File name:

MEmu-setup-abroad-sdk.exe

Full analysis: https://app.any.run/tasks/7cab615b-cf2b-4c1c-bc6b-51d805352fb5
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Malware Trends Tracker     >>>
Analysis date: June 24, 2025, 06:05:23
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
upx
loader
arch-exec
stealer
evasion
discordgrabber
generic
xor-url
api-base64
susp-powershell
crypto-regex
inno
installer
aspack
antivm
pecompact
themida
dyndns
pikabot
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed, 3 sections
MD5:

6CC9A78E4778F77343CA22CB09CC8BE5

SHA1:

7763DB92A19E2480328C1F92EA49BC68EB536BEE

SHA256:

DCBD77AD65145AB5AA64B8C08608991A6CC23DAABF02CF0695F2261DA3EC5B7D

SSDEEP:

98304:01EX9pZDV1wd5tm0WS+77NNiM6+wLQH4AfV8C1Dj3HYIU6+tgepPlzBLaYhB8PgM:awiPIdCbuyNryzZjXgjUt2g04xYNgH

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Changes the autorun value in the registry

      • instup.exe (PID: 2320)
      • setup.exe (PID: 1976)
      • instup.exe (PID: 2624)
      • AvastBrowser.exe (PID: 4580)

    • Actions looks like stealing of personal data

      • AvastBrowser.exe (PID: 2032)
      • engsup.exe (PID: 4064)
      • AvastUI.exe (PID: 1400)

    • DISCORDGRABBER has been detected (YARA)

      • AvastBrowser.exe (PID: 924)

    • Executing a file with an untrusted certificate

      • MEmuDrvInst.exe (PID: 1928)
      • MemuService.exe (PID: 2720)

    • Registers / Runs the DLL via REGSVR32.EXE

      • Setup.exe (PID: 2112)

    • Steals credentials from Web Browsers

      • engsup.exe (PID: 4064)
      • AvastSvc.exe (PID: 4036)
      • aswEngSrv.exe (PID: 1576)
      • AvastUI.exe (PID: 1400)
      • AvastBrowser.exe (PID: 4580)

    • Disables Windows Defender

      • wsc_proxy.exe (PID: 3252)

    • XORed URL has been found (YARA)

      • AvastSvc.exe (PID: 4036)
      • aswEngSrv.exe (PID: 1576)

    • Antivirus name has been found in the command line (generic signature)

      • AvastUI.exe (PID: 1400)
      • AvastUI.exe (PID: 284)
      • AvastUI.exe (PID: 1396)
      • AvastUI.exe (PID: 2744)
      • AvastUI.exe (PID: 2168)
      • AvastUI.exe (PID: 2492)

    • PIKABOT has been detected (YARA)

      • AvastUI.exe (PID: 1400)

  • SUSPICIOUS

    • Drops 7-zip archiver for unpacking

      • MEmu-setup-abroad-sdk.exe (PID: 2476)
      • Setup.exe (PID: 2112)
      • 7za.exe (PID: 1496)

    • Process drops legitimate windows executable

      • MEmu-setup-abroad-sdk.exe (PID: 2476)
      • Setup.exe (PID: 2112)
      • instup.exe (PID: 2320)
      • 7za.exe (PID: 1496)
      • 7za.exe (PID: 3016)
      • 7za.exe (PID: 1776)
      • instup.exe (PID: 2624)

    • Executable content was dropped or overwritten

      • MEmu-setup-abroad-sdk.exe (PID: 2476)
      • Dism.exe (PID: 2796)
      • avast_secure_browser_setup.exe (PID: 4076)
      • AvastBrowserUpdateSetup.exe (PID: 2700)
      • AvastBrowserUpdate.exe (PID: 1776)
      • cookie_mmm_irs_ppi_005_888_d.exe (PID: 2788)
      • avast_free_antivirus_setup_online.exe (PID: 4048)
      • Instup.exe (PID: 2620)
      • AvastBrowserInstaller.exe (PID: 288)
      • Setup.exe (PID: 2112)
      • setup.exe (PID: 1976)
      • instup.exe (PID: 2320)
      • 7za.exe (PID: 3016)
      • 7za.exe (PID: 1496)
      • 7za.exe (PID: 1776)
      • MEmuDrvInst.exe (PID: 1928)
      • AvEmUpdate.exe (PID: 1836)
      • SetupInf.exe (PID: 2472)
      • drvinst.exe (PID: 2736)
      • AvastSvc.exe (PID: 4036)
      • instup.exe (PID: 2624)
      • aswOfferTool.exe (PID: 2992)

    • Reads the Internet Settings

      • MEmu-setup-abroad-sdk.exe (PID: 2476)
      • avast_secure_browser_setup.exe (PID: 4076)
      • Instup.exe (PID: 2620)
      • AvastBrowserUpdate.exe (PID: 2164)
      • instup.exe (PID: 2320)
      • AvastBrowser.exe (PID: 3908)
      • AvastBrowser.exe (PID: 3576)
      • AvastBrowser.exe (PID: 2036)
      • AvEmUpdate.exe (PID: 1836)
      • AvEmUpdate.exe (PID: 3760)
      • AvEmUpdate.exe (PID: 2588)
      • AvEmUpdate.exe (PID: 3052)
      • MEmuConsole.exe (PID: 2472)
      • AvEmUpdate.exe (PID: 904)
      • AvastUI.exe (PID: 1400)
      • AvastUI.exe (PID: 284)
      • AvastUI.exe (PID: 2492)
      • AvastUI.exe (PID: 2168)
      • AvastUI.exe (PID: 1396)
      • AvastUI.exe (PID: 2744)
      • Setup.exe (PID: 2112)
      • AvastBrowser.exe (PID: 4580)

    • Reads settings of System Certificates

      • MEmu-setup-abroad-sdk.exe (PID: 2476)
      • avast_secure_browser_setup.exe (PID: 4076)
      • cookie_mmm_irs_ppi_005_888_d.exe (PID: 2788)
      • avast_free_antivirus_setup_online.exe (PID: 4048)
      • Instup.exe (PID: 2620)
      • AvastBrowserUpdate.exe (PID: 2164)
      • instup.exe (PID: 2320)
      • AvastBrowser.exe (PID: 3944)
      • AvastBrowser.exe (PID: 3908)
      • AvastBrowser.exe (PID: 3576)
      • AvastBrowser.exe (PID: 3372)
      • AvastBrowser.exe (PID: 2036)
      • AvastBrowser.exe (PID: 3564)
      • MEmuDrvInst.exe (PID: 1928)
      • AvEmUpdate.exe (PID: 1836)
      • AvEmUpdate.exe (PID: 2588)
      • AvEmUpdate.exe (PID: 3052)
      • instup.exe (PID: 2624)
      • MEmuConsole.exe (PID: 2472)
      • AvEmUpdate.exe (PID: 904)
      • AvastUI.exe (PID: 1400)
      • AvastBrowser.exe (PID: 4780)
      • AvastBrowser.exe (PID: 4580)

    • Potential Corporate Privacy Violation

      • MEmu-setup-abroad-sdk.exe (PID: 2476)
      • cookie_mmm_irs_ppi_005_888_d.exe (PID: 2788)
      • AvastBrowserUpdate.exe (PID: 2808)
      • AvEmUpdate.exe (PID: 1836)
      • AvastUI.exe (PID: 1400)

    • Process requests binary or script from the Internet

      • MEmu-setup-abroad-sdk.exe (PID: 2476)
      • cookie_mmm_irs_ppi_005_888_d.exe (PID: 2788)
      • AvEmUpdate.exe (PID: 1836)
      • AvastBrowser.exe (PID: 4780)

    • Reads security settings of Internet Explorer

      • MEmu-setup-abroad-sdk.exe (PID: 2476)
      • avast_secure_browser_setup.exe (PID: 4076)
      • MEmuDrvInst.exe (PID: 1928)
      • AvastSvc.exe (PID: 4036)
      • instup.exe (PID: 2320)

    • The process creates files with name similar to system file names

      • Dism.exe (PID: 2796)
      • 7za.exe (PID: 3016)

    • Starts a Microsoft application from unusual location

      • DismHost.exe (PID: 2956)

    • The process verifies whether the antivirus software is installed

      • avast_secure_browser_setup.exe (PID: 4076)
      • AvastBrowserUpdate.exe (PID: 1776)
      • AvastBrowserUpdate.exe (PID: 2996)
      • AvastBrowserUpdate.exe (PID: 2792)
      • AvastBrowserUpdate.exe (PID: 492)
      • AvastBrowserUpdate.exe (PID: 2808)
      • AvastBrowserUpdate.exe (PID: 2164)
      • setup.exe (PID: 1404)
      • instup.exe (PID: 2320)
      • AvastBrowserInstaller.exe (PID: 288)
      • setup.exe (PID: 1976)
      • AvastBrowserCrashHandler.exe (PID: 2464)
      • AvastBrowser.exe (PID: 3216)
      • AvastBrowser.exe (PID: 3944)
      • elevation_service.exe (PID: 3384)
      • AvastBrowser.exe (PID: 3908)
      • AvastBrowser.exe (PID: 2032)
      • AvastBrowser.exe (PID: 924)
      • AvastBrowser.exe (PID: 2468)
      • AvastBrowser.exe (PID: 3372)
      • elevation_service.exe (PID: 3240)
      • AvastBrowser.exe (PID: 3576)
      • elevation_service.exe (PID: 2472)
      • setup.exe (PID: 3436)
      • AvastBrowser.exe (PID: 2036)
      • AvastBrowser.exe (PID: 2680)
      • elevation_service.exe (PID: 3768)
      • setup.exe (PID: 2096)
      • AvastBrowser.exe (PID: 3564)
      • elevation_service.exe (PID: 1892)
      • SetupInf.exe (PID: 3696)
      • SetupInf.exe (PID: 1288)
      • AvEmUpdate.exe (PID: 3760)
      • SetupInf.exe (PID: 956)
      • SetupInf.exe (PID: 3876)
      • AvEmUpdate.exe (PID: 2588)
      • AvEmUpdate.exe (PID: 1836)
      • AvEmUpdate.exe (PID: 3052)
      • SetupInf.exe (PID: 2856)
      • RegSvr.exe (PID: 3452)
      • SetupInf.exe (PID: 2472)
      • AvastNM.exe (PID: 2604)
      • engsup.exe (PID: 3572)
      • overseer.exe (PID: 3872)
      • wsc_proxy.exe (PID: 3252)
      • wsc_proxy.exe (PID: 2136)
      • aswToolsSvc.exe (PID: 2068)
      • AvastSvc.exe (PID: 4036)
      • engsup.exe (PID: 4064)
      • aswEngSrv.exe (PID: 1576)
      • instup.exe (PID: 3316)
      • instup.exe (PID: 2624)
      • cscript.exe (PID: 4072)
      • AvEmUpdate.exe (PID: 904)
      • AvastUI.exe (PID: 1400)
      • aswOfferTool.exe (PID: 2992)
      • aswOfferTool.exe (PID: 1020)
      • AvastUI.exe (PID: 2744)
      • AvastUI.exe (PID: 284)
      • AvastUI.exe (PID: 1396)
      • AvastUI.exe (PID: 2168)
      • AvastUI.exe (PID: 2492)
      • AvastBrowser.exe (PID: 4580)
      • AvastBrowser.exe (PID: 4612)
      • AvastBrowser.exe (PID: 4844)
      • elevation_service.exe (PID: 4868)
      • AvastBrowser.exe (PID: 4980)
      • AvastBrowser.exe (PID: 4988)
      • elevation_service.exe (PID: 5000)
      • AvastBrowser.exe (PID: 4768)
      • AvastBrowser.exe (PID: 5056)
      • AvastBrowser.exe (PID: 5108)
      • AvastBrowser.exe (PID: 5116)
      • AvastBrowser.exe (PID: 5412)
      • AvastBrowser.exe (PID: 5532)
      • AvastBrowser.exe (PID: 5540)
      • AvastBrowser.exe (PID: 5676)
      • AvastBrowser.exe (PID: 5800)
      • AvastBrowser.exe (PID: 5812)
      • AvastBrowser.exe (PID: 5968)
      • AvastBrowser.exe (PID: 6108)
      • AvastBrowser.exe (PID: 1156)
      • AvastBrowser.exe (PID: 1880)
      • AvastBrowser.exe (PID: 4204)
      • AvastBrowser.exe (PID: 5892)
      • AvastBrowser.exe (PID: 3236)
      • AvastBrowser.exe (PID: 4408)
      • AvastBrowser.exe (PID: 5944)
      • AvastBrowser.exe (PID: 5956)
      • AvastBrowser.exe (PID: 4516)
      • AvastBrowser.exe (PID: 2368)
      • AvastBrowser.exe (PID: 4532)
      • AvastBrowser.exe (PID: 344)
      • AvastBrowser.exe (PID: 4736)
      • AvastBrowser.exe (PID: 4916)
      • AvastBrowser.exe (PID: 5000)
      • AvastBrowser.exe (PID: 5072)
      • AvastBrowser.exe (PID: 5080)
      • AvastBrowser.exe (PID: 5384)
      • AvastBrowser.exe (PID: 4504)
      • AvastBrowser.exe (PID: 2600)
      • AvastBrowser.exe (PID: 5848)
      • AvastBrowser.exe (PID: 5852)
      • AvastBrowser.exe (PID: 4300)
      • AvastBrowser.exe (PID: 5824)
      • AvastBrowser.exe (PID: 5980)
      • AvastBrowser.exe (PID: 5948)
      • AvastBrowser.exe (PID: 5972)
      • AvastBrowser.exe (PID: 6088)
      • AvastBrowser.exe (PID: 6064)
      • AvastBrowser.exe (PID: 6132)
      • AvastBrowser.exe (PID: 3904)
      • AvastBrowser.exe (PID: 5276)
      • AvastBrowser.exe (PID: 2584)
      • AvastBrowser.exe (PID: 3180)
      • AvastBrowser.exe (PID: 4484)
      • AvastBrowser.exe (PID: 3824)
      • AvastBrowser.exe (PID: 2388)
      • AvastBrowser.exe (PID: 4216)
      • AvastBrowser.exe (PID: 4432)
      • AvastBrowser.exe (PID: 4928)
      • AvastBrowser.exe (PID: 2860)
      • AvastBrowser.exe (PID: 2112)
      • AvastBrowser.exe (PID: 3684)
      • AvastBrowser.exe (PID: 4364)
      • AvastBrowser.exe (PID: 5900)
      • AvastBrowser.exe (PID: 5888)
      • cmd.exe (PID: 4656)
      • cmd.exe (PID: 6124)
      • AvastNM.exe (PID: 6064)
      • AvastNM.exe (PID: 2284)
      • AvastBrowser.exe (PID: 4780)

    • Searches for installed software

      • avast_secure_browser_setup.exe (PID: 4076)
      • setup.exe (PID: 1976)
      • AvastBrowser.exe (PID: 3908)
      • AvastBrowser.exe (PID: 3576)
      • AvastBrowser.exe (PID: 2036)
      • overseer.exe (PID: 3872)
      • instup.exe (PID: 2320)
      • MEmuConsole.exe (PID: 2472)
      • AvastSvc.exe (PID: 4036)
      • AvastBrowser.exe (PID: 4580)

    • Adds/modifies Windows certificates

      • avast_secure_browser_setup.exe (PID: 4076)
      • AvastBrowserUpdate.exe (PID: 2164)
      • SetupInf.exe (PID: 2472)
      • AvastSvc.exe (PID: 4036)

    • Creates/Modifies COM task schedule object

      • AvastBrowserUpdate.exe (PID: 1776)
      • AvastBrowserUpdate.exe (PID: 2996)
      • MEmuManage.exe (PID: 3012)
      • regsvr32.exe (PID: 2776)
      • instup.exe (PID: 2320)
      • RegSvr.exe (PID: 3452)

    • Starts itself from another location

      • AvastBrowserUpdate.exe (PID: 1776)
      • Instup.exe (PID: 2620)

    • Disables SEHOP

      • AvastBrowserUpdate.exe (PID: 1776)

    • There is functionality for taking screenshot (YARA)

      • cookie_mmm_irs_ppi_005_888_d.exe (PID: 2788)
      • avast_secure_browser_setup.exe (PID: 4076)
      • AvastBrowserUpdate.exe (PID: 1776)
      • AvastBrowserUpdate.exe (PID: 492)
      • AvastBrowserUpdate.exe (PID: 2808)
      • Setup.exe (PID: 2112)

    • Executes as Windows Service

      • AvastBrowserUpdate.exe (PID: 2808)
      • elevation_service.exe (PID: 3384)
      • elevation_service.exe (PID: 3240)
      • elevation_service.exe (PID: 2472)
      • elevation_service.exe (PID: 3768)
      • elevation_service.exe (PID: 1892)
      • MemuService.exe (PID: 2720)
      • wsc_proxy.exe (PID: 3252)
      • AvastSvc.exe (PID: 4036)
      • aswToolsSvc.exe (PID: 2068)
      • elevation_service.exe (PID: 4868)
      • elevation_service.exe (PID: 5000)

    • Application launched itself

      • setup.exe (PID: 1976)
      • AvastBrowser.exe (PID: 3908)
      • AvastBrowser.exe (PID: 3576)
      • setup.exe (PID: 2096)
      • AvastBrowser.exe (PID: 2036)
      • AvEmUpdate.exe (PID: 1836)
      • AvastUI.exe (PID: 1400)
      • AvastBrowser.exe (PID: 4580)
      • AvastBrowser.exe (PID: 5800)

    • The process drops C-runtime libraries

      • Setup.exe (PID: 2112)
      • 7za.exe (PID: 1496)
      • 7za.exe (PID: 3016)
      • instup.exe (PID: 2320)
      • 7za.exe (PID: 1776)

    • Creates a software uninstall entry

      • setup.exe (PID: 1976)
      • avast_secure_browser_setup.exe (PID: 4076)
      • elevation_service.exe (PID: 3384)
      • elevation_service.exe (PID: 3240)
      • elevation_service.exe (PID: 3768)
      • Setup.exe (PID: 2112)
      • instup.exe (PID: 2320)
      • elevation_service.exe (PID: 4868)

    • Windows service management via SC.EXE

      • sc.exe (PID: 960)
      • sc.exe (PID: 3516)
      • sc.exe (PID: 3328)
      • sc.exe (PID: 3256)
      • sc.exe (PID: 2744)
      • sc.exe (PID: 2236)
      • sc.exe (PID: 2856)
      • sc.exe (PID: 2712)
      • sc.exe (PID: 2952)
      • sc.exe (PID: 3748)
      • sc.exe (PID: 3436)
      • sc.exe (PID: 1448)
      • sc.exe (PID: 3520)
      • sc.exe (PID: 1852)
      • sc.exe (PID: 3304)
      • sc.exe (PID: 1964)
      • sc.exe (PID: 2380)
      • sc.exe (PID: 3140)
      • sc.exe (PID: 268)
      • sc.exe (PID: 2604)
      • sc.exe (PID: 2572)
      • sc.exe (PID: 2708)
      • sc.exe (PID: 2856)
      • sc.exe (PID: 3788)
      • sc.exe (PID: 3384)
      • sc.exe (PID: 3172)
      • sc.exe (PID: 1828)
      • sc.exe (PID: 780)
      • sc.exe (PID: 1628)
      • sc.exe (PID: 1780)
      • sc.exe (PID: 2688)
      • sc.exe (PID: 3848)
      • sc.exe (PID: 3492)

    • Starts SC.EXE for service management

      • Setup.exe (PID: 2112)

    • Reads the date of Windows installation

      • setup.exe (PID: 2096)
      • instup.exe (PID: 2320)
      • AvastUI.exe (PID: 1400)
      • AvastSvc.exe (PID: 4036)

    • Checks for external IP

      • AvastBrowser.exe (PID: 3564)
      • AvEmUpdate.exe (PID: 1836)
      • AvEmUpdate.exe (PID: 2588)
      • AvEmUpdate.exe (PID: 3052)
      • AvastSvc.exe (PID: 4036)
      • AvEmUpdate.exe (PID: 904)
      • AvastUI.exe (PID: 1400)
      • AvastBrowser.exe (PID: 4780)

    • Drops a system driver (possible attempt to evade defenses)

      • 7za.exe (PID: 3016)
      • Setup.exe (PID: 2112)
      • MEmuDrvInst.exe (PID: 1928)
      • instup.exe (PID: 2320)
      • SetupInf.exe (PID: 2472)
      • drvinst.exe (PID: 2736)

    • Creates files in the driver directory

      • instup.exe (PID: 2320)
      • MEmuDrvInst.exe (PID: 1928)
      • drvinst.exe (PID: 2736)
      • SetupInf.exe (PID: 2472)

    • The process executes VB scripts

      • MemuService.exe (PID: 2720)
      • MEmuConsole.exe (PID: 2472)

    • Creates or modifies Windows services

      • instup.exe (PID: 2320)

    • Reads browser cookies

      • engsup.exe (PID: 4064)
      • AvastUI.exe (PID: 1400)

    • Modifies hosts file to alter network resolution

      • AvastSvc.exe (PID: 4036)

    • Found regular expressions for crypto-addresses (YARA)

      • AvastSvc.exe (PID: 4036)

    • There is functionality for VM detection antiVM strings (YARA)

      • AvastSvc.exe (PID: 4036)
      • aswEngSrv.exe (PID: 1576)

    • There is functionality for VM detection VirtualBox (YARA)

      • AvastSvc.exe (PID: 4036)
      • aswToolsSvc.exe (PID: 2068)

    • There is functionality for communication dyndns network (YARA)

      • AvastSvc.exe (PID: 4036)

    • Checks for Java to be installed

      • AvastSvc.exe (PID: 4036)

    • Reads Mozilla Firefox installation path

      • AvastBrowser.exe (PID: 4580)

    • Starts CMD.EXE for commands execution

      • AvastBrowser.exe (PID: 4580)

  • INFO

    • The sample compiled with english language support

      • MEmu-setup-abroad-sdk.exe (PID: 2476)
      • Dism.exe (PID: 2796)
      • avast_secure_browser_setup.exe (PID: 4076)
      • AvastBrowserUpdateSetup.exe (PID: 2700)
      • AvastBrowserUpdate.exe (PID: 1776)
      • cookie_mmm_irs_ppi_005_888_d.exe (PID: 2788)
      • avast_free_antivirus_setup_online.exe (PID: 4048)
      • Instup.exe (PID: 2620)
      • AvastBrowserInstaller.exe (PID: 288)
      • Setup.exe (PID: 2112)
      • setup.exe (PID: 1976)
      • instup.exe (PID: 2320)
      • 7za.exe (PID: 1496)
      • 7za.exe (PID: 3016)
      • 7za.exe (PID: 1776)
      • MEmuDrvInst.exe (PID: 1928)
      • AvEmUpdate.exe (PID: 1836)
      • SetupInf.exe (PID: 2472)
      • drvinst.exe (PID: 2736)
      • AvastSvc.exe (PID: 4036)
      • instup.exe (PID: 2624)
      • aswOfferTool.exe (PID: 2992)

    • Checks supported languages

      • MEmu-setup-abroad-sdk.exe (PID: 2476)
      • cookie_mmm_irs_ppi_005_888_d.exe (PID: 2788)
      • DismHost.exe (PID: 2956)
      • avast_secure_browser_setup.exe (PID: 4076)
      • AvastBrowserUpdateSetup.exe (PID: 2700)
      • AvastBrowserUpdate.exe (PID: 1776)
      • avast_free_antivirus_setup_online.exe (PID: 4048)
      • Instup.exe (PID: 2620)
      • AvastBrowserUpdate.exe (PID: 2792)
      • AvastBrowserUpdate.exe (PID: 2996)
      • AvastBrowserUpdate.exe (PID: 2164)
      • AvastBrowserUpdate.exe (PID: 492)
      • AvastBrowserUpdate.exe (PID: 2808)
      • instup.exe (PID: 2320)
      • AvastBrowserInstaller.exe (PID: 288)
      • setup.exe (PID: 1976)
      • setup.exe (PID: 1404)
      • sbr.exe (PID: 3528)
      • Setup.exe (PID: 2112)
      • AvastBrowserCrashHandler.exe (PID: 2464)
      • 7za.exe (PID: 1496)
      • AvastBrowser.exe (PID: 3908)
      • AvastBrowser.exe (PID: 3216)
      • AvastBrowser.exe (PID: 3944)
      • elevation_service.exe (PID: 3384)
      • AvastBrowser.exe (PID: 2032)
      • AvastBrowser.exe (PID: 924)
      • AvastBrowser.exe (PID: 3576)
      • AvastBrowser.exe (PID: 2468)
      • AvastBrowser.exe (PID: 3372)
      • elevation_service.exe (PID: 3240)
      • elevation_service.exe (PID: 2472)
      • setup.exe (PID: 2096)
      • setup.exe (PID: 3436)
      • AvastBrowser.exe (PID: 2036)
      • AvastBrowser.exe (PID: 2680)
      • AvastBrowser.exe (PID: 3564)
      • elevation_service.exe (PID: 3768)
      • elevation_service.exe (PID: 1892)
      • 7za.exe (PID: 3016)
      • 7za.exe (PID: 1776)
      • MEmuDrvInst.exe (PID: 1928)
      • MEmuManage.exe (PID: 3012)
      • MEmuSVC.exe (PID: 4020)
      • MEmuSVC.exe (PID: 2852)
      • MEmuSVC.exe (PID: 2276)
      • MemuService.exe (PID: 2720)
      • MEmuSVC.exe (PID: 1196)
      • MEmuSVC.exe (PID: 4092)
      • MEmuRepair.exe (PID: 2336)
      • MEmuManage.exe (PID: 2108)
      • SetupInf.exe (PID: 3696)
      • SetupInf.exe (PID: 1288)
      • AvEmUpdate.exe (PID: 3760)
      • SetupInf.exe (PID: 956)
      • SetupInf.exe (PID: 3876)
      • AvEmUpdate.exe (PID: 2588)
      • AvEmUpdate.exe (PID: 1836)
      • AvEmUpdate.exe (PID: 3052)
      • 7za.exe (PID: 948)
      • SetupInf.exe (PID: 2472)
      • SetupInf.exe (PID: 2856)
      • drvinst.exe (PID: 2736)
      • RegSvr.exe (PID: 3452)
      • AvastNM.exe (PID: 2604)
      • overseer.exe (PID: 3872)
      • engsup.exe (PID: 3572)
      • wsc_proxy.exe (PID: 2136)
      • wsc_proxy.exe (PID: 3252)
      • AvastSvc.exe (PID: 4036)
      • aswToolsSvc.exe (PID: 2068)
      • engsup.exe (PID: 4064)
      • aswEngSrv.exe (PID: 1576)
      • instup.exe (PID: 2624)
      • instup.exe (PID: 3316)
      • keytool.exe (PID: 672)
      • keytool.exe (PID: 3732)
      • MEmuManage.exe (PID: 912)
      • MEmuSVC.exe (PID: 3192)
      • MEmuc.exe (PID: 2528)
      • MEmuConsole.exe (PID: 2472)
      • MEmuSVC.exe (PID: 2144)
      • MEmuManage.exe (PID: 1608)
      • MEmu.exe (PID: 3356)
      • AvEmUpdate.exe (PID: 904)
      • MEmuSVC.exe (PID: 3408)
      • MEmuManage.exe (PID: 1836)
      • MEmuManage.exe (PID: 1000)
      • MEmuSVC.exe (PID: 1608)
      • AvastUI.exe (PID: 1400)
      • aswOfferTool.exe (PID: 2992)
      • aswOfferTool.exe (PID: 1020)
      • AvastUI.exe (PID: 2744)
      • AvastUI.exe (PID: 2168)
      • AvastUI.exe (PID: 1396)
      • AvastUI.exe (PID: 2492)
      • AvastUI.exe (PID: 284)
      • MEmu.exe (PID: 4404)
      • screenrecord.exe (PID: 4396)
      • AvastBrowser.exe (PID: 4580)
      • AvastBrowser.exe (PID: 4612)
      • AvastBrowser.exe (PID: 4780)
      • AvastBrowser.exe (PID: 4844)
      • elevation_service.exe (PID: 4868)
      • AvastBrowser.exe (PID: 4980)
      • AvastBrowser.exe (PID: 4988)
      • elevation_service.exe (PID: 5000)
      • AvastBrowser.exe (PID: 5056)
      • AvastBrowser.exe (PID: 5412)
      • AvastBrowser.exe (PID: 5532)
      • AvastBrowser.exe (PID: 5540)
      • AvastBrowser.exe (PID: 5116)
      • AvastBrowser.exe (PID: 5108)
      • AvastBrowser.exe (PID: 5676)
      • AvastBrowser.exe (PID: 5800)
      • AvastBrowser.exe (PID: 5812)
      • AvastBrowser.exe (PID: 5892)
      • AvastBrowser.exe (PID: 5944)
      • AvastBrowser.exe (PID: 5968)
      • AvastBrowser.exe (PID: 6108)
      • AvastBrowser.exe (PID: 4204)
      • AvastBrowser.exe (PID: 1156)
      • AvastBrowser.exe (PID: 1880)
      • AvastBrowser.exe (PID: 3236)
      • AvastBrowser.exe (PID: 5956)
      • AvastBrowser.exe (PID: 4408)
      • AvastBrowser.exe (PID: 4516)
      • AvastBrowser.exe (PID: 2368)
      • AvastBrowser.exe (PID: 344)
      • AvastBrowser.exe (PID: 4532)
      • AvastBrowser.exe (PID: 4736)
      • AvastBrowser.exe (PID: 4916)
      • AvastBrowser.exe (PID: 5080)
      • AvastBrowser.exe (PID: 5072)
      • AvastBrowser.exe (PID: 5384)
      • AvastBrowser.exe (PID: 2600)
      • AvastBrowser.exe (PID: 4504)
      • AvastBrowser.exe (PID: 5848)
      • AvastBrowser.exe (PID: 4300)
      • AvastBrowser.exe (PID: 5000)
      • AvastBrowser.exe (PID: 5824)
      • AvastBrowser.exe (PID: 5980)
      • AvastBrowser.exe (PID: 5948)
      • AvastBrowser.exe (PID: 5972)
      • AvastBrowser.exe (PID: 6088)
      • AvastBrowser.exe (PID: 6064)
      • AvastBrowser.exe (PID: 6132)
      • AvastBrowser.exe (PID: 5852)
      • AvastBrowser.exe (PID: 4216)
      • AvastBrowser.exe (PID: 5276)
      • AvastBrowser.exe (PID: 2584)
      • AvastBrowser.exe (PID: 3180)
      • AvastBrowser.exe (PID: 4484)
      • AvastBrowser.exe (PID: 4364)
      • AvastBrowser.exe (PID: 3824)
      • AvastBrowser.exe (PID: 3904)
      • AvastBrowser.exe (PID: 4432)
      • AvastBrowser.exe (PID: 4928)
      • AvastBrowser.exe (PID: 2860)
      • AvastBrowser.exe (PID: 2112)
      • AvastBrowser.exe (PID: 3684)
      • AvastBrowser.exe (PID: 2388)
      • AvastBrowser.exe (PID: 5888)
      • AvastNM.exe (PID: 2284)
      • AvastNM.exe (PID: 6064)
      • AvastBrowser.exe (PID: 5900)
      • AvastBrowser.exe (PID: 4768)

    • Reads the computer name

      • MEmu-setup-abroad-sdk.exe (PID: 2476)
      • DismHost.exe (PID: 2956)
      • avast_secure_browser_setup.exe (PID: 4076)
      • cookie_mmm_irs_ppi_005_888_d.exe (PID: 2788)
      • AvastBrowserUpdate.exe (PID: 1776)
      • avast_free_antivirus_setup_online.exe (PID: 4048)
      • Instup.exe (PID: 2620)
      • AvastBrowserUpdate.exe (PID: 2792)
      • AvastBrowserUpdate.exe (PID: 2164)
      • AvastBrowserUpdate.exe (PID: 492)
      • AvastBrowserUpdate.exe (PID: 2808)
      • instup.exe (PID: 2320)
      • AvastBrowserInstaller.exe (PID: 288)
      • setup.exe (PID: 1976)
      • Setup.exe (PID: 2112)
      • 7za.exe (PID: 1496)
      • AvastBrowser.exe (PID: 3908)
      • AvastBrowser.exe (PID: 3944)
      • elevation_service.exe (PID: 3384)
      • AvastBrowser.exe (PID: 2032)
      • AvastBrowser.exe (PID: 3576)
      • elevation_service.exe (PID: 3240)
      • AvastBrowser.exe (PID: 3372)
      • elevation_service.exe (PID: 2472)
      • setup.exe (PID: 2096)
      • AvastBrowser.exe (PID: 2036)
      • AvastBrowser.exe (PID: 3564)
      • elevation_service.exe (PID: 1892)
      • elevation_service.exe (PID: 3768)
      • 7za.exe (PID: 3016)
      • 7za.exe (PID: 1776)
      • MEmuDrvInst.exe (PID: 1928)
      • MEmuManage.exe (PID: 3012)
      • MEmuSVC.exe (PID: 4020)
      • MemuService.exe (PID: 2720)
      • MEmuSVC.exe (PID: 1196)
      • MEmuSVC.exe (PID: 4092)
      • MEmuRepair.exe (PID: 2336)
      • MEmuManage.exe (PID: 2108)
      • SetupInf.exe (PID: 1288)
      • SetupInf.exe (PID: 3696)
      • SetupInf.exe (PID: 3876)
      • AvEmUpdate.exe (PID: 3760)
      • SetupInf.exe (PID: 956)
      • AvEmUpdate.exe (PID: 1836)
      • AvEmUpdate.exe (PID: 2588)
      • AvEmUpdate.exe (PID: 3052)
      • SetupInf.exe (PID: 2856)
      • 7za.exe (PID: 948)
      • SetupInf.exe (PID: 2472)
      • drvinst.exe (PID: 2736)
      • RegSvr.exe (PID: 3452)
      • overseer.exe (PID: 3872)
      • wsc_proxy.exe (PID: 2136)
      • wsc_proxy.exe (PID: 3252)
      • AvastSvc.exe (PID: 4036)
      • aswToolsSvc.exe (PID: 2068)
      • engsup.exe (PID: 4064)
      • instup.exe (PID: 2624)
      • instup.exe (PID: 3316)
      • MEmuManage.exe (PID: 912)
      • MEmuSVC.exe (PID: 3192)
      • MEmuConsole.exe (PID: 2472)
      • MEmuSVC.exe (PID: 2144)
      • MEmuManage.exe (PID: 1608)
      • AvEmUpdate.exe (PID: 904)
      • MEmuSVC.exe (PID: 3408)
      • MEmu.exe (PID: 3356)
      • MEmuManage.exe (PID: 1836)
      • MEmuManage.exe (PID: 1000)
      • AvastUI.exe (PID: 1400)
      • AvastUI.exe (PID: 1396)
      • AvastUI.exe (PID: 2744)
      • AvastUI.exe (PID: 2168)
      • AvastUI.exe (PID: 2492)
      • AvastUI.exe (PID: 284)
      • MEmuSVC.exe (PID: 1608)
      • MEmu.exe (PID: 4404)
      • screenrecord.exe (PID: 4396)
      • AvastBrowser.exe (PID: 4580)
      • AvastBrowser.exe (PID: 4768)
      • AvastBrowser.exe (PID: 4780)
      • elevation_service.exe (PID: 4868)
      • elevation_service.exe (PID: 5000)
      • AvastBrowser.exe (PID: 5412)
      • AvastBrowser.exe (PID: 5116)
      • AvastBrowser.exe (PID: 5800)
      • AvastBrowser.exe (PID: 5892)
      • AvastNM.exe (PID: 2284)
      • AvastNM.exe (PID: 6064)

    • Create files in a temporary directory

      • MEmu-setup-abroad-sdk.exe (PID: 2476)
      • Dism.exe (PID: 2796)
      • avast_secure_browser_setup.exe (PID: 4076)
      • AvastBrowserUpdate.exe (PID: 2808)
      • SetupInf.exe (PID: 2472)
      • engsup.exe (PID: 4064)
      • MEmuConsole.exe (PID: 2472)
      • AvastUI.exe (PID: 1400)
      • AvastBrowser.exe (PID: 4580)

    • Reads Environment values

      • MEmu-setup-abroad-sdk.exe (PID: 2476)
      • avast_secure_browser_setup.exe (PID: 4076)
      • Instup.exe (PID: 2620)
      • instup.exe (PID: 2320)
      • AvastBrowser.exe (PID: 3908)
      • AvastBrowser.exe (PID: 3576)
      • AvastBrowser.exe (PID: 2036)
      • AvEmUpdate.exe (PID: 3760)
      • AvEmUpdate.exe (PID: 2588)
      • AvEmUpdate.exe (PID: 1836)
      • AvEmUpdate.exe (PID: 3052)
      • AvastSvc.exe (PID: 4036)
      • aswToolsSvc.exe (PID: 2068)
      • instup.exe (PID: 2624)
      • instup.exe (PID: 3316)
      • AvEmUpdate.exe (PID: 904)
      • AvastUI.exe (PID: 1400)
      • AvastBrowser.exe (PID: 4580)

    • Reads the machine GUID from the registry

      • MEmu-setup-abroad-sdk.exe (PID: 2476)
      • DismHost.exe (PID: 2956)
      • cookie_mmm_irs_ppi_005_888_d.exe (PID: 2788)
      • avast_secure_browser_setup.exe (PID: 4076)
      • avast_free_antivirus_setup_online.exe (PID: 4048)
      • AvastBrowserUpdate.exe (PID: 1776)
      • Instup.exe (PID: 2620)
      • AvastBrowserUpdate.exe (PID: 492)
      • AvastBrowserUpdate.exe (PID: 2808)
      • AvastBrowserUpdate.exe (PID: 2164)
      • instup.exe (PID: 2320)
      • Setup.exe (PID: 2112)
      • setup.exe (PID: 1976)
      • AvastBrowser.exe (PID: 3908)
      • elevation_service.exe (PID: 3384)
      • AvastBrowser.exe (PID: 3576)
      • elevation_service.exe (PID: 3240)
      • elevation_service.exe (PID: 2472)
      • setup.exe (PID: 2096)
      • AvastBrowser.exe (PID: 2036)
      • elevation_service.exe (PID: 3768)
      • elevation_service.exe (PID: 1892)
      • MEmuDrvInst.exe (PID: 1928)
      • MEmuManage.exe (PID: 3012)
      • MEmuSVC.exe (PID: 4020)
      • MEmuSVC.exe (PID: 1196)
      • MEmuSVC.exe (PID: 4092)
      • MemuService.exe (PID: 2720)
      • MEmuManage.exe (PID: 2108)
      • SetupInf.exe (PID: 1288)
      • SetupInf.exe (PID: 3696)
      • SetupInf.exe (PID: 956)
      • SetupInf.exe (PID: 3876)
      • AvEmUpdate.exe (PID: 1836)
      • AvEmUpdate.exe (PID: 3760)
      • AvEmUpdate.exe (PID: 2588)
      • AvEmUpdate.exe (PID: 3052)
      • SetupInf.exe (PID: 2856)
      • SetupInf.exe (PID: 2472)
      • drvinst.exe (PID: 2736)
      • RegSvr.exe (PID: 3452)
      • overseer.exe (PID: 3872)
      • wsc_proxy.exe (PID: 3252)
      • wsc_proxy.exe (PID: 2136)
      • AvastSvc.exe (PID: 4036)
      • aswToolsSvc.exe (PID: 2068)
      • instup.exe (PID: 2624)
      • instup.exe (PID: 3316)
      • MEmuManage.exe (PID: 1608)
      • MEmuConsole.exe (PID: 2472)
      • MEmuSVC.exe (PID: 2144)
      • MEmuSVC.exe (PID: 3192)
      • MEmu.exe (PID: 3356)
      • MEmuSVC.exe (PID: 3408)
      • MEmuManage.exe (PID: 1836)
      • MEmuManage.exe (PID: 1000)
      • AvEmUpdate.exe (PID: 904)
      • AvastUI.exe (PID: 1400)
      • AvastUI.exe (PID: 2168)
      • AvastUI.exe (PID: 2492)
      • AvastUI.exe (PID: 1396)
      • AvastUI.exe (PID: 284)
      • AvastUI.exe (PID: 2744)
      • MEmuSVC.exe (PID: 1608)
      • AvastBrowser.exe (PID: 4580)
      • elevation_service.exe (PID: 4868)
      • elevation_service.exe (PID: 5000)
      • AvastBrowser.exe (PID: 5892)
      • MEmuManage.exe (PID: 912)

    • Disables trace logs

      • MEmu-setup-abroad-sdk.exe (PID: 2476)

    • Reads the software policy settings

      • MEmu-setup-abroad-sdk.exe (PID: 2476)
      • cookie_mmm_irs_ppi_005_888_d.exe (PID: 2788)
      • avast_secure_browser_setup.exe (PID: 4076)
      • avast_free_antivirus_setup_online.exe (PID: 4048)
      • Instup.exe (PID: 2620)
      • AvastBrowserUpdate.exe (PID: 2164)
      • AvastBrowserUpdate.exe (PID: 2808)
      • instup.exe (PID: 2320)
      • MEmuDrvInst.exe (PID: 1928)
      • AvEmUpdate.exe (PID: 1836)
      • AvEmUpdate.exe (PID: 2588)
      • AvEmUpdate.exe (PID: 3052)
      • drvinst.exe (PID: 2736)
      • instup.exe (PID: 2624)
      • AvastSvc.exe (PID: 4036)
      • AvEmUpdate.exe (PID: 904)
      • AvastUI.exe (PID: 1400)

    • Creates files or folders in the user directory

      • MEmu-setup-abroad-sdk.exe (PID: 2476)
      • avast_secure_browser_setup.exe (PID: 4076)
      • AvastBrowser.exe (PID: 3908)
      • AvastBrowser.exe (PID: 3944)
      • AvastBrowser.exe (PID: 3576)
      • AvastBrowser.exe (PID: 2468)
      • setup.exe (PID: 2096)
      • AvastBrowser.exe (PID: 2680)
      • AvastBrowser.exe (PID: 2036)
      • AvastBrowser.exe (PID: 3564)
      • AvastUI.exe (PID: 1400)
      • AvastUI.exe (PID: 2744)
      • Setup.exe (PID: 2112)
      • AvastBrowser.exe (PID: 4612)
      • AvastBrowser.exe (PID: 4580)
      • AvastBrowser.exe (PID: 4780)
      • AvastBrowser.exe (PID: 5812)

    • UPX packer has been detected

      • MEmu-setup-abroad-sdk.exe (PID: 2476)
      • AvastSvc.exe (PID: 4036)
      • aswEngSrv.exe (PID: 1576)

    • Process checks computer location settings

      • avast_secure_browser_setup.exe (PID: 4076)
      • AvastBrowser.exe (PID: 3908)
      • AvastBrowser.exe (PID: 3576)
      • AvastBrowser.exe (PID: 2036)
      • AvastUI.exe (PID: 1400)
      • AvastUI.exe (PID: 2492)
      • AvastUI.exe (PID: 2168)
      • AvastBrowser.exe (PID: 4580)
      • AvastBrowser.exe (PID: 4988)
      • AvastBrowser.exe (PID: 4980)
      • AvastBrowser.exe (PID: 5056)
      • AvastBrowser.exe (PID: 5532)
      • AvastBrowser.exe (PID: 5108)
      • AvastBrowser.exe (PID: 5540)
      • AvastBrowser.exe (PID: 4916)
      • AvastBrowser.exe (PID: 2388)
      • AvastBrowser.exe (PID: 4432)
      • AvastBrowser.exe (PID: 4928)
      • AvastBrowser.exe (PID: 4364)
      • AvastBrowser.exe (PID: 5888)
      • AvastBrowser.exe (PID: 2860)

    • Checks proxy server information

      • avast_secure_browser_setup.exe (PID: 4076)
      • Instup.exe (PID: 2620)
      • instup.exe (PID: 2320)

    • The sample compiled with arabic language support

      • MEmu-setup-abroad-sdk.exe (PID: 2476)
      • AvastBrowserUpdateSetup.exe (PID: 2700)
      • AvastBrowserUpdate.exe (PID: 1776)
      • avast_secure_browser_setup.exe (PID: 4076)

    • The sample compiled with Indonesian language support

      • AvastBrowserUpdateSetup.exe (PID: 2700)
      • AvastBrowserUpdate.exe (PID: 1776)

    • The sample compiled with bulgarian language support

      • AvastBrowserUpdateSetup.exe (PID: 2700)
      • AvastBrowserUpdate.exe (PID: 1776)

    • The sample compiled with czech language support

      • AvastBrowserUpdateSetup.exe (PID: 2700)
      • AvastBrowserUpdate.exe (PID: 1776)
      • instup.exe (PID: 2320)

    • Creates files in the program directory

      • AvastBrowserUpdateSetup.exe (PID: 2700)
      • AvastBrowserUpdate.exe (PID: 1776)
      • avast_free_antivirus_setup_online.exe (PID: 4048)
      • Instup.exe (PID: 2620)
      • AvastBrowserUpdate.exe (PID: 2808)
      • AvastBrowserInstaller.exe (PID: 288)
      • setup.exe (PID: 1976)
      • MEmu-setup-abroad-sdk.exe (PID: 2476)
      • instup.exe (PID: 2320)
      • Setup.exe (PID: 2112)
      • avast_secure_browser_setup.exe (PID: 4076)
      • 7za.exe (PID: 1496)
      • setup.exe (PID: 2096)
      • 7za.exe (PID: 3016)
      • 7za.exe (PID: 1776)
      • MemuService.exe (PID: 2720)
      • AvEmUpdate.exe (PID: 3760)
      • AvEmUpdate.exe (PID: 1836)
      • 7za.exe (PID: 948)
      • AvastNM.exe (PID: 2604)
      • engsup.exe (PID: 3572)
      • wsc_proxy.exe (PID: 2136)
      • AvastSvc.exe (PID: 4036)
      • aswToolsSvc.exe (PID: 2068)
      • engsup.exe (PID: 4064)
      • instup.exe (PID: 2624)
      • instup.exe (PID: 3316)
      • keytool.exe (PID: 672)
      • MEmuConsole.exe (PID: 2472)
      • MEmuSVC.exe (PID: 2144)
      • MEmuSVC.exe (PID: 3408)
      • AvastUI.exe (PID: 1400)
      • aswOfferTool.exe (PID: 2992)

    • The sample compiled with french language support

      • AvastBrowserUpdateSetup.exe (PID: 2700)
      • AvastBrowserUpdate.exe (PID: 1776)

    • The sample compiled with german language support

      • AvastBrowserUpdateSetup.exe (PID: 2700)
      • AvastBrowserUpdate.exe (PID: 1776)

    • The sample compiled with Italian language support

      • AvastBrowserUpdateSetup.exe (PID: 2700)
      • AvastBrowserUpdate.exe (PID: 1776)

    • The sample compiled with japanese language support

      • AvastBrowserUpdateSetup.exe (PID: 2700)
      • AvastBrowserUpdate.exe (PID: 1776)

    • The sample compiled with korean language support

      • AvastBrowserUpdateSetup.exe (PID: 2700)
      • AvastBrowserUpdate.exe (PID: 1776)

    • The sample compiled with polish language support

      • AvastBrowserUpdateSetup.exe (PID: 2700)
      • AvastBrowserUpdate.exe (PID: 1776)

    • The sample compiled with portuguese language support

      • AvastBrowserUpdateSetup.exe (PID: 2700)
      • AvastBrowserUpdate.exe (PID: 1776)

    • The sample compiled with swedish language support

      • AvastBrowserUpdateSetup.exe (PID: 2700)
      • AvastBrowserUpdate.exe (PID: 1776)

    • The sample compiled with turkish language support

      • AvastBrowserUpdateSetup.exe (PID: 2700)
      • AvastBrowserUpdate.exe (PID: 1776)

    • The sample compiled with russian language support

      • AvastBrowserUpdateSetup.exe (PID: 2700)
      • AvastBrowserUpdate.exe (PID: 1776)

    • The sample compiled with slovak language support

      • AvastBrowserUpdateSetup.exe (PID: 2700)
      • AvastBrowserUpdate.exe (PID: 1776)

    • The sample compiled with chinese language support

      • AvastBrowserUpdateSetup.exe (PID: 2700)
      • AvastBrowserUpdate.exe (PID: 1776)

    • Reads CPU info

      • avast_free_antivirus_setup_online.exe (PID: 4048)
      • Instup.exe (PID: 2620)
      • instup.exe (PID: 2320)
      • Setup.exe (PID: 2112)
      • MEmuRepair.exe (PID: 2336)
      • SetupInf.exe (PID: 3696)
      • SetupInf.exe (PID: 1288)
      • SetupInf.exe (PID: 3876)
      • AvEmUpdate.exe (PID: 3760)
      • SetupInf.exe (PID: 956)
      • AvEmUpdate.exe (PID: 1836)
      • AvEmUpdate.exe (PID: 2588)
      • AvEmUpdate.exe (PID: 3052)
      • SetupInf.exe (PID: 2856)
      • SetupInf.exe (PID: 2472)
      • RegSvr.exe (PID: 3452)
      • AvastNM.exe (PID: 2604)
      • engsup.exe (PID: 3572)
      • wsc_proxy.exe (PID: 2136)
      • wsc_proxy.exe (PID: 3252)
      • AvastSvc.exe (PID: 4036)
      • aswToolsSvc.exe (PID: 2068)
      • engsup.exe (PID: 4064)
      • aswEngSrv.exe (PID: 1576)
      • instup.exe (PID: 2624)
      • instup.exe (PID: 3316)
      • MEmuConsole.exe (PID: 2472)
      • AvEmUpdate.exe (PID: 904)
      • AvastUI.exe (PID: 1400)
      • AvastUI.exe (PID: 2168)
      • AvastUI.exe (PID: 2492)
      • AvastUI.exe (PID: 1396)
      • AvastUI.exe (PID: 2744)
      • AvastUI.exe (PID: 284)
      • MEmu.exe (PID: 4404)
      • AvastNM.exe (PID: 6064)
      • AvastNM.exe (PID: 2284)

    • Launching a file from a Registry key

      • instup.exe (PID: 2320)
      • setup.exe (PID: 1976)
      • instup.exe (PID: 2624)
      • AvastBrowser.exe (PID: 4580)

    • Process checks whether UAC notifications are on

      • avast_secure_browser_setup.exe (PID: 4076)
      • AvastSvc.exe (PID: 4036)

    • Potential remote process memory writing (Base64 Encoded 'WriteProcessMemory')

      • AvastSvc.exe (PID: 4036)

    • Found Base64 encoded network access via PowerShell (YARA)

      • AvastSvc.exe (PID: 4036)

    • Themida protector has been detected

      • AvastSvc.exe (PID: 4036)
      • aswEngSrv.exe (PID: 1576)

    • Detects InnoSetup installer (YARA)

      • AvastSvc.exe (PID: 4036)
      • aswEngSrv.exe (PID: 1576)

    • Aspack has been detected

      • AvastSvc.exe (PID: 4036)
      • aswEngSrv.exe (PID: 1576)

    • PECompact has been detected (YARA)

      • AvastSvc.exe (PID: 4036)
      • aswEngSrv.exe (PID: 1576)

    • Detects AutoHotkey samples (YARA)

      • AvastSvc.exe (PID: 4036)
      • aswEngSrv.exe (PID: 1576)

    • Reads security settings of Internet Explorer

      • cscript.exe (PID: 4072)

    • Manual execution by a user

      • AvastUI.exe (PID: 1400)

    • Reads the Internet Settings

      • explorer.exe (PID: 4464)
      • explorer.exe (PID: 4544)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

xor-url

(PID) Process(4036) AvastSvc.exe
Decrypted-URLs (1)http://api.xxxxxxxxxxxx
Decrypted-URLs (13)http://automation.whatismyip.com/~
http://cl.ly/;m
http://dl.dropbox.com/u/
http://dl.dropbox.com/u/5
http://goo.gl/GZle0
http://loltrain.com
http://meatspin.com
http://netdhc.com/
http://pastebin.com/raw.php?
http://update.i9
http://www.4shared.com/download/
http://www.engine-search.biz
http://www.momocell.com/log/install.php?mac=
(PID) Process(1576) aswEngSrv.exe
Decrypted-URLs (1)http://api.xxxxxxxxxxxx
Decrypted-URLs (13)http://automation.whatismyip.com/~
http://cl.ly/;m
http://dl.dropbox.com/u/
http://dl.dropbox.com/u/5
http://goo.gl/GZle0
http://loltrain.com
http://meatspin.com
http://netdhc.com/
http://pastebin.com/raw.php?
http://update.i9
http://www.4shared.com/download/
http://www.engine-search.biz
http://www.momocell.com/log/install.php?mac=
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (30.7)
.exe | UPX compressed Win32 Executable (30.1)
.exe | Win32 EXE Yoda's Crypter (29.5)
.exe | Win32 Executable (generic) (5)
.exe | Generic Win/DOS Executable (2.2)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2021:09:15 03:55:39+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 10
CodeSize: 13860864
InitializedDataSize: 188416
UninitializedDataSize: 6393856
EntryPoint: 0x1351c80
OSVersion: 5.1
ImageVersion: -
SubsystemVersion: 5.1
Subsystem: Windows GUI
FileVersionNumber: 7.0.0.0
ProductVersionNumber: 7.0.0.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Windows NT
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: ASCII
CompanyName: Microvirt Software Technology Co. Ltd.
FileDescription: MEmu Installer
FileVersion: 7.0.0.0
InternalName: MEmuSetup.exe
LegalCopyright: Copyright (C) 2020 Microvirt Software Technology Co. Ltd. All rights reserved
OriginalFileName: MEmuSetup.exe
ProductName: MEmu Installer
ProductVersion: 7.0.0.0
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
315
Monitored processes
213
Malicious processes
145
Suspicious processes
0

Behavior graph

Click at the process to see the details
start memu-setup-abroad-sdk.exe dism.exe dismhost.exe cookie_mmm_irs_ppi_005_888_d.exe avast_secure_browser_setup.exe avastbrowserupdatesetup.exe avastbrowserupdate.exe avast_free_antivirus_setup_online.exe avastbrowserupdate.exe no specs avastbrowserupdate.exe no specs instup.exe avastbrowserupdate.exe avastbrowserupdate.exe no specs avastbrowserupdate.exe avastbrowserinstaller.exe instup.exe setup.exe setup.exe no specs setup.exe sbr.exe no specs avastbrowsercrashhandler.exe no specs sc.exe no specs sc.exe no specs sc.exe no specs sc.exe no specs sc.exe no specs sc.exe no specs sc.exe no specs sc.exe no specs sc.exe no specs sc.exe no specs sc.exe no specs sc.exe no specs sc.exe no specs sc.exe no specs sc.exe no specs sc.exe no specs sc.exe no specs sc.exe no specs 7za.exe avastbrowser.exe avastbrowser.exe avastbrowser.exe elevation_service.exe no specs avastbrowser.exe #DISCORDGRABBER avastbrowser.exe no specs avastbrowser.exe avastbrowser.exe avastbrowser.exe no specs elevation_service.exe no specs elevation_service.exe no specs setup.exe no specs setup.exe no specs avastbrowser.exe avastbrowser.exe avastbrowser.exe elevation_service.exe no specs elevation_service.exe no specs 7za.exe 7za.exe sc.exe no specs memudrvinst.exe sc.exe no specs sc.exe no specs memumanage.exe no specs memusvc.exe no specs memusvc.exe no specs regsvr32.exe no specs regsvr32.exe no specs memusvc.exe no specs regsvr32.exe no specs regsvr32.exe no specs sc.exe no specs sc.exe no specs sc.exe no specs sc.exe no specs memuservice.exe no specs cscript.exe no specs memusvc.exe no specs sc.exe no specs sc.exe no specs sc.exe no specs sc.exe no specs sc.exe no specs sc.exe no specs sc.exe no specs sc.exe no specs memumanage.exe no specs memusvc.exe no specs memurepair.exe setupinf.exe no specs setupinf.exe no specs setupinf.exe no specs setupinf.exe no specs avemupdate.exe no specs avemupdate.exe avemupdate.exe avemupdate.exe setupinf.exe no specs 7za.exe no specs setupinf.exe drvinst.exe regsvr.exe no specs avastnm.exe no specs overseer.exe engsup.exe no specs wsc_proxy.exe no specs wsc_proxy.exe no specs #XOR-URL avastsvc.exe aswtoolssvc.exe engsup.exe #XOR-URL aswengsrv.exe instup.exe instup.exe keytool.exe no specs icacls.exe no specs keytool.exe no specs memumanage.exe no specs memusvc.exe no specs memumanage.exe no specs memuc.exe no specs memuconsole.exe memusvc.exe no specs cscript.exe no specs memu.exe no specs memusvc.exe no specs memumanage.exe no specs memumanage.exe no specs memusvc.exe no specs avemupdate.exe #PIKABOT avastui.exe aswoffertool.exe aswoffertool.exe no specs avastui.exe avastui.exe no specs avastui.exe avastui.exe no specs avastui.exe no specs screenrecord.exe no specs memu.exe explorer.exe no specs explorer.exe no specs avastbrowser.exe avastbrowser.exe avastbrowser.exe no specs avastbrowser.exe avastbrowser.exe no specs elevation_service.exe no specs avastbrowser.exe no specs avastbrowser.exe no specs elevation_service.exe no specs avastbrowser.exe no specs avastbrowser.exe no specs avastbrowser.exe no specs avastbrowser.exe no specs avastbrowser.exe no specs avastbrowser.exe no specs avastbrowser.exe no specs avastbrowser.exe no specs avastbrowser.exe avastbrowser.exe no specs avastbrowser.exe no specs avastbrowser.exe no specs avastbrowser.exe no specs avastbrowser.exe no specs avastbrowser.exe no specs avastbrowser.exe no specs avastbrowser.exe no specs avastbrowser.exe no specs avastbrowser.exe no specs avastbrowser.exe no specs avastbrowser.exe no specs avastbrowser.exe no specs avastbrowser.exe no specs avastbrowser.exe no specs avastbrowser.exe no specs avastbrowser.exe no specs avastbrowser.exe no specs avastbrowser.exe no specs avastbrowser.exe no specs avastbrowser.exe no specs avastbrowser.exe no specs avastbrowser.exe no specs avastbrowser.exe no specs avastbrowser.exe no specs avastbrowser.exe no specs avastbrowser.exe no specs avastbrowser.exe no specs avastbrowser.exe no specs avastbrowser.exe no specs avastbrowser.exe no specs avastbrowser.exe no specs avastbrowser.exe no specs avastbrowser.exe no specs avastbrowser.exe no specs avastbrowser.exe no specs avastbrowser.exe no specs avastbrowser.exe no specs avastbrowser.exe no specs avastbrowser.exe no specs avastbrowser.exe no specs avastbrowser.exe no specs avastbrowser.exe no specs avastbrowser.exe no specs avastbrowser.exe no specs avastbrowser.exe no specs avastbrowser.exe no specs avastbrowser.exe no specs cmd.exe no specs cmd.exe no specs avastnm.exe no specs avastnm.exe no specs memu-setup-abroad-sdk.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
268C:\Windows\System32\sc query MEmuDrvC:\Windows\System32\sc.exeSetup.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
A tool to aid in developing services for WindowsNT
Exit code:
1060
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\sc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
284"C:\Program Files\Avast Software\Avast\AvastUI.exe" --type=gpu-process --field-trial-handle=7816,5625873847328384856,3783433607975289427,131072 --disable-features=CalculateNativeWinOcclusion,CookiesWithoutSameSiteMustBeSecure,SameSiteByDefaultCookies,SameSiteDefaultChecksMethodRigorously --no-sandbox --disable-gpu-driver-bug-workarounds --log-file="C:\Users\admin\AppData\Roaming\Avast Software\Avast\log\cef_log.txt" --log-severity=error --user-agent="Mozilla/5.0 AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.101 Safari/537.36 Avastium (0.0.0) (Windows 6.1)" --lang=en-US --disable-webaudio --force-wave-audio --disable-software-rasterizer --no-sandbox --blacklist-accelerated-compositing --disable-accelerated-2d-canvas --disable-accelerated-compositing --disable-accelerated-layers --disable-accelerated-video-decode --blacklist-webgl --disable-bundled-ppapi-flash --disable-flash-3d --enable-aggressive-domstorage-flushing --enable-media-stream --disable-gpu --disable-webgl --disable-gpu-compositing --allow-file-access-from-files=1 --pack_loading_disabled=1 --gpu-preferences=SAAAAAAAAADgAABwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --use-gl=swiftshader-webgl --log-file="C:\Users\admin\AppData\Roaming\Avast Software\Avast\log\cef_log.txt" --mojo-platform-channel-handle=7844 /prefetch:2C:\Program Files\AVAST Software\Avast\AvastUI.exe
AvastUI.exe
User:
admin
Company:
Gen Digital Inc.
Integrity Level:
MEDIUM
Description:
Avast Antivirus
Version:
25.5.10141.0
Modules
Images
c:\program files\avast software\avast\avastui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\avast software\avast\aavmrpch.dll
c:\windows\system32\rpcrt4.dll
c:\program files\avast software\avast\aswcmnbs.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
288"C:\Program Files\AVAST Software\Browser\Update\Install\{578AA0FA-BD95-43DC-971F-E744BA69E3B9}\AvastBrowserInstaller.exe" --chrome --do-not-launch-chrome --hide-browser-override --show-developer-mode --suppress-first-run-bubbles --default-search-id=3 --default-search=bing.com --adblock-mode-default=0 --no-create-user-shortcuts --make-chrome-default --force-default-win10 --auto-import-data=msedge --import-cookies --system-levelC:\Program Files\AVAST Software\Browser\Update\Install\{578AA0FA-BD95-43DC-971F-E744BA69E3B9}\AvastBrowserInstaller.exe
AvastBrowserUpdate.exe
User:
admin
Company:
AVAST Software
Integrity Level:
HIGH
Description:
Avast Secure Browser Installer
Exit code:
0
Version:
109.0.25992.120
Modules
Images
c:\program files\avast software\browser\update\install\{578aa0fa-bd95-43dc-971f-e744ba69e3b9}\avastbrowserinstaller.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
344"C:\Program Files\AVAST Software\Browser\Application\AvastBrowser.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=1404 --field-trial-handle=1172,i,18130791919485430555,14242193346408705692,131072 /prefetch:8C:\Program Files\Avast Software\Browser\Application\AvastBrowser.exeAvastBrowser.exe
User:
admin
Company:
AVAST Software
Integrity Level:
LOW
Description:
Avast Secure Browser
Exit code:
0
Version:
109.0.25992.120
Modules
Images
c:\program files\avast software\browser\application\avastbrowser.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\avast software\browser\application\109.0.25992.120\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
492"C:\Program Files\AVAST Software\Browser\Update\AvastBrowserUpdate.exe" /handoff "bundlename=Avast Secure Browser&appguid={A8504530-742B-42BC-895D-2BAD6406F698}&appname=Avast Secure Browser&needsadmin=true&lang=en-US&brand=6233&installargs=--no-create-user-shortcuts --make-chrome-default --force-default-win10 --auto-import-data%3Dmsedge --import-cookies" /installsource otherinstallcmd /sessionid "{A1745CB0-9EBA-45D3-B835-E4D2AB57A3BA}" /silentC:\Program Files\AVAST Software\Browser\Update\AvastBrowserUpdate.exeAvastBrowserUpdate.exe
User:
admin
Company:
Gen Digital Inc.
Integrity Level:
HIGH
Description:
Avast Browser
Exit code:
0
Version:
1.8.1697.6
Modules
Images
c:\program files\avast software\browser\update\avastbrowserupdate.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
672"C:\Program Files\Java\jre1.8.0_271\bin\keytool.exe" -exportcert -alias "Avastsslscannerroot" -keystore "C:\Program Files\Java\jre1.8.0_271\lib\security\cacerts" -storepass changeitC:\Program Files\Java\jre1.8.0_271\bin\keytool.exeAvastSvc.exe
User:
SYSTEM
Company:
Oracle Corporation
Integrity Level:
SYSTEM
Description:
Java(TM) Platform SE binary
Exit code:
1
Version:
8.0.2710.9
Modules
Images
c:\program files\java\jre1.8.0_271\bin\keytool.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\java\jre1.8.0_271\bin\jli.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.24483_none_2b200f664577e14b\comctl32.dll
780C:\Windows\system32\sc start MEmuSVCC:\Windows\System32\sc.exeSetup.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
A tool to aid in developing services for WindowsNT
Exit code:
1056
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\sc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
904"C:\Program Files\Avast Software\Avast\AvEmUpdate.exe" /installer2C:\Program Files\AVAST Software\Avast\AvEmUpdate.exe
instup.exe
User:
admin
Company:
Gen Digital Inc.
Integrity Level:
HIGH
Description:
Avast Emergency Update
Exit code:
0
Version:
25.5.10141.0
Modules
Images
c:\program files\avast software\avast\avemupdate.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\winhttp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\webio.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\nsi.dll
912"C:\Program Files\Microvirt\MEmuHyperv\MEmuManage.exe" setproperty machinefolder "C:\Program Files\Microvirt\MEmu\MemuHyperv VMs"C:\Program Files\Microvirt\MEmuHyperv\MEmuManage.exeSetup.exe
User:
admin
Company:
Maiwei Corporation
Integrity Level:
HIGH
Description:
MemuHyperv Command Line Tool
Exit code:
0
Version:
5.1.34.121010
Modules
Images
c:\program files\microvirt\memuhyperv\memumanage.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\microvirt\memuhyperv\msvcr100.dll
c:\program files\microvirt\memuhyperv\msvcp100.dll
c:\windows\system32\ole32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
924"C:\Program Files\AVAST Software\Browser\Application\AvastBrowser.exe" --type=utility --utility-sub-type=chrome.mojom.ProfileImport --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1640 --field-trial-handle=1176,i,2686608698344251690,9703432073600143966,131072 /prefetch:8C:\Program Files\AVAST Software\Browser\Application\AvastBrowser.exe
AvastBrowser.exe
User:
admin
Company:
AVAST Software
Integrity Level:
MEDIUM
Description:
Avast Secure Browser
Exit code:
0
Version:
109.0.25992.120
Modules
Images
c:\program files\avast software\browser\application\avastbrowser.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\avast software\browser\application\109.0.25992.120\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
Total events
128 373
Read events
117 127
Write events
10 280
Delete events
966

Modification events

(PID) Process:(2476) MEmu-setup-abroad-sdk.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\MEmu-setup-abroad-sdk_RASAPI32
Operation:writeName:EnableFileTracing
Value:
0
(PID) Process:(2476) MEmu-setup-abroad-sdk.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\MEmu-setup-abroad-sdk_RASAPI32
Operation:writeName:EnableConsoleTracing
Value:
0
(PID) Process:(2476) MEmu-setup-abroad-sdk.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\MEmu-setup-abroad-sdk_RASAPI32
Operation:writeName:FileTracingMask
Value:
(PID) Process:(2476) MEmu-setup-abroad-sdk.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\MEmu-setup-abroad-sdk_RASAPI32
Operation:writeName:ConsoleTracingMask
Value:
(PID) Process:(2476) MEmu-setup-abroad-sdk.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\MEmu-setup-abroad-sdk_RASAPI32
Operation:writeName:MaxFileSize
Value:
1048576
(PID) Process:(2476) MEmu-setup-abroad-sdk.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\MEmu-setup-abroad-sdk_RASAPI32
Operation:writeName:FileDirectory
Value:
%windir%\tracing
(PID) Process:(2476) MEmu-setup-abroad-sdk.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\MEmu-setup-abroad-sdk_RASMANCS
Operation:writeName:EnableFileTracing
Value:
0
(PID) Process:(2476) MEmu-setup-abroad-sdk.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\MEmu-setup-abroad-sdk_RASMANCS
Operation:writeName:EnableConsoleTracing
Value:
0
(PID) Process:(2476) MEmu-setup-abroad-sdk.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\MEmu-setup-abroad-sdk_RASMANCS
Operation:writeName:FileTracingMask
Value:
(PID) Process:(2476) MEmu-setup-abroad-sdk.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\MEmu-setup-abroad-sdk_RASMANCS
Operation:writeName:ConsoleTracingMask
Value:
Executable files
1 013
Suspicious files
2 194
Text files
2 068
Unknown types
0

Dropped files

PID
Process
Filename
Type
2476MEmu-setup-abroad-sdk.exeC:\Users\admin\AppData\Local\Temp\MEmuSetup\normaliz.dllexecutable
MD5:25A38B00DF321C5684C175D9E5366963
SHA256:1ECB627D6532331316567C2E1A98A61F14720F02B03FA1B836C4A206442CD392
2476MEmu-setup-abroad-sdk.exeC:\Users\admin\AppData\Local\Temp\DotSetupSDK\DotSetupSDK.dllexecutable
MD5:FE67FEF5F0AFCC973A5DAA40F1DF14C5
SHA256:E8590980E8F3D57E8B2FE107EF2FBCE0020A2EAC018A64A007817888EBF04C54
2476MEmu-setup-abroad-sdk.exeC:\Users\admin\AppData\Local\Microvirt\setup\MEmuSetup.logtext
MD5:E78846E01BB445764086552C72CC2CAE
SHA256:A6FC640D534C7C3FAA6B4142EE8BB2700CB5990A19E660961F4C6D217A8C31FE
2796Dism.exeC:\Users\admin\AppData\Local\Temp\0D98FA15-5A59-41D9-B55D-304BF8B918B3\CbsProvider.dllexecutable
MD5:C5681F8A63C9544D2A6D93D5448606F5
SHA256:0FB263E9A01773710C2491CBBFD4A02848457030FEDC0023EAC6BACAB828D1EA
2796Dism.exeC:\Windows\Logs\DISM\dism.logcsv
MD5:A85BF453DD2F0D7BF5BFB9711FE0E3CF
SHA256:D7F5A50174293A1E43E51F8A9A6E69AEC635CF0087D5C0A3CB710F72038F4622
2476MEmu-setup-abroad-sdk.exeC:\Users\admin\AppData\Local\Temp\MEmuSetup\7za.exeexecutable
MD5:B9425918E9F7B8AFFB9952ED02E01285
SHA256:8A5E4CCE83CA7C08945348BFB13395109656079E99BC6445B62C4DAAE16FAA5D
2796Dism.exeC:\Users\admin\AppData\Local\Temp\0D98FA15-5A59-41D9-B55D-304BF8B918B3\DismHost.exeexecutable
MD5:5E2E337F6F942B63428DB19355D6742B
SHA256:F60406C5D01B22F95C7F7298498475F0930550CBBF6BB31EB01E1E565FA175AE
2796Dism.exeC:\Users\admin\AppData\Local\Temp\0D98FA15-5A59-41D9-B55D-304BF8B918B3\DismCore.dllexecutable
MD5:BAFED573EA730D8891EE7E8B96115411
SHA256:E9FE0C7A2FE4C2C19A4E55F52118A3A093E9EE6C0A48D9D4292D940F881A24E0
2796Dism.exeC:\Users\admin\AppData\Local\Temp\0D98FA15-5A59-41D9-B55D-304BF8B918B3\CompatProvider.dllexecutable
MD5:AA34ED1CEF804818B0C4BDAA5DF1A3E2
SHA256:67CAF507F943FDC69FEC6C153B38EE765D571C50900A8986CEE2DE566941D1EB
2796Dism.exeC:\Users\admin\AppData\Local\Temp\0D98FA15-5A59-41D9-B55D-304BF8B918B3\en-US\CbsProvider.dll.muiexecutable
MD5:3D3835F95630A5F46DEA1F7FD823E6A5
SHA256:D32B28B184439673E3AC94070453FAF69434DF29A064558015D2A3FCE2956CA4
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
123
TCP/UDP connections
325
DNS requests
256
Threats
67

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2620
Instup.exe
GET
200
2.16.168.119:80
http://n2833777.iavs9x.u.avast.com/iavs9x/prod-pgm.vpx
unknown
whitelisted
2476
MEmu-setup-abroad-sdk.exe
GET
200
118.253.168.216:80
http://www.xyaz.cn/install.php?op_name=acceptDot&from=7.0.0.0-abroad-online-sdk
unknown
whitelisted
2476
MEmu-setup-abroad-sdk.exe
GET
200
118.253.168.216:80
http://www.xyaz.cn/install.php?op_name=showDot&from=7.0.0.0-abroad-online-sdk
unknown
whitelisted
2476
MEmu-setup-abroad-sdk.exe
GET
200
118.253.168.216:80
http://www.xyaz.cn/install.php?op_name=acceptDot&from=7.0.0.0-abroad-online-sdk
unknown
whitelisted
2476
MEmu-setup-abroad-sdk.exe
GET
200
156.225.108.44:80
http://www.microvirt.com/new_market/service.php?action=getrelease&abroad=1
unknown
unknown
2476
MEmu-setup-abroad-sdk.exe
GET
302
18.173.187.24:80
http://www.memuplay.com/download-en.php?file_name=MEmu-Setup-9.2.3.0-haa98210ff&from=offline_installer
unknown
whitelisted
2476
MEmu-setup-abroad-sdk.exe
HEAD
200
108.138.36.42:80
http://dl.memuplay.com/download/MEmu-Setup-9.2.3.0-haa98210ff.exe
unknown
whitelisted
2476
MEmu-setup-abroad-sdk.exe
GET
200
118.253.168.216:80
http://www.xyaz.cn/install.php?op_name=insDot&from=7.0.0.0-abroad-online-sdk
unknown
whitelisted
2476
MEmu-setup-abroad-sdk.exe
GET
108.138.36.42:80
http://dl.memuplay.com/download/MEmu-Setup-9.2.3.0-haa98210ff.exe
unknown
whitelisted
2788
cookie_mmm_irs_ppi_005_888_d.exe
POST
204
34.117.223.223:80
http://v7event.stats.avast.com/cgi-bin/iavsevents.cgi
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
224.0.0.252:5355
whitelisted
4
System
192.168.100.255:137
whitelisted
4
System
192.168.100.255:138
whitelisted
2476
MEmu-setup-abroad-sdk.exe
108.138.34.96:443
d1xj8c1wowfhpd.cloudfront.net
AMAZON-02
US
whitelisted
1080
svchost.exe
224.0.0.252:5355
whitelisted
2476
MEmu-setup-abroad-sdk.exe
54.239.192.86:443
d1q9vw401wbm4c.cloudfront.net
AMAZON-02
US
whitelisted
2476
MEmu-setup-abroad-sdk.exe
118.253.168.216:80
www.xyaz.cn
Chinanet
CN
whitelisted
2904
svchost.exe
239.255.255.250:1900
whitelisted
2476
MEmu-setup-abroad-sdk.exe
156.225.108.44:80
www.microvirt.com
MULTA-ASN1
HK
suspicious
2476
MEmu-setup-abroad-sdk.exe
18.173.187.24:80
www.memuplay.com
US
whitelisted

DNS requests

Domain
IP
Reputation
google.com
  • 172.217.18.14
whitelisted
d1xj8c1wowfhpd.cloudfront.net
  • 108.138.34.96
  • 108.138.34.84
  • 108.138.34.31
  • 108.138.34.66
whitelisted
d1q9vw401wbm4c.cloudfront.net
  • 54.239.192.86
  • 54.239.192.96
  • 54.239.192.213
  • 54.239.192.182
whitelisted
www.xyaz.cn
  • 118.253.168.216
  • 118.253.168.217
  • 118.253.168.215
  • 118.253.168.147
  • 118.253.168.148
  • 118.253.168.218
  • 118.253.168.219
  • 118.253.168.150
  • 118.253.168.146
  • 118.253.168.149
whitelisted
www.microvirt.com
  • 156.225.108.44
  • 156.225.108.42
  • 156.225.108.43
unknown
www.memuplay.com
  • 18.173.187.24
  • 18.173.187.49
  • 18.173.187.3
  • 18.173.187.54
whitelisted
dl.memuplay.com
  • 108.138.36.42
  • 108.138.36.82
  • 108.138.36.125
  • 108.138.36.65
  • 18.245.31.108
  • 18.245.31.49
  • 18.245.31.52
  • 18.245.31.17
whitelisted
v7event.stats.avast.com
  • 34.117.223.223
whitelisted
iavs9x.u.avast.com
  • 2.16.168.119
  • 2.16.168.118
whitelisted
www.google-analytics.com
  • 142.250.186.78
  • 142.250.184.238
whitelisted

Threats

PID
Process
Class
Message
Potential Corporate Privacy Violation
ET INFO PE EXE or DLL Windows file download HTTP
Misc activity
ET INFO EXE - Served Attached HTTP
Generic Protocol Command Decode
SURICATA HTTP Request unrecognized authorization method
Generic Protocol Command Decode
SURICATA HTTP Request unrecognized authorization method
Generic Protocol Command Decode
SURICATA HTTP Request unrecognized authorization method
Generic Protocol Command Decode
SURICATA HTTP Request unrecognized authorization method
2476
MEmu-setup-abroad-sdk.exe
Misc activity
INFO [ANY.RUN] USER_AGENTS Suspicious User-Agent (Mozilla/5.0)
2476
MEmu-setup-abroad-sdk.exe
Misc activity
INFO [ANY.RUN] USER_AGENTS Suspicious User-Agent (Mozilla/5.0)
Generic Protocol Command Decode
SURICATA HTTP Request unrecognized authorization method
2476
MEmu-setup-abroad-sdk.exe
Misc activity
INFO [ANY.RUN] USER_AGENTS Suspicious User-Agent (Mozilla/5.0)
Process
Message
MEmu-setup-abroad-sdk.exe
QWindowsWindow::setGeometryDp: Unable to set geometry 21x14+320+106 on QWidgetWindow/'QCheckBoxClassWindow'. Resulting geometry: 104x14+320+106 (frame: 4, 23, 4, 4, custom margin: 0, 0, 0, 0, minimum size: 0x0, maximum size: 16777215x16777215).
MEmu-setup-abroad-sdk.exe
QWindowsWindow::setGeometryDp: Unable to set geometry 55x14+320+106 on QWidgetWindow/'QLabelClassWindow'. Resulting geometry: 104x14+320+106 (frame: 4, 23, 4, 4, custom margin: 0, 0, 0, 0, minimum size: 0x0, maximum size: 16777215x16777215).
Dism.exe
PID=2796 Connecting to the provider located at C:\Windows\System32\Dism\LogProvider.dll. - CDISMProviderStore::Internal_LoadProvider
Dism.exe
PID=2796 Failed to get an OSServices provider. Must be running in local store. Falling back to checking alongside the log provider for wdscore.dll. - CDISMLogger::FindWdsCore(hr:0x80004005)
Dism.exe
PID=2796 Loading Provider from location C:\Windows\System32\Dism\LogProvider.dll - CDISMProviderStore::Internal_GetProvider
Dism.exe
PID=2796 Initializing a provider store for the LOCAL session type. - CDISMProviderStore::Final_OnConnect
Dism.exe
PID=2796 Getting Provider OSServices - CDISMProviderStore::GetProvider
Dism.exe
PID=2796 Instantiating the Provider Store. - CDISMImageSession::get_ProviderStore
Dism.exe
PID=2796 Provider has not previously been encountered. Attempting to initialize the provider. - CDISMProviderStore::Internal_GetProvider
Dism.exe
PID=2796 The requested provider was not found in the Provider Store. - CDISMProviderStore::Internal_GetProvider(hr:0x80004005)
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
MEmu-setup-abroad-sdk.exe