Analysis

Category: FILE
Package: exe
Started: 2025-06-12 19:00:15
Completed: 2025-06-12 19:31:13
Duration: 1858 seconds
Options: procmemdump=1, import_reconstruction=1, unpacker=2, norefer=1, no-iat=1 (norefer is not a key the monitor knows; the log below reports it as unrecognised)

Analysis Log
2024-11-25 13:37:15,303 [root] INFO: Date set to: 20250611T19:36:26, timeout set to: 1800
2025-06-11 20:36:26,104 [root] DEBUG: Starting analyzer from: C:\tmpjeo7jmad
2025-06-11 20:36:26,119 [root] DEBUG: Storing results at: C:\mZmWgxH
2025-06-11 20:36:26,119 [root] DEBUG: Pipe server name: \\.\PIPE\gxpNJC
2025-06-11 20:36:26,119 [root] DEBUG: Python path: C:\Users\Packager\AppData\Local\Programs\Python\Python310-32
2025-06-11 20:36:26,119 [root] INFO: analysis running as an admin
2025-06-11 20:36:26,119 [root] INFO: analysis package specified: "exe"
2025-06-11 20:36:26,119 [root] DEBUG: importing analysis package module: "modules.packages.exe"...
2025-06-11 20:36:27,119 [root] DEBUG: imported analysis package "exe"
2025-06-11 20:36:27,119 [root] DEBUG: initializing analysis package "exe"...
2025-06-11 20:36:27,119 [lib.common.common] INFO: wrapping
2025-06-11 20:36:27,119 [lib.core.compound] INFO: C:\Users\Packager\AppData\Local\Temp already exists, skipping creation
2025-06-11 20:36:27,119 [root] DEBUG: New location of moved file: C:\Users\Packager\AppData\Local\Temp\ChromeCacheView.exe
2025-06-11 20:36:27,119 [root] INFO: Analyzer: Package modules.packages.exe does not specify a DLL option
2025-06-11 20:36:27,119 [root] INFO: Analyzer: Package modules.packages.exe does not specify a DLL_64 option
2025-06-11 20:36:27,119 [root] INFO: Analyzer: Package modules.packages.exe does not specify a loader option
2025-06-11 20:36:27,119 [root] INFO: Analyzer: Package modules.packages.exe does not specify a loader_64 option
2025-06-11 20:36:27,307 [root] DEBUG: Imported auxiliary module "modules.auxiliary.browser"
2025-06-11 20:36:27,338 [root] DEBUG: Imported auxiliary module "modules.auxiliary.digisig"
2025-06-11 20:36:27,432 [root] DEBUG: Imported auxiliary module "modules.auxiliary.disguise"
2025-06-11 20:36:27,447 [root] DEBUG: Imported auxiliary module "modules.auxiliary.human"
2025-06-11 20:36:27,463 [lib.api.screenshot] DEBUG: Importing 'PIL.ImageChops'
2025-06-11 20:36:27,463 [lib.api.screenshot] ERROR: No module named 'PIL'
2025-06-11 20:36:27,463 [root] DEBUG: Imported auxiliary module "modules.auxiliary.screenshots"
2025-06-11 20:36:27,463 [root] DEBUG: Imported auxiliary module "modules.auxiliary.tlsdump"
2025-06-11 20:36:27,463 [root] DEBUG: Initialized auxiliary module "Browser"
2025-06-11 20:36:27,463 [root] DEBUG: attempting to configure 'Browser' from data
2025-06-11 20:36:27,463 [root] DEBUG: module Browser does not support data configuration, ignoring
2025-06-11 20:36:27,463 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.browser"...
2025-06-11 20:36:27,463 [root] DEBUG: Started auxiliary module modules.auxiliary.browser
2025-06-11 20:36:27,463 [root] DEBUG: Initialized auxiliary module "DigiSig"
2025-06-11 20:36:27,463 [root] DEBUG: attempting to configure 'DigiSig' from data
2025-06-11 20:36:27,463 [root] DEBUG: module DigiSig does not support data configuration, ignoring
2025-06-11 20:36:27,463 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.digisig"...
2025-06-11 20:36:27,463 [modules.auxiliary.digisig] DEBUG: Checking for a digital signature
2025-06-11 20:36:38,869 [modules.auxiliary.digisig] DEBUG: File has a valid signature
2025-06-11 20:36:38,869 [modules.auxiliary.digisig] INFO: Uploading signature results to aux/DigiSig.json
2025-06-11 20:36:38,869 [root] DEBUG: Started auxiliary module modules.auxiliary.digisig
2025-06-11 20:36:38,869 [root] DEBUG: Initialized auxiliary module "Disguise"
2025-06-11 20:36:38,869 [root] DEBUG: attempting to configure 'Disguise' from data
2025-06-11 20:36:38,869 [root] DEBUG: module Disguise does not support data configuration, ignoring
2025-06-11 20:36:38,869 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.disguise"...
2025-06-11 20:36:38,869 [modules.auxiliary.disguise] INFO: Disguising GUID to 5cb1f9c1-8350-4f7b-8488-0b9f5262cdbf
2025-06-11 20:36:38,869 [root] DEBUG: Started auxiliary module modules.auxiliary.disguise
2025-06-11 20:36:38,869 [root] DEBUG: Initialized auxiliary module "Human"
2025-06-11 20:36:38,869 [root] DEBUG: attempting to configure 'Human' from data
2025-06-11 20:36:38,869 [root] DEBUG: module Human does not support data configuration, ignoring
2025-06-11 20:36:38,869 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.human"...
2025-06-11 20:36:38,869 [root] DEBUG: Started auxiliary module modules.auxiliary.human
2025-06-11 20:36:38,869 [root] DEBUG: Initialized auxiliary module "Screenshots"
2025-06-11 20:36:38,869 [root] DEBUG: attempting to configure 'Screenshots' from data
2025-06-11 20:36:38,869 [root] DEBUG: module Screenshots does not support data configuration, ignoring
2025-06-11 20:36:38,869 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.screenshots"...
2025-06-11 20:36:38,885 [modules.auxiliary.screenshots] WARNING: Python Image Library is not installed, screenshots are disabled
2025-06-11 20:36:38,885 [root] DEBUG: Started auxiliary module modules.auxiliary.screenshots
2025-06-11 20:36:38,885 [root] DEBUG: Initialized auxiliary module "TLSDumpMasterSecrets"
2025-06-11 20:36:38,885 [root] DEBUG: attempting to configure 'TLSDumpMasterSecrets' from data
2025-06-11 20:36:38,885 [root] DEBUG: module TLSDumpMasterSecrets does not support data configuration, ignoring
2025-06-11 20:36:38,885 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.tlsdump"...
2025-06-11 20:36:38,885 [modules.auxiliary.tlsdump] INFO: lsass.exe found, pid 696
2025-06-11 20:36:38,916 [lib.api.process] INFO: Monitor config for <Process 696 lsass.exe>: C:\tmpjeo7jmad\dll\696.ini
2025-06-11 20:36:38,916 [lib.api.process] INFO: Option 'procmemdump' with value '1' sent to monitor
2025-06-11 20:36:38,916 [lib.api.process] INFO: Option 'import_reconstruction' with value '1' sent to monitor
2025-06-11 20:36:38,916 [lib.api.process] INFO: Option 'unpacker' with value '2' sent to monitor
2025-06-11 20:36:38,916 [lib.api.process] INFO: Option 'norefer' with value '1' sent to monitor
2025-06-11 20:36:38,916 [lib.api.process] INFO: Option 'no-iat' with value '1' sent to monitor
2025-06-11 20:36:38,916 [lib.api.process] INFO: Option 'tlsdump' with value '1' sent to monitor
2025-06-11 20:36:38,916 [lib.api.process] INFO: 64-bit DLL to inject is C:\tmpjeo7jmad\dll\yLKHDT.dll, loader C:\tmpjeo7jmad\bin\wBsGnKoA.exe
2025-06-11 20:36:38,979 [root] DEBUG: Loader: IAT patching disabled.
2025-06-11 20:36:38,979 [root] DEBUG: Loader: Injecting process 696 with C:\tmpjeo7jmad\dll\yLKHDT.dll.
2025-06-11 20:36:39,010 [root] DEBUG: 696: Python path set to 'C:\Users\Packager\AppData\Local\Programs\Python\Python310-32'.
2025-06-11 20:36:39,010 [root] INFO: Disabling sleep skipping.
2025-06-11 20:36:39,010 [root] DEBUG: 696: Full process memory dumps enabled.
2025-06-11 20:36:39,010 [root] DEBUG: 696: Import reconstruction of process dumps enabled.
2025-06-11 20:36:39,010 [root] DEBUG: 696: Active unpacking of payloads enabled
2025-06-11 20:36:39,010 [root] DEBUG: 696: CAPE debug - unrecognised key norefer.
2025-06-11 20:36:39,010 [root] DEBUG: 696: TLS secret dump mode enabled.
2025-06-11 20:36:39,026 [root] DEBUG: 696: InternalYaraScan: Scanning 0x00007FF84A790000, size 0x1f4542
2025-06-11 20:36:39,026 [root] DEBUG: 696: InternalYaraScan hit: RtlInsertInvertedFunctionTable
2025-06-11 20:36:39,026 [root] DEBUG: 696: RtlInsertInvertedFunctionTable 0x00007FF84A7A090E, LdrpInvertedFunctionTableSRWLock 0x00007FF84A8FB4F0
2025-06-11 20:36:39,041 [root] DEBUG: 696: Monitor initialised: 64-bit capemon loaded in process 696 at 0x00007FF822C30000, thread 2940, image base 0x00007FF60D500000, stack from 0x0000008EFACF4000-0x0000008EFAD00000
2025-06-11 20:36:39,041 [root] DEBUG: 696: Commandline: C:\Windows\system32\lsass.exe
2025-06-11 20:36:39,041 [root] DEBUG: 696: Hooked 5 out of 5 functions
2025-06-11 20:36:39,041 [root] DEBUG: InjectDllViaThread: Successfully injected Dll into process via RtlCreateUserThread.
2025-06-11 20:36:39,041 [root] DEBUG: Successfully injected DLL C:\tmpjeo7jmad\dll\yLKHDT.dll.
2025-06-11 20:36:39,056 [lib.api.process] INFO: Injected into 64-bit <Process 696 lsass.exe>
2025-06-11 20:36:39,0 <truncated>
Machine

Name: win10-2
Label: win10-2
Manager: KVM
Started On: 2025-06-12 19:00:15
Shutdown On: 2025-06-12 19:30:53
Route: none

File Details

File Name: ChromeCacheView.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
File Size: 258936 bytes
MD5: 97b311d4999f52d9c35d23779d7156f0
SHA1: b42a56e0df01aba3b3f5c057a63331851d602dda
SHA256: 595d7da260383f8daf1b1f5e827def644c524aaa3efb4869123b3d50fea485be
SHA3-384: 20e6b6edaa5ec6b7f123f4e14b60547e6472022491ace08d6720f1ba4002fd373b44f60f2cb2dd1f83a85a8dc9f42017
CRC32: C6D73505
TLSH: T19D4412A5FB746A90D1D084345D87C872EE92FD32E19849968EC0F96F3D37781AE8601F
Ssdeep: 6144:lZ2e9zndaGpdJHTiJT2Xjix0mqF3JGj9jipnDiQZOpB:C8AGpdJAT8j00mqFZMjipVZOb
Strings

Printable strings of interest. The bulk of the extracted strings is binary noise from the compressed UPX1 section and is omitted; trailing DER length bytes have been trimmed from the certificate fields.

Headers, packer stub and import table
!This program cannot be run in DOS mode.
.rsrc
LoadLibraryA
GetProcAddress
VirtualProtect
ExitProcess
KERNEL32.DLL
ADVAPI32.dll
comdlg32.dll
COMCTL32.dll
GDI32.dll
ole32.dll
SHELL32.dll
USER32.dll
RegCloseKey
FindTextW
PatBlt
CoInitialize
SHGetMalloc
GetDC
bad allocation

Version resource
VS_VERSION_INFO
StringFileInfo
040904b0
VarFileInfo
Translation
CompanyName
FileDescription
FileVersion
InternalName
LegalCopyright
OriginalFilename
ProductName
ProductVersion
NirSoft
ChromeCacheView
ChromeCacheView.exe
Copyright
2008 - 2022 Nir Sofer

Manifest
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
<dependency>
<dependentAssembly>
<assemblyIdentity type="Win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="X86" publicKeyToken="6595b64144ccf1df" language="*"></assemblyIdentity>
</dependentAssembly>
</dependency>
</assembly>

Authenticode signature (overlay)
Nir Sofer
support@nirsoft.net
Dakar 21, Unit 821
Sectigo RSA Code Signing CA
Sectigo RSA Time Stamping CA
Sectigo RSA Time Stamping Signer #2
Sectigo Limited
Salford
Greater Manchester
USERTrust RSA Certification Authority
The USERTRUST Network
Jersey City
New Jersey
http://crl.sectigo.com/SectigoRSACodeSigningCA.crl
http://crt.sectigo.com/SectigoRSACodeSigningCA.crt
http://crl.sectigo.com/SectigoRSATimeStampingCA.crl
http://crt.sectigo.com/SectigoRSATimeStampingCA.crt
http://crl.usertrust.com/USERTrustRSACertificationAuthority.crl
http://crt.usertrust.com/USERTrustRSAAddTrustCA.crt
http://ocsp.sectigo.com
http://ocsp.usertrust.com
https://sectigo.com/CPS
ASN.1 time values from the certificate chain and timestamp token: 181102000000Z, 190502000000Z, 190909000000Z, 201023000000Z, 220112165704Z, 230909235959Z, 301231235959Z, 320122235959Z, 380118235959Z, 20220112165704Z (the last one, 2022-01-12 16:57:04 UTC, is two minutes after the PE compile time reported below, consistent with a build-then-sign workflow)

PE Information

Image Base: 0x00400000
Entry Point: 0x0008aa60 (inside UPX1, i.e. the decompression stub, not the original program entry)
Reported Checksum: 0x00048c63
Actual Checksum: 0x00048c63
Minimum OS Version: 4.0
Compile Time: 2022-01-12 16:55:07
Import Hash: e25aab61b610a6308aa82a7d334d06ec
Icon Exact Hash: 3e759f70667a63504b04cde2158970b8
Icon Similarity Hash: c785e1ab1a27164bea8371d63949c9ee
Icon DHash: 79f0e8e0e0f2f333

Version Infos

CompanyName NirSoft
FileDescription ChromeCacheView
FileVersion 2.31
InternalName ChromeCacheView
LegalCopyright Copyright © 2008 - 2022 Nir Sofer
OriginalFilename ChromeCacheView.exe
ProductName ChromeCacheView
ProductVersion 2.31
Translation 0x0409 0x04b0

Sections

Name RAW Address Virtual Address Virtual Size Size of Raw Data Characteristics Entropy
UPX0 0x00000400 0x00001000 0x0004f000 0x00000000 IMAGE_SCN_CNT_UNINITIALIZED_DATA|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 0.00
UPX1 0x00000400 0x00050000 0x0003b000 0x0003ae00 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 7.94
.rsrc 0x0003b200 0x0008b000 0x00002000 0x00002000 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 4.32

Overlay

Offset 0x0003d200
Size 0x00002178
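The section table and overlay above are exactly what a static packer check keys on: UPX0 has no bytes on disk but is mapped executable and writable, UPX1 is an executable section at entropy 7.94, and everything past the last section (0x3b200 + 0x2000 = 0x3d200) is the overlay where the Authenticode certificate table sits. The following Python is an added example, not CAPE's or NirSoft's code: it parses the section headers directly, computes per-section entropy, applies the same heuristics as the report's two packing signatures, and checks that the Security data directory points at a WIN_CERTIFICATE in the overlay. Because the real binary is not on this page, it runs on a constructed sample PE (build_sample_pe) that mimics this file's layout at reduced size; the sample's PKCS#7 blob is a placeholder, and all names in the script are the example's own.

```python
"""PE section/overlay triage: entropy, packer heuristics, Authenticode overlay.
Added example (not CAPE or NirSoft code). build_sample_pe() is a CONSTRUCTED
stand-in mirroring the report's UPX0 / UPX1 / .rsrc + PKCS#7 layout at reduced size."""
import math, random, struct
from collections import Counter

IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_WRITE = 0x20000000, 0x80000000
IMAGE_DIRECTORY_ENTRY_SECURITY = 4       # holds a raw file offset, not an RVA
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002
PACKER_SECTION_NAMES = {"UPX0", "UPX1", "UPX2", ".aspack", ".petite", "MPRESS1", "MPRESS2", ".vmp0", ".vmp1"}

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for constant data, near 8.0 for compressed or encrypted data."""
    n = len(data)
    return 0.0 if n == 0 else -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def parse_pe(pe: bytes):
    """Return (sections, (security_dir_offset, security_dir_size)) read from the headers."""
    e_lfanew, = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    nsec, = struct.unpack_from("<H", pe, e_lfanew + 6)
    opt_size, = struct.unpack_from("<H", pe, e_lfanew + 20)
    opt = e_lfanew + 24
    magic, = struct.unpack_from("<H", pe, opt)
    nrva_off = opt + (92 if magic == 0x10B else 108)          # PE32 vs PE32+
    nrva, = struct.unpack_from("<I", pe, nrva_off)
    sec_dir = (0, 0)
    if nrva > IMAGE_DIRECTORY_ENTRY_SECURITY:
        sec_dir = struct.unpack_from("<II", pe, nrva_off + 4 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY)
    sections = []
    for i in range(nsec):                                      # IMAGE_SECTION_HEADER is 40 bytes
        off = opt + opt_size + 40 * i
        name = pe[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, va, rsize, raw, _, _, _, _, chars = struct.unpack_from("<IIIIIIHHI", pe, off + 8)
        sections.append({"name": name, "virtual_address": va, "virtual_size": vsize,
                         "raw_address": raw, "raw_size": rsize, "characteristics": chars,
                         "entropy": round(shannon_entropy(pe[raw:raw + rsize]), 2)})
    return sections, tuple(sec_dir)

def packer_indicators(sections):
    """The heuristics behind the report's 'indicative of packing' signatures."""
    out = []
    for s in sections:
        c, name = s["characteristics"], s["name"]
        if name in PACKER_SECTION_NAMES:
            out.append(f"{name}: known packer section name")
        if s["raw_size"] == 0 and s["virtual_size"] > 0 and c & IMAGE_SCN_MEM_EXECUTE:
            out.append(f"{name}: no data on disk but executable in memory (unpack target)")
        if s["entropy"] > 7.0 and c & IMAGE_SCN_MEM_EXECUTE:
            out.append(f"{name}: high-entropy executable section ({s['entropy']})")
        if c & IMAGE_SCN_MEM_EXECUTE and c & IMAGE_SCN_MEM_WRITE:
            out.append(f"{name}: writable and executable")
    return out

def overlay(pe: bytes, sections):
    """(offset, size) of data after the last section; an Authenticode signature lives here."""
    end = max((s["raw_address"] + s["raw_size"] for s in sections), default=0)
    return end, len(pe) - end

def authenticode_overlay(pe: bytes, sections, sec_dir):
    """WIN_CERTIFICATE header if the Security directory covers the overlay.
    Presence only: verifying the PKCS#7 chain is a separate step this does not do."""
    off, size = overlay(pe, sections)
    dir_off, dir_size = sec_dir
    if dir_size < 8 or dir_off != off or dir_off + dir_size > len(pe):
        return None
    length, revision, cert_type = struct.unpack_from("<IHH", pe, dir_off)
    if length > dir_size or cert_type != WIN_CERT_TYPE_PKCS_SIGNED_DATA:
        return None
    return {"offset": dir_off, "length": length, "revision": revision,
            "pkcs7": pe[dir_off + 8:dir_off + length], "trailing_bytes": size - dir_size}

def build_sample_pe() -> bytes:
    """CONSTRUCTED sample, not the real ChromeCacheView.exe (which is not on this page)."""
    rnd = random.Random(0)
    upx1 = bytes(rnd.getrandbits(8) for _ in range(0x1000))       # stands in for compressed code
    rsrc = b"ChromeCacheView\0" * 64                               # low-entropy resource data
    pkcs7 = b"\x30\x82" + b"\x00" * 0x1F6                          # placeholder DER, not a real signature
    cert = struct.pack("<IHH", 8 + len(pkcs7), 0x0200, WIN_CERT_TYPE_PKCS_SIGNED_DATA) + pkcs7
    upx1_off, rsrc_off = 0x200, 0x200 + len(upx1)
    overlay_off = rsrc_off + len(rsrc)
    secs = [(b"UPX0", 0x4F000, 0x1000, 0, upx1_off, 0xE0000080),   # raw size 0, RWX, uninitialised
            (b"UPX1", len(upx1), 0x50000, len(upx1), upx1_off, 0xE0000040),
            (b".rsrc", len(rsrc), 0x51000, len(rsrc), rsrc_off, 0xC0000040)]
    dirs = [(0, 0)] * 16
    dirs[IMAGE_DIRECTORY_ENTRY_SECURITY] = (overlay_off, len(cert))
    opt = struct.pack("<HBB" + "I" * 9 + "H" * 6 + "I" * 4 + "HH" + "I" * 6,   # IMAGE_OPTIONAL_HEADER32
                      0x10B, 14, 0, len(upx1), len(rsrc), 0x4F000, 0x50000, 0x50000, 0x51000,
                      0x400000, 0x1000, 0x200, 4, 0, 0, 0, 4, 0, 0, 0x52000, 0x200, 0, 2, 0x8000,
                      0x100000, 0x1000, 0x100000, 0x1000, 0, len(dirs))
    opt += b"".join(struct.pack("<II", *d) for d in dirs)
    coff = struct.pack("<HHIIIHH", 0x14C, len(secs), 0, 0, 0, len(opt), 0x0102)
    table = b"".join(struct.pack("<8sIIIIIIHHI", n, vs, va, rs, ra, 0, 0, 0, 0, ch)
                     for n, vs, va, rs, ra, ch in secs)
    headers = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40) + b"PE\0\0" + coff + opt + table
    return headers.ljust(0x200, b"\0") + upx1 + rsrc + cert

if __name__ == "__main__":
    sample = build_sample_pe()
    secs, sec_dir = parse_pe(sample)
    print(*packer_indicators(secs), sep="\n")
    print("overlay", overlay(sample, secs), "cert", authenticode_overlay(sample, secs, sec_dir))
```

Run against the real file, parse_pe would reproduce the table above (UPX0 raw size 0 at entropy 0.00, UPX1 at 7.94, overlay at 0x3d200), and the three packer heuristics fire for UPX0 and UPX1 exactly as the two "indicative of packing" signatures do. Two caveats: the entropy check is a heuristic, since any section of compressed resources scores high as well, and a present, well-formed WIN_CERTIFICATE is not a valid signature. The "File has a valid signature" verdict in the log comes from the DigiSig module verifying the chain, which this script deliberately does not attempt.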

Resources

Name Offset Size Language Sub-language Entropy File type
RT_CURSOR 0x00083748 0x00000134 LANG_ENGLISH SUBLANG_ENGLISH_US 7.21 None
RT_CURSOR 0x0008387c 0x00000134 LANG_HEBREW SUBLANG_DEFAULT 7.24 None
RT_BITMAP 0x000839b0 0x000004e8 LANG_HEBREW SUBLANG_DEFAULT 7.78 None
RT_BITMAP 0x00083e98 0x000000d8 LANG_ENGLISH SUBLANG_ENGLISH_US 6.97 None
RT_BITMAP 0x00083f70 0x000000d8 LANG_ENGLISH SUBLANG_ENGLISH_US 7.01 None
RT_ICON 0x0008b74c 0x000002e8 LANG_HEBREW SUBLANG_DEFAULT 0.96 None
RT_ICON 0x0008ba38 0x00000128 LANG_HEBREW SUBLANG_DEFAULT 1.88 None
RT_ICON 0x0008bb64 0x000008a8 LANG_HEBREW SUBLANG_DEFAULT 4.57 None
RT_ICON 0x0008c410 0x00000568 LANG_HEBREW SUBLANG_DEFAULT 4.11 None
RT_MENU 0x00085268 0x000009c0 LANG_ENGLISH SUBLANG_ENGLISH_US 7.78 None
RT_MENU 0x00085c28 0x000002cc LANG_ENGLISH SUBLANG_ENGLISH_US 7.54 None
RT_MENU 0x00085ef4 0x00000012 LANG_HEBREW SUBLANG_DEFAULT 4.17 None
RT_DIALOG 0x00085f08 0x000000a2 LANG_HEBREW SUBLANG_DEFAULT 6.63 None
RT_DIALOG 0x00085fac 0x00000296 LANG_HEBREW SUBLANG_DEFAULT 7.55 None
RT_DIALOG 0x00086244 0x000002ea LANG_HEBREW SUBLANG_DEFAULT 7.59 None
RT_DIALOG 0x00086530 0x000006e6 LANG_HEBREW SUBLANG_DEFAULT 7.77 None
RT_DIALOG 0x00086c18 0x000000fa LANG_HEBREW SUBLANG_DEFAULT 7.10 None
RT_DIALOG 0x00086d14 0x00000134 LANG_HEBREW SUBLANG_DEFAULT 7.24 None
RT_DIALOG 0x00086e48 0x00000336 LANG_ENGLISH SUBLANG_ENGLISH_US 7.60 None
RT_STRING 0x00087180 0x0000020c LANG_ENGLISH SUBLANG_ENGLISH_US 7.37 None
RT_STRING 0x0008738c 0x00000024 LANG_ENGLISH SUBLANG_ENGLISH_US 4.95 None
RT_STRING 0x000873b0 0x00000118 LANG_ENGLISH SUBLANG_ENGLISH_US 7.08 None
RT_STRING 0x000874c8 0x00000044 LANG_ENGLISH SUBLANG_ENGLISH_US 5.72 None
RT_STRING 0x0008750c 0x000001ec LANG_ENGLISH SUBLANG_ENGLISH_US 7.39 None
RT_STRING 0x000876f8 0x000000a0 LANG_ENGLISH SUBLANG_ENGLISH_US 6.54 None
RT_STRING 0x00087798 0x000000b8 LANG_ENGLISH SUBLANG_ENGLISH_US 6.82 None
RT_STRING 0x00087850 0x00000128 LANG_ENGLISH SUBLANG_ENGLISH_US 7.02 None
RT_ACCELERATOR 0x00087978 0x00000098 LANG_HEBREW SUBLANG_DEFAULT 6.69 None
RT_GROUP_CURSOR 0x00087a10 0x00000014 LANG_ENGLISH SUBLANG_ENGLISH_US 4.02 None
RT_GROUP_CURSOR 0x00087a24 0x00000014 LANG_HEBREW SUBLANG_DEFAULT 4.32 None
RT_GROUP_ICON 0x0008c97c 0x0000003e LANG_HEBREW SUBLANG_DEFAULT 2.71 None
RT_VERSION 0x0008c9c0 0x000002e8 LANG_HEBREW SUBLANG_DEFAULT 3.37 None
RT_MANIFEST 0x0008ccac 0x0000016a LANG_ENGLISH SUBLANG_ENGLISH_US 5.07 None

Imports

This is the minimal import table a UPX stub leaves behind: KERNEL32 LoadLibraryA/GetProcAddress/VirtualProtect/ExitProcess for the stub itself, plus one named import per DLL so the loader maps each module; the program's real imports are resolved at runtime after decompression, which is why the analysis was run with import_reconstruction=1. The report lists the eight groups by function name only; the DLL names below are reconstructed from the eight DLL names in the strings and from which module exports each function, with the one empty group left to COMCTL32.dll, which is imported by ordinal.

ADVAPI32.dll
RegCloseKey 0x48cecc
COMCTL32.dll
(ordinal import only, no name listed)
comdlg32.dll
FindTextW 0x48cedc
GDI32.dll
PatBlt 0x48cee4
KERNEL32.DLL
LoadLibraryA 0x48ceec
ExitProcess 0x48cef0
GetProcAddress 0x48cef4
VirtualProtect 0x48cef8
ole32.dll
CoInitialize 0x48cf00
SHELL32.dll
SHGetMalloc 0x48cf08
USER32.dll
GetDC 0x48cf10



Usage


Processing ( 33.27 seconds )

  • 30.889 ProcessMemory
  • 2.159 CAPE
  • 0.212 BehaviorAnalysis
  • 0.004 AnalysisInfo
  • 0.001 Debug

Signatures ( 0.06 seconds )

  • 0.008 ransomware_files
  • 0.007 antiav_detectreg
  • 0.005 antianalysis_detectfile
  • 0.005 ransomware_extensions
  • 0.003 antiav_detectfile
  • 0.003 infostealer_ftp
  • 0.003 territorial_disputes_sigs
  • 0.003 ursnif_behavior
  • 0.002 antianalysis_detectreg
  • 0.002 infostealer_bitcoin
  • 0.002 infostealer_im
  • 0.002 infostealer_mail
  • 0.002 poullight_files
  • 0.001 antidebug_devices
  • 0.001 antivm_vbox_files
  • 0.001 antivm_vbox_keys
  • 0.001 antivm_vmware_keys
  • 0.001 geodo_banking_trojan
  • 0.001 browser_security
  • 0.001 disables_backups
  • 0.001 disables_browser_warn
  • 0.001 disables_power_options
  • 0.001 azorult_mutexes
  • 0.001 cryptbot_files
  • 0.001 echelon_files
  • 0.001 qulab_files
  • 0.001 masquerade_process_name
  • 0.001 revil_mutexes
  • 0.001 modirat_behavior
  • 0.001 lokibot_mutexes

Reporting ( 0.15 seconds )

  • 0.136 CAPASummary
  • 0.011 JsonDump

Signatures

Queries the keyboard layout
SetUnhandledExceptionFilter detected (possible anti-debug)
Possible date expiration check, exits too soon after checking local time
process: ChromeCacheView.exe, PID 4268
The binary contains an unknown PE section name indicative of packing
unknown section: {'name': 'UPX0', 'raw_address': '0x00000400', 'virtual_address': '0x00001000', 'virtual_size': '0x0004f000', 'size_of_data': '0x00000000', 'characteristics': 'IMAGE_SCN_CNT_UNINITIALIZED_DATA|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE', 'characteristics_raw': '0xe0000080', 'entropy': '0.00'}
unknown section: {'name': 'UPX1', 'raw_address': '0x00000400', 'virtual_address': '0x00050000', 'virtual_size': '0x0003b000', 'size_of_data': '0x0003ae00', 'characteristics': 'IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE', 'characteristics_raw': '0xe0000040', 'entropy': '7.94'}
The binary likely contains encrypted or compressed data
section: {'name': 'UPX1', 'raw_address': '0x00000400', 'virtual_address': '0x00050000', 'virtual_size': '0x0003b000', 'size_of_data': '0x0003ae00', 'characteristics': 'IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE', 'characteristics_raw': '0xe0000040', 'entropy': '7.94'}
Steals private information from local Internet browsers
file: C:\Users\Packager\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data
file: C:\Users\Packager\AppData\Local\Google\Chrome\User Data\Default\Cache\data_0
(Reading the Chrome cache directory is this tool's documented purpose, so the hit records the expected behaviour of a validly signed NirSoft utility rather than credential theft; the Summary shows the only other files it touched were its own ChromeCacheView.cfg, ChromeCacheView_lng.ini and report.html next to the executable, and no host or domain was contacted.)
Yara detections observed in process dumps, payloads or dropped files
Hit: PID 4268 triggered the Yara rule 'shellcode_get_eip' with data '['{ E8 00 00 00 00 58 }']'
(E8 00 00 00 00 58 is call $+5 followed by pop eax, the get-PC idiom of position-independent code; it is a generic pattern that also appears in benign binaries and in unpacking stubs, so in a UPX-packed file it is weak evidence on its own.)

Screenshots

No screenshots available (the screenshots module was disabled because the Python Imaging Library is not installed in the guest; see the analysis log).

Hosts

No hosts contacted.

DNS

No domains contacted.

Summary

Files

C:\Users\Packager\AppData\Local\SystemResources\ChromeCacheView.exe.mun
C:\Users\Packager\AppData\Local\Temp\ChromeCacheView_lng.ini
C:\Windows\System32\oleaut32.dll
C:\Windows\System32\msctf.dll
C:\Windows\Fonts\staticcache.dat
C:\Users\Packager\AppData\Local\Temp\TextShaping.dll
C:\Windows\System32\TextShaping.dll
C:\Windows\Globalization\Sorting\sortdefault.nls
C:\Windows\System32\uxtheme.dll.Config
C:\Windows\System32\uxtheme.dll
C:\Users\Packager\AppData\Local\Temp\ChromeCacheView.exe.Local\
C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.19041.1110_none_a8625c1886757984
C:\Windows\System32\cfgmgr32.dll
\Device\DeviceApi\CMApi
C:\Windows
C:\Users\Packager\AppData\Local\Temp\ChromeCacheView.cfg
C:\Windows\System32\textinputframework.dll
C:\Windows\System32\CoreUIComponents.dll
C:\Windows\System32\CoreMessaging.dll
C:\Windows\System32\ntmarta.dll
C:\Windows\System32\WinTypes.dll
C:\Windows\SystemResources\USER32.dll.mun
C:\Users\Packager\AppData\Local\Temp
C:\Users\Packager\AppData\Local\Google\Chrome\User Data\Local State
C:\Users\Packager\AppData\Local\Google\Chrome\User Data\Default\Cache\data_0
C:\Users\Packager\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data
C:\Users\Packager\AppData\Local\Google\Chrome\User Data\Default\Cache\*.*
C:\Users\Packager\AppData\Local\Temp\report.html
C:\Users\Packager\AppData\Local\Temp\ChromeCacheView.cfg
C:\Users\Packager\AppData\Local\Temp\report.html
Registry Keys

HKEY_CURRENT_USER
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Themes\Personalize
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Themes\Personalize\AppsUseLightTheme
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLEAUT
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager\ResourcePolicies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontLink\SystemLink
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\Disable
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\DataFilePath
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane2
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane3
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane4
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane5
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane6
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane7
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane8
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane9
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane10
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane11
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane12
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane13
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane14
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane15
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane16
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Segoe UI
HKEY_CURRENT_USER\Control Panel\Desktop
HKEY_CURRENT_USER\Control Panel\Desktop\SmoothScroll
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\EnableBalloonTips
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ListviewAlphaSelect
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ListviewShadow
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\AccListViewV6
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\UseDoubleClickTimer
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Sorting\Versions\000603xx
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Sorting\Ids
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Sorting\Ids\en-US
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Sorting\Ids\en
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\FontSubstitutes
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\Segoe UI
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\SideBySide
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\SideBySide\PreferExternalManifest
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\SideBySide\AssemblyStorageRoots
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\TurnOffSPIAnimations
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{01989354-0000-0000-0000-10e03f000000}\
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{01989354-0000-0000-0000-10e03f000000}\Data
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{01989354-0000-0000-0000-10e03f000000}\Generation
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{01989354-0000-0000-0000-100000000000}\
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{01989354-0000-0000-0000-100000000000}\Data
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{01989354-0000-0000-0000-100000000000}\Generation
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\Compatibility\ChromeCacheView.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\OOBE
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\OOBE\LaunchUserOOBE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\Compatibility\AppCompatClassName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\CTF\EnableAnchorContext
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Windows\IsVailContainer
HKEY_LOCAL_MACHINE\Software\Microsoft\Input
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Input\ResyncResetTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Input\MaxResyncAttempts
HKEY_CURRENT_USER\Software\Microsoft\CTF\DirectSwitchHotkeys
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Arial
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\GRE_Initialize
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableUmpdBufferSizeCheck
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Themes\Personalize\AppsUseLightTheme
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager\ResourcePolicies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\Disable
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\DataFilePath
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane2
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane3
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane4
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane5
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane6
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane7
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane8
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane9
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane10
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane11
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane12
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane13
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane14
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane15
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane16
HKEY_CURRENT_USER\Control Panel\Desktop\SmoothScroll
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\EnableBalloonTips
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ListviewAlphaSelect
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ListviewShadow
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\AccListViewV6
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\UseDoubleClickTimer
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Sorting\Versions\000603xx
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Sorting\Ids\en-US
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Sorting\Ids\en
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\Segoe UI
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\SideBySide\PreferExternalManifest
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\TurnOffSPIAnimations
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{01989354-0000-0000-0000-10e03f000000}\Data
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{01989354-0000-0000-0000-10e03f000000}\Generation
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{01989354-0000-0000-0000-100000000000}\Data
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{01989354-0000-0000-0000-100000000000}\Generation
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\OOBE\LaunchUserOOBE
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\CTF\EnableAnchorContext
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Windows\IsVailContainer
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Input\ResyncResetTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Input\MaxResyncAttempts
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableUmpdBufferSizeCheck
Local\SM0:4268:168:WilStaging_02
Local\SM0:4268:64:WilError_03
Local\MSCTF.Asm.MutexDefault3
CicLoadWinStaWinSta0
Local\MSCTF.CtfMonitorInstMutexDefault3
No results
No behavior log, strace or tracee recorded.
Network: no hosts or domains contacted; no TCP, UDP, HTTP(S), SMTP, IRC or ICMP traffic recorded.
CIF Results: none.
Suricata: no alerts, TLS, HTTP or extracted files.
No dropped files, CAPE files or process dumps.