63ff7f699ccb77d08b4d31b6c90627cf78c2c269e5ba51d6657d4baeacee7951

Analysis

max time kernel
140s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
07/07/2023, 20:28

Target

WinSetView-main/Tools/WinSetBak.cmd
Size

4KB
MD5

050c3a4f7af319080e7757cd4d2e1565
SHA1

981e6aa6f8456b5dea79dae29660907a4205576e
SHA256

bddfcf49982865cd780ae877ef9fd2c7e67b9de653f6ff107709269e8d914cd1
SHA512

9be7b63e48ef977d1769f079d78e88060eea058cdad130dbc590146b2c3a8c09f2f59551641700897c78349ec3207bb1b56bb178a7f6f5cacc586ad28c665d04
SSDEEP

96:MRjT7Oxdvmxyk5ds5GsO1UoUefYpCiqcxUXK9obuRzgVCPBRkBh/:MRzyjgOxUXK9obuRzgVCPnu/

Score

1^/10

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1236 wrote to memory of 1932	1236	cmd.exe	85
PID 1236 wrote to memory of 1932	1236	cmd.exe	85
PID 1932 wrote to memory of 484	1932	cmd.exe	86
PID 1932 wrote to memory of 484	1932	cmd.exe	86

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\WinSetView-main\Tools\WinSetBak.cmd"
1⤵
- Suspicious use of WriteProcessMemory
PID:1236
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c Reg Query "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /v Desktop 2>Nul
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1932
- - C:\Windows\system32\reg.exe
    Reg Query "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /v Desktop
    3⤵
    PID:484