hxxps://mega[.]nz/file/QzpA0YST#JeDPGBmNphunJg6cW3nMZe6DQgtorQm1SP5Ev98rX3o

Analysis

max time kernel
737s
max time network
802s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
02/10/2022, 16:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://mega.nz/file/QzpA0YST#JeDPGBmNphunJg6cW3nMZe6DQgtorQm1SP5Ev98rX3o

Score

8^/10

evasion persistence upx

Malware Config

Signatures

Creates new service(s) 1 TTPs
persistence

New Service
T1050

Executes dropped EXE 6 IoCs

pid	Process
2864	ChromeRecovery.exe
1528	KMSAuto++.exe
2280	signtool.exe
2352	KMSSS.exe
2240	KMSSS.exe
2580	KMSSS.exe

Modifies Windows Firewall 1 TTPs 18 IoCs

evasion

Modify Existing Service

T1031

pid	Process
2688	netsh.exe
2820	netsh.exe
756	netsh.exe
2180	netsh.exe
2792	netsh.exe
3012	netsh.exe
3028	netsh.exe
3032	netsh.exe
2020	netsh.exe
2060	netsh.exe
2120	netsh.exe
2924	netsh.exe
2152	netsh.exe
1740	netsh.exe
1404	netsh.exe
1592	netsh.exe
2320	netsh.exe
1140	netsh.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\KMSEmulator\ImagePath = "\"C:\\Users\\Admin\\Downloads\\KMSAuto++ 1.6.4 Portable Multilingual\\KMSAuto_Files\\bin\\KMSSS.exe\" -Port 1688 -PWin RandomKMSPID -PO14 RandomKMSPID -PO15 RandomKMSPID -PO16 RandomKMSPID -AI 43200 -RI 43200 KillProcessOnPort -Log -IP"	KMSAuto++.exe

Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000500000001cc5e-61.dat	upx
behavioral1/files/0x000500000001cc5e-63.dat	upx
behavioral1/memory/1528-70-0x0000000000400000-0x0000000001713000-memory.dmp	upx
behavioral1/memory/1528-76-0x0000000000400000-0x0000000001713000-memory.dmp	upx

Loads dropped DLL 2 IoCs

pid	Process
1528	KMSAuto++.exe
1528	KMSAuto++.exe

Drops file in Program Files directory 7 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir2792_213705561\_metadata\verified_contents.json	elevation_service.exe
File created	C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir2792_213705561\ChromeRecoveryCRX.crx	elevation_service.exe
File created	C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir2792_213705561\ChromeRecovery.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir2792_213705561\ChromeRecovery.exe	elevation_service.exe
File created	C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir2792_213705561\manifest.json	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir2792_213705561\manifest.json	elevation_service.exe
File created	C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir2792_213705561\_metadata\verified_contents.json	elevation_service.exe

Launches sc.exe 12 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2908	sc.exe
2928	sc.exe
996	sc.exe
1640	sc.exe
2580	sc.exe
2756	sc.exe
2776	sc.exe
1800	sc.exe
2624	sc.exe
2224	sc.exe
2872	sc.exe
2512	sc.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\SystemCertificates\CA\Certificates\D89E3BD43D5D909B47A18977AA9D5CE36CEE184C	signtool.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\SystemCertificates\CA\Certificates\D89E3BD43D5D909B47A18977AA9D5CE36CEE184C\Blob = 030000000100000014000000d89e3bd43d5d909b47a18977aa9d5ce36cee184c1400000001000000140000005379bf5aaa2b4acf5480e1d89bc09df2b20366cb040000000100000010000000285ec909c4ab0d2d57f5086b225799aa0f000000010000003000000013baa039635f1c5292a8c2f36aae7e1d25c025202e9092f5b0f53f5f752dfa9c71b3d1b8d9a6358fcee6ec75622fabf9190000000100000010000000ea6089055218053dd01e37e1d806eedf1800000001000000100000002aa1c05e2ae606f198c2c5e937c97aa22000000001000000850500003082058130820469a00302010202103972443af922b751d7d36c10dd313595300d06092a864886f70d01010c0500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3139303331323030303030305a170d3238313233313233353935395a308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f7269747930820222300d06092a864886f70d01010105000382020f003082020a028202010080126517360ec3db08b3d0ac570d76edcd27d34cad508361e2aa204d092d6409dcce899fcc3da9ecf6cfc1dcf1d3b1d67b3728112b47da39c6bc3a19b45fa6bd7d9da36342b676f2a93b2b91f8e26fd0ec162090093ee2e874c918b491d46264db7fa306f188186a90223cbcfe13f087147bf6e41f8ed4e451c61167460851cb8614543fbc33fe7e6c9cff169d18bd518e35a6a766c87267db2166b1d49b7803c0503ae8ccf0dcbc9e4cfeaf0596351f575ab7ffcef93db72cb6f654ddc8e7123a4dae4c8ab75c9ab4b7203dca7f2234ae7e3b68660144e7014e46539b3360f794be5337907343f332c353efdbaafe744e69c76b8c6093dec4c70cdfe132aecc933b517895678bee3d56fe0cd0690f1b0ff325266b336df76e47fa7343e57e0ea566b1297c3284635589c40dc19354301913acd37d37a7eb5d3a6c355cdb41d712daa9490bdfd8808a0993628eb566cf2588cd84b8b13fa4390fd9029eeb124c957cf36b05a95e1683ccb867e2e8139dcc5b82d34cb3ed5bffdee573ac233b2d00bf3555740949d849581a7f9236e651920ef3267d1c4d17bcc9ec4326d0bf415f40a94444f499e757879e501f5754a83efd74632fb1506509e658422e431a4cb4f0254759fa041e93d426464a5081b2debe78b7fc6715e1c957841e0f63d6e962bad65f552eea5cc62808042539b80e2ba9f24c971c073f0d52f5edef2f820f0203010001a381f23081ef301f0603551d23041830168014a0110a233e96f107ece2af29ef82a57fd030a4b4301d0603551d0e041604145379bf5aaa2b4acf5480e1d89bc09df2b20366cb300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff30110603551d20040a300830060604551d200030430603551d1f043c303a3038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c303406082b0601050507010104283026302406082b060105050730018618687474703a2f2f6f6373702e636f6d6f646f63612e636f6d300d06092a864886f70d01010c05000382010100188751dc74213d9c8ae027b733d02eccecf0e6cb5e11de226f9b758e9e72fee4d6feaa1f9c962def034a7eaef48d6f723c433bc03febb8df5caaa9c6aef2fcd8eea37b43f686367c14e0cdf4f73ffedeb8b48af09196fefd43647efdccd201a17d7df81919c9422b13bf588bbaa4a266047688914e0c8914cea24dc932b3bae8141abc71f15bf0410b98000a220310e50cb1f9cd923719ed3bf1e43ab6f945132675afbbaaef3f7b773bd2c402913d1900d3175c39db3f7b180d45cd9385962f5ddf59164f3f51bdd545183fed4a8ee80661742316b50d50732744477f105d892a6b853114c4e8a96a4c80bc6a78cfb87f8e7672990c9dfed7910816a1a35f95	signtool.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
468	chrome.exe
1556	chrome.exe
1556	chrome.exe
1556	chrome.exe
1556	chrome.exe
2140	chrome.exe
2616	chrome.exe
3012	chrome.exe
1528	KMSAuto++.exe
1528	KMSAuto++.exe
1528	KMSAuto++.exe
1528	KMSAuto++.exe
1528	KMSAuto++.exe
1528	KMSAuto++.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: 33	1088	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1088	AUDIODG.EXE
Token: 33	1088	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1088	AUDIODG.EXE
Token: SeRestorePrivilege	2496	7zG.exe
Token: 35	2496	7zG.exe
Token: SeSecurityPrivilege	2496	7zG.exe
Token: SeSecurityPrivilege	2496	7zG.exe
Token: SeIncreaseQuotaPrivilege	2664	wmic.exe
Token: SeSecurityPrivilege	2664	wmic.exe
Token: SeTakeOwnershipPrivilege	2664	wmic.exe
Token: SeLoadDriverPrivilege	2664	wmic.exe
Token: SeSystemProfilePrivilege	2664	wmic.exe
Token: SeSystemtimePrivilege	2664	wmic.exe
Token: SeProfSingleProcessPrivilege	2664	wmic.exe
Token: SeIncBasePriorityPrivilege	2664	wmic.exe
Token: SeCreatePagefilePrivilege	2664	wmic.exe
Token: SeBackupPrivilege	2664	wmic.exe
Token: SeRestorePrivilege	2664	wmic.exe
Token: SeShutdownPrivilege	2664	wmic.exe
Token: SeDebugPrivilege	2664	wmic.exe
Token: SeSystemEnvironmentPrivilege	2664	wmic.exe
Token: SeRemoteShutdownPrivilege	2664	wmic.exe
Token: SeUndockPrivilege	2664	wmic.exe
Token: SeManageVolumePrivilege	2664	wmic.exe
Token: 33	2664	wmic.exe
Token: 34	2664	wmic.exe
Token: 35	2664	wmic.exe
Token: SeIncreaseQuotaPrivilege	2664	wmic.exe
Token: SeSecurityPrivilege	2664	wmic.exe
Token: SeTakeOwnershipPrivilege	2664	wmic.exe
Token: SeLoadDriverPrivilege	2664	wmic.exe
Token: SeSystemProfilePrivilege	2664	wmic.exe
Token: SeSystemtimePrivilege	2664	wmic.exe
Token: SeProfSingleProcessPrivilege	2664	wmic.exe
Token: SeIncBasePriorityPrivilege	2664	wmic.exe
Token: SeCreatePagefilePrivilege	2664	wmic.exe
Token: SeBackupPrivilege	2664	wmic.exe
Token: SeRestorePrivilege	2664	wmic.exe
Token: SeShutdownPrivilege	2664	wmic.exe
Token: SeDebugPrivilege	2664	wmic.exe
Token: SeSystemEnvironmentPrivilege	2664	wmic.exe
Token: SeRemoteShutdownPrivilege	2664	wmic.exe
Token: SeUndockPrivilege	2664	wmic.exe
Token: SeManageVolumePrivilege	2664	wmic.exe
Token: 33	2664	wmic.exe
Token: 34	2664	wmic.exe
Token: 35	2664	wmic.exe
Token: SeIncreaseQuotaPrivilege	2884	wmic.exe
Token: SeSecurityPrivilege	2884	wmic.exe
Token: SeTakeOwnershipPrivilege	2884	wmic.exe
Token: SeLoadDriverPrivilege	2884	wmic.exe
Token: SeSystemProfilePrivilege	2884	wmic.exe
Token: SeSystemtimePrivilege	2884	wmic.exe
Token: SeProfSingleProcessPrivilege	2884	wmic.exe
Token: SeIncBasePriorityPrivilege	2884	wmic.exe
Token: SeCreatePagefilePrivilege	2884	wmic.exe
Token: SeBackupPrivilege	2884	wmic.exe
Token: SeRestorePrivilege	2884	wmic.exe
Token: SeShutdownPrivilege	2884	wmic.exe
Token: SeDebugPrivilege	2884	wmic.exe
Token: SeSystemEnvironmentPrivilege	2884	wmic.exe
Token: SeRemoteShutdownPrivilege	2884	wmic.exe
Token: SeUndockPrivilege	2884	wmic.exe

Suspicious use of FindShellTrayWindow 56 IoCs

pid	Process
1556	chrome.exe
1556	chrome.exe
1556	chrome.exe
1556	chrome.exe
1556	chrome.exe
1556	chrome.exe
1556	chrome.exe
1556	chrome.exe
1556	chrome.exe
1556	chrome.exe
1556	chrome.exe
1556	chrome.exe
1556	chrome.exe
1556	chrome.exe
1556	chrome.exe
1556	chrome.exe
1556	chrome.exe
1556	chrome.exe
1556	chrome.exe
1556	chrome.exe
1556	chrome.exe
1556	chrome.exe
1556	chrome.exe
1556	chrome.exe
1556	chrome.exe
1556	chrome.exe
1556	chrome.exe
1556	chrome.exe
1556	chrome.exe
1556	chrome.exe
1556	chrome.exe
1556	chrome.exe
1556	chrome.exe
1556	chrome.exe
1556	chrome.exe
1556	chrome.exe
1556	chrome.exe
1556	chrome.exe
1556	chrome.exe
1556	chrome.exe
1556	chrome.exe
1556	chrome.exe
1556	chrome.exe
1556	chrome.exe
1556	chrome.exe
1556	chrome.exe
1556	chrome.exe
1556	chrome.exe
1556	chrome.exe
1556	chrome.exe
1556	chrome.exe
2496	7zG.exe
1528	KMSAuto++.exe
1528	KMSAuto++.exe
1528	KMSAuto++.exe
1528	KMSAuto++.exe

Suspicious use of SendNotifyMessage 40 IoCs

pid	Process
1556	chrome.exe
1556	chrome.exe
1556	chrome.exe
1556	chrome.exe
1556	chrome.exe
1556	chrome.exe
1556	chrome.exe
1556	chrome.exe
1556	chrome.exe
1556	chrome.exe
1556	chrome.exe
1556	chrome.exe
1556	chrome.exe
1556	chrome.exe
1556	chrome.exe
1556	chrome.exe
1556	chrome.exe
1556	chrome.exe
1556	chrome.exe
1556	chrome.exe
1556	chrome.exe
1556	chrome.exe
1556	chrome.exe
1556	chrome.exe
1556	chrome.exe
1556	chrome.exe
1556	chrome.exe
1556	chrome.exe
1556	chrome.exe
1556	chrome.exe
1556	chrome.exe
1556	chrome.exe
1556	chrome.exe
1556	chrome.exe
1556	chrome.exe
1556	chrome.exe
1556	chrome.exe
1556	chrome.exe
1556	chrome.exe
1556	chrome.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
1528	KMSAuto++.exe
1528	KMSAuto++.exe
1528	KMSAuto++.exe
1528	KMSAuto++.exe
1528	KMSAuto++.exe
1528	KMSAuto++.exe
1528	KMSAuto++.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1556 wrote to memory of 1728	1556	chrome.exe	27
PID 1556 wrote to memory of 1728	1556	chrome.exe	27
PID 1556 wrote to memory of 1728	1556	chrome.exe	27
PID 1556 wrote to memory of 2032	1556	chrome.exe	28
PID 1556 wrote to memory of 2032	1556	chrome.exe	28
PID 1556 wrote to memory of 2032	1556	chrome.exe	28
PID 1556 wrote to memory of 2032	1556	chrome.exe	28
PID 1556 wrote to memory of 2032	1556	chrome.exe	28
PID 1556 wrote to memory of 2032	1556	chrome.exe	28
PID 1556 wrote to memory of 2032	1556	chrome.exe	28
PID 1556 wrote to memory of 2032	1556	chrome.exe	28
PID 1556 wrote to memory of 2032	1556	chrome.exe	28
PID 1556 wrote to memory of 2032	1556	chrome.exe	28
PID 1556 wrote to memory of 2032	1556	chrome.exe	28
PID 1556 wrote to memory of 2032	1556	chrome.exe	28
PID 1556 wrote to memory of 2032	1556	chrome.exe	28
PID 1556 wrote to memory of 2032	1556	chrome.exe	28
PID 1556 wrote to memory of 2032	1556	chrome.exe	28
PID 1556 wrote to memory of 2032	1556	chrome.exe	28
PID 1556 wrote to memory of 2032	1556	chrome.exe	28
PID 1556 wrote to memory of 2032	1556	chrome.exe	28
PID 1556 wrote to memory of 2032	1556	chrome.exe	28
PID 1556 wrote to memory of 2032	1556	chrome.exe	28
PID 1556 wrote to memory of 2032	1556	chrome.exe	28
PID 1556 wrote to memory of 2032	1556	chrome.exe	28
PID 1556 wrote to memory of 2032	1556	chrome.exe	28
PID 1556 wrote to memory of 2032	1556	chrome.exe	28
PID 1556 wrote to memory of 2032	1556	chrome.exe	28
PID 1556 wrote to memory of 2032	1556	chrome.exe	28
PID 1556 wrote to memory of 2032	1556	chrome.exe	28
PID 1556 wrote to memory of 2032	1556	chrome.exe	28
PID 1556 wrote to memory of 2032	1556	chrome.exe	28
PID 1556 wrote to memory of 2032	1556	chrome.exe	28
PID 1556 wrote to memory of 2032	1556	chrome.exe	28
PID 1556 wrote to memory of 2032	1556	chrome.exe	28
PID 1556 wrote to memory of 2032	1556	chrome.exe	28
PID 1556 wrote to memory of 2032	1556	chrome.exe	28
PID 1556 wrote to memory of 2032	1556	chrome.exe	28
PID 1556 wrote to memory of 2032	1556	chrome.exe	28
PID 1556 wrote to memory of 2032	1556	chrome.exe	28
PID 1556 wrote to memory of 2032	1556	chrome.exe	28
PID 1556 wrote to memory of 2032	1556	chrome.exe	28
PID 1556 wrote to memory of 2032	1556	chrome.exe	28
PID 1556 wrote to memory of 2032	1556	chrome.exe	28
PID 1556 wrote to memory of 468	1556	chrome.exe	29
PID 1556 wrote to memory of 468	1556	chrome.exe	29
PID 1556 wrote to memory of 468	1556	chrome.exe	29
PID 1556 wrote to memory of 524	1556	chrome.exe	30
PID 1556 wrote to memory of 524	1556	chrome.exe	30
PID 1556 wrote to memory of 524	1556	chrome.exe	30
PID 1556 wrote to memory of 524	1556	chrome.exe	30
PID 1556 wrote to memory of 524	1556	chrome.exe	30
PID 1556 wrote to memory of 524	1556	chrome.exe	30
PID 1556 wrote to memory of 524	1556	chrome.exe	30
PID 1556 wrote to memory of 524	1556	chrome.exe	30
PID 1556 wrote to memory of 524	1556	chrome.exe	30
PID 1556 wrote to memory of 524	1556	chrome.exe	30
PID 1556 wrote to memory of 524	1556	chrome.exe	30
PID 1556 wrote to memory of 524	1556	chrome.exe	30
PID 1556 wrote to memory of 524	1556	chrome.exe	30
PID 1556 wrote to memory of 524	1556	chrome.exe	30
PID 1556 wrote to memory of 524	1556	chrome.exe	30
PID 1556 wrote to memory of 524	1556	chrome.exe	30
PID 1556 wrote to memory of 524	1556	chrome.exe	30

