KMS_Suite.v8.7.EN.cmd
This report is generated from a file or URL submitted to this webservice on December 17th 2020 11:55:55 (UTC)
Guest System: Windows 7 64 bit, Professional, 6.1 (build 7601), Service Pack 1
Report generated by
Falcon Sandbox v8.45.3 © Hybrid Analysis
Incident Response
Risk Assessment
- Persistence
- Spawns a lot of processes
- Fingerprint
-
Queries kernel debugger information
Queries the logged on user, group or privileges using Whoami
Reads the cryptographic machine GUID
MITRE ATT&CK™ Techniques Detection
Additional Context
Related Sandbox Artifacts
- Associated SHA256s
- f202f49282cb45dae62a7193e0064ea3f97beabf7ad49515ee9f9f1a56fb8d83
Indicators
Not all malicious and suspicious indicators are displayed. Get your own cloud service or the full version to view all details.
-
Malicious Indicators 3
-
External Systems
-
Sample was identified as malicious by at least one Antivirus engine
- details
- 1/59 Antivirus vendors marked sample as malicious (1% detection rate)
- source
- External System
- relevance
- 8/10
-
Sample was identified as malicious by at least one Antivirus engine
-
Unusual Characteristics
-
References suspicious system modules (the embedded C# class quoted below opens the process token of lsass, or of TrustedInstaller when that service is running, duplicates it, tries to enable each privilege on the copy with AdjustTokenPrivileges, and then launches the supplied command with that token through CreateProcessWithTokenW — i.e. access token manipulation)
- details
-
"using System;using System.Diagnostics;using System.Runtime.InteropServices; public class AveYo{ [StructLayout(LayoutKind.Sequential,CharSet=CharSet.Unicode)]public struct SA {public uint l;public IntPtr d;public bool i;}
[StructLayout(LayoutKind.Sequential,CharSet=CharSet.Unicode)]public struct SI {public int cb;string b;string c;string d;int e;int f;int g;int h;public int X;public int Y;int k;public int W;Int16 m;Int16 n;IntPtr o;IntPtr p;IntPtr r;IntPtr s;}
[StructLayout(LayoutKind.Sequential,CharSet=CharSet.Unicode)]public struct SIEX {public SI e;public IntPtr l;} [StructLayout(LayoutKind.Sequential,Pack=1,CharSet=CharSet.Unicode)]public struct TL {public UInt32 c; public long l;public int a;} [DllImport("advapi32",CharSet=CharSet.Unicode)]static extern bool SetThreadToken(IntPtr h,IntPtr t);
[DllImport("advapi32",CharSet=CharSet.Unicode)]static extern bool CreateProcessWithTokenW(IntPtr t,uint l,string a,string c,uint f,IntPtr e,string d,ref SIEX s); [DllImport("advapi32",CharSet=CharSet.Unicode)]static extern bool OpenProcessToken(IntPtr p,uint a,ref IntPtr t);
[DllImport("advapi32",CharSet=CharSet.Unicode)]static extern bool DuplicateToken(IntPtr h,int l,out IntPtr d); [DllImport("advapi32",CharSet=CharSet.Unicode)]static extern bool AdjustTokenPrivileges(IntPtr h,bool d,ref TL n,int l,int p,int r); [DllImport("kernel32",CharSet=CharSet.Unicode)]static extern bool CloseHandle(IntPtr h);
[DllImport("advapi32",CharSet=CharSet.Unicode)]static extern bool DuplicateTokenEx(IntPtr t,uint a,ref SA s,Int32 i,Int32 f,ref IntPtr d); public static void RunAs(int mode,string cmd){ SIEX si=new SIEX();
SA sa=new SA(); IntPtr t,d; t=d=IntPtr.Zero; try{ IntPtr p=Process.GetProcessesByName("lsass")[0].Handle; OpenProcessToken(p,6,ref t); if(mode<2){
Process[] ar=Process.GetProcessesByName("TrustedInstaller");if(ar.Length>0){ DuplicateToken(t,3,out d); SetThreadToken(IntPtr.Zero,d);
CloseHandle(p);CloseHandle(t);CloseHandle(d); p=ar[0].Handle; OpenProcessToken(p,6,ref t);}} DuplicateTokenEx(t,268435456,ref sa,3,1,ref d); if(mode%2>0){
TL tk=new TL(); tk.c=1; tk.a=2; for(int i=0;i<37;i++){ tk.l=i; AdjustTokenPrivileges(d,false,ref tk,0,0,0); }}
si.e.cb=Marshal.SizeOf(si); si.e.X=131; si.e.Y=9999; si.e.W=8; CreateProcessWithTokenW(d,0,null,cmd,1024,IntPtr.Zero,null,ref si);
}finally{ if(t!=IntPtr.Zero) CloseHandle(t); if(d!=IntPtr.Zero) CloseHandle(d); if(sa.d!=IntPtr.Zero) CloseHandle(sa.d); if(si.l!=IntPtr.Zero) CloseHandle(si.l); } }}"
"SA sa=new SA(); IntPtr t,d; t=d=IntPtr.Zero; try{ IntPtr p=Process.GetProcessesByName("lsass")[0].Handle; OpenProcessToken(p,6,ref t); if(mode<2){" - source
- File/Memory
- relevance
- 5/10
- ATT&CK ID
- T1215 (Show technique in the MITRE ATT&CK™ matrix)
-
Spawns a lot of processes
- details
-
Spawned process "cmd.exe" with commandline "/c ""C:\KMS_Suite.v8.7.EN.cmd" "" (Show Process)
Spawned process "mode.com" with commandline "mode con cols=78 lines=3" (Show Process)
Spawned process "whoami.exe" with commandline "whoami /user" (Show Process)
Spawned process "findstr.exe" with commandline "findstr "S-1-5-18"" (Show Process)
Spawned process "whoami.exe" with commandline "whoami /user" (Show Process)
Spawned process "findstr.exe" with commandline "findstr "S-1-5-18"" (Show Process)
Spawned process "powershell.exe" with commandline "powershell -nop -c "start powershell -win 1 -verb runas -Arg ('-nop -c ',[char]34,'$mode=1; $cmd=''1 cmd.exe /c \\\"C:\KMS_Suite.v8.7.EN.cmd\\\"''; iex(([io.file]::ReadAllText(''C:\KMS_Suite.v8.7.EN.cmd'')-split '':ps_TI\:.*'')[1])',[char]34) "" (Show Process)
Spawned process "powershell.exe" with commandline "-nop -c " $mode=1; $cmd='1 cmd.exe /c \"C:\KMS_Suite.v8.7.EN.cmd\"'; iex(([io.file]::ReadAllText('C:\KMS_Suite.v8.7.EN.cmd')-split ':ps_TI\:.*')[1]) "" (Show Process)
Spawned process "timeout.exe" with commandline "TIME" (Show Process)
Spawned process "csc.exe" with commandline "/noconfig /fullpaths @"%TEMP%\yii-87e1.cmdline"" (Show Process)
Spawned process "cvtres.exe" with commandline "/NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RESA272.tmp" "%TEMP%\CSCA251.tmp"" (Show Process)
Spawned process "net.exe" with commandline "start TrustedInstaller" (Show Process)
Spawned process "net1.exe" with commandline "%WINDIR%\system32\net1 start TrustedInstaller" (Show Process)
Spawned process "cmd.exe" with commandline "/c "C:\KMS_Suite.v8.7.EN.cmd"" (Show Process)
Spawned process "wermgr.exe" with commandline ""-outproc" "2872" "1088"" (Show Process) - source
- Monitored Target
- relevance
- 8/10
-
References suspicious system modules
-
Suspicious Indicators 11
-
Anti-Detection/Stealthyness
-
Queries kernel debugger information
- details
- "cvtres.exe" at 00065577-00003752-00000033-103232176
- source
- API Call
- relevance
- 6/10
-
Queries kernel debugger information
-
Environment Awareness
-
Reads the active computer name
- details
-
"whoami.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\COMPUTERNAME\ACTIVECOMPUTERNAME"; Key: "COMPUTERNAME")
"net1.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\COMPUTERNAME\ACTIVECOMPUTERNAME"; Key: "COMPUTERNAME")
"wermgr.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\COMPUTERNAME\ACTIVECOMPUTERNAME"; Key: "COMPUTERNAME") - source
- Registry Access
- relevance
- 5/10
- ATT&CK ID
- T1012 (Show technique in the MITRE ATT&CK™ matrix)
-
Reads the cryptographic machine GUID
- details
-
"csc.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\CRYPTOGRAPHY"; Key: "MACHINEGUID")
"cvtres.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\CRYPTOGRAPHY"; Key: "MACHINEGUID")
"wermgr.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\CRYPTOGRAPHY"; Key: "MACHINEGUID") - source
- Registry Access
- relevance
- 10/10
- ATT&CK ID
- T1012 (Show technique in the MITRE ATT&CK™ matrix)
-
Reads the active computer name
-
Installation/Persistence
-
Allocates virtual memory in a remote process
- details
- "cmd.exe" allocated memory in "\Device\MountPointManager"
- source
- API Call
- relevance
- 7/10
- ATT&CK ID
- T1055 (Show technique in the MITRE ATT&CK™ matrix)
-
Drops executable files
- details
-
"MODE.COM.5FDB47BB.bin" has type "PE32+ executable (console) x86-64 for MS Windows"
"yii-87e1.dll" has type "PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly for MS Windows"
"RESA272.tmp" has type "80386 COFF executable not stripped - version 25189" - source
- Binary File
- relevance
- 10/10
-
Writes data to a remote process
- details
-
"cmd.exe" wrote 32 bytes to a remote process "%WINDIR%\System32\mode.com" (Handle: 96)
"cmd.exe" wrote 52 bytes to a remote process "C:\Windows\System32\mode.com" (Handle: 96)
"cmd.exe" wrote 8 bytes to a remote process "C:\Windows\System32\mode.com" (Handle: 96)
"cmd.exe" wrote 32 bytes to a remote process "C:\Windows\System32\whoami.exe" (Handle: 112)
"cmd.exe" wrote 52 bytes to a remote process "C:\Windows\System32\whoami.exe" (Handle: 112)
"cmd.exe" wrote 8 bytes to a remote process "C:\Windows\System32\whoami.exe" (Handle: 112)
"cmd.exe" wrote 32 bytes to a remote process "C:\Windows\System32\findstr.exe" (Handle: 120)
"cmd.exe" wrote 52 bytes to a remote process "C:\Windows\System32\findstr.exe" (Handle: 120)
"cmd.exe" wrote 8 bytes to a remote process "C:\Windows\System32\findstr.exe" (Handle: 120)
"cmd.exe" wrote 32 bytes to a remote process "C:\Windows\System32\whoami.exe" (Handle: 12)
"cmd.exe" wrote 52 bytes to a remote process "C:\Windows\System32\whoami.exe" (Handle: 12)
"cmd.exe" wrote 8 bytes to a remote process "C:\Windows\System32\whoami.exe" (Handle: 12)
"cmd.exe" wrote 32 bytes to a remote process "C:\Windows\System32\findstr.exe" (Handle: 124)
"cmd.exe" wrote 52 bytes to a remote process "C:\Windows\System32\findstr.exe" (Handle: 124)
"cmd.exe" wrote 8 bytes to a remote process "C:\Windows\System32\findstr.exe" (Handle: 124)
"cmd.exe" wrote 32 bytes to a remote process "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" (Handle: 12)
"cmd.exe" wrote 52 bytes to a remote process "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" (Handle: 12)
"cmd.exe" wrote 8 bytes to a remote process "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" (Handle: 12)
"cmd.exe" wrote 32 bytes to a remote process "C:\Windows\System32\timeout.exe" (Handle: 112)
"cmd.exe" wrote 52 bytes to a remote process "C:\Windows\System32\timeout.exe" (Handle: 112)
"cmd.exe" wrote 8 bytes to a remote process "C:\Windows\System32\timeout.exe" (Handle: 112)
"net.exe" wrote 32 bytes to a remote process "C:\Windows\System32\net1.exe" (Handle: 116)
"net.exe" wrote 52 bytes to a remote process "C:\Windows\System32\net1.exe" (Handle: 116)
"net.exe" wrote 8 bytes to a remote process "C:\Windows\System32\net1.exe" (Handle: 116) - source
- API Call
- relevance
- 6/10
- ATT&CK ID
- T1055 (Show technique in the MITRE ATT&CK™ matrix)
-
Allocates virtual memory in a remote process
-
Network Related
-
Queries the logged on user, group or privileges using Whoami
- details
-
Process "whoami.exe" with commandline "whoami /user" (Show Process)
Process "whoami.exe" with commandline "whoami /user" (Show Process) - source
- Monitored Target
- relevance
- 10/10
- ATT&CK ID
- T1012 (Show technique in the MITRE ATT&CK™ matrix)
-
Queries the logged on user, group or privileges using Whoami
-
Remote Access Related
-
Contains indicators of bot communication commands (a heuristic string match on "cmd="; here it is the $cmd= variable assignment in the PowerShell launcher, and no DNS, host or HTTP activity was observed in this run)
- details
-
"start -win 1 -verb runas -Arg (' ','"','$mode=1; $cmd=''1 cmd.exe /c \\\"C:\KMS_Suite.v8.7.EN.cmd\\\"''; iex(([io.file]::ReadAllText(''C:\KMS_Suite.v8.7.EN.cmd'')-split '':ps_TI\:.*'')[1])','"');" (Indicator: "cmd=")
"powershell -nop -c "start powershell -win 1 -verb runas -Arg ('-nop -c ',[char]34,'$mode=1; $cmd=''1 cmd.exe /c \\\"C:\KMS_Suite.v8.7.EN.cmd\\\"''; iex(([io.file]::ReadAllText(''C:\KMS_Suite.v8.7.EN.cmd'')-split '':ps_TI\:.*'')[1])',[char]34) "" (Indicator: "cmd=")
"-nop -c " $mode=1; $cmd='1 cmd.exe /c \"C:\KMS_Suite.v8.7.EN.cmd\"'; iex(([io.file]::ReadAllText('C:\KMS_Suite.v8.7.EN.cmd')-split ':ps_TI\:.*')[1]) "" (Indicator: "cmd=") - source
- File/Memory
- relevance
- 10/10
- ATT&CK ID
- T1094 (Show technique in the MITRE ATT&CK™ matrix)
-
Contains indicators of bot communication commands
-
Unusual Characteristics
-
Invokes the C# compiler (the script compiles a helper at run time; the dropped "yii-87e1.0.cs" source and "yii-87e1.dll" assembly are the compiler's input and output, presumably the embedded class quoted in the "References suspicious system modules" indicator)
- details
- Process "csc.exe" with commandline "/noconfig /fullpaths @"%TEMP%\yii-87e1.cmdline"" (Show Process)
- source
- Monitored Target
- relevance
- 10/10
- ATT&CK ID
- T1500 (Show technique in the MITRE ATT&CK™ matrix)
-
Reads information about supported languages
- details
-
"mode.com" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "00000409")
"findstr.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "00000409")
"csc.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "00000409")
"cvtres.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "00000409")
"net.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "00000409")
"net1.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "00000409") - source
- Registry Access
- relevance
- 3/10
- ATT&CK ID
- T1012 (Show technique in the MITRE ATT&CK™ matrix)
-
Invokes the C# compiler
-
Hiding 1 Suspicious Indicators
- All indicators are available only in the private webservice or standalone version
-
Informative 18
-
Anti-Reverse Engineering
-
Creates guarded memory regions (anti-debugging trick to avoid memory dumping)
- details
- "powershell.exe" is allocating memory with PAGE_GUARD access rights
- source
- API Call
- relevance
- 10/10
-
Creates guarded memory regions (anti-debugging trick to avoid memory dumping)
-
General
-
Creates a writable file in a temporary directory
- details
-
"powershell.exe" created file "%TEMP%\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk"
"cvtres.exe" created file "%TEMP%\RESA272.tmp" - source
- API Call
- relevance
- 1/10
-
Creates mutants
- details
-
"Local\ZonesLockedCacheCounterMutex"
"_SHuassist.mtx"
"Local\ZonesCacheCounterMutex"
"\Sessions\1\BaseNamedObjects\_SHuassist.mtx"
"\Sessions\1\BaseNamedObjects\Global\"
"Global\"
"\Sessions\1\BaseNamedObjects\DBWinMutex"
"DBWinMutex" - source
- Created Mutant
- relevance
- 3/10
-
Drops files marked as clean
- details
- Antivirus vendors marked dropped file "MODE.COM.5FDB47BB.bin" as clean (type is "PE32+ executable (console) x86-64 for MS Windows")
- source
- Binary File
- relevance
- 10/10
-
Loads the .NET runtime environment
- details
-
"powershell.exe" loaded module "%WINDIR%\assembly\NativeImages_v2.0.50727_64\mscorlib\0478aed7fc25ae268474c704fd2a3e0f\mscorlib.ni.dll" at EDCC0000
"csc.exe" loaded module "%WINDIR%\Microsoft.NET\Framework64\v2.0.50727\mscorlib.dll" at 03220000
"wermgr.exe" loaded module "%WINDIR%\assembly\NativeImages_v2.0.50727_64\mscorlib\0478aed7fc25ae268474c704fd2a3e0f\mscorlib.ni.dll" at EDCC0000 - source
- Loaded Module
-
Overview of unique CLSIDs touched in registry
- details
-
"csc.exe" touched "Microsoft Common Language Runtime Meta Data" (Path: "HKCU\CLSID\{E5CB7A31-7512-11D2-89CE-0080C792E5D8}")
"csc.exe" touched "Type name parser and builder" (Path: "HKCU\CLSID\{B81FF171-20F3-11D2-8DCC-00A0C9B00525}") - source
- Registry Access
- relevance
- 3/10
-
Process launched with changed environment
- details
-
Process "mode.com" (Show Process) was launched with modified environment variables: "CommonProgramFiles, PROCESSOR_ARCHITECTURE, ProgramFiles"
Process "mode.com" (Show Process) was launched with missing environment variables: "PROCESSOR_ARCHITEW6432"
Process "whoami.exe" (Show Process) was launched with new environment variables: "ver="v8.7""
Process "whoami.exe" (Show Process) was launched with new environment variables: ">>="('-nop -c ',[char]34,'$mode=1; $cmd=''1 cmd.exe /c "C:\KMS_Suite.v8.7.EN.cmd"''; iex(([io.file]::ReadAllText(''C:\KMS_Suite.v8.7.EN.cmd'')-split '':ps_TI\:.*'')[1])',[char]34)"", Process "powershell.exe" (Show Process) was launched with new environment variables: "MEOW="%SystemRoot%\system32\WindowsPowerShell\v1.0\"", Process "powershell.exe" (Show Process) was launched with modified environment variables: "PSModulePath", Process "timeout.exe" (Show Process) was launched with modified environment variables: "PSModulePath", Process "timeout.exe" (Show Process) was launched with missing environment variables: "MEOW", Process "csc.exe" (Show Process) was launched with new environment variables: "processor_architecture="AMD64", processor_identifier="Intel64 Family 6 Model 79 Stepping 1, GenuineIntel", computername="cUeua2T23C", logonserver="\\HAPUBWS-PC", programw6432="C:\Program Files", commonprogramfiles="C:\Program Files\Common Files", homedrive="C:", systemroot="C:\Windows", pathext=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC", userdomain="cUeua2T23C", path="%ALLUSERSPROFILE%\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\", commonprogramw6432="C:\Program Files\Common Files", allusersprofile="C:\ProgramData", comspec="C:\Windows\system32\cmd.exe", public="C:\Users\%USERNAME%\Users\EJ4aI2L", sessionname="Console", tmp="C:\Users\%USERNAME%\AppData\Local\Temp", processor_revision="4f01", fp_no_host_check="NO", temp="C:\Users\%USERNAME%\AppData\Local\Temp", localappdata="C:\Users\%USERNAME%\AppData\Local", os="Windows_NT", userprofile="C:\Users\%USERNAME%\ProgramData", number_of_processors="2", programfiles="C:\Program Files", meow="%SystemRoot%\system32\WindowsPowerShell\v1.0\", processor_level="6", programfiles(x86)="C:\Program Files (x86)", 
psmodulepath="C:\Users\%USERNAME%\Documents\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules\;C:\Program Files (x86)\AutoIt3\AutoItX", commonprogramfiles(x86)="C:\Program Files (x86)\Common Files", _clrrestrictsecattributes="1", prompt="$P$G", systemdrive="C:", appdata="C:\Users\%USERNAME%\AppData\Roaming", username="EJ4aI2L"", Process "csc.exe" (Show Process) was launched with missing environment variables: "LOCALAPPDATA, PROCESSOR_LEVEL, FP_NO_HOST_CHECK, USERDOMAIN, LOGONSERVER, PROMPT, SESSIONNAME, ALLUSERSPROFILE, PROCESSOR_ARCHITECTURE, PSModulePath, SystemDrive, APPDATA, USERNAME, ProgramFiles(x86), CommonProgramFiles, Path, PATHEXT, OS, COMPUTERNAME, PROCESSOR_REVISION, CommonProgramW6432, ComSpec, ProgramData, ProgramW6432, HOMEPATH, SystemRoot, TEMP, HOMEDRIVE, PROCESSOR_IDENTIFIER, USERPROFILE, TMP, CommonProgramFiles(x86), PUBLIC, ProgramFiles, NUMBER_OF_PROCESSORS", Process "net.exe" (Show Process) was launched with new environment variables: "LOCALAPPDATA="C:\Users\%USERNAME%\AppData\Local", PROCESSOR_LEVEL="6", FP_NO_HOST_CHECK="NO", USERDOMAIN="cUeua2T23C", LOGONSERVER="\\HAPUBWS-PC", PROMPT="$P$G", SESSIONNAME="Console", ALLUSERSPROFILE="C:\ProgramData", PROCESSOR_ARCHITECTURE="AMD64", PSModulePath="C:\Users\%USERNAME%\Documents\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules\;C:\Program Files (x86)\AutoIt3\AutoItX", SystemDrive="C:", APPDATA="C:\Users\%USERNAME%\AppData\Roaming", USERNAME="EJ4aI2L", ProgramFiles(x86)="C:\Program Files (x86)", CommonProgramFiles="C:\Program Files\Common Files", Path="C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\", PATHEXT=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC", MEOW="%SystemRoot%\system32\WindowsPowerShell\v1.0\", OS="Windows_NT", COMPUTERNAME="cUeua2T23C", PROCESSOR_REVISION="4f01", CommonProgramW6432="C:\Program Files\Common Files", 
ComSpec="C:\Windows\system32\cmd.exe", ProgramData="C:\ProgramData", ProgramW6432="C:\Program Files", HOMEPATH="\Users\EJ4aI2L", SystemRoot="C:\Windows", TEMP="C:\Users\%USERNAME%\AppData\Local\Temp", HOMEDRIVE="C:", PROCESSOR_IDENTIFIER="Intel64 Family 6 Model 79 Stepping 1, GenuineIntel", USERPROFILE="C:\Users\%USERNAME%\Users\EJ4aI2L\AppData\Local\Temp", CommonProgramFiles(x86)="C:\Program Files (x86)\Common Files", PUBLIC="C:\Users\%USERNAME%\Program Files", NUMBER_OF_PROCESSORS="2"", Process "net.exe" (Show Process) was launched with missing environment variables: "processor_architecture, processor_identifier, computername, logonserver, programw6432, commonprogramfiles, homedrive, systemroot, pathext, userdomain, path, commonprogramw6432, allusersprofile, comspec, public, homepath, sessionname, tmp, processor_revision, fp_no_host_check, temp, localappdata, os, userprofile, programdata, number_of_processors, programfiles, meow, processor_level, programfiles(x86), psmodulepath, commonprogramfiles(x86), _clrrestrictsecattributes, prompt, systemdrive, appdata, username", Process "cmd.exe" (Show Process) was launched with modified environment variables: "Path, LOCALAPPDATA, USERDOMAIN, PSModulePath, HOMEPATH, TEMP, APPDATA, USERPROFILE, TMP", Process "cmd.exe" (Show Process) was launched with missing environment variables: ">>, ver, MEOW, LOGONSERVER, PROMPT", Process "wermgr.exe" (Show Process) was launched with new environment variables: ">>="('-nop -c ',[char]34,'$mode=1; $cmd=''1 cmd.exe /c "C:\KMS_Suite.v8.7.EN.cmd"''; iex(([io.file]::ReadAllText(''C:\KMS_Suite.v8.7.EN.cmd'')-split '':ps_TI\:.*'')[1])'
[char]34)", ver="v8.7", MEOW="%SystemRoot%\system32\WindowsPowerShell\v1.0\", LOGONSERVER="\\HAPUBWS-PC", PROMPT="$P$G""
Process "wermgr.exe" (Show Process) was launched with modified environment variables: "Path, LOCALAPPDATA, USERDOMAIN, PSModulePath, HOMEPATH, TEMP, APPDATA, USERPROFILE, TMP" - source
- Monitored Target
- relevance
- 10/10
-
Runs shell commands
- details
- "/c "C:\KMS_Suite.v8.7.EN.cmd"" on 2020-12-17.11:58:00.820
- source
- Monitored Target
- relevance
- 5/10
- ATT&CK ID
- T1059 (Show technique in the MITRE ATT&CK™ matrix)
-
Spawns new processes
- details
-
Spawned process "mode.com" with commandline "mode con cols=78 lines=3" (Show Process)
Spawned process "whoami.exe" with commandline "whoami /user" (Show Process)
Spawned process "findstr.exe" with commandline "findstr "S-1-5-18"" (Show Process)
Spawned process "whoami.exe" with commandline "whoami /user" (Show Process)
Spawned process "findstr.exe" with commandline "findstr "S-1-5-18"" (Show Process)
Spawned process "powershell.exe" with commandline "powershell -nop -c "start powershell -win 1 -verb runas -Arg (' ..." (UID: 00065251-00002968, Additional Context: "start -win 1 -verb runas -Arg (' ','"','$mode=1; $cmd=''1 cmd.exe /c \\\"C:\KMS_Suite.v8.7.EN.cmd\\\"''; iex(([io.file]::ReadAllText(''C:\KMS_Suite.v8.7.EN.cmd'')-split '':ps_TI\:.*'')[1])','"');")
Spawned process "powershell.exe" with commandline "-nop -c " $mode=1; $cmd='1 cmd.exe /c \"C:\KMS_Suite.v8.7.EN.cm ..." (Show Process)
Spawned process "timeout.exe" with commandline "TIME" (Show Process)
Spawned process "csc.exe" with commandline "/noconfig /fullpaths @"%TEMP%\yii-87e1.cmdline"" (Show Process)
Spawned process "cvtres.exe" with commandline "/NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RESA272.tmp" "%TEMP ..." (Show Process)
Spawned process "net.exe" with commandline "start TrustedInstaller" (Show Process)
Spawned process "net1.exe" with commandline "%WINDIR%\system32\net1 start TrustedInstaller" (Show Process)
Spawned process "cmd.exe" with commandline "/c "C:\KMS_Suite.v8.7.EN.cmd"" (Show Process)
Spawned process "wermgr.exe" with commandline ""-outproc" "2872" "1088"" (Show Process) - source
- Monitored Target
- relevance
- 3/10
-
Spawns new processes that are not known child processes
- details
-
Spawned process "mode.com" with commandline "mode con cols=78 lines=3" (Show Process)
Spawned process "whoami.exe" with commandline "whoami /user" (Show Process)
Spawned process "findstr.exe" with commandline "findstr "S-1-5-18"" (Show Process)
Spawned process "whoami.exe" with commandline "whoami /user" (Show Process)
Spawned process "findstr.exe" with commandline "findstr "S-1-5-18"" (Show Process)
Spawned process "powershell.exe" with commandline "powershell -nop -c "start powershell -win 1 -verb runas -Arg (' ..." (UID: 00065251-00002968, Additional Context: "start -win 1 -verb runas -Arg (' ','"','$mode=1; $cmd=''1 cmd.exe /c \\\"C:\KMS_Suite.v8.7.EN.cmd\\\"''; iex(([io.file]::ReadAllText(''C:\KMS_Suite.v8.7.EN.cmd'')-split '':ps_TI\:.*'')[1])','"');")
Spawned process "powershell.exe" with commandline "-nop -c " $mode=1; $cmd='1 cmd.exe /c \"C:\KMS_Suite.v8.7.EN.cm ..." (Show Process)
Spawned process "timeout.exe" with commandline "TIME" (Show Process)
Spawned process "csc.exe" with commandline "/noconfig /fullpaths @"%TEMP%\yii-87e1.cmdline"" (Show Process)
Spawned process "cvtres.exe" with commandline "/NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RESA272.tmp" "%TEMP ..." (Show Process)
Spawned process "net.exe" with commandline "start TrustedInstaller" (Show Process)
Spawned process "net1.exe" with commandline "%WINDIR%\system32\net1 start TrustedInstaller" (Show Process)
Spawned process "cmd.exe" with commandline "/c "C:\KMS_Suite.v8.7.EN.cmd"" (Show Process)
Spawned process "wermgr.exe" with commandline ""-outproc" "2872" "1088"" (Show Process) - source
- Monitored Target
- relevance
- 3/10
-
Creates a writable file in a temporary directory
-
Installation/Persistence
-
Creates new processes
- details
-
"cmd.exe" is creating a new process (Name: "%WINDIR%\System32\mode.com", Handle: 96)
"cmd.exe" is creating a new process (Name: "%WINDIR%\System32\whoami.exe", Handle: 112)
"cmd.exe" is creating a new process (Name: "%WINDIR%\System32\findstr.exe", Handle: 120)
"cmd.exe" is creating a new process (Name: "%WINDIR%\System32\whoami.exe", Handle: 12)
"cmd.exe" is creating a new process (Name: "%WINDIR%\System32\findstr.exe", Handle: 124)
"cmd.exe" is creating a new process (Name: "%WINDIR%\System32\WindowsPowerShell\v1.0\powershell.exe", Handle: 12)
"cmd.exe" is creating a new process (Name: "%WINDIR%\System32\timeout.exe", Handle: 112)
"net.exe" is creating a new process (Name: "%WINDIR%\System32\net1.exe", Handle: 116)
"cmd.exe" is creating a new process - source
- API Call
- relevance
- 8/10
-
Dropped files
- details
-
"MODE.COM.5FDB47BB.bin" has type "PE32+ executable (console) x86-64 for MS Windows"
"yii-87e1.dll" has type "PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly for MS Windows"
"yii-87e1.out" has type "UTF-8 Unicode (with BOM) text with very long lines with CRLF line terminators"
"yii-87e1.pdb" has type "MSVC program database ver \002"
"CSCA251.tmp" has type "MSVC .res"
"yii-87e1.cmdline" has type "UTF-8 Unicode (with BOM) text with very long lines with no line terminators"
"WERD8C4.tmp.mdmp" has type "MDMP crash report data"
"yii-87e1.0.cs" has type "UTF-8 Unicode (with BOM) text with very long lines with CRLF line terminators"
"W3604N53IRD974A7AW6D.temp" has type "data"
"RESA272.tmp" has type "80386 COFF executable not stripped - version 25189"
"DJMGC58IMRVDOYKLOMJX.temp" has type "data"
"OutofProcReport1025605.txt" has type "data"
"WERB08A.tmp.hdmp" has type "MDMP crash report data"
"Report.wer" has type "data" - source
- Binary File
- relevance
- 3/10
-
Opens the MountPointManager (often used to detect additional infection locations)
- details
- "cmd.exe" opened "\Device\MountPointManager"
- source
- API Call
- relevance
- 5/10
-
Touches files in the Windows directory
- details
-
"cmd.exe" touched file "C:\Windows\System32\en-US\cmd.exe.mui"
"cmd.exe" touched file "C:\Windows\Globalization\Sorting\SortDefault.nls"
"cmd.exe" touched file "C:\Windows\AppPatch\AppPatch64\sysmain.sdb"
"whoami.exe" touched file "C:\Windows\System32\en-US\whoami.exe.mui"
"whoami.exe" touched file "C:\Windows\Globalization\Sorting\SortDefault.nls"
"findstr.exe" touched file "C:\Windows\System32\en-US\findstr.exe.mui"
"powershell.exe" touched file "C:\Windows\System32\WindowsPowerShell\v1.0\en-US\powershell.exe.mui"
"powershell.exe" touched file "C:\Windows\Globalization\Sorting\SortDefault.nls"
"powershell.exe" touched file "%LOCALAPPDATA%\Microsoft\Windows\Caches"
"powershell.exe" touched file "C:\Users\%USERNAME%\AppData\Local\Microsoft\Windows\Caches\cversions.1.db"
"powershell.exe" touched file "C:\Users\%USERNAME%\AppData\Local\Microsoft\Windows\Caches\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x000000000000001d.db"
"powershell.exe" touched file "C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini"
"powershell.exe" touched file "C:\Windows\System32\en-US\shell32.dll.mui"
"powershell.exe" touched file "C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Windows\Start Menu" - source
- API Call
- relevance
- 7/10
-
Creates new processes
-
System Security
-
Creates or modifies windows services
- details
- "wermgr.exe" (Access type: "CREATE"; Path: "HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\TCPIP\PARAMETERS")
- source
- Registry Access
- relevance
- 10/10
- ATT&CK ID
- T1112 (Show technique in the MITRE ATT&CK™ matrix)
-
Modifies proxy settings
- details
-
"powershell.exe" (Access type: "DELETEVAL"; Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP"; Key: "PROXYBYPASS")
"powershell.exe" (Access type: "DELETEVAL"; Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP"; Key: "PROXYBYPASS") - source
- Registry Access
- relevance
- 10/10
- ATT&CK ID
- T1112 (Show technique in the MITRE ATT&CK™ matrix)
-
Opens the Kernel Security Device Driver (KsecDD) of Windows
- details
-
"csc.exe" opened "\Device\KsecDD"
"cvtres.exe" opened "\Device\KsecDD" - source
- API Call
- relevance
- 10/10
- ATT&CK ID
- T1215 (Show technique in the MITRE ATT&CK™ matrix)
-
Creates or modifies windows services
-
Unusual Characteristics
-
Installs hooks/patches the running process
- details
-
"powershell.exe" wrote bytes "65488b042588150000" to virtual address "0xEEE57A25" (part of module "MSCORWKS.DLL")
"powershell.exe" wrote bytes "40130000" to virtual address "0xFCB98538" (part of module "SSPICLI.DLL")
"powershell.exe" wrote bytes "40130000" to virtual address "0xFCB98478" (part of module "SSPICLI.DLL")
"powershell.exe" wrote bytes "65488b042588150000" to virtual address "0xEEE57A60" (part of module "MSCORWKS.DLL")
"powershell.exe" wrote bytes "654c8b1c2588150000" to virtual address "0xEEE578AD" (part of module "MSCORWKS.DLL")
"powershell.exe" wrote bytes "f5fa4e2563d40000" to virtual address "0xEEBE1D70" (part of module "MSCORWKS.DLL")
"powershell.exe" wrote bytes "654c8b1c2588150000" to virtual address "0xEEE577AA" (part of module "MSCORWKS.DLL")
"powershell.exe" wrote bytes "00100000" to virtual address "0xFCB98468" (part of module "SSPICLI.DLL")
"powershell.exe" wrote bytes "654c8b1c2588150000" to virtual address "0xEEE575B3" (part of module "MSCORWKS.DLL")
"powershell.exe" wrote bytes "65488b042588150000" to virtual address "0xEEE5863C" (part of module "MSCORWKS.DLL")
"powershell.exe" wrote bytes "654c8b1c2588150000" to virtual address "0xEEE5743F" (part of module "MSCORWKS.DLL")
"powershell.exe" wrote bytes "00100000" to virtual address "0xFCB985A4" (part of module "SSPICLI.DLL")
"powershell.exe" wrote bytes "654c8b1c2588150000" to virtual address "0xEEE574FB" (part of module "MSCORWKS.DLL")
"powershell.exe" wrote bytes "65488b042588150000" to virtual address "0xEEE57A44" (part of module "MSCORWKS.DLL")
"powershell.exe" wrote bytes "669065488b042588150000c366669066669090" to virtual address "0xEEE55B40" (part of module "MSCORWKS.DLL")
"powershell.exe" wrote bytes "eb11c366669066669066669066669066669090" to virtual address "0xEEE55BC0" (part of module "MSCORWKS.DLL")
"powershell.exe" wrote bytes "654c8b1c2588150000" to virtual address "0xEEE57480" (part of module "MSCORWKS.DLL")
"powershell.exe" wrote bytes "4889114881fa1810d702722448c1e90a80b9804ad61aff7502f3c3c681804ad61affc366666690666666906666906690f3c3ff7502f3c3c60408ffc366666690f3c3666666906666669066669066669090" to virtual address "0xEEE55F00" (part of module "MSCORWKS.DLL")
"powershell.exe" wrote bytes "654c8b1c2588150000" to virtual address "0xEEE57403" (part of module "MSCORWKS.DLL")
"powershell.exe" wrote bytes "d813b70200000000" to virtual address "0x73372650" (part of module "SYSTEM.DATA.DLL") - source
- Hook Detection
- relevance
- 10/10
- ATT&CK ID
- T1179 (Show technique in the MITRE ATT&CK™ matrix)
-
Installs hooks/patches the running process
File Details
KMS_Suite.v8.7.EN.cmd
- Filename
- KMS_Suite.v8.7.EN.cmd
- Size
- 319KiB (326371 bytes)
- Type
- script cmd
- Description
- DOS batch file, ASCII text, with very long lines, with CRLF line terminators
- Architecture
- WINDOWS
- SHA256
- 475ea6d8fc0dbfa6bd1cd03cbe3a37f89d69a36b40faf02bd0e8d0e82377aed6
- MD5
- 6d0ca6a712dfec447948bbbbd60b2528
- SHA1
- 85591f05396ddcc0ff9c258bb6bcb1d324fc5ed3
- ssdeep
- 6144:OTKPGA4gcvdYwrmTfj63HNvfWfT8IWDaLvjc07R6u5m72EezjXv:+acewazj63HdWrjWjdumpe3f
Screenshots
Hybrid Analysis
Analysed 15 processes in total.
-
cmd.exe
/c ""C:\KMS_Suite.v8.7.EN.cmd" "
(PID: 2928)
- mode.com mode con cols=78 lines=3 (PID: 2500)
- whoami.exe whoami /user (PID: 2728)
- findstr.exe findstr "S-1-5-18" (PID: 3012)
- whoami.exe whoami /user (PID: 2584)
- findstr.exe findstr "S-1-5-18" (PID: 1296)
-
powershell.exe — relaunches itself elevated (`-verb runas`) and `iex`-executes the part of KMS_Suite.v8.7.EN.cmd that follows the `:ps_TI:` marker. The .cmd is therefore a batch/PowerShell polyglot: the PowerShell payload that actually ran is embedded in the same file, and the `cmd.exe` command line above does not reveal it. Extract that section from the file for review rather than relying on the command lines alone.
powershell -nop -c "start powershell -win 1 -verb runas -Arg ('-nop -c ',[char]34,'$mode=1; $cmd=''1 cmd.exe /c \\\"C:\KMS_Suite.v8.7.EN.cmd\\\"''; iex(([io.file]::ReadAllText(''C:\KMS_Suite.v8.7.EN.cmd'')-split '':ps_TI\:.*'')[1])',[char]34) "
(PID: 2968, Additional Context: start -win 1 -verb runas -Arg (' ','"','$mode=1; $cmd=''1 cmd.exe /c \\\"C:\KMS_Suite.v8.7.EN.cmd\\\"''; iex(([io.file]::ReadAllText(''C:\KMS_Suite.v8.7.EN.cmd'')-split '':ps_TI\:.*'')[1])','"');)
-
powershell.exe
-nop -c " $mode=1; $cmd='1 cmd.exe /c \"C:\KMS_Suite.v8.7.EN.cmd\"'; iex(([io.file]::ReadAllText('C:\KMS_Suite.v8.7.EN.cmd')-split ':ps_TI\:.*')[1]) "
(PID: 2872)
-
csc.exe — invoked by powershell.exe to compile a temporary C# source (yii-87e1.0.cs, listed under Extracted Files) into yii-87e1.dll, a pattern consistent with PowerShell `Add-Type`-style runtime compilation; the cvtres.exe child is part of that same compile. Detection note: csc.exe parented by powershell.exe with a `%TEMP%\*.cmdline` argument is a low-volume, high-signal event worth alerting on in most environments.
/noconfig /fullpaths @"%TEMP%\yii-87e1.cmdline"
(PID: 3264)
- cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RESA272.tmp" "%TEMP%\CSCA251.tmp" (PID: 3752)
-
net.exe — starts the TrustedInstaller (Windows Modules Installer) service. A user-level script has no ordinary reason to do this; taken together with the freshly compiled helper assembly, it is consistent with borrowing the TrustedInstaller service token to run with higher-than-administrator rights, which would map to Access Token Manipulation (T1134) rather than to the hooking indicator above. This is inferred from the process tree; confirm against the extracted .cs source before reporting it.
start TrustedInstaller
(PID: 3016)
- net1.exe %WINDIR%\system32\net1 start TrustedInstaller (PID: 2384)
- cmd.exe /c "C:\KMS_Suite.v8.7.EN.cmd" (PID: 1652)
- wermgr.exe "-outproc" "2872" "1088" (PID: 1536) — Windows Error Reporting handling a crash of powershell.exe PID 2872 (the elevated stage); the Report.wer and the .hdmp/.mdmp files under Extracted Files belong to this crash. The run is therefore incomplete, and the minidumps may still hold the decoded script text for offline forensics.
-
csc.exe
/noconfig /fullpaths @"%TEMP%\yii-87e1.cmdline"
(PID: 3264)
-
powershell.exe
-nop -c " $mode=1; $cmd='1 cmd.exe /c \"C:\KMS_Suite.v8.7.EN.cmd\"'; iex(([io.file]::ReadAllText('C:\KMS_Suite.v8.7.EN.cmd')-split ':ps_TI\:.*')[1]) "
(PID: 2872)
- timeout.exe TIME (PID: 2412)
Network Analysis — NOTE(review): no DNS, host or HTTP activity was observed in this run, but network whitenoise filtering was applied (see Notifications) and the elevated PowerShell stage crashed before the run ended, so later stages may never have executed. Treat the absence of traffic as inconclusive rather than as evidence that the sample has no network capability.
DNS Requests
No relevant DNS requests were made.
Contacted Hosts
No relevant hosts were contacted.
HTTP Traffic
No relevant HTTP requests were made.
Extracted Strings
Extracted Files
-
Clean 1
-
-
MODE.COM.5FDB47BB.bin
- Size
- 30KiB (30208 bytes)
- Type
- peexe 64bits executable
- Description
- PE32+ executable (console) x86-64, for MS Windows
- AV Scan Result
- 0/71
- MD5
- 718e86cb060170430d4ef70ee39f93d4
- SHA1
- ef5269cd27ab6717b20af8e1d5427df3e305398b
- SHA256
- 64ad2057863172cbfef4328bc57be134f956a7736e87eb90b04f2be391bca517
-
-
Informative Selection 4
-
-
DJMGC58IMRVDOYKLOMJX.temp
- Size
- 7.8KiB (8016 bytes)
- Type
- data
- Runtime Process
- powershell.exe (PID: 2872)
- MD5
- 5b4f9fa0b67bda98c575cd44b32f21c0
- SHA1
- 17e55f090979a3ee38f28fa2555b907decc8d573
- SHA256
- 60bc877d4f19b94a2ac8b6c10ada3c1ed1fc6ffc0a46dd7096d2cef6d4ee4aba
-
CSCA251.tmp
- Size
- 652B (652 bytes)
- Type
- unknown
- Description
- MSVC .res
- Runtime Process
- cvtres.exe (PID: 3752)
- MD5
- 46879d51249eacb56cfa48a5ddd96f82
- SHA1
- f6e9dbca6982bbc105f6ce423103615eb43f0c3f
- SHA256
- 0085cded995b060d33a5a3e02d42146b0de7b0f19df1c80d23dd060b56f2a5a4
-
RESA272.tmp
- Size
- 1.2KiB (1204 bytes)
- Type
- unknown
- Description
- 80386 COFF executable not stripped - version 25189
- Runtime Process
- cvtres.exe (PID: 3752)
- MD5
- 008524a3749fd60d7b7e3f2a4f2ba6d0
- SHA1
- 0af16d5c2c15d17b8f50c46cf1e2d0fd0e7abc8c
- SHA256
- 6088c5cf41ebc3444475145ad9adbd4641f64de1cd4fc8e232c29d1297a33add
-
yii-87e1.cmdline
- Size
- 313B (313 bytes)
- Type
- text
- Description
- UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators
- Runtime Process
- powershell.exe (PID: 2872)
- MD5
- f5c1894774fdd5f904cffed659abd64d
- SHA1
- 5babb90d3ee503519af796efc836df94ce592d82
- SHA256
- a929f60b150fff0725ba2baffaedb8c80348c62cf9e902c5cd86d4b109357b84
-
-
Informative 9
-
-
W3604N53IRD974A7AW6D.temp
- Size
- 7.8KiB (8016 bytes)
- Type
- data
- Runtime Process
- powershell.exe (PID: 2968)
- MD5
- 5b4f9fa0b67bda98c575cd44b32f21c0
- SHA1
- 17e55f090979a3ee38f28fa2555b907decc8d573
- SHA256
- 60bc877d4f19b94a2ac8b6c10ada3c1ed1fc6ffc0a46dd7096d2cef6d4ee4aba
-
Report.wer
- Size
- 2.6KiB (2682 bytes)
- Type
- data
- Runtime Process
- wermgr.exe (PID: 1536)
- MD5
- b41409f23d0d362b32e563e679d8673e
- SHA1
- 399d7bdac721579937b0b87ae75c938f4e8d664d
- SHA256
- ea59be6f96a2aa72275f19a8ce400bbafd74cceb54383cf09616b3e57135da18
-
WERB08A.tmp.hdmp
- Size
- 5MiB (5216248 bytes)
- Type
- ppt office (file-type heuristic misfire — the description below identifies this file as a minidump, not an Office document)
- Description
- MDMP crash report data
- Runtime Process
- wermgr.exe (PID: 1536)
- MD5
- 708c25fa06d6b9b68cc95cd23c2aa814
- SHA1
- f03ce4e4c12208cf1d25ea039d1ee5fe18023426
- SHA256
- 4a387139a138c49060a893e5300c178bd59ba026a97af9ac6f198aac8facd199
-
WERD8C4.tmp.mdmp
- Size
- 4.9MiB (5183184 bytes)
- Type
- data
- Description
- MDMP crash report data
- Runtime Process
- wermgr.exe (PID: 1536)
- MD5
- d950dae35722f51145252b110d34f86f
- SHA1
- 15b9601dbe7b10efea05e20ba2e503d2964c99a9
- SHA256
- dc72b66ca211550df0568954a14ba8f514a37b78bc5f0fdda5777bfc65f77d26
-
OutofProcReport1025605.txt
- Size
- 1.9KiB (1916 bytes)
- Type
- data
- Runtime Process
- wermgr.exe (PID: 1536)
- MD5
- 74326646d31a946a917f747e66c5954c
- SHA1
- 3541a8eeb552d424dc10d17f1eb1a7d5f271a984
- SHA256
- 0825f70a7f86dea4542051b334b4d0ff85e7cb0502f083593920dd56d9dd63e2
-
yii-87e1.0.cs
- Size
- 2.4KiB (2485 bytes)
- Type
- text
- Description
- UTF-8 Unicode (with BOM) text, with very long lines, with CRLF line terminators
- Runtime Process
- powershell.exe (PID: 2872)
- MD5
- ce170f1e3a4a92e354e1fef848444db6
- SHA1
- a26fc4ebd5cbaacbabb5c5176d02514d137a21ab
- SHA256
- f5f1c91f742aae15c2bff2ef896b052053df4111cb4f6bc24a7951024cc509e8
-
yii-87e1.dll
- Size
- 5KiB (5120 bytes)
- Type
- pedll executable
- Description
- PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
- Runtime Process
- powershell.exe (PID: 2872)
- MD5
- 5134254c1082a5758efdfb8bcfe7fa47
- SHA1
- 1b1c3fbaadff9da2965863e1d7b86eca2fc40968
- SHA256
- 0f20fb4468adacde44244339f7687a9fa6f18992fab60fdde10ecd188ca0bf87
-
yii-87e1.out
- Size
- 612B (612 bytes)
- Type
- text
- Description
- UTF-8 Unicode (with BOM) text, with very long lines, with CRLF line terminators
- Runtime Process
- powershell.exe (PID: 2872)
- MD5
- 28e7afe09b80bf04bde0df60379b0130
- SHA1
- dae83150fc1b1e78732c38c293d6cd0fac34f084
- SHA256
- f2dad327e7237b370fedae0b6ec6bd19289f702ae94fce83a062ab0b5fbb3857
-
yii-87e1.pdb
- Size
- 12KiB (11776 bytes)
- Type
- data
- Description
- MSVC program database ver \002
- Runtime Process
- csc.exe (PID: 3264)
- MD5
- ec79dc52ea8ab8d6e586f94f235ad222
- SHA1
- e9d85094d3ef61a4f45d0535f2a144f4ebc49aa0
- SHA256
- fc6c9b7a523849e6259d2794d3b26e14cceca098c4c42f2eed89d49d0aea378c
-
Notifications
-
Runtime
- Network whitenoise filtering was applied
- Not all file accesses are visible for cmd.exe (PID: 1652)
- Not all file accesses are visible for csc.exe (PID: 3264)
- Not all file accesses are visible for cvtres.exe (PID: 3752)
- Not all file accesses are visible for findstr.exe (PID: 1296)
- Not all file accesses are visible for findstr.exe (PID: 3012)
- Not all file accesses are visible for net.exe (PID: 3016)
- Not all file accesses are visible for net1.exe (PID: 2384)
- Not all file accesses are visible for powershell.exe (PID: 2872)
- Not all file accesses are visible for powershell.exe (PID: 2968)
- Not all file accesses are visible for timeout.exe (PID: 2412)
- Not all file accesses are visible for wermgr.exe (PID: 1536)
- Not all file accesses are visible for whoami.exe (PID: 2584)
- Not all file accesses are visible for whoami.exe (PID: 2728)
- Not all sources for indicator ID "api-55" are available in the report
- Not all sources for indicator ID "hooks-8" are available in the report
- Not all sources for indicator ID "mutant-0" are available in the report
- Some low-level data is hidden, as this is only a slim report