0d20d075cf8e97e778f907255f5d6fe18de6f7d0da42c7bc2af700a2f69b72b1

Analysis

max time kernel
147s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
01-01-2023 17:32

Target

data/plugins/tpm_on.bat
Size

281B
MD5

01548ec95cdac921856a9329a929ba02
SHA1

110041308436e5a366016b0f291404ff386b73b7
SHA256

f069b3952d0ffa55d88938c0be880d843fbb8a807a585408854631fddd6c0e10
SHA512

4adc68b4f05b0b665d197093b5682fa817dc1fc15481efd6a62c2b023160de638f8b6be1f8e32a2cc8b9a8b7949e765d0c6a3dc9a832b4be99d5c041e34f50a0

Score

1^/10

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 628 wrote to memory of 4244	628	cmd.exe	80
PID 628 wrote to memory of 4244	628	cmd.exe	80
PID 628 wrote to memory of 4712	628	cmd.exe	81
PID 628 wrote to memory of 4712	628	cmd.exe	81
PID 628 wrote to memory of 1340	628	cmd.exe	82
PID 628 wrote to memory of 1340	628	cmd.exe	82

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\data\plugins\tpm_on.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:628
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\Setup\LabConfig" /V BypassTPMCheck /T REG_DWORD /D 1 /F
  2⤵
  PID:4244
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\Setup\LabConfig" /V BypassRAMCheck /T REG_DWORD /D 1 /F
  2⤵
  PID:4712
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\Setup\LabConfig" /V BypassSecureBootCheck /T REG_DWORD /D 1 /F
  2⤵
  PID:1340