Field | Value
---|---
URL | https://install.avira-update.com/package/antivirus/win/en-us/avira_antivirus_en-us.exe
Full analysis | https://app.any.run/tasks/3bcfa2a8-704e-4eba-a210-5c26676a8b10
Verdict | Malicious activity
Analysis date | January 22, 2019, 18:24:01
OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators | (see tables below)
MD5 | ABB15D38831EE3EB9509B84FE6CC3D8A
SHA1 | 52BC248BE1C5E00DBA2B98A4D2E6193FDAD3D0DD
SHA256 | FF6077DD4F1572B6149C69DE1749D7712B04F445D2D5262B45B3C7D5566D6BEC
SSDEEP | 3:N8LREJFRDElEGOTEUWQAZ/OTWQ6rA:2lgRZ3uGDSA
PID | CMD | Path | Indicators | Parent process | Details
---|---|---|---|---|---
2700 | "C:\Program Files\Internet Explorer\iexplore.exe" https://install.avira-update.com/package/antivirus/win/en-us/avira_antivirus_en-us.exe | C:\Program Files\Internet Explorer\iexplore.exe | — | explorer.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Internet Explorer; Exit code: 1; Version: 8.00.7600.16385 (win7_rtm.090713-1255)
3340 | "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2700 CREDAT:71937 | C:\Program Files\Internet Explorer\iexplore.exe | — | iexplore.exe | User: admin; Company: Microsoft Corporation; Integrity Level: LOW; Description: Internet Explorer; Exit code: 0; Version: 8.00.7600.16385 (win7_rtm.090713-1255)
3076 | "C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\R9ZEWH8D\avira_antivirus_en-us[1].exe" | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\R9ZEWH8D\avira_antivirus_en-us[1].exe | — | iexplore.exe | User: admin; Integrity Level: MEDIUM
3148 | "C:\Users\admin\AppData\Local\Temp\RarSFX0\presetup.exe" /CLEANUPSRCFILES | C:\Users\admin\AppData\Local\Temp\RarSFX0\presetup.exe | — | avira_antivirus_en-us[1].exe | User: admin; Company: Avira Operations GmbH & Co. KG; Integrity Level: MEDIUM; Description: Avira Antivirus Presetup; Exit code: 3221226540 (0xC000042C, STATUS_ELEVATION_REQUIRED); Version: 15.0.43.20
256 | "C:\Users\admin\AppData\Local\Temp\RarSFX0\presetup.exe" /CLEANUPSRCFILES | C:\Users\admin\AppData\Local\Temp\RarSFX0\presetup.exe | — | avira_antivirus_en-us[1].exe | User: admin; Company: Avira Operations GmbH & Co. KG; Integrity Level: HIGH; Description: Avira Antivirus Presetup; Version: 15.0.43.20
3504 | "C:\Users\admin\AppData\Local\Temp\RarSFX0\en-us\avira_en____fm.exe" /norestart NOAFTERINSTALLPAGE=1 | C:\Users\admin\AppData\Local\Temp\RarSFX0\en-us\avira_en____fm.exe | — | presetup.exe | User: admin; Company: Avira Operations GmbH & Co. KG; Integrity Level: HIGH; Description: Avira; Exit code: 0; Version: 1.2.121.24663
2188 | "C:\Windows\Temp\{059666DF-4945-4815-9B7E-465D95DE618E}\.cr\avira_en____fm.exe" -burn.clean.room="C:\Users\admin\AppData\Local\Temp\RarSFX0\en-us\avira_en____fm.exe" -burn.filehandle.attached=148 -burn.filehandle.self=156 /norestart NOAFTERINSTALLPAGE=1 | C:\Windows\Temp\{059666DF-4945-4815-9B7E-465D95DE618E}\.cr\avira_en____fm.exe | — | avira_en____fm.exe | User: admin; Company: Avira Operations GmbH & Co. KG; Integrity Level: HIGH; Description: Avira; Exit code: 0; Version: 1.2.121.24663
3028 | "C:\Windows\Temp\{93550457-4129-4D01-B130-6998F9447925}\.be\Avira.OE.Setup.Bundle.exe" -q -burn.elevated BurnPipe.{1855EA7C-7D03-4051-83D0-20CEFE88A9D6} {E7A3ABA6-900E-4D92-AC2E-538686CBB6BE} 2188 | C:\Windows\Temp\{93550457-4129-4D01-B130-6998F9447925}\.be\Avira.OE.Setup.Bundle.exe | — | avira_en____fm.exe | User: admin; Company: Avira Operations GmbH & Co. KG; Integrity Level: HIGH; Description: Avira; Exit code: 0; Version: 1.2.121.24663
2568 | "C:\ProgramData\Package Cache\82948C2FF20668DA368EC7C3871AC0E1CE99142A\Avira.OE.Setup.Prerequisites.exe" /enableMsiService /checkRebootRequired | C:\ProgramData\Package Cache\82948C2FF20668DA368EC7C3871AC0E1CE99142A\Avira.OE.Setup.Prerequisites.exe | — | Avira.OE.Setup.Bundle.exe | User: admin; Company: Avira Operations GmbH & Co. KG; Integrity Level: HIGH; Description: Avira.OE.Setup.Prerequisites; Exit code: 0; Version: 1.2.121.24663
3384 | "C:\ProgramData\Package Cache\82948C2FF20668DA368EC7C3871AC0E1CE99142A\Avira.OE.Setup.Prerequisites.exe" /writeCrossDetectionKey | C:\ProgramData\Package Cache\82948C2FF20668DA368EC7C3871AC0E1CE99142A\Avira.OE.Setup.Prerequisites.exe | — | Avira.OE.Setup.Bundle.exe | User: admin; Company: Avira Operations GmbH & Co. KG; Integrity Level: HIGH; Description: Avira.OE.Setup.Prerequisites; Exit code: 0; Version: 1.2.121.24663
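The process table above is most useful when read as a tree: the first `presetup.exe` (PID 3148) runs at MEDIUM integrity and exits with 3221226540 (0xC000042C, STATUS_ELEVATION_REQUIRED), then the identical command line is re-launched as PID 256 at HIGH integrity, and everything below it (the WiX Burn clean-room copy and the `-burn.elevated` bundle) inherits HIGH. The script below is an added example, not part of the ANY.RUN report or of Avira's code: it rebuilds that tree from rows transcribed from the table, decodes NTSTATUS-style exit codes, and flags both integrity jumps between parent and child and the elevation-required-then-relaunch pattern. Parent PIDs are inferred here (the report names only the parent image), and command lines other than the two `presetup.exe` ones are shortened; both are assumptions of the example.

```python
"""Added example: rebuild the sandbox process tree and flag integrity changes.
Rows are transcribed from the report's process table; parent PIDs are inferred
(the report names only the parent image) and most command lines are shortened."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Standard NTSTATUS values that commonly appear as process exit codes.
NTSTATUS_NAMES: Dict[int, str] = {
    0xC000042C: "STATUS_ELEVATION_REQUIRED",
    0xC0000005: "STATUS_ACCESS_VIOLATION",
    0xC0000409: "STATUS_STACK_BUFFER_OVERRUN",
}
INTEGRITY_RANK = {"LOW": 1, "MEDIUM": 2, "HIGH": 3, "SYSTEM": 4}


@dataclass(frozen=True)
class Proc:
    pid: int
    image: str
    cmdline: str
    parent_pid: Optional[int]        # None when the parent (explorer.exe) is outside the table
    integrity: str
    exit_code: Optional[int] = None  # None when the report records no exit code


IE = r'"C:\Program Files\Internet Explorer\iexplore.exe"'
PRESETUP = r'"C:\Users\admin\AppData\Local\Temp\RarSFX0\presetup.exe" /CLEANUPSRCFILES'

# Transcribed from the report; parent PIDs are inferred, other command lines shortened.
REPORT: List[Proc] = [
    Proc(2700, "iexplore.exe", IE + " https://install.avira-update.com/package/antivirus/win/en-us/avira_antivirus_en-us.exe", None, "MEDIUM", 1),
    Proc(3340, "iexplore.exe", IE + " SCODEF:2700 CREDAT:71937", 2700, "LOW", 0),
    Proc(3076, "avira_antivirus_en-us[1].exe", "avira_antivirus_en-us[1].exe", 2700, "MEDIUM"),
    Proc(3148, "presetup.exe", PRESETUP, 3076, "MEDIUM", 3221226540),
    Proc(256, "presetup.exe", PRESETUP, 3076, "HIGH"),
    Proc(3504, "avira_en____fm.exe", "avira_en____fm.exe /norestart NOAFTERINSTALLPAGE=1", 256, "HIGH", 0),
    Proc(2188, "avira_en____fm.exe", "avira_en____fm.exe (burn clean-room copy)", 3504, "HIGH", 0),
    Proc(3028, "Avira.OE.Setup.Bundle.exe", "Avira.OE.Setup.Bundle.exe -q -burn.elevated (parent 2188)", 2188, "HIGH", 0),
    Proc(2568, "Avira.OE.Setup.Prerequisites.exe", "Avira.OE.Setup.Prerequisites.exe /enableMsiService /checkRebootRequired", 3028, "HIGH", 0),
    Proc(3384, "Avira.OE.Setup.Prerequisites.exe", "Avira.OE.Setup.Prerequisites.exe /writeCrossDetectionKey", 3028, "HIGH", 0),
]


def describe_exit_code(code: Optional[int]) -> str:
    """Render an exit code; values >= 0x80000000 are treated as NTSTATUS."""
    if code is None:
        return "not recorded"
    if code < 0x80000000:
        return str(code)
    return f"0x{code:08X} ({NTSTATUS_NAMES.get(code, 'unknown NTSTATUS')})"


def find_elevations(procs: List[Proc]) -> List[Tuple[int, int, str, str]]:
    """Children running at a higher integrity level than their parent."""
    by_pid = {p.pid: p for p in procs}
    hits = []
    for p in procs:
        parent = by_pid.get(p.parent_pid) if p.parent_pid is not None else None
        if parent and INTEGRITY_RANK[p.integrity] > INTEGRITY_RANK[parent.integrity]:
            hits.append((parent.pid, p.pid, parent.integrity, p.integrity))
    return hits


def find_uac_relaunches(procs: List[Proc]) -> List[Tuple[int, int]]:
    """Pair a process that exited with STATUS_ELEVATION_REQUIRED with a later
    launch of the identical command line at a higher integrity level."""
    pairs = []
    for failed in (p for p in procs if p.exit_code == 0xC000042C):
        for p in procs:
            if (p.pid != failed.pid and p.cmdline == failed.cmdline
                    and INTEGRITY_RANK[p.integrity] > INTEGRITY_RANK[failed.integrity]):
                pairs.append((failed.pid, p.pid))
    return pairs


def render_tree(procs: List[Proc], root_pid: int) -> str:
    """Indented process tree, children ordered by PID."""
    by_pid = {p.pid: p for p in procs}
    children: Dict[Optional[int], List[Proc]] = {}
    for p in procs:
        children.setdefault(p.parent_pid, []).append(p)
    lines: List[str] = []

    def walk(pid: int, depth: int) -> None:
        p = by_pid[pid]
        lines.append(f"{'  ' * depth}{p.pid} {p.image} [{p.integrity}] exit={describe_exit_code(p.exit_code)}")
        for child in sorted(children.get(pid, []), key=lambda c: c.pid):
            walk(child.pid, depth + 1)

    walk(root_pid, 0)
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_tree(REPORT, 2700))
    print("integrity jumps:", find_elevations(REPORT))
    print("UAC re-launches:", find_uac_relaunches(REPORT))
```

Against the rows above the script reports a single integrity jump, from PID 3076 (MEDIUM) to PID 256 (HIGH), and pairs PID 3148 with PID 256 as the elevation-required-then-relaunch. That is the expected shape of a signed installer prompting for UAC; in a report where the jump lands on an unsigned binary in a temp directory, it is the first thing to pull on.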
PID | Process | Filename | Type | MD5 | SHA256
---|---|---|---|---|---
2700 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RB73MZ6Y\favicon[1].ico | — | — | —
2700 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico | — | — | —
2700 | iexplore.exe | C:\Users\admin\AppData\Local\Temp\~DFB6749F9346748F59.TMP | — | — | —
3340 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\OCDM6JB6\avira_antivirus_en-us[1].exe | — | — | —
2700 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\R9ZEWH8D\avira_antivirus_en-us[1].exe | — | — | —
3076 | avira_antivirus_en-us[1].exe | C:\Users\admin\AppData\Local\Temp\RarSFX0\addr_file.html | html | 701F9A86DF4EAD62C9D7FE721C9B2788 | F5EEB97238D40588333E743DD98076DBC25105042DB541A5BA1C763E735A4112
3076 | avira_antivirus_en-us[1].exe | C:\Users\admin\AppData\Local\Temp\RarSFX0\aecore.dll | executable | 1B921BE91A1D5477A251C216BFA6B776 | 1277DD1F65D30AE2055EB732A4F7B9C31310F4868DD6ED38AC9A8D6D09962271
3076 | avira_antivirus_en-us[1].exe | C:\Users\admin\AppData\Local\Temp\RarSFX0\aeexp.dll | executable | 4378FBB60289074E4A95D3C60058DB43 | F4FDEC19E9E5CEE7B0FD55D022A02603F797821D99C9AEC4817B8F3C418B7D38
3076 | avira_antivirus_en-us[1].exe | C:\Users\admin\AppData\Local\Temp\RarSFX0\aebb.dll | executable | CA7497DFEC41AE39C2ABA49DF489716C | BE84CA71660188E04C3A777E19019412E280AF4BF6BE9E14CA2D54EA2EC47B17
3340 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\History\Low\History.IE5\MSHist012019012220190123\index.dat | dat | E03B70922DA5D526480F9F01220F20DF | 7E784FE0A2C414488DAE84F8A718CFF2B086BBFAE00530D056C049FD2463E73F
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
2700 | iexplore.exe | GET | 200 | 204.79.197.200:80 | http://www.bing.com/favicon.ico | US | image | 237 b | whitelisted |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2700 | iexplore.exe | 204.79.197.200:80 | www.bing.com | Microsoft Corporation | US | whitelisted |
3340 | iexplore.exe | 2.18.234.182:443 | install.avira-update.com | Akamai International B.V. | — | whitelisted |
Domain | IP | Reputation
---|---|---
install.avira-update.com | | suspicious
www.bing.com | | whitelisted
PID | Process | Class | Message |
---|---|---|---|
2692 | Avira.ServiceHost.exe | A Network Trojan was detected | SC TROJAN_DOWNLOADER Suspicious loader with tiny header |
3592 | Avira.ServiceHost.exe | A Network Trojan was detected | SC TROJAN_DOWNLOADER Suspicious loader with tiny header |
Process | Message
---|---
avira_en____fm.exe | Launcher Install Start
avira_en____fm.exe | Launcher Install Start
avira_en____fm.exe | Launcher Install End
avira_en____fm.exe | DocHostUiHandler::Release(): delete this
avira_en____fm.exe | JSObject::Release(): delete this
avira_en____fm.exe | ~WebBrowser: Finished
avira.exe | Launcher Update Start
avira.exe | Launcher Update Start
drvinstall32.exe | WdfCoInstaller: [01/22/2019 18:27.04.992] ReadComponents: WdfSection for Driver Service avusbflt using KMDF lib version Major 1, minor 11
drvinstall32.exe | WdfCoInstaller: [01/22/2019 18:27.05.007] DIF_INSTALLDEVICE: Coinstaller version: 1.11.0