File name:

ARTAV Installer.exe.v

Full analysis: https://app.any.run/tasks/fc0cb755-d823-4579-afdf-b1e475272090
Verdict: Malicious activity
Analysis date: December 09, 2023, 01:12:15
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
MD5: E5527068D449585472A71154925CA3F9
SHA1: 1961EBBD861BB0008A0EC499D05FA926519625D5
SHA256: 53518AFE3805B8B43AE97946B65A0D018804C78ECBEC76D3DCE7967AA87A64A2
SSDEEP: 49152:WnZOzJwpWzaZmsEP8Tt6XA8L0vESAADuk1/XnAiT6/U71E7Fdfb09Dky3TSLrqDl:eiqRgsEU161S5Dn/Xn10OkFdfbOkyuPq

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • ARTAV Installer.exe.v.exe (PID: 2928)
  • SUSPICIOUS

    • Process drops legitimate windows executable

      • ARTAV Installer.exe.v.exe (PID: 2928)
  • INFO

    • Checks supported languages

      • ARTAV Installer.exe.v.exe (PID: 2928)
      • ARTAV Antivirus.exe (PID: 3832)
      • wmpnscfg.exe (PID: 2668)
      • ARTAV Antivirus.exe (PID: 3932)
    • Reads the computer name

      • ARTAV Installer.exe.v.exe (PID: 2928)
      • wmpnscfg.exe (PID: 2668)
      • ARTAV Antivirus.exe (PID: 3832)
    • Creates files in the program directory

      • ARTAV Installer.exe.v.exe (PID: 2928)
    • Manual execution by a user

      • wmpnscfg.exe (PID: 2668)
      • taskmgr.exe (PID: 2536)
      • ARTAV Antivirus.exe (PID: 3932)
    • Create files in a temporary directory

      • ARTAV Antivirus.exe (PID: 3832)
      • ARTAV Antivirus.exe (PID: 3932)
    • Reads the machine GUID from the registry

      • ARTAV Antivirus.exe (PID: 3832)
      • ARTAV Antivirus.exe (PID: 3932)
    • Creates files or folders in the user directory

      • ARTAV Antivirus.exe (PID: 3832)
    • Reads Environment values

      • ARTAV Antivirus.exe (PID: 3832)
No Malware configuration.

TRiD

.exe | UPX compressed Win32 Executable (39.3)
.exe | Win32 EXE Yoda's Crypter (38.6)
.dll | Win32 Dynamic Link Library (generic) (9.5)
.exe | Win32 Executable (generic) (6.5)
.exe | Generic Win/DOS Executable (2.9)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2004:12:17 09:58:40+01:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit
PEType: PE32
LinkerVersion: 6
CodeSize: 77824
InitializedDataSize: 12288
UninitializedDataSize: 110592
EntryPoint: 0x2e560
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 2.0.0.24
ProductVersionNumber: 2.0.0.24
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Windows NT 32-bit
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
Comments: -
CompanyName: -
FileDescription: -
FileVersion: 2, 0, 0, 24
InternalName: -
LegalCopyright: -
LegalTrademarks: -
OriginalFileName: -
PrivateBuild: -
ProductName: ARTAV Antivirus Install Program
ProductVersion: 2, 0, 0, 24
SpecialBuild: -
No data.
All screenshots are available in the full report

Total processes: 47
Monitored processes: 6
Malicious processes: 1
Suspicious processes: 0

Behavior graph

Process nodes shown in the interactive graph (in order): start, artav installer.exe.v.exe, artav antivirus.exe (no specs), wmpnscfg.exe (no specs), taskmgr.exe (no specs), artav antivirus.exe, artav installer.exe.v.exe (no specs)

Process information

PID: 2464
CMD: "C:\Users\admin\AppData\Local\Temp\ARTAV Installer.exe.v.exe"
Path: C:\Users\admin\AppData\Local\Temp\ARTAV Installer.exe.v.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Exit code: 3221226540
Version: 2, 0, 0, 24
Modules (images):
c:\users\admin\appdata\local\temp\artav installer.exe.v.exe
c:\windows\system32\ntdll.dll

PID: 2536
CMD: "C:\Windows\system32\taskmgr.exe" /4
Path: C:\Windows\System32\taskmgr.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Task Manager
Exit code: 1
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (images):
c:\windows\system32\taskmgr.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll

PID: 2668
CMD: "C:\Program Files\Windows Media Player\wmpnscfg.exe"
Path: C:\Program Files\Windows Media Player\wmpnscfg.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Media Player Network Sharing Service Configuration Application
Exit code: 0
Version: 12.0.7600.16385 (win7_rtm.090713-1255)
Modules (images):
c:\program files\windows media player\wmpnscfg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll

PID: 2928
CMD: "C:\Users\admin\AppData\Local\Temp\ARTAV Installer.exe.v.exe"
Path: C:\Users\admin\AppData\Local\Temp\ARTAV Installer.exe.v.exe
Parent process: explorer.exe
User: admin
Integrity Level: HIGH
Exit code: 0
Version: 2, 0, 0, 24
Modules (images):
c:\users\admin\appdata\local\temp\artav installer.exe.v.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.24483_none_2b200f664577e14b\comctl32.dll
c:\windows\system32\gdi32.dll

PID: 3832
CMD: "C:\Program Files\ARTAV Team\ARTAV Antivirus.exe"
Path: C:\Program Files\ARTAV Team\ARTAV Antivirus.exe
Parent process: ARTAV Installer.exe.v.exe
User: admin
Company: Indonesian Anti Virus
Integrity Level: HIGH
Description: ARTAV Team
Exit code: 0
Version: 1.01
Modules (images):
c:\program files\artav team\artav antivirus.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvbvm60.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll

PID: 3932
CMD: "C:\Program Files\ARTAV Team\ARTAV Antivirus.exe"
Path: C:\Program Files\ARTAV Team\ARTAV Antivirus.exe
Parent process: explorer.exe
User: admin
Company: Indonesian Anti Virus
Integrity Level: MEDIUM
Description: ARTAV Team
Exit code: 0
Version: 1.01
Modules (images):
c:\program files\artav team\artav antivirus.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvbvm60.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
Total events: 846
Read events: 825
Write events: 19
Delete events: 2

Modification events

(PID) Process: (3832) ARTAV Antivirus.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{BDC217C5-ED16-11CD-956C-0000C04E4C0A}
Operation: delete key | Name: (default) | Value: -

(PID) Process: (3832) ARTAV Antivirus.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7DA06D40-54A0-11CF-A521-0080C77A7786}
Operation: delete key | Name: (default) | Value: -

(PID) Process: (3832) ARTAV Antivirus.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{2334D2B1-713E-11CF-8AE5-00AA00C00905}\TypeLib
Operation: write | Name: Version | Value: 2.0

(PID) Process: (3832) ARTAV Antivirus.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{2334D2B3-713E-11CF-8AE5-00AA00C00905}\TypeLib
Operation: write | Name: Version | Value: 2.0

(PID) Process: (3832) ARTAV Antivirus.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Speech\AudioOutput\TokenEnums\MMAudioOut\{0.0.0.00000000}.{e602c5a2-9378-42f9-9806-a74c065977f6}
Operation: write | Name: CLSID | Value: {A8C680EB-3D32-11D2-9EE7-00C04F797396}

(PID) Process: (3832) ARTAV Antivirus.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Speech\AudioOutput\TokenEnums\MMAudioOut\{0.0.0.00000000}.{e602c5a2-9378-42f9-9806-a74c065977f6}
Operation: write | Name: DeviceName | Value: Speakers (Realtek AC'97 Audio)

(PID) Process: (3832) ARTAV Antivirus.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Speech\AudioOutput\TokenEnums\MMAudioOut\{0.0.0.00000000}.{e602c5a2-9378-42f9-9806-a74c065977f6}
Operation: write | Name: DeviceId | Value: {0.0.0.00000000}.{e602c5a2-9378-42f9-9806-a74c065977f6}

(PID) Process: (3832) ARTAV Antivirus.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Speech\AudioOutput\TokenEnums\MMAudioOut\{0.0.0.00000000}.{e602c5a2-9378-42f9-9806-a74c065977f6}\Attributes
Operation: write | Name: Vendor | Value: Microsoft

(PID) Process: (3832) ARTAV Antivirus.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Speech\AudioOutput\TokenEnums\MMAudioOut\{0.0.0.00000000}.{e602c5a2-9378-42f9-9806-a74c065977f6}\Attributes
Operation: write | Name: Technology | Value: MMSys

(PID) Process: (2536) taskmgr.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\TaskManager
Operation: write | Name: UsrColumnSettings | Value:
1C0C0000340400000000000050000000010000001D0C0000350400000000000023000000010000001E0C000036040000000000003C000000010000001F0C000039040000000000004E00000001000000200C000037040000000000004E00000001000000

Executable files: 22
Suspicious files: 11
Text files: 526
Unknown types: 0

Dropped files

PID | Process | Filename | Type

2928 | ARTAV Installer.exe.v.exe | C:\Program Files\ARTAV Team\Quarantine\Quarantine.txt | binary
MD5: 921C5AC50CB983816440175A236E800C
SHA256: 16D8D646E5F2499DF8824CB20CD2848ADB813A77CE12609CB0CA2A1F644DF682

2928 | ARTAV Installer.exe.v.exe | C:\Program Files\ARTAV Team\ARTAV Updater.$A | executable
MD5: 61E43915E895135C65AD5E919C41D19A
SHA256: 48CD54DC227AFE0CEEF5CE87965D3A1DF1FF2FF85504EA4DCF08F3ACCA519F0B

2928 | ARTAV Installer.exe.v.exe | C:\Program Files\ARTAV Team\Uninstal.exe | executable
MD5: E10072472393D1C82AD7CC01C9631D68
SHA256: 8E52F34EEB2FE015CDBA9EAC9A6F87618216A818FDC5869EC5E4EB2FA7D87592

2928 | ARTAV Installer.exe.v.exe | C:\Program Files\ARTAV Team\Change Log(s).$A | text
MD5: 15075833541D156FC97D2027DCC3300B
SHA256: 3158E62B95EFE3E233D21BB3FB03979C70F6F62DE27502E018A00BC3C052624D

2928 | ARTAV Installer.exe.v.exe | C:\Program Files\ARTAV Team\ARTAV Antivirus.exe | executable
MD5: B792D6A209DD5A3C480D4BA6153B0DBF
SHA256: 63A9F11687714FFBF51CEBF7AD864699CCDC3DF292628AD780DA16C99F4C6805

2928 | ARTAV Installer.exe.v.exe | C:\Program Files\ARTAV Team\ARTAV Updater.exe | executable
MD5: 61E43915E895135C65AD5E919C41D19A
SHA256: 48CD54DC227AFE0CEEF5CE87965D3A1DF1FF2FF85504EA4DCF08F3ACCA519F0B

2928 | ARTAV Installer.exe.v.exe | C:\Program Files\ARTAV Team\MSWINSCK.$A | executable
MD5: 9484C04258830AA3C2F2A70EB041414C
SHA256: BF7E47C16D7E1C0E88534F4EF95E09D0FD821ED1A06B0D95A389B35364B63FF5

2928 | ARTAV Installer.exe.v.exe | C:\Program Files\ARTAV Team\Change Log(s).txt | text
MD5: 15075833541D156FC97D2027DCC3300B
SHA256: 3158E62B95EFE3E233D21BB3FB03979C70F6F62DE27502E018A00BC3C052624D

2928 | ARTAV Installer.exe.v.exe | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\ARTAV Antivirus\ARTAV.lnk | binary
MD5: 3A83E781FE4CE6B903BE4133AA1516CE
SHA256: 098962C3C84C77EF21BDB3A3E78C705FF3C6C5A4766DF9951A6F3C0E0F14D12F

2928 | ARTAV Installer.exe.v.exe | C:\Program Files\ARTAV Team\COMDLG32.OCX | executable
MD5: 3EC0A48ED8D8A019175CFA3952CCB3B7
SHA256: F9ECCA1F6718F7AB711E3F675DCE438930079CA8649F101FB41A93D85977149D

HTTP(S) requests: 0
TCP/UDP connections: 3
DNS requests: 1
Threats: 0

HTTP requests

No HTTP requests

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
868 | svchost.exe | 88.221.124.138:80 | armmf.adobe.com | AKAMAI-AS | DE | unknown
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
4 | System | 192.168.100.255:137 | - | - | - | whitelisted

DNS requests

Domain | IP | Reputation
armmf.adobe.com | 88.221.124.138 | whitelisted

Threats

No threats detected
No debug info