Malware analysis IrfanView (64 Bit) - CHIP Installer _ZzqMx.exe Malicious activity

Add for printing

File name:	IrfanView (64 Bit) - CHIP Installer _ZzqMx.exe
Full analysis:	https://app.any.run/tasks/8ea6fbaf-0afc-4da4-9270-c25cce61f119
Verdict:	Malicious activity
Analysis date:	July 10, 2024, 14:09:16
OS:	Windows 10 Professional (build: 19045, 64 bit)
Indicators:
MIME:	application/x-dosexec
File info:	PE32+ executable (GUI) x86-64, for MS Windows
MD5:	F5980F17F44DA870072C5CE396EB01BF
SHA1:	22CE208ACB16875CDD9D42A794557A56068220C2
SHA256:	2F9079DF89E96A997A910F9243173AC60BFE625501452152F8AB281778E5696B
SSDEEP:	49152:xhx7dxx15qe01xtgx41J/StY/yuiYWLmgpaRZkDuZdTNACtn:JV1JALgvz4ACtn

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 60 seconds
Heavy Evasion option:
Network geolocation:: off
Additional time used:: none
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.3636.19041.0
Adobe Acrobat (64-bit) (23.001.20093)
Adobe Flash Player 32 NPAPI (32.0.0.465)
Adobe Flash Player 32 PPAPI (32.0.0.465)
CCleaner (6.20)
FileZilla 3.65.0 (3.65.0)
Google Chrome (122.0.6261.70)
Google Update Helper (1.3.36.51)
Java 8 Update 271 (64-bit) (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Microsoft Edge (122.0.2365.59)
Microsoft Edge Update (1.3.185.17)
Microsoft Office Professional 2019 - de-de (16.0.16026.20146)
Microsoft Office Professional 2019 - en-us (16.0.16026.20146)
Microsoft Office Professional 2019 - es-es (16.0.16026.20146)
Microsoft Office Professional 2019 - it-it (16.0.16026.20146)
Microsoft Office Professional 2019 - ja-jp (16.0.16026.20146)
Microsoft Office Professional 2019 - ko-kr (16.0.16026.20146)
Microsoft Office Professional 2019 - pt-br (16.0.16026.20146)
Microsoft Office Professional 2019 - tr-tr (16.0.16026.20146)
Microsoft Office Professionnel 2019 - fr-fr (16.0.16026.20146)
Microsoft Office профессиональный 2019 - ru-ru (16.0.16026.20146)
Microsoft OneNote - en-us (16.0.16026.20146)
Microsoft Update Health Tools (3.74.0.0)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x64 en-US) (123.0)
Mozilla Maintenance Service (123.0)
Notepad++ (64-bit x64) (7.9.1)
Office 16 Click-to-Run Extensibility Component (16.0.15726.20202)
Office 16 Click-to-Run Licensing Component (16.0.16026.20146)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15928.20198)
PowerShell 7-x64 (7.3.5.0)
Skype version 8.104 (8.104)
Update for Windows 10 for x64-based Systems (KB4023057) (2.59.0.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.63.0.0)
Update for Windows 10 for x64-based Systems (KB4480730) (2.55.0.0)
Update for Windows 10 for x64-based Systems (KB5001716) (8.93.0.0)
VLC media player (3.0.11)
WinRAR 5.91 (64-bit) (5.91.0)
Windows PC Health Check (3.6.2204.08001)

Hotfixes

Client LanguagePack Package
DotNetRollup
DotNetRollup 481
FodMetadata Package
Foundation Package
Hello Face Package
InternetExplorer Optional Package
KB5003791
KB5011048
KB5015684
KB5033052
LanguageFeatures Basic en us Package
LanguageFeatures Handwriting en us Package
LanguageFeatures OCR en us Package
LanguageFeatures Speech en us Package
LanguageFeatures TextToSpeech en us Package
MSPaint FoD Package
MediaPlayer Package
Microsoft OneCore ApplicationModel Sync Desktop FOD Package
Microsoft OneCore DirectX Database FOD Package
NetFx3 OnDemand Package
Notepad FoD Package
OpenSSH Client Package
PowerShell ISE FOD Package
Printing PMCPPC FoD Package
Printing WFS FoD Package
ProfessionalEdition
QuickAssist Package
RollupFix
ServicingStack
ServicingStack 3989
StepsRecorder Package
TabletPCMath Package
UserExperience Desktop Package
WordPad FoD Package

Add for printing

MALICIOUS
- Drops the executable file immediately after the start
  - IrfanView (64 Bit) - CHIP Installer _ZzqMx.exe (PID: 2452)
  - iview462g_x64_setup.exe (PID: 6756)
- Actions looks like stealing of personal data
  - IrfanView (64 Bit) - CHIP Installer _ZzqMx.exe (PID: 2452)
- Scans artifacts that could help determine the target
  - IrfanView (64 Bit) - CHIP Installer _ZzqMx.exe (PID: 2452)
SUSPICIOUS
- Reads security settings of Internet Explorer
  - IrfanView (64 Bit) - CHIP Installer _ZzqMx.exe (PID: 2452)
  - iview462g_x64_setup.exe (PID: 6756)
- Searches for installed software
  - IrfanView (64 Bit) - CHIP Installer _ZzqMx.exe (PID: 2452)
- Changes Internet Explorer settings (feature browser emulation)
  - IrfanView (64 Bit) - CHIP Installer _ZzqMx.exe (PID: 2452)
- Reads Microsoft Outlook installation path
  - IrfanView (64 Bit) - CHIP Installer _ZzqMx.exe (PID: 2452)
- Checks Windows Trust Settings
  - IrfanView (64 Bit) - CHIP Installer _ZzqMx.exe (PID: 2452)
- Executable content was dropped or overwritten
  - IrfanView (64 Bit) - CHIP Installer _ZzqMx.exe (PID: 2452)
  - iview462g_x64_setup.exe (PID: 6756)
- Reads Internet Explorer settings
  - IrfanView (64 Bit) - CHIP Installer _ZzqMx.exe (PID: 2452)
- The process creates files with name similar to system file names
  - iview462g_x64_setup.exe (PID: 6756)
- Creates a software uninstall entry
  - iview462g_x64_setup.exe (PID: 6756)
- Reads the date of Windows installation
  - iview462g_x64_setup.exe (PID: 6756)
INFO
- Checks supported languages
  - IrfanView (64 Bit) - CHIP Installer _ZzqMx.exe (PID: 2452)
  - iview462g_x64_setup.exe (PID: 6756)
  - i_view64.exe (PID: 5884)
  - identity_helper.exe (PID: 7128)
- Reads the computer name
  - IrfanView (64 Bit) - CHIP Installer _ZzqMx.exe (PID: 2452)
  - iview462g_x64_setup.exe (PID: 6756)
  - i_view64.exe (PID: 5884)
  - identity_helper.exe (PID: 7128)
- Checks proxy server information
  - IrfanView (64 Bit) - CHIP Installer _ZzqMx.exe (PID: 2452)
- Reads the software policy settings
  - IrfanView (64 Bit) - CHIP Installer _ZzqMx.exe (PID: 2452)
- Reads the machine GUID from the registry
  - IrfanView (64 Bit) - CHIP Installer _ZzqMx.exe (PID: 2452)
- Create files in a temporary directory
  - IrfanView (64 Bit) - CHIP Installer _ZzqMx.exe (PID: 2452)
  - iview462g_x64_setup.exe (PID: 6756)
- Creates files or folders in the user directory
  - IrfanView (64 Bit) - CHIP Installer _ZzqMx.exe (PID: 2452)
  - iview462g_x64_setup.exe (PID: 6756)
- Process checks Internet Explorer phishing filters
  - IrfanView (64 Bit) - CHIP Installer _ZzqMx.exe (PID: 2452)
- Creates files in the program directory
  - iview462g_x64_setup.exe (PID: 6756)
- Reads product name
  - iview462g_x64_setup.exe (PID: 6756)
- Reads Microsoft Office registry keys
  - iview462g_x64_setup.exe (PID: 6756)
  - msedge.exe (PID: 6196)
  - msedge.exe (PID: 4180)
- Process checks computer location settings
  - iview462g_x64_setup.exe (PID: 6756)
- Application launched itself
  - msedge.exe (PID: 6196)
  - msedge.exe (PID: 4180)
- Reads Environment values
  - iview462g_x64_setup.exe (PID: 6756)
- Manual execution by a user
  - msedge.exe (PID: 4180)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.exe	\|	Generic Win/DOS Executable (49.6)
.exe	\|	DOS Executable Generic (49.5)
.vxd	\|	VXD Driver (0.7)

EXIF

EXE

MachineType:	AMD AMD64
TimeStamp:	2022:04:16 09:34:08+00:00
ImageFileCharacteristics:	Executable, Large address aware
PEType:	PE32+
LinkerVersion:	8
CodeSize:	4237824
InitializedDataSize:	1083392
UninitializedDataSize:	-
EntryPoint:	0x3f8020
OSVersion:	5.2
ImageVersion:	5.2
SubsystemVersion:	5.2
Subsystem:	Windows GUI
FileVersionNumber:	1.0.100.6
ProductVersionNumber:	1.0.100.6
FileFlagsMask:	0x003f
FileFlags:	(none)
FileOS:	Win32
ObjectFileType:	Executable application
FileSubtype:	-
LanguageCode:	English (U.S.)
CharacterSet:	Windows, Latin1
CompanyName:	CHIP Digital GmbH
FileDescription:	CHIP Secured Installer
FileVersion:	1.0.100.6
LegalCopyright:	Copyright 2021 CHIP Digital GmbH
ProductName:	LgInstall
ProductVersion:	1.0.100.6

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

168

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

736

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=4980 --field-trial-handle=2484,i,16839739950291410632,5670080248346934298,262144 --variations-seed-version /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

—

msedge.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

LOW

Description:

Microsoft Edge

Exit code:

Version:

122.0.2365.59

Modules

Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

1384

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3088 --field-trial-handle=2484,i,16839739950291410632,5670080248346934298,262144 --variations-seed-version /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

—

msedge.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

LOW

Description:

Microsoft Edge

Version:

122.0.2365.59

Modules

Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

1768

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --no-appcompat-clear --mojo-platform-channel-handle=5012 --field-trial-handle=2484,i,16839739950291410632,5670080248346934298,262144 --variations-seed-version /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

—

msedge.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

LOW

Description:

Microsoft Edge

Version:

122.0.2365.59

Modules

Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

2008

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=122.0.6261.70 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=122.0.2365.59 --initial-client-data=0x2fc,0x300,0x304,0x2f8,0x310,0x7ffd9ac95fd8,0x7ffd9ac95fe4,0x7ffd9ac95ff0

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

—

msedge.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Microsoft Edge

Exit code:

Version:

122.0.2365.59

Modules

Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll

2088

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=4528 --field-trial-handle=2484,i,16839739950291410632,5670080248346934298,262144 --variations-seed-version /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

—

msedge.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

LOW

Description:

Microsoft Edge

Version:

122.0.2365.59

Modules

Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

2360

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=5056 --field-trial-handle=2484,i,16839739950291410632,5670080248346934298,262144 --variations-seed-version /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

—

msedge.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

LOW

Description:

Microsoft Edge

Exit code:

Version:

122.0.2365.59

Modules

Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

2452

"C:\Users\admin\AppData\Local\Temp\IrfanView (64 Bit) - CHIP Installer _ZzqMx.exe"

C:\Users\admin\AppData\Local\Temp\IrfanView (64 Bit) - CHIP Installer _ZzqMx.exe

explorer.exe

User:

admin

Company:

CHIP Digital GmbH

Integrity Level:

HIGH

Description:

CHIP Secured Installer

Exit code:

Version:

1.0.100.6

Modules

Images
c:\users\admin\appdata\local\temp\irfanview (64 bit) - chip installer _zzqmx.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\shell32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\winspool.drv
c:\windows\system32\ucrtbase.dll
c:\windows\system32\user32.dll

3660

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3664 --field-trial-handle=2484,i,16839739950291410632,5670080248346934298,262144 --variations-seed-version /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

—

msedge.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

LOW

Description:

Microsoft Edge

Exit code:

Version:

122.0.2365.59

Modules

Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

3676

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=2524 --field-trial-handle=2372,i,5679700675442308146,17171403147592530540,262144 --variations-seed-version /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

—

msedge.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Microsoft Edge

Exit code:

Version:

122.0.2365.59

Modules

Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll

3840

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=122.0.6261.70 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=122.0.2365.59 --initial-client-data=0x260,0x264,0x268,0x25c,0x274,0x7ffd9ac95fd8,0x7ffd9ac95fe4,0x7ffd9ac95ff0

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

—

msedge.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Microsoft Edge

Version:

122.0.2365.59

Modules

Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

Add for printing

Total events

17 249

Read events

17 028

Write events

215

Delete events

Modification events


(PID) Process:	(2452) IrfanView (64 Bit) - CHIP Installer _ZzqMx.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION
Operation:	write	Name:	IrfanView (64 Bit) - CHIP Installer _ZzqMx.exe
Value: 11000
(PID) Process:	(2452) IrfanView (64 Bit) - CHIP Installer _ZzqMx.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	ProxyBypass
Value: 1
(PID) Process:	(2452) IrfanView (64 Bit) - CHIP Installer _ZzqMx.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	IntranetName
Value: 1
(PID) Process:	(2452) IrfanView (64 Bit) - CHIP Installer _ZzqMx.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	UNCAsIntranet
Value: 1
(PID) Process:	(2452) IrfanView (64 Bit) - CHIP Installer _ZzqMx.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	AutoDetect
Value: 0
(PID) Process:	(2452) IrfanView (64 Bit) - CHIP Installer _ZzqMx.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:	write	Name:	CachePrefix
Value:
(PID) Process:	(2452) IrfanView (64 Bit) - CHIP Installer _ZzqMx.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:	write	Name:	CachePrefix
Value: Cookie:
(PID) Process:	(2452) IrfanView (64 Bit) - CHIP Installer _ZzqMx.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:	write	Name:	CachePrefix
Value: Visited:
(PID) Process:	(6756) iview462g_x64_setup.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Applications\i_view64.exe
Operation:	write	Name:	FriendlyAppName
Value: IrfanView 64-bit
(PID) Process:	(6756) iview462g_x64_setup.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IrfanView64
Operation:	write	Name:	DisplayName
Value: IrfanView 4.67 (64-bit)

Add for printing

Executable files

Suspicious files

Text files

Unknown types

Dropped files

PID	Process	Filename		Type
2452	IrfanView (64 Bit) - CHIP Installer _ZzqMx.exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E5CE0DC33338C2049C0E8893A179720E		binary
		MD5:263E3FD807F18A6A72B52BEA7258F216	SHA256:B6A44520D87AD35A2A78DED57C4A289620CC5C7A13234961C6BB6322638D17E7
2452	IrfanView (64 Bit) - CHIP Installer _ZzqMx.exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E5CE0DC33338C2049C0E8893A179720E		binary
		MD5:366D419132528E4616B8AF7D4A65AF8F	SHA256:B25A2922BF8BB96AFD9B924D2F1386810C42AD70984A580A17615917762582AF
2452	IrfanView (64 Bit) - CHIP Installer _ZzqMx.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\AH8CR9J5\easyprogresscampaign-progress-bitsolucians[1].htm		html
		MD5:9B2AFFEC375CD2607511F8E77AF8923F	SHA256:93FB2064AA42B2FDF959CA019217604C68478AB1A6A03C803F6AFDAB5C7027F6
2452	IrfanView (64 Bit) - CHIP Installer _ZzqMx.exe	C:\Users\admin\AppData\Local\Temp\iview462g_x64_setup_exe_57102024209332459681925\iview462g_x64_setup_exe.parts		executable
		MD5:23E49038BEAB7B7EF3098C72097110A2	SHA256:15306B139AE4713B88095C4F8ECBD3FF7655D77D3D519FD86572ACE7EA836520
2452	IrfanView (64 Bit) - CHIP Installer _ZzqMx.exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3A3937EBB9BC6E1543DBBEB9C0959B14		binary
		MD5:EB8BF4B1449F589B5012378BC03BFD54	SHA256:238A243CF3524A14EC56CEA8143BAD22509A448FF55A89D4251C0EB5D4B537E3
2452	IrfanView (64 Bit) - CHIP Installer _ZzqMx.exe	C:\Users\admin\AppData\Local\Temp\iview462g_x64_setup_exe_57102024209332459681925\iview462g_x64_setup.exe		executable
		MD5:23E49038BEAB7B7EF3098C72097110A2	SHA256:15306B139AE4713B88095C4F8ECBD3FF7655D77D3D519FD86572ACE7EA836520
2452	IrfanView (64 Bit) - CHIP Installer _ZzqMx.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\KCV3KQBA\PPD_Bit-Driver-Updater_1[1].png		image
		MD5:4FA788C006BA2C165DFB15A20DD408D8	SHA256:AA0A1A9E282167A2A8BA84CED85760DF64311B6A2F60BF44E7BB17AAD3780C95
6756	iview462g_x64_setup.exe	C:\Program Files\IrfanView\i_changes.txt		text
		MD5:882852D1D9037F7E87F4BB8A884399CA	SHA256:E077CC887F565A10733B42684A9890081EF7B33312B98EE4DF2CD9A56D1D9316
6756	iview462g_x64_setup.exe	C:\Program Files\IrfanView\Plugins\Video.dll		executable
		MD5:BAF102263743085A16A714C9091FEC5C	SHA256:409461D271D23BD6BCE09020A45A55FF5DF42E14D57225AD25BFD31222FFDAB1
2452	IrfanView (64 Bit) - CHIP Installer _ZzqMx.exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751		binary
		MD5:3DFCA46E00FFA4795C72A41375F159D3	SHA256:DCBA1A505396539BAC40A7253C9F5DCCF06CBB79957E21D56305E1FC3AF5F40E

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

108

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
1776	MoUsoCoreWorker.exe	GET	200	23.48.23.156:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	unknown
3656	svchost.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D	unknown	—	—	unknown
4656	SearchApp.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D	unknown	—	—	unknown
2452	IrfanView (64 Bit) - CHIP Installer _ZzqMx.exe	GET	200	2.16.241.8:80	http://r10.o.lencr.org/MFMwUTBPME0wSzAJBgUrDgMCGgUABBRpD%2BQVZ%2B1vf7U0RGQGBm8JZwdxcgQUdKR2KRcYVIUxN75n5gZYwLzFBXICEgP%2FTrdGuXxbcSOe1t%2B0db79LQ%3D%3D	unknown	—	—	unknown
2452	IrfanView (64 Bit) - CHIP Installer _ZzqMx.exe	GET	200	2.16.241.8:80	http://r10.o.lencr.org/MFMwUTBPME0wSzAJBgUrDgMCGgUABBRpD%2BQVZ%2B1vf7U0RGQGBm8JZwdxcgQUdKR2KRcYVIUxN75n5gZYwLzFBXICEgQ3yyeRD4b7hBj%2FX2Li0MzZMg%3D%3D	unknown	—	—	unknown
6876	SIHClient.exe	GET	200	88.221.169.152:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl	unknown	—	—	unknown
6876	SIHClient.exe	GET	200	88.221.169.152:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl	unknown	—	—	unknown
5452	backgroundTaskHost.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D	unknown	—	—	unknown
5812	backgroundTaskHost.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D	unknown	—	—	unknown
2452	IrfanView (64 Bit) - CHIP Installer _ZzqMx.exe	GET	200	116.203.169.156:80	http://static.chip-secured-download.de/gfx/progress/BitGuardian/PPD_Bit-Driver-Updater_1.png	unknown	—	—	unknown

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:137	—	—	—	whitelisted
4032	svchost.exe	239.255.255.250:1900	—	—	—	whitelisted
1972	svchost.exe	40.127.240.158:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	unknown
2140	RUXIMICS.exe	40.127.240.158:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	unknown
—	—	40.127.240.158:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	unknown
4	System	192.168.100.255:138	—	—	—	whitelisted
1776	MoUsoCoreWorker.exe	23.48.23.156:80	crl.microsoft.com	Akamai International B.V.	DE	unknown
1776	MoUsoCoreWorker.exe	23.35.229.160:80	www.microsoft.com	AKAMAI-AS	DE	whitelisted
6004	svchost.exe	40.127.240.158:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	unknown
2452	IrfanView (64 Bit) - CHIP Installer _ZzqMx.exe	83.125.106.237:443	chip-cluster.de	3U TELECOM GmbH	DE	unknown

DNS requests

Domain	IP	Reputation
settings-win.data.microsoft.com	40.127.240.158 4.231.128.59	whitelisted
google.com	142.250.186.46	whitelisted
crl.microsoft.com	23.48.23.156 23.48.23.143	whitelisted
www.microsoft.com	23.35.229.160 88.221.169.152	whitelisted
chip-cluster.de	83.125.106.237	unknown
www.bing.com	92.123.104.41 92.123.104.37 92.123.104.52 92.123.104.42 92.123.104.56 92.123.104.38 92.123.104.47 92.123.104.51 92.123.104.53 2.23.209.148 2.23.209.141 2.23.209.153 2.23.209.154 2.23.209.142 2.23.209.149 2.23.209.143 2.23.209.144 2.23.209.150	whitelisted
ocsp.digicert.com	192.229.221.95	whitelisted
login.live.com	20.190.160.22 20.190.160.17 40.126.32.68 40.126.32.76 20.190.160.14 40.126.32.72 20.190.160.20 40.126.32.138	whitelisted
go.microsoft.com	69.192.162.125	whitelisted
nexusrules.officeapps.live.com	52.111.227.11	whitelisted

Threats

No threats detected

Add for printing

No debug info

General Info

IrfanView (64 Bit) - CHIP Installer _ZzqMx.exe

F5980F17F44DA870072C5CE396EB01BF

22CE208ACB16875CDD9D42A794557A56068220C2

2F9079DF89E96A997A910F9243173AC60BFE625501452152F8AB281778E5696B

49152:xhx7dxx15qe01xtgx41J/StY/yuiYWLmgpaRZkDuZdTNACtn:JV1JALgvz4ACtn

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Drops the executable file immediately after the start

Actions looks like stealing of personal data

Scans artifacts that could help determine the target

SUSPICIOUS

Reads security settings of Internet Explorer

Searches for installed software

Changes Internet Explorer settings (feature browser emulation)

Reads Microsoft Outlook installation path

Checks Windows Trust Settings

Executable content was dropped or overwritten

Reads Internet Explorer settings

The process creates files with name similar to system file names

Creates a software uninstall entry

Reads the date of Windows installation

INFO

Checks supported languages

Reads the computer name

Checks proxy server information

Reads the software policy settings

Reads the machine GUID from the registry

Create files in a temporary directory

Creates files or folders in the user directory

Process checks Internet Explorer phishing filters

Creates files in the program directory

Reads product name

Reads Microsoft Office registry keys

Process checks computer location settings

Application launched itself

Reads Environment values

Manual execution by a user

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests