URL:

https://mega-share.pro/YlpNVDNfMjAyMC0wOC0yMSAxNzoyMDozMA==

Full analysis: https://app.any.run/tasks/281cdb70-04d9-477e-92e8-2b7dbe6db376
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Malware Trends Tracker     >>>
Analysis date: October 07, 2021, 03:30:25
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
loader
Indicators:
MD5:

40DA6426CE4C397BDBA6D72A9379A195

SHA1:

74292295F5A5286768A6CF2CE03B727E828E8F31

SHA256:

A5FB58A2CD37A2184174A6484759CB6AD5F9529ED346093B5D33624A8F29AF51

SSDEEP:

3:N8X6KXKni4PohEPn:2KLi4P7P

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Application was dropped or rewritten from another process

      • iclickmacapp_3671.exe (PID: 304)
      • iclickmacapp_3671.exe (PID: 3540)
      • BrowniBox.tmp (PID: 3880)
      • saBSI.exe (PID: 2828)
      • avg_secure_browser_setup.exe (PID: 2292)
      • AVGBrowserUpdateSetup.exe (PID: 920)
      • AVGBrowserUpdate.exe (PID: 3336)
      • AVGBrowserUpdate.exe (PID: 3556)
      • AVGBrowserUpdate.exe (PID: 3472)
      • AVGBrowserUpdate.exe (PID: 540)
      • AVGBrowserUpdate.exe (PID: 3104)
      • AVGBrowserUpdate.exe (PID: 2872)
      • installer.exe (PID: 3356)
      • pcapd.exe (PID: 3652)
      • installer.exe (PID: 3588)
      • RFileStpr2.tmp (PID: 272)
      • ProfitSymb.tmp (PID: 2264)
      • ServiceHost.exe (PID: 3724)
      • UIHost.exe (PID: 828)
      • tbar.exe (PID: 1668)
      • RestMinder.exe (PID: 2272)
      • updater.exe (PID: 304)
      • TrouqrinSpeedup.exe (PID: 2364)
      • Submention.tmp (PID: 2860)
      • RestMinder.exe (PID: 1284)
      • KruSpeedup.exe (PID: 3160)
      • SFileI.exe (PID: 3184)
      • RestMinder.exe (PID: 4080)
      • KruSpeedupUpdater.exe (PID: 2960)
      • cookie_mmm_irs_ppi_005_888_a.exe (PID: 2132)
      • SAntivirusService.exe (PID: 2344)
      • SAntivirusIC.exe (PID: 3108)
      • RestMinder.exe (PID: 3632)
      • avast_free_antivirus_setup_online.exe (PID: 1868)
      • instup.exe (PID: 2612)
      • sbr.exe (PID: 1832)
      • instup.exe (PID: 3640)
      • AVGBrowserCrashHandler.exe (PID: 1220)
      • AVGBrowser.exe (PID: 880)
      • AVGBrowser.exe (PID: 1580)
      • AVGBrowser.exe (PID: 5040)
      • AVGBrowser.exe (PID: 5328)
      • AVGBrowser.exe (PID: 5636)
      • AVGBrowser.exe (PID: 4820)
      • AVGBrowser.exe (PID: 5772)
      • setup.exe (PID: 1952)
      • setup.exe (PID: 3124)
      • chrmstp.exe (PID: 5432)
      • chrmstp.exe (PID: 5632)
      • AVGBrowser.exe (PID: 4892)
      • AVGBrowser.exe (PID: 5024)
      • AVGBrowser.exe (PID: 4860)
      • AVGBrowser.exe (PID: 4504)
      • AVGBrowser.exe (PID: 5396)
      • AVGBrowser.exe (PID: 5476)
      • AVGBrowser.exe (PID: 4984)
      • RestMinder.exe (PID: 1564)
      • AVGBrowser.exe (PID: 5108)
      • AVGBrowser.exe (PID: 920)
      • AVGBrowser.exe (PID: 932)
      • AVGBrowser.exe (PID: 1668)
      • AVGBrowser.exe (PID: 5604)
      • ServiceHost.exe (PID: 4564)
      • UIHost.exe (PID: 5052)
      • santivirusclient.exe (PID: 4228)
      • updater.exe (PID: 4284)
      • AVGBrowser.exe (PID: 3604)
      • SetupInf.exe (PID: 2668)
      • SetupInf.exe (PID: 3904)
      • SetupInf.exe (PID: 5540)
      • SetupInf.exe (PID: 4344)
      • SetupInf.exe (PID: 4640)
      • SetupInf.exe (PID: 5216)
      • AvEmUpdate.exe (PID: 1728)
      • AvEmUpdate.exe (PID: 3532)
      • AvEmUpdate.exe (PID: 276)
      • AvEmUpdate.exe (PID: 4884)

    • Changes settings of System certificates

      • iclickmacapp_3671.exe (PID: 304)
      • saBSI.exe (PID: 2828)
      • ServiceHost.exe (PID: 3724)
      • SAntivirusService.exe (PID: 2344)
      • AVGBrowser.exe (PID: 880)

    • Drops executable file immediately after starts

      • avg_secure_browser_setup.exe (PID: 2292)
      • AVGBrowserUpdateSetup.exe (PID: 920)
      • AVGBrowserUpdate.exe (PID: 3556)
      • installer.exe (PID: 3356)
      • tbar.exe (PID: 1668)
      • SFileI.exe (PID: 3184)
      • cookie_mmm_irs_ppi_005_888_a.exe (PID: 2132)
      • csc.exe (PID: 4968)

    • Steals credentials from Web Browsers

      • avg_secure_browser_setup.exe (PID: 2292)
      • ServiceHost.exe (PID: 3724)
      • SAntivirusService.exe (PID: 2344)
      • AVGBrowser.exe (PID: 880)

    • Actions looks like stealing of personal data

      • avg_secure_browser_setup.exe (PID: 2292)
      • ServiceHost.exe (PID: 3724)
      • SAntivirusService.exe (PID: 2344)
      • AVGBrowserInstaller.exe (PID: 1580)
      • setup.exe (PID: 3124)
      • AVGBrowser.exe (PID: 880)

    • Loads the Task Scheduler COM API

      • AVGBrowserUpdate.exe (PID: 3556)
      • setup.exe (PID: 3124)
      • AvEmUpdate.exe (PID: 3532)
      • AvEmUpdate.exe (PID: 1728)

    • Loads dropped or rewritten executable

      • avg_secure_browser_setup.exe (PID: 2292)
      • AVGBrowserUpdate.exe (PID: 2872)
      • AVGBrowserUpdate.exe (PID: 3556)
      • AVGBrowserUpdate.exe (PID: 540)
      • AVGBrowserUpdate.exe (PID: 3104)
      • AVGBrowserUpdate.exe (PID: 3472)
      • AVGBrowserUpdate.exe (PID: 3336)
      • regsvr32.exe (PID: 188)
      • regsvr32.exe (PID: 3492)
      • ServiceHost.exe (PID: 3724)
      • regsvr32.exe (PID: 1452)
      • UIHost.exe (PID: 828)
      • RestMinder.exe (PID: 2272)
      • TrouqrinSpeedup.exe (PID: 2364)
      • RestMinder.exe (PID: 1284)
      • KruSpeedup.exe (PID: 3160)
      • KruSpeedupUpdater.exe (PID: 2960)
      • RestMinder.exe (PID: 4080)
      • SFileI.exe (PID: 3184)
      • SAntivirusService.exe (PID: 2344)
      • regsvr32.exe (PID: 2424)
      • regsvr32.exe (PID: 1908)
      • RestMinder.exe (PID: 3632)
      • SAntivirusIC.exe (PID: 3108)
      • instup.exe (PID: 2612)
      • instup.exe (PID: 3640)
      • ServiceHost.exe (PID: 4564)
      • RestMinder.exe (PID: 1564)
      • UIHost.exe (PID: 5052)
      • regsvr32.exe (PID: 4000)
      • santivirusclient.exe (PID: 4228)
      • AvEmUpdate.exe (PID: 276)

