Malware analysis Windows 10 ISO - 64 Bit - CHIP Installer _ObSFp.exe Malicious activity

Add for printing

File name:	Windows 10 ISO - 64 Bit - CHIP Installer _ObSFp.exe
Full analysis:	https://app.any.run/tasks/912c9b8c-7cf2-464b-a9df-6941ab250a6c
Verdict:	Malicious activity
Threats:	A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. Malware Trends Tracker >>>
Analysis date:	September 14, 2024, 16:47:41
OS:	Windows 10 Professional (build: 19045, 64 bit)
Tags:	stealer loader
Indicators:
MIME:	application/x-dosexec
File info:	PE32+ executable (GUI) x86-64, for MS Windows
MD5:	F5980F17F44DA870072C5CE396EB01BF
SHA1:	22CE208ACB16875CDD9D42A794557A56068220C2
SHA256:	2F9079DF89E96A997A910F9243173AC60BFE625501452152F8AB281778E5696B
SSDEEP:	49152:xhx7dxx15qe01xtgx41J/StY/yuiYWLmgpaRZkDuZdTNACtn:JV1JALgvz4ACtn

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 60 seconds
Heavy Evasion option:
Network geolocation:: off
Additional time used:: none
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.3636.19041.0
Adobe Acrobat (64-bit) (23.001.20093)
Adobe Flash Player 32 NPAPI (32.0.0.465)
Adobe Flash Player 32 PPAPI (32.0.0.465)
CCleaner (6.20)
FileZilla 3.65.0 (3.65.0)
Google Chrome (122.0.6261.70)
Google Update Helper (1.3.36.51)
Java 8 Update 271 (64-bit) (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Microsoft Edge (122.0.2365.59)
Microsoft Edge Update (1.3.185.17)
Microsoft Office Professional 2019 - de-de (16.0.16026.20146)
Microsoft Office Professional 2019 - en-us (16.0.16026.20146)
Microsoft Office Professional 2019 - es-es (16.0.16026.20146)
Microsoft Office Professional 2019 - it-it (16.0.16026.20146)
Microsoft Office Professional 2019 - ja-jp (16.0.16026.20146)
Microsoft Office Professional 2019 - ko-kr (16.0.16026.20146)
Microsoft Office Professional 2019 - pt-br (16.0.16026.20146)
Microsoft Office Professional 2019 - tr-tr (16.0.16026.20146)
Microsoft Office Professionnel 2019 - fr-fr (16.0.16026.20146)
Microsoft Office профессиональный 2019 - ru-ru (16.0.16026.20146)
Microsoft OneNote - en-us (16.0.16026.20146)
Microsoft Update Health Tools (3.74.0.0)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x64 en-US) (123.0)
Mozilla Maintenance Service (123.0)
Notepad++ (64-bit x64) (7.9.1)
Office 16 Click-to-Run Extensibility Component (16.0.15726.20202)
Office 16 Click-to-Run Licensing Component (16.0.16026.20146)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15928.20198)
PowerShell 7-x64 (7.3.5.0)
Skype version 8.104 (8.104)
Update for Windows 10 for x64-based Systems (KB4023057) (2.59.0.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.63.0.0)
Update for Windows 10 for x64-based Systems (KB4480730) (2.55.0.0)
Update for Windows 10 for x64-based Systems (KB5001716) (8.93.0.0)
VLC media player (3.0.11)
WinRAR 5.91 (64-bit) (5.91.0)
Windows PC Health Check (3.6.2204.08001)

Hotfixes

Client LanguagePack Package
DotNetRollup
DotNetRollup 481
FodMetadata Package
Foundation Package
Hello Face Package
InternetExplorer Optional Package
KB5003791
KB5011048
KB5015684
KB5033052
LanguageFeatures Basic en us Package
LanguageFeatures Handwriting en us Package
LanguageFeatures OCR en us Package
LanguageFeatures Speech en us Package
LanguageFeatures TextToSpeech en us Package
MSPaint FoD Package
MediaPlayer Package
Microsoft OneCore ApplicationModel Sync Desktop FOD Package
Microsoft OneCore DirectX Database FOD Package
NetFx3 OnDemand Package
Notepad FoD Package
OpenSSH Client Package
PowerShell ISE FOD Package
Printing PMCPPC FoD Package
Printing WFS FoD Package
ProfessionalEdition
QuickAssist Package
RollupFix
ServicingStack
ServicingStack 3989
StepsRecorder Package
TabletPCMath Package
UserExperience Desktop Package
WordPad FoD Package

Add for printing

MALICIOUS
- Actions looks like stealing of personal data
  - Windows 10 ISO - 64 Bit - CHIP Installer _ObSFp.exe (PID: 4092)
SUSPICIOUS
- Reads security settings of Internet Explorer
  - Windows 10 ISO - 64 Bit - CHIP Installer _ObSFp.exe (PID: 4092)
- Searches for installed software
  - Windows 10 ISO - 64 Bit - CHIP Installer _ObSFp.exe (PID: 4092)
- Checks Windows Trust Settings
  - Windows 10 ISO - 64 Bit - CHIP Installer _ObSFp.exe (PID: 4092)
- Potential Corporate Privacy Violation
  - Windows 10 ISO - 64 Bit - CHIP Installer _ObSFp.exe (PID: 4092)
- Reads Microsoft Outlook installation path
  - Windows 10 ISO - 64 Bit - CHIP Installer _ObSFp.exe (PID: 4092)
- Executable content was dropped or overwritten
  - Windows 10 ISO - 64 Bit - CHIP Installer _ObSFp.exe (PID: 4092)
- Reads Internet Explorer settings
  - Windows 10 ISO - 64 Bit - CHIP Installer _ObSFp.exe (PID: 4092)
- Process requests binary or script from the Internet
  - Windows 10 ISO - 64 Bit - CHIP Installer _ObSFp.exe (PID: 4092)
INFO
- Checks supported languages
  - Windows 10 ISO - 64 Bit - CHIP Installer _ObSFp.exe (PID: 4092)
  - WcInstaller.exe (PID: 7012)
- Checks proxy server information
  - Windows 10 ISO - 64 Bit - CHIP Installer _ObSFp.exe (PID: 4092)
- Reads the machine GUID from the registry
  - Windows 10 ISO - 64 Bit - CHIP Installer _ObSFp.exe (PID: 4092)
  - WcInstaller.exe (PID: 7012)
- Create files in a temporary directory
  - Windows 10 ISO - 64 Bit - CHIP Installer _ObSFp.exe (PID: 4092)
  - WcInstaller.exe (PID: 7012)
- Reads the computer name
  - Windows 10 ISO - 64 Bit - CHIP Installer _ObSFp.exe (PID: 4092)
  - WcInstaller.exe (PID: 7012)
- Sends debugging messages
  - WcInstaller.exe (PID: 7012)
- Creates files or folders in the user directory
  - Windows 10 ISO - 64 Bit - CHIP Installer _ObSFp.exe (PID: 4092)
- Reads the software policy settings
  - Windows 10 ISO - 64 Bit - CHIP Installer _ObSFp.exe (PID: 4092)
- Application launched itself
  - msedge.exe (PID: 872)
  - msedge.exe (PID: 7424)
  - msedge.exe (PID: 788)
- Manual execution by a user
  - msedge.exe (PID: 872)
- Executable content was dropped or overwritten
  - msedge.exe (PID: 872)
  - msedge.exe (PID: 6656)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.exe	\|	Generic Win/DOS Executable (49.6)
.exe	\|	DOS Executable Generic (49.5)
.vxd	\|	VXD Driver (0.7)

EXIF

EXE

MachineType:	AMD AMD64
TimeStamp:	2022:04:16 09:34:08+00:00
ImageFileCharacteristics:	Executable, Large address aware
PEType:	PE32+
LinkerVersion:	8
CodeSize:	4237824
InitializedDataSize:	1083392
UninitializedDataSize:	-
EntryPoint:	0x3f8020
OSVersion:	5.2
ImageVersion:	5.2
SubsystemVersion:	5.2
Subsystem:	Windows GUI
FileVersionNumber:	1.0.100.6
ProductVersionNumber:	1.0.100.6
FileFlagsMask:	0x003f
FileFlags:	(none)
FileOS:	Win32
ObjectFileType:	Executable application
FileSubtype:	-
LanguageCode:	English (U.S.)
CharacterSet:	Windows, Latin1
CompanyName:	CHIP Digital GmbH
FileDescription:	CHIP Secured Installer
FileVersion:	1.0.100.6
LegalCopyright:	Copyright 2021 CHIP Digital GmbH
ProductName:	LgInstall
ProductVersion:	1.0.100.6

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

173

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

788

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://webcf.bitdriverupdater.com/bitdrvupdt/instlr/build/10020/bitdurtsetup.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

—

Windows 10 ISO - 64 Bit - CHIP Installer _ObSFp.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Microsoft Edge

Exit code:

Version:

122.0.2365.59

872

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --flag-switches-begin --flag-switches-end --do-not-de-elevate --single-argument https://webcf.bitdriverupdater.com/bitdrvupdt/instlr/build/10020/bitdurtsetup.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

explorer.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Microsoft Edge

Exit code:

Version:

122.0.2365.59

892

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=6656 --field-trial-handle=2328,i,11921069338646277446,15289765020801452167,262144 --variations-seed-version /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

—

msedge.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

LOW

Description:

Microsoft Edge

Exit code:

Version:

122.0.2365.59

1448

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=2700 --field-trial-handle=2328,i,11921069338646277446,15289765020801452167,262144 --variations-seed-version /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

—

msedge.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

LOW

Description:

Microsoft Edge

Exit code:

Version:

122.0.2365.59

1688

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=4924 --field-trial-handle=2328,i,11921069338646277446,15289765020801452167,262144 --variations-seed-version /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

—

msedge.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

LOW

Description:

Microsoft Edge

Exit code:

Version:

122.0.2365.59

1700

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=9 --mojo-platform-channel-handle=5140 --field-trial-handle=2328,i,11921069338646277446,15289765020801452167,262144 --variations-seed-version /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

—

msedge.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

LOW

Description:

Microsoft Edge

Exit code:

Version:

122.0.2365.59

2224

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3728 --field-trial-handle=2328,i,11921069338646277446,15289765020801452167,262144 --variations-seed-version /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

—

msedge.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

LOW

Description:

Microsoft Edge

Exit code:

Version:

122.0.2365.59

2248

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=122.0.6261.70 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=122.0.2365.59 --initial-client-data=0x294,0x298,0x29c,0x288,0x2a4,0x7fffd2775fd8,0x7fffd2775fe4,0x7fffd2775ff0

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

—

msedge.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Microsoft Edge

Exit code:

Version:

122.0.2365.59

3728

"C:\Users\admin\AppData\Local\Temp\Windows 10 ISO - 64 Bit - CHIP Installer _ObSFp.exe"

C:\Users\admin\AppData\Local\Temp\Windows 10 ISO - 64 Bit - CHIP Installer _ObSFp.exe

—

explorer.exe

User:

admin

Company:

CHIP Digital GmbH

Integrity Level:

MEDIUM

Description:

CHIP Secured Installer

Exit code:

3221226540

Version:

1.0.100.6

Modules

Images
c:\users\admin\appdata\local\temp\windows 10 iso - 64 bit - chip installer _obsfp.exe
c:\windows\system32\ntdll.dll

3852

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=7320 --field-trial-handle=2328,i,11921069338646277446,15289765020801452167,262144 --variations-seed-version /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

—

msedge.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

LOW

Description:

Microsoft Edge

Exit code:

Version:

122.0.2365.59

Add for printing

Total events

3 306

Read events

3 303

Write events

Delete events

Modification events


(PID) Process:	(4092) Windows 10 ISO - 64 Bit - CHIP Installer _ObSFp.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:	write	Name:	CachePrefix
Value:
(PID) Process:	(4092) Windows 10 ISO - 64 Bit - CHIP Installer _ObSFp.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:	write	Name:	CachePrefix
Value: Cookie:
(PID) Process:	(4092) Windows 10 ISO - 64 Bit - CHIP Installer _ObSFp.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:	write	Name:	CachePrefix
Value: Visited:

Add for printing

Executable files

Suspicious files

223

Text files

Unknown types

Dropped files

PID	Process	Filename		Type
4092	Windows 10 ISO - 64 Bit - CHIP Installer _ObSFp.exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3D8AD8F11C8292F0A6BCF51E71BCA94C		binary
		MD5:D42981A26DC9AB18073A4B8E6ABD6B72	SHA256:31A43C05AC359A373FAA2C0A97652A2327BD40D34E5016C9614249461DEB2A43
4092	Windows 10 ISO - 64 Bit - CHIP Installer _ObSFp.exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751		binary
		MD5:3DFCA46E00FFA4795C72A41375F159D3	SHA256:DCBA1A505396539BAC40A7253C9F5DCCF06CBB79957E21D56305E1FC3AF5F40E
4092	Windows 10 ISO - 64 Bit - CHIP Installer _ObSFp.exe	C:\Users\admin\AppData\Local\Temp\OperaSetup_exe_89142024448159133414909\OperaSetup.exe		executable
		MD5:4F7551828E54B3FDA0E31C7446D2FB30	SHA256:0AF0E75D0C1EFE201324557563677EA515278E6C59BAFCE11248DCA8FBB73782
4092	Windows 10 ISO - 64 Bit - CHIP Installer _ObSFp.exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E0F684E6769524618A8940F5122623C4		binary
		MD5:C7D416B3FB4557D452F9B55DA4B4BA9B	SHA256:C04C9886300D4CED161B636E136F64349649031A2599EE97104D05F5BF585D95
4092	Windows 10 ISO - 64 Bit - CHIP Installer _ObSFp.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\KCV3KQBA\PPD_Bit-Driver-Updater_1[1].png		image
		MD5:4FA788C006BA2C165DFB15A20DD408D8	SHA256:AA0A1A9E282167A2A8BA84CED85760DF64311B6A2F60BF44E7BB17AAD3780C95
4092	Windows 10 ISO - 64 Bit - CHIP Installer _ObSFp.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\RR3E01RZ\easyprogresscampaign-progress-bitsolucians[1].htm		html
		MD5:9B2AFFEC375CD2607511F8E77AF8923F	SHA256:93FB2064AA42B2FDF959CA019217604C68478AB1A6A03C803F6AFDAB5C7027F6
4092	Windows 10 ISO - 64 Bit - CHIP Installer _ObSFp.exe	C:\Users\admin\AppData\Local\Temp\WcInstaller_exe_29142024448152099016909\WcInstaller.exe		executable
		MD5:0B8820B253ECF593FD3C81D38361E378	SHA256:4F03951CA69CBCCB6694B78382308832E707274497BC935C1F2242B0E8DF331B
4092	Windows 10 ISO - 64 Bit - CHIP Installer _ObSFp.exe	C:\Users\admin\AppData\Local\Temp\OperaSetup_exe_89142024448159133414909\OperaSetup_exe.parts		executable
		MD5:4F7551828E54B3FDA0E31C7446D2FB30	SHA256:0AF0E75D0C1EFE201324557563677EA515278E6C59BAFCE11248DCA8FBB73782
7012	WcInstaller.exe	C:\ProgramData\Lavasoft\Web Companion\Options\Statistics.txt		binary
		MD5:36148FD28B2EE264B263F2BF56CE5501	SHA256:4106E1B243538DB4E15D9E54C371E5A5A30FF864ADBE2C0287A47B6C607371E5
4092	Windows 10 ISO - 64 Bit - CHIP Installer _ObSFp.exe	C:\Users\admin\AppData\Local\Temp\WcInstaller_exe_29142024448152099016909\WcInstaller_exe.parts		executable
		MD5:0B8820B253ECF593FD3C81D38361E378	SHA256:4F03951CA69CBCCB6694B78382308832E707274497BC935C1F2242B0E8DF331B

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
4092	Windows 10 ISO - 64 Bit - CHIP Installer _ObSFp.exe	HEAD	200	3.160.150.82:80	http://cdn.winriser.com/winriser/app/build/10018/wrsetup.exe	unknown	—	—	suspicious
4092	Windows 10 ISO - 64 Bit - CHIP Installer _ObSFp.exe	HEAD	200	104.19.159.224:80	http://webcompanion.com/nano_download.php?partner=CH220501	unknown	—	—	malicious
6536	SIHClient.exe	GET	200	23.52.120.96:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl	unknown	—	—	whitelisted
6536	SIHClient.exe	GET	200	23.52.120.96:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl	unknown	—	—	whitelisted
8	svchost.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D	unknown	—	—	whitelisted
—	—	GET	200	23.52.120.96:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
4092	Windows 10 ISO - 64 Bit - CHIP Installer _ObSFp.exe	GET	200	184.24.77.50:80	http://r10.o.lencr.org/MFMwUTBPME0wSzAJBgUrDgMCGgUABBRpD%2BQVZ%2B1vf7U0RGQGBm8JZwdxcgQUdKR2KRcYVIUxN75n5gZYwLzFBXICEgOdAgnIraL4lDWowBGbYHeuTw%3D%3D	unknown	—	—	whitelisted
4092	Windows 10 ISO - 64 Bit - CHIP Installer _ObSFp.exe	GET	206	104.19.159.224:80	http://webcompanion.com/nano_download.php?partner=CH220501	unknown	—	—	malicious
4092	Windows 10 ISO - 64 Bit - CHIP Installer _ObSFp.exe	GET	200	184.24.77.64:80	http://r11.o.lencr.org/MFMwUTBPME0wSzAJBgUrDgMCGgUABBQaUrm0WeTDM5ghfoZtS72KO9ZnzgQUCLkRO6XQhRi06g%2BgrZ%2BGHo78OCcCEgNr9Zw09vfQMK3gFNdzxEDkzQ%3D%3D	unknown	—	—	whitelisted
4092	Windows 10 ISO - 64 Bit - CHIP Installer _ObSFp.exe	GET	206	3.160.150.82:80	http://cdn.winriser.com/winriser/app/build/10018/wrsetup.exe	unknown	—	—	suspicious

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
6880	svchost.exe	40.127.240.158:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
2120	MoUsoCoreWorker.exe	40.127.240.158:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
—	—	40.127.240.158:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
—	—	23.52.120.96:80	www.microsoft.com	AKAMAI-AS	DE	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
4092	Windows 10 ISO - 64 Bit - CHIP Installer _ObSFp.exe	83.125.106.237:443	chip-cluster.de	3U TELECOM GmbH	DE	unknown
3260	svchost.exe	40.113.110.67:443	client.wns.windows.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
8	svchost.exe	40.126.31.67:443	login.live.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
8	svchost.exe	192.229.221.95:80	ocsp.digicert.com	EDGECAST	US	whitelisted
2120	MoUsoCoreWorker.exe	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted

DNS requests

Domain	IP	Reputation
settings-win.data.microsoft.com	40.127.240.158 51.104.136.2	whitelisted
www.microsoft.com	23.52.120.96	whitelisted
google.com	172.217.18.110	whitelisted
chip-cluster.de	83.125.106.237	unknown
client.wns.windows.com	40.113.110.67	whitelisted
login.live.com	40.126.31.67 40.126.31.73 20.190.159.68 20.190.159.2 20.190.159.4 20.190.159.73 40.126.31.71 20.190.159.71	whitelisted
ocsp.digicert.com	192.229.221.95	whitelisted
slscr.update.microsoft.com	40.127.169.103	whitelisted
fe3cr.delivery.mp.microsoft.com	52.165.164.15	whitelisted
d8kkkzr1spalx.cloudfront.net	18.245.33.162 18.245.33.190 18.245.33.13 18.245.33.67	whitelisted

Threats

PID	Process	Class	Message
4092	Windows 10 ISO - 64 Bit - CHIP Installer _ObSFp.exe	Potentially Bad Traffic	ET POLICY Executable served from Amazon S3
4092	Windows 10 ISO - 64 Bit - CHIP Installer _ObSFp.exe	Potential Corporate Privacy Violation	ET POLICY PE EXE or DLL Windows file download HTTP
4092	Windows 10 ISO - 64 Bit - CHIP Installer _ObSFp.exe	Potential Corporate Privacy Violation	ET POLICY PE EXE or DLL Windows file download HTTP
4092	Windows 10 ISO - 64 Bit - CHIP Installer _ObSFp.exe	Misc activity	ET INFO EXE - Served Attached HTTP

Add for printing

Process	Message
WcInstaller.exe	filePath is C:\Users\admin\AppData\Local\Temp\WcInstaller_exe_29142024448152099016909\WcInstaller.exe

General Info

Windows 10 ISO - 64 Bit - CHIP Installer _ObSFp.exe

F5980F17F44DA870072C5CE396EB01BF

22CE208ACB16875CDD9D42A794557A56068220C2

2F9079DF89E96A997A910F9243173AC60BFE625501452152F8AB281778E5696B

49152:xhx7dxx15qe01xtgx41J/StY/yuiYWLmgpaRZkDuZdTNACtn:JV1JALgvz4ACtn

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Actions looks like stealing of personal data

SUSPICIOUS

Reads security settings of Internet Explorer

Searches for installed software

Checks Windows Trust Settings

Potential Corporate Privacy Violation

Reads Microsoft Outlook installation path

Executable content was dropped or overwritten

Reads Internet Explorer settings

Process requests binary or script from the Internet

INFO

Checks supported languages

Checks proxy server information

Reads the machine GUID from the registry

Create files in a temporary directory

Reads the computer name

Sends debugging messages

Creates files or folders in the user directory

Reads the software policy settings

Application launched itself

Manual execution by a user

Executable content was dropped or overwritten

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Information

Information

Information

Information

Information

Information

Information

Information

Modules

Information

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings