Analysis

  • max time kernel
    130s
  • max time network
    199s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231020-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20231020-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    07/11/2023, 14:32

General

  • Target

    Activator/ActivatorOffice.cmd

  • Size

    1KB

  • MD5

    ebbf03821a2ea04ec5fb06f48675c239

  • SHA1

    154f3c4ab5bb3e46d22bbdc8f838328bdd787953

  • SHA256

    95c71bf19deb184b03124b3dbbcbbe0c98e9591eaaf249ace0eeec87ed9cb75a

  • SHA512

    6da1d2459e2428801c7405035dc5473a29b9246bec7373e92a7c96e26dcc6920359ea8b65fe7943413842c68e60750449ba5e4d6f67509e369e21dd21cde0f7d

Malware Config

Signatures

  • Creates new service(s) 1 TTPs
  • Modifies Windows Firewall 1 TTPs 4 IoCs
  • Sets service image path in registry 2 TTPs 1 IoCs
  • Stops running service(s) 3 TTPs
  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 2 IoCs
  • UPX packed file 7 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • AutoIT Executable 6 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops file in Windows directory 7 IoCs
  • Launches sc.exe 6 IoCs

    Sc.exe is a Windows utility to control services on the system.

  • Creates scheduled task(s) 1 TTPs 3 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Kills process with taskkill 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: LoadsDriver 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Activator\ActivatorOffice.cmd"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2016
    • C:\Windows\system32\schtasks.exe
      schtasks /create /f /xml "C:\Users\Admin\AppData\Local\Temp\Activator\ActivationNextBoot.xml" /TN "ActivationNextBoot"
      2⤵
      • Creates scheduled task(s)
      PID:1128
    • C:\Users\Admin\AppData\Local\Temp\Activator\KMSAuto\KMSAUTO.EXE
      "C:\Users\Admin\AppData\Local\Temp\Activator\KMSAuto\KMSAuto.exe" /ofs=act /sched=ofs /ofsgvlk=inst /ofs=conv
      2⤵
      • Sets service image path in registry
      • Drops file in Windows directory
      • Suspicious use of WriteProcessMemory
      PID:3592
      • C:\Windows\system32\cmd.exe
        "C:\Windows\Sysnative\cmd.exe" /c copy C:\Windows\system32\Tasks\KMSAuto "C:\Users\Admin\AppData\Local\Temp\KMSAuto.tmp" /Y
        3⤵
          PID:4272
        • C:\Windows\system32\cmd.exe
          "C:\Windows\Sysnative\cmd.exe" /c copy C:\Windows\system32\Tasks\KMSAuto "C:\Users\Admin\AppData\Local\Temp\KMSAuto.tmp" /Y
          3⤵
            PID:2868
          • C:\Windows\system32\cmd.exe
            "C:\Windows\Sysnative\cmd.exe" /c schtasks.exe /end /TN KMSAuto
            3⤵
            • Suspicious use of WriteProcessMemory
            PID:1048
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /end /TN KMSAuto
              4⤵
                PID:5032
            • C:\Windows\system32\cmd.exe
              "C:\Windows\Sysnative\cmd.exe" /c schtasks.exe /delete /TN KMSAuto /F
              3⤵
              • Suspicious use of WriteProcessMemory
              PID:464
              • C:\Windows\system32\schtasks.exe
                schtasks.exe /delete /TN KMSAuto /F
                4⤵
                  PID:1396
              • C:\Windows\system32\cmd.exe
                "C:\Windows\Sysnative\cmd.exe" /c schtasks.exe /create /TN KMSAuto /XML C:\Windows\KMSAuto.xml
                3⤵
                • Suspicious use of WriteProcessMemory
                PID:2060
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /TN KMSAuto /XML C:\Windows\KMSAuto.xml
                  4⤵
                  • Creates scheduled task(s)
                  PID:3480
              • C:\Windows\system32\cmd.exe
                "C:\Windows\Sysnative\cmd.exe" /c copy C:\Windows\system32\Tasks\KMSAuto "C:\Users\Admin\AppData\Local\Temp\KMSAuto.tmp" /Y
                3⤵
                  PID:1520
                • C:\Windows\system32\cmd.exe
                  "C:\Windows\Sysnative\cmd.exe" /c cscript.exe C:\Windows\Temp\KMSAuto\bin\KMSactivator.vbs //NoLogo /KEY:OFS
                  3⤵
                  • Suspicious use of WriteProcessMemory
                  PID:2972
                  • C:\Windows\system32\cscript.exe
                    cscript.exe C:\Windows\Temp\KMSAuto\bin\KMSactivator.vbs //NoLogo /KEY:OFS
                    4⤵
                      PID:2112
                  • C:\Windows\system32\cmd.exe
                    "C:\Windows\Sysnative\cmd.exe" /c bin.dat -y -pkmsauto
                    3⤵
                    • Suspicious use of WriteProcessMemory
                    PID:2120
                    • C:\Windows\Temp\KMSAuto\bin.dat
                      bin.dat -y -pkmsauto
                      4⤵
                      • Executes dropped EXE
                      PID:4676
                  • C:\Windows\system32\cmd.exe
                    "C:\Windows\Sysnative\cmd.exe" /c Netsh.exe Advfirewall Firewall delete rule name=0pen_Port_KMS protocol=TCP
                    3⤵
                    • Suspicious use of WriteProcessMemory
                    PID:4420
                    • C:\Windows\system32\netsh.exe
                      Netsh.exe Advfirewall Firewall delete rule name=0pen_Port_KMS protocol=TCP
                      4⤵
                      • Modifies Windows Firewall
                      PID:1192
                  • C:\Windows\system32\cmd.exe
                    "C:\Windows\Sysnative\cmd.exe" /c Netsh.exe Advfirewall Firewall add rule name=0pen_Port_KMS dir=in action=allow protocol=TCP localport=1688
                    3⤵
                    • Suspicious use of WriteProcessMemory
                    PID:1920
                    • C:\Windows\system32\netsh.exe
                      Netsh.exe Advfirewall Firewall add rule name=0pen_Port_KMS dir=in action=allow protocol=TCP localport=1688
                      4⤵
                      • Modifies Windows Firewall
                      PID:2240
                  • C:\Windows\system32\cmd.exe
                    "C:\Windows\Sysnative\cmd.exe" /c sc.exe create KMSEmulator binpath= temp.exe type= own start= auto
                    3⤵
                    • Suspicious use of WriteProcessMemory
                    PID:2076
                    • C:\Windows\system32\sc.exe
                      sc.exe create KMSEmulator binpath= temp.exe type= own start= auto
                      4⤵
                      • Launches sc.exe
                      PID:3356
                  • C:\Windows\system32\cmd.exe
                    "C:\Windows\Sysnative\cmd.exe" /c sc.exe start KMSEmulator
                    3⤵
                    • Suspicious use of WriteProcessMemory
                    PID:2284
                    • C:\Windows\system32\sc.exe
                      sc.exe start KMSEmulator
                      4⤵
                      • Launches sc.exe
                      PID:4416
                  • C:\Windows\system32\cmd.exe
                    "C:\Windows\Sysnative\cmd.exe" /c bin_x64.dat -y -pkmsauto
                    3⤵
                    • Suspicious use of WriteProcessMemory
                    PID:4744
                    • C:\Windows\Temp\KMSAuto\bin_x64.dat
                      bin_x64.dat -y -pkmsauto
                      4⤵
                      • Executes dropped EXE
                      PID:944
                  • C:\Windows\system32\cmd.exe
                    "C:\Windows\Sysnative\cmd.exe" /c route.exe -p add 43.199.130.184 0.0.0.0 IF 1
                    3⤵
                    • Suspicious use of WriteProcessMemory
                    PID:4896
                    • C:\Windows\system32\ROUTE.EXE
                      route.exe -p add 43.199.130.184 0.0.0.0 IF 1
                      4⤵
                        PID:3868
                    • C:\Windows\Temp\KMSAuto\bin\driver\x64WDV\FakeClient.exe
                      "FakeClient.exe" 43.199.130.184
                      3⤵
                      • Executes dropped EXE
                      • Loads dropped DLL
                      • Drops file in Windows directory
                      PID:4460
                    • C:\Windows\system32\cmd.exe
                      "C:\Windows\Sysnative\cmd.exe" /c cscript.exe C:\Windows\Temp\KMSAuto\bin\KMSactivator.vbs //NoLogo /ADR:43.199.130.184 /PRT:1688 /PWN:1688 /P10:1688 /P13:1688 /ACT:OFS
                      3⤵
                        PID:3572
                        • C:\Windows\system32\cscript.exe
                          cscript.exe C:\Windows\Temp\KMSAuto\bin\KMSactivator.vbs //NoLogo /ADR:43.199.130.184 /PRT:1688 /PWN:1688 /P10:1688 /P13:1688 /ACT:OFS
                          4⤵
                            PID:2072
                        • C:\Windows\system32\cmd.exe
                          "C:\Windows\Sysnative\cmd.exe" /c sc.exe stop KMSEmulator
                          3⤵
                            PID:2768
                            • C:\Windows\system32\sc.exe
                              sc.exe stop KMSEmulator
                              4⤵
                              • Launches sc.exe
                              PID:972
                          • C:\Windows\system32\cmd.exe
                            "C:\Windows\Sysnative\cmd.exe" /c sc.exe delete KMSEmulator
                            3⤵
                              PID:4416
                              • C:\Windows\system32\sc.exe
                                sc.exe delete KMSEmulator
                                4⤵
                                • Launches sc.exe
                                PID:1048
                            • C:\Windows\system32\cmd.exe
                              "C:\Windows\Sysnative\cmd.exe" /c route delete 43.199.130.184 0.0.0.0
                              3⤵
                                PID:2232
                                • C:\Windows\system32\ROUTE.EXE
                                  route delete 43.199.130.184 0.0.0.0
                                  4⤵
                                    PID:4816
                                • C:\Windows\system32\cmd.exe
                                  "C:\Windows\Sysnative\cmd.exe" /c taskkill.exe /t /f /IM FakeClient.exe
                                  3⤵
                                    PID:4316
                                    • C:\Windows\system32\taskkill.exe
                                      taskkill.exe /t /f /IM FakeClient.exe
                                      4⤵
                                      • Kills process with taskkill
                                      • Suspicious use of AdjustPrivilegeToken
                                      PID:5036
                                  • C:\Windows\system32\cmd.exe
                                    "C:\Windows\Sysnative\cmd.exe" /c sc.exe stop WinDivert1.1
                                    3⤵
                                      PID:2484
                                      • C:\Windows\system32\sc.exe
                                        sc.exe stop WinDivert1.1
                                        4⤵
                                        • Launches sc.exe
                                        PID:4396
                                    • C:\Windows\system32\cmd.exe
                                      "C:\Windows\Sysnative\cmd.exe" /c sc.exe delete WinDivert1.1
                                      3⤵
                                        PID:3480
                                        • C:\Windows\system32\sc.exe
                                          sc.exe delete WinDivert1.1
                                          4⤵
                                          • Launches sc.exe
                                          PID:1624
                                      • C:\Windows\system32\cmd.exe
                                        "C:\Windows\Sysnative\cmd.exe" /c Netsh.exe Advfirewall Firewall delete rule name=0pen_Port_KMS protocol=TCP
                                        3⤵
                                          PID:684
                                          • C:\Windows\system32\netsh.exe
                                            Netsh.exe Advfirewall Firewall delete rule name=0pen_Port_KMS protocol=TCP
                                            4⤵
                                            • Modifies Windows Firewall
                                            PID:3584
                                        • C:\Windows\system32\cmd.exe
                                          "C:\Windows\Sysnative\cmd.exe" /c Netsh.exe Advfirewall Firewall delete rule name=0pen_Port_KMS2 protocol=TCP
                                          3⤵
                                            PID:4836
                                            • C:\Windows\system32\netsh.exe
                                              Netsh.exe Advfirewall Firewall delete rule name=0pen_Port_KMS2 protocol=TCP
                                              4⤵
                                              • Modifies Windows Firewall
                                              PID:1488
                                        • C:\Users\Admin\AppData\Local\Temp\Activator\KMSAuto\Wait.exe
                                          "C:\Users\Admin\AppData\Local\Temp\Activator\KMSAuto\Wait.exe"
                                          2⤵
                                          • Suspicious behavior: EnumeratesProcesses
                                          PID:3696
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks /create /f /xml "C:\Users\Admin\AppData\Local\Temp\Activator\KMSAuto\KMSAutoOffice.xml" /TN "KMSAuto"
                                          2⤵
                                          • Creates scheduled task(s)
                                          PID:1740
                                      • C:\Windows\Temp\KMSAuto\bin\KMSSS.exe
                                        "C:\Windows\Temp\KMSAuto\bin\KMSSS.exe" -Port 1688 -PWin 05426-00206-471-254040-03-1049-14393.0000-2242016 -PO14 RandomKMSPID -PO15 RandomKMSPID -PO16 RandomKMSPID -AI 43200 -RI 43200 KillProcessOnPort -Hwid DD279A0090B8D83E
                                        1⤵
                                        • Executes dropped EXE
                                        PID:1348

Network

MITRE ATT&CK Enterprise v15

Downloads

                                      • C:\Users\Admin\AppData\Local\Temp\KMSAuto.tmp

                                        Filesize

                                        3KB

                                        MD5

                                        7705817320930b4e3c062c5bc226d0c5

                                        SHA1

                                        c0b49652ad56c1d7f80136f2041d7c80bf2bf277

                                        SHA256

                                        f7235f8e72834034b858164c09e6bc941a132febae30466aa9dfd7b8cf325888

                                        SHA512

                                        0708942e6beb65ed800d4d6e01f57707381553d6417db3b0a4068200e074a8c6da915a07ca46018ca615c831972f321b11f160107d98d782a4c9e52deb441671

                                      • C:\Windows\KMSAuto.xml

                                        Filesize

                                        3KB

                                        MD5

                                        b1d1b96a65ea2720588fc42787287f0a

                                        SHA1

                                        c4f6ee33e424e8136aad018b13b154b35de4a52f

                                        SHA256

                                        0ec31708eb1cd663ceca69188f9e1df3538d424ec7bec05a17271faa49b7cccc

                                        SHA512

                                        f516dcc2b6ccd5ed0b7958080fec7560f6e8abd34a4a837b8c815325e01448f15ef1350a04c45d2d9712351ed969f7c2e8d77a900a9e0a8f605330577b88e1e2

                                      • C:\Windows\Temp\KMSAuto\bin.dat

                                        Filesize

                                        166KB

                                        MD5

                                        ca62d4125a24ea98f90b8d7b7c92801b

                                        SHA1

                                        72f50ecc667713b8f357a048a6f621664fd1e361

                                        SHA256

                                        9c34f3c2a16c88796170f5c2c9ac3a49cda5d897bd6d9e613cf686fdc3df3d75

                                        SHA512

                                        ed94d5947ea11db449d82a7dc26c5a8b73ac1dc42f10ed4f2af6c9fab753b4ea362d08816f058875ec294ce7a00f31531280a84df732b96d0a4e39cccd1dd2f2

                                      • C:\Windows\Temp\KMSAuto\bin\KMSSS.exe

                                        Filesize

                                        34KB

                                        MD5

                                        be3f826075408b5d6ae7b66a55b4a520

                                        SHA1

                                        cb2f05c14c75e140dcf68de310be1e9527f8193d

                                        SHA256

                                        9dcf6e361b22730bae0f425393c8f89a8e92b933637a3009fbd0a598d5eb4418

                                        SHA512

                                        295eb9c695d25cce3557566eb535c034eaf51de76dfadb9a49533d43d2ccd9735c06106d150c737bbe3d95551850daa08c47c8d16cdbd2874eaacb908211e3f2

                                      • C:\Windows\Temp\KMSAuto\bin\KMSactivator.vbs

                                        Filesize

                                        82KB

                                        MD5

                                        1e279e2ef92662bded2c7fd781306a73

                                        SHA1

                                        70da7979881b6a3b78c655b08de3c2aad8e60a10

                                        SHA256

                                        a5c143fa70977717f136327938f52d1ad0dab56b1bbecf0d49bd0a985dfad42a

                                        SHA512

                                        8afac7d4f591fe723d9602b54c508a74f15d6568ad4c01aef8eb9bee1862e5e55166f7f6f30468a0f4ed96031e6ecee67d2bb532e62a0b8c6bf8bf274d6c0fd1

                                      • C:\Windows\Temp\KMSAuto\bin\driver\x64WDV\FakeClient.exe

                                        Filesize

                                        13KB

                                        MD5

                                        91b75bcf59b2de235214ed47be8a99a5

                                        SHA1

                                        03129cd21f0bec38069fab1aecd69d6c9c80c13c

                                        SHA256

                                        b852614080b267722d1a8201492fcf30bf1904b7fc7ff5084bef8423bc1222e5

                                        SHA512

                                        85e9175b21cde5e69e74f5a0fbb5b6f7095779a836d5ff4f6ded662c194e6cf6f63fd29f946632ad9d1fd5d4cfe47501f5cc2717e58c8f0b2c7403ee2945d31b

                                      • C:\Windows\Temp\KMSAuto\bin\driver\x64WDV\WdfCoInstaller01009.dll

                                        Filesize

                                        68KB

                                        MD5

                                        be566e174eaf5b93b0474593cd8f2715

                                        SHA1

                                        350ca8482be913dd9ca7a279fb5680a884402e26

                                        SHA256

                                        cee8496bfa1080fd84fc48ba4375625238900fe93ea739b2dc0300206fde8330

                                        SHA512

                                        fc608acd903daf17250b8ee0f2491458cf06eca9856988fce6b8134f8deb2a3716c3641977d24e3614c9abf344184225bffeeb25212d374988115b15d0ce4b5b

                                      • C:\Windows\Temp\KMSAuto\bin\driver\x64WDV\WinDivert.dll

                                        Filesize

                                        16KB

                                        MD5

                                        3f0c03e5076c7e6b404f894ff4dc5bb1

                                        SHA1

                                        9cf99c875e6acd4b12e0eddd5fa51d296ea4998e

                                        SHA256

                                        4e7ebed8410c83b73a23185aa94680143da2933305cd6deefe8ec0b51b7ee6f3

                                        SHA512

                                        20de17d511cc1b3f283a28423f5bdfaef36f104d62c33a1da6449c528d1d8e4986afe8ef68e590add9262c3c7441132022a049022d14deba08a8c72e139f78f4

                                      • C:\Windows\Temp\KMSAuto\bin\driver\x64WDV\WinDivert.inf

                                        Filesize

                                        151B

                                        MD5

                                        a94d989905a248afca52bc3cbfcb248b

                                        SHA1

                                        cbb7b37584a58060da6a3dd748f17334384647e7

                                        SHA256

                                        6c9f7dea4f9a47788d5d2ba110b08457fd00dbabe4812ebca6f022300843a75d

                                        SHA512

                                        864eae03a01ac79917e91913fa7d83847f67f259ce8b5b42853c7ffd9a1f6847b9a4adec4d31a6ec882265fd369214bdbd147c6dc76b89bdf1bb2001046ec43f

                                      • C:\Windows\Temp\KMSAuto\bin\driver\x64WDV\WinDivert.sys

                                        Filesize

                                        34KB

                                        MD5

                                        a0d15d8727d0780c51628df46b7268b3

                                        SHA1

                                        c85f24ef961db67c829a676a941cbead24c62b21

                                        SHA256

                                        5e23f3ed1d6620c39a644f9879404a22ded86b3b076ec4a898b4b6be244afd64

                                        SHA512

                                        a7a6173bc2652d7b45fdc3009d00be9f7d3a9f42ad99cd569bfa2d23902f77866dd3b090f6debb11c802fc85b2230d5321309b0bf50d1dd8665ca8ab19c78361

                                      • C:\Windows\Temp\KMSAuto\bin_x64.dat

                                        Filesize

                                        197KB

                                        MD5

                                        b539aa381715ed2bdec01e33867b1a67

                                        SHA1

                                        7f71f9adddb2cd532cc311ec2738cced4702c4d5

                                        SHA256

                                        2d6141d06a6567e60ca4ecbfbf09a912368bbf37420748b515374b366a305cd9

                                        SHA512

                                        fa3e0f3af5631e828e6c65a2778467b8e842ff553d02b6e6b7f2f982fc9138071aad1972b0e5bf72ea525ecc31ce9e832a42b1cf00da5b7a85e441c0c37f73b6
