Malware analysis Resource Hacker - CHIP Installer _8aR5p.exe Malicious activity

Add for printing

File name:	Resource Hacker - CHIP Installer _8aR5p.exe
Full analysis:	https://app.any.run/tasks/39e0940f-b80b-4b40-ba5d-ca5a46a8ad7c
Verdict:	Malicious activity
Analysis date:	July 15, 2024, 13:29:05
OS:	Windows 10 Professional (build: 19045, 64 bit)
Indicators:
MIME:	application/x-dosexec
File info:	PE32+ executable (GUI) x86-64, for MS Windows
MD5:	F5980F17F44DA870072C5CE396EB01BF
SHA1:	22CE208ACB16875CDD9D42A794557A56068220C2
SHA256:	2F9079DF89E96A997A910F9243173AC60BFE625501452152F8AB281778E5696B
SSDEEP:	49152:xhx7dxx15qe01xtgx41J/StY/yuiYWLmgpaRZkDuZdTNACtn:JV1JALgvz4ACtn

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 300 seconds
Heavy Evasion option:
Network geolocation:: off
Additional time used:: 240 seconds
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.3636.19041.0
Adobe Acrobat (64-bit) (23.001.20093)
Adobe Flash Player 32 NPAPI (32.0.0.465)
Adobe Flash Player 32 PPAPI (32.0.0.465)
CCleaner (6.20)
FileZilla 3.65.0 (3.65.0)
Google Chrome (122.0.6261.70)
Google Update Helper (1.3.36.51)
Java 8 Update 271 (64-bit) (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Microsoft Edge (122.0.2365.59)
Microsoft Edge Update (1.3.185.17)
Microsoft Office Professional 2019 - de-de (16.0.16026.20146)
Microsoft Office Professional 2019 - en-us (16.0.16026.20146)
Microsoft Office Professional 2019 - es-es (16.0.16026.20146)
Microsoft Office Professional 2019 - it-it (16.0.16026.20146)
Microsoft Office Professional 2019 - ja-jp (16.0.16026.20146)
Microsoft Office Professional 2019 - ko-kr (16.0.16026.20146)
Microsoft Office Professional 2019 - pt-br (16.0.16026.20146)
Microsoft Office Professional 2019 - tr-tr (16.0.16026.20146)
Microsoft Office Professionnel 2019 - fr-fr (16.0.16026.20146)
Microsoft Office профессиональный 2019 - ru-ru (16.0.16026.20146)
Microsoft OneNote - en-us (16.0.16026.20146)
Microsoft Update Health Tools (3.74.0.0)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x64 en-US) (123.0)
Mozilla Maintenance Service (123.0)
Notepad++ (64-bit x64) (7.9.1)
Office 16 Click-to-Run Extensibility Component (16.0.15726.20202)
Office 16 Click-to-Run Licensing Component (16.0.16026.20146)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15928.20198)
PowerShell 7-x64 (7.3.5.0)
Skype version 8.104 (8.104)
Update for Windows 10 for x64-based Systems (KB4023057) (2.59.0.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.63.0.0)
Update for Windows 10 for x64-based Systems (KB4480730) (2.55.0.0)
Update for Windows 10 for x64-based Systems (KB5001716) (8.93.0.0)
VLC media player (3.0.11)
WinRAR 5.91 (64-bit) (5.91.0)
Windows PC Health Check (3.6.2204.08001)

Hotfixes

Client LanguagePack Package
DotNetRollup
DotNetRollup 481
FodMetadata Package
Foundation Package
Hello Face Package
InternetExplorer Optional Package
KB5003791
KB5011048
KB5015684
KB5033052
LanguageFeatures Basic en us Package
LanguageFeatures Handwriting en us Package
LanguageFeatures OCR en us Package
LanguageFeatures Speech en us Package
LanguageFeatures TextToSpeech en us Package
MSPaint FoD Package
MediaPlayer Package
Microsoft OneCore ApplicationModel Sync Desktop FOD Package
Microsoft OneCore DirectX Database FOD Package
NetFx3 OnDemand Package
Notepad FoD Package
OpenSSH Client Package
PowerShell ISE FOD Package
Printing PMCPPC FoD Package
Printing WFS FoD Package
ProfessionalEdition
QuickAssist Package
RollupFix
ServicingStack
ServicingStack 3989
StepsRecorder Package
TabletPCMath Package
UserExperience Desktop Package
WordPad FoD Package

Add for printing

MALICIOUS
- Actions looks like stealing of personal data
  - Resource Hacker - CHIP Installer _8aR5p.exe (PID: 6044)
- Scans artifacts that could help determine the target
  - Resource Hacker - CHIP Installer _8aR5p.exe (PID: 6044)
- Drops the executable file immediately after the start
  - Resource Hacker - CHIP Installer _8aR5p.exe (PID: 6044)
  - reshacker_setup_527.exe (PID: 6392)
  - reshacker_setup_527.tmp (PID: 6368)
SUSPICIOUS
- Reads security settings of Internet Explorer
  - Resource Hacker - CHIP Installer _8aR5p.exe (PID: 6044)
  - ResourceHacker.exe (PID: 3724)
- Checks Windows Trust Settings
  - Resource Hacker - CHIP Installer _8aR5p.exe (PID: 6044)
- Reads Microsoft Outlook installation path
  - Resource Hacker - CHIP Installer _8aR5p.exe (PID: 6044)
- Executable content was dropped or overwritten
  - Resource Hacker - CHIP Installer _8aR5p.exe (PID: 6044)
  - reshacker_setup_527.exe (PID: 6392)
  - reshacker_setup_527.tmp (PID: 6368)
- Reads Internet Explorer settings
  - Resource Hacker - CHIP Installer _8aR5p.exe (PID: 6044)
- Searches for installed software
  - Resource Hacker - CHIP Installer _8aR5p.exe (PID: 6044)
- Changes Internet Explorer settings (feature browser emulation)
  - Resource Hacker - CHIP Installer _8aR5p.exe (PID: 6044)
- Reads the Windows owner or organization settings
  - reshacker_setup_527.tmp (PID: 6368)
- Creates file in the systems drive root
  - ResourceHacker.exe (PID: 3724)
INFO
- Checks supported languages
  - Resource Hacker - CHIP Installer _8aR5p.exe (PID: 6044)
  - reshacker_setup_527.exe (PID: 6392)
  - ResourceHacker.exe (PID: 3724)
  - reshacker_setup_527.tmp (PID: 6368)
  - identity_helper.exe (PID: 6296)
- Creates files or folders in the user directory
  - Resource Hacker - CHIP Installer _8aR5p.exe (PID: 6044)
- Checks proxy server information
  - Resource Hacker - CHIP Installer _8aR5p.exe (PID: 6044)
  - ResourceHacker.exe (PID: 3724)
  - slui.exe (PID: 1332)
- Reads the computer name
  - Resource Hacker - CHIP Installer _8aR5p.exe (PID: 6044)
  - ResourceHacker.exe (PID: 3724)
  - reshacker_setup_527.tmp (PID: 6368)
  - identity_helper.exe (PID: 6296)
- Process checks Internet Explorer phishing filters
  - Resource Hacker - CHIP Installer _8aR5p.exe (PID: 6044)
- Reads the software policy settings
  - Resource Hacker - CHIP Installer _8aR5p.exe (PID: 6044)
  - slui.exe (PID: 6988)
  - slui.exe (PID: 1332)
- Create files in a temporary directory
  - reshacker_setup_527.exe (PID: 6392)
  - Resource Hacker - CHIP Installer _8aR5p.exe (PID: 6044)
  - reshacker_setup_527.tmp (PID: 6368)
- Reads the machine GUID from the registry
  - Resource Hacker - CHIP Installer _8aR5p.exe (PID: 6044)
- Reads Environment values
  - ResourceHacker.exe (PID: 3724)
- Creates files in the program directory
  - reshacker_setup_527.tmp (PID: 6368)
- Creates a software uninstall entry
  - reshacker_setup_527.tmp (PID: 6368)
- Reads Microsoft Office registry keys
  - ResourceHacker.exe (PID: 3724)
  - msedge.exe (PID: 2216)
- Manual execution by a user
  - msedge.exe (PID: 2216)
- Drops the executable file immediately after the start
  - msedge.exe (PID: 6672)
- Application launched itself
  - msedge.exe (PID: 2216)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.exe	\|	Generic Win/DOS Executable (49.6)
.exe	\|	DOS Executable Generic (49.5)
.vxd	\|	VXD Driver (0.7)

EXIF

EXE

MachineType:	AMD AMD64
TimeStamp:	2022:04:16 09:34:08+00:00
ImageFileCharacteristics:	Executable, Large address aware
PEType:	PE32+
LinkerVersion:	8
CodeSize:	4237824
InitializedDataSize:	1083392
UninitializedDataSize:	-
EntryPoint:	0x3f8020
OSVersion:	5.2
ImageVersion:	5.2
SubsystemVersion:	5.2
Subsystem:	Windows GUI
FileVersionNumber:	1.0.100.6
ProductVersionNumber:	1.0.100.6
FileFlagsMask:	0x003f
FileFlags:	(none)
FileOS:	Win32
ObjectFileType:	Executable application
FileSubtype:	-
LanguageCode:	English (U.S.)
CharacterSet:	Windows, Latin1
CompanyName:	CHIP Digital GmbH
FileDescription:	CHIP Secured Installer
FileVersion:	1.0.100.6
LegalCopyright:	Copyright 2021 CHIP Digital GmbH
ProductName:	LgInstall
ProductVersion:	1.0.100.6

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

209

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

764

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=7172 --field-trial-handle=2316,i,12123414416359469994,11201344874610396558,262144 --variations-seed-version /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

—

msedge.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

LOW

Description:

Microsoft Edge

Exit code:

Version:

122.0.2365.59

Modules

Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

764

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=7140 --field-trial-handle=2316,i,12123414416359469994,11201344874610396558,262144 --variations-seed-version /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

—

msedge.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

LOW

Description:

Microsoft Edge

Exit code:

Version:

122.0.2365.59

Modules

Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

1060

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=122.0.6261.70 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=122.0.2365.59 --initial-client-data=0x2ec,0x2f0,0x2f4,0x2e8,0x2fc,0x7ffd9e115fd8,0x7ffd9e115fe4,0x7ffd9e115ff0

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

—

msedge.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Microsoft Edge

Version:

122.0.2365.59

Modules

Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

1292

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3880 --field-trial-handle=2316,i,12123414416359469994,11201344874610396558,262144 --variations-seed-version /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

—

msedge.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

LOW

Description:

Microsoft Edge

Exit code:

Version:

122.0.2365.59

Modules

Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

1332

C:\WINDOWS\System32\slui.exe -Embedding

C:\Windows\System32\slui.exe

svchost.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows Activation Client

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll

1924

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=7252 --field-trial-handle=2316,i,12123414416359469994,11201344874610396558,262144 --variations-seed-version /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

—

msedge.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

LOW

Description:

Microsoft Edge

Exit code:

Version:

122.0.2365.59

Modules

Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

1968

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=6012 --field-trial-handle=2316,i,12123414416359469994,11201344874610396558,262144 --variations-seed-version /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

—

msedge.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

LOW

Description:

Microsoft Edge

Exit code:

Version:

122.0.2365.59

Modules

Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

2008

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=3628 --field-trial-handle=2316,i,12123414416359469994,11201344874610396558,262144 --variations-seed-version /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

—

msedge.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

LOW

Description:

Microsoft Edge

Exit code:

Version:

122.0.2365.59

Modules

Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

2216

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.google.de/

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

explorer.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Microsoft Edge

Version:

122.0.2365.59

Modules

Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

2276

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --instant-process --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=21 --mojo-platform-channel-handle=6500 --field-trial-handle=2316,i,12123414416359469994,11201344874610396558,262144 --variations-seed-version /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

—

msedge.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

LOW

Description:

Microsoft Edge

Version:

122.0.2365.59

Modules

Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

Add for printing

Total events

29 994

Read events

29 708

Write events

264

Delete events

Modification events


(PID) Process:	(6044) Resource Hacker - CHIP Installer _8aR5p.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION
Operation:	write	Name:	Resource Hacker - CHIP Installer _8aR5p.exe
Value: 11000
(PID) Process:	(6044) Resource Hacker - CHIP Installer _8aR5p.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	ProxyBypass
Value: 1
(PID) Process:	(6044) Resource Hacker - CHIP Installer _8aR5p.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	IntranetName
Value: 1
(PID) Process:	(6044) Resource Hacker - CHIP Installer _8aR5p.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	UNCAsIntranet
Value: 1
(PID) Process:	(6044) Resource Hacker - CHIP Installer _8aR5p.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	AutoDetect
Value: 0
(PID) Process:	(6044) Resource Hacker - CHIP Installer _8aR5p.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:	write	Name:	CachePrefix
Value:
(PID) Process:	(6044) Resource Hacker - CHIP Installer _8aR5p.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:	write	Name:	CachePrefix
Value: Cookie:
(PID) Process:	(6044) Resource Hacker - CHIP Installer _8aR5p.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:	write	Name:	CachePrefix
Value: Visited:
(PID) Process:	(6368) reshacker_setup_527.tmp	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0000
Operation:	write	Name:	Owner
Value: E018000075DA500ABBD6DA01
(PID) Process:	(6368) reshacker_setup_527.tmp	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0000
Operation:	write	Name:	SessionHash
Value: 6652FE54258FCA088DE3E89FA564E99F8A37C67084434A582121FC8D37471636

Add for printing

Executable files

Suspicious files

680

Text files

227

Unknown types

Dropped files

PID	Process	Filename		Type
6044	Resource Hacker - CHIP Installer _8aR5p.exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751		binary
		MD5:3DFCA46E00FFA4795C72A41375F159D3	SHA256:DCBA1A505396539BAC40A7253C9F5DCCF06CBB79957E21D56305E1FC3AF5F40E
6044	Resource Hacker - CHIP Installer _8aR5p.exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3A3937EBB9BC6E1543DBBEB9C0959B14		der
		MD5:A8CCEBB426F9D86AD6DF8286BDC93E20	SHA256:25615E10A51A8A959A57323E0095F9ED894BDC1674B0CE544524740F5B4BEFD2
6044	Resource Hacker - CHIP Installer _8aR5p.exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E5CE0DC33338C2049C0E8893A179720E		binary
		MD5:9A3F5EB482CD9996C82E198ACA36212D	SHA256:914F20408CC02BC01522905E5A5969FDE42D241502A4064E5EAE362F05332C4E
6044	Resource Hacker - CHIP Installer _8aR5p.exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E5CE0DC33338C2049C0E8893A179720E		binary
		MD5:5686F3DCA82BA73580B75D739130D74A	SHA256:87C966B0FEA6072DF648AABAA1777A5D8E1BD308ACD90F8ADE5E94104F13E551
6044	Resource Hacker - CHIP Installer _8aR5p.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\KCV3KQBA\PPD_Bit-Driver-Updater_1[1].png		image
		MD5:4FA788C006BA2C165DFB15A20DD408D8	SHA256:AA0A1A9E282167A2A8BA84CED85760DF64311B6A2F60BF44E7BB17AAD3780C95
6044	Resource Hacker - CHIP Installer _8aR5p.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\AH8CR9J5\easyprogresscampaign-progress-bitsolucians[1].htm		html
		MD5:9B2AFFEC375CD2607511F8E77AF8923F	SHA256:93FB2064AA42B2FDF959CA019217604C68478AB1A6A03C803F6AFDAB5C7027F6
6044	Resource Hacker - CHIP Installer _8aR5p.exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3A3937EBB9BC6E1543DBBEB9C0959B14		binary
		MD5:230F8B0E5CEFEC07276AEFC4F5C92677	SHA256:39404333AF4451E82897467DBDCC15DC0ED353437946CF165A00C15BE277B22A
6368	reshacker_setup_527.tmp	C:\Users\admin\AppData\Local\Temp\is-6QB84.tmp\_isetup\_setup64.tmp		executable
		MD5:E4211D6D009757C078A9FAC7FF4F03D4	SHA256:388A796580234EFC95F3B1C70AD4CB44BFDDC7BA0F9203BF4902B9929B136F95
6044	Resource Hacker - CHIP Installer _8aR5p.exe	C:\Users\admin\AppData\Local\Temp\reshacker_setup_527_exe_771520241293520527448\reshacker_setup_527_exe.parts		executable
		MD5:02EB693DCFB90A696D191BADBCF314CE	SHA256:246457363396DCEA4CC3D19CE2A431897BAC948AE1694D3E87CC0EBAF2EA39F5
6044	Resource Hacker - CHIP Installer _8aR5p.exe	C:\Users\admin\AppData\Local\Temp\reshacker_setup_527_exe_771520241293520527448\reshacker_setup_527.exe		executable
		MD5:02EB693DCFB90A696D191BADBCF314CE	SHA256:246457363396DCEA4CC3D19CE2A431897BAC948AE1694D3E87CC0EBAF2EA39F5

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

204

DNS requests

175

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
—	—	GET	200	23.52.120.96:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
3716	svchost.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D	unknown	—	—	whitelisted
—	—	GET	200	23.48.23.156:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
6044	Resource Hacker - CHIP Installer _8aR5p.exe	GET	200	2.16.202.114:80	http://r10.o.lencr.org/MFMwUTBPME0wSzAJBgUrDgMCGgUABBRpD%2BQVZ%2B1vf7U0RGQGBm8JZwdxcgQUdKR2KRcYVIUxN75n5gZYwLzFBXICEgP%2FTrdGuXxbcSOe1t%2B0db79LQ%3D%3D	unknown	—	—	whitelisted
6044	Resource Hacker - CHIP Installer _8aR5p.exe	GET	200	2.16.202.114:80	http://r10.o.lencr.org/MFMwUTBPME0wSzAJBgUrDgMCGgUABBRpD%2BQVZ%2B1vf7U0RGQGBm8JZwdxcgQUdKR2KRcYVIUxN75n5gZYwLzFBXICEgQ3yyeRD4b7hBj%2FX2Li0MzZMg%3D%3D	unknown	—	—	whitelisted
4656	SearchApp.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D	unknown	—	—	whitelisted
6044	Resource Hacker - CHIP Installer _8aR5p.exe	GET	200	116.203.169.156:80	http://static.chip-secured-download.de/gfx/progress/BitGuardian/PPD_Bit-Driver-Updater_1.png	unknown	—	—	unknown
4392	backgroundTaskHost.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D	unknown	—	—	whitelisted
3068	backgroundTaskHost.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D	unknown	—	—	whitelisted
7128	SIHClient.exe	GET	200	95.101.149.131:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl	unknown	—	—	whitelisted

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:137	—	—	—	whitelisted
2248	svchost.exe	51.124.78.146:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
—	—	51.124.78.146:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
4656	SearchApp.exe	23.53.43.147:443	www.bing.com	Akamai International B.V.	DE	unknown
—	—	23.48.23.156:80	crl.microsoft.com	Akamai International B.V.	DE	unknown
—	—	23.52.120.96:80	www.microsoft.com	AKAMAI-AS	DE	unknown
4	System	192.168.100.255:138	—	—	—	whitelisted
4032	svchost.exe	239.255.255.250:1900	—	—	—	whitelisted
4656	SearchApp.exe	192.229.221.95:80	ocsp.digicert.com	EDGECAST	US	whitelisted
6044	Resource Hacker - CHIP Installer _8aR5p.exe	83.125.106.237:443	chip-cluster.de	3U TELECOM GmbH	DE	unknown

DNS requests

Domain	IP	Reputation
settings-win.data.microsoft.com	51.124.78.146	whitelisted
google.com	142.250.186.46	whitelisted
www.bing.com	23.53.43.147 23.53.43.96 23.53.43.106 23.53.43.122 13.107.21.200 204.79.197.200 2.16.110.121 2.16.110.170 2.16.110.171 2.16.110.176	whitelisted
crl.microsoft.com	23.48.23.156 23.48.23.143	whitelisted
www.microsoft.com	23.52.120.96 95.101.149.131	whitelisted
ocsp.digicert.com	192.229.221.95	whitelisted
chip-cluster.de	83.125.106.237	unknown
login.live.com	20.190.159.73 40.126.31.67 40.126.31.73 20.190.159.68 20.190.159.0 20.190.159.23 20.190.159.75 20.190.159.64	whitelisted
go.microsoft.com	23.213.166.81	whitelisted
nexusrules.officeapps.live.com	52.111.236.23	whitelisted

Threats

PID	Process	Class	Message
6864	msedge.exe	Potentially Bad Traffic	ET DNS Query for .cc TLD
6864	msedge.exe	Potentially Bad Traffic	ET DNS Query for .cc TLD

Add for printing

No debug info

General Info

Resource Hacker - CHIP Installer _8aR5p.exe

F5980F17F44DA870072C5CE396EB01BF

22CE208ACB16875CDD9D42A794557A56068220C2

2F9079DF89E96A997A910F9243173AC60BFE625501452152F8AB281778E5696B

49152:xhx7dxx15qe01xtgx41J/StY/yuiYWLmgpaRZkDuZdTNACtn:JV1JALgvz4ACtn

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Actions looks like stealing of personal data

Scans artifacts that could help determine the target

Drops the executable file immediately after the start

SUSPICIOUS

Reads security settings of Internet Explorer

Checks Windows Trust Settings

Reads Microsoft Outlook installation path

Executable content was dropped or overwritten

Reads Internet Explorer settings

Searches for installed software

Changes Internet Explorer settings (feature browser emulation)

Reads the Windows owner or organization settings

Creates file in the systems drive root

INFO

Checks supported languages

Creates files or folders in the user directory

Checks proxy server information

Reads the computer name

Process checks Internet Explorer phishing filters

Reads the software policy settings

Create files in a temporary directory

Reads the machine GUID from the registry

Reads Environment values

Creates files in the program directory

Creates a software uninstall entry

Reads Microsoft Office registry keys

Manual execution by a user

Drops the executable file immediately after the start

Application launched itself

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats