File name:

avast_one_free_antivirus.exe

Full analysis: https://app.any.run/tasks/c201208f-81fd-41eb-97cc-b59b7820c0bc
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Malware Trends Tracker     >>>
Analysis date: February 23, 2024, 23:18:08
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
loader
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5:

2AD867065621067AE07344A947B7ECA6

SHA1:

6C9EFDA5270129B3322221267B57E515189A730F

SHA256:

8FD40714DDA36EA3AD95FC582463665C71FA3948F2AEEB2C3F3BC9258A69C67E

SSDEEP:

3072:x6es8XymuGWAspZYarLXHrLh7gMvmWVpvY5nT/rj4XLcrfzRDmZeVOwxDgzmgM+d:wbmuGWVXHh7aB4LcXRaUrQjsuT19z6j

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Drops the executable file immediately after the start

      • avast_one_free_antivirus.exe (PID: 2840)
      • avast_one_essential_setup_online.exe (PID: 2892)
      • Instup.exe (PID: 1976)
      • aswOfferTool.exe (PID: 2576)
      • aswOfferTool.exe (PID: 1848)
      • aswOfferTool.exe (PID: 3616)

  • SUSPICIOUS

    • Reads settings of System Certificates

      • avast_one_free_antivirus.exe (PID: 2840)
      • avast_one_essential_setup_online.exe (PID: 2892)
      • Instup.exe (PID: 1976)
      • instup.exe (PID: 2100)

    • Executable content was dropped or overwritten

      • avast_one_free_antivirus.exe (PID: 2840)
      • avast_one_essential_setup_online.exe (PID: 2892)
      • Instup.exe (PID: 1976)
      • aswOfferTool.exe (PID: 2576)
      • aswOfferTool.exe (PID: 1848)
      • aswOfferTool.exe (PID: 3616)

    • Process requests binary or script from the Internet

      • avast_one_free_antivirus.exe (PID: 2840)

    • Reads the Internet Settings

      • Instup.exe (PID: 1976)
      • instup.exe (PID: 2100)

    • Starts itself from another location

      • Instup.exe (PID: 1976)
      • aswOfferTool.exe (PID: 1848)

    • The process verifies whether the antivirus software is installed

      • instup.exe (PID: 2100)

    • Likely accesses (executes) a file from the Public directory

      • aswOfferTool.exe (PID: 3616)

  • INFO

    • Checks supported languages

      • avast_one_free_antivirus.exe (PID: 2840)
      • avast_one_essential_setup_online.exe (PID: 2892)
      • Instup.exe (PID: 1976)
      • instup.exe (PID: 2100)
      • aswOfferTool.exe (PID: 1848)
      • aswOfferTool.exe (PID: 3616)
      • aswOfferTool.exe (PID: 2576)

    • Reads the machine GUID from the registry

      • avast_one_free_antivirus.exe (PID: 2840)
      • avast_one_essential_setup_online.exe (PID: 2892)
      • Instup.exe (PID: 1976)
      • instup.exe (PID: 2100)

    • Reads the computer name

      • avast_one_free_antivirus.exe (PID: 2840)
      • avast_one_essential_setup_online.exe (PID: 2892)
      • Instup.exe (PID: 1976)
      • instup.exe (PID: 2100)
      • aswOfferTool.exe (PID: 1848)

    • Reads the software policy settings

      • avast_one_free_antivirus.exe (PID: 2840)
      • avast_one_essential_setup_online.exe (PID: 2892)
      • Instup.exe (PID: 1976)
      • instup.exe (PID: 2100)

    • Reads CPU info

      • avast_one_essential_setup_online.exe (PID: 2892)
      • Instup.exe (PID: 1976)
      • instup.exe (PID: 2100)

    • Creates files in the program directory

      • avast_one_essential_setup_online.exe (PID: 2892)
      • Instup.exe (PID: 1976)

    • Reads Environment values

      • Instup.exe (PID: 1976)
      • instup.exe (PID: 2100)

    • Checks proxy server information

      • Instup.exe (PID: 1976)
      • instup.exe (PID: 2100)

    • Dropped object may contain TOR URL's

      • Instup.exe (PID: 1976)
      • aswOfferTool.exe (PID: 1848)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (76.4)
.exe | Win32 Executable (generic) (12.4)
.exe | Generic Win/DOS Executable (5.5)
.exe | DOS Executable Generic (5.5)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2023:08:15 14:28:58+00:00
ImageFileCharacteristics: Executable, Large address aware, 32-bit
PEType: PE32
LinkerVersion: 14.16
CodeSize: 141824
InitializedDataSize: 121856
UninitializedDataSize: -
EntryPoint: 0x1020
OSVersion: 5.1
ImageVersion: -
SubsystemVersion: 5.1
Subsystem: Windows GUI
FileVersionNumber: 2.1.108.0
ProductVersionNumber: 2.1.108.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Windows NT 32-bit
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
CompanyName: AVAST Software
Edition: 21
FileDescription: Avast Installer
FileVersion: 2.1.108.0
InternalName: microstub
LegalCopyright: Copyright (c) 2023 AVAST Software
OriginalFileName: microstub.exe
ProductName: Avast
ProductVersion: 2.1.108.0
No data.
screenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
49
Monitored processes
8
Malicious processes
4
Suspicious processes
1

Behavior graph

Click at the process to see the details
start avast_one_free_antivirus.exe avast_one_essential_setup_online.exe instup.exe instup.exe aswoffertool.exe aswoffertool.exe aswoffertool.exe avast_one_free_antivirus.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
1848"C:\Windows\Temp\asw.f4b22e6f4ee246a5\New_180117d3\aswOfferTool.exe" -checkChromeReactivation -elevated -bc=AVFAC:\Windows\Temp\asw.f4b22e6f4ee246a5\New_180117d3\aswOfferTool.exe
instup.exe
User:
admin
Company:
AVAST Software
Integrity Level:
HIGH
Description:
Avast Offer Installation Tool
Exit code:
0
Version:
24.1.8821.0
Modules
Images
c:\windows\temp\asw.f4b22e6f4ee246a5\new_180117d3\aswoffertool.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\wtsapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\userenv.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\profapi.dll
c:\windows\system32\shell32.dll
1976"C:\Windows\Temp\asw.f4b22e6f4ee246a5\instup.exe" /sfx:lite /sfxstorage:C:\Windows\Temp\asw.f4b22e6f4ee246a5 /edition:21 /prod:ais /stub_mapping_guid:99851102-e7f6-46ea-96ef-34fb31d6d630:9634528 /guid:cfe598a1-643d-4b04-a8b8-658f3254381e /ga_clientid:e893be53-12cc-437d-9452-6cece741a01f /cookie:mmm_aon_012_999_a8b_m:dlid_AVAST-ONE-FREE-WIN-PPC /ga_clientid:e893be53-12cc-437d-9452-6cece741a01f /edat_dir:C:\Windows\Temp\asw.9ed4d29fc435c55cC:\Windows\Temp\asw.f4b22e6f4ee246a5\Instup.exe
avast_one_essential_setup_online.exe
User:
admin
Company:
AVAST Software
Integrity Level:
HIGH
Description:
Avast Antivirus Installer
Exit code:
0
Version:
24.1.8821.0
Modules
Images
c:\windows\temp\asw.f4b22e6f4ee246a5\instup.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\wininet.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\api-ms-win-downlevel-user32-l1-1-0.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
