KMS_Suite.v8.5.EN.cmd
This report is generated from a file or URL submitted to this webservice on November 15th 2020 21:41:41 (UTC)
Guest System: Windows 7 32 bit, Professional, 6.1 (build 7601), Service Pack 1
Report generated by Falcon Sandbox v8.45.1 © Hybrid Analysis
Incident Response
Risk Assessment
- Persistence: Spawns a lot of processes
- Fingerprint: Queries kernel debugger information; Reads system information using Windows Management Instrumentation Commandline (WMIC); Reads the cryptographic machine GUID
- Evasive: References security related windows services
Indicators
Malicious Indicators 3
External Systems
Sample was identified as malicious by at least one Antivirus engine
- details
- 1/59 Antivirus vendors marked sample as malicious (1% detection rate)
- source
- External System
- relevance
- 8/10
System Security
References security related windows services
- details
"set _4=wuauserv" (Indicator: "wuauserv")
"echo A Windows Update blocking program has safely disabled wuauserv." (Indicator: "wuauserv") - source
- File/Memory
- relevance
- 7/10
- ATT&CK ID
- T1044
Unusual Characteristics
Spawns a lot of processes
- details
Spawned process "cmd.exe" with commandline "/c ""C:\KMS_Suite.v8.5.EN.cmd" ""
Spawned process "mode.com" with commandline "mode con cols=70 lines=3"
Spawned process "powershell.exe" with commandline "powershell -noprofile -c "$f=[io.file]::ReadAllText('C:\KMS_Suite.v8.5.EN.cmd') -split ':bat2file\:.*';iex ($f[1]);X 1;""
Spawned process "csc.exe" with commandline "/noconfig /fullpaths @"%TEMP%\tw8k8b7x.cmdline""
Spawned process "cvtres.exe" with commandline "/NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES6C00.tmp" "%TEMP%\CSC6BE0.tmp""
Spawned process "expand.exe" with commandline "-R 1 -F:* ."
Spawned process "mode.com" with commandline "mode con:cols=70 lines=1"
Spawned process "reg.exe" with commandline "reg query HKEY_USERS\S-1-5-20"
Spawned process "cmd.exe" with commandline "cmd /v:on /c echo(^!param^!"
Spawned process "findstr.exe" with commandline "findstr /R "[| ` ~ ! @ % \ / ^ & ( ) \[ \] { } + = ; : '
|]*^""
Spawned process "cmd.exe" with commandline "/c "prompt #$H#$E# & echo on & for %b in (1) do rem""
Spawned process "mode.com" with commandline "mode con cols=92 lines=35"
Spawned process "cmd.exe" with commandline "/c "wmic Path Win32_OperatingSystem Get Caption /format:LIST""
Spawned process "WMIC.exe" with commandline "wmic Path Win32_OperatingSystem Get Caption /format:LIST"
Spawned process "cmd.exe" with commandline "/c "wmic Path Win32_OperatingSystem Get CSDVersion /format:LIST""
Spawned process "WMIC.exe" with commandline "wmic Path Win32_OperatingSystem Get CSDVersion /format:LIST"
Spawned process "cmd.exe" with commandline "/c "wmic Path Win32_OperatingSystem Get Version /format:LIST""
Spawned process "WMIC.exe" with commandline "wmic Path Win32_OperatingSystem Get Version /format:LIST"
Spawned process "mode.com" with commandline "mode con cols=92 lines=38"
Spawned process "cmd.exe" with commandline "/c time /t"
Spawned process "findstr.exe" with commandline "findstr /v /a:80 /R "^$" " KMS & KMS 2038 & Digital & Online Activation Suite v8.5 - mephistooo2 - www.TNCTR.com" nul"
Spawned process "findstr.exe" with commandline "findstr /v /a:6 /R "^$" " SUPPORT MICROSOFT PRUDUCTS" nul"
Spawned process "reg.exe" with commandline "query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v DigitalProductId"
Spawned process "findstr.exe" with commandline "findstr /v /a:6 /R "^$" " [1] ACTIVATION START FOR WINDOWS 10 & OFFICE (KMS Inject Method)" nul"
Spawned process "findstr.exe" with commandline "findstr /v /a:9 /R "^$" " [2] ACTIVATION START FOR WINDOWS 10 (Dijital & KMS 2038 Activation Method)" nul"
Spawned process "findstr.exe" with commandline "findstr /v /a:2 /R "^$" " [3] ACTIVATION START FOR WINDOWS 10 & OFFICE (Online Activation Method)" nul"
Spawned process "findstr.exe" with commandline "findstr /v /a:8 /R "^$" " [4] WINDOWS & OFFICE ACTIVATION STATUS CHECK" nul"
Spawned process "findstr.exe" with commandline "findstr /v /a:3 /R "^$" " [5] KMS & KMS 2038 & DIJITAL & ONLINE ACTIVATION VISIT WEBSITE" nul"
Spawned process "findstr.exe" with commandline "findstr /v /a:4 /R "^$" " [6] EXIT" nul"
Spawned process "choice.exe" with commandline "choice /C:123456 /N /M "YOUR CHOICE :"" - source
- Monitored Target
- relevance
- 8/10
Suspicious Indicators 13
Anti-Detection/Stealthyness
Queries kernel debugger information
- details
- "cvtres.exe" at 00064685-00002836-00000105-62518
- source
- API Call
- relevance
- 6/10
Environment Awareness
Reads the cryptographic machine GUID
- details
"csc.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\CRYPTOGRAPHY"; Key: "MACHINEGUID")
"cvtres.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\CRYPTOGRAPHY"; Key: "MACHINEGUID")
"WMIC.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\CRYPTOGRAPHY"; Key: "MACHINEGUID") - source
- Registry Access
- relevance
- 10/10
- ATT&CK ID
- T1012
Reads the windows product ID
- details
- "reg.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION"; Key: "DIGITALPRODUCTID")
- source
- Registry Access
- relevance
- 6/10
- ATT&CK ID
- T1012
General
The analysis extracted a file that was identified as malicious
- details
1/70 Antivirus vendors marked dropped file "e79297b69ae7cd4ea850db29304735be.tmp" as malicious (classified as "W32.AIDetectVM" with 1% detection rate)
2/68 Antivirus vendors marked dropped file "7e32f79ab148f044bb0fd2ba3da1bd85.tmp" as malicious (classified as "PUA.Win64.WinActivator" with 2% detection rate) - source
- Binary File
- relevance
- 10/10
Installation/Persistence
Allocates virtual memory in a remote process
- details
- "cmd.exe" allocated memory in "C:\Users"
- source
- API Call
- relevance
- 7/10
- ATT&CK ID
- T1055
Drops executable files
- details
"MODE.COM.5FB1A102.bin" has type "PE32 executable (console) Intel 80386 for MS Windows"
"MODE.COM.5FB1A10C.bin" has type "PE32 executable (console) Intel 80386 for MS Windows"
"MODE.COM.5FB1A116.bin" has type "PE32 executable (console) Intel 80386 for MS Windows"
"MODE.COM.5FB1A1A8.bin" has type "PE32 executable (console) Intel 80386 for MS Windows"
"tw8k8b7x.dll" has type "PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly for MS Windows"
"e79297b69ae7cd4ea850db29304735be.tmp" has type "PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB) for MS Windows"
"2beef9ba2ad2ba4783a69840aed324d7.tmp" has type "PE32 executable (console) Intel 80386 for MS Windows"
"7e32f79ab148f044bb0fd2ba3da1bd85.tmp" has type "PE32+ executable (DLL) (native) x86-64 (stripped to external PDB) for MS Windows"
"RES6C00.tmp" has type "80386 COFF executable not stripped - version 25189" - source
- Binary File
- relevance
- 10/10
Writes data to a remote process
- details
"cmd.exe" wrote 32 bytes to a remote process "%WINDIR%\System32\mode.com" (Handle: 88)
"cmd.exe" wrote 52 bytes to a remote process "C:\Windows\System32\mode.com" (Handle: 88)
"cmd.exe" wrote 4 bytes to a remote process "C:\Windows\System32\mode.com" (Handle: 88)
"cmd.exe" wrote 32 bytes to a remote process "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" (Handle: 100)
"cmd.exe" wrote 52 bytes to a remote process "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" (Handle: 100)
"cmd.exe" wrote 4 bytes to a remote process "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" (Handle: 100)
"cmd.exe" wrote 32 bytes to a remote process "C:\Windows\System32\reg.exe" (Handle: 92)
"cmd.exe" wrote 52 bytes to a remote process "C:\Windows\System32\reg.exe" (Handle: 92)
"cmd.exe" wrote 4 bytes to a remote process "C:\Windows\System32\reg.exe" (Handle: 92)
"cmd.exe" wrote 32 bytes to a remote process "C:\Windows\System32\wbem\WMIC.exe" (Handle: 80)
"cmd.exe" wrote 52 bytes to a remote process "C:\Windows\System32\wbem\WMIC.exe" (Handle: 80)
"cmd.exe" wrote 4 bytes to a remote process "C:\Windows\System32\wbem\WMIC.exe" (Handle: 80) - source
- API Call
- relevance
- 6/10
- ATT&CK ID
- T1055
Network Related
Found potential IP address in binary/memory
- details
Heuristic match: "set KMS_IP=172.16.0.2"
Heuristic match: "wmic path %spp% where ID='%app%' call SetKeyManagementServiceMachine MachineName="127.0.0.2" %_Nul3%" - source
- File/Memory
- relevance
- 3/10
Spyware/Information Retrieval
Reads system information using Windows Management Instrumentation Commandline (WMIC)
- details
Process "WMIC.exe" with commandline "wmic Path Win32_OperatingSystem Get Caption /format:LIST"
Process "WMIC.exe" with commandline "wmic Path Win32_OperatingSystem Get CSDVersion /format:LIST"
Process "WMIC.exe" with commandline "wmic Path Win32_OperatingSystem Get Version /format:LIST" - source
- Monitored Target
- relevance
- 3/10
- ATT&CK ID
- T1047
Unusual Characteristics
Checks for a resource fork (ADS) file
- details
- "WMIC.exe" checked file "C:"
- source
- API Call
- relevance
- 5/10
Invokes the C# compiler
- details
- Process "csc.exe" with commandline "/noconfig /fullpaths @"%TEMP%\tw8k8b7x.cmdline""
- source
- Monitored Target
- relevance
- 10/10
- ATT&CK ID
- T1500
Reads information about supported languages
- details
"mode.com" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "00000409")
"csc.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "00000409")
"cvtres.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "00000409")
"expand.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "00000409")
"findstr.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "00000409") - source
- Registry Access
- relevance
- 3/10
- ATT&CK ID
- T1012
Hiding 1 Suspicious Indicators
Informative 23
Anti-Reverse Engineering
Creates guarded memory regions (anti-debugging trick to avoid memory dumping)
- details
- "powershell.exe" is allocating memory with PAGE_GUARD access rights
- source
- API Call
- relevance
- 10/10
Environment Awareness
Executes WMI queries
- details
"WMIC.exe" issued a query "SELECT Caption FROM Win32_OperatingSystem"
"WMIC.exe" issued a query "SELECT CSDVersion FROM Win32_OperatingSystem"
"WMIC.exe" issued a query "SELECT Version FROM Win32_OperatingSystem" - source
- API Call
- relevance
- 10/10
- ATT&CK ID
- T1047
Reads the active computer name
- details
- "WMIC.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\COMPUTERNAME\ACTIVECOMPUTERNAME"; Key: "COMPUTERNAME")
- source
- Registry Access
- relevance
- 5/10
- ATT&CK ID
- T1012
General
Creates a writable file in a temporary directory
- details
"powershell.exe" created file "%TEMP%\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk"
"cvtres.exe" created file "C:\Users\%USERNAME%\AppData\Local\Temp\RES6C00.tmp"
"expand.exe" created file "C:\Users\%USERNAME%\AppData\Local\Temp\$dpx$.tmp\228069c17dfcf5418b5f42f486258743.tmp"
"expand.exe" created file "C:\Users\%USERNAME%\AppData\Local\Temp\$dpx$.tmp\f0dfa598a0818a409bba21182dce42e0.tmp"
"expand.exe" created file "C:\Users\%USERNAME%\AppData\Local\Temp\$dpx$.tmp\2beef9ba2ad2ba4783a69840aed324d7.tmp"
"expand.exe" created file "C:\Users\%USERNAME%\AppData\Local\Temp\$dpx$.tmp\f90fffe03aefef48920b1628ddd7ebbe.tmp"
"expand.exe" created file "C:\Users\%USERNAME%\AppData\Local\Temp\$dpx$.tmp\6b2d04a06a79ce4f81a276ae519da673.tmp"
"expand.exe" created file "C:\Users\%USERNAME%\AppData\Local\Temp\$dpx$.tmp\e79297b69ae7cd4ea850db29304735be.tmp"
"expand.exe" created file "C:\Users\%USERNAME%\AppData\Local\Temp\$dpx$.tmp\f2c4a1e9b3fc924da1e6e2f1484b2853.tmp"
"expand.exe" created file "C:\Users\%USERNAME%\AppData\Local\Temp\$dpx$.tmp\98ac4beda3929540b63c1390f5dfe827.tmp"
"expand.exe" created file "C:\Users\%USERNAME%\AppData\Local\Temp\$dpx$.tmp\548f552de344ee468e1a974841976f88.tmp"
"expand.exe" created file "C:\Users\%USERNAME%\AppData\Local\Temp\$dpx$.tmp\09a99bcedbea714fbe2286f9ab159373.tmp"
"expand.exe" created file "C:\Users\%USERNAME%\AppData\Local\Temp\$dpx$.tmp\fa2850373f760943a085cbf7bf428b42.tmp"
"expand.exe" created file "C:\Users\%USERNAME%\AppData\Local\Temp\$dpx$.tmp\a88fa1ab70bccf429c29b621fd233e17.tmp"
"expand.exe" created file "C:\Users\%USERNAME%\AppData\Local\Temp\$dpx$.tmp\59780ede1f8dbc4a86db54cba0abe017.tmp" - source
- API Call
- relevance
- 1/10
Creates mutants
- details
"\Sessions\1\BaseNamedObjects\_SHuassist.mtx"
"_SHuassist.mtx"
"\Sessions\1\BaseNamedObjects\DBWinMutex"
"DBWinMutex"
"\Sessions\1\BaseNamedObjects\Global\WdsSetupLogInit"
"\Sessions\1\BaseNamedObjects\Global\SetupLog"
"Global\SetupLog"
"Global\WdsSetupLogInit" - source
- Created Mutant
- relevance
- 3/10
Drops files marked as clean
- details
Antivirus vendors marked dropped file "MODE.COM.5FB1A102.bin" as clean (type is "PE32 executable (console) Intel 80386 for MS Windows")
Antivirus vendors marked dropped file "MODE.COM.5FB1A10C.bin" as clean (type is "PE32 executable (console) Intel 80386 for MS Windows")
Antivirus vendors marked dropped file "MODE.COM.5FB1A116.bin" as clean (type is "PE32 executable (console) Intel 80386 for MS Windows")
Antivirus vendors marked dropped file "MODE.COM.5FB1A1A8.bin" as clean (type is "PE32 executable (console) Intel 80386 for MS Windows")
Antivirus vendors marked dropped file "KMS _ KMS 2038 _ Digital _ Online Activation Suite v8.5 - mephistooo2 - www.TNCTR.com" as clean (type is "ASCII text with no line terminators with overstriking")
Antivirus vendors marked dropped file "2beef9ba2ad2ba4783a69840aed324d7.tmp" as clean (type is "PE32 executable (console) Intel 80386 for MS Windows")
- source
- Binary File
- relevance
- 10/10
Loads the .NET runtime environment
- details
"powershell.exe" loaded module "%WINDIR%\assembly\NativeImages_v2.0.50727_32\mscorlib\9f895c66454577eff9c77442d0c84f71\mscorlib.ni.dll" at 690F0000
"csc.exe" loaded module "%WINDIR%\Microsoft.NET\Framework\v2.0.50727\mscorlib.dll" at 02740000 - source
- Loaded Module
Overview of unique CLSIDs touched in registry
- details
"csc.exe" touched "Microsoft Common Language Runtime Meta Data" (Path: "HKCU\CLSID\{E5CB7A31-7512-11D2-89CE-0080C792E5D8}")
"WMIC.exe" touched "WBEM Locator" (Path: "HKCU\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}")
"WMIC.exe" touched "Free Threaded XML DOM Document" (Path: "HKCR\SOFTWARE\CLASSES\CLSID\{F6D90F12-9C73-11D3-B32E-00C04F990BB4}")
"WMIC.exe" touched "Windows Management and Instrumentation" (Path: "HKCU\CLSID\{8BC3F05E-D86B-11D0-A075-00C04FB68820}\TREATAS")
"WMIC.exe" touched "PSFactoryBuffer" (Path: "HKCU\CLSID\{7C857801-7381-11CF-884D-00AA004B2E24}\TREATAS")
"WMIC.exe" touched "Microsoft WBEM (non)Standard Marshaling for IWbemServices" (Path: "HKCU\CLSID\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}\TREATAS")
"WMIC.exe" touched "Microsoft WBEM WbemClassObject Marshalling proxy" (Path: "HKCU\CLSID\{4590F812-1D3A-11D0-891F-00AA004B2E24}\TREATAS")
"WMIC.exe" touched "Microsoft WBEM WMI Object Factory" (Path: "HKCU\CLSID\{8D1C559D-84F0-4BB3-A7D5-56A7435A9BA6}\TREATAS")
"WMIC.exe" touched "Microsoft WBEM Call Context" (Path: "HKCU\CLSID\{674B6698-EE92-11D0-AD71-00C04FD8FDFF}\TREATAS")
"WMIC.exe" touched "Microsoft WBEM (non)Standard Marshaling for IEnumWbemClassObject" (Path: "HKCU\CLSID\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\TREATAS")
"WMIC.exe" touched "XSL Template" (Path: "HKCU\CLSID\{2933BF94-7B36-11D2-B20E-00C04F983E60}\TREATAS") - source
- Registry Access
- relevance
- 3/10
Process launched with changed environment
- details
Process "mode.com" was launched with new environment variables: "ver="v8.5""
Process "csc.exe" was launched with new environment variables: "processor_architecture="x86", processor_identifier="x86 Family 6 Model 79 Stepping 1, GenuineIntel", computername="VbgmRypLdd", logonserver="\\HAPUBWS-PC", commonprogramfiles="C:\Program Files\Common Files", homedrive="C:", systemroot="C:\Windows", pathext=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC", userdomain="VbgmRypLdd", path="%ALLUSERSPROFILE%\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Users\%USERNAME%\AppData\Local\Programs\Python\Python36-32\Scripts\;C:\Users\%USERNAME%\AppData\Local\Programs\Python\Python36-32\", allusersprofile="C:\ProgramData", comspec="C:\Windows\system32\cmd.exe", public="C:\Users\%USERNAME%\Users\Yi2c1wy", sessionname="Console", tmp="C:\Users\%USERNAME%\AppData\Local\Temp", processor_revision="4f01", fp_no_host_check="NO", temp="C:\Users\%USERNAME%\AppData\Local\Temp", localappdata="C:\Users\%USERNAME%\AppData\Local", os="Windows_NT", userprofile="C:\Users\%USERNAME%\ProgramData", number_of_processors="2", programfiles="C:\Program Files", processor_level="6", psmodulepath="C:\Users\%USERNAME%\Documents\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules\;C:\Program Files\AutoIt3\AutoItX", _clrrestrictsecattributes="1", prompt="$P$G", systemdrive="C:", appdata="C:\Users\%USERNAME%\AppData\Roaming", username="Yi2c1wy""
Process "csc.exe" was launched with missing environment variables: "LOCALAPPDATA, PROCESSOR_LEVEL, FP_NO_HOST_CHECK, USERDOMAIN, LOGONSERVER, PROMPT, SESSIONNAME, ALLUSERSPROFILE, PROCESSOR_ARCHITECTURE, PSModulePath, SystemDrive, APPDATA, USERNAME, CommonProgramFiles, Path, PATHEXT, OS, COMPUTERNAME, PROCESSOR_REVISION, ComSpec, ProgramData, HOMEPATH, SystemRoot, TEMP, HOMEDRIVE, PROCESSOR_IDENTIFIER, USERPROFILE, TMP, PUBLIC, ProgramFiles, NUMBER_OF_PROCESSORS"
Process "expand.exe" was launched with new environment variables: "LOCALAPPDATA="C:\Users\%USERNAME%\AppData\Local", PROCESSOR_LEVEL="6", FP_NO_HOST_CHECK="NO", USERDOMAIN="VbgmRypLdd", LOGONSERVER="\\HAPUBWS-PC", PROMPT="$P$G", SESSIONNAME="Console", ALLUSERSPROFILE="C:\ProgramData", PROCESSOR_ARCHITECTURE="x86", PSModulePath="C:\Users\%USERNAME%\Documents\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules\;C:\Program Files\AutoIt3\AutoItX", SystemDrive="C:", APPDATA="C:\Users\%USERNAME%\AppData\Roaming", USERNAME="Yi2c1wy", CommonProgramFiles="C:\Program Files\Common Files", Path="C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Users\%USERNAME%\AppData\Local\Programs\Python\Python36-32\Scripts\;C:\Users\%USERNAME%\AppData\Local\Programs\Python\Python36-32\", PATHEXT=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC", OS="Windows_NT", COMPUTERNAME="VbgmRypLdd", PROCESSOR_REVISION="4f01", ComSpec="C:\Windows\system32\cmd.exe", ProgramData="C:\ProgramData", HOMEPATH="\Users\Yi2c1wy", SystemRoot="C:\Windows", TEMP="C:\Users\%USERNAME%\AppData\Local\Temp", HOMEDRIVE="C:", PROCESSOR_IDENTIFIER="x86 Family 6 Model 79 Stepping 1, GenuineIntel", USERPROFILE="C:\Users\%USERNAME%\Users\Yi2c1wy\AppData\Local\Temp", PUBLIC="C:\Users\%USERNAME%\Program Files", NUMBER_OF_PROCESSORS="2""
Process "expand.exe" was launched with missing environment variables: "processor_architecture, processor_identifier, computername, logonserver, commonprogramfiles, homedrive, systemroot, pathext, userdomain, path, allusersprofile, comspec, public, homepath, sessionname, tmp, processor_revision, fp_no_host_check, temp, localappdata, os, userprofile, programdata, number_of_processors, programfiles, processor_level, psmodulepath, _clrrestrictsecattributes, prompt, systemdrive, appdata, username"
Process "mode.com" was launched with modified environment variables: "PSModulePath"
Process "findstr.exe" was launched with new environment variables: "EchoRed="powershell -NoProfile write-host -back Black -fore Red", EchoGreen="powershell -NoProfile write-host -back Black -fore Green", EchoYellow="powershell -NoProfile write-host -back Yellow -fore Black", param="C:\Users\%USERNAME%\AppData\Local\Temp\KMS_Suite\KMS_Suite.cmd", EchoGreen1="powershell -NoProfile write-host -back Green -fore Black""
Process "mode.com" was launched with new environment variables: "DEL=" ""
Process "cmd.exe" was launched with new environment variables: "KMS_RenewalInterval="10080", SkipKMS38="1", KMS_IP="!server!", ActOffice="1", KMS_HWID="0x3A1C049600B60076", Auto="0", KMS_ActivationInterval="120", KMS_Emulation="1", AutoR2V="1", KMS_Port="1688", External="1", ActWindows="1", xOS="x86", Debug="0""
Process "cmd.exe" was launched with new environment variables: "NameOS="Microsoft Windows 7 Professional ""
Process "cmd.exe" was launched with new environment variables: "SP="Service Pack 1""
Process "mode.com" was launched with new environment variables: "Version="6.1.7601""
Process "cmd.exe" was launched with new environment variables: "dd="11", mm="15", yy="2020""
Process "findstr.exe" was launched with new environment variables: "mytime="09:47 PM"" - source
- Monitored Target
- relevance
- 10/10
Spawns new processes
- details
Spawned process "mode.com" with commandline "mode con cols=70 lines=3"
Spawned process "powershell.exe" with commandline "powershell -noprofile -c "$f=[io.file]::ReadAllText('C:\KMS_Sui ..."
Spawned process "csc.exe" with commandline "/noconfig /fullpaths @"%TEMP%\tw8k8b7x.cmdline""
Spawned process "cvtres.exe" with commandline "/NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES6C00.tmp" "%TEMP ..."
Spawned process "expand.exe" with commandline "-R 1 -F:* ."
Spawned process "mode.com" with commandline "mode con:cols=70 lines=1"
Spawned process "reg.exe" with commandline "reg query HKEY_USERS\S-1-5-20"
Spawned process "cmd.exe" with commandline "cmd /v:on /c echo(^!param^!"
Spawned process "findstr.exe" with commandline "findstr /R "[| ` ~ ! @ % \ / ^ & ( ) \[ \] { } + = ; : '
|]*^ ..."
Spawned process "cmd.exe" with commandline "/c "prompt #$H#$E# & echo on & for %b in (1) do rem""
Spawned process "mode.com" with commandline "mode con cols=92 lines=35"
Spawned process "cmd.exe" with commandline "/c "wmic Path Win32_OperatingSystem Get Caption /format:LIST""
Spawned process "WMIC.exe" with commandline "wmic Path Win32_OperatingSystem Get Caption /format:LIST"
Spawned process "cmd.exe" with commandline "/c "wmic Path Win32_OperatingSystem Get CSDVersion /format:LIST""
Spawned process "WMIC.exe" with commandline "wmic Path Win32_OperatingSystem Get CSDVersion /format:LIST"
Spawned process "cmd.exe" with commandline "/c "wmic Path Win32_OperatingSystem Get Version /format:LIST""
Spawned process "WMIC.exe" with commandline "wmic Path Win32_OperatingSystem Get Version /format:LIST"
Spawned process "mode.com" with commandline "mode con cols=92 lines=38"
Spawned process "cmd.exe" with commandline "/c time /t"
Spawned process "findstr.exe" with commandline "findstr /v /a:80 /R "^$" " KMS & KMS 2038 & Digital & Online A ..." - source
- Monitored Target
- relevance
- 3/10
Spawns new processes that are not known child processes
- details
Spawned process "mode.com" with commandline "mode con cols=70 lines=3"
Spawned process "powershell.exe" with commandline "powershell -noprofile -c "$f=[io.file]::ReadAllText('C:\KMS_Sui ..."
Spawned process "csc.exe" with commandline "/noconfig /fullpaths @"%TEMP%\tw8k8b7x.cmdline""
Spawned process "cvtres.exe" with commandline "/NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES6C00.tmp" "%TEMP ..."
Spawned process "expand.exe" with commandline "-R 1 -F:* ."
Spawned process "mode.com" with commandline "mode con:cols=70 lines=1"
Spawned process "reg.exe" with commandline "reg query HKEY_USERS\S-1-5-20"
Spawned process "cmd.exe" with commandline "cmd /v:on /c echo(^!param^!"
Spawned process "findstr.exe" with commandline "findstr /R "[| ` ~ ! @ % \ / ^ & ( ) \[ \] { } + = ; : '
|]*^ ..."
Spawned process "cmd.exe" with commandline "/c "prompt #$H#$E# & echo on & for %b in (1) do rem""
Spawned process "mode.com" with commandline "mode con cols=92 lines=35"
Spawned process "cmd.exe" with commandline "/c "wmic Path Win32_OperatingSystem Get Caption /format:LIST""
Spawned process "WMIC.exe" with commandline "wmic Path Win32_OperatingSystem Get Caption /format:LIST"
Spawned process "cmd.exe" with commandline "/c "wmic Path Win32_OperatingSystem Get CSDVersion /format:LIST""
Spawned process "WMIC.exe" with commandline "wmic Path Win32_OperatingSystem Get CSDVersion /format:LIST"
Spawned process "cmd.exe" with commandline "/c "wmic Path Win32_OperatingSystem Get Version /format:LIST""
Spawned process "WMIC.exe" with commandline "wmic Path Win32_OperatingSystem Get Version /format:LIST"
Spawned process "mode.com" with commandline "mode con cols=92 lines=38"
Spawned process "cmd.exe" with commandline "/c time /t"
Spawned process "findstr.exe" with commandline "findstr /v /a:80 /R "^$" " KMS & KMS 2038 & Digital & Online A ..." - source
- Monitored Target
- relevance
- 3/10
Installation/Persistence
Connects to LPC ports
- details
- "WMIC.exe" connecting to "\ThemeApiPort"
- source
- API Call
- relevance
- 1/10
Creates new processes
- details
"cmd.exe" is creating a new process (Name: "%WINDIR%\System32\mode.com", Handle: 88)
"cmd.exe" is creating a new process (Name: "%WINDIR%\System32\WindowsPowerShell\v1.0\powershell.exe", Handle: 100)
"cmd.exe" is creating a new process (Name: "%WINDIR%\System32\reg.exe", Handle: 92)
"cmd.exe" is creating a new process (Name: "%WINDIR%\System32\cmd.exe", Handle: 120)
"cmd.exe" is creating a new process (Name: "%WINDIR%\System32\findstr.exe", Handle: 92)
"cmd.exe" is creating a new process (Name: "%WINDIR%\System32\wbem\WMIC.exe", Handle: 80) - source
- API Call
- relevance
- 8/10
Dropped files
- details
"MODE.COM.5FB1A102.bin" has type "PE32 executable (console) Intel 80386 for MS Windows"
"MODE.COM.5FB1A10C.bin" has type "PE32 executable (console) Intel 80386 for MS Windows"
"MODE.COM.5FB1A116.bin" has type "PE32 executable (console) Intel 80386 for MS Windows"
"MODE.COM.5FB1A1A8.bin" has type "PE32 executable (console) Intel 80386 for MS Windows"
"KMS _ KMS 2038 _ Digital _ Online Activation Suite v8.5 - mephistooo2 - www.TNCTR.com" has type "ASCII text with no line terminators with overstriking"
"tw8k8b7x.dll" has type "PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly for MS Windows"
"e79297b69ae7cd4ea850db29304735be.tmp" has type "PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB) for MS Windows"
"_3_ ACTIVATION START FOR WINDOWS 10 _ OFFICE _Online Activation Method_" has type "ASCII text with no line terminators with overstriking"
"09a99bcedbea714fbe2286f9ab159373.tmp" has type "DOS batch file ASCII text with very long lines with CRLF line terminators"
"tw8k8b7x.pdb" has type "MSVC program database ver \002"
"tw8k8b7x.out" has type "UTF-8 Unicode (with BOM) text with very long lines with CRLF line terminators"
"2beef9ba2ad2ba4783a69840aed324d7.tmp" has type "PE32 executable (console) Intel 80386 for MS Windows"
"98ac4beda3929540b63c1390f5dfe827.tmp" has type "DOS batch file ASCII text with very long lines with CRLF line terminators"
"1" has type "Microsoft Cabinet archive data 230465 bytes 16 files"
"7e32f79ab148f044bb0fd2ba3da1bd85.tmp" has type "PE32+ executable (DLL) (native) x86-64 (stripped to external PDB) for MS Windows"
"_4_ WINDOWS _ OFFICE ACTIVATION STATUS CHECK" has type "ASCII text with no line terminators with overstriking"
"f0dfa598a0818a409bba21182dce42e0.tmp" has type "DOS batch file ASCII text with CRLF line terminators"
"_5_ KMS _ KMS 2038 _ DIJITAL _ ONLINE ACTIVATION VISIT WEBSITE" has type "ASCII text with no line terminators with overstriking"
"548f552de344ee468e1a974841976f88.tmp" has type "DOS batch file ASCII text with CRLF line terminators"
"_2_ ACTIVATION START FOR WINDOWS 10 _Dijital _ KMS 2038 Activation Method_" has type "ASCII text with no line terminators with overstriking" - source
- Binary File
- relevance
- 3/10
Opens the MountPointManager (often used to detect additional infection locations)
- details
- "cmd.exe" opened "\Device\MountPointManager"
- source
- API Call
- relevance
- 5/10
Touches files in the Windows directory
- details
"cmd.exe" touched file "C:\Windows\Globalization\Sorting\SortDefault.nls"
"cmd.exe" touched file "C:\Windows\AppPatch\sysmain.sdb"
"cmd.exe" touched file "C:\Windows\System32\mode.com"
"powershell.exe" touched file "C:\Windows\System32\WindowsPowerShell\v1.0\en-US\powershell.exe.mui"
"powershell.exe" touched file "C:\Windows\Globalization\Sorting\SortDefault.nls"
"powershell.exe" touched file "C:\Users\%USERNAME%\AppData\Local\Microsoft\Windows\Caches"
"powershell.exe" touched file "C:\Users\%USERNAME%\AppData\Local\Microsoft\Windows\Caches\cversions.1.db"
"powershell.exe" touched file "C:\Users\%USERNAME%\AppData\Local\Microsoft\Windows\Caches\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x0000000000000027.db"
"powershell.exe" touched file "C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini"
"powershell.exe" touched file "C:\Windows\System32\en-US\shell32.dll.mui"
"powershell.exe" touched file "C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Windows\Start Menu"
"powershell.exe" touched file "C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini"
"powershell.exe" touched file "%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu"
"powershell.exe" touched file "C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations"
"powershell.exe" touched file "C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms"
"powershell.exe" touched file "C:\Users\%USERNAME%\AppData\Local\Temp\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk"
"powershell.exe" touched file "C:\Windows\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk\desktop.ini" - source
- API Call
- relevance
- 7/10
-
Connects to LPC ports
-
Network Related
-
Found potential URL in binary/memory
- details
-
Pattern match: "www.TNCTR.com"
Heuristic match: "title KMS (Inject) Activation Windows ^& Office %ver% by mephistooo2 - TNCTR.com"
Heuristic match: "echo KMS (Inject) Activation Windows ^& Office %ver% by mephistooo2 - TNCTR.com"
Pattern match: "https://www.tnctr.com/topic/450916-kms2038-dijital-online-aktivasyon-suite-v64/"
Heuristic match: "title Digital ^& KMS 2038 Activation Windows 10 %ver% by mephistooo2 - TNCTR.com"
Pattern match: "https://www.tnctr.com/topic/450916-kms-dijital-online-aktivasyon-suite-v52/" - source
- File/Memory
- relevance
- 10/10
-
-
Remote Access Related
-
Contains references to WMI/WMIC
- details
- "WMIC.exe" (Indicator: "wmic.exe")
- source
- File/Memory
- relevance
- 10/10
- ATT&CK ID
- T1047
-
-
System Destruction
-
Opens file with deletion access rights
- details
-
"expand.exe" opened "%TEMP%\$dpx$.tmp\228069c17dfcf5418b5f42f486258743.tmp" with delete access
"expand.exe" opened "C:\Users\%USERNAME%\AppData\Local\Temp\$dpx$.tmp\f2c4a1e9b3fc924da1e6e2f1484b2853.tmp" with delete access
"expand.exe" opened "C:\Users\%USERNAME%\AppData\Local\Temp\$dpx$.tmp\f90fffe03aefef48920b1628ddd7ebbe.tmp" with delete access
"expand.exe" opened "C:\Users\%USERNAME%\AppData\Local\Temp\$dpx$.tmp\6b2d04a06a79ce4f81a276ae519da673.tmp" with delete access
"expand.exe" opened "C:\Users\%USERNAME%\AppData\Local\Temp\$dpx$.tmp\e79297b69ae7cd4ea850db29304735be.tmp" with delete access
"expand.exe" opened "C:\Users\%USERNAME%\AppData\Local\Temp\$dpx$.tmp\f0dfa598a0818a409bba21182dce42e0.tmp" with delete access
"expand.exe" opened "C:\Users\%USERNAME%\AppData\Local\Temp\$dpx$.tmp\98ac4beda3929540b63c1390f5dfe827.tmp" with delete access
"expand.exe" opened "C:\Users\%USERNAME%\AppData\Local\Temp\$dpx$.tmp\548f552de344ee468e1a974841976f88.tmp" with delete access
"expand.exe" opened "C:\Users\%USERNAME%\AppData\Local\Temp\$dpx$.tmp\09a99bcedbea714fbe2286f9ab159373.tmp" with delete access
"expand.exe" opened "C:\Users\%USERNAME%\AppData\Local\Temp\$dpx$.tmp\fa2850373f760943a085cbf7bf428b42.tmp" with delete access
"expand.exe" opened "C:\Users\%USERNAME%\AppData\Local\Temp\$dpx$.tmp\a88fa1ab70bccf429c29b621fd233e17.tmp" with delete access
"expand.exe" opened "C:\Users\%USERNAME%\AppData\Local\Temp\$dpx$.tmp\59780ede1f8dbc4a86db54cba0abe017.tmp" with delete access
"expand.exe" opened "C:\Users\%USERNAME%\AppData\Local\Temp\$dpx$.tmp\2beef9ba2ad2ba4783a69840aed324d7.tmp" with delete access - source
- API Call
- relevance
- 7/10
-
-
System Security
-
Opens the Kernel Security Device Driver (KsecDD) of Windows
- details
-
"csc.exe" opened "\Device\KsecDD"
"cvtres.exe" opened "\Device\KsecDD"
"expand.exe" opened "\Device\KsecDD"
"WMIC.exe" opened "\Device\KsecDD" - source
- API Call
- relevance
- 10/10
- ATT&CK ID
- T1215
-
-
Unusual Characteristics
-
Drops a text file that contains suspicious strings (e.g. shell/ActiveX/DOM related)
- details
-
"09a99bcedbea714fbe2286f9ab159373.tmp" contains indicator "WScript.Shell" (Line: 112; Offset: 34)
"98ac4beda3929540b63c1390f5dfe827.tmp" contains indicator "WScript.Shell" (Line: 22; Offset: 34) - source
- Binary File
- relevance
- 8/10
-
Drops cabinet archive files
- details
- "1" has type "Microsoft Cabinet archive data, 230465 bytes, 16 files"
- source
- Binary File
- relevance
- 10/10
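The payload is not dropped as loose files: the script writes a Microsoft Cabinet named `1` (16 files, 230465 bytes, listed under Extracted Files further down) and unpacks it with `expand.exe -R 1 -F:* .`. Before letting expand.exe run on a cabinet like that, an analyst wants the file list from the cabinet header. The Python below is an added example written for this page, not code from the sample or from Hybrid Analysis: it walks the CFHEADER, CFFOLDER and CFFILE structures to list names, sizes, timestamps and compression type, and flags entries whose names would land outside the extraction directory or are executables. `build_sample_cabinet` produces constructed test data; the real cabinet `1` is not reproduced here.

```python
import struct
from dataclasses import dataclass, field

# Constants from the Microsoft Cabinet file format (CFHEADER / CFFOLDER / CFFILE).
CAB_SIGNATURE = b"MSCF"
CFHDR_PREV_CABINET = 0x0001
CFHDR_NEXT_CABINET = 0x0002
CFHDR_RESERVE_PRESENT = 0x0004
ATTR_NAME_IS_UTF = 0x0080          # szName is UTF-8 instead of the OEM code page
COMPRESSION = {0: "none", 1: "MSZIP", 2: "Quantum", 3: "LZX"}
EXEC_EXT = (".exe", ".dll", ".sys", ".cmd", ".bat", ".ps1", ".vbs", ".js", ".wsf", ".scr", ".com")


@dataclass
class CabFile:
    name: str
    size: int
    folder: int            # CFFOLDER index; 0xFFFD and above mean spanned across cabinets
    attribs: int
    modified: str          # DOS date/time decoded as "YYYY-MM-DD HH:MM:SS"
    escapes_dir: bool      # absolute path or ".." component: would write outside the target dir
    is_executable: bool


@dataclass
class CabInfo:
    version: str
    declared_size: int
    folders: list = field(default_factory=list)   # compression type per CFFOLDER
    files: list = field(default_factory=list)


def is_cabinet(data: bytes) -> bool:
    return len(data) >= 36 and data[:4] == CAB_SIGNATURE


def _cstring(buf: bytes, off: int):
    end = buf.index(b"\x00", off)
    return buf[off:end], end + 1


def _dos_datetime(date: int, time: int) -> str:
    return "%04d-%02d-%02d %02d:%02d:%02d" % (1980 + (date >> 9), (date >> 5) & 0x0F, date & 0x1F,
                                              time >> 11, (time >> 5) & 0x3F, (time & 0x1F) * 2)


def _escapes_dir(name: str) -> bool:
    parts = name.replace("/", "\\").split("\\")
    return name.startswith("\\") or (len(name) > 1 and name[1] == ":") or ".." in parts


def parse_cabinet(data: bytes) -> CabInfo:
    """List a cabinet's contents from its headers alone; nothing is decompressed."""
    if not is_cabinet(data):
        raise ValueError("not a Microsoft Cabinet: missing MSCF signature")
    (cb_cabinet, coff_files, ver_minor, ver_major, c_folders, c_files,
     flags, _set_id, _i_cabinet) = struct.unpack_from("<4xI4xI4xBBHHHHH", data, 4)
    if cb_cabinet > len(data):
        raise ValueError(f"truncated cabinet: header declares {cb_cabinet} bytes, have {len(data)}")
    info = CabInfo(version=f"{ver_major}.{ver_minor}", declared_size=cb_cabinet)

    # Optional header fields sit between the fixed 36-byte header and the CFFOLDER array.
    off, cb_cffolder = 36, 0
    if flags & CFHDR_RESERVE_PRESENT:
        cb_cfheader, cb_cffolder, _cb_cfdata = struct.unpack_from("<HBB", data, off)
        off += 4 + cb_cfheader
    for flag in (CFHDR_PREV_CABINET, CFHDR_NEXT_CABINET):
        if flags & flag:                       # cabinet name + disk name, NUL-terminated
            _, off = _cstring(data, off)
            _, off = _cstring(data, off)
    for _ in range(c_folders):
        _coff_start, _c_cfdata, type_compress = struct.unpack_from("<IHH", data, off)
        info.folders.append(COMPRESSION.get(type_compress & 0x000F, f"unknown({type_compress:#x})"))
        off += 8 + cb_cffolder

    off = coff_files                           # CFFILE array starts where the header says
    for _ in range(c_files):
        cb_file, _uoff, i_folder, date, time, attribs = struct.unpack_from("<IIHHHH", data, off)
        raw, off = _cstring(data, off + 16)
        name = raw.decode("utf-8" if attribs & ATTR_NAME_IS_UTF else "cp437", errors="replace")
        info.files.append(CabFile(name=name, size=cb_file, folder=i_folder, attribs=attribs,
                                  modified=_dos_datetime(date, time), escapes_dir=_escapes_dir(name),
                                  is_executable=name.lower().endswith(EXEC_EXT)))
    return info


def build_sample_cabinet(entries) -> bytes:
    """Constructed test data (not a real sample): one uncompressed folder holding
    `entries`, given as (name, content) pairs, all stamped 2020-11-16 17:33:36."""
    cffiles, uoff = b"", 0
    for name, content in entries:
        cffiles += struct.pack("<IIHHHH", len(content), uoff, 0, 0x5170, 0x8C32, 0x20)
        cffiles += name.encode("cp437") + b"\x00"
        uoff += len(content)
    payload = b"".join(content for _, content in entries)
    coff_files = 36 + 8                        # fixed header + one CFFOLDER, no reserve area
    coff_cabstart = coff_files + len(cffiles)
    cfdata = struct.pack("<IHH", 0, len(payload), len(payload)) + payload   # one CFDATA, checksum 0
    total = coff_cabstart + len(cfdata)
    header = CAB_SIGNATURE + struct.pack("<IIIIIBBHHHHH", 0, total, 0, coff_files, 0,
                                         3, 1, 1, len(entries), 0, 0x1234, 0)
    return header + struct.pack("<IHH", coff_cabstart, 1, 0) + cffiles + cfdata
```

Run `parse_cabinet(open("1", "rb").read())` on the dropped file and compare the file count with the 16 the sandbox reports; any entry with `escapes_dir` set is a reason not to extract with `-F:*` into the working directory at all.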
-
Installs hooks/patches the running process
- details
-
"powershell.exe" wrote bytes "7750ee99" to virtual address "0x69BF1FFC" (part of module "MSCORWKS.DLL")
"powershell.exe" wrote bytes "c04e797720547a77e0657a77b5387b770000000000d05d7700000000c5ea5d770000000088ea5d7700000000e968737582287b77ee297b7700000000d2697375000000007dbb5d770000000009be737500000000ba185d7700000000" to virtual address "0x778C1000" (part of module "NSI.DLL")
"powershell.exe" wrote bytes "d0554e76647357760000000051c1207694982076ee9c207675dc2276273e22760fb3267600000000acdc5d771bf75d77c1085f77c0d95d77152e5d7736da5d77d5d95d7730c65d77e0c25d7742c65d771bc65d7786c45d7772c65d7700000000" to virtual address "0x6F4F1000" (part of module "SHFOLDER.DLL")
"reg.exe" wrote bytes "c04e797720547a77e0657a77b5387b770000000000d05d7700000000c5ea5d770000000088ea5d7700000000e968737582287b77ee297b7700000000d2697375000000007dbb5d770000000009be737500000000ba185d7700000000" to virtual address "0x778C1000" (part of module "NSI.DLL")
"WMIC.exe" wrote bytes "c04e797720547a77e0657a77b5387b770000000000d05d7700000000c5ea5d770000000088ea5d7700000000e968737582287b77ee297b7700000000d2697375000000007dbb5d770000000009be737500000000ba185d7700000000" to virtual address "0x778C1000" (part of module "NSI.DLL")
"choice.exe" wrote bytes "c04e797720547a77e0657a77b5387b770000000000d05d7700000000c5ea5d770000000088ea5d7700000000e968737582287b77ee297b7700000000d2697375000000007dbb5d770000000009be737500000000ba185d7700000000" to virtual address "0x778C1000" (part of module "NSI.DLL") - source
- Hook Detection
- relevance
- 10/10
- ATT&CK ID
- T1179
-
File Details
KMS_Suite.v8.5.EN.cmd
- Filename
- KMS_Suite.v8.5.EN.cmd
- Size
- 279KiB (285831 bytes)
- Type
- script cmd
- Description
- DOS batch file, ASCII text, with very long lines, with CRLF line terminators
- Architecture
- WINDOWS
- SHA256
- b8461b0dea9df1d5fa7317092e7716e3cda52319cb27c560299eeaca95c93d13
- MD5
- 1b3e810b470ea4cdde60627e77173d73
- SHA1
- ad38199b4be10d6c3f31c7cdc1a903257e2b4112
- ssdeep
- 6144:lcHSwvEwAc+2RMQ1zKH4eKOfOzALuTboqMr19a6H:GyXwAD2RMozKH4/woNngVH
Hybrid Analysis
Analysed 30 processes in total.
-
cmd.exe
/c ""C:\KMS_Suite.v8.5.EN.cmd" "
(PID: 2968)
- mode.com mode con cols=70 lines=3 (PID: 3336)
-
powershell.exe
powershell -noprofile -c "$f=[io.file]::ReadAllText('C:\KMS_Suite.v8.5.EN.cmd') -split ':bat2file\:.*';iex ($f[1]);X 1;"
(PID: 3688)
-
csc.exe
/noconfig /fullpaths @"%TEMP%\tw8k8b7x.cmdline"
(PID: 3552)
- cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES6C00.tmp" "%TEMP%\CSC6BE0.tmp" (PID: 2836)
- expand.exe -R 1 -F:* . (PID: 2208)
- mode.com mode con:cols=70 lines=1 (PID: 3432)
- reg.exe reg query HKEY_USERS\S-1-5-20 (PID: 3828)
- cmd.exe cmd /v:on /c echo(^!param^! (PID: 4064)
- findstr.exe findstr /R "[| ` ~ ! @ % \ / ^ & ( ) \[ \] { } + = ; : ' , |]*^" (PID: 2464)
- cmd.exe /c "prompt #$H#$E# & echo on & for %b in (1) do rem" (PID: 1236)
- mode.com mode con cols=92 lines=35 (PID: 2212)
-
cmd.exe
/c "wmic Path Win32_OperatingSystem Get Caption /format:LIST"
(PID: 3600)
- WMIC.exe wmic Path Win32_OperatingSystem Get Caption /format:LIST (PID: 2008)
-
cmd.exe
/c "wmic Path Win32_OperatingSystem Get CSDVersion /format:LIST"
(PID: 3616)
- WMIC.exe wmic Path Win32_OperatingSystem Get CSDVersion /format:LIST (PID: 3632)
-
cmd.exe
/c "wmic Path Win32_OperatingSystem Get Version /format:LIST"
(PID: 3248)
- WMIC.exe wmic Path Win32_OperatingSystem Get Version /format:LIST (PID: 2868)
- mode.com mode con cols=92 lines=38 (PID: 4036)
- cmd.exe /c time /t (PID: 3636)
- findstr.exe findstr /v /a:80 /R "^$" " KMS & KMS 2038 & Digital & Online Activation Suite v8.5 - mephistooo2 - www.TNCTR.com" nul (PID: 4068)
- findstr.exe findstr /v /a:6 /R "^$" " SUPPORT MICROSOFT PRUDUCTS" nul (PID: 3852)
- reg.exe query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v DigitalProductId (PID: 3028)
- findstr.exe findstr /v /a:6 /R "^$" " [1] ACTIVATION START FOR WINDOWS 10 & OFFICE (KMS Inject Method)" nul (PID: 3916)
- findstr.exe findstr /v /a:9 /R "^$" " [2] ACTIVATION START FOR WINDOWS 10 (Dijital & KMS 2038 Activation Method)" nul (PID: 3096)
- findstr.exe findstr /v /a:2 /R "^$" " [3] ACTIVATION START FOR WINDOWS 10 & OFFICE (Online Activation Method)" nul (PID: 3128)
- findstr.exe findstr /v /a:8 /R "^$" " [4] WINDOWS & OFFICE ACTIVATION STATUS CHECK" nul (PID: 2268)
- findstr.exe findstr /v /a:3 /R "^$" " [5] KMS & KMS 2038 & DIJITAL & ONLINE ACTIVATION VISIT WEBSITE" nul (PID: 3596)
- findstr.exe findstr /v /a:4 /R "^$" " [6] EXIT" nul (PID: 4040)
- choice.exe choice /C:123456 /N /M "YOUR CHOICE :" (PID: 2216)
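The powershell.exe command line in the list above is the whole launch mechanism: the .cmd file is a batch/PowerShell polyglot. cmd.exe executes the batch lines at the top, which start PowerShell with `-noprofile -c`; PowerShell reads the same .cmd file with `[io.file]::ReadAllText`, splits it on the regular expression `:bat2file\:.*` (a line beginning with `:bat2file:`, which cmd.exe would parse as a label, so the batch half only has to stop before reaching it), executes the second half with `iex`, and then runs `X 1`, a command that the executed half must have defined. Everything after that in the process list (csc.exe compiling a .NET assembly for Add-Type, expand.exe unpacking the cabinet `1`, the wmic and reg queries) is that second half running. The Python below is an added triage script written for this page, not code from the sample: it applies the same split offline, checks whether the batch half carries such a launcher, hashes the PowerShell half and lists the capabilities found in it. `SAMPLE_CMD` is a constructed stand-in, and the indicator names are this example's own, not sandbox indicator IDs.

```python
import hashlib
import re

# The same regular expression the launcher passes to -split. In both .NET and Python
# '.' stops at '\n', so the match swallows the marker line up to the line break.
MARKER = re.compile(r":bat2file\:.*")

# Capabilities worth knowing about before anyone runs the PowerShell half.
PS_INDICATORS = {
    "iex": re.compile(r"\b(iex|invoke-expression)\b", re.I),
    "add-type": re.compile(r"\badd-type\b", re.I),            # spawns csc.exe, drops a .dll in %TEMP%
    "base64-blob": re.compile(r"FromBase64String", re.I),    # embedded binaries such as a cabinet
    "expand-cab": re.compile(r"\bexpand(\.exe)?\s", re.I),   # expand.exe -R <file> -F:* .
    "service-tamper": re.compile(r"\b(stop-service|set-service|sc(\.exe)?\s+(stop|config)|net(\.exe)?\s+stop)\b", re.I),
}
# A batch line that starts PowerShell, splits something and iex's the result.
LAUNCHER = re.compile(r"powershell[^\r\n]*?-split[^\r\n]*?\biex\b", re.I)


def split_polyglot(text: str):
    """Split the file exactly as the launcher does: parts[0] is what cmd.exe runs,
    parts[1] is what `iex ($f[1])` executes, anything after a further marker is
    usually data. Returns None when there is no marker at all."""
    parts = MARKER.split(text)
    if len(parts) < 2:
        return None
    return {"batch": parts[0], "powershell": parts[1], "trailing": parts[2:]}


def triage(text: str) -> dict:
    stages = split_polyglot(text)
    if stages is None:
        return {"polyglot": False, "indicators": []}
    ps = stages["powershell"]
    return {
        "polyglot": True,
        "launcher_in_batch": LAUNCHER.search(stages["batch"]) is not None,
        "powershell_bytes": len(ps),
        "powershell_sha256": hashlib.sha256(ps.encode("utf-8", "replace")).hexdigest(),
        "indicators": sorted(name for name, rx in PS_INDICATORS.items() if rx.search(ps)),
        "extra_sections": len(stages["trailing"]),
    }


# Constructed sample, not the analysed file: just enough to exercise the split.
SAMPLE_CMD = (
    "@echo off\r\n"
    "title demo launcher\r\n"
    "powershell -noprofile -c \"$f=[io.file]::ReadAllText('%~f0') -split ':bat2file\\:.*';iex ($f[1]);X 1;\"\r\n"
    "exit /b\r\n"
    ":bat2file: cmd.exe never reaches this line; everything below is PowerShell\r\n"
    "function X($n) {\r\n"
    "  Add-Type -TypeDefinition $src\r\n"
    "  [io.file]::WriteAllBytes(\"$env:TEMP\\$n\", [Convert]::FromBase64String($blob))\r\n"
    "  & expand.exe -R $n -F:* .\r\n"
    "  Stop-Service wuauserv\r\n"
    "}\r\n"
    ":bat2file:\r\n"
    "TVqQAAMAAAAEAAAA\r\n"
)

if __name__ == "__main__":
    import json
    import sys
    src = open(sys.argv[1], encoding="utf-8", errors="replace").read() if len(sys.argv) > 1 else SAMPLE_CMD
    print(json.dumps(triage(src), indent=2))
```

Note that the launcher line itself contains `:bat2file\:`, with a backslash, so the split does not fire on it; only a bare `:bat2file:` label marks a stage boundary, which is why the author could escape it that way and still keep the batch half intact.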
Network Analysis
DNS Requests
No relevant DNS requests were made.
Contacted Hosts
No relevant hosts were contacted.
HTTP Traffic
No relevant HTTP requests were made.
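With no DNS, host or HTTP activity recorded, nothing about this run is visible on the wire; the signal is in the process tree above. The Python below is an added example for this page, not part of the report: it runs a few parent/child rules over process-creation records reconstructed from the process list (image and command line as shown there; parent PIDs are assumed where the list does not nest them, as a Sysmon Event ID 1 feed would supply them) and shows which steps of the chain a host-based rule can catch: cmd.exe starting PowerShell that reads and `iex`es a .cmd file, PowerShell spawning csc.exe for Add-Type, expand.exe unpacking an extension-less source file, a read of DigitalProductId, and a burst of Win32_OperatingSystem queries under one root process. The rule names are this example's own.

```python
import re
from collections import Counter

# Process-creation records reconstructed from the report's process list. Parent PIDs
# are assumed where the list does not show nesting (the root's parent 1000 is invented).
EVENTS = [
    {"pid": 2968, "ppid": 1000, "image": "cmd.exe", "cmd": '/c ""C:\\KMS_Suite.v8.5.EN.cmd" "'},
    {"pid": 3688, "ppid": 2968, "image": "powershell.exe",
     "cmd": "powershell -noprofile -c \"$f=[io.file]::ReadAllText('C:\\KMS_Suite.v8.5.EN.cmd') -split ':bat2file\\:.*';iex ($f[1]);X 1;\""},
    {"pid": 3552, "ppid": 3688, "image": "csc.exe", "cmd": '/noconfig /fullpaths @"%TEMP%\\tw8k8b7x.cmdline"'},
    {"pid": 2836, "ppid": 3552, "image": "cvtres.exe",
     "cmd": '/NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\\RES6C00.tmp" "%TEMP%\\CSC6BE0.tmp"'},
    {"pid": 2208, "ppid": 3688, "image": "expand.exe", "cmd": "expand.exe -R 1 -F:* ."},
    {"pid": 3600, "ppid": 2968, "image": "cmd.exe", "cmd": '/c "wmic Path Win32_OperatingSystem Get Caption /format:LIST"'},
    {"pid": 2008, "ppid": 3600, "image": "WMIC.exe", "cmd": "wmic Path Win32_OperatingSystem Get Caption /format:LIST"},
    {"pid": 3616, "ppid": 2968, "image": "cmd.exe", "cmd": '/c "wmic Path Win32_OperatingSystem Get CSDVersion /format:LIST"'},
    {"pid": 3632, "ppid": 3616, "image": "WMIC.exe", "cmd": "wmic Path Win32_OperatingSystem Get CSDVersion /format:LIST"},
    {"pid": 3248, "ppid": 2968, "image": "cmd.exe", "cmd": '/c "wmic Path Win32_OperatingSystem Get Version /format:LIST"'},
    {"pid": 2868, "ppid": 3248, "image": "WMIC.exe", "cmd": "wmic Path Win32_OperatingSystem Get Version /format:LIST"},
    {"pid": 3028, "ppid": 2968, "image": "reg.exe",
     "cmd": 'query "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion" /v DigitalProductId'},
]

EXPAND_SOURCE = re.compile(r"-r\s+(\S+)\s+-f:\*", re.I)   # expand.exe -R <source> -F:* <dest>


def detect(events):
    """Return (rule, pid) tuples for the parent/child patterns this chain produces."""
    by_pid = {e["pid"]: e for e in events}

    def image_of(pid):
        return by_pid[pid]["image"].lower() if pid in by_pid else None

    def root_of(pid):                        # walk up while the parent is a known process
        while by_pid.get(pid, {}).get("ppid") in by_pid:
            pid = by_pid[pid]["ppid"]
        return pid

    alerts = []
    for e in events:
        img, cmd, parent = e["image"].lower(), e["cmd"], image_of(e["ppid"])
        low = cmd.lower()
        # A .cmd file re-reading itself into PowerShell and iex'ing a slice of its own text.
        if img == "powershell.exe" and parent == "cmd.exe" and all(t in low for t in ("readalltext(", "-split", "iex")):
            alerts.append(("script_reloads_itself_into_powershell", e["pid"]))
        # Add-Type always compiles through csc.exe with a generated @response file.
        if img == "csc.exe" and parent == "powershell.exe" and "/noconfig" in low:
            alerts.append(("powershell_inline_compile", e["pid"]))
        # Cabinet extraction where the source file has no extension (here: a file called "1").
        if img == "expand.exe":
            m = EXPAND_SOURCE.search(cmd)
            if m and "." not in m.group(1).rsplit("\\", 1)[-1]:
                alerts.append(("cab_extract_extensionless_source", e["pid"]))
        if img == "reg.exe" and "digitalproductid" in low:
            alerts.append(("license_key_read", e["pid"]))
    # OS fingerprinting: three or more Win32_OperatingSystem queries under one root process.
    os_queries = Counter(root_of(e["pid"]) for e in events
                         if e["image"].lower() == "wmic.exe" and "win32_operatingsystem" in e["cmd"].lower())
    alerts.extend(("os_fingerprint_burst", root) for root, n in os_queries.items() if n >= 3)
    return alerts


if __name__ == "__main__":
    for rule, pid in detect(EVENTS):
        print(f"{rule:40s} pid={pid}")
```

The inline-compile rule on its own is noisy (any script using Add-Type trips it); it earns its place here because it sits under a PowerShell that was itself started by the self-reloading launcher, which is the correlation a detection should key on.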
Extracted Files
Displaying 28 of 38 extracted files; the remaining 10 are not included in this report.
-
Malicious 2
-
-
7e32f79ab148f044bb0fd2ba3da1bd85.tmp
- Size
- 19KiB (19456 bytes)
- Type
- peexe 64bits executable
- Description
- PE32+ executable (DLL) (native) x86-64 (stripped to external PDB), for MS Windows
- AV Scan Result
- Labeled as "PUA.Win64.WinActivator" (2/68)
- Runtime Process
- expand.exe (PID: 2208)
- MD5
- e52f4dbaf955b0a869ec75506e47a00a
- SHA1
- c79a15c537ef42cf6fc795e8e960da1762c28368
- SHA256
- 1902f84a3dae23a598ddda1447957b421511d5df77480aa590f6463830685d7e
-
e79297b69ae7cd4ea850db29304735be.tmp
- Size
- 7KiB (7168 bytes)
- Type
- pedll executable
- Description
- PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
- AV Scan Result
- Labeled as "W32.AIDetectVM" (1/70)
- Runtime Process
- expand.exe (PID: 2208)
- MD5
- b21c40aaf16ba46b2732618d089db3a4
- SHA1
- ca3a51fdfc8749b8be85f7904b1c238a6dfba135
- SHA256
- 9395a37c42e83568dc5ecb25d9e9fca4c6c1c4f47e336fb6ccae62df5c696b4d
-
-
Clean 6
-
-
2beef9ba2ad2ba4783a69840aed324d7.tmp
- Size
- 17KiB (17408 bytes)
- Type
- peexe executable
- Description
- PE32 executable (console) Intel 80386, for MS Windows
- AV Scan Result
- 0/71
- Runtime Process
- expand.exe (PID: 2208)
- MD5
- 5fd363d52d04ac200cd24f3bcc903200
- SHA1
- 39ed8659e7ca16aaccb86def94ce6cec4c847dd6
- SHA256
- 3fdefe2ad092a9a7fe0edf0ac4dc2de7e5b9ce6a0804f6511c06564194966cf9
-
MODE.COM.5FB1A102.bin
- Size
- 25KiB (25088 bytes)
- Type
- peexe executable
- Description
- PE32 executable (console) Intel 80386, for MS Windows
- AV Scan Result
- 0/72
- MD5
- f015208f1f8473ba2e4bc229e0d38efd
- SHA1
- 1b959d6c227e41ab4eb2b381ea69358a2e04febb
- SHA256
- efc11f8fcdd0a8649ebee758b105db10536e895ea6d586a07b61f68b1e5dbd20
-
MODE.COM.5FB1A10C.bin
- Size
- 25KiB (25088 bytes)
- Type
- peexe executable
- Description
- PE32 executable (console) Intel 80386, for MS Windows
- AV Scan Result
- 0/72
- MD5
- f015208f1f8473ba2e4bc229e0d38efd
- SHA1
- 1b959d6c227e41ab4eb2b381ea69358a2e04febb
- SHA256
- efc11f8fcdd0a8649ebee758b105db10536e895ea6d586a07b61f68b1e5dbd20
-
MODE.COM.5FB1A116.bin
- Size
- 25KiB (25088 bytes)
- Type
- peexe executable
- Description
- PE32 executable (console) Intel 80386, for MS Windows
- AV Scan Result
- 0/72
- MD5
- f015208f1f8473ba2e4bc229e0d38efd
- SHA1
- 1b959d6c227e41ab4eb2b381ea69358a2e04febb
- SHA256
- efc11f8fcdd0a8649ebee758b105db10536e895ea6d586a07b61f68b1e5dbd20
-
MODE.COM.5FB1A1A8.bin
- Size
- 25KiB (25088 bytes)
- Type
- peexe executable
- Description
- PE32 executable (console) Intel 80386, for MS Windows
- AV Scan Result
- 0/72
- MD5
- f015208f1f8473ba2e4bc229e0d38efd
- SHA1
- 1b959d6c227e41ab4eb2b381ea69358a2e04febb
- SHA256
- efc11f8fcdd0a8649ebee758b105db10536e895ea6d586a07b61f68b1e5dbd20
-
KMS _ KMS 2038 _ Digital _ Online Activation Suite v8.5 - mephistooo2 - www.TNCTR.com
- Size
- 3B (3 bytes)
- Type
- text
- Description
- ASCII text, with no line terminators, with overstriking
- AV Scan Result
- 0/59
- MD5
- df66fa563a2fafdb93cc559deb0a38c4
- SHA1
- e6666cf8574b0f7a9ae5bccee572f965c2aec9cb
- SHA256
- 3e39ed22dc63246937c4dbbf34ce4fb1cfe6b00de7596b020cad49ae50031351
-
-
Informative Selection 5
-
-
1
- Size
- 225KiB (230465 bytes)
- Type
- data
- Description
- Microsoft Cabinet archive data, 230465 bytes, 16 files
- Runtime Process
- expand.exe (PID: 2208)
- MD5
- 5e691bea7ecb2acf45aaf5e55ecd6e28
- SHA1
- ead1b670a8b9c526ee5d7e63a0149858bfd7e9f5
- SHA256
- 879cb850148a6dd44c47cf7f4eadce82ace2bf7dfae92e94b7af2f34f65e0275
-
CSC6BE0.tmp
- Size
- 652B (652 bytes)
- Type
- unknown
- Description
- MSVC .res
- Runtime Process
- csc.exe (PID: 3552)
- MD5
- e558f0536718c72afae5a4718985e7ca
- SHA1
- aef5f0f77da92fa864189884594a2f9dc975b50f
- SHA256
- bb960cd8b9d15ff4636ec4ae3270d30494f76fe1e832d864b8551cca28b13da3
-
RES6C00.tmp
- Size
- 1.2KiB (1204 bytes)
- Type
- unknown
- Description
- 80386 COFF executable not stripped - version 25189
- Runtime Process
- csc.exe (PID: 3552)
- MD5
- 0bebdabd38ee4e6df55f886f51a7b6d4
- SHA1
- 98061c93f4c4be0393138d3b0a1a0dcc18686acb
- SHA256
- ecc24e98b9ecc2d33d508b2989d1fd3ee0f96948b6cf0e7b3225348f99ea1a75
-
tw8k8b7x.cmdline
- Size
- 313B (313 bytes)
- Type
- text
- Description
- UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators
- Runtime Process
- csc.exe (PID: 3552)
- MD5
- 43b83a9594c2a3bbb169ba90b80f770f
- SHA1
- 7137b472bc96f357d5025fc74f39cd63c0178673
- SHA256
- 6166909a9a5662fa2417005428ed10dc4c55b99076acb2057d22e265c768d9b6
-
SUPPORT MICROSOFT PRUDUCTS
- Size
- 3B (3 bytes)
- Type
- text
- Description
- ASCII text, with no line terminators, with overstriking
- MD5
- df66fa563a2fafdb93cc559deb0a38c4
- SHA1
- e6666cf8574b0f7a9ae5bccee572f965c2aec9cb
- SHA256
- 3e39ed22dc63246937c4dbbf34ce4fb1cfe6b00de7596b020cad49ae50031351
-
-
Informative 15
-
-
QO7VFEBG2PM5SMTI7NNI.temp
- Size
- 7.8KiB (8016 bytes)
- Runtime Process
- powershell.exe (PID: 3688)
- MD5
- f5beedefc59de32ae9413686164e8d64
- SHA1
- 9b270b1ae0549ea351fa7e23c3d4eb701564bdcd
- SHA256
- 828908a06c20281d801d6b2c40208e4b9c1ff7f98c4a8ab347d3a684eed24ff8
-
09a99bcedbea714fbe2286f9ab159373.tmp
- Size
- 100KiB (102601 bytes)
- Type
- script javascript
- Description
- DOS batch file, ASCII text, with very long lines, with CRLF line terminators
- Runtime Process
- expand.exe (PID: 2208)
- MD5
- 74098f24795b49b77b512b6fa4991140
- SHA1
- 0f136b1cdf254dfaed8b6f8fa865427e85ee7087
- SHA256
- 1600d81ccac94c0881ea1144ef354bd8304fc8eb4a658a658b394b5600967811
-
228069c17dfcf5418b5f42f486258743.tmp
- Size
- 103KiB (105292 bytes)
- Runtime Process
- expand.exe (PID: 2208)
- MD5
- 236f08af040c8a6f55ad6b831219817a
- SHA1
- 585beb8fec3645b7388566a552a2a8086a519917
- SHA256
- e5bbd8a59895e5132eae29491e7b5e13ef9b067881fb04b7e4d8860257ea6465
-
4cbe374f21a29f47be415908f3be489c.tmp
- Size
- 17KiB (17408 bytes)
- Runtime Process
- expand.exe (PID: 2208)
- MD5
- 1d7166510c4ba3546fb6c8b936bf6322
- SHA1
- cbc1f0631e8b1d753efd399245a59292b6c67de8
- SHA256
- 6a35996e6fc50af1a1a19d39233cc43055da92adf76cb567c39265ad007459e8
-
548f552de344ee468e1a974841976f88.tmp
- Size
- 343B (343 bytes)
- Type
- text
- Description
- DOS batch file, ASCII text, with CRLF line terminators
- Runtime Process
- expand.exe (PID: 2208)
- MD5
- c8b1e078fa12470d7a345f7681b33c8c
- SHA1
- 980c059dd2e739ed4e24afad2f9a48809604e9ea
- SHA256
- c1a38b1b906a66686cf4f58fd878f1a31203126545f0711359ec1c7095e99e15
-
59780ede1f8dbc4a86db54cba0abe017.tmp
- Size
- 20KiB (19968 bytes)
- Runtime Process
- expand.exe (PID: 2208)
- MD5
- 162ab955cb2f002a73c1530aa796477f
- SHA1
- d30a0e4e5911d3ca705617d17225372731c770e2
- SHA256
- 5ce462e5f34065fc878362ba58617fab28c22d631b9d836dddcf43fb1ad4de6e
-
6b2d04a06a79ce4f81a276ae519da673.tmp
- Size
- 330KiB (337920 bytes)
- Runtime Process
- expand.exe (PID: 2208)
- MD5
- 15ce0753a16dd4f9b9f0f9926dd37c4e
- SHA1
- fabb5a0fc1e6a372219711152291339af36ed0b5
- SHA256
- 028c8fbe58f14753b946475de9f09a9c7a05fd62e81a1339614c9e138fc2a21d
-
98ac4beda3929540b63c1390f5dfe827.tmp
- Size
- 29KiB (29710 bytes)
- Type
- script javascript
- Description
- DOS batch file, ASCII text, with very long lines, with CRLF line terminators
- Runtime Process
- expand.exe (PID: 2208)
- MD5
- 33048be510a509febd10804e09f241b7
- SHA1
- d04a62b1c515c1f2501a8dd3855b669490513657
- SHA256
- 33085d46373b469a67b8c1d102ef24d512d985e57687d982d0b58ffc52a67178
-
a88fa1ab70bccf429c29b621fd233e17.tmp
- Size
- 771B (771 bytes)
- Runtime Process
- expand.exe (PID: 2208)
- MD5
- c2d074dde317ff652a9a76cd6e6b1c26
- SHA1
- 92bdc210fbfe5cd758892ded2fd1b0a2d2fac866
- SHA256
- 080ec97e58cb3008f649a727a100290f0666acc61a729dba585fdd96fada180d
-
f0dfa598a0818a409bba21182dce42e0.tmp
- Size
- 341B (341 bytes)
- Type
- text
- Description
- DOS batch file, ASCII text, with CRLF line terminators
- Runtime Process
- expand.exe (PID: 2208)
- MD5
- 90a53a1da9510c250ba348f06b3cdc50
- SHA1
- 678c620084c69586dfbb53f75acb4c63b8664364
- SHA256
- 3541af0d0a371c198a15383364b53daab8346d8d4f3ed25c6c9c562d83f98421
-
f2c4a1e9b3fc924da1e6e2f1484b2853.tmp
- Size
- 29KiB (29710 bytes)
- Runtime Process
- expand.exe (PID: 2208)
- MD5
- 33048be510a509febd10804e09f241b7
- SHA1
- d04a62b1c515c1f2501a8dd3855b669490513657
- SHA256
- 33085d46373b469a67b8c1d102ef24d512d985e57687d982d0b58ffc52a67178
-
f90fffe03aefef48920b1628ddd7ebbe.tmp
- Size
- 29KiB (29709 bytes)
- Runtime Process
- expand.exe (PID: 2208)
- MD5
- 5facbec38a2cbdd8e489a1917678cdd7
- SHA1
- 2adf06ba9dd3f14a48e75c27a6a22d8163790a37
- SHA256
- bfab0e410e994f62c8a62b3295ae7bcba15c62e41688b256db291ca119474a46
-
f9721725c8c3834480678310fd227fb7.tmp
- Size
- 3.4KiB (3512 bytes)
- Runtime Process
- expand.exe (PID: 2208)
- MD5
- 38ed3d04da28762234d1e92002da087e
- SHA1
- 2dea3a095b0919bf094b1e6a111f822cc3b34bc3
- SHA256
- 6a622afaaa119140c6eca87ded2bd26cccb91fd6098c63d20b13628c06bb7a59
-
fa2850373f760943a085cbf7bf428b42.tmp
- Size
- 100KiB (102601 bytes)
- Runtime Process
- expand.exe (PID: 2208)
- MD5
- 74098f24795b49b77b512b6fa4991140
- SHA1
- 0f136b1cdf254dfaed8b6f8fa865427e85ee7087
- SHA256
- 1600d81ccac94c0881ea1144ef354bd8304fc8eb4a658a658b394b5600967811
-
tw8k8b7x.dll
- Size
- 4KiB (4096 bytes)
- Type
- pedll executable
- Description
- PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
- Runtime Process
- csc.exe (PID: 3552)
- MD5
- 20379dd93188ef2e62408c947729c505
- SHA1
- 26338616d22c04d2b239b78b34420bb322ac8f4d
- SHA256
- 7080cfcd1a5f2553f32df21286ad22ded833707a804f276ad6406e1e25dd3d19
-
Notifications
-
Runtime
- Network whitenoise filtering was applied
- Not all sources for indicator ID "api-55" are available in the report
- Not all sources for indicator ID "binary-0" are available in the report
- Not all sources for indicator ID "mutant-0" are available in the report
- Not all sources for indicator ID "registry-1" are available in the report
- Not all sources for indicator ID "registry-25" are available in the report
- Not all sources for indicator ID "string-43" are available in the report
- Not all sources for indicator ID "target-103" are available in the report
- Not all sources for indicator ID "target-25" are available in the report
- Some low-level data is hidden, as this is only a slim report