Analysis
- max time kernel: 1576s
- max time network: 1581s
- platform: windows7_x64
- resource: win7v20201028
- submitted: 09-03-2021 14:26
Static task: static1
Behavioral task: behavioral1
- Sample: Stellar.Phoenix.Data.Recovery.serial.keygen.by.orion.exe
- Resource: win10v20201028
Behavioral task: behavioral2
- Sample: Stellar.Phoenix.Data.Recovery.serial.keygen.by.orion.exe
- Resource: win10v20201028
Behavioral task: behavioral3
- Sample: Stellar.Phoenix.Data.Recovery.serial.keygen.by.orion.exe
- Resource: win10v20201028
Behavioral task: behavioral4
- Sample: Stellar.Phoenix.Data.Recovery.serial.keygen.by.orion.exe
- Resource: win7v20201028
General
- Target: Stellar.Phoenix.Data.Recovery.serial.keygen.by.orion.exe
- Size: 36.2MB
- MD5: 865c79976b6a4688551d5be9437163aa
- SHA1: 3aa11e3924100cbb8c92c2b396eedd93279ef878
- SHA256: c59ce6ed0ebcfce3bc9c950ac699944405a6447e40a24697482cf64a0fb37e61
- SHA512: f728bf7eb0411c41f416b437e908e7727f3b25f91bdd1715964be37e16dfc7638e58c2874d910ef2d8c10d0c46ff39aede8e662b35f0161cd426e4b46efadb33
Malware Config
Signatures
- Creates new service(s) 1 TTPs
- Executes dropped EXE 8 IoCs
  Processes:
  pid | process
  316 | KMSAuto Net.exe
  1720 | wzt.dat
  1400 | certmgr.exe
  1416 | certmgr.exe
  1660 | bin.dat
  188 | AESDecoder.exe
  1912 | bin_x64.dat
  1060 | KMSSS.exe
- Modifies Windows Firewall 1 TTPs
- Sets service image path in registry 2 TTPs
- Stops running service(s) 3 TTPs
- Launches sc.exe
  Sc.exe is a Windows utility to control services on the system.
- Enumerates physical storage devices 1 TTPs
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Gathers network information 2 TTPs 1 IoCs
  Uses commandline utility to view network configuration.
  Processes:
  pid | process
  764 | NETSTAT.EXE
- Processes:
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main | Stellar.Phoenix.Data.Recovery.serial.keygen.by.orion.exe
- Modifies registry key 1 TTPs 1 IoCs
- Processes:
  description | ioc | process
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\648384A4DEE53D4C1C87E10D67CC99307CCC9C98 | certmgr.exe
  Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\648384A4DEE53D4C1C87E10D67CC99307CCC9C98\Blob | certmgr.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TRUSTEDPUBLISHER\Certificates\648384A4DEE53D4C1C87E10D67CC99307CCC9C98 | certmgr.exe
  Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TRUSTEDPUBLISHER\Certificates\648384A4DEE53D4C1C87E10D67CC99307CCC9C98\Blob | certmgr.exe
- Suspicious behavior: CmdExeWriteProcessMemorySpam 6 IoCs
  Processes:
  pid | process
  1720 | wzt.dat
  1400 | certmgr.exe
  1416 | certmgr.exe
  1660 | bin.dat
  188 | AESDecoder.exe
  1912 | bin_x64.dat
- Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  Processes:
  pid | process
  2032 | Stellar.Phoenix.Data.Recovery.serial.keygen.by.orion.exe
  316 | KMSAuto Net.exe
- Suspicious use of AdjustPrivilegeToken 5 IoCs
  Processes:
  description | pid | process
  Token: 33 | 344 | AUDIODG.EXE
  Token: SeIncBasePriorityPrivilege | 344 | AUDIODG.EXE
  Token: 33 | 344 | AUDIODG.EXE
  Token: SeIncBasePriorityPrivilege | 344 | AUDIODG.EXE
  Token: SeDebugPrivilege | 764 | NETSTAT.EXE
- Suspicious use of SetWindowsHookEx 2 IoCs
  Processes:
  pid | process
  2032 | Stellar.Phoenix.Data.Recovery.serial.keygen.by.orion.exe
  2032 | Stellar.Phoenix.Data.Recovery.serial.keygen.by.orion.exe
- Suspicious use of WriteProcessMemory 64 IoCs
  Processes (each of the 16 rows below is listed four times in the report):
  description | pid | process | target process
  PID 316 wrote to memory of 1636 | 316 | KMSAuto Net.exe | cmd.exe
  PID 316 wrote to memory of 1120 | 316 | KMSAuto Net.exe | cmd.exe
  PID 316 wrote to memory of 1020 | 316 | KMSAuto Net.exe | cmd.exe
  PID 316 wrote to memory of 1924 | 316 | KMSAuto Net.exe | cmd.exe
  PID 316 wrote to memory of 1108 | 316 | KMSAuto Net.exe | cmd.exe
  PID 1108 wrote to memory of 1720 | 1108 | cmd.exe | wzt.dat
  PID 316 wrote to memory of 1740 | 316 | KMSAuto Net.exe | cmd.exe
  PID 316 wrote to memory of 1984 | 316 | KMSAuto Net.exe | cmd.exe
  PID 1984 wrote to memory of 1400 | 1984 | cmd.exe | certmgr.exe
  PID 316 wrote to memory of 1808 | 316 | KMSAuto Net.exe | cmd.exe
  PID 1808 wrote to memory of 1416 | 1808 | cmd.exe | certmgr.exe
  PID 316 wrote to memory of 1436 | 316 | KMSAuto Net.exe | cmd.exe
  PID 316 wrote to memory of 1564 | 316 | KMSAuto Net.exe | cmd.exe
  PID 1564 wrote to memory of 1660 | 1564 | cmd.exe | bin.dat
  PID 316 wrote to memory of 1584 | 316 | KMSAuto Net.exe | cmd.exe
  PID 316 wrote to memory of 1528 | 316 | KMSAuto Net.exe | cmd.exe
Processes
[1] C:\Users\Admin\AppData\Local\Temp\Stellar.Phoenix.Data.Recovery.serial.keygen.by.orion.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Stellar.Phoenix.Data.Recovery.serial.keygen.by.orion.exe"
    - Modifies Internet Explorer settings
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
[1] C:\Users\Admin\Desktop\KMSAuto Net.exe
    Command line: "C:\Users\Admin\Desktop\KMSAuto Net.exe"
    - Executes dropped EXE
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of WriteProcessMemory
    [2] C:\Windows\SysWOW64\cmd.exe
        Command line: cmd /c md "C:\Users\Admin\AppData\Local\MSfree Inc"
    [2] C:\Windows\system32\cmd.exe
        Command line: C:\Windows\Sysnative\cmd.exe /c echo test>>"C:\Users\Admin\Desktop\test.test"
    [2] C:\Windows\system32\cmd.exe
        Command line: C:\Windows\Sysnative\cmd.exe /D /c del /F /Q "test.test"
    [2] C:\Windows\system32\cmd.exe
        Command line: C:\Windows\Sysnative\cmd.exe /D /c md "C:\ProgramData\KMSAuto"
    [2] C:\Windows\system32\cmd.exe
        Command line: C:\Windows\Sysnative\cmd.exe /D /c wzt.dat -y -pkmsauto
        - Suspicious use of WriteProcessMemory
        [3] C:\ProgramData\KMSAuto\wzt.dat
            Command line: wzt.dat -y -pkmsauto
            - Executes dropped EXE
            - Suspicious behavior: CmdExeWriteProcessMemorySpam
    [2] C:\Windows\system32\cmd.exe
        Command line: C:\Windows\Sysnative\cmd.exe /D /c del /F /Q "wzt.dat"
    [2] C:\Windows\system32\cmd.exe
        Command line: C:\Windows\Sysnative\cmd.exe /D /c certmgr.exe -add wzteam.cer -n wzteam -s -r localMachine ROOT
        - Suspicious use of WriteProcessMemory
        [3] C:\ProgramData\KMSAuto\wzt\certmgr.exe
            Command line: certmgr.exe -add wzteam.cer -n wzteam -s -r localMachine ROOT
            - Executes dropped EXE
            - Modifies system certificate store
            - Suspicious behavior: CmdExeWriteProcessMemorySpam
    [2] C:\Windows\system32\cmd.exe
        Command line: C:\Windows\Sysnative\cmd.exe /D /c certmgr.exe -add wzteam.cer -n wzteam -s -r localMachine TRUSTEDPUBLISHER
        - Suspicious use of WriteProcessMemory
        [3] C:\ProgramData\KMSAuto\wzt\certmgr.exe
            Command line: certmgr.exe -add wzteam.cer -n wzteam -s -r localMachine TRUSTEDPUBLISHER
            - Executes dropped EXE
            - Modifies system certificate store
            - Suspicious behavior: CmdExeWriteProcessMemorySpam
    [2] C:\Windows\system32\cmd.exe
        Command line: "C:\Windows\Sysnative\cmd.exe" /c rd "C:\ProgramData\KMSAuto\wzt" /S /Q
    [2] C:\Windows\system32\cmd.exe
        Command line: C:\Windows\Sysnative\cmd.exe /D /c bin.dat -y -pkmsauto
        - Suspicious use of WriteProcessMemory
        [3] C:\ProgramData\KMSAuto\bin.dat
            Command line: bin.dat -y -pkmsauto
            - Executes dropped EXE
            - Suspicious behavior: CmdExeWriteProcessMemorySpam
    [2] C:\Windows\system32\cmd.exe
        Command line: C:\Windows\Sysnative\cmd.exe /D /c del /F /Q "bin.dat"
    [2] C:\Windows\system32\cmd.exe
        Command line: C:\Windows\Sysnative\cmd.exe /D /c AESDecoder.exe
        [3] C:\ProgramData\KMSAuto\bin\AESDecoder.exe
            Command line: AESDecoder.exe
            - Executes dropped EXE
            - Suspicious behavior: CmdExeWriteProcessMemorySpam
    [2] C:\Windows\system32\cmd.exe
        Command line: C:\Windows\Sysnative\cmd.exe /D /c del /F /Q "AESDecoder.exe"
    [2] C:\Windows\system32\cmd.exe
        Command line: C:\Windows\Sysnative\cmd.exe /D /c bin_x64.dat -y -pkmsauto
        [3] C:\ProgramData\KMSAuto\bin_x64.dat
            Command line: bin_x64.dat -y -pkmsauto
            - Executes dropped EXE
            - Suspicious behavior: CmdExeWriteProcessMemorySpam
    [2] C:\Windows\system32\cmd.exe
        Command line: C:\Windows\Sysnative\cmd.exe /D /c del /F /Q "bin_x64.dat"
    [2] C:\Windows\system32\cmd.exe
        Command line: C:\Windows\Sysnative\cmd.exe /D /c for /f "tokens=5 delims=, " %i in ('netstat -ano ^| find ":1688 "') do taskkill /pid %i /f
        [3] C:\Windows\system32\cmd.exe
            Command line: C:\Windows\system32\cmd.exe /c netstat -ano | find ":1688 "
            [4] C:\Windows\system32\NETSTAT.EXE
                Command line: netstat -ano
                - Gathers network information
                - Suspicious use of AdjustPrivilegeToken
            [4] C:\Windows\system32\find.exe
                Command line: find ":1688 "
    [2] C:\Windows\system32\Netsh.exe
        Command line: C:\Windows\Sysnative\Netsh Advfirewall Firewall delete rule name="0pen Port KMS" protocol=TCP
    [2] C:\Windows\system32\Netsh.exe
        Command line: C:\Windows\Sysnative\Netsh Advfirewall Firewall add rule name="0pen Port KMS" dir=in action=allow protocol=TCP localport=1688
    [2] C:\Windows\SysWOW64\sc.exe
        Command line: "sc.exe" create KMSEmulator binpath= temp.exe type= own start= auto
    [2] C:\Windows\SysWOW64\sc.exe
        Command line: "sc.exe" start KMSEmulator
    [2] C:\Windows\system32\reg.exe
        Command line: C:\Windows\Sysnative\reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\55C92734-D682-4D71-983E-D6EC3F16059F" /f
    [2] C:\Windows\system32\reg.exe
        Command line: C:\Windows\Sysnative\reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\0FF1CE15-A989-479D-AF46-F275C6370663" /f
    [2] C:\Windows\system32\reg.exe
        Command line: C:\Windows\Sysnative\reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform\59A52881-A989-479D-AF46-F275C6370663" /f
    [2] C:\Windows\system32\reg.exe
        Command line: C:\Windows\Sysnative\reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform\0FF1CE15-A989-479D-AF46-F275C6370663" /f
    [2] C:\Windows\system32\reg.exe
        Command line: C:\Windows\Sysnative\reg delete "HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\55c92734-d682-4d71-983e-d6ec3f16059f" /f
    [2] C:\Windows\system32\reg.exe
        Command line: C:\Windows\Sysnative\reg delete "HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\0ff1ce15-a989-479d-af46-f275c6370663" /f
    [2] C:\Windows\system32\reg.exe
        Command line: C:\Windows\Sysnative\reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\55C92734-D682-4D71-983E-D6EC3F16059F" /f
    [2] C:\Windows\system32\reg.exe
        Command line: C:\Windows\Sysnative\reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\0FF1CE15-A989-479D-AF46-F275C6370663" /f
    [2] C:\Windows\system32\reg.exe
        Command line: C:\Windows\Sysnative\reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform\59A52881-A989-479D-AF46-F275C6370663" /f
    [2] C:\Windows\system32\reg.exe
        Command line: C:\Windows\Sysnative\reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform\0FF1CE15-A989-479D-AF46-F275C6370663" /f
    [2] C:\Windows\system32\reg.exe
        Command line: C:\Windows\Sysnative\reg delete "HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\55c92734-d682-4d71-983e-d6ec3f16059f" /f
    [2] C:\Windows\system32\reg.exe
        Command line: C:\Windows\Sysnative\reg delete "HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\0ff1ce15-a989-479d-af46-f275c6370663" /f
    [2] C:\Windows\SysWOW64\sc.exe
        Command line: "sc.exe" stop KMSEmulator
    [2] C:\Windows\SysWOW64\sc.exe
        Command line: "sc.exe" delete KMSEmulator
    [2] C:\Windows\system32\cmd.exe
        Command line: C:\Windows\Sysnative\cmd.exe /D /c reg.exe DELETE HKLM\SYSTEM\CurrentControlSet\Services\KMSEmulator /f
        [3] C:\Windows\system32\reg.exe
            Command line: reg.exe DELETE HKLM\SYSTEM\CurrentControlSet\Services\KMSEmulator /f
            - Modifies registry key
    [2] C:\Windows\system32\Netsh.exe
        Command line: C:\Windows\Sysnative\Netsh Advfirewall Firewall delete rule name="0pen Port KMS" protocol=TCP
    [2] C:\Windows\system32\cmd.exe
        Command line: "C:\Windows\Sysnative\cmd.exe" /c rd "C:\ProgramData\KMSAuto" /S /Q
    [2] C:\Windows\system32\cmd.exe
        Command line: "C:\Windows\Sysnative\cmd.exe" /c rd "C:\ProgramData\KMSAuto" /S /Q
    [2] C:\Windows\system32\cmd.exe
        Command line: "C:\Windows\Sysnative\cmd.exe" /c rd "C:\ProgramData\KMSAuto" /S /Q
    [2] C:\Windows\system32\cmd.exe
        Command line: "C:\Windows\Sysnative\cmd.exe" /c rd "C:\ProgramData\KMSAuto" /S /Q
    [2] C:\Windows\system32\cmd.exe
        Command line: "C:\Windows\Sysnative\cmd.exe" /c rd "C:\ProgramData\KMSAuto" /S /Q
    [2] C:\Windows\system32\cmd.exe
        Command line: "C:\Windows\Sysnative\cmd.exe" /c rd "C:\ProgramData\KMSAuto" /S /Q
[1] C:\Windows\system32\AUDIODG.EXE
    Command line: C:\Windows\system32\AUDIODG.EXE 0x570
    - Suspicious use of AdjustPrivilegeToken
[1] C:\ProgramData\KMSAuto\bin\KMSSS.exe
    Command line: "C:\ProgramData\KMSAuto\bin\KMSSS.exe" -Port 1688 -PWin RandomKMSPID -PO14 RandomKMSPID -PO15 RandomKMSPID -PO16 RandomKMSPID -AI 43200 -RI 43200 -Log -IP
    - Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\ProgramData\KMSAuto\KMSAUT~1.EXE
- C:\ProgramData\KMSAuto\bin.dat
- C:\ProgramData\KMSAuto\bin\AESDecoder.exe
- C:\ProgramData\KMSAuto\bin\KMSSS.exe
- C:\ProgramData\KMSAuto\bin\KMSSS.exe.aes
- C:\ProgramData\KMSAuto\bin\KMSSS.log
- C:\ProgramData\KMSAuto\bin\TUNMIR~1.EXE
- C:\ProgramData\KMSAuto\bin\TUNMIR~2.EXE
- C:\ProgramData\KMSAuto\bin\TunMirror2.exe.aes
- C:\ProgramData\KMSAuto\bin\driver\oas_sert.cer
- C:\ProgramData\KMSAuto\bin\driver\x64TAP1\OemVista.inf
- C:\ProgramData\KMSAuto\bin\driver\x64TAP1\devcon.exe
- C:\ProgramData\KMSAuto\bin\driver\x64TAP1\tap0901.cat
- C:\ProgramData\KMSAuto\bin\driver\x64TAP1\tap0901.sys
- C:\ProgramData\KMSAuto\bin\driver\x64TAP2\devcon.exe
- C:\ProgramData\KMSAuto\bin\driver\x64TAP2\tapoas.cat
- C:\ProgramData\KMSAuto\bin\driver\x64TAP2\tapoas.inf
- C:\ProgramData\KMSAuto\bin\driver\x64TAP2\tapoas.sys
- C:\ProgramData\KMSAuto\bin\driver\x64WDV\FAKECL~1.EXE
- C:\ProgramData\KMSAuto\bin\driver\x64WDV\WDFCOI~1.DLL
- C:\ProgramData\KMSAuto\bin\driver\x64WDV\WINDIV~1.DLL
- C:\ProgramData\KMSAuto\bin\driver\x64WDV\WINDIV~1.INF
- C:\ProgramData\KMSAuto\bin\driver\x64WDV\WINDIV~1.SYS
- C:\ProgramData\KMSAuto\bin_x64.dat
- C:\ProgramData\KMSAuto\wzt.dat
- C:\ProgramData\KMSAuto\wzt\certmgr.exe
- C:\ProgramData\KMSAuto\wzt\wzteam.cer
- C:\Users\Admin\Desktop\KMSAuto Net.exe
- C:\Users\Admin\Desktop\test.test