Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	April 24, 2023, 8:52 a.m.	April 24, 2023, 9 a.m.

Size	4.5MB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`fa24733f5a6a6f44d0e65d7d98b84aa6`
SHA256	`da1b144b5f908cb7e811489dfe660e06aa6df9c9158c6972ec9c79c48afacb7e`
CRC32	`AB274C8E`
ssdeep	`98304:5YoIz3Q2HM5Qp4WzMIaX8/BG6v/gIV0sba5mFkDzLb:5i3QDCpQaJGkDegFwL`
PDB Path	D:\ReleaseJob\win\Release\stubs\x86\ExternalUi.pdb
Yara	UPX_Zero - UPX packed file Win32_Trojan_Gen_2_0904B0_Zero - Win32 Trojan Gen OS_Processor_Check_Zero - OS Processor Check IsPE32 - (no description) PE_Header_Zero - PE File Signature Antivirus - Contains references to security software Malicious_Library_Zero - Malicious_Library

installer.exe "C:\Users\test22\AppData\Local\Temp\installer.exe"
1372
- msiexec.exe "C:\Windows\system32\msiexec.exe" /i "C:\Users\test22\AppData\Roaming\AW Manager\Windows Manager 1.0.0\install\97FDF62\Windows Manager - Postback Johan.msi" AI_SETUPEXEPATH=C:\Users\test22\AppData\Local\Temp\installer.exe SETUPEXEDIR=C:\Users\test22\AppData\Local\Temp\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1682293816 "
  2280

Name	Response	Post-Analysis Lookup
collect.installeranalytics.com	A 3.222.139.61 A 54.204.22.198	54.204.22.198
cacerts.digicert.com	CNAME fp2E7A.wpc.2BE4.phicdn.net CNAME fp2e7a.wpc.phicdn.net A 152.195.38.76	152.195.38.76

IP Address	Status	Action
152.195.38.76	Active	Moloch
164.124.101.2	Active	Moloch
54.204.22.198	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.103:49177 -> 54.204.22.198:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49171 -> 54.204.22.198:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49193 -> 54.204.22.198:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49205 -> 54.204.22.198:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49173 -> 54.204.22.198:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49175 -> 54.204.22.198:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49181 -> 54.204.22.198:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49174 -> 54.204.22.198:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49180 -> 54.204.22.198:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49176 -> 54.204.22.198:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49185 -> 54.204.22.198:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49188 -> 54.204.22.198:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49182 -> 54.204.22.198:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49186 -> 54.204.22.198:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49178 -> 54.204.22.198:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49190 -> 54.204.22.198:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49183 -> 54.204.22.198:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49184 -> 54.204.22.198:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49196 -> 54.204.22.198:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49195 -> 54.204.22.198:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49187 -> 54.204.22.198:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49197 -> 54.204.22.198:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49191 -> 54.204.22.198:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49198 -> 54.204.22.198:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49189 -> 54.204.22.198:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49201 -> 54.204.22.198:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49199 -> 54.204.22.198:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49200 -> 54.204.22.198:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49194 -> 54.204.22.198:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49217 -> 54.204.22.198:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49204 -> 54.204.22.198:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49203 -> 54.204.22.198:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49210 -> 54.204.22.198:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49179 -> 54.204.22.198:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49208 -> 54.204.22.198:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49207 -> 54.204.22.198:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49209 -> 54.204.22.198:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49212 -> 54.204.22.198:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49214 -> 54.204.22.198:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49192 -> 54.204.22.198:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49202 -> 54.204.22.198:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49206 -> 54.204.22.198:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49211 -> 54.204.22.198:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49213 -> 54.204.22.198:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49215 -> 54.204.22.198:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLSv1 192.168.56.103:49177 54.204.22.198:443	None	None	None
TLSv1 192.168.56.103:49193 54.204.22.198:443	None	None	None
TLSv1 192.168.56.103:49171 54.204.22.198:443	C=US, O=Amazon, CN=Amazon RSA 2048 M01	CN=installeranalytics.com	91:c7:41:e7:f2:b1:db:e8:52:e9:4a:c3:d0:2c:69:a9:7b:47:7e:00
TLSv1 192.168.56.103:49205 54.204.22.198:443	None	None	None
TLSv1 192.168.56.103:49173 54.204.22.198:443	None	None	None
TLSv1 192.168.56.103:49175 54.204.22.198:443	None	None	None
TLSv1 192.168.56.103:49181 54.204.22.198:443	None	None	None
TLSv1 192.168.56.103:49174 54.204.22.198:443	None	None	None
TLSv1 192.168.56.103:49180 54.204.22.198:443	None	None	None
TLSv1 192.168.56.103:49176 54.204.22.198:443	None	None	None
TLSv1 192.168.56.103:49185 54.204.22.198:443	None	None	None
TLSv1 192.168.56.103:49188 54.204.22.198:443	None	None	None
TLSv1 192.168.56.103:49182 54.204.22.198:443	None	None	None
TLSv1 192.168.56.103:49186 54.204.22.198:443	None	None	None
TLSv1 192.168.56.103:49178 54.204.22.198:443	None	None	None
TLSv1 192.168.56.103:49183 54.204.22.198:443	None	None	None
TLSv1 192.168.56.103:49190 54.204.22.198:443	None	None	None
TLSv1 192.168.56.103:49184 54.204.22.198:443	None	None	None
TLSv1 192.168.56.103:49196 54.204.22.198:443	None	None	None
TLSv1 192.168.56.103:49195 54.204.22.198:443	None	None	None
TLSv1 192.168.56.103:49187 54.204.22.198:443	None	None	None
TLSv1 192.168.56.103:49197 54.204.22.198:443	None	None	None
TLSv1 192.168.56.103:49191 54.204.22.198:443	None	None	None
TLSv1 192.168.56.103:49198 54.204.22.198:443	None	None	None
TLSv1 192.168.56.103:49189 54.204.22.198:443	None	None	None
TLSv1 192.168.56.103:49201 54.204.22.198:443	None	None	None
TLSv1 192.168.56.103:49199 54.204.22.198:443	None	None	None
TLSv1 192.168.56.103:49200 54.204.22.198:443	None	None	None
TLSv1 192.168.56.103:49194 54.204.22.198:443	None	None	None
TLSv1 192.168.56.103:49203 54.204.22.198:443	None	None	None
TLSv1 192.168.56.103:49217 54.204.22.198:443	C=US, O=Amazon, CN=Amazon RSA 2048 M01	CN=installeranalytics.com	91:c7:41:e7:f2:b1:db:e8:52:e9:4a:c3:d0:2c:69:a9:7b:47:7e:00
TLSv1 192.168.56.103:49210 54.204.22.198:443	None	None	None
TLSv1 192.168.56.103:49204 54.204.22.198:443	None	None	None
TLSv1 192.168.56.103:49208 54.204.22.198:443	None	None	None
TLSv1 192.168.56.103:49207 54.204.22.198:443	None	None	None
TLSv1 192.168.56.103:49209 54.204.22.198:443	None	None	None
TLSv1 192.168.56.103:49212 54.204.22.198:443	None	None	None
TLSv1 192.168.56.103:49214 54.204.22.198:443	None	None	None
TLSv1 192.168.56.103:49179 54.204.22.198:443	None	None	None
TLSv1 192.168.56.103:49192 54.204.22.198:443	None	None	None
TLSv1 192.168.56.103:49202 54.204.22.198:443	None	None	None
TLSv1 192.168.56.103:49206 54.204.22.198:443	None	None	None
TLSv1 192.168.56.103:49211 54.204.22.198:443	None	None	None
TLSv1 192.168.56.103:49213 54.204.22.198:443	None	None	None
TLSv1 192.168.56.103:49215 54.204.22.198:443	None	None	None

Queries for the computername (7 events)

Time & API	Arguments	Status	Return
GetComputerNameW April 24, 2023, 8:52 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA April 24, 2023, 8:53 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 24, 2023, 8:53 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 24, 2023, 8:53 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 24, 2023, 8:52 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA April 24, 2023, 8:52 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 24, 2023, 8:52 a.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (1 event)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent April 24, 2023, 8:52 a.m.			0	0

This executable has a PDB path (1 event)

pdb_path

D:\ReleaseJob\win\Release\stubs\x86\ExternalUi.pdb

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx April 24, 2023, 8:52 a.m.		1	1	0

The file contains an unknown PE resource name possibly indicative of a packer (2 events)

resource name	IMAGE_FILE
resource name	RTF_FILE

One or more processes crashed (2 events)

Time & API	Arguments	Status	Return	Repeated
__exception__ April 24, 2023, 8:53 a.m.	stacktrace: RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x754c374b DllDebugObjectRPCHook+0x108 HACCEL_UserFree-0x5 ole32+0x13f777 @ 0x75c6f777 NdrPointerFree+0x1b9 IUnknown_Release_Proxy-0xb rpcrt4+0x3419a @ 0x754d419a NdrClientCall2+0x118 RpcAsyncInitializeHandle-0xf1 rpcrt4+0xb011d @ 0x7555011d WdtpInterfacePointer_UserUnmarshal+0x166b DllDebugObjectRPCHook-0x2d8d ole32+0x13c8e2 @ 0x75c6c8e2 CoRegisterMessageFilter+0x32b4 ObjectStublessClient5-0x1db5 ole32+0x398ad @ 0x75b698ad CoRegisterMessageFilter+0x5048 ObjectStublessClient5-0x21 ole32+0x3b641 @ 0x75b6b641 CoRegisterMessageFilter+0x4ff4 ObjectStublessClient5-0x75 ole32+0x3b5ed @ 0x75b6b5ed CoRegisterMessageFilter+0x4b79 ObjectStublessClient5-0x4f0 ole32+0x3b172 @ 0x75b6b172 CoRegisterMessageFilter+0x4075 ObjectStublessClient5-0xff4 ole32+0x3a66e @ 0x75b6a66e StgOpenStorage+0x14f2 CoSetProxyBlanket-0x1a5 ole32+0x15d00 @ 0x75b45d00 StgOpenStorage+0x14d3 CoSetProxyBlanket-0x1c4 ole32+0x15ce1 @ 0x75b45ce1 StgOpenStorage+0x1531 CoSetProxyBlanket-0x166 ole32+0x15d3f @ 0x75b45d3f SetErrorInfo+0x70f CoRevokeInitializeSpy-0x802 ole32+0x48f82 @ 0x75b78f82 SetErrorInfo+0x650 CoRevokeInitializeSpy-0x8c1 ole32+0x48ec3 @ 0x75b78ec3 PropVariantCopy+0xfe CoFreeAllLibraries-0x2406 ole32+0x3bac3 @ 0x75b6bac3 SetErrorInfo+0x75 CoRevokeInitializeSpy-0xe9c ole32+0x488e8 @ 0x75b788e8 New_ole32_CoUninitialize@0+0x55 New_ole32_OleConvertOLESTREAMToIStorage@12-0x58 @ 0x746c5180 MsiSetOfflineContextW+0x898a6 msi+0x161bab @ 0x744c1bab BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757f33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0x800706ba exception.offset: 46887 exception.address: 0x7559b727 registers.esp: 94105748 registers.edi: 1974991376 registers.eax: 94105748 registers.ebp: 94105828 registers.edx: 2147944122 registers.ebx: 10646764 registers.esi: 2147944122 registers.ecx: 0	1	0	0
__exception__ April 24, 2023, 8:53 a.m.	stacktrace: RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x754c374b DllDebugObjectRPCHook+0x108 HACCEL_UserFree-0x5 ole32+0x13f777 @ 0x75c6f777 NdrPointerFree+0x1b9 IUnknown_Release_Proxy-0xb rpcrt4+0x3419a @ 0x754d419a NdrClientCall2+0x118 RpcAsyncInitializeHandle-0xf1 rpcrt4+0xb011d @ 0x7555011d WdtpInterfacePointer_UserUnmarshal+0x166b DllDebugObjectRPCHook-0x2d8d ole32+0x13c8e2 @ 0x75c6c8e2 CoRegisterMessageFilter+0x32b4 ObjectStublessClient5-0x1db5 ole32+0x398ad @ 0x75b698ad CoRegisterMessageFilter+0x5048 ObjectStublessClient5-0x21 ole32+0x3b641 @ 0x75b6b641 CoRegisterMessageFilter+0x4ff4 ObjectStublessClient5-0x75 ole32+0x3b5ed @ 0x75b6b5ed CoRegisterMessageFilter+0x4b79 ObjectStublessClient5-0x4f0 ole32+0x3b172 @ 0x75b6b172 CoRegisterMessageFilter+0x4075 ObjectStublessClient5-0xff4 ole32+0x3a66e @ 0x75b6a66e StgOpenStorage+0x14f2 CoSetProxyBlanket-0x1a5 ole32+0x15d00 @ 0x75b45d00 StgOpenStorage+0x14d3 CoSetProxyBlanket-0x1c4 ole32+0x15ce1 @ 0x75b45ce1 StgOpenStorage+0x1531 CoSetProxyBlanket-0x166 ole32+0x15d3f @ 0x75b45d3f SetErrorInfo+0x70f CoRevokeInitializeSpy-0x802 ole32+0x48f82 @ 0x75b78f82 SetErrorInfo+0x650 CoRevokeInitializeSpy-0x8c1 ole32+0x48ec3 @ 0x75b78ec3 PropVariantCopy+0xfe CoFreeAllLibraries-0x2406 ole32+0x3bac3 @ 0x75b6bac3 SetErrorInfo+0x75 CoRevokeInitializeSpy-0xe9c ole32+0x488e8 @ 0x75b788e8 New_ole32_CoUninitialize@0+0x55 New_ole32_OleConvertOLESTREAMToIStorage@12-0x58 @ 0x746c5180 MsiSetOfflineContextW+0x898a6 msi+0x161bab @ 0x744c1bab BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757f33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0x800706ba exception.offset: 46887 exception.address: 0x7559b727 registers.esp: 67039688 registers.edi: 1974991376 registers.eax: 67039688 registers.ebp: 67039768 registers.edx: 2147944122 registers.ebx: 62387084 registers.esi: 2147944122 registers.ecx: 0	1	0	0

Time & API

Arguments

Status

Return

Repeated

__exception__

April 24, 2023, 8:53 a.m.

stacktrace:

RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x754c374b
DllDebugObjectRPCHook+0x108 HACCEL_UserFree-0x5 ole32+0x13f777 @ 0x75c6f777
NdrPointerFree+0x1b9 IUnknown_Release_Proxy-0xb rpcrt4+0x3419a @ 0x754d419a
NdrClientCall2+0x118 RpcAsyncInitializeHandle-0xf1 rpcrt4+0xb011d @ 0x7555011d
WdtpInterfacePointer_UserUnmarshal+0x166b DllDebugObjectRPCHook-0x2d8d ole32+0x13c8e2 @ 0x75c6c8e2
CoRegisterMessageFilter+0x32b4 ObjectStublessClient5-0x1db5 ole32+0x398ad @ 0x75b698ad
CoRegisterMessageFilter+0x5048 ObjectStublessClient5-0x21 ole32+0x3b641 @ 0x75b6b641
CoRegisterMessageFilter+0x4ff4 ObjectStublessClient5-0x75 ole32+0x3b5ed @ 0x75b6b5ed
CoRegisterMessageFilter+0x4b79 ObjectStublessClient5-0x4f0 ole32+0x3b172 @ 0x75b6b172
CoRegisterMessageFilter+0x4075 ObjectStublessClient5-0xff4 ole32+0x3a66e @ 0x75b6a66e
StgOpenStorage+0x14f2 CoSetProxyBlanket-0x1a5 ole32+0x15d00 @ 0x75b45d00
StgOpenStorage+0x14d3 CoSetProxyBlanket-0x1c4 ole32+0x15ce1 @ 0x75b45ce1
StgOpenStorage+0x1531 CoSetProxyBlanket-0x166 ole32+0x15d3f @ 0x75b45d3f
SetErrorInfo+0x70f CoRevokeInitializeSpy-0x802 ole32+0x48f82 @ 0x75b78f82
SetErrorInfo+0x650 CoRevokeInitializeSpy-0x8c1 ole32+0x48ec3 @ 0x75b78ec3
PropVariantCopy+0xfe CoFreeAllLibraries-0x2406 ole32+0x3bac3 @ 0x75b6bac3
SetErrorInfo+0x75 CoRevokeInitializeSpy-0xe9c ole32+0x488e8 @ 0x75b788e8
New_ole32_CoUninitialize@0+0x55 New_ole32_OleConvertOLESTREAMToIStorage@12-0x58 @ 0x746c5180
MsiSetOfflineContextW+0x898a6 msi+0x161bab @ 0x744c1bab
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757f33ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5

exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b
exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727
exception.instruction: leave
exception.module: KERNELBASE.dll
exception.exception_code: 0x800706ba
exception.offset: 46887
exception.address: 0x7559b727
registers.esp: 94105748
registers.edi: 1974991376
registers.eax: 94105748
registers.ebp: 94105828
registers.edx: 2147944122
registers.ebx: 10646764
registers.esi: 2147944122
registers.ecx: 0

__exception__

April 24, 2023, 8:53 a.m.

stacktrace:

RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x754c374b
DllDebugObjectRPCHook+0x108 HACCEL_UserFree-0x5 ole32+0x13f777 @ 0x75c6f777
NdrPointerFree+0x1b9 IUnknown_Release_Proxy-0xb rpcrt4+0x3419a @ 0x754d419a
NdrClientCall2+0x118 RpcAsyncInitializeHandle-0xf1 rpcrt4+0xb011d @ 0x7555011d
WdtpInterfacePointer_UserUnmarshal+0x166b DllDebugObjectRPCHook-0x2d8d ole32+0x13c8e2 @ 0x75c6c8e2
CoRegisterMessageFilter+0x32b4 ObjectStublessClient5-0x1db5 ole32+0x398ad @ 0x75b698ad
CoRegisterMessageFilter+0x5048 ObjectStublessClient5-0x21 ole32+0x3b641 @ 0x75b6b641
CoRegisterMessageFilter+0x4ff4 ObjectStublessClient5-0x75 ole32+0x3b5ed @ 0x75b6b5ed
CoRegisterMessageFilter+0x4b79 ObjectStublessClient5-0x4f0 ole32+0x3b172 @ 0x75b6b172
CoRegisterMessageFilter+0x4075 ObjectStublessClient5-0xff4 ole32+0x3a66e @ 0x75b6a66e
StgOpenStorage+0x14f2 CoSetProxyBlanket-0x1a5 ole32+0x15d00 @ 0x75b45d00
StgOpenStorage+0x14d3 CoSetProxyBlanket-0x1c4 ole32+0x15ce1 @ 0x75b45ce1
StgOpenStorage+0x1531 CoSetProxyBlanket-0x166 ole32+0x15d3f @ 0x75b45d3f
SetErrorInfo+0x70f CoRevokeInitializeSpy-0x802 ole32+0x48f82 @ 0x75b78f82
SetErrorInfo+0x650 CoRevokeInitializeSpy-0x8c1 ole32+0x48ec3 @ 0x75b78ec3
PropVariantCopy+0xfe CoFreeAllLibraries-0x2406 ole32+0x3bac3 @ 0x75b6bac3
SetErrorInfo+0x75 CoRevokeInitializeSpy-0xe9c ole32+0x488e8 @ 0x75b788e8
New_ole32_CoUninitialize@0+0x55 New_ole32_OleConvertOLESTREAMToIStorage@12-0x58 @ 0x746c5180
MsiSetOfflineContextW+0x898a6 msi+0x161bab @ 0x744c1bab
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757f33ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5

exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b
exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727
exception.instruction: leave
exception.module: KERNELBASE.dll
exception.exception_code: 0x800706ba
exception.offset: 46887
exception.address: 0x7559b727
registers.esp: 67039688
registers.edi: 1974991376
registers.eax: 67039688
registers.ebp: 67039768
registers.edx: 2147944122
registers.ebx: 62387084
registers.esi: 2147944122
registers.ecx: 0

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

HTTP traffic contains suspicious features which may be indicative of malware related traffic (1 event)

suspicious_features

POST method with no referer header

suspicious_request

POST https://collect.installeranalytics.com/

Performs some HTTP requests (3 events)

request	GET http://cacerts.digicert.com/DigiCertGlobalRootG3.crt
request	GET http://cacerts.digicert.com/DigiCertTrustedRootG4.crt
request	POST https://collect.installeranalytics.com/

Sends data using the HTTP POST Method (1 event)

request

POST https://collect.installeranalytics.com/

Allocates read-write-execute memory (usually to unpack itself) (30 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory April 24, 2023, 8:52 a.m.	process_identifier: 1372 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00750000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 24, 2023, 8:52 a.m.	process_identifier: 1372 region_size: 1114112 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x041c0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 24, 2023, 8:52 a.m.	process_identifier: 1372 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04290000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 24, 2023, 8:52 a.m.	process_identifier: 1372 region_size: 1638400 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04ce0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 24, 2023, 8:52 a.m.	process_identifier: 1372 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04e30000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory April 24, 2023, 8:52 a.m.	process_identifier: 2280 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73e71000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 24, 2023, 8:52 a.m.	process_identifier: 2280 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73bf1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 24, 2023, 8:52 a.m.	process_identifier: 2280 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73c51000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 24, 2023, 8:52 a.m.	process_identifier: 2280 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x734a1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 24, 2023, 8:52 a.m.	process_identifier: 2280 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73491000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 24, 2023, 8:52 a.m.	process_identifier: 2280 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73471000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 24, 2023, 8:52 a.m.	process_identifier: 2280 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75201000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 24, 2023, 8:52 a.m.	process_identifier: 2280 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76971000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 24, 2023, 8:52 a.m.	process_identifier: 2280 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74fc1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 24, 2023, 8:52 a.m.	process_identifier: 2280 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73001000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 24, 2023, 8:52 a.m.	process_identifier: 2280 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72fb1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 24, 2023, 8:52 a.m.	process_identifier: 2280 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74961000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 24, 2023, 8:52 a.m.	process_identifier: 2280 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72f71000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 24, 2023, 8:52 a.m.	process_identifier: 2280 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72f31000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 24, 2023, 8:52 a.m.	process_identifier: 2280 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75291000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 24, 2023, 8:52 a.m.	process_identifier: 2280 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72f21000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 24, 2023, 8:52 a.m.	process_identifier: 2280 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72ca1000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 24, 2023, 8:52 a.m.	process_identifier: 2280 region_size: 2097152 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04040000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 24, 2023, 8:52 a.m.	process_identifier: 2280 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04200000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory April 24, 2023, 8:52 a.m.	process_identifier: 2280 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72c92000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 24, 2023, 8:52 a.m.	process_identifier: 2280 region_size: 2097152 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04240000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 24, 2023, 8:52 a.m.	process_identifier: 2280 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04400000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory April 24, 2023, 8:52 a.m.	process_identifier: 2280 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x734d1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 24, 2023, 8:52 a.m.	process_identifier: 2280 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75ab1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 24, 2023, 8:52 a.m.	process_identifier: 2280 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73271000 process_handle: 0xffffffff	1

Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation (10 events)

Time & API	Arguments	Status	Return
GetDiskFreeSpaceExW April 24, 2023, 8:52 a.m.	total_number_of_free_bytes: 0 free_bytes_available: 0 root_path: \\?\C:\Users\test22\AppData\Roaming\AW Manager\Windows Manager 1.0.0\install\ total_number_of_bytes: 0		0
GetDiskFreeSpaceExW April 24, 2023, 8:52 a.m.	total_number_of_free_bytes: 0 free_bytes_available: 0 root_path: \\?\C:\Users\test22\AppData\Roaming\AW Manager\Windows Manager 1.0.0\ total_number_of_bytes: 0		0
GetDiskFreeSpaceExW April 24, 2023, 8:52 a.m.	total_number_of_free_bytes: 0 free_bytes_available: 0 root_path: \\?\C:\Users\test22\AppData\Roaming\AW Manager\ total_number_of_bytes: 0		0
GetDiskFreeSpaceExW April 24, 2023, 8:52 a.m.	total_number_of_free_bytes: 9931223040 free_bytes_available: 9931223040 root_path: \\?\C:\Users\test22\AppData\Roaming\ total_number_of_bytes: 9931223040	1	1
GetDiskFreeSpaceExW April 24, 2023, 8:52 a.m.	total_number_of_free_bytes: 9931010048 free_bytes_available: 9931010048 root_path: \\?\C:\Users\test22\AppData\Roaming\AW Manager\Windows Manager 1.0.0\install\ total_number_of_bytes: 9931010048	1	1
GetDiskFreeSpaceExW April 24, 2023, 8:52 a.m.	total_number_of_free_bytes: 9929981952 free_bytes_available: 9929981952 root_path: \\?\C:\Users\test22\AppData\Roaming\AW Manager\Windows Manager 1.0.0\install\97FDF62\ total_number_of_bytes: 9929981952	1	1
GetDiskFreeSpaceExW April 24, 2023, 8:52 a.m.	total_number_of_free_bytes: 9925984256 free_bytes_available: 9925984256 root_path: C:\ total_number_of_bytes: 34252779520	1	1
GetDiskFreeSpaceW April 24, 2023, 8:52 a.m.	number_of_free_clusters: 2423336 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: C:\ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceExW April 24, 2023, 8:52 a.m.	total_number_of_free_bytes: 9925173248 free_bytes_available: 9925173248 root_path: C:\ total_number_of_bytes: 34252779520	1	1
GetDiskFreeSpaceW April 24, 2023, 8:52 a.m.	number_of_free_clusters: 2423138 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: C:\ total_number_of_clusters: 8362495	1	1

Creates executable files on the filesystem (3 events)

file	C:\Users\test22\AppData\Roaming\AW Manager\Windows Manager 1.0.0\install\decoder.dll
file	C:\Users\test22\AppData\Local\Temp\MSI9228\embeddeduiproxy.dll
file	C:\Users\test22\AppData\Roaming\AW Manager\Windows Manager 1.0.0\install\97FDF62\Windows Manager - Postback Johan.msi

Drops an executable to the user AppData folder (5 events)

file	C:\Users\test22\AppData\Roaming\AW Manager\Windows Manager 1.0.0\install\decoder.dll
file	C:\Users\test22\AppData\Local\Temp\MSIC3D9.tmp
file	C:\Users\test22\AppData\Local\Temp\MSIC774.tmp
file	C:\Users\test22\AppData\Local\Temp\MSI9228\embeddeduiproxy.dll
file	C:\Users\test22\AppData\Local\Temp\MSIC39A.tmp

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses April 24, 2023, 8:52 a.m.	flags: 15 family: 0		111	0

Checks for the Locally Unique Identifier on the system for a suspicious privilege (31 events)

Time & API	Arguments	Status	Return
LookupPrivilegeValueW April 24, 2023, 8:52 a.m.	system_name: privilege_name: SeCreateTokenPrivilege	1	1
LookupPrivilegeValueW April 24, 2023, 8:52 a.m.	system_name: privilege_name: SeAssignPrimaryTokenPrivilege	1	1
LookupPrivilegeValueW April 24, 2023, 8:52 a.m.	system_name: privilege_name: SeMachineAccountPrivilege	1	1
LookupPrivilegeValueW April 24, 2023, 8:52 a.m.	system_name: privilege_name: SeTcbPrivilege	1	1
LookupPrivilegeValueW April 24, 2023, 8:52 a.m.	system_name: privilege_name: SeSecurityPrivilege	1	1
LookupPrivilegeValueW April 24, 2023, 8:52 a.m.	system_name: privilege_name: SeTakeOwnershipPrivilege	1	1
LookupPrivilegeValueW April 24, 2023, 8:52 a.m.	system_name: privilege_name: SeLoadDriverPrivilege	1	1
LookupPrivilegeValueW April 24, 2023, 8:52 a.m.	system_name: privilege_name: SeBackupPrivilege	1	1
LookupPrivilegeValueW April 24, 2023, 8:52 a.m.	system_name: privilege_name: SeRestorePrivilege	1	1
LookupPrivilegeValueW April 24, 2023, 8:52 a.m.	system_name: privilege_name: SeShutdownPrivilege	1	1
LookupPrivilegeValueW April 24, 2023, 8:52 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW April 24, 2023, 8:52 a.m.	system_name: privilege_name: SeRemoteShutdownPrivilege	1	1
LookupPrivilegeValueW April 24, 2023, 8:52 a.m.	system_name: privilege_name: SeEnableDelegationPrivilege	1	1
LookupPrivilegeValueW April 24, 2023, 8:52 a.m.	system_name: privilege_name: SeManageVolumePrivilege	1	1
LookupPrivilegeValueW April 24, 2023, 8:52 a.m.	system_name: privilege_name: SeCreateGlobalPrivilege	1	1
LookupPrivilegeValueW April 24, 2023, 8:52 a.m.	system_name: privilege_name: SeShutdownPrivilege	1	1
LookupPrivilegeValueW April 24, 2023, 8:52 a.m.	system_name: privilege_name: SeCreateTokenPrivilege	1	1
LookupPrivilegeValueW April 24, 2023, 8:52 a.m.	system_name: privilege_name: SeAssignPrimaryTokenPrivilege	1	1
LookupPrivilegeValueW April 24, 2023, 8:52 a.m.	system_name: privilege_name: SeMachineAccountPrivilege	1	1
LookupPrivilegeValueW April 24, 2023, 8:52 a.m.	system_name: privilege_name: SeTcbPrivilege	1	1
LookupPrivilegeValueW April 24, 2023, 8:52 a.m.	system_name: privilege_name: SeSecurityPrivilege	1	1
LookupPrivilegeValueW April 24, 2023, 8:52 a.m.	system_name: privilege_name: SeTakeOwnershipPrivilege	1	1
LookupPrivilegeValueW April 24, 2023, 8:52 a.m.	system_name: privilege_name: SeLoadDriverPrivilege	1	1
LookupPrivilegeValueW April 24, 2023, 8:52 a.m.	system_name: privilege_name: SeBackupPrivilege	1	1
LookupPrivilegeValueW April 24, 2023, 8:52 a.m.	system_name: privilege_name: SeRestorePrivilege	1	1
LookupPrivilegeValueW April 24, 2023, 8:52 a.m.	system_name: privilege_name: SeShutdownPrivilege	1	1
LookupPrivilegeValueW April 24, 2023, 8:52 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW April 24, 2023, 8:52 a.m.	system_name: privilege_name: SeRemoteShutdownPrivilege	1	1
LookupPrivilegeValueW April 24, 2023, 8:52 a.m.	system_name: privilege_name: SeEnableDelegationPrivilege	1	1
LookupPrivilegeValueW April 24, 2023, 8:52 a.m.	system_name: privilege_name: SeManageVolumePrivilege	1	1
LookupPrivilegeValueW April 24, 2023, 8:52 a.m.	system_name: privilege_name: SeCreateGlobalPrivilege	1	1

One or more of the buffers contains an embedded PE file (8 events)

buffer	Buffer with sha1: b9a39bd56f19698cfae78cd1364892f9fdc08e1f
buffer	Buffer with sha1: 5d522d6e14ef34a06013f43bccf021e6caf6f148
buffer	Buffer with sha1: b4d17b7463adb9921630d125bb95854228360a4b
buffer	Buffer with sha1: 0a3b43ce625c764037ea6acbce0f9b1b60afba9d
buffer	Buffer with sha1: 2c21249b59d286ef7ad6fd20b1e9f42265258a0e
buffer	Buffer with sha1: 93ffe0b36e6c6e4af95f2e1e90766eb44e767265
buffer	Buffer with sha1: ca4715b1ec28e77397cccda667f89b0a748688ee
buffer	Buffer with sha1: a639c876b5bff89d44074497f16810c00d1fe82d

Deletes executed files from disk (1 event)

file	C:\Users\test22\AppData\Roaming\AW Manager\Windows Manager 1.0.0\install\97FDF62\Windows Manager - Postback Johan.msi

Disables proxy possibly for traffic interception (1 event)

Time & API	Arguments	Status	Return	Repeated
RegSetValueExA April 24, 2023, 8:53 a.m.	key_handle: 0x000005e0 regkey_r: ProxyEnable reg_type: 4 (REG_DWORD) value: 0 regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable	1	0	0

Attempts to create or modify system certificates (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F81F111D0E5AB58D396F7BF525577FD30FDC95AA\Blob

File has been identified by 41 AntiVirus engines on VirusTotal as malicious (41 events)

Lionic	Trojan.Win32.Microleaves.4!c
MicroWorld-eScan	Trojan.GenericKD.65705581
FireEye	Trojan.GenericKD.65705581
CAT-QuickHeal	Trojan.Win64
McAfee	Artemis!FA24733F5A6A
Malwarebytes	Trojan.Dropper
Alibaba	Trojan:Win64/Microleaves.048d3f89
Arcabit	Trojan.Generic.D3EA966D
VirIT	PUP.Win32.MicroLeaves.A
Cyren	W32/ABRisk.NACY-6155
Symantec	Trojan.Gen.MBT
Paloalto	generic.ml
Cynet	Malicious (score: 99)
Kaspersky	HEUR:Trojan-Proxy.Win64.Microleaves.gen
BitDefender	Trojan.GenericKD.65705581
NANO-Antivirus	Trojan.Win32.OnlineGuard.jrqmwz
Avast	Win32:Malware-gen
Emsisoft	Trojan.GenericKD.65705581 (B)
F-Secure	Trojan.TR/Redcap.eotnr
DrWeb	Adware.OnlineGuard.10
VIPRE	Trojan.GenericKD.65705581
McAfee-GW-Edition	Artemis!Trojan
Trapmine	malicious.high.ml.score
Sophos	Generic Reputation PUA (PUA)
Webroot	W32.Trojan.Gen
Avira	TR/Redcap.eotnr
Gridinsoft	PUP.Microleaves.sd!c
Xcitium	Malware@#2se21unwb8xl9
Microsoft	Trojan:Win32/Mamson.A!ac
ZoneAlarm	HEUR:Trojan-Proxy.Win64.Microleaves.gen
GData	Trojan.GenericKD.65705581
Google	Detected
MAX	malware (ai score=100)
Cylance	unsafe
Panda	Trj/CI.A
TrendMicro-HouseCall	TROJ_GEN.R04AH07EI22
Rising	Trojan.Microleaves!8.13796 (CLOUD)
MaxSecure	Trojan.Malware.119942019.susgen
Fortinet	W32/PossibleThreat
AVG	Win32:Malware-gen
DeepInstinct	MALICIOUS

installer.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All