Analysis
max time kernel: 149s
max time network: 142s
platform: windows11-21h2_x64
resource: win11-20240802-en
resource tags: arch:x64 arch:x86 image:win11-20240802-en locale:en-us os:windows11-21h2-x64 system
submitted: 08/09/2024, 02:59
Static task: static1
Behavioral task: behavioral1
  Sample: KMSpico-setup.exe
  Resource: win10v2004-20240802-en
Behavioral task: behavioral2
  Sample: KMSpico-setup.exe
  Resource: win11-20240802-en
General
Target: KMSpico-setup.exe
Size: 3.1MB
MD5: a02164371a50c5ff9fa2870ef6e8cfa3
SHA1: 060614723f8375ecaad8b249ff07e3be082d7f25
SHA256: 64c731adbe1b96cb5765203b1e215093dcf268d020b299445884a4ae62ed2d3a
SHA512: 6c6903f3a3092fd3d63c373189f2c06e12de032ee4fd6b80a15f58eaeb2079f3ae8a8bcdac85a358b1f9070b192b1c8260f9aa127d009b5afce475f966e91326
SSDEEP: 98304:CgbTbhBxCLS0Kx/XRCsFlPsKh9ApbeicTkxchy6pA32b7SuzWl:rxBxCLS3xZCsFyBzxcE6pAGbq
Malware Config
Signatures
-
Creates new service(s) 2 TTPs
-
Event Triggered Execution: Image File Execution Options Injection 1 TTPs 6 IoCs
description | ioc | Process
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.exe | AutoPico.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.exe | KMSELDI.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.exe\Debugger = "C:\\Windows\\SECOH-QAD.exe" | KMSELDI.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.exe | KMSELDI.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.exe | AutoPico.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.exe\Debugger = "C:\\Windows\\SECOH-QAD.exe" | AutoPico.exe
-
Executes dropped EXE 5 IoCs
pid | Process
2880 | KMSpico-setup.tmp
4708 | UninsHs.exe
4628 | KMSELDI.exe
4920 | SECOH-QAD.exe
4488 | AutoPico.exe
-
Loads dropped DLL 1 IoCs
pid | Process
3144 | SppExtComObj.exe
-
resource | yara_rule
behavioral2/files/0x000100000002aadf-801.dat | upx
behavioral2/memory/4708-803-0x0000000000400000-0x0000000000417000-memory.dmp | upx
behavioral2/memory/4708-806-0x0000000000400000-0x0000000000417000-memory.dmp | upx
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Indicator Removal: Clear Persistence 2 IoCs
description | ioc | Process
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.exe | KMSELDI.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.exe | AutoPico.exe
-
Drops file in System32 directory 3 IoCs
description | ioc | Process
File opened for modification | C:\Windows\system32\Vestris.ResourceLib.dll | KMSpico-setup.tmp
File created | C:\Windows\system32\is-0JGKQ.tmp | KMSpico-setup.tmp
File created | C:\Windows\system32\is-PCM11.tmp | KMSpico-setup.tmp
-
Enumerates processes with tasklist 1 TTPs 1 IoCs
pid | Process
3548 | tasklist.exe
-
Drops file in Program Files directory 64 IoCs
description | ioc | Process
File created | C:\Program Files\KMSpico\cert\kmscert2010\Standard\is-SI34O.tmp | KMSpico-setup.tmp
File created | C:\Program Files\KMSpico\cert\kmscert2016\OneNote\is-3HIRS.tmp | KMSpico-setup.tmp
File created | C:\Program Files\KMSpico\cert\kmscert2016\VisioPro\is-KN1R6.tmp | KMSpico-setup.tmp
File created | C:\Program Files\KMSpico\cert\kmscertW6\is-BFUAM.tmp | KMSpico-setup.tmp
File created | C:\Program Files\KMSpico\cert\kmscertW6\BusinessN\is-T3G5P.tmp | KMSpico-setup.tmp
File opened for modification | C:\Program Files\KMSpico\logs\AutoPico.log | AutoPico.exe
File created | C:\Program Files\KMSpico\cert\kmscert2010\ProjectPro\is-4E9HJ.tmp | KMSpico-setup.tmp
File created | C:\Program Files\KMSpico\cert\kmscert2013\Outlook\is-E1VN8.tmp | KMSpico-setup.tmp
