Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Overview
overview
8Static
static
7Activator/...ot.cmd
windows7-x64
1Activator/...ot.cmd
windows10-2004-x64
8Activator/...or.cmd
windows7-x64
8Activator/...or.cmd
windows10-2004-x64
8Activator/...ce.cmd
windows7-x64
8Activator/...ce.cmd
windows10-2004-x64
8Activator/...ws.cmd
windows7-x64
1Activator/...ws.cmd
windows10-2004-x64
8Activator/...TO.exe
windows7-x64
7Activator/...TO.exe
windows10-2004-x64
7Activator/...or.lnk
windows7-x64
1Activator/...or.lnk
windows10-2004-x64
1Activator/...er.exe
windows7-x64
1Activator/...er.exe
windows10-2004-x64
1Activator/...it.exe
windows7-x64
7Activator/...it.exe
windows10-2004-x64
7mini-KMS_A...NG.exe
windows7-x64
7mini-KMS_A...NG.exe
windows10-2004-x64
7mini-KMS_A...US.exe
windows7-x64
7mini-KMS_A...US.exe
windows10-2004-x64
7Analysis
-
max time kernel
130s -
max time network
199s -
platform
windows10-2004_x64 -
resource
win10v2004-20231020-en -
resource tags
arch:x64arch:x86image:win10v2004-20231020-enlocale:en-usos:windows10-2004-x64system -
submitted
07/11/2023, 14:32
Behavioral task
behavioral1
Sample
Activator/ActivationNextBoot.cmd
Resource
win7-20231023-en
Behavioral task
behavioral2
Sample
Activator/ActivationNextBoot.cmd
Resource
win10v2004-20231023-en
Behavioral task
behavioral3
Sample
Activator/Activator.cmd
Resource
win7-20231020-en
Behavioral task
behavioral4
Sample
Activator/Activator.cmd
Resource
win10v2004-20231023-en
Behavioral task
behavioral5
Sample
Activator/ActivatorOffice.cmd
Resource
win7-20231020-en
Behavioral task
behavioral6
Sample
Activator/ActivatorOffice.cmd
Resource
win10v2004-20231020-en
Behavioral task
behavioral7
Sample
Activator/ActivatorWindows.cmd
Resource
win7-20231020-en
Behavioral task
behavioral8
Sample
Activator/ActivatorWindows.cmd
Resource
win10v2004-20231023-en
Behavioral task
behavioral9
Sample
Activator/KMSAuto/KMSAUTO.exe
Resource
win7-20231020-en
Behavioral task
behavioral10
Sample
Activator/KMSAuto/KMSAUTO.exe
Resource
win10v2004-20231023-en
Behavioral task
behavioral11
Sample
Activator/KMSAuto/KMSAuto - Windows & Office Activator.lnk
Resource
win7-20231020-en
Behavioral task
behavioral12
Sample
Activator/KMSAuto/KMSAuto - Windows & Office Activator.lnk
Resource
win10v2004-20231020-en
Behavioral task
behavioral13
Sample
Activator/KMSAuto/KMSCleaner.exe
Resource
win7-20231023-en
Behavioral task
behavioral14
Sample
Activator/KMSAuto/KMSCleaner.exe
Resource
win10v2004-20231023-en
Behavioral task
behavioral15
Sample
Activator/KMSAuto/Wait.exe
Resource
win7-20231020-en
Behavioral task
behavioral16
Sample
Activator/KMSAuto/Wait.exe
Resource
win10v2004-20231025-en
Behavioral task
behavioral17
Sample
mini-KMS_Activator_v1.1_Office.2010.VL.ENG.exe
Resource
win7-20231025-en
Behavioral task
behavioral18
Sample
mini-KMS_Activator_v1.1_Office.2010.VL.ENG.exe
Resource
win10v2004-20231025-en
Behavioral task
behavioral19
Sample
mini-KMS_Activator_v1.1_Office.2010.VL.RUS.exe
Resource
win7-20231025-en
Behavioral task
behavioral20
Sample
mini-KMS_Activator_v1.1_Office.2010.VL.RUS.exe
Resource
win10v2004-20231020-en
General
-
Target
Activator/ActivatorOffice.cmd
-
Size
1KB
-
MD5
ebbf03821a2ea04ec5fb06f48675c239
-
SHA1
154f3c4ab5bb3e46d22bbdc8f838328bdd787953
-
SHA256
95c71bf19deb184b03124b3dbbcbbe0c98e9591eaaf249ace0eeec87ed9cb75a
-
SHA512
6da1d2459e2428801c7405035dc5473a29b9246bec7373e92a7c96e26dcc6920359ea8b65fe7943413842c68e60750449ba5e4d6f67509e369e21dd21cde0f7d
Malware Config
Signatures
-
Creates new service(s) 1 TTPs
-
Modifies Windows Firewall 1 TTPs 4 IoCs
pid Process 2240 netsh.exe 3584 netsh.exe 1488 netsh.exe 1192 netsh.exe -
Sets service image path in registry 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\KMSEmulator\ImagePath = "\"C:\\Windows\\Temp\\KMSAuto\\bin\\KMSSS.exe\" -Port 1688 -PWin 05426-00206-471-254040-03-1049-14393.0000-2242016 -PO14 RandomKMSPID -PO15 RandomKMSPID -PO16 RandomKMSPID -AI 43200 -RI 43200 KillProcessOnPort -Hwid DD279A0090B8D83E\uff00" KMSAUTO.EXE -
Stops running service(s) 3 TTPs
-
Executes dropped EXE 4 IoCs
pid Process 4676 bin.dat 1348 KMSSS.exe 944 bin_x64.dat 4460 FakeClient.exe -
Loads dropped DLL 2 IoCs
pid Process 4460 FakeClient.exe 4460 FakeClient.exe -
resource yara_rule behavioral6/memory/3696-2-0x0000000000400000-0x00000000004C2000-memory.dmp upx behavioral6/memory/3696-19-0x0000000000400000-0x00000000004C2000-memory.dmp upx behavioral6/memory/3696-18-0x0000000000400000-0x00000000004C2000-memory.dmp upx behavioral6/memory/3696-44-0x0000000000400000-0x00000000004C2000-memory.dmp upx behavioral6/memory/3696-47-0x0000000000400000-0x00000000004C2000-memory.dmp upx behavioral6/memory/3696-49-0x0000000000400000-0x00000000004C2000-memory.dmp upx behavioral6/memory/3696-51-0x0000000000400000-0x00000000004C2000-memory.dmp upx -
AutoIT Executable 6 IoCs
AutoIT scripts compiled to PE executables.
resource yara_rule behavioral6/memory/3696-19-0x0000000000400000-0x00000000004C2000-memory.dmp autoit_exe behavioral6/memory/3696-18-0x0000000000400000-0x00000000004C2000-memory.dmp autoit_exe behavioral6/memory/3696-44-0x0000000000400000-0x00000000004C2000-memory.dmp autoit_exe behavioral6/memory/3696-47-0x0000000000400000-0x00000000004C2000-memory.dmp autoit_exe behavioral6/memory/3696-49-0x0000000000400000-0x00000000004C2000-memory.dmp autoit_exe behavioral6/memory/3696-51-0x0000000000400000-0x00000000004C2000-memory.dmp autoit_exe -
Drops file in Windows directory 7 IoCs
description ioc Process File opened for modification C:\Windows\setupact.log FakeClient.exe File opened for modification C:\Windows\setuperr.log FakeClient.exe File created C:\Windows\KMSAuto.xml KMSAUTO.EXE File created C:\Windows\KMSAuto.exe KMSAUTO.EXE File opened for modification C:\Windows\KMSAuto.exe KMSAUTO.EXE File created C:\Windows\KMSAutoLite.ini KMSAUTO.EXE File opened for modification C:\Windows\KMSAuto.xml KMSAUTO.EXE -
Launches sc.exe 6 IoCs
Sc.exe is a Windows utlilty to control services on the system.
pid Process 3356 sc.exe 4416 sc.exe 972 sc.exe 1048 sc.exe 4396 sc.exe 1624 sc.exe -
Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 1740 schtasks.exe 1128 schtasks.exe 3480 schtasks.exe -
Kills process with taskkill 1 IoCs
pid Process 5036 taskkill.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 3696 Wait.exe 3696 Wait.exe 3696 Wait.exe 3696 Wait.exe 3696 Wait.exe 3696 Wait.exe 3696 Wait.exe 3696 Wait.exe 3696 Wait.exe 3696 Wait.exe 3696 Wait.exe 3696 Wait.exe 3696 Wait.exe 3696 Wait.exe 3696 Wait.exe 3696 Wait.exe 3696 Wait.exe 3696 Wait.exe 3696 Wait.exe 3696 Wait.exe 3696 Wait.exe 3696 Wait.exe 3696 Wait.exe 3696 Wait.exe 3696 Wait.exe 3696 Wait.exe 3696 Wait.exe 3696 Wait.exe 3696 Wait.exe 3696 Wait.exe 3696 Wait.exe 3696 Wait.exe 3696 Wait.exe 3696 Wait.exe 3696 Wait.exe 3696 Wait.exe 3696 Wait.exe 3696 Wait.exe 3696 Wait.exe 3696 Wait.exe 3696 Wait.exe 3696 Wait.exe 3696 Wait.exe 3696 Wait.exe 3696 Wait.exe 3696 Wait.exe 3696 Wait.exe 3696 Wait.exe 3696 Wait.exe 3696 Wait.exe 3696 Wait.exe 3696 Wait.exe 3696 Wait.exe 3696 Wait.exe 3696 Wait.exe 3696 Wait.exe 3696 Wait.exe 3696 Wait.exe 3696 Wait.exe 3696 Wait.exe 3696 Wait.exe 3696 Wait.exe 3696 Wait.exe 3696 Wait.exe -
Suspicious behavior: LoadsDriver 1 IoCs
pid Process 660 Process not Found -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 5036 taskkill.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2016 wrote to memory of 1128 2016 cmd.exe 89 PID 2016 wrote to memory of 1128 2016 cmd.exe 89 PID 2016 wrote to memory of 3592 2016 cmd.exe 90 PID 2016 wrote to memory of 3592 2016 cmd.exe 90 PID 2016 wrote to memory of 3592 2016 cmd.exe 90 PID 2016 wrote to memory of 3696 2016 cmd.exe 92 PID 2016 wrote to memory of 3696 2016 cmd.exe 92 PID 2016 wrote to memory of 3696 2016 cmd.exe 92 PID 3592 wrote to memory of 4272 3592 KMSAUTO.EXE 93 PID 3592 wrote to memory of 4272 3592 KMSAUTO.EXE 93 PID 3592 wrote to memory of 2868 3592 KMSAUTO.EXE 95 PID 3592 wrote to memory of 2868 3592 KMSAUTO.EXE 95 PID 3592 wrote to memory of 1048 3592 KMSAUTO.EXE 97 PID 3592 wrote to memory of 1048 3592 KMSAUTO.EXE 97 PID 1048 wrote to memory of 5032 1048 cmd.exe 99 PID 1048 wrote to memory of 5032 1048 cmd.exe 99 PID 3592 wrote to memory of 464 3592 KMSAUTO.EXE 101 PID 3592 wrote to memory of 464 3592 KMSAUTO.EXE 101 PID 464 wrote to memory of 1396 464 cmd.exe 103 PID 464 wrote to memory of 1396 464 cmd.exe 103 PID 3592 wrote to memory of 2060 3592 KMSAUTO.EXE 104 PID 3592 wrote to memory of 2060 3592 KMSAUTO.EXE 104 PID 2060 wrote to memory of 3480 2060 cmd.exe 106 PID 2060 wrote to memory of 3480 2060 cmd.exe 106 PID 3592 wrote to memory of 1520 3592 KMSAUTO.EXE 107 PID 3592 wrote to memory of 1520 3592 KMSAUTO.EXE 107 PID 3592 wrote to memory of 2972 3592 KMSAUTO.EXE 109 PID 3592 wrote to memory of 2972 3592 KMSAUTO.EXE 109 PID 2972 wrote to memory of 2112 2972 cmd.exe 111 PID 2972 wrote to memory of 2112 2972 cmd.exe 111 PID 3592 wrote to memory of 2120 3592 KMSAUTO.EXE 114 PID 3592 wrote to memory of 2120 3592 KMSAUTO.EXE 114 PID 2120 wrote to memory of 4676 2120 cmd.exe 116 PID 2120 wrote to memory of 4676 2120 cmd.exe 116 PID 2120 wrote to memory of 4676 2120 cmd.exe 116 PID 3592 wrote to memory of 4420 3592 KMSAUTO.EXE 117 PID 3592 wrote to memory of 4420 3592 KMSAUTO.EXE 117 PID 4420 wrote to memory of 1192 4420 cmd.exe 119 PID 4420 wrote to memory of 1192 4420 cmd.exe 119 PID 3592 wrote to memory of 1920 3592 KMSAUTO.EXE 121 PID 3592 wrote to memory of 1920 3592 KMSAUTO.EXE 121 PID 1920 wrote to memory of 2240 1920 cmd.exe 123 PID 1920 wrote to memory of 2240 1920 cmd.exe 123 PID 3592 wrote to memory of 2076 3592 KMSAUTO.EXE 124 PID 3592 wrote to memory of 2076 3592 KMSAUTO.EXE 124 PID 2076 wrote to memory of 3356 2076 cmd.exe 126 PID 2076 wrote to memory of 3356 2076 cmd.exe 126 PID 3592 wrote to memory of 2284 3592 KMSAUTO.EXE 128 PID 3592 wrote to memory of 2284 3592 KMSAUTO.EXE 128 PID 2284 wrote to memory of 4416 2284 cmd.exe 129 PID 2284 wrote to memory of 4416 2284 cmd.exe 129 PID 3592 wrote to memory of 4744 3592 KMSAUTO.EXE 132 PID 3592 wrote to memory of 4744 3592 KMSAUTO.EXE 132 PID 4744 wrote to memory of 944 4744 cmd.exe 133 PID 4744 wrote to memory of 944 4744 cmd.exe 133 PID 4744 wrote to memory of 944 4744 cmd.exe 133 PID 3592 wrote to memory of 4896 3592 KMSAUTO.EXE 134 PID 3592 wrote to memory of 4896 3592 KMSAUTO.EXE 134 PID 4896 wrote to memory of 3868 4896 cmd.exe 136 PID 4896 wrote to memory of 3868 4896 cmd.exe 136 PID 3592 wrote to memory of 4460 3592 KMSAUTO.EXE 137 PID 3592 wrote to memory of 4460 3592 KMSAUTO.EXE 137 PID 3592 wrote to memory of 3572 3592 KMSAUTO.EXE 140 PID 3592 wrote to memory of 3572 3592 KMSAUTO.EXE 140 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Activator\ActivatorOffice.cmd"1⤵
- Suspicious use of WriteProcessMemory
PID:2016 -
C:\Windows\system32\schtasks.exeschtasks /create /f /xml "C:\Users\Admin\AppData\Local\Temp\Activator\ActivationNextBoot.xml" /TN "ActivationNextBoot"2⤵
- Creates scheduled task(s)
PID:1128
-
-
C:\Users\Admin\AppData\Local\Temp\Activator\KMSAuto\KMSAUTO.EXE"C:\Users\Admin\AppData\Local\Temp\Activator\KMSAuto\KMSAuto.exe" /ofs=act /sched=ofs /ofsgvlk=inst /ofs=conv2⤵
- Sets service image path in registry
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:3592 -
C:\Windows\system32\cmd.exe"C:\Windows\Sysnative\cmd.exe" /c copy C:\Windows\system32\Tasks\KMSAuto "C:\Users\Admin\AppData\Local\Temp\KMSAuto.tmp" /Y3⤵PID:4272
-
-
C:\Windows\system32\cmd.exe"C:\Windows\Sysnative\cmd.exe" /c copy C:\Windows\system32\Tasks\KMSAuto "C:\Users\Admin\AppData\Local\Temp\KMSAuto.tmp" /Y3⤵PID:2868
-
-
C:\Windows\system32\cmd.exe"C:\Windows\Sysnative\cmd.exe" /c schtasks.exe /end /TN KMSAuto3⤵
- Suspicious use of WriteProcessMemory
PID:1048 -
C:\Windows\system32\schtasks.exeschtasks.exe /end /TN KMSAuto4⤵PID:5032
-
-
-
C:\Windows\system32\cmd.exe"C:\Windows\Sysnative\cmd.exe" /c schtasks.exe /delete /TN KMSAuto /F3⤵
- Suspicious use of WriteProcessMemory
PID:464 -
C:\Windows\system32\schtasks.exeschtasks.exe /delete /TN KMSAuto /F4⤵PID:1396
-
-
-
C:\Windows\system32\cmd.exe"C:\Windows\Sysnative\cmd.exe" /c schtasks.exe /create /TN KMSAuto /XML C:\Windows\KMSAuto.xml3⤵
- Suspicious use of WriteProcessMemory
PID:2060 -
C:\Windows\system32\schtasks.exeschtasks.exe /create /TN KMSAuto /XML C:\Windows\KMSAuto.xml4⤵
- Creates scheduled task(s)
PID:3480
-
-
-
C:\Windows\system32\cmd.exe"C:\Windows\Sysnative\cmd.exe" /c copy C:\Windows\system32\Tasks\KMSAuto "C:\Users\Admin\AppData\Local\Temp\KMSAuto.tmp" /Y3⤵PID:1520
-
-
C:\Windows\system32\cmd.exe"C:\Windows\Sysnative\cmd.exe" /c cscript.exe C:\Windows\Temp\KMSAuto\bin\KMSactivator.vbs //NoLogo /KEY:OFS3⤵
- Suspicious use of WriteProcessMemory
PID:2972 -
C:\Windows\system32\cscript.execscript.exe C:\Windows\Temp\KMSAuto\bin\KMSactivator.vbs //NoLogo /KEY:OFS4⤵PID:2112
-
-
-
C:\Windows\system32\cmd.exe"C:\Windows\Sysnative\cmd.exe" /c bin.dat -y -pkmsauto3⤵
- Suspicious use of WriteProcessMemory
PID:2120 -
C:\Windows\Temp\KMSAuto\bin.datbin.dat -y -pkmsauto4⤵
- Executes dropped EXE
PID:4676
-
-
-
C:\Windows\system32\cmd.exe"C:\Windows\Sysnative\cmd.exe" /c Netsh.exe Advfirewall Firewall delete rule name=0pen_Port_KMS protocol=TCP3⤵
- Suspicious use of WriteProcessMemory
PID:4420 -
C:\Windows\system32\netsh.exeNetsh.exe Advfirewall Firewall delete rule name=0pen_Port_KMS protocol=TCP4⤵
- Modifies Windows Firewall
PID:1192
-
-
-
C:\Windows\system32\cmd.exe"C:\Windows\Sysnative\cmd.exe" /c Netsh.exe Advfirewall Firewall add rule name=0pen_Port_KMS dir=in action=allow protocol=TCP localport=16883⤵
- Suspicious use of WriteProcessMemory
PID:1920 -
C:\Windows\system32\netsh.exeNetsh.exe Advfirewall Firewall add rule name=0pen_Port_KMS dir=in action=allow protocol=TCP localport=16884⤵
- Modifies Windows Firewall
PID:2240
-
-
-
C:\Windows\system32\cmd.exe"C:\Windows\Sysnative\cmd.exe" /c sc.exe create KMSEmulator binpath= temp.exe type= own start= auto3⤵
- Suspicious use of WriteProcessMemory
PID:2076 -
C:\Windows\system32\sc.exesc.exe create KMSEmulator binpath= temp.exe type= own start= auto4⤵
- Launches sc.exe
PID:3356
-
-
-
C:\Windows\system32\cmd.exe"C:\Windows\Sysnative\cmd.exe" /c sc.exe start KMSEmulator3⤵
- Suspicious use of WriteProcessMemory
PID:2284 -
C:\Windows\system32\sc.exesc.exe start KMSEmulator4⤵
- Launches sc.exe
PID:4416
-
-
-
C:\Windows\system32\cmd.exe"C:\Windows\Sysnative\cmd.exe" /c bin_x64.dat -y -pkmsauto3⤵
- Suspicious use of WriteProcessMemory
PID:4744 -
C:\Windows\Temp\KMSAuto\bin_x64.datbin_x64.dat -y -pkmsauto4⤵
- Executes dropped EXE
PID:944
-
-
-
C:\Windows\system32\cmd.exe"C:\Windows\Sysnative\cmd.exe" /c route.exe -p add 43.199.130.184 0.0.0.0 IF 13⤵
- Suspicious use of WriteProcessMemory
PID:4896 -
C:\Windows\system32\ROUTE.EXEroute.exe -p add 43.199.130.184 0.0.0.0 IF 14⤵PID:3868
-
-
-
C:\Windows\Temp\KMSAuto\bin\driver\x64WDV\FakeClient.exe"FakeClient.exe" 43.199.130.1843⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
PID:4460
-
-
C:\Windows\system32\cmd.exe"C:\Windows\Sysnative\cmd.exe" /c cscript.exe C:\Windows\Temp\KMSAuto\bin\KMSactivator.vbs //NoLogo /ADR:43.199.130.184 /PRT:1688 /PWN:1688 /P10:1688 /P13:1688 /ACT:OFS3⤵PID:3572
-
C:\Windows\system32\cscript.execscript.exe C:\Windows\Temp\KMSAuto\bin\KMSactivator.vbs //NoLogo /ADR:43.199.130.184 /PRT:1688 /PWN:1688 /P10:1688 /P13:1688 /ACT:OFS4⤵PID:2072
-
-
-
C:\Windows\system32\cmd.exe"C:\Windows\Sysnative\cmd.exe" /c sc.exe stop KMSEmulator3⤵PID:2768
-
C:\Windows\system32\sc.exesc.exe stop KMSEmulator4⤵
- Launches sc.exe
PID:972
-
-
-
C:\Windows\system32\cmd.exe"C:\Windows\Sysnative\cmd.exe" /c sc.exe delete KMSEmulator3⤵PID:4416
-
C:\Windows\system32\sc.exesc.exe delete KMSEmulator4⤵
- Launches sc.exe
PID:1048
-
-
-
C:\Windows\system32\cmd.exe"C:\Windows\Sysnative\cmd.exe" /c route delete 43.199.130.184 0.0.0.03⤵PID:2232
-
C:\Windows\system32\ROUTE.EXEroute delete 43.199.130.184 0.0.0.04⤵PID:4816
-
-
-
C:\Windows\system32\cmd.exe"C:\Windows\Sysnative\cmd.exe" /c taskkill.exe /t /f /IM FakeClient.exe3⤵PID:4316
-
C:\Windows\system32\taskkill.exetaskkill.exe /t /f /IM FakeClient.exe4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:5036
-
-
-
C:\Windows\system32\cmd.exe"C:\Windows\Sysnative\cmd.exe" /c sc.exe stop WinDivert1.13⤵PID:2484
-
C:\Windows\system32\sc.exesc.exe stop WinDivert1.14⤵
- Launches sc.exe
PID:4396
-
-
-
C:\Windows\system32\cmd.exe"C:\Windows\Sysnative\cmd.exe" /c sc.exe delete WinDivert1.13⤵PID:3480
-
C:\Windows\system32\sc.exesc.exe delete WinDivert1.14⤵
- Launches sc.exe
PID:1624
-
-
-
C:\Windows\system32\cmd.exe"C:\Windows\Sysnative\cmd.exe" /c Netsh.exe Advfirewall Firewall delete rule name=0pen_Port_KMS protocol=TCP3⤵PID:684
-
C:\Windows\system32\netsh.exeNetsh.exe Advfirewall Firewall delete rule name=0pen_Port_KMS protocol=TCP4⤵
- Modifies Windows Firewall
PID:3584
-
-
-
C:\Windows\system32\cmd.exe"C:\Windows\Sysnative\cmd.exe" /c Netsh.exe Advfirewall Firewall delete rule name=0pen_Port_KMS2 protocol=TCP3⤵PID:4836
-
C:\Windows\system32\netsh.exeNetsh.exe Advfirewall Firewall delete rule name=0pen_Port_KMS2 protocol=TCP4⤵
- Modifies Windows Firewall
PID:1488
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\Activator\KMSAuto\Wait.exe"C:\Users\Admin\AppData\Local\Temp\Activator\KMSAuto\Wait.exe"2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3696
-
-
C:\Windows\system32\schtasks.exeschtasks /create /f /xml "C:\Users\Admin\AppData\Local\Temp\Activator\KMSAuto\KMSAutoOffice.xml" /TN "KMSAuto"2⤵
- Creates scheduled task(s)
PID:1740
-
-
C:\Windows\Temp\KMSAuto\bin\KMSSS.exe"C:\Windows\Temp\KMSAuto\bin\KMSSS.exe" -Port 1688 -PWin 05426-00206-471-254040-03-1049-14393.0000-2242016 -PO14 RandomKMSPID -PO15 RandomKMSPID -PO16 RandomKMSPID -AI 43200 -RI 43200 KillProcessOnPort -Hwid DD279A0090B8D83E1⤵
- Executes dropped EXE
PID:1348
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
3Windows Service
3Scheduled Task/Job
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
3KB
MD57705817320930b4e3c062c5bc226d0c5
SHA1c0b49652ad56c1d7f80136f2041d7c80bf2bf277
SHA256f7235f8e72834034b858164c09e6bc941a132febae30466aa9dfd7b8cf325888
SHA5120708942e6beb65ed800d4d6e01f57707381553d6417db3b0a4068200e074a8c6da915a07ca46018ca615c831972f321b11f160107d98d782a4c9e52deb441671
-
Filesize
3KB
MD5b1d1b96a65ea2720588fc42787287f0a
SHA1c4f6ee33e424e8136aad018b13b154b35de4a52f
SHA2560ec31708eb1cd663ceca69188f9e1df3538d424ec7bec05a17271faa49b7cccc
SHA512f516dcc2b6ccd5ed0b7958080fec7560f6e8abd34a4a837b8c815325e01448f15ef1350a04c45d2d9712351ed969f7c2e8d77a900a9e0a8f605330577b88e1e2
-
Filesize
166KB
MD5ca62d4125a24ea98f90b8d7b7c92801b
SHA172f50ecc667713b8f357a048a6f621664fd1e361
SHA2569c34f3c2a16c88796170f5c2c9ac3a49cda5d897bd6d9e613cf686fdc3df3d75
SHA512ed94d5947ea11db449d82a7dc26c5a8b73ac1dc42f10ed4f2af6c9fab753b4ea362d08816f058875ec294ce7a00f31531280a84df732b96d0a4e39cccd1dd2f2
-
Filesize
166KB
MD5ca62d4125a24ea98f90b8d7b7c92801b
SHA172f50ecc667713b8f357a048a6f621664fd1e361
SHA2569c34f3c2a16c88796170f5c2c9ac3a49cda5d897bd6d9e613cf686fdc3df3d75
SHA512ed94d5947ea11db449d82a7dc26c5a8b73ac1dc42f10ed4f2af6c9fab753b4ea362d08816f058875ec294ce7a00f31531280a84df732b96d0a4e39cccd1dd2f2
-
Filesize
34KB
MD5be3f826075408b5d6ae7b66a55b4a520
SHA1cb2f05c14c75e140dcf68de310be1e9527f8193d
SHA2569dcf6e361b22730bae0f425393c8f89a8e92b933637a3009fbd0a598d5eb4418
SHA512295eb9c695d25cce3557566eb535c034eaf51de76dfadb9a49533d43d2ccd9735c06106d150c737bbe3d95551850daa08c47c8d16cdbd2874eaacb908211e3f2
-
Filesize
34KB
MD5be3f826075408b5d6ae7b66a55b4a520
SHA1cb2f05c14c75e140dcf68de310be1e9527f8193d
SHA2569dcf6e361b22730bae0f425393c8f89a8e92b933637a3009fbd0a598d5eb4418
SHA512295eb9c695d25cce3557566eb535c034eaf51de76dfadb9a49533d43d2ccd9735c06106d150c737bbe3d95551850daa08c47c8d16cdbd2874eaacb908211e3f2
-
Filesize
82KB
MD51e279e2ef92662bded2c7fd781306a73
SHA170da7979881b6a3b78c655b08de3c2aad8e60a10
SHA256a5c143fa70977717f136327938f52d1ad0dab56b1bbecf0d49bd0a985dfad42a
SHA5128afac7d4f591fe723d9602b54c508a74f15d6568ad4c01aef8eb9bee1862e5e55166f7f6f30468a0f4ed96031e6ecee67d2bb532e62a0b8c6bf8bf274d6c0fd1
-
Filesize
13KB
MD591b75bcf59b2de235214ed47be8a99a5
SHA103129cd21f0bec38069fab1aecd69d6c9c80c13c
SHA256b852614080b267722d1a8201492fcf30bf1904b7fc7ff5084bef8423bc1222e5
SHA51285e9175b21cde5e69e74f5a0fbb5b6f7095779a836d5ff4f6ded662c194e6cf6f63fd29f946632ad9d1fd5d4cfe47501f5cc2717e58c8f0b2c7403ee2945d31b
-
Filesize
13KB
MD591b75bcf59b2de235214ed47be8a99a5
SHA103129cd21f0bec38069fab1aecd69d6c9c80c13c
SHA256b852614080b267722d1a8201492fcf30bf1904b7fc7ff5084bef8423bc1222e5
SHA51285e9175b21cde5e69e74f5a0fbb5b6f7095779a836d5ff4f6ded662c194e6cf6f63fd29f946632ad9d1fd5d4cfe47501f5cc2717e58c8f0b2c7403ee2945d31b
-
Filesize
68KB
MD5be566e174eaf5b93b0474593cd8f2715
SHA1350ca8482be913dd9ca7a279fb5680a884402e26
SHA256cee8496bfa1080fd84fc48ba4375625238900fe93ea739b2dc0300206fde8330
SHA512fc608acd903daf17250b8ee0f2491458cf06eca9856988fce6b8134f8deb2a3716c3641977d24e3614c9abf344184225bffeeb25212d374988115b15d0ce4b5b
-
Filesize
68KB
MD5be566e174eaf5b93b0474593cd8f2715
SHA1350ca8482be913dd9ca7a279fb5680a884402e26
SHA256cee8496bfa1080fd84fc48ba4375625238900fe93ea739b2dc0300206fde8330
SHA512fc608acd903daf17250b8ee0f2491458cf06eca9856988fce6b8134f8deb2a3716c3641977d24e3614c9abf344184225bffeeb25212d374988115b15d0ce4b5b
-
Filesize
16KB
MD53f0c03e5076c7e6b404f894ff4dc5bb1
SHA19cf99c875e6acd4b12e0eddd5fa51d296ea4998e
SHA2564e7ebed8410c83b73a23185aa94680143da2933305cd6deefe8ec0b51b7ee6f3
SHA51220de17d511cc1b3f283a28423f5bdfaef36f104d62c33a1da6449c528d1d8e4986afe8ef68e590add9262c3c7441132022a049022d14deba08a8c72e139f78f4
-
Filesize
16KB
MD53f0c03e5076c7e6b404f894ff4dc5bb1
SHA19cf99c875e6acd4b12e0eddd5fa51d296ea4998e
SHA2564e7ebed8410c83b73a23185aa94680143da2933305cd6deefe8ec0b51b7ee6f3
SHA51220de17d511cc1b3f283a28423f5bdfaef36f104d62c33a1da6449c528d1d8e4986afe8ef68e590add9262c3c7441132022a049022d14deba08a8c72e139f78f4
-
Filesize
151B
MD5a94d989905a248afca52bc3cbfcb248b
SHA1cbb7b37584a58060da6a3dd748f17334384647e7
SHA2566c9f7dea4f9a47788d5d2ba110b08457fd00dbabe4812ebca6f022300843a75d
SHA512864eae03a01ac79917e91913fa7d83847f67f259ce8b5b42853c7ffd9a1f6847b9a4adec4d31a6ec882265fd369214bdbd147c6dc76b89bdf1bb2001046ec43f
-
Filesize
34KB
MD5a0d15d8727d0780c51628df46b7268b3
SHA1c85f24ef961db67c829a676a941cbead24c62b21
SHA2565e23f3ed1d6620c39a644f9879404a22ded86b3b076ec4a898b4b6be244afd64
SHA512a7a6173bc2652d7b45fdc3009d00be9f7d3a9f42ad99cd569bfa2d23902f77866dd3b090f6debb11c802fc85b2230d5321309b0bf50d1dd8665ca8ab19c78361
-
Filesize
197KB
MD5b539aa381715ed2bdec01e33867b1a67
SHA17f71f9adddb2cd532cc311ec2738cced4702c4d5
SHA2562d6141d06a6567e60ca4ecbfbf09a912368bbf37420748b515374b366a305cd9
SHA512fa3e0f3af5631e828e6c65a2778467b8e842ff553d02b6e6b7f2f982fc9138071aad1972b0e5bf72ea525ecc31ce9e832a42b1cf00da5b7a85e441c0c37f73b6
-
Filesize
197KB
MD5b539aa381715ed2bdec01e33867b1a67
SHA17f71f9adddb2cd532cc311ec2738cced4702c4d5
SHA2562d6141d06a6567e60ca4ecbfbf09a912368bbf37420748b515374b366a305cd9
SHA512fa3e0f3af5631e828e6c65a2778467b8e842ff553d02b6e6b7f2f982fc9138071aad1972b0e5bf72ea525ecc31ce9e832a42b1cf00da5b7a85e441c0c37f73b6