File name:

avast_secure_browser_setup.exe

Full analysis: https://app.any.run/tasks/c5d1817d-aa04-4fd2-8135-983ff2a3016b
Verdict: Malicious activity
Analysis date: November 29, 2023, 13:04:18
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
MD5:

3085510A65E8FE7BC9FBE80BF397BA17

SHA1:

B1333AEE22719E36AD7DF617B387CAAF1DF6469B

SHA256:

065615954D715FC33B16A8A6EF92C26E44ED81225EB7908D74F26F52BFAED17A

SSDEEP:

98304:MjMzSEAuMNS6jnOQdZxi+wcABFNjkIjrmNTT9stBkLdVxCvI0D6wxNvfP2zdeNa7:UCRKxZ

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • ajE454.exe (PID: 2476)
      • avast_secure_browser_setup.exe (PID: 2496)
    • Steals credentials from Web Browsers

      • ajE454.exe (PID: 2476)
    • Actions looks like stealing of personal data

      • ajE454.exe (PID: 2476)
  • SUSPICIOUS

    • The process verifies whether the antivirus software is installed

      • avast_secure_browser_setup.exe (PID: 2496)
      • ajE454.exe (PID: 2476)
    • Searches for installed software

      • avast_secure_browser_setup.exe (PID: 2496)
      • ajE454.exe (PID: 2476)
    • Reads the Internet Settings

      • ajE454.exe (PID: 2476)
    • Reads settings of System Certificates

      • ajE454.exe (PID: 2476)
    • Checks Windows Trust Settings

      • ajE454.exe (PID: 2476)
    • Reads security settings of Internet Explorer

      • ajE454.exe (PID: 2476)
  • INFO

    • Reads the machine GUID from the registry

      • wmpnscfg.exe (PID: 3004)
      • ajE454.exe (PID: 2476)
    • Reads the computer name

      • avast_secure_browser_setup.exe (PID: 2496)
      • ajE454.exe (PID: 2476)
    • Checks supported languages

      • avast_secure_browser_setup.exe (PID: 2496)
      • ajE454.exe (PID: 2476)
    • Reads Environment values

      • avast_secure_browser_setup.exe (PID: 2496)
      • ajE454.exe (PID: 2476)
    • Process checks computer location settings

      • avast_secure_browser_setup.exe (PID: 2496)
      • ajE454.exe (PID: 2476)
    • Create files in a temporary directory

      • ajE454.exe (PID: 2476)
      • avast_secure_browser_setup.exe (PID: 2496)
    • Checks proxy server information

      • ajE454.exe (PID: 2476)
    • Creates files or folders in the user directory

      • ajE454.exe (PID: 2476)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (42.2)
.exe | Win64 Executable (generic) (37.3)
.dll | Win32 Dynamic Link Library (generic) (8.8)
.exe | Win32 Executable (generic) (6)
.exe | Generic Win/DOS Executable (2.7)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2019:12:16 01:50:53+01:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit
PEType: PE32
LinkerVersion: 6
CodeSize: 26112
InitializedDataSize: 141824
UninitializedDataSize: 2048
EntryPoint: 0x350d
OSVersion: 4
ImageVersion: 6
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 8.11.5.7269
ProductVersionNumber: 8.11.5.7269
FileFlagsMask: 0x0000
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Arabic
CharacterSet: Windows, Arabic
BuildDate: 19700120T163136
BuildTimestamp: 1701096510
BuildVersion: 8.11.5.7269
FileDescription: إعداد Avast Secure Browser
FileVersion: 8.11.5.7269
InstallerCommit: 9f7fdfd50145d84250cbfc8b264b821d4fd70781
InstallerEdition: web
InstallerKeyword: avast-securebrowser
InternalName: Avast Secure Browser
JsisCommit: 9493fd2f0fa70e8e33fa09133b99cb45ce6442ca
LegalCopyright: حقوق الطبع والنشر (c) لعام 2023 محفوظة لشركة AVAST Software
OmahaVersion: 1.8.1653.5
ProductName: إعداد Avast Secure Browser
ProductVersion: 8.11.5.7269
No data.
All screenshots are available in the full report
Total processes
39
Monitored processes
3
Malicious processes
2
Suspicious processes
0

