e5ec5a26d7f6038fc29136c8d5382ed3a182f64fa70c058d5b7015345693176d

General

Target

Activador 2019/KMSTools.exe
Size

34.5MB
MD5

7dcc580b7546be2871f978db8d313905
SHA1

60d9b7541c661e83664d043f2b7f99a62b10ee84
SHA256

5c2819ebc600adc7fcad0002e6056e824e1af35d1e16334e16199712850a208f
SHA512

dcba8d146e8c30d61828074ceac99dfcc73d52390975df7a29aca9f277fb56ddb8d2f2b02eb99ea328cca15ef24c907f5b03fb5690f5c788e29df7581849b4af
SSDEEP

786432:VMh6YzBjJ7AxVM4Hh0CBS3sHPGtHilqNngktysVidq6igVVRoVl:Kh66PAxV/Hh+3sGilqlToyiU6igQ

Score

8^/10

evasion persistence upx

Malware Config

Signatures

Creates new service(s) 1 TTPs
persistence

Windows Service
T1543.003

Modifies Windows Firewall 2 TTPs 12 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

Processes:

netsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exe

pid	process
1824	netsh.exe
2276	netsh.exe
3880	netsh.exe
764	netsh.exe
2248	netsh.exe
688	netsh.exe
4540	netsh.exe
652	netsh.exe
1912	netsh.exe
896	netsh.exe
2904	netsh.exe
3588	netsh.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

KMSAuto x64.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\KMSEmulator\ImagePath = "\"C:\\Windows\\Temp\\KMSAuto_Files\\bin\\KMSSS.exe\" -Port 1688 -PWin RandomKMSPID -PO14 RandomKMSPID -PO15 RandomKMSPID -PO16 RandomKMSPID -AI 43200 -RI 43200 KillProcessOnPort -Log -IP"	KMSAuto x64.exe

Stops running service(s) 3 TTPs
evasion

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489
Executes dropped EXE 8 IoCs

Processes:

fver.exefver.exefver.exesigntool.exeFakeClient.exeKMSSS.exeFakeClient.exeKMSSS.exe

pid process

3256 fver.exe
4300 fver.exe
4892 fver.exe
1196 signtool.exe
2464 FakeClient.exe
4704 KMSSS.exe
2156 FakeClient.exe
4836 KMSSS.exe
Loads dropped DLL 2 IoCs

Processes:

FakeClient.exeFakeClient.exe

pid process

2464 FakeClient.exe
2156 FakeClient.exe

pid	process
3256	fver.exe
4300	fver.exe
4892	fver.exe
1196	signtool.exe
2464	FakeClient.exe
4704	KMSSS.exe
2156	FakeClient.exe
4836	KMSSS.exe

pid	process
2464	FakeClient.exe
2156	FakeClient.exe

UPX packed file 13 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/4776-19-0x0000000140000000-0x000000014051A000-memory.dmp	upx
behavioral1/memory/4776-20-0x0000000140000000-0x000000014051A000-memory.dmp	upx
behavioral1/memory/4776-23-0x0000000140000000-0x000000014051A000-memory.dmp	upx
behavioral1/memory/4776-24-0x0000000140000000-0x000000014051A000-memory.dmp	upx
behavioral1/memory/4776-51-0x0000000140000000-0x000000014051A000-memory.dmp	upx
behavioral1/memory/4776-52-0x0000000140000000-0x000000014051A000-memory.dmp	upx
behavioral1/memory/4776-98-0x0000000140000000-0x000000014051A000-memory.dmp	upx
behavioral1/memory/4776-100-0x0000000140000000-0x000000014051A000-memory.dmp	upx
behavioral1/memory/4776-104-0x0000000140000000-0x000000014051A000-memory.dmp	upx
behavioral1/memory/4776-106-0x0000000140000000-0x000000014051A000-memory.dmp	upx
behavioral1/memory/4776-230-0x0000000140000000-0x000000014051A000-memory.dmp	upx
behavioral1/memory/4776-240-0x0000000140000000-0x000000014051A000-memory.dmp	upx
behavioral1/memory/4776-245-0x0000000140000000-0x000000014051A000-memory.dmp	upx

Launches sc.exe 12 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exe

pid process

3880 sc.exe
1228 sc.exe
3804 sc.exe
5016 sc.exe
4204 sc.exe
5076 sc.exe
3396 sc.exe
2244 sc.exe
3292 sc.exe
3840 sc.exe
4456 sc.exe
4432 sc.exe
Kills process with taskkill 2 IoCs
evasion

Processes:

taskkill.exetaskkill.exe

pid process

1912 taskkill.exe
3952 taskkill.exe
Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

5012 reg.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

KMSTools.exe

pid process

1744 KMSTools.exe
Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

664
664

pid	process
3880	sc.exe
1228	sc.exe
3804	sc.exe
5016	sc.exe
4204	sc.exe
5076	sc.exe
3396	sc.exe
2244	sc.exe
3292	sc.exe
3840	sc.exe
4456	sc.exe
4432	sc.exe

pid	process
1912	taskkill.exe
3952	taskkill.exe

pid	process
5012	reg.exe

pid	process
664
664

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

AUDIODG.EXEWMIC.exeWMIC.exe

description	pid	process
Token: 33	1556	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1556	AUDIODG.EXE
Token: SeIncreaseQuotaPrivilege	4560	WMIC.exe
Token: SeSecurityPrivilege	4560	WMIC.exe
Token: SeTakeOwnershipPrivilege	4560	WMIC.exe
Token: SeLoadDriverPrivilege	4560	WMIC.exe
Token: SeSystemProfilePrivilege	4560	WMIC.exe
Token: SeSystemtimePrivilege	4560	WMIC.exe
Token: SeProfSingleProcessPrivilege	4560	WMIC.exe
Token: SeIncBasePriorityPrivilege	4560	WMIC.exe
Token: SeCreatePagefilePrivilege	4560	WMIC.exe
Token: SeBackupPrivilege	4560	WMIC.exe
Token: SeRestorePrivilege	4560	WMIC.exe
Token: SeShutdownPrivilege	4560	WMIC.exe
Token: SeDebugPrivilege	4560	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4560	WMIC.exe
Token: SeRemoteShutdownPrivilege	4560	WMIC.exe
Token: SeUndockPrivilege	4560	WMIC.exe
Token: SeManageVolumePrivilege	4560	WMIC.exe
Token: 33	4560	WMIC.exe
Token: 34	4560	WMIC.exe
Token: 35	4560	WMIC.exe
Token: 36	4560	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4560	WMIC.exe
Token: SeSecurityPrivilege	4560	WMIC.exe
Token: SeTakeOwnershipPrivilege	4560	WMIC.exe
Token: SeLoadDriverPrivilege	4560	WMIC.exe
Token: SeSystemProfilePrivilege	4560	WMIC.exe
Token: SeSystemtimePrivilege	4560	WMIC.exe
Token: SeProfSingleProcessPrivilege	4560	WMIC.exe
Token: SeIncBasePriorityPrivilege	4560	WMIC.exe
Token: SeCreatePagefilePrivilege	4560	WMIC.exe
Token: SeBackupPrivilege	4560	WMIC.exe
Token: SeRestorePrivilege	4560	WMIC.exe
Token: SeShutdownPrivilege	4560	WMIC.exe
Token: SeDebugPrivilege	4560	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4560	WMIC.exe
Token: SeRemoteShutdownPrivilege	4560	WMIC.exe
Token: SeUndockPrivilege	4560	WMIC.exe
Token: SeManageVolumePrivilege	4560	WMIC.exe
Token: 33	4560	WMIC.exe
Token: 34	4560	WMIC.exe
Token: 35	4560	WMIC.exe
Token: 36	4560	WMIC.exe
Token: SeIncreaseQuotaPrivilege	972	WMIC.exe
Token: SeSecurityPrivilege	972	WMIC.exe
Token: SeTakeOwnershipPrivilege	972	WMIC.exe
Token: SeLoadDriverPrivilege	972	WMIC.exe
Token: SeSystemProfilePrivilege	972	WMIC.exe
Token: SeSystemtimePrivilege	972	WMIC.exe
Token: SeProfSingleProcessPrivilege	972	WMIC.exe
Token: SeIncBasePriorityPrivilege	972	WMIC.exe
Token: SeCreatePagefilePrivilege	972	WMIC.exe
Token: SeBackupPrivilege	972	WMIC.exe
Token: SeRestorePrivilege	972	WMIC.exe
Token: SeShutdownPrivilege	972	WMIC.exe
Token: SeDebugPrivilege	972	WMIC.exe
Token: SeSystemEnvironmentPrivilege	972	WMIC.exe
Token: SeRemoteShutdownPrivilege	972	WMIC.exe
Token: SeUndockPrivilege	972	WMIC.exe
Token: SeManageVolumePrivilege	972	WMIC.exe
Token: 33	972	WMIC.exe
Token: 34	972	WMIC.exe
Token: 35	972	WMIC.exe

Suspicious use of FindShellTrayWindow 13 IoCs

Processes:

KMSTools.exeKMSAuto x64.exe

pid	process
1744	KMSTools.exe
1744	KMSTools.exe
1744	KMSTools.exe
4776	KMSAuto x64.exe
4776	KMSAuto x64.exe
4776	KMSAuto x64.exe
4776	KMSAuto x64.exe
4776	KMSAuto x64.exe
4776	KMSAuto x64.exe
4776	KMSAuto x64.exe
4776	KMSAuto x64.exe
4776	KMSAuto x64.exe
4776	KMSAuto x64.exe

Suspicious use of SendNotifyMessage 2 IoCs

Processes:

KMSTools.exe

pid process

1744 KMSTools.exe
1744 KMSTools.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

KMSTools.exeKMSAuto x64.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 1744 wrote to memory of 3256	1744	KMSTools.exe	fver.exe
PID 1744 wrote to memory of 3256	1744	KMSTools.exe	fver.exe
PID 1744 wrote to memory of 3256	1744	KMSTools.exe	fver.exe
PID 1744 wrote to memory of 4300	1744	KMSTools.exe	fver.exe
PID 1744 wrote to memory of 4300	1744	KMSTools.exe	fver.exe
PID 1744 wrote to memory of 4300	1744	KMSTools.exe	fver.exe
PID 1744 wrote to memory of 4892	1744	KMSTools.exe	fver.exe
PID 1744 wrote to memory of 4892	1744	KMSTools.exe	fver.exe
PID 1744 wrote to memory of 4892	1744	KMSTools.exe	fver.exe
PID 1744 wrote to memory of 2544	1744	KMSTools.exe	cmd.exe
PID 1744 wrote to memory of 2544	1744	KMSTools.exe	cmd.exe
PID 1744 wrote to memory of 1196	1744	KMSTools.exe	signtool.exe
PID 1744 wrote to memory of 1196	1744	KMSTools.exe	signtool.exe
PID 1744 wrote to memory of 1196	1744	KMSTools.exe	signtool.exe
PID 1744 wrote to memory of 4776	1744	KMSTools.exe	KMSAuto x64.exe
PID 1744 wrote to memory of 4776	1744	KMSTools.exe	KMSAuto x64.exe
PID 4776 wrote to memory of 4172	4776	KMSAuto x64.exe	cmd.exe
PID 4776 wrote to memory of 4172	4776	KMSAuto x64.exe	cmd.exe
PID 4776 wrote to memory of 3556	4776	KMSAuto x64.exe	cmd.exe
PID 4776 wrote to memory of 3556	4776	KMSAuto x64.exe	cmd.exe
PID 3556 wrote to memory of 4560	3556	cmd.exe	WMIC.exe
PID 3556 wrote to memory of 4560	3556	cmd.exe	WMIC.exe
PID 4776 wrote to memory of 868	4776	KMSAuto x64.exe	cmd.exe
PID 4776 wrote to memory of 868	4776	KMSAuto x64.exe	cmd.exe
PID 868 wrote to memory of 972	868	cmd.exe	WMIC.exe
PID 868 wrote to memory of 972	868	cmd.exe	WMIC.exe
PID 4776 wrote to memory of 1684	4776	KMSAuto x64.exe	cmd.exe
PID 4776 wrote to memory of 1684	4776	KMSAuto x64.exe	cmd.exe
PID 1684 wrote to memory of 4944	1684	cmd.exe	WMIC.exe
PID 1684 wrote to memory of 4944	1684	cmd.exe	WMIC.exe
PID 4776 wrote to memory of 4368	4776	KMSAuto x64.exe	cmd.exe
PID 4776 wrote to memory of 4368	4776	KMSAuto x64.exe	cmd.exe
PID 4368 wrote to memory of 2044	4368	cmd.exe	WMIC.exe
PID 4368 wrote to memory of 2044	4368	cmd.exe	WMIC.exe
PID 4776 wrote to memory of 1480	4776	KMSAuto x64.exe	cmd.exe
PID 4776 wrote to memory of 1480	4776	KMSAuto x64.exe	cmd.exe
PID 1480 wrote to memory of 312	1480	cmd.exe	cscript.exe
PID 1480 wrote to memory of 312	1480	cmd.exe	cscript.exe
PID 4776 wrote to memory of 1136	4776	KMSAuto x64.exe	cmd.exe
PID 4776 wrote to memory of 1136	4776	KMSAuto x64.exe	cmd.exe
PID 1136 wrote to memory of 5012	1136	cmd.exe	reg.exe
PID 1136 wrote to memory of 5012	1136	cmd.exe	reg.exe
PID 4776 wrote to memory of 972	4776	KMSAuto x64.exe	cmd.exe
PID 4776 wrote to memory of 972	4776	KMSAuto x64.exe	cmd.exe
PID 972 wrote to memory of 1472	972	cmd.exe	cscript.exe
PID 972 wrote to memory of 1472	972	cmd.exe	cscript.exe
PID 4776 wrote to memory of 4956	4776	KMSAuto x64.exe	cmd.exe
PID 4776 wrote to memory of 4956	4776	KMSAuto x64.exe	cmd.exe
PID 4956 wrote to memory of 2324	4956	cmd.exe	ROUTE.EXE
PID 4956 wrote to memory of 2324	4956	cmd.exe	ROUTE.EXE
PID 4776 wrote to memory of 2464	4776	KMSAuto x64.exe	FakeClient.exe
PID 4776 wrote to memory of 2464	4776	KMSAuto x64.exe	FakeClient.exe
PID 4776 wrote to memory of 2588	4776	KMSAuto x64.exe	cmd.exe
PID 4776 wrote to memory of 2588	4776	KMSAuto x64.exe	cmd.exe
PID 2588 wrote to memory of 652	2588	cmd.exe	netsh.exe
PID 2588 wrote to memory of 652	2588	cmd.exe	netsh.exe
PID 4776 wrote to memory of 4500	4776	KMSAuto x64.exe	cmd.exe
PID 4776 wrote to memory of 4500	4776	KMSAuto x64.exe	cmd.exe
PID 4500 wrote to memory of 1912	4500	cmd.exe	netsh.exe
PID 4500 wrote to memory of 1912	4500	cmd.exe	netsh.exe
PID 4776 wrote to memory of 3296	4776	KMSAuto x64.exe	cmd.exe
PID 4776 wrote to memory of 3296	4776	KMSAuto x64.exe	cmd.exe
PID 3296 wrote to memory of 1824	3296	cmd.exe	netsh.exe
PID 3296 wrote to memory of 1824	3296	cmd.exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\Activador 2019\KMSTools.exe
"C:\Users\Admin\AppData\Local\Temp\Activador 2019\KMSTools.exe"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1744

C:\Users\Admin\AppData\Local\Temp\fver.exe
"C:\Users\Admin\AppData\Local\Temp\fver.exe" /D /A "C:\Users\Admin\AppData\Local\Temp\Activador 2019\Programs\AAct v3.9.3 Portable\AAct.exe"
2⤵
- Executes dropped EXE
PID:3256

C:\Users\Admin\AppData\Local\Temp\fver.exe
"C:\Users\Admin\AppData\Local\Temp\fver.exe" /D /A "C:\Users\Admin\AppData\Local\Temp\Activador 2019\Programs\KMSAuto Lite Portable v1.4.0\KMSAuto.exe"
2⤵
- Executes dropped EXE
PID:4300

C:\Users\Admin\AppData\Local\Temp\fver.exe
"C:\Users\Admin\AppData\Local\Temp\fver.exe" /D /A "C:\Users\Admin\AppData\Local\Temp\Activador 2019\Programs\Office 2013-2019 C2R Install v6.4.5\OInstall.exe"
2⤵
- Executes dropped EXE
PID:4892

C:\Windows\system32\cmd.exe
"C:\Windows\Sysnative\cmd.exe" /c copy C:\Windows\system32\Tasks\KMSTools "C:\Users\Admin\AppData\Local\Temp\KMSTools.tmp" /Y
2⤵
PID:2544

C:\Users\Admin\AppData\Local\Temp\Activador 2019\Programs\signtool.exe
"C:\Users\Admin\AppData\Local\Temp\Activador 2019\Programs\signtool.exe" verify /v /ph /sha1 648384a4dee53d4c1c87e10d67cc99307ccc9c98 "C:\Users\Admin\AppData\Local\Temp\Activador 2019\Programs\KMSAuto Lite Portable v1.4.0\KMSAuto x64.exe"
2⤵
- Executes dropped EXE
PID:1196

C:\Users\Admin\AppData\Local\Temp\Activador 2019\Programs\KMSAuto Lite Portable v1.4.0\KMSAuto x64.exe
"C:\Users\Admin\AppData\Local\Temp\Activador 2019\Programs\KMSAuto Lite Portable v1.4.0\KMSAuto x64.exe"
2⤵
- Sets service image path in registry
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4776

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c copy C:\Windows\system32\Tasks\KMSAuto "C:\Users\Admin\AppData\Local\Temp\KMSAuto.tmp" /Y
3⤵
PID:4172

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionPath="C:\Users\Admin\AppData\Local\Temp\Activador 2019\Programs\KMSAuto Lite Portable v1.4.0\KMSAuto x64.exe"
3⤵
- Suspicious use of WriteProcessMemory
PID:3556

C:\Windows\System32\Wbem\WMIC.exe
WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionPath="C:\Users\Admin\AppData\Local\Temp\Activador 2019\Programs\KMSAuto Lite Portable v1.4.0\KMSAuto x64.exe"
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:4560

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionPath="C:\Windows\Temp\KMSAuto_Files"
3⤵
- Suspicious use of WriteProcessMemory
PID:868

C:\Windows\System32\Wbem\WMIC.exe
WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionPath="C:\Windows\Temp\KMSAuto_Files"
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:972

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionPath="C:\Windows\System32\SppExtComObjPatcher.exe"
3⤵
- Suspicious use of WriteProcessMemory
PID:1684

C:\Windows\System32\Wbem\WMIC.exe
WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionPath="C:\Windows\System32\SppExtComObjPatcher.exe"
4⤵
PID:4944

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionPath="C:\Windows\System32\SppExtComObjHook.dll"
3⤵
- Suspicious use of WriteProcessMemory
PID:4368

C:\Windows\System32\Wbem\WMIC.exe
WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionPath="C:\Windows\System32\SppExtComObjHook.dll"
4⤵
PID:2044

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c cscript //nologo "C:\Users\Admin\AppData\Local\Temp\slmgr.vbs" /dlv
3⤵
- Suspicious use of WriteProcessMemory
PID:1480

C:\Windows\system32\cscript.exe
cscript //nologo "C:\Users\Admin\AppData\Local\Temp\slmgr.vbs" /dlv
4⤵
PID:312

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c REG QUERY HKLM\Software\Microsoft\Office /s /v Path /reg:64
3⤵
- Suspicious use of WriteProcessMemory
PID:1136

C:\Windows\System32\reg.exe
REG QUERY HKLM\Software\Microsoft\Office /s /v Path /reg:64
4⤵
- Modifies registry key
PID:5012

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c cscript //nologo "C:\Program Files\Microsoft Office\Office16\ospp.vbs" /dstatus
3⤵
- Suspicious use of WriteProcessMemory
PID:972

C:\Windows\system32\cscript.exe
cscript //nologo "C:\Program Files\Microsoft Office\Office16\ospp.vbs" /dstatus
4⤵
PID:1472

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c route.exe -p add 10.3.0.20 0.0.0.0 IF 1
3⤵
- Suspicious use of WriteProcessMemory
PID:4956

C:\Windows\system32\ROUTE.EXE
route.exe -p add 10.3.0.20 0.0.0.0 IF 1
4⤵
PID:2324

C:\Windows\Temp\KMSAuto_Files\bin\driver\x64WDV\FakeClient.exe
"FakeClient.exe" 10.3.0.20
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2464

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c Netsh.exe Advfirewall Firewall delete rule name=0pen_Port_KMS protocol=TCP
3⤵
- Suspicious use of WriteProcessMemory
PID:2588

C:\Windows\system32\netsh.exe
Netsh.exe Advfirewall Firewall delete rule name=0pen_Port_KMS protocol=TCP
4⤵
- Modifies Windows Firewall
PID:652

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c Netsh.exe Advfirewall Firewall add rule name=0pen_Port_KMS dir=in action=allow protocol=TCP localport=1688
3⤵
- Suspicious use of WriteProcessMemory
PID:4500

C:\Windows\system32\netsh.exe
Netsh.exe Advfirewall Firewall add rule name=0pen_Port_KMS dir=in action=allow protocol=TCP localport=1688
4⤵
- Modifies Windows Firewall
PID:1912

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c Netsh.exe Advfirewall Firewall delete rule name=0pen_Port_KMS2 protocol=TCP
3⤵
- Suspicious use of WriteProcessMemory
PID:3296

C:\Windows\system32\netsh.exe
Netsh.exe Advfirewall Firewall delete rule name=0pen_Port_KMS2 protocol=TCP
4⤵
- Modifies Windows Firewall
PID:1824

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c Netsh.exe Advfirewall Firewall add rule name=0pen_Port_KMS2 dir=out action=allow protocol=TCP localport=1688
3⤵
PID:2328

C:\Windows\system32\netsh.exe
Netsh.exe Advfirewall Firewall add rule name=0pen_Port_KMS2 dir=out action=allow protocol=TCP localport=1688
4⤵
- Modifies Windows Firewall
PID:2276

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c sc.exe create KMSEmulator binpath= temp.exe type= own start= auto
3⤵
PID:1512

C:\Windows\system32\sc.exe
sc.exe create KMSEmulator binpath= temp.exe type= own start= auto
4⤵
- Launches sc.exe
PID:3880

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c sc.exe start KMSEmulator
3⤵
PID:556

C:\Windows\system32\sc.exe
sc.exe start KMSEmulator
4⤵
- Launches sc.exe
PID:1228

C:\Windows\System32\reg.exe
"C:\Windows\System32\reg.exe" DELETE "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\55c92734-d682-4d71-983e-d6ec3f16059f" /f /reg:64
3⤵
PID:2728

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c reg.exe add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /f /v KeyManagementServiceName /d 10.3.0.20 /t REG_SZ /reg:32
3⤵
PID:4992

C:\Windows\System32\reg.exe
reg.exe add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /f /v KeyManagementServiceName /d 10.3.0.20 /t REG_SZ /reg:32
4⤵
PID:2972

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c reg.exe add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /f /v KeyManagementServicePort /d 1688 /t REG_SZ /reg:32
3⤵
PID:2740

C:\Windows\System32\reg.exe
reg.exe add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /f /v KeyManagementServicePort /d 1688 /t REG_SZ /reg:32
4⤵
PID:3140

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c reg.exe add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /f /v KeyManagementServiceName /d 10.3.0.20 /t REG_SZ /reg:64
3⤵
PID:972

C:\Windows\System32\reg.exe
reg.exe add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /f /v KeyManagementServiceName /d 10.3.0.20 /t REG_SZ /reg:64
4⤵
PID:4892

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c reg.exe add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /f /v KeyManagementServicePort /d 1688 /t REG_SZ /reg:64
3⤵
PID:212

C:\Windows\System32\reg.exe
reg.exe add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /f /v KeyManagementServicePort /d 1688 /t REG_SZ /reg:64
4⤵
PID:1712

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c cscript //nologo "C:\Users\Admin\AppData\Local\Temp\slmgr.vbs" /skms 10.3.0.20:1688
3⤵
PID:3220

C:\Windows\system32\cscript.exe
cscript //nologo "C:\Users\Admin\AppData\Local\Temp\slmgr.vbs" /skms 10.3.0.20:1688
4⤵
PID:5088

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c wmic path SoftwareLicensingProduct where (Name LIKE 'Windows%%' And PartialProductKey is Not NULL) get Name /FORMAT:List
3⤵
PID:4552

C:\Windows\System32\Wbem\WMIC.exe
wmic path SoftwareLicensingProduct where (Name LIKE 'Windows%%' And PartialProductKey is Not NULL) get Name /FORMAT:List
4⤵
PID:1668

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c cscript //nologo "C:\Users\Admin\AppData\Local\Temp\slmgr.vbs" /ato
3⤵
PID:2124

C:\Windows\system32\cscript.exe
cscript //nologo "C:\Users\Admin\AppData\Local\Temp\slmgr.vbs" /ato
4⤵
PID:1596

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c sc.exe stop KMSEmulator
3⤵
PID:2532

C:\Windows\system32\sc.exe
sc.exe stop KMSEmulator
4⤵
- Launches sc.exe
PID:3804

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c sc.exe delete KMSEmulator
3⤵
PID:2368

C:\Windows\system32\sc.exe
sc.exe delete KMSEmulator
4⤵
- Launches sc.exe
PID:5076

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c route delete 10.3.0.20 0.0.0.0
3⤵
PID:2852

C:\Windows\system32\ROUTE.EXE
route delete 10.3.0.20 0.0.0.0
4⤵
PID:4768

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill.exe /t /f /IM FakeClient.exe
3⤵
PID:3392

C:\Windows\system32\taskkill.exe
taskkill.exe /t /f /IM FakeClient.exe
4⤵
- Kills process with taskkill
PID:1912

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c sc.exe stop WinDivert1.3
3⤵
PID:224

C:\Windows\system32\sc.exe
sc.exe stop WinDivert1.3
4⤵
- Launches sc.exe
PID:5016

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c sc.exe delete WinDivert1.3
3⤵
PID:892

C:\Windows\system32\sc.exe
sc.exe delete WinDivert1.3
4⤵
- Launches sc.exe
PID:3396

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c Netsh.exe Advfirewall Firewall delete rule name=0pen_Port_KMS protocol=TCP
3⤵
PID:2284

C:\Windows\system32\netsh.exe
Netsh.exe Advfirewall Firewall delete rule name=0pen_Port_KMS protocol=TCP
4⤵
- Modifies Windows Firewall
PID:3880

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c Netsh.exe Advfirewall Firewall delete rule name=0pen_Port_KMS2 protocol=TCP
3⤵
PID:2628

C:\Windows\system32\netsh.exe
Netsh.exe Advfirewall Firewall delete rule name=0pen_Port_KMS2 protocol=TCP
4⤵
- Modifies Windows Firewall
PID:896

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c route.exe -p add 10.3.0.20 0.0.0.0 IF 1
3⤵
PID:3484

C:\Windows\system32\ROUTE.EXE
route.exe -p add 10.3.0.20 0.0.0.0 IF 1
4⤵
PID:2728

C:\Windows\Temp\KMSAuto_Files\bin\driver\x64WDV\FakeClient.exe
"FakeClient.exe" 10.3.0.20
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2156

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c Netsh.exe Advfirewall Firewall delete rule name=0pen_Port_KMS protocol=TCP
3⤵
PID:3620

C:\Windows\system32\netsh.exe
Netsh.exe Advfirewall Firewall delete rule name=0pen_Port_KMS protocol=TCP
4⤵
- Modifies Windows Firewall
PID:2904

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c Netsh.exe Advfirewall Firewall add rule name=0pen_Port_KMS dir=in action=allow protocol=TCP localport=1688
3⤵
PID:3696

C:\Windows\system32\netsh.exe
Netsh.exe Advfirewall Firewall add rule name=0pen_Port_KMS dir=in action=allow protocol=TCP localport=1688
4⤵
- Modifies Windows Firewall
PID:3588

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c Netsh.exe Advfirewall Firewall delete rule name=0pen_Port_KMS2 protocol=TCP
3⤵
PID:3272

C:\Windows\system32\netsh.exe
Netsh.exe Advfirewall Firewall delete rule name=0pen_Port_KMS2 protocol=TCP
4⤵
- Modifies Windows Firewall
PID:764

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c Netsh.exe Advfirewall Firewall add rule name=0pen_Port_KMS2 dir=out action=allow protocol=TCP localport=1688
3⤵
PID:3604

C:\Windows\system32\netsh.exe
Netsh.exe Advfirewall Firewall add rule name=0pen_Port_KMS2 dir=out action=allow protocol=TCP localport=1688
4⤵
- Modifies Windows Firewall
PID:2248

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c sc.exe create KMSEmulator binpath= temp.exe type= own start= auto
3⤵
PID:3612

C:\Windows\system32\sc.exe
sc.exe create KMSEmulator binpath= temp.exe type= own start= auto
4⤵
- Launches sc.exe
PID:2244

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c sc.exe start KMSEmulator
3⤵
PID:5096

C:\Windows\system32\sc.exe
sc.exe start KMSEmulator
4⤵
- Launches sc.exe
PID:3292

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c cscript //nologo "C:\Program Files\Microsoft Office\Office16\ospp.vbs" /sethst:10.3.0.20
3⤵
PID:4696

C:\Windows\system32\cscript.exe
cscript //nologo "C:\Program Files\Microsoft Office\Office16\ospp.vbs" /sethst:10.3.0.20
4⤵
PID:2900

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c cscript //nologo "C:\Program Files\Microsoft Office\Office16\ospp.vbs" /setprt:1688
3⤵
PID:528

C:\Windows\system32\cscript.exe
cscript //nologo "C:\Program Files\Microsoft Office\Office16\ospp.vbs" /setprt:1688
4⤵
PID:2580

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c cscript //nologo "C:\Program Files\Microsoft Office\Office16\ospp.vbs" /act
3⤵
PID:4476

C:\Windows\system32\cscript.exe
cscript //nologo "C:\Program Files\Microsoft Office\Office16\ospp.vbs" /act
4⤵
PID:872

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c sc.exe stop KMSEmulator
3⤵
PID:4876

C:\Windows\system32\sc.exe
sc.exe stop KMSEmulator
4⤵
- Launches sc.exe
PID:4204

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c sc.exe delete KMSEmulator
3⤵
PID:4748

C:\Windows\system32\sc.exe
sc.exe delete KMSEmulator
4⤵
- Launches sc.exe
PID:3840

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c route delete 10.3.0.20 0.0.0.0
3⤵
PID:3556

C:\Windows\system32\ROUTE.EXE
route delete 10.3.0.20 0.0.0.0
4⤵
PID:876

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill.exe /t /f /IM FakeClient.exe
3⤵
PID:5028

C:\Windows\system32\taskkill.exe
taskkill.exe /t /f /IM FakeClient.exe
4⤵
- Kills process with taskkill
PID:3952

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c sc.exe stop WinDivert1.3
3⤵
PID:4124

C:\Windows\system32\sc.exe
sc.exe stop WinDivert1.3
4⤵
- Launches sc.exe
PID:4456

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c sc.exe delete WinDivert1.3
3⤵
PID:5080

C:\Windows\system32\sc.exe
sc.exe delete WinDivert1.3
4⤵
- Launches sc.exe
PID:4432

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c Netsh.exe Advfirewall Firewall delete rule name=0pen_Port_KMS protocol=TCP
3⤵
PID:1692

C:\Windows\system32\netsh.exe
Netsh.exe Advfirewall Firewall delete rule name=0pen_Port_KMS protocol=TCP
4⤵
- Modifies Windows Firewall
PID:688

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c Netsh.exe Advfirewall Firewall delete rule name=0pen_Port_KMS2 protocol=TCP
3⤵
PID:1476

C:\Windows\system32\netsh.exe
Netsh.exe Advfirewall Firewall delete rule name=0pen_Port_KMS2 protocol=TCP
4⤵
- Modifies Windows Firewall
PID:4540

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x3dc 0x254
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1556

C:\Windows\Temp\KMSAuto_Files\bin\KMSSS.exe
"C:\Windows\Temp\KMSAuto_Files\bin\KMSSS.exe" -Port 1688 -PWin RandomKMSPID -PO14 RandomKMSPID -PO15 RandomKMSPID -PO16 RandomKMSPID -AI 43200 -RI 43200 KillProcessOnPort -Log -IP
1⤵
- Executes dropped EXE
PID:4704

C:\Windows\Temp\KMSAuto_Files\bin\KMSSS.exe
"C:\Windows\Temp\KMSAuto_Files\bin\KMSSS.exe" -Port 1688 -PWin RandomKMSPID -PO14 RandomKMSPID -PO15 RandomKMSPID -PO16 RandomKMSPID -AI 43200 -RI 43200 KillProcessOnPort -Log -IP
1⤵
- Executes dropped EXE
PID:4836

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

3

T1543

Windows Service

3

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

3

T1543

Windows Service

3

T1543.003

Defense Evasion

Impair Defenses

2

T1562

Disable or Modify System Firewall

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

1

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Activador 2019\Programs\signtool.exe

Filesize
323KB

MD5
05624e6d27eaef0db0673ae627bd6027

SHA1
b155c76bf59992a8d75d0e3a59dc94f24aff2591

SHA256
962a92821f54a1e706aa989973130fdc1072c7bd8b9e6d11ea1050b46eb9d313

SHA512
233304669aefeec9ad5d19bd2dd5bb19ea35ce31da0b3aabe5ab859259608a58725fac5993637c9635e5912138d3eb477773351f0ee81cc3ce756d713163cf31

Download Submit
C:\Users\Admin\AppData\Local\Temp\fver.exe

Filesize
12KB

MD5
0e6c873a80940c9729bc8017ad67b2de

SHA1
605b85c8908b29c98bb849e4aed5a3f22d0a5530

SHA256
9f54832295773b42a75ca9c2e59491941554cafb77e4285dfeed2ddb4de2efe2

SHA512
81a76c359e64d974e7fd4773a260ba18eb7f1ddb96b90e391bec98aa67f5b8b4ec175045864c2782f988649e2fa9b2e12b88b46655371adba2ba0f25b7031cd1

Download Submit
C:\Users\Admin\AppData\Local\Temp\slmgr.vbs

Filesize
139KB

MD5
3903bcab32a4a853dfa54962112d4d02

SHA1
ba6433fba48797cd43463441358004ac81b76a8b

SHA256
95fc646d222d324db46f603a7f675c329fe59a567ed27fdaed2a572a19206816

SHA512
db27b16ec8f8139c44c433d51350fbda6c8f8113e2e8178ff53298b4dace5ef93d65d7cc422f5a2d544d053471c36392da4acd2b7da8af38bb42344db70dbe0a

Download Submit
C:\Windows\Temp\KMSAuto_Files\bin\KMSSS.exe

Filesize
33KB

MD5
463c7ce8e2ec2c33536e9697c0eeba7d

SHA1
8aba9b67484c647a9a01cac8c7a7170f1e7fe0a5

SHA256
d3ed9d3b8dd6a6a8dfa0a9bb02374b079e8e0c33e600677ef15bfa19264c4f04

SHA512
4f175d6ac12e53b32e8baaad058eda33378c5c0ca67c06ae77b5d7b4a1344d70a2a8e932a71c510a038fb6b19e2c280921bcfc64ed62a7906264844f7f121c41

Download Submit
C:\Windows\Temp\KMSAuto_Files\bin\KMSSS.log

Filesize
773B

MD5
38b69663135e1573b4ed19cd9b8d1614

SHA1
ee7f16857df7e5872554c0b1f0506a5c11537ee4

SHA256
fc9c013b2e278f707bfe46510d5ed9289716590721c241905eadb96c39adcb1c

SHA512
953519d859b0d50ae7d2f512d84bcc2f5309ae96da08c4401542b602a3b77ea176501fe812a9ad63fc4781aad043c17f4f9014a90d7e4a5fbfd3c1590fdacb55

Download Submit
C:\Windows\Temp\KMSAuto_Files\bin\KMSSS.log

Filesize
773B

MD5
710a93dcafcb7349ed6eb069bfc7a3ad

SHA1
7a7fed1e878d7977eadaea52663f7c9274ca3cc8

SHA256
3ff7c4885db3ba4ff6c6330bafe6ae6cf3cf6b4d4b9ee0743b3ace18e0dae277

SHA512
6369edc21ed6e5d975837af632736af3180ff823fee3df2f6cf05c2d71678a575672db4f4289356b3fa74b69551e01ed80f697637e18f40fe8ba4ac378365743

Download Submit
C:\Windows\Temp\KMSAuto_Files\bin\driver\x64WDV\FakeClient.exe

Filesize
10KB

MD5
6241a145a6bc3511e7690dcf107cefd8

SHA1
3052b10e7356bbb71a0519d9c089ce5ae18d4b6c

SHA256
2218293e4442deb06e398aa0357aef54df377b95e46b6ed79b48b65b666c9405

SHA512
8826f64b587df90b7990aed548644bd76e14c95763fe0175901f6d72e05666372a1694013a92b8b6da7a643aabc43df0dbd1703117667cfed2955a19845c4b83

Download Submit
C:\Windows\Temp\KMSAuto_Files\bin\driver\x64WDV\WinDivert.dll

Filesize
22KB

MD5
ee42f18f56e8ab20103d0eacc6cb3056

SHA1
8f75e1e7d1d1982d8bd57026d76fade124fe51f9

SHA256
d0d8e5806952ce8f321d106551c680afe5a074cb9366a54282ff83397c64c27f

SHA512
7823620af8ec86b4dc4f4e5c77c7adf6bbf44405f6074629261c2067691dc72521fca44066f998033f40b8ef79b2361a7d5ada1e16c48943fab8e1a7c5f508e7

Download Submit
memory/4776-23-0x0000000140000000-0x000000014051A000-memory.dmp

Filesize
5.1MB

Download
memory/4776-52-0x0000000140000000-0x000000014051A000-memory.dmp

Filesize
5.1MB

Download
memory/4776-51-0x0000000140000000-0x000000014051A000-memory.dmp

Filesize
5.1MB

Download
memory/4776-24-0x0000000140000000-0x000000014051A000-memory.dmp

Filesize
5.1MB

Download
memory/4776-20-0x0000000140000000-0x000000014051A000-memory.dmp

Filesize
5.1MB

Download
memory/4776-98-0x0000000140000000-0x000000014051A000-memory.dmp

Filesize
5.1MB

Download
memory/4776-100-0x0000000140000000-0x000000014051A000-memory.dmp

Filesize
5.1MB

Download
memory/4776-104-0x0000000140000000-0x000000014051A000-memory.dmp

Filesize
5.1MB

Download
memory/4776-106-0x0000000140000000-0x000000014051A000-memory.dmp

Filesize
5.1MB

Download
memory/4776-230-0x0000000140000000-0x000000014051A000-memory.dmp

Filesize
5.1MB

Download
memory/4776-19-0x0000000140000000-0x000000014051A000-memory.dmp

Filesize
5.1MB

Download
memory/4776-240-0x0000000140000000-0x000000014051A000-memory.dmp

Filesize
5.1MB

Download
memory/4776-245-0x0000000140000000-0x000000014051A000-memory.dmp

Filesize
5.1MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads