File name: avg_secure_browser_setup.exe

Full analysis: https://app.any.run/tasks/8759c0a7-5910-4ba9-a5e9-3ba4b76f9b81
Verdict: Malicious activity
Threats:

Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns.

Analysis date: December 19, 2024, 00:13:38
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
stealer
avg
browser
fakenet
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive, 5 sections
MD5: 99C1F0ECE2DFC60FBCD286099A710127
SHA1: 26B580DD8CD4055300B572A4E00B3411D2983D8D
SHA256: 611DACC8658F42B9EDF2E750B9403324E1B8CAB85A8C515D252CE8E85B6AED1D
SSDEEP: 98304:STrDmcoPlDcn3Rc/vTV08T19StKUCzVxejICvSPd8g9P2xL3fdkCwBkqEGzAmYZR:k08VQEEkZZ3BZgpy

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Steals credentials from Web Browsers

      • aj6AB7.exe (PID: 5472)
    • Actions looks like stealing of personal data

      • aj6AB7.exe (PID: 5472)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • avg_secure_browser_setup.exe (PID: 3928)
      • aj6AB7.exe (PID: 5472)
    • Reads the BIOS version

      • aj6AB7.exe (PID: 5472)
    • Reads security settings of Internet Explorer

      • aj6AB7.exe (PID: 5472)
    • The process verifies whether the antivirus software is installed

      • aj6AB7.exe (PID: 5472)
    • Checks Windows Trust Settings

      • aj6AB7.exe (PID: 5472)
    • Searches for installed software

      • aj6AB7.exe (PID: 5472)
    • SMB connection has been detected (probably for file transfer)

      • explorer.exe (PID: 4488)
  • INFO

    • The sample compiled with arabic language support

      • avg_secure_browser_setup.exe (PID: 3928)
    • Reads Environment values

      • avg_secure_browser_setup.exe (PID: 3928)
      • aj6AB7.exe (PID: 5472)
    • The sample compiled with english language support

      • avg_secure_browser_setup.exe (PID: 3928)
      • aj6AB7.exe (PID: 5472)
    • Reads the computer name

      • avg_secure_browser_setup.exe (PID: 3928)
      • aj6AB7.exe (PID: 5472)
    • Checks supported languages

      • avg_secure_browser_setup.exe (PID: 3928)
      • aj6AB7.exe (PID: 5472)
    • Process checks computer location settings

      • avg_secure_browser_setup.exe (PID: 3928)
      • aj6AB7.exe (PID: 5472)
    • Sends debugging messages

      • avg_secure_browser_setup.exe (PID: 3928)
      • aj6AB7.exe (PID: 5472)
    • Create files in a temporary directory

      • avg_secure_browser_setup.exe (PID: 3928)
      • aj6AB7.exe (PID: 5472)
    • Reads the software policy settings

      • aj6AB7.exe (PID: 5472)
      • explorer.exe (PID: 4488)
    • Checks proxy server information

      • aj6AB7.exe (PID: 5472)
      • explorer.exe (PID: 4488)
    • Reads the machine GUID from the registry

      • aj6AB7.exe (PID: 5472)
    • Reads security settings of Internet Explorer

      • explorer.exe (PID: 4488)
    • The process uses the downloaded file

      • explorer.exe (PID: 4488)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (42.2)
.exe | Win64 Executable (generic) (37.3)
.dll | Win32 Dynamic Link Library (generic) (8.8)
.exe | Win32 Executable (generic) (6)
.exe | Generic Win/DOS Executable (2.7)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2019:12:16 00:50:53+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit
PEType: PE32
LinkerVersion: 6
CodeSize: 26112
InitializedDataSize: 141824
UninitializedDataSize: 2048
EntryPoint: 0x350d
OSVersion: 4
ImageVersion: 6
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 8.11.9.7512
ProductVersionNumber: 8.11.9.7512
FileFlagsMask: 0x0000
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Arabic
CharacterSet: Windows, Arabic
BuildDate: 19700120T212345
BuildTimestamp: 1718625656
BuildVersion: 8.11.9.7512
CompanyName: Gen Digital Inc.
FileDescription: إعداد AVG Secure Browser
FileVersion: 8.11.9.7512
InstallerCommit: 6abe2ae156386bdebece5cf23c59152082c14d11
InstallerEdition: web
InstallerKeyword: avg-securebrowser
InternalName: AVG Secure Browser
JsisCommit: 9787409e632740167533d24081ccbb49791a2fdf
LegalCopyright: حقوق النشر 2017-2024 لشركة Gen Digital Inc.
OmahaVersion: 1.8.1693.6
ProductName: إعداد AVG Secure Browser
ProductVersion: 8.11.9.7512
No data.
All screenshots are available in the full report
Total processes: 126
Monitored processes: 4
Malicious processes: 3
Suspicious processes: 0


Process information

PID: 440
CMD: C:\WINDOWS\System32\rundll32.exe C:\WINDOWS\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
Path: C:\Windows\System32\rundll32.exe
Parent process: svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows host process (Rundll32)
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\rundll32.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shcore.dll
c:\windows\system32\imagehlp.dll
PID: 3928
CMD: "C:\Users\admin\Downloads\avg_secure_browser_setup.exe"
Path: C:\Users\admin\Downloads\avg_secure_browser_setup.exe
Parent process: explorer.exe
User:
admin
Company:
Gen Digital Inc.
Integrity Level:
MEDIUM
Description:
AVG Secure Browser Setup
Exit code:
3221225547
Version:
8.11.9.7512
Modules
Images
c:\users\admin\downloads\avg_secure_browser_setup.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
PID: 4488
CMD: C:\WINDOWS\Explorer.EXE
Path: C:\Windows\explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Explorer
Version:
10.0.19041.3758 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\smartscreenps.dll
c:\windows\explorer.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\oleaut32.dll
PID: 5472
CMD: "C:\Users\admin\AppData\Local\Temp\aj6AB7.exe" /relaunch=8 /was_elevated=0 /tagdata
Path: C:\Users\admin\AppData\Local\Temp\aj6AB7.exe
Parent process: avg_secure_browser_setup.exe
User:
admin
Company:
Gen Digital Inc.
Integrity Level:
MEDIUM
Description:
AVG Secure Browser Setup
Exit code:
2
Version:
8.11.9.7512
Modules
Images
c:\users\admin\appdata\local\temp\aj6ab7.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
Total events: 19 539
Read events: 19 468
Write events: 68
Delete events: 3

Modification events

(PID) Process: (5472) aj6AB7.exe
Key: HKEY_CURRENT_USER\SOFTWARE\AVG\Browser
Operation: write
Name: installer_run_count
Value: 1

(PID) Process: (5472) aj6AB7.exe
Key: HKEY_CURRENT_USER\SOFTWARE\AVG\Browser
Operation: write
Name: machine_id
Value: 0000B0E1009ABA5E95F7227E57434874

(PID) Process: (4488) explorer.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:000000000004020E
Operation: write
Name: VirtualDesktop
Value: 1000000030304456A48A294F7A40804AB924005FF030B61F

(PID) Process: (5472) aj6AB7.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation: write
Name: CachePrefix
Value:

(PID) Process: (5472) aj6AB7.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation: write
Name: CachePrefix
Value: Cookie:

(PID) Process: (5472) aj6AB7.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation: write
Name: CachePrefix
Value: Visited:

(PID) Process: (5472) aj6AB7.exe
Key: HKEY_CURRENT_USER\SOFTWARE\AVG\Browser
Operation: write
Name: user_id
Value: 31b88718faae4ba2abda8f05aa3efb52

(PID) Process: (4488) explorer.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:000000000004020E
Operation: delete key
Name: (default)
Value:

(PID) Process: (4488) explorer.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\OneDrive\Accounts
Operation: write
Name: LastUpdate
Value: 5865636700000000

(PID) Process: (4488) explorer.exe
Key: HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\BagMRU
Operation: write
Name: NodeSlots
Value: 02020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202
Executable files: 23
Suspicious files: 5
Text files: 0
Unknown types: 0

Dropped files

PID: 3928 | Process: avg_secure_browser_setup.exe | Filename: C:\Users\admin\AppData\Local\Temp\nsh5B93.tmp\StdUtils.dll | Type: executable
MD5: 34939C7B38BFFEDBF9B9ED444D689BC9
SHA256: B127F3E04429D9F841A03BFD9344A0450594004C770D397FB32A76F6B0EABED0

PID: 3928 | Process: avg_secure_browser_setup.exe | Filename: C:\Users\admin\AppData\Local\Temp\nsh5B93.tmp\JsisPlugins.dll | Type: executable
MD5: D21AE3F86FC69C1580175B7177484FA7
SHA256: A6241F168CACB431BFCD4345DD77F87B378DD861B5D440AE8D3FFD17B9CEB450

PID: 3928 | Process: avg_secure_browser_setup.exe | Filename: C:\Users\admin\AppData\Local\Temp\nsh5B93.tmp\Midex.dll | Type: executable
MD5: 2597A829E06EB9616AF49FCD8052B8BD
SHA256: 7359CA1BEFDB83D480FC1149AC0E8E90354B5224DB7420B14B2D96D87CD20A87

PID: 3928 | Process: avg_secure_browser_setup.exe | Filename: C:\Users\admin\AppData\Local\Temp\nsh5B93.tmp\jsis.dll | Type: executable
MD5: 2027121C3CDEB1A1F8A5F539D1FE2E28
SHA256: 1DAE8B6DE29F2CFC0745D9F2A245B9ECB77F2B272A5B43DE1BA5971C43BF73A1

PID: 3928 | Process: avg_secure_browser_setup.exe | Filename: C:\Users\admin\AppData\Local\Temp\nsh5B93.tmp\thirdparty.dll | Type: executable
MD5: 7B4BD3B8AD6E913952F8ED1CEEF40CD4
SHA256: A49D3E455D7AECA2032C30FC099BFAD1B1424A2F55EC7BB0F6ACBBF636214754

PID: 3928 | Process: avg_secure_browser_setup.exe | Filename: C:\Users\admin\AppData\Local\Temp\nsh5B93.tmp\inetc.dll | Type: executable
MD5: 650E0E39808140A1DA5ABD3D27880C7E
SHA256: AAB155DCAAAFEBE4B84A9AEEC6FFBCE9B484A99B316657EE9B7A98B346F9538B

PID: 3928 | Process: avg_secure_browser_setup.exe | Filename: C:\Users\admin\AppData\Local\Temp\nsh5B93.tmp\AccessControl.dll | Type: executable
MD5: D4FA24F021F155CE9214DCCF812C3B7F
SHA256: 3B0889281FF6367BB736690229F461BB4FF34B7437F54A5C71B877A104C0F876

PID: 5472 | Process: aj6AB7.exe | Filename: C:\Users\admin\AppData\Local\Temp\nss6B90.tmp\FF.places.tmp
MD5:
SHA256:

PID: 3928 | Process: avg_secure_browser_setup.exe | Filename: C:\Users\admin\AppData\Local\Temp\nsh5B93.tmp\jsisdl.dll | Type: executable
MD5: 5121C566AC9315A53E558BF62600F9B6
SHA256: D88E38DF30887C722FB837278EE3782914574414C741CDFD3BD6126799FA3167

PID: 5472 | Process: aj6AB7.exe | Filename: C:\Users\admin\AppData\Local\Temp\nsd6B41.tmp
MD5:
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 12
TCP/UDP connections: 59
DNS requests: 26
Threats: 0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
5472
aj6AB7.exe
POST
404
104.20.87.8:80
http://stats.securebrowser.com/?_=1734567233664&retry_tracking_count=2&last_request_error_code=4&last_request_error_message=&last_request_status=404&last_request_system_error=0&request_proxy=0
unknown
unknown
5472
aj6AB7.exe
POST
404
104.20.87.8:80
http://stats.securebrowser.com/?_=1734567234775&retry_tracking_count=2&last_request_error_code=4&last_request_error_message=&last_request_status=404&last_request_system_error=0&request_proxy=0
unknown
unknown
4488
explorer.exe
POST
404
192.229.221.95:80
http://ocsp.digicert.com/
unknown
whitelisted
4488
explorer.exe
GET
404
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfIs%2BLjDtGwQ09XEB1Yeq%2BtX%2BBgQQU7NfjgtJxXWRM3y5nP%2Be6mK4cD08CEAitQLJg0pxMn17Nqb2Trtk%3D
unknown
whitelisted
4488
explorer.exe
GET
404
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSRXerF0eFeSWRripTgTkcJWMm7iQQUaDfg67Y7%2BF8Rhvv%2BYXsIiGX0TkICEAQ1YD96iIrhbAWwDxU8xvw%3D
unknown
whitelisted
4488
explorer.exe
GET
404
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBT3xL4LQLXDRDM9P665TW442vrsUQQUReuir%2FSSy4IxLVGLp6chnfNtyA8CEA6bGI750C3n79tQ4ghAGFo%3D
unknown
whitelisted
4488
explorer.exe
POST
404
192.229.221.95:80
http://ocsp.digicert.com/
unknown
whitelisted
4488
explorer.exe
GET
404
192.229.221.95:80
http://crl3.digicert.com/DigiCertTrustedRootG4.crl
unknown
whitelisted
4488
explorer.exe
GET
404
192.229.221.95:80
http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl
unknown
whitelisted
4488
explorer.exe
GET
404
192.229.221.95:80
http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl
unknown
whitelisted

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
4
System
192.168.100.255:138
whitelisted
6092
svchost.exe
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
3976
svchost.exe
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
5472
aj6AB7.exe
104.20.87.8:443
stats.securebrowser.com
CLOUDFLARENET
unknown
5472
aj6AB7.exe
104.20.87.8:80
stats.securebrowser.com
CLOUDFLARENET
unknown
5064
SearchApp.exe
104.126.37.123:443
www.bing.com
Akamai International B.V.
DE
whitelisted
1176
svchost.exe
40.126.32.74:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
1076
svchost.exe
23.35.238.131:443
go.microsoft.com
AKAMAI-AS
DE
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.124.78.146
  • 4.231.128.59
whitelisted
www.bing.com
  • 104.126.37.123
  • 104.126.37.177
  • 104.126.37.163
  • 104.126.37.160
  • 104.126.37.179
  • 104.126.37.129
  • 104.126.37.171
  • 104.126.37.170
  • 104.126.37.154
whitelisted
google.com
  • 142.250.186.110
whitelisted
stats.securebrowser.com
  • 104.20.87.8
  • 104.20.86.8
unknown
login.live.com
  • 40.126.32.74
  • 40.126.32.134
  • 40.126.32.68
  • 20.190.160.17
  • 20.190.160.14
  • 20.190.160.22
  • 40.126.32.138
  • 40.126.32.72
whitelisted
go.microsoft.com
  • 23.35.238.131
whitelisted
slscr.update.microsoft.com
  • 52.149.20.212
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 13.95.31.18
  • 2a01:111:f100:a000::4134:4847
whitelisted
18.31.95.13.in-addr.arpa
unknown
7.4.8.4.4.3.1.4.0.0.0.0.0.0.0.0.0.0.0.a.0.0.1.f.1.1.1.0.1.0.a.2.ip6.arpa
unknown

Threats

No threats detected
Process
Message
avg_secure_browser_setup.exe
2024-12-19T00:13:50 [libnsis] {00000f58:00000694} <2:Info> (893f00f663353e48\src\jsis-plugins\plugins\Plugin.cpp:82) JSIS Plugin logging enabled
avg_secure_browser_setup.exe
2024-12-19T00:13:50 [libnsis] {00000f58:00000694} <4:Error> (893f00f663353e48\src\jsis-plugins\plugins\UtilitiesPlugin\TagData.cpp:85) 0x00000400000715 91aa05bf654a77ad\src\sbplugins\windows\RCData.cpp:62
avg_secure_browser_setup.exe
2024-12-19T00:13:50 [libnsis] {00000f58:00000694} <1:Debug> (91aa05bf654a77ad\src\sbplugins\windows\RCData.cpp:62) Throwing exception 0x00000400000715
aj6AB7.exe
2024-12-19T00:13:51 [libnsis] {00001560:0000070c} <2:Info> (893f00f663353e48\src\jsis-plugins\plugins\Plugin.cpp:82) JSIS Plugin logging enabled
aj6AB7.exe
2024-12-19T00:13:51 [libnsis] {00001560:0000070c} <1:Debug> (6641f181bd7f7928\src\acu\database\Sqlite.cpp:38) Oepn Sqlite DB C:\Users\admin\AppData\Local\Temp\nss6B90.tmp\CR.History.tmp
aj6AB7.exe
2024-12-19T00:13:51 [libnsis] {00001560:0000070c} <1:Debug> (6641f181bd7f7928\src\acu\database\Sqlite.cpp:75) Execute Sqlite query SELECT ((visits.visit_time/1000000)-11644473600) /60 /60 / 24 AS vtime FROM 'visits' WHERE vtime >= 20046 AND vtime <= 20077 GROUP BY vtime
aj6AB7.exe
2024-12-19T00:13:52 [libnsis] {00001560:0000070c} <1:Debug> (6641f181bd7f7928\src\acu\database\Sqlite.cpp:38) Oepn Sqlite DB C:\Users\admin\AppData\Local\Temp\nss6B90.tmp\CR.History.tmp
aj6AB7.exe
2024-12-19T00:13:52 [libnsis] {00001560:0000070c} <1:Debug> (6641f181bd7f7928\src\acu\database\Sqlite.cpp:75) Execute Sqlite query SELECT ((visits.visit_time/1000000)-11644473600) /60 /60 / 24 AS vtime FROM 'visits' WHERE vtime >= 20046 AND vtime <= 20077 GROUP BY vtime
aj6AB7.exe
2024-12-19T00:13:52 [libnsis] {00001560:0000070c} <1:Debug> (6641f181bd7f7928\src\acu\database\Sqlite.cpp:75) Execute Sqlite query SELECT last_visit_date / 1000000 /60 /60 / 24 AS vtime FROM 'moz_places' WHERE vtime >= 20046 AND vtime <= 20077 GROUP BY vtime
aj6AB7.exe
2024-12-19T00:13:52 [libnsis] {00001560:0000070c} <1:Debug> (6641f181bd7f7928\src\acu\database\Sqlite.cpp:38) Oepn Sqlite DB C:\Users\admin\AppData\Local\Temp\nss6B90.tmp\FF.places.tmp