hxxps://kmspico[.]io/windows-10-activator/

Analysis

max time kernel
112s
max time network
108s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
26/07/2024, 13:21

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

https://kmspico.io/windows-10-activator/

Score

6^/10

discovery

Malware Config

Signatures

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
45	href.li
46	href.li
47	href.li

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133664737149891374"	chrome.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings	chrome.exe

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
4520	vlc.exe
4388	vlc.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1472	chrome.exe
1472	chrome.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4520	vlc.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
1472	chrome.exe
1472	chrome.exe
1472	chrome.exe
1472	chrome.exe
1472	chrome.exe
1472	chrome.exe
1472	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1472	chrome.exe
Token: SeCreatePagefilePrivilege	1472	chrome.exe
Token: SeShutdownPrivilege	1472	chrome.exe
Token: SeCreatePagefilePrivilege	1472	chrome.exe
Token: SeShutdownPrivilege	1472	chrome.exe
Token: SeCreatePagefilePrivilege	1472	chrome.exe
Token: SeShutdownPrivilege	1472	chrome.exe
Token: SeCreatePagefilePrivilege	1472	chrome.exe
Token: SeShutdownPrivilege	1472	chrome.exe
Token: SeCreatePagefilePrivilege	1472	chrome.exe
Token: SeShutdownPrivilege	1472	chrome.exe
Token: SeCreatePagefilePrivilege	1472	chrome.exe
Token: SeShutdownPrivilege	1472	chrome.exe
Token: SeCreatePagefilePrivilege	1472	chrome.exe
Token: SeShutdownPrivilege	1472	chrome.exe
Token: SeCreatePagefilePrivilege	1472	chrome.exe
Token: SeShutdownPrivilege	1472	chrome.exe
Token: SeCreatePagefilePrivilege	1472	chrome.exe
Token: SeShutdownPrivilege	1472	chrome.exe
Token: SeCreatePagefilePrivilege	1472	chrome.exe
Token: SeShutdownPrivilege	1472	chrome.exe
Token: SeCreatePagefilePrivilege	1472	chrome.exe
Token: SeShutdownPrivilege	1472	chrome.exe
Token: SeCreatePagefilePrivilege	1472	chrome.exe
Token: SeShutdownPrivilege	1472	chrome.exe
Token: SeCreatePagefilePrivilege	1472	chrome.exe
Token: SeShutdownPrivilege	1472	chrome.exe
Token: SeCreatePagefilePrivilege	1472	chrome.exe
Token: SeShutdownPrivilege	1472	chrome.exe
Token: SeCreatePagefilePrivilege	1472	chrome.exe
Token: SeShutdownPrivilege	1472	chrome.exe
Token: SeCreatePagefilePrivilege	1472	chrome.exe
Token: SeShutdownPrivilege	1472	chrome.exe
Token: SeCreatePagefilePrivilege	1472	chrome.exe
Token: SeShutdownPrivilege	1472	chrome.exe
Token: SeCreatePagefilePrivilege	1472	chrome.exe
Token: SeShutdownPrivilege	1472	chrome.exe
Token: SeCreatePagefilePrivilege	1472	chrome.exe
Token: SeShutdownPrivilege	1472	chrome.exe
Token: SeCreatePagefilePrivilege	1472	chrome.exe
Token: SeShutdownPrivilege	1472	chrome.exe
Token: SeCreatePagefilePrivilege	1472	chrome.exe
Token: SeShutdownPrivilege	1472	chrome.exe
Token: SeCreatePagefilePrivilege	1472	chrome.exe
Token: SeShutdownPrivilege	1472	chrome.exe
Token: SeCreatePagefilePrivilege	1472	chrome.exe
Token: SeShutdownPrivilege	1472	chrome.exe
Token: SeCreatePagefilePrivilege	1472	chrome.exe
Token: SeShutdownPrivilege	1472	chrome.exe
Token: SeCreatePagefilePrivilege	1472	chrome.exe
Token: SeShutdownPrivilege	1472	chrome.exe
Token: SeCreatePagefilePrivilege	1472	chrome.exe
Token: SeShutdownPrivilege	1472	chrome.exe
Token: SeCreatePagefilePrivilege	1472	chrome.exe
Token: SeShutdownPrivilege	1472	chrome.exe
Token: SeCreatePagefilePrivilege	1472	chrome.exe
Token: SeShutdownPrivilege	1472	chrome.exe
Token: SeCreatePagefilePrivilege	1472	chrome.exe
Token: SeShutdownPrivilege	1472	chrome.exe
Token: SeCreatePagefilePrivilege	1472	chrome.exe
Token: SeShutdownPrivilege	1472	chrome.exe
Token: SeCreatePagefilePrivilege	1472	chrome.exe
Token: SeShutdownPrivilege	1472	chrome.exe
Token: SeCreatePagefilePrivilege	1472	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
1472	chrome.exe
1472	chrome.exe
1472	chrome.exe
1472	chrome.exe
1472	chrome.exe
1472	chrome.exe
1472	chrome.exe
1472	chrome.exe
1472	chrome.exe
1472	chrome.exe
1472	chrome.exe
1472	chrome.exe
1472	chrome.exe
1472	chrome.exe
1472	chrome.exe
1472	chrome.exe
1472	chrome.exe
1472	chrome.exe
1472	chrome.exe
1472	chrome.exe
1472	chrome.exe
1472	chrome.exe
1472	chrome.exe
1472	chrome.exe
1472	chrome.exe
1472	chrome.exe
1472	chrome.exe
1472	chrome.exe
1472	chrome.exe
1472	chrome.exe
1472	chrome.exe
1472	chrome.exe
1472	chrome.exe
4520	vlc.exe
4520	vlc.exe
4520	vlc.exe
4520	vlc.exe
4520	vlc.exe
4520	vlc.exe
4520	vlc.exe
4520	vlc.exe
4520	vlc.exe
4520	vlc.exe
1472	chrome.exe
1472	chrome.exe
1472	chrome.exe
1472	chrome.exe
1472	chrome.exe
1472	chrome.exe
1472	chrome.exe
4388	vlc.exe
4388	vlc.exe
4388	vlc.exe
4388	vlc.exe
4388	vlc.exe
4388	vlc.exe
4388	vlc.exe
4388	vlc.exe
4388	vlc.exe
4388	vlc.exe
4388	vlc.exe
4388	vlc.exe
4388	vlc.exe
4388	vlc.exe

Suspicious use of SendNotifyMessage 49 IoCs

pid	Process
1472	chrome.exe
1472	chrome.exe
1472	chrome.exe
1472	chrome.exe
1472	chrome.exe
1472	chrome.exe
1472	chrome.exe
1472	chrome.exe
1472	chrome.exe
1472	chrome.exe
1472	chrome.exe
1472	chrome.exe
1472	chrome.exe
1472	chrome.exe
1472	chrome.exe
1472	chrome.exe
1472	chrome.exe
1472	chrome.exe
1472	chrome.exe
1472	chrome.exe
1472	chrome.exe
1472	chrome.exe
1472	chrome.exe
1472	chrome.exe
4520	vlc.exe
4520	vlc.exe
4520	vlc.exe
4520	vlc.exe
4520	vlc.exe
4520	vlc.exe
4520	vlc.exe
4520	vlc.exe
4520	vlc.exe
4388	vlc.exe
4388	vlc.exe
4388	vlc.exe
4388	vlc.exe
4388	vlc.exe
4388	vlc.exe
4388	vlc.exe
4388	vlc.exe
4388	vlc.exe
4388	vlc.exe
4388	vlc.exe
4388	vlc.exe
4388	vlc.exe
4388	vlc.exe
4388	vlc.exe
4388	vlc.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
3920	OpenWith.exe
3920	OpenWith.exe
3920	OpenWith.exe
3920	OpenWith.exe
3920	OpenWith.exe
4520	vlc.exe
4388	vlc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1472 wrote to memory of 4780	1472	chrome.exe	73
PID 1472 wrote to memory of 4780	1472	chrome.exe	73
PID 1472 wrote to memory of 2756	1472	chrome.exe	75
PID 1472 wrote to memory of 2756	1472	chrome.exe	75
PID 1472 wrote to memory of 2756	1472	chrome.exe	75
PID 1472 wrote to memory of 2756	1472	chrome.exe	75
PID 1472 wrote to memory of 2756	1472	chrome.exe	75
PID 1472 wrote to memory of 2756	1472	chrome.exe	75
PID 1472 wrote to memory of 2756	1472	chrome.exe	75
PID 1472 wrote to memory of 2756	1472	chrome.exe	75
PID 1472 wrote to memory of 2756	1472	chrome.exe	75
PID 1472 wrote to memory of 2756	1472	chrome.exe	75
PID 1472 wrote to memory of 2756	1472	chrome.exe	75
PID 1472 wrote to memory of 2756	1472	chrome.exe	75
PID 1472 wrote to memory of 2756	1472	chrome.exe	75
PID 1472 wrote to memory of 2756	1472	chrome.exe	75
PID 1472 wrote to memory of 2756	1472	chrome.exe	75
PID 1472 wrote to memory of 2756	1472	chrome.exe	75
PID 1472 wrote to memory of 2756	1472	chrome.exe	75
PID 1472 wrote to memory of 2756	1472	chrome.exe	75
PID 1472 wrote to memory of 2756	1472	chrome.exe	75
PID 1472 wrote to memory of 2756	1472	chrome.exe	75
PID 1472 wrote to memory of 2756	1472	chrome.exe	75
PID 1472 wrote to memory of 2756	1472	chrome.exe	75
PID 1472 wrote to memory of 2756	1472	chrome.exe	75
PID 1472 wrote to memory of 2756	1472	chrome.exe	75
PID 1472 wrote to memory of 2756	1472	chrome.exe	75
PID 1472 wrote to memory of 2756	1472	chrome.exe	75
PID 1472 wrote to memory of 2756	1472	chrome.exe	75
PID 1472 wrote to memory of 2756	1472	chrome.exe	75
PID 1472 wrote to memory of 2756	1472	chrome.exe	75
PID 1472 wrote to memory of 2756	1472	chrome.exe	75
PID 1472 wrote to memory of 2756	1472	chrome.exe	75
PID 1472 wrote to memory of 2756	1472	chrome.exe	75
PID 1472 wrote to memory of 2756	1472	chrome.exe	75
PID 1472 wrote to memory of 2756	1472	chrome.exe	75
PID 1472 wrote to memory of 2756	1472	chrome.exe	75
PID 1472 wrote to memory of 2756	1472	chrome.exe	75
PID 1472 wrote to memory of 2756	1472	chrome.exe	75
PID 1472 wrote to memory of 2756	1472	chrome.exe	75
PID 1472 wrote to memory of 1352	1472	chrome.exe	76
PID 1472 wrote to memory of 1352	1472	chrome.exe	76
PID 1472 wrote to memory of 2552	1472	chrome.exe	77
PID 1472 wrote to memory of 2552	1472	chrome.exe	77
PID 1472 wrote to memory of 2552	1472	chrome.exe	77
PID 1472 wrote to memory of 2552	1472	chrome.exe	77
PID 1472 wrote to memory of 2552	1472	chrome.exe	77
PID 1472 wrote to memory of 2552	1472	chrome.exe	77
PID 1472 wrote to memory of 2552	1472	chrome.exe	77
PID 1472 wrote to memory of 2552	1472	chrome.exe	77
PID 1472 wrote to memory of 2552	1472	chrome.exe	77
PID 1472 wrote to memory of 2552	1472	chrome.exe	77
PID 1472 wrote to memory of 2552	1472	chrome.exe	77
PID 1472 wrote to memory of 2552	1472	chrome.exe	77
PID 1472 wrote to memory of 2552	1472	chrome.exe	77
PID 1472 wrote to memory of 2552	1472	chrome.exe	77
PID 1472 wrote to memory of 2552	1472	chrome.exe	77
PID 1472 wrote to memory of 2552	1472	chrome.exe	77
PID 1472 wrote to memory of 2552	1472	chrome.exe	77
PID 1472 wrote to memory of 2552	1472	chrome.exe	77
PID 1472 wrote to memory of 2552	1472	chrome.exe	77
PID 1472 wrote to memory of 2552	1472	chrome.exe	77
PID 1472 wrote to memory of 2552	1472	chrome.exe	77
PID 1472 wrote to memory of 2552	1472	chrome.exe	77

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://kmspico.io/windows-10-activator/
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1472
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ffa35589758,0x7ffa35589768,0x7ffa35589778
  2⤵
  PID:4780
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1612 --field-trial-handle=1808,i,5745828574690676696,8832947105119497212,131072 /prefetch:2
  2⤵
  PID:2756
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1832 --field-trial-handle=1808,i,5745828574690676696,8832947105119497212,131072 /prefetch:8
  2⤵
  PID:1352
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2104 --field-trial-handle=1808,i,5745828574690676696,8832947105119497212,131072 /prefetch:8
  2⤵
  PID:2552
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2876 --field-trial-handle=1808,i,5745828574690676696,8832947105119497212,131072 /prefetch:1
  2⤵
  PID:2112
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3096 --field-trial-handle=1808,i,5745828574690676696,8832947105119497212,131072 /prefetch:1
  2⤵
  PID:4716
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5184 --field-trial-handle=1808,i,5745828574690676696,8832947105119497212,131072 /prefetch:8
  2⤵
  PID:4760
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4848 --field-trial-handle=1808,i,5745828574690676696,8832947105119497212,131072 /prefetch:8
  2⤵
  PID:4120
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --mojo-platform-channel-handle=4868 --field-trial-handle=1808,i,5745828574690676696,8832947105119497212,131072 /prefetch:1
  2⤵
  PID:3708
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=3128 --field-trial-handle=1808,i,5745828574690676696,8832947105119497212,131072 /prefetch:1
  2⤵
  PID:4392
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=5316 --field-trial-handle=1808,i,5745828574690676696,8832947105119497212,131072 /prefetch:1
  2⤵
  PID:2664
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5496 --field-trial-handle=1808,i,5745828574690676696,8832947105119497212,131072 /prefetch:8
  2⤵
  PID:3596
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5684 --field-trial-handle=1808,i,5745828574690676696,8832947105119497212,131072 /prefetch:8
  2⤵
  PID:864
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5844 --field-trial-handle=1808,i,5745828574690676696,8832947105119497212,131072 /prefetch:8
  2⤵
  PID:4000
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=5116 --field-trial-handle=1808,i,5745828574690676696,8832947105119497212,131072 /prefetch:1
  2⤵
  PID:3200
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --mojo-platform-channel-handle=5968 --field-trial-handle=1808,i,5745828574690676696,8832947105119497212,131072 /prefetch:1
  2⤵
  PID:2096
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3924 --field-trial-handle=1808,i,5745828574690676696,8832947105119497212,131072 /prefetch:8
  2⤵
  PID:3532
- C:\Program Files\VideoLAN\VLC\vlc.exe
  "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Downloads\KMSpico (1).rar"
  2⤵
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:4388
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5424 --field-trial-handle=1808,i,5745828574690676696,8832947105119497212,131072 /prefetch:8
  2⤵
  PID:416

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:5052

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x38c
1⤵
PID:2160

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3920
- C:\Program Files\VideoLAN\VLC\vlc.exe
  "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Downloads\KMSpico.rar"
  2⤵
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:4520

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4544

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00002c

Filesize
17KB

MD5
950eca48e414acbe2c3b5d046dcb8521

SHA1
1731f264e979f18cdf08c405c7b7d32789a6fb59

SHA256
c0bbe530abfce19e06697bc4358eb426e076ccdb9113e22df4a6f32085da67a2

SHA512
27e55525ade4d099a6881011f6e2e0d5d3a9ca7181f4f014dc231d40b3b1907d0d437b0c44d336c25dd7b73209cd773b8563675ac260c43c7752e2d2d694d4d9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
240B

MD5
868e0f28cf3453f7dba1d9bc041a86e8

SHA1
f3e32a775ba4253f4c1338aca9cf314a03c68292

SHA256
953bd9145f729cfca2d335816ae9b321d5f09b19d9152cc60add5c60acf00713

SHA512
64fab8ff88dab301f5709bf7e02ffe9d25d947d3b5bb16aece3d6d94e964615f5696ccab7646ba38c624c0cc56ab17c256a67be3a548fa974e26ffc2a627c8ba

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
240B

MD5
2b3c8ed454ce2402fd4293089ebf0a53

SHA1
c5bedb15e01c2a60c2fd9c02c8ccd07a16a8b89a

SHA256
0b9dcedd080456a677f58acb385a86d4c93caff0a138082551e9b8fd28bc73a2

SHA512
3e46467f60434bd268692fe5024b22ecdb50396f253f4957e993fa5c3ad093797deaaa7bd3213e04bc8d882002b6535b6f93570a71a4c3cd050586ff6de373fd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\File System\000\t\Paths\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\https_mega.nz_0.indexeddb.leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\https_mega.nz_0.indexeddb.leveldb\MANIFEST-000001

Filesize
23B

MD5
3fd11ff447c1ee23538dc4d9724427a3

SHA1
1335e6f71cc4e3cf7025233523b4760f8893e9c9

SHA256
720a78803b84cbcc8eb204d5cf8ea6ee2f693be0ab2124ddf2b81455de02a3ed

SHA512
10a3bd3813014eb6f8c2993182e1fa382d745372f8921519e1d25f70d76f08640e84cb8d0b554ccd329a6b4e6de6872328650fefa91f98c3c0cfc204899ee824

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1018B

MD5
f4a3d0ffb1fe2b11a8fe4f2f4bc57554

SHA1
8fda1b80ed052bdcdc2b6ca3917595994442f126

SHA256
2769940a822ec07937395e09f157592e3ad5c1c959c15c88fd658dc43a385ecc

SHA512
b30314cec379ba00575f0779a5450e40fd1fecefa9b2152199c31b35bdbfb1730509c84cbad36d37ac8bb2c441ce88ed52fbe2ff844d8903cdaa0ace5ef1f277

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
203b892606df8f3f9f40feb1f3d0dfa9

SHA1
7607eb4fe7b3cb0312594fd403056c5a565b2c03

SHA256
6736cbae96696116e62badb92ce2bb085893c36ad0367a8d5e57c111eca44d86

SHA512
d63c40ee8924ca5d779edd2f1506937ee6c8fa62142f367b7532ae8738fe5833724137c72f5f77a88e045ae9c9b756949398338f385fe32d8a02d29a11bf5835

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1018B

MD5
fd6de268deff29fcab7575dbb2aeb59c

SHA1
ad30da494ea1d2248d8825611d15fd7a62b752dc

SHA256
71b9630d9cbebefe352a4d69464c5a248a40d2f29e7a0d4edd8354f15d657f12

SHA512
964ba8ae8907ddd98e0bedc358a0359fd998850f73e1673d0ceafd3758ae76a238a8789d49c01b6928ca42a283893206b52e2c05c62eec1b4c9558a710924ba0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
873B

MD5
7b9a5f0daf816bf0d178366d9ced7fc2

SHA1
8a5c94745caa3cd705bbc9110e56e7606272a9df

SHA256
6c5efac33d5ec0a6336c6de6fb1904ae98ed9832f09778c91021972f5114b2de

SHA512
9c6f1ba3ed6571012c471e13b75bf4a75d69bed8ff0332f1c71fc6f90ddbdc0134a9c2228c988fb4c3ce15ad33dd735b9b1a83e8fb7dde79dbe5d0aefed11390

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
873B

MD5
7011d80bdeb9a0c160693dac8b58ea6b

SHA1
ae3a8e31477f863c034b0e0d1b53d78889726227

SHA256
93eb50f05e163f5e56a87eb86088cde29e90249798f45f62bd35ad42a7f8571a

SHA512
dc15325054e7436dbdcb34e8d92de21ea7693c7ca6ce34115ca445ac0b058bfa54c1c126622d7d63de76e0a207983e795a4012ddc7e5782043c87ee30532f784

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
538B

MD5
e139f37596ea343d895a2d7fcf2557eb

SHA1
e46c399d3905bd8ae85336eb7ca97f7406a058d6

SHA256
31481dba2359556f700b68cc05ff5ff486ecf6a3a3bd8b5e6ecb02b327bfb72c

SHA512
294404830c3ccf5ff0b0b47dda15fa20098795cfa279b7de8c196124fe43206f7bca2c0d96f1ea945c427aac3fe7c754a89becdc35182b723fdcbe01a38da696

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
92cecffd508b6cb7066932efaf1f83d6

SHA1
cec416735d081d1938dae3e32bfe9a64689d1fea

SHA256
3f12763f09302932c434a87dd0d1303d4bf4cb4af476e94b08cddaae50a9ac98

SHA512
27969a16d5afe2211779b26a9c189d2c63fee444d595b412302669f151733a239b3a0329da8219701cf79c15f8847a35f5c30f956d7039f14cd20715d9cc9ed6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
31798acd227c7d4faf06badf206d8de7

SHA1
a8cd4b3d875b32e19befbd3f4ea96c92e57dacff

SHA256
c0503ea94870500bfa2713c4d2de9e762590c06dac32b754906a59510e167e71

SHA512
ffe70447af76c0a3870f3e4d7f16f9174502a4f3d5305fb591ca7ccfcdf1941f408e40bbe7da0435757139a4a4c84cc71edeb5a466241f60e73c63dd81a7a8e7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
87d4bcad9a42c80235181193a636c91b

SHA1
86e99934c20496a9630cc1fb9bb9f7c8d33993c8

SHA256
f0ddfd97380ba5e42d8b1135cfef32c7b173aeb3513b57548d5f6b91eabe9e21

SHA512
8bdd5f43e4c23cbb8f0c9a1f2a839831873911ee90759d0f8929d27c78447c551f659443103d6f620ea74e7ed6c4d2ed2b77cb0d1ed513317eb95dbe220556c0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
859d2a1cb8bce0bb7d00b0bdc0803612

SHA1
e018f6cba666798ba118c3c5f2f9d31b5cc348ff

SHA256
d2dc6cf35def0efb06d750c16d60b118afc790b9a9c83438fcde5185bad58196

SHA512
551f14deb3ca7b3ad924fb8211f8a65e3953d0e59a3327f47e8f8003b07f6ab3143f44b5ee2dd617aa140fbb5a995b66bc72da6bf60a6a17e2f3705e19477409

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
e78e884607bb9acb9c3edf7710fc9b9e

SHA1
c115125bf0008db31d815f5aba6d0c7e879dcd75

SHA256
5971a06999187d5d58951817c88d36d923709c3e2345638da990470acf78945d

SHA512
ec900398a45178b6e1d8fc9273b8c4bea19e95287459b93803090a4c87e7148e78674b9246ac351917e9f7e9f351a6f8eddd829ed79c134f8dbac96d233e0f29

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
17c3934b62bc9faf614d36400adb3a99

SHA1
9e30d5202ac0a36e1bffc407bef5ee2865ef7062

SHA256
cc240ab5736ea9901a2fc241384bf838375e3bf27504effae562852ef72124e2

SHA512
e840e1cfddddd6994eb4dd64a695fbc706b77b7eb5abb18bd6a1b0631be9c29bd23e1c9a671ee555303c05d17ae1bbd1d39193258dcbb19b2e8097c6021a1981

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe58436d.TMP

Filesize
48B

MD5
ebcc4552341657ec8506106f1b06e1d2

SHA1
2478030515e1452652e2ed37b2241d6f8da51d7e

SHA256
348066203198d896bffc122c84d44ccb6f3a71aa8831368f4fbb42a707f90f23

SHA512
051fc97669d56ff2d8c9622a8912ef4cca1c94dbd64cd8cf4ab5be11320d68114ebb7a09cbe44629393ef601734d8155c5ab6f242d96657af259f491e1e2811f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
136KB

MD5
7576ae9f2fb3287b6b399726cf13bdb4

SHA1
0c7abb63c3b2c366bded803c353151c5a659e2b4

SHA256
b18c3aba869154b50a54028385ce57f21c65fda781229a1e2bc6b438ab819a23

SHA512
8864dc4d8b4479a5ea1a8ac9f3b22cd68aa062fc95aac64f2315a4db3e8adac5d955bc2c1dd709d449877fa4a2a4a25202001127eba616572d72fa272fb1c4fc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
136KB

MD5
8cd7c3b2e9274a839c4162167ddeb2f5

SHA1
f2cf3983266b21f26d10c36ffd9a3d4e13aeade9

SHA256
25f509cc5b36bbd40c8a39eb8c4016f4bda0bcc2f52e565b19d98e45c6c38c08

SHA512
a8a6d12728356651bda827078b859c10dcc5fc6f3f2517a7681e22a992e158eb131eda1ae370dd9ed2e0eb6dd3ee5b116362850c26edbd4096d83038785bb5fd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
136KB

MD5
abab7b0db919a388bf7cb5f0691cab5c

SHA1
356bbbef914ed3a8256a3587b60a67c40dc7ff3b

SHA256
ab8c4858ee5dfc583dd6116b00b20b55904bd14aaf35ce52e7051bed9359a432

SHA512
40f266ff2b3321901f6182ff9ee19f057ec79153e9aa7ba020a680cb39acf6a9e964c31c19eaec975e503a1c3053e6cfd95f5461c4f475c1f71ed04b8ed68260

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
112KB

MD5
56cbfe85c4a3857c41effda8fee58b66

SHA1
a741080c89cb53f78f01ee0dfa2d5aa4b08898ea

SHA256
8c8c8902de315854b09a8d8bf0aa483b6471624b0cf6727ecd5555fd19a33b9d

SHA512
49a592a88a08599ea319c9ef719ee08d81aabdad3bed61f07296fd1ac4ad70ce9268fdd41fa05310c05876bb65176dd726568f584654710e9d9c435ea0b400a1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe583dee.TMP

Filesize
98KB

MD5
65ac52ccc2a0f9ff7a43d55dea89b3a3

SHA1
f68d0d42b1e78aa9998ae8d380665c163ec5c3cd

SHA256
a3a4b148769a94b561ad1db900fe26db4aa90aa1d086351fb222bd1d1e276ba9

SHA512
6a370d864fb4bf952cce4def6740fb0fc239f7db05152b56367e6d89bb116f3a6f22c59bbfb34779f6662813b3ab4f608544a6b291105abacf11623016d9e5b8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\f554ffd7-b327-4777-a4bb-b735937d81ef.tmp

Filesize
110KB

MD5
f08eabbf93322eef0d9bdcb97b40b473

SHA1
c18cf05d5cb4a82ef2ab96ebafd1583ff12b77a4

SHA256
ee35ed5d5fe741ea687c1dbda6f1ed426275f7908e1ac4b24aade938c745ace4

SHA512
bc5db0e15599a1ab75b27afe80f9cd336c6a0ffa022174ac9438d3c930b0d4e64cd65c47844a4a87ae0e7941d0d73aa3079c7dc2cd11bb45ae398f14587831e7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Roaming\vlc\ml.xspf

Filesize
304B

MD5
781602441469750c3219c8c38b515ed4

SHA1
e885acd1cbd0b897ebcedbb145bef1c330f80595

SHA256
81970dbe581373d14fbd451ac4b3f96e5f69b79645f1ee1ca715cff3af0bf20d

SHA512
2b0a1717d96edb47bdf0ffeb250a5ec11f7d0638d3e0a62fbe48c064379b473ca88ffbececb32a72129d06c040b107834f1004ccda5f0f35b8c3588034786461

Download Submit
C:\Users\Admin\AppData\Roaming\vlc\vlc-qt-interface.ini

Filesize
529B

MD5
9b2f07bbb83f7322a15dba082c5ae263

SHA1
c15831e5e8c09c82eddc7120aec8131e698c2eea

SHA256
756faaf1172cb96c9516ac3a24258b17eaa0af58bab0e50b5a07542308dd8f75

SHA512
c23a22d7ea98ce4cbe2f1cc4bc015349c468cd47f4511b11b73e2e64cebaf9160ebaed6f2eb522606e2a9706406375fbbe2effa68ade22da2347d69f073c9e62

Download Submit
C:\Users\Admin\AppData\Roaming\vlc\vlcrc

Filesize
94KB

MD5
7b37c4f352a44c8246bf685258f75045

SHA1
817dacb245334f10de0297e69c98b4c9470f083e

SHA256
ec45f6e952b43eddc214dba703cf7f31398f3c9f535aad37f42237c56b9b778e

SHA512
1e8d675b3c6c9ba257b616da268cac7f1c7a9db12ffb831ed5f8d43c0887d711c197ebc9daf735e3da9a0355bf21c2b29a2fb38a46482a2c5c8cd5628fea4c02

Download Submit
C:\Users\Admin\Downloads\KMSpico.rar

Filesize
3.0MB

MD5
40c608f35a3163393e0c0a77949e7edf

SHA1
40f6da6c08d7125949233f042063bcaa939653bf

SHA256
1a6ac493023da1085a8f116dc5482c40ecfacf8e36295a9b09a8bd9c6422e8e9

SHA512
71d0aad7ac20a1127c9e12b927d5b11539a113976137c25770d3d076a9d5511032613f1d3686621b528ffdc09d5c81ea10274990e5d4e6a1f04c1311d579ac06

Download Submit
memory/4388-532-0x00007FFA21B20000-0x00007FFA21C2E000-memory.dmp

Filesize
1.1MB

Download
memory/4388-530-0x00007FFA355F0000-0x00007FFA35624000-memory.dmp

Filesize
208KB

Download
memory/4388-529-0x00007FF788EE0000-0x00007FF788FD8000-memory.dmp

Filesize
992KB

Download
memory/4388-531-0x00007FFA217B0000-0x00007FFA21A66000-memory.dmp

Filesize
2.7MB

Download
memory/4520-321-0x00007FFA2DC90000-0x00007FFA2DCC4000-memory.dmp

Filesize
208KB

Download
memory/4520-320-0x00007FF788EE0000-0x00007FF788FD8000-memory.dmp

Filesize
992KB

Download
memory/4520-322-0x00007FFA217B0000-0x00007FFA21A66000-memory.dmp

Filesize
2.7MB

Download
memory/4520-323-0x00007FFA1F8B0000-0x00007FFA20960000-memory.dmp

Filesize
16.7MB

Download