File name: avast_free_antivirus_setup_online.exe
Full analysis: https://app.any.run/tasks/984f09cb-8c97-483e-93f8-3ea444e39d3b
Verdict: Malicious activity
Analysis date: December 07, 2024, 22:54:31
OS: Windows 10 Professional (build: 19045, 64 bit)
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 5 sections
MD5: 1AC91AB0DC51CD0B8258945CDED565DB
SHA1: E8B3FB540F70E695DEEC53E4741633AEAA0ECB1E
SHA256: 7EA883D91F36D26166751E05D734571A561312FBD078068787AD3EFAC2BCB0E6
SSDEEP: 98304:YgZ8Ufsw7sertCpXJBJID2asRKZOcKasz8GFEMQGS+44Dvq7LCZwW3D7M7qTFOvm:iTqzvG/i

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided as is, for the user's own assessment. ANY.RUN does not guarantee the maliciousness or safety of the content.
  • MALICIOUS
    No malicious indicators.
  • SUSPICIOUS
    • Creates or modifies Windows services
      • avast_free_antivirus_setup_online.exe (PID: 4076)
    • Executable content was dropped or overwritten
      • avast_free_antivirus_setup_online.exe (PID: 4076)
  • INFO
    • Creates files in a temporary directory
      • avast_free_antivirus_setup_online.exe (PID: 4076)
    • Reads the computer name
      • avast_free_antivirus_setup_online.exe (PID: 4076)
    • Creates files in the program directory
      • avast_free_antivirus_setup_online.exe (PID: 4076)
    • Checks supported languages
      • avast_free_antivirus_setup_online.exe (PID: 4076)
No Malware configuration.

TRiD

Extension | File type | Match (%)
.exe | Win64 Executable (generic) | 76.4
.exe | Win32 Executable (generic) | 12.4
.exe | Generic Win/DOS Executable | 5.5
.exe | DOS Executable Generic | 5.5

EXIF (EXE)

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2014:11:06 12:50:45+00:00
ImageFileCharacteristics: Executable, Large address aware, 32-bit
PEType: PE32
LinkerVersion: 9
CodeSize: 490496
InitializedDataSize: 316928
UninitializedDataSize: -
EntryPoint: 0x496e1
OSVersion: 5
ImageVersion: -
SubsystemVersion: 5
Subsystem: Windows GUI
FileVersionNumber: 10.0.2208.712
ProductVersionNumber: 10.0.2208.712
FileFlagsMask: 0x0017
FileFlags: (none)
FileOS: Win32
ObjectFileType: Dynamic link library
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
Comments: avast! Antivirus
CompanyName: AVAST Software
FileDescription: avast! Antivirus Installer
FileVersion: 10.0.2208.712
InternalName: SfxInst
LegalCopyright: Copyright (c) 2014 AVAST Software
OriginalFileName: SfxInst.exe
ProductName: Avast Antivirus
ProductVersion: 10.0.2208.712
No data.
Total processes: 121
Monitored processes: 4
Malicious processes: 1
Suspicious processes: 0

Behavior graph

start → avast_free_antivirus_setup_online.exe → instup.exe (no specs) → pcaui.exe (no specs); avast_free_antivirus_setup_online.exe (no specs)

Process information

PID 1804: instup.exe
  CMD: "C:\Users\admin\AppData\Local\Temp\_av_iup.tm~a05788\instup.exe" /edition:1 /prod:ais /sfx:lite /sfxstorage:C:\Users\admin\AppData\Local\Temp\_av_iup.tm~a05788
  Path: C:\Users\admin\AppData\Local\Temp\_av_iup.tm~a05788\instup.exe
  Parent process: avast_free_antivirus_setup_online.exe
  User: admin
  Integrity level: HIGH
  Exit code: 0
  Modules (images):
    c:\users\admin\appdata\local\temp\_av_iup.tm~a05788\instup.exe
    c:\windows\system32\ntdll.dll
    c:\windows\syswow64\ntdll.dll
    c:\windows\system32\wow64.dll
    c:\windows\system32\wow64win.dll
    c:\windows\system32\wow64cpu.dll
    c:\windows\syswow64\kernel32.dll
    c:\windows\syswow64\kernelbase.dll
    c:\windows\syswow64\apphelp.dll
    c:\windows\syswow64\sechost.dll

PID 4076: avast_free_antivirus_setup_online.exe
  CMD: "C:\Users\admin\Desktop\avast_free_antivirus_setup_online.exe"
  Path: C:\Users\admin\Desktop\avast_free_antivirus_setup_online.exe
  Parent process: explorer.exe
  User: admin
  Company: AVAST Software
  Integrity level: HIGH
  Description: avast! Antivirus Installer
  Exit code: 0
  Version: 10.0.2208.712
  Modules (images):
    c:\users\admin\desktop\avast_free_antivirus_setup_online.exe
    c:\windows\system32\ntdll.dll
    c:\windows\syswow64\ntdll.dll
    c:\windows\system32\wow64.dll
    c:\windows\system32\wow64win.dll
    c:\windows\system32\wow64cpu.dll
    c:\windows\syswow64\kernel32.dll
    c:\windows\syswow64\kernelbase.dll
    c:\windows\syswow64\apphelp.dll
    c:\windows\syswow64\user32.dll

PID 5320: pcaui.exe
  CMD: "C:\WINDOWS\system32\pcaui.exe" -g {11111111-1111-1111-1111-111111111111} -x {5313d2fc-7e9c-4fb6-895c-3a229b317bcb} -a "Avast! Antivirus" -v "AVAST Software" -s "This app can't run because it causes security or performance issues on Windows. A new version may be available. Check with your software provider for an updated version that runs on this version of Windows." -n 2 -f 0 -k 0 -e "C:\Users\admin\AppData\Local\Temp\_av_iup.tm~a05788\instup.exe"
  Path: C:\Windows\System32\pcaui.exe
  Parent process: instup.exe
  User: admin
  Company: Microsoft Corporation
  Integrity level: HIGH
  Description: Program Compatibility Assistant User Interface
  Exit code: 0
  Version: 10.0.19041.3636 (WinBuild.160101.0800)
  Modules (images):
    c:\windows\system32\pcaui.exe
    c:\windows\system32\ntdll.dll
    c:\windows\system32\kernel32.dll
    c:\windows\system32\kernelbase.dll
    c:\windows\system32\apphelp.dll
    c:\windows\system32\msvcp_win.dll
    c:\windows\system32\ucrtbase.dll
    c:\windows\system32\combase.dll
    c:\windows\system32\rpcrt4.dll
    c:\windows\system32\advapi32.dll

PID 5652: avast_free_antivirus_setup_online.exe
  CMD: "C:\Users\admin\Desktop\avast_free_antivirus_setup_online.exe"
  Path: C:\Users\admin\Desktop\avast_free_antivirus_setup_online.exe
  Parent process: explorer.exe
  User: admin
  Company: AVAST Software
  Integrity level: MEDIUM
  Description: avast! Antivirus Installer
  Exit code: 3221226540 (0xC000042C, STATUS_ELEVATION_REQUIRED)
  Version: 10.0.2208.712
  Modules (images):
    c:\users\admin\desktop\avast_free_antivirus_setup_online.exe
    c:\windows\system32\ntdll.dll
    c:\windows\syswow64\ntdll.dll
Total events: 147
Read events: 122
Write events: 20
Delete events: 5

Modification events

Process: (PID 4076) avast_free_antivirus_setup_online.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AvastPersistentStorage
Operation: write
Name: SfxInstProgress
Values written, in order (one write event each): 0, 6, 13, 20, 26, 33, 40, 46, 53, 60
Executable files: 4
Suspicious files: 14
Text files: 2
Unknown types: 0

Dropped files

All files below were dropped by PID 4076 (avast_free_antivirus_setup_online.exe).

C:\Users\admin\AppData\Local\Temp\_av_iup.tm~a05788\instcont_ais-8a0.vpx (binary)
  MD5: 791A9E07B25EF07FE2047CE6283908E4
  SHA256: E2A5AB40DD1719CB59CAF859F1381980931E67596CDB901E052E3B4906B3F182
C:\Users\admin\AppData\Local\Temp\_av_iup.tm~a05788\avbugreport_ais-8a0.vpx (binary)
  MD5: A002DE0B547452BF7604E4E853DAE0FF
  SHA256: 998824369A348F7D0800533EF1656B85E78BB01E7BF6F1490A72C93E912A8A0A
C:\Users\admin\AppData\Local\Temp\_av_iup.tm~a05788\instup_ais-8a0.vpx (binary)
  MD5: 136D3BE6694266D5A2CEACA074232233
  SHA256: CD47B6D56C1838B7DF6125280EAB76FC7F5A686B8ECC11FC8E2E8BAA2FADA4B1
C:\Users\admin\AppData\Local\Temp\_av_iup.tm~a05788\ngiodriver_x64_ais-8a0.vpx (binary)
  MD5: 98F545C04FDC5E43086331DAFF4BEA6D
  SHA256: 9375A7F13E320A1975C6702958D9DD97936F2FB06D8A903DBEE4612C7BDE81FC
C:\Users\admin\AppData\Local\Temp\_av_iup.tm~a05788\HTMLayout.dll (executable)
  MD5: 67DCACDEA595375B6323F7C825BFE8DB
  SHA256: 3618700F2DEA6DCB0D033205AECB0CD0C2ADB3C99B787DEBDE86A5D49939816C
C:\Users\admin\AppData\Local\Temp\_av_iup.tm~a05788\prod-ais.vpx (binary)
  MD5: 701876D2184AA1A32BB331C1617E36D6
  SHA256: 6BBEC8789757D25C13173204E720076B861BF0C5CCF7470B30CF0819EE9C76B0
C:\Users\admin\AppData\Local\Temp\_av_iup.tm~a05788\setgui_ais-8a0.vpx (binary)
  MD5: D57E68A9955AC807B53282D5CD53D183
  SHA256: D09F7418F00125DC13EA47CEC40194EF3A89C2E383A08E5C0BC394895116236D
C:\Users\admin\AppData\Local\Temp\_av_iup.tm~a05788\servers.def (ini)
  MD5: 54C28A335D0171035C50C283270E003A
  SHA256: 17EC5BBE09AA7023A00786ADB7967505DF05B4B03CE3F9C40C712B5A98BE2A62
C:\Users\admin\AppData\Local\Temp\_av_iup.tm~a05788\prod-vps.vpx (binary)
  MD5: 074D394DB429D6CBDE70AC2DC8C418D6
  SHA256: F7DF7D583EEAEC202723A5D8622EBBBF7EC20E64A2559A57369B1F1162B895F9
C:\Users\admin\AppData\Local\Temp\_av_iup.tm~a05788\servers.def.vpx (binary)
  MD5: FBAFD80FF697E463B6B12FA3960BD7DD
  SHA256: 474774F14D7BA42165ADF7686E6A948FE1125860F9CC56973762B2CF7946D19D
HTTP(S) requests: 3
TCP/UDP connections: 21
DNS requests: 9
Threats: 0

HTTP requests

PID | Process | Method | HTTP code | IP | URL | CN | Type | Size | Reputation
4712 | MoUsoCoreWorker.exe | GET | 200 | 2.16.241.19:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
4712 | MoUsoCoreWorker.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
1852 | svchost.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
1852 | svchost.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
4712 | MoUsoCoreWorker.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
- | - | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
- | - | 2.23.209.133:443 | www.bing.com | Akamai International B.V. | GB | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
4712 | MoUsoCoreWorker.exe | 2.16.241.19:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
4712 | MoUsoCoreWorker.exe | 95.101.149.131:80 | www.microsoft.com | Akamai International B.V. | NL | whitelisted
1852 | svchost.exe | 95.101.149.131:80 | www.microsoft.com | Akamai International B.V. | NL | whitelisted
3976 | svchost.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted

(Rows with "-" in the PID and Process columns had no process attribution in the report.)

DNS requests

Domain | Resolved IP(s) | Reputation
settings-win.data.microsoft.com | 20.73.194.208, 4.231.128.59 | whitelisted
www.bing.com | 2.23.209.133, 2.23.209.182, 2.23.209.149, 2.23.209.140, 2.23.209.187 | whitelisted
google.com | 142.250.186.110 | whitelisted
crl.microsoft.com | 2.16.241.19, 2.16.241.12 | whitelisted
www.microsoft.com | 95.101.149.131 | whitelisted
self.events.data.microsoft.com | 52.182.143.215 | whitelisted

Threats

No threats detected
No debug info