09fd13bee5d66d0d680349b861f28c6b3f3fae59c355820b6042154ae429d4f1

Analysis

max time kernel
95s
max time network
103s
platform
windows10-1703_x64
resource
win10-20220812-en
resource tags

arch:x64arch:x86image:win10-20220812-enlocale:en-usos:windows10-1703-x64system
submitted
01/02/2023, 21:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

KMSAuto Net.exe
Size

6.6MB
MD5

4fd1df675fb17d1857fe5bb15125b86a
SHA1

00e7ac60500d114ef4e9d2c17caee033a883c95d
SHA256

09fd13bee5d66d0d680349b861f28c6b3f3fae59c355820b6042154ae429d4f1
SHA512

d5ddd749003d5569a3e832d7758d96f6631377c5225e2b22b23017ea9d8858895d7b63d7e61d6588c93397080c05be23db69fb9efcb9484b675e1c0d507cad58
SSDEEP

196608:ViywBGqyw1lT3ywuywQyw1ywlywaywTyw9lywfywEyw1ywHywwywmIBywyywNywl:BwBGnw1l+wjwNw4wIw3w2w9IwqwJw4wJ

Score

8^/10

evasion persistence

Malware Config

Signatures

Creates new service(s) 1 TTPs
persistence

New Service
T1050

Executes dropped EXE 10 IoCs

pid	Process
1484	bin.dat
2420	bin_x64.dat
4336	KMSSS.exe
4964	FakeClient.exe
2184	FakeClient.exe
1088	FakeClient.exe
1864	FakeClient.exe
4128	FakeClient.exe
1660	FakeClient.exe
4424	FakeClient.exe

Modifies Windows Firewall 1 TTPs 2 IoCs

evasion

Modify Existing Service

T1031

pid	Process
4420	Netsh.exe
5068	Netsh.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\KMSEmulator\ImagePath = "\"C:\\ProgramData\\KMSAuto\\bin\\KMSSS.exe\" -Port 1688 -PWin RandomKMSPID -PO14 RandomKMSPID -PO15 RandomKMSPID -AI 43200 -RI 43200 KillProcessOnPort -Log -IP"	KMSAuto Net.exe

Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489

Loads dropped DLL 14 IoCs

pid	Process
4964	FakeClient.exe
4964	FakeClient.exe
2184	FakeClient.exe
2184	FakeClient.exe
1088	FakeClient.exe
1088	FakeClient.exe
1864	FakeClient.exe
1864	FakeClient.exe
4128	FakeClient.exe
4128	FakeClient.exe
1660	FakeClient.exe
1660	FakeClient.exe
4424	FakeClient.exe
4424	FakeClient.exe

Drops file in Windows directory 14 IoCs

description	ioc	Process
File opened for modification	C:\Windows\setupact.log	FakeClient.exe
File opened for modification	C:\Windows\setuperr.log	FakeClient.exe
File opened for modification	C:\Windows\setuperr.log	FakeClient.exe
File opened for modification	C:\Windows\setuperr.log	FakeClient.exe
File opened for modification	C:\Windows\setupact.log	FakeClient.exe
File opened for modification	C:\Windows\setuperr.log	FakeClient.exe
File opened for modification	C:\Windows\setupact.log	FakeClient.exe
File opened for modification	C:\Windows\setuperr.log	FakeClient.exe
File opened for modification	C:\Windows\setupact.log	FakeClient.exe
File opened for modification	C:\Windows\setupact.log	FakeClient.exe
File opened for modification	C:\Windows\setuperr.log	FakeClient.exe
File opened for modification	C:\Windows\setupact.log	FakeClient.exe
File opened for modification	C:\Windows\setupact.log	FakeClient.exe
File opened for modification	C:\Windows\setuperr.log	FakeClient.exe

Launches sc.exe 14 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
4132	sc.exe
2856	sc.exe
3876	sc.exe
656	sc.exe
4268	sc.exe
1452	sc.exe
752	sc.exe
4836	sc.exe
3108	sc.exe
660	sc.exe
4172	sc.exe
4896	sc.exe
4312	sc.exe
4572	sc.exe

Gathers network information 2 TTPs 1 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command-Line Interface

T1059

pid	Process
432	NETSTAT.EXE

Kills process with taskkill 6 IoCs

evasion

pid	Process
3204	taskkill.exe
2564	taskkill.exe
4976	taskkill.exe
2400	taskkill.exe
4800	taskkill.exe
1652	taskkill.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
5104	KMSAuto Net.exe
5104	KMSAuto Net.exe
5104	KMSAuto Net.exe
5104	KMSAuto Net.exe
5104	KMSAuto Net.exe
5104	KMSAuto Net.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
5104	KMSAuto Net.exe

Suspicious behavior: LoadsDriver 7 IoCs

pid	Process
632	Process not Found
632	Process not Found
632	Process not Found
632	Process not Found
632	Process not Found
632	Process not Found
632	Process not Found

Suspicious use of AdjustPrivilegeToken 10 IoCs

description	pid	Process
Token: 33	2984	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2984	AUDIODG.EXE
Token: SeDebugPrivilege	432	NETSTAT.EXE
Token: SeDebugPrivilege	5104	KMSAuto Net.exe
Token: SeDebugPrivilege	3204	taskkill.exe
Token: SeDebugPrivilege	2564	taskkill.exe
Token: SeDebugPrivilege	4976	taskkill.exe
Token: SeDebugPrivilege	2400	taskkill.exe
Token: SeDebugPrivilege	4800	taskkill.exe
Token: SeDebugPrivilege	1652	taskkill.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
5104	KMSAuto Net.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5104 wrote to memory of 948	5104	KMSAuto Net.exe	67
PID 5104 wrote to memory of 948	5104	KMSAuto Net.exe	67
PID 5104 wrote to memory of 948	5104	KMSAuto Net.exe	67
PID 5104 wrote to memory of 3808	5104	KMSAuto Net.exe	69
PID 5104 wrote to memory of 3808	5104	KMSAuto Net.exe	69
PID 5104 wrote to memory of 3808	5104	KMSAuto Net.exe	69
PID 5104 wrote to memory of 3516	5104	KMSAuto Net.exe	71
PID 5104 wrote to memory of 3516	5104	KMSAuto Net.exe	71
PID 5104 wrote to memory of 3220	5104	KMSAuto Net.exe	74
PID 5104 wrote to memory of 3220	5104	KMSAuto Net.exe	74
PID 5104 wrote to memory of 3220	5104	KMSAuto Net.exe	74
PID 5104 wrote to memory of 1232	5104	KMSAuto Net.exe	78
PID 5104 wrote to memory of 1232	5104	KMSAuto Net.exe	78
PID 5104 wrote to memory of 820	5104	KMSAuto Net.exe	80
PID 5104 wrote to memory of 820	5104	KMSAuto Net.exe	80
PID 820 wrote to memory of 1484	820	cmd.exe	82
PID 820 wrote to memory of 1484	820	cmd.exe	82
PID 820 wrote to memory of 1484	820	cmd.exe	82
PID 5104 wrote to memory of 1852	5104	KMSAuto Net.exe	83
PID 5104 wrote to memory of 1852	5104	KMSAuto Net.exe	83
PID 5104 wrote to memory of 196	5104	KMSAuto Net.exe	85
PID 5104 wrote to memory of 196	5104	KMSAuto Net.exe	85
PID 196 wrote to memory of 2420	196	cmd.exe	87
PID 196 wrote to memory of 2420	196	cmd.exe	87
PID 196 wrote to memory of 2420	196	cmd.exe	87
PID 5104 wrote to memory of 2972	5104	KMSAuto Net.exe	88
PID 5104 wrote to memory of 2972	5104	KMSAuto Net.exe	88
PID 5104 wrote to memory of 2476	5104	KMSAuto Net.exe	90
PID 5104 wrote to memory of 2476	5104	KMSAuto Net.exe	90
PID 2476 wrote to memory of 3980	2476	cmd.exe	92
PID 2476 wrote to memory of 3980	2476	cmd.exe	92
PID 3980 wrote to memory of 432	3980	cmd.exe	93
PID 3980 wrote to memory of 432	3980	cmd.exe	93
PID 3980 wrote to memory of 5116	3980	cmd.exe	94
PID 3980 wrote to memory of 5116	3980	cmd.exe	94
PID 5104 wrote to memory of 4420	5104	KMSAuto Net.exe	95
PID 5104 wrote to memory of 4420	5104	KMSAuto Net.exe	95
PID 5104 wrote to memory of 5068	5104	KMSAuto Net.exe	97
PID 5104 wrote to memory of 5068	5104	KMSAuto Net.exe	97
PID 5104 wrote to memory of 4312	5104	KMSAuto Net.exe	99
PID 5104 wrote to memory of 4312	5104	KMSAuto Net.exe	99
PID 5104 wrote to memory of 4312	5104	KMSAuto Net.exe	99
PID 5104 wrote to memory of 4268	5104	KMSAuto Net.exe	101
PID 5104 wrote to memory of 4268	5104	KMSAuto Net.exe	101
PID 5104 wrote to memory of 4268	5104	KMSAuto Net.exe	101
PID 5104 wrote to memory of 4320	5104	KMSAuto Net.exe	104
PID 5104 wrote to memory of 4320	5104	KMSAuto Net.exe	104
PID 4320 wrote to memory of 4436	4320	cmd.exe	106
PID 4320 wrote to memory of 4436	4320	cmd.exe	106
PID 5104 wrote to memory of 4512	5104	KMSAuto Net.exe	107
PID 5104 wrote to memory of 4512	5104	KMSAuto Net.exe	107
PID 4512 wrote to memory of 4964	4512	cmd.exe	109
PID 4512 wrote to memory of 4964	4512	cmd.exe	109
PID 5104 wrote to memory of 3232	5104	KMSAuto Net.exe	110
PID 5104 wrote to memory of 3232	5104	KMSAuto Net.exe	110
PID 3232 wrote to memory of 3728	3232	cmd.exe	112
PID 3232 wrote to memory of 3728	3232	cmd.exe	112
PID 5104 wrote to memory of 5000	5104	KMSAuto Net.exe	113
PID 5104 wrote to memory of 5000	5104	KMSAuto Net.exe	113
PID 5104 wrote to memory of 5000	5104	KMSAuto Net.exe	113
PID 5000 wrote to memory of 3204	5000	cmd.exe	115
PID 5000 wrote to memory of 3204	5000	cmd.exe	115
PID 5000 wrote to memory of 3204	5000	cmd.exe	115
PID 5104 wrote to memory of 660	5104	KMSAuto Net.exe	117

C:\Users\Admin\AppData\Local\Temp\KMSAuto Net.exe
"C:\Users\Admin\AppData\Local\Temp\KMSAuto Net.exe"
1⤵
- Sets service image path in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:5104
- C:\Windows\SysWOW64\cmd.exe
  cmd /c md "C:\Users\Admin\AppData\Local\MSfree Inc"
  2⤵
  PID:948
- C:\Windows\SysWOW64\cmd.exe
  cmd /c echo test>>"C:\Users\Admin\AppData\Local\Temp\test.test"
  2⤵
  PID:3808
- C:\Windows\System32\cmd.exe
  C:\Windows\Sysnative\cmd.exe /c del /F /Q "test.test"
  2⤵
  PID:3516
- C:\Windows\SysWOW64\cscript.exe
  "cscript.exe" /nologo C:\Windows\system32\slmgr.vbs /ipk W269N-WFGWX-YVC9B-4J6C9-T83GX
  2⤵
  PID:3220
- C:\Windows\System32\cmd.exe
  C:\Windows\Sysnative\cmd.exe /c md "C:\ProgramData\KMSAuto"
  2⤵
  PID:1232
- C:\Windows\System32\cmd.exe
  C:\Windows\Sysnative\cmd.exe /c bin.dat -y -pkmsauto
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:820
- - C:\ProgramData\KMSAuto\bin.dat
    bin.dat -y -pkmsauto
    3⤵
    - Executes dropped EXE
    PID:1484
- C:\Windows\System32\cmd.exe
  C:\Windows\Sysnative\cmd.exe /c del /F /Q "bin.dat"
  2⤵
  PID:1852
- C:\Windows\System32\cmd.exe
  C:\Windows\Sysnative\cmd.exe /c bin_x64.dat -y -pkmsauto
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:196
- - C:\ProgramData\KMSAuto\bin_x64.dat
    bin_x64.dat -y -pkmsauto
    3⤵
    - Executes dropped EXE
    PID:2420
- C:\Windows\System32\cmd.exe
  C:\Windows\Sysnative\cmd.exe /c del /F /Q "bin_x64.dat"
  2⤵
  PID:2972
- C:\Windows\System32\cmd.exe
  C:\Windows\Sysnative\cmd.exe /c for /f "tokens=5 delims=, " %i in ('netstat -ano ^| find ":1688 "') do taskkill /pid %i /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2476
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c netstat -ano | find ":1688 "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3980
  - - C:\Windows\system32\NETSTAT.EXE
      netstat -ano
      4⤵
      Gathers network information
      Suspicious use of AdjustPrivilegeToken
      PID:432
  - - C:\Windows\system32\find.exe
      find ":1688 "
      4⤵
      PID:5116
- C:\Windows\System32\Netsh.exe
  C:\Windows\Sysnative\Netsh Advfirewall Firewall delete rule name="0pen Port KMS" protocol=TCP
  2⤵
  - Modifies Windows Firewall
  PID:4420
- C:\Windows\System32\Netsh.exe
  C:\Windows\Sysnative\Netsh Advfirewall Firewall add rule name="0pen Port KMS" dir=in action=allow protocol=TCP localport=1688
  2⤵
  - Modifies Windows Firewall
  PID:5068
- C:\Windows\SysWOW64\sc.exe
  "sc.exe" create KMSEmulator binpath= temp.exe type= own start= auto
  2⤵
  - Launches sc.exe
  PID:4312
- C:\Windows\SysWOW64\sc.exe
  "sc.exe" start KMSEmulator
  2⤵
  - Launches sc.exe
  PID:4268
- C:\Windows\System32\cmd.exe
  C:\Windows\Sysnative\cmd.exe /c route -p add 100.100.0.10 0.0.0.0 IF 1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4320
- - C:\Windows\system32\ROUTE.EXE
    route -p add 100.100.0.10 0.0.0.0 IF 1
    3⤵
    PID:4436
- C:\Windows\System32\cmd.exe
  C:\Windows\Sysnative\cmd.exe /c FakeClient.exe 100.100.0.10
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4512
- - C:\ProgramData\KMSAuto\bin\driver\x64WDV\FakeClient.exe
    FakeClient.exe 100.100.0.10
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Windows directory
    PID:4964
- C:\Windows\System32\cmd.exe
  C:\Windows\Sysnative\cmd.exe /c route delete 100.100.0.10 0.0.0.0
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3232
- - C:\Windows\system32\ROUTE.EXE
    route delete 100.100.0.10 0.0.0.0
    3⤵
    PID:3728
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c taskkill /t /f /IM FakeClient.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5000
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /t /f /IM FakeClient.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3204
- C:\Windows\SysWOW64\sc.exe
  "sc.exe" stop WinDivert1.1
  2⤵
  - Launches sc.exe
  PID:660
- C:\Windows\SysWOW64\sc.exe
  "sc.exe" delete WinDivert1.1
  2⤵
  - Launches sc.exe
  PID:1452
- C:\Windows\System32\cmd.exe
  C:\Windows\Sysnative\cmd.exe /c route -p add 100.100.0.10 0.0.0.0 IF 1
  2⤵
  PID:1456
- - C:\Windows\system32\ROUTE.EXE
    route -p add 100.100.0.10 0.0.0.0 IF 1
    3⤵
    PID:3332
- C:\Windows\System32\cmd.exe
  C:\Windows\Sysnative\cmd.exe /c FakeClient.exe 100.100.0.10
  2⤵
  PID:1964
- - C:\ProgramData\KMSAuto\bin\driver\x64WDV\FakeClient.exe
    FakeClient.exe 100.100.0.10
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Windows directory
    PID:2184
- C:\Windows\System32\cmd.exe
  C:\Windows\Sysnative\cmd.exe /c route delete 100.100.0.10 0.0.0.0
  2⤵
  PID:1660
- - C:\Windows\system32\ROUTE.EXE
    route delete 100.100.0.10 0.0.0.0
    3⤵
    PID:1800
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c taskkill /t /f /IM FakeClient.exe
  2⤵
  PID:2472
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /t /f /IM FakeClient.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2564
- C:\Windows\SysWOW64\sc.exe
  "sc.exe" stop WinDivert1.1
  2⤵
  - Launches sc.exe
  PID:4132
- C:\Windows\SysWOW64\sc.exe
  "sc.exe" delete WinDivert1.1
  2⤵
  - Launches sc.exe
  PID:4172
- C:\Windows\System32\cmd.exe
  C:\Windows\Sysnative\cmd.exe /c route -p add 100.100.0.10 0.0.0.0 IF 1
  2⤵
  PID:4060
- - C:\Windows\system32\ROUTE.EXE
    route -p add 100.100.0.10 0.0.0.0 IF 1
    3⤵
    PID:1080
- C:\Windows\System32\cmd.exe
  C:\Windows\Sysnative\cmd.exe /c FakeClient.exe 100.100.0.10
  2⤵
  PID:1264
- - C:\ProgramData\KMSAuto\bin\driver\x64WDV\FakeClient.exe
    FakeClient.exe 100.100.0.10
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Windows directory
    PID:1088
- C:\Windows\System32\cmd.exe
  C:\Windows\Sysnative\cmd.exe /c route delete 100.100.0.10 0.0.0.0
  2⤵
  PID:2904
- - C:\Windows\system32\ROUTE.EXE
    route delete 100.100.0.10 0.0.0.0
    3⤵
    PID:4408
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c taskkill /t /f /IM FakeClient.exe
  2⤵
  PID:4424
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /t /f /IM FakeClient.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4976
- C:\Windows\SysWOW64\sc.exe
  "sc.exe" stop WinDivert1.1
  2⤵
  - Launches sc.exe
  PID:4572
- C:\Windows\SysWOW64\sc.exe
  "sc.exe" delete WinDivert1.1
  2⤵
  - Launches sc.exe
  PID:4896
- C:\Windows\System32\cmd.exe
  C:\Windows\Sysnative\cmd.exe /c route -p add 100.100.0.10 0.0.0.0 IF 1
  2⤵
  PID:4744
- - C:\Windows\system32\ROUTE.EXE
    route -p add 100.100.0.10 0.0.0.0 IF 1
    3⤵
    PID:1616
- C:\Windows\System32\cmd.exe
  C:\Windows\Sysnative\cmd.exe /c FakeClient.exe 100.100.0.10
  2⤵
  PID:1228
- - C:\ProgramData\KMSAuto\bin\driver\x64WDV\FakeClient.exe
    FakeClient.exe 100.100.0.10
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Windows directory
    PID:1864
- C:\Windows\System32\cmd.exe
  C:\Windows\Sysnative\cmd.exe /c route delete 100.100.0.10 0.0.0.0
  2⤵
  PID:600
- - C:\Windows\system32\ROUTE.EXE
    route delete 100.100.0.10 0.0.0.0
    3⤵
    PID:1892
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c taskkill /t /f /IM FakeClient.exe
  2⤵
  PID:1340
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /t /f /IM FakeClient.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2400
- C:\Windows\SysWOW64\sc.exe
  "sc.exe" stop WinDivert1.1
  2⤵
  - Launches sc.exe
  PID:2856
- C:\Windows\SysWOW64\sc.exe
  "sc.exe" delete WinDivert1.1
  2⤵
  - Launches sc.exe
  PID:3876
- C:\Windows\System32\cmd.exe
  C:\Windows\Sysnative\cmd.exe /c route -p add 100.100.0.10 0.0.0.0 IF 1
  2⤵
  PID:2332
- - C:\Windows\system32\ROUTE.EXE
    route -p add 100.100.0.10 0.0.0.0 IF 1
    3⤵
    PID:4108
- C:\Windows\System32\cmd.exe
  C:\Windows\Sysnative\cmd.exe /c FakeClient.exe 100.100.0.10
  2⤵
  PID:4752
- - C:\ProgramData\KMSAuto\bin\driver\x64WDV\FakeClient.exe
    FakeClient.exe 100.100.0.10
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Windows directory
    PID:4128
- C:\Windows\System32\cmd.exe
  C:\Windows\Sysnative\cmd.exe /c route delete 100.100.0.10 0.0.0.0
  2⤵
  PID:4512
- - C:\Windows\system32\ROUTE.EXE
    route delete 100.100.0.10 0.0.0.0
    3⤵
    PID:4612
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c taskkill /t /f /IM FakeClient.exe
  2⤵
  PID:5016
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /t /f /IM FakeClient.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4800
- C:\Windows\SysWOW64\sc.exe
  "sc.exe" stop WinDivert1.1
  2⤵
  - Launches sc.exe
  PID:752
- C:\Windows\SysWOW64\sc.exe
  "sc.exe" delete WinDivert1.1
  2⤵
  - Launches sc.exe
  PID:656
- C:\Windows\System32\cmd.exe
  C:\Windows\Sysnative\cmd.exe /c route -p add 100.100.0.10 0.0.0.0 IF 1
  2⤵
  PID:2588
- - C:\Windows\system32\ROUTE.EXE
    route -p add 100.100.0.10 0.0.0.0 IF 1
    3⤵
    PID:3344
- C:\Windows\System32\cmd.exe
  C:\Windows\Sysnative\cmd.exe /c FakeClient.exe 100.100.0.10
  2⤵
  PID:1056
- - C:\ProgramData\KMSAuto\bin\driver\x64WDV\FakeClient.exe
    FakeClient.exe 100.100.0.10
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Windows directory
    PID:1660
- C:\Windows\System32\cmd.exe
  C:\Windows\Sysnative\cmd.exe /c route delete 100.100.0.10 0.0.0.0
  2⤵
  PID:1064
- - C:\Windows\system32\ROUTE.EXE
    route delete 100.100.0.10 0.0.0.0
    3⤵
    PID:188
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c taskkill /t /f /IM FakeClient.exe
  2⤵
  PID:2384
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /t /f /IM FakeClient.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1652
- C:\Windows\SysWOW64\sc.exe
  "sc.exe" stop WinDivert1.1
  2⤵
  - Launches sc.exe
  PID:4836
- C:\Windows\SysWOW64\sc.exe
  "sc.exe" delete WinDivert1.1
  2⤵
  - Launches sc.exe
  PID:3108
- C:\Windows\System32\cmd.exe
  C:\Windows\Sysnative\cmd.exe /c route -p add 100.100.0.10 0.0.0.0 IF 1
  2⤵
  PID:4556
- - C:\Windows\system32\ROUTE.EXE
    route -p add 100.100.0.10 0.0.0.0 IF 1
    3⤵
    PID:4060
- C:\Windows\System32\cmd.exe
  C:\Windows\Sysnative\cmd.exe /c FakeClient.exe 100.100.0.10
  2⤵
  PID:3972
- - C:\ProgramData\KMSAuto\bin\driver\x64WDV\FakeClient.exe
    FakeClient.exe 100.100.0.10
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Windows directory
    PID:4424

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0xf8
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2984

C:\ProgramData\KMSAuto\bin\KMSSS.exe
"C:\ProgramData\KMSAuto\bin\KMSSS.exe" -Port 1688 -PWin RandomKMSPID -PO14 RandomKMSPID -PO15 RandomKMSPID -AI 43200 -RI 43200 KillProcessOnPort -Log -IP
1⤵
- Executes dropped EXE
PID:4336

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Command-Line Interface

T1059

Persistence

Modify Existing Service

T1031

New Service

T1050

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

New Service

T1050

Defense Evasion

Impair Defenses

T1562

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\KMSAuto\bin.dat

Filesize
283KB

MD5
25f096b533e87afba34432f577e45013

SHA1
ba513e0d57a7971cc751a3827344217baa288363

SHA256
0b4af6d407e5adb4975ccb3d3b1a504f211dfc9e3307a36e8d40d8029a7d11fa

SHA512
bf5710895f85541bc0becffc1bc5843d9c05b9a97a360ab1ffeca4532dd5e7afc351ad92dd8c9adfe3fcc5f55676e09820a6663ee0004bff4c64cb223e26c1fc

Download Submit
C:\ProgramData\KMSAuto\bin.dat

Filesize
283KB

MD5
25f096b533e87afba34432f577e45013

SHA1
ba513e0d57a7971cc751a3827344217baa288363

SHA256
0b4af6d407e5adb4975ccb3d3b1a504f211dfc9e3307a36e8d40d8029a7d11fa

SHA512
bf5710895f85541bc0becffc1bc5843d9c05b9a97a360ab1ffeca4532dd5e7afc351ad92dd8c9adfe3fcc5f55676e09820a6663ee0004bff4c64cb223e26c1fc

Download Submit
C:\ProgramData\KMSAuto\bin\KMSSS.exe

Filesize
294KB

MD5
0f03f72a92aef6d63eb74e73f8ac201d

SHA1
02b911129cdbf220e74baa4693135f1a06245471

SHA256
acd55c44b8b0d66d66defed85ca18082c092f048d3621da827fce593305c11fd

SHA512
488cd5519ea6377d8b4a8d83070a987b18b7bed9e683a76f667da6bbb5f5297d2dce6d3021b6980326c606d678e7901ddeef7c6076a2ebca59f15060ebc0bd0d

Download Submit
C:\ProgramData\KMSAuto\bin\KMSSS.exe

Filesize
294KB

MD5
0f03f72a92aef6d63eb74e73f8ac201d

SHA1
02b911129cdbf220e74baa4693135f1a06245471

SHA256
acd55c44b8b0d66d66defed85ca18082c092f048d3621da827fce593305c11fd

SHA512
488cd5519ea6377d8b4a8d83070a987b18b7bed9e683a76f667da6bbb5f5297d2dce6d3021b6980326c606d678e7901ddeef7c6076a2ebca59f15060ebc0bd0d

Download Submit
C:\ProgramData\KMSAuto\bin\driver\x64WDV\FakeClient.exe

Filesize
9KB

MD5
d25567c3c868a53a018a114c903e9932

SHA1
dfbd847aad5597b20427192417a3451dd8b5d094

SHA256
141ba0b04cbe778669f7bc9286e0f88fcad05120c296bff2f075e643ed5eb125

SHA512
c69a420e17a70e129d76b81321a936c0e262e7595ebb49e3c80683769d0679f0132b783a9e1c221799f554e887204c05ce64e949eac7c1e34fc9676911718c93

Download Submit
C:\ProgramData\KMSAuto\bin\driver\x64WDV\FakeClient.exe

Filesize
9KB

MD5
d25567c3c868a53a018a114c903e9932

SHA1
dfbd847aad5597b20427192417a3451dd8b5d094

SHA256
141ba0b04cbe778669f7bc9286e0f88fcad05120c296bff2f075e643ed5eb125

SHA512
c69a420e17a70e129d76b81321a936c0e262e7595ebb49e3c80683769d0679f0132b783a9e1c221799f554e887204c05ce64e949eac7c1e34fc9676911718c93

Download Submit
C:\ProgramData\KMSAuto\bin\driver\x64WDV\FakeClient.exe

Filesize
9KB

MD5
d25567c3c868a53a018a114c903e9932

SHA1
dfbd847aad5597b20427192417a3451dd8b5d094

SHA256
141ba0b04cbe778669f7bc9286e0f88fcad05120c296bff2f075e643ed5eb125

SHA512
c69a420e17a70e129d76b81321a936c0e262e7595ebb49e3c80683769d0679f0132b783a9e1c221799f554e887204c05ce64e949eac7c1e34fc9676911718c93

Download Submit
C:\ProgramData\KMSAuto\bin\driver\x64WDV\FakeClient.exe

Filesize
9KB

MD5
d25567c3c868a53a018a114c903e9932

SHA1
dfbd847aad5597b20427192417a3451dd8b5d094

SHA256
141ba0b04cbe778669f7bc9286e0f88fcad05120c296bff2f075e643ed5eb125

SHA512
c69a420e17a70e129d76b81321a936c0e262e7595ebb49e3c80683769d0679f0132b783a9e1c221799f554e887204c05ce64e949eac7c1e34fc9676911718c93

Download Submit
C:\ProgramData\KMSAuto\bin\driver\x64WDV\FakeClient.exe

Filesize
9KB

MD5
d25567c3c868a53a018a114c903e9932

SHA1
dfbd847aad5597b20427192417a3451dd8b5d094

SHA256
141ba0b04cbe778669f7bc9286e0f88fcad05120c296bff2f075e643ed5eb125

SHA512
c69a420e17a70e129d76b81321a936c0e262e7595ebb49e3c80683769d0679f0132b783a9e1c221799f554e887204c05ce64e949eac7c1e34fc9676911718c93

Download Submit
C:\ProgramData\KMSAuto\bin\driver\x64WDV\FakeClient.exe

Filesize
9KB

MD5
d25567c3c868a53a018a114c903e9932

SHA1
dfbd847aad5597b20427192417a3451dd8b5d094

SHA256
141ba0b04cbe778669f7bc9286e0f88fcad05120c296bff2f075e643ed5eb125

SHA512
c69a420e17a70e129d76b81321a936c0e262e7595ebb49e3c80683769d0679f0132b783a9e1c221799f554e887204c05ce64e949eac7c1e34fc9676911718c93

Download Submit
C:\ProgramData\KMSAuto\bin\driver\x64WDV\FakeClient.exe

Filesize
9KB

MD5
d25567c3c868a53a018a114c903e9932

SHA1
dfbd847aad5597b20427192417a3451dd8b5d094

SHA256
141ba0b04cbe778669f7bc9286e0f88fcad05120c296bff2f075e643ed5eb125

SHA512
c69a420e17a70e129d76b81321a936c0e262e7595ebb49e3c80683769d0679f0132b783a9e1c221799f554e887204c05ce64e949eac7c1e34fc9676911718c93

Download Submit
C:\ProgramData\KMSAuto\bin\driver\x64WDV\FakeClient.exe

Filesize
9KB

MD5
d25567c3c868a53a018a114c903e9932

SHA1
dfbd847aad5597b20427192417a3451dd8b5d094

SHA256
141ba0b04cbe778669f7bc9286e0f88fcad05120c296bff2f075e643ed5eb125

SHA512
c69a420e17a70e129d76b81321a936c0e262e7595ebb49e3c80683769d0679f0132b783a9e1c221799f554e887204c05ce64e949eac7c1e34fc9676911718c93

Download Submit
C:\ProgramData\KMSAuto\bin\driver\x64WDV\WdfCoInstaller01009.dll

Filesize
68KB

MD5
be566e174eaf5b93b0474593cd8f2715

SHA1
350ca8482be913dd9ca7a279fb5680a884402e26

SHA256
cee8496bfa1080fd84fc48ba4375625238900fe93ea739b2dc0300206fde8330

SHA512
fc608acd903daf17250b8ee0f2491458cf06eca9856988fce6b8134f8deb2a3716c3641977d24e3614c9abf344184225bffeeb25212d374988115b15d0ce4b5b

Download Submit
C:\ProgramData\KMSAuto\bin\driver\x64WDV\WinDivert.dll

Filesize
16KB

MD5
3f0c03e5076c7e6b404f894ff4dc5bb1

SHA1
9cf99c875e6acd4b12e0eddd5fa51d296ea4998e

SHA256
4e7ebed8410c83b73a23185aa94680143da2933305cd6deefe8ec0b51b7ee6f3

SHA512
20de17d511cc1b3f283a28423f5bdfaef36f104d62c33a1da6449c528d1d8e4986afe8ef68e590add9262c3c7441132022a049022d14deba08a8c72e139f78f4

Download Submit
C:\ProgramData\KMSAuto\bin\driver\x64WDV\WinDivert.inf

Filesize
151B

MD5
a94d989905a248afca52bc3cbfcb248b

SHA1
cbb7b37584a58060da6a3dd748f17334384647e7

SHA256
6c9f7dea4f9a47788d5d2ba110b08457fd00dbabe4812ebca6f022300843a75d

SHA512
864eae03a01ac79917e91913fa7d83847f67f259ce8b5b42853c7ffd9a1f6847b9a4adec4d31a6ec882265fd369214bdbd147c6dc76b89bdf1bb2001046ec43f

Download Submit
C:\ProgramData\KMSAuto\bin_x64.dat

Filesize
269KB

MD5
0d42791e1447ddab3d145e4a9354acc3

SHA1
f442951d6e9d8bc821de72c7fd10e0e0ad025d68

SHA256
a374c877cfad58399cc7100da71d11fc81119e6940f62d0c98a4ff4034d8a653

SHA512
3916d5242af5affde6af2a00554d2d47b653fe7b98285ac554e2dbc81302415c3eafc4fe037f484ac199fe1fc4d6870c71dee0e8815f3e62a0faab7b8d0c26e6

Download Submit
C:\ProgramData\KMSAuto\bin_x64.dat

Filesize
269KB

MD5
0d42791e1447ddab3d145e4a9354acc3

SHA1
f442951d6e9d8bc821de72c7fd10e0e0ad025d68

SHA256
a374c877cfad58399cc7100da71d11fc81119e6940f62d0c98a4ff4034d8a653

SHA512
3916d5242af5affde6af2a00554d2d47b653fe7b98285ac554e2dbc81302415c3eafc4fe037f484ac199fe1fc4d6870c71dee0e8815f3e62a0faab7b8d0c26e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\test.test

Filesize
6B

MD5
9f06243abcb89c70e0c331c61d871fa7

SHA1
fde773a18bb29f5ed65e6f0a7aa717fd1fa485d4

SHA256
837ccb607e312b170fac7383d7ccfd61fa5072793f19a25e75fbacb56539b86b

SHA512
b947b99d1baddd347550c9032e9ab60b6be56551cf92c076b38e4e11f436051a4af51c47e54f8641316a720b043641a3b3c1e1b01ba50445ea1ba60bfd1b7a86

Download Submit
C:\Windows\setupact.log

Filesize
4KB

MD5
eca1cca09dec70663c06f4eae5dc117a

SHA1
2f48ccb37cba8742fafc5f6492309871fb9a7850

SHA256
280100891da801c91677dae8c93411db446766c92b6962374d74dca73968099d

SHA512
f89b197f6ba7e4eec74789cbbae607e705b552fd961423c2d6e8268bfb79d91b5002feaa9f123610a978ae37ee8c676fd4a7f4fa54d0519ed696c95caa5dab37

Download Submit
C:\Windows\setupact.log

Filesize
5KB

MD5
b9ac63b2a84d18796ed7e37710fd85d0

SHA1
a4f6b26abe725fcd5fff5f0c87124e6f239d23e6

SHA256
a4f9c12c3459b193ceb5e95ab1741e138f4b852e6375c2d83faf66331f019ec6

SHA512
ac27ddf715f0d1a14bde65f72eddfca04bfb1d98d0da3e24512ddc7afa3ca5f321a114c191560f3a8ef5b6c9357ba3ba32efb9a91b2920612e26f44360a6672c

Download Submit
C:\Windows\setupact.log

Filesize
5KB

MD5
5a86f9e9b71452a39ec53e1c1591ced1

SHA1
0995fbc22081933096dea59d9b0a1b949f344126

SHA256
7cdf755e75c12e1cbe28114f1f657e5778319436a1e6eed789e4ef94a9392794

SHA512
481a24a21223821724c823f0832883ec2ef3860def9ed09e3199e956adc58d94ac04bbad749ad21720c88daff1c6553d7bb9766ccac15aa50014314b5b187b2d

Download Submit
C:\Windows\setupact.log

Filesize
5KB

MD5
443a14a54504fa09758e8987ba5b2d47

SHA1
3a07e9630e876df4cf16ba9cedcb19880d34eed6

SHA256
787fbe735db4d746452d6f318d0386e91d56de0e7cfa2a8be932767272888d72

SHA512
102b854c7a97163de244a0f4d974e5cbaacc15ba391a38adf3264f3ffa763cf2eb0ba790d093d5bd309f2e6341e688517ba85d3745de388a7763d1e89fb39d44

Download Submit
C:\Windows\setupact.log

Filesize
6KB

MD5
eae98daddef7b8ac4439aef3eedef6f7

SHA1
1faae6c361fecb7b4424e83f3def7e32e65f0f2c

SHA256
24fc62b379f810f88e9d19205602c1625bf3856455bd9a035a776a9f03a741ea

SHA512
5c467a593caa8123466f1915e23eebf01dbf49830b2eda7724cfc0bb29afd15031d64298d56edf268684c399a1a61ab6da384f4a287d1f86e2a1a5380789d578

Download Submit
C:\Windows\setupact.log

Filesize
6KB

MD5
16f9e5084f9563a073e093e1b976374c

SHA1
b3edb75965f6132b39711be249e0dd2d2df3ac18

SHA256
6c8019e8d035218e62f06187fee16bf3faab3de90fbd2cd7f371401770ea81ca

SHA512
69b60ecd4c5d11b1bcaf787192e4453a75bb1a8ab1429fce6d4d876d49122ba2c738930b56a21177df033c7d27f6449eb7f28f3fbcb392bb1f6abd0e2ba9140a

Download Submit
\ProgramData\KMSAuto\bin\driver\x64WDV\WdfCoInstaller01009.dll

Filesize
68KB

MD5
be566e174eaf5b93b0474593cd8f2715

SHA1
350ca8482be913dd9ca7a279fb5680a884402e26

SHA256
cee8496bfa1080fd84fc48ba4375625238900fe93ea739b2dc0300206fde8330

SHA512
fc608acd903daf17250b8ee0f2491458cf06eca9856988fce6b8134f8deb2a3716c3641977d24e3614c9abf344184225bffeeb25212d374988115b15d0ce4b5b

Download Submit
\ProgramData\KMSAuto\bin\driver\x64WDV\WdfCoInstaller01009.dll

Filesize
68KB

MD5
be566e174eaf5b93b0474593cd8f2715

SHA1
350ca8482be913dd9ca7a279fb5680a884402e26

SHA256
cee8496bfa1080fd84fc48ba4375625238900fe93ea739b2dc0300206fde8330

SHA512
fc608acd903daf17250b8ee0f2491458cf06eca9856988fce6b8134f8deb2a3716c3641977d24e3614c9abf344184225bffeeb25212d374988115b15d0ce4b5b

Download Submit
\ProgramData\KMSAuto\bin\driver\x64WDV\WdfCoInstaller01009.dll

Filesize
68KB

MD5
be566e174eaf5b93b0474593cd8f2715

SHA1
350ca8482be913dd9ca7a279fb5680a884402e26

SHA256
cee8496bfa1080fd84fc48ba4375625238900fe93ea739b2dc0300206fde8330

SHA512
fc608acd903daf17250b8ee0f2491458cf06eca9856988fce6b8134f8deb2a3716c3641977d24e3614c9abf344184225bffeeb25212d374988115b15d0ce4b5b

Download Submit
\ProgramData\KMSAuto\bin\driver\x64WDV\WdfCoInstaller01009.dll

Filesize
68KB

MD5
be566e174eaf5b93b0474593cd8f2715

SHA1
350ca8482be913dd9ca7a279fb5680a884402e26

SHA256
cee8496bfa1080fd84fc48ba4375625238900fe93ea739b2dc0300206fde8330

SHA512
fc608acd903daf17250b8ee0f2491458cf06eca9856988fce6b8134f8deb2a3716c3641977d24e3614c9abf344184225bffeeb25212d374988115b15d0ce4b5b

Download Submit
\ProgramData\KMSAuto\bin\driver\x64WDV\WdfCoInstaller01009.dll

Filesize
68KB

MD5
be566e174eaf5b93b0474593cd8f2715

SHA1
350ca8482be913dd9ca7a279fb5680a884402e26

SHA256
cee8496bfa1080fd84fc48ba4375625238900fe93ea739b2dc0300206fde8330

SHA512
fc608acd903daf17250b8ee0f2491458cf06eca9856988fce6b8134f8deb2a3716c3641977d24e3614c9abf344184225bffeeb25212d374988115b15d0ce4b5b

Download Submit
\ProgramData\KMSAuto\bin\driver\x64WDV\WdfCoInstaller01009.dll

Filesize
68KB

MD5
be566e174eaf5b93b0474593cd8f2715

SHA1
350ca8482be913dd9ca7a279fb5680a884402e26

SHA256
cee8496bfa1080fd84fc48ba4375625238900fe93ea739b2dc0300206fde8330

SHA512
fc608acd903daf17250b8ee0f2491458cf06eca9856988fce6b8134f8deb2a3716c3641977d24e3614c9abf344184225bffeeb25212d374988115b15d0ce4b5b

Download Submit
\ProgramData\KMSAuto\bin\driver\x64WDV\WdfCoInstaller01009.dll

Filesize
68KB

MD5
be566e174eaf5b93b0474593cd8f2715

SHA1
350ca8482be913dd9ca7a279fb5680a884402e26

SHA256
cee8496bfa1080fd84fc48ba4375625238900fe93ea739b2dc0300206fde8330

SHA512
fc608acd903daf17250b8ee0f2491458cf06eca9856988fce6b8134f8deb2a3716c3641977d24e3614c9abf344184225bffeeb25212d374988115b15d0ce4b5b

Download Submit
\ProgramData\KMSAuto\bin\driver\x64WDV\WinDivert.dll

Filesize
16KB

MD5
3f0c03e5076c7e6b404f894ff4dc5bb1

SHA1
9cf99c875e6acd4b12e0eddd5fa51d296ea4998e

SHA256
4e7ebed8410c83b73a23185aa94680143da2933305cd6deefe8ec0b51b7ee6f3

SHA512
20de17d511cc1b3f283a28423f5bdfaef36f104d62c33a1da6449c528d1d8e4986afe8ef68e590add9262c3c7441132022a049022d14deba08a8c72e139f78f4

Download Submit
\ProgramData\KMSAuto\bin\driver\x64WDV\WinDivert.dll

Filesize
16KB

MD5
3f0c03e5076c7e6b404f894ff4dc5bb1

SHA1
9cf99c875e6acd4b12e0eddd5fa51d296ea4998e

SHA256
4e7ebed8410c83b73a23185aa94680143da2933305cd6deefe8ec0b51b7ee6f3

SHA512
20de17d511cc1b3f283a28423f5bdfaef36f104d62c33a1da6449c528d1d8e4986afe8ef68e590add9262c3c7441132022a049022d14deba08a8c72e139f78f4

Download Submit
\ProgramData\KMSAuto\bin\driver\x64WDV\WinDivert.dll

Filesize
16KB

MD5
3f0c03e5076c7e6b404f894ff4dc5bb1

SHA1
9cf99c875e6acd4b12e0eddd5fa51d296ea4998e

SHA256
4e7ebed8410c83b73a23185aa94680143da2933305cd6deefe8ec0b51b7ee6f3

SHA512
20de17d511cc1b3f283a28423f5bdfaef36f104d62c33a1da6449c528d1d8e4986afe8ef68e590add9262c3c7441132022a049022d14deba08a8c72e139f78f4

Download Submit
\ProgramData\KMSAuto\bin\driver\x64WDV\WinDivert.dll

Filesize
16KB

MD5
3f0c03e5076c7e6b404f894ff4dc5bb1

SHA1
9cf99c875e6acd4b12e0eddd5fa51d296ea4998e

SHA256
4e7ebed8410c83b73a23185aa94680143da2933305cd6deefe8ec0b51b7ee6f3

SHA512
20de17d511cc1b3f283a28423f5bdfaef36f104d62c33a1da6449c528d1d8e4986afe8ef68e590add9262c3c7441132022a049022d14deba08a8c72e139f78f4

Download Submit
\ProgramData\KMSAuto\bin\driver\x64WDV\WinDivert.dll

Filesize
16KB

MD5
3f0c03e5076c7e6b404f894ff4dc5bb1

SHA1
9cf99c875e6acd4b12e0eddd5fa51d296ea4998e

SHA256
4e7ebed8410c83b73a23185aa94680143da2933305cd6deefe8ec0b51b7ee6f3

SHA512
20de17d511cc1b3f283a28423f5bdfaef36f104d62c33a1da6449c528d1d8e4986afe8ef68e590add9262c3c7441132022a049022d14deba08a8c72e139f78f4

Download Submit
\ProgramData\KMSAuto\bin\driver\x64WDV\WinDivert.dll

Filesize
16KB

MD5
3f0c03e5076c7e6b404f894ff4dc5bb1

SHA1
9cf99c875e6acd4b12e0eddd5fa51d296ea4998e

SHA256
4e7ebed8410c83b73a23185aa94680143da2933305cd6deefe8ec0b51b7ee6f3

SHA512
20de17d511cc1b3f283a28423f5bdfaef36f104d62c33a1da6449c528d1d8e4986afe8ef68e590add9262c3c7441132022a049022d14deba08a8c72e139f78f4

Download Submit
\ProgramData\KMSAuto\bin\driver\x64WDV\WinDivert.dll

Filesize
16KB

MD5
3f0c03e5076c7e6b404f894ff4dc5bb1

SHA1
9cf99c875e6acd4b12e0eddd5fa51d296ea4998e

SHA256
4e7ebed8410c83b73a23185aa94680143da2933305cd6deefe8ec0b51b7ee6f3

SHA512
20de17d511cc1b3f283a28423f5bdfaef36f104d62c33a1da6449c528d1d8e4986afe8ef68e590add9262c3c7441132022a049022d14deba08a8c72e139f78f4

Download Submit
memory/948-185-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/948-184-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/948-183-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/5104-152-0x0000000005830000-0x00000000058CC000-memory.dmp

Filesize
624KB

Download
memory/5104-115-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/5104-162-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/5104-164-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/5104-165-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/5104-166-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/5104-167-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/5104-161-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/5104-160-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/5104-159-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/5104-168-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/5104-158-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/5104-157-0x00000000058D0000-0x0000000005962000-memory.dmp

Filesize
584KB

Download
memory/5104-156-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/5104-155-0x0000000005DD0000-0x00000000062CE000-memory.dmp

Filesize
5.0MB

Download
memory/5104-154-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/5104-153-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/5104-169-0x0000000005760000-0x000000000576A000-memory.dmp

Filesize
40KB

Download
memory/5104-151-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/5104-150-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/5104-149-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/5104-170-0x0000000005A30000-0x0000000005A86000-memory.dmp

Filesize
344KB

Download
memory/5104-116-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/5104-171-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/5104-148-0x00000000008B0000-0x0000000000F58000-memory.dmp

Filesize
6.7MB

Download
memory/5104-147-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/5104-146-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/5104-145-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/5104-144-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/5104-143-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/5104-142-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/5104-141-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/5104-172-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/5104-163-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/5104-173-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/5104-174-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/5104-175-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/5104-176-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/5104-140-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/5104-139-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/5104-138-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/5104-137-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/5104-136-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/5104-135-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/5104-134-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/5104-133-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/5104-132-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/5104-131-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/5104-130-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/5104-129-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/5104-177-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/5104-128-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/5104-179-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/5104-178-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/5104-127-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/5104-180-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/5104-126-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/5104-125-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/5104-124-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/5104-181-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/5104-123-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/5104-122-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/5104-121-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/5104-120-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/5104-119-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/5104-118-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/5104-117-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download