388739f45ac12e135430de2351554ada5cdf2e3680116a25f0b1d23b7ae880c8

Analysis

max time kernel
297s
max time network
259s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
18-10-2022 21:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

KMS_Suite.v9.3.EN.bat
Size

356KB
MD5

2542dfefdc35cb2477961289977c36bc
SHA1

4b60f654960c3d7b8a4a6cb78f23764d4d7abebd
SHA256

1094061c601cb82c12e4b10ce566c096029c0f62214f21481c2753a10c812742
SHA512

10f3325807adb849137d64ca82a5499f6ba7307b71573609614129b59aa0d75ac69cba9288568548af21ce3676992fdc6f0437f763bd58c520019cc809600740
SSDEEP

6144:RFV4shBoEszHlE4iGaXacKg3WSCj8cq7TRbSSVVVYunQd2LpNI8MwIt:l3MfJtaq/2SC7UuQdgNIt

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
572	center.exe
1172	DisableX.exe
1204	center.exe
1052	DisableX.exe

Drops file in Windows directory 19 IoCs

description	ioc	Process
File opened for modification	C:\Windows\KMS\bin\A64.dll	xcopy.exe
File created	C:\Windows\KMS\bin\cleanosppx86.exe	xcopy.exe
File opened for modification	C:\Windows\KMS\bin\KMS.xml	xcopy.exe
File opened for modification	C:\Windows\KMS\bin\x86.dll	xcopy.exe
File created	C:\Windows\KMS\KMSInject.bat	cmd.exe
File opened for modification	C:\Windows\Logs\DPX\setuperr.log	expand.exe
File opened for modification	C:\Windows\KMS\bin\x64.dll	xcopy.exe
File created	C:\Windows\KMS\bin\x86.dll	xcopy.exe
File opened for modification	C:\Windows\KMS\KMSInject.bat	cmd.exe
File opened for modification	C:\Windows\Logs\DPX\setupact.log	expand.exe
File opened for modification	C:\Windows\Logs\DPX\setupact.log	expand.exe
File opened for modification	C:\Windows\KMS\bin	xcopy.exe
File created	C:\Windows\KMS\bin\cleanosppx64.exe	xcopy.exe
File opened for modification	C:\Windows\KMS\bin\cleanosppx64.exe	xcopy.exe
File created	C:\Windows\KMS\bin\KMS.xml	xcopy.exe
File created	C:\Windows\KMS\bin\x64.dll	xcopy.exe
File opened for modification	C:\Windows\Logs\DPX\setuperr.log	expand.exe
File created	C:\Windows\KMS\bin\A64.dll	xcopy.exe
File opened for modification	C:\Windows\KMS\bin\cleanosppx86.exe	xcopy.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
1964	schtasks.exe

Kills process with taskkill 2 IoCs

evasion

pid	Process
1768	taskkill.exe
188	taskkill.exe

Runs net.exe

Suspicious behavior: CmdExeWriteProcessMemorySpam 2 IoCs

pid	Process
572	center.exe
1204	center.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
2024	powershell.exe
968	powershell.exe
1308	powershell.exe
1620	powershell.exe
1700	powershell.exe
1548	powershell.exe
1044	powershell.exe
1320	powershell.exe

Suspicious use of AdjustPrivilegeToken 14 IoCs

description	pid	Process
Token: SeDebugPrivilege	2024	powershell.exe
Token: SeDebugPrivilege	968	powershell.exe
Token: SeDebugPrivilege	1308	powershell.exe
Token: SeDebugPrivilege	1620	powershell.exe
Token: SeDebugPrivilege	1700	powershell.exe
Token: SeDebugPrivilege	1768	taskkill.exe
Token: 33	1428	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1428	AUDIODG.EXE
Token: 33	1428	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1428	AUDIODG.EXE
Token: SeDebugPrivilege	1548	powershell.exe
Token: SeDebugPrivilege	1044	powershell.exe
Token: SeDebugPrivilege	1320	powershell.exe
Token: SeDebugPrivilege	188	taskkill.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1172	DisableX.exe
1052	DisableX.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1736 wrote to memory of 1072	1736	cmd.exe	28
PID 1736 wrote to memory of 1072	1736	cmd.exe	28
PID 1736 wrote to memory of 1072	1736	cmd.exe	28
PID 1072 wrote to memory of 932	1072	net.exe	29
PID 1072 wrote to memory of 932	1072	net.exe	29
PID 1072 wrote to memory of 932	1072	net.exe	29
PID 1736 wrote to memory of 1168	1736	cmd.exe	30
PID 1736 wrote to memory of 1168	1736	cmd.exe	30
PID 1736 wrote to memory of 1168	1736	cmd.exe	30
PID 1736 wrote to memory of 2024	1736	cmd.exe	31
PID 1736 wrote to memory of 2024	1736	cmd.exe	31
PID 1736 wrote to memory of 2024	1736	cmd.exe	31
PID 2024 wrote to memory of 1388	2024	powershell.exe	32
PID 2024 wrote to memory of 1388	2024	powershell.exe	32
PID 2024 wrote to memory of 1388	2024	powershell.exe	32
PID 1388 wrote to memory of 1448	1388	csc.exe	33
PID 1388 wrote to memory of 1448	1388	csc.exe	33
PID 1388 wrote to memory of 1448	1388	csc.exe	33
PID 2024 wrote to memory of 1704	2024	powershell.exe	34
PID 2024 wrote to memory of 1704	2024	powershell.exe	34
PID 2024 wrote to memory of 1704	2024	powershell.exe	34
PID 1736 wrote to memory of 1768	1736	cmd.exe	35
PID 1736 wrote to memory of 1768	1736	cmd.exe	35
PID 1736 wrote to memory of 1768	1736	cmd.exe	35
PID 1736 wrote to memory of 1560	1736	cmd.exe	36
PID 1736 wrote to memory of 1560	1736	cmd.exe	36
PID 1736 wrote to memory of 1560	1736	cmd.exe	36
PID 1560 wrote to memory of 1016	1560	cmd.exe	37
PID 1560 wrote to memory of 1016	1560	cmd.exe	37
PID 1560 wrote to memory of 1016	1560	cmd.exe	37
PID 1560 wrote to memory of 1652	1560	cmd.exe	38
PID 1560 wrote to memory of 1652	1560	cmd.exe	38
PID 1560 wrote to memory of 1652	1560	cmd.exe	38
PID 1560 wrote to memory of 968	1560	cmd.exe	39
PID 1560 wrote to memory of 968	1560	cmd.exe	39
PID 1560 wrote to memory of 968	1560	cmd.exe	39
PID 1560 wrote to memory of 1320	1560	cmd.exe	40
PID 1560 wrote to memory of 1320	1560	cmd.exe	40
PID 1560 wrote to memory of 1320	1560	cmd.exe	40
PID 1560 wrote to memory of 1988	1560	cmd.exe	41
PID 1560 wrote to memory of 1988	1560	cmd.exe	41
PID 1560 wrote to memory of 1988	1560	cmd.exe	41
PID 1560 wrote to memory of 572	1560	cmd.exe	42
PID 1560 wrote to memory of 572	1560	cmd.exe	42
PID 1560 wrote to memory of 572	1560	cmd.exe	42
PID 1560 wrote to memory of 572	1560	cmd.exe	42
PID 1560 wrote to memory of 1964	1560	cmd.exe	43
PID 1560 wrote to memory of 1964	1560	cmd.exe	43
PID 1560 wrote to memory of 1964	1560	cmd.exe	43
PID 1964 wrote to memory of 1172	1964	WScript.exe	44
PID 1964 wrote to memory of 1172	1964	WScript.exe	44
PID 1964 wrote to memory of 1172	1964	WScript.exe	44
PID 1964 wrote to memory of 1172	1964	WScript.exe	44
PID 1560 wrote to memory of 1508	1560	cmd.exe	45
PID 1560 wrote to memory of 1508	1560	cmd.exe	45
PID 1560 wrote to memory of 1508	1560	cmd.exe	45
PID 1508 wrote to memory of 1552	1508	cmd.exe	46
PID 1508 wrote to memory of 1552	1508	cmd.exe	46
PID 1508 wrote to memory of 1552	1508	cmd.exe	46
PID 1560 wrote to memory of 1980	1560	cmd.exe	47
PID 1560 wrote to memory of 1980	1560	cmd.exe	47
PID 1560 wrote to memory of 1980	1560	cmd.exe	47
PID 1980 wrote to memory of 1308	1980	cmd.exe	48
PID 1980 wrote to memory of 1308	1980	cmd.exe	48

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\KMS_Suite.v9.3.EN.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:1736
- C:\Windows\system32\net.exe
  net session
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1072
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 session
    3⤵
    PID:932
- C:\Windows\system32\mode.com
  mode con cols=78 lines=6
  2⤵
  PID:1168
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -nop -c $f=[IO.File]::ReadAllText($env:0)-split':KMSSuite\:.*';iex($f[1]); X(1)
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2024
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\uf3hsurt.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1388
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1373.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC1372.tmp"
      4⤵
      PID:1448
- - C:\Windows\system32\expand.exe
    "C:\Windows\system32\expand.exe" -R 1 -F:* .
    3⤵
    - Drops file in Windows directory
    PID:1704
- C:\Windows\system32\xcopy.exe
  xcopy /s /h KMS_Suite 1277
  2⤵
  PID:1768
- C:\Windows\system32\cmd.exe
  cmd.exe /c KMS_Suite.bat
  2⤵
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:1560
- - C:\Windows\system32\reg.exe
    REG QUERY HKU\S-1-5-19\Environment
    3⤵
    PID:1016
- - C:\Windows\system32\mode.com
    mode con: cols=90 lines=40
    3⤵
    PID:1652
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -noprofile "$W=(get-host).ui.rawui; $B=$W.buffersize; $B.height=90; $W.buffersize=$B"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:968
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "prompt #$H#$E# & echo on & for %b in (1) do rem"
    3⤵
    PID:1320
- - C:\Windows\system32\mode.com
    mode con cols=92 lines=35
    3⤵
    PID:1988
- - C:\Users\Admin\AppData\Local\Temp\1277\bin\center.exe
    center.exe kF5nJ4D92hfOpc8
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    PID:572
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1277\bin\DisableX.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1964
  - - C:\Users\Admin\AppData\Local\Temp\1277\bin\DisableX.exe
      "C:\Users\Admin\AppData\Local\Temp\1277\bin\DisableX.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:1172
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v ProductName 2>nul
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1508
  - - C:\Windows\system32\reg.exe
      reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v ProductName
      4⤵
      PID:1552
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c powershell -nop -c "(([WMISEARCHER]'Select Version from Win32_OperatingSystem').Get()).Version"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1980
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -nop -c "(([WMISEARCHER]'Select Version from Win32_OperatingSystem').Get()).Version"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1308
- - C:\Windows\system32\mode.com
    mode con cols=92 lines=35
    3⤵
    PID:620
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c time /t
    3⤵
    PID:1712
- - C:\Windows\system32\findstr.exe
    findstr /v /a:78 /R "^$" " KMS & KMS 2038 & Digital & Online Activation Suite v9.3 - mephistooo2 - www.TNCTR.com" nul
    3⤵
    PID:396
- - C:\Windows\system32\findstr.exe
    findstr /v /a:6 /R "^$" " SUPPORT MICROSOFT PRUDUCTS" nul
    3⤵
    PID:1672
- - C:\Windows\system32\findstr.exe
    findstr /v /a:6 /R "^$" " [1] ACTIVATION START FOR WINDOWS & OFFICE (KMS Inject Method)" nul
    3⤵
    PID:1828
- - C:\Windows\system32\findstr.exe
    findstr /v /a:9 /R "^$" " [2] ACTIVATION START FOR WINDOWS 10-11 (Digital & KMS 2038 Activation Method)" nul
    3⤵
    PID:1768
- - C:\Windows\system32\findstr.exe
    findstr /v /a:2 /R "^$" " [3] ACTIVATION START FOR WINDOWS & OFFICE (Online Activation Method)" nul
    3⤵
    PID:1272
- - C:\Windows\system32\findstr.exe
    findstr /v /a:7 /R "^$" " [4] WINDOWS & OFFICE ACTIVATION STATUS CHECK" nul
    3⤵
    PID:1524
- - C:\Windows\system32\findstr.exe
    findstr /v /a:3 /R "^$" " [5] KMS & KMS 2038 & DIJITAL & ONLINE ACTIVATION VISIT WEBSITE" nul
    3⤵
    PID:2040
- - C:\Windows\system32\findstr.exe
    findstr /v /a:4 /R "^$" " [6] EXIT" nul
    3⤵
    PID:1468
- - C:\Windows\system32\choice.exe
    choice /C:123456 /N /M "YOUR CHOICE :"
    3⤵
    PID:808
- - C:\Windows\system32\reg.exe
    REG QUERY HKU\S-1-5-19\Environment
    3⤵
    PID:968
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v ProductName 2>nul
    3⤵
    PID:472
  - - C:\Windows\system32\reg.exe
      reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v ProductName
      4⤵
      PID:1988
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c powershell -nop -c "(([WMISEARCHER]'Select Version from Win32_OperatingSystem').Get()).Version"
    3⤵
    PID:1532
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -nop -c "(([WMISEARCHER]'Select Version from Win32_OperatingSystem').Get()).Version"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1620
- - C:\Windows\system32\mode.com
    mode con:cols=84 lines=42
    3⤵
    PID:1936
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c time /t
    3⤵
    PID:964
- - C:\Windows\system32\choice.exe
    choice /C:12345678 /N /M "YOUR CHOICE : "
    3⤵
    PID:1416
- - C:\Windows\system32\xcopy.exe
    xcopy /cryi bin\* C:\Windows\KMS\bin
    3⤵
    - Drops file in Windows directory
    PID:1048
- - C:\Windows\system32\schtasks.exe
    schtasks /create /tn "KMS_Activation" /xml "C:\Users\Admin\AppData\Local\Temp\1277\bin\Inject\bin\KMS.xml" /f
    3⤵
    - Creates scheduled task(s)
    PID:1964
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v ProductName 2>nul
    3⤵
    PID:1508
  - - C:\Windows\system32\reg.exe
      reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v ProductName
      4⤵
      PID:1428
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c powershell -nop -c "(([WMISEARCHER]'Select Version from Win32_OperatingSystem').Get()).Version"
    3⤵
    PID:1740
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -nop -c "(([WMISEARCHER]'Select Version from Win32_OperatingSystem').Get()).Version"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1700
- - C:\Windows\system32\mode.com
    mode con:cols=84 lines=42
    3⤵
    PID:436
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c time /t
    3⤵
    PID:1608
- - C:\Windows\system32\choice.exe
    choice /C:12345678 /N /M "YOUR CHOICE : "
    3⤵
    PID:1872
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im DisableX.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1768
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\TEMPmessage.vbs"
    3⤵
    PID:756

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:772

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0xd0
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1428

C:\Windows\system32\verclsid.exe
"C:\Windows\system32\verclsid.exe" /S /C {0B2C9183-C9FA-4C53-AE21-C900B0C39965} /I {0C733A8A-2A1C-11CE-ADE5-00AA0044773D} /X 0x401
1⤵
PID:1608

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\KMS_Suite.v9.3.EN.bat" "
1⤵
PID:1072
- C:\Windows\system32\net.exe
  net session
  2⤵
  PID:1080
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 session
    3⤵
    PID:1052
- C:\Windows\system32\mode.com
  mode con cols=78 lines=6
  2⤵
  PID:1944
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -nop -c $f=[IO.File]::ReadAllText($env:0)-split':KMSSuite\:.*';iex($f[1]); X(1)
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1548
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\uwpidzul.cmdline"
    3⤵
    PID:580
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1670.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC166F.tmp"
      4⤵
      PID:456
- - C:\Windows\system32\expand.exe
    "C:\Windows\system32\expand.exe" -R 1 -F:* .
    3⤵
    - Drops file in Windows directory
    PID:1140
- C:\Windows\system32\xcopy.exe
  xcopy /s /h KMS_Suite 2136
  2⤵
  PID:740
- C:\Windows\system32\cmd.exe
  cmd.exe /c KMS_Suite.bat
  2⤵
  PID:1692
- - C:\Windows\system32\reg.exe
    REG QUERY HKU\S-1-5-19\Environment
    3⤵
    PID:888
- - C:\Windows\system32\mode.com
    mode con: cols=90 lines=40
    3⤵
    PID:1612
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -noprofile "$W=(get-host).ui.rawui; $B=$W.buffersize; $B.height=90; $W.buffersize=$B"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1044
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "prompt #$H#$E# & echo on & for %b in (1) do rem"
    3⤵
    PID:864
- - C:\Windows\system32\mode.com
    mode con cols=92 lines=35
    3⤵
    PID:1936
- - C:\Users\Admin\AppData\Local\Temp\2136\bin\center.exe
    center.exe kF5nJ4D92hfOpc8
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    PID:1204
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2136\bin\DisableX.vbs"
    3⤵
    PID:1712
  - - C:\Users\Admin\AppData\Local\Temp\2136\bin\DisableX.exe
      "C:\Users\Admin\AppData\Local\Temp\2136\bin\DisableX.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:1052
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v ProductName 2>nul
    3⤵
    PID:984
  - - C:\Windows\system32\reg.exe
      reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v ProductName
      4⤵
      PID:1944
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c powershell -nop -c "(([WMISEARCHER]'Select Version from Win32_OperatingSystem').Get()).Version"
    3⤵
    PID:1984
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -nop -c "(([WMISEARCHER]'Select Version from Win32_OperatingSystem').Get()).Version"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1320
- - C:\Windows\system32\mode.com
    mode con cols=92 lines=35
    3⤵
    PID:1888
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c time /t
    3⤵
    PID:888
- - C:\Windows\system32\findstr.exe
    findstr /v /a:78 /R "^$" " KMS & KMS 2038 & Digital & Online Activation Suite v9.3 - mephistooo2 - www.TNCTR.com" nul
    3⤵
    PID:1064
- - C:\Windows\system32\findstr.exe
    findstr /v /a:6 /R "^$" " SUPPORT MICROSOFT PRUDUCTS" nul
    3⤵
    PID:1956
- - C:\Windows\system32\findstr.exe
    findstr /v /a:6 /R "^$" " [1] ACTIVATION START FOR WINDOWS & OFFICE (KMS Inject Method)" nul
    3⤵
    PID:1060
- - C:\Windows\system32\findstr.exe
    findstr /v /a:9 /R "^$" " [2] ACTIVATION START FOR WINDOWS 10-11 (Digital & KMS 2038 Activation Method)" nul
    3⤵
    PID:1620
- - C:\Windows\system32\findstr.exe
    findstr /v /a:2 /R "^$" " [3] ACTIVATION START FOR WINDOWS & OFFICE (Online Activation Method)" nul
    3⤵
    PID:1596
- - C:\Windows\system32\findstr.exe
    findstr /v /a:7 /R "^$" " [4] WINDOWS & OFFICE ACTIVATION STATUS CHECK" nul
    3⤵
    PID:668
- - C:\Windows\system32\findstr.exe
    findstr /v /a:3 /R "^$" " [5] KMS & KMS 2038 & DIJITAL & ONLINE ACTIVATION VISIT WEBSITE" nul
    3⤵
    PID:272
- - C:\Windows\system32\findstr.exe
    findstr /v /a:4 /R "^$" " [6] EXIT" nul
    3⤵
    PID:1132
- - C:\Windows\system32\choice.exe
    choice /C:123456 /N /M "YOUR CHOICE :"
    3⤵
    PID:1824
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im DisableX.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:188
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\TEMPmessage.vbs"
    3⤵
    PID:1728

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ KMS & KMS 2038 & Digital & Online Activation Suite v9.3 - mephistooo2 - www.TNCTR.com

Filesize
3B

MD5
df66fa563a2fafdb93cc559deb0a38c4

SHA1
e6666cf8574b0f7a9ae5bccee572f965c2aec9cb

SHA256
3e39ed22dc63246937c4dbbf34ce4fb1cfe6b00de7596b020cad49ae50031351

SHA512
34ea05ee75cd840a94526411777868edb293a69867e1fdc2c2e917d278a3d58fcb86afc65142f4b184ce6907f04fb254a86061cfb620f01874b0b454a6f01c18

Download Submit
C:\Users\Admin\AppData\Local\Temp\ SUPPORT MICROSOFT PRUDUCTS

Filesize
3B

MD5
df66fa563a2fafdb93cc559deb0a38c4

SHA1
e6666cf8574b0f7a9ae5bccee572f965c2aec9cb

SHA256
3e39ed22dc63246937c4dbbf34ce4fb1cfe6b00de7596b020cad49ae50031351

SHA512
34ea05ee75cd840a94526411777868edb293a69867e1fdc2c2e917d278a3d58fcb86afc65142f4b184ce6907f04fb254a86061cfb620f01874b0b454a6f01c18

Download Submit
C:\Users\Admin\AppData\Local\Temp\ [1] ACTIVATION START FOR WINDOWS & OFFICE (KMS Inject Method)

Filesize
3B

MD5
df66fa563a2fafdb93cc559deb0a38c4

SHA1
e6666cf8574b0f7a9ae5bccee572f965c2aec9cb

SHA256
3e39ed22dc63246937c4dbbf34ce4fb1cfe6b00de7596b020cad49ae50031351

SHA512
34ea05ee75cd840a94526411777868edb293a69867e1fdc2c2e917d278a3d58fcb86afc65142f4b184ce6907f04fb254a86061cfb620f01874b0b454a6f01c18

Download Submit
C:\Users\Admin\AppData\Local\Temp\ [2] ACTIVATION START FOR WINDOWS 10-11 (Digital & KMS 2038 Activation Method)

Filesize
3B

MD5
df66fa563a2fafdb93cc559deb0a38c4

SHA1
e6666cf8574b0f7a9ae5bccee572f965c2aec9cb

SHA256
3e39ed22dc63246937c4dbbf34ce4fb1cfe6b00de7596b020cad49ae50031351

SHA512
34ea05ee75cd840a94526411777868edb293a69867e1fdc2c2e917d278a3d58fcb86afc65142f4b184ce6907f04fb254a86061cfb620f01874b0b454a6f01c18

Download Submit
C:\Users\Admin\AppData\Local\Temp\ [3] ACTIVATION START FOR WINDOWS & OFFICE (Online Activation Method)

Filesize
3B

MD5
df66fa563a2fafdb93cc559deb0a38c4

SHA1
e6666cf8574b0f7a9ae5bccee572f965c2aec9cb

SHA256
3e39ed22dc63246937c4dbbf34ce4fb1cfe6b00de7596b020cad49ae50031351

SHA512
34ea05ee75cd840a94526411777868edb293a69867e1fdc2c2e917d278a3d58fcb86afc65142f4b184ce6907f04fb254a86061cfb620f01874b0b454a6f01c18

Download Submit
C:\Users\Admin\AppData\Local\Temp\ [4] WINDOWS & OFFICE ACTIVATION STATUS CHECK

Filesize
3B

MD5
df66fa563a2fafdb93cc559deb0a38c4

SHA1
e6666cf8574b0f7a9ae5bccee572f965c2aec9cb

SHA256
3e39ed22dc63246937c4dbbf34ce4fb1cfe6b00de7596b020cad49ae50031351

SHA512
34ea05ee75cd840a94526411777868edb293a69867e1fdc2c2e917d278a3d58fcb86afc65142f4b184ce6907f04fb254a86061cfb620f01874b0b454a6f01c18

Download Submit
C:\Users\Admin\AppData\Local\Temp\ [5] KMS & KMS 2038 & DIJITAL & ONLINE ACTIVATION VISIT WEBSITE

Filesize
3B

MD5
df66fa563a2fafdb93cc559deb0a38c4

SHA1
e6666cf8574b0f7a9ae5bccee572f965c2aec9cb

SHA256
3e39ed22dc63246937c4dbbf34ce4fb1cfe6b00de7596b020cad49ae50031351

SHA512
34ea05ee75cd840a94526411777868edb293a69867e1fdc2c2e917d278a3d58fcb86afc65142f4b184ce6907f04fb254a86061cfb620f01874b0b454a6f01c18

Download Submit
C:\Users\Admin\AppData\Local\Temp\ [6] EXIT

Filesize
3B

MD5
df66fa563a2fafdb93cc559deb0a38c4

SHA1
e6666cf8574b0f7a9ae5bccee572f965c2aec9cb

SHA256
3e39ed22dc63246937c4dbbf34ce4fb1cfe6b00de7596b020cad49ae50031351

SHA512
34ea05ee75cd840a94526411777868edb293a69867e1fdc2c2e917d278a3d58fcb86afc65142f4b184ce6907f04fb254a86061cfb620f01874b0b454a6f01c18

Download Submit
C:\Users\Admin\AppData\Local\Temp\1

Filesize
279KB

MD5
436d8d09dc86c53be0486371400bd951

SHA1
c50a173334aceb34ceebe878ce4e47dc8b206c95

SHA256
586aa43770695b63537a434ad7835fd5b10c8d513eb1743255cf5b68cb5586b2

SHA512
28bc2990348f2c2828accc1843570d9f3834eb2c4d94083d2e90ede87266b0c3c3a8ade15458177bfb184b94d985ac406bd1ce58477832e38564d1c88623b81f

Download Submit
C:\Users\Admin\AppData\Local\Temp\1277\KMS_Suite.bat

Filesize
142KB

MD5
f825dcc537d39befd3a38d3558af19ec

SHA1
98c581debf37d459149413f4e73ff247cb67ff67

SHA256
2a6a60cc19bde03d9ef004b0413ce9c73b1abb71bb21a7a14ebaa41636cb561b

SHA512
ca293b76e89e10d5e35aea396498141dc962fdd24002e9638df19c68a6e619cf9b0a55edfab0e640e9d2a422d51943601a73f1102b7435a39cc05492f63de7d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\1277\bin\Digital\DIGITA~1.BAT

Filesize
30KB

MD5
cd8967fb093c71a77b9a897a63849350

SHA1
397e0d1537e5b914376558c685b2c0f85b8c3639

SHA256
6079f56daea065542154b86cd33c17bce62b6d961fb432bf5c334f8864067cd0

SHA512
87c6a8c97e4ecf4dc8e14bf1b522b654449d821b5912be0138a8accc0b9e363f2e7569c0517afd688c1d46c11269979055c32d65d8c69a26051271d6b7533a02

Download Submit
C:\Users\Admin\AppData\Local\Temp\1277\bin\Digital\OEM_DI~1\$OEM$\$$\Setup\Scripts\digi.bat

Filesize
30KB

MD5
cd8967fb093c71a77b9a897a63849350

SHA1
397e0d1537e5b914376558c685b2c0f85b8c3639

SHA256
6079f56daea065542154b86cd33c17bce62b6d961fb432bf5c334f8864067cd0

SHA512
87c6a8c97e4ecf4dc8e14bf1b522b654449d821b5912be0138a8accc0b9e363f2e7569c0517afd688c1d46c11269979055c32d65d8c69a26051271d6b7533a02

Download Submit
C:\Users\Admin\AppData\Local\Temp\1277\bin\Digital\bin\GATHER~1.EXE

Filesize
330KB

MD5
15ce0753a16dd4f9b9f0f9926dd37c4e

SHA1
fabb5a0fc1e6a372219711152291339af36ed0b5

SHA256
028c8fbe58f14753b946475de9f09a9c7a05fd62e81a1339614c9e138fc2a21d

SHA512
4e5a6751f5f1f8499890e07a3b58c4040e43cf1329ab8f4a09201e1f247825e334e416717895f6e570842f3d2d6a137c77539c70545329c1ab3118bd83a38226

Download Submit
C:\Users\Admin\AppData\Local\Temp\1277\bin\Digital\bin\slc.dll

Filesize
7KB

MD5
a3d60be84fb7fc1701f2518ad619bb19

SHA1
4937e478f33a1430a72f17fab2a6220bf9fde413

SHA256
653e61441d85cd74ba3fd4f50be204b47a32bce19a17451d87a2356bef87a321

SHA512
43abbf267c8326ca955bb9085d49f9ab108512c9cc8025ebc8523cab307cc1877f990f3174ab7a0498c38591eb1eee7fb04be91129ac7f9ab8422e271ca3f5ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\1277\bin\DisableX.exe

Filesize
16KB

MD5
00c9837407663587c69df18793248d52

SHA1
db8c290e81aba4712febba5f43ef6fa3ec319f61

SHA256
09933212238bc7d0cce57469f9927c0325d5670b21fc7787428574c4a52e5f6d

SHA512
2035a69398202385c327cf1970565855852275807e587f4b804e3c475b0a259a27052f14d791dfc5967d5e3114266b971670a78160832d8d46304b573d31b304

Download Submit
C:\Users\Admin\AppData\Local\Temp\1277\bin\DisableX.exe

Filesize
16KB

MD5
00c9837407663587c69df18793248d52

SHA1
db8c290e81aba4712febba5f43ef6fa3ec319f61

SHA256
09933212238bc7d0cce57469f9927c0325d5670b21fc7787428574c4a52e5f6d

SHA512
2035a69398202385c327cf1970565855852275807e587f4b804e3c475b0a259a27052f14d791dfc5967d5e3114266b971670a78160832d8d46304b573d31b304

Download Submit
C:\Users\Admin\AppData\Local\Temp\1277\bin\DisableX.vbs

Filesize
189B

MD5
c2206c9c9b0c97f7c5db4f473e96e9a3

SHA1
77b32538358d64aff6d7e083bba358f0fe7b2789

SHA256
f1cec878cd1db36ca4ccb68296cd47ce039054e2ece4cd22d9933b90c8625c1f

SHA512
67c8d84c4a58aa6dcfcd1271b206c0ac36d1f05db3701d0f003357746daaf6d3328fd7002cc1e6c2d2f3d0388c519669ec94e2bd0d817589decc6ac04c5f444a

Download Submit
C:\Users\Admin\AppData\Local\Temp\1277\bin\Inject\KMSInject.bat

Filesize
140KB

MD5
d054f26c2659bdec0ccf6df418023d6e

SHA1
e98dac9b0a7801475d6e7f76269f463613a61a10

SHA256
4534138dbfa7b55f674612f8fb2c7caf727260e382611d1f5f6f90504d05955e

SHA512
e8e9cccead23a7eb655409fd8949f76a5660f071da360af20006622ab87baabf89172a2832e7b0dd6278a5907dc66a80c23dbe744c2a7e4325c10eab4c7ab6ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\1277\bin\Inject\bin\A64.dll

Filesize
21KB

MD5
886b4a107a2ede49c4c8a5bcba94f20f

SHA1
b5256ddc2b5fb8bd8d0272679043e03a0936d8a3

SHA256
24bf5b777254334c384e02ced455d21470163569d33ffebad36e54f6afd5059c

SHA512
28aa34d2dc065b14912d4813246fdd963a47e8c4a7d0134d22e63f80d9bff45cea150b8d4dc2d3ced9a8f337ec513e8214dba04c09130b24631cd48d9eb8f28d

Download Submit
C:\Users\Admin\AppData\Local\Temp\1277\bin\Inject\bin\KMS.xml

Filesize
3KB

MD5
672791216f102bdb76fb550adb0ea923

SHA1
e5fa7406143f7bb9aa28de777e62465ae55975bb

SHA256
0cb32bea8fc9ef6150e071049497b51750b8f4cb13cf83adac1f1357560f751a

SHA512
9801da8df68dad6f40e63c02b481463cb1b59e2d57f183b17e7168cbb96eafb95c98c226e196ba379b6cbde6bce911cecd8511ac40af76f5b35f705866f824b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\1277\bin\Inject\bin\cleanosppx64.exe

Filesize
19KB

MD5
162ab955cb2f002a73c1530aa796477f

SHA1
d30a0e4e5911d3ca705617d17225372731c770e2

SHA256
5ce462e5f34065fc878362ba58617fab28c22d631b9d836dddcf43fb1ad4de6e

SHA512
e0288dcf78092449d9cbaef4488041131925387c1aedc9e9512da0f66efe2fb68350ca3937f6715834e62e7c931c5dad0fc8bc3c6c0c3daedeff356d6feaac2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\1277\bin\Inject\bin\cleanosppx86.exe

Filesize
17KB

MD5
5fd363d52d04ac200cd24f3bcc903200

SHA1
39ed8659e7ca16aaccb86def94ce6cec4c847dd6

SHA256
3fdefe2ad092a9a7fe0edf0ac4dc2de7e5b9ce6a0804f6511c06564194966cf9

SHA512
f8ea73b0cb0a90fac6032a54028c60119022173334e68db3fbd63fe173032dd3fc3b438678064edb8c63d4eceaa72990ce039819df3d547d7d7627ad2eee36b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\1277\bin\Inject\bin\x64.dll

Filesize
20KB

MD5
a8f669ab8fad00bd193a82b8f62e7660

SHA1
1925f6f7b904d0289da8cdc55e84875f7739b0b1

SHA256
bcde6b7bbafa2b4eeb6c75f051b5949d27b49b4030e376a7838ba84e4e103daf

SHA512
1adaa8aaa55c7cf3d36435646aa8312cd62511edaa54f31160ef6ba4e8364f0a6cb9c0d9b96f796d777d0448b3a3fc8ae28ee213456c66dfeef046b40d57b897

Download Submit
C:\Users\Admin\AppData\Local\Temp\1277\bin\Inject\bin\x86.dll

Filesize
16KB

MD5
fee7e8f5472041f6b2c0e5d8f8d0da45

SHA1
063eeee055d4646e91e15ac6a785bd9c7bcaa10b

SHA256
c43ccfcc2f7ab3e2d229da6b1fb9715cc707991835108518cb0aa9a667ea15cc

SHA512
c535d5a68b99e9a8ea5b937d382a2827b99b37edaf55bd6af4e6196242575a4102ff2f14297ae6be875477df5a7f9997f3c3d00821fe8ea94d5bef08a157f8b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\1277\bin\center.exe

Filesize
72KB

MD5
0a847eafddc4529388e1a1b291354cf8

SHA1
adddd1b79c64c7c1d0d440df847be31ee94e664d

SHA256
69533d9b66b840b4764f901cd6a502d12453b604617a841f4c2c602fc87df255

SHA512
7b3ddb5be55367fc5fcfaa99f9a3b7f0888234c82146f3af6b012ff1feacf8b087cf53cce3e57492417a8e88657a045d948fedc07645e5a018604c158bd15710

Download Submit
C:\Users\Admin\AppData\Local\Temp\1277\bin\center.exe

Filesize
72KB

MD5
0a847eafddc4529388e1a1b291354cf8

SHA1
adddd1b79c64c7c1d0d440df847be31ee94e664d

SHA256
69533d9b66b840b4764f901cd6a502d12453b604617a841f4c2c602fc87df255

SHA512
7b3ddb5be55367fc5fcfaa99f9a3b7f0888234c82146f3af6b012ff1feacf8b087cf53cce3e57492417a8e88657a045d948fedc07645e5a018604c158bd15710

Download Submit
C:\Users\Admin\AppData\Local\Temp\KMS_Suite\KMS_Suite.bat

Filesize
142KB

MD5
f825dcc537d39befd3a38d3558af19ec

SHA1
98c581debf37d459149413f4e73ff247cb67ff67

SHA256
2a6a60cc19bde03d9ef004b0413ce9c73b1abb71bb21a7a14ebaa41636cb561b

SHA512
ca293b76e89e10d5e35aea396498141dc962fdd24002e9638df19c68a6e619cf9b0a55edfab0e640e9d2a422d51943601a73f1102b7435a39cc05492f63de7d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\KMS_Suite\bin\Digital\Digital_KMS38.bat

Filesize
30KB

MD5
cd8967fb093c71a77b9a897a63849350

SHA1
397e0d1537e5b914376558c685b2c0f85b8c3639

SHA256
6079f56daea065542154b86cd33c17bce62b6d961fb432bf5c334f8864067cd0

SHA512
87c6a8c97e4ecf4dc8e14bf1b522b654449d821b5912be0138a8accc0b9e363f2e7569c0517afd688c1d46c11269979055c32d65d8c69a26051271d6b7533a02

Download Submit
C:\Users\Admin\AppData\Local\Temp\KMS_Suite\bin\Digital\OEM_Digital\$OEM$\$$\Setup\Scripts\SETUPCOMPLETE.bat

Filesize
341B

MD5
d401c5effa22436e0382bdd71b145ed3

SHA1
b2632b7e74c21d9791d2a7202beab9fcb878c46b

SHA256
cb02f5670b0f7f13d87a4df29879d275c23adcdc15f3345dedbbe4ccc3ba0231

SHA512
22b7d96c9022dfe114f2997866f2e5a23e135d6d61708483eb9342b90d1b521d45618ff8dfc821b9a08c1740fda54aedd1f95f54c1d80c882cbabb8fac8cd517

Download Submit
C:\Users\Admin\AppData\Local\Temp\KMS_Suite\bin\Digital\OEM_Digital\$OEM$\$$\Setup\Scripts\digi.bat

Filesize
30KB

MD5
cd8967fb093c71a77b9a897a63849350

SHA1
397e0d1537e5b914376558c685b2c0f85b8c3639

SHA256
6079f56daea065542154b86cd33c17bce62b6d961fb432bf5c334f8864067cd0

SHA512
87c6a8c97e4ecf4dc8e14bf1b522b654449d821b5912be0138a8accc0b9e363f2e7569c0517afd688c1d46c11269979055c32d65d8c69a26051271d6b7533a02

Download Submit
C:\Users\Admin\AppData\Local\Temp\KMS_Suite\bin\Digital\OEM_KMS38\$OEM$\$$\Setup\Scripts\KMS38.bat

Filesize
30KB

MD5
cd8967fb093c71a77b9a897a63849350

SHA1
397e0d1537e5b914376558c685b2c0f85b8c3639

SHA256
6079f56daea065542154b86cd33c17bce62b6d961fb432bf5c334f8864067cd0

SHA512
87c6a8c97e4ecf4dc8e14bf1b522b654449d821b5912be0138a8accc0b9e363f2e7569c0517afd688c1d46c11269979055c32d65d8c69a26051271d6b7533a02

Download Submit
C:\Users\Admin\AppData\Local\Temp\KMS_Suite\bin\Digital\OEM_KMS38\$OEM$\$$\Setup\Scripts\SETUPCOMPLETE.bat

Filesize
343B

MD5
0d2e7f7d3632f02a4f5f605ee9750f56

SHA1
b17e185829d03518be196fb37d801dfd8cc3f6af

SHA256
eeb96f5030386b06c8b11101f3beb740f2932e3e755f5e0f9da11d56d1cec69c

SHA512
4febee13af76e7f8adfbcb58470729d6b43870b5d94e8da28310c8546bd3c6eb6d769da2c0b07d61cd1ad16dc904dc75d48a80a394b029e09f79f02c19ebb10a

Download Submit
C:\Users\Admin\AppData\Local\Temp\KMS_Suite\bin\Digital\bin\gatherosstate.exe

Filesize
330KB

MD5
15ce0753a16dd4f9b9f0f9926dd37c4e

SHA1
fabb5a0fc1e6a372219711152291339af36ed0b5

SHA256
028c8fbe58f14753b946475de9f09a9c7a05fd62e81a1339614c9e138fc2a21d

SHA512
4e5a6751f5f1f8499890e07a3b58c4040e43cf1329ab8f4a09201e1f247825e334e416717895f6e570842f3d2d6a137c77539c70545329c1ab3118bd83a38226

Download Submit
C:\Users\Admin\AppData\Local\Temp\KMS_Suite\bin\Digital\bin\slc.dll

Filesize
7KB

MD5
a3d60be84fb7fc1701f2518ad619bb19

SHA1
4937e478f33a1430a72f17fab2a6220bf9fde413

SHA256
653e61441d85cd74ba3fd4f50be204b47a32bce19a17451d87a2356bef87a321

SHA512
43abbf267c8326ca955bb9085d49f9ab108512c9cc8025ebc8523cab307cc1877f990f3174ab7a0498c38591eb1eee7fb04be91129ac7f9ab8422e271ca3f5ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\KMS_Suite\bin\DisableX.exe

Filesize
16KB

MD5
00c9837407663587c69df18793248d52

SHA1
db8c290e81aba4712febba5f43ef6fa3ec319f61

SHA256
09933212238bc7d0cce57469f9927c0325d5670b21fc7787428574c4a52e5f6d

SHA512
2035a69398202385c327cf1970565855852275807e587f4b804e3c475b0a259a27052f14d791dfc5967d5e3114266b971670a78160832d8d46304b573d31b304

Download Submit
C:\Users\Admin\AppData\Local\Temp\KMS_Suite\bin\DisableX.vbs

Filesize
189B

MD5
c2206c9c9b0c97f7c5db4f473e96e9a3

SHA1
77b32538358d64aff6d7e083bba358f0fe7b2789

SHA256
f1cec878cd1db36ca4ccb68296cd47ce039054e2ece4cd22d9933b90c8625c1f

SHA512
67c8d84c4a58aa6dcfcd1271b206c0ac36d1f05db3701d0f003357746daaf6d3328fd7002cc1e6c2d2f3d0388c519669ec94e2bd0d817589decc6ac04c5f444a

Download Submit
C:\Users\Admin\AppData\Local\Temp\KMS_Suite\bin\Inject\$OEM$\$$\Setup\Scripts\SETUPCOMPLETE.bat

Filesize
983B

MD5
d98118ac31e94e4d5f2a3baab1e4c777

SHA1
b5649576144d09fbb04bd616a9a1a78db1bad29b

SHA256
7c85f1b5724fa3fd960e3c2892b15546a007d70ad3cc57fd537399e1ce369de5

SHA512
b62dd33fa2dd791f3ad11c41528dae15ff51efedffa769245fe5ee8498dfcba4e5d4c90a117c2cb4b89269c868261206ec44d192a42dae723c51084fc5a3b031

Download Submit
C:\Users\Admin\AppData\Local\Temp\KMS_Suite\bin\Inject\$OEM$\$$\Setup\Scripts\run.bat

Filesize
140KB

MD5
27edcd6267f4c58c35db91cbbf934929

SHA1
297b1cd2a4833cb24cd5758fc2b73939a1111080

SHA256
eec4ab779b67dd195bb474e8b4c45a5859ae5129ae916b5d9dd4d46f46206430

SHA512
a068a29cce8a63eb540c964ecce95248231f3a556b11196403191d317df3f344d0de9982eabc376794314bc4f7ba1394a629ccfd88a52916c2fd3df333000e3c

Download Submit
C:\Users\Admin\AppData\Local\Temp\KMS_Suite\bin\Inject\KMSInject.bat

Filesize
140KB

MD5
d054f26c2659bdec0ccf6df418023d6e

SHA1
e98dac9b0a7801475d6e7f76269f463613a61a10

SHA256
4534138dbfa7b55f674612f8fb2c7caf727260e382611d1f5f6f90504d05955e

SHA512
e8e9cccead23a7eb655409fd8949f76a5660f071da360af20006622ab87baabf89172a2832e7b0dd6278a5907dc66a80c23dbe744c2a7e4325c10eab4c7ab6ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\KMS_Suite\bin\Inject\bin\A64.dll

Filesize
21KB

MD5
886b4a107a2ede49c4c8a5bcba94f20f

SHA1
b5256ddc2b5fb8bd8d0272679043e03a0936d8a3

SHA256
24bf5b777254334c384e02ced455d21470163569d33ffebad36e54f6afd5059c

SHA512
28aa34d2dc065b14912d4813246fdd963a47e8c4a7d0134d22e63f80d9bff45cea150b8d4dc2d3ced9a8f337ec513e8214dba04c09130b24631cd48d9eb8f28d

Download Submit
C:\Users\Admin\AppData\Local\Temp\KMS_Suite\bin\Inject\bin\KMS.xml

Filesize
3KB

MD5
672791216f102bdb76fb550adb0ea923

SHA1
e5fa7406143f7bb9aa28de777e62465ae55975bb

SHA256
0cb32bea8fc9ef6150e071049497b51750b8f4cb13cf83adac1f1357560f751a

SHA512
9801da8df68dad6f40e63c02b481463cb1b59e2d57f183b17e7168cbb96eafb95c98c226e196ba379b6cbde6bce911cecd8511ac40af76f5b35f705866f824b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\KMS_Suite\bin\Inject\bin\cleanosppx64.exe

Filesize
19KB

MD5
162ab955cb2f002a73c1530aa796477f

SHA1
d30a0e4e5911d3ca705617d17225372731c770e2

SHA256
5ce462e5f34065fc878362ba58617fab28c22d631b9d836dddcf43fb1ad4de6e

SHA512
e0288dcf78092449d9cbaef4488041131925387c1aedc9e9512da0f66efe2fb68350ca3937f6715834e62e7c931c5dad0fc8bc3c6c0c3daedeff356d6feaac2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\KMS_Suite\bin\Inject\bin\cleanosppx86.exe

Filesize
17KB

MD5
5fd363d52d04ac200cd24f3bcc903200

SHA1
39ed8659e7ca16aaccb86def94ce6cec4c847dd6

SHA256
3fdefe2ad092a9a7fe0edf0ac4dc2de7e5b9ce6a0804f6511c06564194966cf9

SHA512
f8ea73b0cb0a90fac6032a54028c60119022173334e68db3fbd63fe173032dd3fc3b438678064edb8c63d4eceaa72990ce039819df3d547d7d7627ad2eee36b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\KMS_Suite\bin\Inject\bin\x64.dll

Filesize
20KB

MD5
a8f669ab8fad00bd193a82b8f62e7660

SHA1
1925f6f7b904d0289da8cdc55e84875f7739b0b1

SHA256
bcde6b7bbafa2b4eeb6c75f051b5949d27b49b4030e376a7838ba84e4e103daf

SHA512
1adaa8aaa55c7cf3d36435646aa8312cd62511edaa54f31160ef6ba4e8364f0a6cb9c0d9b96f796d777d0448b3a3fc8ae28ee213456c66dfeef046b40d57b897

Download Submit
C:\Users\Admin\AppData\Local\Temp\KMS_Suite\bin\Inject\bin\x86.dll

Filesize
16KB

MD5
fee7e8f5472041f6b2c0e5d8f8d0da45

SHA1
063eeee055d4646e91e15ac6a785bd9c7bcaa10b

SHA256
c43ccfcc2f7ab3e2d229da6b1fb9715cc707991835108518cb0aa9a667ea15cc

SHA512
c535d5a68b99e9a8ea5b937d382a2827b99b37edaf55bd6af4e6196242575a4102ff2f14297ae6be875477df5a7f9997f3c3d00821fe8ea94d5bef08a157f8b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\KMS_Suite\bin\center.exe

Filesize
72KB

MD5
0a847eafddc4529388e1a1b291354cf8

SHA1
adddd1b79c64c7c1d0d440df847be31ee94e664d

SHA256
69533d9b66b840b4764f901cd6a502d12453b604617a841f4c2c602fc87df255

SHA512
7b3ddb5be55367fc5fcfaa99f9a3b7f0888234c82146f3af6b012ff1feacf8b087cf53cce3e57492417a8e88657a045d948fedc07645e5a018604c158bd15710

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES1373.tmp

Filesize
1KB

MD5
45bf852f10a953a03b333dc6c895f7d0

SHA1
851f09a064cf688a3b86ecb95df03da12a0301d9

SHA256
340ac8b62178fe0916c855648fbcb296c24072542933d6be14fd8577cee6e83e

SHA512
8a196ffe8bf6e555c4b65192466f2775d1bb67da49d6519c3f746dbc150c069673c5335a1a28aef886573c613a571d7b6c54e3ceda290bab2f14ef98af761fcb

Download Submit
C:\Users\Admin\AppData\Local\Temp\TEMPmessage.vbs

Filesize
189B

MD5
3f38a65aa4c9dd1fdff0736123ccbfe8

SHA1
64550433f7e450194597c8e54bf98c7b6b4ec55b

SHA256
7c492e44d968575bdffa411f2410e71a2db0cb4bb0ec3de5d1b05d71fe87deab

SHA512
224c57c4271aab3bcf6837c252612e8fccbc6ce761f8751b25b5d1dfcb1061d84d159b17d1bd323884410dac78a90917835df03d8fec304d55cbfd3e6fbb7719

Download Submit
C:\Users\Admin\AppData\Local\Temp\uf3hsurt.dll

Filesize
4KB

MD5
3a9403270fe6b284488f967711e58888

SHA1
7d141919b797fbb3a3187dd258fb61bfa2ce7217

SHA256
5bd4f19f15ad447f423d0b5788874a14bc923871fe8cc356c06edd86f09d2aa7

SHA512
4fef15cfbb507abadced6fc8323485cf697a90e5c01ce8a4a43aa05f48f989f2fc3254ac9588a32bbfadf49918ab0a4835ebde1db43a0976e7a3e05384d50959

Download Submit
C:\Users\Admin\AppData\Local\Temp\uf3hsurt.pdb

Filesize
11KB

MD5
074a46b25e474449ed22f9dc8ffb2a32

SHA1
9d549550b7996c8fb304498da09387a4bbd61704

SHA256
6d652a299b1bb24df098ec418a3f436691d1dccdd761ec94125d0c13d43c0b19

SHA512
121193af06b8aa1f32a58b0a38d091a90033d6d978708d8ac424b38d622d5d565b50760e4fa325c2fa7ffa091bf0e6d738081bdafa91257831e9181486128f7f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
a52930cad12451ad0cc48379c7ad566b

SHA1
40325999ae60adba87fdff4993d581e39de8d377

SHA256
f0689e874c56411a280849b165b66a7cb5e85694ecc454fadd5ca4c7c8a611b8

SHA512
403b511d226e9226d5d60d98c89814b3d359d1226377f6c4db48e1c17de1d73ae00b0f6a1088e3f58d22921a20959b3d6e48d4ca8304aee6e05815373606b678

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
a52930cad12451ad0cc48379c7ad566b

SHA1
40325999ae60adba87fdff4993d581e39de8d377

SHA256
f0689e874c56411a280849b165b66a7cb5e85694ecc454fadd5ca4c7c8a611b8

SHA512
403b511d226e9226d5d60d98c89814b3d359d1226377f6c4db48e1c17de1d73ae00b0f6a1088e3f58d22921a20959b3d6e48d4ca8304aee6e05815373606b678

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
a52930cad12451ad0cc48379c7ad566b

SHA1
40325999ae60adba87fdff4993d581e39de8d377

SHA256
f0689e874c56411a280849b165b66a7cb5e85694ecc454fadd5ca4c7c8a611b8

SHA512
403b511d226e9226d5d60d98c89814b3d359d1226377f6c4db48e1c17de1d73ae00b0f6a1088e3f58d22921a20959b3d6e48d4ca8304aee6e05815373606b678

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
a52930cad12451ad0cc48379c7ad566b

SHA1
40325999ae60adba87fdff4993d581e39de8d377

SHA256
f0689e874c56411a280849b165b66a7cb5e85694ecc454fadd5ca4c7c8a611b8

SHA512
403b511d226e9226d5d60d98c89814b3d359d1226377f6c4db48e1c17de1d73ae00b0f6a1088e3f58d22921a20959b3d6e48d4ca8304aee6e05815373606b678

Download Submit
C:\Windows\KMS\bin\A64.dll

Filesize
21KB

MD5
886b4a107a2ede49c4c8a5bcba94f20f

SHA1
b5256ddc2b5fb8bd8d0272679043e03a0936d8a3

SHA256
24bf5b777254334c384e02ced455d21470163569d33ffebad36e54f6afd5059c

SHA512
28aa34d2dc065b14912d4813246fdd963a47e8c4a7d0134d22e63f80d9bff45cea150b8d4dc2d3ced9a8f337ec513e8214dba04c09130b24631cd48d9eb8f28d

Download Submit
C:\Windows\KMS\bin\KMS.xml

Filesize
3KB

MD5
672791216f102bdb76fb550adb0ea923

SHA1
e5fa7406143f7bb9aa28de777e62465ae55975bb

SHA256
0cb32bea8fc9ef6150e071049497b51750b8f4cb13cf83adac1f1357560f751a

SHA512
9801da8df68dad6f40e63c02b481463cb1b59e2d57f183b17e7168cbb96eafb95c98c226e196ba379b6cbde6bce911cecd8511ac40af76f5b35f705866f824b2

Download Submit
C:\Windows\KMS\bin\cleanosppx64.exe

Filesize
19KB

MD5
162ab955cb2f002a73c1530aa796477f

SHA1
d30a0e4e5911d3ca705617d17225372731c770e2

SHA256
5ce462e5f34065fc878362ba58617fab28c22d631b9d836dddcf43fb1ad4de6e

SHA512
e0288dcf78092449d9cbaef4488041131925387c1aedc9e9512da0f66efe2fb68350ca3937f6715834e62e7c931c5dad0fc8bc3c6c0c3daedeff356d6feaac2e

Download Submit
C:\Windows\KMS\bin\cleanosppx86.exe

Filesize
17KB

MD5
5fd363d52d04ac200cd24f3bcc903200

SHA1
39ed8659e7ca16aaccb86def94ce6cec4c847dd6

SHA256
3fdefe2ad092a9a7fe0edf0ac4dc2de7e5b9ce6a0804f6511c06564194966cf9

SHA512
f8ea73b0cb0a90fac6032a54028c60119022173334e68db3fbd63fe173032dd3fc3b438678064edb8c63d4eceaa72990ce039819df3d547d7d7627ad2eee36b3

Download Submit
C:\Windows\KMS\bin\x86.dll

Filesize
16KB

MD5
fee7e8f5472041f6b2c0e5d8f8d0da45

SHA1
063eeee055d4646e91e15ac6a785bd9c7bcaa10b

SHA256
c43ccfcc2f7ab3e2d229da6b1fb9715cc707991835108518cb0aa9a667ea15cc

SHA512
c535d5a68b99e9a8ea5b937d382a2827b99b37edaf55bd6af4e6196242575a4102ff2f14297ae6be875477df5a7f9997f3c3d00821fe8ea94d5bef08a157f8b4

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC1372.tmp

Filesize
652B

MD5
fef4fa84f0faada99cde9c690c460c13

SHA1
e970d9887e31a5c557097e94ce16af868fedae17

SHA256
d813e3bd3d9d2a1062e74274235de7784158e9bc83e82f105c84931fb0417362

SHA512
246c64fdabdcc6cd022d54ce650e16d71d0a4edd83617eae1e349655d6f710001ae03de445c035c04aefb97e8b6d769decbb2b719747716c2e16e49546c096bc

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\uf3hsurt.0.cs

Filesize
521B

MD5
047f0cf592670e8fca358f12e4cd5a89

SHA1
0cd8cdde668e7e64adb49e388e75e1136429e5f6

SHA256
32e77d9085ad9ea0fd1eb5a9556e29cb42f5d3016ccf9853f3c39d358f479978

SHA512
368b22e424520c272195d3264123fceb2dba549574ff7282c210ffb6d9e8f574b7392f199304f2adef974d4d926fbccb1ce50fbd8ad4e89f05cec58635357cc8

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\uf3hsurt.cmdline

Filesize
309B

MD5
302761b281ac750aa9f78cf06f4d481f

SHA1
8909fae6224d39d263ee15c8cf0d9c6788f3bfba

SHA256
17d7959161d429b369957ad8fa837dc4460c06ce7965594abe86cc4b3f10d540

SHA512
965912cd7ab0a0e471f0a04689ba8b2e7646cace11e1f4a11c9633f9c8270d49e3c6f0f0e71b18e1e9b921d9dbff53bda6bc5db14b6923229ab365a35503b7f5

Download Submit
memory/396-165-0x0000000000000000-mapping.dmp

Download
memory/436-225-0x0000000000000000-mapping.dmp

Download
memory/456-270-0x0000000000000000-mapping.dmp

Download
memory/472-184-0x0000000000000000-mapping.dmp

Download
memory/572-110-0x0000000000000000-mapping.dmp

Download
memory/572-112-0x0000000075A81000-0x0000000075A83000-memory.dmp

Filesize
8KB

Download
memory/580-269-0x0000000000000000-mapping.dmp

Download
memory/620-163-0x0000000000000000-mapping.dmp

Download
memory/740-275-0x0000000000000000-mapping.dmp

Download
memory/756-249-0x0000000000000000-mapping.dmp

Download
memory/808-181-0x0000000000000000-mapping.dmp

Download
memory/864-286-0x0000000000000000-mapping.dmp

Download
memory/888-277-0x0000000000000000-mapping.dmp

Download
memory/932-55-0x0000000000000000-mapping.dmp

Download
memory/964-199-0x0000000000000000-mapping.dmp

Download
memory/968-106-0x0000000002420000-0x00000000024A0000-memory.dmp

Filesize
512KB

Download
memory/968-183-0x0000000000000000-mapping.dmp

Download
memory/968-100-0x0000000000000000-mapping.dmp

Download
memory/968-104-0x000007FEF3670000-0x000007FEF4093000-memory.dmp

Filesize
10.1MB

Download
memory/968-105-0x000007FEF2B10000-0x000007FEF366D000-memory.dmp

Filesize
11.4MB

Download
memory/1016-98-0x0000000000000000-mapping.dmp

Download
memory/1044-281-0x000007FEF3090000-0x000007FEF3AB3000-memory.dmp

Filesize
10.1MB

Download
memory/1044-285-0x000000000257B000-0x000000000259A000-memory.dmp

Filesize
124KB

Download
memory/1044-283-0x0000000002574000-0x0000000002577000-memory.dmp

Filesize
12KB

Download
memory/1044-284-0x0000000002574000-0x0000000002577000-memory.dmp

Filesize
12KB

Download
memory/1044-282-0x000007FEED0E0000-0x000007FEEDC3D000-memory.dmp

Filesize
11.4MB

Download
memory/1044-279-0x0000000000000000-mapping.dmp

Download
memory/1048-201-0x0000000000000000-mapping.dmp

Download
memory/1052-261-0x0000000000000000-mapping.dmp

Download
memory/1072-54-0x0000000000000000-mapping.dmp

Download
memory/1080-260-0x0000000000000000-mapping.dmp

Download
memory/1140-271-0x0000000000000000-mapping.dmp

Download
memory/1168-56-0x0000000000000000-mapping.dmp

Download
memory/1172-147-0x0000000000000000-mapping.dmp

Download
memory/1272-173-0x0000000000000000-mapping.dmp

Download
memory/1308-161-0x0000000002594000-0x0000000002597000-memory.dmp

Filesize
12KB

Download
memory/1308-157-0x000007FEF4010000-0x000007FEF4A33000-memory.dmp

Filesize
10.1MB

Download
memory/1308-159-0x0000000002594000-0x0000000002597000-memory.dmp

Filesize
12KB

Download
memory/1308-154-0x0000000000000000-mapping.dmp

Download
memory/1308-160-0x000000001B750000-0x000000001BA4F000-memory.dmp

Filesize
3.0MB

Download
memory/1308-162-0x000000000259B000-0x00000000025BA000-memory.dmp

Filesize
124KB

Download
memory/1308-158-0x000007FEF34B0000-0x000007FEF400D000-memory.dmp

Filesize
11.4MB

Download
memory/1320-322-0x000007FEF3170000-0x000007FEF3B93000-memory.dmp

Filesize
10.1MB

Download
memory/1320-323-0x000007FEEDC40000-0x000007FEEE79D000-memory.dmp

Filesize
11.4MB

Download
memory/1320-324-0x00000000029B4000-0x00000000029B7000-memory.dmp

Filesize
12KB

Download
memory/1320-107-0x0000000000000000-mapping.dmp

Download
memory/1320-325-0x00000000029B4000-0x00000000029B7000-memory.dmp

Filesize
12KB

Download
memory/1320-326-0x00000000029BB000-0x00000000029DA000-memory.dmp

Filesize
124KB

Download
memory/1388-62-0x0000000000000000-mapping.dmp

Download
memory/1416-200-0x0000000000000000-mapping.dmp

Download
memory/1428-215-0x0000000000000000-mapping.dmp

Download
memory/1448-65-0x0000000000000000-mapping.dmp

Download
memory/1468-179-0x0000000000000000-mapping.dmp

Download
memory/1508-150-0x0000000000000000-mapping.dmp

Download
memory/1508-214-0x0000000000000000-mapping.dmp

Download
memory/1524-175-0x0000000000000000-mapping.dmp

Download
memory/1532-186-0x0000000000000000-mapping.dmp

Download
memory/1548-267-0x0000000002784000-0x0000000002787000-memory.dmp

Filesize
12KB

Download
memory/1548-268-0x000000001B720000-0x000000001BA1F000-memory.dmp

Filesize
3.0MB

Download
memory/1548-272-0x000000000278B000-0x00000000027AA000-memory.dmp

Filesize
124KB

Download
memory/1548-266-0x000007FEEDC40000-0x000007FEEE79D000-memory.dmp

Filesize
11.4MB

Download
memory/1548-265-0x000007FEF3100000-0x000007FEF3B23000-memory.dmp

Filesize
10.1MB

Download
memory/1548-263-0x0000000000000000-mapping.dmp

Download
memory/1548-273-0x0000000002784000-0x0000000002787000-memory.dmp

Filesize
12KB

Download
memory/1548-274-0x000000000278B000-0x00000000027AA000-memory.dmp

Filesize
124KB

Download
memory/1552-151-0x0000000000000000-mapping.dmp

Download
memory/1560-96-0x0000000000000000-mapping.dmp

Download
memory/1608-226-0x0000000000000000-mapping.dmp

Download
memory/1612-278-0x0000000000000000-mapping.dmp

Download
memory/1620-197-0x000000000231B000-0x000000000233A000-memory.dmp

Filesize
124KB

Download
memory/1620-187-0x0000000000000000-mapping.dmp

Download
memory/1620-191-0x000007FEF3670000-0x000007FEF4093000-memory.dmp

Filesize
10.1MB

Download
memory/1620-192-0x000007FEF2B10000-0x000007FEF366D000-memory.dmp

Filesize
11.4MB

Download
memory/1620-193-0x000000001B6E0000-0x000000001B9DF000-memory.dmp

Filesize
3.0MB

Download
memory/1620-194-0x0000000002314000-0x0000000002317000-memory.dmp

Filesize
12KB

Download
memory/1620-195-0x000000000231B000-0x000000000233A000-memory.dmp

Filesize
124KB

Download
memory/1620-196-0x0000000002314000-0x0000000002317000-memory.dmp

Filesize
12KB

Download
memory/1652-99-0x0000000000000000-mapping.dmp

Download
memory/1672-167-0x0000000000000000-mapping.dmp

Download
memory/1692-276-0x0000000000000000-mapping.dmp

Download
memory/1700-221-0x000007FEF34B0000-0x000007FEF400D000-memory.dmp

Filesize
11.4MB

Download
memory/1700-220-0x000007FEF4010000-0x000007FEF4A33000-memory.dmp

Filesize
10.1MB

Download
memory/1700-223-0x0000000002534000-0x0000000002537000-memory.dmp

Filesize
12KB

Download
memory/1700-224-0x000000000253B000-0x000000000255A000-memory.dmp

Filesize
124KB

Download
memory/1700-217-0x0000000000000000-mapping.dmp

Download
memory/1700-222-0x0000000002534000-0x0000000002537000-memory.dmp

Filesize
12KB

Download
memory/1704-70-0x0000000000000000-mapping.dmp

Download
memory/1712-164-0x0000000000000000-mapping.dmp

Download
memory/1740-216-0x0000000000000000-mapping.dmp

Download
memory/1768-171-0x0000000000000000-mapping.dmp

Download
memory/1768-228-0x0000000000000000-mapping.dmp

Download
memory/1768-75-0x0000000000000000-mapping.dmp

Download
memory/1828-169-0x0000000000000000-mapping.dmp

Download
memory/1872-227-0x0000000000000000-mapping.dmp

Download
memory/1936-198-0x0000000000000000-mapping.dmp

Download
memory/1944-262-0x0000000000000000-mapping.dmp

Download
memory/1964-141-0x0000000000000000-mapping.dmp

Download
memory/1964-208-0x0000000000000000-mapping.dmp

Download
memory/1980-153-0x0000000000000000-mapping.dmp

Download
memory/1988-185-0x0000000000000000-mapping.dmp

Download
memory/1988-108-0x0000000000000000-mapping.dmp

Download
memory/2024-60-0x000007FEF34B0000-0x000007FEF400D000-memory.dmp

Filesize
11.4MB

Download
memory/2024-73-0x00000000024D4000-0x00000000024D7000-memory.dmp

Filesize
12KB

Download
memory/2024-72-0x00000000024DB000-0x00000000024FA000-memory.dmp

Filesize
124KB

Download
memory/2024-57-0x0000000000000000-mapping.dmp

Download
memory/2024-61-0x00000000024D4000-0x00000000024D7000-memory.dmp

Filesize
12KB

Download
memory/2024-58-0x000007FEFB9B1000-0x000007FEFB9B3000-memory.dmp

Filesize
8KB

Download
memory/2024-59-0x000007FEF4010000-0x000007FEF4A33000-memory.dmp

Filesize
10.1MB

Download
memory/2024-74-0x00000000024DB000-0x00000000024FA000-memory.dmp

Filesize
124KB

Download
memory/2040-177-0x0000000000000000-mapping.dmp

Download