URL:

https://mega-share.pro/YlpNVDNfMjAyMC0wOC0yMSAxNzoyMDozMA==

Full analysis: https://app.any.run/tasks/281cdb70-04d9-477e-92e8-2b7dbe6db376
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Malware Trends Tracker     >>>
Analysis date: October 07, 2021, 03:30:25
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
loader
Indicators:
MD5:

40DA6426CE4C397BDBA6D72A9379A195

SHA1:

74292295F5A5286768A6CF2CE03B727E828E8F31

SHA256:

A5FB58A2CD37A2184174A6484759CB6AD5F9529ED346093B5D33624A8F29AF51

SSDEEP:

3:N8X6KXKni4PohEPn:2KLi4P7P

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Application was dropped or rewritten from another process

      • iclickmacapp_3671.exe (PID: 3540)
      • iclickmacapp_3671.exe (PID: 304)
      • BrowniBox.tmp (PID: 3880)
      • saBSI.exe (PID: 2828)
      • avg_secure_browser_setup.exe (PID: 2292)
      • AVGBrowserUpdateSetup.exe (PID: 920)
      • AVGBrowserUpdate.exe (PID: 540)
      • AVGBrowserUpdate.exe (PID: 3556)
      • AVGBrowserUpdate.exe (PID: 3336)
      • AVGBrowserUpdate.exe (PID: 3104)
      • AVGBrowserUpdate.exe (PID: 3472)
      • AVGBrowserUpdate.exe (PID: 2872)
      • installer.exe (PID: 3356)
      • installer.exe (PID: 3588)
      • pcapd.exe (PID: 3652)
      • RFileStpr2.tmp (PID: 272)
      • ProfitSymb.tmp (PID: 2264)
      • ServiceHost.exe (PID: 3724)
      • UIHost.exe (PID: 828)
      • tbar.exe (PID: 1668)
      • RestMinder.exe (PID: 2272)
      • updater.exe (PID: 304)
      • TrouqrinSpeedup.exe (PID: 2364)
      • RestMinder.exe (PID: 1284)
      • Submention.tmp (PID: 2860)
      • KruSpeedup.exe (PID: 3160)
      • SFileI.exe (PID: 3184)
      • RestMinder.exe (PID: 4080)
      • KruSpeedupUpdater.exe (PID: 2960)
      • cookie_mmm_irs_ppi_005_888_a.exe (PID: 2132)
      • SAntivirusService.exe (PID: 2344)
      • SAntivirusIC.exe (PID: 3108)
      • RestMinder.exe (PID: 3632)
      • avast_free_antivirus_setup_online.exe (PID: 1868)
      • instup.exe (PID: 3640)
      • sbr.exe (PID: 1832)
      • instup.exe (PID: 2612)
      • AVGBrowserCrashHandler.exe (PID: 1220)
      • AVGBrowser.exe (PID: 1668)
      • AVGBrowser.exe (PID: 920)
      • AVGBrowser.exe (PID: 5604)
      • AVGBrowser.exe (PID: 5040)
      • AVGBrowser.exe (PID: 5328)
      • AVGBrowser.exe (PID: 4820)
      • AVGBrowser.exe (PID: 5636)
      • AVGBrowser.exe (PID: 5772)
      • AVGBrowser.exe (PID: 5108)
      • setup.exe (PID: 3124)
      • setup.exe (PID: 1952)
      • AVGBrowser.exe (PID: 880)
      • AVGBrowser.exe (PID: 932)
      • AVGBrowser.exe (PID: 5024)
      • AVGBrowser.exe (PID: 1580)
      • AVGBrowser.exe (PID: 4860)
      • AVGBrowser.exe (PID: 5396)
      • AVGBrowser.exe (PID: 4504)
      • AVGBrowser.exe (PID: 5476)
      • chrmstp.exe (PID: 5432)
      • chrmstp.exe (PID: 5632)
      • AVGBrowser.exe (PID: 4892)
      • AVGBrowser.exe (PID: 4984)
      • RestMinder.exe (PID: 1564)
      • ServiceHost.exe (PID: 4564)
      • UIHost.exe (PID: 5052)
      • santivirusclient.exe (PID: 4228)
      • updater.exe (PID: 4284)
      • AVGBrowser.exe (PID: 3604)
      • SetupInf.exe (PID: 2668)
      • SetupInf.exe (PID: 3904)
      • SetupInf.exe (PID: 5540)
      • SetupInf.exe (PID: 4640)
      • AvEmUpdate.exe (PID: 1728)
      • SetupInf.exe (PID: 5216)
      • SetupInf.exe (PID: 4344)
      • AvEmUpdate.exe (PID: 3532)
      • AvEmUpdate.exe (PID: 276)
      • AvEmUpdate.exe (PID: 4884)

    • Changes settings of System certificates

      • iclickmacapp_3671.exe (PID: 304)
      • saBSI.exe (PID: 2828)
      • ServiceHost.exe (PID: 3724)
      • SAntivirusService.exe (PID: 2344)
      • AVGBrowser.exe (PID: 880)

    • Drops executable file immediately after starts

      • avg_secure_browser_setup.exe (PID: 2292)
      • AVGBrowserUpdateSetup.exe (PID: 920)
      • AVGBrowserUpdate.exe (PID: 3556)
      • installer.exe (PID: 3356)
      • tbar.exe (PID: 1668)
      • SFileI.exe (PID: 3184)
      • cookie_mmm_irs_ppi_005_888_a.exe (PID: 2132)
      • csc.exe (PID: 4968)

    • Steals credentials from Web Browsers

      • avg_secure_browser_setup.exe (PID: 2292)
      • ServiceHost.exe (PID: 3724)
      • SAntivirusService.exe (PID: 2344)
      • AVGBrowser.exe (PID: 880)

    • Actions looks like stealing of personal data

      • avg_secure_browser_setup.exe (PID: 2292)
      • ServiceHost.exe (PID: 3724)
      • SAntivirusService.exe (PID: 2344)
      • AVGBrowserInstaller.exe (PID: 1580)
      • setup.exe (PID: 3124)
      • AVGBrowser.exe (PID: 880)

    • Loads the Task Scheduler COM API

      • AVGBrowserUpdate.exe (PID: 3556)
      • setup.exe (PID: 3124)
      • AvEmUpdate.exe (PID: 3532)
      • AvEmUpdate.exe (PID: 1728)

    • Loads dropped or rewritten executable

      • avg_secure_browser_setup.exe (PID: 2292)
      • AVGBrowserUpdate.exe (PID: 2872)
      • AVGBrowserUpdate.exe (PID: 3556)
      • AVGBrowserUpdate.exe (PID: 540)
      • AVGBrowserUpdate.exe (PID: 3472)
      • AVGBrowserUpdate.exe (PID: 3104)
      • AVGBrowserUpdate.exe (PID: 3336)
      • regsvr32.exe (PID: 188)
      • regsvr32.exe (PID: 3492)
      • ServiceHost.exe (PID: 3724)
      • regsvr32.exe (PID: 1452)
      • UIHost.exe (PID: 828)
      • RestMinder.exe (PID: 2272)
      • RestMinder.exe (PID: 1284)
      • TrouqrinSpeedup.exe (PID: 2364)
      • KruSpeedup.exe (PID: 3160)
      • KruSpeedupUpdater.exe (PID: 2960)
      • SFileI.exe (PID: 3184)
      • RestMinder.exe (PID: 4080)
      • SAntivirusService.exe (PID: 2344)
      • regsvr32.exe (PID: 2424)
      • regsvr32.exe (PID: 1908)
      • RestMinder.exe (PID: 3632)
      • SAntivirusIC.exe (PID: 3108)
      • instup.exe (PID: 3640)
      • instup.exe (PID: 2612)
      • RestMinder.exe (PID: 1564)
      • UIHost.exe (PID: 5052)
      • regsvr32.exe (PID: 4000)
      • ServiceHost.exe (PID: 4564)
      • santivirusclient.exe (PID: 4228)
      • AvEmUpdate.exe (PID: 276)

    • Registers / Runs the DLL via REGSVR32.EXE

      • installer.exe (PID: 3588)
      • ServiceHost.exe (PID: 3724)
      • updater.exe (PID: 304)
      • ServiceHost.exe (PID: 4564)

    • Changes the autorun value in the registry

      • tbar.tmp (PID: 1580)
      • KruSpeedup.exe (PID: 3160)
      • instup.exe (PID: 2612)
      • setup.exe (PID: 3124)
      • AVGBrowser.exe (PID: 880)
      • chrmstp.exe (PID: 5432)

    • Starts Visual C# compiler

      • SAntivirusService.exe (PID: 2344)
      • santivirusclient.exe (PID: 4228)

  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • chrome.exe (PID: 2888)
      • iclickmacapp_3671.exe (PID: 304)
      • BrowniBox.tmp (PID: 3880)
      • avg_secure_browser_setup.exe (PID: 2292)
      • AVGBrowserUpdate.exe (PID: 3556)
      • AVGBrowserUpdateSetup.exe (PID: 920)
      • saBSI.exe (PID: 2828)
      • installer.exe (PID: 3356)
      • installer.exe (PID: 3588)
      • RFileStpr2.tmp (PID: 272)
      • Essence.tmp (PID: 756)
      • tbar.exe (PID: 1668)
      • tbar.tmp (PID: 1580)
      • pcapd.exe (PID: 3652)
      • TrouqrinSpeedup.exe (PID: 2364)
      • Essence.tmp (PID: 4040)
      • SFileI.exe (PID: 3184)
      • updater.exe (PID: 304)
      • SAntivirusService.exe (PID: 2344)
      • csc.exe (PID: 4024)
      • cookie_mmm_irs_ppi_005_888_a.exe (PID: 2132)
      • SAntivirusIC.exe (PID: 3108)
      • instup.exe (PID: 3640)
      • setup.exe (PID: 3124)
      • instup.exe (PID: 2612)
      • csc.exe (PID: 4968)

    • Drops a file with a compile date too recent

      • chrome.exe (PID: 2888)
      • iclickmacapp_3671.exe (PID: 304)
      • BrowniBox.tmp (PID: 3880)
      • TrouqrinSpeedup.exe (PID: 2364)
      • cookie_mmm_irs_ppi_005_888_a.exe (PID: 2132)
      • updater.exe (PID: 304)
      • csc.exe (PID: 4024)
      • instup.exe (PID: 3640)
      • setup.exe (PID: 3124)
      • instup.exe (PID: 2612)
      • csc.exe (PID: 4968)

    • Reads the computer name

      • iclickmacapp_3671.exe (PID: 3540)
      • iclickmacapp_3671.exe (PID: 304)
      • BrowniBox.tmp (PID: 3880)
      • saBSI.exe (PID: 2828)
      • avg_secure_browser_setup.exe (PID: 2292)
      • AVGBrowserUpdate.exe (PID: 3556)
      • AVGBrowserUpdate.exe (PID: 540)
      • AVGBrowserUpdate.exe (PID: 3104)
      • AVGBrowserUpdate.exe (PID: 2872)
      • AVGBrowserUpdate.exe (PID: 3472)
      • installer.exe (PID: 3588)
      • RFileStpr2.tmp (PID: 272)
      • pcapd.exe (PID: 3652)
      • unsecapp.exe (PID: 3204)
      • ProfitSymb.tmp (PID: 2264)
      • Essence.tmp (PID: 4040)
      • Essence.tmp (PID: 756)
      • tbar.tmp (PID: 1580)
      • ServiceHost.exe (PID: 3724)
      • UIHost.exe (PID: 828)
      • RestMinder.exe (PID: 2272)
      • updater.exe (PID: 304)
      • TrouqrinSpeedup.exe (PID: 2364)
      • Submention.tmp (PID: 2860)
      • RestMinder.exe (PID: 1284)
      • KruSpeedup.exe (PID: 3160)
      • SFileI.exe (PID: 3184)
      • RestMinder.exe (PID: 4080)
      • cookie_mmm_irs_ppi_005_888_a.exe (PID: 2132)
      • KruSpeedupUpdater.exe (PID: 2960)
      • SAntivirusService.exe (PID: 2344)
      • SAntivirusIC.exe (PID: 3108)
      • RestMinder.exe (PID: 3632)
      • avast_free_antivirus_setup_online.exe (PID: 1868)
      • instup.exe (PID: 3640)
      • instup.exe (PID: 2612)
      • setup.exe (PID: 3124)
      • AVGBrowserInstaller.exe (PID: 1580)
      • AVGBrowserCrashHandler.exe (PID: 1220)
      • elevation_service.exe (PID: 4260)
      • AVGBrowser.exe (PID: 880)
      • AVGBrowser.exe (PID: 1580)
      • AVGBrowser.exe (PID: 1668)
      • AVGBrowser.exe (PID: 4820)
      • elevation_service.exe (PID: 2408)
      • chrmstp.exe (PID: 5432)
      • AVGBrowser.exe (PID: 4892)
      • elevation_service.exe (PID: 5824)
      • AVGBrowser.exe (PID: 4984)
      • AVGBrowser.exe (PID: 4504)
      • AVGBrowser.exe (PID: 5396)
      • RestMinder.exe (PID: 1564)
      • ServiceHost.exe (PID: 4564)
      • UIHost.exe (PID: 5052)
      • PresentationFontCache.exe (PID: 6028)
      • santivirusclient.exe (PID: 4228)
      • updater.exe (PID: 4284)
      • SetupInf.exe (PID: 2668)
      • SetupInf.exe (PID: 3904)
      • SetupInf.exe (PID: 4640)
      • SetupInf.exe (PID: 5540)
      • SetupInf.exe (PID: 4344)
      • SetupInf.exe (PID: 5216)
      • AvEmUpdate.exe (PID: 1728)
      • AvEmUpdate.exe (PID: 3532)
      • AvEmUpdate.exe (PID: 4884)
      • AvEmUpdate.exe (PID: 276)

    • Application launched itself

      • iclickmacapp_3671.exe (PID: 3540)
      • cmd.exe (PID: 3604)
      • cmd.exe (PID: 1952)
      • cmd.exe (PID: 2892)
      • cmd.exe (PID: 1272)
      • cmd.exe (PID: 2768)
      • cmd.exe (PID: 4032)
      • cmd.exe (PID: 3012)
      • cmd.exe (PID: 3424)
      • cmd.exe (PID: 3364)
      • cmd.exe (PID: 2988)
      • cmd.exe (PID: 2904)
      • cmd.exe (PID: 2948)
      • cmd.exe (PID: 4016)
      • cmd.exe (PID: 3996)
      • cmd.exe (PID: 3964)
      • cmd.exe (PID: 3768)
      • cmd.exe (PID: 888)
      • cmd.exe (PID: 4000)
      • cmd.exe (PID: 1068)
      • cmd.exe (PID: 1952)
      • cmd.exe (PID: 3156)
      • cmd.exe (PID: 3184)
      • setup.exe (PID: 3124)
      • AVGBrowser.exe (PID: 880)
      • chrmstp.exe (PID: 5432)
      • AVGBrowser.exe (PID: 4892)
      • AvEmUpdate.exe (PID: 3532)

    • Checks supported languages

      • iclickmacapp_3671.exe (PID: 3540)
      • iclickmacapp_3671.exe (PID: 304)
      • cmd.exe (PID: 1304)
      • cmd.exe (PID: 3000)
      • cmd.exe (PID: 3604)
      • cmd.exe (PID: 1952)
      • cmd.exe (PID: 3316)
      • BrowniBox.tmp (PID: 3880)
      • cmd.exe (PID: 2892)
      • cmd.exe (PID: 2088)
      • saBSI.exe (PID: 2828)
      • avg_secure_browser_setup.exe (PID: 2292)
      • AVGBrowserUpdate.exe (PID: 3556)
      • AVGBrowserUpdateSetup.exe (PID: 920)
      • AVGBrowserUpdate.exe (PID: 540)
      • AVGBrowserUpdate.exe (PID: 3104)
      • AVGBrowserUpdate.exe (PID: 3336)
      • AVGBrowserUpdate.exe (PID: 3472)
      • AVGBrowserUpdate.exe (PID: 2872)
      • installer.exe (PID: 3588)
      • cmd.exe (PID: 1272)
      • cmd.exe (PID: 2768)
      • RFileStpr2.tmp (PID: 272)
      • cmd.exe (PID: 2500)
      • cmd.exe (PID: 4032)
      • cmd.exe (PID: 1844)
      • cmd.exe (PID: 3012)
      • pcapd.exe (PID: 3652)
      • ProfitSymb.tmp (PID: 2264)
      • unsecapp.exe (PID: 3204)
      • cmd.exe (PID: 3424)
      • cmd.exe (PID: 3364)
      • cmd.exe (PID: 3724)
      • Essence.tmp (PID: 4040)
      • cmd.exe (PID: 2988)
      • cmd.exe (PID: 2904)
      • cmd.exe (PID: 3492)
      • Essence.tmp (PID: 756)
      • cmd.exe (PID: 2948)
      • installer.exe (PID: 3356)
      • cmd.exe (PID: 4016)
      • tbar.tmp (PID: 1580)
      • cmd.exe (PID: 2796)
      • tbar.exe (PID: 1668)
      • ServiceHost.exe (PID: 3724)
      • UIHost.exe (PID: 828)
      • RestMinder.exe (PID: 2272)
      • updater.exe (PID: 304)
      • TrouqrinSpeedup.exe (PID: 2364)
      • Submention.tmp (PID: 2860)
      • RestMinder.exe (PID: 1284)
      • KruSpeedup.exe (PID: 3160)
      • cmd.exe (PID: 3768)
      • cmd.exe (PID: 888)
      • cmd.exe (PID: 3996)
      • cmd.exe (PID: 3964)
      • cmd.exe (PID: 2720)
      • SFileI.exe (PID: 3184)
      • cmd.exe (PID: 3752)
      • cmd.exe (PID: 4000)
      • cmd.exe (PID: 2420)
      • RestMinder.exe (PID: 4080)
      • KruSpeedupUpdater.exe (PID: 2960)
      • cookie_mmm_irs_ppi_005_888_a.exe (PID: 2132)
      • SAntivirusService.exe (PID: 2344)
      • SAntivirusIC.exe (PID: 3108)
      • cmd.exe (PID: 1952)
      • csc.exe (PID: 4024)
      • cmd.exe (PID: 1068)
      • cvtres.exe (PID: 2284)
      • cmd.exe (PID: 2832)
      • cmd.exe (PID: 3156)
      • cmd.exe (PID: 3184)
      • RestMinder.exe (PID: 3632)
      • avast_free_antivirus_setup_online.exe (PID: 1868)
      • cmd.exe (PID: 2328)
      • instup.exe (PID: 3640)
      • cmd.exe (PID: 3444)
      • cmd.exe (PID: 2852)
      • cmd.exe (PID: 1460)
      • AVGBrowserInstaller.exe (PID: 1580)
      • setup.exe (PID: 3124)
      • instup.exe (PID: 2612)
      • setup.exe (PID: 1952)
      • sbr.exe (PID: 1832)
      • AVGBrowserCrashHandler.exe (PID: 1220)
      • AVGBrowser.exe (PID: 932)
      • AVGBrowser.exe (PID: 880)
      • AVGBrowser.exe (PID: 1668)
      • AVGBrowser.exe (PID: 1580)
      • AVGBrowser.exe (PID: 920)
      • elevation_service.exe (PID: 4260)
      • AVGBrowser.exe (PID: 5024)
      • AVGBrowser.exe (PID: 5328)
      • AVGBrowser.exe (PID: 5636)
      • AVGBrowser.exe (PID: 5604)
      • AVGBrowser.exe (PID: 4820)
      • AVGBrowser.exe (PID: 5108)
      • AVGBrowser.exe (PID: 5040)
      • elevation_service.exe (PID: 2408)
      • chrmstp.exe (PID: 5432)
      • chrmstp.exe (PID: 5632)
      • AVGBrowser.exe (PID: 5772)
      • AVGBrowser.exe (PID: 4892)
      • AVGBrowser.exe (PID: 4504)
      • AVGBrowser.exe (PID: 4860)
      • AVGBrowser.exe (PID: 5396)
      • AVGBrowser.exe (PID: 4984)
      • cmd.exe (PID: 5136)
      • AVGBrowser.exe (PID: 5476)
      • elevation_service.exe (PID: 5824)
      • RestMinder.exe (PID: 1564)
      • ServiceHost.exe (PID: 4564)
      • cmd.exe (PID: 1972)
      • UIHost.exe (PID: 5052)
      • santivirusclient.exe (PID: 4228)
      • PresentationFontCache.exe (PID: 6028)
      • csc.exe (PID: 4968)
      • cvtres.exe (PID: 5392)
      • cmd.exe (PID: 1632)
      • updater.exe (PID: 4284)
      • cmd.exe (PID: 5024)
      • cmd.exe (PID: 5172)
      • AVGBrowser.exe (PID: 3604)
      • SetupInf.exe (PID: 2668)
      • SetupInf.exe (PID: 3904)
      • SetupInf.exe (PID: 5540)
      • SetupInf.exe (PID: 4640)
      • SetupInf.exe (PID: 5216)
      • AvEmUpdate.exe (PID: 1728)
      • SetupInf.exe (PID: 4344)
      • AvEmUpdate.exe (PID: 3532)
      • AvEmUpdate.exe (PID: 276)
      • AvEmUpdate.exe (PID: 4884)

    • Starts CMD.EXE for commands execution

      • iclickmacapp_3671.exe (PID: 304)
      • cmd.exe (PID: 3604)
      • cmd.exe (PID: 1952)
      • cmd.exe (PID: 2892)
      • BrowniBox.tmp (PID: 3880)
      • cmd.exe (PID: 2768)
      • cmd.exe (PID: 1272)
      • cmd.exe (PID: 4032)
      • cmd.exe (PID: 3012)
      • cmd.exe (PID: 3364)
      • cmd.exe (PID: 3424)
      • cmd.exe (PID: 2988)
      • cmd.exe (PID: 2904)
      • Essence.tmp (PID: 756)
      • cmd.exe (PID: 2948)
      • cmd.exe (PID: 4016)
      • pcapd.exe (PID: 3652)
      • cmd.exe (PID: 3996)
      • cmd.exe (PID: 3964)
      • Essence.tmp (PID: 4040)
      • cmd.exe (PID: 3768)
      • RFileStpr2.tmp (PID: 272)
      • cmd.exe (PID: 888)
      • cmd.exe (PID: 4000)
      • cmd.exe (PID: 1068)
      • cmd.exe (PID: 1952)
      • cmd.exe (PID: 3156)
      • cmd.exe (PID: 3184)
      • avg_secure_browser_setup.exe (PID: 2292)
      • updater.exe (PID: 304)
      • updater.exe (PID: 4284)

    • Adds / modifies Windows certificates

      • iclickmacapp_3671.exe (PID: 304)
      • saBSI.exe (PID: 2828)
      • ServiceHost.exe (PID: 3724)
      • SAntivirusService.exe (PID: 2344)
      • AVGBrowser.exe (PID: 880)

    • Starts SC.EXE for service management

      • cmd.exe (PID: 3000)
      • cmd.exe (PID: 1304)
      • installer.exe (PID: 3588)
      • updater.exe (PID: 304)

    • Creates a directory in Program Files

      • iclickmacapp_3671.exe (PID: 304)
      • AVGBrowserUpdateSetup.exe (PID: 920)
      • AVGBrowserUpdate.exe (PID: 3556)
      • AVGBrowserUpdate.exe (PID: 2872)
      • installer.exe (PID: 3356)
      • installer.exe (PID: 3588)
      • updater.exe (PID: 304)
      • TrouqrinSpeedup.exe (PID: 2364)
      • SFileI.exe (PID: 3184)
      • AVGBrowserInstaller.exe (PID: 1580)
      • setup.exe (PID: 3124)
      • instup.exe (PID: 2612)
      • AVGBrowser.exe (PID: 880)
      • SAntivirusService.exe (PID: 2344)
      • AvEmUpdate.exe (PID: 3532)

    • Creates files in the program directory

      • iclickmacapp_3671.exe (PID: 304)
      • saBSI.exe (PID: 2828)
      • AVGBrowserUpdate.exe (PID: 3556)
      • AVGBrowserUpdateSetup.exe (PID: 920)
      • installer.exe (PID: 3356)
      • installer.exe (PID: 3588)
      • ServiceHost.exe (PID: 3724)
      • UIHost.exe (PID: 828)
      • TrouqrinSpeedup.exe (PID: 2364)
      • KruSpeedup.exe (PID: 3160)
      • KruSpeedupUpdater.exe (PID: 2960)
      • SFileI.exe (PID: 3184)
      • updater.exe (PID: 304)
      • avast_free_antivirus_setup_online.exe (PID: 1868)
      • SAntivirusIC.exe (PID: 3108)
      • instup.exe (PID: 3640)
      • AVGBrowserUpdate.exe (PID: 2872)
      • AVGBrowserInstaller.exe (PID: 1580)
      • setup.exe (PID: 3124)
      • instup.exe (PID: 2612)
      • avg_secure_browser_setup.exe (PID: 2292)
      • AVGBrowser.exe (PID: 880)
      • chrmstp.exe (PID: 5432)
      • AvEmUpdate.exe (PID: 1728)
      • AvEmUpdate.exe (PID: 3532)
      • SAntivirusService.exe (PID: 2344)

    • Starts application with an unusual extension

      • cmd.exe (PID: 3316)
      • cmd.exe (PID: 2500)
      • RFileStpr2.tmp (PID: 272)
      • cmd.exe (PID: 3724)
      • cmd.exe (PID: 3492)

    • Reads the date of Windows installation

      • BrowniBox.tmp (PID: 3880)
      • SAntivirusService.exe (PID: 2344)
      • setup.exe (PID: 3124)
      • chrmstp.exe (PID: 5432)

    • Reads Environment values

      • BrowniBox.tmp (PID: 3880)
      • avg_secure_browser_setup.exe (PID: 2292)
      • ServiceHost.exe (PID: 3724)
      • RestMinder.exe (PID: 2272)
      • SFileI.exe (PID: 3184)
      • SAntivirusService.exe (PID: 2344)
      • instup.exe (PID: 3640)
      • SAntivirusIC.exe (PID: 3108)
      • instup.exe (PID: 2612)
      • AVGBrowser.exe (PID: 880)
      • AVGBrowser.exe (PID: 4892)
      • santivirusclient.exe (PID: 4228)
      • AvEmUpdate.exe (PID: 1728)
      • AvEmUpdate.exe (PID: 3532)
      • AvEmUpdate.exe (PID: 4884)
      • AvEmUpdate.exe (PID: 276)

    • Starts CMD.EXE for self-deleting

      • iclickmacapp_3671.exe (PID: 304)
      • cmd.exe (PID: 2892)
      • pcapd.exe (PID: 3652)
      • cmd.exe (PID: 3768)
      • Essence.tmp (PID: 4040)
      • Essence.tmp (PID: 756)
      • cmd.exe (PID: 1068)
      • cmd.exe (PID: 3156)
      • avg_secure_browser_setup.exe (PID: 2292)

    • Drops a file that was compiled in debug mode

      • BrowniBox.tmp (PID: 3880)
      • avg_secure_browser_setup.exe (PID: 2292)
      • AVGBrowserUpdateSetup.exe (PID: 920)
      • AVGBrowserUpdate.exe (PID: 3556)
      • saBSI.exe (PID: 2828)
      • installer.exe (PID: 3356)
      • installer.exe (PID: 3588)
      • RFileStpr2.tmp (PID: 272)
      • tbar.tmp (PID: 1580)
      • TrouqrinSpeedup.exe (PID: 2364)
      • cookie_mmm_irs_ppi_005_888_a.exe (PID: 2132)
      • SFileI.exe (PID: 3184)
      • updater.exe (PID: 304)
      • instup.exe (PID: 3640)
      • setup.exe (PID: 3124)
      • instup.exe (PID: 2612)
      • AvEmUpdate.exe (PID: 3532)

    • Searches for installed software

      • BrowniBox.tmp (PID: 3880)
      • avg_secure_browser_setup.exe (PID: 2292)
      • SAntivirusService.exe (PID: 2344)
      • AVGBrowser.exe (PID: 880)
      • AVGBrowser.exe (PID: 4892)
      • updater.exe (PID: 4284)

    • Disables SEHOP

      • AVGBrowserUpdate.exe (PID: 3556)

    • Starts itself from another location

      • AVGBrowserUpdate.exe (PID: 3556)
      • instup.exe (PID: 3640)

    • Creates/Modifies COM task schedule object

      • AVGBrowserUpdate.exe (PID: 3556)
      • AVGBrowserUpdate.exe (PID: 3336)
      • regsvr32.exe (PID: 188)
      • regsvr32.exe (PID: 3492)
      • regsvr32.exe (PID: 1452)
      • regsvr32.exe (PID: 2424)
      • regsvr32.exe (PID: 1908)
      • regsvr32.exe (PID: 4000)
      • instup.exe (PID: 2612)

    • Executed as Windows Service

      • AVGBrowserUpdate.exe (PID: 2872)
      • ServiceHost.exe (PID: 3724)
      • SAntivirusIC.exe (PID: 3108)
      • elevation_service.exe (PID: 4260)
      • elevation_service.exe (PID: 2408)
      • SAntivirusService.exe (PID: 2344)
      • elevation_service.exe (PID: 5824)
      • ServiceHost.exe (PID: 4564)
      • PresentationFontCache.exe (PID: 6028)

    • Drops a file with too old compile date

      • BrowniBox.tmp (PID: 3880)
      • tbar.tmp (PID: 1580)
      • pcapd.exe (PID: 3652)
      • TrouqrinSpeedup.exe (PID: 2364)
      • Essence.tmp (PID: 4040)
      • SFileI.exe (PID: 3184)
      • instup.exe (PID: 2612)

    • Reads Windows Product ID

      • RFileStpr2.tmp (PID: 272)
      • TrouqrinSpeedup.exe (PID: 2364)
      • KruSpeedup.exe (PID: 3160)
      • SAntivirusService.exe (PID: 2344)
      • SAntivirusIC.exe (PID: 3108)

    • Executed via COM

      • unsecapp.exe (PID: 3204)

    • Creates a software uninstall entry

      • installer.exe (PID: 3588)
      • ServiceHost.exe (PID: 3724)
      • TrouqrinSpeedup.exe (PID: 2364)
      • SFileI.exe (PID: 3184)
      • avg_secure_browser_setup.exe (PID: 2292)
      • setup.exe (PID: 3124)
      • elevation_service.exe (PID: 4260)
      • elevation_service.exe (PID: 5824)
      • updater.exe (PID: 304)
      • ServiceHost.exe (PID: 4564)
      • instup.exe (PID: 2612)

    • Reads Windows owner or organization settings

      • tbar.tmp (PID: 1580)

    • Reads the Windows organization settings

      • tbar.tmp (PID: 1580)

    • Creates files in the user directory

      • tbar.tmp (PID: 1580)
      • KruSpeedup.exe (PID: 3160)
      • SFileI.exe (PID: 3184)
      • setup.exe (PID: 3124)
      • AVGBrowser.exe (PID: 880)
      • chrmstp.exe (PID: 5432)
      • santivirusclient.exe (PID: 4228)

    • Reads Microsoft Outlook installation path

      • RestMinder.exe (PID: 2272)

    • Reads internet explorer settings

      • RestMinder.exe (PID: 2272)

    • Changes IE settings (feature browser emulation)

      • TrouqrinSpeedup.exe (PID: 2364)
      • KruSpeedup.exe (PID: 3160)
      • santivirusclient.exe (PID: 4228)

    • Reads CPU info

      • KruSpeedup.exe (PID: 3160)
      • avast_free_antivirus_setup_online.exe (PID: 1868)
      • instup.exe (PID: 3640)
      • instup.exe (PID: 2612)
      • SetupInf.exe (PID: 2668)
      • SetupInf.exe (PID: 3904)
      • SetupInf.exe (PID: 5540)
      • SetupInf.exe (PID: 5216)
      • AvEmUpdate.exe (PID: 1728)
      • SetupInf.exe (PID: 4344)
      • SetupInf.exe (PID: 4640)
      • AvEmUpdate.exe (PID: 3532)
      • AvEmUpdate.exe (PID: 4884)
      • AvEmUpdate.exe (PID: 276)

    • Creates files in the Windows directory

      • SFileI.exe (PID: 3184)
      • cookie_mmm_irs_ppi_005_888_a.exe (PID: 2132)
      • SAntivirusService.exe (PID: 2344)
      • csc.exe (PID: 4024)
      • avast_free_antivirus_setup_online.exe (PID: 1868)
      • instup.exe (PID: 3640)
      • instup.exe (PID: 2612)
      • setup.exe (PID: 1952)

    • Removes files from Windows directory

      • csc.exe (PID: 4024)
      • SAntivirusService.exe (PID: 2344)
      • instup.exe (PID: 3640)
      • instup.exe (PID: 2612)

    • Reads the time zone

      • SAntivirusService.exe (PID: 2344)

    • Creates or modifies windows services

      • instup.exe (PID: 3640)
      • instup.exe (PID: 2612)

    • Changes default file association

      • setup.exe (PID: 3124)
      • instup.exe (PID: 2612)

    • Creates files in the driver directory

      • instup.exe (PID: 2612)

  • INFO

    • Checks supported languages

      • chrome.exe (PID: 2888)
      • chrome.exe (PID: 3324)
      • chrome.exe (PID: 3532)
      • chrome.exe (PID: 3632)
      • chrome.exe (PID: 4032)
      • chrome.exe (PID: 3996)
      • chrome.exe (PID: 2244)
      • chrome.exe (PID: 3036)
      • chrome.exe (PID: 3784)
      • chrome.exe (PID: 4092)
      • chrome.exe (PID: 2608)
      • chrome.exe (PID: 1128)
      • chrome.exe (PID: 2544)
      • chrome.exe (PID: 2360)
      • chrome.exe (PID: 3088)
      • chrome.exe (PID: 2988)
      • chrome.exe (PID: 3892)
      • sc.exe (PID: 2876)
      • find.exe (PID: 2952)
      • sc.exe (PID: 1816)
      • find.exe (PID: 1836)
      • chrome.exe (PID: 3184)
      • chrome.exe (PID: 4048)
      • timeout.exe (PID: 1824)
      • chrome.exe (PID: 1564)
      • chrome.exe (PID: 2576)
      • sc.exe (PID: 1636)
      • regsvr32.exe (PID: 188)
      • sc.exe (PID: 4008)
      • sc.exe (PID: 1376)
      • chrome.exe (PID: 2640)
      • regsvr32.exe (PID: 3492)
      • sc.exe (PID: 148)
      • regsvr32.exe (PID: 1452)
      • chrome.exe (PID: 3528)
      • timeout.exe (PID: 3716)
      • timeout.exe (PID: 3444)
      • timeout.exe (PID: 2892)
      • regsvr32.exe (PID: 1908)
      • timeout.exe (PID: 2844)
      • regsvr32.exe (PID: 2424)
      • sc.exe (PID: 3456)
      • timeout.exe (PID: 1292)
      • timeout.exe (PID: 3028)
      • timeout.exe (PID: 2276)
      • timeout.exe (PID: 5248)
      • regsvr32.exe (PID: 4000)

    • Reads the computer name

      • chrome.exe (PID: 2888)
      • chrome.exe (PID: 3632)
      • chrome.exe (PID: 3532)
      • chrome.exe (PID: 3996)
      • chrome.exe (PID: 2244)
      • chrome.exe (PID: 3892)
      • sc.exe (PID: 2876)
      • sc.exe (PID: 1816)
      • chrome.exe (PID: 3184)
      • chrome.exe (PID: 4048)
      • chrome.exe (PID: 1564)
      • sc.exe (PID: 1636)
      • sc.exe (PID: 4008)
      • sc.exe (PID: 1376)
      • sc.exe (PID: 148)
      • regsvr32.exe (PID: 3492)
      • regsvr32.exe (PID: 1452)
      • sc.exe (PID: 3456)
      • regsvr32.exe (PID: 1908)
      • regsvr32.exe (PID: 4000)

    • Reads the hosts file

      • chrome.exe (PID: 2888)
      • chrome.exe (PID: 3632)
      • instup.exe (PID: 3640)
      • SAntivirusIC.exe (PID: 3108)
      • instup.exe (PID: 2612)
      • AVGBrowser.exe (PID: 880)
      • AVGBrowser.exe (PID: 1580)
      • AVGBrowser.exe (PID: 4892)
      • AVGBrowser.exe (PID: 4504)

    • Application launched itself

      • chrome.exe (PID: 2888)

    • Reads settings of System Certificates

      • chrome.exe (PID: 3632)
      • chrome.exe (PID: 2888)
      • iclickmacapp_3671.exe (PID: 304)
      • BrowniBox.tmp (PID: 3880)
      • saBSI.exe (PID: 2828)
      • avg_secure_browser_setup.exe (PID: 2292)
      • AVGBrowserUpdate.exe (PID: 3104)
      • AVGBrowserUpdate.exe (PID: 2872)
      • installer.exe (PID: 3588)
      • pcapd.exe (PID: 3652)
      • Essence.tmp (PID: 4040)
      • Essence.tmp (PID: 756)
      • tbar.tmp (PID: 1580)
      • ServiceHost.exe (PID: 3724)
      • UIHost.exe (PID: 828)
      • RestMinder.exe (PID: 2272)
      • updater.exe (PID: 304)
      • RestMinder.exe (PID: 1284)
      • SFileI.exe (PID: 3184)
      • RestMinder.exe (PID: 4080)
      • SAntivirusService.exe (PID: 2344)
      • avast_free_antivirus_setup_online.exe (PID: 1868)
      • RestMinder.exe (PID: 3632)
      • instup.exe (PID: 3640)
      • SAntivirusIC.exe (PID: 3108)
      • instup.exe (PID: 2612)
      • AVGBrowser.exe (PID: 880)
      • AVGBrowser.exe (PID: 4892)
      • RestMinder.exe (PID: 1564)
      • ServiceHost.exe (PID: 4564)
      • UIHost.exe (PID: 5052)
      • updater.exe (PID: 4284)
      • AvEmUpdate.exe (PID: 3532)
      • AvEmUpdate.exe (PID: 276)
      • AvEmUpdate.exe (PID: 4884)

    • Checks Windows Trust Settings

      • chrome.exe (PID: 2888)
      • iclickmacapp_3671.exe (PID: 304)
      • BrowniBox.tmp (PID: 3880)
      • saBSI.exe (PID: 2828)
      • avg_secure_browser_setup.exe (PID: 2292)
      • installer.exe (PID: 3588)
      • pcapd.exe (PID: 3652)
      • Essence.tmp (PID: 4040)
      • Essence.tmp (PID: 756)
      • ServiceHost.exe (PID: 3724)
      • UIHost.exe (PID: 828)
      • RestMinder.exe (PID: 2272)
      • updater.exe (PID: 304)
      • RestMinder.exe (PID: 1284)
      • SFileI.exe (PID: 3184)
      • RestMinder.exe (PID: 4080)
      • SAntivirusService.exe (PID: 2344)
      • RestMinder.exe (PID: 3632)
      • SAntivirusIC.exe (PID: 3108)
      • RestMinder.exe (PID: 1564)
      • UIHost.exe (PID: 5052)
      • ServiceHost.exe (PID: 4564)
      • updater.exe (PID: 4284)

    • Reads the date of Windows installation

      • chrome.exe (PID: 4048)

    • Dropped object may contain Bitcoin addresses

      • installer.exe (PID: 3356)
      • AVGBrowser.exe (PID: 880)
      • instup.exe (PID: 2612)

    • Creates a software uninstall entry

      • tbar.tmp (PID: 1580)

    • Application was dropped or rewritten from another process

      • tbar.tmp (PID: 1580)

    • Manual execution by user

      • RestMinder.exe (PID: 1284)
      • RestMinder.exe (PID: 4080)
      • RestMinder.exe (PID: 3632)
      • AVGBrowser.exe (PID: 4892)
      • RestMinder.exe (PID: 1564)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
265
Monitored processes
183
Malicious processes
51
Suspicious processes
31

Behavior graph

Click at the process to see the details
drop and start start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start download and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start chrome.exe chrome.exe no specs chrome.exe no specs chrome.exe chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs iclickmacapp_3671.exe no specs iclickmacapp_3671.exe cmd.exe no specs sc.exe no specs find.exe no specs cmd.exe no specs sc.exe no specs find.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs brownibox.tmp chrome.exe no specs chrome.exe no specs cmd.exe no specs timeout.exe no specs cmd.exe no specs sabsi.exe chrome.exe no specs avg_secure_browser_setup.exe avgbrowserupdatesetup.exe avgbrowserupdate.exe avgbrowserupdate.exe no specs avgbrowserupdate.exe no specs avgbrowserupdate.exe avgbrowserupdate.exe no specs avgbrowserupdate.exe chrome.exe no specs installer.exe installer.exe cmd.exe no specs cmd.exe no specs cmd.exe no specs rfilestpr2.tmp sc.exe no specs regsvr32.exe no specs sc.exe no specs sc.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs pcapd.exe profitsymb.tmp no specs unsecapp.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs essence.tmp cmd.exe no specs cmd.exe no specs cmd.exe no specs essence.tmp chrome.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs tbar.exe tbar.tmp regsvr32.exe no specs sc.exe no specs servicehost.exe uihost.exe no specs regsvr32.exe no specs restminder.exe chrome.exe no specs updater.exe trouqrinspeedup.exe submention.tmp restminder.exe no specs kruspeedup.exe cmd.exe no specs cmd.exe no specs timeout.exe no specs timeout.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs sfilei.exe cmd.exe no specs cmd.exe no specs timeout.exe no specs cmd.exe no specs restminder.exe no specs kruspeedupupdater.exe cookie_mmm_irs_ppi_005_888_a.exe santivirusservice.exe santivirusic.exe sc.exe no specs regsvr32.exe no specs csc.exe cmd.exe no specs regsvr32.exe no specs cmd.exe no specs cmd.exe no specs timeout.exe no specs timeout.exe no specs cvtres.exe no specs cmd.exe no specs cmd.exe no specs timeout.exe no specs timeout.exe no specs restminder.exe no specs cmd.exe no specs avast_free_antivirus_setup_online.exe instup.exe cmd.exe no specs cmd.exe no specs cmd.exe no specs instup.exe avgbrowserinstaller.exe setup.exe setup.exe no specs sbr.exe no specs avgbrowsercrashhandler.exe no specs avgbrowser.exe avgbrowser.exe no specs avgbrowser.exe avgbrowser.exe no specs avgbrowser.exe no specs elevation_service.exe no specs avgbrowser.exe no specs avgbrowser.exe no specs avgbrowser.exe no specs avgbrowser.exe no specs avgbrowser.exe no specs avgbrowser.exe no specs avgbrowser.exe no specs avgbrowser.exe no specs elevation_service.exe no specs chrmstp.exe chrmstp.exe no specs avgbrowser.exe no specs avgbrowser.exe no specs avgbrowser.exe no specs avgbrowser.exe avgbrowser.exe no specs elevation_service.exe no specs avgbrowser.exe no specs cmd.exe no specs timeout.exe no specs restminder.exe no specs servicehost.exe no specs uihost.exe no specs regsvr32.exe no specs cmd.exe no specs cmd.exe no specs santivirusclient.exe no specs presentationfontcache.exe no specs csc.exe cvtres.exe no specs updater.exe cmd.exe no specs cmd.exe no specs avgbrowser.exe no specs setupinf.exe no specs setupinf.exe no specs setupinf.exe no specs setupinf.exe no specs setupinf.exe no specs setupinf.exe no specs avemupdate.exe no specs avemupdate.exe avemupdate.exe avemupdate.exe avbugreport.exe no specs avbugreport.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
148sc.exe start "McAfee WebAdvisor"C:\Windows\system32\sc.exeinstaller.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
A tool to aid in developing services for WindowsNT
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\sc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\rpcrt4.dll
188regsvr32.exe /s "C:\Program Files\McAfee\WebAdvisor\win32\WSSDep.dll"C:\Windows\system32\regsvr32.exeinstaller.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Microsoft(C) Register Server
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\regsvr32.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\user32.dll
c:\windows\system32\sfc.dll
c:\windows\system32\rpcrt4.dll
272"C:\Users\admin\AppData\Local\Temp\4KTYbIoO\partners\RFileStpr2.tmp" /q=1351863091 /n="iclickmacapp Download Manager" /i="C:\Users\admin\AppData\Local\partner.bmp" C:\Users\admin\AppData\Local\Temp\4KTYbIoO\partners\RFileStpr2.tmp
cmd.exe
User:
admin
Company:
Universal Echo Pipe
Integrity Level:
HIGH
Description:
Universal Echo Pipe
Exit code:
0
Version:
3.0.0.1
Modules
Images
c:\users\admin\appdata\local\temp\4ktybioo\partners\rfilestpr2.tmp
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\lpk.dll
c:\windows\system32\user32.dll
276AvEmUpdate.exe /installer1 /emupdater /applydll "C:\Program Files\Avast Software\Avast\Setup\b56cba4e-41e6-4313-aea8-3b7ef84e95a7.dll"C:\Program Files\Avast Software\Avast\AvEmUpdate.exe
AvEmUpdate.exe
User:
admin
Company:
AVAST Software
Integrity Level:
HIGH
Description:
Avast Emergency Update
Exit code:
0
Version:
21.8.6586.0
Modules
Images
c:\program files\avast software\avast\avemupdate.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\webio.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\winhttp.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\rpcrt4.dll
304"C:\Users\admin\Downloads\iclickmacapp_3671.exe" -namk 1QOhfqsx8MGAAdBsYy+zmIkcYBkmgUvSUkNkypGdC/Pqqgnwte5uq2XlI/egA8Ulwm8waEwKc3KsIWdxZqexsyy+V2pReBw11/sMMI3khRWyoDqSO+tXTxyLp6t5c3huxC3pkJaLjlXsLNXyoBMDcDcHIK78d39jI7M/lkQCHoMD8o2SYtA0o7VDdCdmOmyKC:\Users\admin\Downloads\iclickmacapp_3671.exe
iclickmacapp_3671.exe
User:
admin
Company:
Brown Box
Integrity Level:
HIGH
Description:
Brown Box App
Exit code:
0
Version:
1.0.0.4
Modules
Images
c:\users\admin\downloads\iclickmacapp_3671.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\msimg32.dll
304"C:\Program Files\McAfee\WebAdvisor\updater.exe" C:\Program Files\McAfee\WebAdvisor\updater.exe
ServiceHost.exe
User:
SYSTEM
Company:
McAfee, LLC
Integrity Level:
SYSTEM
Description:
McAfee WebAdvisor
Exit code:
0
Version:
4,1,1,627
Modules
Images
c:\program files\mcafee\webadvisor\updater.exe
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ntdll.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
540"C:\Program Files\AVG\Browser\Update\AVGBrowserUpdate.exe" /regsvcC:\Program Files\AVG\Browser\Update\AVGBrowserUpdate.exeAVGBrowserUpdate.exe
User:
admin
Company:
AVG Technologies
Integrity Level:
HIGH
Description:
AVG Browser
Exit code:
0
Version:
1.8.1188.1
Modules
Images
c:\windows\system32\ntdll.dll
c:\program files\avg\browser\update\avgbrowserupdate.exe
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shell32.dll
c:\windows\system32\lpk.dll
756"C:\Users\admin\AppData\Local\Temp\4KTYbIoO\Essence.tmp" ":aLLqy+!a25E^3(jv>Fqw2bhIRE7>tUT@t4)WI0=_q3S+`Z^`e[p7Er<!@Bh_D9`Doj-godhUI7RY,^od0ZYvdAWR7]hU71;u\nm" C:\Users\admin\AppData\Local\Temp\4KTYbIoO\Essence.tmp
cmd.exe
User:
admin
Company:
Essence reflect
Integrity Level:
HIGH
Description:
Essence
Exit code:
1
Version:
2.0.1.7
Modules
Images
c:\users\admin\appdata\local\temp\4ktybioo\essence.tmp
c:\windows\system32\kernel32.dll
c:\windows\system32\ntdll.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\usp10.dll
c:\windows\system32\lpk.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shell32.dll
828"C:\Program Files\McAfee\WebAdvisor\UIHost.exe" C:\Program Files\McAfee\WebAdvisor\UIHost.exeServiceHost.exe
User:
admin
Company:
McAfee, LLC
Integrity Level:
MEDIUM
Description:
McAfee WebAdvisor
Exit code:
0
Version:
4,1,1,627
Modules
Images
c:\program files\mcafee\webadvisor\uihost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\usp10.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\rpcrt4.dll
880"C:\Program Files\AVG\Browser\Application\AVGBrowser.exe" --heartbeat --install --create-profile C:\Program Files\AVG\Browser\Application\AVGBrowser.exe
avg_secure_browser_setup.exe
User:
admin
Company:
AVG Technologies
Integrity Level:
HIGH
Description:
AVG Secure Browser
Exit code:
0
Version:
93.0.12112.84
Modules
Images
c:\program files\avg\browser\application\avgbrowser.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\avg\browser\application\93.0.12112.84\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
Total events
243 428
Read events
231 785
Write events
11 566
Delete events
77

Modification events

(PID) Process:(2888) chrome.exeKey:HKEY_CURRENT_USER\Software\Google\Chrome\BLBeacon
Operation:writeName:failed_count
Value:
0
(PID) Process:(2888) chrome.exeKey:HKEY_CURRENT_USER\Software\Google\Chrome\BLBeacon
Operation:writeName:state
Value:
2
(PID) Process:(2888) chrome.exeKey:HKEY_CURRENT_USER\Software\Google\Chrome\ThirdParty
Operation:writeName:StatusCodes
Value:
(PID) Process:(2888) chrome.exeKey:HKEY_CURRENT_USER\Software\Google\Chrome\ThirdParty
Operation:writeName:StatusCodes
Value:
01000000
(PID) Process:(2888) chrome.exeKey:HKEY_CURRENT_USER\Software\Google\Chrome\BLBeacon
Operation:writeName:state
Value:
1
(PID) Process:(2888) chrome.exeKey:HKEY_CURRENT_USER\Software\Google\Update\ClientState\{8A69D345-D564-463c-AFF1-A69D9E530F96}
Operation:writeName:dr
Value:
1
(PID) Process:(2888) chrome.exeKey:HKEY_CURRENT_USER\Software\Google\Chrome
Operation:writeName:UsageStatsInSample
Value:
0
(PID) Process:(2888) chrome.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Google\Update\ClientStateMedium\{8A69D345-D564-463C-AFF1-A69D9E530F96}
Operation:writeName:usagestats
Value:
0
(PID) Process:(2888) chrome.exeKey:HKEY_CURRENT_USER\Software\Google\Update\ClientState\{8A69D345-D564-463c-AFF1-A69D9E530F96}
Operation:writeName:metricsid
Value:
(PID) Process:(2888) chrome.exeKey:HKEY_CURRENT_USER\Software\Google\Update\ClientState\{8A69D345-D564-463c-AFF1-A69D9E530F96}
Operation:writeName:metricsid_installdate
Value:
0
Executable files
837
Suspicious files
953
Text files
4 174
Unknown types
257

Dropped files

PID
Process
Filename
Type
2888chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\BrowserMetrics\BrowserMetrics-615E69DE-B48.pma
MD5:
SHA256:
2888chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\c2c19035-00fa-42bb-94f9-274890d6277d.tmptext
MD5:
SHA256:
2888chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Preferencestext
MD5:
SHA256:
2888chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Last Versiontext
MD5:00046F773EFDD3C8F8F6D0F87A2B93DC
SHA256:593EDE11D17AF7F016828068BCA2E93CF240417563FB06DC8A579110AEF81731
3324chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\CrashpadMetrics.pmabinary
MD5:03C4F648043A88675A920425D824E1B3
SHA256:F91DBB7C64B4582F529C968C480D2DCE1C8727390482F31E4355A27BB3D9B450
2888chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\LOG.oldtext
MD5:5BD3C311F2136A7A88D3E197E55CF902
SHA256:FA331915E1797E59979A3E4BCC2BD0D3DEAA039B94D4DB992BE251FD02A224B9
2888chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\LOG.oldtext
MD5:7721CDA9F5B73CE8A135471EB53B4E0E
SHA256:DD730C576766A46FFC84E682123248ECE1FF1887EC0ACAB22A5CE93A450F4500
2888chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Session Storage\000001.dbtmptext
MD5:46295CAC801E5D4857D09837238A6394
SHA256:0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
2888chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Session Storage\MANIFEST-000001binary
MD5:5AF87DFD673BA2115E2FCF5CFDB727AB
SHA256:F9D31B278E215EB0D0E9CD709EDFA037E828F36214AB7906F612160FEAD4B2B4
2888chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\LOG.oldtext
MD5:8FF312A95D60ED89857FEB720D80D4E1
SHA256:946A57FAFDD28C3164D5AB8AB4971B21BD5EC5BFFF7554DBF832CB58CC37700B
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
121
TCP/UDP connections
596
DNS requests
183
Threats
2

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
HEAD
200
34.104.35.123:80
http://edgedl.me.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvODZmQUFYS2VOaGowdjdSeVBvWFBSTDIxdw/1.0.0.9_llkgjffcdpffmhiakmfcdcblohccpfmo.crx
US
whitelisted
304
iclickmacapp_3671.exe
GET
200
95.101.89.75:80
http://r3.o.lencr.org/MFMwUTBPME0wSzAJBgUrDgMCGgUABBRI2smg%2ByvTLU%2Fw3mjS9We3NfmzxAQUFC6zF7dYVsuuUAlA5h%2BvnYsUwsYCEgNwl4cqAQEUFBbCTK4a3087AA%3D%3D
unknown
der
503 b
shared
3880
BrowniBox.tmp
GET
200
93.184.220.29:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEAo3h2ReX7SMIk79G%2B0UDDw%3D
US
der
1.47 Kb
whitelisted
3880
BrowniBox.tmp
GET
200
95.101.89.75:80
http://r3.o.lencr.org/MFMwUTBPME0wSzAJBgUrDgMCGgUABBRI2smg%2ByvTLU%2Fw3mjS9We3NfmzxAQUFC6zF7dYVsuuUAlA5h%2BvnYsUwsYCEgMBpPRfBh%2FqdWu3Q5flXjErvA%3D%3D
unknown
der
503 b
shared
GET
200
34.104.35.123:80
http://edgedl.me.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvODZmQUFYS2VOaGowdjdSeVBvWFBSTDIxdw/1.0.0.9_llkgjffcdpffmhiakmfcdcblohccpfmo.crx
US
crx
2.81 Kb
whitelisted
GET
206
34.104.35.123:80
http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adys6mm2sd23z36ns7e4hcs4hrqq_1.3.36.111/ihnlcenocehgdaegdmhbidjhnhdchfmm_1.3.36.111_win_ac5lwr5427en7czu7myxmee6c7xq.crx3
US
binary
7.36 Kb
whitelisted
3632
chrome.exe
GET
200
23.32.238.178:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?3db0d3907a3720ab
US
compressed
59.7 Kb
whitelisted
HEAD
200
34.104.35.123:80
http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adys6mm2sd23z36ns7e4hcs4hrqq_1.3.36.111/ihnlcenocehgdaegdmhbidjhnhdchfmm_1.3.36.111_win_ac5lwr5427en7czu7myxmee6c7xq.crx3
US
crx
2.81 Kb
whitelisted
2292
avg_secure_browser_setup.exe
GET
200
143.204.214.74:80
http://ocsp.sca1b.amazontrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQz9arGHWbnBV0DFzpNHz4YcTiFDQQUWaRmBlKge5WSPKOUByeWdFv5PdACEAKlYE7MaDod9XmFCSybWZg%3D
US
der
471 b
whitelisted
GET
206
34.104.35.123:80
http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adys6mm2sd23z36ns7e4hcs4hrqq_1.3.36.111/ihnlcenocehgdaegdmhbidjhnhdchfmm_1.3.36.111_win_ac5lwr5427en7czu7myxmee6c7xq.crx3
US
binary
9.69 Kb
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
3632
chrome.exe
142.250.186.109:443
accounts.google.com
Google Inc.
US
whitelisted
3632
chrome.exe
104.16.18.94:443
cdnjs.cloudflare.com
Cloudflare Inc
US
unknown
3632
chrome.exe
172.67.186.115:443
mega-share.pro
US
unknown
3632
chrome.exe
35.190.80.1:443
a.nel.cloudflare.com
Google Inc.
US
suspicious
3632
chrome.exe
23.32.238.178:80
ctldl.windowsupdate.com
XO Communications
US
suspicious
3632
chrome.exe
172.67.143.216:443
ichaunam.space
US
unknown
3632
chrome.exe
137.184.73.7:443
sharpfiledownload.com
The Procter and Gamble Company
US
unknown
3632
chrome.exe
142.250.185.227:443
ssl.gstatic.com
Google Inc.
US
whitelisted
3632
chrome.exe
172.217.23.106:443
fonts.googleapis.com
Google Inc.
US
whitelisted
3632
chrome.exe
104.26.6.149:443
yourjsdelivery.com
Cloudflare Inc
US
unknown

DNS requests

Domain
IP
Reputation
accounts.google.com
  • 142.250.186.109
  • 142.250.186.141
shared
mega-share.pro
  • 172.67.186.115
  • 104.21.1.13
malicious
clients2.google.com
  • 142.250.186.142
whitelisted
cdnjs.cloudflare.com
  • 104.16.18.94
  • 104.16.19.94
whitelisted
a.nel.cloudflare.com
  • 35.190.80.1
whitelisted
ctldl.windowsupdate.com
  • 23.32.238.178
  • 23.32.238.201
  • 209.197.3.8
whitelisted
ichaunam.space
  • 172.67.143.216
  • 104.21.95.84
malicious
sharpfiledownload.com
  • 137.184.73.7
unknown
ssl.gstatic.com
  • 142.250.185.227
whitelisted
yourjsdelivery.com
  • 104.26.6.149
  • 104.26.7.149
  • 172.67.73.213
malicious

Threats

PID
Process
Class
Message
2132
cookie_mmm_irs_ppi_005_888_a.exe
Potential Corporate Privacy Violation
ET POLICY PE EXE or DLL Windows file download HTTP
3532
AvEmUpdate.exe
Potential Corporate Privacy Violation
ET POLICY PE EXE or DLL Windows file download HTTP
Process
Message
saBSI.exe
NotComDllGetInterface: DLL not found in install location, looking in current directory
saBSI.exe
NotComDllGetInterface: C:\Users\admin\AppData\Local\Temp\saBSI.exe loading C:\Users\admin\AppData\Local\Temp\mfeaaca.dll, WinVerifyTrust failed with 80092003
saBSI.exe
NotComDllGetInterface: DLL not found in install location, looking in current directory
saBSI.exe
NotComDllGetInterface: C:\Users\admin\AppData\Local\Temp\saBSI.exe loading C:\Users\admin\AppData\Local\Temp\mfeaaca.dll, WinVerifyTrust failed with 80092003
saBSI.exe
NotComDllGetInterface: DLL not found in install location, looking in current directory
saBSI.exe
NotComDllGetInterface: C:\Users\admin\AppData\Local\Temp\saBSI.exe loading C:\Users\admin\AppData\Local\Temp\mfeaaca.dll, WinVerifyTrust failed with 80092003
installer.exe
NCPrivateLoadAndValidateMPTDll: Looking in current directory
installer.exe
NCPrivateLoadAndValidateMPTDll: Looking in EXE directory
installer.exe
NotComDllGetInterface: C:\Program Files\McAfee\Temp1297039107\installer.exe loading C:\Program Files\McAfee\Temp1297039107\mfeaaca.dll, WinVerifyTrust failed with 80092003
installer.exe
NCPrivateLoadAndValidateMPTDll: Looking in current directory
Interactive malware hunting service ANY.RUN
© 2017-2026 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
https://mega-share.pro/YlpNVDNfMjAyMC0wOC0yMSAxNzoyMDozMA==