Malware analysis Activator.zip Malicious activity | ANY.RUN

Add for printing

File name:	Activator.zip
Full analysis:	https://app.any.run/tasks/71407c8e-5148-40e6-9252-386127ebf2be
Verdict:	Malicious activity
Threats:	A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. Malware Trends Tracker >>>
Analysis date:	July 28, 2024, 20:39:16
OS:	Windows 10 Professional (build: 19045, 64 bit)
Tags:	spam python loader
Indicators:
MIME:	application/zip
File info:	Zip archive data, at least v1.0 to extract, compression method=store
MD5:	947CA5995D64DD08CCC29CC08D85827F
SHA1:	357198BBD1A7E9C4D9463ECC259E28C5D8F70C21
SHA256:	4E822F20531E250D774ABF6D1173B07A1BD9EC658C9263FDFA908B1691E659B0
SSDEEP:	98304:PGW7WFvSqUebg162+pdUHxbm2KR0ny+hE7c4YHky/98jL6Fkn/0GfDqzU+a0DnYH:rhB4eccftX+gIunx6ZLeo5Wbr7CNjv

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 300 seconds
Heavy Evasion option:
Network geolocation:: off
Additional time used:: 240 seconds
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.3636.19041.0
Adobe Acrobat (64-bit) (23.001.20093)
Adobe Flash Player 32 NPAPI (32.0.0.465)
Adobe Flash Player 32 PPAPI (32.0.0.465)
CCleaner (6.20)
FileZilla 3.65.0 (3.65.0)
Google Chrome (122.0.6261.70)
Google Update Helper (1.3.36.51)
Java 8 Update 271 (64-bit) (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Microsoft Edge (122.0.2365.59)
Microsoft Edge Update (1.3.185.17)
Microsoft Office Professional 2019 - de-de (16.0.16026.20146)
Microsoft Office Professional 2019 - en-us (16.0.16026.20146)
Microsoft Office Professional 2019 - es-es (16.0.16026.20146)
Microsoft Office Professional 2019 - it-it (16.0.16026.20146)
Microsoft Office Professional 2019 - ja-jp (16.0.16026.20146)
Microsoft Office Professional 2019 - ko-kr (16.0.16026.20146)
Microsoft Office Professional 2019 - pt-br (16.0.16026.20146)
Microsoft Office Professional 2019 - tr-tr (16.0.16026.20146)
Microsoft Office Professionnel 2019 - fr-fr (16.0.16026.20146)
Microsoft Office профессиональный 2019 - ru-ru (16.0.16026.20146)
Microsoft OneNote - en-us (16.0.16026.20146)
Microsoft Update Health Tools (3.74.0.0)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x64 en-US) (123.0)
Mozilla Maintenance Service (123.0)
Notepad++ (64-bit x64) (7.9.1)
Office 16 Click-to-Run Extensibility Component (16.0.15726.20202)
Office 16 Click-to-Run Licensing Component (16.0.16026.20146)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15928.20198)
PowerShell 7-x64 (7.3.5.0)
Skype version 8.104 (8.104)
Update for Windows 10 for x64-based Systems (KB4023057) (2.59.0.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.63.0.0)
Update for Windows 10 for x64-based Systems (KB4480730) (2.55.0.0)
Update for Windows 10 for x64-based Systems (KB5001716) (8.93.0.0)
VLC media player (3.0.11)
WinRAR 5.91 (64-bit) (5.91.0)
Windows PC Health Check (3.6.2204.08001)

Hotfixes

Client LanguagePack Package
DotNetRollup
DotNetRollup 481
FodMetadata Package
Foundation Package
Hello Face Package
InternetExplorer Optional Package
KB5003791
KB5011048
KB5015684
KB5033052
LanguageFeatures Basic en us Package
LanguageFeatures Handwriting en us Package
LanguageFeatures OCR en us Package
LanguageFeatures Speech en us Package
LanguageFeatures TextToSpeech en us Package
MSPaint FoD Package
MediaPlayer Package
Microsoft OneCore ApplicationModel Sync Desktop FOD Package
Microsoft OneCore DirectX Database FOD Package
NetFx3 OnDemand Package
Notepad FoD Package
OpenSSH Client Package
PowerShell ISE FOD Package
Printing PMCPPC FoD Package
Printing WFS FoD Package
ProfessionalEdition
QuickAssist Package
RollupFix
ServicingStack
ServicingStack 3989
StepsRecorder Package
TabletPCMath Package
UserExperience Desktop Package
WordPad FoD Package

Add for printing

MALICIOUS
- Drops the executable file immediately after the start
  - avast_premium_security_setup_online.exe (PID: 5488)
  - avast_premium_security_setup_online_x64.exe (PID: 4520)
  - Instup.exe (PID: 3620)
  - aswOfferTool.exe (PID: 5812)
  - aswOfferTool.exe (PID: 5696)
  - aswOfferTool.exe (PID: 2856)
  - instup.exe (PID: 5080)
- Changes the autorun value in the registry
  - instup.exe (PID: 5080)
- Modifies hosts file to block updates
  - cmd.exe (PID: 4608)
SUSPICIOUS
- Process drops python dynamic module
  - WinRAR.exe (PID: 2116)
- Potential Corporate Privacy Violation
  - avast_premium_security_setup_online.exe (PID: 5488)
- Loads Python modules
  - Antivirus Activation Assistant.exe (PID: 1644)
  - Antivirus Activation Assistant.exe (PID: 4212)
  - Antivirus Activation Assistant.exe (PID: 6788)
  - Antivirus Activation Assistant.exe (PID: 4316)
- Executable content was dropped or overwritten
  - avast_premium_security_setup_online.exe (PID: 5488)
  - avast_premium_security_setup_online_x64.exe (PID: 4520)
  - aswOfferTool.exe (PID: 5812)
  - Instup.exe (PID: 3620)
  - aswOfferTool.exe (PID: 2856)
  - aswOfferTool.exe (PID: 5696)
  - instup.exe (PID: 5080)
- Searches for installed software
  - Antivirus Activation Assistant.exe (PID: 1644)
  - Antivirus Activation Assistant.exe (PID: 4212)
  - Antivirus Activation Assistant.exe (PID: 6788)
  - Antivirus Activation Assistant.exe (PID: 4316)
- Process requests binary or script from the Internet
  - avast_premium_security_setup_online.exe (PID: 5488)
- Starts itself from another location
  - Instup.exe (PID: 3620)
  - aswOfferTool.exe (PID: 2856)
- Process checks presence of unattended files
  - instup.exe (PID: 5080)
- Reads security settings of Internet Explorer
  - Antivirus Activation Assistant.exe (PID: 1644)
  - Antivirus Activation Assistant.exe (PID: 4212)
- Likely accesses (executes) a file from the Public directory
  - aswOfferTool.exe (PID: 5696)
- Reads the date of Windows installation
  - Antivirus Activation Assistant.exe (PID: 1644)
  - Antivirus Activation Assistant.exe (PID: 4212)
- Starts CMD.EXE for commands execution
  - Antivirus Activation Assistant.exe (PID: 1644)
  - Antivirus Activation Assistant.exe (PID: 4212)
- Executing commands from a ".bat" file
  - Antivirus Activation Assistant.exe (PID: 1644)
  - Antivirus Activation Assistant.exe (PID: 4212)
- Process drops legitimate windows executable
  - instup.exe (PID: 5080)
- The process drops C-runtime libraries
  - instup.exe (PID: 5080)
- Creates files in the driver directory
  - instup.exe (PID: 5080)
- The process verifies whether the antivirus software is installed
  - instup.exe (PID: 5080)
INFO
- Drops the executable file immediately after the start
  - WinRAR.exe (PID: 2116)
- Reads the computer name
  - avast_premium_security_setup_online.exe (PID: 5488)
  - Antivirus Activation Assistant.exe (PID: 1644)
  - avast_premium_security_setup_online_x64.exe (PID: 4520)
  - Instup.exe (PID: 3620)
  - instup.exe (PID: 5080)
  - aswOfferTool.exe (PID: 2856)
  - Antivirus Activation Assistant.exe (PID: 4212)
  - Antivirus Activation Assistant.exe (PID: 6788)
  - Antivirus Activation Assistant.exe (PID: 4316)
- Reads the machine GUID from the registry
  - avast_premium_security_setup_online.exe (PID: 5488)
  - Antivirus Activation Assistant.exe (PID: 1644)
  - avast_premium_security_setup_online_x64.exe (PID: 4520)
  - Instup.exe (PID: 3620)
  - instup.exe (PID: 5080)
  - Antivirus Activation Assistant.exe (PID: 4212)
  - Antivirus Activation Assistant.exe (PID: 6788)
  - Antivirus Activation Assistant.exe (PID: 4316)
- Reads the software policy settings
  - slui.exe (PID: 6804)
  - avast_premium_security_setup_online.exe (PID: 5488)
  - avast_premium_security_setup_online_x64.exe (PID: 4520)
  - instup.exe (PID: 5080)
  - Instup.exe (PID: 3620)
- Manual execution by a user
  - avast_premium_security_setup_online.exe (PID: 5488)
  - avast_premium_security_setup_online.exe (PID: 5700)
  - Antivirus Activation Assistant.exe (PID: 1644)
  - Antivirus Activation Assistant.exe (PID: 4212)
  - Antivirus Activation Assistant.exe (PID: 6788)
  - Antivirus Activation Assistant.exe (PID: 4316)
- Checks supported languages
  - avast_premium_security_setup_online.exe (PID: 5488)
  - Antivirus Activation Assistant.exe (PID: 1644)
  - Instup.exe (PID: 3620)
  - avast_premium_security_setup_online_x64.exe (PID: 4520)
  - instup.exe (PID: 5080)
  - aswOfferTool.exe (PID: 5812)
  - aswOfferTool.exe (PID: 6260)
  - aswOfferTool.exe (PID: 2856)
  - aswOfferTool.exe (PID: 5696)
  - sbr.exe (PID: 4832)
  - Antivirus Activation Assistant.exe (PID: 4212)
  - Antivirus Activation Assistant.exe (PID: 6788)
  - Antivirus Activation Assistant.exe (PID: 4316)
- Executable content was dropped or overwritten
  - WinRAR.exe (PID: 2116)
- Checks proxy server information
  - slui.exe (PID: 6804)
  - avast_premium_security_setup_online_x64.exe (PID: 4520)
  - Instup.exe (PID: 3620)
  - instup.exe (PID: 5080)
- Reads CPU info
  - avast_premium_security_setup_online_x64.exe (PID: 4520)
  - Instup.exe (PID: 3620)
  - instup.exe (PID: 5080)
- Reads Environment values
  - Instup.exe (PID: 3620)
  - instup.exe (PID: 5080)
- Creates files in the program directory
  - Instup.exe (PID: 3620)
  - avast_premium_security_setup_online_x64.exe (PID: 4520)
  - instup.exe (PID: 5080)
- Dropped object may contain TOR URL's
  - Instup.exe (PID: 3620)
  - aswOfferTool.exe (PID: 2856)
  - instup.exe (PID: 5080)
- Process checks computer location settings
  - Antivirus Activation Assistant.exe (PID: 1644)
  - Antivirus Activation Assistant.exe (PID: 4212)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.zip	\|	ZIP compressed archive (36.3)

EXIF

ZIP

ZipRequiredVersion:	10
ZipBitFlag:	-
ZipCompression:	None
ZipModifyDate:	2024:05:01 13:05:18
ZipCRC:	0x00000000
ZipCompressedSize:	-
ZipUncompressedSize:	-
ZipFileName:	Activator/

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

193

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

1000

FIND /C /I "75.126.120.203" C:\WINDOWS\system32\drivers\etc\hosts

C:\Windows\System32\find.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Find String (grep) Utility

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\find.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ulib.dll
c:\windows\system32\fsutilext.dll

1292

FIND /C /I "46.4.28.80" C:\WINDOWS\system32\drivers\etc\hosts

C:\Windows\System32\find.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Find String (grep) Utility

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\find.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ulib.dll
c:\windows\system32\fsutilext.dll

1328

\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Console Window Host

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

1428

FIND /C /I "46.4.62.150" C:\WINDOWS\system32\drivers\etc\hosts

C:\Windows\System32\find.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Find String (grep) Utility

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\find.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ulib.dll
c:\windows\system32\fsutilext.dll

1516

FIND /C /I "46.4.58.71" C:\WINDOWS\system32\drivers\etc\hosts

C:\Windows\System32\find.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Find String (grep) Utility

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\find.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ulib.dll
c:\windows\system32\fsutilext.dll

1644

"C:\Users\admin\Desktop\Activator\Antivirus Activation Assistant.exe"

C:\Users\admin\Desktop\Activator\Antivirus Activation Assistant.exe

—

explorer.exe

User:

admin

Integrity Level:

MEDIUM

Description:

Antivirus Activation Assistant

Exit code:

Version:

2.1.0.0

Modules

Images
c:\users\admin\desktop\activator\antivirus activation assistant.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll

1716

FIND /C /I "46.4.28.80" C:\WINDOWS\system32\drivers\etc\hosts

C:\Windows\System32\find.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Find String (grep) Utility

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\find.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ulib.dll
c:\windows\system32\fsutilext.dll

1780

FIND /C /I "46.4.62.150" C:\WINDOWS\system32\drivers\etc\hosts

C:\Windows\System32\find.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Find String (grep) Utility

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\find.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ulib.dll
c:\windows\system32\fsutilext.dll

1992

FIND /C /I "www.pns.avast.com" C:\WINDOWS\system32\drivers\etc\hosts

C:\Windows\System32\find.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Find String (grep) Utility

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\find.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ulib.dll
c:\windows\system32\fsutilext.dll

2116

"C:\Program Files\WinRAR\WinRAR.exe" C:\Users\admin\AppData\Local\Temp\Activator.zip

C:\Program Files\WinRAR\WinRAR.exe

explorer.exe

User:

admin

Company:

Alexander Roshal

Integrity Level:

MEDIUM

Description:

WinRAR archiver

Version:

5.91.0

Modules

Images
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll

Add for printing

Total events

36 289

Read events

29 196

Write events

7 074

Delete events

Modification events


(PID) Process:	(2116) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface\Themes
Operation:	write	Name:	ShellExtBMP
Value:
(PID) Process:	(2116) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface\Themes
Operation:	write	Name:	ShellExtIcon
Value:
(PID) Process:	(2116) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	1
Value: C:\Users\admin\Desktop\GoogleChromeEnterpriseBundle64.zip
(PID) Process:	(2116) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	0
Value: C:\Users\admin\AppData\Local\Temp\Activator.zip
(PID) Process:	(2116) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	name
Value: 120
(PID) Process:	(2116) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	size
Value: 80
(PID) Process:	(2116) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	type
Value: 120
(PID) Process:	(2116) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	mtime
Value: 100
(PID) Process:	(2116) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\DialogEditHistory\ExtrPath
Operation:	write	Name:	0
Value: C:\Users\admin\Desktop
(PID) Process:	(5488) avast_premium_security_setup_online.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager
Operation:	write	Name:	PendingFileRenameOperations
Value: \??\C:\WINDOWS\Temp\asw.9f8c54cb9ab51ac1

Add for printing

Executable files

420

Suspicious files

674

Text files

1 495

Unknown types

Dropped files

PID	Process	Filename		Type
2116	WinRAR.exe	C:\Users\admin\Desktop\Activator\Activations\more_activations\Avast_Premium_Security\10-2025\license.avastlic		text
		MD5:FFE0DC435DFC1A80641D2E4AD9540B1D	SHA256:36CB4F1250F8340655289DA9E3A25AA4565AA6F0197DDFE993F778742A2D379F
2116	WinRAR.exe	C:\Users\admin\Desktop\Activator\Activations\more_activations\Avast_Premium_Security\12-2024\license.avastlic		text
		MD5:0575568CCE73B015FA1A1853C89B9C81	SHA256:B69F8B2D5D4B1F67C06AD0A7F56570A48A3264EACC03DDFCCBD48158801D9B9D
2116	WinRAR.exe	C:\Users\admin\Desktop\Activator\Activations\more_activations\Avast_Ultimate\6-2025\license.avastlic		text
		MD5:71075A04A69FFBC03B56D229484C4E89	SHA256:B0F32EE7C35404BC9BF49A77A5447F09453691B1771173D2F848BC239AAFC836
2116	WinRAR.exe	C:\Users\admin\Desktop\Activator\Activations\Ultimate\Ultimate-mainPage\2025-1\license.avastlic		text
		MD5:E1B05C88287EDC1CDD117CAD8F051779	SHA256:FC78B7B1A1B2ECFB7E8D4C079ACADD7411B61531DD9F2CA4C82CE84B8CC75DB7
2116	WinRAR.exe	C:\Users\admin\Desktop\Activator\Activations\Avast Security Premium\2038\license.avastlic		text
		MD5:4D84D3CFFAC3093369C158B08975922B	SHA256:EC666ECFF26C9E5538431D78B70F37FAC1828EDF59897688CDAAE00258869D74
2116	WinRAR.exe	C:\Users\admin\Desktop\Activator\Activations\Avast Security Premium\2029\license.avastlic		text
		MD5:6E889FAC8D38A9B467543331DD8DF4C6	SHA256:9D6F2562B3BC97312D8E4116D2EF6C49122A37A194BCD69FB3B263EB3DC3C62A
2116	WinRAR.exe	C:\Users\admin\Desktop\Activator\Activations\more_activations\Avast_Premium_Security\11-2024\license.avastlic		text
		MD5:A10FE0164ABEA9AAEBA4A96024635F06	SHA256:8E70299409561B2EEE76D69EC5F25D9996ABF6091FA10195F2244D6D97B6336E
2116	WinRAR.exe	C:\Users\admin\Desktop\Activator\Activations\Avast Security Premium\2045\license.avastlic		ini
		MD5:EE2005B78D0E8269D7381229CBC17F92	SHA256:7C8BFB44EE91E296E2A9E4390080BBBA5D7773906009BFDC69586E1B11C2599D
2116	WinRAR.exe	C:\Users\admin\Desktop\Activator\Activations\more_activations\Avast_Premium_Security\11-2025\license.avastlic		text
		MD5:3843E8AB17ACD3043F96F966B4C52299	SHA256:762A6D596BFB75DAE31A63C30F7FA061B2232B27E10F97E683DA238AD4E3C323
2116	WinRAR.exe	C:\Users\admin\Desktop\Activator\Activations\Avast Security Premium\2050\license.avastlic		text
		MD5:F55DEF2E4F0B1A5996C48D07F6BF73E8	SHA256:EE111BBC35AD0B3644325FB7989658A6EA4B7880D87577D76D7E416324E3D1A5

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

102

DNS requests

110

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
4424	svchost.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D	US	binary	471 b	whitelisted
5368	SearchApp.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D	US	binary	312 b	whitelisted
5608	backgroundTaskHost.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D	US	binary	471 b	whitelisted
4132	OfficeClickToRun.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAUZZSZEml49Gjh0j13P68w%3D	US	binary	471 b	whitelisted
3676	backgroundTaskHost.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D	US	binary	471 b	whitelisted
5488	avast_premium_security_setup_online.exe	POST	204	34.117.223.223:80	http://v7event.stats.avast.com/cgi-bin/iavsevents.cgi	US	—	—	unknown
5488	avast_premium_security_setup_online.exe	POST	204	34.117.223.223:80	http://v7event.stats.avast.com/cgi-bin/iavsevents.cgi	US	—	—	unknown
5488	avast_premium_security_setup_online.exe	GET	200	2.19.126.143:80	http://iavs9x.u.avcdn.net/iavs9x/avast_premium_security_setup_online_x64.exe	DE	executable	9.47 Mb	whitelisted
3620	Instup.exe	GET	200	23.48.23.20:80	http://j0294597.iavs9x.u.avast.com/iavs9x/prod-pgm.vpx	DE	binary	571 b	whitelisted
3620	Instup.exe	GET	200	23.48.23.20:80	http://c3978047.iavs9x.u.avast.com/iavs9x/servers.def.vpx	DE	binary	2.40 Kb	whitelisted

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
996	svchost.exe	20.73.194.208:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
—	—	131.253.33.254:443	a-ring-fallback.msedge.net	MICROSOFT-CORP-MSN-AS-BLOCK	US	unknown
6012	MoUsoCoreWorker.exe	20.73.194.208:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
2856	slui.exe	20.83.72.98:443	activation-v2.sls.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
—	—	92.123.104.67:443	www.bing.com	Akamai International B.V.	DE	unknown
1516	RUXIMICS.exe	20.73.194.208:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
3952	svchost.exe	239.255.255.250:1900	—	—	—	whitelisted
4	System	192.168.100.255:137	—	—	—	whitelisted
5452	slui.exe	20.83.72.98:443	activation-v2.sls.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted

DNS requests

Domain	IP	Reputation
settings-win.data.microsoft.com	20.73.194.208 4.231.128.59	whitelisted
t-ring-fdv2.msedge.net	13.107.237.254	unknown
a-ring-fallback.msedge.net	131.253.33.254	unknown
activation-v2.sls.microsoft.com	20.83.72.98	whitelisted
www.bing.com	92.123.104.67 92.123.104.4 92.123.104.66 92.123.104.10 92.123.104.64 92.123.104.8 92.123.104.63 92.123.104.62 92.123.104.6 92.123.104.23 92.123.104.33 92.123.104.31 92.123.104.29 92.123.104.32 92.123.104.26 92.123.104.30 92.123.104.28 92.123.104.34	whitelisted
google.com	142.250.185.110	whitelisted
fp-afd-nocache-ccp.azureedge.net	13.107.246.45	whitelisted
login.live.com	20.190.159.68 40.126.31.71 40.126.31.73 20.190.159.2 20.190.159.23 40.126.31.67 20.190.159.4 20.190.159.71	whitelisted
ocsp.digicert.com	192.229.221.95	whitelisted
client.wns.windows.com	40.113.103.199	whitelisted

Threats

PID	Process	Class	Message
5488	avast_premium_security_setup_online.exe	Potential Corporate Privacy Violation	ET POLICY PE EXE or DLL Windows file download HTTP

Add for printing

Process	Message
avast_premium_security_setup_online_x64.exe	[2024-07-28 20:41:55.923] [info ] [sfxinst ] [ 4520: 4028] [F8CC93: 395] Running SFX 'C:\WINDOWS\Temp\asw.9f8c54cb9ab51ac1\avast_premium_security_setup_online_x64.exe'
avast_premium_security_setup_online_x64.exe	[2024-07-28 20:41:56.188] [info ] [sfxinst ] [ 4520: 4028] [F8CC93: 629] Moved extra data file 'ecoo.edat' to 'C:\WINDOWS\Temp\asw.7ef673c8a8f4fd47\cookie.bin'.
avast_premium_security_setup_online_x64.exe	[2024-07-28 20:41:56.313] [notice ] [burger_rep ] [ 4520: 7040] [DC075C: 64] The event '70.1' was successfully sent to burger: https://analytics.avcdn.net/v4/receive/json/70.
avast_premium_security_setup_online_x64.exe	[2024-07-28 20:41:56.313] [info ] [sfxstats ] [ 4520: 3976] [9A143C: 149] Statistics sent successfully.
avast_premium_security_setup_online_x64.exe	[2024-07-28 20:41:57.063] [info ] [sfxinst ] [ 4520: 4028] [F8CC93: 919] Starting installer/updater executable 'C:\WINDOWS\Temp\asw.7ef673c8a8f4fd47\instup.exe'
Instup.exe	[2024-07-28 20:41:57.454] [info ] [instup ] [ 3620: 3840] [EE4A6B:2703] DISKs: C:\ - 218486MB free / 254GB total
Instup.exe	[2024-07-28 20:41:57.454] [info ] [instup ] [ 3620: 3840] [EE4A6B:2719] Running module version: instup.exe - '24.7.9311.0'
Instup.exe	[2024-07-28 20:41:57.454] [info ] [instup ] [ 3620: 3840] [EE4A6B:2734] Running module version: Instup.dll - '24.7.9311.0'
Instup.exe	[2024-07-28 20:41:57.454] [debug ] [repsup ] [ 3620: 3840] [84102E: 58] PfroMutant: \PendingRenameMutex mutant has been successfully opened.
Instup.exe	[2024-07-28 20:41:57.454] [info ] [instup ] [ 3620: 3840] [EE4A6B:2658] Command: '"C:\WINDOWS\Temp\asw.7ef673c8a8f4fd47\instup.exe" /sfx:lite /sfxstorage:C:\WINDOWS\Temp\asw.7ef673c8a8f4fd47 /edition:12 /prod:ais /stub_context:f4627aa5-7106-4ee4-8e2d-bb9f0f4456a6:9931888 /guid:5bfe25cc-9691-403f-89ef-54b7eff91fa0 /ga_clientid:01b081a0-7227-4224-a363-b551a383edd7 /cookie:mmm_prw_998_999_000_m /ga_clientid:01b081a0-7227-4224-a363-b551a383edd7 /edat_dir:C:\WINDOWS\Temp\asw.9f8c54cb9ab51ac1'

General Info

Activator.zip

947CA5995D64DD08CCC29CC08D85827F

357198BBD1A7E9C4D9463ECC259E28C5D8F70C21

4E822F20531E250D774ABF6D1173B07A1BD9EC658C9263FDFA908B1691E659B0

98304:PGW7WFvSqUebg162+pdUHxbm2KR0ny+hE7c4YHky/98jL6Fkn/0GfDqzU+a0DnYH:rhB4eccftX+gIunx6ZLeo5Wbr7CNjv

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Drops the executable file immediately after the start

Changes the autorun value in the registry

Modifies hosts file to block updates

SUSPICIOUS

Process drops python dynamic module

Potential Corporate Privacy Violation

Loads Python modules

Executable content was dropped or overwritten

Searches for installed software

Process requests binary or script from the Internet

Starts itself from another location

Process checks presence of unattended files

Reads security settings of Internet Explorer

Likely accesses (executes) a file from the Public directory

Reads the date of Windows installation

Starts CMD.EXE for commands execution

Executing commands from a ".bat" file

Process drops legitimate windows executable

The process drops C-runtime libraries

Creates files in the driver directory

The process verifies whether the antivirus software is installed

INFO

Drops the executable file immediately after the start

Reads the computer name

Reads the machine GUID from the registry

Reads the software policy settings

Manual execution by a user

Checks supported languages

Executable content was dropped or overwritten

Checks proxy server information

Reads CPU info

Reads Environment values

Creates files in the program directory

Dropped object may contain TOR URL's

Process checks computer location settings

Malware configuration

Static information

TRiD

EXIF

ZIP

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity