6d8ce5ddf48cb6bacf8e84ec8ee2c77b264325d288c7fcd40e0ddf7f50c6f547

Analysis

max time kernel
1604s
max time network
1607s
platform
windows10-1703_x64
resource
win10-20220812-es
resource tags

arch:x64arch:x86image:win10-20220812-eslocale:es-esos:windows10-1703-x64systemwindows
submitted
01/01/2023, 17:49

Target

Separate-Files-Version/Install_HWID_Key.cmd
Size

15KB
MD5

a29a8d30d62d365dffba307ffcde9b25
SHA1

001863b0349c67a2c8bc54fd0cfaf1e58f505fa4
SHA256

a3dbe4b712888ff5d0b1caee65987806f36d379ecedd9ff059a069516a188c4d
SHA512

fd66d921fb648780a24cddfa473966a2a958be500b2c4907aa5d934270ae502f0261fffa92ba92349294c42fc7e2b093162f0288885d6316da92e1008014779d
SSDEEP

192:tIDP04IPIn3DX/GLeI2HActg5hC6UsG+ez3+NKhhXEZVjrBzkhibiwlVvsOHp+K7:qn3DX/RpggnnI7rBzzlrn7

Score

1^/10

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2856 wrote to memory of 2132	2856	cmd.exe	67
PID 2856 wrote to memory of 2132	2856	cmd.exe	67
PID 2856 wrote to memory of 696	2856	cmd.exe	68
PID 2856 wrote to memory of 696	2856	cmd.exe	68
PID 2856 wrote to memory of 3232	2856	cmd.exe	69
PID 2856 wrote to memory of 3232	2856	cmd.exe	69
PID 2856 wrote to memory of 3748	2856	cmd.exe	70
PID 2856 wrote to memory of 3748	2856	cmd.exe	70
PID 2856 wrote to memory of 4460	2856	cmd.exe	71
PID 2856 wrote to memory of 4460	2856	cmd.exe	71
PID 4460 wrote to memory of 4564	4460	cmd.exe	72
PID 4460 wrote to memory of 4564	4460	cmd.exe	72
PID 4460 wrote to memory of 400	4460	cmd.exe	73
PID 4460 wrote to memory of 400	4460	cmd.exe	73
PID 2856 wrote to memory of 1688	2856	cmd.exe	75
PID 2856 wrote to memory of 1688	2856	cmd.exe	75
PID 2856 wrote to memory of 4776	2856	cmd.exe	74
PID 2856 wrote to memory of 4776	2856	cmd.exe	74

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Separate-Files-Version\Install_HWID_Key.cmd"
1⤵
- Suspicious use of WriteProcessMemory
PID:2856
- C:\Windows\System32\findstr.exe
  findstr /rxc:".*" "Install_HWID_Key.cmd"
  2⤵
  PID:2132
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ver
  2⤵
  PID:696
- C:\Windows\System32\reg.exe
  reg query "HKCU\Console" /v ForceV2
  2⤵
  PID:3232
- C:\Windows\System32\find.exe
  find /i "0x0"
  2⤵
  PID:3748
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c echo prompt $E | cmd
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4460
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo prompt $E "
    3⤵
    PID:4564
- - C:\Windows\System32\cmd.exe
    cmd
    3⤵
    PID:400
- C:\Windows\System32\find.exe
  find /i "C:\Users\Admin\AppData\Local\Temp"
  2⤵
  PID:4776
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo "C:\Users\Admin\AppData\Local\Temp\Separate-Files-Version\Install_HWID_Key.cmd" "
  2⤵
  PID:1688