AZORult: Now, as A Signed “Google Update”
January 28, 2019
https://blog.minerva-labs.com/azorult-now-as-a-signed-google-update
This is sneaky indeed. So it's best to only trust a handful of certificates, and I wonder how you can stop apps from replacing legitimate apps inside C:\Program Files. This is something that should not have been possible in Windows; you should not be able to modify folders that do not belong to you! But a good HIPS would alert that the GoogleUpdate.exe app had been changed; they monitor this via checksum.