34820759e0f4a6ddaf59a636dd31a74d
Hash
- MD5: 34820759e0f4a6ddaf59a636dd31a74d
- SHA1: 3327f019904b0e4ca05800bfaa6e93716b69896c
- SHA256: 62761f38ed194c59abe15c49f09f0ebc431ac852c965180c9327ed84d3a454fb
- First Seen: 2026-06-08
- Last Seen: 2026-06-08
-
1
Related Reports
-
0
Related IOCs
Additional Information
VirusTotal
{
"data": {
"id": "62761f38ed194c59abe15c49f09f0ebc431ac852c965180c9327ed84d3a454fb",
"type": "file",
"links": {
"self": "https://www.virustotal.com/api/v3/files/62761f38ed194c59abe15c49f09f0ebc431ac852c965180c9327ed84d3a454fb"
},
"attributes": {
"tlsh": "T127A2F924BA921E0CE55F1F0C98A7524872F4E2AFBC121CB0DD13C6BE5651EE935DEB18",
"type_description": "DOS batch file",
"last_analysis_results": {
"Bkav": {
"method": "blacklist",
"engine_name": "Bkav",
"engine_version": "8.2.40(8338)",
"engine_update": "20260606",
"category": "undetected",
"result": null
},
"Lionic": {
"method": "blacklist",
"engine_name": "Lionic",
"engine_version": "8.16",
"engine_update": "20260608",
"category": "undetected",
"result": null
},
"Cynet": {
"method": "blacklist",
"engine_name": "Cynet",
"engine_version": "4.0.3.4",
"engine_update": "20260608",
"category": "undetected",
"result": null
},
"CTX": {
"method": "blacklist",
"engine_name": "CTX",
"engine_version": "2024.8.29.1",
"engine_update": "20260608",
"category": "malicious",
"result": "batch.unknown.generic"
},
"CAT-QuickHeal": {
"method": "blacklist",
"engine_name": "CAT-QuickHeal",
"engine_version": "22.00",
"engine_update": "20260607",
"category": "undetected",
"result": null
},
"Skyhigh": {
"method": "blacklist",
"engine_name": "Skyhigh",
"engine_version": "v2021.2.0+4045",
"engine_update": "20260607",
"category": "undetected",
"result": null
},
"ALYac": {
"method": "blacklist",
"engine_name": "ALYac",
"engine_version": "2.0.0.10",
"engine_update": "20260608",
"category": "undetected",
"result": null
},
"Malwarebytes": {
"method": "blacklist",
"engine_name": "Malwarebytes",
"engine_version": "3.1.0.238",
"engine_update": "20260608",
"category": "undetected",
"result": null
},
"VIPRE": {
"method": "blacklist",
"engine_name": "VIPRE",
"engine_version": "6.0.0.35",
"engine_update": "20260607",
"category": "malicious",
"result": "Gen:Heur.PHS.1"
},
"Sangfor": {
"method": "blacklist",
"engine_name": "Sangfor",
"engine_version": "2.22.3.0",
"engine_update": "20260605",
"category": "undetected",
"result": null
},
"CrowdStrike": {
"method": "blacklist",
"engine_name": "CrowdStrike",
"engine_version": "1.0",
"engine_update": "20230417",
"category": "undetected",
"result": null
},
"K7GW": {
"method": "blacklist",
"engine_name": "K7GW",
"engine_version": "14.55.59746",
"engine_update": "20260608",
"category": "undetected",
"result": null
},
"K7AntiVirus": {
"method": "blacklist",
"engine_name": "K7AntiVirus",
"engine_version": "14.55.59745",
"engine_update": "20260608",
"category": "undetected",
"result": null
},
"Arcabit": {
"method": "blacklist",
"engine_name": "Arcabit",
"engine_version": "2025.0.0.23",
"engine_update": "20260608",
"category": "malicious",
"result": "Trojan.PHS.1"
},
"VirIT": {
"method": "blacklist",
"engine_name": "VirIT",
"engine_version": "9.5.1222",
"engine_update": "20260605",
"category": "undetected",
"result": null
},
"Symantec": {
"method": "blacklist",
"engine_name": "Symantec",
"engine_version": "1.22.0.0",
"engine_update": "20260607",
"category": "undetected",
"result": null
},
"ESET-NOD32": {
"method": "blacklist",
"engine_name": "ESET-NOD32",
"engine_version": "18.2.18.0",
"engine_update": "20260608",
"category": "undetected",
"result": null
},
"TrendMicro-HouseCall": {
"method": "blacklist",
"engine_name": "TrendMicro-HouseCall",
"engine_version": "24.550.0.1002",
"engine_update": "20260608",
"category": "undetected",
"result": null
},
"Avast": {
"method": "blacklist",
"engine_name": "Avast",
"engine_version": "23.9.8494.0",
"engine_update": "20260608",
"category": "undetected",
"result": null
},
"ClamAV": {
"method": "blacklist",
"engine_name": "ClamAV",
"engine_version": "1.5.2.0",
"engine_update": "20260608",
"category": "undetected",
"result": null
},
"Kaspersky": {
"method": "blacklist",
"engine_name": "Kaspersky",
"engine_version": "22.0.1.28",
"engine_update": "20260608",
"category": "undetected",
"result": null
},
"BitDefender": {
"method": "blacklist",
"engine_name": "BitDefender",
"engine_version": "7.2",
"engine_update": "20260608",
"category": "malicious",
"result": "Gen:Heur.PHS.1"
},
"NANO-Antivirus": {
"method": "blacklist",
"engine_name": "NANO-Antivirus",
"engine_version": "1.0.170.26895",
"engine_update": "20260608",
"category": "undetected",
"result": null
},
"SUPERAntiSpyware": {
"method": "blacklist",
"engine_name": "SUPERAntiSpyware",
"engine_version": "5.6.0.1032",
"engine_update": "20260605",
"category": "undetected",
"result": null
},
"MicroWorld-eScan": {
"method": "blacklist",
"engine_name": "MicroWorld-eScan",
"engine_version": "14.0.409.0",
"engine_update": "20260608",
"category": "malicious",
"result": "Gen:Heur.PHS.1"
},
"Tencent": {
"method": "blacklist",
"engine_name": "Tencent",
"engine_version": "1.0.0.1",
"engine_update": "20260608",
"category": "undetected",
"result": null
},
"Sophos": {
"method": "blacklist",
"engine_name": "Sophos",
"engine_version": "3.5.1.0",
"engine_update": "20260608",
"category": "undetected",
"result": null
},
"F-Secure": {
"method": "blacklist",
"engine_name": "F-Secure",
"engine_version": "18.10.1547.307",
"engine_update": "20260608",
"category": "undetected",
"result": null
},
"DrWeb": {
"method": "blacklist",
"engine_name": "DrWeb",
"engine_version": "7.0.75.2070",
"engine_update": "20260608",
"category": "undetected",
"result": null
},
"Zillya": {
"method": "blacklist",
"engine_name": "Zillya",
"engine_version": "2.0.0.5616",
"engine_update": "20260605",
"category": "undetected",
"result": null
},
"TrendMicro": {
"method": "blacklist",
"engine_name": "TrendMicro",
"engine_version": "24.550.0.1002",
"engine_update": "20260608",
"category": "undetected",
"result": null
},
"McAfeeD": {
"method": "blacklist",
"engine_name": "McAfeeD",
"engine_version": "1.2.0.14833",
"engine_update": "20260608",
"category": "undetected",
"result": null
},
"Emsisoft": {
"method": "blacklist",
"engine_name": "Emsisoft",
"engine_version": "2024.8.0.61147",
"engine_update": "20260608",
"category": "malicious",
"result": "Gen:Heur.PHS.1 (B)"
},
"huorong": {
"method": "blacklist",
"engine_name": "huorong",
"engine_version": "73e0c6e:73e0c6e:d28a123:d28a123",
"engine_update": "20260607",
"category": "undetected",
"result": null
},
"Jiangmin": {
"method": "blacklist",
"engine_name": "Jiangmin",
"engine_version": "16.0.100",
"engine_update": "20260607",
"category": "undetected",
"result": null
},
"Google": {
"method": "blacklist",
"engine_name": "Google",
"engine_version": "1780905658",
"engine_update": "20260608",
"category": "undetected",
"result": null
},
"Avira": {
"method": "blacklist",
"engine_name": "Avira",
"engine_version": "8.3.3.24",
"engine_update": "20260608",
"category": "undetected",
"result": null
},
"Antiy-AVL": {
"method": "blacklist",
"engine_name": "Antiy-AVL",
"engine_version": "3.0",
"engine_update": "20260608",
"category": "undetected",
"result": null
},
"Kingsoft": {
"method": "blacklist",
"engine_name": "Kingsoft",
"engine_version": "None",
"engine_update": "20260607",
"category": "undetected",
"result": null
},
"Gridinsoft": {
"method": "blacklist",
"engine_name": "Gridinsoft",
"engine_version": "1.0.247.174",
"engine_update": "20260608",
"category": "undetected",
"result": null
},
"Xcitium": {
"method": "blacklist",
"engine_name": "Xcitium",
"engine_version": "38711",
"engine_update": "20260608",
"category": "undetected",
"result": null
},
"Microsoft": {
"method": "blacklist",
"engine_name": "Microsoft",
"engine_version": "1.1.26040.8",
"engine_update": "20260608",
"category": "undetected",
"result": null
},
"ViRobot": {
"method": "blacklist",
"engine_name": "ViRobot",
"engine_version": "2014.3.20.0",
"engine_update": "20260608",
"category": "undetected",
"result": null
},
"ZoneAlarm": {
"method": "blacklist",
"engine_name": "ZoneAlarm",
"engine_version": "6.25-116107382",
"engine_update": "20260608",
"category": "undetected",
"result": null
},
"GData": {
"method": "blacklist",
"engine_name": "GData",
"engine_version": "GD:27.44833AVA:64.31380",
"engine_update": "20260608",
"category": "malicious",
"result": "Gen:Heur.PHS.1"
},
"Varist": {
"method": "blacklist",
"engine_name": "Varist",
"engine_version": "6.6.1.3",
"engine_update": "20260608",
"category": "undetected",
"result": null
},
"AhnLab-V3": {
"method": "blacklist",
"engine_name": "AhnLab-V3",
"engine_version": "3.30.0.10666",
"engine_update": "20260608",
"category": "undetected",
"result": null
},
"Acronis": {
"method": "blacklist",
"engine_name": "Acronis",
"engine_version": "1.2.0.121",
"engine_update": "20240328",
"category": "undetected",
"result": null
},
"VBA32": {
"method": "blacklist",
"engine_name": "VBA32",
"engine_version": "5.6.1",
"engine_update": "20260608",
"category": "undetected",
"result": null
},
"TACHYON": {
"method": "blacklist",
"engine_name": "TACHYON",
"engine_version": "2026-06-08.02",
"engine_update": "20260608",
"category": "undetected",
"result": null
},
"Zoner": {
"method": "blacklist",
"engine_name": "Zoner",
"engine_version": "2.2.2.0",
"engine_update": "20260608",
"category": "undetected",
"result": null
},
"Rising": {
"method": "blacklist",
"engine_name": "Rising",
"engine_version": "25.0.0.28",
"engine_update": "20260608",
"category": "undetected",
"result": null
},
"Yandex": {
"method": "blacklist",
"engine_name": "Yandex",
"engine_version": "5.5.2.24",
"engine_update": "20260608",
"category": "undetected",
"result": null
},
"TrellixENS": {
"method": "blacklist",
"engine_name": "TrellixENS",
"engine_version": "6.0.6.653",
"engine_update": "20260607",
"category": "undetected",
"result": null
},
"Ikarus": {
"method": "blacklist",
"engine_name": "Ikarus",
"engine_version": "6.5.4.0",
"engine_update": "20260608",
"category": "undetected",
"result": null
},
"MaxSecure": {
"method": "blacklist",
"engine_name": "MaxSecure",
"engine_version": "1.0.0.1",
"engine_update": "20260605",
"category": "undetected",
"result": null
},
"Fortinet": {
"method": "blacklist",
"engine_name": "Fortinet",
"engine_version": "7.0.48.0",
"engine_update": "20260608",
"category": "undetected",
"result": null
},
"AVG": {
"method": "blacklist",
"engine_name": "AVG",
"engine_version": "23.9.8494.0",
"engine_update": "20260608",
"category": "undetected",
"result": null
},
"Panda": {
"method": "blacklist",
"engine_name": "Panda",
"engine_version": "4.6.4.2",
"engine_update": "20260607",
"category": "undetected",
"result": null
},
"alibabacloud": {
"method": "blacklist",
"engine_name": "alibabacloud",
"engine_version": "2.2.0",
"engine_update": "20250321",
"category": "undetected",
"result": null
},
"Avast-Mobile": {
"method": "blacklist",
"engine_name": "Avast-Mobile",
"engine_version": "260608-00",
"engine_update": "20260608",
"category": "type-unsupported",
"result": null
},
"SymantecMobileInsight": {
"method": "blacklist",
"engine_name": "SymantecMobileInsight",
"engine_version": "2.0",
"engine_update": "20260123",
"category": "type-unsupported",
"result": null
},
"BitDefenderFalx": {
"method": "blacklist",
"engine_name": "BitDefenderFalx",
"engine_version": "2.0.936",
"engine_update": "20260525",
"category": "type-unsupported",
"result": null
},
"Elastic": {
"method": "blacklist",
"engine_name": "Elastic",
"engine_version": "4.0.264",
"engine_update": "20260603",
"category": "type-unsupported",
"result": null
},
"DeepInstinct": {
"method": "blacklist",
"engine_name": "DeepInstinct",
"engine_version": "5.0.0.8",
"engine_update": "20260608",
"category": "type-unsupported",
"result": null
},
"APEX": {
"method": "blacklist",
"engine_name": "APEX",
"engine_version": "6.786",
"engine_update": "20260607",
"category": "type-unsupported",
"result": null
},
"Paloalto": {
"method": "blacklist",
"engine_name": "Paloalto",
"engine_version": "0.9.0.1003",
"engine_update": "20260608",
"category": "type-unsupported",
"result": null
},
"Trapmine": {
"method": "blacklist",
"engine_name": "Trapmine",
"engine_version": "4.0.12.0",
"engine_update": "20260604",
"category": "type-unsupported",
"result": null
},
"Alibaba": {
"method": "blacklist",
"engine_name": "Alibaba",
"engine_version": "0.3.0.5",
"engine_update": "20190527",
"category": "type-unsupported",
"result": null
},
"Webroot": {
"method": "blacklist",
"engine_name": "Webroot",
"engine_version": "1.9.0.8",
"engine_update": "20250227",
"category": "type-unsupported",
"result": null
},
"Cylance": {
"method": "blacklist",
"engine_name": "Cylance",
"engine_version": "3.0.0.0",
"engine_update": "20260521",
"category": "type-unsupported",
"result": null
},
"SentinelOne": {
"method": "blacklist",
"engine_name": "SentinelOne",
"engine_version": "7.6.2.19",
"engine_update": "20260324",
"category": "type-unsupported",
"result": null
},
"tehtris": {
"method": "blacklist",
"engine_name": "tehtris",
"engine_version": null,
"engine_update": "20260608",
"category": "type-unsupported",
"result": null
},
"Trustlook": {
"method": "blacklist",
"engine_name": "Trustlook",
"engine_version": "1.0",
"engine_update": "20260608",
"category": "type-unsupported",
"result": null
}
},
"type_extension": "bat",
"first_submission_date": 1780913247,
"type_tags": [
"script",
"bat"
],
"last_analysis_stats": {
"malicious": 7,
"suspicious": 0,
"undetected": 53,
"harmless": 0,
"timeout": 0,
"confirmed-timeout": 0,
"failure": 0,
"type-unsupported": 14
},
"sha1": "3327f019904b0e4ca05800bfaa6e93716b69896c",
"filecondis": {
"dhash": "ac9cba8e8e8a82a0",
"raw_md5": "2bbecd5c43e15725a001ba2f4f9b4b97"
},
"sigma_analysis_stats": {
"critical": 0,
"high": 2,
"medium": 1,
"low": 1
},
"trid": [
{
"file_type": "file seems to be plain text/ASCII",
"probability": 0.0
}
],
"names": [
"run-update.cmd"
],
"magic": "DOS batch file, ASCII text",
"last_analysis_date": 1780913247,
"sigma_analysis_results": [
{
"rule_level": "high",
"rule_id": "2d3c931bf891955b7bf9d7745ece5f7bf306ac6c9a9ab72ee992a6d199bc2aae",
"rule_source": "Sigma Integrated Rule Set (GitHub)",
"rule_title": "File Decoded From Base64/Hex Via Certutil.EXE",
"rule_description": "Detects the execution of certutil with either the \"decode\" or \"decodehex\" flags to decode base64 or hex encoded files. This can be abused by attackers to decode an encoded payload before execution",
"rule_author": "Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community",
"match_context": [
{
"values": {
"Hashes": "MD5=2EE61062AF648FF954408D422CA408F4,SHA256=1C010BFBF42A6A32EC9BFF5A3A559B51C983D77CE47D30074AA170417FA4CF1D,IMPHASH=92EAFDFBCF8B4ECD46E832973B0649D6",
"CurrentDirectory": "C:\\Users\\Bruno\\Desktop\\",
"OriginalFileName": "CertUtil.exe",
"Product": "Microsoft\\xae Windows\\xae Operating System",
"Description": "CertUtil.exe",
"FileVersion": "10.0.19041.1 (WinBuild.160101.0800)",
"ParentCommandLine": "C:\\Windows\\system32\\cmd.exe /K \"C:\\Users\\Bruno\\Desktop\\run.bat\"",
"CommandLine": "certutil -f -decode \"C:\\Users\\Bruno\\AppData\\Local\\Temp\\~gb3512300.b64\" \"C:\\Users\\Bruno\\AppData\\Local\\Temp\\~gu164204114.cmd\" ",
"EventID": "1",
"ParentImage": "C:\\Windows\\SysWOW64\\cmd.exe",
"IntegrityLevel": "High",
"Image": "C:\\Windows\\SysWOW64\\certutil.exe",
"Company": "Microsoft Corporation"
}
},
{
"values": {
"Product": "Microsoft\\xae Windows\\xae Operating System",
"CurrentDirectory": "C:\\Users\\Bruno\\Desktop\\",
"OriginalFileName": "CertUtil.exe",
"Hashes": "SHA1=C2319F1E8ADB193FC1B3466F32E4F134B97DF9E3,MD5=2D3C8A1DEA8BA4677B4199EAE9DE148B,SHA256=6AF299712FE257BF7A51CBA7E86206E43452040D82CF28180AD9F9EF13488692,IMPHASH=323A326D7B550351B75EC637A5575902",
"Description": "CertUtil.exe",
"FileVersion": "10.0.22621.1992 (WinBuild.160101.0800)",
"ParentCommandLine": "C:\\Windows\\system32\\cmd.exe /c \"\"C:\\Users\\Bruno\\Desktop\\install.bat\" \"",
"CommandLine": "certutil -f -decode \"C:\\Users\\Bruno\\AppData\\Local\\Temp\\~gb1670310489.b64\" \"C:\\Users\\Bruno\\AppData\\Local\\Temp\\~gu25069278.cmd\" ",
"EventID": "1",
"ParentImage": "C:\\Windows\\System32\\cmd.exe",
"IntegrityLevel": "High",
"Image": "C:\\Windows\\System32\\certutil.exe",
"Company": "Microsoft Corporation"
}
}
]
},
{
"rule_level": "high",
"rule_id": "90afad317a6d65bcc7b9e564768ca43cc58d7e3bd4912fb10af175477b0aedd1",
"rule_source": "Sigma Integrated Rule Set (GitHub)",
"rule_title": "Legitimate Application Writing Files In Uncommon Location",
"rule_description": "Detects legitimate applications writing any type of file to uncommon or suspicious locations that are not typical for application data storage or execution.\nAdversaries may leverage legitimate applications (Living off the Land Binaries - LOLBins) to drop or download malicious files to uncommon locations on the system to evade detection by security solutions.\n",
"rule_author": "Swachchhanda Shrawan Poudel (Nextron Systems)",
"match_context": [
{
"values": {
"Image": "C:\\Windows\\SysWOW64\\certutil.exe",
"EventID": "11",
"TargetFilename": "C:\\Users\\Bruno\\AppData\\Local\\Temp\\~gu164204114.cmd"
}
},
{
"values": {
"Image": "C:\\Windows\\system32\\certutil.exe",
"EventID": "11",
"TargetFilename": "C:\\Users\\Bruno\\AppData\\Local\\Temp\\~gu25069278.cmd"
}
}
]
},
{
"rule_level": "medium",
"rule_id": "06b48fa7870d38bdf92b4d4a9b9c4a4df779bd405fdc5ba0e70911df20027ce1",
"rule_source": "Sigma Integrated Rule Set (GitHub)",
"rule_title": "Change PowerShell Policies to an Insecure Level",
"rule_description": "Detects changing the PowerShell script execution policy to a potentially insecure level using the \"-ExecutionPolicy\" flag.",
"rule_author": "frack113",
"match_context": [
{
"values": {
"Product": "Microsoft\\xae Windows\\xae Operating System",
"CurrentDirectory": "C:\\Users\\Bruno\\Desktop\\",
"OriginalFileName": "PowerShell.EXE",
"Hashes": "MD5=C32CA4ACFCC635EC1EA6ED8A34DF5FAC,SHA256=73A3C4AEF5DE385875339FC2EB7E58A9E8A47B6161BDC6436BF78A763537BE70,IMPHASH=194427A488ED1DD0A91731658B071667",
"Description": "Windows PowerShell",
"EventID": "1",
"ParentCommandLine": "C:\\Windows\\system32\\cmd.exe /c powershell.exe -NoProfile -NonInteractive -WindowStyle Hidden -ExecutionPolicy Bypass -Command \"$ProgressPreference='SilentlyContinue'; $o=''; $e=$env:GUS_WS_RAW; if (-not [string]::IsNullOrWhiteSpace($e)) { try { $o=[System.IO.Path]::GetFullPath($e) } catch { $o=$e } }; Write-Output $o\"",
"CommandLine": "powershell.exe -NoProfile -NonInteractive -WindowStyle Hidden -ExecutionPolicy Bypass -Command \"$ProgressPreference='SilentlyContinue'; $o=''; $e=$env:GUS_WS_RAW; if (-not [string]::IsNullOrWhiteSpace($e)) { try { $o=[System.IO.Path]::GetFullPath($e) } catch { $o=$e } }; Write-Output $o\"",
"FileVersion": "10.0.19041.546 (WinBuild.160101.0800)",
"ParentImage": "C:\\Windows\\SysWOW64\\cmd.exe",
"IntegrityLevel": "High",
"Image": "C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe",
"Company": "Microsoft Corporation"
}
},
{
"values": {
"Product": "Microsoft\\xae Windows\\xae Operating System",
"CurrentDirectory": "C:\\Users\\Bruno\\Desktop\\",
"OriginalFileName": "PowerShell.EXE",
"Hashes": "MD5=C32CA4ACFCC635EC1EA6ED8A34DF5FAC,SHA256=73A3C4AEF5DE385875339FC2EB7E58A9E8A47B6161BDC6436BF78A763537BE70,IMPHASH=194427A488ED1DD0A91731658B071667",
"Description": "Windows PowerShell",
"FileVersion": "10.0.19041.546 (WinBuild.160101.0800)",
"ParentCommandLine": "C:\\Windows\\system32\\cmd.exe /K \"C:\\Users\\Bruno\\Desktop\\run.bat\"",
"CommandLine": "powershell.exe -NoProfile -NonInteractive -WindowStyle Hidden -ExecutionPolicy Bypass -Command \"try { [IO.File]::WriteAllText($env:GUS_WS_TXT, [string]$env:GUS_WS_FOR_HASH) } catch { exit 1 }\" ",
"EventID": "1",
"ParentImage": "C:\\Windows\\SysWOW64\\cmd.exe",
"IntegrityLevel": "High",
"Image": "C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe",
"Company": "Microsoft Corporation"
}
},
{
"values": {
"Product": "Microsoft\\xae Windows\\xae Operating System",
"CurrentDirectory": "C:\\Users\\Bruno\\Desktop\\",
"OriginalFileName": "PowerShell.EXE",
"Hashes": "SHA1=A72C41316307889E43FE8605A0DCA4A72E72A011,MD5=DCAADF7C9610B5EBEBDEDB1569EC4A9D,SHA256=D783BA6567FAF10FDFF2D0EA3864F6756862D6C733C7F4467283DA81AEDC3A80,IMPHASH=E09C4F82A1DA13A09F4FF2E625FEBA20",
"Description": "Windows PowerShell",
"FileVersion": "10.0.22621.2361 (WinBuild.160101.0800)",
"ParentCommandLine": "C:\\Windows\\system32\\cmd.exe /c powershell.exe -NoProfile -NonInteractive -WindowStyle Hidden -ExecutionPolicy Bypass -Command \"$ProgressPreference='SilentlyContinue'; $o=''; $e=$env:GUS_WS_RAW; if (-not [string]::IsNullOrWhiteSpace($e)) { try { $o=[System.IO.Path]::GetFullPath($e) } catch { $o=$e } }; Write-Output $o\"",
"CommandLine": "powershell.exe -NoProfile -NonInteractive -WindowStyle Hidden -ExecutionPolicy Bypass -Command \"$ProgressPreference='SilentlyContinue'; $o=''; $e=$env:GUS_WS_RAW; if (-not [string]::IsNullOrWhiteSpace($e)) { try { $o=[System.IO.Path]::GetFullPath($e) } catch { $o=$e } }; Write-Output $o\"",
"EventID": "1",
"ParentImage": "C:\\Windows\\System32\\cmd.exe",
"IntegrityLevel": "High",
"Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
"Company": "Microsoft Corporation"
}
}
]
},
{
"rule_level": "low",
"rule_id": "1c2e4db94ca79f939e94e29c04fb3b71467fc6f5b9c31db34fcce5a2fb3b856f",
"rule_source": "Sigma Integrated Rule Set (GitHub)",
"rule_title": "Non Interactive PowerShell Process Spawned",
"rule_description": "Detects non-interactive PowerShell activity by looking at the \"powershell\" process with a non-user GUI process such as \"explorer.exe\" as a parent.",
"rule_author": "Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements)",
"match_context": [
{
"values": {
"Product": "Microsoft\\xae Windows\\xae Operating System",
"CurrentDirectory": "C:\\Users\\Bruno\\Desktop\\",
"OriginalFileName": "PowerShell.EXE",
"Hashes": "MD5=C32CA4ACFCC635EC1EA6ED8A34DF5FAC,SHA256=73A3C4AEF5DE385875339FC2EB7E58A9E8A47B6161BDC6436BF78A763537BE70,IMPHASH=194427A488ED1DD0A91731658B071667",
"Description": "Windows PowerShell",
"FileVersion": "10.0.19041.546 (WinBuild.160101.0800)",
"ParentCommandLine": "C:\\Windows\\system32\\cmd.exe /c powershell.exe -NoProfile -NonInteractive -WindowStyle Hidden -ExecutionPolicy Bypass -Command \"$ProgressPreference='SilentlyContinue'; $o=''; $e=$env:GUS_WS_RAW; if (-not [string]::IsNullOrWhiteSpace($e)) { try { $o=[System.IO.Path]::GetFullPath($e) } catch { $o=$e } }; Write-Output $o\"",
"CommandLine": "powershell.exe -NoProfile -NonInteractive -WindowStyle Hidden -ExecutionPolicy Bypass -Command \"$ProgressPreference='SilentlyContinue'; $o=''; $e=$env:GUS_WS_RAW; if (-not [string]::IsNullOrWhiteSpace($e)) { try { $o=[System.IO.Path]::GetFullPath($e) } catch { $o=$e } }; Write-Output $o\"",
"EventID": "1",
"ParentImage": "C:\\Windows\\SysWOW64\\cmd.exe",
"IntegrityLevel": "High",
"Image": "C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe",
"Company": "Microsoft Corporation"
}
},
{
"values": {
"Product": "Microsoft\\xae Windows\\xae Operating System",
"CurrentDirectory": "C:\\Users\\Bruno\\Desktop\\",
"OriginalFileName": "PowerShell.EXE",
"Hashes": "MD5=C32CA4ACFCC635EC1EA6ED8A34DF5FAC,SHA256=73A3C4AEF5DE385875339FC2EB7E58A9E8A47B6161BDC6436BF78A763537BE70,IMPHASH=194427A488ED1DD0A91731658B071667",
"Description": "Windows PowerShell",
"EventID": "1",
"ParentCommandLine": "C:\\Windows\\system32\\cmd.exe /K \"C:\\Users\\Bruno\\Desktop\\run.bat\"",
"CommandLine": "powershell.exe -NoProfile -NonInteractive -WindowStyle Hidden -ExecutionPolicy Bypass -Command \"try { [IO.File]::WriteAllText($env:GUS_WS_TXT, [string]$env:GUS_WS_FOR_HASH) } catch { exit 1 }\" ",
"FileVersion": "10.0.19041.546 (WinBuild.160101.0800)",
"ParentImage": "C:\\Windows\\SysWOW64\\cmd.exe",
"IntegrityLevel": "High",
"Image": "C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe",
"Company": "Microsoft Corporation"
}
},
{
"values": {
"Hashes": "SHA1=A72C41316307889E43FE8605A0DCA4A72E72A011,MD5=DCAADF7C9610B5EBEBDEDB1569EC4A9D,SHA256=D783BA6567FAF10FDFF2D0EA3864F6756862D6C733C7F4467283DA81AEDC3A80,IMPHASH=E09C4F82A1DA13A09F4FF2E625FEBA20",
"CurrentDirectory": "C:\\Users\\Bruno\\Desktop\\",
"OriginalFileName": "PowerShell.EXE",
"Product": "Microsoft\\xae Windows\\xae Operating System",
"Description": "Windows PowerShell",
"EventID": "1",
"ParentCommandLine": "C:\\Windows\\system32\\cmd.exe /c powershell.exe -NoProfile -NonInteractive -WindowStyle Hidden -ExecutionPolicy Bypass -Command \"$ProgressPreference='SilentlyContinue'; $o=''; $e=$env:GUS_WS_RAW; if (-not [string]::IsNullOrWhiteSpace($e)) { try { $o=[System.IO.Path]::GetFullPath($e) } catch { $o=$e } }; Write-Output $o\"",
"CommandLine": "powershell.exe -NoProfile -NonInteractive -WindowStyle Hidden -ExecutionPolicy Bypass -Command \"$ProgressPreference='SilentlyContinue'; $o=''; $e=$env:GUS_WS_RAW; if (-not [string]::IsNullOrWhiteSpace($e)) { try { $o=[System.IO.Path]::GetFullPath($e) } catch { $o=$e } }; Write-Output $o\"",
"FileVersion": "10.0.22621.2361 (WinBuild.160101.0800)",
"ParentImage": "C:\\Windows\\System32\\cmd.exe",
"IntegrityLevel": "High",
"Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
"Company": "Microsoft Corporation"
}
}
]
}
],
"reputation": 0,
"unique_sources": 1,
"md5": "34820759e0f4a6ddaf59a636dd31a74d",
"popular_threat_classification": {
"popular_threat_category": [
{
"count": 1,
"value": "trojan"
}
],
"suggested_threat_label": "trojan.batch",
"popular_threat_name": [
{
"count": 1,
"value": "batch"
}
]
},
"size": 23356,
"sha256": "62761f38ed194c59abe15c49f09f0ebc431ac852c965180c9327ed84d3a454fb",
"total_votes": {
"harmless": 0,
"malicious": 0
},
"ssdeep": "384:rouV5l2V8eZIuLefZNq8Se5aAWS6ACTK6zOJQPcX2cEpdhhTmQUl6kUqgwSizEWO:PlKL6qu5TWl5ZHufgwdXjq5",
"sigma_analysis_summary": {
"Sigma Integrated Rule Set (GitHub)": {
"critical": 0,
"high": 2,
"medium": 1,
"low": 1
}
},
"type_tag": "bat",
"times_submitted": 1,
"sandbox_verdicts": {
"Zenbox": {
"category": "harmless",
"malware_classification": [
"CLEAN"
],
"sandbox_name": "Zenbox",
"confidence": 100
}
},
"last_modification_date": 1780913715,
"last_submission_date": 1780913247,
"meaningful_name": "run-update.cmd",
"tags": [
"bat"
]
}
}
}