Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	July 1, 2024, 3:19 p.m.	July 1, 2024, 3:22 p.m.

Size	25.3MB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`044b5657529471e023ee2da2dad94cfa`
SHA256	`0c6ed6426c29681b003b89bd43cb5a2ceb88d8ebb5a282a69fba0694c00faa5e`
CRC32	`74EAAD7D`
ssdeep	`786432:wBf+2b1qWyXlqN0WNXI8eLHTs3rdrpunA4:wxbqgN0WjeLQunA4`
Yara	Malicious_Library_Zero - Malicious_Library PE_Header_Zero - PE File Signature IsPE32 - (no description) UPX_Zero - UPX packed file mzp_file_format - MZP(Delphi) file format OS_Processor_Check_Zero - OS Processor Check

outbyte-pc-repair.exe "C:\Users\test22\AppData\Local\Temp\outbyte-pc-repair.exe"
2636
- Installer.exe "C:\Users\test22\AppData\Local\Temp\is-14082807.tmp\Installer.exe" /spid:2636 /splha:31467424
  2764

Name	Response	Post-Analysis Lookup
www.google-analytics.com	A 172.217.24.78	216.239.34.178
outbyte.com	A 45.33.97.245	45.33.97.245

IP Address	Status	Action
164.124.101.2	Active	Moloch
172.217.24.78	Active	Moloch
45.33.97.245	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.101:49168 -> 45.33.97.245:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49164 -> 45.33.97.245:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49171 -> 172.217.24.78:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49169 -> 45.33.97.245:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49170 -> 45.33.97.245:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLSv1 192.168.56.101:49168 45.33.97.245:443	C=US, O=DigiCert Inc, OU=www.digicert.com, CN=RapidSSL TLS RSA CA G1	CN=*.outbyte.com	d0:6e:29:18:9d:1c:99:37:a3:15:37:81:63:0c:69:08:8a:6c:31:4f
TLSv1 192.168.56.101:49164 45.33.97.245:443	C=US, O=DigiCert Inc, OU=www.digicert.com, CN=RapidSSL TLS RSA CA G1	CN=*.outbyte.com	d0:6e:29:18:9d:1c:99:37:a3:15:37:81:63:0c:69:08:8a:6c:31:4f
TLSv1 192.168.56.101:49171 172.217.24.78:443	C=US, O=Google Trust Services, CN=WR2	CN=*.google-analytics.com	ba:5d:a9:7f:41:46:b0:37:01:9e:05:b0:92:ba:41:c9:31:5b:4b:4a
TLSv1 192.168.56.101:49169 45.33.97.245:443	C=US, O=DigiCert Inc, OU=www.digicert.com, CN=RapidSSL TLS RSA CA G1	CN=*.outbyte.com	d0:6e:29:18:9d:1c:99:37:a3:15:37:81:63:0c:69:08:8a:6c:31:4f
TLSv1 192.168.56.101:49170 45.33.97.245:443	C=US, O=DigiCert Inc, OU=www.digicert.com, CN=RapidSSL TLS RSA CA G1	CN=*.outbyte.com	d0:6e:29:18:9d:1c:99:37:a3:15:37:81:63:0c:69:08:8a:6c:31:4f

Queries for the computername (2 events)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameW July 1, 2024, 3:20 p.m.	computer_name: TEST22-PC	1	1	0
GetComputerNameW July 1, 2024, 3:20 p.m.	computer_name: TEST22-PC	1	1	0

Checks if process is being debugged by a debugger (11 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent July 1, 2024, 3:19 p.m.			0	0
IsDebuggerPresent July 1, 2024, 3:19 p.m.			0	0
IsDebuggerPresent July 1, 2024, 3:19 p.m.			0	0
IsDebuggerPresent July 1, 2024, 3:19 p.m.			0	0
IsDebuggerPresent July 1, 2024, 3:20 p.m.			0	0
IsDebuggerPresent July 1, 2024, 3:20 p.m.			0	0
IsDebuggerPresent July 1, 2024, 3:20 p.m.			0	0
IsDebuggerPresent July 1, 2024, 3:20 p.m.			0	0
IsDebuggerPresent July 1, 2024, 3:20 p.m.			0	0
IsDebuggerPresent July 1, 2024, 3:20 p.m.			0	0
IsDebuggerPresent July 1, 2024, 3:20 p.m.			0	0

At least one process apparently crashed during execution (1 event)

Time & API	Arguments	Status	Return	Repeated
LdrLoadDll July 1, 2024, 3:19 p.m.	module_name: FaultRep.dll basename: FaultRep stack_pivoted: 0 flags: 0 module_address: 0x72ab0000	1	0	0

Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\MachineGuid

Tries to locate where the browsers are installed (2 events)

file	C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
file	C:\Program Files\Mozilla Firefox\firefox.exe

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx July 1, 2024, 3:20 p.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (2 events)

section	.itext
section	.didata

One or more processes crashed (7 events)

Time & API	Arguments	Status
__exception__ July 1, 2024, 3:20 p.m.	stacktrace: TMethodImplementationIntercept+0x212c2d SHFreeMem-0x4c3 setuphelper+0x277da9 @ 0xc9a7da9 TMethodImplementationIntercept+0x212c2d SHFreeMem-0x4c3 setuphelper+0x277da9 @ 0xc9a7da9 SHGetParameter+0x110 SHPerformOperation-0x2f4 setuphelper+0x278790 @ 0xc9a8790 madTraceProcess+0x382c6 dbkFCallWrapperAddr-0x62cce installer+0xa733e @ 0x4a733e madTraceProcess+0x38361 dbkFCallWrapperAddr-0x62c33 installer+0xa73d9 @ 0x4a73d9 madTraceProcess+0x37fbb dbkFCallWrapperAddr-0x62fd9 installer+0xa7033 @ 0x4a7033 madTraceProcess+0x838fe dbkFCallWrapperAddr-0x17696 installer+0xf2976 @ 0x4f2976 madTraceProcess+0x5a6f2 dbkFCallWrapperAddr-0x408a2 installer+0xc976a @ 0x4c976a madTraceProcess+0x833ee dbkFCallWrapperAddr-0x17ba6 installer+0xf2466 @ 0x4f2466 madTraceProcess+0x8fd6b dbkFCallWrapperAddr-0xb229 installer+0xfede3 @ 0x4fede3 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x755c33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xeedfade exception.offset: 46887 exception.address: 0x7597b727 registers.esp: 1637712 registers.edi: 0 registers.eax: 1637712 registers.ebp: 1637792 registers.edx: 0 registers.ebx: 1637960 registers.esi: 0 registers.ecx: 7	1
__exception__ July 1, 2024, 3:20 p.m.	stacktrace: TMethodImplementationIntercept+0x212c2d SHFreeMem-0x4c3 setuphelper+0x277da9 @ 0xc9a7da9 TMethodImplementationIntercept+0x212c2d SHFreeMem-0x4c3 setuphelper+0x277da9 @ 0xc9a7da9 SHGetParameter+0x110 SHPerformOperation-0x2f4 setuphelper+0x278790 @ 0xc9a8790 madTraceProcess+0x382c6 dbkFCallWrapperAddr-0x62cce installer+0xa733e @ 0x4a733e madTraceProcess+0x38361 dbkFCallWrapperAddr-0x62c33 installer+0xa73d9 @ 0x4a73d9 madTraceProcess+0x37fbb dbkFCallWrapperAddr-0x62fd9 installer+0xa7033 @ 0x4a7033 madTraceProcess+0x83924 dbkFCallWrapperAddr-0x17670 installer+0xf299c @ 0x4f299c madTraceProcess+0x5a6f2 dbkFCallWrapperAddr-0x408a2 installer+0xc976a @ 0x4c976a madTraceProcess+0x833ee dbkFCallWrapperAddr-0x17ba6 installer+0xf2466 @ 0x4f2466 madTraceProcess+0x8fd6b dbkFCallWrapperAddr-0xb229 installer+0xfede3 @ 0x4fede3 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x755c33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xeedfade exception.offset: 46887 exception.address: 0x7597b727 registers.esp: 1637712 registers.edi: 0 registers.eax: 1637712 registers.ebp: 1637792 registers.edx: 0 registers.ebx: 1637960 registers.esi: 0 registers.ecx: 7	1
__exception__ July 1, 2024, 3:20 p.m.	stacktrace: TMethodImplementationIntercept+0x212c2d SHFreeMem-0x4c3 setuphelper+0x277da9 @ 0xc9a7da9 TMethodImplementationIntercept+0x212c2d SHFreeMem-0x4c3 setuphelper+0x277da9 @ 0xc9a7da9 TMethodImplementationIntercept+0x212e18 SHFreeMem-0x2d8 setuphelper+0x277f94 @ 0xc9a7f94 SHGetParameter+0x2ff SHPerformOperation-0x105 setuphelper+0x27897f @ 0xc9a897f madTraceProcess+0x382c6 dbkFCallWrapperAddr-0x62cce installer+0xa733e @ 0x4a733e madTraceProcess+0x38361 dbkFCallWrapperAddr-0x62c33 installer+0xa73d9 @ 0x4a73d9 madTraceProcess+0x37e9b dbkFCallWrapperAddr-0x630f9 installer+0xa6f13 @ 0x4a6f13 madTraceProcess+0x57c43 dbkFCallWrapperAddr-0x43351 installer+0xc6cbb @ 0x4c6cbb madTraceProcess+0x82084 dbkFCallWrapperAddr-0x18f10 installer+0xf10fc @ 0x4f10fc madTraceProcess+0x5a713 dbkFCallWrapperAddr-0x40881 installer+0xc978b @ 0x4c978b madTraceProcess+0x833ee dbkFCallWrapperAddr-0x17ba6 installer+0xf2466 @ 0x4f2466 madTraceProcess+0x8fd6b dbkFCallWrapperAddr-0xb229 installer+0xfede3 @ 0x4fede3 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x755c33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xeedfade exception.offset: 46887 exception.address: 0x7597b727 registers.esp: 1637532 registers.edi: 1637836 registers.eax: 1637532 registers.ebp: 1637612 registers.edx: 0 registers.ebx: 1637840 registers.esi: 0 registers.ecx: 7	1
__exception__ July 1, 2024, 3:20 p.m.	stacktrace: @System@Ioutils@TFile@InternalCheckFilePathParam$qqrx20System@UnicodeStringxo+0xf8 @System@Ioutils@TFile@Move$qqr20System@UnicodeStringt1-0x28 rtl250+0x176890 @ 0xbe6890 @System@Ioutils@TFile@CheckGetLastWriteTimeParameters$qqrx20System@UnicodeString+0x7 @System@Ioutils@TFile@CheckGetLastWriteTimeUtcParameters$qqrx20System@UnicodeString-0x1 rtl250+0x175507 @ 0xbe5507 __dbk_fcall_wrapper+0x7ae0d DllGetInstance-0xc905f browserhelper+0x7c869 @ 0xd74c869 __dbk_fcall_wrapper+0x2e272 DllGetInstance-0x115bfa browserhelper+0x2fcce @ 0xd6ffcce __dbk_fcall_wrapper+0x7a1b2 DllGetInstance-0xc9cba browserhelper+0x7bc0e @ 0xd74bc0e __dbk_fcall_wrapper+0x13e073 DllGetInstance-0x5df9 browserhelper+0x13facf @ 0xd80facf __dbk_fcall_wrapper+0x13dbf5 DllGetInstance-0x6277 browserhelper+0x13f651 @ 0xd80f651 @Axrtl@Project@Interfacedobject@DllGetInstanceInternal$qqsrx5_GUIDpvpp17System@TMetaClassxi+0x77 @Axrtl@Project@Interfacedobject@DllCanUnloadNowInternal$qqspp17System@TMetaClassxi-0x79 axcomponentsrtl+0xaaa2f @ 0x93aa2f DllGetInstance+0x29 DllCanUnloadNow-0x7 browserhelper+0x1458f1 @ 0xd8158f1 @Axrtl@Dllroutines@DllRoutines@TLibraryItem@GetInstance$qqrrx5_GUIDpv+0xe @Axrtl@Dllroutines@DllRoutines@TLibraryItem@GetVersion$qqrr16_DLLVERSIONINFO2-0xa axcomponentsrtl+0x21f22 @ 0x8b1f22 @Axrtl@Dllroutines@DllRoutines@GetInstanceInternal$qqrx20System@UnicodeStringrx5_GUIDpv+0xba @Axrtl@Dllroutines@DllRoutines@GetInstance$qqrx20System@UnicodeStringrx5_GUIDpv-0xe axcomponentsrtl+0x2276e @ 0x8b276e @Axrtl@Dllroutines@DllRoutines@GetInstance$qqrx20System@UnicodeStringrx5_GUIDpv+0x38 @Axrtl@Dllroutines@DllRoutines@TryGetInstance$qqrx20System@UnicodeStringrx5_GUIDpv-0x23c axcomponentsrtl+0x227b4 @ 0x8b27b4 madTraceProcess+0x392c4 dbkFCallWrapperAddr-0x61cd0 installer+0xa833c @ 0x4a833c madTraceProcess+0x6dbff dbkFCallWrapperAddr-0x2d395 installer+0xdcc77 @ 0x4dcc77 madTraceProcess+0x83138 dbkFCallWrapperAddr-0x17e5c installer+0xf21b0 @ 0x4f21b0 madTraceProcess+0x8268a dbkFCallWrapperAddr-0x1890a installer+0xf1702 @ 0x4f1702 @Axrtl@System@Thread@TThread@Execute$qqrv+0x57 @Axrtl@System@Thread@TThread@CallOnTerminate$qqrv-0x95 axcomponentsrtl+0x1a4b3 @ 0x8aa4b3 @Axrtl@System@Thread@TThread@TInternalThread@Execute$qqrv+0x6c @Axrtl@System@Thread@TThread@TInternalThread@TerminatedSet$qqrv-0x100 axcomponentsrtl+0x1ae5c @ 0x8aae5c __dbk_fcall_wrapper+0x6c7dd madTraceProcess-0xe47 installer+0x6e231 @ 0x46e231 @System@Classes@CheckSynchronize$qqri+0x28c @System@Classes@TThread@$bctr$qqrv-0x70 rtl250+0x11a94c @ 0xb8a94c @System@@Assert$qqrx20System@UnicodeStringt1i+0x66 @System@BeginThread$qqrpvuipqqrpv$it1uirui-0xe rtl250+0x119ba @ 0xa819ba __dbk_fcall_wrapper+0x6c6c3 madTraceProcess-0xf61 installer+0x6e117 @ 0x46e117 __dbk_fcall_wrapper+0x6c72b madTraceProcess-0xef9 installer+0x6e17f @ 0x46e17f BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x755c33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xeedfade exception.offset: 46887 exception.address: 0x7597b727 registers.esp: 96926184 registers.edi: 4883264 registers.eax: 96926184 registers.ebp: 96926264 registers.edx: 0 registers.ebx: 52251393 registers.esi: 52251484 registers.ecx: 7	1
__exception__ July 1, 2024, 3:20 p.m.	stacktrace: @System@Ioutils@TFile@InternalCheckFilePathParam$qqrx20System@UnicodeStringxo+0xf8 @System@Ioutils@TFile@Move$qqr20System@UnicodeStringt1-0x28 rtl250+0x176890 @ 0xbe6890 @System@Ioutils@TFile@CheckGetLastWriteTimeParameters$qqrx20System@UnicodeString+0x7 @System@Ioutils@TFile@CheckGetLastWriteTimeUtcParameters$qqrx20System@UnicodeString-0x1 rtl250+0x175507 @ 0xbe5507 __dbk_fcall_wrapper+0x7ae0d DllGetInstance-0xc905f browserhelper+0x7c869 @ 0xd74c869 __dbk_fcall_wrapper+0x2e272 DllGetInstance-0x115bfa browserhelper+0x2fcce @ 0xd6ffcce __dbk_fcall_wrapper+0x7a1b2 DllGetInstance-0xc9cba browserhelper+0x7bc0e @ 0xd74bc0e __dbk_fcall_wrapper+0x13e073 DllGetInstance-0x5df9 browserhelper+0x13facf @ 0xd80facf __dbk_fcall_wrapper+0x13dbf5 DllGetInstance-0x6277 browserhelper+0x13f651 @ 0xd80f651 @Axrtl@Project@Interfacedobject@DllGetInstanceInternal$qqsrx5_GUIDpvpp17System@TMetaClassxi+0x77 @Axrtl@Project@Interfacedobject@DllCanUnloadNowInternal$qqspp17System@TMetaClassxi-0x79 axcomponentsrtl+0xaaa2f @ 0x93aa2f DllGetInstance+0x29 DllCanUnloadNow-0x7 browserhelper+0x1458f1 @ 0xd8158f1 @Axrtl@Dllroutines@DllRoutines@TLibraryItem@GetInstance$qqrrx5_GUIDpv+0xe @Axrtl@Dllroutines@DllRoutines@TLibraryItem@GetVersion$qqrr16_DLLVERSIONINFO2-0xa axcomponentsrtl+0x21f22 @ 0x8b1f22 @Axrtl@Dllroutines@DllRoutines@GetInstanceInternal$qqrx20System@UnicodeStringrx5_GUIDpv+0xba @Axrtl@Dllroutines@DllRoutines@GetInstance$qqrx20System@UnicodeStringrx5_GUIDpv-0xe axcomponentsrtl+0x2276e @ 0x8b276e @Axrtl@Dllroutines@DllRoutines@GetInstance$qqrx20System@UnicodeStringrx5_GUIDpv+0x38 @Axrtl@Dllroutines@DllRoutines@TryGetInstance$qqrx20System@UnicodeStringrx5_GUIDpv-0x23c axcomponentsrtl+0x227b4 @ 0x8b27b4 madTraceProcess+0x392c4 dbkFCallWrapperAddr-0x61cd0 installer+0xa833c @ 0x4a833c madTraceProcess+0x826a8 dbkFCallWrapperAddr-0x188ec installer+0xf1720 @ 0x4f1720 @Axrtl@System@Thread@TThread@Execute$qqrv+0x57 @Axrtl@System@Thread@TThread@CallOnTerminate$qqrv-0x95 axcomponentsrtl+0x1a4b3 @ 0x8aa4b3 @Axrtl@System@Thread@TThread@TInternalThread@Execute$qqrv+0x6c @Axrtl@System@Thread@TThread@TInternalThread@TerminatedSet$qqrv-0x100 axcomponentsrtl+0x1ae5c @ 0x8aae5c __dbk_fcall_wrapper+0x6c7dd madTraceProcess-0xe47 installer+0x6e231 @ 0x46e231 @System@Classes@CheckSynchronize$qqri+0x28c @System@Classes@TThread@$bctr$qqrv-0x70 rtl250+0x11a94c @ 0xb8a94c @System@@Assert$qqrx20System@UnicodeStringt1i+0x66 @System@BeginThread$qqrpvuipqqrpv$it1uirui-0xe rtl250+0x119ba @ 0xa819ba __dbk_fcall_wrapper+0x6c6c3 madTraceProcess-0xf61 installer+0x6e117 @ 0x46e117 __dbk_fcall_wrapper+0x6c72b madTraceProcess-0xef9 installer+0x6e17f @ 0x46e17f BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x755c33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xeedfade exception.offset: 46887 exception.address: 0x7597b727 registers.esp: 96926380 registers.edi: 4883264 registers.eax: 96926380 registers.ebp: 96926460 registers.edx: 0 registers.ebx: 52252673 registers.esi: 52252636 registers.ecx: 7	1
__exception__ July 1, 2024, 3:20 p.m.	stacktrace: TMethodImplementationIntercept+0x212c2d SHFreeMem-0x4c3 setuphelper+0x277da9 @ 0xc9a7da9 TMethodImplementationIntercept+0x212c2d SHFreeMem-0x4c3 setuphelper+0x277da9 @ 0xc9a7da9 TMethodImplementationIntercept+0x212e18 SHFreeMem-0x2d8 setuphelper+0x277f94 @ 0xc9a7f94 SHGetParameter+0x2ff SHPerformOperation-0x105 setuphelper+0x27897f @ 0xc9a897f madTraceProcess+0x382c6 dbkFCallWrapperAddr-0x62cce installer+0xa733e @ 0x4a733e madTraceProcess+0x38361 dbkFCallWrapperAddr-0x62c33 installer+0xa73d9 @ 0x4a73d9 madTraceProcess+0x8273f dbkFCallWrapperAddr-0x18855 installer+0xf17b7 @ 0x4f17b7 @Axrtl@System@Thread@TThread@Execute$qqrv+0x57 @Axrtl@System@Thread@TThread@CallOnTerminate$qqrv-0x95 axcomponentsrtl+0x1a4b3 @ 0x8aa4b3 @Axrtl@System@Thread@TThread@TInternalThread@Execute$qqrv+0x6c @Axrtl@System@Thread@TThread@TInternalThread@TerminatedSet$qqrv-0x100 axcomponentsrtl+0x1ae5c @ 0x8aae5c __dbk_fcall_wrapper+0x6c7dd madTraceProcess-0xe47 installer+0x6e231 @ 0x46e231 @System@Classes@CheckSynchronize$qqri+0x28c @System@Classes@TThread@$bctr$qqrv-0x70 rtl250+0x11a94c @ 0xb8a94c @System@@Assert$qqrx20System@UnicodeStringt1i+0x66 @System@BeginThread$qqrpvuipqqrpv$it1uirui-0xe rtl250+0x119ba @ 0xa819ba __dbk_fcall_wrapper+0x6c6c3 madTraceProcess-0xf61 installer+0x6e117 @ 0x46e117 __dbk_fcall_wrapper+0x6c72b madTraceProcess-0xef9 installer+0x6e17f @ 0x46e17f BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x755c33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xeedfade exception.offset: 46887 exception.address: 0x7597b727 registers.esp: 96926760 registers.edi: 96927064 registers.eax: 96926760 registers.ebp: 96926840 registers.edx: 0 registers.ebx: 96927068 registers.esi: 0 registers.ecx: 7	1
__exception__ July 1, 2024, 3:20 p.m.	stacktrace: TMethodImplementationIntercept+0x212c2d SHFreeMem-0x4c3 setuphelper+0x277da9 @ 0xc9a7da9 TMethodImplementationIntercept+0x212c2d SHFreeMem-0x4c3 setuphelper+0x277da9 @ 0xc9a7da9 TMethodImplementationIntercept+0x212e18 SHFreeMem-0x2d8 setuphelper+0x277f94 @ 0xc9a7f94 SHGetParameter+0x2ff SHPerformOperation-0x105 setuphelper+0x27897f @ 0xc9a897f madTraceProcess+0x382c6 dbkFCallWrapperAddr-0x62cce installer+0xa733e @ 0x4a733e madTraceProcess+0x38361 dbkFCallWrapperAddr-0x62c33 installer+0xa73d9 @ 0x4a73d9 madTraceProcess+0x38003 dbkFCallWrapperAddr-0x62f91 installer+0xa707b @ 0x4a707b madTraceProcess+0x865b4 dbkFCallWrapperAddr-0x149e0 installer+0xf562c @ 0x4f562c @Vcl@Forms@TCustomForm@DoCreate$qqrv+0x37 @Vcl@Forms@TCustomForm@DoDestroy$qqrv-0x45 vcl250+0x176a9f @ 0x50bf6a9f @Axvcl@Controls@Axform@TAxForm@DoCreate$qqrv+0x23 @Axvcl@Controls@Axform@TAxForm@CreateWnd$qqrv-0x109 axcomponentsvcl+0xea493 @ 0x500ea493 @Vcl@Forms@TCustomForm@AfterConstruction$qqrv+0x17 @Vcl@Forms@TCustomForm@InitializeNewForm$qqrv-0x21 vcl250+0x1766bb @ 0x50bf66bb @Axvcl@Controls@Axform@TAxForm@$bctr$qqrp25System@Classes@TComponent+0x95 @Axvcl@Controls@Axform@TAxForm@$bctr$qqrp25System@Classes@TComponenti-0x13 axcomponentsvcl+0xea059 @ 0x500ea059 madTraceProcess+0x85566 dbkFCallWrapperAddr-0x15a2e installer+0xf45de @ 0x4f45de madTraceProcess+0x8ac28 dbkFCallWrapperAddr-0x1036c installer+0xf9ca0 @ 0x4f9ca0 @Vcl@Forms@TCustomForm@DoCreate$qqrv+0x37 @Vcl@Forms@TCustomForm@DoDestroy$qqrv-0x45 vcl250+0x176a9f @ 0x50bf6a9f @Axvcl@Controls@Axform@TAxForm@DoCreate$qqrv+0x23 @Axvcl@Controls@Axform@TAxForm@CreateWnd$qqrv-0x109 axcomponentsvcl+0xea493 @ 0x500ea493 @Vcl@Forms@TCustomForm@AfterConstruction$qqrv+0x17 @Vcl@Forms@TCustomForm@InitializeNewForm$qqrv-0x21 vcl250+0x1766bb @ 0x50bf66bb madTraceProcess+0x8aaed dbkFCallWrapperAddr-0x104a7 installer+0xf9b65 @ 0x4f9b65 @Vcl@Forms@TApplication@CreateForm$qqrp17System@TMetaClasspv+0x79 @Vcl@Forms@TApplication@Run$qqrv-0xe3 vcl250+0x181b2d @ 0x50c01b2d madTraceProcess+0x8fdbe dbkFCallWrapperAddr-0xb1d6 installer+0xfee36 @ 0x4fee36 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x755c33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xeedfade exception.offset: 46887 exception.address: 0x7597b727 registers.esp: 1637360 registers.edi: 1637664 registers.eax: 1637360 registers.ebp: 1637440 registers.edx: 0 registers.ebx: 1637668 registers.esi: 0 registers.ecx: 7	1

HTTP traffic contains suspicious features which may be indicative of malware related traffic (1 event)

suspicious_features

POST method with no referer header, POST method with no useragent header

suspicious_request

POST https://www.google-analytics.com/mp/collect?measurement_id=G-924XWBQ2KM&api_secret=MEBZff_HSwaYXMkgDlV-YQ

Performs some HTTP requests (1 event)

request

POST https://www.google-analytics.com/mp/collect?measurement_id=G-924XWBQ2KM&api_secret=MEBZff_HSwaYXMkgDlV-YQ

Sends data using the HTTP POST Method (1 event)

request

POST https://www.google-analytics.com/mp/collect?measurement_id=G-924XWBQ2KM&api_secret=MEBZff_HSwaYXMkgDlV-YQ

Allocates read-write-execute memory (usually to unpack itself) (50 out of 60 events)

Time & API	Arguments	Status
NtProtectVirtualMemory July 1, 2024, 3:19 p.m.	process_identifier: 2636 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73662000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 1, 2024, 3:19 p.m.	process_identifier: 2764 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 1, 2024, 3:19 p.m.	process_identifier: 2764 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00890000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 1, 2024, 3:19 p.m.	process_identifier: 2764 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x50000000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 1, 2024, 3:19 p.m.	process_identifier: 2764 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a81000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 1, 2024, 3:19 p.m.	process_identifier: 2764 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x50c01000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 1, 2024, 3:19 p.m.	process_identifier: 2764 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x50c01000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 1, 2024, 3:19 p.m.	process_identifier: 2764 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00abc000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 1, 2024, 3:19 p.m.	process_identifier: 2764 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00ac0000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 1, 2024, 3:19 p.m.	process_identifier: 2764 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00b8a000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 1, 2024, 3:19 p.m.	process_identifier: 2764 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a81000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 1, 2024, 3:19 p.m.	process_identifier: 2764 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a81000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 1, 2024, 3:19 p.m.	process_identifier: 2764 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a81000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 1, 2024, 3:19 p.m.	process_identifier: 2764 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a81000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 1, 2024, 3:19 p.m.	process_identifier: 2764 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a80000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 1, 2024, 3:19 p.m.	process_identifier: 2764 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a80000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 1, 2024, 3:19 p.m.	process_identifier: 2764 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a80000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 1, 2024, 3:19 p.m.	process_identifier: 2764 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a80000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 1, 2024, 3:19 p.m.	process_identifier: 2764 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a81000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 1, 2024, 3:19 p.m.	process_identifier: 2764 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a80000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 1, 2024, 3:19 p.m.	process_identifier: 2764 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00abc000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 1, 2024, 3:19 p.m.	process_identifier: 2764 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00abc000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 1, 2024, 3:19 p.m.	process_identifier: 2764 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00abc000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 1, 2024, 3:19 p.m.	process_identifier: 2764 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73662000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 1, 2024, 3:19 p.m.	process_identifier: 2764 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00510000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 1, 2024, 3:19 p.m.	process_identifier: 2764 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01075000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 1, 2024, 3:19 p.m.	process_identifier: 2764 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x50d12000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 1, 2024, 3:19 p.m.	process_identifier: 2764 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72ab1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 1, 2024, 3:19 p.m.	process_identifier: 2764 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72b31000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 1, 2024, 3:19 p.m.	process_identifier: 2764 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72b91000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 1, 2024, 3:19 p.m.	process_identifier: 2764 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72bd1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 1, 2024, 3:19 p.m.	process_identifier: 2764 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72d71000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 1, 2024, 3:19 p.m.	process_identifier: 2764 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73251000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 1, 2024, 3:19 p.m.	process_identifier: 2764 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x732d1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 1, 2024, 3:19 p.m.	process_identifier: 2764 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73311000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 1, 2024, 3:19 p.m.	process_identifier: 2764 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73484000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 1, 2024, 3:19 p.m.	process_identifier: 2764 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x734c1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 1, 2024, 3:19 p.m.	process_identifier: 2764 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73c01000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 1, 2024, 3:19 p.m.	process_identifier: 2764 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73fb0000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 1, 2024, 3:19 p.m.	process_identifier: 2764 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x746c1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 1, 2024, 3:19 p.m.	process_identifier: 2764 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74821000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 1, 2024, 3:19 p.m.	process_identifier: 2764 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75511000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 1, 2024, 3:19 p.m.	process_identifier: 2764 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x756c1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 1, 2024, 3:19 p.m.	process_identifier: 2764 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75761000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 1, 2024, 3:19 p.m.	process_identifier: 2764 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75850000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 1, 2024, 3:19 p.m.	process_identifier: 2764 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x759d0000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 1, 2024, 3:19 p.m.	process_identifier: 2764 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75a81000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 1, 2024, 3:19 p.m.	process_identifier: 2764 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75b51000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 1, 2024, 3:19 p.m.	process_identifier: 2764 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75bf1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 1, 2024, 3:19 p.m.	process_identifier: 2764 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75d41000 process_handle: 0xffffffff	1

Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation (1 event)

Time & API	Arguments	Status	Return	Repeated
GetDiskFreeSpaceExW July 1, 2024, 3:19 p.m.	total_number_of_free_bytes: 0 free_bytes_available: 13237964800 root_path: C:\Users\test22\AppData\Roaming\ total_number_of_bytes: 34252779520	1	1	0

Steals private information from local Internet browsers (9 events)

file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Storage
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\databases\Databases.db
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Local State
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Origin Bound Certs
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Pepper Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\IndexedDB
file	C:\Users\test22\AppData\Local\Yandex\YandexBrowser\Application\browser.exe

Foreign language identified in PE resource (5 events)

name

RT_RCDATA

language

LANG_ENGLISH

filetype

data

sublanguage

SUBLANG_ENGLISH_AUS

offset

0x00080090

size

0x00000065

name

RT_RCDATA

language

LANG_ENGLISH

filetype

data

sublanguage

SUBLANG_ENGLISH_AUS

offset

0x00080090

size

0x00000065

name

RT_RCDATA

language

LANG_ENGLISH

filetype

data

sublanguage

SUBLANG_ENGLISH_AUS

offset

0x00080090

size

0x00000065

name

RT_VERSION

language

LANG_ENGLISH

filetype

data

sublanguage

SUBLANG_ENGLISH_AUS

offset

0x00080170

size

0x00000328

name

RT_MANIFEST

language

LANG_ENGLISH

filetype

XML 1.0 document, ASCII text, with CRLF line terminators

sublanguage

SUBLANG_ENGLISH_AUS

offset

0x00080498

size

0x00000700

Creates executable files on the filesystem (12 events)

file	C:\Users\test22\AppData\Local\Temp\is-14082807.tmp\PCRepair.exe
file	C:\Users\test22\AppData\Local\Temp\is-14082807.tmp\InstallerUtils.dll
file	C:\Users\test22\AppData\Local\Temp\is-14082807.tmp\sqlite3.dll
file	C:\Users\test22\AppData\Local\Temp\is-14082807.tmp\BrowserHelper.dll
file	C:\Users\test22\AppData\Local\Temp\is-14082807.tmp\GoogleAnalyticsHelper.dll
file	C:\Users\test22\AppData\Local\Temp\is-14082807.tmp\Localizer.dll
file	C:\Users\test22\AppData\Local\Temp\is-14082807.tmp\Downloader.exe
file	C:\Users\test22\AppData\Local\Temp\is-14082807.tmp\Installer.exe
file	C:\Users\test22\AppData\Local\Temp\is-14082807.tmp\GoogleAnalyticsHelperIV.dll
file	C:\Users\test22\AppData\Local\Temp\is-14082807.tmp\CommonForms.Site.dll
file	C:\Users\test22\AppData\Local\Temp\is-14082807.tmp\SetupHelper.dll
file	C:\Users\test22\AppData\Local\Temp\is-14082807.tmp\CFAHelper.dll

Drops an executable to the user AppData folder (19 events)

file	C:\Users\test22\AppData\Local\Temp\is-14082807.tmp\GoogleAnalyticsHelperIV.dll
file	C:\Users\test22\AppData\Local\Temp\is-14082807.tmp\BrowserHelper.dll
file	C:\Users\test22\AppData\Local\Temp\is-14082807.tmp\Installer.exe
file	C:\Users\test22\AppData\Local\Temp\is-14082807.tmp\rtl250.bpl
file	C:\Users\test22\AppData\Local\Temp\is-14082807.tmp\vcl250.bpl
file	C:\Users\test22\AppData\Local\Temp\is-14082807.tmp\PCRepair.exe
file	C:\Users\test22\AppData\Local\Temp\is-14082807.tmp\GoogleAnalyticsHelper.dll
file	C:\Users\test22\AppData\Local\Temp\is-14082807.tmp\Localizer.dll
file	C:\Users\test22\AppData\Local\Temp\is-14082807.tmp\SetupHelper.dll
file	C:\Users\test22\AppData\Local\Temp\is-14082807.tmp\OxComponentsRTL.bpl
file	C:\Users\test22\AppData\Local\Temp\is-14082807.tmp\sqlite3.dll
file	C:\Users\test22\AppData\Local\Temp\is-14082807.tmp\CFAHelper.dll
file	C:\Users\test22\AppData\Local\Temp\is-14082807.tmp\vclie250.bpl
file	C:\Users\test22\AppData\Local\Temp\is-14082807.tmp\Downloader.exe
file	C:\Users\test22\AppData\Local\Temp\is-14082807.tmp\AxComponentsVCL.bpl
file	C:\Users\test22\AppData\Local\Temp\is-14082807.tmp\AxComponentsRTL.bpl
file	C:\Users\test22\AppData\Local\Temp\is-14082807.tmp\vclimg250.bpl
file	C:\Users\test22\AppData\Local\Temp\is-14082807.tmp\CommonForms.Site.dll
file	C:\Users\test22\AppData\Local\Temp\is-14082807.tmp\InstallerUtils.dll

File has been identified by 3 AntiVirus engines on VirusTotal as malicious (3 events)

DrWeb	Program.Unwanted.5457
Malwarebytes	PUP.Optional.Outbyte
CrowdStrike	win/grayware_confidence_60% (D)

Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory July 1, 2024, 3:19 p.m.	process_identifier: 2764 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 65536 protection: 32 (PAGE_EXECUTE_READ) base_address: 0x072e1000 process_handle: 0xffffffff	1	0	0

Queries for potentially installed applications (22 events)

Time & API	Arguments	Status	Return
RegOpenKeyExW July 1, 2024, 3:20 p.m.	regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\{D5C6DB0C-BC43-4A77-9121-D1A07591F855}_is1 base_handle: 0x80000001 key_handle: 0x00000000 options: 0 access: 0x00000001 regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\{D5C6DB0C-BC43-4A77-9121-D1A07591F855}_is1		2
RegOpenKeyExW July 1, 2024, 3:20 p.m.	regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\D5C6DB0C-BC43-4A77-9121-D1A07591F855_is1 base_handle: 0x80000001 key_handle: 0x00000000 options: 0 access: 0x00000001 regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\D5C6DB0C-BC43-4A77-9121-D1A07591F855_is1		2
RegOpenKeyExW July 1, 2024, 3:20 p.m.	regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\{D5C6DB0C-BC43-4A77-9121-D1A07591F855}_is1 base_handle: 0x80000001 key_handle: 0x00000000 options: 0 access: 0x00000101 regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\{D5C6DB0C-BC43-4A77-9121-D1A07591F855}_is1		2
RegOpenKeyExW July 1, 2024, 3:20 p.m.	regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\D5C6DB0C-BC43-4A77-9121-D1A07591F855_is1 base_handle: 0x80000001 key_handle: 0x00000000 options: 0 access: 0x00000101 regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\D5C6DB0C-BC43-4A77-9121-D1A07591F855_is1		2
RegOpenKeyExW July 1, 2024, 3:20 p.m.	regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\{D5C6DB0C-BC43-4A77-9121-D1A07591F855}_is1 base_handle: 0x80000002 key_handle: 0x00000000 options: 0 access: 0x00000001 regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\{D5C6DB0C-BC43-4A77-9121-D1A07591F855}_is1		2
RegOpenKeyExW July 1, 2024, 3:20 p.m.	regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\D5C6DB0C-BC43-4A77-9121-D1A07591F855_is1 base_handle: 0x80000002 key_handle: 0x00000000 options: 0 access: 0x00000001 regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\D5C6DB0C-BC43-4A77-9121-D1A07591F855_is1		2
RegOpenKeyExW July 1, 2024, 3:20 p.m.	regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\{D5C6DB0C-BC43-4A77-9121-D1A07591F855}_is1 base_handle: 0x80000002 key_handle: 0x00000000 options: 0 access: 0x00000101 regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\{D5C6DB0C-BC43-4A77-9121-D1A07591F855}_is1		2
RegOpenKeyExW July 1, 2024, 3:20 p.m.	regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\D5C6DB0C-BC43-4A77-9121-D1A07591F855_is1 base_handle: 0x80000002 key_handle: 0x00000000 options: 0 access: 0x00000101 regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\D5C6DB0C-BC43-4A77-9121-D1A07591F855_is1		2
RegOpenKeyExW July 1, 2024, 3:20 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Microsoft Edge base_handle: 0x80000002 key_handle: 0x00000000 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Microsoft Edge		2
RegOpenKeyExW July 1, 2024, 3:20 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Microsoft Edge base_handle: 0x80000002 key_handle: 0x00000000 options: 0 access: 0x00020009 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Microsoft Edge		2
RegOpenKeyExW July 1, 2024, 3:20 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Microsoft Edge base_handle: 0x80000002 key_handle: 0x00000000 options: 0 access: 0x00000001 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Microsoft Edge		2
RegOpenKeyExW July 1, 2024, 3:20 p.m.	regkey_r: SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\ base_handle: 0x80000002 key_handle: 0x000006e0 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\	1	0
RegOpenKeyExW July 1, 2024, 3:20 p.m.	regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\YandexBrowser base_handle: 0x80000001 key_handle: 0x00000000 options: 0 access: 0x00020019 regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\YandexBrowser		2
RegOpenKeyExW July 1, 2024, 3:20 p.m.	regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\YandexBrowser base_handle: 0x80000001 key_handle: 0x00000000 options: 0 access: 0x00020009 regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\YandexBrowser		2
RegOpenKeyExW July 1, 2024, 3:20 p.m.	regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\YandexBrowser base_handle: 0x80000001 key_handle: 0x00000000 options: 0 access: 0x00000001 regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\YandexBrowser		2
RegOpenKeyExW July 1, 2024, 3:20 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Microsoft Edge base_handle: 0x80000002 key_handle: 0x00000000 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Microsoft Edge		2
RegOpenKeyExW July 1, 2024, 3:20 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Microsoft Edge base_handle: 0x80000002 key_handle: 0x00000000 options: 0 access: 0x00020009 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Microsoft Edge		2
RegOpenKeyExW July 1, 2024, 3:20 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Microsoft Edge base_handle: 0x80000002 key_handle: 0x00000000 options: 0 access: 0x00000001 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Microsoft Edge		2
RegOpenKeyExW July 1, 2024, 3:20 p.m.	regkey_r: SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\ base_handle: 0x80000002 key_handle: 0x000006e4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\	1	0
RegOpenKeyExW July 1, 2024, 3:20 p.m.	regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\YandexBrowser base_handle: 0x80000001 key_handle: 0x00000000 options: 0 access: 0x00020019 regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\YandexBrowser		2
RegOpenKeyExW July 1, 2024, 3:20 p.m.	regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\YandexBrowser base_handle: 0x80000001 key_handle: 0x00000000 options: 0 access: 0x00020009 regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\YandexBrowser		2
RegOpenKeyExW July 1, 2024, 3:20 p.m.	regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\YandexBrowser base_handle: 0x80000001 key_handle: 0x00000000 options: 0 access: 0x00000001 regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\YandexBrowser		2

Checks the version of Bios, possibly for anti-virtualization (1 event)

registry

HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion

Deletes executed files from disk (1 event)

file	C:\Users\test22\AppData\Local\Temp

Attempts to create or modify system certificates (2 events)

registry	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\503006091D97D4F5AE39F7CBE7927D7D652D3431\Blob
registry	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\AFE5D244A8D1194230FF479FE2F897BBCD7A8CB4\Blob

outbyte-pc-repair.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All