update_0bd0.exe

It runs as a Windows 64-bit kernel-mode device driver named "GGSAFER Driver". It is configured to start automatically when a user logs into Windows, via the current-user Run registry key, under the display name "Ruawotunquarasd". The file has been seen being downloaded from www.filecroco.com and multiple other hosts.
MD5:
7215ee9c7d9dc229d2921a40e899ec5f

SHA-1:
b858cb282617fb0956d960215c8e84d1ccf909c6

SHA-256:
36a9e7f1c95b82ffb99743e0c5c4ce95d83c9a430aac59f84ef3cbfab6145068

Scanner detections:
0 / 68

Status:
Clean (as of last analysis)

Analysis date:
11/24/2024 1:04:09 AM UTC

File size:
0 Bytes

File type:
Executable application (Win64 EXE)

Common path:
C:\users\{user}\appdata\local\temp\update_0bd0.exe

File PE Metadata
OS bitness:
Win64

Approved Shell Extension
Name:
.contact shell extension handler

CLSID:
{8082C5E6-4C27-48ec-A809-B8E1122E8F97}


Driver
Display name:
GGSAFER Driver

Service name:
GGSAFERDriver

Type:
Kernel device driver (KernelDriver)


2 Mozilla Extensions
Name:
59D317DB041748fdB89B47E6F96058F3@jetpack.xpi

Display:
JsInjectExtension

Id:
59D317DB041748fdB89B47E6F96058F3@jetpack

Description:
“JsInjectExtension”

Name:
59D317DB041748fdB89B47E6F96058F3@defext.xpi

Display:
Default Extension

Id:
59D317DB041748fdB89B47E6F96058F3@defext

Description:
“Default Firefox Extension Helper”


Startup File (User Run)
Registry location:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:
Ruawotunquarasd

Command:
"C:\users\{user}\appdata\roaming\yvsoordy\upxisie.exe"


The file update_0bd0.exe has been discovered within the following programs.

AmiBroker 5.60.2  by AmiBroker.com
www.amibroker.com
About 2% of users remove it
Billy Hatcher  by SEGA
www.sega-europe.com
5% remove it
CasinoClub  by Boss Media AB
About 8% of users remove it
Command & Conquer: Red Alert 3 – Uprising is a real-time strategy video game. Uprising picks up on where the Allied Campaign of the original game left off. Four "mini-campaigns" are available, one for each faction in Red Alert 3 and a bonus one.
www.commandandconquer.com
3% remove it
gotomaxx PDFMAILER  by gotomaxx GmbH
Publisher's description - "PDF Converter PDFMAILER is now equipped with a "Social Extension", which distributes the documents on social networks such as Facebook or Twitter. So just a few handles to discuss, for example, an advertisement or to promote special offers."
www.gotomaxx.com
About 1% of users remove it
Heroes of Might and Magic 3 Complete is a digital video game distributed through the DRM-free GOG service. This game can be run from the optional download manager or directly downloaded through the cloud.
www.gog.com
3% remove it
Site Studio  by Effective Studios
www.effectivestudios.it
About 1% of users remove it
World Watch 10  by Express Technologies Corporation
www.ExpressTechnologiesCorporation.com
About 5% of users remove it
Powered by Should I Remove It?

The file update_0bd0.exe has been seen being distributed by the following 24 URLs.


Scan update_0bd0.exe - Powered by Reason Core Security