PUP.BAT.Hosts

Analysis Report

General information

Family Name: PUP.BAT.Hosts
Signature status: No Signature

Known Samples

MD5: 523ea0370c7810f6a922131da5861a03
SHA1: 0c895f8dcec5040b30c757f2863e0ac92ad32f2d
SHA256: 39C48CE9E07598ADAE8D0D35C5BBAB3EAF57B610C9B0B3BE8F568655A558E89B
File Size: 1.45 MB, 1446785 bytes
MD5: 60d9284ac3611ee322c225214da2b2cf
SHA1: d63c9800afaa4cb520c5d22550eb3f31874a216a
SHA256: 19779CB1BE1AF4C41B55AA57AF6F2C92997DA597663F69796D1F6991E6BE3A42
File Size: 1.48 MB, 1475072 bytes

Windows Portable Executable Attributes

  • File doesn't have "Rich" header
  • File doesn't have debug information
  • File doesn't have exports table
  • File doesn't have relocations information
  • File doesn't have security information
  • File has TLS information
  • File is 32-bit executable
  • File is 64-bit executable
  • File is either console or GUI application
  • File is GUI application (IMAGE_SUBSYSTEM_WINDOWS_GUI)
  • File is Native application (NOT .NET application)
  • File is not packed
  • IMAGE_FILE_DLL is not set inside PE header (Executable)
  • IMAGE_FILE_EXECUTABLE_IMAGE is set inside PE header (Executable Image)

File Icons

Windows PE Version Information

Name Value
Comments This installation was built with Inno Setup.
File Description KMS-VL-ALL Setup
Product Name KMS-VL-ALL

File Traits

  • Autoit
  • HighEntropy
  • WriteProcessMemory
  • x64

Block Information

Total Blocks: 4,350
Potentially Malicious Blocks: 32
Whitelisted Blocks: 3,200
Unknown Blocks: 1,118

Visual Map

[Block map image omitted; legend: 0 = probable safe block, ? = unknown block, x = potentially malicious block]

Files Modified

File Attributes
c:\users\user\appdata\local\temp\is-2kvi7.tmp\32-bit\vlmcsd.exe Synchronize,Write Data
c:\users\user\appdata\local\temp\is-2kvi7.tmp\64-bit\secopatcher.dll Synchronize,Write Data
c:\users\user\appdata\local\temp\is-2kvi7.tmp\_isetup\_isdecmp.dll Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\local\temp\is-2kvi7.tmp\_isetup\_setup64.tmp Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\local\temp\is-2kvi7.tmp\check-activation-status.bak Generic Write,Read Attributes
c:\users\user\appdata\local\temp\is-2kvi7.tmp\cleanospp.exe Generic Write,Read Attributes
c:\users\user\appdata\local\temp\is-2kvi7.tmp\convert-c2r.bak Generic Write,Read Attributes
c:\users\user\appdata\local\temp\is-2kvi7.tmp\fart.exe Generic Write,Read Attributes
c:\users\user\appdata\local\temp\is-2kvi7.tmp\innocallback.dll Generic Write,Read Attributes
c:\users\user\appdata\local\temp\is-2kvi7.tmp\keyoff.cmd Generic Write,Read Attributes
c:\users\user\appdata\local\temp\is-2kvi7.tmp\kms-vl-all.bak Generic Write,Read Attributes
c:\users\user\appdata\local\temp\is-2kvi7.tmp\kms38.cmd Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\local\temp\is-2kvi7.tmp\kms38.txt Generic Write,Read Attributes
c:\users\user\appdata\local\temp\is-2kvi7.tmp\msvcr100.dll Generic Write,Read Attributes
c:\users\user\appdata\local\temp\is-2kvi7.tmp\secopatcher.dll Generic Write,Read Attributes
c:\users\user\appdata\local\temp\is-2kvi7.tmp\vlmcsd.exe Generic Write,Read Attributes
c:\users\user\appdata\local\temp\is-2kvi7.tmp\x64\cleanospp.exe Synchronize,Write Data
c:\users\user\appdata\local\temp\is-2kvi7.tmp\x64\msvcr100.dll Synchronize,Write Data
c:\users\user\appdata\local\temp\is-2kvi7.tmp\x86\keyoff.cmd Synchronize,Write Data
c:\users\user\appdata\local\temp\is-2kvi7.tmp\xpr.log Generic Write,Read Attributes
c:\users\user\appdata\local\temp\is-gskch.tmp\0c895f8dcec5040b30c757f2863e0ac92ad32f2d_0001446785.tmp Generic Write,Read Attributes

Registry Modifications

Key::Value Data API Name
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\cmd.exe RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe RegNtPreCreateKey

Windows API Usage

Category API
Process Manipulation Evasion
  • NtUnmapViewOfSection
Process Shell Execute
  • CreateProcess
  • WriteConsole
Syscall Use
  • ntdll.dll!NtAccessCheck
  • ntdll.dll!NtAddAtomEx
  • ntdll.dll!NtAlertThreadByThreadId
  • ntdll.dll!NtAlpcConnectPortEx
  • ntdll.dll!NtAlpcQueryInformation
  • ntdll.dll!NtAlpcSendWaitReceivePort
  • ntdll.dll!NtApphelpCacheControl
  • ntdll.dll!NtClearEvent
  • ntdll.dll!NtClose
  • ntdll.dll!NtConnectPort
  • ntdll.dll!NtCreateEvent
  • ntdll.dll!NtCreateFile
  • ntdll.dll!NtCreateKey
  • ntdll.dll!NtCreateMutant
  • ntdll.dll!NtCreateSection
  • ntdll.dll!NtCreateSemaphore
  • ntdll.dll!NtDeviceIoControlFile
  • ntdll.dll!NtDuplicateObject
  • ntdll.dll!NtDuplicateToken
  • ntdll.dll!NtEnumerateKey
  • ntdll.dll!NtEnumerateValueKey
  • ntdll.dll!NtFreeVirtualMemory
  • ntdll.dll!NtFsControlFile
  • ntdll.dll!NtMapViewOfSection
  • ntdll.dll!NtOpenDirectoryObject
  • ntdll.dll!NtOpenEvent
  • ntdll.dll!NtOpenFile
  • ntdll.dll!NtOpenKey
  • ntdll.dll!NtOpenKeyEx
  • ntdll.dll!NtOpenMutant
  • ntdll.dll!NtOpenProcess
  • ntdll.dll!NtOpenProcessToken
  • ntdll.dll!NtOpenProcessTokenEx
  • ntdll.dll!NtOpenSection
  • ntdll.dll!NtOpenSemaphore
  • ntdll.dll!NtOpenSymbolicLinkObject
  • ntdll.dll!NtOpenThread
  • ntdll.dll!NtOpenThreadToken
  • ntdll.dll!NtOpenThreadTokenEx
  • ntdll.dll!NtProtectVirtualMemory
  • ntdll.dll!NtQueryAttributesFile
  • ntdll.dll!NtQueryDefaultLocale
  • ntdll.dll!NtQueryDirectoryFileEx
  • ntdll.dll!NtQueryInformationFile
  • ntdll.dll!NtQueryInformationProcess
  • ntdll.dll!NtQueryInformationThread
  • ntdll.dll!NtQueryInformationToken
  • ntdll.dll!NtQueryKey
  • ntdll.dll!NtQueryPerformanceCounter
  • ntdll.dll!NtQuerySecurityAttributesToken
  • ntdll.dll!NtQuerySecurityObject
  • ntdll.dll!NtQuerySymbolicLinkObject
  • ntdll.dll!NtQuerySystemInformation
  • ntdll.dll!NtQueryValueKey
  • ntdll.dll!NtQueryVirtualMemory
  • ntdll.dll!NtQueryVolumeInformationFile
  • ntdll.dll!NtQueryWnfStateData
  • ntdll.dll!NtReadFile
  • ntdll.dll!NtReadRequestData
  • ntdll.dll!NtReleaseMutant
  • ntdll.dll!NtReleaseSemaphore
  • ntdll.dll!NtReleaseWorkerFactoryWorker
  • ntdll.dll!NtRequestWaitReplyPort
  • ntdll.dll!NtSetEvent
  • ntdll.dll!NtSetInformationFile
  • ntdll.dll!NtSetInformationKey
  • ntdll.dll!NtSetInformationProcess
  • ntdll.dll!NtSetInformationVirtualMemory
  • ntdll.dll!NtSetInformationWorkerFactory
  • ntdll.dll!NtSetTimer2
  • ntdll.dll!NtSubscribeWnfStateChange
  • ntdll.dll!NtTerminateProcess
  • ntdll.dll!NtTestAlert
  • ntdll.dll!NtTraceControl
  • ntdll.dll!NtTraceEvent
  • ntdll.dll!NtUnmapViewOfSection
  • ntdll.dll!NtUnmapViewOfSectionEx
  • ntdll.dll!NtWaitForAlertByThreadId
  • ntdll.dll!NtWaitForSingleObject
  • ntdll.dll!NtWaitForWorkViaWorkerFactory
  • ntdll.dll!NtWaitLowEventPair
  • ntdll.dll!NtWorkerFactoryWorkerReady
  • ntdll.dll!NtWriteFile
  • ntdll.dll!NtYieldExecution
  • UNKNOWN
Anti Debug
  • IsDebuggerPresent
User Data Access
  • GetUserObjectInformation
Process Terminate
  • TerminateProcess
Keyboard Access
  • GetAsyncKeyState
  • GetKeyState

Shell Command Execution

"C:\Users\Lgnbuoxd\AppData\Local\Temp\is-GSKCH.tmp\0c895f8dcec5040b30c757f2863e0ac92ad32f2d_0001446785.tmp" /SL5="$7033E,1031260,134656,c:\users\user\downloads\0c895f8dcec5040b30c757f2863e0ac92ad32f2d_0001446785"
"C:\WINDOWS\system32\cmd.exe" /C ""C:\Users\Lgnbuoxd\AppData\Local\Temp\is-2KVI7.tmp\kms38.cmd""
C:\WINDOWS\system32\cscript.exe cscript /nologo C:\WINDOWS\system32\slmgr.vbs /xpr
C:\WINDOWS\system32\findstr.exe findstr "38" xpr.log
WriteConsole: The batch file c
