cb7075e0c6fd85aca009326634c1c2704a659e569b477339cac73370d5655dcb

Analysis

max time kernel
117s
max time network
129s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
07/04/2024, 20:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

KMSTools Lite.exe
Size

21.5MB
MD5

a993c2497dd9fdc67e5f5c2eca8a9cbd
SHA1

bc32a180a2c3a11f79e85050863d3570b5fc12fe
SHA256

cb7075e0c6fd85aca009326634c1c2704a659e569b477339cac73370d5655dcb
SHA512

c1ce8ec31c3db537f3d59a0f242790bc8bf90bf60941854e8fbe2b7d941503a0e5185219872e08de3e6bc57fbb9b9e3490f806a7e808126a5c0f14b4bb8c3e52
SSDEEP

393216:neWPB6YAYnUmDRX6ajZ3sU2za7gpyKHrCwdCKnuNAB6qnUEiNqK+8jnz3b/:b56YAYUmDRX6ajZ3sUca7giwvumADpLb

Score

9^/10

evasion

Malware Config

Signatures

Nirsoft 1 IoCs

resource	yara_rule
behavioral1/files/0x0007000000016d34-22.dat	Nirsoft

Modifies Windows Firewall 2 TTPs 64 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
1536	netsh.exe
1144	netsh.exe
2880	netsh.exe
2012	netsh.exe
1500	netsh.exe
1620	netsh.exe
1936	netsh.exe
2000	netsh.exe
632	netsh.exe
2860	netsh.exe
1132	netsh.exe
1372	netsh.exe
2576	netsh.exe
1620	netsh.exe
2480	netsh.exe
2792	netsh.exe
864	netsh.exe
1144	netsh.exe
2968	netsh.exe
2260	netsh.exe
2624	netsh.exe
2880	netsh.exe
1992	netsh.exe
2032	netsh.exe
2188	netsh.exe
2928	netsh.exe
1952	netsh.exe
936	netsh.exe
1824	netsh.exe
2604	netsh.exe
1680	netsh.exe
2956	netsh.exe
2060	netsh.exe
2904	netsh.exe
1772	netsh.exe
2132	netsh.exe
580	netsh.exe
688	netsh.exe
2900	netsh.exe
784	netsh.exe
1900	netsh.exe
2196	netsh.exe
676	netsh.exe
2884	netsh.exe
2276	netsh.exe
1500	netsh.exe
2184	netsh.exe
1132	netsh.exe
1092	netsh.exe
2184	netsh.exe
1620	netsh.exe
1760	netsh.exe
1772	netsh.exe
1368	netsh.exe
2456	netsh.exe
1760	netsh.exe
1068	netsh.exe
2032	netsh.exe
1320	netsh.exe
1052	netsh.exe
1016	netsh.exe
2440	netsh.exe
1344	netsh.exe
2584	netsh.exe

Executes dropped EXE 20 IoCs

pid	Process
2732	7zaxxx.exe
3000	AAct_Network_x64.exe
1372	test.exe
3016	test.exe
1172	test.exe
2836	test.exe
2076	test.exe
1644	test.exe
2056	test.exe
1620	test.exe
1536	test.exe
2752	test.exe
2928	test.exe
1116	test.exe
2144	test.exe
892	test.exe
2596	test.exe
2052	test.exe
2488	test.exe
1596	test.exe

Loads dropped DLL 3 IoCs

pid	Process
1584	KMSTools Lite.exe
1584	KMSTools Lite.exe
1584	KMSTools Lite.exe

Suspicious behavior: CmdExeWriteProcessMemorySpam 18 IoCs

pid	Process
1372	test.exe
3016	test.exe
1172	test.exe
2836	test.exe
2076	test.exe
1644	test.exe
2056	test.exe
1620	test.exe
1536	test.exe
2752	test.exe
2928	test.exe
1116	test.exe
2144	test.exe
892	test.exe
2596	test.exe
2052	test.exe
2488	test.exe
1596	test.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1584	KMSTools Lite.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeRestorePrivilege	2732	7zaxxx.exe
Token: 35	2732	7zaxxx.exe
Token: SeSecurityPrivilege	2732	7zaxxx.exe
Token: SeSecurityPrivilege	2732	7zaxxx.exe

Suspicious use of FindShellTrayWindow 9 IoCs

pid	Process
1584	KMSTools Lite.exe
1584	KMSTools Lite.exe
1584	KMSTools Lite.exe
1584	KMSTools Lite.exe
1584	KMSTools Lite.exe
3000	AAct_Network_x64.exe
3000	AAct_Network_x64.exe
3000	AAct_Network_x64.exe
3000	AAct_Network_x64.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
1584	KMSTools Lite.exe
1584	KMSTools Lite.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1584 wrote to memory of 2560	1584	KMSTools Lite.exe	28
PID 1584 wrote to memory of 2560	1584	KMSTools Lite.exe	28
PID 1584 wrote to memory of 2560	1584	KMSTools Lite.exe	28
PID 1584 wrote to memory of 2560	1584	KMSTools Lite.exe	28
PID 1584 wrote to memory of 2732	1584	KMSTools Lite.exe	30
PID 1584 wrote to memory of 2732	1584	KMSTools Lite.exe	30
PID 1584 wrote to memory of 2732	1584	KMSTools Lite.exe	30
PID 1584 wrote to memory of 2732	1584	KMSTools Lite.exe	30
PID 1584 wrote to memory of 3000	1584	KMSTools Lite.exe	32
PID 1584 wrote to memory of 3000	1584	KMSTools Lite.exe	32
PID 1584 wrote to memory of 3000	1584	KMSTools Lite.exe	32
PID 1584 wrote to memory of 3000	1584	KMSTools Lite.exe	32
PID 3000 wrote to memory of 1760	3000	AAct_Network_x64.exe	33
PID 3000 wrote to memory of 1760	3000	AAct_Network_x64.exe	33
PID 3000 wrote to memory of 1760	3000	AAct_Network_x64.exe	33
PID 1760 wrote to memory of 2180	1760	cmd.exe	35
PID 1760 wrote to memory of 2180	1760	cmd.exe	35
PID 1760 wrote to memory of 2180	1760	cmd.exe	35
PID 3000 wrote to memory of 2508	3000	AAct_Network_x64.exe	37
PID 3000 wrote to memory of 2508	3000	AAct_Network_x64.exe	37
PID 3000 wrote to memory of 2508	3000	AAct_Network_x64.exe	37
PID 2508 wrote to memory of 2800	2508	cmd.exe	39
PID 2508 wrote to memory of 2800	2508	cmd.exe	39
PID 2508 wrote to memory of 2800	2508	cmd.exe	39
PID 3000 wrote to memory of 2476	3000	AAct_Network_x64.exe	40
PID 3000 wrote to memory of 2476	3000	AAct_Network_x64.exe	40
PID 3000 wrote to memory of 2476	3000	AAct_Network_x64.exe	40
PID 2476 wrote to memory of 2624	2476	cmd.exe	42
PID 2476 wrote to memory of 2624	2476	cmd.exe	42
PID 2476 wrote to memory of 2624	2476	cmd.exe	42
PID 3000 wrote to memory of 1748	3000	AAct_Network_x64.exe	43
PID 3000 wrote to memory of 1748	3000	AAct_Network_x64.exe	43
PID 3000 wrote to memory of 1748	3000	AAct_Network_x64.exe	43
PID 1748 wrote to memory of 932	1748	cmd.exe	45
PID 1748 wrote to memory of 932	1748	cmd.exe	45
PID 1748 wrote to memory of 932	1748	cmd.exe	45
PID 3000 wrote to memory of 1972	3000	AAct_Network_x64.exe	46
PID 3000 wrote to memory of 1972	3000	AAct_Network_x64.exe	46
PID 3000 wrote to memory of 1972	3000	AAct_Network_x64.exe	46
PID 1972 wrote to memory of 1992	1972	cmd.exe	48
PID 1972 wrote to memory of 1992	1972	cmd.exe	48
PID 1972 wrote to memory of 1992	1972	cmd.exe	48
PID 3000 wrote to memory of 2632	3000	AAct_Network_x64.exe	49
PID 3000 wrote to memory of 2632	3000	AAct_Network_x64.exe	49
PID 3000 wrote to memory of 2632	3000	AAct_Network_x64.exe	49
PID 2632 wrote to memory of 2184	2632	cmd.exe	51
PID 2632 wrote to memory of 2184	2632	cmd.exe	51
PID 2632 wrote to memory of 2184	2632	cmd.exe	51
PID 3000 wrote to memory of 1568	3000	AAct_Network_x64.exe	52
PID 3000 wrote to memory of 1568	3000	AAct_Network_x64.exe	52
PID 3000 wrote to memory of 1568	3000	AAct_Network_x64.exe	52
PID 1568 wrote to memory of 1620	1568	cmd.exe	54
PID 1568 wrote to memory of 1620	1568	cmd.exe	54
PID 1568 wrote to memory of 1620	1568	cmd.exe	54
PID 3000 wrote to memory of 2264	3000	AAct_Network_x64.exe	55
PID 3000 wrote to memory of 2264	3000	AAct_Network_x64.exe	55
PID 3000 wrote to memory of 2264	3000	AAct_Network_x64.exe	55
PID 2264 wrote to memory of 1132	2264	cmd.exe	57
PID 2264 wrote to memory of 1132	2264	cmd.exe	57
PID 2264 wrote to memory of 1132	2264	cmd.exe	57
PID 3000 wrote to memory of 2308	3000	AAct_Network_x64.exe	58
PID 3000 wrote to memory of 2308	3000	AAct_Network_x64.exe	58
PID 3000 wrote to memory of 2308	3000	AAct_Network_x64.exe	58
PID 2308 wrote to memory of 2904	2308	cmd.exe	60

