| Category | Started On | Completed On | Duration | Cuckoo Version |
|---|---|---|---|---|
| FILE | 2022-11-24 13:21:06.668012 | 2022-11-24 13:21:32.548357 | 25 seconds | 2.0-dev |
| Machine | Label | Manager | Started On | Shutdown On |
|---|---|---|---|---|
| win7cuckoo | win7 Clone 1 | VirtualBox | 2022-11-24 13:21:07 | 2022-11-24 13:21:32 |
File Details
| File name | 85a14613cfb9fb8b13d9c7bcd2b8fb6aa73d0b96.exe |
|---|---|
| File size | 939560 bytes |
| File type | PE32+ executable (GUI) x86-64, for MS Windows |
| CRC32 | 675927BA |
| MD5 | 2cbebe2799f12effb1c953b01ba9aefc |
| SHA1 | 85a14613cfb9fb8b13d9c7bcd2b8fb6aa73d0b96 |
| SHA256 | 3f28b1bc371dee659e5637556948bde42de7a1398e5dc65373135714ae6d88b8 |
| SHA512 | acebf157b76ab4c5f54b70486dbe0e71eb37d292aac0bad40b5d2eed185d88913f1764b4e96bd1c442fa69ff01f1013d07c45fb438d55ec1117fae79329b73c6 |
| Ssdeep | None |
| PEiD | None matched |
| Yara |
|
| VirusTotal | File not found on VirusTotal |
MetaFlows Scores
Metaflows Analysis Results (Signatures=50, Anomalies=0, PEiD=0, Yara=0, VT[1669314100]=0): Snort Events=0, AV Events=0
Total Score=50
Total Score=50
Signatures
has_pdb details
This executable has a PDB path
antivm_memory_available details
Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available
pe_features details
The executable contains unknown PE section names indicative of a packer (could be a false positive)
nolookup_communication details
Communicates with host for which no DNS query was performed
packer_entropy details
The binary likely contains encrypted or compressed data indicative of a packer
Screenshots
Static Analysis
Version Infos
| LegalCopyright: | Copyright 2022 Google LLC. All rights reserved. |
| InternalName: | mini_installer |
| CompanyShortName: | |
| FileVersion: | 107.0.5304.108 |
| CompanyName: | Google LLC |
| ProductShortName: | Chrome Installer |
| ProductName: | Google Chrome Installer |
| LastChange: | 294f9da25eeda7ddca937d7c70b92d53a71745dc-refs/branch-heads/5304@{#1197} |
| ProductVersion: | 107.0.5304.108 |
| FileDescription: | Google Chrome Installer |
| Official Build: | 1 |
| Translation: | 0x0409 0x04b0 |
Sections
| Name | Virtual Address | Virtual Size | Size of Raw Data | Entropy |
|---|---|---|---|---|
| .text | 0x00001000 | 0x00003125 | 0x00003200 | 6.0596542828 |
| .rdata | 0x00005000 | 0x0000136c | 0x00001400 | 4.32759072939 |
| .data | 0x00007000 | 0x000000d0 | 0x00000200 | 0.798640562162 |
| .pdata | 0x00008000 | 0x00000264 | 0x00000400 | 2.67197774534 |
| .00cfg | 0x00009000 | 0x00000028 | 0x00000200 | 0.325533638474 |
| .retplne | 0x0000a000 | 0x0000005c | 0x00000200 | 0.845848782355 |
| .voltbl | 0x0000b000 | 0x0000000c | 0x00000200 | 0.22401940744 |
| .rsrc | 0x0000c000 | 0x000db10c | 0x000db200 | 7.99923961528 |
| .reloc | 0x000e8000 | 0x00000048 | 0x00000200 | 0.809340626997 |
Resources
| Name | Offset | Size | Language | Sub-language | File type |
|---|---|---|---|---|---|
| B7 | 0x000e5dbc | 0x00000812 | LANG_ENGLISH | SUBLANG_ENGLISH_US | 7-zip archive data, version 0.3 |
| B7 | 0x000e5dbc | 0x00000812 | LANG_ENGLISH | SUBLANG_ENGLISH_US | 7-zip archive data, version 0.3 |
| RT_ICON | 0x000e65d0 | 0x000002e8 | LANG_ENGLISH | SUBLANG_ENGLISH_US | data |
| RT_RCDATA | 0x000e68b8 | 0x0000000f | LANG_ENGLISH | SUBLANG_ENGLISH_US | ASCII text, with no line terminators |
| RT_GROUP_ICON | 0x000e68c8 | 0x00000014 | LANG_ENGLISH | SUBLANG_ENGLISH_US | MS Windows icon resource - 1 icon |
| RT_VERSION | 0x000e68dc | 0x0000045c | LANG_ENGLISH | SUBLANG_ENGLISH_US | data |
| RT_MANIFEST | 0x000e6d38 | 0x000003d2 | LANG_ENGLISH | SUBLANG_ENGLISH_US | XML document text |
Imports
Library SHELL32.dll:
• 0x140005bc8 - CommandLineToArgvW
Library KERNEL32.dll:
• 0x140005bd8 - CloseHandle
• 0x140005be0 - CreateDirectoryW
• 0x140005be8 - CreateFileW
• 0x140005bf0 - CreateProcessW
• 0x140005bf8 - DosDateTimeToFileTime
• 0x140005c00 - DuplicateHandle
• 0x140005c08 - EnumResourceNamesW
• 0x140005c10 - ExitProcess
• 0x140005c18 - ExpandEnvironmentStringsW
• 0x140005c20 - FindResourceW
• 0x140005c28 - FreeLibrary
• 0x140005c30 - GetCommandLineW
• 0x140005c38 - GetCurrentProcess
• 0x140005c40 - GetEnvironmentVariableW
• 0x140005c48 - GetExitCodeProcess
• 0x140005c50 - GetFileAttributesW
• 0x140005c58 - GetFileInformationByHandleEx
• 0x140005c60 - GetLastError
• 0x140005c68 - GetModuleFileNameW
• 0x140005c70 - GetModuleHandleW
• 0x140005c78 - GetProcAddress
• 0x140005c80 - GetProcessHeap
• 0x140005c88 - GetSystemInfo
• 0x140005c90 - GetVolumeInformationW
• 0x140005c98 - GetVolumePathNameW
• 0x140005ca0 - HeapAlloc
• 0x140005ca8 - HeapFree
• 0x140005cb0 - LoadLibraryExA
• 0x140005cb8 - LoadLibraryExW
• 0x140005cc0 - LoadResource
• 0x140005cc8 - LocalAlloc
• 0x140005cd0 - LocalFileTimeToFileTime
• 0x140005cd8 - LocalFree
• 0x140005ce0 - LockResource
• 0x140005ce8 - MultiByteToWideChar
• 0x140005cf0 - RaiseException
• 0x140005cf8 - ReadFile
• 0x140005d00 - SetFileInformationByHandle
• 0x140005d08 - SetFilePointer
• 0x140005d10 - SetLastError
• 0x140005d18 - SetProcessWorkingSetSize
• 0x140005d20 - SizeofResource
• 0x140005d28 - Sleep
• 0x140005d30 - VirtualProtect
• 0x140005d38 - VirtualQuery
• 0x140005d40 - WaitForSingleObject
• 0x140005d48 - WideCharToMultiByte
• 0x140005d50 - WriteFile
• 0x140005d58 - lstrcmpiW
• 0x140005d60 - lstrlenW
Strings
!This program cannot be run in DOS mode.$
`.rdata
@.data
.pdata
@.00cfg
@.retplne\
.voltbl
@.reloc
AVVWSH
8[_^A^
AWAVAUATVWUSH
([]_^A\A]A^A_
AWAVATVWSH
[_^A\A^A_
AVVWUSH
@[]_^A^
AWAVAUATVWUSH
[]_^A\A]A^A_
AWAVVWSH
@[_^A^A_
AWAVVWUSH
([]_^A^A_
AWAVAUATVWUSH
[]_^A\A]A^A_
D$8fA9
AWAVVWSH
0[_^A^A_
AVVWSH
8[_^A^
AWAVAUATVWUSH
H[]_^A\A]A^A_
AWAVVWSH
[_^A^A_
AWAVATVWSH
([_^A\A^A_
AWAVAUATVWUSH
[]_^A\A]A^A_
AVVWUSH
[]_^A^
D$DDtRH
|$ UATAUAVAWH
t'HcG<
H;|80u
A_A^A]A\]
QRAPAQH
HAYAXZY
AcquireSRWLockExclusive
ReleaseSRWLockExclusive
FDICreate
FDIDestroy
FDICopy
LLD PDB.
C:\b\s\w\ir\cache\builder\src\out\Release_x64\mini_installer.exe.pdb
ConvertSidToStringSidW
ConvertStringSecurityDescriptorToSecurityDescriptorW
GetTokenInformation
OpenProcessToken
RegCloseKey
RegOpenKeyExW
RegQueryValueExW
RegSetValueExW
SystemFunction036
ADVAPI32.dll
CommandLineToArgvW
CloseHandle
CreateDirectoryW
CreateFileW
CreateProcessW
DosDateTimeToFileTime
DuplicateHandle
EnumResourceNamesW
ExitProcess
ExpandEnvironmentStringsW
FindResourceW
FreeLibrary
GetCommandLineW
GetCurrentProcess
GetEnvironmentVariableW
GetExitCodeProcess
GetFileAttributesW
GetFileInformationByHandleEx
GetLastError
GetModuleFileNameW
GetModuleHandleW
GetProcAddress
GetProcessHeap
GetSystemInfo
GetVolumeInformationW
GetVolumePathNameW
HeapAlloc
HeapFree
LoadLibraryExA
LoadLibraryExW
LoadResource
LocalAlloc
LocalFileTimeToFileTime
LocalFree
LockResource
MultiByteToWideChar
RaiseException
ReadFile
SetFileInformationByHandle
SetFilePointer
SetLastError
SetProcessWorkingSetSize
SizeofResource
VirtualProtect
VirtualQuery
WaitForSingleObject
WideCharToMultiByte
WriteFile
lstrcmpiW
lstrlenW
SHELL32.dll
KERNEL32.dll
RetpolineV1
RetpolineV1
RetpolineV1
RetpolineV1
&Ho2>P
DS<'t>
avcl=?^
xYI!}1{xR
Y1Q&[7
Kx/I"l E<
$w&i>@
6-ZOi/r
Q3=^A<=|
Au-lJ^e
.iP/y.
T5i#_G
f_-nD#s{Q5-
h5OiE10
3*w>Ti
t7fVWA?
!q#KzX&
]bK`d*i
{#o)4X
9DN2(zj:
vQM.lS
3D@-Z;a
tv<T=z
;UlN)u
`_Q!Tk
gac{?P
L_NFUe
2lD/6z8
/0q'b4
MB{ScZ
g/>Mo'
?262]D
NfL"Nn
_D"<0"p
-cc2!r
p_4G|8
SQ7RU&h
jS-UCw
ffd+Di
P269>s
8<{q>[
rPQ-Wj
Jw TAq
8!-?rXSl
#US|R=
)q>~/+
6Z:4kI
aLBtY-
d% fH)C
Y?wgwCSS
.DmzNam8
yRY"7P
ATF8'2
pz~%uB
"S0#8e
#xFL}A
qcH`~NU
%'_$\)
u'_Vat
x5F_/cr
['HJBt
ZujO\F
L# {({
Ta3$XR
t3A5;{4
{@w5%:
XQHy4-_
":5Q{Xw
WPDZr3l
{P#8h/S
s+yf$$
WVRUt~
)5WFOO
s*<r8>
PE)N>@`
2ozG LH
iXd7aN
F,[^XH
z@Nh(B^e
YhaA%!/
<YD^(6
EaOD3T
@WU;&;Z
3FSi|-
A+D"UX
q8;<-[O%$q
hWuf9$~&
dfOp q
s6"J"Z5
\u"s~O
)Cdf>\
f!<hNPH
EO-}aH
+Y)s+)
^kE gL
F /Fiq0
3w&@]Em
Cw^~):h]
?%epai
;^B rq
r^OlI=s
'T^ beTqW
$|G<:E
z%6"Qq
]{b^'q
M`5<~N
$b/*-:#c
PVKmJ7j
mm])=/
9^<0Pt
"k^~Th
q:Khxyp+^
h,n {8^
w>1|Y%
wyE.2D
AjH<k&
fS?FnO
aSv(3{Xs
gf$t_~C*
r>XB>.M
!?)a;l>
!"?@I+7
[._N.Y
y4qq^ry'
04n<l;
/$VayL6T
'Dm+wHoZ(
ss1UMj
Vf5En^
WJ&yjZ
qMhdS{y
BK14Wh
1fC(|$
+_iMB-
AtOkHg{
_GP=wq=`
.#ET[S?M
n+S![}
oeB#jH
A8^mTj
pU70V~
w>`[Cu
EeWQJ[-e
STqIt`o
ebE@~2|
rb;ER$
Lc==c}
1n8BHg
No[zZ?+Ps
tm'c\$
NZJ)-)2
G%5ZRAz3
!kEdQ]
@9jZ.)
-rfchW
B/xX+s
Gl<WPTBY
N`i>uo
7ZIzDI
F?"[A5N
CW@5B{*
{.I>\y
'$ZNC~
z!MQj?
WT!^.\
N[)jK5
5H26<k
&`vV>N`+
\>`J)Z.
<F56$sb
J-O':
Tt)voB
3/ns2&
+rP(\C
y:cg g
Z[EUP/
x8{;J+S
OG7sI_D
edg^P!>
f15z#u
8k&~"/
5IZTme
WJ^KY+
Oa.0!7
8?}q/w
U3684w
\e8jrz
qo"9<}
wa@'5)<P
r6&ov
a!"+(D]
XAuwmb
=0DsSs
lKwUA1
m.U\gd
\Hfj!;]
$}8zUK
?UE5</
\^Hhk,
;1hkjX
B&G?rH
>$M3+?
11P 5/!
QfUPOI
N6r#EN
_8>tP^#
:D1GaB=F
yRgE 2V$3/
7d!WZ+_"
V3bnNA
&oMumd
?KS&;;ns
7RNqe1
Bl"TMo=
{$SejL
OUUF/n
~1>_T*;
/Ek#>>{
" c`_a
\X-q`5
e)jrvD
= p}!p
H_N+jl5
Y%hvHt
Xqqg?4Z
P4k'U@I
9A0K:#U8^
QXCZ75N
]589FO
wESu$X
(AV=ZA
fb'm<"
u/AkO*
ocF?B]7
c()l\*5:
;},9r_|g6
~+p"SQ
x$s!Zg
6 {kiv
-S%QqF
0Y`I A\4
\7_{cd
ev5N~~
=5g>I1IC
uuLd Sw
2r(Ro)
jic\MM
"9U!5S
t[uR#M
u^\0Ks9
~+s6b@
3(~(V{
2~;~BeV)F
L6Ro{`
>=+Bm/^
dO3a6Re
X39;&P
r7b|J8
||mm$^
gF pP:
M?uFQ#"
o(d@H.
hnvY6Z
mdW9?/
.1aaf~
F|h[gM
&631Xlrs
Q!:x'F
X"fyg#1
.S<|VU
BhHV`t
JdIs/
Aek%-)
uZ~CI'
J%Tnm
<uxwg#
`3@:'(
<^s{ly
qh<=@\
]~ou3W
U1*X[i
)8{iIs
]{ou0x
"cN{.|
!p7 9B1*
}qe>&~U
#GaAN-_H
&DByML
P:K*jB&
h ^Mfd
l>jULh
<AeaiZ
-=kX.t}
fopK@q\
ze$|UY
7ecHS8
juP(%
'\@5|&
bJP&j*f
5exY}a
Gpch|^-*
+owh@oizRJ
^~gZUk
W4&4Y;}=
#\"`ZH
?.L~ei1
hSOSk@
uRiz7Ti#=
c>&DzHD
<3/& r
rN|U`^
N%\WSn
2tehpRM
*'w~0J
mu*2Fe
xF&D[X
:2DZtg
wD[&L9
[.S{ M
!^"~95%Y7
^9=RHH
~n4f|&
]]+2$I
lG2C7Ra(kB&W4
A'o?
