f1f219c3c61e1cdd64e2034ecd81e7476e86d59d407d0364753cf13efaa580e2

Analysis

max time kernel
149s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
12-10-2023 13:49

Target

okkk.bat
Size

242B
MD5

8964acdcbd316bd4846fa4baa9840609
SHA1

465ec38bd8a77affb506dae3bef78efb2e2d6bdf
SHA256

f1f219c3c61e1cdd64e2034ecd81e7476e86d59d407d0364753cf13efaa580e2
SHA512

54d83048d69cc961e5b82d8e52817c5faeb5a2b2c78b0dbf83efeb7e0b38d114eec3fb15e574716fda1c1a02ad96c172fe90de530feb0d1388195005af8f4cab

Score

1^/10

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2864 wrote to memory of 2692	2864	cmd.exe	83
PID 2864 wrote to memory of 2692	2864	cmd.exe	83
PID 2864 wrote to memory of 4912	2864	cmd.exe	84
PID 2864 wrote to memory of 4912	2864	cmd.exe	84
PID 2864 wrote to memory of 1836	2864	cmd.exe	86
PID 2864 wrote to memory of 1836	2864	cmd.exe	86
PID 2864 wrote to memory of 4188	2864	cmd.exe	88
PID 2864 wrote to memory of 4188	2864	cmd.exe	88
PID 2864 wrote to memory of 1612	2864	cmd.exe	89
PID 2864 wrote to memory of 1612	2864	cmd.exe	89
PID 4912 wrote to memory of 968	4912	cmd.exe	93
PID 4912 wrote to memory of 968	4912	cmd.exe	93
PID 1612 wrote to memory of 2212	1612	cmd.exe	94
PID 1612 wrote to memory of 2212	1612	cmd.exe	94
PID 4188 wrote to memory of 2408	4188	cmd.exe	95
PID 4188 wrote to memory of 2408	4188	cmd.exe	95
PID 1836 wrote to memory of 2964	1836	cmd.exe	96
PID 1836 wrote to memory of 2964	1836	cmd.exe	96

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\okkk.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:2864
- C:\Windows\system32\msg.exe
  msg * you have successfully downloaded porn
  2⤵
  PID:2692
- C:\Windows\system32\cmd.exe
  cmd /c msg * you are retarded
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4912
- - C:\Windows\system32\msg.exe
    msg * you are retarded
    3⤵
    PID:968
- C:\Windows\system32\cmd.exe
  cmd /c msg * please kys now u worthless pedo
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1836
- - C:\Windows\system32\msg.exe
    msg * please kys now u worthless pedo
    3⤵
    PID:2964
- C:\Windows\system32\cmd.exe
  cmd /c msg * what would your mother think?
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4188
- - C:\Windows\system32\msg.exe
    msg * what would your mother think?
    3⤵
    PID:2408
- C:\Windows\system32\cmd.exe
  cmd /c msg * tell your family I said hey
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1612
- - C:\Windows\system32\msg.exe
    msg * tell your family I said hey
    3⤵
    PID:2212