a5a2cf98c2b3cfc7ff854aaf68e4090ead6ebbcb0f8a8702e7a310705fd1bf4c

Resubmissions

23/05/2024, 01:58

240523-cdy4xshf2y 7

23/05/2024, 01:54

240523-cbqprshe2w 7

29/03/2024, 02:04

240329-chhyhaeg7y 8

Analysis

max time kernel
594s
max time network
533s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
29/03/2024, 02:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5cba18cec813dda56d285653b61653dc3df7e3ac24ca8d8d4e4d4fb7707dc37f.exe
Size

23.1MB
MD5

8732f7f7940028fed948bf5e0065a609
SHA1

430ff61efa0e21f942fd46db6706dd792b086f45
SHA256

5cba18cec813dda56d285653b61653dc3df7e3ac24ca8d8d4e4d4fb7707dc37f
SHA512

50c4035a08b455b06a85362a82cafb722a5f08dddc85876c3d28f0559d72d36373e273125c23a2e7951bc15a0ad0b8d117df0032797a8c527c40e1505205f271
SSDEEP

393216:WUyLY6aTqS6jd+y3PjYyaRlPofnk40RR12NW3oz6KSaAppfWfl9WMz3hzpf70ENI:PwCqXd3Pjpulg/k9R+Y3G1LaFWVz3xRS

Score

8^/10

evasion upx

Malware Config

Signatures

Modifies Windows Firewall 2 TTPs 1 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
3852	netsh.exe

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral2/files/0x0007000000023390-748.dat	acprotect

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	kms.exe
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	cmd.exe

Executes dropped EXE 5 IoCs

pid	Process
1496	7za.exe
1568	kms.exe
2912	hstart.exe
3756	hstart.exe
4936	hstart.exe

Loads dropped DLL 1 IoCs

pid	Process
1568	kms.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1568-752-0x0000000010000000-0x000000001007E000-memory.dmp	upx
behavioral2/files/0x0007000000023390-748.dat	upx

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\km$\Bios\keymaps\pt-br	7za.exe
File created	C:\Windows\km$\office14win7\ospp.vbs	7za.exe
File created	C:\Windows\km$\kmscert2013\standard\LicenseSetData._B13AFB38_CD79_4AE5_9F7F_EED058D750CA.PPDLIC.xrm-ms	7za.exe
File opened for modification	C:\Windows\km$\Bios\keymaps\ar	7za.exe
File opened for modification	C:\Windows\km$\KeyMngOf.cmd	7za.exe
File opened for modification	C:\Windows\km$\office15win7\reofen.cmd	7za.exe
File created	C:\Windows\km$\office14win8\reofen.cmd	7za.exe
File opened for modification	C:\Windows\km$\winofen.cmd	7za.exe
File opened for modification	C:\Windows\km$\office15win7\office14\slerror.xml	7za.exe
File created	C:\Windows\km$\kmscert2013\visio\LicenseSetData._3E4294DD_A765_49BC_8DBD_CF8B62A4BD3D.PL.xrm-ms	7za.exe
File opened for modification	C:\Windows\km$\office15win7\office14\cscript.exe	7za.exe
File created	C:\Windows\km$\Bios\bootsplash.bmp	7za.exe
File opened for modification	C:\Windows\km$\Office2010Vol\Standard2010Vol\license.reg	7za.exe
File created	C:\Windows\km$\kmscert2013\visio\Licenses.sl.ISSUANCE.CLIENT_ROOT.xrm-ms	7za.exe
File opened for modification	C:\Windows\km$\Office2010Vol\Standard2010Vol\LicenseSetData._9DA2A678_FB6B_4E67_AB84_60DD6A9C819A.RAC_Pub.xrm-ms	7za.exe
File created	C:\Windows\km$\office14win8\ospprearm.exe	7za.exe
File opened for modification	C:\Windows\KMSnano.7z	5cba18cec813dda56d285653b61653dc3df7e3ac24ca8d8d4e4d4fb7707dc37f.exe
File created	C:\Windows\km$\StartQemu.cmd	7za.exe
File opened for modification	C:\Windows\km$\office2010vl\tokens.dat	7za.exe
File created	C:\Windows\km$\kmscert2013\project\Licenses.sl.ISSUANCE.CLIENT_BRIDGE_OFFICE.xrm-ms	7za.exe
File created	C:\Windows\km$\Office2010Vol\Standard2010Vol\LicenseSetData._1F76E346_E0BE_49BC_9954_70EC53A4FCFE.PL.xrm-ms	7za.exe
File opened for modification	C:\Windows\km$\Office2010Vol\Standard2010Vol\LicenseSetData._1F76E346_E0BE_49BC_9954_70EC53A4FCFE.PPDLIC.xrm-ms	7za.exe
File opened for modification	C:\Windows\km$\office15win7\OSPPREARM.EXE	7za.exe
File created	C:\Windows\km$\Bios\openbios-sparc32	7za.exe
File opened for modification	C:\Windows\km$\Office2010Vol\Standard2010Vol\Licenses.sl.PKEYCONFIG.SIGNED.xrm-ms	7za.exe
File opened for modification	C:\Windows\km$\Office2010Vol\Standard2010Vol\Licenses.sl.RAC.GENERIC.PRIVATE.xrm-ms	7za.exe
File opened for modification	C:\Windows\km$\Office2010Vol\Visio2010Vol\Licenses.sl.SPC.GENERIC.PRIVATE.xrm-ms	7za.exe
File created	C:\Windows\km$\Office2010Vol\Visio2010Vol\LicenseSetData._E558389C_83C3_4B29_ADFE_5E4D7F46C358.PL.xrm-ms	7za.exe
File created	C:\Windows\km$\ckof.cmd	7za.exe
File opened for modification	C:\Windows\km$\killen.cmd	7za.exe
File opened for modification	C:\Windows\km$\OSPP.VBS	7za.exe
File opened for modification	C:\Windows\km$\Office2010Vol\ProjectPro2010Vol\license.reg	7za.exe
File created	C:\Windows\km$\Office2010Vol\Visio2010Vol\license.reg	7za.exe
File opened for modification	C:\Windows\km$\Office2010Vol\Visio2010Vol\Licenses.sl.ISSUANCE.CLIENT_WGALIC.xrm-ms	7za.exe
File opened for modification	C:\Windows\km$\Office2010Vol\OfficeProplus2010Vol\LicenseSetData._6F327760_8C5C_417C_9B61_836A98287E0C.RAC_Priv.xrm-ms	7za.exe
File opened for modification	C:\Windows\km$\Office2010Vol\Visio2010Vol\LicenseSetData._9ED833FF_4F92_4F36_B370_8683A4F13275.PL.xrm-ms	7za.exe
File created	C:\Windows\km$\Bios\keymaps\no	7za.exe
File opened for modification	C:\Windows\km$\office15win7\ckof.cmd	7za.exe
File opened for modification	C:\Windows\km$\Office2010Vol\ProjectPro2010Vol\Licenses.sl.RAC.GENERIC.PRIVATE.xrm-ms	7za.exe
File opened for modification	C:\Windows\km$\Office2010Vol\OfficeProplus2010Vol\Licenses.sl.RAC.GENERIC.PRIVATE.xrm-ms	7za.exe
File created	C:\Windows\km$\Office2010Vol\OfficeProplus2010Vol\LicenseSetData._191301D3_A579_428C_B0C7_D7988500F9E3.OOB.xrm-ms	7za.exe
File created	C:\Windows\km$\Bios\target-x86_64.conf	7za.exe
File created	C:\Windows\km$\Bios\keymaps\modifiers	7za.exe
File created	C:\Windows\km$\office14win7\reof.cmd	7za.exe
File created	C:\Windows\km$\office15win7\reof.cmd	7za.exe
File opened for modification	C:\Windows\km$\Office2010Vol\Visio2010Vol\Licenses.sl.RAC.GENERIC.PUBLIC.xrm-ms	7za.exe
File opened for modification	C:\Windows\km$\Office2010Vol\Visio2010Vol\LicenseSetData._9ED833FF_4F92_4F36_B370_8683A4F13275.RAC_Priv.xrm-ms	7za.exe
File opened for modification	C:\Windows\km$\IPAddressControlLib.dll	7za.exe
File opened for modification	C:\Windows\km$\libpng14-14.dll	7za.exe
File created	C:\Windows\km$\00-Start_Qemu_Manual.cmd	7za.exe
File opened for modification	C:\Windows\km$\office14win7\office14en.cmd	7za.exe
File created	C:\Windows\km$\kmscert2013\standard\Licenses.sl.ISSUANCE.CLIENT_ROOT_BRIDGE_TEST.xrm-ms	7za.exe
File opened for modification	C:\Windows\km$\Office2010Vol\Visio2010Vol\Licenses.sl.ISSUANCE.CLIENT_UL_OOB.xrm-ms	7za.exe
File opened for modification	C:\Windows\km$\kmscert2013\proplus\LicenseSetData._2B88C4F2_EA8F_43CD_805E_4D41346E18A7.PL.xrm-ms	7za.exe
File opened for modification	C:\Windows\km$\Bios\keymaps\en-us	7za.exe
File created	C:\Windows\km$\Bios\multiboot.bin	7za.exe
File created	C:\Windows\km$\Office2010Vol\ProjectPro2010Vol\LicenseSetData._1CF57A59_C532_4E56_9A7D_FFA2FE94B474.PL.xrm-ms	7za.exe
File created	C:\Windows\km$\office15win7\hstart.exe	7za.exe
File created	C:\Windows\km$\libpng12.dll	7za.exe
File opened for modification	C:\Windows\km$\Bios\keymaps\th	7za.exe
File opened for modification	C:\Windows\km$\Office2010Vol\Visio2010Vol\LicenseSetData._5980CF2B_E460_48AF_921E_0C2A79025D23.PPDLIC.xrm-ms	7za.exe
File created	C:\Windows\km$\Office2010Vol\OfficeProplus2010Vol\LicenseSetData._6F327760_8C5C_417C_9B61_836A98287E0C.OOB.xrm-ms	7za.exe
File created	C:\Windows\km$\Office2010Vol\OfficeProplus2010Vol\LicenseSetData._6F327760_8C5C_417C_9B61_836A98287E0C.PL.xrm-ms	7za.exe
File opened for modification	C:\Windows\km$\office14win7	7za.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\Local Settings	cmd.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	3344	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	3344	AUDIODG.EXE

Suspicious use of WriteProcessMemory 54 IoCs

description	pid	Process	procid_target
PID 1712 wrote to memory of 1496	1712	5cba18cec813dda56d285653b61653dc3df7e3ac24ca8d8d4e4d4fb7707dc37f.exe	89
PID 1712 wrote to memory of 1496	1712	5cba18cec813dda56d285653b61653dc3df7e3ac24ca8d8d4e4d4fb7707dc37f.exe	89
PID 1712 wrote to memory of 1496	1712	5cba18cec813dda56d285653b61653dc3df7e3ac24ca8d8d4e4d4fb7707dc37f.exe	89
PID 1712 wrote to memory of 1568	1712	5cba18cec813dda56d285653b61653dc3df7e3ac24ca8d8d4e4d4fb7707dc37f.exe	93
PID 1712 wrote to memory of 1568	1712	5cba18cec813dda56d285653b61653dc3df7e3ac24ca8d8d4e4d4fb7707dc37f.exe	93
PID 1712 wrote to memory of 1568	1712	5cba18cec813dda56d285653b61653dc3df7e3ac24ca8d8d4e4d4fb7707dc37f.exe	93
PID 1568 wrote to memory of 2912	1568	kms.exe	100
PID 1568 wrote to memory of 2912	1568	kms.exe	100
PID 1568 wrote to memory of 2912	1568	kms.exe	100
PID 2912 wrote to memory of 4580	2912	hstart.exe	101
PID 2912 wrote to memory of 4580	2912	hstart.exe	101
PID 2912 wrote to memory of 4580	2912	hstart.exe	101
PID 4580 wrote to memory of 5092	4580	cmd.exe	103
PID 4580 wrote to memory of 5092	4580	cmd.exe	103
PID 4580 wrote to memory of 5092	4580	cmd.exe	103
PID 4580 wrote to memory of 4196	4580	cmd.exe	104
PID 4580 wrote to memory of 4196	4580	cmd.exe	104
PID 4580 wrote to memory of 4196	4580	cmd.exe	104
PID 4580 wrote to memory of 4696	4580	cmd.exe	105
PID 4580 wrote to memory of 4696	4580	cmd.exe	105
PID 4580 wrote to memory of 4696	4580	cmd.exe	105
PID 4696 wrote to memory of 3852	4696	cmd.exe	107
PID 4696 wrote to memory of 3852	4696	cmd.exe	107
PID 4696 wrote to memory of 3852	4696	cmd.exe	107
PID 1568 wrote to memory of 1528	1568	kms.exe	109
PID 1568 wrote to memory of 1528	1568	kms.exe	109
PID 1568 wrote to memory of 1528	1568	kms.exe	109
PID 1528 wrote to memory of 1740	1528	cmd.exe	111
PID 1528 wrote to memory of 1740	1528	cmd.exe	111
PID 1528 wrote to memory of 1740	1528	cmd.exe	111
PID 1528 wrote to memory of 4444	1528	cmd.exe	112
PID 1528 wrote to memory of 4444	1528	cmd.exe	112
PID 1528 wrote to memory of 4444	1528	cmd.exe	112
PID 1568 wrote to memory of 3756	1568	kms.exe	113
PID 1568 wrote to memory of 3756	1568	kms.exe	113
PID 1568 wrote to memory of 3756	1568	kms.exe	113
PID 3756 wrote to memory of 2688	3756	hstart.exe	114
PID 3756 wrote to memory of 2688	3756	hstart.exe	114
PID 3756 wrote to memory of 2688	3756	hstart.exe	114
PID 2688 wrote to memory of 2920	2688	cmd.exe	116
PID 2688 wrote to memory of 2920	2688	cmd.exe	116
PID 2688 wrote to memory of 2920	2688	cmd.exe	116
PID 1568 wrote to memory of 4936	1568	kms.exe	118
PID 1568 wrote to memory of 4936	1568	kms.exe	118
PID 1568 wrote to memory of 4936	1568	kms.exe	118
PID 4936 wrote to memory of 2056	4936	hstart.exe	119
PID 4936 wrote to memory of 2056	4936	hstart.exe	119
PID 4936 wrote to memory of 2056	4936	hstart.exe	119
PID 2056 wrote to memory of 3428	2056	cmd.exe	121
PID 2056 wrote to memory of 3428	2056	cmd.exe	121
PID 2056 wrote to memory of 3428	2056	cmd.exe	121
PID 1568 wrote to memory of 3720	1568	kms.exe	122
PID 1568 wrote to memory of 3720	1568	kms.exe	122
PID 1568 wrote to memory of 3720	1568	kms.exe	122

C:\Users\Admin\AppData\Local\Temp\5cba18cec813dda56d285653b61653dc3df7e3ac24ca8d8d4e4d4fb7707dc37f.exe
"C:\Users\Admin\AppData\Local\Temp\5cba18cec813dda56d285653b61653dc3df7e3ac24ca8d8d4e4d4fb7707dc37f.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1712
- C:\Windows\7za.exe
  C:\Windows\7za.exe x C:\Windows\KMSnano.7z -y -oC:\Windows\km$\
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  PID:1496
- C:\Windows\km$\kms.exe
  C:\Windows\km$\kms.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1568
- - C:\Windows\km$\hstart.exe
    "C:\Windows\km$\hstart.exe" /NOCONSOLE win.cmd
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2912
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c win.cmd
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4580
    - - C:\Windows\SysWOW64\reg.exe
        
        REG QUERY "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v CurrentVersion
        5⤵
        
        PID:5092
    - - C:\Windows\SysWOW64\findstr.exe
        
        findstr /i 6.2
        5⤵
        
        PID:4196
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K actwin7.cmd
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4696
      - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall add rule name="Open Port 1688" dir=in action=allow protocol=TCP localport=1688
        6⤵
        Modifies Windows Firewall
        
        PID:3852
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Windows\km$\re2vl.cmd" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1528
  - - C:\Windows\SysWOW64\reg.exe
      REG QUERY "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v CurrentVersion
      4⤵
      PID:1740
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /i 6.2
      4⤵
      PID:4444
- - C:\Windows\km$\hstart.exe
    "C:\Windows\km$\hstart.exe" /NOCONSOLE rewin.cmd
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3756
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c rewin.cmd
      4⤵
      Checks computer location settings
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2688
    - - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\system32\slmgr.vbs" -rearm
        5⤵
        
        PID:2920
- - C:\Windows\km$\hstart.exe
    "C:\Windows\km$\hstart.exe" /NOCONSOLE rewin.cmd
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4936
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c rewin.cmd
      4⤵
      Checks computer location settings
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2056
    - - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\system32\slmgr.vbs" -rearm
        5⤵
        
        PID:3428
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Windows\km$\KeyMngOf.cmd" "
    3⤵
    PID:3720

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x510 0x468
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3344

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\apm48FF.tmp

Filesize
146KB

MD5
3d4839228c7ee77e28832879eeb17340

SHA1
ebe4a6388c8c6831837e232b48b8f4266b7f711e

SHA256
5d6ff8a11cda6d5b1e6d8a5562594379a082cee18f402a8a0a26b8cabe428954

SHA512
f3c534524eaa4b51ee44a6c1d05a142c0d10d9c1c48db79b60903dd948d5712b367479b82cd85fa8ee094dcd2569c0fd85a36c10c97deab59e49e1f1f4da6c56

Download Submit
C:\Users\Admin\AppData\Local\Temp\aut3CDA.tmp

Filesize
22.2MB

MD5
857c26b8ddfb21383551c90c28301334

SHA1
37e4ed11d887b3e3c49716d0e3eab9641d9966c7

SHA256
cafe5d51dba96696026bb6e9aff45e81fb6f9efaa6a43f5e48c8cfb91d7b3187

SHA512
d0a5f73403e1f71d0dbac13d0abdeb1d42386b3993e97cc7c6f74612e4c31eebacb410a54203462f765e51c13f9a34cfbff1d87b2b2337678cf6666a0856161e

Download Submit
C:\Windows\7za.exe

Filesize
491KB

MD5
29849e01bded09e70dd9ae1998437262

SHA1
3fd2ab128be6f2d14911f3cea958fee769a83008

SHA256
7fff51a6e365b6b011ea102e2cc3854f5b2af07e41c1ef1c20290c29af81737f

SHA512
201aa7e4bfc57e7c32501338c49c290315c9a86393cf47a602d3c166ce619e0341dafb3ae9260aa1a3ff2df913a7785d83deb762b9b0515ae27ae9c1be245f39

Download Submit
C:\Windows\km$\KeyMngOf.cmd

Filesize
4KB

MD5
c3d09fa54f39c6037c07c61d46de6de3

SHA1
0bebacba36075609c1b3bb94e2a7483f45a704a9

SHA256
8f91964459f72dfaf93510d75b051233085ba30659e1db59701bf087cd589054

SHA512
ac10295c0df8e0deffee053b8c59a2f04be31fdf102e79942097c1dbe6c62a2671485b9366be0877d9e9c2f8c1c2025206687017ce3218015e55188815d730c6

Download Submit
C:\Windows\km$\Office2010Vol\OfficeProplus2010Vol\Licenses.sl.ISSUANCE.CLIENT_PKC.xrm-ms

Filesize
3KB

MD5
16160b11e331c8146fdd8fca7cf0587c

SHA1
ceba4e3e18f8aa0ff58ec08b775e284ad5691654

SHA256
a349f53d19f31fd126e7f83e88f2922539aae859ddb5815cd28ac83a2c01639a

SHA512
c5bfeb4c0c9703007af7370145472b71b993db8fffc93ef13cec7ede4fc69eb62f01f0b7d61bf2943f024eea619b6493dc412bab0320432883ec95946f7d321e

Download Submit
C:\Windows\km$\Office2010Vol\OfficeProplus2010Vol\Licenses.sl.ISSUANCE.CLIENT_PLUGIN_MANIFEST.xrm-ms

Filesize
3KB

MD5
2a7ba824cd5514ff6fb49b750c41019b

SHA1
4f4a4a85d01310b1afcb13eeeac5bbce86de1af4

SHA256
ba84f19db9e7a11d1f2cf04e1d7fd26eb67f2ba3e91db97ce24be4b04898fb23

SHA512
1457fc60e93525785cbc85db86a1a7ec1c455428fef4fd642c77677987dc7ddba8272c19b6f308e8abc963c0c3e0860b170afa08c3976894db9e410e9cb8cec7

Download Submit
C:\Windows\km$\Office2010Vol\OfficeProplus2010Vol\Licenses.sl.ISSUANCE.CLIENT_PPD.xrm-ms

Filesize
3KB

MD5
9962ad602ffe5ab617b2a7939f6226aa

SHA1
b6bd02f72f01c9a605814122840fae45ec7d6e86

SHA256
d64daf1078ec68bdadf750594173bb6049dd748729bb05026e73727b8de34dde

SHA512
02717288a48123a140d3d66593ef535d4fff3a8fa835d206c94edc09cccb0e9c9c32e27012dcb2439b96aa626197ee7846d4f4a0df1a5166e462ec35580b6855

Download Submit
C:\Windows\km$\Office2010Vol\OfficeProplus2010Vol\Licenses.sl.ISSUANCE.CLIENT_RAC.xrm-ms

Filesize
7KB

MD5
f2cfda1f489a47d4682b7f5b7a7ee339

SHA1
27bb6cce1bffcfb5002ff12e449d08db0c44a904

SHA256
c757d6fc21d8a9b5112d1f23cbce7ba9c58bc162fcb45da8f7b9c56dcb14f2bc

SHA512
beef1cf33bb22a543a71febfdb9283395b7303db64f781d84652f64de6331ef91625d4369a739b5f2dd671713fac069fc64a019e1ad6b12277cca507ce6eb606

Download Submit
C:\Windows\km$\Office2010Vol\OfficeProplus2010Vol\Licenses.sl.ISSUANCE.CLIENT_ROOT.xrm-ms

Filesize
2KB

MD5
f203820c48088f3cacd241b43e79b47e

SHA1
cdee7ecb8b14772915dcd8bbc494d970123d5660

SHA256
9cc3d41e7a331715425a7b6fa0d99994a00b4e5883bea13b3a51f515509dd34a

SHA512
fa734ce1cc6af41be274bbf17ec910c558790e7f8d32d07a14264d8da0f60e887807b4ec24e42e0c1e1967ffbcd013153c609c982b328a826757619054ef2732

Download Submit
C:\Windows\km$\Office2010Vol\OfficeProplus2010Vol\Licenses.sl.ISSUANCE.CLIENT_SPC.xrm-ms

Filesize
5KB

MD5
73656b92801d94775e7d12d242b72b8b

SHA1
fbb681adffb5e22b9728ade963331ac1f1d3072e

SHA256
7e16a6a470e27199fee311d50e915b1f2c1cd0cfe0ee0cb12fc9b4d40a6a3cfa

SHA512
dc03b6f35bae2796e40101651cb94ff8d8a0b7622e46c0e5d5c438fa0159ad5805c3f916c97f2d25e77aec907fdac445439253554dc15d158c165618a0eba015

Download Submit
C:\Windows\km$\Office2010Vol\OfficeProplus2010Vol\Licenses.sl.ISSUANCE.CLIENT_STIL.xrm-ms

Filesize
3KB

MD5
b8638efc87f8d178d9a4a439af4adc08

SHA1
871035a18768d27a95189e1e9a5cd42e64034dd1

SHA256
9d43dcae4792656f4a1cf2dd23ac722fd03e53855c69e8312084c3225c44985d

SHA512
936d3beefe53fa4f70ea5792dbb008a8788280ab914ecc9bbf23650219efa09b2428a1638ebc0663b831d806ff5b50a8acea2fe39f085d622a555624aaa17e1e

Download Submit
C:\Windows\km$\Office2010Vol\OfficeProplus2010Vol\Licenses.sl.ISSUANCE.CLIENT_UL.xrm-ms

Filesize
4KB

MD5
b39a47dd5a4e50a5128c186fb0429400

SHA1
e1108cf92f80f5c12f998d7da5c395c9690c99ab

SHA256
66d612fec7a3025368cfea080eb64faaeb05388f9ed79c4d885925836cf0fce0

SHA512
08e9877e3ed8619b7739cdc3c7dbe83457f630f621ab8cf667dcdb74f372cacdc6fd1b4395c49fd5d0217242bdfc791210fa902bd26faa67c864035c970e91d5

Download Submit
C:\Windows\km$\Office2010Vol\OfficeProplus2010Vol\Licenses.sl.ISSUANCE.CLIENT_UL_OEM.xrm-ms

Filesize
4KB

MD5
479fa11ac2c111f742203763afb2a407

SHA1
191566b12f6d717c96c3ebd5dc7af62fd93cd19c

SHA256
7f0815547e125883af54339bd80b3f40650afe882e33d837828083fe0281de24

SHA512
07cee04157842038b71ad7ae3bc8571175b2d167e279c7f8c028be19c0f5258d37e9cf9ec16e6c689dd91b52f53e11ccc1431fee82dc03b10038fc1ca3f1f4e2

Download Submit
C:\Windows\km$\Office2010Vol\OfficeProplus2010Vol\Licenses.sl.ISSUANCE.CLIENT_UL_OOB.xrm-ms

Filesize
4KB

MD5
0bd83b2ef42e280f931cb89519325254

SHA1
3a64055cb0589304b96b8fcdffc94ee197a32445

SHA256
db110c4b16e198b4fdea14262eb90a00ad003ca4f776b86860eef0b0f5c3b098

SHA512
6c4ad24a3692d374f17b815569122f44bd071dd631315627a5db8668e52cf5ed0f5bd09dec54d12cb25b2fadf3fc217491856ce8164eb5d1ea8ca8d083e54945

Download Submit
C:\Windows\km$\Office2010Vol\OfficeProplus2010Vol\Licenses.sl.ISSUANCE.CLIENT_UL_PHN.xrm-ms

Filesize
4KB

MD5
c339cb7935db10e768154802298bb93f

SHA1
ffad9978b20bbdc4b0b0270a864602dbd38fe414

SHA256
a278f59f638207e8bddf094766bd19784a0d5bd920371e178896f74b74778330

SHA512
80abc73363f0accded3f1fb8ff45be934f317532c9afc94dcd6ecf46e80990c9cb7fc0ffd04b08bb8db87bf453d9460622a8192e4a21682bf9c4cc531682e4c7

Download Submit
C:\Windows\km$\Office2010Vol\OfficeProplus2010Vol\Licenses.sl.ISSUANCE.CLIENT_WGALIC.xrm-ms

Filesize
3KB

MD5
a0292874c76e22ea3a6db32ae310ba07

SHA1
2b67c3705be33d3d9c46746006266a6b57680923

SHA256
5183aa355dace1e22a47884efb106a4366f58d5de22efaf5255d35514ba6f1cd

SHA512
df227dde7179bf502038436b16612cc9cc67fa047caa0b67de78efd1cc37bad10f7184ac264a62b1693fbb2ff31bed7c780467a76800871b8e32dc5d864bc822

Download Submit
C:\Windows\km$\Office2010Vol\OfficeProplus2010Vol\Licenses.sl.PKEYCONFIG.SIGNED.xrm-ms

Filesize
699KB

MD5
3dcff1dcdeb1b837ec8f13351c8a92ac

SHA1
110132bd71af7ef15fd8fabcb5baa16085148d2e

SHA256
edfb49cd35fe352a1d29db39baa949ac23b06795c31f417816185b0c04c82f07

SHA512
795d7c2b7f11e80f290269d8b11e7803ad99fff6b09771efb5f04c016d7f7c15f0f9c3e8a8bbf135c6c21d08aeb6eefc6453da12c047dd26543eb7af473fc87e

Download Submit
C:\Windows\km$\Office2010Vol\OfficeProplus2010Vol\Licenses.sl.RAC.GENERIC.PRIVATE.xrm-ms

Filesize
4KB

MD5
b1742cdb3142ac07faed0dfc04bc81ba

SHA1
fd480b5fef6d412a3b68d5b73ceaf6ad944e31bb

SHA256
1bf0d632813d277d655487bc93a5e1e1fb84284329d888c3eddc613be8a1aec9

SHA512
ceb2f6652553393b44594537def21faf4e526b387f8e34445613bf2ba5a52476b07d14f6feb3395586c5bf7723b236133a81fe303a0a8a478bcf04650d91d4e4

Download Submit
C:\Windows\km$\Office2010Vol\OfficeProplus2010Vol\Licenses.sl.RAC.GENERIC.PUBLIC.xrm-ms

Filesize
3KB

MD5
653b3962d1d939daa3819528a9b89cde

SHA1
56549658393d62da41683411591f4d1e519bdcc0

SHA256
22b0cbabe42ef512ee6f79d9ac8c7fe6b140424e3f82af6d3e04ecb710abafc2

SHA512
6fb4dcb9f2ee4fe562cdae5b8f03671373316e1dbef0c2cd43258f4c228361f06d44fc3c1ec8ff40c9285fdd1c788195b26948c0fea6ac45d1cea3c9422e4fc8

Download Submit
C:\Windows\km$\Office2010Vol\OfficeProplus2010Vol\Licenses.sl.SPC.GENERIC.PRIVATE.xrm-ms

Filesize
5KB

MD5
6c54498c5d3b0f572eeada6f4c278242

SHA1
0a6033f1794c3c2fed46397e05ccba414e6141d3

SHA256
a9181df090a9beb7ec15fffd1ca063e57ec3117a1ef185dd6448d7523406e07c

SHA512
fc908237d4b6f940f50664c481b5041ca42ccb01ca69983284f0432e1c62ffc24cb5c966e3022b7fb6e8c79af75c4930a2fa39eda9c7d272784286c12bfd89cc

Download Submit
C:\Windows\km$\Office2010Vol\OfficeProplus2010Vol\Licenses.sl.SPC.GENERIC.PUBLIC.xrm-ms

Filesize
2KB

MD5
a780af0575de3782bd64c28643b96584

SHA1
66f4ef951358c2cdec6b21ab7a8d10d2f19539a8

SHA256
7d94a86d54f67ed05835a967a80fb92939fba9acde08e7c97d671062b394baa9

SHA512
f0180caedd2314e1f455654aa31691fc44eb59e511dc121d1def09965664c08d657e78ff830ee02de4e13d19bbd81b9650adad17beab6485274af2683d7b015d

Download Submit
C:\Windows\km$\actwin7.cmd

Filesize
6KB

MD5
b9cd99c41e66bf2d4ecc4a6835cb0569

SHA1
0471713a302aabb5b620164b366c45b848463873

SHA256
83663e637c3e28d661efbc08074f40baf023cbd0a88c0a820a0df8b356487da9

SHA512
80412041ad67e3bad105e1d82a103e41453f512d1939cf695a965a08248a2e90c37a6078bb88373ef0305041951090e67b583cc9ae7ecb4a84e197a42fb928a5

Download Submit
C:\Windows\km$\kms.apm

Filesize
229KB

MD5
8663759668c0e7a8556e782270f9154f

SHA1
0aed3e457263c5cd12c24121be19919742584789

SHA256
67a20df5797b34c3d4262a8e7a37e6fc40e1897e7887666ac2b8d05be78649ba

SHA512
501771ee1f0bfd9aa4cceeaaa48de429691c135d07d802395ffc00f80b20b4cd72adf0a94117f41aa64bfd3f87d7497734759025a20767ee059f02460aa7c7d8

Download Submit
C:\Windows\km$\kms.exe

Filesize
1.4MB

MD5
90b742da4d61fda365237cd3e7fbc0b4

SHA1
1eefc932c7d8fdf5e480ee59b80bbaa55ba73ee7

SHA256
2eeef6f0125555256dd37f029f16c7056d7b6d4758795fccbd5c4e699461801d

SHA512
7803802f4e29b1e51fc3515443a9c2e376c8f3c28a1bbbc73fc0d7ca4544a6241beca2b8115ab26b672be525c59dd5a742db4653747b75f62572dae0958ab9aa

Download Submit
C:\Windows\km$\kmscert2013\visio\Licenses.sl.ISSUANCE.CLIENT_BRIDGE_OFFICE.xrm-ms

Filesize
3KB

MD5
33c1695d278f5917f28067d27b4868ee

SHA1
55137aa9a24d6a622f05315dfbb65fb1a0c74e03

SHA256
65bccc008f5b44d2dbd880c0c33afcfff27c07dd24dc0cc7dda2b3bfa7e9ae74

SHA512
84389ef315ff2f9d86062470ea6033dcb409a3061b898ab677987aa881e2f6d4be1dacc4fad0c606dde6a301f04dfa2f1ff54af86e3a3767ab9bcf6ac368e2f2

Download Submit
C:\Windows\km$\kmscert2013\visio\Licenses.sl.ISSUANCE.CLIENT_ROOT.xrm-ms

Filesize
3KB

MD5
9f3ef531d89e4208085e96150cfbbe16

SHA1
430dd2245a5d5c6e3bb4038b19127e599ec1d889

SHA256
3acae6e8f6680b3c66189f4fe78b492fa4a2ba472f0d34bd92a13a72ceaf60e1

SHA512
e0e8cc1c3e637260170e144cf910ddc150082246f9980fd1f642b0ef824efa73c41e4e789a9bf5aa057ced758b4a7c64478d8f94bbfca91fc7fd033d9b83b77e

Download Submit
C:\Windows\km$\kmscert2013\visio\Licenses.sl.ISSUANCE.CLIENT_ROOT_BRIDGE_TEST.xrm-ms

Filesize
3KB

MD5
6cd265f74e9042ba418f212c6e6b390e

SHA1
12168c357c14725104b7597f7273d503153a47b9

SHA256
e26e6bd36f54c8dec33070aecd9002e20815c8bc443a1a43e97bb7b83743918a

SHA512
deabe6e6bbafce6daa6bd87ecace41f3fadddd397fb376253d87339fdf9890009a650efc01f5741367d40eb2cde6248c36f36c6a501c781c4e383278d9053de3

Download Submit
C:\Windows\km$\kmscert2013\visio\Licenses.sl.ISSUANCE.CLIENT_STIL.xrm-ms

Filesize
3KB

MD5
f4e9cef1a484fcd9da8384551c063d03

SHA1
0eaaab4ca48f93d511c6c99ac658ce3ca5e961a4

SHA256
de16e707372f7576693262ff31592c9c4bd70e2887c23014d388afbbb959b0b2

SHA512
7735bf2b1af63696a8533a46f707c4b599222a545c047487f4122b1a2d904b9a5ffca19bac958986ab1b853a9f8a262426f721a43542c85787ca2e857426f450

Download Submit
C:\Windows\km$\kmscert2013\visio\Licenses.sl.ISSUANCE.CLIENT_UL.xrm-ms

Filesize
4KB

MD5
35d84d2089fb9cc1e6ae40ddbacd4881

SHA1
2edc9e476c313373aac8cf66fed401fe1305b924

SHA256
df562c760f6508c14df7749a220215f1498d76a811e3510be65ff251b51b73a1

SHA512
3eeccc8de4fa0cdeaa78faed4526f56fc2de4b85162f0ffb851bcb91d789d2f5aac6ba98dd1d37a238659667a8b440145e0f2bf9fee955329f39eea43a737d27

Download Submit
C:\Windows\km$\kmscert2013\visio\Licenses.sl.ISSUANCE.CLIENT_UL_OOB.xrm-ms

Filesize
4KB

MD5
2bdddff33b396016a034ea21e9d06a54

SHA1
c0d71f5d4c8f1469a7970619e1abd47ea519e972

SHA256
8ca125c11b020e60c226b27948cd6968d6d95a651230ee169403ec09c21a9f12

SHA512
d64faa9e076f51e225adf20e73e640c470c4bc5d0b177c2a968e0cc8ec4ea6ec72e9df80f544fa22b700f2cf12405ca3bf88b8c1a23d8092195eef14d71b70a7

Download Submit
C:\Windows\km$\kmscert2013\visio\Licenses.sl.PKEYCONFIG.SIGNED.xrm-ms

Filesize
469KB

MD5
22bb6d79ac6f5a39f95252e934fd6af9

SHA1
883bea18dbafdfbd1fd86806eb2b21d017bf5d96

SHA256
2bc8aa6ed6643fa7d9135453331c33b05f8733cebd4a8b2fd7bdd71775748e02

SHA512
9ba389e335a81e1740509ae8db6615f193bba9e94c06ffc93b0885502bcc60a6c8500f451eabb3bad9b5d4660d472e630a282db29f9f219951abf96507035945

Download Submit
C:\Windows\km$\office15win7\hstart.exe

Filesize
104KB

MD5
2614f5513a98857b82a9a5fab3d35834

SHA1
dce751fd7946a5ca2da4773df9e8c4ca1ea120a0

SHA256
7a07f4eb5cffd63504629414ece45527198948e2acdf3466b2c4ff3b113dec42

SHA512
c148f96355c6e2f4f86f5ea6b7b2eedc226c84ae6856d8f8661f5eb4f81a407eb402505a5ea050fa125520fce3d63157dfe5a436d8f4fde2b65b37e5217550f7

Download Submit
C:\Windows\km$\office15win7\office14\ospp.vbs

Filesize
48KB

MD5
572e9a87757ac96c7677fd1b1b113c55

SHA1
9c8b96971997cd2dc0ed14f19dd9bc56d3348c3a

SHA256
008cf05944053116a095ad466561d3fd4be8a7de79e5ada7c5daab492f730465

SHA512
bf670754942cfa839de4a31676a3ba2ac8cd1a00de6f1b70aff995e14a9c489e996e9a019898ec3470a11d02c14ab7a8fe4855a8f028d6b4ea987e51411d7be3

Download Submit
C:\Windows\km$\office15win7\office14\slerror.xml

Filesize
32KB

MD5
df1ef05879e06c5f09f3e1022f37b5cb

SHA1
23aaac40baec28397bb59cfa584e165062d18506

SHA256
d49adf2dabbbf6aa43ce4e336af4f768207df75302ebf568a94a5350aac988c5

SHA512
78f0d21538483d3bac9d8b409554ac89a98a4943666f0ff88207831ab3e1d264c2efa0ea0e4703375aa15516809353f9b7477561a0a4ffe0b930b3e39f8b7e07

Download Submit
C:\Windows\km$\re2vl.cmd

Filesize
6KB

MD5
8d8c5b2044ecd210f1c065724e75694c

SHA1
5d3e90bfbe8103c44558c7ca8979ca35069969b2

SHA256
af21af926698a8c3e7e0fdfbe2b33542620bc8c856ad7a27088b9277508a5266

SHA512
07a061f6fa4a76e31bd25d2b59b4a8db1d4abb0faa73180a1884979dd23fd9cf143110472f553ed01b41fd3b4b15af9a7a5c22396ece3877b17d0d67fa79dd14

Download Submit
C:\Windows\km$\rewin.cmd

Filesize
48B

MD5
4e45399a28e3d38ffd0a40295e584f6f

SHA1
a3bb3bfe2536e97ff91173950604f7f47c34dc20

SHA256
8f5b72e3a864f85d05e43dbe2e64225cbb81bbe85bd569e713dfecd7f04cfd3e

SHA512
63e495de73bce85d19530fdc463c7a628231f4fd0a3d6453313b6e4b02048aef05db4b616f46b13da52082cc8cb46c80b828b8c85db08ab18cb8e5001603d982

Download Submit
C:\Windows\km$\win.cmd

Filesize
762B

MD5
e6fe454c1f3456268d53be654370283d

SHA1
b72cc7837c4f494e5e33d2b9c409109741ad0926

SHA256
073ebfa20f56d94f0ada972a3847a78da476a2e8cc1708d823c0042d28f2a7b4

SHA512
85e4587a1d8947b2a115e4efbebce82f1e03ec142ad551c5b93311eed61043a3b618aa80f2cd36236d2dd43748082fc93f0c416b48c4263f120250ead6ae7186

Download Submit
memory/1568-751-0x0000000002480000-0x0000000002481000-memory.dmp

Filesize
4KB

Download
memory/1568-752-0x0000000010000000-0x000000001007E000-memory.dmp

Filesize
504KB

Download
memory/1568-757-0x0000000000400000-0x00000000005B1000-memory.dmp

Filesize
1.7MB

Download
memory/1568-766-0x0000000002480000-0x0000000002481000-memory.dmp

Filesize
4KB

Download
memory/1568-768-0x0000000000400000-0x00000000005B1000-memory.dmp

Filesize
1.7MB

Download
memory/1568-774-0x0000000000400000-0x00000000005B1000-memory.dmp

Filesize
1.7MB

Download
memory/1568-777-0x0000000000400000-0x00000000005B1000-memory.dmp

Filesize
1.7MB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads