File name: eshield-free-antivirus-setup.exe

Full analysis: https://app.any.run/tasks/0325f8ec-ac32-4f69-bc75-dae0afb1b11d
Verdict: Malicious activity
Analysis date: February 16, 2024, 23:02:54
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: FD58D5EEFFE3910DEAE5223458C815C9
SHA1: A7A0A7750B210BA418EA558F0B6C7482F882C980
SHA256: E19D786C5F6BD4AF6B6CC20BBAA94E6A55E117A94C09E4703012F973CB183F7C
SSDEEP: 98304:Fydm60qZrZ8fc0eacCj0bwJ9uiTy0sARjzqxfbNrc95d2KCOC/6fAiSW9BJufqwT:xrNQJgl1h8LwR3Q

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • eshield-free-antivirus-setup.exe (PID: 2036)
      • Windows-outbyte-driver-updater.exe (PID: 2376)
      • Windows-outbyte-driver-updater.exe (PID: 952)
      • Windows-outbyte-driver-updater.exe (PID: 2776)
      • Installer.exe (PID: 3472)
      • vcredist_x86.exe (PID: 3464)
    • Steals credentials from Web Browsers

      • DriverUpdater.exe (PID: 1072)
    • Actions looks like stealing of personal data

      • DriverUpdater.exe (PID: 1072)
      • CustomDllSurrogate.x32.exe (PID: 3476)
      • DriverUpdater.exe (PID: 3136)
    • Registers / Runs the DLL via REGSVR32.EXE

      • DriverUpdater.exe (PID: 3136)
  • SUSPICIOUS

    • Malware-specific behavior (creating "System.dll" in Temp)

      • eshield-free-antivirus-setup.exe (PID: 2036)
    • Executable content was dropped or overwritten

      • eshield-free-antivirus-setup.exe (PID: 2036)
      • Windows-outbyte-driver-updater.exe (PID: 2776)
      • Windows-outbyte-driver-updater.exe (PID: 952)
      • Windows-outbyte-driver-updater.exe (PID: 2376)
      • Installer.exe (PID: 3472)
      • vcredist_x86.exe (PID: 3464)
    • The process creates files with name similar to system file names

      • eshield-free-antivirus-setup.exe (PID: 2036)
    • Process drops legitimate windows executable

      • eshield-free-antivirus-setup.exe (PID: 2036)
      • Installer.exe (PID: 3472)
      • vcredist_x86.exe (PID: 3464)
    • Starts a Microsoft application from unusual location

      • vcredist_x86.exe (PID: 3464)
    • Creates a software uninstall entry

      • eshield-free-antivirus-setup.exe (PID: 2036)
      • Installer.exe (PID: 3472)
    • Reads the Internet Settings

      • eshield-free-antivirus-setup.exe (PID: 2036)
      • eShield Free Antivirus.exe (PID: 2192)
      • Windows-outbyte-driver-updater.exe (PID: 2776)
      • Installer.exe (PID: 3472)
      • DriverUpdater.exe (PID: 3136)
    • Reads security settings of Internet Explorer

      • eshield-free-antivirus-setup.exe (PID: 2036)
      • Installer.exe (PID: 3472)
      • DriverUpdater.exe (PID: 1072)
      • DriverUpdater.exe (PID: 3136)
    • Executes as Windows Service

      • PresentationFontCache.exe (PID: 3056)
      • ServiceHelper.Agent.exe (PID: 1556)
      • VSSVC.exe (PID: 2788)
    • Reads settings of System Certificates

      • Installer.exe (PID: 3472)
      • DriverUpdater.exe (PID: 1072)
      • DriverUpdater.exe (PID: 3136)
    • Reads the BIOS version

      • Installer.exe (PID: 3472)
      • DriverUpdater.exe (PID: 1072)
      • DriverUpdater.exe (PID: 3136)
    • Reads the Windows owner or organization settings

      • Installer.exe (PID: 3472)
    • Checks Windows Trust Settings

      • Installer.exe (PID: 3472)
      • DriverUpdater.exe (PID: 1072)
      • DriverUpdater.exe (PID: 3136)
    • Process drops SQLite DLL files

      • Installer.exe (PID: 3472)
    • Adds/modifies Windows certificates

      • Installer.exe (PID: 3472)
      • DriverUpdater.exe (PID: 1072)
      • DriverUpdater.exe (PID: 3136)
    • Searches for installed software

