| Field | Value |
|---|---|
| File name: | avast_business_agent_setup_online (2).exe |
| Full analysis: | https://app.any.run/tasks/b4754921-2928-4aba-942e-ca0189fa26a1 |
| Verdict: | Malicious activity |
| Threats: | A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. |
| Analysis date: | April 07, 2024, 12:15:01 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/x-dosexec |
| File info: | PE32 executable (GUI) Intel 80386, for MS Windows |
| MD5: | 0E9EAE31177B33C26076DB2BB31AB3D3 |
| SHA1: | EAE018EE76C44B4E3B01D33A22861F8E6DD67CD7 |
| SHA256: | 6114D75F3F02FD22BF6607FDA1263F3A731E1063FECE802EB143AA8BA1670802 |
| SSDEEP: | 98304:qwUAocFQ/OgZ5oB2zG3tlX7dxZFNblnKKRc2puSG9jhyyJIbA2NE2avOavaP82ou:fjEpXKJe95hhWa24mTNUHK |
| Extension | Type | Match (%) |
|---|---|---|
| .exe | Win64 Executable (generic) | 64.6 |
| .dll | Win32 Dynamic Link Library (generic) | 15.4 |
| .exe | Win32 Executable (generic) | 10.5 |
| .exe | Generic Win/DOS Executable | 4.6 |
| .exe | DOS Executable Generic | 4.6 |
| Field | Value |
|---|---|
| MachineType: | Intel 386 or later, and compatibles |
| TimeStamp: | 2019:02:21 16:00:00+00:00 |
| ImageFileCharacteristics: | No relocs, Executable, No line numbers, No symbols, Large address aware, 32-bit |
| PEType: | PE32 |
| LinkerVersion: | 6 |
| CodeSize: | 104448 |
| InitializedDataSize: | 19456 |
| UninitializedDataSize: | - |
| EntryPoint: | 0x1910c |
| OSVersion: | 4 |
| ImageVersion: | - |
| SubsystemVersion: | 4 |
| Subsystem: | Windows GUI |
| FileVersionNumber: | 24.1.2027.0 |
| ProductVersionNumber: | 24.1.2027.0 |
| FileFlagsMask: | 0x003f |
| FileFlags: | (none) |
| FileOS: | Windows NT 32-bit |
| ObjectFileType: | Executable application |
| FileSubtype: | - |
| LanguageCode: | English (U.S.) |
| CharacterSet: | Unicode |
| FileVersion: | 24.1.2027.0 |
| ProductVersion: | 24.1.2027.0 |
| CompanyName: | Avast Software |
| FileDescription: | Avast Business Agent Installer |
| InternalName: | avast_business_agent_setup_online.exe |
| LegalCopyright: | Copyright (C) 2024 Avast Software. All rights reserved. |
| OriginalFileName: | avast_business_agent_setup_online.exe |
| ProductName: | Avast Business Agent |
| PID | CMD | Path | Indicators | Parent process | Details |
|---|---|---|---|---|---|
| 1308 | "C:\Windows\Temp\{4B951FFD-AC3F-4DC8-9D75-D9DBF2495CDB}\.cr\AvastBackupInstall_7.12.0.30.exe" -burn.clean.room="C:\ProgramData\AVAST Software\Business Agent\installers\AvastBackupInstall_7.12.0.30.exe" -burn.filehandle.attached=268 -burn.filehandle.self=276 -s -l "C:\ProgramData\\AVAST Software\Business Agent\log\\olb_install_log.log" | C:\Windows\Temp\{4B951FFD-AC3F-4DC8-9D75-D9DBF2495CDB}\.cr\AvastBackupInstall_7.12.0.30.exe | — | AvastBackupInstall_7.12.0.30.exe | User: admin; Company: Avast; Integrity Level: HIGH; Description: Avast Business Cloud Backup; Exit code: 0; Version: 7.12.0.30 |
| 1348 | "C:\Users\admin\AppData\Local\Temp\7zS05BD4408\setup.exe" -i -tok "8210110e4a92df3e462130a9beeedf48ff680e05379cf7babd631982b39a964a8e072bfae08d29cdaaceec5dd61fcdd2b1d4c5d52eaa3da7eecabb6f66bfebe1fb711bb6a8ef5d59f31f4b211e412d34b040da6aff7f318788794fa0c968763fb700b4fa2a76bb95cae1e797daf586720b3102474699fe23012f6a8ec04bbd36" -svr "https://device-us.cloudcare.avg.com:443/" -lid "1" -bid "1" | C:\Users\admin\AppData\Local\Temp\7zS05BD4408\setup.exe | — | avast_business_agent_setup_online (2).exe | User: admin; Company: Avast Software; Integrity Level: HIGH; Description: Avast Business Agent Installer; Version: 24.1.2027.0 |
| 1824 | "C:\Users\admin\AppData\Local\Temp\7zS05BD4408\setup2.exe" -i -tok "8210110e4a92df3e462130a9beeedf48ff680e05379cf7babd631982b39a964a8e072bfae08d29cdaaceec5dd61fcdd2b1d4c5d52eaa3da7eecabb6f66bfebe1fb711bb6a8ef5d59f31f4b211e412d34b040da6aff7f318788794fa0c968763fb700b4fa2a76bb95cae1e797daf586720b3102474699fe23012f6a8ec04bbd36" -svr "https://device-us.cloudcare.avg.com:443/" -lid "1" -bid "1" | C:\Users\admin\AppData\Local\Temp\7zS05BD4408\Setup2.exe | | setup.exe | User: admin; Company: Avast Software; Integrity Level: HIGH; Description: Setup Application; Version: 24.1.2027.0 |
| 1992 | -i | C:\Program Files\AVAST Software\Business Agent\ClientManager.exe | — | Setup2.exe | User: admin; Company: Avast Software; Integrity Level: HIGH; Description: Avast Business Agent; Exit code: 1; Version: 24.1.2027.0 |
| 2032 | net start sagentservice | C:\Windows\System32\net.exe | — | Setup2.exe | User: admin; Company: Microsoft Corporation; Integrity Level: HIGH; Description: Net Command; Exit code: 0; Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
| 2292 | "C:\Windows\Temp\asw.86561136356dd3c9\New_170c0adf\instup.exe" /sfx /sfxstorage:C:\Windows\Temp\asw.86561136356dd3c9 /edition:14 /sub_edition:smb-usp /prod:ais /no_delayed_installation /stub_mapping_guid:40ce20bc-e236-45ed-bdaa-afa32f53c5a3:9537312 /guid:5d38725b-b4d4-488c-b1cf-9dcecf40f597 /ga_clientid:fd2a3be9-173e-4937-b2f7-3e6966297ce4 /silent /wait /cust_ini:"C:\ProgramData\\AVAST Software\Business Agent\temp\custom.ini" /licfile:"C:\ProgramData\\AVAST Software\Business Agent\temp\license.avastlic" /smbupd:"C:\ProgramData\\AVAST Software\Business Agent\temp\smbupd.ini" /bpubkey:"C:\ProgramData\\AVAST Software\Business Agent\temp\bcpub.key" /managed /edat_dir:C:\Windows\Temp\asw.0226a1599817b8e4 /geo:DE /online_installer | C:\Windows\Temp\asw.86561136356dd3c9\New_170c0adf\instup.exe | | Instup.exe | User: admin; Company: AVAST Software; Integrity Level: HIGH; Description: Avast Antivirus Installer; Version: 23.12.8700.0 |
| 2360 | "C:\Windows\Temp\asw.0226a1599817b8e4\avast_business_security_setup_online.exe" /silent /wait /cust_ini:"C:\ProgramData\\AVAST Software\Business Agent\temp\custom.ini" /licfile:"C:\ProgramData\\AVAST Software\Business Agent\temp\license.avastlic" /smbupd:"C:\ProgramData\\AVAST Software\Business Agent\temp\smbupd.ini" /bpubkey:"C:\ProgramData\\AVAST Software\Business Agent\temp\bcpub.key" /managed /ga_clientid:fd2a3be9-173e-4937-b2f7-3e6966297ce4 /edat_dir:C:\Windows\Temp\asw.0226a1599817b8e4 /geo:DE | C:\Windows\Temp\asw.0226a1599817b8e4\avast_business_security_setup_online.exe | | x1eo.0 | User: admin; Company: AVAST Software; Integrity Level: HIGH; Description: Avast Antivirus; Version: 23.12.8700.0 |
| 2556 | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe "C:\Program Files\Avast Business Cloud Backup\ClientApi.dll" /tlb /codebase | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | — | Setup2.exe | User: admin; Company: Microsoft Corporation; Integrity Level: HIGH; Description: Microsoft .NET Assembly Registration Utility; Exit code: 100; Version: 2.0.50727.5483 (Win7SP1GDR.050727-5400) |
| 2744 | "C:\ProgramData\\AVAST Software\Business Agent\installers\AvastBackupInstall_7.12.0.30.exe" -s -l "C:\ProgramData\\AVAST Software\Business Agent\log\\olb_install_log.log" | C:\ProgramData\AVAST Software\Business Agent\installers\AvastBackupInstall_7.12.0.30.exe | — | Setup2.exe | User: admin; Company: Avast; Integrity Level: HIGH; Description: Avast Business Cloud Backup; Exit code: 0; Version: 7.12.0.30 |
| 2788 | "C:\Windows\Temp\{08D94F13-0A75-4783-B7AD-65090244BA6C}\.be\Setup-7.12.0.30-Avast.exe" -q -burn.elevated BurnPipe.{04AF837A-CACD-41F7-BFDA-46C01C26EA76} {16A3EF6F-0400-4EED-A84C-CEF0C54C4750} 1308 | C:\Windows\Temp\{08D94F13-0A75-4783-B7AD-65090244BA6C}\.be\Setup-7.12.0.30-Avast.exe | | AvastBackupInstall_7.12.0.30.exe | User: admin; Company: Avast; Integrity Level: HIGH; Description: Avast Business Cloud Backup; Exit code: 0; Version: 7.12.0.30 |
| PID | Process | Operation | Key | Name | Value |
|---|---|---|---|---|---|
| 2896 | avast_business_agent_setup_online (2).exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | ProxyBypass | 1 |
| 2896 | avast_business_agent_setup_online (2).exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | IntranetName | 1 |
| 2896 | avast_business_agent_setup_online (2).exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | UNCAsIntranet | 1 |
| 2896 | avast_business_agent_setup_online (2).exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | AutoDetect | 0 |
| 1824 | Setup2.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{874799D2-87CC-451D-9BE5-898AD2B92071}\164 | PP | \AVAST Software\Business Agent\ |
| 1824 | Setup2.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{874799D2-87CC-451D-9BE5-898AD2B92071}\164 | RR | SOFTWARE\AVAST Software\ |
| 1824 | Setup2.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{874799D2-87CC-451D-9BE5-898AD2B92071}\164 | RK | SOFTWARE\AVAST Software\Business Agent |
| 1824 | Setup2.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{874799D2-87CC-451D-9BE5-898AD2B92071}\164 | PN | Avast Business CloudCare |
| 1824 | Setup2.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\AVAST Software\SB Runtime | EnableLogLevelDebug | 0 |
| 1824 | Setup2.exe | delete value | HKEY_LOCAL_MACHINE\SOFTWARE\AVAST Software\Business Agent | DEPLOY_ID | |
| PID | Process | Filename | Type | MD5 | SHA256 |
|---|---|---|---|---|---|
| 2896 | avast_business_agent_setup_online (2).exe | C:\Users\admin\AppData\Local\Temp\7zS05BD4408\agentui.exe.config | xml | — | — |
| 2896 | avast_business_agent_setup_online (2).exe | C:\Users\admin\AppData\Local\Temp\7zS05BD4408\ClientVersion.txt | text | — | — |
| 2896 | avast_business_agent_setup_online (2).exe | C:\Users\admin\AppData\Local\Temp\7zS05BD4408\events.db | binary | — | — |
| 2896 | avast_business_agent_setup_online (2).exe | C:\Users\admin\AppData\Local\Temp\7zS05BD4408\images\1\block_footer.png | image | — | — |
| 2896 | avast_business_agent_setup_online (2).exe | C:\Users\admin\AppData\Local\Temp\7zS05BD4408\images\1\block_logo.png | image | — | — |
| 2896 | avast_business_agent_setup_online (2).exe | C:\Users\admin\AppData\Local\Temp\7zS05BD4408\images\1\block_symbol.png | image | — | — |
| 2896 | avast_business_agent_setup_online (2).exe | C:\Users\admin\AppData\Local\Temp\7zS05BD4408\images\1\CF_Override.bmp | image | — | — |
| 2896 | avast_business_agent_setup_online (2).exe | C:\Users\admin\AppData\Local\Temp\7zS05BD4408\images\1\checkmark.bmp | image | — | — |
| 2896 | avast_business_agent_setup_online (2).exe | C:\Users\admin\AppData\Local\Temp\7zS05BD4408\images\1\close.bmp | image | — | — |
| 2896 | avast_business_agent_setup_online (2).exe | C:\Users\admin\AppData\Local\Temp\7zS05BD4408\images\1\desktop.ico | image | — | — |
| PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
| 3876 | x1eo.0 | POST | 200 | 142.250.186.110:80 | http://www.google-analytics.com/collect | unknown | — | — | unknown |
| 3876 | x1eo.0 | POST | 204 | 34.117.223.223:80 | http://v7event.stats.avast.com/cgi-bin/iavsevents.cgi | unknown | — | — | unknown |
| 3876 | x1eo.0 | GET | 200 | 23.48.23.30:80 | http://iabs.u.avast.com/iabs/~o_o~/23.12.8700/avast_business_security_setup_online.exe | unknown | — | — | unknown |
| 3876 | x1eo.0 | POST | 200 | 142.250.186.110:80 | http://www.google-analytics.com/collect | unknown | — | — | unknown |
| 3876 | x1eo.0 | POST | 204 | 34.117.223.223:80 | http://v7event.stats.avast.com/cgi-bin/iavsevents.cgi | unknown | — | — | unknown |
| 2360 | avast_business_security_setup_online.exe | GET | 200 | 142.250.186.110:80 | http://www.google-analytics.com/collect?an=Business&av=23.12.8700&cd=stub-extended&cd3=Online&cid=5d38725b-b4d4-488c-b1cf-9dcecf40f597&dt=Installation&t=screenview&tid=UA-58120669-3&v=1 | unknown | — | — | unknown |
| 3940 | Instup.exe | GET | 200 | 2.20.71.231:80 | http://r9496339.iabs.u.avast.com/iabs/~o_o~/23.12.8700/servers.def.vpx | unknown | — | — | unknown |
| 3940 | Instup.exe | GET | 200 | 2.20.71.133:80 | http://b0881764.iabs.u.avast.com/iabs/~o_o~/23.12.8700/prod-pgm.vpx | unknown | — | — | unknown |
| 3940 | Instup.exe | GET | 200 | 2.20.71.133:80 | http://b0881764.iabs.u.avast.com/iabs/~o_o~/23.12.8700/avbugreport_ais-ade.vpx | unknown | — | — | unknown |
| 3940 | Instup.exe | GET | 200 | 2.20.71.133:80 | http://b0881764.iabs.u.avast.com/iabs/~o_o~/23.12.8700/avdump_x86_ais-ade.vpx | unknown | — | — | unknown |
| PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
| 4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
| 4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
| — | — | 224.0.0.252:5355 | — | — | — | unknown |
| 1080 | svchost.exe | 224.0.0.252:5355 | — | — | — | unknown |
| 1824 | Setup2.exe | 52.207.125.226:443 | device-us.cloudcare.avg.com | AMAZON-AES | US | unknown |
| 1824 | Setup2.exe | 54.211.166.46:443 | installer.cloudcare.avg.com | AMAZON-AES | US | unknown |
| 1824 | Setup2.exe | 34.89.198.16:443 | bconsole-avm-prod.ff.avast.com | GOOGLE-CLOUD-PLATFORM | DE | unknown |
| 1824 | Setup2.exe | 34.235.97.96:443 | device-us.cloudcare.avg.com | AMAZON-AES | US | unknown |
| 1824 | Setup2.exe | 35.196.155.80:443 | bconsole-avm-prod-nyc.ff.avast.com | GOOGLE-CLOUD-PLATFORM | US | unknown |
| 1824 | Setup2.exe | 184.30.215.79:443 | bits.avcdn.net | AKAMAI-AS | DE | unknown |
| Domain | IP | Reputation |
|---|---|---|
| device-us.cloudcare.avg.com | | unknown |
| installer.cloudcare.avg.com | | unknown |
| bconsole-avm-prod.ff.avast.com | | unknown |
| bconsole-avm-prod-nyc.ff.avast.com | | unknown |
| bits.avcdn.net | | whitelisted |
| v7event.stats.avast.com | | whitelisted |
| ip-info.ff.avast.com | | whitelisted |
| www.google-analytics.com | | whitelisted |
| iabs.u.avast.com | | unknown |
| analytics.avcdn.net | | unknown |
| PID | Process | Class | Message |
|---|---|---|---|
| 1080 | svchost.exe | Misc activity | ET INFO External IP Lookup Service in DNS Query (ip-info .ff .avast .com) |
| 3876 | x1eo.0 | Misc activity | ET INFO Observed External IP Lookup Domain (ip-info .ff .avast .com) in TLS SNI |
| 3876 | x1eo.0 | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP |
Debug output (Process | Message), one entry per block:

```text
SAgent.Service.exe | INFO : +
=========================================== STARTED ===========================================
Title : SAgent.Service
TargetFramework : .NET Framework 4.5
Location : C:\Program Files\Avast Business Cloud Backup\SAgent.Service.exe
AssemblyFullName : SAgent.Service, Version=7.12.0.30, Culture=neutral, PublicKeyToken=9b8afe2c706a1860
LocalTimeOffset : 4/7/2024 1:16:10 PM +01:00
StillWorkingPeriod: 00:15:00
AppSessionGUID : d2d3b66e-2bb7-4d4c-9bfa-7532a7fb423d
OS : Microsoft Windows NT 6.1.7601 Service Pack 1
Platform : Win32NT
=========================================== STARTED ===========================================
+ [1]

SAgent.Service.exe | INFO : ¦ ==== Working d2d3b66e-2bb7-4d4c-9bfa-7532a7fb423d ==== ¦ [1] 00.532

SAgent.Service.exe | STAT:
============================= OPERATIONS STATISTICS =============================
Logger Name | Operation Name | Time | Calls | Errors | Threads | Per Call | Items | Per Item
---------------+------------------+-------------+-------+--------+---------+-------------+-------+------------
AgentService | | AppWorking | 00:00:00.00 | 0 | 0 | 1 / 1 | | |
============================= OPERATIONS STATISTICS =============================

SAgent.Service.exe | INFO : +
===================== FINISHED =====================
AppSessionGUID: d2d3b66e-2bb7-4d4c-9bfa-7532a7fb423d
===================== FINISHED =====================
+ [1] 00.747

SAgent.Service.exe | INFO : +
=========================================== STARTED ===========================================
Title : SAgent.Service
TargetFramework : .NET Framework 4.5
Location : C:\Program Files\Avast Business Cloud Backup\SAgent.Service.exe
AssemblyFullName : SAgent.Service, Version=7.12.0.30, Culture=neutral, PublicKeyToken=9b8afe2c706a1860
LocalTimeOffset : 4/7/2024 1:16:14 PM +01:00
StillWorkingPeriod: 00:15:00
AppSessionGUID : a1faef41-f567-4d11-8bad-930d2c1bbf2e
OS : Microsoft Windows NT 6.1.7601 Service Pack 1
Platform : Win32NT
=========================================== STARTED ===========================================
+ [1]

SAgent.Service.exe | INFO : ¦ ==== Working a1faef41-f567-4d11-8bad-930d2c1bbf2e ==== ¦ [1] 00.489

SAgent.Service.exe | INFO : + CleanupOldBaremetalTasks + [2] << [1]

SAgent.Service.exe | INFO : ¦ 0 task(s) were deleted. ¦ [2] << [1] 00.057

SAgent.Service.exe | INFO : + CleanupOldBaremetalTasks + [2] << [1] 00.058

SAgent.Service.exe | Native library pre-loader is trying to load native SQLite library "C:\Program Files\Avast Business Cloud Backup\x86\SQLite.Interop.dll"...
```