b03c86ae3de18f79382e9dc23992850c7c952c01aa14475e85f280bafe734bd4

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation	KMSpico_setup.tmp

Executes dropped EXE 9 IoCs

pid	Process
4924	KMSpico_setup.tmp
4384	KMSpico_setup.tmp
1428	_setup.exe
4144	_setup.tmp
2704	UninsHs.exe
1464	KMSELDI.exe
880	SECOH-QAD.exe
4284	AutoPico.exe
4312	KMSELDI.exe

Loads dropped DLL 3 IoCs

pid	Process
4924	KMSpico_setup.tmp
4384	KMSpico_setup.tmp
5000	SppExtComObj.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x00010000000231ab-972.dat	upx
behavioral2/files/0x00010000000231ab-973.dat	upx
behavioral2/files/0x00010000000231ab-974.dat	upx
behavioral2/memory/2704-975-0x0000000000400000-0x0000000000417000-memory.dmp	upx

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
File opened (read-only)	\??\I:	_setup.tmp
File opened (read-only)	\??\M:	_setup.tmp
File opened (read-only)	\??\P:	_setup.tmp
File opened (read-only)	\??\R:	_setup.tmp
File opened (read-only)	\??\T:	_setup.tmp
File opened (read-only)	\??\A:	_setup.tmp
File opened (read-only)	\??\E:	_setup.tmp
File opened (read-only)	\??\G:	_setup.tmp
File opened (read-only)	\??\V:	_setup.tmp
File opened (read-only)	\??\W:	_setup.tmp
File opened (read-only)	\??\X:	_setup.tmp
File opened (read-only)	\??\L:	_setup.tmp
File opened (read-only)	\??\S:	_setup.tmp
File opened (read-only)	\??\U:	_setup.tmp
File opened (read-only)	\??\Y:	_setup.tmp
File opened (read-only)	\??\Z:	_setup.tmp
File opened (read-only)	\??\H:	_setup.tmp
File opened (read-only)	\??\J:	_setup.tmp
File opened (read-only)	\??\K:	_setup.tmp
File opened (read-only)	\??\F:	_setup.tmp
File opened (read-only)	\??\O:	_setup.tmp
File opened (read-only)	\??\Q:	_setup.tmp
File opened (read-only)	\??\B:	_setup.tmp
File opened (read-only)	\??\N:	_setup.tmp

Checks system information in the registry 2 TTPs 1 IoCs

System information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	KMSpico_setup.tmp

Drops file in System32 directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\Vestris.ResourceLib.dll	_setup.tmp
File created	C:\Windows\system32\is-TBH0K.tmp	_setup.tmp
File created	C:\Windows\system32\is-28DO3.tmp	_setup.tmp

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\KMSpico\cert\kmscert2010\Visio\is-2V8DG.tmp	_setup.tmp
File created	C:\Program Files\KMSpico\cert\kmscert2010\Visio\is-RJ2RM.tmp	_setup.tmp
File created	C:\Program Files\KMSpico\scripts\is-8PJ5M.tmp	_setup.tmp
File opened for modification	C:\Program Files\KMSpico\TokensBackup\Windows\data.dat	KMSELDI.exe
File created	C:\Program Files\KMSpico\cert\kmscert2013\is-Q0J3T.tmp	_setup.tmp
File created	C:\Program Files\KMSpico\cert\kmscert2013\Publisher\is-5ACHT.tmp	_setup.tmp
File created	C:\Program Files\KMSpico\cert\kmscertW7\Embedded\is-JBB5L.tmp	_setup.tmp
File created	C:\Program Files\KMSpico\cert\kmscertW7\Professional\is-UQ220.tmp	_setup.tmp
File created	C:\Program Files\KMSpico\cert\kmscertW8\CoreN\is-HHO8D.tmp	_setup.tmp
File created	C:\Program Files\KMSpico\scripts\is-VTHVR.tmp	_setup.tmp
File created	C:\Program Files\KMSpico\TokensBackup\Windows\data.dat	KMSELDI.exe
File opened for modification	C:\Program Files\KMSpico\Service_KMS.exe	_setup.tmp
File created	C:\Program Files\KMSpico\cert\kmscert2010\Excel\is-JTBKF.tmp	_setup.tmp
File created	C:\Program Files\KMSpico\cert\kmscert2010\Groove\is-H0UAN.tmp	_setup.tmp
File created	C:\Program Files\KMSpico\cert\kmscertW6\Business\is-43T0U.tmp	_setup.tmp
File created	C:\Program Files\KMSpico\cert\kmscertW7\Professional\is-OKQD1.tmp	_setup.tmp
File created	C:\Program Files\KMSpico\cert\kmscertW8\Professional\is-INKOK.tmp	_setup.tmp
File created	C:\Program Files\KMSpico\cert\kmscert2010\Word\is-1CC7F.tmp	_setup.tmp
File created	C:\Program Files\KMSpico\cert\kmscert2013\Lync\is-93UHL.tmp	_setup.tmp
File created	C:\Program Files\KMSpico\cert\kmscert2013\Standard\is-O9O8M.tmp	_setup.tmp
File created	C:\Program Files\KMSpico\cert\kmscert2010\Access\is-UU2JU.tmp	_setup.tmp
File created	C:\Program Files\KMSpico\cert\kmscert2010\OneNote\is-GK42B.tmp	_setup.tmp
File created	C:\Program Files\KMSpico\cert\kmscert2010\OneNote\is-1LDR5.tmp	_setup.tmp
File created	C:\Program Files\KMSpico\cert\kmscert2010\PowerPoint\is-FQHVV.tmp	_setup.tmp
File created	C:\Program Files\KMSpico\cert\kmscert2013\ProjectStd\is-C0539.tmp	_setup.tmp
File created	C:\Program Files\KMSpico\cert\kmscertW10\Education\is-FABR7.tmp	_setup.tmp
File created	C:\Program Files\KMSpico\cert\kmscertW6\Enterprise\is-TIPQQ.tmp	_setup.tmp
File created	C:\Program Files\KMSpico\cert\kmscert2010\PowerPoint\is-V0SNV.tmp	_setup.tmp
File created	C:\Program Files\KMSpico\cert\kmscert2010\PowerPoint\is-A5CS1.tmp	_setup.tmp
File created	C:\Program Files\KMSpico\logs\is-NCONT.tmp	_setup.tmp
File created	C:\Program Files\KMSpico\scripts\is-2JI54.tmp	_setup.tmp
File created	C:\Program Files\KMSpico\cert\kmscert2010\Groove\is-IPJ92.tmp	_setup.tmp
File created	C:\Program Files\KMSpico\cert\kmscert2010\InfoPath\is-LAE66.tmp	_setup.tmp
File created	C:\Program Files\KMSpico\cert\kmscert2010\PowerPoint\is-9RJ3F.tmp	_setup.tmp
File created	C:\Program Files\KMSpico\cert\kmscert2010\Access\is-7NUNG.tmp	_setup.tmp
File created	C:\Program Files\KMSpico\cert\kmscert2010\Groove\is-APGE8.tmp	_setup.tmp
File created	C:\Program Files\KMSpico\cert\kmscert2010\Groove\is-P95ND.tmp	_setup.tmp
File created	C:\Program Files\KMSpico\cert\kmscert2010\Groove\is-BIEU2.tmp	_setup.tmp
File created	C:\Program Files\KMSpico\cert\kmscert2013\Word\is-UMBI4.tmp	_setup.tmp
File created	C:\Program Files\KMSpico\cert\kmscertW6\Business\is-IGF8U.tmp	_setup.tmp
File created	C:\Program Files\KMSpico\cert\kmscertW8\ProfessionalN\is-BP50Q.tmp	_setup.tmp
File created	C:\Program Files\KMSpico\scripts\is-9P0LU.tmp	_setup.tmp
File created	C:\Program Files\KMSpico\sounds\is-I957U.tmp	_setup.tmp
File created	C:\Program Files\KMSpico\cert\kmscert2010\ProjectStd\is-3RUEM.tmp	_setup.tmp
File created	C:\Program Files\KMSpico\cert\kmscert2010\Standard\is-2IA2A.tmp	_setup.tmp
File created	C:\Program Files\KMSpico\cert\kmscert2010\Visio\is-HOB8O.tmp	_setup.tmp
File created	C:\Program Files\KMSpico\cert\kmscert2013\PowerPoint\is-NP7A1.tmp	_setup.tmp
File created	C:\Program Files\KMSpico\cert\kmscert2013\Word\is-JADI0.tmp	_setup.tmp
File created	C:\Program Files\KMSpico\driver\is-DKD4L.tmp	_setup.tmp
File created	C:\Program Files\KMSpico\sounds\is-44D06.tmp	_setup.tmp
File created	C:\Program Files\KMSpico\cert\kmscert2010\Access\is-L6UCG.tmp	_setup.tmp
File created	C:\Program Files\KMSpico\cert\kmscert2010\Groove\is-L3DFS.tmp	_setup.tmp
File created	C:\Program Files\KMSpico\cert\kmscert2010\ProjectStd\is-NSU1F.tmp	_setup.tmp
File created	C:\Program Files\KMSpico\cert\kmscert2010\Publisher\is-AD3G1.tmp	_setup.tmp
File created	C:\Program Files\KMSpico\cert\kmscert2010\SmallBusBasics\is-CJ9QV.tmp	_setup.tmp
File created	C:\Program Files\KMSpico\cert\kmscert2016\Excel\is-I6V8I.tmp	_setup.tmp
File created	C:\Program Files\KMSpico\cert\kmscert2016\Excel\is-QMTMH.tmp	_setup.tmp
File created	C:\Program Files\KMSpico\cert\kmscert2016\SkypeforBusiness\is-227E4.tmp	_setup.tmp
File created	C:\Program Files\KMSpico\cert\kmscertW6\Business\is-446NO.tmp	_setup.tmp
File created	C:\Program Files\KMSpico\cert\kmscertW81\Professional\is-1A6R7.tmp	_setup.tmp
File created	C:\Program Files\KMSpico\cert\kmscertW81\ServerDatacenter\is-F019O.tmp	_setup.tmp
File created	C:\Program Files\KMSpico\driver\is-NC0GB.tmp	_setup.tmp
File created	C:\Program Files\KMSpico\cert\kmscert2010\SmallBusBasics\is-7JHCD.tmp	_setup.tmp
File created	C:\Program Files\KMSpico\cert\kmscert2010\Visio\is-I7E73.tmp	_setup.tmp

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SECOH-QAD.dll	KMSELDI.exe
File created	C:\Windows\SECOH-QAD.exe	KMSELDI.exe

Launches sc.exe 7 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
4904	sc.exe
3436	sc.exe
2512	sc.exe
4988	sc.exe
3920	sc.exe
1972	sc.exe
1088	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 3 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

pid	Process
3468	schtasks.exe
1520	schtasks.exe
3460	schtasks.exe

Kills process with taskkill 2 IoCs

evasion

pid	Process
988	taskkill.exe
4928	taskkill.exe

Modifies Control Panel 3 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\Desktop\PaintDesktopVersion = "0"	KMSELDI.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\Desktop\PaintDesktopVersion = "0"	AutoPico.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\Desktop\PaintDesktopVersion = "0"	KMSELDI.exe

Modifies Internet Explorer Phishing Filter 1 TTPs 2 IoCs

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\PhishingFilter\EnabledV9 = "0"	_setup.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\PhishingFilter	_setup.tmp

Modifies data under HKEY_USERS 16 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE	SppExtComObj.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft	SppExtComObj.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows NT\CurrentVersion	SppExtComObj.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\0ff1ce15-a989-479d-af46-f275c6370663\d450596f-894d-49e0-966a-fd39ed4c4c64\DiscoveredKeyManagementServiceIpAddress = "fe80::37:3ceb:a27b:5369%4"	SppExtComObj.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\55c92734-d682-4d71-983e-d6ec3f16059f\2de67392-b7a7-462a-b1ca-108dd189f588\DiscoveredKeyManagementServiceIpAddress	AutoPico.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows NT	SppExtComObj.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\0ff1ce15-a989-479d-af46-f275c6370663\d450596f-894d-49e0-966a-fd39ed4c4c64	SppExtComObj.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\0ff1ce15-a989-479d-af46-f275c6370663\d450596f-894d-49e0-966a-fd39ed4c4c64\DiscoveredKeyManagementServiceIpAddress	AutoPico.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\55c92734-d682-4d71-983e-d6ec3f16059f\2de67392-b7a7-462a-b1ca-108dd189f588\DiscoveredKeyManagementServiceIpAddress	KMSELDI.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\0ff1ce15-a989-479d-af46-f275c6370663\d450596f-894d-49e0-966a-fd39ed4c4c64\DiscoveredKeyManagementServiceIpAddress	KMSELDI.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\55c92734-d682-4d71-983e-d6ec3f16059f\2de67392-b7a7-462a-b1ca-108dd189f588	SppExtComObj.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform	SppExtComObj.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\55c92734-d682-4d71-983e-d6ec3f16059f	SppExtComObj.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\55c92734-d682-4d71-983e-d6ec3f16059f\2de67392-b7a7-462a-b1ca-108dd189f588\DiscoveredKeyManagementServiceIpAddress = "10.105.7.164"	SppExtComObj.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\55c92734-d682-4d71-983e-d6ec3f16059f\2de67392-b7a7-462a-b1ca-108dd189f588\DiscoveredKeyManagementServiceIpAddress	KMSELDI.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\0ff1ce15-a989-479d-af46-f275c6370663\d450596f-894d-49e0-966a-fd39ed4c4c64\DiscoveredKeyManagementServiceIpAddress = "10.33.42.5"	SppExtComObj.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

pid	Process
4384	KMSpico_setup.tmp
4384	KMSpico_setup.tmp
4144	_setup.tmp
4144	_setup.tmp
880	SECOH-QAD.exe
880	SECOH-QAD.exe
880	SECOH-QAD.exe
880	SECOH-QAD.exe
880	SECOH-QAD.exe
880	SECOH-QAD.exe
1464	KMSELDI.exe
4284	AutoPico.exe
4312	KMSELDI.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
4144	_setup.tmp
4312	KMSELDI.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

description	pid	Process
Token: SeDebugPrivilege	4928	taskkill.exe
Token: SeDebugPrivilege	988	taskkill.exe
Token: SeSystemtimePrivilege	1464	KMSELDI.exe
Token: SeDebugPrivilege	1464	KMSELDI.exe
Token: SeSystemtimePrivilege	4284	AutoPico.exe
Token: SeDebugPrivilege	4284	AutoPico.exe
Token: SeSystemtimePrivilege	4312	KMSELDI.exe
Token: 33	3828	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	3828	AUDIODG.EXE
Token: SeDebugPrivilege	4312	KMSELDI.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
4384	KMSpico_setup.tmp
4144	_setup.tmp

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2584 wrote to memory of 4924	2584	KMSpico_setup.exe	87
PID 2584 wrote to memory of 4924	2584	KMSpico_setup.exe	87
PID 2584 wrote to memory of 4924	2584	KMSpico_setup.exe	87
PID 4924 wrote to memory of 2072	4924	KMSpico_setup.tmp	88
PID 4924 wrote to memory of 2072	4924	KMSpico_setup.tmp	88
PID 4924 wrote to memory of 2072	4924	KMSpico_setup.tmp	88
PID 2072 wrote to memory of 4384	2072	KMSpico_setup.exe	89
PID 2072 wrote to memory of 4384	2072	KMSpico_setup.exe	89
PID 2072 wrote to memory of 4384	2072	KMSpico_setup.exe	89
PID 4384 wrote to memory of 4928	4384	KMSpico_setup.tmp	90
PID 4384 wrote to memory of 4928	4384	KMSpico_setup.tmp	90
PID 4384 wrote to memory of 4928	4384	KMSpico_setup.tmp	90
PID 4384 wrote to memory of 988	4384	KMSpico_setup.tmp	92
PID 4384 wrote to memory of 988	4384	KMSpico_setup.tmp	92
PID 4384 wrote to memory of 988	4384	KMSpico_setup.tmp	92
PID 4384 wrote to memory of 1780	4384	KMSpico_setup.tmp	94
PID 4384 wrote to memory of 1780	4384	KMSpico_setup.tmp	94
PID 4384 wrote to memory of 1780	4384	KMSpico_setup.tmp	94
PID 4384 wrote to memory of 4904	4384	KMSpico_setup.tmp	98
PID 4384 wrote to memory of 4904	4384	KMSpico_setup.tmp	98
PID 4384 wrote to memory of 4904	4384	KMSpico_setup.tmp	98
PID 4384 wrote to memory of 3436	4384	KMSpico_setup.tmp	100
PID 4384 wrote to memory of 3436	4384	KMSpico_setup.tmp	100
PID 4384 wrote to memory of 3436	4384	KMSpico_setup.tmp	100
PID 4384 wrote to memory of 2512	4384	KMSpico_setup.tmp	102
PID 4384 wrote to memory of 2512	4384	KMSpico_setup.tmp	102
PID 4384 wrote to memory of 2512	4384	KMSpico_setup.tmp	102
PID 4384 wrote to memory of 4988	4384	KMSpico_setup.tmp	104
PID 4384 wrote to memory of 4988	4384	KMSpico_setup.tmp	104
PID 4384 wrote to memory of 4988	4384	KMSpico_setup.tmp	104
PID 4384 wrote to memory of 3920	4384	KMSpico_setup.tmp	106
PID 4384 wrote to memory of 3920	4384	KMSpico_setup.tmp	106
PID 4384 wrote to memory of 3920	4384	KMSpico_setup.tmp	106
PID 4384 wrote to memory of 1972	4384	KMSpico_setup.tmp	108
PID 4384 wrote to memory of 1972	4384	KMSpico_setup.tmp	108
PID 4384 wrote to memory of 1972	4384	KMSpico_setup.tmp	108
PID 4384 wrote to memory of 3468	4384	KMSpico_setup.tmp	110
PID 4384 wrote to memory of 3468	4384	KMSpico_setup.tmp	110
PID 4384 wrote to memory of 3468	4384	KMSpico_setup.tmp	110
PID 4384 wrote to memory of 1520	4384	KMSpico_setup.tmp	112
PID 4384 wrote to memory of 1520	4384	KMSpico_setup.tmp	112
PID 4384 wrote to memory of 1520	4384	KMSpico_setup.tmp	112
PID 4384 wrote to memory of 1428	4384	KMSpico_setup.tmp	115
PID 4384 wrote to memory of 1428	4384	KMSpico_setup.tmp	115
PID 4384 wrote to memory of 1428	4384	KMSpico_setup.tmp	115
PID 4384 wrote to memory of 1456	4384	KMSpico_setup.tmp	116
PID 4384 wrote to memory of 1456	4384	KMSpico_setup.tmp	116
PID 4384 wrote to memory of 1456	4384	KMSpico_setup.tmp	116
PID 1428 wrote to memory of 4144	1428	_setup.exe	118
PID 1428 wrote to memory of 4144	1428	_setup.exe	118
PID 1428 wrote to memory of 4144	1428	_setup.exe	118
PID 4384 wrote to memory of 2340	4384	KMSpico_setup.tmp	119
PID 4384 wrote to memory of 2340	4384	KMSpico_setup.tmp	119
PID 4384 wrote to memory of 2340	4384	KMSpico_setup.tmp	119
PID 4384 wrote to memory of 4824	4384	KMSpico_setup.tmp	121
PID 4384 wrote to memory of 4824	4384	KMSpico_setup.tmp	121
PID 4384 wrote to memory of 4824	4384	KMSpico_setup.tmp	121
PID 4384 wrote to memory of 224	4384	KMSpico_setup.tmp	123
PID 4384 wrote to memory of 224	4384	KMSpico_setup.tmp	123
PID 4384 wrote to memory of 224	4384	KMSpico_setup.tmp	123
PID 4384 wrote to memory of 3212	4384	KMSpico_setup.tmp	125
PID 4384 wrote to memory of 3212	4384	KMSpico_setup.tmp	125
PID 4384 wrote to memory of 3212	4384	KMSpico_setup.tmp	125
PID 4384 wrote to memory of 4160	4384	KMSpico_setup.tmp	127

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\KMSpico_setup.exe
"C:\Users\Admin\AppData\Local\Temp\KMSpico_setup.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2584
- C:\Users\Admin\AppData\Local\Temp\is-24B9H.tmp\KMSpico_setup.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-24B9H.tmp\KMSpico_setup.tmp" /SL5="$A0030,3446020,122880,C:\Users\Admin\AppData\Local\Temp\KMSpico_setup.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:4924
- - C:\Users\Admin\AppData\Local\Temp\KMSpico_setup.exe
    "C:\Users\Admin\AppData\Local\Temp\KMSpico_setup.exe" /VERYSILENT
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2072
  - - C:\Users\Admin\AppData\Local\Temp\is-DRQSQ.tmp\KMSpico_setup.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-DRQSQ.tmp\KMSpico_setup.tmp" /SL5="$D005C,3446020,122880,C:\Users\Admin\AppData\Local\Temp\KMSpico_setup.exe" /VERYSILENT
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Checks system information in the registry
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of FindShellTrayWindow
      Suspicious use of WriteProcessMemory
      PID:4384
    - - C:\Windows\SysWOW64\taskkill.exe
        
        "C:\Windows\system32\taskkill.exe" /f /im "KMSUPD.exe"
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:4928
    - - C:\Windows\SysWOW64\taskkill.exe
        
        "C:\Windows\system32\taskkill.exe" /f /im "isupdate.exe"
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:988
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks.exe" /delete /tn * /f
        5⤵
        
        PID:1780
    - - C:\Windows\SysWOW64\sc.exe
        
        "sc.exe" delete isupdate.exe
        5⤵
        Launches sc.exe
        
        PID:4904
    - - C:\Windows\SysWOW64\sc.exe
        
        "sc.exe" delete ISUSPM.exe
        5⤵
        Launches sc.exe
        
        PID:3436
    - - C:\Windows\SysWOW64\sc.exe
        
        "sc.exe" delete msiupd.exe
        5⤵
        Launches sc.exe
        
        PID:2512
    - - C:\Windows\SysWOW64\sc.exe
        
        "sc.exe" delete router.exe
        5⤵
        Launches sc.exe
        
        PID:4988
    - - C:\Windows\SysWOW64\sc.exe
        
        "sc.exe" delete Updater.exe
        5⤵
        Launches sc.exe
        
        PID:3920
    - - C:\Windows\SysWOW64\sc.exe
        
        "sc.exe" delete updatesvc.exe
        5⤵
        Launches sc.exe
        
        PID:1972
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks.exe" /Create /F /SC ONLOGON /RL HIGHEST /TN "KMSpico Automatic Update Scheduler" /TR "\"C:\Program Files\KMSpico\KMSUPD.exe\"
        5⤵
        Creates scheduled task(s)
        
        PID:3468
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks.exe" /Create /F /SC WEEKLY /D WED,SUN /ST 12:00 /RL HIGHEST /TN "Optimize Thumbnail Cache" /TR "\"C:\Program Files (x86)\Common Files\installshield\engine\8\intel 32\isupdate.exe\"
        5⤵
        Creates scheduled task(s)
        
        PID:1520
    - - C:\Users\Admin\AppData\Local\Temp\is-75BB6.tmp\_setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-75BB6.tmp\_setup.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1428
      - C:\Users\Admin\AppData\Local\Temp\is-529J9.tmp\_setup.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-529J9.tmp\_setup.tmp" /SL5="$20160,2952592,69120,C:\Users\Admin\AppData\Local\Temp\is-75BB6.tmp\_setup.exe"
        6⤵
        Executes dropped EXE
        Enumerates connected drives
        Drops file in System32 directory
        Drops file in Program Files directory
        Modifies Internet Explorer Phishing Filter
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of FindShellTrayWindow
        
        PID:4144
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /C ""C:\Program Files\KMSpico\scripts\Install_Service.cmd""
        7⤵
        
        PID:996
        
        C:\Windows\system32\sc.exe
        
        sc create "Service KMSELDI" binPath= "C:\Program Files\KMSpico\Service_KMS.exe" type= own error= normal start= auto DisplayName= "Service KMSELDI"
        8⤵
        Launches sc.exe
        
        PID:1088
        
        C:\Program Files\KMSpico\UninsHs.exe
        
        "C:\Program Files\KMSpico\UninsHs.exe" /r0=KMSpico,default,C:\Users\Admin\AppData\Local\Temp\is-75BB6.tmp\_setup.exe
        7⤵
        Executes dropped EXE
        
        PID:2704
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /C ""C:\Program Files\KMSpico\scripts\Install_Task.cmd""
        7⤵
        
        PID:2444
        
        C:\Windows\system32\schtasks.exe
        
        SCHTASKS /Create /TN "AutoPico Daily Restart" /TR "'C:\Program Files\KMSpico\AutoPico.exe' /silent" /SC DAILY /ST 23:59:59 /RU "NT AUTHORITY\SYSTEM" /RL Highest /F
        8⤵
        Creates scheduled task(s)
        
        PID:3460
        
        C:\Program Files\KMSpico\KMSELDI.exe
        
        "C:\Program Files\KMSpico\KMSELDI.exe" /silent /backup
        7⤵
        Sets file execution options in registry
        Executes dropped EXE
        Drops file in Program Files directory
        Drops file in Windows directory
        Modifies Control Panel
        Modifies data under HKEY_USERS
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1464
        
        C:\Program Files\KMSpico\AutoPico.exe
        
        "C:\Program Files\KMSpico\AutoPico.exe" /silent
        7⤵
        Sets file execution options in registry
        Executes dropped EXE
        Modifies Control Panel
        Modifies data under HKEY_USERS
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4284
    - - C:\Windows\SysWOW64\CheckNetIsolation.exe
        
        "C:\Windows\system32\CheckNetIsolation.exe" LoopbackExempt -a -n=1527c705-839a-4832-9118-54d4Bd6a0c89_cw5n1h2txyewy
        5⤵
        
        PID:1456
    - - C:\Windows\SysWOW64\CheckNetIsolation.exe
        
        "C:\Windows\system32\CheckNetIsolation.exe" LoopbackExempt -a -n=ActiveSync
        5⤵
        
        PID:2340
    - - C:\Windows\SysWOW64\CheckNetIsolation.exe
        
        "C:\Windows\system32\CheckNetIsolation.exe" LoopbackExempt -a -n=c5e2524a-ea46-4f67-841f-6a9465d9d515_cw5n1h2txyewy
        5⤵
        
        PID:4824
    - - C:\Windows\SysWOW64\CheckNetIsolation.exe
        
        "C:\Windows\system32\CheckNetIsolation.exe" LoopbackExempt -a -n=E2A4F912-2574-4A75-9BB0-0D023378592B_cw5n1h2txyewy
        5⤵
        
        PID:224
    - - C:\Windows\SysWOW64\CheckNetIsolation.exe
        
        "C:\Windows\system32\CheckNetIsolation.exe" LoopbackExempt -a -n=F46D4000-FD22-4DB4-AC8E-4E1DDDE828FE_cw5n1h2txyewy
        5⤵
        
        PID:3212
    - - C:\Windows\SysWOW64\CheckNetIsolation.exe
        
        "C:\Windows\system32\CheckNetIsolation.exe" LoopbackExempt -a -n=Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy
        5⤵
        
        PID:4160
    - - C:\Windows\SysWOW64\CheckNetIsolation.exe
        
        "C:\Windows\system32\CheckNetIsolation.exe" LoopbackExempt -a -n=Microsoft.AccountsControl_cw5n1h2txyewy
        5⤵
        
        PID:2092
    - - C:\Windows\SysWOW64\CheckNetIsolation.exe
        
        "C:\Windows\system32\CheckNetIsolation.exe" LoopbackExempt -a -n=Microsoft.AsyncTextService_8wekyb3d8bbwe
        5⤵
        
        PID:2860
    - - C:\Windows\SysWOW64\CheckNetIsolation.exe
        
        "C:\Windows\system32\CheckNetIsolation.exe" LoopbackExempt -a -n=Microsoft.BioEnrollment_cw5n1h2txyewy
        5⤵
        
        PID:1232
    - - C:\Windows\SysWOW64\CheckNetIsolation.exe
        
        "C:\Windows\system32\CheckNetIsolation.exe" LoopbackExempt -a -n=Microsoft.CredDialogHost_cw5n1h2txyewy
        5⤵
        
        PID:4740
    - - C:\Windows\SysWOW64\CheckNetIsolation.exe
        
        "C:\Windows\system32\CheckNetIsolation.exe" LoopbackExempt -a -n=Microsoft.ECApp_8wekyb3d8bbwe
        5⤵
        
        PID:3392
    - - C:\Windows\SysWOW64\CheckNetIsolation.exe
        
        "C:\Windows\system32\CheckNetIsolation.exe" LoopbackExempt -a -n=Microsoft.LockApp_cw5n1h2txyewy
        5⤵
        
        PID:4428
    - - C:\Windows\SysWOW64\CheckNetIsolation.exe
        
        "C:\Windows\system32\CheckNetIsolation.exe" LoopbackExempt -a -n=Microsoft.MicrosoftEdgeDevToolsClient_8wekyb3d8bbwe
        5⤵
        
        PID:4080
    - - C:\Windows\SysWOW64\CheckNetIsolation.exe
        
        "C:\Windows\system32\CheckNetIsolation.exe" LoopbackExempt -a -n=Microsoft.MicrosoftEdge_8wekyb3d8bbwe
        5⤵
        
        PID:3844
    - - C:\Windows\SysWOW64\CheckNetIsolation.exe
        
        "C:\Windows\system32\CheckNetIsolation.exe" LoopbackExempt -a -n=Microsoft.VCLibs.140.00_8wekyb3d8bbwe
        5⤵
        
        PID:3704
    - - C:\Windows\SysWOW64\CheckNetIsolation.exe
        
        "C:\Windows\system32\CheckNetIsolation.exe" LoopbackExempt -a -n=Microsoft.Win32WebViewHost_cw5n1h2txyewy
        5⤵
        
        PID:1740
    - - C:\Windows\SysWOW64\CheckNetIsolation.exe
        
        "C:\Windows\system32\CheckNetIsolation.exe" LoopbackExempt -a -n=Microsoft.Windows.Apprep.ChxApp_cw5n1h2txyewy
        5⤵
        
        PID:4100
    - - C:\Windows\SysWOW64\CheckNetIsolation.exe
        
        "C:\Windows\system32\CheckNetIsolation.exe" LoopbackExempt -a -n=Microsoft.Windows.AssignedAccessLockApp_cw5n1h2txyewy
        5⤵
        
        PID:3080
    - - C:\Windows\SysWOW64\CheckNetIsolation.exe
        
        "C:\Windows\system32\CheckNetIsolation.exe" LoopbackExempt -a -n=Microsoft.Windows.CallingShellApp_cw5n1h2txyewy
        5⤵
        
        PID:1400
    - - C:\Windows\SysWOW64\CheckNetIsolation.exe
        
        "C:\Windows\system32\CheckNetIsolation.exe" LoopbackExempt -a -n=Microsoft.Windows.CapturePicker_cw5n1h2txyewy
        5⤵
        
        PID:2340
    - - C:\Windows\SysWOW64\CheckNetIsolation.exe
        
        "C:\Windows\system32\CheckNetIsolation.exe" LoopbackExempt -a -n=Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy
        5⤵
        
        PID:1336
    - - C:\Windows\SysWOW64\CheckNetIsolation.exe
        
        "C:\Windows\system32\CheckNetIsolation.exe" LoopbackExempt -a -n=Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy
        5⤵
        
        PID:1276
    - - C:\Windows\SysWOW64\CheckNetIsolation.exe
        
        "C:\Windows\system32\CheckNetIsolation.exe" LoopbackExempt -a -n=Microsoft.Windows.NarratorQuickStart_8wekyb3d8bbwe
        5⤵
        
        PID:4948
    - - C:\Windows\SysWOW64\CheckNetIsolation.exe
        
        "C:\Windows\system32\CheckNetIsolation.exe" LoopbackExempt -a -n=Microsoft.Windows.OOBENetworkCaptivePortal_cw5n1h2txyewy
        5⤵
        
        PID:3812
    - - C:\Windows\SysWOW64\CheckNetIsolation.exe
        
        "C:\Windows\system32\CheckNetIsolation.exe" LoopbackExempt -a -n=Microsoft.Windows.OOBENetworkConnectionFlow_cw5n1h2txyewy
        5⤵
        
        PID:4180
    - - C:\Windows\SysWOW64\CheckNetIsolation.exe
        
        "C:\Windows\system32\CheckNetIsolation.exe" LoopbackExempt -a -n=Microsoft.Windows.ParentalControls_cw5n1h2txyewy
        5⤵
        
        PID:2860
    - - C:\Windows\SysWOW64\CheckNetIsolation.exe
        
        "C:\Windows\system32\CheckNetIsolation.exe" LoopbackExempt -a -n=Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy
        5⤵
        
        PID:4860
    - - C:\Windows\SysWOW64\CheckNetIsolation.exe
        
        "C:\Windows\system32\CheckNetIsolation.exe" LoopbackExempt -a -n=Microsoft.Windows.PinningConfirmationDialog_cw5n1h2txyewy
        5⤵
        
        PID:4952
    - - C:\Windows\SysWOW64\CheckNetIsolation.exe
        
        "C:\Windows\system32\CheckNetIsolation.exe" LoopbackExempt -a -n=Microsoft.Windows.Search_cw5n1h2txyewy
        5⤵
        
        PID:3288
    - - C:\Windows\SysWOW64\CheckNetIsolation.exe
        
        "C:\Windows\system32\CheckNetIsolation.exe" LoopbackExempt -a -n=Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy
        5⤵
        
        PID:3660
    - - C:\Windows\SysWOW64\CheckNetIsolation.exe
        
        "C:\Windows\system32\CheckNetIsolation.exe" LoopbackExempt -a -n=Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy
        5⤵
        
        PID:4968
    - - C:\Windows\SysWOW64\CheckNetIsolation.exe
        
        "C:\Windows\system32\CheckNetIsolation.exe" LoopbackExempt -a -n=Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy
        5⤵
        
        PID:2044
    - - C:\Windows\SysWOW64\CheckNetIsolation.exe
        
        "C:\Windows\system32\CheckNetIsolation.exe" LoopbackExempt -a -n=Microsoft.Windows.XGpuEjectDialog_cw5n1h2txyewy
        5⤵
        
        PID:2520
    - - C:\Windows\SysWOW64\CheckNetIsolation.exe
        
        "C:\Windows\system32\CheckNetIsolation.exe" LoopbackExempt -a -n=Microsoft.XboxGameCallableUI_cw5n1h2txyewy
        5⤵
        
        PID:3456
    - - C:\Windows\SysWOW64\CheckNetIsolation.exe
        
        "C:\Windows\system32\CheckNetIsolation.exe" LoopbackExempt -a -n=MicrosoftWindows.Client.CBS_cw5n1h2txyewy
        5⤵
        
        PID:916
    - - C:\Windows\SysWOW64\CheckNetIsolation.exe
        
        "C:\Windows\system32\CheckNetIsolation.exe" LoopbackExempt -a -n=MicrosoftWindows.UndockedDevKit_cw5n1h2txyewy
        5⤵
        
        PID:3008
    - - C:\Windows\SysWOW64\CheckNetIsolation.exe
        
        "C:\Windows\system32\CheckNetIsolation.exe" LoopbackExempt -a -n=NcsiUwpApp_8wekyb3d8bbwe
        5⤵
        
        PID:676
    - - C:\Windows\SysWOW64\CheckNetIsolation.exe
        
        "C:\Windows\system32\CheckNetIsolation.exe" LoopbackExempt -a -n=Windows.CBSPreview_cw5n1h2txyewy
        5⤵
        
        PID:2332
    - - C:\Windows\SysWOW64\CheckNetIsolation.exe
        
        "C:\Windows\system32\CheckNetIsolation.exe" LoopbackExempt -a -n=windows.immersivecontrolpanel_cw5n1h2txyewy
        5⤵
        
        PID:4716
    - - C:\Windows\SysWOW64\CheckNetIsolation.exe
        
        "C:\Windows\system32\CheckNetIsolation.exe" LoopbackExempt -a -n=Windows.PrintDialog_cw5n1h2txyewy
        5⤵
        
        PID:3540
    - - C:\Windows\SysWOW64\CheckNetIsolation.exe
        
        "C:\Windows\system32\CheckNetIsolation.exe" LoopbackExempt -a -n=windows_ie_ac_001
        5⤵
        
        PID:2796

C:\Windows\SECOH-QAD.exe
C:\Windows\SECOH-QAD.exe C:\Windows\system32\SppExtComObj.exe -Embedding
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:880
- C:\Windows\system32\SppExtComObj.exe
  C:\Windows\system32\SppExtComObj.exe -Embedding
  2⤵
  - Loads dropped DLL
  - Modifies data under HKEY_USERS
  PID:5000
- - C:\Windows\System32\SLUI.exe
    "C:\Windows\System32\SLUI.exe" RuleId=eeba1977-569e-4571-b639-7623d8bfecc0;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=2de67392-b7a7-462a-b1ca-108dd189f588;NotificationInterval=1440;Trigger=TimerEvent
    3⤵
    PID:1668
- - C:\Windows\System32\SLUI.exe
    "C:\Windows\System32\SLUI.exe" RuleId=379cccfb-d4e0-48fe-b0f2-0136097be147;Action=CleanupState;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=2de67392-b7a7-462a-b1ca-108dd189f588;Trigger=TimerEvent
    3⤵
    PID:1672

C:\Program Files\KMSpico\KMSELDI.exe
"C:\Program Files\KMSpico\KMSELDI.exe"
1⤵
- Sets file execution options in registry
- Executes dropped EXE
- Modifies Control Panel
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:4312

C:\Windows\system32\rundll32.exe
C:\Windows\system32\rundll32.exe C:\Windows\system32\PcaSvc.dll,PcaPatchSdbTask
1⤵
PID:4300

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x530 0x52c
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3828

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

Persistence

Modify Existing Service

T1031

New Service

T1050

Registry Run Keys / Startup Folder

T1060

Scheduled Task

Privilege Escalation

New Service

T1050

Scheduled Task

Defense Evasion

Impair Defenses

T1562

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

System Information Discovery