e7ec8e39fdfb299ab485a701fa6b18853e5e5fced4360abe9a65037d3457c731

Analysis

max time kernel
270s
max time network
57s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
25-02-2023 09:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Activador Office 2019/KMSTools.exe
Size

34.5MB
MD5

7dcc580b7546be2871f978db8d313905
SHA1

60d9b7541c661e83664d043f2b7f99a62b10ee84
SHA256

5c2819ebc600adc7fcad0002e6056e824e1af35d1e16334e16199712850a208f
SHA512

dcba8d146e8c30d61828074ceac99dfcc73d52390975df7a29aca9f277fb56ddb8d2f2b02eb99ea328cca15ef24c907f5b03fb5690f5c788e29df7581849b4af
SSDEEP

786432:VMh6YzBjJ7AxVM4Hh0CBS3sHPGtHilqNngktysVidq6igVVRoVl:Kh66PAxV/Hh+3sGilqlToyiU6igQ

Score

8^/10

evasion persistence upx

Malware Config

Signatures

Creates new service(s) 1 TTPs
persistence

New Service
T1050
Modifies Windows Firewall 1 TTPs 6 IoCs
evasion

Modify Existing Service
T1031

Processes:

netsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exe

pid process

1672 netsh.exe
1744 netsh.exe
1536 netsh.exe
1644 netsh.exe
1560 netsh.exe
272 netsh.exe

pid	process
1672	netsh.exe
1744	netsh.exe
1536	netsh.exe
1644	netsh.exe
1560	netsh.exe
272	netsh.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

KMSAuto x64.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\KMSEmulator\ImagePath = "\"C:\\Windows\\Temp\\KMSAuto_Files\\bin\\KMSSS.exe\" -Port 1688 -PWin RandomKMSPID -PO14 RandomKMSPID -PO15 RandomKMSPID -PO16 RandomKMSPID -AI 43200 -RI 43200 KillProcessOnPort -Log -IP"	KMSAuto x64.exe

Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489
Executes dropped EXE 4 IoCs

Processes:

fver.exe7zaxxx.exeAAct_x64.exeKMSSS.exe

pid process

940 fver.exe
936 7zaxxx.exe
1060 AAct_x64.exe
1656 KMSSS.exe
Loads dropped DLL 5 IoCs

Processes:

KMSTools.exe

pid process

924 KMSTools.exe
924 KMSTools.exe
924 KMSTools.exe
924 KMSTools.exe
924 KMSTools.exe

pid	process
940	fver.exe
936	7zaxxx.exe
1060	AAct_x64.exe
1656	KMSSS.exe

pid	process
924	KMSTools.exe
924	KMSTools.exe
924	KMSTools.exe
924	KMSTools.exe
924	KMSTools.exe

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\Activador Office 2019\Programs\AAct v3.9.3 Portable\AAct_x64.exe	upx
C:\Users\Admin\AppData\Local\Temp\Activador Office 2019\Programs\AAct v3.9.3 Portable\AAct_x64.exe	upx
behavioral5/memory/1060-87-0x0000000140000000-0x00000001402E4000-memory.dmp	upx
behavioral5/memory/1508-174-0x0000000140000000-0x000000014051A000-memory.dmp	upx
behavioral5/memory/1508-210-0x0000000140000000-0x000000014051A000-memory.dmp	upx
behavioral5/memory/1508-256-0x0000000140000000-0x000000014051A000-memory.dmp	upx
behavioral5/memory/1508-257-0x0000000140000000-0x000000014051A000-memory.dmp	upx
behavioral5/memory/1508-261-0x0000000140000000-0x000000014051A000-memory.dmp	upx
behavioral5/memory/1508-262-0x0000000140000000-0x000000014051A000-memory.dmp	upx

Drops desktop.ini file(s) 2 IoCs

Processes:

solitaire.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Saved Games\Microsoft Games\desktop.ini	solitaire.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft Games\Solitaire\desktop.ini	solitaire.exe

Launches sc.exe 4 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exe

pid process

1752 sc.exe
1628 sc.exe
1216 sc.exe
1176 sc.exe

pid	process
1752	sc.exe
1628	sc.exe
1216	sc.exe
1176	sc.exe

Modifies registry class 8 IoCs

Processes:

solitaire.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000_CLASSES\Local Settings\Software\Microsoft\Windows\GameUX\GameStats\{8669ECE8-D1C3-4345-8310-E60F6D44FDAF}	solitaire.exe
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000_CLASSES\Local Settings	solitaire.exe
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000_CLASSES\Local Settings\Software	solitaire.exe
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000_CLASSES\Local Settings\Software\Microsoft	solitaire.exe
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000_CLASSES\Local Settings\Software\Microsoft\Windows	solitaire.exe
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000_CLASSES\Local Settings\Software\Microsoft\Windows\GameUX	solitaire.exe
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000_CLASSES\Local Settings\Software\Microsoft\Windows\GameUX\GameStats	solitaire.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000_CLASSES\Local Settings\Software\Microsoft\Windows\GameUX\GameStats\{8669ECE8-D1C3-4345-8310-E60F6D44FDAF}\LastPlayed = "0"	solitaire.exe

Modifies registry key 1 TTPs 2 IoCs

Modify Registry
T1112

Processes:

reg.exereg.exe

pid process

912 reg.exe
1928 reg.exe
Suspicious behavior: GetForegroundWindowSpam 2 IoCs

Processes:

KMSTools.exeKMSAuto x64.exe

pid process

924 KMSTools.exe
1508 KMSAuto x64.exe

pid	process
912	reg.exe
1928	reg.exe

pid	process
924	KMSTools.exe
1508	KMSAuto x64.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

Processes:

AUDIODG.EXE7zaxxx.exe

description	pid	process
Token: 33	1308	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1308	AUDIODG.EXE
Token: 33	1308	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1308	AUDIODG.EXE
Token: SeRestorePrivilege	936	7zaxxx.exe
Token: 35	936	7zaxxx.exe
Token: SeSecurityPrivilege	936	7zaxxx.exe
Token: SeSecurityPrivilege	936	7zaxxx.exe

Suspicious use of FindShellTrayWindow 8 IoCs

Processes:

KMSTools.exeKMSAuto x64.exe

pid process

924 KMSTools.exe
924 KMSTools.exe
924 KMSTools.exe
924 KMSTools.exe
924 KMSTools.exe
1508 KMSAuto x64.exe
1508 KMSAuto x64.exe
1508 KMSAuto x64.exe
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

KMSTools.exe

pid process

924 KMSTools.exe
924 KMSTools.exe

pid	process
924	KMSTools.exe
924	KMSTools.exe
924	KMSTools.exe
924	KMSTools.exe
924	KMSTools.exe
1508	KMSAuto x64.exe
1508	KMSAuto x64.exe
1508	KMSAuto x64.exe

pid	process
924	KMSTools.exe
924	KMSTools.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

KMSTools.exeKMSAuto x64.execmd.execmd.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 924 wrote to memory of 940	924	KMSTools.exe	fver.exe
PID 924 wrote to memory of 940	924	KMSTools.exe	fver.exe
PID 924 wrote to memory of 940	924	KMSTools.exe	fver.exe
PID 924 wrote to memory of 940	924	KMSTools.exe	fver.exe
PID 924 wrote to memory of 860	924	KMSTools.exe	cmd.exe
PID 924 wrote to memory of 860	924	KMSTools.exe	cmd.exe
PID 924 wrote to memory of 860	924	KMSTools.exe	cmd.exe
PID 924 wrote to memory of 860	924	KMSTools.exe	cmd.exe
PID 924 wrote to memory of 936	924	KMSTools.exe	7zaxxx.exe
PID 924 wrote to memory of 936	924	KMSTools.exe	7zaxxx.exe
PID 924 wrote to memory of 936	924	KMSTools.exe	7zaxxx.exe
PID 924 wrote to memory of 936	924	KMSTools.exe	7zaxxx.exe
PID 924 wrote to memory of 1060	924	KMSTools.exe	AAct_x64.exe
PID 924 wrote to memory of 1060	924	KMSTools.exe	AAct_x64.exe
PID 924 wrote to memory of 1060	924	KMSTools.exe	AAct_x64.exe
PID 924 wrote to memory of 1060	924	KMSTools.exe	AAct_x64.exe
PID 924 wrote to memory of 1628	924	KMSTools.exe	signtool.exe
PID 924 wrote to memory of 1628	924	KMSTools.exe	signtool.exe
PID 924 wrote to memory of 1628	924	KMSTools.exe	signtool.exe
PID 924 wrote to memory of 1628	924	KMSTools.exe	signtool.exe
PID 924 wrote to memory of 1508	924	KMSTools.exe	KMSAuto x64.exe
PID 924 wrote to memory of 1508	924	KMSTools.exe	KMSAuto x64.exe
PID 924 wrote to memory of 1508	924	KMSTools.exe	KMSAuto x64.exe
PID 924 wrote to memory of 1508	924	KMSTools.exe	KMSAuto x64.exe
PID 1508 wrote to memory of 1112	1508	KMSAuto x64.exe	cmd.exe
PID 1508 wrote to memory of 1112	1508	KMSAuto x64.exe	cmd.exe
PID 1508 wrote to memory of 1112	1508	KMSAuto x64.exe	cmd.exe
PID 1508 wrote to memory of 1840	1508	KMSAuto x64.exe	cmd.exe
PID 1508 wrote to memory of 1840	1508	KMSAuto x64.exe	cmd.exe
PID 1508 wrote to memory of 1840	1508	KMSAuto x64.exe	cmd.exe
PID 1840 wrote to memory of 912	1840	cmd.exe	reg.exe
PID 1840 wrote to memory of 912	1840	cmd.exe	reg.exe
PID 1840 wrote to memory of 912	1840	cmd.exe	reg.exe
PID 1508 wrote to memory of 1884	1508	KMSAuto x64.exe	cmd.exe
PID 1508 wrote to memory of 1884	1508	KMSAuto x64.exe	cmd.exe
PID 1508 wrote to memory of 1884	1508	KMSAuto x64.exe	cmd.exe
PID 1884 wrote to memory of 1928	1884	cmd.exe	reg.exe
PID 1884 wrote to memory of 1928	1884	cmd.exe	reg.exe
PID 1884 wrote to memory of 1928	1884	cmd.exe	reg.exe
PID 1508 wrote to memory of 1600	1508	KMSAuto x64.exe	cmd.exe
PID 1508 wrote to memory of 1600	1508	KMSAuto x64.exe	cmd.exe
PID 1508 wrote to memory of 1600	1508	KMSAuto x64.exe	cmd.exe
PID 1600 wrote to memory of 1672	1600	cmd.exe	netsh.exe
PID 1600 wrote to memory of 1672	1600	cmd.exe	netsh.exe
PID 1600 wrote to memory of 1672	1600	cmd.exe	netsh.exe
PID 1508 wrote to memory of 1216	1508	KMSAuto x64.exe	cmd.exe
PID 1508 wrote to memory of 1216	1508	KMSAuto x64.exe	cmd.exe
PID 1508 wrote to memory of 1216	1508	KMSAuto x64.exe	cmd.exe
PID 1216 wrote to memory of 1744	1216	cmd.exe	netsh.exe
PID 1216 wrote to memory of 1744	1216	cmd.exe	netsh.exe
PID 1216 wrote to memory of 1744	1216	cmd.exe	netsh.exe
PID 1508 wrote to memory of 1844	1508	KMSAuto x64.exe	cmd.exe
PID 1508 wrote to memory of 1844	1508	KMSAuto x64.exe	cmd.exe
PID 1508 wrote to memory of 1844	1508	KMSAuto x64.exe	cmd.exe
PID 1844 wrote to memory of 1536	1844	cmd.exe	netsh.exe
PID 1844 wrote to memory of 1536	1844	cmd.exe	netsh.exe
PID 1844 wrote to memory of 1536	1844	cmd.exe	netsh.exe
PID 1508 wrote to memory of 1620	1508	KMSAuto x64.exe	cmd.exe
PID 1508 wrote to memory of 1620	1508	KMSAuto x64.exe	cmd.exe
PID 1508 wrote to memory of 1620	1508	KMSAuto x64.exe	cmd.exe
PID 1620 wrote to memory of 1644	1620	cmd.exe	netsh.exe
PID 1620 wrote to memory of 1644	1620	cmd.exe	netsh.exe
PID 1620 wrote to memory of 1644	1620	cmd.exe	netsh.exe
PID 1508 wrote to memory of 1136	1508	KMSAuto x64.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\Activador Office 2019\KMSTools.exe
"C:\Users\Admin\AppData\Local\Temp\Activador Office 2019\KMSTools.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:924

C:\Users\Admin\AppData\Local\Temp\fver.exe
"C:\Users\Admin\AppData\Local\Temp\fver.exe" /D /A "C:\Users\Admin\AppData\Local\Temp\Activador Office 2019\Programs\KMSAuto Lite Portable v1.4.0\KMSAuto.exe"
2⤵
- Executes dropped EXE
PID:940

C:\Windows\system32\cmd.exe
"C:\Windows\Sysnative\cmd.exe" /c copy C:\Windows\system32\Tasks\KMSTools "C:\Users\Admin\AppData\Local\Temp\KMSTools.tmp" /Y
2⤵
PID:860

C:\Users\Admin\AppData\Local\Temp\7zaxxx.exe
"C:\Users\Admin\AppData\Local\Temp\7zaxxx.exe" x data.pak -pkmstools -y -bsp1 -o"C:\Users\Admin\AppData\Local\Temp\Activador Office 2019\Programs" "AAct v"*
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:936

C:\Users\Admin\AppData\Local\Temp\Activador Office 2019\Programs\AAct v3.9.3 Portable\AAct_x64.exe
"C:\Users\Admin\AppData\Local\Temp\Activador Office 2019\Programs\AAct v3.9.3 Portable\AAct_x64.exe"
2⤵
- Executes dropped EXE
PID:1060

C:\Users\Admin\AppData\Local\Temp\Activador Office 2019\Programs\signtool.exe
"C:\Users\Admin\AppData\Local\Temp\Activador Office 2019\Programs\signtool.exe" verify /v /ph /sha1 648384a4dee53d4c1c87e10d67cc99307ccc9c98 "C:\Users\Admin\AppData\Local\Temp\Activador Office 2019\Programs\KMSAuto Lite Portable v1.4.0\KMSAuto x64.exe"
2⤵
PID:1628

C:\Users\Admin\AppData\Local\Temp\Activador Office 2019\Programs\KMSAuto Lite Portable v1.4.0\KMSAuto x64.exe
"C:\Users\Admin\AppData\Local\Temp\Activador Office 2019\Programs\KMSAuto Lite Portable v1.4.0\KMSAuto x64.exe"
2⤵
- Sets service image path in registry
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1508

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c copy C:\Windows\system32\Tasks\KMSAuto "C:\Users\Admin\AppData\Local\Temp\KMSAuto.tmp" /Y
3⤵
PID:1112

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c REG QUERY HKLM\Software\Microsoft\Office /s /v Path /reg:64
3⤵
- Suspicious use of WriteProcessMemory
PID:1840

C:\Windows\System32\reg.exe
REG QUERY HKLM\Software\Microsoft\Office /s /v Path /reg:64
4⤵
- Modifies registry key
PID:912

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c REG QUERY HKLM\Software\WOW6432Node\Microsoft\Office /s /v Path
3⤵
- Suspicious use of WriteProcessMemory
PID:1884

C:\Windows\System32\reg.exe
REG QUERY HKLM\Software\WOW6432Node\Microsoft\Office /s /v Path
4⤵
- Modifies registry key
PID:1928

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c Netsh.exe Advfirewall Firewall delete rule name=0pen_Port_KMS protocol=TCP
3⤵
- Suspicious use of WriteProcessMemory
PID:1600

C:\Windows\system32\netsh.exe
Netsh.exe Advfirewall Firewall delete rule name=0pen_Port_KMS protocol=TCP
4⤵
- Modifies Windows Firewall
PID:1672

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c Netsh.exe Advfirewall Firewall add rule name=0pen_Port_KMS dir=in action=allow protocol=TCP localport=1688
3⤵
- Suspicious use of WriteProcessMemory
PID:1216

C:\Windows\system32\netsh.exe
Netsh.exe Advfirewall Firewall add rule name=0pen_Port_KMS dir=in action=allow protocol=TCP localport=1688
4⤵
- Modifies Windows Firewall
PID:1744

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c Netsh.exe Advfirewall Firewall delete rule name=0pen_Port_KMS2 protocol=TCP
3⤵
- Suspicious use of WriteProcessMemory
PID:1844

C:\Windows\system32\netsh.exe
Netsh.exe Advfirewall Firewall delete rule name=0pen_Port_KMS2 protocol=TCP
4⤵
- Modifies Windows Firewall
PID:1536

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c Netsh.exe Advfirewall Firewall add rule name=0pen_Port_KMS2 dir=out action=allow protocol=TCP localport=1688
3⤵
- Suspicious use of WriteProcessMemory
PID:1620

C:\Windows\system32\netsh.exe
Netsh.exe Advfirewall Firewall add rule name=0pen_Port_KMS2 dir=out action=allow protocol=TCP localport=1688
4⤵
- Modifies Windows Firewall
PID:1644

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c sc.exe create KMSEmulator binpath= temp.exe type= own start= auto
3⤵
PID:1136

C:\Windows\system32\sc.exe
sc.exe create KMSEmulator binpath= temp.exe type= own start= auto
4⤵
- Launches sc.exe
PID:1752

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c sc.exe start KMSEmulator
3⤵
PID:1156

C:\Windows\system32\sc.exe
sc.exe start KMSEmulator
4⤵
- Launches sc.exe
PID:1628

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c cscript //nologo "C:\Program Files (x86)\Microsoft Office\Office14\ospp.vbs" /sethst:127.0.0.2
3⤵
PID:1264

C:\Windows\system32\cscript.exe
cscript //nologo "C:\Program Files (x86)\Microsoft Office\Office14\ospp.vbs" /sethst:127.0.0.2
4⤵
PID:752

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c cscript //nologo "C:\Program Files (x86)\Microsoft Office\Office14\ospp.vbs" /setprt:1688
3⤵
PID:1488

C:\Windows\system32\cscript.exe
cscript //nologo "C:\Program Files (x86)\Microsoft Office\Office14\ospp.vbs" /setprt:1688
4⤵
PID:568

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c cscript //nologo "C:\Program Files (x86)\Microsoft Office\Office14\ospp.vbs" /act
3⤵
PID:1044

C:\Windows\system32\cscript.exe
cscript //nologo "C:\Program Files (x86)\Microsoft Office\Office14\ospp.vbs" /act
4⤵
PID:1928

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c sc.exe stop KMSEmulator
3⤵
PID:1720

C:\Windows\system32\sc.exe
sc.exe stop KMSEmulator
4⤵
- Launches sc.exe
PID:1216

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c sc.exe delete KMSEmulator
3⤵
PID:1008

C:\Windows\system32\sc.exe
sc.exe delete KMSEmulator
4⤵
- Launches sc.exe
PID:1176

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c Netsh.exe Advfirewall Firewall delete rule name=0pen_Port_KMS protocol=TCP
3⤵
PID:620

C:\Windows\system32\netsh.exe
Netsh.exe Advfirewall Firewall delete rule name=0pen_Port_KMS protocol=TCP
4⤵
- Modifies Windows Firewall
PID:1560

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c Netsh.exe Advfirewall Firewall delete rule name=0pen_Port_KMS2 protocol=TCP
3⤵
PID:1592

C:\Windows\system32\netsh.exe
Netsh.exe Advfirewall Firewall delete rule name=0pen_Port_KMS2 protocol=TCP
4⤵
- Modifies Windows Firewall
PID:272

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x49c
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1308

C:\Program Files\Microsoft Games\solitaire\solitaire.exe
"C:\Program Files\Microsoft Games\solitaire\solitaire.exe"
1⤵
- Drops desktop.ini file(s)
- Modifies registry class
PID:1784

C:\Windows\Temp\KMSAuto_Files\bin\KMSSS.exe
"C:\Windows\Temp\KMSAuto_Files\bin\KMSSS.exe" -Port 1688 -PWin RandomKMSPID -PO14 RandomKMSPID -PO15 RandomKMSPID -PO16 RandomKMSPID -AI 43200 -RI 43200 KillProcessOnPort -Log -IP
1⤵
- Executes dropped EXE
PID:1656

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

New Service

T1050

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

New Service

T1050

Defense Evasion

Modify Registry

T1112

Impair Defenses

T1562

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\GameExplorer\GameStatistics\{8669ECE8-D1C3-4345-8310-E60F6D44FDAF}\{8669ECE8-D1C3-4345-8310-E60F6D44FDAF}.gamestats
Filesize
2KB

MD5
a338c1bb5704e723487ef4f8d5d592f5

SHA1
9b6e89c7fdf4ed588a98b673dcc3073f85eaea5d

SHA256
c096f55238f36481b0e846e37004e813ea0b34ddbc7a94f0155fd64ed4dd5672

SHA512
ab62aac5a5fb6f599616d0998cb8011ca18c0631e42451958af89bcaa8db2b6e179651cb14c94f3f6868b0c8632a4048f8c9e6ba7ea6a31abb168e1362188952

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zaxxx.exe
Filesize
628KB

MD5
ec79cabd55a14379e4d676bb17d9e3df

SHA1
15626d505da35bfdb33aea5c8f7831f616cabdba

SHA256
44a55f5d9c31d0990de47b9893e0c927478930cef06fbe2d1f520a6d6cba587d

SHA512
00bbb601a685cbfb3c51c1da9f3b77c2b318c79e87d88a31c0e215288101753679e1586b170ccc9c2cb0b5ce05c2090c0737a1e4a616ad1d9658392066196d47

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zaxxx.exe
Filesize
628KB

MD5
ec79cabd55a14379e4d676bb17d9e3df

SHA1
15626d505da35bfdb33aea5c8f7831f616cabdba

SHA256
44a55f5d9c31d0990de47b9893e0c927478930cef06fbe2d1f520a6d6cba587d

SHA512
00bbb601a685cbfb3c51c1da9f3b77c2b318c79e87d88a31c0e215288101753679e1586b170ccc9c2cb0b5ce05c2090c0737a1e4a616ad1d9658392066196d47

Download Submit
C:\Users\Admin\AppData\Local\Temp\Activador Office 2019\Programs\AAct v3.9.3 Portable\AAct_x64.exe
Filesize
1.5MB

MD5
c5a4ddda8b05571d055410b07d6233db

SHA1
d703d38bb9e686ed8dfe6e0520776dcb41ccc0bf

SHA256
cc645d2d65396777e08497b76c550659fd195da4ee3ce1cbf4a708ae81c709ad

SHA512
65d5d945b49c6557898ed1f6525585aaac9e0ccbca1f301b0d7e7eec0224b027c48a5df924bfec5b719b3e0732694cfef57cc74d15f086a8fc0e26af7243ab5f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab516D.tmp
Filesize
61KB

MD5
fc4666cbca561e864e7fdf883a9e6661

SHA1
2f8d6094c7a34bf12ea0bbf0d51ee9c5bb7939a5

SHA256
10f3deb6c452d749a7451b5d065f4c0449737e5ee8a44f4d15844b503141e65b

SHA512
c71f54b571e01f247f072be4bbebdf5d8410b67eb79a61e7e0d9853fe857ab9bd12f53e6af3394b935560178107291fc4be351b27deb388eba90ba949633d57d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar51BE.tmp
Filesize
161KB

MD5
73b4b714b42fc9a6aaefd0ae59adb009

SHA1
efdaffd5b0ad21913d22001d91bf6c19ecb4ac41

SHA256
c0cf8cc04c34b5b80a2d86ad0eafb2dd71436f070c86b0321fba0201879625fd

SHA512
73af3c51b15f89237552b1718bef21fd80788fa416bab2cb2e7fb3a60d56249a716eda0d2dd68ab643752272640e7eaaaf57ce64bcb38373ddc3d035fb8d57cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\data.pak
Filesize
31.5MB

MD5
a7915ec7148f37249e0beb7e5db9f2de

SHA1
9e8218811b994b604eb354703d46a61c37639d38

SHA256
dfb38d53ae49686e2b44362b314c66d1bc799af30f3bc9e3af950086f7874156

SHA512
d09ee71175e97a048ab97a7d10e9b26d6e16457d9bce124d8364f51fd85ccc9dd747aed1982ba5bad43fbc0e4a4ef84fa28a05a60428e125aca7bd04b091d583

Download Submit
C:\Users\Admin\AppData\Local\Temp\fver.exe
Filesize
12KB

MD5
0e6c873a80940c9729bc8017ad67b2de

SHA1
605b85c8908b29c98bb849e4aed5a3f22d0a5530

SHA256
9f54832295773b42a75ca9c2e59491941554cafb77e4285dfeed2ddb4de2efe2

SHA512
81a76c359e64d974e7fd4773a260ba18eb7f1ddb96b90e391bec98aa67f5b8b4ec175045864c2782f988649e2fa9b2e12b88b46655371adba2ba0f25b7031cd1

Download Submit
C:\Users\Admin\AppData\Local\Temp\fver.exe
Filesize
12KB

MD5
0e6c873a80940c9729bc8017ad67b2de

SHA1
605b85c8908b29c98bb849e4aed5a3f22d0a5530

SHA256
9f54832295773b42a75ca9c2e59491941554cafb77e4285dfeed2ddb4de2efe2

SHA512
81a76c359e64d974e7fd4773a260ba18eb7f1ddb96b90e391bec98aa67f5b8b4ec175045864c2782f988649e2fa9b2e12b88b46655371adba2ba0f25b7031cd1

Download Submit
C:\Windows\Temp\KMSAuto_Files\bin\KMSSS.exe
Filesize
33KB

MD5
463c7ce8e2ec2c33536e9697c0eeba7d

SHA1
8aba9b67484c647a9a01cac8c7a7170f1e7fe0a5

SHA256
d3ed9d3b8dd6a6a8dfa0a9bb02374b079e8e0c33e600677ef15bfa19264c4f04

SHA512
4f175d6ac12e53b32e8baaad058eda33378c5c0ca67c06ae77b5d7b4a1344d70a2a8e932a71c510a038fb6b19e2c280921bcfc64ed62a7906264844f7f121c41

Download Submit
C:\Windows\Temp\KMSAuto_Files\bin\KMSSS.log
Filesize
773B

MD5
ac1103a6a734aa83570ca8e9230f0eaf

SHA1
0dafc5c328c85e2d2ad8354da19b69b72fb1807d

SHA256
8cfb334a6f006af21384afdc5064a82187272372ea99c85f2a3379d81618c062

SHA512
8e85d17f0f3d2f887432204ec0017fb8b717c15c352fe9b6739df5f6801a53a47ba82a3d7377bb6440519121499df09724819ced0efb4787b22d61574c7ad3fd

Download Submit
C:\Windows\Temp\KMSAuto_Files\bin\KMSSS.log
Filesize
1KB

MD5
a4dc0897463a8ca11164a2f9a468badf

SHA1
7a03d252df05152ed8921be425ddfc667e8f3786

SHA256
969905d090234f9ae5969486a3715ae824dc41b30a68bbc391512f50e310684c

SHA512
316e63286723a1fef09a221e7ecb3a4d4a18b76343768026daf0e3bd32967f6884f0cb3b370fe87d644f4fa894db83973aaacb8273ffeac84ec8ad5dfdef970c

Download Submit
C:\Windows\Temp\KMSAuto_Files\bin\KMSSS.log
Filesize
1KB

MD5
a4dc0897463a8ca11164a2f9a468badf

SHA1
7a03d252df05152ed8921be425ddfc667e8f3786

SHA256
969905d090234f9ae5969486a3715ae824dc41b30a68bbc391512f50e310684c

SHA512
316e63286723a1fef09a221e7ecb3a4d4a18b76343768026daf0e3bd32967f6884f0cb3b370fe87d644f4fa894db83973aaacb8273ffeac84ec8ad5dfdef970c

Download Submit
\Users\Admin\AppData\Local\Temp\7zaxxx.exe
Filesize
628KB

MD5
ec79cabd55a14379e4d676bb17d9e3df

SHA1
15626d505da35bfdb33aea5c8f7831f616cabdba

SHA256
44a55f5d9c31d0990de47b9893e0c927478930cef06fbe2d1f520a6d6cba587d

SHA512
00bbb601a685cbfb3c51c1da9f3b77c2b318c79e87d88a31c0e215288101753679e1586b170ccc9c2cb0b5ce05c2090c0737a1e4a616ad1d9658392066196d47

Download Submit
\Users\Admin\AppData\Local\Temp\7zaxxx.exe
Filesize
628KB

MD5
ec79cabd55a14379e4d676bb17d9e3df

SHA1
15626d505da35bfdb33aea5c8f7831f616cabdba

SHA256
44a55f5d9c31d0990de47b9893e0c927478930cef06fbe2d1f520a6d6cba587d

SHA512
00bbb601a685cbfb3c51c1da9f3b77c2b318c79e87d88a31c0e215288101753679e1586b170ccc9c2cb0b5ce05c2090c0737a1e4a616ad1d9658392066196d47

Download Submit
\Users\Admin\AppData\Local\Temp\Activador Office 2019\Programs\AAct v3.9.3 Portable\AAct_x64.exe
Filesize
1.5MB

MD5
c5a4ddda8b05571d055410b07d6233db

SHA1
d703d38bb9e686ed8dfe6e0520776dcb41ccc0bf

SHA256
cc645d2d65396777e08497b76c550659fd195da4ee3ce1cbf4a708ae81c709ad

SHA512
65d5d945b49c6557898ed1f6525585aaac9e0ccbca1f301b0d7e7eec0224b027c48a5df924bfec5b719b3e0732694cfef57cc74d15f086a8fc0e26af7243ab5f

Download Submit
\Users\Admin\AppData\Local\Temp\fver.exe
Filesize
12KB

MD5
0e6c873a80940c9729bc8017ad67b2de

SHA1
605b85c8908b29c98bb849e4aed5a3f22d0a5530

SHA256
9f54832295773b42a75ca9c2e59491941554cafb77e4285dfeed2ddb4de2efe2

SHA512
81a76c359e64d974e7fd4773a260ba18eb7f1ddb96b90e391bec98aa67f5b8b4ec175045864c2782f988649e2fa9b2e12b88b46655371adba2ba0f25b7031cd1

Download Submit
\Users\Admin\AppData\Local\Temp\fver.exe
Filesize
12KB

MD5
0e6c873a80940c9729bc8017ad67b2de

SHA1
605b85c8908b29c98bb849e4aed5a3f22d0a5530

SHA256
9f54832295773b42a75ca9c2e59491941554cafb77e4285dfeed2ddb4de2efe2

SHA512
81a76c359e64d974e7fd4773a260ba18eb7f1ddb96b90e391bec98aa67f5b8b4ec175045864c2782f988649e2fa9b2e12b88b46655371adba2ba0f25b7031cd1

Download Submit
memory/924-173-0x0000000006580000-0x0000000006A9A000-memory.dmp

Filesize
5.1MB

Download
memory/924-255-0x0000000006580000-0x0000000006A9A000-memory.dmp

Filesize
5.1MB

Download
memory/924-88-0x0000000006580000-0x0000000006864000-memory.dmp

Filesize
2.9MB

Download
memory/1060-87-0x0000000140000000-0x00000001402E4000-memory.dmp

Filesize
2.9MB

Download
memory/1508-174-0x0000000140000000-0x000000014051A000-memory.dmp

Filesize
5.1MB

Download
memory/1508-262-0x0000000140000000-0x000000014051A000-memory.dmp

Filesize
5.1MB

Download
memory/1508-261-0x0000000140000000-0x000000014051A000-memory.dmp

Filesize
5.1MB

Download
memory/1508-257-0x0000000140000000-0x000000014051A000-memory.dmp

Filesize
5.1MB

Download
memory/1508-256-0x0000000140000000-0x000000014051A000-memory.dmp

Filesize
5.1MB

Download
memory/1508-210-0x0000000140000000-0x000000014051A000-memory.dmp

Filesize
5.1MB

Download
memory/1784-90-0x0000000001C70000-0x0000000001C7A000-memory.dmp

Filesize
40KB

Download
memory/1784-96-0x0000000001D50000-0x0000000001D5A000-memory.dmp

Filesize
40KB

Download
memory/1784-99-0x0000000001D50000-0x0000000001D5A000-memory.dmp

Filesize
40KB

Download
memory/1784-97-0x0000000001D50000-0x0000000001D5A000-memory.dmp

Filesize
40KB

Download
memory/1784-100-0x0000000001D50000-0x0000000001D5A000-memory.dmp

Filesize
40KB

Download
memory/1784-101-0x0000000001D50000-0x0000000001D5A000-memory.dmp

Filesize
40KB

Download
memory/1784-120-0x0000000001C70000-0x0000000001C76000-memory.dmp

Filesize
24KB

Download
memory/1784-98-0x0000000001D50000-0x0000000001D5A000-memory.dmp

Filesize
40KB

Download
memory/1784-89-0x0000000000350000-0x0000000000351000-memory.dmp

Filesize
4KB

Download
memory/1784-95-0x0000000001C70000-0x0000000001C7A000-memory.dmp

Filesize
40KB

Download
memory/1784-91-0x0000000001C70000-0x0000000001C7A000-memory.dmp

Filesize
40KB

Download
memory/1784-92-0x0000000001C70000-0x0000000001C7A000-memory.dmp

Filesize
40KB

Download
memory/1784-93-0x0000000001C70000-0x0000000001C7A000-memory.dmp

Filesize
40KB

Download
memory/1784-94-0x0000000001C70000-0x0000000001C7A000-memory.dmp

Filesize
40KB

Download