URL:

https://www.avast.com/sig-email?utm_medium=email&utm_source=link&utm_campaign=sig-email&utm_content=emailclient

Full analysis: https://app.any.run/tasks/dfeb8c80-944a-4dd3-870a-f52b4fb9d4dc
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Malware Trends Tracker     >>>
Analysis date: July 13, 2024, 06:18:15
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
loader
Indicators:
MD5:

95BF76059B984ACBF43EB9048431D4AC

SHA1:

C6A12B0FADC97A9AF7E72C6B58B7A68139581FBE

SHA256:

B23408030748EC5BB14329D9CAE42C20F535659F5ADC6F469363AAE120D94E0A

SSDEEP:

3:N8DSL/K7C/I1dBRIYrJD6QWmOLEom//I+lAL+2MJGDLR:2OLCVsQfWmMmYddMJGXR

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Drops the executable file immediately after the start

      • avast_free_antivirus_online-installation (1).exe (PID: 2504)
      • avast_free_antivirus_setup_online.exe (PID: 4016)
      • Instup.exe (PID: 3124)
      • aswOfferTool.exe (PID: 3808)
      • aswOfferTool.exe (PID: 3888)
      • aswOfferTool.exe (PID: 684)
      • aswOfferTool.exe (PID: 1804)
      • AvEmUpdate.exe (PID: 2688)
      • SetupInf.exe (PID: 1144)
      • drvinst.exe (PID: 3172)
      • AvastSvc.exe (PID: 1216)
      • instup.exe (PID: 2764)

  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • avast_free_antivirus_setup_online.exe (PID: 4016)
      • avast_free_antivirus_online-installation (1).exe (PID: 2504)
      • Instup.exe (PID: 3124)
      • aswOfferTool.exe (PID: 3888)
      • instup.exe (PID: 2764)
      • aswOfferTool.exe (PID: 684)
      • aswOfferTool.exe (PID: 1804)
      • aswOfferTool.exe (PID: 3808)
      • AvEmUpdate.exe (PID: 2688)
      • SetupInf.exe (PID: 1144)
      • drvinst.exe (PID: 3172)
      • AvastSvc.exe (PID: 1216)

    • Starts itself from another location

      • Instup.exe (PID: 3124)
      • aswOfferTool.exe (PID: 3888)
      • aswOfferTool.exe (PID: 1804)

    • Likely accesses (executes) a file from the Public directory

      • aswOfferTool.exe (PID: 2828)
      • aswOfferTool.exe (PID: 3808)

    • Process drops legitimate windows executable

      • instup.exe (PID: 2764)

    • Application launched itself

      • AvEmUpdate.exe (PID: 2688)

    • Drops a system driver (possible attempt to evade defenses)

      • drvinst.exe (PID: 3172)
      • AvEmUpdate.exe (PID: 2688)
      • instup.exe (PID: 2764)
      • SetupInf.exe (PID: 1144)

    • Executes as Windows Service

      • wsc_proxy.exe (PID: 2056)
      • AvastSvc.exe (PID: 1216)
      • aswToolsSvc.exe (PID: 1948)

    • The process drops C-runtime libraries

      • instup.exe (PID: 2764)

  • INFO

    • The process uses the downloaded file

      • chrome.exe (PID: 2892)

    • Executable content was dropped or overwritten

      • chrome.exe (PID: 3344)
      • chrome.exe (PID: 1624)

    • Drops the executable file immediately after the start

      • chrome.exe (PID: 3344)
      • chrome.exe (PID: 1624)

    • Dropped object may contain TOR URL's

      • Instup.exe (PID: 3124)
      • aswOfferTool.exe (PID: 1804)
      • aswOfferTool.exe (PID: 3888)
      • instup.exe (PID: 2764)

    • Application launched itself

      • chrome.exe (PID: 3344)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
113
Monitored processes
69
Malicious processes
9
Suspicious processes
3

Behavior graph

Click at the process to see the details
start chrome.exe chrome.exe no specs chrome.exe no specs chrome.exe chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs avast_free_antivirus_online-installation (1).exe no specs avast_free_antivirus_online-installation (1).exe avast_free_antivirus_setup_online.exe instup.exe instup.exe aswoffertool.exe no specs aswoffertool.exe no specs aswoffertool.exe aswoffertool.exe aswoffertool.exe aswoffertool.exe aswoffertool.exe no specs aswoffertool.exe no specs chrome.exe no specs sbr.exe no specs chrome.exe setupinf.exe no specs setupinf.exe no specs setupinf.exe no specs setupinf.exe no specs avemupdate.exe no specs avemupdate.exe avemupdate.exe no specs avemupdate.exe no specs chrome.exe no specs setupinf.exe no specs setupinf.exe drvinst.exe regsvr.exe no specs regsvr.exe no specs avastnm.exe no specs overseer.exe no specs engsup.exe no specs wsc_proxy.exe no specs wsc_proxy.exe no specs avastsvc.exe aswtoolssvc.exe no specs engsup.exe no specs instup.exe no specs instup.exe no specs keytool.exe no specs icacls.exe no specs keytool.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
292"C:\Program Files\Common Files\Avast Software\Overseer\overseer.exe" /skip_uptime /skip_remediationsC:\Program Files\Common Files\Avast Software\Overseer\overseer.exeinstup.exe
User:
admin
Company:
Avast Software
Integrity Level:
HIGH
Description:
Avast Overseer
Exit code:
0
Version:
1.0.486.0
368"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --disable-quic --mojo-platform-channel-handle=3740 --field-trial-handle=1136,i,17554600587425880886,3385982580253946947,131072 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
MEDIUM
Description:
Google Chrome
Exit code:
0
Version:
109.0.5414.120
444"C:\Program Files\Avast Software\Avast\SetupInf.exe" /uninstall /catalog:aswHwid.catC:\Program Files\Avast Software\Avast\SetupInf.exeinstup.exe
User:
admin
Company:
Gen Digital Inc.
Integrity Level:
HIGH
Description:
Avast Antivirus Installer
Exit code:
0
Version:
24.6.9241.0
680"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgACAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1088 --field-trial-handle=1136,i,17554600587425880886,3385982580253946947,131072 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:2C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
LOW
Description:
Google Chrome
Exit code:
0
Version:
109.0.5414.120
Modules
Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\google\chrome\application\109.0.5414.120\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
684"C:\Windows\Temp\asw.072f74501960e733\New_180617e9\aswOfferTool.exe" -checkChrome -elevatedC:\Windows\Temp\asw.072f74501960e733\New_180617e9\aswOfferTool.exe
instup.exe
User:
admin
Company:
Gen Digital Inc.
Integrity Level:
HIGH
Description:
Avast Offer Installation Tool
Exit code:
2
Version:
24.6.9241.0
748"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --disable-quic --mojo-platform-channel-handle=3660 --field-trial-handle=1136,i,17554600587425880886,3385982580253946947,131072 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
MEDIUM
Description:
Google Chrome
Exit code:
0
Version:
109.0.5414.120
Modules
Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\google\chrome\application\109.0.5414.120\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
880C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)MC:\Windows\system32\icacls.exekeytool.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
976AvEmUpdate.exe /installer1 /emupdater /applydll "C:\Program Files\Avast Software\Avast\Setup\17028d5e-b5c0-4d34-98b1-48b6c48ba700.dll"C:\Program Files\Avast Software\Avast\AvEmUpdate.exeAvEmUpdate.exe
User:
admin
Company:
Gen Digital Inc.
Integrity Level:
HIGH
Description:
Avast Emergency Update
Exit code:
0
Version:
24.6.9241.0
1144"C:\Program Files\Avast Software\Avast\SetupInf.exe" /install /netservice:aswNetNd6 /catalog:aswNetNd6.cat "C:\Program Files\Avast Software\Avast\setup\Inf\aswNetNd6.inf"C:\Program Files\Avast Software\Avast\SetupInf.exe
instup.exe
User:
admin
Company:
Gen Digital Inc.
Integrity Level:
HIGH
Description:
Avast Antivirus Installer
Exit code:
0
Version:
24.6.9241.0
1216"C:\Program Files\Avast Software\Avast\AvastSvc.exe" /runassvcC:\Program Files\Avast Software\Avast\AvastSvc.exe
services.exe
User:
SYSTEM
Company:
Gen Digital Inc.
Integrity Level:
SYSTEM
Description:
Avast Service
Version:
24.6.9241.0
Total events
9 164
Read events
9 075
Write events
85
Delete events
4

Modification events

(PID) Process:(3344) chrome.exeKey:HKEY_CURRENT_USER\Software\Google\Chrome\BLBeacon
Operation:writeName:failed_count
Value:
0
(PID) Process:(3344) chrome.exeKey:HKEY_CURRENT_USER\Software\Google\Chrome\BLBeacon
Operation:writeName:state
Value:
2
(PID) Process:(3344) chrome.exeKey:HKEY_CURRENT_USER\Software\Google\Chrome\ThirdParty
Operation:writeName:StatusCodes
Value:
(PID) Process:(3344) chrome.exeKey:HKEY_CURRENT_USER\Software\Google\Chrome\ThirdParty
Operation:writeName:StatusCodes
Value:
01000000
(PID) Process:(3344) chrome.exeKey:HKEY_CURRENT_USER\Software\Google\Chrome\BLBeacon
Operation:writeName:state
Value:
1
(PID) Process:(3344) chrome.exeKey:HKEY_CURRENT_USER\Software\Google\Update\ClientState\{8A69D345-D564-463c-AFF1-A69D9E530F96}
Operation:writeName:dr
Value:
1
(PID) Process:(3344) chrome.exeKey:HKEY_CURRENT_USER\Software\Google\Chrome\StabilityMetrics
Operation:writeName:user_experience_metrics.stability.exited_cleanly
Value:
0
(PID) Process:(3344) chrome.exeKey:HKEY_CURRENT_USER\Software\Google\Chrome
Operation:writeName:UsageStatsInSample
Value:
0
(PID) Process:(3344) chrome.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Google\Update\ClientStateMedium\{8A69D345-D564-463C-AFF1-A69D9E530F96}
Operation:writeName:usagestats
Value:
0
(PID) Process:(3344) chrome.exeKey:HKEY_CURRENT_USER\Software\Google\Update\ClientState\{8A69D345-D564-463c-AFF1-A69D9E530F96}
Operation:writeName:metricsid
Value:
Executable files
537
Suspicious files
809
Text files
294
Unknown types
229

Dropped files

PID
Process
Filename
Type
3344chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\commerce_subscription_db\LOG.old~RF4e115.TMP
MD5:
SHA256:
3344chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\commerce_subscription_db\LOG.old
MD5:
SHA256:
3344chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\LOG.oldtext
MD5:456D3EF989973A7C218E338A6CFFAD25
SHA256:75631D994431F254B94255C50038A3657BFC45D76FCE9D794D514E57CA678872
3344chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.datbinary
MD5:9C016064A1F864C8140915D77CF3389A
SHA256:0E7265D4A8C16223538EDD8CD620B8820611C74538E420A88E333BE7F62AC787
3344chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\LOG.old~RF4e115.TMPtext
MD5:ECD3386BCC950E73B86EB128A5F57622
SHA256:C9A068EAFBC587EDFC89392F64DDD350EEB96C5CF195CDB030BAB8F6DD33833B
3344chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\LOG.oldtext
MD5:825B582C78EC88D54C215EFDF1EAD639
SHA256:367995D01A8F13E5C30C79499F86B034775BFD009D83DC97635DE438D47DFA37
3344chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\coupon_db\LOG.old~RF4e367.TMP
MD5:
SHA256:
3344chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\coupon_db\LOG.old
MD5:
SHA256:
3344chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Last Versiontext
MD5:9F941EA08DBDCA2EB3CFA1DBBBA6F5DC
SHA256:127F71DF0D2AD895D4F293E62284D85971AE047CA15F90B87BF6335898B0B655
3344chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\AutofillStrikeDatabase\LOG.old~RF4f73d.TMP
MD5:
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
137
TCP/UDP connections
161
DNS requests
382
Threats
15

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
1372
svchost.exe
GET
304
23.32.238.242:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?33775f6043c93e33
unknown
whitelisted
1372
svchost.exe
GET
200
23.216.77.6:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
1372
svchost.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
1060
svchost.exe
GET
304
199.232.214.172:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?a9f83325acc8ca75
unknown
whitelisted
HEAD
200
34.104.35.123:80
http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adasgb6qzo3kp62542i5hyaakdua_30.2/imefjhfbkmcmebodilednhmaccmincoa_30.2_win_kwiu22sehztwd3bii7gzgq4vri.crx3
unknown
whitelisted
GET
206
34.104.35.123:80
http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adasgb6qzo3kp62542i5hyaakdua_30.2/imefjhfbkmcmebodilednhmaccmincoa_30.2_win_kwiu22sehztwd3bii7gzgq4vri.crx3
unknown
whitelisted
POST
200
216.239.34.178:80
http://www.google-analytics.com/collect
unknown
unknown
POST
204
34.117.223.223:80
http://v7event.stats.avast.com/cgi-bin/iavsevents.cgi
unknown
unknown
GET
206
34.104.35.123:80
http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adasgb6qzo3kp62542i5hyaakdua_30.2/imefjhfbkmcmebodilednhmaccmincoa_30.2_win_kwiu22sehztwd3bii7gzgq4vri.crx3
unknown
whitelisted
GET
206
34.104.35.123:80
http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adasgb6qzo3kp62542i5hyaakdua_30.2/imefjhfbkmcmebodilednhmaccmincoa_30.2_win_kwiu22sehztwd3bii7gzgq4vri.crx3
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
224.0.0.252:5355
whitelisted
4
System
192.168.100.255:137
whitelisted
2564
svchost.exe
239.255.255.250:3702
whitelisted
1372
svchost.exe
20.73.194.208:443
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
1060
svchost.exe
224.0.0.252:5355
whitelisted
4
System
192.168.100.255:138
whitelisted
3344
chrome.exe
239.255.255.250:1900
whitelisted
2108
chrome.exe
142.250.145.84:443
accounts.google.com
GOOGLE
US
unknown
2108
chrome.exe
23.206.210.36:443
www.avast.com
AKAMAI-AS
DE
unknown
2108
chrome.exe
104.19.178.52:443
cdn.cookielaw.org
CLOUDFLARENET
unknown

DNS requests

Domain
IP
Reputation
google.com
  • 216.58.206.46
whitelisted
accounts.google.com
  • 142.250.145.84
whitelisted
www.avast.com
  • 23.206.210.36
  • 2.19.225.229
whitelisted
cdn.cookielaw.org
  • 104.19.178.52
  • 104.19.177.52
whitelisted
static3.avast.com
  • 23.56.205.198
whitelisted
s.go-mpulse.net
  • 69.192.160.133
whitelisted
assets.adobedtm.com
  • 184.30.16.231
whitelisted
static.avast.com
  • 23.56.205.198
whitelisted
www.googletagmanager.com
  • 142.250.185.232
whitelisted
geolocation.onetrust.com
  • 104.18.32.137
  • 172.64.155.119
whitelisted

Threats

PID
Process
Class
Message
Potential Corporate Privacy Violation
ET POLICY PE EXE or DLL Windows file download HTTP
Misc activity
ET INFO Observed External IP Lookup Domain (ip-info .ff .avast .com) in TLS SNI
Misc activity
ET INFO External IP Lookup Service in DNS Query (ip-info .ff .avast .com)
Misc activity
ET INFO External IP Lookup Service in DNS Query (ip-info .ff .avast .com)
Misc activity
ET INFO External IP Lookup Service in DNS Query (ip-info .ff .avast .com)
Potential Corporate Privacy Violation
ET POLICY PE EXE or DLL Windows file download HTTP
Misc activity
ET INFO External IP Lookup Service in DNS Query (ip-info .ff .avast .com)
Misc activity
ET INFO External IP Lookup Service in DNS Query (ip-info .ff .avast .com)
Misc activity
ET INFO Observed External IP Lookup Domain (ip-info .ff .avast .com) in TLS SNI
Misc activity
ET INFO External IP Lookup Service in DNS Query (ip-info .ff .avast .com)
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
https://www.avast.com/sig-email?utm_medium=email&utm_source=link&utm_campaign=sig-email&utm_content=emailclient