59675aabbd8a3d27a19f2b4f5683717042332a575f9cdd8a5727fa62a9d8c5bf

Analysis

max time kernel
90s
max time network
137s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
06/09/2024, 07:17

Target

Windows 激活工具/Lite.cmd
Size

842B
MD5

5ae0aac595dab0ffe87b36e4cbb822a6
SHA1

29a36471f7280ca5bb5970e8e1e22a734615483e
SHA256

23bccb5d8c1036fac73b954710da88380cdf2125654fbef534a7ccd56d918bd0
SHA512

60dff8a051aca03c172299caf614999f3b317854d0e1311e97b72d55f2e3d9304b4bf93d7873da59be565001773da6b59dc390a8cbd3192a554b7bf2d9a4fbfb

Score

1^/10

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2368 wrote to memory of 640	2368	cmd.exe	86
PID 2368 wrote to memory of 640	2368	cmd.exe	86
PID 2368 wrote to memory of 944	2368	cmd.exe	87
PID 2368 wrote to memory of 944	2368	cmd.exe	87

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Windows 激活工具\Lite.cmd"
1⤵
- Suspicious use of WriteProcessMemory
PID:2368
- C:\Windows\system32\cacls.exe
  "C:\Windows\system32\cacls.exe" "C:\Windows\system32\config\system"
  2⤵
  PID:640
- C:\Users\Admin\AppData\Local\Temp\Windows 激活工具\Activator.exe
  "C:\Users\Admin\AppData\Local\Temp\Windows 激活工具\Activator.exe" /Lite
  2⤵
  PID:944

memory/944-0-0x00007FFE6E443000-0x00007FFE6E445000-memory.dmp

Filesize
8KB

Download
memory/944-1-0x0000000000E60000-0x0000000000E70000-memory.dmp

Filesize
64KB

Download
memory/944-2-0x000000001BAF0000-0x000000001C05E000-memory.dmp

Filesize
5.4MB

Download
memory/944-3-0x00007FFE6E440000-0x00007FFE6EF01000-memory.dmp

Filesize
10.8MB

Download
memory/944-4-0x00007FFE6E440000-0x00007FFE6EF01000-memory.dmp

Filesize
10.8MB

Download
memory/944-5-0x00007FFE6E443000-0x00007FFE6E445000-memory.dmp

Filesize
8KB

Download
memory/944-6-0x00007FFE6E440000-0x00007FFE6EF01000-memory.dmp

Filesize
10.8MB

Download