHMM4J832DNbOyynYJ6yVVF-jRw; __gpi=UID=00000dd68478c1fd:T=1711637024:RT=1711637024:S=ALNI_MZP2ZEZNgQgWIk_XrANdkh_ANZBrQ; __eoi=ID=ebad8bc9e5c66b97:T=1711637024:RT=1711637024:S=AA-AfjbOZO8Nujokvfaf62rirJNS
Source: global traffic HTTP traffic detected: GET /favicon.ico HTTP/1.1Host: photoscape.orgConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: */*Accept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9Cookie: __utma=189524330.1461180792.1711637021.1711637021.1711637021.1; __utmb=189524330; __utmc=189524330; __utmz=189524330.1711637021.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __gads=ID=71dca79e3b4251c2:T=1711637024:RT=1711637024:S=ALNI_MasHMM4J832DNbOyynYJ6yVVF-jRw; __gpi=UID=00000dd68478c1fd:T=1711637024:RT=1711637024:S=ALNI_MZP2ZEZNgQgWIk_XrANdkh_ANZBrQ; __eoi=ID=ebad8bc9e5c66b97:T=1711637024:RT=1711637024:S=AA-AfjbOZO8Nujokvfaf62rirJNS
Source: global traffic HTTP traffic detected: GET /favicon.ico HTTP/1.1Host: photoscape.orgConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: */*Accept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9Cookie: __utma=189524330.1461180792.1711637021.1711637021.1711637021.1; __utmb=189524330; __utmc=189524330; __utmz=189524330.1711637021.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __gads=ID=71dca79e3b4251c2:T=1711637024:RT=1711637024:S=ALNI_MasHMM4J832DNbOyynYJ6yVVF-jRw; __gpi=UID=00000dd68478c1fd:T=1711637024:RT=1711637024:S=ALNI_MZP2ZEZNgQgWIk_XrANdkh_ANZBrQ; __eoi=ID=ebad8bc9e5c66b97:T=1711637024:RT=1711637024:S=AA-AfjbOZO8Nujokvfaf62rirJNS
Source: global traffic HTTP traffic detected: GET /favicon.ico HTTP/1.1Host: photoscape.orgConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: */*Accept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9Cookie: __utma=189524330.1461180792.1711637021.1711637021.1711637021.1; __utmb=189524330; __utmc=189524330; __utmz=189524330.1711637021.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __gads=ID=71dca79e3b4251c2:T=1711637024:RT=1711637024:S=ALNI_MasHMM4J832DNbOyynYJ6yVVF-jRw; __gpi=UID=00000dd68478c1fd:T=1711637024:RT=1711637024:S=ALNI_MZP2ZEZNgQgWIk_XrANdkh_ANZBrQ; __eoi=ID=ebad8bc9e5c66b97:T=1711637024:RT=1711637024:S=AA-AfjbOZO8Nujokvfaf62rirJNS
Source: global traffic HTTP traffic detected: GET /link/image.php?topic=intro&count=1 HTTP/1.1Cache-Control: no-cacheHost: www.photoscape.orgAccept: */*Connection: close
Source: global traffic HTTP traffic detected: GET /65535/53607995578_9f405c0807_m.jpg HTTP/1.1Cache-Control: no-cacheHost: live.staticflickr.comAccept: */*Connection: close
Source: global traffic HTTP traffic detected: GET /link/image.php?topic=intro&count=2 HTTP/1.1Cache-Control: no-cacheHost: www.photoscape.orgAccept: */*Connection: close
Source: global traffic HTTP traffic detected: GET /65535/53602413635_d86ce036a5_m.jpg HTTP/1.1Cache-Control: no-cacheHost: live.staticflickr.comAccept: */*Connection: close
Source: global traffic HTTP traffic detected: GET /link/image.php?topic=intro&count=3 HTTP/1.1Cache-Control: no-cacheHost: www.photoscape.orgAccept: */*Connection: close
Source: global traffic HTTP traffic detected: GET /65535/53602740402_76d58954cf_m.jpg HTTP/1.1Cache-Control: no-cacheHost: live.staticflickr.comAccept: */*Connection: close
Source: global traffic HTTP traffic detected: GET /link/image.php?topic=intro&count=4 HTTP/1.1Cache-Control: no-cacheHost: www.photoscape.orgAccept: */*Connection: close
Source: global traffic HTTP traffic detected: GET /65535/53603496684_ed1483466f_m.jpg HTTP/1.1Cache-Control: no-cacheHost: live.staticflickr.comAccept: */*Connection: close
Source: global traffic HTTP traffic detected: GET /link/image.php?topic=intro&count=5 HTTP/1.1Cache-Control: no-cacheHost: www.photoscape.orgAccept: */*Connection: close
Source: global traffic HTTP traffic detected: GET /65535/53609662956_22a41671c7_m.jpg HTTP/1.1Cache-Control: no-cacheHost: live.staticflickr.comAccept: */*Connection: close
Source: global traffic HTTP traffic detected: GET /link/image.php?topic=intro&count=6 HTTP/1.1Cache-Control: no-cacheHost: www.photoscape.orgAccept: */*Connection: close
Source: global traffic HTTP traffic detected: GET /65535/53612486510_25cd8bf366_m.jpg HTTP/1.1Cache-Control: no-cacheHost: live.staticflickr.comAccept: */*Connection: close
Source: global traffic HTTP traffic detected: GET /link/image.php?topic=intro&count=7 HTTP/1.1Cache-Control: no-cacheHost: www.photoscape.orgAccept: */*Connection: close
Source: global traffic HTTP traffic detected: GET /65535/53609662956_22a41671c7_m.jpg HTTP/1.1Cache-Control: no-cacheHost: live.staticflickr.comAccept: */*Connection: close
Source: global traffic HTTP traffic detected: GET /link/image.php?topic=intro&count=8 HTTP/1.1Cache-Control: no-cacheHost: www.photoscape.orgAccept: */*Connection: close
Source: global traffic HTTP traffic detected: GET /link/image.php?topic=intro&count=8 HTTP/1.1Cache-Control: no-cacheHost: www.photoscape.orgAccept: */*Connection: close
Source: global traffic HTTP traffic detected: GET /65535/53603496684_ed1483466f_m.jpg HTTP/1.1Cache-Control: no-cacheHost: live.staticflickr.comAccept: */*Connection: close
Source: unknown DNS traffic detected: queries for: tools.google.com
Source: unknown HTTP traffic detected: POST /threshold/xls.aspx HTTP/1.1Origin: https://www.bing.comReferer: https://www.bing.com/AS/API/WindowsCortanaPane/V2/InitAccept: */*Accept-Language: en-CHContent-type: text/xmlX-Agent-DeviceId: 01000A410900D492X-BM-CBT: 1696428841X-BM-DateFormat: dd/MM/yyyyX-BM-DeviceDimensions: 784x984X-BM-DeviceDimensionsLogical: 784x984X-BM-DeviceScale: 100X-BM-DTZ: 120X-BM-Market: CHX-BM-Theme: 000000;0078d7X-BM-WindowsFlights: FX:117B9872,FX:119E26AD,FX:11C0E96C,FX:11C6E5C2,FX:11C7EB6A,FX:11C9408A,FX:11C940DB,FX:11CB9A9F,FX:11CB9AC1,FX:11CC111C,FX:11D5BFCD,FX:11DF5B12,FX:11DF5B75,FX:1240931B,FX:124B38D0,FX:127FC878,FX:1283FFE8,FX:12840617,FX:128979F9,FX:128EBD7E,FX:129135BB,FX:129E053F,FX:12A74DB5,FX:12AB734D,FX:12B8450E,FX:12BD6E73,FX:12C3331B,FX:12C7D66EX-Device-ClientSession: DB0AFB19004F47BC80E5208C7478FF22X-Device-isOptin: falseX-Device-MachineId: {92C86F7C-DB2B-4F6A-95AD-98B4A2AE008A}X-Device-OSSKU: 48X-Device-Touch: falseX-DeviceID: 01000A410900D492X-MSEdge-ExternalExp: d-thshld39,d-thshld42,d-thshld77,d-thshld78,staticshX-MSEdge-ExternalExpType: JointCoordX-PositionerType: DesktopX-Search-AppId: Microsoft.Windows.Cortana_cw5n1h2txyewy!CortanaUIX-Search-CortanaAvailableCapabilities: NoneX-Search-SafeSearch: ModerateX-Search-TimeZone: Bias=-60; DaylightBias=-60; TimeZoneKeyName=W. Europe Standard TimeX-UserAgeClass: UnknownAccept-Encoding: gzip, deflate, brUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Cortana 1.14.7.19041; 10.0.0.0.19045.2006) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19045Host: www.bing.comContent-Length: 2484Connection: Keep-AliveCache-Control: no-cacheCookie: MUID=2F4E96DB8B7049E59AD4484C3C00F7CF; _SS=SID=1A6DEABB468B65843EB5F91B47916435&CPID=1711636967055&AC=1&CPH=d1a4eb75; _EDGE_S=SID=1A6DEABB468B65843EB5F91B47916435; SRCHUID=V=2&GUID=3D32B8AC657C4AD781A584E283227995&dmnchg=1; SRCHD=AF=NOFORM; SRCHUSR=DOB=20231004; SRCHHPGUSR=SRCHLANG=en&IPMH=986d886c&IPMID=1696428841029&HV=1696428756; CortanaAppUID=5A290E2CC4B523E2D8B5E2E3E4CB7CB7; MUIDB=2F4E96DB8B7049E59AD4484C3C00F7CF
Source: PhotoScapeSetup_V3-7.exe, 00000000.00000003.2117939007.0000000002902000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: ftp://http://HTTP/1.0
Source: GoogleUpdate.exe String found in binary or memory: http://clients2.google.com/cr/report
Source: GoogleUpdateSetup_latest.exe, 00000009.00000003.2092153553.00000000032E1000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdateSetup_latest.exe, 00000009.00000003.2091741940.0000000002AD9000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000000A.00000002.3265038387.000000006C979000.00000002.00000001.01000000.00000012.sdmp, GUT2393.tmp.9.dr, goopdate.dll.9.dr String found in binary or memory: http://clients2.google.com/cr/reportUpdate2ClientCustomDatalangcheckpoint
Source: GoogleUpdate.exe String found in binary or memory: http://clients5.google.com/tbproxy/usagestats
Source: GoogleUpdateSetup_latest.exe, 00000009.00000003.2092153553.00000000032E1000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdateSetup_latest.exe, 00000009.00000003.2091741940.0000000002AD9000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000000A.00000002.3265038387.000000006C979000.00000002.00000001.01000000.00000012.sdmp, GUT2393.tmp.9.dr, goopdate.dll.9.dr String found in binary or memory: http://clients5.google.com/tbproxy/usagestatshttp://www.google.com/support/installer/?http://tools.g
Source: GoogleUpdate.exe String found in binary or memory: http://cr-tools.clients.google.com/service/check2
Source: GoogleUpdateSetup_latest.exe, 00000009.00000003.2092153553.00000000032E1000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdateSetup_latest.exe, 00000009.00000003.2091741940.0000000002AD9000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000000A.00000002.3265038387.000000006C979000.00000002.00000001.01000000.00000012.sdmp, GUT2393.tmp.9.dr, goopdate.dll.9.dr String found in binary or memory: http://cr-tools.clients.google.com/service/check2GUR.tmpSOFTWARE
Source: Mooii_GDrive.exe, 00000008.00000002.3258794961.000000000041E000.00000004.00000001.01000000.0000000E.sdmp, GoogleUpdateSetup_latest.exe, 00000009.00000003.2091090955.0000000002B80000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdateSetup_latest.exe, 00000009.00000003.2092153553.000000000347E000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdateSetup_latest.exe, 00000009.00000003.2091741940.0000000002A8A000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdateSetup_latest.exe, 00000009.00000003.2092153553.00000000032E1000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdateSetup_latest.exe, 00000009.00000003.2092153553.0000000003412000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdateSetup_latest.exe, 00000009.00000003.2092153553.0000000003459000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdateSetup_latest.exe, 00000009.00000003.2091741940.0000000002CA3000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdateSetup_latest.exe, 00000009.00000003.2091741940.0000000002C7B000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdateSetup_latest.exe, 00000009.00000002.3259785509.0000000000E6E000.00000004.00000010.00020000.00000000.sdmp, GoogleUpdateSetup_latest.exe, 00000009.00000003.2091741940.0000000002AD9000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdateSetup_latest.exe, 00000009.00000003.2096866195.0000000000FBE000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdateSetup_latest.exe, 00000009.00000003.2092153553.0000000003298000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdateSetup_latest.exe, 00000009.00000003.2091741940.0000000002C31000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdateSetup_latest.exe, 00000009.00000003.2091741940.0000000002BA5000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdateSetup_latest.exe, 00000009.00000003.2091090955.0000000002A82000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000000A.00000002.3263112671.00000000024A0000.00000002.00000001.00040000.00000021.sdmp, goopdateres_ar.dll.9.dr, goopdateres_lv.dll.9.dr, goopdateres_ja.dll.9.dr, goopdateres_ca.dll.9.dr String found in binary or memory: http://crl.thawte.com/ThawtePremiumServerCA.crl0
Source: PhotoScapeSetup_V3-7.exe, 00000000.00000003.2114246136.0000000002900000.00000004.00000020.00020000.00000000.sdmp, PhotoScapeSetup_V3-7.exe, 00000000.00000003.2001695381.0000000002903000.00000004.00000020.00020000.00000000.sdmp, GoogleSetup.exe, 00000007.00000002.3258951237.000000000041E000.00000004.00000001.01000000.0000000B.sdmp, GTGCAPI.exe.0.dr, Mooii_Toolbar_Omaha.exe.7.dr, Mooii_Photoscape_Chrome_New.exe.7.dr String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: Mooii_GDrive.exe, 00000008.00000002.3258794961.000000000041E000.00000004.00000001.01000000.0000000E.sdmp, GoogleUpdateSetup_latest.exe, 00000009.00000003.2091090955.0000000002B80000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdateSetup_latest.exe, 00000009.00000003.2092153553.000000000347E000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdateSetup_latest.exe, 00000009.00000003.2091741940.0000000002A8A000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdateSetup_latest.exe, 00000009.00000003.2092153553.00000000032E1000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdateSetup_latest.exe, 00000009.00000003.2092153553.0000000003412000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdateSetup_latest.exe, 00000009.00000003.2092153553.0000000003459000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdateSetup_latest.exe, 00000009.00000003.2091741940.0000000002CA3000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdateSetup_latest.exe, 00000009.00000003.2091741940.0000000002C7B000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdateSetup_latest.exe, 00000009.00000002.3259785509.0000000000E6E000.00000004.00000010.00020000.00000000.sdmp, GoogleUpdateSetup_latest.exe, 00000009.00000003.2091741940.0000000002AD9000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdateSetup_latest.exe, 00000009.00000003.2096866195.0000000000FBE000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdateSetup_latest.exe, 00000009.00000003.2092153553.0000000003298000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdateSetup_latest.exe, 00000009.00000003.2091741940.0000000002C31000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdateSetup_latest.exe, 00000009.00000003.2091741940.0000000002BA5000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdateSetup_latest.exe, 00000009.00000003.2091090955.0000000002A82000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000000A.00000002.3263112671.00000000024A0000.00000002.00000001.00040000.00000021.sdmp, goopdateres_ar.dll.9.dr, goopdateres_lv.dll.9.dr, goopdateres_ja.dll.9.dr, goopdateres_ca.dll.9.dr String found in binary or memory: http://cs-g2-crl.thawte.com/ThawteCSG2.crl0
Source: PhotoScapeSetup_V3-7.exe, 00000000.00000003.2114246136.0000000002900000.00000004.00000020.00020000.00000000.sdmp, PhotoScape.exe, 00000010.00000000.2371400481.00000000007B6000.00000002.00000001.01000000.00000019.sdmp String found in binary or memory: http://dev.exiv2.org/projects/exiv2
Source: PhotoScapeSetup_V3-7.exe, 00000000.00000003.2114246136.0000000002900000.00000004.00000020.00020000.00000000.sdmp, PhotoScape.exe, 00000010.00000000.2373947094.0000000000942000.00000002.00000001.01000000.00000019.sdmp String found in binary or memory: http://flickr.com
Source: PhotoScapeSetup_V3-7.exe, 00000000.00000003.2114246136.0000000002900000.00000004.00000020.00020000.00000000.sdmp, PhotoScape.exe, 00000010.00000000.2371400481.00000000007B6000.00000002.00000001.01000000.00000019.sdmp String found in binary or memory: http://iptc.org/std/Iptc4xmpCore/1.0/xmlns/
Source: PhotoScapeSetup_V3-7.exe, 00000000.00000003.2114246136.0000000002900000.00000004.00000020.00020000.00000000.sdmp, PhotoScape.exe, 00000010.00000000.2371400481.00000000007B6000.00000002.00000001.01000000.00000019.sdmp String found in binary or memory: http://iptc.org/std/Iptc4xmpCore/1.0/xmlns/Iptc4xmpCoreIPTC
Source: PhotoScapeSetup_V3-7.exe, 00000000.00000003.2114246136.0000000002900000.00000004.00000020.00020000.00000000.sdmp, PhotoScape.exe, 00000010.00000000.2371400481.00000000007B6000.00000002.00000001.01000000.00000019.sdmp String found in binary or memory: http://iptc.org/std/Iptc4xmpCore/1.0/xmlns/iptcCiAdrCityContact
Source: PhotoScape.exe, 00000010.00000000.2371400481.00000000007B6000.00000002.00000001.01000000.00000019.sdmp String found in binary or memory: http://iptc.org/std/Iptc4xmpExt/2008-02-29/
Source: PhotoScapeSetup_V3-7.exe, 00000000.00000003.2114246136.0000000002900000.00000004.00000020.00020000.00000000.sdmp, PhotoScape.exe, 00000010.00000000.2371400481.00000000007B6000.00000002.00000001.01000000.00000019.sdmp String found in binary or memory: http://iptc.org/std/Iptc4xmpExt/2008-02-29/iptcExtAddlModelInfoAdditional
Source: PhotoScapeSetup_V3-7.exe, 00000000.00000003.2114246136.0000000002900000.00000004.00000020.00020000.00000000.sdmp, PhotoScape.exe, 00000010.00000000.2373947094.0000000000942000.00000002.00000001.01000000.00000019.sdmp String found in binary or memory: http://krug.nnm.ru/
Source: PhotoScapeSetup_V3-7.exe, 00000000.00000003.2114246136.0000000002900000.00000004.00000020.00020000.00000000.sdmp, PhotoScape.exe, 00000010.00000000.2371400481.00000000007B6000.00000002.00000001.01000000.00000019.sdmp String found in binary or memory: http://ns.iview-multimedia.com/mediapro/1.0/
Source: PhotoScapeSetup_V3-7.exe, 00000000.00000003.2114246136.0000000002900000.00000004.00000020.00020000.00000000.sdmp, PhotoScape.exe, 00000010.00000000.2371400481.00000000007B6000.00000002.00000001.01000000.00000019.sdmp String found in binary or memory: http://ns.iview-multimedia.com/mediapro/1.0/mediaproEventEventTextFixture
Source: PhotoScapeSetup_V3-7.exe, 00000000.00000003.2114246136.0000000002900000.00000004.00000020.00020000.00000000.sdmp, PhotoScape.exe, 00000010.00000000.2371400481.00000000007B6000.00000002.00000001.01000000.00000019.sdmp String found in binary or memory: http://ns.useplus.org/ldf/xmp/1.0/
Source: PhotoScapeSetup_V3-7.exe, Mooii_Toolbar_Omaha.exe.7.dr, Mooii_Photoscape_Chrome_New.exe.7.dr String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: PhotoScapeSetup_V3-7.exe, 00000000.00000003.2114246136.0000000002900000.00000004.00000020.00020000.00000000.sdmp, PhotoScapeSetup_V3-7.exe, 00000000.00000003.2001695381.0000000002903000.00000004.00000020.00020000.00000000.sdmp, GoogleSetup.exe, 00000007.00000002.3258951237.000000000041E000.00000004.00000001.01000000.0000000B.sdmp, Mooii_GDrive.exe, 00000008.00000002.3258794961.000000000041E000.00000004.00000001.01000000.0000000E.sdmp, GoogleUpdateSetup_latest.exe, 00000009.00000003.2091090955.0000000002B80000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdateSetup_latest.exe, 00000009.00000003.2092153553.000000000347E000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdateSetup_latest.exe, 00000009.00000003.2091741940.0000000002A8A000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdateSetup_latest.exe, 00000009.00000003.2092153553.00000000032E1000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdateSetup_latest.exe, 00000009.00000003.2092153553.0000000003412000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdateSetup_latest.exe, 00000009.00000003.2092153553.0000000003459000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdateSetup_latest.exe, 00000009.00000003.2091741940.0000000002CA3000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdateSetup_latest.exe, 00000009.00000003.2091741940.0000000002C7B000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdateSetup_latest.exe, 00000009.00000002.3259785509.0000000000E6E000.00000004.00000010.00020000.00000000.sdmp, GoogleUpdateSetup_latest.exe, 00000009.00000003.2091741940.0000000002AD9000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdateSetup_latest.exe, 00000009.00000003.2096866195.0000000000FBE000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdateSetup_latest.exe, 00000009.00000003.2092153553.0000000003298000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdateSetup_latest.exe, 00000009.00000003.2091741940.0000000002C31000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdateSetup_latest.exe, 00000009.00000003.2091741940.0000000002BA5000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdateSetup_latest.exe, 00000009.00000003.2091090955.0000000002A82000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000000A.00000002.3263112671.00000000024A0000.00000002.00000001.00040000.00000021.sdmp, goopdateres_ar.dll.9.dr String found in binary or memory: http://ocsp.thawte.com0
Source: PhotoScape.exe, 00000010.00000000.2373947094.0000000000942000.00000002.00000001.01000000.00000019.sdmp String found in binary or memory: http://photoscape.co.kr/
Source: PhotoScape.exe, 00000010.00000000.2373947094.0000000000942000.00000002.00000001.01000000.00000019.sdmp String found in binary or memory: http://photoscape.org
Source: PhotoScape.exe, 00000010.00000000.2373947094.0000000000942000.00000002.00000001.01000000.00000019.sdmp String found in binary or memory: http://photoscape.org/
Source: PhotoScapeSetup_V3-7.exe, 00000000.00000002.2384645841.0000000003294000.00000004.00000020.00020000.00000000.sdmp, PhotoScapeSetup_V3-7.exe, 00000000.00000002.2382443301.0000000000872000.00000004.00000020.00020000.00000000.sdmp, PhotoScapeSetup_V3-7.exe, 00000000.00000002.2384645841.00000000032A0000.00000004.00000020.00020000.00000000.sdmp, PhotoScapeSetup_V3-7.exe, 00000000.00000002.2382443301.000000000084E000.00000004.00000020.00020000.00000000.sdmp, PhotoScapeSetup_V3-7.exe, 00000000.00000002.2382443301.00000000007E9000.00000004.00000020.00020000.00000000.sdmp, PhotoScapeSetup_V3-7.exe, 00000000.00000003.2001063011.0000000002912000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://photoscape.org/link/link.php?version=installer&topic=afterinstall&v=3.7
Source: PhotoScapeSetup_V3-7.exe, 00000000.00000002.2382443301.0000000000872000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://photoscape.org/link/link.php?version=installer&topic=afterinstall&v=3.7#
Source: PhotoScapeSetup_V3-7.exe, 00000000.00000002.2384645841.00000000032A0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://photoscape.org/link/link.php?version=installer&topic=afterinstall&v=3.728
Source: PhotoScapeSetup_V3-7.exe, 00000000.00000002.2384645841.00000000032A0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://photoscape.org/link/link.php?version=installer&topic=afterinstall&v=3.79EA
Source: PhotoScapeSetup_V3-7.exe, 00000000.00000003.2359262559.0000000000614000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://photoscape.org/link/link.php?version=installer&topic=afterinstall&v=3.7C:
Source: PhotoScapeSetup_V3-7.exe, 00000000.00000002.2384645841.0000000003294000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://photoscape.org/link/link.php?version=installer&topic=afterinstall&v=3.7iiEQ
Source: PhotoScapeSetup_V3-7.exe, 00000000.00000002.2382443301.00000000007E9000.00000004.00000020.00020000.00000000.sdmp, PhotoScapeSetup_V3-7.exe, 00000000.00000003.2001063011.0000000002912000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://photoscape.org/link/link.php?version=installer&topic=afterinstall&v=3.7open
Source: GoogleSetup.exe, 00000007.00000002.3261601203.00000000007D5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://photoscape.org/link/link.php?version=installer&topic=aftertoolbarinstall&v=
Source: splwow64.exe, 00000011.00000003.2400726497.0000000002DE3000.00000004.00000020.00020000.00000000.sdmp, splwow64.exe, 00000011.00000003.2399643352.0000000002DE3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://schemas.micro
Source: GoogleUpdate.exe, 0000000A.00000002.3259752137.0000000000AEB000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000000A.00000003.2858711548.0000000000B75000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://tools.google.com/
Source: GoogleUpdate.exe, 0000000A.00000003.2859119227.0000000000B75000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000000A.00000003.2858711548.0000000000B75000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://tools.google.com/)
Source: GoogleUpdate.exe, 0000000A.00000003.2859119227.0000000000B75000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000000A.00000003.2858711548.0000000000B75000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://tools.google.com/P4
Source: GoogleUpdate.exe, 0000000A.00000003.2858711548.0000000000B75000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://tools.google.com/Q
Source: GoogleUpdate.exe, 0000000A.00000003.2687289873.0000000000B6A000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000000A.00000003.2858711548.0000000000B7C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://tools.google.com/service/update2
Source: GoogleUpdate.exe, 0000000A.00000002.3259752137.0000000000B28000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://tools.google.com/service/update2C
Source: GoogleUpdate.exe, 0000000A.00000003.2686893031.0000000000B6A000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000000A.00000003.2687986984.0000000000B6A000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000000A.00000003.2688365803.0000000000B5A000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000000A.00000003.2858711548.0000000000B6A000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000000A.00000003.2859119227.0000000000B6A000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000000A.00000003.2686491410.0000000000B6A000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000000A.00000003.2687289873.0000000000B6A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://tools.google.com/service/update2H
Source: GoogleUpdate.exe, 0000000A.00000003.2688365803.0000000000B5A000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000000A.00000003.2858711548.0000000000B6A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://tools.google.com/service/update2S-
Source: PhotoScapeSetup_V3-7.exe, 00000000.00000003.2114246136.0000000002900000.00000004.00000020.00020000.00000000.sdmp, PhotoScapeSetup_V3-7.exe, 00000000.00000003.2001695381.0000000002903000.00000004.00000020.00020000.00000000.sdmp, GoogleSetup.exe, 00000007.00000002.3258951237.000000000041E000.00000004.00000001.01000000.0000000B.sdmp, GTGCAPI.exe.0.dr, Mooii_Toolbar_Omaha.exe.7.dr, Mooii_Photoscape_Chrome_New.exe.7.dr String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: PhotoScapeSetup_V3-7.exe, 00000000.00000003.2114246136.0000000002900000.00000004.00000020.00020000.00000000.sdmp, PhotoScapeSetup_V3-7.exe, 00000000.00000003.2001695381.0000000002903000.00000004.00000020.00020000.00000000.sdmp, GoogleSetup.exe, 00000007.00000002.3258951237.000000000041E000.00000004.00000001.01000000.0000000B.sdmp, GTGCAPI.exe.0.dr, Mooii_Toolbar_Omaha.exe.7.dr, Mooii_Photoscape_Chrome_New.exe.7.dr String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: PhotoScapeSetup_V3-7.exe, 00000000.00000003.2114246136.0000000002900000.00000004.00000020.00020000.00000000.sdmp, PhotoScapeSetup_V3-7.exe, 00000000.00000003.2001695381.0000000002903000.00000004.00000020.00020000.00000000.sdmp, GoogleSetup.exe, 00000007.00000002.3258951237.000000000041E000.00000004.00000001.01000000.0000000B.sdmp, GTGCAPI.exe.0.dr, Mooii_Toolbar_Omaha.exe.7.dr, Mooii_Photoscape_Chrome_New.exe.7.dr String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: PhotoScapeSetup_V3-7.exe, 00000000.00000003.2114246136.0000000002900000.00000004.00000020.00020000.00000000.sdmp, PhotoScape.exe, 00000010.00000000.2371400481.00000000007B6000.00000002.00000001.01000000.00000019.sdmp String found in binary or memory: http://update.photoscape.org/
Source: GoogleSetup.exe, 00000007.00000003.2082288790.000000000289F000.00000004.00000020.00020000.00000000.sdmp, GoogleSetup.exe, 00000007.00000002.3261601203.00000000007D5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://update.photoscape.org/install.php?v=
Source: PhotoScapeSetup_V3-7.exe, 00000000.00000002.2382443301.00000000007E9000.00000004.00000020.00020000.00000000.sdmp, PhotoScapeSetup_V3-7.exe, 00000000.00000003.2001063011.0000000002912000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://update.photoscape.org/install.php?v=3.7&offer=
Source: PhotoScapeSetup_V3-7.exe, 00000000.00000003.2114246136.0000000002900000.00000004.00000020.00020000.00000000.sdmp, PhotoScape.exe, 00000010.00000000.2371400481.00000000007B6000.00000002.00000001.01000000.00000019.sdmp String found in binary or memory: http://update.photoscape.org/update.php?app=photoscape&version=&link/image.php?topic=intro&count=%dl
Source: PhotoScapeSetup_V3-7.exe, 00000000.00000003.2114246136.0000000002900000.00000004.00000020.00020000.00000000.sdmp, PhotoScape.exe, 00000010.00000000.2371400481.00000000007B6000.00000002.00000001.01000000.00000019.sdmp String found in binary or memory: http://www.aiim.org/pdfa/ns/extension/
Source: PhotoScapeSetup_V3-7.exe, 00000000.00000003.2114246136.0000000002900000.00000004.00000020.00020000.00000000.sdmp, PhotoScape.exe, 00000010.00000000.2371400481.00000000007B6000.00000002.00000001.01000000.00000019.sdmp String found in binary or memory: http://www.aiim.org/pdfa/ns/field#
Source: PhotoScapeSetup_V3-7.exe, 00000000.00000003.2114246136.0000000002900000.00000004.00000020.00020000.00000000.sdmp, PhotoScape.exe, 00000010.00000000.2371400481.00000000007B6000.00000002.00000001.01000000.00000019.sdmp String found in binary or memory: http://www.aiim.org/pdfa/ns/id/
Source: PhotoScapeSetup_V3-7.exe, 00000000.00000003.2114246136.0000000002900000.00000004.00000020.00020000.00000000.sdmp, PhotoScape.exe, 00000010.00000000.2371400481.00000000007B6000.00000002.00000001.01000000.00000019.sdmp String found in binary or memory: http://www.aiim.org/pdfa/ns/property#
Source: PhotoScapeSetup_V3-7.exe, 00000000.00000003.2114246136.0000000002900000.00000004.00000020.00020000.00000000.sdmp, PhotoScape.exe, 00000010.00000000.2371400481.00000000007B6000.00000002.00000001.01000000.00000019.sdmp String found in binary or memory: http://www.aiim.org/pdfa/ns/schema#
Source: PhotoScapeSetup_V3-7.exe, 00000000.00000003.2114246136.0000000002900000.00000004.00000020.00020000.00000000.sdmp, PhotoScape.exe, 00000010.00000000.2371400481.00000000007B6000.00000002.00000001.01000000.00000019.sdmp String found in binary or memory: http://www.aiim.org/pdfa/ns/type#
Source: PhotoScapeSetup_V3-7.exe, 00000000.00000003.2114246136.0000000002900000.00000004.00000020.00020000.00000000.sdmp, PhotoScape.exe, 00000010.00000000.2371400481.00000000007B6000.00000002.00000001.01000000.00000019.sdmp String found in binary or memory: http://www.digikam.org/ns/1.0/
Source: PhotoScapeSetup_V3-7.exe, 00000000.00000003.2114246136.0000000002900000.00000004.00000020.00020000.00000000.sdmp, PhotoScape.exe, 00000010.00000000.2371400481.00000000007B6000.00000002.00000001.01000000.00000019.sdmp String found in binary or memory: http://www.digikam.org/ns/1.0/digiKamTagsListTags
Source: PhotoScapeSetup_V3-7.exe, 00000000.00000003.2114246136.0000000002900000.00000004.00000020.00020000.00000000.sdmp, PhotoScape.exe, 00000010.00000000.2371400481.00000000007B6000.00000002.00000001.01000000.00000019.sdmp String found in binary or memory: http://www.digikam.org/ns/1.0/kipihttp://www.digikam.org/ns/kipi/1.0/MicrosoftPhotohttp://ns.microso
Source: PhotoScapeSetup_V3-7.exe, 00000000.00000003.2114246136.0000000002900000.00000004.00000020.00020000.00000000.sdmp, PhotoScape.exe, 00000010.00000000.2371400481.00000000007B6000.00000002.00000001.01000000.00000019.sdmp String found in binary or memory: http://www.digikam.org/ns/kipi/1.0/
Source: PhotoScapeSetup_V3-7.exe, 00000000.00000003.2114246136.0000000002900000.00000004.00000020.00020000.00000000.sdmp, PhotoScape.exe, 00000010.00000000.2371400481.00000000007B6000.00000002.00000001.01000000.00000019.sdmp String found in binary or memory: http://www.digikam.org/ns/kipi/1.0/kipiEnfuseInputFilesEnfuse
Source: PhotoScapeSetup_V3-7.exe, 00000000.00000003.2114246136.0000000002900000.00000004.00000020.00020000.00000000.sdmp, PhotoScape.exe, 00000010.00000000.2371400481.00000000007B6000.00000002.00000001.01000000.00000019.sdmp String found in binary or memory: http://www.exiv2.org/
Source: PhotoScapeSetup_V3-7.exe, 00000000.00000003.2114246136.0000000002900000.00000004.00000020.00020000.00000000.sdmp, PhotoScape.exe, 00000010.00000000.2371400481.00000000007B6000.00000002.00000001.01000000.00000019.sdmp String found in binary or memory: http://www.exiv2.org/%%EndComments%%EndComments%%Page:%%Page:
Source: PhotoScapeSetup_V3-7.exe, 00000000.00000003.2114246136.0000000002900000.00000004.00000020.00020000.00000000.sdmp, PhotoScape.exe, 00000010.00000000.2371400481.00000000007B6000.00000002.00000001.01000000.00000019.sdmp String found in binary or memory: http://www.exiv2.org/%%LanguageLevel:
Source: Mooii_Toolbar_Omaha.exe.7.dr String found in binary or memory: http://www.google.com
Source: PhotoScapeSetup_V3-7.exe, 00000000.00000002.2382443301.00000000007E9000.00000004.00000020.00020000.00000000.sdmp, PhotoScapeSetup_V3-7.exe, 00000000.00000003.2001063011.0000000002912000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.google.com/accounts/tos?hl=kohttp://www.google.com/accounts/tos?hl=jahttp://www.google.co
Source: GoogleUpdate.exe String found in binary or memory: http://www.google.com/intl/en_ALL/images/logo.gif
Source: GoogleUpdate.exe String found in binary or memory: http://www.google.com/robots.txt
Source: GoogleUpdateSetup_latest.exe, 00000009.00000003.2092153553.00000000032E1000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdateSetup_latest.exe, 00000009.00000003.2091741940.0000000002AD9000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000000A.00000002.3265038387.000000006C979000.00000002.00000001.01000000.00000012.sdmp, GUT2393.tmp.9.dr, goopdate.dll.9.dr String found in binary or memory: http://www.google.com/robots.txthttps://www.google.com/robots.txthttp://www.google.com/intl/en_ALL/i
Source: GoogleUpdate.exe String found in binary or memory: http://www.google.com/support/installer/?
Source: GoogleUpdateSetup_latest.exe, 00000009.00000003.2091090955.0000000002B80000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdateSetup_latest.exe, 00000009.00000003.2091741940.0000000002BA5000.00000004.00000020.00020000.00000000.sdmp, GUT2393.tmp.9.dr String found in binary or memory: http://www.google.com/support/installer/?http://tools.google.com/service/update2NetConfigautoUseTest
Source: Mooii_GDrive.exe, 00000008.00000002.3259423656.0000000000525000.00000002.00000001.01000000.0000000E.sdmp String found in binary or memory: http://www.google.comV
Source: PhotoScapeSetup_V3-7.exe, 00000000.00000003.2114246136.0000000002900000.00000004.00000020.00020000.00000000.sdmp, PhotoScape.exe, 00000010.00000000.2371400481.00000000007B6000.00000002.00000001.01000000.00000019.sdmp String found in binary or memory: http://www.ijg.org
Source: PhotoScapeSetup_V3-7.exe, 00000000.00000003.2114246136.0000000002900000.00000004.00000020.00020000.00000000.sdmp, PhotoScape.exe, 00000010.00000000.2371400481.00000000007B6000.00000002.00000001.01000000.00000019.sdmp String found in binary or memory: http://www.metadataworkinggroup.com/schemas/regions/
Source: PhotoScapeSetup_V3-7.exe, 00000000.00000003.2114246136.0000000002900000.00000004.00000020.00020000.00000000.sdmp, PhotoScape.exe, 00000010.00000000.2371400481.00000000007B6000.00000002.00000001.01000000.00000019.sdmp String found in binary or memory: http://www.metadataworkinggroup.com/schemas/regions/mwg-rsRegionsRegionsRegionInfoMain
Source: PhotoScapeSetup_V3-7.exe, 00000000.00000003.2114246136.0000000002900000.00000004.00000020.00020000.00000000.sdmp, PhotoScape.exe, 00000010.00000000.2371400481.00000000007B6000.00000002.00000001.01000000.00000019.sdmp String found in binary or memory: http://www.npes.org/pdfx/ns/id/
Source: PhotoScapeSetup_V3-7.exe, 00000000.00000003.2114246136.0000000002900000.00000004.00000020.00020000.00000000.sdmp, PhotoScapeSetup_V3-7.exe, 00000000.00000003.2001695381.0000000002903000.00000004.00000020.00020000.00000000.sdmp, GTGCAPI.exe.0.dr String found in binary or memory: http://www.photoscape.org
Source: PhotoScapeSetup_V3-7.exe, 00000000.00000003.2114246136.0000000002900000.00000004.00000020.00020000.00000000.sdmp, PhotoScapeSetup_V3-7.exe, 00000000.00000003.2006108181.0000000002901000.00000004.00000020.00020000.00000000.sdmp, PhotoScapeSetup_V3-7.exe, 00000000.00000003.2005405370.0000000002900000.00000004.00000020.00020000.00000000.sdmp, PhotoScape.exe, 00000010.00000000.2371400481.00000000007B6000.00000002.00000001.01000000.00000019.sdmp, license_k.htm.0.dr String found in binary or memory: http://www.photoscape.org/
Source: PhotoScapeSetup_V3-7.exe, 00000000.00000003.2114246136.0000000002900000.00000004.00000020.00020000.00000000.sdmp, PhotoScape.exe, 00000010.00000000.2371400481.00000000007B6000.00000002.00000001.01000000.00000019.sdmp String found in binary or memory: http://www.photoscape.org/Copyright
Source: chromecache_1754.15.dr String found in binary or memory: https://pagead2.googlesyndication.com/pagead/gen_204?id=fccs&
Source: GoogleUpdate.exe, 0000000A.00000003.2687986984.0000000000B75000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000000A.00000003.2686893031.0000000000B75000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000000A.00000002.3259752137.0000000000B75000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000000A.00000003.2859119227.0000000000B75000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000000A.00000003.2686491410.0000000000B75000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000000A.00000003.2688365803.0000000000B75000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000000A.00000003.2858711548.0000000000B75000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000000A.00000003.2687289873.0000000000B75000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://tools.google.com/
Source: GoogleUpdate.exe, 0000000A.00000002.3259752137.0000000000B75000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://tools.google.com/I
Source: GoogleUpdate.exe, 0000000A.00000002.3259752137.0000000000B75000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://tools.google.com/Y
Source: GoogleUpdate.exe, 0000000A.00000002.3259752137.0000000000B75000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://tools.google.com/i
Source: GoogleUpdate.exe, 0000000A.00000002.3259752137.0000000000B6A000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000000A.00000003.2687986984.0000000000B6A000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000000A.00000003.2688365803.0000000000B5A000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000000A.00000003.2858711548.0000000000B6A000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000000A.00000002.3259752137.0000000000B28000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000000A.00000003.2859119227.0000000000B6A000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000000A.00000003.2686491410.0000000000B6A000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000000A.00000003.2687289873.0000000000B6A000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000000A.00000002.3259752137.0000000000B7C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://tools.google.com/service/update2
Source: GoogleUpdate.exe, 0000000A.00000002.3259752137.0000000000B50000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://tools.google.com/service/update26756634-1003
Source: GoogleUpdate.exe, 0000000A.00000002.3259752137.0000000000B28000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://tools.google.com/service/update27J
Source: GoogleUpdate.exe, 0000000A.00000002.3259752137.0000000000B6A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://tools.google.com/service/update2iW
Source: GoogleUpdate.exe, 0000000A.00000002.3259752137.0000000000B7C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://tools.google.com/service/update2ni
Source: GoogleUpdate.exe, 0000000A.00000002.3259752137.0000000000B7C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://tools.google.com/service/update2nig
Source: GoogleUpdate.exe, 0000000A.00000003.2686893031.0000000000B6A000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000000A.00000003.2687986984.0000000000B6A000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000000A.00000003.2688365803.0000000000B5A000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000000A.00000003.2858711548.0000000000B6A000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000000A.00000003.2859119227.0000000000B6A000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000000A.00000003.2686491410.0000000000B6A000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000000A.00000003.2687289873.0000000000B6A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://tools.google.com/service/update2o
Source: GoogleUpdate.exe, 0000000A.00000002.3259752137.0000000000B75000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://tools.google.com/y
Source: GoogleUpdate.exe, 0000000A.00000002.3259752137.0000000000B28000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://tools.google.com:443/service/update2
Source: GoogleUpdate.exe String found in binary or memory: https://www.google.com/robots.txt
Source: unknown HTTPS traffic detected: 23.221.242.90:443 -> 192.168.2.5:49745 version: TLS 1.2
Source: unknown HTTPS traffic detected: 23.221.242.90:443 -> 192.168.2.5:49766 version: TLS 1.2
Source: C:\Users\user\Desktop\PhotoScapeSetup_V3-7.exe Code function: 0_2_00404B88 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard, 0_2_00404B88
Source: C:\Program Files (x86)\GUM2392.tmp\GoogleUpdate.exe Code function: 10_2_6C8EFE67 lstrlenW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,GlobalFree,CloseClipboard, 10_2_6C8EFE67
Source: PhotoScapeSetup_V3-7.exe, 00000000.00000003.2116640502.0000000002901000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: DirectDrawCreateEx memstr_3c14bb71-5

Spam, unwanted Advertisements and Ransom Demands

Source: C:\Users\user\Desktop\PhotoScapeSetup_V3-7.exe File created: C:\Users\user\AppData\Local\Temp\GoogleSetup.exe entropy: 7.99754699332
Source: C:\Users\user\Desktop\PhotoScapeSetup_V3-7.exe File created: C:\Program Files (x86)\PhotoScape\icon\cartoon\headband002.png entropy: 7.99242178904
Source: C:\Users\user\Desktop\PhotoScapeSetup_V3-7.exe File created: C:\Program Files (x86)\PhotoScape\icon\christmas\christmas_logo_006.png entropy: 7.99253024764
Source: C:\Users\user\Desktop\PhotoScapeSetup_V3-7.exe File created: C:\Program Files (x86)\PhotoScape\balloon\cali_01.png entropy: 7.99129817168
Source: C:\Users\user\Desktop\PhotoScapeSetup_V3-7.exe File created: C:\Program Files (x86)\PhotoScape\frame\pattern16.png entropy: 7.99622911328
Source: C:\Users\user\Desktop\PhotoScapeSetup_V3-7.exe File created: C:\Program Files (x86)\PhotoScape\icon\travel\t_006.png entropy: 7.99496152479
Source: C:\Users\user\Desktop\PhotoScapeSetup_V3-7.exe File created: C:\Program Files (x86)\PhotoScape\icon\travel\t_005.png entropy: 7.99183712386
Source: C:\Users\user\Desktop\PhotoScapeSetup_V3-7.exe File created: C:\Program Files (x86)\PhotoScape\icon\travel\t_003.png entropy: 7.99121031659
Source: C:\Users\user\Desktop\PhotoScapeSetup_V3-7.exe File created: C:\Program Files (x86)\PhotoScape\icon\travel\t_002.png entropy: 7.99149344577
Source: C:\Users\user\Desktop\PhotoScapeSetup_V3-7.exe File created: C:\Program Files (x86)\PhotoScape\icon\travel\t_019.png entropy: 7.99040807009
Source: C:\Users\user\Desktop\PhotoScapeSetup_V3-7.exe File created: C:\Program Files (x86)\PhotoScape\icon\travel\t_016.png entropy: 7.99017455401
Source: C:\Users\user\Desktop\PhotoScapeSetup_V3-7.exe File created: C:\Program Files (x86)\PhotoScape\icon\travel\t_013.png entropy: 7.99141800131
Source: C:\Users\user\Desktop\PhotoScapeSetup_V3-7.exe File created: C:\Program Files (x86)\PhotoScape\icon\travel\t_011.png entropy: 7.99112751782
Source: C:\Users\user\Desktop\PhotoScapeSetup_V3-7.exe File created: C:\Program Files (x86)\PhotoScape\icon\travel\t_010.png entropy: 7.991285243
Source: C:\Users\user\Desktop\PhotoScapeSetup_V3-7.exe File created: C:\Program Files (x86)\PhotoScape\icon\travel\t_030.png entropy: 7.9924672935
Source: C:\Users\user\Desktop\PhotoScapeSetup_V3-7.exe File created: C:\Program Files (x86)\PhotoScape\icon\travel\t_029.png entropy: 7.99225280988
Source: C:\Users\user\Desktop\PhotoScapeSetup_V3-7.exe File created: C:\Program Files (x86)\PhotoScape\icon\travel\t_028.png entropy: 7.99228733312
Source: C:\Users\user\Desktop\PhotoScapeSetup_V3-7.exe File created: C:\Program Files (x86)\PhotoScape\icon\travel\t_026.png entropy: 7.9950252294
Source: C:\Users\user\Desktop\PhotoScapeSetup_V3-7.exe File created: C:\Program Files (x86)\PhotoScape\icon\travel\t_025.png entropy: 7.99109344273
Source: C:\Users\user\Desktop\PhotoScapeSetup_V3-7.exe File created: C:\Program Files (x86)\PhotoScape\icon\travel\t_024.png entropy: 7.99351717316
Source: C:\Users\user\Desktop\PhotoScapeSetup_V3-7.exe File created: C:\Program Files (x86)\PhotoScape\icon\travel\t_023.png entropy: 7.99186711009
Source: C:\Users\user\Desktop\PhotoScapeSetup_V3-7.exe File created: C:\Program Files (x86)\PhotoScape\icon\travel\t_033.png entropy: 7.99102084616
Source: C:\Users\user\Desktop\PhotoScapeSetup_V3-7.exe File created: C:\Program Files (x86)\PhotoScape\icon\travel\t_032.png entropy: 7.99093110397
Source: C:\Users\user\Desktop\PhotoScapeSetup_V3-7.exe File created: C:\Program Files (x86)\PhotoScape\icon\travel\t_045.png entropy: 7.99056093715
Source: C:\Users\user\Desktop\PhotoScapeSetup_V3-7.exe File created: C:\Program Files (x86)\PhotoScape\icon\travel\t_044.png entropy: 7.99244316697
Source: C:\Users\user\Desktop\PhotoScapeSetup_V3-7.exe File created: C:\Program Files (x86)\PhotoScape\icon\travel\t_043.png entropy: 7.99101357552
Source: C:\Users\user\Desktop\PhotoScapeSetup_V3-7.exe File created: C:\Program Files (x86)\PhotoScape\icon\travel\t_050.png entropy: 7.99352255967
Source: C:\Users\user\Desktop\PhotoScapeSetup_V3-7.exe File created: C:\Program Files (x86)\PhotoScape\icon\travel\t_049.png entropy: 7.99481027175
Source: C:\Users\user\Desktop\PhotoScapeSetup_V3-7.exe File created: C:\Program Files (x86)\PhotoScape\icon\travel\t_056.png entropy: 7.99269074664
Source: C:\Users\user\Desktop\PhotoScapeSetup_V3-7.exe File created: C:\Program Files (x86)\PhotoScape\icon\travel\t_051.png entropy: 7.99294667376
Source: C:\Users\user\Desktop\PhotoScapeSetup_V3-7.exe File created: C:\Program Files (x86)\PhotoScape\icon\etc\glove02.png entropy: 7.9904242673
Source: C:\Users\user\Desktop\PhotoScapeSetup_V3-7.exe File created: C:\Program Files (x86)\PhotoScape\icon\travel\t_059.png entropy: 7.99227688145 Jump to dropped file
Source: C:\Users\user\Desktop\PhotoScapeSetup_V3-7.exe File created: C:\Program Files (x86)\PhotoScape\icon\travel\t_058.png entropy: 7.99435805396 Jump to dropped file
Source: C:\Users\user\Desktop\PhotoScapeSetup_V3-7.exe File created: C:\Program Files (x86)\PhotoScape\icon\travel\t_057.png entropy: 7.99372142375 Jump to dropped file
Source: C:\Users\user\Desktop\PhotoScapeSetup_V3-7.exe File created: C:\Program Files (x86)\PhotoScape\icon\makeup\hair07.png entropy: 7.99307490323 Jump to dropped file
Source: C:\Users\user\Desktop\PhotoScapeSetup_V3-7.exe File created: C:\Program Files (x86)\PhotoScape\icon\makeup\hair06.png entropy: 7.99179863316 Jump to dropped file
Source: C:\Users\user\Desktop\PhotoScapeSetup_V3-7.exe File created: C:\Program Files (x86)\PhotoScape\icon\makeup\hair05.png entropy: 7.99362999296 Jump to dropped file
Source: C:\Users\user\Desktop\PhotoScapeSetup_V3-7.exe File created: C:\Program Files (x86)\PhotoScape\icon\makeup\hair04.png entropy: 7.99237674694 Jump to dropped file
Source: C:\Users\user\Desktop\PhotoScapeSetup_V3-7.exe File created: C:\Program Files (x86)\PhotoScape\icon\makeup\hair03.png entropy: 7.99312959209 Jump to dropped file
Source: C:\Users\user\Desktop\PhotoScapeSetup_V3-7.exe File created: C:\Program Files (x86)\PhotoScape\icon\makeup\hear01.png entropy: 7.99377701795 Jump to dropped file
Source: C:\Users\user\Desktop\PhotoScapeSetup_V3-7.exe File created: C:\Program Files (x86)\PhotoScape\icon\realpicture\flower005.png entropy: 7.99275001627 Jump to dropped file
Source: C:\Users\user\Desktop\PhotoScapeSetup_V3-7.exe File created: C:\Program Files (x86)\PhotoScape\icon\realpicture\flower004.png entropy: 7.99321434423 Jump to dropped file
Source: C:\Users\user\Desktop\PhotoScapeSetup_V3-7.exe File created: C:\Program Files (x86)\PhotoScape\icon\realpicture\flower003.png entropy: 7.99072089261 Jump to dropped file
Source: C:\Users\user\Desktop\PhotoScapeSetup_V3-7.exe File created: C:\Program Files (x86)\PhotoScape\icon\realpicture\flower002.png entropy: 7.99100011408 Jump to dropped file
Source: C:\Users\user\Desktop\PhotoScapeSetup_V3-7.exe File created: C:\Program Files (x86)\PhotoScape\icon\realpicture\flower001.png entropy: 7.99133040665 Jump to dropped file
Source: C:\Users\user\Desktop\PhotoScapeSetup_V3-7.exe File created: C:\Program Files (x86)\PhotoScape\icon\realpicture\flower006.png entropy: 7.9923558352 Jump to dropped file
Source: C:\Program Files (x86)\GUM2392.tmp\GoogleUpdate.exe Code function: 10_2_6C9325DA: __snprintf_s,CreateFileW,DeviceIoControl,CloseHandle,CloseHandle, 10_2_6C9325DA
Source: C:\Program Files (x86)\GUM2392.tmp\GoogleUpdate.exe Code function: 10_2_6C8F6113 OpenSCManagerW,OpenServiceW,CloseServiceHandle,CloseServiceHandle,DeleteService,CloseServiceHandle,CloseServiceHandle, 10_2_6C8F6113
Source: C:\Program Files (x86)\GUM2392.tmp\GoogleUpdate.exe Code function: 10_2_6C8EBDD6 _memset,CreateProcessAsUserW, 10_2_6C8EBDD6
Source: C:\Users\user\Desktop\PhotoScapeSetup_V3-7.exe Code function: 0_2_004033E9 EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcmpiW,CreateDirectoryW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,ExitWindowsEx, 0_2_004033E9
Source: C:\Users\user\AppData\Local\Temp\GoogleSetup.exe Code function: 7_2_004033E9 EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcmpiW,CreateDirectoryW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,ExitWindowsEx, 7_2_004033E9
Source: C:\Users\user\AppData\Local\Temp\Mooii_GDrive.exe Code function: 8_2_0040340C EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcmpiW,CreateDirectoryW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,ExitWindowsEx, 8_2_0040340C
Source: C:\Users\user\Desktop\PhotoScapeSetup_V3-7.exe Code function: 0_2_00406947 0_2_00406947
Source: C:\Users\user\Desktop\PhotoScapeSetup_V3-7.exe Code function: 0_2_00404451 0_2_00404451
Source: C:\Users\user\AppData\Local\Temp\GTGCAPI.exe Code function: 2_2_0040598E 2_2_0040598E
Source: C:\Users\user\AppData\Local\Temp\GTGCAPI.exe Code function: 3_2_0040598E 3_2_0040598E
Source: C:\Users\user\AppData\Local\Temp\GTGCAPI.exe Code function: 6_2_0040598E 6_2_0040598E
Source: C:\Users\user\AppData\Local\Temp\GoogleSetup.exe Code function: 7_2_00406947 7_2_00406947
Source: C:\Users\user\AppData\Local\Temp\GoogleSetup.exe Code function: 7_2_00404451 7_2_00404451
Source: C:\Users\user\AppData\Local\Temp\Mooii_GDrive.exe Code function: 8_2_00404471 8_2_00404471
Source: C:\Users\user\AppData\Local\Temp\Mooii_GDrive.exe Code function: 8_2_00406E28 8_2_00406E28
Source: C:\Users\user\AppData\Local\Temp\Mooii_GDrive.exe Code function: 8_2_004067FE 8_2_004067FE
Source: C:\Users\user\AppData\Local\Temp\GoogleUpdateSetup_latest.exe Code function: 9_2_00CF45CC 9_2_00CF45CC
Source: C:\Users\user\AppData\Local\Temp\GoogleUpdateSetup_latest.exe Code function: 9_2_00CF4FB6 9_2_00CF4FB6
Source: C:\Program Files (x86)\GUM2392.tmp\GoogleUpdate.exe Code function: 10_2_00442262 10_2_00442262
Source: C:\Program Files (x86)\GUM2392.tmp\GoogleUpdate.exe Code function: 10_2_00446814 10_2_00446814
Source: C:\Program Files (x86)\GUM2392.tmp\GoogleUpdate.exe Code function: 10_2_00442B09 10_2_00442B09
Source: C:\Program Files (x86)\GUM2392.tmp\GoogleUpdate.exe Code function: 10_2_00442F15 10_2_00442F15
Source: C:\Program Files (x86)\GUM2392.tmp\GoogleUpdate.exe Code function: 10_2_00442735 10_2_00442735
Source: C:\Program Files (x86)\GUM2392.tmp\GoogleUpdate.exe Code function: 10_2_00443335 10_2_00443335
Source: C:\Program Files (x86)\GUM2392.tmp\GoogleUpdate.exe Code function: 10_2_00443DA0 10_2_00443DA0
Source: C:\Program Files (x86)\GUM2392.tmp\GoogleUpdate.exe Code function: 10_2_6C95AC28 10_2_6C95AC28
Source: C:\Program Files (x86)\GUM2392.tmp\GoogleUpdate.exe Code function: 10_2_6C95CDC0 10_2_6C95CDC0
Source: C:\Program Files (x86)\GUM2392.tmp\GoogleUpdate.exe Code function: 10_2_6C96CF13 10_2_6C96CF13
Source: C:\Program Files (x86)\GUM2392.tmp\GoogleUpdate.exe Code function: 10_2_6C95A854 10_2_6C95A854
Source: C:\Program Files (x86)\GUM2392.tmp\GoogleUpdate.exe Code function: 10_2_6C96E9A4 10_2_6C96E9A4
Source: C:\Program Files (x86)\GUM2392.tmp\GoogleUpdate.exe Code function: 10_2_6C96C9D1 10_2_6C96C9D1
Source: C:\Program Files (x86)\GUM2392.tmp\GoogleUpdate.exe Code function: 10_2_6C946BA4 10_2_6C946BA4
Source: C:\Program Files (x86)\GUM2392.tmp\GoogleUpdate.exe Code function: 10_2_6C9627C5 10_2_6C9627C5
Source: C:\Program Files (x86)\GUM2392.tmp\GoogleUpdate.exe Code function: 10_2_6C960727 10_2_6C960727
Source: C:\Program Files (x86)\GUM2392.tmp\GoogleUpdate.exe Code function: 10_2_6C95A381 10_2_6C95A381
Source: C:\Program Files (x86)\GUM2392.tmp\GoogleUpdate.exe Code function: 10_2_6C971C41 10_2_6C971C41
Source: C:\Program Files (x86)\GUM2392.tmp\GoogleUpdate.exe Code function: 10_2_6C96DB15 10_2_6C96DB15
Source: C:\Program Files (x86)\GUM2392.tmp\GoogleUpdate.exe Code function: 10_2_6C95B454 10_2_6C95B454
Source: C:\Program Files (x86)\GUM2392.tmp\GoogleUpdate.exe Code function: 10_2_6C96D455 10_2_6C96D455
Source: C:\Program Files (x86)\GUM2392.tmp\GoogleUpdate.exe Code function: 10_2_6C963653 10_2_6C963653
Source: C:\Program Files (x86)\GUM2392.tmp\GoogleUpdate.exe Code function: 10_2_6C95B034 10_2_6C95B034
Source: C:\Program Files (x86)\GUM2392.tmp\GoogleUpdate.exe Code function: 10_2_6C971310 10_2_6C971310
Source: C:\Users\user\AppData\Local\Temp\GTGCAPI.exe Code function: String function: 00401F02 appears 42 times
Source: C:\Program Files (x86)\GUM2392.tmp\GoogleUpdate.exe Code function: String function: 6C8F3456 appears 70 times
Source: C:\Program Files (x86)\GUM2392.tmp\GoogleUpdate.exe Code function: String function: 6C8E2D4E appears 37 times
Source: C:\Program Files (x86)\GUM2392.tmp\GoogleUpdate.exe Code function: String function: 6C8E1000 appears 35 times
Source: C:\Program Files (x86)\GUM2392.tmp\GoogleUpdate.exe Code function: String function: 6C9593EE appears 35 times
Source: C:\Program Files (x86)\GUM2392.tmp\GoogleUpdate.exe Code function: String function: 6C95CD58 appears 70 times
Source: C:\Program Files (x86)\GUM2392.tmp\GoogleUpdate.exe Code function: String function: 6C8E2A13 appears 177 times
Source: C:\Program Files (x86)\GUM2392.tmp\GoogleUpdate.exe Code function: String function: 6C8E3D9B appears 35 times
Source: goopdateres_ca.dll.9.dr Static PE information: Resource name: RT_STRING type: MIPSEB-LE MIPS-II ECOFF executable not stripped - version 0.114
Source: goopdateres_fil.dll.9.dr Static PE information: Resource name: RT_STRING type: VAX COFF executable, sections 80, created Wed Mar 25 10:31:05 1970, not stripped, version 108
Source: goopdateres_hu.dll.9.dr Static PE information: Resource name: RT_STRING type: MIPSEL MIPS-II ECOFF executable not stripped - version 0.101
Source: goopdateres_ms.dll.9.dr Static PE information: Resource name: RT_STRING type: 370 sysV executable not stripped
Source: goopdateres_th.dll.9.dr Static PE information: Resource name: RT_STRING type: PDP-11 overlaid pure executable not stripped
Source: goopdateres_tr.dll.9.dr Static PE information: Resource name: RT_STRING type: 370 XA sysV pure executable not stripped
Source: goopdateres_vi.dll.9.dr Static PE information: Resource name: RT_STRING type: iAPX 286 executable small model (COFF) not stripped
Source: PhotoScapeSetup_V3-7.exe, 00000000.00000003.2123001334.000000000290D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameriched20.dllp( vs PhotoScapeSetup_V3-7.exe
Source: PhotoScapeSetup_V3-7.exe, 00000000.00000003.2114246136.0000000002900000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamePhotoScape.EXE vs PhotoScapeSetup_V3-7.exe
Source: PhotoScapeSetup_V3-7.exe, 00000000.00000003.2120397499.000000000299E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameMSVCR90.DLL^ vs PhotoScapeSetup_V3-7.exe
Source: PhotoScapeSetup_V3-7.exe, 00000000.00000003.2118851699.0000000002903000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameMSVCP90.DLL^ vs PhotoScapeSetup_V3-7.exe
Source: PhotoScapeSetup_V3-7.exe, 00000000.00000003.2117939007.0000000002902000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameMFC90.DLL@ vs PhotoScapeSetup_V3-7.exe
Source: PhotoScapeSetup_V3-7.exe, 00000000.00000003.2001695381.0000000002903000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameGTGCAPI.EXE vs PhotoScapeSetup_V3-7.exe
Source: PhotoScapeSetup_V3-7.exe, 00000000.00000003.2116640502.0000000002901000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamegdiplusj% vs PhotoScapeSetup_V3-7.exe
Source: C:\Users\user\Desktop\PhotoScapeSetup_V3-7.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\PhotoScapeSetup_V3-7.exe Section loaded: acgenral.dll
Source: C:\Users\user\Desktop\PhotoScapeSetup_V3-7.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\PhotoScapeSetup_V3-7.exe Section loaded: winmm.dll
Source: C:\Users\user\Desktop\PhotoScapeSetup_V3-7.exe Section loaded: samcli.dll
Source: C:\Users\user\Desktop\PhotoScapeSetup_V3-7.exe Section loaded: msacm32.dll
Source: C:\Users\user\Desktop\PhotoScapeSetup_V3-7.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\PhotoScapeSetup_V3-7.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\PhotoScapeSetup_V3-7.exe Section loaded: dwmapi.dll
Source: C:\Users\user\Desktop\PhotoScapeSetup_V3-7.exe Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\PhotoScapeSetup_V3-7.exe Section loaded: mpr.dll
Source: C:\Users\user\Desktop\PhotoScapeSetup_V3-7.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\PhotoScapeSetup_V3-7.exe Section loaded: winmmbase.dll
Source: C:\Users\user\Desktop\PhotoScapeSetup_V3-7.exe Section loaded: winmmbase.dll
Source: C:\Users\user\Desktop\PhotoScapeSetup_V3-7.exe Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\PhotoScapeSetup_V3-7.exe Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\PhotoScapeSetup_V3-7.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\PhotoScapeSetup_V3-7.exe Section loaded: aclayers.dll
Source: C:\Users\user\Desktop\PhotoScapeSetup_V3-7.exe Section loaded: sfc.dll
Source: C:\Users\user\Desktop\PhotoScapeSetup_V3-7.exe Section loaded: sfc_os.dll
Source: C:\Users\user\Desktop\PhotoScapeSetup_V3-7.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\PhotoScapeSetup_V3-7.exe Section loaded: shfolder.dll
Source: C:\Users\user\Desktop\PhotoScapeSetup_V3-7.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\PhotoScapeSetup_V3-7.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\PhotoScapeSetup_V3-7.exe Section loaded: propsys.dll
Source: C:\Users\user\Desktop\PhotoScapeSetup_V3-7.exe Section loaded: riched20.dll
Source: C:\Users\user\Desktop\PhotoScapeSetup_V3-7.exe Section loaded: usp10.dll
Source: C:\Users\user\Desktop\PhotoScapeSetup_V3-7.exe Section loaded: msls31.dll
Source: C:\Users\user\Desktop\PhotoScapeSetup_V3-7.exe Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\PhotoScapeSetup_V3-7.exe Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\PhotoScapeSetup_V3-7.exe Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\PhotoScapeSetup_V3-7.exe Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\PhotoScapeSetup_V3-7.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\PhotoScapeSetup_V3-7.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\PhotoScapeSetup_V3-7.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\PhotoScapeSetup_V3-7.exe Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\PhotoScapeSetup_V3-7.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\PhotoScapeSetup_V3-7.exe Section loaded: linkinfo.dll
Source: C:\Users\user\Desktop\PhotoScapeSetup_V3-7.exe Section loaded: ntshrui.dll
Source: C:\Users\user\Desktop\PhotoScapeSetup_V3-7.exe Section loaded: cscapi.dll
Source: C:\Users\user\Desktop\PhotoScapeSetup_V3-7.exe Section loaded: windows.shell.servicehostbuilder.dll
Source: C:\Users\user\Desktop\PhotoScapeSetup_V3-7.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\Desktop\PhotoScapeSetup_V3-7.exe Section loaded: ieframe.dll
Source: C:\Users\user\Desktop\PhotoScapeSetup_V3-7.exe Section loaded: netapi32.dll
Source: C:\Users\user\Desktop\PhotoScapeSetup_V3-7.exe Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\PhotoScapeSetup_V3-7.exe Section loaded: wkscli.dll
Source: C:\Users\user\Desktop\PhotoScapeSetup_V3-7.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\PhotoScapeSetup_V3-7.exe Section loaded: edputil.dll
Source: C:\Users\user\Desktop\PhotoScapeSetup_V3-7.exe Section loaded: secur32.dll
Source: C:\Users\user\Desktop\PhotoScapeSetup_V3-7.exe Section loaded: mlang.dll
Source: C:\Users\user\Desktop\PhotoScapeSetup_V3-7.exe Section loaded: wininet.dll
Source: C:\Users\user\Desktop\PhotoScapeSetup_V3-7.exe Section loaded: policymanager.dll
Source: C:\Users\user\Desktop\PhotoScapeSetup_V3-7.exe Section loaded: msvcp110_win.dll
Source: C:\Users\user\Desktop\PhotoScapeSetup_V3-7.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\PhotoScapeSetup_V3-7.exe Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\PhotoScapeSetup_V3-7.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\PhotoScapeSetup_V3-7.exe Section loaded: slc.dll
Source: C:\Users\user\Desktop\PhotoScapeSetup_V3-7.exe Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\GTGCAPI.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\GTGCAPI.exe Section loaded: acgenral.dll
Source: C:\Users\user\AppData\Local\Temp\GTGCAPI.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\GTGCAPI.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\GTGCAPI.exe Section loaded: samcli.dll
Source: C:\Users\user\AppData\Local\Temp\GTGCAPI.exe Section loaded: msacm32.dll
Source: C:\Users\user\AppData\Local\Temp\GTGCAPI.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\GTGCAPI.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\GTGCAPI.exe Section loaded: dwmapi.dll
Source: C:\Users\user\AppData\Local\Temp\GTGCAPI.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\GTGCAPI.exe Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\GTGCAPI.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\GTGCAPI.exe Section loaded: winmmbase.dll
Source: C:\Users\user\AppData\Local\Temp\GTGCAPI.exe Section loaded: winmmbase.dll
Source: C:\Users\user\AppData\Local\Temp\GTGCAPI.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\GTGCAPI.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\GTGCAPI.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\GTGCAPI.exe Section loaded: aclayers.dll
Source: C:\Users\user\AppData\Local\Temp\GTGCAPI.exe Section loaded: sfc.dll
Source: C:\Users\user\AppData\Local\Temp\GTGCAPI.exe Section loaded: sfc_os.dll
Source: C:\Users\user\AppData\Local\Temp\GTGCAPI.exe Section loaded: gcapi_dll.dll
Source: C:\Users\user\AppData\Local\Temp\GTGCAPI.exe Section loaded: gtapi_signed.dll
Source: C:\Users\user\AppData\Local\Temp\GTGCAPI.exe Section loaded: gdapi.dll
Source: C:\Users\user\AppData\Local\Temp\GTGCAPI.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\GTGCAPI.exe Section loaded: acgenral.dll
Source: C:\Users\user\AppData\Local\Temp\GTGCAPI.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\GTGCAPI.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\GTGCAPI.exe Section loaded: samcli.dll
Source: C:\Users\user\AppData\Local\Temp\GTGCAPI.exe Section loaded: msacm32.dll
Source: C:\Users\user\AppData\Local\Temp\GTGCAPI.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\GTGCAPI.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\GTGCAPI.exe Section loaded: dwmapi.dll
Source: C:\Users\user\AppData\Local\Temp\GTGCAPI.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\GTGCAPI.exe Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\GTGCAPI.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\GTGCAPI.exe Section loaded: winmmbase.dll
Source: C:\Users\user\AppData\Local\Temp\GTGCAPI.exe Section loaded: winmmbase.dll
Source: C:\Users\user\AppData\Local\Temp\GTGCAPI.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\GTGCAPI.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\GTGCAPI.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\GTGCAPI.exe Section loaded: aclayers.dll
Source: C:\Users\user\AppData\Local\Temp\GTGCAPI.exe Section loaded: sfc.dll
Source: C:\Users\user\AppData\Local\Temp\GTGCAPI.exe Section loaded: sfc_os.dll
Source: C:\Users\user\AppData\Local\Temp\GTGCAPI.exe Section loaded: gcapi_dll.dll
Source: C:\Users\user\AppData\Local\Temp\GTGCAPI.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\GTGCAPI.exe Section loaded: acgenral.dll
Source: C:\Users\user\AppData\Local\Temp\GTGCAPI.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\GTGCAPI.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\GTGCAPI.exe Section loaded: samcli.dll
Source: C:\Users\user\AppData\Local\Temp\GTGCAPI.exe Section loaded: msacm32.dll
Source: C:\Users\user\AppData\Local\Temp\GTGCAPI.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\GTGCAPI.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\GTGCAPI.exe Section loaded: dwmapi.dll
Source: C:\Users\user\AppData\Local\Temp\GTGCAPI.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\GTGCAPI.exe Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\GTGCAPI.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\GTGCAPI.exe Section loaded: winmmbase.dll
Source: C:\Users\user\AppData\Local\Temp\GTGCAPI.exe Section loaded: winmmbase.dll
Source: C:\Users\user\AppData\Local\Temp\GTGCAPI.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\GTGCAPI.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\GTGCAPI.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\GTGCAPI.exe Section loaded: aclayers.dll
Source: C:\Users\user\AppData\Local\Temp\GTGCAPI.exe Section loaded: sfc.dll
Source: C:\Users\user\AppData\Local\Temp\GTGCAPI.exe Section loaded: sfc_os.dll
Source: C:\Users\user\AppData\Local\Temp\GTGCAPI.exe Section loaded: gtapi_signed.dll
Source: C:\Users\user\AppData\Local\Temp\GTGCAPI.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\GTGCAPI.exe Section loaded: acgenral.dll
Source: C:\Users\user\AppData\Local\Temp\GTGCAPI.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\GTGCAPI.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\GTGCAPI.exe Section loaded: samcli.dll
Source: C:\Users\user\AppData\Local\Temp\GTGCAPI.exe Section loaded: msacm32.dll
Source: C:\Users\user\AppData\Local\Temp\GTGCAPI.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\GTGCAPI.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\GTGCAPI.exe Section loaded: dwmapi.dll
Source: C:\Users\user\AppData\Local\Temp\GTGCAPI.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\GTGCAPI.exe Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\GTGCAPI.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\GTGCAPI.exe Section loaded: winmmbase.dll
Source: C:\Users\user\AppData\Local\Temp\GTGCAPI.exe Section loaded: winmmbase.dll
Source: C:\Users\user\AppData\Local\Temp\GTGCAPI.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\GTGCAPI.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\GTGCAPI.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\GTGCAPI.exe Section loaded: aclayers.dll
Source: C:\Users\user\AppData\Local\Temp\GTGCAPI.exe Section loaded: sfc.dll
Source: C:\Users\user\AppData\Local\Temp\GTGCAPI.exe Section loaded: sfc_os.dll
Source: C:\Users\user\AppData\Local\Temp\GTGCAPI.exe Section loaded: gdapi.dll
Source: C:\Users\user\AppData\Local\Temp\GTGCAPI.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\GTGCAPI.exe Section loaded: acgenral.dll
Source: C:\Users\user\AppData\Local\Temp\GTGCAPI.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\GTGCAPI.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\GTGCAPI.exe Section loaded: samcli.dll
Source: C:\Users\user\AppData\Local\Temp\GTGCAPI.exe Section loaded: msacm32.dll
Source: C:\Users\user\AppData\Local\Temp\GTGCAPI.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\GTGCAPI.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\GTGCAPI.exe Section loaded: dwmapi.dll
Source: C:\Users\user\AppData\Local\Temp\GTGCAPI.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\GTGCAPI.exe Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\GTGCAPI.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\GTGCAPI.exe Section loaded: winmmbase.dll
Source: C:\Users\user\AppData\Local\Temp\GTGCAPI.exe Section loaded: winmmbase.dll
Source: C:\Users\user\AppData\Local\Temp\GTGCAPI.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\GTGCAPI.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\GTGCAPI.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\GTGCAPI.exe Section loaded: aclayers.dll
Source: C:\Users\user\AppData\Local\Temp\GTGCAPI.exe Section loaded: sfc.dll
Source: C:\Users\user\AppData\Local\Temp\GTGCAPI.exe Section loaded: sfc_os.dll
Source: C:\Users\user\AppData\Local\Temp\GTGCAPI.exe Section loaded: gcapi_dll.dll
Source: C:\Users\user\AppData\Local\Temp\GTGCAPI.exe Section loaded: gtapi_signed.dll
Source: C:\Users\user\AppData\Local\Temp\GTGCAPI.exe Section loaded: gdapi.dll
Source: C:\Users\user\AppData\Local\Temp\GoogleSetup.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\GoogleSetup.exe Section loaded: acgenral.dll
Source: C:\Users\user\AppData\Local\Temp\GoogleSetup.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\GoogleSetup.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\GoogleSetup.exe Section loaded: samcli.dll
Source: C:\Users\user\AppData\Local\Temp\GoogleSetup.exe Section loaded: msacm32.dll
Source: C:\Users\user\AppData\Local\Temp\GoogleSetup.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\GoogleSetup.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\GoogleSetup.exe Section loaded: dwmapi.dll
Source: C:\Users\user\AppData\Local\Temp\GoogleSetup.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\GoogleSetup.exe Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\GoogleSetup.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\GoogleSetup.exe Section loaded: winmmbase.dll
Source: C:\Users\user\AppData\Local\Temp\GoogleSetup.exe Section loaded: winmmbase.dll
Source: C:\Users\user\AppData\Local\Temp\GoogleSetup.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\GoogleSetup.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\GoogleSetup.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\GoogleSetup.exe Section loaded: aclayers.dll
Source: C:\Users\user\AppData\Local\Temp\GoogleSetup.exe Section loaded: sfc.dll
Source: C:\Users\user\AppData\Local\Temp\GoogleSetup.exe Section loaded: sfc_os.dll
Source: C:\Users\user\AppData\Local\Temp\GoogleSetup.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\GoogleSetup.exe Section loaded: shfolder.dll
Source: C:\Users\user\AppData\Local\Temp\GoogleSetup.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\GoogleSetup.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\GoogleSetup.exe Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\GoogleSetup.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\Mooii_GDrive.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\Mooii_GDrive.exe Section loaded: acgenral.dll
Source: C:\Users\user\AppData\Local\Temp\Mooii_GDrive.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\Mooii_GDrive.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\Mooii_GDrive.exe Section loaded: samcli.dll
Source: C:\Users\user\AppData\Local\Temp\Mooii_GDrive.exe Section loaded: msacm32.dll
Source: C:\Users\user\AppData\Local\Temp\Mooii_GDrive.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\Mooii_GDrive.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\Mooii_GDrive.exe Section loaded: dwmapi.dll
Source: C:\Users\user\AppData\Local\Temp\Mooii_GDrive.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\Mooii_GDrive.exe Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\Mooii_GDrive.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\Mooii_GDrive.exe Section loaded: winmmbase.dll
Source: C:\Users\user\AppData\Local\Temp\Mooii_GDrive.exe Section loaded: winmmbase.dll
Source: C:\Users\user\AppData\Local\Temp\Mooii_GDrive.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\Mooii_GDrive.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\Mooii_GDrive.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\Mooii_GDrive.exe Section loaded: aclayers.dll
Source: C:\Users\user\AppData\Local\Temp\Mooii_GDrive.exe Section loaded: sfc.dll
Source: C:\Users\user\AppData\Local\Temp\Mooii_GDrive.exe Section loaded: sfc_os.dll
Source: C:\Users\user\AppData\Local\Temp\Mooii_GDrive.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\Mooii_GDrive.exe Section loaded: shfolder.dll
Source: C:\Users\user\AppData\Local\Temp\Mooii_GDrive.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\Mooii_GDrive.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\Mooii_GDrive.exe Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\Mooii_GDrive.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\GoogleUpdateSetup_latest.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\GoogleUpdateSetup_latest.exe Section loaded: acgenral.dll
Source: C:\Users\user\AppData\Local\Temp\GoogleUpdateSetup_latest.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\GoogleUpdateSetup_latest.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\GoogleUpdateSetup_latest.exe Section loaded: samcli.dll
Source: C:\Users\user\AppData\Local\Temp\GoogleUpdateSetup_latest.exe Section loaded: msacm32.dll
Source: C:\Users\user\AppData\Local\Temp\GoogleUpdateSetup_latest.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\GoogleUpdateSetup_latest.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\GoogleUpdateSetup_latest.exe Section loaded: dwmapi.dll
Source: C:\Users\user\AppData\Local\Temp\GoogleUpdateSetup_latest.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\GoogleUpdateSetup_latest.exe Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\GoogleUpdateSetup_latest.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\GoogleUpdateSetup_latest.exe Section loaded: winmmbase.dll
Source: C:\Users\user\AppData\Local\Temp\GoogleUpdateSetup_latest.exe Section loaded: winmmbase.dll
Source: C:\Users\user\AppData\Local\Temp\GoogleUpdateSetup_latest.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\GoogleUpdateSetup_latest.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\GoogleUpdateSetup_latest.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\GoogleUpdateSetup_latest.exe Section loaded: aclayers.dll
Source: C:\Users\user\AppData\Local\Temp\GoogleUpdateSetup_latest.exe Section loaded: sfc.dll
Source: C:\Users\user\AppData\Local\Temp\GoogleUpdateSetup_latest.exe Section loaded: sfc_os.dll
Source: C:\Users\user\AppData\Local\Temp\GoogleUpdateSetup_latest.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\GoogleUpdateSetup_latest.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\GoogleUpdateSetup_latest.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\GoogleUpdateSetup_latest.exe Section loaded: ntmarta.dll
Source: C:\Program Files (x86)\GUM2392.tmp\GoogleUpdate.exe Section loaded: apphelp.dll
Source: C:\Program Files (x86)\GUM2392.tmp\GoogleUpdate.exe Section loaded: acgenral.dll
Source: C:\Program Files (x86)\GUM2392.tmp\GoogleUpdate.exe Section loaded: uxtheme.dll
Source: C:\Program Files (x86)\GUM2392.tmp\GoogleUpdate.exe Section loaded: winmm.dll
Source: C:\Program Files (x86)\GUM2392.tmp\GoogleUpdate.exe Section loaded: samcli.dll
Source: C:\Program Files (x86)\GUM2392.tmp\GoogleUpdate.exe Section loaded: msacm32.dll
Source: C:\Program Files (x86)\GUM2392.tmp\GoogleUpdate.exe Section loaded: version.dll
Source: C:\Program Files (x86)\GUM2392.tmp\GoogleUpdate.exe Section loaded: userenv.dll
Source: C:\Program Files (x86)\GUM2392.tmp\GoogleUpdate.exe Section loaded: dwmapi.dll
Source: C:\Program Files (x86)\GUM2392.tmp\GoogleUpdate.exe Section loaded: urlmon.dll
Source: C:\Program Files (x86)\GUM2392.tmp\GoogleUpdate.exe Section loaded: mpr.dll
Source: C:\Program Files (x86)\GUM2392.tmp\GoogleUpdate.exe Section loaded: sspicli.dll
Source: C:\Program Files (x86)\GUM2392.tmp\GoogleUpdate.exe Section loaded: winmmbase.dll
Source: C:\Program Files (x86)\GUM2392.tmp\GoogleUpdate.exe Section loaded: winmmbase.dll
Source: C:\Program Files (x86)\GUM2392.tmp\GoogleUpdate.exe Section loaded: iertutil.dll
Source: C:\Program Files (x86)\GUM2392.tmp\GoogleUpdate.exe Section loaded: srvcli.dll
Source: C:\Program Files (x86)\GUM2392.tmp\GoogleUpdate.exe Section loaded: netutils.dll
Source: C:\Program Files (x86)\GUM2392.tmp\GoogleUpdate.exe Section loaded: aclayers.dll
Source: C:\Program Files (x86)\GUM2392.tmp\GoogleUpdate.exe Section loaded: sfc.dll
Source: C:\Program Files (x86)\GUM2392.tmp\GoogleUpdate.exe Section loaded: sfc_os.dll
Source: C:\Program Files (x86)\GUM2392.tmp\GoogleUpdate.exe Section loaded: windows.storage.dll
Source: C:\Program Files (x86)\GUM2392.tmp\GoogleUpdate.exe Section loaded: wldp.dll
Source: C:\Program Files (x86)\GUM2392.tmp\GoogleUpdate.exe Section loaded: iphlpapi.dll
Source: C:\Program Files (x86)\GUM2392.tmp\GoogleUpdate.exe Section loaded: netapi32.dll
Source: C:\Program Files (x86)\GUM2392.tmp\GoogleUpdate.exe Section loaded: msi.dll
Source: C:\Program Files (x86)\GUM2392.tmp\GoogleUpdate.exe Section loaded: wininet.dll
Source: C:\Program Files (x86)\GUM2392.tmp\GoogleUpdate.exe Section loaded: wkscli.dll
Source: C:\Program Files (x86)\GUM2392.tmp\GoogleUpdate.exe Section loaded: msasn1.dll
Source: C:\Program Files (x86)\GUM2392.tmp\GoogleUpdate.exe Section loaded: cscapi.dll
Source: C:\Program Files (x86)\GUM2392.tmp\GoogleUpdate.exe Section loaded: dbghelp.dll
Source: C:\Program Files (x86)\GUM2392.tmp\GoogleUpdate.exe Section loaded: dbgcore.dll
Source: C:\Program Files (x86)\GUM2392.tmp\GoogleUpdate.exe Section loaded: ntmarta.dll
Source: C:\Program Files (x86)\GUM2392.tmp\GoogleUpdate.exe Section loaded: dbghelp.dll
Source: C:\Program Files (x86)\GUM2392.tmp\GoogleUpdate.exe Section loaded: dbgcore.dll
Source: C:\Program Files (x86)\GUM2392.tmp\GoogleUpdate.exe Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\GUM2392.tmp\GoogleUpdate.exe Section loaded: msxml3.dll
Source: C:\Program Files (x86)\GUM2392.tmp\GoogleUpdate.exe Section loaded: textinputframework.dll
Source: C:\Program Files (x86)\GUM2392.tmp\GoogleUpdate.exe Section loaded: coreuicomponents.dll
Source: C:\Program Files (x86)\GUM2392.tmp\GoogleUpdate.exe Section loaded: coremessaging.dll
Source: C:\Program Files (x86)\GUM2392.tmp\GoogleUpdate.exe Section loaded: coremessaging.dll
Source: C:\Program Files (x86)\GUM2392.tmp\GoogleUpdate.exe Section loaded: wintypes.dll
Source: C:\Program Files (x86)\GUM2392.tmp\GoogleUpdate.exe Section loaded: wintypes.dll
Source: C:\Program Files (x86)\GUM2392.tmp\GoogleUpdate.exe Section loaded: wintypes.dll
Source: C:\Program Files (x86)\GUM2392.tmp\GoogleUpdate.exe Section loaded: propsys.dll
Source: C:\Program Files (x86)\GUM2392.tmp\GoogleUpdate.exe Section loaded: winhttp.dll
Source: C:\Program Files (x86)\GUM2392.tmp\GoogleUpdate.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Program Files (x86)\GUM2392.tmp\GoogleUpdate.exe Section loaded: dhcpcsvc6.dll
Source: C:\Program Files (x86)\GUM2392.tmp\GoogleUpdate.exe Section loaded: dhcpcsvc.dll
Source: C:\Program Files (x86)\GUM2392.tmp\GoogleUpdate.exe Section loaded: webio.dll
Source: C:\Program Files (x86)\GUM2392.tmp\GoogleUpdate.exe Section loaded: mswsock.dll
Source: C:\Program Files (x86)\GUM2392.tmp\GoogleUpdate.exe Section loaded: winnsi.dll
Source: C:\Program Files (x86)\GUM2392.tmp\GoogleUpdate.exe Section loaded: dnsapi.dll
Source: C:\Program Files (x86)\GUM2392.tmp\GoogleUpdate.exe Section loaded: rasadhlp.dll
Source: C:\Program Files (x86)\PhotoScape\PhotoScape.exe Section loaded: apphelp.dll
Source: C:\Program Files (x86)\PhotoScape\PhotoScape.exe Section loaded: acgenral.dll
Source: C:\Program Files (x86)\PhotoScape\PhotoScape.exe Section loaded: uxtheme.dll
Source: C:\Program Files (x86)\PhotoScape\PhotoScape.exe Section loaded: winmm.dll
Source: C:\Program Files (x86)\PhotoScape\PhotoScape.exe Section loaded: samcli.dll
Source: C:\Program Files (x86)\PhotoScape\PhotoScape.exe Section loaded: msacm32.dll
Source: C:\Program Files (x86)\PhotoScape\PhotoScape.exe Section loaded: version.dll
Source: C:\Program Files (x86)\PhotoScape\PhotoScape.exe Section loaded: userenv.dll
Source: C:\Program Files (x86)\PhotoScape\PhotoScape.exe Section loaded: dwmapi.dll
Source: C:\Program Files (x86)\PhotoScape\PhotoScape.exe Section loaded: urlmon.dll
Source: C:\Program Files (x86)\PhotoScape\PhotoScape.exe Section loaded: mpr.dll
Source: C:\Program Files (x86)\PhotoScape\PhotoScape.exe Section loaded: sspicli.dll
Source: C:\Program Files (x86)\PhotoScape\PhotoScape.exe Section loaded: winmmbase.dll
Source: C:\Program Files (x86)\PhotoScape\PhotoScape.exe Section loaded: winmmbase.dll
Source: C:\Program Files (x86)\PhotoScape\PhotoScape.exe Section loaded: iertutil.dll
Source: C:\Program Files (x86)\PhotoScape\PhotoScape.exe Section loaded: srvcli.dll
Source: C:\Program Files (x86)\PhotoScape\PhotoScape.exe Section loaded: netutils.dll
Source: C:\Program Files (x86)\PhotoScape\PhotoScape.exe Section loaded: aclayers.dll
Source: C:\Program Files (x86)\PhotoScape\PhotoScape.exe Section loaded: sfc.dll
Source: C:\Program Files (x86)\PhotoScape\PhotoScape.exe Section loaded: sfc_os.dll
Source: C:\Program Files (x86)\PhotoScape\PhotoScape.exe Section loaded: riched20.dll
Source: C:\Program Files (x86)\PhotoScape\PhotoScape.exe Section loaded: mfc90eng.dll
Source: C:\Program Files (x86)\PhotoScape\PhotoScape.exe Section loaded: mfc90enu.dll
Source: C:\Program Files (x86)\PhotoScape\PhotoScape.exe Section loaded: mfc90eng.dll
Source: C:\Program Files (x86)\PhotoScape\PhotoScape.exe Section loaded: mfc90enu.dll
Source: C:\Program Files (x86)\PhotoScape\PhotoScape.exe Section loaded: mfc90loc.dll
Source: C:\Program Files (x86)\PhotoScape\PhotoScape.exe Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\PhotoScape\PhotoScape.exe Section loaded: riched32.dll
Source: C:\Program Files (x86)\PhotoScape\PhotoScape.exe Section loaded: windows.storage.dll
Source: C:\Program Files (x86)\PhotoScape\PhotoScape.exe Section loaded: wldp.dll
Source: C:\Program Files (x86)\PhotoScape\PhotoScape.exe Section loaded: msimg32.dll
Source: C:\Program Files (x86)\PhotoScape\PhotoScape.exe Section loaded: dwrite.dll
Source: C:\Program Files (x86)\PhotoScape\PhotoScape.exe Section loaded: netprofm.dll
Source: C:\Program Files (x86)\PhotoScape\PhotoScape.exe Section loaded: npmproxy.dll
Source: C:\Program Files (x86)\PhotoScape\PhotoScape.exe Section loaded: iphlpapi.dll
Source: C:\Program Files (x86)\PhotoScape\PhotoScape.exe Section loaded: dhcpcsvc6.dll
Source: C:\Program Files (x86)\PhotoScape\PhotoScape.exe Section loaded: dhcpcsvc.dll
Source: C:\Program Files (x86)\PhotoScape\PhotoScape.exe Section loaded: dnsapi.dll
Source: C:\Program Files (x86)\PhotoScape\PhotoScape.exe Section loaded: windowscodecs.dll
Source: C:\Program Files (x86)\PhotoScape\PhotoScape.exe Section loaded: textinputframework.dll
Source: C:\Program Files (x86)\PhotoScape\PhotoScape.exe Section loaded: coreuicomponents.dll
Source: C:\Program Files (x86)\PhotoScape\PhotoScape.exe Section loaded: coremessaging.dll
Source: C:\Program Files (x86)\PhotoScape\PhotoScape.exe Section loaded: ntmarta.dll
Source: C:\Program Files (x86)\PhotoScape\PhotoScape.exe Section loaded: wintypes.dll
Source: C:\Program Files (x86)\PhotoScape\PhotoScape.exe Section loaded: wintypes.dll
Source: C:\Program Files (x86)\PhotoScape\PhotoScape.exe Section loaded: wintypes.dll
Source: C:\Program Files (x86)\PhotoScape\PhotoScape.exe Section loaded: mswsock.dll
Source: C:\Program Files (x86)\PhotoScape\PhotoScape.exe Section loaded: napinsp.dll
Source: C:\Program Files (x86)\PhotoScape\PhotoScape.exe Section loaded: pnrpnsp.dll
Source: C:\Program Files (x86)\PhotoScape\PhotoScape.exe Section loaded: wshbth.dll
Source: C:\Program Files (x86)\PhotoScape\PhotoScape.exe Section loaded: nlaapi.dll
Source: C:\Program Files (x86)\PhotoScape\PhotoScape.exe Section loaded: winrnr.dll
Source: C:\Program Files (x86)\PhotoScape\PhotoScape.exe Section loaded: textshaping.dll
Source: C:\Program Files (x86)\PhotoScape\PhotoScape.exe Section loaded: profapi.dll
Source: C:\Program Files (x86)\PhotoScape\PhotoScape.exe Section loaded: dataexchange.dll
Source: C:\Program Files (x86)\PhotoScape\PhotoScape.exe Section loaded: d3d11.dll
Source: C:\Program Files (x86)\PhotoScape\PhotoScape.exe Section loaded: dcomp.dll
Source: C:\Program Files (x86)\PhotoScape\PhotoScape.exe Section loaded: dxgi.dll
Source: C:\Program Files (x86)\PhotoScape\PhotoScape.exe Section loaded: twinapi.appcore.dll
Source: C:\Program Files (x86)\PhotoScape\PhotoScape.exe Section loaded: fwpuclnt.dll
Source: C:\Program Files (x86)\PhotoScape\PhotoScape.exe Section loaded: rasadhlp.dll
Source: C:\Program Files (x86)\PhotoScape\PhotoScape.exe Section loaded: propsys.dll
Source: C:\Program Files (x86)\PhotoScape\PhotoScape.exe Section loaded: xmllite.dll
Source: C:\Program Files (x86)\PhotoScape\PhotoScape.exe Section loaded: windows.fileexplorer.common.dll
Source: C:\Program Files (x86)\PhotoScape\PhotoScape.exe Section loaded: linkinfo.dll
Source: C:\Program Files (x86)\PhotoScape\PhotoScape.exe Section loaded: dui70.dll
Source: C:\Program Files (x86)\PhotoScape\PhotoScape.exe Section loaded: duser.dll
Source: C:\Program Files (x86)\PhotoScape\PhotoScape.exe Section loaded: edputil.dll
Source: C:\Program Files (x86)\PhotoScape\PhotoScape.exe Section loaded: explorerframe.dll
Source: C:\Program Files (x86)\PhotoScape\PhotoScape.exe Section loaded: thumbcache.dll
Source: C:\Program Files (x86)\PhotoScape\PhotoScape.exe Section loaded: msftedit.dll
Source: C:\Program Files (x86)\PhotoScape\PhotoScape.exe Section loaded: windows.globalization.dll
Source: C:\Program Files (x86)\PhotoScape\PhotoScape.exe Section loaded: bcp47langs.dll
Source: C:\Program Files (x86)\PhotoScape\PhotoScape.exe Section loaded: bcp47mrm.dll
Source: C:\Program Files (x86)\PhotoScape\PhotoScape.exe Section loaded: globinputhost.dll
Source: C:\Program Files (x86)\PhotoScape\PhotoScape.exe Section loaded: structuredquery.dll
Source: C:\Program Files (x86)\PhotoScape\PhotoScape.exe Section loaded: atlthunk.dll
Source: C:\Program Files (x86)\PhotoScape\PhotoScape.exe Section loaded: windows.storage.search.dll
Source: C:\Program Files (x86)\PhotoScape\PhotoScape.exe Section loaded: twinapi.dll
Source: C:\Program Files (x86)\PhotoScape\PhotoScape.exe Section loaded: ntshrui.dll
Source: C:\Program Files (x86)\PhotoScape\PhotoScape.exe Section loaded: cscapi.dll
Source: C:\Program Files (x86)\PhotoScape\PhotoScape.exe Section loaded: actxprxy.dll
Source: C:\Program Files (x86)\PhotoScape\PhotoScape.exe Section loaded: networkexplorer.dll
Source: C:\Program Files (x86)\PhotoScape\PhotoScape.exe Section loaded: windows.staterepositoryps.dll
Source: PhotoScapeSetup_V3-7.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: classification engine Classification label: sus24.rans.evad.winEXE@40/1194@79/12
Source: C:\Program Files (x86)\GUM2392.tmp\GoogleUpdate.exe Code function: 10_2_6C8EC079 GetCurrentProcess,OpenProcessToken,CloseHandle,LookupPrivilegeValueW,AdjustTokenPrivileges,CloseHandle, 10_2_6C8EC079
Source: C:\Users\user\Desktop\PhotoScapeSetup_V3-7.exe Code function: 0_2_00403FDF GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW, 0_2_00403FDF
Source: C:\Program Files (x86)\GUM2392.tmp\GoogleUpdate.exe Code function: OpenSCManagerW,GetLastError,CreateServiceW,CloseServiceHandle,GetLastError,CloseServiceHandle,CloseServiceHandle, 10_2_6C8F6A6F
Source: C:\Program Files (x86)\GUM2392.tmp\GoogleUpdate.exe Code function: OpenSCManagerW,GetLastError,CreateServiceW,CloseServiceHandle,GetLastError,CloseServiceHandle,CloseServiceHandle, 10_2_6C8F6674
Source: C:\Program Files (x86)\GUM2392.tmp\GoogleUpdate.exe Code function: 10_2_6C8EE8E0 CreateToolhelp32Snapshot,_memset,Process32FirstW,CloseHandle,Process32NextW, 10_2_6C8EE8E0
Source: C:\Users\user\Desktop\PhotoScapeSetup_V3-7.exe Code function: 0_2_00402218 CoCreateInstance, 0_2_00402218
Source: C:\Users\user\AppData\Local\Temp\GoogleUpdateSetup_latest.exe Code function: 9_2_00CF1CDB __EH_prolog3_GS,memset,GetTempFileNameW,FindResourceW,LoadResource,LockResource,CreateFileW,SizeofResource,SetFilePointerEx,CloseHandle, 9_2_00CF1CDB
Source: C:\Program Files (x86)\GUM2392.tmp\GoogleUpdate.exe Code function: 10_2_6C948DB4 OpenSCManagerW,OpenServiceW,CloseServiceHandle,CloseServiceHandle,QueryServiceStatus,CloseServiceHandle,StartServiceW,CloseServiceHandle, 10_2_6C948DB4
Source: C:\Program Files (x86)\GUM2392.tmp\GoogleUpdate.exe Code function: 10_2_6C8F5BA0 StartServiceCtrlDispatcherW,GetLastError,WaitForSingleObject,CloseHandle, 10_2_6C8F5BA0
Source: C:\Program Files (x86)\GUM2392.tmp\GoogleUpdate.exe Code function: 10_2_6C8F5B03 StartServiceCtrlDispatcherW,GetLastError,WaitForSingleObject,CloseHandle, 10_2_6C8F5B03
Source: C:\Users\user\Desktop\PhotoScapeSetup_V3-7.exe File created: C:\Program Files (x86)\PhotoScape
Source: C:\Users\user\Desktop\PhotoScapeSetup_V3-7.exe File created: C:\Users\user\Desktop\PhotoScape.lnk
Source: C:\Program Files (x86)\PhotoScape\PhotoScape.exe Mutant created: NULL
Source: C:\Program Files (x86)\GUM2392.tmp\GoogleUpdate.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\G{D19BAF17-7C87-467E-8D63-6C4B1C836373}
Source: C:\Program Files (x86)\GUM2392.tmp\GoogleUpdate.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\GS-1-5-21-2246122658-3693405117-2476756634-1003{D19BAF17-7C87-467E-8D63-6C4B1C836373}
Source: C:\Program Files (x86)\GUM2392.tmp\GoogleUpdate.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\G{0E900C7B-04B0-47f9-81B0-F8D94F2DF01B}
Source: C:\Program Files (x86)\GUM2392.tmp\GoogleUpdate.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\G{A9A86B93-B54E-4570-BE89-42418507707B}
Source: C:\Users\user\Desktop\PhotoScapeSetup_V3-7.exe File created: C:\Users\user\AppData\Local\Temp\nse1C.tmp
Source: C:\Program Files (x86)\GUM2392.tmp\GoogleUpdate.exe Command line argument: DllEntry 10_2_00441569
Source: PhotoScapeSetup_V3-7.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\PhotoScapeSetup_V3-7.exe File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\PhotoScapeSetup_V3-7.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: PhotoScapeSetup_V3-7.exe, 00000000.00000003.2114246136.0000000002900000.00000004.00000020.00020000.00000000.sdmp, PhotoScape.exe, 00000010.00000000.2371400481.00000000007B6000.00000002.00000001.01000000.00000019.sdmp Binary or memory string: INSERT INTO thumb(initcreate, initmodify, inifsize, imgtcreate, imgtmodify, imgfsize, version, image, imgname, ininame) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?);
Source: PhotoScapeSetup_V3-7.exe, 00000000.00000003.2114246136.0000000002900000.00000004.00000020.00020000.00000000.sdmp, PhotoScape.exe, 00000010.00000000.2371400481.00000000007B6000.00000002.00000001.01000000.00000019.sdmp Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM ' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
Source: PhotoScapeSetup_V3-7.exe, 00000000.00000003.2114246136.0000000002900000.00000004.00000020.00020000.00000000.sdmp, PhotoScape.exe, 00000010.00000000.2371400481.00000000007B6000.00000002.00000001.01000000.00000019.sdmp Binary or memory string: UPDATE thumb SET initcreate = ?, initmodify = ?, inifsize = ?, imgtcreate = ?, imgtmodify = ?, imgfsize = ?, version = ?, image = ?, imgname = ? WHERE ininame = ?;
Source: PhotoScapeSetup_V3-7.exe, 00000000.00000003.2114246136.0000000002900000.00000004.00000020.00020000.00000000.sdmp, PhotoScape.exe, 00000010.00000000.2371400481.00000000007B6000.00000002.00000001.01000000.00000019.sdmp Binary or memory string: SELECT 'CREATE TRIGGER vacuum_db.' || substr(sql, 16, 1000000) FROM sqlite_master WHERE type='trigger'SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM ' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence' SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM ' || quote(name) || ';'FROM sqlite_master WHERE type = 'table' AND name!='sqlite_sequence';SELECT 'CREATE VIEW vacuum_db.' || substr(sql,13,100000000) FROM sqlite_master WHERE type='view'SELECT 'CREATE UNIQUE INDEX vacuum_db.' || substr(sql,21,100000000) FROM sqlite_master WHERE sql LIKE 'CREATE UNIQUE INDEX %'SELECT 'CREATE INDEX vacuum_db.' || substr(sql,14,100000000) FROM sqlite_master WHERE sql LIKE 'CREATE INDEX %' SELECT 'CREATE TABLE vacuum_db.' || substr(sql,14,100000000) FROM sqlite_master WHERE type='table' AND name!='sqlite_sequence'BEGIN EXCLUSIVE;PRAGMA vacuum_db.synchronous=OFFATTACH '%q' AS vacuum_db;cannot VACUUM from within a transaction
Source: PhotoScapeSetup_V3-7.exe, 00000000.00000003.2114246136.0000000002900000.00000004.00000020.00020000.00000000.sdmp, PhotoScape.exe, 00000010.00000000.2371400481.00000000007B6000.00000002.00000001.01000000.00000019.sdmp Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: PhotoScapeSetup_V3-7.exe, 00000000.00000003.2114246136.0000000002900000.00000004.00000020.00020000.00000000.sdmp, PhotoScape.exe, 00000010.00000000.2371400481.00000000007B6000.00000002.00000001.01000000.00000019.sdmp Binary or memory string: CREATE TABLE thumb(ininame text primary key, initcreate int, initmodify int, inifsize int, imgname text, imgtcreate int, imgtmodify int, imgfsize int, version int, image blob);
Source: PhotoScapeSetup_V3-7.exe, 00000000.00000003.2114246136.0000000002900000.00000004.00000020.00020000.00000000.sdmp, PhotoScape.exe, 00000010.00000000.2371400481.00000000007B6000.00000002.00000001.01000000.00000019.sdmp Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name, %d+18,10) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
Source: PhotoScapeSetup_V3-7.exe, 00000000.00000003.2114246136.0000000002900000.00000004.00000020.00020000.00000000.sdmp, PhotoScape.exe, 00000010.00000000.2371400481.00000000007B6000.00000002.00000001.01000000.00000019.sdmp Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#0,%Q);
Source: PhotoScapeSetup_V3-7.exe, 00000000.00000003.2114246136.0000000002900000.00000004.00000020.00020000.00000000.sdmp, PhotoScape.exe, 00000010.00000000.2371400481.00000000007B6000.00000002.00000001.01000000.00000019.sdmp Binary or memory string: SELECT fname FROM thumb;
Source: PhotoScapeSetup_V3-7.exe, 00000000.00000003.2114246136.0000000002900000.00000004.00000020.00020000.00000000.sdmp, PhotoScape.exe, 00000010.00000000.2371400481.00000000007B6000.00000002.00000001.01000000.00000019.sdmp Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM ' || quote(name) || ';'FROM sqlite_master WHERE type = 'table' AND name!='sqlite_sequence';
Source: PhotoScapeSetup_V3-7.exe, 00000000.00000003.2114246136.0000000002900000.00000004.00000020.00020000.00000000.sdmp, PhotoScape.exe, 00000010.00000000.2371400481.00000000007B6000.00000002.00000001.01000000.00000019.sdmp Binary or memory string: CREATE TABLE thumb(fname text primary key, tcreate int, tmodify int, fsize int, width int, height int, image blob);
Source: PhotoScapeSetup_V3-7.exe, 00000000.00000003.2114246136.0000000002900000.00000004.00000020.00020000.00000000.sdmp, PhotoScape.exe, 00000010.00000000.2371400481.00000000007B6000.00000002.00000001.01000000.00000019.sdmp Binary or memory string: INSERT INTO thumb(tcreate, tmodify, fsize, width, height, image, fname) VALUES (?, ?, ?, ?, ?, ?, ?);
Source: PhotoScapeSetup_V3-7.exe, 00000000.00000003.2114246136.0000000002900000.00000004.00000020.00020000.00000000.sdmp, PhotoScape.exe, 00000010.00000000.2371400481.00000000007B6000.00000002.00000001.01000000.00000019.sdmp Binary or memory string: UPDATE thumb SET tcreate = ?, tmodify = ?, fsize = ?, width = ? , height = ?, image = ? WHERE fname = ?;
Source: PhotoScapeSetup_V3-7.exe, 00000000.00000003.2114246136.0000000002900000.00000004.00000020.00020000.00000000.sdmp, PhotoScape.exe, 00000010.00000000.2371400481.00000000007B6000.00000002.00000001.01000000.00000019.sdmp Binary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
Source: GTGCAPI.exe String found in binary or memory: /launchgd
Source: GTGCAPI.exe String found in binary or memory: /launchgc
Source: GTGCAPI.exe String found in binary or memory: /launchgd
Source: GTGCAPI.exe String found in binary or memory: /launchgc
Source: GTGCAPI.exe String found in binary or memory: /launchgd
Source: GTGCAPI.exe String found in binary or memory: /launchgc
Source: Mooii_GDrive.exe String found in binary or memory: :\Users\user\AppData\Local\Temp\GoogleUpdateSetup_latest.exe /silent /install "appguid={3C122445-AECE-4309-90B7-85A6AEF42AC0}&a
Source: Mooii_GDrive.exe String found in binary or memory: C:\Users\user\AppData\Local\Temp\GoogleUpdateSetup_latest.exe /silent /install "appguid={3C122445-AECE-4309-90B7-85A6AEF42AC0}&
Source: GoogleUpdate.exe String found in binary or memory: /installerdata=
Source: GoogleUpdate.exe String found in binary or memory: Application update/install
Source: GoogleUpdate.exe String found in binary or memory: http://www.google.com/support/installer/?
Source: PhotoScapeSetup_V3-7.exe String found in binary or memory: -aDD$
Source: C:\Users\user\Desktop\PhotoScapeSetup_V3-7.exe File read: C:\Users\user\Desktop\PhotoScapeSetup_V3-7.exe
Source: unknown Process created: C:\Users\user\Desktop\PhotoScapeSetup_V3-7.exe "C:\Users\user\Desktop\PhotoScapeSetup_V3-7.exe"
Source: C:\Users\user\Desktop\PhotoScapeSetup_V3-7.exe Process created: C:\Users\user\AppData\Local\Temp\GTGCAPI.exe "C:\Users\user\AppData\Local\Temp\GTGCAPI.exe"
Source: C:\Users\user\Desktop\PhotoScapeSetup_V3-7.exe Process created: C:\Users\user\AppData\Local\Temp\GTGCAPI.exe "C:\Users\user\AppData\Local\Temp\GTGCAPI.exe" /reasongccc
Source: C:\Users\user\Desktop\PhotoScapeSetup_V3-7.exe Process created: C:\Users\user\AppData\Local\Temp\GTGCAPI.exe "C:\Users\user\AppData\Local\Temp\GTGCAPI.exe" /reasontcc
Source: C:\Users\user\Desktop\PhotoScapeSetup_V3-7.exe Process created: C:\Users\user\AppData\Local\Temp\GTGCAPI.exe "C:\Users\user\AppData\Local\Temp\GTGCAPI.exe" /reasongdcc
Source: C:\Users\user\Desktop\PhotoScapeSetup_V3-7.exe Process created: C:\Users\user\AppData\Local\Temp\GTGCAPI.exe "C:\Users\user\AppData\Local\Temp\GTGCAPI.exe" /set
Source: C:\Users\user\Desktop\PhotoScapeSetup_V3-7.exe Process created: C:\Users\user\AppData\Local\Temp\GoogleSetup.exe "C:\Users\user\AppData\Local\Temp\GoogleSetup.exe" ver=3.7&hwnd=132226&app=gd&ReasonGCCC=2&ReasonTCC=4&ReasonGDCC=0&lang=eng&
Source: C:\Users\user\AppData\Local\Temp\GoogleSetup.exe Process created: C:\Users\user\AppData\Local\Temp\Mooii_GDrive.exe "C:\Users\user\AppData\Local\Temp\Mooii_GDrive.exe" /back:false
Source: C:\Users\user\AppData\Local\Temp\Mooii_GDrive.exe Process created: C:\Users\user\AppData\Local\Temp\GoogleUpdateSetup_latest.exe C:\Users\user\AppData\Local\Temp\GoogleUpdateSetup_latest.exe /silent /install "appguid={3C122445-AECE-4309-90B7-85A6AEF42AC0}&appname=Google%20Drive&needsadmin=true&brand=VLYS"
Source: C:\Users\user\AppData\Local\Temp\GoogleUpdateSetup_latest.exe Process created: C:\Program Files (x86)\GUM2392.tmp\GoogleUpdate.exe "C:\Program Files (x86)\GUM2392.tmp\GoogleUpdate.exe" /silent /install "appguid={3C122445-AECE-4309-90B7-85A6AEF42AC0}&appname=Google%20Drive&needsadmin=true&brand=VLYS"
Source: C:\Users\user\Desktop\PhotoScapeSetup_V3-7.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://photoscape.org/link/link.php?version=installer&topic=afterinstall&v=3.7
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1964 --field-trial-handle=1908,i,14191733424646554431,12677595766142232178,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Users\user\Desktop\PhotoScapeSetup_V3-7.exe Process created: C:\Program Files (x86)\PhotoScape\PhotoScape.exe "C:\Program Files (x86)\PhotoScape\PhotoScape.exe" /foreground
Source: C:\Program Files (x86)\PhotoScape\PhotoScape.exe Process created: C:\Windows\splwow64.exe C:\Windows\splwow64.exe 12288
Source: C:\Users\user\Desktop\PhotoScapeSetup_V3-7.exe Process created: C:\Users\user\AppData\Local\Temp\GTGCAPI.exe "C:\Users\user\AppData\Local\Temp\GTGCAPI.exe"
Source: C:\Users\user\Desktop\PhotoScapeSetup_V3-7.exe Process created: C:\Users\user\AppData\Local\Temp\GTGCAPI.exe "C:\Users\user\AppData\Local\Temp\GTGCAPI.exe" /reasongccc
Source: C:\Users\user\Desktop\PhotoScapeSetup_V3-7.exe Process created: C:\Users\user\AppData\Local\Temp\GTGCAPI.exe "C:\Users\user\AppData\Local\Temp\GTGCAPI.exe" /reasontcc
Source: C:\Users\user\Desktop\PhotoScapeSetup_V3-7.exe Process created: C:\Users\user\AppData\Local\Temp\GTGCAPI.exe "C:\Users\user\AppData\Local\Temp\GTGCAPI.exe" /reasongdcc
Source: C:\Users\user\Desktop\PhotoScapeSetup_V3-7.exe Process created: C:\Users\user\AppData\Local\Temp\GTGCAPI.exe "C:\Users\user\AppData\Local\Temp\GTGCAPI.exe" /set
Source: C:\Users\user\Desktop\PhotoScapeSetup_V3-7.exe Process created: C:\Users\user\AppData\Local\Temp\GoogleSetup.exe "C:\Users\user\AppData\Local\Temp\GoogleSetup.exe" ver=3.7&hwnd=132226&app=gd&ReasonGCCC=2&ReasonTCC=4&ReasonGDCC=0&lang=eng&
Source: C:\Users\user\Desktop\PhotoScapeSetup_V3-7.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://photoscape.org/link/link.php?version=installer&topic=afterinstall&v=3.7
Source: C:\Users\user\Desktop\PhotoScapeSetup_V3-7.exe Process created: C:\Program Files (x86)\PhotoScape\PhotoScape.exe "C:\Program Files (x86)\PhotoScape\PhotoScape.exe" /foreground
Source: C:\Users\user\AppData\Local\Temp\GoogleSetup.exe Process created: C:\Users\user\AppData\Local\Temp\Mooii_GDrive.exe "C:\Users\user\AppData\Local\Temp\Mooii_GDrive.exe" /back:false
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Users\user\Desktop\PhotoScapeSetup_V3-7.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
Source: PhotoScape.lnk.0.dr LNK file: ..\..\..\..\..\..\..\Program Files (x86)\PhotoScape\PhotoScape.exe
Source: PhotoScape.lnk0.0.dr LNK file: ..\..\..\Program Files (x86)\PhotoScape\PhotoScape.exe
Source: Uninstall PhotoScape.lnk.0.dr LNK file: ..\..\..\..\..\..\Program Files (x86)\PhotoScape\uninstall.exe
Source: PhotoScape.lnk1.0.dr LNK file: ..\..\..\..\..\..\Program Files (x86)\PhotoScape\PhotoScape.exe
Source: Google Drive.lnk.13.dr LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: YouTube.lnk.13.dr LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Slides.lnk.13.dr LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Gmail.lnk.13.dr LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Sheets.lnk.13.dr LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Docs.lnk.13.dr LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: C:\Program Files (x86)\PhotoScape\PhotoScape.exe Window found: window name: msctls_updown32
Source: C:\Users\user\Desktop\PhotoScapeSetup_V3-7.exe Automated click: I Agree - install
Source: C:\Users\user\Desktop\PhotoScapeSetup_V3-7.exe Automated click: Next
Source: C:\Program Files (x86)\PhotoScape\PhotoScape.exe File opened: C:\Windows\SysWOW64\RICHED32.DLL
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\PhotoScapeSetup_V3-7.exe Window detected: Thank you for downloading PhotoScape.OptionsI Agree - installCancelBy installing PhotoScape you agree to thePhotoScape End User License Agreement. Photoscape is a fun and easy photo editing software that enables you to fix and enhance photos.Photoscape is provided free of charge.
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Window detected: Number of UI elements: 259
Source: C:\Program Files (x86)\PhotoScape\PhotoScape.exe Window detected: Number of UI elements: 22
Source: C:\Program Files (x86)\PhotoScape\PhotoScape.exe Window detected: Number of UI elements: 13
Source: PhotoScapeSetup_V3-7.exe Static PE information: certificate valid
Source: PhotoScapeSetup_V3-7.exe Static file information: File size 21025552 > 1048576
Source: C:\Users\user\AppData\Local\Temp\GTGCAPI.exe File opened: C:\Windows\WinSxS\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.9625_none_508ef7e4bcbbe589\MSVCR90.dll
Source: Binary string: goopdateres_unsigned_ms.pdb source: GoogleUpdateSetup_latest.exe, 00000009.00000003.2092153553.000000000347E000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdateSetup_latest.exe, 00000009.00000003.2091741940.0000000002CA3000.00000004.00000020.00020000.00000000.sdmp, GUT2393.tmp.9.dr
Source: Binary string: msvcr90.i386.pdb source: PhotoScapeSetup_V3-7.exe, 00000000.00000003.2120397499.0000000002905000.00000004.00000020.00020000.00000000.sdmp, PhotoScapeSetup_V3-7.exe, 00000000.00000003.2004669595.0000000002903000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: goopdateres_unsigned_fa.pdb source: GoogleUpdateSetup_latest.exe, 00000009.00000003.2092153553.000000000347E000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdateSetup_latest.exe, 00000009.00000003.2091741940.0000000002CA3000.00000004.00000020.00020000.00000000.sdmp, GUT2393.tmp.9.dr
Source: Binary string: goopdateres_unsigned_lt.pdb source: GoogleUpdateSetup_latest.exe, 00000009.00000003.2092153553.000000000347E000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdateSetup_latest.exe, 00000009.00000003.2091741940.0000000002CA3000.00000004.00000020.00020000.00000000.sdmp, GUT2393.tmp.9.dr
Source: Binary string: goopdateres_unsigned_ru.pdb source: GoogleUpdateSetup_latest.exe, 00000009.00000003.2092153553.000000000347E000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdateSetup_latest.exe, 00000009.00000003.2091741940.0000000002CA3000.00000004.00000020.00020000.00000000.sdmp, GUT2393.tmp.9.dr, goopdateres_ru.dll.9.dr
Source: Binary string: goopdateres_unsigned_el.pdb source: GoogleUpdateSetup_latest.exe, 00000009.00000003.2092153553.000000000347E000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdateSetup_latest.exe, 00000009.00000003.2091741940.0000000002CA3000.00000004.00000020.00020000.00000000.sdmp, GUT2393.tmp.9.dr
Source: Binary string: goopdateres_unsigned_tr.pdb source: GoogleUpdateSetup_latest.exe, 00000009.00000003.2092153553.000000000347E000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdateSetup_latest.exe, 00000009.00000003.2091741940.0000000002CA3000.00000004.00000020.00020000.00000000.sdmp, GUT2393.tmp.9.dr, goopdateres_tr.dll.9.dr
Source: Binary string: goopdateres_unsigned_de.pdb source: GoogleUpdateSetup_latest.exe, 00000009.00000003.2092153553.000000000347E000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdateSetup_latest.exe, 00000009.00000003.2091741940.0000000002CA3000.00000004.00000020.00020000.00000000.sdmp, GUT2393.tmp.9.dr, goopdateres_de.dll.9.dr
Source: Binary string: GoogleUpdateOnDemand_unsigned.pdbp) source: GoogleUpdateSetup_latest.exe, 00000009.00000003.2092153553.0000000003412000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdateSetup_latest.exe, 00000009.00000003.2091741940.0000000002C31000.00000004.00000020.00020000.00000000.sdmp, GUT2393.tmp.9.dr
Source: Binary string: goopdateres_unsigned_bg.pdb source: GoogleUpdateSetup_latest.exe, 00000009.00000003.2092153553.000000000347E000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdateSetup_latest.exe, 00000009.00000003.2091741940.0000000002CA3000.00000004.00000020.00020000.00000000.sdmp, GUT2393.tmp.9.dr, goopdateres_bg.dll.9.dr
Source: Binary string: goopdateres_unsigned_mr.pdb source: GoogleUpdateSetup_latest.exe, 00000009.00000003.2092153553.000000000347E000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdateSetup_latest.exe, 00000009.00000003.2091741940.0000000002CA3000.00000004.00000020.00020000.00000000.sdmp, GUT2393.tmp.9.dr
Source: Binary string: goopdateres_unsigned_gu.pdb source: GoogleUpdateSetup_latest.exe, 00000009.00000003.2092153553.000000000347E000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdateSetup_latest.exe, 00000009.00000003.2091741940.0000000002CA3000.00000004.00000020.00020000.00000000.sdmp, GUT2393.tmp.9.dr
Source: Binary string: c:\work\chromium\src\build\Release\gcapi_dll.pdb source: PhotoScapeSetup_V3-7.exe, 00000000.00000003.2003216266.0000000002909000.00000004.00000020.00020000.00000000.sdmp, gcapi_dll.dll.0.dr
Source: Binary string: goopdateres_unsigned_sr.pdb source: GoogleUpdateSetup_latest.exe, 00000009.00000003.2092153553.000000000347E000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdateSetup_latest.exe, 00000009.00000003.2091741940.0000000002CA3000.00000004.00000020.00020000.00000000.sdmp, GUT2393.tmp.9.dr
Source: Binary string: goopdateres_unsigned_th.pdb source: GoogleUpdateSetup_latest.exe, 00000009.00000003.2092153553.000000000347E000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdateSetup_latest.exe, 00000009.00000003.2091741940.0000000002CA3000.00000004.00000020.00020000.00000000.sdmp, GUT2393.tmp.9.dr, goopdateres_th.dll.9.dr
Source: Binary string: GoogleUpdateOnDemand_unsigned.pdb source: GoogleUpdateSetup_latest.exe, 00000009.00000003.2092153553.0000000003412000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdateSetup_latest.exe, 00000009.00000003.2091741940.0000000002C31000.00000004.00000020.00020000.00000000.sdmp, GUT2393.tmp.9.dr
Source: Binary string: mfc90.i386.pdb source: PhotoScapeSetup_V3-7.exe, 00000000.00000003.2117939007.0000000002902000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: MicrosoftWindowsGdiPlus-1.0.2600.2180-gdiplus.pdbH source: PhotoScapeSetup_V3-7.exe, 00000000.00000003.2116640502.0000000002901000.00000004.00000020.00020000.00000000.sdmp, GdiPlus.dll.0.dr
Source: Binary string: GoogleCrashHandler64_unsigned.pdb source: GoogleUpdateSetup_latest.exe, 00000009.00000003.2092153553.000000000347E000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdateSetup_latest.exe, 00000009.00000003.2091741940.0000000002CA3000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdateSetup_latest.exe, 00000009.00000002.3259785509.0000000000E6E000.00000004.00000010.00020000.00000000.sdmp, GUT2393.tmp.9.dr, GoogleCrashHandler64.exe.9.dr
Source: Binary string: psmachine_unsigned.pdb source: GoogleUpdateSetup_latest.exe, 00000009.00000003.2092153553.0000000003412000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdateSetup_latest.exe, 00000009.00000003.2091741940.0000000002C31000.00000004.00000020.00020000.00000000.sdmp, GUT2393.tmp.9.dr, psmachine.dll.9.dr
Source: Binary string: goopdateres_unsigned_am.pdb source: GoogleUpdateSetup_latest.exe, 00000009.00000003.2092153553.000000000347E000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdateSetup_latest.exe, 00000009.00000003.2091741940.0000000002CA3000.00000004.00000020.00020000.00000000.sdmp, GUT2393.tmp.9.dr, goopdateres_am.dll.9.dr
Source: Binary string: goopdateres_unsigned_cs.pdb source: GoogleUpdateSetup_latest.exe, 00000009.00000003.2092153553.000000000347E000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdateSetup_latest.exe, 00000009.00000003.2091741940.0000000002CA3000.00000004.00000020.00020000.00000000.sdmp, goopdateres_cs.dll.9.dr, GUT2393.tmp.9.dr
Source: Binary string: goopdateres_unsigned_lv.pdb source: GoogleUpdateSetup_latest.exe, 00000009.00000003.2092153553.000000000347E000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdateSetup_latest.exe, 00000009.00000003.2091741940.0000000002CA3000.00000004.00000020.00020000.00000000.sdmp, goopdateres_lv.dll.9.dr, GUT2393.tmp.9.dr
Source: Binary string: goopdateres_unsigned_ta.pdb source: GoogleUpdateSetup_latest.exe, 00000009.00000003.2092153553.000000000347E000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdateSetup_latest.exe, 00000009.00000003.2091741940.0000000002CA3000.00000004.00000020.00020000.00000000.sdmp, GUT2393.tmp.9.dr
Source: Binary string: GoogleUpdateBroker_unsigned.pdbp) source: GoogleUpdateSetup_latest.exe, 00000009.00000003.2092153553.0000000003412000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdateSetup_latest.exe, 00000009.00000003.2091741940.0000000002C31000.00000004.00000020.00020000.00000000.sdmp, GUT2393.tmp.9.dr
Source: Binary string: c:\work\chromium\src\build\Release\gcapi_dll.pdb( source: PhotoScapeSetup_V3-7.exe, 00000000.00000003.2003216266.0000000002909000.00000004.00000020.00020000.00000000.sdmp, gcapi_dll.dll.0.dr
Source: Binary string: goopdate_unsigned.pdb source: GoogleUpdateSetup_latest.exe, 00000009.00000003.2092153553.00000000032E1000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdateSetup_latest.exe, 00000009.00000003.2091741940.0000000002AD9000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000000A.00000002.3265038387.000000006C979000.00000002.00000001.01000000.00000012.sdmp, GUT2393.tmp.9.dr, goopdate.dll.9.dr
Source: Binary string: goopdateres_unsigned_hi.pdb source: GoogleUpdateSetup_latest.exe, 00000009.00000003.2092153553.000000000347E000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdateSetup_latest.exe, 00000009.00000003.2091741940.0000000002CA3000.00000004.00000020.00020000.00000000.sdmp, GUT2393.tmp.9.dr
Source: Binary string: goopdateres_unsigned_es-419.pdb source: GoogleUpdateSetup_latest.exe, 00000009.00000003.2092153553.000000000347E000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdateSetup_latest.exe, 00000009.00000003.2091741940.0000000002CA3000.00000004.00000020.00020000.00000000.sdmp, GUT2393.tmp.9.dr, goopdateres_es-419.dll.9.dr
Source: Binary string: GoogleCrashHandler_unsigned.pdb source: GoogleUpdateSetup_latest.exe, 00000009.00000003.2091741940.0000000002A8A000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdateSetup_latest.exe, 00000009.00000003.2092153553.0000000003298000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdateSetup_latest.exe, 00000009.00000003.2091090955.0000000002A82000.00000004.00000020.00020000.00000000.sdmp, GUT2393.tmp.9.dr, GoogleCrashHandler.exe.9.dr
Source: Binary string: mi_exe_stub.pdb source: GoogleUpdateSetup_latest.exe, 00000009.00000002.3259072193.0000000000CF7000.00000002.00000001.01000000.00000010.sdmp, GoogleUpdateSetup_latest.exe, 00000009.00000000.2089761210.0000000000CF7000.00000002.00000001.01000000.00000010.sdmp, GoogleUpdateSetup_latest.exe.8.dr
Source: Binary string: goopdateres_unsigned_pt-BR.pdb source: GoogleUpdateSetup_latest.exe, 00000009.00000003.2092153553.000000000347E000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdateSetup_latest.exe, 00000009.00000003.2091741940.0000000002CA3000.00000004.00000020.00020000.00000000.sdmp, GUT2393.tmp.9.dr, goopdateres_pt-BR.dll.9.dr
Source: Binary string: goopdateres_unsigned_hr.pdb source: GoogleUpdateSetup_latest.exe, 00000009.00000003.2092153553.000000000347E000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdateSetup_latest.exe, 00000009.00000003.2091741940.0000000002CA3000.00000004.00000020.00020000.00000000.sdmp, GUT2393.tmp.9.dr
Source: Binary string: goopdateres_unsigned_id.pdb source: GoogleUpdateSetup_latest.exe, 00000009.00000003.2092153553.000000000347E000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdateSetup_latest.exe, 00000009.00000003.2091741940.0000000002CA3000.00000004.00000020.00020000.00000000.sdmp, GUT2393.tmp.9.dr
Source: Binary string: npGoogleUpdate3_unsigned.pdb source: GoogleUpdateSetup_latest.exe, 00000009.00000003.2091090955.0000000002B80000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdateSetup_latest.exe, 00000009.00000003.2091741940.0000000002BA5000.00000004.00000020.00020000.00000000.sdmp, GUT2393.tmp.9.dr
Source: Binary string: goopdateres_unsigned_zh-TW.pdb source: GoogleUpdateSetup_latest.exe, 00000009.00000003.2092153553.000000000347E000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdateSetup_latest.exe, 00000009.00000003.2091741940.0000000002CA3000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdateSetup_latest.exe, 00000009.00000002.3259785509.0000000000E6E000.00000004.00000010.00020000.00000000.sdmp, GUT2393.tmp.9.dr
Source: Binary string: GoogleUpdate_unsigned.pdb source: GoogleUpdateSetup_latest.exe, 00000009.00000003.2091741940.0000000002A8A000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdateSetup_latest.exe, 00000009.00000003.2092153553.0000000003298000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdateSetup_latest.exe, 00000009.00000003.2091090955.0000000002A82000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, GoogleUpdate.exe, 0000000A.00000002.3258616779.000000000044C000.00000002.00000001.01000000.00000011.sdmp, GoogleUpdate.exe, 0000000A.00000000.2097000811.000000000044C000.00000002.00000001.01000000.00000011.sdmp, GUT2393.tmp.9.dr, GoogleUpdate.exe.9.dr
Source: Binary string: GoogleUpdateBroker_unsigned.pdb source: GoogleUpdateSetup_latest.exe, 00000009.00000003.2092153553.0000000003412000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdateSetup_latest.exe, 00000009.00000003.2091741940.0000000002C31000.00000004.00000020.00020000.00000000.sdmp, GUT2393.tmp.9.dr
Source: Binary string: gtapi.pdb source: PhotoScapeSetup_V3-7.exe, 00000000.00000003.2002530269.0000000002903000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: goopdateres_unsigned_sw.pdb source: GoogleUpdateSetup_latest.exe, 00000009.00000003.2092153553.000000000347E000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdateSetup_latest.exe, 00000009.00000003.2091741940.0000000002CA3000.00000004.00000020.00020000.00000000.sdmp, goopdateres_sw.dll.9.dr, GUT2393.tmp.9.dr
Source: Binary string: goopdateres_unsigned_it.pdb source: GoogleUpdateSetup_latest.exe, 00000009.00000003.2092153553.000000000347E000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdateSetup_latest.exe, 00000009.00000003.2091741940.0000000002CA3000.00000004.00000020.00020000.00000000.sdmp, GUT2393.tmp.9.dr
Source: Binary string: MicrosoftWindowsGdiPlus-1.0.2600.2180-gdiplus.pdb source: PhotoScapeSetup_V3-7.exe, 00000000.00000003.2116640502.0000000002901000.00000004.00000020.00020000.00000000.sdmp, GdiPlus.dll.0.dr
Source: Binary string: goopdateres_unsigned_pt-PT.pdb source: GoogleUpdateSetup_latest.exe, 00000009.00000003.2092153553.000000000347E000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdateSetup_latest.exe, 00000009.00000003.2091741940.0000000002CA3000.00000004.00000020.00020000.00000000.sdmp, GUT2393.tmp.9.dr, goopdateres_pt-PT.dll.9.dr
Source: Binary string: goopdateres_unsigned_vi.pdb source: GoogleUpdateSetup_latest.exe, 00000009.00000003.2092153553.000000000347E000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdateSetup_latest.exe, 00000009.00000003.2091741940.0000000002CA3000.00000004.00000020.00020000.00000000.sdmp, GUT2393.tmp.9.dr
Source: Binary string: goopdateres_unsigned_bn.pdb source: GoogleUpdateSetup_latest.exe, 00000009.00000003.2092153553.000000000347E000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdateSetup_latest.exe, 00000009.00000003.2091741940.0000000002CA3000.00000004.00000020.00020000.00000000.sdmp, GUT2393.tmp.9.dr
Source: Binary string: goopdateres_unsigned_ja.pdb source: GoogleUpdateSetup_latest.exe, 00000009.00000003.2092153553.000000000347E000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdateSetup_latest.exe, 00000009.00000003.2091741940.0000000002CA3000.00000004.00000020.00020000.00000000.sdmp, goopdateres_ja.dll.9.dr, GUT2393.tmp.9.dr
Source: Binary string: gtapi.pdb ) source: PhotoScapeSetup_V3-7.exe, 00000000.00000003.2002530269.0000000002903000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: goopdateres_unsigned_sv.pdb source: GoogleUpdateSetup_latest.exe, 00000009.00000003.2092153553.000000000347E000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdateSetup_latest.exe, 00000009.00000003.2091741940.0000000002CA3000.00000004.00000020.00020000.00000000.sdmp, GUT2393.tmp.9.dr, goopdateres_sv.dll.9.dr
Source: Binary string: goopdateres_unsigned_es.pdb source: GoogleUpdateSetup_latest.exe, 00000009.00000003.2092153553.000000000347E000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdateSetup_latest.exe, 00000009.00000003.2091741940.0000000002CA3000.00000004.00000020.00020000.00000000.sdmp, GUT2393.tmp.9.dr, goopdateres_es.dll.9.dr
Source: Binary string: goopdateres_unsigned_is.pdb source: GoogleUpdateSetup_latest.exe, 00000009.00000003.2092153553.000000000347E000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdateSetup_latest.exe, 00000009.00000003.2091741940.0000000002CA3000.00000004.00000020.00020000.00000000.sdmp, GUT2393.tmp.9.dr, goopdateres_is.dll.9.dr
Source: Binary string: goopdateres_unsigned_fr.pdb source: GoogleUpdateSetup_latest.exe, 00000009.00000003.2092153553.000000000347E000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdateSetup_latest.exe, 00000009.00000003.2091741940.0000000002CA3000.00000004.00000020.00020000.00000000.sdmp, GUT2393.tmp.9.dr
Source: Binary string: goopdateres_unsigned_ro.pdb source: GoogleUpdateSetup_latest.exe, 00000009.00000003.2092153553.000000000347E000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdateSetup_latest.exe, 00000009.00000003.2091741940.0000000002CA3000.00000004.00000020.00020000.00000000.sdmp, GUT2393.tmp.9.dr, goopdateres_ro.dll.9.dr
Source: Binary string: goopdateres_unsigned_uk.pdb source: GoogleUpdateSetup_latest.exe, 00000009.00000003.2092153553.000000000347E000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdateSetup_latest.exe, 00000009.00000003.2091741940.0000000002CA3000.00000004.00000020.00020000.00000000.sdmp, GUT2393.tmp.9.dr
Source: Binary string: goopdateres_unsigned_ca.pdb source: GoogleUpdateSetup_latest.exe, 00000009.00000003.2092153553.000000000347E000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdateSetup_latest.exe, 00000009.00000003.2091741940.0000000002CA3000.00000004.00000020.00020000.00000000.sdmp, goopdateres_ca.dll.9.dr, GUT2393.tmp.9.dr
Source: Binary string: goopdateres_unsigned_nl.pdb source: GoogleUpdateSetup_latest.exe, 00000009.00000003.2092153553.000000000347E000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdateSetup_latest.exe, 00000009.00000003.2091741940.0000000002CA3000.00000004.00000020.00020000.00000000.sdmp, GUT2393.tmp.9.dr, goopdateres_nl.dll.9.dr
Source: Binary string: goopdateres_unsigned_ko.pdb source: GoogleUpdateSetup_latest.exe, 00000009.00000003.2092153553.000000000347E000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdateSetup_latest.exe, 00000009.00000003.2091741940.0000000002CA3000.00000004.00000020.00020000.00000000.sdmp, GUT2393.tmp.9.dr
Source: Binary string: goopdateres_unsigned_et.pdb source: GoogleUpdateSetup_latest.exe, 00000009.00000003.2092153553.000000000347E000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdateSetup_latest.exe, 00000009.00000003.2091741940.0000000002CA3000.00000004.00000020.00020000.00000000.sdmp, GUT2393.tmp.9.dr
Source: Binary string: msvcp90.i386.pdb source: PhotoScapeSetup_V3-7.exe, 00000000.00000003.2118851699.0000000002903000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: goopdateres_unsigned_iw.pdb source: GoogleUpdateSetup_latest.exe, 00000009.00000003.2092153553.000000000347E000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdateSetup_latest.exe, 00000009.00000003.2091741940.0000000002CA3000.00000004.00000020.00020000.00000000.sdmp, GUT2393.tmp.9.dr, goopdateres_iw.dll.9.dr
Source: Binary string: goopdateres_unsigned_no.pdb source: GoogleUpdateSetup_latest.exe, 00000009.00000003.2092153553.000000000347E000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdateSetup_latest.exe, 00000009.00000003.2091741940.0000000002CA3000.00000004.00000020.00020000.00000000.sdmp, GUT2393.tmp.9.dr
Source: Binary string: goopdateres_unsigned_te.pdb source: GoogleUpdateSetup_latest.exe, 00000009.00000003.2092153553.000000000347E000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdateSetup_latest.exe, 00000009.00000003.2091741940.0000000002CA3000.00000004.00000020.00020000.00000000.sdmp, GUT2393.tmp.9.dr
Source: Binary string: goopdateres_unsigned_ur.pdb source: GoogleUpdateSetup_latest.exe, 00000009.00000003.2092153553.000000000347E000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdateSetup_latest.exe, 00000009.00000003.2091741940.0000000002CA3000.00000004.00000020.00020000.00000000.sdmp, GUT2393.tmp.9.dr, goopdateres_ur.dll.9.dr
Source: Binary string: goopdateres_unsigned_fil.pdb source: GoogleUpdateSetup_latest.exe, 00000009.00000003.2092153553.000000000347E000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdateSetup_latest.exe, 00000009.00000003.2091741940.0000000002CA3000.00000004.00000020.00020000.00000000.sdmp, GUT2393.tmp.9.dr
Source: Binary string: mfc90.i386.pdbpmxt source: PhotoScapeSetup_V3-7.exe, 00000000.00000003.2117939007.0000000002902000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: goopdateres_unsigned_pl.pdb source: GoogleUpdateSetup_latest.exe, 00000009.00000003.2092153553.000000000347E000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdateSetup_latest.exe, 00000009.00000003.2091741940.0000000002CA3000.00000004.00000020.00020000.00000000.sdmp, GUT2393.tmp.9.dr, goopdateres_pl.dll.9.dr
Source: Binary string: goopdateres_unsigned_en-GB.pdb source: GoogleUpdateSetup_latest.exe, 00000009.00000003.2092153553.000000000347E000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdateSetup_latest.exe, 00000009.00000003.2091741940.0000000002CA3000.00000004.00000020.00020000.00000000.sdmp, GUT2393.tmp.9.dr
Source: Binary string: goopdateres_unsigned_fi.pdb source: GoogleUpdateSetup_latest.exe, 00000009.00000003.2092153553.000000000347E000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdateSetup_latest.exe, 00000009.00000003.2091741940.0000000002CA3000.00000004.00000020.00020000.00000000.sdmp, GUT2393.tmp.9.dr
Source: Binary string: goopdateres_unsigned_ml.pdb source: GoogleUpdateSetup_latest.exe, 00000009.00000003.2092153553.000000000347E000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdateSetup_latest.exe, 00000009.00000003.2091741940.0000000002CA3000.00000004.00000020.00020000.00000000.sdmp, GUT2393.tmp.9.dr
Source: Binary string: goopdateres_unsigned_sk.pdb source: GoogleUpdateSetup_latest.exe, 00000009.00000003.2092153553.000000000347E000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdateSetup_latest.exe, 00000009.00000003.2091741940.0000000002CA3000.00000004.00000020.00020000.00000000.sdmp, GUT2393.tmp.9.dr
Source: Binary string: psuser_unsigned.pdb source: GoogleUpdateSetup_latest.exe, 00000009.00000003.2092153553.0000000003459000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdateSetup_latest.exe, 00000009.00000003.2091741940.0000000002C7B000.00000004.00000020.00020000.00000000.sdmp, GUT2393.tmp.9.dr
Source: Binary string: goopdateres_unsigned_hu.pdb source: GoogleUpdateSetup_latest.exe, 00000009.00000003.2092153553.000000000347E000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdateSetup_latest.exe, 00000009.00000003.2091741940.0000000002CA3000.00000004.00000020.00020000.00000000.sdmp, GUT2393.tmp.9.dr
Source: Binary string: goopdateres_unsigned_en.pdb source: GoogleUpdateSetup_latest.exe, 00000009.00000003.2092153553.000000000347E000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdateSetup_latest.exe, 00000009.00000003.2091741940.0000000002CA3000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000000A.00000002.3263112671.00000000024A0000.00000002.00000001.00040000.00000021.sdmp, GUT2393.tmp.9.dr
Source: Binary string: goopdateres_unsigned_da.pdb source: GoogleUpdateSetup_latest.exe, 00000009.00000003.2092153553.000000000347E000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdateSetup_latest.exe, 00000009.00000003.2091741940.0000000002CA3000.00000004.00000020.00020000.00000000.sdmp, GUT2393.tmp.9.dr
Source: Binary string: goopdateres_unsigned_ar.pdb source: GoogleUpdateSetup_latest.exe, 00000009.00000003.2092153553.000000000347E000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdateSetup_latest.exe, 00000009.00000003.2091741940.0000000002CA3000.00000004.00000020.00020000.00000000.sdmp, goopdateres_ar.dll.9.dr, GUT2393.tmp.9.dr
Source: Binary string: goopdateres_unsigned_sl.pdb source: GoogleUpdateSetup_latest.exe, 00000009.00000003.2092153553.000000000347E000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdateSetup_latest.exe, 00000009.00000003.2091741940.0000000002CA3000.00000004.00000020.00020000.00000000.sdmp, GUT2393.tmp.9.dr
Source: Binary string: c:\srcs\syncclient\googleclient\apps\webdrive_sync\windows\gdapi\criteriachecker\Build\gdapi.pdb source: PhotoScapeSetup_V3-7.exe, 00000000.00000003.2003759208.0000000002905000.00000004.00000020.00020000.00000000.sdmp, gdapi.dll.0.dr
Source: Binary string: goopdateres_unsigned_zh-CN.pdb source: GoogleUpdateSetup_latest.exe, 00000009.00000003.2092153553.000000000347E000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdateSetup_latest.exe, 00000009.00000003.2091741940.0000000002CA3000.00000004.00000020.00020000.00000000.sdmp, GUT2393.tmp.9.dr
Source: Binary string: goopdateres_unsigned_kn.pdb source: GoogleUpdateSetup_latest.exe, 00000009.00000003.2092153553.000000000347E000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdateSetup_latest.exe, 00000009.00000003.2091741940.0000000002CA3000.00000004.00000020.00020000.00000000.sdmp, GUT2393.tmp.9.dr
Source: C:\Users\user\Desktop\PhotoScapeSetup_V3-7.exe Code function: 0_2_00405B93 GetModuleHandleA,LoadLibraryA,GetProcAddress, 0_2_00405B93
Source: GoogleUpdateSetup.exe.9.dr Static PE information: real checksum: 0xbbeba should be: 0xc81d1
Source: System.dll.0.dr Static PE information: real checksum: 0x0 should be: 0x6228
Source: System.dll.7.dr Static PE information: real checksum: 0x0 should be: 0x6228
Source: GoogleUpdateSetup_latest.exe.8.dr Static PE information: real checksum: 0xbbeba should be: 0xc81d1
Source: System.dll.8.dr Static PE information: real checksum: 0x0 should be: 0x11699
Source: UserInfo.dll.0.dr Static PE information: real checksum: 0x0 should be: 0xc172
Source: KillProcDLL.dll.0.dr Static PE information: real checksum: 0x0 should be: 0x12168
Source: uninstall.exe.0.dr Static PE information: real checksum: 0x1417028 should be: 0x247ca
Source: nsDialogs.dll.0.dr Static PE information: real checksum: 0x0 should be: 0x941f
Source: GdiPlus.dll.0.dr Static PE information: section name: Shared
Source: GoogleUpdate.exe.9.dr Static PE information: section name: .text/DE
Source: psmachine.dll.9.dr Static PE information: section name: .orpc
Source: psuser.dll.9.dr Static PE information: section name: .orpc
Source: C:\Users\user\AppData\Local\Temp\GTGCAPI.exe Code function: 2_2_00406140 push eax; ret 2_2_0040616E
Source: C:\Users\user\AppData\Local\Temp\GTGCAPI.exe Code function: 3_2_00406140 push eax; ret 3_2_0040616E
Source: C:\Users\user\AppData\Local\Temp\GTGCAPI.exe Code function: 6_2_00406140 push eax; ret 6_2_0040616E
Source: C:\Users\user\AppData\Local\Temp\GoogleUpdateSetup_latest.exe Code function: 9_2_00CF5E9D push ecx; ret 9_2_00CF5EB0
Source: C:\Users\user\AppData\Local\Temp\GoogleUpdateSetup_latest.exe Code function: 9_2_00CF67A5 push ecx; ret 9_2_00CF67B8
Source: C:\Program Files (x86)\GUM2392.tmp\GoogleUpdate.exe Code function: 10_2_00443D81 push ecx; ret 10_2_00443D94
Source: C:\Program Files (x86)\GUM2392.tmp\GoogleUpdate.exe Code function: 10_2_6C95CD9D push ecx; ret 10_2_6C95CDB0
Source: C:\Program Files (x86)\GUM2392.tmp\GoogleUpdate.exe Code function: 10_2_6C9643F7 push ecx; ret 10_2_6C96440A
Source: msvcr90.dll.0.dr Static PE information: section name: .text entropy: 6.92063892456726
Source: C:\Users\user\Desktop\PhotoScapeSetup_V3-7.exe File created: C:\Users\user\AppData\Local\Temp\nsm78F.tmp\KillProcDLL.dll
Source: C:\Users\user\AppData\Local\Temp\GoogleUpdateSetup_latest.exe File created: C:\Program Files (x86)\GUM2392.tmp\goopdateres_ms.dll
Source: C:\Users\user\AppData\Local\Temp\GoogleUpdateSetup_latest.exe File created: C:\Program Files (x86)\GUM2392.tmp\goopdateres_hr.dll
Source: C:\Users\user\AppData\Local\Temp\GoogleUpdateSetup_latest.exe File created: C:\Program Files (x86)\GUM2392.tmp\goopdateres_de.dll
Source: C:\Users\user\Desktop\PhotoScapeSetup_V3-7.exe File created: C:\Program Files (x86)\PhotoScape\PhotoScape.exe
Source: C:\Users\user\Desktop\PhotoScapeSetup_V3-7.exe File created: C:\Users\user\AppData\Local\Temp\nsm78F.tmp\nsDialogs.dll
Source: C:\Users\user\AppData\Local\Temp\Mooii_GDrive.exe File created: C:\Users\user\AppData\Local\Temp\nsd2326.tmp\System.dll
Source: C:\Users\user\AppData\Local\Temp\GoogleUpdateSetup_latest.exe File created: C:\Program Files (x86)\GUM2392.tmp\goopdateres_fa.dll
Source: C:\Users\user\AppData\Local\Temp\GoogleUpdateSetup_latest.exe File created: C:\Program Files (x86)\GUM2392.tmp\goopdateres_th.dll
Source: C:\Users\user\AppData\Local\Temp\GoogleUpdateSetup_latest.exe File created: C:\Program Files (x86)\GUM2392.tmp\goopdateres_ru.dll
Source: C:\Users\user\AppData\Local\Temp\GoogleUpdateSetup_latest.exe File created: C:\Program Files (x86)\GUM2392.tmp\goopdateres_zh-TW.dll
Source: C:\Users\user\AppData\Local\Temp\GoogleUpdateSetup_latest.exe File created: C:\Program Files (x86)\GUM2392.tmp\goopdateres_bg.dll
Source: C:\Users\user\AppData\Local\Temp\GoogleUpdateSetup_latest.exe File created: C:\Program Files (x86)\GUM2392.tmp\goopdateres_mr.dll
Source: C:\Users\user\AppData\Local\Temp\GoogleUpdateSetup_latest.exe File created: C:\Program Files (x86)\GUM2392.tmp\GoogleUpdate.exe
Source: C:\Users\user\AppData\Local\Temp\GoogleUpdateSetup_latest.exe File created: C:\Program Files (x86)\GUM2392.tmp\goopdateres_el.dll
Source: C:\Users\user\AppData\Local\Temp\GoogleUpdateSetup_latest.exe File created: C:\Program Files (x86)\GUM2392.tmp\goopdateres_sr.dll
Source: C:\Users\user\AppData\Local\Temp\GoogleUpdateSetup_latest.exe File created: C:\Program Files (x86)\GUM2392.tmp\goopdateres_zh-CN.dll
Source: C:\Users\user\Desktop\PhotoScapeSetup_V3-7.exe File created: C:\Users\user\AppData\Local\Temp\GoogleSetup.exe
Source: C:\Users\user\Desktop\PhotoScapeSetup_V3-7.exe File created: C:\Users\user\AppData\Local\Temp\nsm78F.tmp\System.dll
Source: C:\Users\user\AppData\Local\Temp\GoogleUpdateSetup_latest.exe File created: C:\Program Files (x86)\GUM2392.tmp\npGoogleUpdate3.dll
Source: C:\Users\user\AppData\Local\Temp\GoogleUpdateSetup_latest.exe File created: C:\Program Files (x86)\GUM2392.tmp\goopdateres_tr.dll
Source: C:\Users\user\AppData\Local\Temp\GoogleUpdateSetup_latest.exe File created: C:\Program Files (x86)\GUM2392.tmp\psuser.dll
Source: C:\Users\user\AppData\Local\Temp\GoogleUpdateSetup_latest.exe File created: C:\Program Files (x86)\GUM2392.tmp\goopdateres_lt.dll
Source: C:\Users\user\Desktop\PhotoScapeSetup_V3-7.exe File created: C:\Program Files (x86)\PhotoScape\uninstall.exe
Source: C:\Users\user\Desktop\PhotoScapeSetup_V3-7.exe File created: C:\Program Files (x86)\PhotoScape\GdiPlus.dll
Source: C:\Users\user\AppData\Local\Temp\GoogleUpdateSetup_latest.exe File created: C:\Program Files (x86)\GUM2392.tmp\goopdateres_id.dll
Source: C:\Users\user\Desktop\PhotoScapeSetup_V3-7.exe File created: C:\Users\user\AppData\Local\Temp\gdapi.dll
Source: C:\Users\user\AppData\Local\Temp\GoogleUpdateSetup_latest.exe File created: C:\Program Files (x86)\GUM2392.tmp\goopdateres_cs.dll
Source: C:\Users\user\AppData\Local\Temp\GoogleSetup.exe File created: C:\Users\user\AppData\Local\Temp\Mooii_Photoscape_Chrome_New.exe
Source: C:\Users\user\AppData\Local\Temp\GoogleUpdateSetup_latest.exe File created: C:\Program Files (x86)\GUM2392.tmp\goopdateres_iw.dll
Source: C:\Users\user\AppData\Local\Temp\GoogleUpdateSetup_latest.exe File created: C:\Program Files (x86)\GUM2392.tmp\goopdate.dll
Source: C:\Users\user\AppData\Local\Temp\GoogleUpdateSetup_latest.exe File created: C:\Program Files (x86)\GUM2392.tmp\goopdateres_fil.dll
Source: C:\Users\user\AppData\Local\Temp\GoogleUpdateSetup_latest.exe File created: C:\Program Files (x86)\GUM2392.tmp\GoogleUpdateOnDemand.exe
Source: C:\Users\user\AppData\Local\Temp\GoogleUpdateSetup_latest.exe File created: C:\Program Files (x86)\GUM2392.tmp\goopdateres_es.dll
Source: C:\Users\user\AppData\Local\Temp\GoogleUpdateSetup_latest.exe File created: C:\Program Files (x86)\GUM2392.tmp\goopdateres_lv.dll
Source: C:\Users\user\AppData\Local\Temp\GoogleUpdateSetup_latest.exe File created: C:\Program Files (x86)\GUM2392.tmp\goopdateres_hi.dll
Source: C:\Users\user\AppData\Local\Temp\GoogleUpdateSetup_latest.exe File created: C:\Program Files (x86)\GUM2392.tmp\goopdateres_pt-PT.dll
Source: C:\Users\user\AppData\Local\Temp\GoogleUpdateSetup_latest.exe File created: C:\Program Files (x86)\GUM2392.tmp\psmachine.dll
Source: C:\Users\user\AppData\Local\Temp\GoogleUpdateSetup_latest.exe File created: C:\Program Files (x86)\GUM2392.tmp\goopdateres_en-GB.dll
Source: C:\Users\user\AppData\Local\Temp\GoogleUpdateSetup_latest.exe File created: C:\Program Files (x86)\GUM2392.tmp\goopdateres_vi.dll
Source: C:\Users\user\AppData\Local\Temp\GoogleUpdateSetup_latest.exe File created: C:\Program Files (x86)\GUM2392.tmp\goopdateres_ca.dll
Source: C:\Users\user\AppData\Local\Temp\GoogleUpdateSetup_latest.exe File created: C:\Program Files (x86)\GUM2392.tmp\goopdateres_nl.dll
Source: C:\Users\user\Desktop\PhotoScapeSetup_V3-7.exe File created: C:\Users\user\AppData\Local\Temp\nsm78F.tmp\UserInfo.dll
Source: C:\Users\user\AppData\Local\Temp\GoogleUpdateSetup_latest.exe File created: C:\Program Files (x86)\GUM2392.tmp\GoogleCrashHandler64.exe
Source: C:\Users\user\AppData\Local\Temp\GoogleUpdateSetup_latest.exe File created: C:\Program Files (x86)\GUM2392.tmp\goopdateres_ro.dll
Source: C:\Users\user\AppData\Local\Temp\GoogleUpdateSetup_latest.exe File created: C:\Program Files (x86)\GUM2392.tmp\goopdateres_it.dll
Source: C:\Users\user\AppData\Local\Temp\GoogleUpdateSetup_latest.exe File created: C:\Program Files (x86)\GUM2392.tmp\goopdateres_uk.dll
Source: C:\Users\user\AppData\Local\Temp\Mooii_GDrive.exe File created: C:\Users\user\AppData\Local\Temp\GoogleUpdateSetup_latest.exe
Source: C:\Users\user\Desktop\PhotoScapeSetup_V3-7.exe File created: C:\Users\user\AppData\Local\Temp\GTGCAPI.exe
Source: C:\Users\user\AppData\Local\Temp\GoogleUpdateSetup_latest.exe File created: C:\Program Files (x86)\GUM2392.tmp\goopdateres_ja.dll
Source: C:\Users\user\AppData\Local\Temp\GoogleUpdateSetup_latest.exe File created: C:\Program Files (x86)\GUM2392.tmp\goopdateres_da.dll
Source: C:\Users\user\AppData\Local\Temp\GoogleSetup.exe File created: C:\Users\user\AppData\Local\Temp\Mooii_Toolbar_Omaha.exe
Source: C:\Users\user\AppData\Local\Temp\GoogleUpdateSetup_latest.exe File created: C:\Program Files (x86)\GUM2392.tmp\goopdateres_hu.dll
Source: C:\Users\user\AppData\Local\Temp\GoogleUpdateSetup_latest.exe File created: C:\Program Files (x86)\GUM2392.tmp\goopdateres_ta.dll
Source: C:\Users\user\AppData\Local\Temp\GoogleUpdateSetup_latest.exe File created: C:\Program Files (x86)\GUM2392.tmp\goopdateres_is.dll
Source: C:\Users\user\AppData\Local\Temp\GoogleUpdateSetup_latest.exe File created: C:\Program Files (x86)\GUM2392.tmp\goopdateres_am.dll
Source: C:\Users\user\AppData\Local\Temp\GoogleUpdateSetup_latest.exe File created: C:\Program Files (x86)\GUM2392.tmp\goopdateres_et.dll
Source: C:\Users\user\AppData\Local\Temp\GoogleUpdateSetup_latest.exe File created: C:\Program Files (x86)\GUM2392.tmp\goopdateres_sw.dll
Source: C:\Users\user\AppData\Local\Temp\GoogleUpdateSetup_latest.exe File created: C:\Program Files (x86)\GUM2392.tmp\GoogleUpdateSetup.exe
Source: C:\Users\user\AppData\Local\Temp\GoogleUpdateSetup_latest.exe File created: C:\Program Files (x86)\GUM2392.tmp\goopdateres_te.dll
Source: C:\Users\user\AppData\Local\Temp\GoogleUpdateSetup_latest.exe File created: C:\Program Files (x86)\GUM2392.tmp\goopdateres_ur.dll
Source: C:\Users\user\AppData\Local\Temp\GoogleUpdateSetup_latest.exe File created: C:\Program Files (x86)\GUM2392.tmp\goopdateres_es-419.dll
Source: C:\Users\user\AppData\Local\Temp\GoogleUpdateSetup_latest.exe File created: C:\Program Files (x86)\GUM2392.tmp\goopdateres_fi.dll
Source: C:\Users\user\AppData\Local\Temp\GoogleUpdateSetup_latest.exe File created: C:\Program Files (x86)\GUM2392.tmp\goopdateres_ml.dll
Source: C:\Users\user\AppData\Local\Temp\GoogleUpdateSetup_latest.exe File created: C:\Program Files (x86)\GUM2392.tmp\goopdateres_pt-BR.dll
Source: C:\Users\user\AppData\Local\Temp\GoogleUpdateSetup_latest.exe File created: C:\Program Files (x86)\GUM2392.tmp\GoogleUpdateBroker.exe
Source: C:\Users\user\AppData\Local\Temp\GoogleUpdateSetup_latest.exe File created: C:\Program Files (x86)\GUM2392.tmp\goopdateres_no.dll
Source: C:\Users\user\AppData\Local\Temp\GoogleSetup.exe File created: C:\Users\user\AppData\Local\Temp\nsr2076.tmp\System.dll
Source: C:\Users\user\AppData\Local\Temp\GoogleUpdateSetup_latest.exe File created: C:\Program Files (x86)\GUM2392.tmp\goopdateres_sl.dll
Source: C:\Users\user\AppData\Local\Temp\GoogleUpdateSetup_latest.exe File created: C:\Program Files (x86)\GUM2392.tmp\goopdateres_ko.dll
Source: C:\Users\user\AppData\Local\Temp\GoogleUpdateSetup_latest.exe File created: C:\Program Files (x86)\GUM2392.tmp\goopdateres_fr.dll
Source: C:\Users\user\AppData\Local\Temp\GoogleUpdateSetup_latest.exe File created: C:\Program Files (x86)\GUM2392.tmp\goopdateres_sk.dll
Source: C:\Users\user\AppData\Local\Temp\GoogleUpdateSetup_latest.exe File created: C:\Program Files (x86)\GUM2392.tmp\goopdateres_sv.dll
Source: C:\Users\user\Desktop\PhotoScapeSetup_V3-7.exe File created: C:\Users\user\AppData\Local\Temp\gcapi_dll.dll
Source: C:\Users\user\AppData\Local\Temp\GoogleUpdateSetup_latest.exe File created: C:\Program Files (x86)\GUM2392.tmp\goopdateres_gu.dll
Source: C:\Users\user\AppData\Local\Temp\GoogleUpdateSetup_latest.exe File created: C:\Program Files (x86)\GUM2392.tmp\GoogleCrashHandler.exe
Source: C:\Users\user\AppData\Local\Temp\GoogleUpdateSetup_latest.exe File created: C:\Program Files (x86)\GUM2392.tmp\goopdateres_ar.dll
Source: C:\Users\user\AppData\Local\Temp\GoogleUpdateSetup_latest.exe File created: C:\Program Files (x86)\GUM2392.tmp\goopdateres_kn.dll
Source: C:\Users\user\AppData\Local\Temp\GoogleUpdateSetup_latest.exe File created: C:\Program Files (x86)\GUM2392.tmp\goopdateres_en.dll
Source: C:\Users\user\AppData\Local\Temp\GoogleUpdateSetup_latest.exe File created: C:\Program Files (x86)\GUM2392.tmp\goopdateres_bn.dll
Source: C:\Users\user\Desktop\PhotoScapeSetup_V3-7.exe File created: C:\Users\user\AppData\Local\Temp\msvcr90.dll
Source: C:\Users\user\AppData\Local\Temp\GoogleUpdateSetup_latest.exe File created: C:\Program Files (x86)\GUM2392.tmp\goopdateres_pl.dll
Source: C:\Users\user\Desktop\PhotoScapeSetup_V3-7.exe File created: C:\Users\user\AppData\Local\Temp\gtapi_signed.dll
Source: C:\Users\user\AppData\Local\Temp\GoogleSetup.exe File created: C:\Users\user\AppData\Local\Temp\Mooii_GDrive.exe
Source: C:\Program Files (x86)\GUM2392.tmp\GoogleUpdate.exe Code function: 10_2_6C8E1532 GetPrivateProfileIntW,GetPrivateProfileIntW,GetPrivateProfileIntW,GetPrivateProfileIntW,GetPrivateProfileIntW,GetPrivateProfileIntW,GetPrivateProfileStringW,GetPrivateProfileIntW, 10_2_6C8E1532
Source: C:\Users\user\Desktop\PhotoScapeSetup_V3-7.exe File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\PhotoScape\PhotoScape.lnk
Source: C:\Users\user\Desktop\PhotoScapeSetup_V3-7.exe File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\PhotoScape\Uninstall PhotoScape.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk
Source: C:\Program Files (x86)\GUM2392.tmp\GoogleUpdate.exe Code function: 10_2_6C948DB4 OpenSCManagerW,OpenServiceW,CloseServiceHandle,CloseServiceHandle,QueryServiceStatus,CloseServiceHandle,StartServiceW,CloseServiceHandle, 10_2_6C948DB4
Source: C:\Program Files (x86)\GUM2392.tmp\GoogleUpdate.exe Code function: 10_2_6C92144B _memset,LoadLibraryW,LoadLibraryW,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 10_2_6C92144B
Source: C:\Users\user\Desktop\PhotoScapeSetup_V3-7.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\GTGCAPI.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\GoogleSetup.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Mooii_GDrive.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\GUM2392.tmp\GoogleUpdate.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\PhotoScape\PhotoScape.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\splwow64.exe Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\AppData\Local\Temp\GoogleUpdateSetup_latest.exe Check user administrative privileges: IsUserAndAdmin, DecisionNode
Source: C:\Program Files (x86)\PhotoScape\PhotoScape.exe Window / User API: foregroundWindowGot 662
Source: C:\Users\user\Desktop\PhotoScapeSetup_V3-7.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsm78F.tmp\KillProcDLL.dll
Source: C:\Users\user\AppData\Local\Temp\GoogleUpdateSetup_latest.exe Dropped PE file which has not been started: C:\Program Files (x86)\GUM2392.tmp\goopdateres_ms.dll
Source: C:\Users\user\AppData\Local\Temp\GoogleUpdateSetup_latest.exe Dropped PE file which has not been started: C:\Program Files (x86)\GUM2392.tmp\goopdateres_hr.dll
Source: C:\Users\user\AppData\Local\Temp\GoogleUpdateSetup_latest.exe Dropped PE file which has not been started: C:\Program Files (x86)\GUM2392.tmp\goopdateres_de.dll
Source: C:\Users\user\AppData\Local\Temp\Mooii_GDrive.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsd2326.tmp\System.dll
Source: C:\Users\user\AppData\Local\Temp\GoogleUpdateSetup_latest.exe Dropped PE file which has not been started: C:\Program Files (x86)\GUM2392.tmp\goopdateres_fa.dll
Source: C:\Users\user\Desktop\PhotoScapeSetup_V3-7.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsm78F.tmp\nsDialogs.dll
Source: C:\Users\user\AppData\Local\Temp\GoogleUpdateSetup_latest.exe Dropped PE file which has not been started: C:\Program Files (x86)\GUM2392.tmp\goopdateres_th.dll
Source: C:\Users\user\AppData\Local\Temp\GoogleUpdateSetup_latest.exe Dropped PE file which has not been started: C:\Program Files (x86)\GUM2392.tmp\goopdateres_ru.dll
Source: C:\Users\user\AppData\Local\Temp\GoogleUpdateSetup_latest.exe Dropped PE file which has not been started: C:\Program Files (x86)\GUM2392.tmp\goopdateres_zh-TW.dll
Source: C:\Users\user\AppData\Local\Temp\GoogleUpdateSetup_latest.exe Dropped PE file which has not been started: C:\Program Files (x86)\GUM2392.tmp\goopdateres_bg.dll
Source: C:\Users\user\AppData\Local\Temp\GoogleUpdateSetup_latest.exe Dropped PE file which has not been started: C:\Program Files (x86)\GUM2392.tmp\goopdateres_mr.dll
Source: C:\Users\user\AppData\Local\Temp\GoogleUpdateSetup_latest.exe Dropped PE file which has not been started: C:\Program Files (x86)\GUM2392.tmp\goopdateres_zh-CN.dll
Source: C:\Users\user\AppData\Local\Temp\GoogleUpdateSetup_latest.exe Dropped PE file which has not been started: C:\Program Files (x86)\GUM2392.tmp\goopdateres_el.dll
Source: C:\Users\user\AppData\Local\Temp\GoogleUpdateSetup_latest.exe Dropped PE file which has not been started: C:\Program Files (x86)\GUM2392.tmp\goopdateres_sr.dll
Source: C:\Users\user\AppData\Local\Temp\GoogleUpdateSetup_latest.exe Dropped PE file which has not been started: C:\Program Files (x86)\GUM2392.tmp\npGoogleUpdate3.dll
Source: C:\Users\user\Desktop\PhotoScapeSetup_V3-7.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsm78F.tmp\System.dll
Source: C:\Users\user\AppData\Local\Temp\GoogleUpdateSetup_latest.exe Dropped PE file which has not been started: C:\Program Files (x86)\GUM2392.tmp\goopdateres_tr.dll
Source: C:\Users\user\AppData\Local\Temp\GoogleUpdateSetup_latest.exe Dropped PE file which has not been started: C:\Program Files (x86)\GUM2392.tmp\goopdateres_lt.dll
Source: C:\Users\user\AppData\Local\Temp\GoogleUpdateSetup_latest.exe Dropped PE file which has not been started: C:\Program Files (x86)\GUM2392.tmp\psuser.dll
Source: C:\Users\user\Desktop\PhotoScapeSetup_V3-7.exe Dropped PE file which has not been started: C:\Program Files (x86)\PhotoScape\uninstall.exe
Source: C:\Users\user\Desktop\PhotoScapeSetup_V3-7.exe Dropped PE file which has not been started: C:\Program Files (x86)\PhotoScape\GdiPlus.dll
Source: C:\Users\user\AppData\Local\Temp\GoogleUpdateSetup_latest.exe Dropped PE file which has not been started: C:\Program Files (x86)\GUM2392.tmp\goopdateres_id.dll
Source: C:\Users\user\AppData\Local\Temp\GoogleUpdateSetup_latest.exe Dropped PE file which has not been started: C:\Program Files (x86)\GUM2392.tmp\goopdateres_cs.dll
Source: C:\Users\user\AppData\Local\Temp\GoogleSetup.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Mooii_Photoscape_Chrome_New.exe
Source: C:\Users\user\AppData\Local\Temp\GoogleUpdateSetup_latest.exe Dropped PE file which has not been started: C:\Program Files (x86)\GUM2392.tmp\goopdateres_iw.dll
Source: C:\Users\user\AppData\Local\Temp\GoogleUpdateSetup_latest.exe Dropped PE file which has not been started: C:\Program Files (x86)\GUM2392.tmp\goopdate.dll
Source: C:\Users\user\AppData\Local\Temp\GoogleUpdateSetup_latest.exe Dropped PE file which has not been started: C:\Program Files (x86)\GUM2392.tmp\goopdateres_fil.dll
Source: C:\Users\user\AppData\Local\Temp\GoogleUpdateSetup_latest.exe Dropped PE file which has not been started: C:\Program Files (x86)\GUM2392.tmp\goopdateres_es.dll
Source: C:\Users\user\AppData\Local\Temp\GoogleUpdateSetup_latest.exe Dropped PE file which has not been started: C:\Program Files (x86)\GUM2392.tmp\GoogleUpdateOnDemand.exe
Source: C:\Users\user\AppData\Local\Temp\GoogleUpdateSetup_latest.exe Dropped PE file which has not been started: C:\Program Files (x86)\GUM2392.tmp\goopdateres_lv.dll
Source: C:\Users\user\AppData\Local\Temp\GoogleUpdateSetup_latest.exe Dropped PE file which has not been started: C:\Program Files (x86)\GUM2392.tmp\goopdateres_hi.dll
Source: C:\Users\user\AppData\Local\Temp\GoogleUpdateSetup_latest.exe Dropped PE file which has not been started: C:\Program Files (x86)\GUM2392.tmp\goopdateres_pt-PT.dll
Source: C:\Users\user\AppData\Local\Temp\GoogleUpdateSetup_latest.exe Dropped PE file which has not been started: C:\Program Files (x86)\GUM2392.tmp\goopdateres_en-GB.dll
Source: C:\Users\user\AppData\Local\Temp\GoogleUpdateSetup_latest.exe Dropped PE file which has not been started: C:\Program Files (x86)\GUM2392.tmp\psmachine.dll
Source: C:\Users\user\AppData\Local\Temp\GoogleUpdateSetup_latest.exe Dropped PE file which has not been started: C:\Program Files (x86)\GUM2392.tmp\goopdateres_vi.dll
Source: C:\Users\user\AppData\Local\Temp\GoogleUpdateSetup_latest.exe Dropped PE file which has not been started: C:\Program Files (x86)\GUM2392.tmp\goopdateres_ca.dll
Source: C:\Users\user\AppData\Local\Temp\GoogleUpdateSetup_latest.exe Dropped PE file which has not been started: C:\Program Files (x86)\GUM2392.tmp\goopdateres_nl.dll
Source: C:\Users\user\Desktop\PhotoScapeSetup_V3-7.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsm78F.tmp\UserInfo.dll
Source: C:\Users\user\AppData\Local\Temp\GoogleUpdateSetup_latest.exe Dropped PE file which has not been started: C:\Program Files (x86)\GUM2392.tmp\GoogleCrashHandler64.exe
Source: C:\Users\user\AppData\Local\Temp\GoogleUpdateSetup_latest.exe Dropped PE file which has not been started: C:\Program Files (x86)\GUM2392.tmp\goopdateres_ro.dll
Source: C:\Users\user\AppData\Local\Temp\GoogleUpdateSetup_latest.exe Dropped PE file which has not been started: C:\Program Files (x86)\GUM2392.tmp\goopdateres_it.dll
Source: C:\Users\user\AppData\Local\Temp\GoogleUpdateSetup_latest.exe Dropped PE file which has not been started: C:\Program Files (x86)\GUM2392.tmp\goopdateres_uk.dll
Source: C:\Users\user\AppData\Local\Temp\GoogleUpdateSetup_latest.exe Dropped PE file which has not been started: C:\Program Files (x86)\GUM2392.tmp\goopdateres_ja.dll
Source: C:\Users\user\AppData\Local\Temp\GoogleUpdateSetup_latest.exe Dropped PE file which has not been started: C:\Program Files (x86)\GUM2392.tmp\goopdateres_da.dll
Source: C:\Users\user\AppData\Local\Temp\GoogleSetup.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Mooii_Toolbar_Omaha.exe
Source: C:\Users\user\AppData\Local\Temp\GoogleUpdateSetup_latest.exe Dropped PE file which has not been started: C:\Program Files (x86)\GUM2392.tmp\goopdateres_ta.dll
Source: C:\Users\user\AppData\Local\Temp\GoogleUpdateSetup_latest.exe Dropped PE file which has not been started: C:\Program Files (x86)\GUM2392.tmp\goopdateres_hu.dll
Source: C:\Users\user\AppData\Local\Temp\GoogleUpdateSetup_latest.exe Dropped PE file which has not been started: C:\Program Files (x86)\GUM2392.tmp\goopdateres_is.dll
Source: C:\Users\user\AppData\Local\Temp\GoogleUpdateSetup_latest.exe Dropped PE file which has not been started: C:\Program Files (x86)\GUM2392.tmp\goopdateres_am.dll
Source: C:\Users\user\AppData\Local\Temp\GoogleUpdateSetup_latest.exe Dropped PE file which has not been started: C:\Program Files (x86)\GUM2392.tmp\goopdateres_et.dll
Source: C:\Users\user\AppData\Local\Temp\GoogleUpdateSetup_latest.exe Dropped PE file which has not been started: C:\Program Files (x86)\GUM2392.tmp\goopdateres_sw.dll
Source: C:\Users\user\AppData\Local\Temp\GoogleUpdateSetup_latest.exe Dropped PE file which has not been started: C:\Program Files (x86)\GUM2392.tmp\goopdateres_te.dll
Source: C:\Users\user\AppData\Local\Temp\GoogleUpdateSetup_latest.exe Dropped PE file which has not been started: C:\Program Files (x86)\GUM2392.tmp\goopdateres_ur.dll
Source: C:\Users\user\AppData\Local\Temp\GoogleUpdateSetup_latest.exe Dropped PE file which has not been started: C:\Program Files (x86)\GUM2392.tmp\goopdateres_fi.dll
Source: C:\Users\user\AppData\Local\Temp\GoogleUpdateSetup_latest.exe Dropped PE file which has not been started: C:\Program Files (x86)\GUM2392.tmp\goopdateres_es-419.dll
Source: C:\Users\user\AppData\Local\Temp\GoogleUpdateSetup_latest.exe Dropped PE file which has not been started: C:\Program Files (x86)\GUM2392.tmp\goopdateres_ml.dll
Source: C:\Users\user\AppData\Local\Temp\GoogleUpdateSetup_latest.exe Dropped PE file which has not been started: C:\Program Files (x86)\GUM2392.tmp\goopdateres_pt-BR.dll
Source: C:\Users\user\AppData\Local\Temp\GoogleUpdateSetup_latest.exe Dropped PE file which has not been started: C:\Program Files (x86)\GUM2392.tmp\goopdateres_no.dll
Source: C:\Users\user\AppData\Local\Temp\GoogleUpdateSetup_latest.exe Dropped PE file which has not been started: C:\Program Files (x86)\GUM2392.tmp\GoogleUpdateBroker.exe
Source: C:\Users\user\AppData\Local\Temp\GoogleSetup.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsr2076.tmp\System.dll
Source: C:\Users\user\AppData\Local\Temp\GoogleUpdateSetup_latest.exe Dropped PE file which has not been started: C:\Program Files (x86)\GUM2392.tmp\goopdateres_sl.dll
Source: C:\Users\user\AppData\Local\Temp\GoogleUpdateSetup_latest.exe Dropped PE file which has not been started: C:\Program Files (x86)\GUM2392.tmp\goopdateres_ko.dll
Source: C:\Users\user\AppData\Local\Temp\GoogleUpdateSetup_latest.exe Dropped PE file which has not been started: C:\Program Files (x86)\GUM2392.tmp\goopdateres_fr.dll
Source: C:\Users\user\AppData\Local\Temp\GoogleUpdateSetup_latest.exe Dropped PE file which has not been started: C:\Program Files (x86)\GUM2392.tmp\goopdateres_sv.dll
Source: C:\Users\user\AppData\Local\Temp\GoogleUpdateSetup_latest.exe Dropped PE file which has not been started: C:\Program Files (x86)\GUM2392.tmp\goopdateres_sk.dll
Source: C:\Users\user\AppData\Local\Temp\GoogleUpdateSetup_latest.exe Dropped PE file which has not been started: C:\Program Files (x86)\GUM2392.tmp\goopdateres_gu.dll
Source: C:\Users\user\AppData\Local\Temp\GoogleUpdateSetup_latest.exe Dropped PE file which has not been started: C:\Program Files (x86)\GUM2392.tmp\goopdateres_ar.dll
Source: C:\Users\user\AppData\Local\Temp\GoogleUpdateSetup_latest.exe Dropped PE file which has not been started: C:\Program Files (x86)\GUM2392.tmp\GoogleCrashHandler.exe
Source: C:\Users\user\AppData\Local\Temp\GoogleUpdateSetup_latest.exe Dropped PE file which has not been started: C:\Program Files (x86)\GUM2392.tmp\goopdateres_kn.dll
Source: C:\Users\user\AppData\Local\Temp\GoogleUpdateSetup_latest.exe Dropped PE file which has not been started: C:\Program Files (x86)\GUM2392.tmp\goopdateres_en.dll
Source: C:\Users\user\AppData\Local\Temp\GoogleUpdateSetup_latest.exe Dropped PE file which has not been started: C:\Program Files (x86)\GUM2392.tmp\goopdateres_bn.dll
Source: C:\Users\user\Desktop\PhotoScapeSetup_V3-7.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\msvcr90.dll
Source: C:\Users\user\AppData\Local\Temp\GoogleUpdateSetup_latest.exe Dropped PE file which has not been started: C:\Program Files (x86)\GUM2392.tmp\goopdateres_pl.dll
Source: C:\Users\user\AppData\Local\Temp\GTGCAPI.exe Evasive API call chain: GetSystemTime,DecisionNodes
Source: C:\Users\user\AppData\Local\Temp\GTGCAPI.exe Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess
Source: C:\Program Files (x86)\GUM2392.tmp\GoogleUpdate.exe Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Users\user\AppData\Local\Temp\GTGCAPI.exe API coverage: 7.8 %
Source: C:\Program Files (x86)\GUM2392.tmp\GoogleUpdate.exe API coverage: 5.7 %
Source: C:\Users\user\AppData\Local\Temp\GTGCAPI.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
Source: C:\Users\user\AppData\Local\Temp\GTGCAPI.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_ComputerSystem
Source: C:\Users\user\Desktop\PhotoScapeSetup_V3-7.exe Code function: 0_2_00405B6C FindFirstFileW,FindClose, 0_2_00405B6C
Source: C:\Users\user\Desktop\PhotoScapeSetup_V3-7.exe Code function: 0_2_0040652D DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW, 0_2_0040652D
Source: C:\Users\user\AppData\Local\Temp\GoogleSetup.exe Code function: 7_2_00405B6C FindFirstFileW,FindClose, 7_2_00405B6C
Source: C:\Users\user\AppData\Local\Temp\GoogleSetup.exe Code function: 7_2_0040652D DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW, 7_2_0040652D
Source: C:\Users\user\AppData\Local\Temp\Mooii_GDrive.exe Code function: 8_2_0040654D DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW, 8_2_0040654D
Source: C:\Users\user\AppData\Local\Temp\Mooii_GDrive.exe Code function: 8_2_00405B8C FindFirstFileW,FindClose, 8_2_00405B8C
Source: C:\Users\user\AppData\Local\Temp\Mooii_GDrive.exe Code function: 8_2_004029F1 FindFirstFileW, 8_2_004029F1
Source: C:\Program Files (x86)\GUM2392.tmp\GoogleUpdate.exe Code function: 10_2_6C8EADA9 _memset,FindFirstFileW,FindNextFileW,FindClose, 10_2_6C8EADA9
Source: C:\Program Files (x86)\GUM2392.tmp\GoogleUpdate.exe Code function: 10_2_6C910D29 _memset,FindFirstFileW,FindNextFileW,FindClose, 10_2_6C910D29
Source: C:\Program Files (x86)\GUM2392.tmp\GoogleUpdate.exe Code function: 10_2_6C8EAEE3 _memset,FindFirstFileW,FindNextFileW,FindClose,FindClose, 10_2_6C8EAEE3
Source: C:\Program Files (x86)\GUM2392.tmp\GoogleUpdate.exe Code function: 10_2_6C8EA47E _memset,FindFirstFileW,FindNextFileW,FindClose, 10_2_6C8EA47E
Source: C:\Program Files (x86)\GUM2392.tmp\GoogleUpdate.exe Code function: 10_2_6C9106CC _memset,FindFirstFileW,FindNextFileW,FindClose, 10_2_6C9106CC
Source: C:\Program Files (x86)\GUM2392.tmp\GoogleUpdate.exe Code function: 10_2_6C8E462D FindFirstFileW,_memset,FindFirstFileW,GetLastError,DeleteFileW,FindNextFileW,GetLastError,FindClose, 10_2_6C8E462D
Source: C:\Program Files (x86)\GUM2392.tmp\GoogleUpdate.exe Code function: 10_2_6C8E4770 GetFileAttributesW,GetLastError,_memset,FindFirstFileW,GetLastError,FindNextFileW,FindClose,RemoveDirectoryW, 10_2_6C8E4770
Source: C:\Program Files (x86)\GUM2392.tmp\GoogleUpdate.exe Code function: 10_2_6C949B30 _memset,FindFirstFileW,FindFirstFileW,GetLastError,__wcsicmp,__wcsicmp,__wcsicmp,_memset,FindFirstFileW,_memset,FindFirstFileW,FindClose,FindClose,FindNextFileW,GetLastError,FindClose,FindClose, 10_2_6C949B30
Source: C:\Program Files (x86)\GUM2392.tmp\GoogleUpdate.exe Code function: 10_2_6C8EB099 _memset,FindFirstFileW,FindNextFileW,FindClose,FindClose, 10_2_6C8EB099
Source: C:\Program Files (x86)\GUM2392.tmp\GoogleUpdate.exe Code function: 10_2_6C8F0776 _memset,GetLogicalDriveStringsW,_memset,QueryDosDeviceW,__wcsnicmp, 10_2_6C8F0776
Source: C:\Program Files (x86)\GUM2392.tmp\GoogleUpdate.exe Code function: 10_2_6C959D57 VirtualQuery,GetSystemInfo,__invoke_watson,GetModuleHandleA,GetProcAddress,VirtualAlloc,VirtualProtect, 10_2_6C959D57
Source: C:\Windows\splwow64.exe Thread delayed: delay time: 120000
Source: C:\Users\user\Desktop\PhotoScapeSetup_V3-7.exe File opened: C:\Users\user\AppData\Local\Temp\nsm78F.tmp\
Source: C:\Users\user\Desktop\PhotoScapeSetup_V3-7.exe File opened: C:\Users\user\AppData\Local\
Source: C:\Users\user\Desktop\PhotoScapeSetup_V3-7.exe File opened: C:\Users\user\AppData\
Source: C:\Users\user\Desktop\PhotoScapeSetup_V3-7.exe File opened: C:\Users\user\
Source: C:\Users\user\Desktop\PhotoScapeSetup_V3-7.exe File opened: C:\Users\user\AppData\Local\Temp\
Source: C:\Users\user\Desktop\PhotoScapeSetup_V3-7.exe File opened: C:\Users\user\AppData\Local\Temp\nsm78F.tmp\System.dll
Source: PhotoScape.exe, 00000010.00000003.2433353522.0000000007536000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vnj{qkeulieuli^oefM`V`FYN_CWKaFWNdCVMcI[RcAUK^t
Source: GoogleUpdate.exe, 0000000A.00000002.3259752137.0000000000B53000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\\?\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\
Source: GoogleUpdate.exe, 0000000A.00000002.3259752137.0000000000B28000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll Files (x86)@shell32.dll,-21817
Source: PhotoScape.exe, 00000010.00000003.2435229503.0000000008105000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: M!;)M,F6M0I9M&=/M$7,M-B6M;QEMUk_MNdXM0H<M4NAM5OBM(B5M0J=M?XJM2L;M.H6M%?/M"<,M*D1M)C1M)C1M)C1M!:(M$;)M/G6M-H6M!>*M">+M!=*M$?.M)D5M)C5N
Source: PhotoScapeSetup_V3-7.exe Binary or memory string: XvMcI+
Source: C:\Users\user\AppData\Local\Temp\GoogleSetup.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Local\Temp\Mooii_GDrive.exe API call chain: ExitProcess graph end node
Source: C:\Program Files (x86)\GUM2392.tmp\GoogleUpdate.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\PhotoScapeSetup_V3-7.exe Process information queried: ProcessInformation
Source: C:\Program Files (x86)\GUM2392.tmp\GoogleUpdate.exe Code function: 10_2_00444291 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 10_2_00444291
Source: C:\Users\user\Desktop\PhotoScapeSetup_V3-7.exe Code function: 0_2_00405B93 GetModuleHandleA,LoadLibraryA,GetProcAddress, 0_2_00405B93
Source: C:\Users\user\AppData\Local\Temp\GoogleUpdateSetup_latest.exe Code function: 9_2_00CF6B8F GetProcessHeap, 9_2_00CF6B8F
Source: C:\Users\user\AppData\Local\Temp\GoogleUpdateSetup_latest.exe Code function: 9_2_00CF5E37 SetUnhandledExceptionFilter, 9_2_00CF5E37
Source: C:\Users\user\AppData\Local\Temp\GoogleUpdateSetup_latest.exe Code function: 9_2_00CF5330 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 9_2_00CF5330
Source: C:\Program Files (x86)\GUM2392.tmp\GoogleUpdate.exe Code function: 10_2_00444C16 SetUnhandledExceptionFilter, 10_2_00444C16
Source: C:\Program Files (x86)\GUM2392.tmp\GoogleUpdate.exe Code function: 10_2_00448B01 _raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,__amsg_exit, 10_2_00448B01
Source: C:\Program Files (x86)\GUM2392.tmp\GoogleUpdate.exe Code function: 10_2_004439CE IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 10_2_004439CE
Source: C:\Program Files (x86)\GUM2392.tmp\GoogleUpdate.exe Code function: 10_2_6C9560D4 InterlockedIncrement,CloseHandle,InitializeCriticalSection,CreateSemaphoreW,CreateSemaphoreW,CreateSemaphoreW,CreateThread,LoadLibraryW,LoadLibraryW,GetProcAddress,LoadLibraryW,GetProcAddress,InitializeCriticalSection,EnterCriticalSection,SetUnhandledExceptionFilter,__set_invalid_parameter_handler,__set_invalid_parameter_handler,LeaveCriticalSection, 10_2_6C9560D4
Source: C:\Program Files (x86)\GUM2392.tmp\GoogleUpdate.exe Code function: 10_2_6C956347 FreeLibrary,FreeLibrary,FreeLibrary,EnterCriticalSection,SetUnhandledExceptionFilter,__set_invalid_parameter_handler,__set_invalid_parameter_handler,LeaveCriticalSection,ReleaseSemaphore,WaitForSingleObject,CloseHandle,FindCloseChangeNotification,DeleteCriticalSection,CloseHandle,CloseHandle,InterlockedDecrement,DeleteCriticalSection,_fprintf,_memmove_s, 10_2_6C956347
Source: C:\Program Files (x86)\GUM2392.tmp\GoogleUpdate.exe Code function: 10_2_6C958AF1 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 10_2_6C958AF1
Source: C:\Program Files (x86)\GUM2392.tmp\GoogleUpdate.exe Code function: 10_2_6C9566E2 SetUnhandledExceptionFilter,__set_invalid_parameter_handler,__set_invalid_parameter_handler,LeaveCriticalSection, 10_2_6C9566E2
Source: C:\Program Files (x86)\GUM2392.tmp\GoogleUpdate.exe Code function: 10_2_6C956646 EnterCriticalSection,SetUnhandledExceptionFilter,__set_invalid_parameter_handler,__set_invalid_parameter_handler, 10_2_6C956646
Source: C:\Program Files (x86)\GUM2392.tmp\GoogleUpdate.exe Code function: 10_2_6C959E8D _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 10_2_6C959E8D
Source: C:\Program Files (x86)\GUM2392.tmp\GoogleUpdate.exe Code function: 10_2_6C95BE4D _raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 10_2_6C95BE4D
Source: C:\Program Files (x86)\GUM2392.tmp\GoogleUpdate.exe Code function: 10_2_6C8E4F44 __wcsicmp,SetForegroundWindow,ShellExecuteExW,AllowSetForegroundWindow,GetLastError,SetLastError,GetLastError,KiUserCallbackDispatcher, 10_2_6C8E4F44
Source: C:\Users\user\Desktop\PhotoScapeSetup_V3-7.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://photoscape.org/link/link.php?version=installer&topic=afterinstall&v=3.7
Source: C:\Users\user\Desktop\PhotoScapeSetup_V3-7.exe Process created: C:\Program Files (x86)\PhotoScape\PhotoScape.exe "C:\Program Files (x86)\PhotoScape\PhotoScape.exe" /foreground
Source: C:\Program Files (x86)\GUM2392.tmp\GoogleUpdate.exe Code function: 10_2_6C8E71BD GetSecurityDescriptorDacl,_malloc,SetSecurityDescriptorDacl, 10_2_6C8E71BD
Source: C:\Program Files (x86)\GUM2392.tmp\GoogleUpdate.exe Code function: 10_2_6C8EE2FA AllocateAndInitializeSid,CheckTokenMembership,FreeSid, 10_2_6C8EE2FA
Source: C:\Program Files (x86)\GUM2392.tmp\GoogleUpdate.exe Code function: 10_2_0044883D cpuid 10_2_0044883D
Source: C:\Program Files (x86)\GUM2392.tmp\GoogleUpdate.exe Code function: GetLocaleInfoA, 10_2_00449613
Source: C:\Program Files (x86)\GUM2392.tmp\GoogleUpdate.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLastError,GetLocaleInfoW,GetLocaleInfoA,GetLocaleInfoA,_malloc,GetLocaleInfoA,MultiByteToWideChar,__freea, 10_2_6C964DB8
Source: C:\Program Files (x86)\GUM2392.tmp\GoogleUpdate.exe Code function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo, 10_2_6C966DD9
Source: C:\Program Files (x86)\GUM2392.tmp\GoogleUpdate.exe Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoW_stat, 10_2_6C964EF3
Source: C:\Program Files (x86)\GUM2392.tmp\GoogleUpdate.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLastError,GetLocaleInfoW,_malloc,GetLocaleInfoW,WideCharToMultiByte,__freea,GetLocaleInfoA, 10_2_6C964F2E
Source: C:\Program Files (x86)\GUM2392.tmp\GoogleUpdate.exe Code function: GetThreadLocale,GetLocaleInfoA,GetACP, 10_2_6C9589DA
Source: C:\Program Files (x86)\GUM2392.tmp\GoogleUpdate.exe Code function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,__invoke_watson,___crtGetLocaleInfoA, 10_2_6C95E734
Source: C:\Program Files (x86)\GUM2392.tmp\GoogleUpdate.exe Code function: _LcidFromHexString,GetLocaleInfoA,_TestDefaultLanguage, 10_2_6C968190
Source: C:\Program Files (x86)\GUM2392.tmp\GoogleUpdate.exe Code function: _strlen,_GetPrimaryLen,EnumSystemLocalesA, 10_2_6C9682B4
Source: C:\Program Files (x86)\GUM2392.tmp\GoogleUpdate.exe Code function: _TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_strlen,EnumSystemLocalesA,GetUserDefaultLCID,_ProcessCodePage,IsValidCodePage,IsValidLocale,GetLocaleInfoA,_strcpy_s,__invoke_watson,GetLocaleInfoA,GetLocaleInfoA,__itoa_s, 10_2_6C9682F0
Source: C:\Program Files (x86)\GUM2392.tmp\GoogleUpdate.exe Code function: _strlen,_strlen,_GetPrimaryLen,EnumSystemLocalesA, 10_2_6C96824F
Source: C:\Program Files (x86)\GUM2392.tmp\GoogleUpdate.exe Code function: GetLocaleInfoA, 10_2_6C967DD6
Source: C:\Program Files (x86)\GUM2392.tmp\GoogleUpdate.exe Code function: GetLocaleInfoA,_xtoa_s@20, 10_2_6C96BE8E
Source: C:\Program Files (x86)\GUM2392.tmp\GoogleUpdate.exe Code function: _LcidFromHexString,GetLocaleInfoA, 10_2_6C967EB8
Source: C:\Program Files (x86)\GUM2392.tmp\GoogleUpdate.exe Code function: _LcidFromHexString,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,_strlen,GetLocaleInfoA,_strlen,_TestDefaultLanguage, 10_2_6C967FC0
Source: C:\Program Files (x86)\GUM2392.tmp\GoogleUpdate.exe Code function: GetLocaleInfoA,_LcidFromHexString,_GetPrimaryLen,_strlen, 10_2_6C967F4E
Source: C:\Program Files (x86)\GUM2392.tmp\GoogleUpdate.exe Code function: ___getlocaleinfo,__malloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,GetCPInfo,___crtGetStringTypeA,___crtLCMapStringA,___crtLCMapStringA,InterlockedDecrement,InterlockedDecrement, 10_2_6C96794A
Source: C:\Program Files (x86)\GUM2392.tmp\GoogleUpdate.exe Code function: __calloc_crt,__malloc_crt,__malloc_crt,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num,InterlockedDecrement,InterlockedDecrement,InterlockedDecrement, 10_2_6C967435
Source: C:\Program Files (x86)\GUM2392.tmp\GoogleUpdate.exe Code function: __calloc_crt,__malloc_crt,__malloc_crt,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_mon,InterlockedDecrement,InterlockedDecrement, 10_2_6C967686
Source: C:\Program Files (x86)\GUM2392.tmp\GoogleUpdate.exe Code function: GetLocaleInfoA, 10_2_6C96B0AD
Source: C:\Program Files (x86)\GUM2392.tmp\GoogleUpdate.exe Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat, 10_2_6C96506B
Source: C:\Users\user\Desktop\PhotoScapeSetup_V3-7.exe Queries volume information: C:\ VolumeInformation
Source: C:\Program Files (x86)\PhotoScape\PhotoScape.exe Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
Source: C:\Program Files (x86)\PhotoScape\PhotoScape.exe Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
Source: C:\Program Files (x86)\PhotoScape\PhotoScape.exe Queries volume information: C:\Program Files (x86)\PhotoScape\frame\antique_frame01.png VolumeInformation
Source: C:\Program Files (x86)\PhotoScape\PhotoScape.exe Queries volume information: C:\Program Files (x86)\PhotoScape\frame\antique_frame02.png VolumeInformation
Source: C:\Program Files (x86)\PhotoScape\PhotoScape.exe Queries volume information: C:\Program Files (x86)\PhotoScape\frame\antique_frame03.png VolumeInformation
Source: C:\Program Files (x86)\PhotoScape\PhotoScape.exe Queries volume information: C:\Program Files (x86)\PhotoScape\frame\antique_frame04.png VolumeInformation
Source: C:\Program Files (x86)\PhotoScape\PhotoScape.exe Queries volume information: C:\Program Files (x86)\PhotoScape\scratch\antique01.png VolumeInformation
Source: C:\Program Files (x86)\PhotoScape\PhotoScape.exe Queries volume information: C:\Program Files (x86)\PhotoScape\scratch\antique02.png VolumeInformation
Source: C:\Program Files (x86)\PhotoScape\PhotoScape.exe Queries volume information: C:\Program Files (x86)\PhotoScape\frame\blackline01.bmp VolumeInformation
Source: C:\Program Files (x86)\PhotoScape\PhotoScape.exe Queries volume information: C:\Program Files (x86)\PhotoScape\frame\blackline02.bmp VolumeInformation
Source: C:\Program Files (x86)\PhotoScape\PhotoScape.exe Queries volume information: C:\Program Files (x86)\PhotoScape\frame\blackline04.bmp VolumeInformation
Source: C:\Program Files (x86)\PhotoScape\PhotoScape.exe Queries volume information: C:\Program Files (x86)\PhotoScape\frame\blackline08.bmp VolumeInformation
Source: C:\Program Files (x86)\PhotoScape\PhotoScape.exe Queries volume information: C:\Program Files (x86)\PhotoScape\frame\blank01.bmp VolumeInformation
Source: C:\Program Files (x86)\PhotoScape\PhotoScape.exe Queries volume information: C:\Program Files (x86)\PhotoScape\frame\blank02.bmp VolumeInformation
Source: C:\Program Files (x86)\PhotoScape\PhotoScape.exe Queries volume information: C:\Program Files (x86)\PhotoScape\frame\blank03.bmp VolumeInformation
Source: C:\Program Files (x86)\PhotoScape\PhotoScape.exe Queries volume information: C:\Program Files (x86)\PhotoScape\frame\blank04.bmp VolumeInformation
Source: C:\Program Files (x86)\PhotoScape\PhotoScape.exe Queries volume information: C:\Program Files (x86)\PhotoScape\frame\blank05.bmp VolumeInformation
Source: C:\Program Files (x86)\PhotoScape\PhotoScape.exe Queries volume information: C:\Program Files (x86)\PhotoScape\frame\blank06.bmp VolumeInformation
Source: C:\Program Files (x86)\PhotoScape\PhotoScape.exe Queries volume information: C:\Program Files (x86)\PhotoScape\frame\blank07.bmp VolumeInformation
Source: C:\Program Files (x86)\PhotoScape\PhotoScape.exe Queries volume information: C:\Program Files (x86)\PhotoScape\frame\blank08.bmp VolumeInformation
Source: C:\Program Files (x86)\PhotoScape\PhotoScape.exe Queries volume information: C:\Program Files (x86)\PhotoScape\frame\blank09.bmp VolumeInformation
Source: C:\Program Files (x86)\PhotoScape\PhotoScape.exe Queries volume information: C:\Program Files (x86)\PhotoScape\frame\blank10.bmp VolumeInformation
Source: C:\Program Files (x86)\PhotoScape\PhotoScape.exe Queries volume information: C:\Program Files (x86)\PhotoScape\frame\blank11.bmp VolumeInformation
Source: C:\Program Files (x86)\PhotoScape\PhotoScape.exe Queries volume information: C:\Program Files (x86)\PhotoScape\frame\blank12.bmp VolumeInformation
Source: C:\Program Files (x86)\PhotoScape\PhotoScape.exe Queries volume information: C:\Program Files (x86)\PhotoScape\frame\book01.png VolumeInformation
Source: C:\Program Files (x86)\PhotoScape\PhotoScape.exe Queries volume information: C:\Program Files (x86)\PhotoScape\frame\book02.png VolumeInformation
Source: C:\Program Files (x86)\PhotoScape\PhotoScape.exe Queries volume information: C:\Program Files (x86)\PhotoScape\frame\border.png VolumeInformation
Source: C:\Program Files (x86)\PhotoScape\PhotoScape.exe Queries volume information: C:\Program Files (x86)\PhotoScape\frame\border01.png VolumeInformation
Source: C:\Program Files (x86)\PhotoScape\PhotoScape.exe Queries volume information: C:\Program Files (x86)\PhotoScape\frame\border02.png VolumeInformation
Source: C:\Program Files (x86)\PhotoScape\PhotoScape.exe Queries volume information: C:\Program Files (x86)\PhotoScape\frame\border03.png VolumeInformation
Source: C:\Program Files (x86)\PhotoScape\PhotoScape.exe Queries volume information: C:\Program Files (x86)\PhotoScape\frame\border04.png VolumeInformation
Source: C:\Program Files (x86)\PhotoScape\PhotoScape.exe Queries volume information: C:\Program Files (x86)\PhotoScape\frame\border05.png VolumeInformation
Source: C:\Program Files (x86)\PhotoScape\PhotoScape.exe Queries volume information: C:\Program Files (x86)\PhotoScape\frame\cali01.png VolumeInformation
Source: C:\Program Files (x86)\PhotoScape\PhotoScape.exe Queries volume information: C:\Program Files (x86)\PhotoScape\frame\cali02.png VolumeInformation
Source: C:\Program Files (x86)\PhotoScape\PhotoScape.exe Queries volume information: C:\Program Files (x86)\PhotoScape\frame\cali03.png VolumeInformation
Source: C:\Program Files (x86)\PhotoScape\PhotoScape.exe Queries volume information: C:\Program Files (x86)\PhotoScape\frame\cali04.png VolumeInformation
Source: C:\Program Files (x86)\PhotoScape\PhotoScape.exe Queries volume information: C:\Program Files (x86)\PhotoScape\frame\cali05.png VolumeInformation
Source: C:\Program Files (x86)\PhotoScape\PhotoScape.exe Queries volume information: C:\Program Files (x86)\PhotoScape\frame\cali06.png VolumeInformation
Source: C:\Program Files (x86)\PhotoScape\PhotoScape.exe Queries volume information: C:\Program Files (x86)\PhotoScape\frame\cali07.png VolumeInformation
Source: C:\Program Files (x86)\PhotoScape\PhotoScape.exe Queries volume information: C:\Program Files (x86)\PhotoScape\frame\cali08.png VolumeInformation
Source: C:\Program Files (x86)\PhotoScape\PhotoScape.exe Queries volume information: C:\Program Files (x86)\PhotoScape\frame\cali09.png VolumeInformation
Source: C:\Program Files (x86)\PhotoScape\PhotoScape.exe Queries volume information: C:\Program Files (x86)\PhotoScape\frame\cali10.png VolumeInformation
Source: C:\Program Files (x86)\PhotoScape\PhotoScape.exe Queries volume information: C:\Program Files (x86)\PhotoScape\frame\cali11.png VolumeInformation
Source: C:\Program Files (x86)\PhotoScape\PhotoScape.exe Queries volume information: C:\Program Files (x86)\PhotoScape\frame\cali12.png VolumeInformation
Source: C:\Program Files (x86)\PhotoScape\PhotoScape.exe Queries volume information: C:\Program Files (x86)\PhotoScape\frame\cali13.png VolumeInformation
Source: C:\Program Files (x86)\PhotoScape\PhotoScape.exe Queries volume information: C:\Program Files (x86)\PhotoScape\frame\christmas_deco01.png VolumeInformation
Source: C:\Program Files (x86)\PhotoScape\PhotoScape.exe Queries volume information: C:\Program Files (x86)\PhotoScape\frame\christmas_stick01.png VolumeInformation
Source: C:\Program Files (x86)\PhotoScape\PhotoScape.exe Queries volume information: C:\Program Files (x86)\PhotoScape\frame\christmas_stick02.png VolumeInformation
Source: C:\Program Files (x86)\PhotoScape\PhotoScape.exe Queries volume information: C:\Program Files (x86)\PhotoScape\frame\christmas_stick03.png VolumeInformation
Source: C:\Program Files (x86)\PhotoScape\PhotoScape.exe Queries volume information: C:\Program Files (x86)\PhotoScape\frame\christmas_stick04.png VolumeInformation
Source: C:\Program Files (x86)\PhotoScape\PhotoScape.exe Queries volume information: C:\Program Files (x86)\PhotoScape\frame\clip01.png VolumeInformation
Source: C:\Program Files (x86)\PhotoScape\PhotoScape.exe Queries volume information: C:\Program Files (x86)\PhotoScape\frame\clip02.png VolumeInformation
Source: C:\Program Files (x86)\PhotoScape\PhotoScape.exe Queries volume information: C:\Program Files (x86)\PhotoScape\frame\curlborder.png VolumeInformation
Source: C:\Program Files (x86)\PhotoScape\PhotoScape.exe Queries volume information: C:\Program Files (x86)\PhotoScape\frame\curlborder01.png VolumeInformation
Source: C:\Program Files (x86)\PhotoScape\PhotoScape.exe Queries volume information: C:\Program Files (x86)\PhotoScape\frame\curlborder02.png VolumeInformation
Source: C:\Program Files (x86)\PhotoScape\PhotoScape.exe Queries volume information: C:\Program Files (x86)\PhotoScape\frame\curlborder03.png VolumeInformation
Source: C:\Program Files (x86)\PhotoScape\PhotoScape.exe Queries volume information: C:\Program Files (x86)\PhotoScape\frame\curlborder04.png VolumeInformation
Source: C:\Program Files (x86)\PhotoScape\PhotoScape.exe Queries volume information: C:\Program Files (x86)\PhotoScape\frame\curlborder05.png VolumeInformation
Source: C:\Program Files (x86)\PhotoScape\PhotoScape.exe Queries volume information: C:\Program Files (x86)\PhotoScape\frame\curlborder06.png VolumeInformation
Source: C:\Program Files (x86)\PhotoScape\PhotoScape.exe Queries volume information: C:\Program Files (x86)\PhotoScape\frame\dot01.png VolumeInformation
Source: C:\Program Files (x86)\PhotoScape\PhotoScape.exe Queries volume information: C:\Program Files (x86)\PhotoScape\frame\dot02.png VolumeInformation
Source: C:\Program Files (x86)\PhotoScape\PhotoScape.exe Queries volume information: C:\Program Files (x86)\PhotoScape\frame\dot03.png VolumeInformation
Source: C:\Program Files (x86)\PhotoScape\PhotoScape.exe Queries volume information: C:\Program Files (x86)\PhotoScape\frame\dot04.png VolumeInformation
Source: C:\Program Files (x86)\PhotoScape\PhotoScape.exe Queries volume information: C:\Program Files (x86)\PhotoScape\frame\dot05.png VolumeInformation
Source: C:\Program Files (x86)\PhotoScape\PhotoScape.exe Queries volume information: C:\Program Files (x86)\PhotoScape\frame\dot06.png VolumeInformation
Source: C:\Program Files (x86)\PhotoScape\PhotoScape.exe Queries volume information: C:\Program Files (x86)\PhotoScape\frame\dot07.png VolumeInformation
Source: C:\Program Files (x86)\PhotoScape\PhotoScape.exe Queries volume information: C:\Program Files (x86)\PhotoScape\frame\dot08.png VolumeInformation
Source: C:\Program Files (x86)\PhotoScape\PhotoScape.exe Queries volume information: C:\Program Files (x86)\PhotoScape\frame\dot09.png VolumeInformation
Source: C:\Program Files (x86)\PhotoScape\PhotoScape.exe Queries volume information: C:\Program Files (x86)\PhotoScape\frame\dot10.png VolumeInformation
Source: C:\Program Files (x86)\PhotoScape\PhotoScape.exe Queries volume information: C:\Program Files (x86)\PhotoScape\frame\dot11.png VolumeInformation
Source: C:\Program Files (x86)\PhotoScape\PhotoScape.exe Queries volume information: C:\Program Files (x86)\PhotoScape\frame\dot12.png VolumeInformation
Source: C:\Program Files (x86)\PhotoScape\PhotoScape.exe Queries volume information: C:\Program Files (x86)\PhotoScape\frame\dot13.png VolumeInformation
Source: C:\Program Files (x86)\PhotoScape\PhotoScape.exe Queries volume information: C:\Program Files (x86)\PhotoScape\frame\film01.png VolumeInformation
Source: C:\Program Files (x86)\PhotoScape\PhotoScape.exe Queries volume information: C:\Program Files (x86)\PhotoScape\frame\film02.png VolumeInformation
Source: C:\Program Files (x86)\PhotoScape\PhotoScape.exe Queries volume information: C:\Program Files (x86)\PhotoScape\frame\fold01.png VolumeInformation
Source: C:\Program Files (x86)\PhotoScape\PhotoScape.exe Queries volume information: C:\Program Files (x86)\PhotoScape\frame\fold02.png VolumeInformation
Source: C:\Program Files (x86)\PhotoScape\PhotoScape.exe Queries volume information: C:\Program Files (x86)\PhotoScape\frame\fold03.png VolumeInformation
Source: C:\Program Files (x86)\PhotoScape\PhotoScape.exe Queries volume information: C:\Program Files (x86)\PhotoScape\frame\gradient01.png VolumeInformation
Source: C:\Program Files (x86)\PhotoScape\PhotoScape.exe Queries volume information: C:\Program Files (x86)\PhotoScape\frame\gradient02.png VolumeInformation
Source: C:\Program Files (x86)\PhotoScape\PhotoScape.exe Queries volume information: C:\Program Files (x86)\PhotoScape\frame\gradient03.png VolumeInformation
Source: C:\Program Files (x86)\PhotoScape\PhotoScape.exe Queries volume information: C:\Program Files (x86)\PhotoScape\frame\gradient04.png VolumeInformation
Source: C:\Program Files (x86)\PhotoScape\PhotoScape.exe Queries volume information: C:\Program Files (x86)\PhotoScape\frame\gradient05.png VolumeInformation
Source: C:\Program Files (x86)\PhotoScape\PhotoScape.exe Queries volume information: C:\Program Files (x86)\PhotoScape\frame\gradient06.png VolumeInformation
Source: C:\Program Files (x86)\PhotoScape\PhotoScape.exe Queries volume information: C:\Program Files (x86)\PhotoScape\frame\gradient07.png VolumeInformation
Source: C:\Program Files (x86)\PhotoScape\PhotoScape.exe Queries volume information: C:\Program Files (x86)\PhotoScape\frame\gradient08.png VolumeInformation
Source: C:\Program Files (x86)\PhotoScape\PhotoScape.exe Queries volume information: C:\Program Files (x86)\PhotoScape\frame\innerline_black.png VolumeInformation
Source: C:\Program Files (x86)\PhotoScape\PhotoScape.exe Queries volume information: C:\Program Files (x86)\PhotoScape\frame\innerline_white.png VolumeInformation
Source: C:\Program Files (x86)\PhotoScape\PhotoScape.exe Queries volume information: C:\Program Files (x86)\PhotoScape\frame\instant01.png VolumeInformation
Source: C:\Program Files (x86)\PhotoScape\PhotoScape.exe Queries volume information: C:\Program Files (x86)\PhotoScape\frame\instant02.png VolumeInformation
Source: C:\Program Files (x86)\PhotoScape\PhotoScape.exe Queries volume information: C:\Program Files (x86)\PhotoScape\frame\instant03.png VolumeInformation
Source: C:\Program Files (x86)\PhotoScape\PhotoScape.exe Queries volume information: C:\Program Files (x86)\PhotoScape\frame\instant04.png VolumeInformation
Source: C:\Program Files (x86)\PhotoScape\PhotoScape.exe Queries volume information: C:\Program Files (x86)\PhotoScape\frame\mimic01.png VolumeInformation
Source: C:\Program Files (x86)\PhotoScape\PhotoScape.exe Queries volume information: C:\Program Files (x86)\PhotoScape\frame\note01.bmp VolumeInformation
Source: C:\Program Files (x86)\PhotoScape\PhotoScape.exe Queries volume information: C:\Program Files (x86)\PhotoScape\frame\note02.png VolumeInformation
Source: C:\Program Files (x86)\PhotoScape\PhotoScape.exe Queries volume information: C:\Program Files (x86)\PhotoScape\frame\note03.bmp VolumeInformation
Source: C:\Program Files (x86)\PhotoScape\PhotoScape.exe Queries volume information: C:\Program Files (x86)\PhotoScape\frame\note04.png VolumeInformation
Source: C:\Program Files (x86)\PhotoScape\PhotoScape.exe Queries volume information: C:\Program Files (x86)\PhotoScape\frame\note05.bmp VolumeInformation
Source: C:\Program Files (x86)\PhotoScape\PhotoScape.exe Queries volume information: C:\Program Files (x86)\PhotoScape\frame\note06.png VolumeInformation
Source: C:\Program Files (x86)\PhotoScape\PhotoScape.exe Queries volume information: C:\Program Files (x86)\PhotoScape\frame\note07.png VolumeInformation
Source: C:\Program Files (x86)\PhotoScape\PhotoScape.exe Queries volume information: C:\Program Files (x86)\PhotoScape\frame\note08.png VolumeInformation
Source: C:\Program Files (x86)\PhotoScape\PhotoScape.exe Queries volume information: C:\Program Files (x86)\PhotoScape\frame\note09.png VolumeInformation
Source: C:\Program Files (x86)\PhotoScape\PhotoScape.exe Queries volume information: C:\Program Files (x86)\PhotoScape\frame\paper01.png VolumeInformation
Source: C:\Program Files (x86)\PhotoScape\PhotoScape.exe Queries volume information: C:\Program Files (x86)\PhotoScape\frame\paper02.png VolumeInformation
Source: C:\Program Files (x86)\PhotoScape\PhotoScape.exe Queries volume information: C:\Program Files (x86)\PhotoScape\frame\pattern01.bmp VolumeInformation
Source: C:\Program Files (x86)\PhotoScape\PhotoScape.exe Queries volume information: C:\Program Files (x86)\PhotoScape\frame\pattern02.bmp VolumeInformation
Source: C:\Program Files (x86)\PhotoScape\PhotoScape.exe Queries volume information: C:\Program Files (x86)\PhotoScape\frame\pattern03.bmp VolumeInformation
Source: C:\Program Files (x86)\PhotoScape\PhotoScape.exe Queries volume information: C:\Program Files (x86)\PhotoScape\frame\pattern04.bmp VolumeInformation
Source: C:\Program Files (x86)\PhotoScape\PhotoScape.exe Queries volume information: C:\Program Files (x86)\PhotoScape\frame\pattern05.png VolumeInformation
Source: C:\Program Files (x86)\PhotoScape\PhotoScape.exe Queries volume information: C:\Program Files (x86)\PhotoScape\frame\pattern06.png VolumeInformation
Source: C:\Program Files (x86)\PhotoScape\PhotoScape.exe Queries volume information: C:\Program Files (x86)\PhotoScape\frame\pattern07.png VolumeInformation
Source: C:\Program Files (x86)\PhotoScape\PhotoScape.exe Queries volume information: C:\Program Files (x86)\PhotoScape\frame\pattern08.png VolumeInformation
Source: C:\Program Files (x86)\PhotoScape\PhotoScape.exe Queries volume information: C:\Program Files (x86)\PhotoScape\frame\pattern09.bmp VolumeInformation
Source: C:\Program Files (x86)\PhotoScape\PhotoScape.exe Queries volume information: C:\Program Files (x86)\PhotoScape\frame\pattern10.png VolumeInformation
Source: C:\Program Files (x86)\PhotoScape\PhotoScape.exe Queries volume information: C:\Program Files (x86)\PhotoScape\frame\pattern11.bmp VolumeInformation
Source: C:\Program Files (x86)\PhotoScape\PhotoScape.exe Queries volume information: C:\Program Files (x86)\PhotoScape\frame\pattern12.bmp VolumeInformation
Source: C:\Program Files (x86)\PhotoScape\PhotoScape.exe Queries volume information: C:\Program Files (x86)\PhotoScape\frame\pattern13.png VolumeInformation
Source: C:\Program Files (x86)\PhotoScape\PhotoScape.exe Queries volume information: C:\Program Files (x86)\PhotoScape\frame\pattern14.png VolumeInformation
Source: C:\Program Files (x86)\PhotoScape\PhotoScape.exe Queries volume information: C:\Program Files (x86)\PhotoScape\frame\pattern15.png VolumeInformation
Source: C:\Program Files (x86)\PhotoScape\PhotoScape.exe Queries volume information: C:\Program Files (x86)\PhotoScape\frame\pattern16.png VolumeInformation
Source: C:\Program Files (x86)\PhotoScape\PhotoScape.exe Queries volume information: C:\Program Files (x86)\PhotoScape\frame\pocket.png VolumeInformation
Source: C:\Program Files (x86)\PhotoScape\PhotoScape.exe Queries volume information: C:\Program Files (x86)\PhotoScape\frame\pocket01.png VolumeInformation
Source: C:\Program Files (x86)\PhotoScape\PhotoScape.exe Queries volume information: C:\Program Files (x86)\PhotoScape\frame\pocket02.png VolumeInformation
Source: C:\Program Files (x86)\PhotoScape\PhotoScape.exe Queries volume information: C:\Program Files (x86)\PhotoScape\frame\pocket03.png VolumeInformation
Source: C:\Program Files (x86)\PhotoScape\PhotoScape.exe Queries volume information: C:\Program Files (x86)\PhotoScape\frame\printline01.png VolumeInformation
Source: C:\Program Files (x86)\PhotoScape\PhotoScape.exe Queries volume information: C:\Program Files (x86)\PhotoScape\frame\printline02.png VolumeInformation
Source: C:\Program Files (x86)\PhotoScape\PhotoScape.exe Queries volume information: C:\Program Files (x86)\PhotoScape\frame\round01.png VolumeInformation
Source: C:\Program Files (x86)\PhotoScape\PhotoScape.exe Queries volume information: C:\Program Files (x86)\PhotoScape\frame\round02.png VolumeInformation
Source: C:\Program Files (x86)\PhotoScape\PhotoScape.exe Queries volume information: C:\Program Files (x86)\PhotoScape\frame\round03.png VolumeInformation
Source: C:\Program Files (x86)\PhotoScape\PhotoScape.exe Queries volume information: C:\Program Files (x86)\PhotoScape\frame\round04.png VolumeInformation
Source: C:\Program Files (x86)\PhotoScape\PhotoScape.exe Queries volume information: C:\Program Files (x86)\PhotoScape\frame\round05.png VolumeInformation
Source: C:\Program Files (x86)\PhotoScape\PhotoScape.exe Queries volume information: C:\Program Files (x86)\PhotoScape\frame\round_shadow01.png VolumeInformation
Source: C:\Program Files (x86)\PhotoScape\PhotoScape.exe Queries volume information: C:\Program Files (x86)\PhotoScape\frame\round_shadow02.png VolumeInformation
Source: C:\Program Files (x86)\PhotoScape\PhotoScape.exe Queries volume information: C:\Program Files (x86)\PhotoScape\frame\shadow01.bmp VolumeInformation
Source: C:\Program Files (x86)\PhotoScape\PhotoScape.exe Queries volume information: C:\Program Files (x86)\PhotoScape\frame\shadow02.bmp VolumeInformation
Source: C:\Program Files (x86)\PhotoScape\PhotoScape.exe Queries volume information: C:\Program Files (x86)\PhotoScape\frame\shadow03.bmp VolumeInformation
Source: C:\Program Files (x86)\PhotoScape\PhotoScape.exe Queries volume information: C:\Program Files (x86)\PhotoScape\frame\shadow04.bmp VolumeInformation
Source: C:\Program Files (x86)\PhotoScape\PhotoScape.exe Queries volume information: C:\Program Files (x86)\PhotoScape\frame\shadow05.png VolumeInformation
Source: C:\Program Files (x86)\PhotoScape\PhotoScape.exe Queries volume information: C:\Program Files (x86)\PhotoScape\frame\shadow06.png VolumeInformation
Source: C:\Program Files (x86)\PhotoScape\PhotoScape.exe Queries volume information: C:\Program Files (x86)\PhotoScape\frame\shadow_border01.bmp VolumeInformation
Source: C:\Program Files (x86)\PhotoScape\PhotoScape.exe Queries volume information: C:\Program Files (x86)\PhotoScape\frame\shadow_border02.bmp VolumeInformation
Source: C:\Program Files (x86)\PhotoScape\PhotoScape.exe Queries volume information: C:\Program Files (x86)\PhotoScape\frame\shadow_border03.bmp VolumeInformation
Source: C:\Program Files (x86)\PhotoScape\PhotoScape.exe Queries volume information: C:\Program Files (x86)\PhotoScape\frame\slidemount01.png VolumeInformation
Source: C:\Program Files (x86)\PhotoScape\PhotoScape.exe Queries volume information: C:\Program Files (x86)\PhotoScape\frame\slidemount02.png VolumeInformation
Source: C:\Program Files (x86)\PhotoScape\PhotoScape.exe Queries volume information: C:\Program Files (x86)\PhotoScape\frame\soccer01.png VolumeInformation
Source: C:\Program Files (x86)\PhotoScape\PhotoScape.exe Queries volume information: C:\Program Files (x86)\PhotoScape\frame\soccer02.png VolumeInformation
Source: C:\Program Files (x86)\PhotoScape\PhotoScape.exe Queries volume information: C:\Program Files (x86)\PhotoScape\frame\stamp01.png VolumeInformation
Source: C:\Program Files (x86)\PhotoScape\PhotoScape.exe Queries volume information: C:\Program Files (x86)\PhotoScape\frame\stamp02.png VolumeInformation
Source: C:\Program Files (x86)\PhotoScape\PhotoScape.exe Queries volume information: C:\Program Files (x86)\PhotoScape\frame\stitch01.png VolumeInformation
Source: C:\Program Files (x86)\PhotoScape\PhotoScape.exe Queries volume information: C:\Program Files (x86)\PhotoScape\frame\stitch02.png VolumeInformation
Source: C:\Program Files (x86)\PhotoScape\PhotoScape.exe Queries volume information: C:\Program Files (x86)\PhotoScape\frame\tape01.png VolumeInformation
Source: C:\Program Files (x86)\PhotoScape\PhotoScape.exe Queries volume information: C:\Program Files (x86)\PhotoScape\frame\tape02.png VolumeInformation
Source: C:\Program Files (x86)\PhotoScape\PhotoScape.exe Queries volume information: C:\Program Files (x86)\PhotoScape\frame\tape03.png VolumeInformation
Source: C:\Program Files (x86)\PhotoScape\PhotoScape.exe Queries volume information: C:\Program Files (x86)\PhotoScape\frame\tape04.png VolumeInformation
Source: C:\Program Files (x86)\PhotoScape\PhotoScape.exe Queries volume information: C:\Program Files (x86)\PhotoScape\frame\tape05.png VolumeInformation
Source: C:\Program Files (x86)\PhotoScape\PhotoScape.exe Queries volume information: C:\Program Files (x86)\PhotoScape\frame\trans_border01.png VolumeInformation
Source: C:\Program Files (x86)\PhotoScape\PhotoScape.exe Queries volume information: C:\Program Files (x86)\PhotoScape\frame\trans_border02.png VolumeInformation
Source: C:\Program Files (x86)\PhotoScape\PhotoScape.exe Queries volume information: C:\Program Files (x86)\PhotoScape\frame\trans_border03.png VolumeInformation
Source: C:\Program Files (x86)\PhotoScape\PhotoScape.exe Queries volume information: C:\Program Files (x86)\PhotoScape\frame\wedding01.png VolumeInformation
Source: C:\Program Files (x86)\PhotoScape\PhotoScape.exe Queries volume information: C:\Program Files (x86)\PhotoScape\frame\wedding02.png VolumeInformation
Source: C:\Program Files (x86)\PhotoScape\PhotoScape.exe Queries volume information: C:\Program Files (x86)\PhotoScape\frame\wedding03.png VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\GTGCAPI.exe Code function: 2_2_004020B4 GetProcAddress,GetLocalTime,GetSystemTime,GetTimeZoneInformation, 2_2_004020B4
Source: C:\Program Files (x86)\GUM2392.tmp\GoogleUpdate.exe Code function: 10_2_6C957782 GetUserNameW,CoTaskMemFree,CoTaskMemFree,CoTaskMemFree, 10_2_6C957782
Source: C:\Users\user\AppData\Local\Temp\GTGCAPI.exe Code function: 2_2_00402C99 GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte,SetOaNoCache, 2_2_00402C99
Source: C:\Users\user\Desktop\PhotoScapeSetup_V3-7.exe Code function: 0_2_0040609E GetVersion,GetSystemDirectoryW,GetWindowsDirectoryW,SHGetSpecialFolderLocation,SHGetPathFromIDListW,CoTaskMemFree,lstrcatW,lstrlenW, 0_2_0040609E