URL: https://d3gfstam9ax956.cloudfront.net/vmN0TpQsh9GN.exe

Full analysis: https://app.any.run/tasks/fd62fba8-4e1b-4822-a1da-df78debdd977
Verdict: Malicious activity
Threats:

Adware is a form of malware that targets users with unwanted advertisements, often disrupting their browsing experience. It typically infiltrates systems through software bundling, malicious websites, or deceptive downloads. Once installed, it may track user activity, collect sensitive data, and display intrusive ads, including pop-ups or banners. Some advanced adware variants can bypass security measures and establish persistence on devices, making removal challenging. Additionally, adware can create vulnerabilities that other malware can exploit, posing a significant risk to user privacy and system security.

Analysis date: February 19, 2025, 08:01:13
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
innosetup
adware
arch-exec
arch-scr
delphi
inno
installer
stealer
evasion
loader
Indicators:
MD5: D9E43B1152923CB6F9897B3AE41B46B1
SHA1: FFFC539C9CDEF8C4785B2DF1AF6F7B254A2B870D
SHA256: D8A57E526C1CA47BC9E76F53D068AFA44DC5FCA87B6F0FECE69BC4BDEE8E66B0
SSDEEP: 3:N8OUEPHBl/0hV4HCn:2OKh5

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Executing a file with an untrusted certificate

      • xenus-link-sleuth_vNuzt-1.exe (PID: 4340)
      • xenus-link-sleuth_vNuzt-1.exe (PID: 2324)
      • wsc_proxy.exe (PID: 6632)
      • wsc_proxy.exe (PID: 7796)
    • INNOSETUP mutex has been found

      • xenus-link-sleuth_vNuzt-1.tmp (PID: 5112)
    • INNOSETUP has been detected (SURICATA)

      • xenus-link-sleuth_vNuzt-1.tmp (PID: 5112)
    • Actions looks like stealing of personal data

      • servicehost.exe (PID: 3488)
      • uihost.exe (PID: 8056)
    • Antivirus name has been found in the command line (generic signature)

      • AVGUI.exe (PID: 364)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • xenus-link-sleuth_vNuzt-1.exe (PID: 4340)
      • xenus-link-sleuth_vNuzt-1.exe (PID: 2324)
      • xenus-link-sleuth_vNuzt-1.tmp (PID: 5112)
      • avg_antivirus_free_setup.exe (PID: 6612)
      • avg_antivirus_free_online_setup.exe (PID: 6920)
      • icarus.exe (PID: 6716)
      • icarus.exe (PID: 2164)
      • saBSI.exe (PID: 6860)
      • Setup.exe (PID: 7892)
      • saBSI.exe (PID: 7700)
      • installer.exe (PID: 3820)
      • installer.exe (PID: 3864)
      • engsup.exe (PID: 8140)
      • AvEmUpdate.exe (PID: 2260)
      • icarus.exe (PID: 1856)
      • AVGSvc.exe (PID: 5720)
    • Reads security settings of Internet Explorer

      • xenus-link-sleuth_vNuzt-1.tmp (PID: 3188)
      • xenus-link-sleuth_vNuzt-1.tmp (PID: 5112)
      • saBSI.exe (PID: 6860)
      • Setup.exe (PID: 7892)
      • saBSI.exe (PID: 7700)
      • installer.exe (PID: 3864)
      • uihost.exe (PID: 8056)
      • AVGSvc.exe (PID: 5720)
    • Reads the Windows owner or organization settings

      • xenus-link-sleuth_vNuzt-1.tmp (PID: 5112)
    • Access to an unwanted program domain was detected

      • xenus-link-sleuth_vNuzt-1.tmp (PID: 5112)
    • Executes application which crashes

      • xenus-link-sleuth_vNuzt-1.tmp (PID: 5112)
    • Starts itself from another location

      • icarus.exe (PID: 6716)
    • Checks Windows Trust Settings

      • saBSI.exe (PID: 6860)
      • saBSI.exe (PID: 7700)
      • installer.exe (PID: 3864)
      • servicehost.exe (PID: 3488)
      • uihost.exe (PID: 8056)
      • updater.exe (PID: 8000)
      • AVGSvc.exe (PID: 5720)
    • Adds/modifies Windows certificates

      • saBSI.exe (PID: 6860)
      • servicehost.exe (PID: 3488)
      • AVGSvc.exe (PID: 5720)
    • There is functionality for taking screenshot (YARA)

      • avg_antivirus_free_setup.exe (PID: 6612)
    • Process drops legitimate windows executable

      • icarus.exe (PID: 2164)
      • installer.exe (PID: 3864)
    • The process creates files with name similar to system file names

