Malware analysis avast_premium_security_setup_online.exe Malicious activity

Add for printing

File name:	avast_premium_security_setup_online.exe
Full analysis:	https://app.any.run/tasks/a4d41501-4e40-408c-88c1-544da940f4a7
Verdict:	Malicious activity
Threats:	A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. Malware Trends Tracker >>>
Analysis date:	April 20, 2025, 13:09:55
OS:	Windows 10 Professional (build: 19044, 64 bit)
Tags:	loader evasion stealer
Indicators:
MIME:	application/vnd.microsoft.portable-executable
File info:	PE32 executable (GUI) Intel 80386, for MS Windows, 6 sections
MD5:	88C638C3CE53EDF10D8D51466D191C62
SHA1:	96B6B69AA2C1A31C7C24CC4C7FD1D2C7A0535984
SHA256:	115654572E31D64900E92B7F33097D1A3C7A20F62A107E00600B6FEE712336F5
SSDEEP:	3072:fhrEcYTuZF3sDmYFDL56DLiSNMWm5RC3Oy1jjHfJWcCAnzuVmoP7wxi6yd+gf8nA:vYTuZFuB66SBRHJWcPz8/JrLACuTY

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 300 seconds
Heavy Evasion option:: off
Network geolocation:: off
Additional time used:: 240 seconds
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.3636.19041.0
Adobe Acrobat (64-bit) (23.001.20093)
Adobe Flash Player 32 NPAPI (32.0.0.465)
Adobe Flash Player 32 PPAPI (32.0.0.465)
CCleaner (6.20)
FileZilla 3.65.0 (3.65.0)
Google Chrome (122.0.6261.70)
Google Update Helper (1.3.36.51)
Java 8 Update 271 (64-bit) (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Microsoft Edge (122.0.2365.59)
Microsoft Edge Update (1.3.185.17)
Microsoft Office Professional 2019 - de-de (16.0.16026.20146)
Microsoft Office Professional 2019 - en-us (16.0.16026.20146)
Microsoft Office Professional 2019 - es-es (16.0.16026.20146)
Microsoft Office Professional 2019 - it-it (16.0.16026.20146)
Microsoft Office Professional 2019 - ja-jp (16.0.16026.20146)
Microsoft Office Professional 2019 - ko-kr (16.0.16026.20146)
Microsoft Office Professional 2019 - pt-br (16.0.16026.20146)
Microsoft Office Professional 2019 - tr-tr (16.0.16026.20146)
Microsoft Office Professionnel 2019 - fr-fr (16.0.16026.20146)
Microsoft Office профессиональный 2019 - ru-ru (16.0.16026.20146)
Microsoft OneNote - en-us (16.0.16026.20146)
Microsoft Update Health Tools (3.74.0.0)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x64 en-US) (123.0)
Mozilla Maintenance Service (123.0)
Notepad++ (64-bit x64) (7.9.1)
Office 16 Click-to-Run Extensibility Component (16.0.15726.20202)
Office 16 Click-to-Run Licensing Component (16.0.16026.20146)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15928.20198)
PowerShell 7-x64 (7.3.5.0)
Skype version 8.104 (8.104)
Update for Windows 10 for x64-based Systems (KB4023057) (2.59.0.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.63.0.0)
Update for Windows 10 for x64-based Systems (KB4480730) (2.55.0.0)
Update for Windows 10 for x64-based Systems (KB5001716) (8.93.0.0)
VLC media player (3.0.11)
WinRAR 5.91 (64-bit) (5.91.0)
Windows PC Health Check (3.6.2204.08001)

Hotfixes

Client LanguagePack Package
DotNetRollup
DotNetRollup 481
FodMetadata Package
Foundation Package
Hello Face Package
InternetExplorer Optional Package
KB5003791
KB5011048
KB5015684
KB5033052
LanguageFeatures Basic en us Package
LanguageFeatures Handwriting en us Package
LanguageFeatures OCR en us Package
LanguageFeatures Speech en us Package
LanguageFeatures TextToSpeech en us Package
MSPaint FoD Package
MediaPlayer Package
Microsoft OneCore ApplicationModel Sync Desktop FOD Package
Microsoft OneCore DirectX Database FOD Package
NetFx3 OnDemand Package
Notepad FoD Package
OpenSSH Client Package
PowerShell ISE FOD Package
Printing PMCPPC FoD Package
Printing WFS FoD Package
ProfessionalEdition
QuickAssist Package
RollupFix
ServicingStack
ServicingStack 3989
StepsRecorder Package
TabletPCMath Package
UserExperience Desktop Package
WordPad FoD Package

Add for printing

MALICIOUS
- Changes the autorun value in the registry
  - instup.exe (PID: 4740)
  - instup.exe (PID: 7636)
- Steals credentials from Web Browsers
  - engsup.exe (PID: 4868)
  - AvastSvc.exe (PID: 5124)
  - aswEngSrv.exe (PID: 6072)
  - AvastUI.exe (PID: 7324)
- Actions looks like stealing of personal data
  - engsup.exe (PID: 4868)
  - AvastSvc.exe (PID: 5124)
  - aswEngSrv.exe (PID: 6072)
  - AvastUI.exe (PID: 7324)
- Antivirus name has been found in the command line (generic signature)
  - AvastUI.exe (PID: 7324)
  - AvastUI.exe (PID: 3396)
  - AvastUI.exe (PID: 6416)
  - AvastUI.exe (PID: 2344)
  - AvastUI.exe (PID: 7604)
  - AvastUI.exe (PID: 7460)
  - AvastUI.exe (PID: 7008)
  - AvastUI.exe (PID: 6712)
  - AvastUI.exe (PID: 8348)
  - AvastUI.exe (PID: 8360)
SUSPICIOUS
- Potential Corporate Privacy Violation
  - avast_premium_security_setup_online.exe (PID: 4988)
  - AvastUI.exe (PID: 7324)
- Executable content was dropped or overwritten
  - avast_premium_security_setup_online.exe (PID: 4988)
  - avast_premium_security_setup_online_x64.exe (PID: 5892)
  - Instup.exe (PID: 5436)
  - instup.exe (PID: 4740)
  - AvEmUpdate.exe (PID: 5044)
  - engsup.exe (PID: 540)
  - AvastSvc.exe (PID: 5124)
  - instup.exe (PID: 7636)
  - AvEmUpdate.exe (PID: 960)
  - aswOfferTool.exe (PID: 8088)
- Process requests binary or script from the Internet
  - avast_premium_security_setup_online.exe (PID: 4988)
- There is functionality for taking screenshot (YARA)
  - avast_premium_security_setup_online.exe (PID: 4988)
- Starts itself from another location
  - Instup.exe (PID: 5436)
- Process checks presence of unattended files
  - instup.exe (PID: 4740)
- The process verifies whether the antivirus software is installed
  - instup.exe (PID: 4740)
  - SetupInf.exe (PID: 6960)
  - SetupInf.exe (PID: 516)
  - SetupInf.exe (PID: 6264)
  - SetupInf.exe (PID: 3884)
  - SetupInf.exe (PID: 4620)
  - SetupInf.exe (PID: 2644)
  - SetupInf.exe (PID: 5256)
  - AvEmUpdate.exe (PID: 7000)
  - AvEmUpdate.exe (PID: 5044)
  - RegSvr.exe (PID: 3620)
  - RegSvr.exe (PID: 4000)
  - AvastNM.exe (PID: 2244)
  - SetupInf.exe (PID: 132)
  - wsc_proxy.exe (PID: 5344)
  - afwServ.exe (PID: 6436)
  - wsc_proxy.exe (PID: 6972)
  - aswToolsSvc.exe (PID: 1748)
  - engsup.exe (PID: 4868)
  - AvastSvc.exe (PID: 5124)
  - aswEngSrv.exe (PID: 6072)
  - instup.exe (PID: 6612)
  - instup.exe (PID: 7636)
  - overseer.exe (PID: 6256)
  - instup.exe (PID: 8072)
  - engsup.exe (PID: 540)
  - AvEmUpdate.exe (PID: 960)
  - aswOfferTool.exe (PID: 8088)
  - aswOfferTool.exe (PID: 6500)
  - AvastUI.exe (PID: 7324)
  - AvastUI.exe (PID: 6712)
  - AvastUI.exe (PID: 2344)
  - AvastUI.exe (PID: 7460)
  - AvastUI.exe (PID: 3396)
  - AvastUI.exe (PID: 7604)
  - AvastUI.exe (PID: 6416)
  - AvastUI.exe (PID: 7008)
  - AvastUI.exe (PID: 8360)
  - AvastUI.exe (PID: 8348)
- Creates files in the driver directory
  - instup.exe (PID: 4740)
  - AvEmUpdate.exe (PID: 5044)
- Creates a software uninstall entry
  - instup.exe (PID: 4740)
- Creates/Modifies COM task schedule object
  - instup.exe (PID: 4740)
  - RegSvr.exe (PID: 3620)
  - RegSvr.exe (PID: 4000)
- Creates or modifies Windows services
  - instup.exe (PID: 4740)
- Process drops legitimate windows executable
  - instup.exe (PID: 4740)
  - engsup.exe (PID: 540)
  - instup.exe (PID: 7636)
- The process drops C-runtime libraries
  - instup.exe (PID: 4740)
  - engsup.exe (PID: 540)
- Drops a system driver (possible attempt to evade defenses)
  - instup.exe (PID: 4740)
  - AvEmUpdate.exe (PID: 5044)
- Checks for external IP
  - AvEmUpdate.exe (PID: 5044)
  - aswToolsSvc.exe (PID: 1748)
  - AvastSvc.exe (PID: 5124)
  - AvEmUpdate.exe (PID: 960)
  - AvastUI.exe (PID: 7324)
- Searches for installed software
  - overseer.exe (PID: 6256)
- Executes as Windows Service
  - wsc_proxy.exe (PID: 6972)
  - afwServ.exe (PID: 6436)
  - AvastSvc.exe (PID: 5124)
  - aswToolsSvc.exe (PID: 1748)
- Reads security settings of Internet Explorer
  - AvastSvc.exe (PID: 5124)
- Reads the date of Windows installation
  - instup.exe (PID: 4740)
  - AvastUI.exe (PID: 7324)
  - AvastSvc.exe (PID: 5124)
- Modifies hosts file to alter network resolution
  - AvastSvc.exe (PID: 5124)
- Connects to unusual port
  - AvastSvc.exe (PID: 5124)
- Adds/modifies Windows certificates
  - AvastSvc.exe (PID: 5124)
- Checks for Java to be installed
  - AvastSvc.exe (PID: 5124)
- Reads Microsoft Outlook installation path
  - AvastSvc.exe (PID: 5124)
- Read startup parameters
  - AvastSvc.exe (PID: 5124)
- Application launched itself
  - AvastUI.exe (PID: 7324)
INFO
- The sample compiled with english language support
  - avast_premium_security_setup_online.exe (PID: 5544)
  - avast_premium_security_setup_online.exe (PID: 4988)
  - avast_premium_security_setup_online_x64.exe (PID: 5892)
  - Instup.exe (PID: 5436)
  - instup.exe (PID: 4740)
  - AvEmUpdate.exe (PID: 5044)
  - engsup.exe (PID: 540)
  - AvastSvc.exe (PID: 5124)
  - instup.exe (PID: 7636)
  - AvEmUpdate.exe (PID: 960)
  - aswOfferTool.exe (PID: 8088)
- Checks supported languages
  - avast_premium_security_setup_online.exe (PID: 5544)
  - avast_premium_security_setup_online.exe (PID: 4988)
  - avast_premium_security_setup_online_x64.exe (PID: 5892)
  - Instup.exe (PID: 5436)
  - instup.exe (PID: 4740)
  - aswOfferTool.exe (PID: 1164)
  - sbr.exe (PID: 6252)
  - SetupInf.exe (PID: 6960)
  - SetupInf.exe (PID: 516)
  - SetupInf.exe (PID: 6264)
  - SetupInf.exe (PID: 4620)
  - SetupInf.exe (PID: 3884)
  - SetupInf.exe (PID: 2644)
  - SetupInf.exe (PID: 5256)
  - AvEmUpdate.exe (PID: 7000)
  - AvEmUpdate.exe (PID: 5044)
  - RegSvr.exe (PID: 3620)
  - RegSvr.exe (PID: 4000)
  - AvastNM.exe (PID: 2244)
  - engsup.exe (PID: 540)
  - SetupInf.exe (PID: 132)
  - overseer.exe (PID: 6256)
  - wsc_proxy.exe (PID: 5344)
  - wsc_proxy.exe (PID: 6972)
  - afwServ.exe (PID: 6436)
  - AvastSvc.exe (PID: 5124)
  - aswToolsSvc.exe (PID: 1748)
  - engsup.exe (PID: 4868)
  - aswEngSrv.exe (PID: 6072)
  - instup.exe (PID: 7636)
  - instup.exe (PID: 6612)
  - instup.exe (PID: 8072)
  - AvEmUpdate.exe (PID: 960)
  - AvastUI.exe (PID: 7324)
  - aswOfferTool.exe (PID: 8088)
  - aswOfferTool.exe (PID: 6500)
  - AvastUI.exe (PID: 2344)
  - AvastUI.exe (PID: 6712)
  - AvastUI.exe (PID: 6416)
  - AvastUI.exe (PID: 3396)
  - AvastUI.exe (PID: 7604)
  - AvastUI.exe (PID: 7008)
  - AvastUI.exe (PID: 7460)
  - AvastUI.exe (PID: 8348)
  - AvastUI.exe (PID: 8360)
- Reads the machine GUID from the registry
  - avast_premium_security_setup_online.exe (PID: 4988)
  - avast_premium_security_setup_online.exe (PID: 5544)
  - avast_premium_security_setup_online_x64.exe (PID: 5892)
  - Instup.exe (PID: 5436)
  - instup.exe (PID: 4740)
  - SetupInf.exe (PID: 3884)
  - SetupInf.exe (PID: 6960)
  - SetupInf.exe (PID: 516)
  - SetupInf.exe (PID: 6264)
  - SetupInf.exe (PID: 4620)
  - SetupInf.exe (PID: 2644)
  - SetupInf.exe (PID: 5256)
  - AvEmUpdate.exe (PID: 5044)
  - RegSvr.exe (PID: 3620)
  - RegSvr.exe (PID: 4000)
  - overseer.exe (PID: 6256)
  - SetupInf.exe (PID: 132)
  - wsc_proxy.exe (PID: 5344)
  - wsc_proxy.exe (PID: 6972)
  - afwServ.exe (PID: 6436)
  - AvastSvc.exe (PID: 5124)
  - aswToolsSvc.exe (PID: 1748)
  - instup.exe (PID: 6612)
  - instup.exe (PID: 7636)
  - instup.exe (PID: 8072)
  - AvEmUpdate.exe (PID: 960)
  - AvastUI.exe (PID: 7324)
  - AvastUI.exe (PID: 6712)
  - AvastUI.exe (PID: 3396)
  - AvastUI.exe (PID: 7604)
  - AvastUI.exe (PID: 6416)
  - AvastUI.exe (PID: 7008)
  - AvastUI.exe (PID: 7460)
  - AvastUI.exe (PID: 2344)
- Reads the computer name
  - avast_premium_security_setup_online.exe (PID: 4988)
  - avast_premium_security_setup_online.exe (PID: 5544)
  - avast_premium_security_setup_online_x64.exe (PID: 5892)
  - Instup.exe (PID: 5436)
  - instup.exe (PID: 4740)
  - SetupInf.exe (PID: 3884)
  - SetupInf.exe (PID: 6960)
  - SetupInf.exe (PID: 516)
  - SetupInf.exe (PID: 6264)
  - SetupInf.exe (PID: 4620)
  - SetupInf.exe (PID: 2644)
  - SetupInf.exe (PID: 5256)
  - AvEmUpdate.exe (PID: 7000)
  - AvEmUpdate.exe (PID: 5044)
  - RegSvr.exe (PID: 3620)
  - RegSvr.exe (PID: 4000)
  - SetupInf.exe (PID: 132)
  - overseer.exe (PID: 6256)
  - wsc_proxy.exe (PID: 5344)
  - wsc_proxy.exe (PID: 6972)
  - afwServ.exe (PID: 6436)
  - AvastSvc.exe (PID: 5124)
  - aswToolsSvc.exe (PID: 1748)
  - engsup.exe (PID: 4868)
  - instup.exe (PID: 7636)
  - instup.exe (PID: 6612)
  - instup.exe (PID: 8072)
  - AvEmUpdate.exe (PID: 960)
  - AvastUI.exe (PID: 7324)
  - AvastUI.exe (PID: 6712)
  - AvastUI.exe (PID: 6416)
  - AvastUI.exe (PID: 2344)
  - AvastUI.exe (PID: 3396)
  - AvastUI.exe (PID: 7008)
  - AvastUI.exe (PID: 7460)
  - AvastUI.exe (PID: 7604)
- Manual execution by a user
  - avast_premium_security_setup_online.exe (PID: 4988)
  - avast_premium_security_setup_online.exe (PID: 6988)
  - AvastUI.exe (PID: 7324)
- Reads CPU info
  - avast_premium_security_setup_online_x64.exe (PID: 5892)
  - Instup.exe (PID: 5436)
  - instup.exe (PID: 4740)
  - SetupInf.exe (PID: 3884)
  - SetupInf.exe (PID: 6960)
  - SetupInf.exe (PID: 516)
  - SetupInf.exe (PID: 6264)
  - SetupInf.exe (PID: 4620)
  - SetupInf.exe (PID: 2644)
  - SetupInf.exe (PID: 5256)
  - AvEmUpdate.exe (PID: 7000)
  - AvEmUpdate.exe (PID: 5044)
  - RegSvr.exe (PID: 4000)
  - RegSvr.exe (PID: 3620)
  - SetupInf.exe (PID: 132)
  - AvastNM.exe (PID: 2244)
  - engsup.exe (PID: 540)
  - wsc_proxy.exe (PID: 5344)
  - wsc_proxy.exe (PID: 6972)
  - afwServ.exe (PID: 6436)
  - AvastSvc.exe (PID: 5124)
  - aswToolsSvc.exe (PID: 1748)
  - engsup.exe (PID: 4868)
  - aswEngSrv.exe (PID: 6072)
  - instup.exe (PID: 6612)
  - instup.exe (PID: 7636)
  - instup.exe (PID: 8072)
  - AvastUI.exe (PID: 7324)
  - AvEmUpdate.exe (PID: 960)
  - AvastUI.exe (PID: 6712)
  - AvastUI.exe (PID: 6416)
  - AvastUI.exe (PID: 7460)
  - AvastUI.exe (PID: 7604)
  - AvastUI.exe (PID: 2344)
  - AvastUI.exe (PID: 3396)
  - AvastUI.exe (PID: 7008)
  - AvastUI.exe (PID: 8348)
  - AvastUI.exe (PID: 8360)
- Reads the software policy settings
  - avast_premium_security_setup_online.exe (PID: 4988)
  - avast_premium_security_setup_online_x64.exe (PID: 5892)
  - Instup.exe (PID: 5436)
  - instup.exe (PID: 4740)
  - slui.exe (PID: 7152)
  - slui.exe (PID: 6488)
  - AvEmUpdate.exe (PID: 5044)
  - instup.exe (PID: 6612)
  - AvastSvc.exe (PID: 5124)
  - instup.exe (PID: 7636)
  - AvEmUpdate.exe (PID: 960)
  - AvastUI.exe (PID: 7324)
- Creates files in the program directory
  - avast_premium_security_setup_online_x64.exe (PID: 5892)
  - Instup.exe (PID: 5436)
  - instup.exe (PID: 4740)
  - AvEmUpdate.exe (PID: 7000)
  - AvEmUpdate.exe (PID: 5044)
  - AvastNM.exe (PID: 2244)
  - engsup.exe (PID: 540)
  - wsc_proxy.exe (PID: 5344)
  - afwServ.exe (PID: 6436)
  - engsup.exe (PID: 4868)
  - AvastSvc.exe (PID: 5124)
  - aswToolsSvc.exe (PID: 1748)
  - instup.exe (PID: 6612)
  - instup.exe (PID: 7636)
  - AvEmUpdate.exe (PID: 960)
  - AvastUI.exe (PID: 7324)
  - aswOfferTool.exe (PID: 8088)
- Checks proxy server information
  - avast_premium_security_setup_online_x64.exe (PID: 5892)
  - Instup.exe (PID: 5436)
  - instup.exe (PID: 4740)
  - slui.exe (PID: 6488)
  - AvEmUpdate.exe (PID: 7000)
  - AvEmUpdate.exe (PID: 5044)
  - instup.exe (PID: 7636)
  - AvastUI.exe (PID: 7324)
  - AvEmUpdate.exe (PID: 960)
  - AvastUI.exe (PID: 6712)
  - AvastUI.exe (PID: 6416)
  - AvastUI.exe (PID: 3396)
  - AvastUI.exe (PID: 7008)
  - AvastUI.exe (PID: 7604)
  - AvastUI.exe (PID: 7460)
  - AvastUI.exe (PID: 2344)
- Reads Environment values
  - Instup.exe (PID: 5436)
  - instup.exe (PID: 4740)
  - AvEmUpdate.exe (PID: 7000)
  - AvEmUpdate.exe (PID: 5044)
  - afwServ.exe (PID: 6436)
  - aswToolsSvc.exe (PID: 1748)
  - AvastSvc.exe (PID: 5124)
  - instup.exe (PID: 6612)
  - instup.exe (PID: 7636)
  - instup.exe (PID: 8072)
  - AvEmUpdate.exe (PID: 960)
  - AvastUI.exe (PID: 7324)
- The sample compiled with czech language support
  - instup.exe (PID: 4740)
- Create files in a temporary directory
  - engsup.exe (PID: 4868)
  - AvastUI.exe (PID: 7324)
- Reads product name
  - AvastSvc.exe (PID: 5124)
- Process checks computer location settings
  - AvastUI.exe (PID: 7324)
  - AvastUI.exe (PID: 7604)
  - AvastUI.exe (PID: 2344)
  - AvastUI.exe (PID: 6712)
  - AvastUI.exe (PID: 7460)
- Creates files or folders in the user directory
  - AvastUI.exe (PID: 7324)
  - AvastUI.exe (PID: 7008)
- Process checks whether UAC notifications are on
  - AvastSvc.exe (PID: 5124)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.exe	\|	Win64 Executable (generic) (76.4)
.exe	\|	Win32 Executable (generic) (12.4)
.exe	\|	Generic Win/DOS Executable (5.5)
.exe	\|	DOS Executable Generic (5.5)

EXIF

EXE

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2023:04:12 08:36:05+00:00
ImageFileCharacteristics:	Executable, Large address aware, 32-bit
PEType:	PE32
LinkerVersion:	14.16
CodeSize:	137216
InitializedDataSize:	117760
UninitializedDataSize:	-
EntryPoint:	0x1020
OSVersion:	5.1
ImageVersion:	-
SubsystemVersion:	5.1
Subsystem:	Windows GUI
FileVersionNumber:	2.1.99.0
ProductVersionNumber:	2.1.99.0
FileFlagsMask:	0x003f
FileFlags:	(none)
FileOS:	Windows NT 32-bit
ObjectFileType:	Executable application
FileSubtype:	-
LanguageCode:	English (U.S.)
CharacterSet:	Unicode
CompanyName:	AVAST Software
Edition:	12
FileDescription:	Avast Installer
FileVersion:	2.1.99.0
InternalName:	microstub
LegalCopyright:	Copyright (c) 2023 AVAST Software
OriginalFileName:	microstub.exe
ProductName:	Avast
ProductVersion:	2.1.99.0

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

190

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

132

"C:\Program Files\Avast Software\Avast\SetupInf.exe" /catinstall:"C:\Program Files\Avast Software\Avast\setup\crts.cat" /basename:pkg_{af98c830-4f53-4176-a7b0-ec21fc603adc}.cat /crtid:8CCB78ACC60926D900DD70742B3CF229B01D4255

C:\Program Files\Avast Software\Avast\SetupInf.exe

—

instup.exe

User:

admin

Company:

Gen Digital Inc.

Integrity Level:

HIGH

Description:

Avast Antivirus Installer

Exit code:

Version:

25.3.9983.0

Modules

Images
c:\program files\avast software\avast\setupinf.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll

516

"C:\Program Files\Avast Software\Avast\SetupInf.exe" /uninstall /catalog:aswRdr2.cat

C:\Program Files\Avast Software\Avast\SetupInf.exe

—

instup.exe

User:

admin

Company:

Gen Digital Inc.

Integrity Level:

HIGH

Description:

Avast Antivirus Installer

Exit code:

Version:

25.3.9983.0

Modules

Images
c:\program files\avast software\avast\setupinf.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll

540

"C:\Program Files\Avast Software\Avast\defs\25041999\engsup.exe" /prepare_definitions_folder

C:\Program Files\Avast Software\Avast\defs\25041999\engsup.exe

instup.exe

User:

admin

Company:

Gen Digital Inc.

Integrity Level:

HIGH

Description:

Avast Antivirus vps tool

Exit code:

Version:

18.0.2198.0

Modules

Images
c:\program files\avast software\avast\defs\25041999\engsup.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll

780

C:\WINDOWS\system32\SppExtComObj.exe -Embedding

C:\Windows\System32\SppExtComObj.Exe

—

svchost.exe

User:

NETWORK SERVICE

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

KMS Connection Broker

Exit code:

Version:

10.0.19041.3996 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\sppextcomobj.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\oleaut32.dll

960

"C:\Program Files\Avast Software\Avast\AvEmUpdate.exe" /installer2

C:\Program Files\Avast Software\Avast\AvEmUpdate.exe

instup.exe

User:

admin

Company:

Gen Digital Inc.

Integrity Level:

HIGH

Description:

Avast Emergency Update

Exit code:

Version:

25.3.9983.0

Modules

Images
c:\program files\avast software\avast\avemupdate.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\winhttp.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\advapi32.dll

1164

"C:\Windows\Temp\asw.8490064ca660b7a0\New_1903180a\aswOfferTool.exe" -checkGToolbar -elevated

C:\Windows\Temp\asw.8490064ca660b7a0\New_1903180a\aswOfferTool.exe

—

instup.exe

User:

admin

Company:

Gen Digital Inc.

Integrity Level:

HIGH

Description:

Avast Offer Installation Tool

Exit code:

Version:

25.3.9983.0

Modules

Images
c:\windows\temp\asw.8490064ca660b7a0\new_1903180a\aswoffertool.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll

1748

"C:\Program Files\Avast Software\Avast\aswToolsSvc.exe" /runassvc

C:\Program Files\Avast Software\Avast\aswToolsSvc.exe

services.exe

User:

SYSTEM

Company:

Gen Digital Inc.

Integrity Level:

SYSTEM

Description:

Avast Antivirus

Version:

25.3.9983.0

Modules

Images
c:\program files\avast software\avast\aswtoolssvc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll

2244

"C:\Program Files\Avast Software\Avast\AvastNM.exe" /install

C:\Program Files\Avast Software\Avast\AvastNM.exe

—

instup.exe

User:

admin

Company:

Gen Digital Inc.

Integrity Level:

HIGH

Description:

Avast Antivirus

Exit code:

Version:

25.3.9983.0

Modules

Images
c:\program files\avast software\avast\avastnm.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\shell32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\wtsapi32.dll

2284

"C:\Users\admin\Desktop\avast_premium_security_setup_online.exe"

C:\Users\admin\Desktop\avast_premium_security_setup_online.exe

—

explorer.exe

User:

admin

Company:

AVAST Software

Integrity Level:

MEDIUM

Description:

Avast Installer

Exit code:

3221226540

Version:

2.1.99.0

Modules

Images
c:\users\admin\desktop\avast_premium_security_setup_online.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll

2344

"C:\Program Files\Avast Software\Avast\AvastUI.exe" --type=renderer --no-sandbox --autoplay-policy=no-user-gesture-required --log-file="C:\Users\admin\AppData\Roaming\Avast Software\Avast\log\cef_log.txt" --field-trial-handle=9120,234451559113940762,5604171265626235984,131072 --disable-features=CalculateNativeWinOcclusion,CookiesWithoutSameSiteMustBeSecure,SameSiteByDefaultCookies,SameSiteDefaultChecksMethodRigorously --disable-gpu-compositing --lang=en-US --log-file="C:\Users\admin\AppData\Roaming\Avast Software\Avast\log\cef_log.txt" --log-severity=error --user-agent="Mozilla/5.0 AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.101 Safari/537.36 Avastium (0.0.0) (Windows 10.0)" --disable-webaudio --force-wave-audio --disable-software-rasterizer --no-sandbox --blacklist-accelerated-compositing --disable-accelerated-2d-canvas --disable-accelerated-compositing --disable-accelerated-layers --disable-accelerated-video-decode --blacklist-webgl --disable-bundled-ppapi-flash --disable-flash-3d --enable-aggressive-domstorage-flushing --enable-media-stream --disable-gpu --disable-webgl --disable-gpu-compositing --allow-file-access-from-files=1 --pack_loading_disabled=1 --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=9424 /prefetch:1

C:\Program Files\Avast Software\Avast\AvastUI.exe

—

AvastUI.exe

User:

admin

Company:

Gen Digital Inc.

Integrity Level:

MEDIUM

Description:

Avast Antivirus

Exit code:

Version:

25.3.9983.970

Modules

Images
c:\program files\avast software\avast\avastui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll

Add for printing

Total events

57 333

Read events

47 842

Write events

9 249

Delete events

242

Modification events


(PID) Process:	(5892) avast_premium_security_setup_online_x64.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Avast Software
Operation:	delete key	Name:	(default)
Value:
(PID) Process:	(5892) avast_premium_security_setup_online_x64.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Avast Software
Operation:	write	Name:	SymbolicLinkValue
Value: \Registry\MACHINE\SOFTWARE\Avast Software
(PID) Process:	(5892) avast_premium_security_setup_online_x64.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AvastPersistentStorage
Operation:	write	Name:	SfxInstProgress
Value: 0
(PID) Process:	(5892) avast_premium_security_setup_online_x64.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AvastPersistentStorage
Operation:	write	Name:	SfxInstProgress
Value: 7
(PID) Process:	(5892) avast_premium_security_setup_online_x64.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AvastPersistentStorage
Operation:	write	Name:	SfxInstProgress
Value: 14
(PID) Process:	(5892) avast_premium_security_setup_online_x64.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AvastPersistentStorage
Operation:	write	Name:	SfxInstProgress
Value: 21
(PID) Process:	(5892) avast_premium_security_setup_online_x64.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AvastPersistentStorage
Operation:	write	Name:	SfxInstProgress
Value: 28
(PID) Process:	(5892) avast_premium_security_setup_online_x64.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AvastPersistentStorage
Operation:	write	Name:	SfxInstProgress
Value: 35
(PID) Process:	(5892) avast_premium_security_setup_online_x64.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AvastPersistentStorage
Operation:	write	Name:	SfxInstProgress
Value: 42
(PID) Process:	(5892) avast_premium_security_setup_online_x64.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AvastPersistentStorage
Operation:	write	Name:	SfxInstProgress
Value: 71

Add for printing

Executable files

835

Suspicious files

669

Text files

344

Unknown types

Dropped files

PID	Process	Filename		Type
4988	avast_premium_security_setup_online.exe	C:\Windows\Temp\asw.17c16948ce939803\eapt.edat		text
		MD5:B510BA1FFD656737B7B896367688EA72	SHA256:087E161185CFFE1A580FB15CF10EBD5B39C1ED14E256DF000C3664E0511FE236
5892	avast_premium_security_setup_online_x64.exe	C:\Windows\Temp\asw.8490064ca660b7a0\prod-vps.vpx		binary
		MD5:219FB106705B5ED2EE4A679A0AE08942	SHA256:62131EACFBB8C1627E4632868C8FF718C458B34F9CB9B134228F7CA549EE6C31
5892	avast_premium_security_setup_online_x64.exe	C:\Windows\Temp\asw.8490064ca660b7a0\part-prg_ais-1903180a.vpx		binary
		MD5:B50A6AA54F53A7D5CB815BC720A811C4	SHA256:254743D2D8FB63BAECA06B1FE6512AB73949AF6F533EC60C40191C06165D5EE0
5892	avast_premium_security_setup_online_x64.exe	C:\Windows\Temp\asw.8490064ca660b7a0\uat.vpx		binary
		MD5:25F0B1036768E0D01A866CAE788FC1AC	SHA256:4B45CDBBFD39026CB69549329430D865A328DCC251DB5FC252A60846A04B193D
5892	avast_premium_security_setup_online_x64.exe	C:\Windows\Temp\asw.8490064ca660b7a0\config.def.vpx		binary
		MD5:15A592A63B146A608292A94354519CE5	SHA256:3306562DD655EB4DA4BC2D736C1DB1BBB5945A69A6D1EF68588428F22467ADF9
5892	avast_premium_security_setup_online_x64.exe	C:\Windows\Temp\asw.8490064ca660b7a0\part-jrog2-1809.vpx		binary
		MD5:86FA15C7FDA08AF3F9F040615C6A73FC	SHA256:20CFAC7ACFC6865876211165A66ED945CD9703FA89E18411975E323F6D7A0F34
5892	avast_premium_security_setup_online_x64.exe	C:\ProgramData\Avast Software\Persistent Data\Avast\Logs\Setup.log		text
		MD5:ECAA88F7FA0BF610A5A26CF545DCD3AA	SHA256:F1945CD6C19E56B3C1C78943EF5EC18116907A4CA1EFC40A57D48AB1DB7ADFC5
5892	avast_premium_security_setup_online_x64.exe	C:\Windows\Temp\asw.8490064ca660b7a0\part-setup_ais-1903180a.vpx		binary
		MD5:68508275996CA2EBB77E8E091FCE7F69	SHA256:011DA01A07BF23CB5DB39B4CE2D3113CBD55F1B2532707531103BF439428D0A0
5892	avast_premium_security_setup_online_x64.exe	C:\Windows\Temp\asw.8490064ca660b7a0\servers.def		ini
		MD5:60C932B1EF6F856D37B406BBDC140442	SHA256:E01C4BCB97F0E6A256463786E9EC408F2C7F64DCF97D3B9981A7B36D08FD355C
5892	avast_premium_security_setup_online_x64.exe	C:\Windows\Temp\asw.8490064ca660b7a0\Instup.exe		executable
		MD5:9048C1C2C4B2A7214D9F9E7232F50AD5	SHA256:BF36E5EF2014EA2F28FEA10D31435EA5D05A9CA7942B72AAB0F66AC2624524BA

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

116

TCP/UDP connections

450

DNS requests

336

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
5436	Instup.exe	GET	200	104.109.143.151:80	http://f3461309.iavs9x.u.avast.com/iavs9x/instcont_x64_ais-a63.vpx	unknown	—	—	whitelisted
5436	Instup.exe	GET	200	104.109.143.151:80	http://f3461309.iavs9x.u.avast.com/iavs9x/avdump_x64_ais-a63.vpx	unknown	—	—	whitelisted
5436	Instup.exe	GET	200	104.109.143.151:80	http://f3461309.iavs9x.u.avast.com/iavs9x/instup_x64_ais-a63.vpx	unknown	—	—	whitelisted
—	—	GET	200	23.216.77.28:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
—	—	GET	200	184.30.21.171:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
5544	avast_premium_security_setup_online.exe	POST	200	142.250.186.110:80	http://www.google-analytics.com/collect	unknown	—	—	whitelisted
5544	avast_premium_security_setup_online.exe	POST	204	34.117.223.223:80	http://v7event.stats.avast.com/cgi-bin/iavsevents.cgi	unknown	—	—	whitelisted
6544	svchost.exe	GET	200	2.17.190.73:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D	unknown	—	—	whitelisted
4988	avast_premium_security_setup_online.exe	POST	204	34.117.223.223:80	http://v7event.stats.avast.com/cgi-bin/iavsevents.cgi	unknown	—	—	whitelisted
4988	avast_premium_security_setup_online.exe	POST	200	142.250.186.110:80	http://www.google-analytics.com/collect	unknown	—	—	whitelisted

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:138	—	—	—	whitelisted
—	—	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
—	—	23.216.77.28:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
—	—	184.30.21.171:80	www.microsoft.com	AKAMAI-AS	DE	whitelisted
3216	svchost.exe	172.211.123.248:443	client.wns.windows.com	MICROSOFT-CORP-MSN-AS-BLOCK	FR	whitelisted
5544	avast_premium_security_setup_online.exe	142.250.186.110:80	www.google-analytics.com	GOOGLE	US	whitelisted
5544	avast_premium_security_setup_online.exe	34.117.223.223:80	v7event.stats.avast.com	GOOGLE-CLOUD-PLATFORM	US	whitelisted
6544	svchost.exe	20.190.159.23:443	login.live.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
6544	svchost.exe	2.17.190.73:80	ocsp.digicert.com	AKAMAI-AS	DE	whitelisted
2104	svchost.exe	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted

DNS requests

Domain	IP	Reputation
settings-win.data.microsoft.com	51.104.136.2	whitelisted
google.com	142.250.185.78 142.250.185.142	whitelisted
crl.microsoft.com	23.216.77.28 23.216.77.6 23.216.77.42	whitelisted
www.microsoft.com	184.30.21.171	whitelisted
client.wns.windows.com	172.211.123.248	whitelisted
v7event.stats.avast.com	34.117.223.223	whitelisted
www.google-analytics.com	142.250.186.110	whitelisted
login.live.com	20.190.159.23 40.126.31.131 20.190.159.0 40.126.31.67 20.190.159.131 40.126.31.69 20.190.159.64 20.190.159.2	whitelisted
ocsp.digicert.com	2.17.190.73	whitelisted
iavs9x.u.avcdn.net	23.48.23.20 23.48.23.6	whitelisted

Threats

PID	Process	Class	Message
4988	avast_premium_security_setup_online.exe	Potential Corporate Privacy Violation	ET INFO PE EXE or DLL Windows file download HTTP
2196	svchost.exe	Misc activity	ET INFO External IP Lookup Service in DNS Query (ip-info .ff .avast .com)
2196	svchost.exe	Misc activity	ET INFO External IP Lookup Service in DNS Query (ip-info .ff .avast .com)
5044	AvEmUpdate.exe	Misc activity	ET INFO Observed External IP Lookup Domain (ip-info .ff .avast .com) in TLS SNI
2196	svchost.exe	Misc activity	ET INFO External IP Lookup Service in DNS Query (ip-info .ff .avast .com)
1748	aswToolsSvc.exe	Misc activity	ET INFO Observed External IP Lookup Domain (ip-info .ff .avast .com) in TLS SNI
5124	AvastSvc.exe	Misc activity	ET INFO External IP Lookup Service in DNS Query (ip-info .ff .avast .com)
5124	AvastSvc.exe	Not Suspicious Traffic	INFO [ANY.RUN] Google Hosted Libraries (ajax .googleapis .com)
5124	AvastSvc.exe	Misc activity	INFO [ANY.RUN] Possible short link service (bit .ly)
5124	AvastSvc.exe	Not Suspicious Traffic	INFO [ANY.RUN] BootstrapCDN (maxcdn .bootstrapcdn .com)

Add for printing

Process	Message
AvastSvc.exe	[2025-04-20 13:13:12.204] [error ] [gui_cache ] [ 5124: 6208] [089985: 47] Cannot determine resources folder, defaulting to default_av, which may or may not exist Exception: No GUI resources group is installed
AvastSvc.exe	[2025-04-20 13:13:12.188] [error ] [gui_cache ] [ 5124: 6208] [089985: 47] Cannot determine resources folder, defaulting to default_av, which may or may not exist Exception: No GUI resources group is installed
AvastSvc.exe	[2025-04-20 13:13:12.188] [error ] [gui_cache ] [ 5124: 6208] [089985: 47] Cannot determine resources folder, defaulting to default_av, which may or may not exist Exception: No GUI resources group is installed
AvastSvc.exe	[2025-04-20 13:13:12.282] [error ] [gui_cache ] [ 5124: 6208] [089985: 47] Cannot determine resources folder, defaulting to default_av, which may or may not exist Exception: No GUI resources group is installed
AvastSvc.exe	[2025-04-20 13:13:12.282] [error ] [gui_cache ] [ 5124: 6208] [089985: 47] Cannot determine resources folder, defaulting to default_av, which may or may not exist Exception: No GUI resources group is installed
AvastSvc.exe	[2025-04-20 13:13:12.297] [error ] [gui_cache ] [ 5124: 6208] [089985: 47] Cannot determine resources folder, defaulting to default_av, which may or may not exist Exception: No GUI resources group is installed
AvastSvc.exe	[2025-04-20 13:13:12.297] [error ] [gui_cache ] [ 5124: 6208] [089985: 47] Cannot determine resources folder, defaulting to default_av, which may or may not exist Exception: No GUI resources group is installed
aswToolsSvc.exe	[2025-04-20 13:13:13.690] [error ] [AlphaClient] [ 1748: 4220] [6DA35E: 13] ~qLUdM4zSKYz+6qUvsR5B0YKyDXyR5DiCxqWnL700Q8q6vRFMiNIpjMT/6CCxDEbLgqAQTJ3YKYjU5bITqgJMzrigUXWd0iaCxaX0euZfG5ft5UYk3OAvldPUoimtCBWHq7UeYdzIPobV/rVstxgPy7KgX2mZySXLgfmjL7sCWcC59BtyiNpwx4OnpSOwH0rdqe4Pep/QFYbC6Kk5sB9ww6+7EkyO3i3JwOilE7IESMyziwt6n9Avk4/nqSu3BXDRsosecJ/UP4nV1LIlvQBK0YA=
aswToolsSvc.exe	[2025-04-20 13:13:13.704] [error ] [lif_acc ] [ 1748: 4220] [6DA35E: 13] ~vvQPep/QFYbC6Kk5sB9ww6+7EkyO3i3JwOilE7IESMyziwt6n9Avk4/tpyWyDkuL7+JHJ8iJetaYvOYXuxld+rmxDHDGmTyGwPnmP6oKW9Cu9BZg3NUlk4Hxoz6xRw/XuLcaeoreLsfF6rIt5EsNib67EWeZwz7d0eKlJ4EKTMayoRFno904iMzUtCm5RU7GvosTfJvSJLjV4qUnux9y
aswToolsSvc.exe	[2025-04-20 13:13:13.704] [error ] [lif_acc ] [ 1748: 4220] [6DA35E: 13] ~/aQWcJfkK4TC5LMiqjRJ17K5IGGZ3GSBwOKqKbpFHZPl4EshzIpz0IHQoz6sNEvArrdFMYraK5WB+LItqh5chbSnX32Tz2qdxPmpYP4ZSsa4vQl2mJsuhtXq/Gz8R0zKs6Aaa4iBOo7C4JktvQhA0LOgIHWO1Ce40+6hEQ==

General Info

avast_premium_security_setup_online.exe

88C638C3CE53EDF10D8D51466D191C62

96B6B69AA2C1A31C7C24CC4C7FD1D2C7A0535984

115654572E31D64900E92B7F33097D1A3C7A20F62A107E00600B6FEE712336F5

3072:fhrEcYTuZF3sDmYFDL56DLiSNMWm5RC3Oy1jjHfJWcCAnzuVmoP7wxi6yd+gf8nA:vYTuZFuB66SBRHJWcPz8/JrLACuTY

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Changes the autorun value in the registry

Steals credentials from Web Browsers

Actions looks like stealing of personal data

Antivirus name has been found in the command line (generic signature)

SUSPICIOUS

Potential Corporate Privacy Violation

Executable content was dropped or overwritten

Process requests binary or script from the Internet

There is functionality for taking screenshot (YARA)

Starts itself from another location

Process checks presence of unattended files

The process verifies whether the antivirus software is installed

Creates files in the driver directory

Creates a software uninstall entry

Creates/Modifies COM task schedule object

Creates or modifies Windows services

Process drops legitimate windows executable

The process drops C-runtime libraries

Drops a system driver (possible attempt to evade defenses)

Checks for external IP

Searches for installed software

Executes as Windows Service

Reads security settings of Internet Explorer

Reads the date of Windows installation

Modifies hosts file to alter network resolution

Connects to unusual port

Adds/modifies Windows certificates

Checks for Java to be installed

Reads Microsoft Outlook installation path

Read startup parameters

Application launched itself

INFO

The sample compiled with english language support

Checks supported languages

Reads the machine GUID from the registry

Reads the computer name

Manual execution by a user

Reads CPU info

Reads the software policy settings

Creates files in the program directory

Checks proxy server information

Reads Environment values

The sample compiled with czech language support

Create files in a temporary directory

Reads product name

Process checks computer location settings

Creates files or folders in the user directory

Process checks whether UAC notifications are on

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules