PUP.HackKMS.C

Analysis Report

General information

Family Name: PUP.HackKMS.C
Signature status: No Signature

Known Samples


Windows Portable Executable Attributes

  • File doesn't have "Rich" header
  • File doesn't have debug information
  • File doesn't have exports table
  • File doesn't have relocations information
  • File doesn't have security information
  • File has been packed
  • File is 32-bit executable
  • File is 64-bit executable
  • File is either console or GUI application
  • File is GUI application (IMAGE_SUBSYSTEM_WINDOWS_GUI)
  • File is Native application (NOT .NET application)
  • File is not packed
  • IMAGE_FILE_DLL is not set inside PE header (Executable)
  • IMAGE_FILE_EXECUTABLE_IMAGE is set inside PE header (Executable Image)

Windows PE Version Information

Company Name: Microsoft
File Description:
  • AAct Network x64
  • AAct x64
File Version: 1.00
Internal Name: Win
Legal Copyright: MSFree Inc., Ratiborus
Original Filename:
  • ConsoleAct_x64.exe
  • Win.exe
Product Name: Win
Product Version: 1.00

File Traits

  • 2+ executable sections
  • HighEntropy
  • No Version Info
  • packed
  • x64

Block Information

Total Blocks: 1,051
Potentially Malicious Blocks: 129
Whitelisted Blocks: 873
Unknown Blocks: 49

Similar Families

  • HackKMS.C
  • HackKMS.CB

Files Modified

File Attributes
\device\namedpipe Generic Read,Write Attributes
\device\namedpipe Generic Write,Read Attributes
c:\users\user\appdata\local\temp\files.dat Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\local\temp\files.dat Synchronize,Write Attributes
c:\users\user\appdata\local\temp\oinstall_download.log Synchronize,Write Attributes
c:\users\user\downloads\309bead683408e8e5253229cca1225be2f694ecb_0001747456 Synchronize,Write Attributes
c:\users\user\downloads\aact.ini Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\downloads\aact_network.ini Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\downloads\acdd068361d4772127be12fab9032346f25121ae_0008044032 Synchronize,Write Attributes
c:\users\user\downloads\beb2ef1aaae2e9b07df05c7a6f592146ca87ef55_0009136640 Synchronize,Write Attributes
c:\users\user\downloads\ccc5d57ee1b8601ba8f22e808a3ff79706ea6aef_0008023552 Synchronize,Write Attributes
c:\users\user\downloads\e2da04026cc7e8d27a283f7b7c366114b1e3fd77_0007641088 Synchronize,Write Attributes
c:\users\user\downloads\kmsautolite.ini Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\downloads\office installer+.ini Generic Read,Write Data,Write Attributes,Write extended,Append data

Registry Modifications

Key::Value Data API Name
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\cmd.exe RegNtPreCreateKey
HKLM\software\microsoft\windows script host\settings::enabled RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe RegNtPreCreateKey

Windows API Usage

Category API
Syscall Use
  • ntdll.dll!NtAccessCheck
  • ntdll.dll!NtAddAtomEx
  • ntdll.dll!NtAlertThreadByThreadId
  • ntdll.dll!NtAlpcConnectPortEx
  • ntdll.dll!NtAlpcQueryInformation
  • ntdll.dll!NtAlpcSendWaitReceivePort
  • ntdll.dll!NtApphelpCacheControl
  • ntdll.dll!NtAssociateWaitCompletionPacket
  • ntdll.dll!NtClearEvent
  • ntdll.dll!NtClose
  • ntdll.dll!NtConnectPort
  • ntdll.dll!NtCreateEvent
  • ntdll.dll!NtCreateFile
  • ntdll.dll!NtCreateKey
  • ntdll.dll!NtCreateMutant
  • ntdll.dll!NtCreateSection
  • ntdll.dll!NtCreateSemaphore
  • ntdll.dll!NtCreateWaitCompletionPacket
  • ntdll.dll!NtDeviceIoControlFile
  • ntdll.dll!NtDuplicateObject
  • ntdll.dll!NtDuplicateToken
  • ntdll.dll!NtEnumerateKey
  • ntdll.dll!NtEnumerateValueKey
  • ntdll.dll!NtFindAtom
  • ntdll.dll!NtFlushBuffersFile
  • ntdll.dll!NtFreeVirtualMemory
  • ntdll.dll!NtMapViewOfSection
  • ntdll.dll!NtOpenDirectoryObject
  • ntdll.dll!NtOpenEvent
  • ntdll.dll!NtOpenFile
  • ntdll.dll!NtOpenKey
  • ntdll.dll!NtOpenKeyEx
  • ntdll.dll!NtOpenMutant
  • ntdll.dll!NtOpenProcessToken
  • ntdll.dll!NtOpenProcessTokenEx
  • ntdll.dll!NtOpenSection
  • ntdll.dll!NtOpenSemaphore
  • ntdll.dll!NtOpenSymbolicLinkObject
  • ntdll.dll!NtOpenThread
  • ntdll.dll!NtOpenThreadToken
  • ntdll.dll!NtOpenThreadTokenEx
  • ntdll.dll!NtPowerInformation
  • ntdll.dll!NtProtectVirtualMemory
  • ntdll.dll!NtQueryAttributesFile
  • ntdll.dll!NtQueryDirectoryFile
  • ntdll.dll!NtQueryDirectoryFileEx
  • ntdll.dll!NtQueryInformationFile
  • ntdll.dll!NtQueryInformationProcess
  • ntdll.dll!NtQueryInformationThread
  • ntdll.dll!NtQueryInformationToken
  • ntdll.dll!NtQueryKey
  • ntdll.dll!NtQueryLicenseValue
  • ntdll.dll!NtQueryPerformanceCounter
  • ntdll.dll!NtQuerySecurityAttributesToken
  • ntdll.dll!NtQuerySecurityObject
  • ntdll.dll!NtQuerySymbolicLinkObject
  • ntdll.dll!NtQuerySystemInformation
  • ntdll.dll!NtQueryTimerResolution
  • ntdll.dll!NtQueryValueKey
  • ntdll.dll!NtQueryVirtualMemory
  • ntdll.dll!NtQueryVolumeInformationFile
  • ntdll.dll!NtQueryWnfStateData
  • ntdll.dll!NtReadFile
  • ntdll.dll!NtReadRequestData
  • ntdll.dll!NtReadVirtualMemory
  • ntdll.dll!NtReleaseMutant
  • ntdll.dll!NtReleaseSemaphore
  • ntdll.dll!NtReleaseWorkerFactoryWorker
  • ntdll.dll!NtRequestWaitReplyPort
  • ntdll.dll!NtSetEvent
  • ntdll.dll!NtSetInformationKey
  • ntdll.dll!NtSetInformationProcess
  • ntdll.dll!NtSetInformationThread
  • ntdll.dll!NtSetInformationVirtualMemory
  • ntdll.dll!NtSetInformationWorkerFactory
  • ntdll.dll!NtSetTimer2
  • ntdll.dll!NtSetTimerResolution
  • ntdll.dll!NtSetValueKey
  • ntdll.dll!NtSubscribeWnfStateChange
  • ntdll.dll!NtTerminateProcess
  • ntdll.dll!NtTestAlert
  • ntdll.dll!NtTraceControl
  • ntdll.dll!NtUnmapViewOfSection
  • ntdll.dll!NtUnmapViewOfSectionEx
  • ntdll.dll!NtWaitForAlertByThreadId
  • ntdll.dll!NtWaitForMultipleObjects
  • ntdll.dll!NtWaitForSingleObject
  • ntdll.dll!NtWaitForWorkViaWorkerFactory
  • ntdll.dll!NtWaitLowEventPair
  • ntdll.dll!NtWorkerFactoryWorkerReady
  • ntdll.dll!NtWriteFile
  • ntdll.dll!NtWriteVirtualMemory
  • ntdll.dll!NtYieldExecution
  • UNKNOWN
  • win32u.dll!NtGdiAlphaBlend
  • win32u.dll!NtGdiAnyLinkedFonts
  • win32u.dll!NtGdiBitBlt
  • win32u.dll!NtGdiCombineRgn
  • win32u.dll!NtGdiCreateBitmap
  • win32u.dll!NtGdiCreateCompatibleBitmap

148 additional items are not displayed above.

Anti Debug
  • IsDebuggerPresent
User Data Access
  • GetUserDefaultLocaleName
  • GetUserObjectInformation
Network Winsock2
  • WSAStartup
Keyboard Access
  • GetKeyState
Process Shell Execute
  • CreateProcess
  • WriteConsole
Process Terminate
  • TerminateProcess
Process Manipulation Evasion
  • NtUnmapViewOfSection
Other Suspicious
  • SetWindowsHookEx

Shell Command Execution

"C:\WINDOWS\System32\cmd.exe" /c files.dat -y -pkmsauto
C:\Users\Couokgng\AppData\Local\Temp\files.dat files.dat -y -pkmsauto
"reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Script Host\Settings" /v "Enabled" /t REG_DWORD /d 1 /f
WriteConsole: The operation co
"C:\WINDOWS\System32\cmd.exe" /c WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionPath="c:\users\user\downloads\9c218ce5281d1b5a4ab36dbfb5533121f25e06d7_0003318784"
C:\WINDOWS\System32\Wbem\WMIC.exe WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionPath="c:\users\user\downloads\9c218ce5281d1b5a4ab36dbfb5533121f25e06d7_0003318784"
WriteConsole: Access is denied
"C:\WINDOWS\System32\cmd.exe" /c copy C:\WINDOWS\system32\Tasks\KMSAuto "C:\Users\Zxjeirjr\AppData\Local\Temp\KMSAuto.tmp" /Y
"C:\WINDOWS\System32\cmd.exe" /c copy C:\WINDOWS\system32\Tasks\KMSAuto "C:\Users\Ssztadnr\AppData\Local\Temp\KMSAuto.tmp" /Y
"C:\WINDOWS\System32\cmd.exe" /c REG QUERY HKLM\Software\Microsoft\Office /s /v Path /reg:64
C:\WINDOWS\System32\reg.exe REG QUERY HKLM\Software\Microsoft\Office /s /v Path /reg:64
"C:\WINDOWS\System32\cmd.exe" /c REG QUERY HKLM\Software\WOW6432Node\Microsoft\Office /s /v Path
C:\WINDOWS\System32\reg.exe REG QUERY HKLM\Software\WOW6432Node\Microsoft\Office /s /v Path
"C:\WINDOWS\System32\cmd.exe" /c WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionPath="c:\users\user\downloads\309bead683408e8e5253229cca1225be2f694ecb_0001747456"
C:\WINDOWS\System32\Wbem\WMIC.exe WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionPath="c:\users\user\downloads\309bead683408e8e5253229cca1225be2f694ecb_0001747456"
"\System32\cmd.exe" /c copy \System32\Tasks\ConsoleAct "\ConsoleAct.tmp" /Y 2>&1
WriteConsole:
WriteConsole: ================
WriteConsole: Windows and Of
WriteConsole: ----------------
WriteConsole: 1)
WriteConsole: Windows Informat
WriteConsole: 2)
WriteConsole: Office Informati
WriteConsole: W)
WriteConsole: Windows Activati
WriteConsole: O)
WriteConsole: Office Activatio
WriteConsole: A)
WriteConsole: Additional Menu
WriteConsole: Q)
WriteConsole: Exit
WriteConsole: > Select Option:
"C:\WINDOWS\System32\cmd.exe" /c WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionPath="c:\users\user\downloads\KMSSS.exe"
C:\WINDOWS\System32\Wbem\WMIC.exe WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionPath="c:\users\user\downloads\KMSSS.exe"
"C:\WINDOWS\System32\cmd.exe" /c WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionPath="\System32\SppExtComObjPatcher.exe"
C:\WINDOWS\System32\Wbem\WMIC.exe WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionPath="\System32\SppExtComObjPatcher.exe"
"C:\WINDOWS\System32\cmd.exe" /c WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionPath="\System32\SppExtComObjHook.dll"
C:\WINDOWS\System32\Wbem\WMIC.exe WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionPath="\System32\SppExtComObjHook.dll"
"C:\WINDOWS\System32\cmd.exe" /c WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionPath="c:\users\user\downloads\81714c41215c5d63d8fb2796e902052154452884_0003322880"
C:\WINDOWS\System32\Wbem\WMIC.exe WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionPath="c:\users\user\downloads\81714c41215c5d63d8fb2796e902052154452884_0003322880"
