b37c37610df1b4f52388372e6df3cbe3bf6778124154f6d20815b0c3ad77bca0

Resubmissions

04/10/2024, 07:56

241004-js11dswhkd 8

04/10/2024, 07:52

241004-jqnx2swgjh 10

Analysis

max time kernel
316s
max time network
303s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
04/10/2024, 07:56

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

KMSAuto++ x64.exe
Size

20.4MB
MD5

71482995b4b9c3201ee9f4e02a24f64b
SHA1

632f9ad511cc99e19081f0eb3b518160280ec497
SHA256

b37c37610df1b4f52388372e6df3cbe3bf6778124154f6d20815b0c3ad77bca0
SHA512

7f77ca4d61fc319c289cd9b5db64239785becda4cb00b47abfc3f75ac137efdcfb671e89bd1cd5ae2cef047618fe388904376c28476c0d5fa4ecbbb1817a4a43
SSDEEP

393216:fcj2yAVx5xdhO7bz5c4Qwk+WDuenw7DdP1mUEbCnmWljT8I91evmJA9EQY5Q/r6S:Uj2yAVx5nczVS+benw7DdEi/oqev+A9b

Score

8^/10

defense_evasion discovery evasion execution persistence privilege_escalation upx

Malware Config

Signatures

Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002

Event Triggered Execution: Image File Execution Options Injection 1 TTPs 3 IoCs

persistence

Image File Execution Options Injection

T1546.012

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.Exe	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.Exe\Debugger = "rundll32.exe SECOPatcher.dll,PatcherMain"	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.Exe	reg.exe

Modifies Windows Firewall 2 TTPs 6 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
1228	netsh.exe
1440	netsh.exe
4588	netsh.exe
3416	netsh.exe
2636	netsh.exe
3656	netsh.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\KMSEmulator\ImagePath = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\KMSAuto_Files\\bin\\KMSSS.exe\" -Port 1688 -PWin RandomKMSPID -PO14 RandomKMSPID -PO15 RandomKMSPID -PO16 RandomKMSPID -AI 43200 -RI 43200 KillProcessOnPort -Log -IP저"	KMSAuto++ x64.exe

Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Executes dropped EXE 4 IoCs

pid	Process
2828	signtool.exe
3888	gatherosstate.exe
2176	gatherosstate.exe
4888	KMSSS.exe

Loads dropped DLL 6 IoCs

pid	Process
3888	gatherosstate.exe
3888	gatherosstate.exe
2176	gatherosstate.exe
2176	gatherosstate.exe
5112	rundll32.exe
3044	SppExtComObj.exe

Modifies file permissions 1 TTPs 3 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
4280	icacls.exe
1784	icacls.exe
3272	icacls.exe

Indicator Removal: Clear Persistence 1 TTPs 2 IoCs

remove IFEO.

defense_evasion

Clear Persistence

T1070.009

description	ioc	Process
Delete value	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.Exe\Debugger	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.Exe	reg.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\System32\SECOPatcher.dll	cmd.exe

UPX packed file 10 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2024-0-0x0000000140000000-0x0000000141620000-memory.dmp	upx
behavioral1/memory/2024-13-0x0000000140000000-0x0000000141620000-memory.dmp	upx
behavioral1/memory/2024-14-0x0000000140000000-0x0000000141620000-memory.dmp	upx
behavioral1/memory/2024-27-0x0000000140000000-0x0000000141620000-memory.dmp	upx
behavioral1/memory/2024-42-0x0000000140000000-0x0000000141620000-memory.dmp	upx
behavioral1/memory/2024-44-0x0000000140000000-0x0000000141620000-memory.dmp	upx
behavioral1/memory/2024-70-0x0000000140000000-0x0000000141620000-memory.dmp	upx
behavioral1/memory/2024-93-0x0000000140000000-0x0000000141620000-memory.dmp	upx
behavioral1/memory/2024-222-0x0000000140000000-0x0000000141620000-memory.dmp	upx
behavioral1/memory/2024-223-0x0000000140000000-0x0000000141620000-memory.dmp	upx

Launches sc.exe 16 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
4344	sc.exe
1852	sc.exe
1960	sc.exe
2904	sc.exe
436	sc.exe
4988	sc.exe
4608	sc.exe
1484	sc.exe
5056	sc.exe
3956	sc.exe
4924	sc.exe
3428	sc.exe
3852	sc.exe
3068	sc.exe
4540	sc.exe
4944	sc.exe

Event Triggered Execution: Netsh Helper DLL 1 TTPs 18 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	KMSSS.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language	KMSAuto++ x64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	signtool.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gatherosstate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gatherosstate.exe

Checks SCSI registry key(s) 3 TTPs 22 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags	gatherosstate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	gatherosstate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	gatherosstate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags	gatherosstate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	ClipUp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	gatherosstate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID	ClipUp.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\CompatibleIDs	ClipUp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	gatherosstate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID	ClipUp.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\CompatibleIDs	ClipUp.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	gatherosstate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	gatherosstate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	ClipUp.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	ClipUp.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	gatherosstate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	ClipUp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	ClipUp.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	ClipUp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	ClipUp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	gatherosstate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	ClipUp.exe

Kills process with taskkill 2 IoCs

evasion

pid	Process
3472	taskkill.exe
4492	taskkill.exe

Modifies data under HKEY_USERS 8 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows NT\CurrentVersion	SppExtComObj.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform	SppExtComObj.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\55c92734-d682-4d71-983e-d6ec3f16059f	SppExtComObj.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\55c92734-d682-4d71-983e-d6ec3f16059f\2de67392-b7a7-462a-b1ca-108dd189f588\DiscoveredKeyManagementServiceIpAddress = "10.3.0.20"	SppExtComObj.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\55c92734-d682-4d71-983e-d6ec3f16059f\2de67392-b7a7-462a-b1ca-108dd189f588	SppExtComObj.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE	SppExtComObj.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft	SppExtComObj.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows NT	SppExtComObj.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\D89E3BD43D5D909B47A18977AA9D5CE36CEE184C	signtool.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\D89E3BD43D5D909B47A18977AA9D5CE36CEE184C\Blob = 030000000100000014000000d89e3bd43d5d909b47a18977aa9d5ce36cee184c1400000001000000140000005379bf5aaa2b4acf5480e1d89bc09df2b20366cb040000000100000010000000285ec909c4ab0d2d57f5086b225799aa0f000000010000003000000013baa039635f1c5292a8c2f36aae7e1d25c025202e9092f5b0f53f5f752dfa9c71b3d1b8d9a6358fcee6ec75622fabf9190000000100000010000000ea6089055218053dd01e37e1d806eedf5c0000000100000004000000001000001800000001000000100000002aa1c05e2ae606f198c2c5e937c97aa22000000001000000850500003082058130820469a00302010202103972443af922b751d7d36c10dd313595300d06092a864886f70d01010c0500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3139303331323030303030305a170d3238313233313233353935395a308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f7269747930820222300d06092a864886f70d01010105000382020f003082020a028202010080126517360ec3db08b3d0ac570d76edcd27d34cad508361e2aa204d092d6409dcce899fcc3da9ecf6cfc1dcf1d3b1d67b3728112b47da39c6bc3a19b45fa6bd7d9da36342b676f2a93b2b91f8e26fd0ec162090093ee2e874c918b491d46264db7fa306f188186a90223cbcfe13f087147bf6e41f8ed4e451c61167460851cb8614543fbc33fe7e6c9cff169d18bd518e35a6a766c87267db2166b1d49b7803c0503ae8ccf0dcbc9e4cfeaf0596351f575ab7ffcef93db72cb6f654ddc8e7123a4dae4c8ab75c9ab4b7203dca7f2234ae7e3b68660144e7014e46539b3360f794be5337907343f332c353efdbaafe744e69c76b8c6093dec4c70cdfe132aecc933b517895678bee3d56fe0cd0690f1b0ff325266b336df76e47fa7343e57e0ea566b1297c3284635589c40dc19354301913acd37d37a7eb5d3a6c355cdb41d712daa9490bdfd8808a0993628eb566cf2588cd84b8b13fa4390fd9029eeb124c957cf36b05a95e1683ccb867e2e8139dcc5b82d34cb3ed5bffdee573ac233b2d00bf3555740949d849581a7f9236e651920ef3267d1c4d17bcc9ec4326d0bf415f40a94444f499e757879e501f5754a83efd74632fb1506509e658422e431a4cb4f0254759fa041e93d426464a5081b2debe78b7fc6715e1c957841e0f63d6e962bad65f552eea5cc62808042539b80e2ba9f24c971c073f0d52f5edef2f820f0203010001a381f23081ef301f0603551d23041830168014a0110a233e96f107ece2af29ef82a57fd030a4b4301d0603551d0e041604145379bf5aaa2b4acf5480e1d89bc09df2b20366cb300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff30110603551d20040a300830060604551d200030430603551d1f043c303a3038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c303406082b0601050507010104283026302406082b060105050730018618687474703a2f2f6f6373702e636f6d6f646f63612e636f6d300d06092a864886f70d01010c05000382010100188751dc74213d9c8ae027b733d02eccecf0e6cb5e11de226f9b758e9e72fee4d6feaa1f9c962def034a7eaef48d6f723c433bc03febb8df5caaa9c6aef2fcd8eea37b43f686367c14e0cdf4f73ffedeb8b48af09196fefd43647efdccd201a17d7df81919c9422b13bf588bbaa4a266047688914e0c8914cea24dc932b3bae8141abc71f15bf0410b98000a220310e50cb1f9cd923719ed3bf1e43ab6f945132675afbbaaef3f7b773bd2c402913d1900d3175c39db3f7b180d45cd9385962f5ddf59164f3f51bdd545183fed4a8ee80661742316b50d50732744477f105d892a6b853114c4e8a96a4c80bc6a78cfb87f8e7672990c9dfed7910816a1a35f95	signtool.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
2024	KMSAuto++ x64.exe
2024	KMSAuto++ x64.exe
2024	KMSAuto++ x64.exe
2024	KMSAuto++ x64.exe
5112	rundll32.exe
5112	rundll32.exe
5112	rundll32.exe
5112	rundll32.exe
5112	rundll32.exe
5112	rundll32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2024	KMSAuto++ x64.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	1712	WMIC.exe
Token: SeSecurityPrivilege	1712	WMIC.exe
Token: SeTakeOwnershipPrivilege	1712	WMIC.exe
Token: SeLoadDriverPrivilege	1712	WMIC.exe
Token: SeSystemProfilePrivilege	1712	WMIC.exe
Token: SeSystemtimePrivilege	1712	WMIC.exe
Token: SeProfSingleProcessPrivilege	1712	WMIC.exe
Token: SeIncBasePriorityPrivilege	1712	WMIC.exe
Token: SeCreatePagefilePrivilege	1712	WMIC.exe
Token: SeBackupPrivilege	1712	WMIC.exe
Token: SeRestorePrivilege	1712	WMIC.exe
Token: SeShutdownPrivilege	1712	WMIC.exe
Token: SeDebugPrivilege	1712	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1712	WMIC.exe
Token: SeRemoteShutdownPrivilege	1712	WMIC.exe
Token: SeUndockPrivilege	1712	WMIC.exe
Token: SeManageVolumePrivilege	1712	WMIC.exe
Token: 33	1712	WMIC.exe
Token: 34	1712	WMIC.exe
Token: 35	1712	WMIC.exe
Token: 36	1712	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1712	WMIC.exe
Token: SeSecurityPrivilege	1712	WMIC.exe
Token: SeTakeOwnershipPrivilege	1712	WMIC.exe
Token: SeLoadDriverPrivilege	1712	WMIC.exe
Token: SeSystemProfilePrivilege	1712	WMIC.exe
Token: SeSystemtimePrivilege	1712	WMIC.exe
Token: SeProfSingleProcessPrivilege	1712	WMIC.exe
Token: SeIncBasePriorityPrivilege	1712	WMIC.exe
Token: SeCreatePagefilePrivilege	1712	WMIC.exe
Token: SeBackupPrivilege	1712	WMIC.exe
Token: SeRestorePrivilege	1712	WMIC.exe
Token: SeShutdownPrivilege	1712	WMIC.exe
Token: SeDebugPrivilege	1712	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1712	WMIC.exe
Token: SeRemoteShutdownPrivilege	1712	WMIC.exe
Token: SeUndockPrivilege	1712	WMIC.exe
Token: SeManageVolumePrivilege	1712	WMIC.exe
Token: 33	1712	WMIC.exe
Token: 34	1712	WMIC.exe
Token: 35	1712	WMIC.exe
Token: 36	1712	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4328	wmic.exe
Token: SeSecurityPrivilege	4328	wmic.exe
Token: SeTakeOwnershipPrivilege	4328	wmic.exe
Token: SeLoadDriverPrivilege	4328	wmic.exe
Token: SeSystemProfilePrivilege	4328	wmic.exe
Token: SeSystemtimePrivilege	4328	wmic.exe
Token: SeProfSingleProcessPrivilege	4328	wmic.exe
Token: SeIncBasePriorityPrivilege	4328	wmic.exe
Token: SeCreatePagefilePrivilege	4328	wmic.exe
Token: SeBackupPrivilege	4328	wmic.exe
Token: SeRestorePrivilege	4328	wmic.exe
Token: SeShutdownPrivilege	4328	wmic.exe
Token: SeDebugPrivilege	4328	wmic.exe
Token: SeSystemEnvironmentPrivilege	4328	wmic.exe
Token: SeRemoteShutdownPrivilege	4328	wmic.exe
Token: SeUndockPrivilege	4328	wmic.exe
Token: SeManageVolumePrivilege	4328	wmic.exe
Token: 33	4328	wmic.exe
Token: 34	4328	wmic.exe
Token: 35	4328	wmic.exe
Token: 36	4328	wmic.exe
Token: SeIncreaseQuotaPrivilege	4328	wmic.exe

Suspicious use of FindShellTrayWindow 5 IoCs

pid	Process
2024	KMSAuto++ x64.exe
2024	KMSAuto++ x64.exe
2024	KMSAuto++ x64.exe
2024	KMSAuto++ x64.exe
2024	KMSAuto++ x64.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2024	KMSAuto++ x64.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2024 wrote to memory of 4740	2024	KMSAuto++ x64.exe	82
PID 2024 wrote to memory of 4740	2024	KMSAuto++ x64.exe	82
PID 2024 wrote to memory of 4072	2024	KMSAuto++ x64.exe	83
PID 2024 wrote to memory of 4072	2024	KMSAuto++ x64.exe	83
PID 4072 wrote to memory of 1712	4072	cmd.exe	86
PID 4072 wrote to memory of 1712	4072	cmd.exe	86
PID 2024 wrote to memory of 2828	2024	KMSAuto++ x64.exe	87
PID 2024 wrote to memory of 2828	2024	KMSAuto++ x64.exe	87
PID 2024 wrote to memory of 2828	2024	KMSAuto++ x64.exe	87
PID 2024 wrote to memory of 4328	2024	KMSAuto++ x64.exe	89
PID 2024 wrote to memory of 4328	2024	KMSAuto++ x64.exe	89
PID 2024 wrote to memory of 1668	2024	KMSAuto++ x64.exe	93
PID 2024 wrote to memory of 1668	2024	KMSAuto++ x64.exe	93
PID 1668 wrote to memory of 2696	1668	cmd.exe	95
PID 1668 wrote to memory of 2696	1668	cmd.exe	95
PID 2024 wrote to memory of 2572	2024	KMSAuto++ x64.exe	96
PID 2024 wrote to memory of 2572	2024	KMSAuto++ x64.exe	96
PID 2572 wrote to memory of 3920	2572	cmd.exe	98
PID 2572 wrote to memory of 3920	2572	cmd.exe	98
PID 2024 wrote to memory of 3784	2024	KMSAuto++ x64.exe	99
PID 2024 wrote to memory of 3784	2024	KMSAuto++ x64.exe	99
PID 3784 wrote to memory of 2124	3784	cmd.exe	101
PID 3784 wrote to memory of 2124	3784	cmd.exe	101
PID 2024 wrote to memory of 4612	2024	KMSAuto++ x64.exe	108
PID 2024 wrote to memory of 4612	2024	KMSAuto++ x64.exe	108
PID 4612 wrote to memory of 4936	4612	cmd.exe	110
PID 4612 wrote to memory of 4936	4612	cmd.exe	110
PID 2024 wrote to memory of 4384	2024	KMSAuto++ x64.exe	111
PID 2024 wrote to memory of 4384	2024	KMSAuto++ x64.exe	111
PID 4384 wrote to memory of 384	4384	cmd.exe	113
PID 4384 wrote to memory of 384	4384	cmd.exe	113
PID 2024 wrote to memory of 4652	2024	KMSAuto++ x64.exe	115
PID 2024 wrote to memory of 4652	2024	KMSAuto++ x64.exe	115
PID 4652 wrote to memory of 3852	4652	cmd.exe	117
PID 4652 wrote to memory of 3852	4652	cmd.exe	117
PID 2024 wrote to memory of 5024	2024	KMSAuto++ x64.exe	118
PID 2024 wrote to memory of 5024	2024	KMSAuto++ x64.exe	118
PID 5024 wrote to memory of 3068	5024	cmd.exe	120
PID 5024 wrote to memory of 3068	5024	cmd.exe	120
PID 2024 wrote to memory of 1724	2024	KMSAuto++ x64.exe	121
PID 2024 wrote to memory of 1724	2024	KMSAuto++ x64.exe	121
PID 1724 wrote to memory of 4608	1724	cmd.exe	123
PID 1724 wrote to memory of 4608	1724	cmd.exe	123
PID 2024 wrote to memory of 1132	2024	KMSAuto++ x64.exe	124
PID 2024 wrote to memory of 1132	2024	KMSAuto++ x64.exe	124
PID 1132 wrote to memory of 1484	1132	cmd.exe	126
PID 1132 wrote to memory of 1484	1132	cmd.exe	126
PID 2024 wrote to memory of 4260	2024	KMSAuto++ x64.exe	127
PID 2024 wrote to memory of 4260	2024	KMSAuto++ x64.exe	127
PID 4260 wrote to memory of 4540	4260	cmd.exe	129
PID 4260 wrote to memory of 4540	4260	cmd.exe	129
PID 2024 wrote to memory of 3264	2024	KMSAuto++ x64.exe	130
PID 2024 wrote to memory of 3264	2024	KMSAuto++ x64.exe	130
PID 3264 wrote to memory of 4344	3264	cmd.exe	132
PID 3264 wrote to memory of 4344	3264	cmd.exe	132
PID 2024 wrote to memory of 4000	2024	KMSAuto++ x64.exe	133
PID 2024 wrote to memory of 4000	2024	KMSAuto++ x64.exe	133
PID 4000 wrote to memory of 2844	4000	cmd.exe	135
PID 4000 wrote to memory of 2844	4000	cmd.exe	135
PID 2024 wrote to memory of 2164	2024	KMSAuto++ x64.exe	136
PID 2024 wrote to memory of 2164	2024	KMSAuto++ x64.exe	136
PID 2164 wrote to memory of 2092	2164	cmd.exe	138
PID 2164 wrote to memory of 2092	2164	cmd.exe	138
PID 2024 wrote to memory of 372	2024	KMSAuto++ x64.exe	139

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\KMSAuto++ x64.exe
"C:\Users\Admin\AppData\Local\Temp\KMSAuto++ x64.exe"
1⤵
- Sets service image path in registry
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2024
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c copy C:\Windows\system32\Tasks\KMSAuto "C:\Users\Admin\AppData\Local\Temp\KMSAuto.tmp" /Y
  2⤵
  PID:4740
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionPath="C:\Users\Admin\AppData\Local\Temp\KMSAuto++ x64.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4072
- - C:\Windows\System32\Wbem\WMIC.exe
    WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionPath="C:\Users\Admin\AppData\Local\Temp\KMSAuto++ x64.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1712
- C:\Users\Admin\AppData\Local\Temp\signtool.exe
  "C:\Users\Admin\AppData\Local\Temp\signtool.exe" verify /v /ph /sha1 648384a4dee53d4c1c87e10d67cc99307ccc9c98 "C:\Users\Admin\AppData\Local\Temp\KMSAuto++ x64.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies system certificate store
  PID:2828
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" path Win32_NetworkAdapter get ServiceName /value /FORMAT:List
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4328
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionPath="C:\Users\Admin\AppData\Local\Temp\KMSAuto_Files"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1668
- - C:\Windows\System32\Wbem\WMIC.exe
    WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionPath="C:\Users\Admin\AppData\Local\Temp\KMSAuto_Files"
    3⤵
    PID:2696
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionPath="C:\Windows\System32\SECOPatcher.dll"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2572
- - C:\Windows\System32\Wbem\WMIC.exe
    WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionPath="C:\Windows\System32\SECOPatcher.dll"
    3⤵
    PID:3920
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionPath="C:\Users\Admin\AppData\Local\Temp\dControl.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3784
- - C:\Windows\System32\Wbem\WMIC.exe
    WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionPath="C:\Users\Admin\AppData\Local\Temp\dControl.exe"
    3⤵
    PID:2124
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c cscript //nologo "C:\Users\Admin\AppData\Local\Temp\slmgr.vbs" /ipk VK7JG-NPHTM-C97JM-9MPGT-3V66T
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4612
- - C:\Windows\system32\cscript.exe
    cscript //nologo "C:\Users\Admin\AppData\Local\Temp\slmgr.vbs" /ipk VK7JG-NPHTM-C97JM-9MPGT-3V66T
    3⤵
    PID:4936
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c cscript //nologo "C:\Users\Admin\AppData\Local\Temp\slmgr.vbs" /xpr
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4384
- - C:\Windows\system32\cscript.exe
    cscript //nologo "C:\Users\Admin\AppData\Local\Temp\slmgr.vbs" /xpr
    3⤵
    PID:384
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c C:\Windows\System32\sc.exe qc licensemanager
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4652
- - C:\Windows\System32\sc.exe
    C:\Windows\System32\sc.exe qc licensemanager
    3⤵
    - Launches sc.exe
    PID:3852
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c C:\Windows\System32\sc.exe qc wuauserv
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5024
- - C:\Windows\System32\sc.exe
    C:\Windows\System32\sc.exe qc wuauserv
    3⤵
    - Launches sc.exe
    PID:3068
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c C:\Windows\System32\sc.exe qc wlidsvc
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1724
- - C:\Windows\System32\sc.exe
    C:\Windows\System32\sc.exe qc wlidsvc
    3⤵
    - Launches sc.exe
    PID:4608
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c C:\Windows\System32\sc.exe start licensemanager
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1132
- - C:\Windows\System32\sc.exe
    C:\Windows\System32\sc.exe start licensemanager
    3⤵
    - Launches sc.exe
    PID:1484
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c C:\Windows\System32\sc.exe start wuauserv
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4260
- - C:\Windows\System32\sc.exe
    C:\Windows\System32\sc.exe start wuauserv
    3⤵
    - Launches sc.exe
    PID:4540
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c C:\Windows\System32\sc.exe start wlidsvc
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3264
- - C:\Windows\System32\sc.exe
    C:\Windows\System32\sc.exe start wlidsvc
    3⤵
    - Launches sc.exe
    PID:4344
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\Tokens" /f /v "Channel" /t REG_SZ /d Retail
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4000
- - C:\Windows\System32\reg.exe
    reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\Tokens" /f /v "Channel" /t REG_SZ /d Retail
    3⤵
    PID:2844
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\Tokens\Kernel" /f /v "Kernel-ProductInfo" /t REG_DWORD /d 48
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2164
- - C:\Windows\System32\reg.exe
    reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\Tokens\Kernel" /f /v "Kernel-ProductInfo" /t REG_DWORD /d 48
    3⤵
    PID:2092
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\Tokens\Kernel" /f /v "Security-SPP-GenuineLocalStatus" /t REG_DWORD /d 1
  2⤵
  PID:372
- - C:\Windows\System32\reg.exe
    reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\Tokens\Kernel" /f /v "Security-SPP-GenuineLocalStatus" /t REG_DWORD /d 1
    3⤵
    PID:236
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c gatherosstate.exe
  2⤵
  PID:4280
- - C:\Users\Admin\AppData\Local\Temp\BIN\gatherosstate.exe
    gatherosstate.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Checks SCSI registry key(s)
    PID:3888
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c C:\Windows\System32\ClipUp.exe -v -o -altto C:\Users\Admin\AppData\Local\Temp\BIN\
  2⤵
  PID:3492
- - C:\Windows\System32\ClipUp.exe
    C:\Windows\System32\ClipUp.exe -v -o -altto C:\Users\Admin\AppData\Local\Temp\BIN\
    3⤵
    PID:1852
  - - C:\Windows\System32\ClipUp.exe
      C:\Windows\System32\ClipUp.exe -v -o -altto C:\Users\Admin\AppData\Local\Temp\BIN\ -ppl C:\Users\Admin\AppData\Local\Temp\tem13A2.tmp
      4⤵
      Checks SCSI registry key(s)
      PID:3184
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c cscript //nologo "C:\Users\Admin\AppData\Local\Temp\slmgr.vbs" /ato
  2⤵
  PID:4016
- - C:\Windows\system32\cscript.exe
    cscript //nologo "C:\Users\Admin\AppData\Local\Temp\slmgr.vbs" /ato
    3⤵
    PID:3544
- C:\Windows\System32\slui.exe
  "C:\Windows\System32\slui.exe" 0x2a 0x803F7001
  2⤵
  PID:1196
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg.exe delete "HKEY_LOCAL_MACHINE\SYSTEM\Tokens" /f
  2⤵
  PID:864
- - C:\Windows\System32\reg.exe
    reg.exe delete "HKEY_LOCAL_MACHINE\SYSTEM\Tokens" /f
    3⤵
    PID:2852
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c cscript //nologo "C:\Users\Admin\AppData\Local\Temp\slmgr.vbs" /xpr
  2⤵
  PID:4368
- - C:\Windows\system32\cscript.exe
    cscript //nologo "C:\Users\Admin\AppData\Local\Temp\slmgr.vbs" /xpr
    3⤵
    PID:1056
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c cscript //nologo "C:\Users\Admin\AppData\Local\Temp\slmgr.vbs" /ipk VK7JG-NPHTM-C97JM-9MPGT-3V66T
  2⤵
  PID:3208
- - C:\Windows\system32\cscript.exe
    cscript //nologo "C:\Users\Admin\AppData\Local\Temp\slmgr.vbs" /ipk VK7JG-NPHTM-C97JM-9MPGT-3V66T
    3⤵
    PID:732
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c cscript //nologo "C:\Users\Admin\AppData\Local\Temp\slmgr.vbs" /xpr
  2⤵
  PID:4656
- - C:\Windows\system32\cscript.exe
    cscript //nologo "C:\Users\Admin\AppData\Local\Temp\slmgr.vbs" /xpr
    3⤵
    PID:2596
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c C:\Windows\System32\sc.exe qc licensemanager
  2⤵
  PID:2092
- - C:\Windows\System32\sc.exe
    C:\Windows\System32\sc.exe qc licensemanager
    3⤵
    - Launches sc.exe
    PID:1960
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c C:\Windows\System32\sc.exe qc wuauserv
  2⤵
  PID:5060
- - C:\Windows\System32\sc.exe
    C:\Windows\System32\sc.exe qc wuauserv
    3⤵
    - Launches sc.exe
    PID:5056
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c C:\Windows\System32\sc.exe qc wlidsvc
  2⤵
  PID:4208
- - C:\Windows\System32\sc.exe
    C:\Windows\System32\sc.exe qc wlidsvc
    3⤵
    - Launches sc.exe
    PID:2904
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c C:\Windows\System32\sc.exe start licensemanager
  2⤵
  PID:4280
- - C:\Windows\System32\sc.exe
    C:\Windows\System32\sc.exe start licensemanager
    3⤵
    - Launches sc.exe
    PID:3956
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c C:\Windows\System32\sc.exe start wuauserv
  2⤵
  PID:4744
- - C:\Windows\System32\sc.exe
    C:\Windows\System32\sc.exe start wuauserv
    3⤵
    - Launches sc.exe
    PID:4944
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c C:\Windows\System32\sc.exe start wlidsvc
  2⤵
  PID:3784
- - C:\Windows\System32\sc.exe
    C:\Windows\System32\sc.exe start wlidsvc
    3⤵
    - Launches sc.exe
    PID:1852
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\Tokens" /f /v "Channel" /t REG_SZ /d Retail
  2⤵
  PID:1064
- - C:\Windows\System32\reg.exe
    reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\Tokens" /f /v "Channel" /t REG_SZ /d Retail
    3⤵
    PID:3920
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\Tokens\Kernel" /f /v "Kernel-ProductInfo" /t REG_DWORD /d 48
  2⤵
  PID:1540
- - C:\Windows\System32\reg.exe
    reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\Tokens\Kernel" /f /v "Kernel-ProductInfo" /t REG_DWORD /d 48
    3⤵
    PID:2484
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\Tokens\Kernel" /f /v "Security-SPP-GenuineLocalStatus" /t REG_DWORD /d 1
  2⤵
  PID:1840
- - C:\Windows\System32\reg.exe
    reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\Tokens\Kernel" /f /v "Security-SPP-GenuineLocalStatus" /t REG_DWORD /d 1
    3⤵
    PID:912
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c gatherosstate.exe
  2⤵
  PID:1568
- - C:\Users\Admin\AppData\Local\Temp\BIN\gatherosstate.exe
    gatherosstate.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Checks SCSI registry key(s)
    PID:2176
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c C:\Windows\System32\ClipUp.exe -v -o -altto C:\Users\Admin\AppData\Local\Temp\BIN\
  2⤵
  PID:3644
- - C:\Windows\System32\ClipUp.exe
    C:\Windows\System32\ClipUp.exe -v -o -altto C:\Users\Admin\AppData\Local\Temp\BIN\
    3⤵
    PID:3240
  - - C:\Windows\System32\ClipUp.exe
      C:\Windows\System32\ClipUp.exe -v -o -altto C:\Users\Admin\AppData\Local\Temp\BIN\ -ppl C:\Users\Admin\AppData\Local\Temp\tem7E62.tmp
      4⤵
      Checks SCSI registry key(s)
      PID:5028
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c cscript //nologo "C:\Users\Admin\AppData\Local\Temp\slmgr.vbs" /ato
  2⤵
  PID:4320
- - C:\Windows\system32\cscript.exe
    cscript //nologo "C:\Users\Admin\AppData\Local\Temp\slmgr.vbs" /ato
    3⤵
    PID:4340
- C:\Windows\System32\slui.exe
  "C:\Windows\System32\slui.exe" 0x2a 0x803FA069
  2⤵
  PID:5064
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg.exe delete "HKEY_LOCAL_MACHINE\SYSTEM\Tokens" /f
  2⤵
  PID:3288
- - C:\Windows\System32\reg.exe
    reg.exe delete "HKEY_LOCAL_MACHINE\SYSTEM\Tokens" /f
    3⤵
    PID:536
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c cscript //nologo "C:\Users\Admin\AppData\Local\Temp\slmgr.vbs" /xpr
  2⤵
  PID:3464
- - C:\Windows\system32\cscript.exe
    cscript //nologo "C:\Users\Admin\AppData\Local\Temp\slmgr.vbs" /xpr
    3⤵
    PID:4240
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" path SoftwareLicensingProduct where (Name LIKE 'Windows%%') get Name, Description, ID, PartialProductKey, LicenseStatus, KeyManagementServiceMachine, KeyManagementServicePort, VLRenewalInterval, GracePeriodRemaining, KeyManagementServicePort, KeyManagementServiceProductKeyID /FORMAT:List
  2⤵
  PID:2320
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" path SoftwareLicensingService get Version /value /FORMAT:List
  2⤵
  PID:324
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" path SoftwareLicensingService where Version='10.0.19041.1266' call InstallProductKey ProductKey="W269N-WFGWX-YVC9B-4J6C9-T83GX"
  2⤵
  PID:4736
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c taskkill.exe /t /f /IM SppExtComObj.Exe
  2⤵
  PID:4376
- - C:\Windows\System32\taskkill.exe
    taskkill.exe /t /f /IM SppExtComObj.Exe
    3⤵
    - Kills process with taskkill
    PID:3472
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg.exe delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.Exe" /f /v "Debugger"
  2⤵
  PID:208
- - C:\Windows\System32\reg.exe
    reg.exe delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.Exe" /f /v "Debugger"
    3⤵
    PID:4256
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg.exe delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.Exe" /f
  2⤵
  PID:3652
- - C:\Windows\System32\reg.exe
    reg.exe delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.Exe" /f
    3⤵
    PID:3096
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c del "C:\Windows\System32\SECOPatcher.dll" /F /Q
  2⤵
  PID:4212
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c icacls "C:\Windows\System32\SECOPatcher.dll" /reset
  2⤵
  PID:3204
- - C:\Windows\System32\icacls.exe
    icacls "C:\Windows\System32\SECOPatcher.dll" /reset
    3⤵
    - Modifies file permissions
    PID:4280
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c mklink "C:\Windows\System32\SECOPatcher.dll" "C:\Users\Admin\AppData\Local\Temp\KMSAuto_Files\bin\driver\x64WDV\SECOPatcher.dll"
  2⤵
  - Drops file in System32 directory
  PID:1520
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c icacls "C:\Windows\System32\SECOPatcher.dll" /findsid *S-1-5-32-545
  2⤵
  PID:5016
- - C:\Windows\System32\icacls.exe
    icacls "C:\Windows\System32\SECOPatcher.dll" /findsid *S-1-5-32-545
    3⤵
    - Modifies file permissions
    PID:1784
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c icacls "C:\Windows\System32\SECOPatcher.dll" /grant *S-1-5-32-545:RX
  2⤵
  PID:1216
- - C:\Windows\System32\icacls.exe
    icacls "C:\Windows\System32\SECOPatcher.dll" /grant *S-1-5-32-545:RX
    3⤵
    - Modifies file permissions
    PID:3272
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.Exe" /f /v "Debugger" /t REG_SZ /d "rundll32.exe SECOPatcher.dll,PatcherMain"
  2⤵
  PID:2264
- - C:\Windows\System32\reg.exe
    reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.Exe" /f /v "Debugger" /t REG_SZ /d "rundll32.exe SECOPatcher.dll,PatcherMain"
    3⤵
    - Event Triggered Execution: Image File Execution Options Injection
    PID:3632
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c Netsh.exe Advfirewall Firewall delete rule name=0pen_Port_KMS protocol=TCP
  2⤵
  PID:3620
- - C:\Windows\system32\netsh.exe
    Netsh.exe Advfirewall Firewall delete rule name=0pen_Port_KMS protocol=TCP
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    PID:1228
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c Netsh.exe Advfirewall Firewall add rule name=0pen_Port_KMS dir=in action=allow protocol=TCP localport=1688
  2⤵
  PID:3680
- - C:\Windows\system32\netsh.exe
    Netsh.exe Advfirewall Firewall add rule name=0pen_Port_KMS dir=in action=allow protocol=TCP localport=1688
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    PID:1440
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c Netsh.exe Advfirewall Firewall delete rule name=0pen_Port_KMS2 protocol=TCP
  2⤵
  PID:1148
- - C:\Windows\system32\netsh.exe
    Netsh.exe Advfirewall Firewall delete rule name=0pen_Port_KMS2 protocol=TCP
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    PID:4588
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c Netsh.exe Advfirewall Firewall add rule name=0pen_Port_KMS2 dir=out action=allow protocol=TCP localport=1688
  2⤵
  PID:1140
- - C:\Windows\system32\netsh.exe
    Netsh.exe Advfirewall Firewall add rule name=0pen_Port_KMS2 dir=out action=allow protocol=TCP localport=1688
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    PID:3416
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c sc.exe create KMSEmulator binpath= temp.exe type= own start= auto
  2⤵
  PID:4396
- - C:\Windows\system32\sc.exe
    sc.exe create KMSEmulator binpath= temp.exe type= own start= auto
    3⤵
    - Launches sc.exe
    PID:436
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c sc.exe start KMSEmulator
  2⤵
  PID:3048
- - C:\Windows\system32\sc.exe
    sc.exe start KMSEmulator
    3⤵
    - Launches sc.exe
    PID:4988
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg.exe add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /f /v KeyManagementServiceName /d 10.3.0.20 /t REG_SZ /reg:32
  2⤵
  PID:1172
- - C:\Windows\System32\reg.exe
    reg.exe add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /f /v KeyManagementServiceName /d 10.3.0.20 /t REG_SZ /reg:32
    3⤵
    PID:3224
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg.exe add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /f /v KeyManagementServicePort /d 1688 /t REG_SZ /reg:32
  2⤵
  PID:1192
- - C:\Windows\System32\reg.exe
    reg.exe add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /f /v KeyManagementServicePort /d 1688 /t REG_SZ /reg:32
    3⤵
    PID:764
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg.exe add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /f /v KeyManagementServiceName /d 10.3.0.20 /t REG_SZ /reg:64
  2⤵
  PID:4420
- - C:\Windows\System32\reg.exe
    reg.exe add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /f /v KeyManagementServiceName /d 10.3.0.20 /t REG_SZ /reg:64
    3⤵
    PID:2372
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg.exe add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /f /v KeyManagementServicePort /d 1688 /t REG_SZ /reg:64
  2⤵
  PID:2616
- - C:\Windows\System32\reg.exe
    reg.exe add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /f /v KeyManagementServicePort /d 1688 /t REG_SZ /reg:64
    3⤵
    PID:1812
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg.exe add "HKEY_LOCAL_MACHINE\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /f /v KeyManagementServiceName /d 10.3.0.20 /t REG_SZ /reg:32
  2⤵
  PID:3060
- - C:\Windows\System32\reg.exe
    reg.exe add "HKEY_LOCAL_MACHINE\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /f /v KeyManagementServiceName /d 10.3.0.20 /t REG_SZ /reg:32
    3⤵
    PID:4640
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg.exe add "HKEY_LOCAL_MACHINE\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /f /v KeyManagementServicePort /d 1688 /t REG_SZ /reg:32
  2⤵
  PID:2104
- - C:\Windows\System32\reg.exe
    reg.exe add "HKEY_LOCAL_MACHINE\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /f /v KeyManagementServicePort /d 1688 /t REG_SZ /reg:32
    3⤵
    PID:388
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg.exe add "HKEY_LOCAL_MACHINE\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /f /v KeyManagementServiceName /d 10.3.0.20 /t REG_SZ /reg:64
  2⤵
  PID:5040
- - C:\Windows\System32\reg.exe
    reg.exe add "HKEY_LOCAL_MACHINE\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /f /v KeyManagementServiceName /d 10.3.0.20 /t REG_SZ /reg:64
    3⤵
    PID:4764
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg.exe add "HKEY_LOCAL_MACHINE\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /f /v KeyManagementServicePort /d 1688 /t REG_SZ /reg:64
  2⤵
  PID:4128
- - C:\Windows\System32\reg.exe
    reg.exe add "HKEY_LOCAL_MACHINE\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /f /v KeyManagementServicePort /d 1688 /t REG_SZ /reg:64
    3⤵
    PID:3376
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c cscript //nologo "C:\Users\Admin\AppData\Local\Temp\slmgr.vbs" /skms 10.3.0.20:1688
  2⤵
  PID:2108
- - C:\Windows\system32\cscript.exe
    cscript //nologo "C:\Users\Admin\AppData\Local\Temp\slmgr.vbs" /skms 10.3.0.20:1688
    3⤵
    PID:4352
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" path SoftwareLicensingProduct where (Name LIKE 'Windows%%' And PartialProductKey is Not NULL) get Name, Description, ID, PartialProductKey /FORMAT:List
  2⤵
  PID:3608
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c cscript //nologo "C:\Users\Admin\AppData\Local\Temp\slmgr.vbs" /ato
  2⤵
  PID:3708
- - C:\Windows\system32\cscript.exe
    cscript //nologo "C:\Users\Admin\AppData\Local\Temp\slmgr.vbs" /ato
    3⤵
    PID:1488
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c sc.exe stop KMSEmulator
  2⤵
  PID:2184
- - C:\Windows\system32\sc.exe
    sc.exe stop KMSEmulator
    3⤵
    - Launches sc.exe
    PID:4924
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c sc.exe delete KMSEmulator
  2⤵
  PID:4776
- - C:\Windows\system32\sc.exe
    sc.exe delete KMSEmulator
    3⤵
    - Launches sc.exe
    PID:3428
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c taskkill.exe /t /f /IM SppExtComObj.Exe
  2⤵
  PID:2812
- - C:\Windows\System32\taskkill.exe
    taskkill.exe /t /f /IM SppExtComObj.Exe
    3⤵
    - Kills process with taskkill
    PID:4492
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg.exe delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.Exe" /f /v "Debugger"
  2⤵
  PID:3084
- - C:\Windows\System32\reg.exe
    reg.exe delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.Exe" /f /v "Debugger"
    3⤵
    - Indicator Removal: Clear Persistence
    PID:1968
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg.exe delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.Exe" /f
  2⤵
  PID:532
- - C:\Windows\System32\reg.exe
    reg.exe delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.Exe" /f
    3⤵
    - Event Triggered Execution: Image File Execution Options Injection
    - Indicator Removal: Clear Persistence
    PID:2516
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c del "C:\Windows\System32\SECOPatcher.dll" /F /Q
  2⤵
  PID:2324
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c Netsh.exe Advfirewall Firewall delete rule name=0pen_Port_KMS protocol=TCP
  2⤵
  PID:5104
- - C:\Windows\system32\netsh.exe
    Netsh.exe Advfirewall Firewall delete rule name=0pen_Port_KMS protocol=TCP
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    PID:2636
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c Netsh.exe Advfirewall Firewall delete rule name=0pen_Port_KMS2 protocol=TCP
  2⤵
  PID:4916
- - C:\Windows\system32\netsh.exe
    Netsh.exe Advfirewall Firewall delete rule name=0pen_Port_KMS2 protocol=TCP
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    PID:3656

C:\Users\Admin\AppData\Local\Temp\KMSAuto_Files\bin\KMSSS.exe
"C:\Users\Admin\AppData\Local\Temp\KMSAuto_Files\bin\KMSSS.exe" -Port 1688 -PWin RandomKMSPID -PO14 RandomKMSPID -PO15 RandomKMSPID -PO16 RandomKMSPID -AI 43200 -RI 43200 KillProcessOnPort -Log -IP
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4888

C:\Windows\system32\rundll32.exe
rundll32.exe SECOPatcher.dll,PatcherMain C:\Windows\system32\SppExtComObj.exe -Embedding
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:5112
- C:\Windows\system32\SppExtComObj.exe
  C:\Windows\system32\SppExtComObj.exe -Embedding
  2⤵
  - Loads dropped DLL
  - Modifies data under HKEY_USERS
  PID:3044
- - C:\Windows\System32\SLUI.exe
    "C:\Windows\System32\SLUI.exe" RuleId=eeba1977-569e-4571-b639-7623d8bfecc0;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=2de67392-b7a7-462a-b1ca-108dd189f588;NotificationInterval=1440;Trigger=TimerEvent
    3⤵
    PID:1912

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x500 0x4b0
1⤵
PID:2168

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

System Services

T1569

Service Execution

T1569.002

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Image File Execution Options Injection

T1546.012

Netsh Helper DLL

T1546.007

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Image File Execution Options Injection

T1546.012

Netsh Helper DLL

T1546.007

Defense Evasion

File and Directory Permissions Modification

T1222

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Indicator Removal

T1070

Clear Persistence

T1070.009

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\BIN\GenuineTicket.xml

Filesize
1KB

MD5
d8f6ff9a4104620947f00a79d6b12658

SHA1
1e0ab3b0c132fc816f671a8052f2a779b7bae157

SHA256
99908af58e0d507fd3563b7f2d040d1515737bbc2824b18daf7b8fd78031077a

SHA512
19517cb797a0635a2773dde3611019b12393b1599923525441e3f1cadc1a0bd7470bf2705d12e277bda733cbee6be4abdf86daee962de910da1f023cda57f755

Download Submit
C:\Users\Admin\AppData\Local\Temp\BIN\GenuineTicket.xml

Filesize
1KB

MD5
ef68d488ccbbcb128c16674bf45141e3

SHA1
6d5346fd58f8d50e9dd2b2f5df0ee3ed6f67fecf

SHA256
978acd4d6e20ea669aedf38d3efee3b53e899e18a3c8d658e1b3868db1bfc762

SHA512
cc50ddd78dcdb78bdda8e936d42bedbc77cd4cecddb3aeba2068d84139da80bc4998249f3aeec4eba715e543afe739473fa237bd5f40c108bc3ad7ddaeb911be

Download Submit
C:\Users\Admin\AppData\Local\Temp\BIN\SLC.DLL

Filesize
13KB

MD5
31e221d3b930629a14ed2af067f777e3

SHA1
aae9a700c9bb97581f3e15ea133f754cc950b690

SHA256
32073d9d5706476785e3fbcb208b65dff56038c6ca9a8a2b15d2ab1590cc8e04

SHA512
0b6900bc5917908e6ef7ee9d5656b55132c4e2cccfde42eb375a58b81db2712ed0c6344f95b509b74f83bbaf91c0617e3649c597419ab90eedfcf924692f688f

Download Submit
C:\Users\Admin\AppData\Local\Temp\BIN\gatherosstate.exe

Filesize
1.3MB

MD5
b13bc5b62f54607c334a6464d9b85cc8

SHA1
12721c69acbcb515f7adbee08ec42fc61192c187

SHA256
51791625054b01802fd5aaa6c4a929827b369dfef7b2891b5f55e0fa61af0c7d

SHA512
58a9c4e413992b8c225fd622934929382070cbe8c8999bdb93851a1f46a0129d674135eacce2b3f96a19dfbb7333e3b921b5e39b727339c9897de7a02d2ce3bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\KMSAuto_Files\bin\KMSSS.exe

Filesize
34KB

MD5
db3269d74604e1020f73d94af27fe4b5

SHA1
ce200af62639a5ddc6e17b2a856f92584a706af8

SHA256
913afe3290094359b1345012b2022617c13a6bb5a28be8b468247f6b6adb704c

SHA512
c6f3a0fefc6e8bcc9ffe62a02e26a9f82d75676a6b3443890ea31eb4825fd50dbd557fa91b36eaea5314f87a4385a46c60472c44d48d5292a799b9f7ceca10ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\KMSAuto_Files\bin\KMSSS.log

Filesize
773B

MD5
32602598ad95bb44d07124df57596e76

SHA1
ba058599ed4585d0d432a636945f6fb5ac49b57e

SHA256
161326a501dbaea2d482713e359c17473f256e72476feec8f0c753cd3853ffdd

SHA512
ee9b0aea4b864afb44710a1465259316d361d25fd147b6a70b3486f33e77fe0465aa2ffcfa3e19b3efab3dac7e9e1727ea7534955926a365fdcd49210f33a323

Download Submit
C:\Users\Admin\AppData\Local\Temp\KMSAuto_Files\bin\KMSSS.log

Filesize
1KB

MD5
3491f47901654affff5aaf7cac6e46b9

SHA1
c34a0e6f08540ea54e8ee5d11406f8e0b6f8d73b

SHA256
5fdf22031a0c7fc586d3ace42e2dcf152a8e39bea4350ba325334105db5d5e20

SHA512
b101ed911bdb5338b0443c113a96ae9f314fcdc045ac8d68442d5c6c145aa13555e994bbafc9f2cd1c5084e2b5c45d90cc75ee69784ea1c205e9e274746ccd92

Download Submit
C:\Users\Admin\AppData\Local\Temp\KMSAuto_Files\bin\KMSSS.log

Filesize
1KB

MD5
8de98df016fc09e2c485e48c252851b2

SHA1
0f46f03fb26d45705f4b133e3ac6819cf85cacfd

SHA256
9924db78ac8b7dba1bd3dd2e798f526ca371eaca8323cf4e61f28e1dc6fc97f6

SHA512
816ec5ef57465aa234200a54e80194ef47b8c7fb4edb237d091565cd284ed11e131c156432a707a754d42bb94a3dcb4f62871b3b75d1c4408c1cba7fa388c951

Download Submit
C:\Users\Admin\AppData\Local\Temp\signtool.exe

Filesize
323KB

MD5
05624e6d27eaef0db0673ae627bd6027

SHA1
b155c76bf59992a8d75d0e3a59dc94f24aff2591

SHA256
962a92821f54a1e706aa989973130fdc1072c7bd8b9e6d11ea1050b46eb9d313

SHA512
233304669aefeec9ad5d19bd2dd5bb19ea35ce31da0b3aabe5ab859259608a58725fac5993637c9635e5912138d3eb477773351f0ee81cc3ce756d713163cf31

Download Submit
C:\Users\Admin\AppData\Local\Temp\slmgr.vbs

Filesize
139KB

MD5
3903bcab32a4a853dfa54962112d4d02

SHA1
ba6433fba48797cd43463441358004ac81b76a8b

SHA256
95fc646d222d324db46f603a7f675c329fe59a567ed27fdaed2a572a19206816

SHA512
db27b16ec8f8139c44c433d51350fbda6c8f8113e2e8178ff53298b4dace5ef93d65d7cc422f5a2d544d053471c36392da4acd2b7da8af38bb42344db70dbe0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\tem13A2.tmp

Filesize
582B

MD5
1f5b9604f081c49b1f7561403a612de7

SHA1
7d8a7c612e542fd95388446ac69ffa533eb2425d

SHA256
688b74f72a5d3fe88ea047b2bbda50f0b2a630b34f6bafe93d3ccc90c7615bed

SHA512
f1fb1075993a4f605466f977e28bf75391102178745e31155225fd8cc7f03caa82001d2790a50587e29e767c4843015b38b7aaf20df05cd5bd3b04c71658681e

Download Submit
C:\Users\Admin\AppData\Local\Temp\tem7E62.tmp

Filesize
582B

MD5
c88ade43b6323e821259c7b8c1c7212f

SHA1
40e1fdb1dde2e502bef0e5b8eda8391f660a8e30

SHA256
78c5d173b43003250a7a9d99bd2db4b128e978484e836de2e04db4e402b4eff2

SHA512
75b2a2a1377878abe8b84301fbca8e6475d6cf89cdcd3beaeb951df94efa1d24cda0557c7d50c445aaa64b7311e9cd187f1eb3083ce2c2a3978c9a6c46d384db

Download Submit
C:\Windows\System32\SECOPatcher.dll

Filesize
5KB

MD5
8998be879286d69a2522109650fec7b8

SHA1
92c280dba4d7dfd2e7827daecc76ff5e22ca1083

SHA256
03b9136fb9414eba54d0890d9efad1cc0e40abd55ebe2a5bd5554ea7bcc6d2be

SHA512
1c414de081c1bee6f2ec953738bb5203532b3f9987c14dd2598f1d4e8e6a397f8fd111d811ab65774f46e1a6daef19637a803c5e9a5f9f5d3ce75a43d67c5185

Download Submit
memory/1852-32-0x000001F118530000-0x000001F118540000-memory.dmp

Filesize
64KB

Download
memory/1852-33-0x000001F118530000-0x000001F118540000-memory.dmp

Filesize
64KB

Download
memory/1852-41-0x000001F118530000-0x000001F118540000-memory.dmp

Filesize
64KB

Download
memory/2024-222-0x0000000140000000-0x0000000141620000-memory.dmp

Filesize
22.1MB

Download
memory/2024-93-0x0000000140000000-0x0000000141620000-memory.dmp

Filesize
22.1MB

Download
memory/2024-14-0x0000000140000000-0x0000000141620000-memory.dmp

Filesize
22.1MB

Download
memory/2024-27-0x0000000140000000-0x0000000141620000-memory.dmp

Filesize
22.1MB

Download
memory/2024-70-0x0000000140000000-0x0000000141620000-memory.dmp

Filesize
22.1MB

Download
memory/2024-223-0x0000000140000000-0x0000000141620000-memory.dmp

Filesize
22.1MB

Download
memory/2024-42-0x0000000140000000-0x0000000141620000-memory.dmp

Filesize
22.1MB

Download
memory/2024-44-0x0000000140000000-0x0000000141620000-memory.dmp

Filesize
22.1MB

Download
memory/2024-0-0x0000000140000000-0x0000000141620000-memory.dmp

Filesize
22.1MB

Download
memory/2024-13-0x0000000140000000-0x0000000141620000-memory.dmp

Filesize
22.1MB

Download
memory/2176-50-0x0000000001400000-0x0000000001410000-memory.dmp

Filesize
64KB

Download
memory/2176-56-0x0000000001400000-0x0000000001410000-memory.dmp

Filesize
64KB

Download
memory/2176-57-0x0000000001400000-0x0000000001410000-memory.dmp

Filesize
64KB

Download
memory/2176-49-0x0000000001400000-0x0000000001410000-memory.dmp

Filesize
64KB

Download
memory/2176-51-0x0000000001400000-0x0000000001410000-memory.dmp

Filesize
64KB

Download
memory/3044-219-0x0000000066DC0000-0x0000000066DC5000-memory.dmp

Filesize
20KB

Download
memory/3184-34-0x0000023082E40000-0x0000023082E50000-memory.dmp

Filesize
64KB

Download
memory/3184-35-0x0000023082E40000-0x0000023082E50000-memory.dmp

Filesize
64KB

Download
memory/3184-39-0x0000023082E40000-0x0000023082E50000-memory.dmp

Filesize
64KB

Download
memory/3240-60-0x0000027B5C340000-0x0000027B5C350000-memory.dmp

Filesize
64KB

Download
memory/3240-59-0x0000027B5C340000-0x0000027B5C350000-memory.dmp

Filesize
64KB

Download
memory/3240-68-0x0000027B5C340000-0x0000027B5C350000-memory.dmp

Filesize
64KB

Download
memory/3888-29-0x0000000000810000-0x0000000000820000-memory.dmp

Filesize
64KB

Download
memory/3888-31-0x0000000063780000-0x0000000063799000-memory.dmp

Filesize
100KB

Download
memory/3888-30-0x0000000000810000-0x0000000000820000-memory.dmp

Filesize
64KB

Download
memory/3888-21-0x0000000000810000-0x0000000000820000-memory.dmp

Filesize
64KB

Download
memory/3888-22-0x0000000000810000-0x0000000000820000-memory.dmp

Filesize
64KB

Download
memory/3888-23-0x0000000000810000-0x0000000000820000-memory.dmp

Filesize
64KB

Download
memory/5028-66-0x000001A012210000-0x000001A012220000-memory.dmp

Filesize
64KB

Download
memory/5028-61-0x000001A012210000-0x000001A012220000-memory.dmp

Filesize
64KB

Download
memory/5028-62-0x000001A012210000-0x000001A012220000-memory.dmp

Filesize
64KB

Download
memory/5112-220-0x0000000066DC0000-0x0000000066DC5000-memory.dmp

Filesize
20KB

Download