cb7075e0c6fd85aca009326634c1c2704a659e569b477339cac73370d5655dcb

Analysis

max time kernel
89s
max time network
93s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
07/04/2024, 20:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

KMSTools Lite.exe
Size

21.5MB
MD5

a993c2497dd9fdc67e5f5c2eca8a9cbd
SHA1

bc32a180a2c3a11f79e85050863d3570b5fc12fe
SHA256

cb7075e0c6fd85aca009326634c1c2704a659e569b477339cac73370d5655dcb
SHA512

c1ce8ec31c3db537f3d59a0f242790bc8bf90bf60941854e8fbe2b7d941503a0e5185219872e08de3e6bc57fbb9b9e3490f806a7e808126a5c0f14b4bb8c3e52
SSDEEP

393216:neWPB6YAYnUmDRX6ajZ3sU2za7gpyKHrCwdCKnuNAB6qnUEiNqK+8jnz3b/:b56YAYUmDRX6ajZ3sUca7giwvumADpLb

Score

9^/10

evasion

Malware Config

Signatures

Nirsoft 1 IoCs

resource	yara_rule
behavioral2/files/0x000700000002323a-15.dat	Nirsoft

Modifies Windows Firewall 2 TTPs 64 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
4408	netsh.exe
2848	netsh.exe
3572	netsh.exe
3136	netsh.exe
732	netsh.exe
3240	netsh.exe
2176	netsh.exe
2288	netsh.exe
5116	netsh.exe
2100	netsh.exe
4416	netsh.exe
1736	netsh.exe
4404	netsh.exe
2424	netsh.exe
2368	netsh.exe
2056	netsh.exe
3348	netsh.exe
3212	netsh.exe
2236	netsh.exe
2100	netsh.exe
448	netsh.exe
4128	netsh.exe
868	netsh.exe
3564	netsh.exe
4676	netsh.exe
3732	netsh.exe
1472	netsh.exe
2484	netsh.exe
116	netsh.exe
4232	netsh.exe
1640	netsh.exe
3104	netsh.exe
3560	netsh.exe
5080	netsh.exe
3988	netsh.exe
2784	netsh.exe
1980	netsh.exe
1512	netsh.exe
4624	netsh.exe
1148	netsh.exe
2136	netsh.exe
5100	netsh.exe
4328	netsh.exe
1908	netsh.exe
1988	netsh.exe
4128	netsh.exe
868	netsh.exe
3348	netsh.exe
5088	netsh.exe
2424	netsh.exe
4784	netsh.exe
4408	netsh.exe
1252	netsh.exe
1664	netsh.exe
3388	netsh.exe
5024	netsh.exe
1248	netsh.exe
1796	netsh.exe
4948	netsh.exe
3360	netsh.exe
4040	netsh.exe
4016	netsh.exe
1896	netsh.exe
944	netsh.exe

Executes dropped EXE 20 IoCs

pid	Process
968	7zaxxx.exe
4480	AAct_Network_x64.exe
2368	test.exe
2288	test.exe
1964	test.exe
1796	test.exe
3844	test.exe
5080	test.exe
4520	test.exe
408	test.exe
4048	test.exe
2528	test.exe
4564	test.exe
3392	test.exe
3232	test.exe
1508	test.exe
3368	test.exe
540	test.exe
2696	test.exe
2780	test.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
3596	reg.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1388	KMSTools Lite.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: 33	344	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	344	AUDIODG.EXE
Token: SeRestorePrivilege	968	7zaxxx.exe
Token: 35	968	7zaxxx.exe
Token: SeSecurityPrivilege	968	7zaxxx.exe
Token: SeSecurityPrivilege	968	7zaxxx.exe

Suspicious use of FindShellTrayWindow 6 IoCs

pid	Process
1388	KMSTools Lite.exe
1388	KMSTools Lite.exe
1388	KMSTools Lite.exe
1388	KMSTools Lite.exe
1388	KMSTools Lite.exe
4480	AAct_Network_x64.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
1388	KMSTools Lite.exe
1388	KMSTools Lite.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1388 wrote to memory of 2544	1388	KMSTools Lite.exe	91
PID 1388 wrote to memory of 2544	1388	KMSTools Lite.exe	91
PID 1388 wrote to memory of 968	1388	KMSTools Lite.exe	100
PID 1388 wrote to memory of 968	1388	KMSTools Lite.exe	100
PID 1388 wrote to memory of 968	1388	KMSTools Lite.exe	100
PID 1388 wrote to memory of 4480	1388	KMSTools Lite.exe	102
PID 1388 wrote to memory of 4480	1388	KMSTools Lite.exe	102
PID 4480 wrote to memory of 4456	4480	AAct_Network_x64.exe	103
PID 4480 wrote to memory of 4456	4480	AAct_Network_x64.exe	103
PID 4480 wrote to memory of 3504	4480	AAct_Network_x64.exe	105
PID 4480 wrote to memory of 3504	4480	AAct_Network_x64.exe	105
PID 3504 wrote to memory of 3596	3504	cmd.exe	107
PID 3504 wrote to memory of 3596	3504	cmd.exe	107
PID 4480 wrote to memory of 2904	4480	AAct_Network_x64.exe	302
PID 4480 wrote to memory of 2904	4480	AAct_Network_x64.exe	302
PID 2904 wrote to memory of 4232	2904	cmd.exe	110
PID 2904 wrote to memory of 4232	2904	cmd.exe	110
PID 4480 wrote to memory of 2176	4480	AAct_Network_x64.exe	228
PID 4480 wrote to memory of 2176	4480	AAct_Network_x64.exe	228
PID 2176 wrote to memory of 1736	2176	cmd.exe	113
PID 2176 wrote to memory of 1736	2176	cmd.exe	113
PID 4480 wrote to memory of 4120	4480	AAct_Network_x64.exe	114
PID 4480 wrote to memory of 4120	4480	AAct_Network_x64.exe	114
PID 4120 wrote to memory of 2236	4120	cmd.exe	226
PID 4120 wrote to memory of 2236	4120	cmd.exe	226
PID 4480 wrote to memory of 4084	4480	AAct_Network_x64.exe	117
PID 4480 wrote to memory of 4084	4480	AAct_Network_x64.exe	117
PID 4084 wrote to memory of 4404	4084	cmd.exe	158
PID 4084 wrote to memory of 4404	4084	cmd.exe	158
PID 4480 wrote to memory of 4412	4480	AAct_Network_x64.exe	120
PID 4480 wrote to memory of 4412	4480	AAct_Network_x64.exe	120
PID 4412 wrote to memory of 3136	4412	cmd.exe	274
PID 4412 wrote to memory of 3136	4412	cmd.exe	274
PID 4480 wrote to memory of 1800	4480	AAct_Network_x64.exe	123
PID 4480 wrote to memory of 1800	4480	AAct_Network_x64.exe	123
PID 1800 wrote to memory of 2368	1800	cmd.exe	125
PID 1800 wrote to memory of 2368	1800	cmd.exe	125
PID 1800 wrote to memory of 2368	1800	cmd.exe	125
PID 4480 wrote to memory of 4376	4480	AAct_Network_x64.exe	322
PID 4480 wrote to memory of 4376	4480	AAct_Network_x64.exe	322
PID 4376 wrote to memory of 868	4376	cmd.exe	205
PID 4376 wrote to memory of 868	4376	cmd.exe	205
PID 4480 wrote to memory of 1036	4480	AAct_Network_x64.exe	129
PID 4480 wrote to memory of 1036	4480	AAct_Network_x64.exe	129
PID 1036 wrote to memory of 2100	1036	cmd.exe	324
PID 1036 wrote to memory of 2100	1036	cmd.exe	324
PID 4480 wrote to memory of 3348	4480	AAct_Network_x64.exe	328
PID 4480 wrote to memory of 3348	4480	AAct_Network_x64.exe	328
PID 3348 wrote to memory of 3988	3348	cmd.exe	250
PID 3348 wrote to memory of 3988	3348	cmd.exe	250
PID 4480 wrote to memory of 3980	4480	AAct_Network_x64.exe	292
PID 4480 wrote to memory of 3980	4480	AAct_Network_x64.exe	292
PID 3980 wrote to memory of 1664	3980	cmd.exe	137
PID 3980 wrote to memory of 1664	3980	cmd.exe	137
PID 4480 wrote to memory of 3440	4480	AAct_Network_x64.exe	335
PID 4480 wrote to memory of 3440	4480	AAct_Network_x64.exe	335
PID 3440 wrote to memory of 1796	3440	cmd.exe	179
PID 3440 wrote to memory of 1796	3440	cmd.exe	179
PID 4480 wrote to memory of 5100	4480	AAct_Network_x64.exe	141
PID 4480 wrote to memory of 5100	4480	AAct_Network_x64.exe	141
PID 5100 wrote to memory of 2288	5100	cmd.exe	182
PID 5100 wrote to memory of 2288	5100	cmd.exe	182
PID 5100 wrote to memory of 2288	5100	cmd.exe	182
PID 4480 wrote to memory of 1304	4480	AAct_Network_x64.exe	144

C:\Users\Admin\AppData\Local\Temp\KMSTools Lite.exe
"C:\Users\Admin\AppData\Local\Temp\KMSTools Lite.exe"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1388
- C:\Windows\system32\cmd.exe
  "C:\Windows\Sysnative\cmd.exe" /c copy C:\Windows\system32\Tasks\KMSTools "C:\Users\Admin\AppData\Local\Temp\KMSTools.tmp" /Y
  2⤵
  PID:2544
- C:\Users\Admin\AppData\Local\Temp\7zaxxx.exe
  "C:\Users\Admin\AppData\Local\Temp\7zaxxx.exe" x data.pak -pratiboruskmstoolsruboard01222024 -y -bsp1 -aos -o"C:\Users\Admin\AppData\Local\Temp\Programs" "AAct Network"*
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:968
- C:\Users\Admin\AppData\Local\Temp\Programs\AAct Network\AAct_Network_x64.exe
  "C:\Users\Admin\AppData\Local\Temp\Programs\AAct Network\AAct_Network_x64.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:4480
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c ver.exe
    3⤵
    PID:4456
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c REG QUERY HKLM\Software\Microsoft\Office /s /v Path /reg:64
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3504
  - - C:\Windows\System32\reg.exe
      REG QUERY HKLM\Software\Microsoft\Office /s /v Path /reg:64
      4⤵
      Modifies registry key
      PID:3596
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c Netsh.exe Advfirewall Firewall delete rule name=AAct_Network protocol=TCP
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2904
  - - C:\Windows\system32\netsh.exe
      Netsh.exe Advfirewall Firewall delete rule name=AAct_Network protocol=TCP
      4⤵
      Modifies Windows Firewall
      PID:4232
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c Netsh.exe Advfirewall Firewall delete rule name=0pen_Port_KMS protocol=TCP
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2176
  - - C:\Windows\system32\netsh.exe
      Netsh.exe Advfirewall Firewall delete rule name=0pen_Port_KMS protocol=TCP
      4⤵
      Modifies Windows Firewall
      PID:1736
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c Netsh.exe Advfirewall Firewall add rule name=AAct_Network dir=in action=allow protocol=TCP program="C:\Users\Admin\AppData\Local\Temp\Programs\AAct Network\AAct_Network_x64.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4120
  - - C:\Windows\system32\netsh.exe
      Netsh.exe Advfirewall Firewall add rule name=AAct_Network dir=in action=allow protocol=TCP program="C:\Users\Admin\AppData\Local\Temp\Programs\AAct Network\AAct_Network_x64.exe"
      4⤵
      Modifies Windows Firewall
      PID:2236
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c Netsh.exe Advfirewall Firewall add rule name=AAct_Network dir=out action=allow protocol=TCP program="C:\Users\Admin\AppData\Local\Temp\Programs\AAct Network\AAct_Network_x64.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4084
  - - C:\Windows\system32\netsh.exe
      Netsh.exe Advfirewall Firewall add rule name=AAct_Network dir=out action=allow protocol=TCP program="C:\Users\Admin\AppData\Local\Temp\Programs\AAct Network\AAct_Network_x64.exe"
      4⤵
      PID:4404
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c Netsh.exe Advfirewall Firewall add rule name=0pen_Port_KMS dir=in action=allow protocol=TCP localport=1688
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4412
  - - C:\Windows\system32\netsh.exe
      Netsh.exe Advfirewall Firewall add rule name=0pen_Port_KMS dir=in action=allow protocol=TCP localport=1688
      4⤵
      Modifies Windows Firewall
      PID:3136
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\test.exe kms.loli.best:1688 -l Windows -6
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1800
  - - C:\Users\Admin\AppData\Local\Temp\test.exe
      C:\Users\Admin\AppData\Local\Temp\test.exe kms.loli.best:1688 -l Windows -6
      4⤵
      Executes dropped EXE
      PID:2368
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c Netsh.exe Advfirewall Firewall delete rule name=AAct_Network protocol=TCP
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4376
  - - C:\Windows\system32\netsh.exe
      Netsh.exe Advfirewall Firewall delete rule name=AAct_Network protocol=TCP
      4⤵
      Modifies Windows Firewall
      PID:868
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c Netsh.exe Advfirewall Firewall delete rule name=0pen_Port_KMS protocol=TCP
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1036
  - - C:\Windows\system32\netsh.exe
      Netsh.exe Advfirewall Firewall delete rule name=0pen_Port_KMS protocol=TCP
      4⤵
      Modifies Windows Firewall
      PID:2100
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c Netsh.exe Advfirewall Firewall add rule name=AAct_Network dir=in action=allow protocol=TCP program="C:\Users\Admin\AppData\Local\Temp\Programs\AAct Network\AAct_Network_x64.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3348
  - - C:\Windows\system32\netsh.exe
      Netsh.exe Advfirewall Firewall add rule name=AAct_Network dir=in action=allow protocol=TCP program="C:\Users\Admin\AppData\Local\Temp\Programs\AAct Network\AAct_Network_x64.exe"
      4⤵
      Modifies Windows Firewall
      PID:3988
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c Netsh.exe Advfirewall Firewall add rule name=AAct_Network dir=out action=allow protocol=TCP program="C:\Users\Admin\AppData\Local\Temp\Programs\AAct Network\AAct_Network_x64.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3980
  - - C:\Windows\system32\netsh.exe
      Netsh.exe Advfirewall Firewall add rule name=AAct_Network dir=out action=allow protocol=TCP program="C:\Users\Admin\AppData\Local\Temp\Programs\AAct Network\AAct_Network_x64.exe"
      4⤵
      Modifies Windows Firewall
      PID:1664
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c Netsh.exe Advfirewall Firewall add rule name=0pen_Port_KMS dir=in action=allow protocol=TCP localport=1688
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3440
  - - C:\Windows\system32\netsh.exe
      Netsh.exe Advfirewall Firewall add rule name=0pen_Port_KMS dir=in action=allow protocol=TCP localport=1688
      4⤵
      Modifies Windows Firewall
      PID:1796
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\test.exe kms.digiboy.ir:1688 -l Windows -6
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5100
  - - C:\Users\Admin\AppData\Local\Temp\test.exe
      C:\Users\Admin\AppData\Local\Temp\test.exe kms.digiboy.ir:1688 -l Windows -6
      4⤵
      Executes dropped EXE
      PID:2288
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c Netsh.exe Advfirewall Firewall delete rule name=AAct_Network protocol=TCP
    3⤵
    PID:1304
  - - C:\Windows\system32\netsh.exe
      Netsh.exe Advfirewall Firewall delete rule name=AAct_Network protocol=TCP
      4⤵
      PID:3032
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c Netsh.exe Advfirewall Firewall delete rule name=0pen_Port_KMS protocol=TCP
    3⤵
    PID:3232
  - - C:\Windows\system32\netsh.exe
      Netsh.exe Advfirewall Firewall delete rule name=0pen_Port_KMS protocol=TCP
      4⤵
      Modifies Windows Firewall
      PID:2784
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c Netsh.exe Advfirewall Firewall add rule name=AAct_Network dir=in action=allow protocol=TCP program="C:\Users\Admin\AppData\Local\Temp\Programs\AAct Network\AAct_Network_x64.exe"
    3⤵
    PID:4680
  - - C:\Windows\system32\netsh.exe
      Netsh.exe Advfirewall Firewall add rule name=AAct_Network dir=in action=allow protocol=TCP program="C:\Users\Admin\AppData\Local\Temp\Programs\AAct Network\AAct_Network_x64.exe"
      4⤵
      Modifies Windows Firewall
      PID:732
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c Netsh.exe Advfirewall Firewall add rule name=AAct_Network dir=out action=allow protocol=TCP program="C:\Users\Admin\AppData\Local\Temp\Programs\AAct Network\AAct_Network_x64.exe"
    3⤵
    PID:376
  - - C:\Windows\system32\netsh.exe
      Netsh.exe Advfirewall Firewall add rule name=AAct_Network dir=out action=allow protocol=TCP program="C:\Users\Admin\AppData\Local\Temp\Programs\AAct Network\AAct_Network_x64.exe"
      4⤵
      Modifies Windows Firewall
      PID:1980
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c Netsh.exe Advfirewall Firewall add rule name=0pen_Port_KMS dir=in action=allow protocol=TCP localport=1688
    3⤵
    PID:4704
  - - C:\Windows\system32\netsh.exe
      Netsh.exe Advfirewall Firewall add rule name=0pen_Port_KMS dir=in action=allow protocol=TCP localport=1688
      4⤵
      Modifies Windows Firewall
      PID:4404
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\test.exe kms.cgtsoft.com:1688 -l Windows -6
    3⤵
    PID:2060
  - - C:\Users\Admin\AppData\Local\Temp\test.exe
      C:\Users\Admin\AppData\Local\Temp\test.exe kms.cgtsoft.com:1688 -l Windows -6
      4⤵
      Executes dropped EXE
      PID:1964
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c Netsh.exe Advfirewall Firewall delete rule name=AAct_Network protocol=TCP
    3⤵
    PID:2544
  - - C:\Windows\system32\netsh.exe
      Netsh.exe Advfirewall Firewall delete rule name=AAct_Network protocol=TCP
      4⤵
      Modifies Windows Firewall
      PID:4128
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c Netsh.exe Advfirewall Firewall delete rule name=0pen_Port_KMS protocol=TCP
    3⤵
    PID:2964
  - - C:\Windows\system32\netsh.exe
      Netsh.exe Advfirewall Firewall delete rule name=0pen_Port_KMS protocol=TCP
      4⤵
      Modifies Windows Firewall
      PID:868
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c Netsh.exe Advfirewall Firewall add rule name=AAct_Network dir=in action=allow protocol=TCP program="C:\Users\Admin\AppData\Local\Temp\Programs\AAct Network\AAct_Network_x64.exe"
    3⤵
    PID:2336
  - - C:\Windows\system32\netsh.exe
      Netsh.exe Advfirewall Firewall add rule name=AAct_Network dir=in action=allow protocol=TCP program="C:\Users\Admin\AppData\Local\Temp\Programs\AAct Network\AAct_Network_x64.exe"
      4⤵
      PID:2932
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c Netsh.exe Advfirewall Firewall add rule name=AAct_Network dir=out action=allow protocol=TCP program="C:\Users\Admin\AppData\Local\Temp\Programs\AAct Network\AAct_Network_x64.exe"
    3⤵
    PID:2008
  - - C:\Windows\system32\netsh.exe
      Netsh.exe Advfirewall Firewall add rule name=AAct_Network dir=out action=allow protocol=TCP program="C:\Users\Admin\AppData\Local\Temp\Programs\AAct Network\AAct_Network_x64.exe"
      4⤵
      Modifies Windows Firewall
      PID:3348
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c Netsh.exe Advfirewall Firewall add rule name=0pen_Port_KMS dir=in action=allow protocol=TCP localport=1688
    3⤵
    PID:5040
  - - C:\Windows\system32\netsh.exe
      Netsh.exe Advfirewall Firewall add rule name=0pen_Port_KMS dir=in action=allow protocol=TCP localport=1688
      4⤵
      PID:3980
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\test.exe kms.sixyin.com:1688 -l Windows -6
    3⤵
    PID:3456
  - - C:\Users\Admin\AppData\Local\Temp\test.exe
      C:\Users\Admin\AppData\Local\Temp\test.exe kms.sixyin.com:1688 -l Windows -6
      4⤵
      Executes dropped EXE
      PID:1796
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c Netsh.exe Advfirewall Firewall delete rule name=AAct_Network protocol=TCP
    3⤵
    PID:3100
  - - C:\Windows\system32\netsh.exe
      Netsh.exe Advfirewall Firewall delete rule name=AAct_Network protocol=TCP
      4⤵
      Modifies Windows Firewall
      PID:2288
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c Netsh.exe Advfirewall Firewall delete rule name=0pen_Port_KMS protocol=TCP
    3⤵
    PID:432
  - - C:\Windows\system32\netsh.exe
      Netsh.exe Advfirewall Firewall delete rule name=0pen_Port_KMS protocol=TCP
      4⤵
      Modifies Windows Firewall
      PID:3240
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c Netsh.exe Advfirewall Firewall add rule name=AAct_Network dir=in action=allow protocol=TCP program="C:\Users\Admin\AppData\Local\Temp\Programs\AAct Network\AAct_Network_x64.exe"
    3⤵
    PID:3236
  - - C:\Windows\system32\netsh.exe
      Netsh.exe Advfirewall Firewall add rule name=AAct_Network dir=in action=allow protocol=TCP program="C:\Users\Admin\AppData\Local\Temp\Programs\AAct Network\AAct_Network_x64.exe"
      4⤵
      PID:2784
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c Netsh.exe Advfirewall Firewall add rule name=AAct_Network dir=out action=allow protocol=TCP program="C:\Users\Admin\AppData\Local\Temp\Programs\AAct Network\AAct_Network_x64.exe"
    3⤵
    PID:3584
  - - C:\Windows\system32\netsh.exe
      Netsh.exe Advfirewall Firewall add rule name=AAct_Network dir=out action=allow protocol=TCP program="C:\Users\Admin\AppData\Local\Temp\Programs\AAct Network\AAct_Network_x64.exe"
      4⤵
      Modifies Windows Firewall
      PID:1640
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c Netsh.exe Advfirewall Firewall add rule name=0pen_Port_KMS dir=in action=allow protocol=TCP localport=1688
    3⤵
    PID:3156
  - - C:\Windows\system32\netsh.exe
      Netsh.exe Advfirewall Firewall add rule name=0pen_Port_KMS dir=in action=allow protocol=TCP localport=1688
      4⤵
      PID:3952
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\test.exe kms.000606.xyz:1688 -l Windows -6
    3⤵
    PID:1964
  - - C:\Users\Admin\AppData\Local\Temp\test.exe
      C:\Users\Admin\AppData\Local\Temp\test.exe kms.000606.xyz:1688 -l Windows -6
      4⤵
      Executes dropped EXE
      PID:3844
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c Netsh.exe Advfirewall Firewall delete rule name=AAct_Network protocol=TCP
    3⤵
    PID:1660
  - - C:\Windows\system32\netsh.exe
      Netsh.exe Advfirewall Firewall delete rule name=AAct_Network protocol=TCP
      4⤵
      Modifies Windows Firewall
      PID:1512
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c Netsh.exe Advfirewall Firewall delete rule name=0pen_Port_KMS protocol=TCP
    3⤵
    PID:868
  - - C:\Windows\system32\netsh.exe
      Netsh.exe Advfirewall Firewall delete rule name=0pen_Port_KMS protocol=TCP
      4⤵
      Modifies Windows Firewall
      PID:3104
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c Netsh.exe Advfirewall Firewall add rule name=AAct_Network dir=in action=allow protocol=TCP program="C:\Users\Admin\AppData\Local\Temp\Programs\AAct Network\AAct_Network_x64.exe"
    3⤵
    PID:2848
  - - C:\Windows\system32\netsh.exe
      Netsh.exe Advfirewall Firewall add rule name=AAct_Network dir=in action=allow protocol=TCP program="C:\Users\Admin\AppData\Local\Temp\Programs\AAct Network\AAct_Network_x64.exe"
      4⤵
      Modifies Windows Firewall
      PID:3388
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c Netsh.exe Advfirewall Firewall add rule name=AAct_Network dir=out action=allow protocol=TCP program="C:\Users\Admin\AppData\Local\Temp\Programs\AAct Network\AAct_Network_x64.exe"
    3⤵
    PID:1148
  - - C:\Windows\system32\netsh.exe
      Netsh.exe Advfirewall Firewall add rule name=AAct_Network dir=out action=allow protocol=TCP program="C:\Users\Admin\AppData\Local\Temp\Programs\AAct Network\AAct_Network_x64.exe"
      4⤵
      Modifies Windows Firewall
      PID:944
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c Netsh.exe Advfirewall Firewall add rule name=0pen_Port_KMS dir=in action=allow protocol=TCP localport=1688
    3⤵
    PID:3160
  - - C:\Windows\system32\netsh.exe
      Netsh.exe Advfirewall Firewall add rule name=0pen_Port_KMS dir=in action=allow protocol=TCP localport=1688
      4⤵
      Modifies Windows Firewall
      PID:5116
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\test.exe kms.jm33.me:1688 -l Windows -6
    3⤵
    PID:4604
  - - C:\Users\Admin\AppData\Local\Temp\test.exe
      C:\Users\Admin\AppData\Local\Temp\test.exe kms.jm33.me:1688 -l Windows -6
      4⤵
      Executes dropped EXE
      PID:5080
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c Netsh.exe Advfirewall Firewall delete rule name=AAct_Network protocol=TCP
    3⤵
    PID:4784
  - - C:\Windows\system32\netsh.exe
      Netsh.exe Advfirewall Firewall delete rule name=AAct_Network protocol=TCP
      4⤵
      Modifies Windows Firewall
      PID:2424
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c Netsh.exe Advfirewall Firewall delete rule name=0pen_Port_KMS protocol=TCP
    3⤵
    PID:2740
  - - C:\Windows\system32\netsh.exe
      Netsh.exe Advfirewall Firewall delete rule name=0pen_Port_KMS protocol=TCP
      4⤵
      Modifies Windows Firewall
      PID:3560
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c Netsh.exe Advfirewall Firewall add rule name=AAct_Network dir=in action=allow protocol=TCP program="C:\Users\Admin\AppData\Local\Temp\Programs\AAct Network\AAct_Network_x64.exe"
    3⤵
    PID:2236
  - - C:\Windows\system32\netsh.exe
      Netsh.exe Advfirewall Firewall add rule name=AAct_Network dir=in action=allow protocol=TCP program="C:\Users\Admin\AppData\Local\Temp\Programs\AAct Network\AAct_Network_x64.exe"
      4⤵
      Modifies Windows Firewall
      PID:2176
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c Netsh.exe Advfirewall Firewall add rule name=AAct_Network dir=out action=allow protocol=TCP program="C:\Users\Admin\AppData\Local\Temp\Programs\AAct Network\AAct_Network_x64.exe"
    3⤵
    PID:2248
  - - C:\Windows\system32\netsh.exe
      Netsh.exe Advfirewall Firewall add rule name=AAct_Network dir=out action=allow protocol=TCP program="C:\Users\Admin\AppData\Local\Temp\Programs\AAct Network\AAct_Network_x64.exe"
      4⤵
      PID:3108
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c Netsh.exe Advfirewall Firewall add rule name=0pen_Port_KMS dir=in action=allow protocol=TCP localport=1688
    3⤵
    PID:2652
  - - C:\Windows\system32\netsh.exe
      Netsh.exe Advfirewall Firewall add rule name=0pen_Port_KMS dir=in action=allow protocol=TCP localport=1688
      4⤵
      PID:620
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\test.exe kms.kmzs123.cn:1688 -l Windows -6
    3⤵
    PID:3916
  - - C:\Users\Admin\AppData\Local\Temp\test.exe
      C:\Users\Admin\AppData\Local\Temp\test.exe kms.kmzs123.cn:1688 -l Windows -6
      4⤵
      Executes dropped EXE
      PID:4520
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c Netsh.exe Advfirewall Firewall delete rule name=AAct_Network protocol=TCP
    3⤵
    PID:1928
  - - C:\Windows\system32\netsh.exe
      Netsh.exe Advfirewall Firewall delete rule name=AAct_Network protocol=TCP
      4⤵
      Modifies Windows Firewall
      PID:448
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c Netsh.exe Advfirewall Firewall delete rule name=0pen_Port_KMS protocol=TCP
    3⤵
    PID:4148
  - - C:\Windows\system32\netsh.exe
      Netsh.exe Advfirewall Firewall delete rule name=0pen_Port_KMS protocol=TCP
      4⤵
      Modifies Windows Firewall
      PID:5024
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c Netsh.exe Advfirewall Firewall add rule name=AAct_Network dir=in action=allow protocol=TCP program="C:\Users\Admin\AppData\Local\Temp\Programs\AAct Network\AAct_Network_x64.exe"
    3⤵
    PID:4388
  - - C:\Windows\system32\netsh.exe
      Netsh.exe Advfirewall Firewall add rule name=AAct_Network dir=in action=allow protocol=TCP program="C:\Users\Admin\AppData\Local\Temp\Programs\AAct Network\AAct_Network_x64.exe"
      4⤵
      PID:1988
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c Netsh.exe Advfirewall Firewall add rule name=AAct_Network dir=out action=allow protocol=TCP program="C:\Users\Admin\AppData\Local\Temp\Programs\AAct Network\AAct_Network_x64.exe"
    3⤵
    PID:4136
  - - C:\Windows\system32\netsh.exe
      Netsh.exe Advfirewall Firewall add rule name=AAct_Network dir=out action=allow protocol=TCP program="C:\Users\Admin\AppData\Local\Temp\Programs\AAct Network\AAct_Network_x64.exe"
      4⤵
      Modifies Windows Firewall
      PID:3564
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c Netsh.exe Advfirewall Firewall add rule name=0pen_Port_KMS dir=in action=allow protocol=TCP localport=1688
    3⤵
    PID:3988
  - - C:\Windows\system32\netsh.exe
      Netsh.exe Advfirewall Firewall add rule name=0pen_Port_KMS dir=in action=allow protocol=TCP localport=1688
      4⤵
      PID:1724
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\test.exe kms.sdit163.com:1688 -l Windows -6
    3⤵
    PID:4840
  - - C:\Users\Admin\AppData\Local\Temp\test.exe
      C:\Users\Admin\AppData\Local\Temp\test.exe kms.sdit163.com:1688 -l Windows -6
      4⤵
      Executes dropped EXE
      PID:408
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c Netsh.exe Advfirewall Firewall delete rule name=AAct_Network protocol=TCP
    3⤵
    PID:3468
  - - C:\Windows\system32\netsh.exe
      Netsh.exe Advfirewall Firewall delete rule name=AAct_Network protocol=TCP
      4⤵
      Modifies Windows Firewall
      PID:4948
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c Netsh.exe Advfirewall Firewall delete rule name=0pen_Port_KMS protocol=TCP
    3⤵
    PID:4652
  - - C:\Windows\system32\netsh.exe
      Netsh.exe Advfirewall Firewall delete rule name=0pen_Port_KMS protocol=TCP
      4⤵
      PID:2904
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c Netsh.exe Advfirewall Firewall add rule name=AAct_Network dir=in action=allow protocol=TCP program="C:\Users\Admin\AppData\Local\Temp\Programs\AAct Network\AAct_Network_x64.exe"
    3⤵
    PID:2908
  - - C:\Windows\system32\netsh.exe
      Netsh.exe Advfirewall Firewall add rule name=AAct_Network dir=in action=allow protocol=TCP program="C:\Users\Admin\AppData\Local\Temp\Programs\AAct Network\AAct_Network_x64.exe"
      4⤵
      Modifies Windows Firewall
      PID:1472
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c Netsh.exe Advfirewall Firewall add rule name=AAct_Network dir=out action=allow protocol=TCP program="C:\Users\Admin\AppData\Local\Temp\Programs\AAct Network\AAct_Network_x64.exe"
    3⤵
    PID:1688
  - - C:\Windows\system32\netsh.exe
      Netsh.exe Advfirewall Firewall add rule name=AAct_Network dir=out action=allow protocol=TCP program="C:\Users\Admin\AppData\Local\Temp\Programs\AAct Network\AAct_Network_x64.exe"
      4⤵
      Modifies Windows Firewall
      PID:4408
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c Netsh.exe Advfirewall Firewall add rule name=0pen_Port_KMS dir=in action=allow protocol=TCP localport=1688
    3⤵
    PID:3192
  - - C:\Windows\system32\netsh.exe
      Netsh.exe Advfirewall Firewall add rule name=0pen_Port_KMS dir=in action=allow protocol=TCP localport=1688
      4⤵
      PID:2264
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\test.exe xincheng213618.cn:1688 -l Windows -6
    3⤵
    PID:4016
  - - C:\Users\Admin\AppData\Local\Temp\test.exe
      C:\Users\Admin\AppData\Local\Temp\test.exe xincheng213618.cn:1688 -l Windows -6
      4⤵
      Executes dropped EXE
      PID:4048
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c Netsh.exe Advfirewall Firewall delete rule name=AAct_Network protocol=TCP
    3⤵
    PID:3136
  - - C:\Windows\system32\netsh.exe
      Netsh.exe Advfirewall Firewall delete rule name=AAct_Network protocol=TCP
      4⤵
      Modifies Windows Firewall
      PID:4128
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c Netsh.exe Advfirewall Firewall delete rule name=0pen_Port_KMS protocol=TCP
    3⤵
    PID:1656
  - - C:\Windows\system32\netsh.exe
      Netsh.exe Advfirewall Firewall delete rule name=0pen_Port_KMS protocol=TCP
      4⤵
      PID:2544
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c Netsh.exe Advfirewall Firewall add rule name=AAct_Network dir=in action=allow protocol=TCP program="C:\Users\Admin\AppData\Local\Temp\Programs\AAct Network\AAct_Network_x64.exe"
    3⤵
    PID:4036
  - - C:\Windows\system32\netsh.exe
      Netsh.exe Advfirewall Firewall add rule name=AAct_Network dir=in action=allow protocol=TCP program="C:\Users\Admin\AppData\Local\Temp\Programs\AAct Network\AAct_Network_x64.exe"
      4⤵
      PID:1660
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c Netsh.exe Advfirewall Firewall add rule name=AAct_Network dir=out action=allow protocol=TCP program="C:\Users\Admin\AppData\Local\Temp\Programs\AAct Network\AAct_Network_x64.exe"
    3⤵
    PID:3752
  - - C:\Windows\system32\netsh.exe
      Netsh.exe Advfirewall Firewall add rule name=AAct_Network dir=out action=allow protocol=TCP program="C:\Users\Admin\AppData\Local\Temp\Programs\AAct Network\AAct_Network_x64.exe"
      4⤵
      Modifies Windows Firewall
      PID:2484
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c Netsh.exe Advfirewall Firewall add rule name=0pen_Port_KMS dir=in action=allow protocol=TCP localport=1688
    3⤵
    PID:2932
  - - C:\Windows\system32\netsh.exe
      Netsh.exe Advfirewall Firewall add rule name=0pen_Port_KMS dir=in action=allow protocol=TCP localport=1688
      4⤵
      Modifies Windows Firewall
      PID:5088
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\test.exe kms.myds.cloud:1688 -l Windows -6
    3⤵
    PID:2008
  - - C:\Users\Admin\AppData\Local\Temp\test.exe
      C:\Users\Admin\AppData\Local\Temp\test.exe kms.myds.cloud:1688 -l Windows -6
      4⤵
      Executes dropped EXE
      PID:2528
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c Netsh.exe Advfirewall Firewall delete rule name=AAct_Network protocol=TCP
    3⤵
    PID:3980
  - - C:\Windows\system32\netsh.exe
      Netsh.exe Advfirewall Firewall delete rule name=AAct_Network protocol=TCP
      4⤵
      PID:3608
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c Netsh.exe Advfirewall Firewall delete rule name=0pen_Port_KMS protocol=TCP
    3⤵
    PID:4512
  - - C:\Windows\system32\netsh.exe
      Netsh.exe Advfirewall Firewall delete rule name=0pen_Port_KMS protocol=TCP
      4⤵
      PID:3128
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c Netsh.exe Advfirewall Firewall add rule name=AAct_Network dir=in action=allow protocol=TCP program="C:\Users\Admin\AppData\Local\Temp\Programs\AAct Network\AAct_Network_x64.exe"
    3⤵
    PID:4528
  - - C:\Windows\system32\netsh.exe
      Netsh.exe Advfirewall Firewall add rule name=AAct_Network dir=in action=allow protocol=TCP program="C:\Users\Admin\AppData\Local\Temp\Programs\AAct Network\AAct_Network_x64.exe"
      4⤵
      PID:3032
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c Netsh.exe Advfirewall Firewall add rule name=AAct_Network dir=out action=allow protocol=TCP program="C:\Users\Admin\AppData\Local\Temp\Programs\AAct Network\AAct_Network_x64.exe"
    3⤵
    PID:2780
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:2904
  - - C:\Windows\system32\netsh.exe
      Netsh.exe Advfirewall Firewall add rule name=AAct_Network dir=out action=allow protocol=TCP program="C:\Users\Admin\AppData\Local\Temp\Programs\AAct Network\AAct_Network_x64.exe"
      4⤵
      Modifies Windows Firewall
      PID:4328
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c Netsh.exe Advfirewall Firewall add rule name=0pen_Port_KMS dir=in action=allow protocol=TCP localport=1688
    3⤵
    PID:3212
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:2908
  - - C:\Windows\system32\netsh.exe
      Netsh.exe Advfirewall Firewall add rule name=0pen_Port_KMS dir=in action=allow protocol=TCP localport=1688
      4⤵
      PID:724
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\test.exe kms.catqu.com:1688 -l Windows -6
    3⤵
    PID:5096
  - - C:\Users\Admin\AppData\Local\Temp\test.exe
      C:\Users\Admin\AppData\Local\Temp\test.exe kms.catqu.com:1688 -l Windows -6
      4⤵
      Executes dropped EXE
      PID:4564
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c Netsh.exe Advfirewall Firewall delete rule name=AAct_Network protocol=TCP
    3⤵
    PID:4432
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:732
  - - C:\Windows\system32\netsh.exe
      Netsh.exe Advfirewall Firewall delete rule name=AAct_Network protocol=TCP
      4⤵
      PID:3424
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c Netsh.exe Advfirewall Firewall delete rule name=0pen_Port_KMS protocol=TCP
    3⤵
    PID:2056
  - - C:\Windows\system32\netsh.exe
      Netsh.exe Advfirewall Firewall delete rule name=0pen_Port_KMS protocol=TCP
      4⤵
      Modifies Windows Firewall
      PID:1908
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c Netsh.exe Advfirewall Firewall add rule name=AAct_Network dir=in action=allow protocol=TCP program="C:\Users\Admin\AppData\Local\Temp\Programs\AAct Network\AAct_Network_x64.exe"
    3⤵
    PID:620
  - - C:\Windows\system32\netsh.exe
      Netsh.exe Advfirewall Firewall add rule name=AAct_Network dir=in action=allow protocol=TCP program="C:\Users\Admin\AppData\Local\Temp\Programs\AAct Network\AAct_Network_x64.exe"
      4⤵
      Modifies Windows Firewall
      PID:4624
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c Netsh.exe Advfirewall Firewall add rule name=AAct_Network dir=out action=allow protocol=TCP program="C:\Users\Admin\AppData\Local\Temp\Programs\AAct Network\AAct_Network_x64.exe"
    3⤵
    PID:3156
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:3916
  - - C:\Windows\system32\netsh.exe
      Netsh.exe Advfirewall Firewall add rule name=AAct_Network dir=out action=allow protocol=TCP program="C:\Users\Admin\AppData\Local\Temp\Programs\AAct Network\AAct_Network_x64.exe"
      4⤵
      Modifies Windows Firewall
      PID:3360
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c Netsh.exe Advfirewall Firewall add rule name=0pen_Port_KMS dir=in action=allow protocol=TCP localport=1688
    3⤵
    PID:4376
  - - C:\Windows\system32\netsh.exe
      Netsh.exe Advfirewall Firewall add rule name=0pen_Port_KMS dir=in action=allow protocol=TCP localport=1688
      4⤵
      Modifies Windows Firewall
      PID:2100
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\test.exe kms.ghpym.com:1688 -l Windows -6
    3⤵
    PID:3784
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:2336
  - - C:\Users\Admin\AppData\Local\Temp\test.exe
      C:\Users\Admin\AppData\Local\Temp\test.exe kms.ghpym.com:1688 -l Windows -6
      4⤵
      Executes dropped EXE
      PID:3392
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c Netsh.exe Advfirewall Firewall delete rule name=AAct_Network protocol=TCP
    3⤵
    PID:3348
  - - C:\Windows\system32\netsh.exe
      Netsh.exe Advfirewall Firewall delete rule name=AAct_Network protocol=TCP
      4⤵
      Modifies Windows Firewall
      PID:2848
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c Netsh.exe Advfirewall Firewall delete rule name=0pen_Port_KMS protocol=TCP
    3⤵
    PID:3568
  - - C:\Windows\system32\netsh.exe
      Netsh.exe Advfirewall Firewall delete rule name=0pen_Port_KMS protocol=TCP
      4⤵
      Modifies Windows Firewall
      PID:1148
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c Netsh.exe Advfirewall Firewall add rule name=AAct_Network dir=in action=allow protocol=TCP program="C:\Users\Admin\AppData\Local\Temp\Programs\AAct Network\AAct_Network_x64.exe"
    3⤵
    PID:3520
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:3440
  - - C:\Windows\system32\netsh.exe
      Netsh.exe Advfirewall Firewall add rule name=AAct_Network dir=in action=allow protocol=TCP program="C:\Users\Admin\AppData\Local\Temp\Programs\AAct Network\AAct_Network_x64.exe"
      4⤵
      Modifies Windows Firewall
      PID:1248
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c Netsh.exe Advfirewall Firewall add rule name=AAct_Network dir=out action=allow protocol=TCP program="C:\Users\Admin\AppData\Local\Temp\Programs\AAct Network\AAct_Network_x64.exe"
    3⤵
    PID:2948
  - - C:\Windows\system32\netsh.exe
      Netsh.exe Advfirewall Firewall add rule name=AAct_Network dir=out action=allow protocol=TCP program="C:\Users\Admin\AppData\Local\Temp\Programs\AAct Network\AAct_Network_x64.exe"
      4⤵
      Modifies Windows Firewall
      PID:3572
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c Netsh.exe Advfirewall Firewall add rule name=0pen_Port_KMS dir=in action=allow protocol=TCP localport=1688
    3⤵
    PID:3504
  - - C:\Windows\system32\netsh.exe
      Netsh.exe Advfirewall Firewall add rule name=0pen_Port_KMS dir=in action=allow protocol=TCP localport=1688
      4⤵
      Modifies Windows Firewall
      PID:2424
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\test.exe kms.mc06.net:1688 -l Windows -6
    3⤵
    PID:1736
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:2784
  - - C:\Users\Admin\AppData\Local\Temp\test.exe
      C:\Users\Admin\AppData\Local\Temp\test.exe kms.mc06.net:1688 -l Windows -6
      4⤵
      Executes dropped EXE
      PID:3232
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c Netsh.exe Advfirewall Firewall delete rule name=AAct_Network protocol=TCP
    3⤵
    PID:1048
  - - C:\Windows\system32\netsh.exe
      Netsh.exe Advfirewall Firewall delete rule name=AAct_Network protocol=TCP
      4⤵
      PID:4704
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c Netsh.exe Advfirewall Firewall delete rule name=0pen_Port_KMS protocol=TCP
    3⤵
    PID:1428
  - - C:\Windows\system32\netsh.exe
      Netsh.exe Advfirewall Firewall delete rule name=0pen_Port_KMS protocol=TCP
      4⤵
      Modifies Windows Firewall
      PID:4416
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c Netsh.exe Advfirewall Firewall add rule name=AAct_Network dir=in action=allow protocol=TCP program="C:\Users\Admin\AppData\Local\Temp\Programs\AAct Network\AAct_Network_x64.exe"
    3⤵
    PID:4460
  - - C:\Windows\system32\netsh.exe
      Netsh.exe Advfirewall Firewall add rule name=AAct_Network dir=in action=allow protocol=TCP program="C:\Users\Admin\AppData\Local\Temp\Programs\AAct Network\AAct_Network_x64.exe"
      4⤵
      PID:3276
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c Netsh.exe Advfirewall Firewall add rule name=AAct_Network dir=out action=allow protocol=TCP program="C:\Users\Admin\AppData\Local\Temp\Programs\AAct Network\AAct_Network_x64.exe"
    3⤵
    PID:2308
  - - C:\Windows\system32\netsh.exe
      Netsh.exe Advfirewall Firewall add rule name=AAct_Network dir=out action=allow protocol=TCP program="C:\Users\Admin\AppData\Local\Temp\Programs\AAct Network\AAct_Network_x64.exe"
      4⤵
      Modifies Windows Firewall
      PID:4016
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c Netsh.exe Advfirewall Firewall add rule name=0pen_Port_KMS dir=in action=allow protocol=TCP localport=1688
    3⤵
    PID:4760
  - - C:\Windows\system32\netsh.exe
      Netsh.exe Advfirewall Firewall add rule name=0pen_Port_KMS dir=in action=allow protocol=TCP localport=1688
      4⤵
      PID:5108
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\test.exe kms.moeyuuko.top:1688 -l Windows -6
    3⤵
    PID:1884
  - - C:\Users\Admin\AppData\Local\Temp\test.exe
      C:\Users\Admin\AppData\Local\Temp\test.exe kms.moeyuuko.top:1688 -l Windows -6
      4⤵
      Executes dropped EXE
      PID:1508
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c Netsh.exe Advfirewall Firewall delete rule name=AAct_Network protocol=TCP
    3⤵
    PID:620
  - - C:\Windows\system32\netsh.exe
      Netsh.exe Advfirewall Firewall delete rule name=AAct_Network protocol=TCP
      4⤵
      Modifies Windows Firewall
      PID:2368
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c Netsh.exe Advfirewall Firewall delete rule name=0pen_Port_KMS protocol=TCP
    3⤵
    PID:448
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:2544
  - - C:\Windows\system32\netsh.exe
      Netsh.exe Advfirewall Firewall delete rule name=0pen_Port_KMS protocol=TCP
      4⤵
      Modifies Windows Firewall
      PID:4676
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c Netsh.exe Advfirewall Firewall add rule name=AAct_Network dir=in action=allow protocol=TCP program="C:\Users\Admin\AppData\Local\Temp\Programs\AAct Network\AAct_Network_x64.exe"
    3⤵
    PID:1660
  - - C:\Windows\system32\netsh.exe
      Netsh.exe Advfirewall Firewall add rule name=AAct_Network dir=in action=allow protocol=TCP program="C:\Users\Admin\AppData\Local\Temp\Programs\AAct Network\AAct_Network_x64.exe"
      4⤵
      Modifies Windows Firewall
      PID:1988
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c Netsh.exe Advfirewall Firewall add rule name=AAct_Network dir=out action=allow protocol=TCP program="C:\Users\Admin\AppData\Local\Temp\Programs\AAct Network\AAct_Network_x64.exe"
    3⤵
    PID:4632
  - - C:\Windows\system32\netsh.exe
      Netsh.exe Advfirewall Firewall add rule name=AAct_Network dir=out action=allow protocol=TCP program="C:\Users\Admin\AppData\Local\Temp\Programs\AAct Network\AAct_Network_x64.exe"
      4⤵
      Modifies Windows Firewall
      PID:1896
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c Netsh.exe Advfirewall Firewall add rule name=0pen_Port_KMS dir=in action=allow protocol=TCP localport=1688
    3⤵
    PID:1900
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:4136
  - - C:\Windows\system32\netsh.exe
      Netsh.exe Advfirewall Firewall add rule name=0pen_Port_KMS dir=in action=allow protocol=TCP localport=1688
      4⤵
      PID:944
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\test.exe kms8.MSGuides.com:1688 -l Windows -6
    3⤵
    PID:3608
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:3388
  - - C:\Users\Admin\AppData\Local\Temp\test.exe
      C:\Users\Admin\AppData\Local\Temp\test.exe kms8.MSGuides.com:1688 -l Windows -6
      4⤵
      Executes dropped EXE
      PID:3368
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c Netsh.exe Advfirewall Firewall delete rule name=AAct_Network protocol=TCP
    3⤵
    PID:3628
  - - C:\Windows\system32\netsh.exe
      Netsh.exe Advfirewall Firewall delete rule name=AAct_Network protocol=TCP
      4⤵
      Modifies Windows Firewall
      PID:5080
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c Netsh.exe Advfirewall Firewall delete rule name=0pen_Port_KMS protocol=TCP
    3⤵
    PID:4516
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:2948
  - - C:\Windows\system32\netsh.exe
      Netsh.exe Advfirewall Firewall delete rule name=0pen_Port_KMS protocol=TCP
      4⤵
      Modifies Windows Firewall
      PID:4784
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c Netsh.exe Advfirewall Firewall add rule name=AAct_Network dir=in action=allow protocol=TCP program="C:\Users\Admin\AppData\Local\Temp\Programs\AAct Network\AAct_Network_x64.exe"
    3⤵
    PID:2344
  - - C:\Windows\system32\netsh.exe
      Netsh.exe Advfirewall Firewall add rule name=AAct_Network dir=in action=allow protocol=TCP program="C:\Users\Admin\AppData\Local\Temp\Programs\AAct Network\AAct_Network_x64.exe"
      4⤵
      PID:4600
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c Netsh.exe Advfirewall Firewall add rule name=AAct_Network dir=out action=allow protocol=TCP program="C:\Users\Admin\AppData\Local\Temp\Programs\AAct Network\AAct_Network_x64.exe"
    3⤵
    PID:5020
  - - C:\Windows\system32\netsh.exe
      Netsh.exe Advfirewall Firewall add rule name=AAct_Network dir=out action=allow protocol=TCP program="C:\Users\Admin\AppData\Local\Temp\Programs\AAct Network\AAct_Network_x64.exe"
      4⤵
      Modifies Windows Firewall
      PID:4408
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c Netsh.exe Advfirewall Firewall add rule name=0pen_Port_KMS dir=in action=allow protocol=TCP localport=1688
    3⤵
    PID:1048
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:1688
  - - C:\Windows\system32\netsh.exe
      Netsh.exe Advfirewall Firewall add rule name=0pen_Port_KMS dir=in action=allow protocol=TCP localport=1688
      4⤵
      PID:4000
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\test.exe kms9.MSGuides.com:1688 -l Windows -6
    3⤵
    PID:2284
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:4416
  - - C:\Users\Admin\AppData\Local\Temp\test.exe
      C:\Users\Admin\AppData\Local\Temp\test.exe kms9.MSGuides.com:1688 -l Windows -6
      4⤵
      Executes dropped EXE
      PID:540
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c Netsh.exe Advfirewall Firewall delete rule name=AAct_Network protocol=TCP
    3⤵
    PID:960
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:2236
  - - C:\Windows\system32\netsh.exe
      Netsh.exe Advfirewall Firewall delete rule name=AAct_Network protocol=TCP
      4⤵
      Modifies Windows Firewall
      PID:2056
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c Netsh.exe Advfirewall Firewall delete rule name=0pen_Port_KMS protocol=TCP
    3⤵
    PID:876
  - - C:\Windows\system32\netsh.exe
      Netsh.exe Advfirewall Firewall delete rule name=0pen_Port_KMS protocol=TCP
      4⤵
      PID:3152
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c Netsh.exe Advfirewall Firewall add rule name=AAct_Network dir=in action=allow protocol=TCP program="C:\Users\Admin\AppData\Local\Temp\Programs\AAct Network\AAct_Network_x64.exe"
    3⤵
    PID:1788
  - - C:\Windows\system32\netsh.exe
      Netsh.exe Advfirewall Firewall add rule name=AAct_Network dir=in action=allow protocol=TCP program="C:\Users\Admin\AppData\Local\Temp\Programs\AAct Network\AAct_Network_x64.exe"
      4⤵
      Modifies Windows Firewall
      PID:116
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c Netsh.exe Advfirewall Firewall add rule name=AAct_Network dir=out action=allow protocol=TCP program="C:\Users\Admin\AppData\Local\Temp\Programs\AAct Network\AAct_Network_x64.exe"
    3⤵
    PID:4128
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:1508
  - - C:\Windows\system32\netsh.exe
      Netsh.exe Advfirewall Firewall add rule name=AAct_Network dir=out action=allow protocol=TCP program="C:\Users\Admin\AppData\Local\Temp\Programs\AAct Network\AAct_Network_x64.exe"
      4⤵
      Modifies Windows Firewall
      PID:4040
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c Netsh.exe Advfirewall Firewall add rule name=0pen_Port_KMS dir=in action=allow protocol=TCP localport=1688
    3⤵
    PID:3912
  - - C:\Windows\system32\netsh.exe
      Netsh.exe Advfirewall Firewall add rule name=0pen_Port_KMS dir=in action=allow protocol=TCP localport=1688
      4⤵
      Modifies Windows Firewall
      PID:2136
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\test.exe xykz.f3322.org:1688 -l Windows -6
    3⤵
    PID:2544
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:4676
  - - C:\Users\Admin\AppData\Local\Temp\test.exe
      C:\Users\Admin\AppData\Local\Temp\test.exe xykz.f3322.org:1688 -l Windows -6
      4⤵
      Executes dropped EXE
      PID:2696
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c Netsh.exe Advfirewall Firewall delete rule name=AAct_Network protocol=TCP
    3⤵
    PID:3484
  - - C:\Windows\system32\netsh.exe
      Netsh.exe Advfirewall Firewall delete rule name=AAct_Network protocol=TCP
      4⤵
      Modifies Windows Firewall
      PID:3348
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c Netsh.exe Advfirewall Firewall delete rule name=0pen_Port_KMS protocol=TCP
    3⤵
    PID:2488
  - - C:\Windows\system32\netsh.exe
      Netsh.exe Advfirewall Firewall delete rule name=0pen_Port_KMS protocol=TCP
      4⤵
      PID:2528
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c Netsh.exe Advfirewall Firewall add rule name=AAct_Network dir=in action=allow protocol=TCP program="C:\Users\Admin\AppData\Local\Temp\Programs\AAct Network\AAct_Network_x64.exe"
    3⤵
    PID:1092
  - - C:\Windows\system32\netsh.exe
      Netsh.exe Advfirewall Firewall add rule name=AAct_Network dir=in action=allow protocol=TCP program="C:\Users\Admin\AppData\Local\Temp\Programs\AAct Network\AAct_Network_x64.exe"
      4⤵
      Modifies Windows Firewall
      PID:3732
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c Netsh.exe Advfirewall Firewall add rule name=AAct_Network dir=out action=allow protocol=TCP program="C:\Users\Admin\AppData\Local\Temp\Programs\AAct Network\AAct_Network_x64.exe"
    3⤵
    PID:3388
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:4948
  - - C:\Windows\system32\netsh.exe
      Netsh.exe Advfirewall Firewall add rule name=AAct_Network dir=out action=allow protocol=TCP program="C:\Users\Admin\AppData\Local\Temp\Programs\AAct Network\AAct_Network_x64.exe"
      4⤵
      Modifies Windows Firewall
      PID:5100
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c Netsh.exe Advfirewall Firewall add rule name=0pen_Port_KMS dir=in action=allow protocol=TCP localport=1688
    3⤵
    PID:3068
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:3520
  - - C:\Windows\system32\netsh.exe
      Netsh.exe Advfirewall Firewall add rule name=0pen_Port_KMS dir=in action=allow protocol=TCP localport=1688
      4⤵
      Modifies Windows Firewall
      PID:1252
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\test.exe kms.ddns.net:1688 -l Windows -6
    3⤵
    PID:4516
  - - C:\Users\Admin\AppData\Local\Temp\test.exe
      C:\Users\Admin\AppData\Local\Temp\test.exe kms.ddns.net:1688 -l Windows -6
      4⤵
      Executes dropped EXE
      PID:2780
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c Netsh.exe Advfirewall Firewall delete rule name=AAct_Network protocol=TCP
    3⤵
    PID:3584
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:3504
  - - C:\Windows\system32\netsh.exe
      Netsh.exe Advfirewall Firewall delete rule name=AAct_Network protocol=TCP
      4⤵
      Modifies Windows Firewall
      PID:3212
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c Netsh.exe Advfirewall Firewall delete rule name=0pen_Port_KMS protocol=TCP
    3⤵
    PID:4184
  - - C:\Windows\system32\netsh.exe
      Netsh.exe Advfirewall Firewall delete rule name=0pen_Port_KMS protocol=TCP
      4⤵
      PID:4564

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x500 0x498
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:344

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7zaxxx.exe

Filesize
628KB

MD5
ec79cabd55a14379e4d676bb17d9e3df

SHA1
15626d505da35bfdb33aea5c8f7831f616cabdba

SHA256
44a55f5d9c31d0990de47b9893e0c927478930cef06fbe2d1f520a6d6cba587d

SHA512
00bbb601a685cbfb3c51c1da9f3b77c2b318c79e87d88a31c0e215288101753679e1586b170ccc9c2cb0b5ce05c2090c0737a1e4a616ad1d9658392066196d47

Download Submit
C:\Users\Admin\AppData\Local\Temp\Programs\AAct Network\AAct_Network_x64.exe

Filesize
2.5MB

MD5
21d2de78029a3c71dcd7691839b1e32f

SHA1
a0f6adffccb5b121e999d9774596bccbef9b9bef

SHA256
0831596d9619d90d1f9910902e2e475766307ed60717852c528ba51b90d5c4c8

SHA512
4666601fbf4aad4f814ce643df2890e5786d68ca5215b23453b3307082711b970157d45df84809a19e03ed0126f2ba18f558caf2ad5d0413990f446e25e3db0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\data.pak

Filesize
18.4MB

MD5
42d57d16f18360cc8a2c5b2a71d1c667

SHA1
b6b53f5b947a1b5eade7d8ab7c5c3afe90d68158

SHA256
cf88585ba8544899472c85e8677bdd3061043a26bf3f67324b4f43df903b3ee7

SHA512
faaa1c1abf9dce8a34c1d286e592c5fb691987923d3f3b428be04874f38e6fda22a3312f648ed03d9d039531913803d1c5c0e323c85d671266cadf7e11572f62

Download Submit
C:\Users\Admin\AppData\Local\Temp\test.exe

Filesize
58KB

MD5
cc470d06e9afc9a7c0b395274b02ac88

SHA1
8a7c21cd0e565c77fb78d33ad57fd4ab9d9439f4

SHA256
81f84a27c49ddd56c799d935787becb989a6e5b8e000e76e21c82b6cde4c42ff

SHA512
0b6539d9c9d31a7450e1c66108d259aa7fbe88fc614169e9288892890585f0779eda8e128584a47d5593df1ee013f7d8cc53b2d6601b2503817dcb4f21069a84

Download Submit
memory/408-48-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/540-81-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/1508-72-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/1796-32-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/1964-28-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/2288-24-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/2368-20-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/2528-56-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/2696-85-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/2780-89-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/3232-68-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/3368-77-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/3392-64-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/3844-36-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/4048-52-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/4520-44-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/4564-60-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/5080-40-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads