File name: MSCLoader-147-1-2-14-1703271704.zip

Full analysis: https://app.any.run/tasks/2feea347-36e5-46ad-885a-2efd8f507129
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Analysis date: February 22, 2024, 23:34:55
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: loader
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract, compression method=store
MD5: 41A34E1E551EE10CE5D382B49F806F35
SHA1: 35AFD7CEEFAD0599244A40EBDB0BC19B2202F65B
SHA256: 63E1FA1630F8AC6D3FF0DD3F74F8202FCB4C34680C2DC8597C725F0C12DA9DC4
SSDEEP: 98304:6hJmhzYblgiWTSA3MQV3Ib8asQdbF945Rs65fstHaBnSlMarW5L+TPHUFqY/H50r:y5ecJSW

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • WinRAR.exe (PID: 3700)
      • avg_antivirus_free_setup.exe (PID: 2972)
      • UserBenchMark.exe (PID: 2968)
      • avg_antivirus_free_setup.exe (PID: 844)
      • Instup.exe (PID: 1584)
      • aswOfferTool.exe (PID: 2492)
      • aswOfferTool.exe (PID: 3524)
      • aswOfferTool.exe (PID: 2548)
      • instup.exe (PID: 1592)
    • Changes the autorun value in the registry

      • instup.exe (PID: 1592)
    • Creates a writable file in the system directory

      • instup.exe (PID: 1592)
  • SUSPICIOUS

    • Reads the Internet Settings

      • MSCPatcher.exe (PID: 3940)
      • Instup.exe (PID: 1584)
      • UserBenchMark.exe (PID: 2968)
      • instup.exe (PID: 1592)
    • The process creates files with name similar to system file names

      • UserBenchMark.exe (PID: 2968)
    • Malware-specific behavior (creating "System.dll" in Temp)

      • UserBenchMark.exe (PID: 2968)
    • Executable content was dropped or overwritten

      • UserBenchMark.exe (PID: 2968)
      • avg_antivirus_free_setup.exe (PID: 2972)
      • avg_antivirus_free_setup.exe (PID: 844)
      • Instup.exe (PID: 1584)
      • aswOfferTool.exe (PID: 2492)
      • aswOfferTool.exe (PID: 2548)
      • aswOfferTool.exe (PID: 3524)
      • instup.exe (PID: 1592)
    • Process requests binary or script from the Internet

      • avg_antivirus_free_setup.exe (PID: 2972)
    • Reads settings of System Certificates

      • Instup.exe (PID: 1584)
      • avg_antivirus_free_setup.exe (PID: 844)
      • UserBenchMark.exe (PID: 2968)
      • instup.exe (PID: 1592)
    • Starts itself from another location

      • Instup.exe (PID: 1584)
      • aswOfferTool.exe (PID: 2548)
    • Process drops legitimate windows executable

      • UserBenchMark.exe (PID: 2968)
      • instup.exe (PID: 1592)
    • Reads security settings of Internet Explorer

      • UserBenchMark.exe (PID: 2968)
    • Checks Windows Trust Settings

      • UserBenchMark.exe (PID: 2968)
    • Likely accesses (executes) a file from the Public directory

      • aswOfferTool.exe (PID: 3524)
    • The process drops C-runtime libraries

      • instup.exe (PID: 1592)
    • Creates files in the driver directory

      • instup.exe (PID: 1592)
    • Drops a system driver (possible attempt to evade defenses)

      • instup.exe (PID: 1592)
    • The process verifies whether the antivirus software is installed

      • instup.exe (PID: 1592)
  • INFO

    • Drops the executable file immediately after the start

      • WinRAR.exe (PID: 2844)
      • WinRAR.exe (PID: 2332)
      • WinRAR.exe (PID: 1836)
    • Manual execution by a user

      • WinRAR.exe (PID: 2332)
      • WinRAR.exe (PID: 2844)
      • WinRAR.exe (PID: 1836)
      • MSCPatcher.exe (PID: 3940)
      • UserBenchMark.exe (PID: 1768)
      • UserBenchMark.exe (PID: 2968)
      • avg_antivirus_free_setup.exe (PID: 1772)
      • avg_antivirus_free_setup.exe (PID: 2972)
      • avast_free_antivirus_setup_online.exe (PID: 3600)
      • avast_free_antivirus_setup_online.exe (PID: 3148)
      • avast_free_antivirus_setup_online.exe (PID: 3708)
      • avast_free_antivirus_setup_online.exe (PID: 2356)
      • avast_free_antivirus_setup_online.exe (PID: 4060)
    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 2844)
      • WinRAR.exe (PID: 2332)
      • WinRAR.exe (PID: 1836)
    • Checks supported languages

      • MSCPatcher.exe (PID: 3940)
      • UserBenchMark.exe (PID: 2968)
      • avg_antivirus_free_setup.exe (PID: 2972)
      • avg_antivirus_free_setup.exe (PID: 844)
      • Instup.exe (PID: 1584)
      • instup.exe (PID: 1592)
      • aswOfferTool.exe (PID: 3808)
      • aswOfferTool.exe (PID: 2492)
      • aswOfferTool.exe (PID: 2548)
      • aswOfferTool.exe (PID: 3524)
      • sbr.exe (PID: 3024)
      • avast_free_antivirus_setup_online.exe (PID: 3148)
      • aswOfferTool.exe (PID: 1604)
      • avast_free_antivirus_setup_online.exe (PID: 3708)
      • avast_free_antivirus_setup_online.exe (PID: 4060)
    • Reads the computer name

      • MSCPatcher.exe (PID: 3940)
      • UserBenchMark.exe (PID: 2968)
      • avg_antivirus_free_setup.exe (PID: 2972)
      • avg_antivirus_free_setup.exe (PID: 844)
      • Instup.exe (PID: 1584)
      • instup.exe (PID: 1592)
      • aswOfferTool.exe (PID: 2548)
      • avast_free_antivirus_setup_online.exe (PID: 3148)
      • avast_free_antivirus_setup_online.exe (PID: 3708)
      • avast_free_antivirus_setup_online.exe (PID: 4060)
    • Reads the machine GUID from the registry

      • MSCPatcher.exe (PID: 3940)
      • avg_antivirus_free_setup.exe (PID: 2972)
      • Instup.exe (PID: 1584)
      • avg_antivirus_free_setup.exe (PID: 844)
      • instup.exe (PID: 1592)
      • UserBenchMark.exe (PID: 2968)
    • Reads Environment values

      • MSCPatcher.exe (PID: 3940)
      • Instup.exe (PID: 1584)
      • instup.exe (PID: 1592)
    • Create files in a temporary directory

      • UserBenchMark.exe (PID: 2968)
    • Creates files in the program directory

      • avg_antivirus_free_setup.exe (PID: 844)
      • Instup.exe (PID: 1584)
      • instup.exe (PID: 1592)
    • Reads CPU info

      • Instup.exe (PID: 1584)
      • avg_antivirus_free_setup.exe (PID: 844)
      • instup.exe (PID: 1592)
    • Checks proxy server information

      • Instup.exe (PID: 1584)
      • instup.exe (PID: 1592)
      • UserBenchMark.exe (PID: 2968)
    • Reads the software policy settings

      • avg_antivirus_free_setup.exe (PID: 844)
      • UserBenchMark.exe (PID: 2968)
      • Instup.exe (PID: 1584)
      • instup.exe (PID: 1592)
    • Dropped object may contain TOR URL's

      • Instup.exe (PID: 1584)
      • aswOfferTool.exe (PID: 2548)
      • instup.exe (PID: 1592)
    • Creates files or folders in the user directory

      • UserBenchMark.exe (PID: 2968)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion: 20
ZipBitFlag: -
ZipCompression: None
ZipModifyDate: 2021:02:08 00:14:40
ZipCRC: 0x00000000
ZipCompressedSize: -
ZipUncompressedSize: -
ZipFileName: Assets/
No data.
All screenshots are available in the full report
Total processes: 81
Monitored processes: 24
Malicious processes: 5
Suspicious processes: 1

Behavior graph

Processes shown in the graph, in order (entries marked "no specs" carry that label in the original graph):
  • winrar.exe (no specs)
  • winrar.exe
  • winrar.exe
  • winrar.exe
  • mscpatcher.exe
  • userbenchmark.exe (no specs)
  • userbenchmark.exe
  • avg_antivirus_free_setup.exe (no specs)
  • avg_antivirus_free_setup.exe
  • avg_antivirus_free_setup.exe
  • instup.exe
  • instup.exe
  • aswoffertool.exe (no specs)
  • aswoffertool.exe (no specs)
  • aswoffertool.exe
  • aswoffertool.exe
  • aswoffertool.exe
  • sbr.exe (no specs)
  • ntvdm.exe (no specs)
  • avast_free_antivirus_setup_online.exe (no specs)
  • avast_free_antivirus_setup_online.exe
  • avast_free_antivirus_setup_online.exe (no specs)
  • avast_free_antivirus_setup_online.exe
  • avast_free_antivirus_setup_online.exe

Process information

(columns: PID, CMD, Path, Indicators, Parent process)
PID: 844
CMD: "C:\Windows\Temp\asw.acba504df5d6656c\avg_antivirus_free_setup.exe" /cookie:mmm_bav_003_999_h4h_m /ga_clientid:5bbf6c85-c11c-4627-bedf-cd40b16010ce /edat_dir:C:\Windows\Temp\asw.acba504df5d6656c
Path: C:\Windows\Temp\asw.acba504df5d6656c\avg_antivirus_free_setup.exe
Parent process: avg_antivirus_free_setup.exe
User:
admin
Company:
AVG Technologies CZ, s.r.o.
Integrity Level:
HIGH
Description:
AVG Antivirus
Exit code:
0
Version:
24.1.8821.0
Modules
Images
c:\windows\temp\asw.acba504df5d6656c\avg_antivirus_free_setup.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
PID: 1584
CMD: "C:\Windows\Temp\asw.7a48046f033893e0\instup.exe" /sfx:lite /sfxstorage:C:\Windows\Temp\asw.7a48046f033893e0 /edition:15 /prod:ais /stub_mapping_guid:7370cef0-3ca9-467f-ab4b-7cec3f2263d8:9725144 /guid:7c12348f-6c67-4247-b571-2b1d3089b407 /ga_clientid:5bbf6c85-c11c-4627-bedf-cd40b16010ce /cookie:mmm_bav_003_999_h4h_m /ga_clientid:5bbf6c85-c11c-4627-bedf-cd40b16010ce /edat_dir:C:\Windows\Temp\asw.acba504df5d6656c
Path: C:\Windows\Temp\asw.7a48046f033893e0\Instup.exe
Parent process: avg_antivirus_free_setup.exe
User:
admin
Company:
AVG Technologies CZ, s.r.o.
Integrity Level:
HIGH
Description:
AVG Antivirus Installer
Exit code:
0
Version:
24.1.8821.0
Modules
Images
c:\windows\temp\asw.7a48046f033893e0\instup.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\wininet.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\api-ms-win-downlevel-user32-l1-1-0.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
PID: 1592
CMD: "C:\Windows\Temp\asw.7a48046f033893e0\New_18010cf7\instup.exe" /sfx /sfxstorage:C:\Windows\Temp\asw.7a48046f033893e0 /edition:15 /prod:ais /stub_mapping_guid:7370cef0-3ca9-467f-ab4b-7cec3f2263d8:9725144 /guid:7c12348f-6c67-4247-b571-2b1d3089b407 /ga_clientid:5bbf6c85-c11c-4627-bedf-cd40b16010ce /cookie:mmm_bav_003_999_h4h_m /edat_dir:C:\Windows\Temp\asw.acba504df5d6656c /online_installer
Path: C:\Windows\Temp\asw.7a48046f033893e0\New_18010cf7\instup.exe
Parent process: Instup.exe
User:
admin
Company:
AVG Technologies CZ, s.r.o.
Integrity Level:
HIGH
Description:
AVG Antivirus Installer
Exit code:
0
Version:
24.1.8821.0
Modules
Images
c:\windows\temp\asw.7a48046f033893e0\new_18010cf7\instup.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\wininet.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\api-ms-win-downlevel-user32-l1-1-0.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
PID: 1604
CMD: "C:\Windows\Temp\asw.7a48046f033893e0\New_18010cf7\aswOfferTool.exe" -checkGToolbar -elevated
Path: C:\Windows\Temp\asw.7a48046f033893e0\New_18010cf7\aswOfferTool.exe
Parent process: instup.exe
User:
admin
Company:
AVG Technologies CZ, s.r.o.
Integrity Level:
HIGH
Description:
AVG Offer Installation Tool
Exit code:
2
Version:
24.1.8821.0
Modules
Images
c:\windows\temp\asw.7a48046f033893e0\new_18010cf7\aswoffertool.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\wtsapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\userenv.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\profapi.dll
c:\windows\system32\shell32.dll
PID: 1768
CMD: "C:\Users\admin\Desktop\UserBenchMark.exe"
Path: C:\Users\admin\Desktop\UserBenchMark.exe
Parent process: explorer.exe
User:
admin
Company:
UserBenchmark.com
Integrity Level:
MEDIUM
Description:
Benchmark Software
Exit code:
3221226540
Version:
2.9.1.0
Modules
Images
c:\users\admin\desktop\userbenchmark.exe
c:\windows\system32\ntdll.dll
PID: 1772
CMD: "C:\Users\admin\Desktop\avg_antivirus_free_setup.exe"
Path: C:\Users\admin\Desktop\avg_antivirus_free_setup.exe
Parent process: explorer.exe
User:
admin
Company:
AVG Technologies CZ, s.r.o.
Integrity Level:
MEDIUM
Description:
AVG MicroInstaller Installer
Exit code:
3221226540
Version:
2.1.27.0
Modules
Images
c:\users\admin\desktop\avg_antivirus_free_setup.exe
c:\windows\system32\ntdll.dll
PID: 1836
CMD: "C:\Program Files\WinRAR\WinRAR.exe" x -iext -ow -ver -- "C:\Users\admin\Desktop\MSCLoader-147-1-2-14-1703271704.zip" C:\Users\admin\Desktop\MSCLoader-147-1-2-14-1703271704\
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: explorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Exit code:
0
Version:
5.91.0
Modules
Images
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll
PID: 2332
CMD: "C:\Program Files\WinRAR\WinRAR.exe" x -iext -ow -ver -- "C:\Users\admin\Desktop\MOP 3.10.4 for MSCLoader-146-3-10-4-1670685050.zip" "C:\Users\admin\Desktop\MOP 3.10.4 for MSCLoader-146-3-10-4-1670685050\"
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: explorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Exit code:
0
Version:
5.91.0
Modules
Images
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll
PID: 2356
CMD: "C:\Users\admin\Desktop\avast_free_antivirus_setup_online.exe"
Path: C:\Users\admin\Desktop\avast_free_antivirus_setup_online.exe
Parent process: explorer.exe
User:
admin
Company:
AVAST Software
Integrity Level:
MEDIUM
Description:
Avast MicroInstaller Installer
Exit code:
3221226540
Version:
2.1.27.0
Modules
Images
c:\users\admin\desktop\avast_free_antivirus_setup_online.exe
c:\windows\system32\ntdll.dll
PID: 2492
CMD: "C:\Windows\Temp\asw.7a48046f033893e0\New_18010cf7\aswOfferTool.exe" -checkChrome -elevated
Path: C:\Windows\Temp\asw.7a48046f033893e0\New_18010cf7\aswOfferTool.exe
Parent process: instup.exe
User:
admin
Company:
AVG Technologies CZ, s.r.o.
Integrity Level:
HIGH
Description:
AVG Offer Installation Tool
Exit code:
2
Version:
24.1.8821.0
Modules
Images
c:\windows\temp\asw.7a48046f033893e0\new_18010cf7\aswoffertool.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\wtsapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\userenv.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\profapi.dll
c:\windows\system32\shell32.dll
Total events: 38 259
Read events: 32 293
Write events: 5 953
Delete events: 13

Modification events

(PID) Process: (3700) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation: write
Name: ShellExtBMP
Value:

(PID) Process: (3700) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation: write
Name: ShellExtIcon
Value:

(PID) Process: (3700) WinRAR.exe
Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E
Operation: write
Name: LanguageList
Value: en-US

(PID) Process: (3700) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 3
Value: C:\Users\admin\Desktop\phacker.zip

(PID) Process: (3700) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 2
Value: C:\Users\admin\Desktop\Win7-KB3191566-x86.zip

(PID) Process: (3700) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 1
Value: C:\Users\admin\Desktop\curl-8.5.0_1-win32-mingw.zip

(PID) Process: (3700) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 0
Value: C:\Users\admin\AppData\Local\Temp\MSCLoader-147-1-2-14-1703271704.zip

(PID) Process: (3700) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: name
Value: 120

(PID) Process: (3700) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: size
Value: 80

(PID) Process: (3700) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: type
Value: 120
Executable files: 506
Suspicious files: 96
Text files: 201
Unknown types: 97

Dropped files

(columns: PID, Process, Filename, Type)

PID: 2332 | Process: WinRAR.exe | Type: executable
Filename: C:\Users\admin\Desktop\MOP 3.10.4 for MSCLoader-146-3-10-4-1670685050\MOP.dll
MD5: 3F4677E9AA5B545C75EFAFC0F6F5C24A
SHA256: 2DEF4277FA313FB22A4218DB948D9AB46D367BCD0C6616B566CBE259181A9DF4

PID: 1836 | Process: WinRAR.exe | Type: text
Filename: C:\Users\admin\Desktop\MSCLoader-147-1-2-14-1703271704\Changelog.txt
MD5: 112844D916581EF6E6ED020540027EBC
SHA256: E6E7B5212840F4BA6A2A771F9684050386287796E360808E4C25F89203BB2D52

PID: 2844 | Process: WinRAR.exe | Type: executable
Filename: C:\Users\admin\Desktop\BetterCheatBox 2.1-1679-2-1-1696152761\BetterCheatBox.dll
MD5: FCCCB393331FA2526F2B84542F4816FD
SHA256: 8908CBC8FBC250190A1BD1B201B23AB25CA3991D3B5705130274D63E162150FA

PID: 1836 | Process: WinRAR.exe | Type: executable
Filename: C:\Users\admin\Desktop\MSCLoader-147-1-2-14-1703271704\INIFileParser.dll
MD5: 2E77F841DBF271FD1FFC460BFD87A1D5
SHA256: F81BA0DD987D46A67B1879EF4EE11C14F32940FF211EACE347A68E42BF272554

PID: 1836 | Process: WinRAR.exe | Type: compressed
Filename: C:\Users\admin\Desktop\MSCLoader-147-1-2-14-1703271704\References.zip
MD5: FAC7DE7FD560CB4F3BA7D7AAD8073F3B
SHA256: 9B66C596A1ED5B191FDE44A5BD460C38D89A3A6E61DDA099538F75D212301018

PID: 1836 | Process: WinRAR.exe | Type: unity3d
Filename: C:\Users\admin\Desktop\MSCLoader-147-1-2-14-1703271704\Assets\MSCLoader_Console\console.unity3d
MD5: 1712C8ABCFC56E9DE9512C9600122938
SHA256: B09AA730F81E4F8FC07AB3B7BE5EDFEA3D79BB8805B7C1147B70E33A73D409D5

PID: 1836 | Process: WinRAR.exe | Type: text
Filename: C:\Users\admin\Desktop\MSCLoader-147-1-2-14-1703271704\License.txt
MD5: E62637EA8A114355B985FD86C9FFBD6E
SHA256: 230184F60BAE2FEAF244F10A8BAC053C8FF33A183BCC365B4D8B876D2B7F4809

PID: 1836 | Process: WinRAR.exe | Type: text
Filename: C:\Users\admin\Desktop\MSCLoader-147-1-2-14-1703271704\Readme.txt
MD5: D5FFAAF166AE1FCBA1A2E4E4530AB2DB
SHA256: 607D8CDA6CDC0277208FF45D08C9AD1B25A56814A9BB810B759B17236EDCB380

PID: 1836 | Process: WinRAR.exe | Type: executable
Filename: C:\Users\admin\Desktop\MSCLoader-147-1-2-14-1703271704\Mono.Cecil.dll
MD5: 16C4CB74628930724DD717DA06F7BC69
SHA256: 046435E644748C5C46545E4304727AABDE76E59B12B7EDC3CE04CC1366EF5DFC

PID: 1836 | Process: WinRAR.exe | Type: executable
Filename: C:\Users\admin\Desktop\MSCLoader-147-1-2-14-1703271704\w32.dll
MD5: 4AF941B2C178A20E2976458AEA63C70E
SHA256: 25B26AC60AA14D5AB4617CC58BB725BD6800B715F1BE0336CB89ED58D1654469
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 55
TCP/UDP connections: 65
DNS requests: 62
Threats: 1

HTTP requests

(columns: PID, Process, Method, HTTP Code, IP, URL, CN, Type, Size, Reputation)

PID 1584, Instup.exe: GET 200 23.55.161.177:80 http://b0017156.iavs9x.avg.u.avcdn.net/avg/iavs9x/offertool_ais-cf7.vpx (CN: unknown; type: binary; size: 885 Kb; reputation: unknown)
PID 1584, Instup.exe: GET 200 23.55.161.177:80 http://b0017156.iavs9x.avg.u.avcdn.net/avg/iavs9x/setgui_ais-cf7.vpx (CN: unknown; type: binary; size: 1.17 Mb; reputation: unknown)
PID 1592, instup.exe: GET 200 23.55.161.187:80 http://h1785399.avi18tiny.u.avcdn.net/avi18tiny/prod-vps.vpx (CN: unknown; type: binary; size: 341 b; reputation: unknown)
PID 1584, Instup.exe: GET 200 23.55.161.177:80 http://b0017156.iavs9x.avg.u.avcdn.net/avg/iavs9x/sbr_x86_ais-cf7.vpx (CN: unknown; type: binary; size: 11.0 Kb; reputation: unknown)
PID 1592, instup.exe: GET 200 23.55.161.177:80 http://l9346865.iavs9x.avg.u.avcdn.net/avg/iavs9x/prod-pgm.vpx (CN: unknown; type: binary; size: 572 b; reputation: unknown)
PID 2968, UserBenchMark.exe: GET 301 54.39.161.167:80 http://www.userbenchmark.com/Software?checkVersion=a520407ffaca5477a114f29ccc616a07 (CN: unknown; reputation: unknown)
PID 1592, instup.exe: GET 200 23.55.161.187:80 http://h1785399.avi18tiny.u.avcdn.net/avi18tiny/part-jrog2-f7.vpx (CN: unknown; type: binary; size: 210 b; reputation: unknown)
PID 3940, MSCPatcher.exe: GET 200 146.59.19.4:80 http://my-summer-car.ovh/ver.php?core=stable (CN: unknown; type: text; size: 13 b; reputation: unknown)
PID 2972, avg_antivirus_free_setup.exe: POST 204 34.117.223.223:80 http://v7event.stats.avast.com/cgi-bin/iavsevents.cgi (CN: unknown; reputation: unknown)
PID 2972, avg_antivirus_free_setup.exe: POST 200 142.250.185.78:80 http://www.google-analytics.com/collect (CN: unknown; type: image; size: 35 b; reputation: unknown)

Connections

(columns: PID, Process, IP, Domain, ASN, CN, Reputation)

PID 4, System: 192.168.100.255:137 (reputation: whitelisted)
PID 4, System: 192.168.100.255:138 (reputation: whitelisted)
PID 1080, svchost.exe: 224.0.0.252:5355 (reputation: unknown)
PID 3940, MSCPatcher.exe: 146.59.19.4:80 my-summer-car.ovh (ASN: OVH SAS; CN: FR; reputation: unknown)
PID 2972, avg_antivirus_free_setup.exe: 142.250.185.78:80 www.google-analytics.com (ASN: GOOGLE; CN: US; reputation: whitelisted)
PID 2972, avg_antivirus_free_setup.exe: 88.221.110.65:80 iavs9x.avg.u.avcdn.net (ASN: Akamai International B.V.; CN: DE; reputation: unknown)
PID 2972, avg_antivirus_free_setup.exe: 34.117.223.223:80 v7event.stats.avast.com (ASN: GOOGLE-CLOUD-PLATFORM; CN: US; reputation: unknown)
PID 844, avg_antivirus_free_setup.exe: 142.250.185.78:80 www.google-analytics.com (ASN: GOOGLE; CN: US; reputation: whitelisted)
PID 844, avg_antivirus_free_setup.exe: 34.117.223.223:443 v7event.stats.avast.com (ASN: GOOGLE-CLOUD-PLATFORM; CN: US; reputation: unknown)
PID 1584, Instup.exe: 34.160.176.28:443 shepherd.avcdn.net (ASN: GOOGLE; CN: US; reputation: unknown)

DNS requests

Domain
IP
Reputation
my-summer-car.ovh
  • 146.59.19.4
unknown
www.google-analytics.com
  • 142.250.185.78
whitelisted
iavs9x.avg.u.avcdn.net
  • 88.221.110.65
  • 2.16.100.170
whitelisted
v7event.stats.avast.com
  • 34.117.223.223
whitelisted
v7event.stats.avcdn.net
  • 34.117.223.223
whitelisted
analytics.avcdn.net
  • 34.117.223.223
unknown
shepherd.avcdn.net
  • 34.160.176.28
whitelisted
b0017156.iavs9x.avg.u.avcdn.net
  • 23.55.161.177
  • 23.55.161.203
  • 2a02:26f0:3500:11::215:14c6
  • 2a02:26f0:3500:11::215:14cc
whitelisted
f4973661.iavs9x.avg.u.avcdn.net
  • 23.55.161.177
  • 23.55.161.203
  • 2a02:26f0:3500:11::215:14c6
  • 2a02:26f0:3500:11::215:14cc
unknown
g5856219.iavs9x.avg.u.avcdn.net
  • 23.55.161.203
  • 23.55.161.177
  • 2a02:26f0:3500:11::215:14c6
  • 2a02:26f0:3500:11::215:14cc
unknown

Threats

(columns: PID, Process, Class, Message)

Class: Potential Corporate Privacy Violation
Message: ET POLICY PE EXE or DLL Windows file download HTTP
Process
Message
avg_antivirus_free_setup.exe
[2024-02-22 23:37:06.754] [info ] [sfxinst ] [ 844: 1792] [7361C5: 370] Running SFX 'C:\Windows\Temp\asw.acba504df5d6656c\avg_antivirus_free_setup.exe'
avg_antivirus_free_setup.exe
[2024-02-22 23:37:07.082] [info ] [sfxinst ] [ 844: 1792] [7361C5: 592] Moved extra data file 'ecoo.edat' to 'C:\Windows\Temp\asw.7a48046f033893e0\cookie.bin'.
avg_antivirus_free_setup.exe
[2024-02-22 23:37:07.301] [notice ] [burger_rep ] [ 844: 2468] [64A1D8: 66] The event '70.1' was successfully sent to burger: https://analytics.avcdn.net/v4/receive/json/70.
avg_antivirus_free_setup.exe
[2024-02-22 23:37:07.332] [info ] [sfxstats ] [ 844: 1540] [03AC9E: 149] Statistics sent successfully.
avg_antivirus_free_setup.exe
[2024-02-22 23:37:08.254] [info ] [sfxinst ] [ 844: 1792] [7361C5: 881] Starting installer/updater executable 'C:\Windows\Temp\asw.7a48046f033893e0\instup.exe'
Instup.exe
[2024-02-22 23:37:08.598] [info ] [instup ] [ 1584: 3620] [87A008:2734] Running module version: Instup.dll - '24.1.8821.0'
Instup.exe
[2024-02-22 23:37:08.598] [info ] [xproduct ] [ 1584: 3620] [50441C: 64] CrossProductModule::RegisterThisProduct : SOFTWARE\AVG\Products : public-instup 1584
Instup.exe
[2024-02-22 23:37:08.598] [info ] [instup ] [ 1584: 3620] [87A008:2672] setup: x86
Instup.exe
[2024-02-22 23:37:08.598] [info ] [instup ] [ 1584: 3620] [87A008:2686] Memory: 23% load. Phys:2399896/3145208K free, Page:4194303/4194303K free, Virt:1990228/2097024K free
Instup.exe
[2024-02-22 23:37:08.598] [info ] [instup ] [ 1584: 3620] [87A008:2703] DISKs: C:\ - 222202MB free / 255GB total