7ff6222008305bf26db6593077544d57bfaa9138ffed2118cd8f07071fda15f7

Analysis

max time kernel
145s
max time network
113s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
17/04/2024, 04:46

Target

KMSAuto Net.exe
Size

7.9MB
MD5

f1fe671bcefd4630e5ed8b87c9283534
SHA1

9ff0546074213231e695e67324aba64e2e65d2c2
SHA256

58d6fec4ba24c32d38c9a0c7c39df3cb0e91f500b323e841121d703c7b718681
SHA512

aa2d1a01612aeaa71c19bdb852cdf24c290929ae68831035d9b0cbc1b548db87bf23aea521e19a0f51e369f463763178f2f6b094782fd5dfb00db961c705078b
SSDEEP

196608:C38lywCAfywOweqyw3ywsywXywZywnywZywBywEyw4ywwywmIBywyywsyw/ywiys:EDwCAqwUnwiwxwCwUwywUw8wJwVwtwiB

Score

1^/10

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	64	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	64	AUDIODG.EXE

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 4816 wrote to memory of 5032	4816	KMSAuto Net.exe	88
PID 4816 wrote to memory of 5032	4816	KMSAuto Net.exe	88
PID 4816 wrote to memory of 5032	4816	KMSAuto Net.exe	88
PID 4816 wrote to memory of 1676	4816	KMSAuto Net.exe	90
PID 4816 wrote to memory of 1676	4816	KMSAuto Net.exe	90
PID 4816 wrote to memory of 216	4816	KMSAuto Net.exe	92
PID 4816 wrote to memory of 216	4816	KMSAuto Net.exe	92

C:\Users\Admin\AppData\Local\Temp\KMSAuto Net.exe
"C:\Users\Admin\AppData\Local\Temp\KMSAuto Net.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4816
- C:\Windows\SysWOW64\cmd.exe
  cmd /c md "C:\Users\Admin\AppData\Local\MSfree Inc"
  2⤵
  PID:5032
- C:\Windows\system32\cmd.exe
  C:\Windows\Sysnative\cmd.exe /c echo test>>"C:\Users\Admin\AppData\Local\Temp\test.test"
  2⤵
  PID:1676
- C:\Windows\system32\cmd.exe
  C:\Windows\Sysnative\cmd.exe /D /c del /F /Q "test.test"
  2⤵
  PID:216

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x478 0x424
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:64

C:\Users\Admin\AppData\Local\Temp\test.test

Filesize
6B

MD5
9f06243abcb89c70e0c331c61d871fa7

SHA1
fde773a18bb29f5ed65e6f0a7aa717fd1fa485d4

SHA256
837ccb607e312b170fac7383d7ccfd61fa5072793f19a25e75fbacb56539b86b

SHA512
b947b99d1baddd347550c9032e9ab60b6be56551cf92c076b38e4e11f436051a4af51c47e54f8641316a720b043641a3b3c1e1b01ba50445ea1ba60bfd1b7a86

Download Submit
memory/4816-0-0x0000000074C90000-0x0000000075440000-memory.dmp

Filesize
7.7MB

Download
memory/4816-1-0x0000000000E90000-0x0000000001682000-memory.dmp

Filesize
7.9MB

Download
memory/4816-2-0x0000000005F70000-0x000000000600C000-memory.dmp

Filesize
624KB

Download
memory/4816-3-0x0000000006710000-0x0000000006CB4000-memory.dmp

Filesize
5.6MB

Download
memory/4816-4-0x0000000006010000-0x00000000060A2000-memory.dmp

Filesize
584KB

Download
memory/4816-6-0x00000000039D0000-0x00000000039DA000-memory.dmp

Filesize
40KB

Download
memory/4816-5-0x0000000006330000-0x0000000006340000-memory.dmp

Filesize
64KB

Download
memory/4816-7-0x0000000006250000-0x00000000062A6000-memory.dmp

Filesize
344KB

Download
memory/4816-12-0x0000000074C90000-0x0000000075440000-memory.dmp

Filesize
7.7MB

Download
memory/4816-13-0x0000000006330000-0x0000000006340000-memory.dmp

Filesize
64KB

Download
memory/4816-14-0x0000000006330000-0x0000000006340000-memory.dmp

Filesize
64KB

Download