3f208f4e0dacb8661d7659d2a030f36e

Summary

Architecture IMAGE_FILE_MACHINE_I386
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date 2024-Apr-12 08:01:40
Detected languages English - United States
Debug artifacts C:\vsts-new\Installers\MetaInstaller\BGAUpdatePack\Release\BGAUpdate.pdb
CompanyName © 2024 Microsoft Corporation
FileDescription BGA Update Pack
FileVersion 2.0.0.34
InternalName BGAUpdatePack.exe
LegalCopyright © 2024 Microsoft Corporation. All rights reserved.
OriginalFilename BGAUpdatePack.exe
ProductName BGA Update Pack
ProductVersion 2.0.0.34

Plugin Output

Info Matching compiler(s): Microsoft Visual C++ v6.0 DLL
Microsoft Visual C++ 6.0 - 8.0
Microsoft Visual C# v7.0 / Basic .NET
.NET DLL -> Microsoft
Suspicious Strings found in the binary may indicate undesirable behavior:
Contains references to system / monitoring tools:
  • rundll32.exe
Contains references to internet browsers:
  • chrome.exe
  • firefox.exe
May have dropper capabilities:
  • CurrentVersion\Run
Contains another PE executable:
  • This program cannot be run in DOS mode.
Contains domain names:
Info Cryptographic algorithms detected in the binary: Uses constants related to CRC32
Uses constants related to SHA256
Info The PE contains common functions which appear in legitimate applications. [!] The program may be hiding some of its imports:
  • GetProcAddress
  • LoadLibraryExW
Can access the registry:
  • RegSetValueExW
  • RegQueryValueExW
  • RegCloseKey
  • RegDeleteValueW
  • RegCreateKeyExW
  • RegOpenKeyExW
  • RegDeleteKeyExW
Malicious The PE is possibly a dropper. Resource 129 detected as a PE Executable.
Resource 131 detected as a PE Executable.
Resources account for 99.1551% of the executable.
Info The PE is digitally signed. Signer: Microsoft Corporation
Issuer: Microsoft Code Signing PCA 2011
Safe VirusTotal score: 0/70 (Scanned on 2024-04-25 07:24:44) All the AVs think this file is safe.

Hashes

MD5 3f208f4e0dacb8661d7659d2a030f36e
SHA1 07fe69fd12637b63f6ae44e60fdf80e5e3e933ff
SHA256 d3c12e642d4b032e2592c2ba6e0ed703a7e43fb424b7c3ab5b2e51b53d1d433b
SHA3 80139f344570da6ecd8e4b80e921643b9b0fbe8f8999059b8d7f8b291d510d92
SSDeep 393216:1JmA6wjj314+lu3aEjdAynz9EHmiqEYDJDj/:vt314mmsyzKGiqEk
Imports Hash 39671aec6dcae76789dbe66880797414

DOS Header

e_magic MZ
e_cblp 0x90
e_cp 0x3
e_crlc 0
e_cparhdr 0x4
e_minalloc 0
e_maxalloc 0xffff
e_ss 0
e_sp 0xb8
e_csum 0
e_ip 0
e_cs 0
e_ovno 0
e_oemid 0
e_oeminfo 0
e_lfanew 0x110

PE Header

Signature PE
Machine IMAGE_FILE_MACHINE_I386
NumberofSections 5
TimeDateStamp 2024-Apr-12 08:01:40
PointerToSymbolTable 0
NumberOfSymbols 0
SizeOfOptionalHeader 0xe0
Characteristics IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_EXECUTABLE_IMAGE

Image Optional Header

Magic PE32
LinkerVersion 14.0
SizeOfCode 0x17800
SizeOfInitializedData 0x111be00
SizeOfUninitializedData 0
AddressOfEntryPoint 0x000079F0 (Section: .text)
BaseOfCode 0x1000
BaseOfData 0x19000
ImageBase 0x400000
SectionAlignment 0x1000
FileAlignment 0x200
OperatingSystemVersion 6.0
ImageVersion 0.0
SubsystemVersion 6.0
Win32VersionValue 0
SizeOfImage 0x1137000
SizeOfHeaders 0x400
Checksum 0x1138c9f
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
DllCharacteristics IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE
SizeofStackReserve 0x100000
SizeofStackCommit 0x1000
SizeofHeapReserve 0x100000
SizeofHeapCommit 0x1000
LoaderFlags 0
NumberOfRvaAndSizes 16

.text

MD5 6672d30afb0aa405ab3376ee18b608dc
SHA1 6b8f039835104d1b9a115ad954e5650e89430914
SHA256 de11db047a1ee2542ba9c7dd25d7b338cb1bda40da7bafecd905c4ff7ccab536
SHA3 9a487b169e640983e1ea8356d02a029da94c9d0b513f26c32a0bcbc602f06394
VirtualSize 0x17799
VirtualAddress 0x1000
SizeOfRawData 0x17800
PointerToRawData 0x400
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
Entropy 6.59859

.rdata

MD5 3a4c08f35c8e323ddc629906ec70dd69
SHA1 49a46142fa4657bb3e804622a006113028145ee1
SHA256 88fb80927b217a36ce153cc96226b1900c5a851859bee2ad844a920e847734cc
SHA3 a195e5f7135b57688be0dedc270d4d70ed96480c76ed9765e2488ee72c06fd3d
VirtualSize 0x8a18
VirtualAddress 0x19000
SizeOfRawData 0x8c00
PointerToRawData 0x17c00
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Entropy 4.85318

.data

MD5 a0d4e012e4b3b16209c8aaffb0393b74
SHA1 457d9d9b41a63aed6a8c01f9534b2576d78f8ee5
SHA256 c6e931cce76849e3bd287347ca3d5410e1dcc5a24ac24179a58393f22e22a6b9
SHA3 90fad7100128a395cd00cf4744c2edad14c12f557d431cec548eab51402fb970
VirtualSize 0x1604
VirtualAddress 0x22000
SizeOfRawData 0xc00
PointerToRawData 0x20800
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
Entropy 2.43673

.rsrc

MD5 08c4170ee296807d9ba5c5573fd48f86
SHA1 43bf952b9b486c98b494b3284a761a92bb9f1088
SHA256 a986d5dc605d6dcee5805766d2874e9af344901e9e95a4ef63f7b0c521517164
SHA3 cbbc6ea208904cba38e4ea2c334621b6bdcfd0cae671d3ed3e9a2af0e7e410ad
VirtualSize 0x11103d0
VirtualAddress 0x24000
SizeOfRawData 0x1110400
PointerToRawData 0x21400
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Entropy 7.86988

.reloc

MD5 cbb3c1abb0050b753c4032608afe7a13
SHA1 6f4465e1ae72f023dd7e49a8f11af4e76494391d
SHA256 d844060022b657f1b83f0cf80ce77f08d40a2ce88d3a42320ab5d9fbfabe6f96
SHA3 8ebdfa355952a00a0ec95319685abbb2f31823bb266d73e62280c94c192a0b5a
VirtualSize 0x14a0
VirtualAddress 0x1135000
SizeOfRawData 0x1600
PointerToRawData 0x1131800
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
Entropy 6.39524

Imports

KERNEL32.dll FindResourceW
FindResourceExW
GetModuleHandleW
DecodePointer
CloseHandle
CreateFileW
DeleteFileW
GetModuleFileNameW
HeapDestroy
HeapAlloc
HeapFree
SizeofResource
HeapSize
GetProcessHeap
CreateFileMappingW
MapViewOfFile
UnmapViewOfFile
GetSystemTime
GetConsoleMode
LockResource
LoadResource
DeleteCriticalSection
InitializeCriticalSectionEx
GetLastError
RaiseException
HeapReAlloc
MultiByteToWideChar
GetConsoleOutputCP
FlushFileBuffers
SetFilePointerEx
GetStringTypeW
SetStdHandle
LCMapStringW
IsDebuggerPresent
OutputDebugStringW
EnterCriticalSection
LeaveCriticalSection
UnhandledExceptionFilter
SetUnhandledExceptionFilter
GetCurrentProcess
TerminateProcess
IsProcessorFeaturePresent
InitializeCriticalSectionAndSpinCount
SetEvent
ResetEvent
WaitForSingleObjectEx
CreateEventW
GetProcAddress
GetStartupInfoW
QueryPerformanceCounter
GetCurrentProcessId
GetCurrentThreadId
GetSystemTimeAsFileTime
InitializeSListHead
RtlUnwind
SetLastError
EncodePointer
TlsAlloc
TlsGetValue
TlsSetValue
TlsFree
FreeLibrary
LoadLibraryExW
ExitProcess
GetModuleHandleExW
GetStdHandle
WriteFile
GetFileType
FindClose
FindFirstFileExW
FindNextFileW
IsValidCodePage
GetACP
GetOEMCP
GetCPInfo
GetCommandLineA
GetCommandLineW
WideCharToMultiByte
GetEnvironmentStringsW
FreeEnvironmentStringsW
WriteConsoleW
ADVAPI32.dll RegSetValueExW
RegQueryValueExW
RegCloseKey
RegDeleteValueW
RegCreateKeyExW
RegOpenKeyExW
RegDeleteKeyExW
SHELL32.dll SHGetFolderPathAndSubDirW
SHLWAPI.dll PathFileExistsW
RPCRT4.dll UuidCreate
UuidToStringA
RpcStringFreeA

Delayed Imports

129

Type BINARY
Language English - United States
Codepage UNKNOWN
Size 0x110b5b8
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 7.87068
Detected Filetype PE Executable
MD5 526cf1a72c92ee03e607f7ceb66dbd69
SHA1 05af6d9dff50ecaf15a2e170589f8448b919e539
SHA256 c60df5e52f642c159e6cfb8a2884707d4fa4c85d4460049de7759d2c92bdddf8
SHA3 7fa78a9e2f0d3a451eae5b55b62dc2c891f1edea1aa40fad9024c333aef72ad7

131

Type BINARY
Language English - United States
Codepage UNKNOWN
Size 0x4820
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 6.54304
Detected Filetype PE Executable
MD5 5ec2bd09fda7bf86a84953baa1039f1e
SHA1 7dcbea5546e71d30e57e52ef8b99c91ec6e73e78
SHA256 2a679ba8589c7dd57ad014a55cb8680c91071a9e5f2eb982de77ff2ac7032937
SHA3 7307e88902e9fdb2ebfcfc0060242def2ff4265ef153c6891523d47f30d4e8a2

1

Type RT_VERSION
Language English - United States
Codepage UNKNOWN
Size 0x348
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 3.44984
MD5 c02a899901d1c66b8350408874467b3e
SHA1 c2e51ec386302c1f97f5bef736b860b22f821d89
SHA256 375394cac7d62e19621d8de5cf542e3ac918c00b6885635bd7a706cfe1842816
SHA3 ed2b3fb0efd7dd4f069b90bf4eb67822a3df2887efb60f925aa8f3065153fd48

1 (#2)

Type RT_MANIFEST
Language English - United States
Codepage UNKNOWN
Size 0x17d
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 4.91161
MD5 1e4a89b11eae0fcf8bb5fdd5ec3b6f61
SHA1 4260284ce14278c397aaf6f389c1609b0ab0ce51
SHA256 4bb79dcea0a901f7d9eac5aa05728ae92acb42e0cb22e5dd14134f4421a3d8df
SHA3 4bb9e8b5a714cae82782f3831cc2d45f4bf4a50a755fe584d2d1893129d68353

Version Info

Signature 0xfeef04bd
StructVersion 0x10000
FileVersion 2.0.0.34
ProductVersion 2.0.0.34
FileFlags (EMPTY)
FileOs VOS_DOS_WINDOWS32
VOS_NT
VOS_NT_WINDOWS32
VOS_WINCE
VOS__WINDOWS32
FileType VFT_APP
Language English - United States
CompanyName © 2024 Microsoft Corporation
FileDescription BGA Update Pack
FileVersion (#2) 2.0.0.34
InternalName BGAUpdatePack.exe
LegalCopyright © 2024 Microsoft Corporation. All rights reserved.
OriginalFilename BGAUpdatePack.exe
ProductName BGA Update Pack
ProductVersion (#2) 2.0.0.34
Resource LangID English - United States

IMAGE_DEBUG_TYPE_CODEVIEW

Characteristics 0
TimeDateStamp 2024-Apr-12 08:01:40
Version 0.0
SizeofData 97
AddressOfRawData 0x201dc
PointerToRawData 0x1eddc
Referenced File C:\vsts-new\Installers\MetaInstaller\BGAUpdatePack\Release\BGAUpdate.pdb

IMAGE_DEBUG_TYPE_VC_FEATURE

Characteristics 0
TimeDateStamp 2024-Apr-12 08:01:40
Version 0.0
SizeofData 20
AddressOfRawData 0x20240
PointerToRawData 0x1ee40

IMAGE_DEBUG_TYPE_POGO

Characteristics 0
TimeDateStamp 2024-Apr-12 08:01:40
Version 0.0
SizeofData 944
AddressOfRawData 0x20254
PointerToRawData 0x1ee54

IMAGE_DEBUG_TYPE_ILTCG

Characteristics 0
TimeDateStamp 2024-Apr-12 08:01:40
Version 0.0
SizeofData 0
AddressOfRawData 0
PointerToRawData 0

TLS Callbacks

StartAddressOfRawData 0x420614
EndAddressOfRawData 0x42061c
AddressOfIndex 0x422ddc
AddressOfCallbacks 0x4191cc
SizeOfZeroFill 0
Characteristics IMAGE_SCN_ALIGN_4BYTES
Callbacks (EMPTY)

Load Configuration

Size 0xbc
TimeDateStamp 1970-Jan-01 00:00:00
Version 0.0
GlobalFlagsClear (EMPTY)
GlobalFlagsSet (EMPTY)
CriticalSectionDefaultTimeout 0
DeCommitFreeBlockThreshold 0
DeCommitTotalFreeThreshold 0
LockPrefixTable 0
MaximumAllocationSize 0
VirtualMemoryThreshold 0
ProcessAffinityMask 0
ProcessHeapFlags (EMPTY)
CSDVersion 0
Reserved1 0
EditList 0
SecurityCookie 0x42200c
SEHandlerTable 0x42017c
SEHandlerCount 18

RICH Header

XOR Key 0x9ac38463
Unmarked objects 0
ASM objects (27412) 10
C++ objects (27412) 144
C objects (27412) 18
C objects (30034) 19
ASM objects (30034) 18
C++ objects (30034) 45
Imports (27412) 15
Total imports 115
C++ objects (LTCG) (30154) 2
Resource objects (30154) 1
151 1
Linker (30154) 1

Errors
