Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	July 3, 2024, 9:25 a.m.	July 3, 2024, 9:27 a.m.

Size	20.9MB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`19e7819eb886414b6bcab23db00541ec`
SHA256	`f42cfe4545c5c62bb19eabd37757c16d3fb69106d0ee25105319d5b15a51d9d2`
CRC32	`0899791F`
ssdeep	`393216:yRkA1LR74UgmMnRGfjXZYiJwBAOpVFwWJIXMGvmaWQg9m/QOtYzc:BA594xIbhmBAObCWeXMrNm/QOtYg`
Yara	Malicious_Library_Zero - Malicious_Library PE_Header_Zero - PE File Signature IsPE32 - (no description) UPX_Zero - UPX packed file mzp_file_format - MZP(Delphi) file format OS_Processor_Check_Zero - OS Processor Check

outbyte-driver-updater.exe "C:\Users\test22\AppData\Local\Temp\outbyte-driver-updater.exe"
2640
- Installer.exe "C:\Users\test22\AppData\Local\Temp\is-22500844.tmp\Installer.exe" /spid:2640 /splha:8791968
  2788

Name	Response	Post-Analysis Lookup
www.google-analytics.com	A 142.251.130.14	142.250.207.110
outbyte.com	A 45.33.97.245	45.33.97.245

IP Address	Status	Action
142.251.130.14	Active	Moloch
164.124.101.2	Active	Moloch
45.33.97.245	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.101:49163 -> 45.33.97.245:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49165 -> 45.33.97.245:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49164 -> 45.33.97.245:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49167 -> 142.251.130.14:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49166 -> 45.33.97.245:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLSv1 192.168.56.101:49163 45.33.97.245:443	C=US, O=DigiCert Inc, OU=www.digicert.com, CN=RapidSSL TLS RSA CA G1	CN=*.outbyte.com	d0:6e:29:18:9d:1c:99:37:a3:15:37:81:63:0c:69:08:8a:6c:31:4f
TLSv1 192.168.56.101:49165 45.33.97.245:443	C=US, O=DigiCert Inc, OU=www.digicert.com, CN=RapidSSL TLS RSA CA G1	CN=*.outbyte.com	d0:6e:29:18:9d:1c:99:37:a3:15:37:81:63:0c:69:08:8a:6c:31:4f
TLSv1 192.168.56.101:49164 45.33.97.245:443	C=US, O=DigiCert Inc, OU=www.digicert.com, CN=RapidSSL TLS RSA CA G1	CN=*.outbyte.com	d0:6e:29:18:9d:1c:99:37:a3:15:37:81:63:0c:69:08:8a:6c:31:4f
TLSv1 192.168.56.101:49167 142.251.130.14:443	C=US, O=Google Trust Services, CN=WR2	CN=*.google-analytics.com	ba:5d:a9:7f:41:46:b0:37:01:9e:05:b0:92:ba:41:c9:31:5b:4b:4a
TLSv1 192.168.56.101:49166 45.33.97.245:443	C=US, O=DigiCert Inc, OU=www.digicert.com, CN=RapidSSL TLS RSA CA G1	CN=*.outbyte.com	d0:6e:29:18:9d:1c:99:37:a3:15:37:81:63:0c:69:08:8a:6c:31:4f

Checks if process is being debugged by a debugger (10 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent July 3, 2024, 9:25 a.m.			0	0
IsDebuggerPresent July 3, 2024, 9:25 a.m.			0	0
IsDebuggerPresent July 3, 2024, 9:25 a.m.			0	0
IsDebuggerPresent July 3, 2024, 9:25 a.m.			0	0
IsDebuggerPresent July 3, 2024, 9:25 a.m.			0	0
IsDebuggerPresent July 3, 2024, 9:25 a.m.			0	0
IsDebuggerPresent July 3, 2024, 9:25 a.m.			0	0
IsDebuggerPresent July 3, 2024, 9:25 a.m.			0	0
IsDebuggerPresent July 3, 2024, 9:25 a.m.			0	0
IsDebuggerPresent July 3, 2024, 9:25 a.m.			0	0

At least one process apparently crashed during execution (1 event)

Time & API	Arguments	Status	Return	Repeated
LdrLoadDll July 3, 2024, 9:25 a.m.	module_name: FaultRep.dll basename: FaultRep stack_pivoted: 0 flags: 0 module_address: 0x72ab0000	1	0	0

Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\MachineGuid

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx July 3, 2024, 9:25 a.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (2 events)

section	.itext
section	.didata

HTTP traffic contains suspicious features which may be indicative of malware related traffic (1 event)

suspicious_features

POST method with no referer header, POST method with no useragent header

suspicious_request

POST https://www.google-analytics.com/mp/collect?measurement_id=G-SEW4YMR3XJ&api_secret=Bwp8gLa9SqG7iUYK8RMmcg

Performs some HTTP requests (1 event)

request

POST https://www.google-analytics.com/mp/collect?measurement_id=G-SEW4YMR3XJ&api_secret=Bwp8gLa9SqG7iUYK8RMmcg

Sends data using the HTTP POST Method (1 event)

request

POST https://www.google-analytics.com/mp/collect?measurement_id=G-SEW4YMR3XJ&api_secret=Bwp8gLa9SqG7iUYK8RMmcg

Allocates read-write-execute memory (usually to unpack itself) (50 out of 61 events)

Time & API	Arguments	Status
NtProtectVirtualMemory July 3, 2024, 9:25 a.m.	process_identifier: 2640 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73662000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 3, 2024, 9:25 a.m.	process_identifier: 2788 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 3, 2024, 9:25 a.m.	process_identifier: 2788 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006a0000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 3, 2024, 9:25 a.m.	process_identifier: 2788 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00920000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 3, 2024, 9:25 a.m.	process_identifier: 2788 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x50000000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 3, 2024, 9:25 a.m.	process_identifier: 2788 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00b91000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 3, 2024, 9:25 a.m.	process_identifier: 2788 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x50c01000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 3, 2024, 9:25 a.m.	process_identifier: 2788 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x50c01000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 3, 2024, 9:25 a.m.	process_identifier: 2788 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00bcc000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 3, 2024, 9:25 a.m.	process_identifier: 2788 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00bd0000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 3, 2024, 9:25 a.m.	process_identifier: 2788 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00c9a000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 3, 2024, 9:25 a.m.	process_identifier: 2788 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00b91000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 3, 2024, 9:25 a.m.	process_identifier: 2788 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00b91000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 3, 2024, 9:25 a.m.	process_identifier: 2788 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00b91000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 3, 2024, 9:25 a.m.	process_identifier: 2788 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00b91000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 3, 2024, 9:25 a.m.	process_identifier: 2788 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00b90000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 3, 2024, 9:25 a.m.	process_identifier: 2788 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00b90000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 3, 2024, 9:25 a.m.	process_identifier: 2788 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00b90000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 3, 2024, 9:25 a.m.	process_identifier: 2788 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00b90000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 3, 2024, 9:25 a.m.	process_identifier: 2788 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00b91000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 3, 2024, 9:25 a.m.	process_identifier: 2788 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00b90000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 3, 2024, 9:25 a.m.	process_identifier: 2788 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00bcc000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 3, 2024, 9:25 a.m.	process_identifier: 2788 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00bcc000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 3, 2024, 9:25 a.m.	process_identifier: 2788 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00bcc000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 3, 2024, 9:25 a.m.	process_identifier: 2788 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73662000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 3, 2024, 9:25 a.m.	process_identifier: 2788 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00506000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 3, 2024, 9:25 a.m.	process_identifier: 2788 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01185000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 3, 2024, 9:25 a.m.	process_identifier: 2788 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x50d12000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 3, 2024, 9:25 a.m.	process_identifier: 2788 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72ab1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 3, 2024, 9:25 a.m.	process_identifier: 2788 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72b31000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 3, 2024, 9:25 a.m.	process_identifier: 2788 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72b91000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 3, 2024, 9:25 a.m.	process_identifier: 2788 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72bd1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 3, 2024, 9:25 a.m.	process_identifier: 2788 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72d71000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 3, 2024, 9:25 a.m.	process_identifier: 2788 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73251000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 3, 2024, 9:25 a.m.	process_identifier: 2788 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x732d1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 3, 2024, 9:25 a.m.	process_identifier: 2788 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73311000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 3, 2024, 9:25 a.m.	process_identifier: 2788 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73484000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 3, 2024, 9:25 a.m.	process_identifier: 2788 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x734c1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 3, 2024, 9:25 a.m.	process_identifier: 2788 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73c01000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 3, 2024, 9:25 a.m.	process_identifier: 2788 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73fb0000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 3, 2024, 9:25 a.m.	process_identifier: 2788 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x746c1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 3, 2024, 9:25 a.m.	process_identifier: 2788 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74821000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 3, 2024, 9:25 a.m.	process_identifier: 2788 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75511000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 3, 2024, 9:25 a.m.	process_identifier: 2788 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x756c1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 3, 2024, 9:25 a.m.	process_identifier: 2788 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75761000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 3, 2024, 9:25 a.m.	process_identifier: 2788 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75850000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 3, 2024, 9:25 a.m.	process_identifier: 2788 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x759d0000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 3, 2024, 9:25 a.m.	process_identifier: 2788 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75a81000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 3, 2024, 9:25 a.m.	process_identifier: 2788 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75b51000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 3, 2024, 9:25 a.m.	process_identifier: 2788 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75bf1000 process_handle: 0xffffffff	1

Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation (1 event)

Time & API	Arguments	Status	Return	Repeated
GetDiskFreeSpaceExW July 3, 2024, 9:25 a.m.	total_number_of_free_bytes: 0 free_bytes_available: 13250097152 root_path: C:\Users\test22\AppData\Roaming\ total_number_of_bytes: 34252779520	1	1	0

Creates executable files on the filesystem (11 events)

file	C:\Users\test22\AppData\Local\Temp\is-22500844.tmp\Installer.exe
file	C:\Users\test22\AppData\Local\Temp\is-22500844.tmp\BrowserHelper.dll
file	C:\Users\test22\AppData\Local\Temp\is-22500844.tmp\SetupHelper.dll
file	C:\Users\test22\AppData\Local\Temp\is-22500844.tmp\CFAHelper.dll
file	C:\Users\test22\AppData\Local\Temp\is-22500844.tmp\DriverUpdater.exe
file	C:\Users\test22\AppData\Local\Temp\is-22500844.tmp\GoogleAnalyticsHelper.dll
file	C:\Users\test22\AppData\Local\Temp\is-22500844.tmp\GoogleAnalyticsHelperIV.dll
file	C:\Users\test22\AppData\Local\Temp\is-22500844.tmp\Localizer.dll
file	C:\Users\test22\AppData\Local\Temp\is-22500844.tmp\CommonForms.Site.dll
file	C:\Users\test22\AppData\Local\Temp\is-22500844.tmp\Downloader.exe
file	C:\Users\test22\AppData\Local\Temp\is-22500844.tmp\InstallerUtils.dll

Drops an executable to the user AppData folder (18 events)

file	C:\Users\test22\AppData\Local\Temp\is-22500844.tmp\OxComponentsRTL.bpl
file	C:\Users\test22\AppData\Local\Temp\is-22500844.tmp\CFAHelper.dll
file	C:\Users\test22\AppData\Local\Temp\is-22500844.tmp\CommonForms.Site.dll
file	C:\Users\test22\AppData\Local\Temp\is-22500844.tmp\vclie250.bpl
file	C:\Users\test22\AppData\Local\Temp\is-22500844.tmp\DriverUpdater.exe
file	C:\Users\test22\AppData\Local\Temp\is-22500844.tmp\SetupHelper.dll
file	C:\Users\test22\AppData\Local\Temp\is-22500844.tmp\Downloader.exe
file	C:\Users\test22\AppData\Local\Temp\is-22500844.tmp\Installer.exe
file	C:\Users\test22\AppData\Local\Temp\is-22500844.tmp\AxComponentsVCL.bpl
file	C:\Users\test22\AppData\Local\Temp\is-22500844.tmp\vcl250.bpl
file	C:\Users\test22\AppData\Local\Temp\is-22500844.tmp\vclimg250.bpl
file	C:\Users\test22\AppData\Local\Temp\is-22500844.tmp\GoogleAnalyticsHelperIV.dll
file	C:\Users\test22\AppData\Local\Temp\is-22500844.tmp\BrowserHelper.dll
file	C:\Users\test22\AppData\Local\Temp\is-22500844.tmp\GoogleAnalyticsHelper.dll
file	C:\Users\test22\AppData\Local\Temp\is-22500844.tmp\rtl250.bpl
file	C:\Users\test22\AppData\Local\Temp\is-22500844.tmp\AxComponentsRTL.bpl
file	C:\Users\test22\AppData\Local\Temp\is-22500844.tmp\Localizer.dll
file	C:\Users\test22\AppData\Local\Temp\is-22500844.tmp\InstallerUtils.dll

File has been identified by 4 AntiVirus engines on VirusTotal as malicious (4 events)

ESET-NOD32	a variant of Generik.IXKVLWK potentially unwanted
DrWeb	Program.Unwanted.5457
Malwarebytes	PUP.Optional.Outbyte
CrowdStrike	win/grayware_confidence_90% (D)

Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory July 3, 2024, 9:25 a.m.	process_identifier: 2788 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 65536 protection: 32 (PAGE_EXECUTE_READ) base_address: 0x07481000 process_handle: 0xffffffff	1	0	0

Queries for potentially installed applications (8 events)

Time & API	Arguments	Return
RegOpenKeyExW July 3, 2024, 9:25 a.m.	regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\{B38B494B-46F8-4765-8D92-31B8F10D8FD3}_is1 base_handle: 0x80000001 key_handle: 0x00000000 options: 0 access: 0x00000001 regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\{B38B494B-46F8-4765-8D92-31B8F10D8FD3}_is1	2
RegOpenKeyExW July 3, 2024, 9:25 a.m.	regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\B38B494B-46F8-4765-8D92-31B8F10D8FD3_is1 base_handle: 0x80000001 key_handle: 0x00000000 options: 0 access: 0x00000001 regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\B38B494B-46F8-4765-8D92-31B8F10D8FD3_is1	2
RegOpenKeyExW July 3, 2024, 9:25 a.m.	regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\{B38B494B-46F8-4765-8D92-31B8F10D8FD3}_is1 base_handle: 0x80000001 key_handle: 0x00000000 options: 0 access: 0x00000101 regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\{B38B494B-46F8-4765-8D92-31B8F10D8FD3}_is1	2
RegOpenKeyExW July 3, 2024, 9:25 a.m.	regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\B38B494B-46F8-4765-8D92-31B8F10D8FD3_is1 base_handle: 0x80000001 key_handle: 0x00000000 options: 0 access: 0x00000101 regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\B38B494B-46F8-4765-8D92-31B8F10D8FD3_is1	2
RegOpenKeyExW July 3, 2024, 9:25 a.m.	regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\{B38B494B-46F8-4765-8D92-31B8F10D8FD3}_is1 base_handle: 0x80000002 key_handle: 0x00000000 options: 0 access: 0x00000001 regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\{B38B494B-46F8-4765-8D92-31B8F10D8FD3}_is1	2
RegOpenKeyExW July 3, 2024, 9:25 a.m.	regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\B38B494B-46F8-4765-8D92-31B8F10D8FD3_is1 base_handle: 0x80000002 key_handle: 0x00000000 options: 0 access: 0x00000001 regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\B38B494B-46F8-4765-8D92-31B8F10D8FD3_is1	2
RegOpenKeyExW July 3, 2024, 9:25 a.m.	regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\{B38B494B-46F8-4765-8D92-31B8F10D8FD3}_is1 base_handle: 0x80000002 key_handle: 0x00000000 options: 0 access: 0x00000101 regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\{B38B494B-46F8-4765-8D92-31B8F10D8FD3}_is1	2
RegOpenKeyExW July 3, 2024, 9:25 a.m.	regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\B38B494B-46F8-4765-8D92-31B8F10D8FD3_is1 base_handle: 0x80000002 key_handle: 0x00000000 options: 0 access: 0x00000101 regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\B38B494B-46F8-4765-8D92-31B8F10D8FD3_is1	2

Checks the version of Bios, possibly for anti-virtualization (1 event)

registry

HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion

Deletes executed files from disk (1 event)

file	C:\Users\test22\AppData\Local\Temp

Attempts to create or modify system certificates (2 events)

registry	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\503006091D97D4F5AE39F7CBE7927D7D652D3431\Blob
registry	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\AFE5D244A8D1194230FF479FE2F897BBCD7A8CB4\Blob

outbyte-driver-updater.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All