Overview: 8
Static: 7
Activador OFFICE.rar (windows7-x64): 3
Activador OFFICE.rar (windows10-2004-x64): 3
Activador ...le.chm (windows7-x64): 1
Activador ...le.chm (windows10-2004-x64): 1
Activador ...ls.exe (windows7-x64): 8
Activador ...ls.exe (windows10-2004-x64): 8
Activador ...64.exe (windows7-x64): 8
Activador ...64.exe (windows10-2004-x64): 8
Activador ...to.exe (windows7-x64): 8
Activador ...to.exe (windows10-2004-x64): 7
Activador ...ol.exe (windows7-x64): 1
Activador ...ol.exe (windows10-2004-x64): 1
Analysis
- max time kernel: 270s
- max time network: 57s
- platform: windows7_x64
- resource: win7-20230220-en
- resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
- submitted: 25-02-2023 09:28
Behavioral task
behavioral1
Sample
Activador OFFICE.rar
Resource
win7-20230220-en
Behavioral task
behavioral2
Sample
Activador OFFICE.rar
Resource
win10v2004-20230220-en
Behavioral task
behavioral3
Sample
Activador Office 2019/KMS Tools Portable.chm
Resource
win7-20230220-en
Behavioral task
behavioral4
Sample
Activador Office 2019/KMS Tools Portable.chm
Resource
win10v2004-20230220-en
Behavioral task
behavioral5
Sample
Activador Office 2019/KMSTools.exe
Resource
win7-20230220-en
Behavioral task
behavioral6
Sample
Activador Office 2019/KMSTools.exe
Resource
win10v2004-20230220-en
Behavioral task
behavioral7
Sample
Activador Office 2019/Programs/KMSAuto Lite Portable v1.4.0/KMSAuto x64.exe
Resource
win7-20230220-en
Behavioral task
behavioral8
Sample
Activador Office 2019/Programs/KMSAuto Lite Portable v1.4.0/KMSAuto x64.exe
Resource
win10v2004-20230220-en
Behavioral task
behavioral9
Sample
Activador Office 2019/Programs/KMSAuto Lite Portable v1.4.0/KMSAuto.exe
Resource
win7-20230220-en
Behavioral task
behavioral10
Sample
Activador Office 2019/Programs/KMSAuto Lite Portable v1.4.0/KMSAuto.exe
Resource
win10v2004-20230220-en
Behavioral task
behavioral11
Sample
Activador Office 2019/Programs/signtool.exe
Resource
win7-20230220-en
Behavioral task
behavioral12
Sample
Activador Office 2019/Programs/signtool.exe
Resource
win10v2004-20230220-en
General
-
Target
Activador Office 2019/KMSTools.exe
-
Size
34.5MB
-
MD5
7dcc580b7546be2871f978db8d313905
-
SHA1
60d9b7541c661e83664d043f2b7f99a62b10ee84
-
SHA256
5c2819ebc600adc7fcad0002e6056e824e1af35d1e16334e16199712850a208f
-
SHA512
dcba8d146e8c30d61828074ceac99dfcc73d52390975df7a29aca9f277fb56ddb8d2f2b02eb99ea328cca15ef24c907f5b03fb5690f5c788e29df7581849b4af
-
SSDEEP
786432:VMh6YzBjJ7AxVM4Hh0CBS3sHPGtHilqNngktysVidq6igVVRoVl:Kh66PAxV/Hh+3sGilqlToyiU6igQ
Malware Config
Signatures
-
Creates new service(s) 1 TTPs
-
Modifies Windows Firewall 1 TTPs 6 IoCs
Processes:
pid | process
1672 | netsh.exe
1744 | netsh.exe
1536 | netsh.exe
1644 | netsh.exe
1560 | netsh.exe
272 | netsh.exe
-
Sets service image path in registry 2 TTPs 1 IoCs
Processes:
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\KMSEmulator\ImagePath = "\"C:\\Windows\\Temp\\KMSAuto_Files\\bin\\KMSSS.exe\" -Port 1688 -PWin RandomKMSPID -PO14 RandomKMSPID -PO15 RandomKMSPID -PO16 RandomKMSPID -AI 43200 -RI 43200 KillProcessOnPort -Log -IP" | KMSAuto x64.exe
-
Stops running service(s) 3 TTPs
-
Executes dropped EXE 4 IoCs
Processes:
pid | process
940 | fver.exe
936 | 7zaxxx.exe
1060 | AAct_x64.exe
1656 | KMSSS.exe
-
Loads dropped DLL 5 IoCs
Processes:
pid | process
924 | KMSTools.exe
924 | KMSTools.exe
924 | KMSTools.exe
924 | KMSTools.exe
924 | KMSTools.exe
-
Processes:
resource | yara_rule
\Users\Admin\AppData\Local\Temp\Activador Office 2019\Programs\AAct v3.9.3 Portable\AAct_x64.exe | upx
C:\Users\Admin\AppData\Local\Temp\Activador Office 2019\Programs\AAct v3.9.3 Portable\AAct_x64.exe | upx
behavioral5/memory/1060-87-0x0000000140000000-0x00000001402E4000-memory.dmp | upx
behavioral5/memory/1508-174-0x0000000140000000-0x000000014051A000-memory.dmp | upx
behavioral5/memory/1508-210-0x0000000140000000-0x000000014051A000-memory.dmp | upx
behavioral5/memory/1508-256-0x0000000140000000-0x000000014051A000-memory.dmp | upx
behavioral5/memory/1508-257-0x0000000140000000-0x000000014051A000-memory.dmp | upx
behavioral5/memory/1508-261-0x0000000140000000-0x000000014051A000-memory.dmp | upx
behavioral5/memory/1508-262-0x0000000140000000-0x000000014051A000-memory.dmp | upx
-
Drops desktop.ini file(s) 2 IoCs
Processes:
description | ioc | process
File opened for modification | C:\Users\Admin\Saved Games\Microsoft Games\desktop.ini | solitaire.exe
File opened for modification | C:\Users\Admin\AppData\Local\Microsoft Games\Solitaire\desktop.ini | solitaire.exe
-
Launches sc.exe 4 IoCs
Sc.exe is a Windows utility to control services on the system.
Processes:
pid | process
1752 | sc.exe
1628 | sc.exe
1216 | sc.exe
1176 | sc.exe
-
Modifies registry class 8 IoCs
Processes:
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000_CLASSES\Local Settings\Software\Microsoft\Windows\GameUX\GameStats\{8669ECE8-D1C3-4345-8310-E60F6D44FDAF} | solitaire.exe
Key created | \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000_CLASSES\Local Settings | solitaire.exe
Key created | \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000_CLASSES\Local Settings\Software | solitaire.exe
Key created | \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000_CLASSES\Local Settings\Software\Microsoft | solitaire.exe
Key created | \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000_CLASSES\Local Settings\Software\Microsoft\Windows | solitaire.exe
Key created | \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000_CLASSES\Local Settings\Software\Microsoft\Windows\GameUX | solitaire.exe
Key created | \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000_CLASSES\Local Settings\Software\Microsoft\Windows\GameUX\GameStats | solitaire.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000_CLASSES\Local Settings\Software\Microsoft\Windows\GameUX\GameStats\{8669ECE8-D1C3-4345-8310-E60F6D44FDAF}\LastPlayed = "0" | solitaire.exe
-
Modifies registry key 1 TTPs 2 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
Processes:
pid | process
924 | KMSTools.exe
1508 | KMSAuto x64.exe
-
Suspicious use of AdjustPrivilegeToken 8 IoCs
Processes:
description | pid | process
Token: 33 | 1308 | AUDIODG.EXE
Token: SeIncBasePriorityPrivilege | 1308 | AUDIODG.EXE
Token: 33 | 1308 | AUDIODG.EXE
Token: SeIncBasePriorityPrivilege | 1308 | AUDIODG.EXE
Token: SeRestorePrivilege | 936 | 7zaxxx.exe
Token: 35 | 936 | 7zaxxx.exe
Token: SeSecurityPrivilege | 936 | 7zaxxx.exe
Token: SeSecurityPrivilege | 936 | 7zaxxx.exe
-
Suspicious use of FindShellTrayWindow 8 IoCs
Processes:
pid | process
924 | KMSTools.exe
924 | KMSTools.exe
924 | KMSTools.exe
924 | KMSTools.exe
924 | KMSTools.exe
1508 | KMSAuto x64.exe
1508 | KMSAuto x64.exe
1508 | KMSAuto x64.exe
-
Suspicious use of SendNotifyMessage 2 IoCs
Processes:
pid | process
924 | KMSTools.exe
924 | KMSTools.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
Level 1: C:\Users\Admin\AppData\Local\Temp\Activador Office 2019\KMSTools.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\Activador Office 2019\KMSTools.exe"
- Loads dropped DLL
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
Level 2: C:\Users\Admin\AppData\Local\Temp\fver.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\fver.exe" /D /A "C:\Users\Admin\AppData\Local\Temp\Activador Office 2019\Programs\KMSAuto Lite Portable v1.4.0\KMSAuto.exe"
- Executes dropped EXE
-
Level 2: C:\Windows\system32\cmd.exe
Command line: "C:\Windows\Sysnative\cmd.exe" /c copy C:\Windows\system32\Tasks\KMSTools "C:\Users\Admin\AppData\Local\Temp\KMSTools.tmp" /Y
-
Level 2: C:\Users\Admin\AppData\Local\Temp\7zaxxx.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\7zaxxx.exe" x data.pak -pkmstools -y -bsp1 -o"C:\Users\Admin\AppData\Local\Temp\Activador Office 2019\Programs" "AAct v"*
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
Level 2: C:\Users\Admin\AppData\Local\Temp\Activador Office 2019\Programs\AAct v3.9.3 Portable\AAct_x64.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\Activador Office 2019\Programs\AAct v3.9.3 Portable\AAct_x64.exe"
- Executes dropped EXE
-
Level 2: C:\Users\Admin\AppData\Local\Temp\Activador Office 2019\Programs\signtool.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\Activador Office 2019\Programs\signtool.exe" verify /v /ph /sha1 648384a4dee53d4c1c87e10d67cc99307ccc9c98 "C:\Users\Admin\AppData\Local\Temp\Activador Office 2019\Programs\KMSAuto Lite Portable v1.4.0\KMSAuto x64.exe"
-
Level 2: C:\Users\Admin\AppData\Local\Temp\Activador Office 2019\Programs\KMSAuto Lite Portable v1.4.0\KMSAuto x64.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\Activador Office 2019\Programs\KMSAuto Lite Portable v1.4.0\KMSAuto x64.exe"
- Sets service image path in registry
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
Level 3: C:\Windows\System32\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /c copy C:\Windows\system32\Tasks\KMSAuto "C:\Users\Admin\AppData\Local\Temp\KMSAuto.tmp" /Y
-
Level 3: C:\Windows\System32\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /c REG QUERY HKLM\Software\Microsoft\Office /s /v Path /reg:64
- Suspicious use of WriteProcessMemory
-
Level 4: C:\Windows\System32\reg.exe
Command line: REG QUERY HKLM\Software\Microsoft\Office /s /v Path /reg:64
- Modifies registry key
-
Level 3: C:\Windows\System32\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /c REG QUERY HKLM\Software\WOW6432Node\Microsoft\Office /s /v Path
- Suspicious use of WriteProcessMemory
-
Level 4: C:\Windows\System32\reg.exe
Command line: REG QUERY HKLM\Software\WOW6432Node\Microsoft\Office /s /v Path
- Modifies registry key
-
Level 3: C:\Windows\System32\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /c Netsh.exe Advfirewall Firewall delete rule name=0pen_Port_KMS protocol=TCP
- Suspicious use of WriteProcessMemory
-
Level 4: C:\Windows\system32\netsh.exe
Command line: Netsh.exe Advfirewall Firewall delete rule name=0pen_Port_KMS protocol=TCP
- Modifies Windows Firewall
-
Level 3: C:\Windows\System32\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /c Netsh.exe Advfirewall Firewall add rule name=0pen_Port_KMS dir=in action=allow protocol=TCP localport=1688
- Suspicious use of WriteProcessMemory
-
Level 4: C:\Windows\system32\netsh.exe
Command line: Netsh.exe Advfirewall Firewall add rule name=0pen_Port_KMS dir=in action=allow protocol=TCP localport=1688
- Modifies Windows Firewall
-
Level 3: C:\Windows\System32\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /c Netsh.exe Advfirewall Firewall delete rule name=0pen_Port_KMS2 protocol=TCP
- Suspicious use of WriteProcessMemory
-
Level 4: C:\Windows\system32\netsh.exe
Command line: Netsh.exe Advfirewall Firewall delete rule name=0pen_Port_KMS2 protocol=TCP
- Modifies Windows Firewall
-
Level 3: C:\Windows\System32\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /c Netsh.exe Advfirewall Firewall add rule name=0pen_Port_KMS2 dir=out action=allow protocol=TCP localport=1688
- Suspicious use of WriteProcessMemory
-
Level 4: C:\Windows\system32\netsh.exe
Command line: Netsh.exe Advfirewall Firewall add rule name=0pen_Port_KMS2 dir=out action=allow protocol=TCP localport=1688
- Modifies Windows Firewall
-
Level 3: C:\Windows\System32\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /c sc.exe create KMSEmulator binpath= temp.exe type= own start= auto
-
Level 4: C:\Windows\system32\sc.exe
Command line: sc.exe create KMSEmulator binpath= temp.exe type= own start= auto
- Launches sc.exe
-
Level 3: C:\Windows\System32\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /c sc.exe start KMSEmulator
-
Level 4: C:\Windows\system32\sc.exe
Command line: sc.exe start KMSEmulator
- Launches sc.exe
-
Level 3: C:\Windows\System32\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /c cscript //nologo "C:\Program Files (x86)\Microsoft Office\Office14\ospp.vbs" /sethst:127.0.0.2
-
Level 4: C:\Windows\system32\cscript.exe
Command line: cscript //nologo "C:\Program Files (x86)\Microsoft Office\Office14\ospp.vbs" /sethst:127.0.0.2
-
Level 3: C:\Windows\System32\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /c cscript //nologo "C:\Program Files (x86)\Microsoft Office\Office14\ospp.vbs" /setprt:1688
-
Level 4: C:\Windows\system32\cscript.exe
Command line: cscript //nologo "C:\Program Files (x86)\Microsoft Office\Office14\ospp.vbs" /setprt:1688
-
Level 3: C:\Windows\System32\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /c cscript //nologo "C:\Program Files (x86)\Microsoft Office\Office14\ospp.vbs" /act
-
Level 4: C:\Windows\system32\cscript.exe
Command line: cscript //nologo "C:\Program Files (x86)\Microsoft Office\Office14\ospp.vbs" /act
-
Level 3: C:\Windows\System32\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /c sc.exe stop KMSEmulator
-
Level 4: C:\Windows\system32\sc.exe
Command line: sc.exe stop KMSEmulator
- Launches sc.exe
-
Level 3: C:\Windows\System32\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /c sc.exe delete KMSEmulator
-
Level 4: C:\Windows\system32\sc.exe
Command line: sc.exe delete KMSEmulator
- Launches sc.exe
-
Level 3: C:\Windows\System32\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /c Netsh.exe Advfirewall Firewall delete rule name=0pen_Port_KMS protocol=TCP
-
Level 4: C:\Windows\system32\netsh.exe
Command line: Netsh.exe Advfirewall Firewall delete rule name=0pen_Port_KMS protocol=TCP
- Modifies Windows Firewall
-
Level 3: C:\Windows\System32\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /c Netsh.exe Advfirewall Firewall delete rule name=0pen_Port_KMS2 protocol=TCP
-
Level 4: C:\Windows\system32\netsh.exe
Command line: Netsh.exe Advfirewall Firewall delete rule name=0pen_Port_KMS2 protocol=TCP
- Modifies Windows Firewall
-
Level 1: C:\Windows\system32\AUDIODG.EXE
Command line: C:\Windows\system32\AUDIODG.EXE 0x49c
- Suspicious use of AdjustPrivilegeToken
-
Level 1: C:\Program Files\Microsoft Games\solitaire\solitaire.exe
Command line: "C:\Program Files\Microsoft Games\solitaire\solitaire.exe"
- Drops desktop.ini file(s)
- Modifies registry class
-
Level 1: C:\Windows\Temp\KMSAuto_Files\bin\KMSSS.exe
Command line: "C:\Windows\Temp\KMSAuto_Files\bin\KMSSS.exe" -Port 1688 -PWin RandomKMSPID -PO14 RandomKMSPID -PO15 RandomKMSPID -PO16 RandomKMSPID -AI 43200 -RI 43200 KillProcessOnPort -Log -IP
- Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads