dd4c86cf085ceb60020f03c2fcf1f669452f5bef09c753b03ab0a6b778b87b34

Analysis

max time kernel
104s
max time network
147s
platform
windows10-ltsc_2021_x64
resource
win10ltsc2021-20250314-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20250314-enlocale:en-usos:windows10-ltsc_2021-x64system
submitted
30/03/2025, 09:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

KMS_Suite.v9.8.EN.bat
Size

1.1MB
MD5

17f656676e34f8a8252522d1a9e2bf40
SHA1

b34bc6fbf8a4f8f9e893b8703c14f8f51e90b7d6
SHA256

bed604d258d3e0ead02bd44c3c5c40feb56e0cee751169ab763887c727087747
SHA512

1835f1b25f13fb0f8c991e08593a9d60bbaca80c1b03dd62b861d8078d87ea5c0dac0efe79759b2270d76b5aad654ee0d1142ccae604d717163335c5e9da8511
SSDEEP

24576:5WDaRGrHDQCBdTx/pn6E9gMqfolasayo4QB0zx1:oDaRGbDXL/pnvYfSle4ue7

Score

7^/10

defense_evasion discovery execution privilege_escalation

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-73851796-4078923053-1419757224-1000\Control Panel\International\Geo\Nation	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2336	center.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
476	powershell.exe
4816	powershell.exe
5364	powershell.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\LOGS\DPX\setupact.log	expand.exe
File opened for modification	C:\Windows\LOGS\DPX\setuperr.log	expand.exe

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
3116	sc.exe

Access Token Manipulation: Create Process with Token 1 TTPs 1 IoCs

defense_evasion privilege_escalation

Create Process with Token

T1134.002

pid	Process
5284	reg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	center.exe

Modifies registry class 10 IoCs

description	ioc	Process
Key deleted	\REGISTRY\USER\S-1-5-21-73851796-4078923053-1419757224-1000_Classes\.Admin\shell\runas	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-73851796-4078923053-1419757224-1000_Classes\.Admin\shell	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-73851796-4078923053-1419757224-1000_Classes\.Admin	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-73851796-4078923053-1419757224-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-73851796-4078923053-1419757224-1000_Classes\.Admin\shell\runas\command	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-73851796-4078923053-1419757224-1000_Classes\.Admin	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-73851796-4078923053-1419757224-1000_Classes\.Admin\shell	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-73851796-4078923053-1419757224-1000_Classes\.Admin\shell\runas	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-73851796-4078923053-1419757224-1000_Classes\.Admin\shell\runas\command	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-73851796-4078923053-1419757224-1000_Classes\.Admin\shell\runas\command\ = "cmd /x /d /r set \"f0=%2\"& call \"%2\" %3"	reg.exe

Modifies registry key 1 TTPs 12 IoCs

Modify Registry

T1112

pid	Process
4732	reg.exe
5028	reg.exe
4856	reg.exe
5284	reg.exe
5816	reg.exe
4068	reg.exe
6044	reg.exe
3948	reg.exe
1924	reg.exe
4204	reg.exe
6032	reg.exe
2348	reg.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
476	powershell.exe
476	powershell.exe
4816	powershell.exe
4816	powershell.exe
5364	powershell.exe
5364	powershell.exe
2500	powershell.exe
2500	powershell.exe
3752	powershell.exe
3752	powershell.exe
1908	powershell.exe
1908	powershell.exe
4596	powershell.exe
4596	powershell.exe
2892	WMIC.exe
2892	WMIC.exe
2892	WMIC.exe
2892	WMIC.exe
5276	powershell.exe
5276	powershell.exe

Suspicious use of AdjustPrivilegeToken 50 IoCs

description	pid	Process
Token: SeDebugPrivilege	476	powershell.exe
Token: SeDebugPrivilege	4816	powershell.exe
Token: SeDebugPrivilege	5364	powershell.exe
Token: SeDebugPrivilege	2500	powershell.exe
Token: SeDebugPrivilege	3752	powershell.exe
Token: SeDebugPrivilege	1908	powershell.exe
Token: SeDebugPrivilege	4596	powershell.exe
Token: SeIncreaseQuotaPrivilege	2892	WMIC.exe
Token: SeSecurityPrivilege	2892	WMIC.exe
Token: SeTakeOwnershipPrivilege	2892	WMIC.exe
Token: SeLoadDriverPrivilege	2892	WMIC.exe
Token: SeSystemProfilePrivilege	2892	WMIC.exe
Token: SeSystemtimePrivilege	2892	WMIC.exe
Token: SeProfSingleProcessPrivilege	2892	WMIC.exe
Token: SeIncBasePriorityPrivilege	2892	WMIC.exe
Token: SeCreatePagefilePrivilege	2892	WMIC.exe
Token: SeBackupPrivilege	2892	WMIC.exe
Token: SeRestorePrivilege	2892	WMIC.exe
Token: SeShutdownPrivilege	2892	WMIC.exe
Token: SeDebugPrivilege	2892	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2892	WMIC.exe
Token: SeRemoteShutdownPrivilege	2892	WMIC.exe
Token: SeUndockPrivilege	2892	WMIC.exe
Token: SeManageVolumePrivilege	2892	WMIC.exe
Token: 33	2892	WMIC.exe
Token: 34	2892	WMIC.exe
Token: 35	2892	WMIC.exe
Token: 36	2892	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2892	WMIC.exe
Token: SeSecurityPrivilege	2892	WMIC.exe
Token: SeTakeOwnershipPrivilege	2892	WMIC.exe
Token: SeLoadDriverPrivilege	2892	WMIC.exe
Token: SeSystemProfilePrivilege	2892	WMIC.exe
Token: SeSystemtimePrivilege	2892	WMIC.exe
Token: SeProfSingleProcessPrivilege	2892	WMIC.exe
Token: SeIncBasePriorityPrivilege	2892	WMIC.exe
Token: SeCreatePagefilePrivilege	2892	WMIC.exe
Token: SeBackupPrivilege	2892	WMIC.exe
Token: SeRestorePrivilege	2892	WMIC.exe
Token: SeShutdownPrivilege	2892	WMIC.exe
Token: SeDebugPrivilege	2892	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2892	WMIC.exe
Token: SeRemoteShutdownPrivilege	2892	WMIC.exe
Token: SeUndockPrivilege	2892	WMIC.exe
Token: SeManageVolumePrivilege	2892	WMIC.exe
Token: 33	2892	WMIC.exe
Token: 34	2892	WMIC.exe
Token: 35	2892	WMIC.exe
Token: 36	2892	WMIC.exe
Token: SeDebugPrivilege	5276	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5584 wrote to memory of 3192	5584	cmd.exe	83
PID 5584 wrote to memory of 3192	5584	cmd.exe	83
PID 5584 wrote to memory of 5284	5584	cmd.exe	84
PID 5584 wrote to memory of 5284	5584	cmd.exe	84
PID 5584 wrote to memory of 1452	5584	cmd.exe	85
PID 5584 wrote to memory of 1452	5584	cmd.exe	85
PID 5584 wrote to memory of 3948	5584	cmd.exe	86
PID 5584 wrote to memory of 3948	5584	cmd.exe	86
PID 5584 wrote to memory of 476	5584	cmd.exe	87
PID 5584 wrote to memory of 476	5584	cmd.exe	87
PID 476 wrote to memory of 336	476	powershell.exe	88
PID 476 wrote to memory of 336	476	powershell.exe	88
PID 336 wrote to memory of 5872	336	csc.exe	89
PID 336 wrote to memory of 5872	336	csc.exe	89
PID 476 wrote to memory of 4412	476	powershell.exe	90
PID 476 wrote to memory of 4412	476	powershell.exe	90
PID 5584 wrote to memory of 2236	5584	cmd.exe	91
PID 5584 wrote to memory of 2236	5584	cmd.exe	91
PID 2236 wrote to memory of 2640	2236	cmd.exe	92
PID 2236 wrote to memory of 2640	2236	cmd.exe	92
PID 2236 wrote to memory of 4816	2236	cmd.exe	93
PID 2236 wrote to memory of 4816	2236	cmd.exe	93
PID 4816 wrote to memory of 5016	4816	powershell.exe	94
PID 4816 wrote to memory of 5016	4816	powershell.exe	94
PID 5016 wrote to memory of 5452	5016	csc.exe	95
PID 5016 wrote to memory of 5452	5016	csc.exe	95
PID 2236 wrote to memory of 5176	2236	cmd.exe	96
PID 2236 wrote to memory of 5176	2236	cmd.exe	96
PID 2236 wrote to memory of 5364	2236	cmd.exe	97
PID 2236 wrote to memory of 5364	2236	cmd.exe	97
PID 2236 wrote to memory of 2396	2236	cmd.exe	98
PID 2236 wrote to memory of 2396	2236	cmd.exe	98
PID 2236 wrote to memory of 2372	2236	cmd.exe	99
PID 2236 wrote to memory of 2372	2236	cmd.exe	99
PID 2236 wrote to memory of 2336	2236	cmd.exe	100
PID 2236 wrote to memory of 2336	2236	cmd.exe	100
PID 2236 wrote to memory of 2336	2236	cmd.exe	100
PID 2236 wrote to memory of 5092	2236	cmd.exe	101
PID 2236 wrote to memory of 5092	2236	cmd.exe	101
PID 2236 wrote to memory of 5808	2236	cmd.exe	102
PID 2236 wrote to memory of 5808	2236	cmd.exe	102
PID 5808 wrote to memory of 4656	5808	cmd.exe	103
PID 5808 wrote to memory of 4656	5808	cmd.exe	103
PID 2236 wrote to memory of 3152	2236	cmd.exe	104
PID 2236 wrote to memory of 3152	2236	cmd.exe	104
PID 3152 wrote to memory of 2500	3152	cmd.exe	105
PID 3152 wrote to memory of 2500	3152	cmd.exe	105
PID 2236 wrote to memory of 2648	2236	cmd.exe	107
PID 2236 wrote to memory of 2648	2236	cmd.exe	107
PID 2648 wrote to memory of 3752	2648	cmd.exe	108
PID 2648 wrote to memory of 3752	2648	cmd.exe	108
PID 2236 wrote to memory of 3104	2236	cmd.exe	109
PID 2236 wrote to memory of 3104	2236	cmd.exe	109
PID 2236 wrote to memory of 5140	2236	cmd.exe	110
PID 2236 wrote to memory of 5140	2236	cmd.exe	110
PID 2236 wrote to memory of 748	2236	cmd.exe	111
PID 2236 wrote to memory of 748	2236	cmd.exe	111
PID 2236 wrote to memory of 4348	2236	cmd.exe	112
PID 2236 wrote to memory of 4348	2236	cmd.exe	112
PID 2236 wrote to memory of 3064	2236	cmd.exe	115
PID 2236 wrote to memory of 3064	2236	cmd.exe	115
PID 2236 wrote to memory of 4212	2236	cmd.exe	116
PID 2236 wrote to memory of 4212	2236	cmd.exe	116
PID 2236 wrote to memory of 3032	2236	cmd.exe	117

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\KMS_Suite.v9.8.EN.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:5584
- C:\Windows\system32\mode.com
  mode con cols=78 lines=5
  2⤵
  PID:3192
- C:\Windows\system32\reg.exe
  reg add hkcu\software\classes\.Admin\shell\runas\command /f /ve /d "cmd /x /d /r set \"f0=%2\"& call \"%2\" %3"
  2⤵
  - Access Token Manipulation: Create Process with Token
  - Modifies registry class
  - Modifies registry key
  PID:5284
- C:\Windows\system32\fltMC.exe
  fltmc
  2⤵
  PID:1452
- C:\Windows\system32\reg.exe
  reg delete hkcu\software\classes\.Admin\ /f
  2⤵
  - Modifies registry class
  - Modifies registry key
  PID:3948
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -nop -c $f=[IO.File]::ReadAllText($env:0)-split':KMS_Suite\:.*';iex($f[1]); X(1)
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:476
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\2mojw2ow\2mojw2ow.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:336
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5832.tmp" "c:\Users\Admin\AppData\Local\Temp\2mojw2ow\CSCC309131050DC405292669789D7DF89DE.TMP"
      4⤵
      PID:5872
- - C:\Windows\system32\expand.exe
    "C:\Windows\system32\expand.exe" -R 1 -F:* .
    3⤵
    - Drops file in Windows directory
    PID:4412
- C:\Windows\system32\cmd.exe
  cmd.exe /c KMS_Suite.bat -suite
  2⤵
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2236
- - C:\Windows\system32\mode.com
    mode con cols=78 lines=6
    3⤵
    PID:2640
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Powershell.exe -executionpolicy remotesigned -File disablex.ps1
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4816
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\pqu3mwer\pqu3mwer.cmdline"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:5016
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5BAD.tmp" "c:\Users\Admin\AppData\Local\Temp\pqu3mwer\CSC24C6FD4835D3416CA5FDE96BA6F9386.TMP"
        5⤵
        
        PID:5452
- - C:\Windows\system32\mode.com
    mode con: cols=90 lines=40
    3⤵
    PID:5176
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -noprofile "$W=(get-host).ui.rawui; $B=$W.buffersize; $B.height=90; $W.buffersize=$B"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:5364
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "prompt #$H#$E# & echo on & for %b in (1) do rem"
    3⤵
    PID:2396
- - C:\Windows\system32\mode.com
    mode con cols=92 lines=35
    3⤵
    PID:2372
- - C:\Users\Admin\AppData\Local\Temp\bin\center.exe
    center.exe kF5nJ4D92hfOpc8
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2336
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ver
    3⤵
    PID:5092
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v ProductName
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5808
  - - C:\Windows\system32\reg.exe
      reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v ProductName
      4⤵
      PID:4656
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c powershell -nop -c "(([WMISEARCHER]'Select Caption from Win32_OperatingSystem').Get()).Caption"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3152
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -nop -c "(([WMISEARCHER]'Select Caption from Win32_OperatingSystem').Get()).Caption"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2500
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c powershell -nop -c "(([WMISEARCHER]'Select Version from Win32_OperatingSystem').Get()).Version"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2648
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -nop -c "(([WMISEARCHER]'Select Version from Win32_OperatingSystem').Get()).Version"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3752
- - C:\Windows\system32\mode.com
    mode con cols=92 lines=35
    3⤵
    PID:3104
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c time /t
    3⤵
    PID:5140
- - C:\Windows\system32\findstr.exe
    findstr /v /a:78 /R "^$" " KMS & KMS 2038 & Digital & Online Activation Suite v9.8 - mephistooo2 - www.TNCTR.com" nul
    3⤵
    PID:748
- - C:\Windows\system32\findstr.exe
    findstr /v /a:6 /R "^$" " SUPPORTED MICROSOFT PRODUCTS" nul
    3⤵
    PID:4348
- - C:\Windows\system32\findstr.exe
    findstr /v /a:6 /R "^$" " [1] ACTIVATION START FOR WINDOWS & OFFICE (KMS Inject Method)" nul
    3⤵
    PID:3064
- - C:\Windows\system32\findstr.exe
    findstr /v /a:9 /R "^$" " [2] ACTIVATION START FOR WINDOWS 10-11 (Digital & KMS 2038 Activation Method)" nul
    3⤵
    PID:4212
- - C:\Windows\system32\findstr.exe
    findstr /v /a:2 /R "^$" " [3] ACTIVATION START FOR WINDOWS & OFFICE (Online Activation Method)" nul
    3⤵
    PID:3032
- - C:\Windows\system32\findstr.exe
    findstr /v /a:7 /R "^$" " [4] WINDOWS & OFFICE ACTIVATION STATUS CHECK" nul
    3⤵
    PID:1340
- - C:\Windows\system32\findstr.exe
    findstr /v /a:3 /R "^$" " [5] KMS & KMS 2038 & DIGITAL & ONLINE ACTIVATION VISIT WEBSITE" nul
    3⤵
    PID:640
- - C:\Windows\system32\findstr.exe
    findstr /v /a:4 /R "^$" " [6] EXIT" nul
    3⤵
    PID:3592
- - C:\Windows\system32\choice.exe
    choice /C:123456 /N /M "YOUR CHOICE :"
    3⤵
    PID:4592
- - C:\Windows\system32\mode.com
    mode con cols=78 lines=6
    3⤵
    PID:4520
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ver
    3⤵
    PID:5184
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v ProductName
    3⤵
    PID:2532
  - - C:\Windows\system32\reg.exe
      reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v ProductName
      4⤵
      PID:1088
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c powershell -nop -c "(([WMISEARCHER]'Select Caption from Win32_OperatingSystem').Get()).Caption"
    3⤵
    PID:6000
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -nop -c "(([WMISEARCHER]'Select Caption from Win32_OperatingSystem').Get()).Caption"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1908
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c powershell -nop -c "(([WMISEARCHER]'Select Version from Win32_OperatingSystem').Get()).Version"
    3⤵
    PID:400
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -nop -c "(([WMISEARCHER]'Select Version from Win32_OperatingSystem').Get()).Version"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4596
- - C:\Windows\system32\mode.com
    mode con cols=82 lines=42
    3⤵
    PID:1948
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c time /t
    3⤵
    PID:1528
- - C:\Windows\system32\choice.exe
    choice /C:12345678 /N /M "YOUR CHOICE : "
    3⤵
    PID:1820
- - C:\Windows\system32\choice.exe
    choice /C:WOA /N /M "YOUR CHOICE : "
    3⤵
    PID:3368
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Warning.vbs" )
    3⤵
    PID:1252
- - C:\Windows\System32\cmd.exe
    cmd /v:on /c echo(^!param^!
    3⤵
    PID:5884
- - C:\Windows\System32\findstr.exe
    findstr /R "[| ` ~ ! @ % \^ & ( ) \[ \] { } + = ; ' , |]*^"
    3⤵
    PID:5216
- - C:\Windows\System32\reg.exe
    reg query HKU\S-1-5-19
    3⤵
    PID:5540
- - C:\Windows\System32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services\WinMgmt /v Start
    3⤵
    - Modifies registry key
    PID:5816
- - C:\Windows\System32\find.exe
    find /i "0x4"
    3⤵
    PID:2044
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path Win32_ComputerSystem get CreationClassName /value
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2892
- - C:\Windows\System32\find.exe
    find /i "ComputerSystem"
    3⤵
    PID:2912
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -nop -c $ExecutionContext.SessionState.LanguageMode
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:5276
- - C:\Windows\System32\find.exe
    find /i "Full"
    3⤵
    PID:1536
- - C:\Windows\System32\net.exe
    net use C:
    3⤵
    PID:340
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /v Desktop
    3⤵
    PID:3908
  - - C:\Windows\System32\reg.exe
      reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /v Desktop
      4⤵
      PID:236
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ver
    3⤵
    PID:2012
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v UBR 2>nul
    3⤵
    PID:3564
  - - C:\Windows\System32\reg.exe
      reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v UBR
      4⤵
      PID:5612
- - C:\Windows\System32\reg.exe
    reg query "HKCU\SOFTWARE\Microsoft\Windows Script Host\Settings" /v Enabled
    3⤵
    PID:2544
- - C:\Windows\System32\find.exe
    find /i "0x0"
    3⤵
    PID:5836
- - C:\Windows\System32\reg.exe
    reg query "HKLM\SOFTWARE\Microsoft\Windows Script Host\Settings" /v Enabled
    3⤵
    PID:5868
- - C:\Windows\System32\find.exe
    find /i "0x0"
    3⤵
    PID:4428
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c dir /b /ad C:\Windows\System32\spp\tokens\skus
    3⤵
    PID:1916
- - C:\Windows\System32\sc.exe
    sc query osppsvc
    3⤵
    - Launches sc.exe
    PID:3116
- - C:\Windows\System32\reg.exe
    reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sppsvc.exe"
    3⤵
    PID:1152
- - C:\Windows\System32\reg.exe
    reg query HKCU\SOFTWARE\Microsoft\Office\16.0\Common\Licensing\LicensingNext /v MigrationToV5Done
    3⤵
    - Modifies registry key
    PID:1924
- - C:\Windows\System32\find.exe
    find /i "0x1"
    3⤵
    PID:4648
- - C:\Windows\System32\reg.exe
    reg query HKCU\SOFTWARE\Microsoft\Office\16.0\Common\Licensing\LicensingNext
    3⤵
    - Modifies registry key
    PID:4204
- - C:\Windows\System32\findstr.exe
    findstr /i /r ".*retail"
    3⤵
    PID:3860
- - C:\Windows\System32\findstr.exe
    findstr /i /v "project visio"
    3⤵
    PID:3944
- - C:\Windows\System32\find.exe
    find /i "0x2"
    3⤵
    PID:2744
- - C:\Windows\System32\reg.exe
    reg query HKCU\SOFTWARE\Microsoft\Office\16.0\Common\Licensing\LicensingNext
    3⤵
    - Modifies registry key
    PID:4068
- - C:\Windows\System32\findstr.exe
    findstr /i /r ".*retail"
    3⤵
    PID:2984
- - C:\Windows\System32\findstr.exe
    findstr /i /v "project visio"
    3⤵
    PID:2664
- - C:\Windows\System32\find.exe
    find /i "0x3"
    3⤵
    PID:4464
- - C:\Windows\System32\reg.exe
    reg query HKCU\SOFTWARE\Microsoft\Office\16.0\Common\Licensing\LicensingNext
    3⤵
    - Modifies registry key
    PID:6032
- - C:\Windows\System32\findstr.exe
    findstr /i /r ".*volume"
    3⤵
    PID:3132
- - C:\Windows\System32\findstr.exe
    findstr /i /v "project visio"
    3⤵
    PID:3828
- - C:\Windows\System32\find.exe
    find /i "0x2"
    3⤵
    PID:5224
- - C:\Windows\System32\reg.exe
    reg query HKCU\SOFTWARE\Microsoft\Office\16.0\Common\Licensing\LicensingNext
    3⤵
    - Modifies registry key
    PID:2348
- - C:\Windows\System32\findstr.exe
    findstr /i /r ".*volume"
    3⤵
    PID:4924
- - C:\Windows\System32\findstr.exe
    findstr /i /v "project visio"
    3⤵
    PID:4972
- - C:\Windows\System32\find.exe
    find /i "0x3"
    3⤵
    PID:4968
- - C:\Windows\System32\reg.exe
    reg query HKCU\SOFTWARE\Microsoft\Office\16.0\Common\Licensing\LicensingNext
    3⤵
    - Modifies registry key
    PID:4732
- - C:\Windows\System32\findstr.exe
    findstr /i /r "project.*"
    3⤵
    PID:4908
- - C:\Windows\System32\find.exe
    find /i "0x2"
    3⤵
    PID:4868
- - C:\Windows\System32\reg.exe
    reg query HKCU\SOFTWARE\Microsoft\Office\16.0\Common\Licensing\LicensingNext
    3⤵
    - Modifies registry key
    PID:5028
- - C:\Windows\System32\findstr.exe
    findstr /i /r "project.*"
    3⤵
    PID:4820
- - C:\Windows\System32\find.exe
    find /i "0x3"
    3⤵
    PID:4876
- - C:\Windows\System32\reg.exe
    reg query HKCU\SOFTWARE\Microsoft\Office\16.0\Common\Licensing\LicensingNext
    3⤵
    - Modifies registry key
    PID:4856
- - C:\Windows\System32\findstr.exe
    findstr /i /r "visio.*"
    3⤵
    PID:4804
- - C:\Windows\System32\find.exe
    find /i "0x2"
    3⤵
    PID:4288
- - C:\Windows\System32\reg.exe
    reg query HKCU\SOFTWARE\Microsoft\Office\16.0\Common\Licensing\LicensingNext
    3⤵
    - Modifies registry key
    PID:6044
- - C:\Windows\System32\findstr.exe
    findstr /i /r "visio.*"
    3⤵
    PID:5016
- - C:\Windows\System32\find.exe
    find /i "0x3"
    3⤵
    PID:1028
- - C:\Windows\System32\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\CurrentVersion\Software Protection Platform" /v NoGenTicket /t REG_DWORD /d 1 /f
    3⤵
    PID:4740

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Access Token Manipulation

T1134

Create Process with Token

T1134.002

Defense Evasion

Access Token Manipulation

T1134

Create Process with Token

T1134.002

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
4521e67a3b03b060fde700c36d3b9297

SHA1
4a730cd86dc7a57ac001d59853dd500c1b83b4ab

SHA256
a72aa223a84c4fa011c8a2b0ef2475a83d5123de2cdfa6a7160231729e68383d

SHA512
90235850eef71c2f0921d04e6990147af9e76fec8ee49e12e6a5bab065ff0e63331a54be845026f17a7b1dd230ee94843099db4813c127c6bafb8cbaf59b753f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
ddbce69b410e4819cf63c2d78cef1efc

SHA1
91844be6fdd8a3f07c78437799ccae931258605f

SHA256
648bc93a7aef845cfad6ea718bc6c46055f963bcd1687c5471530f0546413911

SHA512
3b33e1cec7863cf4701081d95334f6a8c5b819fae4204e2e121442ad69b558ce1039bee9a9f998942a74830e90109268e526c56f40f7a503814c924983728c8a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
a5569ebf738bf34c54490657cf896917

SHA1
9794dc27b7f6d9c1638c940d6835d51571975744

SHA256
41798e1d5d7e3589756faa9361ef0c82c3560af0f99436234ce78045190a1bbb

SHA512
cb8d6e3acc7c0fe5bb69ba117809ce692be9f544d36f45a0a29c6c66639a35cdeeebe8252fd3627f98ab1feb612624103084881dd63087002629de053f7e4059

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
1a11402783a8686e08f8fa987dd07bca

SHA1
580df3865059f4e2d8be10644590317336d146ce

SHA256
9b1d1b468932a2d88548dc18504ac3066f8248079ecb083e919460bdb88398c0

SHA512
5f7f9f76d9d12a25fdc5b8d193391fb42c37515c657250fe01a9bfd9fe4cc4eab9d5ec254b2596ac1b9005f12511905f19fdae41f057062261d75bd83254b510

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
446dd1cf97eaba21cf14d03aebc79f27

SHA1
36e4cc7367e0c7b40f4a8ace272941ea46373799

SHA256
a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf

SHA512
a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
8a2935921d84d5df764de5d162295dc7

SHA1
8e48b7a41b48efb4dd965d3dc46bf17280b6f8c9

SHA256
83580073f280fa73fe3e7997b9ad7355ab53bdd08d81805c4992cbe7c72889b1

SHA512
27803e069d98f346536935b3c49c98a88c6928aa30742e67ae43c362d444b60eb17c9a8c6a66c29766cc1a1890345486d99abc3045423265c1879ec39137bdd4

Download Submit
C:\Users\Admin\AppData\Local\Temp\ KMS & KMS 2038 & Digital & Online Activation Suite v9.8 - mephistooo2 - www.TNCTR.com

Filesize
3B

MD5
df66fa563a2fafdb93cc559deb0a38c4

SHA1
e6666cf8574b0f7a9ae5bccee572f965c2aec9cb

SHA256
3e39ed22dc63246937c4dbbf34ce4fb1cfe6b00de7596b020cad49ae50031351

SHA512
34ea05ee75cd840a94526411777868edb293a69867e1fdc2c2e917d278a3d58fcb86afc65142f4b184ce6907f04fb254a86061cfb620f01874b0b454a6f01c18

Download Submit
C:\Users\Admin\AppData\Local\Temp\1

Filesize
865KB

MD5
60b56dcf1ef66a07739c4faf9789fcbd

SHA1
3a22be0f32400d0ce9337169327141751a958ab2

SHA256
c43c53387b72ea36cd944f1d1f211c4bc22434cdc27839c693a81ffe4af71c06

SHA512
b06614c6c09cea4a3f8c3c4b091d9abe8e8443a7fc3dd0417f7621f256e59d068b5f48bf6aea79aa25f6c926cd060e8c87e85232a094fdc32684578b81bcba8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\2mojw2ow\2mojw2ow.dll

Filesize
3KB

MD5
368115350c7266353028bbe274022252

SHA1
447fc7b0f71078ed26e54a36fc8d1d0e67db114c

SHA256
e703dc5bff5b53113a98fbade231138dd097260868f4ad59ff23f4299a646baa

SHA512
6d8458deac64851223febfea9e3184df52341e19fe3795221266cbb91c54cd68eb4a565af6fd81e36566528138b997b523dc7b23970833e6fea24ebc138097b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\KMS_Suite.bat

Filesize
143KB

MD5
f4bf6cb2324388678ecc2b0b600b0c6e

SHA1
cca2a203325d72f28e6ef3fc5bdca6a7308dfb8b

SHA256
8492bfef0395e601f810e841d50f51524ae6858556a41ba69710ceb2a9f48a56

SHA512
c30e68061059001f7c3984d70cc7522a2c31e9de4eba9e8008b0781169d3e9e41454e61ce21f1043cd4f8c0898adbc210409fd52d208b117f04c11ddef91bb78

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES5832.tmp

Filesize
1KB

MD5
33f88bc77d1ecfd33dba7de2955c7c4b

SHA1
23ea1f80b173b9eda21402b54bcf4ae379542a8d

SHA256
da1d5fadfbef63eedd64fdc6eb10f83763e6b711a3e9765206c7a8ae8dee710c

SHA512
e1eb241fa143c52b4eb870162543885067ae0a3011819dc9f971897470aa75538cb540fb0be97f9e76c099dad79479ba16f8800bf152b297844f720d53765932

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES5BAD.tmp

Filesize
1KB

MD5
7b458e3417467737b286ed2fdad52d15

SHA1
bba9355e5715b031a6d1aecfd6bb928b0f915320

SHA256
dcbe04aefed742f6738b71c2971975b347d779ab87d6ef80159974e8df3987c6

SHA512
fc5294ec83612305351890c3ab61bed2105d299ec6566558ebd40fdcd7ce339c13897b15a8a7c88390060557e5c64b47121b7d216db6f1584af08dbf3edd7700

Download Submit
C:\Users\Admin\AppData\Local\Temp\Warning.vbs

Filesize
190B

MD5
92ef5604d8f3289e16eabb03338c104b

SHA1
088384b8db26231f66ed2b1e51207152b91de4ad

SHA256
329f42485a490671781cf084811000852d0ca5fce510bb6d6f4f08b809bbe945

SHA512
07f79e7ab883c94742cac1fb94fcbc0d2194a24be08cd6d17c1abcebbd003f1d6322bdf46e1c9a2c7df45553ff338344ad2175a6ca69bc2b2282f875caa26c6a

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_kmixl3up.krq.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\bin\Inject\KMSInject.bat

Filesize
140KB

MD5
6de60c264cf9cd4d29bd1b3ee95133ec

SHA1
a7b25484e3e389cab628e7e4b4055cf5ca011c66

SHA256
6839a71a6e847ba1da83d9a7262690008e2cd36b231eadb68b87e2b4356ed028

SHA512
ae5b566bc64c6e13cf3f12768a7006251b917fd24af11cab0e0b3855eb3f58cc843d9b0649b2d3ae9686640572513b4524dd4e7108978f967ca4539ad221d30e

Download Submit
C:\Users\Admin\AppData\Local\Temp\bin\center.exe

Filesize
72KB

MD5
0a847eafddc4529388e1a1b291354cf8

SHA1
adddd1b79c64c7c1d0d440df847be31ee94e664d

SHA256
69533d9b66b840b4764f901cd6a502d12453b604617a841f4c2c602fc87df255

SHA512
7b3ddb5be55367fc5fcfaa99f9a3b7f0888234c82146f3af6b012ff1feacf8b087cf53cce3e57492417a8e88657a045d948fedc07645e5a018604c158bd15710

Download Submit
C:\Users\Admin\AppData\Local\Temp\bin\disablex.ps1

Filesize
1KB

MD5
522c0e01b280581a62954cf1e7971eaa

SHA1
4b8a66cd6839d05a3bd2732124a4441797940075

SHA256
2d2e271131e130688218b369cada1444807a0a65120df942a98e7887bdfe7201

SHA512
c9299b176f3279f1f37a9744d6361009daafe815a8e8b96e3d9dd0865ef9f938e3c33773fde3dac93f5d3cebc6b1d2952c02e0816a9b0ca5c8d0c6f19f3f1950

Download Submit
C:\Users\Admin\AppData\Local\Temp\pqu3mwer\pqu3mwer.dll

Filesize
3KB

MD5
d62f8143c01bc8d49ef95659f47b7ca8

SHA1
fa7ddf6bdc6bcf414e46c460cf402f5bcc6d9b9c

SHA256
1d90e74e24fdde0fa388870e45fc9f169f42a597c34dfb6cf5edcb85d7229405

SHA512
ad58807fef78df7f1cdd6dee5ea53ace7cea6457cf7db4df96b39932f5f2c5d5a3d3d7c3dc143fde3b2943eb673e4ddaf72de96bae88fc10edee877037da22ad

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\2mojw2ow\2mojw2ow.0.cs

Filesize
521B

MD5
047f0cf592670e8fca358f12e4cd5a89

SHA1
0cd8cdde668e7e64adb49e388e75e1136429e5f6

SHA256
32e77d9085ad9ea0fd1eb5a9556e29cb42f5d3016ccf9853f3c39d358f479978

SHA512
368b22e424520c272195d3264123fceb2dba549574ff7282c210ffb6d9e8f574b7392f199304f2adef974d4d926fbccb1ce50fbd8ad4e89f05cec58635357cc8

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\2mojw2ow\2mojw2ow.cmdline

Filesize
369B

MD5
8937a3bf9b31051d2f4a243a557260d4

SHA1
dcadd51e16569696e87900293ef63bc3fd58995f

SHA256
58e837d1207ea980f98c8d2b09ff669936bb7b2daaf5434d8ae8dce983f46128

SHA512
921ec49d2e1fb476101facc48caa7ddacffea04771e5332f81f6b2b67ab3c10c5f58b85ecb3e5ae267750f1baf5e8d39b15b7b86b2445749f97eab4826042cd3

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\2mojw2ow\CSCC309131050DC405292669789D7DF89DE.TMP

Filesize
652B

MD5
851d7fed74b3849b576e98043c231bdf

SHA1
043d646dd9251152a16ad9c6a2598a465df29004

SHA256
a86a1529aaddf43f59cf2129ad05ad1cfda81e43c9b32ba3fc60bb9dfc45bd7f

SHA512
7ad39073008ee4b1648f7455c2b210a5ffe0bbf52b7cbc0c42f710aef108bdd528a1440be5cddee0bfb4db8c360954a3a07c575b2fa326d4374c656dcf718abd

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\pqu3mwer\CSC24C6FD4835D3416CA5FDE96BA6F9386.TMP

Filesize
652B

MD5
4f7004678c67c03ae13e2f6241194564

SHA1
5655446c474433a1da669f5bd729fb3557165e0c

SHA256
4c4e08a73ec68d7a99967560e45f3f98f8a8121714c52b38c18388c917ad15da

SHA512
31695be9a3880f6e2ad9feec1bd070f22427de84b7be813ec0605d2ab967889ddc5ee547b76c57ecb13f69d4e4d9cafd3ed5d4694d6853242084bb164ce40fd9

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\pqu3mwer\pqu3mwer.0.cs

Filesize
1KB

MD5
810a30d3e12a7bb7b78a5ec70fec88ee

SHA1
921dc2985f892a800c2bb00e9166d232e78accf4

SHA256
86a49c1dfe76226db0daa8be63437e41d76c379f6c8a80d77930b771a6780487

SHA512
6792ef5c81b717b90f2bd211973d52be6ff2677915e76c2bb21b44610b5803852bac0d90df32faf9a50636c67ebc516abf3a2ca4a37ceb411133527740d5543a

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\pqu3mwer\pqu3mwer.cmdline

Filesize
369B

MD5
912b92e271d504677279103bf9ed6920

SHA1
a3a78e0b10c8110cc3eabfe568afacc2424e43ae

SHA256
18d498a4603e6704b4a977c861f06c7308437e88fcd1f4b3eae06897ce09c3f1

SHA512
7067cff062f10b0a04cefc1541a5de02992deb05a144dec7de6efad2588d47b0dde3467cef94dd13b690650a17ef905e9987167f76045415de8cdd29113f2186

Download Submit
memory/476-12-0x00007FF86A5B0000-0x00007FF86B072000-memory.dmp

Filesize
10.8MB

Download
memory/476-11-0x00007FF86A5B0000-0x00007FF86B072000-memory.dmp

Filesize
10.8MB

Download
memory/476-0-0x00007FF86A5B3000-0x00007FF86A5B5000-memory.dmp

Filesize
8KB

Download
memory/476-13-0x00007FF86A5B0000-0x00007FF86B072000-memory.dmp

Filesize
10.8MB

Download
memory/476-66-0x00007FF86A5B0000-0x00007FF86B072000-memory.dmp

Filesize
10.8MB

Download
memory/476-1-0x0000015AF48D0000-0x0000015AF48F2000-memory.dmp

Filesize
136KB

Download
memory/476-26-0x0000015AF48C0000-0x0000015AF48C8000-memory.dmp

Filesize
32KB

Download
memory/4816-92-0x0000016F05CF0000-0x0000016F05CF8000-memory.dmp

Filesize
32KB

Download