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" https://mega.nz/file/QzpA0YST#JeDPGBmNphunJg6cW3nMZe6DQgtorQm1SP5Ev98rX3o
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1556
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef73f4f50,0x7fef73f4f60,0x7fef73f4f70
  2⤵
  PID:1728
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1032,8334781470061792870,6832889572142663226,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1028 /prefetch:2
  2⤵
  PID:2032
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1032,8334781470061792870,6832889572142663226,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1356 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:468
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1032,8334781470061792870,6832889572142663226,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1772 /prefetch:8
  2⤵
  PID:524
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1032,8334781470061792870,6832889572142663226,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2012 /prefetch:1
  2⤵
  PID:1320
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1032,8334781470061792870,6832889572142663226,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2004 /prefetch:1
  2⤵
  PID:1344
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1032,8334781470061792870,6832889572142663226,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3268 /prefetch:8
  2⤵
  PID:1648
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1032,8334781470061792870,6832889572142663226,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --use-gl=swiftshader-webgl --mojo-platform-channel-handle=3336 /prefetch:2
  2⤵
  PID:948
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1032,8334781470061792870,6832889572142663226,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3636 /prefetch:8
  2⤵
  PID:2004
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1032,8334781470061792870,6832889572142663226,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=3680 /prefetch:8
  2⤵
  PID:792
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.FileUtilService --field-trial-handle=1032,8334781470061792870,6832889572142663226,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3004 /prefetch:8
  2⤵
  PID:2096
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1032,8334781470061792870,6832889572142663226,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3952 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2140
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1032,8334781470061792870,6832889572142663226,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4084 /prefetch:8
  2⤵
  PID:2464
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1032,8334781470061792870,6832889572142663226,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3972 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2616
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1032,8334781470061792870,6832889572142663226,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3968 /prefetch:8
  2⤵
  PID:2628
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1032,8334781470061792870,6832889572142663226,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4100 /prefetch:8
  2⤵
  PID:2636
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1032,8334781470061792870,6832889572142663226,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2900 /prefetch:8
  2⤵
  PID:2732
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1032,8334781470061792870,6832889572142663226,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3004 /prefetch:8
  2⤵
  PID:2780
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1032,8334781470061792870,6832889572142663226,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3952 /prefetch:1
  2⤵
  PID:2932
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1032,8334781470061792870,6832889572142663226,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4200 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3012
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1032,8334781470061792870,6832889572142663226,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4252 /prefetch:1
  2⤵
  PID:1140
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1032,8334781470061792870,6832889572142663226,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1980 /prefetch:8
  2⤵
  PID:2472
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1032,8334781470061792870,6832889572142663226,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4256 /prefetch:8
  2⤵
  PID:3012

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x5a4
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1088

C:\Program Files\Google\Chrome\Application\89.0.4389.114\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\89.0.4389.114\elevation_service.exe"
1⤵
- Drops file in Program Files directory
PID:2792
- C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir2792_213705561\ChromeRecovery.exe
  "C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir2792_213705561\ChromeRecovery.exe" --appguid={8A69D345-D564-463c-AFF1-A69D9E530F96} --browser-version=89.0.4389.114 --sessionid={dc0ff2d9-ca7b-482b-a598-b033839f022d} --system
  2⤵
  - Executes dropped EXE
  PID:2864

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\KMSAuto++ 1.6.4 Portable Multilingual\" -spe -an -ai#7zMap30585:136:7zEvent2204
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2496

C:\Users\Admin\Downloads\KMSAuto++ 1.6.4 Portable Multilingual\KMSAuto++.exe
"C:\Users\Admin\Downloads\KMSAuto++ 1.6.4 Portable Multilingual\KMSAuto++.exe"
1⤵
- Executes dropped EXE
- Sets service image path in registry
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:1528
- C:\Windows\system32\cmd.exe
  "C:\Windows\Sysnative\cmd.exe" /c copy C:\Windows\system32\Tasks\KMSAuto "C:\Users\Admin\AppData\Local\Temp\KMSAuto.tmp" /Y
  2⤵
  PID:2544
- C:\Users\Admin\AppData\Local\Temp\signtool.exe
  "C:\Users\Admin\AppData\Local\Temp\signtool.exe" verify /v /ph /sha1 648384a4dee53d4c1c87e10d67cc99307ccc9c98 "C:\Users\Admin\Downloads\KMSAuto++ 1.6.4 Portable Multilingual\KMSAuto++.exe"
  2⤵
  - Executes dropped EXE
  - Modifies system certificate store
  PID:2280
- C:\Windows\SysWOW64\Wbem\wmic.exe
  "wmic.exe" path Win32_NetworkAdapter get ServiceName /value /FORMAT:List
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2664
- C:\Windows\SysWOW64\Wbem\wmic.exe
  "wmic.exe" path SoftwareLicensingProduct where (Name LIKE 'Windows%%') get Name, Description, ID, PartialProductKey, LicenseStatus, KeyManagementServiceMachine, KeyManagementServicePort, VLRenewalInterval, GracePeriodRemaining, KeyManagementServicePort, KeyManagementServiceProductKeyID /FORMAT:List
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2884
- C:\Windows\SysWOW64\Wbem\wmic.exe
  "wmic.exe" path SoftwareLicensingService get Version /value /FORMAT:List
  2⤵
  PID:2204
- C:\Windows\system32\cmd.exe
  "C:\Windows\Sysnative\cmd.exe" /c Netsh.exe Advfirewall Firewall delete rule name=0pen_Port_KMS protocol=TCP
  2⤵
  PID:2740
- - C:\Windows\system32\netsh.exe
    Netsh.exe Advfirewall Firewall delete rule name=0pen_Port_KMS protocol=TCP
    3⤵
    - Modifies Windows Firewall
    PID:2688
- C:\Windows\system32\cmd.exe
  "C:\Windows\Sysnative\cmd.exe" /c Netsh.exe Advfirewall Firewall add rule name=0pen_Port_KMS dir=in action=allow protocol=TCP localport=1688
  2⤵
  PID:2616
- - C:\Windows\system32\netsh.exe
    Netsh.exe Advfirewall Firewall add rule name=0pen_Port_KMS dir=in action=allow protocol=TCP localport=1688
    3⤵
    - Modifies Windows Firewall
    PID:3032
- C:\Windows\system32\cmd.exe
  "C:\Windows\Sysnative\cmd.exe" /c Netsh.exe Advfirewall Firewall delete rule name=0pen_Port_KMS2 protocol=TCP
  2⤵
  PID:2604
- - C:\Windows\system32\netsh.exe
    Netsh.exe Advfirewall Firewall delete rule name=0pen_Port_KMS2 protocol=TCP
    3⤵
    - Modifies Windows Firewall
    PID:2820
- C:\Windows\system32\cmd.exe
  "C:\Windows\Sysnative\cmd.exe" /c Netsh.exe Advfirewall Firewall add rule name=0pen_Port_KMS2 dir=out action=allow protocol=TCP localport=1688
  2⤵
  PID:1644
- - C:\Windows\system32\netsh.exe
    Netsh.exe Advfirewall Firewall add rule name=0pen_Port_KMS2 dir=out action=allow protocol=TCP localport=1688
    3⤵
    - Modifies Windows Firewall
    PID:2020
- C:\Windows\system32\cmd.exe
  "C:\Windows\Sysnative\cmd.exe" /c sc.exe create KMSEmulator binpath= temp.exe type= own start= auto
  2⤵
  PID:1948
- - C:\Windows\system32\sc.exe
    sc.exe create KMSEmulator binpath= temp.exe type= own start= auto
    3⤵
    - Launches sc.exe
    PID:2928
- C:\Windows\system32\cmd.exe
  "C:\Windows\Sysnative\cmd.exe" /c sc.exe start KMSEmulator
  2⤵
  PID:2084
- - C:\Windows\system32\sc.exe
    sc.exe start KMSEmulator
    3⤵
    - Launches sc.exe
    PID:996
- C:\Windows\system32\cmd.exe
  "C:\Windows\Sysnative\cmd.exe" /c reg.exe add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /f /v KeyManagementServiceName /d 127.0.0.2 /t REG_SZ /reg:32
  2⤵
  PID:2480
- - C:\Windows\System32\reg.exe
    reg.exe add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /f /v KeyManagementServiceName /d 127.0.0.2 /t REG_SZ /reg:32
    3⤵
    PID:1944
- C:\Windows\system32\cmd.exe
  "C:\Windows\Sysnative\cmd.exe" /c reg.exe add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /f /v KeyManagementServicePort /d 1688 /t REG_SZ /reg:32
  2⤵
  PID:2024
- - C:\Windows\System32\reg.exe
    reg.exe add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /f /v KeyManagementServicePort /d 1688 /t REG_SZ /reg:32
    3⤵
    PID:2500
- C:\Windows\system32\cmd.exe
  "C:\Windows\Sysnative\cmd.exe" /c reg.exe add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /f /v KeyManagementServiceName /d 127.0.0.2 /t REG_SZ /reg:64
  2⤵
  PID:884
- - C:\Windows\System32\reg.exe
    reg.exe add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /f /v KeyManagementServiceName /d 127.0.0.2 /t REG_SZ /reg:64
    3⤵
    PID:2168
- C:\Windows\system32\cmd.exe
  "C:\Windows\Sysnative\cmd.exe" /c reg.exe add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /f /v KeyManagementServicePort /d 1688 /t REG_SZ /reg:64
  2⤵
  PID:2344
- - C:\Windows\System32\reg.exe
    reg.exe add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /f /v KeyManagementServicePort /d 1688 /t REG_SZ /reg:64
    3⤵
    PID:2648
- C:\Windows\system32\cmd.exe
  "C:\Windows\Sysnative\cmd.exe" /c reg.exe add "HKEY_LOCAL_MACHINE\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /f /v KeyManagementServiceName /d 127.0.0.2 /t REG_SZ /reg:32
  2⤵
  PID:2164
- - C:\Windows\System32\reg.exe
    reg.exe add "HKEY_LOCAL_MACHINE\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /f /v KeyManagementServiceName /d 127.0.0.2 /t REG_SZ /reg:32
    3⤵
    PID:2308
- C:\Windows\system32\cmd.exe
  "C:\Windows\Sysnative\cmd.exe" /c reg.exe add "HKEY_LOCAL_MACHINE\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /f /v KeyManagementServicePort /d 1688 /t REG_SZ /reg:32
  2⤵
  PID:1104
- - C:\Windows\System32\reg.exe
    reg.exe add "HKEY_LOCAL_MACHINE\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /f /v KeyManagementServicePort /d 1688 /t REG_SZ /reg:32
    3⤵
    PID:1176
- C:\Windows\system32\cmd.exe
  "C:\Windows\Sysnative\cmd.exe" /c reg.exe add "HKEY_LOCAL_MACHINE\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /f /v KeyManagementServiceName /d 127.0.0.2 /t REG_SZ /reg:64
  2⤵
  PID:2072
- - C:\Windows\System32\reg.exe
    reg.exe add "HKEY_LOCAL_MACHINE\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /f /v KeyManagementServiceName /d 127.0.0.2 /t REG_SZ /reg:64
    3⤵
    PID:2672
- C:\Windows\system32\cmd.exe
  "C:\Windows\Sysnative\cmd.exe" /c reg.exe add "HKEY_LOCAL_MACHINE\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /f /v KeyManagementServicePort /d 1688 /t REG_SZ /reg:64
  2⤵
  PID:2708
- - C:\Windows\System32\reg.exe
    reg.exe add "HKEY_LOCAL_MACHINE\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /f /v KeyManagementServicePort /d 1688 /t REG_SZ /reg:64
    3⤵
    PID:2720
- C:\Windows\system32\cmd.exe
  "C:\Windows\Sysnative\cmd.exe" /c cscript //nologo "C:\Users\Admin\AppData\Local\Temp\slmgr.vbs" /skms 127.0.0.2:1688
  2⤵
  PID:788
- - C:\Windows\system32\cscript.exe
    cscript //nologo "C:\Users\Admin\AppData\Local\Temp\slmgr.vbs" /skms 127.0.0.2:1688
    3⤵
    PID:2844
- C:\Windows\SysWOW64\Wbem\wmic.exe
  "wmic.exe" path SoftwareLicensingProduct where (Name LIKE 'Windows%%' And PartialProductKey is Not NULL) get Name, Description, ID, PartialProductKey /FORMAT:List
  2⤵
  PID:2240
- C:\Windows\system32\cmd.exe
  "C:\Windows\Sysnative\cmd.exe" /c cscript //nologo "C:\Users\Admin\AppData\Local\Temp\slmgr.vbs" /ato
  2⤵
  PID:2696
- - C:\Windows\system32\cscript.exe
    cscript //nologo "C:\Users\Admin\AppData\Local\Temp\slmgr.vbs" /ato
    3⤵
    PID:2504
- C:\Windows\system32\slui.exe
  "C:\Windows\Sysnative\slui.exe" 0x2a 0xC004C003
  2⤵
  PID:2800
- C:\Windows\system32\cmd.exe
  "C:\Windows\Sysnative\cmd.exe" /c sc.exe stop KMSEmulator
  2⤵
  PID:2984
- - C:\Windows\system32\sc.exe
    sc.exe stop KMSEmulator
    3⤵
    - Launches sc.exe
    PID:1640
- C:\Windows\system32\cmd.exe
  "C:\Windows\Sysnative\cmd.exe" /c sc.exe delete KMSEmulator
  2⤵
  PID:1712
- - C:\Windows\system32\sc.exe
    sc.exe delete KMSEmulator
    3⤵
    - Launches sc.exe
    PID:2580
- C:\Windows\system32\cmd.exe
  "C:\Windows\Sysnative\cmd.exe" /c Netsh.exe Advfirewall Firewall delete rule name=0pen_Port_KMS protocol=TCP
  2⤵
  PID:2444
- - C:\Windows\system32\netsh.exe
    Netsh.exe Advfirewall Firewall delete rule name=0pen_Port_KMS protocol=TCP
    3⤵
    - Modifies Windows Firewall
    PID:756
- C:\Windows\system32\cmd.exe
  "C:\Windows\Sysnative\cmd.exe" /c Netsh.exe Advfirewall Firewall delete rule name=0pen_Port_KMS2 protocol=TCP
  2⤵
  PID:1928
- - C:\Windows\system32\netsh.exe
    Netsh.exe Advfirewall Firewall delete rule name=0pen_Port_KMS2 protocol=TCP
    3⤵
    - Modifies Windows Firewall
    PID:2060
- C:\Windows\system32\cmd.exe
  "C:\Windows\Sysnative\cmd.exe" /c Netsh.exe Advfirewall Firewall delete rule name=0pen_Port_KMS protocol=TCP
  2⤵
  PID:2572
- - C:\Windows\system32\netsh.exe
    Netsh.exe Advfirewall Firewall delete rule name=0pen_Port_KMS protocol=TCP
    3⤵
    - Modifies Windows Firewall
    PID:2120
- C:\Windows\system32\cmd.exe
  "C:\Windows\Sysnative\cmd.exe" /c Netsh.exe Advfirewall Firewall add rule name=0pen_Port_KMS dir=in action=allow protocol=TCP localport=1688
  2⤵
  PID:2104
- - C:\Windows\system32\netsh.exe
    Netsh.exe Advfirewall Firewall add rule name=0pen_Port_KMS dir=in action=allow protocol=TCP localport=1688
    3⤵
    - Modifies Windows Firewall
    PID:2180
- C:\Windows\system32\cmd.exe
  "C:\Windows\Sysnative\cmd.exe" /c Netsh.exe Advfirewall Firewall delete rule name=0pen_Port_KMS2 protocol=TCP
  2⤵
  PID:2316
- - C:\Windows\system32\netsh.exe
    Netsh.exe Advfirewall Firewall delete rule name=0pen_Port_KMS2 protocol=TCP
    3⤵
    - Modifies Windows Firewall
    PID:2320
- C:\Windows\system32\cmd.exe
  "C:\Windows\Sysnative\cmd.exe" /c Netsh.exe Advfirewall Firewall add rule name=0pen_Port_KMS2 dir=out action=allow protocol=TCP localport=1688
  2⤵
  PID:2636
- - C:\Windows\system32\netsh.exe
    Netsh.exe Advfirewall Firewall add rule name=0pen_Port_KMS2 dir=out action=allow protocol=TCP localport=1688
    3⤵
    - Modifies Windows Firewall
    PID:2924
- C:\Windows\system32\cmd.exe
  "C:\Windows\Sysnative\cmd.exe" /c sc.exe create KMSEmulator binpath= temp.exe type= own start= auto
  2⤵
  PID:2856
- - C:\Windows\system32\sc.exe
    sc.exe create KMSEmulator binpath= temp.exe type= own start= auto
    3⤵
    - Launches sc.exe
    PID:2624
- C:\Windows\system32\cmd.exe
  "C:\Windows\Sysnative\cmd.exe" /c sc.exe start KMSEmulator
  2⤵
  PID:2692
- - C:\Windows\system32\sc.exe
    sc.exe start KMSEmulator
    3⤵
    - Launches sc.exe
    PID:2224
- C:\Windows\system32\cmd.exe
  "C:\Windows\Sysnative\cmd.exe" /c reg.exe add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /f /v KeyManagementServiceName /d 127.0.0.2 /t REG_SZ /reg:32
  2⤵
  PID:2008
- - C:\Windows\System32\reg.exe
    reg.exe add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /f /v KeyManagementServiceName /d 127.0.0.2 /t REG_SZ /reg:32
    3⤵
    PID:3040
- C:\Windows\system32\cmd.exe
  "C:\Windows\Sysnative\cmd.exe" /c reg.exe add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /f /v KeyManagementServicePort /d 1688 /t REG_SZ /reg:32
  2⤵
  PID:1564
- - C:\Windows\System32\reg.exe
    reg.exe add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /f /v KeyManagementServicePort /d 1688 /t REG_SZ /reg:32
    3⤵
    PID:2504
- C:\Windows\system32\cmd.exe
  "C:\Windows\Sysnative\cmd.exe" /c reg.exe add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /f /v KeyManagementServiceName /d 127.0.0.2 /t REG_SZ /reg:64
  2⤵
  PID:2408
- - C:\Windows\System32\reg.exe
    reg.exe add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /f /v KeyManagementServiceName /d 127.0.0.2 /t REG_SZ /reg:64
    3⤵
    PID:1596
- C:\Windows\system32\cmd.exe
  "C:\Windows\Sysnative\cmd.exe" /c reg.exe add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /f /v KeyManagementServicePort /d 1688 /t REG_SZ /reg:64
  2⤵
  PID:1752
- - C:\Windows\System32\reg.exe
    reg.exe add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /f /v KeyManagementServicePort /d 1688 /t REG_SZ /reg:64
    3⤵
    PID:2604
- C:\Windows\system32\cmd.exe
  "C:\Windows\Sysnative\cmd.exe" /c reg.exe add "HKEY_LOCAL_MACHINE\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /f /v KeyManagementServiceName /d 127.0.0.2 /t REG_SZ /reg:32
  2⤵
  PID:1708
- - C:\Windows\System32\reg.exe
    reg.exe add "HKEY_LOCAL_MACHINE\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /f /v KeyManagementServiceName /d 127.0.0.2 /t REG_SZ /reg:32
    3⤵
    PID:108
- C:\Windows\system32\cmd.exe
  "C:\Windows\Sysnative\cmd.exe" /c reg.exe add "HKEY_LOCAL_MACHINE\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /f /v KeyManagementServicePort /d 1688 /t REG_SZ /reg:32
  2⤵
  PID:3028
- - C:\Windows\System32\reg.exe
    reg.exe add "HKEY_LOCAL_MACHINE\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /f /v KeyManagementServicePort /d 1688 /t REG_SZ /reg:32
    3⤵
    PID:2808
- C:\Windows\system32\cmd.exe
  "C:\Windows\Sysnative\cmd.exe" /c reg.exe add "HKEY_LOCAL_MACHINE\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /f /v KeyManagementServiceName /d 127.0.0.2 /t REG_SZ /reg:64
  2⤵
  PID:2508
- - C:\Windows\System32\reg.exe
    reg.exe add "HKEY_LOCAL_MACHINE\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /f /v KeyManagementServiceName /d 127.0.0.2 /t REG_SZ /reg:64
    3⤵
    PID:2260
- C:\Windows\system32\cmd.exe
  "C:\Windows\Sysnative\cmd.exe" /c reg.exe add "HKEY_LOCAL_MACHINE\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /f /v KeyManagementServicePort /d 1688 /t REG_SZ /reg:64
  2⤵
  PID:2136
- - C:\Windows\System32\reg.exe
    reg.exe add "HKEY_LOCAL_MACHINE\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /f /v KeyManagementServicePort /d 1688 /t REG_SZ /reg:64
    3⤵
    PID:2772
- C:\Windows\system32\cmd.exe
  "C:\Windows\Sysnative\cmd.exe" /c cscript //nologo "C:\Users\Admin\AppData\Local\Temp\slmgr.vbs" /skms 127.0.0.2:1688
  2⤵
  PID:2928
- - C:\Windows\system32\cscript.exe
    cscript //nologo "C:\Users\Admin\AppData\Local\Temp\slmgr.vbs" /skms 127.0.0.2:1688
    3⤵
    PID:556
- C:\Windows\SysWOW64\Wbem\wmic.exe
  "wmic.exe" path SoftwareLicensingProduct where (Name LIKE 'Windows%%' And PartialProductKey is Not NULL) get Name, Description, ID, PartialProductKey /FORMAT:List
  2⤵
  PID:2468
- C:\Windows\system32\cmd.exe
  "C:\Windows\Sysnative\cmd.exe" /c cscript //nologo "C:\Users\Admin\AppData\Local\Temp\slmgr.vbs" /ato
  2⤵
  PID:2388
- - C:\Windows\system32\cscript.exe
    cscript //nologo "C:\Users\Admin\AppData\Local\Temp\slmgr.vbs" /ato
    3⤵
    PID:1692
- C:\Windows\system32\slui.exe
  "C:\Windows\Sysnative\slui.exe" 0x2a 0xC004C003
  2⤵
  PID:2192
- C:\Windows\system32\cmd.exe
  "C:\Windows\Sysnative\cmd.exe" /c sc.exe stop KMSEmulator
  2⤵
  PID:2608
- - C:\Windows\system32\sc.exe
    sc.exe stop KMSEmulator
    3⤵
    - Launches sc.exe
    PID:2872
- C:\Windows\system32\cmd.exe
  "C:\Windows\Sysnative\cmd.exe" /c sc.exe delete KMSEmulator
  2⤵
  PID:2656
- - C:\Windows\system32\sc.exe
    sc.exe delete KMSEmulator
    3⤵
    - Launches sc.exe
    PID:2756
- C:\Windows\system32\cmd.exe
  "C:\Windows\Sysnative\cmd.exe" /c Netsh.exe Advfirewall Firewall delete rule name=0pen_Port_KMS protocol=TCP
  2⤵
  PID:2708
- - C:\Windows\system32\netsh.exe
    Netsh.exe Advfirewall Firewall delete rule name=0pen_Port_KMS protocol=TCP
    3⤵
    - Modifies Windows Firewall
    PID:2792
- C:\Windows\system32\cmd.exe
  "C:\Windows\Sysnative\cmd.exe" /c Netsh.exe Advfirewall Firewall delete rule name=0pen_Port_KMS2 protocol=TCP
  2⤵
  PID:2336
- - C:\Windows\system32\netsh.exe
    Netsh.exe Advfirewall Firewall delete rule name=0pen_Port_KMS2 protocol=TCP
    3⤵
    - Modifies Windows Firewall
    PID:2152
- C:\Windows\SysWOW64\Wbem\wmic.exe
  "wmic.exe" path Win32_NetworkAdapter get ServiceName /value /FORMAT:List
  2⤵
  PID:2912
- C:\Windows\system32\cmd.exe
  "C:\Windows\Sysnative\cmd.exe" /c Netsh.exe Advfirewall Firewall delete rule name=0pen_Port_KMS protocol=TCP
  2⤵
  PID:2064
- - C:\Windows\system32\netsh.exe
    Netsh.exe Advfirewall Firewall delete rule name=0pen_Port_KMS protocol=TCP
    3⤵
    - Modifies Windows Firewall
    PID:3012
- C:\Windows\system32\cmd.exe
  "C:\Windows\Sysnative\cmd.exe" /c Netsh.exe Advfirewall Firewall add rule name=0pen_Port_KMS dir=in action=allow protocol=TCP localport=1688
  2⤵
  PID:2696
- - C:\Windows\system32\netsh.exe
    Netsh.exe Advfirewall Firewall add rule name=0pen_Port_KMS dir=in action=allow protocol=TCP localport=1688
    3⤵
    - Modifies Windows Firewall
    PID:1740
- C:\Windows\system32\cmd.exe
  "C:\Windows\Sysnative\cmd.exe" /c Netsh.exe Advfirewall Firewall delete rule name=0pen_Port_KMS2 protocol=TCP
  2⤵
  PID:1404
- - C:\Windows\system32\netsh.exe
    Netsh.exe Advfirewall Firewall delete rule name=0pen_Port_KMS2 protocol=TCP
    3⤵
    - Modifies Windows Firewall
    PID:1140
- C:\Windows\system32\cmd.exe
  "C:\Windows\Sysnative\cmd.exe" /c Netsh.exe Advfirewall Firewall add rule name=0pen_Port_KMS2 dir=out action=allow protocol=TCP localport=1688
  2⤵
  PID:1592
- - C:\Windows\system32\netsh.exe
    Netsh.exe Advfirewall Firewall add rule name=0pen_Port_KMS2 dir=out action=allow protocol=TCP localport=1688
    3⤵
    - Modifies Windows Firewall
    PID:3028
- C:\Windows\system32\cmd.exe
  "C:\Windows\Sysnative\cmd.exe" /c sc.exe create KMSEmulator binpath= temp.exe type= own start= auto
  2⤵
  PID:2508
- - C:\Windows\system32\sc.exe
    sc.exe create KMSEmulator binpath= temp.exe type= own start= auto
    3⤵
    - Launches sc.exe
    PID:2776
- C:\Windows\system32\cmd.exe
  "C:\Windows\Sysnative\cmd.exe" /c sc.exe start KMSEmulator
  2⤵
  PID:1336
- - C:\Windows\system32\sc.exe
    sc.exe start KMSEmulator
    3⤵
    - Launches sc.exe
    PID:1800
- C:\Windows\system32\cmd.exe
  "C:\Windows\Sysnative\cmd.exe" /c reg.exe add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /f /v KeyManagementServiceName /d 127.0.0.2 /t REG_SZ /reg:32
  2⤵
  PID:2444
- - C:\Windows\System32\reg.exe
    reg.exe add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /f /v KeyManagementServiceName /d 127.0.0.2 /t REG_SZ /reg:32
    3⤵
    PID:2424
- C:\Windows\system32\cmd.exe
  "C:\Windows\Sysnative\cmd.exe" /c reg.exe add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /f /v KeyManagementServicePort /d 1688 /t REG_SZ /reg:32
  2⤵
  PID:2500
- - C:\Windows\System32\reg.exe
    reg.exe add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /f /v KeyManagementServicePort /d 1688 /t REG_SZ /reg:32
    3⤵
    PID:2160
- C:\Windows\system32\cmd.exe
  "C:\Windows\Sysnative\cmd.exe" /c reg.exe add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /f /v KeyManagementServiceName /d 127.0.0.2 /t REG_SZ /reg:64
  2⤵
  PID:2344
- - C:\Windows\System32\reg.exe
    reg.exe add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /f /v KeyManagementServiceName /d 127.0.0.2 /t REG_SZ /reg:64
    3⤵
    PID:1092
- C:\Windows\system32\cmd.exe
  "C:\Windows\Sysnative\cmd.exe" /c reg.exe add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /f /v KeyManagementServicePort /d 1688 /t REG_SZ /reg:64
  2⤵
  PID:2544
- - C:\Windows\System32\reg.exe
    reg.exe add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /f /v KeyManagementServicePort /d 1688 /t REG_SZ /reg:64
    3⤵
    PID:2164
- C:\Windows\system32\cmd.exe
  "C:\Windows\Sysnative\cmd.exe" /c reg.exe add "HKEY_LOCAL_MACHINE\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /f /v KeyManagementServiceName /d 127.0.0.2 /t REG_SZ /reg:32
  2⤵
  PID:2536
- - C:\Windows\System32\reg.exe
    reg.exe add "HKEY_LOCAL_MACHINE\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /f /v KeyManagementServiceName /d 127.0.0.2 /t REG_SZ /reg:32
    3⤵
    PID:2156
- C:\Windows\system32\cmd.exe
  "C:\Windows\Sysnative\cmd.exe" /c reg.exe add "HKEY_LOCAL_MACHINE\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /f /v KeyManagementServicePort /d 1688 /t REG_SZ /reg:32
  2⤵
  PID:2632
- - C:\Windows\System32\reg.exe
    reg.exe add "HKEY_LOCAL_MACHINE\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /f /v KeyManagementServicePort /d 1688 /t REG_SZ /reg:32
    3⤵
    PID:2120
- C:\Windows\system32\cmd.exe
  "C:\Windows\Sysnative\cmd.exe" /c reg.exe add "HKEY_LOCAL_MACHINE\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /f /v KeyManagementServiceName /d 127.0.0.2 /t REG_SZ /reg:64
  2⤵
  PID:2108
- - C:\Windows\System32\reg.exe
    reg.exe add "HKEY_LOCAL_MACHINE\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /f /v KeyManagementServiceName /d 127.0.0.2 /t REG_SZ /reg:64
    3⤵
    PID:2676
- C:\Windows\system32\cmd.exe
  "C:\Windows\Sysnative\cmd.exe" /c reg.exe add "HKEY_LOCAL_MACHINE\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /f /v KeyManagementServicePort /d 1688 /t REG_SZ /reg:64
  2⤵
  PID:2380
- - C:\Windows\System32\reg.exe
    reg.exe add "HKEY_LOCAL_MACHINE\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /f /v KeyManagementServicePort /d 1688 /t REG_SZ /reg:64
    3⤵
    PID:2652
- C:\Windows\system32\cmd.exe
  "C:\Windows\Sysnative\cmd.exe" /c cscript //nologo "C:\Users\Admin\AppData\Local\Temp\slmgr.vbs" /skms 127.0.0.2:1688
  2⤵
  PID:2068
- - C:\Windows\system32\cscript.exe
    cscript //nologo "C:\Users\Admin\AppData\Local\Temp\slmgr.vbs" /skms 127.0.0.2:1688
    3⤵
    PID:2728
- C:\Windows\SysWOW64\Wbem\wmic.exe
  "wmic.exe" path SoftwareLicensingProduct where (Name LIKE 'Windows%%' And PartialProductKey is Not NULL) get Name, Description, ID, PartialProductKey /FORMAT:List
  2⤵
  PID:2840
- C:\Windows\system32\cmd.exe
  "C:\Windows\Sysnative\cmd.exe" /c cscript //nologo "C:\Users\Admin\AppData\Local\Temp\slmgr.vbs" /ato
  2⤵
  PID:2744
- - C:\Windows\system32\cscript.exe
    cscript //nologo "C:\Users\Admin\AppData\Local\Temp\slmgr.vbs" /ato
    3⤵
    PID:2924
- C:\Windows\system32\slui.exe
  "C:\Windows\Sysnative\slui.exe" 0x2a 0xC004C003
  2⤵
  PID:2912
- C:\Windows\system32\cmd.exe
  "C:\Windows\Sysnative\cmd.exe" /c sc.exe stop KMSEmulator
  2⤵
  PID:1976
- - C:\Windows\system32\sc.exe
    sc.exe stop KMSEmulator
    3⤵
    - Launches sc.exe
    PID:2512
- C:\Windows\system32\cmd.exe
  "C:\Windows\Sysnative\cmd.exe" /c sc.exe delete KMSEmulator
  2⤵
  PID:2696
- - C:\Windows\system32\sc.exe
    sc.exe delete KMSEmulator
    3⤵
    - Launches sc.exe
    PID:2908
- C:\Windows\system32\cmd.exe
  "C:\Windows\Sysnative\cmd.exe" /c Netsh.exe Advfirewall Firewall delete rule name=0pen_Port_KMS protocol=TCP
  2⤵
  PID:1568
- - C:\Windows\system32\netsh.exe
    Netsh.exe Advfirewall Firewall delete rule name=0pen_Port_KMS protocol=TCP
    3⤵
    - Modifies Windows Firewall
    PID:1404
- C:\Windows\system32\cmd.exe
  "C:\Windows\Sysnative\cmd.exe" /c Netsh.exe Advfirewall Firewall delete rule name=0pen_Port_KMS2 protocol=TCP
  2⤵
  PID:1704
- - C:\Windows\system32\netsh.exe
    Netsh.exe Advfirewall Firewall delete rule name=0pen_Port_KMS2 protocol=TCP
    3⤵
    - Modifies Windows Firewall
    PID:1592
- C:\Windows\system32\cmd.exe
  "C:\Windows\Sysnative\cmd.exe" /c reg.exe add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /f /v KeyManagementServiceName /d kms.03k.org /t REG_SZ /reg:32
  2⤵
  PID:2260
- - C:\Windows\System32\reg.exe
    reg.exe add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /f /v KeyManagementServiceName /d kms.03k.org /t REG_SZ /reg:32
    3⤵
    PID:2888
- C:\Windows\system32\cmd.exe
  "C:\Windows\Sysnative\cmd.exe" /c reg.exe add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /f /v KeyManagementServicePort /d 1688 /t REG_SZ /reg:32
  2⤵
  PID:556
- - C:\Windows\System32\reg.exe
    reg.exe add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /f /v KeyManagementServicePort /d 1688 /t REG_SZ /reg:32
    3⤵
    PID:2028
- C:\Windows\system32\cmd.exe
  "C:\Windows\Sysnative\cmd.exe" /c reg.exe add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /f /v KeyManagementServiceName /d kms.03k.org /t REG_SZ /reg:64
  2⤵
  PID:1800
- - C:\Windows\System32\reg.exe
    reg.exe add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /f /v KeyManagementServiceName /d kms.03k.org /t REG_SZ /reg:64
    3⤵
    PID:2420
- C:\Windows\system32\cmd.exe
  "C:\Windows\Sysnative\cmd.exe" /c reg.exe add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /f /v KeyManagementServicePort /d 1688 /t REG_SZ /reg:64
  2⤵
  PID:2432
- - C:\Windows\System32\reg.exe
    reg.exe add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /f /v KeyManagementServicePort /d 1688 /t REG_SZ /reg:64
    3⤵
    PID:2384
- C:\Windows\system32\cmd.exe
  "C:\Windows\Sysnative\cmd.exe" /c reg.exe add "HKEY_LOCAL_MACHINE\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /f /v KeyManagementServiceName /d kms.03k.org /t REG_SZ /reg:32
  2⤵
  PID:2428
- - C:\Windows\System32\reg.exe
    reg.exe add "HKEY_LOCAL_MACHINE\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /f /v KeyManagementServiceName /d kms.03k.org /t REG_SZ /reg:32
    3⤵
    PID:944
- C:\Windows\system32\cmd.exe
  "C:\Windows\Sysnative\cmd.exe" /c reg.exe add "HKEY_LOCAL_MACHINE\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /f /v KeyManagementServicePort /d 1688 /t REG_SZ /reg:32
  2⤵
  PID:1928
- - C:\Windows\System32\reg.exe
    reg.exe add "HKEY_LOCAL_MACHINE\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /f /v KeyManagementServicePort /d 1688 /t REG_SZ /reg:32
    3⤵
    PID:1692
- C:\Windows\system32\cmd.exe
  "C:\Windows\Sysnative\cmd.exe" /c reg.exe add "HKEY_LOCAL_MACHINE\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /f /v KeyManagementServiceName /d kms.03k.org /t REG_SZ /reg:64
  2⤵
  PID:2668
- - C:\Windows\System32\reg.exe
    reg.exe add "HKEY_LOCAL_MACHINE\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /f /v KeyManagementServiceName /d kms.03k.org /t REG_SZ /reg:64
    3⤵
    PID:2456
- C:\Windows\system32\cmd.exe
  "C:\Windows\Sysnative\cmd.exe" /c reg.exe add "HKEY_LOCAL_MACHINE\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /f /v KeyManagementServicePort /d 1688 /t REG_SZ /reg:64
  2⤵
  PID:2156
- - C:\Windows\System32\reg.exe
    reg.exe add "HKEY_LOCAL_MACHINE\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /f /v KeyManagementServicePort /d 1688 /t REG_SZ /reg:64
    3⤵
    PID:2308
- C:\Windows\system32\cmd.exe
  "C:\Windows\Sysnative\cmd.exe" /c cscript //nologo "C:\Users\Admin\AppData\Local\Temp\slmgr.vbs" /skms kms.03k.org:1688
  2⤵
  PID:2120
- - C:\Windows\system32\cscript.exe
    cscript //nologo "C:\Users\Admin\AppData\Local\Temp\slmgr.vbs" /skms kms.03k.org:1688
    3⤵
    PID:2716
- C:\Windows\SysWOW64\Wbem\wmic.exe
  "wmic.exe" path SoftwareLicensingProduct where (Name LIKE 'Windows%%' And PartialProductKey is Not NULL) get Name, Description, ID, PartialProductKey /FORMAT:List
  2⤵
  PID:2756
- C:\Windows\system32\cmd.exe
  "C:\Windows\Sysnative\cmd.exe" /c cscript //nologo "C:\Users\Admin\AppData\Local\Temp\slmgr.vbs" /ato
  2⤵
  PID:788
- - C:\Windows\system32\cscript.exe
    cscript //nologo "C:\Users\Admin\AppData\Local\Temp\slmgr.vbs" /ato
    3⤵
    PID:2792
- C:\Windows\system32\slui.exe
  "C:\Windows\Sysnative\slui.exe" 0x2a 0xC004C003
  2⤵
  PID:2516

C:\Users\Admin\Downloads\KMSAuto++ 1.6.4 Portable Multilingual\KMSAuto_Files\bin\KMSSS.exe
"C:\Users\Admin\Downloads\KMSAuto++ 1.6.4 Portable Multilingual\KMSAuto_Files\bin\KMSSS.exe" -Port 1688 -PWin RandomKMSPID -PO14 RandomKMSPID -PO15 RandomKMSPID -PO16 RandomKMSPID -AI 43200 -RI 43200 KillProcessOnPort -Log -IP
1⤵
- Executes dropped EXE
PID:2352

C:\Users\Admin\Downloads\KMSAuto++ 1.6.4 Portable Multilingual\KMSAuto_Files\bin\KMSSS.exe
"C:\Users\Admin\Downloads\KMSAuto++ 1.6.4 Portable Multilingual\KMSAuto_Files\bin\KMSSS.exe" -Port 1688 -PWin RandomKMSPID -PO14 RandomKMSPID -PO15 RandomKMSPID -PO16 RandomKMSPID -AI 43200 -RI 43200 KillProcessOnPort -Log -IP
1⤵
- Executes dropped EXE
PID:2240

C:\Users\Admin\Downloads\KMSAuto++ 1.6.4 Portable Multilingual\KMSAuto_Files\bin\KMSSS.exe
"C:\Users\Admin\Downloads\KMSAuto++ 1.6.4 Portable Multilingual\KMSAuto_Files\bin\KMSSS.exe" -Port 1688 -PWin RandomKMSPID -PO14 RandomKMSPID -PO15 RandomKMSPID -PO16 RandomKMSPID -AI 43200 -RI 43200 KillProcessOnPort -Log -IP
1⤵
- Executes dropped EXE
PID:2580

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

New Service

T1050

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

New Service

T1050

Defense Evasion

Impair Defenses

T1562

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir2792_213705561\ChromeRecovery.exe

Filesize
253KB

MD5
49ac3c96d270702a27b4895e4ce1f42a

SHA1
55b90405f1e1b72143c64113e8bc65608dd3fd76

SHA256
82aa3fd6a25cda9e16689cfadea175091be010cecae537e517f392e0bef5ba0f

SHA512
b62f6501cb4c992d42d9097e356805c88ac4ac5a46ead4a8eee9f8cbae197b2305da8aab5b4a61891fe73951588025f2d642c32524b360687993f98c913138a0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
60KB

MD5
d15aaa7c9be910a9898260767e2490e1

SHA1
2090c53f8d9fc3fbdbafd3a1e4dc25520eb74388

SHA256
f8ebaaf487cba0c81a17c8cd680bdd2dd8e90d2114ecc54844cffc0cc647848e

SHA512
7e1c1a683914b961b5cc2fe5e4ae288b60bab43bfaa21ce4972772aa0589615c19f57e672e1d93e50a7ed7b76fbd2f1b421089dcaed277120b93f8e91b18af94

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
ec4ea50bb1357a8522ca64fc56a00557

SHA1
17387cf0fe0715998386ac15ea20a8e7d9970363

SHA256
7ebcd692491c4423c5f6f5aded81c18027d365948339a8c5d183b5b2ad17e058

SHA512
48196c313841813fa36de54cfead36a45a81a971619a79edda65c379129783d03ccf90f0d35f941f09bbb32716ba33901d9e8032ee5b80ee719fc31cfecde39c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\RecoveryImproved\1.3.36.141\Recovery.crx3

Filesize
141KB

MD5
ea1c1ffd3ea54d1fb117bfdbb3569c60

SHA1
10958b0f690ae8f5240e1528b1ccffff28a33272

SHA256
7c3a6a7d16ac44c3200f572a764bce7d8fa84b9572dd028b15c59bdccbc0a77d

SHA512
6c30728cac9eac53f0b27b7dbe2222da83225c3b63617d6b271a6cfedf18e8f0a8dffa1053e1cbc4c5e16625f4bbc0d03aa306a946c9d72faa4ceb779f8ffcaf

Download Submit
C:\Users\Admin\AppData\Local\Temp\signtool.exe

Filesize
323KB

MD5
05624e6d27eaef0db0673ae627bd6027

SHA1
b155c76bf59992a8d75d0e3a59dc94f24aff2591

SHA256
962a92821f54a1e706aa989973130fdc1072c7bd8b9e6d11ea1050b46eb9d313

SHA512
233304669aefeec9ad5d19bd2dd5bb19ea35ce31da0b3aabe5ab859259608a58725fac5993637c9635e5912138d3eb477773351f0ee81cc3ce756d713163cf31

Download Submit
C:\Users\Admin\AppData\Local\Temp\slmgr.vbs

Filesize
110KB

MD5
38482a5013d8ab40df0fb15eae022c57

SHA1
5a4a7f261307721656c11b5cc097cde1cf791073

SHA256
ac5c46b97345465a96e9ae1edaff44b191a39bf3d03dc1128090b8ffa92a16f8

SHA512
29c1348014ac448fb9c1a72bfd0ab16cdd62b628dc64827b02965b96ba851e9265c4426007181d2aa08f8fb7853142cc01fc6e4d89bec8fc25f3d340d3857331

Download Submit
C:\Users\Admin\Downloads\KMSAuto++ 1.6.4 Portable Multilingual.zip

Filesize
16.7MB

MD5
2a457a91fdc9215f244356a9f789d2c9

SHA1
4044671f85a3d62078823f94c03a562bfb89bc98

SHA256
04f8e7b6cc83f41b78b1259f9406e8e8287efec1b0512a88a768e3125960b536

SHA512
cb87819b766aed902dd45db31dbeac657a5f6d03f4784281865aa72016028acb50a645c537b0f1bb1405bcb85ff7ed86e3feb364e4c17a5d90a9acb68a60fdef

Download Submit
C:\Users\Admin\Downloads\KMSAuto++ 1.6.4 Portable Multilingual\KMSAuto++.exe

Filesize
17.2MB

MD5
f047284bfddc942292d93ed86fdb20fd

SHA1
56dc945674cf4f941cf17a9ac9c1c9718cf9d18e

SHA256
793731bcfd6cc4faf4244e2353d6d068a0720c601117e464f28c6e6e88de5c46

SHA512
2ec58f32b4fc810c41a014415997c35740eea7f901e367494025045c7c4a9ce1b83efbde2143c0566b66f1065bf39b712d4c9dbaa33ce922eb8d8f9f38da4513

Download Submit
C:\Users\Admin\Downloads\KMSAuto++ 1.6.4 Portable Multilingual\KMSAuto++.exe

Filesize
17.2MB

MD5
f047284bfddc942292d93ed86fdb20fd

SHA1
56dc945674cf4f941cf17a9ac9c1c9718cf9d18e

SHA256
793731bcfd6cc4faf4244e2353d6d068a0720c601117e464f28c6e6e88de5c46

SHA512
2ec58f32b4fc810c41a014415997c35740eea7f901e367494025045c7c4a9ce1b83efbde2143c0566b66f1065bf39b712d4c9dbaa33ce922eb8d8f9f38da4513

Download Submit
C:\Users\Admin\Downloads\KMSAuto++ 1.6.4 Portable Multilingual\KMSAuto++.ini

Filesize
1KB

MD5
9d6166a1f176a87eecc5402f16a7c01b

SHA1
97b56815dc0fa855c279f88c91631a859bd7f3cd

SHA256
4c5eed44e3574f70bb4007523c49fc0328ba8944bc127c41817907d25c4d69d0

SHA512
99db8eca4bd27eb48b5b833a70aee78e57a2875d08b37705b8ae656e50547243ecbcb4d08a3af943e6aefe780ff39a858733506bda835b71eaa3dbce1e3daaa3

Download Submit
C:\Users\Admin\Downloads\KMSAuto++ 1.6.4 Portable Multilingual\KMSAuto_Files\bin\KMSSS.exe

Filesize
33KB

MD5
757a99654e7709aa3ef33056fc3dc8eb

SHA1
d63430b034d1587793dcb5d738b8c3f612546118

SHA256
ed1aaeb33ea7f8bc4d7fec92dd592eed6192830764e89c3aafa08c075a176817

SHA512
517cbfd2f07d104ca4a2d38ee320f9bf961f3ea46cf5c3fdee5e6e20cc0e45ef4bf7119580febdd841b835144ae2701eeca8b5398daab8593a4a1b57535e1f04

Download Submit
C:\Users\Admin\Downloads\KMSAuto++ 1.6.4 Portable Multilingual\KMSAuto_Files\bin\KMSSS.exe

Filesize
33KB

MD5
757a99654e7709aa3ef33056fc3dc8eb

SHA1
d63430b034d1587793dcb5d738b8c3f612546118

SHA256
ed1aaeb33ea7f8bc4d7fec92dd592eed6192830764e89c3aafa08c075a176817

SHA512
517cbfd2f07d104ca4a2d38ee320f9bf961f3ea46cf5c3fdee5e6e20cc0e45ef4bf7119580febdd841b835144ae2701eeca8b5398daab8593a4a1b57535e1f04

Download Submit
C:\Users\Admin\Downloads\KMSAuto++ 1.6.4 Portable Multilingual\KMSAuto_Files\bin\KMSSS.exe

Filesize
33KB

MD5
757a99654e7709aa3ef33056fc3dc8eb

SHA1
d63430b034d1587793dcb5d738b8c3f612546118

SHA256
ed1aaeb33ea7f8bc4d7fec92dd592eed6192830764e89c3aafa08c075a176817

SHA512
517cbfd2f07d104ca4a2d38ee320f9bf961f3ea46cf5c3fdee5e6e20cc0e45ef4bf7119580febdd841b835144ae2701eeca8b5398daab8593a4a1b57535e1f04

Download Submit
C:\Users\Admin\Downloads\KMSAuto++ 1.6.4 Portable Multilingual\KMSAuto_Files\bin\KMSSS.log

Filesize
773B

MD5
53d09f0092c231c09dd1c66665e40d3f

SHA1
e67a2bb78ecbcd18a8534f7c2f627006fee4863a

SHA256
53186e2a5dbcb2eec7181d5213edbd2b2bebb4b0c8ae6490923e6577556904fd

SHA512
f312293559da93c77edc328f5346e71531cc6a1c8550788d26e229a69f2ea2a7dafebd2c9281a8e5a2f976b5ce3fd2041c8bad1a9f0f16dc0eb25a8ad186ac99

Download Submit
C:\Users\Admin\Downloads\KMSAuto++ 1.6.4 Portable Multilingual\KMSAuto_Files\bin\KMSSS.log

Filesize
773B

MD5
53576ca0c9276426f71a3b5294f56348

SHA1
c077ddc1f842ebd805c856c999c0d0d280bd4a6c

SHA256
43fb658ce7a31f971a74ebc2707314ffa1bf4a4e2f19470436da02c0310de46d

SHA512
7e92a9d7eb4a02669b4654a6cff440a4b5a0ce4b265f9899d1b770559169e531b86bde87fc47e4d1bcf4c2c4b660dfe0f254d918c24e7c41ed3ae5dafeedce4e

Download Submit
C:\Users\Admin\Downloads\KMSAuto++ 1.6.4 Portable Multilingual\KMSAuto_Files\bin\KMSSS.log

Filesize
773B

MD5
b16588976c346c2d26e3efd421e36c5b

SHA1
73e22db61ddd52f84debef1aaa4ece1e211d34e0

SHA256
f28f84e9889ab0a0bfa478ddc60deea29863b41ce8e19b6903575e0a100672ec

SHA512
626644eaba6419de1057d262dce269e65ed61ac3dc0b9d892d20df83d3f19d5dd38c3878675b043b877135e53b4892643a01c0dd6a21a6fcac9e508f84204aab

Download Submit
\Users\Admin\AppData\Local\Temp\signtool.exe

Filesize
323KB

MD5
05624e6d27eaef0db0673ae627bd6027

SHA1
b155c76bf59992a8d75d0e3a59dc94f24aff2591

SHA256
962a92821f54a1e706aa989973130fdc1072c7bd8b9e6d11ea1050b46eb9d313

SHA512
233304669aefeec9ad5d19bd2dd5bb19ea35ce31da0b3aabe5ab859259608a58725fac5993637c9635e5912138d3eb477773351f0ee81cc3ce756d713163cf31

Download Submit
\Users\Admin\AppData\Local\Temp\signtool.exe

Filesize
323KB

MD5
05624e6d27eaef0db0673ae627bd6027

SHA1
b155c76bf59992a8d75d0e3a59dc94f24aff2591

SHA256
962a92821f54a1e706aa989973130fdc1072c7bd8b9e6d11ea1050b46eb9d313

SHA512
233304669aefeec9ad5d19bd2dd5bb19ea35ce31da0b3aabe5ab859259608a58725fac5993637c9635e5912138d3eb477773351f0ee81cc3ce756d713163cf31

Download Submit
memory/1528-76-0x0000000000400000-0x0000000001713000-memory.dmp

Filesize
19.1MB

Download
memory/1528-70-0x0000000000400000-0x0000000001713000-memory.dmp

Filesize
19.1MB

Download
memory/1528-73-0x0000000074C21000-0x0000000074C23000-memory.dmp

Filesize
8KB

Download
memory/2496-59-0x000007FEFC511000-0x000007FEFC513000-memory.dmp

Filesize
8KB

Download
memory/2864-58-0x0000000075CF1000-0x0000000075CF3000-memory.dmp

Filesize
8KB

Download