Analysis
-
max time kernel
141s -
max time network
148s -
platform
windows10-2004_x64 -
resource
win10v2004-20231215-en -
resource tags
arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system -
submitted
12-02-2024 20:07
Behavioral task
behavioral1
Sample
Activador 2019/KMSTools.exe
Resource
win10v2004-20231215-en
General
-
Target
Activador 2019/KMSTools.exe
-
Size
34.5MB
-
MD5
7dcc580b7546be2871f978db8d313905
-
SHA1
60d9b7541c661e83664d043f2b7f99a62b10ee84
-
SHA256
5c2819ebc600adc7fcad0002e6056e824e1af35d1e16334e16199712850a208f
-
SHA512
dcba8d146e8c30d61828074ceac99dfcc73d52390975df7a29aca9f277fb56ddb8d2f2b02eb99ea328cca15ef24c907f5b03fb5690f5c788e29df7581849b4af
-
SSDEEP
786432:VMh6YzBjJ7AxVM4Hh0CBS3sHPGtHilqNngktysVidq6igVVRoVl:Kh66PAxV/Hh+3sGilqlToyiU6igQ
Malware Config
Signatures
-
Processes:
resource yara_rule C:\Users\Admin\AppData\Local\Temp\Activador 2019\Programs\W10 Digital Activation Program v1.3.4 Portable\W10DigitalActivation.exe aspack_v212_v242 C:\Users\Admin\AppData\Local\Temp\Activador 2019\Programs\W10 Digital Activation Program v1.3.4 Portable\W10DigitalActivation.exe aspack_v212_v242 -
Executes dropped EXE 6 IoCs
Processes:
fver.exefver.exefver.exe7zaxxx.exeW10DigitalActivation.exegatherosstate.exepid process 4360 fver.exe 1804 fver.exe 3764 fver.exe 4856 7zaxxx.exe 3136 W10DigitalActivation.exe 4984 gatherosstate.exe -
Loads dropped DLL 2 IoCs
Processes:
gatherosstate.exepid process 4984 gatherosstate.exe 4984 gatherosstate.exe -
Launches sc.exe 6 IoCs
Sc.exe is a Windows utlilty to control services on the system.
Processes:
sc.exesc.exesc.exesc.exesc.exesc.exepid process 1804 sc.exe 1772 sc.exe 4040 sc.exe 4432 sc.exe 4328 sc.exe 1308 sc.exe -
Checks SCSI registry key(s) 3 TTPs 11 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes:
gatherosstate.exeClipUp.exedescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 gatherosstate.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs ClipUp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000 ClipUp.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\HardwareID ClipUp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 ClipUp.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID ClipUp.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\CompatibleIDs ClipUp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000 gatherosstate.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\ConfigFlags gatherosstate.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\HardwareID gatherosstate.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags gatherosstate.exe -
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
WINWORD.EXEdescription ioc process Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WINWORD.EXE -
Enumerates system info in registry 2 TTPs 3 IoCs
Processes:
WINWORD.EXEdescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WINWORD.EXE Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily WINWORD.EXE -
Suspicious behavior: AddClipboardFormatListener 2 IoCs
Processes:
WINWORD.EXEpid process 876 WINWORD.EXE 876 WINWORD.EXE -
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
Processes:
KMSTools.exeW10DigitalActivation.exepid process 2332 KMSTools.exe 3136 W10DigitalActivation.exe -
Suspicious use of AdjustPrivilegeToken 6 IoCs
Processes:
AUDIODG.EXE7zaxxx.exedescription pid process Token: 33 1468 AUDIODG.EXE Token: SeIncBasePriorityPrivilege 1468 AUDIODG.EXE Token: SeRestorePrivilege 4856 7zaxxx.exe Token: 35 4856 7zaxxx.exe Token: SeSecurityPrivilege 4856 7zaxxx.exe Token: SeSecurityPrivilege 4856 7zaxxx.exe -
Suspicious use of FindShellTrayWindow 7 IoCs
Processes:
KMSTools.exeW10DigitalActivation.exepid process 2332 KMSTools.exe 2332 KMSTools.exe 2332 KMSTools.exe 2332 KMSTools.exe 2332 KMSTools.exe 3136 W10DigitalActivation.exe 3136 W10DigitalActivation.exe -
Suspicious use of SendNotifyMessage 2 IoCs
Processes:
KMSTools.exepid process 2332 KMSTools.exe 2332 KMSTools.exe -
Suspicious use of SetWindowsHookEx 6 IoCs
Processes:
WINWORD.EXEpid process 876 WINWORD.EXE 876 WINWORD.EXE 876 WINWORD.EXE 876 WINWORD.EXE 876 WINWORD.EXE 876 WINWORD.EXE -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
KMSTools.exeW10DigitalActivation.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exedescription pid process target process PID 2332 wrote to memory of 4360 2332 KMSTools.exe fver.exe PID 2332 wrote to memory of 4360 2332 KMSTools.exe fver.exe PID 2332 wrote to memory of 4360 2332 KMSTools.exe fver.exe PID 2332 wrote to memory of 1804 2332 KMSTools.exe fver.exe PID 2332 wrote to memory of 1804 2332 KMSTools.exe fver.exe PID 2332 wrote to memory of 1804 2332 KMSTools.exe fver.exe PID 2332 wrote to memory of 3764 2332 KMSTools.exe fver.exe PID 2332 wrote to memory of 3764 2332 KMSTools.exe fver.exe PID 2332 wrote to memory of 3764 2332 KMSTools.exe fver.exe PID 2332 wrote to memory of 4832 2332 KMSTools.exe cmd.exe PID 2332 wrote to memory of 4832 2332 KMSTools.exe cmd.exe PID 2332 wrote to memory of 4856 2332 KMSTools.exe 7zaxxx.exe PID 2332 wrote to memory of 4856 2332 KMSTools.exe 7zaxxx.exe PID 2332 wrote to memory of 4856 2332 KMSTools.exe 7zaxxx.exe PID 2332 wrote to memory of 3136 2332 KMSTools.exe W10DigitalActivation.exe PID 2332 wrote to memory of 3136 2332 KMSTools.exe W10DigitalActivation.exe PID 2332 wrote to memory of 3136 2332 KMSTools.exe W10DigitalActivation.exe PID 3136 wrote to memory of 3440 3136 W10DigitalActivation.exe cmd.exe PID 3136 wrote to memory of 3440 3136 W10DigitalActivation.exe cmd.exe PID 3440 wrote to memory of 4964 3440 cmd.exe cscript.exe PID 3440 wrote to memory of 4964 3440 cmd.exe cscript.exe PID 3136 wrote to memory of 1116 3136 W10DigitalActivation.exe cmd.exe PID 3136 wrote to memory of 1116 3136 W10DigitalActivation.exe cmd.exe PID 1116 wrote to memory of 2256 1116 cmd.exe cscript.exe PID 1116 wrote to memory of 2256 1116 cmd.exe cscript.exe PID 3136 wrote to memory of 4616 3136 W10DigitalActivation.exe cmd.exe PID 3136 wrote to memory of 4616 3136 W10DigitalActivation.exe cmd.exe PID 4616 wrote to memory of 4328 4616 cmd.exe sc.exe PID 4616 wrote to memory of 4328 4616 cmd.exe sc.exe PID 3136 wrote to memory of 4392 3136 W10DigitalActivation.exe cmd.exe PID 3136 wrote to memory of 4392 3136 W10DigitalActivation.exe cmd.exe PID 4392 wrote to memory of 1308 4392 cmd.exe sc.exe PID 4392 wrote to memory of 1308 4392 cmd.exe sc.exe PID 3136 wrote to memory of 2024 3136 W10DigitalActivation.exe cmd.exe PID 3136 wrote to memory of 2024 3136 W10DigitalActivation.exe cmd.exe PID 2024 wrote to memory of 1804 2024 cmd.exe sc.exe PID 2024 wrote to memory of 1804 2024 cmd.exe sc.exe PID 3136 wrote to memory of 3556 3136 W10DigitalActivation.exe cmd.exe PID 3136 wrote to memory of 3556 3136 W10DigitalActivation.exe cmd.exe PID 3556 wrote to memory of 1772 3556 cmd.exe sc.exe PID 3556 wrote to memory of 1772 3556 cmd.exe sc.exe PID 3136 wrote to memory of 4944 3136 W10DigitalActivation.exe cmd.exe PID 3136 wrote to memory of 4944 3136 W10DigitalActivation.exe cmd.exe PID 4944 wrote to memory of 4040 4944 cmd.exe sc.exe PID 4944 wrote to memory of 4040 4944 cmd.exe sc.exe PID 3136 wrote to memory of 2736 3136 W10DigitalActivation.exe cmd.exe PID 3136 wrote to memory of 2736 3136 W10DigitalActivation.exe cmd.exe PID 2736 wrote to memory of 4432 2736 cmd.exe sc.exe PID 2736 wrote to memory of 4432 2736 cmd.exe sc.exe PID 3136 wrote to memory of 3824 3136 W10DigitalActivation.exe cmd.exe PID 3136 wrote to memory of 3824 3136 W10DigitalActivation.exe cmd.exe PID 3824 wrote to memory of 2576 3824 cmd.exe reg.exe PID 3824 wrote to memory of 2576 3824 cmd.exe reg.exe PID 3136 wrote to memory of 3788 3136 W10DigitalActivation.exe cmd.exe PID 3136 wrote to memory of 3788 3136 W10DigitalActivation.exe cmd.exe PID 3788 wrote to memory of 5112 3788 cmd.exe reg.exe PID 3788 wrote to memory of 5112 3788 cmd.exe reg.exe PID 3136 wrote to memory of 2848 3136 W10DigitalActivation.exe cmd.exe PID 3136 wrote to memory of 2848 3136 W10DigitalActivation.exe cmd.exe PID 2848 wrote to memory of 3464 2848 cmd.exe reg.exe PID 2848 wrote to memory of 3464 2848 cmd.exe reg.exe PID 3136 wrote to memory of 3060 3136 W10DigitalActivation.exe cmd.exe PID 3136 wrote to memory of 3060 3136 W10DigitalActivation.exe cmd.exe PID 3060 wrote to memory of 4984 3060 cmd.exe gatherosstate.exe -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\Activador 2019\KMSTools.exe"C:\Users\Admin\AppData\Local\Temp\Activador 2019\KMSTools.exe"1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2332 -
C:\Users\Admin\AppData\Local\Temp\fver.exe"C:\Users\Admin\AppData\Local\Temp\fver.exe" /D /A "C:\Users\Admin\AppData\Local\Temp\Activador 2019\Programs\AAct v3.9.3 Portable\AAct.exe"2⤵
- Executes dropped EXE
PID:4360 -
C:\Users\Admin\AppData\Local\Temp\fver.exe"C:\Users\Admin\AppData\Local\Temp\fver.exe" /D /A "C:\Users\Admin\AppData\Local\Temp\Activador 2019\Programs\KMSAuto Lite Portable v1.4.0\KMSAuto.exe"2⤵
- Executes dropped EXE
PID:1804 -
C:\Users\Admin\AppData\Local\Temp\fver.exe"C:\Users\Admin\AppData\Local\Temp\fver.exe" /D /A "C:\Users\Admin\AppData\Local\Temp\Activador 2019\Programs\Office 2013-2019 C2R Install v6.4.5\OInstall.exe"2⤵
- Executes dropped EXE
PID:3764 -
C:\Windows\system32\cmd.exe"C:\Windows\Sysnative\cmd.exe" /c copy C:\Windows\system32\Tasks\KMSTools "C:\Users\Admin\AppData\Local\Temp\KMSTools.tmp" /Y2⤵PID:4832
-
C:\Users\Admin\AppData\Local\Temp\7zaxxx.exe"C:\Users\Admin\AppData\Local\Temp\7zaxxx.exe" x data.pak -pkmstools -y -bsp1 -o"C:\Users\Admin\AppData\Local\Temp\Activador 2019\Programs" "W10 Digital Activation Program"*2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4856 -
C:\Users\Admin\AppData\Local\Temp\Activador 2019\Programs\W10 Digital Activation Program v1.3.4 Portable\W10DigitalActivation.exe"C:\Users\Admin\AppData\Local\Temp\Activador 2019\Programs\W10 Digital Activation Program v1.3.4 Portable\W10DigitalActivation.exe"2⤵
- Executes dropped EXE
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:3136 -
C:\Windows\system32\cmd.exe"C:\Windows\Sysnative\cmd.exe" /c cscript.exe C:\Windows\System32\slmgr.vbs //NoLogo /ipk VK7JG-NPHTM-C97JM-9MPGT-3V66T3⤵
- Suspicious use of WriteProcessMemory
PID:3440 -
C:\Windows\System32\cscript.execscript.exe C:\Windows\System32\slmgr.vbs //NoLogo /ipk VK7JG-NPHTM-C97JM-9MPGT-3V66T4⤵PID:4964
-
C:\Windows\system32\cmd.exe"C:\Windows\Sysnative\cmd.exe" /c cscript.exe C:\Windows\System32\slmgr.vbs //NoLogo /xpr3⤵
- Suspicious use of WriteProcessMemory
PID:1116 -
C:\Windows\System32\cscript.execscript.exe C:\Windows\System32\slmgr.vbs //NoLogo /xpr4⤵PID:2256
-
C:\Windows\system32\cmd.exe"C:\Windows\Sysnative\cmd.exe" /c C:\Windows\System32\sc.exe qc licensemanager3⤵
- Suspicious use of WriteProcessMemory
PID:4616 -
C:\Windows\System32\sc.exeC:\Windows\System32\sc.exe qc licensemanager4⤵
- Launches sc.exe
PID:4328 -
C:\Windows\system32\cmd.exe"C:\Windows\Sysnative\cmd.exe" /c C:\Windows\System32\sc.exe qc wuauserv3⤵
- Suspicious use of WriteProcessMemory
PID:4392 -
C:\Windows\System32\sc.exeC:\Windows\System32\sc.exe qc wuauserv4⤵
- Launches sc.exe
PID:1308 -
C:\Windows\system32\cmd.exe"C:\Windows\Sysnative\cmd.exe" /c C:\Windows\System32\sc.exe qc wlidsvc3⤵
- Suspicious use of WriteProcessMemory
PID:2024 -
C:\Windows\System32\sc.exeC:\Windows\System32\sc.exe qc wlidsvc4⤵
- Launches sc.exe
PID:1804 -
C:\Windows\system32\cmd.exe"C:\Windows\Sysnative\cmd.exe" /c C:\Windows\System32\sc.exe start licensemanager3⤵
- Suspicious use of WriteProcessMemory
PID:3556 -
C:\Windows\System32\sc.exeC:\Windows\System32\sc.exe start licensemanager4⤵
- Launches sc.exe
PID:1772 -
C:\Windows\system32\cmd.exe"C:\Windows\Sysnative\cmd.exe" /c C:\Windows\System32\sc.exe start wuauserv3⤵
- Suspicious use of WriteProcessMemory
PID:4944 -
C:\Windows\System32\sc.exeC:\Windows\System32\sc.exe start wuauserv4⤵
- Launches sc.exe
PID:4040 -
C:\Windows\system32\cmd.exe"C:\Windows\Sysnative\cmd.exe" /c C:\Windows\System32\sc.exe start wlidsvc3⤵
- Suspicious use of WriteProcessMemory
PID:2736 -
C:\Windows\System32\sc.exeC:\Windows\System32\sc.exe start wlidsvc4⤵
- Launches sc.exe
PID:4432 -
C:\Windows\system32\cmd.exe"C:\Windows\Sysnative\cmd.exe" /c reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\Tokens" /f /v "Channel" /t REG_SZ /d Retail3⤵
- Suspicious use of WriteProcessMemory
PID:3824 -
C:\Windows\System32\reg.exereg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\Tokens" /f /v "Channel" /t REG_SZ /d Retail4⤵PID:2576
-
C:\Windows\system32\cmd.exe"C:\Windows\Sysnative\cmd.exe" /c reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\Tokens\Kernel" /f /v "Kernel-ProductInfo" /t REG_DWORD /d 483⤵
- Suspicious use of WriteProcessMemory
PID:3788 -
C:\Windows\System32\reg.exereg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\Tokens\Kernel" /f /v "Kernel-ProductInfo" /t REG_DWORD /d 484⤵PID:5112
-
C:\Windows\system32\cmd.exe"C:\Windows\Sysnative\cmd.exe" /c reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\Tokens\Kernel" /f /v "Security-SPP-GenuineLocalStatus" /t REG_DWORD /d 13⤵
- Suspicious use of WriteProcessMemory
PID:2848 -
C:\Windows\System32\reg.exereg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\Tokens\Kernel" /f /v "Security-SPP-GenuineLocalStatus" /t REG_DWORD /d 14⤵PID:3464
-
C:\Windows\system32\cmd.exe"C:\Windows\Sysnative\cmd.exe" /c gatherosstate.exe3⤵
- Suspicious use of WriteProcessMemory
PID:3060 -
C:\Windows\Temp\BIN\gatherosstate.exegatherosstate.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks SCSI registry key(s)
PID:4984 -
C:\Windows\system32\cmd.exe"C:\Windows\Sysnative\cmd.exe" /c C:\Windows\System32\ClipUp.exe -v -o -altto C:\Windows\Temp\BIN\3⤵PID:4960
-
C:\Windows\System32\ClipUp.exeC:\Windows\System32\ClipUp.exe -v -o -altto C:\Windows\Temp\BIN\4⤵PID:2496
-
C:\Windows\System32\ClipUp.exeC:\Windows\System32\ClipUp.exe -v -o -altto C:\Windows\Temp\BIN\ -ppl C:\Users\Admin\AppData\Local\Temp\tem7356.tmp5⤵
- Checks SCSI registry key(s)
PID:3152 -
C:\Windows\system32\cmd.exe"C:\Windows\Sysnative\cmd.exe" /c cscript.exe C:\Windows\System32\slmgr.vbs //NoLogo /ato3⤵PID:1276
-
C:\Windows\System32\cscript.execscript.exe C:\Windows\System32\slmgr.vbs //NoLogo /ato4⤵PID:4564
-
C:\Windows\system32\cmd.exe"C:\Windows\Sysnative\cmd.exe" /c reg.exe delete "HKEY_LOCAL_MACHINE\SYSTEM\Tokens" /f3⤵PID:4168
-
C:\Windows\System32\reg.exereg.exe delete "HKEY_LOCAL_MACHINE\SYSTEM\Tokens" /f4⤵PID:4548
-
C:\Windows\system32\cmd.exe"C:\Windows\Sysnative\cmd.exe" /c cscript.exe C:\Windows\System32\slmgr.vbs //NoLogo /xpr3⤵PID:3980
-
C:\Windows\System32\cscript.execscript.exe C:\Windows\System32\slmgr.vbs //NoLogo /xpr4⤵PID:1596
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x508 0x2f81⤵
- Suspicious use of AdjustPrivilegeToken
PID:1468
-
C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:876
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
628KB
MD5ec79cabd55a14379e4d676bb17d9e3df
SHA115626d505da35bfdb33aea5c8f7831f616cabdba
SHA25644a55f5d9c31d0990de47b9893e0c927478930cef06fbe2d1f520a6d6cba587d
SHA51200bbb601a685cbfb3c51c1da9f3b77c2b318c79e87d88a31c0e215288101753679e1586b170ccc9c2cb0b5ce05c2090c0737a1e4a616ad1d9658392066196d47
-
C:\Users\Admin\AppData\Local\Temp\Activador 2019\Programs\W10 Digital Activation Program v1.3.4 Portable\W10DigitalActivation.exe
Filesize448KB
MD563ac2ad565f07b7ec63326da49221cde
SHA11beb29477e1108e5df6d511209b2880001427da1
SHA256348edfea4e9f960a06d58d1b5addc941466233dfe05d1204ea4c4fb8e8f81a34
SHA5124c4b3729fdc561685a718a0c9ea0492ccc9c74fa8f5f5e8f094863461844c15fb4bdd6326a82f2e189ffbf371b3b0933382a46afc7f67a2e6926989d9acba363
-
C:\Users\Admin\AppData\Local\Temp\Activador 2019\Programs\W10 Digital Activation Program v1.3.4 Portable\W10DigitalActivation.exe
Filesize256KB
MD5d5e3bd98856dc6fa8c19926420e68668
SHA1f4cea4dfc924bc15be8c5c79a9791c7d7cc939c3
SHA2566fbdf1a93bda790b21a6a7196ff24a12ec4a76150f4024f38dbfa9bda43f515b
SHA5123c8aafc0c15ac829360957d0451f76f74d038a85e709a3b28f54dba83dca454f2910d1df3d333070fdfc505d8f6112fc6959f794e261ff6c3d6167551fae9684
-
Filesize
4.9MB
MD5aa329d96fa9b0d230d86a6b82495a610
SHA15af9ff1f833c64659d23f9c7dea919f77a0c251d
SHA25675edd068175bdb2f73b23d2bbcda55d2310afde80c7126541e68294d47a90423
SHA512cfaf2f2f6c205ea9e2603341b8c6883cd7b7564addac313ce2b6414d75cd3eab7c71a478d4c927596a54c6030fb23fcf354a31d883652e627248728bc783577e
-
Filesize
12KB
MD50e6c873a80940c9729bc8017ad67b2de
SHA1605b85c8908b29c98bb849e4aed5a3f22d0a5530
SHA2569f54832295773b42a75ca9c2e59491941554cafb77e4285dfeed2ddb4de2efe2
SHA51281a76c359e64d974e7fd4773a260ba18eb7f1ddb96b90e391bec98aa67f5b8b4ec175045864c2782f988649e2fa9b2e12b88b46655371adba2ba0f25b7031cd1
-
Filesize
582B
MD50e3230f91473765b3ff0d2c394502476
SHA1085982e15f27df0a5d9edeccc66544d6f2805fbb
SHA2565afcafbec69bb7ddde8c41cc490b3e675638af7413f23e9fbb670359e0cd6353
SHA512628891fffe60e9d36a99779c2d852d1ec48fe9d5160ed920307f6891031d283b6a3dfd8c307b37ce2b2030e1c5d92c013708d7f6da700f61b908727707f3739c
-
Filesize
1KB
MD56b8fee954f636622fd7a00026dcb8b72
SHA1c8c043670c5dc37040796270b56ed52e21bd11e7
SHA25639f8216277d79f1d7ba8137fcd8f5a3682fc575c674d7203ca879c46a12d3fb6
SHA512da328d6d42938ba52ff36bc4f64a8ec9d8dd8842c0e2e3a0005c1328c1aa8a0ad0fa1fe458c64cd0e0416f03cd85c490811838e36f817a26d726500a7fc3014c
-
Filesize
6KB
MD5e2840606372ab67b7107ce757d506c28
SHA187c1c645eba6d6a2aa695d4fd2ece5fc5e5568ef
SHA25637e20a504ade965184d92ed5ca415cde899090a6a20ea3abf8c85ff9648b66f4
SHA512cf7914a6a8c6d878caeb7f726f86fbdc77d2ea246d9ea600d82a0c66e4154ee0acdbd3ff5949523b35642735d741fde39d177e5d4aff83ea4475ef84e0188ab6
-
Filesize
1.3MB
MD5b13bc5b62f54607c334a6464d9b85cc8
SHA112721c69acbcb515f7adbee08ec42fc61192c187
SHA25651791625054b01802fd5aaa6c4a929827b369dfef7b2891b5f55e0fa61af0c7d
SHA51258a9c4e413992b8c225fd622934929382070cbe8c8999bdb93851a1f46a0129d674135eacce2b3f96a19dfbb7333e3b921b5e39b727339c9897de7a02d2ce3bf