File name: Avast.exe
Full analysis: https://app.any.run/tasks/efba1e29-5d3c-4a12-9adb-3150fccf8f2a
Verdict: Malicious activity
Analysis date: September 14, 2024, 10:03:33
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags: github, python
MIME: application/x-dosexec
File info: PE32+ executable (GUI) x86-64, for MS Windows
MD5: 2669B87C087004B50E01CD3B964E736A
SHA1: BBA6066233F8800AFDB456C94706A78C5950C23E
SHA256: AA6215E4FB1E233B56ED57703656B1C96ACFD3926659C49332C75AC978B3A6E0
SSDEEP: 98304:uEWwTombg4tqaO9zVhaY96eKNhRgbJnIB+p74S5Jp/Oj84MdylHPLPwx5eD4aSgQ:k4X4XJHEVQabvSaj

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    No malicious indicators.
  • SUSPICIOUS
    • Application launched itself
      • Avast.exe (PID: 6684)
    • Executable content was dropped or overwritten
      • Avast.exe (PID: 6684)
    • Process drops python dynamic module
      • Avast.exe (PID: 6684)
    • Loads Python modules
      • Avast.exe (PID: 6460)
  • INFO
    • Checks supported languages
      • Avast.exe (PID: 6684)
      • Avast.exe (PID: 6460)
    • Reads the computer name
      • Avast.exe (PID: 6684)
      • Avast.exe (PID: 6460)
    • Create files in a temporary directory
      • Avast.exe (PID: 6684)
    • Reads the machine GUID from the registry
      • Avast.exe (PID: 6460)
    • Checks proxy server information
      • Avast.exe (PID: 6460)
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (87.3)
.exe | Generic Win/DOS Executable (6.3)
.exe | DOS Executable Generic (6.3)

EXIF

EXE

MachineType: AMD AMD64
TimeStamp: 2024:09:14 08:56:47+00:00
ImageFileCharacteristics: Executable, Large address aware
PEType: PE32+
LinkerVersion: 14.4
CodeSize: 168960
InitializedDataSize: 153600
UninitializedDataSize: -
EntryPoint: 0xc0d0
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
Total processes: 122
Monitored processes: 2
Malicious processes: 1
Suspicious processes: 0

Behavior graph

start -> avast.exe (PID 6684) -> avast.exe (PID 6460)

Process information

PID: 6460
CMD: "C:\Users\admin\Desktop\Avast.exe"
Path: C:\Users\admin\Desktop\Avast.exe
Parent process: Avast.exe
User: admin
Integrity Level: MEDIUM
Exit code: 1
Modules (images):
  c:\users\admin\desktop\avast.exe
  c:\windows\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\apphelp.dll
  c:\windows\system32\user32.dll
  c:\windows\system32\win32u.dll
  c:\windows\system32\gdi32.dll
  c:\windows\system32\gdi32full.dll
  c:\windows\system32\msvcp_win.dll

PID: 6684
CMD: "C:\Users\admin\Desktop\Avast.exe"
Path: C:\Users\admin\Desktop\Avast.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Exit code: 1
Modules (images):
  c:\users\admin\desktop\avast.exe
  c:\windows\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\apphelp.dll
  c:\windows\system32\user32.dll
  c:\windows\system32\win32u.dll
  c:\windows\system32\gdi32.dll
  c:\windows\system32\gdi32full.dll
  c:\windows\system32\msvcp_win.dll
Total events: 325
Read events: 325
Write events: 0
Delete events: 0

Modification events

No data

Executable files: 61
Suspicious files: 1
Text files: 9
Unknown types: 0

Dropped files

All entries below were dropped by PID 6684 (Avast.exe); type: executable.

C:\Users\admin\AppData\Local\Temp\_MEI66842\VCRUNTIME140.dll
  MD5: 870FEA4E961E2FBD00110D3783E529BE
  SHA256: 76FDB83FDE238226B5BEBAF3392EE562E2CB7CA8D3EF75983BF5F9D6C7119644
C:\Users\admin\AppData\Local\Temp\_MEI66842\_lzma.pyd
  MD5: 0A94C9F3D7728CF96326DB3AB3646D40
  SHA256: 0A70E8546FA6038029F2A3764E721CEEBEA415818E5F0DF6B90D6A40788C3B31
C:\Users\admin\AppData\Local\Temp\_MEI66842\_decimal.pyd
  MD5: 6339FA92584252C3B24E4CCE9D73EF50
  SHA256: 4AE6F6FB3992BB878416211221B3D62515E994D78F72EAB51E0126CA26D0EE96
C:\Users\admin\AppData\Local\Temp\_MEI66842\_cffi_backend.cp310-win_amd64.pyd
  MD5: EBB660902937073EC9695CE08900B13D
  SHA256: 52E5A0C3CA9B0D4FC67243BD8492F5C305FF1653E8D956A2A3D9D36AF0A3E4FD
C:\Users\admin\AppData\Local\Temp\_MEI66842\_socket.pyd
  MD5: 0F5E64E33F4D328EF11357635707D154
  SHA256: 8AF6D70D44BB9398733F88BCFB6D2085DD1A193CD00E52120B96A651F6E35EBE
C:\Users\admin\AppData\Local\Temp\_MEI66842\_hashlib.pyd
  MD5: D856A545A960BF2DCA1E2D9BE32E5369
  SHA256: CD33F823E608D3BDA759AD441F583A20FC0198119B5A62A8964F172559ACB7D3
C:\Users\admin\AppData\Local\Temp\_MEI66842\_bz2.pyd
  MD5: BBE89CF70B64F38C67B7BF23C0EA8A48
  SHA256: 775FBC6E9A4C7E9710205157350F3D6141B5A9E8F44CB07B3EAC38F2789C8723
C:\Users\admin\AppData\Local\Temp\_MEI66842\_ctypes.pyd
  MD5: CA4CEF051737B0E4E56B7D597238DF94
  SHA256: E60A2B100C4FA50B0B144CF825FE3CDE21A8B7B60B92BFC326CB39573CE96B2B
C:\Users\admin\AppData\Local\Temp\_MEI66842\api-ms-win-core-file-l1-2-0.dll
  MD5: AC28EDB5AD8EAA70ECBC64BAF3E70BD4
  SHA256: FBD5E958F6EFB4D78FD61EE9EE4B4D1B6F43C1210301668F654A880C65A1BE86
C:\Users\admin\AppData\Local\Temp\_MEI66842\api-ms-win-core-debug-l1-1-0.dll
  MD5: 6E84207402F5CD66E00ABB1689DED080
  SHA256: 301A110ED905F10243437C5BC2A92CDF7C8609C19CB8BAFF92C99D8645C8D6F0
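The dropped files above are the footprint of a PyInstaller "onefile" executable: the `_MEI` prefix is the name PyInstaller's bootloader gives its extraction directory, the parent process (PID 6684) unpacks the bundled CPython runtime into %TEMP%\_MEI<pid><n> and then re-launches itself (the "Application launched itself" indicator), and the child (PID 6460) is the one that "Loads Python modules". The following Python script is an added triage example, not part of the ANY.RUN report: it parses the dropped-file records copied from this page, checks that the extraction directory name encodes the dropping PID, reads the CPython version and platform from the ABI tag in `_cffi_backend.cp310-win_amd64.pyd`, and separates runtime DLLs and standard-library extension modules from third-party ones. The `STDLIB_PYD` set and the file-type names in `RECORD_RE` are the script's own assumptions.

```python
import re

# "Dropped files" records copied from this report in the flattened
# "<PID><process><path><type>" form the page uses, each followed by its hashes.
REPORT_DROPPED = r"""
6684Avast.exeC:\Users\admin\AppData\Local\Temp\_MEI66842\VCRUNTIME140.dllexecutable
MD5:870FEA4E961E2FBD00110D3783E529BE
SHA256:76FDB83FDE238226B5BEBAF3392EE562E2CB7CA8D3EF75983BF5F9D6C7119644
6684Avast.exeC:\Users\admin\AppData\Local\Temp\_MEI66842\_lzma.pydexecutable
MD5:0A94C9F3D7728CF96326DB3AB3646D40
SHA256:0A70E8546FA6038029F2A3764E721CEEBEA415818E5F0DF6B90D6A40788C3B31
6684Avast.exeC:\Users\admin\AppData\Local\Temp\_MEI66842\_decimal.pydexecutable
MD5:6339FA92584252C3B24E4CCE9D73EF50
SHA256:4AE6F6FB3992BB878416211221B3D62515E994D78F72EAB51E0126CA26D0EE96
6684Avast.exeC:\Users\admin\AppData\Local\Temp\_MEI66842\_cffi_backend.cp310-win_amd64.pydexecutable
MD5:EBB660902937073EC9695CE08900B13D
SHA256:52E5A0C3CA9B0D4FC67243BD8492F5C305FF1653E8D956A2A3D9D36AF0A3E4FD
6684Avast.exeC:\Users\admin\AppData\Local\Temp\_MEI66842\_socket.pydexecutable
MD5:0F5E64E33F4D328EF11357635707D154
SHA256:8AF6D70D44BB9398733F88BCFB6D2085DD1A193CD00E52120B96A651F6E35EBE
6684Avast.exeC:\Users\admin\AppData\Local\Temp\_MEI66842\_hashlib.pydexecutable
MD5:D856A545A960BF2DCA1E2D9BE32E5369
SHA256:CD33F823E608D3BDA759AD441F583A20FC0198119B5A62A8964F172559ACB7D3
6684Avast.exeC:\Users\admin\AppData\Local\Temp\_MEI66842\_bz2.pydexecutable
MD5:BBE89CF70B64F38C67B7BF23C0EA8A48
SHA256:775FBC6E9A4C7E9710205157350F3D6141B5A9E8F44CB07B3EAC38F2789C8723
6684Avast.exeC:\Users\admin\AppData\Local\Temp\_MEI66842\_ctypes.pydexecutable
MD5:CA4CEF051737B0E4E56B7D597238DF94
SHA256:E60A2B100C4FA50B0B144CF825FE3CDE21A8B7B60B92BFC326CB39573CE96B2B
6684Avast.exeC:\Users\admin\AppData\Local\Temp\_MEI66842\api-ms-win-core-file-l1-2-0.dllexecutable
MD5:AC28EDB5AD8EAA70ECBC64BAF3E70BD4
SHA256:FBD5E958F6EFB4D78FD61EE9EE4B4D1B6F43C1210301668F654A880C65A1BE86
6684Avast.exeC:\Users\admin\AppData\Local\Temp\_MEI66842\api-ms-win-core-debug-l1-1-0.dllexecutable
MD5:6E84207402F5CD66E00ABB1689DED080
SHA256:301A110ED905F10243437C5BC2A92CDF7C8609C19CB8BAFF92C99D8645C8D6F0
"""

RECORD_RE = re.compile(r"^(\d+)([^\\]+?\.exe)([A-Za-z]:\\.+?)(executable|text|binary)$")
MEI_RE = re.compile(r"\\(_MEI(\d+))\\", re.IGNORECASE)
ABI_RE = re.compile(r"\.(cp\d{2,3})-([a-z0-9_]+)\.pyd$", re.IGNORECASE)
# CPython's own Windows extension modules (assumed list, not from the report);
# any other .pyd was bundled in from a third-party package.
STDLIB_PYD = {"_asyncio", "_bz2", "_ctypes", "_decimal", "_elementtree", "_hashlib", "_lzma",
              "_multiprocessing", "_overlapped", "_queue", "_socket", "_sqlite3", "_ssl",
              "_uuid", "_zoneinfo", "pyexpat", "select", "unicodedata"}

def parse_dropped(text):
    """Turn the flattened report lines into dict records with their hashes."""
    records, current = [], None
    for line in text.strip().splitlines():
        m = RECORD_RE.match(line)
        if m:
            pid, proc, path, ftype = m.groups()
            current = {"pid": int(pid), "process": proc, "path": path, "type": ftype}
            records.append(current)
        elif current is not None and line.startswith(("MD5:", "SHA256:")):
            algo, digest = line.split(":", 1)
            current[algo.lower()] = digest
    return records

def triage_pyinstaller(records, pid):
    """Classify what `pid` dropped and decide whether it is a PyInstaller onefile unpack."""
    res = {"pid": pid, "packer": None, "extract_dir": None, "dir_encodes_pid": False,
           "python_tag": None, "platform": None, "stdlib_modules": [],
           "third_party_modules": [], "runtime_dlls": []}
    for r in (r for r in records if r["pid"] == pid):
        fname = r["path"].rsplit("\\", 1)[-1]
        m = MEI_RE.search(r["path"])
        if m:
            res["extract_dir"] = m.group(1)
            # The Windows bootloader names the directory _MEI<pid><retry counter>,
            # so the digits should start with the PID of the extracting process.
            res["dir_encodes_pid"] = m.group(2).startswith(str(pid))
        if fname.lower().endswith(".pyd"):
            name = fname.split(".", 1)[0]   # "_cffi_backend.cp310-win_amd64.pyd" -> "_cffi_backend"
            res["stdlib_modules" if name in STDLIB_PYD else "third_party_modules"].append(name)
            a = ABI_RE.search(fname)
            if a:                            # the ABI tag gives the bundled CPython version
                res["python_tag"], res["platform"] = a.group(1).lower(), a.group(2).lower()
        elif fname.lower().endswith(".dll"):
            res["runtime_dlls"].append(fname)
    if res["extract_dir"] and (res["stdlib_modules"] or res["third_party_modules"]):
        res["packer"] = "PyInstaller (onefile)"
    return res

def python_version(tag):
    """'cp310' -> '3.10'; None when no tagged module was dropped."""
    return f"{tag[2]}.{tag[3:]}" if tag and tag.startswith("cp") else None

if __name__ == "__main__":
    t = triage_pyinstaller(parse_dropped(REPORT_DROPPED), 6684)
    print(t["packer"], "Python", python_version(t["python_tag"]), t["platform"],
          "| third-party modules:", t["third_party_modules"])
```

Every file in this list is a stock CPython or MSVC runtime component rather than the sample's own code, so their hashes are weak blocking indicators. The sample's logic is in the PYZ archive embedded in Avast.exe itself and has to be recovered with a PyInstaller extractor (for example pyinstxtractor) before the script can be read; the one hint here at what was bundled beyond the standard library is the third-party `_cffi_backend` module.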
HTTP(S) requests: 3
TCP/UDP connections: 19
DNS requests: 5
Threats: 1

HTTP requests

PID   Process              Method  HTTP Code  IP                URL                                                                  Type     Reputation
6440  svchost.exe          GET     200        184.30.21.171:80  http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl  unknown  whitelisted
6248  RUXIMICS.exe         GET     200        184.30.21.171:80  http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl  unknown  whitelisted
2120  MoUsoCoreWorker.exe  GET     200        184.30.21.171:80  http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl  unknown  whitelisted

Connections

PID   Process              IP                    Domain                           ASN                          CN  Reputation
6440  svchost.exe          51.104.136.2:443      settings-win.data.microsoft.com  MICROSOFT-CORP-MSN-AS-BLOCK  IE  whitelisted
4     System               192.168.100.255:138   -                                -                            -   whitelisted
6248  RUXIMICS.exe         51.104.136.2:443      settings-win.data.microsoft.com  MICROSOFT-CORP-MSN-AS-BLOCK  IE  whitelisted
2120  MoUsoCoreWorker.exe  51.104.136.2:443      settings-win.data.microsoft.com  MICROSOFT-CORP-MSN-AS-BLOCK  IE  whitelisted
6440  svchost.exe          184.30.21.171:80      www.microsoft.com                AKAMAI-AS                    DE  whitelisted
6248  RUXIMICS.exe         184.30.21.171:80      www.microsoft.com                AKAMAI-AS                    DE  whitelisted
2120  MoUsoCoreWorker.exe  184.30.21.171:80      www.microsoft.com                AKAMAI-AS                    DE  whitelisted
6460  Avast.exe            185.199.110.133:443   raw.githubusercontent.com        FASTLY                       US  shared
3888  svchost.exe          239.255.255.250:1900  -                                -                            -   whitelisted
4324  svchost.exe          51.104.136.2:443      settings-win.data.microsoft.com  MICROSOFT-CORP-MSN-AS-BLOCK  IE  whitelisted

DNS requests

Domain                           IP                                                                  Reputation
settings-win.data.microsoft.com  51.104.136.2                                                        whitelisted
google.com                       172.217.16.206                                                      whitelisted
www.microsoft.com                184.30.21.171                                                       whitelisted
raw.githubusercontent.com        185.199.110.133, 185.199.111.133, 185.199.108.133, 185.199.109.133  shared

Threats

PID   Process      Class                   Message
2256  svchost.exe  Not Suspicious Traffic  INFO [ANY.RUN] Attempting to access raw user content on GitHub
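The Connections and DNS tables mix the sample's own traffic with the sandbox's background noise (Windows telemetry and CRL checks from svchost.exe, RUXIMICS.exe and MoUsoCoreWorker.exe). The Python script below is an added triage example, not part of the ANY.RUN report: it rebuilds the sample's process tree from the Process information section, keeps only connections made by PIDs in that tree, flags those whose reputation is not "whitelisted", and cross-checks the DNS answers against the connections actually made. The rows are copied from this page; the tree walk and the reputation rule are the script's own.

```python
from collections import defaultdict

# Process tree from the "Process information" section: pid -> (image, parent pid).
# explorer.exe launched PID 6684 but is not one of the two monitored processes.
PROCESSES = {6684: ("Avast.exe", None), 6460: ("Avast.exe", 6684)}

# "Connections" rows copied from this report:
# (pid, process, remote endpoint, domain, ASN, reputation); None where the page has no value.
MS_TELEMETRY = ("51.104.136.2:443", "settings-win.data.microsoft.com", "MICROSOFT-CORP-MSN-AS-BLOCK")
MS_CRL = ("184.30.21.171:80", "www.microsoft.com", "AKAMAI-AS")
CONNECTIONS = [
    (6440, "svchost.exe", *MS_TELEMETRY, "whitelisted"),
    (4, "System", "192.168.100.255:138", None, None, "whitelisted"),
    (6248, "RUXIMICS.exe", *MS_TELEMETRY, "whitelisted"),
    (2120, "MoUsoCoreWorker.exe", *MS_TELEMETRY, "whitelisted"),
    (6440, "svchost.exe", *MS_CRL, "whitelisted"),
    (6248, "RUXIMICS.exe", *MS_CRL, "whitelisted"),
    (2120, "MoUsoCoreWorker.exe", *MS_CRL, "whitelisted"),
    (6460, "Avast.exe", "185.199.110.133:443", "raw.githubusercontent.com", "FASTLY", "shared"),
    (3888, "svchost.exe", "239.255.255.250:1900", None, None, "whitelisted"),
    (4324, "svchost.exe", *MS_TELEMETRY, "whitelisted"),
]

# "DNS requests" section: domain -> answers (the report does not say which process asked).
DNS = {
    "settings-win.data.microsoft.com": ["51.104.136.2"],
    "google.com": ["172.217.16.206"],
    "www.microsoft.com": ["184.30.21.171"],
    "raw.githubusercontent.com": ["185.199.110.133", "185.199.111.133",
                                  "185.199.108.133", "185.199.109.133"],
}

def sample_process_tree(processes, root_pid):
    """PIDs of root_pid and every process descended from it within the monitored set."""
    children = defaultdict(list)
    for pid, (_, parent) in processes.items():
        if parent is not None:
            children[parent].append(pid)
    tree, stack = set(), [root_pid]
    while stack:
        pid = stack.pop()
        if pid in tree:
            continue
        tree.add(pid)
        stack.extend(children[pid])
    return tree

def attribute_connections(connections, sample_pids):
    """Split connections into the sample's own and sandbox background; flag sample
    connections whose destination reputation is anything but 'whitelisted'."""
    sample, background = [], []
    for row in connections:
        (sample if row[0] in sample_pids else background).append(row)
    flagged = [row for row in sample if row[5] != "whitelisted"]
    return {"sample": sample, "background": background, "flagged": flagged}

def unattributed_dns(dns, connections):
    """Domains that were resolved but never connected to by any listed process."""
    contacted = {row[3] for row in connections if row[3]}
    return sorted(d for d in dns if d not in contacted)

def connections_to_resolved(dns, domain, connections):
    """Which of the resolved addresses for `domain` were actually used."""
    used = {row[2].rsplit(":", 1)[0] for row in connections if row[3] == domain}
    return [ip for ip in dns.get(domain, []) if ip in used]

if __name__ == "__main__":
    tree = sample_process_tree(PROCESSES, 6684)
    result = attribute_connections(CONNECTIONS, tree)
    for pid, proc, remote, domain, asn, rep in result["flagged"]:
        print(f"sample traffic: {proc} (PID {pid}) -> {remote} {domain} [{asn}] reputation={rep}")
    print(len(result["background"]), "background rows from sandbox services ignored;",
          "resolved but never contacted:", unattributed_dns(DNS, CONNECTIONS))
```

Run as a script this leaves exactly one sample-originated connection, Avast.exe (PID 6460) to raw.githubusercontent.com, with the other nine rows attributed to sandbox services. Two caveats when reading this report: the Threats row credits the GitHub access to svchost.exe (PID 2256), a PID that appears in neither the process list nor the connections table, while the connection itself is logged against Avast.exe (PID 6460), so attribute on the process and connection data rather than on the IDS row; and a "shared" reputation only says the destination is shared infrastructure, so the host alone is not an indicator and the path requested on raw.githubusercontent.com, which this summary does not show, is what identifies the fetched payload.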