KMS_Suite.v8.5.EN.cmd
This report is generated from a file or URL submitted to this webservice on April 11th 2020 21:57:21 (UTC)
Guest System: Windows 7 64 bit, Professional, 6.1 (build 7601), Service Pack 1
Report generated by Falcon Sandbox v8.30 © Hybrid Analysis
Incident Response
Risk Assessment
- Persistence: Spawns a lot of processes
- Fingerprint: Reads system information using Windows Management Instrumentation Commandline (WMIC); Reads the cryptographic machine GUID
- Evasive: References security related windows services
Indicators
Not all malicious and suspicious indicators are displayed in this report.
Malicious Indicators (2)
System Security

References security related windows services
- Details:
  - "set _4=wuauserv" (Indicator: "wuauserv")
  - "echo A Windows Update blocking program has safely disabled wuauserv." (Indicator: "wuauserv")
- Source: File/Memory
- Relevance: 7/10
- ATT&CK ID: T1044
Unusual Characteristics

Spawns a lot of processes
- Details:
  - Spawned process "cmd.exe" with commandline "/c ""C:\KMS_Suite.v8.5.EN.cmd" ""
  - Spawned process "mode.com" with commandline "mode con cols=70 lines=3"
  - Spawned process "powershell.exe" with commandline "powershell -noprofile -c "$f=[io.file]::ReadAllText('C:\KMS_Suite.v8.5.EN.cmd') -split ':bat2file\:.*';iex ($f[1]);X 1;""
  - Spawned process "csc.exe" with commandline "/noconfig /fullpaths @"%TEMP%\qeybru54.cmdline""
  - Spawned process "cvtres.exe" with commandline "/NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES34AA.tmp" "%TEMP%\CSC3499.tmp""
  - Spawned process "expand.exe" with commandline "-R 1 -F:* ."
  - Spawned process "mode.com" with commandline "mode con:cols=70 lines=1"
  - Spawned process "reg.exe" with commandline "reg query HKEY_USERS\S-1-5-20"
  - Spawned process "cmd.exe" with commandline "cmd /v:on /c echo(^!param^!"
  - Spawned process "findstr.exe" with commandline "findstr /R "[| ` ~ ! @ % \ / ^ & ( ) \[ \] { } + = ; : '
    |]*^""
  - Spawned process "cmd.exe" with commandline "/c "prompt #$H#$E# & echo on & for %b in (1) do rem""
  - Spawned process "mode.com" with commandline "mode con cols=92 lines=35"
  - Spawned process "cmd.exe" with commandline "/c "wmic Path Win32_OperatingSystem Get Caption /format:LIST""
  - Spawned process "WMIC.exe" with commandline "wmic Path Win32_OperatingSystem Get Caption /format:LIST"
  - Spawned process "cmd.exe" with commandline "/c "wmic Path Win32_OperatingSystem Get CSDVersion /format:LIST""
  - Spawned process "WMIC.exe" with commandline "wmic Path Win32_OperatingSystem Get CSDVersion /format:LIST"
  - Spawned process "cmd.exe" with commandline "/c "wmic Path Win32_OperatingSystem Get Version /format:LIST""
  - Spawned process "WMIC.exe" with commandline "wmic Path Win32_OperatingSystem Get Version /format:LIST"
  - Spawned process "mode.com" with commandline "mode con cols=92 lines=38"
  - Spawned process "cmd.exe" with commandline "/c time /t"
  - Spawned process "findstr.exe" with commandline "findstr /v /a:80 /R "^$" " KMS & KMS 2038 & Digital & Online Activation Suite v8.5 - mephistooo2 - www.TNCTR.com" nul"
  - Spawned process "findstr.exe" with commandline "findstr /v /a:6 /R "^$" " SUPPORT MICROSOFT PRUDUCTS" nul"
  - Spawned process "reg.exe" with commandline "query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v DigitalProductId"
  - Spawned process "findstr.exe" with commandline "findstr /v /a:6 /R "^$" " [1] ACTIVATION START FOR WINDOWS 10 & OFFICE (KMS Inject Method)" nul"
  - Spawned process "findstr.exe" with commandline "findstr /v /a:9 /R "^$" " [2] ACTIVATION START FOR WINDOWS 10 (Dijital & KMS 2038 Activation Method)" nul"
  - Spawned process "findstr.exe" with commandline "findstr /v /a:2 /R "^$" " [3] ACTIVATION START FOR WINDOWS 10 & OFFICE (Online Activation Method)" nul"
  - Spawned process "findstr.exe" with commandline "findstr /v /a:8 /R "^$" " [4] WINDOWS & OFFICE ACTIVATION STATUS CHECK" nul"
  - Spawned process "findstr.exe" with commandline "findstr /v /a:3 /R "^$" " [5] KMS & KMS 2038 & DIJITAL & ONLINE ACTIVATION VISIT WEBSITE" nul"
  - Spawned process "findstr.exe" with commandline "findstr /v /a:4 /R "^$" " [6] EXIT" nul"
  - Spawned process "choice.exe" with commandline "choice /C:123456 /N /M "YOUR CHOICE :""
- Source: Monitored Target
- Relevance: 8/10
Suspicious Indicators (10)

Environment Awareness

Reads the cryptographic machine GUID
- Details:
  - "csc.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\CRYPTOGRAPHY"; Key: "MACHINEGUID")
  - "cvtres.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\CRYPTOGRAPHY"; Key: "MACHINEGUID")
  - "WMIC.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\CRYPTOGRAPHY"; Key: "MACHINEGUID")
- Source: Registry Access
- Relevance: 10/10
- ATT&CK ID: T1012

Reads the windows product ID
- Details:
  - "reg.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION"; Key: "DIGITALPRODUCTID")
- Source: Registry Access
- Relevance: 6/10
- ATT&CK ID: T1012
General

The analysis extracted a file that was identified as malicious
- Details:
  - 1/86 Antivirus vendors marked dropped file "f1240f6bcc6f73469e49a45709e0ffda.tmp" as malicious (classified as "Malware.Nemesis" with 1% detection rate)
  - 2/81 Antivirus vendors marked dropped file "ccc24929ffec1245a0bb8d32ca99c3d0.tmp" as malicious (classified as "PUA.WinActivator" with 2% detection rate)
- Source: Binary File
- Relevance: 10/10
Installation/Persistence

Drops executable files
- Details:
  - "MODE.COM.5E9259B6.bin" has type "PE32+ executable (console) x86-64 for MS Windows"
  - "MODE.COM.5E9259BF.bin" has type "PE32+ executable (console) x86-64 for MS Windows"
  - "MODE.COM.5E9259C7.bin" has type "PE32+ executable (console) x86-64 for MS Windows"
  - "MODE.COM.5E925A7D.bin" has type "PE32+ executable (console) x86-64 for MS Windows"
  - "qeybru54.dll" has type "PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly for MS Windows"
  - "40d623b5f50b1441972abc03b0f7325a.tmp" has type "PE32 executable (GUI) Intel 80386 for MS Windows"
  - "RES34AA.tmp" has type "80386 COFF executable not stripped - version 25189"
  - "f1240f6bcc6f73469e49a45709e0ffda.tmp" has type "PE32 executable (console) Intel 80386 for MS Windows"
  - "ccc24929ffec1245a0bb8d32ca99c3d0.tmp" has type "PE32 executable (DLL) (native) Intel 80386 (stripped to external PDB) for MS Windows"
- Source: Binary File
- Relevance: 10/10

Drops system driver
- Details:
  - "ccc24929ffec1245a0bb8d32ca99c3d0.tmp" has type "PE32 executable (DLL) (native) Intel 80386 (stripped to external PDB) for MS Windows"
- Source: Binary File
- Relevance: 10/10
- ATT&CK ID: T1215
Network Related

Found potential IP address in binary/memory
- Details:
  - Heuristic match: "wmic path %spp% where ID='%app%' call SetKeyManagementServiceMachine MachineName="127.0.0.2" %_Nul3%"
  - Heuristic match: "set KMS_IP=172.16.0.2"
- Source: File/Memory
- Relevance: 3/10
Remote Access Related

Contains indicators of bot communication commands
- Details:
  - "set /a max_servers=n-1" (Indicator: "servers=")
- Source: File/Memory
- Relevance: 10/10
- ATT&CK ID: T1094
Spyware/Information Retrieval

Reads system information using Windows Management Instrumentation Commandline (WMIC)
- Details:
  - Process "WMIC.exe" with commandline "wmic Path Win32_OperatingSystem Get Caption /format:LIST"
  - Process "WMIC.exe" with commandline "wmic Path Win32_OperatingSystem Get CSDVersion /format:LIST"
  - Process "WMIC.exe" with commandline "wmic Path Win32_OperatingSystem Get Version /format:LIST"
- Source: Monitored Target
- Relevance: 3/10
- ATT&CK ID: T1047
Unusual Characteristics

Invokes the C# compiler
- Details:
  - Process "csc.exe" with commandline "/noconfig /fullpaths @"%TEMP%\qeybru54.cmdline""
- Source: Monitored Target
- Relevance: 10/10
- ATT&CK ID: T1500

Reads information about supported languages
- Details:
  - "mode.com" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "00000409")
  - "csc.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "00000409")
  - "cvtres.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "00000409")
  - "expand.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "00000409")
  - "findstr.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "00000409")
- Source: Registry Access
- Relevance: 3/10
- ATT&CK ID: T1012
Informative (17)

Environment Awareness

Executes WMI queries
- Details:
  - "WMIC.exe" issued a query "SELECT Caption FROM Win32_OperatingSystem"
  - "WMIC.exe" issued a query "SELECT CSDVersion FROM Win32_OperatingSystem"
  - "WMIC.exe" issued a query "SELECT Version FROM Win32_OperatingSystem"
- Source: API Call
- Relevance: 10/10
- ATT&CK ID: T1047

Reads the active computer name
- Details:
  - "WMIC.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\COMPUTERNAME\ACTIVECOMPUTERNAME"; Key: "COMPUTERNAME")
- Source: Registry Access
- Relevance: 5/10
- ATT&CK ID: T1012
External Systems

Sample was identified as clean by Antivirus engines
- Details:
  - 0/59 Antivirus vendors marked sample as malicious (0% detection rate)
- Source: External System
- Relevance: 10/10
General

Creates mutants
- Details:
  - "\Sessions\1\BaseNamedObjects\_SHuassist.mtx"
  - "_SHuassist.mtx"
  - "\Sessions\1\BaseNamedObjects\DBWinMutex"
  - "DBWinMutex"
  - "\Sessions\1\BaseNamedObjects\Global\WdsSetupLogInit"
  - "\Sessions\1\BaseNamedObjects\Global\SetupLog"
  - "Global\WdsSetupLogInit"
  - "Global\SetupLog"
- Source: Created Mutant
- Relevance: 3/10
Drops files marked as clean
- Details:
  - Antivirus vendors marked dropped file "MODE.COM.5E9259B6.bin" as clean (type is "PE32+ executable (console) x86-64 for MS Windows")
  - Antivirus vendors marked dropped file "MODE.COM.5E9259BF.bin" as clean (type is "PE32+ executable (console) x86-64 for MS Windows")
  - Antivirus vendors marked dropped file "MODE.COM.5E9259C7.bin" as clean (type is "PE32+ executable (console) x86-64 for MS Windows")
  - Antivirus vendors marked dropped file "MODE.COM.5E925A7D.bin" as clean (type is "PE32+ executable (console) x86-64 for MS Windows")
  - Antivirus vendors marked dropped file "KMS _ KMS 2038 _ Digital _ Online Activation Suite v8.5 - mephistooo2 - www.TNCTR.com" as clean (type is "ASCII text with no line terminators with overstriking")
  - Antivirus vendors marked dropped file "40d623b5f50b1441972abc03b0f7325a.tmp" as clean (type is "PE32 executable (GUI) Intel 80386 for MS Windows")
- Source: Binary File
- Relevance: 10/10
Loads the .NET runtime environment
- Details:
  - "powershell.exe" loaded module "%WINDIR%\assembly\NativeImages_v2.0.50727_64\mscorlib\0478aed7fc25ae268474c704fd2a3e0f\mscorlib.ni.dll" at EBFB0000
  - "csc.exe" loaded module "%WINDIR%\Microsoft.NET\Framework64\v2.0.50727\mscorlib.dll" at 03300000
- Source: Loaded Module
Overview of unique CLSIDs touched in registry
- Details:
  - "powershell.exe" touched "NDP SymBinder" (Path: "HKCU\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\INPROCSERVER32")
  - "powershell.exe" touched "Custom Destination List" (Path: "HKCU\CLSID\{77F10CF0-3DB5-4966-B520-B7C54FD35ED6}")
  - "powershell.exe" touched "Start Menu Cache" (Path: "HKCU\CLSID\{660B90C8-73A9-4B58-8CAE-355B7F55341B}")
  - "powershell.exe" touched "Start Menu Pin" (Path: "HKCR\SOFTWARE\CLASSES\CLSID\{A2A9545D-A0C2-42B4-9708-A0B2BADD77C8}")
  - "powershell.exe" touched "Taskband Pin" (Path: "HKCU\CLSID\{90AA3A4E-1CBA-4233-B8BB-535773D48449}\TREATAS")
  - "powershell.exe" touched "Computer" (Path: "HKCU\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\SHELLFOLDER")
  - "powershell.exe" touched "Memory Mapped Cache Mgr" (Path: "HKCU\CLSID\{1F486A52-3CB1-48FD-8F50-B8DC300D9F9D}\TREATAS")
  - "powershell.exe" touched "Shortcut" (Path: "HKCU\CLSID\{00021401-0000-0000-C000-000000000046}\IMPLEMENTED CATEGORIES\{00021490-0000-0000-C000-000000000046}")
  - "powershell.exe" touched "Internet Shortcut" (Path: "HKCU\CLSID\{FBF23B40-E3F0-101B-8488-00AA003E56F8}\IMPLEMENTED CATEGORIES\{00021490-0000-0000-C000-000000000046}")
  - "powershell.exe" touched "User Pinned" (Path: "HKCU\CLSID\{1F3427C8-5C10-4210-AA03-2EE45287D668}\SHELLFOLDER")
  - "powershell.exe" touched "Shell File System Folder" (Path: "HKCU\CLSID\{F3364BA0-65B9-11CE-A9BA-00AA004AE837}\INPROCSERVER32")
  - "powershell.exe" touched "User Assist" (Path: "HKCU\CLSID\{DD313E04-FEFF-11D1-8ECD-0000F87A470C}\TREATAS")
  - "powershell.exe" touched "Shared Task Scheduler" (Path: "HKCU\CLSID\{603D3801-BD81-11D0-A3A5-00C04FD706EC}\TREATAS")
  - "powershell.exe" touched "A collection of IUnknown objects that can be enumerated" (Path: "HKCU\CLSID\{2D3468C1-36A7-43B6-AC24-D3F02FD9607A}\TREATAS")
  - "csc.exe" touched "Microsoft Common Language Runtime Meta Data" (Path: "HKCU\CLSID\{E5CB7A31-7512-11D2-89CE-0080C792E5D8}")
  - "WMIC.exe" touched "WBEM Locator" (Path: "HKCU\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}")
  - "WMIC.exe" touched "Free Threaded XML DOM Document" (Path: "HKCR\SOFTWARE\CLASSES\CLSID\{F6D90F12-9C73-11D3-B32E-00C04F990BB4}")
  - "WMIC.exe" touched "Windows Management and Instrumentation" (Path: "HKCU\CLSID\{8BC3F05E-D86B-11D0-A075-00C04FB68820}\TREATAS")
  - "WMIC.exe" touched "PSFactoryBuffer" (Path: "HKCU\CLSID\{7C857801-7381-11CF-884D-00AA004B2E24}\TREATAS")
  - "WMIC.exe" touched "Microsoft WBEM (non)Standard Marshaling for IWbemServices" (Path: "HKCU\CLSID\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}\TREATAS")
- Source: Registry Access
- Relevance: 3/10
Process launched with changed environment
- Details:
  - Process "mode.com" was launched with new environment variables: "ver="v8.5""
  - Process "mode.com" was launched with modified environment variables: "PROCESSOR_ARCHITECTURE, CommonProgramFiles, ProgramFiles"
  - Process "mode.com" was launched with missing environment variables: "PROCESSOR_ARCHITEW6432"
  - Process "csc.exe" was launched with new environment variables: "localappdata="C:\Users\%USERNAME%\AppData\Local", commonprogramfiles(x86)="C:\Program Files (x86)\Common Files", _clrrestrictsecattributes="1", tmp="C:\Users\%USERNAME%\AppData\Local\Temp", path="%ALLUSERSPROFILE%\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\", username="qXLIOAI", pathext=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC", public="C:\Users\%USERNAME%\Program Files (x86)", commonprogramw6432="C:\Program Files\Common Files", processor_identifier="Intel64 Family 6 Model 79 Stepping 1
    GenuineIntel", computername="rQTBCT0MGH", programdata="C:\ProgramData", programfiles="C:\Program Files", programw6432="C:\Program Files", processor_level="6", number_of_processors="2", homepath="\Users\qXLIOAI", temp="C:\Users\%USERNAME%\AppData\Local\Temp", prompt="$P$G", userdomain="rQTBCT0MGH", sessionname="Console", systemdrive="C:", psmodulepath="C:\Users\%USERNAME%\Documents\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules\;C:\Program Files (x86)\AutoIt3\AutoItX", userprofile="C:\Users\%USERNAME%\\HAPUBWS-PC", appdata="C:\Users\%USERNAME%\AppData\Roaming", fp_no_host_check="NO", processor_revision="4f01", commonprogramfiles="C:\Program Files\Common Files", allusersprofile="C:\ProgramData", comspec="C:\Windows\system32\cmd.exe", processor_architecture="AMD64", homedrive="C:", systemroot="C:\Windows""
  - Process "csc.exe" was launched with missing environment variables: "PROCESSOR_ARCHITECTURE, PSModulePath, PROCESSOR_REVISION, PROCESSOR_LEVEL, PATHEXT, LOGONSERVER, USERDOMAIN, SystemRoot, ALLUSERSPROFILE, TMP, ProgramData, HOMEPATH, PUBLIC, PROMPT, LOCALAPPDATA, COMPUTERNAME, USERNAME, ComSpec, FP_NO_HOST_CHECK, USERPROFILE, ProgramFiles(x86), TEMP, SESSIONNAME, SystemDrive, ProgramW6432, CommonProgramW6432, PROCESSOR_IDENTIFIER, Path, CommonProgramFiles(x86), APPDATA, OS, CommonProgramFiles, HOMEDRIVE, ProgramFiles, NUMBER_OF_PROCESSORS"
  - Process "expand.exe" was launched with new environment variables: "PROCESSOR_ARCHITECTURE="AMD64", PSModulePath="C:\Users\%USERNAME%\Documents\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules\;C:\Program Files (x86)\AutoIt3\AutoItX", PROCESSOR_REVISION="4f01", PROCESSOR_LEVEL="6", PATHEXT=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC", LOGONSERVER="\\HAPUBWS-PC", USERDOMAIN="rQTBCT0MGH", SystemRoot="C:\Windows", ALLUSERSPROFILE="C:\ProgramData", TMP="C:\Users\%USERNAME%\AppData\Local\Temp", ProgramData="C:\ProgramData", HOMEPATH="\Users\qXLIOAI", PUBLIC="C:\Users\%USERNAME%\Users\qXLIOAI\AppData\Local", COMPUTERNAME="rQTBCT0MGH", USERNAME="qXLIOAI", ComSpec="C:\Windows\system32\cmd.exe", FP_NO_HOST_CHECK="NO", USERPROFILE="C:\Users\%USERNAME%\Program Files (x86)", TEMP="C:\Users\%USERNAME%\AppData\Local\Temp", SESSIONNAME="Console", SystemDrive="C:", ProgramW6432="C:\Program Files", CommonProgramW6432="C:\Program Files\Common Files", PROCESSOR_IDENTIFIER="Intel64 Family 6 Model 79 Stepping 1
    GenuineIntel", Path="C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\", CommonProgramFiles(x86)="C:\Program Files (x86)\Common Files", APPDATA="C:\Users\%USERNAME%\AppData\Roaming", OS="Windows_NT", CommonProgramFiles="C:\Program Files\Common Files", HOMEDRIVE="C:", ProgramFiles="C:\Program Files", NUMBER_OF_PROCESSORS="2""
  - Process "expand.exe" was launched with missing environment variables: "localappdata, commonprogramfiles(x86), _clrrestrictsecattributes, tmp, path, username, pathext, public, os, programfiles(x86), commonprogramw6432, processor_identifier, computername, programdata, programfiles, programw6432, processor_level, number_of_processors, homepath, temp, prompt, userdomain, sessionname, systemdrive, psmodulepath, userprofile, logonserver, appdata, fp_no_host_check, processor_revision, commonprogramfiles, allusersprofile, comspec, processor_architecture, homedrive, systemroot"
  - Process "mode.com" was launched with modified environment variables: "PSModulePath"
  - Process "findstr.exe" was launched with new environment variables: "param="C:\Users\%USERNAME%\AppData\Local\Temp\KMS_Suite\KMS_Suite.cmd", EchoRed="powershell -NoProfile write-host -back Black -fore Red", EchoYellow="powershell -NoProfile write-host -back Yellow -fore Black", EchoGreen1="powershell -NoProfile write-host -back Green -fore Black", EchoGreen="powershell -NoProfile write-host -back Black -fore Green""
  - Process "mode.com" was launched with new environment variables: "DEL=" ""
  - Process "cmd.exe" was launched with new environment variables: "KMS_RenewalInterval="10080", External="1", ActOffice="1", ActWindows="1", KMS_ActivationInterval="120", AutoR2V="1", Debug="0", KMS_IP="!server!", KMS_Port="1688", SkipKMS38="1", KMS_Emulation="1", KMS_HWID="0x3A1C049600B60076", Auto="0""
  - Process "cmd.exe" was launched with new environment variables: "NameOS="Microsoft Windows 7 Professional ""
  - Process "cmd.exe" was launched with new environment variables: "SP="Service Pack 1""
  - Process "mode.com" was launched with new environment variables: "Version="6.1.7601""
  - Process "cmd.exe" was launched with new environment variables: "mm="12", dd="04", yy="2020""
  - Process "findstr.exe" was launched with new environment variables: "mytime="12:02 AM""
- Source: Monitored Target
- Relevance: 10/10
Spawns new processes
- Details:
  - Spawned process "mode.com" with commandline "mode con cols=70 lines=3"
  - Spawned process "powershell.exe" with commandline "powershell -noprofile -c "$f=[io.file]::ReadAllText('C:\KMS_Sui ..."
  - Spawned process "csc.exe" with commandline "/noconfig /fullpaths @"%TEMP%\qeybru54.cmdline""
  - Spawned process "cvtres.exe" with commandline "/NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES34AA.tmp" "%TEMP ..."
  - Spawned process "expand.exe" with commandline "-R 1 -F:* ."
  - Spawned process "mode.com" with commandline "mode con:cols=70 lines=1"
  - Spawned process "reg.exe" with commandline "reg query HKEY_USERS\S-1-5-20"
  - Spawned process "cmd.exe" with commandline "cmd /v:on /c echo(^!param^!"
  - Spawned process "findstr.exe" with commandline "findstr /R "[| ` ~ ! @ % \ / ^ & ( ) \[ \] { } + = ; : '
    |]*^ ..."
  - Spawned process "cmd.exe" with commandline "/c "prompt #$H#$E# & echo on & for %b in (1) do rem""
  - Spawned process "mode.com" with commandline "mode con cols=92 lines=35"
  - Spawned process "cmd.exe" with commandline "/c "wmic Path Win32_OperatingSystem Get Caption /format:LIST""
  - Spawned process "WMIC.exe" with commandline "wmic Path Win32_OperatingSystem Get Caption /format:LIST"
  - Spawned process "cmd.exe" with commandline "/c "wmic Path Win32_OperatingSystem Get CSDVersion /format:LIST""
  - Spawned process "WMIC.exe" with commandline "wmic Path Win32_OperatingSystem Get CSDVersion /format:LIST"
  - Spawned process "cmd.exe" with commandline "/c "wmic Path Win32_OperatingSystem Get Version /format:LIST""
  - Spawned process "WMIC.exe" with commandline "wmic Path Win32_OperatingSystem Get Version /format:LIST"
  - Spawned process "mode.com" with commandline "mode con cols=92 lines=38"
  - Spawned process "cmd.exe" with commandline "/c time /t"
  - Spawned process "findstr.exe" with commandline "findstr /v /a:80 /R "^$" " KMS & KMS 2038 & Digital & Online A ..."
- Source: Monitored Target
- Relevance: 3/10
Spawns new processes that are not known child processes
- Details:
  - Spawned process "mode.com" with commandline "mode con cols=70 lines=3"
  - Spawned process "powershell.exe" with commandline "powershell -noprofile -c "$f=[io.file]::ReadAllText('C:\KMS_Sui ..."
  - Spawned process "csc.exe" with commandline "/noconfig /fullpaths @"%TEMP%\qeybru54.cmdline""
  - Spawned process "cvtres.exe" with commandline "/NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES34AA.tmp" "%TEMP ..."
  - Spawned process "expand.exe" with commandline "-R 1 -F:* ."
  - Spawned process "mode.com" with commandline "mode con:cols=70 lines=1"
  - Spawned process "reg.exe" with commandline "reg query HKEY_USERS\S-1-5-20"
  - Spawned process "cmd.exe" with commandline "cmd /v:on /c echo(^!param^!"
  - Spawned process "findstr.exe" with commandline "findstr /R "[| ` ~ ! @ % \ / ^ & ( ) \[ \] { } + = ; : '
    |]*^ ..."
  - Spawned process "cmd.exe" with commandline "/c "prompt #$H#$E# & echo on & for %b in (1) do rem""
  - Spawned process "mode.com" with commandline "mode con cols=92 lines=35"
  - Spawned process "cmd.exe" with commandline "/c "wmic Path Win32_OperatingSystem Get Caption /format:LIST""
  - Spawned process "WMIC.exe" with commandline "wmic Path Win32_OperatingSystem Get Caption /format:LIST"
  - Spawned process "cmd.exe" with commandline "/c "wmic Path Win32_OperatingSystem Get CSDVersion /format:LIST""
  - Spawned process "WMIC.exe" with commandline "wmic Path Win32_OperatingSystem Get CSDVersion /format:LIST"
  - Spawned process "cmd.exe" with commandline "/c "wmic Path Win32_OperatingSystem Get Version /format:LIST""
  - Spawned process "WMIC.exe" with commandline "wmic Path Win32_OperatingSystem Get Version /format:LIST"
  - Spawned process "mode.com" with commandline "mode con cols=92 lines=38"
  - Spawned process "cmd.exe" with commandline "/c time /t"
  - Spawned process "findstr.exe" with commandline "findstr /v /a:80 /R "^$" " KMS & KMS 2038 & Digital & Online A ..."
- Source: Monitored Target
- Relevance: 3/10
Installation/Persistence

Dropped files
- Details:
  - "MODE.COM.5E9259B6.bin" has type "PE32+ executable (console) x86-64 for MS Windows"
  - "MODE.COM.5E9259BF.bin" has type "PE32+ executable (console) x86-64 for MS Windows"
  - "MODE.COM.5E9259C7.bin" has type "PE32+ executable (console) x86-64 for MS Windows"
  - "MODE.COM.5E925A7D.bin" has type "PE32+ executable (console) x86-64 for MS Windows"
  - "KMS _ KMS 2038 _ Digital _ Online Activation Suite v8.5 - mephistooo2 - www.TNCTR.com" has type "ASCII text with no line terminators with overstriking"
  - "qeybru54.dll" has type "PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly for MS Windows"
  - "_3_ ACTIVATION START FOR WINDOWS 10 _ OFFICE _Online Activation Method_" has type "ASCII text with no line terminators with overstriking"
  - "40d623b5f50b1441972abc03b0f7325a.tmp" has type "PE32 executable (GUI) Intel 80386 for MS Windows"
  - "RES34AA.tmp" has type "80386 COFF executable not stripped - version 25189"
  - "a57303202cf51f4a930195a104c8aad3.tmp" has type "DOS batch file ASCII text with very long lines with CRLF line terminators"
  - "3290e9608f903c4ca5801e714ac2ab57.tmp" has type "DOS batch file ASCII text with CRLF line terminators"
  - "3fc5c231ee0fa245b76ee2b8a636ac3e.tmp" has type "DOS batch file ASCII text with very long lines with CRLF line terminators"
  - "qeybru54.cmdline" has type "UTF-8 Unicode (with BOM) text with very long lines with no line terminators"
  - "1" has type "Microsoft Cabinet archive data 230465 bytes 16 files"
  - "46cf4490b97d5b4aa03246520b02704e.tmp" has type "DOS batch file ASCII text with CRLF line terminators"
  - "_4_ WINDOWS _ OFFICE ACTIVATION STATUS CHECK" has type "ASCII text with no line terminators with overstriking"
  - "88b8c5e3fe70a243acc710c0490267b7.tmp" has type "DOS batch file ASCII text with very long lines with CRLF line terminators"
  - "f1240f6bcc6f73469e49a45709e0ffda.tmp" has type "PE32 executable (console) Intel 80386 for MS Windows"
  - "ccc24929ffec1245a0bb8d32ca99c3d0.tmp" has type "PE32 executable (DLL) (native) Intel 80386 (stripped to external PDB) for MS Windows"
  - "_5_ KMS _ KMS 2038 _ DIJITAL _ ONLINE ACTIVATION VISIT WEBSITE" has type "ASCII text with no line terminators with overstriking"
- Source: Binary File
- Relevance: 3/10
Touches files in the Windows directory
- Details:
  - "cmd.exe" touched file "C:\Windows\System32\en-US\cmd.exe.mui"
  - "cmd.exe" touched file "C:\Windows\Globalization\Sorting\SortDefault.nls"
  - "cmd.exe" touched file "C:\Windows\AppPatch\AppPatch64\sysmain.sdb"
  - "powershell.exe" touched file "C:\Windows\System32\WindowsPowerShell\v1.0\en-US\powershell.exe.mui"
  - "powershell.exe" touched file "C:\Windows\Globalization\Sorting\SortDefault.nls"
  - "powershell.exe" touched file "C:\Users\%USERNAME%\AppData\Local\Microsoft\Windows\Caches"
  - "powershell.exe" touched file "C:\Users\%USERNAME%\AppData\Local\Microsoft\Windows\Caches\cversions.1.db"
  - "powershell.exe" touched file "C:\Users\%USERNAME%\AppData\Local\Microsoft\Windows\Caches\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x000000000000001b.db"
  - "powershell.exe" touched file "C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini"
  - "powershell.exe" touched file "C:\Windows\System32\en-US\shell32.dll.mui"
  - "powershell.exe" touched file "C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Windows\Start Menu"
  - "powershell.exe" touched file "C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini"
  - "powershell.exe" touched file "%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\desktop.ini"
  - "powershell.exe" touched file "C:\ProgramData\Microsoft\Windows\Start Menu"
  - "powershell.exe" touched file "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini"
  - "powershell.exe" touched file "C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations"
  - "powershell.exe" touched file "C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms"
  - "powershell.exe" touched file "C:\Users\%USERNAME%\AppData\Local\Temp\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk"
  - "powershell.exe" touched file "C:\Windows\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk\desktop.ini"
- Source: API Call
- Relevance: 7/10
Network Related

Found potential URL in binary/memory
- Details:
  - Pattern match: "www.TNCTR.com"
  - Heuristic match: "title KMS ^& KMS 2038 ^& Digital ^& Online Activation Suite %ver% by mephistooo2 - TNCTR.com"
  - Heuristic match: "title KMS (Online) Activation Windows ^& Office %ver% by mephistooo2 - TNCTR.com"
  - Pattern match: "https://www.tnctr.com/topic/450916-kms2038-dijital-online-aktivasyon-suite-v64/"
  - Heuristic match: "title KMS (Inject) Activation Windows ^& Office %ver% by mephistooo2 - TNCTR.com"
  - Heuristic match: "echo KMS (Inject) Activation Windows ^& Office %ver% by mephistooo2 - TNCTR.com"
  - Heuristic match: "title Digital ^& KMS 2038 Activation Windows 10 %ver% by mephistooo2 - TNCTR.com"
  - Pattern match: "https://www.tnctr.com/topic/450916-kms-dijital-online-aktivasyon-suite-v52/"
- Source: File/Memory
- Relevance: 10/10
System Security

Opens the Kernel Security Device Driver (KsecDD) of Windows
- Details:
  - "csc.exe" opened "\Device\KsecDD"
  - "cvtres.exe" opened "\Device\KsecDD"
  - "expand.exe" opened "\Device\KsecDD"
  - "WMIC.exe" opened "\Device\KsecDD"
- Source: API Call
- Relevance: 10/10
- ATT&CK ID: T1215
Unusual Characteristics

Drops a text file that contains suspicious strings (e.g. shell/ActiveX/DOM related)
- Details:
  - "a57303202cf51f4a930195a104c8aad3.tmp" contains indicator "WScript.Shell" (Line: 22; Offset: 34)
  - "3fc5c231ee0fa245b76ee2b8a636ac3e.tmp" contains indicator "WScript.Shell" (Line: 112; Offset: 34)
  - "88b8c5e3fe70a243acc710c0490267b7.tmp" contains indicator "WScript.Shell" (Line: 157; Offset: 34)
- Source: Binary File
- Relevance: 8/10
Drops cabinet archive files
- Details:
  - "1" has type "Microsoft Cabinet archive data 230465 bytes 16 files"
- Source: Binary File
- Relevance: 10/10
Installs hooks/patches the running process
- details
-
- Hook Detection
- relevance
- 10/10
- ATT&CK ID
- T1179
File Details
KMS_Suite.v8.5.EN.cmd
- Filename
- KMS_Suite.v8.5.EN.cmd
- Size
- 279KiB (285831 bytes)
- Type
- script cmd
- Description
- DOS batch file, ASCII text, with very long lines, with CRLF line terminators
- Architecture
- WINDOWS
- SHA256
- b8461b0dea9df1d5fa7317092e7716e3cda52319cb27c560299eeaca95c93d13
- MD5
- 1b3e810b470ea4cdde60627e77173d73
- SHA1
- ad38199b4be10d6c3f31c7cdc1a903257e2b4112
- ssdeep
- 6144:lcHSwvEwAc+2RMQ1zKH4eKOfOzALuTboqMr19a6H:GyXwAD2RMozKH4/woNngVH
Screenshots
Hybrid Analysis
Analysed 30 processes in total (System Resource Monitor).
-
cmd.exe
/c ""C:\KMS_Suite.v8.5.EN.cmd" "
(PID: 2636)
- mode.com mode con cols=70 lines=3 (PID: 2624)
-
powershell.exe
powershell -noprofile -c "$f=[io.file]::ReadAllText('C:\KMS_Suite.v8.5.EN.cmd') -split ':bat2file\:.*';iex ($f[1]);X 1;"
(PID: 3368)
-
csc.exe
/noconfig /fullpaths @"%TEMP%\qeybru54.cmdline"
(PID: 3784)
- cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES34AA.tmp" "%TEMP%\CSC3499.tmp" (PID: 3252)
- expand.exe -R 1 -F:* . (PID: 3580)
- mode.com mode con:cols=70 lines=1 (PID: 3056)
- reg.exe reg query HKEY_USERS\S-1-5-20 (PID: 1772)
- cmd.exe cmd /v:on /c echo(^!param^! (PID: 2096)
- findstr.exe findstr /R "[| ` ~ ! @ % \ / ^ & ( ) \[ \] { } + = ; : ' , |]*^" (PID: 3480)
- cmd.exe /c "prompt #$H#$E# & echo on & for %b in (1) do rem" (PID: 1408)
- mode.com mode con cols=92 lines=35 (PID: 3148)
-
cmd.exe
/c "wmic Path Win32_OperatingSystem Get Caption /format:LIST"
(PID: 3284)
- WMIC.exe wmic Path Win32_OperatingSystem Get Caption /format:LIST (PID: 2964)
-
cmd.exe
/c "wmic Path Win32_OperatingSystem Get CSDVersion /format:LIST"
(PID: 3424)
- WMIC.exe wmic Path Win32_OperatingSystem Get CSDVersion /format:LIST (PID: 2248)
-
cmd.exe
/c "wmic Path Win32_OperatingSystem Get Version /format:LIST"
(PID: 3612)
- WMIC.exe wmic Path Win32_OperatingSystem Get Version /format:LIST (PID: 3604)
- mode.com mode con cols=92 lines=38 (PID: 2972)
- cmd.exe /c time /t (PID: 3212)
- findstr.exe findstr /v /a:80 /R "^$" " KMS & KMS 2038 & Digital & Online Activation Suite v8.5 - mephistooo2 - www.TNCTR.com" nul (PID: 1392)
- findstr.exe findstr /v /a:6 /R "^$" " SUPPORT MICROSOFT PRUDUCTS" nul (PID: 1380)
- reg.exe query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v DigitalProductId (PID: 1616)
- findstr.exe findstr /v /a:6 /R "^$" " [1] ACTIVATION START FOR WINDOWS 10 & OFFICE (KMS Inject Method)" nul (PID: 4048)
- findstr.exe findstr /v /a:9 /R "^$" " [2] ACTIVATION START FOR WINDOWS 10 (Dijital & KMS 2038 Activation Method)" nul (PID: 3356)
- findstr.exe findstr /v /a:2 /R "^$" " [3] ACTIVATION START FOR WINDOWS 10 & OFFICE (Online Activation Method)" nul (PID: 4008)
- findstr.exe findstr /v /a:8 /R "^$" " [4] WINDOWS & OFFICE ACTIVATION STATUS CHECK" nul (PID: 2104)
- findstr.exe findstr /v /a:3 /R "^$" " [5] KMS & KMS 2038 & DIJITAL & ONLINE ACTIVATION VISIT WEBSITE" nul (PID: 1792)
- findstr.exe findstr /v /a:4 /R "^$" " [6] EXIT" nul (PID: 3200)
- choice.exe choice /C:123456 /N /M "YOUR CHOICE :" (PID: 2256)
Network Analysis
DNS Requests
No relevant DNS requests were made.
Contacted Hosts
No relevant hosts were contacted.
HTTP Traffic
No relevant HTTP requests were made.
Extracted Strings
Extracted Files
Displaying 26 extracted file(s). The remaining 12 file(s) are available in the full version and XML/JSON reports.
-
Malicious 2
-
-
ccc24929ffec1245a0bb8d32ca99c3d0.tmp
- Size
- 17KiB (17408 bytes)
- Type
- peexe native
- Description
- PE32 executable (DLL) (native) Intel 80386 (stripped to external PDB), for MS Windows
- AV Scan Result
- Labeled as "PUA.WinActivator" (2/81)
- Runtime Process
- expand.exe (PID: 3580)
- MD5
- 1d7166510c4ba3546fb6c8b936bf6322
- SHA1
- cbc1f0631e8b1d753efd399245a59292b6c67de8
- SHA256
- 6a35996e6fc50af1a1a19d39233cc43055da92adf76cb567c39265ad007459e8
-
f1240f6bcc6f73469e49a45709e0ffda.tmp
- Size
- 17KiB (17408 bytes)
- Type
- peexe executable
- Description
- PE32 executable (console) Intel 80386, for MS Windows
- AV Scan Result
- Labeled as "Malware.Nemesis" (1/86)
- Runtime Process
- expand.exe (PID: 3580)
- MD5
- 5fd363d52d04ac200cd24f3bcc903200
- SHA1
- 39ed8659e7ca16aaccb86def94ce6cec4c847dd6
- SHA256
- 3fdefe2ad092a9a7fe0edf0ac4dc2de7e5b9ce6a0804f6511c06564194966cf9
-
-
Clean 6
-
-
40d623b5f50b1441972abc03b0f7325a.tmp
- Size
- 330KiB (337920 bytes)
- Type
- peexe executable
- Description
- PE32 executable (GUI) Intel 80386, for MS Windows
- AV Scan Result
- 0/85
- Runtime Process
- expand.exe (PID: 3580)
- MD5
- 15ce0753a16dd4f9b9f0f9926dd37c4e
- SHA1
- fabb5a0fc1e6a372219711152291339af36ed0b5
- SHA256
- 028c8fbe58f14753b946475de9f09a9c7a05fd62e81a1339614c9e138fc2a21d
-
MODE.COM.5E9259B6.bin
- Size
- 30KiB (30208 bytes)
- Type
- peexe 64bits executable
- Description
- PE32+ executable (console) x86-64, for MS Windows
- AV Scan Result
- 0/83
- MD5
- 718e86cb060170430d4ef70ee39f93d4
- SHA1
- ef5269cd27ab6717b20af8e1d5427df3e305398b
- SHA256
- 64ad2057863172cbfef4328bc57be134f956a7736e87eb90b04f2be391bca517
-
MODE.COM.5E9259BF.bin
- Size
- 30KiB (30208 bytes)
- Type
- peexe 64bits executable
- Description
- PE32+ executable (console) x86-64, for MS Windows
- AV Scan Result
- 0/83
- MD5
- 718e86cb060170430d4ef70ee39f93d4
- SHA1
- ef5269cd27ab6717b20af8e1d5427df3e305398b
- SHA256
- 64ad2057863172cbfef4328bc57be134f956a7736e87eb90b04f2be391bca517
-
MODE.COM.5E9259C7.bin
- Size
- 30KiB (30208 bytes)
- Type
- peexe 64bits executable
- Description
- PE32+ executable (console) x86-64, for MS Windows
- AV Scan Result
- 0/83
- MD5
- 718e86cb060170430d4ef70ee39f93d4
- SHA1
- ef5269cd27ab6717b20af8e1d5427df3e305398b
- SHA256
- 64ad2057863172cbfef4328bc57be134f956a7736e87eb90b04f2be391bca517
-
MODE.COM.5E925A7D.bin
- Size
- 30KiB (30208 bytes)
- Type
- peexe 64bits executable
- Description
- PE32+ executable (console) x86-64, for MS Windows
- AV Scan Result
- 0/83
- MD5
- 718e86cb060170430d4ef70ee39f93d4
- SHA1
- ef5269cd27ab6717b20af8e1d5427df3e305398b
- SHA256
- 64ad2057863172cbfef4328bc57be134f956a7736e87eb90b04f2be391bca517
-
KMS _ KMS 2038 _ Digital _ Online Activation Suite v8.5 - mephistooo2 - www.TNCTR.com
- Size
- 3B (3 bytes)
- Type
- text
- Description
- ASCII text, with no line terminators, with overstriking
- AV Scan Result
- 0/59
- MD5
- df66fa563a2fafdb93cc559deb0a38c4
- SHA1
- e6666cf8574b0f7a9ae5bccee572f965c2aec9cb
- SHA256
- 3e39ed22dc63246937c4dbbf34ce4fb1cfe6b00de7596b020cad49ae50031351
-
-
Informative Selection 3
-
-
1
- Size
- 225KiB (230465 bytes)
- Type
- data
- Description
- Microsoft Cabinet archive data, 230465 bytes, 16 files
- Runtime Process
- expand.exe (PID: 3580)
- MD5
- 5e691bea7ecb2acf45aaf5e55ecd6e28
- SHA1
- ead1b670a8b9c526ee5d7e63a0149858bfd7e9f5
- SHA256
- 879cb850148a6dd44c47cf7f4eadce82ace2bf7dfae92e94b7af2f34f65e0275
-
CSC3499.tmp
- Size
- 652B (652 bytes)
- Type
- unknown
- Description
- MSVC .res
- Runtime Process
- cvtres.exe (PID: 3252)
- MD5
- 623a8fb31d48f5447c8212a917f8c187
- SHA1
- b6cc98166f33246633f64f5a33cb46e8684dcfbf
- SHA256
- f49cd6989667b28a5a4dd17231f1bb79d81500a16c864322455624514a1cc5ae
-
RES34AA.tmp
- Size
- 1.2KiB (1204 bytes)
- Type
- unknown
- Description
- 80386 COFF executable not stripped - version 25189
- Runtime Process
- cvtres.exe (PID: 3252)
- MD5
- 7338c807624b45e1c8165dc8b8c0091e
- SHA1
- da5e84f0ad4bb98e68bccf14d3d4d2bd5b469920
- SHA256
- 9a0e8412b3d7b52a5ecae17e2e00a40d0244ba0874702f72cd563dd69f9a4f08
-
-
Informative 15
-
-
D9QF5NLL0K92FXQ1DU7Z.temp
- Size
- 7.8KiB (8016 bytes)
- Runtime Process
- powershell.exe (PID: 3368)
- MD5
- e366ae053c4eec41246b8a06bd11edda
- SHA1
- 78ed67e2639eb23522fb841fa95667f9cdae4d7c
- SHA256
- 966e053dcb76eb525fd85895149a5f11b77de62ae9cf6789ad832822cfcf0428
-
03e0c219c8987643b58747a507904a7a.tmp
- Size
- 3.4KiB (3512 bytes)
- Runtime Process
- expand.exe (PID: 3580)
- MD5
- 38ed3d04da28762234d1e92002da087e
- SHA1
- 2dea3a095b0919bf094b1e6a111f822cc3b34bc3
- SHA256
- 6a622afaaa119140c6eca87ded2bd26cccb91fd6098c63d20b13628c06bb7a59
-
3290e9608f903c4ca5801e714ac2ab57.tmp
- Size
- 343B (343 bytes)
- Type
- text
- Description
- DOS batch file, ASCII text, with CRLF line terminators
- Runtime Process
- expand.exe (PID: 3580)
- MD5
- c8b1e078fa12470d7a345f7681b33c8c
- SHA1
- 980c059dd2e739ed4e24afad2f9a48809604e9ea
- SHA256
- c1a38b1b906a66686cf4f58fd878f1a31203126545f0711359ec1c7095e99e15
-
3a94c14a1c1874498dc16d42e0e13fc9.tmp
- Size
- 29KiB (29709 bytes)
- Runtime Process
- expand.exe (PID: 3580)
- MD5
- 5facbec38a2cbdd8e489a1917678cdd7
- SHA1
- 2adf06ba9dd3f14a48e75c27a6a22d8163790a37
- SHA256
- bfab0e410e994f62c8a62b3295ae7bcba15c62e41688b256db291ca119474a46
-
3fc5c231ee0fa245b76ee2b8a636ac3e.tmp
- Size
- 100KiB (102601 bytes)
- Type
- script javascript
- Description
- DOS batch file, ASCII text, with very long lines, with CRLF line terminators
- Runtime Process
- expand.exe (PID: 3580)
- MD5
- 74098f24795b49b77b512b6fa4991140
- SHA1
- 0f136b1cdf254dfaed8b6f8fa865427e85ee7087
- SHA256
- 1600d81ccac94c0881ea1144ef354bd8304fc8eb4a658a658b394b5600967811
-
46cf4490b97d5b4aa03246520b02704e.tmp
- Size
- 341B (341 bytes)
- Type
- text
- Description
- DOS batch file, ASCII text, with CRLF line terminators
- Runtime Process
- expand.exe (PID: 3580)
- MD5
- 90a53a1da9510c250ba348f06b3cdc50
- SHA1
- 678c620084c69586dfbb53f75acb4c63b8664364
- SHA256
- 3541af0d0a371c198a15383364b53daab8346d8d4f3ed25c6c9c562d83f98421
-
73f9915b15005d41972a518d0bb958a2.tmp
- Size
- 29KiB (29710 bytes)
- Runtime Process
- expand.exe (PID: 3580)
- MD5
- 33048be510a509febd10804e09f241b7
- SHA1
- d04a62b1c515c1f2501a8dd3855b669490513657
- SHA256
- 33085d46373b469a67b8c1d102ef24d512d985e57687d982d0b58ffc52a67178
-
7ef63cbcf2bf6d48b7ad2b0935b966ba.tmp
- Size
- 19KiB (19456 bytes)
- Runtime Process
- expand.exe (PID: 3580)
- MD5
- e52f4dbaf955b0a869ec75506e47a00a
- SHA1
- c79a15c537ef42cf6fc795e8e960da1762c28368
- SHA256
- 1902f84a3dae23a598ddda1447957b421511d5df77480aa590f6463830685d7e
-
88b8c5e3fe70a243acc710c0490267b7.tmp
- Size
- 103KiB (105292 bytes)
- Type
- script javascript
- Description
- DOS batch file, ASCII text, with very long lines, with CRLF line terminators
- Runtime Process
- expand.exe (PID: 3580)
- MD5
- 236f08af040c8a6f55ad6b831219817a
- SHA1
- 585beb8fec3645b7388566a552a2a8086a519917
- SHA256
- e5bbd8a59895e5132eae29491e7b5e13ef9b067881fb04b7e4d8860257ea6465
-
8964896d027c074bac117fba0b035f81.tmp
- Size
- 7KiB (7168 bytes)
- Runtime Process
- expand.exe (PID: 3580)
- MD5
- b21c40aaf16ba46b2732618d089db3a4
- SHA1
- ca3a51fdfc8749b8be85f7904b1c238a6dfba135
- SHA256
- 9395a37c42e83568dc5ecb25d9e9fca4c6c1c4f47e336fb6ccae62df5c696b4d
-
8a96f4f8711fc645be0ec4a75dc4f20e.tmp
- Size
- 771B (771 bytes)
- Runtime Process
- expand.exe (PID: 3580)
- MD5
- c2d074dde317ff652a9a76cd6e6b1c26
- SHA1
- 92bdc210fbfe5cd758892ded2fd1b0a2d2fac866
- SHA256
- 080ec97e58cb3008f649a727a100290f0666acc61a729dba585fdd96fada180d
-
a57303202cf51f4a930195a104c8aad3.tmp
- Size
- 29KiB (29710 bytes)
- Type
- script javascript
- Description
- DOS batch file, ASCII text, with very long lines, with CRLF line terminators
- Runtime Process
- expand.exe (PID: 3580)
- MD5
- 33048be510a509febd10804e09f241b7
- SHA1
- d04a62b1c515c1f2501a8dd3855b669490513657
- SHA256
- 33085d46373b469a67b8c1d102ef24d512d985e57687d982d0b58ffc52a67178
-
e133c3642fa9af44854bd2fd48b898cd.tmp
- Size
- 20KiB (19968 bytes)
- Runtime Process
- expand.exe (PID: 3580)
- MD5
- 162ab955cb2f002a73c1530aa796477f
- SHA1
- d30a0e4e5911d3ca705617d17225372731c770e2
- SHA256
- 5ce462e5f34065fc878362ba58617fab28c22d631b9d836dddcf43fb1ad4de6e
-
f4f82f6201bfc34bb290a80bcbd2d411.tmp
- Size
- 100KiB (102601 bytes)
- Runtime Process
- expand.exe (PID: 3580)
- MD5
- 74098f24795b49b77b512b6fa4991140
- SHA1
- 0f136b1cdf254dfaed8b6f8fa865427e85ee7087
- SHA256
- 1600d81ccac94c0881ea1144ef354bd8304fc8eb4a658a658b394b5600967811
-
qeybru54.dll
- Size
- 4KiB (4096 bytes)
- Type
- pedll executable
- Description
- PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
- Runtime Process
- powershell.exe (PID: 3368)
- MD5
- 7dd4f8178f9ad9fb25c2377310c1e486
- SHA1
- da021e357cc26e0af9acf0e06340d8a2d051ab60
- SHA256
- a164a44a56cf8b0699bc53100551acacd41d44ae45efd10fc726cc16868322aa
-
Notifications
-
Runtime
- Not all sources for indicator ID "api-55" are available in the report
- Not all sources for indicator ID "binary-0" are available in the report
- Not all sources for indicator ID "hooks-8" are available in the report
- Not all sources for indicator ID "mutant-0" are available in the report
- Not all sources for indicator ID "registry-1" are available in the report
- Not all sources for indicator ID "registry-25" are available in the report
- Not all sources for indicator ID "registry-72" are available in the report
- Not all sources for indicator ID "string-43" are available in the report
- Not all sources for indicator ID "target-103" are available in the report
- Not all sources for indicator ID "target-25" are available in the report