Behavior graph

Processes in graph: start, avast_secure_browser_setup.exe, aje454.exe, wmpnscfg.exe (no specs)

Process information

PID: 2476
CMD: "C:\Users\admin\AppData\Local\Temp\ajE454.exe" /relaunch=8 /was_elevated=0 /tagdata
Path: C:\Users\admin\AppData\Local\Temp\ajE454.exe
Parent process: avast_secure_browser_setup.exe
User:
admin
Integrity Level:
MEDIUM
Description:
Avast Secure Browser Setup
Exit code:
0
Version:
8.11.5.7269
Modules
Images
c:\users\admin\appdata\local\temp\aje454.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shell32.dll
PID: 2496
CMD: "C:\Users\admin\AppData\Local\Temp\avast_secure_browser_setup.exe"
Path: C:\Users\admin\AppData\Local\Temp\avast_secure_browser_setup.exe
Parent process: explorer.exe
User:
admin
Integrity Level:
MEDIUM
Description:
Avast Secure Browser Setup
Exit code:
0
Version:
8.11.5.7269
Modules
Images
c:\users\admin\appdata\local\temp\avast_secure_browser_setup.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shell32.dll
PID: 3004
CMD: "C:\Program Files\Windows Media Player\wmpnscfg.exe"
Path: C:\Program Files\Windows Media Player\wmpnscfg.exe
Parent process: explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Media Player Network Sharing Service Configuration Application
Exit code:
0
Version:
12.0.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\sspicli.dll
c:\windows\system32\ole32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\clbcatq.dll
Total events
6 001
Read events
5 974
Write events
24
Delete events
3

Modification events

(PID) Process: (3004) wmpnscfg.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Media Player NSS\3.0\Events\{F7F98F42-CCE6-4E62-B03E-FBAE1DEF63F1}\{617884B6-F84F-4A43-875F-393E2DDF9627}
Operation: delete key
Name: (default)
Value:

(PID) Process: (3004) wmpnscfg.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Media Player NSS\3.0\Events\{F7F98F42-CCE6-4E62-B03E-FBAE1DEF63F1}
Operation: delete key
Name: (default)
Value:

(PID) Process: (3004) wmpnscfg.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Health\{3C6484D6-164B-452E-A8F5-38AE4AC56601}
Operation: delete key
Name: (default)
Value:

(PID) Process: (2476) ajE454.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation: write
Name: CachePrefix
Value: Cookie:

(PID) Process: (2476) ajE454.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation: write
Name: CachePrefix
Value: Visited:

(PID) Process: (2476) ajE454.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Operation: write
Name: ProxyEnable
Value: 0

(PID) Process: (2476) ajE454.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
Operation: write
Name: SavedLegacySettings
Value: 4600000059010000090000000000000000000000000000000400000000000000C0E333BBEAB1D3010000000000000000000000000100000002000000C0A8016B000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000

(PID) Process: (2476) ajE454.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: ProxyBypass
Value: 1

(PID) Process: (2476) ajE454.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: IntranetName
Value: 1

(PID) Process: (2476) ajE454.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: UNCAsIntranet
Value: 1
Executable files
23
Suspicious files
11
Text files
0
Unknown types
0

Dropped files

PID | Process | Filename | Type | MD5 | SHA256
2496 | avast_secure_browser_setup.exe | C:\Users\admin\AppData\Local\Temp\nsyDADE.tmp\reboot.dll | executable | 2A6A9C73EA41A4634413F626087EA4B4 | 1F9FC5B90F75AEA4BAE67F2B88791EE488DE61FB959BE7A8795ADC47FA45C3DE
2496 | avast_secure_browser_setup.exe | C:\Users\admin\AppData\Local\Temp\nsyDADE.tmp\AccessControl.dll | executable | A1B76C4386328C2A243FC4D2B35328AF | BAC3B3A526EB67AE375A9FE29CAB6268536E44C2ECE1239B65BD1827D055157A
2496 | avast_secure_browser_setup.exe | C:\Users\admin\AppData\Local\Temp\nsyDADE.tmp\Midex.dll | executable | E4EB6EE3CC523D52DDDD018497DE64C5 | 75BF6CCE57CE3089F662E0E0700FCD28903FD0DAB06ECF47714F75A411A68305
2496 | avast_secure_browser_setup.exe | C:\Users\admin\AppData\Local\Temp\nsyDADE.tmp\inetc.dll | executable | 23E0A7D53E3DF83685B70EA8CE33DC37 | 96A871F048202C26B85487E24593080D6A95C271ACAF5CD676BD2E2D96DE57DB
2496 | avast_secure_browser_setup.exe | C:\Users\admin\AppData\Local\Temp\nsyDADE.tmp\thirdparty.dll | executable | C855765DD1290045D985FFA2CA6D4882 | 8C0222A57A491960CB86E167BC17188D581BE9B64CAE8BA3A6EC1A56B9091931
2496 | avast_secure_browser_setup.exe | C:\Users\admin\AppData\Local\Temp\nsyDADE.tmp\JsisPlugins.dll | executable | BF61CEDF96EE9D9ADE414B55EC92B3C0 | 585F40B7428AC8258BBF7436A338B8235B9AA2516C42E669C6D1837CCE9CAD03
2476 | ajE454.exe | C:\Users\admin\AppData\Local\Temp\nssE5DA.tmp\FF.places.tmp | - | - | -
2496 | avast_secure_browser_setup.exe | C:\Users\admin\AppData\Local\Temp\nsyDADE.tmp\jsis.dll | executable | EEB9DC60D33C7F9479DD6F0A2DB6EC3C | B3962B7EC5E21EA51BC4D9F42E293C77F3DA4632C711924619F2343AFF4D138A
2476 | ajE454.exe | C:\Users\admin\AppData\Local\Temp\nssE5DA.tmp\nsJSON.dll | executable | A6866A31DE35CD31009FB535693A8612 | D3A1C0D5E3DB477595D3F3A41B2704405AD992D346397BEDD8DAF31F104F5300
2476 | ajE454.exe | C:\Users\admin\AppData\Local\Temp\nssE5DA.tmp\jsis.dll | executable | EEB9DC60D33C7F9479DD6F0A2DB6EC3C | B3962B7EC5E21EA51BC4D9F42E293C77F3DA4632C711924619F2343AFF4D138A
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
4
TCP/UDP connections
9
DNS requests
5
Threats
0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
1080 | svchost.exe | GET | 304 | 8.253.207.120:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?60b2f43ad8cf70d9 | unknown | - | - | unknown
2476 | ajE454.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAhflMAthXvozBT%2FU%2B2iPio%3D | unknown | binary | 471 b | unknown
1080 | svchost.exe | GET | 200 | 8.253.207.120:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?8c278ce706dba7cc | unknown | compressed | 65.2 Kb | unknown
2476 | ajE454.exe | GET | 200 | 8.253.207.120:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?991511079402e352 | unknown | compressed | 4.66 Kb | unknown

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
1080 | svchost.exe | 224.0.0.252:5355 | - | - | - | unknown
2588 | svchost.exe | 239.255.255.250:1900 | - | - | - | whitelisted
2476 | ajE454.exe | 104.20.159.62:443 | stats.securebrowser.com | CLOUDFLARENET | - | unknown
2476 | ajE454.exe | 8.253.207.120:80 | ctldl.windowsupdate.com | LEVEL3 | US | unknown
2476 | ajE454.exe | 192.229.221.95:80 | ocsp.digicert.com | EDGECAST | US | whitelisted
1080 | svchost.exe | 8.253.207.120:80 | ctldl.windowsupdate.com | LEVEL3 | US | unknown

DNS requests

Domain
IP
Reputation
stats.securebrowser.com
  • 104.20.159.62
  • 104.20.158.62
unknown
ctldl.windowsupdate.com
  • 8.253.207.120
  • 67.26.137.254
  • 8.253.95.249
  • 8.248.147.254
  • 8.248.149.254
whitelisted
ocsp.digicert.com
  • 192.229.221.95
whitelisted

Threats

No threats detected
Process
Message
avast_secure_browser_setup.exe
2023-11-29T13:04:29 [libnsis] {000009c0:00000c20} <2:Info> (893f00f663353e48\src\jsis-plugins\plugins\Plugin.cpp:82) JSIS Plugin logging enabled
avast_secure_browser_setup.exe
2023-11-29T13:04:29 [libnsis] {000009c0:00000c20} <1:Debug> (91aa05bf654a77ad\src\sbplugins\windows\RCData.cpp:62) Throwing exception 0x00000400000715
avast_secure_browser_setup.exe
2023-11-29T13:04:29 [libnsis] {000009c0:00000c20} <4:Error> (893f00f663353e48\src\jsis-plugins\plugins\UtilitiesPlugin\TagData.cpp:85) 0x00000400000715 91aa05bf654a77ad\src\sbplugins\windows\RCData.cpp:62
ajE454.exe
2023-11-29T13:04:31 [libnsis] {000009ac:00000d18} <2:Info> (893f00f663353e48\src\jsis-plugins\plugins\Plugin.cpp:82) JSIS Plugin logging enabled
ajE454.exe
2023-11-29T13:04:31 [libnsis] {000009ac:00000d18} <1:Debug> (6641f181bd7f7928\src\acu\database\Sqlite.cpp:75) Execute Sqlite query SELECT ((visits.visit_time/1000000)-11644473600) /60 /60 / 24 AS vtime FROM 'visits' WHERE vtime >= 19660 AND vtime <= 19691 GROUP BY vtime
ajE454.exe
2023-11-29T13:04:31 [libnsis] {000009ac:00000d18} <1:Debug> (6641f181bd7f7928\src\acu\database\Sqlite.cpp:38) Oepn Sqlite DB C:\Users\admin\AppData\Local\Temp\nssE5DA.tmp\CR.History.tmp
ajE454.exe
2023-11-29T13:04:31 [libnsis] {000009ac:00000d18} <1:Debug> (6641f181bd7f7928\src\acu\database\Sqlite.cpp:38) Oepn Sqlite DB C:\Users\admin\AppData\Local\Temp\nssE5DA.tmp\CR.History.tmp
ajE454.exe
2023-11-29T13:04:31 [libnsis] {000009ac:00000d18} <1:Debug> (6641f181bd7f7928\src\acu\database\Sqlite.cpp:75) Execute Sqlite query SELECT ((visits.visit_time/1000000)-11644473600) /60 /60 / 24 AS vtime FROM 'visits' WHERE vtime >= 19660 AND vtime <= 19691 GROUP BY vtime
ajE454.exe
2023-11-29T13:04:31 [libnsis] {000009ac:00000d18} <1:Debug> (6641f181bd7f7928\src\acu\database\Sqlite.cpp:38) Oepn Sqlite DB C:\Users\admin\AppData\Local\Temp\nssE5DA.tmp\FF.places.tmp
ajE454.exe
2023-11-29T13:04:31 [libnsis] {000009ac:00000d18} <1:Debug> (6641f181bd7f7928\src\acu\database\Sqlite.cpp:75) Execute Sqlite query SELECT last_visit_date / 1000000 /60 /60 / 24 AS vtime FROM 'moz_places' WHERE vtime >= 19660 AND vtime <= 19691 GROUP BY vtime