File name:

dcbd77ad65145ab5aa64b8c08608991a6cc23daabf02cf0695f2261da3ec5b7d

Full analysis: https://app.any.run/tasks/059e5227-f2cd-41f9-a53e-9bb1882e7e3b
Verdict: Malicious activity
Threats:

A loader is malware whose purpose is to get a foothold on a device and deliver further payloads. Once running it profiles the system and installs other threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links, relying on social engineering to trick users into downloading and running the executable. Loaders commonly use evasion and persistence techniques to avoid detection.

Analysis date: December 09, 2024, 07:22:37
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
upx
loader
arch-exec
stealer
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed, 3 sections
MD5:

6CC9A78E4778F77343CA22CB09CC8BE5

SHA1:

7763DB92A19E2480328C1F92EA49BC68EB536BEE

SHA256:

DCBD77AD65145AB5AA64B8C08608991A6CC23DAABF02CF0695F2261DA3EC5B7D

SSDEEP:

98304:01EX9pZDV1wd5tm0WS+77NNiM6+wLQH4AfV8C1Dj3HYIU6+tgepPlzBLaYhB8PgM:awiPIdCbuyNryzZjXgjUt2g04xYNgH

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided as is. ANY.RUN does not guarantee the maliciousness or safety of the content.
  • MALICIOUS

    • Actions look like stealing of personal data

      • avast_secure_browser_setup.exe (PID: 5836)
      • avast_secure_browser_setup.exe (PID: 6792)
  • SUSPICIOUS

    • Drops 7-zip archiver for unpacking

      • dcbd77ad65145ab5aa64b8c08608991a6cc23daabf02cf0695f2261da3ec5b7d.exe (PID: 6500)
    • Executable content was dropped or overwritten

      • dcbd77ad65145ab5aa64b8c08608991a6cc23daabf02cf0695f2261da3ec5b7d.exe (PID: 6500)
      • Dism.exe (PID: 6956)
      • avast_secure_browser_setup.exe (PID: 4128)
      • AvastBrowserUpdateSetup.exe (PID: 2088)
      • AvastBrowserUpdate.exe (PID: 5856)
      • avast_secure_browser_setup.exe (PID: 6792)
      • AvastBrowserInstaller.exe (PID: 7784)
    • Process drops legitimate Windows executable

      • dcbd77ad65145ab5aa64b8c08608991a6cc23daabf02cf0695f2261da3ec5b7d.exe (PID: 6500)
    • Reads security settings of Internet Explorer

      • dcbd77ad65145ab5aa64b8c08608991a6cc23daabf02cf0695f2261da3ec5b7d.exe (PID: 6500)
      • avast_secure_browser_setup.exe (PID: 5836)
      • avast_secure_browser_setup.exe (PID: 4128)
      • AvastBrowserUpdate.exe (PID: 5856)
      • avast_secure_browser_setup.exe (PID: 6792)
    • Starts a Microsoft application from unusual location

      • DismHost.exe (PID: 7028)
    • Potential Corporate Privacy Violation

      • dcbd77ad65145ab5aa64b8c08608991a6cc23daabf02cf0695f2261da3ec5b7d.exe (PID: 6500)
      • AvastBrowserUpdate.exe (PID: 7224)
    • Reads the BIOS version

      • avast_secure_browser_setup.exe (PID: 5836)
      • avast_secure_browser_setup.exe (PID: 6792)
    • Checks Windows Trust Settings

      • avast_secure_browser_setup.exe (PID: 5836)
    • Searches for installed software

      • avast_secure_browser_setup.exe (PID: 5836)
      • avast_secure_browser_setup.exe (PID: 6792)
    • Application launched itself

      • avast_secure_browser_setup.exe (PID: 4128)
      • setup.exe (PID: 7804)
    • Disables SEHOP

      • AvastBrowserUpdate.exe (PID: 5856)
    • Starts itself from another location

      • AvastBrowserUpdate.exe (PID: 5856)
    • The process verifies whether the antivirus software is installed

      • AvastBrowserUpdate.exe (PID: 3824)
      • AvastBrowserUpdate.exe (PID: 6736)
      • AvastBrowserUpdate.exe (PID: 5856)
      • AvastBrowserUpdate.exe (PID: 540)
      • AvastBrowserUpdate.exe (PID: 6992)
      • avast_secure_browser_setup.exe (PID: 6792)
      • setup.exe (PID: 7804)
      • setup.exe (PID: 7824)
    • Creates/Modifies COM task schedule object

      • AvastBrowserUpdateComRegisterShell64.exe (PID: 6992)
      • AvastBrowserUpdate.exe (PID: 6736)
      • AvastBrowserUpdate.exe (PID: 5856)
    • Executes as Windows Service

      • AvastBrowserUpdate.exe (PID: 7224)
    • Process requests binary or script from the Internet

      • AvastBrowserUpdate.exe (PID: 7224)
  • INFO

    • Sends debugging messages

      • dcbd77ad65145ab5aa64b8c08608991a6cc23daabf02cf0695f2261da3ec5b7d.exe (PID: 6500)
      • Dism.exe (PID: 6956)
      • DismHost.exe (PID: 7028)
      • avast_secure_browser_setup.exe (PID: 5836)
      • avast_secure_browser_setup.exe (PID: 4128)
      • avast_secure_browser_setup.exe (PID: 6792)
    • Disables trace logs

      • dcbd77ad65145ab5aa64b8c08608991a6cc23daabf02cf0695f2261da3ec5b7d.exe (PID: 6500)
    • Checks supported languages

      • dcbd77ad65145ab5aa64b8c08608991a6cc23daabf02cf0695f2261da3ec5b7d.exe (PID: 6500)
      • avg_antivirus_free_setup.exe (PID: 2624)
      • DismHost.exe (PID: 7028)
      • identity_helper.exe (PID: 5588)
      • avast_secure_browser_setup.exe (PID: 4128)
      • avast_secure_browser_setup.exe (PID: 5836)
      • AvastBrowserUpdateSetup.exe (PID: 2088)
      • AvastBrowserUpdate.exe (PID: 5856)
      • AvastBrowserUpdate.exe (PID: 6736)
      • AvastBrowserUpdateComRegisterShell64.exe (PID: 6868)
      • AvastBrowserUpdateComRegisterShell64.exe (PID: 3828)
      • AvastBrowserUpdate.exe (PID: 540)
      • avast_secure_browser_setup.exe (PID: 6792)
      • AvastBrowserUpdate.exe (PID: 7224)
      • setup.exe (PID: 7804)
      • AvastBrowserInstaller.exe (PID: 7784)
    • Reads the computer name

      • dcbd77ad65145ab5aa64b8c08608991a6cc23daabf02cf0695f2261da3ec5b7d.exe (PID: 6500)
      • avg_antivirus_free_setup.exe (PID: 2624)
      • DismHost.exe (PID: 7028)
      • avast_secure_browser_setup.exe (PID: 5836)
      • AvastBrowserUpdate.exe (PID: 5856)
      • AvastBrowserUpdate.exe (PID: 6736)
      • AvastBrowserUpdate.exe (PID: 540)
      • AvastBrowserUpdate.exe (PID: 7224)
      • AvastBrowserInstaller.exe (PID: 7784)
      • setup.exe (PID: 7804)
    • Reads the machine GUID from the registry

      • dcbd77ad65145ab5aa64b8c08608991a6cc23daabf02cf0695f2261da3ec5b7d.exe (PID: 6500)
      • avg_antivirus_free_setup.exe (PID: 2624)
      • avast_secure_browser_setup.exe (PID: 5836)
      • AvastBrowserUpdate.exe (PID: 5856)
      • avast_secure_browser_setup.exe (PID: 6792)
    • Checks proxy server information

      • dcbd77ad65145ab5aa64b8c08608991a6cc23daabf02cf0695f2261da3ec5b7d.exe (PID: 6500)
      • avast_secure_browser_setup.exe (PID: 5836)
      • avast_secure_browser_setup.exe (PID: 6792)
    • Reads the software policy settings

      • dcbd77ad65145ab5aa64b8c08608991a6cc23daabf02cf0695f2261da3ec5b7d.exe (PID: 6500)
      • avast_secure_browser_setup.exe (PID: 5836)
      • AvastBrowserUpdate.exe (PID: 540)
      • AvastBrowserUpdate.exe (PID: 7224)
    • Create files in a temporary directory

      • dcbd77ad65145ab5aa64b8c08608991a6cc23daabf02cf0695f2261da3ec5b7d.exe (PID: 6500)
      • Dism.exe (PID: 6956)
      • avast_secure_browser_setup.exe (PID: 4128)
      • avast_secure_browser_setup.exe (PID: 5836)
      • avast_secure_browser_setup.exe (PID: 6792)
    • Creates files or folders in the user directory

      • dcbd77ad65145ab5aa64b8c08608991a6cc23daabf02cf0695f2261da3ec5b7d.exe (PID: 6500)
      • avast_secure_browser_setup.exe (PID: 5836)
    • UPX packer has been detected

      • dcbd77ad65145ab5aa64b8c08608991a6cc23daabf02cf0695f2261da3ec5b7d.exe (PID: 6500)
    • Manual execution by a user

      • msedge.exe (PID: 4244)
      • avg_antivirus_free_setup.exe (PID: 7044)
      • avg_antivirus_free_setup.exe (PID: 2624)
      • avast_secure_browser_setup.exe (PID: 4128)
    • The process uses the downloaded file

      • dcbd77ad65145ab5aa64b8c08608991a6cc23daabf02cf0695f2261da3ec5b7d.exe (PID: 6500)
      • avast_secure_browser_setup.exe (PID: 4128)
    • Reads Environment values

      • DismHost.exe (PID: 7028)
      • avast_secure_browser_setup.exe (PID: 5836)
      • avast_secure_browser_setup.exe (PID: 6792)
    • Application launched itself

      • msedge.exe (PID: 4308)
      • msedge.exe (PID: 4244)
    • Process checks computer location settings

      • avast_secure_browser_setup.exe (PID: 5836)
      • avast_secure_browser_setup.exe (PID: 4128)
      • AvastBrowserUpdate.exe (PID: 5856)
      • avast_secure_browser_setup.exe (PID: 6792)
    • Creates files in the program directory

      • AvastBrowserUpdateSetup.exe (PID: 2088)
      • AvastBrowserUpdate.exe (PID: 5856)
      • AvastBrowserInstaller.exe (PID: 7784)
Find more information about signature artifacts and mapping to the MITRE ATT&CK™ matrix in the full report
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (30.7)
.exe | UPX compressed Win32 Executable (30.1)
.exe | Win32 EXE Yoda's Crypter (29.5)
.exe | Win32 Executable (generic) (5)
.exe | Generic Win/DOS Executable (2.2)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2021:09:15 03:55:39+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 10
CodeSize: 13860864
InitializedDataSize: 188416
UninitializedDataSize: 6393856
EntryPoint: 0x1351c80
OSVersion: 5.1
ImageVersion: -
SubsystemVersion: 5.1
Subsystem: Windows GUI
FileVersionNumber: 7.0.0.0
ProductVersionNumber: 7.0.0.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Windows NT
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: ASCII
CompanyName: Microvirt Software Technology Co. Ltd.
FileDescription: MEmu Installer
FileVersion: 7.0.0.0
InternalName: MEmuSetup.exe
LegalCopyright: Copyright (C) 2020 Microvirt Software Technology Co. Ltd. All rights reserved
OriginalFileName: MEmuSetup.exe
ProductName: MEmu Installer
ProductVersion: 7.0.0.0
No data.
All screenshots are available in the full report
Total processes
195
Monitored processes
68
Malicious processes
11
Suspicious processes
3

Behavior graph


Process information

PID
CMD
Path
Indicators
Parent process
PID: 540
CMD: "C:\Program Files (x86)\AVAST Software\Browser\Update\AvastBrowserUpdate.exe" /ping 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-PGh3IHBoeXNtZW1vcnk9IjQiIHNzZT0iMSIgc3NlMj0iMSIgc3NlMz0iMSIgc3NzZTM9IjEiIHNzZTQxPSIxIiBzc2U0Mj0iMSIgYXZ4PSIxIi8-PG9zIHBsYXRmb3JtPSJ3aW4iIHZlcnNpb249IjEwLjAuMTkwNDUuNDA0NiIgc3A9IiIgYXJjaD0ieDY0Ii8-PGFwcCBhcHBpZD0iezZEMzdDNzYwLThGRUQtNDhBNS1BNEE0LUNFQzA5NUIyRDhERH0iIHZlcnNpb249IiIgbmV4dHZlcnNpb249IjEuOC4xNjk3LjYiIGxhbmc9ImVuLVVTIiBicmFuZD0iNjIzMyIgY2xpZW50PSIiPjxldmVudCBldmVudHR5cGU9IjIiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjAiIGluc3RhbGxfdGltZV9tcz0iNzgzIi8-PC9hcHA-PC9yZXF1ZXN0Pg
Path: C:\Program Files (x86)\AVAST Software\Browser\Update\AvastBrowserUpdate.exe
Parent process: AvastBrowserUpdate.exe
User:
admin
Company:
Gen Digital Inc.
Integrity Level:
HIGH
Description:
Avast Browser
Exit code:
0
Version:
1.8.1697.6
Modules
Images
c:\program files (x86)\avast software\browser\update\avastbrowserupdate.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\advapi32.dll
c:\windows\syswow64\msvcrt.dll
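The `/ping` argument on the PID 540 command line is an event report in the Omaha (Google Update) protocol, which the Avast browser updater follows (the `/silent /install "appguid=...&brand=..."` arguments of PID 2088 and the COM register shell are the same protocol family). Omaha encodes the request XML as URL-safe base64 with the padding stripped, so it can be read offline. The decoder below is an added example written for this report, not ANY.RUN's or Gen Digital's code. The head of the blob is elided on the page, so the embedded fragment starts at the first complete 4-character group after the elision (`PGh3...`); the opening `<request ...>` element is therefore missing and the parser re-adds an empty wrapper, which is an assumption about the truncated part, not something recovered from it.

```python
"""Decode the web-safe base64 /ping payload passed to AvastBrowserUpdate.exe.

Added example for this report (not ANY.RUN's or the vendor's code). The
fragment below is copied from the PID 540 command line; its head is elided
on the page, so decoding starts at the first complete 4-character group.
"""
import base64
import xml.etree.ElementTree as ET

# Tail of the /ping argument as it appears in the report (head truncated).
PING_FRAGMENT = (
    "PGh3IHBoeXNtZW1vcnk9IjQiIHNzZT0iMSIgc3NlMj0iMSIgc3NlMz0iMSIgc3Nz"
    "ZTM9IjEiIHNzZTQxPSIxIiBzc2U0Mj0iMSIgYXZ4PSIxIi8-PG9zIHBsYXRmb3Jt"
    "PSJ3aW4iIHZlcnNpb249IjEwLjAuMTkwNDUuNDA0NiIgc3A9IiIgYXJjaD0ieDY0"
    "Ii8-PGFwcCBhcHBpZD0iezZEMzdDNzYwLThGRUQtNDhBNS1BNEE0LUNFQzA5NUIy"
    "RDhERH0iIHZlcnNpb249IiIgbmV4dHZlcnNpb249IjEuOC4xNjk3LjYiIGxhbmc9"
    "ImVuLVVTIiBicmFuZD0iNjIzMyIgY2xpZW50PSIiPjxldmVudCBldmVudHR5cGU9"
    "IjIiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjAi"
    "IGluc3RhbGxfdGltZV9tcz0iNzgzIi8-PC9hcHA-PC9yZXF1ZXN0Pg"
)


def decode_websafe_b64(blob: str) -> str:
    """Decode URL-safe base64 whose '=' padding was stripped (Omaha convention)."""
    blob = blob.strip()
    blob += "=" * (-len(blob) % 4)          # restore padding to a multiple of 4
    return base64.urlsafe_b64decode(blob).decode("utf-8")


def parse_ping(xml_text: str) -> dict:
    """Extract the analyst-relevant fields from an Omaha ping/request body.

    If the opening <request ...> tag is missing (as in the page's truncated
    copy) an empty wrapper is added so the XML is well-formed; the wrapper's
    attributes are unknown and are not guessed.
    """
    body = xml_text.strip()
    if not body.startswith("<request"):
        if body.endswith("</request>"):      # closing tag survived, opening one did not
            body = body[: -len("</request>")]
        body = "<request>" + body + "</request>"
    root = ET.fromstring(body)

    os_el = root.find("os")
    hw_el = root.find("hw")
    apps = []
    for app in root.findall("app"):
        apps.append({
            "appid": app.get("appid"),
            "version": app.get("version"),          # "" = nothing installed yet
            "nextversion": app.get("nextversion"),  # version being installed
            "brand": app.get("brand"),
            "events": [dict(e.attrib) for e in app.findall("event")],
        })
    return {
        "os_version": os_el.get("version") if os_el is not None else None,
        "arch": os_el.get("arch") if os_el is not None else None,
        "physmemory_gb": hw_el.get("physmemory") if hw_el is not None else None,
        "apps": apps,
    }


def summarize_ping_arg(arg: str) -> dict:
    """Convenience wrapper: raw /ping argument -> parsed summary."""
    return parse_ping(decode_websafe_b64(arg))


if __name__ == "__main__":
    import json
    print(json.dumps(summarize_ping_arg(PING_FRAGMENT), indent=2))
```

Running it on the fragment yields `os version="10.0.19045.4046"` and `arch="x64"`, matching the analysis VM, and an `<app>` with `version=""` and `nextversion="1.8.1697.6"`, the same build the process table lists for AvastBrowserUpdate.exe; the `<event eventtype="2" eventresult="1" ...>` is, in Omaha terms, a successful install-complete report with `install_time_ms="783"`. Note that this `appid` is not the `appguid` passed to PID 2088, so the two identifiers should be tracked separately when building indicators.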
PID: 644
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=2684 --field-trial-handle=2336,i,18359186578756233855,13766053990043857383,262144 --variations-seed-version /prefetch:8
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 1144
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --no-appcompat-clear --mojo-platform-channel-handle=6648 --field-trial-handle=2336,i,18359186578756233855,13766053990043857383,262144 --variations-seed-version /prefetch:8
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 1344
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3636 --field-trial-handle=2336,i,18359186578756233855,13766053990043857383,262144 --variations-seed-version /prefetch:1
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 2084
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=6052 --field-trial-handle=2336,i,18359186578756233855,13766053990043857383,262144 --variations-seed-version /prefetch:8
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 2088
CMD: AvastBrowserUpdateSetup.exe /silent /install "bundlename=Avast Secure Browser&appguid={A8504530-742B-42BC-895D-2BAD6406F698}&appname=Avast Secure Browser&needsadmin=true&lang=en-US&brand=6233&installargs=--no-create-user-shortcuts --make-chrome-default --force-default-win10 --auto-import-data%3Dmsedge --import-cookies --auto-launch-chrome"
Path: C:\Users\admin\AppData\Local\Temp\nsv89E1.tmp\AvastBrowserUpdateSetup.exe
Parent process: avast_secure_browser_setup.exe
User:
admin
Company:
Gen Digital Inc.
Integrity Level:
HIGH
Description:
Avast Browser Setup
Version:
1.8.1697.6
Modules
Images
c:\users\admin\appdata\local\temp\nsv89e1.tmp\avastbrowserupdatesetup.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\shlwapi.dll
c:\windows\syswow64\msvcrt.dll
PID: 2160
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3348 --field-trial-handle=2336,i,18359186578756233855,13766053990043857383,262144 --variations-seed-version /prefetch:1
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 2452
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=7156 --field-trial-handle=2336,i,18359186578756233855,13766053990043857383,262144 --variations-seed-version /prefetch:8
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 2612
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=18 --mojo-platform-channel-handle=5644 --field-trial-handle=2336,i,18359186578756233855,13766053990043857383,262144 --variations-seed-version /prefetch:1
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 2624
CMD: "C:\Users\admin\Desktop\avg_antivirus_free_setup.exe"
Path: C:\Users\admin\Desktop\avg_antivirus_free_setup.exe
Parent process: explorer.exe
User:
admin
Company:
AVG Technologies CZ, s.r.o.
Integrity Level:
HIGH
Description:
AVG Installer
Version:
2.1.99.0
Modules
Images
c:\users\admin\desktop\avg_antivirus_free_setup.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
Total events
29 434
Read events
27 399
Write events
1 993
Delete events
42

Modification events

(PID) Process: (6500) dcbd77ad65145ab5aa64b8c08608991a6cc23daabf02cf0695f2261da3ec5b7d.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RASAPI32
Operation: write
Name: EnableFileTracing
Value: 0

(PID) Process: (6500) dcbd77ad65145ab5aa64b8c08608991a6cc23daabf02cf0695f2261da3ec5b7d.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RASAPI32
Operation: write
Name: EnableAutoFileTracing
Value: 0

(PID) Process: (6500) dcbd77ad65145ab5aa64b8c08608991a6cc23daabf02cf0695f2261da3ec5b7d.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RASAPI32
Operation: write
Name: EnableConsoleTracing
Value: 0

(PID) Process: (6500) dcbd77ad65145ab5aa64b8c08608991a6cc23daabf02cf0695f2261da3ec5b7d.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RASAPI32
Operation: write
Name: FileTracingMask
Value:

(PID) Process: (6500) dcbd77ad65145ab5aa64b8c08608991a6cc23daabf02cf0695f2261da3ec5b7d.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RASAPI32
Operation: write
Name: ConsoleTracingMask
Value:

(PID) Process: (6500) dcbd77ad65145ab5aa64b8c08608991a6cc23daabf02cf0695f2261da3ec5b7d.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RASAPI32
Operation: write
Name: MaxFileSize
Value: 1048576

(PID) Process: (6500) dcbd77ad65145ab5aa64b8c08608991a6cc23daabf02cf0695f2261da3ec5b7d.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RASAPI32
Operation: write
Name: FileDirectory
Value: %windir%\tracing

(PID) Process: (6500) dcbd77ad65145ab5aa64b8c08608991a6cc23daabf02cf0695f2261da3ec5b7d.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RASMANCS
Operation: write
Name: EnableFileTracing
Value: 0

(PID) Process: (6500) dcbd77ad65145ab5aa64b8c08608991a6cc23daabf02cf0695f2261da3ec5b7d.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RASMANCS
Operation: write
Name: EnableAutoFileTracing
Value: 0

(PID) Process: (6500) dcbd77ad65145ab5aa64b8c08608991a6cc23daabf02cf0695f2261da3ec5b7d.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RASMANCS
Operation: write
Name: EnableConsoleTracing
Value: 0
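The registry writes above are what the "Disables trace logs" signature in the INFO section keys on: PID 6500 sets the `Enable*Tracing` switches for the RASAPI32 and RASMANCS components under `HKLM\SOFTWARE\WOW6432Node\Microsoft\Tracing` to 0. The script below is an added example written for this report (it is not ANY.RUN's signature implementation): it parses sandbox-style registry events and reports which process zeroed which tracing component. The event rows are constructed to mirror this page's table; the two rows for `example_setup.exe` (PID 1234) and the `HKEY_CURRENT_USER\SOFTWARE\Example\Setup` key are invented controls that must not match.

```python
"""Flag the "Disables trace logs" behaviour from sandbox registry write events.

Added example for this report; not ANY.RUN's own signature logic. The
sample rows mirror the Modification events table on this page (PID 6500
zeroing RASAPI32 and RASMANCS tracing switches) plus two invented controls.
"""
import re
from dataclasses import dataclass

# Per-component tracing keys live under ...\Microsoft\Tracing\<component>.
TRACING_KEY = re.compile(r"\\Microsoft\\Tracing\\(?P<component>[^\\]+)$", re.IGNORECASE)
# Writing 0 to any of these silences RAS/WinHTTP diagnostic logging for the component.
TRACING_SWITCHES = {"EnableFileTracing", "EnableAutoFileTracing", "EnableConsoleTracing"}

# Constructed sample, one event per line: pid|process|key|operation|name|value
SAMPLE_EVENTS = r"""
6500|dcbd77ad65145ab5aa64b8c08608991a6cc23daabf02cf0695f2261da3ec5b7d.exe|HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RASAPI32|write|EnableFileTracing|0
6500|dcbd77ad65145ab5aa64b8c08608991a6cc23daabf02cf0695f2261da3ec5b7d.exe|HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RASAPI32|write|EnableAutoFileTracing|0
6500|dcbd77ad65145ab5aa64b8c08608991a6cc23daabf02cf0695f2261da3ec5b7d.exe|HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RASAPI32|write|EnableConsoleTracing|0
6500|dcbd77ad65145ab5aa64b8c08608991a6cc23daabf02cf0695f2261da3ec5b7d.exe|HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RASAPI32|write|MaxFileSize|1048576
6500|dcbd77ad65145ab5aa64b8c08608991a6cc23daabf02cf0695f2261da3ec5b7d.exe|HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RASAPI32|write|FileDirectory|%windir%\tracing
6500|dcbd77ad65145ab5aa64b8c08608991a6cc23daabf02cf0695f2261da3ec5b7d.exe|HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RASMANCS|write|EnableFileTracing|0
6500|dcbd77ad65145ab5aa64b8c08608991a6cc23daabf02cf0695f2261da3ec5b7d.exe|HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RASMANCS|write|EnableAutoFileTracing|0
6500|dcbd77ad65145ab5aa64b8c08608991a6cc23daabf02cf0695f2261da3ec5b7d.exe|HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RASMANCS|write|EnableConsoleTracing|0
1234|example_setup.exe|HKEY_CURRENT_USER\SOFTWARE\Example\Setup|write|EnableFileTracing|0
1234|example_setup.exe|HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\RASAPI32|read|EnableFileTracing|0
"""


@dataclass(frozen=True)
class RegWrite:
    pid: int
    process: str
    key: str
    name: str
    value: str


def parse_events(text: str) -> list[RegWrite]:
    """Parse pipe-delimited rows and keep only registry writes (reads cannot disable anything)."""
    events: list[RegWrite] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        pid, process, key, operation, name, value = line.split("|", 5)
        if operation.lower() == "write":
            events.append(RegWrite(int(pid), process, key, name, value))
    return events


def find_trace_log_disabling(events: list[RegWrite]) -> dict[tuple[int, str], set[str]]:
    """Map (pid, process) -> tracing components whose logging switches were set to 0."""
    hits: dict[tuple[int, str], set[str]] = {}
    for ev in events:
        match = TRACING_KEY.search(ev.key)
        if match and ev.name in TRACING_SWITCHES and ev.value.strip() == "0":
            hits.setdefault((ev.pid, ev.process), set()).add(match.group("component"))
    return hits


def report(text: str = SAMPLE_EVENTS) -> list[str]:
    """One human-readable finding per offending process."""
    lines = []
    for (pid, process), components in sorted(find_trace_log_disabling(parse_events(text)).items()):
        lines.append(
            f"Disables trace logs: {process} (PID {pid}) zeroed {', '.join(sorted(components))}"
        )
    return lines


if __name__ == "__main__":
    for finding in report():
        print(finding)
```

On the sample this produces a single finding for PID 6500 covering RASAPI32 and RASMANCS; the `MaxFileSize`/`FileDirectory` writes, the write under a non-Tracing key and the read are all ignored. Keep the severity low: these keys are touched as a routine side effect by software that uses the RAS/WinHTTP stack, which is why ANY.RUN files the signature under INFO rather than SUSPICIOUS; its value lies in correlation with the rest of the report, not in the hit itself.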
Executable files
238
Suspicious files
297
Text files
1 217
Unknown types
19

Dropped files

PID
Process
Filename
Type
PID: 6500
Process: dcbd77ad65145ab5aa64b8c08608991a6cc23daabf02cf0695f2261da3ec5b7d.exe
Filename: C:\Users\admin\AppData\Local\Temp\MEmuSetup\7za.exe
Type: executable
MD5: B9425918E9F7B8AFFB9952ED02E01285
SHA256: 8A5E4CCE83CA7C08945348BFB13395109656079E99BC6445B62C4DAAE16FAA5D

PID: 6956
Process: Dism.exe
Filename: C:\Users\admin\AppData\Local\Temp\BC96AC2B-9004-42B6-BA93-6FF78FBBBB4F\AssocProvider.dll
Type: executable
MD5: B7DB592706D3EEFBCF0D5A166D462E56
SHA256: DE21321272862E7C332E1724DC315F06F3ABE7A0340E61D351CAB208D6BBF059

PID: 6500
Process: dcbd77ad65145ab5aa64b8c08608991a6cc23daabf02cf0695f2261da3ec5b7d.exe
Filename: C:\Users\admin\AppData\Local\Temp\MEmuSetup\normaliz.dll
Type: executable
MD5: 25A38B00DF321C5684C175D9E5366963
SHA256: 1ECB627D6532331316567C2E1A98A61F14720F02B03FA1B836C4A206442CD392

PID: 6956
Process: Dism.exe
Filename: C:\Users\admin\AppData\Local\Temp\BC96AC2B-9004-42B6-BA93-6FF78FBBBB4F\DismCorePS.dll
Type: executable
MD5: 35A07968EC37231249F3F072AE555E3A
SHA256: E5F25E5A170CB3D165C3D143EAE967B96AB80F88FB09176DA8591B0B68C77E00

PID: 6956
Process: Dism.exe
Filename: C:\Users\admin\AppData\Local\Temp\BC96AC2B-9004-42B6-BA93-6FF78FBBBB4F\DismProv.dll
Type: executable
MD5: AB0DBC4F05B33EAAA447E31ACCAB8D21
SHA256: 6A3C3F07BDDBC3079873F8799F2C19ADDDC59F15D6B2DBA6E9314E5626BFD2A0

PID: 6956
Process: Dism.exe
Filename: C:\Users\admin\AppData\Local\Temp\BC96AC2B-9004-42B6-BA93-6FF78FBBBB4F\en-US\AppxProvider.dll.mui
Type: executable
MD5: BD0DD9C5A602CB0AD7EABC16B3C1ABFC
SHA256: 8AF0073F8A023F55866E48BF3B902DFA7F41C51B0E8B0FE06F8C496D41F9A7B3

PID: 6956
Process: Dism.exe
Filename: C:\Users\admin\AppData\Local\Temp\BC96AC2B-9004-42B6-BA93-6FF78FBBBB4F\en-US\CbsProvider.dll.mui
Type: executable
MD5: 6C51A3187D2464C48CC8550B141E25C5
SHA256: D7A0253D6586E7BBFB0ACB6FACD9A326B32BA1642B458F5B5ED27FECCB4FC199

PID: 6956
Process: Dism.exe
Filename: C:\Users\admin\AppData\Local\Temp\BC96AC2B-9004-42B6-BA93-6FF78FBBBB4F\en-US\AssocProvider.dll.mui
Type: executable
MD5: 8833761572F0964BDC1BEA6E1667F458
SHA256: B18C6CE1558C9EF6942A3BCE246A46557C2A7D12AEC6C4A07E4FA84DD5C422F5

PID: 6500
Process: dcbd77ad65145ab5aa64b8c08608991a6cc23daabf02cf0695f2261da3ec5b7d.exe
Filename: C:\Users\admin\AppData\Local\Microvirt\setup\MEmuSetup.log
Type: text
MD5: 75B9DC2F00E0840C975764576E9C42B7
SHA256: A1C2098B883BFACAC234E2C19DC5B0CB14F084D13B9F50A1EB3B8258CA9AE407

PID: 6956
Process: Dism.exe
Filename: C:\Users\admin\AppData\Local\Temp\BC96AC2B-9004-42B6-BA93-6FF78FBBBB4F\DismCore.dll
Type: executable
MD5: 681186B5696BA7D46B6681C027A659AD
SHA256: FBB5135DE4F6A5C9422A0B218D676930DB9BC9A2AEA0F7219077862912455914
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
163
TCP/UDP connections
175
DNS requests
166
Threats
10

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
GET
200
108.138.24.180:443
https://d1xj8c1wowfhpd.cloudfront.net/latest/il/v1.94.400.03.13
US
executable
266 Kb
whitelisted
4712
MoUsoCoreWorker.exe
GET
200
2.16.241.19:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
DE
binary
1.01 Kb
whitelisted
4536
svchost.exe
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
NL
binary
973 b
whitelisted
4536
svchost.exe
GET
200
2.16.241.19:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
DE
binary
1.01 Kb
whitelisted
4712
MoUsoCoreWorker.exe
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
NL
binary
973 b
whitelisted
2632
RUXIMICS.exe
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
NL
binary
973 b
whitelisted
POST
200
18.66.92.190:443
https://d3afal19p30kfh.cloudfront.net/sec
US
xml
86.3 Kb
whitelisted
GET
200
18.66.92.217:443
https://d3afal19p30kfh.cloudfront.net/assets/schema/1.0/schema.xsd
US
xml
18.6 Kb
whitelisted
POST
200
18.66.92.190:443
https://d3afal19p30kfh.cloudfront.net/report
US
binary
15 b
whitelisted
POST
200
18.245.86.84:443
https://api.playanext.com/httpapi
US
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
4712
MoUsoCoreWorker.exe
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4536
svchost.exe
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
2632
RUXIMICS.exe
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
2.23.209.159:443
www.bing.com
Akamai International B.V.
GB
whitelisted
4
System
192.168.100.255:138
whitelisted
6500
dcbd77ad65145ab5aa64b8c08608991a6cc23daabf02cf0695f2261da3ec5b7d.exe
3.161.75.175:443
d1xj8c1wowfhpd.cloudfront.net
US
whitelisted
4712
MoUsoCoreWorker.exe
2.16.241.19:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
4536
svchost.exe
2.16.241.19:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
4712
MoUsoCoreWorker.exe
95.101.149.131:80
www.microsoft.com
Akamai International B.V.
NL
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 4.231.128.59
  • 20.73.194.208
whitelisted
www.bing.com
  • 2.23.209.159
  • 2.23.209.160
  • 2.23.209.162
  • 2.23.209.163
  • 2.23.209.168
  • 2.23.209.164
  • 2.23.209.169
  • 2.23.209.171
  • 2.23.209.167
  • 104.126.37.161
  • 104.126.37.184
  • 104.126.37.160
  • 104.126.37.162
  • 104.126.37.176
  • 104.126.37.177
  • 104.126.37.163
  • 104.126.37.155
  • 104.126.37.152
  • 2.23.209.183
  • 2.23.209.185
  • 2.23.209.181
  • 2.23.209.189
  • 2.23.209.186
  • 2.23.209.180
  • 2.23.209.191
  • 2.23.209.182
  • 2.23.209.188
whitelisted
google.com
  • 216.58.212.142
whitelisted
d1xj8c1wowfhpd.cloudfront.net
  • 3.161.75.175
  • 3.161.75.82
  • 3.161.75.162
  • 3.161.75.39
whitelisted
crl.microsoft.com
  • 2.16.241.19
  • 2.16.241.12
whitelisted
www.microsoft.com
  • 95.101.149.131
whitelisted
d3afal19p30kfh.cloudfront.net
  • 18.66.92.154
  • 18.66.92.217
  • 18.66.92.190
  • 18.66.92.113
whitelisted
api.playanext.com
  • 18.245.86.26
  • 18.245.86.79
  • 18.245.86.105
  • 18.245.86.84
whitelisted
www.xyaz.cn
  • 113.219.142.35
whitelisted
config.edge.skype.com
  • 13.107.42.16
whitelisted

Threats

PID
Process
Class
Message
6500
dcbd77ad65145ab5aa64b8c08608991a6cc23daabf02cf0695f2261da3ec5b7d.exe
Potential Corporate Privacy Violation
ET POLICY PE EXE or DLL Windows file download HTTP
7224
AvastBrowserUpdate.exe
Potential Corporate Privacy Violation
ET POLICY PE EXE or DLL Windows file download HTTP
8 ETPRO signatures available in the full report

Debug output

Process
Message
dcbd77ad65145ab5aa64b8c08608991a6cc23daabf02cf0695f2261da3ec5b7d.exe
Qt: Untested Windows version 10.0 detected!
dcbd77ad65145ab5aa64b8c08608991a6cc23daabf02cf0695f2261da3ec5b7d.exe
QWindowsWindow::setGeometryDp: Unable to set geometry 21x14+320+100 on QWidgetWindow/'QCheckBoxClassWindow'. Resulting geometry: 120x14+320+100 (frame: 8, 31, 8, 8, custom margin: 0, 0, 0, 0, minimum size: 0x0, maximum size: 16777215x16777215).
dcbd77ad65145ab5aa64b8c08608991a6cc23daabf02cf0695f2261da3ec5b7d.exe
QWindowsWindow::setGeometryDp: Unable to set geometry 55x14+320+100 on QWidgetWindow/'QLabelClassWindow'. Resulting geometry: 120x14+320+100 (frame: 8, 31, 8, 8, custom margin: 0, 0, 0, 0, minimum size: 0x0, maximum size: 16777215x16777215).
Dism.exe
PID=6956 TID=6960 Provider has not previously been encountered. Attempting to initialize the provider. - CDISMProviderStore::Internal_GetProvider
Dism.exe
PID=6956 TID=6960 Loading Provider from location C:\WINDOWS\system32\Dism\LogProvider.dll - CDISMProviderStore::Internal_GetProvider
Dism.exe
PID=6956 TID=6960 Instantiating the Provider Store. - CDISMImageSession::get_ProviderStore
Dism.exe
PID=6956 TID=6960 Initializing a provider store for the LOCAL session type. - CDISMProviderStore::Final_OnConnect
Dism.exe
PID=6956 TID=6960 Attempting to initialize the logger from the Image Session. - CDISMProviderStore::Final_OnConnect
Dism.exe
PID=6956 TID=6960 Connecting to the provider located at C:\WINDOWS\system32\Dism\LogProvider.dll. - CDISMProviderStore::Internal_LoadProvider
DismHost.exe
PID=7028 TID=7056 Disconnecting the provider store - CDISMImageSession::Final_OnDisconnect