| File name: | PAVSetup.exe |
|---|---|
| Full analysis: | https://app.any.run/tasks/c91212ba-06f1-4797-ab05-d0085db5a134 |
| Verdict: | Malicious activity |
| Analysis date: | January 31, 2024, 06:22:37 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Indicators: | |
| MIME: | application/x-dosexec |
| File info: | PE32 executable (GUI) Intel 80386, for MS Windows |
| MD5: | 521DAD4D9DA420989C8A5487C4C2691A |
| SHA1: | 4B2FB2A07D444EC8F84A8C9AB4DA8D92C78EEDD7 |
| SHA256: | D411D71AE66F71D6249D91E311AECCD4D211A0B63B58AAB183994CE3D3274EC3 |
| SSDEEP: | 786432:77yxiKL+uEszSxhhXKrAtA+TGZvDj/sfS8/9NYP:7exiKqBs2PhXKrGVGxDjUq8/9NM |
| Extension | TrID identification (score) |
|---|---|
| .exe | Win32 Executable (generic) (52.9) |
| .exe | Generic Win/DOS Executable (23.5) |
| .exe | DOS Executable Generic (23.5) |
| MachineType: | Intel 386 or later, and compatibles |
|---|---|
| TimeStamp: | 2019:12:05 08:37:23+01:00 |
| ImageFileCharacteristics: | Executable, 32-bit |
| PEType: | PE32 |
| LinkerVersion: | 14 |
| CodeSize: | 198656 |
| InitializedDataSize: | 254976 |
| UninitializedDataSize: | - |
| EntryPoint: | 0x1e239 |
| OSVersion: | 5.1 |
| ImageVersion: | - |
| SubsystemVersion: | 5.1 |
| Subsystem: | Windows GUI |
| PID | CMD | Path | Indicators | Parent process | Details |
|---|---|---|---|---|---|
| 1652 | "C:\Users\admin\AppData\Local\Temp\PAVSetup.exe" | C:\Users\admin\AppData\Local\Temp\PAVSetup.exe | | explorer.exe | User: admin; Integrity Level: MEDIUM; Exit code: 0 |
| 2088 | "C:\Users\admin\AppData\Local\Temp\PAV\Setup.exe" | C:\Users\admin\AppData\Local\Temp\PAV\Setup.exe | — | PAVSetup.exe | User: admin; Integrity Level: MEDIUM; Description: Setup; Exit code: 3221226540; Version: 12, 0, 0, 0 |
| 2476 | C:\Users\admin\AppData\Local\Temp\PAV\Anti-Virus\ProtegentAV.exe | C:\Users\admin\AppData\Local\Temp\PAV\Anti-Virus\ProtegentAV.exe | | Setup.exe | User: admin; Company: Unistal Systems Pvt. Ltd.; Integrity Level: HIGH; Description: Protegent AV Cloud Setup; Exit code: 0; Version: (none) |
| 2532 | "C:\Users\admin\AppData\Local\Temp\is-I4KKG.tmp\ProtegentAV.tmp" /SL5="$11018A,74682433,58368,C:\Users\admin\AppData\Local\Temp\PAV\Anti-Virus\ProtegentAV.exe" | C:\Users\admin\AppData\Local\Temp\is-I4KKG.tmp\ProtegentAV.tmp | | ProtegentAV.exe | User: admin; Integrity Level: HIGH; Description: Setup/Uninstall; Exit code: 0; Version: 51.52.0.0 |
| 2768 | "C:\Users\admin\AppData\Local\Temp\PAV\WindowsVista\Setup.exe" | C:\Users\admin\AppData\Local\Temp\PAV\WindowsVista\Setup.exe | | Setup.exe | User: admin; Company: Unistal Systems Pvt. Ltd.; Integrity Level: HIGH; Description: Setup Application; Exit code: 0; Version: 1, 0, 0, 1 |
| 2980 | C:\UNISTAL\UBSuite\DLP\CPSERV~1.EXE -i | C:\UNISTAL\UBSuite\DLP\CPService.exe | — | Setup.exe | User: admin; Integrity Level: HIGH; Exit code: 0 |
| 3040 | "C:\Users\admin\AppData\Local\Temp\PAV\Setup.exe" | C:\Users\admin\AppData\Local\Temp\PAV\Setup.exe | | PAVSetup.exe | User: admin; Integrity Level: HIGH; Description: Setup; Exit code: 0; Version: 12, 0, 0, 0 |
| 3560 | Setup | C:\UNISTAL\UBSuite\Common Files\DLPSettings.exe | — | Setup.exe | User: admin; Integrity Level: HIGH; Description: rstoreSetting MFC Application; Exit code: 0; Version: 1, 0, 0, 1 |
| 3624 | C:\UNISTAL\UBSuite\DLP\CPSERV~1.EXE | C:\UNISTAL\UBSuite\DLP\CPService.exe | | Setup.exe | User: admin; Integrity Level: HIGH; Exit code: 0 |
| 3828 | C:\UNISTAL\UBSuite\dlp\cpservice.exe | C:\UNISTAL\UBSuite\DLP\CPService.exe | — | services.exe | User: SYSTEM; Integrity Level: SYSTEM; Exit code: 0 |
| PID | Process | Key | Name | Operation | Value |
|---|---|---|---|---|---|
| 1652 | PAVSetup.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | ProxyBypass | write | 1 |
| 1652 | PAVSetup.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | IntranetName | write | 1 |
| 1652 | PAVSetup.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | UNCAsIntranet | write | 1 |
| 1652 | PAVSetup.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | AutoDetect | write | 0 |
| 1652 | PAVSetup.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies | CachePrefix | write | Cookie: |
| 1652 | PAVSetup.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History | CachePrefix | write | Visited: |
| 3040 | Setup.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | ProxyBypass | write | 1 |
| 3040 | Setup.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | IntranetName | write | 1 |
| 3040 | Setup.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | UNCAsIntranet | write | 1 |
| 3040 | Setup.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | AutoDetect | write | 0 |
| PID | Process | Filename | Type | MD5 | SHA256 |
|---|---|---|---|---|---|
| 1652 | PAVSetup.exe | C:\Users\admin\AppData\Local\Temp\PAV\Anti-Virus\ProtegentAV.exe | — | — | — |
| 1652 | PAVSetup.exe | C:\Users\admin\AppData\Local\Temp\PAV\Setup.exe | executable | 4719ED774AFA76D6028DFF47B7F598F5 | 576AAFF9D3CC238476D6D66190C8F223FE7C849F271943D455C897A43CF6769A |
| 1652 | PAVSetup.exe | C:\Users\admin\AppData\Local\Temp\PAV\Windows\BMP\CommonUnistal.bmp | image | 32B015C5CB274C53137EF21B5D003096 | EF9AFDE8416AA9E433DFB788AEF7A89C4D6AFED486B455624E37B45D69036DDB |
| 1652 | PAVSetup.exe | C:\Users\admin\AppData\Local\Temp\PAV\Windows\BMP\AboutUs.bmp | image | 21D5F7D022452210B02FBBE814FF8E11 | 30F0358FCC312CD086E3F1148A0FC0D39520F834C27F82D58FC48E227E3666CC |
| 1652 | PAVSetup.exe | C:\Users\admin\AppData\Local\Temp\PAV\Windows\BMP\Common\AgreementHelp.BMP | image | 0B49D882FB81EBF533CCBE259CBDCF3F | CF718A3B5FD3B161FE7D8AB1EBAF8E1E3EB29F50991F92FD3EE407701AA9F844 |
| 1652 | PAVSetup.exe | C:\Users\admin\AppData\Local\Temp\PAV\Windows\BMP\CP\PartHelp.BMP | image | 0DBF9E97C526D877A51F20B218070802 | 80D8E30B51DA14217C418CEBE78A677295AB4DBF78C047824DCCF482145BFD8C |
| 1652 | PAVSetup.exe | C:\Users\admin\AppData\Local\Temp\PAV\Windows\BMP\CP\OptionHelp.bmp | image | 1259EA662C447813B9084EB4C70741F9 | 5259053856FD71FD8B9384EE06213EA5BA10E8E87B78BBF6FD560AD95A139338 |
| 1652 | PAVSetup.exe | C:\Users\admin\AppData\Local\Temp\PAV\Windows\BMP\CP\DateHelp.BMP | image | 5C2D72D2C250F73F9CBCDB2CC981DB25 | F5E595B00BC185BE43110103F635238E858093170E437CFFABF28A348B3D3F5B |
| 1652 | PAVSetup.exe | C:\Users\admin\AppData\Local\Temp\PAV\Windows\BMP\CP\DiskHelp.BMP | image | EA4B866F89B039D1C2F6F0990681FF51 | B562A2BA89620AEB2B39A34C69EC414853E124D53FD96BA4E3A565BFEE836A80 |
| 1652 | PAVSetup.exe | C:\Users\admin\AppData\Local\Temp\PAV\Windows\BMP\CP\SchedulerSettingsHelp.bmp | image | 00265E7F765EEBE1566846E3AF6990D4 | D5190498AAF93F6BFA683994834A2A0023949518822899A448F644F7C9BAEA2E |
| PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
| — | — | 192.168.100.255:138 | — | — | — | unknown |
| — | — | 192.168.100.255:137 | — | — | — | unknown |
| 1080 | svchost.exe | 224.0.0.252:5355 | — | — | — | unknown |
| Process | Message |
|---|---|
| CPService.exe | [MY_SERVICE] StartServiceCtrlDispatcher error = 1063 |
| CPService.exe | [MY_SERVICE] StartServiceCtrlDispatcher error = 1063 |