00a99203103cd7e8bbe31a00141b2d487d7834492f62a26f0242d0f153e167d5

Analysis

max time kernel
1655s
max time network
1669s
platform
windows10-1703_x64
resource
win10-20240221-en
resource tags

arch:x64arch:x86image:win10-20240221-enlocale:en-usos:windows10-1703-x64system
submitted
09-03-2024 15:50

Target

Pida Software Microsoft Original/ActivadorWindows/KMS_VL_ALL-44/Activate.cmd
Size

112KB
MD5

27dbbeda34fa7260a3dc9f6fd1398fdd
SHA1

5a7ad865b94d9d98099316fa2f78a1636e8cd8d4
SHA256

79731e75607973ed0cf7fb89174785691711dcb8032527b3cc70c72d3a61118d
SHA512

b56d8a1ee30b0893d4789f8dcd631b965cf2f22539fb00fe9da1c294b009d80823379cb648f5b9f4820e477bcf2592b41b7f7055db0cd055e3dc465a35962d5d
SSDEEP

1536:17u32nr4++uXxPjQxFchFyDZQxF5BFprbPrDY0ySbqbfYpM6/+RvLDx7qdzik:N9rKuVmwprbjc0ySbqbfYCTRvL0df

Score

4^/10

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
1556	sc.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 4280 wrote to memory of 3664	4280	cmd.exe	73
PID 4280 wrote to memory of 3664	4280	cmd.exe	73
PID 4280 wrote to memory of 5000	4280	cmd.exe	74
PID 4280 wrote to memory of 5000	4280	cmd.exe	74
PID 4280 wrote to memory of 952	4280	cmd.exe	75
PID 4280 wrote to memory of 952	4280	cmd.exe	75
PID 4280 wrote to memory of 4108	4280	cmd.exe	76
PID 4280 wrote to memory of 4108	4280	cmd.exe	76
PID 4108 wrote to memory of 2388	4108	cmd.exe	77
PID 4108 wrote to memory of 2388	4108	cmd.exe	77
PID 4280 wrote to memory of 4664	4280	cmd.exe	78
PID 4280 wrote to memory of 4664	4280	cmd.exe	78
PID 4280 wrote to memory of 2712	4280	cmd.exe	79
PID 4280 wrote to memory of 2712	4280	cmd.exe	79
PID 4280 wrote to memory of 1556	4280	cmd.exe	80
PID 4280 wrote to memory of 1556	4280	cmd.exe	80
PID 4280 wrote to memory of 4432	4280	cmd.exe	81
PID 4280 wrote to memory of 4432	4280	cmd.exe	81
PID 4280 wrote to memory of 4180	4280	cmd.exe	82
PID 4280 wrote to memory of 4180	4280	cmd.exe	82

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Pida Software Microsoft Original\ActivadorWindows\KMS_VL_ALL-44\Activate.cmd"
1⤵
- Suspicious use of WriteProcessMemory
PID:4280
- C:\Windows\System32\cmd.exe
  cmd /v:on /c echo(^!param^!
  2⤵
  PID:3664
- C:\Windows\System32\findstr.exe
  findstr /R "[| ` ~ ! @ % \^ & ( ) \[ \] { } + = ; ' , |]*^"
  2⤵
  PID:5000
- C:\Windows\System32\reg.exe
  reg query HKU\S-1-5-19
  2⤵
  PID:952
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /v Desktop
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4108
- - C:\Windows\System32\reg.exe
    reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /v Desktop
    3⤵
    PID:2388
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ver
  2⤵
  PID:4664
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c dir /b /ad C:\Windows\System32\spp\tokens\skus
  2⤵
  PID:2712
- C:\Windows\System32\sc.exe
  sc query osppsvc
  2⤵
  - Launches sc.exe
  PID:1556
- C:\Windows\System32\reg.exe
  reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sppsvc.exe"
  2⤵
  PID:4432
- C:\Windows\System32\reg.exe
  reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\CurrentVersion\Software Protection Platform" /v NoGenTicket /t REG_DWORD /d 1 /f
  2⤵
  PID:4180