Malware analysis googletoolbarinstaller_updater_signed.exe Malicious activity

Add for printing

File name:	googletoolbarinstaller_updater_signed.exe
Full analysis:	https://app.any.run/tasks/cfea4280-3965-450b-9982-4f7e43510995
Verdict:	Malicious activity
Analysis date:	July 11, 2019, 16:52:20
OS:	Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME:	application/x-dosexec
File info:	PE32 executable (GUI) Intel 80386, for MS Windows
MD5:	E07728F85C48F56645C2D2A4BE8AACF5
SHA1:	A8345E02BCE2075D53B091FB8C95BB052D8E5E7A
SHA256:	60B49FBFC3D98134FD35D9BFE45DB96985947FDFD0BE5221F9FB774A577FC07C
SSDEEP:	12288:m5xMvWsU705oDm38AezWs/U1EWtA6UJTiLAxT/7MAjNbk:ixMvMzDq8AeP/U1EWO1T3Twok

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 60 seconds
Heavy Evasion option:: off
Network geolocation:: off
Additional time used:: none
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 8.0.7601.17514 undefined
Adobe Acrobat Reader DC MUI (15.023.20070)
Adobe Flash Player 26 ActiveX (26.0.0.131)
Adobe Flash Player 26 NPAPI (26.0.0.131)
Adobe Flash Player 26 PPAPI (26.0.0.131)
Adobe Refresh Manager (1.8.0)
CCleaner (5.35)
FileZilla Client 3.36.0 (3.36.0)
Google Chrome (75.0.3770.100)
Google Update Helper (1.3.34.7)
Java 8 Update 92 (8.0.920.14)
Java Auto Updater (2.8.92.14)
Microsoft .NET Framework 4.7.2 (4.7.03062)
Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Professional 2010 (14.0.6029.1000)
Microsoft Office Proof (English) 2010 (14.0.6029.1000)
Microsoft Office Proof (French) 2010 (14.0.6029.1000)
Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Single Image 2010 (14.0.6029.1000)
Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2019 Redistributable (x86) - 14.21.27702 (14.21.27702.2)
Microsoft Visual C++ 2019 X86 Additional Runtime - 14.21.27702 (14.21.27702)
Microsoft Visual C++ 2019 X86 Minimum Runtime - 14.21.27702 (14.21.27702)
Mozilla Firefox 67.0.4 (x86 en-US) (67.0.4)
Notepad++ (32-bit x86) (7.5.1)
Opera 12.15 (12.15.1748)
Skype version 8.29 (8.29)
Update for Microsoft .NET Framework 4.7.2 (KB4087364) (1)
VLC media player (2.2.6)
WinRAR 5.60 (32-bit) (5.60.0)

Hotfixes

Client LanguagePack Package
Client Refresh LanguagePack Package
CodecPack Basic Package
Foundation Package
IE Troubleshooters Package
InternetExplorer Optional Package
KB2534111
KB2999226
KB4019990
KB976902
LocalPack AU Package
LocalPack CA Package
LocalPack GB Package
LocalPack US Package
LocalPack ZA Package
ProfessionalEdition
UltimateEdition

