File name:

Avast Antivirus.exe

Full analysis: https://app.any.run/tasks/8f70b848-3207-443a-81ab-d0eb21ff96a8
Verdict: Malicious activity
Threats:

Crypto mining malware is a resource-intensive threat that infiltrates computers with the purpose of mining cryptocurrencies. This type of threat can be deployed either on an infected machine or a compromised website. In both cases the miner will utilize the computing power of the device and its network bandwidth.

Malware Trends Tracker     >>>
Analysis date: May 20, 2025, 09:59:06
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
telegram
python
miner
xmrig
winring0x64-sys
vuln-driver
arch-exec
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32+ executable (GUI) x86-64, for MS Windows, 7 sections
MD5:

142EAED307B5F36613F4183BEC66C4E7

SHA1:

5B06B75E7CB6166E0A9A5E4894E381233C63EC2C

SHA256:

0EF09A041D9D61D92E7E7429F1A087E07E518BBEBBFBF3AFD659DF062AAFD468

SSDEEP:

98304:54/XzVtpa+sENic7T8zKyv530/Vxmh7vSRpl89+bE9d9YbuvCjlhp4Tlcw15+EiK:7tCvTp5A

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Changes the autorun value in the registry

      • Avast Antivirus.exe (PID: 4448)

    • XMRIG has been detected

      • Avast Antivirus.exe (PID: 4448)

    • Vulnerable driver has been detected

      • Avast Antivirus.exe (PID: 4448)

    • XMRig has been detected

      • xmrig.exe (PID: 5576)

    • Looks like the application has launched a miner

      • Avast Antivirus.exe (PID: 4448)

  • SUSPICIOUS

    • The process drops C-runtime libraries

      • Avast Antivirus.exe (PID: 4892)

    • Process drops legitimate windows executable

      • Avast Antivirus.exe (PID: 4892)

    • Executable content was dropped or overwritten

      • Avast Antivirus.exe (PID: 4892)
      • Avast Antivirus.exe (PID: 4448)

    • Process drops python dynamic module

      • Avast Antivirus.exe (PID: 4892)

    • Application launched itself

      • Avast Antivirus.exe (PID: 4892)

    • Loads Python modules

      • Avast Antivirus.exe (PID: 4448)

    • Drops a system driver (possible attempt to evade defenses)

      • Avast Antivirus.exe (PID: 4448)

    • Process communicates with Telegram (possibly using it as an attacker's C2 server)

      • Avast Antivirus.exe (PID: 4448)

  • INFO

    • Reads the computer name

      • Avast Antivirus.exe (PID: 4892)
      • Avast Antivirus.exe (PID: 4448)
      • xmrig.exe (PID: 5576)

    • Checks supported languages

      • Avast Antivirus.exe (PID: 4892)
      • Avast Antivirus.exe (PID: 4448)
      • xmrig.exe (PID: 5576)

    • Create files in a temporary directory

      • Avast Antivirus.exe (PID: 4892)
      • Avast Antivirus.exe (PID: 4448)

    • The sample compiled with english language support

      • Avast Antivirus.exe (PID: 4892)

    • Reads the machine GUID from the registry

      • Avast Antivirus.exe (PID: 4448)

    • Checks proxy server information

      • Avast Antivirus.exe (PID: 4448)

    • Creates files or folders in the user directory

      • Avast Antivirus.exe (PID: 4448)

    • The sample compiled with japanese language support

      • Avast Antivirus.exe (PID: 4448)

    • Attempting to use instant messaging service

      • Avast Antivirus.exe (PID: 4448)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (87.3)
.exe | Generic Win/DOS Executable (6.3)
.exe | DOS Executable Generic (6.3)

EXIF

EXE

MachineType: AMD AMD64
TimeStamp: 2025:05:18 20:14:34+00:00
ImageFileCharacteristics: Executable, Large address aware
PEType: PE32+
LinkerVersion: 14.36
CodeSize: 166400
InitializedDataSize: 154624
UninitializedDataSize: -
EntryPoint: 0xb340
OSVersion: 5.2
ImageVersion: -
SubsystemVersion: 5.2
Subsystem: Windows GUI
No data.
screenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
129
Monitored processes
3
Malicious processes
3
Suspicious processes
0

Behavior graph

Click at the process to see the details
start avast antivirus.exe #XMRIG avast antivirus.exe #XMRIG xmrig.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
4448"C:\Users\admin\Desktop\Avast Antivirus.exe" C:\Users\admin\Desktop\Avast Antivirus.exe
Avast Antivirus.exe
User:
admin
Integrity Level:
MEDIUM
Modules
Images
c:\users\admin\desktop\avast antivirus.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
4892"C:\Users\admin\Desktop\Avast Antivirus.exe" C:\Users\admin\Desktop\Avast Antivirus.exe
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Modules
Images
c:\users\admin\desktop\avast antivirus.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
5576"C:\Users\admin\AppData\Roaming\Microsoft\Windows Defender\Platform\xmrig-6.20.0\xmrig.exe" -o stratum+tcp://gulf.mpool.pro:10128 -u 49KxcqRUduJMEKj5Lo5GWT52wHJBuuvbZCYnnpoR2btvh3x4iVWtDqdAd3q7hbA8Ez4GwpCvbt7gR2dzHprzncKhFr3XuT6.adaptive_worker --quiet --background --donate-level=0 --max-cpu-usage=50C:\Users\admin\AppData\Roaming\Microsoft\Windows Defender\Platform\xmrig-6.20.0\xmrig.exe
Avast Antivirus.exe
User:
admin
Company:
www.xmrig.com
Integrity Level:
MEDIUM
Description:
XMRig miner
Version:
6.20.0
Modules
Images
c:\users\admin\appdata\roaming\microsoft\windows defender\platform\xmrig-6.20.0\xmrig.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\user32.dll
Total events
614
Read events
613
Write events
1
Delete events
0

Modification events

(PID) Process:(4448) Avast Antivirus.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation:writeName:WindowsDefenderUpdate
Value:
C:\Users\admin\AppData\Roaming\Microsoft\Windows Defender\SecurityHealthService.exe
Executable files
18
Suspicious files
3
Text files
8
Unknown types
0

Dropped files

PID
Process
Filename
Type
4892Avast Antivirus.exeC:\Users\admin\AppData\Local\Temp\_MEI48922\_bz2.pydexecutable
MD5:92075C2759AC8246953E6FA6323E43FE
SHA256:E7AF6119B56DDD47FD0A909710F7163D7EF4822405FC138D24E6CE9DE7A5022F
4892Avast Antivirus.exeC:\Users\admin\AppData\Local\Temp\_MEI48922\charset_normalizer\md__mypyc.cp37-win_amd64.pydexecutable
MD5:8535E8F36CB8F724502449435CF33E8C
SHA256:000E773474B36C21D804F37AA6F8A5C8218ED6DE6D2A56E053904CDA0002F0C4
4892Avast Antivirus.exeC:\Users\admin\AppData\Local\Temp\_MEI48922\python37.dllexecutable
MD5:C4E99D7375888D873D2478769A8D844C
SHA256:12F26BEB439DDF8D56E7544B06A0675D5DA6670C02F8F9CEDE7AAD1DE71EB116
4892Avast Antivirus.exeC:\Users\admin\AppData\Local\Temp\_MEI48922\_lzma.pydexecutable
MD5:AB582419629183E1615B76FC5D2C7704
SHA256:5A45F7CD517AD396A042BC2767AE73221DC68F934E828A9433249924A371EE5E
4892Avast Antivirus.exeC:\Users\admin\AppData\Local\Temp\_MEI48922\_socket.pydexecutable
MD5:10CD16BB63862536570C717FFC453DA4
SHA256:E002A1BD6FBA44681D557B64D439585DBA9820226E1C3DA5A62628BBAA930AE3
4892Avast Antivirus.exeC:\Users\admin\AppData\Local\Temp\_MEI48922\_ctypes.pydexecutable
MD5:2787764FE3056F37C79A3FC79E620172
SHA256:41C593C960F3F89B1E1629C6B7BD6171FE306168F816BEF02027332A263DE117
4892Avast Antivirus.exeC:\Users\admin\AppData\Local\Temp\_MEI48922\charset_normalizer\md.cp37-win_amd64.pydexecutable
MD5:664FECAB45C48C4E3EE0A8255DE431B7
SHA256:D432E275D7EB68A7094EE4C83CEE09068EB26EBEA9AF843C4F919485EF02D698
4448Avast Antivirus.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows Defender\SecurityHealthService.exeexecutable
MD5:142EAED307B5F36613F4183BEC66C4E7
SHA256:0EF09A041D9D61D92E7E7429F1A087E07E518BBEBBFBF3AFD659DF062AAFD468
4892Avast Antivirus.exeC:\Users\admin\AppData\Local\Temp\_MEI48922\_queue.pydexecutable
MD5:A48AF48DD880C11673469C1ADE525558
SHA256:A98E9F330EEAF40EF516237AB5BC1EFAC1FC49ED321A128BE78DD3FB8733E0A4
4892Avast Antivirus.exeC:\Users\admin\AppData\Local\Temp\_MEI48922\base_library.zipcompressed
MD5:BCDB389D811C15FBD09F944A0E1ADE12
SHA256:4C2978F7235F96151F59AB6B6BBF077C779869066B94109A38DDC90CDDE2D03F
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
5
TCP/UDP connections
22
DNS requests
29
Threats
2

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
5496
MoUsoCoreWorker.exe
GET
200
2.23.246.101:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
5496
MoUsoCoreWorker.exe
GET
200
2.19.11.120:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
6544
svchost.exe
GET
200
2.23.77.188:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
6944
SIHClient.exe
GET
200
2.23.246.101:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
6944
SIHClient.exe
GET
200
2.23.246.101:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:137
whitelisted
2104
svchost.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
5496
MoUsoCoreWorker.exe
2.19.11.120:80
crl.microsoft.com
Elisa Oyj
NL
whitelisted
5496
MoUsoCoreWorker.exe
2.23.246.101:80
www.microsoft.com
Ooredoo Q.S.C.
QA
whitelisted
6652
RUXIMICS.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:138
whitelisted
4448
Avast Antivirus.exe
149.154.167.220:443
api.telegram.org
Telegram Messenger Inc
GB
whitelisted
4448
Avast Antivirus.exe
140.82.121.3:443
github.com
GITHUB
US
whitelisted
4448
Avast Antivirus.exe
185.199.108.133:443
objects.githubusercontent.com
FASTLY
US
whitelisted

DNS requests

Domain
IP
Reputation
google.com
  • 142.250.185.174
whitelisted
crl.microsoft.com
  • 2.19.11.120
  • 2.19.11.105
whitelisted
www.microsoft.com
  • 2.23.246.101
whitelisted
settings-win.data.microsoft.com
  • 40.127.240.158
  • 20.73.194.208
whitelisted
api.telegram.org
  • 149.154.167.220
whitelisted
github.com
  • 140.82.121.3
whitelisted
objects.githubusercontent.com
  • 185.199.108.133
  • 185.199.111.133
  • 185.199.109.133
  • 185.199.110.133
whitelisted
gulf.mpool.pro
unknown
client.wns.windows.com
  • 172.211.123.248
whitelisted
login.live.com
  • 20.190.159.68
  • 40.126.31.129
  • 20.190.159.128
  • 20.190.159.23
  • 20.190.159.131
  • 20.190.159.2
  • 20.190.159.75
  • 40.126.31.0
whitelisted

Threats

PID
Process
Class
Message
4448
Avast Antivirus.exe
Misc activity
ET HUNTING Observed Telegram API Domain (api .telegram .org in TLS SNI)
2196
svchost.exe
Misc activity
ET HUNTING Telegram API Domain in DNS Lookup
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
Avast Antivirus.exe