File 7347f0b12918ef4e7b6cefdd29f8c6a39fcc8a4b06385f104460583808c2492a.bat

Size 1.3MB
Type DOS batch file, ASCII text, with very long lines (62677), with CRLF line terminators
MD5 d545f3a8ca8b9f11b4bcf941bd874892
SHA1 11cb58f5142dff7d634d991ac2cdf21e0267235f
SHA256 7347f0b12918ef4e7b6cefdd29f8c6a39fcc8a4b06385f104460583808c2492a
SHA512 26a949044f05b2685f678a2ecc4f55d9a7b6c8fed9e6d4644cbe917a3c0bc3391b7c302fb0783a297d60a2e090201f96fe02cc82f276438991eb7aa46cf1a69c
CRC32 09282139
ssdeep None
Yara
  • GEN_PowerShell - Generic PowerShell Malware Rule
  • powershell - (no description)

Score

This file is very suspicious, with a score of 10 out of 10!

Please note: the scoring system is still in development and should be considered an alpha feature.

Information on Execution

Analysis
Category Started Completed Duration Routing
FILE April 4, 2026, 12:32 p.m. April 4, 2026, 12:34 p.m. 152 seconds internet

Analyzer Log

2026-04-04 12:32:05,015 [analyzer] DEBUG: Starting analyzer from: C:\tmpwoh6zt
2026-04-04 12:32:05,015 [analyzer] DEBUG: Pipe server name: \??\PIPE\GZMdyKahBsuHCKeVYaHBIzJGrB
2026-04-04 12:32:05,015 [analyzer] DEBUG: Log pipe server name: \??\PIPE\NQLIqsuQMYiqlvZfGHMPxjH
2026-04-04 12:32:05,296 [analyzer] DEBUG: Started auxiliary module Curtain
2026-04-04 12:32:05,296 [analyzer] DEBUG: Started auxiliary module DbgView
2026-04-04 12:32:05,750 [analyzer] DEBUG: Started auxiliary module Disguise
2026-04-04 12:32:05,937 [analyzer] DEBUG: Loaded monitor into process with pid 500
2026-04-04 12:32:05,937 [analyzer] DEBUG: Started auxiliary module DumpTLSMasterSecrets
2026-04-04 12:32:05,937 [analyzer] DEBUG: Started auxiliary module Human
2026-04-04 12:32:05,937 [analyzer] DEBUG: Started auxiliary module InstallCertificate
2026-04-04 12:32:05,953 [analyzer] DEBUG: Started auxiliary module Reboot
2026-04-04 12:32:06,062 [analyzer] DEBUG: Started auxiliary module RecentFiles
2026-04-04 12:32:06,062 [analyzer] DEBUG: Started auxiliary module Screenshots
2026-04-04 12:32:06,062 [analyzer] DEBUG: Started auxiliary module Sysmon
2026-04-04 12:32:06,062 [analyzer] DEBUG: Started auxiliary module LoadZer0m0n
2026-04-04 12:32:06,140 [lib.api.process] INFO: Successfully executed process from path 'C:\\Windows\\System32\\cmd.exe' with arguments ['/c', 'start', '/wait', '"FvlWRBumgtoGwH"', u'C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\7347f0b12918ef4e7b6cefdd29f8c6a39fcc8a4b06385f104460583808c2492a.bat'] and pid 1272
2026-04-04 12:32:06,405 [analyzer] DEBUG: Loaded monitor into process with pid 1272
2026-04-04 12:32:06,530 [analyzer] INFO: Injected into process with pid 2392 and name u'cmd.exe'
2026-04-04 12:32:06,640 [lib.api.process] ERROR: Failed to dump memory of 64-bit process with pid 2392.
2026-04-04 12:32:06,858 [analyzer] DEBUG: Loaded monitor into process with pid 2392
2026-04-04 12:32:06,937 [analyzer] CRITICAL: Unable to change memory protection of advapi32!ControlService at 0x09f2f0 6 to RWX (error code 0xc000004e)!
2026-04-04 12:32:06,953 [analyzer] CRITICAL: Conditional jumps in 64-bit are considered unstable!
2026-04-04 12:32:06,953 [analyzer] CRITICAL: Error creating function stub for advapi32!DeleteService.
2026-04-04 12:32:06,953 [analyzer] CRITICAL: Unable to change memory protection of advapi32!OpenSCManagerA at 0x09f336 6 to RWX (error code 0xc000004e)!
2026-04-04 12:32:06,953 [analyzer] CRITICAL: Unable to change memory protection of advapi32!OpenSCManagerW at 0x09f4a8 6 to RWX (error code 0xc000004e)!
2026-04-04 12:32:06,967 [analyzer] CRITICAL: Conditional jumps in 64-bit are considered unstable!
2026-04-04 12:32:06,967 [analyzer] CRITICAL: Unable to change memory protection of advapi32!OpenServiceA at 0x09f43e 10 to RWX (error code 0xc000004e)!
2026-04-04 12:32:06,967 [analyzer] CRITICAL: Conditional jumps in 64-bit are considered unstable!
2026-04-04 12:32:06,967 [analyzer] CRITICAL: Unable to change memory protection of advapi32!OpenServiceW at 0x09f488 6 to RWX (error code 0xc000004e)!
2026-04-04 12:32:06,967 [analyzer] CRITICAL: Conditional jumps in 64-bit are considered unstable!
2026-04-04 12:32:06,967 [analyzer] CRITICAL: Unable to change memory protection of advapi32!RegCloseKey at 0x09f6b4 6 to RWX (error code 0xc000004e)!
2026-04-04 12:32:06,967 [analyzer] CRITICAL: Conditional jumps in 64-bit are considered unstable!
2026-04-04 12:32:06,967 [analyzer] CRITICAL: Unable to change memory protection of advapi32!RegDeleteValueA at 0x09f5ee 6 to RWX (error code 0xc000004e)!
2026-04-04 12:32:06,967 [analyzer] CRITICAL: Conditional jumps in 64-bit are considered unstable!
2026-04-04 12:32:06,967 [analyzer] CRITICAL: Unable to change memory protection of advapi32!RegDeleteValueW at 0x09f5dc 5 to RWX (error code 0xc000004e)!
2026-04-04 12:32:06,983 [analyzer] CRITICAL: Unable to change memory protection of advapi32!StartServiceCtrlDispatcherW at 0x09f276 7 to RWX (error code 0xc000004e)!
2026-04-04 12:32:06,983 [analyzer] CRITICAL: Conditional jumps in 64-bit are considered unstable!
2026-04-04 12:32:06,983 [analyzer] CRITICAL: Conditional jumps in 64-bit are considered unstable!
2026-04-04 12:32:06,983 [analyzer] CRITICAL: Unable to change memory protection of advapi32!StartServiceW at 0x09f4cc 6 to RWX (error code 0xc000004e)!
2026-04-04 12:32:07,000 [analyzer] CRITICAL: Unable to change memory protection of advapi32!ControlService at 0x09f2f0 6 to RWX (error code 0xc000004e)!
2026-04-04 12:32:07,000 [analyzer] CRITICAL: Conditional jumps in 64-bit are considered unstable!
2026-04-04 12:32:07,015 [analyzer] CRITICAL: Error creating function stub for advapi32!DeleteService.
2026-04-04 12:32:07,015 [analyzer] CRITICAL: Unable to change memory protection of advapi32!OpenSCManagerA at 0x09f336 6 to RWX (error code 0xc000004e)!
2026-04-04 12:32:07,015 [analyzer] CRITICAL: Unable to change memory protection of advapi32!OpenSCManagerW at 0x09f4a8 6 to RWX (error code 0xc000004e)!
2026-04-04 12:32:07,015 [analyzer] CRITICAL: Conditional jumps in 64-bit are considered unstable!
2026-04-04 12:32:07,015 [analyzer] CRITICAL: Unable to change memory protection of advapi32!OpenServiceA at 0x09f43e 10 to RWX (error code 0xc000004e)!
2026-04-04 12:32:07,015 [analyzer] CRITICAL: Conditional jumps in 64-bit are considered unstable!
2026-04-04 12:32:07,015 [analyzer] CRITICAL: Unable to change memory protection of advapi32!OpenServiceW at 0x09f488 6 to RWX (error code 0xc000004e)!
2026-04-04 12:32:07,015 [analyzer] CRITICAL: Conditional jumps in 64-bit are considered unstable!
2026-04-04 12:32:07,015 [analyzer] CRITICAL: Unable to change memory protection of advapi32!RegCloseKey at 0x09f6b4 6 to RWX (error code 0xc000004e)!
2026-04-04 12:32:07,015 [analyzer] CRITICAL: Conditional jumps in 64-bit are considered unstable!
2026-04-04 12:32:07,015 [analyzer] CRITICAL: Unable to change memory protection of advapi32!RegDeleteValueA at 0x09f5ee 6 to RWX (error code 0xc000004e)!
2026-04-04 12:32:07,015 [analyzer] CRITICAL: Conditional jumps in 64-bit are considered unstable!
2026-04-04 12:32:07,015 [analyzer] CRITICAL: Unable to change memory protection of advapi32!RegDeleteValueW at 0x09f5dc 5 to RWX (error code 0xc000004e)!
2026-04-04 12:32:07,030 [analyzer] CRITICAL: Unable to change memory protection of advapi32!StartServiceCtrlDispatcherW at 0x09f276 7 to RWX (error code 0xc000004e)!
2026-04-04 12:32:07,030 [analyzer] CRITICAL: Conditional jumps in 64-bit are considered unstable!
2026-04-04 12:32:07,030 [analyzer] CRITICAL: Conditional jumps in 64-bit are considered unstable!
2026-04-04 12:32:07,030 [analyzer] CRITICAL: Unable to change memory protection of advapi32!StartServiceW at 0x09f4cc 6 to RWX (error code 0xc000004e)!
2026-04-04 11:34:25,617 [analyzer] INFO: Analysis timeout hit, terminating analysis.
2026-04-04 11:34:25,928 [lib.api.process] ERROR: Failed to dump memory of 64-bit process with pid 1272.
2026-04-04 11:34:26,023 [lib.api.process] ERROR: Failed to dump memory of 64-bit process with pid 2392.
2026-04-04 11:34:26,523 [analyzer] INFO: Terminating remaining processes before shutdown.
2026-04-04 11:34:26,523 [lib.api.process] INFO: Successfully terminated process with pid 1272.
2026-04-04 11:34:26,523 [lib.api.process] INFO: Successfully terminated process with pid 2392.
2026-04-04 11:34:26,523 [analyzer] INFO: Analysis completed.

Cuckoo Log

2026-04-04 12:32:06,697 [cuckoo.core.scheduler] INFO: Task #7508624: acquired machine win7x643 (label=win7x643)
2026-04-04 12:32:06,697 [cuckoo.core.resultserver] DEBUG: Now tracking machine 192.168.168.203 for task #7508624
2026-04-04 12:32:07,226 [cuckoo.auxiliary.sniffer] INFO: Started sniffer with PID 3087252 (interface=vboxnet0, host=192.168.168.203)
2026-04-04 12:32:07,276 [cuckoo.machinery.virtualbox] DEBUG: Starting vm win7x643
2026-04-04 12:32:08,061 [cuckoo.machinery.virtualbox] DEBUG: Restoring virtual machine win7x643 to vmcloak
2026-04-04 12:32:18,002 [cuckoo.core.guest] INFO: Starting analysis #7508624 on guest (id=win7x643, ip=192.168.168.203)
2026-04-04 12:32:19,009 [cuckoo.core.guest] DEBUG: win7x643: not ready yet
2026-04-04 12:32:24,041 [cuckoo.core.guest] INFO: Guest is running Cuckoo Agent 0.10 (id=win7x643, ip=192.168.168.203)
2026-04-04 12:32:24,123 [cuckoo.core.guest] DEBUG: Uploading analyzer to guest (id=win7x643, ip=192.168.168.203, monitor=latest, size=6660546)
2026-04-04 12:32:25,403 [cuckoo.core.resultserver] DEBUG: Task #7508624: live log analysis.log initialized.
2026-04-04 12:32:26,290 [cuckoo.core.resultserver] DEBUG: Task #7508624 is sending a BSON stream
2026-04-04 12:32:26,680 [cuckoo.core.resultserver] DEBUG: Task #7508624 is sending a BSON stream
2026-04-04 12:32:27,118 [cuckoo.core.resultserver] DEBUG: Task #7508624 is sending a BSON stream
2026-04-04 12:32:27,588 [cuckoo.core.resultserver] DEBUG: Task #7508624: File upload for 'shots/0001.jpg'
2026-04-04 12:32:27,603 [cuckoo.core.resultserver] DEBUG: Task #7508624 uploaded file length: 101361
2026-04-04 12:32:39,931 [cuckoo.core.guest] DEBUG: win7x643: analysis #7508624 still processing
2026-04-04 12:32:55,024 [cuckoo.core.guest] DEBUG: win7x643: analysis #7508624 still processing
2026-04-04 12:32:55,566 [cuckoo.core.resultserver] DEBUG: Task #7508624: File upload for 'shots/0002.jpg'
2026-04-04 12:32:55,579 [cuckoo.core.resultserver] DEBUG: Task #7508624 uploaded file length: 118344
2026-04-04 12:33:10,119 [cuckoo.core.guest] DEBUG: win7x643: analysis #7508624 still processing
2026-04-04 12:33:25,225 [cuckoo.core.guest] DEBUG: win7x643: analysis #7508624 still processing
2026-04-04 12:33:40,526 [cuckoo.core.guest] DEBUG: win7x643: analysis #7508624 still processing
2026-04-04 12:33:55,618 [cuckoo.core.guest] DEBUG: win7x643: analysis #7508624 still processing
2026-04-04 12:34:10,712 [cuckoo.core.guest] DEBUG: win7x643: analysis #7508624 still processing
2026-04-04 12:34:25,826 [cuckoo.core.guest] DEBUG: win7x643: analysis #7508624 still processing
2026-04-04 12:34:26,343 [cuckoo.core.resultserver] DEBUG: Task #7508624: File upload for 'curtain/1775295266.34.curtain.log'
2026-04-04 12:34:26,390 [cuckoo.core.resultserver] DEBUG: Task #7508624 uploaded file length: 3076618
2026-04-04 12:34:26,527 [cuckoo.core.resultserver] DEBUG: Task #7508624: File upload for 'sysmon/1775295266.52.sysmon.xml'
2026-04-04 12:34:26,536 [cuckoo.core.resultserver] DEBUG: Task #7508624 uploaded file length: 530546
2026-04-04 12:34:27,447 [cuckoo.core.resultserver] DEBUG: Task #7508624: File upload for 'shots/0003.jpg'
2026-04-04 12:34:27,463 [cuckoo.core.resultserver] DEBUG: Task #7508624 uploaded file length: 144193
2026-04-04 12:34:27,477 [cuckoo.core.resultserver] DEBUG: Task #7508624 had connection reset for <Context for LOG>
2026-04-04 12:34:28,843 [cuckoo.core.guest] INFO: win7x643: analysis completed successfully
2026-04-04 12:34:28,858 [cuckoo.core.plugins] DEBUG: Stopped auxiliary module: Redsocks
2026-04-04 12:34:28,896 [cuckoo.core.plugins] DEBUG: Stopped auxiliary module: Sniffer
2026-04-04 12:34:30,299 [cuckoo.machinery.virtualbox] INFO: Successfully generated memory dump for virtual machine with label win7x643 to path /srv/cuckoo/cwd/storage/analyses/7508624/memory.dmp
2026-04-04 12:34:30,301 [cuckoo.machinery.virtualbox] DEBUG: Stopping vm win7x643
2026-04-04 12:34:38,407 [cuckoo.core.resultserver] DEBUG: Stopped tracking machine 192.168.168.203 for task #7508624
2026-04-04 12:34:38,743 [cuckoo.core.scheduler] DEBUG: Released database task #7508624
2026-04-04 12:34:38,761 [cuckoo.core.scheduler] INFO: Task #7508624: analysis procedure completed

Signatures

Yara rules detected for file (2 events)
rule GEN_PowerShell: Generic PowerShell Malware Rule
rule powershell: (no description)
Creates a suspicious process (1 event)
cmdline C:\Windows\system32\cmd.exe /K "C:\Users\ADMINI~1\AppData\Local\Temp\7347f0b12918ef4e7b6cefdd29f8c6a39fcc8a4b06385f104460583808c2492a.bat"
File has been identified by 9 AntiVirus engines on IRMA as malicious (9 events)
G Data Antivirus (Windows) Virus: Trojan.GenericKD.79590502 (Engine A)
Avast Core Security (Linux) Other:Malware-gen [Trj]
C4S ClamAV (Linux) YARA.GEN_PowerShell.UNOFFICIAL
eScan Antivirus (Linux) Trojan.GenericKD.79590502(DB)
ESET Security (Windows) PowerShell/TrojanDropper.Agent.AZQ trojan
DrWeb Antivirus (Linux) BAT.Starter.721
Bitdefender Antivirus (Linux) Trojan.GenericKD.79590502
Kaspersky Standard (Windows) HEUR:Trojan.BAT.Cobalt.gen
Emsisoft Commandline Scanner (Windows) Trojan.GenericKD.79590502 (B)
File has been identified by 26 AntiVirus engines on VirusTotal as malicious (26 events)
Lionic Trojan.Script.Cobalt.4!c
CTX batch.trojan.cobalt
Skyhigh BehavesLike.Backdoor.tq
ALYac Trojan.GenericKD.79590502
VIPRE Trojan.GenericKD.79590502
K7GW Trojan ( 0001140e1 )
K7AntiVirus Trojan ( 0001140e1 )
Arcabit Trojan.Generic.D4BE7466
Symantec Scr.Malcode!gen
ESET-NOD32 PowerShell/TrojanDropper.Agent.AZQ trojan
Avast Other:Malware-gen [Trj]
Cynet Malicious (score: 99)
Kaspersky HEUR:Trojan.BAT.Cobalt.gen
BitDefender Trojan.GenericKD.79590502
MicroWorld-eScan Trojan.GenericKD.79590502
Rising Trojan.Cobalt/BAT!9.5ABDA (XSE:WFNFX0JBVDoHVCjR5mBFaYAvPAB5skGt)
Emsisoft Trojan.GenericKD.79590502 (B)
Google Detected
Antiy-AVL Trojan/BAT.Cobalt
Microsoft Trojan:Win32/Egairtigado!rfn
GData Trojan.GenericKD.79590502
Varist BAT/Agent.BKJ
Tencent Bat.Trojan.Cobalt.Lqil
Fortinet BAT/Agent.AZQ!tr
AVG Other:Malware-gen [Trj]
alibabacloud Trojan:Win/Cobalt.gyf
Screenshots

Hosts (Name / Response / Post-Analysis Lookup)
No hosts contacted.

IP addresses (IP Address / Status / Action / VT / Location)
No hosts contacted.