7ce2104ee4282e0538a6b3ee829da46cdc80ad1964972dadfb98924e95a134b3

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
23/05/2024, 12:34

Target

IIS Compress - Off.cmd
Size

897B
MD5

8b6f3daa7d23b5874ef5bb5c90181719
SHA1

e108ba8cd6811910414518008ea70a28757847b4
SHA256

7ce2104ee4282e0538a6b3ee829da46cdc80ad1964972dadfb98924e95a134b3
SHA512

573a1fb608f39e91569f8ad069b4be5c71df2da57125e0fef5712b5c0a6f6f8886d5e38ab9a133030172c9081203af8961df64d77842493c332e85ce7db0b33a

Score

1^/10

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 1124 wrote to memory of 1588	1124	cmd.exe	84
PID 1124 wrote to memory of 1588	1124	cmd.exe	84
PID 1124 wrote to memory of 4552	1124	cmd.exe	85
PID 1124 wrote to memory of 4552	1124	cmd.exe	85
PID 1124 wrote to memory of 1940	1124	cmd.exe	86
PID 1124 wrote to memory of 1940	1124	cmd.exe	86
PID 1124 wrote to memory of 4640	1124	cmd.exe	87
PID 1124 wrote to memory of 4640	1124	cmd.exe	87
PID 1124 wrote to memory of 1012	1124	cmd.exe	88
PID 1124 wrote to memory of 1012	1124	cmd.exe	88
PID 1124 wrote to memory of 2164	1124	cmd.exe	89
PID 1124 wrote to memory of 2164	1124	cmd.exe	89
PID 1124 wrote to memory of 2228	1124	cmd.exe	90
PID 1124 wrote to memory of 2228	1124	cmd.exe	90
PID 1124 wrote to memory of 4256	1124	cmd.exe	91
PID 1124 wrote to memory of 4256	1124	cmd.exe	91

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\IIS Compress - Off.cmd"
1⤵
- Suspicious use of WriteProcessMemory
PID:1124
- C:\Windows\system32\cscript.exe
  cscript C:\Inetpub\AdminScripts\adsutil.vbs set w3svc/filters/compression/parameters/HcDoDynamicCompression false
  2⤵
  PID:1588
- C:\Windows\system32\cscript.exe
  cscript C:\Inetpub\AdminScripts\adsutil.vbs set w3svc/filters/compression/parameters/HcDoStaticCompression false
  2⤵
  PID:4552
- C:\Windows\system32\cscript.exe
  cscript C:\Inetpub\AdminScripts\adsutil.vbs set w3svc/filters/compression/gzip/hcdynamiccompressionlevel "0"
  2⤵
  PID:1940
- C:\Windows\system32\cscript.exe
  cscript C:\Inetpub\AdminScripts\adsutil.vbs set w3svc/filters/compression/deflate/hcdynamiccompressionlevel "0"
  2⤵
  PID:4640
- C:\Windows\system32\cscript.exe
  cscript C:\Inetpub\AdminScripts\adsutil.vbs set w3svc/filters/compression/gzip/hcscriptfileextensions "cfm"
  2⤵
  PID:1012
- C:\Windows\system32\cscript.exe
  cscript C:\Inetpub\AdminScripts\adsutil.vbs set w3svc/filters/compression/deflate/hcscriptfileextensions "cfm"
  2⤵
  PID:2164
- C:\Windows\system32\cscript.exe
  cscript C:\Inetpub\AdminScripts\adsutil.vbs set w3svc/filters/compression/gzip/hcfileextensions "vbs"
  2⤵
  PID:2228
- C:\Windows\system32\cscript.exe
  cscript C:\Inetpub\AdminScripts\adsutil.vbs set w3svc/filters/compression/deflate/hcfileextensions "vbs"
  2⤵
  PID:4256