d4230cae5c3e1b11fca61a711e7f3886088f6728858108a6811670aa3616a57b

Analysis

max time kernel
148s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
04/07/2023, 18:32

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

KMSAuto Net 2016 1.4.9 Portable + 1.5.1/KMSAuto Net.exe
Size

8.4MB
MD5

2fb86be791b4bb4389e55df0fec04eb7
SHA1

375dc8189059602f9eb571b473d723fad3ad3d8c
SHA256

b8aec57f7e9c193fcd9796cf22997605624b8b5f9bf5f0c6190e1090d426ee31
SHA512

3230ab05eb876879aefc5e15bb726292640c1ddf476e4108f5c8eed2f373cb852964163ccb006e3d22bc1dc2f97ac2db391af9b289f21a7b099df4c4dd94ee38
SSDEEP

196608:wokKDywCAfywOweBzcyw3ywsywDywPbywgsywZywRywxywBywEyw4ywwywmIBywI:FywCAqwUBzBwiwxwGwPewgxwUwswMw84

Score

8^/10

evasion persistence

Malware Config

Signatures

Creates new service(s) 1 TTPs
persistence

New Service
T1050

Modifies Windows Firewall 1 TTPs 2 IoCs

evasion

Modify Existing Service

T1031

pid	Process
4452	Netsh.exe
1948	Netsh.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\KMSEmulator\ImagePath = "\"C:\\ProgramData\\KMSAuto\\bin\\KMSSS.exe\" -Port 1688 -PWin RandomKMSPID -PO14 RandomKMSPID -PO15 RandomKMSPID -PO16 RandomKMSPID -AI 43200 -RI 43200 -Log -IP"	KMSAuto Net.exe

Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489

Executes dropped EXE 10 IoCs

pid	Process
4660	bin.dat
3496	AESDecoder.exe
732	bin_x64.dat
4316	KMSSS.exe
5068	FakeClient.exe
2088	FakeClient.exe
488	FakeClient.exe
1224	FakeClient.exe
5036	FakeClient.exe
1000	FakeClient.exe

Loads dropped DLL 12 IoCs

pid	Process
5068	FakeClient.exe
5068	FakeClient.exe
2088	FakeClient.exe
2088	FakeClient.exe
488	FakeClient.exe
488	FakeClient.exe
1224	FakeClient.exe
1224	FakeClient.exe
5036	FakeClient.exe
5036	FakeClient.exe
1000	FakeClient.exe
1000	FakeClient.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File opened for modification	C:\Windows\setuperr.log	FakeClient.exe
File opened for modification	C:\Windows\setuperr.log	FakeClient.exe
File opened for modification	C:\Windows\setuperr.log	FakeClient.exe
File opened for modification	C:\Windows\setuperr.log	FakeClient.exe
File opened for modification	C:\Windows\setuperr.log	FakeClient.exe
File opened for modification	C:\Windows\setupact.log	FakeClient.exe
File opened for modification	C:\Windows\setuperr.log	FakeClient.exe
File opened for modification	C:\Windows\setupact.log	FakeClient.exe
File opened for modification	C:\Windows\setupact.log	FakeClient.exe
File opened for modification	C:\Windows\setupact.log	FakeClient.exe
File opened for modification	C:\Windows\setupact.log	FakeClient.exe
File opened for modification	C:\Windows\setupact.log	FakeClient.exe

Launches sc.exe 12 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
3720	sc.exe
4896	sc.exe
1232	sc.exe
2104	sc.exe
1812	sc.exe
4664	sc.exe
2388	sc.exe
2056	sc.exe
4848	sc.exe
2192	sc.exe
4288	sc.exe
3500	sc.exe

Gathers network information 2 TTPs 1 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command-Line Interface

T1059

pid	Process
348	NETSTAT.EXE

Kills process with taskkill 5 IoCs

evasion

pid	Process
4816	taskkill.exe
1308	taskkill.exe
4836	taskkill.exe
4440	taskkill.exe
2864	taskkill.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
1188	KMSAuto Net.exe
1188	KMSAuto Net.exe
1188	KMSAuto Net.exe
1188	KMSAuto Net.exe
1188	KMSAuto Net.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1188	KMSAuto Net.exe

Suspicious behavior: LoadsDriver 6 IoCs

pid	Process
668	Process not Found
668	Process not Found
668	Process not Found
668	Process not Found
668	Process not Found
668	Process not Found

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: 33	116	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	116	AUDIODG.EXE
Token: SeDebugPrivilege	348	NETSTAT.EXE
Token: SeDebugPrivilege	1188	KMSAuto Net.exe
Token: SeDebugPrivilege	1308	taskkill.exe
Token: SeDebugPrivilege	4836	taskkill.exe
Token: SeDebugPrivilege	4440	taskkill.exe
Token: SeDebugPrivilege	2864	taskkill.exe
Token: SeDebugPrivilege	4816	taskkill.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1188 wrote to memory of 1812	1188	KMSAuto Net.exe	79
PID 1188 wrote to memory of 1812	1188	KMSAuto Net.exe	79
PID 1188 wrote to memory of 1812	1188	KMSAuto Net.exe	79
PID 1188 wrote to memory of 2360	1188	KMSAuto Net.exe	81
PID 1188 wrote to memory of 2360	1188	KMSAuto Net.exe	81
PID 1188 wrote to memory of 2360	1188	KMSAuto Net.exe	81
PID 1188 wrote to memory of 1804	1188	KMSAuto Net.exe	83
PID 1188 wrote to memory of 1804	1188	KMSAuto Net.exe	83
PID 1188 wrote to memory of 2484	1188	KMSAuto Net.exe	87
PID 1188 wrote to memory of 2484	1188	KMSAuto Net.exe	87
PID 1188 wrote to memory of 2296	1188	KMSAuto Net.exe	89
PID 1188 wrote to memory of 2296	1188	KMSAuto Net.exe	89
PID 2296 wrote to memory of 4660	2296	cmd.exe	91
PID 2296 wrote to memory of 4660	2296	cmd.exe	91
PID 2296 wrote to memory of 4660	2296	cmd.exe	91
PID 1188 wrote to memory of 4248	1188	KMSAuto Net.exe	92
PID 1188 wrote to memory of 4248	1188	KMSAuto Net.exe	92
PID 1188 wrote to memory of 4776	1188	KMSAuto Net.exe	94
PID 1188 wrote to memory of 4776	1188	KMSAuto Net.exe	94
PID 4776 wrote to memory of 3496	4776	cmd.exe	96
PID 4776 wrote to memory of 3496	4776	cmd.exe	96
PID 4776 wrote to memory of 3496	4776	cmd.exe	96
PID 1188 wrote to memory of 3832	1188	KMSAuto Net.exe	97
PID 1188 wrote to memory of 3832	1188	KMSAuto Net.exe	97
PID 1188 wrote to memory of 4380	1188	KMSAuto Net.exe	99
PID 1188 wrote to memory of 4380	1188	KMSAuto Net.exe	99
PID 4380 wrote to memory of 732	4380	cmd.exe	101
PID 4380 wrote to memory of 732	4380	cmd.exe	101
PID 4380 wrote to memory of 732	4380	cmd.exe	101
PID 1188 wrote to memory of 2636	1188	KMSAuto Net.exe	102
PID 1188 wrote to memory of 2636	1188	KMSAuto Net.exe	102
PID 1188 wrote to memory of 2316	1188	KMSAuto Net.exe	104
PID 1188 wrote to memory of 2316	1188	KMSAuto Net.exe	104
PID 2316 wrote to memory of 4916	2316	cmd.exe	106
PID 2316 wrote to memory of 4916	2316	cmd.exe	106
PID 4916 wrote to memory of 348	4916	cmd.exe	107
PID 4916 wrote to memory of 348	4916	cmd.exe	107
PID 4916 wrote to memory of 1656	4916	cmd.exe	108
PID 4916 wrote to memory of 1656	4916	cmd.exe	108
PID 1188 wrote to memory of 4452	1188	KMSAuto Net.exe	109
PID 1188 wrote to memory of 4452	1188	KMSAuto Net.exe	109
PID 1188 wrote to memory of 1948	1188	KMSAuto Net.exe	111
PID 1188 wrote to memory of 1948	1188	KMSAuto Net.exe	111
PID 1188 wrote to memory of 3500	1188	KMSAuto Net.exe	113
PID 1188 wrote to memory of 3500	1188	KMSAuto Net.exe	113
PID 1188 wrote to memory of 3500	1188	KMSAuto Net.exe	113
PID 1188 wrote to memory of 4664	1188	KMSAuto Net.exe	115
PID 1188 wrote to memory of 4664	1188	KMSAuto Net.exe	115
PID 1188 wrote to memory of 4664	1188	KMSAuto Net.exe	115
PID 1188 wrote to memory of 3752	1188	KMSAuto Net.exe	118
PID 1188 wrote to memory of 3752	1188	KMSAuto Net.exe	118
PID 3752 wrote to memory of 3548	3752	cmd.exe	120
PID 3752 wrote to memory of 3548	3752	cmd.exe	120
PID 1188 wrote to memory of 3088	1188	KMSAuto Net.exe	121
PID 1188 wrote to memory of 3088	1188	KMSAuto Net.exe	121
PID 3088 wrote to memory of 5068	3088	cmd.exe	123
PID 3088 wrote to memory of 5068	3088	cmd.exe	123
PID 1188 wrote to memory of 3980	1188	KMSAuto Net.exe	124
PID 1188 wrote to memory of 3980	1188	KMSAuto Net.exe	124
PID 3980 wrote to memory of 3888	3980	cmd.exe	126
PID 3980 wrote to memory of 3888	3980	cmd.exe	126
PID 1188 wrote to memory of 4376	1188	KMSAuto Net.exe	127
PID 1188 wrote to memory of 4376	1188	KMSAuto Net.exe	127
PID 1188 wrote to memory of 4376	1188	KMSAuto Net.exe	127

C:\Users\Admin\AppData\Local\Temp\KMSAuto Net 2016 1.4.9 Portable + 1.5.1\KMSAuto Net.exe
"C:\Users\Admin\AppData\Local\Temp\KMSAuto Net 2016 1.4.9 Portable + 1.5.1\KMSAuto Net.exe"
1⤵
- Sets service image path in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1188
- C:\Windows\SysWOW64\cmd.exe
  cmd /c md "C:\Users\Admin\AppData\Local\MSfree Inc"
  2⤵
  PID:1812
- C:\Windows\SysWOW64\cmd.exe
  cmd /c echo test>>"C:\Users\Admin\AppData\Local\Temp\KMSAuto Net 2016 1.4.9 Portable + 1.5.1\test.test"
  2⤵
  PID:2360
- C:\Windows\system32\cmd.exe
  C:\Windows\Sysnative\cmd.exe /D /c del /F /Q "test.test"
  2⤵
  PID:1804
- C:\Windows\system32\cmd.exe
  C:\Windows\Sysnative\cmd.exe /D /c md "C:\ProgramData\KMSAuto"
  2⤵
  PID:2484
- C:\Windows\system32\cmd.exe
  C:\Windows\Sysnative\cmd.exe /D /c bin.dat -y -pkmsauto
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2296
- - C:\ProgramData\KMSAuto\bin.dat
    bin.dat -y -pkmsauto
    3⤵
    - Executes dropped EXE
    PID:4660
- C:\Windows\system32\cmd.exe
  C:\Windows\Sysnative\cmd.exe /D /c del /F /Q "bin.dat"
  2⤵
  PID:4248
- C:\Windows\system32\cmd.exe
  C:\Windows\Sysnative\cmd.exe /D /c AESDecoder.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4776
- - C:\ProgramData\KMSAuto\bin\AESDecoder.exe
    AESDecoder.exe
    3⤵
    - Executes dropped EXE
    PID:3496
- C:\Windows\system32\cmd.exe
  C:\Windows\Sysnative\cmd.exe /D /c del /F /Q "AESDecoder.exe"
  2⤵
  PID:3832
- C:\Windows\system32\cmd.exe
  C:\Windows\Sysnative\cmd.exe /D /c bin_x64.dat -y -pkmsauto
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4380
- - C:\ProgramData\KMSAuto\bin_x64.dat
    bin_x64.dat -y -pkmsauto
    3⤵
    - Executes dropped EXE
    PID:732
- C:\Windows\system32\cmd.exe
  C:\Windows\Sysnative\cmd.exe /D /c del /F /Q "bin_x64.dat"
  2⤵
  PID:2636
- C:\Windows\system32\cmd.exe
  C:\Windows\Sysnative\cmd.exe /D /c for /f "tokens=5 delims=, " %i in ('netstat -ano ^| find ":1688 "') do taskkill /pid %i /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2316
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c netstat -ano | find ":1688 "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4916
  - - C:\Windows\system32\NETSTAT.EXE
      netstat -ano
      4⤵
      Gathers network information
      Suspicious use of AdjustPrivilegeToken
      PID:348
  - - C:\Windows\system32\find.exe
      find ":1688 "
      4⤵
      PID:1656
- C:\Windows\system32\Netsh.exe
  C:\Windows\Sysnative\Netsh Advfirewall Firewall delete rule name="0pen Port KMS" protocol=TCP
  2⤵
  - Modifies Windows Firewall
  PID:4452
- C:\Windows\system32\Netsh.exe
  C:\Windows\Sysnative\Netsh Advfirewall Firewall add rule name="0pen Port KMS" dir=in action=allow protocol=TCP localport=1688
  2⤵
  - Modifies Windows Firewall
  PID:1948
- C:\Windows\SysWOW64\sc.exe
  "sc.exe" create KMSEmulator binpath= temp.exe type= own start= auto
  2⤵
  - Launches sc.exe
  PID:3500
- C:\Windows\SysWOW64\sc.exe
  "sc.exe" start KMSEmulator
  2⤵
  - Launches sc.exe
  PID:4664
- C:\Windows\system32\cmd.exe
  C:\Windows\Sysnative\cmd.exe /D /c route -p add 100.100.0.10 0.0.0.0 IF 1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3752
- - C:\Windows\system32\ROUTE.EXE
    route -p add 100.100.0.10 0.0.0.0 IF 1
    3⤵
    PID:3548
- C:\Windows\system32\cmd.exe
  C:\Windows\Sysnative\cmd.exe /D /c FakeClient.exe 100.100.0.10
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3088
- - C:\ProgramData\KMSAuto\bin\driver\x64WDV\FakeClient.exe
    FakeClient.exe 100.100.0.10
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Windows directory
    PID:5068
- C:\Windows\system32\cmd.exe
  C:\Windows\Sysnative\cmd.exe /D /c route delete 100.100.0.10 0.0.0.0
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3980
- - C:\Windows\system32\ROUTE.EXE
    route delete 100.100.0.10 0.0.0.0
    3⤵
    PID:3888
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c taskkill /t /f /IM FakeClient.exe
  2⤵
  PID:4376
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /t /f /IM FakeClient.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1308
- C:\Windows\SysWOW64\sc.exe
  "sc.exe" stop WinDivert1.1
  2⤵
  - Launches sc.exe
  PID:3720
- C:\Windows\SysWOW64\sc.exe
  "sc.exe" delete WinDivert1.1
  2⤵
  - Launches sc.exe
  PID:4896
- C:\Windows\system32\cmd.exe
  C:\Windows\Sysnative\cmd.exe /D /c route -p add 100.100.0.10 0.0.0.0 IF 1
  2⤵
  PID:2736
- - C:\Windows\system32\ROUTE.EXE
    route -p add 100.100.0.10 0.0.0.0 IF 1
    3⤵
    PID:4212
- C:\Windows\system32\cmd.exe
  C:\Windows\Sysnative\cmd.exe /D /c FakeClient.exe 100.100.0.10
  2⤵
  PID:4948
- - C:\ProgramData\KMSAuto\bin\driver\x64WDV\FakeClient.exe
    FakeClient.exe 100.100.0.10
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Windows directory
    PID:2088
- C:\Windows\system32\cmd.exe
  C:\Windows\Sysnative\cmd.exe /D /c route delete 100.100.0.10 0.0.0.0
  2⤵
  PID:2144
- - C:\Windows\system32\ROUTE.EXE
    route delete 100.100.0.10 0.0.0.0
    3⤵
    PID:1876
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c taskkill /t /f /IM FakeClient.exe
  2⤵
  PID:4996
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /t /f /IM FakeClient.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4836
- C:\Windows\SysWOW64\sc.exe
  "sc.exe" stop WinDivert1.1
  2⤵
  - Launches sc.exe
  PID:2388
- C:\Windows\SysWOW64\sc.exe
  "sc.exe" delete WinDivert1.1
  2⤵
  - Launches sc.exe
  PID:2056
- C:\Windows\system32\cmd.exe
  C:\Windows\Sysnative\cmd.exe /D /c route -p add 100.100.0.10 0.0.0.0 IF 1
  2⤵
  PID:2100
- - C:\Windows\system32\ROUTE.EXE
    route -p add 100.100.0.10 0.0.0.0 IF 1
    3⤵
    PID:4800
- C:\Windows\system32\cmd.exe
  C:\Windows\Sysnative\cmd.exe /D /c FakeClient.exe 100.100.0.10
  2⤵
  PID:4660
- - C:\ProgramData\KMSAuto\bin\driver\x64WDV\FakeClient.exe
    FakeClient.exe 100.100.0.10
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Windows directory
    PID:488
- C:\Windows\system32\cmd.exe
  C:\Windows\Sysnative\cmd.exe /D /c route delete 100.100.0.10 0.0.0.0
  2⤵
  PID:2832
- - C:\Windows\system32\ROUTE.EXE
    route delete 100.100.0.10 0.0.0.0
    3⤵
    PID:3496
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c taskkill /t /f /IM FakeClient.exe
  2⤵
  PID:4880
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /t /f /IM FakeClient.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4440
- C:\Windows\SysWOW64\sc.exe
  "sc.exe" stop WinDivert1.1
  2⤵
  - Launches sc.exe
  PID:1232
- C:\Windows\SysWOW64\sc.exe
  "sc.exe" delete WinDivert1.1
  2⤵
  - Launches sc.exe
  PID:4848
- C:\Windows\system32\cmd.exe
  C:\Windows\Sysnative\cmd.exe /D /c route -p add 100.100.0.10 0.0.0.0 IF 1
  2⤵
  PID:2288
- - C:\Windows\system32\ROUTE.EXE
    route -p add 100.100.0.10 0.0.0.0 IF 1
    3⤵
    PID:3708
- C:\Windows\system32\cmd.exe
  C:\Windows\Sysnative\cmd.exe /D /c FakeClient.exe 100.100.0.10
  2⤵
  PID:444
- - C:\ProgramData\KMSAuto\bin\driver\x64WDV\FakeClient.exe
    FakeClient.exe 100.100.0.10
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Windows directory
    PID:1224
- C:\Windows\system32\cmd.exe
  C:\Windows\Sysnative\cmd.exe /D /c route delete 100.100.0.10 0.0.0.0
  2⤵
  PID:1628
- - C:\Windows\system32\ROUTE.EXE
    route delete 100.100.0.10 0.0.0.0
    3⤵
    PID:1580
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c taskkill /t /f /IM FakeClient.exe
  2⤵
  PID:4460
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /t /f /IM FakeClient.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2864
- C:\Windows\SysWOW64\sc.exe
  "sc.exe" stop WinDivert1.1
  2⤵
  - Launches sc.exe
  PID:2192
- C:\Windows\SysWOW64\sc.exe
  "sc.exe" delete WinDivert1.1
  2⤵
  - Launches sc.exe
  PID:2104
- C:\Windows\system32\cmd.exe
  C:\Windows\Sysnative\cmd.exe /D /c route -p add 100.100.0.10 0.0.0.0 IF 1
  2⤵
  PID:4012
- - C:\Windows\system32\ROUTE.EXE
    route -p add 100.100.0.10 0.0.0.0 IF 1
    3⤵
    PID:3260
- C:\Windows\system32\cmd.exe
  C:\Windows\Sysnative\cmd.exe /D /c FakeClient.exe 100.100.0.10
  2⤵
  PID:3040
- - C:\ProgramData\KMSAuto\bin\driver\x64WDV\FakeClient.exe
    FakeClient.exe 100.100.0.10
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Windows directory
    PID:5036
- C:\Windows\system32\cmd.exe
  C:\Windows\Sysnative\cmd.exe /D /c route delete 100.100.0.10 0.0.0.0
  2⤵
  PID:548
- - C:\Windows\system32\ROUTE.EXE
    route delete 100.100.0.10 0.0.0.0
    3⤵
    PID:3032
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c taskkill /t /f /IM FakeClient.exe
  2⤵
  PID:3088
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /t /f /IM FakeClient.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4816
- C:\Windows\SysWOW64\sc.exe
  "sc.exe" stop WinDivert1.1
  2⤵
  - Launches sc.exe
  PID:4288
- C:\Windows\SysWOW64\sc.exe
  "sc.exe" delete WinDivert1.1
  2⤵
  - Launches sc.exe
  PID:1812
- C:\Windows\system32\cmd.exe
  C:\Windows\Sysnative\cmd.exe /D /c route -p add 100.100.0.10 0.0.0.0 IF 1
  2⤵
  PID:4376
- - C:\Windows\system32\ROUTE.EXE
    route -p add 100.100.0.10 0.0.0.0 IF 1
    3⤵
    PID:2360
- C:\Windows\system32\cmd.exe
  C:\Windows\Sysnative\cmd.exe /D /c FakeClient.exe 100.100.0.10
  2⤵
  PID:1212
- - C:\ProgramData\KMSAuto\bin\driver\x64WDV\FakeClient.exe
    FakeClient.exe 100.100.0.10
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Windows directory
    PID:1000

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x4f8 0x508
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:116

C:\ProgramData\KMSAuto\bin\KMSSS.exe
"C:\ProgramData\KMSAuto\bin\KMSSS.exe" -Port 1688 -PWin RandomKMSPID -PO14 RandomKMSPID -PO15 RandomKMSPID -PO16 RandomKMSPID -AI 43200 -RI 43200 -Log -IP
1⤵
- Executes dropped EXE
PID:4316

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Command-Line Interface

T1059

Persistence

Modify Existing Service

T1031

New Service

T1050

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

New Service

T1050

Defense Evasion

Impair Defenses

T1562

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\KMSAuto\bin.dat

Filesize
240KB

MD5
2a96e417738225fa806a6ef275443bc8

SHA1
3cb5cb736878623e490c9e53ca1c696e9ab49639

SHA256
839d31305d8fa842c832e8ec0f61d6bc575734449eb774b7c8dd79669594e25b

SHA512
cf32c908069970bd02aa87cefcfcb6aebc24843a15181a5a4d4c007aeba9aa822179f446d4902e2b1bd13e8fff35e678658455c53f4a467aa8dc11e3fcc64e80

Download Submit
C:\ProgramData\KMSAuto\bin.dat

Filesize
240KB

MD5
2a96e417738225fa806a6ef275443bc8

SHA1
3cb5cb736878623e490c9e53ca1c696e9ab49639

SHA256
839d31305d8fa842c832e8ec0f61d6bc575734449eb774b7c8dd79669594e25b

SHA512
cf32c908069970bd02aa87cefcfcb6aebc24843a15181a5a4d4c007aeba9aa822179f446d4902e2b1bd13e8fff35e678658455c53f4a467aa8dc11e3fcc64e80

Download Submit
C:\ProgramData\KMSAuto\bin\AESDecoder.exe

Filesize
53KB

MD5
b90ed3e4dbb23a464723706f12c86065

SHA1
96aa9e1d2f2e51aaf094a268df19163cb94f623a

SHA256
8391d5b724d235ba52531d9a6d85e466382ce15cbd6ba97c4ad1278ed1f03bd7

SHA512
92e0f414f1eca28788c885cb193e6baccf37641bcdc120f4db5a80849a61c6bd861987631753a0a93149c669d5814d7b7a79f1cd5087480fbb31465be53bb992

Download Submit
C:\ProgramData\KMSAuto\bin\AESDecoder.exe

Filesize
53KB

MD5
b90ed3e4dbb23a464723706f12c86065

SHA1
96aa9e1d2f2e51aaf094a268df19163cb94f623a

SHA256
8391d5b724d235ba52531d9a6d85e466382ce15cbd6ba97c4ad1278ed1f03bd7

SHA512
92e0f414f1eca28788c885cb193e6baccf37641bcdc120f4db5a80849a61c6bd861987631753a0a93149c669d5814d7b7a79f1cd5087480fbb31465be53bb992

Download Submit
C:\ProgramData\KMSAuto\bin\KMSSS.exe

Filesize
34KB

MD5
add80e5d9fad482705c3807bacfe1993

SHA1
c41c16d39994a4a8d7d0aeab64afd00ae634d013

SHA256
bb3830b14df80838fb201c611abf0c1f3714c6b8b103ed084eafc170036631be

SHA512
3f0cc9cbe1b518728eb09c6db8259e0768ac7d67d39d9055125e62ca8a76c00a0a613c7013698826d0b0e436d2dbc7d0f3ea9a993e0427cfd9a0ad8ffb836e53

Download Submit
C:\ProgramData\KMSAuto\bin\KMSSS.exe

Filesize
34KB

MD5
add80e5d9fad482705c3807bacfe1993

SHA1
c41c16d39994a4a8d7d0aeab64afd00ae634d013

SHA256
bb3830b14df80838fb201c611abf0c1f3714c6b8b103ed084eafc170036631be

SHA512
3f0cc9cbe1b518728eb09c6db8259e0768ac7d67d39d9055125e62ca8a76c00a0a613c7013698826d0b0e436d2dbc7d0f3ea9a993e0427cfd9a0ad8ffb836e53

Download Submit
C:\ProgramData\KMSAuto\bin\KMSSS.exe.aes

Filesize
34KB

MD5
9192d6947f2a3abf00084deda48a2c6f

SHA1
0da74fc0329bba4f951e0df2923bf2ab303044ce

SHA256
ded5e9e73b2ba3bd188c98a58335c65fe149d2082b88c3d91516ed25e5a379ee

SHA512
3e7ff017cd67820752c1adf2a3910c5187de4d0e3ab6ac8e2e1399bfa7e7499b88664aee6b62f49890e172ef44e18219b7a021ec3537ee71baa94f7021c7e2c8

Download Submit
C:\ProgramData\KMSAuto\bin\KMSSS.log

Filesize
773B

MD5
9c6c33aed99966578d55f4284edf2a90

SHA1
573413f8618a13e7fa15b8eae025990627d811e4

SHA256
814ffde250ffc7d5d89f05240826fd3abc8ef2b1927d5574229af1bb95a95d0f

SHA512
0a131c54f4589a3201ec41e39deb1b0f854692d30f70ca5405f2e56d7deb27433a67791eb2ff2e02fe6073fdfb41d8f1246ddc23f97d0c8543818ec6bf04047e

Download Submit
C:\ProgramData\KMSAuto\bin\TunMirror.exe.aes

Filesize
14KB

MD5
6d6e295744d3750355227efd55824be1

SHA1
bd589d54c2578403bd9b58050ff33961a3fd9781

SHA256
f67f0232100f7cc7e469dc14079edf7d72ec25e48ca3b5ac9b40ed025f1ba0ef

SHA512
3cc436491433375fd23f2c204981d6489a412e5a62f7b92409080672a531019260366aca8df43b45d4d3dc538f76d883053ba8c4c9146bb4371305f2a27d9e7b

Download Submit
C:\ProgramData\KMSAuto\bin\TunMirror2.exe.aes

Filesize
14KB

MD5
a1a5afa53b578db6abf400a88548f487

SHA1
b73ae3c93a43074afe54e611bad938da98eee385

SHA256
a9e76d637e0c0a65036d7f2d5c3d7b1c53218b94716554f4d9f6630dcff8c75a

SHA512
c9cff93b807d0db06d8a67e4e1b2e934f84a509a5f9af4bd0f4ad84eaec6874412c0c094c034d8637cacd3219bb7c82723a25f35907cba5024293e46991d4e2c

Download Submit
C:\ProgramData\KMSAuto\bin\driver\x64WDV\FakeClient.exe

Filesize
13KB

MD5
b85f4ce841f3ae1ebdf76835d2eadbef

SHA1
65c215dd7b7a3e8cb76003c252e13fa1e8e50c7c

SHA256
ce28748f6ae7b54ab35fc31d825e80a26e143737cf4748fff523781e04c1ee79

SHA512
c86326cf84b8ae8e72a5d49940a95a525db6f97ca859f15d90f6db9bc11b45a0c326bfe387c243c05f3578528ad2b2bfeea1db2950b331c71fac959fafab3d4f

Download Submit
C:\ProgramData\KMSAuto\bin\driver\x64WDV\FakeClient.exe

Filesize
13KB

MD5
b85f4ce841f3ae1ebdf76835d2eadbef

SHA1
65c215dd7b7a3e8cb76003c252e13fa1e8e50c7c

SHA256
ce28748f6ae7b54ab35fc31d825e80a26e143737cf4748fff523781e04c1ee79

SHA512
c86326cf84b8ae8e72a5d49940a95a525db6f97ca859f15d90f6db9bc11b45a0c326bfe387c243c05f3578528ad2b2bfeea1db2950b331c71fac959fafab3d4f

Download Submit
C:\ProgramData\KMSAuto\bin\driver\x64WDV\FakeClient.exe

Filesize
13KB

MD5
b85f4ce841f3ae1ebdf76835d2eadbef

SHA1
65c215dd7b7a3e8cb76003c252e13fa1e8e50c7c

SHA256
ce28748f6ae7b54ab35fc31d825e80a26e143737cf4748fff523781e04c1ee79

SHA512
c86326cf84b8ae8e72a5d49940a95a525db6f97ca859f15d90f6db9bc11b45a0c326bfe387c243c05f3578528ad2b2bfeea1db2950b331c71fac959fafab3d4f

Download Submit
C:\ProgramData\KMSAuto\bin\driver\x64WDV\FakeClient.exe

Filesize
13KB

MD5
b85f4ce841f3ae1ebdf76835d2eadbef

SHA1
65c215dd7b7a3e8cb76003c252e13fa1e8e50c7c

SHA256
ce28748f6ae7b54ab35fc31d825e80a26e143737cf4748fff523781e04c1ee79

SHA512
c86326cf84b8ae8e72a5d49940a95a525db6f97ca859f15d90f6db9bc11b45a0c326bfe387c243c05f3578528ad2b2bfeea1db2950b331c71fac959fafab3d4f

Download Submit
C:\ProgramData\KMSAuto\bin\driver\x64WDV\FakeClient.exe

Filesize
13KB

MD5
b85f4ce841f3ae1ebdf76835d2eadbef

SHA1
65c215dd7b7a3e8cb76003c252e13fa1e8e50c7c

SHA256
ce28748f6ae7b54ab35fc31d825e80a26e143737cf4748fff523781e04c1ee79

SHA512
c86326cf84b8ae8e72a5d49940a95a525db6f97ca859f15d90f6db9bc11b45a0c326bfe387c243c05f3578528ad2b2bfeea1db2950b331c71fac959fafab3d4f

Download Submit
C:\ProgramData\KMSAuto\bin\driver\x64WDV\FakeClient.exe

Filesize
13KB

MD5
b85f4ce841f3ae1ebdf76835d2eadbef

SHA1
65c215dd7b7a3e8cb76003c252e13fa1e8e50c7c

SHA256
ce28748f6ae7b54ab35fc31d825e80a26e143737cf4748fff523781e04c1ee79

SHA512
c86326cf84b8ae8e72a5d49940a95a525db6f97ca859f15d90f6db9bc11b45a0c326bfe387c243c05f3578528ad2b2bfeea1db2950b331c71fac959fafab3d4f

Download Submit
C:\ProgramData\KMSAuto\bin\driver\x64WDV\FakeClient.exe

Filesize
13KB

MD5
b85f4ce841f3ae1ebdf76835d2eadbef

SHA1
65c215dd7b7a3e8cb76003c252e13fa1e8e50c7c

SHA256
ce28748f6ae7b54ab35fc31d825e80a26e143737cf4748fff523781e04c1ee79

SHA512
c86326cf84b8ae8e72a5d49940a95a525db6f97ca859f15d90f6db9bc11b45a0c326bfe387c243c05f3578528ad2b2bfeea1db2950b331c71fac959fafab3d4f

Download Submit
C:\ProgramData\KMSAuto\bin\driver\x64WDV\WdfCoInstaller01009.dll

Filesize
68KB

MD5
be566e174eaf5b93b0474593cd8f2715

SHA1
350ca8482be913dd9ca7a279fb5680a884402e26

SHA256
cee8496bfa1080fd84fc48ba4375625238900fe93ea739b2dc0300206fde8330

SHA512
fc608acd903daf17250b8ee0f2491458cf06eca9856988fce6b8134f8deb2a3716c3641977d24e3614c9abf344184225bffeeb25212d374988115b15d0ce4b5b

Download Submit
C:\ProgramData\KMSAuto\bin\driver\x64WDV\WdfCoInstaller01009.dll

Filesize
68KB

MD5
be566e174eaf5b93b0474593cd8f2715

SHA1
350ca8482be913dd9ca7a279fb5680a884402e26

SHA256
cee8496bfa1080fd84fc48ba4375625238900fe93ea739b2dc0300206fde8330

SHA512
fc608acd903daf17250b8ee0f2491458cf06eca9856988fce6b8134f8deb2a3716c3641977d24e3614c9abf344184225bffeeb25212d374988115b15d0ce4b5b

Download Submit
C:\ProgramData\KMSAuto\bin\driver\x64WDV\WdfCoInstaller01009.dll

Filesize
68KB

MD5
be566e174eaf5b93b0474593cd8f2715

SHA1
350ca8482be913dd9ca7a279fb5680a884402e26

SHA256
cee8496bfa1080fd84fc48ba4375625238900fe93ea739b2dc0300206fde8330

SHA512
fc608acd903daf17250b8ee0f2491458cf06eca9856988fce6b8134f8deb2a3716c3641977d24e3614c9abf344184225bffeeb25212d374988115b15d0ce4b5b

Download Submit
C:\ProgramData\KMSAuto\bin\driver\x64WDV\WdfCoInstaller01009.dll

Filesize
68KB

MD5
be566e174eaf5b93b0474593cd8f2715

SHA1
350ca8482be913dd9ca7a279fb5680a884402e26

SHA256
cee8496bfa1080fd84fc48ba4375625238900fe93ea739b2dc0300206fde8330

SHA512
fc608acd903daf17250b8ee0f2491458cf06eca9856988fce6b8134f8deb2a3716c3641977d24e3614c9abf344184225bffeeb25212d374988115b15d0ce4b5b

Download Submit
C:\ProgramData\KMSAuto\bin\driver\x64WDV\WdfCoInstaller01009.dll

Filesize
68KB

MD5
be566e174eaf5b93b0474593cd8f2715

SHA1
350ca8482be913dd9ca7a279fb5680a884402e26

SHA256
cee8496bfa1080fd84fc48ba4375625238900fe93ea739b2dc0300206fde8330

SHA512
fc608acd903daf17250b8ee0f2491458cf06eca9856988fce6b8134f8deb2a3716c3641977d24e3614c9abf344184225bffeeb25212d374988115b15d0ce4b5b

Download Submit
C:\ProgramData\KMSAuto\bin\driver\x64WDV\WdfCoInstaller01009.dll

Filesize
68KB

MD5
be566e174eaf5b93b0474593cd8f2715

SHA1
350ca8482be913dd9ca7a279fb5680a884402e26

SHA256
cee8496bfa1080fd84fc48ba4375625238900fe93ea739b2dc0300206fde8330

SHA512
fc608acd903daf17250b8ee0f2491458cf06eca9856988fce6b8134f8deb2a3716c3641977d24e3614c9abf344184225bffeeb25212d374988115b15d0ce4b5b

Download Submit
C:\ProgramData\KMSAuto\bin\driver\x64WDV\WdfCoInstaller01009.dll

Filesize
68KB

MD5
be566e174eaf5b93b0474593cd8f2715

SHA1
350ca8482be913dd9ca7a279fb5680a884402e26

SHA256
cee8496bfa1080fd84fc48ba4375625238900fe93ea739b2dc0300206fde8330

SHA512
fc608acd903daf17250b8ee0f2491458cf06eca9856988fce6b8134f8deb2a3716c3641977d24e3614c9abf344184225bffeeb25212d374988115b15d0ce4b5b

Download Submit
C:\ProgramData\KMSAuto\bin\driver\x64WDV\WinDivert.dll

Filesize
16KB

MD5
3f0c03e5076c7e6b404f894ff4dc5bb1

SHA1
9cf99c875e6acd4b12e0eddd5fa51d296ea4998e

SHA256
4e7ebed8410c83b73a23185aa94680143da2933305cd6deefe8ec0b51b7ee6f3

SHA512
20de17d511cc1b3f283a28423f5bdfaef36f104d62c33a1da6449c528d1d8e4986afe8ef68e590add9262c3c7441132022a049022d14deba08a8c72e139f78f4

Download Submit
C:\ProgramData\KMSAuto\bin\driver\x64WDV\WinDivert.dll

Filesize
16KB

MD5
3f0c03e5076c7e6b404f894ff4dc5bb1

SHA1
9cf99c875e6acd4b12e0eddd5fa51d296ea4998e

SHA256
4e7ebed8410c83b73a23185aa94680143da2933305cd6deefe8ec0b51b7ee6f3

SHA512
20de17d511cc1b3f283a28423f5bdfaef36f104d62c33a1da6449c528d1d8e4986afe8ef68e590add9262c3c7441132022a049022d14deba08a8c72e139f78f4

Download Submit
C:\ProgramData\KMSAuto\bin\driver\x64WDV\WinDivert.dll

Filesize
16KB

MD5
3f0c03e5076c7e6b404f894ff4dc5bb1

SHA1
9cf99c875e6acd4b12e0eddd5fa51d296ea4998e

SHA256
4e7ebed8410c83b73a23185aa94680143da2933305cd6deefe8ec0b51b7ee6f3

SHA512
20de17d511cc1b3f283a28423f5bdfaef36f104d62c33a1da6449c528d1d8e4986afe8ef68e590add9262c3c7441132022a049022d14deba08a8c72e139f78f4

Download Submit
C:\ProgramData\KMSAuto\bin\driver\x64WDV\WinDivert.dll

Filesize
16KB

MD5
3f0c03e5076c7e6b404f894ff4dc5bb1

SHA1
9cf99c875e6acd4b12e0eddd5fa51d296ea4998e

SHA256
4e7ebed8410c83b73a23185aa94680143da2933305cd6deefe8ec0b51b7ee6f3

SHA512
20de17d511cc1b3f283a28423f5bdfaef36f104d62c33a1da6449c528d1d8e4986afe8ef68e590add9262c3c7441132022a049022d14deba08a8c72e139f78f4

Download Submit
C:\ProgramData\KMSAuto\bin\driver\x64WDV\WinDivert.dll

Filesize
16KB

MD5
3f0c03e5076c7e6b404f894ff4dc5bb1

SHA1
9cf99c875e6acd4b12e0eddd5fa51d296ea4998e

SHA256
4e7ebed8410c83b73a23185aa94680143da2933305cd6deefe8ec0b51b7ee6f3

SHA512
20de17d511cc1b3f283a28423f5bdfaef36f104d62c33a1da6449c528d1d8e4986afe8ef68e590add9262c3c7441132022a049022d14deba08a8c72e139f78f4

Download Submit
C:\ProgramData\KMSAuto\bin\driver\x64WDV\WinDivert.dll

Filesize
16KB

MD5
3f0c03e5076c7e6b404f894ff4dc5bb1

SHA1
9cf99c875e6acd4b12e0eddd5fa51d296ea4998e

SHA256
4e7ebed8410c83b73a23185aa94680143da2933305cd6deefe8ec0b51b7ee6f3

SHA512
20de17d511cc1b3f283a28423f5bdfaef36f104d62c33a1da6449c528d1d8e4986afe8ef68e590add9262c3c7441132022a049022d14deba08a8c72e139f78f4

Download Submit
C:\ProgramData\KMSAuto\bin\driver\x64WDV\WinDivert.dll

Filesize
16KB

MD5
3f0c03e5076c7e6b404f894ff4dc5bb1

SHA1
9cf99c875e6acd4b12e0eddd5fa51d296ea4998e

SHA256
4e7ebed8410c83b73a23185aa94680143da2933305cd6deefe8ec0b51b7ee6f3

SHA512
20de17d511cc1b3f283a28423f5bdfaef36f104d62c33a1da6449c528d1d8e4986afe8ef68e590add9262c3c7441132022a049022d14deba08a8c72e139f78f4

Download Submit
C:\ProgramData\KMSAuto\bin\driver\x64WDV\WinDivert.inf

Filesize
151B

MD5
a94d989905a248afca52bc3cbfcb248b

SHA1
cbb7b37584a58060da6a3dd748f17334384647e7

SHA256
6c9f7dea4f9a47788d5d2ba110b08457fd00dbabe4812ebca6f022300843a75d

SHA512
864eae03a01ac79917e91913fa7d83847f67f259ce8b5b42853c7ffd9a1f6847b9a4adec4d31a6ec882265fd369214bdbd147c6dc76b89bdf1bb2001046ec43f

Download Submit
C:\ProgramData\KMSAuto\bin_x64.dat

Filesize
273KB

MD5
200a90e767924a342c25662487d8c215

SHA1
aa48cbcdea041799f0153cbdc7726eeec1db9906

SHA256
184b7a8be9204f9fefa3666cd3ccaf01bab26fdbc0e2a87320acf84792fdfa84

SHA512
e2735cea38138db29f6666b00862911623ef0d3b0069322b890dea1b66c039da7f4f905010aa4d2c4c8663df4b36f788bc3cdbed228b54406cf4db379609a063

Download Submit
C:\ProgramData\KMSAuto\bin_x64.dat

Filesize
273KB

MD5
200a90e767924a342c25662487d8c215

SHA1
aa48cbcdea041799f0153cbdc7726eeec1db9906

SHA256
184b7a8be9204f9fefa3666cd3ccaf01bab26fdbc0e2a87320acf84792fdfa84

SHA512
e2735cea38138db29f6666b00862911623ef0d3b0069322b890dea1b66c039da7f4f905010aa4d2c4c8663df4b36f788bc3cdbed228b54406cf4db379609a063

Download Submit
C:\Users\Admin\AppData\Local\Temp\KMSAuto Net 2016 1.4.9 Portable + 1.5.1\test.test

Filesize
6B

MD5
9f06243abcb89c70e0c331c61d871fa7

SHA1
fde773a18bb29f5ed65e6f0a7aa717fd1fa485d4

SHA256
837ccb607e312b170fac7383d7ccfd61fa5072793f19a25e75fbacb56539b86b

SHA512
b947b99d1baddd347550c9032e9ab60b6be56551cf92c076b38e4e11f436051a4af51c47e54f8641316a720b043641a3b3c1e1b01ba50445ea1ba60bfd1b7a86

Download Submit
C:\Windows\setupact.log

Filesize
2KB

MD5
a5704dbd6b4457c05ac7752f82453f2e

SHA1
0486bbcee30ce3f0ee882d6dc4d46527df17602a

SHA256
a24b8d1f017b940e47bcd984d21243ff7dfa650b69242da42e103ca82a6be351

SHA512
4380733b14443463286ee4c5386af2925b057239eb3867dc89a21bc50ec5a5f194937bbab41d9b3d8a4a5d6f286a4b5823990cec2b16312a83ec6443e9447592

Download Submit
C:\Windows\setupact.log

Filesize
2KB

MD5
3b760e16d6b60eb22d51cbed3de753c8

SHA1
ff513ef17f676eebdd1f45a8345de8af988401e8

SHA256
220659d267974bb52534a572df81a42fb157ce7d2c74dc224a8ff2eadbee1aa8

SHA512
1a01c92c4a2a50a849fc10f2d31e15ed8e64f93de0c7d9c327e7f742ed5bc18491403cdcccd2918d1569433332a230f5a82078f7f8542ef3bc2815a27ee68fb2

Download Submit
C:\Windows\setupact.log

Filesize
3KB

MD5
187ca5a2ac658415b743e1a6a3ff184f

SHA1
22a16f22da9c05c156ff982c516fc3d715cae2dd

SHA256
1e16acee83b5270c8e3a792b4d206d66a38a6980bba312974b3cd5df7dadfe96

SHA512
79a281a5cf0ddadd39b6bb20ab8b5a856ff62e3fca8c9ae9c23679e23fc5e1b5b03582adb111fd04aa9ee1f92ead7ce2f8d0c0549efeb434f5970c048dc93bf7

Download Submit
C:\Windows\setupact.log

Filesize
3KB

MD5
77f4c649b3bda7e757cac47e80cfe5a9

SHA1
c1f1fe8c014b966e4cb6061c486ea30de8158929

SHA256
908902d109c795c658e4b20c53b45fbb4528b123d1cd9ee195e33157be0f2169

SHA512
cfe28ba8a9e4eecde273c147c0e351ddfb9fc4531cec354048508a72400908a95c13c4abc344fcc5fc2b46d67f27d73edceddddb03d8f4f9e601e8409b0b372c

Download Submit
C:\Windows\setupact.log

Filesize
4KB

MD5
d328c79bcb63b78bba009293bfedcf77

SHA1
9cdb2fd3980a8167afd9f72ac02a4bfbe53eb35e

SHA256
604b0bf971204cd395ef144204d5b9bcfd366c958ef25e0e4f70672039145966

SHA512
603bef5bb3ba255d1c1538bbfd032cc1f981e2ab04ecaf46a44f6950610e0f1fca259e6deb16d25e13a354898b3176ec3dcfb3197fed63687b1168fc7ed5a309

Download Submit
memory/1188-136-0x0000000005BE0000-0x0000000005C72000-memory.dmp

Filesize
584KB

Download
memory/1188-140-0x0000000005DD0000-0x0000000005DE0000-memory.dmp

Filesize
64KB

Download
memory/1188-137-0x0000000005B00000-0x0000000005B0A000-memory.dmp

Filesize
40KB

Download
memory/1188-133-0x0000000000900000-0x0000000001160000-memory.dmp

Filesize
8.4MB

Download
memory/1188-145-0x0000000005DD0000-0x0000000005DE0000-memory.dmp

Filesize
64KB

Download
memory/1188-138-0x0000000005CE0000-0x0000000005D36000-memory.dmp

Filesize
344KB

Download
memory/1188-135-0x0000000006190000-0x0000000006734000-memory.dmp

Filesize
5.6MB

Download
memory/1188-146-0x0000000005DD0000-0x0000000005DE0000-memory.dmp

Filesize
64KB

Download
memory/1188-134-0x0000000005B40000-0x0000000005BDC000-memory.dmp

Filesize
624KB

Download
memory/1188-139-0x0000000005DD0000-0x0000000005DE0000-memory.dmp

Filesize
64KB

Download