Analysis
max time kernel: 840s
max time network: 847s
platform: windows7_x64
resource: win7-en-20211208
submitted: 26-01-2022 18:09
Static task: static1
URLScan task: urlscan1
Behavioral task: behavioral1 (Sample: http://keygenninja.net, Resource: win7-en-20211208)
Behavioral task: behavioral2 (Sample: http://keygenninja.net, Resource: win10-en-20211208)
Behavioral task: behavioral3 (Sample: http://keygenninja.net, Resource: win10v2004-en-20220113)
General
Target: http://keygenninja.net
Malware Config
Signatures
-
Creates new service(s) 1 TTPs
-
Executes dropped EXE 7 IoCs
Processes:
pid | process
2136 | KMSpico_setup.exe
1660 | KMSpico_setup.tmp
1756 | KMSAuto Net.exe
1376 | bin.dat
1640 | AESDecoder.exe
1724 | bin_x64.dat
2456 | KMSSS.exe
-
Modifies Windows Firewall 1 TTPs
-
Sets service image path in registry 2 TTPs
-
Stops running service(s) 3 TTPs
-
Loads dropped DLL 3 IoCs
Processes:
pid | process
2136 | KMSpico_setup.exe
1660 | KMSpico_setup.tmp
1660 | KMSpico_setup.tmp
-
Launches sc.exe
Sc.exe is a Windows utility to control services on the system.
-
Checks processor information in registry 2 TTPs 4 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | firefox.exe
-
Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.
Processes:
pid | process
1932 | NETSTAT.EXE
-
Modifies registry class 2 IoCs
Processes:
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000_Classes\Local Settings | firefox.exe
Key created | \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\MuiCache | firefox.exe
-
Modifies registry key 1 TTPs 1 IoCs
-
NTFS ADS 1 IoCs
Processes:
description | ioc | process
File created | C:\Users\Admin\Downloads\kmspico.zip:Zone.Identifier | firefox.exe
-
Suspicious behavior: CmdExeWriteProcessMemorySpam 3 IoCs
Processes:
pid | process
1376 | bin.dat
1640 | AESDecoder.exe
1724 | bin_x64.dat
-
Suspicious use of AdjustPrivilegeToken 19 IoCs
Processes:
description | pid | process
Token: SeDebugPrivilege | 308 | firefox.exe
Token: 33 | 2876 | AUDIODG.EXE
Token: SeIncBasePriorityPrivilege | 2876 | AUDIODG.EXE
Token: 33 | 2876 | AUDIODG.EXE
Token: SeIncBasePriorityPrivilege | 2876 | AUDIODG.EXE
Token: SeDebugPrivilege | 308 | firefox.exe
Token: SeRestorePrivilege | 2752 | 7zG.exe
Token: 35 | 2752 | 7zG.exe
Token: SeSecurityPrivilege | 2752 | 7zG.exe
Token: SeSecurityPrivilege | 2752 | 7zG.exe
Token: SeRestorePrivilege | 2352 | 7zG.exe
Token: 35 | 2352 | 7zG.exe
Token: SeSecurityPrivilege | 2352 | 7zG.exe
Token: SeSecurityPrivilege | 2352 | 7zG.exe
Token: SeRestorePrivilege | 2144 | 7zG.exe
Token: 35 | 2144 | 7zG.exe
Token: SeSecurityPrivilege | 2144 | 7zG.exe
Token: SeSecurityPrivilege | 2144 | 7zG.exe
Token: SeDebugPrivilege | 1932 | NETSTAT.EXE
-
Suspicious use of FindShellTrayWindow 7 IoCs
Processes:
pid | process
308 | firefox.exe
308 | firefox.exe
308 | firefox.exe
308 | firefox.exe
2752 | 7zG.exe
2352 | 7zG.exe
2144 | 7zG.exe
-
Suspicious use of SendNotifyMessage 3 IoCs
Processes:
pid | process
308 | firefox.exe
308 | firefox.exe
308 | firefox.exe
-
Suspicious use of SetWindowsHookEx 33 IoCs
Processes:
pid | process
308 | firefox.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
description | pid | process | target process
PID 840 wrote to memory of 308 | 840 | firefox.exe | firefox.exe
PID 308 wrote to memory of 364 | 308 | firefox.exe | firefox.exe
PID 308 wrote to memory of 1492 | 308 | firefox.exe | firefox.exe
PID 308 wrote to memory of 1740 | 308 | firefox.exe | firefox.exe
Processes
-
[depth 1] C:\Program Files\Mozilla Firefox\firefox.exe
cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" http://keygenninja.net
- Suspicious use of WriteProcessMemory
-
[depth 2] C:\Program Files\Mozilla Firefox\firefox.exe
cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" http://keygenninja.net
- Checks processor information in registry
- Modifies registry class
- NTFS ADS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
[depth 3] C:\Program Files\Mozilla Firefox\firefox.exe
cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="308.0.822689118\1966570420" -parentBuildID 20200403170909 -prefsHandle 1180 -prefMapHandle 1172 -prefsLen 1 -prefMapSize 219799 -appdir "C:\Program Files\Mozilla Firefox\browser" - 308 "\\.\pipe\gecko-crash-server-pipe.308" 1280 gpu
-
[depth 3] C:\Program Files\Mozilla Firefox\firefox.exe
cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="308.3.1222573183\813548288" -childID 1 -isForBrowser -prefsHandle 1808 -prefMapHandle 1804 -prefsLen 156 -prefMapSize 219799 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 308 "\\.\pipe\gecko-crash-server-pipe.308" 1648 tab
-
[depth 3] C:\Program Files\Mozilla Firefox\firefox.exe
cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="308.13.2109433713\926855469" -childID 2 -isForBrowser -prefsHandle 2560 -prefMapHandle 2556 -prefsLen 7013 -prefMapSize 219799 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 308 "\\.\pipe\gecko-crash-server-pipe.308" 2576 tab
-
[depth 3] C:\Program Files\Mozilla Firefox\firefox.exe
cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="308.20.1071875879\190878888" -childID 3 -isForBrowser -prefsHandle 3132 -prefMapHandle 3152 -prefsLen 7875 -prefMapSize 219799 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 308 "\\.\pipe\gecko-crash-server-pipe.308" 3416 tab
-
[depth 3] C:\Program Files\Mozilla Firefox\firefox.exe
cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="308.27.347763080\1106597963" -childID 4 -isForBrowser -prefsHandle 1752 -prefMapHandle 1568 -prefsLen 8409 -prefMapSize 219799 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 308 "\\.\pipe\gecko-crash-server-pipe.308" 1092 tab
-
[depth 3] C:\Program Files\Mozilla Firefox\firefox.exe
cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="308.34.1758617903\514560405" -childID 5 -isForBrowser -prefsHandle 7440 -prefMapHandle 7548 -prefsLen 8504 -prefMapSize 219799 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 308 "\\.\pipe\gecko-crash-server-pipe.308" 7516 tab
-
[depth 3] C:\Program Files\Mozilla Firefox\firefox.exe
cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="308.41.1449774691\1632075558" -childID 6 -isForBrowser -prefsHandle 7252 -prefMapHandle 7248 -prefsLen 8571 -prefMapSize 219799 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 308 "\\.\pipe\gecko-crash-server-pipe.308" 7288 tab
-
[depth 3] C:\Program Files\Mozilla Firefox\firefox.exe
cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="308.48.279558827\645288359" -childID 7 -isForBrowser -prefsHandle 7164 -prefMapHandle 7152 -prefsLen 10106 -prefMapSize 219799 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 308 "\\.\pipe\gecko-crash-server-pipe.308" 7172 tab
-
[depth 3] C:\Program Files\Mozilla Firefox\firefox.exe
cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="308.55.1055446466\1537564088" -childID 8 -isForBrowser -prefsHandle 7008 -prefMapHandle 2336 -prefsLen 11171 -prefMapSize 219799 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 308 "\\.\pipe\gecko-crash-server-pipe.308" 7052 tab
-
[depth 3] C:\Program Files\Mozilla Firefox\firefox.exe
cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="308.62.955202421\835879923" -childID 9 -isForBrowser -prefsHandle 6444 -prefMapHandle 6600 -prefsLen 11845 -prefMapSize 219799 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 308 "\\.\pipe\gecko-crash-server-pipe.308" 6456 tab
-
[depth 3] C:\Program Files\Mozilla Firefox\firefox.exe
cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="308.69.1469650015\1556999625" -childID 10 -isForBrowser -prefsHandle 6852 -prefMapHandle 7096 -prefsLen 11854 -prefMapSize 219799 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 308 "\\.\pipe\gecko-crash-server-pipe.308" 3712 tab
-
[depth 1] C:\Windows\system32\AUDIODG.EXE
cmdline: C:\Windows\system32\AUDIODG.EXE 0x500
- Suspicious use of AdjustPrivilegeToken
-
[depth 1] C:\Program Files\7-Zip\7zG.exe
cmdline: "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\kmspico\" -spe -an -ai#7zMap20235:76:7zEvent14476
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
[depth 1] C:\Program Files\7-Zip\7zG.exe
cmdline: "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\kmspico\KMSpico_setup\" -spe -an -ai#7zMap19002:104:7zEvent2812
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
[depth 1] C:\Users\Admin\Downloads\kmspico\KMSpico_setup.exe
cmdline: "C:\Users\Admin\Downloads\kmspico\KMSpico_setup.exe"
- Executes dropped EXE
- Loads dropped DLL
-
[depth 2] C:\Users\Admin\AppData\Local\Temp\is-O5O58.tmp\KMSpico_setup.tmp
cmdline: "C:\Users\Admin\AppData\Local\Temp\is-O5O58.tmp\KMSpico_setup.tmp" /SL5="$A0120,2869954,69120,C:\Users\Admin\Downloads\kmspico\KMSpico_setup.exe"
- Executes dropped EXE
- Loads dropped DLL
-
[depth 1] C:\Program Files\7-Zip\7zG.exe
cmdline: "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\kmspico\KMSAuto Net\" -spe -an -ai#7zMap15554:100:7zEvent31037
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
[depth 1] C:\Users\Admin\Downloads\kmspico\KMSAuto Net.exe
cmdline: "C:\Users\Admin\Downloads\kmspico\KMSAuto Net.exe"
- Executes dropped EXE
-
[depth 2] C:\Windows\SysWOW64\cmd.exe
cmdline: cmd /c md "C:\Users\Admin\AppData\Local\MSfree Inc"
-
[depth 2] C:\Windows\SysWOW64\cmd.exe
cmdline: cmd /c echo test>>"C:\Users\Admin\Downloads\kmspico\test.test"
-
[depth 2] C:\Windows\system32\cmd.exe
cmdline: C:\Windows\Sysnative\cmd.exe /D /c del /F /Q "test.test"
-
[depth 2] C:\Windows\system32\cmd.exe
cmdline: C:\Windows\Sysnative\cmd.exe /D /c md "C:\ProgramData\KMSAuto"
-
[depth 2] C:\Windows\system32\cmd.exe
cmdline: C:\Windows\Sysnative\cmd.exe /D /c bin.dat -y -pkmsauto
-
[depth 3] C:\ProgramData\KMSAuto\bin.dat
cmdline: bin.dat -y -pkmsauto
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
-
[depth 2] C:\Windows\system32\cmd.exe
cmdline: C:\Windows\Sysnative\cmd.exe /D /c del /F /Q "bin.dat"
-
[depth 2] C:\Windows\system32\cmd.exe
cmdline: C:\Windows\Sysnative\cmd.exe /D /c AESDecoder.exe
-
[depth 3] C:\ProgramData\KMSAuto\bin\AESDecoder.exe
cmdline: AESDecoder.exe
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
-
[depth 2] C:\Windows\system32\cmd.exe
cmdline: C:\Windows\Sysnative\cmd.exe /D /c del /F /Q "AESDecoder.exe"
-
[depth 2] C:\Windows\system32\cmd.exe
cmdline: C:\Windows\Sysnative\cmd.exe /D /c bin_x64.dat -y -pkmsauto
-
[depth 3] C:\ProgramData\KMSAuto\bin_x64.dat
cmdline: bin_x64.dat -y -pkmsauto
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
-
[depth 2] C:\Windows\system32\cmd.exe
cmdline: C:\Windows\Sysnative\cmd.exe /D /c del /F /Q "bin_x64.dat"
-
[depth 2] C:\Windows\system32\cmd.exe
cmdline: C:\Windows\Sysnative\cmd.exe /D /c for /f "tokens=5 delims=, " %i in ('netstat -ano ^| find ":1688 "') do taskkill /pid %i /f
-
[depth 3] C:\Windows\system32\cmd.exe
cmdline: C:\Windows\system32\cmd.exe /c netstat -ano | find ":1688 "
-
[depth 4] C:\Windows\system32\NETSTAT.EXE
cmdline: netstat -ano
- Gathers network information
- Suspicious use of AdjustPrivilegeToken
-
[depth 4] C:\Windows\system32\find.exe
cmdline: find ":1688 "
-
[depth 2] C:\Windows\system32\Netsh.exe
cmdline: C:\Windows\Sysnative\Netsh Advfirewall Firewall delete rule name="0pen Port KMS" protocol=TCP
-
[depth 2] C:\Windows\system32\Netsh.exe
cmdline: C:\Windows\Sysnative\Netsh Advfirewall Firewall add rule name="0pen Port KMS" dir=in action=allow protocol=TCP localport=1688
-
[depth 2] C:\Windows\SysWOW64\sc.exe
cmdline: "sc.exe" create KMSEmulator binpath= temp.exe type= own start= auto
-
[depth 2] C:\Windows\SysWOW64\sc.exe
cmdline: "sc.exe" start KMSEmulator
-
[depth 2] C:\Windows\system32\reg.exe
cmdline: C:\Windows\Sysnative\reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\55C92734-D682-4D71-983E-D6EC3F16059F" /f
-
[depth 2] C:\Windows\system32\reg.exe
cmdline: C:\Windows\Sysnative\reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\0FF1CE15-A989-479D-AF46-F275C6370663" /f
-
[depth 2] C:\Windows\system32\reg.exe
cmdline: C:\Windows\Sysnative\reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform\59A52881-A989-479D-AF46-F275C6370663" /f
-
[depth 2] C:\Windows\system32\reg.exe
cmdline: C:\Windows\Sysnative\reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform\0FF1CE15-A989-479D-AF46-F275C6370663" /f
-
[depth 2] C:\Windows\system32\reg.exe
cmdline: C:\Windows\Sysnative\reg delete "HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\55c92734-d682-4d71-983e-d6ec3f16059f" /f
-
[depth 2] C:\Windows\system32\reg.exe
cmdline: C:\Windows\Sysnative\reg delete "HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\0ff1ce15-a989-479d-af46-f275c6370663" /f
-
[depth 2] C:\Windows\SysWOW64\sc.exe
cmdline: "sc.exe" stop KMSEmulator
-
[depth 2] C:\Windows\SysWOW64\sc.exe
cmdline: "sc.exe" delete KMSEmulator
-
[depth 2] C:\Windows\system32\cmd.exe
cmdline: C:\Windows\Sysnative\cmd.exe /D /c reg.exe DELETE HKLM\SYSTEM\CurrentControlSet\Services\KMSEmulator /f
-
[depth 3] C:\Windows\system32\reg.exe
cmdline: reg.exe DELETE HKLM\SYSTEM\CurrentControlSet\Services\KMSEmulator /f
- Modifies registry key
-
[depth 2] C:\Windows\system32\Netsh.exe
cmdline: C:\Windows\Sysnative\Netsh Advfirewall Firewall delete rule name="0pen Port KMS" protocol=TCP
-
[depth 2] C:\Windows\system32\cmd.exe
cmdline: "C:\Windows\Sysnative\cmd.exe" /c rd "C:\ProgramData\KMSAuto" /S /Q
-
[depth 2] C:\Windows\system32\cmd.exe
cmdline: "C:\Windows\Sysnative\cmd.exe" /c rd "C:\ProgramData\KMSAuto" /S /Q
-
[depth 2] C:\Windows\system32\cmd.exe
cmdline: "C:\Windows\Sysnative\cmd.exe" /c rd "C:\ProgramData\KMSAuto" /S /Q
-
[depth 2] C:\Windows\system32\cmd.exe
cmdline: "C:\Windows\Sysnative\cmd.exe" /c rd "C:\ProgramData\KMSAuto" /S /Q
-
[depth 2] C:\Windows\system32\cmd.exe
cmdline: "C:\Windows\Sysnative\cmd.exe" /c rd "C:\ProgramData\KMSAuto" /S /Q
-
[depth 2] C:\Windows\system32\cmd.exe
cmdline: "C:\Windows\Sysnative\cmd.exe" /c rd "C:\ProgramData\KMSAuto" /S /Q
-
[depth 2] C:\Windows\system32\Netsh.exe
cmdline: C:\Windows\Sysnative\Netsh Advfirewall Firewall delete rule name="0pen Port KMS" protocol=TCP
-
[depth 2] C:\Windows\system32\cmd.exe
cmdline: "C:\Windows\Sysnative\cmd.exe" /c rd "C:\ProgramData\KMSAuto" /S /Q
-
[depth 2] C:\Windows\system32\cmd.exe
cmdline: C:\Windows\Sysnative\cmd /c schtasks.exe /end /TN KMSAutoNet
-
[depth 3] C:\Windows\system32\schtasks.exe
cmdline: schtasks.exe /end /TN KMSAutoNet
-
[depth 2] C:\Windows\system32\cmd.exe
cmdline: C:\Windows\Sysnative\cmd /c schtasks.exe /delete /TN KMSAutoNet /F
-
[depth 3] C:\Windows\system32\schtasks.exe
cmdline: schtasks.exe /delete /TN KMSAutoNet /F
-
[depth 2] C:\Windows\system32\cmd.exe
cmdline: C:\Windows\Sysnative\cmd.exe /D /c del /F /Q "kmsauto.ini"
-
[depth 1] C:\ProgramData\KMSAuto\bin\KMSSS.exe
cmdline: "C:\ProgramData\KMSAuto\bin\KMSSS.exe" -Port 1688 -PWin RandomKMSPID -PO14 RandomKMSPID -PO15 RandomKMSPID -PO16 RandomKMSPID -AI 43200 -RI 43200 -Log -IP
- Executes dropped EXE
-
[depth 1] C:\Windows\System32\WScript.exe
cmdline: "C:\Windows\System32\WScript.exe" "C:\Windows\system32\slmgr.vbs" -dlv
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\ProgramData\KMSAuto\KMSAUT~1.EXE
C:\ProgramData\KMSAuto\bin.dat
C:\ProgramData\KMSAuto\bin\AESDecoder.exe
C:\ProgramData\KMSAuto\bin\KMSSS.exe
C:\ProgramData\KMSAuto\bin\KMSSS.exe.aes
C:\ProgramData\KMSAuto\bin\KMSSS.log
C:\ProgramData\KMSAuto\bin\TUNMIR~1.EXE
C:\ProgramData\KMSAuto\bin\TUNMIR~2.EXE
C:\ProgramData\KMSAuto\bin\TunMirror.exe.aes
C:\ProgramData\KMSAuto\bin\TunMirror2.exe.aes
C:\ProgramData\KMSAuto\bin\driver\oas_sert.cer
C:\ProgramData\KMSAuto\bin\driver\tap0901.cer
C:\ProgramData\KMSAuto\bin\driver\x64TAP1\OemVista.inf
C:\ProgramData\KMSAuto\bin\driver\x64TAP1\devcon.exe
C:\ProgramData\KMSAuto\bin\driver\x64TAP1\ptun0901.cat
C:\ProgramData\KMSAuto\bin\driver\x64TAP1\ptun0901.sys
C:\ProgramData\KMSAuto\bin\driver\x64TAP2\devcon.exe
C:\ProgramData\KMSAuto\bin\driver\x64TAP2\tapoas.cat
C:\ProgramData\KMSAuto\bin\driver\x64TAP2\tapoas.inf
C:\ProgramData\KMSAuto\bin\driver\x64TAP2\tapoas.sys
C:\ProgramData\KMSAuto\bin\driver\x64WDV\FAKECL~1.EXE
C:\ProgramData\KMSAuto\bin\driver\x64WDV\WDFCOI~1.DLL
C:\ProgramData\KMSAuto\bin\driver\x64WDV\WINDIV~1.DLL
C:\ProgramData\KMSAuto\bin\driver\x64WDV\WINDIV~1.INF
C:\ProgramData\KMSAuto\bin\driver\x64WDV\WINDIV~1.SYS
C:\ProgramData\KMSAuto\bin_x64.dat
C:\Users\Admin\AppData\Local\MSfree Inc\kmsauto.ini
C:\Users\Admin\AppData\Local\Temp\is-O5O58.tmp\KMSpico_setup.tmp
C:\Users\Admin\Downloads\kmspico.zip
C:\Users\Admin\Downloads\kmspico\KMSAuto Net.exe
C:\Users\Admin\Downloads\kmspico\KMSpico_setup.exe
C:\Users\Admin\Downloads\kmspico\test.test
\Users\Admin\AppData\Local\Temp\is-O5O58.tmp\KMSpico_setup.tmp
\Users\Admin\AppData\Local\Temp\is-SECUE.tmp\_isetup\_shfoldr.dll
-
memory/1660-67-0x0000000000240000-0x0000000000241000-memory.dmp | Filesize: 4KB
memory/1756-71-0x0000000000390000-0x0000000000BF0000-memory.dmp | Filesize: 8.4MB
memory/1756-73-0x00000000056B0000-0x00000000056B1000-memory.dmp | Filesize: 4KB
memory/1756-75-0x00000000056B5000-0x00000000056C6000-memory.dmp | Filesize: 68KB
memory/2136-60-0x0000000000400000-0x0000000000417000-memory.dmp | Filesize: 92KB
memory/2136-59-0x0000000076491000-0x0000000076493000-memory.dmp | Filesize: 8KB
memory/2752-54-0x000007FEFC451000-0x000007FEFC453000-memory.dmp | Filesize: 8KB