thanks for VT support link, lots of useful info, but didn't answer my questions !
the last submission date is still a puzzle !
I compared the details/behaviour with another avast installer downloaded using edge, hence my earlier qu's.
I also noticed some different calls, specifically; IsDebuggerPresent and searching found the following description;
IsDebuggerPresent is a function available in the kernel32.dll library. This function is often used in malwares to complexify the reverse engineering because it will take different paths in the program's flow when the malware is analyzed in a user-mode debugger such as OllyDbg
I appreciate no engines detected the file as malicious, however, as the certificate was out of date, how sure are you, that the file hasn't been modified/tampered with ?