Malware analysis Install-GooglePlayGames-DeveloperEmulator-Stable.exe Malicious activity

Add for printing

File name:	Install-GooglePlayGames-DeveloperEmulator-Stable.exe
Full analysis:	https://app.any.run/tasks/4ec3e089-f38c-42d0-b996-02accfcdf5f2
Verdict:	Malicious activity
Analysis date:	November 07, 2024, 10:36:56
OS:	Windows 10 Professional (build: 19045, 64 bit)
Indicators:
MIME:	application/vnd.microsoft.portable-executable
File info:	PE32 executable (GUI) Intel 80386, for MS Windows, 8 sections
MD5:	0803615AA102AFE28EB297C2BFDB54BE
SHA1:	B2CF3781A5F830008D498D4DA5BAE08EF662C7B4
SHA256:	36427B83E4A646307780AAD0E7CAC45EEFCF956DBD6D7799981C5FF43E1B0E4E
SSDEEP:	98304:sJOajhYAsUeyS0KTFnY1viV7azuAYy9gSPWAgVuyDztsyLFHJiePAZrPI5D+PeZJ:FRcJoRZew/

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 300 seconds
Heavy Evasion option:
Network geolocation:: off
Additional time used:: 240 seconds
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.3636.19041.0
Adobe Acrobat (64-bit) (23.001.20093)
Adobe Flash Player 32 NPAPI (32.0.0.465)
Adobe Flash Player 32 PPAPI (32.0.0.465)
CCleaner (6.20)
FileZilla 3.65.0 (3.65.0)
Google Chrome (122.0.6261.70)
Google Update Helper (1.3.36.51)
Java 8 Update 271 (64-bit) (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Microsoft Edge (122.0.2365.59)
Microsoft Edge Update (1.3.185.17)
Microsoft Office Professional 2019 - de-de (16.0.16026.20146)
Microsoft Office Professional 2019 - en-us (16.0.16026.20146)
Microsoft Office Professional 2019 - es-es (16.0.16026.20146)
Microsoft Office Professional 2019 - it-it (16.0.16026.20146)
Microsoft Office Professional 2019 - ja-jp (16.0.16026.20146)
Microsoft Office Professional 2019 - ko-kr (16.0.16026.20146)
Microsoft Office Professional 2019 - pt-br (16.0.16026.20146)
Microsoft Office Professional 2019 - tr-tr (16.0.16026.20146)
Microsoft Office Professionnel 2019 - fr-fr (16.0.16026.20146)
Microsoft Office профессиональный 2019 - ru-ru (16.0.16026.20146)
Microsoft OneNote - en-us (16.0.16026.20146)
Microsoft Update Health Tools (3.74.0.0)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x64 en-US) (123.0)
Mozilla Maintenance Service (123.0)
Notepad++ (64-bit x64) (7.9.1)
Office 16 Click-to-Run Extensibility Component (16.0.15726.20202)
Office 16 Click-to-Run Licensing Component (16.0.16026.20146)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15928.20198)
PowerShell 7-x64 (7.3.5.0)
Skype version 8.104 (8.104)
Update for Windows 10 for x64-based Systems (KB4023057) (2.59.0.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.63.0.0)
Update for Windows 10 for x64-based Systems (KB4480730) (2.55.0.0)
Update for Windows 10 for x64-based Systems (KB5001716) (8.93.0.0)
VLC media player (3.0.11)
WinRAR 5.91 (64-bit) (5.91.0)
Windows PC Health Check (3.6.2204.08001)

Hotfixes

Client LanguagePack Package
DotNetRollup
DotNetRollup 481
FodMetadata Package
Foundation Package
Hello Face Package
InternetExplorer Optional Package
KB5003791
KB5011048
KB5015684
KB5033052
LanguageFeatures Basic en us Package
LanguageFeatures Handwriting en us Package
LanguageFeatures OCR en us Package
LanguageFeatures Speech en us Package
LanguageFeatures TextToSpeech en us Package
MSPaint FoD Package
MediaPlayer Package
Microsoft OneCore ApplicationModel Sync Desktop FOD Package
Microsoft OneCore DirectX Database FOD Package
NetFx3 OnDemand Package
Notepad FoD Package
OpenSSH Client Package
PowerShell ISE FOD Package
Printing PMCPPC FoD Package
Printing WFS FoD Package
ProfessionalEdition
QuickAssist Package
RollupFix
ServicingStack
ServicingStack 3989
StepsRecorder Package
TabletPCMath Package
UserExperience Desktop Package
WordPad FoD Package

Add for printing

MALICIOUS
No malicious indicators.
SUSPICIOUS
- Reads security settings of Internet Explorer
  - Install-GooglePlayGames-DeveloperEmulator-Stable.exe (PID: 6136)
  - updater.exe (PID: 3000)
- Application launched itself
  - Install-GooglePlayGames-DeveloperEmulator-Stable.exe (PID: 6136)
  - updater.exe (PID: 3000)
  - updater.exe (PID: 6148)
  - updater.exe (PID: 3960)
  - updater.exe (PID: 6436)
  - updater.exe (PID: 4808)
  - updater.exe (PID: 6896)
  - updater.exe (PID: 6676)
  - updater.exe (PID: 6220)
- Executable content was dropped or overwritten
  - updater.exe (PID: 3000)
  - updater.exe (PID: 6220)
  - HPE-24.9.1554.1-CIP_3pdev_prod.exe (PID: 7904)
  - 7zr.exe (PID: 7204)
  - GooglePlayGamesServicesInstaller.exe (PID: 7480)
  - InstallHypervisor.exe (PID: 7732)
- Executes as Windows Service
  - updater.exe (PID: 6220)
  - updater.exe (PID: 6148)
  - updater.exe (PID: 6436)
  - updater.exe (PID: 6896)
  - updater.exe (PID: 6676)
- Checks Windows Trust Settings
  - updater.exe (PID: 3000)
- Starts CMD.EXE for commands execution
  - HPE-24.9.1554.1-CIP_3pdev_prod.exe (PID: 7904)
- Drops a system driver (possible attempt to evade defenses)
  - 7zr.exe (PID: 7204)
  - InstallHypervisor.exe (PID: 7732)
- Uses NETSH.EXE to delete a firewall rule or allowed programs
  - HPE-24.9.1554.1-CIP_3pdev_prod.exe (PID: 7904)
- Drops 7-zip archiver for unpacking
  - HPE-24.9.1554.1-CIP_3pdev_prod.exe (PID: 7904)
- Uses NETSH.EXE to add a firewall rule or allowed programs
  - HPE-24.9.1554.1-CIP_3pdev_prod.exe (PID: 7904)
- Process drops legitimate windows executable
  - 7zr.exe (PID: 7204)
- The process drops C-runtime libraries
  - 7zr.exe (PID: 7204)
- Starts SC.EXE for service management
  - InstallHypervisor.exe (PID: 7732)
- The process executes via Task Scheduler
  - updater.exe (PID: 4808)
INFO
- Checks supported languages
  - Install-GooglePlayGames-DeveloperEmulator-Stable.exe (PID: 6136)
  - updater.exe (PID: 3000)
  - Install-GooglePlayGames-DeveloperEmulator-Stable.exe (PID: 4312)
  - updater.exe (PID: 4700)
  - updater.exe (PID: 6148)
  - updater.exe (PID: 632)
  - updater.exe (PID: 6220)
  - updater.exe (PID: 3864)
- Reads the computer name
  - Install-GooglePlayGames-DeveloperEmulator-Stable.exe (PID: 6136)
  - updater.exe (PID: 3000)
  - Install-GooglePlayGames-DeveloperEmulator-Stable.exe (PID: 4312)
  - updater.exe (PID: 6148)
  - updater.exe (PID: 6220)
- Process checks computer location settings
  - Install-GooglePlayGames-DeveloperEmulator-Stable.exe (PID: 6136)
- Creates files in the program directory
  - Install-GooglePlayGames-DeveloperEmulator-Stable.exe (PID: 4312)
  - updater.exe (PID: 3000)
  - updater.exe (PID: 4700)
  - updater.exe (PID: 6220)
- Process checks whether UAC notifications are on
  - updater.exe (PID: 3000)
  - updater.exe (PID: 6220)
  - updater.exe (PID: 6148)
- Checks proxy server information
  - updater.exe (PID: 3000)
- Reads the machine GUID from the registry
  - updater.exe (PID: 3000)
- Creates files or folders in the user directory
  - updater.exe (PID: 3000)
- Reads the software policy settings
  - updater.exe (PID: 6148)
  - updater.exe (PID: 3000)
- Manual execution by a user
  - Bootstrapper.exe (PID: 2068)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.exe	\|	Generic Win/DOS Executable (50)
.exe	\|	DOS Executable Generic (49.9)

EXIF

EXE

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2024:10:14 03:02:02+00:00
ImageFileCharacteristics:	Executable, Large address aware, 32-bit
PEType:	PE32
LinkerVersion:	14
CodeSize:	3359232
InitializedDataSize:	6839808
UninitializedDataSize:	-
EntryPoint:	0x1b6fd0
OSVersion:	10
ImageVersion:	-
SubsystemVersion:	10
Subsystem:	Windows GUI
FileVersionNumber:	131.0.6776.0
ProductVersionNumber:	131.0.6776.0
FileFlagsMask:	0x0017
FileFlags:	(none)
FileOS:	Win32
ObjectFileType:	Executable application
FileSubtype:	-
LanguageCode:	English (U.S.)
CharacterSet:	Unicode
CompanyName:	Google LLC
FileDescription:	Google Installer
FileVersion:	131.0.6776.0
InternalName:	Google Installer(x86)
LegalCopyright:	Copyright 2024 Google LLC. All rights reserved.
OriginalFileName:	UpdaterSetup.exe
ProductName:	Google Installer
ProductVersion:	131.0.6776.0
CompanyShortName:	Google
ProductShortName:	GoogleUpdater
LastChange:	9375f838d3d59edadc27380f48f0f1c166dc626b-refs/branch-heads/6776@{#1}
OfficialBuild:	1

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

172

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

632

"C:\Program Files (x86)\Google\GoogleUpdater\131.0.6776.0\updater.exe" --crash-handler --system "--database=C:\Program Files (x86)\Google\GoogleUpdater\131.0.6776.0\Crashpad" --url=https://clients2.google.com/cr/report --annotation=prod=Update4 --annotation=ver=131.0.6776.0 "--attachment=C:\Program Files (x86)\Google\GoogleUpdater\updater.log" --initial-client-data=0x29c,0x2a0,0x2a4,0x278,0x2a8,0x1046290,0x104629c,0x10462a8

C:\Program Files (x86)\Google\GoogleUpdater\131.0.6776.0\updater.exe

—

updater.exe

User:

SYSTEM

Company:

Google LLC

Integrity Level:

SYSTEM

Description:

Google Updater

Exit code:

Version:

131.0.6776.0

Modules

Images
c:\program files (x86)\google\googleupdater\131.0.6776.0\updater.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\advapi32.dll
c:\windows\syswow64\msvcrt.dll

1752

C:\WINDOWS\SystemTemp\chrome_Unpacker_BeginUnzipping6148_1382834453\installer_output3480161093\GooglePlayGamesServicesInstaller.exe

C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping6148_1382834453\installer_output3480161093\GooglePlayGamesServicesInstaller.exe

GooglePlayGamesServicesInstaller.exe

User:

SYSTEM

Company:

Google

Integrity Level:

SYSTEM

Description:

Google Play Games Services Installer

Exit code:

40001

Version:

0.0.1

Modules

Images
c:\windows\systemtemp\chrome_unpacker_beginunzipping6148_1382834453\installer_output3480161093\googleplaygamesservicesinstaller.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll

2068

"C:\Program Files\Google\Play Games Developer Emulator\Bootstrapper.exe"

C:\Program Files\Google\Play Games Developer Emulator\Bootstrapper.exe

explorer.exe

User:

admin

Company:

Google LLC

Integrity Level:

MEDIUM

Description:

Google Play Games

Exit code:

Version:

1.0.0.14

Modules

Images
c:\program files\google\play games developer emulator\bootstrapper.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll

2224

\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

—

7zr.exe

User:

SYSTEM

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

Console Window Host

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

2360

"C:\WINDOWS\system32\netsh.exe" advfirewall firewall add rule dir=in action=allow enable=yes profile=domain,private,public protocol=udp "description=Google Play Games Developer Emulator Service" "name=Google Play Games Developer Emulator Service" "program=C:\Program Files\Google\Play Games Developer Emulator\current\emulator\crosvm.exe"

C:\Windows\System32\netsh.exe

—

HPE-24.9.1554.1-CIP_3pdev_prod.exe

User:

SYSTEM

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

Network Command Shell

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\netsh.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

2360

"C:\Program Files (x86)\Google\GoogleUpdater\131.0.6776.0\updater.exe" --crash-handler --system "--database=C:\Program Files (x86)\Google\GoogleUpdater\131.0.6776.0\Crashpad" --url=https://clients2.google.com/cr/report --annotation=prod=Update4 --annotation=ver=131.0.6776.0 "--attachment=C:\Program Files (x86)\Google\GoogleUpdater\updater.log" --initial-client-data=0x2a4,0x2a8,0x2ac,0x280,0x2b0,0x1046290,0x104629c,0x10462a8

C:\Program Files (x86)\Google\GoogleUpdater\131.0.6776.0\updater.exe

—

updater.exe

User:

SYSTEM

Company:

Google LLC

Integrity Level:

SYSTEM

Description:

Google Updater

Version:

131.0.6776.0

Modules

Images
c:\program files (x86)\google\googleupdater\131.0.6776.0\updater.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\advapi32.dll
c:\windows\syswow64\msvcrt.dll

3000

"C:\WINDOWS\SystemTemp\Google4312_1773279880\bin\updater.exe" --install=appguid={C601E9A4-03B0-4188-843E-80058BF16EF9}&appname=GPG_Developer_Emulator_Stable&needsadmin=true&ap=prod --enable-logging --vmodule=*/components/winhttp/*=1,*/components/update_client/*=2,*/chrome/enterprise_companion/*=2,*/chrome/updater/*=2 --expect-elevated

C:\Windows\SystemTemp\Google4312_1773279880\bin\updater.exe

Install-GooglePlayGames-DeveloperEmulator-Stable.exe

User:

admin

Company:

Google LLC

Integrity Level:

HIGH

Description:

Google Updater

Exit code:

Version:

131.0.6776.0

Modules

Images
c:\windows\systemtemp\google4312_1773279880\bin\updater.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll

3864

"C:\Program Files (x86)\Google\GoogleUpdater\131.0.6776.0\updater.exe" --crash-handler --system "--database=C:\Program Files (x86)\Google\GoogleUpdater\131.0.6776.0\Crashpad" --url=https://clients2.google.com/cr/report --annotation=prod=Update4 --annotation=ver=131.0.6776.0 "--attachment=C:\Program Files (x86)\Google\GoogleUpdater\updater.log" --initial-client-data=0x2a0,0x2a4,0x2a8,0x27c,0x2ac,0x1046290,0x104629c,0x10462a8

C:\Program Files (x86)\Google\GoogleUpdater\131.0.6776.0\updater.exe

—

updater.exe

User:

SYSTEM

Company:

Google LLC

Integrity Level:

SYSTEM

Description:

Google Updater

Exit code:

Version:

131.0.6776.0

Modules

Images
c:\program files (x86)\google\googleupdater\131.0.6776.0\updater.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\advapi32.dll
c:\windows\syswow64\msvcrt.dll

3928

\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

—

InstallHypervisor.exe

User:

SYSTEM

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

Console Window Host

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

3960

"C:\WINDOWS\SystemTemp\Google6692_1868942047\bin\updater.exe" --silent --install=appguid={5B9D6427-8AB1-42D0-9F13-4EE089071B8E}&appname=Google+Desktop+Services&needsadmin=true --enable-logging --vmodule=*/components/winhttp/*=1,*/components/update_client/*=2,*/chrome/updater/*=2

C:\Windows\SystemTemp\Google6692_1868942047\bin\updater.exe

—

GooglePlayGamesServicesInstaller.exe

User:

SYSTEM

Company:

Google LLC

Integrity Level:

SYSTEM

Description:

GoogleUpdater (x86)

Exit code:

Version:

127.0.6512.0

Modules

Images
c:\windows\systemtemp\google6692_1868942047\bin\updater.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\advapi32.dll
c:\windows\syswow64\msvcrt.dll

Add for printing

Total events

32 361

Read events

23 062

Write events

9 269

Delete events

Modification events


(PID) Process:	(3000) updater.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Google\Update\Clients\{44fc7fe2-65ce-487c-93f4-edee46eeaaab}
Operation:	write	Name:	pv
Value: 131.0.6776.0
(PID) Process:	(3000) updater.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Google\Update\Clients\{44fc7fe2-65ce-487c-93f4-edee46eeaaab}
Operation:	write	Name:	name
Value: GoogleUpdater
(PID) Process:	(3000) updater.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Google\Update\ClientState\{44fc7fe2-65ce-487c-93f4-edee46eeaaab}
Operation:	write	Name:	pv
Value: 131.0.6776.0
(PID) Process:	(3000) updater.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Google\Update\ClientState\{44fc7fe2-65ce-487c-93f4-edee46eeaaab}
Operation:	write	Name:	name
Value: GoogleUpdater
(PID) Process:	(3000) updater.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7405F538-1185-5D46-BDE0-8FD5C0DBFF39}
Operation:	write	Name:	AppID
Value: {7405F538-1185-5D46-BDE0-8FD5C0DBFF39}
(PID) Process:	(3000) updater.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{7405F538-1185-5D46-BDE0-8FD5C0DBFF39}
Operation:	write	Name:	LocalService
Value: GoogleUpdaterInternalService131.0.6776.0
(PID) Process:	(3000) updater.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{7405F538-1185-5D46-BDE0-8FD5C0DBFF39}
Operation:	write	Name:	ServiceParameters
Value: --com-service
(PID) Process:	(3000) updater.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{FC1132BC-C84F-5D90-9BB6-3D44C6394B28}\TypeLib
Operation:	write	Name:	Version
Value: 1.0
(PID) Process:	(3000) updater.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{FC1132BC-C84F-5D90-9BB6-3D44C6394B28}\TypeLib
Operation:	write	Name:	Version
Value: 1.0
(PID) Process:	(3000) updater.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D5BB0C40-8078-5D97-80DD-2C8F4510263D}\TypeLib
Operation:	write	Name:	Version
Value: 1.0

Add for printing

Executable files

111

Suspicious files

Text files

Unknown types

Dropped files

PID	Process	Filename		Type
4312	Install-GooglePlayGames-DeveloperEmulator-Stable.exe	C:\Windows\SystemTemp\Google4312_587959133\UPDATER.PACKED.7Z		—
		MD5:—	SHA256:—
3000	updater.exe	C:\Program Files (x86)\Google\GoogleUpdater\prefs.json		binary
		MD5:4A2784F1CA879E8FBBD97E39D0DE3CC9	SHA256:2BCD0A4051B1FA5B0444CEE9FD9F7341FAFE1EAE36659511926EBEFBA648DEE9
3000	updater.exe	C:\Program Files (x86)\Google\GoogleUpdater\updater.log		text
		MD5:26C9A5B47C6FF216BE796BEC4E5BE5EC	SHA256:2C889D3C7C14AFF93681BD9572A89500891F0DD7DD25514474405A1A183FAD1A
6148	updater.exe	C:\Windows\SystemTemp\chrome_url_fetcher_6148_1012990249\-c601e9a4-03b0-4188-843e-80058bf16ef9-_24.9.1554.1_all_acc762zmap7lbxrpa4dx3dgjawoq.crx3		—
		MD5:—	SHA256:—
6148	updater.exe	C:\Program Files (x86)\Google\GoogleUpdater\crx_cache\{c601e9a4-03b0-4188-843e-80058bf16ef9}_1.a5b878c7daf13e30a49a68da71a29ece7d7e79843fe09f0a1cc06e9d5d07e1b4		—
		MD5:—	SHA256:—
6148	updater.exe	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping6148_1681817687\HPE-24.9.1554.1-CIP_3pdev_prod.exe		—
		MD5:—	SHA256:—
3000	updater.exe	C:\Program Files (x86)\Google\GoogleUpdater\c817464e-a03e-42c2-9cff-7dc43895229b.tmp		binary
		MD5:4A2784F1CA879E8FBBD97E39D0DE3CC9	SHA256:2BCD0A4051B1FA5B0444CEE9FD9F7341FAFE1EAE36659511926EBEFBA648DEE9
3000	updater.exe	C:\Program Files (x86)\Google\GoogleUpdater\131.0.6776.0\updater.exe		executable
		MD5:E2937E33C2554EECC37C804A7F99F8B7	SHA256:5DDE29F028E75EE72F50902D20C41B699EF8FC5C294F04A321DEAC6909FFE409
6220	updater.exe	C:\Program Files (x86)\Google\Update\GoogleUpdate.exe		executable
		MD5:E2937E33C2554EECC37C804A7F99F8B7	SHA256:5DDE29F028E75EE72F50902D20C41B699EF8FC5C294F04A321DEAC6909FFE409
3000	updater.exe	C:\Program Files (x86)\Google\GoogleUpdater\131.0.6776.0\uninstall.cmd		text
		MD5:FBC297EE9060D4256192E4EDB98CAD1B	SHA256:099592FFA867124D16C0C6D868AF1214FD2B7180FA76E4EEE01ABF2A5CF8F044

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
—	—	GET	200	2.16.164.9:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
—	—	GET	200	23.32.185.131:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
4360	SearchApp.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D	unknown	—	—	whitelisted
1552	svchost.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D	unknown	—	—	whitelisted
3000	updater.exe	GET	200	216.58.212.131:80	http://ocsp.pki.goog/gsr1/MFEwTzBNMEswSTAJBgUrDgMCGgUABBS3V7W2nAf4FiMTjpDJKg6%2BMgGqMQQUYHtmGkUNl8qJUC99BM00qP%2F8%2FUsCEHe9DWzbNvka6iEPxPBY0w0%3D	unknown	—	—	whitelisted
3000	updater.exe	GET	200	172.217.18.99:80	http://o.pki.goog/wr2/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBRTQtSEi8EX%2BbYUTXd8%2ByMxD3s1zQQU3hse7XkV1D43JMMhu%2Bw0OW1CsjACEQDzySkSNBgXtBKLijHUmMxR	unknown	—	—	whitelisted
3000	updater.exe	GET	200	172.217.16.131:80	http://c.pki.goog/r/r1.crl	unknown	—	—	whitelisted
6148	updater.exe	GET	200	34.104.35.123:80	http://edgedl.me.gvt1.com/edgedl/release2/Play/itfdqccpil4j3mcu2kh4axgdj4_24.9.1554.1/-c601e9a4-03b0-4188-843e-80058bf16ef9-_24.9.1554.1_all_acc762zmap7lbxrpa4dx3dgjawoq.crx3	unknown	—	—	whitelisted
7448	SIHClient.exe	GET	200	23.32.185.131:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl	unknown	—	—	whitelisted
6952	backgroundTaskHost.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D	unknown	—	—	whitelisted

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:137	—	—	—	whitelisted
—	—	40.127.240.158:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	IE	unknown
—	—	2.16.164.9:80	crl.microsoft.com	Akamai International B.V.	NL	whitelisted
5488	MoUsoCoreWorker.exe	2.16.164.9:80	crl.microsoft.com	Akamai International B.V.	NL	whitelisted
5488	MoUsoCoreWorker.exe	23.32.185.131:80	www.microsoft.com	AKAMAI-AS	BR	whitelisted
—	—	23.32.185.131:80	www.microsoft.com	AKAMAI-AS	BR	whitelisted
4360	SearchApp.exe	2.23.209.140:443	www.bing.com	Akamai International B.V.	GB	whitelisted
4360	SearchApp.exe	192.229.221.95:80	ocsp.digicert.com	EDGECAST	US	whitelisted
6944	svchost.exe	40.127.240.158:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	IE	unknown
4020	svchost.exe	239.255.255.250:1900	—	—	—	whitelisted

DNS requests

Domain	IP	Reputation
crl.microsoft.com	2.16.164.9 2.16.164.49	whitelisted
www.microsoft.com	23.32.185.131	whitelisted
google.com	142.250.186.142	whitelisted
www.bing.com	2.23.209.140 2.23.209.132 2.23.209.133 2.23.209.137 2.23.209.135 2.23.209.189 2.23.209.130 2.23.209.131 2.23.209.141 2.23.209.154 2.23.209.156 2.23.209.175 2.23.209.158 2.23.209.177 2.23.209.150 2.23.209.160 2.23.209.161 2.23.209.176 2.23.209.187 2.23.209.182 2.23.209.185 2.23.209.186 2.23.209.183 2.23.209.193	whitelisted
ocsp.digicert.com	192.229.221.95	whitelisted
update.googleapis.com	142.250.186.131	whitelisted
dl.google.com	142.250.74.206	whitelisted
ocsp.pki.goog	216.58.212.131 172.217.18.3	whitelisted
c.pki.goog	172.217.16.131 172.217.18.3	whitelisted
o.pki.goog	172.217.18.99 172.217.16.131	whitelisted

Threats

No threats detected

Add for printing

Process	Message
Bootstrapper.exe	"C:\Program Files\Google\Play Games Developer Emulator\24.9.1554.1\Applicator.exe" "anv" "24.9.1554.1" %1 %2
Bootstrapper.exe	apply-new-version command line found:
Bootstrapper.exe	Creating Omaha COM objects for invoking apply-new-version.
Bootstrapper.exe	Invoking apply-new-version.
Applicator.exe	Flag not found (proceeding with HAXM): Response status code does not indicate success: 404 (Not Found).
InstallHypervisor.exe	I0000 00:00:1730976118.795552 3924 battlestar_recorder_delegate.cc:95] Successfully initialized recorder using log source value: 1518
Applicator.exe	C:\Program Files\Google\Play Games Developer Emulator\current\service\InstallHypervisor.exe exited with code 0
Bootstrapper.exe	Omaha completed invoking apply-new-version with exit code 0.
Bootstrapper.exe	Start Service /emulator.
Service.exe	I0000 00:00:1730976121.299719 6172 battlestar_recorder_delegate.cc:95] Successfully initialized recorder using log source value: 1518

General Info

Install-GooglePlayGames-DeveloperEmulator-Stable.exe

0803615AA102AFE28EB297C2BFDB54BE

B2CF3781A5F830008D498D4DA5BAE08EF662C7B4

36427B83E4A646307780AAD0E7CAC45EEFCF956DBD6D7799981C5FF43E1B0E4E

98304:sJOajhYAsUeyS0KTFnY1viV7azuAYy9gSPWAgVuyDztsyLFHJiePAZrPI5D+PeZJ:FRcJoRZew/

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

SUSPICIOUS

Reads security settings of Internet Explorer

Application launched itself

Executable content was dropped or overwritten

Executes as Windows Service

Checks Windows Trust Settings

Starts CMD.EXE for commands execution

Drops a system driver (possible attempt to evade defenses)

Uses NETSH.EXE to delete a firewall rule or allowed programs

Drops 7-zip archiver for unpacking

Uses NETSH.EXE to add a firewall rule or allowed programs

Process drops legitimate windows executable

The process drops C-runtime libraries

Starts SC.EXE for service management

The process executes via Task Scheduler

INFO

Checks supported languages

Reads the computer name

Process checks computer location settings

Creates files in the program directory

Process checks whether UAC notifications are on

Checks proxy server information

Reads the machine GUID from the registry

Creates files or folders in the user directory

Reads the software policy settings

Manual execution by a user

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings