Create Interactive Tour

Windows Analysis Report
Snipping Tool Plus - CHIP Installer _Pvujx.exe

Overview

General Information

Sample Name:	Snipping Tool Plus - CHIP Installer _Pvujx.exe
Analysis ID:	779040
MD5:	f5980f17f44da870072c5ce396eb01bf
SHA1:	22ce208acb16875cdd9d42a794557a56068220c2
SHA256:	2f9079df89e96a997a910f9243173ac60bfe625501452152f8ab281778e5696b
Infos:

Detection

Score:	28
Range:	0 - 100
Whitelisted:	false
Confidence:	20%

Compliance

Score:	62
Range:	0 - 100

Signatures

Multi AV Scanner detection for submitted file

Writes to foreign memory regions

Tries to harvest and steal browser information (history, passwords, etc)

Queries the volume information (name, serial number etc) of a device

Yara signature match

May sleep (evasive loops) to hinder dynamic analysis

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

PE file contains sections with non-standard names

Creates processes with suspicious names

Found dropped PE file which has not been started or loaded

Contains long sleeps (>= 3 min)

Abnormal high CPU Usage

Is looking for software installed on the system

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Drops files with a non-matching file extension (content does not match file extension)

Allocates memory with a write watch (potentially for evading sandboxes)

Drops PE files

PE file contains more sections than normal

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Creates a process in suspended mode (likely to inject code)

Classification

Analysis Advice

Sample drops PE files which have not been started, submit dropped PE samples for a secondary analysis to Joe Sandbox

Sample tries to load a library which is not present or installed on the analysis machine, adding the library might reveal more behavior

Uses HTTPS for network communication, use the 'Proxy HTTPS (port 443) to read its encrypted data' cookbook for further analysis

Sample monitors window changes (e.g. starting applications), analyze the sample with the 'Simulates keyboard and window changes' cookbook

Process Tree

System is w10x64_ra

Snipping Tool Plus - CHIP Installer _Pvujx.exe (PID: 1592 cmdline: C:\Users\alfredo\Desktop\Snipping Tool Plus - CHIP Installer _Pvujx.exe MD5: F5980F17F44DA870072C5CE396EB01BF)

explorer.exe (PID: 6400 cmdline: C:\Windows\explorer.exe" /n /select,"C:\Users\alfredo\AppData\Local\Temp\outsrf220429_exe_1162023214092743401251\outsrf220429.exe.lnk MD5: D7874DD30BA935AAED6F730A0ED84610)

explorer.exe (PID: 6584 cmdline: C:\Windows\explorer.exe" /select,"C:\Users\alfredo\Downloads\SnippingToolPlusv3-4-1-0.zip MD5: D7874DD30BA935AAED6F730A0ED84610)

explorer.exe (PID: 6432 cmdline: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding MD5: D7874DD30BA935AAED6F730A0ED84610)

outsrf220429.exe (PID: 6476 cmdline: "C:\Users\alfredo\AppData\Local\Temp\outsrf220429_exe_1162023214092743401251\outsrf220429.exe" null MD5: 2670D3FCFECE2FA02CBE00AF6E462BFA)

conhost.exe (PID: 6484 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: C5E9B1D1103EDCEA2E408E9497A5A88F)

133174844577776824.exe (PID: 6560 cmdline: C:\Users\alfredo\AppData\Roaming\stubinstaller\133174844577776824.exe MD5: 98BDFFE59B649724E7DB0148DC3A3CC8)

chrome.exe (PID: 1568 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-gpu --new-window https://chrome.google.com/webstore/detail/outsurf/eiamiknkelfkfombkabmpdanicllfohk MD5: 7BC7B4AEDC055BB02BCB52710132E9E1)

chrome.exe (PID: 2516 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2056 --field-trial-handle=1700,i,7417051785048858462,14921285242444709930,131072 /prefetch:8 MD5: 7BC7B4AEDC055BB02BCB52710132E9E1)

explorer.exe (PID: 6624 cmdline: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding MD5: D7874DD30BA935AAED6F730A0ED84610)

cleanup

Yara Signatures

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\alfredo\AppData\Local\Temp\outsrf220429_exe_1162023214092743401251\outsrf220429_exe.parts	SUSP_XORed_Mozilla	Detects suspicious single byte XORed keyword \'Mozilla/5.0\' - it uses yara\'s XOR modifier and therefore cannot print the XOR key. You can use the CyberChef recipe linked in the reference field to brute force the used key.	Florian Roth	0x58bd1:$xo1: ^\x13\|\x13i\x13z\x13\x7F\x13\x7F\x13r\x13<\x13&\x13=\x13#\x13 0x216ed8:$xo1: ^\x13\|\x13i\x13z\x13\x7F\x13\x7F\x13r\x13<\x13&\x13=\x13#\x13
C:\Users\alfredo\AppData\Local\Temp\outsrf220429_exe_1162023214092743401251\outsrf220429_exe.parts	SUSP_XORed_Mozilla	Detects suspicious single byte XORed keyword \'Mozilla/5.0\' - it uses yara\'s XOR modifier and therefore cannot print the XOR key. You can use the CyberChef recipe linked in the reference field to brute force the used key.	Florian Roth	0x58bd1:$xo1: ^\x13\|\x13i\x13z\x13\x7F\x13\x7F\x13r\x13<\x13&\x13=\x13#\x13 0x216ed8:$xo1: ^\x13\|\x13i\x13z\x13\x7F\x13\x7F\x13r\x13<\x13&\x13=\x13#\x13
C:\Users\alfredo\AppData\Local\Temp\outsrf220429_exe_1162023214092743401251\outsrf220429_exe.parts	SUSP_XORed_Mozilla	Detects suspicious single byte XORed keyword \'Mozilla/5.0\' - it uses yara\'s XOR modifier and therefore cannot print the XOR key. You can use the CyberChef recipe linked in the reference field to brute force the used key.	Florian Roth	0x58bd1:$xo1: ^\x13\|\x13i\x13z\x13\x7F\x13\x7F\x13r\x13<\x13&\x13=\x13#\x13 0x216ed8:$xo1: ^\x13\|\x13i\x13z\x13\x7F\x13\x7F\x13r\x13<\x13&\x13=\x13#\x13

Memory Dumps

Source	Rule	Description	Author	Strings
0000000E.00000000.1625584276.000001979EBC2000.00000002.00000001.01000000.00000011.sdmp	SUSP_XORed_Mozilla	Detects suspicious single byte XORed keyword \'Mozilla/5.0\' - it uses yara\'s XOR modifier and therefore cannot print the XOR key. You can use the CyberChef recipe linked in the reference field to brute force the used key.	Florian Roth	0x589d1:$xo1: ^\x13\|\x13i\x13z\x13\x7F\x13\x7F\x13r\x13<\x13&\x13=\x13#\x13 0x216cd8:$xo1: ^\x13\|\x13i\x13z\x13\x7F\x13\x7F\x13r\x13<\x13&\x13=\x13#\x13

Joe Sandbox Signatures

• AV Detection
• Bitcoin Miner
• Compliance
• Networking
• System Summary
• Data Obfuscation
• Persistence and Installation Behavior
• Hooking and other Techniques for Hiding and Protection
• Malware Analysis System Evasion
• Anti Debugging
• HIPS / PFW / Operating System Protection Evasion
• Language, Device and Operating System Detection
• Lowering of HIPS / PFW / Operating System Security Settings
• Stealing of Sensitive Information

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: Snipping Tool Plus - CHIP Installer _Pvujx.exe

Virustotal: Detection: 11%

Perma Link

Bitcoin Miner

Source: C:\Users\alfredo\Desktop\Snipping Tool Plus - CHIP Installer _Pvujx.exe

Registry value created: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION Snipping Tool Plus - CHIP Installer _Pvujx.exe

Compliance

Uses secure TLS version for HTTPS connections

Source: unknown	HTTPS traffic detected: 83.125.106.237:443 -> 192.168.2.3:49714 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 83.125.106.237:443 -> 192.168.2.3:49715 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 83.125.106.237:443 -> 192.168.2.3:49718 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 83.125.106.237:443 -> 192.168.2.3:49717 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 83.125.106.237:443 -> 192.168.2.3:49716 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 83.125.106.237:443 -> 192.168.2.3:49719 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 83.125.106.237:443 -> 192.168.2.3:49720 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 83.125.106.237:443 -> 192.168.2.3:49721 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 83.125.106.237:443 -> 192.168.2.3:49723 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 83.125.106.237:443 -> 192.168.2.3:49722 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 83.125.106.237:443 -> 192.168.2.3:49724 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 83.125.106.237:443 -> 192.168.2.3:49726 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 83.125.106.237:443 -> 192.168.2.3:49725 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 83.125.106.237:443 -> 192.168.2.3:49731 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.212.44.250:443 -> 192.168.2.3:49733 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.26.182.112:443 -> 192.168.2.3:49732 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.212.44.250:443 -> 192.168.2.3:49738 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.158.249.69:443 -> 192.168.2.3:49742 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 83.125.106.237:443 -> 192.168.2.3:49743 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 83.125.106.237:443 -> 192.168.2.3:49744 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 52.208.31.180:443 -> 192.168.2.3:49746 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 52.208.31.180:443 -> 192.168.2.3:49747 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 52.208.31.180:443 -> 192.168.2.3:49748 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 3.122.207.2:443 -> 192.168.2.3:49749 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 52.208.31.180:443 -> 192.168.2.3:49750 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 52.208.31.180:443 -> 192.168.2.3:49751 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 52.57.167.243:443 -> 192.168.2.3:49754 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 52.208.31.180:443 -> 192.168.2.3:49767 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 52.208.31.180:443 -> 192.168.2.3:49768 version: TLS 1.2

PE / OLE file has a valid certificate

Source: Snipping Tool Plus - CHIP Installer _Pvujx.exe

Static PE information: certificate valid

Contains modern PE file flags such as dynamic base (ASLR) or NX

Source: Snipping Tool Plus - CHIP Installer _Pvujx.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT

Networking

Source: unknown	Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown	Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49746 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49720 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown	Network traffic detected: HTTP traffic on port 49717 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown	Network traffic detected: HTTP traffic on port 49759 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown	Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49724 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49767 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49749 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49726
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49725
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49724
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49768
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49723
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49767
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49722
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49721
Source: unknown	Network traffic detected: HTTP traffic on port 49758 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49764
Source: unknown	Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49761
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49760
Source: unknown	Network traffic detected: HTTP traffic on port 49725 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49748 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49760 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49764 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49719 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49722 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49719
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown	Network traffic detected: HTTP traffic on port 49751 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49717
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown	Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49759
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49714
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49758
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49757
Source: unknown	Network traffic detected: HTTP traffic on port 49738 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49757 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49754
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49751
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49750
Source: unknown	Network traffic detected: HTTP traffic on port 49726 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49761 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49768 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49750 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49749
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49748
Source: unknown	Network traffic detected: HTTP traffic on port 49754 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49747
Source: unknown	Network traffic detected: HTTP traffic on port 49737 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49746

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: unknown

DNS traffic detected: queries for: chip-cluster.de

Source: global traffic

HTTP traffic detected: GET /gfx/progress/BitGuardian/PPD_Bit-Driver-Updater_1.png HTTP/1.1Accept: */*Accept-Language: en-US,en;q=0.5User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoUA-CPU: AMD64Accept-Encoding: gzip, deflateHost: static.chip-secured-download.deConnection: Keep-Alive

Uses secure TLS version for HTTPS connections

Source: unknown	HTTPS traffic detected: 83.125.106.237:443 -> 192.168.2.3:49714 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 83.125.106.237:443 -> 192.168.2.3:49715 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 83.125.106.237:443 -> 192.168.2.3:49718 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 83.125.106.237:443 -> 192.168.2.3:49717 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 83.125.106.237:443 -> 192.168.2.3:49716 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 83.125.106.237:443 -> 192.168.2.3:49719 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 83.125.106.237:443 -> 192.168.2.3:49720 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 83.125.106.237:443 -> 192.168.2.3:49721 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 83.125.106.237:443 -> 192.168.2.3:49723 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 83.125.106.237:443 -> 192.168.2.3:49722 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 83.125.106.237:443 -> 192.168.2.3:49724 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 83.125.106.237:443 -> 192.168.2.3:49726 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 83.125.106.237:443 -> 192.168.2.3:49725 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 83.125.106.237:443 -> 192.168.2.3:49731 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.212.44.250:443 -> 192.168.2.3:49733 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.26.182.112:443 -> 192.168.2.3:49732 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.212.44.250:443 -> 192.168.2.3:49738 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.158.249.69:443 -> 192.168.2.3:49742 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 83.125.106.237:443 -> 192.168.2.3:49743 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 83.125.106.237:443 -> 192.168.2.3:49744 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 52.208.31.180:443 -> 192.168.2.3:49746 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 52.208.31.180:443 -> 192.168.2.3:49747 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 52.208.31.180:443 -> 192.168.2.3:49748 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 3.122.207.2:443 -> 192.168.2.3:49749 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 52.208.31.180:443 -> 192.168.2.3:49750 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 52.208.31.180:443 -> 192.168.2.3:49751 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 52.57.167.243:443 -> 192.168.2.3:49754 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 52.208.31.180:443 -> 192.168.2.3:49767 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 52.208.31.180:443 -> 192.168.2.3:49768 version: TLS 1.2

System Summary

Source: 0000000E.00000000.1625584276.000001979EBC2000.00000002.00000001.01000000.00000011.sdmp, type: MEMORY	Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious single byte XORed keyword \'Mozilla/5.0\' - it uses yara\'s XOR modifier and therefore cannot print the XOR key. You can use the CyberChef recipe linked in the reference field to brute force the used key., score = , reference = https://gchq.github.io/CyberChef/#recipe=XOR_Brute_Force(), modified = 2022-05-13
Source: C:\Users\alfredo\AppData\Local\Temp\outsrf220429_exe_1162023214092743401251\outsrf220429_exe.parts, type: DROPPED	Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious single byte XORed keyword \'Mozilla/5.0\' - it uses yara\'s XOR modifier and therefore cannot print the XOR key. You can use the CyberChef recipe linked in the reference field to brute force the used key., score = , reference = https://gchq.github.io/CyberChef/#recipe=XOR_Brute_Force(), modified = 2022-05-13
Source: C:\Users\alfredo\AppData\Local\Temp\outsrf220429_exe_1162023214092743401251\outsrf220429_exe.parts, type: DROPPED	Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious single byte XORed keyword \'Mozilla/5.0\' - it uses yara\'s XOR modifier and therefore cannot print the XOR key. You can use the CyberChef recipe linked in the reference field to brute force the used key., score = , reference = https://gchq.github.io/CyberChef/#recipe=XOR_Brute_Force(), modified = 2022-05-13
Source: C:\Users\alfredo\AppData\Local\Temp\outsrf220429_exe_1162023214092743401251\outsrf220429_exe.parts, type: DROPPED	Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious single byte XORed keyword \'Mozilla/5.0\' - it uses yara\'s XOR modifier and therefore cannot print the XOR key. You can use the CyberChef recipe linked in the reference field to brute force the used key., score = , reference = https://gchq.github.io/CyberChef/#recipe=XOR_Brute_Force(), modified = 2022-05-13

Source: C:\Users\alfredo\AppData\Roaming\stubinstaller\133174844577776824.exe

Process Stats: CPU usage > 98%

Source: Snipping Tool Plus - CHIP Installer _Pvujx.exe

Static PE information: Number of sections : 11 > 10

Source: Snipping Tool Plus - CHIP Installer _Pvujx.exe

Virustotal: Detection: 11%

Source: C:\Users\alfredo\Desktop\Snipping Tool Plus - CHIP Installer _Pvujx.exe

File read: C:\Users\alfredo\Desktop\Snipping Tool Plus - CHIP Installer _Pvujx.exe

Source: Snipping Tool Plus - CHIP Installer _Pvujx.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\alfredo\Desktop\Snipping Tool Plus - CHIP Installer _Pvujx.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: unknown	Process created: C:\Users\alfredo\Desktop\Snipping Tool Plus - CHIP Installer _Pvujx.exe C:\Users\alfredo\Desktop\Snipping Tool Plus - CHIP Installer _Pvujx.exe
Source: C:\Users\alfredo\Desktop\Snipping Tool Plus - CHIP Installer _Pvujx.exe	Process created: C:\Windows\explorer.exe C:\Windows\explorer.exe" /n /select,"C:\Users\alfredo\AppData\Local\Temp\outsrf220429_exe_1162023214092743401251\outsrf220429.exe.lnk
Source: unknown	Process created: C:\Windows\explorer.exe
Source: C:\Windows\explorer.exe	Process created: C:\Users\alfredo\AppData\Local\Temp\outsrf220429_exe_1162023214092743401251\outsrf220429.exe "C:\Users\alfredo\AppData\Local\Temp\outsrf220429_exe_1162023214092743401251\outsrf220429.exe" null
Source: C:\Users\alfredo\AppData\Local\Temp\outsrf220429_exe_1162023214092743401251\outsrf220429.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\alfredo\AppData\Local\Temp\outsrf220429_exe_1162023214092743401251\outsrf220429.exe	Process created: C:\Users\alfredo\AppData\Roaming\stubinstaller\133174844577776824.exe C:\Users\alfredo\AppData\Roaming\stubinstaller\133174844577776824.exe
Source: C:\Users\alfredo\Desktop\Snipping Tool Plus - CHIP Installer _Pvujx.exe	Process created: C:\Windows\explorer.exe C:\Windows\explorer.exe" /select,"C:\Users\alfredo\Downloads\SnippingToolPlusv3-4-1-0.zip
Source: unknown	Process created: C:\Windows\explorer.exe C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
Source: C:\Windows\explorer.exe	Process created: C:\Users\alfredo\AppData\Local\Temp\outsrf220429_exe_1162023214092743401251\outsrf220429.exe "C:\Users\alfredo\AppData\Local\Temp\outsrf220429_exe_1162023214092743401251\outsrf220429.exe" null
Source: C:\Users\alfredo\Desktop\Snipping Tool Plus - CHIP Installer _Pvujx.exe	Process created: C:\Windows\explorer.exe C:\Windows\explorer.exe" /n /select,"C:\Users\alfredo\AppData\Local\Temp\outsrf220429_exe_1162023214092743401251\outsrf220429.exe.lnk
Source: C:\Users\alfredo\Desktop\Snipping Tool Plus - CHIP Installer _Pvujx.exe	Process created: C:\Windows\explorer.exe C:\Windows\explorer.exe" /select,"C:\Users\alfredo\Downloads\SnippingToolPlusv3-4-1-0.zip
Source: C:\Users\alfredo\AppData\Roaming\stubinstaller\133174844577776824.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-gpu --new-window https://chrome.google.com/webstore/detail/outsurf/eiamiknkelfkfombkabmpdanicllfohk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2056 --field-trial-handle=1700,i,7417051785048858462,14921285242444709930,131072 /prefetch:8
Source: C:\Users\alfredo\AppData\Roaming\stubinstaller\133174844577776824.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-gpu --new-window https://chrome.google.com/webstore/detail/outsurf/eiamiknkelfkfombkabmpdanicllfohk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2056 --field-trial-handle=1700,i,7417051785048858462,14921285242444709930,131072 /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown

Source: C:\Users\alfredo\Desktop\Snipping Tool Plus - CHIP Installer _Pvujx.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9FC8E510-A27C-4B3B-B9A3-BF65F00256A8}\InProcServer32

Source: C:\Users\alfredo\Desktop\Snipping Tool Plus - CHIP Installer _Pvujx.exe

File created: C:\Users\alfredo\AppData\Local\Microsoft\Windows\INetCache\IE\98S549LJ\easyprogresscampaign-progress-bitsolucians[1].htm

Source: C:\Users\alfredo\Desktop\Snipping Tool Plus - CHIP Installer _Pvujx.exe

File created: C:\Users\alfredo\AppData\Local\Temp\temp.html

Source: classification engine

Classification label: sus28.spyw.winEXE@25/18@38/132

Source: C:\Users\alfredo\Desktop\Snipping Tool Plus - CHIP Installer _Pvujx.exe

File read: C:\Windows\win.ini

Source: C:\Users\alfredo\Desktop\Snipping Tool Plus - CHIP Installer _Pvujx.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\alfredo\Desktop\Snipping Tool Plus - CHIP Installer _Pvujx.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales

Source: C:\Users\alfredo\AppData\Local\Temp\outsrf220429_exe_1162023214092743401251\outsrf220429.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ec23d1294499b4ffba61f212cb1217cd\mscorlib.ni.dll
Source: C:\Users\alfredo\AppData\Roaming\stubinstaller\133174844577776824.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ec23d1294499b4ffba61f212cb1217cd\mscorlib.ni.dll

Source: C:\Users\alfredo\Desktop\Snipping Tool Plus - CHIP Installer _Pvujx.exe	Mutant created: \Sessions\1\BaseNamedObjects\600103638113301
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6484:120:WilError_02

Source: C:\Users\alfredo\Desktop\Snipping Tool Plus - CHIP Installer _Pvujx.exe	Process created: C:\Windows\explorer.exe
Source: unknown	Process created: C:\Windows\explorer.exe
Source: C:\Users\alfredo\Desktop\Snipping Tool Plus - CHIP Installer _Pvujx.exe	Process created: C:\Windows\explorer.exe
Source: unknown	Process created: C:\Windows\explorer.exe
Source: C:\Users\alfredo\Desktop\Snipping Tool Plus - CHIP Installer _Pvujx.exe	Process created: C:\Windows\explorer.exe
Source: C:\Users\alfredo\Desktop\Snipping Tool Plus - CHIP Installer _Pvujx.exe	Process created: C:\Windows\explorer.exe

Source: C:\Users\alfredo\Desktop\Snipping Tool Plus - CHIP Installer _Pvujx.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\alfredo\Desktop\Snipping Tool Plus - CHIP Installer _Pvujx.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\alfredo\Desktop\Snipping Tool Plus - CHIP Installer _Pvujx.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\alfredo\Desktop\Snipping Tool Plus - CHIP Installer _Pvujx.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\alfredo\Desktop\Snipping Tool Plus - CHIP Installer _Pvujx.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\alfredo\Desktop\Snipping Tool Plus - CHIP Installer _Pvujx.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\alfredo\AppData\Roaming\stubinstaller\133174844577776824.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\alfredo\AppData\Roaming\stubinstaller\133174844577776824.exe	File read: C:\Windows\System32\drivers\etc\hosts

Executable creates window controls seldom found in malware

Source: C:\Users\alfredo\Desktop\Snipping Tool Plus - CHIP Installer _Pvujx.exe

Window found: window name: TButton

Found graphical window changes (likely an installer)

Source: Window Recorder

Window detected: More than 3 window changes detected

PE file has a big code size

Source: Snipping Tool Plus - CHIP Installer _Pvujx.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Submission file is bigger than most known malware samples

Source: Snipping Tool Plus - CHIP Installer _Pvujx.exe

Static file information: File size 5331520 > 1048576

PE / OLE file has a valid certificate

Source: Snipping Tool Plus - CHIP Installer _Pvujx.exe

Static PE information: certificate valid

PE file has a big raw section

Source: Snipping Tool Plus - CHIP Installer _Pvujx.exe

Static PE information: Raw size of .text is bigger than: 0x100000 < 0x40aa00

Contains modern PE file flags such as dynamic base (ASLR) or NX

Source: Snipping Tool Plus - CHIP Installer _Pvujx.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT

Data Obfuscation

Source: Snipping Tool Plus - CHIP Installer _Pvujx.exe

Static PE information: section name: .didata

Persistence and Installation Behavior

Source: C:\Users\alfredo\Desktop\Snipping Tool Plus - CHIP Installer _Pvujx.exe	File created: \snipping tool plus - chip installer _pvujx.exe
Source: C:\Users\alfredo\Desktop\Snipping Tool Plus - CHIP Installer _Pvujx.exe	File created: \snipping tool plus - chip installer _pvujx.exe
Source: C:\Users\alfredo\Desktop\Snipping Tool Plus - CHIP Installer _Pvujx.exe	File created: \snipping tool plus - chip installer _pvujx.exe
Source: C:\Users\alfredo\Desktop\Snipping Tool Plus - CHIP Installer _Pvujx.exe	File created: \snipping tool plus - chip installer _pvujx.exe

Source: C:\Users\alfredo\Desktop\Snipping Tool Plus - CHIP Installer _Pvujx.exe	File created: C:\Users\alfredo\AppData\Local\Temp\avira_de_sptl1___chip-spotlight-release_exe_3162023214094295883251\avira_de_sptl1___chip-spotlight-release_exe.parts	Jump to dropped file
Source: C:\Users\alfredo\Desktop\Snipping Tool Plus - CHIP Installer _Pvujx.exe	File created: C:\Users\alfredo\AppData\Local\Temp\OperaSetup_exe_3162023214092374826251\OperaSetup_exe.parts	Jump to dropped file
Source: C:\Users\alfredo\Desktop\Snipping Tool Plus - CHIP Installer _Pvujx.exe	File created: C:\Users\alfredo\AppData\Local\Temp\outsrf220429_exe_1162023214092743401251\outsrf220429_exe.parts	Jump to dropped file

Source: C:\Users\alfredo\Desktop\Snipping Tool Plus - CHIP Installer _Pvujx.exe	File created: C:\Users\alfredo\AppData\Local\Temp\outsrf220429_exe_1162023214092743401251\outsrf220429.exe (copy)	Jump to dropped file
Source: C:\Users\alfredo\Desktop\Snipping Tool Plus - CHIP Installer _Pvujx.exe	File created: C:\Users\alfredo\AppData\Local\Temp\outsrf220429_exe_1162023214092743401251\outsrf220429_exe.parts	Jump to dropped file
Source: C:\Users\alfredo\Desktop\Snipping Tool Plus - CHIP Installer _Pvujx.exe	File created: C:\Users\alfredo\AppData\Local\Temp\avira_de_sptl1___chip-spotlight-release_exe_3162023214094295883251\avira_de_sptl1___chip-spotlight-release_exe.parts	Jump to dropped file
Source: C:\Users\alfredo\AppData\Local\Temp\outsrf220429_exe_1162023214092743401251\outsrf220429.exe	File created: C:\Users\alfredo\AppData\Roaming\stubinstaller\vcruntime140.dll	Jump to dropped file
Source: C:\Users\alfredo\Desktop\Snipping Tool Plus - CHIP Installer _Pvujx.exe	File created: C:\Users\alfredo\AppData\Local\Temp\OperaSetup_exe_3162023214092374826251\OperaSetup.exe (copy)	Jump to dropped file
Source: C:\Users\alfredo\AppData\Local\Temp\outsrf220429_exe_1162023214092743401251\outsrf220429.exe	File created: C:\Users\alfredo\AppData\Roaming\stubinstaller\133174844577776824.exe	Jump to dropped file
Source: C:\Users\alfredo\AppData\Local\Temp\outsrf220429_exe_1162023214092743401251\outsrf220429.exe	File created: C:\Users\alfredo\AppData\Roaming\stubinstaller\msvcp140.dll	Jump to dropped file
Source: C:\Users\alfredo\Desktop\Snipping Tool Plus - CHIP Installer _Pvujx.exe	File created: C:\Users\alfredo\AppData\Local\Temp\OperaSetup_exe_3162023214092374826251\OperaSetup_exe.parts	Jump to dropped file
Source: C:\Users\alfredo\AppData\Local\Temp\outsrf220429_exe_1162023214092743401251\outsrf220429.exe	File created: C:\Users\alfredo\AppData\Roaming\stubinstaller\vcruntime140_1.dll	Jump to dropped file
Source: C:\Users\alfredo\Desktop\Snipping Tool Plus - CHIP Installer _Pvujx.exe	File created: C:\Users\alfredo\AppData\Local\Temp\avira_de_sptl1___chip-spotlight-release_exe_3162023214094295883251\avira_de_sptl1___chip-spotlight-release.exe (copy)	Jump to dropped file

Hooking and other Techniques for Hiding and Protection

Source: C:\Users\alfredo\Desktop\Snipping Tool Plus - CHIP Installer _Pvujx.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
Source: C:\Users\alfredo\Desktop\Snipping Tool Plus - CHIP Installer _Pvujx.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot

Source: C:\Users\alfredo\Desktop\Snipping Tool Plus - CHIP Installer _Pvujx.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\alfredo\Desktop\Snipping Tool Plus - CHIP Installer _Pvujx.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\alfredo\Desktop\Snipping Tool Plus - CHIP Installer _Pvujx.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\alfredo\Desktop\Snipping Tool Plus - CHIP Installer _Pvujx.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\alfredo\Desktop\Snipping Tool Plus - CHIP Installer _Pvujx.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\alfredo\Desktop\Snipping Tool Plus - CHIP Installer _Pvujx.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\alfredo\Desktop\Snipping Tool Plus - CHIP Installer _Pvujx.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\alfredo\Desktop\Snipping Tool Plus - CHIP Installer _Pvujx.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\alfredo\Desktop\Snipping Tool Plus - CHIP Installer _Pvujx.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\alfredo\Desktop\Snipping Tool Plus - CHIP Installer _Pvujx.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\alfredo\Desktop\Snipping Tool Plus - CHIP Installer _Pvujx.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\alfredo\Desktop\Snipping Tool Plus - CHIP Installer _Pvujx.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\alfredo\Desktop\Snipping Tool Plus - CHIP Installer _Pvujx.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\alfredo\Desktop\Snipping Tool Plus - CHIP Installer _Pvujx.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\alfredo\AppData\Local\Temp\outsrf220429_exe_1162023214092743401251\outsrf220429.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\alfredo\AppData\Local\Temp\outsrf220429_exe_1162023214092743401251\outsrf220429.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\alfredo\AppData\Local\Temp\outsrf220429_exe_1162023214092743401251\outsrf220429.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\alfredo\AppData\Local\Temp\outsrf220429_exe_1162023214092743401251\outsrf220429.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\alfredo\AppData\Local\Temp\outsrf220429_exe_1162023214092743401251\outsrf220429.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\alfredo\AppData\Local\Temp\outsrf220429_exe_1162023214092743401251\outsrf220429.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\alfredo\AppData\Local\Temp\outsrf220429_exe_1162023214092743401251\outsrf220429.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\alfredo\AppData\Local\Temp\outsrf220429_exe_1162023214092743401251\outsrf220429.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\alfredo\AppData\Local\Temp\outsrf220429_exe_1162023214092743401251\outsrf220429.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\alfredo\AppData\Local\Temp\outsrf220429_exe_1162023214092743401251\outsrf220429.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\alfredo\AppData\Local\Temp\outsrf220429_exe_1162023214092743401251\outsrf220429.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\alfredo\AppData\Local\Temp\outsrf220429_exe_1162023214092743401251\outsrf220429.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\alfredo\AppData\Local\Temp\outsrf220429_exe_1162023214092743401251\outsrf220429.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\alfredo\AppData\Local\Temp\outsrf220429_exe_1162023214092743401251\outsrf220429.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\alfredo\AppData\Local\Temp\outsrf220429_exe_1162023214092743401251\outsrf220429.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\alfredo\AppData\Local\Temp\outsrf220429_exe_1162023214092743401251\outsrf220429.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\alfredo\AppData\Local\Temp\outsrf220429_exe_1162023214092743401251\outsrf220429.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\alfredo\AppData\Local\Temp\outsrf220429_exe_1162023214092743401251\outsrf220429.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\alfredo\AppData\Roaming\stubinstaller\133174844577776824.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\alfredo\AppData\Roaming\stubinstaller\133174844577776824.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\alfredo\AppData\Roaming\stubinstaller\133174844577776824.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\alfredo\AppData\Roaming\stubinstaller\133174844577776824.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\alfredo\AppData\Roaming\stubinstaller\133174844577776824.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\alfredo\AppData\Roaming\stubinstaller\133174844577776824.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\alfredo\AppData\Roaming\stubinstaller\133174844577776824.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\alfredo\AppData\Roaming\stubinstaller\133174844577776824.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\alfredo\AppData\Roaming\stubinstaller\133174844577776824.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\alfredo\AppData\Roaming\stubinstaller\133174844577776824.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\alfredo\AppData\Roaming\stubinstaller\133174844577776824.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\alfredo\AppData\Roaming\stubinstaller\133174844577776824.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\alfredo\Desktop\Snipping Tool Plus - CHIP Installer _Pvujx.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\alfredo\AppData\Roaming\stubinstaller\133174844577776824.exe TID: 6868	Thread sleep time: -150000s >= -30000s
Source: C:\Users\alfredo\AppData\Roaming\stubinstaller\133174844577776824.exe TID: 6916	Thread sleep time: -60000s >= -30000s
Source: C:\Users\alfredo\AppData\Roaming\stubinstaller\133174844577776824.exe TID: 6872	Thread sleep time: -30000s >= -30000s
Source: C:\Users\alfredo\AppData\Roaming\stubinstaller\133174844577776824.exe TID: 6580	Thread sleep time: -922337203685477s >= -30000s

Source: C:\Users\alfredo\Desktop\Snipping Tool Plus - CHIP Installer _Pvujx.exe	Dropped PE file which has not been started: C:\Users\alfredo\AppData\Local\Temp\avira_de_sptl1___chip-spotlight-release_exe_3162023214094295883251\avira_de_sptl1___chip-spotlight-release_exe.parts	Jump to dropped file
Source: C:\Users\alfredo\Desktop\Snipping Tool Plus - CHIP Installer _Pvujx.exe	Dropped PE file which has not been started: C:\Users\alfredo\AppData\Local\Temp\OperaSetup_exe_3162023214092374826251\OperaSetup.exe (copy)	Jump to dropped file
Source: C:\Users\alfredo\Desktop\Snipping Tool Plus - CHIP Installer _Pvujx.exe	Dropped PE file which has not been started: C:\Users\alfredo\AppData\Local\Temp\OperaSetup_exe_3162023214092374826251\OperaSetup_exe.parts	Jump to dropped file
Source: C:\Users\alfredo\Desktop\Snipping Tool Plus - CHIP Installer _Pvujx.exe	Dropped PE file which has not been started: C:\Users\alfredo\AppData\Local\Temp\avira_de_sptl1___chip-spotlight-release_exe_3162023214094295883251\avira_de_sptl1___chip-spotlight-release.exe (copy)	Jump to dropped file

Source: C:\Users\alfredo\AppData\Roaming\stubinstaller\133174844577776824.exe

Thread delayed: delay time: 922337203685477

Source: C:\Users\alfredo\Desktop\Snipping Tool Plus - CHIP Installer _Pvujx.exe	Registry key enumerated: More than 105 enums for key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
Source: C:\Users\alfredo\Desktop\Snipping Tool Plus - CHIP Installer _Pvujx.exe	Registry key enumerated: More than 175 enums for key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
Source: C:\Users\alfredo\Desktop\Snipping Tool Plus - CHIP Installer _Pvujx.exe	Registry key enumerated: More than 175 enums for key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
Source: C:\Users\alfredo\Desktop\Snipping Tool Plus - CHIP Installer _Pvujx.exe	Registry key enumerated: More than 175 enums for key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
Source: C:\Users\alfredo\Desktop\Snipping Tool Plus - CHIP Installer _Pvujx.exe	Registry key enumerated: More than 175 enums for key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
Source: C:\Users\alfredo\Desktop\Snipping Tool Plus - CHIP Installer _Pvujx.exe	Registry key enumerated: More than 175 enums for key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
Source: C:\Users\alfredo\Desktop\Snipping Tool Plus - CHIP Installer _Pvujx.exe	Registry key enumerated: More than 175 enums for key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
Source: C:\Users\alfredo\Desktop\Snipping Tool Plus - CHIP Installer _Pvujx.exe	Registry key enumerated: More than 175 enums for key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall

Source: C:\Users\alfredo\Desktop\Snipping Tool Plus - CHIP Installer _Pvujx.exe

Window / User API: threadDelayed 805

Source: C:\Users\alfredo\Desktop\Snipping Tool Plus - CHIP Installer _Pvujx.exe	Memory allocated: 6F20000 memory reserve \| memory write watch
Source: C:\Users\alfredo\Desktop\Snipping Tool Plus - CHIP Installer _Pvujx.exe	Memory allocated: 7020000 memory commit \| memory reserve \| memory write watch
Source: C:\Users\alfredo\Desktop\Snipping Tool Plus - CHIP Installer _Pvujx.exe	Memory allocated: 7280000 memory commit \| memory reserve \| memory write watch
Source: C:\Users\alfredo\Desktop\Snipping Tool Plus - CHIP Installer _Pvujx.exe	Memory allocated: 72A0000 memory commit \| memory reserve \| memory write watch
Source: C:\Users\alfredo\Desktop\Snipping Tool Plus - CHIP Installer _Pvujx.exe	Memory allocated: 72C0000 memory commit \| memory reserve \| memory write watch
Source: C:\Users\alfredo\Desktop\Snipping Tool Plus - CHIP Installer _Pvujx.exe	Memory allocated: AEE0000 memory commit \| memory reserve \| memory write watch
Source: C:\Users\alfredo\Desktop\Snipping Tool Plus - CHIP Installer _Pvujx.exe	Memory allocated: AF00000 memory reserve \| memory write watch

Source: C:\Users\alfredo\Desktop\Snipping Tool Plus - CHIP Installer _Pvujx.exe

Process information queried: ProcessInformation

Source: C:\Users\alfredo\AppData\Roaming\stubinstaller\133174844577776824.exe

Thread delayed: delay time: 922337203685477

Anti Debugging

Source: C:\Users\alfredo\Desktop\Snipping Tool Plus - CHIP Installer _Pvujx.exe

Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Writes to foreign memory regions

Source: C:\Users\alfredo\AppData\Local\Temp\outsrf220429_exe_1162023214092743401251\outsrf220429.exe

Memory written: C:\Users\alfredo\AppData\Roaming\stubinstaller\133174844577776824.exe base: 4010B0B2D8

Source: C:\Users\alfredo\Desktop\Snipping Tool Plus - CHIP Installer _Pvujx.exe	Process created: C:\Windows\explorer.exe C:\Windows\explorer.exe" /n /select,"C:\Users\alfredo\AppData\Local\Temp\outsrf220429_exe_1162023214092743401251\outsrf220429.exe.lnk
Source: C:\Users\alfredo\Desktop\Snipping Tool Plus - CHIP Installer _Pvujx.exe	Process created: C:\Windows\explorer.exe C:\Windows\explorer.exe" /select,"C:\Users\alfredo\Downloads\SnippingToolPlusv3-4-1-0.zip

Language, Device and Operating System Detection

Source: C:\Users\alfredo\Desktop\Snipping Tool Plus - CHIP Installer _Pvujx.exe	Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation
Source: C:\Users\alfredo\Desktop\Snipping Tool Plus - CHIP Installer _Pvujx.exe	Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation
Source: C:\Users\alfredo\Desktop\Snipping Tool Plus - CHIP Installer _Pvujx.exe	Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation
Source: C:\Users\alfredo\Desktop\Snipping Tool Plus - CHIP Installer _Pvujx.exe	Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
Source: C:\Users\alfredo\Desktop\Snipping Tool Plus - CHIP Installer _Pvujx.exe	Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
Source: C:\Users\alfredo\Desktop\Snipping Tool Plus - CHIP Installer _Pvujx.exe	Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
Source: C:\Users\alfredo\Desktop\Snipping Tool Plus - CHIP Installer _Pvujx.exe	Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
Source: C:\Users\alfredo\Desktop\Snipping Tool Plus - CHIP Installer _Pvujx.exe	Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
Source: C:\Users\alfredo\Desktop\Snipping Tool Plus - CHIP Installer _Pvujx.exe	Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
Source: C:\Users\alfredo\Desktop\Snipping Tool Plus - CHIP Installer _Pvujx.exe	Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
Source: C:\Users\alfredo\Desktop\Snipping Tool Plus - CHIP Installer _Pvujx.exe	Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
Source: C:\Users\alfredo\Desktop\Snipping Tool Plus - CHIP Installer _Pvujx.exe	Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
Source: C:\Users\alfredo\Desktop\Snipping Tool Plus - CHIP Installer _Pvujx.exe	Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
Source: C:\Users\alfredo\AppData\Local\Temp\outsrf220429_exe_1162023214092743401251\outsrf220429.exe	Queries volume information: C:\Users\alfredo\AppData\Local\Temp\outsrf220429_exe_1162023214092743401251\outsrf220429.exe VolumeInformation
Source: C:\Users\alfredo\AppData\Roaming\stubinstaller\133174844577776824.exe	Queries volume information: C:\Users\alfredo\AppData\Roaming\stubinstaller\133174844577776824.exe VolumeInformation

Lowering of HIPS / PFW / Operating System Security Settings

Source: C:\Users\alfredo\Desktop\Snipping Tool Plus - CHIP Installer _Pvujx.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntiVirusProduct
Source: C:\Users\alfredo\Desktop\Snipping Tool Plus - CHIP Installer _Pvujx.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntiSpywareProduct
Source: C:\Users\alfredo\Desktop\Snipping Tool Plus - CHIP Installer _Pvujx.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntiVirusProduct
Source: C:\Users\alfredo\Desktop\Snipping Tool Plus - CHIP Installer _Pvujx.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntiSpywareProduct
Source: C:\Users\alfredo\Desktop\Snipping Tool Plus - CHIP Installer _Pvujx.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntiVirusProduct
Source: C:\Users\alfredo\Desktop\Snipping Tool Plus - CHIP Installer _Pvujx.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntiSpywareProduct
Source: C:\Users\alfredo\Desktop\Snipping Tool Plus - CHIP Installer _Pvujx.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntiVirusProduct
Source: C:\Users\alfredo\Desktop\Snipping Tool Plus - CHIP Installer _Pvujx.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntiSpywareProduct
Source: C:\Users\alfredo\Desktop\Snipping Tool Plus - CHIP Installer _Pvujx.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntiVirusProduct
Source: C:\Users\alfredo\Desktop\Snipping Tool Plus - CHIP Installer _Pvujx.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntiSpywareProduct
Source: C:\Users\alfredo\Desktop\Snipping Tool Plus - CHIP Installer _Pvujx.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntiVirusProduct
Source: C:\Users\alfredo\Desktop\Snipping Tool Plus - CHIP Installer _Pvujx.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntiSpywareProduct
Source: C:\Users\alfredo\Desktop\Snipping Tool Plus - CHIP Installer _Pvujx.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntiVirusProduct
Source: C:\Users\alfredo\Desktop\Snipping Tool Plus - CHIP Installer _Pvujx.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntiSpywareProduct
Source: C:\Users\alfredo\Desktop\Snipping Tool Plus - CHIP Installer _Pvujx.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntiVirusProduct
Source: C:\Users\alfredo\Desktop\Snipping Tool Plus - CHIP Installer _Pvujx.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntiSpywareProduct
Source: C:\Users\alfredo\Desktop\Snipping Tool Plus - CHIP Installer _Pvujx.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntiVirusProduct
Source: C:\Users\alfredo\Desktop\Snipping Tool Plus - CHIP Installer _Pvujx.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntiSpywareProduct
Source: C:\Users\alfredo\Desktop\Snipping Tool Plus - CHIP Installer _Pvujx.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntiVirusProduct
Source: C:\Users\alfredo\Desktop\Snipping Tool Plus - CHIP Installer _Pvujx.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntiSpywareProduct
Source: C:\Users\alfredo\Desktop\Snipping Tool Plus - CHIP Installer _Pvujx.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntiVirusProduct
Source: C:\Users\alfredo\Desktop\Snipping Tool Plus - CHIP Installer _Pvujx.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntiSpywareProduct
Source: C:\Users\alfredo\Desktop\Snipping Tool Plus - CHIP Installer _Pvujx.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntiVirusProduct
Source: C:\Users\alfredo\Desktop\Snipping Tool Plus - CHIP Installer _Pvujx.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntiSpywareProduct
Source: C:\Users\alfredo\Desktop\Snipping Tool Plus - CHIP Installer _Pvujx.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntiVirusProduct
Source: C:\Users\alfredo\Desktop\Snipping Tool Plus - CHIP Installer _Pvujx.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntiSpywareProduct
Source: C:\Users\alfredo\Desktop\Snipping Tool Plus - CHIP Installer _Pvujx.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntiVirusProduct
Source: C:\Users\alfredo\Desktop\Snipping Tool Plus - CHIP Installer _Pvujx.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntiSpywareProduct
Source: C:\Users\alfredo\Desktop\Snipping Tool Plus - CHIP Installer _Pvujx.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntiVirusProduct
Source: C:\Users\alfredo\Desktop\Snipping Tool Plus - CHIP Installer _Pvujx.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntiSpywareProduct
Source: C:\Users\alfredo\Desktop\Snipping Tool Plus - CHIP Installer _Pvujx.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntiVirusProduct
Source: C:\Users\alfredo\Desktop\Snipping Tool Plus - CHIP Installer _Pvujx.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntiSpywareProduct
Source: C:\Users\alfredo\Desktop\Snipping Tool Plus - CHIP Installer _Pvujx.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntiVirusProduct
Source: C:\Users\alfredo\Desktop\Snipping Tool Plus - CHIP Installer _Pvujx.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntiSpywareProduct
Source: C:\Users\alfredo\Desktop\Snipping Tool Plus - CHIP Installer _Pvujx.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntiVirusProduct
Source: C:\Users\alfredo\Desktop\Snipping Tool Plus - CHIP Installer _Pvujx.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntiSpywareProduct
Source: C:\Users\alfredo\Desktop\Snipping Tool Plus - CHIP Installer _Pvujx.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntiVirusProduct
Source: C:\Users\alfredo\Desktop\Snipping Tool Plus - CHIP Installer _Pvujx.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntiSpywareProduct
Source: C:\Users\alfredo\Desktop\Snipping Tool Plus - CHIP Installer _Pvujx.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntiVirusProduct
Source: C:\Users\alfredo\Desktop\Snipping Tool Plus - CHIP Installer _Pvujx.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntiSpywareProduct
Source: C:\Users\alfredo\Desktop\Snipping Tool Plus - CHIP Installer _Pvujx.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntiVirusProduct
Source: C:\Users\alfredo\Desktop\Snipping Tool Plus - CHIP Installer _Pvujx.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntiSpywareProduct
Source: C:\Users\alfredo\Desktop\Snipping Tool Plus - CHIP Installer _Pvujx.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntiVirusProduct
Source: C:\Users\alfredo\Desktop\Snipping Tool Plus - CHIP Installer _Pvujx.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntiSpywareProduct
Source: C:\Users\alfredo\Desktop\Snipping Tool Plus - CHIP Installer _Pvujx.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntiVirusProduct
Source: C:\Users\alfredo\Desktop\Snipping Tool Plus - CHIP Installer _Pvujx.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntiSpywareProduct
Source: C:\Users\alfredo\Desktop\Snipping Tool Plus - CHIP Installer _Pvujx.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntiVirusProduct
Source: C:\Users\alfredo\Desktop\Snipping Tool Plus - CHIP Installer _Pvujx.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntiSpywareProduct
Source: C:\Users\alfredo\Desktop\Snipping Tool Plus - CHIP Installer _Pvujx.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntiVirusProduct
Source: C:\Users\alfredo\Desktop\Snipping Tool Plus - CHIP Installer _Pvujx.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntiSpywareProduct
Source: C:\Users\alfredo\Desktop\Snipping Tool Plus - CHIP Installer _Pvujx.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntiVirusProduct
Source: C:\Users\alfredo\Desktop\Snipping Tool Plus - CHIP Installer _Pvujx.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntiSpywareProduct

Source: C:\Users\alfredo\Desktop\Snipping Tool Plus - CHIP Installer _Pvujx.exe

Registry value created: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION

Stealing of Sensitive Information

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\alfredo\AppData\Roaming\stubinstaller\133174844577776824.exe

File opened: C:\Users\alfredo\AppData\Roaming\Mozilla\Firefox\profiles.ini

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	1 Windows Management Instrumentation	Path Interception	111 Process Injection	11 Masquerading	1 OS Credential Dumping	1 Query Registry	Remote Services	1 Data from Local System	Exfiltration Over Other Network Medium	2 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	1 Scripting	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	1 Modify Registry	LSASS Memory	1 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	1 Ingress Tool Transfer	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	1 Disable or Modify Tools	Security Account Manager	11 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	2 Non-Application Layer Protocol	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	31 Virtualization/Sandbox Evasion	NTDS	31 Virtualization/Sandbox Evasion	Distributed Component Object Model	Input Capture	Scheduled Transfer	3 Application Layer Protocol	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	111 Process Injection	LSA Secrets	1 Application Window Discovery	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	1 Scripting	Cached Domain Credentials	1 Remote System Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Compile After Delivery	DCSync	1 File and Directory Discovery	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Indicator Removal from Tools	Proc Filesystem	21 System Information Discovery	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue

Source	Detection	Scanner	Label	Link
Snipping Tool Plus - CHIP Installer _Pvujx.exe	4%	ReversingLabs
Snipping Tool Plus - CHIP Installer _Pvujx.exe	11%	Virustotal		Browse

Dropped Files

Source	Detection	Scanner
C:\Users\alfredo\AppData\Local\Temp\avira_de_sptl1___chip-spotlight-release_exe_3162023214094295883251\avira_de_sptl1___chip-spotlight-release.exe (copy)	8%	ReversingLabs
C:\Users\alfredo\AppData\Local\Temp\outsrf220429_exe_1162023214092743401251\outsrf220429.exe (copy)	0%	ReversingLabs
C:\Users\alfredo\AppData\Roaming\stubinstaller\133174844577776824.exe	0%	ReversingLabs
C:\Users\alfredo\AppData\Roaming\stubinstaller\msvcp140.dll	0%	ReversingLabs
C:\Users\alfredo\AppData\Roaming\stubinstaller\vcruntime140.dll	0%	ReversingLabs
C:\Users\alfredo\AppData\Roaming\stubinstaller\vcruntime140_1.dll	0%	ReversingLabs

Unpacked PE Files

⊘No Antivirus matches

Domains

Source	Detection	Scanner	Link
chip-cluster.de	1%	Virustotal	Browse
www.trustedoffers.de	1%	Virustotal	Browse
static.chip-secured-download.de	0%	Virustotal	Browse
api.trustedoffers.de	1%	Virustotal	Browse

URLs

Source	Detection	Scanner	Label	Link
http://static.chip-secured-download.de/gfx/progress/BitGuardian/PPD_Bit-Driver-Updater_1.png	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
accounts.google.com	172.217.18.109	true	false		high
eu.net.opera.com	185.26.182.112	true	false		high
api.trustedoffers.de	185.158.249.69	true	false	1%, Virustotal, Browse	unknown
outsurf.net	52.57.167.243	true	false		unknown
www.oschwecke.com	3.122.207.2	true	false		unknown
sni1gl.wpc.nucdn.net	152.199.21.175	true	false		unknown
www.trustedoffers.de	185.212.44.250	true	false	1%, Virustotal, Browse	unknown
albapigateway01-907695634.eu-central-1.elb.amazonaws.com	52.57.151.95	true	false		high
www3.l.google.com	172.217.18.14	true	false		high
static.chip-secured-download.de	116.203.169.156	true	false	0%, Virustotal, Browse	unknown
chip-cluster.de	83.125.106.237	true	false	1%, Virustotal, Browse	unknown
www.google.com	142.250.185.164	true	false		high
yanalogyone.com	52.208.31.180	true	false		unknown
api.mixpanel.com	130.211.34.183	true	false		high
clients.l.google.com	172.217.16.206	true	false		high
package.avira.com	unknown	unknown	false		high
net.geo.opera.com	unknown	unknown	false		high
downloaderapi.chip.de	unknown	unknown	false		high
clients2.google.com	unknown	unknown	false		high
www.chip.de	unknown	unknown	false		high
chrome.google.com	unknown	unknown	false		high
api.my.avira.com	unknown	unknown	false		high
securedl.cdn.chip.de	unknown	unknown	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://static.chip-secured-download.de/gfx/progress/BitGuardian/PPD_Bit-Driver-Updater_1.png	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
83.125.106.237	chip-cluster.de	European Union	198710	UUU-TELECOM-ASDE	false
34.104.35.123	unknown	United States	15169	GOOGLEUS	false
1.1.1.1	unknown	Australia	13335	CLOUDFLARENETUS	false
2.23.193.81	unknown	European Union	1273	CWVodafoneGroupPLCEU	false
3.122.207.2	www.oschwecke.com	United States	16509	AMAZON-02US	false
52.57.167.243	outsurf.net	United States	16509	AMAZON-02US	false
172.217.16.206	clients.l.google.com	United States	15169	GOOGLEUS	false
172.217.18.14	www3.l.google.com	United States	15169	GOOGLEUS	false
2.19.126.89	unknown	European Union	16625	AKAMAI-ASUS	false
142.250.185.100	unknown	United States	15169	GOOGLEUS	false
185.212.44.250	www.trustedoffers.de	Sweden	39378	SERVINGADE	false
185.158.249.69	api.trustedoffers.de	Netherlands	58329	RACKPLACEDE	false
239.255.255.250	unknown	Reserved	unknown	unknown	false
185.26.182.112	eu.net.opera.com	Norway	39832	NO-OPERANO	false
172.217.18.109	accounts.google.com	United States	15169	GOOGLEUS	false
52.208.31.180	yanalogyone.com	United States	16509	AMAZON-02US	false
142.250.184.227	unknown	United States	15169	GOOGLEUS	false
95.101.111.130	unknown	European Union	12956	TELEFONICATELXIUSES	false
116.203.169.156	static.chip-secured-download.de	Germany	24940	HETZNER-ASDE	false
172.217.16.195	unknown	United States	15169	GOOGLEUS	false

Private

IP
192.168.2.1

General Information

Joe Sandbox Version:	36.0.0 Rainbow Opal
Analysis ID:	779040
Start date and time:	2023-01-06 14:13:14 +01:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	Snipping Tool Plus - CHIP Installer _Pvujx.exe
Cookbook file name:	defaultwindowsinteractivecookbook.jbs
Analysis system description:	Windows 10 64 bit version 1909 (MS Office 2019, IE 11, Chrome 104, Firefox 88, Adobe Reader DC 21, Java 8 u291, 7-Zip)
Number of analysed new started processes analysed:	29
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	EGA enabled
Analysis Mode:	stream
Analysis stop reason:	Timeout
Detection:	SUS
Classification:	sus28.spyw.winEXE@25/18@38/132
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, SIHClient.exe, SgrmBroker.exe, usocoreworker.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 20.190.154.19, 40.126.26.135, 20.190.154.16, 40.126.26.132, 40.126.26.133, 20.190.154.18, 20.190.154.136, 20.190.154.139
Excluded domains from analysis (whitelisted): prda.aadg.msidentity.com, slscr.update.microsoft.com, login.live.com, login.msa.msidentity.com, www.tm.a.prd.aadg.trafficmanager.net, www.tm.lg.prod.aadmsa.trafficmanager.net
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtDeviceIoControlFile calls found.
Report size getting too big, too many NtEnumerateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: C:\Users\alfredo\AppData\Local\Temp\OperaSetup_exe_3162023214092374826251\OperaSetup_exe.parts
VT rate limit hit for: http://static.chip-secured-download.de/gfx/progress/BitGuardian/PPD_Bit-Driver-Updater_1.png

Created / dropped Files

C:\Users\alfredo\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\133174844577776824.exe.log

Download File

Process:	C:\Users\alfredo\AppData\Roaming\stubinstaller\133174844577776824.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	42
Entropy (8bit):	4.0050635535766075
Encrypted:	false
SSDEEP:
MD5:	84CFDB4B995B1DBF543B26B86C863ADC
SHA1:	D2F47764908BF30036CF8248B9FF5541E2711FA2
SHA-256:	D8988D672D6915B46946B28C06AD8066C50041F6152A91D37FFA5CF129CC146B
SHA-512:	485F0ED45E13F00A93762CBF15B4B8F996553BAA021152FAE5ABA051E3736BCD3CA8F4328F0E6D9E3E1F910C96C4A9AE055331123EE08E3C2CE3A99AC2E177CE
Malicious:	false
Reputation:	low
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..

C:\Users\alfredo\AppData\Local\Microsoft\Internet Explorer\MSIMGSIZ.DAT

Download File

Process:	C:\Users\alfredo\Desktop\Snipping Tool Plus - CHIP Installer _Pvujx.exe
File Type:	data
Category:	dropped
Size (bytes):	49120
Entropy (8bit):	0.0017331682157558962
Encrypted:	false
SSDEEP:
MD5:	0392ADA071EB68355BED625D8F9695F3
SHA1:	777253141235B6C6AC92E17E297A1482E82252CC
SHA-256:	B1313DD95EAF63F33F86F72F09E2ECD700D11159A8693210C37470FCB84038F7
SHA-512:	EF659EEFCAB16221783ECB258D19801A1FF063478698CF4FCE3C9F98059CA7B1D060B0449E6FD89D3B70439D9735FA1D50088568FF46C9927DE45808250AEC2E
Malicious:	false
Reputation:	low
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\alfredo\AppData\Local\Microsoft\Windows\INetCache\IE\98S549LJ\easyprogresscampaign-progress-bitsolucians[1].htm

Download File

Process:	C:\Users\alfredo\Desktop\Snipping Tool Plus - CHIP Installer _Pvujx.exe
File Type:	HTML document, ASCII text
Category:	dropped
Size (bytes):	2142
Entropy (8bit):	5.244871000930477
Encrypted:	false
SSDEEP:
MD5:	E6F0BD00D49D36FA1B5FABC1530DBB4F
SHA1:	21D98C0C180A877552DAFF7C34505DB2942F1A9A
SHA-256:	EE53CAA252AA150FC6641CDD76C32FCAC6B69DD4DF73D3E4E7A5F628B26D0745
SHA-512:	432629C723A9FB375123CD8CD86CF6F01792E45B88B34BFBD813AA2D9C58D2D88182D1436046E4D6808879CED942E9298BE3ABA0FF0E89F343AA656002DC9029
Malicious:	false
Reputation:	low
Preview:	<html><head><title></title></head><body> .. "click-tracking-url". "image-asset-url". "impression-tracking-url"..--><span class="disclaim">Anzeige</a></span><a target="_blank" href=...."https://webcf.bitdriverupdater.com/bitdrvupdt/instlr/build/10020/bitdurtsetup.exe"....><img src=.."http://static.chip-secured-download.de/gfx/progress/BitGuardian/PPD_Bit-Driver-Updater_1.png"....></a><div class="track" style="background:url(.https://api.trustedoffers.de/progresspagead/impression?pid=chipderedesign&id=65..)"><style>.body{.padding:0 3% 3% 3%;border:none;cursor:default;..display: table-cell;..vertical-align: middle; ..overflow:hidden;.}.html,body {height: 100%;}.html{.display: table;..margin: auto;.}.img{.padding:0;border:none;margin:0;width:100%;display:block;}..track{.display:none;}..disclaim{..font: 10px Arial, sans-serif;color: rgba(128,128,128,0.9); ..position:absolute;top:2.5%;right:3.5%;display:block;.}</style>..<img src="#" class="track" id="rholive">..<script>./* coun

C:\Users\alfredo\AppData\Local\Microsoft\Windows\INetCache\IE\QFX1KV1T\PPD_Bit-Driver-Updater_1[1].png

Download File

Process:	C:\Users\alfredo\Desktop\Snipping Tool Plus - CHIP Installer _Pvujx.exe
File Type:	PNG image data, 1200 x 300, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	253480
Entropy (8bit):	7.997455604117719
Encrypted:	true
SSDEEP:
MD5:	4FA788C006BA2C165DFB15A20DD408D8
SHA1:	6F8D7A53BA7AE3B6B1D3B3297B730FC2A93B7D09
SHA-256:	AA0A1A9E282167A2A8BA84CED85760DF64311B6A2F60BF44E7BB17AAD3780C95
SHA-512:	7A1131BCB4323A313AEC3954CEE9C4359D2CA9A923B99C660CB47EFA60B698FBD084C18D2001058EA7972188A525AA2F5DB16A0FE9CDBDF1E1331D0E4B4AB36D
Malicious:	false
Reputation:	low
Preview:	.PNG........IHDR.......,.....\.......tEXtSoftware.Adobe ImageReadyq.e<....IDATx....,.....o.Y...._.~$..P....g..f.... ....l......6`.?.....K..........._w...K.........k6e....c........w.w.h4.......O..${A.....&.$.. ...H.M..V.#......8..&.a......o'..8N..I....#.)m.....hCy......8;..m,...^6$..';$....d...k.....}.P..w..1..K..........l.@h...........+~$E...a...0==..C.G..6L..x..../.......k2..?.'...............+:..M.{................._.=.W...'.3..A........o....a..o......~1<..q..>.0N......f/.?...................7;..Qt\|..........8..........O.._....g...'........kua.D............o.;p....^.$a.......I...%1.#....=....$].0]c.V.1./.-?...i........IL..Z...-....:_*........o..'?.=.~.d'.=d.-]8.1.0..5..r..m..Dd...........7...._4..f..K..b."........'O..=3.C].....^...l.:^h;....pN......M].x.d8.0.`.i.....N.G."..9..x..[.k..":.O.t...q.G..f7..\|?..M6$...F.G.]QR1Nx(.........66N..4......N.....D.....][.....t...~.W.}.[.........h....z..._.....i}..e.'.^'.b......6=.p.dc......p.s

C:\Users\alfredo\AppData\Local\Temp\OperaSetup_exe_3162023214092374826251\OperaSetup.exe (copy)

Download File

Process:	C:\Users\alfredo\Desktop\Snipping Tool Plus - CHIP Installer _Pvujx.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Category:	dropped
Size (bytes):	2800656
Entropy (8bit):	7.770112097251173
Encrypted:	false
SSDEEP:
MD5:	2010FD32C94411DF0E4218EAE58E699F
SHA1:	D34562EF17F4A382C12F024B6E6ED4D94A3F20DE
SHA-256:	4D2F56127AF824C24389FC7DCD1C48D2C27865D2603B621C4B49D81A06F57D86
SHA-512:	D70E09E26D1BD45BD6D3ACAEF6A1FFE40094F8DA7F2E5DFF82753DB195F3BC915C63548425822E028CA6F042CDA10BF5C0615DD47AC6EDF974409428780EAA3F
Malicious:	false
Reputation:	low
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....1.c.........."..............&.0&P.. &..0P...@...........................P......>+...@.................................d.P......0P.d...............,..`.P.$............................'P......(P.............................................UPX0......&.............................UPX1........ &....................@....rsrc........0P....................@...3.96.UPX!..........z.T.P. ...zO.&..Sa.!.U..]....U..1.]........SWV.....E.`..@....@........d.....d....}...........M.1..U..M.B..Z.9.s<.M.).).....9..L.M.4.9.r.9.wm.u..t.SPQ....ww.w.U....8..=M..+...X$.E.....{................t.N......A1.C:..;}.\|...1..E....F...........^_[]...E..h...).L....h...l......Y\|.....@.o8..U.......a8..WV.........x ....u.1.H^_].n...F..H..N......5.?.@8.OM.P...n...P..}..W.._.....9.s>..O.)..9.r....op..9......2QPSQR..w.?v.....TB.:.E.....E...=..X0.X......?..u.['F.E.@z...........

C:\Users\alfredo\AppData\Local\Temp\OperaSetup_exe_3162023214092374826251\OperaSetup_exe.parts

Download File

Process:	C:\Users\alfredo\Desktop\Snipping Tool Plus - CHIP Installer _Pvujx.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Category:	dropped
Size (bytes):	2800656
Entropy (8bit):	7.770112097251173
Encrypted:	false
SSDEEP:
MD5:	2010FD32C94411DF0E4218EAE58E699F
SHA1:	D34562EF17F4A382C12F024B6E6ED4D94A3F20DE
SHA-256:	4D2F56127AF824C24389FC7DCD1C48D2C27865D2603B621C4B49D81A06F57D86
SHA-512:	D70E09E26D1BD45BD6D3ACAEF6A1FFE40094F8DA7F2E5DFF82753DB195F3BC915C63548425822E028CA6F042CDA10BF5C0615DD47AC6EDF974409428780EAA3F
Malicious:	false
Reputation:	low
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....1.c.........."..............&.0&P.. &..0P...@...........................P......>+...@.................................d.P......0P.d...............,..`.P.$............................'P......(P.............................................UPX0......&.............................UPX1........ &....................@....rsrc........0P....................@...3.96.UPX!..........z.T.P. ...zO.&..Sa.!.U..]....U..1.]........SWV.....E.`..@....@........d.....d....}...........M.1..U..M.B..Z.9.s<.M.).).....9..L.M.4.9.r.9.wm.u..t.SPQ....ww.w.U....8..=M..+...X$.E.....{................t.N......A1.C:..;}.\|...1..E....F...........^_[]...E..h...).L....h...l......Y\|.....@.o8..U.......a8..WV.........x ....u.1.H^_].n...F..H..N......5.?.@8.OM.P...n...P..}..W.._.....9.s>..O.)..9.r....op..9......2QPSQR..w.?v.....TB.:.E.....E...=..X0.X......?..u.['F.E.@z...........

C:\Users\alfredo\AppData\Local\Temp\SnippingToolPlusv3-4-1-0_zip_1162023214098482085251\SnippingToolPlusv3-4-1-0_zip.parts

Download File

Process:	C:\Users\alfredo\Desktop\Snipping Tool Plus - CHIP Installer _Pvujx.exe
File Type:	Zip archive data, at least v2.0 to extract, compression method=deflate
Category:	dropped
Size (bytes):	437645
Entropy (8bit):	7.998904525428809
Encrypted:	true
SSDEEP:
MD5:	ADBE4D4E1EB146045D0AE3DFDD973554
SHA1:	D1AD3EBD99A13584F828CBD134918D9D8B262320
SHA-256:	2BC6D0092E097978B8D7EB8A7A41CF6A7C384A44C30D205407DFF946DF685837
SHA-512:	089A8F619305CC1B81AD86B3CE4292E703E7EF473F0FFAD6A244AEEABDB22B56BAD2A1227545785449C8863A84B3D8924F60C8A9490899460BDCF7622DD7EF44
Malicious:	false
Reputation:	low
Preview:	PK.........ed?.U.......'......Changelog.txt.ZI..0.....P.@3..L....@..!..D.....F.W.\......./...@..N.....9.......t.<qT.QOOtT_=V........}....p.....>\}..P}....Xe..\..Q#u...p...t..;....:,.'#8o..D.._....{...7.[....5..gp..........<...2.3?+.@V.+~.}.S.....3.t.5.k..:.a.....@..4......<).<U.j.8...._NO3..~2.......0..X-......!..9C..^;j...}@.-.h.........-F.3.S.=.`.....%.....v..4.4j..>i.R5$.#._ .E.MZ..B.(5>.......%.#... ...H.W.j..........v.g......Z.....^...V..o..w<....0cki..I.B[..FY'..v.g...P........r.(....N.u..%. N...41.kFNB..}2\|V.E...l0%oK<Oa;,.l-/.I.xC.d.z..........k...u\..>....r.."o.o....\#.k..4..B_4..xQ.u...i.........3.......W..c.'..3.ufe.....E.....s.R.=..O......D;.....a.F......S9u.s....)..C.y.;.#Z..6..2...X..).{.4...T..;.}p...1#.]..*Q./X..u..W\|.%5..o.s.g.I......&....B..#.....P..kL.\|]D.h..:8 .Y..v....J^...yA..d....H....z......d.j}."...5...r-.9..?.E[%.P7.C. .....w.\8~S.<.....(a.6Y$...z.g.KN..q...Kq..._.(.r..D..."G..;~NQ.+.......f....X..

C:\Users\alfredo\AppData\Local\Temp\avira_de_sptl1___chip-spotlight-release_exe_3162023214094295883251\avira_de_sptl1___chip-spotlight-release.exe (copy)

Download File

Process:	C:\Users\alfredo\Desktop\Snipping Tool Plus - CHIP Installer _Pvujx.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	6300824
Entropy (8bit):	6.280973596147506
Encrypted:	false
SSDEEP:
MD5:	74482ED9E6E1370416539AA9F893F100
SHA1:	1F42D18000670BFBB80C87CAD3B1B1476ABBF9B4
SHA-256:	2FE80C7262E22CF901E31B49FB1684C16402EEC8F239EF9AC961D22D592EFB36
SHA-512:	25310414FD1BFF1A41E2738F2CE8F374BE8D8E44728759340E20CEC559CF3CF1D7032473690B0E0CE19834DFBBE5AB9DAA290F1CBC04E315007A85AA8E7466DB
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 8%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......V.B...,,..,,..,,I./-..,,I.)-..,,I.(-..,,@.(-..,,@./-..,,@.)-H.,,I.*-..,,I.--..,,..-,.,,..%-..,,...,..,,...,..,,...-..,,Rich..,,........................PE..L....P.c.....................NZ.....`.............@..........................`_......p`...@.................................x^..........`mX..........&_...... _..>..................................0...@...............\|............................text............................... ..`.rdata..Xm.......n..................@..@.data...,0...p... ...X..............@....rsrc...`mX......nX..x..............@..@.reloc...>... _..@....^.............@..B................................................................................................................................................................................................................................................................................

C:\Users\alfredo\AppData\Local\Temp\avira_de_sptl1___chip-spotlight-release_exe_3162023214094295883251\avira_de_sptl1___chip-spotlight-release_exe.parts

Download File

Process:	C:\Users\alfredo\Desktop\Snipping Tool Plus - CHIP Installer _Pvujx.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	6300824
Entropy (8bit):	6.280973596147506
Encrypted:	false
SSDEEP:
MD5:	74482ED9E6E1370416539AA9F893F100
SHA1:	1F42D18000670BFBB80C87CAD3B1B1476ABBF9B4
SHA-256:	2FE80C7262E22CF901E31B49FB1684C16402EEC8F239EF9AC961D22D592EFB36
SHA-512:	25310414FD1BFF1A41E2738F2CE8F374BE8D8E44728759340E20CEC559CF3CF1D7032473690B0E0CE19834DFBBE5AB9DAA290F1CBC04E315007A85AA8E7466DB
Malicious:	false
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......V.B...,,..,,..,,I./-..,,I.)-..,,I.(-..,,@.(-..,,@./-..,,@.)-H.,,I.*-..,,I.--..,,..-,.,,..%-..,,...,..,,...,..,,...-..,,Rich..,,........................PE..L....P.c.....................NZ.....`.............@..........................`_......p`...@.................................x^..........`mX..........&_...... _..>..................................0...@...............\|............................text............................... ..`.rdata..Xm.......n..................@..@.data...,0...p... ...X..............@....rsrc...`mX......nX..x..............@..@.reloc...>... _..@....^.............@..B................................................................................................................................................................................................................................................................................

C:\Users\alfredo\AppData\Local\Temp\outsrf220429_exe_1162023214092743401251\outsrf220429.exe (copy)

Download File

Process:	C:\Users\alfredo\Desktop\Snipping Tool Plus - CHIP Installer _Pvujx.exe
File Type:	PE32+ executable (console) x86-64 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	3672664
Entropy (8bit):	6.7007677408300115
Encrypted:	false
SSDEEP:
MD5:	2670D3FCFECE2FA02CBE00AF6E462BFA
SHA1:	3F092DE3DB7F89CBD4544B1168986B256CD7C4A9
SHA-256:	14A396E3E82B5C75FF7D2E3C607CE9F23B7D007339F1CB87C2921FD6FEB6AC43
SHA-512:	A8166CEDA81EFE5F0124AAE185DEE64D34FC001BED4C3AF36E87DB28C3053194A43DC84CF52E1B9244962A4ECF78B461F9FC6543B4FE85842988D0EEE9EE4828
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d................"...0...7.............. .....@..... ....................... 8.....6.9...`...@......@............... ................................8...............7.X$............7.8............................................................ ..H............text.....7.. ....7................. ..`.rsrc.........8.......7.............@..@........................................H.......H#..d............4..X.7..........................................0..........(.....(....&.(....~....&(......(....r...p(....~.......(....(......(....-..(....&.(....-.(....(....o........+.....( ......X......i2.(!.......(".......(#...r...p(.....r'..p..(.......(....-.(....(....re..p.r...p(..... ....(....-.(....(....r...p.r...p(..... ....(....-.(....(....r=..p.r{..p(..... ....(....-.(....(....s$...%o%....o&...%o%....o'...%o%.....(....o(...%o%...o)...( ...%o*...-.(....(....%o+...o,.

C:\Users\alfredo\AppData\Local\Temp\outsrf220429_exe_1162023214092743401251\outsrf220429.exe.lnk

Download File

Process:	C:\Users\alfredo\Desktop\Snipping Tool Plus - CHIP Installer _Pvujx.exe
File Type:	MS Windows shortcut, Item id list present, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, ctime=Sun Dec 31 23:06:32 1600, mtime=Sun Dec 31 23:06:32 1600, atime=Sun Dec 31 23:06:32 1600, length=0, window=hideshowminimized
Category:	modified
Size (bytes):	2212
Entropy (8bit):	2.8705781093841667
Encrypted:	false
SSDEEP:
MD5:	DC51EC52AC9780D78E375E3FC3ADF2EF
SHA1:	E3C90B70B3294292EB84A038FB4827D469AF1933
SHA-256:	C6DCF44CD975077A5874AC84F3D3593FA8805237A4C935EE857EC58DBB0118AF
SHA-512:	59538A626D909CC1233B69DDF486E420BF1E1E0886208AC8F49175482FA5E96E78532DE91C07E5931A413C43C947A6A57C7BDC21558AE348D2D5EAFA3012F94C
Malicious:	true
Reputation:	low
Preview:	L..................F.@...........................................................P.O. .:i.....+00.../C:\...................P.1...........Users.<............................................U.s.e.r.s.....V.1...........alfredo.@............................................a.l.f.r.e.d.o.....V.1...........AppData.@............................................A.p.p.D.a.t.a.....P.1...........Local.<............................................L.o.c.a.l.....N.1...........Temp..:............................................T.e.m.p.......1...........outsrf220429_exe_1162023214092743401251..............................................o.u.t.s.r.f.2.2.0.4.2.9._.e.x.e._.1.1.6.2.0.2.3.2.1.4.0.9.2.7.4.3.4.0.1.2.5.1...6.r.2...........outsrf220429.exe..R............................................o.u.t.s.r.f.2.2.0.4.2.9...e.x.e... .......\.o.u.t.s.r.f.2.2.0.4.2.9...e.x.e.L.C.:.\.U.s.e.r.s.\.a.l.f.r.e.d.o.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.T.e.m.p.\.o.u.t.s.r.f.2.2.0.4.2.9._.e.x.e._.1.1.6.2.0.2.3.2.1.4.0.9

C:\Users\alfredo\AppData\Local\Temp\outsrf220429_exe_1162023214092743401251\outsrf220429_exe.parts

Download File

Process:	C:\Users\alfredo\Desktop\Snipping Tool Plus - CHIP Installer _Pvujx.exe
File Type:	PE32+ executable (console) x86-64 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	3672664
Entropy (8bit):	6.7007677408300115
Encrypted:	false
SSDEEP:
MD5:	2670D3FCFECE2FA02CBE00AF6E462BFA
SHA1:	3F092DE3DB7F89CBD4544B1168986B256CD7C4A9
SHA-256:	14A396E3E82B5C75FF7D2E3C607CE9F23B7D007339F1CB87C2921FD6FEB6AC43
SHA-512:	A8166CEDA81EFE5F0124AAE185DEE64D34FC001BED4C3AF36E87DB28C3053194A43DC84CF52E1B9244962A4ECF78B461F9FC6543B4FE85842988D0EEE9EE4828
Malicious:	false
Yara Hits:	Rule: SUSP_XORed_Mozilla, Description: Detects suspicious single byte XORed keyword \'Mozilla/5.0\' - it uses yara\'s XOR modifier and therefore cannot print the XOR key. You can use the CyberChef recipe linked in the reference field to brute force the used key., Source: C:\Users\alfredo\AppData\Local\Temp\outsrf220429_exe_1162023214092743401251\outsrf220429_exe.parts, Author: Florian Roth Rule: SUSP_XORed_Mozilla, Description: Detects suspicious single byte XORed keyword \'Mozilla/5.0\' - it uses yara\'s XOR modifier and therefore cannot print the XOR key. You can use the CyberChef recipe linked in the reference field to brute force the used key., Source: C:\Users\alfredo\AppData\Local\Temp\outsrf220429_exe_1162023214092743401251\outsrf220429_exe.parts, Author: Florian Roth Rule: SUSP_XORed_Mozilla, Description: Detects suspicious single byte XORed keyword \'Mozilla/5.0\' - it uses yara\'s XOR modifier and therefore cannot print the XOR key. You can use the CyberChef recipe linked in the reference field to brute force the used key., Source: C:\Users\alfredo\AppData\Local\Temp\outsrf220429_exe_1162023214092743401251\outsrf220429_exe.parts, Author: Florian Roth
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d................"...0...7.............. .....@..... ....................... 8.....6.9...`...@......@............... ................................8...............7.X$............7.8............................................................ ..H............text.....7.. ....7................. ..`.rsrc.........8.......7.............@..@........................................H.......H#..d............4..X.7..........................................0..........(.....(....&.(....~....&(......(....r...p(....~.......(....(......(....-..(....&.(....-.(....(....o........+.....( ......X......i2.(!.......(".......(#...r...p(.....r'..p..(.......(....-.(....(....re..p.r...p(..... ....(....-.(....(....r...p.r...p(..... ....(....-.(....(....r=..p.r{..p(..... ....(....-.(....(....s$...%o%....o&...%o%....o'...%o%.....(....o(...%o%...o)...( ...%o*...-.(....(....%o+...o,.

C:\Users\alfredo\AppData\Roaming\stubinstaller\133174844577776824.exe

Download File

Process:	C:\Users\alfredo\AppData\Local\Temp\outsrf220429_exe_1162023214092743401251\outsrf220429.exe
File Type:	PE32+ executable (GUI) x86-64 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	1127512
Entropy (8bit):	6.066917511385274
Encrypted:	false
SSDEEP:
MD5:	98BDFFE59B649724E7DB0148DC3A3CC8
SHA1:	0EF517D26CE1664C8352F4310B8A4902291A84E9
SHA-256:	BA3DD4CB2D1E76C592AB19CC9F0A5DBF14CF45D8ABAE1FCBC4FD3896195B2C1C
SHA-512:	61AB162CB8C6D910FC098B128423DE83706669038D592F19D11006BA0AB2A204AB6BC5ED09E0F1272B41BE27A3FBA00C5E15B52D7A8B6B9C4A2368AD523C1A64
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........i...............................................................................`......`............`......Rich...................PE..d.....kb.........."......b...........[.........@....................................G.....`..................................................>....... ...q..............X$..............T.......................(...@...8...............P...............H............text...[P.......R.................. ..`.nep....P....p.......V.............. ..`.rdata...............f..............@..@.data....r...........h..............@....pdata..............................@..@.rsrc....q... ...r..................@..@.reloc..............................@..B................................................................................................................................................................................

C:\Users\alfredo\AppData\Roaming\stubinstaller\133174844577776824.exe.res

Download File

Process:	C:\Users\alfredo\AppData\Roaming\stubinstaller\133174844577776824.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	5
Entropy (8bit):	1.9219280948873623
Encrypted:	false
SSDEEP:
MD5:	F781895C9ECFD0684F06034CD37032D5
SHA1:	3C92B28C4770767C170042706FEE676D95520BF4
SHA-256:	A8EFC28ED86A7ABF4869C1FC4C07FD00231DBE50EB6FC4F4D69E05F94E58D0D3
SHA-512:	33618FE4C727EF0ADD709112A0433C6069BC7870E22828BC66EF66BB45E804983E4B12A54E66843E95527D5E940009DD75D3B9E7459ADD60650BE8718063A6DF
Malicious:	true
Reputation:	low
Preview:	71500

C:\Users\alfredo\AppData\Roaming\stubinstaller\msvcp140.dll

Download File

Process:	C:\Users\alfredo\AppData\Local\Temp\outsrf220429_exe_1162023214092743401251\outsrf220429.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	565648
Entropy (8bit):	6.489456926940133
Encrypted:	false
SSDEEP:
MD5:	CB75D6437418AFE1A7B52ACF75730FF1
SHA1:	54C2DA9552671B161CC87EB50FBDB86319B00F56
SHA-256:	7C4CE9D6BFCD6D9DB4EEF4E75ECDCF5A8E5320106E80F1ECA617439FA43F33E8
SHA-512:	F58ABB740A30467E2D8AEDD7EED357DA020FDC7D966E245890D102A52E96FEA296E122C1D2BC112423FC64B6F5E70B7DF3F3EB7DE1BF5C2F5F0EB3644F1E06D6
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......Y...................Z.........O.....O.....O.....O.....O.....O.6....O.....Rich...........................PE..d...Z.-a.........." .....<...\.......)....................................................`A.........................................5..h...(...,............p...9...~...#......0.......T...............................8............P...............................text....;.......<.................. ..`.rdata..j....P.......@..............@..@.data...`:...0......................@....pdata...9...p...:...6..............@..@.rsrc................p..............@..@.reloc..0............t..............@..B................................................................................................................................................................................................................................................

C:\Users\alfredo\AppData\Roaming\stubinstaller\vcruntime140.dll

Download File

Process:	C:\Users\alfredo\AppData\Local\Temp\outsrf220429_exe_1162023214092743401251\outsrf220429.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	97168
Entropy (8bit):	6.424686954579329
Encrypted:	false
SSDEEP:
MD5:	A87575E7CF8967E481241F13940EE4F7
SHA1:	879098B8A353A39E16C79E6479195D43CE98629E
SHA-256:	DED5ADAA94341E6C62AEA03845762591666381DCA30EB7C17261DD154121B83E
SHA-512:	E112F267AE4C9A592D0DD2A19B50187EB13E25F23DED74C2E6CCDE458BCDAEE99F4E3E0A00BAF0E3362167AE7B7FE4F96ECBCD265CC584C1C3A4D1AC316E92F0
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......*..qn.."n.."n.."...#l.."g.."e.."n.."B.."<..#c.."<..#~.."<..#q.."<..#o.."<.g"o.."<..#o.."Richn.."................PE..d...Y.-a.........." .........`......p.....................................................`A.........................................B..4....J...............p..X....X...#..........h,..T............................,..8............................................text............................... ..`.rdata...@.......B..................@..@.data...@....`.......@..............@....pdata..X....p.......D..............@..@_RDATA...............P..............@..@.rsrc................R..............@..@.reloc...............V..............@..B........................................................................................................................................................................................................................

C:\Users\alfredo\AppData\Roaming\stubinstaller\vcruntime140_1.dll

Download File

Process:	C:\Users\alfredo\AppData\Local\Temp\outsrf220429_exe_1162023214092743401251\outsrf220429.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	37240
Entropy (8bit):	6.3017272133584585
Encrypted:	false
SSDEEP:
MD5:	37C372DA4B1ADB96DC995ECB7E68E465
SHA1:	6C1B6CB92FF76C40C77F86EA9A917A5F854397E2
SHA-256:	1554B5802968FDB2705A67CBB61585E9560B9E429D043A5AA742EF3C9BBFB6BF
SHA-512:	926F081B1678C15DC649D7E53BFBE98E4983C9AD6CCDF11C9383CA1D85F2A7353D5C52BEBF867D6E155FF897F4702FC4DA36A8F4CF76B00CB842152935E319A6
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......D_.O.>...>...>...N...>..RK...>...F^..>...>..1>..RK...>..RK...>..RK...>..RK...>..RK2..>..RK...>..Rich.>..........................PE..d...^.-a.........." .....:...6......`A..............................................7]....`A.........................................l.......m..x....................n..x#......<...(b..T............................b..8............P..X............................text...e9.......:.................. ..`.rdata.. "...P...$...>..............@..@.data... ............b..............@....pdata...............d..............@..@.rsrc................h..............@..@.reloc..<............l..............@..B................................................................................................................................................................................................................................................

C:\Users\alfredo\Downloads\SnippingToolPlusv3-4-1-0.zip (copy)

Download File

Process:	C:\Users\alfredo\Desktop\Snipping Tool Plus - CHIP Installer _Pvujx.exe
File Type:	Zip archive data, at least v2.0 to extract, compression method=deflate
Category:	dropped
Size (bytes):	437645
Entropy (8bit):	7.998904525428809
Encrypted:	true
SSDEEP:
MD5:	ADBE4D4E1EB146045D0AE3DFDD973554
SHA1:	D1AD3EBD99A13584F828CBD134918D9D8B262320
SHA-256:	2BC6D0092E097978B8D7EB8A7A41CF6A7C384A44C30D205407DFF946DF685837
SHA-512:	089A8F619305CC1B81AD86B3CE4292E703E7EF473F0FFAD6A244AEEABDB22B56BAD2A1227545785449C8863A84B3D8924F60C8A9490899460BDCF7622DD7EF44
Malicious:	false
Reputation:	low
Preview:	PK.........ed?.U.......'......Changelog.txt.ZI..0.....P.@3..L....@..!..D.....F.W.\......./...@..N.....9.......t.<qT.QOOtT_=V........}....p.....>\}..P}....Xe..\..Q#u...p...t..;....:,.'#8o..D.._....{...7.[....5..gp..........<...2.3?+.@V.+~.}.S.....3.t.5.k..:.a.....@..4......<).<U.j.8...._NO3..~2.......0..X-......!..9C..^;j...}@.-.h.........-F.3.S.=.`.....%.....v..4.4j..>i.R5$.#._ .E.MZ..B.(5>.......%.#... ...H.W.j..........v.g......Z.....^...V..o..w<....0cki..I.B[..FY'..v.g...P........r.(....N.u..%. N...41.kFNB..}2\|V.E...l0%oK<Oa;,.l-/.I.xC.d.z..........k...u\..>....r.."o.o....\#.k..4..B_4..xQ.u...i.........3.......W..c.'..3.ufe.....E.....s.R.=..O......D;.....a.F......S9u.s....)..C.y.;.#Z..6..2...X..).{.4...T..;.}p...1#.]..*Q./X..u..W\|.%5..o.s.g.I......&....B..#.....P..kL.\|]D.h..:8 .Y..v....J^...yA..d....H....z......d.j}."...5...r-.9..?.E[%.P7.C. .....w.\8~S.<.....(a.6Y$...z.g.KN..q...Kq..._.(.r..D..."G..;~NQ.+.......f....X..

Static File Info

General

File type:	PE32+ executable (GUI) x86-64, for MS Windows
Entropy (8bit):	6.013112201325464
TrID:	Win64 Executable GUI (202006/5) 92.64% Win64 Executable (generic) (12005/4) 5.51% Generic Win/DOS Executable (2004/3) 0.92% DOS Executable Generic (2002/1) 0.92% VXD Driver (31/22) 0.01%
File name:	Snipping Tool Plus - CHIP Installer _Pvujx.exe
File size:	5331520
MD5:	f5980f17f44da870072c5ce396eb01bf
SHA1:	22ce208acb16875cdd9d42a794557a56068220c2
SHA256:	2f9079df89e96a997a910f9243173ac60bfe625501452152f8ab281778e5696b
SHA512:	f30c2029f7b85c7959385f64627d2443e9e76b8a025a02aa2619f0758dbdd0e00f2b0464a8af5a4607be1bff006d24f677d548bac0e755f880f7207a6e465037
SSDEEP:	49152:xhx7dxx15qe01xtgx41J/StY/yuiYWLmgpaRZkDuZdTNACtn:JV1JALgvz4ACtn
TLSH:	9236197F72D4D22AC29DC63AC0A38B40DA33BD751B32C5E7469412695F36BC09E7E621
File Content Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win64..$7.......................................................................................................................................

File Icon


Icon Hash:	c2e8c4ccccccf4cc

Static PE Info

General

Entrypoint:	0x7f8020
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x625A8D90 [Sat Apr 16 09:34:08 2022 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	2
File Version Major:	5
File Version Minor:	2
Subsystem Version Major:	5
Subsystem Version Minor:	2
Import Hash:	9a3ae152609425957e9b2d8f50b872a5

Authenticode Signature

Signature Valid:	true
Signature Issuer:	CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1, O="DigiCert, Inc.", C=US
Signature Validation Error:	The operation completed successfully
Error Number:	0
Not Before, Not After	11/17/2021 1:00:00 AM 11/17/2023 12:59:59 AM
Subject Chain	CN=CHIP Digital GmbH, O=CHIP Digital GmbH, L=Mnchen, S=Bayern, C=DE, SERIALNUMBER=HRB 104168, OID.1.3.6.1.4.1.311.60.2.1.1=Mnchen, OID.1.3.6.1.4.1.311.60.2.1.2=Bayern, OID.1.3.6.1.4.1.311.60.2.1.3=DE, OID.2.5.4.15=Private Organization
Version:	3
Thumbprint MD5:	31290AD99CA708B045825C48A6AB55AF
Thumbprint SHA-1:	F0B3131CBF220230B163F8BD2829AF4724C89D5F
Thumbprint SHA-256:	82AF1C835CD258D4F8789573E0EBD33ADCD8E4F32B4E88355D1719C149EA1502
Serial:	04DFC5474923E7F3AD3BDC6904AC55C1

Entrypoint Preview

Instruction
push ebp
dec eax
sub esp, 30h
dec eax
mov ebp, esp
dec eax
mov dword ptr [ebp+28h], ebp
nop
dec eax
lea ecx, dword ptr [000000ECh]
call 00007F04E898E06Ch
nop
dec eax
mov eax, dword ptr [00062E1Fh]
dec eax
mov ecx, dword ptr [eax]
call 00007F04E8C1CCDCh
dec eax
mov eax, dword ptr [00062E10h]
dec eax
mov ecx, dword ptr [eax]
mov dl, 01h
call 00007F04E8C1F5DBh
dec eax
mov eax, dword ptr [00062DFFh]
dec eax
mov ecx, dword ptr [eax]
dec eax
mov edx, dword ptr [FFFF2105h]
dec esp
mov eax, dword ptr [00063316h]
call 00007F04E8C1CCDEh
dec eax
mov eax, dword ptr [00062DE2h]
dec eax
mov ecx, dword ptr [eax]
dec eax
mov edx, dword ptr [FFFE5CC8h]
dec esp
mov eax, dword ptr [00063399h]
call 00007F04E8C1CCC1h
dec eax
mov eax, dword ptr [00062DC5h]
dec eax
mov ecx, dword ptr [eax]
dec eax
mov edx, dword ptr [FFFE6D4Bh]
dec esp
mov eax, dword ptr [00062C9Ch]
call 00007F04E8C1CCA4h
dec eax
mov eax, dword ptr [00062DA8h]
dec eax
mov ecx, dword ptr [eax]
dec eax
mov edx, dword ptr [FFFE774Eh]
dec esp
mov eax, dword ptr [0006307Fh]
call 00007F04E8C1CC87h
dec eax
mov eax, dword ptr [00062D8Bh]
dec eax
mov ecx, dword ptr [eax]
call 00007F04E8C1CE68h
jmp 00007F04E8D6D2AAh
nop
nop
call 00007F04E8983BAFh
nop

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x471000	0x9b	.edata
IMAGE_DIRECTORY_ENTRY_IMPORT	0x46a000	0x48b4	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x4dc000	0x4ba00	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x4ad000	0x2ee0c	.pdata
IMAGE_DIRECTORY_ENTRY_SECURITY	0x513600	0x2440	.rsrc
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x474000	0x385ec	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x473000	0x28	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x46b240	0x1110	.idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x46f000	0x1256	.didata
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x40a818	0x40aa00	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data	0x40c000	0x4f518	0x4f600	False	0.2850086122047244	data	4.968686152471056	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.bss	0x45c000	0xd05c	0x0	False	0	empty	0.0	IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0x46a000	0x48b4	0x4a00	False	0.259765625	data	4.345737102455069	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.didata	0x46f000	0x1256	0x1400	False	0.2427734375	data	3.257494677996339	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.edata	0x471000	0x9b	0x200	False	0.2578125	data	1.9082599248602587	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.tls	0x472000	0x290	0x0	False	0	empty	0.0	IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata	0x473000	0x6d	0x200	False	0.1953125	data	1.373604921932461	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x474000	0x385ec	0x38600	False	0.4910312153547672	data	6.5209745136516215	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.pdata	0x4ad000	0x2ee0c	0x2f000	False	0.4940419298537234	SysEx File -	6.344672106893594	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0x4dc000	0x4ba00	0x4ba00	False	0.4954319473140496	data	6.8194764524170495	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_CURSOR	0x4ddbd0	0x134	Targa image data - Map 64 x 65536 x 1 +32 "\001"	English	United States
RT_CURSOR	0x4ddd04	0x134	data	English	United States
RT_CURSOR	0x4dde38	0x134	data	English	United States
RT_CURSOR	0x4ddf6c	0x134	data	English	United States
RT_CURSOR	0x4de0a0	0x134	data	English	United States
RT_CURSOR	0x4de1d4	0x134	data	English	United States
RT_CURSOR	0x4de308	0x134	Targa image data - RGB 64 x 65536 x 1 +32 "\001"	English	United States
RT_BITMAP	0x4de43c	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360	English	United States
RT_BITMAP	0x4de60c	0x1e4	Device independent bitmap graphic, 36 x 19 x 4, image size 380	English	United States
RT_BITMAP	0x4de7f0	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360	English	United States
RT_BITMAP	0x4de9c0	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360	English	United States
RT_BITMAP	0x4deb90	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360	English	United States
RT_BITMAP	0x4ded60	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360	English	United States
RT_BITMAP	0x4def30	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360	English	United States
RT_BITMAP	0x4df100	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360	English	United States
RT_BITMAP	0x4df2d0	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360	English	United States
RT_BITMAP	0x4df4a0	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360	English	United States
RT_ICON	0x4df670	0x10828	Device independent bitmap graphic, 128 x 256 x 32, image size 131072	English	United States
RT_ICON	0x4efe98	0x4228	Device independent bitmap graphic, 64 x 128 x 32, image size 32768	English	United States
RT_ICON	0x4f40c0	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 8192	English	United States
RT_ICON	0x4f5168	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 2048	English	United States
RT_STRING	0x4f55d0	0x4a4	data
RT_STRING	0x4f5a74	0x810	OpenPGP Public Key
RT_STRING	0x4f6284	0xe6c	data
RT_STRING	0x4f70f0	0x6a4	data
RT_STRING	0x4f7794	0x53c	data
RT_STRING	0x4f7cd0	0x634	data
RT_STRING	0x4f8304	0x400	data
RT_STRING	0x4f8704	0x588	data
RT_STRING	0x4f8c8c	0xb8	data
RT_STRING	0x4f8d44	0x114	data
RT_STRING	0x4f8e58	0x178	data
RT_STRING	0x4f8fd0	0x4c0	data
RT_STRING	0x4f9490	0x5ec	data
RT_STRING	0x4f9a7c	0x520	data
RT_STRING	0x4f9f9c	0x64c	data
RT_STRING	0x4fa5e8	0x260	data
RT_STRING	0x4fa848	0x500	data
RT_STRING	0x4fad48	0x50c	data
RT_STRING	0x4fb254	0x534	data
RT_STRING	0x4fb788	0x4b0	data
RT_STRING	0x4fbc38	0x534	data
RT_STRING	0x4fc16c	0x1b4	data
RT_STRING	0x4fc320	0xc4	data
RT_STRING	0x4fc3e4	0x22c	data
RT_STRING	0x4fc610	0x440	data
RT_STRING	0x4fca50	0x408	data
RT_STRING	0x4fce58	0x32c	data
RT_STRING	0x4fd184	0x44c	data
RT_RCDATA	0x4fd5d0	0x10	data
RT_RCDATA	0x4fd5e0	0x148b	PNG image data, 64 x 64, 8-bit/color RGBA, non-interlaced	English	United States
RT_RCDATA	0x4fea6c	0x111e	PNG image data, 64 x 64, 8-bit/color RGBA, non-interlaced	English	United States
RT_RCDATA	0x4ffb8c	0xd8c	PNG image data, 64 x 64, 8-bit/color RGBA, non-interlaced	English	United States
RT_RCDATA	0x500918	0x9b4	data
RT_RCDATA	0x5012cc	0x2	data	English	United States
RT_RCDATA	0x5012d0	0xa38	Delphi compiled form 'Tc9BjKsSmiTEe33o'
RT_RCDATA	0x501d08	0x353d	Delphi compiled form 'TGuqLjmFWgSFjcqi3C'
RT_RCDATA	0x505248	0x371	Delphi compiled form 'Tl5LCINb0HSbn1m'
RT_RCDATA	0x5055bc	0x82d	Delphi compiled form 'TNvWREsI9pb'
RT_RCDATA	0x505dec	0x1179	PNG image data, 1800 x 24, 8-bit/color RGBA, non-interlaced	English	United States
RT_RCDATA	0x506f68	0x176c	PNG image data, 2400 x 32, 8-bit/color RGBA, non-interlaced	English	United States
RT_RCDATA	0x5086d4	0x2cf0	PNG image data, 3600 x 48, 8-bit/color RGBA, non-interlaced	English	United States
RT_RCDATA	0x50b3c4	0x3970	PNG image data, 4800 x 64, 8-bit/color RGBA, non-interlaced	English	United States
RT_RCDATA	0x50ed34	0x1403	PNG image data, 1800 x 24, 8-bit/color RGBA, non-interlaced	English	United States
RT_RCDATA	0x510138	0x18ad	PNG image data, 2400 x 32, 8-bit/color RGBA, non-interlaced	English	United States
RT_RCDATA	0x5119e8	0x343f	PNG image data, 3600 x 48, 8-bit/color RGBA, non-interlaced	English	United States
RT_RCDATA	0x514e28	0x3ea6	PNG image data, 4800 x 64, 8-bit/color RGBA, non-interlaced	English	United States
RT_RCDATA	0x518cd0	0x509	PNG image data, 192 x 24, 8-bit/color RGBA, non-interlaced	English	United States
RT_RCDATA	0x5191dc	0x64e	PNG image data, 256 x 32, 8-bit/color RGBA, non-interlaced	English	United States
RT_RCDATA	0x51982c	0xb62	PNG image data, 384 x 48, 8-bit/color RGBA, non-interlaced	English	United States
RT_RCDATA	0x51a390	0xe43	PNG image data, 512 x 64, 8-bit/color RGBA, non-interlaced	English	United States
RT_RCDATA	0x51b1d4	0x62f	PNG image data, 192 x 24, 8-bit/color RGBA, non-interlaced	English	United States
RT_RCDATA	0x51b804	0x6d3	PNG image data, 256 x 32, 8-bit/color RGBA, non-interlaced	English	United States
RT_RCDATA	0x51bed8	0xe13	PNG image data, 384 x 48, 8-bit/color RGBA, non-interlaced	English	United States
RT_RCDATA	0x51ccec	0xf5b	PNG image data, 512 x 64, 8-bit/color RGBA, non-interlaced	English	United States
RT_RCDATA	0x51dc48	0xbc3	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced	English	United States
RT_RCDATA	0x51e80c	0xc58	PNG image data, 32 x 32, 8-bit/color RGBA, non-interlaced	English	United States
RT_RCDATA	0x51f464	0xbd1	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced	English	United States
RT_RCDATA	0x520038	0xcfa	PNG image data, 32 x 32, 8-bit/color RGBA, non-interlaced	English	United States
RT_RCDATA	0x520d34	0x644	PNG image data, 384 x 24, 8-bit/color RGBA, non-interlaced	English	United States
RT_RCDATA	0x521378	0x823	PNG image data, 512 x 32, 8-bit/color RGBA, non-interlaced	English	United States
RT_RCDATA	0x521b9c	0xe08	PNG image data, 768 x 48, 8-bit/color RGBA, non-interlaced	English	United States
RT_RCDATA	0x5229a4	0x117c	PNG image data, 1024 x 64, 8-bit/color RGBA, non-interlaced	English	United States
RT_RCDATA	0x523b20	0x787	PNG image data, 384 x 24, 8-bit/color RGBA, non-interlaced	English	United States
RT_RCDATA	0x5242a8	0x89c	PNG image data, 512 x 32, 8-bit/color RGBA, non-interlaced	English	United States
RT_RCDATA	0x524b44	0x1189	PNG image data, 768 x 48, 8-bit/color RGBA, non-interlaced	English	United States
RT_RCDATA	0x525cd0	0x1251	PNG image data, 1024 x 64, 8-bit/color RGBA, non-interlaced	English	United States
RT_GROUP_CURSOR	0x526f24	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States
RT_GROUP_CURSOR	0x526f38	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States
RT_GROUP_CURSOR	0x526f4c	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States
RT_GROUP_CURSOR	0x526f60	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States
RT_GROUP_CURSOR	0x526f74	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States
RT_GROUP_CURSOR	0x526f88	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States
RT_GROUP_CURSOR	0x526f9c	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States
RT_GROUP_ICON	0x526fb0	0x3e	data	English	United States
RT_VERSION	0x526ff0	0x280	data	English	United States
RT_MANIFEST	0x527270	0x716	XML 1.0 document, ASCII text, with CRLF, LF line terminators	English	United States

Imports

DLL	Import
winspool.drv	DocumentPropertiesW, ClosePrinter, OpenPrinterW, GetDefaultPrinterW, EnumPrintersW
comctl32.dll	FlatSB_SetScrollInfo, InitCommonControls, ImageList_DragMove, ImageList_Destroy, _TrackMouseEvent, ImageList_DragShowNolock, ImageList_Add, ImageList_GetDragImage, FlatSB_SetScrollProp, ImageList_Create, ImageList_EndDrag, ImageList_DrawEx, ImageList_SetImageCount, FlatSB_GetScrollPos, FlatSB_SetScrollPos, InitializeFlatSB, FlatSB_GetScrollInfo, ImageList_Write, ImageList_SetBkColor, ImageList_GetBkColor, ImageList_BeginDrag, ImageList_GetIcon, ImageList_Replace, ImageList_GetImageCount, ImageList_DragEnter, ImageList_GetIconSize, ImageList_SetIconSize, ImageList_Read, ImageList_DragLeave, ImageList_Draw, ImageList_Remove
shell32.dll	SHGetMalloc, SHGetSpecialFolderLocation, Shell_NotifyIconW, SHGetFolderLocation, FindExecutableW, ShellExecuteW, SHGetPathFromIDListW, ShellExecuteExW
user32.dll	CopyImage, CreateWindowExW, GetMenuItemInfoW, SetMenuItemInfoW, DefFrameProcW, GetDCEx, PeekMessageW, MonitorFromWindow, GetDlgCtrlID, GetUpdateRect, SetTimer, WindowFromPoint, BeginPaint, RegisterClipboardFormatW, FrameRect, MapVirtualKeyW, OffsetRect, IsWindowUnicode, RegisterWindowMessageW, FillRect, GetMenuStringW, DispatchMessageW, SendMessageA, DefMDIChildProcW, EnumWindows, GetClassInfoW, ShowOwnedPopups, GetSystemMenu, GetScrollRange, GetScrollPos, SetScrollPos, GetActiveWindow, SetActiveWindow, DrawEdge, InflateRect, GetKeyboardLayoutList, LoadBitmapW, DrawFocusRect, EnumChildWindows, GetScrollBarInfo, ReleaseCapture, UnhookWindowsHookEx, LoadCursorW, GetCapture, SetCapture, CreatePopupMenu, ScrollWindow, ShowCaret, GetMenuItemID, GetLastActivePopup, CharLowerBuffW, GetSystemMetrics, PostMessageW, DrawMenuBar, SetParent, IsZoomed, CharUpperBuffW, GetClientRect, IsChild, GetClassLongPtrW, SetClassLongPtrW, ClientToScreen, GetClipboardData, SetClipboardData, SetWindowPlacement, IsIconic, CallNextHookEx, GetMonitorInfoW, ShowWindow, CheckMenuItem, CharUpperW, DefWindowProcW, GetForegroundWindow, SetForegroundWindow, GetWindowTextW, EnableWindow, DestroyWindow, IsDialogMessageW, EndMenu, RegisterClassW, CharNextW, GetWindowThreadProcessId, RedrawWindow, GetDC, GetFocus, SetFocus, EndPaint, ReleaseDC, MsgWaitForMultipleObjectsEx, LoadKeyboardLayoutW, ActivateKeyboardLayout, GetParent, DrawTextW, SetScrollRange, InsertMenuItemW, PeekMessageA, GetPropW, MessageBoxW, MessageBeep, SetPropW, RemovePropW, UpdateWindow, GetSubMenu, MsgWaitForMultipleObjects, DestroyMenu, DestroyIcon, SetWindowsHookExW, EmptyClipboard, IsWindowVisible, DispatchMessageA, UnregisterClassW, GetTopWindow, SendMessageW, AdjustWindowRectEx, DrawIcon, IsWindow, EnumThreadWindows, GetMessageTime, InvalidateRect, GetKeyboardState, DrawFrameControl, ScreenToClient, GetWindowLongPtrW, SetWindowLongPtrW, SetCursor, CreateIcon, CreateMenu, LoadStringW, CharLowerW, SetWindowRgn, SetWindowPos, GetMenuItemCount, RemoveMenu, GetSysColorBrush, GetKeyboardLayoutNameW, GetWindowDC, TranslateMessage, OpenClipboard, DrawTextExW, MapWindowPoints, EnumDisplayMonitors, CallWindowProcW, CloseClipboard, DestroyCursor, GetScrollInfo, SetWindowTextW, GetMessageExtraInfo, EnableScrollBar, GetSysColor, TrackPopupMenu, DrawIconEx, PostQuitMessage, GetClassNameW, ShowScrollBar, EnableMenuItem, GetIconInfo, GetMessagePos, SetScrollInfo, GetKeyNameTextW, GetDesktopWindow, GetCursorPos, SetCursorPos, HideCaret, GetMenu, GetMenuState, SetMenu, SetRect, GetKeyState, FindWindowExW, MonitorFromPoint, SystemParametersInfoW, LoadIconW, GetCursor, GetWindow, GetWindowRect, InsertMenuW, KillTimer, WaitMessage, IsWindowEnabled, IsDialogMessageA, TranslateMDISysAccel, GetWindowPlacement, CreateIconIndirect, FindWindowW, DeleteMenu, GetKeyboardLayout
version.dll	GetFileVersionInfoSizeW, VerQueryValueW, GetFileVersionInfoW
oleaut32.dll	SysFreeString, VariantClear, VariantInit, GetErrorInfo, SysReAllocStringLen, SafeArrayCreate, GetActiveObject, SysAllocStringLen, SafeArrayPtrOfIndex, SafeArrayGetUBound, SafeArrayGetLBound, VariantCopy, VariantChangeType
advapi32.dll	RegSetValueExW, RegEnumKeyExW, OpenThreadToken, RegOpenKeyExW, RegQueryInfoKeyW, OpenProcessToken, AllocateAndInitializeSid, FreeSid, EqualSid, RegDeleteValueW, RegFlushKey, RegQueryValueExW, GetTokenInformation, RegCloseKey, RegCreateKeyExW
netapi32.dll	NetWkstaGetInfo, NetApiBufferFree
msvcrt.dll	memcpy, memset
winhttp.dll	WinHttpGetIEProxyConfigForCurrentUser, WinHttpSetTimeouts, WinHttpSetStatusCallback, WinHttpConnect, WinHttpReceiveResponse, WinHttpQueryAuthSchemes, WinHttpGetProxyForUrl, WinHttpReadData, WinHttpCloseHandle, WinHttpQueryHeaders, WinHttpOpenRequest, WinHttpAddRequestHeaders, WinHttpOpen, WinHttpWriteData, WinHttpSetCredentials, WinHttpQueryDataAvailable, WinHttpSetOption, WinHttpSendRequest, WinHttpQueryOption
kernel32.dll	RtlUnwindEx, QueryDosDeviceW, GetACP, GetExitCodeProcess, LocalFree, CloseHandle, GetCurrentProcessId, SizeofResource, VirtualProtect, TerminateThread, QueryPerformanceFrequency, IsDebuggerPresent, FindNextFileW, GetFullPathNameW, VirtualFree, ExitProcess, HeapAlloc, GetCPInfoExW, GlobalSize, RtlUnwind, GetCPInfo, EnumSystemLocalesW, GetStdHandle, GetTimeZoneInformation, FileTimeToLocalFileTime, GetModuleHandleW, FreeLibrary, HeapDestroy, FileTimeToDosDateTime, ReadFile, GetUserDefaultLCID, CreateProcessW, GetLastError, GetModuleFileNameW, SetLastError, GlobalAlloc, GlobalUnlock, FindResourceW, CreateThread, CompareStringW, CreateMutexW, LoadLibraryA, ResetEvent, MulDiv, FreeResource, GetVersion, RaiseException, MoveFileW, GlobalAddAtomW, FormatMessageW, OpenProcess, SwitchToThread, GetExitCodeThread, GetCurrentThread, LoadLibraryExW, TerminateProcess, LockResource, FileTimeToSystemTime, GetCurrentThreadId, UnhandledExceptionFilter, VirtualQuery, GlobalFindAtomW, VirtualQueryEx, GlobalFree, Sleep, EnterCriticalSection, SetFilePointer, ReleaseMutex, LoadResource, SuspendThread, GetTickCount, GetStartupInfoW, GlobalDeleteAtom, GetFileAttributesW, InitializeCriticalSection, GetThreadPriority, GetCurrentProcess, SetThreadPriority, GlobalLock, VirtualAlloc, GetTempPathW, GetSystemInfo, GetCommandLineW, LeaveCriticalSection, GetProcAddress, ResumeThread, GetLogicalDriveStringsW, GetVersionExW, VerifyVersionInfoW, HeapCreate, LCMapStringW, GetDiskFreeSpaceW, VerSetConditionMask, FindFirstFileW, GetUserDefaultUILanguage, lstrlenW, QueryPerformanceCounter, SetEndOfFile, HeapFree, WideCharToMultiByte, FindClose, MultiByteToWideChar, LoadLibraryW, SetEvent, CreateFileW, GetLocaleInfoW, EnumResourceNamesW, DeleteFileW, GetSystemDefaultLCID, GetLocalTime, WaitForSingleObject, WriteFile, ExitThread, DeleteCriticalSection, GetDateFormatW, TlsGetValue, SetErrorMode, GetComputerNameW, IsValidLocale, TlsSetValue, CreateDirectoryW, GetSystemDefaultUILanguage, EnumCalendarInfoW, LocalAlloc, RemoveDirectoryW, CreateEventW, WaitForMultipleObjectsEx, GetThreadLocale, SetThreadLocale
SHFolder.dll	SHGetFolderPathW
ole32.dll	IsAccelerator, CoCreateInstance, CoUninitialize, IsEqualGUID, CreateStreamOnHGlobal, OleInitialize, ProgIDFromCLSID, CLSIDFromProgID, OleUninitialize, CoGetClassObject, CoInitialize, CoTaskMemFree, OleDraw, CoTaskMemAlloc, OleSetMenuDescriptor, StringFromCLSID
gdi32.dll	Pie, SetBkMode, CreateCompatibleBitmap, GetEnhMetaFileHeader, CloseEnhMetaFile, RectVisible, AngleArc, ResizePalette, SetAbortProc, SetTextColor, StretchBlt, RoundRect, RestoreDC, SetRectRgn, GetTextMetricsW, GetWindowOrgEx, CreatePalette, PolyBezierTo, CreateICW, CreateDCW, GetStockObject, CreateSolidBrush, Polygon, MoveToEx, PlayEnhMetaFile, Ellipse, StartPage, GetBitmapBits, StartDocW, GetSystemPaletteEntries, GetEnhMetaFileBits, GetEnhMetaFilePaletteEntries, CreatePenIndirect, SetMapMode, CreateFontIndirectW, PolyBezier, LPtoDP, EndDoc, GetObjectW, GetWinMetaFileBits, SetROP2, GetEnhMetaFileDescriptionW, ArcTo, CreateEnhMetaFileW, Arc, SelectPalette, ExcludeClipRect, MaskBlt, SetWindowOrgEx, EndPage, DeleteEnhMetaFile, Chord, SetDIBits, SetViewportOrgEx, CreateRectRgn, RealizePalette, SetDIBColorTable, GetDIBColorTable, CreateBrushIndirect, PatBlt, SetEnhMetaFileBits, Rectangle, SaveDC, DeleteDC, BitBlt, FrameRgn, GetDeviceCaps, GetTextExtentPoint32W, GetClipBox, IntersectClipRect, Polyline, CreateBitmap, SetWinMetaFileBits, GetStretchBltMode, CreateDIBitmap, SetStretchBltMode, GetDIBits, CreateDIBSection, LineTo, GetRgnBox, EnumFontsW, CreateHalftonePalette, SelectObject, DeleteObject, ExtFloodFill, UnrealizeObject, CopyEnhMetaFileW, SetBkColor, CreateCompatibleDC, GetBrushOrgEx, GetCurrentPositionEx, GetNearestPaletteIndex, CreateRoundRectRgn, GetTextExtentPointW, ExtTextOutW, SetBrushOrgEx, GetPixel, GdiFlush, SetPixel, EnumFontFamiliesExW, StretchDIBits, GetPaletteEntries

Exports

Name	Ordinal	Address
TMethodImplementationIntercept	3	0x505790
__dbk_fcall_wrapper	2	0x418ab0
dbkFCallWrapperAddr	1	0x862298

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in persistence and execution.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring, Windows Registry, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	API monitoring, PowerShell logs, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Snipping Tool Plus - CHIP Installer _Pvujx.exe

Overview

General Information

Detection

Compliance

Signatures

Classification

Analysis Advice

Process Tree

Yara Signatures

Dropped Files

Memory Dumps

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Bitcoin Miner

Compliance

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Mitre Att&ck Matrix

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Created / dropped Files

C:\Users\alfredo\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\133174844577776824.exe.log

C:\Users\alfredo\AppData\Local\Microsoft\Internet Explorer\MSIMGSIZ.DAT

C:\Users\alfredo\AppData\Local\Microsoft\Windows\INetCache\IE\98S549LJ\easyprogresscampaign-progress-bitsolucians[1].htm

C:\Users\alfredo\AppData\Local\Microsoft\Windows\INetCache\IE\QFX1KV1T\PPD_Bit-Driver-Updater_1[1].png

C:\Users\alfredo\AppData\Local\Temp\OperaSetup_exe_3162023214092374826251\OperaSetup.exe (copy)

C:\Users\alfredo\AppData\Local\Temp\OperaSetup_exe_3162023214092374826251\OperaSetup_exe.parts

C:\Users\alfredo\AppData\Local\Temp\SnippingToolPlusv3-4-1-0_zip_1162023214098482085251\SnippingToolPlusv3-4-1-0_zip.parts

C:\Users\alfredo\AppData\Local\Temp\avira_de_sptl1___chip-spotlight-release_exe_3162023214094295883251\avira_de_sptl1___chip-spotlight-release.exe (copy)

C:\Users\alfredo\AppData\Local\Temp\avira_de_sptl1___chip-spotlight-release_exe_3162023214094295883251\avira_de_sptl1___chip-spotlight-release_exe.parts

C:\Users\alfredo\AppData\Local\Temp\outsrf220429_exe_1162023214092743401251\outsrf220429.exe (copy)

C:\Users\alfredo\AppData\Local\Temp\outsrf220429_exe_1162023214092743401251\outsrf220429.exe.lnk

C:\Users\alfredo\AppData\Local\Temp\outsrf220429_exe_1162023214092743401251\outsrf220429_exe.parts

C:\Users\alfredo\AppData\Roaming\stubinstaller\133174844577776824.exe

C:\Users\alfredo\AppData\Roaming\stubinstaller\133174844577776824.exe.res

C:\Users\alfredo\AppData\Roaming\stubinstaller\msvcp140.dll

C:\Users\alfredo\AppData\Roaming\stubinstaller\vcruntime140.dll

C:\Users\alfredo\AppData\Roaming\stubinstaller\vcruntime140_1.dll

C:\Users\alfredo\Downloads\SnippingToolPlusv3-4-1-0.zip (copy)

Static File Info

General

File Icon

Static PE Info

General

Authenticode Signature

Entrypoint Preview

Data Directories

Windows Analysis Report
Snipping Tool Plus - CHIP Installer _Pvujx.exe