Malware analysis GoogleAdsEditorSetup.exe Malicious activity

Add for printing

File name:	GoogleAdsEditorSetup.exe
Full analysis:	https://app.any.run/tasks/dc1eb32f-d0d7-4d7e-9548-aa35050501f7
Verdict:	Malicious activity
Analysis date:	December 23, 2024, 10:04:54
OS:	Windows 10 Professional (build: 19045, 64 bit)
Indicators:
MIME:	application/vnd.microsoft.portable-executable
File info:	PE32 executable (GUI) Intel 80386, for MS Windows, 8 sections
MD5:	F12BE6329AD5C32288226A0764CBC1AD
SHA1:	7EA420165A9F3AC72568B3AFFF14713671BD7ABD
SHA256:	58BE45B33283C9DDA8BB3E8256383B565C820F53121FA79222B1A7AAF3C032C8
SSDEEP:	98304:CvPHTg70qMK46SByzYBh9RWEdpa5pIIJjtOBJOWrLav4us1/nqj2xzG+oo2IJ5XL:KfgTw

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 300 seconds
Heavy Evasion option:
Network geolocation:: off
Additional time used:: 240 seconds
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.3636.19041.0
Adobe Acrobat (64-bit) (23.001.20093)
Adobe Flash Player 32 NPAPI (32.0.0.465)
Adobe Flash Player 32 PPAPI (32.0.0.465)
CCleaner (6.20)
FileZilla 3.65.0 (3.65.0)
Google Chrome (122.0.6261.70)
Google Update Helper (1.3.36.51)
Java 8 Update 271 (64-bit) (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Microsoft Edge (122.0.2365.59)
Microsoft Edge Update (1.3.185.17)
Microsoft Office Professional 2019 - de-de (16.0.16026.20146)
Microsoft Office Professional 2019 - en-us (16.0.16026.20146)
Microsoft Office Professional 2019 - es-es (16.0.16026.20146)
Microsoft Office Professional 2019 - it-it (16.0.16026.20146)
Microsoft Office Professional 2019 - ja-jp (16.0.16026.20146)
Microsoft Office Professional 2019 - ko-kr (16.0.16026.20146)
Microsoft Office Professional 2019 - pt-br (16.0.16026.20146)
Microsoft Office Professional 2019 - tr-tr (16.0.16026.20146)
Microsoft Office Professionnel 2019 - fr-fr (16.0.16026.20146)
Microsoft Office профессиональный 2019 - ru-ru (16.0.16026.20146)
Microsoft OneNote - en-us (16.0.16026.20146)
Microsoft Update Health Tools (3.74.0.0)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x64 en-US) (123.0)
Mozilla Maintenance Service (123.0)
Notepad++ (64-bit x64) (7.9.1)
Office 16 Click-to-Run Extensibility Component (16.0.15726.20202)
Office 16 Click-to-Run Licensing Component (16.0.16026.20146)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15928.20198)
PowerShell 7-x64 (7.3.5.0)
Skype version 8.104 (8.104)
Update for Windows 10 for x64-based Systems (KB4023057) (2.59.0.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.63.0.0)
Update for Windows 10 for x64-based Systems (KB4480730) (2.55.0.0)
Update for Windows 10 for x64-based Systems (KB5001716) (8.93.0.0)
VLC media player (3.0.11)
WinRAR 5.91 (64-bit) (5.91.0)
Windows PC Health Check (3.6.2204.08001)

Hotfixes

Client LanguagePack Package
DotNetRollup
DotNetRollup 481
FodMetadata Package
Foundation Package
Hello Face Package
InternetExplorer Optional Package
KB5003791
KB5011048
KB5015684
KB5033052
LanguageFeatures Basic en us Package
LanguageFeatures Handwriting en us Package
LanguageFeatures OCR en us Package
LanguageFeatures Speech en us Package
LanguageFeatures TextToSpeech en us Package
MSPaint FoD Package
MediaPlayer Package
Microsoft OneCore ApplicationModel Sync Desktop FOD Package
Microsoft OneCore DirectX Database FOD Package
NetFx3 OnDemand Package
Notepad FoD Package
OpenSSH Client Package
PowerShell ISE FOD Package
Printing PMCPPC FoD Package
Printing WFS FoD Package
ProfessionalEdition
QuickAssist Package
RollupFix
ServicingStack
ServicingStack 3989
StepsRecorder Package
TabletPCMath Package
UserExperience Desktop Package
WordPad FoD Package

Add for printing

MALICIOUS
- Changes the autorun value in the registry
  - updater.exe (PID: 6740)
SUSPICIOUS
- Application launched itself
  - updater.exe (PID: 6740)
  - updater.exe (PID: 6852)
  - updater.exe (PID: 6944)
- Executable content was dropped or overwritten
  - updater.exe (PID: 6740)
  - updater.exe (PID: 6852)
- Reads security settings of Internet Explorer
  - updater.exe (PID: 6740)
- Checks Windows Trust Settings
  - msiexec.exe (PID: 2212)
- Process drops legitimate windows executable
  - msiexec.exe (PID: 2212)
- Reads the Windows owner or organization settings
  - msiexec.exe (PID: 2212)
- The process drops C-runtime libraries
  - msiexec.exe (PID: 2212)
INFO
- The sample compiled with english language support
  - GoogleAdsEditorSetup.exe (PID: 6696)
  - updater.exe (PID: 6740)
  - updater.exe (PID: 6852)
  - msiexec.exe (PID: 2212)
- Reads the computer name
  - GoogleAdsEditorSetup.exe (PID: 6696)
  - updater.exe (PID: 6740)
  - updater.exe (PID: 6852)
  - updater.exe (PID: 6944)
  - msiexec.exe (PID: 2212)
  - google_ads_editor.exe (PID: 6348)
  - ShellExperienceHost.exe (PID: 2012)
  - google_ads_editor.exe (PID: 3672)
  - QtWebEngineProcess.exe (PID: 2084)
- Checks supported languages
  - GoogleAdsEditorSetup.exe (PID: 6696)
  - updater.exe (PID: 6740)
  - updater.exe (PID: 6768)
  - updater.exe (PID: 6852)
  - updater.exe (PID: 6872)
  - updater.exe (PID: 6944)
  - updater.exe (PID: 6964)
  - msiexec.exe (PID: 2212)
  - google_ads_editor_launcher.exe (PID: 4300)
  - handler.exe (PID: 1296)
  - google_ads_editor.exe (PID: 6348)
  - ShellExperienceHost.exe (PID: 2012)
  - identity_helper.exe (PID: 6640)
  - google_ads_editor.exe (PID: 3672)
  - QtWebEngineProcess.exe (PID: 2084)
  - identity_helper.exe (PID: 5540)
  - handler.exe (PID: 2072)
- Create files in a temporary directory
  - GoogleAdsEditorSetup.exe (PID: 6696)
  - updater.exe (PID: 6944)
  - msiexec.exe (PID: 6472)
- Process checks whether UAC notifications are on
  - updater.exe (PID: 6740)
  - updater.exe (PID: 6852)
  - updater.exe (PID: 6944)
- Creates files or folders in the user directory
  - updater.exe (PID: 6768)
  - updater.exe (PID: 6740)
  - updater.exe (PID: 6852)
  - updater.exe (PID: 6944)
  - google_ads_editor.exe (PID: 6348)
  - handler.exe (PID: 1296)
  - msiexec.exe (PID: 2212)
- Checks proxy server information
  - updater.exe (PID: 6740)
  - updater.exe (PID: 6944)
- Reads the machine GUID from the registry
  - msiexec.exe (PID: 2212)
  - google_ads_editor.exe (PID: 6348)
- Executable content was dropped or overwritten
  - msiexec.exe (PID: 2212)
- Creates a software uninstall entry
  - msiexec.exe (PID: 2212)
- Sends debugging messages
  - google_ads_editor_launcher.exe (PID: 4300)
  - google_ads_editor.exe (PID: 6348)
  - ShellExperienceHost.exe (PID: 2012)
  - google_ads_editor.exe (PID: 3672)
  - QtWebEngineProcess.exe (PID: 2084)
- Manual execution by a user
  - google_ads_editor_launcher.exe (PID: 4300)
  - msedge.exe (PID: 4576)
  - google_ads_editor.exe (PID: 3672)
- Reads the software policy settings
  - msiexec.exe (PID: 2212)
- Reads the time zone
  - google_ads_editor.exe (PID: 6348)
- Process checks computer location settings
  - QtWebEngineProcess.exe (PID: 2084)
  - google_ads_editor.exe (PID: 6348)
- Application launched itself
  - msedge.exe (PID: 4576)
  - msedge.exe (PID: 432)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.exe	\|	Generic Win/DOS Executable (50)
.exe	\|	DOS Executable Generic (49.9)

EXIF

EXE

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2024:11:11 16:02:03+00:00
ImageFileCharacteristics:	Executable, Large address aware, 32-bit
PEType:	PE32
LinkerVersion:	14
CodeSize:	3429376
InitializedDataSize:	6935040
UninitializedDataSize:	-
EntryPoint:	0x1be4e0
OSVersion:	10
ImageVersion:	-
SubsystemVersion:	10
Subsystem:	Windows GUI
FileVersionNumber:	132.0.6833.0
ProductVersionNumber:	132.0.6833.0
FileFlagsMask:	0x0017
FileFlags:	(none)
FileOS:	Win32
ObjectFileType:	Executable application
FileSubtype:	-
LanguageCode:	English (U.S.)
CharacterSet:	Unicode
CompanyName:	Google LLC
FileDescription:	Google Installer
FileVersion:	132.0.6833.0
InternalName:	Google Installer (x86)
LegalCopyright:	Copyright 2024 Google LLC. All rights reserved.
OriginalFileName:	UpdaterSetup.exe
ProductName:	Google Installer
ProductVersion:	132.0.6833.0
CompanyShortName:	Google
ProductShortName:	GoogleUpdater
LastChange:	fba838c6a3184f5070b77238fdbbca1b3d990105-refs/branch-heads/6833@{#1}
OfficialBuild:	1

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

198

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

432

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

msedge.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Microsoft Edge

Version:

122.0.2365.59

Modules

Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

524

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=5500 --field-trial-handle=2312,i,2478424681762129013,6288574974125536417,262144 --variations-seed-version /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

—

msedge.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

LOW

Description:

Microsoft Edge

Exit code:

Version:

122.0.2365.59

Modules

Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

524

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=3596 --field-trial-handle=2312,i,2478424681762129013,6288574974125536417,262144 --variations-seed-version /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

—

msedge.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

LOW

Description:

Microsoft Edge

Exit code:

Version:

122.0.2365.59

Modules

Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

1172

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=6264 --field-trial-handle=2388,i,6975781403482044706,8980377555785255402,262144 --variations-seed-version /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

—

msedge.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

LOW

Description:

Microsoft Edge

Exit code:

Version:

122.0.2365.59

Modules

Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

1192

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=5572 --field-trial-handle=2312,i,2478424681762129013,6288574974125536417,262144 --variations-seed-version /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

—

msedge.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Microsoft Edge

Exit code:

Version:

122.0.2365.59

Modules

Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

1296

"C:/Users/admin/AppData/Local/Google/Google Ads Editor/14.8.5.0/crashpad/handler/handler.exe" --database=C:/Users/admin/AppData/Local/Google/Google-AdWords-Editor/crashpad --metrics-dir=C:/Users/admin/AppData/Local/Google/Google-AdWords-Editor/crashpad --url=https://clients2.google.com/cr/report --annotation=product=Google_Ads_Editor --annotation=version=14.8.5.0 --initial-client-data=0x684,0x688,0x68c,0x680,0x568,0x7ff7c32219d8,0x7ff7c3221998,0x7ff7c32219a8

C:\Users\admin\AppData\Local\Google\Google Ads Editor\14.8.5.0\crashpad\handler\handler.exe

—

google_ads_editor.exe

User:

admin

Integrity Level:

MEDIUM

Exit code:

Modules

Images
c:\users\admin\appdata\local\google\google ads editor\14.8.5.0\crashpad\handler\handler.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll

1400

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=5032 --field-trial-handle=2312,i,2478424681762129013,6288574974125536417,262144 --variations-seed-version /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

—

msedge.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

LOW

Description:

Microsoft Edge

Exit code:

Version:

122.0.2365.59

Modules

Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

1476

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=3796 --field-trial-handle=2388,i,6975781403482044706,8980377555785255402,262144 --variations-seed-version /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

—

msedge.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

LOW

Description:

Microsoft Edge

Exit code:

Version:

122.0.2365.59

Modules

Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

1864

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=2832 --field-trial-handle=2312,i,2478424681762129013,6288574974125536417,262144 --variations-seed-version /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

—

msedge.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

LOW

Description:

Microsoft Edge

Version:

122.0.2365.59

Modules

Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

2012

"C:\WINDOWS\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe" -ServerName:App.AppXtk181tbxbce2qsex02s8tw7hfxa9xb3t.mca

C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe

—

svchost.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows Shell Experience Host

Version:

10.0.19041.3758 (WinBuild.160101.0800)

Modules

Images
c:\windows\systemapps\shellexperiencehost_cw5n1h2txyewy\shellexperiencehost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\dxgi.dll

Add for printing

Total events

24 355

Read events

23 511

Write events

834

Delete events

Modification events


(PID) Process:	(6740) updater.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Google\Update\Clients\{44fc7fe2-65ce-487c-93f4-edee46eeaaab}
Operation:	write	Name:	pv
Value: 132.0.6833.0
(PID) Process:	(6740) updater.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Google\Update\Clients\{44fc7fe2-65ce-487c-93f4-edee46eeaaab}
Operation:	write	Name:	name
Value: GoogleUpdater
(PID) Process:	(6740) updater.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Google\Update\ClientState\{44fc7fe2-65ce-487c-93f4-edee46eeaaab}
Operation:	write	Name:	pv
Value: 132.0.6833.0
(PID) Process:	(6740) updater.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Google\Update\ClientState\{44fc7fe2-65ce-487c-93f4-edee46eeaaab}
Operation:	write	Name:	name
Value: GoogleUpdater
(PID) Process:	(6740) updater.exe	Key:	HKEY_CLASSES_ROOT\WOW6432Node\Interface\{22F5EF75-BBDC-577C-B017-16B4FD4158CA}\TypeLib
Operation:	write	Name:	Version
Value: 1.0
(PID) Process:	(6740) updater.exe	Key:	HKEY_CLASSES_ROOT\Interface\{22F5EF75-BBDC-577C-B017-16B4FD4158CA}\TypeLib
Operation:	write	Name:	Version
Value: 1.0
(PID) Process:	(6740) updater.exe	Key:	HKEY_CLASSES_ROOT\WOW6432Node\Interface\{09B9B539-CED5-580D-9A01-BA781058B406}\TypeLib
Operation:	write	Name:	Version
Value: 1.0
(PID) Process:	(6740) updater.exe	Key:	HKEY_CLASSES_ROOT\Interface\{09B9B539-CED5-580D-9A01-BA781058B406}\TypeLib
Operation:	write	Name:	Version
Value: 1.0
(PID) Process:	(6740) updater.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation:	write	Name:	GoogleUpdaterTaskUser132.0.6833.0
Value: "C:\Users\admin\AppData\Local\Google\GoogleUpdater\132.0.6833.0\updater.exe" --wake
(PID) Process:	(6740) updater.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Google\Update\ClientState\{f7a0263c-9459-4a49-bdd5-aa35e1c35151}
Operation:	write	Name:	usagestats
Value: 0

Add for printing

Executable files

Suspicious files

403

Text files

304

Unknown types

Dropped files

PID	Process	Filename		Type
6696	GoogleAdsEditorSetup.exe	C:\Users\admin\AppData\Local\Temp\Google6696_248289246\UPDATER.PACKED.7Z		—
		MD5:—	SHA256:—
6740	updater.exe	C:\Users\admin\AppData\Local\Google\GoogleUpdater\132.0.6833.0\uninstall.cmd		text
		MD5:FBC297EE9060D4256192E4EDB98CAD1B	SHA256:099592FFA867124D16C0C6D868AF1214FD2B7180FA76E4EEE01ABF2A5CF8F044
6944	updater.exe	C:\Users\admin\AppData\Local\Temp\chrome_url_fetcher_6944_1438723045\-f7a0263c-9459-4a49-bdd5-aa35e1c35151-_14.8.5.0_all_pnm2fztgyawxwx764doa4yzlli.crx3		—
		MD5:—	SHA256:—
6944	updater.exe	C:\Users\admin\AppData\Local\Google\GoogleUpdater\crx_cache\{f7a0263c-9459-4a49-bdd5-aa35e1c35151}_1.9ac01002e6d5953f8a46a4317292b36e996a668dca08975b0ab66244b2eca20d		—
		MD5:—	SHA256:—
6944	updater.exe	C:\Users\admin\AppData\Local\Temp\chrome_Unpacker_BeginUnzipping6944_1638816080\google_ads_editor.msi		—
		MD5:—	SHA256:—
6852	updater.exe	C:\Users\admin\AppData\Local\Google\Update\GoogleUpdate.exe		executable
		MD5:9DB9D09B6A58E5C09773F754504AC148	SHA256:C294551059A85542127811249B8E725D3AB885EFDD4996B201DB588899769E85
6852	updater.exe	C:\Users\admin\AppData\Local\Google\GoogleUpdater\132.0.6833.0\63bcbd98-828a-494c-a0e6-4631600ba1f1.tmp		binary
		MD5:AA2D0C0C72BB528CF4168EA91C1C9A56	SHA256:E03E9D262CA3B7D19E37C3A69C7D8B46BD3F5542AA555A17D864071C28257B2C
6740	updater.exe	C:\Users\admin\AppData\Local\Google\GoogleUpdater\132.0.6833.0\updater.exe		executable
		MD5:9DB9D09B6A58E5C09773F754504AC148	SHA256:C294551059A85542127811249B8E725D3AB885EFDD4996B201DB588899769E85
2212	msiexec.exe	C:\Windows\Installer\142ff8.msi		—
		MD5:—	SHA256:—
6740	updater.exe	C:\Users\admin\AppData\Local\Google\GoogleUpdater\40356f26-2566-4e05-ac3e-197c678f6d2c.tmp		binary
		MD5:88BD7C8114993ADB9D7903AFA0A526C9	SHA256:BB3C4B90702246FDF6C3698037DE42BF1949B5028C354647AA65024373F341A4

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
640	svchost.exe	GET	200	2.20.245.138:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
640	svchost.exe	GET	200	88.221.169.152:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
6944	updater.exe	GET	—	34.104.35.123:80	http://edgedl.me.gvt1.com/edgedl/release2/misc/act6o6k5qhzdgc43wsx45ymtvwza_14.8.5.0/-f7a0263c-9459-4a49-bdd5-aa35e1c35151-_14.8.5.0_all_pnm2fztgyawxwx764doa4yzlli.crx3	unknown	—	—	whitelisted
6740	updater.exe	GET	200	142.250.185.227:80	http://ocsp.pki.goog/gsr1/MFEwTzBNMEswSTAJBgUrDgMCGgUABBS3V7W2nAf4FiMTjpDJKg6%2BMgGqMQQUYHtmGkUNl8qJUC99BM00qP%2F8%2FUsCEHe9DWzbNvka6iEPxPBY0w0%3D	unknown	—	—	whitelisted
6740	updater.exe	GET	200	172.217.16.131:80	http://c.pki.goog/r/r1.crl	unknown	—	—	whitelisted
5064	SearchApp.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D	unknown	—	—	whitelisted
1176	svchost.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D	unknown	—	—	whitelisted
6284	SIHClient.exe	GET	200	88.221.169.152:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl	unknown	—	—	whitelisted
6284	SIHClient.exe	GET	200	88.221.169.152:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl	unknown	—	—	whitelisted
3832	backgroundTaskHost.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAUZZSZEml49Gjh0j13P68w%3D	unknown	—	—	whitelisted

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
—	—	2.23.209.189:443	www.bing.com	Akamai International B.V.	GB	unknown
4712	MoUsoCoreWorker.exe	51.124.78.146:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
—	—	51.124.78.146:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
—	—	192.168.100.255:138	—	—	—	whitelisted
640	svchost.exe	2.20.245.138:80	crl.microsoft.com	Akamai International B.V.	SE	whitelisted
640	svchost.exe	88.221.169.152:80	www.microsoft.com	AKAMAI-AS	DE	whitelisted
6944	updater.exe	142.250.184.227:443	update.googleapis.com	GOOGLE	US	unknown
6740	updater.exe	142.250.186.142:443	dl.google.com	GOOGLE	US	whitelisted
6740	updater.exe	142.250.185.227:80	ocsp.pki.goog	GOOGLE	US	whitelisted
6944	updater.exe	34.104.35.123:80	edgedl.me.gvt1.com	GOOGLE	US	whitelisted

DNS requests

Domain	IP	Reputation
www.bing.com	2.23.209.189 2.23.209.176 2.23.209.181 2.23.209.182 2.23.209.177 2.23.209.186 2.23.209.185 2.23.209.179 2.23.209.183 104.126.37.128 104.126.37.139 104.126.37.186 104.126.37.179 104.126.37.136 104.126.37.178 104.126.37.185 104.126.37.130 104.126.37.144	whitelisted
settings-win.data.microsoft.com	51.124.78.146 51.104.136.2 40.127.240.158 20.72.205.209	whitelisted
google.com	142.250.184.206 142.250.186.110	whitelisted
crl.microsoft.com	2.20.245.138 2.20.245.137	whitelisted
www.microsoft.com	88.221.169.152	whitelisted
update.googleapis.com	142.250.184.227 142.250.185.131	whitelisted
dl.google.com	142.250.186.142	whitelisted
ocsp.pki.goog	142.250.185.227	whitelisted
edgedl.me.gvt1.com	34.104.35.123	whitelisted
c.pki.goog	172.217.16.131	whitelisted

Threats

No threats detected

Add for printing

Process	Message
google_ads_editor_launcher.exe	Launching "C:\\Users\\admin\\AppData\\Local\\Google\\Google Ads Editor\\14.8.5.0\\google_ads_editor.exe"
google_ads_editor.exe	"(C:\\tmpfs\\src\\piper\\branches\\ads_editor_14_8_release_branch\\googleclient\\ads\\adwords\\editor\\src\\icuutils.cc:135:util::IcuInit())" Word break iterator created successfully.
google_ads_editor.exe	"(C:\\tmpfs\\src\\piper\\branches\\ads_editor_14_8_release_branch\\googleclient\\ads\\adwords\\editor\\src\\icuutils.cc:145:util::IcuInit())" Number formatter created successfully.
google_ads_editor.exe	"(C:\\tmpfs\\src\\piper\\branches\\ads_editor_14_8_release_branch\\googleclient\\ads\\adwords\\editor\\src\\icuutils.cc:106:util::IcuInit())" Collator rules retrieved.
google_ads_editor.exe	"(C:\\tmpfs\\src\\piper\\branches\\ads_editor_14_8_release_branch\\googleclient\\ads\\adwords\\editor\\src\\icuutils.cc:126:util::IcuInit())" Collator adjusted with custom rule.
google_ads_editor.exe	"(C:\\tmpfs\\src\\piper\\branches\\ads_editor_14_8_release_branch\\googleclient\\ads\\adwords\\editor\\src\\icuutils.cc:58:util::IcuInit())" Init ICU "75.1" with locale: "en_US"
google_ads_editor.exe	"(C:\\tmpfs\\src\\piper\\branches\\ads_editor_14_8_release_branch\\googleclient\\ads\\adwords\\editor\\src\\icuutils.cc:98:util::IcuInit())" Collator opened successfully.
google_ads_editor.exe	"(C:\\tmpfs\\src\\piper\\branches\\ads_editor_14_8_release_branch\\googleclient\\ads\\adwords\\editor\\src\\editorapplication.cc:292:EditorApplication::EditorApplication())" Completed QGuiApplication initialization.
google_ads_editor.exe	"(C:\\tmpfs\\src\\piper\\branches\\ads_editor_14_8_release_branch\\googleclient\\ads\\adwords\\editor\\src\\config.cc:288:Config::Init())" Running with command line: "C:\\Users\\admin\\AppData\\Local\\Google\\Google Ads Editor\\14.8.5.0\\google_ads_editor.exe C:\\Users\\admin\\AppData\\Local\\Google\\Google Ads Editor\\google_ads_editor_launcher.exe"
google_ads_editor.exe	"(C:\\tmpfs\\src\\piper\\branches\\ads_editor_14_8_release_branch\\googleclient\\ads\\adwords\\editor\\src\\config.cc:287:Config::Init())" Beginning app config initialization.

General Info

GoogleAdsEditorSetup.exe

F12BE6329AD5C32288226A0764CBC1AD

7EA420165A9F3AC72568B3AFFF14713671BD7ABD

58BE45B33283C9DDA8BB3E8256383B565C820F53121FA79222B1A7AAF3C032C8

98304:CvPHTg70qMK46SByzYBh9RWEdpa5pIIJjtOBJOWrLav4us1/nqj2xzG+oo2IJ5XL:KfgTw

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Changes the autorun value in the registry

SUSPICIOUS

Application launched itself

Executable content was dropped or overwritten

Reads security settings of Internet Explorer

Checks Windows Trust Settings

Process drops legitimate windows executable

Reads the Windows owner or organization settings

The process drops C-runtime libraries

INFO

The sample compiled with english language support

Reads the computer name

Checks supported languages

Create files in a temporary directory

Process checks whether UAC notifications are on

Creates files or folders in the user directory

Checks proxy server information

Reads the machine GUID from the registry

Executable content was dropped or overwritten

Creates a software uninstall entry

Sends debugging messages

Manual execution by a user

Reads the software policy settings

Reads the time zone

Process checks computer location settings

Application launched itself

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings