b8aec57f7e9c193fcd9796cf22997605624b8b5f9bf5f0c6190e1090d426ee31

Analysis

max time kernel
151s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
29-12-2022 15:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

KMSAuto Net.exe
Size

8.4MB
MD5

2fb86be791b4bb4389e55df0fec04eb7
SHA1

375dc8189059602f9eb571b473d723fad3ad3d8c
SHA256

b8aec57f7e9c193fcd9796cf22997605624b8b5f9bf5f0c6190e1090d426ee31
SHA512

3230ab05eb876879aefc5e15bb726292640c1ddf476e4108f5c8eed2f373cb852964163ccb006e3d22bc1dc2f97ac2db391af9b289f21a7b099df4c4dd94ee38
SSDEEP

196608:wokKDywCAfywOweBzcyw3ywsywDywPbywgsywZywRywxywBywEyw4ywwywmIBywI:FywCAqwUBzBwiwxwGwPewgxwUwswMw84

Score

8^/10

evasion persistence

Malware Config

Signatures

Creates new service(s) 1 TTPs
persistence

New Service
T1050

Executes dropped EXE 11 IoCs

pid	Process
4260	bin.dat
1352	AESDecoder.exe
5052	bin_x64.dat
4912	KMSSS.exe
1476	FakeClient.exe
3356	FakeClient.exe
220	FakeClient.exe
4844	FakeClient.exe
3220	FakeClient.exe
3996	FakeClient.exe
864	FakeClient.exe

Modifies Windows Firewall 1 TTPs 2 IoCs

evasion

Modify Existing Service

T1031

pid	Process
3564	Netsh.exe
1728	Netsh.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\KMSEmulator\ImagePath = "\"C:\\ProgramData\\KMSAuto\\bin\\KMSSS.exe\" -Port 1688 -PWin RandomKMSPID -PO14 RandomKMSPID -PO15 RandomKMSPID -PO16 RandomKMSPID -AI 43200 -RI 43200 -Log -IP"	KMSAuto Net.exe

Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489

Loads dropped DLL 14 IoCs

pid	Process
1476	FakeClient.exe
1476	FakeClient.exe
3356	FakeClient.exe
3356	FakeClient.exe
220	FakeClient.exe
220	FakeClient.exe
4844	FakeClient.exe
4844	FakeClient.exe
3220	FakeClient.exe
3220	FakeClient.exe
3996	FakeClient.exe
3996	FakeClient.exe
864	FakeClient.exe
864	FakeClient.exe

Drops file in Windows directory 14 IoCs

description	ioc	Process
File opened for modification	C:\Windows\setupact.log	FakeClient.exe
File opened for modification	C:\Windows\setuperr.log	FakeClient.exe
File opened for modification	C:\Windows\setupact.log	FakeClient.exe
File opened for modification	C:\Windows\setuperr.log	FakeClient.exe
File opened for modification	C:\Windows\setuperr.log	FakeClient.exe
File opened for modification	C:\Windows\setupact.log	FakeClient.exe
File opened for modification	C:\Windows\setuperr.log	FakeClient.exe
File opened for modification	C:\Windows\setupact.log	FakeClient.exe
File opened for modification	C:\Windows\setupact.log	FakeClient.exe
File opened for modification	C:\Windows\setuperr.log	FakeClient.exe
File opened for modification	C:\Windows\setupact.log	FakeClient.exe
File opened for modification	C:\Windows\setuperr.log	FakeClient.exe
File opened for modification	C:\Windows\setuperr.log	FakeClient.exe
File opened for modification	C:\Windows\setupact.log	FakeClient.exe

Launches sc.exe 14 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
1824	sc.exe
1728	sc.exe
2476	sc.exe
4820	sc.exe
216	sc.exe
2512	sc.exe
4652	sc.exe
432	sc.exe
996	sc.exe
2292	sc.exe
4216	sc.exe
2040	sc.exe
4824	sc.exe
4280	sc.exe

Gathers network information 2 TTPs 1 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command-Line Interface

T1059

pid	Process
2480	NETSTAT.EXE

Kills process with taskkill 6 IoCs

evasion

pid	Process
3984	taskkill.exe
3304	taskkill.exe
4860	taskkill.exe
1100	taskkill.exe
2732	taskkill.exe
828	taskkill.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
1720	KMSAuto Net.exe
1720	KMSAuto Net.exe
1720	KMSAuto Net.exe
1720	KMSAuto Net.exe
1720	KMSAuto Net.exe
1720	KMSAuto Net.exe

Suspicious behavior: LoadsDriver 7 IoCs

pid	Process
652	Process not Found
652	Process not Found
652	Process not Found
652	Process not Found
652	Process not Found
652	Process not Found
652	Process not Found

Suspicious use of AdjustPrivilegeToken 10 IoCs

description	pid	Process
Token: 33	4416	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	4416	AUDIODG.EXE
Token: SeDebugPrivilege	2480	NETSTAT.EXE
Token: SeDebugPrivilege	1720	KMSAuto Net.exe
Token: SeDebugPrivilege	2732	taskkill.exe
Token: SeDebugPrivilege	828	taskkill.exe
Token: SeDebugPrivilege	3984	taskkill.exe
Token: SeDebugPrivilege	3304	taskkill.exe
Token: SeDebugPrivilege	4860	taskkill.exe
Token: SeDebugPrivilege	1100	taskkill.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1720 wrote to memory of 2084	1720	KMSAuto Net.exe	85
PID 1720 wrote to memory of 2084	1720	KMSAuto Net.exe	85
PID 1720 wrote to memory of 2084	1720	KMSAuto Net.exe	85
PID 1720 wrote to memory of 3760	1720	KMSAuto Net.exe	87
PID 1720 wrote to memory of 3760	1720	KMSAuto Net.exe	87
PID 1720 wrote to memory of 3760	1720	KMSAuto Net.exe	87
PID 1720 wrote to memory of 3912	1720	KMSAuto Net.exe	89
PID 1720 wrote to memory of 3912	1720	KMSAuto Net.exe	89
PID 1720 wrote to memory of 384	1720	KMSAuto Net.exe	100
PID 1720 wrote to memory of 384	1720	KMSAuto Net.exe	100
PID 1720 wrote to memory of 3652	1720	KMSAuto Net.exe	102
PID 1720 wrote to memory of 3652	1720	KMSAuto Net.exe	102
PID 3652 wrote to memory of 4260	3652	cmd.exe	104
PID 3652 wrote to memory of 4260	3652	cmd.exe	104
PID 3652 wrote to memory of 4260	3652	cmd.exe	104
PID 1720 wrote to memory of 4960	1720	KMSAuto Net.exe	105
PID 1720 wrote to memory of 4960	1720	KMSAuto Net.exe	105
PID 1720 wrote to memory of 2516	1720	KMSAuto Net.exe	107
PID 1720 wrote to memory of 2516	1720	KMSAuto Net.exe	107
PID 2516 wrote to memory of 1352	2516	cmd.exe	109
PID 2516 wrote to memory of 1352	2516	cmd.exe	109
PID 2516 wrote to memory of 1352	2516	cmd.exe	109
PID 1720 wrote to memory of 4020	1720	KMSAuto Net.exe	110
PID 1720 wrote to memory of 4020	1720	KMSAuto Net.exe	110
PID 1720 wrote to memory of 1292	1720	KMSAuto Net.exe	112
PID 1720 wrote to memory of 1292	1720	KMSAuto Net.exe	112
PID 1292 wrote to memory of 5052	1292	cmd.exe	114
PID 1292 wrote to memory of 5052	1292	cmd.exe	114
PID 1292 wrote to memory of 5052	1292	cmd.exe	114
PID 1720 wrote to memory of 544	1720	KMSAuto Net.exe	115
PID 1720 wrote to memory of 544	1720	KMSAuto Net.exe	115
PID 1720 wrote to memory of 3512	1720	KMSAuto Net.exe	117
PID 1720 wrote to memory of 3512	1720	KMSAuto Net.exe	117
PID 3512 wrote to memory of 4504	3512	cmd.exe	119
PID 3512 wrote to memory of 4504	3512	cmd.exe	119
PID 4504 wrote to memory of 2480	4504	cmd.exe	120
PID 4504 wrote to memory of 2480	4504	cmd.exe	120
PID 4504 wrote to memory of 3508	4504	cmd.exe	121
PID 4504 wrote to memory of 3508	4504	cmd.exe	121
PID 1720 wrote to memory of 3564	1720	KMSAuto Net.exe	122
PID 1720 wrote to memory of 3564	1720	KMSAuto Net.exe	122
PID 1720 wrote to memory of 1728	1720	KMSAuto Net.exe	124
PID 1720 wrote to memory of 1728	1720	KMSAuto Net.exe	124
PID 1720 wrote to memory of 996	1720	KMSAuto Net.exe	126
PID 1720 wrote to memory of 996	1720	KMSAuto Net.exe	126
PID 1720 wrote to memory of 996	1720	KMSAuto Net.exe	126
PID 1720 wrote to memory of 2512	1720	KMSAuto Net.exe	128
PID 1720 wrote to memory of 2512	1720	KMSAuto Net.exe	128
PID 1720 wrote to memory of 2512	1720	KMSAuto Net.exe	128
PID 1720 wrote to memory of 4928	1720	KMSAuto Net.exe	131
PID 1720 wrote to memory of 4928	1720	KMSAuto Net.exe	131
PID 4928 wrote to memory of 2368	4928	cmd.exe	133
PID 4928 wrote to memory of 2368	4928	cmd.exe	133
PID 1720 wrote to memory of 3964	1720	KMSAuto Net.exe	134
PID 1720 wrote to memory of 3964	1720	KMSAuto Net.exe	134
PID 3964 wrote to memory of 1476	3964	cmd.exe	136
PID 3964 wrote to memory of 1476	3964	cmd.exe	136
PID 1720 wrote to memory of 1792	1720	KMSAuto Net.exe	137
PID 1720 wrote to memory of 1792	1720	KMSAuto Net.exe	137
PID 1792 wrote to memory of 4048	1792	cmd.exe	139
PID 1792 wrote to memory of 4048	1792	cmd.exe	139
PID 1720 wrote to memory of 3572	1720	KMSAuto Net.exe	140
PID 1720 wrote to memory of 3572	1720	KMSAuto Net.exe	140
PID 1720 wrote to memory of 3572	1720	KMSAuto Net.exe	140

C:\Users\Admin\AppData\Local\Temp\KMSAuto Net.exe
"C:\Users\Admin\AppData\Local\Temp\KMSAuto Net.exe"
1⤵
- Sets service image path in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1720
- C:\Windows\SysWOW64\cmd.exe
  cmd /c md "C:\Users\Admin\AppData\Local\MSfree Inc"
  2⤵
  PID:2084
- C:\Windows\SysWOW64\cmd.exe
  cmd /c echo test>>"C:\Users\Admin\AppData\Local\Temp\test.test"
  2⤵
  PID:3760
- C:\Windows\system32\cmd.exe
  C:\Windows\Sysnative\cmd.exe /D /c del /F /Q "test.test"
  2⤵
  PID:3912
- C:\Windows\system32\cmd.exe
  C:\Windows\Sysnative\cmd.exe /D /c md "C:\ProgramData\KMSAuto"
  2⤵
  PID:384
- C:\Windows\system32\cmd.exe
  C:\Windows\Sysnative\cmd.exe /D /c bin.dat -y -pkmsauto
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3652
- - C:\ProgramData\KMSAuto\bin.dat
    bin.dat -y -pkmsauto
    3⤵
    - Executes dropped EXE
    PID:4260
- C:\Windows\system32\cmd.exe
  C:\Windows\Sysnative\cmd.exe /D /c del /F /Q "bin.dat"
  2⤵
  PID:4960
- C:\Windows\system32\cmd.exe
  C:\Windows\Sysnative\cmd.exe /D /c AESDecoder.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2516
- - C:\ProgramData\KMSAuto\bin\AESDecoder.exe
    AESDecoder.exe
    3⤵
    - Executes dropped EXE
    PID:1352
- C:\Windows\system32\cmd.exe
  C:\Windows\Sysnative\cmd.exe /D /c del /F /Q "AESDecoder.exe"
  2⤵
  PID:4020
- C:\Windows\system32\cmd.exe
  C:\Windows\Sysnative\cmd.exe /D /c bin_x64.dat -y -pkmsauto
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1292
- - C:\ProgramData\KMSAuto\bin_x64.dat
    bin_x64.dat -y -pkmsauto
    3⤵
    - Executes dropped EXE
    PID:5052
- C:\Windows\system32\cmd.exe
  C:\Windows\Sysnative\cmd.exe /D /c del /F /Q "bin_x64.dat"
  2⤵
  PID:544
- C:\Windows\system32\cmd.exe
  C:\Windows\Sysnative\cmd.exe /D /c for /f "tokens=5 delims=, " %i in ('netstat -ano ^| find ":1688 "') do taskkill /pid %i /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3512
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c netstat -ano | find ":1688 "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4504
  - - C:\Windows\system32\NETSTAT.EXE
      netstat -ano
      4⤵
      Gathers network information
      Suspicious use of AdjustPrivilegeToken
      PID:2480
  - - C:\Windows\system32\find.exe
      find ":1688 "
      4⤵
      PID:3508
- C:\Windows\system32\Netsh.exe
  C:\Windows\Sysnative\Netsh Advfirewall Firewall delete rule name="0pen Port KMS" protocol=TCP
  2⤵
  - Modifies Windows Firewall
  PID:3564
- C:\Windows\system32\Netsh.exe
  C:\Windows\Sysnative\Netsh Advfirewall Firewall add rule name="0pen Port KMS" dir=in action=allow protocol=TCP localport=1688
  2⤵
  - Modifies Windows Firewall
  PID:1728
- C:\Windows\SysWOW64\sc.exe
  "sc.exe" create KMSEmulator binpath= temp.exe type= own start= auto
  2⤵
  - Launches sc.exe
  PID:996
- C:\Windows\SysWOW64\sc.exe
  "sc.exe" start KMSEmulator
  2⤵
  - Launches sc.exe
  PID:2512
- C:\Windows\system32\cmd.exe
  C:\Windows\Sysnative\cmd.exe /D /c route -p add 100.100.0.10 0.0.0.0 IF 1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4928
- - C:\Windows\system32\ROUTE.EXE
    route -p add 100.100.0.10 0.0.0.0 IF 1
    3⤵
    PID:2368
- C:\Windows\system32\cmd.exe
  C:\Windows\Sysnative\cmd.exe /D /c FakeClient.exe 100.100.0.10
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3964
- - C:\ProgramData\KMSAuto\bin\driver\x64WDV\FakeClient.exe
    FakeClient.exe 100.100.0.10
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Windows directory
    PID:1476
- C:\Windows\system32\cmd.exe
  C:\Windows\Sysnative\cmd.exe /D /c route delete 100.100.0.10 0.0.0.0
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1792
- - C:\Windows\system32\ROUTE.EXE
    route delete 100.100.0.10 0.0.0.0
    3⤵
    PID:4048
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c taskkill /t /f /IM FakeClient.exe
  2⤵
  PID:3572
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /t /f /IM FakeClient.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2732
- C:\Windows\SysWOW64\sc.exe
  "sc.exe" stop WinDivert1.1
  2⤵
  - Launches sc.exe
  PID:1824
- C:\Windows\SysWOW64\sc.exe
  "sc.exe" delete WinDivert1.1
  2⤵
  - Launches sc.exe
  PID:2292
- C:\Windows\system32\cmd.exe
  C:\Windows\Sysnative\cmd.exe /D /c route -p add 100.100.0.10 0.0.0.0 IF 1
  2⤵
  PID:1736
- - C:\Windows\system32\ROUTE.EXE
    route -p add 100.100.0.10 0.0.0.0 IF 1
    3⤵
    PID:2912
- C:\Windows\system32\cmd.exe
  C:\Windows\Sysnative\cmd.exe /D /c FakeClient.exe 100.100.0.10
  2⤵
  PID:4972
- - C:\ProgramData\KMSAuto\bin\driver\x64WDV\FakeClient.exe
    FakeClient.exe 100.100.0.10
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Windows directory
    PID:3356
- C:\Windows\system32\cmd.exe
  C:\Windows\Sysnative\cmd.exe /D /c route delete 100.100.0.10 0.0.0.0
  2⤵
  PID:2068
- - C:\Windows\system32\ROUTE.EXE
    route delete 100.100.0.10 0.0.0.0
    3⤵
    PID:4308
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c taskkill /t /f /IM FakeClient.exe
  2⤵
  PID:796
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /t /f /IM FakeClient.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:828
- C:\Windows\SysWOW64\sc.exe
  "sc.exe" stop WinDivert1.1
  2⤵
  - Launches sc.exe
  PID:2040
- C:\Windows\SysWOW64\sc.exe
  "sc.exe" delete WinDivert1.1
  2⤵
  - Launches sc.exe
  PID:4216
- C:\Windows\system32\cmd.exe
  C:\Windows\Sysnative\cmd.exe /D /c route -p add 100.100.0.10 0.0.0.0 IF 1
  2⤵
  PID:2084
- - C:\Windows\system32\ROUTE.EXE
    route -p add 100.100.0.10 0.0.0.0 IF 1
    3⤵
    PID:3344
- C:\Windows\system32\cmd.exe
  C:\Windows\Sysnative\cmd.exe /D /c FakeClient.exe 100.100.0.10
  2⤵
  PID:3760
- - C:\ProgramData\KMSAuto\bin\driver\x64WDV\FakeClient.exe
    FakeClient.exe 100.100.0.10
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Windows directory
    PID:220
- C:\Windows\system32\cmd.exe
  C:\Windows\Sysnative\cmd.exe /D /c route delete 100.100.0.10 0.0.0.0
  2⤵
  PID:2480
- - C:\Windows\system32\ROUTE.EXE
    route delete 100.100.0.10 0.0.0.0
    3⤵
    PID:3712
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c taskkill /t /f /IM FakeClient.exe
  2⤵
  PID:3992
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /t /f /IM FakeClient.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3984
- C:\Windows\SysWOW64\sc.exe
  "sc.exe" stop WinDivert1.1
  2⤵
  - Launches sc.exe
  PID:4652
- C:\Windows\SysWOW64\sc.exe
  "sc.exe" delete WinDivert1.1
  2⤵
  - Launches sc.exe
  PID:1728
- C:\Windows\system32\cmd.exe
  C:\Windows\Sysnative\cmd.exe /D /c route -p add 100.100.0.10 0.0.0.0 IF 1
  2⤵
  PID:2472
- - C:\Windows\system32\ROUTE.EXE
    route -p add 100.100.0.10 0.0.0.0 IF 1
    3⤵
    PID:1608
- C:\Windows\system32\cmd.exe
  C:\Windows\Sysnative\cmd.exe /D /c FakeClient.exe 100.100.0.10
  2⤵
  PID:4196
- - C:\ProgramData\KMSAuto\bin\driver\x64WDV\FakeClient.exe
    FakeClient.exe 100.100.0.10
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Windows directory
    PID:4844
- C:\Windows\system32\cmd.exe
  C:\Windows\Sysnative\cmd.exe /D /c route delete 100.100.0.10 0.0.0.0
  2⤵
  PID:3140
- - C:\Windows\system32\ROUTE.EXE
    route delete 100.100.0.10 0.0.0.0
    3⤵
    PID:1960
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c taskkill /t /f /IM FakeClient.exe
  2⤵
  PID:800
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /t /f /IM FakeClient.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3304
- C:\Windows\SysWOW64\sc.exe
  "sc.exe" stop WinDivert1.1
  2⤵
  - Launches sc.exe
  PID:2476
- C:\Windows\SysWOW64\sc.exe
  "sc.exe" delete WinDivert1.1
  2⤵
  - Launches sc.exe
  PID:432
- C:\Windows\system32\cmd.exe
  C:\Windows\Sysnative\cmd.exe /D /c route -p add 100.100.0.10 0.0.0.0 IF 1
  2⤵
  PID:1132
- - C:\Windows\system32\ROUTE.EXE
    route -p add 100.100.0.10 0.0.0.0 IF 1
    3⤵
    PID:4072
- C:\Windows\system32\cmd.exe
  C:\Windows\Sysnative\cmd.exe /D /c FakeClient.exe 100.100.0.10
  2⤵
  PID:4856
- - C:\ProgramData\KMSAuto\bin\driver\x64WDV\FakeClient.exe
    FakeClient.exe 100.100.0.10
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Windows directory
    PID:3220
- C:\Windows\system32\cmd.exe
  C:\Windows\Sysnative\cmd.exe /D /c route delete 100.100.0.10 0.0.0.0
  2⤵
  PID:4584
- - C:\Windows\system32\ROUTE.EXE
    route delete 100.100.0.10 0.0.0.0
    3⤵
    PID:4792
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c taskkill /t /f /IM FakeClient.exe
  2⤵
  PID:4944
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /t /f /IM FakeClient.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4860
- C:\Windows\SysWOW64\sc.exe
  "sc.exe" stop WinDivert1.1
  2⤵
  - Launches sc.exe
  PID:4820
- C:\Windows\SysWOW64\sc.exe
  "sc.exe" delete WinDivert1.1
  2⤵
  - Launches sc.exe
  PID:4824
- C:\Windows\system32\cmd.exe
  C:\Windows\Sysnative\cmd.exe /D /c route -p add 100.100.0.10 0.0.0.0 IF 1
  2⤵
  PID:616
- - C:\Windows\system32\ROUTE.EXE
    route -p add 100.100.0.10 0.0.0.0 IF 1
    3⤵
    PID:4752
- C:\Windows\system32\cmd.exe
  C:\Windows\Sysnative\cmd.exe /D /c FakeClient.exe 100.100.0.10
  2⤵
  PID:3392
- - C:\ProgramData\KMSAuto\bin\driver\x64WDV\FakeClient.exe
    FakeClient.exe 100.100.0.10
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Windows directory
    PID:3996
- C:\Windows\system32\cmd.exe
  C:\Windows\Sysnative\cmd.exe /D /c route delete 100.100.0.10 0.0.0.0
  2⤵
  PID:2092
- - C:\Windows\system32\ROUTE.EXE
    route delete 100.100.0.10 0.0.0.0
    3⤵
    PID:5004
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c taskkill /t /f /IM FakeClient.exe
  2⤵
  PID:2664
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /t /f /IM FakeClient.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1100
- C:\Windows\SysWOW64\sc.exe
  "sc.exe" stop WinDivert1.1
  2⤵
  - Launches sc.exe
  PID:216
- C:\Windows\SysWOW64\sc.exe
  "sc.exe" delete WinDivert1.1
  2⤵
  - Launches sc.exe
  PID:4280
- C:\Windows\system32\cmd.exe
  C:\Windows\Sysnative\cmd.exe /D /c route -p add 100.100.0.10 0.0.0.0 IF 1
  2⤵
  PID:3848
- - C:\Windows\system32\ROUTE.EXE
    route -p add 100.100.0.10 0.0.0.0 IF 1
    3⤵
    PID:3388
- C:\Windows\system32\cmd.exe
  C:\Windows\Sysnative\cmd.exe /D /c FakeClient.exe 100.100.0.10
  2⤵
  PID:1516
- - C:\ProgramData\KMSAuto\bin\driver\x64WDV\FakeClient.exe
    FakeClient.exe 100.100.0.10
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Windows directory
    PID:864

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x510 0x50c
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4416

C:\ProgramData\KMSAuto\bin\KMSSS.exe
"C:\ProgramData\KMSAuto\bin\KMSSS.exe" -Port 1688 -PWin RandomKMSPID -PO14 RandomKMSPID -PO15 RandomKMSPID -PO16 RandomKMSPID -AI 43200 -RI 43200 -Log -IP
1⤵
- Executes dropped EXE
PID:4912

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Command-Line Interface

T1059

Persistence

Modify Existing Service

T1031

New Service

T1050

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

New Service

T1050

Defense Evasion

Impair Defenses

T1562

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\KMSAuto\bin.dat

Filesize
240KB

MD5
2a96e417738225fa806a6ef275443bc8

SHA1
3cb5cb736878623e490c9e53ca1c696e9ab49639

SHA256
839d31305d8fa842c832e8ec0f61d6bc575734449eb774b7c8dd79669594e25b

SHA512
cf32c908069970bd02aa87cefcfcb6aebc24843a15181a5a4d4c007aeba9aa822179f446d4902e2b1bd13e8fff35e678658455c53f4a467aa8dc11e3fcc64e80

Download Submit
C:\ProgramData\KMSAuto\bin.dat

Filesize
240KB

MD5
2a96e417738225fa806a6ef275443bc8

SHA1
3cb5cb736878623e490c9e53ca1c696e9ab49639

SHA256
839d31305d8fa842c832e8ec0f61d6bc575734449eb774b7c8dd79669594e25b

SHA512
cf32c908069970bd02aa87cefcfcb6aebc24843a15181a5a4d4c007aeba9aa822179f446d4902e2b1bd13e8fff35e678658455c53f4a467aa8dc11e3fcc64e80

Download Submit
C:\ProgramData\KMSAuto\bin\AESDecoder.exe

Filesize
53KB

MD5
b90ed3e4dbb23a464723706f12c86065

SHA1
96aa9e1d2f2e51aaf094a268df19163cb94f623a

SHA256
8391d5b724d235ba52531d9a6d85e466382ce15cbd6ba97c4ad1278ed1f03bd7

SHA512
92e0f414f1eca28788c885cb193e6baccf37641bcdc120f4db5a80849a61c6bd861987631753a0a93149c669d5814d7b7a79f1cd5087480fbb31465be53bb992

Download Submit
C:\ProgramData\KMSAuto\bin\AESDecoder.exe

Filesize
53KB

MD5
b90ed3e4dbb23a464723706f12c86065

SHA1
96aa9e1d2f2e51aaf094a268df19163cb94f623a

SHA256
8391d5b724d235ba52531d9a6d85e466382ce15cbd6ba97c4ad1278ed1f03bd7

SHA512
92e0f414f1eca28788c885cb193e6baccf37641bcdc120f4db5a80849a61c6bd861987631753a0a93149c669d5814d7b7a79f1cd5087480fbb31465be53bb992

Download Submit
C:\ProgramData\KMSAuto\bin\KMSSS.exe

Filesize
34KB

MD5
add80e5d9fad482705c3807bacfe1993

SHA1
c41c16d39994a4a8d7d0aeab64afd00ae634d013

SHA256
bb3830b14df80838fb201c611abf0c1f3714c6b8b103ed084eafc170036631be

SHA512
3f0cc9cbe1b518728eb09c6db8259e0768ac7d67d39d9055125e62ca8a76c00a0a613c7013698826d0b0e436d2dbc7d0f3ea9a993e0427cfd9a0ad8ffb836e53

Download Submit
C:\ProgramData\KMSAuto\bin\KMSSS.exe

Filesize
34KB

MD5
add80e5d9fad482705c3807bacfe1993

SHA1
c41c16d39994a4a8d7d0aeab64afd00ae634d013

SHA256
bb3830b14df80838fb201c611abf0c1f3714c6b8b103ed084eafc170036631be

SHA512
3f0cc9cbe1b518728eb09c6db8259e0768ac7d67d39d9055125e62ca8a76c00a0a613c7013698826d0b0e436d2dbc7d0f3ea9a993e0427cfd9a0ad8ffb836e53

Download Submit
C:\ProgramData\KMSAuto\bin\KMSSS.exe.aes

Filesize
34KB

MD5
9192d6947f2a3abf00084deda48a2c6f

SHA1
0da74fc0329bba4f951e0df2923bf2ab303044ce

SHA256
ded5e9e73b2ba3bd188c98a58335c65fe149d2082b88c3d91516ed25e5a379ee

SHA512
3e7ff017cd67820752c1adf2a3910c5187de4d0e3ab6ac8e2e1399bfa7e7499b88664aee6b62f49890e172ef44e18219b7a021ec3537ee71baa94f7021c7e2c8

Download Submit
C:\ProgramData\KMSAuto\bin\TunMirror.exe.aes

Filesize
14KB

MD5
6d6e295744d3750355227efd55824be1

SHA1
bd589d54c2578403bd9b58050ff33961a3fd9781

SHA256
f67f0232100f7cc7e469dc14079edf7d72ec25e48ca3b5ac9b40ed025f1ba0ef

SHA512
3cc436491433375fd23f2c204981d6489a412e5a62f7b92409080672a531019260366aca8df43b45d4d3dc538f76d883053ba8c4c9146bb4371305f2a27d9e7b

Download Submit
C:\ProgramData\KMSAuto\bin\TunMirror2.exe.aes

Filesize
14KB

MD5
a1a5afa53b578db6abf400a88548f487

SHA1
b73ae3c93a43074afe54e611bad938da98eee385

SHA256
a9e76d637e0c0a65036d7f2d5c3d7b1c53218b94716554f4d9f6630dcff8c75a

SHA512
c9cff93b807d0db06d8a67e4e1b2e934f84a509a5f9af4bd0f4ad84eaec6874412c0c094c034d8637cacd3219bb7c82723a25f35907cba5024293e46991d4e2c

Download Submit
C:\ProgramData\KMSAuto\bin\driver\x64WDV\FakeClient.exe

Filesize
13KB

MD5
b85f4ce841f3ae1ebdf76835d2eadbef

SHA1
65c215dd7b7a3e8cb76003c252e13fa1e8e50c7c

SHA256
ce28748f6ae7b54ab35fc31d825e80a26e143737cf4748fff523781e04c1ee79

SHA512
c86326cf84b8ae8e72a5d49940a95a525db6f97ca859f15d90f6db9bc11b45a0c326bfe387c243c05f3578528ad2b2bfeea1db2950b331c71fac959fafab3d4f

Download Submit
C:\ProgramData\KMSAuto\bin\driver\x64WDV\FakeClient.exe

Filesize
13KB

MD5
b85f4ce841f3ae1ebdf76835d2eadbef

SHA1
65c215dd7b7a3e8cb76003c252e13fa1e8e50c7c

SHA256
ce28748f6ae7b54ab35fc31d825e80a26e143737cf4748fff523781e04c1ee79

SHA512
c86326cf84b8ae8e72a5d49940a95a525db6f97ca859f15d90f6db9bc11b45a0c326bfe387c243c05f3578528ad2b2bfeea1db2950b331c71fac959fafab3d4f

Download Submit
C:\ProgramData\KMSAuto\bin\driver\x64WDV\FakeClient.exe

Filesize
13KB

MD5
b85f4ce841f3ae1ebdf76835d2eadbef

SHA1
65c215dd7b7a3e8cb76003c252e13fa1e8e50c7c

SHA256
ce28748f6ae7b54ab35fc31d825e80a26e143737cf4748fff523781e04c1ee79

SHA512
c86326cf84b8ae8e72a5d49940a95a525db6f97ca859f15d90f6db9bc11b45a0c326bfe387c243c05f3578528ad2b2bfeea1db2950b331c71fac959fafab3d4f

Download Submit
C:\ProgramData\KMSAuto\bin\driver\x64WDV\FakeClient.exe

Filesize
13KB

MD5
b85f4ce841f3ae1ebdf76835d2eadbef

SHA1
65c215dd7b7a3e8cb76003c252e13fa1e8e50c7c

SHA256
ce28748f6ae7b54ab35fc31d825e80a26e143737cf4748fff523781e04c1ee79

SHA512
c86326cf84b8ae8e72a5d49940a95a525db6f97ca859f15d90f6db9bc11b45a0c326bfe387c243c05f3578528ad2b2bfeea1db2950b331c71fac959fafab3d4f

Download Submit
C:\ProgramData\KMSAuto\bin\driver\x64WDV\FakeClient.exe

Filesize
13KB

MD5
b85f4ce841f3ae1ebdf76835d2eadbef

SHA1
65c215dd7b7a3e8cb76003c252e13fa1e8e50c7c

SHA256
ce28748f6ae7b54ab35fc31d825e80a26e143737cf4748fff523781e04c1ee79

SHA512
c86326cf84b8ae8e72a5d49940a95a525db6f97ca859f15d90f6db9bc11b45a0c326bfe387c243c05f3578528ad2b2bfeea1db2950b331c71fac959fafab3d4f

Download Submit
C:\ProgramData\KMSAuto\bin\driver\x64WDV\FakeClient.exe

Filesize
13KB

MD5
b85f4ce841f3ae1ebdf76835d2eadbef

SHA1
65c215dd7b7a3e8cb76003c252e13fa1e8e50c7c

SHA256
ce28748f6ae7b54ab35fc31d825e80a26e143737cf4748fff523781e04c1ee79

SHA512
c86326cf84b8ae8e72a5d49940a95a525db6f97ca859f15d90f6db9bc11b45a0c326bfe387c243c05f3578528ad2b2bfeea1db2950b331c71fac959fafab3d4f

Download Submit
C:\ProgramData\KMSAuto\bin\driver\x64WDV\FakeClient.exe

Filesize
13KB

MD5
b85f4ce841f3ae1ebdf76835d2eadbef

SHA1
65c215dd7b7a3e8cb76003c252e13fa1e8e50c7c

SHA256
ce28748f6ae7b54ab35fc31d825e80a26e143737cf4748fff523781e04c1ee79

SHA512
c86326cf84b8ae8e72a5d49940a95a525db6f97ca859f15d90f6db9bc11b45a0c326bfe387c243c05f3578528ad2b2bfeea1db2950b331c71fac959fafab3d4f

Download Submit
C:\ProgramData\KMSAuto\bin\driver\x64WDV\FakeClient.exe

Filesize
13KB

MD5
b85f4ce841f3ae1ebdf76835d2eadbef

SHA1
65c215dd7b7a3e8cb76003c252e13fa1e8e50c7c

SHA256
ce28748f6ae7b54ab35fc31d825e80a26e143737cf4748fff523781e04c1ee79

SHA512
c86326cf84b8ae8e72a5d49940a95a525db6f97ca859f15d90f6db9bc11b45a0c326bfe387c243c05f3578528ad2b2bfeea1db2950b331c71fac959fafab3d4f

Download Submit
C:\ProgramData\KMSAuto\bin\driver\x64WDV\WdfCoInstaller01009.dll

Filesize
68KB

MD5
be566e174eaf5b93b0474593cd8f2715

SHA1
350ca8482be913dd9ca7a279fb5680a884402e26

SHA256
cee8496bfa1080fd84fc48ba4375625238900fe93ea739b2dc0300206fde8330

SHA512
fc608acd903daf17250b8ee0f2491458cf06eca9856988fce6b8134f8deb2a3716c3641977d24e3614c9abf344184225bffeeb25212d374988115b15d0ce4b5b

Download Submit
C:\ProgramData\KMSAuto\bin\driver\x64WDV\WdfCoInstaller01009.dll

Filesize
68KB

MD5
be566e174eaf5b93b0474593cd8f2715

SHA1
350ca8482be913dd9ca7a279fb5680a884402e26

SHA256
cee8496bfa1080fd84fc48ba4375625238900fe93ea739b2dc0300206fde8330

SHA512
fc608acd903daf17250b8ee0f2491458cf06eca9856988fce6b8134f8deb2a3716c3641977d24e3614c9abf344184225bffeeb25212d374988115b15d0ce4b5b

Download Submit
C:\ProgramData\KMSAuto\bin\driver\x64WDV\WdfCoInstaller01009.dll

Filesize
68KB

MD5
be566e174eaf5b93b0474593cd8f2715

SHA1
350ca8482be913dd9ca7a279fb5680a884402e26

SHA256
cee8496bfa1080fd84fc48ba4375625238900fe93ea739b2dc0300206fde8330

SHA512
fc608acd903daf17250b8ee0f2491458cf06eca9856988fce6b8134f8deb2a3716c3641977d24e3614c9abf344184225bffeeb25212d374988115b15d0ce4b5b

Download Submit
C:\ProgramData\KMSAuto\bin\driver\x64WDV\WdfCoInstaller01009.dll

Filesize
68KB

MD5
be566e174eaf5b93b0474593cd8f2715

SHA1
350ca8482be913dd9ca7a279fb5680a884402e26

SHA256
cee8496bfa1080fd84fc48ba4375625238900fe93ea739b2dc0300206fde8330

SHA512
fc608acd903daf17250b8ee0f2491458cf06eca9856988fce6b8134f8deb2a3716c3641977d24e3614c9abf344184225bffeeb25212d374988115b15d0ce4b5b

Download Submit
C:\ProgramData\KMSAuto\bin\driver\x64WDV\WdfCoInstaller01009.dll

Filesize
68KB

MD5
be566e174eaf5b93b0474593cd8f2715

SHA1
350ca8482be913dd9ca7a279fb5680a884402e26

SHA256
cee8496bfa1080fd84fc48ba4375625238900fe93ea739b2dc0300206fde8330

SHA512
fc608acd903daf17250b8ee0f2491458cf06eca9856988fce6b8134f8deb2a3716c3641977d24e3614c9abf344184225bffeeb25212d374988115b15d0ce4b5b

Download Submit
C:\ProgramData\KMSAuto\bin\driver\x64WDV\WdfCoInstaller01009.dll

Filesize
68KB

MD5
be566e174eaf5b93b0474593cd8f2715

SHA1
350ca8482be913dd9ca7a279fb5680a884402e26

SHA256
cee8496bfa1080fd84fc48ba4375625238900fe93ea739b2dc0300206fde8330

SHA512
fc608acd903daf17250b8ee0f2491458cf06eca9856988fce6b8134f8deb2a3716c3641977d24e3614c9abf344184225bffeeb25212d374988115b15d0ce4b5b

Download Submit
C:\ProgramData\KMSAuto\bin\driver\x64WDV\WdfCoInstaller01009.dll

Filesize
68KB

MD5
be566e174eaf5b93b0474593cd8f2715

SHA1
350ca8482be913dd9ca7a279fb5680a884402e26

SHA256
cee8496bfa1080fd84fc48ba4375625238900fe93ea739b2dc0300206fde8330

SHA512
fc608acd903daf17250b8ee0f2491458cf06eca9856988fce6b8134f8deb2a3716c3641977d24e3614c9abf344184225bffeeb25212d374988115b15d0ce4b5b

Download Submit
C:\ProgramData\KMSAuto\bin\driver\x64WDV\WdfCoInstaller01009.dll

Filesize
68KB

MD5
be566e174eaf5b93b0474593cd8f2715

SHA1
350ca8482be913dd9ca7a279fb5680a884402e26

SHA256
cee8496bfa1080fd84fc48ba4375625238900fe93ea739b2dc0300206fde8330

SHA512
fc608acd903daf17250b8ee0f2491458cf06eca9856988fce6b8134f8deb2a3716c3641977d24e3614c9abf344184225bffeeb25212d374988115b15d0ce4b5b

Download Submit
C:\ProgramData\KMSAuto\bin\driver\x64WDV\WinDivert.dll

Filesize
16KB

MD5
3f0c03e5076c7e6b404f894ff4dc5bb1

SHA1
9cf99c875e6acd4b12e0eddd5fa51d296ea4998e

SHA256
4e7ebed8410c83b73a23185aa94680143da2933305cd6deefe8ec0b51b7ee6f3

SHA512
20de17d511cc1b3f283a28423f5bdfaef36f104d62c33a1da6449c528d1d8e4986afe8ef68e590add9262c3c7441132022a049022d14deba08a8c72e139f78f4

Download Submit
C:\ProgramData\KMSAuto\bin\driver\x64WDV\WinDivert.dll

Filesize
16KB

MD5
3f0c03e5076c7e6b404f894ff4dc5bb1

SHA1
9cf99c875e6acd4b12e0eddd5fa51d296ea4998e

SHA256
4e7ebed8410c83b73a23185aa94680143da2933305cd6deefe8ec0b51b7ee6f3

SHA512
20de17d511cc1b3f283a28423f5bdfaef36f104d62c33a1da6449c528d1d8e4986afe8ef68e590add9262c3c7441132022a049022d14deba08a8c72e139f78f4

Download Submit
C:\ProgramData\KMSAuto\bin\driver\x64WDV\WinDivert.dll

Filesize
16KB

MD5
3f0c03e5076c7e6b404f894ff4dc5bb1

SHA1
9cf99c875e6acd4b12e0eddd5fa51d296ea4998e

SHA256
4e7ebed8410c83b73a23185aa94680143da2933305cd6deefe8ec0b51b7ee6f3

SHA512
20de17d511cc1b3f283a28423f5bdfaef36f104d62c33a1da6449c528d1d8e4986afe8ef68e590add9262c3c7441132022a049022d14deba08a8c72e139f78f4

Download Submit
C:\ProgramData\KMSAuto\bin\driver\x64WDV\WinDivert.dll

Filesize
16KB

MD5
3f0c03e5076c7e6b404f894ff4dc5bb1

SHA1
9cf99c875e6acd4b12e0eddd5fa51d296ea4998e

SHA256
4e7ebed8410c83b73a23185aa94680143da2933305cd6deefe8ec0b51b7ee6f3

SHA512
20de17d511cc1b3f283a28423f5bdfaef36f104d62c33a1da6449c528d1d8e4986afe8ef68e590add9262c3c7441132022a049022d14deba08a8c72e139f78f4

Download Submit
C:\ProgramData\KMSAuto\bin\driver\x64WDV\WinDivert.dll

Filesize
16KB

MD5
3f0c03e5076c7e6b404f894ff4dc5bb1

SHA1
9cf99c875e6acd4b12e0eddd5fa51d296ea4998e

SHA256
4e7ebed8410c83b73a23185aa94680143da2933305cd6deefe8ec0b51b7ee6f3

SHA512
20de17d511cc1b3f283a28423f5bdfaef36f104d62c33a1da6449c528d1d8e4986afe8ef68e590add9262c3c7441132022a049022d14deba08a8c72e139f78f4

Download Submit
C:\ProgramData\KMSAuto\bin\driver\x64WDV\WinDivert.dll

Filesize
16KB

MD5
3f0c03e5076c7e6b404f894ff4dc5bb1

SHA1
9cf99c875e6acd4b12e0eddd5fa51d296ea4998e

SHA256
4e7ebed8410c83b73a23185aa94680143da2933305cd6deefe8ec0b51b7ee6f3

SHA512
20de17d511cc1b3f283a28423f5bdfaef36f104d62c33a1da6449c528d1d8e4986afe8ef68e590add9262c3c7441132022a049022d14deba08a8c72e139f78f4

Download Submit
C:\ProgramData\KMSAuto\bin\driver\x64WDV\WinDivert.dll

Filesize
16KB

MD5
3f0c03e5076c7e6b404f894ff4dc5bb1

SHA1
9cf99c875e6acd4b12e0eddd5fa51d296ea4998e

SHA256
4e7ebed8410c83b73a23185aa94680143da2933305cd6deefe8ec0b51b7ee6f3

SHA512
20de17d511cc1b3f283a28423f5bdfaef36f104d62c33a1da6449c528d1d8e4986afe8ef68e590add9262c3c7441132022a049022d14deba08a8c72e139f78f4

Download Submit
C:\ProgramData\KMSAuto\bin\driver\x64WDV\WinDivert.dll

Filesize
16KB

MD5
3f0c03e5076c7e6b404f894ff4dc5bb1

SHA1
9cf99c875e6acd4b12e0eddd5fa51d296ea4998e

SHA256
4e7ebed8410c83b73a23185aa94680143da2933305cd6deefe8ec0b51b7ee6f3

SHA512
20de17d511cc1b3f283a28423f5bdfaef36f104d62c33a1da6449c528d1d8e4986afe8ef68e590add9262c3c7441132022a049022d14deba08a8c72e139f78f4

Download Submit
C:\ProgramData\KMSAuto\bin\driver\x64WDV\WinDivert.inf

Filesize
151B

MD5
a94d989905a248afca52bc3cbfcb248b

SHA1
cbb7b37584a58060da6a3dd748f17334384647e7

SHA256
6c9f7dea4f9a47788d5d2ba110b08457fd00dbabe4812ebca6f022300843a75d

SHA512
864eae03a01ac79917e91913fa7d83847f67f259ce8b5b42853c7ffd9a1f6847b9a4adec4d31a6ec882265fd369214bdbd147c6dc76b89bdf1bb2001046ec43f

Download Submit
C:\ProgramData\KMSAuto\bin_x64.dat

Filesize
273KB

MD5
200a90e767924a342c25662487d8c215

SHA1
aa48cbcdea041799f0153cbdc7726eeec1db9906

SHA256
184b7a8be9204f9fefa3666cd3ccaf01bab26fdbc0e2a87320acf84792fdfa84

SHA512
e2735cea38138db29f6666b00862911623ef0d3b0069322b890dea1b66c039da7f4f905010aa4d2c4c8663df4b36f788bc3cdbed228b54406cf4db379609a063

Download Submit
C:\ProgramData\KMSAuto\bin_x64.dat

Filesize
273KB

MD5
200a90e767924a342c25662487d8c215

SHA1
aa48cbcdea041799f0153cbdc7726eeec1db9906

SHA256
184b7a8be9204f9fefa3666cd3ccaf01bab26fdbc0e2a87320acf84792fdfa84

SHA512
e2735cea38138db29f6666b00862911623ef0d3b0069322b890dea1b66c039da7f4f905010aa4d2c4c8663df4b36f788bc3cdbed228b54406cf4db379609a063

Download Submit
C:\Users\Admin\AppData\Local\Temp\test.test

Filesize
6B

MD5
9f06243abcb89c70e0c331c61d871fa7

SHA1
fde773a18bb29f5ed65e6f0a7aa717fd1fa485d4

SHA256
837ccb607e312b170fac7383d7ccfd61fa5072793f19a25e75fbacb56539b86b

SHA512
b947b99d1baddd347550c9032e9ab60b6be56551cf92c076b38e4e11f436051a4af51c47e54f8641316a720b043641a3b3c1e1b01ba50445ea1ba60bfd1b7a86

Download Submit
C:\Windows\setupact.log

Filesize
2KB

MD5
5a6813dc35d04ad77d45cb0b71b5d015

SHA1
c6e1b0bd96cd2db499725dc3f1508900cd798f32

SHA256
df7325cfbc73468461747cd358be0c9bb303b998c891733f2f29cf5805a97778

SHA512
1bc4d089d50a3fa43a58899e8e7797c994b66db851e6af727324d097159a88ecb005387502775da78b012b4f1377f69115a6c9983a4982ee0b62a5a77d29b386

Download Submit
C:\Windows\setupact.log

Filesize
2KB

MD5
6f98e4e8de0852baa057e2e86bf2004b

SHA1
e4b0e5dabb22edbb355df957b182812a9b2341d8

SHA256
fcdb2d3d3ce619c8c93250c22bdfcda050973bc425ef042866af91e2795c2d74

SHA512
4ee427ac476b354bea7c00f7069efb722feea60609a033d3106c919b50c509b7aa5e407213ef0c52f26f287a389a90f32608ce4da67b79f00df015f54e06510c

Download Submit
C:\Windows\setupact.log

Filesize
3KB

MD5
1df7047fd666ad2d2ecd7dbfa1627ab0

SHA1
675ada94a355bd3a7a9ac18d61b79074fc09a5c0

SHA256
341acdce5a4c908de43d0e86660e380a5caa3937e66338c8662fb33597761f29

SHA512
f5833b11df65f623f93854314cbf2803609f84fced1a7289ab7cece0e8a0d721ab52b428623ab569896b7a0a4a73fcbd4cb00f9b7aea9a8d02e350e462cabe9c

Download Submit
C:\Windows\setupact.log

Filesize
3KB

MD5
44f5b34324a3a098f80ea15c1b983641

SHA1
67273736f9c2b3b787871de92d73e82894932e64

SHA256
33c18a5dc18cc8d9005e4a97971e976ff5958579bbedade4fc49f1c000ccbbc8

SHA512
43765fb1c0191cee876cbe17104e1447ba7434bea9a33237b193abc87f0fa87eea0874fcaee1d5fb8fc5b62e32354c5da2a0325a6e9eddca549fc7ec06dee39c

Download Submit
C:\Windows\setupact.log

Filesize
4KB

MD5
85612f8e6478778bfbdf2df86e0fcc18

SHA1
4795ba6b51f2b1269d009fda2ecfa15d8d631dac

SHA256
cef745b0cf99922addfe83097af8a551f2176ac3e6a0effa82d36eba787246fc

SHA512
44a6474ac5498b9ac02e1c98455079a701ce67c4fef11e3c1b55acfafd3395926b837eac5ba5ee64bba3b4b509f117dd5c52083f9a4454925a4fb20bd822eb21

Download Submit
C:\Windows\setupact.log

Filesize
4KB

MD5
e132d514b9f1fcb4220b20162b217ee7

SHA1
10e53fa59b46fa1d09382140aadb1f895a94b7c2

SHA256
e4d87acc83a01b00aebbcb797192c0d99ef615295a480345ea18fa6401e9e368

SHA512
2d96f3c627c1c06d9c498865898ea8a90c17d8073ad8ec554673eebb481be5aa77acdcdf8e70e5b0540df94f8e9d0a9e469a198df781404ec2bf550674a78f8a

Download Submit
memory/1720-135-0x0000000005B00000-0x0000000005B92000-memory.dmp

Filesize
584KB

Download
memory/1720-136-0x0000000005A30000-0x0000000005A3A000-memory.dmp

Filesize
40KB

Download
memory/1720-132-0x0000000000970000-0x00000000011D0000-memory.dmp

Filesize
8.4MB

Download
memory/1720-137-0x0000000005CF0000-0x0000000005D46000-memory.dmp

Filesize
344KB

Download
memory/1720-134-0x00000000060B0000-0x0000000006654000-memory.dmp

Filesize
5.6MB

Download
memory/1720-133-0x0000000005A60000-0x0000000005AFC000-memory.dmp

Filesize
624KB

Download