File name:

spybot-search-destroy-3.4.0.0-installer_YucA-21.exe

Full analysis: https://app.any.run/tasks/5d6d59ed-18f9-46cb-a285-84fc828d6cda
Verdict: Malicious activity
Analysis date: November 19, 2024, 19:45:28
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
arch-exec
evasion
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 5 sections
MD5:

C1FE2147288DF9F805ADD851B0A250FB

SHA1:

BBD4CF561810B2A5F6B57FBC4878CA27B11620B6

SHA256:

02E032F5112CC1AAAB727F99B059736F0B4C30B4895C66D93CA29B2ACBDAADAF

SSDEEP:

98304:wyRr3UJ1IqsdPDMJoPvpyUwyFgS8S7ce/Unba+O+CB3jD9hl:y

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Antivirus name has been found in the command line (generic signature)

      • AVGUI.exe (PID: 3688)
      • AVGUI.exe (PID: 3716)
      • AVGUI.exe (PID: 540)
      • AVGUI.exe (PID: 4328)
      • AVGUI.exe (PID: 6856)
      • AVGUI.exe (PID: 2120)

  • SUSPICIOUS

    • Reads security settings of Internet Explorer

      • spybot-search-destroy-3.4.0.0-installer_YucA-21.exe (PID: 3816)
      • saBSI.exe (PID: 1596)

    • Executable content was dropped or overwritten

      • avg_antivirus_free_setup.exe (PID: 3972)
      • spybot-search-destroy-3.4.0.0-installer_YucA-21.exe (PID: 3816)
      • avg_antivirus_free_online_setup.exe (PID: 5160)
      • spybot-search-destroy-3.4.0.0-installer.exe (PID: 1192)
      • icarus.exe (PID: 2084)
      • icarus.exe (PID: 2088)
      • engsup.exe (PID: 1512)
      • AvEmUpdate.exe (PID: 4556)
      • icarus.exe (PID: 3428)
      • setup.exe (PID: 5776)
      • aswOfferTool.exe (PID: 2152)
      • AVGSvc.exe (PID: 5096)

    • Checks Windows Trust Settings

      • saBSI.exe (PID: 1596)

    • The process verifies whether the antivirus software is installed

      • saBSI.exe (PID: 1596)

    • Malware-specific behavior (creating "System.dll" in Temp)

      • setup.exe (PID: 5776)

    • Process drops legitimate windows executable

      • icarus.exe (PID: 2084)
      • setup.exe (PID: 5776)

    • The process drops C-runtime libraries

      • icarus.exe (PID: 2084)
      • setup.exe (PID: 5776)

    • Drops a system driver (possible attempt to evade defenses)

      • icarus.exe (PID: 2084)
      • engsup.exe (PID: 1512)

    • Executes as Windows Service

      • afwServ.exe (PID: 1572)
      • wsc_proxy.exe (PID: 5752)
      • AVGSvc.exe (PID: 5096)
      • aswidsagent.exe (PID: 6564)
      • avgToolsSvc.exe (PID: 4604)

    • Starts itself from another location

      • icarus.exe (PID: 3428)

    • Application launched itself

      • AVGUI.exe (PID: 3688)

    • Checks for external IP

      • AvEmUpdate.exe (PID: 4556)

  • INFO

    • Checks proxy server information

      • spybot-search-destroy-3.4.0.0-installer_YucA-21.exe (PID: 3816)
      • saBSI.exe (PID: 1596)
      • avg_antivirus_free_online_setup.exe (PID: 5160)

    • Checks supported languages

      • spybot-search-destroy-3.4.0.0-installer_YucA-21.exe (PID: 3816)
      • avg_antivirus_free_setup.exe (PID: 3972)
      • saBSI.exe (PID: 1596)
      • avg_antivirus_free_online_setup.exe (PID: 5160)
      • icarus.exe (PID: 3428)

    • Reads the computer name

      • spybot-search-destroy-3.4.0.0-installer_YucA-21.exe (PID: 3816)
      • avg_antivirus_free_setup.exe (PID: 3972)
      • saBSI.exe (PID: 1596)
      • avg_antivirus_free_online_setup.exe (PID: 5160)
      • icarus.exe (PID: 3428)

    • Sends debugging messages

      • spybot-search-destroy-3.4.0.0-installer_YucA-21.exe (PID: 3816)
      • saBSI.exe (PID: 1596)

    • The process uses the downloaded file

      • spybot-search-destroy-3.4.0.0-installer_YucA-21.exe (PID: 3816)

    • Reads the machine GUID from the registry

      • spybot-search-destroy-3.4.0.0-installer_YucA-21.exe (PID: 3816)
      • avg_antivirus_free_setup.exe (PID: 3972)
      • saBSI.exe (PID: 1596)
      • avg_antivirus_free_online_setup.exe (PID: 5160)
      • icarus.exe (PID: 3428)

    • Reads the software policy settings

      • spybot-search-destroy-3.4.0.0-installer_YucA-21.exe (PID: 3816)
      • avg_antivirus_free_setup.exe (PID: 3972)
      • saBSI.exe (PID: 1596)
      • avg_antivirus_free_online_setup.exe (PID: 5160)

    • Creates files in the program directory

      • saBSI.exe (PID: 1596)
      • avg_antivirus_free_online_setup.exe (PID: 5160)
      • icarus.exe (PID: 3428)

    • Create files in a temporary directory

      • spybot-search-destroy-3.4.0.0-installer_YucA-21.exe (PID: 3816)
      • avg_antivirus_free_online_setup.exe (PID: 5160)

    • Reads CPU info

      • icarus.exe (PID: 3428)

    • Manual execution by a user

      • AVGUI.exe (PID: 3688)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (18)
.exe | Win32 Executable (generic) (2.9)
.exe | Generic Win/DOS Executable (1.3)
.exe | DOS Executable Generic (1.3)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2024:10:14 12:00:04+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 14.39
CodeSize: 2145792
InitializedDataSize: 2305536
UninitializedDataSize: -
EntryPoint: 0x1c2253
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
FileVersionNumber: 3.0.9.1
ProductVersionNumber: 3.0.9.1
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Windows NT 32-bit
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
CompanyName: Softonic
FileDescription: Softonic
FileVersion: 3.0.9.1
LegalCopyright: (c) Softonic. All rights reserved.
ProductName: Softonic
ProductVersion: 3.0.9.1
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
182
Monitored processes
48
Malicious processes
8
Suspicious processes
3

Behavior graph

Click at the process to see the details
start spybot-search-destroy-3.4.0.0-installer_yuca-21.exe sabsi.exe avg_antivirus_free_setup.exe avg_antivirus_free_online_setup.exe icarus.exe icarus.exe icarus.exe spybot-search-destroy-3.4.0.0-installer.exe setup.exe foobar2000.exe no specs foobar2000 shell associations updater.exe no specs foobar2000.exe no specs engsup.exe setupinf.exe no specs setupinf.exe no specs setupinf.exe no specs setupinf.exe no specs setupinf.exe no specs setupinf.exe no specs avemupdate.exe no specs avemupdate.exe regsvr.exe no specs regsvr.exe no specs setupinf.exe no specs wsc_proxy.exe no specs wsc_proxy.exe no specs afwserv.exe no specs avgsvc.exe avgtoolssvc.exe no specs overseer.exe no specs avgui.exe no specs aswengsrv.exe no specs aswidsagent.exe no specs engsup.exe no specs wpr.exe no specs conhost.exe no specs icarus.exe no specs unsecapp.exe no specs aswoffertool.exe icarus.exe no specs icarus.exe no specs aswoffertool.exe no specs avgui.exe no specs avgui.exe no specs avgui.exe no specs avgui.exe no specs avgui.exe no specs spybot-search-destroy-3.4.0.0-installer_yuca-21.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
436"C:\Program Files (x86)\foobar2000\foobar2000.exe" /install /quiet /exportshelldata "C:\Users\admin\AppData\Local\Temp\fb2kshelldata.tmp"C:\Program Files (x86)\foobar2000\foobar2000.exesetup.exe
User:
admin
Company:
Piotr Pawlowski
Integrity Level:
HIGH
Description:
foobar2000
Exit code:
0
Version:
2.1.4.0
Modules
Images
c:\program files (x86)\foobar2000\foobar2000.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\shlwapi.dll
540"C:\Program Files\AVG\Antivirus\AVGUI.exe" --type=renderer --no-sandbox --autoplay-policy=no-user-gesture-required --log-file="C:\Users\admin\AppData\Roaming\AVG\Antivirus\log\cef_log.txt" --field-trial-handle=5732,4942236942359043718,12553617794642162151,131072 --disable-features=CalculateNativeWinOcclusion,CookiesWithoutSameSiteMustBeSecure,SameSiteByDefaultCookies,SameSiteDefaultChecksMethodRigorously --disable-gpu-compositing --lang=en-US --log-file="C:\Users\admin\AppData\Roaming\AVG\Antivirus\log\cef_log.txt" --log-severity=error --user-agent="Mozilla/5.0 AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.101 Safari/537.36 Avastium (0.0.0) (Windows 10.0)" --disable-webaudio --force-wave-audio --disable-software-rasterizer --no-sandbox --blacklist-accelerated-compositing --disable-accelerated-2d-canvas --disable-accelerated-compositing --disable-accelerated-layers --disable-accelerated-video-decode --blacklist-webgl --disable-bundled-ppapi-flash --disable-flash-3d --enable-aggressive-domstorage-flushing --enable-media-stream --disable-gpu --disable-webgl --disable-gpu-compositing --allow-file-access-from-files=1 --pack_loading_disabled=1 --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=4 --mojo-platform-channel-handle=9372 /prefetch:1C:\Program Files\AVG\Antivirus\AVGUI.exeAVGUI.exe
User:
admin
Company:
Gen Digital Inc.
Integrity Level:
MEDIUM
Description:
AVG Antivirus
Version:
24.11.9615.0
900"C:\Program Files\AVG\Antivirus\RegSvr.exe" "C:\Program Files\AVG\Antivirus\aswAMSI.dll"C:\Program Files\AVG\Antivirus\RegSvr.exeicarus.exe
User:
admin
Company:
Gen Digital Inc.
Integrity Level:
HIGH
Description:
AVG Antivirus Installer
Exit code:
0
Version:
24.11.9615.0
Modules
Images
c:\program files\avg\antivirus\regsvr.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shell32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\user32.dll
1192"C:\Users\admin\Downloads\spybot-search-destroy-3.4.0.0-installer.exe" C:\Users\admin\Downloads\spybot-search-destroy-3.4.0.0-installer.exe
spybot-search-destroy-3.4.0.0-installer_YucA-21.exe
User:
admin
Company:
Efficacious Approval Applications
