59f02c2c87f02a687c1977b6afccfbf662ba6e9e0ab4b4b8522b42278967b490

Analysis

max time kernel
131s
max time network
140s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
26-05-2024 06:15

Target

KMSAuto Lite Portable v1.3.5.3/KMSAuto.exe
Size

1.7MB
MD5

9129cf390af59e8883c2ad2b441f0fc8
SHA1

316945b06058ffccc032fb456c67064f69e8ded5
SHA256

839e6f62f594bb48882c8b86ba1c950a1e68d02adf729f78550cbb01483be0ea
SHA512

5fd1b5fb96506122f3f9b7effdeb6dab9726d7df3c3b4fdb6cfb6d6dbcb61683e8d048eb943dac4c20a2baaef984e5618ec4c7f2f033d092269c6d09927756cc
SSDEEP

24576:/kJw8EIRYk40u443yE4lpWc2eNZkC3196UKtZh1QpoP+l1OwQsv+pG+97IiGAWcs:T8EIH40Y394XWgZkCcZbQjQpDu

Score

1^/10

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

KMSAuto.exe

pid process

2456 KMSAuto.exe
2456 KMSAuto.exe

pid	process
2456	KMSAuto.exe
2456	KMSAuto.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

KMSAuto.exe

description	pid	process	target process
PID 2456 wrote to memory of 2068	2456	KMSAuto.exe	cmd.exe
PID 2456 wrote to memory of 2068	2456	KMSAuto.exe	cmd.exe
PID 2456 wrote to memory of 2068	2456	KMSAuto.exe	cmd.exe
PID 2456 wrote to memory of 2068	2456	KMSAuto.exe	cmd.exe

C:\Windows\system32\cmd.exe
"C:\Windows\Sysnative\cmd.exe" /c copy C:\Windows\system32\Tasks\KMSAuto "C:\Users\Admin\AppData\Local\Temp\KMSAuto.tmp" /Y
2⤵
PID:2068

memory/2456-0-0x0000000000400000-0x00000000009CE000-memory.dmp

Filesize
5.8MB

Download
memory/2456-3-0x0000000000400000-0x00000000009CE000-memory.dmp

Filesize
5.8MB

Download
memory/2456-4-0x0000000000400000-0x00000000009CE000-memory.dmp

Filesize
5.8MB

Download
memory/2456-2-0x0000000000400000-0x00000000009CE000-memory.dmp

Filesize
5.8MB

Download
memory/2456-1-0x0000000000400000-0x00000000009CE000-memory.dmp

Filesize
5.8MB

Download
memory/2456-5-0x0000000000400000-0x00000000009CE000-memory.dmp

Filesize
5.8MB

Download