:CGkHr
x=[!Yf
arm4P#RsG4
=%uedeq-
K4Sm1
<;hJPL]
5f+'rM&
FvE'{'
:2?ym/
fCPcal
uuE%K7
c;27'e
u)t Z5
!SZ0:n
+F_<s2|)
`~:EEB
V%Bbp,
M+5j3v7
$g#`.~/
F'!:gwc
CnsV24
fg>-F2%
Q!N)yq
j32lJa8)
8fD_,gS=
:$7[24ga
Y|tg;\
h}\K"_O
W'B0vk*
t6XE!a>Q
XAH#DtSnZk
klL+k@+R
^v23mA
?D_8Cz
hKI!G/
?@}*@A
VW, q1N
Vw&y\W
[bJknr
kg[C=Po
4idZ)t
It)j*a0
=<b]PuB
(-XQ.,
%BrVeg[`b5
?_l&:R
Cb=tvs
tcsm< y
B;+N9h
ilhiDZ
on%$85
v$-%7d
$(kL>*
K;*,V9
1aZ-+Ta
Z&E9CDGW.F
?yQNBUF
Xbx8Z2s]
n31@QH
PB0m!E
SU^#X=y
F/ srO
Yu gMUoo
pkBW$FtdB
6c2esa
mFD[.\d"
j->5uY
5YPO{C
Ox_[)v
>}q>vB
2+[69n
?h-L6b
wQ31zz
et][Ql$L
aN&ok2
%%3clN
bz->](&
'ON6a7
y{qQ2g
\U$wKk
vvk7E[e
12CJz~
f5 !mQ
uGVFFSm
j4uEP*
$[?Um\
X%o89@
olY'VI
>Spgnm]
u5Npdf
YsPC'Qx
RX> !0
`*f7 CJ
u)7_Kq
N/2>Bjf
`gn9k$f
8T'XE2
.M44pFQ
iu]zEE'%
|^4o>?h
O0fZ8"
u$J {ST
=XvYvXH~
W^9z?fPI
$UlBNM
MH>m1#T9'
udLukt
ZwshcI
_-eJRF+
1o)>PI
yQoa)7
T\[4 6
J jY(y3(k
-FWhn|
5b0td7
\?bGtcZ
-nd9'r?~
=1o^6W
7|^#PT
Q+5&dT
>GlM*4
` `QY<$
zJq;ExJ
r|c~n5
nU!!LA
<Y+I<ZS2
5!#6cD
.? Cxh@
61!_cgK
?+_lbK
3e>43"
uhr& ee
Ws~CF~6<
;% b@!.
7bIy#`
?Q`xx[
N &UV
7|*5Cw
H}(R$:
|Kv%/R
W wS~W<
M%)D*4J-
#q]uda
G;iXG+
2`IKVC
>JQ1$G`0sy
Amxw^}
"<V&$_
(9*F-/
%zMju 7]
wvaF.+[
Aemh~HA
Ay7G9<,
|Xa>2X
VaK$"/
8WFC()
.[EjH|.
P7FBs\
2S&\G}
;<&?[P
H"(-2c
kbT1[F
{$pA"+
MivUT;
Dl~>[]-
?Nn}nW
R:'jZ~
79=BjE)
,zgy~M.
7vMSOg@(
(~by,|
z1(MYB)
.2g+MI\
IR(OEV
;F-}_!
Z7K.\t
F`XAUJ
AWvkL3o
A:~j>0]
Cf[JnP%x
t!2`l5
-5!+GG
?] #V_
D8nY<?
@Jl:Y9
|_vVeR4G
_V[Q O
j#&`0|
R<2]*G
%b`J.Pl
G@cJ'#,
=Y9B,*
<opVsa
x0qcFt"
}ptB.t
AD#VLL}=@
5K`*RN
4 =X;Y?Q:=z
W[b,_g
}Bw3Z{
VH*Ne&
-46UG`3
s&>^Hk
}A80@P
eSkH mz;
-2]:Uq
`SjeTk
ez|DZ7B
]Q\KI&a
EGFb- V
/<@f4N
FyPja/q
=fCX:kw
mTsvuPx
A9Zecd^+
sM2_WL
}BkC~5^
Ya.zG){
1 ]H7!
rf]_x8
7wR(EN
4ShU!|`>
KU>X\%
O;^]z)
S|* XlL
1TDbRoM
LZ_T>oQh
:$?BXk
4/95#FZ
4M]~Hg
">J(K2J
vp MO)Sy
{>E570
:9<|n+
IOye&OI
O@SG"i:;gZb
5:$2cM
Y[9cil
w1:AZU[b
CWE9ko
-^w2y?
d l?(3
@_r`WJ
WUw-e<0)h
2W%>.H
f&}h7S
,`&_;Q=
fvm:o2
Z ejt;
K%Enx8
{D![s@
?oYK0_;
HxnqEk
AH%Mr\
vwzxU|
a:"FM0O6
|m-.b-
D_g89t
Jt(DxBRy
6jcOJ=
B_`!^RP
lbRra<
u@FetB
6ZCsm8
)85ACT
NP47I,
Ya,<V2X
cVieb2
3d-r?E
%}yiy#
=>*i1y
d.3S?=
z&A?vy.
gW#[U?
qt<55J.
vC\)~W t
|}qM5`O
).e_N.;
V.d2@I
*Xu;^L>}
pdm1O.
qxP+ f
O/7inr=b"
Nr7\#~B
)]=WI5
LD:HDkQ
,eR.Gb^
|&r@`1
kwwnvg
{D<!XH
^CnjN#
zB-U2uS
,F:75{
waW$Y)
')=hjA`
>|v>.{O
D$NX^XnrV
yQ?n{]A$2
mW4E\]
78c;<]z-
w3J'|v
J#2\dj
[*\BD8
-LFY%k/
"_ Zwq
GEd1Z'
=cc V2
x@BWKO0E
ld?n-l
9q8{L7:=
-#p=+e
3DroCO
3:T7Z
TRU[=n
amjky`;
g|3[YI
aT"<;U
mK~q'W9
S,QFY5
n{q}Ib
b;Ed N
q>&VVE
Qh-vqN
p]>J3ow
TM*`25
}HNx>c
X#_k{e
!'/IjQ:T
~h8Wj"-
u[W:-i
KHx|[{}
9?,#xC
$r2bj2
0h"b4v{=
XbWbUZ;!
_F8&xi^yv
wprW;N
qy5VLX28
F\ORn_
=Mr*,H
P#2778
uZJ8>yK
aQ8!pU
6c3d{V
6CD^MT
,yY\Qf$
PsoIC-f
,xp_l(
V>(#kI
=$@u{Wv
Ck]y7e
uf?C'.'
(J\vBD
LZV=A@%R
N_t?*&
8Mr>:A
2R{TWA
I&x')~
ddAl}Ui
SkSsY%
wlb.692
u)DlAI
dy!Nw&
c"=u29(I
n/B>(s
b\5 GC
O,iov@
Oi:EIET
@#]_aHG
t%=8cV
`\A0H4*
\PAku9~;
rN5ONy
#{^r&(
l/Ox,=
PZY->d
Y^~:#-
F*%!RL
f4BK>n
rUYl5w
7QY<J`
S`y]5,
G>OPW3
o-c=yWv{
Lr@5<;
-5=CeQw
r,y~<7;
z0*pSE
Fny~cp
nmTJpg
:3 v$t
'D)2tVx6
i}--=2G
ih G{71
%5T9Tb1cN
M~v.~s
.5'Ad>
jEN7#I)
bbU~xX-
ovqCM
W wf DV
ByA8eV
=.De(S
0DVaICL
jzQiLt
cvTzKzZ<
]\{\u;
&5PMf>\
eXxm1:
y=ppGS
F[G+mF
u!}b`I
Q:P ik
P?[6H|F
R\l6Z&j
R6Zn7S
A<eh\0
A)A,CW
gRA-aB
p`n<28
~-u5Lf
t5S$;~/
s~9:UIy
N#mQ>%Xk
F8xS0F
Jf}*ro
cM=(S=
}`%6?#_
Huno3$N
t{!987
K(Id&Kfi
C#PEam
.k5Td$
vb[;{n
Bn4L? M
6-%Ld
9en[S,x`
v~(h[y>i
g;^c00>
,rge "
6UxX)g
S$nHLp
TQv_H~
r[|VYS
!qW[CX
;zblo$yUhM
Ul%QFTHI
ck0g2@
k[f1dE9u
#Q4n kf
;'+U{W
[n`T4/
)vq%OJJ
<Ve4_e
E>AHv^Am
z<rZ.$
mI=ugx
KOqUQl
.Z({('op
-~Y(a#Q
ghwn@a
_SD] X}
c|*=U^d
1s.,*I
NUDId&
NO?iB0
ISo.$n*s
wM/!&8S?
{>`-:b&G
CQ$,`':
.h;zec=M
zDLf\3
md3P)sh
^1$u"
ubKIs|
`HqC>d
"v/VcF9
77XqA0r
auX~'u
MH41o3] zhp
*n4[:oV
LP#%+-
G8:#p5O
[L7li
`W3'Jm
@,086<
3<%q'M
rD;3'^
5:0<3<2
HRN/(jQ
.imc{A
UubP[Y
A}'<{S
1]9YS1_W
-yi12.
k 0o?'\H
T!I|c%
M4(^G.)`i
jjl[O5z
BaJ,nY
uG,?bo
oFCF;4
_Q[SJa=
*/`7bC
g_?f`8
CkgM5KER
=Yld=*
B0p9.L#
=##cY\A0u
:GcPM#t
"rja7{
D(I0xR
L4eHr{=
yjFU1kn
ta3mzA
n/wD+!
t<x[p=
kXG='H
`@5XWP
tHF~17
bh='2N
iTWm?r
<(Lv|(
TukO`$7
{hebUo
b TTp,
DVu1l#
):hXoz
8.L%nV
:RW:Z@
c'HeGL
(>)adO
DQq>+8O
lf/,T6
yIHf|I
O?q.NQ
oyNhNZ
[FQ{gv
Ue4*=`6
Q~sMKl
)@t86-G
fM?#`F
>C>1U (o
;yL}nx<
l&:t88
k^VlI[
_z$(qeR
j*D|b^
B"V~-(
p3r=xLL
[ ZhFZ
H@*i:3k
,Z~Iel
fp>+-8w
I<kQ0b[
}s0\?v
,e4Rv^q
*tcJ5/)g
sG{'LL
W5)ZM1
^`ZVsy
K;@'x> ^
pB&iC}h
Z,GO^$O2
QK,:(l
]tyVYL
5Ilf`~
;|I s*
j}~QG1
MytIDFem
N<+[Up[W
'MsO2L
TpnCN~
q{-0B6
8[0o?oq
z0g''U?,9
=;\_"#
&#z]9~3
D5Xr4[
I$?w,a
l8UZJ>
r,jL w
Qu$|nR
36#PC"
=%a9x4
9?nod%h
?5nQLAN\
PS`^!(
mWZzrK
d(,Fyz*
bL<V#=
`r:HdR
PoY>lG?:
5#*C$N
L[5#HB
#6yQ<D
?^i@:-
=e-t( ~j|
w^STF:z
_9-Xgd
/ecJYo'
DU1-Ehj
e0h+kp
RhRk<,KKp`zXU
"+1e{+
HBX|&Eq
O8?pc=
Lb$ >kz
$nbGpZ
}$iK<?
P%Y|C}.
80w p3
:dTjQdl0i6b
q,IGD6b
2p D3$
naIdR4
moSw>p
|vd5J5"
x@cKBJ
,3;9Qp
q3>Q!?
fdf])?
Y~^[Z4
(XfZ3yc
yJRJ"8>/q
$WnlaJ
s,pnfJ
k`+LAr
QAp7}?
_IuL+:
R1#96g
QfPr#[Fo
N\:!~*@Q
1GKE'y-
9H2DQC
U$wuzXL6
S|jxKx
c@YSZk
x>fDyz},
x6_KYdo
vU9aw^
*&\iOB1
.wE6:*
\Q?/\%c
0AV\`:
S:fH$[%M
rMkY*/
oto}j!
pq3~heg
e11Q?9
"f.`eJ
[Fh^(:
3d~.86
'oxw1>
Uibgh:
/y +C_N
wS^|A*
} .D&T
G}Mv!T)
9sFub>
:Q2QU\1
BSr-w-d
_&26^w
m'u$Bl
eerd1N
n GZ!
I[DK";
/ [.!Cu
>r},R,>F|
:ul0o7
6D5)j~
r"0M-c
;x]s"u
iiOU(=f
iXBZR]H
`kYgOeV
B?: .PYc
MyjsVc
V::0U5w\
dNECiu\,
1ot!LD
TQ_h/uG!
OiMUzS-pC
6i3LyG
7N:`Pm
{\H`@%
~1Pq#T
BtGQI)
uJ2p&"
'b#PVg
D#@)62
4$D_{8
`\8`As
$S='=v
mEs]y*
}i@Wp#
$&u1sob
|&|"dZ
iQU,fn
@2d~mk
i "RI6s=
\jwRid
P(KlhE
wH#U@`
AX#k9<$@
'd&Q?3
Qub21s
tw<ah`4o7
KIGDFal
{{&jYEb|
>T]7#S
>k[B0P
*:3=Q]~u
Gq^h:IpJ
jQ%!t[\
Lb<R;+
:n -(%.
f!'!<V 1<
gO7L:w
O^7==h
[:<8r8
of sH&;
KkU#g0;
o32<?"U
2xaR;n
*=^|[B
QK7V#v
`RJ"\o?
@5t{)q
k?BV7L
lY0ow2WP
9:h#&#
K$+Wc'>y
[lQ?5sW
f9t+kG
BcOwP6)
_FCWIw
>mouR3e
l~[7G[
_Ac5hh
$/}(Jq
D6^ZUKN
8/r-Vnq
DcXUzG
pd+1:]
I Fm1Lm
QH*)z'
$BuE(>
Af=bTs
S1q|u%
S1On>|b6
KurR)3
*^}9XK
# p)KI
nbl]Y.
% Bhz~~*
7}}.0.
W mIhp
f>io5w
9d{tz5
Crv0U5Y
)<sc<(
g`AAF!
A)YAU[
CmGCU,
X,mym}I
Uc\;wm
K^vRU|
vcxo&`
Lw] `8
BfZslu
qnUPb6
JJ&q`O
%EUrIy}0
P6=@b(
zwA$#D
J;tTw
4JRD3-b
daIv{X
nT^[!1
<>N yD[
(aB\Ti{
}z2#_&_akh
>4</Ta
k~(),~
}[:SjY
VVB"Vux
`hV_}f
WEc[88
,8,3ZWp
i& U8n
cdkBxg
63sTTt
)dsYA}
J}@8Ne
xSpdyrS
1lLg6I
2^m`c
TN$/=s
Zn!%3`d:
$*=gC|
j/:n x
Kpa?z.Am
lZ4JV+4
n{a-tG
Bm/!Uo
1C7(7c
[e7rS*c
\iUM:h6
;5LIx(
5Ku1kP
[VJ!>ohh
VlmX2}/
>aR/C+
S6"_*}
qxaCfKNG
saED3
`Z;e{^!2
T-qgDO
N -'%!
+tfE'fG
LmDseQ
tqbVNY
04mCVk
WV)Z=}
I"~*a,7Y
[}Xlcdy
Qh!Oo[
b_bq$z-|
d4fY58
VFv{j(
U'2\sC
UG|?:Nx[
A Lp2G
Yy.%s&O
T'#9|q$
H([%97
G2duH
^I~DyTib
4%i8I%
5~j hE~V@
g_73^X
YRM4\(.R
Z'Wq$Y
^spmEm
VxO"m0
&C%mxu
BWx{l$6
s0+Tsx
3K<%Gp
enaK4V
4A]c&V
1Z 8oB
3|Dh@
\O%f}S
"6:^;U==5$E9
#&~E{W
Ev"4YxKl
1LB%n'
7-`NKg`
!7+FVEH}J
R<dHiA
]kWp9q
|@PL#B
tnFIKb
Sj[}%qU
Z\$ugF
uhDN^#
*aQn&'1
gmzNvV.
mYow$&O
%QgIp<
*Q1G^=
j_<+eE
6*)m?O
.f%d(y
";/vTgK
Gbpaq?c
vl<:b]
]^A2N3
pz+Il;*
.8gaMz
kz+Je8m
C`>f/I7
>$U`\t29,
4+Ckny
9ZKg+g
]*#&[%
ib;JO9
o1Nfdha
={d1Z]
\5 7vPPN
:jgORM
2.%_SbO!
'dX'[[W
3jE|GRJ
eON?)$
iJtVYq
J0l<=g
f9I^BG
|NXze_
XlnL`n5
V9&J0lG[
It8<^l
KQv}Vm3
P\_\kL
)t]a2^_
-%ol;8
0B$as^h
jI`N-w
yXq %e5
XX`'8R
n:#B4a)
$Nj{Av
$@l&kZ
O={|g`
GuC m!
Bzb"HfMMS
d%NBT9>wc
CVFjYGL
Fjks?H
vAii#T)
Ngho@_Z
3FLB4r?|vbOp
ggg.P#@
? ]vf2
:\Tx_]
}0\!Bz"0
t~c=g{
r2PZg
0YMYq!<
H>mQlg
`{Ti-+
1fb$'da G
`;jGkG?k
)dN46a
[4*[!T
{\3Fok
% O\BA
HT|.6?O
k'p;:Zs
,ub4z_
tr9oj
jr%D+m
[7F vr2
WC)uo)
<,&f p
S<zk6I
uc7GiA3f
X: ])M5
*A&WF>X
`0iWcKL`y
QaP6,I
q,<]T@
e)~zVB
6:FG?H
mJL[lr
:if6Wtx
@MH3N
!2BOGw
%6UYl'
g:6YIS
Wcb"eCaEmp
=F+-sX
mNjag.
M27JUF6<
CR$?nfT1
Xx Q{F
?&\mV:
K^@EQy;
k>sxB#
DR$iyn
3Z,`tc
g>yFd
KQcDLT
HCgH_]
{\13#x
*Gy`8d
7j/n U
%Popl'
DKlsJ5
{;F:]
,!0ur[via}
}1QZW{EN8
AvXg$nq-
"FI.:>
Y\RPZt
\M2PT,Iwwem
Bmd^Aig
KP-qW!
is4=dRE
;*zeO'!
WKdti>
JP/(X /
j>.!48
~WDbau
gOkr^&6
7Q%t1z
<b"Oz^
P@HEdP#
,! F0_.
TV a_:
T 8/OUZ
"*&^2W
46EtH@
-5~QAv8
Y1/_RzX9
bno8&N
2BB41
e)8}aHJ/
)4'L'u
8Zw|qQ{
Y\Tr7x
?YAe%X<MM?S
&<ZE1w
|KTJOm
]D[yP1
i+1WQod`
9z0y\a
h5KLI{
+T93h3g
(N\yt`:
Ha{,qvr
x8eZ_)_
?i$4m;
e9}KYu
zr]{1c
Oj!KY>
u (<ET!(
T#HY-)
TtToWw
d:"uT}
9d'8tI
/9^U_e
M?L""$
\dsu- #
pIC$9-
$MJ=j$.
)PZg&}
A2M,j
B8netl
wfTvju
( ;ZmX
iG&D1pj
;/dc(D
|U^XlmDs
[F7O/-
t3VQ'GF
PLts{D2cY
6l}/c?^
a)M%/=
JdZ^\MY
19\:CcM
]!scAhUU5
^5x27iJ
-\S~'-
`JPK@u
l`K0tGb
lA)L0#
KgyR7w
g4h pR
nETMZU
]N+dy_
E.-Ls6I
ek\hER"
3/~DBe
ZPe>g.
A]w{uw
h|:fe6
qv~Z"*/Eg
F'h0 (
Pgf9k*
m`ovv7
u6eP+
`uXlgg
BMm#Jn
?[nuI?cB
fUD(!z
<^:}=#
]R&6s.
~'}#yqe
_@K P^
0ksr[Z
+}K^D!
Qs=6tr
exx+<e-
_AdimB
},0n"#
2\`Xe`"_
%H:Myp=
S6 H\VY
\L)-M@
:=,xOU
5-z}12
Rm]j{+S
)[7&oP!
0V VnnI
ij6Ar<
{&F+VIb
@e-@qA
(F<*P
sS3CWL
L~( |O
|TfNs&
!}) W#
cwGrn
h&kh~m
)'MK9vE
b5 $;9O
E8aVE&
y5155AM/
_5=5xz
*gH6tRf
GG/o43F
|W='oS
Ym5P1HJ
Q}Ri,V
ex&W6z
CE"Ii>O
KudHIb
6QAvvI
.j#ZrH
X9YdE x
GF)9(@
.%2d<,
Sz],N0u)
l]uzaO*z
5LZV=f
F",'$"
kb6|gt
MRswX3
iJm@7@VQ
aQjil'
o SBn{
VBp!`R
t[KWARa
>YOJ
;*F)6m
VZ`-gr
1)imvK
](x#j8{]k
D lv8?
U@ZXQy
F_# t]u&
L t@,>
olj[`h
A5M^^x
~hH*aC
2F3ihd
rZFv!8
^0Wb{<
&(z4CG
<_7Q?E e
$_*cS)3
f+u, ^O5
'K(&?iFc)
Za\>,p
7\%LxgU
@\x!cBB
P?W*2c
9WtONI
&HK|%|^
|5o~#`
gNU bX
dyG.8Ix
[g DDp
nQsyX3
wJKvv_i}
@EDl"|x
hifOVK>
tn:H2"Z.3
|d2C(J
/,zI"A
^,R'\A
,Ld<hW
L5B@_+
R$ZxER
v]eUf@
h~>n6N
MfeaM^
>sU&{
~VaXE"
9kT}Me
SQ^*5ItA
*slci~
+:Za.,
jMtVENC
}^L\<6
@q 3oN
GgHgel}
K4dR_6
7Vf]h(
4Y:Rd^
-,[DI1
P5^d 93
f]2&OC
58x]3C"v/~_zD
~y7X:g
fVN\ao[
;$F[bY
d`'Yh`
EYy)^,
yMu`CXN
PVI9hvj
Gu'P%Azo
t,>0[$
rwOJes
|mpL%J
d s/0x_8
bp$K+M
/ )bq
g3[s;4E
2C4]uV
BzZh{s
BRz1KP
}`}\6I
bY`t6*E<
L#L1I}
""(wwww
*"'wwww
wwwwww
wwwwwww
wwwwwwww
wwwwwwwwx
wwwwwwwx
107.0.5304.107
<?xml version="1.0" encoding="UTF-8"?>
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
<trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges><requestedExecutionLevel level="asInvoker" uiAccess="false"/></requestedPrivileges></security></trustInfo><dependency><dependentAssembly><assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="*" publicKeyToken="6595b64144ccf1df" language="*"/></dependentAssembly></dependency><compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1"><application><supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/><supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/><supportedOS Id="{4a2f28e3-53b9-4441-ba9c-d69d4a4a6e38}"/><supportedOS Id="{1f676c76-80e1-4239-95bb-83d0f6d0da78}"/><supportedOS Id="{8e0f7a12-bfb3-4fe8-b9a5-48fd50a15a9a}"/><maxversiontested Id="10.0.18362.0"/></application></compatibility></assembly>
PAPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADD
DigiCert Inc1
www.digicert.com1!0
DigiCert Trusted Root G40
210429000000Z
360428235959Z0i1
DigiCert, Inc.1A0?
8DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA10
[K]taM?
SA|X=G
http://ocsp.digicert.com0A
5http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
2http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
jj@0HK4
DigiCert, Inc.1A0?
8DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA10
210702000000Z
240710235959Z0d1
California1
Mountain View1
Google LLC1
Google LLC0
Mhttp://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Mhttp://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0>
http://www.digicert.com/CPS0
http://ocsp.digicert.com0\
Phttp://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
ZNH[@?
&-)EyC
Unknown issuer0
130101100000Z
130401100000Z0
Dummy certificate0
Gact2.0Omaha
DigiCert, Inc.1A0?
8DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1
#O-nr7
o8Bn<v"]
20221124042244Z
DigiCert, Inc.1;09
2DigiCert Trusted G4 RSA4096 SHA256 TimeStamping CA0
220921000000Z
331121235959Z0F1
DigiCert1$0"
DigiCert Timestamp 2022 - 20
Ihttp://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
http://ocsp.digicert.com0X
Lhttp://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
(f*^[0
DigiCert Inc1
www.digicert.com1!0
DigiCert Trusted Root G40
220323000000Z
370322235959Z0c1
DigiCert, Inc.1;09
2DigiCert Trusted G4 RSA4096 SHA256 TimeStamping CA0
http://ocsp.digicert.com0A
5http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
2http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
DigiCert Inc1
www.digicert.com1$0"
DigiCert Assured ID Root CA0
220801000000Z
311109235959Z0b1
DigiCert Inc1
www.digicert.com1!0
DigiCert Trusted Root G40
]J<0"0i3
v=Y]Bv
http://ocsp.digicert.com0C
7http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
4http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
~qj#k"
DigiCert, Inc.1;09
2DigiCert Trusted G4 RSA4096 SHA256 TimeStamping CA
221124042244Z0+
/1(0&0$0"
Qkw6 K
KERNEL32.DLL
{8A69D345-D564-463c-AFF1-A69D9E530F96}
{8237E44A-0054-442C-B6B6-EA0509993955}
{401C381F-E0DE-4B85-8BD8-3F3F14FBDA57}
{4ea16ac7-fd5a-47c3-875b-dbf4a2008c20}
--system-level
--chrome-beta
--chrome-dev
--chrome-sxs
--cleanup
--chrome-frame
GoogleUpdateIsMachine
%WINDIR%\system32\cabinet.dll
%SYSTEMROOT%\system32\cabinet.dll
C:\Windows\system32\cabinet.dll
D:PAI(A;;FA;;;BA)(A;OIIOCI;GA;;;BA)(A;;FA;;;SY)(A;OIIOCI;GA;;;SY)(A;OIIOCI;GA;;;CO)(A;;FA;;;
setup.exe
chrome
install-archive
update-setup-exe
new-setup-exe
previous-version
ChromeInstallerCleanup
InstallerError
InstallerExtraCode1
InstallerResult
UninstallString
Software\Google\Update\ClientState\
Software\Google
0123456789ABCDEF
CHROME_PATCH.PACKED.7Z
SETUP_PATCH.PACKED.7Z
3chrome_patch.chrome_diff
#setup_patch.diff
VS_VERSION_INFO
StringFileInfo
040904b0
CompanyName
Google LLC
FileDescription
Google Chrome Installer
FileVersion
107.0.5304.108
InternalName
mini_installer
LegalCopyright
Copyright 2022 Google LLC. All rights reserved.
ProductName
Google Chrome Installer
ProductVersion
107.0.5304.108
CompanyShortName
Google
ProductShortName
Chrome Installer
LastChange
294f9da25eeda7ddca937d7c70b92d53a71745dc-refs/branch-heads/5304@{#1197}
Official Build
VarFileInfo
Translation
Dropped Files
Network Analysis
Hosts Involved
| IP Address |
|---|
| 23.54.60.151 |
| 70.186.27.9 |
| 8.8.8.8 |
DNS Requests
| Domain | IP Address |
|---|---|
| armmf.adobe.com | 23.1.100.158 |
| dns.msftncsi.com | 131.107.255.255 |
| teredo.ipv6.microsoft.com | 54.241.176.34 |
| ipv6.msftncsi.com |
HTTP Requests
| URL | Data |
|---|---|
| http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/3679CA35668772304D30A5FB873B0FA77BB70D54.crt?911320f9b04be75f | GET /msdownload/update/v3/static/trustedr/en/3679CA35668772304D30A5FB873B0FA77BB70D54.crt?911320f9b04be75f HTTP/1.1 Connection: Keep-Alive Accept: */* User-Agent: Microsoft-CryptoAPI/6.1 Host: ctldl.windowsupdate.com |
Behavior Summary
File-Written
- C:\Users\Harry Dresden\AppData\Local\Temp\CR_983DA.tmp\CHROME_PATCH.PACKED.7Z
- C:\Users\Harry Dresden\AppData\Local\Temp\CR_983DA.tmp\SETUP_PATCH.PACKED.7Z
File-Opened
- C:\Users\Harry Dresden\AppData\Local\Temp\CR_983DA.tmp\CHROME_PATCH.PACKED.7Z
- C:\Users\Harry Dresden\AppData\Local\Temp\CR_983DA.tmp\
- C:\
- C:\Users\Harry Dresden\AppData\Local\Temp\CR_983DA.tmp\SETUP_PATCH.PACKED.7Z
Directory-Created
- C:\Users\Harry Dresden\AppData\Local\Temp\CR_983DA.tmp
Registry Key-Opened
- HKEY_CURRENT_USER\Software\Google\Update\ClientState\{8A69D345-D564-463c-AFF1-A69D9E530F96}
- HKEY_CURRENT_USER\Software\Google
Registry Key-Read
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\MaxRpcSize
- HKEY_LOCAL_MACHINE\SYSTEM\Setup\SystemSetupInProgress
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\CEIPSampledIn
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\CEIPEnable
- HKEY_LOCAL_MACHINE\SYSTEM\Setup\OOBEInProgress
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\ComputerName\ActiveComputerName\ComputerName
Processes
registry filesystem process services network synchronization