C:\Users\Admin\AppData\Local\Temp\KMSTools Lite.exe
"C:\Users\Admin\AppData\Local\Temp\KMSTools Lite.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1584
- C:\Windows\system32\cmd.exe
  "C:\Windows\Sysnative\cmd.exe" /c copy C:\Windows\system32\Tasks\KMSTools "C:\Users\Admin\AppData\Local\Temp\KMSTools.tmp" /Y
  2⤵
  PID:2560
- C:\Users\Admin\AppData\Local\Temp\7zaxxx.exe
  "C:\Users\Admin\AppData\Local\Temp\7zaxxx.exe" x data.pak -pratiboruskmstoolsruboard01222024 -y -bsp1 -aos -o"C:\Users\Admin\AppData\Local\Temp\Programs" "AAct Network"*
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2732
- C:\Users\Admin\AppData\Local\Temp\Programs\AAct Network\AAct_Network_x64.exe
  "C:\Users\Admin\AppData\Local\Temp\Programs\AAct Network\AAct_Network_x64.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:3000
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c cscript.exe C:\Windows\System32\slmgr.vbs //NoLogo /sdns
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1760
  - - C:\Windows\System32\cscript.exe
      cscript.exe C:\Windows\System32\slmgr.vbs //NoLogo /sdns
      4⤵
      PID:2180
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c cscript.exe C:\Windows\System32\slmgr.vbs //NoLogo /act-type 0
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2508
  - - C:\Windows\System32\cscript.exe
      cscript.exe C:\Windows\System32\slmgr.vbs //NoLogo /act-type 0
      4⤵
      PID:2800
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c cscript.exe C:\Windows\System32\slmgr.vbs //NoLogo /ckms
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2476
  - - C:\Windows\System32\cscript.exe
      cscript.exe C:\Windows\System32\slmgr.vbs //NoLogo /ckms
      4⤵
      PID:2624
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c cscript.exe C:\Windows\System32\slmgr.vbs //NoLogo /ckms-domain
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1748
  - - C:\Windows\System32\cscript.exe
      cscript.exe C:\Windows\System32\slmgr.vbs //NoLogo /ckms-domain
      4⤵
      PID:932
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c Netsh.exe Advfirewall Firewall delete rule name=AAct_Network protocol=TCP
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1972
  - - C:\Windows\system32\netsh.exe
      Netsh.exe Advfirewall Firewall delete rule name=AAct_Network protocol=TCP
      4⤵
      Modifies Windows Firewall
      PID:1992
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c Netsh.exe Advfirewall Firewall delete rule name=0pen_Port_KMS protocol=TCP
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2632
  - - C:\Windows\system32\netsh.exe
      Netsh.exe Advfirewall Firewall delete rule name=0pen_Port_KMS protocol=TCP
      4⤵
      Modifies Windows Firewall
      PID:2184
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c Netsh.exe Advfirewall Firewall add rule name=AAct_Network dir=in action=allow protocol=TCP program="C:\Users\Admin\AppData\Local\Temp\Programs\AAct Network\AAct_Network_x64.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1568
  - - C:\Windows\system32\netsh.exe
      Netsh.exe Advfirewall Firewall add rule name=AAct_Network dir=in action=allow protocol=TCP program="C:\Users\Admin\AppData\Local\Temp\Programs\AAct Network\AAct_Network_x64.exe"
      4⤵
      Modifies Windows Firewall
      PID:1620
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c Netsh.exe Advfirewall Firewall add rule name=AAct_Network dir=out action=allow protocol=TCP program="C:\Users\Admin\AppData\Local\Temp\Programs\AAct Network\AAct_Network_x64.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2264
  - - C:\Windows\system32\netsh.exe
      Netsh.exe Advfirewall Firewall add rule name=AAct_Network dir=out action=allow protocol=TCP program="C:\Users\Admin\AppData\Local\Temp\Programs\AAct Network\AAct_Network_x64.exe"
      4⤵
      Modifies Windows Firewall
      PID:1132
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c Netsh.exe Advfirewall Firewall add rule name=0pen_Port_KMS dir=in action=allow protocol=TCP localport=1688
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2308
  - - C:\Windows\system32\netsh.exe
      Netsh.exe Advfirewall Firewall add rule name=0pen_Port_KMS dir=in action=allow protocol=TCP localport=1688
      4⤵
      Modifies Windows Firewall
      PID:2904
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\test.exe kms.loli.best:1688 -l Windows -6
    3⤵
    PID:1368
  - - C:\Users\Admin\AppData\Local\Temp\test.exe
      C:\Users\Admin\AppData\Local\Temp\test.exe kms.loli.best:1688 -l Windows -6
      4⤵
      Executes dropped EXE
      Suspicious behavior: CmdExeWriteProcessMemorySpam
      PID:1372
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c Netsh.exe Advfirewall Firewall delete rule name=AAct_Network protocol=TCP
    3⤵
    PID:552
  - - C:\Windows\system32\netsh.exe
      Netsh.exe Advfirewall Firewall delete rule name=AAct_Network protocol=TCP
      4⤵
      Modifies Windows Firewall
      PID:1068
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c Netsh.exe Advfirewall Firewall delete rule name=0pen_Port_KMS protocol=TCP
    3⤵
    PID:1464
  - - C:\Windows\system32\netsh.exe
      Netsh.exe Advfirewall Firewall delete rule name=0pen_Port_KMS protocol=TCP
      4⤵
      Modifies Windows Firewall
      PID:2032
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c Netsh.exe Advfirewall Firewall add rule name=AAct_Network dir=in action=allow protocol=TCP program="C:\Users\Admin\AppData\Local\Temp\Programs\AAct Network\AAct_Network_x64.exe"
    3⤵
    PID:1016
  - - C:\Windows\system32\netsh.exe
      Netsh.exe Advfirewall Firewall add rule name=AAct_Network dir=in action=allow protocol=TCP program="C:\Users\Admin\AppData\Local\Temp\Programs\AAct Network\AAct_Network_x64.exe"
      4⤵
      Modifies Windows Firewall
      PID:1536
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c Netsh.exe Advfirewall Firewall add rule name=AAct_Network dir=out action=allow protocol=TCP program="C:\Users\Admin\AppData\Local\Temp\Programs\AAct Network\AAct_Network_x64.exe"
    3⤵
    PID:2060
  - - C:\Windows\system32\netsh.exe
      Netsh.exe Advfirewall Firewall add rule name=AAct_Network dir=out action=allow protocol=TCP program="C:\Users\Admin\AppData\Local\Temp\Programs\AAct Network\AAct_Network_x64.exe"
      4⤵
      Modifies Windows Firewall
      PID:1144
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c Netsh.exe Advfirewall Firewall add rule name=0pen_Port_KMS dir=in action=allow protocol=TCP localport=1688
    3⤵
    PID:1984
  - - C:\Windows\system32\netsh.exe
      Netsh.exe Advfirewall Firewall add rule name=0pen_Port_KMS dir=in action=allow protocol=TCP localport=1688
      4⤵
      Modifies Windows Firewall
      PID:1824
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\test.exe kms.digiboy.ir:1688 -l Windows -6
    3⤵
    PID:1052
  - - C:\Users\Admin\AppData\Local\Temp\test.exe
      C:\Users\Admin\AppData\Local\Temp\test.exe kms.digiboy.ir:1688 -l Windows -6
      4⤵
      Executes dropped EXE
      Suspicious behavior: CmdExeWriteProcessMemorySpam
      PID:3016
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c Netsh.exe Advfirewall Firewall delete rule name=AAct_Network protocol=TCP
    3⤵
    PID:2880
  - - C:\Windows\system32\netsh.exe
      Netsh.exe Advfirewall Firewall delete rule name=AAct_Network protocol=TCP
      4⤵
      PID:1976
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c Netsh.exe Advfirewall Firewall delete rule name=0pen_Port_KMS protocol=TCP
    3⤵
    PID:2012
  - - C:\Windows\system32\netsh.exe
      Netsh.exe Advfirewall Firewall delete rule name=0pen_Port_KMS protocol=TCP
      4⤵
      Modifies Windows Firewall
      PID:1092
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c Netsh.exe Advfirewall Firewall add rule name=AAct_Network dir=in action=allow protocol=TCP program="C:\Users\Admin\AppData\Local\Temp\Programs\AAct Network\AAct_Network_x64.exe"
    3⤵
    PID:688
  - - C:\Windows\system32\netsh.exe
      Netsh.exe Advfirewall Firewall add rule name=AAct_Network dir=in action=allow protocol=TCP program="C:\Users\Admin\AppData\Local\Temp\Programs\AAct Network\AAct_Network_x64.exe"
      4⤵
      Modifies Windows Firewall
      PID:1936
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c Netsh.exe Advfirewall Firewall add rule name=AAct_Network dir=out action=allow protocol=TCP program="C:\Users\Admin\AppData\Local\Temp\Programs\AAct Network\AAct_Network_x64.exe"
    3⤵
    PID:2344
  - - C:\Windows\system32\netsh.exe
      Netsh.exe Advfirewall Firewall add rule name=AAct_Network dir=out action=allow protocol=TCP program="C:\Users\Admin\AppData\Local\Temp\Programs\AAct Network\AAct_Network_x64.exe"
      4⤵
      PID:1900
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c Netsh.exe Advfirewall Firewall add rule name=0pen_Port_KMS dir=in action=allow protocol=TCP localport=1688
    3⤵
    PID:2832
  - - C:\Windows\system32\netsh.exe
      Netsh.exe Advfirewall Firewall add rule name=0pen_Port_KMS dir=in action=allow protocol=TCP localport=1688
      4⤵
      PID:2764
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\test.exe kms.cgtsoft.com:1688 -l Windows -6
    3⤵
    PID:948
  - - C:\Users\Admin\AppData\Local\Temp\test.exe
      C:\Users\Admin\AppData\Local\Temp\test.exe kms.cgtsoft.com:1688 -l Windows -6
      4⤵
      Executes dropped EXE
      Suspicious behavior: CmdExeWriteProcessMemorySpam
      PID:1172
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c Netsh.exe Advfirewall Firewall delete rule name=AAct_Network protocol=TCP
    3⤵
    PID:2004
  - - C:\Windows\system32\netsh.exe
      Netsh.exe Advfirewall Firewall delete rule name=AAct_Network protocol=TCP
      4⤵
      PID:2016
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c Netsh.exe Advfirewall Firewall delete rule name=0pen_Port_KMS protocol=TCP
    3⤵
    PID:2168
  - - C:\Windows\system32\netsh.exe
      Netsh.exe Advfirewall Firewall delete rule name=0pen_Port_KMS protocol=TCP
      4⤵
      Modifies Windows Firewall
      PID:2604
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c Netsh.exe Advfirewall Firewall add rule name=AAct_Network dir=in action=allow protocol=TCP program="C:\Users\Admin\AppData\Local\Temp\Programs\AAct Network\AAct_Network_x64.exe"
    3⤵
    PID:2612
  - - C:\Windows\system32\netsh.exe
      Netsh.exe Advfirewall Firewall add rule name=AAct_Network dir=in action=allow protocol=TCP program="C:\Users\Admin\AppData\Local\Temp\Programs\AAct Network\AAct_Network_x64.exe"
      4⤵
      PID:2616
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c Netsh.exe Advfirewall Firewall add rule name=AAct_Network dir=out action=allow protocol=TCP program="C:\Users\Admin\AppData\Local\Temp\Programs\AAct Network\AAct_Network_x64.exe"
    3⤵
    PID:2276
  - - C:\Windows\system32\netsh.exe
      Netsh.exe Advfirewall Firewall add rule name=AAct_Network dir=out action=allow protocol=TCP program="C:\Users\Admin\AppData\Local\Temp\Programs\AAct Network\AAct_Network_x64.exe"
      4⤵
      Modifies Windows Firewall
      PID:2184
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c Netsh.exe Advfirewall Firewall add rule name=0pen_Port_KMS dir=in action=allow protocol=TCP localport=1688
    3⤵
    PID:1548
  - - C:\Windows\system32\netsh.exe
      Netsh.exe Advfirewall Firewall add rule name=0pen_Port_KMS dir=in action=allow protocol=TCP localport=1688
      4⤵
      Modifies Windows Firewall
      PID:1620
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\test.exe kms.sixyin.com:1688 -l Windows -6
    3⤵
    PID:2292
  - - C:\Users\Admin\AppData\Local\Temp\test.exe
      C:\Users\Admin\AppData\Local\Temp\test.exe kms.sixyin.com:1688 -l Windows -6
      4⤵
      Executes dropped EXE
      Suspicious behavior: CmdExeWriteProcessMemorySpam
      PID:2836
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c Netsh.exe Advfirewall Firewall delete rule name=AAct_Network protocol=TCP
    3⤵
    PID:2900
  - - C:\Windows\system32\netsh.exe
      Netsh.exe Advfirewall Firewall delete rule name=AAct_Network protocol=TCP
      4⤵
      PID:2308
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c Netsh.exe Advfirewall Firewall delete rule name=0pen_Port_KMS protocol=TCP
    3⤵
    PID:2260
  - - C:\Windows\system32\netsh.exe
      Netsh.exe Advfirewall Firewall delete rule name=0pen_Port_KMS protocol=TCP
      4⤵
      Modifies Windows Firewall
      PID:1372
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c Netsh.exe Advfirewall Firewall add rule name=AAct_Network dir=in action=allow protocol=TCP program="C:\Users\Admin\AppData\Local\Temp\Programs\AAct Network\AAct_Network_x64.exe"
    3⤵
    PID:2924
  - - C:\Windows\system32\netsh.exe
      Netsh.exe Advfirewall Firewall add rule name=AAct_Network dir=in action=allow protocol=TCP program="C:\Users\Admin\AppData\Local\Temp\Programs\AAct Network\AAct_Network_x64.exe"
      4⤵
      PID:1068
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c Netsh.exe Advfirewall Firewall add rule name=AAct_Network dir=out action=allow protocol=TCP program="C:\Users\Admin\AppData\Local\Temp\Programs\AAct Network\AAct_Network_x64.exe"
    3⤵
    PID:2132
  - - C:\Windows\system32\netsh.exe
      Netsh.exe Advfirewall Firewall add rule name=AAct_Network dir=out action=allow protocol=TCP program="C:\Users\Admin\AppData\Local\Temp\Programs\AAct Network\AAct_Network_x64.exe"
      4⤵
      Modifies Windows Firewall
      PID:2032
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c Netsh.exe Advfirewall Firewall add rule name=0pen_Port_KMS dir=in action=allow protocol=TCP localport=1688
    3⤵
    PID:1580
  - - C:\Windows\system32\netsh.exe
      Netsh.exe Advfirewall Firewall add rule name=0pen_Port_KMS dir=in action=allow protocol=TCP localport=1688
      4⤵
      PID:1536
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\test.exe kms.000606.xyz:1688 -l Windows -6
    3⤵
    PID:980
  - - C:\Users\Admin\AppData\Local\Temp\test.exe
      C:\Users\Admin\AppData\Local\Temp\test.exe kms.000606.xyz:1688 -l Windows -6
      4⤵
      Executes dropped EXE
      Suspicious behavior: CmdExeWriteProcessMemorySpam
      PID:2076
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c Netsh.exe Advfirewall Firewall delete rule name=AAct_Network protocol=TCP
    3⤵
    PID:576
  - - C:\Windows\system32\netsh.exe
      Netsh.exe Advfirewall Firewall delete rule name=AAct_Network protocol=TCP
      4⤵
      Modifies Windows Firewall
      PID:2188
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c Netsh.exe Advfirewall Firewall delete rule name=0pen_Port_KMS protocol=TCP
    3⤵
    PID:2216
  - - C:\Windows\system32\netsh.exe
      Netsh.exe Advfirewall Firewall delete rule name=0pen_Port_KMS protocol=TCP
      4⤵
      Modifies Windows Firewall
      PID:2000
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c Netsh.exe Advfirewall Firewall add rule name=AAct_Network dir=in action=allow protocol=TCP program="C:\Users\Admin\AppData\Local\Temp\Programs\AAct Network\AAct_Network_x64.exe"
    3⤵
    PID:1232
  - - C:\Windows\system32\netsh.exe
      Netsh.exe Advfirewall Firewall add rule name=AAct_Network dir=in action=allow protocol=TCP program="C:\Users\Admin\AppData\Local\Temp\Programs\AAct Network\AAct_Network_x64.exe"
      4⤵
      Modifies Windows Firewall
      PID:632
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c Netsh.exe Advfirewall Firewall add rule name=AAct_Network dir=out action=allow protocol=TCP program="C:\Users\Admin\AppData\Local\Temp\Programs\AAct Network\AAct_Network_x64.exe"
    3⤵
    PID:1964
  - - C:\Windows\system32\netsh.exe
      Netsh.exe Advfirewall Firewall add rule name=AAct_Network dir=out action=allow protocol=TCP program="C:\Users\Admin\AppData\Local\Temp\Programs\AAct Network\AAct_Network_x64.exe"
      4⤵
      Modifies Windows Firewall
      PID:1320
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c Netsh.exe Advfirewall Firewall add rule name=0pen_Port_KMS dir=in action=allow protocol=TCP localport=1688
    3⤵
    PID:2672
  - - C:\Windows\system32\netsh.exe
      Netsh.exe Advfirewall Firewall add rule name=0pen_Port_KMS dir=in action=allow protocol=TCP localport=1688
      4⤵
      PID:2752
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\test.exe kms.jm33.me:1688 -l Windows -6
    3⤵
    PID:2576
  - - C:\Users\Admin\AppData\Local\Temp\test.exe
      C:\Users\Admin\AppData\Local\Temp\test.exe kms.jm33.me:1688 -l Windows -6
      4⤵
      Executes dropped EXE
      Suspicious behavior: CmdExeWriteProcessMemorySpam
      PID:1644
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c Netsh.exe Advfirewall Firewall delete rule name=AAct_Network protocol=TCP
    3⤵
    PID:2532
  - - C:\Windows\system32\netsh.exe
      Netsh.exe Advfirewall Firewall delete rule name=AAct_Network protocol=TCP
      4⤵
      PID:2424
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c Netsh.exe Advfirewall Firewall delete rule name=0pen_Port_KMS protocol=TCP
    3⤵
    PID:2668
  - - C:\Windows\system32\netsh.exe
      Netsh.exe Advfirewall Firewall delete rule name=0pen_Port_KMS protocol=TCP
      4⤵
      PID:1956
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c Netsh.exe Advfirewall Firewall add rule name=AAct_Network dir=in action=allow protocol=TCP program="C:\Users\Admin\AppData\Local\Temp\Programs\AAct Network\AAct_Network_x64.exe"
    3⤵
    PID:2156
  - - C:\Windows\system32\netsh.exe
      Netsh.exe Advfirewall Firewall add rule name=AAct_Network dir=in action=allow protocol=TCP program="C:\Users\Admin\AppData\Local\Temp\Programs\AAct Network\AAct_Network_x64.exe"
      4⤵
      Modifies Windows Firewall
      PID:2792
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c Netsh.exe Advfirewall Firewall add rule name=AAct_Network dir=out action=allow protocol=TCP program="C:\Users\Admin\AppData\Local\Temp\Programs\AAct Network\AAct_Network_x64.exe"
    3⤵
    PID:936
  - - C:\Windows\system32\netsh.exe
      Netsh.exe Advfirewall Firewall add rule name=AAct_Network dir=out action=allow protocol=TCP program="C:\Users\Admin\AppData\Local\Temp\Programs\AAct Network\AAct_Network_x64.exe"
      4⤵
      Modifies Windows Firewall
      PID:1760
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c Netsh.exe Advfirewall Firewall add rule name=0pen_Port_KMS dir=in action=allow protocol=TCP localport=1688
    3⤵
    PID:2364
  - - C:\Windows\system32\netsh.exe
      Netsh.exe Advfirewall Firewall add rule name=0pen_Port_KMS dir=in action=allow protocol=TCP localport=1688
      4⤵
      Modifies Windows Firewall
      PID:2928
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\test.exe kms.kmzs123.cn:1688 -l Windows -6
    3⤵
    PID:2860
  - - C:\Users\Admin\AppData\Local\Temp\test.exe
      C:\Users\Admin\AppData\Local\Temp\test.exe kms.kmzs123.cn:1688 -l Windows -6
      4⤵
      Executes dropped EXE
      Suspicious behavior: CmdExeWriteProcessMemorySpam
      PID:2056
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c Netsh.exe Advfirewall Firewall delete rule name=AAct_Network protocol=TCP
    3⤵
    PID:940
  - - C:\Windows\system32\netsh.exe
      Netsh.exe Advfirewall Firewall delete rule name=AAct_Network protocol=TCP
      4⤵
      PID:784
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c Netsh.exe Advfirewall Firewall delete rule name=0pen_Port_KMS protocol=TCP
    3⤵
    PID:1640
  - - C:\Windows\system32\netsh.exe
      Netsh.exe Advfirewall Firewall delete rule name=0pen_Port_KMS protocol=TCP
      4⤵
      PID:2624
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c Netsh.exe Advfirewall Firewall add rule name=AAct_Network dir=in action=allow protocol=TCP program="C:\Users\Admin\AppData\Local\Temp\Programs\AAct Network\AAct_Network_x64.exe"
    3⤵
    PID:2756
  - - C:\Windows\system32\netsh.exe
      Netsh.exe Advfirewall Firewall add rule name=AAct_Network dir=in action=allow protocol=TCP program="C:\Users\Admin\AppData\Local\Temp\Programs\AAct Network\AAct_Network_x64.exe"
      4⤵
      Modifies Windows Firewall
      PID:1772
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c Netsh.exe Advfirewall Firewall add rule name=AAct_Network dir=out action=allow protocol=TCP program="C:\Users\Admin\AppData\Local\Temp\Programs\AAct Network\AAct_Network_x64.exe"
    3⤵
    PID:1616
  - - C:\Windows\system32\netsh.exe
      Netsh.exe Advfirewall Firewall add rule name=AAct_Network dir=out action=allow protocol=TCP program="C:\Users\Admin\AppData\Local\Temp\Programs\AAct Network\AAct_Network_x64.exe"
      4⤵
      Modifies Windows Firewall
      PID:1952
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c Netsh.exe Advfirewall Firewall add rule name=0pen_Port_KMS dir=in action=allow protocol=TCP localport=1688
    3⤵
    PID:1756
  - - C:\Windows\system32\netsh.exe
      Netsh.exe Advfirewall Firewall add rule name=0pen_Port_KMS dir=in action=allow protocol=TCP localport=1688
      4⤵
      Modifies Windows Firewall
      PID:2276
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\test.exe kms.sdit163.com:1688 -l Windows -6
    3⤵
    PID:1196
  - - C:\Users\Admin\AppData\Local\Temp\test.exe
      C:\Users\Admin\AppData\Local\Temp\test.exe kms.sdit163.com:1688 -l Windows -6
      4⤵
      Executes dropped EXE
      Suspicious behavior: CmdExeWriteProcessMemorySpam
      PID:1620
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c Netsh.exe Advfirewall Firewall delete rule name=AAct_Network protocol=TCP
    3⤵
    PID:1988
  - - C:\Windows\system32\netsh.exe
      Netsh.exe Advfirewall Firewall delete rule name=AAct_Network protocol=TCP
      4⤵
      PID:2292
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c Netsh.exe Advfirewall Firewall delete rule name=0pen_Port_KMS protocol=TCP
    3⤵
    PID:768
  - - C:\Windows\system32\netsh.exe
      Netsh.exe Advfirewall Firewall delete rule name=0pen_Port_KMS protocol=TCP
      4⤵
      Modifies Windows Firewall
      PID:2900
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c Netsh.exe Advfirewall Firewall add rule name=AAct_Network dir=in action=allow protocol=TCP program="C:\Users\Admin\AppData\Local\Temp\Programs\AAct Network\AAct_Network_x64.exe"
    3⤵
    PID:3048
  - - C:\Windows\system32\netsh.exe
      Netsh.exe Advfirewall Firewall add rule name=AAct_Network dir=in action=allow protocol=TCP program="C:\Users\Admin\AppData\Local\Temp\Programs\AAct Network\AAct_Network_x64.exe"
      4⤵
      PID:2260
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c Netsh.exe Advfirewall Firewall add rule name=AAct_Network dir=out action=allow protocol=TCP program="C:\Users\Admin\AppData\Local\Temp\Programs\AAct Network\AAct_Network_x64.exe"
    3⤵
    PID:1820
  - - C:\Windows\system32\netsh.exe
      Netsh.exe Advfirewall Firewall add rule name=AAct_Network dir=out action=allow protocol=TCP program="C:\Users\Admin\AppData\Local\Temp\Programs\AAct Network\AAct_Network_x64.exe"
      4⤵
      PID:2924