    • Registers / Runs the DLL via REGSVR32.EXE

      • installer.exe (PID: 3588)
      • ServiceHost.exe (PID: 3724)
      • updater.exe (PID: 304)
      • ServiceHost.exe (PID: 4564)

    • Changes the autorun value in the registry

      • tbar.tmp (PID: 1580)
      • KruSpeedup.exe (PID: 3160)
      • instup.exe (PID: 2612)
      • setup.exe (PID: 3124)
      • AVGBrowser.exe (PID: 880)
      • chrmstp.exe (PID: 5432)

    • Starts Visual C# compiler

      • SAntivirusService.exe (PID: 2344)
      • santivirusclient.exe (PID: 4228)

  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • chrome.exe (PID: 2888)
      • iclickmacapp_3671.exe (PID: 304)
      • BrowniBox.tmp (PID: 3880)
      • avg_secure_browser_setup.exe (PID: 2292)
      • AVGBrowserUpdateSetup.exe (PID: 920)
      • AVGBrowserUpdate.exe (PID: 3556)
      • saBSI.exe (PID: 2828)
      • installer.exe (PID: 3356)
      • installer.exe (PID: 3588)
      • RFileStpr2.tmp (PID: 272)
      • Essence.tmp (PID: 756)
      • tbar.exe (PID: 1668)
      • tbar.tmp (PID: 1580)
      • pcapd.exe (PID: 3652)
      • TrouqrinSpeedup.exe (PID: 2364)
      • Essence.tmp (PID: 4040)
      • SFileI.exe (PID: 3184)
      • updater.exe (PID: 304)
      • csc.exe (PID: 4024)
      • SAntivirusService.exe (PID: 2344)
      • cookie_mmm_irs_ppi_005_888_a.exe (PID: 2132)
      • SAntivirusIC.exe (PID: 3108)
      • instup.exe (PID: 3640)
      • setup.exe (PID: 3124)
      • instup.exe (PID: 2612)
      • csc.exe (PID: 4968)

    • Drops a file with a compile date too recent

      • chrome.exe (PID: 2888)
      • iclickmacapp_3671.exe (PID: 304)
      • BrowniBox.tmp (PID: 3880)
      • TrouqrinSpeedup.exe (PID: 2364)
      • cookie_mmm_irs_ppi_005_888_a.exe (PID: 2132)
      • updater.exe (PID: 304)
      • csc.exe (PID: 4024)
      • instup.exe (PID: 3640)
      • setup.exe (PID: 3124)
      • instup.exe (PID: 2612)
      • csc.exe (PID: 4968)

    • Checks supported languages

      • iclickmacapp_3671.exe (PID: 3540)
      • cmd.exe (PID: 1304)
      • iclickmacapp_3671.exe (PID: 304)
      • cmd.exe (PID: 3000)
      • cmd.exe (PID: 3604)
      • cmd.exe (PID: 1952)
      • cmd.exe (PID: 3316)
      • cmd.exe (PID: 2892)
      • cmd.exe (PID: 2088)
      • saBSI.exe (PID: 2828)
      • avg_secure_browser_setup.exe (PID: 2292)
      • BrowniBox.tmp (PID: 3880)
      • AVGBrowserUpdateSetup.exe (PID: 920)
      • AVGBrowserUpdate.exe (PID: 3556)
      • AVGBrowserUpdate.exe (PID: 540)
      • AVGBrowserUpdate.exe (PID: 3472)
      • AVGBrowserUpdate.exe (PID: 3104)
      • AVGBrowserUpdate.exe (PID: 3336)
      • AVGBrowserUpdate.exe (PID: 2872)
      • installer.exe (PID: 3356)
      • installer.exe (PID: 3588)
      • cmd.exe (PID: 1272)
      • RFileStpr2.tmp (PID: 272)
      • cmd.exe (PID: 2768)
      • cmd.exe (PID: 2500)
      • cmd.exe (PID: 4032)
      • cmd.exe (PID: 1844)
      • cmd.exe (PID: 3012)
      • pcapd.exe (PID: 3652)
      • ProfitSymb.tmp (PID: 2264)
      • unsecapp.exe (PID: 3204)
      • cmd.exe (PID: 3424)
      • cmd.exe (PID: 3364)
      • cmd.exe (PID: 3724)
      • Essence.tmp (PID: 4040)
      • cmd.exe (PID: 2988)
      • cmd.exe (PID: 2904)
      • Essence.tmp (PID: 756)
      • cmd.exe (PID: 3492)
      • cmd.exe (PID: 2948)
      • cmd.exe (PID: 2796)
      • cmd.exe (PID: 4016)
      • tbar.exe (PID: 1668)
      • tbar.tmp (PID: 1580)
      • ServiceHost.exe (PID: 3724)
      • UIHost.exe (PID: 828)
      • RestMinder.exe (PID: 2272)
      • updater.exe (PID: 304)
      • TrouqrinSpeedup.exe (PID: 2364)
      • Submention.tmp (PID: 2860)
      • RestMinder.exe (PID: 1284)
      • KruSpeedup.exe (PID: 3160)
      • cmd.exe (PID: 3768)
      • cmd.exe (PID: 888)
      • cmd.exe (PID: 3996)
      • cmd.exe (PID: 3964)
      • cmd.exe (PID: 2720)
      • SFileI.exe (PID: 3184)
      • cmd.exe (PID: 3752)
      • cmd.exe (PID: 4000)
      • cmd.exe (PID: 2420)
      • RestMinder.exe (PID: 4080)
      • KruSpeedupUpdater.exe (PID: 2960)
      • cookie_mmm_irs_ppi_005_888_a.exe (PID: 2132)
      • SAntivirusService.exe (PID: 2344)
      • SAntivirusIC.exe (PID: 3108)
      • cmd.exe (PID: 2832)
      • csc.exe (PID: 4024)
      • cmd.exe (PID: 1068)
      • cmd.exe (PID: 1952)
      • cvtres.exe (PID: 2284)
      • cmd.exe (PID: 3156)
      • cmd.exe (PID: 3184)
      • RestMinder.exe (PID: 3632)
      • cmd.exe (PID: 2328)
      • avast_free_antivirus_setup_online.exe (PID: 1868)
      • instup.exe (PID: 3640)
      • cmd.exe (PID: 3444)
      • cmd.exe (PID: 2852)
      • instup.exe (PID: 2612)
      • cmd.exe (PID: 1460)
      • AVGBrowserInstaller.exe (PID: 1580)
      • setup.exe (PID: 3124)
      • setup.exe (PID: 1952)
      • sbr.exe (PID: 1832)
      • AVGBrowserCrashHandler.exe (PID: 1220)
      • AVGBrowser.exe (PID: 932)
      • AVGBrowser.exe (PID: 880)
      • AVGBrowser.exe (PID: 1668)
      • AVGBrowser.exe (PID: 1580)
      • AVGBrowser.exe (PID: 920)
      • elevation_service.exe (PID: 4260)
      • AVGBrowser.exe (PID: 5024)
      • AVGBrowser.exe (PID: 5040)
      • AVGBrowser.exe (PID: 5328)
      • AVGBrowser.exe (PID: 5636)
      • AVGBrowser.exe (PID: 5604)
      • AVGBrowser.exe (PID: 4820)
      • AVGBrowser.exe (PID: 5108)
      • AVGBrowser.exe (PID: 5772)
      • elevation_service.exe (PID: 2408)
      • chrmstp.exe (PID: 5432)
      • chrmstp.exe (PID: 5632)
      • AVGBrowser.exe (PID: 4892)
      • AVGBrowser.exe (PID: 4860)
      • AVGBrowser.exe (PID: 5396)
      • AVGBrowser.exe (PID: 4504)
      • elevation_service.exe (PID: 5824)
      • AVGBrowser.exe (PID: 4984)
      • cmd.exe (PID: 5136)
      • RestMinder.exe (PID: 1564)
      • AVGBrowser.exe (PID: 5476)
      • UIHost.exe (PID: 5052)
      • ServiceHost.exe (PID: 4564)
      • cmd.exe (PID: 1972)
      • cmd.exe (PID: 1632)
      • santivirusclient.exe (PID: 4228)
      • PresentationFontCache.exe (PID: 6028)
      • csc.exe (PID: 4968)
      • updater.exe (PID: 4284)
      • cmd.exe (PID: 5024)
      • cmd.exe (PID: 5172)
      • AVGBrowser.exe (PID: 3604)
      • cvtres.exe (PID: 5392)
      • SetupInf.exe (PID: 2668)
      • SetupInf.exe (PID: 3904)
      • SetupInf.exe (PID: 5540)
      • SetupInf.exe (PID: 4344)
      • SetupInf.exe (PID: 5216)
      • AvEmUpdate.exe (PID: 3532)
      • SetupInf.exe (PID: 4640)
      • AvEmUpdate.exe (PID: 1728)
      • AvEmUpdate.exe (PID: 276)
      • AvEmUpdate.exe (PID: 4884)

    • Starts CMD.EXE for commands execution

      • iclickmacapp_3671.exe (PID: 304)
      • cmd.exe (PID: 3604)
      • cmd.exe (PID: 1952)
      • cmd.exe (PID: 2892)
      • cmd.exe (PID: 1272)
      • BrowniBox.tmp (PID: 3880)
      • cmd.exe (PID: 2768)
      • cmd.exe (PID: 4032)
      • cmd.exe (PID: 3012)
      • cmd.exe (PID: 3424)
      • cmd.exe (PID: 3364)
      • cmd.exe (PID: 2988)
      • cmd.exe (PID: 2904)
      • Essence.tmp (PID: 756)
      • cmd.exe (PID: 2948)
      • cmd.exe (PID: 4016)
      • pcapd.exe (PID: 3652)
      • Essence.tmp (PID: 4040)
      • cmd.exe (PID: 3996)
      • cmd.exe (PID: 3964)
      • cmd.exe (PID: 3768)
      • RFileStpr2.tmp (PID: 272)
      • cmd.exe (PID: 888)
      • cmd.exe (PID: 4000)
      • cmd.exe (PID: 1068)
      • cmd.exe (PID: 3156)
      • cmd.exe (PID: 1952)
      • cmd.exe (PID: 3184)
      • avg_secure_browser_setup.exe (PID: 2292)
      • updater.exe (PID: 304)
      • updater.exe (PID: 4284)

    • Reads the computer name

      • iclickmacapp_3671.exe (PID: 3540)
      • iclickmacapp_3671.exe (PID: 304)
      • BrowniBox.tmp (PID: 3880)
      • saBSI.exe (PID: 2828)
      • avg_secure_browser_setup.exe (PID: 2292)
      • AVGBrowserUpdate.exe (PID: 3556)
      • AVGBrowserUpdate.exe (PID: 540)
      • AVGBrowserUpdate.exe (PID: 3472)
      • AVGBrowserUpdate.exe (PID: 2872)
      • AVGBrowserUpdate.exe (PID: 3104)
      • installer.exe (PID: 3588)
      • RFileStpr2.tmp (PID: 272)
      • pcapd.exe (PID: 3652)
      • ProfitSymb.tmp (PID: 2264)
      • unsecapp.exe (PID: 3204)
      • Essence.tmp (PID: 4040)
      • Essence.tmp (PID: 756)
      • tbar.tmp (PID: 1580)
      • ServiceHost.exe (PID: 3724)
      • UIHost.exe (PID: 828)
      • RestMinder.exe (PID: 2272)
      • updater.exe (PID: 304)
      • TrouqrinSpeedup.exe (PID: 2364)
      • Submention.tmp (PID: 2860)
      • RestMinder.exe (PID: 1284)
      • KruSpeedup.exe (PID: 3160)
      • SFileI.exe (PID: 3184)
      • KruSpeedupUpdater.exe (PID: 2960)
      • RestMinder.exe (PID: 4080)
      • cookie_mmm_irs_ppi_005_888_a.exe (PID: 2132)
      • SAntivirusService.exe (PID: 2344)
      • SAntivirusIC.exe (PID: 3108)
      • RestMinder.exe (PID: 3632)
      • avast_free_antivirus_setup_online.exe (PID: 1868)
      • instup.exe (PID: 3640)
      • instup.exe (PID: 2612)
      • setup.exe (PID: 3124)
      • AVGBrowserInstaller.exe (PID: 1580)
      • AVGBrowserCrashHandler.exe (PID: 1220)
      • AVGBrowser.exe (PID: 880)
      • elevation_service.exe (PID: 4260)
      • AVGBrowser.exe (PID: 1580)
      • AVGBrowser.exe (PID: 1668)
      • AVGBrowser.exe (PID: 4820)
      • elevation_service.exe (PID: 2408)
      • chrmstp.exe (PID: 5432)
      • AVGBrowser.exe (PID: 4892)
      • elevation_service.exe (PID: 5824)
      • AVGBrowser.exe (PID: 4504)
      • AVGBrowser.exe (PID: 4984)
      • RestMinder.exe (PID: 1564)
      • AVGBrowser.exe (PID: 5396)
      • ServiceHost.exe (PID: 4564)
      • UIHost.exe (PID: 5052)
      • santivirusclient.exe (PID: 4228)
      • PresentationFontCache.exe (PID: 6028)
      • updater.exe (PID: 4284)
      • SetupInf.exe (PID: 2668)
      • SetupInf.exe (PID: 3904)
      • SetupInf.exe (PID: 5540)
      • SetupInf.exe (PID: 4640)
      • SetupInf.exe (PID: 4344)
      • AvEmUpdate.exe (PID: 1728)
      • AvEmUpdate.exe (PID: 3532)
      • SetupInf.exe (PID: 5216)
      • AvEmUpdate.exe (PID: 276)
      • AvEmUpdate.exe (PID: 4884)

    • Application launched itself

      • iclickmacapp_3671.exe (PID: 3540)
      • cmd.exe (PID: 3604)
      • cmd.exe (PID: 1952)
      • cmd.exe (PID: 2892)
      • cmd.exe (PID: 1272)
      • cmd.exe (PID: 2768)
      • cmd.exe (PID: 4032)
      • cmd.exe (PID: 3012)
      • cmd.exe (PID: 3424)
      • cmd.exe (PID: 3364)
      • cmd.exe (PID: 2988)
      • cmd.exe (PID: 2904)
      • cmd.exe (PID: 4016)
      • cmd.exe (PID: 2948)
      • cmd.exe (PID: 3996)
      • cmd.exe (PID: 3964)
      • cmd.exe (PID: 3768)
      • cmd.exe (PID: 888)
      • cmd.exe (PID: 4000)
      • cmd.exe (PID: 1068)
      • cmd.exe (PID: 3156)
      • cmd.exe (PID: 1952)
      • cmd.exe (PID: 3184)
      • setup.exe (PID: 3124)
      • AVGBrowser.exe (PID: 880)
      • chrmstp.exe (PID: 5432)
      • AVGBrowser.exe (PID: 4892)
      • AvEmUpdate.exe (PID: 3532)

    • Starts SC.EXE for service management

      • cmd.exe (PID: 1304)
      • cmd.exe (PID: 3000)
      • installer.exe (PID: 3588)
      • updater.exe (PID: 304)

    • Creates files in the program directory

      • iclickmacapp_3671.exe (PID: 304)
      • saBSI.exe (PID: 2828)
      • AVGBrowserUpdateSetup.exe (PID: 920)
      • AVGBrowserUpdate.exe (PID: 3556)
      • installer.exe (PID: 3356)
      • installer.exe (PID: 3588)
      • ServiceHost.exe (PID: 3724)
      • UIHost.exe (PID: 828)
      • TrouqrinSpeedup.exe (PID: 2364)
      • updater.exe (PID: 304)
      • KruSpeedup.exe (PID: 3160)
      • SFileI.exe (PID: 3184)
      • KruSpeedupUpdater.exe (PID: 2960)
      • avast_free_antivirus_setup_online.exe (PID: 1868)
      • SAntivirusService.exe (PID: 2344)
      • SAntivirusIC.exe (PID: 3108)
      • instup.exe (PID: 3640)
      • AVGBrowserUpdate.exe (PID: 2872)
      • AVGBrowserInstaller.exe (PID: 1580)
      • setup.exe (PID: 3124)
      • instup.exe (PID: 2612)
      • avg_secure_browser_setup.exe (PID: 2292)
      • AVGBrowser.exe (PID: 880)
      • chrmstp.exe (PID: 5432)
      • AvEmUpdate.exe (PID: 1728)
      • AvEmUpdate.exe (PID: 3532)

    • Adds / modifies Windows certificates

      • iclickmacapp_3671.exe (PID: 304)
      • saBSI.exe (PID: 2828)
      • ServiceHost.exe (PID: 3724)
      • SAntivirusService.exe (PID: 2344)
      • AVGBrowser.exe (PID: 880)

    • Creates a directory in Program Files

      • iclickmacapp_3671.exe (PID: 304)
      • AVGBrowserUpdateSetup.exe (PID: 920)
      • AVGBrowserUpdate.exe (PID: 3556)
      • AVGBrowserUpdate.exe (PID: 2872)
      • installer.exe (PID: 3356)
      • installer.exe (PID: 3588)
      • updater.exe (PID: 304)
      • TrouqrinSpeedup.exe (PID: 2364)
      • SFileI.exe (PID: 3184)
      • AVGBrowserInstaller.exe (PID: 1580)
      • setup.exe (PID: 3124)
      • instup.exe (PID: 2612)
      • AVGBrowser.exe (PID: 880)
      • SAntivirusService.exe (PID: 2344)
      • AvEmUpdate.exe (PID: 3532)

    • Starts application with an unusual extension

      • cmd.exe (PID: 3316)
      • cmd.exe (PID: 2500)
      • RFileStpr2.tmp (PID: 272)
      • cmd.exe (PID: 3724)
      • cmd.exe (PID: 3492)

    • Starts CMD.EXE for self-deleting

      • iclickmacapp_3671.exe (PID: 304)
      • cmd.exe (PID: 2892)
      • pcapd.exe (PID: 3652)
      • cmd.exe (PID: 3768)
      • Essence.tmp (PID: 4040)
      • Essence.tmp (PID: 756)
      • cmd.exe (PID: 1068)
      • cmd.exe (PID: 3156)
      • avg_secure_browser_setup.exe (PID: 2292)

    • Reads Environment values

      • BrowniBox.tmp (PID: 3880)
      • avg_secure_browser_setup.exe (PID: 2292)
      • ServiceHost.exe (PID: 3724)
      • RestMinder.exe (PID: 2272)
      • SFileI.exe (PID: 3184)
      • SAntivirusService.exe (PID: 2344)
      • instup.exe (PID: 3640)
      • SAntivirusIC.exe (PID: 3108)
      • instup.exe (PID: 2612)
      • AVGBrowser.exe (PID: 4892)
      • AVGBrowser.exe (PID: 880)
      • santivirusclient.exe (PID: 4228)
      • AvEmUpdate.exe (PID: 1728)
      • AvEmUpdate.exe (PID: 3532)
      • AvEmUpdate.exe (PID: 276)
      • AvEmUpdate.exe (PID: 4884)

    • Reads the date of Windows installation

      • BrowniBox.tmp (PID: 3880)
      • SAntivirusService.exe (PID: 2344)
      • setup.exe (PID: 3124)
      • chrmstp.exe (PID: 5432)

    • Drops a file that was compiled in debug mode

      • BrowniBox.tmp (PID: 3880)
      • avg_secure_browser_setup.exe (PID: 2292)
      • AVGBrowserUpdateSetup.exe (PID: 920)
      • AVGBrowserUpdate.exe (PID: 3556)
      • saBSI.exe (PID: 2828)
      • installer.exe (PID: 3356)
      • installer.exe (PID: 3588)
      • RFileStpr2.tmp (PID: 272)
      • tbar.tmp (PID: 1580)
      • TrouqrinSpeedup.exe (PID: 2364)
      • SFileI.exe (PID: 3184)
      • cookie_mmm_irs_ppi_005_888_a.exe (PID: 2132)
      • updater.exe (PID: 304)
      • instup.exe (PID: 3640)
      • setup.exe (PID: 3124)
      • instup.exe (PID: 2612)
      • AvEmUpdate.exe (PID: 3532)

    • Searches for installed software

      • BrowniBox.tmp (PID: 3880)
      • avg_secure_browser_setup.exe (PID: 2292)
      • SAntivirusService.exe (PID: 2344)
      • AVGBrowser.exe (PID: 4892)
      • AVGBrowser.exe (PID: 880)
      • updater.exe (PID: 4284)

    • Creates/Modifies COM task schedule object

      • AVGBrowserUpdate.exe (PID: 3336)
      • AVGBrowserUpdate.exe (PID: 3556)
      • regsvr32.exe (PID: 188)
      • regsvr32.exe (PID: 3492)
      • regsvr32.exe (PID: 1452)
      • regsvr32.exe (PID: 2424)
      • regsvr32.exe (PID: 1908)
      • regsvr32.exe (PID: 4000)
      • instup.exe (PID: 2612)

    • Disables SEHOP

      • AVGBrowserUpdate.exe (PID: 3556)

    • Starts itself from another location

      • AVGBrowserUpdate.exe (PID: 3556)
      • instup.exe (PID: 3640)

    • Executed as Windows Service

      • AVGBrowserUpdate.exe (PID: 2872)
      • ServiceHost.exe (PID: 3724)
      • SAntivirusService.exe (PID: 2344)
      • SAntivirusIC.exe (PID: 3108)
      • elevation_service.exe (PID: 4260)
      • elevation_service.exe (PID: 2408)
      • elevation_service.exe (PID: 5824)
      • ServiceHost.exe (PID: 4564)
      • PresentationFontCache.exe (PID: 6028)

    • Drops a file with too old compile date

      • BrowniBox.tmp (PID: 3880)
      • tbar.tmp (PID: 1580)
      • pcapd.exe (PID: 3652)
      • TrouqrinSpeedup.exe (PID: 2364)
      • Essence.tmp (PID: 4040)
      • SFileI.exe (PID: 3184)
      • instup.exe (PID: 2612)

    • Reads Windows Product ID

      • RFileStpr2.tmp (PID: 272)
      • TrouqrinSpeedup.exe (PID: 2364)
      • KruSpeedup.exe (PID: 3160)
      • SAntivirusService.exe (PID: 2344)
      • SAntivirusIC.exe (PID: 3108)

    • Executed via COM

      • unsecapp.exe (PID: 3204)

    • Creates a software uninstall entry

      • installer.exe (PID: 3588)
      • ServiceHost.exe (PID: 3724)
      • TrouqrinSpeedup.exe (PID: 2364)
      • SFileI.exe (PID: 3184)
      • setup.exe (PID: 3124)
      • avg_secure_browser_setup.exe (PID: 2292)
      • elevation_service.exe (PID: 4260)
      • elevation_service.exe (PID: 5824)
      • updater.exe (PID: 304)
      • ServiceHost.exe (PID: 4564)
      • instup.exe (PID: 2612)

    • Reads Windows owner or organization settings

      • tbar.tmp (PID: 1580)

    • Reads the Windows organization settings

      • tbar.tmp (PID: 1580)

    • Creates files in the user directory

      • tbar.tmp (PID: 1580)
      • KruSpeedup.exe (PID: 3160)
      • SFileI.exe (PID: 3184)
      • setup.exe (PID: 3124)
      • AVGBrowser.exe (PID: 880)
      • chrmstp.exe (PID: 5432)
      • santivirusclient.exe (PID: 4228)

    • Reads Microsoft Outlook installation path

      • RestMinder.exe (PID: 2272)

    • Reads internet explorer settings

      • RestMinder.exe (PID: 2272)

    • Changes IE settings (feature browser emulation)

      • TrouqrinSpeedup.exe (PID: 2364)
      • KruSpeedup.exe (PID: 3160)
      • santivirusclient.exe (PID: 4228)

    • Reads CPU info

      • KruSpeedup.exe (PID: 3160)
      • avast_free_antivirus_setup_online.exe (PID: 1868)
      • instup.exe (PID: 3640)
      • instup.exe (PID: 2612)
      • SetupInf.exe (PID: 2668)
      • SetupInf.exe (PID: 5540)
      • SetupInf.exe (PID: 3904)
      • SetupInf.exe (PID: 4344)
      • SetupInf.exe (PID: 5216)
      • AvEmUpdate.exe (PID: 1728)
      • AvEmUpdate.exe (PID: 3532)
      • SetupInf.exe (PID: 4640)
      • AvEmUpdate.exe (PID: 276)
      • AvEmUpdate.exe (PID: 4884)

    • Creates files in the Windows directory

      • SFileI.exe (PID: 3184)
      • cookie_mmm_irs_ppi_005_888_a.exe (PID: 2132)
      • SAntivirusService.exe (PID: 2344)
      • csc.exe (PID: 4024)
      • avast_free_antivirus_setup_online.exe (PID: 1868)
      • instup.exe (PID: 3640)
      • instup.exe (PID: 2612)
      • setup.exe (PID: 1952)

    • Removes files from Windows directory

      • csc.exe (PID: 4024)
      • SAntivirusService.exe (PID: 2344)
      • instup.exe (PID: 3640)
      • instup.exe (PID: 2612)

    • Reads the time zone

      • SAntivirusService.exe (PID: 2344)

    • Creates or modifies windows services

      • instup.exe (PID: 3640)
      • instup.exe (PID: 2612)

    • Changes default file association

      • setup.exe (PID: 3124)
      • instup.exe (PID: 2612)

    • Creates files in the driver directory

      • instup.exe (PID: 2612)

  • INFO

    • Checks supported languages

      • chrome.exe (PID: 2888)
      • chrome.exe (PID: 3632)
      • chrome.exe (PID: 4032)
      • chrome.exe (PID: 2608)
      • chrome.exe (PID: 1128)
      • chrome.exe (PID: 4092)
      • chrome.exe (PID: 3324)
      • chrome.exe (PID: 2244)
      • chrome.exe (PID: 3532)
      • chrome.exe (PID: 3996)
      • chrome.exe (PID: 3036)
      • chrome.exe (PID: 3784)
      • chrome.exe (PID: 2360)
      • chrome.exe (PID: 2544)
      • chrome.exe (PID: 3892)
      • chrome.exe (PID: 2988)
      • chrome.exe (PID: 3088)
      • sc.exe (PID: 2876)
      • find.exe (PID: 2952)
      • sc.exe (PID: 1816)
      • find.exe (PID: 1836)
      • chrome.exe (PID: 3184)
      • chrome.exe (PID: 4048)
      • timeout.exe (PID: 1824)
      • chrome.exe (PID: 1564)
      • chrome.exe (PID: 2576)
      • regsvr32.exe (PID: 188)
      • sc.exe (PID: 4008)
      • sc.exe (PID: 1376)
      • sc.exe (PID: 1636)
      • chrome.exe (PID: 2640)
      • regsvr32.exe (PID: 3492)
      • sc.exe (PID: 148)
      • regsvr32.exe (PID: 1452)
      • chrome.exe (PID: 3528)
      • timeout.exe (PID: 3716)
      • timeout.exe (PID: 3444)
      • timeout.exe (PID: 2892)
      • regsvr32.exe (PID: 2424)
      • sc.exe (PID: 3456)
      • regsvr32.exe (PID: 1908)
      • timeout.exe (PID: 1292)
      • timeout.exe (PID: 2844)
      • timeout.exe (PID: 3028)
      • timeout.exe (PID: 2276)
      • timeout.exe (PID: 5248)
      • regsvr32.exe (PID: 4000)

    • Reads the computer name

      • chrome.exe (PID: 2888)
      • chrome.exe (PID: 3632)
      • chrome.exe (PID: 3532)
      • chrome.exe (PID: 3996)
      • chrome.exe (PID: 2244)
      • chrome.exe (PID: 3892)
      • sc.exe (PID: 2876)
      • sc.exe (PID: 1816)
      • chrome.exe (PID: 4048)
      • chrome.exe (PID: 3184)
      • chrome.exe (PID: 1564)
      • sc.exe (PID: 4008)
      • sc.exe (PID: 1376)
      • sc.exe (PID: 1636)
      • sc.exe (PID: 148)
      • regsvr32.exe (PID: 3492)
      • regsvr32.exe (PID: 1452)
      • sc.exe (PID: 3456)
      • regsvr32.exe (PID: 1908)
      • regsvr32.exe (PID: 4000)

    • Reads the hosts file

      • chrome.exe (PID: 3632)
      • chrome.exe (PID: 2888)
      • instup.exe (PID: 3640)
      • SAntivirusIC.exe (PID: 3108)
      • instup.exe (PID: 2612)
      • AVGBrowser.exe (PID: 880)
      • AVGBrowser.exe (PID: 1580)
      • AVGBrowser.exe (PID: 4892)
      • AVGBrowser.exe (PID: 4504)

    • Application launched itself

      • chrome.exe (PID: 2888)

    • Reads settings of System Certificates

      • chrome.exe (PID: 3632)
      • chrome.exe (PID: 2888)
      • iclickmacapp_3671.exe (PID: 304)
      • BrowniBox.tmp (PID: 3880)
      • saBSI.exe (PID: 2828)
      • avg_secure_browser_setup.exe (PID: 2292)
      • AVGBrowserUpdate.exe (PID: 2872)
      • AVGBrowserUpdate.exe (PID: 3104)
      • installer.exe (PID: 3588)
      • pcapd.exe (PID: 3652)
      • Essence.tmp (PID: 4040)
      • Essence.tmp (PID: 756)
      • tbar.tmp (PID: 1580)
      • ServiceHost.exe (PID: 3724)
      • UIHost.exe (PID: 828)
      • RestMinder.exe (PID: 2272)
      • updater.exe (PID: 304)
      • RestMinder.exe (PID: 1284)
      • SFileI.exe (PID: 3184)
      • RestMinder.exe (PID: 4080)
      • SAntivirusService.exe (PID: 2344)
      • avast_free_antivirus_setup_online.exe (PID: 1868)
      • RestMinder.exe (PID: 3632)
      • instup.exe (PID: 3640)
      • SAntivirusIC.exe (PID: 3108)
      • instup.exe (PID: 2612)
      • AVGBrowser.exe (PID: 880)
      • AVGBrowser.exe (PID: 4892)
      • RestMinder.exe (PID: 1564)
      • ServiceHost.exe (PID: 4564)
      • UIHost.exe (PID: 5052)
      • updater.exe (PID: 4284)
      • AvEmUpdate.exe (PID: 3532)
      • AvEmUpdate.exe (PID: 276)
      • AvEmUpdate.exe (PID: 4884)

    • Checks Windows Trust Settings

      • chrome.exe (PID: 2888)
      • iclickmacapp_3671.exe (PID: 304)
      • BrowniBox.tmp (PID: 3880)
      • saBSI.exe (PID: 2828)
      • avg_secure_browser_setup.exe (PID: 2292)
      • installer.exe (PID: 3588)
      • pcapd.exe (PID: 3652)
      • Essence.tmp (PID: 4040)
      • Essence.tmp (PID: 756)
      • ServiceHost.exe (PID: 3724)
      • UIHost.exe (PID: 828)
      • RestMinder.exe (PID: 2272)
      • RestMinder.exe (PID: 1284)
      • updater.exe (PID: 304)
      • SFileI.exe (PID: 3184)
      • RestMinder.exe (PID: 4080)
      • SAntivirusService.exe (PID: 2344)
      • RestMinder.exe (PID: 3632)
      • SAntivirusIC.exe (PID: 3108)
      • RestMinder.exe (PID: 1564)
      • ServiceHost.exe (PID: 4564)
      • UIHost.exe (PID: 5052)
      • updater.exe (PID: 4284)

    • Reads the date of Windows installation

      • chrome.exe (PID: 4048)

    • Dropped object may contain Bitcoin addresses

      • installer.exe (PID: 3356)
      • AVGBrowser.exe (PID: 880)
      • instup.exe (PID: 2612)

    • Creates a software uninstall entry

      • tbar.tmp (PID: 1580)

    • Application was dropped or rewritten from another process

      • tbar.tmp (PID: 1580)

    • Manual execution by user

      • RestMinder.exe (PID: 1284)
      • RestMinder.exe (PID: 4080)
      • RestMinder.exe (PID: 3632)
      • AVGBrowser.exe (PID: 4892)
      • RestMinder.exe (PID: 1564)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
265
Monitored processes
183
Malicious processes
51
Suspicious processes
31

Behavior graph

Click at the process to see the details
drop and start start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start download and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start chrome.exe chrome.exe no specs chrome.exe no specs chrome.exe chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs iclickmacapp_3671.exe no specs iclickmacapp_3671.exe cmd.exe no specs sc.exe no specs find.exe no specs cmd.exe no specs sc.exe no specs find.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs brownibox.tmp chrome.exe no specs chrome.exe no specs cmd.exe no specs timeout.exe no specs cmd.exe no specs sabsi.exe chrome.exe no specs avg_secure_browser_setup.exe avgbrowserupdatesetup.exe avgbrowserupdate.exe avgbrowserupdate.exe no specs avgbrowserupdate.exe no specs avgbrowserupdate.exe avgbrowserupdate.exe no specs avgbrowserupdate.exe chrome.exe no specs installer.exe installer.exe cmd.exe no specs cmd.exe no specs cmd.exe no specs rfilestpr2.tmp sc.exe no specs regsvr32.exe no specs sc.exe no specs sc.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs pcapd.exe profitsymb.tmp no specs unsecapp.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs essence.tmp cmd.exe no specs cmd.exe no specs cmd.exe no specs essence.tmp chrome.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs tbar.exe tbar.tmp regsvr32.exe no specs sc.exe no specs servicehost.exe uihost.exe no specs regsvr32.exe no specs restminder.exe chrome.exe no specs updater.exe trouqrinspeedup.exe submention.tmp restminder.exe no specs kruspeedup.exe cmd.exe no specs cmd.exe no specs timeout.exe no specs timeout.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs sfilei.exe cmd.exe no specs cmd.exe no specs timeout.exe no specs cmd.exe no specs restminder.exe no specs kruspeedupupdater.exe cookie_mmm_irs_ppi_005_888_a.exe santivirusservice.exe santivirusic.exe sc.exe no specs regsvr32.exe no specs csc.exe cmd.exe no specs regsvr32.exe no specs cmd.exe no specs cmd.exe no specs timeout.exe no specs timeout.exe no specs cvtres.exe no specs cmd.exe no specs cmd.exe no specs timeout.exe no specs timeout.exe no specs restminder.exe no specs cmd.exe no specs avast_free_antivirus_setup_online.exe instup.exe cmd.exe no specs cmd.exe no specs cmd.exe no specs instup.exe avgbrowserinstaller.exe setup.exe setup.exe no specs sbr.exe no specs avgbrowsercrashhandler.exe no specs avgbrowser.exe avgbrowser.exe no specs avgbrowser.exe avgbrowser.exe no specs avgbrowser.exe no specs elevation_service.exe no specs avgbrowser.exe no specs avgbrowser.exe no specs avgbrowser.exe no specs avgbrowser.exe no specs avgbrowser.exe no specs avgbrowser.exe no specs avgbrowser.exe no specs avgbrowser.exe no specs elevation_service.exe no specs chrmstp.exe chrmstp.exe no specs avgbrowser.exe no specs avgbrowser.exe no specs avgbrowser.exe no specs avgbrowser.exe avgbrowser.exe no specs elevation_service.exe no specs avgbrowser.exe no specs cmd.exe no specs timeout.exe no specs restminder.exe no specs servicehost.exe no specs uihost.exe no specs regsvr32.exe no specs cmd.exe no specs cmd.exe no specs santivirusclient.exe no specs presentationfontcache.exe no specs csc.exe cvtres.exe no specs updater.exe cmd.exe no specs cmd.exe no specs avgbrowser.exe no specs setupinf.exe no specs setupinf.exe no specs setupinf.exe no specs setupinf.exe no specs setupinf.exe no specs setupinf.exe no specs avemupdate.exe no specs avemupdate.exe avemupdate.exe avemupdate.exe avbugreport.exe no specs avbugreport.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
148sc.exe start "McAfee WebAdvisor"C:\Windows\system32\sc.exeinstaller.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
A tool to aid in developing services for WindowsNT
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\sc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\rpcrt4.dll
188regsvr32.exe /s "C:\Program Files\McAfee\WebAdvisor\win32\WSSDep.dll"C:\Windows\system32\regsvr32.exeinstaller.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Microsoft(C) Register Server
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\regsvr32.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\user32.dll
c:\windows\system32\sfc.dll
c:\windows\system32\rpcrt4.dll
272"C:\Users\admin\AppData\Local\Temp\4KTYbIoO\partners\RFileStpr2.tmp" /q=1351863091 /n="iclickmacapp Download Manager" /i="C:\Users\admin\AppData\Local\partner.bmp" C:\Users\admin\AppData\Local\Temp\4KTYbIoO\partners\RFileStpr2.tmp
cmd.exe
User:
admin
Company:
Universal Echo Pipe
Integrity Level:
HIGH
Description:
Universal Echo Pipe
Exit code:
0
Version:
3.0.0.1
Modules
Images
c:\users\admin\appdata\local\temp\4ktybioo\partners\rfilestpr2.tmp
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\lpk.dll
c:\windows\system32\user32.dll
276AvEmUpdate.exe /installer1 /emupdater /applydll "C:\Program Files\Avast Software\Avast\Setup\b56cba4e-41e6-4313-aea8-3b7ef84e95a7.dll"C:\Program Files\Avast Software\Avast\AvEmUpdate.exe
AvEmUpdate.exe
User:
admin
Company:
AVAST Software
Integrity Level:
HIGH
Description:
Avast Emergency Update
Exit code:
0
Version:
21.8.6586.0
Modules
Images
c:\program files\avast software\avast\avemupdate.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\webio.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\winhttp.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\rpcrt4.dll
304"C:\Users\admin\Downloads\iclickmacapp_3671.exe" -namk 1QOhfqsx8MGAAdBsYy+zmIkcYBkmgUvSUkNkypGdC/Pqqgnwte5uq2XlI/egA8Ulwm8waEwKc3KsIWdxZqexsyy+V2pReBw11/sMMI3khRWyoDqSO+tXTxyLp6t5c3huxC3pkJaLjlXsLNXyoBMDcDcHIK78d39jI7M/lkQCHoMD8o2SYtA0o7VDdCdmOmyKC:\Users\admin\Downloads\iclickmacapp_3671.exe
iclickmacapp_3671.exe
User:
admin
Company:
Brown Box
Integrity Level:
HIGH
Description:
Brown Box App
Exit code:
0
Version:
1.0.0.4
Modules
Images
c:\users\admin\downloads\iclickmacapp_3671.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\msimg32.dll
304"C:\Program Files\McAfee\WebAdvisor\updater.exe" C:\Program Files\McAfee\WebAdvisor\updater.exe
ServiceHost.exe
User:
SYSTEM
Company:
McAfee, LLC
Integrity Level:
SYSTEM
Description:
McAfee WebAdvisor
Exit code:
0
Version:
4,1,1,627
Modules
Images
c:\program files\mcafee\webadvisor\updater.exe
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ntdll.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
540"C:\Program Files\AVG\Browser\Update\AVGBrowserUpdate.exe" /regsvcC:\Program Files\AVG\Browser\Update\AVGBrowserUpdate.exeAVGBrowserUpdate.exe
User:
admin
Company:
AVG Technologies
Integrity Level:
HIGH
Description:
AVG Browser
Exit code:
0
Version:
1.8.1188.1
Modules
Images
c:\windows\system32\ntdll.dll
c:\program files\avg\browser\update\avgbrowserupdate.exe
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shell32.dll
c:\windows\system32\lpk.dll
756"C:\Users\admin\AppData\Local\Temp\4KTYbIoO\Essence.tmp" ":aLLqy+!a25E^3(jv>Fqw2bhIRE7>tUT@t4)WI0=_q3S+`Z^`e[p7Er<!@Bh_D9`Doj-godhUI7RY,^od0ZYvdAWR7]hU71;u\nm" C:\Users\admin\AppData\Local\Temp\4KTYbIoO\Essence.tmp
cmd.exe
User:
admin
Company:
Essence reflect
Integrity Level:
HIGH
Description:
Essence
Exit code:
1
Version:
2.0.1.7
Modules
Images
c:\users\admin\appdata\local\temp\4ktybioo\essence.tmp
c:\windows\system32\kernel32.dll
c:\windows\system32\ntdll.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\usp10.dll
c:\windows\system32\lpk.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shell32.dll
828"C:\Program Files\McAfee\WebAdvisor\UIHost.exe" C:\Program Files\McAfee\WebAdvisor\UIHost.exeServiceHost.exe
User:
admin
Company:
McAfee, LLC
Integrity Level:
MEDIUM
Description:
McAfee WebAdvisor
Exit code:
0
Version:
4,1,1,627
Modules
Images
c:\program files\mcafee\webadvisor\uihost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\usp10.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\rpcrt4.dll
880"C:\Program Files\AVG\Browser\Application\AVGBrowser.exe" --heartbeat --install --create-profile C:\Program Files\AVG\Browser\Application\AVGBrowser.exe
avg_secure_browser_setup.exe
User:
admin
Company:
AVG Technologies
Integrity Level:
HIGH
Description:
AVG Secure Browser
Exit code:
0
Version:
93.0.12112.84
Modules
Images
c:\program files\avg\browser\application\avgbrowser.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\avg\browser\application\93.0.12112.84\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
Total events
243 428
Read events
231 785
Write events
11 566
Delete events
77

Modification events

(PID) Process:(2888) chrome.exeKey:HKEY_CURRENT_USER\Software\Google\Chrome\BLBeacon
Operation:writeName:failed_count
Value:
0
(PID) Process:(2888) chrome.exeKey:HKEY_CURRENT_USER\Software\Google\Chrome\BLBeacon
Operation:writeName:state
Value:
2
(PID) Process:(2888) chrome.exeKey:HKEY_CURRENT_USER\Software\Google\Chrome\ThirdParty
Operation:writeName:StatusCodes
Value:
(PID) Process:(2888) chrome.exeKey:HKEY_CURRENT_USER\Software\Google\Chrome\ThirdParty
Operation:writeName:StatusCodes
Value:
01000000
(PID) Process:(2888) chrome.exeKey:HKEY_CURRENT_USER\Software\Google\Chrome\BLBeacon
Operation:writeName:state
Value:
1
(PID) Process:(2888) chrome.exeKey:HKEY_CURRENT_USER\Software\Google\Update\ClientState\{8A69D345-D564-463c-AFF1-A69D9E530F96}
Operation:writeName:dr
Value:
1
(PID) Process:(2888) chrome.exeKey:HKEY_CURRENT_USER\Software\Google\Chrome
Operation:writeName:UsageStatsInSample
Value:
0
(PID) Process:(2888) chrome.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Google\Update\ClientStateMedium\{8A69D345-D564-463C-AFF1-A69D9E530F96}
Operation:writeName:usagestats
Value:
0
(PID) Process:(2888) chrome.exeKey:HKEY_CURRENT_USER\Software\Google\Update\ClientState\{8A69D345-D564-463c-AFF1-A69D9E530F96}
Operation:writeName:metricsid
Value:
(PID) Process:(2888) chrome.exeKey:HKEY_CURRENT_USER\Software\Google\Update\ClientState\{8A69D345-D564-463c-AFF1-A69D9E530F96}
Operation:writeName:metricsid_installdate
Value:
0
Executable files
837
Suspicious files
953
Text files
4 174
Unknown types
257

Dropped files

PID
Process
Filename
Type
2888chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\BrowserMetrics\BrowserMetrics-615E69DE-B48.pma
MD5:
SHA256:
2888chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\c2c19035-00fa-42bb-94f9-274890d6277d.tmptext
MD5:
SHA256:
2888chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Preferencestext
MD5:
SHA256:
2888chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.datbinary
MD5:9C016064A1F864C8140915D77CF3389A
SHA256:0E7265D4A8C16223538EDD8CD620B8820611C74538E420A88E333BE7F62AC787
2888chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\LOG.old~RF10132c.TMPtext
MD5:64AD8ED3E666540337BA541C549F72F7
SHA256:BECBDB08B5B37D203A85F2E974407334053BB1D2270F0B3C9A4DB963896F2206
2888chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\LOG.old~RF10132c.TMPtext
MD5:936EB7280DA791E6DD28EF3A9B46D39C
SHA256:CBAF2AFD831B32F6D1C12337EE5D2F090D6AE1F4DCB40B08BEF49BF52AD9721F
2888chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Platform Notifications\LOG.oldtext
MD5:EF1D5606A483BB6C72C81A3F649BEB18
SHA256:BA083E7585ADA9936944FE56BC0141A544F18A01C3424E5C9F02375B34FE3D45
2888chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\a6ce511e-7b30-4495-b93d-f6b874e266ae.tmpbinary
MD5:5058F1AF8388633F609CADB75A75DC9D
SHA256:
2888chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Last Versiontext
MD5:00046F773EFDD3C8F8F6D0F87A2B93DC
SHA256:593EDE11D17AF7F016828068BCA2E93CF240417563FB06DC8A579110AEF81731
2888chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\LOG.old~RF10134b.TMPtext
MD5:81F483F77EE490F35306A4F94DB2286B
SHA256:82434CE3C9D13F509EBEEBE3A7A1A1DE9AB4557629D9FC855761E0CFA45E8BCE
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
121
TCP/UDP connections
596
DNS requests
183
Threats
2

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
HEAD
200
34.104.35.123:80
http://edgedl.me.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvODZmQUFYS2VOaGowdjdSeVBvWFBSTDIxdw/1.0.0.9_llkgjffcdpffmhiakmfcdcblohccpfmo.crx
US
whitelisted
3632
chrome.exe
GET
200
23.32.238.178:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?3db0d3907a3720ab
US
compressed
59.7 Kb
whitelisted
3880
BrowniBox.tmp
GET
200
93.184.220.29:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEAo3h2ReX7SMIk79G%2B0UDDw%3D
US
der
1.47 Kb
whitelisted
3880
BrowniBox.tmp
GET
200
13.32.23.69:80
http://ocsp.rootca1.amazontrust.com/MFQwUjBQME4wTDAJBgUrDgMCGgUABBRPWaOUU8%2B5VZ5%2Fa9jFTaU9pkK3FAQUhBjMhTTsvAyUlC4IWZzHshBOCggCEwZ%2FlFeFh%2Bisd96yUzJbvJmLVg0%3D
US
der
1.39 Kb
shared
HEAD
200
34.104.35.123:80
http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adys6mm2sd23z36ns7e4hcs4hrqq_1.3.36.111/ihnlcenocehgdaegdmhbidjhnhdchfmm_1.3.36.111_win_ac5lwr5427en7czu7myxmee6c7xq.crx3
US
crx
2.81 Kb
whitelisted
GET
206
34.104.35.123:80
http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adys6mm2sd23z36ns7e4hcs4hrqq_1.3.36.111/ihnlcenocehgdaegdmhbidjhnhdchfmm_1.3.36.111_win_ac5lwr5427en7czu7myxmee6c7xq.crx3
US
binary
9.69 Kb
whitelisted
304
iclickmacapp_3671.exe
GET
200
95.101.89.75:80
http://r3.o.lencr.org/MFMwUTBPME0wSzAJBgUrDgMCGgUABBRI2smg%2ByvTLU%2Fw3mjS9We3NfmzxAQUFC6zF7dYVsuuUAlA5h%2BvnYsUwsYCEgNwl4cqAQEUFBbCTK4a3087AA%3D%3D
unknown
der
503 b
shared
GET
206
34.104.35.123:80
http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adys6mm2sd23z36ns7e4hcs4hrqq_1.3.36.111/ihnlcenocehgdaegdmhbidjhnhdchfmm_1.3.36.111_win_ac5lwr5427en7czu7myxmee6c7xq.crx3
US
binary
9.69 Kb
whitelisted
GET
200
34.104.35.123:80
http://edgedl.me.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvODZmQUFYS2VOaGowdjdSeVBvWFBSTDIxdw/1.0.0.9_llkgjffcdpffmhiakmfcdcblohccpfmo.crx
US
crx
2.81 Kb
whitelisted
GET
206
34.104.35.123:80
http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adys6mm2sd23z36ns7e4hcs4hrqq_1.3.36.111/ihnlcenocehgdaegdmhbidjhnhdchfmm_1.3.36.111_win_ac5lwr5427en7czu7myxmee6c7xq.crx3
US
binary
20.9 Kb
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
3632
chrome.exe
142.250.186.109:443
accounts.google.com
Google Inc.
US
whitelisted
3632
chrome.exe
142.250.186.142:443
clients2.google.com
Google Inc.
US
whitelisted
3632
chrome.exe
104.16.18.94:443
cdnjs.cloudflare.com
Cloudflare Inc
US
unknown
3632
chrome.exe
172.67.186.115:443
mega-share.pro
US
unknown
3632
chrome.exe
35.190.80.1:443
a.nel.cloudflare.com
Google Inc.
US
suspicious
3632
chrome.exe
23.32.238.178:80
ctldl.windowsupdate.com
XO Communications
US
suspicious
3632
chrome.exe
172.67.143.216:443
ichaunam.space
US
unknown
3632
chrome.exe
142.250.185.227:443
ssl.gstatic.com
Google Inc.
US
whitelisted
3632
chrome.exe
137.184.73.7:443
sharpfiledownload.com
The Procter and Gamble Company
US
unknown
3632
chrome.exe
172.217.23.106:443
fonts.googleapis.com
Google Inc.
US
whitelisted

DNS requests

Domain
IP
Reputation
accounts.google.com
  • 142.250.186.109
  • 142.250.186.141
shared
mega-share.pro
  • 172.67.186.115
  • 104.21.1.13
malicious
clients2.google.com
  • 142.250.186.142
whitelisted
cdnjs.cloudflare.com
  • 104.16.18.94
  • 104.16.19.94
whitelisted
a.nel.cloudflare.com
  • 35.190.80.1
whitelisted
ctldl.windowsupdate.com
  • 23.32.238.178
  • 23.32.238.201
  • 209.197.3.8
whitelisted
ichaunam.space
  • 172.67.143.216
  • 104.21.95.84
malicious
sharpfiledownload.com
  • 137.184.73.7
unknown
ssl.gstatic.com
  • 142.250.185.227
whitelisted
yourjsdelivery.com
  • 104.26.6.149
  • 104.26.7.149
  • 172.67.73.213
malicious

Threats

PID
Process
Class
Message
2132
cookie_mmm_irs_ppi_005_888_a.exe
Potential Corporate Privacy Violation
ET POLICY PE EXE or DLL Windows file download HTTP
3532
AvEmUpdate.exe
Potential Corporate Privacy Violation
ET POLICY PE EXE or DLL Windows file download HTTP
Process
Message
saBSI.exe
NotComDllGetInterface: DLL not found in install location, looking in current directory
saBSI.exe
NotComDllGetInterface: C:\Users\admin\AppData\Local\Temp\saBSI.exe loading C:\Users\admin\AppData\Local\Temp\mfeaaca.dll, WinVerifyTrust failed with 80092003
saBSI.exe
NotComDllGetInterface: DLL not found in install location, looking in current directory
saBSI.exe
NotComDllGetInterface: C:\Users\admin\AppData\Local\Temp\saBSI.exe loading C:\Users\admin\AppData\Local\Temp\mfeaaca.dll, WinVerifyTrust failed with 80092003
saBSI.exe
NotComDllGetInterface: DLL not found in install location, looking in current directory
saBSI.exe
NotComDllGetInterface: C:\Users\admin\AppData\Local\Temp\saBSI.exe loading C:\Users\admin\AppData\Local\Temp\mfeaaca.dll, WinVerifyTrust failed with 80092003
installer.exe
NCPrivateLoadAndValidateMPTDll: Looking in current directory
installer.exe
NCPrivateLoadAndValidateMPTDll: Looking in EXE directory
installer.exe
NotComDllGetInterface: C:\Program Files\McAfee\Temp1297039107\installer.exe loading C:\Program Files\McAfee\Temp1297039107\mfeaaca.dll, WinVerifyTrust failed with 80092003
installer.exe
NCPrivateLoadAndValidateMPTDll: Looking in current directory
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
https://mega-share.pro/YlpNVDNfMjAyMC0wOC0yMSAxNzoyMDozMA==