home

google chrome.exe

DarwenDLM Downloader

Superb Alpha (Fried Cookie Ltd.)

The Fried Cookie installer utilizes the InstallCore download manager which may bundle additional offers for various ad-supported toolbars, extensions and utilities. The application google chrome.exe by Superb Alpha (Fried Cookie) has been detected as adware by 1 anti-malware scanner with very strong indications that the file is a potential threat. The program is a setup application that uses the installCore installer. The setup program uses the InstallCore engine which may bundle additional software offers including toolbars and browser extensions. With this installer, users are expecting to download Google's Chrome web browser but before that occurs they may be presented with additional offers, mostly potentially unwanted software or adware.
Publisher:
Superb Alpha (Fried Cookie Ltd.)  (signed and verified)

Product:
DarwenDLM Downloader

Version:
1.0.5.53112

MD5:
a49cf42238654daa2f83c8cbd7560a3e

SHA-1:
442f7843a6074880c8ef160b1cb9e00aa2daa085

SHA-256:
f5fa1fd97f1aeb5666fd3e55eccd0d1fad267859960d6d00f900d9c9bd542490

Scanner detections:
1 / 68

Status:
Adware

Explanation:
Uses the InstallCore download manager to install additional potentially unwanted software which may include extensions such as DealPly and various toolbars.

Description:
This is also known as bundleware, or downloadware, which is an downloader designed to simply deliver ad-supported offers in the setup routine of an otherwise legitimate software.

Analysis date:
11/28/2024 2:43:38 AM UTC  (today)

Scan engine
Detection
Engine version

Reason Heuristics
PUP.InstallCore.FC.Installer (M)
16.4.29.6

File size:
1.1 MB (1,176,024 bytes)

Product version:
1.0.5.53112

Original file name:
ClickOnceSetup.exe

File type:
Executable application (Win32 EXE)

Bundler/Installer:
installCore

Common path:
C:\users\{user}\appdata\local\microsoft\windows\inetcache\ie\{random}\google chrome.exe

Digital Signature
Signed by:
Superb Alpha (Fried Cookie Ltd.)

Authority:
GlobalSign nv-sa

Valid from:
12/17/2015 1:00:57 PM

Valid to:
6/22/2016 4:48:43 PM

Subject:
CN=Superb Alpha (Fried Cookie Ltd.), O=Superb Alpha (Fried Cookie Ltd.), L=Tel Aviv, C=IL

Issuer:
CN=GlobalSign CodeSigning CA - SHA256 - G2, O=GlobalSign nv-sa, C=BE

Serial number:
11217F30BAAF40AF8D13BE6DB4153600593E

File PE Metadata
Compilation timestamp:
2/23/2016 12:21:42 AM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
11.0

.NET CLR dependent:
Yes

CTPH (ssdeep):
24576:p2KFgeCz+fqwhZBYfH7NLRsksYTqFTG+hsazNvFsms9B9:prmHzDwhZAZLdCTGisazNvFsz9f

Entry address:
0x11742E

Entry point:
FF, 25, 00, 20, 40, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00...
 
[+]

Developed / compiled with:
Microsoft Visual C# / Basic .NET

Code size:
1.1 MB (1,136,128 bytes)

The file google chrome.exe has been seen being distributed by the following URL.

http://www.flashuniverseranch.com/c?x=/Y37ACimfDZiJnsDxOU7tYmTRRv0AJ4hTkVtS18SyvQ=&c=1cON2rP8 MEYtzJv 6LXLUkF2Gx2meCz448sEDTPKEb89ldFYDVLIHPavWOopSuL25/.../LeMqQwe6TKEXHmflHvQm4jjV9uZiKsrw9qNhVyoAPo9W8aayjPyLlfAGQ&downloadAs=Google Chrome.exe

Remove google chrome.exe - Powered by Reason Core Security
herdProtect is a second line of defense malware removal platform powered by 68 anti-malware engines in the cloud. Since no single anti-malware program is perfect 100% of the time, herdProtect utilizes a 'herd' of multiple engines to guarantee the widest coverage and the earliest possible detection.