82d8b325b7a98dec4d5187b6a3d488865e400a87d28a947b8ace056a3c2b49a0

Analysis

max time kernel
142s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
22/09/2023, 15:33

Target

Microsoft-Activation-Scripts-master/MAS/Separate-Files-Version/Activators/KMS38_Activation.cmd
Size

49KB
MD5

4f90cb0f1cb3e13baa448d460d6cd484
SHA1

864866cbb2a3b07ab77995b5b9c6e493739e32c1
SHA256

d413f890b8612e359f23ca081e2cfe89789e5ba30281bdb24b9cccefadc2824b
SHA512

854c3f8c539f21729cb5b9c34395771d0e7d0ca7008cb983bbd3765320b5d9be6039473eed39ad72805ee8c557b2d18d67ed9b34cc93fb221a6149576a33c706
SSDEEP

1536:X53y9BOcZ9o8xbIyzcu346WGwopXlVTtRVx6/:p3l6TdvA

Score

1^/10

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 3508 wrote to memory of 5008	3508	cmd.exe	86
PID 3508 wrote to memory of 5008	3508	cmd.exe	86
PID 3508 wrote to memory of 4024	3508	cmd.exe	87
PID 3508 wrote to memory of 4024	3508	cmd.exe	87
PID 3508 wrote to memory of 3804	3508	cmd.exe	88
PID 3508 wrote to memory of 3804	3508	cmd.exe	88
PID 3508 wrote to memory of 4344	3508	cmd.exe	89
PID 3508 wrote to memory of 4344	3508	cmd.exe	89
PID 3508 wrote to memory of 4128	3508	cmd.exe	90
PID 3508 wrote to memory of 4128	3508	cmd.exe	90
PID 4128 wrote to memory of 4468	4128	cmd.exe	91
PID 4128 wrote to memory of 4468	4128	cmd.exe	91
PID 4128 wrote to memory of 3632	4128	cmd.exe	92
PID 4128 wrote to memory of 3632	4128	cmd.exe	92
PID 3508 wrote to memory of 2992	3508	cmd.exe	94
PID 3508 wrote to memory of 2992	3508	cmd.exe	94
PID 3508 wrote to memory of 4476	3508	cmd.exe	95
PID 3508 wrote to memory of 4476	3508	cmd.exe	95

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Microsoft-Activation-Scripts-master\MAS\Separate-Files-Version\Activators\KMS38_Activation.cmd"
1⤵
- Suspicious use of WriteProcessMemory
PID:3508
- C:\Windows\System32\findstr.exe
  findstr /rxc:".*" "KMS38_Activation.cmd"
  2⤵
  PID:5008
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ver
  2⤵
  PID:4024
- C:\Windows\System32\reg.exe
  reg query "HKCU\Console" /v ForceV2
  2⤵
  PID:3804
- C:\Windows\System32\find.exe
  find /i "0x0"
  2⤵
  PID:4344
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c echo prompt $E | cmd
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4128
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo prompt $E "
    3⤵
    PID:4468
- - C:\Windows\System32\cmd.exe
    cmd
    3⤵
    PID:3632
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo "C:\Users\Admin\AppData\Local\Temp\Microsoft-Activation-Scripts-master\MAS\Separate-Files-Version\Activators\KMS38_Activation.cmd" "
  2⤵
  PID:2992
- C:\Windows\System32\find.exe
  find /i "C:\Users\Admin\AppData\Local\Temp"
  2⤵
  PID:4476