2100"C:\Windows\Temp\asw.f4b22e6f4ee246a5\New_180117d3\instup.exe" /sfx /sfxstorage:C:\Windows\Temp\asw.f4b22e6f4ee246a5 /edition:21 /prod:ais /stub_mapping_guid:99851102-e7f6-46ea-96ef-34fb31d6d630:9634528 /guid:cfe598a1-643d-4b04-a8b8-658f3254381e /ga_clientid:e893be53-12cc-437d-9452-6cece741a01f /cookie:mmm_aon_012_999_a8b_m:dlid_AVAST-ONE-FREE-WIN-PPC /edat_dir:C:\Windows\Temp\asw.9ed4d29fc435c55c /online_installerC:\Windows\Temp\asw.f4b22e6f4ee246a5\New_180117d3\instup.exe
Instup.exe
User:
admin
Company:
AVAST Software
Integrity Level:
HIGH
Description:
Avast Antivirus Installer
Exit code:
0
Version:
24.1.8821.0
Modules
Images
c:\windows\temp\asw.f4b22e6f4ee246a5\new_180117d3\instup.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\wininet.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\api-ms-win-downlevel-user32-l1-1-0.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
2576"C:\Windows\Temp\asw.f4b22e6f4ee246a5\New_180117d3\aswOfferTool.exe" -checkChrome -elevatedC:\Windows\Temp\asw.f4b22e6f4ee246a5\New_180117d3\aswOfferTool.exe
instup.exe
User:
admin
Company:
AVAST Software
Integrity Level:
HIGH
Description:
Avast Offer Installation Tool
Exit code:
2
Version:
24.1.8821.0
Modules
Images
c:\windows\temp\asw.f4b22e6f4ee246a5\new_180117d3\aswoffertool.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\wtsapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\userenv.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\profapi.dll
c:\windows\system32\shell32.dll
2840"C:\Users\admin\AppData\Local\Temp\avast_one_free_antivirus.exe" C:\Users\admin\AppData\Local\Temp\avast_one_free_antivirus.exe
explorer.exe
User:
admin
Company:
AVAST Software
Integrity Level:
HIGH
Description:
Avast Installer
Exit code:
0
Version:
2.1.108.0
Modules
Images
c:\users\admin\appdata\local\temp\avast_one_free_antivirus.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
2892"C:\Windows\Temp\asw.9ed4d29fc435c55c\avast_one_essential_setup_online.exe" /cookie:mmm_aon_012_999_a8b_m:dlid_AVAST-ONE-FREE-WIN-PPC /ga_clientid:e893be53-12cc-437d-9452-6cece741a01f /edat_dir:C:\Windows\Temp\asw.9ed4d29fc435c55cC:\Windows\Temp\asw.9ed4d29fc435c55c\avast_one_essential_setup_online.exe
avast_one_free_antivirus.exe
User:
admin
Company:
AVAST Software
Integrity Level:
HIGH
Description:
Avast Antivirus
Exit code:
0
Version:
24.1.8821.0
Modules
Images
c:\windows\temp\asw.9ed4d29fc435c55c\avast_one_essential_setup_online.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
3616"C:\Users\Public\Documents\aswOfferTool.exe" -checkChromeReactivation -bc=AVFAC:\Users\Public\Documents\aswOfferTool.exe
aswOfferTool.exe
User:
admin
Company:
AVAST Software
Integrity Level:
MEDIUM
Description:
Avast Offer Installation Tool
Exit code:
0
Version:
24.1.8821.0
Modules
Images
c:\users\public\documents\aswoffertool.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\wtsapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\userenv.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\profapi.dll
c:\windows\system32\shell32.dll
3656"C:\Users\admin\AppData\Local\Temp\avast_one_free_antivirus.exe" C:\Users\admin\AppData\Local\Temp\avast_one_free_antivirus.exeexplorer.exe
User:
admin
Company:
AVAST Software
Integrity Level:
MEDIUM
Description:
Avast Installer
Exit code:
3221226540
Version:
2.1.108.0
Modules
Images
c:\users\admin\appdata\local\temp\avast_one_free_antivirus.exe
c:\windows\system32\ntdll.dll
Total events
16 852
Read events
15 612
Write events
1 234
Delete events
6

Modification events

(PID) Process:(2840) avast_one_free_antivirus.exeKey:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager
Operation:writeName:PendingFileRenameOperations
Value:
\??\C:\Windows\Temp\asw.9ed4d29fc435c55c
(PID) Process:(2840) avast_one_free_antivirus.exeKey:HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E
Operation:writeName:LanguageList
Value:
en-US
(PID) Process:(2840) avast_one_free_antivirus.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\Root\Certificates
Operation:delete valueName:9F6134C5FA75E4FDDE631B232BE961D6D4B97DB6
Value:
(PID) Process:(2840) avast_one_free_antivirus.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\Root\Certificates\9F6134C5FA75E4FDDE631B232BE961D6D4B97DB6
Operation:writeName:Blob
Value:
0F00000001000000200000009065F32AFC2CFEA7F452D2D6BE94D20C877EFC1C05433D9935696193FDCC05D80300000001000000140000009F6134C5FA75E4FDDE631B232BE961D6D4B97DB6200000000100000047030000308203433082022BA00302010202147327B7C17D5AE708EF73F1F45A79D78B4E99A29F300D06092A864886F70D01010B05003031310B3009060355040613025553310F300D06035504080C06426F73746F6E3111300F060355040A0C084469676943657274301E170D3233303932393130353030335A170D3339303530383130353030335A3031310B3009060355040613025553310F300D06035504080C06426F73746F6E3111300F060355040A0C08446967694365727430820122300D06092A864886F70D01010105000382010F003082010A0282010100D91B7A55548F44F3E97C493153B75B055695736B184640D7335A2E6218083B5A1BEE2695209350E57A3EB76FBC604CB3B250DF3D9D0C560D1FBDFE30108D233A3C555100BE1A3F8E543C0B253E06E91B6D5F9CB3A093009BC8B4D3A0EB19DB59E56DA7E3D637847970D6C2AEB4A1FCF3896A7C080FE68759BAA62E6AAA8B7C7CBDA176DDC72F8D259A16D3469E31F19D2959904611D730D7D26FCFED789A0C49698FDFABF3F6727D08C61A073BB11E85C96486D49B0E0D38364C008A5EB964F8813C5DF004F9E76D2F8DB90702D800032674959BF0DF823785419101CEA928A10ACBAE7E48FE19202F3CB7BCF416476D17CB64C5570FCED443BD75D9F2C632FF0203010001A3533051301D0603551D0E041604145D6CA352CEFC713CBBC5E21F663C3639FD19D4D7301F0603551D230418301680145D6CA352CEFC713CBBC5E21F663C3639FD19D4D7300F0603551D130101FF040530030101FF300D06092A864886F70D01010B05000382010100AF2218E4CA18144728FCC76EA14958061522FD4A018BED1A4BFCC5CCE70BC6AE9DF7D3795C9A010D53628E2B6E7C10D6B07E53546235A5EE480E5A434E312154BF1E39AAC27D2C18D4F41CBBECFE4538CEF93EF62C17D187A7F720F4A9478410D09620C9F8B293B5786A5440BC0743B7B7753CF66FBA498B7E083BC267597238DC031B9BB131F997D9B8164AAED0D6E328420E53E1969DA6CD035078179677A7177BB2BF9C87CF592910CD380E8501B92040A39469C782BA383BEAE498C060FCC7C429BC10B7B6B7A0659C9BE03DC13DB46C638CF5E3B22A303726906DC8DD91C64501EBFC282A3A497EC430CACC066EE4BF9C5C8F2F2A05D0C1921A9E3E85E3
(PID) Process:(2840) avast_one_free_antivirus.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\Root\Certificates\9F6134C5FA75E4FDDE631B232BE961D6D4B97DB6
Operation:writeName:Blob
Value:
1400000001000000140000005D6CA352CEFC713CBBC5E21F663C3639FD19D4D70300000001000000140000009F6134C5FA75E4FDDE631B232BE961D6D4B97DB60F00000001000000200000009065F32AFC2CFEA7F452D2D6BE94D20C877EFC1C05433D9935696193FDCC05D8200000000100000047030000308203433082022BA00302010202147327B7C17D5AE708EF73F1F45A79D78B4E99A29F300D06092A864886F70D01010B05003031310B3009060355040613025553310F300D06035504080C06426F73746F6E3111300F060355040A0C084469676943657274301E170D3233303932393130353030335A170D3339303530383130353030335A3031310B3009060355040613025553310F300D06035504080C06426F73746F6E3111300F060355040A0C08446967694365727430820122300D06092A864886F70D01010105000382010F003082010A0282010100D91B7A55548F44F3E97C493153B75B055695736B184640D7335A2E6218083B5A1BEE2695209350E57A3EB76FBC604CB3B250DF3D9D0C560D1FBDFE30108D233A3C555100BE1A3F8E543C0B253E06E91B6D5F9CB3A093009BC8B4D3A0EB19DB59E56DA7E3D637847970D6C2AEB4A1FCF3896A7C080FE68759BAA62E6AAA8B7C7CBDA176DDC72F8D259A16D3469E31F19D2959904611D730D7D26FCFED789A0C49698FDFABF3F6727D08C61A073BB11E85C96486D49B0E0D38364C008A5EB964F8813C5DF004F9E76D2F8DB90702D800032674959BF0DF823785419101CEA928A10ACBAE7E48FE19202F3CB7BCF416476D17CB64C5570FCED443BD75D9F2C632FF0203010001A3533051301D0603551D0E041604145D6CA352CEFC713CBBC5E21F663C3639FD19D4D7301F0603551D230418301680145D6CA352CEFC713CBBC5E21F663C3639FD19D4D7300F0603551D130101FF040530030101FF300D06092A864886F70D01010B05000382010100AF2218E4CA18144728FCC76EA14958061522FD4A018BED1A4BFCC5CCE70BC6AE9DF7D3795C9A010D53628E2B6E7C10D6B07E53546235A5EE480E5A434E312154BF1E39AAC27D2C18D4F41CBBECFE4538CEF93EF62C17D187A7F720F4A9478410D09620C9F8B293B5786A5440BC0743B7B7753CF66FBA498B7E083BC267597238DC031B9BB131F997D9B8164AAED0D6E328420E53E1969DA6CD035078179677A7177BB2BF9C87CF592910CD380E8501B92040A39469C782BA383BEAE498C060FCC7C429BC10B7B6B7A0659C9BE03DC13DB46C638CF5E3B22A303726906DC8DD91C64501EBFC282A3A497EC430CACC066EE4BF9C5C8F2F2A05D0C1921A9E3E85E3
(PID) Process:(2840) avast_one_free_antivirus.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\Root\Certificates\9F6134C5FA75E4FDDE631B232BE961D6D4B97DB6
Operation:writeName:Blob
Value:
190000000100000010000000BCC80DAA2F98A4692805BFF4CBB372EB0F00000001000000200000009065F32AFC2CFEA7F452D2D6BE94D20C877EFC1C05433D9935696193FDCC05D80300000001000000140000009F6134C5FA75E4FDDE631B232BE961D6D4B97DB61400000001000000140000005D6CA352CEFC713CBBC5E21F663C3639FD19D4D7200000000100000047030000308203433082022BA00302010202147327B7C17D5AE708EF73F1F45A79D78B4E99A29F300D06092A864886F70D01010B05003031310B3009060355040613025553310F300D06035504080C06426F73746F6E3111300F060355040A0C084469676943657274301E170D3233303932393130353030335A170D3339303530383130353030335A3031310B3009060355040613025553310F300D06035504080C06426F73746F6E3111300F060355040A0C08446967694365727430820122300D06092A864886F70D01010105000382010F003082010A0282010100D91B7A55548F44F3E97C493153B75B055695736B184640D7335A2E6218083B5A1BEE2695209350E57A3EB76FBC604CB3B250DF3D9D0C560D1FBDFE30108D233A3C555100BE1A3F8E543C0B253E06E91B6D5F9CB3A093009BC8B4D3A0EB19DB59E56DA7E3D637847970D6C2AEB4A1FCF3896A7C080FE68759BAA62E6AAA8B7C7CBDA176DDC72F8D259A16D3469E31F19D2959904611D730D7D26FCFED789A0C49698FDFABF3F6727D08C61A073BB11E85C96486D49B0E0D38364C008A5EB964F8813C5DF004F9E76D2F8DB90702D800032674959BF0DF823785419101CEA928A10ACBAE7E48FE19202F3CB7BCF416476D17CB64C5570FCED443BD75D9F2C632FF0203010001A3533051301D0603551D0E041604145D6CA352CEFC713CBBC5E21F663C3639FD19D4D7301F0603551D230418301680145D6CA352CEFC713CBBC5E21F663C3639FD19D4D7300F0603551D130101FF040530030101FF300D06092A864886F70D01010B05000382010100AF2218E4CA18144728FCC76EA14958061522FD4A018BED1A4BFCC5CCE70BC6AE9DF7D3795C9A010D53628E2B6E7C10D6B07E53546235A5EE480E5A434E312154BF1E39AAC27D2C18D4F41CBBECFE4538CEF93EF62C17D187A7F720F4A9478410D09620C9F8B293B5786A5440BC0743B7B7753CF66FBA498B7E083BC267597238DC031B9BB131F997D9B8164AAED0D6E328420E53E1969DA6CD035078179677A7177BB2BF9C87CF592910CD380E8501B92040A39469C782BA383BEAE498C060FCC7C429BC10B7B6B7A0659C9BE03DC13DB46C638CF5E3B22A303726906DC8DD91C64501EBFC282A3A497EC430CACC066EE4BF9C5C8F2F2A05D0C1921A9E3E85E3
(PID) Process:(2892) avast_one_essential_setup_online.exeKey:HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E
Operation:writeName:LanguageList
Value:
en-US
(PID) Process:(2892) avast_one_essential_setup_online.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AvastPersistentStorage
Operation:writeName:SfxInstProgress
Value:
0
(PID) Process:(2892) avast_one_essential_setup_online.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AvastPersistentStorage
Operation:writeName:SfxInstProgress
Value:
7
(PID) Process:(2892) avast_one_essential_setup_online.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AvastPersistentStorage
Operation:writeName:SfxInstProgress
Value:
14
Executable files
24
Suspicious files
7
Text files
13
Unknown types
13

Dropped files

PID
Process
Filename
Type
2892avast_one_essential_setup_online.exeC:\Windows\Temp\asw.f4b22e6f4ee246a5\part-jrog2-132c.vpxbinary
MD5:F757934C2D28D322FCA999FFAFDB4584
SHA256:09C79062FED78B3BB7BB1DA546014D812FE77904A3F161B4908DC5724FF86A12
2840avast_one_free_antivirus.exeC:\Windows\Temp\asw.9ed4d29fc435c55c\avast_one_essential_setup_online.exeexecutable
MD5:C99B11C7CB7FB4CEBEAB7B1397E790B9
SHA256:4A5BA80B575DEB8CA38FBA356FC9391713E81192B87A0C1B6B9BC9A2D7A0A689
2892avast_one_essential_setup_online.exeC:\Windows\Temp\asw.f4b22e6f4ee246a5\cookie.bintext
MD5:D7BF3366997D48DA4ED60720B3D9CEDF
SHA256:51591D016FE7BD59FC06281F8537481A390A586AAC84AA60F458F6DF8D66383B
2892avast_one_essential_setup_online.exeC:\Windows\Temp\asw.f4b22e6f4ee246a5\prod-pgm.vpxbinary
MD5:48CADB7D59DAF8E3B51175F48554E58D
SHA256:FA9CDCDDE4F1FB32E7F7BFF8CD5DF48EF4B3ECC29CEC6803E7DD3F7BB63A35A3
2892avast_one_essential_setup_online.exeC:\Windows\Temp\asw.f4b22e6f4ee246a5\part-prg_ais-180117d3.vpxbinary
MD5:C9AB86327CC6D1B698906C6B42364040
SHA256:918DFC9B513535FDA13A3A1F1BB3741728936BD9B355958288A395F68090B81F
2892avast_one_essential_setup_online.exeC:\Windows\Temp\asw.f4b22e6f4ee246a5\config.def.vpxbinary
MD5:65A94D643E10FFC9156EE8F1BAE43C25
SHA256:2C9559A99BB1859206D554D1C3984787E5B4F347C5C55E8C05D3C6350EBFB760
2892avast_one_essential_setup_online.exeC:\Windows\Temp\asw.f4b22e6f4ee246a5\Instup.dllexecutable
MD5:BD8BED4728B002B416E908125C044ADE
SHA256:5FBA4F97BD38C90ED15B2CFF19A8043567E312FDD1A18301E49CDDD39BAB410F
2892avast_one_essential_setup_online.exeC:\Windows\Temp\asw.f4b22e6f4ee246a5\part-vps_windows-24020600.vpxbinary
MD5:526AD86C7563D8E89C79034C6F50AD4B
SHA256:EDEDF623E34555BAFD092BABA995CCBD410E44E81663F8AD5DDFD3393765958B
2892avast_one_essential_setup_online.exeC:\Windows\Temp\asw.f4b22e6f4ee246a5\config.deftext
MD5:12774C43E92F60CC72545917CA226AA1
SHA256:DDD77710A67F3B37298429B1A4A0D9B952084AF42FF96454DF364F42F9B7DA60
2892avast_one_essential_setup_online.exeC:\Windows\Temp\asw.f4b22e6f4ee246a5\part-setup_ais-180117d3.vpxbinary
MD5:72FEEE470E611C17FCB9494E9BF08B7D
SHA256:DED1EDCAD352CB5236D924F34FEEDEE238DA2B510B36701DE35F1C001D3A5697
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
20
TCP/UDP connections
56
DNS requests
61
Threats
2

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2840
avast_one_free_antivirus.exe
POST
200
216.58.212.174:80
http://www.google-analytics.com/collect
unknown
image
35 b
unknown
2840
avast_one_free_antivirus.exe
POST
403
34.117.223.223:80
http://v7event.stats.avast.com/cgi-bin/iavsevents.cgi
unknown
html
317 b
unknown
2840
avast_one_free_antivirus.exe
GET
200
23.54.112.28:80
http://s-iavast.avcdn.net/iavs9x/avast_one_essential_setup_online.exe
unknown
executable
9.19 Mb
unknown
2840
avast_one_free_antivirus.exe
POST
200
216.58.212.174:80
http://www.google-analytics.com/collect
unknown
image
35 b
unknown
2840
avast_one_free_antivirus.exe
POST
403
34.117.223.223:80
http://v7event.stats.avast.com/cgi-bin/iavsevents.cgi
unknown
html
317 b
unknown
GET
200
216.58.212.174:80
http://www.google-analytics.com/collect?aiid=mmm_aon_012_999_a8b_m:dlid_AVAST-ONE-FREE-WIN-PPC&an=One%20Essential&av=24.1.8821&cd=stub-extended&cd3=Online&cid=cfe598a1-643d-4b04-a8b8-658f3254381e&dt=Installation&t=screenview&tid=UA-58120669-3&v=1
unknown
image
35 b
unknown
1976
Instup.exe
GET
200
2.21.22.155:80
http://r6726306.iavs9x.u.avast.com/iavs9x/avbugreport_ais-a2c.vpx
unknown
binary
1.25 Mb
unknown
1976
Instup.exe
GET
200
2.21.22.155:80
http://r6726306.iavs9x.u.avast.com/iavs9x/instcont_ais-a2c.vpx
unknown
binary
921 Kb
unknown
1976
Instup.exe
GET
200
2.21.22.155:80
http://r6726306.iavs9x.u.avast.com/iavs9x/avdump_x86_ais-a2c.vpx
unknown
binary
371 Kb
unknown
1976
Instup.exe
GET
200
2.21.22.160:80
http://h4305360.iavs9x.u.avast.com/iavs9x/servers.def.vpx
unknown
binary
2.40 Kb
unknown
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:138
whitelisted
1080
svchost.exe
224.0.0.252:5355
unknown
4
System
192.168.100.255:137
whitelisted
2840
avast_one_free_antivirus.exe
216.58.212.174:80
www.google-analytics.com
GOOGLE
US
whitelisted
2840
avast_one_free_antivirus.exe
34.149.149.62:443
ip-info.ff.avast.com
GOOGLE
US
unknown
2840
avast_one_free_antivirus.exe
34.117.223.223:80
v7event.stats.avast.com
GOOGLE-CLOUD-PLATFORM
US
unknown
2840
avast_one_free_antivirus.exe
23.54.112.28:443
s-iavast.avcdn.net
AKAMAI-AS
CH
whitelisted
2840
avast_one_free_antivirus.exe
23.54.112.28:80
s-iavast.avcdn.net
AKAMAI-AS
CH
whitelisted
2892
avast_one_essential_setup_online.exe
34.117.223.223:443
v7event.stats.avast.com
GOOGLE-CLOUD-PLATFORM
US
unknown
2892
avast_one_essential_setup_online.exe
216.58.212.174:80
www.google-analytics.com
GOOGLE
US
whitelisted

DNS requests

Domain
IP
Reputation
www.google-analytics.com
  • 216.58.212.174
whitelisted
v7event.stats.avast.com
  • 34.117.223.223
whitelisted
ip-info.ff.avast.com
  • 34.149.149.62
whitelisted
s-iavast.avcdn.net
  • 23.54.112.28
unknown
analytics.avcdn.net
  • 34.117.223.223
unknown
shepherd.ff.avast.com
  • 34.160.176.28
whitelisted
d3176133.iavs9x.u.avast.com
  • 2.21.22.155
  • 2a02:26f0:3000::215:166a
whitelisted
h4305360.iavs9x.u.avast.com
  • 2.21.22.160
  • 2a02:26f0:3000::215:1668
whitelisted
r4427608.iavs9x.u.avast.com
  • 2.21.22.160
  • 2a02:26f0:3000::215:1668
whitelisted
r6726306.iavs9x.u.avast.com
  • 2.21.22.155
  • 2a02:26f0:3000::215:166a
whitelisted

Threats

PID
Process
Class
Message
1080
svchost.exe
Misc activity
ET INFO External IP Lookup Service in DNS Query (ip-info .ff .avast .com)
2840
avast_one_free_antivirus.exe
Misc activity
ET INFO Observed External IP Lookup Domain (ip-info .ff .avast .com) in TLS SNI
Process
Message
avast_one_essential_setup_online.exe
[2024-02-23 23:21:11.367] [info ] [sfxinst ] [ 2892: 2408] [7361C5: 370] Running SFX 'C:\Windows\Temp\asw.9ed4d29fc435c55c\avast_one_essential_setup_online.exe'
avast_one_essential_setup_online.exe
[2024-02-23 23:21:11.648] [info ] [sfxinst ] [ 2892: 2408] [7361C5: 592] Moved extra data file 'ecoo.edat' to 'C:\Windows\Temp\asw.f4b22e6f4ee246a5\cookie.bin'.
avast_one_essential_setup_online.exe
[2024-02-23 23:21:12.539] [warning] [burger_rep ] [ 2892: 2792] [64A1D8: 72] The event '70.1' was successfully sent to burger, but it was reject by the server with response:' <html><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <title>403 Forbidden</title> </head> <body text=#000000 bgcolor=#ffffff> <h1>Error: Forbidden</h1> <h2>Your client does not have permission to get URL <code>/v4/receive/json/70</code> from this server.</h2> <h2></h2> </body></html> '.
avast_one_essential_setup_online.exe
[2024-02-23 23:21:13.773] [info ] [sfxinst ] [ 2892: 2408] [7361C5: 881] Starting installer/updater executable 'C:\Windows\Temp\asw.f4b22e6f4ee246a5\instup.exe'
Instup.exe
[2024-02-23 23:21:14.226] [info ] [instup ] [ 1976: 2184] [87A008:2734] Running module version: Instup.dll - '24.1.8821.0'
Instup.exe
[2024-02-23 23:21:14.226] [info ] [xproduct ] [ 1976: 2184] [50441C: 64] CrossProductModule::RegisterThisProduct : SOFTWARE\Avast Software\Products : public-instup 1976
Instup.exe
[2024-02-23 23:21:14.226] [info ] [instup ] [ 1976: 2184] [87A008:2658] Command: '"C:\Windows\Temp\asw.f4b22e6f4ee246a5\instup.exe" /sfx:lite /sfxstorage:C:\Windows\Temp\asw.f4b22e6f4ee246a5 /edition:21 /prod:ais /stub_mapping_guid:99851102-e7f6-46ea-96ef-34fb31d6d630:9634528 /guid:cfe598a1-643d-4b04-a8b8-658f3254381e /ga_clientid:e893be53-12cc-437d-9452-6cece741a01f /cookie:mmm_aon_012_999_a8b_m:dlid_AVAST-ONE-FREE-WIN-PPC /ga_clientid:e893be53-12cc-437d-9452-6cece741a01f /edat_dir:C:\Windows\Temp\asw.9ed4d29fc435c55c'
Instup.exe
[2024-02-23 23:21:14.226] [info ] [instup ] [ 1976: 2184] [87A008:2664] CPU: Intel(R) Core(TM) i5-6400 CPU @ 2.70GHz,4
Instup.exe
[2024-02-23 23:21:14.226] [info ] [instup ] [ 1976: 2184] [87A008:2669] OS: Windows 7 SP1 x86
Instup.exe
[2024-02-23 23:21:14.226] [info ] [instup ] [ 1976: 2184] [87A008:2672] setup: x86
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
avast_one_free_antivirus.exe