e7ec8e39fdfb299ab485a701fa6b18853e5e5fced4360abe9a65037d3457c731

Analysis

max time kernel
271s
max time network
212s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
25-02-2023 09:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Activador Office 2019/Programs/KMSAuto Lite Portable v1.4.0/KMSAuto.exe
Size

3.5MB
MD5

848874fbb3932941804e383c3a7df4c1
SHA1

9e0a0313e6b9850d5c38066193b41c6586660d4f
SHA256

ef46ed3faa5ef8cd58bdde77cc7d5547dca57e3216b7cf3d32d3b77a55c92a26
SHA512

299e90b574773044319a807050cbff3219d6362258129387d79da09391442b3480bd3c6a7917ad19d15ece000d32d11abcf56ac1e7d4b0b8a06cb895a440b701
SSDEEP

98304:DTgfYUkkf9GdLj1gsR7eYxSJe6KyvrFQnL39W7hSHUsNKiyzoxQyqoIEU:DTCRt+PxAe6VY39WqUssi3qa

Score

8^/10

evasion persistence upx

Malware Config

Signatures

Creates new service(s) 1 TTPs
persistence

New Service
T1050
Modifies Windows Firewall 1 TTPs 6 IoCs
evasion

Modify Existing Service
T1031

Processes:

netsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exe

pid process

268 netsh.exe
1424 netsh.exe
1412 netsh.exe
316 netsh.exe
1944 netsh.exe
1736 netsh.exe

pid	process
268	netsh.exe
1424	netsh.exe
1412	netsh.exe
316	netsh.exe
1944	netsh.exe
1736	netsh.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

KMSAuto.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\KMSEmulator\ImagePath = "\"C:\\Windows\\Temp\\KMSAuto_Files\\bin\\KMSSS.exe\" -Port 1688 -PWin RandomKMSPID -PO14 RandomKMSPID -PO15 RandomKMSPID -PO16 RandomKMSPID -AI 43200 -RI 43200 KillProcessOnPort -Log -IP"	KMSAuto.exe

Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489
Executes dropped EXE 1 IoCs

Processes:

KMSSS.exe

pid process

1756 KMSSS.exe

pid	process
1756	KMSSS.exe

UPX packed file 11 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral9/memory/2024-54-0x0000000000400000-0x00000000008C5000-memory.dmp	upx
behavioral9/memory/2024-55-0x0000000000400000-0x00000000008C5000-memory.dmp	upx
behavioral9/memory/2024-57-0x0000000000400000-0x00000000008C5000-memory.dmp	upx
behavioral9/memory/2024-58-0x0000000000400000-0x00000000008C5000-memory.dmp	upx
behavioral9/memory/2024-60-0x0000000000400000-0x00000000008C5000-memory.dmp	upx
behavioral9/memory/2024-65-0x0000000000400000-0x00000000008C5000-memory.dmp	upx
behavioral9/memory/2024-100-0x0000000000400000-0x00000000008C5000-memory.dmp	upx
behavioral9/memory/2024-103-0x0000000000400000-0x00000000008C5000-memory.dmp	upx
behavioral9/memory/2024-104-0x0000000000400000-0x00000000008C5000-memory.dmp	upx
behavioral9/memory/2024-108-0x0000000000400000-0x00000000008C5000-memory.dmp	upx
behavioral9/memory/2024-111-0x0000000000400000-0x00000000008C5000-memory.dmp	upx

Launches sc.exe 4 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exe

pid process

2004 sc.exe
1128 sc.exe
1164 sc.exe
816 sc.exe

pid	process
2004	sc.exe
1128	sc.exe
1164	sc.exe
816	sc.exe

Suspicious use of AdjustPrivilegeToken 40 IoCs

Processes:

WMIC.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	1624	WMIC.exe
Token: SeSecurityPrivilege	1624	WMIC.exe
Token: SeTakeOwnershipPrivilege	1624	WMIC.exe
Token: SeLoadDriverPrivilege	1624	WMIC.exe
Token: SeSystemProfilePrivilege	1624	WMIC.exe
Token: SeSystemtimePrivilege	1624	WMIC.exe
Token: SeProfSingleProcessPrivilege	1624	WMIC.exe
Token: SeIncBasePriorityPrivilege	1624	WMIC.exe
Token: SeCreatePagefilePrivilege	1624	WMIC.exe
Token: SeBackupPrivilege	1624	WMIC.exe
Token: SeRestorePrivilege	1624	WMIC.exe
Token: SeShutdownPrivilege	1624	WMIC.exe
Token: SeDebugPrivilege	1624	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1624	WMIC.exe
Token: SeRemoteShutdownPrivilege	1624	WMIC.exe
Token: SeUndockPrivilege	1624	WMIC.exe
Token: SeManageVolumePrivilege	1624	WMIC.exe
Token: 33	1624	WMIC.exe
Token: 34	1624	WMIC.exe
Token: 35	1624	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1624	WMIC.exe
Token: SeSecurityPrivilege	1624	WMIC.exe
Token: SeTakeOwnershipPrivilege	1624	WMIC.exe
Token: SeLoadDriverPrivilege	1624	WMIC.exe
Token: SeSystemProfilePrivilege	1624	WMIC.exe
Token: SeSystemtimePrivilege	1624	WMIC.exe
Token: SeProfSingleProcessPrivilege	1624	WMIC.exe
Token: SeIncBasePriorityPrivilege	1624	WMIC.exe
Token: SeCreatePagefilePrivilege	1624	WMIC.exe
Token: SeBackupPrivilege	1624	WMIC.exe
Token: SeRestorePrivilege	1624	WMIC.exe
Token: SeShutdownPrivilege	1624	WMIC.exe
Token: SeDebugPrivilege	1624	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1624	WMIC.exe
Token: SeRemoteShutdownPrivilege	1624	WMIC.exe
Token: SeUndockPrivilege	1624	WMIC.exe
Token: SeManageVolumePrivilege	1624	WMIC.exe
Token: 33	1624	WMIC.exe
Token: 34	1624	WMIC.exe
Token: 35	1624	WMIC.exe

Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

KMSAuto.exe

pid process

2024 KMSAuto.exe
2024 KMSAuto.exe
2024 KMSAuto.exe
2024 KMSAuto.exe

pid	process
2024	KMSAuto.exe
2024	KMSAuto.exe
2024	KMSAuto.exe
2024	KMSAuto.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

