Windows Analysis Report
BrowserUpdate.exe

Overview

General Information

Sample name: BrowserUpdate.exe
Analysis ID: 1472046
MD5: 696b3679926998b45c806a1068ffcb75
SHA1: 87a680e3018d3604eea9b1d28915fac5172f30df
SHA256: 393b1fdda7c4af084743c56c27585366567a8446c6438753d20b0b9ee3e72541

Detection

MicroClip
Score: 84
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected MicroClip
AI detected suspicious sample
Found direct / indirect Syscall (likely to bypass EDR)
Hides threads from debuggers
Query firmware table information (likely to detect VMs)
Switches to a custom stack to bypass stack traces
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect sandboxes and other dynamic analysis tools (window names)
AV process strings found (often used to terminate AV products)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Entry point lies outside standard sections
Installs a raw input device (often for capturing keystrokes)
PE file contains executable resources (Code or Archives)
PE file contains more sections than normal
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Tries to resolve domain names, but no domain seems valid (expired dropper behavior)

Classification

  • System is w10x64
  • BrowserUpdate.exe (PID: 1220 cmdline: "C:\Users\user\Desktop\BrowserUpdate.exe" MD5: 696B3679926998B45C806A1068FFCB75)
  • cleanup

No configs have been found

Source | Rule | Description | Author | Strings
BrowserUpdate.exe | JoeSecurity_MicroClip | Yara detected MicroClip | Joe Security |

Source | Rule | Description | Author | Strings
00000000.00000002.2205746713.00007FF7E2DC8000.00000002.00000001.01000000.00000003.sdmp | JoeSecurity_MicroClip | Yara detected MicroClip | Joe Security |
00000000.00000000.2108717389.00007FF7E2DC8000.00000002.00000001.01000000.00000003.sdmp | JoeSecurity_MicroClip | Yara detected MicroClip | Joe Security |
Process Memory Space: BrowserUpdate.exe PID: 1220 | JoeSecurity_MicroClip | Yara detected MicroClip | Joe Security |

No Sigma rule has matched
No Snort rule has matched

          AV Detection

Source: Submitted Sample | Integrated Neural Analysis Model: Matched 99.8% probability
Source: BrowserUpdate.exe | Static PE information: certificate valid
Source: Binary string: MpGear.pdb source: BrowserUpdate.exe
Source: Binary string: BTR.pdbGCTL source: BrowserUpdate.exe
Source: Binary string: KSLDriver.pdb source: BrowserUpdate.exe
Source: Binary string: KSLD.pdb source: BrowserUpdate.exe
Source: Binary string: C:\b\s\w\ir\cache\builder\src\out\Release\updater.exe.pdb source: BrowserUpdate.exe
Source: Binary string: offreg.pdbH source: BrowserUpdate.exe
Source: Binary string: KSLDriver.pdbGCTL source: BrowserUpdate.exe
Source: Binary string: MsMpEngCP.pdb source: BrowserUpdate.exe
Source: Binary string: c:\miniprojects\x86il\il86\x64\release\IL86.pdb! source: BrowserUpdate.exe, 00000000.00000002.2226332115.00007FF7E53C8000.00000080.00000001.01000000.00000003.sdmp, BrowserUpdate.exe, 00000000.00000000.2111947960.00007FF7E5386000.00000080.00000001.01000000.00000003.sdmp
Source: Binary string: C:\b\s\w\ir\cache\builder\src\out\Release\updater.exe.pdb0 source: BrowserUpdate.exe
Source: Binary string: BTR.pdb source: BrowserUpdate.exe
Source: Binary string: MsMpEngSvc.pdb source: BrowserUpdate.exe
Source: Binary string: mpengine.pdb source: BrowserUpdate.exe
Source: Binary string: MsMpEngSvc.pdbGCTL source: BrowserUpdate.exe
Source: Binary string: offreg.pdb source: BrowserUpdate.exe
Source: Binary string: KSLD.pdbGCTL source: BrowserUpdate.exe
Source: Binary string: MsMpEngCP.pdbGCTL source: BrowserUpdate.exe
Source: Binary string: c:\miniprojects\x86il\il86\x64\release\IL86.pdb source: BrowserUpdate.exe, 00000000.00000002.2226332115.00007FF7E53C8000.00000080.00000001.01000000.00000003.sdmp, BrowserUpdate.exe, 00000000.00000000.2111947960.00007FF7E5386000.00000080.00000001.01000000.00000003.sdmp
Source: Binary string: MpGear.pdbGCTL source: BrowserUpdate.exe
Source: Binary string: mpengine.pdbOGPS source: BrowserUpdate.exe
Source: unknown | DNS traffic detected: query: 15.164.165.52.in-addr.arpa replaycode: Name error (3)
Source: unknown | TCP traffic detected without corresponding DNS query: 193.3.19.110
Source: unknown | TCP traffic detected without corresponding DNS query: 193.3.19.110
Source: unknown | TCP traffic detected without corresponding DNS query: 193.3.19.110
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | DNS traffic detected: DNS query: 15.164.165.52.in-addr.arpa
Source: BrowserUpdate.exe | String found in binary or memory: http://.css
Source: BrowserUpdate.exe | String found in binary or memory: http://.jpg
Source: BrowserUpdate.exe | String found in binary or memory: http://.ocx.cabhtml:file::LowTelemetry
Source: BrowserUpdate.exe | String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: BrowserUpdate.exe | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: BrowserUpdate.exe | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: BrowserUpdate.exe | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: BrowserUpdate.exe | String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: BrowserUpdate.exe | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: BrowserUpdate.exe | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: BrowserUpdate.exe | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: BrowserUpdate.exe | String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: BrowserUpdate.exe | String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest
Source: BrowserUpdate.exe | String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd
Source: BrowserUpdate.exe | String found in binary or memory: http://earth.google.com/kml/2.0
Source: BrowserUpdate.exe | String found in binary or memory: http://earth.google.com/kml/2.1
Source: BrowserUpdate.exe | String found in binary or memory: http://earth.google.com/kml/2.2
Source: BrowserUpdate.exe | String found in binary or memory: http://html4/loose.dtd
Source: BrowserUpdate.exe | String found in binary or memory: http://ocsp.digicert.com0
Source: BrowserUpdate.exe | String found in binary or memory: http://ocsp.digicert.com0A
Source: BrowserUpdate.exe | String found in binary or memory: http://ocsp.digicert.com0C
Source: BrowserUpdate.exe | String found in binary or memory: http://ocsp.digicert.com0X
Source: BrowserUpdate.exe | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous
Source: BrowserUpdate.exe | String found in binary or memory: http://support.google.com/installer/
Source: BrowserUpdate.exe | String found in binary or memory: http://support.google.com/installer/%s?product=%s&error=%d
Source: BrowserUpdate.exe | String found in binary or memory: http://wails.localhost/runtime.WindowReload();msSmartScreenProtection-//ietf//dtd
Source: BrowserUpdate.exe | String found in binary or memory: http://www.collada.org/2005/11/COLLADASchema
Source: BrowserUpdate.exe | String found in binary or memory: http://www.digicert.com/CPS0
Source: BrowserUpdate.exe | String found in binary or memory: http://www.garmin.com/xmlschemas/TrainingCenterDatabase/v2
Source: BrowserUpdate.exe | String found in binary or memory: http://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web
Source: BrowserUpdate.exe | String found in binary or memory: http://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=webreferrerEvalError
Source: BrowserUpdate.exe | String found in binary or memory: http://www.ibm.com/data/dtd/v11/ibmxhtml1-transitional.dtdWarning:
Source: BrowserUpdate.exe, 00000000.00000002.2201160563.000000C000496000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://www.opengis.net/gml
Source: BrowserUpdate.exe | String found in binary or memory: http://www.opengis.net/gml/3.2
Source: BrowserUpdate.exe | String found in binary or memory: http://www.opengis.net/gml/3.3/exr
Source: BrowserUpdate.exe, 00000000.00000002.2201160563.000000C000496000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://www.opengis.net/kml/2.2
Source: BrowserUpdate.exe | String found in binary or memory: http://www.topografix.com/GPX/1/1
Source: BrowserUpdate.exe | String found in binary or memory: https://clients2.google.com/cr/report
Source: BrowserUpdate.exe | String found in binary or memory: https://crashpad.chromium.org/
Source: BrowserUpdate.exe | String found in binary or memory: https://crashpad.chromium.org/bug/new
Source: BrowserUpdate.exe | String found in binary or memory: https://crashpad.chromium.org/https://crashpad.chromium.org/bug/new
Source: BrowserUpdate.exe | String found in binary or memory: https://dl.google.com/update2/installers/icons/
Source: BrowserUpdate.exe | String found in binary or memory: https://github.com/gin-gonic/gin/blob/master/docs/doc.md#dont-trust-all-proxies
Source: BrowserUpdate.exe | String found in binary or memory: https://m.google.com/devicemanagement/data/api
Source: BrowserUpdate.exe | String found in binary or memory: https://pkg.go.dev/github.com/gin-gonic/gin#readme-don-t-trust-all-proxies
Source: BrowserUpdate.exe | String found in binary or memory: https://protobuf.dev/reference/go/faq#namespace-conflict%s%sthis%s
Source: BrowserUpdate.exe | String found in binary or memory: https://update.googleapis.com/service/update2/json
Source: BrowserUpdate.exe | String found in binary or memory: https://update.googleapis.com/service/update2/jsonhttps://clients2.google.com/cr/reporthttps://m.goo
Source: BrowserUpdate.exe | String found in binary or memory: https://www.apple.com/appleca/0
Source: unknown | Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49707
Source: BrowserUpdate.exe, 00000000.00000002.2206356467.00007FF7E444F000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: GetRawInputDatamemstr_b291d2fe-0
Source: BrowserUpdate.exe | Static PE information: Resource name: B7 type: 7-zip archive data, version 0.4
Source: BrowserUpdate.exe | Static PE information: Resource name: BINARY type: PE32+ executable (DLL) (console) x86-64, for MS Windows
Source: BrowserUpdate.exe | Static PE information: Resource name: BINARY type: PE32+ executable (DLL) (console) x86-64, for MS Windows
Source: BrowserUpdate.exe | Static PE information: Resource name: RT_STRING type: 0421 Alliant compact executable not stripped
Source: BrowserUpdate.exe | Static PE information: Resource name: RT_STRING type: PDP-11 executable not stripped
Source: BrowserUpdate.exe | Static PE information: Resource name: RT_STRING type: PDP-11 separate I&D executable not stripped
Source: BrowserUpdate.exe | Static PE information: Number of sections : 17 > 10
Source: BrowserUpdate.exe, 00000000.00000000.2109357931.00007FF7E4903000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameMsMpEngCP.exeZ vs BrowserUpdate.exe
Source: BrowserUpdate.exe, 00000000.00000002.2206356467.00007FF7E3897000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameupdater.exeH vs BrowserUpdate.exe
Source: BrowserUpdate.exe, 00000000.00000002.2206356467.00007FF7E444F000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: GetOriginalFileName vs BrowserUpdate.exe
Source: BrowserUpdate.exe, 00000000.00000002.2206356467.00007FF7E444F000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: SetOriginalFileName vs BrowserUpdate.exe
Source: BrowserUpdate.exe, 00000000.00000002.2206356467.00007FF7E444F000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: ENG:OFNSET:SetOriginalFileNameProcess:process:// vs BrowserUpdate.exe
Source: BrowserUpdate.exe, 00000000.00000002.2206356467.00007FF7E444F000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFileName vs BrowserUpdate.exe
Source: BrowserUpdate.exe, 00000000.00000002.2206356467.00007FF7E444F000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFileNameCreatorProcessId<Process ProcessId="%u" ProcessCreationTime="%llu" CreatorProcessId="%u" CreatorProcessCreationTime="%llu" Name="%s" IsExcluded="%u" IsFriendly="%u"> vs BrowserUpdate.exe
Source: BrowserUpdate.exe, 00000000.00000002.2206356467.00007FF7E444F000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: SecondParameterBM_RegistryKeyDeleteBM_RegistryKeyRenameBM_RegistryDeleteValueBM_RegistrySetValueBM_OpenFileBM_DeleteFileBM_RegistryKeyCreateBM_FileMetaDataBM_ProcessCreateBM_RawWriteBM_NetworkDetectionBM_ProcessStartBM_NetworkDataSendBM_NetworkConnectBM_RemoteThreadCreateBM_BootSectorChangeBM_Etw_PsSetLoadImageNotifyRoutineBM_EngineInternalBM_Etw_SetEventHookBM_Etw_TerminateProcessBM_ModuleLoadBM_ArDetectionBM_RegistryBlockDeleteBM_RegistryBlockSetBM_Etw_OpenThreadBM_Etw_OpenProcessBM_Etw_RegisterShutdownBM_Etw_RegisterLastShutdownBM_Etw_NtAdjustPrivilegesBM_Etw_RegisterInputDevicesBM_Etw_WriteMemoryBM_Etw_SetThreadContextBM_RegistryBlockReplaceBM_RegistryBlockRestoreBM_DesktopBM_VolumeMountBM_RegistryRestoreBM_Etw_CreateLinkBM_RegistryBlockRenameBM_RegistryReplaceBM_Etw_SetWindowsHookBM_Etw_BlockExploitBM_CreateFolderBM_Etw_GetAsyncKeyStateBM_BlockOpenProcessBM_OpenProcessBM_Etw_CodeInjectionBM_RegistryBlockCreateBM_EnumFolderBM_Etw_WMIExecMethodBM_Etw_OCTAGON_PROCESS_TOKEN_TAMPERING_ENFORCEBM_RenameFolderBM_Etw_DirEnumBM_Etw_AllocVmLocalBM_Etw_WMIActivityNewBM_Etw_ClearLogBM_Etw_OCTAGON_DANGEROUS_DEVICE_PRESENT_AUDITBM_Etw_OCTAGON_DRIVER_DISPATCH_REDIRECTION_AUDITBM_HardLinkFileBM_Etw_OCTAGON_RUNTIME_CI_FAILURE_AUDITBM_Etw_OCTAGON_DANGEROUS_DEVICE_PRESENT_ENFORCEBM_Etw_OCTAGON_DRIVER_DISPATCH_REDIRECTION_ENFORCEBM_Etw_OCTAGON_PROCESS_TOKEN_TAMPERING_AUDITBM_Etw_OCTAGON_RUNTIME_CI_FAILURE_ENFORCEBM_Etw_CredEnumerateBM_Etw_CredReadCredentialsBM_Etw_CredFindBestCredentialBM_Etw_CredReadDomainCredentialsBM_DLPBM_CopyFileBM_Etw_OCTAGON_PROCESS_TAMPERING_AUDITBM_Etw_OCTAGON_PROCESS_TAMPERING_ENFORCEBM_TaintBM_Etw_VaultGetUniqueCredentialBM_Amsi_MatchBM_Amsi_ScanBM_Etw_CredBackupCredentialsBM_Etw_CredReadByTokenHandleBM_Etw_VaultEnumerateCredentialsBM_Etw_VaultFindCredentialsBM_Etw_LogonFailureBM_Etw_LogonSuccessBM_Etw_AccountPasswordChangedBM_Etw_UserAccountChangedBM_Etw_BITSCreateBM_Etw_LDAPSearchBM_Etw_ScheduledTaskUpdateBM_Etw_ScheduledTaskCreateBM_Etw_ExploitProtectionBM_Etw_UserAccountCreatedBM_Network_VolumeBM_Network_PortOpenBM_Etw_HiveHistoryClearBM_Etw_AccountPasswordResetBM_SignatureTriggerBM_OriginalFileNameBM_Etw_UnloadDriverBM_Etw_LoadDriverBM_Etw_UnloadDeviceBM_Etw_LoadDeviceBM_Etw_ResumeThreadBM_Etw_SuspendThreadBM_Etw_ResumeProcessBM_Etw_SuspendProcessBM_Etw_ServiceHostStartedBM_Etw_ServiceChangeAccountInfoBM_Network_FailureBM_Etw_ServiceStartedBM_Etw_ServiceStopBM_Etw_ProtectVmLocalBM_Etw_ServiceChangeBinaryPathBM_Etw_ServiceChangeStartTypeAL""L"%ls""%hS"BM_Etw_AllocVmRemoteBM_Etw_ProtectVmRemoteBM_Etw_V2CodeInjectionBM_Etw_ReadVmRemoteATTR_%08lxSigSeqThreatName{0, %ls, __attr_none__, %ls, %ls}0x%lXError while processing Event, i.e you're missing an event.Error while processing Event: ID = [%d], HR = [%lx]IsPePlusIsPeFileInfoIsPacked vs BrowserUpdate.exe
Source: BrowserUpdate.exe, 00000000.00000002.2206356467.00007FF7E444F000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameCompanyNameCommentsLegalCopyrightProductNameFileDescriptionLegalTrademarksPeStaticCRC3LengthCRC1IatSkipCRC3CRC2CopyrightCommentsArchitectureTrademarksFileVersionPeStaticsEpSecSectionKCRC2KCRC1KCRC3InternalNameFileDescriptionOriginalFileNamePEUnknownx86ia64x64 vs BrowserUpdate.exe
Source: BrowserUpdate.exe, 00000000.00000000.2109357931.00007FF7E4906000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameMsMpEngSvc.dllZ vs BrowserUpdate.exe
Source: BrowserUpdate.exe, 00000000.00000000.2109357931.00007FF7E4906000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenamempengine.dllZ vs BrowserUpdate.exe
Source: BrowserUpdate.exe, 00000000.00000000.2109357931.00007FF7E4906000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameMpGear.dllZ vs BrowserUpdate.exe
Source: BrowserUpdate.exe, 00000000.00000002.2206356467.00007FF7E4631000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilename vs BrowserUpdate.exe
Source: BrowserUpdate.exe, 00000000.00000002.2206356467.00007FF7E4631000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: \Unknown member: doshdr.%spevars not availableUnknown member: pehdr.%sInvalid index in DataDirectory: %dInvalid index in opclog: %dInvalid index in fopclog2: %dInvalid index in epcode: %dInvalid index in fopclog: %dUnknown member: peattributes.%sInvalid section %d or bigger than NumberOfSection=%d!__mmap_ex() failedpe_fofs_to_mofs failed!__mmap_ex(%d) failedmmap_patch(): buffer is emptymmap_patch_buff() failedpe_mofs_to_fofs(%d) failedUfsSeekRead(%d) failedImageName is NULLStringCchCopyA failedFileDescriptionInternalNameCompanyNamepe.get_versioninfo() failed to create the StringVersionIterator: %sInvalid sigattr_head indexpe.vm_search: mask_size != buffer_sizeInvalid index in netmetadata.tokens: %dpe.get_fixedversioninfo() failed to create the StringVersionIterator: %sFileVersionFileTypeFileSubtypeFileDateOriginalFilenameProductVersionFileFlagsMaskFileFlagsFileOSpe.metadata_decode: decode failed for 0x%xInvalid index in v->imps: %dfnrvape.metadata_decode: Invalid field index %d (should be 1-based)9m vs BrowserUpdate.exe
Source: BrowserUpdate.exe, 00000000.00000002.2206356467.00007FF7E4631000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: ClearOriginalFileName vs BrowserUpdate.exe
Source: BrowserUpdate.exe, 00000000.00000002.2206356467.00007FF7E4631000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: $OFNAllowIdenticalNamesClearOriginalFileName vs BrowserUpdate.exe
Source: BrowserUpdate.exe, 00000000.00000002.2206356467.00007FF7E4631000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: mZOriginalFileNameMaintenanceWindow vs BrowserUpdate.exe
Source: BrowserUpdate.exe, 00000000.00000002.2206356467.00007FF7E4631000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: mZOriginalFileNameMaintenanceWindowprocessed%zd files in Moac, %zd skipped (cached), %zd filename setOriginalFileName Maintenance:HintENG:OFNPROCESSED:) vs BrowserUpdate.exe
Source: BrowserUpdate.exe, 00000000.00000002.2206356467.00007FF7E4631000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: .?AVCMaintenanceOriginalFileNameTask@@ vs BrowserUpdate.exe
Source: BrowserUpdate.exe, 00000000.00000002.2206356467.00007FF7E4631000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameBTR.sysZ vs BrowserUpdate.exe
Source: BrowserUpdate.exe, 00000000.00000002.2206356467.00007FF7E4631000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameoffreg.dllj% vs BrowserUpdate.exe
Source: BrowserUpdate.exe, 00000000.00000002.2206356467.00007FF7E4631000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameKSLDriver.sysZ vs BrowserUpdate.exe
Source: BrowserUpdate.exe, 00000000.00000002.2206356467.00007FF7E4631000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameKSLD.sysZ vs BrowserUpdate.exe
Source: BrowserUpdate.exe | Binary or memory string: OriginalFilenameupdater.exeH vs BrowserUpdate.exe
Source: BrowserUpdate.exe | Binary or memory string: GetOriginalFileName vs BrowserUpdate.exe
Source: BrowserUpdate.exe | Binary or memory string: SetOriginalFileName vs BrowserUpdate.exe
Source: BrowserUpdate.exe | Binary or memory string: ENG:OFNSET:SetOriginalFileNameProcess:process:// vs BrowserUpdate.exe
Source: BrowserUpdate.exe | Binary or memory string: OriginalFileName vs BrowserUpdate.exe
Source: BrowserUpdate.exe | Binary or memory string: OriginalFileNameCreatorProcessId<Process ProcessId="%u" ProcessCreationTime="%llu" CreatorProcessId="%u" CreatorProcessCreationTime="%llu" Name="%s" IsExcluded="%u" IsFriendly="%u"> vs BrowserUpdate.exe
Source: BrowserUpdate.exe | Binary or memory string: SecondParameterBM_RegistryKeyDeleteBM_RegistryKeyRenameBM_RegistryDeleteValueBM_RegistrySetValueBM_OpenFileBM_DeleteFileBM_RegistryKeyCreateBM_FileMetaDataBM_ProcessCreateBM_RawWriteBM_NetworkDetectionBM_ProcessStartBM_NetworkDataSendBM_NetworkConnectBM_RemoteThreadCreateBM_BootSectorChangeBM_Etw_PsSetLoadImageNotifyRoutineBM_EngineInternalBM_Etw_SetEventHookBM_Etw_TerminateProcessBM_ModuleLoadBM_ArDetectionBM_RegistryBlockDeleteBM_RegistryBlockSetBM_Etw_OpenThreadBM_Etw_OpenProcessBM_Etw_RegisterShutdownBM_Etw_RegisterLastShutdownBM_Etw_NtAdjustPrivilegesBM_Etw_RegisterInputDevicesBM_Etw_WriteMemoryBM_Etw_SetThreadContextBM_RegistryBlockReplaceBM_RegistryBlockRestoreBM_DesktopBM_VolumeMountBM_RegistryRestoreBM_Etw_CreateLinkBM_RegistryBlockRenameBM_RegistryReplaceBM_Etw_SetWindowsHookBM_Etw_BlockExploitBM_CreateFolderBM_Etw_GetAsyncKeyStateBM_BlockOpenProcessBM_OpenProcessBM_Etw_CodeInjectionBM_RegistryBlockCreateBM_EnumFolderBM_Etw_WMIExecMethodBM_Etw_OCTAGON_PROCESS_TOKEN_TAMPERING_ENFORCEBM_RenameFolderBM_Etw_DirEnumBM_Etw_AllocVmLocalBM_Etw_WMIActivityNewBM_Etw_ClearLogBM_Etw_OCTAGON_DANGEROUS_DEVICE_PRESENT_AUDITBM_Etw_OCTAGON_DRIVER_DISPATCH_REDIRECTION_AUDITBM_HardLinkFileBM_Etw_OCTAGON_RUNTIME_CI_FAILURE_AUDITBM_Etw_OCTAGON_DANGEROUS_DEVICE_PRESENT_ENFORCEBM_Etw_OCTAGON_DRIVER_DISPATCH_REDIRECTION_ENFORCEBM_Etw_OCTAGON_PROCESS_TOKEN_TAMPERING_AUDITBM_Etw_OCTAGON_RUNTIME_CI_FAILURE_ENFORCEBM_Etw_CredEnumerateBM_Etw_CredReadCredentialsBM_Etw_CredFindBestCredentialBM_Etw_CredReadDomainCredentialsBM_DLPBM_CopyFileBM_Etw_OCTAGON_PROCESS_TAMPERING_AUDITBM_Etw_OCTAGON_PROCESS_TAMPERING_ENFORCEBM_TaintBM_Etw_VaultGetUniqueCredentialBM_Amsi_MatchBM_Amsi_ScanBM_Etw_CredBackupCredentialsBM_Etw_CredReadByTokenHandleBM_Etw_VaultEnumerateCredentialsBM_Etw_VaultFindCredentialsBM_Etw_LogonFailureBM_Etw_LogonSuccessBM_Etw_AccountPasswordChangedBM_Etw_UserAccountChangedBM_Etw_BITSCreateBM_Etw_LDAPSearchBM_Etw_ScheduledTaskUpdateBM_Etw_ScheduledTaskCreateBM_Etw_ExploitProtectionBM_Etw_UserAccountCreatedBM_Network_VolumeBM_Network_PortOpenBM_Etw_HiveHistoryClearBM_Etw_AccountPasswordResetBM_SignatureTriggerBM_OriginalFileNameBM_Etw_UnloadDriverBM_Etw_LoadDriverBM_Etw_UnloadDeviceBM_Etw_LoadDeviceBM_Etw_ResumeThreadBM_Etw_SuspendThreadBM_Etw_ResumeProcessBM_Etw_SuspendProcessBM_Etw_ServiceHostStartedBM_Etw_ServiceChangeAccountInfoBM_Network_FailureBM_Etw_ServiceStartedBM_Etw_ServiceStopBM_Etw_ProtectVmLocalBM_Etw_ServiceChangeBinaryPathBM_Etw_ServiceChangeStartTypeAL""L"%ls""%hS"BM_Etw_AllocVmRemoteBM_Etw_ProtectVmRemoteBM_Etw_V2CodeInjectionBM_Etw_ReadVmRemoteATTR_%08lxSigSeqThreatName{0, %ls, __attr_none__, %ls, %ls}0x%lXE<