Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Dec. 18, 2023, 7:47 a.m.	Dec. 18, 2023, 7:49 a.m.

Size	1.3MB
Type	PE32 executable (console) Intel 80386, for MS Windows
MD5	`2e600b1ff7cd82c6402bb280720ced61`
SHA256	`c2ae169495738288c01df97f582da3db67e4f4d4514be563a7e2cbc069b76448`
CRC32	`1BE19488`
ssdeep	`24576:w+7dsbKHIny1loKiqxsbOMVolrhuXvc9Ft2rmeOaNRRL:Non782UTt2rm1KDL`
Yara	Malicious_Library_Zero - Malicious_Library IsPE32 - (no description) PE_Header_Zero - PE File Signature Admin_Tool_IN_Zero - Admin Tool Sysinternals UPX_Zero - UPX packed file mzp_file_format - MZP(Delphi) file format

TierDiagnosis.exe "C:\Users\test22\AppData\Local\Temp\TierDiagnosis.exe"
2544
- cmd.exe cmd /k cmd < Bathrooms & exit
  2680
  - cmd.exe cmd
    2764
    - findstr.exe findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"
      2844
    - tasklist.exe tasklist
      2808
    - tasklist.exe tasklist
      2956
    - findstr.exe findstr /I "wrsa.exe"
      2992
    - cmd.exe cmd /c mkdir 29161
      3064
    - cmd.exe cmd /c copy /b Compound + Injection + Emperor + Worm + Participants 29161\Moscow.pif
      1964
    - cmd.exe cmd /c copy /b Lt 29161\x
      2120
    - Moscow.pif 29161\Moscow.pif 29161\x
      2136
    - PING.EXE ping -n 5 localhost
      2564
cmd.exe cmd /k echo [InternetShortcut] > "C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MarketWise.url" & echo URL="C:\Users\test22\AppData\Local\Insightful Markets Technologies\MarketWise.js" >> "C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MarketWise.url" & exit
2220
cmd.exe cmd /c schtasks.exe /create /tn "Watson" /tr "wscript 'C:\Users\test22\AppData\Local\Insightful Markets Technologies\MarketWise.js'" /sc minute /mo 3 /F
2260
- schtasks.exe schtasks.exe /create /tn "Watson" /tr "wscript 'C:\Users\test22\AppData\Local\Insightful Markets Technologies\MarketWise.js'" /sc minute /mo 3 /F
  2516

Name	Response	Post-Analysis Lookup
KUHhhnlUmHdzjZFqZYoOtpryMyR.KUHhhnlUmHdzjZFqZYoOtpryMyR

IP Address	Status	Action
164.124.101.2	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (3 events)

Time & API	Arguments	Status	Return
GetComputerNameW Dec. 18, 2023, 7:47 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Dec. 18, 2023, 7:47 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Dec. 18, 2023, 7:47 a.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (1 event)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Dec. 18, 2023, 7:47 a.m.			0	0

Command line console output was observed (50 out of 403 events)

Time & API	Arguments	Status	Return
WriteConsoleW Dec. 18, 2023, 7:47 a.m.	buffer: Microsoft Windows [Version 6.1.7601] console_handle: 0x00000007	1	1
WriteConsoleW Dec. 18, 2023, 7:47 a.m.	buffer: Copyright (c) 2009 Microsoft Corporation. All rights reserved. console_handle: 0x00000007	1	1
WriteConsoleW Dec. 18, 2023, 7:47 a.m.	buffer: C:\Users\test22\AppData\Local\Temp\24091> console_handle: 0x00000007	1	1
WriteConsoleW Dec. 18, 2023, 7:47 a.m.	buffer: Set FQLkahNYegmBKrGJudSfEMxVFzLxYDMisInPYTcXCzP=p console_handle: 0x00000007	1	1
WriteConsoleW Dec. 18, 2023, 7:47 a.m.	buffer: C:\Users\test22\AppData\Local\Temp\24091> console_handle: 0x00000007	1	1
WriteConsoleW Dec. 18, 2023, 7:47 a.m.	buffer: hJDeIuhCprScPFYBzqmBslwF=KhVUMlWwlaJosfbmFiEFzphvco console_handle: 0x00000007	1	1
WriteConsoleW Dec. 18, 2023, 7:47 a.m.	buffer: 'hJDeIuhCprScPFYBzqmBslwF' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW Dec. 18, 2023, 7:47 a.m.	buffer: C:\Users\test22\AppData\Local\Temp\24091> console_handle: 0x00000007	1	1
WriteConsoleW Dec. 18, 2023, 7:47 a.m.	buffer: dRzrHXkYSsHvSWzFh=aeKewMebqvAZnnE console_handle: 0x00000007	1	1
WriteConsoleW Dec. 18, 2023, 7:47 a.m.	buffer: 'dRzrHXkYSsHvSWzFh' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW Dec. 18, 2023, 7:47 a.m.	buffer: C:\Users\test22\AppData\Local\Temp\24091> console_handle: 0x00000007	1	1
WriteConsoleW Dec. 18, 2023, 7:47 a.m.	buffer: GlQgwkusEiXLMIqEqoruIhPHwl=ObSTpSwfoPYjiWzbUOdKsvWZdcno console_handle: 0x00000007	1	1
WriteConsoleW Dec. 18, 2023, 7:47 a.m.	buffer: 'GlQgwkusEiXLMIqEqoruIhPHwl' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW Dec. 18, 2023, 7:47 a.m.	buffer: C:\Users\test22\AppData\Local\Temp\24091> console_handle: 0x00000007	1	1
WriteConsoleW Dec. 18, 2023, 7:47 a.m.	buffer: cohQgsTLgOSKzRPwV=lfQUSKmFsBTDNxSWNGKvSEmLFqnq console_handle: 0x00000007	1	1
WriteConsoleW Dec. 18, 2023, 7:47 a.m.	buffer: 'cohQgsTLgOSKzRPwV' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW Dec. 18, 2023, 7:47 a.m.	buffer: C:\Users\test22\AppData\Local\Temp\24091> console_handle: 0x00000007	1	1
WriteConsoleW Dec. 18, 2023, 7:47 a.m.	buffer: FuXxmhTCAfDdJZaSKqnRvtosmrFPt=SjmHMxVoguZxjdi console_handle: 0x00000007	1	1
WriteConsoleW Dec. 18, 2023, 7:47 a.m.	buffer: 'FuXxmhTCAfDdJZaSKqnRvtosmrFPt' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW Dec. 18, 2023, 7:47 a.m.	buffer: C:\Users\test22\AppData\Local\Temp\24091> console_handle: 0x00000007	1	1
WriteConsoleW Dec. 18, 2023, 7:47 a.m.	buffer: pEiTUZZoBBY=VcIrbkbsRehXWCLaSwRRlx console_handle: 0x00000007	1	1
WriteConsoleW Dec. 18, 2023, 7:47 a.m.	buffer: 'pEiTUZZoBBY' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW Dec. 18, 2023, 7:47 a.m.	buffer: C:\Users\test22\AppData\Local\Temp\24091> console_handle: 0x00000007	1	1
WriteConsoleW Dec. 18, 2023, 7:47 a.m.	buffer: qIlxSjdykvfjTbVWqTPhispXagG=mJuvBBHchREtAWwB console_handle: 0x00000007	1	1
WriteConsoleW Dec. 18, 2023, 7:47 a.m.	buffer: 'qIlxSjdykvfjTbVWqTPhispXagG' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW Dec. 18, 2023, 7:47 a.m.	buffer: C:\Users\test22\AppData\Local\Temp\24091> console_handle: 0x00000007	1	1
WriteConsoleW Dec. 18, 2023, 7:47 a.m.	buffer: Set fSUWyRYxuMInhwEFqFCfSLsQAJpgKMldHfecMxxRow=g console_handle: 0x00000007	1	1
WriteConsoleW Dec. 18, 2023, 7:47 a.m.	buffer: C:\Users\test22\AppData\Local\Temp\24091> console_handle: 0x00000007	1	1
WriteConsoleW Dec. 18, 2023, 7:47 a.m.	buffer: YWZPqnAdmjPEAtccIJJzCaQYY=TGkKiQdDRDKzg console_handle: 0x00000007	1	1
WriteConsoleW Dec. 18, 2023, 7:47 a.m.	buffer: 'YWZPqnAdmjPEAtccIJJzCaQYY' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW Dec. 18, 2023, 7:47 a.m.	buffer: C:\Users\test22\AppData\Local\Temp\24091> console_handle: 0x00000007	1	1
WriteConsoleW Dec. 18, 2023, 7:47 a.m.	buffer: jUQcAnVHYYpnaw=GywQREUyOtYgXj console_handle: 0x00000007	1	1
WriteConsoleW Dec. 18, 2023, 7:47 a.m.	buffer: 'jUQcAnVHYYpnaw' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW Dec. 18, 2023, 7:47 a.m.	buffer: C:\Users\test22\AppData\Local\Temp\24091> console_handle: 0x00000007	1	1
WriteConsoleW Dec. 18, 2023, 7:47 a.m.	buffer: LgcbuHBcbAhjHjAJngdlbICvHaO=dClXxyhUeU console_handle: 0x00000007	1	1
WriteConsoleW Dec. 18, 2023, 7:47 a.m.	buffer: 'LgcbuHBcbAhjHjAJngdlbICvHaO' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW Dec. 18, 2023, 7:47 a.m.	buffer: C:\Users\test22\AppData\Local\Temp\24091> console_handle: 0x00000007	1	1
WriteConsoleW Dec. 18, 2023, 7:47 a.m.	buffer: EyKDdEajTgcmZGexeMZQOTmtVdd=BYFGDzMyMtkSgyVNVelsaKlort console_handle: 0x00000007	1	1
WriteConsoleW Dec. 18, 2023, 7:47 a.m.	buffer: 'EyKDdEajTgcmZGexeMZQOTmtVdd' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW Dec. 18, 2023, 7:47 a.m.	buffer: C:\Users\test22\AppData\Local\Temp\24091> console_handle: 0x00000007	1	1
WriteConsoleW Dec. 18, 2023, 7:47 a.m.	buffer: LFGIqgBKUIOW=UWIXAuCIXLoTyYnQNbDmhw console_handle: 0x00000007	1	1
WriteConsoleW Dec. 18, 2023, 7:47 a.m.	buffer: 'LFGIqgBKUIOW' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW Dec. 18, 2023, 7:47 a.m.	buffer: C:\Users\test22\AppData\Local\Temp\24091> console_handle: 0x00000007	1	1
WriteConsoleW Dec. 18, 2023, 7:47 a.m.	buffer: uvkEMcwyiuEvvejIXCbN=bPUfeTukkvaScBBfCPhWGwMBBeN console_handle: 0x00000007	1	1
WriteConsoleW Dec. 18, 2023, 7:47 a.m.	buffer: 'uvkEMcwyiuEvvejIXCbN' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW Dec. 18, 2023, 7:47 a.m.	buffer: C:\Users\test22\AppData\Local\Temp\24091> console_handle: 0x00000007	1	1
WriteConsoleW Dec. 18, 2023, 7:47 a.m.	buffer: OGXQhGJHdfJBUTWJjEqB=axMpQhvezNqyFvFmBFPSTYjy console_handle: 0x00000007	1	1
WriteConsoleW Dec. 18, 2023, 7:47 a.m.	buffer: 'OGXQhGJHdfJBUTWJjEqB' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW Dec. 18, 2023, 7:47 a.m.	buffer: C:\Users\test22\AppData\Local\Temp\24091> console_handle: 0x00000007	1	1
WriteConsoleW Dec. 18, 2023, 7:47 a.m.	buffer: Set eNyrfXwjPvklGvzjFXCJcfbspKYkJSzoHbOmsYrPZTQq=s console_handle: 0x00000007	1	1

The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 event)

section

.itext

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Allocates read-write-execute memory (usually to unpack itself) (4 events)

Time & API	Arguments	Status
NtProtectVirtualMemory Dec. 18, 2023, 7:47 a.m.	process_identifier: 2544 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x734c2000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 18, 2023, 7:47 a.m.	process_identifier: 2544 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005c0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Dec. 18, 2023, 7:47 a.m.	process_identifier: 2136 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x734c2000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 18, 2023, 7:48 a.m.	process_identifier: 2136 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b50000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Creates executable files on the filesystem (3 events)

file	C:\Users\test22\AppData\Local\Insightful Markets Technologies\MarketWise.js
file	C:\Users\test22\AppData\Local\Temp\24091\29161\Moscow.pif
file	C:\Users\test22\AppData\Local\Insightful Markets Technologies\MarketWise.pif

Creates a suspicious process (2 events)

cmdline	schtasks.exe /create /tn "Watson" /tr "wscript 'C:\Users\test22\AppData\Local\Insightful Markets Technologies\MarketWise.js'" /sc minute /mo 3 /F
cmdline	cmd /c schtasks.exe /create /tn "Watson" /tr "wscript 'C:\Users\test22\AppData\Local\Insightful Markets Technologies\MarketWise.js'" /sc minute /mo 3 /F

Drops a binary and executes it (1 event)

file	C:\Users\test22\AppData\Local\Temp\24091\29161\Moscow.pif

Drops an executable to the user AppData folder (3 events)

file	C:\Users\test22\AppData\Local\Temp\24091\29161\Moscow.pif
file	C:\Users\test22\AppData\Local\Temp\24091\Compound
file	C:\Users\test22\AppData\Local\Temp\TierDiagnosis.exe

Executes one or more WMI queries (1 event)

wmi	SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process

Searches running processes potentially to identify processes for sandbox evasion, code injection or memory dumping (9 events)

Time & API	Arguments	Status	Return
Process32NextW Dec. 18, 2023, 7:47 a.m.	snapshot_handle: 0x00000138 process_name: taskhost.exe process_identifier: 2352	1	1
Process32NextW Dec. 18, 2023, 7:47 a.m.	snapshot_handle: 0x00000138 process_name: TierDiagnosis.exe process_identifier: 2544	1	1
Process32NextW Dec. 18, 2023, 7:47 a.m.	snapshot_handle: 0x00000138 process_name: cmd.exe process_identifier: 2680	1	1
Process32NextW Dec. 18, 2023, 7:47 a.m.	snapshot_handle: 0x00000138 process_name: cmd.exe process_identifier: 2764	1	1
Process32NextW Dec. 18, 2023, 7:47 a.m.	snapshot_handle: 0x00000138 process_name: WmiPrvSE.exe process_identifier: 2916	1	1
Process32NextW Dec. 18, 2023, 7:47 a.m.	snapshot_handle: 0x00000138 process_name: Moscow.pif process_identifier: 2136	1	1
Process32NextW Dec. 18, 2023, 7:47 a.m.	snapshot_handle: 0x00000138 process_name: inject-x86.exe process_identifier: 2188	1	1
Process32NextW Dec. 18, 2023, 7:47 a.m.	snapshot_handle: 0x0000014c process_name: cmd.exe process_identifier: 2220	1	1
Process32NextW Dec. 18, 2023, 7:48 a.m.	snapshot_handle: 0x000001a4 process_name: taskhost.exe process_identifier: 2984	1	1

Checks for the Locally Unique Identifier on the system for a suspicious privilege (2 events)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW Dec. 18, 2023, 7:47 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0
LookupPrivilegeValueW Dec. 18, 2023, 7:47 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Potentially malicious URLs were found in the process memory dump (3 events)

url	http://www.microsoft.com/schemas/ie8tldlistdescription/1.0
url	http://purl.org/rss/1.0/
url	http://www.passport.com

Yara rule detected in process memory (45 events)

description	task schedule	rule	schtasks_Zero
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerCheck__RemoteAPI
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	Affect hook table	rule	win_hook
description	Run a KeyLogger	rule	KeyLogger
description	Create a windows service	rule	Create_Service
description	Communications over RAW Socket	rule	Network_TCP_Socket
description	Communication using DGA	rule	Network_DGA
description	Match Windows Http API call	rule	Str_Win32_Http_API
description	Take ScreenShot	rule	ScreenShot
description	Escalate priviledges	rule	Escalate_priviledges
description	Steal credential	rule	local_credential_Steal
description	PWS Memory	rule	Generic_PWS_Memory_Zero
description	Hijack network configuration	rule	Hijack_Network
description	Record Audio	rule	Sniff_Audio
description	Communications over HTTP	rule	Network_HTTP
description	Communications use DNS	rule	Network_DNS
description	Code injection with CreateRemoteThread in a remote process	rule	Code_injection
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerCheck__RemoteAPI
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	DebuggerException__ConsoleCtrl
description	(no description)	rule	DebuggerException__SetConsoleCtrl
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	(no description)	rule	Check_Dlls
description	Checks if being debugged	rule	anti_dbg
description	Anti-Sandbox checks for ThreatExpert	rule	antisb_threatExpert
description	Bypass DEP	rule	disable_dep
description	Affect hook table	rule	win_hook
description	File Downloader	rule	Network_Downloader
description	Match Windows Inet API call	rule	Str_Win32_Internet_API
description	Install itself for autorun at Windows startup	rule	Persistence
description	Communications over FTP	rule	Network_FTP
description	Run a KeyLogger	rule	KeyLogger
description	Communications over P2P network	rule	Network_P2P_Win

Terminates another process (2 events)

Time & API	Arguments	Status	Return	Repeated
NtTerminateProcess Dec. 18, 2023, 7:47 a.m.	status_code: 0x00000000 process_identifier: 2544 process_handle: 0x0000015c		0	0
NtTerminateProcess Dec. 18, 2023, 7:47 a.m.	status_code: 0x00000000 process_identifier: 2544 process_handle: 0x0000015c	1	0	0

Uses Windows utilities for basic Windows functionality (7 events)

cmdline	cmd /k echo [InternetShortcut] > "C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MarketWise.url" & echo URL="C:\Users\test22\AppData\Local\Insightful Markets Technologies\MarketWise.js" >> "C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MarketWise.url" & exit
cmdline	tasklist
cmdline	schtasks.exe /create /tn "Watson" /tr "wscript 'C:\Users\test22\AppData\Local\Insightful Markets Technologies\MarketWise.js'" /sc minute /mo 3 /F
cmdline	C:\Users\test22\AppData\Local\Temp\24091\29161\jsc.exe
cmdline	cmd /c schtasks.exe /create /tn "Watson" /tr "wscript 'C:\Users\test22\AppData\Local\Insightful Markets Technologies\MarketWise.js'" /sc minute /mo 3 /F
cmdline	cmd /c mkdir 29161
cmdline	ping -n 5 localhost

One or more of the buffers contains an embedded PE file (2 events)

buffer	Buffer with sha1: 89b460279f46ab33438ffd871d3624372adb73cb
buffer	Buffer with sha1: 4824521392df35491b51b2c0a0cf316eba307acb

Allocates execute permission to another process indicative of possible code injection (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory Dec. 18, 2023, 7:48 a.m.	process_identifier: 1264 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 90112 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000f0000 process_handle: 0x0000023c	1	0	0

Installs itself for autorun at Windows startup (3 events)

file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MarketWise.url
cmdline	schtasks.exe /create /tn "Watson" /tr "wscript 'C:\Users\test22\AppData\Local\Insightful Markets Technologies\MarketWise.js'" /sc minute /mo 3 /F
cmdline	cmd /c schtasks.exe /create /tn "Watson" /tr "wscript 'C:\Users\test22\AppData\Local\Insightful Markets Technologies\MarketWise.js'" /sc minute /mo 3 /F

Manipulates memory of a non-child process indicative of process injection (3 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2136 manipulating memory of non-child process 1264
NtAllocateVirtualMemory Dec. 18, 2023, 7:48 a.m.	process_identifier: 1264 region_size: 90112 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 4 (PAGE_READWRITE) base_address: 0x000f0000 allocation_type: 12289 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000023c	1	0	0
NtProtectVirtualMemory Dec. 18, 2023, 7:48 a.m.	process_identifier: 1264 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 90112 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000f0000 process_handle: 0x0000023c	1	0	0

Expresses interest in specific running processes (4 events)

process: potential process injection target	explorer.exe
process	tierdiagnosis.exe
process	moscow.pif
process	cmd.exe

Resumed a suspended thread in a remote process potentially indicative of process injection (4 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2764 resumed a thread in remote process 2136
Process injection	Process 2136 resumed a thread in remote process 1264
NtResumeThread Dec. 18, 2023, 7:47 a.m.	thread_handle: 0x00000090 suspend_count: 0 process_identifier: 2136	1	0	0
NtResumeThread Dec. 18, 2023, 7:48 a.m.	thread_handle: 0x00000240 suspend_count: 1 process_identifier: 1264	1	0	0

Executed a process and injected code into it, probably while unpacking (19 events)

Time & API	Arguments	Status	Return
CreateProcessInternalW Dec. 18, 2023, 7:47 a.m.	thread_identifier: 2684 thread_handle: 0x00000020 process_identifier: 2680 current_directory: C:\Users\test22\AppData\Local\Temp\24091 filepath: track: 1 command_line: cmd /k cmd < Bathrooms & exit filepath_r: stack_pivoted: 0 creation_flags: 0 () inherit_handles: 0 process_handle: 0x0000002c	1	1
CreateProcessInternalW Dec. 18, 2023, 7:47 a.m.	thread_identifier: 2768 thread_handle: 0x00000088 process_identifier: 2764 current_directory: C:\Users\test22\AppData\Local\Temp\24091 filepath: C:\Windows\System32\cmd.exe track: 1 command_line: cmd filepath_r: C:\Windows\system32\cmd.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x0000008c	1	1
CreateProcessInternalW Dec. 18, 2023, 7:47 a.m.	thread_identifier: 2812 thread_handle: 0x00000094 process_identifier: 2808 current_directory: C:\Users\test22\AppData\Local\Temp\24091 filepath: C:\Windows\System32\tasklist.exe track: 1 command_line: tasklist filepath_r: C:\Windows\system32\tasklist.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x0000009c	1	1
CreateProcessInternalW Dec. 18, 2023, 7:47 a.m.	thread_identifier: 2848 thread_handle: 0x00000094 process_identifier: 2844 current_directory: C:\Users\test22\AppData\Local\Temp\24091 filepath: C:\Windows\System32\findstr.exe track: 1 command_line: findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe" filepath_r: C:\Windows\system32\findstr.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x000000a4	1	1
CreateProcessInternalW Dec. 18, 2023, 7:47 a.m.	thread_identifier: 2960 thread_handle: 0x0000009c process_identifier: 2956 current_directory: C:\Users\test22\AppData\Local\Temp\24091 filepath: C:\Windows\System32\tasklist.exe track: 1 command_line: tasklist filepath_r: C:\Windows\system32\tasklist.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x00000090	1	1
CreateProcessInternalW Dec. 18, 2023, 7:47 a.m.	thread_identifier: 2996 thread_handle: 0x0000009c process_identifier: 2992 current_directory: C:\Users\test22\AppData\Local\Temp\24091 filepath: C:\Windows\System32\findstr.exe track: 1 command_line: findstr /I "wrsa.exe" filepath_r: C:\Windows\system32\findstr.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x000000a8	1	1
CreateProcessInternalW Dec. 18, 2023, 7:47 a.m.	thread_identifier: 3068 thread_handle: 0x000000a8 process_identifier: 3064 current_directory: C:\Users\test22\AppData\Local\Temp\24091 filepath: C:\Windows\System32\cmd.exe track: 1 command_line: cmd /c mkdir 29161 filepath_r: C:\Windows\system32\cmd.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x00000090	1	1
CreateProcessInternalW Dec. 18, 2023, 7:47 a.m.	thread_identifier: 908 thread_handle: 0x00000090 process_identifier: 1964 current_directory: C:\Users\test22\AppData\Local\Temp\24091 filepath: C:\Windows\System32\cmd.exe track: 1 command_line: cmd /c copy /b Compound + Injection + Emperor + Worm + Participants 29161\Moscow.pif filepath_r: C:\Windows\system32\cmd.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x000000a8	1	1
CreateProcessInternalW Dec. 18, 2023, 7:47 a.m.	thread_identifier: 2124 thread_handle: 0x000000a8 process_identifier: 2120 current_directory: C:\Users\test22\AppData\Local\Temp\24091 filepath: C:\Windows\System32\cmd.exe track: 1 command_line: cmd /c copy /b Lt 29161\x filepath_r: C:\Windows\system32\cmd.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x00000090	1	1
CreateProcessInternalW Dec. 18, 2023, 7:47 a.m.	thread_identifier: 2064 thread_handle: 0x00000090 process_identifier: 2136 current_directory: filepath: C:\Users\test22\AppData\Local\Temp\24091\29161\Moscow.pif track: 1 command_line: 29161\Moscow.pif 29161\x filepath_r: C:\Users\test22\AppData\Local\Temp\24091\29161\Moscow.pif stack_pivoted: 0 creation_flags: 525328 (CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x000000a8	1	1
NtResumeThread Dec. 18, 2023, 7:47 a.m.	thread_handle: 0x00000090 suspend_count: 0 process_identifier: 2136	1	0
CreateProcessInternalW Dec. 18, 2023, 7:47 a.m.	thread_identifier: 2556 thread_handle: 0x000000a8 process_identifier: 2564 current_directory: C:\Users\test22\AppData\Local\Temp\24091 filepath: C:\Windows\System32\PING.EXE track: 1 command_line: ping -n 5 localhost filepath_r: C:\Windows\system32\PING.EXE stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x00000090	1	1
CreateProcessInternalW Dec. 18, 2023, 7:47 a.m.	thread_identifier: 2228 thread_handle: 0x00000138 process_identifier: 2220 current_directory: filepath: track: 1 command_line: cmd /k echo [InternetShortcut] > "C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MarketWise.url" & echo URL="C:\Users\test22\AppData\Local\Insightful Markets Technologies\MarketWise.js" >> "C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MarketWise.url" & exit filepath_r: stack_pivoted: 0 creation_flags: 134742016 (CREATE_NO_WINDOW\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000148	1	1
CreateProcessInternalW Dec. 18, 2023, 7:47 a.m.	thread_identifier: 2264 thread_handle: 0x0000014c process_identifier: 2260 current_directory: filepath: track: 1 command_line: cmd /c schtasks.exe /create /tn "Watson" /tr "wscript 'C:\Users\test22\AppData\Local\Insightful Markets Technologies\MarketWise.js'" /sc minute /mo 3 /F filepath_r: stack_pivoted: 0 creation_flags: 134742016 (CREATE_NO_WINDOW\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000154	1	1
CreateProcessInternalW Dec. 18, 2023, 7:48 a.m.	thread_identifier: 1336 thread_handle: 0x00000240 process_identifier: 1264 current_directory: filepath: track: 1 command_line: C:\Users\test22\AppData\Local\Temp\24091\29161\jsc.exe filepath_r: stack_pivoted: 0 creation_flags: 134742020 (CREATE_NO_WINDOW\|CREATE_SUSPENDED\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x0000023c	1	1
NtGetContextThread Dec. 18, 2023, 7:48 a.m.	thread_handle: 0x00000240	1	0
NtAllocateVirtualMemory Dec. 18, 2023, 7:48 a.m.	process_identifier: 1264 region_size: 90112 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 4 (PAGE_READWRITE) base_address: 0x000f0000 allocation_type: 12289 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000023c	1	0
NtResumeThread Dec. 18, 2023, 7:48 a.m.	thread_handle: 0x00000240 suspend_count: 1 process_identifier: 1264	1	0
CreateProcessInternalW Dec. 18, 2023, 7:47 a.m.	thread_identifier: 2512 thread_handle: 0x00000084 process_identifier: 2516 current_directory: C:\Users\test22\AppData\Local\Temp\24091 filepath: C:\Windows\System32\schtasks.exe track: 1 command_line: schtasks.exe /create /tn "Watson" /tr "wscript 'C:\Users\test22\AppData\Local\Insightful Markets Technologies\MarketWise.js'" /sc minute /mo 3 /F filepath_r: C:\Windows\system32\schtasks.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x00000088	1	1

File has been identified by 48 AntiVirus engines on VirusTotal as malicious (48 events)

Bkav	W32.AIDetectMalware
Cynet	Malicious (score: 99)
FireEye	Trojan.GenericKD.70770412
CAT-QuickHeal	Backdoor.Agent
Skyhigh	BehavesLike.Win32.Infected.th
ALYac	Trojan.GenericKD.70770412
Malwarebytes	Backdoor.AsyncRAT
VIPRE	Trojan.GenericKD.70770412
Sangfor	Dropper.Win32.Agent.Vyxj
Alibaba	TrojanDropper:Win32/Generic.24361e2b
Symantec	Trojan.Gen.MBT
ESET-NOD32	Win32/TrojanDropper.Delf.ACL
Kaspersky	HEUR:Backdoor.Win32.Agent.gen
BitDefender	Trojan.GenericKD.70770412
MicroWorld-eScan	Trojan.GenericKD.70770412
Avast	Win32:DropperX-gen [Drp]
Rising	Trojan.Generic@AI.92 (RDML:iHeXxLKlS01cvpkjzzcMoA)
Emsisoft	Trojan.GenericKD.70770412 (B)
F-Secure	Trojan.TR/AD.Nekark.eajia
DrWeb	Trojan.Siggen22.36855
TrendMicro	Backdoor.Win32.ASYNCRAT.YXDLMZ
Sophos	Mal/Generic-S
Ikarus	Trojan-Dropper.Win32.Delf
GData	Trojan.GenericKD.70770412
Webroot	W32.Trojan.GenKD
Varist	W32/ABRisk.XLHO-7244
Avira	TR/AD.Nekark.eajia
Antiy-AVL	Trojan[Dropper]/Win32.Delf
Kingsoft	Win32.Hack.Agent.gen
Gridinsoft	Trojan.Win32.AsyncRAT.tr
Xcitium	Malware@#vefedprwo46l
Arcabit	Trojan.Generic.D437DEEC
ZoneAlarm	HEUR:Backdoor.Win32.Agent.gen
Microsoft	Trojan:Win32/ScarletFlash.A
Google	Detected
AhnLab-V3	Malware/Win.Generic.C5562661
McAfee	Artemis!2E600B1FF7CD
MAX	malware (ai score=87)
VBA32	TScope.Trojan.Delf
Cylance	unsafe
Panda	Trj/Chgt.AD
TrendMicro-HouseCall	Backdoor.Win32.ASYNCRAT.YXDLMZ
Tencent	Win32.Backdoor.Agent.Wylw
MaxSecure	Trojan.Malware.9530778.susgen
Fortinet	PossibleThreat.MU
AVG	Win32:DropperX-gen [Drp]
DeepInstinct	MALICIOUS
CrowdStrike	win/malicious_confidence_100% (W)

TierDiagnosis.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All