Add for printing

MALICIOUS
- Changes settings of System certificates
  - googletoolbarinstaller_updater_signed.exe (PID: 3772)
  - GoogleToolbarManager_8B0481A9A34D47CD.exe (PID: 3904)
- Application was dropped or rewritten from another process
  - GoogleToolbarManager_8B0481A9A34D47CD.exe (PID: 3568)
  - GoogleUpdaterService_B33FC4DD36A473C6.exe (PID: 3312)
  - SearchWithGoogleUpdate_CA8A7236098B8F9A.exe (PID: 2932)
  - GoogleUpdaterService.exe (PID: 3848)
  - GoogleToolbarManager_8B0481A9A34D47CD.exe (PID: 2168)
  - GoogleToolbarManager_8B0481A9A34D47CD.exe (PID: 2944)
  - GoogleUpdaterService.exe (PID: 2176)
  - GoogleToolbarNotifier.exe (PID: 3644)
  - GoogleToolbarNotifier.exe (PID: 2528)
  - GoogleToolbarManager_8B0481A9A34D47CD.exe (PID: 3880)
  - GoogleToolbarUser_32.exe (PID: 3108)
  - GoogleToolbarUser_32.exe (PID: 2476)
  - GoogleToolbarNotifier.exe (PID: 864)
  - GoogleToolbarNotifier.exe (PID: 1100)
  - GoogleUpdaterService.exe (PID: 3660)
  - GoogleUpdateSetup_5CC4B0F53D73AD88.exe (PID: 944)
  - TFRE062.tmp (PID: 3720)
  - GoogleToolbarNotifier.exe (PID: 2184)
  - GoogleToolbarManager_8B0481A9A34D47CD.exe (PID: 2632)
  - GoogleToolbarManager_8B0481A9A34D47CD.exe (PID: 3904)
  - GoogleUpdate.exe (PID: 3104)
- Loads dropped or rewritten executable
  - googletoolbarinstaller_updater_signed.exe (PID: 3772)
  - GoogleToolbarManager_8B0481A9A34D47CD.exe (PID: 3568)
  - GoogleToolbarNotifier.exe (PID: 3644)
  - GoogleToolbarNotifier.exe (PID: 2528)
  - iexplore.exe (PID: 3168)
  - svchost.exe (PID: 848)
  - iexplore.exe (PID: 2720)
  - GoogleToolbarUser_32.exe (PID: 2476)
  - GoogleToolbarNotifier.exe (PID: 864)
  - GoogleToolbarNotifier.exe (PID: 1100)
  - TFRE062.tmp (PID: 3720)
  - GoogleToolbarManager_8B0481A9A34D47CD.exe (PID: 3904)
  - GoogleUpdate.exe (PID: 3104)
- Loads the Task Scheduler DLL interface
  - GoogleUpdaterService_B33FC4DD36A473C6.exe (PID: 3312)
  - GoogleUpdaterService.exe (PID: 3848)
SUSPICIOUS
- Application launched itself
  - googletoolbarinstaller_updater_signed.exe (PID: 3292)
- Reads Internet Cache Settings
  - googletoolbarinstaller_updater_signed.exe (PID: 3772)
- Adds / modifies Windows certificates
  - googletoolbarinstaller_updater_signed.exe (PID: 3772)
  - GoogleToolbarManager_8B0481A9A34D47CD.exe (PID: 3904)
- Executable content was dropped or overwritten
  - googletoolbarinstaller_updater_signed.exe (PID: 3772)
  - GoogleToolbarManager_8B0481A9A34D47CD.exe (PID: 3568)
  - msiexec.exe (PID: 3080)
  - GoogleUpdaterService_B33FC4DD36A473C6.exe (PID: 3312)
  - SearchWithGoogleUpdate_CA8A7236098B8F9A.exe (PID: 2932)
  - GoogleToolbarNotifier.exe (PID: 1100)
  - iexplore.exe (PID: 2720)
  - GoogleToolbarManager_8B0481A9A34D47CD.exe (PID: 3904)
  - GoogleUpdateSetup_5CC4B0F53D73AD88.exe (PID: 944)
- Creates files in the program directory
  - googletoolbarinstaller_updater_signed.exe (PID: 3772)
  - GoogleToolbarManager_8B0481A9A34D47CD.exe (PID: 3568)
  - GoogleUpdaterService_B33FC4DD36A473C6.exe (PID: 3312)
  - SearchWithGoogleUpdate_CA8A7236098B8F9A.exe (PID: 2932)
  - GoogleToolbarManager_8B0481A9A34D47CD.exe (PID: 2944)
  - GoogleToolbarUser_32.exe (PID: 2476)
  - GoogleToolbarManager_8B0481A9A34D47CD.exe (PID: 3904)
  - GoogleUpdateSetup_5CC4B0F53D73AD88.exe (PID: 944)
- Creates a software uninstall entry
  - GoogleToolbarManager_8B0481A9A34D47CD.exe (PID: 3568)
- Creates COM task schedule object
  - GoogleToolbarManager_8B0481A9A34D47CD.exe (PID: 3568)
  - GoogleToolbarNotifier.exe (PID: 3644)
  - GoogleToolbarManager_8B0481A9A34D47CD.exe (PID: 3904)
- Executed via COM
  - GoogleToolbarNotifier.exe (PID: 2528)
  - GoogleToolbarNotifier.exe (PID: 864)
  - GoogleToolbarNotifier.exe (PID: 1100)
  - GoogleToolbarNotifier.exe (PID: 2184)
  - GoogleUpdateOnDemand.exe (PID: 768)
  - GoogleUpdateOnDemand.exe (PID: 2876)
  - GoogleUpdateOnDemand.exe (PID: 2700)
  - GoogleUpdateOnDemand.exe (PID: 2988)
- Executed as Windows Service
  - GoogleToolbarManager_8B0481A9A34D47CD.exe (PID: 3880)
  - GoogleUpdaterService.exe (PID: 3660)
- Creates files in the Windows directory
  - GoogleToolbarManager_8B0481A9A34D47CD.exe (PID: 3880)
  - TFRE062.tmp (PID: 3720)
- Starts Internet Explorer
  - GoogleToolbarManager_8B0481A9A34D47CD.exe (PID: 3880)
- Starts application with an unusual extension
  - GoogleUpdaterService.exe (PID: 3660)
- Removes files from Windows directory
  - TFRE062.tmp (PID: 3720)
INFO
- Creates a software uninstall entry
  - msiexec.exe (PID: 3080)
- Changes internet zones settings
  - iexplore.exe (PID: 3168)
- Creates files in the user directory
  - iexplore.exe (PID: 2720)
- Application launched itself
  - iexplore.exe (PID: 3168)
- Reads Internet Cache Settings
  - iexplore.exe (PID: 2720)
- Reads internet explorer settings
  - iexplore.exe (PID: 2720)
- Reads settings of System Certificates
  - iexplore.exe (PID: 2720)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.exe	\|	Win32 Executable MS Visual C++ (generic) (42.2)
.exe	\|	Win64 Executable (generic) (37.3)
.dll	\|	Win32 Dynamic Link Library (generic) (8.8)
.exe	\|	Win32 Executable (generic) (6)
.exe	\|	Generic Win/DOS Executable (2.7)

EXIF

EXE

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2016:10:31 23:55:14+01:00
PEType:	PE32
LinkerVersion:	8
CodeSize:	293376
InitializedDataSize:	230400
UninitializedDataSize:	-
EntryPoint:	0x27539
OSVersion:	4
ImageVersion:	-
SubsystemVersion:	4
Subsystem:	Windows GUI
FileVersionNumber:	7.5.8231.2252
ProductVersionNumber:	7.5.8231.2252
FileFlagsMask:	0x003f
FileFlags:	(none)
FileOS:	Windows NT 32-bit
ObjectFileType:	Executable application
FileSubtype:	-
LanguageCode:	English (U.S.)
CharacterSet:	Unicode
CompanyName:	Google Inc.
LegalCopyright:	Copyright © 2000-2014
FileDescription:	Google Toolbar Installer
ProductName:	Google Toolbar for Internet Explorer
ProductVersion:	7, 5, 8231, 2252
FileVersion:	7, 5, 8231, 2252
OriginalFileName:	GoogleToolbarInstaller.exe
InternalName:	GoogleToolbarInstaller

Summary

Architecture:	IMAGE_FILE_MACHINE_I386
Subsystem:	IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date:	31-Oct-2016 22:55:14
Detected languages:	Bulgarian - Bulgaria Catalan - Spain Chinese - PRC Chinese - Taiwan Croatian - Croatia Czech - Czech Republic Danish - Denmark Dutch - Netherlands English - United Kingdom English - United States Estonian - Estonia Finnish - Finland French - France German - Germany Greek - Greece Hindi - India Hungarian - Hungary Icelandic - Iceland Indonesian - Indonesia (Bahasa) Italian - Italy Japanese - Japan Korean - Korea Latvian - Latvia Lithuanian - Lithuania Norwegian - Norway (Bokmal) Polish - Poland Portuguese - Brazil Portuguese - Portugal Romanian - Romania Russian - Russia Serbian - Serbia (Cyrillic) Slovak - Slovakia Slovenian - Slovenia Spanish - Spain (International sort) Swedish - Sweden Thai - Thailand Turkish - Turkey Ukrainian - Ukraine Vietnamese - Viet Nam
Debug artifacts:	componentinstaller.pdb
CompanyName:	Google Inc.
LegalCopyright:	Copyright © 2000-2014
FileDescription:	Google Toolbar Installer
ProductName:	Google Toolbar for Internet Explorer
ProductVersion:	7, 5, 8231, 2252
FileVersion:	7, 5, 8231, 2252
OriginalFilename:	GoogleToolbarInstaller.exe
InternalName:	GoogleToolbarInstaller

DOS Header

Magic number:	MZ
Bytes on last page of file:	0x0090
Pages in file:	0x0003
Relocations:	0x0000
Size of header:	0x0004
Min extra paragraphs:	0x0000
Max extra paragraphs:	0xFFFF
Initial SS value:	0x0000
Initial SP value:	0x00B8
Checksum:	0x0000
Initial IP value:	0x0000
Initial CS value:	0x0000
Overlay number:	0x0000
OEM identifier:	0x0000
OEM information:	0x0000
Address of NE header:	0x000000F0

PE Headers

Signature:	PE
Machine:	IMAGE_FILE_MACHINE_I386
Number of sections:	5
Time date stamp:	31-Oct-2016 22:55:14
Pointer to Symbol Table:	0x00000000
Number of symbols:	0
Size of Optional Header:	0x00E0
Characteristics:	IMAGE_FILE_32BIT_MACHINE IMAGE_FILE_EXECUTABLE_IMAGE

Sections

Name	Virtual Address	Virtual Size	Raw Size	Charateristics	Entropy
.text	0x00001000	0x00047826	0x00047A00	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ	6.63139
.rdata	0x00049000	0x00010F94	0x00011000	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ	5.40925
.data	0x0005A000	0x0000BD48	0x00002200	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE	4.12538
.rsrc	0x00066000	0x000200E0	0x00020200	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ	5.50255
.reloc	0x00087000	0x00004EE8	0x00005000	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ	4.94542

Resources

Title	Entropy	Size	Codepage	Language	Type
1	5.07475	1120	Latin 1 / Western European	UNKNOWN	RT_MANIFEST
2	3.15112	1384	Latin 1 / Western European	UNKNOWN	RT_ICON
3	7.93602	21046	Latin 1 / Western European	UNKNOWN	RT_ICON
4	3.37587	9640	Latin 1 / Western European	UNKNOWN	RT_ICON
5	2.34854	4264	Latin 1 / Western European	UNKNOWN	RT_ICON
6	4.51688	1128	Latin 1 / Western European	UNKNOWN	RT_ICON
10	2.6341	90	Latin 1 / Western European	UNKNOWN	RT_GROUP_ICON
16	0.545897	36	Latin 1 / Western European	Serbian - Serbia (Cyrillic)	RT_STRING
1701	3.95465	1464	Latin 1 / Western European	Serbian - Serbia (Cyrillic)	RT_STRING
1702	3.18543	114	Latin 1 / Western European	Serbian - Serbia (Cyrillic)	RT_STRING

Imports


ADVAPI32.dll
CRYPT32.dll
GDI32.dll
KERNEL32.dll
OLEAUT32.dll
PSAPI.DLL
SHELL32.dll
SHLWAPI.dll
USER32.dll
USERENV.dll

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

768

"C:\Program Files\Google\Update\1.3.34.11\GoogleUpdateOnDemand.exe" -Embedding

C:\Program Files\Google\Update\1.3.34.11\GoogleUpdateOnDemand.exe

—

svchost.exe

User:

admin

Company:

Google LLC

Integrity Level:

MEDIUM

Description:

Google Update

Exit code:

Version:

1.3.34.11

Modules

Images
c:\program files\google\update\1.3.34.11\googleupdateondemand.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll

848

C:\Windows\system32\svchost.exe -k netsvcs

C:\Windows\System32\svchost.exe

services.exe

User:

SYSTEM

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

Host Process for Windows Services

Exit code:

Version:

6.1.7600.16385 (win7_rtm.090713-1255)

Modules

Images
c:\windows\system32\windanr.exe
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ole32.dll
c:\windows\system32\gdi32.dll

864

"C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" -Embedding

C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

—

svchost.exe

User:

admin

Company:

Google Inc.

Integrity Level:

MEDIUM

Description:

GoogleToolbarNotifier

Exit code:

Version:

4, 1, 509, 1944

Modules

Images
c:\program files\google\googletoolbarnotifier\googletoolbarnotifier.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\program files\google\googletoolbarnotifier\5.12.11510.1228\gtn.dll
c:\windows\system32\gdi32.dll

944

"C:\Program Files\Google\Google Toolbar\Component\GoogleUpdateSetup_5CC4B0F53D73AD88.exe" /install "runtime=true&needsadmin=True&brand=GGOT" /installsource toolbar /silent

C:\Program Files\Google\Google Toolbar\Component\GoogleUpdateSetup_5CC4B0F53D73AD88.exe

GoogleToolbarManager_8B0481A9A34D47CD.exe

User:

admin

Company:

Google Inc.

Integrity Level:

HIGH

Description:

Google Update Setup

Exit code:

Version:

1.3.21.107

Modules

Images
c:\program files\google\google toolbar\component\googleupdatesetup_5cc4b0f53d73ad88.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll

1100

"C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" -Embedding

C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

svchost.exe

User:

admin

Company:

Google Inc.

Integrity Level:

MEDIUM

Description:

GoogleToolbarNotifier

Exit code:

Version:

4, 1, 509, 1944

Modules

Images
c:\program files\google\googletoolbarnotifier\googletoolbarnotifier.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\program files\google\googletoolbarnotifier\5.12.11510.1228\gtn.dll
c:\windows\system32\user32.dll

1696

"C:\Program Files\Google\Update\GoogleUpdate.exe" /ondemand

C:\Program Files\Google\Update\GoogleUpdate.exe

—

GoogleUpdateOnDemand.exe

User:

admin

Company:

Google Inc.

Integrity Level:

MEDIUM

Description:

Google Installer

Exit code:

Version:

1.3.33.23

Modules

Images
c:\program files\google\update\googleupdate.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll

2168

"C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarManager_8B0481A9A34D47CD.exe" /postinstall /sid:S-1-5-21-1302019708-1500728564-335382590-1000 /sid:S-1-5-21-1302019708-1500728564-335382590-1000 /dont_elevate /installwindow:524650

C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarManager_8B0481A9A34D47CD.exe

—

googletoolbarinstaller_updater_signed.exe

User:

admin

Company:

Google Inc.

Integrity Level:

HIGH

Description:

Google Toolbar Manager

Exit code:

Version:

7, 5, 8231, 2252

Modules

Images
c:\program files\google\google toolbar\component\googletoolbarmanager_8b0481a9a34d47cd.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\wininet.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll

2176

"C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe" /Service

C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

—

GoogleUpdaterService_B33FC4DD36A473C6.exe

User:

admin

Company:

Google

Integrity Level:

HIGH

Description:

gusvc

Exit code:

Version:

2.4.2617.4952.beta

Modules

Images
c:\program files\google\common\google updater\googleupdaterservice.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ole32.dll

2184

"C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" -Embedding

C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

—

svchost.exe

User:

admin

Company:

Google Inc.

Integrity Level:

MEDIUM

Description:

GoogleToolbarNotifier

Exit code:

Version:

4, 1, 509, 1944

Modules

Images
c:\program files\google\googletoolbarnotifier\googletoolbarnotifier.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\program files\google\googletoolbarnotifier\5.12.11510.1228\gtn.dll
c:\windows\system32\user32.dll

2296

"C:\Program Files\Google\Update\GoogleUpdate.exe" /ondemand

C:\Program Files\Google\Update\GoogleUpdate.exe

—

GoogleUpdateOnDemand.exe

User:

admin

Company:

Google Inc.

Integrity Level:

MEDIUM

Description:

Google Installer

Exit code:

Version:

1.3.33.23

Modules

Images
c:\program files\google\update\googleupdate.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll

Add for printing

Total events

2 614

Read events

1 602

Write events

984

Delete events

Modification events


(PID) Process:	(3292) googletoolbarinstaller_updater_signed.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	UNCAsIntranet
Value: 0
(PID) Process:	(3292) googletoolbarinstaller_updater_signed.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	AutoDetect
Value: 1
(PID) Process:	(3772) googletoolbarinstaller_updater_signed.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Google\Google Toolbar\Branding
Operation:	write	Name:	sin
Value: 0
(PID) Process:	(3772) googletoolbarinstaller_updater_signed.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Google\Google Toolbar\Branding
Operation:	write	Name:	ein
Value: 1
(PID) Process:	(3772) googletoolbarinstaller_updater_signed.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Google\Google Toolbar
Operation:	write	Name:	test
Value: 23710
(PID) Process:	(3772) googletoolbarinstaller_updater_signed.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\googletoolbarinstaller_updater_signed_RASAPI32
Operation:	write	Name:	EnableFileTracing
Value: 0
(PID) Process:	(3772) googletoolbarinstaller_updater_signed.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\googletoolbarinstaller_updater_signed_RASAPI32
Operation:	write	Name:	EnableConsoleTracing
Value: 0
(PID) Process:	(3772) googletoolbarinstaller_updater_signed.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\googletoolbarinstaller_updater_signed_RASAPI32
Operation:	write	Name:	FileTracingMask
Value: 4294901760
(PID) Process:	(3772) googletoolbarinstaller_updater_signed.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\googletoolbarinstaller_updater_signed_RASAPI32
Operation:	write	Name:	ConsoleTracingMask
Value: 4294901760
(PID) Process:	(3772) googletoolbarinstaller_updater_signed.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\googletoolbarinstaller_updater_signed_RASAPI32
Operation:	write	Name:	MaxFileSize
Value: 1048576

Add for printing

Executable files

Suspicious files

Text files

Unknown types

Dropped files

PID	Process	Filename		Type
3772	googletoolbarinstaller_updater_signed.exe	C:\Users\admin\AppData\Local\Temp\Google Toolbar\gt6EDB.tmp		—
		MD5:—	SHA256:—
3772	googletoolbarinstaller_updater_signed.exe	C:\Program Files\Google\Google Toolbar\Component\cmp710F.tmp		—
		MD5:—	SHA256:—
3772	googletoolbarinstaller_updater_signed.exe	C:\Users\admin\AppData\Local\Temp\Google Toolbar\gt7120.tmp		—
		MD5:—	SHA256:—
3772	googletoolbarinstaller_updater_signed.exe	C:\Program Files\Google\Google Toolbar\Component\cmp75C4.tmp		—
		MD5:—	SHA256:—
3772	googletoolbarinstaller_updater_signed.exe	C:\Users\admin\AppData\Local\Temp\Google Toolbar\gt7604.tmp		—
		MD5:—	SHA256:—
3772	googletoolbarinstaller_updater_signed.exe	C:\Program Files\Google\Google Toolbar\Component\cmp7827.tmp		—
		MD5:—	SHA256:—
3772	googletoolbarinstaller_updater_signed.exe	C:\Users\admin\AppData\Local\Temp\Google Toolbar\gt7848.tmp		—
		MD5:—	SHA256:—
3772	googletoolbarinstaller_updater_signed.exe	C:\Program Files\Google\Google Toolbar\Component\cmp7A8B.tmp		—
		MD5:—	SHA256:—
3772	googletoolbarinstaller_updater_signed.exe	C:\Users\admin\AppData\Local\Temp\Google Toolbar\gt7A9B.tmp		—
		MD5:—	SHA256:—
3772	googletoolbarinstaller_updater_signed.exe	C:\Program Files\Google\Google Toolbar\Component\cmp7B87.tmp		—
		MD5:—	SHA256:—

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
3772	googletoolbarinstaller_updater_signed.exe	GET	302	172.217.22.110:80	http://cache.pack.google.com/edgedl/toolbar/components/GoogleToolbar_32_38A4BBA9EA6D142A.dll.lz	US	html	453 b	whitelisted
3772	googletoolbarinstaller_updater_signed.exe	GET	302	172.217.22.110:80	http://cache.pack.google.com/edgedl/toolbar/components/GoogleToolbarDynamic_mui_en_4D8162B8670AA63C.dll.lz	US	html	464 b	whitelisted
3772	googletoolbarinstaller_updater_signed.exe	GET	302	172.217.22.110:80	http://cache.pack.google.com/edgedl/toolbar/components/GoogleToolbarDynamic_32_4DC8E820B2954571.dll.lz	US	html	460 b	whitelisted
3772	googletoolbarinstaller_updater_signed.exe	GET	302	172.217.22.110:80	http://cache.pack.google.com/edgedl/toolbar/components/GoogleToolbarManager_8B0481A9A34D47CD.exe.lz	US	html	457 b	whitelisted
3772	googletoolbarinstaller_updater_signed.exe	GET	302	172.217.22.110:80	http://cache.pack.google.com/edgedl/toolbar/components/GoogleUpdaterService_B33FC4DD36A473C6.exe.lz	US	html	457 b	whitelisted
2720	iexplore.exe	GET	302	216.58.205.238:80	http://toolbar.google.com/tbredir?r=di&l=en&v=7.5&tbbrand=	US	html	190 b	whitelisted
3772	googletoolbarinstaller_updater_signed.exe	GET	302	172.217.22.110:80	http://cache.pack.google.com/edgedl/toolbar/components/SearchWithGoogleUpdate_CA8A7236098B8F9A.exe.lz	US	html	459 b	whitelisted
3772	googletoolbarinstaller_updater_signed.exe	GET	200	173.194.151.104:80	http://r2---sn-4g5e6ne6.c.pack.google.com/edgedl/toolbar/components/GoogleToolbarUser_32_13D64232A255CA16.exe.lz?cms_redirect=yes&mip=185.183.107.227&mm=28&mn=sn-4g5e6ne6&ms=nvh&mt=1562863878&mv=m&mvi=1&pl=24&shardbypass=yes	US	lzma	143 Kb	whitelisted
3772	googletoolbarinstaller_updater_signed.exe	GET	200	173.194.188.169:80	http://r4---sn-4g5edns6.c.pack.google.com/edgedl/toolbar/components/GoogleToolbar_32_38A4BBA9EA6D142A.dll.lz?cms_redirect=yes&mip=185.183.107.227&mm=28&mn=sn-4g5edns6&ms=nvh&mt=1562863878&mv=m&mvi=3&pl=24&shardbypass=yes	US	lzma	89.8 Kb	whitelisted
3772	googletoolbarinstaller_updater_signed.exe	GET	200	173.194.187.102:80	http://r1---sn-4g5e6nsr.c.pack.google.com/edgedl/toolbar/components/GoogleToolbarDynamic_32_4DC8E820B2954571.dll.lz?cms_redirect=yes&mip=185.183.107.227&mm=28&mn=sn-4g5e6nsr&ms=nvh&mt=1562863878&mv=m&mvi=0&pl=24&shardbypass=yes	US	lzma	1.11 Mb	whitelisted

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
3772	googletoolbarinstaller_updater_signed.exe	173.194.188.42:80	r5---sn-4g5ednse.c.pack.google.com	Google Inc.	US	whitelisted
3772	googletoolbarinstaller_updater_signed.exe	173.194.151.104:80	r2---sn-4g5e6ne6.c.pack.google.com	Google Inc.	US	whitelisted
3772	googletoolbarinstaller_updater_signed.exe	173.194.165.169:80	r3---sn-4g5edney.c.pack.google.com	Google Inc.	US	whitelisted
2720	iexplore.exe	216.58.205.238:80	toolbar.google.com	Google Inc.	US	whitelisted
3772	googletoolbarinstaller_updater_signed.exe	173.194.164.137:80	r3---sn-4g5e6nle.c.pack.google.com	Google Inc.	US	whitelisted
2720	iexplore.exe	172.217.22.4:80	www.google.com	Google Inc.	US	whitelisted
3168	iexplore.exe	204.79.197.200:80	www.bing.com	Microsoft Corporation	US	whitelisted
2720	iexplore.exe	172.217.21.238:80	tools.google.com	Google Inc.	US	whitelisted
2720	iexplore.exe	172.217.22.42:80	fonts.googleapis.com	Google Inc.	US	whitelisted
2720	iexplore.exe	172.217.23.130:80	www.googleadservices.com	Google Inc.	US	whitelisted

DNS requests

Domain	IP	Reputation
cache.pack.google.com	172.217.22.110	whitelisted
r4---sn-4g5edns6.c.pack.google.com	173.194.188.169	whitelisted
r1---sn-4g5e6nsr.c.pack.google.com	173.194.187.102	whitelisted
r5---sn-4g5ednse.c.pack.google.com	173.194.188.42	whitelisted
r2---sn-4g5e6ne6.c.pack.google.com	173.194.151.104	whitelisted
r3---sn-4g5edney.c.pack.google.com	173.194.165.169	whitelisted
r3---sn-4g5e6nle.c.pack.google.com	173.194.164.137	whitelisted
toolbar.google.com	216.58.205.238	whitelisted
www.google.com	172.217.22.4	malicious
www.bing.com	204.79.197.200 13.107.21.200	whitelisted

Threats

No threats detected

Add for printing

Process	Message
GoogleUpdate.exe	LOG_SYSTEM: [GoogleUpdate:goopdate]: ERROR - Cannot create ETW log writer

General Info

googletoolbarinstaller_updater_signed.exe

E07728F85C48F56645C2D2A4BE8AACF5

A8345E02BCE2075D53B091FB8C95BB052D8E5E7A

60B49FBFC3D98134FD35D9BFE45DB96985947FDFD0BE5221F9FB774A577FC07C

12288:m5xMvWsU705oDm38AezWs/U1EWtA6UJTiLAxT/7MAjNbk:ixMvMzDq8AeP/U1EWO1T3Twok

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Changes settings of System certificates

Application was dropped or rewritten from another process

Loads dropped or rewritten executable

Loads the Task Scheduler DLL interface

SUSPICIOUS

Application launched itself

Reads Internet Cache Settings

Adds / modifies Windows certificates

Executable content was dropped or overwritten

Creates files in the program directory

Creates a software uninstall entry

Creates COM task schedule object

Executed via COM

Executed as Windows Service

Creates files in the Windows directory

Starts Internet Explorer

Starts application with an unusual extension

Removes files from Windows directory

INFO

Creates a software uninstall entry

Changes internet zones settings

Creates files in the user directory

Application launched itself

Reads Internet Cache Settings

Reads internet explorer settings

Reads settings of System Certificates

Malware configuration

Static information

TRiD

EXIF

EXE

Summary

DOS Header

PE Headers

Sections

Resources

Imports

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests