Analysis
max time kernel: 547s
max time network: 548s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 12-02-2024 20:19
Behavioral task: behavioral1
Sample: Activador 2019/KMSTools.exe
Resource: win10v2004-20231215-en
General
Target: Activador 2019/KMSTools.exe
Size: 34.5MB
MD5: 7dcc580b7546be2871f978db8d313905
SHA1: 60d9b7541c661e83664d043f2b7f99a62b10ee84
SHA256: 5c2819ebc600adc7fcad0002e6056e824e1af35d1e16334e16199712850a208f
SHA512: dcba8d146e8c30d61828074ceac99dfcc73d52390975df7a29aca9f277fb56ddb8d2f2b02eb99ea328cca15ef24c907f5b03fb5690f5c788e29df7581849b4af
SSDEEP: 786432:VMh6YzBjJ7AxVM4Hh0CBS3sHPGtHilqNngktysVidq6igVVRoVl:Kh66PAxV/Hh+3sGilqlToyiU6igQ
Malware Config
Signatures
- Creates new service(s) (1 TTPs)
- Modifies Windows Firewall (2 TTPs, 12 IoCs)
  Processes:
    pid   process
    1824  netsh.exe
    2276  netsh.exe
    3880  netsh.exe
    764   netsh.exe
    2248  netsh.exe
    688   netsh.exe
    4540  netsh.exe
    652   netsh.exe
    1912  netsh.exe
    896   netsh.exe
    2904  netsh.exe
    3588  netsh.exe
- Sets service image path in registry (2 TTPs, 1 IoCs)
  Processes:
    description: Set value (str)
    ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\KMSEmulator\ImagePath = "\"C:\\Windows\\Temp\\KMSAuto_Files\\bin\\KMSSS.exe\" -Port 1688 -PWin RandomKMSPID -PO14 RandomKMSPID -PO15 RandomKMSPID -PO16 RandomKMSPID -AI 43200 -RI 43200 KillProcessOnPort -Log -IP"
    process: KMSAuto x64.exe
- Stops running service(s) (3 TTPs)
- Executes dropped EXE (8 IoCs)
  Processes:
    pid   process
    3256  fver.exe
    4300  fver.exe
    4892  fver.exe
    1196  signtool.exe
    2464  FakeClient.exe
    4704  KMSSS.exe
    2156  FakeClient.exe
    4836  KMSSS.exe
- Loads dropped DLL (2 IoCs)
  Processes:
    pid   process
    2464  FakeClient.exe
    2156  FakeClient.exe
- yara_rule upx matches (13 IoCs)
  Processes:
    resource                                                                     yara_rule
    behavioral1/memory/4776-19-0x0000000140000000-0x000000014051A000-memory.dmp   upx
    behavioral1/memory/4776-20-0x0000000140000000-0x000000014051A000-memory.dmp   upx
    behavioral1/memory/4776-23-0x0000000140000000-0x000000014051A000-memory.dmp   upx
    behavioral1/memory/4776-24-0x0000000140000000-0x000000014051A000-memory.dmp   upx
    behavioral1/memory/4776-51-0x0000000140000000-0x000000014051A000-memory.dmp   upx
    behavioral1/memory/4776-52-0x0000000140000000-0x000000014051A000-memory.dmp   upx
    behavioral1/memory/4776-98-0x0000000140000000-0x000000014051A000-memory.dmp   upx
    behavioral1/memory/4776-100-0x0000000140000000-0x000000014051A000-memory.dmp  upx
    behavioral1/memory/4776-104-0x0000000140000000-0x000000014051A000-memory.dmp  upx
    behavioral1/memory/4776-106-0x0000000140000000-0x000000014051A000-memory.dmp  upx
    behavioral1/memory/4776-230-0x0000000140000000-0x000000014051A000-memory.dmp  upx
    behavioral1/memory/4776-240-0x0000000140000000-0x000000014051A000-memory.dmp  upx
    behavioral1/memory/4776-245-0x0000000140000000-0x000000014051A000-memory.dmp  upx
- Launches sc.exe (12 IoCs)
  Sc.exe is a Windows utility to control services on the system.
  Processes:
    pid   process
    3880  sc.exe
    1228  sc.exe
    3804  sc.exe
    5016  sc.exe
    4204  sc.exe
    5076  sc.exe
    3396  sc.exe
    2244  sc.exe
    3292  sc.exe
    3840  sc.exe
    4456  sc.exe
    4432  sc.exe
- Kills process with taskkill (2 IoCs)
  Processes:
    pid   process
    1912  taskkill.exe
    3952  taskkill.exe
- Modifies registry key (1 TTPs, 1 IoCs)
- Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  Processes:
    pid   process
    1744  KMSTools.exe
- Suspicious behavior: LoadsDriver (2 IoCs)
  Processes:
    pid   process
    664   664
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Processes (description, pid, process; tokens listed in the order reported):
    1556  AUDIODG.EXE  Token: 33; Token: SeIncBasePriorityPrivilege
    4560  WMIC.exe     Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36 (this sequence of 21 entries is reported twice)
    972   WMIC.exe     Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35
- Suspicious use of FindShellTrayWindow (13 IoCs)
  Processes:
    pid   process          entries
    1744  KMSTools.exe     3
    4776  KMSAuto x64.exe  10
- Suspicious use of SendNotifyMessage (2 IoCs)
  Processes:
    pid   process       entries
    1744  KMSTools.exe  2
- Suspicious use of WriteProcessMemory (64 IoCs)
  Processes (each row: "PID <pid> wrote to memory of <target pid>"):
    pid   process          target pid  target process   entries
    1744  KMSTools.exe     3256        fver.exe         3
    1744  KMSTools.exe     4300        fver.exe         3
    1744  KMSTools.exe     4892        fver.exe         3
    1744  KMSTools.exe     2544        cmd.exe          2
    1744  KMSTools.exe     1196        signtool.exe     3
    1744  KMSTools.exe     4776        KMSAuto x64.exe  2
    4776  KMSAuto x64.exe  4172        cmd.exe          2
    4776  KMSAuto x64.exe  3556        cmd.exe          2
    3556  cmd.exe          4560        WMIC.exe         2
    4776  KMSAuto x64.exe  868         cmd.exe          2
    868   cmd.exe          972         WMIC.exe         2
    4776  KMSAuto x64.exe  1684        cmd.exe          2
    1684  cmd.exe          4944        WMIC.exe         2
    4776  KMSAuto x64.exe  4368        cmd.exe          2
    4368  cmd.exe          2044        WMIC.exe         2
    4776  KMSAuto x64.exe  1480        cmd.exe          2
    1480  cmd.exe          312         cscript.exe      2
    4776  KMSAuto x64.exe  1136        cmd.exe          2
    1136  cmd.exe          5012        reg.exe          2
    4776  KMSAuto x64.exe  972         cmd.exe          2
    972   cmd.exe          1472        cscript.exe      2
    4776  KMSAuto x64.exe  4956        cmd.exe          2
    4956  cmd.exe          2324        ROUTE.EXE        2
    4776  KMSAuto x64.exe  2464        FakeClient.exe   2
    4776  KMSAuto x64.exe  2588        cmd.exe          2
    2588  cmd.exe          652         netsh.exe        2
    4776  KMSAuto x64.exe  4500        cmd.exe          2
    4500  cmd.exe          1912        netsh.exe        2
    4776  KMSAuto x64.exe  3296        cmd.exe          2
    3296  cmd.exe          1824        netsh.exe        2
Processes (tree depth shown in brackets; children are indented under their parent)
[1] C:\Users\Admin\AppData\Local\Temp\Activador 2019\KMSTools.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Activador 2019\KMSTools.exe"
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID: 1744
    [2] C:\Users\Admin\AppData\Local\Temp\fver.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\fver.exe" /D /A "C:\Users\Admin\AppData\Local\Temp\Activador 2019\Programs\AAct v3.9.3 Portable\AAct.exe"
        - Executes dropped EXE
        PID: 3256
    [2] C:\Users\Admin\AppData\Local\Temp\fver.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\fver.exe" /D /A "C:\Users\Admin\AppData\Local\Temp\Activador 2019\Programs\KMSAuto Lite Portable v1.4.0\KMSAuto.exe"
        - Executes dropped EXE
        PID: 4300
    [2] C:\Users\Admin\AppData\Local\Temp\fver.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\fver.exe" /D /A "C:\Users\Admin\AppData\Local\Temp\Activador 2019\Programs\Office 2013-2019 C2R Install v6.4.5\OInstall.exe"
        - Executes dropped EXE
        PID: 4892
    [2] C:\Windows\system32\cmd.exe
        Command line: "C:\Windows\Sysnative\cmd.exe" /c copy C:\Windows\system32\Tasks\KMSTools "C:\Users\Admin\AppData\Local\Temp\KMSTools.tmp" /Y
        PID: 2544
    [2] C:\Users\Admin\AppData\Local\Temp\Activador 2019\Programs\signtool.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\Activador 2019\Programs\signtool.exe" verify /v /ph /sha1 648384a4dee53d4c1c87e10d67cc99307ccc9c98 "C:\Users\Admin\AppData\Local\Temp\Activador 2019\Programs\KMSAuto Lite Portable v1.4.0\KMSAuto x64.exe"
        - Executes dropped EXE
        PID: 1196
    [2] C:\Users\Admin\AppData\Local\Temp\Activador 2019\Programs\KMSAuto Lite Portable v1.4.0\KMSAuto x64.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\Activador 2019\Programs\KMSAuto Lite Portable v1.4.0\KMSAuto x64.exe"
        - Sets service image path in registry
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of WriteProcessMemory
        PID: 4776
        [3] C:\Windows\System32\cmd.exe
            Command line: "C:\Windows\System32\cmd.exe" /c copy C:\Windows\system32\Tasks\KMSAuto "C:\Users\Admin\AppData\Local\Temp\KMSAuto.tmp" /Y
            PID: 4172
        [3] C:\Windows\System32\cmd.exe
            Command line: "C:\Windows\System32\cmd.exe" /c WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionPath="C:\Users\Admin\AppData\Local\Temp\Activador 2019\Programs\KMSAuto Lite Portable v1.4.0\KMSAuto x64.exe"
            - Suspicious use of WriteProcessMemory
            PID: 3556
            [4] C:\Windows\System32\Wbem\WMIC.exe
                Command line: WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionPath="C:\Users\Admin\AppData\Local\Temp\Activador 2019\Programs\KMSAuto Lite Portable v1.4.0\KMSAuto x64.exe"
                - Suspicious use of AdjustPrivilegeToken
                PID: 4560
        [3] C:\Windows\System32\cmd.exe
            Command line: "C:\Windows\System32\cmd.exe" /c WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionPath="C:\Windows\Temp\KMSAuto_Files"
            - Suspicious use of WriteProcessMemory
            PID: 868
            [4] C:\Windows\System32\Wbem\WMIC.exe
                Command line: WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionPath="C:\Windows\Temp\KMSAuto_Files"
                - Suspicious use of AdjustPrivilegeToken
                PID: 972
        [3] C:\Windows\System32\cmd.exe
            Command line: "C:\Windows\System32\cmd.exe" /c WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionPath="C:\Windows\System32\SppExtComObjPatcher.exe"
            - Suspicious use of WriteProcessMemory
            PID: 1684
            [4] C:\Windows\System32\Wbem\WMIC.exe
                Command line: WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionPath="C:\Windows\System32\SppExtComObjPatcher.exe"
                PID: 4944
        [3] C:\Windows\System32\cmd.exe
            Command line: "C:\Windows\System32\cmd.exe" /c WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionPath="C:\Windows\System32\SppExtComObjHook.dll"
            - Suspicious use of WriteProcessMemory
            PID: 4368
            [4] C:\Windows\System32\Wbem\WMIC.exe
                Command line: WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionPath="C:\Windows\System32\SppExtComObjHook.dll"
                PID: 2044
        [3] C:\Windows\System32\cmd.exe
            Command line: "C:\Windows\System32\cmd.exe" /c cscript //nologo "C:\Users\Admin\AppData\Local\Temp\slmgr.vbs" /dlv
            - Suspicious use of WriteProcessMemory
            PID: 1480
            [4] C:\Windows\system32\cscript.exe
                Command line: cscript //nologo "C:\Users\Admin\AppData\Local\Temp\slmgr.vbs" /dlv
                PID: 312
        [3] C:\Windows\System32\cmd.exe
            Command line: "C:\Windows\System32\cmd.exe" /c REG QUERY HKLM\Software\Microsoft\Office /s /v Path /reg:64
            - Suspicious use of WriteProcessMemory
            PID: 1136
            [4] C:\Windows\System32\reg.exe
                Command line: REG QUERY HKLM\Software\Microsoft\Office /s /v Path /reg:64
                - Modifies registry key
                PID: 5012
        [3] C:\Windows\System32\cmd.exe
            Command line: "C:\Windows\System32\cmd.exe" /c cscript //nologo "C:\Program Files\Microsoft Office\Office16\ospp.vbs" /dstatus
            - Suspicious use of WriteProcessMemory
            PID: 972
            [4] C:\Windows\system32\cscript.exe
                Command line: cscript //nologo "C:\Program Files\Microsoft Office\Office16\ospp.vbs" /dstatus
                PID: 1472
        [3] C:\Windows\System32\cmd.exe
            Command line: "C:\Windows\System32\cmd.exe" /c route.exe -p add 10.3.0.20 0.0.0.0 IF 1
            - Suspicious use of WriteProcessMemory
            PID: 4956
            [4] C:\Windows\system32\ROUTE.EXE
                Command line: route.exe -p add 10.3.0.20 0.0.0.0 IF 1
                PID: 2324
        [3] C:\Windows\Temp\KMSAuto_Files\bin\driver\x64WDV\FakeClient.exe
            Command line: "FakeClient.exe" 10.3.0.20
            - Executes dropped EXE
            - Loads dropped DLL
            PID: 2464
        [3] C:\Windows\System32\cmd.exe
            Command line: "C:\Windows\System32\cmd.exe" /c Netsh.exe Advfirewall Firewall delete rule name=0pen_Port_KMS protocol=TCP
            - Suspicious use of WriteProcessMemory
            PID: 2588
            [4] C:\Windows\system32\netsh.exe
                Command line: Netsh.exe Advfirewall Firewall delete rule name=0pen_Port_KMS protocol=TCP
                - Modifies Windows Firewall
                PID: 652
        [3] C:\Windows\System32\cmd.exe
            Command line: "C:\Windows\System32\cmd.exe" /c Netsh.exe Advfirewall Firewall add rule name=0pen_Port_KMS dir=in action=allow protocol=TCP localport=1688
            - Suspicious use of WriteProcessMemory
            PID: 4500
            [4] C:\Windows\system32\netsh.exe
                Command line: Netsh.exe Advfirewall Firewall add rule name=0pen_Port_KMS dir=in action=allow protocol=TCP localport=1688
                - Modifies Windows Firewall
                PID: 1912
        [3] C:\Windows\System32\cmd.exe
            Command line: "C:\Windows\System32\cmd.exe" /c Netsh.exe Advfirewall Firewall delete rule name=0pen_Port_KMS2 protocol=TCP
            - Suspicious use of WriteProcessMemory
            PID: 3296
            [4] C:\Windows\system32\netsh.exe
                Command line: Netsh.exe Advfirewall Firewall delete rule name=0pen_Port_KMS2 protocol=TCP
                - Modifies Windows Firewall
                PID: 1824
        [3] C:\Windows\System32\cmd.exe
            Command line: "C:\Windows\System32\cmd.exe" /c Netsh.exe Advfirewall Firewall add rule name=0pen_Port_KMS2 dir=out action=allow protocol=TCP localport=1688
            PID: 2328
            [4] C:\Windows\system32\netsh.exe
                Command line: Netsh.exe Advfirewall Firewall add rule name=0pen_Port_KMS2 dir=out action=allow protocol=TCP localport=1688
                - Modifies Windows Firewall
                PID: 2276
        [3] C:\Windows\System32\cmd.exe
            Command line: "C:\Windows\System32\cmd.exe" /c sc.exe create KMSEmulator binpath= temp.exe type= own start= auto
            PID: 1512
            [4] C:\Windows\system32\sc.exe
                Command line: sc.exe create KMSEmulator binpath= temp.exe type= own start= auto
                - Launches sc.exe
                PID: 3880
        [3] C:\Windows\System32\cmd.exe
            Command line: "C:\Windows\System32\cmd.exe" /c sc.exe start KMSEmulator
            PID: 556
            [4] C:\Windows\system32\sc.exe
                Command line: sc.exe start KMSEmulator
                - Launches sc.exe
                PID: 1228
        [3] C:\Windows\System32\reg.exe
            Command line: "C:\Windows\System32\reg.exe" DELETE "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\55c92734-d682-4d71-983e-d6ec3f16059f" /f /reg:64
            PID: 2728
        [3] C:\Windows\System32\cmd.exe
            Command line: "C:\Windows\System32\cmd.exe" /c reg.exe add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /f /v KeyManagementServiceName /d 10.3.0.20 /t REG_SZ /reg:32
            PID: 4992
            [4] C:\Windows\System32\reg.exe
                Command line: reg.exe add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /f /v KeyManagementServiceName /d 10.3.0.20 /t REG_SZ /reg:32
                PID: 2972
        [3] C:\Windows\System32\cmd.exe
            Command line: "C:\Windows\System32\cmd.exe" /c reg.exe add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /f /v KeyManagementServicePort /d 1688 /t REG_SZ /reg:32
            PID: 2740
            [4] C:\Windows\System32\reg.exe
                Command line: reg.exe add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /f /v KeyManagementServicePort /d 1688 /t REG_SZ /reg:32
                PID: 3140
        [3] C:\Windows\System32\cmd.exe
            Command line: "C:\Windows\System32\cmd.exe" /c reg.exe add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /f /v KeyManagementServiceName /d 10.3.0.20 /t REG_SZ /reg:64
            PID: 972
            [4] C:\Windows\System32\reg.exe
                Command line: reg.exe add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /f /v KeyManagementServiceName /d 10.3.0.20 /t REG_SZ /reg:64
                PID: 4892
        [3] C:\Windows\System32\cmd.exe
            Command line: "C:\Windows\System32\cmd.exe" /c reg.exe add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /f /v KeyManagementServicePort /d 1688 /t REG_SZ /reg:64
            PID: 212
            [4] C:\Windows\System32\reg.exe
                Command line: reg.exe add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /f /v KeyManagementServicePort /d 1688 /t REG_SZ /reg:64
                PID: 1712
        [3] C:\Windows\System32\cmd.exe
            Command line: "C:\Windows\System32\cmd.exe" /c cscript //nologo "C:\Users\Admin\AppData\Local\Temp\slmgr.vbs" /skms 10.3.0.20:1688
            PID: 3220
            [4] C:\Windows\system32\cscript.exe
                Command line: cscript //nologo "C:\Users\Admin\AppData\Local\Temp\slmgr.vbs" /skms 10.3.0.20:1688
                PID: 5088
        [3] C:\Windows\System32\cmd.exe
            Command line: "C:\Windows\System32\cmd.exe" /c wmic path SoftwareLicensingProduct where (Name LIKE 'Windows%%' And PartialProductKey is Not NULL) get Name /FORMAT:List
            PID: 4552
            [4] C:\Windows\System32\Wbem\WMIC.exe
                Command line: wmic path SoftwareLicensingProduct where (Name LIKE 'Windows%%' And PartialProductKey is Not NULL) get Name /FORMAT:List
                PID: 1668
        [3] C:\Windows\System32\cmd.exe
            Command line: "C:\Windows\System32\cmd.exe" /c cscript //nologo "C:\Users\Admin\AppData\Local\Temp\slmgr.vbs" /ato
            PID: 2124
            [4] C:\Windows\system32\cscript.exe
                Command line: cscript //nologo "C:\Users\Admin\AppData\Local\Temp\slmgr.vbs" /ato
                PID: 1596
        [3] C:\Windows\System32\cmd.exe
            Command line: "C:\Windows\System32\cmd.exe" /c sc.exe stop KMSEmulator
            PID: 2532
            [4] C:\Windows\system32\sc.exe
                Command line: sc.exe stop KMSEmulator
                - Launches sc.exe
                PID: 3804
        [3] C:\Windows\System32\cmd.exe
            Command line: "C:\Windows\System32\cmd.exe" /c sc.exe delete KMSEmulator
            PID: 2368
            [4] C:\Windows\system32\sc.exe
                Command line: sc.exe delete KMSEmulator
                - Launches sc.exe
                PID: 5076
        [3] C:\Windows\System32\cmd.exe
            Command line: "C:\Windows\System32\cmd.exe" /c route delete 10.3.0.20 0.0.0.0
            PID: 2852
            [4] C:\Windows\system32\ROUTE.EXE
                Command line: route delete 10.3.0.20 0.0.0.0
                PID: 4768
        [3] C:\Windows\System32\cmd.exe
            Command line: "C:\Windows\System32\cmd.exe" /c taskkill.exe /t /f /IM FakeClient.exe
            PID: 3392
            [4] C:\Windows\system32\taskkill.exe
                Command line: taskkill.exe /t /f /IM FakeClient.exe
                - Kills process with taskkill
                PID: 1912
        [3] C:\Windows\System32\cmd.exe
            Command line: "C:\Windows\System32\cmd.exe" /c sc.exe stop WinDivert1.3
            PID: 224
            [4] C:\Windows\system32\sc.exe
                Command line: sc.exe stop WinDivert1.3
                - Launches sc.exe
                PID: 5016
        [3] C:\Windows\System32\cmd.exe
            Command line: "C:\Windows\System32\cmd.exe" /c sc.exe delete WinDivert1.3
            PID: 892
            [4] C:\Windows\system32\sc.exe
                Command line: sc.exe delete WinDivert1.3
                - Launches sc.exe
                PID: 3396
        [3] C:\Windows\System32\cmd.exe
            Command line: "C:\Windows\System32\cmd.exe" /c Netsh.exe Advfirewall Firewall delete rule name=0pen_Port_KMS protocol=TCP
            PID: 2284
            [4] C:\Windows\system32\netsh.exe
                Command line: Netsh.exe Advfirewall Firewall delete rule name=0pen_Port_KMS protocol=TCP
                - Modifies Windows Firewall
                PID: 3880
        [3] C:\Windows\System32\cmd.exe
            Command line: "C:\Windows\System32\cmd.exe" /c Netsh.exe Advfirewall Firewall delete rule name=0pen_Port_KMS2 protocol=TCP
            PID: 2628
            [4] C:\Windows\system32\netsh.exe
                Command line: Netsh.exe Advfirewall Firewall delete rule name=0pen_Port_KMS2 protocol=TCP
                - Modifies Windows Firewall
                PID: 896
        [3] C:\Windows\System32\cmd.exe
            Command line: "C:\Windows\System32\cmd.exe" /c route.exe -p add 10.3.0.20 0.0.0.0 IF 1
            PID: 3484
            [4] C:\Windows\system32\ROUTE.EXE
                Command line: route.exe -p add 10.3.0.20 0.0.0.0 IF 1
                PID: 2728
        [3] C:\Windows\Temp\KMSAuto_Files\bin\driver\x64WDV\FakeClient.exe
            Command line: "FakeClient.exe" 10.3.0.20
            - Executes dropped EXE
            - Loads dropped DLL
            PID: 2156
        [3] C:\Windows\System32\cmd.exe
            Command line: "C:\Windows\System32\cmd.exe" /c Netsh.exe Advfirewall Firewall delete rule name=0pen_Port_KMS protocol=TCP
            PID: 3620
            [4] C:\Windows\system32\netsh.exe
                Command line: Netsh.exe Advfirewall Firewall delete rule name=0pen_Port_KMS protocol=TCP
                - Modifies Windows Firewall
                PID: 2904
        [3] C:\Windows\System32\cmd.exe
            Command line: "C:\Windows\System32\cmd.exe" /c Netsh.exe Advfirewall Firewall add rule name=0pen_Port_KMS dir=in action=allow protocol=TCP localport=1688
            PID: 3696
            [4] C:\Windows\system32\netsh.exe
                Command line: Netsh.exe Advfirewall Firewall add rule name=0pen_Port_KMS dir=in action=allow protocol=TCP localport=1688
                - Modifies Windows Firewall
                PID: 3588
        [3] C:\Windows\System32\cmd.exe
            Command line: "C:\Windows\System32\cmd.exe" /c Netsh.exe Advfirewall Firewall delete rule name=0pen_Port_KMS2 protocol=TCP
            PID: 3272
            [4] C:\Windows\system32\netsh.exe
                Command line: Netsh.exe Advfirewall Firewall delete rule name=0pen_Port_KMS2 protocol=TCP
                - Modifies Windows Firewall
                PID: 764
        [3] C:\Windows\System32\cmd.exe
            Command line: "C:\Windows\System32\cmd.exe" /c Netsh.exe Advfirewall Firewall add rule name=0pen_Port_KMS2 dir=out action=allow protocol=TCP localport=1688
            PID: 3604
            [4] C:\Windows\system32\netsh.exe
                Command line: Netsh.exe Advfirewall Firewall add rule name=0pen_Port_KMS2 dir=out action=allow protocol=TCP localport=1688
                - Modifies Windows Firewall
                PID: 2248
        [3] C:\Windows\System32\cmd.exe
            Command line: "C:\Windows\System32\cmd.exe" /c sc.exe create KMSEmulator binpath= temp.exe type= own start= auto
            PID: 3612
            [4] C:\Windows\system32\sc.exe
                Command line: sc.exe create KMSEmulator binpath= temp.exe type= own start= auto
                - Launches sc.exe
                PID: 2244
        [3] C:\Windows\System32\cmd.exe
            Command line: "C:\Windows\System32\cmd.exe" /c sc.exe start KMSEmulator
            PID: 5096
            [4] C:\Windows\system32\sc.exe
                Command line: sc.exe start KMSEmulator
                - Launches sc.exe
                PID: 3292
        [3] C:\Windows\System32\cmd.exe
            Command line: "C:\Windows\System32\cmd.exe" /c cscript //nologo "C:\Program Files\Microsoft Office\Office16\ospp.vbs" /sethst:10.3.0.20
            PID: 4696
            [4] C:\Windows\system32\cscript.exe
                Command line: cscript //nologo "C:\Program Files\Microsoft Office\Office16\ospp.vbs" /sethst:10.3.0.20
                PID: 2900
        [3] C:\Windows\System32\cmd.exe
            Command line: "C:\Windows\System32\cmd.exe" /c cscript //nologo "C:\Program Files\Microsoft Office\Office16\ospp.vbs" /setprt:1688
            PID: 528
            [4] C:\Windows\system32\cscript.exe
                Command line: cscript //nologo "C:\Program Files\Microsoft Office\Office16\ospp.vbs" /setprt:1688
                PID: 2580
        [3] C:\Windows\System32\cmd.exe
            Command line: "C:\Windows\System32\cmd.exe" /c cscript //nologo "C:\Program Files\Microsoft Office\Office16\ospp.vbs" /act
            PID: 4476
            [4] C:\Windows\system32\cscript.exe
                Command line: cscript //nologo "C:\Program Files\Microsoft Office\Office16\ospp.vbs" /act
                PID: 872
        [3] C:\Windows\System32\cmd.exe
            Command line: "C:\Windows\System32\cmd.exe" /c sc.exe stop KMSEmulator
            PID: 4876
            [4] C:\Windows\system32\sc.exe
                Command line: sc.exe stop KMSEmulator
                - Launches sc.exe
                PID: 4204
        [3] C:\Windows\System32\cmd.exe
            Command line: "C:\Windows\System32\cmd.exe" /c sc.exe delete KMSEmulator
            PID: 4748
            [4] C:\Windows\system32\sc.exe
                Command line: sc.exe delete KMSEmulator
                - Launches sc.exe
                PID: 3840
        [3] C:\Windows\System32\cmd.exe
            Command line: "C:\Windows\System32\cmd.exe" /c route delete 10.3.0.20 0.0.0.0
            PID: 3556
            [4] C:\Windows\system32\ROUTE.EXE
                Command line: route delete 10.3.0.20 0.0.0.0
                PID: 876
        [3] C:\Windows\System32\cmd.exe
            Command line: "C:\Windows\System32\cmd.exe" /c taskkill.exe /t /f /IM FakeClient.exe
            PID: 5028
            [4] C:\Windows\system32\taskkill.exe
                Command line: taskkill.exe /t /f /IM FakeClient.exe
                - Kills process with taskkill
                PID: 3952
        [3] C:\Windows\System32\cmd.exe
            Command line: "C:\Windows\System32\cmd.exe" /c sc.exe stop WinDivert1.3
            PID: 4124
            [4] C:\Windows\system32\sc.exe
                Command line: sc.exe stop WinDivert1.3
                - Launches sc.exe
                PID: 4456
        [3] C:\Windows\System32\cmd.exe
            Command line: "C:\Windows\System32\cmd.exe" /c sc.exe delete WinDivert1.3
            PID: 5080
            [4] C:\Windows\system32\sc.exe
                Command line: sc.exe delete WinDivert1.3
                - Launches sc.exe
                PID: 4432
        [3] C:\Windows\System32\cmd.exe
            Command line: "C:\Windows\System32\cmd.exe" /c Netsh.exe Advfirewall Firewall delete rule name=0pen_Port_KMS protocol=TCP
            PID: 1692
            [4] C:\Windows\system32\netsh.exe
                Command line: Netsh.exe Advfirewall Firewall delete rule name=0pen_Port_KMS protocol=TCP
                - Modifies Windows Firewall
                PID: 688
        [3] C:\Windows\System32\cmd.exe
            Command line: "C:\Windows\System32\cmd.exe" /c Netsh.exe Advfirewall Firewall delete rule name=0pen_Port_KMS2 protocol=TCP
            PID: 1476
            [4] C:\Windows\system32\netsh.exe
                Command line: Netsh.exe Advfirewall Firewall delete rule name=0pen_Port_KMS2 protocol=TCP
                - Modifies Windows Firewall
                PID: 4540
[1] C:\Windows\system32\AUDIODG.EXE
    Command line: C:\Windows\system32\AUDIODG.EXE 0x3dc 0x254
    - Suspicious use of AdjustPrivilegeToken
    PID: 1556
[1] C:\Windows\Temp\KMSAuto_Files\bin\KMSSS.exe
    Command line: "C:\Windows\Temp\KMSAuto_Files\bin\KMSSS.exe" -Port 1688 -PWin RandomKMSPID -PO14 RandomKMSPID -PO15 RandomKMSPID -PO16 RandomKMSPID -AI 43200 -RI 43200 KillProcessOnPort -Log -IP
    - Executes dropped EXE
    PID: 4704
[1] C:\Windows\Temp\KMSAuto_Files\bin\KMSSS.exe
    Command line: "C:\Windows\Temp\KMSAuto_Files\bin\KMSSS.exe" -Port 1688 -PWin RandomKMSPID -PO14 RandomKMSPID -PO15 RandomKMSPID -PO16 RandomKMSPID -AI 43200 -RI 43200 KillProcessOnPort -Log -IP
    - Executes dropped EXE
    PID: 4836
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (3)
  - Windows Service (3)
Privilege Escalation
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (3)
  - Windows Service (3)
Downloads
- Filesize: 323KB
  MD5: 05624e6d27eaef0db0673ae627bd6027
  SHA1: b155c76bf59992a8d75d0e3a59dc94f24aff2591
  SHA256: 962a92821f54a1e706aa989973130fdc1072c7bd8b9e6d11ea1050b46eb9d313
  SHA512: 233304669aefeec9ad5d19bd2dd5bb19ea35ce31da0b3aabe5ab859259608a58725fac5993637c9635e5912138d3eb477773351f0ee81cc3ce756d713163cf31
- Filesize: 12KB
  MD5: 0e6c873a80940c9729bc8017ad67b2de
  SHA1: 605b85c8908b29c98bb849e4aed5a3f22d0a5530
  SHA256: 9f54832295773b42a75ca9c2e59491941554cafb77e4285dfeed2ddb4de2efe2
  SHA512: 81a76c359e64d974e7fd4773a260ba18eb7f1ddb96b90e391bec98aa67f5b8b4ec175045864c2782f988649e2fa9b2e12b88b46655371adba2ba0f25b7031cd1
- Filesize: 139KB
  MD5: 3903bcab32a4a853dfa54962112d4d02
  SHA1: ba6433fba48797cd43463441358004ac81b76a8b
  SHA256: 95fc646d222d324db46f603a7f675c329fe59a567ed27fdaed2a572a19206816
  SHA512: db27b16ec8f8139c44c433d51350fbda6c8f8113e2e8178ff53298b4dace5ef93d65d7cc422f5a2d544d053471c36392da4acd2b7da8af38bb42344db70dbe0a
- Filesize: 33KB
  MD5: 463c7ce8e2ec2c33536e9697c0eeba7d
  SHA1: 8aba9b67484c647a9a01cac8c7a7170f1e7fe0a5
  SHA256: d3ed9d3b8dd6a6a8dfa0a9bb02374b079e8e0c33e600677ef15bfa19264c4f04
  SHA512: 4f175d6ac12e53b32e8baaad058eda33378c5c0ca67c06ae77b5d7b4a1344d70a2a8e932a71c510a038fb6b19e2c280921bcfc64ed62a7906264844f7f121c41
- Filesize: 773B
  MD5: 38b69663135e1573b4ed19cd9b8d1614
  SHA1: ee7f16857df7e5872554c0b1f0506a5c11537ee4
  SHA256: fc9c013b2e278f707bfe46510d5ed9289716590721c241905eadb96c39adcb1c
  SHA512: 953519d859b0d50ae7d2f512d84bcc2f5309ae96da08c4401542b602a3b77ea176501fe812a9ad63fc4781aad043c17f4f9014a90d7e4a5fbfd3c1590fdacb55
- Filesize: 773B
  MD5: 710a93dcafcb7349ed6eb069bfc7a3ad
  SHA1: 7a7fed1e878d7977eadaea52663f7c9274ca3cc8
  SHA256: 3ff7c4885db3ba4ff6c6330bafe6ae6cf3cf6b4d4b9ee0743b3ace18e0dae277
  SHA512: 6369edc21ed6e5d975837af632736af3180ff823fee3df2f6cf05c2d71678a575672db4f4289356b3fa74b69551e01ed80f697637e18f40fe8ba4ac378365743
- Filesize: 10KB
  MD5: 6241a145a6bc3511e7690dcf107cefd8
  SHA1: 3052b10e7356bbb71a0519d9c089ce5ae18d4b6c
  SHA256: 2218293e4442deb06e398aa0357aef54df377b95e46b6ed79b48b65b666c9405
  SHA512: 8826f64b587df90b7990aed548644bd76e14c95763fe0175901f6d72e05666372a1694013a92b8b6da7a643aabc43df0dbd1703117667cfed2955a19845c4b83
- Filesize: 22KB
  MD5: ee42f18f56e8ab20103d0eacc6cb3056
  SHA1: 8f75e1e7d1d1982d8bd57026d76fade124fe51f9
  SHA256: d0d8e5806952ce8f321d106551c680afe5a074cb9366a54282ff83397c64c27f
  SHA512: 7823620af8ec86b4dc4f4e5c77c7adf6bbf44405f6074629261c2067691dc72521fca44066f998033f40b8ef79b2361a7d5ada1e16c48943fab8e1a7c5f508e7