      • icarus.exe (PID: 2164)
      • installer.exe (PID: 3864)
      • servicehost.exe (PID: 3488)
    • Start notepad (likely ransomware note)

      • Setup.exe (PID: 7892)
    • The process drops C-runtime libraries

      • icarus.exe (PID: 2164)
    • Creates a software uninstall entry

      • Setup.exe (PID: 7892)
      • installer.exe (PID: 3864)
      • servicehost.exe (PID: 3488)
      • icarus.exe (PID: 2164)
    • The process verifies whether the antivirus software is installed

      • installer.exe (PID: 3820)
      • saBSI.exe (PID: 7700)
      • uihost.exe (PID: 8056)
      • cmd.exe (PID: 7780)
      • installer.exe (PID: 3864)
      • servicehost.exe (PID: 3488)
      • updater.exe (PID: 8000)
      • engsup.exe (PID: 8140)
      • SetupInf.exe (PID: 7460)
      • SetupInf.exe (PID: 7592)
      • SetupInf.exe (PID: 1144)
      • SetupInf.exe (PID: 7048)
      • SetupInf.exe (PID: 7756)
      • SetupInf.exe (PID: 5200)
      • icarus.exe (PID: 1856)
      • cmd.exe (PID: 4244)
      • icarus.exe (PID: 2164)
    • Creates/Modifies COM task schedule object

      • installer.exe (PID: 3864)
      • icarus.exe (PID: 2164)
      • RegSvr.exe (PID: 3900)
      • RegSvr.exe (PID: 6880)
    • Drops a system driver (possible attempt to evade defenses)

      • icarus.exe (PID: 2164)
      • engsup.exe (PID: 8140)
    • Executes as Windows Service

      • servicehost.exe (PID: 3488)
      • wsc_proxy.exe (PID: 7796)
      • afwServ.exe (PID: 5592)
      • AVGSvc.exe (PID: 5720)
      • avgToolsSvc.exe (PID: 7888)
      • aswidsagent.exe (PID: 8484)
    • Reads Mozilla Firefox installation path

      • servicehost.exe (PID: 3488)
      • uihost.exe (PID: 8056)
    • Starts CMD.EXE for commands execution

      • updater.exe (PID: 8000)
    • Searches for installed software

      • updater.exe (PID: 8000)
    • Creates or modifies Windows services

      • icarus.exe (PID: 2164)
    • Creates files in the driver directory

      • engsup.exe (PID: 8140)
    • Checks for external IP

      • AvEmUpdate.exe (PID: 2260)
      • avgToolsSvc.exe (PID: 7888)
      • AVGSvc.exe (PID: 5720)
    • Process requests binary or script from the Internet

      • AVGSvc.exe (PID: 5720)
    • Reads the date of Windows installation

      • aswidsagent.exe (PID: 8484)
    • Checks for Java to be installed

      • AVGSvc.exe (PID: 5720)
    • Read startup parameters

      • aswidsagent.exe (PID: 8484)
  • INFO

    • Reads the computer name

      • identity_helper.exe (PID: 6512)
      • xenus-link-sleuth_vNuzt-1.tmp (PID: 3188)
      • xenus-link-sleuth_vNuzt-1.tmp (PID: 5112)
      • saBSI.exe (PID: 6860)
      • avg_antivirus_free_setup.exe (PID: 6612)
      • icarus.exe (PID: 6716)
      • avg_antivirus_free_online_setup.exe (PID: 6920)
      • icarus.exe (PID: 2164)
      • icarus.exe (PID: 1856)
      • saBSI.exe (PID: 7700)
      • Xenu.exe (PID: 8112)
      • Setup.exe (PID: 7892)
      • installer.exe (PID: 3864)
      • servicehost.exe (PID: 3488)
      • uihost.exe (PID: 8056)
      • updater.exe (PID: 8000)
      • engsup.exe (PID: 8140)
      • SetupInf.exe (PID: 7460)
      • SetupInf.exe (PID: 7592)
      • SetupInf.exe (PID: 1144)
      • SetupInf.exe (PID: 7048)
      • SetupInf.exe (PID: 7756)
      • SetupInf.exe (PID: 5200)
      • AvEmUpdate.exe (PID: 4076)
      • AvEmUpdate.exe (PID: 2260)
      • RegSvr.exe (PID: 3900)
      • RegSvr.exe (PID: 6880)
      • wsc_proxy.exe (PID: 7796)
      • afwServ.exe (PID: 5592)
      • SetupInf.exe (PID: 7752)
      • wsc_proxy.exe (PID: 6632)
      • AVGSvc.exe (PID: 5720)
      • avgToolsSvc.exe (PID: 7888)
      • aswidsagent.exe (PID: 8484)
      • icarus.exe (PID: 8776)
      • icarus.exe (PID: 7768)
    • Executable content was dropped or overwritten

      • msedge.exe (PID: 4540)
      • msedge.exe (PID: 6248)
      • WinRAR.exe (PID: 4520)
      • msedge.exe (PID: 5764)
    • Checks supported languages

      • identity_helper.exe (PID: 6512)
      • xenus-link-sleuth_vNuzt-1.tmp (PID: 3188)
      • xenus-link-sleuth_vNuzt-1.exe (PID: 4340)
      • xenus-link-sleuth_vNuzt-1.tmp (PID: 5112)
      • xenus-link-sleuth_vNuzt-1.exe (PID: 2324)
      • avg_antivirus_free_setup.exe (PID: 6612)
      • avg_antivirus_free_online_setup.exe (PID: 6920)
      • saBSI.exe (PID: 6860)
      • icarus.exe (PID: 6716)
      • icarus.exe (PID: 1856)
      • icarus.exe (PID: 2164)
      • saBSI.exe (PID: 7700)
      • Xenu.exe (PID: 8112)
      • Setup.exe (PID: 7892)
      • installer.exe (PID: 3820)
      • installer.exe (PID: 3864)
      • servicehost.exe (PID: 3488)
      • uihost.exe (PID: 8056)
      • updater.exe (PID: 8000)
      • SetupInf.exe (PID: 7460)
      • engsup.exe (PID: 8140)
      • SetupInf.exe (PID: 7592)
      • SetupInf.exe (PID: 7048)
      • SetupInf.exe (PID: 7756)
      • SetupInf.exe (PID: 1144)
      • SetupInf.exe (PID: 5200)
      • AvEmUpdate.exe (PID: 4076)
      • AvEmUpdate.exe (PID: 2260)
      • RegSvr.exe (PID: 3900)
      • RegSvr.exe (PID: 6880)
      • afwServ.exe (PID: 5592)
      • wsc_proxy.exe (PID: 7796)
      • SetupInf.exe (PID: 7752)
      • wsc_proxy.exe (PID: 6632)
      • AVGSvc.exe (PID: 5720)
      • avgToolsSvc.exe (PID: 7888)
      • aswidsagent.exe (PID: 8484)
      • aswEngSrv.exe (PID: 5432)
      • icarus.exe (PID: 8776)
      • overseer.exe (PID: 8364)
      • icarus.exe (PID: 7768)
      • AVGUI.exe (PID: 364)
    • Reads Environment values

      • identity_helper.exe (PID: 6512)
      • icarus.exe (PID: 2164)
      • AvEmUpdate.exe (PID: 2260)
      • AvEmUpdate.exe (PID: 4076)
      • afwServ.exe (PID: 5592)
      • AVGSvc.exe (PID: 5720)
      • avgToolsSvc.exe (PID: 7888)
      • aswidsagent.exe (PID: 8484)
    • Create files in a temporary directory

      • xenus-link-sleuth_vNuzt-1.exe (PID: 4340)
      • xenus-link-sleuth_vNuzt-1.exe (PID: 2324)
      • xenus-link-sleuth_vNuzt-1.tmp (PID: 5112)
      • avg_antivirus_free_online_setup.exe (PID: 6920)
      • Setup.exe (PID: 7892)
      • saBSI.exe (PID: 7700)
      • installer.exe (PID: 3864)
    • Process checks computer location settings

      • xenus-link-sleuth_vNuzt-1.tmp (PID: 3188)
      • xenus-link-sleuth_vNuzt-1.tmp (PID: 5112)
      • Setup.exe (PID: 7892)
      • servicehost.exe (PID: 3488)
    • Reads the machine GUID from the registry

      • xenus-link-sleuth_vNuzt-1.tmp (PID: 5112)
      • avg_antivirus_free_setup.exe (PID: 6612)
      • icarus.exe (PID: 6716)
      • avg_antivirus_free_online_setup.exe (PID: 6920)
      • icarus.exe (PID: 1856)
      • icarus.exe (PID: 2164)
      • saBSI.exe (PID: 6860)
      • saBSI.exe (PID: 7700)
      • servicehost.exe (PID: 3488)
      • installer.exe (PID: 3864)
      • uihost.exe (PID: 8056)
      • updater.exe (PID: 8000)
      • wsc_proxy.exe (PID: 6632)
      • AVGSvc.exe (PID: 5720)
      • avgToolsSvc.exe (PID: 7888)
      • afwServ.exe (PID: 5592)
      • aswidsagent.exe (PID: 8484)
      • icarus.exe (PID: 8776)
    • Checks proxy server information

      • xenus-link-sleuth_vNuzt-1.tmp (PID: 5112)
      • avg_antivirus_free_online_setup.exe (PID: 6920)
      • WerFault.exe (PID: 6440)
      • WerFault.exe (PID: 7580)
      • saBSI.exe (PID: 6860)
      • saBSI.exe (PID: 7700)
      • AvEmUpdate.exe (PID: 4076)
      • AvEmUpdate.exe (PID: 2260)
      • AVGUI.exe (PID: 364)
    • Reads the software policy settings

      • xenus-link-sleuth_vNuzt-1.tmp (PID: 5112)
      • avg_antivirus_free_setup.exe (PID: 6612)
      • avg_antivirus_free_online_setup.exe (PID: 6920)
      • WerFault.exe (PID: 6440)
      • saBSI.exe (PID: 6860)
      • WerFault.exe (PID: 7580)
      • saBSI.exe (PID: 7700)
      • installer.exe (PID: 3864)
      • servicehost.exe (PID: 3488)
      • uihost.exe (PID: 8056)
      • updater.exe (PID: 8000)
      • AvEmUpdate.exe (PID: 2260)
      • AVGSvc.exe (PID: 5720)
    • The sample compiled with english language support

      • xenus-link-sleuth_vNuzt-1.tmp (PID: 5112)
      • avg_antivirus_free_setup.exe (PID: 6612)
      • avg_antivirus_free_online_setup.exe (PID: 6920)
      • icarus.exe (PID: 6716)
      • icarus.exe (PID: 2164)
      • saBSI.exe (PID: 6860)
      • Setup.exe (PID: 7892)
      • WinRAR.exe (PID: 4520)
      • installer.exe (PID: 3820)
      • installer.exe (PID: 3864)
      • icarus.exe (PID: 1856)
      • msedge.exe (PID: 5764)
      • engsup.exe (PID: 8140)
      • AvEmUpdate.exe (PID: 2260)
      • AVGSvc.exe (PID: 5720)
    • Application launched itself

      • msedge.exe (PID: 4540)
    • Detects InnoSetup installer (YARA)

      • xenus-link-sleuth_vNuzt-1.exe (PID: 4340)
      • xenus-link-sleuth_vNuzt-1.tmp (PID: 3188)
      • xenus-link-sleuth_vNuzt-1.exe (PID: 2324)
      • xenus-link-sleuth_vNuzt-1.tmp (PID: 5112)
    • Compiled with Borland Delphi (YARA)

      • xenus-link-sleuth_vNuzt-1.tmp (PID: 3188)
      • xenus-link-sleuth_vNuzt-1.exe (PID: 4340)
      • xenus-link-sleuth_vNuzt-1.tmp (PID: 5112)
      • xenus-link-sleuth_vNuzt-1.exe (PID: 2324)
    • Creates files in the program directory

      • saBSI.exe (PID: 6860)
      • avg_antivirus_free_online_setup.exe (PID: 6920)
      • icarus.exe (PID: 6716)
      • icarus.exe (PID: 2164)
      • Xenu.exe (PID: 8112)
      • Setup.exe (PID: 7892)
      • saBSI.exe (PID: 7700)
      • installer.exe (PID: 3820)
      • installer.exe (PID: 3864)
      • servicehost.exe (PID: 3488)
      • uihost.exe (PID: 8056)
      • icarus.exe (PID: 1856)
      • engsup.exe (PID: 8140)
    • Reads CPU info

      • icarus.exe (PID: 6716)
      • icarus.exe (PID: 1856)
      • icarus.exe (PID: 2164)
      • engsup.exe (PID: 8140)
      • SetupInf.exe (PID: 7460)
      • SetupInf.exe (PID: 7592)
      • SetupInf.exe (PID: 7048)
      • SetupInf.exe (PID: 1144)
      • SetupInf.exe (PID: 7756)
      • SetupInf.exe (PID: 5200)
      • AvEmUpdate.exe (PID: 4076)
      • AvEmUpdate.exe (PID: 2260)
      • RegSvr.exe (PID: 3900)
      • RegSvr.exe (PID: 6880)
      • SetupInf.exe (PID: 7752)
      • wsc_proxy.exe (PID: 6632)
      • wsc_proxy.exe (PID: 7796)
      • afwServ.exe (PID: 5592)
      • AVGSvc.exe (PID: 5720)
      • avgToolsSvc.exe (PID: 7888)
      • aswidsagent.exe (PID: 8484)
      • aswEngSrv.exe (PID: 5432)
      • icarus.exe (PID: 8776)
      • uihost.exe (PID: 8056)
      • icarus.exe (PID: 7768)
      • AVGUI.exe (PID: 364)
    • Creates files or folders in the user directory

      • WerFault.exe (PID: 6440)
      • WerFault.exe (PID: 7580)
    • The sample compiled with czech language support

      • icarus.exe (PID: 2164)
    • Reads security settings of Internet Explorer

      • notepad.exe (PID: 8152)
    • The sample compiled with russian language support

      • Setup.exe (PID: 7892)
    • Manual execution by a user

      • Setup.exe (PID: 7844)
      • Setup.exe (PID: 7892)
      • AVGUI.exe (PID: 364)
    • Reads product name

      • aswidsagent.exe (PID: 8484)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
All screenshots are available in the full report
Total processes: 254
Monitored processes: 112
Malicious processes: 25
Suspicious processes: 7

Behavior graph

start iexplore.exe no specs msedge.exe msedge.exe no specs msedge.exe no specs msedge.exe msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs identity_helper.exe no specs identity_helper.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs xenus-link-sleuth_vnuzt-1.exe xenus-link-sleuth_vnuzt-1.tmp no specs xenus-link-sleuth_vnuzt-1.exe THREAT xenus-link-sleuth_vnuzt-1.tmp sabsi.exe avg_antivirus_free_setup.exe avg_antivirus_free_online_setup.exe msedge.exe no specs msedge.exe no specs winrar.exe msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs werfault.exe icarus.exe icarus.exe icarus.exe werfault.exe sabsi.exe msedge.exe no specs setup.exe no specs setup.exe xenu.exe no specs notepad.exe no specs msedge.exe no specs msedge.exe no specs installer.exe installer.exe msedge.exe no specs msedge.exe no specs msedge.exe no specs servicehost.exe uihost.exe msedge.exe no specs updater.exe cmd.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe msedge.exe no specs msedge.exe no specs engsup.exe setupinf.exe no specs setupinf.exe no specs setupinf.exe no specs setupinf.exe no specs setupinf.exe no specs setupinf.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs avemupdate.exe no specs avemupdate.exe regsvr.exe no specs regsvr.exe no specs setupinf.exe no specs wsc_proxy.exe no specs wsc_proxy.exe no specs afwserv.exe no specs avgsvc.exe avgtoolssvc.exe aswengsrv.exe no specs aswidsagent.exe no specs unsecapp.exe no specs icarus.exe msedge.exe no specs icarus.exe overseer.exe wpr.exe no specs conhost.exe no specs avgui.exe no specs engsup.exe no specs

Process information

PID: 364
CMD: "C:\Program Files\AVG\Antivirus\AVGUI.exe" /silent_welcome
Path: C:\Program Files\AVG\Antivirus\AVGUI.exe
Parent process: explorer.exe
User: admin
Company: Gen Digital Inc.
Integrity Level: MEDIUM
Description: AVG Antivirus
Version: 25.1.9816.0
Modules
Images
c:\program files\avg\antivirus\avgui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\program files\avg\antivirus\aswhook.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\advapi32.dll
c:\program files\avg\antivirus\aavmrpch.dll
PID: 396
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=5748 --field-trial-handle=2372,i,3050534755657876791,4186607268687744000,262144 --variations-seed-version /prefetch:8
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User: admin
Company: Microsoft Corporation
Integrity Level: LOW
Description: Microsoft Edge
Exit code: 0
Version: 122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 1080
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --extension-process --renderer-sub-type=extension --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=29 --mojo-platform-channel-handle=6032 --field-trial-handle=2372,i,3050534755657876791,4186607268687744000,262144 --variations-seed-version /prefetch:2
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User: admin
Company: Microsoft Corporation
Integrity Level: LOW
Description: Microsoft Edge
Exit code: 0
Version: 122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 1144
CMD: "C:\Program Files\AVG\Antivirus\SetupInf.exe" /uninstall /catalog:avgRdr2.cat
Path: C:\Program Files\AVG\Antivirus\SetupInf.exe
Parent process: icarus.exe
User: admin
Company: Gen Digital Inc.
Integrity Level: HIGH
Description: AVG Antivirus Installer
Exit code: 0
Version: 25.1.9816.0
Modules
Images
c:\program files\avg\antivirus\setupinf.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
PID: 1292
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=28 --mojo-platform-channel-handle=7964 --field-trial-handle=2372,i,3050534755657876791,4186607268687744000,262144 --variations-seed-version /prefetch:1
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User: admin
Company: Microsoft Corporation
Integrity Level: LOW
Description: Microsoft Edge
Version: 122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 1344
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://en.download.it/?typ=1
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: xenus-link-sleuth_vNuzt-1.tmp
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Microsoft Edge
Exit code: 0
Version: 122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
PID: 1856
CMD: C:\WINDOWS\Temp\asw-f0b9b038-7195-4a07-ba0c-9c924136ec24\avg-av-vps\icarus.exe /silent /ws /psh:92pTuf4T6J1eaAdlZ2GKFvER3MVTzzHfhAHGTqVHICzhOlDRBGfjjyfJmo0Fi9KKDZAa9pGjucgI5c /cookie:mmm_irs_ppi_902_451_o /edat_dir:C:\WINDOWS\Temp\asw.c1626bfe4ae05ea0 /track-guid:c88ac0cd-1fcc-4925-8874-f2fa92b0eab5 /er_master:master_ep_50441183-d3e7-460b-b67e-4539558f88b5 /er_ui:ui_ep_4770aabb-4f22-4fac-880e-f3de41f9dcd3 /er_slave:avg-av-vps_slave_ep_6db353b0-160e-43b0-b3d8-52808bf4f1a7 /slave:avg-av-vps
Path: C:\Windows\Temp\asw-f0b9b038-7195-4a07-ba0c-9c924136ec24\avg-av-vps\icarus.exe
Parent process: icarus.exe
User: admin
Company: Gen Digital Inc.
Integrity Level: HIGH
Description: AVG Installer
Exit code: 0
Version: 25.2.8676.0
Modules
Images
c:\windows\temp\asw-f0b9b038-7195-4a07-ba0c-9c924136ec24\avg-av-vps\icarus.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shell32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\user32.dll
PID: 2164
CMD: C:\WINDOWS\Temp\asw-f0b9b038-7195-4a07-ba0c-9c924136ec24\avg-av\icarus.exe /silent /ws /psh:92pTuf4T6J1eaAdlZ2GKFvER3MVTzzHfhAHGTqVHICzhOlDRBGfjjyfJmo0Fi9KKDZAa9pGjucgI5c /cookie:mmm_irs_ppi_902_451_o /edat_dir:C:\WINDOWS\Temp\asw.c1626bfe4ae05ea0 /track-guid:c88ac0cd-1fcc-4925-8874-f2fa92b0eab5 /er_master:master_ep_50441183-d3e7-460b-b67e-4539558f88b5 /er_ui:ui_ep_4770aabb-4f22-4fac-880e-f3de41f9dcd3 /er_slave:avg-av_slave_ep_0faaa088-2e31-4cde-877f-820e87eaf1c0 /slave:avg-av
Path: C:\Windows\Temp\asw-f0b9b038-7195-4a07-ba0c-9c924136ec24\avg-av\icarus.exe
Parent process: icarus.exe
User: admin
Company: Gen Digital Inc.
Integrity Level: HIGH
Description: AVG Installer
Exit code: 0
Version: 25.1.8538.0
Modules
Images
c:\windows\temp\asw-f0b9b038-7195-4a07-ba0c-9c924136ec24\avg-av\icarus.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shell32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\winhttp.dll
c:\windows\system32\ucrtbase.dll
PID: 2260
CMD: "C:\Program Files\AVG\Antivirus\AvEmUpdate.exe" /installer
Path: C:\Program Files\AVG\Antivirus\AvEmUpdate.exe
Parent process: icarus.exe
User: admin
Company: Gen Digital Inc.
Integrity Level: HIGH
Description: AVG Emergency Update
Exit code: 0
Version: 25.1.9816.0
Modules
Images
c:\program files\avg\antivirus\avemupdate.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\winhttp.dll
c:\windows\system32\msvcrt.dll
PID: 2324
CMD: "C:\Users\admin\Downloads\xenus-link-sleuth_vNuzt-1.exe" /SPAWNWND=$602D2 /NOTIFYWND=$70292
Path: C:\Users\admin\Downloads\xenus-link-sleuth_vNuzt-1.exe
Parent process: xenus-link-sleuth_vNuzt-1.tmp
User: admin
Company:
Integrity Level: HIGH
Description:
Exit code: 3221226525
Version: 2.2.174.2916
Modules
Images
c:\users\admin\downloads\xenus-link-sleuth_vnuzt-1.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\comctl32.dll
Total events: 92 756
Read events: 91 228
Write events: 1 394
Delete events: 134

Modification events

(PID) Process: (4540) msedge.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\EdgeUpdate\ClientStateMedium\{56EB18F8-B008-4CBD-B6D2-8C97FE7E9062}\LastWasDefault
Operation: write
Name: S-1-5-21-1693682860-607145093-2874071422-1001
Value: A17E4772108D2F00

(PID) Process: (4540) msedge.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowProperties\328464
Operation: write
Name: WindowTabManagerFileMappingId
Value: {501A45DB-DFFF-4136-998E-72405EC41E8C}

(PID) Process: (4540) msedge.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowProperties\328464
Operation: write
Name: WindowTabManagerFileMappingId
Value: {85562714-895A-4B42-9734-75AFD840BBCB}

(PID) Process: (2972) iexplore.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation: write
Name: CachePrefix
Value:

(PID) Process: (2972) iexplore.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation: write
Name: CachePrefix
Value: Cookie:

(PID) Process: (2972) iexplore.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation: write
Name: CachePrefix
Value: Visited:

(PID) Process: (2972) iexplore.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main
Operation: write
Name: CompatibilityFlags
Value: 0

(PID) Process: (2972) iexplore.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones
Operation: write
Name: SecuritySafe
Value: 1

(PID) Process: (2972) iexplore.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main
Operation: write
Name: DisableFirstRunCustomize
Value: 1

(PID) Process: (4540) msedge.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\BLBeacon
Operation: write
Name: failed_count
Value: 0
Executable files: 689
Suspicious files: 2 139
Text files: 1 160
Unknown types: 0

Dropped files

PID | Process | Filename | Type

4540 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\PersistentOriginTrials\LOG.old~RF1367e5.TMP
MD5:
SHA256:

4540 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\PersistentOriginTrials\LOG.old
MD5:
SHA256:

4540 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\discounts_db\LOG.old~RF1367f4.TMP
MD5:
SHA256:

4540 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\discounts_db\LOG.old
MD5:
SHA256:

4540 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\EdgePushStorageWithConnectTokenAndKey\LOG.old~RF136804.TMP
MD5:
SHA256:

4540 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\EdgePushStorageWithConnectTokenAndKey\LOG.old
MD5:
SHA256:

4540 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\parcel_tracking_db\LOG.old~RF136814.TMP
MD5:
SHA256:

4540 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\parcel_tracking_db\LOG.old
MD5:
SHA256:

4540 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\commerce_subscription_db\LOG.old~RF136843.TMP
MD5:
SHA256:

4540 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\commerce_subscription_db\LOG.old
MD5:
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 171
TCP/UDP connections: 238
DNS requests: 359
Threats: 12

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation

2632 | svchost.exe | GET | 200 | 23.219.150.101:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted
2632 | svchost.exe | GET | 200 | 2.16.164.81:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
1176 | svchost.exe | GET | 200 | 2.23.77.188:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | whitelisted
5064 | SearchApp.exe | GET | 200 | 2.23.77.188:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D | unknown | whitelisted
4540 | msedge.exe | GET | 200 | 172.64.149.23:80 | http://ocsp.sectigo.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSdE3gf41WAic8Uh9lF92%2BIJqh5qwQUMuuSmv81lkgvKEBCcCA2kVwXheYCEGIdbQxSAZ47kHkVIIkhHAo%3D | unknown | whitelisted
4540 | msedge.exe | GET | 200 | 172.64.149.23:80 | http://ocsp.comodoca.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRTtU9uFqgVGHhJwXZyWCNXmVR5ngQUoBEKIz6W8Qfs4q8p74Klf9AwpLQCEEj8k7RgVZSNNqfJionWlBY%3D | unknown | whitelisted
644 | SIHClient.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown | whitelisted
644 | SIHClient.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl | unknown | whitelisted
5972 | backgroundTaskHost.exe | GET | 200 | 2.17.190.73:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAUZZSZEml49Gjh0j13P68w%3D | unknown | whitelisted
4540 | msedge.exe | GET | 200 | 172.64.149.23:80 | http://ocsp.sectigo.com/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBQVD%2BnGf79Hpedv3mhy6uKMVZkPCQQUDyrLIIcouOxvSK4rVKYpqhekzQwCEQCCtNg24bN77tEVheKOZnuJ | unknown | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
 | | 51.104.136.2:443 | | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:138 | | | | whitelisted
2632 | svchost.exe | 2.16.164.81:80 | crl.microsoft.com | Akamai International B.V. | NL | whitelisted
2632 | svchost.exe | 23.219.150.101:80 | www.microsoft.com | AKAMAI-AS | CL | whitelisted
4712 | MoUsoCoreWorker.exe | 51.104.136.2:443 | | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4540 | msedge.exe | 239.255.255.250:1900 | | | | whitelisted
6248 | msedge.exe | 13.107.42.16:443 | config.edge.skype.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
6248 | msedge.exe | 13.107.246.45:443 | edge-mobile-static.azureedge.net | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
6248 | msedge.exe | 13.107.21.239:443 | edge.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
6248 | msedge.exe | 142.250.186.131:443 | update.googleapis.com | GOOGLE | US | whitelisted

DNS requests

Domain | IP | Reputation
crl.microsoft.com | 2.16.164.81, 2.16.164.9, 2.16.164.120, 2.16.164.51, 2.16.164.24, 2.16.164.18, 23.48.23.147, 23.48.23.164, 23.48.23.145, 23.48.23.143, 23.48.23.166, 23.48.23.194, 23.48.23.156, 23.48.23.177 | whitelisted
www.microsoft.com | 23.219.150.101, 95.101.149.131, 23.35.229.160 | whitelisted
google.com | 216.58.206.46 | whitelisted
d3gfstam9ax956.cloudfront.net | 52.222.206.2, 52.222.206.49, 52.222.206.180, 52.222.206.53 | whitelisted
config.edge.skype.com | 13.107.42.16 | whitelisted
edge.microsoft.com | 13.107.21.239, 204.79.197.239 | whitelisted
edge-mobile-static.azureedge.net | 13.107.246.45 | whitelisted
business.bing.com | 13.107.6.158 | whitelisted
bzib.nelreports.net | 2.16.100.161, 88.221.110.80, 2.22.242.105, 2.22.242.11 | whitelisted
update.googleapis.com | 142.250.186.131 | whitelisted

Threats

PID | Process | Class | Message
5112 | xenus-link-sleuth_vNuzt-1.tmp | Possibly Unwanted Program Detected | ADWARE [ANY.RUN] InnoSetup Installer
2192 | svchost.exe | Misc activity | ET INFO External IP Lookup Service in DNS Query (ip-info .ff .avast .com)
2192 | svchost.exe | Misc activity | ET INFO External IP Lookup Service in DNS Query (ip-info .ff .avast .com)
2192 | svchost.exe | Misc activity | ET INFO External IP Lookup Service in DNS Query (ip-info .ff .avast .com)
2260 | AvEmUpdate.exe | Misc activity | ET INFO Observed External IP Lookup Domain (ip-info .ff .avast .com) in TLS SNI
7888 | avgToolsSvc.exe | Misc activity | ET INFO Observed External IP Lookup Domain (ip-info .ff .avast .com) in TLS SNI
2192 | svchost.exe | Misc activity | ET INFO External IP Lookup Service in DNS Query (ip-info .ff .avast .com)
5720 | AVGSvc.exe | Misc activity | ET INFO External IP Lookup Service in DNS Query (ip-info .ff .avast .com)
 | | Not Suspicious Traffic | INFO [ANY.RUN] Google Hosted Libraries (ajax .googleapis .com)
 | | Not Suspicious Traffic | INFO [ANY.RUN] Cloudflare content delivery network (cdnjs .cloudflare .com)
Process | Message
saBSI.exe | NCPrivateLoadAndValidateMPTDll: Looking in current directory
saBSI.exe | NCPrivateLoadAndValidateMPTDll: Looking in EXE directory
saBSI.exe | NCPrivateLoadAndValidateMPTDll: Looking in current directory
saBSI.exe | NotComDllGetInterface: C:\Users\admin\AppData\Local\Temp\is-J3GF6.tmp\prod0_extract\saBSI.exe loading C:\Users\admin\AppData\Local\Temp\is-J3GF6.tmp\prod0_extract\mfeaaca.dll, WinVerifyTrust failed with 80092003
saBSI.exe | NotComDllGetInterface: C:\Users\admin\AppData\Local\Temp\is-J3GF6.tmp\prod0_extract\saBSI.exe loading C:\Users\admin\AppData\Local\Temp\is-J3GF6.tmp\prod0_extract\mfeaaca.dll, WinVerifyTrust failed with 80092003
saBSI.exe | NCPrivateLoadAndValidateMPTDll: Looking in EXE directory
saBSI.exe | NCPrivateLoadAndValidateMPTDll: Looking in EXE directory
saBSI.exe | NotComDllGetInterface: C:\Users\admin\AppData\Local\Temp\is-J3GF6.tmp\prod0_extract\saBSI.exe loading C:\Users\admin\AppData\Local\Temp\is-J3GF6.tmp\prod0_extract\mfeaaca.dll, WinVerifyTrust failed with 80092003
saBSI.exe | NCPrivateLoadAndValidateMPTDll: Looking in current directory
saBSI.exe | NotComDllGetInterface: C:\Users\admin\AppData\Local\Temp\is-J3GF6.tmp\prod0_extract\saBSI.exe loading C:\Users\admin\AppData\Local\Temp\is-J3GF6.tmp\prod0_extract\mfeaaca.dll, WinVerifyTrust failed with 80092003