69a8ae6352cffd366409df8e566e84315b4bffcf5865a4b8079c446123ba1d26

Resubmissions

21/05/2024, 19:03

21/05/2024, 18:41

max time kernel
146s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
21/05/2024, 18:41

Target

KMSAuto Net.exe
Size

6.7MB
MD5

6ee7f3ecd5111cd5306792fd3141515d
SHA1

45c92d0e691175a39a8c61228f526f80a7ca94fc
SHA256

69a8ae6352cffd366409df8e566e84315b4bffcf5865a4b8079c446123ba1d26
SHA512

1dc9b725115bc703373f5e4759f4081012538366e9fa2a497a06182908a1715659c876c3a471b176ce81e74181965750b7376d2a8492500c403231241522e16c
SSDEEP

196608:0eywBGqyw1lT3ywuywQyw1ywlywaywTyw9lywfywEyw1ywHywwywmIBywyywsywv:IwBGnw1l+wjwNw4wIw3w2w9IwqwJw4w4

Score

1^/10

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	3456	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	3456	AUDIODG.EXE

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 3256 wrote to memory of 1816	3256	KMSAuto Net.exe	90
PID 3256 wrote to memory of 1816	3256	KMSAuto Net.exe	90
PID 3256 wrote to memory of 1816	3256	KMSAuto Net.exe	90
PID 3256 wrote to memory of 2228	3256	KMSAuto Net.exe	92
PID 3256 wrote to memory of 2228	3256	KMSAuto Net.exe	92
PID 3256 wrote to memory of 2228	3256	KMSAuto Net.exe	92
PID 3256 wrote to memory of 3916	3256	KMSAuto Net.exe	94
PID 3256 wrote to memory of 3916	3256	KMSAuto Net.exe	94

C:\Users\Admin\AppData\Local\Temp\KMSAuto Net.exe
"C:\Users\Admin\AppData\Local\Temp\KMSAuto Net.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3256
- C:\Windows\SysWOW64\cmd.exe
  cmd /c md "C:\Users\Admin\AppData\Local\MSfree Inc"
  2⤵
  PID:1816
- C:\Windows\SysWOW64\cmd.exe
  cmd /c echo test>>"C:\Users\Admin\AppData\Local\Temp\test.test"
  2⤵
  PID:2228
- C:\Windows\system32\cmd.exe
  C:\Windows\Sysnative\cmd.exe /c del /F /Q "test.test"
  2⤵
  PID:3916

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x318 0x424
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3456

C:\Users\Admin\AppData\Local\Temp\test.test

Filesize
6B

MD5
9f06243abcb89c70e0c331c61d871fa7

SHA1
fde773a18bb29f5ed65e6f0a7aa717fd1fa485d4

SHA256
837ccb607e312b170fac7383d7ccfd61fa5072793f19a25e75fbacb56539b86b

SHA512
b947b99d1baddd347550c9032e9ab60b6be56551cf92c076b38e4e11f436051a4af51c47e54f8641316a720b043641a3b3c1e1b01ba50445ea1ba60bfd1b7a86

Download Submit
memory/3256-0-0x000000007441E000-0x000000007441F000-memory.dmp

Filesize
4KB

Download
memory/3256-1-0x0000000000830000-0x0000000000EDC000-memory.dmp

Filesize
6.7MB

Download
memory/3256-2-0x0000000005860000-0x00000000058FC000-memory.dmp

Filesize
624KB

Download
memory/3256-3-0x0000000005EB0000-0x0000000006454000-memory.dmp

Filesize
5.6MB

Download
memory/3256-4-0x00000000059A0000-0x0000000005A32000-memory.dmp

Filesize
584KB

Download
memory/3256-6-0x0000000005B90000-0x0000000005BE6000-memory.dmp

Filesize
344KB

Download
memory/3256-7-0x0000000074410000-0x0000000074BC0000-memory.dmp

Filesize
7.7MB

Download
memory/3256-5-0x0000000005980000-0x000000000598A000-memory.dmp

Filesize
40KB

Download
memory/3256-8-0x0000000074410000-0x0000000074BC0000-memory.dmp

Filesize
7.7MB

Download
memory/3256-13-0x000000007441E000-0x000000007441F000-memory.dmp

Filesize
4KB

Download
memory/3256-14-0x0000000074410000-0x0000000074BC0000-memory.dmp

Filesize
7.7MB

Download