Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Nov. 18, 2021, 11:40 p.m.	Nov. 18, 2021, 11:41 p.m.

Size	228.8KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`8d0f89e42853ecfae8f33b7daf879d2d`
SHA256	`d8621a1ef17df2fbe929282c99d3442039868c7d031c1ad15819569030996128`
CRC32	`E04DB9F2`
ssdeep	`3072:AJ8pnDfKTzlowcqcotOMFFp9t19Ty0Vf9f3pH6VV7rfA6wYkh9dQDUCjhhI0omL5:A4nDSkqxtOAtTTyOf9vwVpfOjM1z`
PDB Path	D:\work\8b0ebd312dc47f30\projects\avast\microstub\x86\Release\microstub.pdb
Yara	Malicious_Packer_Zero - Malicious Packer PE_Header_Zero - PE File Signature OS_Processor_Check_Zero - OS Processor Check IsPE32 - (no description) Win32_Trojan_Gen_2_0904B0_Zero - Win32 Trojan Gen Malicious_Library_Zero - Malicious_Library UPX_Zero - UPX packed file

avast_free_antivirus_setup_online.exe "C:\Users\test22\AppData\Local\Temp\avast_free_antivirus_setup_online.exe"
2780
- avast_free_antivirus_setup_online_x64.exe "C:\Windows\Temp\asw.a341460ac6b04306\avast_free_antivirus_setup_online_x64.exe" /cookie:mmm_sft_dlp_006_114_a /ga_clientid:a5f0d411-5d95-441f-8cc5-905e7f2a1fd6 /edat_dir:C:\Windows\Temp\asw.a341460ac6b04306
  3000
  - Instup.exe "C:\Windows\Temp\asw.1cab2291ba13df7b\instup.exe" /sfx:lite /sfxstorage:C:\Windows\Temp\asw.1cab2291ba13df7b /edition:1 /prod:ais /guid:234c5730-5ff5-4ae3-9a6b-efc31a53275f /ga_clientid:a5f0d411-5d95-441f-8cc5-905e7f2a1fd6 /cookie:mmm_sft_dlp_006_114_a /ga_clientid:a5f0d411-5d95-441f-8cc5-905e7f2a1fd6 /edat_dir:C:\Windows\Temp\asw.a341460ac6b04306
    2120
    - instup.exe "C:\Windows\Temp\asw.1cab2291ba13df7b\New_15020997\instup.exe" /sfx /sfxstorage:C:\Windows\Temp\asw.1cab2291ba13df7b /edition:1 /prod:ais /guid:234c5730-5ff5-4ae3-9a6b-efc31a53275f /ga_clientid:a5f0d411-5d95-441f-8cc5-905e7f2a1fd6 /cookie:mmm_sft_dlp_006_114_a /edat_dir:C:\Windows\Temp\asw.a341460ac6b04306 /online_installer
      2760
      - aswOfferTool.exe "C:\Windows\Temp\asw.1cab2291ba13df7b\New_15020997\aswOfferTool.exe" -checkGToolbar -elevated
        2304
      - aswOfferTool.exe "C:\Windows\Temp\asw.1cab2291ba13df7b\New_15020997\aswOfferTool.exe" /check_secure_browser
        2428

Name	Response	Post-Analysis Lookup
shepherd.ff.avast.com	CNAME shepherd.ns1.ff.avast.com	69.94.69.113
r0965026.iavs9x.u.avast.com	CNAME iavs9x4.u.avcdn.net.edgesuite.net CNAME a117.dscd.akamai.net A 119.207.64.112 A 119.207.64.203	119.207.64.203
h4305360.iavs9x.u.avast.com	CNAME iavs9x4.u.avcdn.net.edgesuite.net CNAME a117.dscd.akamai.net AAAA 2600:1410:1000::172b:a532 AAAA 2600:1410:1000::172b:a54b	119.207.64.112
l4691727.iavs9x.u.avast.com	CNAME iavs9x4.u.avcdn.net.edgesuite.net CNAME a117.dscd.akamai.net A 119.207.64.112 A 119.207.64.203	119.207.64.203
s-vps18tiny.avcdn.net	CNAME fallbackupdates.avcdn.net.edgekey.net CNAME e9229.dscd.akamaiedge.net AAAA 2600:1410:4000:291::240d AAAA 2600:1410:4000:2a0::240d	23.201.37.31
r6726306.iavs9x.u.avast.com	CNAME iavs9x4.u.avcdn.net.edgesuite.net CNAME a117.dscd.akamai.net AAAA 2600:1410:1000::172b:a54b AAAA 2600:1410:1000::172b:a532	119.207.64.112
f3461309.vps18tiny.u.avcdn.net	CNAME u4.avcdn.net.edgesuite.net CNAME a27.dscd.akamai.net A 119.207.64.99 A 119.207.64.115	119.207.64.99
t1024579.iavs9x.u.avast.com	CNAME iavs9x4.u.avcdn.net.edgesuite.net CNAME a117.dscd.akamai.net AAAA 2600:1410:1000::172b:a54b AAAA 2600:1410:1000::172b:a532	119.207.64.203
s-iavs9x.avcdn.net	CNAME fallbackupdates.avcdn.net.edgekey.net CNAME e9229.dscd.akamaiedge.net AAAA 2600:1410:4000:2a0::240d AAAA 2600:1410:4000:291::240d	23.201.37.31
s-vps18tiny.avcdn.net	CNAME fallbackupdates.avcdn.net.edgekey.net CNAME e9229.dscd.akamaiedge.net A 23.201.37.31	23.201.37.31
2.pool.ntp.org	A 23.94.219.121 A 216.229.0.49 A 176.9.157.155 A 147.135.207.214	65.19.142.137
www.google-analytics.com	A 172.217.31.238 CNAME www-google-analytics.l.google.com A 142.250.204.46 A 142.250.207.78	172.217.161.46
w5805295.iavs9x.u.avast.com	CNAME iavs9x4.u.avcdn.net.edgesuite.net CNAME a117.dscd.akamai.net A 119.207.64.112 A 119.207.64.203	119.207.64.112
c3978047.iavs9x.u.avast.com	CNAME iavs9x4.u.avcdn.net.edgesuite.net CNAME a117.dscd.akamai.net AAAA 2600:1410:1000::172b:a54b AAAA 2600:1410:1000::172b:a532	119.207.64.112
z4055813.iavs9x.u.avast.com	CNAME iavs9x4.u.avcdn.net.edgesuite.net CNAME a117.dscd.akamai.net AAAA 2600:1410:1000::172b:a532 AAAA 2600:1410:1000::172b:a54b	119.207.64.112
n8283613.iavs9x.u.avast.com	CNAME iavs9x4.u.avcdn.net.edgesuite.net CNAME a117.dscd.akamai.net A 119.207.64.112 A 119.207.64.203	119.207.64.203
n4291289.vps18tiny.u.avcdn.net	CNAME u4.avcdn.net.edgesuite.net CNAME a27.dscd.akamai.net A 119.207.64.99 A 119.207.64.115	119.207.64.99
0.pool.ntp.org	A 132.226.17.96 A 194.0.5.123	211.233.40.78
1.pool.ntp.org	A 37.187.122.11 A 159.69.4.181 A 193.182.111.141 A 89.111.54.85	194.0.5.123
d3176133.iavs9x.u.avast.com	CNAME iavs9x4.u.avcdn.net.edgesuite.net CNAME a117.dscd.akamai.net AAAA 2600:1410:1000::172b:a54b AAAA 2600:1410:1000::172b:a532	119.207.64.112
c3978047.vps18tiny.u.avcdn.net	CNAME u4.avcdn.net.edgesuite.net CNAME a27.dscd.akamai.net AAAA 2600:1410:1000::172b:a530 AAAA 2600:1410:1000::172b:a50a	119.207.64.99
alpha-iqs.ff.avast.com	A 77.234.45.9 CNAME alpha-xqs.ns1.ff.avast.com A 77.234.45.11 A 77.234.45.249	77.234.45.249
l4691727.iavs9x.u.avast.com	CNAME iavs9x4.u.avcdn.net.edgesuite.net CNAME a117.dscd.akamai.net AAAA 2600:1410:1000::172b:a54b AAAA 2600:1410:1000::172b:a532	119.207.64.203
c3978047.vps18tiny.u.avcdn.net	CNAME u4.avcdn.net.edgesuite.net CNAME a27.dscd.akamai.net A 119.207.64.99 A 119.207.64.115	119.207.64.99
3.pool.ntp.org	A 106.247.248.106 A 158.247.211.195	211.233.84.186
r0965026.iavs9x.u.avast.com	CNAME iavs9x4.u.avcdn.net.edgesuite.net CNAME a117.dscd.akamai.net AAAA 2600:1410:1000::172b:a54b AAAA 2600:1410:1000::172b:a532	119.207.64.203
t1024579.iavs9x.u.avast.com	CNAME iavs9x4.u.avcdn.net.edgesuite.net CNAME a117.dscd.akamai.net A 119.207.64.112 A 119.207.64.203	119.207.64.203
iavs9x.u.avast.com	CNAME a117.dscd.akamai.net CNAME iavs9x4.u.avcdn.net.edgesuite.net A 96.7.251.185 A 96.7.251.224	119.207.64.112
t1024579.vps18tiny.u.avcdn.net	CNAME u4.avcdn.net.edgesuite.net CNAME a27.dscd.akamai.net A 119.207.64.99 A 119.207.64.115	119.207.64.113
v7event.stats.avast.com	CNAME analytics.ff.avast.com CNAME analytics.ns1.ff.avast.com	69.94.68.202
w5805295.iavs9x.u.avast.com	CNAME iavs9x4.u.avcdn.net.edgesuite.net CNAME a117.dscd.akamai.net AAAA 2600:1410:1000::172b:a532 AAAA 2600:1410:1000::172b:a54b	119.207.64.112
shepherd.ff.avast.com	A 5.62.48.204 CNAME shepherd.ns1.ff.avast.com A 69.94.69.113 A 5.62.40.201 A 77.234.42.94 A 5.62.48.207 A 77.234.44.103 A 69.94.76.71 A 5.62.44.66	69.94.69.113
z4055813.iavs9x.u.avast.com	CNAME iavs9x4.u.avcdn.net.edgesuite.net CNAME a117.dscd.akamai.net A 119.207.64.112 A 119.207.64.203	119.207.64.112
h4305360.iavs9x.u.avast.com	CNAME iavs9x4.u.avcdn.net.edgesuite.net CNAME a117.dscd.akamai.net A 119.207.64.112 A 119.207.64.203	119.207.64.112
n4291289.vps18tiny.u.avcdn.net	CNAME u4.avcdn.net.edgesuite.net CNAME a27.dscd.akamai.net AAAA 2600:1410:1000::172b:a530 AAAA 2600:1410:1000::172b:a50a	119.207.64.99
r6726306.iavs9x.u.avast.com	CNAME iavs9x4.u.avcdn.net.edgesuite.net CNAME a117.dscd.akamai.net A 119.207.64.112 A 119.207.64.203	119.207.64.112
d3176133.vps18tiny.u.avcdn.net	CNAME u4.avcdn.net.edgesuite.net CNAME a27.dscd.akamai.net AAAA 2600:1410:1000::172b:a530 AAAA 2600:1410:1000::172b:a50a	119.207.64.113
f3461309.vps18tiny.u.avcdn.net	CNAME u4.avcdn.net.edgesuite.net CNAME a27.dscd.akamai.net AAAA 2600:1410:1000::172b:a530 AAAA 2600:1410:1000::172b:a50a	119.207.64.99
alpha-license-dealer.ff.avast.com	A 5.62.38.18 A 5.62.38.16 CNAME alpha-ld-stack.ns1.ff.avast.com A 5.62.38.35	5.62.38.12
d3176133.iavs9x.u.avast.com	CNAME iavs9x4.u.avcdn.net.edgesuite.net CNAME a117.dscd.akamai.net A 119.207.64.112 A 119.207.64.203	119.207.64.112
s-iavs9x.avcdn.net	CNAME fallbackupdates.avcdn.net.edgekey.net CNAME e9229.dscd.akamaiedge.net A 23.201.37.31	23.201.37.31
t1024579.vps18tiny.u.avcdn.net	CNAME u4.avcdn.net.edgesuite.net CNAME a27.dscd.akamai.net AAAA 2600:1410:1000::172b:a530 AAAA 2600:1410:1000::172b:a50a	119.207.64.113
n8283613.iavs9x.u.avast.com	CNAME iavs9x4.u.avcdn.net.edgesuite.net CNAME a117.dscd.akamai.net AAAA 2600:1410:1000::172b:a54b AAAA 2600:1410:1000::172b:a532	119.207.64.203
v7event.stats.avast.com	CNAME analytics.ff.avast.com CNAME analytics.ns1.ff.avast.com A 5.62.53.238 A 5.62.53.222 A 5.62.53.225 A 5.62.53.226 A 5.62.53.239 A 69.94.68.200 A 69.94.68.205	69.94.68.202
c3978047.iavs9x.u.avast.com	CNAME iavs9x4.u.avcdn.net.edgesuite.net CNAME a117.dscd.akamai.net A 119.207.64.112 A 119.207.64.203	119.207.64.112
d3176133.vps18tiny.u.avcdn.net	CNAME u4.avcdn.net.edgesuite.net CNAME a27.dscd.akamai.net A 119.207.64.115 A 119.207.64.99	119.207.64.113

IP Address	Status	Action
106.247.248.106	Active	Moloch
119.207.64.112	Active	Moloch
119.207.64.115	Active	Moloch
119.207.64.203	Active	Moloch
132.226.17.96	Active	Moloch
142.250.204.46	Active	Moloch
142.250.207.78	Active	Moloch
164.124.101.2	Active	Moloch
172.217.31.238	Active	Moloch
176.9.157.155	Active	Moloch
193.182.111.141	Active	Moloch
5.62.38.18	Active	Moloch
5.62.40.201	Active	Moloch
5.62.48.207	Active	Moloch
5.62.53.222	Active	Moloch
5.62.53.226	Active	Moloch
5.62.53.238	Active	Moloch
77.234.45.9	Active	Moloch
96.7.251.185	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 96.7.251.185:80 -> 192.168.56.101:49171	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 192.168.56.101:49203 -> 5.62.53.222:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLS 1.1 192.168.56.101:49168 96.7.251.185:443	C=US, O=DigiCert Inc, CN=DigiCert SHA2 Secure Server CA	C=US, ST=Massachusetts, L=Cambridge, O=Akamai Technologies, Inc., CN=a248.e.akamai.net	4e:74:27:b2:2c:d7:8f:7a:a4:71:65:18:cf:6a:09:fb:74:a8:72:e8
TLS 1.1 192.168.56.101:49164 96.7.251.185:443	C=US, O=DigiCert Inc, CN=DigiCert SHA2 Secure Server CA	C=US, ST=Massachusetts, L=Cambridge, O=Akamai Technologies, Inc., CN=a248.e.akamai.net	4e:74:27:b2:2c:d7:8f:7a:a4:71:65:18:cf:6a:09:fb:74:a8:72:e8
TLS 1.1 192.168.56.101:49166 96.7.251.185:443	C=US, O=DigiCert Inc, CN=DigiCert SHA2 Secure Server CA	C=US, ST=Massachusetts, L=Cambridge, O=Akamai Technologies, Inc., CN=a248.e.akamai.net	4e:74:27:b2:2c:d7:8f:7a:a4:71:65:18:cf:6a:09:fb:74:a8:72:e8
TLS 1.1 192.168.56.101:49167 96.7.251.185:443	C=US, O=DigiCert Inc, CN=DigiCert SHA2 Secure Server CA	C=US, ST=Massachusetts, L=Cambridge, O=Akamai Technologies, Inc., CN=a248.e.akamai.net	4e:74:27:b2:2c:d7:8f:7a:a4:71:65:18:cf:6a:09:fb:74:a8:72:e8
TLS 1.1 192.168.56.101:49169 96.7.251.185:443	C=US, O=DigiCert Inc, CN=DigiCert SHA2 Secure Server CA	C=US, ST=Massachusetts, L=Cambridge, O=Akamai Technologies, Inc., CN=a248.e.akamai.net	4e:74:27:b2:2c:d7:8f:7a:a4:71:65:18:cf:6a:09:fb:74:a8:72:e8
TLS 1.1 192.168.56.101:49180 5.62.48.207:443	C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 High Assurance Server CA	C=GB, L=London, O=Avast plc, OU=certificates@avast.com, CN=*.avast.com	ff:ac:7e:c7:dd:bd:f0:a5:c2:b1:c0:f6:42:9e:68:49:f6:68:a8:cc
TLS 1.1 192.168.56.101:49175 5.62.53.238:443	C=US, O=DigiCert Inc, CN=DigiCert TLS Hybrid ECC SHA384 2020 CA1	C=GB, L=London, O=Avast plc, CN=*.avast.com	34:92:a3:a3:65:65:33:d4:f1:e1:26:ed:59:64:32:ee:96:67:4b:6e
TLS 1.1 192.168.56.101:49201 5.62.38.18:443	C=US, O=DigiCert Inc, CN=DigiCert TLS Hybrid ECC SHA384 2020 CA1	C=GB, L=London, O=Avast plc, CN=*.avast.com	12:d8:7c:36:23:88:53:d4:88:42:1d:fc:43:cb:ec:09:b6:a9:2a:57
TLS 1.1 192.168.56.101:49202 77.234.45.9:443	C=US, O=DigiCert Inc, CN=DigiCert TLS Hybrid ECC SHA384 2020 CA1	C=GB, L=London, O=Avast plc, CN=*.avast.com	0c:e9:59:e4:20:cc:7c:d0:d3:88:66:d0:9a:e7:37:27:bc:61:f6:af
TLS 1.2 192.168.56.101:49203 5.62.53.222:443	C=US, O=DigiCert Inc, CN=DigiCert TLS Hybrid ECC SHA384 2020 CA1	C=GB, L=London, O=Avast plc, CN=*.avast.com	34:92:a3:a3:65:65:33:d4:f1:e1:26:ed:59:64:32:ee:96:67:4b:6e
TLS 1.1 192.168.56.101:49200 5.62.40.201:443	C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 High Assurance Server CA	C=GB, L=London, O=Avast plc, OU=certificates@avast.com, CN=*.avast.com	ff:ac:7e:c7:dd:bd:f0:a5:c2:b1:c0:f6:42:9e:68:49:f6:68:a8:cc

Queries for the computername (7 events)

Time & API	Arguments	Status	Return
GetComputerNameW Nov. 18, 2021, 11:40 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 18, 2021, 11:40 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 18, 2021, 11:41 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 18, 2021, 11:41 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 18, 2021, 11:41 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 18, 2021, 11:41 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 18, 2021, 11:41 p.m.	computer_name: TEST22-PC	1	1

Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid

This executable has a PDB path (1 event)

pdb_path

D:\work\8b0ebd312dc47f30\projects\avast\microstub\x86\Release\microstub.pdb

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Nov. 18, 2021, 11:40 p.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 event)

section

.didat

The file contains an unknown PE resource name possibly indicative of a packer (1 event)

resource name

PNG

One or more processes crashed (1 event)

Time & API	Arguments	Status	Return	Repeated
__exception__ Nov. 18, 2021, 11:41 p.m.	stacktrace: RaiseException+0x3d FreeEnvironmentStringsW-0x373 kernelbase+0xa49d @ 0x7fefda7a49d RpcRaiseException+0x53 RpcExceptionFilter-0x2bd rpcrt4+0x173c3 @ 0x7fefde573c3 CoGetInstanceFromFile+0x9574 HACCEL_UserFree-0x285c ole32+0x175124 @ 0x7feff305124 Ndr64AsyncServerCallAll+0x14e4 Ndr64AsyncClientCall-0x4fc rpcrt4+0xdb964 @ 0x7fefdf1b964 CoGetInstanceFromFile+0x6620 HACCEL_UserFree-0x57b0 ole32+0x1721d0 @ 0x7feff3021d0 DcomChannelSetHResult+0x3066 ObjectStublessClient3-0x7ee ole32+0x2d8a2 @ 0x7feff1bd8a2 ObjectStublessClient6+0x311 CoCreateInstanceEx-0x11f ole32+0xdd71 @ 0x7feff19dd71 ObjectStublessClient6+0xf5 CoCreateInstanceEx-0x33b ole32+0xdb55 @ 0x7feff19db55 CLSIDFromString+0x101a CoGetTreatAsClass-0x27f6 ole32+0x1169a @ 0x7feff1a169a CLSIDFromString+0x1a10 CoGetTreatAsClass-0x1e00 ole32+0x12090 @ 0x7feff1a2090 CoCreateInstanceEx+0x140 CoEnableCallCancellation-0x3a0 ole32+0xdfd0 @ 0x7feff19dfd0 CoCreateInstanceEx+0x64 CoEnableCallCancellation-0x47c ole32+0xdef4 @ 0x7feff19def4 New_ole32_CoCreateInstanceEx+0x1d4 New_ole32_CoGetClassObject-0xa5 @ 0x740c7353 DllCanUnloadNow+0xf58 DllGetClassObject-0x770 wbemprox+0x1f68 @ 0x7fef97e1f68 DllCanUnloadNow+0xedb DllGetClassObject-0x7ed wbemprox+0x1eeb @ 0x7fef97e1eeb DllCanUnloadNow+0x755 DllGetClassObject-0xf73 wbemprox+0x1765 @ 0x7fef97e1765 DllCanUnloadNow+0xcd8 DllGetClassObject-0x9f0 wbemprox+0x1ce8 @ 0x7fef97e1ce8 DllCanUnloadNow+0x1695 DllGetClassObject-0x33 wbemprox+0x26a5 @ 0x7fef97e26a5 ?is_locked@singleton_module@serialization@boost@@QEAA_NXZ+0xeac4b on_avast_dll_unload-0x1c30b5 instup+0x1bf88b @ 0x7fef1cdf88b ?is_locked@singleton_module@serialization@boost@@QEAA_NXZ+0xeafd0 on_avast_dll_unload-0x1c2d30 instup+0x1bfc10 @ 0x7fef1cdfc10 ?is_locked@singleton_module@serialization@boost@@QEAA_NXZ+0xeb560 on_avast_dll_unload-0x1c27a0 instup+0x1c01a0 @ 0x7fef1ce01a0 ?is_locked@singleton_module@serialization@boost@@QEAA_NXZ+0xeb60b on_avast_dll_unload-0x1c26f5 instup+0x1c024b @ 0x7fef1ce024b ?is_locked@singleton_module@serialization@boost@@QEAA_NXZ+0x8eb96 on_avast_dll_unload-0x21f16a instup+0x1637d6 @ 0x7fef1c837d6 ?is_locked@singleton_module@serialization@boost@@QEAA_NXZ+0x8b486 on_avast_dll_unload-0x22287a instup+0x1600c6 @ 0x7fef1c800c6 ?is_locked@singleton_module@serialization@boost@@QEAA_NXZ+0x90446 on_avast_dll_unload-0x21d8ba instup+0x165086 @ 0x7fef1c85086 ?is_locked@singleton_module@serialization@boost@@QEAA_NXZ+0x8b486 on_avast_dll_unload-0x22287a instup+0x1600c6 @ 0x7fef1c800c6 ?is_locked@singleton_module@serialization@boost@@QEAA_NXZ+0xbf71 on_avast_dll_unload-0x2a1d8f instup+0xe0bb1 @ 0x7fef1c00bb1 InstupInit-0x31cfd instup+0x632e3 @ 0x7fef1b832e3 on_avast_dll_unload+0xd955 ??0?$codecvt_null@_W@archive@boost@@QEAA@_K@Z-0x3a1a4b instup+0x390295 @ 0x7fef1eb0295 on_avast_dll_unload+0x2e99e ??0?$codecvt_null@_W@archive@boost@@QEAA@_K@Z-0x380a02 instup+0x3b12de @ 0x7fef1ed12de on_avast_dll_unload+0x639d3 ??0?$codecvt_null@_W@archive@boost@@QEAA@_K@Z-0x34b9cd instup+0x3e6313 @ 0x7fef1f06313 HTMLayoutAnimateElement+0xd7f HTMLayoutTraverseUIEvent-0x12e1 htmlayout+0x15dff @ 0x7fef1115dff ValueInvoke+0x70f8e htmlayout+0xb5d5e @ 0x7fef11b5d5e ValueInvoke+0x73012 htmlayout+0xb7de2 @ 0x7fef11b7de2 ValueInvoke+0x728c6 htmlayout+0xb7696 @ 0x7fef11b7696 ValueInvoke+0x70b04 htmlayout+0xb58d4 @ 0x7fef11b58d4 ValueInvoke+0xc532e htmlayout+0x10a0fe @ 0x7fef120a0fe ValueInvoke+0x17876b htmlayout+0x1bd53b @ 0x7fef12bd53b ValueInvoke+0x1781c2 htmlayout+0x1bcf92 @ 0x7fef12bcf92 ValueInvoke+0xbd9a9 htmlayout+0x102779 @ 0x7fef1202779 ValueInvoke+0x7a021 htmlayout+0xbedf1 @ 0x7fef11bedf1 ValueInvoke+0xbac96 htmlayout+0xffa66 @ 0x7fef11ffa66 HTMLayoutTranslateMessage+0x1f14 HTMLayoutProcND-0x507c htmlayout+0x7ef4 @ 0x7fef1107ef4 HTMLayoutRequestElementData+0x1c2 HTMLayoutHttpRequest-0x5e htmlayout+0x2ece2 @ 0x7fef112ece2 on_avast_dll_unload+0x230e4 ??0?$codecvt_null@_W@archive@boost@@QEAA@_K@Z-0x38c2bc instup+0x3a5a24 @ 0x7fef1ec5a24 on_avast_dll_unload+0xf89e1 ??0?$codecvt_null@_W@archive@boost@@QEAA@_K@Z-0x2b69bf instup+0x47b321 @ 0x7fef1f9b321 on_avast_dll_unload+0xf9f6f ??0?$codecvt_null@_W@archive@boost@@QEAA@_K@Z-0x2b5431 instup+0x47c8af @ 0x7fef1f9c8af on_avast_dll_unload+0x78ccc ??0?$codecvt_null@_W@archive@boost@@QEAA@_K@Z-0x3366d4 instup+0x3fb60c @ 0x7fef1f1b60c on_avast_dll_unload+0x229b9 ??0?$codecvt_null@_W@archive@boost@@QEAA@_K@Z-0x38c9e7 instup+0x3a52f9 @ 0x7fef1ec52f9 on_avast_dll_unload+0xf38ba ??0?$codecvt_null@_W@archive@boost@@QEAA@_K@Z-0x2bbae6 instup+0x4761fa @ 0x7fef1f961fa on_avast_dll_unload+0xf4374 ??0?$codecvt_null@_W@archive@boost@@QEAA@_K@Z-0x2bb02c instup+0x476cb4 @ 0x7fef1f96cb4 TranslateMessageEx+0x2a1 IntersectRect-0x11f user32+0x19bd1 @ 0x77379bd1 SetWindowTextW+0x277 SetWindowLongPtrW-0x3f5 user32+0x172cb @ 0x773772cb IsDialogMessageW+0x169 SetTimer-0x107 user32+0x16829 @ 0x77376829 KiUserCallbackDispatcher+0x1f KiUserExceptionDispatcher-0x25 ntdll+0x51225 @ 0x774b1225 SfmDxSetSwapChainStats+0x1a GetMessageW-0xa user32+0x19e6a @ 0x77379e6a GetMessageW+0x2a UserClientDllInitialize-0x42a user32+0x19e9e @ 0x77379e9e on_avast_dll_unload+0xed457 ??0?$codecvt_null@_W@archive@boost@@QEAA@_K@Z-0x2c1f49 instup+0x46fd97 @ 0x7fef1f8fd97 on_avast_dll_unload+0xedd65 ??0?$codecvt_null@_W@archive@boost@@QEAA@_K@Z-0x2c163b instup+0x4706a5 @ 0x7fef1f906a5 on_avast_dll_unload+0xedf80 ??0?$codecvt_null@_W@archive@boost@@QEAA@_K@Z-0x2c1420 instup+0x4708c0 @ 0x7fef1f908c0 ?do_out@?$codecvt_null@_W@archive@boost@@EEBAHAEAU_Mbstatet@@PEB_W1AEAPEB_WPEAD3AEAPEAD@Z+0x32d30 ?lock@?1??get_lock@singleton_module@serialization@boost@@AEAAAEA_NXZ@4_NA-0x3b21f8 instup+0x764b50 @ 0x7fef2284b50 BaseThreadInitThunk+0xd CreateThread-0x53 kernel32+0x1652d @ 0x76f9652d RtlUserThreadStart+0x21 strchr-0x3df ntdll+0x2c521 @ 0x7748c521 exception.instruction_r: 48 81 c4 c8 00 00 00 c3 48 85 f6 74 08 83 3b 00 exception.symbol: RaiseException+0x3d FreeEnvironmentStringsW-0x373 kernelbase+0xa49d exception.instruction: add rsp, 0xc8 exception.module: KERNELBASE.dll exception.exception_code: 0x8001010d exception.offset: 42141 exception.address: 0x7fefda7a49d registers.r14: 0 registers.r15: 0 registers.rcx: 104117232 registers.rsi: 0 registers.r10: 0 registers.rbx: 0 registers.rsp: 104136560 registers.r11: 514 registers.r8: 0 registers.r9: 0 registers.rdx: 1 registers.r12: 0 registers.rbp: 0 registers.rdi: 0 registers.rax: 1902945449 registers.r13: 0	1	0	0

Time & API

Arguments

Status

Return

Repeated

__exception__

Nov. 18, 2021, 11:41 p.m.

stacktrace:

RaiseException+0x3d FreeEnvironmentStringsW-0x373 kernelbase+0xa49d @ 0x7fefda7a49d
RpcRaiseException+0x53 RpcExceptionFilter-0x2bd rpcrt4+0x173c3 @ 0x7fefde573c3
CoGetInstanceFromFile+0x9574 HACCEL_UserFree-0x285c ole32+0x175124 @ 0x7feff305124
Ndr64AsyncServerCallAll+0x14e4 Ndr64AsyncClientCall-0x4fc rpcrt4+0xdb964 @ 0x7fefdf1b964
CoGetInstanceFromFile+0x6620 HACCEL_UserFree-0x57b0 ole32+0x1721d0 @ 0x7feff3021d0
DcomChannelSetHResult+0x3066 ObjectStublessClient3-0x7ee ole32+0x2d8a2 @ 0x7feff1bd8a2
ObjectStublessClient6+0x311 CoCreateInstanceEx-0x11f ole32+0xdd71 @ 0x7feff19dd71
ObjectStublessClient6+0xf5 CoCreateInstanceEx-0x33b ole32+0xdb55 @ 0x7feff19db55
CLSIDFromString+0x101a CoGetTreatAsClass-0x27f6 ole32+0x1169a @ 0x7feff1a169a
CLSIDFromString+0x1a10 CoGetTreatAsClass-0x1e00 ole32+0x12090 @ 0x7feff1a2090
CoCreateInstanceEx+0x140 CoEnableCallCancellation-0x3a0 ole32+0xdfd0 @ 0x7feff19dfd0
CoCreateInstanceEx+0x64 CoEnableCallCancellation-0x47c ole32+0xdef4 @ 0x7feff19def4
New_ole32_CoCreateInstanceEx+0x1d4 New_ole32_CoGetClassObject-0xa5 @ 0x740c7353
DllCanUnloadNow+0xf58 DllGetClassObject-0x770 wbemprox+0x1f68 @ 0x7fef97e1f68
DllCanUnloadNow+0xedb DllGetClassObject-0x7ed wbemprox+0x1eeb @ 0x7fef97e1eeb
DllCanUnloadNow+0x755 DllGetClassObject-0xf73 wbemprox+0x1765 @ 0x7fef97e1765
DllCanUnloadNow+0xcd8 DllGetClassObject-0x9f0 wbemprox+0x1ce8 @ 0x7fef97e1ce8
DllCanUnloadNow+0x1695 DllGetClassObject-0x33 wbemprox+0x26a5 @ 0x7fef97e26a5
?is_locked@singleton_module@serialization@boost@@QEAA_NXZ+0xeac4b on_avast_dll_unload-0x1c30b5 instup+0x1bf88b @ 0x7fef1cdf88b
?is_locked@singleton_module@serialization@boost@@QEAA_NXZ+0xeafd0 on_avast_dll_unload-0x1c2d30 instup+0x1bfc10 @ 0x7fef1cdfc10
?is_locked@singleton_module@serialization@boost@@QEAA_NXZ+0xeb560 on_avast_dll_unload-0x1c27a0 instup+0x1c01a0 @ 0x7fef1ce01a0
?is_locked@singleton_module@serialization@boost@@QEAA_NXZ+0xeb60b on_avast_dll_unload-0x1c26f5 instup+0x1c024b @ 0x7fef1ce024b
?is_locked@singleton_module@serialization@boost@@QEAA_NXZ+0x8eb96 on_avast_dll_unload-0x21f16a instup+0x1637d6 @ 0x7fef1c837d6
?is_locked@singleton_module@serialization@boost@@QEAA_NXZ+0x8b486 on_avast_dll_unload-0x22287a instup+0x1600c6 @ 0x7fef1c800c6
?is_locked@singleton_module@serialization@boost@@QEAA_NXZ+0x90446 on_avast_dll_unload-0x21d8ba instup+0x165086 @ 0x7fef1c85086
?is_locked@singleton_module@serialization@boost@@QEAA_NXZ+0x8b486 on_avast_dll_unload-0x22287a instup+0x1600c6 @ 0x7fef1c800c6
?is_locked@singleton_module@serialization@boost@@QEAA_NXZ+0xbf71 on_avast_dll_unload-0x2a1d8f instup+0xe0bb1 @ 0x7fef1c00bb1
InstupInit-0x31cfd instup+0x632e3 @ 0x7fef1b832e3
on_avast_dll_unload+0xd955 ??0?$codecvt_null@_W@archive@boost@@QEAA@_K@Z-0x3a1a4b instup+0x390295 @ 0x7fef1eb0295
on_avast_dll_unload+0x2e99e ??0?$codecvt_null@_W@archive@boost@@QEAA@_K@Z-0x380a02 instup+0x3b12de @ 0x7fef1ed12de
on_avast_dll_unload+0x639d3 ??0?$codecvt_null@_W@archive@boost@@QEAA@_K@Z-0x34b9cd instup+0x3e6313 @ 0x7fef1f06313
HTMLayoutAnimateElement+0xd7f HTMLayoutTraverseUIEvent-0x12e1 htmlayout+0x15dff @ 0x7fef1115dff
ValueInvoke+0x70f8e htmlayout+0xb5d5e @ 0x7fef11b5d5e
ValueInvoke+0x73012 htmlayout+0xb7de2 @ 0x7fef11b7de2
ValueInvoke+0x728c6 htmlayout+0xb7696 @ 0x7fef11b7696
ValueInvoke+0x70b04 htmlayout+0xb58d4 @ 0x7fef11b58d4
ValueInvoke+0xc532e htmlayout+0x10a0fe @ 0x7fef120a0fe
ValueInvoke+0x17876b htmlayout+0x1bd53b @ 0x7fef12bd53b
ValueInvoke+0x1781c2 htmlayout+0x1bcf92 @ 0x7fef12bcf92
ValueInvoke+0xbd9a9 htmlayout+0x102779 @ 0x7fef1202779
ValueInvoke+0x7a021 htmlayout+0xbedf1 @ 0x7fef11bedf1
ValueInvoke+0xbac96 htmlayout+0xffa66 @ 0x7fef11ffa66
HTMLayoutTranslateMessage+0x1f14 HTMLayoutProcND-0x507c htmlayout+0x7ef4 @ 0x7fef1107ef4
HTMLayoutRequestElementData+0x1c2 HTMLayoutHttpRequest-0x5e htmlayout+0x2ece2 @ 0x7fef112ece2
on_avast_dll_unload+0x230e4 ??0?$codecvt_null@_W@archive@boost@@QEAA@_K@Z-0x38c2bc instup+0x3a5a24 @ 0x7fef1ec5a24
on_avast_dll_unload+0xf89e1 ??0?$codecvt_null@_W@archive@boost@@QEAA@_K@Z-0x2b69bf instup+0x47b321 @ 0x7fef1f9b321
on_avast_dll_unload+0xf9f6f ??0?$codecvt_null@_W@archive@boost@@QEAA@_K@Z-0x2b5431 instup+0x47c8af @ 0x7fef1f9c8af
on_avast_dll_unload+0x78ccc ??0?$codecvt_null@_W@archive@boost@@QEAA@_K@Z-0x3366d4 instup+0x3fb60c @ 0x7fef1f1b60c
on_avast_dll_unload+0x229b9 ??0?$codecvt_null@_W@archive@boost@@QEAA@_K@Z-0x38c9e7 instup+0x3a52f9 @ 0x7fef1ec52f9
on_avast_dll_unload+0xf38ba ??0?$codecvt_null@_W@archive@boost@@QEAA@_K@Z-0x2bbae6 instup+0x4761fa @ 0x7fef1f961fa
on_avast_dll_unload+0xf4374 ??0?$codecvt_null@_W@archive@boost@@QEAA@_K@Z-0x2bb02c instup+0x476cb4 @ 0x7fef1f96cb4
TranslateMessageEx+0x2a1 IntersectRect-0x11f user32+0x19bd1 @ 0x77379bd1
SetWindowTextW+0x277 SetWindowLongPtrW-0x3f5 user32+0x172cb @ 0x773772cb
IsDialogMessageW+0x169 SetTimer-0x107 user32+0x16829 @ 0x77376829
KiUserCallbackDispatcher+0x1f KiUserExceptionDispatcher-0x25 ntdll+0x51225 @ 0x774b1225
SfmDxSetSwapChainStats+0x1a GetMessageW-0xa user32+0x19e6a @ 0x77379e6a
GetMessageW+0x2a UserClientDllInitialize-0x42a user32+0x19e9e @ 0x77379e9e
on_avast_dll_unload+0xed457 ??0?$codecvt_null@_W@archive@boost@@QEAA@_K@Z-0x2c1f49 instup+0x46fd97 @ 0x7fef1f8fd97
on_avast_dll_unload+0xedd65 ??0?$codecvt_null@_W@archive@boost@@QEAA@_K@Z-0x2c163b instup+0x4706a5 @ 0x7fef1f906a5
on_avast_dll_unload+0xedf80 ??0?$codecvt_null@_W@archive@boost@@QEAA@_K@Z-0x2c1420 instup+0x4708c0 @ 0x7fef1f908c0
?do_out@?$codecvt_null@_W@archive@boost@@EEBAHAEAU_Mbstatet@@PEB_W1AEAPEB_WPEAD3AEAPEAD@Z+0x32d30 ?lock@?1??get_lock@singleton_module@serialization@boost@@AEAAAEA_NXZ@4_NA-0x3b21f8 instup+0x764b50 @ 0x7fef2284b50
BaseThreadInitThunk+0xd CreateThread-0x53 kernel32+0x1652d @ 0x76f9652d
RtlUserThreadStart+0x21 strchr-0x3df ntdll+0x2c521 @ 0x7748c521

exception.instruction_r: 48 81 c4 c8 00 00 00 c3 48 85 f6 74 08 83 3b 00
exception.symbol: RaiseException+0x3d FreeEnvironmentStringsW-0x373 kernelbase+0xa49d
exception.instruction: add rsp, 0xc8
exception.module: KERNELBASE.dll
exception.exception_code: 0x8001010d
exception.offset: 42141
exception.address: 0x7fefda7a49d
registers.r14: 0
registers.r15: 0
registers.rcx: 104117232
registers.rsi: 0
registers.r10: 0
registers.rbx: 0
registers.rsp: 104136560
registers.r11: 514
registers.r8: 0
registers.r9: 0
registers.rdx: 1
registers.r12: 0
registers.rbp: 0
registers.rdi: 0
registers.rax: 1902945449
registers.r13: 0

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

HTTP traffic contains suspicious features which may be indicative of malware related traffic (6 events)

suspicious_features	POST method with no referer header	suspicious_request	POST http://www.google-analytics.com/collect
suspicious_features	POST method with no referer header	suspicious_request	POST http://v7event.stats.avast.com/cgi-bin/iavsevents.cgi
suspicious_features	POST method with no referer header	suspicious_request	POST https://v7event.stats.avast.com/cgi-bin/iavsevents.cgi
suspicious_features	POST method with no referer header	suspicious_request	POST https://shepherd.ff.avast.com/
suspicious_features	POST method with no referer header	suspicious_request	POST https://alpha-license-dealer.ff.avast.com/common/v1/device/unattendedtrial
suspicious_features	POST method with no referer header	suspicious_request	POST https://alpha-iqs.ff.avast.com/inifiles

Performs some HTTP requests (24 events)

request	POST http://www.google-analytics.com/collect
request	POST http://v7event.stats.avast.com/cgi-bin/iavsevents.cgi
request	GET http://iavs9x.u.avast.com/iavs9x/avast_free_antivirus_setup_online_x64.exe
request	GET http://www.google-analytics.com/collect?aiid=mmm_sft_dlp_006_114_a&an=Free&av=21.9.6698&cd=stub-extended&cd3=Online&cid=234c5730-5ff5-4ae3-9a6b-efc31a53275f&dt=Installation&t=screenview&tid=UA-58120669-3&v=1
request	GET http://w5805295.iavs9x.u.avast.com/iavs9x/servers.def.vpx
request	GET http://z4055813.iavs9x.u.avast.com/iavs9x/prod-pgm.vpx
request	GET http://z4055813.iavs9x.u.avast.com/iavs9x/part-setup_ais-15020997.vpx
request	GET http://z4055813.iavs9x.u.avast.com/iavs9x/avbugreport_x64_ais-997.vpx
request	GET http://z4055813.iavs9x.u.avast.com/iavs9x/avdump_x64_ais-997.vpx
request	GET http://z4055813.iavs9x.u.avast.com/iavs9x/avdump_x86_ais-997.vpx
request	GET http://z4055813.iavs9x.u.avast.com/iavs9x/instcont_x64_ais-997.vpx
request	GET http://z4055813.iavs9x.u.avast.com/iavs9x/instup_x64_ais-997.vpx
request	GET http://z4055813.iavs9x.u.avast.com/iavs9x/offertool_x64_ais-997.vpx
request	GET http://z4055813.iavs9x.u.avast.com/iavs9x/sbr_x64_ais-997.vpx
request	GET http://z4055813.iavs9x.u.avast.com/iavs9x/setgui_x64_ais-997.vpx
request	GET http://d3176133.iavs9x.u.avast.com/iavs9x/prod-pgm.vpx
request	GET http://d3176133.iavs9x.u.avast.com/iavs9x/part-prg_ais-15020997.vpx
request	GET http://n4291289.vps18tiny.u.avcdn.net/vps18tiny/prod-vps.vpx
request	GET http://n4291289.vps18tiny.u.avcdn.net/vps18tiny/part-jrog2-57.vpx
request	GET http://n4291289.vps18tiny.u.avcdn.net/vps18tiny/part-vps_windows-21111613.vpx
request	POST https://v7event.stats.avast.com/cgi-bin/iavsevents.cgi
request	POST https://shepherd.ff.avast.com/
request	POST https://alpha-license-dealer.ff.avast.com/common/v1/device/unattendedtrial
request	POST https://alpha-iqs.ff.avast.com/inifiles

Sends data using the HTTP POST Method (6 events)

request	POST http://www.google-analytics.com/collect
request	POST http://v7event.stats.avast.com/cgi-bin/iavsevents.cgi
request	POST https://v7event.stats.avast.com/cgi-bin/iavsevents.cgi
request	POST https://shepherd.ff.avast.com/
request	POST https://alpha-license-dealer.ff.avast.com/common/v1/device/unattendedtrial
request	POST https://alpha-iqs.ff.avast.com/inifiles

Allocates read-write-execute memory (usually to unpack itself) (9 events)

Time & API	Arguments	Status
NtProtectVirtualMemory Nov. 18, 2021, 11:40 p.m.	process_identifier: 2780 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73a02000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 18, 2021, 11:40 p.m.	process_identifier: 2780 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73393000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 18, 2021, 11:40 p.m.	process_identifier: 2780 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x732e2000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 18, 2021, 11:40 p.m.	process_identifier: 2780 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73ab3000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 18, 2021, 11:40 p.m.	process_identifier: 3000 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000007391c000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 18, 2021, 11:40 p.m.	process_identifier: 2120 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076f99000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 18, 2021, 11:40 p.m.	process_identifier: 2120 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000007391c000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 18, 2021, 11:40 p.m.	process_identifier: 2760 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076f99000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 18, 2021, 11:41 p.m.	process_identifier: 2760 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000007391c000 process_handle: 0xffffffffffffffff	1

Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation (8 events)

Time & API	Arguments	Status	Return
GetDiskFreeSpaceExW Nov. 18, 2021, 11:40 p.m.	total_number_of_free_bytes: 0 free_bytes_available: 13719523328 root_path: C:\Windows\Temp\asw.a341460ac6b04306 total_number_of_bytes: 0	1	1
GetDiskFreeSpaceExW Nov. 18, 2021, 11:40 p.m.	total_number_of_free_bytes: 0 free_bytes_available: 13710159872 root_path: total_number_of_bytes: 0	1	1
GetDiskFreeSpaceExW Nov. 18, 2021, 11:40 p.m.	total_number_of_free_bytes: 0 free_bytes_available: 13673738240 root_path: total_number_of_bytes: 0	1	1
GetDiskFreeSpaceExW Nov. 18, 2021, 11:40 p.m.	total_number_of_free_bytes: 0 free_bytes_available: 13673738240 root_path: total_number_of_bytes: 0	1	1
GetDiskFreeSpaceExW Nov. 18, 2021, 11:40 p.m.	total_number_of_free_bytes: 0 free_bytes_available: 13673738240 root_path: C:\ total_number_of_bytes: 34252779520	1	1
GetDiskFreeSpaceExW Nov. 18, 2021, 11:40 p.m.	total_number_of_free_bytes: 0 free_bytes_available: 13604085760 root_path: total_number_of_bytes: 0	1	1
GetDiskFreeSpaceExW Nov. 18, 2021, 11:40 p.m.	total_number_of_free_bytes: 0 free_bytes_available: 13604085760 root_path: total_number_of_bytes: 0	1	1
GetDiskFreeSpaceExW Nov. 18, 2021, 11:40 p.m.	total_number_of_free_bytes: 0 free_bytes_available: 13604085760 root_path: C:\ total_number_of_bytes: 34252779520	1	1

Creates executable files on the filesystem (6 events)

file	C:\Windows\Temp\asw.a341460ac6b04306\avast_free_antivirus_setup_online_x64.exe
file	C:\Windows\Temp\asw.1cab2291ba13df7b\HTMLayout.dll
file	C:\Windows\Temp\asw.1cab2291ba13df7b\Instup.exe
file	C:\Windows\Temp\asw.1cab2291ba13df7b\uat_2120.dll
file	C:\Windows\Temp\asw.1cab2291ba13df7b\Instup.dll
file	C:\Windows\Temp\asw.1cab2291ba13df7b\uat_2760.dll

Drops a binary and executes it (1 event)

file	C:\Windows\Temp\asw.1cab2291ba13df7b\Instup.exe

Searches running processes potentially to identify processes for sandbox evasion, code injection or memory dumping (3 events)

Time & API	Arguments	Status	Return
Process32NextW Nov. 18, 2021, 11:40 p.m.	snapshot_handle: 0x00000000000000ec process_name: taskhost.exe process_identifier: 2600	1	1
Process32NextW Nov. 18, 2021, 11:40 p.m.	snapshot_handle: 0x00000000000000ec process_name: avast_free_antivirus_setup_online.exe process_identifier: 2780	1	1
Process32NextW Nov. 18, 2021, 11:40 p.m.	snapshot_handle: 0x00000000000000ec process_name: avast_free_antivirus_setup_online_x64.exe process_identifier: 3000	1	1

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses Nov. 18, 2021, 11:40 p.m.	flags: 0 family: 0	1	0	0

Checks for the Locally Unique Identifier on the system for a suspicious privilege (3 events)

Time & API	Arguments	Status	Return
LookupPrivilegeValueW Nov. 18, 2021, 11:40 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Nov. 18, 2021, 11:41 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Nov. 18, 2021, 11:40 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1

Potentially malicious URLs were found in the process memory dump (3 events)

url	http://ns.adobe.com/xap/1.0/mm/
url	http://ns.adobe.com/xap/1.0/sType/ResourceRef
url	http://ns.adobe.com/xap/1.0/

Yara rule detected in process memory (33 events)

description	Communications over RAW Socket	rule	Network_TCP_Socket
description	Escalate priviledges	rule	Escalate_priviledges
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerCheck__RemoteAPI
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	Communications over RAW Socket	rule	Network_TCP_Socket
description	Escalate priviledges	rule	Escalate_priviledges
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerCheck__RemoteAPI
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	Escalate priviledges	rule	Escalate_priviledges
description	Take ScreenShot	rule	ScreenShot
description	Match Windows Http API call	rule	Str_Win32_Http_API
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep

Queries for potentially installed applications (1 event)

Time & API	Arguments	Status	Return	Repeated
RegOpenKeyExW Nov. 18, 2021, 11:40 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\NVDA base_handle: 0xffffffff80000002 key_handle: 0x0000000000000000 options: 0 access: 0x00020219 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\NVDA		2	0

Attempts to identify installed AV products by installation directory (11 events)

file	C:\Program Files\Avast Software\Avast\setup\Vps64Reboot.txt
file	C:\ProgramData\Avast Software\Persistent Data\Avast\Logs\Setup.log.tmp.c51b8de2-9e20-47ad-a0f3-d8073c96c73f
file	\\.\C:\ProgramData\Avast Software
file	C:\ProgramData\Avast Software\Persistent Data\Avast\Logs\event_manager.log
file	C:\ProgramData\Avast Software\Avast\Ring\farewell.ini
file	C:\ProgramData\Avast Software\Avast\log
file	C:\ProgramData\Avast Software\Persistent Data\Avast\Logs
file	C:\Users\test22\AppData\Local\Avast Software\Avast\vaults.ini
file	C:\ProgramData\Avast Software\Persistent Data\Avast\Logs\event_manager.log.tmp.2d177213-3dfa-4e71-85de-740bc8ef5014
file	C:\ProgramData\Avast Software\Persistent Data\Avast\Logs\Setup.log
file	C:\ProgramData\Avast Software\Persistent Data\Avast\Reboot.txt

Attempts to identify installed AV products by registry key (27 events)

registry	HKEY_LOCAL_MACHINE\Software\AVG\Antivirus
registry	HKEY_LOCAL_MACHINE\SOFTWARE\Avast Software\Avast\properties
registry	HKEY_LOCAL_MACHINE\SOFTWARE\Avast Software\Avast\LogFolder
registry	HKEY_LOCAL_MACHINE\SOFTWARE\Avast Software\Avast\ChestFolder
registry	HKEY_LOCAL_MACHINE\Software\AVAST Software\SecureLine
registry	HKEY_LOCAL_MACHINE\SOFTWARE\Avast Software\Avast\MovedFolder
registry	HKEY_LOCAL_MACHINE\SOFTWARE\Avast Software\Avast\SetupLog
registry	HKEY_LOCAL_MACHINE\SOFTWARE\Avast Software\Avast\CrashGuardProcessWatcherExclusions
registry	HKEY_LOCAL_MACHINE\SOFTWARE\Avast Software\Avast
registry	HKEY_LOCAL_MACHINE\SOFTWARE\Avast Software\Avast\TempFolder
registry	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Avast Software\SymbolicLinkValue
registry	HKEY_LOCAL_MACHINE\SOFTWARE\Avast Software\Avast\CertificateFile
registry	HKEY_LOCAL_MACHINE\SOFTWARE\Avast Software\Avast\JournalFolder
registry	HKEY_LOCAL_MACHINE\SOFTWARE\Avast Software\Avast\Instup_IgnoredDownloadTypes
registry	HKEY_LOCAL_MACHINE\SOFTWARE\Avast Software\SymbolicLinkValue
registry	HKEY_LOCAL_MACHINE\Software\AVAST Software\TuneUp
registry	HKEY_LOCAL_MACHINE\SOFTWARE\Avast Software\dst
registry	HKEY_LOCAL_MACHINE\SOFTWARE\Avast Software\Avast\ProgramFolder
registry	HKEY_LOCAL_MACHINE\SOFTWARE\Avast Software\Avast\ReportFolder
registry	HKEY_LOCAL_MACHINE\Software\AVAST Software\DriverUpdater
registry	HKEY_LOCAL_MACHINE\SOFTWARE\Avast Software\Subscriptions\ActiveProducts
registry	HKEY_LOCAL_MACHINE\SOFTWARE\Avast Software\Avast\LicenseFile
registry	HKEY_LOCAL_MACHINE\SOFTWARE\Avast Software\Avast\FwDataFolder
registry	HKEY_LOCAL_MACHINE\SOFTWARE\Avast Software\Avast\DataFolder
registry	HKEY_LOCAL_MACHINE\Software\AVAST Software\Avast
registry	HKEY_LOCAL_MACHINE\Software\Avast Software\Browser
registry	HKEY_LOCAL_MACHINE\SOFTWARE\Avast Software\Avast\ShepherdDebug

Looks for the Windows Idle Time to determine the uptime (1 event)

Time & API	Arguments	Status	Return	Repeated
NtQuerySystemInformation Nov. 18, 2021, 11:40 p.m.	information_class: 8 (SystemProcessorPerformanceInformation)	1	0	0

Checks the CPU name from registry, possibly for anti-virtualization (1 event)

registry

HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString

Deletes executed files from disk (1 event)

file	C:\Windows\Temp\asw.1cab2291ba13df7b\New_15020997\aswOfferTool.exe

Queries information on disks, possibly for anti-virtualization (2 events)

Time & API	Arguments	Status	Return	Repeated
NtCreateFile Nov. 18, 2021, 11:40 p.m.	create_disposition: 1 (FILE_OPEN) file_handle: 0x000000a0 filepath: \??\PhysicalDrive0 desired_access: 0x00100080 (FILE_READ_ATTRIBUTES\|SYNCHRONIZE) file_attributes: 0 () filepath_r: \??\PhysicalDrive0 create_options: 96 (FILE_NON_DIRECTORY_FILE\|FILE_SYNCHRONOUS_IO_NONALERT) status_info: 0 (FILE_SUPERSEDED) share_access: 3 (FILE_SHARE_READ\|FILE_SHARE_WRITE)	1	0	0
DeviceIoControl Nov. 18, 2021, 11:40 p.m.	input_buffer: control_code: 2954240 () device_handle: 0x000000a0 output_buffer: (§Lu~$ VBOX HARDDISK 1.0VBOX HARDDISK 1.0 42566234393262373030372d6533656331322036	1	1	0

Resumed a suspended thread in a remote process potentially indicative of process injection (6 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2780 resumed a thread in remote process 3000
Process injection	Process 3000 resumed a thread in remote process 2120
Process injection	Process 2120 resumed a thread in remote process 2760
NtResumeThread Nov. 18, 2021, 11:40 p.m.	thread_handle: 0x00000488 suspend_count: 1 process_identifier: 3000	1	0	0
NtResumeThread Nov. 18, 2021, 11:40 p.m.	thread_handle: 0x00000000000001c4 suspend_count: 1 process_identifier: 2120	1	0	0
NtResumeThread Nov. 18, 2021, 11:40 p.m.	thread_handle: 0x00000000000005d8 suspend_count: 1 process_identifier: 2760	1	0	0

Detects Virtual Machines through their custom firmware (1 event)

Time & API	Arguments	Status	Return	Repeated
NtQuerySystemInformation Nov. 18, 2021, 11:40 p.m.	information_class: 76 (SystemFirmwareTableInformation)		3221225507	0

Detects the presence of Wine emulator (1 event)

Time & API	Arguments	Status	Return	Repeated
LdrGetProcedureAddress Nov. 18, 2021, 11:41 p.m.	ordinal: 0 function_address: 0x000007fe00000001 function_name: wine_get_version module: ntdll module_address: 0x0000000077460000		-1073741511	0

avast_free_antivirus_setup_online.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All