b8aec57f7e9c193fcd9796cf22997605624b8b5f9bf5f0c6190e1090d426ee31

Analysis

max time kernel
81s
max time network
33s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
29/12/2022, 15:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

KMSAuto Net.exe
Size

8.4MB
MD5

2fb86be791b4bb4389e55df0fec04eb7
SHA1

375dc8189059602f9eb571b473d723fad3ad3d8c
SHA256

b8aec57f7e9c193fcd9796cf22997605624b8b5f9bf5f0c6190e1090d426ee31
SHA512

3230ab05eb876879aefc5e15bb726292640c1ddf476e4108f5c8eed2f373cb852964163ccb006e3d22bc1dc2f97ac2db391af9b289f21a7b099df4c4dd94ee38
SSDEEP

196608:wokKDywCAfywOweBzcyw3ywsywDywPbywgsywZywRywxywBywEyw4ywwywmIBywI:FywCAqwUBzBwiwxwGwPewgxwUwswMw84

Score

8^/10

evasion persistence

Malware Config

Signatures

Creates new service(s) 1 TTPs
persistence

New Service
T1050

Executes dropped EXE 4 IoCs

pid	Process
548	bin.dat
1760	AESDecoder.exe
1280	bin_x64.dat
1516	KMSSS.exe

Modifies Windows Firewall 1 TTPs 3 IoCs

evasion

Modify Existing Service

T1031

pid	Process
1624	Netsh.exe
1048	Netsh.exe
1848	Netsh.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\KMSEmulator\ImagePath = "\"C:\\ProgramData\\KMSAuto\\bin\\KMSSS.exe\" -Port 1688 -PWin RandomKMSPID -PO14 RandomKMSPID -PO15 RandomKMSPID -PO16 RandomKMSPID -AI 43200 -RI 43200 -Log -IP"	KMSAuto Net.exe

Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489

Launches sc.exe 4 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
1768	sc.exe
1940	sc.exe
1952	sc.exe
1808	sc.exe

Gathers network information 2 TTPs 1 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command-Line Interface

T1059

pid	Process
1320	NETSTAT.EXE

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
1104	reg.exe

Suspicious behavior: CmdExeWriteProcessMemorySpam 3 IoCs

pid	Process
548	bin.dat
1760	AESDecoder.exe
1280	bin_x64.dat

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: 33	564	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	564	AUDIODG.EXE
Token: 33	564	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	564	AUDIODG.EXE
Token: SeDebugPrivilege	1320	NETSTAT.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1784	KMSAuto Net.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1784 wrote to memory of 2040	1784	KMSAuto Net.exe	28
PID 1784 wrote to memory of 2040	1784	KMSAuto Net.exe	28
PID 1784 wrote to memory of 2040	1784	KMSAuto Net.exe	28
PID 1784 wrote to memory of 2040	1784	KMSAuto Net.exe	28
PID 1784 wrote to memory of 1740	1784	KMSAuto Net.exe	30
PID 1784 wrote to memory of 1740	1784	KMSAuto Net.exe	30
PID 1784 wrote to memory of 1740	1784	KMSAuto Net.exe	30
PID 1784 wrote to memory of 1740	1784	KMSAuto Net.exe	30
PID 1784 wrote to memory of 1852	1784	KMSAuto Net.exe	32
PID 1784 wrote to memory of 1852	1784	KMSAuto Net.exe	32
PID 1784 wrote to memory of 1852	1784	KMSAuto Net.exe	32
PID 1784 wrote to memory of 1852	1784	KMSAuto Net.exe	32
PID 1784 wrote to memory of 1048	1784	KMSAuto Net.exe	37
PID 1784 wrote to memory of 1048	1784	KMSAuto Net.exe	37
PID 1784 wrote to memory of 1048	1784	KMSAuto Net.exe	37
PID 1784 wrote to memory of 1048	1784	KMSAuto Net.exe	37
PID 1784 wrote to memory of 1052	1784	KMSAuto Net.exe	39
PID 1784 wrote to memory of 1052	1784	KMSAuto Net.exe	39
PID 1784 wrote to memory of 1052	1784	KMSAuto Net.exe	39
PID 1784 wrote to memory of 1052	1784	KMSAuto Net.exe	39
PID 1052 wrote to memory of 548	1052	cmd.exe	41
PID 1052 wrote to memory of 548	1052	cmd.exe	41
PID 1052 wrote to memory of 548	1052	cmd.exe	41
PID 1052 wrote to memory of 548	1052	cmd.exe	41
PID 1784 wrote to memory of 900	1784	KMSAuto Net.exe	42
PID 1784 wrote to memory of 900	1784	KMSAuto Net.exe	42
PID 1784 wrote to memory of 900	1784	KMSAuto Net.exe	42
PID 1784 wrote to memory of 900	1784	KMSAuto Net.exe	42
PID 1784 wrote to memory of 1660	1784	KMSAuto Net.exe	44
PID 1784 wrote to memory of 1660	1784	KMSAuto Net.exe	44
PID 1784 wrote to memory of 1660	1784	KMSAuto Net.exe	44
PID 1784 wrote to memory of 1660	1784	KMSAuto Net.exe	44
PID 1660 wrote to memory of 1760	1660	cmd.exe	46
PID 1660 wrote to memory of 1760	1660	cmd.exe	46
PID 1660 wrote to memory of 1760	1660	cmd.exe	46
PID 1660 wrote to memory of 1760	1660	cmd.exe	46
PID 1784 wrote to memory of 1068	1784	KMSAuto Net.exe	47
PID 1784 wrote to memory of 1068	1784	KMSAuto Net.exe	47
PID 1784 wrote to memory of 1068	1784	KMSAuto Net.exe	47
PID 1784 wrote to memory of 1068	1784	KMSAuto Net.exe	47
PID 1784 wrote to memory of 2016	1784	KMSAuto Net.exe	49
PID 1784 wrote to memory of 2016	1784	KMSAuto Net.exe	49
PID 1784 wrote to memory of 2016	1784	KMSAuto Net.exe	49
PID 1784 wrote to memory of 2016	1784	KMSAuto Net.exe	49
PID 2016 wrote to memory of 1280	2016	cmd.exe	51
PID 2016 wrote to memory of 1280	2016	cmd.exe	51
PID 2016 wrote to memory of 1280	2016	cmd.exe	51
PID 2016 wrote to memory of 1280	2016	cmd.exe	51
PID 1784 wrote to memory of 1208	1784	KMSAuto Net.exe	52
PID 1784 wrote to memory of 1208	1784	KMSAuto Net.exe	52
PID 1784 wrote to memory of 1208	1784	KMSAuto Net.exe	52
PID 1784 wrote to memory of 1208	1784	KMSAuto Net.exe	52
PID 1784 wrote to memory of 792	1784	KMSAuto Net.exe	54
PID 1784 wrote to memory of 792	1784	KMSAuto Net.exe	54
PID 1784 wrote to memory of 792	1784	KMSAuto Net.exe	54
PID 1784 wrote to memory of 792	1784	KMSAuto Net.exe	54
PID 792 wrote to memory of 1556	792	cmd.exe	56
PID 792 wrote to memory of 1556	792	cmd.exe	56
PID 792 wrote to memory of 1556	792	cmd.exe	56
PID 1556 wrote to memory of 1320	1556	cmd.exe	57
PID 1556 wrote to memory of 1320	1556	cmd.exe	57
PID 1556 wrote to memory of 1320	1556	cmd.exe	57
PID 1556 wrote to memory of 1536	1556	cmd.exe	58
PID 1556 wrote to memory of 1536	1556	cmd.exe	58

C:\Users\Admin\AppData\Local\Temp\KMSAuto Net.exe
"C:\Users\Admin\AppData\Local\Temp\KMSAuto Net.exe"
1⤵
- Sets service image path in registry
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1784
- C:\Windows\SysWOW64\cmd.exe
  cmd /c md "C:\Users\Admin\AppData\Local\MSfree Inc"
  2⤵
  PID:2040
- C:\Windows\SysWOW64\cmd.exe
  cmd /c echo test>>"C:\Users\Admin\AppData\Local\Temp\test.test"
  2⤵
  PID:1740
- C:\Windows\system32\cmd.exe
  C:\Windows\Sysnative\cmd.exe /D /c del /F /Q "test.test"
  2⤵
  PID:1852
- C:\Windows\system32\cmd.exe
  C:\Windows\Sysnative\cmd.exe /D /c md "C:\ProgramData\KMSAuto"
  2⤵
  PID:1048
- C:\Windows\system32\cmd.exe
  C:\Windows\Sysnative\cmd.exe /D /c bin.dat -y -pkmsauto
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1052
- - C:\ProgramData\KMSAuto\bin.dat
    bin.dat -y -pkmsauto
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    PID:548
- C:\Windows\system32\cmd.exe
  C:\Windows\Sysnative\cmd.exe /D /c del /F /Q "bin.dat"
  2⤵
  PID:900
- C:\Windows\system32\cmd.exe
  C:\Windows\Sysnative\cmd.exe /D /c AESDecoder.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1660
- - C:\ProgramData\KMSAuto\bin\AESDecoder.exe
    AESDecoder.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    PID:1760
- C:\Windows\system32\cmd.exe
  C:\Windows\Sysnative\cmd.exe /D /c del /F /Q "AESDecoder.exe"
  2⤵
  PID:1068
- C:\Windows\system32\cmd.exe
  C:\Windows\Sysnative\cmd.exe /D /c bin_x64.dat -y -pkmsauto
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2016
- - C:\ProgramData\KMSAuto\bin_x64.dat
    bin_x64.dat -y -pkmsauto
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    PID:1280
- C:\Windows\system32\cmd.exe
  C:\Windows\Sysnative\cmd.exe /D /c del /F /Q "bin_x64.dat"
  2⤵
  PID:1208
- C:\Windows\system32\cmd.exe
  C:\Windows\Sysnative\cmd.exe /D /c for /f "tokens=5 delims=, " %i in ('netstat -ano ^| find ":1688 "') do taskkill /pid %i /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:792
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c netstat -ano | find ":1688 "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1556
  - - C:\Windows\system32\NETSTAT.EXE
      netstat -ano
      4⤵
      Gathers network information
      Suspicious use of AdjustPrivilegeToken
      PID:1320
  - - C:\Windows\system32\find.exe
      find ":1688 "
      4⤵
      PID:1536
- C:\Windows\system32\Netsh.exe
  C:\Windows\Sysnative\Netsh Advfirewall Firewall delete rule name="0pen Port KMS" protocol=TCP
  2⤵
  - Modifies Windows Firewall
  PID:1624
- C:\Windows\system32\Netsh.exe
  C:\Windows\Sysnative\Netsh Advfirewall Firewall add rule name="0pen Port KMS" dir=in action=allow protocol=TCP localport=1688
  2⤵
  - Modifies Windows Firewall
  PID:1048
- C:\Windows\SysWOW64\sc.exe
  "sc.exe" create KMSEmulator binpath= temp.exe type= own start= auto
  2⤵
  - Launches sc.exe
  PID:1768
- C:\Windows\SysWOW64\sc.exe
  "sc.exe" start KMSEmulator
  2⤵
  - Launches sc.exe
  PID:1940
- C:\Windows\system32\reg.exe
  C:\Windows\Sysnative\reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\55C92734-D682-4D71-983E-D6EC3F16059F" /f
  2⤵
  PID:2008
- C:\Windows\system32\reg.exe
  C:\Windows\Sysnative\reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\0FF1CE15-A989-479D-AF46-F275C6370663" /f
  2⤵
  PID:1208
- C:\Windows\system32\reg.exe
  C:\Windows\Sysnative\reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform\59A52881-A989-479D-AF46-F275C6370663" /f
  2⤵
  PID:1568
- C:\Windows\system32\reg.exe
  C:\Windows\Sysnative\reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform\0FF1CE15-A989-479D-AF46-F275C6370663" /f
  2⤵
  PID:1556
- C:\Windows\system32\reg.exe
  C:\Windows\Sysnative\reg delete "HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\55c92734-d682-4d71-983e-d6ec3f16059f" /f
  2⤵
  PID:948
- C:\Windows\system32\reg.exe
  C:\Windows\Sysnative\reg delete "HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\0ff1ce15-a989-479d-af46-f275c6370663" /f
  2⤵
  PID:968
- C:\Windows\SysWOW64\sc.exe
  "sc.exe" stop KMSEmulator
  2⤵
  - Launches sc.exe
  PID:1952
- C:\Windows\SysWOW64\sc.exe
  "sc.exe" delete KMSEmulator
  2⤵
  - Launches sc.exe
  PID:1808
- C:\Windows\system32\cmd.exe
  C:\Windows\Sysnative\cmd.exe /D /c reg.exe DELETE HKLM\SYSTEM\CurrentControlSet\Services\KMSEmulator /f
  2⤵
  PID:1204
- - C:\Windows\system32\reg.exe
    reg.exe DELETE HKLM\SYSTEM\CurrentControlSet\Services\KMSEmulator /f
    3⤵
    - Modifies registry key
    PID:1104
- C:\Windows\system32\Netsh.exe
  C:\Windows\Sysnative\Netsh Advfirewall Firewall delete rule name="0pen Port KMS" protocol=TCP
  2⤵
  - Modifies Windows Firewall
  PID:1848
- C:\Windows\system32\cmd.exe
  "C:\Windows\Sysnative\cmd.exe" /c rd "C:\ProgramData\KMSAuto" /S /Q
  2⤵
  PID:1916
- C:\Windows\system32\cmd.exe
  "C:\Windows\Sysnative\cmd.exe" /c rd "C:\ProgramData\KMSAuto" /S /Q
  2⤵
  PID:1604
- C:\Windows\system32\cmd.exe
  "C:\Windows\Sysnative\cmd.exe" /c rd "C:\ProgramData\KMSAuto" /S /Q
  2⤵
  PID:1196
- C:\Windows\system32\cmd.exe
  "C:\Windows\Sysnative\cmd.exe" /c rd "C:\ProgramData\KMSAuto" /S /Q
  2⤵
  PID:820
- C:\Windows\system32\cmd.exe
  "C:\Windows\Sysnative\cmd.exe" /c rd "C:\ProgramData\KMSAuto" /S /Q
  2⤵
  PID:1372
- C:\Windows\system32\cmd.exe
  "C:\Windows\Sysnative\cmd.exe" /c rd "C:\ProgramData\KMSAuto" /S /Q
  2⤵
  PID:1588

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0xc4
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:564

C:\ProgramData\KMSAuto\bin\KMSSS.exe
"C:\ProgramData\KMSAuto\bin\KMSSS.exe" -Port 1688 -PWin RandomKMSPID -PO14 RandomKMSPID -PO15 RandomKMSPID -PO16 RandomKMSPID -AI 43200 -RI 43200 -Log -IP
1⤵
- Executes dropped EXE
PID:1516

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Command-Line Interface

T1059

Persistence

Modify Existing Service

T1031

New Service

T1050

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

New Service

T1050

Defense Evasion

Impair Defenses

T1562

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\KMSAuto\KMSAUT~1.EXE

Filesize
8.4MB

MD5
2fb86be791b4bb4389e55df0fec04eb7

SHA1
375dc8189059602f9eb571b473d723fad3ad3d8c

SHA256
b8aec57f7e9c193fcd9796cf22997605624b8b5f9bf5f0c6190e1090d426ee31

SHA512
3230ab05eb876879aefc5e15bb726292640c1ddf476e4108f5c8eed2f373cb852964163ccb006e3d22bc1dc2f97ac2db391af9b289f21a7b099df4c4dd94ee38

Download Submit
C:\ProgramData\KMSAuto\bin.dat

Filesize
240KB

MD5
2a96e417738225fa806a6ef275443bc8

SHA1
3cb5cb736878623e490c9e53ca1c696e9ab49639

SHA256
839d31305d8fa842c832e8ec0f61d6bc575734449eb774b7c8dd79669594e25b

SHA512
cf32c908069970bd02aa87cefcfcb6aebc24843a15181a5a4d4c007aeba9aa822179f446d4902e2b1bd13e8fff35e678658455c53f4a467aa8dc11e3fcc64e80

Download Submit
C:\ProgramData\KMSAuto\bin.dat

Filesize
240KB

MD5
2a96e417738225fa806a6ef275443bc8

SHA1
3cb5cb736878623e490c9e53ca1c696e9ab49639

SHA256
839d31305d8fa842c832e8ec0f61d6bc575734449eb774b7c8dd79669594e25b

SHA512
cf32c908069970bd02aa87cefcfcb6aebc24843a15181a5a4d4c007aeba9aa822179f446d4902e2b1bd13e8fff35e678658455c53f4a467aa8dc11e3fcc64e80

Download Submit
C:\ProgramData\KMSAuto\bin\AESDecoder.exe

Filesize
53KB

MD5
b90ed3e4dbb23a464723706f12c86065

SHA1
96aa9e1d2f2e51aaf094a268df19163cb94f623a

SHA256
8391d5b724d235ba52531d9a6d85e466382ce15cbd6ba97c4ad1278ed1f03bd7

SHA512
92e0f414f1eca28788c885cb193e6baccf37641bcdc120f4db5a80849a61c6bd861987631753a0a93149c669d5814d7b7a79f1cd5087480fbb31465be53bb992

Download Submit
C:\ProgramData\KMSAuto\bin\AESDecoder.exe

Filesize
53KB

MD5
b90ed3e4dbb23a464723706f12c86065

SHA1
96aa9e1d2f2e51aaf094a268df19163cb94f623a

SHA256
8391d5b724d235ba52531d9a6d85e466382ce15cbd6ba97c4ad1278ed1f03bd7

SHA512
92e0f414f1eca28788c885cb193e6baccf37641bcdc120f4db5a80849a61c6bd861987631753a0a93149c669d5814d7b7a79f1cd5087480fbb31465be53bb992

Download Submit
C:\ProgramData\KMSAuto\bin\KMSSS.exe

Filesize
34KB

MD5
add80e5d9fad482705c3807bacfe1993

SHA1
c41c16d39994a4a8d7d0aeab64afd00ae634d013

SHA256
bb3830b14df80838fb201c611abf0c1f3714c6b8b103ed084eafc170036631be

SHA512
3f0cc9cbe1b518728eb09c6db8259e0768ac7d67d39d9055125e62ca8a76c00a0a613c7013698826d0b0e436d2dbc7d0f3ea9a993e0427cfd9a0ad8ffb836e53

Download Submit
C:\ProgramData\KMSAuto\bin\KMSSS.exe

Filesize
34KB

MD5
add80e5d9fad482705c3807bacfe1993

SHA1
c41c16d39994a4a8d7d0aeab64afd00ae634d013

SHA256
bb3830b14df80838fb201c611abf0c1f3714c6b8b103ed084eafc170036631be

SHA512
3f0cc9cbe1b518728eb09c6db8259e0768ac7d67d39d9055125e62ca8a76c00a0a613c7013698826d0b0e436d2dbc7d0f3ea9a993e0427cfd9a0ad8ffb836e53

Download Submit
C:\ProgramData\KMSAuto\bin\KMSSS.exe.aes

Filesize
34KB

MD5
9192d6947f2a3abf00084deda48a2c6f

SHA1
0da74fc0329bba4f951e0df2923bf2ab303044ce

SHA256
ded5e9e73b2ba3bd188c98a58335c65fe149d2082b88c3d91516ed25e5a379ee

SHA512
3e7ff017cd67820752c1adf2a3910c5187de4d0e3ab6ac8e2e1399bfa7e7499b88664aee6b62f49890e172ef44e18219b7a021ec3537ee71baa94f7021c7e2c8

Download Submit
C:\ProgramData\KMSAuto\bin\KMSSS.log

Filesize
1KB

MD5
c08cb5894d335dc53f234116b2e9de3b

SHA1
d20bd873c10c3067d0cb69732f6b37c41a8ad55a

SHA256
920a2ed2b57f033a29474920bb517450631ff3f7d1c138d6df708425892eb649

SHA512
cc9f2f12489f9af6972637071a1d28671afc1c8e7062a9829bfe7ac35978f84d15719e2074888274774ad397b00a934c4052798c3f259d90fd1cff09ff2245d1

Download Submit
C:\ProgramData\KMSAuto\bin\TUNMIR~1.EXE

Filesize
14KB

MD5
fb5f055633e4f7890004972e108a07cd

SHA1
b5ab55db9d323c00541e61412a55f3e4bdbeb61d

SHA256
02145c3f60e704df17919cd26cb79bd31a12b98d66b0b7fd1cf7ea894ad1f871

SHA512
ea2bd32f7db116f0224d2f7055414601c066e0369ce04cbaf7f1aa2ee780b257d6cff1a78953cd623885d9ceda6f8bc6c65c4d8436a62dd0320a8e49597f92fb

Download Submit
C:\ProgramData\KMSAuto\bin\TUNMIR~2.EXE

Filesize
14KB

MD5
3b33e3ab6e91806df4cae19405ab8846

SHA1
766747faf6a370270909891912ed2c5b2e6b2881

SHA256
d9cd47831faba4053225dac181709fd7ab9d066c3de6f541968fffeeee4a9bf9

SHA512
5e2b0c2a32ed522d1dec9bf1ea986d993868a97df1802ecd12877434a74f10c45dd370abcddd405083ac0c427a383e195a1fade34a95a80fcddb29e03d4a516f

Download Submit
C:\ProgramData\KMSAuto\bin\TunMirror.exe.aes

Filesize
14KB

MD5
6d6e295744d3750355227efd55824be1

SHA1
bd589d54c2578403bd9b58050ff33961a3fd9781

SHA256
f67f0232100f7cc7e469dc14079edf7d72ec25e48ca3b5ac9b40ed025f1ba0ef

SHA512
3cc436491433375fd23f2c204981d6489a412e5a62f7b92409080672a531019260366aca8df43b45d4d3dc538f76d883053ba8c4c9146bb4371305f2a27d9e7b

Download Submit
C:\ProgramData\KMSAuto\bin\TunMirror2.exe.aes

Filesize
14KB

MD5
a1a5afa53b578db6abf400a88548f487

SHA1
b73ae3c93a43074afe54e611bad938da98eee385

SHA256
a9e76d637e0c0a65036d7f2d5c3d7b1c53218b94716554f4d9f6630dcff8c75a

SHA512
c9cff93b807d0db06d8a67e4e1b2e934f84a509a5f9af4bd0f4ad84eaec6874412c0c094c034d8637cacd3219bb7c82723a25f35907cba5024293e46991d4e2c

Download Submit
C:\ProgramData\KMSAuto\bin\driver\oas_sert.cer

Filesize
1KB

MD5
0041584e5f66762b1fa9be8910d0b92b

SHA1
8788377c653a5b79ef04c05c15d3ca52d6253469

SHA256
bb27684b569cbb72dec63ea6fdef8e5f410cdaeb73717eee1b36478dbcff94cc

SHA512
fc32985bd3b626a1baa5353595a25d85339bc8aeb8f8d9fdd881e514d7f4cdd90fe5de273f702c9f673cd625a7e90cd3979d695d4daabe72fa952c8318f64b71

Download Submit
C:\ProgramData\KMSAuto\bin\driver\tap0901.cer

Filesize
1KB

MD5
3d5ffd53be77c32cbb147f32423c0a86

SHA1
ec4f1d31686625ecc004993cd0e89a4136dd3344

SHA256
669c56db590c0308ea25c4508375bb88611b06b1ae689a895dc6b19f4df5619c

SHA512
bc2a1bf2dd5d4b135b7cc2b5d8cc24f1a6b6fed7fcfa092e5cfc5965dd368da86b24550338f925a36c458e154c3c4694d369d06cbc5e72e40983b760a39ee2d7

Download Submit
C:\ProgramData\KMSAuto\bin\driver\x64TAP1\OemVista.inf

Filesize
7KB

MD5
864625122184689b4854483b51bd4c09

SHA1
2f041412e1e24d2398af1a6c934979d7d8c2bebe

SHA256
4a4cc81dd6655906e817ebaede1692871a79b7000a5f9188b30082c06c71894b

SHA512
6f43d345a7351a89d0888c8a33c75b299d34a53f4d579579fb820fc792274e880a8a475811026ae801540b265ec42fe80b8408e74a02f70b02b97737fb085381

Download Submit
C:\ProgramData\KMSAuto\bin\driver\x64TAP1\devcon.exe

Filesize
80KB

MD5
3904d0698962e09da946046020cbcb17

SHA1
edae098e7e8452ca6c125cf6362dda3f4d78f0ae

SHA256
a51e25acc489948b31b1384e1dc29518d19b421d6bc0ced90587128899275289

SHA512
c24ab680981d8d6db042b52b7b5c5e92078df83650cad798874fc09ce8c8a25462e1b69340083f4bcad20d67068668abcfa8097e549cfa5ad4f1ee6a235d6eea

Download Submit
C:\ProgramData\KMSAuto\bin\driver\x64TAP1\ptun0901.cat

Filesize
9KB

MD5
28b3a205c15d9d722319d270b3500bd0

SHA1
d5740e1b21b121914e379bba4105f8f520cc67b1

SHA256
438b3cdb66a5e1ce7b659744b81a570eb7cb0c8b403738a17dd2629625b0c765

SHA512
2e172aab51badc0331fbd8b96e58077e3dc3134ea8f125dc6e61679d2eda428c767f961ca241618eeddd02daa107be66f305799f732075463143124a2347bdf3

Download Submit
C:\ProgramData\KMSAuto\bin\driver\x64TAP1\ptun0901.sys

Filesize
26KB

MD5
d8eb393983b644879de0546122cc16df

SHA1
f179bbf33dad96131b823f07a0ec44856fd52534

SHA256
4a11ddfb016b560e770660183af1ada4831d97daeaf560e60259f81f2727cbfc

SHA512
09cd4fcf28fc55d9712d17fd633827781bfdce372602042cc6c76d7845e2120149180fb7719e4b923b1e45368da789d10015b6954c3d2e77be185845f9b4d661

Download Submit
C:\ProgramData\KMSAuto\bin\driver\x64TAP2\devcon.exe

Filesize
79KB

MD5
7f0c8f7b6f6d22ecd83013f2f26a71ae

SHA1
dbda3a84c97777a5b47f87868aea2a7cd4c6739b

SHA256
a4e561f666c08353c2226e8e264555c406893b0ad1b74fd05f4f29655e128809

SHA512
e9dea69961b1bb8ab41067870db9b0c661a42ecba633429d6ea6aaa19a10c60cbcd4acbf9e5e1545c86f1d836696eac5b5a445baae2499418c2eef76d1de6d5a

Download Submit
C:\ProgramData\KMSAuto\bin\driver\x64TAP2\tapoas.cat

Filesize
7KB

MD5
8dc91f1bf59f58554dc195c9ffcb59ec

SHA1
7f73c23c96d4a326a07c5a1bf81b3ea98c6ab87f

SHA256
0b42f01e4c8732d246260b6ba76a5e096e1da3047898dff6fb71eede68951c87

SHA512
4b207802936d443f25b42e27030c28687f3a3d63bb8202a16dc5c74446f9ebdcdce3f753a4bfe5d62715ffc82063d0f187b1d27696743f890f30b8333630a8bf

Download Submit
C:\ProgramData\KMSAuto\bin\driver\x64TAP2\tapoas.inf

Filesize
7KB

MD5
61243cb103543ee3163bf16df69bcb54

SHA1
4ffbe472cc93ff8a827a12e63ff79fc48c684402

SHA256
1652b1de2f15eeacbd06e0ab14ada5a466316ffd3ab88d4a2a46cfcbd25fdfa1

SHA512
419aa9fd6d3df2785353fe2efcffb5525d161d9b07e0284857065d6461fcc9e9932d7cca9b20a0ec46c8bebff9aa0d8e9d1a29face8cecff23c15e57fc7f430e

Download Submit
C:\ProgramData\KMSAuto\bin\driver\x64TAP2\tapoas.sys

Filesize
30KB

MD5
927d0cdb3f96efc1e98fb1a2c9fb67ad

SHA1
9bbb2d28f2f9736d59b94ea260abd4ded7d7b5be

SHA256
58f14daa0ea21ea2f2a1d3d62c88bd8e5a0e0ef498b7b8d367beeade6a46843c

SHA512
a3f977390e251cefbb9bad7e338cba23b8129907475d559bda187985aa552afbd2b14db1ee4e288e7ecb5fb9a23547bf4bbacf38049cd05152e635fd0d36af97

Download Submit
C:\ProgramData\KMSAuto\bin\driver\x64WDV\FAKECL~1.EXE

Filesize
13KB

MD5
b85f4ce841f3ae1ebdf76835d2eadbef

SHA1
65c215dd7b7a3e8cb76003c252e13fa1e8e50c7c

SHA256
ce28748f6ae7b54ab35fc31d825e80a26e143737cf4748fff523781e04c1ee79

SHA512
c86326cf84b8ae8e72a5d49940a95a525db6f97ca859f15d90f6db9bc11b45a0c326bfe387c243c05f3578528ad2b2bfeea1db2950b331c71fac959fafab3d4f

Download Submit
C:\ProgramData\KMSAuto\bin\driver\x64WDV\WDFCOI~1.DLL

Filesize
68KB

MD5
be566e174eaf5b93b0474593cd8f2715

SHA1
350ca8482be913dd9ca7a279fb5680a884402e26

SHA256
cee8496bfa1080fd84fc48ba4375625238900fe93ea739b2dc0300206fde8330

SHA512
fc608acd903daf17250b8ee0f2491458cf06eca9856988fce6b8134f8deb2a3716c3641977d24e3614c9abf344184225bffeeb25212d374988115b15d0ce4b5b

Download Submit
C:\ProgramData\KMSAuto\bin\driver\x64WDV\WINDIV~1.DLL

Filesize
16KB

MD5
3f0c03e5076c7e6b404f894ff4dc5bb1

SHA1
9cf99c875e6acd4b12e0eddd5fa51d296ea4998e

SHA256
4e7ebed8410c83b73a23185aa94680143da2933305cd6deefe8ec0b51b7ee6f3

SHA512
20de17d511cc1b3f283a28423f5bdfaef36f104d62c33a1da6449c528d1d8e4986afe8ef68e590add9262c3c7441132022a049022d14deba08a8c72e139f78f4

Download Submit
C:\ProgramData\KMSAuto\bin\driver\x64WDV\WINDIV~1.INF

Filesize
151B

MD5
a94d989905a248afca52bc3cbfcb248b

SHA1
cbb7b37584a58060da6a3dd748f17334384647e7

SHA256
6c9f7dea4f9a47788d5d2ba110b08457fd00dbabe4812ebca6f022300843a75d

SHA512
864eae03a01ac79917e91913fa7d83847f67f259ce8b5b42853c7ffd9a1f6847b9a4adec4d31a6ec882265fd369214bdbd147c6dc76b89bdf1bb2001046ec43f

Download Submit
C:\ProgramData\KMSAuto\bin\driver\x64WDV\WINDIV~1.SYS

Filesize
34KB

MD5
a0d15d8727d0780c51628df46b7268b3

SHA1
c85f24ef961db67c829a676a941cbead24c62b21

SHA256
5e23f3ed1d6620c39a644f9879404a22ded86b3b076ec4a898b4b6be244afd64

SHA512
a7a6173bc2652d7b45fdc3009d00be9f7d3a9f42ad99cd569bfa2d23902f77866dd3b090f6debb11c802fc85b2230d5321309b0bf50d1dd8665ca8ab19c78361

Download Submit
C:\ProgramData\KMSAuto\bin_x64.dat

Filesize
273KB

MD5
200a90e767924a342c25662487d8c215

SHA1
aa48cbcdea041799f0153cbdc7726eeec1db9906

SHA256
184b7a8be9204f9fefa3666cd3ccaf01bab26fdbc0e2a87320acf84792fdfa84

SHA512
e2735cea38138db29f6666b00862911623ef0d3b0069322b890dea1b66c039da7f4f905010aa4d2c4c8663df4b36f788bc3cdbed228b54406cf4db379609a063

Download Submit
C:\ProgramData\KMSAuto\bin_x64.dat

Filesize
273KB

MD5
200a90e767924a342c25662487d8c215

SHA1
aa48cbcdea041799f0153cbdc7726eeec1db9906

SHA256
184b7a8be9204f9fefa3666cd3ccaf01bab26fdbc0e2a87320acf84792fdfa84

SHA512
e2735cea38138db29f6666b00862911623ef0d3b0069322b890dea1b66c039da7f4f905010aa4d2c4c8663df4b36f788bc3cdbed228b54406cf4db379609a063

Download Submit
C:\Users\Admin\AppData\Local\Temp\test.test

Filesize
6B

MD5
9f06243abcb89c70e0c331c61d871fa7

SHA1
fde773a18bb29f5ed65e6f0a7aa717fd1fa485d4

SHA256
837ccb607e312b170fac7383d7ccfd61fa5072793f19a25e75fbacb56539b86b

SHA512
b947b99d1baddd347550c9032e9ab60b6be56551cf92c076b38e4e11f436051a4af51c47e54f8641316a720b043641a3b3c1e1b01ba50445ea1ba60bfd1b7a86

Download Submit
memory/1624-85-0x000007FEFC4E1000-0x000007FEFC4E3000-memory.dmp

Filesize
8KB

Download
memory/1784-54-0x0000000000B00000-0x0000000001360000-memory.dmp

Filesize
8.4MB

Download
memory/1784-55-0x0000000076411000-0x0000000076413000-memory.dmp

Filesize
8KB

Download
memory/1784-60-0x00000000055F5000-0x0000000005606000-memory.dmp

Filesize
68KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads