Analysis
-
max time kernel
95s -
max time network
98s -
platform
windows11-21h2_x64 -
resource
win11-20241007-en -
resource tags
-
submitted
17/10/2024, 16:30
General
-
Target
KMSAuto Lite x64 1.8.6.exe
-
Size
6.3MB
-
MD5
7b3563b8dae4dc736c16716eb88a3a37
-
SHA1
639455f16ad599cdaef71f906cea414ab73bb68b
-
SHA256
c085209c5b01d2a516a40e18cefdf5b4bdf5131f3a7f66bf91762cc151169a60
-
SHA512
b36a1d8698b8aaf21ec58212afd2b7ff41d3c6a4e2cb9e5f75cf84e6e58d37cb5b8c742f0f4d8ed487c8815d1db9f965dabf3ca83095df933d0baa78058f3ef0
-
SSDEEP
98304:vUfwPRIkF+DywzlCbj/TSYDExAdmcROSdT7RX1:vUfaRTFzwzehoAwI7h1
Malware Config
Signatures
-
Creates new service(s) 2 TTPs
-
Event Triggered Execution: Image File Execution Options Injection 1 TTPs 3 IoCs
-
Modifies Windows Firewall 2 TTPs 6 IoCs
-
Sets service image path in registry 2 TTPs 1 IoCs
-
Stops running service(s) 4 TTPs
-
Executes dropped EXE 3 IoCs
-
Loads dropped DLL 2 IoCs
-
Modifies file permissions 1 TTPs 3 IoCs
-
Indicator Removal: Clear Persistence 1 TTPs 2 IoCs
remove IFEO.
-
Drops file in System32 directory 1 IoCs
-
Launches sc.exe 4 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
Event Triggered Execution: Netsh Helper DLL 1 TTPs 18 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
-
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Kills process with taskkill 2 IoCs
-
Modifies data under HKEY_USERS 13 IoCs
-
Modifies system certificate store 2 TTPs 4 IoCs
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 16 IoCs
-
Suspicious use of SetWindowsHookEx 2 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\KMSAuto Lite x64 1.8.6.exe"C:\Users\Admin\AppData\Local\Temp\KMSAuto Lite x64 1.8.6.exe"1⤵
- Sets service image path in registry
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c copy C:\Windows\system32\Tasks\KMSAuto "C:\Users\Admin\AppData\Local\Temp\KMSAuto.tmp" /Y2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\signtool.exe"C:\Users\Admin\AppData\Local\Temp\signtool.exe" verify /v /ph /sha1 648384a4dee53d4c1c87e10d67cc99307ccc9c98 "C:\Users\Admin\AppData\Local\Temp\KMSAuto Lite x64 1.8.6.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies system certificate store
-
-
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" path Win32_NetworkAdapter get ServiceName /value /FORMAT:List2⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" path SoftwareLicensingProduct where (Name LIKE 'Office%%') get Name, Description, ID, PartialProductKey, LicenseStatus, KeyManagementServiceMachine, KeyManagementServicePort, VLRenewalInterval, GracePeriodRemaining, KeyManagementServicePort, KeyManagementServiceProductKeyID /FORMAT:List2⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\conv.exe"conv.exe" -y -pkmsauto2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c cscript.exe "C:\Users\Admin\AppData\Local\Temp\lic16\OSPP.VBS" //NoLogo /inslic:"C:\Users\Admin\AppData\Local\Temp\lic16\ProPlusVL_KMS_Client-ppd.xrm-ms"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cscript.execscript.exe "C:\Users\Admin\AppData\Local\Temp\lic16\OSPP.VBS" //NoLogo /inslic:"C:\Users\Admin\AppData\Local\Temp\lic16\ProPlusVL_KMS_Client-ppd.xrm-ms"3⤵
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c cscript.exe "C:\Users\Admin\AppData\Local\Temp\lic16\OSPP.VBS" //NoLogo /inslic:"C:\Users\Admin\AppData\Local\Temp\lic16\ProPlusVL_KMS_Client-ul-oob.xrm-ms"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cscript.execscript.exe "C:\Users\Admin\AppData\Local\Temp\lic16\OSPP.VBS" //NoLogo /inslic:"C:\Users\Admin\AppData\Local\Temp\lic16\ProPlusVL_KMS_Client-ul-oob.xrm-ms"3⤵
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c cscript.exe "C:\Users\Admin\AppData\Local\Temp\lic16\OSPP.VBS" //NoLogo /inslic:"C:\Users\Admin\AppData\Local\Temp\lic16\ProPlusVL_KMS_Client-ul.xrm-ms"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cscript.execscript.exe "C:\Users\Admin\AppData\Local\Temp\lic16\OSPP.VBS" //NoLogo /inslic:"C:\Users\Admin\AppData\Local\Temp\lic16\ProPlusVL_KMS_Client-ul.xrm-ms"3⤵
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c cscript.exe "C:\Users\Admin\AppData\Local\Temp\lic16\OSPP.VBS" //NoLogo /inslic:"C:\Users\Admin\AppData\Local\Temp\lic16\ProPlusVL_MAK-pl.xrm-ms"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cscript.execscript.exe "C:\Users\Admin\AppData\Local\Temp\lic16\OSPP.VBS" //NoLogo /inslic:"C:\Users\Admin\AppData\Local\Temp\lic16\ProPlusVL_MAK-pl.xrm-ms"3⤵
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c cscript.exe "C:\Users\Admin\AppData\Local\Temp\lic16\OSPP.VBS" //NoLogo /inslic:"C:\Users\Admin\AppData\Local\Temp\lic16\ProPlusVL_MAK-ppd.xrm-ms"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cscript.execscript.exe "C:\Users\Admin\AppData\Local\Temp\lic16\OSPP.VBS" //NoLogo /inslic:"C:\Users\Admin\AppData\Local\Temp\lic16\ProPlusVL_MAK-ppd.xrm-ms"3⤵
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c cscript.exe "C:\Users\Admin\AppData\Local\Temp\lic16\OSPP.VBS" //NoLogo /inslic:"C:\Users\Admin\AppData\Local\Temp\lic16\ProPlusVL_MAK-ul-oob.xrm-ms"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cscript.execscript.exe "C:\Users\Admin\AppData\Local\Temp\lic16\OSPP.VBS" //NoLogo /inslic:"C:\Users\Admin\AppData\Local\Temp\lic16\ProPlusVL_MAK-ul-oob.xrm-ms"3⤵
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c cscript.exe "C:\Users\Admin\AppData\Local\Temp\lic16\OSPP.VBS" //NoLogo /inslic:"C:\Users\Admin\AppData\Local\Temp\lic16\ProPlusVL_MAK-ul-phn.xrm-ms"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cscript.execscript.exe "C:\Users\Admin\AppData\Local\Temp\lic16\OSPP.VBS" //NoLogo /inslic:"C:\Users\Admin\AppData\Local\Temp\lic16\ProPlusVL_MAK-ul-phn.xrm-ms"3⤵
-
-
-
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" path SoftwareLicensingProduct where (PartialProductKey is Not NULL) get Description, ID, PartialProductKey /FORMAT:List2⤵
-
-
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" path OfficeSoftwareProtectionProduct where (PartialProductKey is Not NULL) get Description, ID, PartialProductKey /FORMAT:List2⤵
-
-
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" path OfficeSoftwareProtectionProduct where (Name LIKE 'Office%%') get Name, Description, ID, PartialProductKey, LicenseStatus, KeyManagementServiceMachine, KeyManagementServicePort, VLRenewalInterval, GracePeriodRemaining, KeyManagementServicePort, KeyManagementServiceProductKeyID /FORMAT:List2⤵
-
-
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" path SoftwareLicensingProduct where (Name LIKE 'Office%%') get Name, Description, ID, PartialProductKey, LicenseStatus, KeyManagementServiceMachine, KeyManagementServicePort, VLRenewalInterval, GracePeriodRemaining, KeyManagementServicePort, KeyManagementServiceProductKeyID /FORMAT:List2⤵
-
-
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" path SoftwareLicensingService get Version /value /FORMAT:List2⤵
-
-
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" path SoftwareLicensingService where Version='10.0.22000.493' call InstallProductKey ProductKey="NMMKJ-6RK4F-KMJVX-8D9MJ-6MWKP"2⤵
-
-
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" path SoftwareLicensingService where Version='10.0.22000.493' call InstallProductKey ProductKey="XQNVK-8JYDB-WJ9W3-YJ8YR-WFG99"2⤵
-
-
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" path OfficeSoftwareProtectionProduct where (Name LIKE 'Office%%' And PartialProductKey is Not NULL) get Name, Description /FORMAT:List2⤵
-
-
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" path SoftwareLicensingProduct where (Name LIKE 'Office%%' And PartialProductKey is Not NULL) get Name, Description /FORMAT:List2⤵
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill.exe /t /f /IM SppExtComObj.Exe2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\taskkill.exetaskkill.exe /t /f /IM SppExtComObj.Exe3⤵
- Kills process with taskkill
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c reg.exe delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.Exe" /f /v "Debugger"2⤵
-
C:\Windows\System32\reg.exereg.exe delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.Exe" /f /v "Debugger"3⤵
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c reg.exe delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.Exe" /f2⤵
-
C:\Windows\System32\reg.exereg.exe delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.Exe" /f3⤵
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c del "C:\Windows\System32\SECOPatcher.dll" /F /Q2⤵
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c icacls "C:\Windows\System32\SECOPatcher.dll" /reset2⤵
-
C:\Windows\System32\icacls.exeicacls "C:\Windows\System32\SECOPatcher.dll" /reset3⤵
- Modifies file permissions
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c mklink "C:\Windows\System32\SECOPatcher.dll" "C:\Users\Admin\AppData\Local\Temp\KMSAuto_Files\bin\driver\x64WDV\SECOPatcher.dll"2⤵
- Drops file in System32 directory
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c icacls "C:\Windows\System32\SECOPatcher.dll" /findsid *S-1-5-32-5452⤵
-
C:\Windows\System32\icacls.exeicacls "C:\Windows\System32\SECOPatcher.dll" /findsid *S-1-5-32-5453⤵
- Modifies file permissions
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c icacls "C:\Windows\System32\SECOPatcher.dll" /grant *S-1-5-32-545:RX2⤵
-
C:\Windows\System32\icacls.exeicacls "C:\Windows\System32\SECOPatcher.dll" /grant *S-1-5-32-545:RX3⤵
- Modifies file permissions
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.Exe" /f /v "Debugger" /t REG_SZ /d "rundll32.exe SECOPatcher.dll,PatcherMain"2⤵
-
C:\Windows\System32\reg.exereg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.Exe" /f /v "Debugger" /t REG_SZ /d "rundll32.exe SECOPatcher.dll,PatcherMain"3⤵
- Event Triggered Execution: Image File Execution Options Injection
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c Netsh.exe Advfirewall Firewall delete rule name=0pen_Port_KMS protocol=TCP2⤵
-
C:\Windows\system32\netsh.exeNetsh.exe Advfirewall Firewall delete rule name=0pen_Port_KMS protocol=TCP3⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c Netsh.exe Advfirewall Firewall add rule name=0pen_Port_KMS dir=in action=allow protocol=TCP localport=16882⤵
-
C:\Windows\system32\netsh.exeNetsh.exe Advfirewall Firewall add rule name=0pen_Port_KMS dir=in action=allow protocol=TCP localport=16883⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c Netsh.exe Advfirewall Firewall delete rule name=0pen_Port_KMS2 protocol=TCP2⤵
-
C:\Windows\system32\netsh.exeNetsh.exe Advfirewall Firewall delete rule name=0pen_Port_KMS2 protocol=TCP3⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c Netsh.exe Advfirewall Firewall add rule name=0pen_Port_KMS2 dir=out action=allow protocol=TCP localport=16882⤵
-
C:\Windows\system32\netsh.exeNetsh.exe Advfirewall Firewall add rule name=0pen_Port_KMS2 dir=out action=allow protocol=TCP localport=16883⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c sc.exe create KMSEmulator binpath= temp.exe type= own start= auto2⤵
-
C:\Windows\system32\sc.exesc.exe create KMSEmulator binpath= temp.exe type= own start= auto3⤵
- Launches sc.exe
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c sc.exe start KMSEmulator2⤵
-
C:\Windows\system32\sc.exesc.exe start KMSEmulator3⤵
- Launches sc.exe
-
-
-
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" path OfficeSoftwareProtectionService get Version, KeyManagementServiceMachine, KeyManagementServicePort /value /FORMAT:List2⤵
-
-
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" path SoftwareLicensingService get Version, KeyManagementServiceMachine, KeyManagementServicePort /value /FORMAT:List2⤵
-
-
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" path SoftwareLicensingProduct where (Name LIKE 'Office%%' And PartialProductKey is Not NULL) get Name, Description, ID, PartialProductKey, LicenseStatus, KeyManagementServiceMachine, KeyManagementServicePort, VLRenewalInterval, GracePeriodRemaining, KeyManagementServicePort, KeyManagementServiceProductKeyID /FORMAT:List2⤵
-
-
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" path SoftwareLicensingService where version='10.0.22000.493' call ClearKeyManagementServiceMachine2⤵
-
-
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" path SoftwareLicensingService where version='10.0.22000.493' call ClearKeyManagementServicePort2⤵
-
-
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" path SoftwareLicensingService where version='10.0.22000.493' call SetKeyManagementServiceMachine MachineName="10.3.0.20"2⤵
-
-
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" path SoftwareLicensingService where version='10.0.22000.493' call SetKeyManagementServicePort 16882⤵
-
-
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" path SoftwareLicensingService where version='10.0.22000.493' call SetVLActivationTypeEnabled 22⤵
-
-
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" path SoftwareLicensingProduct where ID='85dd8b5f-eaa4-4af3-a628-cce9e77c9a03' call ClearKeyManagementServiceMachine2⤵
-
-
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" path SoftwareLicensingProduct where ID='85dd8b5f-eaa4-4af3-a628-cce9e77c9a03' call ClearKeyManagementServicePort2⤵
-
-
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" path SoftwareLicensingProduct where ID='85dd8b5f-eaa4-4af3-a628-cce9e77c9a03' call SetKeyManagementServiceMachine MachineName="10.3.0.20"2⤵
-
-
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" path SoftwareLicensingProduct where ID='85dd8b5f-eaa4-4af3-a628-cce9e77c9a03' call SetKeyManagementServicePort 16882⤵
-
-
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" path SoftwareLicensingProduct where ID='85dd8b5f-eaa4-4af3-a628-cce9e77c9a03' call Activate2⤵
-
-
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" path SoftwareLicensingProduct where ID='d450596f-894d-49e0-966a-fd39ed4c4c64' call ClearKeyManagementServiceMachine2⤵
-
-
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" path SoftwareLicensingProduct where ID='d450596f-894d-49e0-966a-fd39ed4c4c64' call ClearKeyManagementServicePort2⤵
-
-
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" path SoftwareLicensingProduct where ID='d450596f-894d-49e0-966a-fd39ed4c4c64' call SetKeyManagementServiceMachine MachineName="10.3.0.20"2⤵
-
-
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" path SoftwareLicensingProduct where ID='d450596f-894d-49e0-966a-fd39ed4c4c64' call SetKeyManagementServicePort 16882⤵
-
-
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" path SoftwareLicensingProduct where ID='d450596f-894d-49e0-966a-fd39ed4c4c64' call Activate2⤵
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c reg.exe add "HKEY_LOCAL_MACHINE\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /f /v KeyManagementServiceName /d 10.3.0.20 /t REG_SZ /reg:322⤵
-
C:\Windows\System32\reg.exereg.exe add "HKEY_LOCAL_MACHINE\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /f /v KeyManagementServiceName /d 10.3.0.20 /t REG_SZ /reg:323⤵
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c reg.exe add "HKEY_LOCAL_MACHINE\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /f /v KeyManagementServicePort /d 1688 /t REG_SZ /reg:322⤵
-
C:\Windows\System32\reg.exereg.exe add "HKEY_LOCAL_MACHINE\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /f /v KeyManagementServicePort /d 1688 /t REG_SZ /reg:323⤵
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c reg.exe add "HKEY_LOCAL_MACHINE\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /f /v KeyManagementServiceName /d 10.3.0.20 /t REG_SZ /reg:642⤵
-
C:\Windows\System32\reg.exereg.exe add "HKEY_LOCAL_MACHINE\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /f /v KeyManagementServiceName /d 10.3.0.20 /t REG_SZ /reg:643⤵
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c reg.exe add "HKEY_LOCAL_MACHINE\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /f /v KeyManagementServicePort /d 1688 /t REG_SZ /reg:642⤵
-
C:\Windows\System32\reg.exereg.exe add "HKEY_LOCAL_MACHINE\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /f /v KeyManagementServicePort /d 1688 /t REG_SZ /reg:643⤵
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c sc.exe stop KMSEmulator2⤵
-
C:\Windows\system32\sc.exesc.exe stop KMSEmulator3⤵
- Launches sc.exe
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c sc.exe delete KMSEmulator2⤵
-
C:\Windows\system32\sc.exesc.exe delete KMSEmulator3⤵
- Launches sc.exe
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill.exe /t /f /IM SppExtComObj.Exe2⤵
-
C:\Windows\System32\taskkill.exetaskkill.exe /t /f /IM SppExtComObj.Exe3⤵
- Kills process with taskkill
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c reg.exe delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.Exe" /f /v "Debugger"2⤵
-
C:\Windows\System32\reg.exereg.exe delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.Exe" /f /v "Debugger"3⤵
- Indicator Removal: Clear Persistence
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c reg.exe delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.Exe" /f2⤵
-
C:\Windows\System32\reg.exereg.exe delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.Exe" /f3⤵
- Event Triggered Execution: Image File Execution Options Injection
- Indicator Removal: Clear Persistence
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c del "C:\Windows\System32\SECOPatcher.dll" /F /Q2⤵
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c Netsh.exe Advfirewall Firewall delete rule name=0pen_Port_KMS protocol=TCP2⤵
-
C:\Windows\system32\netsh.exeNetsh.exe Advfirewall Firewall delete rule name=0pen_Port_KMS protocol=TCP3⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c Netsh.exe Advfirewall Firewall delete rule name=0pen_Port_KMS2 protocol=TCP2⤵
-
C:\Windows\system32\netsh.exeNetsh.exe Advfirewall Firewall delete rule name=0pen_Port_KMS2 protocol=TCP3⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
-
-
-
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" path SoftwareLicensingService get Version /value /FORMAT:List2⤵
-
-
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" path SoftwareLicensingService where Version='10.0.22000.493' call InstallProductKey ProductKey="2TDPW-NDQ7G-FMG99-DXQ7M-TX3T2"2⤵
-
-
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" path OfficeSoftwareProtectionService get Version /value /FORMAT:List2⤵
-
-
C:\Windows\System32\slui.exe"C:\Windows\System32\slui.exe" 0x2a 0xC004E0162⤵
-
-
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" path SoftwareLicensingProduct where (Name LIKE 'Office%%') get Name, Description, ID, PartialProductKey, LicenseStatus, KeyManagementServiceMachine, KeyManagementServicePort, VLRenewalInterval, GracePeriodRemaining, KeyManagementServicePort, KeyManagementServiceProductKeyID /FORMAT:List2⤵
-
-
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" path OfficeSoftwareProtectionProduct where (Name LIKE 'Office%%') get Name, Description, ID, PartialProductKey, LicenseStatus, KeyManagementServiceMachine, KeyManagementServicePort, VLRenewalInterval, GracePeriodRemaining, KeyManagementServicePort, KeyManagementServiceProductKeyID /FORMAT:List2⤵
-
-
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" path SoftwareLicensingProduct where (Name LIKE 'Office%%') get Name, Description, ID, PartialProductKey, LicenseStatus, KeyManagementServiceMachine, KeyManagementServicePort, VLRenewalInterval, GracePeriodRemaining, KeyManagementServicePort, KeyManagementServiceProductKeyID /FORMAT:List2⤵
-
-
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" path SoftwareLicensingService get Version /value /FORMAT:List2⤵
-
-
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" path SoftwareLicensingService where Version='10.0.22000.493' call InstallProductKey ProductKey="NMMKJ-6RK4F-KMJVX-8D9MJ-6MWKP"2⤵
-
-
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" path SoftwareLicensingService where Version='10.0.22000.493' call InstallProductKey ProductKey="XQNVK-8JYDB-WJ9W3-YJ8YR-WFG99"2⤵
-
-
C:\Windows\system32\rundll32.exerundll32.exe SECOPatcher.dll,PatcherMain C:\Windows\system32\SppExtComObj.exe -Embedding1⤵
- Loads dropped DLL
-
C:\Windows\system32\SppExtComObj.exeC:\Windows\system32\SppExtComObj.exe -Embedding2⤵
- Loads dropped DLL
- Modifies data under HKEY_USERS
-
C:\Windows\System32\SLUI.exe"C:\Windows\System32\SLUI.exe" RuleId=eeba1977-569e-4571-b639-7623d8bfecc0;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=2de67392-b7a7-462a-b1ca-108dd189f588;NotificationInterval=1440;Trigger=TimerEvent3⤵
-
-
C:\Windows\System32\SLUI.exe"C:\Windows\System32\SLUI.exe" RuleId=379cccfb-d4e0-48fe-b0f2-0136097be147;Action=CleanupState;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=2de67392-b7a7-462a-b1ca-108dd189f588;Trigger=TimerEvent3⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\KMSAuto_Files\bin\KMSSS.exe"C:\Users\Admin\AppData\Local\Temp\KMSAuto_Files\bin\KMSSS.exe" -Port 1688 -PWin RandomKMSPID -PO14 RandomKMSPID -PO15 RandomKMSPID -PO16 RandomKMSPID -AI 43200 -RI 43200 KillProcessOnPort -Log -IP1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x00000000000004E4 0x00000000000004E01⤵
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
3Windows Service
3Event Triggered Execution
2Image File Execution Options Injection
1Netsh Helper DLL
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
3Windows Service
3Event Triggered Execution
2Image File Execution Options Injection
1Netsh Helper DLL
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
665B
MD5b75e02f1629f277621d8a5ef8e42761e
SHA1292595bbf69cf90dcdc1539e96ecf7e45e4c5319
SHA2562c466d74b5db173200221abb27c69e1b0c493b9fb12299942c700b2e4c00acb4
SHA5128e745fd3a08668cc17347cbc3a6e6e58d7dd09c4c1c9c4d4b531e914c75a9d767beb43951ee8791be99f05e89ab630cef679eaa0ec7f1db8cfe26b63cb191d68
-
Filesize
1KB
MD5484010fd81dd59a962a649a4c3035026
SHA17517ab153fdcf700c513326e04f45c580c24c32b
SHA256d2332da7b844c57e1ff577f207795964a2f60871f3dc73d416828073dde3daa7
SHA5129ebf599268528bd4c73dbe193479a00d55654d6a16852490cf6e75890d4c19dadd224e2a7a1970d31eae11923fba2ba6350d9e1f7cc55d3448e06150cd3350cc
-
Filesize
1KB
MD551461c74694c21e404fdee0b530a0d0b
SHA1069da93c32d28484d39965046ae39c9ea75aba4b
SHA2564c273a3e2badb1976ec8e69c480ffd2f332adc8a133c47cbb28efc67ecb1c732
SHA5123348137270268069bfff63f51910283764d065ef83036614c1439aaa98a746ab80f63a2e3c71f2311835d05b2a1aa205ed5ee7ea65f740cbab1d90eee887219a
-
Filesize
2KB
MD56f658a456a1b2531b09021d63a3d7644
SHA160488187481c8e888de349af14e4c011e3b08963
SHA25617c0cf80f8c53b92ec2c51f3734e55f0f2a190a7e0e15ca1cfb3479185bc85af
SHA512601cdd3e064cac7b5e2a7427ce142f6e6f14373c24d9b825e6f7a5467238018f33ffeb854d004adb8a60ff7e24375a55b97658a067f69327a112af120eda6b31
-
Filesize
3KB
MD5cf28260cd2444d66b4bad20eae5076c8
SHA1f166294a7dba349d33e0bc853c24e9d8a6734034
SHA256c799a2d02efbe0df1dc49f353422af6bebdf9db55dc7ba11ec38d083e22bd900
SHA5127633f97dc9ffc2785f93482618604631ab7996c78a767c9b0b715c519d58deb27e17fbc041a14a7d326b8f197bcf6588efd0664a021204492859088558167e70
-
Filesize
446KB
MD5366d7dbb0cdf9684d0df559d33d9bc64
SHA1e1a23c7590c4a6e32d63c32c3a958ba544b59a57
SHA256f1f441fe3f598808f1c7572056420eeea06d3d46aa92747edea944335de5f450
SHA512d8cb880578b9382539e452eccfd70ba789a02e89f6485284d475265524c2e410204d8435f2025213b43c9d2bfad698a318ae2e6907ed7fca0230e24b15411366
-
Filesize
25KB
MD56256d4aa826faa59e89ea93160fc82da
SHA1136fac36f645d9517b593dd43ab5a1e520c92eb5
SHA2561bea83f266637f8e61149f968007be67a63fe72736ec1833abd20d18a5639e5f
SHA512b1587b7bb3de848938251c90149ac29147b6c82860367d1f6c28d01dc49befe97170dfbe1d7f44bd8629086b055948094979a0bef9a71726578b3f69b5116d84
-
Filesize
11KB
MD52f513f2a1287be2713ed9e454a84da81
SHA16e14be77b50216c36da1a9c225f43c0194bee2c5
SHA256c7cdb5d53c090cc658428938d7ab488d24169e9899eccac0c8698969fd03291d
SHA512d2824cdb19400adc36cd793fc9050c12a613ad4012a45a29bd10879b894358ca8e067b6f26642e7238e23016155e424e2c3da22fb60ee6cf2d9712062bc8e5b1
-
Filesize
9KB
MD50aa3e8d4461bff6bd9c4a58c56c6710b
SHA186012782ef07b57feda62409174c72bd29f048c9
SHA256ddde6b5700fbfc6c0f6810a614a572e75d1f4b21823c40874708f9c35e10c603
SHA5124c8c791b954212fe366a8d863e18128b744a7cce79a30626e8a48858c56780443ff3e363fb3c503d90fc13f0d48193d9f6152318fcb375468bd788b89f46fcaa
-
Filesize
10KB
MD5e6ad1f20b5ccbb26dda712c27fadc320
SHA110ab9491bc584c260dc1c1bdf9a2b73f4291720e
SHA256089c15baaf7fe17d8d25f63c5f93a0a529b5dd694e400c8f85c0e1efc88a3987
SHA512a87e91475ea62f592267745498ff0542e2ffdd4a10ee81ccebb809877de0f8c9ead97d109ee90d229923e5b32b3a0a3f6773bb1ba162e218fa02575b76ef57c0
-
Filesize
25KB
MD5528fb51d1fd1e61e367b87ab168086e2
SHA11ffa96042f2d81fbd0f092acc6128be8f55198cd
SHA25660d8b24dd1452732864482d633816ed49fc55b8551d20c9f94c75feb3e2b2698
SHA51218e4a574a03c3f81fce8a3c8804638730257c8b85ecf7c2893276235fd86bdc5c5102fcdd14b77d0b976fac5047b43136597fc5769cf775f4b1c899e2980101c
-
Filesize
11KB
MD56b3d4137a7c9568b1f7277307c174f04
SHA1a27fdf723efd9a8338c4223a95192b1999fc4e13
SHA2561aeaeda84916086fd8dd81faadae1fcf06bffe377190a290f90c40f82f6b272a
SHA512f279250c889ae7d9fb334fddd36c29733b838b6a9cf4a3dd2c65ffdbde6b2b5d856f2b78c235599decb9eac57fe39651d3543dc31aa586813e1714bdc9e9b2a2
-
Filesize
19KB
MD5305bbe8ffacc7cf7594ee18d1580b73c
SHA14df0461658c3ad11a49a66353f82afb0245b9e26
SHA25627b1998b9b70b57dc9aef7aaf607c5e38f8f7c5d3794a9c3773e8e79eea8da08
SHA51244f4800a5264c8ce791e24f385dc4f7dd09732768766593cc84c4ab808d4e843c549e56834d8b5eb217cccd5c57f26f70335c5ed3439c1510e5533d7e4e4eef4
-
Filesize
25KB
MD590ce5b578bc792f1aaf58425ea6092a1
SHA1df6a35029bfdc51918d9d92fce9c4ad938581347
SHA25699c1e2d3e2bae4a67a41760f6d76451dc7434be27ec246028344f1b3872b960f
SHA512b24290b3bd8c401e8475a12782be27587846a02ee978b24a8a3053e9a0c86a8b1a8a450a109a98ef74b1812c3489e5bcc5e432212008c25bec908cc7514f6aac
-
Filesize
11KB
MD54e8fc98d44e3a29a4f491501f68f78d1
SHA17f4200719572bcc3fe4fecde743e97d732d69548
SHA256ca0067c54c96fc4d50a535fb492d551507af0515755d4486c8d3fda4f170584c
SHA5123f24fc57a0c55c579518683931d8e3df86e4f50f615bed43c6208910dac402b12f770d34ccf409a4deb1639450bf5fbc2f1ef92ea317b294916b05c202b27445
-
Filesize
9KB
MD5dc08e5808ae9fdffc79df9c5bfc9914c
SHA1fb83e83d0703dd80da79e1206a480b53fa99cbaf
SHA256bfe08054697c3703e27b6ab8a78ec0e453228d2aee3f551caabfa2ddf497794a
SHA5120118a3cbbea4a2b3d2bac32f60450934fdc5c308f428b924eeafb8e1ca5583458430150e230ca5f971aae9ec0433758b1734bda792794515e3fd09d6c0799c5c
-
Filesize
10KB
MD59eac2b30934ef4e76240f30b959df472
SHA1a9d182a1c6075fb4d95170717ba3a33e60c3a645
SHA256c83fcc37de81332959d4a075a6340b3997f625875c209fa49f4dadb90c2b4392
SHA5124569510aa9bbee53f97ce5c93e6244b3b6b9a18837b257542bda8a6f9d1f5528c7b2d36dff8def47ce3e97ea410642c2ee3a61fcb238b3c9904b090b1a9ebb95
-
Filesize
25KB
MD59e7ac00da8e3a75be4cf72010a34a859
SHA1fb9a015d73d80a1bbfa9a451f8a9473056787042
SHA256888832141c738d9cbc6844cd1b803927190fe4c78277ed339634dbc81860d3c3
SHA512fcc1ad59a642a591ed55f5526ba140d6e20fb1d1e096f1320f88b689f357443ec37d82762d3501bd4bfaffe9c8224795f82636f67211adac45d91a4fa7122a5c
-
Filesize
11KB
MD5ca0dbfcf02c439214b1c49243f38fbfe
SHA1040ecb53ebfcf8d4009c25f3fbbc1f614a98c8af
SHA256d1d353fd60021e35623457dce138d213f842501097e8e1b5e476acdde15084ca
SHA5127ae1da78c20b7adee6f1ea8692edec5195cbacde1ece1ede8cfa1eed9ce385ed66c5ecf13e36fdd0d393a27bfccc25a8dbd694819aa7adda590d0675286edc8c
-
Filesize
19KB
MD57a9f023a6985da925df2ada7f917d1dc
SHA125c2b402f0cfa9b28355e535f0e1927172cdda9a
SHA25636b7049b6750fb584d5a9ea9076a6e84873e7fc892dc237470a57e429d8e522d
SHA512bad98df46391572cacd8af7cb9b14d360c3d089e12fc031ddf16b9912980e63c6593f837a3a214a34e9852ba5fff50bf6ed00710e850ef25d2589390a2a45cbf
-
Filesize
7KB
MD5ea81f375dbf4359cb587dd1d1b9888d9
SHA1bcddb315420f21a2cd7663d4f93423dfeec28808
SHA256da3514705c933f1e7de4d60270516dae35527cdf62193a788aa382f9f7b3f54b
SHA512fdd2c415a2e10a6b61375878ec0ecb07d91acadf949127034227516e34f1728d8d6efe55019c7ced9b1e38afcb77ba6e2e214381e9d3ce06d62734534c3ba764
-
Filesize
11KB
MD552fa7a2ff7358691f89a02812296b47f
SHA1a68ddc4c3b756694fae6b3154b3b6e3930f62337
SHA2565eedc8c935c0331e5dd724b7408bc6b22510d8d49ac811f2a975386837e41d9f
SHA512bf227eafe7c913bc77ca209d339c56d3907d1fe4f5ac3a36e838e18948a91f229b31812aca35eed4802defe68101ca2bbf5d47b8ce8af51c48d7e25ae9ecff33
-
Filesize
9KB
MD585d68c704c262d9a186139ac3cde9f70
SHA16a695b43b8a0d41149c86739829f19a8a3de2c16
SHA256a401cd4ec1a3c02dc175797af4ee41427245dbe62f0a83586724926317c39642
SHA512032a94a1a3615ef88c305733e4788573f44c8696670cd19cdbd2f2e9e60db9b90e4fbd6705a852b207aa8a2cb73258f408d383fe028d0893bcd497b613737cab
-
Filesize
10KB
MD5bdad8bea53ecd5b489df5ce146e38698
SHA1a676380d1b16daf07f5488bef89ef48a38664037
SHA256e43d09a2d2b844a2072f246c947500d0fea4a0e29174874f6640812beb0631ac
SHA51215e9375714b1dc50eecfc54ff2ebb2a7a5f903abdba34f5a7d9f008f10dea03e43b5478f3d1ce79c8c00c5833570214827d8839f31933910ffd463eda8fabfd7
-
Filesize
7KB
MD58273bef1489eeebb5287558efa91b315
SHA1cd6b6621bcc9fd8bbf474ec7893f516729485e86
SHA256adf3b2b33ff9cfdb142cd5779879354b8fb35f96109fd38bfd0ca94e5dbc38db
SHA512cb84605d6134ebbf3b0161e345a7fca15d4a2731acae31d71699bbe1619a07ba3120214d8b378b69166f821da9a2bcbfc12d65412ebaf8c5fb9f0b53fd918ff6
-
Filesize
11KB
MD5e5faad80fbf96c2024726c0e184fa8af
SHA15163d31b691c6ca49b9b7c7ea9dfa2c088c38cc0
SHA2561c18c58f27a3ad746f61d2e6c84736a9e8dc8243487add527d2ffb17efaa380d
SHA512763737cd40c546e65ea326afbea4ea9d484b4ec3e6c2aa958c692b136db4f2d3cf5e0cbfee5668b5e5c3a2a827fad20e974a52bac11ec227630c7762857ffcc4
-
Filesize
19KB
MD5861753974b49cbfc773ca3d9945a141e
SHA17015131e45de7d138f0f16eb020e8d6ac1591965
SHA256444da0f2ed2607d2e973d558b5e99da0837eda0ad16301fd2032530f24202060
SHA51225e761561f2173cade274c9dd9cb952949e8bc1cddc8cb598db6a3d90f9b32ab9d47a105a2c921fb8a7439e2c9ca2d805255bf48378f60e1ca551ef454e09d02
-
Filesize
25KB
MD50e3ae5e7adf7a4d35b705cfe6d6208d0
SHA1d24948e7de9eca0dc420869df011a13c1b7d1991
SHA25633d37e1611aaf2136be291f81e0627d5560b6a0ae98725d93d3abfcc587917c9
SHA512dd3ecabcfd24e3d20135c23da82d1452da716a4af29c031c908ef7f5a3d0ecea12222632e7c88f284cbb2cc48b5bf1da6016157141a53f6ddb4ff534b5dc34f0
-
Filesize
11KB
MD5a18089d933a51ec99025856b179f120a
SHA17e8bdef2541e432d83ac7069b31bef2151729831
SHA256ea603cba7bb883c6e5d196d3d711179afac7685d8639e4cd7f8d307bd301d7d2
SHA51265bae491cdbfbe329575b9c69573c76244fe69909eb22ba8f01dea0dea522569c6ae2a193d021e52c259f1bb8a4c2ba177ce813ab1d7e30e850a70fd6a94b5df
-
Filesize
9KB
MD5c05417e3bf104b661d0cb0fdbd8e5eb4
SHA1e61db23b5cbb060d76ed133cab8e46db6bd3926d
SHA256dc2a73abe0bbc1ccb1b75529817d106163183663b32672ba3bb410ef8761f0be
SHA5123e1e70f88e014f8177f9f673e0bcc371a7b6fdea99c4909c0a8f8fcd9a170d06442d0a691bf85a172715d2aa125261d1d2e1d8e9bd391d878038bd8012531497
-
Filesize
10KB
MD5dc2d8c2ef7c93a771d2c514ed91867c2
SHA16b8b5050e9581361a47edcab8f40da40bc6ebda4
SHA256754128552354b2a81749be11bbaf9199f8bcb6e775e2f3f8ef1dba29f24baa7c
SHA512b7c44017140bfdbe040d11036cc89867c656ae26beb7d2a6017cee1e8c3e5c5fde19687631adfbce1df2eaad0dc7fe365d3fca573bd50280d8f3c911f54baa54
-
Filesize
25KB
MD5cf1f91e8e13bfc03258559705aa2bf76
SHA1a82ee2adfae6fbbcb439b1e4de097440621a1497
SHA2567d3d71cf2c4d47e18b03cfbc754ebc040eeb880e25caabf54d0393b162bcad70
SHA512dd05420690275709af4ca92ee4f0caec87008c042cd2a33bcd31b44413cd7a328ca362efac688092d576bb7eaf640a1b9349cf28978b0b39a8082dcdaef3f251
-
Filesize
11KB
MD5a452f7eb7e7d3bc9ae219cfa83f3808c
SHA1a98260f2414d77424bca139dc9e356bb8e071138
SHA256d3b3796ef30cecd437e19ae9a2f5de6d692ce1d67d6889c580605f497ae90c42
SHA512d144085cb70ed409c81b8e1318508855301973c10eb8ae27eb704810559e6fd356aa764f1c9eacff4513e96ce1dd25dacea8992706ab2c7d00a634cdeef7aedb
-
Filesize
19KB
MD5c454e758b66c176a325276bdf5c48ce0
SHA175ec522a5836a2aa68b4fbeddb027dfabcc3e614
SHA256e45ceeb8614a466a4c6eb3b563b135dd3a0ad225a60552f7d6be32c67432c67b
SHA512c74b0e694f3e0cdf676ab130cda2a38d077f05e60456831ceaf4bc4a3171a21d002317f90262942730f6d4b3ed8c4a988e0a838583ddbca8ffc3df84cdaa66f6
-
Filesize
25KB
MD54e13adb5f5f6330137bbc9c9670c65e3
SHA11c73454ad0912c571eb7f91ae2a39aa10ebdc532
SHA2568a1b326585e8b700e72cd6d6ac07789bb97aaeefa8fb640d656838a297c739b8
SHA512e8509dcdd0095a82f9089d25769f9d4691869d4333cd49445095cda7a5e7d49559c8b364ff37f079cef01079259dae8e468ff2b5f2bfc71552b9270951d65458
-
Filesize
11KB
MD5f621f3132fd86e17d09e9f415bd3f93c
SHA1035e47841656b39e393949631da98da682dc1908
SHA25614b38a45108ac1697da29ceece72cb2b0abecc81422aa112c4438a11587eeb5e
SHA51261a94a491ae1114d29ab10e8f7b587982486b1ba1f7c9ccdbdda6f56eb627af01e34bd179c7a6d714fc7b74cc9d4370980c6e6650a9d9c938be292ae7bafdd61
-
Filesize
9KB
MD53cc2cde49a86b47226530261ab6f6e94
SHA1a45ca2f285115e0c308e76fa4ae4c84f086597d4
SHA256ed315e9ebf245efe09aa7cf202339f6312783e980c43d23b8a87e374b71fa913
SHA5125cf6a81dd28ff17c2fcaed4c08464204ba24038e55cb1917632ad59074a15be2cee685ec9feb7cdfa0a3042e427e293ee71cf22660ce353ab9b4dcef852bc723
-
Filesize
10KB
MD59070d4d60297888f8760a0425e1b0922
SHA10ae840966b1f6c0464efb1e1ba24b9de0210c6cd
SHA25687572b28d09ff71ee938769a5d307bd9246b21cb23420eea120e4ae6cfec98b5
SHA512b81bff4685c06aa46544ec8add6cbc51f8e277f7037248b9dbd5d8fa8bac97d26af7f2a87c8ca46c415c2cc76f3e031ecc63db00f25893290ca811c84fac0675
-
Filesize
25KB
MD599aafbeab1ac81dd79c0bbb1f499762d
SHA11191551cd568c52d1e5f9286c5972985e17fae7d
SHA2566af5041e6fb5ef516ee427d1ae9238748884b01500ec052f1046cb40102175a7
SHA51243b7994f09f3a2851a1d8886e201caf0f09f72117524f9f4e01face823615f20f977cdf3bd32033a0afc7ff8a89ffa5b86cf723feeb9249193d56f796b32df88
-
Filesize
11KB
MD50cd33e14470eda6832f5bc09bdc0893e
SHA11691b070b4c0bead31ff69aea88ee218cb351f3b
SHA256d099612d06e3bb765c9014d6241d57bbd9231acf32d4ae375ee632d8f7f12f57
SHA51212445e7e5aabeaec1f616e55f6658aae63aec4721e9daa857f0bf716835a1b931e98c75f5542256eb062e086a4a38111030316c15b35bd2b5364cfac81125cba
-
Filesize
19KB
MD509eebdfbb9734fac2218f9f425f8299a
SHA1e3151341edeefdd85ec216afd6e881d88c91b36d
SHA25608f4e238ea7cae425ed5b88eeaa69b7ead479addcc5148e3f4617b8749297c67
SHA512647bce6ea728e538f01f16566260fad64000d21c434f6c7b7061526cd5d5bafdcb212c21181798ed641767df29fd0727e79c3c209130ee6ea7da40374ce95dae
-
Filesize
7KB
MD512fbc86709c6a0947e6145bfa149b79e
SHA182cdc5a039c6f0ab029e3129f2c27511b0f1d6ea
SHA2568702617c66b834c0429f849b667f2d41e9b403aa45bde5b2140917dc235cb5c7
SHA512862a09c54820ff3bf32380cb0c2a25f36cb6b81a712185d03801f725f0ce103f78a29ae024b229fdb4308e4cbae51a9f12972e94166d5f5d480b8bf138842366
-
Filesize
11KB
MD5ce090939c1291ed9878a9160383f49f2
SHA1c7c1791fd0de2f861dd59c0d381e0318adfe17b0
SHA2562092d920113ec7870b31d5f6eb2feeca6268e4bbc8df84ebda718603adb17ed0
SHA512b593936f225d3e8132f22e3bd3029bf55471ec3ddd31883fc6f6da47eca671909c03518e5145d645466111f6b1f75666faa2e727b6f3353e69c116c368b37e86
-
Filesize
9KB
MD541ca79009d4ff127ecc9320936f36f14
SHA14178dff39e1d8b7a4af9990cf398e1a2dd73dba2
SHA256317312a54e084dcfce13e02c45b980e59aebafc0c1ad2fe6738ff670f22e9d73
SHA512a513f6ddb27f7eb53c9d684eb5b0a5610a25f30f8525b6d98ad8f6135f94eddbaa64a2138f1c3dd87912eaff0cacdfe72d5c95eb977e9fac8a28611f29d05290
-
Filesize
10KB
MD57d498376a9fb4c441c8ddf08ff9f02b6
SHA1a773f89c2c8ebe794d5c6f44edf0cf6e94b52a0e
SHA256bfcdb92d7072ec99bcd61c13517cab8b1f5c8ed552e9e12514b661d3a24f6aa5
SHA512d717242f69a4b0fc8727ed6b176ddb502f6f0377ad9f482b1c2ff81286708aae00ef05925f9cefba10c7cfb581ec5c3263c1f279a2dfa4a52e1219bdbed08ee4
-
Filesize
7KB
MD540d73acfb19b6b8b784f73910dc73aca
SHA1cedce2f15e7290c14e99bb19663fec17490026e8
SHA256d1958cf687180b6684cf142d5fff34630590503bde399272bbeb494ef67ec1a7
SHA512a35944025b72dba1159b02ca4c0621485a432f652e12d65b1b057fe30bd17ef5fdc60effcd3ab8ed007287f7a493cb125a4cbd1a0486a7ce7cad858432dd503d
-
Filesize
11KB
MD5feb88ebd1234f66091d65fe26e7c07cb
SHA16d8fe810e026c70d84a9b65432df811fbb569f27
SHA256524d52c206d402b15411bff2ddb5c64c77de875c7e5ecf02fd78777c998b0b90
SHA51246cde813e138b09bb28ca9287c1aa8f8ab77d5f4c3576320f30a559c2a0220223a9b01992de103486b11bb2f9296a592dc1b3f4bbe58bbdeb3bc4d7ed838a0c3
-
Filesize
19KB
MD5f0ac6e3f1ef3b09f4c908832b3458f38
SHA12fe2ef0a602968f403fe52266662bf8eade8fa01
SHA25610ed9af7df471cf2e21bbf356bb802481bd766ac5e105b81506782c85174a1c9
SHA512ca2201379ac2245cb5c8b91b646904c79520b39d690e074fbf3b8c03da499f97c277b8219a7b1221ce7afc69a2938e850d36bb6a3b0e84a87ecc42f01088582c
-
Filesize
12KB
MD5218198a5a8f6375fcbcdc2e1634e5f8a
SHA1d707e8acddcfd3abae6cedb4916993cb745869a8
SHA25630b32fbc871105b3d637cba87fd4afb2d0a50a338798264743c6321d3db74531
SHA5125f5552ae33c31068b14a81b16044b3cc68bdcb1cf2d5fcf3fe51b2172559b3fba87dd20695e3a04bcd9f43444bdf4be691dcbd68c128d829cf01a1e6ccf153fc
-
Filesize
11KB
MD510db3614c9f63552727fd7fea6f20190
SHA1b9b0a5d8452663c5e36be8df845460471a466f21
SHA256f1914e8027fb0e8053b74ea9ded44f505178155e4eddb386583deb77b15da33c
SHA512665068700106e5a5cd76e43043050598b44f933e0a0e791510adb11b58fd2eab91c2a78acd392e7610949c52f3d0e581eed1c6038fef35e6adad7828be01d403
-
Filesize
9KB
MD536f8e02d68dfffd2de15cb48ac02aeb7
SHA1d6c7e89fb5f27d2b053628eb539ff48e16c13f64
SHA256b71c1909b06ae72fb7f985790d4336ff9d285f7f737a498be900978e7ad98ab4
SHA51217d0f27ae7865c2b77641c25c3d517ff6151976b70545ea33d54bb0cc6317339648c277dcbfc581f3dda8a33c9a3f13e3a39842ce657a9aa6c5724fd941348c7
-
Filesize
12KB
MD526598b2ef4300456c9acd369917a80de
SHA13bc4edfdc0a93c53067e7d69a1db6d1770e0ce13
SHA25618fe6b93e597ea9ef46f8f15788b9ba777ffcca253f0a78768bde5260e3e8311
SHA51211186a50d5b1d04515d158efacb2ef25da251a3eade236f4012dc0d00f347ac7d2794e9ec1b1257961b93b78121d190cca10915700cb8e03339c3900a4883cf3
-
Filesize
11KB
MD5af15e4c30fd30d6d866de676d16ffa96
SHA1241bc50b16fa7f5c5aedd37c33dd07e73f35b7cf
SHA25634eca581d72502973190e77650b6617663afea96d89c345d7dd9fef4b294a37f
SHA5126e278030a6d662b42d77016f82e1d7358889ee254e88db84e27758d1e39468c6f91baae7a56cfe0638456a9ec03a6d7b0258ba303160435cfdec20d83c0bdb02
-
Filesize
9KB
MD5d62a1eb6ee88c923006e4175041fd3ef
SHA1a219c175cc87ae2d6db86c221f7a3f6efc996423
SHA256f24bf29df996a92b8211adc9b4c03a770aa1810d6edb187c76a4315142f6494b
SHA5124936b34a0e663cb81e7677f7a4f6bff7dc9768fa177956134e6f4398dd889be07e78a61d3567d4c8c6899e868d33e13fb326a973bca83bddfe8d3e1aeb10a0a7
-
Filesize
10KB
MD51c9db5e0426293b2265c0828eb76367e
SHA1c8e168a13486b1ca99ccab22e7491c257beddc7f
SHA256427f4431abf10b90dd8ab64a550af602f61cdf3f3fbc90ad369bec4c5532bb16
SHA512bed982aed27dac99489b7cb6c40349695e9c2366f7a64a1538eee386fac6018ef44083427a6c332c9b4f20218bd64b994e16b3a6f28ac5350ef5779262f99f4c
-
Filesize
12KB
MD5ea0b1cc33d084a3c3ab18b38100fb938
SHA1511ee19a592cf5b5e0bda28ba5b0ef894275f520
SHA256b97432076cd55e686758d3d6e11443aa2b0184106b1ce8d4c1fc445fcf9c136c
SHA512d30c1ea198e41038f63701dffb2a82ff863def91c7b18a15472b27aa9a833560003cedbb6c34658bf9a54493501f6b556c22ab597b881bec5f7086733439f715
-
Filesize
11KB
MD5e73d2b52f571a62bb7e453bf9c03cea6
SHA1a7cd118d59e35e6abf0fac142ed167cc83bdf06a
SHA256a2a80b58ece5722ca66b1086f2acfec04ee5ecb58de4322375cf18efb5fab72e
SHA5125528f93b4f4258ca5fa69780d89b7cd7f8c3a48e388f183623e3f9b31121ab652c902c46a803411cc11a0d61e95cad25f7b61d383c76b0cc6b68430eeb9e2973
-
Filesize
19KB
MD59110f9ecb8541c58789d56c82ebdbc1d
SHA1afc7d557055fe002b0fa54ea79627ab20defac4b
SHA256b03d1a231961a6f6f5e91075645471b9c76c7a29b02d74329f300a468c2f53f2
SHA5120bcca78c978c84fca9e84fcc042b84c727caa39b3722ed70249c4ed3fe790b86a49cb4169b1efb6da5ad84b35493fdf3a64b0da7f206edbab4c1c61a97a6258a
-
Filesize
102KB
MD5949fe20a90d317e70f13414c56f06b92
SHA16f5a901749b4268fd185e616f022fb0f83b8b35c
SHA256e12538e3879ef390d59c3ebc7f63510f1734edbc79b1dcc03e90ee2930189872
SHA512cbb7e8271d5493f0fe47bfe44659b9c59eaf967b292cc51e86f199cf9847a0c779d34f12c17c86866c615ca5fa158ceac1c98d32e1cb81aff03e77dba1e9029c
-
Filesize
7KB
MD52d44cb71eafff9ec6ad1c9b251fae707
SHA1b16cfecc3cae7bde5805f8cdc1f68f58c7beefa3
SHA256d243f453e6740eea1176797371ed5503501f1fdca820c0804f4212ff12d10ae0
SHA5129b7b996bae284be947b57d442c896ee3b143e4a23aeaa56b6d15b0ab1021a819282c5f0c97c1eb921301ff582ad16d88bd480994b8c874d26668b4621e1c356f
-
Filesize
323KB
MD505624e6d27eaef0db0673ae627bd6027
SHA1b155c76bf59992a8d75d0e3a59dc94f24aff2591
SHA256962a92821f54a1e706aa989973130fdc1072c7bd8b9e6d11ea1050b46eb9d313
SHA512233304669aefeec9ad5d19bd2dd5bb19ea35ce31da0b3aabe5ab859259608a58725fac5993637c9635e5912138d3eb477773351f0ee81cc3ce756d713163cf31
-
Filesize
10KB
MD588a8ece68209ab32fc606fcbd81e824c
SHA14e5de27d63f69035c18130c284333f5ef245b450
SHA2568f303351a27460cde6ff78b57b1f86e592c28f4e77b886f0f74fd63da75a3c7f
SHA512ae26c5a097f360cf005139564e27b8742dd73ca5beed59e03142b12a175f8e87bd4a8f0082f7aaebe619406454da81f08c1dd4d1ca5838246b96f04af8a449a4
-
Filesize
11KB
MD51c47d950435a91e3ed75dc5beb0140fa
SHA15d6b3b3da622b6671cb2385d69ddf7a172ed6d9d
SHA256d2d53e957da72c70320503a1bea644ddc852e0121f07c6925151e1fd9fc870b8
SHA512cc107bd708a8f221d77b31072aa5cd5659d29929f9ab66565abc604c661dfd51cd0d169ea415a2af18288e1c22df35529e47993a26ee8bafd49d3da42064f7a3
-
Filesize
9KB
MD5e41aa32e0ca479fb5cf923ddd540e2d2
SHA1b89bd0d7ac43260e18b2378f5bd7867810cdbf22
SHA256eb29a811e7379f10bd20384f1e47354de569e664594e45132f4a116fb4e93a73
SHA512eb9ad9afa50d2556d24f518acdfc1c4740f24442dda9789444a7bd3508a2671bc4b8c18e2fd3cd461d881bdb6888c9e1701325b608e03db3407ef81fc83d383e
-
Filesize
10KB
MD558af770293a4c25d833c971766533775
SHA1ff39e192aaa786a15f0845676298ce914093b59a
SHA256940bd40b30b1d6fa14ee9377322515ef2d5efc26ed144d533a6489c92c0022f7
SHA5129d686097d51316cf3e308ab2eecec677c9d822ff7eb07fdbca779f1d1791f791eb56eebdcb66d271c4f67b2ffca552797ac4703e64414b8e921356df593cd780
-
Filesize
10KB
MD5e1ba5f60d82af2d090310a3f6ac7b0b0
SHA139940f400dc2946e5714ce5266a8af4a9d327c8a
SHA2565743e5f314ba2a212a11c6c84c629e6d47636d2180ccecfa2960a298499410c4
SHA5126e5fedda0145c130fbbfe12ca66b027bae07be6b7d7e111ea095848e2ae389a239da819bde8cb34c55cd359285b58bc127f28bb95b350d0535e692b1c22253c8
-
Filesize
11KB
MD5f0348e7be6c1fa26f248eef2593e69c8
SHA1312980bad67fa679ba6ac1bbfc14f32330f0e6b9
SHA256024ab58520de13782b3da482247fd8f851f91f67f4fda6cc09bbbc075adf5b64
SHA5121811abf69192c12d2286c74074a5332023c878b86bf69633b18964ab0df67126582dfdb76070d479b002729f41a810b0d25f9e88c6d62891340efbfb161c1f3e
-
Filesize
19KB
MD59c89dcda14f7244ff8dc9fd2d6509041
SHA18af1547a4c92b71d91bbd6343676b9a8e2d538fe
SHA25692212a5796ce2de34d49350719bb72596ec8bce5f3508d9b35227794f1209d1a
SHA512a61b09130930bd52f6af38c877607c907f30e6990bd7164702be98d0912ebbcb4524586389a2a62821c0f2ce4f3fdedc4634614e1e09a194e557ce992fbfc5f6
-
Filesize
20KB
-
Filesize
20KB