File name: quick-view-plus_6zBb-C1.exe

Full analysis: https://app.any.run/tasks/1abcb91e-ad5e-462f-bbd3-84ca72e5d5eb
Verdict: Malicious activity
Threats:

Adware is a form of malware that targets users with unwanted advertisements, often disrupting their browsing experience. It typically infiltrates systems through software bundling, malicious websites, or deceptive downloads. Once installed, it may track user activity, collect sensitive data, and display intrusive ads, including pop-ups or banners. Some advanced adware variants can bypass security measures and establish persistence on devices, making removal challenging. Additionally, adware can create vulnerabilities that other malware can exploit, posing a significant risk to user privacy and system security.

Analysis date: February 16, 2025, 08:55:56
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags: adware, innosetup, delphi, inno, installer, loader, arch-exec, arch-scr
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 11 sections
MD5: DEC7ECDC18936AB5812B9775228C533C
SHA1: 0268F7E8F1C73B8F7E4DB06C0CBA34165797D2C5
SHA256: 3EEFC6D97C40705859D703A5D5B1FFE4A6250CDEEBE579A9B5053230FF284901
SSDEEP: 98304:urq3Bdwu/Kiy69v/P4IzQ0eHJI7Ncm3g2irf2J8OQij8jRZukpXMDmdcq465cDC4:AtIp

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • INNOSETUP has been detected (SURICATA)

      • quick-view-plus_6zBb-C1.tmp (PID: 6648)
    • Executing a file with an untrusted certificate

      • ISBEW64.exe (PID: 7884)
      • InstallShield Licensing Service.exe (PID: 7284)
    • Changes the autorun value in the registry

      • vcredist_x86.exe (PID: 3420)
      • VCREDI~3.EXE (PID: 2756)
      • InstallShield Licensing Service.exe (PID: 7284)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • quick-view-plus_6zBb-C1.exe (PID: 6352)
      • quick-view-plus_6zBb-C1.exe (PID: 6624)
      • quick-view-plus_6zBb-C1.tmp (PID: 6648)
      • avg_antivirus_free_online_setup.exe (PID: 6256)
      • avg_antivirus_free_setup.exe (PID: 6068)
      • quick-view-plus.exe (PID: 3128)
      • icarus.exe (PID: 1520)
      • icarus.exe (PID: 7724)
      • vcredist_x86.exe (PID: 3420)
      • VCREDI~3.EXE (PID: 2756)
      • TiWorker.exe (PID: 1476)
      • qvp32.exe (PID: 6332)
      • icarus.exe (PID: 7716)
    • Reads security settings of Internet Explorer

      • quick-view-plus_6zBb-C1.tmp (PID: 6384)
      • quick-view-plus_6zBb-C1.tmp (PID: 6648)
      • qvp32.exe (PID: 6332)
    • Reads the Windows owner or organization settings

      • quick-view-plus_6zBb-C1.tmp (PID: 6648)
      • msiexec.exe (PID: 5728)
    • Potential Corporate Privacy Violation

      • quick-view-plus_6zBb-C1.tmp (PID: 6648)
    • Access to an unwanted program domain was detected

      • quick-view-plus_6zBb-C1.tmp (PID: 6648)
    • Process requests binary or script from the Internet

      • quick-view-plus_6zBb-C1.tmp (PID: 6648)
    • Searches for installed software

      • quick-view-plus.exe (PID: 3128)
      • prereq.exe (PID: 7068)
      • qvp32.exe (PID: 6332)
    • Executes application which crashes

      • quick-view-plus_6zBb-C1.tmp (PID: 6648)
    • Starts itself from another location

      • icarus.exe (PID: 1520)
    • The process creates files with name similar to system file names

      • icarus.exe (PID: 7724)
      • quick-view-plus.exe (PID: 3128)
      • qvp32.exe (PID: 6332)
    • Process drops legitimate windows executable

      • quick-view-plus.exe (PID: 3128)
      • icarus.exe (PID: 7724)
      • vcredist_x86.exe (PID: 3420)
      • msiexec.exe (PID: 5728)
      • TiWorker.exe (PID: 1476)
    • Starts a Microsoft application from unusual location

      • vcredist_x86.exe (PID: 3420)
      • VCREDI~3.EXE (PID: 2756)
    • The process drops C-runtime libraries

      • msiexec.exe (PID: 5728)
      • icarus.exe (PID: 7724)
      • TiWorker.exe (PID: 1476)
    • There is functionality for taking screenshot (YARA)

      • avg_antivirus_free_setup.exe (PID: 6068)
      • quick-view-plus.exe (PID: 3128)
    • Executes as Windows Service

      • InstallShield Licensing Service.exe (PID: 7284)
    • Drops a system driver (possible attempt to evade defenses)

      • icarus.exe (PID: 7724)
    • Creates/Modifies COM task schedule object

      • quick-view-plus.exe (PID: 3128)
      • InstallShield Licensing Service.exe (PID: 7284)
    • Starts application with an unusual extension

      • quick-view-plus.exe (PID: 3128)
      • qvp32.exe (PID: 6332)
    • Creates a software uninstall entry

      • quick-view-plus.exe (PID: 3128)
    • Reads Internet Explorer settings

      • quick-view-plus.exe (PID: 3128)
      • qvp32.exe (PID: 6332)
    • The process executes via Task Scheduler

      • PLUGScheduler.exe (PID: 2244)
    • The process verifies whether the antivirus software is installed

      • icarus.exe (PID: 7716)
      • icarus.exe (PID: 7724)
  • INFO

    • Checks supported languages

      • quick-view-plus_6zBb-C1.exe (PID: 6352)
      • quick-view-plus_6zBb-C1.tmp (PID: 6384)
      • quick-view-plus_6zBb-C1.exe (PID: 6624)
      • quick-view-plus_6zBb-C1.tmp (PID: 6648)
      • avg_antivirus_free_online_setup.exe (PID: 6256)
      • avg_antivirus_free_setup.exe (PID: 6068)
      • quick-view-plus.exe (PID: 3128)
      • icarus.exe (PID: 7724)
      • icarus.exe (PID: 7716)
      • icarus.exe (PID: 1520)
      • ISBEW64.exe (PID: 7884)
      • identity_helper.exe (PID: 2084)
      • vcredist_x86.exe (PID: 3420)
      • prereq.exe (PID: 7068)
      • VCREDI~3.EXE (PID: 2756)
      • msiexec.exe (PID: 5728)
      • msiexec.exe (PID: 644)
      • InstallShield Licensing Service.exe (PID: 7284)
      • ISASClean.0001 (PID: 7224)
      • PLUGScheduler.exe (PID: 2244)
      • qvp32.exe (PID: 6332)
      • ISASClean.0001 (PID: 6416)
    • Reads the computer name

      • quick-view-plus_6zBb-C1.tmp (PID: 6384)
      • quick-view-plus_6zBb-C1.exe (PID: 6624)
      • quick-view-plus_6zBb-C1.tmp (PID: 6648)
      • avg_antivirus_free_setup.exe (PID: 6068)
      • avg_antivirus_free_online_setup.exe (PID: 6256)
      • icarus.exe (PID: 1520)
      • quick-view-plus.exe (PID: 3128)
      • icarus.exe (PID: 7724)
      • ISBEW64.exe (PID: 7884)
      • icarus.exe (PID: 7716)
      • prereq.exe (PID: 7068)
      • identity_helper.exe (PID: 2084)
      • msiexec.exe (PID: 5728)
      • msiexec.exe (PID: 644)
      • InstallShield Licensing Service.exe (PID: 7284)
      • PLUGScheduler.exe (PID: 2244)
      • qvp32.exe (PID: 6332)
    • Create files in a temporary directory

      • quick-view-plus_6zBb-C1.exe (PID: 6352)
      • quick-view-plus_6zBb-C1.exe (PID: 6624)
      • quick-view-plus_6zBb-C1.tmp (PID: 6648)
      • avg_antivirus_free_online_setup.exe (PID: 6256)
      • quick-view-plus.exe (PID: 3128)
      • prereq.exe (PID: 7068)
      • vcredist_x86.exe (PID: 3420)
      • VCREDI~3.EXE (PID: 2756)
      • qvp32.exe (PID: 6332)
    • Process checks computer location settings

      • quick-view-plus_6zBb-C1.tmp (PID: 6384)
      • quick-view-plus_6zBb-C1.tmp (PID: 6648)
      • qvp32.exe (PID: 6332)
    • Detects InnoSetup installer (YARA)

      • quick-view-plus_6zBb-C1.exe (PID: 6352)
      • quick-view-plus_6zBb-C1.tmp (PID: 6384)
    • Compiled with Borland Delphi (YARA)

      • quick-view-plus_6zBb-C1.exe (PID: 6352)
      • quick-view-plus_6zBb-C1.tmp (PID: 6384)
    • The sample compiled with english language support

      • quick-view-plus_6zBb-C1.tmp (PID: 6648)
      • avg_antivirus_free_online_setup.exe (PID: 6256)
      • avg_antivirus_free_setup.exe (PID: 6068)
      • icarus.exe (PID: 1520)
      • quick-view-plus.exe (PID: 3128)
      • icarus.exe (PID: 7724)
      • vcredist_x86.exe (PID: 3420)
      • msiexec.exe (PID: 5728)
      • TiWorker.exe (PID: 1476)
      • qvp32.exe (PID: 6332)
      • icarus.exe (PID: 7716)
    • Reads the software policy settings

      • quick-view-plus_6zBb-C1.tmp (PID: 6648)
      • avg_antivirus_free_online_setup.exe (PID: 6256)
      • avg_antivirus_free_setup.exe (PID: 6068)
      • WerFault.exe (PID: 7224)
      • WerFault.exe (PID: 4968)
    • Reads the machine GUID from the registry

      • quick-view-plus_6zBb-C1.tmp (PID: 6648)
      • avg_antivirus_free_online_setup.exe (PID: 6256)
      • avg_antivirus_free_setup.exe (PID: 6068)
      • icarus.exe (PID: 1520)
      • icarus.exe (PID: 7716)
      • icarus.exe (PID: 7724)
    • Checks proxy server information

      • quick-view-plus_6zBb-C1.tmp (PID: 6648)
      • avg_antivirus_free_online_setup.exe (PID: 6256)
      • WerFault.exe (PID: 4968)
      • WerFault.exe (PID: 7224)
    • Creates files in the program directory

      • avg_antivirus_free_online_setup.exe (PID: 6256)
      • icarus.exe (PID: 1520)
      • icarus.exe (PID: 7724)
      • quick-view-plus.exe (PID: 3128)
      • icarus.exe (PID: 7716)
      • InstallShield Licensing Service.exe (PID: 7284)
      • PLUGScheduler.exe (PID: 2244)
    • Application launched itself

      • msedge.exe (PID: 624)
      • msedge.exe (PID: 5792)
      • msedge.exe (PID: 8008)
    • Manual execution by a user

      • msedge.exe (PID: 624)
      • qvp32.exe (PID: 6332)
    • Reads CPU info

      • icarus.exe (PID: 1520)
      • icarus.exe (PID: 7716)
      • icarus.exe (PID: 7724)
    • Reads Environment values

      • icarus.exe (PID: 7724)
      • identity_helper.exe (PID: 2084)
    • Creates files or folders in the user directory

      • WerFault.exe (PID: 4968)
      • WerFault.exe (PID: 7224)
      • quick-view-plus.exe (PID: 3128)
    • The sample compiled with german language support

      • msiexec.exe (PID: 5728)
      • TiWorker.exe (PID: 1476)
    • The sample compiled with chinese language support

      • msiexec.exe (PID: 5728)
      • TiWorker.exe (PID: 1476)
    • The sample compiled with spanish language support

      • msiexec.exe (PID: 5728)
      • TiWorker.exe (PID: 1476)
    • Executable content was dropped or overwritten

      • msiexec.exe (PID: 5728)
    • The sample compiled with Italian language support

      • msiexec.exe (PID: 5728)
      • TiWorker.exe (PID: 1476)
    • The sample compiled with korean language support

      • msiexec.exe (PID: 5728)
      • TiWorker.exe (PID: 1476)
    • Creates a software uninstall entry

      • msiexec.exe (PID: 5728)
    • The sample compiled with czech language support

      • icarus.exe (PID: 7724)
    • The sample compiled with japanese language support

      • TiWorker.exe (PID: 1476)
      • msiexec.exe (PID: 5728)
    • The sample compiled with french language support

      • msiexec.exe (PID: 5728)
      • TiWorker.exe (PID: 1476)
    • Reads security settings of Internet Explorer

      • splwow64.exe (PID: 6160)
      • splwow64.exe (PID: 6556)
No Malware configuration.

TRiD

.exe | Inno Setup installer (53.5)
.exe | InstallShield setup (21)
.exe | Win32 EXE PECompact compressed (generic) (20.2)
.exe | Win32 Executable (generic) (2.1)
.exe | Win16/32 Executable Delphi generic (1)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2024:07:12 07:26:53+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 2.25
CodeSize: 685056
InitializedDataSize: 159744
UninitializedDataSize: -
EntryPoint: 0xa83bc
OSVersion: 6.1
ImageVersion: -
SubsystemVersion: 6.1
Subsystem: Windows GUI
FileVersionNumber: 2.4.0.9134
ProductVersionNumber: 2.4.0.9134
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
Comments: This installation was built with Inno Setup.
CompanyName:
FileDescription: IMDownloader Installer
FileVersion: 2.4.0.9134
LegalCopyright:
OriginalFileName:
ProductName: IMDownloader
ProductVersion: 2.4.0.9134
No data.
All screenshots are available in the full report
Total processes: 348
Monitored processes: 79
Malicious processes: 13
Suspicious processes: 5

Behavior graph

start quick-view-plus_6zbb-c1.exe quick-view-plus_6zbb-c1.tmp no specs quick-view-plus_6zbb-c1.exe #INNOSETUP quick-view-plus_6zbb-c1.tmp avg_antivirus_free_setup.exe avg_antivirus_free_online_setup.exe quick-view-plus.exe msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe msedge.exe no specs icarus.exe msedge.exe no specs msedge.exe msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs werfault.exe msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs icarus.exe icarus.exe isbew64.exe no specs msedge.exe msedge.exe no specs msedge.exe no specs msedge.exe msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs identity_helper.exe no specs identity_helper.exe no specs werfault.exe msedge.exe no specs msedge.exe no specs msedge.exe no specs prereq.exe no specs vcredist_x86.exe vcredi~3.exe msiexec.exe no specs msiexec.exe msiexec.exe no specs tiworker.exe msedge.exe no specs msedge.exe no specs msedge.exe no specs installshield licensing service.exe isasclean.0001 no specs msedge.exe no specs splwow64.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs plugscheduler.exe no specs qvp32.exe isasclean.0001 no specs splwow64.exe no specs winword.exe winword.exe no specs ai.exe no specs

Process information

PID: 236
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=5380 --field-trial-handle=2264,i,7605403405206664251,7850999634444627121,262144 --variations-seed-version /prefetch:8
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User: admin
Company: Microsoft Corporation
Integrity Level: LOW
Description: Microsoft Edge
Exit code: 0
Version: 122.0.2365.59
Modules (images):
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 624
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --flag-switches-begin --flag-switches-end --do-not-de-elevate --single-argument https://en.download.it/?typ=1
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft Edge
Exit code: 0
Version: 122.0.2365.59
Modules (images):
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 644
CMD: C:\Windows\syswow64\MsiExec.exe -Embedding 9C29B91669A28E51736DB2D5664212C7
Path: C:\Windows\SysWOW64\msiexec.exe
Parent process: msiexec.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows® installer
Exit code: 0
Version: 5.0.19041.3636 (WinBuild.160101.0800)
Modules (images):
c:\windows\syswow64\msiexec.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\aclayers.dll
PID: 648
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --extension-process --renderer-sub-type=extension --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3736 --field-trial-handle=2264,i,7605403405206664251,7850999634444627121,262144 --variations-seed-version /prefetch:2
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User: admin
Company: Microsoft Corporation
Integrity Level: LOW
Description: Microsoft Edge
Exit code: 0
Version: 122.0.2365.59
Modules (images):
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 716
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=5056 --field-trial-handle=2264,i,7605403405206664251,7850999634444627121,262144 --variations-seed-version /prefetch:8
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User: admin
Company: Microsoft Corporation
Integrity Level: LOW
Description: Microsoft Edge
Exit code: 0
Version: 122.0.2365.59
Modules (images):
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 980
CMD: "C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\ai.exe" "F7B87439-719A-424F-A9F3-3F4BE42E07CD" "5BE7A7A5-CFE3-4F50-8039-56FFE0C7ADE5" "6884"
Path: C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\ai.exe
Parent process: WINWORD.EXE
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Artificial Intelligence (AI) Host for the Microsoft® Windows® Operating System and Platform x64.
Exit code: 0
Version: 0.12.2.0
Modules (images):
c:\program files\microsoft office\root\vfs\programfilescommonx64\microsoft shared\office16\ai.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\common files\microsoft shared\clicktorun\appvisvsubsystems64.dll
c:\windows\system32\advapi32.dll
c:\program files\common files\microsoft shared\clicktorun\c2r64.dll
c:\windows\system32\ole32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ucrtbase.dll
PID: 1476
CMD: C:\WINDOWS\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.3989_none_7ddb45627cb30e03\TiWorker.exe -Embedding
Path: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.3989_none_7ddb45627cb30e03\TiWorker.exe
Parent process: svchost.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Windows Modules Installer Worker
Exit code: 0
Version: 10.0.19041.3989 (WinBuild.160101.0800)
Modules (images):
c:\windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.3989_none_7ddb45627cb30e03\tiworker.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
PID: 1520
CMD: C:\WINDOWS\Temp\asw-106c86e6-71bb-4dbd-bf46-ba9e72a2fccd\common\icarus.exe /icarus-info-path:C:\WINDOWS\Temp\asw-106c86e6-71bb-4dbd-bf46-ba9e72a2fccd\icarus-info.xml /install /silent /ws /psh:92pTuf4T6IUVZg3hLq1jbts1BhDVBH3iIjJXUBe7hJjngjsQG6GmRug7nLaQr1u1BOyAwlXaGLcElI /cookie:mmm_irs_ppi_902_451_o /edat_dir:C:\WINDOWS\Temp\asw.105de2cf462971eb /track-guid:aa4560cc-e947-4e06-8093-4d6944816cf0
Path: C:\Windows\Temp\asw-106c86e6-71bb-4dbd-bf46-ba9e72a2fccd\common\icarus.exe
Parent process: avg_antivirus_free_online_setup.exe
User: admin
Company: Gen Digital Inc.
Integrity Level: HIGH
Description: AVG Installer
Exit code: 1073807364
Version: 25.1.8538.0
Modules (images):
c:\windows\temp\asw-106c86e6-71bb-4dbd-bf46-ba9e72a2fccd\common\icarus.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shell32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\user32.dll
PID: 1868
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=4276 --field-trial-handle=2264,i,7605403405206664251,7850999634444627121,262144 --variations-seed-version /prefetch:8
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User: admin
Company: Microsoft Corporation
Integrity Level: LOW
Description: Microsoft Edge
Exit code: 0
Version: 122.0.2365.59
Modules (images):
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 2084
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.59\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=4900 --field-trial-handle=2264,i,7605403405206664251,7850999634444627121,262144 --variations-seed-version /prefetch:8
Path: C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.59\identity_helper.exe
Parent process: msedge.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: PWA Identity Proxy Host
Exit code: 0
Version: 122.0.2365.59
Modules (images):
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\identity_helper.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
Total events: 37 853
Read events: 35 840
Write events: 1 877
Delete events: 136

Modification events

Process: (6648) quick-view-plus_6zBb-C1.tmp
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories\{56FFCC30-D398-11D0-B2AE-00A0C908FA49}\Enum
Operation: write
Name: Implementing
Value: 1C00000001000000E907020000001000080038001500C600010000001E768127E028094199FEB9D127C57AFE

Process: (6648) quick-view-plus_6zBb-C1.tmp
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached
Operation: write
Name: {2781761E-28E0-4109-99FE-B9D127C57AFE} {56FFCC30-D398-11D0-B2AE-00A0C908FA49} 0xFFFF
Value: 0100000000000000C7663AA65080DB01

Process: (6256) avg_antivirus_free_online_setup.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\1D0EC6DE-4A80-4CC3-A335-E6E41C951198
Operation: write
Name: 8C5CFDF4-AB05-4EB0-8EF6-7B4620DC2CF3
Value: AQAAANCMnd8BFdERjHoAwE/Cl+sBAAAAnrlYxaSrR0ek+5MBpQJRUgQAAAACAAAAAAAQZgAAAAEAACAAAABbRnyO4t1w8dxJjB683oiW3UnNp6K9Ra+mr/5fyvAIiwAAAAAOgAAAAAIAACAAAAB7PQ5b96Q/z5vZcmppCFYJ39DEB3iCL9AyHJwP6hdlDlAAAAAIeRWs7A65++oquw2KgWuuZa9ukIL8bRyTtpAy56f1iQLZbQbqRQ28zQS3/v3gPWIPFnlvInQt9nVAH7w32FQTTOQvExjkYOhokMR/Nrb6bUAAAAAZd9/7r6N8gAJFk5q/rdYIITwVup+nXXC6q7OSNyckhJTJG144zZditZa15QU2nOIFUWFgTT3epBDaJcDePfmn

Process: (6256) avg_antivirus_free_online_setup.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\C06AEB9D-8774-46E7-8160-8321BCD14D9F
Operation: write
Name: 5E1D6A55-0134-486E-A166-38C2E4919BB1
Value: AQAAANCMnd8BFdERjHoAwE/Cl+sBAAAAnrlYxaSrR0ek+5MBpQJRUgQAAAACAAAAAAAQZgAAAAEAACAAAABbRnyO4t1w8dxJjB683oiW3UnNp6K9Ra+mr/5fyvAIiwAAAAAOgAAAAAIAACAAAAB7PQ5b96Q/z5vZcmppCFYJ39DEB3iCL9AyHJwP6hdlDlAAAAAIeRWs7A65++oquw2KgWuuZa9ukIL8bRyTtpAy56f1iQLZbQbqRQ28zQS3/v3gPWIPFnlvInQt9nVAH7w32FQTTOQvExjkYOhokMR/Nrb6bUAAAAAZd9/7r6N8gAJFk5q/rdYIITwVup+nXXC6q7OSNyckhJTJG144zZditZa15QU2nOIFUWFgTT3epBDaJcDePfmn

Process: (6256) avg_antivirus_free_online_setup.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\1D0EC6DE-4A80-4CC3-A335-E6E41C951198
Operation: write
Name: 144807F0-DE37-4C62-9C05-EB4CC64A7A2F
Value: 01ffb1f8-05c1-43a1-bc16-7767ff7e48ac

Process: (6256) avg_antivirus_free_online_setup.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\C06AEB9D-8774-46E7-8160-8321BCD14D9F
Operation: write
Name: 56C7A9DA-4B11-406A-8B1A-EFF157C294D6
Value: 01ffb1f8-05c1-43a1-bc16-7767ff7e48ac

Process: (6256) avg_antivirus_free_online_setup.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\1D0EC6DE-4A80-4CC3-A335-E6E41C951198
Operation: write
Name: 5FD38555-4B16-40AE-9A09-E2C969CB74AF
Value: F6D4F52220BB5A3D7246A004278BB23F

Process: (6256) avg_antivirus_free_online_setup.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\C06AEB9D-8774-46E7-8160-8321BCD14D9F
Operation: write
Name: 7CCD586D-2ABC-42FF-A23B-3731F4F183D9
Value: F6D4F52220BB5A3D7246A004278BB23F

Process: (6648) quick-view-plus_6zBb-C1.tmp
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer
Operation: write
Name: SlowContextMenuEntries
Value: 6024B221EA3A6910A2DC08002B30309D0A010000BD0E0C47735D584D9CEDE91E22E23282770100000114020000000000C0000000000000468D0000006078A409B011A54DAFA526D86198A780390100009AD298B2EDA6DE11BA8CA68E55D895936E000000

Process: (5792) msedge.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\BLBeacon
Operation: write
Name: failed_count
Value: 0
Executable files: 1 115
Suspicious files: 1 514
Text files: 454
Unknown types: 0

Dropped files

PID | Process | Filename | Type
6352 | quick-view-plus_6zBb-C1.exe | C:\Users\admin\AppData\Local\Temp\is-SR0HQ.tmp\quick-view-plus_6zBb-C1.tmp | executable
  MD5: DE4E6F20A126C887E4D1882CE07EF3AD
  SHA256: 8B9B174873ABE205D93FC90FA37C3DBE7C70C1C6F4357CBF227F580800FA7AAF
6648 | quick-view-plus_6zBb-C1.tmp | C:\Users\admin\AppData\Local\Temp\is-DDU17.tmp\error.png | image
  MD5: 6229A2BAFFED4578DD5DDC1530A93711
  SHA256: 04C8CADFCC46532CB1011693ADEF864201DBD9DEFFECA834D791F66E690D9F99
6648 | quick-view-plus_6zBb-C1.tmp | C:\Users\admin\AppData\Local\Temp\is-DDU17.tmp\_isetup\_setup64.tmp | executable
  MD5: E4211D6D009757C078A9FAC7FF4F03D4
  SHA256: 388A796580234EFC95F3B1C70AD4CB44BFDDC7BA0F9203BF4902B9929B136F95
6068 | avg_antivirus_free_setup.exe | C:\Windows\Temp\asw.105de2cf462971eb\avg_antivirus_free_online_setup.exe | executable
  MD5: 5557D312D77B2E9EBC4F41FE6115B6CD
  SHA256: 4A271EAC55053C777DBD1F03936EA9BE1CC0F00932AE04CB57E515AA7D382B24
6648 | quick-view-plus_6zBb-C1.tmp | C:\Users\admin\AppData\Local\Temp\is-DDU17.tmp\is-AFLJ7.tmp | image
  MD5: 1FA106851AA9B2EC85CEB8A3101B701E
  SHA256: E667A708D2EC418E86BAE8BD11DBB720BA8617FFBF0E25CF4E16D7B8B81A656A
6648 | quick-view-plus_6zBb-C1.tmp | C:\Users\admin\AppData\Local\Temp\is-DDU17.tmp\AVG_AV.png | image
  MD5: AEE8E80B35DCB3CF2A5733BA99231560
  SHA256: 35BBD8F390865173D65BA2F38320A04755541A0783E9F825FDB9862F80D97AA9
6648 | quick-view-plus_6zBb-C1.tmp | C:\Users\admin\AppData\Local\Temp\is-DDU17.tmp\loader.gif | image
  MD5: 12D7FD91A06CEE2D0E76ABE0485036EE
  SHA256: A6192B9A3FA5DB9917AEF72D651B7AD8FD8CCB9B53F3AD99D7C46701D00C78CB
6648 | quick-view-plus_6zBb-C1.tmp | C:\Users\admin\AppData\Local\Temp\is-DDU17.tmp\mainlogo.png | image
  MD5: 1FA106851AA9B2EC85CEB8A3101B701E
  SHA256: E667A708D2EC418E86BAE8BD11DBB720BA8617FFBF0E25CF4E16D7B8B81A656A
6648 | quick-view-plus_6zBb-C1.tmp | C:\Users\admin\AppData\Local\Temp\is-DDU17.tmp\finish.png | image
  MD5: ACD67FADC51D3FCCBFD203FC3E1014C0
  SHA256: 2F957C214D817241B0AE02FE87C658CFA2BF641FDD77B39810BA7CA7A82F9366
6648 | quick-view-plus_6zBb-C1.tmp | C:\Users\admin\AppData\Local\Temp\is-DDU17.tmp\is-QLLAJ.tmp | image
  MD5: AEE8E80B35DCB3CF2A5733BA99231560
  SHA256: 35BBD8F390865173D65BA2F38320A04755541A0783E9F825FDB9862F80D97AA9
HTTP(S) requests: 39
TCP/UDP connections: 169
DNS requests: 177
Threats: 2

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Reputation
(The Type and Size columns are empty for every row in this report.)
4712 | MoUsoCoreWorker.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted
4712 | MoUsoCoreWorker.exe | GET | 200 | 23.48.23.143:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
5064 | SearchApp.exe | GET | 200 | 184.30.131.245:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D | unknown | whitelisted
1176 | svchost.exe | GET | 200 | 184.30.131.245:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | whitelisted
6648 | quick-view-plus_6zBb-C1.tmp | GET | 200 | 104.26.2.86:80 | http://dlams.jalecdn.com/US/quick-view-plus.exe | unknown | unknown
6068 | avg_antivirus_free_setup.exe | POST | 204 | 34.117.223.223:80 | http://v7event.stats.avast.com/cgi-bin/iavsevents.cgi | unknown | whitelisted
6068 | avg_antivirus_free_setup.exe | POST | 200 | 142.250.186.174:80 | http://www.google-analytics.com/collect | unknown | whitelisted
6068 | avg_antivirus_free_setup.exe | POST | 204 | 34.117.223.223:80 | http://v7event.stats.avast.com/cgi-bin/iavsevents.cgi | unknown | whitelisted
6068 | avg_antivirus_free_setup.exe | POST | 200 | 142.250.186.174:80 | http://www.google-analytics.com/collect | unknown | whitelisted
6452 | backgroundTaskHost.exe | GET | 200 | 184.30.131.245:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAUZZSZEml49Gjh0j13P68w%3D | unknown | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
- | - | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
5064 | SearchApp.exe | 92.123.104.62:443 | www.bing.com | Akamai International B.V. | DE | whitelisted
4712 | MoUsoCoreWorker.exe | 23.48.23.143:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
4712 | MoUsoCoreWorker.exe | 23.35.229.160:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
5064 | SearchApp.exe | 184.30.131.245:80 | ocsp.digicert.com | AKAMAI-AS | US | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
1076 | svchost.exe | 23.35.238.131:443 | go.microsoft.com | AKAMAI-AS | DE | whitelisted
6648 | quick-view-plus_6zBb-C1.tmp | 143.204.205.227:443 | d26eyevpqyunb6.cloudfront.net | AMAZON-02 | US | whitelisted
1176 | svchost.exe | 20.190.160.3:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 40.127.240.158
  • 51.124.78.146
whitelisted
www.bing.com
  • 92.123.104.62
  • 92.123.104.32
  • 92.123.104.31
  • 92.123.104.19
  • 92.123.104.38
  • 92.123.104.40
  • 92.123.104.33
  • 92.123.104.11
  • 92.123.104.34
  • 92.123.104.59
  • 92.123.104.44
  • 2.23.227.208
  • 2.23.227.215
  • 2.19.96.120
  • 2.19.96.80
  • 2.19.96.130
  • 2.19.96.129
  • 2.19.96.128
  • 2.19.96.90
  • 92.123.104.8
  • 92.123.104.52
  • 92.123.104.28
whitelisted
crl.microsoft.com
  • 23.48.23.143
  • 23.48.23.156
whitelisted
www.microsoft.com
  • 23.35.229.160
whitelisted
ocsp.digicert.com
  • 184.30.131.245
whitelisted
google.com
  • 172.217.18.14
whitelisted
go.microsoft.com
  • 23.35.238.131
  • 2.19.106.8
whitelisted
d26eyevpqyunb6.cloudfront.net
  • 143.204.205.227
  • 143.204.205.100
  • 143.204.205.70
  • 143.204.205.176
whitelisted
login.live.com
  • 20.190.160.3
  • 20.190.160.2
  • 20.190.160.22
  • 40.126.32.136
  • 20.190.160.67
  • 40.126.32.74
  • 40.126.32.133
  • 20.190.160.131
  • 40.126.31.2
  • 40.126.31.69
  • 40.126.31.67
  • 20.190.159.23
  • 40.126.31.3
  • 20.190.159.4
  • 40.126.31.71
  • 20.190.159.129
whitelisted
static.download.it
  • 104.22.56.224
  • 172.67.26.92
  • 104.22.57.224
unknown

Threats

PID | Process | Class | Message
6648 | quick-view-plus_6zBb-C1.tmp | Potential Corporate Privacy Violation | ET INFO PE EXE or DLL Windows file download HTTP
6648 | quick-view-plus_6zBb-C1.tmp | Possibly Unwanted Program Detected | ADWARE [ANY.RUN] InnoSetup Installer
Debug output

Process | Message
icarus.exe | [2025-02-16 08:58:50.024] [fatal ] [mwatcher ] [ 7724: 7960] [7BA89E: 305] Slave detected that master is not running:'1073807364'! Ending slave.
icarus.exe | [2025-02-16 08:58:50.024] [fatal ] [mwatcher ] [ 7716: 7892] [7BA89E: 305] Slave detected that master is not running:'1073807364'! Ending slave.
icarus.exe | [2025-02-16 08:58:50.024] [error ] [avg-av ] [ 7724: 7816] [2EBE46:3056] Execution of 'class asw::repository::ActionProcessSubProduct' failed with:'4294967295(ffffffff)'