2e602dde39873af0f333245f1b71f90ba06c2a0c90a8a62debea4cb06d531b53

Analysis

max time kernel
147s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
19/03/2024, 15:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

KMSTools Lite.exe
Size

29.7MB
MD5

006385f066a2b5a32d2acf72aa4c5099
SHA1

1d594fbb0de15097ca45b69320dee240cc2eacac
SHA256

2e602dde39873af0f333245f1b71f90ba06c2a0c90a8a62debea4cb06d531b53
SHA512

0e11cc7879359fa968f1507e7b15885a5d67b10b3389fd4c4439b63fa69ba872736a01710ff78e24bd23b8d4dc8e0bf027642d0fc58d4e89af90fc4baac3746c
SSDEEP

786432:+56YPkl2yWK9G3gbiSL4I6bPWfa66QFD9WGto8XI1f1s:+56swuJ3gOLWfabcbXUf

Score

9^/10

evasion persistence

Malware Config

Signatures

Nirsoft 2 IoCs

resource	yara_rule
behavioral1/memory/2592-21-0x000001BD7CB00000-0x000001BD7CF10000-memory.dmp	Nirsoft
behavioral1/files/0x00070000000234dd-71.dat	Nirsoft

Modifies Windows Firewall 2 TTPs 8 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
368	Netsh.exe
3036	Netsh.exe
3772	Netsh.exe
216	Netsh.exe
2308	Netsh.exe
4032	Netsh.exe
4048	Netsh.exe
1096	Netsh.exe

Sets file execution options in registry 2 TTPs 48 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osppsvc.exe	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osppsvc.exe\KMS_ActivationInterval = "120"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.exe	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.exe	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osppsvc.exe	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.exe\KMS_HWID = "11176813417530261616"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osppsvc.exe\KMS_Emulation = "1"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osppsvc.exe	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osppsvc.exe\KMS_RenewalInterval = "10080"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.exe	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osppsvc.exe\KMS_RenewalInterval = "10080"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.exe	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.exe	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osppsvc.exe	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.exe\KMS_ActivationInterval = "120"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osppsvc.exe	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osppsvc.exe	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osppsvc.exe	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osppsvc.exe	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osppsvc.exe\VerifierDlls = "SppExtComObjHook.dll"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.exe\VerifierDlls = "SppExtComObjHook.dll"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.exe\KMS_ActivationInterval = "120"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.exe	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.exe\KMS_RenewalInterval = "10080"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.exe	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.exe\GlobalFlag = "256"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.exe\VerifierDlls = "SppExtComObjHook.dll"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.exe	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osppsvc.exe\GlobalFlag = "256"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.exe\GlobalFlag = "256"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.exe	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osppsvc.exe\GlobalFlag = "256"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osppsvc.exe	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.exe	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.exe	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.exe\KMS_HWID = "11176813417530261616"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.exe\KMS_Emulation = "1"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osppsvc.exe	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osppsvc.exe\VerifierDlls = "SppExtComObjHook.dll"	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osppsvc.exe	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.exe\KMS_RenewalInterval = "10080"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osppsvc.exe\KMS_Emulation = "1"	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osppsvc.exe	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.exe	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.exe	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.exe	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.exe\KMS_Emulation = "1"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osppsvc.exe\KMS_ActivationInterval = "120"	reg.exe

Stops running service(s) 3 TTPs
evasion

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Executes dropped EXE 4 IoCs

pid	Process
696	7zaxxx.exe
2592	KMSoffline_x64.exe
2820	7zaxxx.exe
3300	W10DigitalActivation_x64.exe

Loads dropped DLL 2 IoCs

pid	Process
3960	Process not Found
744	Process not Found

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\System32\SppExtComObjHook.dll	cmd.exe
File opened for modification	C:\Windows\System32\SppExtComObjHook.dll	cmd.exe
File created	C:\Windows\System32\SppExtComObjHook.dll	cmd.exe
File opened for modification	C:\Windows\System32\SppExtComObjHook.dll	cmd.exe

Launches sc.exe 12 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
3520	sc.exe
2436	sc.exe
2440	sc.exe
748	sc.exe
2968	sc.exe
1108	sc.exe
2612	sc.exe
1964	sc.exe
720	sc.exe
1328	sc.exe
1364	sc.exe
4556	sc.exe

Kills process with taskkill 12 IoCs

evasion

pid	Process
976	taskkill.exe
4612	taskkill.exe
3860	taskkill.exe
1924	taskkill.exe
4792	taskkill.exe
1528	taskkill.exe
2972	taskkill.exe
4504	taskkill.exe
4556	taskkill.exe
1028	taskkill.exe
4808	taskkill.exe
2480	taskkill.exe

Runs net.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4596	KMSTools Lite.exe

Suspicious use of AdjustPrivilegeToken 23 IoCs

description	pid	Process
Token: 33	1576	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1576	AUDIODG.EXE
Token: SeRestorePrivilege	696	7zaxxx.exe
Token: 35	696	7zaxxx.exe
Token: SeSecurityPrivilege	696	7zaxxx.exe
Token: SeSecurityPrivilege	696	7zaxxx.exe
Token: SeDebugPrivilege	2592	KMSoffline_x64.exe
Token: SeDebugPrivilege	976	taskkill.exe
Token: SeDebugPrivilege	2972	taskkill.exe
Token: SeDebugPrivilege	4612	taskkill.exe
Token: SeDebugPrivilege	3860	taskkill.exe
Token: SeDebugPrivilege	4504	taskkill.exe
Token: SeDebugPrivilege	4556	taskkill.exe
Token: SeDebugPrivilege	1028	taskkill.exe
Token: SeDebugPrivilege	4808	taskkill.exe
Token: SeDebugPrivilege	1924	taskkill.exe
Token: SeDebugPrivilege	2480	taskkill.exe
Token: SeDebugPrivilege	4792	taskkill.exe
Token: SeDebugPrivilege	1528	taskkill.exe
Token: SeRestorePrivilege	2820	7zaxxx.exe
Token: 35	2820	7zaxxx.exe
Token: SeSecurityPrivilege	2820	7zaxxx.exe
Token: SeSecurityPrivilege	2820	7zaxxx.exe

Suspicious use of FindShellTrayWindow 9 IoCs

pid	Process
4596	KMSTools Lite.exe
4596	KMSTools Lite.exe
4596	KMSTools Lite.exe
4596	KMSTools Lite.exe
4596	KMSTools Lite.exe
2592	KMSoffline_x64.exe
4596	KMSTools Lite.exe
4596	KMSTools Lite.exe
3300	W10DigitalActivation_x64.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
4596	KMSTools Lite.exe
4596	KMSTools Lite.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4596 wrote to memory of 3064	4596	KMSTools Lite.exe	91
PID 4596 wrote to memory of 3064	4596	KMSTools Lite.exe	91
PID 4596 wrote to memory of 696	4596	KMSTools Lite.exe	102
PID 4596 wrote to memory of 696	4596	KMSTools Lite.exe	102
PID 4596 wrote to memory of 696	4596	KMSTools Lite.exe	102
PID 4596 wrote to memory of 2592	4596	KMSTools Lite.exe	104
PID 4596 wrote to memory of 2592	4596	KMSTools Lite.exe	104
PID 2592 wrote to memory of 3908	2592	KMSoffline_x64.exe	108
PID 2592 wrote to memory of 3908	2592	KMSoffline_x64.exe	108
PID 2592 wrote to memory of 684	2592	KMSoffline_x64.exe	110
PID 2592 wrote to memory of 684	2592	KMSoffline_x64.exe	110
PID 2592 wrote to memory of 4872	2592	KMSoffline_x64.exe	112
PID 2592 wrote to memory of 4872	2592	KMSoffline_x64.exe	112
PID 2592 wrote to memory of 2744	2592	KMSoffline_x64.exe	114
PID 2592 wrote to memory of 2744	2592	KMSoffline_x64.exe	114
PID 2592 wrote to memory of 1144	2592	KMSoffline_x64.exe	116
PID 2592 wrote to memory of 1144	2592	KMSoffline_x64.exe	116
PID 1144 wrote to memory of 1964	1144	cmd.exe	118
PID 1144 wrote to memory of 1964	1144	cmd.exe	118
PID 2592 wrote to memory of 1784	2592	KMSoffline_x64.exe	119
PID 2592 wrote to memory of 1784	2592	KMSoffline_x64.exe	119
PID 1784 wrote to memory of 4260	1784	cmd.exe	121
PID 1784 wrote to memory of 4260	1784	cmd.exe	121
PID 4260 wrote to memory of 4980	4260	net.exe	122
PID 4260 wrote to memory of 4980	4260	net.exe	122
PID 2592 wrote to memory of 976	2592	KMSoffline_x64.exe	123
PID 2592 wrote to memory of 976	2592	KMSoffline_x64.exe	123
PID 2592 wrote to memory of 4896	2592	KMSoffline_x64.exe	125
PID 2592 wrote to memory of 4896	2592	KMSoffline_x64.exe	125
PID 2592 wrote to memory of 772	2592	KMSoffline_x64.exe	127
PID 2592 wrote to memory of 772	2592	KMSoffline_x64.exe	127
PID 2592 wrote to memory of 4884	2592	KMSoffline_x64.exe	129
PID 2592 wrote to memory of 4884	2592	KMSoffline_x64.exe	129
PID 2592 wrote to memory of 2392	2592	KMSoffline_x64.exe	131
PID 2592 wrote to memory of 2392	2592	KMSoffline_x64.exe	131
PID 2592 wrote to memory of 1568	2592	KMSoffline_x64.exe	133
PID 2592 wrote to memory of 1568	2592	KMSoffline_x64.exe	133
PID 2592 wrote to memory of 228	2592	KMSoffline_x64.exe	135
PID 2592 wrote to memory of 228	2592	KMSoffline_x64.exe	135
PID 2592 wrote to memory of 1512	2592	KMSoffline_x64.exe	137
PID 2592 wrote to memory of 1512	2592	KMSoffline_x64.exe	137
PID 2592 wrote to memory of 1664	2592	KMSoffline_x64.exe	139
PID 2592 wrote to memory of 1664	2592	KMSoffline_x64.exe	139
PID 2592 wrote to memory of 1864	2592	KMSoffline_x64.exe	141
PID 2592 wrote to memory of 1864	2592	KMSoffline_x64.exe	141
PID 2592 wrote to memory of 2340	2592	KMSoffline_x64.exe	143
PID 2592 wrote to memory of 2340	2592	KMSoffline_x64.exe	143
PID 2592 wrote to memory of 4048	2592	KMSoffline_x64.exe	145
PID 2592 wrote to memory of 4048	2592	KMSoffline_x64.exe	145
PID 2592 wrote to memory of 1096	2592	KMSoffline_x64.exe	147
PID 2592 wrote to memory of 1096	2592	KMSoffline_x64.exe	147
PID 2592 wrote to memory of 3288	2592	KMSoffline_x64.exe	149
PID 2592 wrote to memory of 3288	2592	KMSoffline_x64.exe	149
PID 3288 wrote to memory of 2436	3288	cmd.exe	151
PID 3288 wrote to memory of 2436	3288	cmd.exe	151
PID 2592 wrote to memory of 4920	2592	KMSoffline_x64.exe	152
PID 2592 wrote to memory of 4920	2592	KMSoffline_x64.exe	152
PID 4920 wrote to memory of 2820	4920	cmd.exe	154
PID 4920 wrote to memory of 2820	4920	cmd.exe	154
PID 2820 wrote to memory of 2416	2820	net.exe	155
PID 2820 wrote to memory of 2416	2820	net.exe	155
PID 2592 wrote to memory of 2972	2592	KMSoffline_x64.exe	156
PID 2592 wrote to memory of 2972	2592	KMSoffline_x64.exe	156
PID 2592 wrote to memory of 1260	2592	KMSoffline_x64.exe	158

C:\Users\Admin\AppData\Local\Temp\KMSTools Lite.exe
"C:\Users\Admin\AppData\Local\Temp\KMSTools Lite.exe"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4596
- C:\Windows\system32\cmd.exe
  "C:\Windows\Sysnative\cmd.exe" /c copy C:\Windows\system32\Tasks\KMSTools "C:\Users\Admin\AppData\Local\Temp\KMSTools.tmp" /Y
  2⤵
  PID:3064
- C:\Users\Admin\AppData\Local\Temp\7zaxxx.exe
  "C:\Users\Admin\AppData\Local\Temp\7zaxxx.exe" x data.pak -pratiboruskmstoolsruboard01522024 -y -bsp1 -aos -o"C:\Users\Admin\AppData\Local\Temp\Programs" "KMSoffline"*
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:696
- C:\Users\Admin\AppData\Local\Temp\Programs\KMSoffline\KMSoffline_x64.exe
  "C:\Users\Admin\AppData\Local\Temp\Programs\KMSoffline\KMSoffline_x64.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:2592
- - C:\Windows\System32\reg.exe
    "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /f /v KeyManagementServiceName /t REG_SZ /d 10.3.0.20
    3⤵
    PID:3908
- - C:\Windows\System32\reg.exe
    "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /f /v KeyManagementServicePort /t REG_SZ /d 1688
    3⤵
    PID:684
- - C:\Windows\System32\reg.exe
    "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /f /v KeyManagementServiceName /t REG_SZ /d 10.3.0.20
    3⤵
    PID:4872
- - C:\Windows\System32\reg.exe
    "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /f /v KeyManagementServicePort /t REG_SZ /d 1688
    3⤵
    PID:2744
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c sc.exe stop SppExtComObj.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1144
  - - C:\Windows\System32\sc.exe
      sc.exe stop SppExtComObj.exe
      4⤵
      Launches sc.exe
      PID:1964
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c net.exe stop SppExtComObj.exe /y
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1784
  - - C:\Windows\System32\net.exe
      net.exe stop SppExtComObj.exe /y
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4260
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop SppExtComObj.exe /y
        5⤵
        
        PID:4980
- - C:\Windows\System32\taskkill.exe
    "C:\Windows\System32\taskkill.exe" /t /f /IM SppExtComObj.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:976
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c copy "C:\Users\Admin\AppData\Local\Temp\SppExtComObjHook.dll" "C:\Windows\System32\SppExtComObjHook.dll" /Y
    3⤵
    - Drops file in System32 directory
    PID:4896
- - C:\Windows\System32\reg.exe
    "C:\Windows\System32\reg.exe" delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.exe" /f /v "Debugger"
    3⤵
    PID:772
- - C:\Windows\System32\reg.exe
    "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.exe" /f /v "KMS_Emulation" /t REG_DWORD /d 1
    3⤵
    - Sets file execution options in registry
    PID:4884
- - C:\Windows\System32\reg.exe
    "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.exe" /f /v "GlobalFlag" /t REG_DWORD /d 256
    3⤵
    - Sets file execution options in registry
    PID:2392
- - C:\Windows\System32\reg.exe
    "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.exe" /f /v "KMS_ActivationInterval" /t REG_DWORD /d 120
    3⤵
    - Sets file execution options in registry
    PID:1568
- - C:\Windows\System32\reg.exe
    "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.exe" /f /v "KMS_RenewalInterval" /t REG_DWORD /d 10080
    3⤵
    - Sets file execution options in registry
    PID:228
- - C:\Windows\System32\reg.exe
    "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.exe" /f /v "VerifierDlls" /t REG_SZ /d "SppExtComObjHook.dll"
    3⤵
    - Sets file execution options in registry
    PID:1512
- - C:\Windows\System32\reg.exe
    "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.exe" /f /v "KMS_HWID" /t REG_QWORD /d 0x9B1C049600B60070
    3⤵
    - Sets file execution options in registry
    PID:1664
- - C:\Windows\System32\reg.exe
    "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /f /v KeyManagementServiceName /t REG_SZ /d 10.3.0.20
    3⤵
    PID:1864
- - C:\Windows\System32\reg.exe
    "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /f /v KeyManagementServicePort /t REG_SZ /d 1688
    3⤵
    PID:2340
- - C:\Windows\System32\Netsh.exe
    "C:\Windows\System32\Netsh.exe" Advfirewall Firewall delete rule name=0pen_Port_KMS protocol=TCP
    3⤵
    - Modifies Windows Firewall
    PID:4048
- - C:\Windows\System32\Netsh.exe
    "C:\Windows\System32\Netsh.exe" Advfirewall Firewall add rule name=0pen_Port_KMS dir=in action=allow protocol=TCP localport=1688
    3⤵
    - Modifies Windows Firewall
    PID:1096
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c sc.exe stop osppsvc.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3288
  - - C:\Windows\System32\sc.exe
      sc.exe stop osppsvc.exe
      4⤵
      Launches sc.exe
      PID:2436
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c net.exe stop osppsvc.exe /y
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4920
  - - C:\Windows\System32\net.exe
      net.exe stop osppsvc.exe /y
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2820
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop osppsvc.exe /y
        5⤵
        
        PID:2416
- - C:\Windows\System32\taskkill.exe
    "C:\Windows\System32\taskkill.exe" /t /f /IM osppsvc.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2972
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c copy "C:\Users\Admin\AppData\Local\Temp\SppExtComObjHook.dll" "C:\Windows\System32\SppExtComObjHook.dll" /Y
    3⤵
    PID:1260
- - C:\Windows\System32\reg.exe
    "C:\Windows\System32\reg.exe" delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osppsvc.exe" /f /v "Debugger"
    3⤵
    PID:3192
- - C:\Windows\System32\reg.exe
    "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osppsvc.exe" /f /v "KMS_Emulation" /t REG_DWORD /d 1
    3⤵
    - Sets file execution options in registry
    PID:1772
- - C:\Windows\System32\reg.exe
    "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osppsvc.exe" /f /v "GlobalFlag" /t REG_DWORD /d 256
    3⤵
    - Sets file execution options in registry
    PID:216
- - C:\Windows\System32\reg.exe
    "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osppsvc.exe" /f /v "KMS_ActivationInterval" /t REG_DWORD /d 120
    3⤵
    - Sets file execution options in registry
    PID:696
- - C:\Windows\System32\reg.exe
    "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osppsvc.exe" /f /v "KMS_RenewalInterval" /t REG_DWORD /d 10080
    3⤵
    - Sets file execution options in registry
    PID:4584
- - C:\Windows\System32\reg.exe
    "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osppsvc.exe" /f /v "VerifierDlls" /t REG_SZ /d "SppExtComObjHook.dll"
    3⤵
    - Sets file execution options in registry
    PID:4792
- - C:\Windows\System32\reg.exe
    "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform" /f /v KeyManagementServiceName /t REG_SZ /d 10.3.0.20
    3⤵
    PID:3504
- - C:\Windows\System32\reg.exe
    "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform" /f /v KeyManagementServicePort /t REG_SZ /d 1688
    3⤵
    PID:3548
- - C:\Windows\System32\reg.exe
    "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /f /v KeyManagementServiceName /t REG_SZ /d 10.3.0.20
    3⤵
    PID:1664
- - C:\Windows\System32\reg.exe
    "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /f /v KeyManagementServicePort /t REG_SZ /d 1688
    3⤵
    PID:744
- - C:\Windows\System32\Netsh.exe
    "C:\Windows\System32\Netsh.exe" Advfirewall Firewall delete rule name=0pen_Port_KMS protocol=TCP
    3⤵
    - Modifies Windows Firewall
    PID:368
- - C:\Windows\System32\Netsh.exe
    "C:\Windows\System32\Netsh.exe" Advfirewall Firewall add rule name=0pen_Port_KMS dir=in action=allow protocol=TCP localport=1688
    3⤵
    - Modifies Windows Firewall
    PID:3036
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c sc.exe stop SppExtComObj.exe
    3⤵
    PID:4060
  - - C:\Windows\System32\sc.exe
      sc.exe stop SppExtComObj.exe
      4⤵
      Launches sc.exe
      PID:720
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c net.exe stop SppExtComObj.exe /y
    3⤵
    PID:4984
  - - C:\Windows\System32\net.exe
      net.exe stop SppExtComObj.exe /y
      4⤵
      PID:2968
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop SppExtComObj.exe /y
        5⤵
        
        PID:1448
- - C:\Windows\System32\taskkill.exe
    "C:\Windows\System32\taskkill.exe" /t /f /IM SppExtComObj.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4612
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c sc.exe stop sppsvc
    3⤵
    PID:2120
  - - C:\Windows\System32\sc.exe
      sc.exe stop sppsvc
      4⤵
      Launches sc.exe
      PID:2440
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c net.exe stop sppsvc /y
    3⤵
    PID:4576
  - - C:\Windows\System32\net.exe
      net.exe stop sppsvc /y
      4⤵
      PID:3676
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop sppsvc /y
        5⤵
        
        PID:3776
- - C:\Windows\System32\taskkill.exe
    "C:\Windows\System32\taskkill.exe" /t /f /IM sppsvc
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3860
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c del "C:\Windows\System32\SppExtComObjHook.dll" /F /Q
    3⤵
    PID:2340
- - C:\Windows\System32\reg.exe
    "C:\Windows\System32\reg.exe" delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.exe" /f
    3⤵
    - Sets file execution options in registry
    PID:4500
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c sc.exe stop osppsvc.exe
    3⤵
    PID:3588
  - - C:\Windows\System32\sc.exe
      sc.exe stop osppsvc.exe
      4⤵
      Launches sc.exe
      PID:1328
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c net.exe stop osppsvc.exe /y
    3⤵
    PID:3692
  - - C:\Windows\System32\net.exe
      net.exe stop osppsvc.exe /y
      4⤵
      PID:116
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop osppsvc.exe /y
        5⤵
        
        PID:1432
- - C:\Windows\System32\taskkill.exe
    "C:\Windows\System32\taskkill.exe" /t /f /IM osppsvc.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4504
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c sc.exe stop sppsvc
    3⤵
    PID:1664
  - - C:\Windows\System32\sc.exe
      sc.exe stop sppsvc
      4⤵
      Launches sc.exe
      PID:748
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c net.exe stop sppsvc /y
    3⤵
    PID:3520
  - - C:\Windows\System32\net.exe
      net.exe stop sppsvc /y
      4⤵
      PID:1768
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop sppsvc /y
        5⤵
        
        PID:4784
- - C:\Windows\System32\taskkill.exe
    "C:\Windows\System32\taskkill.exe" /t /f /IM sppsvc
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4556
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c del "C:\Windows\System32\SppExtComObjHook.dll" /F /Q
    3⤵
    PID:3960
- - C:\Windows\System32\reg.exe
    "C:\Windows\System32\reg.exe" delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osppsvc.exe" /f
    3⤵
    - Sets file execution options in registry
    PID:5052
- - C:\Windows\System32\reg.exe
    "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /f /v KeyManagementServiceName /t REG_SZ /d 10.3.0.20
    3⤵
    PID:1504
- - C:\Windows\System32\reg.exe
    "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /f /v KeyManagementServicePort /t REG_SZ /d 1688
    3⤵
    PID:4196
- - C:\Windows\System32\reg.exe
    "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /f /v KeyManagementServiceName /t REG_SZ /d 10.3.0.20
    3⤵
    PID:4836
- - C:\Windows\System32\reg.exe
    "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /f /v KeyManagementServicePort /t REG_SZ /d 1688
    3⤵
    PID:4336
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c sc.exe stop SppExtComObj.exe
    3⤵
    PID:4332
  - - C:\Windows\System32\sc.exe
      sc.exe stop SppExtComObj.exe
      4⤵
      Launches sc.exe
      PID:1364
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c net.exe stop SppExtComObj.exe /y
    3⤵
    PID:3636
  - - C:\Windows\System32\net.exe
      net.exe stop SppExtComObj.exe /y
      4⤵
      PID:3476
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop SppExtComObj.exe /y
        5⤵
        
        PID:4972
- - C:\Windows\System32\taskkill.exe
    "C:\Windows\System32\taskkill.exe" /t /f /IM SppExtComObj.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1028
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c copy "C:\Users\Admin\AppData\Local\Temp\SppExtComObjHook.dll" "C:\Windows\System32\SppExtComObjHook.dll" /Y
    3⤵
    - Drops file in System32 directory
    PID:1352
- - C:\Windows\System32\reg.exe
    "C:\Windows\System32\reg.exe" delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.exe" /f /v "Debugger"
    3⤵
    PID:1200
- - C:\Windows\System32\reg.exe
    "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.exe" /f /v "KMS_Emulation" /t REG_DWORD /d 1
    3⤵
    - Sets file execution options in registry
    PID:2940
- - C:\Windows\System32\reg.exe
    "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.exe" /f /v "GlobalFlag" /t REG_DWORD /d 256
    3⤵
    - Sets file execution options in registry
    PID:2032
- - C:\Windows\System32\reg.exe
    "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.exe" /f /v "KMS_ActivationInterval" /t REG_DWORD /d 120
    3⤵
    - Sets file execution options in registry
    PID:2996
- - C:\Windows\System32\reg.exe
    "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.exe" /f /v "KMS_RenewalInterval" /t REG_DWORD /d 10080
    3⤵
    - Sets file execution options in registry
    PID:2948
- - C:\Windows\System32\reg.exe
    "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.exe" /f /v "VerifierDlls" /t REG_SZ /d "SppExtComObjHook.dll"
    3⤵
    - Sets file execution options in registry
    PID:4056
- - C:\Windows\System32\reg.exe
    "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.exe" /f /v "KMS_HWID" /t REG_QWORD /d 0x9B1C049600B60070
    3⤵
    - Sets file execution options in registry
    PID:1988
- - C:\Windows\System32\reg.exe
    "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /f /v KeyManagementServiceName /t REG_SZ /d 10.3.0.20
    3⤵
    PID:4320
- - C:\Windows\System32\reg.exe
    "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /f /v KeyManagementServicePort /t REG_SZ /d 1688
    3⤵
    PID:2956
- - C:\Windows\System32\Netsh.exe
    "C:\Windows\System32\Netsh.exe" Advfirewall Firewall delete rule name=0pen_Port_KMS protocol=TCP
    3⤵
    - Modifies Windows Firewall
    PID:3772
- - C:\Windows\System32\Netsh.exe
    "C:\Windows\System32\Netsh.exe" Advfirewall Firewall add rule name=0pen_Port_KMS dir=in action=allow protocol=TCP localport=1688
    3⤵
    - Modifies Windows Firewall
    PID:216
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c sc.exe stop osppsvc.exe
    3⤵
    PID:1960
  - - C:\Windows\System32\sc.exe
      sc.exe stop osppsvc.exe
      4⤵
      Launches sc.exe
      PID:4556
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c net.exe stop osppsvc.exe /y
    3⤵
    PID:4484
  - - C:\Windows\System32\net.exe
      net.exe stop osppsvc.exe /y
      4⤵
      PID:4924
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop osppsvc.exe /y
        5⤵
        
        PID:2460
- - C:\Windows\System32\taskkill.exe
    "C:\Windows\System32\taskkill.exe" /t /f /IM osppsvc.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4808
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c copy "C:\Users\Admin\AppData\Local\Temp\SppExtComObjHook.dll" "C:\Windows\System32\SppExtComObjHook.dll" /Y
    3⤵
    PID:4604
- - C:\Windows\System32\reg.exe
    "C:\Windows\System32\reg.exe" delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osppsvc.exe" /f /v "Debugger"
    3⤵
    PID:4360
- - C:\Windows\System32\reg.exe
    "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osppsvc.exe" /f /v "KMS_Emulation" /t REG_DWORD /d 1
    3⤵
    - Sets file execution options in registry
    PID:2852
- - C:\Windows\System32\reg.exe
    "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osppsvc.exe" /f /v "GlobalFlag" /t REG_DWORD /d 256
    3⤵
    - Sets file execution options in registry
    PID:4576
- - C:\Windows\System32\reg.exe
    "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osppsvc.exe" /f /v "KMS_ActivationInterval" /t REG_DWORD /d 120
    3⤵
    - Sets file execution options in registry
    PID:4292
- - C:\Windows\System32\reg.exe
    "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osppsvc.exe" /f /v "KMS_RenewalInterval" /t REG_DWORD /d 10080
    3⤵
    - Sets file execution options in registry
    PID:3608
- - C:\Windows\System32\reg.exe
    "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osppsvc.exe" /f /v "VerifierDlls" /t REG_SZ /d "SppExtComObjHook.dll"
    3⤵
    - Sets file execution options in registry
    PID:2984
- - C:\Windows\System32\reg.exe
    "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform" /f /v KeyManagementServiceName /t REG_SZ /d 10.3.0.20
    3⤵
    PID:2468
- - C:\Windows\System32\reg.exe
    "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform" /f /v KeyManagementServicePort /t REG_SZ /d 1688
    3⤵
    PID:1580
- - C:\Windows\System32\reg.exe
    "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /f /v KeyManagementServiceName /t REG_SZ /d 10.3.0.20
    3⤵
    PID:976
- - C:\Windows\System32\reg.exe
    "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /f /v KeyManagementServicePort /t REG_SZ /d 1688
    3⤵
    PID:552
- - C:\Windows\System32\Netsh.exe
    "C:\Windows\System32\Netsh.exe" Advfirewall Firewall delete rule name=0pen_Port_KMS protocol=TCP
    3⤵
    - Modifies Windows Firewall
    PID:2308
- - C:\Windows\System32\Netsh.exe
    "C:\Windows\System32\Netsh.exe" Advfirewall Firewall add rule name=0pen_Port_KMS dir=in action=allow protocol=TCP localport=1688
    3⤵
    - Modifies Windows Firewall
    PID:4032
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c sc.exe stop SppExtComObj.exe
    3⤵
    PID:3228
  - - C:\Windows\System32\sc.exe
      sc.exe stop SppExtComObj.exe
      4⤵
      Launches sc.exe
      PID:2968
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c net.exe stop SppExtComObj.exe /y
    3⤵
    PID:2408
  - - C:\Windows\System32\net.exe
      net.exe stop SppExtComObj.exe /y
      4⤵
      PID:3200
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop SppExtComObj.exe /y
        5⤵
        
        PID:3812
- - C:\Windows\System32\taskkill.exe
    "C:\Windows\System32\taskkill.exe" /t /f /IM SppExtComObj.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1924
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c sc.exe stop sppsvc
    3⤵
    PID:2500
  - - C:\Windows\System32\sc.exe
      sc.exe stop sppsvc
      4⤵
      Launches sc.exe
      PID:1108
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c net.exe stop sppsvc /y
    3⤵
    PID:1360
  - - C:\Windows\System32\net.exe
      net.exe stop sppsvc /y
      4⤵
      PID:4052
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop sppsvc /y
        5⤵
        
        PID:4908
- - C:\Windows\System32\taskkill.exe
    "C:\Windows\System32\taskkill.exe" /t /f /IM sppsvc
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2480
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c del "C:\Windows\System32\SppExtComObjHook.dll" /F /Q
    3⤵
    PID:4324
- - C:\Windows\System32\reg.exe
    "C:\Windows\System32\reg.exe" delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.exe" /f
    3⤵
    - Sets file execution options in registry
    PID:4124
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c sc.exe stop osppsvc.exe
    3⤵
    PID:1600
  - - C:\Windows\System32\sc.exe
      sc.exe stop osppsvc.exe
      4⤵
      Launches sc.exe
      PID:2612
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c net.exe stop osppsvc.exe /y
    3⤵
    PID:2164
  - - C:\Windows\System32\net.exe
      net.exe stop osppsvc.exe /y
      4⤵
      PID:5024
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop osppsvc.exe /y
        5⤵
        
        PID:2768
- - C:\Windows\System32\taskkill.exe
    "C:\Windows\System32\taskkill.exe" /t /f /IM osppsvc.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4792
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c sc.exe stop sppsvc
    3⤵
    PID:4788
  - - C:\Windows\System32\sc.exe
      sc.exe stop sppsvc
      4⤵
      Launches sc.exe
      PID:3520
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c net.exe stop sppsvc /y
    3⤵
    PID:3616
  - - C:\Windows\System32\net.exe
      net.exe stop sppsvc /y
      4⤵
      PID:4032
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop sppsvc /y
        5⤵
        
        PID:2984
- - C:\Windows\System32\taskkill.exe
    "C:\Windows\System32\taskkill.exe" /t /f /IM sppsvc
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1528
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c del "C:\Windows\System32\SppExtComObjHook.dll" /F /Q
    3⤵
    PID:3960
- - C:\Windows\System32\reg.exe
    "C:\Windows\System32\reg.exe" delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osppsvc.exe" /f
    3⤵
    - Sets file execution options in registry
    PID:1196
- C:\Users\Admin\AppData\Local\Temp\7zaxxx.exe
  "C:\Users\Admin\AppData\Local\Temp\7zaxxx.exe" x data.pak -pratiboruskmstoolsruboard01522024 -y -bsp1 -aos -o"C:\Users\Admin\AppData\Local\Temp\Programs" "W10 Digital Activation Program"*
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2820
- C:\Users\Admin\AppData\Local\Temp\Programs\W10 Digital Activation Program\W10DigitalActivation_x64.exe
  "C:\Users\Admin\AppData\Local\Temp\Programs\W10 Digital Activation Program\W10DigitalActivation_x64.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of FindShellTrayWindow
  PID:3300
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c cscript.exe C:\Windows\System32\slmgr.vbs //NoLogo /ipk VK7JG-NPHTM-C97JM-9MPGT-3V66T
    3⤵
    PID:552
  - - C:\Windows\System32\cscript.exe
      cscript.exe C:\Windows\System32\slmgr.vbs //NoLogo /ipk VK7JG-NPHTM-C97JM-9MPGT-3V66T
      4⤵
      PID:1632
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c cscript.exe C:\Windows\System32\slmgr.vbs //NoLogo /xpr
    3⤵
    PID:4232
  - - C:\Windows\System32\cscript.exe
      cscript.exe C:\Windows\System32\slmgr.vbs //NoLogo /xpr
      4⤵
      PID:632

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x418 0x33c
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1576

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7zaxxx.exe

Filesize
628KB

MD5
ec79cabd55a14379e4d676bb17d9e3df

SHA1
15626d505da35bfdb33aea5c8f7831f616cabdba

SHA256
44a55f5d9c31d0990de47b9893e0c927478930cef06fbe2d1f520a6d6cba587d

SHA512
00bbb601a685cbfb3c51c1da9f3b77c2b318c79e87d88a31c0e215288101753679e1586b170ccc9c2cb0b5ce05c2090c0737a1e4a616ad1d9658392066196d47

Download Submit
C:\Users\Admin\AppData\Local\Temp\Programs\KMSoffline\KMSoffline.ini

Filesize
63B

MD5
1353e6dbb94a36c74958634258ba1857

SHA1
4e5af79d8e9415bff1b9510ecde7c9dd4ebf5179

SHA256
78d7bb6cded6169dba4350c7450c5da45ba95c5e4e94e7716b21777edd62a2a7

SHA512
961b4973db9e3d431305a54eb6556e70bb5e56ba0d7e7ca9be490e367e4cc8d4c6ab4632451cb47336c27259085982e58202390f5c1a034038b2e532815edf1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Programs\KMSoffline\KMSoffline_x64.exe

Filesize
317KB

MD5
4673bfa1973494ed7c114bf278df33bc

SHA1
23392ef71062187b4ed217a427fa2f4dfcc05d55

SHA256
e9c66c461ab81d41e2a3e740035830fc8ef334ee4098e23deb179fa449c6fe06

SHA512
a912758fa204abe990b3a18a8884ebd56fdedac8d62a226c725e9f85b8fbb708044bf95236a5f7c21cbebd7406ef507f90c441d0939c441457ea2ac7e0604da6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Programs\KMSoffline\KMSoffline_x64.exe

Filesize
392KB

MD5
e5cbc87dc74875d8c610f93b3d247ac6

SHA1
51a4109cc19dcc1173fee45abf167b051b5da9d4

SHA256
06d8d180d8a96688141f6f299e8e24790394b9673c4409b1c1cf3a892761a7aa

SHA512
8ece6b4d57057b4c2bc44d4078769a4e7332cd1e7afdba7f015ca4e504778379fa4a00205de9d38834eaa00bef4f134251aec063722d62a38f6db6fd183e3e00

Download Submit
C:\Users\Admin\AppData\Local\Temp\Programs\W10 Digital Activation Program\W10DigitalActivation_x64.exe

Filesize
5.0MB

MD5
fc13ccb4e96e3b0ca8015eee2d4347df

SHA1
25a3a37595a99112f443977632240ace6336263b

SHA256
d6a051f8119f9a95833aa7ea59eaf5b7fdb5abc65d9545b14ecd2095cba62e5c

SHA512
f2d43c27edd87529b7751ed572d6c2a57c37ecbfcf3a9011921d109a3edcfc5f397874b40af002d4a489297d645c344b74e39bea227059194e6e6871629f0d30

Download Submit
C:\Users\Admin\AppData\Local\Temp\SppExtComObjHook.dll

Filesize
18KB

MD5
95f143ec661a5da85c3c8199d9fe06e7

SHA1
94ee8c5856dc0570a8f12cd08ecb0560f3a61908

SHA256
f239c27b50cef792fea5b34378fbac83bcc06b8442d508bd9add7ddf8ca5c632

SHA512
0fe0304f4fd4810a6aab5f35410b195c44302332c721ebfdb1c87e3081ec98a9ea9ec796bb135883ddf2906d82db51d29e34017c989f4f8ad4e17bbb1b00781e

Download Submit
C:\Users\Admin\AppData\Local\Temp\data.pak

Filesize
7.6MB

MD5
6e8cee280d9aac8afed00122d5f1c1c4

SHA1
48a56b65a8ecbea9f234469c3b8a85f343577df4

SHA256
6ba94ebf49f3e9cdde6e848fcc8ac790140bcf3c04299929cc511c238d083328

SHA512
640969e9cebaf31cdc59e66e535a18a3c87166bca461a46480840b273394c98e05ae0441f4a1942523cbc1420b00654af8622938eff5748d7e9334df27f36deb

Download Submit
C:\Users\Admin\AppData\Local\Temp\data.pak

Filesize
5.6MB

MD5
b3a96648faef496e9b44da0e9346bad1

SHA1
0210f3b39088123de46753adbd74430f37b252da

SHA256
19f61b92cac74ae8e0136c8e829c224cf506c9debb0ed42911f5732fcc14ea3e

SHA512
99d93d5af0980230f081bacfaec61bfdbc360f6dcbb7e4198d9e301c956e276709b398bd82ece3a2cf89e3718957272dbd0d6bdc172b2b9f4965413b5da2337f

Download Submit
memory/2592-26-0x000001BD7AAB0000-0x000001BD7AAC0000-memory.dmp

Filesize
64KB

Download
memory/2592-18-0x00007FFFA25E0000-0x00007FFFA30A1000-memory.dmp

Filesize
10.8MB

Download
memory/2592-23-0x000001BD18810000-0x000001BD188BA000-memory.dmp

Filesize
680KB

Download
memory/2592-24-0x000001BD7E0F0000-0x000001BD7E112000-memory.dmp

Filesize
136KB

Download
memory/2592-22-0x000001BD7AA50000-0x000001BD7AAAC000-memory.dmp

Filesize
368KB

Download
memory/2592-25-0x000001BD7AAB0000-0x000001BD7AAC0000-memory.dmp

Filesize
64KB

Download
memory/2592-27-0x000001BD7AAB0000-0x000001BD7AAC0000-memory.dmp

Filesize
64KB

Download
memory/2592-29-0x000001BD1A730000-0x000001BD1A74E000-memory.dmp

Filesize
120KB

Download
memory/2592-28-0x000001BD1A6A0000-0x000001BD1A72A000-memory.dmp

Filesize
552KB

Download
memory/2592-21-0x000001BD7CB00000-0x000001BD7CF10000-memory.dmp

Filesize
4.1MB

Download
memory/2592-32-0x00007FFFA25E0000-0x00007FFFA30A1000-memory.dmp

Filesize
10.8MB

Download
memory/2592-33-0x000001BD7AAB0000-0x000001BD7AAC0000-memory.dmp

Filesize
64KB

Download
memory/2592-34-0x000001BD7AAB0000-0x000001BD7AAC0000-memory.dmp

Filesize
64KB

Download
memory/2592-35-0x000001BD7AAB0000-0x000001BD7AAC0000-memory.dmp

Filesize
64KB

Download
memory/2592-36-0x000001BD7AAB0000-0x000001BD7AAC0000-memory.dmp

Filesize
64KB

Download
memory/2592-20-0x000001BD7AAB0000-0x000001BD7AAC0000-memory.dmp

Filesize
64KB

Download
memory/2592-54-0x00007FFFA25E0000-0x00007FFFA30A1000-memory.dmp

Filesize
10.8MB

Download
memory/2592-19-0x000001BD7A9A0000-0x000001BD7A9A1000-memory.dmp

Filesize
4KB

Download
memory/2592-17-0x000001BD7A260000-0x000001BD7A60C000-memory.dmp

Filesize
3.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads