Summary | ZeroBOX

installer.exe

Tags: Generic Malware, UPX, Antivirus, Malicious Library, Malicious Packer, MSOffice File, PE File, DLL, OS Processor Check, PE32

Category: FILE
Machine: s1_win7_x6403_us
Started: Nov. 29, 2021, 9:41 a.m.
Completed: Nov. 29, 2021, 10:08 a.m.

Size: 3.5MB
Type: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: c313ddb7df24003d25bf62c5a218b215
SHA256: e3bc81a59fc45dfdfcc57b0078437061cb8c3396e1d593fcf187e3cdf0373ed1
CRC32: CA9C313E
ssdeep: 98304:h35E+vGaiDnXGtwcmoQvoTn0ib3xuisXNSAngKvbN/k:/vGacofn0IGtXK
PDB Path: C:\JobRelease\win\Release\stubs\x86\ExternalUi.pdb
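Before triaging a copy of this sample it is worth confirming it is the same file the report describes. The following is an added example, not ZeroBOX code: it computes the three identifiers the report lists in the report's own formats (lower-case hex digests for MD5 and SHA256, and CRC32 as eight upper-case hex digits of the unsigned zlib CRC). ssdeep needs an external module and is left out. The sample bytes in the test are constructed and do not hash to the report's values; `check_file` is meant to be pointed at the real installer.exe.

```python
"""Verify a local file against the identifiers in a ZeroBOX/Cuckoo summary."""
import hashlib
import zlib

# Values copied from the report above.
REPORT = {
    "md5": "c313ddb7df24003d25bf62c5a218b215",
    "sha256": "e3bc81a59fc45dfdfcc57b0078437061cb8c3396e1d593fcf187e3cdf0373ed1",
    "crc32": "CA9C313E",
}


def identifiers(data: bytes) -> dict:
    """Compute MD5, SHA256 and CRC32 of an in-memory buffer, in the report's formats."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
        # The report prints CRC32 as unsigned, zero-padded, upper-case hex.
        "crc32": f"{zlib.crc32(data) & 0xFFFFFFFF:08X}",
    }


def compare(data: bytes, report: dict = REPORT) -> dict:
    """Return {identifier: matches?} for every identifier the report supplies."""
    mine = identifiers(data)
    return {k: mine[k].lower() == v.lower() for k, v in report.items()}


def check_file(path: str, report: dict = REPORT, chunk: int = 1 << 20) -> bool:
    """Stream a file through all three hashes; True only if every identifier matches."""
    md5, sha, crc = hashlib.md5(), hashlib.sha256(), 0
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            md5.update(block)
            sha.update(block)
            crc = zlib.crc32(block, crc)
    mine = {"md5": md5.hexdigest(), "sha256": sha.hexdigest(),
            "crc32": f"{crc & 0xFFFFFFFF:08X}"}
    return all(mine[k].lower() == v.lower() for k, v in report.items())
```

A mismatch on CRC32 alone, with MD5 and SHA256 matching, almost always means a signedness or case difference in how the CRC was printed rather than a different file.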
Yara
  • Antivirus - Contains references to security software
  • PE_Header_Zero - PE File Signature
  • OS_Processor_Check_Zero - OS Processor Check
  • IsPE32 - (no description)
  • Win32_Trojan_Gen_2_0904B0_Zero - Win32 Trojan Gen
  • Malicious_Library_Zero - Malicious_Library
  • UPX_Zero - UPX packed file

IP Address Status Action
164.124.101.2 Active Moloch
34.196.43.38 Active Moloch

Suricata Alerts

Flow SID Signature Category
TCP 192.168.56.103:49174 -> 34.196.43.38:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49171 -> 34.196.43.38:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49175 -> 34.196.43.38:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49169 -> 34.196.43.38:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49186 -> 34.196.43.38:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49173 -> 34.196.43.38:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49187 -> 34.196.43.38:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49176 -> 34.196.43.38:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49192 -> 34.196.43.38:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49188 -> 34.196.43.38:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49180 -> 34.196.43.38:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49210 -> 34.196.43.38:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49183 -> 34.196.43.38:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49181 -> 34.196.43.38:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49191 -> 34.196.43.38:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49211 -> 34.196.43.38:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49185 -> 34.196.43.38:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49193 -> 34.196.43.38:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49190 -> 34.196.43.38:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49213 -> 34.196.43.38:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49189 -> 34.196.43.38:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49200 -> 34.196.43.38:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49198 -> 34.196.43.38:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49194 -> 34.196.43.38:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49212 -> 34.196.43.38:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49208 -> 34.196.43.38:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49195 -> 34.196.43.38:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49215 -> 34.196.43.38:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49209 -> 34.196.43.38:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49199 -> 34.196.43.38:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49201 -> 34.196.43.38:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49202 -> 34.196.43.38:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49203 -> 34.196.43.38:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49207 -> 34.196.43.38:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49172 -> 34.196.43.38:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49179 -> 34.196.43.38:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49184 -> 34.196.43.38:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49196 -> 34.196.43.38:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49177 -> 34.196.43.38:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49206 -> 34.196.43.38:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49178 -> 34.196.43.38:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49182 -> 34.196.43.38:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49197 -> 34.196.43.38:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49204 -> 34.196.43.38:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49205 -> 34.196.43.38:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined

Suricata TLS

Version | Flow | Issuer | Subject | Fingerprint
TLSv1 | 192.168.56.103:49175 -> 34.196.43.38:443 | None | None | None
TLSv1 | 192.168.56.103:49171 -> 34.196.43.38:443 | None | None | None
TLSv1 | 192.168.56.103:49174 -> 34.196.43.38:443 | None | None | None
TLSv1 | 192.168.56.103:49169 -> 34.196.43.38:443 | C=US, O=Amazon, OU=Server CA 1B, CN=Amazon | CN=installeranalytics.com | 6d:70:75:b4:e6:9d:21:a3:20:84:d3:79:ab:fe:0b:9a:79:d5:07:5c
TLSv1 | 192.168.56.103:49186 -> 34.196.43.38:443 | None | None | None
TLSv1 | 192.168.56.103:49187 -> 34.196.43.38:443 | None | None | None
TLSv1 | 192.168.56.103:49173 -> 34.196.43.38:443 | None | None | None
TLSv1 | 192.168.56.103:49176 -> 34.196.43.38:443 | None | None | None
TLSv1 | 192.168.56.103:49192 -> 34.196.43.38:443 | None | None | None
TLSv1 | 192.168.56.103:49188 -> 34.196.43.38:443 | None | None | None
TLSv1 | 192.168.56.103:49180 -> 34.196.43.38:443 | None | None | None
TLSv1 | 192.168.56.103:49210 -> 34.196.43.38:443 | None | None | None
TLSv1 | 192.168.56.103:49183 -> 34.196.43.38:443 | None | None | None
TLSv1 | 192.168.56.103:49181 -> 34.196.43.38:443 | None | None | None
TLSv1 | 192.168.56.103:49191 -> 34.196.43.38:443 | None | None | None
TLSv1 | 192.168.56.103:49211 -> 34.196.43.38:443 | None | None | None
TLSv1 | 192.168.56.103:49185 -> 34.196.43.38:443 | None | None | None
TLSv1 | 192.168.56.103:49193 -> 34.196.43.38:443 | None | None | None
TLSv1 | 192.168.56.103:49190 -> 34.196.43.38:443 | None | None | None
TLSv1 | 192.168.56.103:49213 -> 34.196.43.38:443 | None | None | None
TLSv1 | 192.168.56.103:49189 -> 34.196.43.38:443 | None | None | None
TLSv1 | 192.168.56.103:49200 -> 34.196.43.38:443 | None | None | None
TLSv1 | 192.168.56.103:49198 -> 34.196.43.38:443 | None | None | None
TLSv1 | 192.168.56.103:49194 -> 34.196.43.38:443 | None | None | None
TLSv1 | 192.168.56.103:49212 -> 34.196.43.38:443 | None | None | None
TLSv1 | 192.168.56.103:49208 -> 34.196.43.38:443 | None | None | None
TLSv1 | 192.168.56.103:49195 -> 34.196.43.38:443 | None | None | None
TLSv1 | 192.168.56.103:49209 -> 34.196.43.38:443 | None | None | None
TLSv1 | 192.168.56.103:49215 -> 34.196.43.38:443 | C=US, O=Amazon, OU=Server CA 1B, CN=Amazon | CN=installeranalytics.com | 6d:70:75:b4:e6:9d:21:a3:20:84:d3:79:ab:fe:0b:9a:79:d5:07:5c
TLSv1 | 192.168.56.103:49199 -> 34.196.43.38:443 | None | None | None
TLSv1 | 192.168.56.103:49201 -> 34.196.43.38:443 | None | None | None
TLSv1 | 192.168.56.103:49202 -> 34.196.43.38:443 | None | None | None
TLSv1 | 192.168.56.103:49203 -> 34.196.43.38:443 | None | None | None
TLSv1 | 192.168.56.103:49207 -> 34.196.43.38:443 | None | None | None
TLSv1 | 192.168.56.103:49172 -> 34.196.43.38:443 | None | None | None
TLSv1 | 192.168.56.103:49179 -> 34.196.43.38:443 | None | None | None
TLSv1 | 192.168.56.103:49184 -> 34.196.43.38:443 | None | None | None
TLSv1 | 192.168.56.103:49196 -> 34.196.43.38:443 | None | None | None
TLSv1 | 192.168.56.103:49177 -> 34.196.43.38:443 | None | None | None
TLSv1 | 192.168.56.103:49206 -> 34.196.43.38:443 | None | None | None
TLSv1 | 192.168.56.103:49178 -> 34.196.43.38:443 | None | None | None
TLSv1 | 192.168.56.103:49182 -> 34.196.43.38:443 | None | None | None
TLSv1 | 192.168.56.103:49197 -> 34.196.43.38:443 | None | None | None
TLSv1 | 192.168.56.103:49204 -> 34.196.43.38:443 | None | None | None
TLSv1 | 192.168.56.103:49205 -> 34.196.43.38:443 | None | None | None
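Every Suricata alert above is the same SID against the same endpoint, and the only certificate the sensor captured on those flows names installeranalytics.com. A JA3 hash fingerprints the TLS client implementation (cipher suites, extensions, curves in the ClientHello), so any program built on the same client stack produces the same hash; a JA3 blacklist hit is corroborating evidence about the client, not attribution of the traffic. The script below is an added example, not ZeroBOX code: it parses alert rows in the report's own layout, joins them with the TLS records for the same flows, and reports what the flagged connections actually talked to. The three alert rows and two TLS records embedded in it are a constructed subset copied from the tables above.

```python
"""Correlate Suricata JA3 alerts with the TLS records from the same sandbox run."""
import re
from collections import defaultdict

# Constructed sample: rows copied from the report tables above (the report
# has 45 of each; the shape of every row is identical).
ALERT_LINES = """\
TCP 192.168.56.103:49174 -> 34.196.43.38:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49169 -> 34.196.43.38:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49215 -> 34.196.43.38:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
"""

# (version, src, dst, issuer, subject, fingerprint); None = nothing captured.
TLS_RECORDS = [
    ("TLSv1", "192.168.56.103:49174", "34.196.43.38:443", None, None, None),
    ("TLSv1", "192.168.56.103:49169", "34.196.43.38:443",
     "C=US, O=Amazon, OU=Server CA 1B, CN=Amazon", "CN=installeranalytics.com",
     "6d:70:75:b4:e6:9d:21:a3:20:84:d3:79:ab:fe:0b:9a:79:d5:07:5c"),
    ("TLSv1", "192.168.56.103:49215", "34.196.43.38:443",
     "C=US, O=Amazon, OU=Server CA 1B, CN=Amazon", "CN=installeranalytics.com",
     "6d:70:75:b4:e6:9d:21:a3:20:84:d3:79:ab:fe:0b:9a:79:d5:07:5c"),
]

# proto src -> dst sid signature... category  (category is the last token)
ALERT_RE = re.compile(
    r"^(?P<proto>\w+) (?P<src>[\d.]+:\d+) -> (?P<dst>[\d.]+:\d+) "
    r"(?P<sid>\d+) (?P<sig>.+?) (?P<cat>\S+)$"
)


def parse_alerts(text):
    """Turn the report's alert rows into dicts; lines that do not match are skipped."""
    out = []
    for line in text.splitlines():
        m = ALERT_RE.match(line.strip())
        if m:
            out.append(m.groupdict())
    return out


def correlate(alerts, tls_records):
    """Group alerts by (destination, SID) and attach what TLS saw on those flows."""
    certs_by_flow = {(src, dst): (subject, fp)
                     for _, src, dst, _, subject, fp in tls_records}
    groups = defaultdict(lambda: {"flows": set(), "subjects": set(), "fingerprints": set()})
    for a in alerts:
        g = groups[(a["dst"], a["sid"])]
        g["flows"].add(a["src"])
        subject, fp = certs_by_flow.get((a["src"], a["dst"]), (None, None))
        if subject:
            g["subjects"].add(subject)
            g["fingerprints"].add(fp)
    return dict(groups)


def verdict(group):
    """State what the flagged flows were for; a JA3 hit alone is not attribution."""
    if not group["subjects"]:
        return "JA3 hit only, no certificate observed: review SNI/PCAP"
    return "JA3 hit on flows to " + ", ".join(sorted(group["subjects"]))


if __name__ == "__main__":
    for (dst, sid), g in correlate(parse_alerts(ALERT_LINES), TLS_RECORDS).items():
        print(f"{dst} sid={sid}: {len(g['flows'])} flows; {verdict(g)}")
```

Run against the full tables the same logic collapses 45 alerts into one (destination, SID) group whose only observed subject is CN=installeranalytics.com, which is the question to answer next: whether that endpoint is the installer's telemetry or something masquerading behind it.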

Time & API | Arguments | Status | Return | Repeated
GetComputerNameW | computer_name: TEST22-PC | 1 | 1 | 0
GetComputerNameA | computer_name: TEST22-PC | 1 | 1 | 0
GetComputerNameW | computer_name: TEST22-PC | 1 | 1 | 0
GetComputerNameW | computer_name: TEST22-PC | 1 | 1 | 0
GetComputerNameW | computer_name: TEST22-PC | 1 | 1 | 0
GetComputerNameA | computer_name: TEST22-PC | 1 | 1 | 0
GetComputerNameW | computer_name: TEST22-PC | 1 | 1 | 0
Time & API | Arguments | Status | Return | Repeated
IsDebuggerPresent | (none) | 0 | 0 |
pdb_path C:\JobRelease\win\Release\stubs\x86\ExternalUi.pdb
Time & API | Arguments | Status | Return | Repeated
GlobalMemoryStatusEx | (none) | 1 | 1 | 0
resource name IMAGE_FILE
resource name RTF_FILE
Time & API | Arguments | Status | Return | Repeated

__exception__

stacktrace:
RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x74de374b
DllDebugObjectRPCHook+0x108 HACCEL_UserFree-0x5 ole32+0x13f777 @ 0x753af777
NdrPointerFree+0x1b9 IUnknown_Release_Proxy-0xb rpcrt4+0x3419a @ 0x74df419a
NdrClientCall2+0x118 RpcAsyncInitializeHandle-0xf1 rpcrt4+0xb011d @ 0x74e7011d
WdtpInterfacePointer_UserUnmarshal+0x166b DllDebugObjectRPCHook-0x2d8d ole32+0x13c8e2 @ 0x753ac8e2
CoRegisterMessageFilter+0x32b4 ObjectStublessClient5-0x1db5 ole32+0x398ad @ 0x752a98ad
CoRegisterMessageFilter+0x5048 ObjectStublessClient5-0x21 ole32+0x3b641 @ 0x752ab641
CoRegisterMessageFilter+0x4ff4 ObjectStublessClient5-0x75 ole32+0x3b5ed @ 0x752ab5ed
CoRegisterMessageFilter+0x4b79 ObjectStublessClient5-0x4f0 ole32+0x3b172 @ 0x752ab172
CoRegisterMessageFilter+0x4075 ObjectStublessClient5-0xff4 ole32+0x3a66e @ 0x752aa66e
CoRegisterMessageFilter+0x421e ObjectStublessClient5-0xe4b ole32+0x3a817 @ 0x752aa817
CoRegisterMessageFilter+0x4188 ObjectStublessClient5-0xee1 ole32+0x3a781 @ 0x752aa781
CoRegisterMessageFilter+0x44fa ObjectStublessClient5-0xb6f ole32+0x3aaf3 @ 0x752aaaf3
WdtpInterfacePointer_UserUnmarshal+0x2109 DllDebugObjectRPCHook-0x22ef ole32+0x13d380 @ 0x753ad380
DllGetClassObject+0x5403 MsiCreateAndVerifyInstallerDirectory-0x464c msi+0x26c41 @ 0x73d96c41
DllGetClassObject+0x54a2 MsiCreateAndVerifyInstallerDirectory-0x45ad msi+0x26ce0 @ 0x73d96ce0
MsiInvalidateFeatureCache+0x30ae6 DllRegisterServer-0xa154 msi+0x9db21 @ 0x73e0db21
MsiDeterminePatchSequenceA+0x53f MsiCloseHandle-0x20fd msi+0xcdd98 @ 0x73e3dd98
MsiDeterminePatchSequenceA+0x24dd MsiCloseHandle-0x15f msi+0xcfd36 @ 0x73e3fd36
MsiCloseHandle+0x51 MsiCloseAllHandles-0x5d msi+0xcfee6 @ 0x73e3fee6
installer+0x101a97 @ 0x271a97
installer+0x2efce @ 0x19efce
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x772e9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x772e9ea5

exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b
exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727
exception.instruction: leave
exception.module: KERNELBASE.dll
exception.exception_code: 0x800401f0
exception.offset: 46887
exception.address: 0x766fb727
registers.esp: 83948348
registers.edi: 1965816336
registers.eax: 83948348
registers.ebp: 83948428
registers.edx: 1965849608
registers.ebx: 59856164
registers.esi: 2147746288
registers.ecx: 1965814016
status 1 | return 0 | repeated 0

__exception__

stacktrace:
RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x74de374b
DllDebugObjectRPCHook+0x108 HACCEL_UserFree-0x5 ole32+0x13f777 @ 0x753af777
NdrPointerFree+0x1b9 IUnknown_Release_Proxy-0xb rpcrt4+0x3419a @ 0x74df419a
NdrClientCall2+0x118 RpcAsyncInitializeHandle-0xf1 rpcrt4+0xb011d @ 0x74e7011d
WdtpInterfacePointer_UserUnmarshal+0x166b DllDebugObjectRPCHook-0x2d8d ole32+0x13c8e2 @ 0x753ac8e2
CoRegisterMessageFilter+0x32b4 ObjectStublessClient5-0x1db5 ole32+0x398ad @ 0x752a98ad
CoRegisterMessageFilter+0x5048 ObjectStublessClient5-0x21 ole32+0x3b641 @ 0x752ab641
CoRegisterMessageFilter+0x4ff4 ObjectStublessClient5-0x75 ole32+0x3b5ed @ 0x752ab5ed
CoRegisterMessageFilter+0x4b79 ObjectStublessClient5-0x4f0 ole32+0x3b172 @ 0x752ab172
CoRegisterMessageFilter+0x4075 ObjectStublessClient5-0xff4 ole32+0x3a66e @ 0x752aa66e
StgOpenStorage+0x14f2 CoSetProxyBlanket-0x1a5 ole32+0x15d00 @ 0x75285d00
StgOpenStorage+0x14d3 CoSetProxyBlanket-0x1c4 ole32+0x15ce1 @ 0x75285ce1
StgOpenStorage+0x1531 CoSetProxyBlanket-0x166 ole32+0x15d3f @ 0x75285d3f
SetErrorInfo+0x70f CoRevokeInitializeSpy-0x802 ole32+0x48f82 @ 0x752b8f82
SetErrorInfo+0x650 CoRevokeInitializeSpy-0x8c1 ole32+0x48ec3 @ 0x752b8ec3
PropVariantCopy+0xfe CoFreeAllLibraries-0x2406 ole32+0x3bac3 @ 0x752abac3
SetErrorInfo+0x75 CoRevokeInitializeSpy-0xe9c ole32+0x488e8 @ 0x752b88e8
New_ole32_CoUninitialize@0+0x55 New_ole32_OleConvertOLESTREAMToIStorage@12-0x58 @ 0x740d5180
MsiSetOfflineContextW+0x898a6 msi+0x161bab @ 0x73ed1bab
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x768733ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x772e9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x772e9ea5

exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b
exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727
exception.instruction: leave
exception.module: KERNELBASE.dll
exception.exception_code: 0x800706ba
exception.offset: 46887
exception.address: 0x766fb727
registers.esp: 68285364
registers.edi: 1965816336
registers.eax: 68285364
registers.ebp: 68285444
registers.edx: 2147944122
registers.ebx: 4670252
registers.esi: 2147944122
registers.ecx: 0
status 1 | return 0 | repeated 0
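Both exceptions are raised through RpcRaiseException beneath msi.dll, and the values the sandbox logs as exception codes are HRESULTs rather than NTSTATUS codes: 0x800401f0 is CO_E_NOTINITIALIZED and 0x800706ba is HRESULT_FROM_WIN32(1722), RPC_S_SERVER_UNAVAILABLE. Splitting an HRESULT into severity, facility and code identifies the failing subsystem without a debugger. The decoder below is an added example, not sandbox code; its name tables cover only the codes on this page plus a few neighbours and are not a substitute for winerror.h.

```python
"""Decode HRESULT exception codes of the kind recorded in the report above."""

# Facility field (bits 16-26) values from winerror.h that matter here.
FACILITIES = {0: "FACILITY_NULL", 1: "FACILITY_RPC", 4: "FACILITY_ITF", 7: "FACILITY_WIN32"}

# Well-known full HRESULTs (winerror.h); partial table, see lead-in.
KNOWN_HRESULTS = {
    0x800401F0: "CO_E_NOTINITIALIZED (CoInitialize has not been called)",
    0x80004005: "E_FAIL",
    0x80070005: "E_ACCESSDENIED",
}

# Win32 error numbers carried in FACILITY_WIN32 HRESULTs; partial table.
KNOWN_WIN32 = {
    5: "ERROR_ACCESS_DENIED",
    1722: "RPC_S_SERVER_UNAVAILABLE (The RPC server is unavailable)",
}


def decode_hresult(value: int) -> dict:
    """Split an HRESULT into severity / facility / code and name it if known."""
    value &= 0xFFFFFFFF
    severity = "FAILED" if value >> 31 else "SUCCEEDED"
    facility = (value >> 16) & 0x7FF
    code = value & 0xFFFF
    info = {
        "value": f"0x{value:08x}",
        "severity": severity,
        "facility": FACILITIES.get(facility, f"facility {facility}"),
        "code": code,
    }
    if facility == 7:
        # FACILITY_WIN32: the low 16 bits are a plain Win32 error number.
        info["win32_error"] = code
        info["name"] = KNOWN_WIN32.get(code, f"Win32 error {code}")
    else:
        info["name"] = KNOWN_HRESULTS.get(value, "unknown HRESULT")
    return info


def hresult_from_win32(err: int) -> int:
    """Mirror of the HRESULT_FROM_WIN32 macro: 0x8007xxxx for non-zero errors."""
    return err if err <= 0 else ((err & 0xFFFF) | (7 << 16) | 0x80000000)


if __name__ == "__main__":
    for code in (0x800401F0, 0x800706BA):
        print(decode_hresult(code))
```

The stack traces tell the rest: the first exception surfaces in MsiCloseHandle called from the installer image, the second from a worker thread under MsiSetOfflineContextW during CoUninitialize, so both are Windows Installer COM/RPC failures thrown inside the installer process rather than faults in the sample's own code.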
suspicious_features POST method with no referer header suspicious_request POST https://collect.installeranalytics.com/
request POST https://collect.installeranalytics.com/
request POST https://collect.installeranalytics.com/
Time & API | Arguments | Status | Return | Repeated
NtAllocateVirtualMemory | process_identifier 2332, base_address 0x00850000, region_size 4096, allocation_type 4096 (MEM_COMMIT), protection 64 (PAGE_EXECUTE_READWRITE), process_handle 0xffffffff, stack_dep_bypass 0, stack_pivoted 0, heap_dep_bypass 0 | 1 | 0 | 0
NtAllocateVirtualMemory | process_identifier 2332, base_address 0x02f30000, region_size 262144, allocation_type 8192 (MEM_RESERVE), protection 64 (PAGE_EXECUTE_READWRITE), process_handle 0xffffffff, stack_dep_bypass 0, stack_pivoted 0, heap_dep_bypass 0 | 1 | 0 | 0
NtAllocateVirtualMemory | process_identifier 2332, base_address 0x02f30000, region_size 4096, allocation_type 4096 (MEM_COMMIT), protection 64 (PAGE_EXECUTE_READWRITE), process_handle 0xffffffff, stack_dep_bypass 0, stack_pivoted 0, heap_dep_bypass 1 | 1 | 0 | 0
NtAllocateVirtualMemory | process_identifier 2332, base_address 0x04080000, region_size 983040, allocation_type 8192 (MEM_RESERVE), protection 64 (PAGE_EXECUTE_READWRITE), process_handle 0xffffffff, stack_dep_bypass 0, stack_pivoted 0, heap_dep_bypass 0 | 1 | 0 | 0
NtAllocateVirtualMemory | process_identifier 2332, base_address 0x04130000, region_size 4096, allocation_type 4096 (MEM_COMMIT), protection 64 (PAGE_EXECUTE_READWRITE), process_handle 0xffffffff, stack_dep_bypass 0, stack_pivoted 0, heap_dep_bypass 1 | 1 | 0 | 0
NtProtectVirtualMemory | process_identifier 2656, base_address 0x73881000, length 4096, protection 64 (PAGE_EXECUTE_READWRITE), process_handle 0xffffffff, stack_dep_bypass 0, stack_pivoted 0, heap_dep_bypass 0 | 1 | 0 | 0
NtProtectVirtualMemory | process_identifier 2656, base_address 0x73601000, length 4096, protection 64 (PAGE_EXECUTE_READWRITE), process_handle 0xffffffff, stack_dep_bypass 0, stack_pivoted 0, heap_dep_bypass 0 | 1 | 0 | 0
NtProtectVirtualMemory | process_identifier 2656, base_address 0x73661000, length 4096, protection 64 (PAGE_EXECUTE_READWRITE), process_handle 0xffffffff, stack_dep_bypass 0, stack_pivoted 0, heap_dep_bypass 0 | 1 | 0 | 0
NtProtectVirtualMemory | process_identifier 2656, base_address 0x72411000, length 4096, protection 64 (PAGE_EXECUTE_READWRITE), process_handle 0xffffffff, stack_dep_bypass 0, stack_pivoted 0, heap_dep_bypass 0 | 1 | 0 | 0
NtProtectVirtualMemory | process_identifier 2656, base_address 0x72401000, length 4096, protection 64 (PAGE_EXECUTE_READWRITE), process_handle 0xffffffff, stack_dep_bypass 0, stack_pivoted 0, heap_dep_bypass 0 | 1 | 0 | 0
NtProtectVirtualMemory | process_identifier 2656, base_address 0x723e1000, length 4096, protection 64 (PAGE_EXECUTE_READWRITE), process_handle 0xffffffff, stack_dep_bypass 0, stack_pivoted 0, heap_dep_bypass 0 | 1 | 0 | 0
NtProtectVirtualMemory | process_identifier 2656, base_address 0x75551000, length 4096, protection 64 (PAGE_EXECUTE_READWRITE), process_handle 0xffffffff, stack_dep_bypass 0, stack_pivoted 0, heap_dep_bypass 0 | 1 | 0 | 0
NtProtectVirtualMemory | process_identifier 2656, base_address 0x74bc1000, length 4096, protection 64 (PAGE_EXECUTE_READWRITE), process_handle 0xffffffff, stack_dep_bypass 0, stack_pivoted 0, heap_dep_bypass 0 | 1 | 0 | 0
NtProtectVirtualMemory | process_identifier 2656, base_address 0x74eb1000, length 4096, protection 64 (PAGE_EXECUTE_READWRITE), process_handle 0xffffffff, stack_dep_bypass 0, stack_pivoted 0, heap_dep_bypass 0 | 1 | 0 | 0
NtProtectVirtualMemory | process_identifier 2656, base_address 0x72a81000, length 4096, protection 64 (PAGE_EXECUTE_READWRITE), process_handle 0xffffffff, stack_dep_bypass 0, stack_pivoted 0, heap_dep_bypass 0 | 1 | 0 | 0
NtProtectVirtualMemory | process_identifier 2656, base_address 0x72a31000, length 4096, protection 64 (PAGE_EXECUTE_READWRITE), process_handle 0xffffffff, stack_dep_bypass 0, stack_pivoted 0, heap_dep_bypass 0 | 1 | 0 | 0
NtProtectVirtualMemory | process_identifier 2656, base_address 0x74371000, length 4096, protection 64 (PAGE_EXECUTE_READWRITE), process_handle 0xffffffff, stack_dep_bypass 0, stack_pivoted 0, heap_dep_bypass 0 | 1 | 0 | 0
NtProtectVirtualMemory | process_identifier 2656, base_address 0x729f1000, length 4096, protection 64 (PAGE_EXECUTE_READWRITE), process_handle 0xffffffff, stack_dep_bypass 0, stack_pivoted 0, heap_dep_bypass 0 | 1 | 0 | 0
NtProtectVirtualMemory | process_identifier 2656, base_address 0x72971000, length 4096, protection 64 (PAGE_EXECUTE_READWRITE), process_handle 0xffffffff, stack_dep_bypass 0, stack_pivoted 0, heap_dep_bypass 0 | 1 | 0 | 0
NtAllocateVirtualMemory | process_identifier 2656, base_address 0x03bb0000, region_size 524288, allocation_type 8192 (MEM_RESERVE), protection 64 (PAGE_EXECUTE_READWRITE), process_handle 0xffffffff, stack_dep_bypass 0, stack_pivoted 0, heap_dep_bypass 0 | 1 | 0 | 0
NtAllocateVirtualMemory | process_identifier 2656, base_address 0x03bf0000, region_size 4096, allocation_type 4096 (MEM_COMMIT), protection 64 (PAGE_EXECUTE_READWRITE), process_handle 0xffffffff, stack_dep_bypass 0, stack_pivoted 0, heap_dep_bypass 1 | 1 | 0 | 0
NtProtectVirtualMemory | process_identifier 2656, base_address 0x72962000, length 4096, protection 64 (PAGE_EXECUTE_READWRITE), process_handle 0xffffffff, stack_dep_bypass 0, stack_pivoted 0, heap_dep_bypass 0 | 1 | 0 | 0
NtAllocateVirtualMemory | process_identifier 2656, base_address 0x03f70000, region_size 655360, allocation_type 8192 (MEM_RESERVE), protection 64 (PAGE_EXECUTE_READWRITE), process_handle 0xffffffff, stack_dep_bypass 0, stack_pivoted 0, heap_dep_bypass 0 | 1 | 0 | 0
NtAllocateVirtualMemory | process_identifier 2656, base_address 0x03fd0000, region_size 4096, allocation_type 4096 (MEM_COMMIT), protection 64 (PAGE_EXECUTE_READWRITE), process_handle 0xffffffff, stack_dep_bypass 0, stack_pivoted 0, heap_dep_bypass 1 | 1 | 0 | 0
NtProtectVirtualMemory | process_identifier 2656, base_address 0x72ee1000, length 4096, protection 64 (PAGE_EXECUTE_READWRITE), process_handle 0xffffffff, stack_dep_bypass 0, stack_pivoted 0, heap_dep_bypass 0 | 1 | 0 | 0
NtProtectVirtualMemory | process_identifier 2656, base_address 0x753d1000, length 4096, protection 64 (PAGE_EXECUTE_READWRITE), process_handle 0xffffffff, stack_dep_bypass 0, stack_pivoted 0, heap_dep_bypass 0 | 1 | 0 | 0
NtProtectVirtualMemory | process_identifier 2656, base_address 0x72cf1000, length 4096, protection 64 (PAGE_EXECUTE_READWRITE), process_handle 0xffffffff, stack_dep_bypass 0, stack_pivoted 0, heap_dep_bypass 0 | 1 | 0 | 0
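Two things in these records are easy to misread. process_handle 0xffffffff is the current-process pseudo-handle, so every call here changes memory in the calling process (2332 or 2656), not in another one. And the NtProtectVirtualMemory targets all sit at 0x72xxx000 to 0x75xxx000, which in this 32-bit run is where the stack traces above place system DLLs (msi at 0x73dxxxxx, rpcrt4 at 0x74dxxxxx, ole32 at 0x752xxxxx), so they are re-protections of already-mapped module pages rather than fresh executable allocations. The script below is an added example, not sandbox code: it decodes the numeric flag values, pairs each MEM_RESERVE with the later MEM_COMMIT on the same base, and separates new RWX commits from protection changes inside that module range. The range bounds are an assumption drawn from this page's stack traces and should be checked against the process's module list before being relied on; the record list is a constructed subset of the table above.

```python
"""Triage NtAllocateVirtualMemory / NtProtectVirtualMemory records from a sandbox log."""

# Page protection bits (winnt.h).
PAGE_FLAGS = {0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
              0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
              0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
              0x100: "PAGE_GUARD", 0x200: "PAGE_NOCACHE", 0x400: "PAGE_WRITECOMBINE"}
# Allocation type bits (winnt.h).
ALLOC_FLAGS = {0x1000: "MEM_COMMIT", 0x2000: "MEM_RESERVE", 0x80000: "MEM_RESET",
               0x100000: "MEM_TOP_DOWN"}
EXEC_AND_WRITE = (0x40, 0x80)
# Assumption for this 32-bit run: where system DLLs are mapped, taken from the
# module addresses in the report's stack traces. Verify against the module list.
MODULE_RANGE = (0x70000000, 0x80000000)

# Constructed subset of the report's records; values copied from the table above.
RECORDS = [
    {"api": "NtAllocateVirtualMemory", "pid": 2332, "base": 0x00850000, "size": 4096,
     "protection": 64, "allocation_type": 4096, "heap_dep_bypass": 0},
    {"api": "NtAllocateVirtualMemory", "pid": 2332, "base": 0x02f30000, "size": 262144,
     "protection": 64, "allocation_type": 8192, "heap_dep_bypass": 0},
    {"api": "NtAllocateVirtualMemory", "pid": 2332, "base": 0x02f30000, "size": 4096,
     "protection": 64, "allocation_type": 4096, "heap_dep_bypass": 1},
    {"api": "NtProtectVirtualMemory", "pid": 2656, "base": 0x73881000, "size": 4096,
     "protection": 64},
    {"api": "NtAllocateVirtualMemory", "pid": 2656, "base": 0x03bb0000, "size": 524288,
     "protection": 64, "allocation_type": 8192, "heap_dep_bypass": 0},
]


def decode_flags(value, table):
    """Name every bit of `value` found in `table`; fall back to hex for unknown values."""
    names = [name for bit, name in table.items() if value & bit]
    return names or [f"0x{value:x}"]


def is_exec_and_write(protection):
    return any(protection & bit for bit in EXEC_AND_WRITE)


def triage(records):
    """Return (rwx_commits, module_page_reprotects), each keyed by pid."""
    reserved = set()          # (pid, base) pairs seen with MEM_RESERVE
    rwx_commits, reprotects = {}, {}
    for r in records:
        if not is_exec_and_write(r["protection"]):
            continue
        pid = r["pid"]
        if r["api"] == "NtAllocateVirtualMemory":
            kinds = decode_flags(r["allocation_type"], ALLOC_FLAGS)
            if "MEM_RESERVE" in kinds:
                reserved.add((pid, r["base"]))
            if "MEM_COMMIT" in kinds:
                rwx_commits.setdefault(pid, []).append({
                    "base": f"0x{r['base']:08x}",
                    "size": r["size"],
                    "backed_by_reserve": (pid, r["base"]) in reserved,
                    "protection": decode_flags(r["protection"], PAGE_FLAGS),
                })
        elif r["api"] == "NtProtectVirtualMemory":
            in_module = MODULE_RANGE[0] <= r["base"] < MODULE_RANGE[1]
            reprotects.setdefault(pid, []).append({
                "base": f"0x{r['base']:08x}",
                "size": r["size"],
                "in_module_range": in_module,
            })
    return rwx_commits, reprotects


if __name__ == "__main__":
    commits, reprot = triage(RECORDS)
    for pid, items in commits.items():
        print(pid, "RWX commits:", items)
    for pid, items in reprot.items():
        print(pid, "RWX re-protections:", items)
```

The next step for the RWX commits is to dump the committed pages (the 4 KiB commit at 0x02f30000 and 0x04130000, for instance) and see whether they hold code; for the module-range re-protections the question is which module owns each page and what was written to it, which needs the process memory, not just this log.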
Time & API | Arguments | Status | Return | Repeated
GetDiskFreeSpaceExW | root_path \\?\C:\Users\test22\AppData\Roaming\AW Manager\Windows Manager 1.0.0\install\, total_number_of_bytes 0, total_number_of_free_bytes 0, free_bytes_available 0 | 0 | 0 |
GetDiskFreeSpaceExW | root_path \\?\C:\Users\test22\AppData\Roaming\AW Manager\Windows Manager 1.0.0\, total_number_of_bytes 0, total_number_of_free_bytes 0, free_bytes_available 0 | 0 | 0 |
GetDiskFreeSpaceExW | root_path \\?\C:\Users\test22\AppData\Roaming\AW Manager\, total_number_of_bytes 0, total_number_of_free_bytes 0, free_bytes_available 0 | 0 | 0 |
GetDiskFreeSpaceExW | root_path \\?\C:\Users\test22\AppData\Roaming\, total_number_of_bytes 10233008128, total_number_of_free_bytes 10233008128, free_bytes_available 10233008128 | 1 | 1 | 0
GetDiskFreeSpaceExW | root_path \\?\C:\Users\test22\AppData\Roaming\AW Manager\Windows Manager 1.0.0\install\, total_number_of_bytes 10232799232, total_number_of_free_bytes 10232799232, free_bytes_available 10232799232 | 1 | 1 | 0
GetDiskFreeSpaceExW | root_path \\?\C:\Users\test22\AppData\Roaming\AW Manager\Windows Manager 1.0.0\install\97FDF62\, total_number_of_bytes 10231304192, total_number_of_free_bytes 10231304192, free_bytes_available 10231304192 | 1 | 1 | 0
GetDiskFreeSpaceExW | root_path C:\, total_number_of_bytes 34252779520, total_number_of_free_bytes 10227830784, free_bytes_available 10227830784 | 1 | 1 | 0
GetDiskFreeSpaceW | root_path C:\, sectors_per_cluster 8, bytes_per_sector 512, total_number_of_clusters 8362495, number_of_free_clusters 2497029 | 1 | 1 | 0
GetDiskFreeSpaceExW | root_path C:\, total_number_of_bytes 34252779520, total_number_of_free_bytes 10227044352, free_bytes_available 10227044352 | 1 | 1 | 0
GetDiskFreeSpaceW | root_path C:\, sectors_per_cluster 8, bytes_per_sector 512, total_number_of_clusters 8362495, number_of_free_clusters 2496837 | 1 | 1 | 0
file C:\Users\test22\AppData\Roaming\AW Manager\Windows Manager 1.0.0\install\decoder.dll
file C:\Users\test22\AppData\Roaming\AW Manager\Windows Manager 1.0.0\install\97FDF62\Windows Manager - Postback Y.msi
file C:\Users\test22\AppData\Local\Temp\MSI30394\embeddeduiproxy.dll
file C:\Users\test22\AppData\Local\Temp\MSI8E18.tmp
file C:\Users\test22\AppData\Local\Temp\MSI30394\embeddeduiproxy.dll
file C:\Users\test22\AppData\Local\Temp\MSI8E86.tmp
file C:\Users\test22\AppData\Roaming\AW Manager\Windows Manager 1.0.0\install\decoder.dll
file C:\Users\test22\AppData\Local\Temp\MSI9C81.tmp
Time & API | Arguments | Status | Return | Repeated
LookupPrivilegeValueW | system_name: (empty), privilege_name: SeCreateTokenPrivilege | 1 | 1 | 0
LookupPrivilegeValueW | system_name: (empty), privilege_name: SeAssignPrimaryTokenPrivilege | 1 | 1 | 0
LookupPrivilegeValueW | system_name: (empty), privilege_name: SeMachineAccountPrivilege | 1 | 1 | 0
LookupPrivilegeValueW | system_name: (empty), privilege_name: SeTcbPrivilege | 1 | 1 | 0
LookupPrivilegeValueW | system_name: (empty), privilege_name: SeSecurityPrivilege | 1 | 1 | 0
LookupPrivilegeValueW | system_name: (empty), privilege_name: SeTakeOwnershipPrivilege | 1 | 1 | 0
LookupPrivilegeValueW | system_name: (empty), privilege_name: SeLoadDriverPrivilege | 1 | 1 | 0
LookupPrivilegeValueW | system_name: (empty), privilege_name: SeBackupPrivilege | 1 | 1 | 0
LookupPrivilegeValueW | system_name: (empty), privilege_name: SeRestorePrivilege | 1 | 1 | 0
LookupPrivilegeValueW | system_name: (empty), privilege_name: SeShutdownPrivilege | 1 | 1 | 0
LookupPrivilegeValueW | system_name: (empty), privilege_name: SeDebugPrivilege | 1 | 1 | 0
LookupPrivilegeValueW | system_name: (empty), privilege_name: SeRemoteShutdownPrivilege | 1 | 1 | 0
LookupPrivilegeValueW | system_name: (empty), privilege_name: SeEnableDelegationPrivilege | 1 | 1 | 0
LookupPrivilegeValueW | system_name: (empty), privilege_name: SeManageVolumePrivilege | 1 | 1 | 0
LookupPrivilegeValueW | system_name: (empty), privilege_name: SeCreateGlobalPrivilege | 1 | 1 | 0
LookupPrivilegeValueW | system_name: (empty), privilege_name: SeShutdownPrivilege | 1 | 1 | 0
LookupPrivilegeValueW | system_name: (empty), privilege_name: SeCreateTokenPrivilege | 1 | 1 | 0
LookupPrivilegeValueW | system_name: (empty), privilege_name: SeAssignPrimaryTokenPrivilege | 1 | 1 | 0
LookupPrivilegeValueW | system_name: (empty), privilege_name: SeMachineAccountPrivilege | 1 | 1 | 0
LookupPrivilegeValueW | system_name: (empty), privilege_name: SeTcbPrivilege | 1 | 1 | 0
LookupPrivilegeValueW | system_name: (empty), privilege_name: SeSecurityPrivilege | 1 | 1 | 0
LookupPrivilegeValueW | system_name: (empty), privilege_name: SeTakeOwnershipPrivilege | 1 | 1 | 0
LookupPrivilegeValueW | system_name: (empty), privilege_name: SeLoadDriverPrivilege | 1 | 1 | 0
LookupPrivilegeValueW | system_name: (empty), privilege_name: SeBackupPrivilege | 1 | 1 | 0
LookupPrivilegeValueW | system_name: (empty), privilege_name: SeRestorePrivilege | 1 | 1 | 0
LookupPrivilegeValueW | system_name: (empty), privilege_name: SeShutdownPrivilege | 1 | 1 | 0
LookupPrivilegeValueW | system_name: (empty), privilege_name: SeDebugPrivilege | 1 | 1 | 0
LookupPrivilegeValueW | system_name: (empty), privilege_name: SeRemoteShutdownPrivilege | 1 | 1 | 0
LookupPrivilegeValueW | system_name: (empty), privilege_name: SeEnableDelegationPrivilege | 1 | 1 | 0
LookupPrivilegeValueW | system_name: (empty), privilege_name: SeManageVolumePrivilege | 1 | 1 | 0
LookupPrivilegeValueW | system_name: (empty), privilege_name: SeCreateGlobalPrivilege | 1 | 1 | 0
Note: LookupPrivilegeValueW only resolves a privilege name to its LUID; it does not enable or grant anything. Enabling one would require a subsequent AdjustTokenPrivileges call, and none appears in this excerpt. The same 15-name list is walked twice, with an extra SeShutdownPrivilege lookup between the two passes.
buffer Buffer with sha1: c3b8f89b5346818dc3a5dae9a352bcd9a6961274
buffer Buffer with sha1: 26816dea6c5274208e07cfee13108976a7d8ba5c
buffer Buffer with sha1: 24f732917bba7f8e06359ceb122abb309a583511
buffer Buffer with sha1: 0674cccae8519c229d9a2c70ac9a24ded875df96
buffer Buffer with sha1: 231ac9daa6f34accc96e48c916281a5b93844a6d
buffer Buffer with sha1: 704d00610eda305f30fb0e5b8cc340360028c06c
buffer Buffer with sha1: 0a15086ccb936897cbd272b579c6bed354800227
buffer Buffer with sha1: ea9a48fd57fe97a8563d6acc1746a20e50d24a3a
file C:\Users\test22\AppData\Roaming\AW Manager\Windows Manager 1.0.0\install\97FDF62\Windows Manager - Postback Y.msi
Time & API | Arguments | Status | Return | Repeated
RegSetValueExA | regkey HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable, regkey_r ProxyEnable, reg_type 4 (REG_DWORD), value 0, key_handle 0x00000568 | 1 | 0 | 0
Lionic Adware.Win32.AdUpdater.2!c
CAT-QuickHeal Trojan.Win32
Cylance Unsafe
BitDefender Application.Bundler.CTT
Arcabit Application.Bundler.CTT
Cyren W32/Trojan.XXQL-5033
ESET-NOD32 Win64/Microleaves.A potentially unwanted
Kaspersky not-a-virus:HEUR:AdWare.Win32.AdUpdater.gen
Alibaba AdWare:Win64/Microleaves.60b6fb1c
MicroWorld-eScan Application.Bundler.CTT
Ad-Aware Application.Bundler.CTT
DrWeb Adware.OnlineGuard.9
VIPRE Trojan.Win32.Generic!BT
FireEye Application.Bundler.CTT
Emsisoft Application.Bundler.CTT (B)
Webroot W32.Adware.Gen
Gridinsoft PUP.Microleaves.sd!c
GData Application.Bundler.CTT
VBA32 TrojanProxy.Win64.Microleaves
ALYac Application.Bundler.CTT
MAX malware (ai score=76)
Malwarebytes PUP.Optional.Microleaves
Fortinet Riskware/Microleaves
MaxSecure Trojan.Malware.120249320.susgen