File name:

LicenseCrawler - CHIP-Installer.exe

Full analysis: https://app.any.run/tasks/5075d418-7b84-468b-93e6-8253b8cd971c
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Malware Trends Tracker     >>>
Analysis date: March 22, 2019, 07:30:23
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
loader
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
MD5:

AF72306A68434E0C43848600B87D1B27

SHA1:

46A65A84B39998B5B4333F21C545CD9D9C5C93C6

SHA256:

E81FBE35DEF1876898336A07B080F99B296C9FB76A99418D6005A3748046F10E

SSDEEP:

24576:Xq5TfcdHj4fmbo2qfjzPhHyOjgu2Fzny1gdjgsA5k:XUTsamExbjg9jgQ

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Changes settings of System certificates

      • dmr_72.exe (PID: 3848)

    • Application was dropped or rewritten from another process

      • avast_free_antivirus_setup_online.exe (PID: 3368)
      • dmr_72.exe (PID: 3848)
      • avast_free_antivirus_setup_online.exe (PID: 3556)
      • instup.exe (PID: 3996)
      • instup.exe (PID: 3424)
      • sbr.exe (PID: 3932)
      • LicenseCrawler.exe (PID: 3140)

    • Downloads executable files from the Internet

      • dmr_72.exe (PID: 3848)
      • avast_free_antivirus_setup_online.exe (PID: 3368)

    • Loads dropped or rewritten executable

      • LicenseCrawler.exe (PID: 3140)
      • instup.exe (PID: 3996)

    • Changes the autorun value in the registry

      • instup.exe (PID: 3424)

  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • LicenseCrawler - CHIP-Installer.exe (PID: 2456)
      • avast_free_antivirus_setup_online.exe (PID: 3368)
      • dmr_72.exe (PID: 3848)
      • avast_free_antivirus_setup_online.exe (PID: 3556)
      • instup.exe (PID: 3424)
      • instup.exe (PID: 3996)
      • WinRAR.exe (PID: 3892)

    • Creates files in the user directory

      • dmr_72.exe (PID: 3848)

    • Reads internet explorer settings

      • dmr_72.exe (PID: 3848)

    • Adds / modifies Windows certificates

      • dmr_72.exe (PID: 3848)

    • Creates files in the Windows directory

      • avast_free_antivirus_setup_online.exe (PID: 3368)
      • avast_free_antivirus_setup_online.exe (PID: 3556)
      • instup.exe (PID: 3996)
      • instup.exe (PID: 3424)

    • Low-level read access rights to disk partition

      • avast_free_antivirus_setup_online.exe (PID: 3368)
      • avast_free_antivirus_setup_online.exe (PID: 3556)
      • instup.exe (PID: 3996)
      • instup.exe (PID: 3424)

    • Creates files in the program directory

      • avast_free_antivirus_setup_online.exe (PID: 3556)
      • instup.exe (PID: 3996)

    • Removes files from Windows directory

      • instup.exe (PID: 3996)
      • instup.exe (PID: 3424)

    • Starts itself from another location

      • instup.exe (PID: 3996)

    • Searches for installed software

      • dmr_72.exe (PID: 3848)

  • INFO

    • Dropped object may contain Bitcoin addresses

      • LicenseCrawler - CHIP-Installer.exe (PID: 2456)
      • instup.exe (PID: 3424)

    • Reads settings of System Certificates

      • dmr_72.exe (PID: 3848)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (30.7)
.exe | UPX compressed Win32 Executable (30.1)
.exe | Win32 EXE Yoda's Crypter (29.5)
.exe | Win32 Executable (generic) (5)
.exe | Generic Win/DOS Executable (2.2)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2019:03:13 10:43:21+01:00
PEType: PE32
LinkerVersion: 11
CodeSize: 344064
InitializedDataSize: 987136
UninitializedDataSize: 1515520
EntryPoint: 0x1c68d0
OSVersion: 5.1
ImageVersion: -
SubsystemVersion: 5.1
Subsystem: Windows GUI
FileVersionNumber: 2.9.10.0
ProductVersionNumber: 2.9.10.0
FileFlagsMask: 0x0000
FileFlags: (none)
FileOS: Win32
ObjectFileType: Unknown
FileSubtype: -
LanguageCode: German
CharacterSet: Unicode
FileVersion: 2.9.10.0
Comments: CHIP Secured Installer
FileDescription: CHIP Secured Installer
ProductVersion: 2.9.10.0
LegalCopyright: Copyright © 2019 Chip Digital GmbH
CompanyName: CHIP Digital GmbH
InternalName: CHIP Secured Installer
ProductName: CHIP Secured Installer
OriginalFileName: CHIP Secured Installer

Summary

Architecture: IMAGE_FILE_MACHINE_I386
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date: 13-Mar-2019 09:43:21
Detected languages:
  • English - United Kingdom
  • German - Germany
FileVersion: 2.9.10.0
Comments: CHIP Secured Installer
FileDescription: CHIP Secured Installer
ProductVersion: 2.9.10.0
LegalCopyright: Copyright © 2019 Chip Digital GmbH
CompanyName: CHIP Digital GmbH
InternalName: CHIP Secured Installer
ProductName: CHIP Secured Installer
OriginalFilename: CHIP Secured Installer

DOS Header

Magic number: MZ
Bytes on last page of file: 0x0090
Pages in file: 0x0003
Relocations: 0x0000
Size of header: 0x0004
Min extra paragraphs: 0x0000
Max extra paragraphs: 0xFFFF
Initial SS value: 0x0000
Initial SP value: 0x00B8
Checksum: 0x0000
Initial IP value: 0x0000
Initial CS value: 0x0000
Overlay number: 0x0000
OEM identifier: 0x0000
OEM information: 0x0000
Address of NE header: 0x00000108

PE Headers

Signature: PE
Machine: IMAGE_FILE_MACHINE_I386
Number of sections: 3
Time date stamp: 13-Mar-2019 09:43:21
Pointer to Symbol Table: 0x00000000
Number of symbols: 0
Size of Optional Header: 0x00E0
Characteristics:
  • IMAGE_FILE_32BIT_MACHINE
  • IMAGE_FILE_EXECUTABLE_IMAGE
  • IMAGE_FILE_LARGE_ADDRESS_AWARE

Sections

Name
Virtual Address
Virtual Size
Raw Size
Charateristics
Entropy
UPX0
0x00001000
0x00172000
0x00000000
IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
0
UPX1
0x00173000
0x00054000
0x00053C00
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
7.93604
.rsrc
0x001C7000
0x000F1000
0x000F0E00
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
6.39466

Resources

Title
Entropy
Size
Codepage
Language
Type
1
5.32366
1444
Latin 1 / Western European
German - Germany
RT_MANIFEST
4
3.75291
9640
Latin 1 / Western European
English - United Kingdom
RT_ICON
7
3.34702
1428
Latin 1 / Western European
English - United Kingdom
RT_STRING
8
3.2817
1674
Latin 1 / Western European
English - United Kingdom
RT_STRING
9
3.28849
1168
Latin 1 / Western European
English - United Kingdom
RT_STRING
10
3.28373
1532
Latin 1 / Western European
English - United Kingdom
RT_STRING
11
3.26322
1628
Latin 1 / Western European
English - United Kingdom
RT_STRING
12
3.25812
1126
Latin 1 / Western European
English - United Kingdom
RT_STRING
99
2.0815
20
Latin 1 / Western European
English - United Kingdom
RT_GROUP_ICON
166
2.68292
80
Latin 1 / Western European
English - United Kingdom
RT_MENU

Imports

ADVAPI32.dll
COMCTL32.dll
COMDLG32.dll
GDI32.dll
IPHLPAPI.DLL
KERNEL32.DLL
MPR.dll
OLEAUT32.dll
PSAPI.DLL
SHELL32.dll
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
47
Monitored processes
13
Malicious processes
6
Suspicious processes
0

Behavior graph

Click at the process to see the details
drop and start start drop and start drop and start drop and start drop and start drop and start drop and start licensecrawler - chip-installer.exe dmr_72.exe explorer.exe no specs explorer.exe no specs avast_free_antivirus_setup_online.exe winrar.exe no specs avast_free_antivirus_setup_online.exe winrar.exe instup.exe licensecrawler.exe no specs instup.exe sbr.exe no specs licensecrawler - chip-installer.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
2456"C:\Users\admin\AppData\Local\Temp\LicenseCrawler - CHIP-Installer.exe" C:\Users\admin\AppData\Local\Temp\LicenseCrawler - CHIP-Installer.exe
explorer.exe
User:
admin
Company:
CHIP Digital GmbH
Integrity Level:
HIGH
Description:
CHIP Secured Installer
Exit code:
0
Version:
2.9.10.0
Modules
Images
c:\users\admin\appdata\local\temp\licensecrawler - chip-installer.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\gdi32.dll
2784C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -EmbeddingC:\Windows\explorer.exesvchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Explorer
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\explorer.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
3112"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\Downloads\licensecrawler_2.1.2301.zip"C:\Program Files\WinRAR\WinRAR.exeexplorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Exit code:
0
Version:
5.60.0
Modules
Images
c:\program files\winrar\winrar.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll
3140"C:\Users\admin\AppData\Local\Temp\Rar$EXa3892.37444\LicenseCrawler\LicenseCrawler.exe" C:\Users\admin\AppData\Local\Temp\Rar$EXa3892.37444\LicenseCrawler\LicenseCrawler.exeWinRAR.exe
User:
admin
Company:
Martin Klinzmann
Integrity Level:
MEDIUM
Exit code:
0
Version:
2.01.2301
Modules
Images
c:\users\admin\appdata\local\temp\rar$exa3892.37444\licensecrawler\licensecrawler.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\users\admin\appdata\local\temp\rar$exa3892.37444\licensecrawler\msvbvm60.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
3368"C:\Users\admin\AppData\Local\Temp\DMR\Downloads\152e221a8bef8d2d13c58f995563a1a1\c36806329dd1ca55ff7a96fec0779424\avast_free_antivirus_setup_online.exe" /SILENT C:\Users\admin\AppData\Local\Temp\DMR\Downloads\152e221a8bef8d2d13c58f995563a1a1\c36806329dd1ca55ff7a96fec0779424\avast_free_antivirus_setup_online.exe
dmr_72.exe
User:
admin
Company:
AVAST Software
Integrity Level:
HIGH
Description:
Avast Antivirus Installer
Exit code:
0
Version:
2.1.1279.0
Modules
Images
c:\users\admin\appdata\local\temp\dmr\downloads\152e221a8bef8d2d13c58f995563a1a1\c36806329dd1ca55ff7a96fec0779424\avast_free_antivirus_setup_online.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
3424"C:\Windows\Temp\asw.83c72f9aa07f3dad\New_13030941\instup.exe" /cookie:mmm_cip_ppi_002_599_m /edat_dir:C:\Windows\Temp\asw.8d77844b5617f669 /edition:1 /ga_clientid:94209c7b-0ef6-4fd6-831e-5085f8303a05 /guid:e119c0ee-43d6-4bad-a0fd-ad609c86941f /online_installer /prod:ais /sfx /sfxstorage:C:\Windows\Temp\asw.83c72f9aa07f3dad /SILENTC:\Windows\Temp\asw.83c72f9aa07f3dad\New_13030941\instup.exe
instup.exe
User:
admin
Company:
AVAST Software
Integrity Level:
HIGH
Description:
Avast Antivirus Installer
Exit code:
0
Version:
19.3.4241.0
Modules
Images
c:\windows\temp\asw.83c72f9aa07f3dad\new_13030941\instup.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\nsi.dll
c:\windows\system32\version.dll
c:\windows\system32\psapi.dll
3556"C:\Windows\Temp\asw.8d77844b5617f669\avast_free_antivirus_setup_online.exe" /SILENT /cookie:mmm_cip_ppi_002_599_m /ga_clientid:94209c7b-0ef6-4fd6-831e-5085f8303a05 /edat_dir:C:\Windows\Temp\asw.8d77844b5617f669C:\Windows\Temp\asw.8d77844b5617f669\avast_free_antivirus_setup_online.exe
avast_free_antivirus_setup_online.exe
User:
admin
Company:
AVAST Software
Integrity Level:
HIGH
Description:
Avast Antivirus Installer
Exit code:
0
Version:
19.3.4241.0
Modules
Images
c:\windows\temp\asw.8d77844b5617f669\avast_free_antivirus_setup_online.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
3672"C:\Users\admin\AppData\Local\Temp\LicenseCrawler - CHIP-Installer.exe" C:\Users\admin\AppData\Local\Temp\LicenseCrawler - CHIP-Installer.exeexplorer.exe
User:
admin
Company:
CHIP Digital GmbH
Integrity Level:
MEDIUM
Description:
CHIP Secured Installer
Exit code:
3221226540
Version:
2.9.10.0
Modules
Images
c:\users\admin\appdata\local\temp\licensecrawler - chip-installer.exe
c:\systemroot\system32\ntdll.dll
3848"C:\Users\admin\AppData\Local\Temp\DMR\dmr_72.exe" -install -54439828 -chipderedesign -fc6b6e4b84fe4aae9082c6161ec4930d - -BLUB2 -bhyrryigpengvmjc -2456C:\Users\admin\AppData\Local\Temp\DMR\dmr_72.exe
LicenseCrawler - CHIP-Installer.exe
User:
admin
Company:
Chip Digital GmbH
Integrity Level:
HIGH
Description:
CHIP Secured Installer
Exit code:
0
Version:
2.9.10.0
Modules
Images
c:\users\admin\appdata\local\temp\dmr\dmr_72.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
3892"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\Downloads\licensecrawler_2.1.2301.zip"C:\Program Files\WinRAR\WinRAR.exe
explorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Exit code:
0
Version:
5.60.0
Modules
Images
c:\program files\winrar\winrar.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll
Total events
9 165
Read events
6 329
Write events
2 836
Delete events
0

Modification events

(PID) Process:(2456) LicenseCrawler - CHIP-Installer.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:UNCAsIntranet
Value:
0
(PID) Process:(2456) LicenseCrawler - CHIP-Installer.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:AutoDetect
Value:
1
(PID) Process:(3848) dmr_72.exeKey:HKEY_CURRENT_USER\Software\OCS
Operation:writeName:CID
Value:
661b878e-975f-4599-8734-b17dc440936e
(PID) Process:(3848) dmr_72.exeKey:HKEY_CURRENT_USER\Software\OCS
Operation:writeName:PID
Value:
chipderedesign
(PID) Process:(3848) dmr_72.exeKey:HKEY_CURRENT_USER\Software\OCS
Operation:writeName:lastPID
Value:
chipderedesign
(PID) Process:(3848) dmr_72.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\dmr_72_RASAPI32
Operation:writeName:EnableFileTracing
Value:
0
(PID) Process:(3848) dmr_72.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\dmr_72_RASAPI32
Operation:writeName:EnableConsoleTracing
Value:
0
(PID) Process:(3848) dmr_72.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\dmr_72_RASAPI32
Operation:writeName:FileTracingMask
Value:
4294901760
(PID) Process:(3848) dmr_72.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\dmr_72_RASAPI32
Operation:writeName:ConsoleTracingMask
Value:
4294901760
(PID) Process:(3848) dmr_72.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\dmr_72_RASAPI32
Operation:writeName:MaxFileSize
Value:
1048576
Executable files
23
Suspicious files
34
Text files
47
Unknown types
2

Dropped files

PID
Process
Filename
Type
3556avast_free_antivirus_setup_online.exeSetup.log
MD5:
SHA256:
2456LicenseCrawler - CHIP-Installer.exeC:\Users\admin\AppData\Local\Temp\DMR\bhyrryigpengvmjc.dattext
MD5:
SHA256:
3848dmr_72.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H6QNMHE9\progress[1].htmhtm
MD5:
SHA256:
2456LicenseCrawler - CHIP-Installer.exeC:\Users\admin\AppData\Local\Temp\DMR\dmr_72.exeexecutable
MD5:
SHA256:
3848dmr_72.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I0488CJO\main[1].csstext
MD5:
SHA256:
3848dmr_72.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I0488CJO\main[1].jstext
MD5:
SHA256:
3848dmr_72.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JGRR2OYX\jquery[1].jstext
MD5:
SHA256:
3848dmr_72.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LH043OAM\MarselisSlabWeb[1].eoteot
MD5:
SHA256:
3848dmr_72.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LH043OAM\error[1]text
MD5:
SHA256:
3848dmr_72.exeC:\Users\admin\Downloads\licensecrawler_2.1.2301.zipcompressed
MD5:
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
51
TCP/UDP connections
56
DNS requests
58
Threats
10

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3848
dmr_72.exe
GET
200
5.9.198.83:80
http://api.chip-secured-download.de/geoip/geoip.php?ip=36322e3231342e36372e313836&givezip=true
DE
text
14 b
malicious
3848
dmr_72.exe
GET
200
5.9.198.84:80
http://static.chip-secured-download.de/gfx/pagead/AVAST/avast-buttons-v1-feb18.gif
DE
image
36.6 Kb
suspicious
3848
dmr_72.exe
GET
200
5.9.198.83:80
http://api.chip-secured-download.de/downloaderContent/main.css?v=1461939270
DE
text
1.65 Kb
malicious
3848
dmr_72.exe
GET
200
5.9.198.83:80
http://api.chip-secured-download.de/newbrandmachine/chipderedesign?cid=54439828&scid=&headline1=4C6963656E7365437261776C6572&headline2=434849502D444F574E4C4F4144&euid=366639636331626331306538356565633137636264653832&icon=68747470733A2F2F7777772E636869702E64652F69692F352F382F392F352F392F322F322F663964306162626339613035663033332E6A7067&screenshot=68747470733A2F2F7777772E636869702E64652F69692F352F382F392F352F392F322F322F623431383265623035366135343330372E6A7067&MetaRating=35&lang=en
DE
binary
121 Kb
malicious
3848
dmr_72.exe
GET
302
23.45.107.220:80
http://downloaderapi.chip.de/download/54439828/?app_key=c6bbb44ff3856592ea1486159ac37d8e
NL
html
307 b
whitelisted
3848
dmr_72.exe
GET
200
5.9.198.84:80
http://static.chip-secured-download.de/gfx/pagead/Amazon/Amazon-Feb-Test.png
DE
image
31.3 Kb
suspicious
3848
dmr_72.exe
GET
200
5.9.198.83:80
http://api.chip-secured-download.de/downloaderContent/jquery.js
DE
text
32.2 Kb
malicious
3848
dmr_72.exe
GET
200
5.9.198.83:80
http://api.chip-secured-download.de/downloaderContent/main.js?v=12
DE
text
2.74 Kb
malicious
3848
dmr_72.exe
GET
200
2.16.186.59:80
http://dl.cdn.chip.de/downloads/5895922/licensecrawler_2.1.2301.zip?cid=33927477&platform=chip&1553239550-1553247050-b8cb73-B-22c8e94d010d75df683816ce4f944580
unknown
compressed
1.37 Mb
whitelisted
3848
dmr_72.exe
GET
200
5.9.198.83:80
http://api.chip-secured-download.de/downloaderContent/MarselisSlabWeb.eot?&1440165143
DE
eot
61.7 Kb
malicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
3848
dmr_72.exe
176.9.97.244:80
api.chip-secured-download.de
Hetzner Online GmbH
DE
malicious
3368
avast_free_antivirus_setup_online.exe
172.217.16.142:80
www.google-analytics.com
Google Inc.
US
whitelisted
3368
avast_free_antivirus_setup_online.exe
77.234.45.54:80
v7event.stats.avast.com
AVAST Software s.r.o.
DE
unknown
3848
dmr_72.exe
2.16.186.59:80
dl.cdn.chip.de
Akamai International B.V.
whitelisted
3556
avast_free_antivirus_setup_online.exe
172.217.16.142:80
www.google-analytics.com
Google Inc.
US
whitelisted
3848
dmr_72.exe
5.9.198.83:80
api.chip-secured-download.de
Hetzner Online GmbH
DE
malicious
3996
instup.exe
8.8.8.8:53
Google Inc.
US
malicious
3848
dmr_72.exe
2.18.69.143:443
bits.avcdn.net
Akamai International B.V.
whitelisted
3996
instup.exe
5.62.53.220:443
shepherd.ff.avast.com
US
unknown
3996
instup.exe
89.249.74.49:80
h6891735.iavs9x.u.avast.com
M247 Ltd
GB
unknown

DNS requests

Domain
IP
Reputation
api.chip-secured-download.de
  • 5.9.198.83
  • 176.9.97.244
unknown
ocs1.chdi-server.de
  • 5.9.175.19
unknown
static.chip-secured-download.de
  • 5.9.198.84
  • 176.9.97.245
suspicious
downloaderapi.chip.de
  • 23.45.107.220
whitelisted
bits.avcdn.net
  • 2.18.69.143
whitelisted
service.chip-secured-download.de
  • 176.9.97.244
  • 5.9.198.83
malicious
dl.cdn.chip.de
  • 2.16.186.59
  • 2.16.186.72
whitelisted
www.google-analytics.com
  • 172.217.16.142
whitelisted
v7event.stats.avast.com
  • 77.234.45.54
  • 5.62.40.204
  • 77.234.45.53
whitelisted
iavs9x.u.avast.com
  • 2.16.186.104
  • 2.16.186.50
whitelisted

Threats

PID
Process
Class
Message
3848
dmr_72.exe
A Network Trojan was detected
MALWARE [PTsecurity] DownloadSponsor inbound artifact m1
3848
dmr_72.exe
A Network Trojan was detected
MALWARE [PTsecurity] DownloadSponsor inbound artifact m1
3848
dmr_72.exe
A Network Trojan was detected
MALWARE [PTsecurity] DownloadSponsor img_welcome PNG artifact
3848
dmr_72.exe
A Network Trojan was detected
MALWARE [PTsecurity] DownloadSponsor inbound artifact m1
3848
dmr_72.exe
Potential Corporate Privacy Violation
ET POLICY PE EXE or DLL Windows file download HTTP
3848
dmr_72.exe
Potentially Bad Traffic
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
3848
dmr_72.exe
Misc activity
ET INFO EXE - Served Attached HTTP
3848
dmr_72.exe
Generic Protocol Command Decode
SURICATA STREAM excessive retransmissions
3368
avast_free_antivirus_setup_online.exe
Potential Corporate Privacy Violation
ET POLICY PE EXE or DLL Windows file download HTTP
1 ETPRO signatures available at the full report
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2026 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
LicenseCrawler - CHIP-Installer.exe