dc3967b6ed61cdd0d0337cd175a4c56ee79d922bc3c204e675d8e6a047148e39

Analysis

max time kernel
97s
max time network
97s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
28/08/2023, 14:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

KMSAuto Net 2019 v1.4.2 CompuDoctor Soluciones/KMSAuto Net.exe
Size

8.6MB
MD5

311f3baa9bfa5b2364fea8b254d15eb9
SHA1

992585b81acaccdb5c89361cdd1c1fd25e0c5ca1
SHA256

bea219f0f08ed083677a0b869e658ba09785f470668eadc659db2885fa89f3b9
SHA512

c65e86f8d241de3efe29b4d58fc50f84a8cb900242c23c7f33311210f7b7062625ad49225f6a7e23cd6c9c0d4fb2355f5dcc7f6546902ed18bb51c9d1e2eeb55
SSDEEP

196608:OwywCAfywOwe/3ywuywQywTyw3ywsywsywPbywgsywZywtywRywZywBywFywUywO:owCAqwUqwjwNw2wiwxwxwPewgxwUwQwN

Score

8^/10

evasion persistence

Malware Config

Signatures

Creates new service(s) 1 TTPs
persistence

Windows Service
T1543.003

Modifies Windows Firewall 1 TTPs 2 IoCs

evasion

Windows Service

T1543.003

pid	Process
1120	Netsh.exe
4948	Netsh.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\KMSEmulator\ImagePath = "\"C:\\ProgramData\\KMSAuto\\bin\\KMSSS.exe\" -Port 1688 -PWin RandomKMSPID -PO14 RandomKMSPID -PO15 RandomKMSPID -AI 43200 -RI 43200 KillProcessOnPort -Log -IP"	KMSAuto Net.exe

Stops running service(s) 3 TTPs
evasion

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Executes dropped EXE 14 IoCs

pid	Process
4928	wzt.dat
1360	certmgr.exe
1644	certmgr.exe
2228	bin.dat
4788	AESDecoder.exe
2752	bin_x64.dat
180	KMSSS.exe
2240	FakeClient.exe
4372	FakeClient.exe
1824	FakeClient.exe
4188	FakeClient.exe
1868	FakeClient.exe
1076	FakeClient.exe
976	FakeClient.exe

Loads dropped DLL 14 IoCs

pid	Process
2240	FakeClient.exe
2240	FakeClient.exe
4372	FakeClient.exe
4372	FakeClient.exe
1824	FakeClient.exe
1824	FakeClient.exe
4188	FakeClient.exe
4188	FakeClient.exe
1868	FakeClient.exe
1868	FakeClient.exe
1076	FakeClient.exe
1076	FakeClient.exe
976	FakeClient.exe
976	FakeClient.exe

Drops file in Windows directory 14 IoCs

description	ioc	Process
File opened for modification	C:\Windows\setupact.log	FakeClient.exe
File opened for modification	C:\Windows\setuperr.log	FakeClient.exe
File opened for modification	C:\Windows\setuperr.log	FakeClient.exe
File opened for modification	C:\Windows\setuperr.log	FakeClient.exe
File opened for modification	C:\Windows\setupact.log	FakeClient.exe
File opened for modification	C:\Windows\setupact.log	FakeClient.exe
File opened for modification	C:\Windows\setupact.log	FakeClient.exe
File opened for modification	C:\Windows\setupact.log	FakeClient.exe
File opened for modification	C:\Windows\setuperr.log	FakeClient.exe
File opened for modification	C:\Windows\setupact.log	FakeClient.exe
File opened for modification	C:\Windows\setupact.log	FakeClient.exe
File opened for modification	C:\Windows\setuperr.log	FakeClient.exe
File opened for modification	C:\Windows\setuperr.log	FakeClient.exe
File opened for modification	C:\Windows\setuperr.log	FakeClient.exe

Launches sc.exe 14 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
3900	sc.exe
960	sc.exe
3864	sc.exe
3320	sc.exe
2296	sc.exe
3712	sc.exe
1772	sc.exe
2152	sc.exe
3504	sc.exe
4028	sc.exe
4796	sc.exe
1712	sc.exe
2808	sc.exe
1204	sc.exe

Gathers network information 2 TTPs 1 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
4844	NETSTAT.EXE

Kills process with taskkill 6 IoCs

evasion

pid	Process
4372	taskkill.exe
1824	taskkill.exe
2856	taskkill.exe
4620	taskkill.exe
3800	taskkill.exe
1740	taskkill.exe

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F81F111D0E5AB58D396F7BF525577FD30FDC95AA	certmgr.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F81F111D0E5AB58D396F7BF525577FD30FDC95AA\Blob = 030000000100000014000000f81f111d0e5ab58d396f7bf525577fd30fdc95aa2000000001000000e8010000308201e43082014da003020102021008a8e826950f1a9940262589fcaf0b8f300d06092a864886f70d0101040500300e310c300a06035504031303575a54301e170d3135313130383038313534395a170d3339313233313233353935395a300e310c300a06035504031303575a5430819f300d06092a864886f70d010101050003818d0030818902818100a3b38e6e8cd01f282d0872986d29bf5f0eaad61a32c045d9b23db1c221c3679770c401de98695e88cad621b319730dcabedf4c4709eebe8126dd567a9ab387dab7ea13b3665166464d1b8efffed8bc4225515a9aaa170e595eb348a496309110c8eb66d0490f113a3c79a508058448b0398be6f9d34f84c60e694c472c72f9b70203010001a3433041303f0603551d01043830368010e4e11038d29fc50f20a0c1914bbeff0ba110300e310c300a06035504031303575a54821008a8e826950f1a9940262589fcaf0b8f300d06092a864886f70d01010405000381810054c251e1b9cdca11ade10887278347c178233bffb85a6d692ca235d68afe76d59f2113e7c3016ac0347e7131d590047a877083536f61d90fcb2bf95856952abd4f63daccfccc840950667cc68f7513f8ae72dc7676e94b61fa169158457ea2b8531a593671e79d886743e24eddf7141e0443e22f1f6b16b0a76d720466e4b8e8	certmgr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\F81F111D0E5AB58D396F7BF525577FD30FDC95AA	certmgr.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\F81F111D0E5AB58D396F7BF525577FD30FDC95AA\Blob = 030000000100000014000000f81f111d0e5ab58d396f7bf525577fd30fdc95aa2000000001000000e8010000308201e43082014da003020102021008a8e826950f1a9940262589fcaf0b8f300d06092a864886f70d0101040500300e310c300a06035504031303575a54301e170d3135313130383038313534395a170d3339313233313233353935395a300e310c300a06035504031303575a5430819f300d06092a864886f70d010101050003818d0030818902818100a3b38e6e8cd01f282d0872986d29bf5f0eaad61a32c045d9b23db1c221c3679770c401de98695e88cad621b319730dcabedf4c4709eebe8126dd567a9ab387dab7ea13b3665166464d1b8efffed8bc4225515a9aaa170e595eb348a496309110c8eb66d0490f113a3c79a508058448b0398be6f9d34f84c60e694c472c72f9b70203010001a3433041303f0603551d01043830368010e4e11038d29fc50f20a0c1914bbeff0ba110300e310c300a06035504031303575a54821008a8e826950f1a9940262589fcaf0b8f300d06092a864886f70d01010405000381810054c251e1b9cdca11ade10887278347c178233bffb85a6d692ca235d68afe76d59f2113e7c3016ac0347e7131d590047a877083536f61d90fcb2bf95856952abd4f63daccfccc840950667cc68f7513f8ae72dc7676e94b61fa169158457ea2b8531a593671e79d886743e24eddf7141e0443e22f1f6b16b0a76d720466e4b8e8	certmgr.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
3252	KMSAuto Net.exe
3252	KMSAuto Net.exe
3252	KMSAuto Net.exe
3252	KMSAuto Net.exe
3252	KMSAuto Net.exe
3252	KMSAuto Net.exe

Suspicious behavior: LoadsDriver 7 IoCs

pid	Process
680	Process not Found
680	Process not Found
680	Process not Found
680	Process not Found
680	Process not Found
680	Process not Found
680	Process not Found

Suspicious use of AdjustPrivilegeToken 10 IoCs

description	pid	Process
Token: 33	4016	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	4016	AUDIODG.EXE
Token: SeDebugPrivilege	4844	NETSTAT.EXE
Token: SeDebugPrivilege	3252	KMSAuto Net.exe
Token: SeDebugPrivilege	2856	taskkill.exe
Token: SeDebugPrivilege	4620	taskkill.exe
Token: SeDebugPrivilege	3800	taskkill.exe
Token: SeDebugPrivilege	1740	taskkill.exe
Token: SeDebugPrivilege	4372	taskkill.exe
Token: SeDebugPrivilege	1824	taskkill.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3252 wrote to memory of 928	3252	KMSAuto Net.exe	84
PID 3252 wrote to memory of 928	3252	KMSAuto Net.exe	84
PID 3252 wrote to memory of 928	3252	KMSAuto Net.exe	84
PID 3252 wrote to memory of 1060	3252	KMSAuto Net.exe	86
PID 3252 wrote to memory of 1060	3252	KMSAuto Net.exe	86
PID 3252 wrote to memory of 1060	3252	KMSAuto Net.exe	86
PID 3252 wrote to memory of 4796	3252	KMSAuto Net.exe	88
PID 3252 wrote to memory of 4796	3252	KMSAuto Net.exe	88
PID 3252 wrote to memory of 3764	3252	KMSAuto Net.exe	96
PID 3252 wrote to memory of 3764	3252	KMSAuto Net.exe	96
PID 3252 wrote to memory of 3764	3252	KMSAuto Net.exe	96
PID 3252 wrote to memory of 3800	3252	KMSAuto Net.exe	100
PID 3252 wrote to memory of 3800	3252	KMSAuto Net.exe	100
PID 3252 wrote to memory of 4140	3252	KMSAuto Net.exe	102
PID 3252 wrote to memory of 4140	3252	KMSAuto Net.exe	102
PID 4140 wrote to memory of 4928	4140	cmd.exe	104
PID 4140 wrote to memory of 4928	4140	cmd.exe	104
PID 4140 wrote to memory of 4928	4140	cmd.exe	104
PID 3252 wrote to memory of 556	3252	KMSAuto Net.exe	105
PID 3252 wrote to memory of 556	3252	KMSAuto Net.exe	105
PID 3252 wrote to memory of 2240	3252	KMSAuto Net.exe	108
PID 3252 wrote to memory of 2240	3252	KMSAuto Net.exe	108
PID 2240 wrote to memory of 1360	2240	cmd.exe	110
PID 2240 wrote to memory of 1360	2240	cmd.exe	110
PID 2240 wrote to memory of 1360	2240	cmd.exe	110
PID 3252 wrote to memory of 3344	3252	KMSAuto Net.exe	112
PID 3252 wrote to memory of 3344	3252	KMSAuto Net.exe	112
PID 3344 wrote to memory of 1644	3344	cmd.exe	113
PID 3344 wrote to memory of 1644	3344	cmd.exe	113
PID 3344 wrote to memory of 1644	3344	cmd.exe	113
PID 3252 wrote to memory of 2280	3252	KMSAuto Net.exe	114
PID 3252 wrote to memory of 2280	3252	KMSAuto Net.exe	114
PID 3252 wrote to memory of 4688	3252	KMSAuto Net.exe	116
PID 3252 wrote to memory of 4688	3252	KMSAuto Net.exe	116
PID 4688 wrote to memory of 2228	4688	cmd.exe	118
PID 4688 wrote to memory of 2228	4688	cmd.exe	118
PID 4688 wrote to memory of 2228	4688	cmd.exe	118
PID 3252 wrote to memory of 4792	3252	KMSAuto Net.exe	119
PID 3252 wrote to memory of 4792	3252	KMSAuto Net.exe	119
PID 3252 wrote to memory of 4680	3252	KMSAuto Net.exe	121
PID 3252 wrote to memory of 4680	3252	KMSAuto Net.exe	121
PID 4680 wrote to memory of 4788	4680	cmd.exe	123
PID 4680 wrote to memory of 4788	4680	cmd.exe	123
PID 4680 wrote to memory of 4788	4680	cmd.exe	123
PID 3252 wrote to memory of 220	3252	KMSAuto Net.exe	124
PID 3252 wrote to memory of 220	3252	KMSAuto Net.exe	124
PID 3252 wrote to memory of 2776	3252	KMSAuto Net.exe	126
PID 3252 wrote to memory of 2776	3252	KMSAuto Net.exe	126
PID 2776 wrote to memory of 2752	2776	cmd.exe	128
PID 2776 wrote to memory of 2752	2776	cmd.exe	128
PID 2776 wrote to memory of 2752	2776	cmd.exe	128
PID 3252 wrote to memory of 2028	3252	KMSAuto Net.exe	129
PID 3252 wrote to memory of 2028	3252	KMSAuto Net.exe	129
PID 3252 wrote to memory of 4272	3252	KMSAuto Net.exe	131
PID 3252 wrote to memory of 4272	3252	KMSAuto Net.exe	131
PID 4272 wrote to memory of 4464	4272	cmd.exe	133
PID 4272 wrote to memory of 4464	4272	cmd.exe	133
PID 4464 wrote to memory of 4844	4464	cmd.exe	134
PID 4464 wrote to memory of 4844	4464	cmd.exe	134
PID 4464 wrote to memory of 1528	4464	cmd.exe	135
PID 4464 wrote to memory of 1528	4464	cmd.exe	135
PID 3252 wrote to memory of 4948	3252	KMSAuto Net.exe	136
PID 3252 wrote to memory of 4948	3252	KMSAuto Net.exe	136
PID 3252 wrote to memory of 1120	3252	KMSAuto Net.exe	138

C:\Users\Admin\AppData\Local\Temp\KMSAuto Net 2019 v1.4.2 CompuDoctor Soluciones\KMSAuto Net.exe
"C:\Users\Admin\AppData\Local\Temp\KMSAuto Net 2019 v1.4.2 CompuDoctor Soluciones\KMSAuto Net.exe"
1⤵
- Sets service image path in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3252
- C:\Windows\SysWOW64\cmd.exe
  cmd /c md "C:\Users\Admin\AppData\Local\MSfree Inc"
  2⤵
  PID:928
- C:\Windows\SysWOW64\cmd.exe
  cmd /c echo test>>"C:\Users\Admin\AppData\Local\Temp\KMSAuto Net 2019 v1.4.2 CompuDoctor Soluciones\test.test"
  2⤵
  PID:1060
- C:\Windows\system32\cmd.exe
  C:\Windows\Sysnative\cmd.exe /D /c del /F /Q "test.test"
  2⤵
  PID:4796
- C:\Windows\SysWOW64\cscript.exe
  "cscript.exe" /nologo C:\Windows\system32\slmgr.vbs /ipk W269N-WFGWX-YVC9B-4J6C9-T83GX
  2⤵
  PID:3764
- C:\Windows\system32\cmd.exe
  C:\Windows\Sysnative\cmd.exe /D /c md "C:\ProgramData\KMSAuto"
  2⤵
  PID:3800
- C:\Windows\system32\cmd.exe
  C:\Windows\Sysnative\cmd.exe /D /c wzt.dat -y -pkmsauto
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4140
- - C:\ProgramData\KMSAuto\wzt.dat
    wzt.dat -y -pkmsauto
    3⤵
    - Executes dropped EXE
    PID:4928
- C:\Windows\system32\cmd.exe
  C:\Windows\Sysnative\cmd.exe /D /c del /F /Q "wzt.dat"
  2⤵
  PID:556
- C:\Windows\system32\cmd.exe
  C:\Windows\Sysnative\cmd.exe /D /c certmgr.exe -add wzt.cer -n wzt -s -r localMachine ROOT
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2240
- - C:\ProgramData\KMSAuto\wzt\certmgr.exe
    certmgr.exe -add wzt.cer -n wzt -s -r localMachine ROOT
    3⤵
    - Executes dropped EXE
    - Modifies system certificate store
    PID:1360
- C:\Windows\system32\cmd.exe
  C:\Windows\Sysnative\cmd.exe /D /c certmgr.exe -add wzt.cer -n wzt -s -r localMachine TRUSTEDPUBLISHER
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3344
- - C:\ProgramData\KMSAuto\wzt\certmgr.exe
    certmgr.exe -add wzt.cer -n wzt -s -r localMachine TRUSTEDPUBLISHER
    3⤵
    - Executes dropped EXE
    - Modifies system certificate store
    PID:1644
- C:\Windows\system32\cmd.exe
  "C:\Windows\Sysnative\cmd.exe" /c rd "C:\ProgramData\KMSAuto\wzt" /S /Q
  2⤵
  PID:2280
- C:\Windows\system32\cmd.exe
  C:\Windows\Sysnative\cmd.exe /D /c bin.dat -y -pkmsauto
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4688
- - C:\ProgramData\KMSAuto\bin.dat
    bin.dat -y -pkmsauto
    3⤵
    - Executes dropped EXE
    PID:2228
- C:\Windows\system32\cmd.exe
  C:\Windows\Sysnative\cmd.exe /D /c del /F /Q "bin.dat"
  2⤵
  PID:4792
- C:\Windows\system32\cmd.exe
  C:\Windows\Sysnative\cmd.exe /D /c AESDecoder.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4680
- - C:\ProgramData\KMSAuto\bin\AESDecoder.exe
    AESDecoder.exe
    3⤵
    - Executes dropped EXE
    PID:4788
- C:\Windows\system32\cmd.exe
  C:\Windows\Sysnative\cmd.exe /D /c del /F /Q "AESDecoder.exe"
  2⤵
  PID:220
- C:\Windows\system32\cmd.exe
  C:\Windows\Sysnative\cmd.exe /D /c bin_x64.dat -y -pkmsauto
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2776
- - C:\ProgramData\KMSAuto\bin_x64.dat
    bin_x64.dat -y -pkmsauto
    3⤵
    - Executes dropped EXE
    PID:2752
- C:\Windows\system32\cmd.exe
  C:\Windows\Sysnative\cmd.exe /D /c del /F /Q "bin_x64.dat"
  2⤵
  PID:2028
- C:\Windows\system32\cmd.exe
  C:\Windows\Sysnative\cmd.exe /D /c for /f "tokens=5 delims=, " %i in ('netstat -ano ^| find ":1688 "') do taskkill /pid %i /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4272
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c netstat -ano | find ":1688 "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4464
  - - C:\Windows\system32\NETSTAT.EXE
      netstat -ano
      4⤵
      Gathers network information
      Suspicious use of AdjustPrivilegeToken
      PID:4844
  - - C:\Windows\system32\find.exe
      find ":1688 "
      4⤵
      PID:1528
- C:\Windows\system32\Netsh.exe
  C:\Windows\Sysnative\Netsh Advfirewall Firewall delete rule name="0pen Port KMS" protocol=TCP
  2⤵
  - Modifies Windows Firewall
  PID:4948
- C:\Windows\system32\Netsh.exe
  C:\Windows\Sysnative\Netsh Advfirewall Firewall add rule name="0pen Port KMS" dir=in action=allow protocol=TCP localport=1688
  2⤵
  - Modifies Windows Firewall
  PID:1120
- C:\Windows\SysWOW64\sc.exe
  "sc.exe" create KMSEmulator binpath= temp.exe type= own start= auto
  2⤵
  - Launches sc.exe
  PID:3712
- C:\Windows\SysWOW64\sc.exe
  "sc.exe" start KMSEmulator
  2⤵
  - Launches sc.exe
  PID:4028
- C:\Windows\system32\cmd.exe
  C:\Windows\Sysnative\cmd.exe /D /c route -p add 100.100.0.10 0.0.0.0 IF 1
  2⤵
  PID:4188
- - C:\Windows\system32\ROUTE.EXE
    route -p add 100.100.0.10 0.0.0.0 IF 1
    3⤵
    PID:2696
- C:\Windows\system32\cmd.exe
  C:\Windows\Sysnative\cmd.exe /D /c FakeClient.exe 100.100.0.10
  2⤵
  PID:4520
- - C:\ProgramData\KMSAuto\bin\driver\x64WDV\FakeClient.exe
    FakeClient.exe 100.100.0.10
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Windows directory
    PID:2240
- C:\Windows\system32\cmd.exe
  C:\Windows\Sysnative\cmd.exe /D /c route delete 100.100.0.10 0.0.0.0
  2⤵
  PID:5020
- - C:\Windows\system32\ROUTE.EXE
    route delete 100.100.0.10 0.0.0.0
    3⤵
    PID:2208
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c taskkill /t /f /IM FakeClient.exe
  2⤵
  PID:3964
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /t /f /IM FakeClient.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2856
- C:\Windows\SysWOW64\sc.exe
  "sc.exe" stop WinDivert1.1
  2⤵
  - Launches sc.exe
  PID:3900
- C:\Windows\SysWOW64\sc.exe
  "sc.exe" delete WinDivert1.1
  2⤵
  - Launches sc.exe
  PID:960
- C:\Windows\system32\cmd.exe
  C:\Windows\Sysnative\cmd.exe /D /c route -p add 100.100.0.10 0.0.0.0 IF 1
  2⤵
  PID:1084
- - C:\Windows\system32\ROUTE.EXE
    route -p add 100.100.0.10 0.0.0.0 IF 1
    3⤵
    PID:2332
- C:\Windows\system32\cmd.exe
  C:\Windows\Sysnative\cmd.exe /D /c FakeClient.exe 100.100.0.10
  2⤵
  PID:3472
- - C:\ProgramData\KMSAuto\bin\driver\x64WDV\FakeClient.exe
    FakeClient.exe 100.100.0.10
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Windows directory
    PID:4372
- C:\Windows\system32\cmd.exe
  C:\Windows\Sysnative\cmd.exe /D /c route delete 100.100.0.10 0.0.0.0
  2⤵
  PID:2204
- - C:\Windows\system32\ROUTE.EXE
    route delete 100.100.0.10 0.0.0.0
    3⤵
    PID:3504
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c taskkill /t /f /IM FakeClient.exe
  2⤵
  PID:3940
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /t /f /IM FakeClient.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4620
- C:\Windows\SysWOW64\sc.exe
  "sc.exe" stop WinDivert1.1
  2⤵
  - Launches sc.exe
  PID:4796
- C:\Windows\SysWOW64\sc.exe
  "sc.exe" delete WinDivert1.1
  2⤵
  - Launches sc.exe
  PID:2152
- C:\Windows\system32\cmd.exe
  C:\Windows\Sysnative\cmd.exe /D /c route -p add 100.100.0.10 0.0.0.0 IF 1
  2⤵
  PID:2776
- - C:\Windows\system32\ROUTE.EXE
    route -p add 100.100.0.10 0.0.0.0 IF 1
    3⤵
    PID:2028
- C:\Windows\system32\cmd.exe
  C:\Windows\Sysnative\cmd.exe /D /c FakeClient.exe 100.100.0.10
  2⤵
  PID:3512
- - C:\ProgramData\KMSAuto\bin\driver\x64WDV\FakeClient.exe
    FakeClient.exe 100.100.0.10
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Windows directory
    PID:1824
- C:\Windows\system32\cmd.exe
  C:\Windows\Sysnative\cmd.exe /D /c route delete 100.100.0.10 0.0.0.0
  2⤵
  PID:3324
- - C:\Windows\system32\ROUTE.EXE
    route delete 100.100.0.10 0.0.0.0
    3⤵
    PID:3424
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c taskkill /t /f /IM FakeClient.exe
  2⤵
  PID:4804
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /t /f /IM FakeClient.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3800
- C:\Windows\SysWOW64\sc.exe
  "sc.exe" stop WinDivert1.1
  2⤵
  - Launches sc.exe
  PID:1712
- C:\Windows\SysWOW64\sc.exe
  "sc.exe" delete WinDivert1.1
  2⤵
  - Launches sc.exe
  PID:1772
- C:\Windows\system32\cmd.exe
  C:\Windows\Sysnative\cmd.exe /D /c route -p add 100.100.0.10 0.0.0.0 IF 1
  2⤵
  PID:2848
- - C:\Windows\system32\ROUTE.EXE
    route -p add 100.100.0.10 0.0.0.0 IF 1
    3⤵
    PID:4140
- C:\Windows\system32\cmd.exe
  C:\Windows\Sysnative\cmd.exe /D /c FakeClient.exe 100.100.0.10
  2⤵
  PID:3316
- - C:\ProgramData\KMSAuto\bin\driver\x64WDV\FakeClient.exe
    FakeClient.exe 100.100.0.10
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Windows directory
    PID:4188
- C:\Windows\system32\cmd.exe
  C:\Windows\Sysnative\cmd.exe /D /c route delete 100.100.0.10 0.0.0.0
  2⤵
  PID:2660
- - C:\Windows\system32\ROUTE.EXE
    route delete 100.100.0.10 0.0.0.0
    3⤵
    PID:4520
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c taskkill /t /f /IM FakeClient.exe
  2⤵
  PID:2016
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /t /f /IM FakeClient.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1740
- C:\Windows\SysWOW64\sc.exe
  "sc.exe" stop WinDivert1.1
  2⤵
  - Launches sc.exe
  PID:2808
- C:\Windows\SysWOW64\sc.exe
  "sc.exe" delete WinDivert1.1
  2⤵
  - Launches sc.exe
  PID:3864
- C:\Windows\system32\cmd.exe
  C:\Windows\Sysnative\cmd.exe /D /c route -p add 100.100.0.10 0.0.0.0 IF 1
  2⤵
  PID:4280
- - C:\Windows\system32\ROUTE.EXE
    route -p add 100.100.0.10 0.0.0.0 IF 1
    3⤵
    PID:1588
- C:\Windows\system32\cmd.exe
  C:\Windows\Sysnative\cmd.exe /D /c FakeClient.exe 100.100.0.10
  2⤵
  PID:5096
- - C:\ProgramData\KMSAuto\bin\driver\x64WDV\FakeClient.exe
    FakeClient.exe 100.100.0.10
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Windows directory
    PID:1868
- C:\Windows\system32\cmd.exe
  C:\Windows\Sysnative\cmd.exe /D /c route delete 100.100.0.10 0.0.0.0
  2⤵
  PID:1084
- - C:\Windows\system32\ROUTE.EXE
    route delete 100.100.0.10 0.0.0.0
    3⤵
    PID:2252
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c taskkill /t /f /IM FakeClient.exe
  2⤵
  PID:3888
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /t /f /IM FakeClient.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4372
- C:\Windows\SysWOW64\sc.exe
  "sc.exe" stop WinDivert1.1
  2⤵
  - Launches sc.exe
  PID:3504
- C:\Windows\SysWOW64\sc.exe
  "sc.exe" delete WinDivert1.1
  2⤵
  - Launches sc.exe
  PID:3320
- C:\Windows\system32\cmd.exe
  C:\Windows\Sysnative\cmd.exe /D /c route -p add 100.100.0.10 0.0.0.0 IF 1
  2⤵
  PID:2124
- - C:\Windows\system32\ROUTE.EXE
    route -p add 100.100.0.10 0.0.0.0 IF 1
    3⤵
    PID:3436
- C:\Windows\system32\cmd.exe
  C:\Windows\Sysnative\cmd.exe /D /c FakeClient.exe 100.100.0.10
  2⤵
  PID:4360
- - C:\ProgramData\KMSAuto\bin\driver\x64WDV\FakeClient.exe
    FakeClient.exe 100.100.0.10
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Windows directory
    PID:1076
- C:\Windows\system32\cmd.exe
  C:\Windows\Sysnative\cmd.exe /D /c route delete 100.100.0.10 0.0.0.0
  2⤵
  PID:4784
- - C:\Windows\system32\ROUTE.EXE
    route delete 100.100.0.10 0.0.0.0
    3⤵
    PID:1528
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c taskkill /t /f /IM FakeClient.exe
  2⤵
  PID:4232
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /t /f /IM FakeClient.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1824
- C:\Windows\SysWOW64\sc.exe
  "sc.exe" stop WinDivert1.1
  2⤵
  - Launches sc.exe
  PID:2296
- C:\Windows\SysWOW64\sc.exe
  "sc.exe" delete WinDivert1.1
  2⤵
  - Launches sc.exe
  PID:1204
- C:\Windows\system32\cmd.exe
  C:\Windows\Sysnative\cmd.exe /D /c route -p add 100.100.0.10 0.0.0.0 IF 1
  2⤵
  PID:3756
- - C:\Windows\system32\ROUTE.EXE
    route -p add 100.100.0.10 0.0.0.0 IF 1
    3⤵
    PID:3800
- C:\Windows\system32\cmd.exe
  C:\Windows\Sysnative\cmd.exe /D /c FakeClient.exe 100.100.0.10
  2⤵
  PID:4900
- - C:\ProgramData\KMSAuto\bin\driver\x64WDV\FakeClient.exe
    FakeClient.exe 100.100.0.10
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Windows directory
    PID:976

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x420 0x414
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4016

C:\ProgramData\KMSAuto\bin\KMSSS.exe
"C:\ProgramData\KMSAuto\bin\KMSSS.exe" -Port 1688 -PWin RandomKMSPID -PO14 RandomKMSPID -PO15 RandomKMSPID -AI 43200 -RI 43200 KillProcessOnPort -Log -IP
1⤵
- Executes dropped EXE
PID:180

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\KMSAuto\bin.dat

Filesize
469KB

MD5
bbced89c77ca4bf6393ce721c9529dd1

SHA1
f4b3396570cb6cbb37f91a04052b8bdab52eab7a

SHA256
6fb83e1130ee71a0a0cf588cb34e335474fe4af14cd67a7c845b707d7adcb32d

SHA512
2aa2a5d6e676b4e9da95cb1e68513f4b59fef19386ba126a415475fdb68d43cfb073ef4c69be31ab082e9f721b4026eb7d9fcb44eae32a06161b33405cd0b2c3

Download Submit
C:\ProgramData\KMSAuto\bin.dat

Filesize
469KB

MD5
bbced89c77ca4bf6393ce721c9529dd1

SHA1
f4b3396570cb6cbb37f91a04052b8bdab52eab7a

SHA256
6fb83e1130ee71a0a0cf588cb34e335474fe4af14cd67a7c845b707d7adcb32d

SHA512
2aa2a5d6e676b4e9da95cb1e68513f4b59fef19386ba126a415475fdb68d43cfb073ef4c69be31ab082e9f721b4026eb7d9fcb44eae32a06161b33405cd0b2c3

Download Submit
C:\ProgramData\KMSAuto\bin\AESDecoder.exe

Filesize
29KB

MD5
1e36eab615c49c9501932b5edf8d34d2

SHA1
58905e44bd83e47046c6d769a33cb9cc49487a50

SHA256
3cc0ad2c60c32153729c73366e1af1cc999afd3936bec5313dac511b6dd5f34e

SHA512
73397a9aa7628dc0e35ee7c8fd50cb994fbd3c441f18c4c0156b808a0350c730c3f322e993ba2e9335cdd071efd0593de568f793482137c91f1a57bfbd1de612

Download Submit
C:\ProgramData\KMSAuto\bin\AESDecoder.exe

Filesize
29KB

MD5
1e36eab615c49c9501932b5edf8d34d2

SHA1
58905e44bd83e47046c6d769a33cb9cc49487a50

SHA256
3cc0ad2c60c32153729c73366e1af1cc999afd3936bec5313dac511b6dd5f34e

SHA512
73397a9aa7628dc0e35ee7c8fd50cb994fbd3c441f18c4c0156b808a0350c730c3f322e993ba2e9335cdd071efd0593de568f793482137c91f1a57bfbd1de612

Download Submit
C:\ProgramData\KMSAuto\bin\KMSSS.exe

Filesize
297KB

MD5
22fc15f2c2e2a77bc5a1186e5f55d7d3

SHA1
17f721a7833deb0b3d0e9ddc7bf6c0b0c40c2244

SHA256
4c8c3bed3d9e8f48800065e4ac024aef237861aaa37443d4b00b98569d83aeea

SHA512
72f70e611b7630e1ae2fcea98c278413e67b53acd09ab6bc74884d4c7ac5af16c4b3c1d32e801bc67a22d0cccebdac0438d090921b25bf53391d9a08cbdc433c

Download Submit
C:\ProgramData\KMSAuto\bin\KMSSS.exe

Filesize
297KB

MD5
22fc15f2c2e2a77bc5a1186e5f55d7d3

SHA1
17f721a7833deb0b3d0e9ddc7bf6c0b0c40c2244

SHA256
4c8c3bed3d9e8f48800065e4ac024aef237861aaa37443d4b00b98569d83aeea

SHA512
72f70e611b7630e1ae2fcea98c278413e67b53acd09ab6bc74884d4c7ac5af16c4b3c1d32e801bc67a22d0cccebdac0438d090921b25bf53391d9a08cbdc433c

Download Submit
C:\ProgramData\KMSAuto\bin\KMSSS.exe.aes

Filesize
297KB

MD5
61d01b472c1b2fb783aa45a317cc4bc4

SHA1
0f2fd321e9c845a135090550570c8fbe242d5c11

SHA256
cbd17860af5dd667c9cebf3fdbd96790b887cfcc7884282a254867d8cfce9853

SHA512
564826bc36f55e824d8c78617da2d86d5731cac4f597a55450a991df2c8fed633e348ab043ad31ef6bcbf563ff67b97d066c80910046798c4c282e34eaa45d3a

Download Submit
C:\ProgramData\KMSAuto\bin\TunMirror.exe.aes

Filesize
14KB

MD5
a59c42386e14d73ec83cc01a4af1551b

SHA1
b542c9277acb49c3518095d3064b8b458a94f3ec

SHA256
8751a3c6cf2e3a1cd8e9c7b63bb3cba177476319a67aa766f317151c9ca83aec

SHA512
ce6ba5247fd403d741655fcccb816bc137b266bee68e4b4963815f86c38a9911d78696f7566b6e83040d0ce8ca91b3ffe2b67d26358216c88c76205425cdb9bc

Download Submit
C:\ProgramData\KMSAuto\bin\TunMirror2.exe.aes

Filesize
14KB

MD5
dcdb16bb53846bbe61eeba0887e8d2f0

SHA1
403ea8f857ce41647e1b7c5eb5c4f26771042399

SHA256
b85899bb189b43367e5c4172bd345bfeea45db3086772c4d3b81db5c6e63db6c

SHA512
b464c86a53f6218dca1df586259ff12b99345f2944e819a0b536a3df382497caa6cb118d9535d666097e7e595234d5f21cdbf44774ec13a1e36730d78ab4b298

Download Submit
C:\ProgramData\KMSAuto\bin\driver\x64WDV\FakeClient.exe

Filesize
13KB

MD5
b85f4ce841f3ae1ebdf76835d2eadbef

SHA1
65c215dd7b7a3e8cb76003c252e13fa1e8e50c7c

SHA256
ce28748f6ae7b54ab35fc31d825e80a26e143737cf4748fff523781e04c1ee79

SHA512
c86326cf84b8ae8e72a5d49940a95a525db6f97ca859f15d90f6db9bc11b45a0c326bfe387c243c05f3578528ad2b2bfeea1db2950b331c71fac959fafab3d4f

Download Submit
C:\ProgramData\KMSAuto\bin\driver\x64WDV\FakeClient.exe

Filesize
13KB

MD5
b85f4ce841f3ae1ebdf76835d2eadbef

SHA1
65c215dd7b7a3e8cb76003c252e13fa1e8e50c7c

SHA256
ce28748f6ae7b54ab35fc31d825e80a26e143737cf4748fff523781e04c1ee79

SHA512
c86326cf84b8ae8e72a5d49940a95a525db6f97ca859f15d90f6db9bc11b45a0c326bfe387c243c05f3578528ad2b2bfeea1db2950b331c71fac959fafab3d4f

Download Submit
C:\ProgramData\KMSAuto\bin\driver\x64WDV\FakeClient.exe

Filesize
13KB

MD5
b85f4ce841f3ae1ebdf76835d2eadbef

SHA1
65c215dd7b7a3e8cb76003c252e13fa1e8e50c7c

SHA256
ce28748f6ae7b54ab35fc31d825e80a26e143737cf4748fff523781e04c1ee79

SHA512
c86326cf84b8ae8e72a5d49940a95a525db6f97ca859f15d90f6db9bc11b45a0c326bfe387c243c05f3578528ad2b2bfeea1db2950b331c71fac959fafab3d4f

Download Submit
C:\ProgramData\KMSAuto\bin\driver\x64WDV\FakeClient.exe

Filesize
13KB

MD5
b85f4ce841f3ae1ebdf76835d2eadbef

SHA1
65c215dd7b7a3e8cb76003c252e13fa1e8e50c7c

SHA256
ce28748f6ae7b54ab35fc31d825e80a26e143737cf4748fff523781e04c1ee79

SHA512
c86326cf84b8ae8e72a5d49940a95a525db6f97ca859f15d90f6db9bc11b45a0c326bfe387c243c05f3578528ad2b2bfeea1db2950b331c71fac959fafab3d4f

Download Submit
C:\ProgramData\KMSAuto\bin\driver\x64WDV\FakeClient.exe

Filesize
13KB

MD5
b85f4ce841f3ae1ebdf76835d2eadbef

SHA1
65c215dd7b7a3e8cb76003c252e13fa1e8e50c7c

SHA256
ce28748f6ae7b54ab35fc31d825e80a26e143737cf4748fff523781e04c1ee79

SHA512
c86326cf84b8ae8e72a5d49940a95a525db6f97ca859f15d90f6db9bc11b45a0c326bfe387c243c05f3578528ad2b2bfeea1db2950b331c71fac959fafab3d4f

Download Submit
C:\ProgramData\KMSAuto\bin\driver\x64WDV\FakeClient.exe

Filesize
13KB

MD5
b85f4ce841f3ae1ebdf76835d2eadbef

SHA1
65c215dd7b7a3e8cb76003c252e13fa1e8e50c7c

SHA256
ce28748f6ae7b54ab35fc31d825e80a26e143737cf4748fff523781e04c1ee79

SHA512
c86326cf84b8ae8e72a5d49940a95a525db6f97ca859f15d90f6db9bc11b45a0c326bfe387c243c05f3578528ad2b2bfeea1db2950b331c71fac959fafab3d4f

Download Submit
C:\ProgramData\KMSAuto\bin\driver\x64WDV\FakeClient.exe

Filesize
13KB

MD5
b85f4ce841f3ae1ebdf76835d2eadbef

SHA1
65c215dd7b7a3e8cb76003c252e13fa1e8e50c7c

SHA256
ce28748f6ae7b54ab35fc31d825e80a26e143737cf4748fff523781e04c1ee79

SHA512
c86326cf84b8ae8e72a5d49940a95a525db6f97ca859f15d90f6db9bc11b45a0c326bfe387c243c05f3578528ad2b2bfeea1db2950b331c71fac959fafab3d4f

Download Submit
C:\ProgramData\KMSAuto\bin\driver\x64WDV\FakeClient.exe

Filesize
13KB

MD5
b85f4ce841f3ae1ebdf76835d2eadbef

SHA1
65c215dd7b7a3e8cb76003c252e13fa1e8e50c7c

SHA256
ce28748f6ae7b54ab35fc31d825e80a26e143737cf4748fff523781e04c1ee79

SHA512
c86326cf84b8ae8e72a5d49940a95a525db6f97ca859f15d90f6db9bc11b45a0c326bfe387c243c05f3578528ad2b2bfeea1db2950b331c71fac959fafab3d4f

Download Submit
C:\ProgramData\KMSAuto\bin\driver\x64WDV\WdfCoInstaller01009.dll

Filesize
68KB

MD5
be566e174eaf5b93b0474593cd8f2715

SHA1
350ca8482be913dd9ca7a279fb5680a884402e26

SHA256
cee8496bfa1080fd84fc48ba4375625238900fe93ea739b2dc0300206fde8330

SHA512
fc608acd903daf17250b8ee0f2491458cf06eca9856988fce6b8134f8deb2a3716c3641977d24e3614c9abf344184225bffeeb25212d374988115b15d0ce4b5b

Download Submit
C:\ProgramData\KMSAuto\bin\driver\x64WDV\WdfCoInstaller01009.dll

Filesize
68KB

MD5
be566e174eaf5b93b0474593cd8f2715

SHA1
350ca8482be913dd9ca7a279fb5680a884402e26

SHA256
cee8496bfa1080fd84fc48ba4375625238900fe93ea739b2dc0300206fde8330

SHA512
fc608acd903daf17250b8ee0f2491458cf06eca9856988fce6b8134f8deb2a3716c3641977d24e3614c9abf344184225bffeeb25212d374988115b15d0ce4b5b

Download Submit
C:\ProgramData\KMSAuto\bin\driver\x64WDV\WdfCoInstaller01009.dll

Filesize
68KB

MD5
be566e174eaf5b93b0474593cd8f2715

SHA1
350ca8482be913dd9ca7a279fb5680a884402e26

SHA256
cee8496bfa1080fd84fc48ba4375625238900fe93ea739b2dc0300206fde8330

SHA512
fc608acd903daf17250b8ee0f2491458cf06eca9856988fce6b8134f8deb2a3716c3641977d24e3614c9abf344184225bffeeb25212d374988115b15d0ce4b5b

Download Submit
C:\ProgramData\KMSAuto\bin\driver\x64WDV\WdfCoInstaller01009.dll

Filesize
68KB

MD5
be566e174eaf5b93b0474593cd8f2715

SHA1
350ca8482be913dd9ca7a279fb5680a884402e26

SHA256
cee8496bfa1080fd84fc48ba4375625238900fe93ea739b2dc0300206fde8330

SHA512
fc608acd903daf17250b8ee0f2491458cf06eca9856988fce6b8134f8deb2a3716c3641977d24e3614c9abf344184225bffeeb25212d374988115b15d0ce4b5b

Download Submit
C:\ProgramData\KMSAuto\bin\driver\x64WDV\WdfCoInstaller01009.dll

Filesize
68KB

MD5
be566e174eaf5b93b0474593cd8f2715

SHA1
350ca8482be913dd9ca7a279fb5680a884402e26

SHA256
cee8496bfa1080fd84fc48ba4375625238900fe93ea739b2dc0300206fde8330

SHA512
fc608acd903daf17250b8ee0f2491458cf06eca9856988fce6b8134f8deb2a3716c3641977d24e3614c9abf344184225bffeeb25212d374988115b15d0ce4b5b

Download Submit
C:\ProgramData\KMSAuto\bin\driver\x64WDV\WdfCoInstaller01009.dll

Filesize
68KB

MD5
be566e174eaf5b93b0474593cd8f2715

SHA1
350ca8482be913dd9ca7a279fb5680a884402e26

SHA256
cee8496bfa1080fd84fc48ba4375625238900fe93ea739b2dc0300206fde8330

SHA512
fc608acd903daf17250b8ee0f2491458cf06eca9856988fce6b8134f8deb2a3716c3641977d24e3614c9abf344184225bffeeb25212d374988115b15d0ce4b5b

Download Submit
C:\ProgramData\KMSAuto\bin\driver\x64WDV\WdfCoInstaller01009.dll

Filesize
68KB

MD5
be566e174eaf5b93b0474593cd8f2715

SHA1
350ca8482be913dd9ca7a279fb5680a884402e26

SHA256
cee8496bfa1080fd84fc48ba4375625238900fe93ea739b2dc0300206fde8330

SHA512
fc608acd903daf17250b8ee0f2491458cf06eca9856988fce6b8134f8deb2a3716c3641977d24e3614c9abf344184225bffeeb25212d374988115b15d0ce4b5b

Download Submit
C:\ProgramData\KMSAuto\bin\driver\x64WDV\WdfCoInstaller01009.dll

Filesize
68KB

MD5
be566e174eaf5b93b0474593cd8f2715

SHA1
350ca8482be913dd9ca7a279fb5680a884402e26

SHA256
cee8496bfa1080fd84fc48ba4375625238900fe93ea739b2dc0300206fde8330

SHA512
fc608acd903daf17250b8ee0f2491458cf06eca9856988fce6b8134f8deb2a3716c3641977d24e3614c9abf344184225bffeeb25212d374988115b15d0ce4b5b

Download Submit
C:\ProgramData\KMSAuto\bin\driver\x64WDV\WinDivert.dll

Filesize
16KB

MD5
3f0c03e5076c7e6b404f894ff4dc5bb1

SHA1
9cf99c875e6acd4b12e0eddd5fa51d296ea4998e

SHA256
4e7ebed8410c83b73a23185aa94680143da2933305cd6deefe8ec0b51b7ee6f3

SHA512
20de17d511cc1b3f283a28423f5bdfaef36f104d62c33a1da6449c528d1d8e4986afe8ef68e590add9262c3c7441132022a049022d14deba08a8c72e139f78f4

Download Submit
C:\ProgramData\KMSAuto\bin\driver\x64WDV\WinDivert.dll

Filesize
16KB

MD5
3f0c03e5076c7e6b404f894ff4dc5bb1

SHA1
9cf99c875e6acd4b12e0eddd5fa51d296ea4998e

SHA256
4e7ebed8410c83b73a23185aa94680143da2933305cd6deefe8ec0b51b7ee6f3

SHA512
20de17d511cc1b3f283a28423f5bdfaef36f104d62c33a1da6449c528d1d8e4986afe8ef68e590add9262c3c7441132022a049022d14deba08a8c72e139f78f4

Download Submit
C:\ProgramData\KMSAuto\bin\driver\x64WDV\WinDivert.dll

Filesize
16KB

MD5
3f0c03e5076c7e6b404f894ff4dc5bb1

SHA1
9cf99c875e6acd4b12e0eddd5fa51d296ea4998e

SHA256
4e7ebed8410c83b73a23185aa94680143da2933305cd6deefe8ec0b51b7ee6f3

SHA512
20de17d511cc1b3f283a28423f5bdfaef36f104d62c33a1da6449c528d1d8e4986afe8ef68e590add9262c3c7441132022a049022d14deba08a8c72e139f78f4

Download Submit
C:\ProgramData\KMSAuto\bin\driver\x64WDV\WinDivert.dll

Filesize
16KB

MD5
3f0c03e5076c7e6b404f894ff4dc5bb1

SHA1
9cf99c875e6acd4b12e0eddd5fa51d296ea4998e

SHA256
4e7ebed8410c83b73a23185aa94680143da2933305cd6deefe8ec0b51b7ee6f3

SHA512
20de17d511cc1b3f283a28423f5bdfaef36f104d62c33a1da6449c528d1d8e4986afe8ef68e590add9262c3c7441132022a049022d14deba08a8c72e139f78f4

Download Submit
C:\ProgramData\KMSAuto\bin\driver\x64WDV\WinDivert.dll

Filesize
16KB

MD5
3f0c03e5076c7e6b404f894ff4dc5bb1

SHA1
9cf99c875e6acd4b12e0eddd5fa51d296ea4998e

SHA256
4e7ebed8410c83b73a23185aa94680143da2933305cd6deefe8ec0b51b7ee6f3

SHA512
20de17d511cc1b3f283a28423f5bdfaef36f104d62c33a1da6449c528d1d8e4986afe8ef68e590add9262c3c7441132022a049022d14deba08a8c72e139f78f4

Download Submit
C:\ProgramData\KMSAuto\bin\driver\x64WDV\WinDivert.dll

Filesize
16KB

MD5
3f0c03e5076c7e6b404f894ff4dc5bb1

SHA1
9cf99c875e6acd4b12e0eddd5fa51d296ea4998e

SHA256
4e7ebed8410c83b73a23185aa94680143da2933305cd6deefe8ec0b51b7ee6f3

SHA512
20de17d511cc1b3f283a28423f5bdfaef36f104d62c33a1da6449c528d1d8e4986afe8ef68e590add9262c3c7441132022a049022d14deba08a8c72e139f78f4

Download Submit
C:\ProgramData\KMSAuto\bin\driver\x64WDV\WinDivert.dll

Filesize
16KB

MD5
3f0c03e5076c7e6b404f894ff4dc5bb1

SHA1
9cf99c875e6acd4b12e0eddd5fa51d296ea4998e

SHA256
4e7ebed8410c83b73a23185aa94680143da2933305cd6deefe8ec0b51b7ee6f3

SHA512
20de17d511cc1b3f283a28423f5bdfaef36f104d62c33a1da6449c528d1d8e4986afe8ef68e590add9262c3c7441132022a049022d14deba08a8c72e139f78f4

Download Submit
C:\ProgramData\KMSAuto\bin\driver\x64WDV\WinDivert.dll

Filesize
16KB

MD5
3f0c03e5076c7e6b404f894ff4dc5bb1

SHA1
9cf99c875e6acd4b12e0eddd5fa51d296ea4998e

SHA256
4e7ebed8410c83b73a23185aa94680143da2933305cd6deefe8ec0b51b7ee6f3

SHA512
20de17d511cc1b3f283a28423f5bdfaef36f104d62c33a1da6449c528d1d8e4986afe8ef68e590add9262c3c7441132022a049022d14deba08a8c72e139f78f4

Download Submit
C:\ProgramData\KMSAuto\bin\driver\x64WDV\WinDivert.inf

Filesize
151B

MD5
a94d989905a248afca52bc3cbfcb248b

SHA1
cbb7b37584a58060da6a3dd748f17334384647e7

SHA256
6c9f7dea4f9a47788d5d2ba110b08457fd00dbabe4812ebca6f022300843a75d

SHA512
864eae03a01ac79917e91913fa7d83847f67f259ce8b5b42853c7ffd9a1f6847b9a4adec4d31a6ec882265fd369214bdbd147c6dc76b89bdf1bb2001046ec43f

Download Submit
C:\ProgramData\KMSAuto\bin_x64.dat

Filesize
273KB

MD5
200a90e767924a342c25662487d8c215

SHA1
aa48cbcdea041799f0153cbdc7726eeec1db9906

SHA256
184b7a8be9204f9fefa3666cd3ccaf01bab26fdbc0e2a87320acf84792fdfa84

SHA512
e2735cea38138db29f6666b00862911623ef0d3b0069322b890dea1b66c039da7f4f905010aa4d2c4c8663df4b36f788bc3cdbed228b54406cf4db379609a063

Download Submit
C:\ProgramData\KMSAuto\bin_x64.dat

Filesize
273KB

MD5
200a90e767924a342c25662487d8c215

SHA1
aa48cbcdea041799f0153cbdc7726eeec1db9906

SHA256
184b7a8be9204f9fefa3666cd3ccaf01bab26fdbc0e2a87320acf84792fdfa84

SHA512
e2735cea38138db29f6666b00862911623ef0d3b0069322b890dea1b66c039da7f4f905010aa4d2c4c8663df4b36f788bc3cdbed228b54406cf4db379609a063

Download Submit
C:\ProgramData\KMSAuto\wzt.dat

Filesize
198KB

MD5
b41540f62bde758f2fbb8bd9372cc417

SHA1
b65ce1c31c6474e95c965c9ee7c441155869a89e

SHA256
21b5828e9b324690b1af6352b44c4f668621ee659ab22d525d9ad175f652cb8c

SHA512
519d1da834dd825002b237542ff0538173535c9c32788719c46f9c165fc7d164dbdefcc26c28f618bfd97d3c05c4fdd219c54eb35dd618471b7dedf9e2b97699

Download Submit
C:\ProgramData\KMSAuto\wzt.dat

Filesize
198KB

MD5
b41540f62bde758f2fbb8bd9372cc417

SHA1
b65ce1c31c6474e95c965c9ee7c441155869a89e

SHA256
21b5828e9b324690b1af6352b44c4f668621ee659ab22d525d9ad175f652cb8c

SHA512
519d1da834dd825002b237542ff0538173535c9c32788719c46f9c165fc7d164dbdefcc26c28f618bfd97d3c05c4fdd219c54eb35dd618471b7dedf9e2b97699

Download Submit
C:\ProgramData\KMSAuto\wzt\certmgr.exe

Filesize
79KB

MD5
9d4f1124b2d870583268d19317d564ae

SHA1
720690b291b81aab6417547639c020027e5a4c39

SHA256
ebad2237b3e7cdf65385ccce5099e82c7ec5080e737c97ce4e542cdbea8d418d

SHA512
c2170f27e78a0d8f083d3e8ad0d12ba51cd3a30b8e8b919f714510431ecafc6d9c62e6138ec933ec797917a0a0f387d4f599a3b14a1b293f45f229b4423e24e5

Download Submit
C:\ProgramData\KMSAuto\wzt\certmgr.exe

Filesize
79KB

MD5
9d4f1124b2d870583268d19317d564ae

SHA1
720690b291b81aab6417547639c020027e5a4c39

SHA256
ebad2237b3e7cdf65385ccce5099e82c7ec5080e737c97ce4e542cdbea8d418d

SHA512
c2170f27e78a0d8f083d3e8ad0d12ba51cd3a30b8e8b919f714510431ecafc6d9c62e6138ec933ec797917a0a0f387d4f599a3b14a1b293f45f229b4423e24e5

Download Submit
C:\ProgramData\KMSAuto\wzt\certmgr.exe

Filesize
79KB

MD5
9d4f1124b2d870583268d19317d564ae

SHA1
720690b291b81aab6417547639c020027e5a4c39

SHA256
ebad2237b3e7cdf65385ccce5099e82c7ec5080e737c97ce4e542cdbea8d418d

SHA512
c2170f27e78a0d8f083d3e8ad0d12ba51cd3a30b8e8b919f714510431ecafc6d9c62e6138ec933ec797917a0a0f387d4f599a3b14a1b293f45f229b4423e24e5

Download Submit
C:\ProgramData\KMSAuto\wzt\wzt.cer

Filesize
488B

MD5
4bf5bfbb3caf16c6125df0e10ee60d18

SHA1
f81f111d0e5ab58d396f7bf525577fd30fdc95aa

SHA256
b3db601b90499d6d5d7cd954ca36a907abb6ae649b5439ab2bca93e2e026fe9f

SHA512
0e0cabb6135d50134c53c0f13a4dc242bf686163498318e88fc1f419b3858ac58abcb26f0fa1c476b2005551ae882d50f86acf71b5b0be914ae68dcb935ff765

Download Submit
C:\Users\Admin\AppData\Local\Temp\KMSAuto Net 2019 v1.4.2 CompuDoctor Soluciones\test.test

Filesize
6B

MD5
9f06243abcb89c70e0c331c61d871fa7

SHA1
fde773a18bb29f5ed65e6f0a7aa717fd1fa485d4

SHA256
837ccb607e312b170fac7383d7ccfd61fa5072793f19a25e75fbacb56539b86b

SHA512
b947b99d1baddd347550c9032e9ab60b6be56551cf92c076b38e4e11f436051a4af51c47e54f8641316a720b043641a3b3c1e1b01ba50445ea1ba60bfd1b7a86

Download Submit
C:\Windows\setupact.log

Filesize
2KB

MD5
e8562c9ccc8107b62afa2fb1536c60d9

SHA1
3e16fa98ebf058739eee8dd72f73c615a77f7dac

SHA256
a6c86831f818d2c693c1e94624b3d2a88a3ec892fcfc07ffc0bc1398b1900bec

SHA512
7bfa26726150075230100083a0f9a8a342edca5c64beb55b3ef4fd552918f3cab689f36df6cc38cf4e8cebecfc1fd6421601cde5a1cc76295a71fbea5c344550

Download Submit
C:\Windows\setupact.log

Filesize
2KB

MD5
b450a51ac1fb179250a02af24ff94685

SHA1
3f2c369aed15816abe3c9d6c4e6d5ffbc8851590

SHA256
9328324da861d27f88ae0fb06aba3b6ce67ea319ac8d805e30873d5fa5b0ae51

SHA512
bbcc85b0adbba66f5bd1b5370b1f9c9175459d3b8d26f4b9e90328616a49abe7e87889cdb0528af418c10b2f6c7ca7e3dfec20fada88dd645536c27370c573b4

Download Submit
C:\Windows\setupact.log

Filesize
3KB

MD5
32906af66c086e2d4799dc95b9ab89a0

SHA1
d30dd58e335dbb77325762dc662d399212dc0221

SHA256
912c9a92a486c5006d76015a630079f6c4b32cc2514954de69dd6b22430b6a99

SHA512
9f0b63cbf33b35bfece0677b788882ecce0983f46fc66e06a93f83ab78d9900d50dcda3ea8a9d20152464bf3545089782ab2e35eb5c83164d7d0ceb875c227ff

Download Submit
C:\Windows\setupact.log

Filesize
3KB

MD5
c5b4ce8ee88e63d25c2c4f80329a77d5

SHA1
b704a499bcaf8003e3a5288201fd41d43c8202c0

SHA256
b0b17871a9e78b6d6602652f3faf658fa05c87f59ec9f3c7cef307c9c7383d03

SHA512
19bacc085a013a6675c13535b39ed14c7db9e61aca20a58f4dd30180bfaac13bbeb3f1938206f82ee0f2f5cd460aa4a39f6d0e4de387f26b756506b4207806cb

Download Submit
C:\Windows\setupact.log

Filesize
4KB

MD5
2c71456e4b4cbaea5fbc382787432ba5

SHA1
f15ab3dc459d849f851d19b169f257fb49218754

SHA256
359a70881e7292445d7d93858da634876f152d595ac83d2181919809dc6b5315

SHA512
58fa75d410b6d1743e88adbab7ba484ff332a751dc3646a44dada7e4d9d0155885ee402125157207bd6cfd69b110bb4085ec78324ab21626390f86cb66187e63

Download Submit
C:\Windows\setupact.log

Filesize
4KB

MD5
1fe6f3c396d605dafc44d0776cff98d5

SHA1
226a3116e1c7119470323df9af0264b0c4f4640a

SHA256
eed22db98c9a919845a00fd1569008d73afa4ac74517023c38f6f469b289885c

SHA512
07478bfd37a118a8055f7eeb60407b3b3ca534b4c80e7255f9695fd2c7e413b7004050372a948f0dd9dc6717f6cab2116daa14d56b4ffe3238a3f964c36a12c9

Download Submit
C:\Windows\setupact.log

Filesize
4KB

MD5
1fe6f3c396d605dafc44d0776cff98d5

SHA1
226a3116e1c7119470323df9af0264b0c4f4640a

SHA256
eed22db98c9a919845a00fd1569008d73afa4ac74517023c38f6f469b289885c

SHA512
07478bfd37a118a8055f7eeb60407b3b3ca534b4c80e7255f9695fd2c7e413b7004050372a948f0dd9dc6717f6cab2116daa14d56b4ffe3238a3f964c36a12c9

Download Submit
memory/3252-4-0x0000000005F40000-0x0000000005FD2000-memory.dmp

Filesize
584KB

Download
memory/3252-5-0x0000000005F00000-0x0000000005F10000-memory.dmp

Filesize
64KB

Download
memory/3252-13-0x0000000074840000-0x0000000074FF0000-memory.dmp

Filesize
7.7MB

Download
memory/3252-8-0x0000000005F00000-0x0000000005F10000-memory.dmp

Filesize
64KB

Download
memory/3252-14-0x0000000005F00000-0x0000000005F10000-memory.dmp

Filesize
64KB

Download
memory/3252-3-0x0000000006450000-0x00000000069F4000-memory.dmp

Filesize
5.6MB

Download
memory/3252-6-0x0000000005ED0000-0x0000000005EDA000-memory.dmp

Filesize
40KB

Download
memory/3252-2-0x0000000005E00000-0x0000000005E9C000-memory.dmp

Filesize
624KB

Download
memory/3252-15-0x0000000005F00000-0x0000000005F10000-memory.dmp

Filesize
64KB

Download
memory/3252-1-0x0000000000BA0000-0x000000000143E000-memory.dmp

Filesize
8.6MB

Download
memory/3252-7-0x0000000006140000-0x0000000006196000-memory.dmp

Filesize
344KB

Download
memory/3252-0-0x0000000074840000-0x0000000074FF0000-memory.dmp

Filesize
7.7MB

Download