Integrity Level:
HIGH
Description:
Efficacious Approval Applications
Exit code:
0
Version:
2.1.5.0
Modules
Images
c:\users\admin\downloads\spybot-search-destroy-3.4.0.0-installer.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
1356"C:\Program Files\AVG\Antivirus\x86\RegSvr.exe" "C:\Program Files\AVG\Antivirus\x86\aswAMSI.dll"C:\Program Files\AVG\Antivirus\x86\RegSvr.exeicarus.exe
User:
admin
Company:
Gen Digital Inc.
Integrity Level:
HIGH
Description:
AVG Antivirus Installer
Exit code:
0
Version:
24.11.9615.0
Modules
Images
c:\program files\avg\antivirus\x86\regsvr.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\rpcrt4.dll
1512"C:\Program Files\AVG\Antivirus\defs\24111902\engsup.exe" /prepare_definitions_folderC:\Program Files\AVG\Antivirus\defs\24111902\engsup.exe
icarus.exe
User:
admin
Company:
Gen Digital Inc.
Integrity Level:
HIGH
Description:
AVG Antivirus vps tool
Exit code:
0
Version:
18.0.2075.0
Modules
Images
c:\program files\avg\antivirus\defs\24111902\engsup.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
1572"C:\Program Files\AVG\Antivirus\afwServ.exe"C:\Program Files\AVG\Antivirus\afwServ.exeservices.exe
User:
SYSTEM
Company:
Gen Digital Inc.
Integrity Level:
SYSTEM
Description:
AVG firewall service
Version:
24.11.9615.0
Modules
Images
c:\program files\avg\antivirus\afwserv.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
1596"C:\Users\admin\AppData\Local\Temp\ISV9566.tmp\saBSI.exe" /affid {aflt} PaidDistribution=true CountryCode=USC:\Users\admin\AppData\Local\Temp\ISV9566.tmp\saBSI.exe
spybot-search-destroy-3.4.0.0-installer_YucA-21.exe
User:
admin
Company:
McAfee, LLC
Integrity Level:
HIGH
Description:
McAfee WebAdvisor(bootstrap installer)
Exit code:
0
Version:
4,1,1,865
Modules
Images
c:\users\admin\appdata\local\temp\isv9566.tmp\sabsi.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\acgenral.dll
2084C:\WINDOWS\Temp\asw-9a85ddca-4d8f-4338-aa90-9aae5c157869\avg-av\icarus.exe /silent /ws /psh:hIA7qv6y4LnyhZ8uUg5ES7NJSv5xFxjsl6RHqJGR35jKfB2LkrE9eOjWN5xgM0llMoJ1AtB9KgRCtX /cookie:mmm_irs_ppi_902_451_o /edat_dir:C:\WINDOWS\Temp\asw.a0a141e024ffca9c /track-guid:10001d9a-d2bf-4ef9-97cf-100992588996 /er_master:master_ep_bd8016e7-37fb-43e4-aab5-cadbb5854751 /er_ui:ui_ep_68ae9c36-3bab-4c1e-a262-bfddaa6b7184 /er_slave:avg-av_slave_ep_d4dc1762-1c24-4ec5-b796-f4bc89facefd /slave:avg-avC:\Windows\Temp\asw-9a85ddca-4d8f-4338-aa90-9aae5c157869\avg-av\icarus.exe
icarus.exe
User:
admin
Company:
Gen Digital Inc.
Integrity Level:
HIGH
Description:
AVG Installer
Exit code:
0
Version:
24.11.8270.0
Modules
Images
c:\windows\temp\asw-9a85ddca-4d8f-4338-aa90-9aae5c157869\avg-av\icarus.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shell32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\user32.dll
2088C:\WINDOWS\Temp\asw-9a85ddca-4d8f-4338-aa90-9aae5c157869\avg-av-vps\icarus.exe /silent /ws /psh:hIA7qv6y4LnyhZ8uUg5ES7NJSv5xFxjsl6RHqJGR35jKfB2LkrE9eOjWN5xgM0llMoJ1AtB9KgRCtX /cookie:mmm_irs_ppi_902_451_o /edat_dir:C:\WINDOWS\Temp\asw.a0a141e024ffca9c /track-guid:10001d9a-d2bf-4ef9-97cf-100992588996 /er_master:master_ep_bd8016e7-37fb-43e4-aab5-cadbb5854751 /er_ui:ui_ep_68ae9c36-3bab-4c1e-a262-bfddaa6b7184 /er_slave:avg-av-vps_slave_ep_4c0907cb-44d8-4621-a44a-24d2437f8727 /slave:avg-av-vpsC:\Windows\Temp\asw-9a85ddca-4d8f-4338-aa90-9aae5c157869\avg-av-vps\icarus.exe
icarus.exe
User:
admin
Company:
Gen Digital Inc.
Integrity Level:
HIGH
Description:
AVG Installer
Exit code:
0
Version:
24.11.8270.0
Modules
Images
c:\windows\temp\asw-9a85ddca-4d8f-4338-aa90-9aae5c157869\avg-av-vps\icarus.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shell32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\user32.dll
Total events
8 812
Read events
8 016
Write events
703
Delete events
93

Modification events

(PID) Process:(3816) spybot-search-destroy-3.4.0.0-installer_YucA-21.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories\{56FFCC30-D398-11D0-B2AE-00A0C908FA49}\Enum
Operation:writeName:Implementing
Value:
1C00000001000000E8070B000200130013002E002E00CE02010000001E768127E028094199FEB9D127C57AFE
(PID) Process:(3816) spybot-search-destroy-3.4.0.0-installer_YucA-21.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached
Operation:writeName:{2781761E-28E0-4109-99FE-B9D127C57AFE} {56FFCC30-D398-11D0-B2AE-00A0C908FA49} 0xFFFF
Value:
0100000000000000F7EC79C4BB3ADB01
(PID) Process:(1596) saBSI.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\McAfee\WebAdvisor
Operation:writeName:UUID
Value:
{A8B906F3-91EB-4BC7-BFDC-16EA556ECAD1}
(PID) Process:(1596) saBSI.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\McAfee\WebAdvisor
Operation:writeName:InstallerFlags
Value:
1
(PID) Process:(5160) avg_antivirus_free_online_setup.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\1D0EC6DE-4A80-4CC3-A335-E6E41C951198
Operation:writeName:5FD38555-4B16-40AE-9A09-E2C969CB74AF
Value:
F6D4F52220BB5A3D7246A004278BB23F
(PID) Process:(5160) avg_antivirus_free_online_setup.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Classes\C06AEB9D-8774-46E7-8160-8321BCD14D9F
Operation:writeName:7CCD586D-2ABC-42FF-A23B-3731F4F183D9
Value:
F6D4F52220BB5A3D7246A004278BB23F
(PID) Process:(5160) avg_antivirus_free_online_setup.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\1D0EC6DE-4A80-4CC3-A335-E6E41C951198
Operation:writeName:8C5CFDF4-AB05-4EB0-8EF6-7B4620DC2CF3
Value:
AQAAANCMnd8BFdERjHoAwE/Cl+sBAAAAtA46N03Oz0Cz07PubfNy/wQAAAACAAAAAAAQZgAAAAEAACAAAADFj6W4FFonOwZOPf8fuJ5gb9zqaZwQnZt8XfB8M9257QAAAAAOgAAAAAIAACAAAAADjfeed2GUEeUJW9UMAlWhzFUKBus9INzVXWwCtyVqUVAAAAArWzQml1oDYoW5YgJP/ZAe6D9pOXQW1XqCZoojpJV8Gm4Nn33YeOlqMOMfSPFV//a20UEiK7TjPEBVyI4LGs8O3nRPck40xxSYsw2/dIMiQ0AAAABUbpll3mSUsWXbsK/RhSB1NobeXfYKapRzQk5PlPHSPt5Bjv7+NC1F7D8VGf4bQnni8h1zIDmZT4SQ0aZoFi8+
(PID) Process:(5160) avg_antivirus_free_online_setup.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Classes\C06AEB9D-8774-46E7-8160-8321BCD14D9F
Operation:writeName:5E1D6A55-0134-486E-A166-38C2E4919BB1
Value:
AQAAANCMnd8BFdERjHoAwE/Cl+sBAAAAtA46N03Oz0Cz07PubfNy/wQAAAACAAAAAAAQZgAAAAEAACAAAADFj6W4FFonOwZOPf8fuJ5gb9zqaZwQnZt8XfB8M9257QAAAAAOgAAAAAIAACAAAAADjfeed2GUEeUJW9UMAlWhzFUKBus9INzVXWwCtyVqUVAAAAArWzQml1oDYoW5YgJP/ZAe6D9pOXQW1XqCZoojpJV8Gm4Nn33YeOlqMOMfSPFV//a20UEiK7TjPEBVyI4LGs8O3nRPck40xxSYsw2/dIMiQ0AAAABUbpll3mSUsWXbsK/RhSB1NobeXfYKapRzQk5PlPHSPt5Bjv7+NC1F7D8VGf4bQnni8h1zIDmZT4SQ0aZoFi8+
(PID) Process:(5160) avg_antivirus_free_online_setup.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\1D0EC6DE-4A80-4CC3-A335-E6E41C951198
Operation:writeName:144807F0-DE37-4C62-9C05-EB4CC64A7A2F
Value:
1a13586a-7cd2-4883-9151-f94c19f6c817
(PID) Process:(5160) avg_antivirus_free_online_setup.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Classes\C06AEB9D-8774-46E7-8160-8321BCD14D9F
Operation:writeName:56C7A9DA-4B11-406A-8B1A-EFF157C294D6
Value:
1a13586a-7cd2-4883-9151-f94c19f6c817
Executable files
831
Suspicious files
1 653
Text files
323
Unknown types
12

Dropped files

PID
Process
Filename
Type
3972avg_antivirus_free_setup.exeC:\Windows\Temp\asw.a0a141e024ffca9c\avg_antivirus_free_online_setup.exeexecutable
MD5:FB4D24ABE3AE811025140C5F34D60F81
SHA256:3B216887612445F58C20FA8F140C404477F33B49A631616C43E26523ED082383
3816spybot-search-destroy-3.4.0.0-installer_YucA-21.exeC:\Users\admin\AppData\Local\Temp\ISV9566.tmp\avg_antivirus_free_setup.exeexecutable
MD5:26816AF65F2A3F1C61FB44C682510C97
SHA256:2025C8C2ACC5537366E84809CB112589DDC9E16630A81C301D24C887E2D25F45
3972avg_antivirus_free_setup.exeC:\Windows\Temp\asw.a0a141e024ffca9c\ecoo.edattext
MD5:3F44A3C655AC2A5C3AB32849ECB95672
SHA256:51516A61A1E25124173DEF4EF68A6B8BABEDC28CA143F9EEE3E729EBDC1EF31F
3816spybot-search-destroy-3.4.0.0-installer_YucA-21.exeC:\Users\admin\AppData\Local\Temp\ISV9566.tmp\saBSI.exeexecutable
MD5:143255618462A577DE27286A272584E1
SHA256:F5AA950381FBCEA7D730AA794974CA9E3310384A95D6CF4D015FBDBD9797B3E4
5160avg_antivirus_free_online_setup.exeC:\ProgramData\AVG\Icarus\Logs\sfx.logtext
MD5:ECAA88F7FA0BF610A5A26CF545DCD3AA
SHA256:F1945CD6C19E56B3C1C78943EF5EC18116907A4CA1EFC40A57D48AB1DB7ADFC5
1596saBSI.exeC:\ProgramData\McAfee\WebAdvisor\saBSI.exe\log_00000057003F001D0006.txttext
MD5:410C78500862933173B3FE7F5D821EB2
SHA256:F8C945EAA4F690D144129E87AA1CAA6DC2C522371DDA07D323D07C873C11A4BD
3816spybot-search-destroy-3.4.0.0-installer_YucA-21.exeC:\Users\admin\AppData\Local\Temp\ISV9566.tmp\saBSI.zipcompressed
MD5:F68008B70822BD28C82D13A289DEB418
SHA256:CC6F4FAF4E8A9F4D2269D1D69A69EA326F789620FB98078CC98597F3CB998589
3816spybot-search-destroy-3.4.0.0-installer_YucA-21.exeC:\Users\admin\Downloads\spybot-search-destroy-3.4.0.0-installer.exeexecutable
MD5:A81C81AC1646561FB099556AD4FE75E1
SHA256:CA3334DFC38746110C192443D9A26B4677164944CF751A89F98784C1EBE343AB
3816spybot-search-destroy-3.4.0.0-installer_YucA-21.exeC:\Users\admin\AppData\Local\Temp\ISV9566.tmp\avg.zipcompressed
MD5:56B0D3E1B154AE65682C167D25EC94A6
SHA256:434BFC9E005A7C8EE249B62F176979F1B4CDE69484DB1683EA07A63E6C1E93DE
5160avg_antivirus_free_online_setup.exeC:\Windows\Temp\asw-9a85ddca-4d8f-4338-aa90-9aae5c157869\common\icarus_ui.exeexecutable
MD5:349DEA57501C683B9982C0F0C19C95F6
SHA256:14F05EF3568B541979E5D6580679559651E31CD6128F206AED2567076B42823F
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
49
TCP/UDP connections
215
DNS requests
269
Threats
10

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
4932
svchost.exe
GET
200
2.16.164.89:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
4932
svchost.exe
GET
200
88.221.169.152:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
5064
SearchApp.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D
unknown
whitelisted
1760
SIHClient.exe
GET
200
88.221.169.152:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
1176
svchost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
1760
SIHClient.exe
GET
200
88.221.169.152:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
whitelisted
1300
backgroundTaskHost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D
unknown
whitelisted
3972
avg_antivirus_free_setup.exe
POST
204
34.117.223.223:80
http://v7event.stats.avast.com/cgi-bin/iavsevents.cgi
unknown
whitelisted
3972
avg_antivirus_free_setup.exe
POST
200
142.250.186.78:80
http://www.google-analytics.com/collect
unknown
whitelisted
4556
AvEmUpdate.exe
HEAD
200
2.19.126.157:80
http://emupdate.avcdn.net/files/emupdate/pong.txt
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
544
RUXIMICS.exe
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4712
MoUsoCoreWorker.exe
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4932
svchost.exe
2.16.164.89:80
crl.microsoft.com
Akamai International B.V.
NL
whitelisted
4932
svchost.exe
88.221.169.152:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
4
System
192.168.100.255:138
whitelisted
4932
svchost.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
5064
SearchApp.exe
2.23.209.148:443
www.bing.com
Akamai International B.V.
GB
whitelisted
1176
svchost.exe
40.126.32.68:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 4.231.128.59
  • 51.104.136.2
  • 20.73.194.208
whitelisted
crl.microsoft.com
  • 2.16.164.89
  • 2.16.164.82
  • 2.16.164.10
  • 2.16.164.25
  • 2.16.164.67
  • 2.16.164.40
  • 2.16.164.106
  • 2.16.164.42
  • 2.16.164.17
whitelisted
www.microsoft.com
  • 88.221.169.152
whitelisted
google.com
  • 142.250.185.110
  • 142.250.186.142
whitelisted
www.bing.com
  • 2.23.209.148
  • 2.23.209.179
  • 2.23.209.189
  • 2.23.209.133
  • 2.23.209.187
  • 2.23.209.176
  • 2.23.209.130
  • 2.23.209.182
  • 2.23.209.185
whitelisted
ocsp.digicert.com
  • 192.229.221.95
whitelisted
login.live.com
  • 40.126.32.68
  • 40.126.32.134
  • 40.126.32.72
  • 40.126.32.136
  • 20.190.160.20
  • 40.126.32.133
  • 40.126.32.74
  • 40.126.32.140
whitelisted
go.microsoft.com
  • 184.28.89.167
whitelisted
slscr.update.microsoft.com
  • 20.12.23.50
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 13.85.23.206
whitelisted

Threats

PID
Process
Class
Message
Misc activity
ET INFO External IP Lookup Service in DNS Query (ip-info .ff .avast .com)
Misc activity
ET INFO External IP Lookup Service in DNS Query (ip-info .ff .avast .com)
Misc activity
ET INFO Observed External IP Lookup Domain (ip-info .ff .avast .com) in TLS SNI
Misc activity
ET INFO External IP Lookup Service in DNS Query (ip-info .ff .avast .com)
Misc activity
ET INFO Observed External IP Lookup Domain (ip-info .ff .avast .com) in TLS SNI
Misc activity
ET INFO External IP Lookup Service in DNS Query (ip-info .ff .avast .com)
Not Suspicious Traffic
INFO [ANY.RUN] Cloudflare content delivery network (cdnjs .cloudflare .com)
Not Suspicious Traffic
INFO [ANY.RUN] Google Hosted Libraries (ajax .googleapis .com)
Potential Corporate Privacy Violation
ET POLICY External IP Lookup (avast .com)
Misc activity
ET INFO Observed External IP Lookup Domain (ip-info .ff .avast .com) in TLS SNI
Process
Message
spybot-search-destroy-3.4.0.0-installer_YucA-21.exe
LoadingPage
spybot-search-destroy-3.4.0.0-installer_YucA-21.exe
WelcomePage
spybot-search-destroy-3.4.0.0-installer_YucA-21.exe
ProductPage
spybot-search-destroy-3.4.0.0-installer_YucA-21.exe
ProductPage
spybot-search-destroy-3.4.0.0-installer_YucA-21.exe
DownloadPageDLM
spybot-search-destroy-3.4.0.0-installer_YucA-21.exe
FinishPageDLM
saBSI.exe
NCPrivateLoadAndValidateMPTDll: Looking in current directory
saBSI.exe
NCPrivateLoadAndValidateMPTDll: Looking in current directory
saBSI.exe
NotComDllGetInterface: C:\Users\admin\AppData\Local\Temp\ISV9566.tmp\saBSI.exe loading C:\Users\admin\AppData\Local\Temp\ISV9566.tmp\mfeaaca.dll, WinVerifyTrust failed with 80092003
saBSI.exe
NCPrivateLoadAndValidateMPTDll: Looking in current directory
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
spybot-search-destroy-3.4.0.0-installer_YucA-21.exe