File created | C:\Program Files\KMSpico\driver\is-C5LHD.tmp | KMSpico-setup.tmp
File created | C:\Program Files\KMSpico\cert\kmscert2010\ProjectPro\is-GHPAM.tmp | KMSpico-setup.tmp
File created | C:\Program Files\KMSpico\cert\kmscert2010\SmallBusBasics\is-7Q1F5.tmp | KMSpico-setup.tmp
File created | C:\Program Files\KMSpico\cert\kmscertW6\Enterprise\is-9MLBI.tmp | KMSpico-setup.tmp
File created | C:\Program Files\KMSpico\cert\kmscert2010\InfoPath\is-R04VK.tmp | KMSpico-setup.tmp
File created | C:\Program Files\KMSpico\cert\kmscert2010\ProjectPro\is-GKA7R.tmp | KMSpico-setup.tmp
File created | C:\Program Files\KMSpico\cert\kmscert2010\ProjectStd\is-CH56P.tmp | KMSpico-setup.tmp
File created | C:\Program Files\KMSpico\cert\kmscert2010\Publisher\is-IFIDT.tmp | KMSpico-setup.tmp
File created | C:\Program Files\KMSpico\cert\kmscert2013\Excel\is-SQGIA.tmp | KMSpico-setup.tmp
File opened for modification | C:\Program Files\KMSpico\Service_KMS.exe | KMSpico-setup.tmp
File created | C:\Program Files\KMSpico\cert\kmscert2010\PowerPoint\is-IBHAB.tmp | KMSpico-setup.tmp
File created | C:\Program Files\KMSpico\cert\kmscertW7\Professional\is-N8L2C.tmp | KMSpico-setup.tmp
File created | C:\Program Files\KMSpico\cert\kmscertW8\ProfessionalN\is-H1Q8T.tmp | KMSpico-setup.tmp
File created | C:\Program Files\KMSpico\cert\kmscertW6\Enterprise\is-VRLD9.tmp | KMSpico-setup.tmp
File created | C:\Program Files\KMSpico\cert\kmscertW7\Embedded\is-3ANSP.tmp | KMSpico-setup.tmp
File created | C:\Program Files\KMSpico\cert\kmscertW7\Professional\is-JSNMS.tmp | KMSpico-setup.tmp
File created | C:\Program Files\KMSpico\cert\kmscertW8\CoreSingleLanguage\is-97ES0.tmp | KMSpico-setup.tmp
File created | C:\Program Files\KMSpico\cert\kmscert2010\Standard\is-9O3TR.tmp | KMSpico-setup.tmp
File created | C:\Program Files\KMSpico\cert\kmscert2013\is-M07AK.tmp | KMSpico-setup.tmp
File created | C:\Program Files\KMSpico\scripts\is-NUBV4.tmp | KMSpico-setup.tmp
File created | C:\Program Files\KMSpico\cert\kmscert2013\ProjectStd\is-H4SKD.tmp | KMSpico-setup.tmp
File created | C:\Program Files\KMSpico\cert\kmscert2010\Visio\is-Q2D9P.tmp | KMSpico-setup.tmp
File created | C:\Program Files\KMSpico\cert\kmscert2013\Lync\is-URIVT.tmp | KMSpico-setup.tmp
File created | C:\Program Files\KMSpico\cert\kmscert2013\InfoPath\is-HUGMQ.tmp | KMSpico-setup.tmp
File created | C:\Program Files\KMSpico\cert\kmscertW81\ServerStandard\is-OR7MT.tmp | KMSpico-setup.tmp
File created | C:\Program Files\KMSpico\driver\is-461EO.tmp | KMSpico-setup.tmp
File created | C:\Program Files\KMSpico\cert\kmscert2010\Outlook\is-0F324.tmp | KMSpico-setup.tmp
File created | C:\Program Files\KMSpico\cert\kmscert2013\Access\is-PI04V.tmp | KMSpico-setup.tmp
File created | C:\Program Files\KMSpico\cert\kmscert2016\Excel\is-Q8O7J.tmp | KMSpico-setup.tmp
File created | C:\Program Files\KMSpico\cert\kmscert2016\Excel\is-O92CS.tmp | KMSpico-setup.tmp
File created | C:\Program Files\KMSpico\cert\kmscertW6\BusinessN\is-UVRAE.tmp | KMSpico-setup.tmp
File created | C:\Program Files\KMSpico\cert\kmscertW8\ProfessionalWMC\is-RL11N.tmp | KMSpico-setup.tmp
File created | C:\Program Files\KMSpico\cert\kmscert2010\Access\is-SFD5H.tmp | KMSpico-setup.tmp
File created | C:\Program Files\KMSpico\cert\kmscert2016\ProPlus\is-CL6K8.tmp | KMSpico-setup.tmp
File created | C:\Program Files\KMSpico\cert\kmscertW6\Enterprise\is-L8A68.tmp | KMSpico-setup.tmp
File created | C:\Program Files\KMSpico\cert\kmscertW8\Enterprise\is-N9HT7.tmp | KMSpico-setup.tmp
File created | C:\Program Files\KMSpico\sounds\is-32O3G.tmp | KMSpico-setup.tmp
File created | C:\Program Files\KMSpico\is-AIHQ0.tmp | KMSpico-setup.tmp
File created | C:\Program Files\KMSpico\cert\kmscert2010\Outlook\is-5K1N9.tmp | KMSpico-setup.tmp
File created | C:\Program Files\KMSpico\cert\kmscertW10\Education\is-2QLUK.tmp | KMSpico-setup.tmp
File created | C:\Program Files\KMSpico\cert\kmscertW10\Professional\is-IT4SO.tmp | KMSpico-setup.tmp
File created | C:\Program Files\KMSpico\cert\kmscert2010\Standard\is-IIK2F.tmp | KMSpico-setup.tmp
File created | C:\Program Files\KMSpico\sounds\is-7S37F.tmp | KMSpico-setup.tmp
File created | C:\Program Files\KMSpico\cert\kmscert2010\Visio\is-FPPNC.tmp | KMSpico-setup.tmp
File created | C:\Program Files\KMSpico\cert\kmscert2016\Mondo\is-5URCC.tmp | KMSpico-setup.tmp
File created | C:\Program Files\KMSpico\cert\kmscertW6\Business\is-2HK5N.tmp | KMSpico-setup.tmp
File created | C:\Program Files\KMSpico\cert\kmscertW7\Embedded\is-4ES77.tmp | KMSpico-setup.tmp
File created | C:\Program Files\KMSpico\cert\kmscert2010\ProjectPro\is-UKHK7.tmp | KMSpico-setup.tmp
File created | C:\Program Files\KMSpico\cert\kmscertW6\Enterprise\is-OQQ6K.tmp | KMSpico-setup.tmp
File created | C:\Program Files\KMSpico\sounds\is-IQS5F.tmp | KMSpico-setup.tmp
File created | C:\Program Files\KMSpico\cert\kmscert2013\is-6JUF6.tmp | KMSpico-setup.tmp
File created | C:\Program Files\KMSpico\cert\kmscert2016\Standard\is-NTU3C.tmp | KMSpico-setup.tmp
File created | C:\Program Files\KMSpico\cert\kmscert2010\Outlook\is-MUKUU.tmp | KMSpico-setup.tmp
File created | C:\Program Files\KMSpico\cert\kmscert2013\PowerPoint\is-NTBLT.tmp | KMSpico-setup.tmp
File created | C:\Program Files\KMSpico\cert\kmscert2016\VisioPro\is-DNQIE.tmp | KMSpico-setup.tmp
File created | C:\Program Files\KMSpico\cert\kmscertW10\is-LS1A2.tmp | KMSpico-setup.tmp
-
Drops file in Windows directory 6 IoCs
description | ioc | Process
File created | C:\Windows\SECOH-QAD.exe | KMSELDI.exe
File opened for modification | C:\Windows\Panther\UnattendGC\setupact.log | UserOOBEBroker.exe
File opened for modification | C:\Windows\Panther\UnattendGC\setuperr.log | UserOOBEBroker.exe
File opened for modification | C:\Windows\Panther\UnattendGC\diagerr.xml | UserOOBEBroker.exe
File opened for modification | C:\Windows\Panther\UnattendGC\diagwrn.xml | UserOOBEBroker.exe
File created | C:\Windows\SECOH-QAD.dll | KMSELDI.exe
-
Launches sc.exe 1 IoCs
Sc.exe is a Windows utility to control services on the system.
pid | Process
1796 | sc.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | KMSpico-setup.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | KMSpico-setup.tmp
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | UninsHs.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | FileCoAuth.exe
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 | Taskmgr.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | Taskmgr.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName | Taskmgr.exe
-
Modifies Control Panel 2 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-6179872-1886041298-1573312864-1000\Control Panel\Desktop\PaintDesktopVersion = "0" | KMSELDI.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-6179872-1886041298-1573312864-1000\Control Panel\Desktop\PaintDesktopVersion = "0" | AutoPico.exe
-
Modifies Internet Explorer Phishing Filter 1 TTPs 2 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\PhishingFilter | KMSpico-setup.tmp
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\PhishingFilter\EnabledV9 = "0" | KMSpico-setup.tmp
-
Modifies data under HKEY_USERS 9 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\55c92734-d682-4d71-983e-d6ec3f16059f\2de67392-b7a7-462a-b1ca-108dd189f588\DiscoveredKeyManagementServiceIpAddress = "10.201.137.146" | SppExtComObj.exe
Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\55c92734-d682-4d71-983e-d6ec3f16059f\2de67392-b7a7-462a-b1ca-108dd189f588 | SppExtComObj.exe
Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft | SppExtComObj.exe
Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows NT | SppExtComObj.exe
Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion | SppExtComObj.exe
Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform | SppExtComObj.exe
Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\55c92734-d682-4d71-983e-d6ec3f16059f | SppExtComObj.exe
Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\55c92734-d682-4d71-983e-d6ec3f16059f\2de67392-b7a7-462a-b1ca-108dd189f588 | SppExtComObj.exe
Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE | SppExtComObj.exe
-
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
1472 | schtasks.exe
-
Suspicious behavior: EnumeratesProcesses 24 IoCs
pid | Process (repeated entries collapsed with a count)
2880 | KMSpico-setup.tmp (x2)
4920 | SECOH-QAD.exe (x6)
4628 | KMSELDI.exe (x1)
4488 | AutoPico.exe (x2)
2096 | Taskmgr.exe (x13)
-
Suspicious behavior: LoadsDriver 6 IoCs
pid | Process (repeated entries collapsed with a count)
4 | Process not Found (x5)
660 | Process not Found (x1)
-
Suspicious use of AdjustPrivilegeToken 7 IoCs
description | pid | Process
Token: SeDebugPrivilege | 4628 | KMSELDI.exe
Token: SeSystemtimePrivilege | 4488 | AutoPico.exe
Token: SeDebugPrivilege | 4488 | AutoPico.exe
Token: SeDebugPrivilege | 3548 | tasklist.exe
Token: SeDebugPrivilege | 2096 | Taskmgr.exe
Token: SeSystemProfilePrivilege | 2096 | Taskmgr.exe
Token: SeCreateGlobalPrivilege | 2096 | Taskmgr.exe
-
Suspicious use of FindShellTrayWindow 26 IoCs
pid | Process (repeated entries collapsed with a count)
2880 | KMSpico-setup.tmp (x1)
2096 | Taskmgr.exe (x25)
-
Suspicious use of SendNotifyMessage 25 IoCs
pid | Process (repeated entries collapsed with a count)
2096 | Taskmgr.exe (x25)
-
Suspicious use of WriteProcessMemory 29 IoCs
description | pid | Process | procid_target (repeated entries collapsed with a count)
PID 1048 wrote to memory of 2880 | 1048 | KMSpico-setup.exe | 80 (x3)
PID 2880 wrote to memory of 1500 | 2880 | KMSpico-setup.tmp | 82 (x2)
PID 2880 wrote to memory of 3848 | 2880 | KMSpico-setup.tmp | 83 (x2)
PID 2880 wrote to memory of 4708 | 2880 | KMSpico-setup.tmp | 84 (x3)
PID 2880 wrote to memory of 4628 | 2880 | KMSpico-setup.tmp | 87 (x2)
PID 1500 wrote to memory of 1796 | 1500 | cmd.exe | 88 (x2)
PID 3848 wrote to memory of 1472 | 3848 | cmd.exe | 89 (x2)
PID 4920 wrote to memory of 3144 | 4920 | SECOH-QAD.exe | 105 (x3)
PID 3144 wrote to memory of 1016 | 3144 | SppExtComObj.exe | 106 (x2)
PID 2880 wrote to memory of 4488 | 2880 | KMSpico-setup.tmp | 107 (x2)
PID 3144 wrote to memory of 3192 | 3144 | SppExtComObj.exe | 111 (x2)
PID 1108 wrote to memory of 2096 | 1108 | cmd.exe | 114 (x2)
PID 1108 wrote to memory of 3548 | 1108 | cmd.exe | 115 (x2)
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes (indentation shows the parent/child depth reported by the sandbox)

C:\Users\Admin\AppData\Local\Temp\KMSpico-setup.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\KMSpico-setup.exe"
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1048

    C:\Users\Admin\AppData\Local\Temp\is-01DQ1.tmp\KMSpico-setup.tmp
      command line: "C:\Users\Admin\AppData\Local\Temp\is-01DQ1.tmp\KMSpico-setup.tmp" /SL5="$502B6,2952592,69120,C:\Users\Admin\AppData\Local\Temp\KMSpico-setup.exe"
      - Executes dropped EXE
      - Drops file in System32 directory
      - Drops file in Program Files directory
      - System Location Discovery: System Language Discovery
      - Modifies Internet Explorer Phishing Filter
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of WriteProcessMemory
      PID:2880

        C:\Windows\system32\cmd.exe
          command line: "C:\Windows\system32\cmd.exe" /C ""C:\Program Files\KMSpico\scripts\Install_Service.cmd""
          - Suspicious use of WriteProcessMemory
          PID:1500

            C:\Windows\system32\sc.exe
              command line: sc create "Service KMSELDI" binPath= "C:\Program Files\KMSpico\Service_KMS.exe" type= own error= normal start= auto DisplayName= "Service KMSELDI"
              - Launches sc.exe
              PID:1796

        C:\Windows\system32\cmd.exe
          command line: "C:\Windows\system32\cmd.exe" /C ""C:\Program Files\KMSpico\scripts\Install_Task.cmd""
          - Suspicious use of WriteProcessMemory
          PID:3848

            C:\Windows\system32\schtasks.exe
              command line: SCHTASKS /Create /TN "AutoPico Daily Restart" /TR "'C:\Program Files\KMSpico\AutoPico.exe' /silent" /SC DAILY /ST 23:59:59 /RU "NT AUTHORITY\SYSTEM" /RL Highest /F
              - Scheduled Task/Job: Scheduled Task
              PID:1472

        C:\Program Files\KMSpico\UninsHs.exe
          command line: "C:\Program Files\KMSpico\UninsHs.exe" /r0=KMSpico,default,C:\Users\Admin\AppData\Local\Temp\KMSpico-setup.exe
          - Executes dropped EXE
          - System Location Discovery: System Language Discovery
          PID:4708

        C:\Program Files\KMSpico\KMSELDI.exe
          command line: "C:\Program Files\KMSpico\KMSELDI.exe" /silent /backup
          - Event Triggered Execution: Image File Execution Options Injection
          - Executes dropped EXE
          - Indicator Removal: Clear Persistence
          - Drops file in Windows directory
          - Modifies Control Panel
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          PID:4628

        C:\Program Files\KMSpico\AutoPico.exe
          command line: "C:\Program Files\KMSpico\AutoPico.exe" /silent
          - Event Triggered Execution: Image File Execution Options Injection
          - Executes dropped EXE
          - Indicator Removal: Clear Persistence
          - Drops file in Program Files directory
          - Modifies Control Panel
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          PID:4488

C:\Windows\system32\svchost.exe
  command line: C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
  PID:4972

C:\Windows\System32\oobe\UserOOBEBroker.exe
  command line: C:\Windows\System32\oobe\UserOOBEBroker.exe -Embedding
  - Drops file in Windows directory
  PID:1796

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe
  command line: C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe -Embedding
  - System Location Discovery: System Language Discovery
  PID:3496

C:\Windows\SECOH-QAD.exe
  command line: C:\Windows\SECOH-QAD.exe C:\Windows\system32\SppExtComObj.exe -Embedding
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4920

    C:\Windows\system32\SppExtComObj.exe
      command line: C:\Windows\system32\SppExtComObj.exe -Embedding
      - Loads dropped DLL
      - Modifies data under HKEY_USERS
      - Suspicious use of WriteProcessMemory
      PID:3144

        C:\Windows\System32\SLUI.exe
          command line: "C:\Windows\System32\SLUI.exe" RuleId=eeba1977-569e-4571-b639-7623d8bfecc0;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=2de67392-b7a7-462a-b1ca-108dd189f588;NotificationInterval=1440;Trigger=TimerEvent
          PID:1016

        C:\Windows\System32\SLUI.exe
          command line: "C:\Windows\System32\SLUI.exe" RuleId=379cccfb-d4e0-48fe-b0f2-0136097be147;Action=CleanupState;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=2de67392-b7a7-462a-b1ca-108dd189f588;Trigger=TimerEvent
          PID:3192

C:\Windows\System32\cmd.exe
  command line: "C:\Windows\System32\cmd.exe"
  - Suspicious use of WriteProcessMemory
  PID:1108

    C:\Windows\system32\Taskmgr.exe
      command line: taskmgr
      - Checks SCSI registry key(s)
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      PID:2096

    C:\Windows\system32\tasklist.exe
      command line: tasklist
      - Enumerates processes with tasklist
      - Suspicious use of AdjustPrivilegeToken
      PID:3548
Network
MITRE ATT&CK Enterprise v15 (counts in parentheses are the number of matching signatures)
Execution
  Scheduled Task/Job (1): Scheduled Task (1)
  System Services (1): Service Execution (1)
Persistence
  Create or Modify System Process (1): Windows Service (1)
  Event Triggered Execution (1): Image File Execution Options Injection (1)
  Scheduled Task/Job (1): Scheduled Task (1)
Privilege Escalation
  Create or Modify System Process (1): Windows Service (1)
  Event Triggered Execution (1): Image File Execution Options Injection (1)
  Scheduled Task/Job (1): Scheduled Task (1)
Downloads
-
Filesize: 728KB
MD5: cfe1c391464c446099a5eb33276f6d57
SHA1: 9999bfcded2c953e025eabaa66b4971dab122c24
SHA256: 4a714d98ce40f5f3577c306a66cb4a6b1ff3fd01047c7f4581f8558f0bcdf5fa
SHA512: 4119a1722202bbc33339747ea02fd35b327890d55bb472cd1e2146ca446d8ba6fddb1e8cf8bbfaeb08aec8ed2a9d5c0fa71b73510d409ffacd3908fa72bb53b4
-
Filesize: 5.2MB
MD5: 1397b23f30681f97049df61f94f54d05
SHA1: 5cb1ce6966e3d6d8b8c398cbd537c814312f194d
SHA256: fa76151a783250014ac8fa55d4c833100a623fcad1d6e2ddadcde259f5709609
SHA512: 7d001b5942dad8ce1a83831b5a87f2fa6a1571bc133ce3c1ebe9988a43a7fcefc5cdb7870a6e692ef89fb815cfcff0e9c4b41f24ba0716c6808f190ea3c53535
-
Filesize: 921KB
MD5: f0280de3880ef581bf14f9cc72ec1c16
SHA1: 43d348e164c35f9e02370f6f66186fbfb15ae2a3
SHA256: 50ebfa1dd5b147e40244607d5d5be25709edf2cc66247a78beb920c77ac514cc
SHA512: ac31a972e9e93e6671f44d403139b0db89d950097c848fbaf6b9965b722215f74e9ed9bb9e083d31328101e6fcfe7f960a08b3bea0813900f11d5c1bb40539a6
-
Filesize: 29KB
MD5: 245824502aefe21b01e42f61955aa7f4
SHA1: a58682a8aae6302f1c934709c5aa1f6c86b2be99
SHA256: 0a265b4bb8acceafaffb001632fa7e4c3f8ac39a71eda37f253e15bc1b8db90d
SHA512: 204b39e31f22ba99cf09c5c8458fc94ea21b47aacc4abd305f71ba20a35d36bfc0ff53b95180542911c9c6f259db897dee76090d953f7ee18a8079caefda7981
-
Filesize: 10KB
MD5: 6ba22dbe6a7804b7d2e6f2a416d5235e
SHA1: 5e5eb958d16a18f5be2437b8ee0397edcf3e850c
SHA256: 7f13c766991b4f23618844f83cb659cf7b3d5321da8925a82ea5357d8f7364d7
SHA512: 341fc408e00b97d81a1d0b1aa75520f238ed24f4a3b68006b7967c75ea80cb089b5722e081a3668a083dd7e016e4af94a004f39221eb9093d9bce174a1570904
-
Filesize: 11KB
MD5: f24231ee95d34878b9e88d2647a61861
SHA1: 3ce6bb335d12db05fa604fbd13cea6616ebdaadd
SHA256: 37a1eeb50f69f20a4bf0bafb63b13308d51dbdc8f992832ffa64b87ffed84e2e
SHA512: e4ee5f4feaaa7a730be00754416f98fef52803d6343a642102d9c020ff8ea4452320c0d18b1e4872589e410b795c295b82d7f422f8892a06a1181c063fb3e1f0
-
Filesize: 9KB
MD5: a08a813759a501db6500133ededcd0fe
SHA1: 399c186e5c00cba369aaeece635f9ad319f30b01
SHA256: 3aecba9f064a51d12785341fec10f7ac57ec156019dd71711ca1a8e0d844470e
SHA512: 8f96292c2bf483f55d08a55bc94eb2afa2fdbc2db60de68369becdb4eecd117dc4f4d86876b98d56ba4c1dcdc5ba4c9e99d24e8cd770d52b8bf1ffd77805d890
-
Filesize: 3KB
MD5: 33c1695d278f5917f28067d27b4868ee
SHA1: 55137aa9a24d6a622f05315dfbb65fb1a0c74e03
SHA256: 65bccc008f5b44d2dbd880c0c33afcfff27c07dd24dc0cc7dda2b3bfa7e9ae74
SHA512: 84389ef315ff2f9d86062470ea6033dcb409a3061b898ab677987aa881e2f6d4be1dacc4fad0c606dde6a301f04dfa2f1ff54af86e3a3767ab9bcf6ac368e2f2
-
Filesize: 3KB
MD5: c8a546ad00a2f81bd39f23ac1d70b24a
SHA1: cfbb628b1c014d0264536d908f6557dd6a01f4a9
SHA256: f050e6022511f0f16661f82809ba65ab8d912bd9971d3747f6b58f2042a4a921
SHA512: 5b5cab22e808835a37fc1f1e17718baca95c03f1659022d51deca23685503cd4313fbf1363385e3f5c404c9958f6b6bd6b4b0efa7c1548113dd46f13f9ba33b0
-
Filesize: 3KB
MD5: aee8dc4536129edc9c1df17cb288e3e9
SHA1: 13c872ac505add867c944da550e96bc69c8a4165
SHA256: 6e058fd0c8a4c2aafac6502de3ea739340917c6e75e6ec26ee60298c01baa826
SHA512: a27811053173d30b56ce85837017305cc2d58a673498e4ef7e562e23147a22ed416e0e4dae9d062064bec77b3cf89e46302807cb2f0022189b88fcc8e31f0124
-
Filesize: 3KB
MD5: 072b400f6cbb1123397d1c452740da04
SHA1: 5f5615f5840252f4998c1c07ea717dfd7da970cc
SHA256: afe8c45943567e747425f87e43f774c783c07392888078693188882bde1339e3
SHA512: e7b8481e37f5ecc775b1e0e946c22051ff7c2b320c7deecd2fe6ae33b69abb230782ca397e5d799d8863026eee62f331000f7bf5b6f4f5b6614195c78dd2142f
-
Filesize: 4KB
MD5: 582e03b41356083d04ce6191f560092a
SHA1: 607b41ac3d642b91655e0af54556f441682acacf
SHA256: d40dbfddc97849f246a397e59187a3f97f70fa1687d578b3dacb92044fd51bea
SHA512: c28f7d286369d8d4f9a9f79ed67912d2390030013ac4e3b549176cff8378ab0c34db37f2bf6712b5d9eb9b06cb7fe72203e85340889e38b85623e1dbb7d33887
-
Filesize: 4KB
MD5: 90642c5fd30ae5a2a34d4c217b4cab7f
SHA1: b89cf6d9033a7bb52b4eb9e98c97b8978d91af43
SHA256: 08e15263cdd59b78c18c21777fd67579d14e65dfac15531312bed2c9c5497c0d
SHA512: 8ceadd13adafe4a582d64481dd357c9906e5a082629e4ebf576a9cb84c30b8bc9bd17f28b186594aae164415e4c42ffe78dcf83048a1f8377b97a4c24fa422dd
-
Filesize: 576KB
MD5: 6a46a4977e1b2780b9907de0530f5ee7
SHA1: 22b19e90035112dd43d6c6dc100ebbbd2b57676c
SHA256: 90ba4e3c11f7a8260ae8fb93a73ab5af5fcfbb45b9fb2b15800c38485d3384f4
SHA512: 34a54f48dda9d1422c2949b4add88ec03f77f4f7c6b83386e395c1764cf9eedb5c75ed04119fbf6f53ee3670abefec60af1fbff49f54ba4854e4354f44ea1c6c
-
Filesize: 3B
MD5: ecaa88f7fa0bf610a5a26cf545dcd3aa
SHA1: 57218c316b6921e2cd61027a2387edc31a2d9471
SHA256: f1945cd6c19e56b3c1c78943ef5ec18116907a4ca1efc40a57d48ab1db7adfc5
SHA512: 37c783b80b1d458b89e712c2dfe2777050eff0aefc9f6d8beedee77807d9aeb2e27d14815cf4f0229b1d36c186bb5f2b5ef55e632b108cc41e9fb964c39b42a5
-
Filesize: 4KB
MD5: acbe378f29bb6c8e834c24a1e6961b0f
SHA1: 8f9d308ff6fcfcc8f22fbbf243f2d5e45b368b36
SHA256: 4db262604963605160ce6ee06c54579bee2b5eae55249d8aaa20d6ed448a875a
SHA512: 04f896da79573f1be5621b151ba187dfd0418b572d06cf81d6e84f66a5d0f8062bb4b15df3796e163ba18b323f52b68696b46a4db265aad6d4c0a907738dca9f
-
Filesize: 1KB
MD5: bbf3a9d0f8bb89f5b8f28c52970622bb
SHA1: 425b49a58f2e17b311a59333ed36aa75ead547fc
SHA256: 3e1f994705d7cd5e929ab2bd1f879d81e954e7c9d52148fc3ba153c133445bf8
SHA512: 546e73d61e595b87543fd01ce6c84755eeed267619f6d24903263d475c374418c4bc57e4d697ddfb86d7ceb8787fec69aa11fb631eb28f14b2a181e3a545d827
-
Filesize: 4KB
MD5: 6395daf3cb1bba9066d8bcc489a755fd
SHA1: 2f39cd096d1fd536faf2d1b6a23bdf179cf4fa13
SHA256: 9571c59d2aed1ce73d628888e650abfe61cb7c93b83db18210542a66e20f9b4f
SHA512: c71fb01963ee4b49c5d09e2a893e35213e9a322cf182275d82b2240d8fae5147291696b1210a7e4975c19c61427f9c8090c07caee63a1a58dca895a862eeae9a
-
Filesize: 213B
MD5: 9107cd31951f2cf90e0892740b9087c9
SHA1: efac5c2e59ddef2f0a7782ad1dea8f6b25a07395
SHA256: 11578521b14c17fbbb070c13887161586d57196f4d408c41a0f02ed07ee32f2c
SHA512: f6b66dcbbb8aa55793b63f20fc3718038d7c35f94570cf487b6e8393f67be6bd004dd64f3b8fc8345b7e02e2e8ec2d48ceed2494d9f1282ca020dbbaa621f457
-
Filesize: 220B
MD5: ade709ca6a00370a4a6fea2425f948c1
SHA1: 5919c95ef78bd4ab200f8071b98970ff9541a24a
SHA256: 5b067073b968361fe489017d173040655f21890605d39cdb012a030dd75b52a8
SHA512: 860f9f12bc4995fae7c74481c2b24a346e763e32a782b3826c0f0772ad90be48377faefd883c9a28b221f8476fd203782932fee859b079fb7d4b1b152cce7b53
-
Filesize: 703KB
MD5: 1778c1f66ff205875a6435a33229ab3c
SHA1: 5b6189159b16c6f85feed66834af3e06c0277a19
SHA256: 95c06acac4fe4598840e5556f9613d43aa1039c52dac64536f59e45a70f79da6
SHA512: 8844de1296ce707e3c5c71823f5118f8f2e50287ace3a2ee1ec0b69df0ec48ebcf5b755db669d2cd869d345fb06a9c07b36e98eda8c32a9b26b8fe22bdc105a0
-
Filesize: 3KB
MD5: 6d7fdbf9ceac51a76750fd38cf801f30
SHA1: 6ef8310627537b1d24409574bc3c398cd97c474c
SHA256: 0398221231cff97e1fdc03d357ac4610afb8f3cdde4c90a9ec4d7823b405699e
SHA512: b48d7eb268f8b46ff6a4782070bf6f2109ccc43166b8c64beb73348533b98f69aab5630386f4b5966b6e706f906b599fec5ff885d3e4572ed24acb6c6691fec8
-
Filesize: 4KB
MD5: 38de5b216c33833af710e88f7f64fc98
SHA1: 66c72019eafa41bbf3e708cc3824c7c4447bdab6
SHA256: 9896a6fcb9bb5ac1ec5297b4a65be3f647589adf7c37b45f3f7466decd6a4a7f
SHA512: 99b9a9d5970eb10a903bde703c638f7dc639eb4894dfd84d8d94ce1326087c09fa415ef5bc0db7fd0248827045de24b78a680f301a59395215e50051056d1490
-
Filesize: 88KB
MD5: 3d733144477cadcf77009ef614413630
SHA1: 0a530a2524084f1d2a85b419f033e1892174ab31
SHA256: 392d73617fd0a55218261572ece2f50301e0cfa29b5ed24c3f692130aa406af3
SHA512: be6b524d67d69385a02874a2d96d4270335846bece7b528308e136428fd67af66a4216d90da4f288aeefd00a0ba5d5f3b5493824fcb352b919ab25e7ef50b81c