URL: https://install.avira-update.com/package/antivirus/win/en-us/avira_antivirus_en-us.exe

Full analysis: https://app.any.run/tasks/3bcfa2a8-704e-4eba-a210-5c26676a8b10
Verdict: Malicious activity
Analysis date: January 22, 2019, 18:24:01
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MD5: ABB15D38831EE3EB9509B84FE6CC3D8A
SHA1: 52BC248BE1C5E00DBA2B98A4D2E6193FDAD3D0DD
SHA256: FF6077DD4F1572B6149C69DE1749D7712B04F445D2D5262B45B3C7D5566D6BEC
SSDEEP: 3:N8LREJFRDElEGOTEUWQAZ/OTWQ6rA:2lgRZ3uGDSA

Note on these indicators: the SSDEEP block size (the leading "3:") is only produced for inputs of 192 bytes or less, so the four hashes above were computed over a very small object associated with this URL task, not over the installer executable that the task downloaded. Do not use them to match the binary; pivot on the hashes of the dropped avira_antivirus_en-us[1].exe from the full report instead.

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Loads dropped or rewritten executable

      • presetup.exe (PID: 256)
      • avira_en____fm.exe (PID: 2188)
      • rundll32.exe (PID: 3844)
      • rundll32.exe (PID: 2144)
      • rundll32.exe (PID: 3252)
      • rundll32.exe (PID: 3012)
      • rundll32.exe (PID: 3328)
      • rundll32.exe (PID: 3088)
      • rundll32.exe (PID: 2576)
      • rundll32.exe (PID: 3524)
      • Avira.ServiceHost.exe (PID: 2692)
      • rundll32.exe (PID: 1944)
      • rundll32.exe (PID: 3580)
      • rundll32.exe (PID: 2344)
      • rundll32.exe (PID: 3548)
      • Avira.Systray.exe (PID: 3648)
      • rundll32.exe (PID: 2652)
      • Avira.Systray.exe (PID: 3752)
      • setup.exe (PID: 3168)
      • rundll32.exe (PID: 876)
      • fact.exe (PID: 3236)
      • avira.exe (PID: 904)
      • rundll32.exe (PID: 2676)
      • rundll32.exe (PID: 3720)
      • rundll32.exe (PID: 3604)
      • avconfig.exe (PID: 1008)
      • rundll32.exe (PID: 3748)
      • drvinstall32.exe (PID: 3560)
      • rundll32.exe (PID: 3768)
      • rundll32.exe (PID: 2696)
      • rundll32.exe (PID: 4044)
      • rundll32.exe (PID: 3928)
      • rundll32.exe (PID: 3788)
      • rundll32.exe (PID: 1920)
      • rundll32.exe (PID: 2704)
      • rundll32.exe (PID: 3224)
      • rundll32.exe (PID: 3992)
      • rundll32.exe (PID: 3016)
      • rundll32.exe (PID: 3652)
      • rundll32.exe (PID: 1160)
      • regsvr32.exe (PID: 2636)
      • licmgr.exe (PID: 4000)
      • rundll32.exe (PID: 1624)
      • rundll32.exe (PID: 2580)
      • rundll32.exe (PID: 2376)
      • AviraSecurityCenterAgent.exe (PID: 3308)
      • rundll32.exe (PID: 3312)
      • avguard.exe (PID: 940)
      • rundll32.exe (PID: 4036)
      • avconfig.exe (PID: 2196)
      • Avira.ServiceHost.exe (PID: 3592)
      • rundll32.exe (PID: 2772)
      • rundll32.exe (PID: 2872)
      • rundll32.exe (PID: 2288)
      • rundll32.exe (PID: 3256)
      • avshadow.exe (PID: 3268)
      • AviraSecurityCenterAgent.exe (PID: 2160)
      • rundll32.exe (PID: 2832)
    • Application was dropped or rewritten from another process

      • avira_en____fm.exe (PID: 2188)
      • Avira.OE.Setup.Prerequisites.exe (PID: 2568)
      • Avira.OE.Setup.Prerequisites.exe (PID: 3384)
      • Avira.OE.Setup.Bundle.exe (PID: 3028)
      • Avira.ServiceHost.exe (PID: 2692)
      • avira_en____fm.exe (PID: 3504)
      • Avira.Systray.exe (PID: 3648)
      • Avira.Systray.exe (PID: 3752)
      • setup.exe (PID: 3168)
      • fact.exe (PID: 3236)
      • presetup.exe (PID: 3148)
      • presetup.exe (PID: 256)
      • Avira.OE.Setup.Bundle.exe (PID: 3792)
      • avira.exe (PID: 904)
      • Avira.OE.Setup.Prerequisites.exe (PID: 2540)
      • avconfig.exe (PID: 1008)
      • licmgr.exe (PID: 4000)
      • drvinstall32.exe (PID: 3560)
      • avconfig.exe (PID: 2196)
      • avira.exe (PID: 2664)
      • AviraSecurityCenterAgent.exe (PID: 3308)
      • avguard.exe (PID: 940)
      • Avira.ServiceHost.exe (PID: 3592)
      • avshadow.exe (PID: 3268)
      • AviraSecurityCenterAgent.exe (PID: 2160)
    • Changes the autorun value in the registry

      • Avira.OE.Setup.Bundle.exe (PID: 3028)
      • Avira.OE.Setup.Bundle.exe (PID: 3792)
    • Uses Task Scheduler to run other applications

      • MsiExec.exe (PID: 2340)
      • MsiExec.exe (PID: 2592)
      • setup.exe (PID: 3168)
    • Loads the Task Scheduler COM API

      • schtasks.exe (PID: 2640)
      • schtasks.exe (PID: 2936)
      • schtasks.exe (PID: 3284)
      • schtasks.exe (PID: 996)
      • schtasks.exe (PID: 1036)
    • Changes settings of System certificates

      • Avira.ServiceHost.exe (PID: 2692)
    • Registers / Runs the DLL via REGSVR32.EXE

      • setup.exe (PID: 3168)
    • Changes internet zones settings

      • avguard.exe (PID: 940)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • avira_en____fm.exe (PID: 3504)
      • avira_en____fm.exe (PID: 2188)
      • rundll32.exe (PID: 2144)
      • Avira.OE.Setup.Bundle.exe (PID: 3028)
      • rundll32.exe (PID: 2576)
      • rundll32.exe (PID: 3524)
      • rundll32.exe (PID: 3252)
      • msiexec.exe (PID: 2260)
      • rundll32.exe (PID: 3580)
      • rundll32.exe (PID: 1944)
      • avira_antivirus_en-us[1].exe (PID: 3076)
      • rundll32.exe (PID: 2344)
      • rundll32.exe (PID: 876)
      • Avira.ServiceHost.exe (PID: 2692)
      • avira.exe (PID: 904)
      • avira.exe (PID: 2664)
      • setup.exe (PID: 3168)
      • Avira.OE.Setup.Bundle.exe (PID: 3792)
      • rundll32.exe (PID: 2676)
      • rundll32.exe (PID: 3748)
      • rundll32.exe (PID: 3768)
      • rundll32.exe (PID: 3604)
      • rundll32.exe (PID: 4044)
      • rundll32.exe (PID: 3788)
      • rundll32.exe (PID: 3928)
      • rundll32.exe (PID: 3992)
      • rundll32.exe (PID: 3016)
      • rundll32.exe (PID: 3652)
      • rundll32.exe (PID: 1160)
      • drvinstall32.exe (PID: 3560)
      • rundll32.exe (PID: 2580)
      • rundll32.exe (PID: 2376)
      • rundll32.exe (PID: 4036)
      • rundll32.exe (PID: 3312)
      • rundll32.exe (PID: 1624)
      • rundll32.exe (PID: 2772)
      • rundll32.exe (PID: 2872)
      • rundll32.exe (PID: 2288)
      • rundll32.exe (PID: 2832)
    • Creates files in the Windows directory

      • presetup.exe (PID: 256)
      • avira_en____fm.exe (PID: 3504)
      • avira_en____fm.exe (PID: 2188)
      • Avira.ServiceHost.exe (PID: 2692)
      • fact.exe (PID: 3236)
      • avira.exe (PID: 2664)
      • setup.exe (PID: 3168)
      • avira.exe (PID: 904)
      • Avira.OE.Setup.Bundle.exe (PID: 3792)
      • rundll32.exe (PID: 3720)
      • msiexec.exe (PID: 2260)
      • drvinstall32.exe (PID: 3560)
      • wusa.exe (PID: 2680)
      • Avira.ServiceHost.exe (PID: 3592)
      • avguard.exe (PID: 940)
    • Changes IE settings (feature browser emulation)

      • avira_en____fm.exe (PID: 2188)
      • Avira.Systray.exe (PID: 3648)
      • Avira.Systray.exe (PID: 3752)
      • avira.exe (PID: 904)
    • Reads internet explorer settings

      • avira_en____fm.exe (PID: 2188)
      • Avira.Systray.exe (PID: 3648)
    • Reads Internet Cache Settings

      • avira_en____fm.exe (PID: 2188)
      • avira.exe (PID: 904)
    • Starts itself from another location

      • avira_en____fm.exe (PID: 2188)
      • avira.exe (PID: 904)
    • Creates a software uninstall entry

      • Avira.OE.Setup.Bundle.exe (PID: 3028)
      • rundll32.exe (PID: 3012)
      • Avira.OE.Setup.Bundle.exe (PID: 3792)
      • rundll32.exe (PID: 3928)
      • setup.exe (PID: 3168)
    • Uses RUNDLL32.EXE to load library

      • MsiExec.exe (PID: 2340)
      • MsiExec.exe (PID: 2592)
    • Removes files from Windows directory

      • avira_en____fm.exe (PID: 2188)
      • Avira.ServiceHost.exe (PID: 2692)
      • avira_en____fm.exe (PID: 3504)
      • setup.exe (PID: 3168)
      • avira.exe (PID: 904)
      • drvinstall32.exe (PID: 3560)
      • rundll32.exe (PID: 2376)
      • Avira.ServiceHost.exe (PID: 3592)
    • Creates files in the program directory

      • Avira.OE.Setup.Bundle.exe (PID: 3028)
      • rundll32.exe (PID: 2576)
      • Avira.ServiceHost.exe (PID: 2692)
      • rundll32.exe (PID: 3580)
      • Avira.OE.Setup.Bundle.exe (PID: 3792)
      • setup.exe (PID: 3168)
      • avconfig.exe (PID: 2196)
      • avguard.exe (PID: 940)
      • rundll32.exe (PID: 2772)
      • Avira.ServiceHost.exe (PID: 3592)
    • Changes the autorun value in the registry

      • msiexec.exe (PID: 2260)
    • Adds / modifies Windows certificates

      • Avira.ServiceHost.exe (PID: 2692)
    • Reads Environment values

      • Avira.ServiceHost.exe (PID: 2692)
      • Avira.ServiceHost.exe (PID: 3592)
    • Writes to a desktop.ini file (may be used to cloak folders)

      • avira.exe (PID: 904)
    • Searches for installed software

      • Avira.ServiceHost.exe (PID: 2692)
      • Avira.ServiceHost.exe (PID: 3592)
    • Creates files in the driver directory

      • setup.exe (PID: 3168)
      • drvinstall32.exe (PID: 3560)
    • Modifies the open verb of a shell class

      • avconfig.exe (PID: 1008)
      • licmgr.exe (PID: 4000)
    • Creates or modifies windows services

      • setup.exe (PID: 3168)
      • avguard.exe (PID: 940)
    • Creates COM task schedule object

      • regsvr32.exe (PID: 2636)
      • avguard.exe (PID: 940)
  • INFO

    • Changes internet zones settings

      • iexplore.exe (PID: 2700)
    • Application launched itself

      • iexplore.exe (PID: 2700)
      • msiexec.exe (PID: 2260)
    • Reads Internet Cache Settings

      • iexplore.exe (PID: 2700)
      • iexplore.exe (PID: 3340)
    • Dropped object may contain Bitcoin addresses

      • avira_antivirus_en-us[1].exe (PID: 3076)
      • setup.exe (PID: 3168)
      • msiexec.exe (PID: 2260)
    • Loads dropped or rewritten executable

      • MsiExec.exe (PID: 2340)
      • msiexec.exe (PID: 2260)
      • MsiExec.exe (PID: 3944)
      • MsiExec.exe (PID: 2592)
    • Creates a software uninstall entry

      • msiexec.exe (PID: 2260)
    • Creates files in the program directory

      • msiexec.exe (PID: 2260)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
All screenshots are available in the full report
Total processes: 130
Monitored processes: 80
Malicious processes: 64
Suspicious processes: 4

Behavior graph

(Interactive process tree, not reproduced here. Process images shown in the graph: iexplore.exe, avira_antivirus_en-us[1].exe, presetup.exe, avira_en____fm.exe, avira.oe.setup.bundle.exe, avira.oe.setup.prerequisites.exe, msiexec.exe, rundll32.exe, schtasks.exe, avira.servicehost.exe, avira.systray.exe, setup.exe, fact.exe, avira.exe, avconfig.exe, drvinstall32.exe, wusa.exe, vssvc.exe, regsvr32.exe, licmgr.exe, avirasecuritycenteragent.exe, avguard.exe, avshadow.exe.)

Process information

Columns: PID, CMD, Path, Indicators, Parent process
PID: 256
CMD: "C:\Users\admin\AppData\Local\Temp\RarSFX0\presetup.exe" /CLEANUPSRCFILES
Path: C:\Users\admin\AppData\Local\Temp\RarSFX0\presetup.exe
Parent process: avira_antivirus_en-us[1].exe
User:
admin
Company:
Avira Operations GmbH & Co. KG
Integrity Level:
HIGH
Description:
Avira Antivirus Presetup
Exit code:
0
Version:
15.0.43.20
Modules
Images
c:\users\admin\appdata\local\temp\rarsfx0\presetup.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\users\admin\appdata\local\temp\rarsfx0\msvcp140.dll
c:\users\admin\appdata\local\temp\rarsfx0\vcruntime140.dll
PID: 876
CMD: rundll32.exe "C:\Windows\Installer\MSIBB01.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_1751812 193 Avira.OE.Setup.CustomActions!Avira.OE.Setup.CustomActions.InstallFinalization.WaitUntilLauncherIsReady
Path: C:\Windows\system32\rundll32.exe
Parent process: MsiExec.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows host process (Rundll32)
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\rundll32.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imagehlp.dll
PID: 904
CMD: "C:\Windows\Temp\{754EF3FE-37DA-4F0E-BADE-F798FA926159}\.cr\avira.exe" -burn.clean.room="C:\ProgramData\Avira\Launcher\Temp\avira.exe" -burn.filehandle.attached=148 -burn.filehandle.self=156 /install /quiet /norestart CALLER_PARTNER_ID=avira
Path: C:\Windows\Temp\{754EF3FE-37DA-4F0E-BADE-F798FA926159}\.cr\avira.exe
Parent process: avira.exe
User:
SYSTEM
Company:
Avira Operations GmbH & Co. KG
Integrity Level:
SYSTEM
Description:
Avira
Exit code:
0
Version:
1.2.126.28786
Modules
Images
c:\windows\temp\{754ef3fe-37da-4f0e-bade-f798fa926159}\.cr\avira.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\usp10.dll
PID: 940
CMD: "C:\Program Files\Avira\Antivirus\avguard.exe"
Path: C:\Program Files\Avira\Antivirus\avguard.exe
Parent process: services.exe
User:
SYSTEM
Company:
Avira Operations GmbH & Co. KG
Integrity Level:
SYSTEM
Description:
Antivirus Host Framework Service
Exit code:
0
Version:
15.0.43.20
Modules
Images
c:\program files\avira\antivirus\avguard.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\program files\avira\antivirus\msvcp140.dll
c:\program files\avira\antivirus\vcruntime140.dll
PID: 996
CMD: "C:\Windows\system32\schtasks.exe" /Create /F /TN "Avira_Antivirus_Systray" /XML "C:\Program Files\Avira\Antivirus\tmp.xml"
Path: C:\Windows\system32\schtasks.exe
Parent process: setup.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Manages scheduled tasks
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\schtasks.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ole32.dll
PID: 1008
CMD: "C:\Program Files\Avira\Antivirus\avconfig.exe" /REGISTERCPL
Path: C:\Program Files\Avira\Antivirus\avconfig.exe
Parent process: setup.exe
User:
admin
Company:
Avira Operations GmbH & Co. KG
Integrity Level:
HIGH
Description:
Configuration Panel
Exit code:
0
Version:
15.0.43.20
Modules
Images
c:\program files\avira\antivirus\avconfig.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\avira\antivirus\ccwkrlib.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\advapi32.dll
PID: 1036
CMD: "C:\Windows\system32\schtasks.exe" /Delete /TN "Avira SystrayStartTrigger" /F
Path: C:\Windows\system32\schtasks.exe
Parent process: MsiExec.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Manages scheduled tasks
Exit code:
1
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\schtasks.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ole32.dll
PID: 1160
CMD: rundll32.exe "C:\Windows\Installer\MSI531D.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_1856265 373 Avira.OE.Setup.CustomActions!Avira.OE.Setup.CustomActions.Migration.MigrateOeSettingsConfig
Path: C:\Windows\system32\rundll32.exe
Parent process: MsiExec.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows host process (Rundll32)
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\rundll32.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\imagehlp.dll
PID: 1624
CMD: rundll32.exe "C:\Windows\Installer\MSI57C1.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_1857437 380 Avira.OE.Setup.CustomActions!Avira.OE.Setup.CustomActions.Configuration.ConfigureOeSettingsConfig
Path: C:\Windows\system32\rundll32.exe
Parent process: MsiExec.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows host process (Rundll32)
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\rundll32.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imagehlp.dll
PID: 1920
CMD: rundll32.exe "C:\Windows\Installer\MSIF54E.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_1832234 240 Avira.OE.Setup.CustomActions!Avira.OE.Setup.CustomActions.Configuration.RemovedOldServiceHostFirstStartProperty
Path: C:\Windows\system32\rundll32.exe
Parent process: MsiExec.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows host process (Rundll32)
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\rundll32.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\imagehlp.dll
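Every rundll32.exe command line in the table above has the same shape: a DLL extracted to C:\Windows\Installer\MSIxxxx.tmp, the export zzzzInvokeManagedCustomActionOutOfProc, a SfxCA_ pipe name, a number and an Assembly!Type.Method target. That is how WiX DTF runs managed custom actions out of process on behalf of msiexec, and it is why the "Loads dropped or rewritten executable" list is dominated by rundll32. The Python below is an added example, not part of the ANY.RUN report or of Avira's installer: it parses such PID / CMD / Path / Parent records, separates DTF-shaped rundll32 and schtasks calls from everything else, and flags a DTF invocation whose DLL is outside the Installer cache or whose parent is not msiexec, as well as a schtasks /Create that takes its task definition from an XML file, where the action is not visible on the command line. The records are copied from the table except the last one, which is constructed; the `Proc`, `classify`, `triage` and `needs_review` names are this example's own.

```python
"""Triage of process-table command lines (added example, not report code)."""
import re
from dataclasses import dataclass, field
from typing import List

# Export exposed by the WiX DTF SfxCA shim DLL for out-of-process managed
# custom actions; msiexec extracts the shim to C:\Windows\Installer\MSIxxxx.tmp.
DTF_EXPORT = "zzzzInvokeManagedCustomActionOutOfProc"

# rundll32.exe "<dll>",<export> <pipe name> <number> <Assembly!Type.Method>
DTF_RE = re.compile(
    r'^rundll32\.exe\s+"(?P<dll>[^"]+)",(?P<export>\S+)\s+'
    r"(?P<pipe>SfxCA_\d+)\s+(?P<num>\d+)\s+(?P<target>\S+)$",
    re.IGNORECASE,
)
INSTALLER_TMP_RE = re.compile(r"^[a-z]:\\windows\\installer\\msi[0-9a-f]{4}\.tmp$", re.IGNORECASE)
TASK_NAME_RE = re.compile(r'/TN\s+"(?P<task>[^"]+)"', re.IGNORECASE)
TASK_XML_RE = re.compile(r'/XML\s+"(?P<xml>[^"]+)"', re.IGNORECASE)


@dataclass
class Proc:
    pid: int
    cmd: str
    path: str
    parent: str


@dataclass
class Finding:
    pid: int
    kind: str
    detail: str
    flags: List[str] = field(default_factory=list)


def classify(p: Proc) -> Finding:
    exe = p.path.rsplit("\\", 1)[-1].lower()
    if exe == "rundll32.exe":
        m = DTF_RE.match(p.cmd)
        if m and m.group("export") == DTF_EXPORT:
            flags = []
            # A DTF custom action is expected to run from the Installer cache
            # with msiexec as its parent; anything else deserves a look.
            if not INSTALLER_TMP_RE.match(m.group("dll")):
                flags.append("dtf-dll-outside-windows-installer")
            if p.parent.lower() != "msiexec.exe":
                flags.append("dtf-parent-not-msiexec")
            return Finding(p.pid, "wix-dtf-custom-action", m.group("target"), flags)
        return Finding(p.pid, "rundll32-review", p.cmd, ["rundll32-not-msi-custom-action"])
    if exe == "schtasks.exe":
        verb = ("create" if re.search(r"/create\b", p.cmd, re.I)
                else "delete" if re.search(r"/delete\b", p.cmd, re.I) else "other")
        task = TASK_NAME_RE.search(p.cmd)
        xml = TASK_XML_RE.search(p.cmd)
        detail = f"{verb} {task.group('task') if task else '?'}"
        flags = []
        if xml:
            # With /XML the task action lives in the file, not on the command
            # line, so the XML has to be pulled from the sandbox to see it.
            detail += f" from {xml.group('xml')}"
            flags.append("task-action-not-in-cmdline")
        return Finding(p.pid, "schtasks", detail, flags)
    return Finding(p.pid, "other", f"{exe} (parent {p.parent})")


def triage(procs: List[Proc]) -> List[Finding]:
    return [classify(p) for p in procs]


def needs_review(findings: List[Finding]) -> List[Finding]:
    return [f for f in findings if f.flags]


# Records copied from the process table above; the last one is constructed.
SAMPLE = [
    Proc(256, r'"C:\Users\admin\AppData\Local\Temp\RarSFX0\presetup.exe" /CLEANUPSRCFILES',
         r"C:\Users\admin\AppData\Local\Temp\RarSFX0\presetup.exe", "avira_antivirus_en-us[1].exe"),
    Proc(876, r'rundll32.exe "C:\Windows\Installer\MSIBB01.tmp",zzzzInvokeManagedCustomActionOutOfProc '
              r"SfxCA_1751812 193 Avira.OE.Setup.CustomActions!Avira.OE.Setup.CustomActions."
              r"InstallFinalization.WaitUntilLauncherIsReady",
         r"C:\Windows\system32\rundll32.exe", "MsiExec.exe"),
    Proc(996, r'"C:\Windows\system32\schtasks.exe" /Create /F /TN "Avira_Antivirus_Systray" '
              r'/XML "C:\Program Files\Avira\Antivirus\tmp.xml"',
         r"C:\Windows\system32\schtasks.exe", "setup.exe"),
    Proc(1036, r'"C:\Windows\system32\schtasks.exe" /Delete /TN "Avira SystrayStartTrigger" /F',
         r"C:\Windows\system32\schtasks.exe", "MsiExec.exe"),
    Proc(1160, r'rundll32.exe "C:\Windows\Installer\MSI531D.tmp",zzzzInvokeManagedCustomActionOutOfProc '
               r"SfxCA_1856265 373 Avira.OE.Setup.CustomActions!Avira.OE.Setup.CustomActions."
               r"Migration.MigrateOeSettingsConfig",
         r"C:\Windows\system32\rundll32.exe", "MsiExec.exe"),
    # Constructed: DTF-shaped, but DLL in a user temp dir and parent is not msiexec.
    Proc(9999, r'rundll32.exe "C:\Users\admin\AppData\Local\Temp\MSI1234.tmp",'
               r"zzzzInvokeManagedCustomActionOutOfProc SfxCA_1 1 Evil!Evil.Run",
         r"C:\Windows\system32\rundll32.exe", "explorer.exe"),
]

if __name__ == "__main__":
    for f in triage(SAMPLE):
        print(f.pid, f.kind, f.detail, f.flags)
```

Run as a script it prints one line per record; the report's own rundll32 entries come out as clean DTF custom actions with the managed method name, PID 996 is flagged because its task action is in tmp.xml, and only the constructed record trips the DLL-location and parent checks.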
Total events: 6 172
Read events: 3 907
Write events: 1 925
Delete events: 340

Modification events

Process: (2700) iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
Operation: write
Name: CompatibilityFlags
Value: 0

Process: (2700) iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: UNCAsIntranet
Value: 0

Process: (2700) iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: AutoDetect
Value: 1

Process: (2700) iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones
Operation: write
Name: SecuritySafe
Value: 1

Process: (2700) iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Operation: write
Name: ProxyEnable
Value: 0

Process: (2700) iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
Operation: write
Name: SavedLegacySettings
Value: (not reproduced here)

Process: (2700) iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Recovery\Active
Operation: write
Name: {F3A9D753-1E72-11E9-BAD8-5254004A04AF}
Value: 0

Process: (2700) iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2670000A-7350-4F3C-8081-5663EE0C6C49}\iexplore
Operation: write
Name: Type
Value: 4

Process: (2700) iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2670000A-7350-4F3C-8081-5663EE0C6C49}\iexplore
Operation: write
Name: Count
Value: 3

Process: (2700) iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2670000A-7350-4F3C-8081-5663EE0C6C49}\iexplore
Operation: write
Name: Time
Value: E307010002001600120018001C009203
Executable files: 1 131
Suspicious files: 134
Text files: 1 289
Unknown types: 638

Dropped files

Columns: PID, Process, Filename, Type, MD5, SHA256

PID 2700, iexplore.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RB73MZ6Y\favicon[1].ico
MD5:
SHA256:

PID 2700, iexplore.exe
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico
MD5:
SHA256:

PID 2700, iexplore.exe
Filename: C:\Users\admin\AppData\Local\Temp\~DFB6749F9346748F59.TMP
MD5:
SHA256:

PID 3340, iexplore.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\OCDM6JB6\avira_antivirus_en-us[1].exe
MD5:
SHA256:

PID 2700, iexplore.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\R9ZEWH8D\avira_antivirus_en-us[1].exe
MD5:
SHA256:

PID 2700, iexplore.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012019012220190123\index.dat
Type: dat
MD5:
SHA256:

PID 2700, iexplore.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\Internet Explorer\Recovery\Active\{F3A9D754-1E72-11E9-BAD8-5254004A04AF}.dat
Type: binary
MD5:
SHA256:

PID 2700, iexplore.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\OCDM6JB6\avira_antivirus_en-us[1].exe:Zone.Identifier
Type: text
MD5: FBCCF14D504B7B2DBCB5A5BDA75BD93B
SHA256: EACD09517CE90D34BA562171D15AC40D302F0E691B439F91BE1B6406E25F5913

PID 3076, avira_antivirus_en-us[1].exe
Filename: C:\Users\admin\AppData\Local\Temp\RarSFX0\aeheur_agen.dat
Type: binary
MD5:
SHA256:

PID 2700, iexplore.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\R9ZEWH8D\avira_antivirus_en-us[1].exe:Zone.Identifier
Type: text
MD5: FBCCF14D504B7B2DBCB5A5BDA75BD93B
SHA256: EACD09517CE90D34BA562171D15AC40D302F0E691B439F91BE1B6406E25F5913
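The two :Zone.Identifier entries above carry identical hashes (MD5 FBCCF14D..., SHA256 EACD0951...). That stream is the Mark-of-the-Web alternate data stream a browser writes next to a download, and its content depends only on the zone, so the same hashes show up for every file saved from the Internet zone on a Windows 7 host. The Python below is an added example, not part of the ANY.RUN report: it reproduces the report's hashes from the 26-byte stream for ZoneId=3, recovers the zone from a hash seen in a report, and parses the newer stream format that also records ReferrerUrl and HostUrl. `ZONES`, `matches_report`, `zone_from_md5` and the `NEWER_STREAM` sample are this example's own; the URLs in that sample are constructed.

```python
"""Mark-of-the-Web (Zone.Identifier) check; added example, not report code."""
import hashlib
from typing import Dict, Optional

# URLZONE values carried in the ZoneId field of the Zone.Identifier stream.
ZONES = {0: "Local machine", 1: "Local intranet", 2: "Trusted sites",
         3: "Internet", 4: "Restricted sites"}

# Hashes printed in the report for avira_antivirus_en-us[1].exe:Zone.Identifier.
REPORT_MD5 = "FBCCF14D504B7B2DBCB5A5BDA75BD93B"
REPORT_SHA256 = "EACD09517CE90D34BA562171D15AC40D302F0E691B439F91BE1B6406E25F5913"


def zone_identifier_stream(zone_id: int) -> bytes:
    """Minimal stream as written by IE on Windows 7: two CRLF-terminated lines."""
    return f"[ZoneTransfer]\r\nZoneId={zone_id}\r\n".encode("ascii")


def hashes(data: bytes) -> Dict[str, str]:
    return {"md5": hashlib.md5(data).hexdigest(),
            "sha256": hashlib.sha256(data).hexdigest()}


def matches_report(zone_id: int) -> bool:
    """Compare with the report values; the report prints upper-case hex."""
    h = hashes(zone_identifier_stream(zone_id))
    return h["md5"].upper() == REPORT_MD5 and h["sha256"].upper() == REPORT_SHA256


def zone_from_md5(md5_hex: str) -> Optional[int]:
    """Recover the ZoneId behind a Zone.Identifier hash seen in a report."""
    for z in ZONES:
        if hashes(zone_identifier_stream(z))["md5"].lower() == md5_hex.lower():
            return z
    return None


def parse_zone_identifier(data: bytes) -> Dict[str, str]:
    """Parse the INI-style stream; newer Windows adds ReferrerUrl/HostUrl keys."""
    out: Dict[str, str] = {}
    for line in data.decode("utf-8", "replace").splitlines():
        line = line.strip()
        if not line or line.startswith("["):
            continue
        key, _, value = line.partition("=")
        out[key.strip()] = value.strip()
    if "ZoneId" in out:
        out["ZoneName"] = ZONES.get(int(out["ZoneId"]), "unknown")
    return out


# Constructed sample of the newer stream format (not from the report).
NEWER_STREAM = (b"[ZoneTransfer]\r\nZoneId=3\r\n"
                b"ReferrerUrl=https://example.invalid/\r\n"
                b"HostUrl=https://example.invalid/setup.exe\r\n")

if __name__ == "__main__":
    print("report hashes reproduced for ZoneId=3:", matches_report(3))
    print("zone behind report MD5:", zone_from_md5(REPORT_MD5))
    print(parse_zone_identifier(NEWER_STREAM))
```

The match confirms that both cached copies of the installer were written by the browser from the Internet zone (ZoneId=3). Because the hash is a property of the stream format rather than of the downloaded file, Zone.Identifier hashes are useless as indicators for the binary itself; on newer Windows builds the stream also carries the HostUrl, which is the field worth extracting during triage.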
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 1
TCP/UDP connections: 2
DNS requests: 2
Threats: 2

HTTP requests

PID 2700, iexplore.exe: GET http://www.bing.com/favicon.ico, HTTP 200, 204.79.197.200:80, CN: US, type: image, size: 237 b, reputation: whitelisted

Connections

PID 2700, iexplore.exe: 204.79.197.200:80, www.bing.com, ASN: Microsoft Corporation, CN: US, reputation: whitelisted
PID 3340, iexplore.exe: 2.18.234.182:443, install.avira-update.com, ASN: Akamai International B.V., reputation: whitelisted

DNS requests

install.avira-update.com: 2.18.234.182 (reputation: suspicious)
www.bing.com: 204.79.197.200, 13.107.21.200 (reputation: whitelisted)

Threats

PID 2692, Avira.ServiceHost.exe: A Network Trojan was detected; SC TROJAN_DOWNLOADER Suspicious loader with tiny header
PID 3592, Avira.ServiceHost.exe: A Network Trojan was detected; SC TROJAN_DOWNLOADER Suspicious loader with tiny header
Process: Message

avira_en____fm.exe: Launcher Install Start
avira_en____fm.exe: Launcher Install Start
avira_en____fm.exe: Launcher Install End
avira_en____fm.exe: DocHostUiHandler::Release(): delete this
avira_en____fm.exe: JSObject::Release(): delete this
avira_en____fm.exe: ~WebBrowser: Finished
avira.exe: Launcher Update Start
avira.exe: Launcher Update Start
drvinstall32.exe: WdfCoInstaller: [01/22/2019 18:27.04.992] ReadComponents: WdfSection for Driver Service avusbflt using KMDF lib version Major 1, minor 11
drvinstall32.exe: WdfCoInstaller: [01/22/2019 18:27.05.007] DIF_INSTALLDEVICE: Coinstaller version: 1.11.0