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c Netsh.exe Advfirewall Firewall add rule name=0pen_Port_KMS dir=in action=allow protocol=TCP localport=1688
    3⤵
    PID:1532
  - - C:\Windows\system32\netsh.exe
      Netsh.exe Advfirewall Firewall add rule name=0pen_Port_KMS dir=in action=allow protocol=TCP localport=1688
      4⤵
      Modifies Windows Firewall
      PID:2132
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\test.exe xincheng213618.cn:1688 -l Windows -6
    3⤵
    PID:1792
  - - C:\Users\Admin\AppData\Local\Temp\test.exe
      C:\Users\Admin\AppData\Local\Temp\test.exe xincheng213618.cn:1688 -l Windows -6
      4⤵
      Executes dropped EXE
      Suspicious behavior: CmdExeWriteProcessMemorySpam
      PID:1536
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c Netsh.exe Advfirewall Firewall delete rule name=AAct_Network protocol=TCP
    3⤵
    PID:1600
  - - C:\Windows\system32\netsh.exe
      Netsh.exe Advfirewall Firewall delete rule name=AAct_Network protocol=TCP
      4⤵
      Modifies Windows Firewall
      PID:1500
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c Netsh.exe Advfirewall Firewall delete rule name=0pen_Port_KMS protocol=TCP
    3⤵
    PID:860
  - - C:\Windows\system32\netsh.exe
      Netsh.exe Advfirewall Firewall delete rule name=0pen_Port_KMS protocol=TCP
      4⤵
      Modifies Windows Firewall
      PID:1052
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c Netsh.exe Advfirewall Firewall add rule name=AAct_Network dir=in action=allow protocol=TCP program="C:\Users\Admin\AppData\Local\Temp\Programs\AAct Network\AAct_Network_x64.exe"
    3⤵
    PID:308
  - - C:\Windows\system32\netsh.exe
      Netsh.exe Advfirewall Firewall add rule name=AAct_Network dir=in action=allow protocol=TCP program="C:\Users\Admin\AppData\Local\Temp\Programs\AAct Network\AAct_Network_x64.exe"
      4⤵
      Modifies Windows Firewall
      PID:2880
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c Netsh.exe Advfirewall Firewall add rule name=AAct_Network dir=out action=allow protocol=TCP program="C:\Users\Admin\AppData\Local\Temp\Programs\AAct Network\AAct_Network_x64.exe"
    3⤵
    PID:2068
  - - C:\Windows\system32\netsh.exe
      Netsh.exe Advfirewall Firewall add rule name=AAct_Network dir=out action=allow protocol=TCP program="C:\Users\Admin\AppData\Local\Temp\Programs\AAct Network\AAct_Network_x64.exe"
      4⤵
      Modifies Windows Firewall
      PID:2012
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c Netsh.exe Advfirewall Firewall add rule name=0pen_Port_KMS dir=in action=allow protocol=TCP localport=1688
    3⤵
    PID:1700
  - - C:\Windows\system32\netsh.exe
      Netsh.exe Advfirewall Firewall add rule name=0pen_Port_KMS dir=in action=allow protocol=TCP localport=1688
      4⤵
      PID:688
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\test.exe kms.myds.cloud:1688 -l Windows -6
    3⤵
    PID:2084
  - - C:\Users\Admin\AppData\Local\Temp\test.exe
      C:\Users\Admin\AppData\Local\Temp\test.exe kms.myds.cloud:1688 -l Windows -6
      4⤵
      Executes dropped EXE
      Suspicious behavior: CmdExeWriteProcessMemorySpam
      PID:2752
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c Netsh.exe Advfirewall Firewall delete rule name=AAct_Network protocol=TCP
    3⤵
    PID:2484
  - - C:\Windows\system32\netsh.exe
      Netsh.exe Advfirewall Firewall delete rule name=AAct_Network protocol=TCP
      4⤵
      Modifies Windows Firewall
      PID:2576
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c Netsh.exe Advfirewall Firewall delete rule name=0pen_Port_KMS protocol=TCP
    3⤵
    PID:2416
  - - C:\Windows\system32\netsh.exe
      Netsh.exe Advfirewall Firewall delete rule name=0pen_Port_KMS protocol=TCP
      4⤵
      PID:2532
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c Netsh.exe Advfirewall Firewall add rule name=AAct_Network dir=in action=allow protocol=TCP program="C:\Users\Admin\AppData\Local\Temp\Programs\AAct Network\AAct_Network_x64.exe"
    3⤵
    PID:1912
  - - C:\Windows\system32\netsh.exe
      Netsh.exe Advfirewall Firewall add rule name=AAct_Network dir=in action=allow protocol=TCP program="C:\Users\Admin\AppData\Local\Temp\Programs\AAct Network\AAct_Network_x64.exe"
      4⤵
      PID:2668
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c Netsh.exe Advfirewall Firewall add rule name=AAct_Network dir=out action=allow protocol=TCP program="C:\Users\Admin\AppData\Local\Temp\Programs\AAct Network\AAct_Network_x64.exe"
    3⤵
    PID:528
  - - C:\Windows\system32\netsh.exe
      Netsh.exe Advfirewall Firewall add rule name=AAct_Network dir=out action=allow protocol=TCP program="C:\Users\Admin\AppData\Local\Temp\Programs\AAct Network\AAct_Network_x64.exe"
      4⤵
      PID:2156
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c Netsh.exe Advfirewall Firewall add rule name=0pen_Port_KMS dir=in action=allow protocol=TCP localport=1688
    3⤵
    PID:2844
  - - C:\Windows\system32\netsh.exe
      Netsh.exe Advfirewall Firewall add rule name=0pen_Port_KMS dir=in action=allow protocol=TCP localport=1688
      4⤵
      Modifies Windows Firewall
      PID:936
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\test.exe kms.catqu.com:1688 -l Windows -6
    3⤵
    PID:2800
  - - C:\Users\Admin\AppData\Local\Temp\test.exe
      C:\Users\Admin\AppData\Local\Temp\test.exe kms.catqu.com:1688 -l Windows -6
      4⤵
      Executes dropped EXE
      Suspicious behavior: CmdExeWriteProcessMemorySpam
      PID:2928
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c Netsh.exe Advfirewall Firewall delete rule name=AAct_Network protocol=TCP
    3⤵
    PID:800
  - - C:\Windows\system32\netsh.exe
      Netsh.exe Advfirewall Firewall delete rule name=AAct_Network protocol=TCP
      4⤵
      Modifies Windows Firewall
      PID:2860
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c Netsh.exe Advfirewall Firewall delete rule name=0pen_Port_KMS protocol=TCP
    3⤵
    PID:948
  - - C:\Windows\system32\netsh.exe
      Netsh.exe Advfirewall Firewall delete rule name=0pen_Port_KMS protocol=TCP
      4⤵
      Modifies Windows Firewall
      PID:784
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c Netsh.exe Advfirewall Firewall add rule name=AAct_Network dir=in action=allow protocol=TCP program="C:\Users\Admin\AppData\Local\Temp\Programs\AAct Network\AAct_Network_x64.exe"
    3⤵
    PID:2004
  - - C:\Windows\system32\netsh.exe
      Netsh.exe Advfirewall Firewall add rule name=AAct_Network dir=in action=allow protocol=TCP program="C:\Users\Admin\AppData\Local\Temp\Programs\AAct Network\AAct_Network_x64.exe"
      4⤵
      Modifies Windows Firewall
      PID:2624
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c Netsh.exe Advfirewall Firewall add rule name=AAct_Network dir=out action=allow protocol=TCP program="C:\Users\Admin\AppData\Local\Temp\Programs\AAct Network\AAct_Network_x64.exe"
    3⤵
    PID:2168
  - - C:\Windows\system32\netsh.exe
      Netsh.exe Advfirewall Firewall add rule name=AAct_Network dir=out action=allow protocol=TCP program="C:\Users\Admin\AppData\Local\Temp\Programs\AAct Network\AAct_Network_x64.exe"
      4⤵
      Modifies Windows Firewall
      PID:1772
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c Netsh.exe Advfirewall Firewall add rule name=0pen_Port_KMS dir=in action=allow protocol=TCP localport=1688
    3⤵
    PID:2760
  - - C:\Windows\system32\netsh.exe
      Netsh.exe Advfirewall Firewall add rule name=0pen_Port_KMS dir=in action=allow protocol=TCP localport=1688
      4⤵
      PID:1952
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\test.exe kms.ghpym.com:1688 -l Windows -6
    3⤵
    PID:2656
  - - C:\Users\Admin\AppData\Local\Temp\test.exe
      C:\Users\Admin\AppData\Local\Temp\test.exe kms.ghpym.com:1688 -l Windows -6
      4⤵
      Executes dropped EXE
      Suspicious behavior: CmdExeWriteProcessMemorySpam
      PID:1116
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c Netsh.exe Advfirewall Firewall delete rule name=AAct_Network protocol=TCP
    3⤵
    PID:1716
  - - C:\Windows\system32\netsh.exe
      Netsh.exe Advfirewall Firewall delete rule name=AAct_Network protocol=TCP
      4⤵
      Modifies Windows Firewall
      PID:864
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c Netsh.exe Advfirewall Firewall delete rule name=0pen_Port_KMS protocol=TCP
    3⤵
    PID:1696
  - - C:\Windows\system32\netsh.exe
      Netsh.exe Advfirewall Firewall delete rule name=0pen_Port_KMS protocol=TCP
      4⤵
      Modifies Windows Firewall
      PID:1132
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c Netsh.exe Advfirewall Firewall add rule name=AAct_Network dir=in action=allow protocol=TCP program="C:\Users\Admin\AppData\Local\Temp\Programs\AAct Network\AAct_Network_x64.exe"
    3⤵
    PID:2128
  - - C:\Windows\system32\netsh.exe
      Netsh.exe Advfirewall Firewall add rule name=AAct_Network dir=in action=allow protocol=TCP program="C:\Users\Admin\AppData\Local\Temp\Programs\AAct Network\AAct_Network_x64.exe"
      4⤵
      Modifies Windows Firewall
      PID:2884
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c Netsh.exe Advfirewall Firewall add rule name=AAct_Network dir=out action=allow protocol=TCP program="C:\Users\Admin\AppData\Local\Temp\Programs\AAct Network\AAct_Network_x64.exe"
    3⤵
    PID:616
  - - C:\Windows\system32\netsh.exe
      Netsh.exe Advfirewall Firewall add rule name=AAct_Network dir=out action=allow protocol=TCP program="C:\Users\Admin\AppData\Local\Temp\Programs\AAct Network\AAct_Network_x64.exe"
      4⤵
      Modifies Windows Firewall
      PID:1368
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c Netsh.exe Advfirewall Firewall add rule name=0pen_Port_KMS dir=in action=allow protocol=TCP localport=1688
    3⤵
    PID:300
  - - C:\Windows\system32\netsh.exe
      Netsh.exe Advfirewall Firewall add rule name=0pen_Port_KMS dir=in action=allow protocol=TCP localport=1688
      4⤵
      Modifies Windows Firewall
      PID:1344
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\test.exe kms.mc06.net:1688 -l Windows -6
    3⤵
    PID:1688
  - - C:\Users\Admin\AppData\Local\Temp\test.exe
      C:\Users\Admin\AppData\Local\Temp\test.exe kms.mc06.net:1688 -l Windows -6
      4⤵
      Executes dropped EXE
      Suspicious behavior: CmdExeWriteProcessMemorySpam
      PID:2144
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c Netsh.exe Advfirewall Firewall delete rule name=AAct_Network protocol=TCP
    3⤵
    PID:1176
  - - C:\Windows\system32\netsh.exe
      Netsh.exe Advfirewall Firewall delete rule name=AAct_Network protocol=TCP
      4⤵
      Modifies Windows Firewall
      PID:1016
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c Netsh.exe Advfirewall Firewall delete rule name=0pen_Port_KMS protocol=TCP
    3⤵
    PID:1980
  - - C:\Windows\system32\netsh.exe
      Netsh.exe Advfirewall Firewall delete rule name=0pen_Port_KMS protocol=TCP
      4⤵
      Modifies Windows Firewall
      PID:1144
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c Netsh.exe Advfirewall Firewall add rule name=AAct_Network dir=in action=allow protocol=TCP program="C:\Users\Admin\AppData\Local\Temp\Programs\AAct Network\AAct_Network_x64.exe"
    3⤵
    PID:2980
  - - C:\Windows\system32\netsh.exe
      Netsh.exe Advfirewall Firewall add rule name=AAct_Network dir=in action=allow protocol=TCP program="C:\Users\Admin\AppData\Local\Temp\Programs\AAct Network\AAct_Network_x64.exe"
      4⤵
      PID:1692
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c Netsh.exe Advfirewall Firewall add rule name=AAct_Network dir=out action=allow protocol=TCP program="C:\Users\Admin\AppData\Local\Temp\Programs\AAct Network\AAct_Network_x64.exe"
    3⤵
    PID:364
  - - C:\Windows\system32\netsh.exe
      Netsh.exe Advfirewall Firewall add rule name=AAct_Network dir=out action=allow protocol=TCP program="C:\Users\Admin\AppData\Local\Temp\Programs\AAct Network\AAct_Network_x64.exe"
      4⤵
      PID:2108
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c Netsh.exe Advfirewall Firewall add rule name=0pen_Port_KMS dir=in action=allow protocol=TCP localport=1688
    3⤵
    PID:2680
  - - C:\Windows\system32\netsh.exe
      Netsh.exe Advfirewall Firewall add rule name=0pen_Port_KMS dir=in action=allow protocol=TCP localport=1688
      4⤵
      Modifies Windows Firewall
      PID:1680
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\test.exe kms.moeyuuko.top:1688 -l Windows -6
    3⤵
    PID:2856
  - - C:\Users\Admin\AppData\Local\Temp\test.exe
      C:\Users\Admin\AppData\Local\Temp\test.exe kms.moeyuuko.top:1688 -l Windows -6
      4⤵
      Executes dropped EXE
      Suspicious behavior: CmdExeWriteProcessMemorySpam
      PID:892
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c Netsh.exe Advfirewall Firewall delete rule name=AAct_Network protocol=TCP
    3⤵
    PID:2712
  - - C:\Windows\system32\netsh.exe
      Netsh.exe Advfirewall Firewall delete rule name=AAct_Network protocol=TCP
      4⤵
      Modifies Windows Firewall
      PID:2440
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c Netsh.exe Advfirewall Firewall delete rule name=0pen_Port_KMS protocol=TCP
    3⤵
    PID:2536
  - - C:\Windows\system32\netsh.exe
      Netsh.exe Advfirewall Firewall delete rule name=0pen_Port_KMS protocol=TCP
      4⤵
      Modifies Windows Firewall
      PID:2584
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c Netsh.exe Advfirewall Firewall add rule name=AAct_Network dir=in action=allow protocol=TCP program="C:\Users\Admin\AppData\Local\Temp\Programs\AAct Network\AAct_Network_x64.exe"
    3⤵
    PID:2460
  - - C:\Windows\system32\netsh.exe
      Netsh.exe Advfirewall Firewall add rule name=AAct_Network dir=in action=allow protocol=TCP program="C:\Users\Admin\AppData\Local\Temp\Programs\AAct Network\AAct_Network_x64.exe"
      4⤵
      Modifies Windows Firewall
      PID:2956
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c Netsh.exe Advfirewall Firewall add rule name=AAct_Network dir=out action=allow protocol=TCP program="C:\Users\Admin\AppData\Local\Temp\Programs\AAct Network\AAct_Network_x64.exe"
    3⤵
    PID:2432
  - - C:\Windows\system32\netsh.exe
      Netsh.exe Advfirewall Firewall add rule name=AAct_Network dir=out action=allow protocol=TCP program="C:\Users\Admin\AppData\Local\Temp\Programs\AAct Network\AAct_Network_x64.exe"
      4⤵
      Modifies Windows Firewall
      PID:580
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c Netsh.exe Advfirewall Firewall add rule name=0pen_Port_KMS dir=in action=allow protocol=TCP localport=1688
    3⤵
    PID:2020
  - - C:\Windows\system32\netsh.exe
      Netsh.exe Advfirewall Firewall add rule name=0pen_Port_KMS dir=in action=allow protocol=TCP localport=1688
      4⤵
      Modifies Windows Firewall
      PID:2968
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\test.exe kms8.MSGuides.com:1688 -l Windows -6
    3⤵
    PID:2384
  - - C:\Users\Admin\AppData\Local\Temp\test.exe
      C:\Users\Admin\AppData\Local\Temp\test.exe kms8.MSGuides.com:1688 -l Windows -6
      4⤵
      Executes dropped EXE
      Suspicious behavior: CmdExeWriteProcessMemorySpam
      PID:2596
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c Netsh.exe Advfirewall Firewall delete rule name=AAct_Network protocol=TCP
    3⤵
    PID:2180
  - - C:\Windows\system32\netsh.exe
      Netsh.exe Advfirewall Firewall delete rule name=AAct_Network protocol=TCP
      4⤵
      Modifies Windows Firewall
      PID:1900
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c Netsh.exe Advfirewall Firewall delete rule name=0pen_Port_KMS protocol=TCP
    3⤵
    PID:2656
  - - C:\Windows\system32\netsh.exe
      Netsh.exe Advfirewall Firewall delete rule name=0pen_Port_KMS protocol=TCP
      4⤵
      Modifies Windows Firewall
      PID:1620
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c Netsh.exe Advfirewall Firewall add rule name=AAct_Network dir=in action=allow protocol=TCP program="C:\Users\Admin\AppData\Local\Temp\Programs\AAct Network\AAct_Network_x64.exe"
    3⤵
    PID:1716
  - - C:\Windows\system32\netsh.exe
      Netsh.exe Advfirewall Firewall add rule name=AAct_Network dir=in action=allow protocol=TCP program="C:\Users\Admin\AppData\Local\Temp\Programs\AAct Network\AAct_Network_x64.exe"
      4⤵
      Modifies Windows Firewall
      PID:2196
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c Netsh.exe Advfirewall Firewall add rule name=AAct_Network dir=out action=allow protocol=TCP program="C:\Users\Admin\AppData\Local\Temp\Programs\AAct Network\AAct_Network_x64.exe"
    3⤵
    PID:1696
  - - C:\Windows\system32\netsh.exe
      Netsh.exe Advfirewall Firewall add rule name=AAct_Network dir=out action=allow protocol=TCP program="C:\Users\Admin\AppData\Local\Temp\Programs\AAct Network\AAct_Network_x64.exe"
      4⤵
      PID:2664
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c Netsh.exe Advfirewall Firewall add rule name=0pen_Port_KMS dir=in action=allow protocol=TCP localport=1688
    3⤵
    PID:2128
  - - C:\Windows\system32\netsh.exe
      Netsh.exe Advfirewall Firewall add rule name=0pen_Port_KMS dir=in action=allow protocol=TCP localport=1688
      4⤵
      Modifies Windows Firewall
      PID:2260
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\test.exe kms9.MSGuides.com:1688 -l Windows -6
    3⤵
    PID:1368
  - - C:\Users\Admin\AppData\Local\Temp\test.exe
      C:\Users\Admin\AppData\Local\Temp\test.exe kms9.MSGuides.com:1688 -l Windows -6
      4⤵
      Executes dropped EXE
      Suspicious behavior: CmdExeWriteProcessMemorySpam
      PID:2052
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c Netsh.exe Advfirewall Firewall delete rule name=AAct_Network protocol=TCP
    3⤵
    PID:1264
  - - C:\Windows\system32\netsh.exe
      Netsh.exe Advfirewall Firewall delete rule name=AAct_Network protocol=TCP
      4⤵
      PID:2132
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c Netsh.exe Advfirewall Firewall delete rule name=0pen_Port_KMS protocol=TCP
    3⤵
    PID:1688
  - - C:\Windows\system32\netsh.exe
      Netsh.exe Advfirewall Firewall delete rule name=0pen_Port_KMS protocol=TCP
      4⤵
      Modifies Windows Firewall
      PID:2060
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c Netsh.exe Advfirewall Firewall add rule name=AAct_Network dir=in action=allow protocol=TCP program="C:\Users\Admin\AppData\Local\Temp\Programs\AAct Network\AAct_Network_x64.exe"
    3⤵
    PID:1176
  - - C:\Windows\system32\netsh.exe
      Netsh.exe Advfirewall Firewall add rule name=AAct_Network dir=in action=allow protocol=TCP program="C:\Users\Admin\AppData\Local\Temp\Programs\AAct Network\AAct_Network_x64.exe"
      4⤵
      Modifies Windows Firewall
      PID:1500
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c Netsh.exe Advfirewall Firewall add rule name=AAct_Network dir=out action=allow protocol=TCP program="C:\Users\Admin\AppData\Local\Temp\Programs\AAct Network\AAct_Network_x64.exe"
    3⤵
    PID:1980
  - - C:\Windows\system32\netsh.exe
      Netsh.exe Advfirewall Firewall add rule name=AAct_Network dir=out action=allow protocol=TCP program="C:\Users\Admin\AppData\Local\Temp\Programs\AAct Network\AAct_Network_x64.exe"
      4⤵
      PID:1888
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c Netsh.exe Advfirewall Firewall add rule name=0pen_Port_KMS dir=in action=allow protocol=TCP localport=1688
    3⤵
    PID:2980
  - - C:\Windows\system32\netsh.exe
      Netsh.exe Advfirewall Firewall add rule name=0pen_Port_KMS dir=in action=allow protocol=TCP localport=1688
      4⤵
      Modifies Windows Firewall
      PID:2880
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\test.exe xykz.f3322.org:1688 -l Windows -6
    3⤵
    PID:2108
  - - C:\Users\Admin\AppData\Local\Temp\test.exe
      C:\Users\Admin\AppData\Local\Temp\test.exe xykz.f3322.org:1688 -l Windows -6
      4⤵
      Executes dropped EXE
      Suspicious behavior: CmdExeWriteProcessMemorySpam
      PID:2488
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c Netsh.exe Advfirewall Firewall delete rule name=AAct_Network protocol=TCP
    3⤵
    PID:632
  - - C:\Windows\system32\netsh.exe
      Netsh.exe Advfirewall Firewall delete rule name=AAct_Network protocol=TCP
      4⤵
      Modifies Windows Firewall
      PID:688
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c Netsh.exe Advfirewall Firewall delete rule name=0pen_Port_KMS protocol=TCP
    3⤵
    PID:2856
  - - C:\Windows\system32\netsh.exe
      Netsh.exe Advfirewall Firewall delete rule name=0pen_Port_KMS protocol=TCP
      4⤵
      Modifies Windows Firewall
      PID:2480
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c Netsh.exe Advfirewall Firewall add rule name=AAct_Network dir=in action=allow protocol=TCP program="C:\Users\Admin\AppData\Local\Temp\Programs\AAct Network\AAct_Network_x64.exe"
    3⤵
    PID:2712
  - - C:\Windows\system32\netsh.exe
      Netsh.exe Advfirewall Firewall add rule name=AAct_Network dir=in action=allow protocol=TCP program="C:\Users\Admin\AppData\Local\Temp\Programs\AAct Network\AAct_Network_x64.exe"
      4⤵
      Modifies Windows Firewall
      PID:2456
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c Netsh.exe Advfirewall Firewall add rule name=AAct_Network dir=out action=allow protocol=TCP program="C:\Users\Admin\AppData\Local\Temp\Programs\AAct Network\AAct_Network_x64.exe"
    3⤵
    PID:2536
  - - C:\Windows\system32\netsh.exe
      Netsh.exe Advfirewall Firewall add rule name=AAct_Network dir=out action=allow protocol=TCP program="C:\Users\Admin\AppData\Local\Temp\Programs\AAct Network\AAct_Network_x64.exe"
      4⤵
      PID:2148
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c Netsh.exe Advfirewall Firewall add rule name=0pen_Port_KMS dir=in action=allow protocol=TCP localport=1688
    3⤵
    PID:2956
  - - C:\Windows\system32\netsh.exe
      Netsh.exe Advfirewall Firewall add rule name=0pen_Port_KMS dir=in action=allow protocol=TCP localport=1688
      4⤵
      Modifies Windows Firewall
      PID:676
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\test.exe kms.ddns.net:1688 -l Windows -6
    3⤵
    PID:1912
  - - C:\Users\Admin\AppData\Local\Temp\test.exe
      C:\Users\Admin\AppData\Local\Temp\test.exe kms.ddns.net:1688 -l Windows -6
      4⤵
      Executes dropped EXE
      Suspicious behavior: CmdExeWriteProcessMemorySpam
      PID:1596
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c Netsh.exe Advfirewall Firewall delete rule name=AAct_Network protocol=TCP
    3⤵
    PID:2968
  - - C:\Windows\system32\netsh.exe
      Netsh.exe Advfirewall Firewall delete rule name=AAct_Network protocol=TCP
      4⤵
      Modifies Windows Firewall
      PID:1760
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c Netsh.exe Advfirewall Firewall delete rule name=0pen_Port_KMS protocol=TCP
    3⤵
    PID:2596
  - - C:\Windows\system32\netsh.exe
      Netsh.exe Advfirewall Firewall delete rule name=0pen_Port_KMS protocol=TCP
      4⤵
      PID:2364

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Programs\AAct Network\AAct_Network_x64.exe

Filesize
2.5MB

MD5
21d2de78029a3c71dcd7691839b1e32f

SHA1
a0f6adffccb5b121e999d9774596bccbef9b9bef

SHA256
0831596d9619d90d1f9910902e2e475766307ed60717852c528ba51b90d5c4c8

SHA512
4666601fbf4aad4f814ce643df2890e5786d68ca5215b23453b3307082711b970157d45df84809a19e03ed0126f2ba18f558caf2ad5d0413990f446e25e3db0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\data.pak

Filesize
18.4MB

MD5
42d57d16f18360cc8a2c5b2a71d1c667

SHA1
b6b53f5b947a1b5eade7d8ab7c5c3afe90d68158

SHA256
cf88585ba8544899472c85e8677bdd3061043a26bf3f67324b4f43df903b3ee7

SHA512
faaa1c1abf9dce8a34c1d286e592c5fb691987923d3f3b428be04874f38e6fda22a3312f648ed03d9d039531913803d1c5c0e323c85d671266cadf7e11572f62

Download Submit
C:\Users\Admin\AppData\Local\Temp\test.exe

Filesize
58KB

MD5
cc470d06e9afc9a7c0b395274b02ac88

SHA1
8a7c21cd0e565c77fb78d33ad57fd4ab9d9439f4

SHA256
81f84a27c49ddd56c799d935787becb989a6e5b8e000e76e21c82b6cde4c42ff

SHA512
0b6539d9c9d31a7450e1c66108d259aa7fbe88fc614169e9288892890585f0779eda8e128584a47d5593df1ee013f7d8cc53b2d6601b2503817dcb4f21069a84

Download Submit
\Users\Admin\AppData\Local\Temp\7zaxxx.exe

Filesize
628KB

MD5
ec79cabd55a14379e4d676bb17d9e3df

SHA1
15626d505da35bfdb33aea5c8f7831f616cabdba

SHA256
44a55f5d9c31d0990de47b9893e0c927478930cef06fbe2d1f520a6d6cba587d

SHA512
00bbb601a685cbfb3c51c1da9f3b77c2b318c79e87d88a31c0e215288101753679e1586b170ccc9c2cb0b5ce05c2090c0737a1e4a616ad1d9658392066196d47

Download Submit
memory/892-164-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/1116-156-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/1172-120-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/1372-27-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/1536-144-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/1596-265-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/1620-140-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/1644-132-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/2052-257-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/2056-136-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/2076-128-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/2144-160-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/2488-261-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/2596-168-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/2752-148-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/2836-124-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/2928-152-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/3016-31-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads