6650dcf52e02ab0459c72bf9bdbdeaa1c3748be49c4a45d04ebb18fae16baa01

Analysis

max time kernel
135s
max time network
159s
platform
windows10-2004_x64
resource
win10v2004-20231023-en
resource tags

arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
submitted
25/11/2023, 06:58

Target

All-In-One-Version/MAS_1.5_AIO_CRC32_21D20776.cmd
Size

1.7MB
MD5

a0f1c3aa3cd2380b669f77f3b8bac024
SHA1

4d11828cac7728e25f6e2d1e76553d779d4a33ff
SHA256

0271e8f4113a31d688668d0e3bc7d06c525cf082930a8930273d5d9a69ce981d
SHA512

5a61b2aa6ffcb551760dec584bbe5261449200c2d0f34389af7879fe8f9dd6ab7bbfac3a7ea902e5231c9747ceb29118e02cd49ed535e634b7d79d3368fbc556
SSDEEP

24576:xI3OiPLyZpRvavXZGkRaOGTOzdutMO+pixuOSOihJv0bXuFH9:SNj6qbGTOXqSfLvH9

Score

1^/10

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 1516 wrote to memory of 3036	1516	cmd.exe	85
PID 1516 wrote to memory of 3036	1516	cmd.exe	85
PID 1516 wrote to memory of 4556	1516	cmd.exe	86
PID 1516 wrote to memory of 4556	1516	cmd.exe	86
PID 1516 wrote to memory of 4236	1516	cmd.exe	88
PID 1516 wrote to memory of 4236	1516	cmd.exe	88
PID 1516 wrote to memory of 1064	1516	cmd.exe	89
PID 1516 wrote to memory of 1064	1516	cmd.exe	89
PID 1064 wrote to memory of 2880	1064	cmd.exe	90
PID 1064 wrote to memory of 2880	1064	cmd.exe	90
PID 1064 wrote to memory of 3504	1064	cmd.exe	91
PID 1064 wrote to memory of 3504	1064	cmd.exe	91
PID 1516 wrote to memory of 1148	1516	cmd.exe	92
PID 1516 wrote to memory of 1148	1516	cmd.exe	92
PID 1516 wrote to memory of 3180	1516	cmd.exe	93
PID 1516 wrote to memory of 3180	1516	cmd.exe	93

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\All-In-One-Version\MAS_1.5_AIO_CRC32_21D20776.cmd"
1⤵
- Suspicious use of WriteProcessMemory
PID:1516
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ver
  2⤵
  PID:3036
- C:\Windows\System32\reg.exe
  reg query "HKCU\Console" /v ForceV2
  2⤵
  PID:4556
- C:\Windows\System32\find.exe
  find /i "0x0"
  2⤵
  PID:4236
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c echo prompt $E | cmd
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1064
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo prompt $E "
    3⤵
    PID:2880
- - C:\Windows\System32\cmd.exe
    cmd
    3⤵
    PID:3504
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo "C:\Users\Admin\AppData\Local\Temp\All-In-One-Version\MAS_1.5_AIO_CRC32_21D20776.cmd" "
  2⤵
  PID:1148
- C:\Windows\System32\find.exe
  find /i "C:\Users\Admin\AppData\Local\Temp"
  2⤵
  PID:3180