KMSAuto.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 2024 wrote to memory of 1984	2024	KMSAuto.exe	cmd.exe
PID 2024 wrote to memory of 1984	2024	KMSAuto.exe	cmd.exe
PID 2024 wrote to memory of 1984	2024	KMSAuto.exe	cmd.exe
PID 2024 wrote to memory of 1984	2024	KMSAuto.exe	cmd.exe
PID 2024 wrote to memory of 280	2024	KMSAuto.exe	cmd.exe
PID 2024 wrote to memory of 280	2024	KMSAuto.exe	cmd.exe
PID 2024 wrote to memory of 280	2024	KMSAuto.exe	cmd.exe
PID 2024 wrote to memory of 280	2024	KMSAuto.exe	cmd.exe
PID 280 wrote to memory of 1412	280	cmd.exe	netsh.exe
PID 280 wrote to memory of 1412	280	cmd.exe	netsh.exe
PID 280 wrote to memory of 1412	280	cmd.exe	netsh.exe
PID 2024 wrote to memory of 548	2024	KMSAuto.exe	cmd.exe
PID 2024 wrote to memory of 548	2024	KMSAuto.exe	cmd.exe
PID 2024 wrote to memory of 548	2024	KMSAuto.exe	cmd.exe
PID 2024 wrote to memory of 548	2024	KMSAuto.exe	cmd.exe
PID 548 wrote to memory of 316	548	cmd.exe	netsh.exe
PID 548 wrote to memory of 316	548	cmd.exe	netsh.exe
PID 548 wrote to memory of 316	548	cmd.exe	netsh.exe
PID 2024 wrote to memory of 1640	2024	KMSAuto.exe	cmd.exe
PID 2024 wrote to memory of 1640	2024	KMSAuto.exe	cmd.exe
PID 2024 wrote to memory of 1640	2024	KMSAuto.exe	cmd.exe
PID 2024 wrote to memory of 1640	2024	KMSAuto.exe	cmd.exe
PID 1640 wrote to memory of 1944	1640	cmd.exe	netsh.exe
PID 1640 wrote to memory of 1944	1640	cmd.exe	netsh.exe
PID 1640 wrote to memory of 1944	1640	cmd.exe	netsh.exe
PID 2024 wrote to memory of 1644	2024	KMSAuto.exe	cmd.exe
PID 2024 wrote to memory of 1644	2024	KMSAuto.exe	cmd.exe
PID 2024 wrote to memory of 1644	2024	KMSAuto.exe	cmd.exe
PID 2024 wrote to memory of 1644	2024	KMSAuto.exe	cmd.exe
PID 1644 wrote to memory of 1736	1644	cmd.exe	netsh.exe
PID 1644 wrote to memory of 1736	1644	cmd.exe	netsh.exe
PID 1644 wrote to memory of 1736	1644	cmd.exe	netsh.exe
PID 2024 wrote to memory of 1420	2024	KMSAuto.exe	cmd.exe
PID 2024 wrote to memory of 1420	2024	KMSAuto.exe	cmd.exe
PID 2024 wrote to memory of 1420	2024	KMSAuto.exe	cmd.exe
PID 2024 wrote to memory of 1420	2024	KMSAuto.exe	cmd.exe
PID 1420 wrote to memory of 1164	1420	cmd.exe	sc.exe
PID 1420 wrote to memory of 1164	1420	cmd.exe	sc.exe
PID 1420 wrote to memory of 1164	1420	cmd.exe	sc.exe
PID 2024 wrote to memory of 928	2024	KMSAuto.exe	cmd.exe
PID 2024 wrote to memory of 928	2024	KMSAuto.exe	cmd.exe
PID 2024 wrote to memory of 928	2024	KMSAuto.exe	cmd.exe
PID 2024 wrote to memory of 928	2024	KMSAuto.exe	cmd.exe
PID 928 wrote to memory of 816	928	cmd.exe	sc.exe
PID 928 wrote to memory of 816	928	cmd.exe	sc.exe
PID 928 wrote to memory of 816	928	cmd.exe	sc.exe
PID 2024 wrote to memory of 1128	2024	KMSAuto.exe	reg.exe
PID 2024 wrote to memory of 1128	2024	KMSAuto.exe	reg.exe
PID 2024 wrote to memory of 1128	2024	KMSAuto.exe	reg.exe
PID 2024 wrote to memory of 1128	2024	KMSAuto.exe	reg.exe
PID 2024 wrote to memory of 268	2024	KMSAuto.exe	cmd.exe
PID 2024 wrote to memory of 268	2024	KMSAuto.exe	cmd.exe
PID 2024 wrote to memory of 268	2024	KMSAuto.exe	cmd.exe
PID 2024 wrote to memory of 268	2024	KMSAuto.exe	cmd.exe
PID 268 wrote to memory of 1184	268	cmd.exe	reg.exe
PID 268 wrote to memory of 1184	268	cmd.exe	reg.exe
PID 268 wrote to memory of 1184	268	cmd.exe	reg.exe
PID 2024 wrote to memory of 1492	2024	KMSAuto.exe	cmd.exe
PID 2024 wrote to memory of 1492	2024	KMSAuto.exe	cmd.exe
PID 2024 wrote to memory of 1492	2024	KMSAuto.exe	cmd.exe
PID 2024 wrote to memory of 1492	2024	KMSAuto.exe	cmd.exe
PID 1492 wrote to memory of 1496	1492	cmd.exe	reg.exe
PID 1492 wrote to memory of 1496	1492	cmd.exe	reg.exe
PID 1492 wrote to memory of 1496	1492	cmd.exe	reg.exe

C:\Users\Admin\AppData\Local\Temp\Activador Office 2019\Programs\KMSAuto Lite Portable v1.4.0\KMSAuto.exe
"C:\Users\Admin\AppData\Local\Temp\Activador Office 2019\Programs\KMSAuto Lite Portable v1.4.0\KMSAuto.exe"
1⤵
- Sets service image path in registry
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2024

C:\Windows\system32\cmd.exe
"C:\Windows\Sysnative\cmd.exe" /c copy C:\Windows\system32\Tasks\KMSAuto "C:\Users\Admin\AppData\Local\Temp\KMSAuto.tmp" /Y
2⤵
PID:1984

C:\Windows\system32\cmd.exe
"C:\Windows\Sysnative\cmd.exe" /c Netsh.exe Advfirewall Firewall delete rule name=0pen_Port_KMS protocol=TCP
2⤵
- Suspicious use of WriteProcessMemory
PID:280

C:\Windows\system32\netsh.exe
Netsh.exe Advfirewall Firewall delete rule name=0pen_Port_KMS protocol=TCP
3⤵
- Modifies Windows Firewall
PID:1412

C:\Windows\system32\cmd.exe
"C:\Windows\Sysnative\cmd.exe" /c Netsh.exe Advfirewall Firewall add rule name=0pen_Port_KMS dir=in action=allow protocol=TCP localport=1688
2⤵
- Suspicious use of WriteProcessMemory
PID:548

C:\Windows\system32\netsh.exe
Netsh.exe Advfirewall Firewall add rule name=0pen_Port_KMS dir=in action=allow protocol=TCP localport=1688
3⤵
- Modifies Windows Firewall
PID:316

C:\Windows\system32\cmd.exe
"C:\Windows\Sysnative\cmd.exe" /c Netsh.exe Advfirewall Firewall delete rule name=0pen_Port_KMS2 protocol=TCP
2⤵
- Suspicious use of WriteProcessMemory
PID:1640

C:\Windows\system32\netsh.exe
Netsh.exe Advfirewall Firewall delete rule name=0pen_Port_KMS2 protocol=TCP
3⤵
- Modifies Windows Firewall
PID:1944

C:\Windows\system32\cmd.exe
"C:\Windows\Sysnative\cmd.exe" /c Netsh.exe Advfirewall Firewall add rule name=0pen_Port_KMS2 dir=out action=allow protocol=TCP localport=1688
2⤵
- Suspicious use of WriteProcessMemory
PID:1644

C:\Windows\system32\netsh.exe
Netsh.exe Advfirewall Firewall add rule name=0pen_Port_KMS2 dir=out action=allow protocol=TCP localport=1688
3⤵
- Modifies Windows Firewall
PID:1736

C:\Windows\system32\cmd.exe
"C:\Windows\Sysnative\cmd.exe" /c sc.exe create KMSEmulator binpath= temp.exe type= own start= auto
2⤵
- Suspicious use of WriteProcessMemory
PID:1420

C:\Windows\system32\sc.exe
sc.exe create KMSEmulator binpath= temp.exe type= own start= auto
3⤵
- Launches sc.exe
PID:1164

C:\Windows\system32\cmd.exe
"C:\Windows\Sysnative\cmd.exe" /c sc.exe start KMSEmulator
2⤵
- Suspicious use of WriteProcessMemory
PID:928

C:\Windows\system32\sc.exe
sc.exe start KMSEmulator
3⤵
- Launches sc.exe
PID:816

C:\Windows\system32\reg.exe
"C:\Windows\Sysnative\reg.exe" DELETE "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\55c92734-d682-4d71-983e-d6ec3f16059f" /f /reg:64
2⤵
PID:1128

C:\Windows\system32\cmd.exe
"C:\Windows\Sysnative\cmd.exe" /c reg.exe add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /f /v KeyManagementServiceName /d 127.0.0.2 /t REG_SZ /reg:32
2⤵
- Suspicious use of WriteProcessMemory
PID:268

C:\Windows\System32\reg.exe
reg.exe add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /f /v KeyManagementServiceName /d 127.0.0.2 /t REG_SZ /reg:32
3⤵
PID:1184

C:\Windows\system32\cmd.exe
"C:\Windows\Sysnative\cmd.exe" /c reg.exe add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /f /v KeyManagementServicePort /d 1688 /t REG_SZ /reg:32
2⤵
- Suspicious use of WriteProcessMemory
PID:1492

C:\Windows\System32\reg.exe
reg.exe add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /f /v KeyManagementServicePort /d 1688 /t REG_SZ /reg:32
3⤵
PID:1496

C:\Windows\system32\cmd.exe
"C:\Windows\Sysnative\cmd.exe" /c reg.exe add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /f /v KeyManagementServiceName /d 127.0.0.2 /t REG_SZ /reg:64
2⤵
PID:660

C:\Windows\System32\reg.exe
reg.exe add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /f /v KeyManagementServiceName /d 127.0.0.2 /t REG_SZ /reg:64
3⤵
PID:1372

C:\Windows\system32\cmd.exe
"C:\Windows\Sysnative\cmd.exe" /c reg.exe add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /f /v KeyManagementServicePort /d 1688 /t REG_SZ /reg:64
2⤵
PID:820

C:\Windows\System32\reg.exe
reg.exe add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /f /v KeyManagementServicePort /d 1688 /t REG_SZ /reg:64
3⤵
PID:1800

C:\Windows\system32\cmd.exe
"C:\Windows\Sysnative\cmd.exe" /c cscript //nologo "C:\Users\Admin\AppData\Local\Temp\slmgr.vbs" /skms 127.0.0.2:1688
2⤵
PID:664

C:\Windows\system32\cscript.exe
cscript //nologo "C:\Users\Admin\AppData\Local\Temp\slmgr.vbs" /skms 127.0.0.2:1688
3⤵
PID:1396

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c wmic path SoftwareLicensingProduct where (Name LIKE 'Windows%%' And PartialProductKey is Not NULL) get Name /FORMAT:List
2⤵
PID:932

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic path SoftwareLicensingProduct where (Name LIKE 'Windows%%' And PartialProductKey is Not NULL) get Name /FORMAT:List
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1624

C:\Windows\system32\cmd.exe
"C:\Windows\Sysnative\cmd.exe" /c cscript //nologo "C:\Users\Admin\AppData\Local\Temp\slmgr.vbs" /ato
2⤵
PID:1644

C:\Windows\system32\cscript.exe
cscript //nologo "C:\Users\Admin\AppData\Local\Temp\slmgr.vbs" /ato
3⤵
PID:1320

C:\Windows\system32\cmd.exe
"C:\Windows\Sysnative\cmd.exe" /c sc.exe stop KMSEmulator
2⤵
PID:1612

C:\Windows\system32\sc.exe
sc.exe stop KMSEmulator
3⤵
- Launches sc.exe
PID:2004

C:\Windows\system32\cmd.exe
"C:\Windows\Sysnative\cmd.exe" /c sc.exe delete KMSEmulator
2⤵
PID:1352

C:\Windows\system32\sc.exe
sc.exe delete KMSEmulator
3⤵
- Launches sc.exe
PID:1128

C:\Windows\system32\cmd.exe
"C:\Windows\Sysnative\cmd.exe" /c Netsh.exe Advfirewall Firewall delete rule name=0pen_Port_KMS protocol=TCP
2⤵
PID:1324

C:\Windows\system32\netsh.exe
Netsh.exe Advfirewall Firewall delete rule name=0pen_Port_KMS protocol=TCP
3⤵
- Modifies Windows Firewall
PID:268

C:\Windows\system32\cmd.exe
"C:\Windows\Sysnative\cmd.exe" /c Netsh.exe Advfirewall Firewall delete rule name=0pen_Port_KMS2 protocol=TCP
2⤵
PID:1492

C:\Windows\system32\netsh.exe
Netsh.exe Advfirewall Firewall delete rule name=0pen_Port_KMS2 protocol=TCP
3⤵
- Modifies Windows Firewall
PID:1424

C:\Windows\Temp\KMSAuto_Files\bin\KMSSS.exe
"C:\Windows\Temp\KMSAuto_Files\bin\KMSSS.exe" -Port 1688 -PWin RandomKMSPID -PO14 RandomKMSPID -PO15 RandomKMSPID -PO16 RandomKMSPID -AI 43200 -RI 43200 KillProcessOnPort -Log -IP
1⤵
- Executes dropped EXE
PID:1756

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

New Service

T1050

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

New Service

T1050

Defense Evasion

Modify Registry

T1112

Impair Defenses

T1562

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\slmgr.vbs
Filesize
110KB

MD5
38482a5013d8ab40df0fb15eae022c57

SHA1
5a4a7f261307721656c11b5cc097cde1cf791073

SHA256
ac5c46b97345465a96e9ae1edaff44b191a39bf3d03dc1128090b8ffa92a16f8

SHA512
29c1348014ac448fb9c1a72bfd0ab16cdd62b628dc64827b02965b96ba851e9265c4426007181d2aa08f8fb7853142cc01fc6e4d89bec8fc25f3d340d3857331

Download Submit
C:\Windows\Temp\KMSAuto_Files\bin\KMSSS.exe
Filesize
33KB

MD5
463c7ce8e2ec2c33536e9697c0eeba7d

SHA1
8aba9b67484c647a9a01cac8c7a7170f1e7fe0a5

SHA256
d3ed9d3b8dd6a6a8dfa0a9bb02374b079e8e0c33e600677ef15bfa19264c4f04

SHA512
4f175d6ac12e53b32e8baaad058eda33378c5c0ca67c06ae77b5d7b4a1344d70a2a8e932a71c510a038fb6b19e2c280921bcfc64ed62a7906264844f7f121c41

Download Submit
C:\Windows\Temp\KMSAuto_Files\bin\KMSSS.log
Filesize
773B

MD5
0b3e543a782b30fb03f78b3d32530fb6

SHA1
fb3e6c805e0c4c6e9496cf90fe2147233fe95845

SHA256
c01391354094ad042b03f8b9162a32f8f99f5364499f3817b935d5db7d3f55c9

SHA512
10b94ad045d0d7ff4a2c03a312d66a6bdd6216d252792599b2c3d5cc2d650d049b2c7a74dbd642990c1bf27ea1b7d8547ab18f968a4ef45a7bdf6100de0a3504

Download Submit
C:\Windows\Temp\KMSAuto_Files\bin\KMSSS.log
Filesize
773B

MD5
0b3e543a782b30fb03f78b3d32530fb6

SHA1
fb3e6c805e0c4c6e9496cf90fe2147233fe95845

SHA256
c01391354094ad042b03f8b9162a32f8f99f5364499f3817b935d5db7d3f55c9

SHA512
10b94ad045d0d7ff4a2c03a312d66a6bdd6216d252792599b2c3d5cc2d650d049b2c7a74dbd642990c1bf27ea1b7d8547ab18f968a4ef45a7bdf6100de0a3504

Download Submit
memory/2024-100-0x0000000000400000-0x00000000008C5000-memory.dmp

Filesize
4.8MB

Download
memory/2024-65-0x0000000000400000-0x00000000008C5000-memory.dmp

Filesize
4.8MB

Download
memory/2024-54-0x0000000000400000-0x00000000008C5000-memory.dmp

Filesize
4.8MB

Download
memory/2024-60-0x0000000000400000-0x00000000008C5000-memory.dmp

Filesize
4.8MB

Download
memory/2024-57-0x0000000000400000-0x00000000008C5000-memory.dmp

Filesize
4.8MB

Download
memory/2024-55-0x0000000000400000-0x00000000008C5000-memory.dmp

Filesize
4.8MB

Download
memory/2024-103-0x0000000000400000-0x00000000008C5000-memory.dmp

Filesize
4.8MB

Download
memory/2024-104-0x0000000000400000-0x00000000008C5000-memory.dmp

Filesize
4.8MB

Download
memory/2024-58-0x0000000000400000-0x00000000008C5000-memory.dmp

Filesize
4.8MB

Download
memory/2024-108-0x0000000000400000-0x00000000008C5000-memory.dmp

Filesize
4.8MB

Download
memory/2024-111-0x0000000000400000-0x00000000008C5000-memory.dmp

Filesize
4.8MB

Download