      • dllhost.exe (PID: 884)
      • DriverUpdater.exe (PID: 1072)
      • DriverUpdater.exe (PID: 3136)
    • Creates/Modifies COM task schedule object

      • regsvr32.exe (PID: 2496)
    • Starts CMD.EXE for commands execution

      • DriverUpdater.exe (PID: 3136)
  • INFO

    • Reads the computer name

      • eshield-free-antivirus-setup.exe (PID: 2036)
      • vcredist_x86.exe (PID: 3464)
      • Setup.exe (PID: 3304)
      • freshclam.exe (PID: 1408)
      • eShield Free Antivirus.exe (PID: 2192)
      • PresentationFontCache.exe (PID: 3056)
      • Windows-outbyte-driver-updater.exe (PID: 2776)
      • Installer.exe (PID: 3472)
      • ServiceHelper.Agent.exe (PID: 2468)
      • ServiceHelper.Agent.exe (PID: 1556)
      • DriverUpdater.exe (PID: 1072)
      • DriverUpdater.exe (PID: 3136)
      • CustomDllSurrogate.x32.exe (PID: 3476)
      • freshclam.exe (PID: 3596)
    • Checks supported languages

      • eshield-free-antivirus-setup.exe (PID: 2036)
      • vcredist_x86.exe (PID: 3464)
      • Setup.exe (PID: 3304)
      • freshclam.exe (PID: 1408)
      • eShield Free Antivirus.exe (PID: 2192)
      • PresentationFontCache.exe (PID: 3056)
      • Windows-outbyte-driver-updater.exe (PID: 2776)
      • Windows-outbyte-driver-updater.exe (PID: 952)
      • Installer.exe (PID: 3472)
      • Windows-outbyte-driver-updater.exe (PID: 2376)
      • ServiceHelper.Agent.exe (PID: 2468)
      • ServiceHelper.Agent.exe (PID: 1556)
      • DriverUpdater.exe (PID: 1072)
      • DriverUpdater.exe (PID: 3136)
      • CustomDllSurrogate.x32.exe (PID: 3476)
      • freshclam.exe (PID: 3596)
    • Create files in a temporary directory

      • eshield-free-antivirus-setup.exe (PID: 2036)
      • Windows-outbyte-driver-updater.exe (PID: 2776)
      • Windows-outbyte-driver-updater.exe (PID: 952)
      • Windows-outbyte-driver-updater.exe (PID: 2376)
      • Installer.exe (PID: 3472)
      • Setup.exe (PID: 3304)
    • Reads CPU info

      • Setup.exe (PID: 3304)
    • Creates files in the program directory

      • eshield-free-antivirus-setup.exe (PID: 2036)
      • Installer.exe (PID: 3472)
      • DriverUpdater.exe (PID: 1072)
      • CustomDllSurrogate.x32.exe (PID: 3476)
      • DriverUpdater.exe (PID: 3136)
    • Creates files or folders in the user directory

      • eshield-free-antivirus-setup.exe (PID: 2036)
      • eShield Free Antivirus.exe (PID: 2192)
      • freshclam.exe (PID: 1408)
      • Installer.exe (PID: 3472)
      • DriverUpdater.exe (PID: 3136)
    • Reads the machine GUID from the registry

      • eshield-free-antivirus-setup.exe (PID: 2036)
      • eShield Free Antivirus.exe (PID: 2192)
      • PresentationFontCache.exe (PID: 3056)
      • Installer.exe (PID: 3472)
      • vcredist_x86.exe (PID: 3464)
      • DriverUpdater.exe (PID: 1072)
      • DriverUpdater.exe (PID: 3136)
      • CustomDllSurrogate.x32.exe (PID: 3476)
    • Application launched itself

      • msedge.exe (PID: 3428)
      • msedge.exe (PID: 3508)
      • msedge.exe (PID: 2656)
    • Checks proxy server information

      • eshield-free-antivirus-setup.exe (PID: 2036)
      • Windows-outbyte-driver-updater.exe (PID: 2776)
      • Installer.exe (PID: 3472)
      • DriverUpdater.exe (PID: 3136)
    • Manual execution by a user

      • msedge.exe (PID: 3508)
    • Executable content was dropped or overwritten

      • msedge.exe (PID: 3508)
      • msedge.exe (PID: 680)
    • Drops the executable file immediately after the start

      • msedge.exe (PID: 680)
      • msedge.exe (PID: 3508)
    • The process uses the downloaded file

      • msedge.exe (PID: 1424)
      • msedge.exe (PID: 3508)
    • Process checks computer location settings

      • Windows-outbyte-driver-updater.exe (PID: 2776)
      • Installer.exe (PID: 3472)
      • DriverUpdater.exe (PID: 3136)
    • Reads the software policy settings

      • Installer.exe (PID: 3472)
      • DriverUpdater.exe (PID: 1072)
      • DriverUpdater.exe (PID: 3136)
    • Reads Windows Product ID

      • Installer.exe (PID: 3472)
      • DriverUpdater.exe (PID: 1072)
      • DriverUpdater.exe (PID: 3136)
    • Reads Environment values

      • vcredist_x86.exe (PID: 3464)
    • Reads Microsoft Office registry keys

      • DriverUpdater.exe (PID: 3136)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (42.2)
.exe | Win64 Executable (generic) (37.3)
.dll | Win32 Dynamic Link Library (generic) (8.8)
.exe | Win32 Executable (generic) (6)
.exe | Generic Win/DOS Executable (2.7)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2012:02:24 19:19:59+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 10
CodeSize: 28672
InitializedDataSize: 445952
UninitializedDataSize: 16896
EntryPoint: 0x39e3
OSVersion: 5
ImageVersion: 6
SubsystemVersion: 5
Subsystem: Windows GUI
FileVersionNumber: 1.9.0.0
ProductVersionNumber: 1.9.0.0
FileFlagsMask: 0x0000
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: ASCII
CompanyName: eShieldAV LLC
FileDescription: eShield Free Antivirus
FileVersion: 1.9.0.0
LegalCopyright: © eShieldAV LLC
ProductName: eShield Free Antivirus
No data.
All screenshots are available in the full report
Total processes
122
Monitored processes
68
Malicious processes
9
Suspicious processes
0

Behavior graph

Processes in the graph, in order of first appearance: eshield-free-antivirus-setup.exe, vcredist_x86.exe, setup.exe, msedge.exe (many instances), eshield free antivirus.exe, freshclam.exe, presentationfontcache.exe, windows-outbyte-driver-updater.exe, installer.exe, servicehelper.agent.exe, driverupdater.exe, SPPSurrogate, vssvc.exe, regsvr32.exe, customdllsurrogate.x32.exe, cmd.exe. The interactive graph is available in the full report.

Process information

PID
CMD
Path
Indicators
Parent process
PID: 316
CMD: "C:\Users\admin\Downloads\Windows-outbyte-driver-updater.exe"
Path: C:\Users\admin\Downloads\Windows-outbyte-driver-updater.exe
Parent process: msedge.exe
User:
admin
Company:
Outbyte
Integrity Level:
MEDIUM
Description:
Outbyte Driver Updater Installation File
Exit code:
3221226540
Version:
2.3.1.25150
Modules
Images
c:\users\admin\downloads\windows-outbyte-driver-updater.exe
c:\windows\system32\ntdll.dll
PID: 568
CMD: "C:\Program Files\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=1628 --field-trial-handle=1340,i,15978449684013051289,11500370336417600787,131072 /prefetch:8
Path: C:\Program Files\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
109.0.1518.115
Modules
Images
c:\program files\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\microsoft\edge\application\109.0.1518.115\msedge_elf.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
PID: 680
CMD: "C:\Program Files\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1448 --field-trial-handle=1340,i,15978449684013051289,11500370336417600787,131072 /prefetch:3
Path: C:\Program Files\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Edge
Exit code:
0
Version:
109.0.1518.115
Modules
Images
c:\program files\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\microsoft\edge\application\109.0.1518.115\msedge_elf.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
PID: 748
CMD: "C:\Program Files\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1496 --field-trial-handle=1392,i,10640660056936641601,11387219138028041055,131072 /prefetch:3
Path: C:\Program Files\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Microsoft Edge
Exit code:
0
Version:
109.0.1518.115
Modules
Images
c:\program files\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\microsoft\edge\application\109.0.1518.115\msedge_elf.dll
c:\windows\system32\apphelp.dll
c:\windows\apppatch\acgenral.dll
c:\windows\system32\sechost.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
PID: 752
CMD: "C:\Program Files\Microsoft\Edge\Application\msedge.exe" --type=renderer --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=28 --mojo-platform-channel-handle=3164 --field-trial-handle=1340,i,15978449684013051289,11500370336417600787,131072 /prefetch:1
Path: C:\Program Files\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
109.0.1518.115
Modules
Images
c:\program files\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\microsoft\edge\application\109.0.1518.115\msedge_elf.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
PID: 884
CMD: C:\Windows\system32\DllHost.exe /Processid:{F32D97DF-E3E5-4CB9-9E3E-0EB5B4E49801}
Path: C:\Windows\System32\dllhost.exe
Parent process: svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
COM Surrogate
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\dllhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ole32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
PID: 896
CMD: "C:\Program Files\Microsoft\Edge\Application\msedge.exe" --type=renderer --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=3612 --field-trial-handle=1340,i,15978449684013051289,11500370336417600787,131072 /prefetch:1
Path: C:\Program Files\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
109.0.1518.115
Modules
Images
c:\program files\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\microsoft\edge\application\109.0.1518.115\msedge_elf.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
PID: 952
CMD: "C:\Users\admin\Downloads\Windows-outbyte-driver-updater.exe"
Path: C:\Users\admin\Downloads\Windows-outbyte-driver-updater.exe
Parent process: msedge.exe
User:
admin
Company:
Outbyte
Integrity Level:
HIGH
Description:
Outbyte Driver Updater Installation File
Exit code:
0
Version:
2.3.1.25150
Modules
Images
c:\users\admin\downloads\windows-outbyte-driver-updater.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
PID: 984
CMD: "C:\Windows\system32\cmd.exe" /C "start "title" "C:\Program Files\Microsoft\Edge\Application\msedge.exe" "https://outbyte.com/software/driver-updater/purchase/?DriversCount=3&softwareCode=driver-updater&version=2.3.1.25150&registered=false&language=en&_sid=oNG5cPi1wr&m_=0216230342_src_ag_affiliate_du_jerome&clkid=2h9kof94391ui&utm_source=jerome&utm_medium=affiliate&utm_campaign=du_dll&_ga=1816282891.1708124619""
Path: C:\Windows\System32\cmd.exe
Parent process: DriverUpdater.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
PID: 1072
CMD: "C:\Program Files\Outbyte\Driver Updater\DriverUpdater.exe" /Install /AutoStart /CreateOSSnapshot
Path: C:\Program Files\Outbyte\Driver Updater\DriverUpdater.exe
Parent process: Installer.exe
User:
admin
Company:
Outbyte
Integrity Level:
HIGH
Description:
Driver Updater
Exit code:
0
Version:
2.3.1.25150
Modules
Images
c:\program files\outbyte\driver updater\driverupdater.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\mpr.dll
c:\program files\outbyte\driver updater\axcomponentsvcl.bpl
c:\windows\system32\oleacc.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
Total events
73 649
Read events
73 111
Write events
482
Delete events
56

Modification events

(PID) Process: (2036) eshield-free-antivirus-setup.exe
Key: HKEY_CURRENT_USER\Software\eShield Free Antivirus
Operation: write
Name: AUTOUPDATE
Value: 1

(PID) Process: (2036) eshield-free-antivirus-setup.exe
Key: HKEY_CURRENT_USER\Software\eShield Free Antivirus
Operation: write
Name: MENUEXPLORER
Value: 1

(PID) Process: (2036) eshield-free-antivirus-setup.exe
Key: HKEY_CURRENT_USER\Software\eShield Free Antivirus
Operation: write
Name: SCANRECURSIVITY
Value: 1

(PID) Process: (2036) eshield-free-antivirus-setup.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\*\shell\eShield Free Antivirus
Operation: write
Name: Icon
Value: C:\Program Files\eShield Free Antivirus\eShield Free Antivirus.exe,0

(PID) Process: (2036) eshield-free-antivirus-setup.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shell\eShield Free Antivirus
Operation: write
Name: Icon
Value: C:\Program Files\eShield Free Antivirus\eShield Free Antivirus.exe,0

(PID) Process: (2036) eshield-free-antivirus-setup.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\eShield Free Antivirus
Operation: write
Name: DisplayName
Value: eShield Free Antivirus

(PID) Process: (2036) eshield-free-antivirus-setup.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\eShield Free Antivirus
Operation: write
Name: Publisher
Value: eShieldAV LLC

(PID) Process: (2036) eshield-free-antivirus-setup.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\eShield Free Antivirus
Operation: write
Name: InstallLocation
Value: C:\Program Files\eShield Free Antivirus

(PID) Process: (2036) eshield-free-antivirus-setup.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\eShield Free Antivirus
Operation: write
Name: URLInfoAbout
Value: http://www.eShieldAV.com/

(PID) Process: (2036) eshield-free-antivirus-setup.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\eShield Free Antivirus
Operation: write
Name: DisplayIcon
Value: C:\Program Files\eShield Free Antivirus\eShield Free Antivirus.exe
Executable files
143
Suspicious files
151
Text files
148
Unknown types
151

Dropped files

PID | Process | Filename | Type
3464 | vcredist_x86.exe | C:\30eff176711c35fb8a\SetupUi.dll | executable
MD5: EB881E3DDDC84B20BD92ABCEC444455F
SHA256: 11565D97287C01D22AD2E46C78D8A822FA3E6524561D4C02DFC87E8D346C44E7
2036 | eshield-free-antivirus-setup.exe | C:\Users\admin\AppData\Local\Temp\nspF261.tmp\nsDialogs.dll | executable
MD5: 4CCC4A742D4423F2F0ED744FD9C81F63
SHA256: 416133DD86C0DFF6B0FCAF1F46DFE97FDC85B37F90EFFB2D369164A8F7E13AE6
2036 | eshield-free-antivirus-setup.exe | C:\Users\admin\AppData\Local\Temp\nspF261.tmp\System.dll | executable
MD5: BF712F32249029466FA86756F5546950
SHA256: 7851CB12FA4131F1FEE5DE390D650EF65CAC561279F1CFE70AD16CC9780210AF
2036 | eshield-free-antivirus-setup.exe | C:\Users\admin\AppData\Local\Temp\nspF261.tmp\modern-wizard.bmp | image
MD5: CBE40FD2B1EC96DAEDC65DA172D90022
SHA256: 3AD2DC318056D0A2024AF1804EA741146CFC18CC404649A44610CBF8B2056CF2
2036 | eshield-free-antivirus-setup.exe | C:\Users\admin\AppData\Local\Temp\nspF261.tmp\vcredist_x86.exe | executable
MD5: B88228D5FEF4B6DC019D69D4471F23EC
SHA256: 8162B2D665CA52884507EDE19549E99939CE4EA4A638C537FA653539819138C8
3464 | vcredist_x86.exe | C:\30eff176711c35fb8a\SetupEngine.dll | executable
MD5: 84C1DAF5F30FF99895ECAB3A55354BCF
SHA256: 7A0D281FA802D615EA1207BD2E9EBB98F3B74F9833BBA3CB964BA7C7E0FB67FD
3464 | vcredist_x86.exe | C:\30eff176711c35fb8a\Setup.exe | executable
MD5: 006F8A615020A4A17F5E63801485DF46
SHA256: D273460AA4D42F0B5764383E2AB852AB9AF6FECB3ED866F1783869F2F155D8BE
3464 | vcredist_x86.exe | C:\30eff176711c35fb8a\DHtmlHeader.html | html
MD5: CD131D41791A543CC6F6ED1EA5BD257C
SHA256: E139AF8858FE90127095AC1C4685BCD849437EF0DF7C416033554703F5D864BB
3464 | vcredist_x86.exe | C:\30eff176711c35fb8a\SetupUi.xsd | xml
MD5: 2FADD9E618EFF8175F2A6E8B95C0CACC
SHA256: 222211E8F512EDF97D78BC93E1F271C922D5E91FA899E092B4A096776A704093
3464 | vcredist_x86.exe | C:\30eff176711c35fb8a\UiInfo.xml | xml
MD5: 812F8D2E53F076366FA3A214BB4CF558
SHA256: 0D36A884A8381778BEA71F5F9F0FC60CACADEBD3F814679CB13414B8E7DBC283
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
21
TCP/UDP connections
172
DNS requests
199
Threats
3

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
680 | msedge.exe | GET | 301 | 89.42.218.147:80 | http://www.eshieldav.com/ | unknown | html | 707 b | unknown
1408 | freshclam.exe | GET | | 104.16.219.84:80 | http://database.clamav.net/main.cvd | unknown | | | unknown
1408 | freshclam.exe | GET | | 104.16.218.84:80 | http://database.clamav.net/main.cvd | unknown | | | unknown
2036 | eshield-free-antivirus-setup.exe | GET | 301 | 89.42.218.147:80 | http://eshieldav.com/counter/counter.php?idapp=281 | unknown | html | 707 b | unknown
1408 | freshclam.exe | GET | | 104.16.219.84:80 | http://database.clamav.net/main.cvd | unknown | | | unknown
680 | msedge.exe | GET | 200 | 192.229.221.95:80 | http://cacerts.digicert.com/DigiCertTLSRSASHA2562020CA1-1.crt | unknown | binary | 1.19 Kb | unknown
1408 | freshclam.exe | GET | | 104.16.218.84:80 | http://database.clamav.net/main.cvd | unknown | | | unknown
3472 | Installer.exe | GET | 304 | 184.24.77.193:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?df105e8a6f8410c8 | unknown | | | unknown
3472 | Installer.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAsllCLO2YEqFaBOmVKKDvo%3D | unknown | binary | 471 b | unknown
3472 | Installer.exe | GET | 200 | 192.229.221.95:80 | http://status.rapidssl.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRJiUKgT2m88fZ4nxc1Lu6M%2FjvkagQUDNtsgkkPSmcKuBTuesRIUojrVjgCEAOiOjjuz1GXFL4ZZIGXed8%3D | unknown | binary | 471 b | unknown

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:138 | | | | whitelisted
4 | System | 192.168.100.255:137 | | | | whitelisted
1080 | svchost.exe | 224.0.0.252:5355 | | | | unknown
2036 | eshield-free-antivirus-setup.exe | 89.42.218.147:80 | eshieldav.com | ROMARG SRL | RO | unknown
2036 | eshield-free-antivirus-setup.exe | 89.42.218.147:443 | eshieldav.com | ROMARG SRL | RO | unknown
3508 | msedge.exe | 239.255.255.250:1900 | | | | unknown
680 | msedge.exe | 204.79.197.239:443 | edge.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | unknown
680 | msedge.exe | 13.107.42.16:443 | config.edge.skype.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
680 | msedge.exe | 89.42.218.147:80 | eshieldav.com | ROMARG SRL | RO | unknown
680 | msedge.exe | 89.42.218.147:443 | eshieldav.com | ROMARG SRL | RO | unknown

DNS requests

Domain
IP
Reputation
eshieldav.com
  • 89.42.218.147
unknown
www.eshieldav.com
  • 89.42.218.147
unknown
edge.microsoft.com
  • 204.79.197.239
  • 13.107.21.239
whitelisted
config.edge.skype.com
  • 13.107.42.16
whitelisted
fonts.gstatic.com
  • 172.217.18.3
whitelisted
fonts.googleapis.com
  • 142.250.186.106
whitelisted
s.w.org
  • 192.0.77.48
whitelisted
pagead2.googlesyndication.com
  • 172.217.18.2
whitelisted
googleads.g.doubleclick.net
  • 142.250.185.226
whitelisted
www.bing.com
  • 92.123.104.64
  • 92.123.104.33
  • 92.123.104.19
  • 92.123.104.40
  • 92.123.104.32
  • 92.123.104.28
  • 92.123.104.11
  • 92.123.104.38
  • 92.123.104.62
  • 92.123.104.30
  • 92.123.104.22
  • 92.123.104.8
  • 92.123.104.23
whitelisted

Threats

PID | Process | Class | Message
2036 | eshield-free-antivirus-setup.exe | Potentially Bad Traffic | ET USER_AGENTS Observed Suspicious UA (NSIS_Inetc (Mozilla))
680 | msedge.exe | Not Suspicious Traffic | INFO [ANY.RUN] jQuery JavaScript Library Code Loaded (code.jquery .com)
680 | msedge.exe | Not Suspicious Traffic | INFO [ANY.RUN] A free CDN for open source projects (jsdelivr .net)

Process | Message
Setup.exe | A StopBlock was hit or a System Requirement was not met.
msedge.exe | [0216/230508.741:ERROR:exception_handler_server.cc(527)] ConnectNamedPipe: The pipe is being closed. (0xE8)