c59ce6ed0ebcfce3bc9c950ac699944405a6447e40a24697482cf64a0fb37e61

Analysis

max time kernel
1576s
max time network
1581s
platform
windows7_x64
resource
win7v20201028
submitted
09-03-2021 14:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Stellar.Phoenix.Data.Recovery.serial.keygen.by.orion.exe
Size

36.2MB
MD5

865c79976b6a4688551d5be9437163aa
SHA1

3aa11e3924100cbb8c92c2b396eedd93279ef878
SHA256

c59ce6ed0ebcfce3bc9c950ac699944405a6447e40a24697482cf64a0fb37e61
SHA512

f728bf7eb0411c41f416b437e908e7727f3b25f91bdd1715964be37e16dfc7638e58c2874d910ef2d8c10d0c46ff39aede8e662b35f0161cd426e4b46efadb33

Score

8^/10

evasion persistence

Malware Config

Signatures

Creates new service(s) 1 TTPs
persistence

New Service
T1050
Executes dropped EXE 8 IoCs

Processes:

KMSAuto Net.exewzt.datcertmgr.execertmgr.exebin.datAESDecoder.exebin_x64.datKMSSS.exe

pid process

316 KMSAuto Net.exe
1720 wzt.dat
1400 certmgr.exe
1416 certmgr.exe
1660 bin.dat
188 AESDecoder.exe
1912 bin_x64.dat
1060 KMSSS.exe
Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031
Sets service image path in registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112
Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489
Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command-Line Interface
T1059

Processes:

NETSTAT.EXE

pid process

764 NETSTAT.EXE

pid	process
316	KMSAuto Net.exe
1720	wzt.dat
1400	certmgr.exe
1416	certmgr.exe
1660	bin.dat
188	AESDecoder.exe
1912	bin_x64.dat
1060	KMSSS.exe

pid	process
764	NETSTAT.EXE

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

Stellar.Phoenix.Data.Recovery.serial.keygen.by.orion.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main	Stellar.Phoenix.Data.Recovery.serial.keygen.by.orion.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

1072 reg.exe

pid	process
1072	reg.exe

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

certmgr.execertmgr.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\648384A4DEE53D4C1C87E10D67CC99307CCC9C98	certmgr.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\648384A4DEE53D4C1C87E10D67CC99307CCC9C98\Blob = 030000000100000014000000648384a4dee53d4c1c87e10d67cc99307ccc9c982000000001000000fe010000308201fa30820167a00302010202108ac1a3101349c28a4d33947cfcd07662300906052b0e03021d05003011310f300d06035504031306575a5465616d301e170d3136313130323138343730365a170d3339313233313233353935395a3011310f300d06035504031306575a5465616d30819f300d06092a864886f70d010101050003818d0030818902818100ad2f8aa939c3eb40d1d6de0509b9f4e7ebf8475b98c49e9fb4ad556d408e9b84e80d014078d65be351e8a5d84ce2e92e84504f82e09dfa6c8310b58955527cec2843039328b51891f2a09f70fd7e1348668a0af780f741a30254397e9135220d442704c2395810a0a65b6b4ec54558e26c468c6087fd3bb1a1de8414ade68aaf0203010001a35b305930130603551d25040c300a06082b0601050507030330420603551d01043b30398010106ac14d8cb580f787e68a2938ab9bf3a1133011310f300d06035504031306575a5465616d82108ac1a3101349c28a4d33947cfcd07662300906052b0e03021d050003818100601d9e4107becc4352d02281ec0764b2865e4ed60ee58228b7375d707730dede148e9ed41ce051c44d4e15d041cf8c601a054ca14b4a484f7dbaab409e1d75cebe6f8fa171e97e16eae94b6757da5c61b0b6f85ce2fea31f50d664cc5bc1a40476a44eddd5390357bc0d44c37b4969b5e4e923fee772afd4643b21ba918d40a8	certmgr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TRUSTEDPUBLISHER\Certificates\648384A4DEE53D4C1C87E10D67CC99307CCC9C98	certmgr.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TRUSTEDPUBLISHER\Certificates\648384A4DEE53D4C1C87E10D67CC99307CCC9C98\Blob = 030000000100000014000000648384a4dee53d4c1c87e10d67cc99307ccc9c982000000001000000fe010000308201fa30820167a00302010202108ac1a3101349c28a4d33947cfcd07662300906052b0e03021d05003011310f300d06035504031306575a5465616d301e170d3136313130323138343730365a170d3339313233313233353935395a3011310f300d06035504031306575a5465616d30819f300d06092a864886f70d010101050003818d0030818902818100ad2f8aa939c3eb40d1d6de0509b9f4e7ebf8475b98c49e9fb4ad556d408e9b84e80d014078d65be351e8a5d84ce2e92e84504f82e09dfa6c8310b58955527cec2843039328b51891f2a09f70fd7e1348668a0af780f741a30254397e9135220d442704c2395810a0a65b6b4ec54558e26c468c6087fd3bb1a1de8414ade68aaf0203010001a35b305930130603551d25040c300a06082b0601050507030330420603551d01043b30398010106ac14d8cb580f787e68a2938ab9bf3a1133011310f300d06035504031306575a5465616d82108ac1a3101349c28a4d33947cfcd07662300906052b0e03021d050003818100601d9e4107becc4352d02281ec0764b2865e4ed60ee58228b7375d707730dede148e9ed41ce051c44d4e15d041cf8c601a054ca14b4a484f7dbaab409e1d75cebe6f8fa171e97e16eae94b6757da5c61b0b6f85ce2fea31f50d664cc5bc1a40476a44eddd5390357bc0d44c37b4969b5e4e923fee772afd4643b21ba918d40a8	certmgr.exe

Suspicious behavior: CmdExeWriteProcessMemorySpam 6 IoCs

Processes:

wzt.datcertmgr.execertmgr.exebin.datAESDecoder.exebin_x64.dat

pid process

1720 wzt.dat
1400 certmgr.exe
1416 certmgr.exe
1660 bin.dat
188 AESDecoder.exe
1912 bin_x64.dat
Suspicious behavior: GetForegroundWindowSpam 2 IoCs

Processes:

Stellar.Phoenix.Data.Recovery.serial.keygen.by.orion.exeKMSAuto Net.exe

pid process

2032 Stellar.Phoenix.Data.Recovery.serial.keygen.by.orion.exe
316 KMSAuto Net.exe

pid	process
1720	wzt.dat
1400	certmgr.exe
1416	certmgr.exe
1660	bin.dat
188	AESDecoder.exe
1912	bin_x64.dat

pid	process
2032	Stellar.Phoenix.Data.Recovery.serial.keygen.by.orion.exe
316	KMSAuto Net.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

AUDIODG.EXENETSTAT.EXE

description	pid	process
Token: 33	344	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	344	AUDIODG.EXE
Token: 33	344	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	344	AUDIODG.EXE
Token: SeDebugPrivilege	764	NETSTAT.EXE

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

Stellar.Phoenix.Data.Recovery.serial.keygen.by.orion.exe

pid process

2032 Stellar.Phoenix.Data.Recovery.serial.keygen.by.orion.exe
2032 Stellar.Phoenix.Data.Recovery.serial.keygen.by.orion.exe

pid	process
2032	Stellar.Phoenix.Data.Recovery.serial.keygen.by.orion.exe
2032	Stellar.Phoenix.Data.Recovery.serial.keygen.by.orion.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

KMSAuto Net.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 316 wrote to memory of 1636	316	KMSAuto Net.exe	cmd.exe
PID 316 wrote to memory of 1636	316	KMSAuto Net.exe	cmd.exe
PID 316 wrote to memory of 1636	316	KMSAuto Net.exe	cmd.exe
PID 316 wrote to memory of 1636	316	KMSAuto Net.exe	cmd.exe
PID 316 wrote to memory of 1120	316	KMSAuto Net.exe	cmd.exe
PID 316 wrote to memory of 1120	316	KMSAuto Net.exe	cmd.exe
PID 316 wrote to memory of 1120	316	KMSAuto Net.exe	cmd.exe
PID 316 wrote to memory of 1120	316	KMSAuto Net.exe	cmd.exe
PID 316 wrote to memory of 1020	316	KMSAuto Net.exe	cmd.exe
PID 316 wrote to memory of 1020	316	KMSAuto Net.exe	cmd.exe
PID 316 wrote to memory of 1020	316	KMSAuto Net.exe	cmd.exe
PID 316 wrote to memory of 1020	316	KMSAuto Net.exe	cmd.exe
PID 316 wrote to memory of 1924	316	KMSAuto Net.exe	cmd.exe
PID 316 wrote to memory of 1924	316	KMSAuto Net.exe	cmd.exe
PID 316 wrote to memory of 1924	316	KMSAuto Net.exe	cmd.exe
PID 316 wrote to memory of 1924	316	KMSAuto Net.exe	cmd.exe
PID 316 wrote to memory of 1108	316	KMSAuto Net.exe	cmd.exe
PID 316 wrote to memory of 1108	316	KMSAuto Net.exe	cmd.exe
PID 316 wrote to memory of 1108	316	KMSAuto Net.exe	cmd.exe
PID 316 wrote to memory of 1108	316	KMSAuto Net.exe	cmd.exe
PID 1108 wrote to memory of 1720	1108	cmd.exe	wzt.dat
PID 1108 wrote to memory of 1720	1108	cmd.exe	wzt.dat
PID 1108 wrote to memory of 1720	1108	cmd.exe	wzt.dat
PID 1108 wrote to memory of 1720	1108	cmd.exe	wzt.dat
PID 316 wrote to memory of 1740	316	KMSAuto Net.exe	cmd.exe
PID 316 wrote to memory of 1740	316	KMSAuto Net.exe	cmd.exe
PID 316 wrote to memory of 1740	316	KMSAuto Net.exe	cmd.exe
PID 316 wrote to memory of 1740	316	KMSAuto Net.exe	cmd.exe
PID 316 wrote to memory of 1984	316	KMSAuto Net.exe	cmd.exe
PID 316 wrote to memory of 1984	316	KMSAuto Net.exe	cmd.exe
PID 316 wrote to memory of 1984	316	KMSAuto Net.exe	cmd.exe
PID 316 wrote to memory of 1984	316	KMSAuto Net.exe	cmd.exe
PID 1984 wrote to memory of 1400	1984	cmd.exe	certmgr.exe
PID 1984 wrote to memory of 1400	1984	cmd.exe	certmgr.exe
PID 1984 wrote to memory of 1400	1984	cmd.exe	certmgr.exe
PID 1984 wrote to memory of 1400	1984	cmd.exe	certmgr.exe
PID 316 wrote to memory of 1808	316	KMSAuto Net.exe	cmd.exe
PID 316 wrote to memory of 1808	316	KMSAuto Net.exe	cmd.exe
PID 316 wrote to memory of 1808	316	KMSAuto Net.exe	cmd.exe
PID 316 wrote to memory of 1808	316	KMSAuto Net.exe	cmd.exe
PID 1808 wrote to memory of 1416	1808	cmd.exe	certmgr.exe
PID 1808 wrote to memory of 1416	1808	cmd.exe	certmgr.exe
PID 1808 wrote to memory of 1416	1808	cmd.exe	certmgr.exe
PID 1808 wrote to memory of 1416	1808	cmd.exe	certmgr.exe
PID 316 wrote to memory of 1436	316	KMSAuto Net.exe	cmd.exe
PID 316 wrote to memory of 1436	316	KMSAuto Net.exe	cmd.exe
PID 316 wrote to memory of 1436	316	KMSAuto Net.exe	cmd.exe
PID 316 wrote to memory of 1436	316	KMSAuto Net.exe	cmd.exe
PID 316 wrote to memory of 1564	316	KMSAuto Net.exe	cmd.exe
PID 316 wrote to memory of 1564	316	KMSAuto Net.exe	cmd.exe
PID 316 wrote to memory of 1564	316	KMSAuto Net.exe	cmd.exe
PID 316 wrote to memory of 1564	316	KMSAuto Net.exe	cmd.exe
PID 1564 wrote to memory of 1660	1564	cmd.exe	bin.dat
PID 1564 wrote to memory of 1660	1564	cmd.exe	bin.dat
PID 1564 wrote to memory of 1660	1564	cmd.exe	bin.dat
PID 1564 wrote to memory of 1660	1564	cmd.exe	bin.dat
PID 316 wrote to memory of 1584	316	KMSAuto Net.exe	cmd.exe
PID 316 wrote to memory of 1584	316	KMSAuto Net.exe	cmd.exe
PID 316 wrote to memory of 1584	316	KMSAuto Net.exe	cmd.exe
PID 316 wrote to memory of 1584	316	KMSAuto Net.exe	cmd.exe
PID 316 wrote to memory of 1528	316	KMSAuto Net.exe	cmd.exe
PID 316 wrote to memory of 1528	316	KMSAuto Net.exe	cmd.exe
PID 316 wrote to memory of 1528	316	KMSAuto Net.exe	cmd.exe
PID 316 wrote to memory of 1528	316	KMSAuto Net.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\Stellar.Phoenix.Data.Recovery.serial.keygen.by.orion.exe
"C:\Users\Admin\AppData\Local\Temp\Stellar.Phoenix.Data.Recovery.serial.keygen.by.orion.exe"
1⤵
- Modifies Internet Explorer settings
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:2032

C:\Users\Admin\Desktop\KMSAuto Net.exe
"C:\Users\Admin\Desktop\KMSAuto Net.exe"
1⤵
- Executes dropped EXE
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:316

C:\Windows\SysWOW64\cmd.exe
cmd /c md "C:\Users\Admin\AppData\Local\MSfree Inc"
2⤵
PID:1636

C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /c echo test>>"C:\Users\Admin\Desktop\test.test"
2⤵
PID:1120

C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /D /c del /F /Q "test.test"
2⤵
PID:1020

C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /D /c md "C:\ProgramData\KMSAuto"
2⤵
PID:1924

C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /D /c wzt.dat -y -pkmsauto
2⤵
- Suspicious use of WriteProcessMemory
PID:1108

C:\ProgramData\KMSAuto\wzt.dat
wzt.dat -y -pkmsauto
3⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:1720

C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /D /c del /F /Q "wzt.dat"
2⤵
PID:1740

C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /D /c certmgr.exe -add wzteam.cer -n wzteam -s -r localMachine ROOT
2⤵
- Suspicious use of WriteProcessMemory
PID:1984

C:\ProgramData\KMSAuto\wzt\certmgr.exe
certmgr.exe -add wzteam.cer -n wzteam -s -r localMachine ROOT
3⤵
- Executes dropped EXE
- Modifies system certificate store
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:1400

C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /D /c certmgr.exe -add wzteam.cer -n wzteam -s -r localMachine TRUSTEDPUBLISHER
2⤵
- Suspicious use of WriteProcessMemory
PID:1808

C:\ProgramData\KMSAuto\wzt\certmgr.exe
certmgr.exe -add wzteam.cer -n wzteam -s -r localMachine TRUSTEDPUBLISHER
3⤵
- Executes dropped EXE
- Modifies system certificate store
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:1416

C:\Windows\system32\cmd.exe
"C:\Windows\Sysnative\cmd.exe" /c rd "C:\ProgramData\KMSAuto\wzt" /S /Q
2⤵
PID:1436

C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /D /c bin.dat -y -pkmsauto
2⤵
- Suspicious use of WriteProcessMemory
PID:1564

C:\ProgramData\KMSAuto\bin.dat
bin.dat -y -pkmsauto
3⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:1660

C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /D /c del /F /Q "bin.dat"
2⤵
PID:1584

C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /D /c AESDecoder.exe
2⤵
PID:1528

C:\ProgramData\KMSAuto\bin\AESDecoder.exe
AESDecoder.exe
3⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:188

C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /D /c del /F /Q "AESDecoder.exe"
2⤵
PID:968

C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /D /c bin_x64.dat -y -pkmsauto
2⤵
PID:1756

C:\ProgramData\KMSAuto\bin_x64.dat
bin_x64.dat -y -pkmsauto
3⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:1912

C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /D /c del /F /Q "bin_x64.dat"
2⤵
PID:1644

C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /D /c for /f "tokens=5 delims=, " %i in ('netstat -ano ^| find ":1688 "') do taskkill /pid %i /f
2⤵
PID:612

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c netstat -ano | find ":1688 "
3⤵
PID:1980

C:\Windows\system32\NETSTAT.EXE
netstat -ano
4⤵
- Gathers network information
- Suspicious use of AdjustPrivilegeToken
PID:764

C:\Windows\system32\find.exe
find ":1688 "
4⤵
PID:1552

C:\Windows\system32\Netsh.exe
C:\Windows\Sysnative\Netsh Advfirewall Firewall delete rule name="0pen Port KMS" protocol=TCP
2⤵
PID:528

C:\Windows\system32\Netsh.exe
C:\Windows\Sysnative\Netsh Advfirewall Firewall add rule name="0pen Port KMS" dir=in action=allow protocol=TCP localport=1688
2⤵
PID:1960

C:\Windows\SysWOW64\sc.exe
"sc.exe" create KMSEmulator binpath= temp.exe type= own start= auto
2⤵
PID:1968

C:\Windows\SysWOW64\sc.exe
"sc.exe" start KMSEmulator
2⤵
PID:1832

C:\Windows\system32\reg.exe
C:\Windows\Sysnative\reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\55C92734-D682-4D71-983E-D6EC3F16059F" /f
2⤵
PID:1632

C:\Windows\system32\reg.exe
C:\Windows\Sysnative\reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\0FF1CE15-A989-479D-AF46-F275C6370663" /f
2⤵
PID:1672

C:\Windows\system32\reg.exe
C:\Windows\Sysnative\reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform\59A52881-A989-479D-AF46-F275C6370663" /f
2⤵
PID:1296

C:\Windows\system32\reg.exe
C:\Windows\Sysnative\reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform\0FF1CE15-A989-479D-AF46-F275C6370663" /f
2⤵
PID:1372

C:\Windows\system32\reg.exe
C:\Windows\Sysnative\reg delete "HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\55c92734-d682-4d71-983e-d6ec3f16059f" /f
2⤵
PID:336

C:\Windows\system32\reg.exe
C:\Windows\Sysnative\reg delete "HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\0ff1ce15-a989-479d-af46-f275c6370663" /f
2⤵
PID:1616

C:\Windows\system32\reg.exe
C:\Windows\Sysnative\reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\55C92734-D682-4D71-983E-D6EC3F16059F" /f
2⤵
PID:1636

C:\Windows\system32\reg.exe
C:\Windows\Sysnative\reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\0FF1CE15-A989-479D-AF46-F275C6370663" /f
2⤵
PID:1120

C:\Windows\system32\reg.exe
C:\Windows\Sysnative\reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform\59A52881-A989-479D-AF46-F275C6370663" /f
2⤵
PID:1532

C:\Windows\system32\reg.exe
C:\Windows\Sysnative\reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform\0FF1CE15-A989-479D-AF46-F275C6370663" /f
2⤵
PID:2016

C:\Windows\system32\reg.exe
C:\Windows\Sysnative\reg delete "HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\55c92734-d682-4d71-983e-d6ec3f16059f" /f
2⤵
PID:1192

C:\Windows\system32\reg.exe
C:\Windows\Sysnative\reg delete "HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\0ff1ce15-a989-479d-af46-f275c6370663" /f
2⤵
PID:1604

C:\Windows\SysWOW64\sc.exe
"sc.exe" stop KMSEmulator
2⤵
PID:908

C:\Windows\SysWOW64\sc.exe
"sc.exe" delete KMSEmulator
2⤵
PID:872

C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /D /c reg.exe DELETE HKLM\SYSTEM\CurrentControlSet\Services\KMSEmulator /f
2⤵
PID:1064

C:\Windows\system32\reg.exe
reg.exe DELETE HKLM\SYSTEM\CurrentControlSet\Services\KMSEmulator /f
3⤵
- Modifies registry key
PID:1072

C:\Windows\system32\Netsh.exe
C:\Windows\Sysnative\Netsh Advfirewall Firewall delete rule name="0pen Port KMS" protocol=TCP
2⤵
PID:1772

C:\Windows\system32\cmd.exe
"C:\Windows\Sysnative\cmd.exe" /c rd "C:\ProgramData\KMSAuto" /S /Q
2⤵
PID:2024

C:\Windows\system32\cmd.exe
"C:\Windows\Sysnative\cmd.exe" /c rd "C:\ProgramData\KMSAuto" /S /Q
2⤵
PID:556

C:\Windows\system32\cmd.exe
"C:\Windows\Sysnative\cmd.exe" /c rd "C:\ProgramData\KMSAuto" /S /Q
2⤵
PID:1472

C:\Windows\system32\cmd.exe
"C:\Windows\Sysnative\cmd.exe" /c rd "C:\ProgramData\KMSAuto" /S /Q
2⤵
PID:1848

C:\Windows\system32\cmd.exe
"C:\Windows\Sysnative\cmd.exe" /c rd "C:\ProgramData\KMSAuto" /S /Q
2⤵
PID:1800

C:\Windows\system32\cmd.exe
"C:\Windows\Sysnative\cmd.exe" /c rd "C:\ProgramData\KMSAuto" /S /Q
2⤵
PID:188

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x570
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:344

C:\ProgramData\KMSAuto\bin\KMSSS.exe
"C:\ProgramData\KMSAuto\bin\KMSSS.exe" -Port 1688 -PWin RandomKMSPID -PO14 RandomKMSPID -PO15 RandomKMSPID -PO16 RandomKMSPID -AI 43200 -RI 43200 -Log -IP
1⤵
- Executes dropped EXE
PID:1060

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Command-Line Interface

T1059

Persistence

New Service

T1050

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

New Service

T1050

Defense Evasion

Modify Registry

T1112

Impair Defenses

T1562

Install Root Certificate

T1130

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\KMSAuto\KMSAUT~1.EXE
MD5
f1fe671bcefd4630e5ed8b87c9283534

SHA1
9ff0546074213231e695e67324aba64e2e65d2c2

SHA256
58d6fec4ba24c32d38c9a0c7c39df3cb0e91f500b323e841121d703c7b718681

SHA512
aa2d1a01612aeaa71c19bdb852cdf24c290929ae68831035d9b0cbc1b548db87bf23aea521e19a0f51e369f463763178f2f6b094782fd5dfb00db961c705078b

Download Submit
C:\ProgramData\KMSAuto\bin.dat
MD5
4d2e5affe6d1ccb42f6650fd57448a9b

SHA1
2d2e279036d777e59b729e58f0b0e41da559067a

SHA256
3cbf7c0231b3266b4a6946dcf9aaa39c2bf077f6e459ca9ead39c516cbfce74c

SHA512
b33c25cd2fbc257ed2d6b41c5591288e81aee478248193b53e87c8f844689fa8cb507f27f844a9a8330f244f0bdea610565df16f214b2c4efe33448ddeeec756

Download Submit
C:\ProgramData\KMSAuto\bin.dat
MD5
4d2e5affe6d1ccb42f6650fd57448a9b

SHA1
2d2e279036d777e59b729e58f0b0e41da559067a

SHA256
3cbf7c0231b3266b4a6946dcf9aaa39c2bf077f6e459ca9ead39c516cbfce74c

SHA512
b33c25cd2fbc257ed2d6b41c5591288e81aee478248193b53e87c8f844689fa8cb507f27f844a9a8330f244f0bdea610565df16f214b2c4efe33448ddeeec756

Download Submit
C:\ProgramData\KMSAuto\bin\AESDecoder.exe
MD5
b90ed3e4dbb23a464723706f12c86065

SHA1
96aa9e1d2f2e51aaf094a268df19163cb94f623a

SHA256
8391d5b724d235ba52531d9a6d85e466382ce15cbd6ba97c4ad1278ed1f03bd7

SHA512
92e0f414f1eca28788c885cb193e6baccf37641bcdc120f4db5a80849a61c6bd861987631753a0a93149c669d5814d7b7a79f1cd5087480fbb31465be53bb992

Download Submit
C:\ProgramData\KMSAuto\bin\AESDecoder.exe
MD5
b90ed3e4dbb23a464723706f12c86065

SHA1
96aa9e1d2f2e51aaf094a268df19163cb94f623a

SHA256
8391d5b724d235ba52531d9a6d85e466382ce15cbd6ba97c4ad1278ed1f03bd7

SHA512
92e0f414f1eca28788c885cb193e6baccf37641bcdc120f4db5a80849a61c6bd861987631753a0a93149c669d5814d7b7a79f1cd5087480fbb31465be53bb992

Download Submit
C:\ProgramData\KMSAuto\bin\KMSSS.exe
MD5
01a80aad5dabed1c1580f7e00213cf9d

SHA1
174f9e420ab6c21e59ff7a0e42b8ebb3d742f0ec

SHA256
fd7499214abaa13bf56d006ab7de78eb8d6adf17926c24ace024d067049bc81d

SHA512
f254dfc103f79093bbae02d03d5906aafab7a94fa946373037407c270e67f0eb7972f8524cf2d98129bf6af2b8ba50f4ba0fb2b31d9d7b4dcb45d79e689d325b

Download Submit
C:\ProgramData\KMSAuto\bin\KMSSS.exe
MD5
01a80aad5dabed1c1580f7e00213cf9d

SHA1
174f9e420ab6c21e59ff7a0e42b8ebb3d742f0ec

SHA256
fd7499214abaa13bf56d006ab7de78eb8d6adf17926c24ace024d067049bc81d

SHA512
f254dfc103f79093bbae02d03d5906aafab7a94fa946373037407c270e67f0eb7972f8524cf2d98129bf6af2b8ba50f4ba0fb2b31d9d7b4dcb45d79e689d325b

Download Submit
C:\ProgramData\KMSAuto\bin\KMSSS.exe.aes
MD5
41e0d8ab5104da2068739109ec3599f4

SHA1
31aeec9aa396a677f54218f7310d8e627446bdd8

SHA256
38d1dbdc7c7a64253e6d4b52225b0bfd7716405c731a107f0c6ba9573a73a77f

SHA512
54afe0804dfd8ca9381fbbd23043250346120792611b04cc11caf089942001bcc97aa5e2d4433e81debb99a85696f6e2c389badff2710d6a52f4717fcde3e0a0

Download Submit
C:\ProgramData\KMSAuto\bin\KMSSS.log
MD5
f5cc5dc29a918b59d2e51d1316bc456a

SHA1
9f1572fd7502e77c763a7dc1c1fc7576372cd63a

SHA256
de0f24a0026339a04ff1051c0fab2f6badd9e22e365e41dccf2c987de807bb1f

SHA512
ad0e56ea3831d58759a1e9da5ed8ee9a2a571156e96d1e8a6c015c46a8b7e82c6b3ffd70de2898a884083602b499e82b49ba6d2ac00cdb7f9fe718c1d10ebb9e

Download Submit
C:\ProgramData\KMSAuto\bin\TUNMIR~1.EXE
MD5
2ed9c12a91e795804b1b770958c647ac

SHA1
abbe70214ed622ff52e0c72e75e5eab1b4c7529b

SHA256
cb56c248a38292c234d1aabe5e33a671fe8ae8aed28e0c8c4fbe767e4e7b82f5

SHA512
1d3b69cab261a97a7c8303edbb22133f66136cb738c456e22f495b5c574fd5e2da1360d0749bbbc99fe5cca2fc76bab37becc52535a5f71ad38db647992376b1

Download Submit
C:\ProgramData\KMSAuto\bin\TUNMIR~2.EXE
MD5
3b33e3ab6e91806df4cae19405ab8846

SHA1
766747faf6a370270909891912ed2c5b2e6b2881

SHA256
d9cd47831faba4053225dac181709fd7ab9d066c3de6f541968fffeeee4a9bf9

SHA512
5e2b0c2a32ed522d1dec9bf1ea986d993868a97df1802ecd12877434a74f10c45dd370abcddd405083ac0c427a383e195a1fade34a95a80fcddb29e03d4a516f

Download Submit
C:\ProgramData\KMSAuto\bin\TunMirror2.exe.aes
MD5
a1a5afa53b578db6abf400a88548f487

SHA1
b73ae3c93a43074afe54e611bad938da98eee385

SHA256
a9e76d637e0c0a65036d7f2d5c3d7b1c53218b94716554f4d9f6630dcff8c75a

SHA512
c9cff93b807d0db06d8a67e4e1b2e934f84a509a5f9af4bd0f4ad84eaec6874412c0c094c034d8637cacd3219bb7c82723a25f35907cba5024293e46991d4e2c

Download Submit
C:\ProgramData\KMSAuto\bin\driver\oas_sert.cer
MD5
0041584e5f66762b1fa9be8910d0b92b

SHA1
8788377c653a5b79ef04c05c15d3ca52d6253469

SHA256
bb27684b569cbb72dec63ea6fdef8e5f410cdaeb73717eee1b36478dbcff94cc

SHA512
fc32985bd3b626a1baa5353595a25d85339bc8aeb8f8d9fdd881e514d7f4cdd90fe5de273f702c9f673cd625a7e90cd3979d695d4daabe72fa952c8318f64b71

Download Submit
C:\ProgramData\KMSAuto\bin\driver\x64TAP1\OemVista.inf
MD5
87868193626dc756d10885f46d76f42e

SHA1
94a5ce8ed7633ed77531b6cb14ceb1927c5cae1f

SHA256
b5728e42ea12c67577cb9188b472005ee74399b6ac976e7f72b48409baee3b41

SHA512
79751330bed5c16d66baf3e5212be0950f312ffd5b80b78be66eaea3cc7115f8a9472d2a43b5ce702aa044f3b45fd572775ff86572150df91cc27866f88f8277

Download Submit
C:\ProgramData\KMSAuto\bin\driver\x64TAP1\devcon.exe
MD5
3904d0698962e09da946046020cbcb17

SHA1
edae098e7e8452ca6c125cf6362dda3f4d78f0ae

SHA256
a51e25acc489948b31b1384e1dc29518d19b421d6bc0ced90587128899275289

SHA512
c24ab680981d8d6db042b52b7b5c5e92078df83650cad798874fc09ce8c8a25462e1b69340083f4bcad20d67068668abcfa8097e549cfa5ad4f1ee6a235d6eea

Download Submit
C:\ProgramData\KMSAuto\bin\driver\x64TAP1\tap0901.cat
MD5
c757503bc0c5a6679e07fe15b93324d6

SHA1
6a81aa87e4b07c7fea176c8adf1b27ddcdd44573

SHA256
91ebea8ad199e97832cf91ea77328ed7ff49a1b5c06ddaacb0e420097a9b079e

SHA512
efd1507bc7aa0cd335b0e82cddde5f75c4d1e35490608d32f24a2bed0d0fbcac88919728e3b3312665bd1e60d3f13a325bdcef4acfddab0f8c2d9f4fb2454d99

Download Submit
C:\ProgramData\KMSAuto\bin\driver\x64TAP1\tap0901.sys
MD5
d765f43cbea72d14c04af3d2b9c8e54b

SHA1
daebe266073616e5fc931c319470fcf42a06867a

SHA256
89c5ca1440df186497ce158eb71c0c6bf570a75b6bc1880eac7c87a0250201c0

SHA512
ff83225ed348aa8558fb3055ceb43863bad5cf775e410ed8acda7316b56cd5c9360e63ed71abbc8929f7dcf51fd9a948b16d58242a7a2b16108e696c11d548b2

Download Submit
C:\ProgramData\KMSAuto\bin\driver\x64TAP2\devcon.exe
MD5
7f0c8f7b6f6d22ecd83013f2f26a71ae

SHA1
dbda3a84c97777a5b47f87868aea2a7cd4c6739b

SHA256
a4e561f666c08353c2226e8e264555c406893b0ad1b74fd05f4f29655e128809

SHA512
e9dea69961b1bb8ab41067870db9b0c661a42ecba633429d6ea6aaa19a10c60cbcd4acbf9e5e1545c86f1d836696eac5b5a445baae2499418c2eef76d1de6d5a

Download Submit
C:\ProgramData\KMSAuto\bin\driver\x64TAP2\tapoas.cat
MD5
8dc91f1bf59f58554dc195c9ffcb59ec

SHA1
7f73c23c96d4a326a07c5a1bf81b3ea98c6ab87f

SHA256
0b42f01e4c8732d246260b6ba76a5e096e1da3047898dff6fb71eede68951c87

SHA512
4b207802936d443f25b42e27030c28687f3a3d63bb8202a16dc5c74446f9ebdcdce3f753a4bfe5d62715ffc82063d0f187b1d27696743f890f30b8333630a8bf

Download Submit
C:\ProgramData\KMSAuto\bin\driver\x64TAP2\tapoas.inf
MD5
61243cb103543ee3163bf16df69bcb54

SHA1
4ffbe472cc93ff8a827a12e63ff79fc48c684402

SHA256
1652b1de2f15eeacbd06e0ab14ada5a466316ffd3ab88d4a2a46cfcbd25fdfa1

SHA512
419aa9fd6d3df2785353fe2efcffb5525d161d9b07e0284857065d6461fcc9e9932d7cca9b20a0ec46c8bebff9aa0d8e9d1a29face8cecff23c15e57fc7f430e

Download Submit
C:\ProgramData\KMSAuto\bin\driver\x64TAP2\tapoas.sys
MD5
927d0cdb3f96efc1e98fb1a2c9fb67ad

SHA1
9bbb2d28f2f9736d59b94ea260abd4ded7d7b5be

SHA256
58f14daa0ea21ea2f2a1d3d62c88bd8e5a0e0ef498b7b8d367beeade6a46843c

SHA512
a3f977390e251cefbb9bad7e338cba23b8129907475d559bda187985aa552afbd2b14db1ee4e288e7ecb5fb9a23547bf4bbacf38049cd05152e635fd0d36af97

Download Submit
C:\ProgramData\KMSAuto\bin\driver\x64WDV\FAKECL~1.EXE
MD5
b85f4ce841f3ae1ebdf76835d2eadbef

SHA1
65c215dd7b7a3e8cb76003c252e13fa1e8e50c7c

SHA256
ce28748f6ae7b54ab35fc31d825e80a26e143737cf4748fff523781e04c1ee79

SHA512
c86326cf84b8ae8e72a5d49940a95a525db6f97ca859f15d90f6db9bc11b45a0c326bfe387c243c05f3578528ad2b2bfeea1db2950b331c71fac959fafab3d4f

Download Submit
C:\ProgramData\KMSAuto\bin\driver\x64WDV\WDFCOI~1.DLL
MD5
be566e174eaf5b93b0474593cd8f2715

SHA1
350ca8482be913dd9ca7a279fb5680a884402e26

SHA256
cee8496bfa1080fd84fc48ba4375625238900fe93ea739b2dc0300206fde8330

SHA512
fc608acd903daf17250b8ee0f2491458cf06eca9856988fce6b8134f8deb2a3716c3641977d24e3614c9abf344184225bffeeb25212d374988115b15d0ce4b5b

Download Submit
C:\ProgramData\KMSAuto\bin\driver\x64WDV\WINDIV~1.DLL
MD5
3f0c03e5076c7e6b404f894ff4dc5bb1

SHA1
9cf99c875e6acd4b12e0eddd5fa51d296ea4998e

SHA256
4e7ebed8410c83b73a23185aa94680143da2933305cd6deefe8ec0b51b7ee6f3

SHA512
20de17d511cc1b3f283a28423f5bdfaef36f104d62c33a1da6449c528d1d8e4986afe8ef68e590add9262c3c7441132022a049022d14deba08a8c72e139f78f4

Download Submit
C:\ProgramData\KMSAuto\bin\driver\x64WDV\WINDIV~1.INF
MD5
a94d989905a248afca52bc3cbfcb248b

SHA1
cbb7b37584a58060da6a3dd748f17334384647e7

SHA256
6c9f7dea4f9a47788d5d2ba110b08457fd00dbabe4812ebca6f022300843a75d

SHA512
864eae03a01ac79917e91913fa7d83847f67f259ce8b5b42853c7ffd9a1f6847b9a4adec4d31a6ec882265fd369214bdbd147c6dc76b89bdf1bb2001046ec43f

Download Submit
C:\ProgramData\KMSAuto\bin\driver\x64WDV\WINDIV~1.SYS
MD5
a0d15d8727d0780c51628df46b7268b3

SHA1
c85f24ef961db67c829a676a941cbead24c62b21

SHA256
5e23f3ed1d6620c39a644f9879404a22ded86b3b076ec4a898b4b6be244afd64

SHA512
a7a6173bc2652d7b45fdc3009d00be9f7d3a9f42ad99cd569bfa2d23902f77866dd3b090f6debb11c802fc85b2230d5321309b0bf50d1dd8665ca8ab19c78361

Download Submit
C:\ProgramData\KMSAuto\bin_x64.dat
MD5
b3600980e71c0c996df5b1221b188aa3

SHA1
3016c755998b43cbe15ff49c492fb48b4a4c06cf

SHA256
8507a80748d27ba147535197ba043732df5686bcaa089a2ef99d698569d8c6dd

SHA512
9481fef8499c4fd4ee1c2a16c4c4759c3618e955f08249955c9f87bc1d133080fc5456f219bce3499a405ffbd16d2221225d99cb69255aad3e28bc79451d80ec

Download Submit
C:\ProgramData\KMSAuto\bin_x64.dat
MD5
b3600980e71c0c996df5b1221b188aa3

SHA1
3016c755998b43cbe15ff49c492fb48b4a4c06cf

SHA256
8507a80748d27ba147535197ba043732df5686bcaa089a2ef99d698569d8c6dd

SHA512
9481fef8499c4fd4ee1c2a16c4c4759c3618e955f08249955c9f87bc1d133080fc5456f219bce3499a405ffbd16d2221225d99cb69255aad3e28bc79451d80ec

Download Submit
C:\ProgramData\KMSAuto\wzt.dat
MD5
822da2319294f2b768bfe9ed4eebac15

SHA1
f8bd453d2a982efd8e2640ef0e62e0e8fff49afc

SHA256
17b74d4ea905fac0ba6857f78f47ee1e940675af1bc27ded69fe2941318106ef

SHA512
d98c00e1d093d848591a44b0e8ebd36a3f9f88a88096662720b110be1edc2a04f86c38c67d023c7f94b7b096c198882db12e2b7ab10d1ba0c8707e977910ff90

Download Submit
C:\ProgramData\KMSAuto\wzt.dat
MD5
822da2319294f2b768bfe9ed4eebac15

SHA1
f8bd453d2a982efd8e2640ef0e62e0e8fff49afc

SHA256
17b74d4ea905fac0ba6857f78f47ee1e940675af1bc27ded69fe2941318106ef

SHA512
d98c00e1d093d848591a44b0e8ebd36a3f9f88a88096662720b110be1edc2a04f86c38c67d023c7f94b7b096c198882db12e2b7ab10d1ba0c8707e977910ff90

Download Submit
C:\ProgramData\KMSAuto\wzt\certmgr.exe
MD5
9d4f1124b2d870583268d19317d564ae

SHA1
720690b291b81aab6417547639c020027e5a4c39

SHA256
ebad2237b3e7cdf65385ccce5099e82c7ec5080e737c97ce4e542cdbea8d418d

SHA512
c2170f27e78a0d8f083d3e8ad0d12ba51cd3a30b8e8b919f714510431ecafc6d9c62e6138ec933ec797917a0a0f387d4f599a3b14a1b293f45f229b4423e24e5

Download Submit
C:\ProgramData\KMSAuto\wzt\certmgr.exe
MD5
9d4f1124b2d870583268d19317d564ae

SHA1
720690b291b81aab6417547639c020027e5a4c39

SHA256
ebad2237b3e7cdf65385ccce5099e82c7ec5080e737c97ce4e542cdbea8d418d

SHA512
c2170f27e78a0d8f083d3e8ad0d12ba51cd3a30b8e8b919f714510431ecafc6d9c62e6138ec933ec797917a0a0f387d4f599a3b14a1b293f45f229b4423e24e5

Download Submit
C:\ProgramData\KMSAuto\wzt\certmgr.exe
MD5
9d4f1124b2d870583268d19317d564ae

SHA1
720690b291b81aab6417547639c020027e5a4c39

SHA256
ebad2237b3e7cdf65385ccce5099e82c7ec5080e737c97ce4e542cdbea8d418d

SHA512
c2170f27e78a0d8f083d3e8ad0d12ba51cd3a30b8e8b919f714510431ecafc6d9c62e6138ec933ec797917a0a0f387d4f599a3b14a1b293f45f229b4423e24e5

Download Submit
C:\ProgramData\KMSAuto\wzt\wzteam.cer
MD5
76b56d90e6f1da030a8b85e64579f25a

SHA1
648384a4dee53d4c1c87e10d67cc99307ccc9c98

SHA256
fd2d7df0220dd65ee23d0090299dfcc356f6f8f7167bae9adf7d08cefaf39d02

SHA512
8085d85f49f0aa6a869dead4ed78db59c7ca4cb5a3d421a28e9a0d7878a6fd00ea1662422dc266ea0122c51d922663fce03d904c9bee43010cb4bb423acdac58

Download Submit
C:\Users\Admin\Desktop\KMSAuto Net.exe
MD5
f1fe671bcefd4630e5ed8b87c9283534

SHA1
9ff0546074213231e695e67324aba64e2e65d2c2

SHA256
58d6fec4ba24c32d38c9a0c7c39df3cb0e91f500b323e841121d703c7b718681

SHA512
aa2d1a01612aeaa71c19bdb852cdf24c290929ae68831035d9b0cbc1b548db87bf23aea521e19a0f51e369f463763178f2f6b094782fd5dfb00db961c705078b

Download Submit
C:\Users\Admin\Desktop\KMSAuto Net.exe
MD5
f1fe671bcefd4630e5ed8b87c9283534

SHA1
9ff0546074213231e695e67324aba64e2e65d2c2

SHA256
58d6fec4ba24c32d38c9a0c7c39df3cb0e91f500b323e841121d703c7b718681

SHA512
aa2d1a01612aeaa71c19bdb852cdf24c290929ae68831035d9b0cbc1b548db87bf23aea521e19a0f51e369f463763178f2f6b094782fd5dfb00db961c705078b

Download Submit
C:\Users\Admin\Desktop\test.test
MD5
9f06243abcb89c70e0c331c61d871fa7

SHA1
fde773a18bb29f5ed65e6f0a7aa717fd1fa485d4

SHA256
837ccb607e312b170fac7383d7ccfd61fa5072793f19a25e75fbacb56539b86b

SHA512
b947b99d1baddd347550c9032e9ab60b6be56551cf92c076b38e4e11f436051a4af51c47e54f8641316a720b043641a3b3c1e1b01ba50445ea1ba60bfd1b7a86

Download Submit
memory/188-37-0x0000000000000000-mapping.dmp

Download
memory/188-101-0x0000000000000000-mapping.dmp

Download
memory/316-7-0x0000000074EE0000-0x00000000755CE000-memory.dmp

Filesize
6.9MB

Download
memory/316-8-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/316-14-0x0000000005405000-0x0000000005416000-memory.dmp

Filesize
68KB

Download
memory/316-9-0x0000000005400000-0x0000000005401000-memory.dmp

Filesize
4KB

Download
memory/336-63-0x0000000000000000-mapping.dmp

Download
memory/528-52-0x000007FEFC511000-0x000007FEFC513000-memory.dmp

Filesize
8KB

Download
memory/528-51-0x0000000000000000-mapping.dmp

Download
memory/556-83-0x0000000000000000-mapping.dmp

Download
memory/612-47-0x0000000000000000-mapping.dmp

Download
memory/764-49-0x0000000000000000-mapping.dmp

Download
memory/872-72-0x0000000000000000-mapping.dmp

Download
memory/908-71-0x0000000000000000-mapping.dmp

Download
memory/968-41-0x0000000000000000-mapping.dmp

Download
memory/1020-13-0x0000000000000000-mapping.dmp

Download
memory/1064-73-0x0000000000000000-mapping.dmp

Download
memory/1072-74-0x0000000000000000-mapping.dmp

Download
memory/1108-16-0x0000000000000000-mapping.dmp

Download
memory/1120-66-0x0000000000000000-mapping.dmp

Download
memory/1120-11-0x0000000000000000-mapping.dmp

Download
memory/1192-69-0x0000000000000000-mapping.dmp

Download
memory/1296-61-0x0000000000000000-mapping.dmp

Download
memory/1372-62-0x0000000000000000-mapping.dmp

Download
memory/1400-23-0x0000000000000000-mapping.dmp

Download
memory/1416-27-0x0000000000000000-mapping.dmp

Download
memory/1436-29-0x0000000000000000-mapping.dmp

Download
memory/1472-88-0x0000000000000000-mapping.dmp

Download
memory/1528-35-0x0000000000000000-mapping.dmp

Download
memory/1532-67-0x0000000000000000-mapping.dmp

Download
memory/1552-50-0x0000000000000000-mapping.dmp

Download
memory/1564-30-0x0000000000000000-mapping.dmp

Download
memory/1584-34-0x0000000000000000-mapping.dmp

Download
memory/1604-70-0x0000000000000000-mapping.dmp

Download
memory/1616-64-0x0000000000000000-mapping.dmp

Download
memory/1632-59-0x0000000000000000-mapping.dmp

Download
memory/1636-65-0x0000000000000000-mapping.dmp

Download
memory/1636-10-0x0000000000000000-mapping.dmp

Download
memory/1644-46-0x0000000000000000-mapping.dmp

Download
memory/1660-32-0x0000000000000000-mapping.dmp

Download
memory/1672-60-0x0000000000000000-mapping.dmp

Download
memory/1720-18-0x0000000000000000-mapping.dmp

Download
memory/1740-20-0x0000000000000000-mapping.dmp

Download
memory/1756-42-0x0000000000000000-mapping.dmp

Download
memory/1772-75-0x0000000000000000-mapping.dmp

Download
memory/1800-99-0x0000000000000000-mapping.dmp

Download
memory/1808-26-0x0000000000000000-mapping.dmp

Download
memory/1832-56-0x0000000000000000-mapping.dmp

Download
memory/1848-94-0x0000000000000000-mapping.dmp

Download
memory/1912-44-0x0000000000000000-mapping.dmp

Download
memory/1924-15-0x0000000000000000-mapping.dmp

Download
memory/1960-53-0x0000000000000000-mapping.dmp

Download
memory/1968-55-0x0000000000000000-mapping.dmp

Download
memory/1972-3-0x000007FEF6B90000-0x000007FEF6E0A000-memory.dmp

Filesize
2.5MB

Download
memory/1980-48-0x0000000000000000-mapping.dmp

Download
memory/1984-21-0x0000000000000000-mapping.dmp

Download
memory/2016-68-0x0000000000000000-mapping.dmp

Download
memory/2024-77-0x0000000000000000-mapping.dmp

Download
memory/2032-2-0x0000000075C31000-0x0000000075C33000-memory.dmp

Filesize
8KB

Download
memory/2032-4-0x00000000021F0000-0x00000000021F1000-memory.dmp

Filesize
4KB

Download