Overview
overview
8Static
static
7Activador OFFICE.rar
windows7-x64
3Activador OFFICE.rar
windows10-2004-x64
3Activador ...le.chm
windows7-x64
1Activador ...le.chm
windows10-2004-x64
1Activador ...ls.exe
windows7-x64
8Activador ...ls.exe
windows10-2004-x64
8Activador ...64.exe
windows7-x64
8Activador ...64.exe
windows10-2004-x64
8Activador ...to.exe
windows7-x64
8Activador ...to.exe
windows10-2004-x64
7Activador ...ol.exe
windows7-x64
1Activador ...ol.exe
windows10-2004-x64
1Analysis
-
max time kernel
271s -
max time network
212s -
platform
windows7_x64 -
resource
win7-20230220-en -
resource tags
arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system -
submitted
25-02-2023 09:28
Behavioral task
behavioral1
Sample
Activador OFFICE.rar
Resource
win7-20230220-en
Behavioral task
behavioral2
Sample
Activador OFFICE.rar
Resource
win10v2004-20230220-en
Behavioral task
behavioral3
Sample
Activador Office 2019/KMS Tools Portable.chm
Resource
win7-20230220-en
Behavioral task
behavioral4
Sample
Activador Office 2019/KMS Tools Portable.chm
Resource
win10v2004-20230220-en
Behavioral task
behavioral5
Sample
Activador Office 2019/KMSTools.exe
Resource
win7-20230220-en
Behavioral task
behavioral6
Sample
Activador Office 2019/KMSTools.exe
Resource
win10v2004-20230220-en
Behavioral task
behavioral7
Sample
Activador Office 2019/Programs/KMSAuto Lite Portable v1.4.0/KMSAuto x64.exe
Resource
win7-20230220-en
Behavioral task
behavioral8
Sample
Activador Office 2019/Programs/KMSAuto Lite Portable v1.4.0/KMSAuto x64.exe
Resource
win10v2004-20230220-en
Behavioral task
behavioral9
Sample
Activador Office 2019/Programs/KMSAuto Lite Portable v1.4.0/KMSAuto.exe
Resource
win7-20230220-en
Behavioral task
behavioral10
Sample
Activador Office 2019/Programs/KMSAuto Lite Portable v1.4.0/KMSAuto.exe
Resource
win10v2004-20230220-en
Behavioral task
behavioral11
Sample
Activador Office 2019/Programs/signtool.exe
Resource
win7-20230220-en
Behavioral task
behavioral12
Sample
Activador Office 2019/Programs/signtool.exe
Resource
win10v2004-20230220-en
General
-
Target
Activador Office 2019/Programs/KMSAuto Lite Portable v1.4.0/KMSAuto.exe
-
Size
3.5MB
-
MD5
848874fbb3932941804e383c3a7df4c1
-
SHA1
9e0a0313e6b9850d5c38066193b41c6586660d4f
-
SHA256
ef46ed3faa5ef8cd58bdde77cc7d5547dca57e3216b7cf3d32d3b77a55c92a26
-
SHA512
299e90b574773044319a807050cbff3219d6362258129387d79da09391442b3480bd3c6a7917ad19d15ece000d32d11abcf56ac1e7d4b0b8a06cb895a440b701
-
SSDEEP
98304:DTgfYUkkf9GdLj1gsR7eYxSJe6KyvrFQnL39W7hSHUsNKiyzoxQyqoIEU:DTCRt+PxAe6VY39WqUssi3qa
Malware Config
Signatures
-
Creates new service(s) 1 TTPs
-
Modifies Windows Firewall 1 TTPs 6 IoCs
Processes:
netsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exepid process 268 netsh.exe 1424 netsh.exe 1412 netsh.exe 316 netsh.exe 1944 netsh.exe 1736 netsh.exe -
Sets service image path in registry 2 TTPs 1 IoCs
Processes:
KMSAuto.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\KMSEmulator\ImagePath = "\"C:\\Windows\\Temp\\KMSAuto_Files\\bin\\KMSSS.exe\" -Port 1688 -PWin RandomKMSPID -PO14 RandomKMSPID -PO15 RandomKMSPID -PO16 RandomKMSPID -AI 43200 -RI 43200 KillProcessOnPort -Log -IP" KMSAuto.exe -
Stops running service(s) 3 TTPs
-
Executes dropped EXE 1 IoCs
Processes:
KMSSS.exepid process 1756 KMSSS.exe -
Processes:
resource yara_rule behavioral9/memory/2024-54-0x0000000000400000-0x00000000008C5000-memory.dmp upx behavioral9/memory/2024-55-0x0000000000400000-0x00000000008C5000-memory.dmp upx behavioral9/memory/2024-57-0x0000000000400000-0x00000000008C5000-memory.dmp upx behavioral9/memory/2024-58-0x0000000000400000-0x00000000008C5000-memory.dmp upx behavioral9/memory/2024-60-0x0000000000400000-0x00000000008C5000-memory.dmp upx behavioral9/memory/2024-65-0x0000000000400000-0x00000000008C5000-memory.dmp upx behavioral9/memory/2024-100-0x0000000000400000-0x00000000008C5000-memory.dmp upx behavioral9/memory/2024-103-0x0000000000400000-0x00000000008C5000-memory.dmp upx behavioral9/memory/2024-104-0x0000000000400000-0x00000000008C5000-memory.dmp upx behavioral9/memory/2024-108-0x0000000000400000-0x00000000008C5000-memory.dmp upx behavioral9/memory/2024-111-0x0000000000400000-0x00000000008C5000-memory.dmp upx -
Launches sc.exe 4 IoCs
Sc.exe is a Windows utlilty to control services on the system.
Processes:
sc.exesc.exesc.exesc.exepid process 2004 sc.exe 1128 sc.exe 1164 sc.exe 816 sc.exe -
Suspicious use of AdjustPrivilegeToken 40 IoCs
Processes:
WMIC.exedescription pid process Token: SeIncreaseQuotaPrivilege 1624 WMIC.exe Token: SeSecurityPrivilege 1624 WMIC.exe Token: SeTakeOwnershipPrivilege 1624 WMIC.exe Token: SeLoadDriverPrivilege 1624 WMIC.exe Token: SeSystemProfilePrivilege 1624 WMIC.exe Token: SeSystemtimePrivilege 1624 WMIC.exe Token: SeProfSingleProcessPrivilege 1624 WMIC.exe Token: SeIncBasePriorityPrivilege 1624 WMIC.exe Token: SeCreatePagefilePrivilege 1624 WMIC.exe Token: SeBackupPrivilege 1624 WMIC.exe Token: SeRestorePrivilege 1624 WMIC.exe Token: SeShutdownPrivilege 1624 WMIC.exe Token: SeDebugPrivilege 1624 WMIC.exe Token: SeSystemEnvironmentPrivilege 1624 WMIC.exe Token: SeRemoteShutdownPrivilege 1624 WMIC.exe Token: SeUndockPrivilege 1624 WMIC.exe Token: SeManageVolumePrivilege 1624 WMIC.exe Token: 33 1624 WMIC.exe Token: 34 1624 WMIC.exe Token: 35 1624 WMIC.exe Token: SeIncreaseQuotaPrivilege 1624 WMIC.exe Token: SeSecurityPrivilege 1624 WMIC.exe Token: SeTakeOwnershipPrivilege 1624 WMIC.exe Token: SeLoadDriverPrivilege 1624 WMIC.exe Token: SeSystemProfilePrivilege 1624 WMIC.exe Token: SeSystemtimePrivilege 1624 WMIC.exe Token: SeProfSingleProcessPrivilege 1624 WMIC.exe Token: SeIncBasePriorityPrivilege 1624 WMIC.exe Token: SeCreatePagefilePrivilege 1624 WMIC.exe Token: SeBackupPrivilege 1624 WMIC.exe Token: SeRestorePrivilege 1624 WMIC.exe Token: SeShutdownPrivilege 1624 WMIC.exe Token: SeDebugPrivilege 1624 WMIC.exe Token: SeSystemEnvironmentPrivilege 1624 WMIC.exe Token: SeRemoteShutdownPrivilege 1624 WMIC.exe Token: SeUndockPrivilege 1624 WMIC.exe Token: SeManageVolumePrivilege 1624 WMIC.exe Token: 33 1624 WMIC.exe Token: 34 1624 WMIC.exe Token: 35 1624 WMIC.exe -
Suspicious use of FindShellTrayWindow 4 IoCs
Processes:
KMSAuto.exepid process 2024 KMSAuto.exe 2024 KMSAuto.exe 2024 KMSAuto.exe 2024 KMSAuto.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
KMSAuto.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exedescription pid process target process PID 2024 wrote to memory of 1984 2024 KMSAuto.exe cmd.exe PID 2024 wrote to memory of 1984 2024 KMSAuto.exe cmd.exe PID 2024 wrote to memory of 1984 2024 KMSAuto.exe cmd.exe PID 2024 wrote to memory of 1984 2024 KMSAuto.exe cmd.exe PID 2024 wrote to memory of 280 2024 KMSAuto.exe cmd.exe PID 2024 wrote to memory of 280 2024 KMSAuto.exe cmd.exe PID 2024 wrote to memory of 280 2024 KMSAuto.exe cmd.exe PID 2024 wrote to memory of 280 2024 KMSAuto.exe cmd.exe PID 280 wrote to memory of 1412 280 cmd.exe netsh.exe PID 280 wrote to memory of 1412 280 cmd.exe netsh.exe PID 280 wrote to memory of 1412 280 cmd.exe netsh.exe PID 2024 wrote to memory of 548 2024 KMSAuto.exe cmd.exe PID 2024 wrote to memory of 548 2024 KMSAuto.exe cmd.exe PID 2024 wrote to memory of 548 2024 KMSAuto.exe cmd.exe PID 2024 wrote to memory of 548 2024 KMSAuto.exe cmd.exe PID 548 wrote to memory of 316 548 cmd.exe netsh.exe PID 548 wrote to memory of 316 548 cmd.exe netsh.exe PID 548 wrote to memory of 316 548 cmd.exe netsh.exe PID 2024 wrote to memory of 1640 2024 KMSAuto.exe cmd.exe PID 2024 wrote to memory of 1640 2024 KMSAuto.exe cmd.exe PID 2024 wrote to memory of 1640 2024 KMSAuto.exe cmd.exe PID 2024 wrote to memory of 1640 2024 KMSAuto.exe cmd.exe PID 1640 wrote to memory of 1944 1640 cmd.exe netsh.exe PID 1640 wrote to memory of 1944 1640 cmd.exe netsh.exe PID 1640 wrote to memory of 1944 1640 cmd.exe netsh.exe PID 2024 wrote to memory of 1644 2024 KMSAuto.exe cmd.exe PID 2024 wrote to memory of 1644 2024 KMSAuto.exe cmd.exe PID 2024 wrote to memory of 1644 2024 KMSAuto.exe cmd.exe PID 2024 wrote to memory of 1644 2024 KMSAuto.exe cmd.exe PID 1644 wrote to memory of 1736 1644 cmd.exe netsh.exe PID 1644 wrote to memory of 1736 1644 cmd.exe netsh.exe PID 1644 wrote to memory of 1736 1644 cmd.exe netsh.exe PID 2024 wrote to memory of 1420 2024 KMSAuto.exe cmd.exe PID 2024 wrote to memory of 1420 2024 KMSAuto.exe cmd.exe PID 2024 wrote to memory of 1420 2024 KMSAuto.exe cmd.exe PID 2024 wrote to memory of 1420 2024 KMSAuto.exe cmd.exe PID 1420 wrote to memory of 1164 1420 cmd.exe sc.exe PID 1420 wrote to memory of 1164 1420 cmd.exe sc.exe PID 1420 wrote to memory of 1164 1420 cmd.exe sc.exe PID 2024 wrote to memory of 928 2024 KMSAuto.exe cmd.exe PID 2024 wrote to memory of 928 2024 KMSAuto.exe cmd.exe PID 2024 wrote to memory of 928 2024 KMSAuto.exe cmd.exe PID 2024 wrote to memory of 928 2024 KMSAuto.exe cmd.exe PID 928 wrote to memory of 816 928 cmd.exe sc.exe PID 928 wrote to memory of 816 928 cmd.exe sc.exe PID 928 wrote to memory of 816 928 cmd.exe sc.exe PID 2024 wrote to memory of 1128 2024 KMSAuto.exe reg.exe PID 2024 wrote to memory of 1128 2024 KMSAuto.exe reg.exe PID 2024 wrote to memory of 1128 2024 KMSAuto.exe reg.exe PID 2024 wrote to memory of 1128 2024 KMSAuto.exe reg.exe PID 2024 wrote to memory of 268 2024 KMSAuto.exe cmd.exe PID 2024 wrote to memory of 268 2024 KMSAuto.exe cmd.exe PID 2024 wrote to memory of 268 2024 KMSAuto.exe cmd.exe PID 2024 wrote to memory of 268 2024 KMSAuto.exe cmd.exe PID 268 wrote to memory of 1184 268 cmd.exe reg.exe PID 268 wrote to memory of 1184 268 cmd.exe reg.exe PID 268 wrote to memory of 1184 268 cmd.exe reg.exe PID 2024 wrote to memory of 1492 2024 KMSAuto.exe cmd.exe PID 2024 wrote to memory of 1492 2024 KMSAuto.exe cmd.exe PID 2024 wrote to memory of 1492 2024 KMSAuto.exe cmd.exe PID 2024 wrote to memory of 1492 2024 KMSAuto.exe cmd.exe PID 1492 wrote to memory of 1496 1492 cmd.exe reg.exe PID 1492 wrote to memory of 1496 1492 cmd.exe reg.exe PID 1492 wrote to memory of 1496 1492 cmd.exe reg.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\Activador Office 2019\Programs\KMSAuto Lite Portable v1.4.0\KMSAuto.exe"C:\Users\Admin\AppData\Local\Temp\Activador Office 2019\Programs\KMSAuto Lite Portable v1.4.0\KMSAuto.exe"1⤵
- Sets service image path in registry
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exe"C:\Windows\Sysnative\cmd.exe" /c copy C:\Windows\system32\Tasks\KMSAuto "C:\Users\Admin\AppData\Local\Temp\KMSAuto.tmp" /Y2⤵
-
C:\Windows\system32\cmd.exe"C:\Windows\Sysnative\cmd.exe" /c Netsh.exe Advfirewall Firewall delete rule name=0pen_Port_KMS protocol=TCP2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\netsh.exeNetsh.exe Advfirewall Firewall delete rule name=0pen_Port_KMS protocol=TCP3⤵
- Modifies Windows Firewall
-
C:\Windows\system32\cmd.exe"C:\Windows\Sysnative\cmd.exe" /c Netsh.exe Advfirewall Firewall add rule name=0pen_Port_KMS dir=in action=allow protocol=TCP localport=16882⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\netsh.exeNetsh.exe Advfirewall Firewall add rule name=0pen_Port_KMS dir=in action=allow protocol=TCP localport=16883⤵
- Modifies Windows Firewall
-
C:\Windows\system32\cmd.exe"C:\Windows\Sysnative\cmd.exe" /c Netsh.exe Advfirewall Firewall delete rule name=0pen_Port_KMS2 protocol=TCP2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\netsh.exeNetsh.exe Advfirewall Firewall delete rule name=0pen_Port_KMS2 protocol=TCP3⤵
- Modifies Windows Firewall
-
C:\Windows\system32\cmd.exe"C:\Windows\Sysnative\cmd.exe" /c Netsh.exe Advfirewall Firewall add rule name=0pen_Port_KMS2 dir=out action=allow protocol=TCP localport=16882⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\netsh.exeNetsh.exe Advfirewall Firewall add rule name=0pen_Port_KMS2 dir=out action=allow protocol=TCP localport=16883⤵
- Modifies Windows Firewall
-
C:\Windows\system32\cmd.exe"C:\Windows\Sysnative\cmd.exe" /c sc.exe create KMSEmulator binpath= temp.exe type= own start= auto2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\sc.exesc.exe create KMSEmulator binpath= temp.exe type= own start= auto3⤵
- Launches sc.exe
-
C:\Windows\system32\cmd.exe"C:\Windows\Sysnative\cmd.exe" /c sc.exe start KMSEmulator2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\sc.exesc.exe start KMSEmulator3⤵
- Launches sc.exe
-
C:\Windows\system32\reg.exe"C:\Windows\Sysnative\reg.exe" DELETE "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\55c92734-d682-4d71-983e-d6ec3f16059f" /f /reg:642⤵
-
C:\Windows\system32\cmd.exe"C:\Windows\Sysnative\cmd.exe" /c reg.exe add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /f /v KeyManagementServiceName /d 127.0.0.2 /t REG_SZ /reg:322⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\reg.exereg.exe add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /f /v KeyManagementServiceName /d 127.0.0.2 /t REG_SZ /reg:323⤵
-
C:\Windows\system32\cmd.exe"C:\Windows\Sysnative\cmd.exe" /c reg.exe add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /f /v KeyManagementServicePort /d 1688 /t REG_SZ /reg:322⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\reg.exereg.exe add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /f /v KeyManagementServicePort /d 1688 /t REG_SZ /reg:323⤵
-
C:\Windows\system32\cmd.exe"C:\Windows\Sysnative\cmd.exe" /c reg.exe add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /f /v KeyManagementServiceName /d 127.0.0.2 /t REG_SZ /reg:642⤵
-
C:\Windows\System32\reg.exereg.exe add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /f /v KeyManagementServiceName /d 127.0.0.2 /t REG_SZ /reg:643⤵
-
C:\Windows\system32\cmd.exe"C:\Windows\Sysnative\cmd.exe" /c reg.exe add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /f /v KeyManagementServicePort /d 1688 /t REG_SZ /reg:642⤵
-
C:\Windows\System32\reg.exereg.exe add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /f /v KeyManagementServicePort /d 1688 /t REG_SZ /reg:643⤵
-
C:\Windows\system32\cmd.exe"C:\Windows\Sysnative\cmd.exe" /c cscript //nologo "C:\Users\Admin\AppData\Local\Temp\slmgr.vbs" /skms 127.0.0.2:16882⤵
-
C:\Windows\system32\cscript.execscript //nologo "C:\Users\Admin\AppData\Local\Temp\slmgr.vbs" /skms 127.0.0.2:16883⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c wmic path SoftwareLicensingProduct where (Name LIKE 'Windows%%' And PartialProductKey is Not NULL) get Name /FORMAT:List2⤵
-
C:\Windows\SysWOW64\Wbem\WMIC.exewmic path SoftwareLicensingProduct where (Name LIKE 'Windows%%' And PartialProductKey is Not NULL) get Name /FORMAT:List3⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exe"C:\Windows\Sysnative\cmd.exe" /c cscript //nologo "C:\Users\Admin\AppData\Local\Temp\slmgr.vbs" /ato2⤵
-
C:\Windows\system32\cscript.execscript //nologo "C:\Users\Admin\AppData\Local\Temp\slmgr.vbs" /ato3⤵
-
C:\Windows\system32\cmd.exe"C:\Windows\Sysnative\cmd.exe" /c sc.exe stop KMSEmulator2⤵
-
C:\Windows\system32\sc.exesc.exe stop KMSEmulator3⤵
- Launches sc.exe
-
C:\Windows\system32\cmd.exe"C:\Windows\Sysnative\cmd.exe" /c sc.exe delete KMSEmulator2⤵
-
C:\Windows\system32\sc.exesc.exe delete KMSEmulator3⤵
- Launches sc.exe
-
C:\Windows\system32\cmd.exe"C:\Windows\Sysnative\cmd.exe" /c Netsh.exe Advfirewall Firewall delete rule name=0pen_Port_KMS protocol=TCP2⤵
-
C:\Windows\system32\netsh.exeNetsh.exe Advfirewall Firewall delete rule name=0pen_Port_KMS protocol=TCP3⤵
- Modifies Windows Firewall
-
C:\Windows\system32\cmd.exe"C:\Windows\Sysnative\cmd.exe" /c Netsh.exe Advfirewall Firewall delete rule name=0pen_Port_KMS2 protocol=TCP2⤵
-
C:\Windows\system32\netsh.exeNetsh.exe Advfirewall Firewall delete rule name=0pen_Port_KMS2 protocol=TCP3⤵
- Modifies Windows Firewall
-
C:\Windows\Temp\KMSAuto_Files\bin\KMSSS.exe"C:\Windows\Temp\KMSAuto_Files\bin\KMSSS.exe" -Port 1688 -PWin RandomKMSPID -PO14 RandomKMSPID -PO15 RandomKMSPID -PO16 RandomKMSPID -AI 43200 -RI 43200 KillProcessOnPort -Log -IP1⤵
- Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\slmgr.vbsFilesize
110KB
MD538482a5013d8ab40df0fb15eae022c57
SHA15a4a7f261307721656c11b5cc097cde1cf791073
SHA256ac5c46b97345465a96e9ae1edaff44b191a39bf3d03dc1128090b8ffa92a16f8
SHA51229c1348014ac448fb9c1a72bfd0ab16cdd62b628dc64827b02965b96ba851e9265c4426007181d2aa08f8fb7853142cc01fc6e4d89bec8fc25f3d340d3857331
-
C:\Windows\Temp\KMSAuto_Files\bin\KMSSS.exeFilesize
33KB
MD5463c7ce8e2ec2c33536e9697c0eeba7d
SHA18aba9b67484c647a9a01cac8c7a7170f1e7fe0a5
SHA256d3ed9d3b8dd6a6a8dfa0a9bb02374b079e8e0c33e600677ef15bfa19264c4f04
SHA5124f175d6ac12e53b32e8baaad058eda33378c5c0ca67c06ae77b5d7b4a1344d70a2a8e932a71c510a038fb6b19e2c280921bcfc64ed62a7906264844f7f121c41
-
C:\Windows\Temp\KMSAuto_Files\bin\KMSSS.logFilesize
773B
MD50b3e543a782b30fb03f78b3d32530fb6
SHA1fb3e6c805e0c4c6e9496cf90fe2147233fe95845
SHA256c01391354094ad042b03f8b9162a32f8f99f5364499f3817b935d5db7d3f55c9
SHA51210b94ad045d0d7ff4a2c03a312d66a6bdd6216d252792599b2c3d5cc2d650d049b2c7a74dbd642990c1bf27ea1b7d8547ab18f968a4ef45a7bdf6100de0a3504
-
C:\Windows\Temp\KMSAuto_Files\bin\KMSSS.logFilesize
773B
MD50b3e543a782b30fb03f78b3d32530fb6
SHA1fb3e6c805e0c4c6e9496cf90fe2147233fe95845
SHA256c01391354094ad042b03f8b9162a32f8f99f5364499f3817b935d5db7d3f55c9
SHA51210b94ad045d0d7ff4a2c03a312d66a6bdd6216d252792599b2c3d5cc2d650d049b2c7a74dbd642990c1bf27ea1b7d8547ab18f968a4ef45a7bdf6100de0a3504
-
memory/2024-100-0x0000000000400000-0x00000000008C5000-memory.dmpFilesize
4.8MB
-
memory/2024-65-0x0000000000400000-0x00000000008C5000-memory.dmpFilesize
4.8MB
-
memory/2024-54-0x0000000000400000-0x00000000008C5000-memory.dmpFilesize
4.8MB
-
memory/2024-60-0x0000000000400000-0x00000000008C5000-memory.dmpFilesize
4.8MB
-
memory/2024-57-0x0000000000400000-0x00000000008C5000-memory.dmpFilesize
4.8MB
-
memory/2024-55-0x0000000000400000-0x00000000008C5000-memory.dmpFilesize
4.8MB
-
memory/2024-103-0x0000000000400000-0x00000000008C5000-memory.dmpFilesize
4.8MB
-
memory/2024-104-0x0000000000400000-0x00000000008C5000-memory.dmpFilesize
4.8MB
-
memory/2024-58-0x0000000000400000-0x00000000008C5000-memory.dmpFilesize
4.8MB
-
memory/2024-108-0x0000000000400000-0x00000000008C5000-memory.dmpFilesize
4.8MB
-
memory/2024-111-0x0000000000400000-0x00000000008C5000-memory.dmpFilesize
4.8MB