Joe Sandbox Cloud Basic Analysis Report
Edit tour

Windows Analysis Report
IOA.bat

Overview

General Information

Sample name:IOA.bat
Analysis ID:1512994
MD5:04ceefdab7aaca32fbb352ae88c3a89a
SHA1:098d423f086301e4f1a2465b804b9193affd9f70
SHA256:c59fbfc3d93e62c1a5e30f3c26fa6be9e99ea4273f6af31bdacd1332425d7777
Infos:

Detection

Score:22
Range:0 - 100
Whitelisted:false
Confidence:80%

Signatures

Obfuscated command line found
Creates a process in suspended mode (likely to inject code)
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Potential Dosfuscation Activity
Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Classification

RansomwareSpreadingPhishingBankerTrojan / BotAdwareSpywareExploiterEvaderMinercleansuspiciousmalicious

Process Tree

  • System is w10x64
  • cmd.exe (PID: 6756 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\IOA.bat" " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • conhost.exe (PID: 6812 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 5460 cmdline: "cmd /c echo @echo off>temp.cmd&& echo set KEY_NAME=\"HKLM\\SOFTWARE\\Microsoft\\DataTransfer\\DataManagementGateway\\ConfigurationManager\">>temp.cmd&& echo FOR /F ^\"usebackq tokens=1,2,*\" ^A IN (`REG QUERY ^ /v DiacmdPath 2^^^>nul ^^^| find ^\"DiacmdPath\"`) DO ( set diacmdfile=^C )>>temp.cmd&& echo call :print ^\"^\">>temp.cmd&& echo set destDir=^\\Microsoft\\Data Transfer\\DataManagementGateway\\UserConfiguration\\>>temp.cmd&& echo move ^\"diawp.exe.config\" ^\"^\">>temp.cmd&& echo move ^\"diahost.exe.config\" ^\"^\">>temp.cmd&& echo goto :eof>>temp.cmd&& echo :print>>temp.cmd&& echo set folder=^>>temp.cmd&& echo EXIT /B ^0>>temp.cmd&& temp.cmd && del temp.cmd", MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
  • cleanup

Malware Configuration

No configs have been found

Yara Signatures

No yara matches

Sigma Signatures

Source: Process startedAuthor: frack113, Nasreddine Bencherchali (Nextron Systems): Data: Command: "cmd /c echo @echo off>temp.cmd&& echo set KEY_NAME=\"HKLM\\SOFTWARE\\Microsoft\\DataTransfer\\DataManagementGateway\\ConfigurationManager\">>temp.cmd&& echo FOR /F ^\"usebackq tokens=1,2,*\" ^A IN (`REG QUERY ^ /v DiacmdPath 2^^^>nul ^^^| find ^\"DiacmdPath\"`) DO ( set diacmdfile=^C )>>temp.cmd&& echo call :print ^\"^\">>temp.cmd&& echo set destDir=^\\Microsoft\\Data Transfer\\DataManagementGateway\\UserConfiguration\\>>temp.cmd&& echo move ^\"diawp.exe.config\" ^\"^\">>temp.cmd&& echo move ^\"diahost.exe.config\" ^\"^\">>temp.cmd&& echo goto :eof>>temp.cmd&& echo :print>>temp.cmd&& echo set folder=^>>temp.cmd&& echo EXIT /B ^0>>temp.cmd&& temp.cmd && del temp.cmd",, CommandLine: "cmd /c echo @echo off>temp.cmd&& echo set KEY_NAME=\"HKLM\\SOFTWARE\\Microsoft\\DataTransfer\\DataManagementGateway\\ConfigurationManager\">>temp.cmd&& echo FOR /F ^\"usebackq tokens=1,2,*\" ^A IN (`REG QUERY ^ /v DiacmdPath 2^^^>nul ^^^| find ^\"DiacmdPath\"`) DO ( set diacmdfile=^C )>>temp.cmd&& echo call :print ^\"^\">>temp.cmd&& echo set destDir=^\\Microsoft\\Data Transfer\\DataManagementGateway\\UserConfiguration\\>>temp.cmd&& echo move ^\"diawp.exe.config\" ^\"^\">>temp.cmd&& echo move ^\"diahost.exe.config\" ^\"^\">>temp.cmd&& echo goto :eof>>temp.cmd&& echo :print>>temp.cmd&& echo set folder=^>>temp.cmd&& echo EXIT /B ^0>>temp.cmd&& temp.cmd && del temp.cmd",, CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\IOA.bat" ", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 6756, ParentProcessName: cmd.exe, ProcessCommandLine: "cmd /c echo @echo off>temp.cmd&& echo set KEY_NAME=\"HKLM\\SOFTWARE\\Microsoft\\DataTransfer\\DataManagementGateway\\ConfigurationManager\">>temp.cmd&& echo FOR /F ^\"usebackq tokens=1,2,*\" ^A IN (`REG QUERY ^ /v DiacmdPath 2^^^>nul ^^^| find ^\"DiacmdPath\"`) DO ( set diacmdfile=^C )>>temp.cmd&& echo call :print ^\"^\">>temp.cmd&& echo set destDir=^\\Microsoft\\Data Transfer\\DataManagementGateway\\UserConfiguration\\>>temp.cmd&& echo move ^\"diawp.exe.config\" ^\"^\">>temp.cmd&& echo move ^\"diahost.exe.config\" ^\"^\">>temp.cmd&& echo goto :eof>>temp.cmd&& echo :print>>temp.cmd&& echo set folder=^>>temp.cmd&& echo EXIT /B ^0>>temp.cmd&& temp.cmd && del temp.cmd",, ProcessId: 5460, ProcessName: cmd.exe

Suricata Signatures

No Suricata rule has matched

Joe Sandbox Signatures

  • System Summary
  • Data Obfuscation
  • Hooking and other Techniques for Hiding and Protection
  • Malware Analysis System Evasion
  • HIPS / PFW / Operating System Protection Evasion

Click to jump to signature section

Show All Signature Results
Source: classification engineClassification label: sus22.winBAT@4/1@0/0
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6812:120:WilError_03
Source: unknownProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\IOA.bat" "
Source: unknownProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\IOA.bat" "
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe "cmd /c echo @echo off>temp.cmd&& echo set KEY_NAME=\"HKLM\\SOFTWARE\\Microsoft\\DataTransfer\\DataManagementGateway\\ConfigurationManager\">>temp.cmd&& echo FOR /F ^\"usebackq tokens=1,2,*\" ^A IN (`REG QUERY ^ /v DiacmdPath 2^^^>nul ^^^| find ^\"DiacmdPath\"`) DO ( set diacmdfile=^C )>>temp.cmd&& echo call :print ^\"^\">>temp.cmd&& echo set destDir=^\\Microsoft\\Data Transfer\\DataManagementGateway\\UserConfiguration\\>>temp.cmd&& echo move ^\"diawp.exe.config\" ^\"^\">>temp.cmd&& echo move ^\"diahost.exe.config\" ^\"^\">>temp.cmd&& echo goto :eof>>temp.cmd&& echo :print>>temp.cmd&& echo set folder=^>>temp.cmd&& echo EXIT /B ^0>>temp.cmd&& temp.cmd && del temp.cmd",
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe "cmd /c echo @echo off>temp.cmd&& echo set KEY_NAME=\"HKLM\\SOFTWARE\\Microsoft\\DataTransfer\\DataManagementGateway\\ConfigurationManager\">>temp.cmd&& echo FOR /F ^\"usebackq tokens=1,2,*\" ^A IN (`REG QUERY ^ /v DiacmdPath 2^^^>nul ^^^| find ^\"DiacmdPath\"`) DO ( set diacmdfile=^C )>>temp.cmd&& echo call :print ^\"^\">>temp.cmd&& echo set destDir=^\\Microsoft\\Data Transfer\\DataManagementGateway\\UserConfiguration\\>>temp.cmd&& echo move ^\"diawp.exe.config\" ^\"^\">>temp.cmd&& echo move ^\"diahost.exe.config\" ^\"^\">>temp.cmd&& echo goto :eof>>temp.cmd&& echo :print>>temp.cmd&& echo set folder=^>>temp.cmd&& echo EXIT /B ^0>>temp.cmd&& temp.cmd && del temp.cmd",Jump to behavior
Source: C:\Windows\System32\cmd.exeSection loaded: cmdext.dllJump to behavior
Source: C:\Windows\System32\cmd.exeSection loaded: cmdext.dllJump to behavior

Data Obfuscation

barindex
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe "cmd /c echo @echo off>temp.cmd&& echo set KEY_NAME=\"HKLM\\SOFTWARE\\Microsoft\\DataTransfer\\DataManagementGateway\\ConfigurationManager\">>temp.cmd&& echo FOR /F ^\"usebackq tokens=1,2,*\" ^A IN (`REG QUERY ^ /v DiacmdPath 2^^^>nul ^^^| find ^\"DiacmdPath\"`) DO ( set diacmdfile=^C )>>temp.cmd&& echo call :print ^\"^\">>temp.cmd&& echo set destDir=^\\Microsoft\\Data Transfer\\DataManagementGateway\\UserConfiguration\\>>temp.cmd&& echo move ^\"diawp.exe.config\" ^\"^\">>temp.cmd&& echo move ^\"diahost.exe.config\" ^\"^\">>temp.cmd&& echo goto :eof>>temp.cmd&& echo :print>>temp.cmd&& echo set folder=^>>temp.cmd&& echo EXIT /B ^0>>temp.cmd&& temp.cmd && del temp.cmd",
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe "cmd /c echo @echo off>temp.cmd&& echo set KEY_NAME=\"HKLM\\SOFTWARE\\Microsoft\\DataTransfer\\DataManagementGateway\\ConfigurationManager\">>temp.cmd&& echo FOR /F ^\"usebackq tokens=1,2,*\" ^A IN (`REG QUERY ^ /v DiacmdPath 2^^^>nul ^^^| find ^\"DiacmdPath\"`) DO ( set diacmdfile=^C )>>temp.cmd&& echo call :print ^\"^\">>temp.cmd&& echo set destDir=^\\Microsoft\\Data Transfer\\DataManagementGateway\\UserConfiguration\\>>temp.cmd&& echo move ^\"diawp.exe.config\" ^\"^\">>temp.cmd&& echo move ^\"diahost.exe.config\" ^\"^\">>temp.cmd&& echo goto :eof>>temp.cmd&& echo :print>>temp.cmd&& echo set folder=^>>temp.cmd&& echo EXIT /B ^0>>temp.cmd&& temp.cmd && del temp.cmd",
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe "cmd /c echo @echo off>temp.cmd&& echo set KEY_NAME=\"HKLM\\SOFTWARE\\Microsoft\\DataTransfer\\DataManagementGateway\\ConfigurationManager\">>temp.cmd&& echo FOR /F ^\"usebackq tokens=1,2,*\" ^A IN (`REG QUERY ^ /v DiacmdPath 2^^^>nul ^^^| find ^\"DiacmdPath\"`) DO ( set diacmdfile=^C )>>temp.cmd&& echo call :print ^\"^\">>temp.cmd&& echo set destDir=^\\Microsoft\\Data Transfer\\DataManagementGateway\\UserConfiguration\\>>temp.cmd&& echo move ^\"diawp.exe.config\" ^\"^\">>temp.cmd&& echo move ^\"diahost.exe.config\" ^\"^\">>temp.cmd&& echo goto :eof>>temp.cmd&& echo :print>>temp.cmd&& echo set folder=^>>temp.cmd&& echo EXIT /B ^0>>temp.cmd&& temp.cmd && del temp.cmd",Jump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe "cmd /c echo @echo off>temp.cmd&& echo set KEY_NAME=\"HKLM\\SOFTWARE\\Microsoft\\DataTransfer\\DataManagementGateway\\ConfigurationManager\">>temp.cmd&& echo FOR /F ^\"usebackq tokens=1,2,*\" ^A IN (`REG QUERY ^ /v DiacmdPath 2^^^>nul ^^^| find ^\"DiacmdPath\"`) DO ( set diacmdfile=^C )>>temp.cmd&& echo call :print ^\"^\">>temp.cmd&& echo set destDir=^\\Microsoft\\Data Transfer\\DataManagementGateway\\UserConfiguration\\>>temp.cmd&& echo move ^\"diawp.exe.config\" ^\"^\">>temp.cmd&& echo move ^\"diahost.exe.config\" ^\"^\">>temp.cmd&& echo goto :eof>>temp.cmd&& echo :print>>temp.cmd&& echo set folder=^>>temp.cmd&& echo EXIT /B ^0>>temp.cmd&& temp.cmd && del temp.cmd",Jump to behavior
Source: C:\Windows\System32\cmd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\cmd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe "cmd /c echo @echo off>temp.cmd&& echo set KEY_NAME=\"HKLM\\SOFTWARE\\Microsoft\\DataTransfer\\DataManagementGateway\\ConfigurationManager\">>temp.cmd&& echo FOR /F ^\"usebackq tokens=1,2,*\" ^A IN (`REG QUERY ^ /v DiacmdPath 2^^^>nul ^^^| find ^\"DiacmdPath\"`) DO ( set diacmdfile=^C )>>temp.cmd&& echo call :print ^\"^\">>temp.cmd&& echo set destDir=^\\Microsoft\\Data Transfer\\DataManagementGateway\\UserConfiguration\\>>temp.cmd&& echo move ^\"diawp.exe.config\" ^\"^\">>temp.cmd&& echo move ^\"diahost.exe.config\" ^\"^\">>temp.cmd&& echo goto :eof>>temp.cmd&& echo :print>>temp.cmd&& echo set folder=^>>temp.cmd&& echo EXIT /B ^0>>temp.cmd&& temp.cmd && del temp.cmd",Jump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe "cmd /c echo @echo off>temp.cmd&& echo set key_name=\"hklm\\software\\microsoft\\datatransfer\\datamanagementgateway\\configurationmanager\">>temp.cmd&& echo for /f ^\"usebackq tokens=1,2,*\" ^a in (`reg query ^ /v diacmdpath 2^^^>nul ^^^| find ^\"diacmdpath\"`) do ( set diacmdfile=^c )>>temp.cmd&& echo call :print ^\"^\">>temp.cmd&& echo set destdir=^\\microsoft\\data transfer\\datamanagementgateway\\userconfiguration\\>>temp.cmd&& echo move ^\"diawp.exe.config\" ^\"^\">>temp.cmd&& echo move ^\"diahost.exe.config\" ^\"^\">>temp.cmd&& echo goto :eof>>temp.cmd&& echo :print>>temp.cmd&& echo set folder=^>>temp.cmd&& echo exit /b ^0>>temp.cmd&& temp.cmd && del temp.cmd",
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe "cmd /c echo @echo off>temp.cmd&& echo set key_name=\"hklm\\software\\microsoft\\datatransfer\\datamanagementgateway\\configurationmanager\">>temp.cmd&& echo for /f ^\"usebackq tokens=1,2,*\" ^a in (`reg query ^ /v diacmdpath 2^^^>nul ^^^| find ^\"diacmdpath\"`) do ( set diacmdfile=^c )>>temp.cmd&& echo call :print ^\"^\">>temp.cmd&& echo set destdir=^\\microsoft\\data transfer\\datamanagementgateway\\userconfiguration\\>>temp.cmd&& echo move ^\"diawp.exe.config\" ^\"^\">>temp.cmd&& echo move ^\"diahost.exe.config\" ^\"^\">>temp.cmd&& echo goto :eof>>temp.cmd&& echo :print>>temp.cmd&& echo set folder=^>>temp.cmd&& echo exit /b ^0>>temp.cmd&& temp.cmd && del temp.cmd",Jump to behavior

Mitre Att&ck Matrix

ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
Gather Victim Identity Information1
Scripting		Valid Accounts11
Command and Scripting Interpreter		1
Scripting		11
Process Injection		11
Process Injection		OS Credential DumpingSystem Service DiscoveryRemote ServicesData from Local SystemData ObfuscationExfiltration Over Other Network MediumAbuse Accessibility Features
CredentialsDomainsDefault AccountsScheduled Task/Job1
DLL Side-Loading		1
DLL Side-Loading		1
Deobfuscate/Decode Files or Information		LSASS MemoryApplication Window DiscoveryRemote Desktop ProtocolData from Removable MediaJunk DataExfiltration Over BluetoothNetwork Denial of Service
Email AddressesDNS ServerDomain AccountsAtLogon Script (Windows)Logon Script (Windows)1
DLL Side-Loading		Security Account ManagerQuery RegistrySMB/Windows Admin SharesData from Network Shared DriveSteganographyAutomated ExfiltrationData Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 process2 2 Behavior Graph ID: 1512994 Sample: IOA.bat Startdate: 18/09/2024 Architecture: WINDOWS Score: 22 5 cmd.exe 1 2->5         started        signatures3 12 Obfuscated command line found 5->12 8 cmd.exe 2 5->8         started        10 conhost.exe 5->10         started        process4

Screenshots

Download Video

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.


windows-stand

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

No Antivirus matches

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

No Antivirus matches

Domains and IPs

Contacted Domains

No contacted domains info

World Map of Contacted IPs

No contacted IP infos

General Information

Joe Sandbox version:41.0.0 Charoite
Analysis ID:1512994
Start date and time:2024-09-18 09:45:36 +02:00
Joe Sandbox product:CloudBasic
Overall analysis duration:0h 1m 36s
Hypervisor based Inspection enabled:false
Report type:full
Cookbook file name:default.jbs
Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:3
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies:
  • HCA enabled
  • EGA enabled
  • AMSI enabled
Analysis Mode:default
Analysis stop reason:Timeout
Sample name:IOA.bat
Detection:SUS
Classification:sus22.winBAT@4/1@0/0
EGA Information:Failed
HCA Information:
  • Successful, ratio: 100%
  • Number of executed functions: 0
  • Number of non-executed functions: 0
Cookbook Comments:
  • Found application associated with file extension: .bat
  • Stop behavior analysis, all processes terminated
  • Not all processes where analyzed, report is missing behavior information

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASNs

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\Desktop\temp.cmd

Download File
Process:C:\Windows\System32\cmd.exe
File Type:ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):25
Entropy (8bit):4.213660689688185
Encrypted:false
SSDEEP:3:fbYbRQ8an:fbIPa
MD5:3B0125EEE0300F303EEEED5AB6800F99
SHA1:280F852C4C4DAC0A3A94DA2BB381BA6F60C27408
SHA-256:1C166CE7C90DED7C94A666E9EDB6FE98D6B30816EDDE583CF38B7DAACF723086
SHA-512:3966ECE716742A5CC36CBD9FC6FA1EBBFB9DA7F9BA7DB5033101EAFA929036366AFF39A7A5B1765B2FA4106DA0EF479D3BA698C0557D93449FC4D49BF93E24BB
Malicious:false
Reputation:low
Preview:set folder=>..EXIT /B 0..

Static File Info

General

File type:ASCII text, with very long lines (772), with no line terminators
Entropy (8bit):5.207505160698119
TrID:
    File name:IOA.bat
    File size:772 bytes
    MD5:04ceefdab7aaca32fbb352ae88c3a89a
    SHA1:098d423f086301e4f1a2465b804b9193affd9f70
    SHA256:c59fbfc3d93e62c1a5e30f3c26fa6be9e99ea4273f6af31bdacd1332425d7777
    SHA512:9a193b8f88a04c6117d03376c3d477d8c76aac90739a88d8577fe2344e9d0d797576c2b34e91a6be0435798dbff50893f66aa2aab474502e94f6b0032a5033c6
    SSDEEP:24:d+HsLQh1PIMum8IKw6Q+HNhiVWXej9ez4nHkdaDt:UHsM/Pzz+HNYVWXm9i4HcU
    TLSH:1801C402283C6E4638CA297BFF502508F319BDCF08C4AD475CA62035A8524D912EC6F6
    File Content Preview:"cmd /c echo @echo off>temp.cmd&& echo set KEY_NAME=\"HKLM\\SOFTWARE\\Microsoft\\DataTransfer\\DataManagementGateway\\ConfigurationManager\">>temp.cmd&& echo FOR /F ^\"usebackq tokens=1,2,*^\" ^%^%A IN (`REG QUERY ^%KEY_NAME^% /v DiacmdPath 2^^^>nul ^^^|

    File Icon

    Icon Hash:9686878b929a9886

    Network Behavior

    No network behavior found

    Statistics

    CPU Usage

    0246s020406080100

    Click to jump to process

    Memory Usage

    Click to jump to process

    Behavior

    Click to jump to process

    System Behavior

    General

    Target ID:0
    Start time:03:46:25
    Start date:18/09/2024
    Path:C:\Windows\System32\cmd.exe
    Wow64 process (32bit):false
    Commandline:C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\IOA.bat" "
    Imagebase:0x7ff6e27a0000
    File size:289'792 bytes
    MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Reputation:high
    Has exited:true
    Show Windows behavior

    File Activities

    Show Windows behavior

    Section Activities

    There is hidden Windows Behavior. Click on Show Windows Behavior to show it.
    There is hidden Windows Behavior. Click on Show Windows Behavior to show it.
    Show Windows behavior

    Process Activities

    There is hidden Windows Behavior. Click on Show Windows Behavior to show it.
    There is hidden Windows Behavior. Click on Show Windows Behavior to show it.
    There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

    General

    Target ID:1
    Start time:03:46:26
    Start date:18/09/2024
    Path:C:\Windows\System32\conhost.exe
    Wow64 process (32bit):false
    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Imagebase:0x7ff7699e0000
    File size:862'208 bytes
    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Reputation:high
    Has exited:true
    Show Windows behavior

    File Activities

    Show Windows behavior

    Section Activities

    There is hidden Windows Behavior. Click on Show Windows Behavior to show it.
    Show Windows behavior

    Mutex Activities

    There is hidden Windows Behavior. Click on Show Windows Behavior to show it.
    Show Windows behavior

    Thread Activities

    There is hidden Windows Behavior. Click on Show Windows Behavior to show it.
    There is hidden Windows Behavior. Click on Show Windows Behavior to show it.
    Show Windows behavior

    Windows UI Activities

    There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

    General

    Target ID:2
    Start time:03:46:26
    Start date:18/09/2024
    Path:C:\Windows\System32\cmd.exe
    Wow64 process (32bit):false
    Commandline:"cmd /c echo @echo off>temp.cmd&& echo set KEY_NAME=\"HKLM\\SOFTWARE\\Microsoft\\DataTransfer\\DataManagementGateway\\ConfigurationManager\">>temp.cmd&& echo FOR /F ^\"usebackq tokens=1,2,*\" ^A IN (`REG QUERY ^ /v DiacmdPath 2^^^>nul ^^^| find ^\"DiacmdPath\"`) DO ( set diacmdfile=^C )>>temp.cmd&& echo call :print ^\"^\">>temp.cmd&& echo set destDir=^\\Microsoft\\Data Transfer\\DataManagementGateway\\UserConfiguration\\>>temp.cmd&& echo move ^\"diawp.exe.config\" ^\"^\">>temp.cmd&& echo move ^\"diahost.exe.config\" ^\"^\">>temp.cmd&& echo goto :eof>>temp.cmd&& echo :print>>temp.cmd&& echo set folder=^>>temp.cmd&& echo EXIT /B ^0>>temp.cmd&& temp.cmd && del temp.cmd",
    Imagebase:0x7ff6e27a0000
    File size:289'792 bytes
    MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Reputation:high
    Has exited:true
    Show Windows behavior

    File Activities

    Show Windows behavior

    Section Activities

    There is hidden Windows Behavior. Click on Show Windows Behavior to show it.
    There is hidden Windows Behavior. Click on Show Windows Behavior to show it.
    Show Windows behavior

    Process Activities

    There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

    Disassembly

    No disassembly