| Field | Value |
|---|---|
| File name: | PAVSetup.exe |
| Full analysis: | https://app.any.run/tasks/c91212ba-06f1-4797-ab05-d0085db5a134 |
| Verdict: | Malicious activity |
| Analysis date: | January 31, 2024, 06:22:37 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Indicators: | |
| MIME: | application/x-dosexec |
| File info: | PE32 executable (GUI) Intel 80386, for MS Windows |
| MD5: | 521DAD4D9DA420989C8A5487C4C2691A |
| SHA1: | 4B2FB2A07D444EC8F84A8C9AB4DA8D92C78EEDD7 |
| SHA256: | D411D71AE66F71D6249D91E311AECCD4D211A0B63B58AAB183994CE3D3274EC3 |
| SSDEEP: | 786432:77yxiKL+uEszSxhhXKrAtA+TGZvDj/sfS8/9NYP:7exiKqBs2PhXKrGVGxDjUq8/9NM |
| Extension | File type (score) |
|---|---|
| .exe | Win32 Executable (generic) (52.9) |
| .exe | Generic Win/DOS Executable (23.5) |
| .exe | DOS Executable Generic (23.5) |
| Field | Value |
|---|---|
| MachineType: | Intel 386 or later, and compatibles |
| TimeStamp: | 2019:12:05 08:37:23+01:00 |
| ImageFileCharacteristics: | Executable, 32-bit |
| PEType: | PE32 |
| LinkerVersion: | 14 |
| CodeSize: | 198656 |
| InitializedDataSize: | 254976 |
| UninitializedDataSize: | - |
| EntryPoint: | 0x1e239 |
| OSVersion: | 5.1 |
| ImageVersion: | - |
| SubsystemVersion: | 5.1 |
| Subsystem: | Windows GUI |
| PID | CMD | Path | Parent process | User | Integrity level | Company | Description | Version | Exit code |
|---|---|---|---|---|---|---|---|---|---|
| 1652 | "C:\Users\admin\AppData\Local\Temp\PAVSetup.exe" | C:\Users\admin\AppData\Local\Temp\PAVSetup.exe | explorer.exe | admin | MEDIUM | — | — | — | 0 |
| 2088 | "C:\Users\admin\AppData\Local\Temp\PAV\Setup.exe" | C:\Users\admin\AppData\Local\Temp\PAV\Setup.exe | PAVSetup.exe | admin | MEDIUM | — | Setup | 12, 0, 0, 0 | 3221226540 |
| 2476 | C:\Users\admin\AppData\Local\Temp\PAV\Anti-Virus\ProtegentAV.exe | C:\Users\admin\AppData\Local\Temp\PAV\Anti-Virus\ProtegentAV.exe | Setup.exe | admin | HIGH | Unistal Systems Pvt. Ltd. | Protegent AV Cloud Setup | — | 0 |
| 2532 | "C:\Users\admin\AppData\Local\Temp\is-I4KKG.tmp\ProtegentAV.tmp" /SL5="$11018A,74682433,58368,C:\Users\admin\AppData\Local\Temp\PAV\Anti-Virus\ProtegentAV.exe" | C:\Users\admin\AppData\Local\Temp\is-I4KKG.tmp\ProtegentAV.tmp | ProtegentAV.exe | admin | HIGH | — | Setup/Uninstall | 51.52.0.0 | 0 |
| 2768 | "C:\Users\admin\AppData\Local\Temp\PAV\WindowsVista\Setup.exe" | C:\Users\admin\AppData\Local\Temp\PAV\WindowsVista\Setup.exe | Setup.exe | admin | HIGH | Unistal Systems Pvt. Ltd. | Setup Application | 1, 0, 0, 1 | 0 |
| 2980 | C:\UNISTAL\UBSuite\DLP\CPSERV~1.EXE -i | C:\UNISTAL\UBSuite\DLP\CPService.exe | Setup.exe | admin | HIGH | — | — | — | 0 |
| 3040 | "C:\Users\admin\AppData\Local\Temp\PAV\Setup.exe" | C:\Users\admin\AppData\Local\Temp\PAV\Setup.exe | PAVSetup.exe | admin | HIGH | — | Setup | 12, 0, 0, 0 | 0 |
| 3560 | Setup | C:\UNISTAL\UBSuite\Common Files\DLPSettings.exe | Setup.exe | admin | HIGH | — | rstoreSetting MFC Application | 1, 0, 0, 1 | 0 |
| 3624 | C:\UNISTAL\UBSuite\DLP\CPSERV~1.EXE | C:\UNISTAL\UBSuite\DLP\CPService.exe | Setup.exe | admin | HIGH | — | — | — | 0 |
| 3828 | C:\UNISTAL\UBSuite\dlp\cpservice.exe | C:\UNISTAL\UBSuite\DLP\CPService.exe | services.exe | SYSTEM | SYSTEM | — | — | — | 0 |
| PID | Process | Key | Operation | Name | Value |
|---|---|---|---|---|---|
| 1652 | PAVSetup.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | write | ProxyBypass | 1 |
| 1652 | PAVSetup.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | write | IntranetName | 1 |
| 1652 | PAVSetup.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | write | UNCAsIntranet | 1 |
| 1652 | PAVSetup.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | write | AutoDetect | 0 |
| 1652 | PAVSetup.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies | write | CachePrefix | Cookie: |
| 1652 | PAVSetup.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History | write | CachePrefix | Visited: |
| 3040 | Setup.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | write | ProxyBypass | 1 |
| 3040 | Setup.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | write | IntranetName | 1 |
| 3040 | Setup.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | write | UNCAsIntranet | 1 |
| 3040 | Setup.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | write | AutoDetect | 0 |
| PID | Process | Filename | Type | MD5 | SHA256 |
|---|---|---|---|---|---|
| 1652 | PAVSetup.exe | C:\Users\admin\AppData\Local\Temp\PAV\Anti-Virus\ProtegentAV.exe | — | — | — |
| 1652 | PAVSetup.exe | C:\Users\admin\AppData\Local\Temp\PAV\Setup.exe | executable | 4719ED774AFA76D6028DFF47B7F598F5 | 576AAFF9D3CC238476D6D66190C8F223FE7C849F271943D455C897A43CF6769A |
| 1652 | PAVSetup.exe | C:\Users\admin\AppData\Local\Temp\PAV\Windows\BMP\Common\CommonBusiness.bmp | image | 32B015C5CB274C53137EF21B5D003096 | EF9AFDE8416AA9E433DFB788AEF7A89C4D6AFED486B455624E37B45D69036DDB |
| 1652 | PAVSetup.exe | C:\Users\admin\AppData\Local\Temp\PAV\Windows\BMP\Common\Thumbs.db | binary | 41F673D58937878E43573A5EEB77B5C3 | 33591F8720C63F148060254061ACFD5D16BE1EC13C89980939A2CD2D404A1E73 |
| 1652 | PAVSetup.exe | C:\Users\admin\AppData\Local\Temp\PAV\Windows\BMP\AboutUs.bmp | image | 21D5F7D022452210B02FBBE814FF8E11 | 30F0358FCC312CD086E3F1148A0FC0D39520F834C27F82D58FC48E227E3666CC |
| 1652 | PAVSetup.exe | C:\Users\admin\AppData\Local\Temp\PAV\Windows\BMP\Common\OptionInstall.bmp | image | DB7B962E8F9E361A0E9EF72870986AE9 | FAB17CB093B51991B034766BF11981E7D9AD2016AF1158A20B6449BFCF0119B0 |
| 1652 | PAVSetup.exe | C:\Users\admin\AppData\Local\Temp\PAV\Windows\BMP\CP\DateHelp.BMP | image | 5C2D72D2C250F73F9CBCDB2CC981DB25 | F5E595B00BC185BE43110103F635238E858093170E437CFFABF28A348B3D3F5B |
| 1652 | PAVSetup.exe | C:\Users\admin\AppData\Local\Temp\PAV\Windows\BMP\Common\ProductHelp.bmp | image | 28460433633183F45AB536CFC5835CFF | 24B263B68BA31A2D6127EFF47F0D1B7D792579539C2203FDD014E662D30D12DE |
| 1652 | PAVSetup.exe | C:\Users\admin\AppData\Local\Temp\PAV\Windows\BMP\CP\Commonbmp.bmp | image | B77647ED0A9C0A48B999BD021E9C8269 | 6F63ABBBAE182C411E4264F92F3273197816E5B5416232EFB904CE07EB3BF477 |
| 1652 | PAVSetup.exe | C:\Users\admin\AppData\Local\Temp\PAV\Windows\BMP\CP\CommonBusiness.bmp | image | B77647ED0A9C0A48B999BD021E9C8269 | 6F63ABBBAE182C411E4264F92F3273197816E5B5416232EFB904CE07EB3BF477 |
| PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
| — | — | 192.168.100.255:138 | — | — | — | unknown |
| — | — | 192.168.100.255:137 | — | — | — | unknown |
| 1080 | svchost.exe | 224.0.0.252:5355 | — | — | — | unknown |
| Process | Message |
|---|---|
| CPService.exe | [MY_SERVICE] StartServiceCtrlDispatcher error = 1063 |
| CPService.exe | [MY_SERVICE] StartServiceCtrlDispatcher error = 1063 |