cc331c94fd9e4584f405bd6b03fb99ecfbb5293017293fc0a37a9b1737d31722

Analysis

max time kernel
511s
max time network
476s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
14/02/2024, 16:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

KMS_Suite.v9.5.EN.bat
Size

348KB
MD5

af73bf925361348072469cff78890a4b
SHA1

dca20e41242d9398f474babb80c971e5fc27de69
SHA256

cc331c94fd9e4584f405bd6b03fb99ecfbb5293017293fc0a37a9b1737d31722
SHA512

6c7966852db9921338e6770b07190033ac1fb88035024388c8717c4d080e64587baffbbd99b6ac3657beec59d5ec8685acb4349953d92801a65089eb25253032
SSDEEP

6144:zaGyPc7/Tg7jc4zlw6PhVMt1pOb4RKsFx+GXtO9l0X0dgJ/pGntI/:zaXEDTg84z5pVM9O0lgz70kd0pEE

Score

8^/10

discovery persistence

Malware Config

Signatures

Blocklisted process makes network request 2 IoCs

flow	pid	Process
3	2708	powershell.exe
8	2804	powershell.exe

Sets file execution options in registry 2 TTPs 14 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osppsvc.exe	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osppsvc.exe	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osppsvc.exe\VerifierDebug = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osppsvc.exe\GlobalFlag = "256"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osppsvc.exe	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osppsvc.exe	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osppsvc.exe\VerifierDlls = "KMS.dll"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osppsvc.exe	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osppsvc.exe\VerifierFlags = "2147483648"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osppsvc.exe	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osppsvc.exe\KMS_RenewalInterval = "43200"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osppsvc.exe\KMS_Emulation = "1"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osppsvc.exe\KMS_ActivationInterval = "43200"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osppsvc.exe	reg.exe

Executes dropped EXE 3 IoCs

pid	Process
1444	center.exe
2080	center.exe
884	center.exe

Modifies file permissions 1 TTPs 3 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
2528	icacls.exe
2204	icacls.exe
2512	icacls.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\System32\KMS.dll	cmd.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Logs\DPX\setupact.log	expand.exe
File opened for modification	C:\Windows\Logs\DPX\setuperr.log	expand.exe

Launches sc.exe 20 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
1456	sc.exe
2632	sc.exe
1976	sc.exe
576	sc.exe
1204	sc.exe
1796	sc.exe
240	sc.exe
2732	sc.exe
1176	sc.exe
1320	sc.exe
2864	sc.exe
2372	sc.exe
396	sc.exe
2456	sc.exe
660	sc.exe
1480	sc.exe
1644	sc.exe
1096	sc.exe
2208	sc.exe
2388	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 9 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000_CLASSES\.Admin	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000_CLASSES\.Admin\shell	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000_CLASSES\.Admin\shell\runas\command	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000_CLASSES\.Admin\shell\runas	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000_CLASSES\.Admin\shell	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000_CLASSES\.Admin	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000_CLASSES\.Admin\shell\runas\command	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000_CLASSES\.Admin\shell\runas	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000_CLASSES\.Admin\shell\runas\command\ = "cmd /x /d /r set \"f0=%2\"& call \"%2\" %3"	reg.exe

Modifies registry key 1 TTPs 24 IoCs

Modify Registry

T1112

pid	Process
2680	reg.exe
1004	reg.exe
2644	reg.exe
1348	reg.exe
2332	reg.exe
2704	reg.exe
2888	reg.exe
2588	reg.exe
992	reg.exe
772	reg.exe
2844	reg.exe
1084	reg.exe
2596	reg.exe
3020	reg.exe
2616	reg.exe
1992	reg.exe
1448	reg.exe
320	reg.exe
432	reg.exe
3068	reg.exe
2232	reg.exe
1692	reg.exe
564	reg.exe
2944	reg.exe

Runs net.exe

Suspicious behavior: CmdExeWriteProcessMemorySpam 3 IoCs

pid	Process
1444	center.exe
2080	center.exe
884	center.exe

Suspicious behavior: EnumeratesProcesses 21 IoCs

pid	Process
2728	powershell.exe
1944	powershell.exe
2088	powershell.exe
836	powershell.exe
2448	powershell.exe
1656	powershell.exe
2524	powershell.exe
2060	powershell.exe
2100	powershell.exe
672	powershell.exe
2284	powershell.exe
2544	powershell.exe
1956	powershell.exe
2624	powershell.exe
2708	powershell.exe
1972	powershell.exe
2804	powershell.exe
1952	powershell.exe
2528	powershell.exe
2456	powershell.exe
2896	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2728	powershell.exe
Token: SeDebugPrivilege	1944	powershell.exe
Token: SeDebugPrivilege	2088	powershell.exe
Token: SeDebugPrivilege	836	powershell.exe
Token: SeDebugPrivilege	2448	powershell.exe
Token: SeDebugPrivilege	1656	powershell.exe
Token: SeDebugPrivilege	2524	powershell.exe
Token: SeIncreaseQuotaPrivilege	2356	WMIC.exe
Token: SeSecurityPrivilege	2356	WMIC.exe
Token: SeTakeOwnershipPrivilege	2356	WMIC.exe
Token: SeLoadDriverPrivilege	2356	WMIC.exe
Token: SeSystemProfilePrivilege	2356	WMIC.exe
Token: SeSystemtimePrivilege	2356	WMIC.exe
Token: SeProfSingleProcessPrivilege	2356	WMIC.exe
Token: SeIncBasePriorityPrivilege	2356	WMIC.exe
Token: SeCreatePagefilePrivilege	2356	WMIC.exe
Token: SeBackupPrivilege	2356	WMIC.exe
Token: SeRestorePrivilege	2356	WMIC.exe
Token: SeShutdownPrivilege	2356	WMIC.exe
Token: SeDebugPrivilege	2356	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2356	WMIC.exe
Token: SeRemoteShutdownPrivilege	2356	WMIC.exe
Token: SeUndockPrivilege	2356	WMIC.exe
Token: SeManageVolumePrivilege	2356	WMIC.exe
Token: 33	2356	WMIC.exe
Token: 34	2356	WMIC.exe
Token: 35	2356	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2356	WMIC.exe
Token: SeSecurityPrivilege	2356	WMIC.exe
Token: SeTakeOwnershipPrivilege	2356	WMIC.exe
Token: SeLoadDriverPrivilege	2356	WMIC.exe
Token: SeSystemProfilePrivilege	2356	WMIC.exe
Token: SeSystemtimePrivilege	2356	WMIC.exe
Token: SeProfSingleProcessPrivilege	2356	WMIC.exe
Token: SeIncBasePriorityPrivilege	2356	WMIC.exe
Token: SeCreatePagefilePrivilege	2356	WMIC.exe
Token: SeBackupPrivilege	2356	WMIC.exe
Token: SeRestorePrivilege	2356	WMIC.exe
Token: SeShutdownPrivilege	2356	WMIC.exe
Token: SeDebugPrivilege	2356	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2356	WMIC.exe
Token: SeRemoteShutdownPrivilege	2356	WMIC.exe
Token: SeUndockPrivilege	2356	WMIC.exe
Token: SeManageVolumePrivilege	2356	WMIC.exe
Token: 33	2356	WMIC.exe
Token: 34	2356	WMIC.exe
Token: 35	2356	WMIC.exe
Token: 35	1392	cmd.exe
Token: SeIncreaseQuotaPrivilege	1160	WMIC.exe
Token: SeSecurityPrivilege	1160	WMIC.exe
Token: SeTakeOwnershipPrivilege	1160	WMIC.exe
Token: SeLoadDriverPrivilege	1160	WMIC.exe
Token: SeSystemProfilePrivilege	1160	WMIC.exe
Token: SeSystemtimePrivilege	1160	WMIC.exe
Token: SeProfSingleProcessPrivilege	1160	WMIC.exe
Token: SeIncBasePriorityPrivilege	1160	WMIC.exe
Token: SeCreatePagefilePrivilege	1160	WMIC.exe
Token: SeBackupPrivilege	1160	WMIC.exe
Token: SeRestorePrivilege	1160	WMIC.exe
Token: SeShutdownPrivilege	1160	WMIC.exe
Token: SeDebugPrivilege	1160	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1160	WMIC.exe
Token: SeRemoteShutdownPrivilege	1160	WMIC.exe
Token: SeUndockPrivilege	1160	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2296 wrote to memory of 2912	2296	cmd.exe	29
PID 2296 wrote to memory of 2912	2296	cmd.exe	29
PID 2296 wrote to memory of 2912	2296	cmd.exe	29
PID 2296 wrote to memory of 2680	2296	cmd.exe	30
PID 2296 wrote to memory of 2680	2296	cmd.exe	30
PID 2296 wrote to memory of 2680	2296	cmd.exe	30
PID 2296 wrote to memory of 2368	2296	cmd.exe	31
PID 2296 wrote to memory of 2368	2296	cmd.exe	31
PID 2296 wrote to memory of 2368	2296	cmd.exe	31
PID 2296 wrote to memory of 2332	2296	cmd.exe	32
PID 2296 wrote to memory of 2332	2296	cmd.exe	32
PID 2296 wrote to memory of 2332	2296	cmd.exe	32
PID 2296 wrote to memory of 2728	2296	cmd.exe	33
PID 2296 wrote to memory of 2728	2296	cmd.exe	33
PID 2296 wrote to memory of 2728	2296	cmd.exe	33
PID 2728 wrote to memory of 2748	2728	powershell.exe	34
PID 2728 wrote to memory of 2748	2728	powershell.exe	34
PID 2728 wrote to memory of 2748	2728	powershell.exe	34
PID 2748 wrote to memory of 1920	2748	csc.exe	35
PID 2748 wrote to memory of 1920	2748	csc.exe	35
PID 2748 wrote to memory of 1920	2748	csc.exe	35
PID 2728 wrote to memory of 2636	2728	powershell.exe	36
PID 2728 wrote to memory of 2636	2728	powershell.exe	36
PID 2728 wrote to memory of 2636	2728	powershell.exe	36
PID 2296 wrote to memory of 1876	2296	cmd.exe	37
PID 2296 wrote to memory of 1876	2296	cmd.exe	37
PID 2296 wrote to memory of 1876	2296	cmd.exe	37
PID 2296 wrote to memory of 1392	2296	cmd.exe	38
PID 2296 wrote to memory of 1392	2296	cmd.exe	38
PID 2296 wrote to memory of 1392	2296	cmd.exe	38
PID 1392 wrote to memory of 1776	1392	cmd.exe	39
PID 1392 wrote to memory of 1776	1392	cmd.exe	39
PID 1392 wrote to memory of 1776	1392	cmd.exe	39
PID 1392 wrote to memory of 1944	1392	cmd.exe	40
PID 1392 wrote to memory of 1944	1392	cmd.exe	40
PID 1392 wrote to memory of 1944	1392	cmd.exe	40
PID 1944 wrote to memory of 3068	1944	powershell.exe	41
PID 1944 wrote to memory of 3068	1944	powershell.exe	41
PID 1944 wrote to memory of 3068	1944	powershell.exe	41
PID 3068 wrote to memory of 2104	3068	csc.exe	42
PID 3068 wrote to memory of 2104	3068	csc.exe	42
PID 3068 wrote to memory of 2104	3068	csc.exe	42
PID 1392 wrote to memory of 1188	1392	cmd.exe	43
PID 1392 wrote to memory of 1188	1392	cmd.exe	43
PID 1392 wrote to memory of 1188	1392	cmd.exe	43
PID 1392 wrote to memory of 2088	1392	cmd.exe	44
PID 1392 wrote to memory of 2088	1392	cmd.exe	44
PID 1392 wrote to memory of 2088	1392	cmd.exe	44
PID 1392 wrote to memory of 2040	1392	cmd.exe	45
PID 1392 wrote to memory of 2040	1392	cmd.exe	45
PID 1392 wrote to memory of 2040	1392	cmd.exe	45
PID 1392 wrote to memory of 2056	1392	cmd.exe	46
PID 1392 wrote to memory of 2056	1392	cmd.exe	46
PID 1392 wrote to memory of 2056	1392	cmd.exe	46
PID 1392 wrote to memory of 1444	1392	cmd.exe	47
PID 1392 wrote to memory of 1444	1392	cmd.exe	47
PID 1392 wrote to memory of 1444	1392	cmd.exe	47
PID 1392 wrote to memory of 1444	1392	cmd.exe	47
PID 1392 wrote to memory of 1068	1392	cmd.exe	48
PID 1392 wrote to memory of 1068	1392	cmd.exe	48
PID 1392 wrote to memory of 1068	1392	cmd.exe	48
PID 1068 wrote to memory of 836	1068	cmd.exe	49
PID 1068 wrote to memory of 836	1068	cmd.exe	49
PID 1068 wrote to memory of 836	1068	cmd.exe	49

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\KMS_Suite.v9.5.EN.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:2296
- C:\Windows\system32\mode.com
  mode con cols=78 lines=5
  2⤵
  PID:2912
- C:\Windows\system32\reg.exe
  reg add hkcu\software\classes\.Admin\shell\runas\command /f /ve /d "cmd /x /d /r set \"f0=%2\"& call \"%2\" %3"
  2⤵
  - Modifies registry class
  - Modifies registry key
  PID:2680
- C:\Windows\system32\fltMC.exe
  fltmc
  2⤵
  PID:2368
- C:\Windows\system32\reg.exe
  reg delete hkcu\software\classes\.Admin\ /f
  2⤵
  - Modifies registry class
  - Modifies registry key
  PID:2332
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -nop -c $f=[IO.File]::ReadAllText($env:0)-split':KMSSuite\:.*';iex($f[1]); X(1)
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2728
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\93agv9y-.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2748
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4358.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC4357.tmp"
      4⤵
      PID:1920
- - C:\Windows\system32\expand.exe
    "C:\Windows\system32\expand.exe" -R 1 -F:* .
    3⤵
    - Drops file in Windows directory
    PID:2636
- C:\Windows\system32\xcopy.exe
  xcopy /s /h KMS_Suite 2594
  2⤵
  PID:1876
- C:\Windows\system32\cmd.exe
  cmd.exe /c KMS_Suite.bat -suite
  2⤵
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1392
- - C:\Windows\system32\mode.com
    mode con cols=78 lines=6
    3⤵
    PID:1776
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Powershell.exe -executionpolicy remotesigned -File disablex.ps1
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1944
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
      "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\vx-izxdz.cmdline"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3068
    - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES55BF.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC55BE.tmp"
        5⤵
        
        PID:2104
- - C:\Windows\system32\mode.com
    mode con: cols=90 lines=40
    3⤵
    PID:1188
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -noprofile "$W=(get-host).ui.rawui; $B=$W.buffersize; $B.height=90; $W.buffersize=$B"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2088
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "prompt #$H#$E# & echo on & for %b in (1) do rem"
    3⤵
    PID:2040
- - C:\Windows\system32\mode.com
    mode con cols=92 lines=35
    3⤵
    PID:2056
- - C:\Users\Admin\AppData\Local\Temp\2594\bin\center.exe
    center.exe kF5nJ4D92hfOpc8
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    PID:1444
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c powershell -nop -c "(([WMISEARCHER]'Select Caption from Win32_OperatingSystem').Get()).Caption"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1068
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -nop -c "(([WMISEARCHER]'Select Caption from Win32_OperatingSystem').Get()).Caption"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:836
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c powershell -nop -c "(([WMISEARCHER]'Select Version from Win32_OperatingSystem').Get()).Version"
    3⤵
    PID:904
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -nop -c "(([WMISEARCHER]'Select Version from Win32_OperatingSystem').Get()).Version"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2448
- - C:\Windows\system32\mode.com
    mode con cols=92 lines=35
    3⤵
    PID:2496
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c time /t
    3⤵
    PID:1504
- - C:\Windows\system32\findstr.exe
    findstr /v /a:78 /R "^$" " KMS & KMS 2038 & Digital & Online Activation Suite v9.5 - mephistooo2 - www.TNCTR.com" nul
    3⤵
    PID:1996
- - C:\Windows\system32\findstr.exe
    findstr /v /a:6 /R "^$" " SUPPORT MICROSOFT PRUDUCTS" nul
    3⤵
    PID:1380
- - C:\Windows\system32\findstr.exe
    findstr /v /a:6 /R "^$" " [1] ACTIVATION START FOR WINDOWS & OFFICE (KMS Inject Method)" nul
    3⤵
    PID:2268
- - C:\Windows\system32\findstr.exe
    findstr /v /a:9 /R "^$" " [2] ACTIVATION START FOR WINDOWS 10-11 (Digital & KMS 2038 Activation Method)" nul
    3⤵
    PID:3040
- - C:\Windows\system32\findstr.exe
    findstr /v /a:2 /R "^$" " [3] ACTIVATION START FOR WINDOWS & OFFICE (Online Activation Method)" nul
    3⤵
    PID:1624
- - C:\Windows\system32\findstr.exe
    findstr /v /a:7 /R "^$" " [4] WINDOWS & OFFICE ACTIVATION STATUS CHECK" nul
    3⤵
    PID:1684
- - C:\Windows\system32\findstr.exe
    findstr /v /a:3 /R "^$" " [5] KMS & KMS 2038 & DIGITAL & ONLINE ACTIVATION VISIT WEBSITE" nul
    3⤵
    PID:2680
- - C:\Windows\system32\findstr.exe
    findstr /v /a:4 /R "^$" " [6] EXIT" nul
    3⤵
    PID:2332
- - C:\Windows\system32\choice.exe
    choice /C:123456 /N /M "YOUR CHOICE :"
    3⤵
    PID:2820
- - C:\Windows\system32\mode.com
    mode con cols=78 lines=6
    3⤵
    PID:1604
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c powershell -nop -c "(([WMISEARCHER]'Select Caption from Win32_OperatingSystem').Get()).Caption"
    3⤵
    PID:1640
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -nop -c "(([WMISEARCHER]'Select Caption from Win32_OperatingSystem').Get()).Caption"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1656
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c powershell -nop -c "(([WMISEARCHER]'Select Version from Win32_OperatingSystem').Get()).Version"
    3⤵
    PID:2480
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -nop -c "(([WMISEARCHER]'Select Version from Win32_OperatingSystem').Get()).Version"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2524
- - C:\Windows\system32\mode.com
    mode con cols=92 lines=42
    3⤵
    PID:1876
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c time /t
    3⤵
    PID:1740
- - C:\Windows\system32\choice.exe
    choice /C:12345678 /N /M "YOUR CHOICE : "
    3⤵
    PID:2684
- - C:\Windows\system32\choice.exe
    choice /C:WOA /N /M "YOUR CHOICE : "
    3⤵
    PID:2328
- - C:\Windows\System32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services\WinMgmt /v Start
    3⤵
    - Modifies registry key
    PID:3068
- - C:\Windows\System32\find.exe
    find /i "0x4"
    3⤵
    PID:2372
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path Win32_ComputerSystem get CreationClassName /value
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2356
- - C:\Windows\System32\find.exe
    find /i "ComputerSystem"
    3⤵
    PID:2140
- - C:\Windows\System32\cmd.exe
    cmd /v:on /c echo(^!param^!
    3⤵
    PID:2080
- - C:\Windows\System32\findstr.exe
    findstr /R "[| ` ~ ! @ % \^ & ( ) \[ \] { } + = ; ' , |]*^"
    3⤵
    PID:2872
- - C:\Windows\System32\reg.exe
    reg query HKU\S-1-5-19
    3⤵
    PID:2544
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /v Desktop
    3⤵
    PID:1952
  - - C:\Windows\System32\reg.exe
      reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /v Desktop
      4⤵
      PID:816
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ver
    3⤵
    PID:1320
- - C:\Windows\System32\reg.exe
    reg query "HKCU\SOFTWARE\Microsoft\Windows Script Host\Settings" /v Enabled
    3⤵
    PID:2028
- - C:\Windows\System32\find.exe
    find /i "0x0"
    3⤵
    PID:2056
- - C:\Windows\System32\reg.exe
    reg query "HKLM\SOFTWARE\Microsoft\Windows Script Host\Settings" /v Enabled
    3⤵
    PID:688
- - C:\Windows\System32\find.exe
    find /i "0x0"
    3⤵
    PID:2668
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c dir /b /ad C:\Windows\System32\spp\tokens\skus
    3⤵
    PID:1444
- - C:\Windows\System32\sc.exe
    sc query osppsvc
    3⤵
    - Launches sc.exe
    PID:2456
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c dir /b /ad C:\Windows\System32\spp\tokens\channels
    3⤵
    PID:1608
- - C:\Windows\System32\sc.exe
    sc query sppsvc
    3⤵
    - Launches sc.exe
    PID:1204
- - C:\Windows\System32\find.exe
    find /i "STOPPED"
    3⤵
    PID:968
- - C:\Windows\System32\net.exe
    net stop sppsvc /y
    3⤵
    PID:1636
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop sppsvc /y
      4⤵
      PID:964
- - C:\Windows\System32\sc.exe
    sc query sppsvc
    3⤵
    - Launches sc.exe
    PID:1796
- - C:\Windows\System32\find.exe
    find /i "STOPPED"
    3⤵
    PID:2412
- - C:\Windows\System32\sc.exe
    sc query osppsvc
    3⤵
    - Launches sc.exe
    PID:1456
- - C:\Windows\System32\find.exe
    find /i "STOPPED"
    3⤵
    PID:836
- - C:\Windows\System32\sc.exe
    sc query osppsvc
    3⤵
    - Launches sc.exe
    PID:240
- - C:\Windows\System32\find.exe
    find /i "STOPPED"
    3⤵
    PID:804
- - C:\Windows\System32\icacls.exe
    icacls "C:\Windows\System32\KMS.dll" /findsid *S-1-5-32-545
    3⤵
    - Modifies file permissions
    PID:2528
- - C:\Windows\System32\find.exe
    find /i "KMS.dll"
    3⤵
    PID:2468
- - C:\Windows\System32\icacls.exe
    icacls "C:\Windows\System32\KMS.dll" /grant *S-1-5-32-545:RX
    3⤵
    - Modifies file permissions
    PID:2204
- - C:\Windows\System32\reg.exe
    reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osppsvc.exe" /f /v Debugger
    3⤵
    PID:2252
- - C:\Windows\System32\reg.exe
    reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osppsvc.exe" /f /v VerifierDlls /t REG_SZ /d "KMS.dll"
    3⤵
    - Sets file execution options in registry
    PID:2264
- - C:\Windows\System32\reg.exe
    reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osppsvc.exe" /f /v VerifierDebug /t REG_DWORD /d 0x00000000
    3⤵
    - Sets file execution options in registry
    PID:1940
- - C:\Windows\System32\reg.exe
    reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osppsvc.exe" /f /v VerifierFlags /t REG_DWORD /d 0x80000000
    3⤵
    - Sets file execution options in registry
    PID:1292
- - C:\Windows\System32\reg.exe
    reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osppsvc.exe" /f /v GlobalFlag /t REG_DWORD /d 0x00000100
    3⤵
    - Sets file execution options in registry
    PID:2192
- - C:\Windows\System32\reg.exe
    reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osppsvc.exe" /f /v KMS_Emulation /t REG_DWORD /d 1
    3⤵
    - Sets file execution options in registry
    PID:2272
- - C:\Windows\System32\reg.exe
    reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osppsvc.exe" /f /v KMS_ActivationInterval /t REG_DWORD /d 43200
    3⤵
    - Sets file execution options in registry
    PID:2532
- - C:\Windows\System32\reg.exe
    reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osppsvc.exe" /f /v KMS_RenewalInterval /t REG_DWORD /d 43200
    3⤵
    - Sets file execution options in registry
    PID:2448
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c REG QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages" /f "Microsoft-Windows-*Edition~31bf3856ad364e35" /k 2>nul | FIND /I "CurrentVersion"
    3⤵
    PID:904
  - - C:\Windows\System32\reg.exe
      REG QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages" /f "Microsoft-Windows-*Edition~31bf3856ad364e35" /k
      4⤵
      PID:2496
  - - C:\Windows\System32\find.exe
      FIND /I "CurrentVersion"
      4⤵
      PID:1504
- - C:\Windows\System32\reg.exe
    REG QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Microsoft-Windows-UltimateEdition~31bf3856ad364e35~amd64~~6.1.7601.17514" /v "CurrentState"
    3⤵
    PID:2344
- - C:\Windows\System32\find.exe
    FIND /I "0x70"
    3⤵
    PID:1888
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c echo Microsoft-Windows-UltimateEdition~31bf3856ad364e35~amd64~~6.1.7601.17514
    3⤵
    PID:1348
- - C:\Windows\System32\net.exe
    net start sppsvc /y
    3⤵
    PID:2220
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 start sppsvc /y
      4⤵
      PID:2120
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path SoftwareLicensingProduct where (ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f' AND PartialProductKey is not NULL) get LicenseFamily /value" 2>nul
    3⤵
    PID:2280
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path SoftwareLicensingProduct where (ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f' AND PartialProductKey is not NULL) get LicenseFamily /value
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1160
- - C:\Windows\System32\mode.com
    mode con:cols=92 lines=25
    3⤵
    PID:2892
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v ProductName 2>nul
    3⤵
    PID:1968
  - - C:\Windows\System32\reg.exe
      reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v ProductName
      4⤵
      PID:2736
- - C:\Windows\System32\reg.exe
    reg query HKLM\SOFTWARE\Microsoft\Office\ClickToRun /v InstallPath
    3⤵
    - Modifies registry key
    PID:1084
- - C:\Windows\System32\reg.exe
    reg query HKLM\SOFTWARE\WOW6432Node\Microsoft\Office\ClickToRun /v InstallPath
    3⤵
    - Modifies registry key
    PID:2596
- - C:\Windows\System32\reg.exe
    reg query HKLM\SOFTWARE\Microsoft\Office\15.0\ClickToRun /v InstallPath
    3⤵
    - Modifies registry key
    PID:2232
- - C:\Windows\System32\reg.exe
    reg query HKLM\SOFTWARE\Wow6432Node\Microsoft\Office\14.0\CVH /f Click2run /k
    3⤵
    - Modifies registry key
    PID:1004
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg query HKLM\SOFTWARE\Microsoft\Office\14.0\Common\InstallRoot /v Path" 2>nul
    3⤵
    PID:2348
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SOFTWARE\Microsoft\Office\14.0\Common\InstallRoot /v Path
      4⤵
      Modifies registry key
      PID:2704
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg query HKLM\SOFTWARE\Wow6432Node\Microsoft\Office\14.0\Common\InstallRoot /v Path" 2>nul
    3⤵
    PID:2876
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SOFTWARE\Wow6432Node\Microsoft\Office\14.0\Common\InstallRoot /v Path
      4⤵
      Modifies registry key
      PID:2888
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg query HKLM\SOFTWARE\Microsoft\Office\15.0\Common\InstallRoot /v Path" 2>nul
    3⤵
    PID:2880
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SOFTWARE\Microsoft\Office\15.0\Common\InstallRoot /v Path
      4⤵
      Modifies registry key
      PID:2588
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg query HKLM\SOFTWARE\Wow6432Node\Microsoft\Office\15.0\Common\InstallRoot /v Path" 2>nul
    3⤵
    PID:1924
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SOFTWARE\Wow6432Node\Microsoft\Office\15.0\Common\InstallRoot /v Path
      4⤵
      Modifies registry key
      PID:2644
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg query HKLM\SOFTWARE\Microsoft\Office\16.0\Common\InstallRoot /v Path" 2>nul
    3⤵
    PID:1920
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SOFTWARE\Microsoft\Office\16.0\Common\InstallRoot /v Path
      4⤵
      Modifies registry key
      PID:3020
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg query HKLM\SOFTWARE\Wow6432Node\Microsoft\Office\16.0\Common\InstallRoot /v Path" 2>nul
    3⤵
    PID:2748
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SOFTWARE\Wow6432Node\Microsoft\Office\16.0\Common\InstallRoot /v Path
      4⤵
      Modifies registry key
      PID:2616
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path SoftwareLicensingProduct where (Description like '%KMSCLIENT%' ) get Name /value
    3⤵
    PID:2660
- - C:\Windows\System32\findstr.exe
    findstr /i Windows
    3⤵
    PID:2300
- - C:\Windows\System32\sc.exe
    sc query sppsvc
    3⤵
    - Launches sc.exe
    PID:2632
- - C:\Windows\System32\find.exe
    find /i "STOPPED"
    3⤵
    PID:2552
- - C:\Windows\System32\net.exe
    net stop sppsvc /y
    3⤵
    PID:1440
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop sppsvc /y
      4⤵
      PID:1228
- - C:\Windows\System32\sc.exe
    sc query sppsvc
    3⤵
    - Launches sc.exe
    PID:660
- - C:\Windows\System32\find.exe
    find /i "STOPPED"
    3⤵
    PID:1972
- - C:\Windows\System32\sc.exe
    sc query osppsvc
    3⤵
    - Launches sc.exe
    PID:1480
- - C:\Windows\System32\find.exe
    find /i "STOPPED"
    3⤵
    PID:1364
- - C:\Windows\System32\sc.exe
    sc query osppsvc
    3⤵
    - Launches sc.exe
    PID:1644
- - C:\Windows\System32\find.exe
    find /i "STOPPED"
    3⤵
    PID:784
- - C:\Windows\System32\icacls.exe
    icacls "C:\Windows\System32\KMS.dll" /reset
    3⤵
    - Modifies file permissions
    PID:2512
- - C:\Windows\System32\reg.exe
    reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.exe"
    3⤵
    PID:340
- - C:\Windows\System32\reg.exe
    reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sppsvc.exe"
    3⤵
    PID:2452
- - C:\Windows\System32\reg.exe
    reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osppsvc.exe"
    3⤵
    PID:2960
- - C:\Windows\System32\reg.exe
    reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osppsvc.exe" /v Debugger /f
    3⤵
    PID:2920
- - C:\Windows\System32\reg.exe
    reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osppsvc.exe" /v VerifierDlls /f
    3⤵
    PID:1092
- - C:\Windows\System32\reg.exe
    reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osppsvc.exe" /v VerifierDebug /f
    3⤵
    PID:2804
- - C:\Windows\System32\reg.exe
    reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osppsvc.exe" /v VerifierFlags /f
    3⤵
    PID:2768
- - C:\Windows\System32\reg.exe
    reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osppsvc.exe" /v GlobalFlag /f
    3⤵
    PID:2916
- - C:\Windows\System32\reg.exe
    reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osppsvc.exe" /v KMS_Emulation /f
    3⤵
    PID:3000
- - C:\Windows\System32\reg.exe
    reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osppsvc.exe" /v KMS_ActivationInterval /f
    3⤵
    PID:3004
- - C:\Windows\System32\reg.exe
    reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osppsvc.exe" /v KMS_RenewalInterval /f
    3⤵
    PID:3024
- - C:\Windows\System32\reg.exe
    reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osppsvc.exe" /v Office2010 /f
    3⤵
    PID:3032
- - C:\Windows\System32\reg.exe
    reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osppsvc.exe" /v Office2013 /f
    3⤵
    PID:2176
- - C:\Windows\System32\reg.exe
    reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osppsvc.exe" /v Office2016 /f
    3⤵
    PID:1012
- - C:\Windows\System32\reg.exe
    reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osppsvc.exe" /v Office2019 /f
    3⤵
    PID:516
- - C:\Windows\System32\reg.exe
    reg add "HKLM\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform" /f /v KeyManagementServiceName /t REG_SZ /d "172.16.0.2"
    3⤵
    PID:1716
- - C:\Windows\System32\reg.exe
    reg add "HKLM\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform" /f /v KeyManagementServicePort /t REG_SZ /d "1688"
    3⤵
    PID:908
- - C:\Windows\System32\sc.exe
    sc start sppsvc trigger=timer;sessionid=0
    3⤵
    - Launches sc.exe
    PID:1096
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c powershell -nop -c "(([WMISEARCHER]'Select Caption from Win32_OperatingSystem').Get()).Caption"
    3⤵
    PID:2628
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -nop -c "(([WMISEARCHER]'Select Caption from Win32_OperatingSystem').Get()).Caption"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:2060
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c powershell -nop -c "(([WMISEARCHER]'Select Version from Win32_OperatingSystem').Get()).Version"
    3⤵
    PID:2188
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -nop -c "(([WMISEARCHER]'Select Version from Win32_OperatingSystem').Get()).Version"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:2100
- - C:\Windows\System32\mode.com
    mode con cols=92 lines=42
    3⤵
    PID:1552
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c time /t
    3⤵
    PID:1580
- - C:\Windows\System32\choice.exe
    choice /C:12345678 /N /M "YOUR CHOICE : "
    3⤵
    PID:2600
- - C:\Windows\System32\mode.com
    mode con cols=78 lines=6
    3⤵
    PID:2288
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Powershell.exe -executionpolicy remotesigned -File disablex.ps1
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:672
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
      "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\axikghny.cmdline"
      4⤵
      PID:1648
    - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB4B0.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCB4AF.tmp"
        5⤵
        
        PID:772
- - C:\Windows\System32\mode.com
    mode con: cols=90 lines=40
    3⤵
    PID:2808
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -noprofile "$W=(get-host).ui.rawui; $B=$W.buffersize; $B.height=90; $W.buffersize=$B"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2284
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "prompt #$H#$E# & echo on & for %b in (1) do rem"
    3⤵
    PID:1176
- - C:\Windows\System32\mode.com
    mode con cols=92 lines=35
    3⤵
    PID:2140
- - C:\Users\Admin\AppData\Local\Temp\2594\bin\center.exe
    center.exe kF5nJ4D92hfOpc8
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    PID:2080
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c powershell -nop -c "(([WMISEARCHER]'Select Caption from Win32_OperatingSystem').Get()).Caption"
    3⤵
    PID:2872
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -nop -c "(([WMISEARCHER]'Select Caption from Win32_OperatingSystem').Get()).Caption"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:2544
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c powershell -nop -c "(([WMISEARCHER]'Select Version from Win32_OperatingSystem').Get()).Version"
    3⤵
    PID:1764
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -nop -c "(([WMISEARCHER]'Select Version from Win32_OperatingSystem').Get()).Version"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:1956
- - C:\Windows\System32\mode.com
    mode con cols=92 lines=35
    3⤵
    PID:2508
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c time /t
    3⤵
    PID:844
- - C:\Windows\System32\findstr.exe
    findstr /v /a:78 /R "^$" " KMS & KMS 2038 & Digital & Online Activation Suite v9.5 - mephistooo2 - www.TNCTR.com" nul
    3⤵
    PID:2528
- - C:\Windows\System32\findstr.exe
    findstr /v /a:6 /R "^$" " SUPPORT MICROSOFT PRUDUCTS" nul
    3⤵
    PID:556
- - C:\Windows\System32\findstr.exe
    findstr /v /a:6 /R "^$" " [1] ACTIVATION START FOR WINDOWS & OFFICE (KMS Inject Method)" nul
    3⤵
    PID:2248
- - C:\Windows\System32\findstr.exe
    findstr /v /a:9 /R "^$" " [2] ACTIVATION START FOR WINDOWS 10-11 (Digital & KMS 2038 Activation Method)" nul
    3⤵
    PID:2264
- - C:\Windows\System32\findstr.exe
    findstr /v /a:2 /R "^$" " [3] ACTIVATION START FOR WINDOWS & OFFICE (Online Activation Method)" nul
    3⤵
    PID:2516
- - C:\Windows\System32\findstr.exe
    findstr /v /a:7 /R "^$" " [4] WINDOWS & OFFICE ACTIVATION STATUS CHECK" nul
    3⤵
    PID:2192
- - C:\Windows\System32\findstr.exe
    findstr /v /a:3 /R "^$" " [5] KMS & KMS 2038 & DIGITAL & ONLINE ACTIVATION VISIT WEBSITE" nul
    3⤵
    PID:2324
- - C:\Windows\System32\findstr.exe
    findstr /v /a:4 /R "^$" " [6] EXIT" nul
    3⤵
    PID:2448
- - C:\Windows\System32\choice.exe
    choice /C:123456 /N /M "YOUR CHOICE :"
    3⤵
    PID:2496
- - C:\Windows\System32\mode.com
    mode con cols=92 lines=35
    3⤵
    PID:1504
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c time /t
    3⤵
    PID:904
- - C:\Windows\System32\choice.exe
    choice /C:WOAM /N /M "YOUR CHOICE : "
    3⤵
    PID:2344
- - C:\Windows\System32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services\WinMgmt /v Start
    3⤵
    - Modifies registry key
    PID:1348
- - C:\Windows\System32\find.exe
    find /i "0x4"
    3⤵
    PID:2112
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path Win32_ComputerSystem get CreationClassName /value
    3⤵
    PID:1380
- - C:\Windows\System32\find.exe
    find /i "ComputerSystem"
    3⤵
    PID:2680
- - C:\Windows\System32\cmd.exe
    cmd /v:on /c echo(^!param^!
    3⤵
    PID:2896
- - C:\Windows\System32\findstr.exe
    findstr /R "[| ` ~ ! @ % \^ & ( ) \[ \] { } + = ; ' , |]*^"
    3⤵
    PID:2740
- - C:\Windows\System32\reg.exe
    reg query HKU\S-1-5-19
    3⤵
    PID:2744
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /v Desktop
    3⤵
    PID:2720
  - - C:\Windows\System32\reg.exe
      reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /v Desktop
      4⤵
      PID:1828
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ver
    3⤵
    PID:3056
- - C:\Windows\System32\reg.exe
    reg query "HKCU\SOFTWARE\Microsoft\Windows Script Host\Settings" /v Enabled
    3⤵
    PID:2712
- - C:\Windows\System32\find.exe
    find /i "0x0"
    3⤵
    PID:1948
- - C:\Windows\System32\reg.exe
    reg query "HKLM\SOFTWARE\Microsoft\Windows Script Host\Settings" /v Enabled
    3⤵
    PID:3052
- - C:\Windows\System32\find.exe
    find /i "0x0"
    3⤵
    PID:2904
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -NoProfile -nologo "If([Activator]::CreateInstance([Type]::GetTypeFromCLSID([Guid]'{DCB00C01-570F-4A9B-8D69-199FDBA5723B}')).IsConnectedToInternet){Exit 0}Else{Exit 1}"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2624
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -NoProfile "$t = New-Object Net.Sockets.TcpClient;try{$t.Connect("""kms.cangshui.net""", 1688)}catch{};$t.Connected"
    3⤵
    - Blocklisted process makes network request
    - Suspicious behavior: EnumeratesProcesses
    PID:2708
- - C:\Windows\System32\findstr.exe
    findstr /i true
    3⤵
    PID:2664
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -NoProfile "$t = New-Object Net.Sockets.TcpClient;try{$t.Connect("""kms8.MSGuides.comkms.srv.crsoo.com""", 1688)}catch{};$t.Connected"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1972
- - C:\Windows\System32\findstr.exe
    findstr /i true
    3⤵
    PID:2164
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -NoProfile "$t = New-Object Net.Sockets.TcpClient;try{$t.Connect("""kms9.MSGuides.com""", 1688)}catch{};$t.Connected"
    3⤵
    - Blocklisted process makes network request
    - Suspicious behavior: EnumeratesProcesses
    PID:2804
- - C:\Windows\System32\findstr.exe
    findstr /i true
    3⤵
    PID:2768
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c dir /b /ad C:\Windows\System32\spp\tokens\skus
    3⤵
    PID:1696
- - C:\Windows\System32\sc.exe
    sc query osppsvc
    3⤵
    - Launches sc.exe
    PID:2208
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c dir /b /ad C:\Windows\System32\spp\tokens\channels
    3⤵
    PID:2216
- - C:\Windows\System32\sc.exe
    sc query sppsvc
    3⤵
    - Launches sc.exe
    PID:2864
- - C:\Windows\System32\find.exe
    find /i "STOPPED"
    3⤵
    PID:2956
- - C:\Windows\System32\net.exe
    net stop sppsvc /y
    3⤵
    PID:2032
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop sppsvc /y
      4⤵
      PID:1604
- - C:\Windows\System32\sc.exe
    sc query sppsvc
    3⤵
    - Launches sc.exe
    PID:1976
- - C:\Windows\System32\find.exe
    find /i "STOPPED"
    3⤵
    PID:2860
- - C:\Windows\System32\sc.exe
    sc query osppsvc
    3⤵
    - Launches sc.exe
    PID:2388
- - C:\Windows\System32\find.exe
    find /i "STOPPED"
    3⤵
    PID:2824
- - C:\Windows\System32\sc.exe
    sc query osppsvc
    3⤵
    - Launches sc.exe
    PID:2732
- - C:\Windows\System32\find.exe
    find /i "STOPPED"
    3⤵
    PID:2792
- - C:\Windows\System32\reg.exe
    reg add "HKLM\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform" /f /v KeyManagementServiceName /t REG_SZ /d "kms9.MSGuides.com"
    3⤵
    PID:2576
- - C:\Windows\System32\reg.exe
    reg add "HKLM\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform" /f /v KeyManagementServicePort /t REG_SZ /d "1688"
    3⤵
    PID:1744
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c REG QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages" /f "Microsoft-Windows-*Edition~31bf3856ad364e35" /k 2>nul | FIND /I "CurrentVersion"
    3⤵
    PID:280
  - - C:\Windows\System32\reg.exe
      REG QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages" /f "Microsoft-Windows-*Edition~31bf3856ad364e35" /k
      4⤵
      PID:2640
  - - C:\Windows\System32\find.exe
      FIND /I "CurrentVersion"
      4⤵
      PID:2976
- - C:\Windows\System32\reg.exe
    REG QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Microsoft-Windows-UltimateEdition~31bf3856ad364e35~amd64~~6.1.7601.17514" /v "CurrentState"
    3⤵
    PID:1656
- - C:\Windows\System32\find.exe
    FIND /I "0x70"
    3⤵
    PID:524
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c echo Microsoft-Windows-UltimateEdition~31bf3856ad364e35~amd64~~6.1.7601.17514
    3⤵
    PID:736
- - C:\Windows\System32\net.exe
    net start sppsvc /y
    3⤵
    PID:2676
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 start sppsvc /y
      4⤵
      PID:2840
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path SoftwareLicensingProduct where (ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f' AND PartialProductKey is not NULL) get LicenseFamily /value" 2>nul
    3⤵
    PID:1616
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path SoftwareLicensingProduct where (ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f' AND PartialProductKey is not NULL) get LicenseFamily /value
      4⤵
      PID:2688
- - C:\Windows\System32\mode.com
    mode con:cols=92 lines=25
    3⤵
    PID:1776
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v ProductName 2>nul
    3⤵
    PID:2836
  - - C:\Windows\System32\reg.exe
      reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v ProductName
      4⤵
      PID:2948
- - C:\Windows\System32\reg.exe
    reg query HKLM\SOFTWARE\Microsoft\Office\ClickToRun /v InstallPath
    3⤵
    - Modifies registry key
    PID:1692
- - C:\Windows\System32\reg.exe
    reg query HKLM\SOFTWARE\WOW6432Node\Microsoft\Office\ClickToRun /v InstallPath
    3⤵
    - Modifies registry key
    PID:1992
- - C:\Windows\System32\reg.exe
    reg query HKLM\SOFTWARE\Microsoft\Office\15.0\ClickToRun /v InstallPath
    3⤵
    - Modifies registry key
    PID:992
- - C:\Windows\System32\reg.exe
    reg query HKLM\SOFTWARE\Wow6432Node\Microsoft\Office\14.0\CVH /f Click2run /k
    3⤵
    - Modifies registry key
    PID:1448
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg query HKLM\SOFTWARE\Microsoft\Office\14.0\Common\InstallRoot /v Path" 2>nul
    3⤵
    PID:2936
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SOFTWARE\Microsoft\Office\14.0\Common\InstallRoot /v Path
      4⤵
      Modifies registry key
      PID:772
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg query HKLM\SOFTWARE\Wow6432Node\Microsoft\Office\14.0\Common\InstallRoot /v Path" 2>nul
    3⤵
    PID:1648
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SOFTWARE\Wow6432Node\Microsoft\Office\14.0\Common\InstallRoot /v Path
      4⤵
      Modifies registry key
      PID:320
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg query HKLM\SOFTWARE\Microsoft\Office\15.0\Common\InstallRoot /v Path" 2>nul
    3⤵
    PID:2116
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SOFTWARE\Microsoft\Office\15.0\Common\InstallRoot /v Path
      4⤵
      Modifies registry key
      PID:2844
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg query HKLM\SOFTWARE\Wow6432Node\Microsoft\Office\15.0\Common\InstallRoot /v Path" 2>nul
    3⤵
    PID:2236
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SOFTWARE\Wow6432Node\Microsoft\Office\15.0\Common\InstallRoot /v Path
      4⤵
      Modifies registry key
      PID:564
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg query HKLM\SOFTWARE\Microsoft\Office\16.0\Common\InstallRoot /v Path" 2>nul
    3⤵
    PID:1296
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SOFTWARE\Microsoft\Office\16.0\Common\InstallRoot /v Path
      4⤵
      Modifies registry key
      PID:2944
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg query HKLM\SOFTWARE\Wow6432Node\Microsoft\Office\16.0\Common\InstallRoot /v Path" 2>nul
    3⤵
    PID:1892
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SOFTWARE\Wow6432Node\Microsoft\Office\16.0\Common\InstallRoot /v Path
      4⤵
      Modifies registry key
      PID:432
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path SoftwareLicensingProduct where (Description like '%KMSCLIENT%' ) get Name /value
    3⤵
    PID:780
- - C:\Windows\System32\findstr.exe
    findstr /i Windows
    3⤵
    PID:1484
- - C:\Windows\System32\sc.exe
    sc query sppsvc
    3⤵
    - Launches sc.exe
    PID:2372
- - C:\Windows\System32\find.exe
    find /i "STOPPED"
    3⤵
    PID:1904
- - C:\Windows\System32\net.exe
    net stop sppsvc /y
    3⤵
    PID:2144
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop sppsvc /y
      4⤵
      PID:180
- - C:\Windows\System32\sc.exe
    sc query sppsvc
    3⤵
    - Launches sc.exe
    PID:576
- - C:\Windows\System32\find.exe
    find /i "STOPPED"
    3⤵
    PID:1108
- - C:\Windows\System32\sc.exe
    sc query osppsvc
    3⤵
    - Launches sc.exe
    PID:1176
- - C:\Windows\System32\find.exe
    find /i "STOPPED"
    3⤵
    PID:2140
- - C:\Windows\System32\sc.exe
    sc query osppsvc
    3⤵
    - Launches sc.exe
    PID:1320
- - C:\Windows\System32\find.exe
    find /i "STOPPED"
    3⤵
    PID:2028
- - C:\Windows\System32\sc.exe
    sc start sppsvc trigger=timer;sessionid=0
    3⤵
    - Launches sc.exe
    PID:396
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Powershell.exe -executionpolicy remotesigned -File disablex.ps1
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1952
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
      "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\d8v-b3-p.cmdline"
      4⤵
      PID:240
    - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB53D.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCB53C.tmp"
        5⤵
        
        PID:2556
- - C:\Windows\System32\mode.com
    mode con: cols=90 lines=40
    3⤵
    PID:856
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -noprofile "$W=(get-host).ui.rawui; $B=$W.buffersize; $B.height=90; $W.buffersize=$B"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2528
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "prompt #$H#$E# & echo on & for %b in (1) do rem"
    3⤵
    PID:896
- - C:\Windows\System32\mode.com
    mode con cols=92 lines=35
    3⤵
    PID:2500
- - C:\Users\Admin\AppData\Local\Temp\2594\bin\center.exe
    center.exe kF5nJ4D92hfOpc8
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    PID:884
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c powershell -nop -c "(([WMISEARCHER]'Select Caption from Win32_OperatingSystem').Get()).Caption"
    3⤵
    PID:1032
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -nop -c "(([WMISEARCHER]'Select Caption from Win32_OperatingSystem').Get()).Caption"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:2456
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c powershell -nop -c "(([WMISEARCHER]'Select Version from Win32_OperatingSystem').Get()).Version"
    3⤵
    PID:2680
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -nop -c "(([WMISEARCHER]'Select Version from Win32_OperatingSystem').Get()).Version"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:2896
- - C:\Windows\System32\mode.com
    mode con cols=92 lines=35
    3⤵
    PID:2616
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c time /t
    3⤵
    PID:2748
- - C:\Windows\System32\findstr.exe
    findstr /v /a:78 /R "^$" " KMS & KMS 2038 & Digital & Online Activation Suite v9.5 - mephistooo2 - www.TNCTR.com" nul
    3⤵
    PID:1116
- - C:\Windows\System32\findstr.exe
    findstr /v /a:6 /R "^$" " SUPPORT MICROSOFT PRUDUCTS" nul
    3⤵
    PID:2608
- - C:\Windows\System32\findstr.exe
    findstr /v /a:6 /R "^$" " [1] ACTIVATION START FOR WINDOWS & OFFICE (KMS Inject Method)" nul
    3⤵
    PID:2784
- - C:\Windows\System32\findstr.exe
    findstr /v /a:9 /R "^$" " [2] ACTIVATION START FOR WINDOWS 10-11 (Digital & KMS 2038 Activation Method)" nul
    3⤵
    PID:2876
- - C:\Windows\System32\findstr.exe
    findstr /v /a:2 /R "^$" " [3] ACTIVATION START FOR WINDOWS & OFFICE (Online Activation Method)" nul
    3⤵
    PID:2552
- - C:\Windows\System32\findstr.exe
    findstr /v /a:7 /R "^$" " [4] WINDOWS & OFFICE ACTIVATION STATUS CHECK" nul
    3⤵
    PID:1680
- - C:\Windows\System32\findstr.exe
    findstr /v /a:3 /R "^$" " [5] KMS & KMS 2038 & DIGITAL & ONLINE ACTIVATION VISIT WEBSITE" nul
    3⤵
    PID:2200
- - C:\Windows\System32\findstr.exe
    findstr /v /a:4 /R "^$" " [6] EXIT" nul
    3⤵
    PID:1104
- - C:\Windows\System32\choice.exe
    choice /C:123456 /N /M "YOUR CHOICE :"
    3⤵
    PID:1772
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\TEMPmessage.vbs"
    3⤵
    PID:2572

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

File and Directory Permissions Modification

T1222

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ KMS & KMS 2038 & Digital & Online Activation Suite v9.5 - mephistooo2 - www.TNCTR.com

Filesize
3B

MD5
df66fa563a2fafdb93cc559deb0a38c4

SHA1
e6666cf8574b0f7a9ae5bccee572f965c2aec9cb

SHA256
3e39ed22dc63246937c4dbbf34ce4fb1cfe6b00de7596b020cad49ae50031351

SHA512
34ea05ee75cd840a94526411777868edb293a69867e1fdc2c2e917d278a3d58fcb86afc65142f4b184ce6907f04fb254a86061cfb620f01874b0b454a6f01c18

Download Submit
C:\Users\Admin\AppData\Local\Temp\1

Filesize
273KB

MD5
2b6d8e1e450072798b678f8f6a8d623f

SHA1
42eca47fc83a233d237a5d082dc0d3316e408fca

SHA256
0297edf9bfc2d0c9e0c479185812a95258cec5d3a04262f5ba7b89990b32c847

SHA512
a75fec4977c8538aa1dc0dbfefc7681ea6b67396de5bb70dd78152d267202b634ae3c0389d4affa89bfc41d6e5505ce6ba86d433201419de8e3d3df3522661e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\93agv9y-.dll

Filesize
4KB

MD5
a7888ebf4d2bf1cf69b88e6a2671357b

SHA1
0193f2c108ab871b9f9e0d4153893f338257c16f

SHA256
0eb8f1a06f575324c782eac567e0444c31a255013b21115a0bc556b1d294fd1a

SHA512
066057355a0282d9d687b8cd8fc936887e1252dc48f2814fdafc278d37dd9aeb8f7a42a41d15839f4ff919c78d48c8c5396399cd3b9758d2a8db88b7b7093f2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\93agv9y-.pdb

Filesize
11KB

MD5
4282bec5156b29d1b64921f9c4e03d3f

SHA1
73c7d11b900e0ce9e25e4cfbbff8def185dd2f63

SHA256
1e6c49cadf0ec346c6a6f80600ba785604b620db6d492d8a98b70b33d9cb8370

SHA512
9f3a124ff7919e307a332b6a507912d31c1beef933f41e3102e9a6e65a1cd1ba36a8887ec9b88fdd896af414b52ba95d59fbde46e2687f1168eb6f689b6b739d

Download Submit
C:\Users\Admin\AppData\Local\Temp\KMS_Suite\KMS_Suite.bat

Filesize
138KB

MD5
1d011778610d37abea44c8539dfb7d94

SHA1
cc24087866d58aa6d93a0a4fe9b7d192796bec07

SHA256
1719b3e603da1985efa521038d8d730c884585136c2ec0e74af3ade7c2180aa4

SHA512
11643572c7b4e8fda7f0f5fbe05a058501811090b116ee51fcefea3f8d99cb72c0955ed6fb705bcf4eeb85c0f913627c8f9bd5a245affcd489fe1c5c781088b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\KMS_Suite\bin\Digital\OEM_Digital\$OEM$\$$\Setup\Scripts\SETUPCOMPLETE.bat

Filesize
341B

MD5
d401c5effa22436e0382bdd71b145ed3

SHA1
b2632b7e74c21d9791d2a7202beab9fcb878c46b

SHA256
cb02f5670b0f7f13d87a4df29879d275c23adcdc15f3345dedbbe4ccc3ba0231

SHA512
22b7d96c9022dfe114f2997866f2e5a23e135d6d61708483eb9342b90d1b521d45618ff8dfc821b9a08c1740fda54aedd1f95f54c1d80c882cbabb8fac8cd517

Download Submit
C:\Users\Admin\AppData\Local\Temp\KMS_Suite\bin\Digital\OEM_Digital\$OEM$\$$\Setup\Scripts\digi.bat

Filesize
26KB

MD5
a9d3f449da7e990816be1d58417d4fe6

SHA1
9af0b5044a1d6d7d9c101dd73d34137512dde810

SHA256
11322fc30bc92eb4f1f6ea5ad6c2c9f2fe3204e017f8d7f4cdcfbf36e33e93ab

SHA512
b878f3543af1e1a4c66cff752be2b528c9e61c4fc7574b57abf869cc38de15a9b7736fd39c2c835b3bc6e74957771892b3e9b9a16335cf6be53434153be0d2fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\KMS_Suite\bin\Digital\OEM_KMS38\$OEM$\$$\Setup\Scripts\SETUPCOMPLETE.bat

Filesize
343B

MD5
0d2e7f7d3632f02a4f5f605ee9750f56

SHA1
b17e185829d03518be196fb37d801dfd8cc3f6af

SHA256
eeb96f5030386b06c8b11101f3beb740f2932e3e755f5e0f9da11d56d1cec69c

SHA512
4febee13af76e7f8adfbcb58470729d6b43870b5d94e8da28310c8546bd3c6eb6d769da2c0b07d61cd1ad16dc904dc75d48a80a394b029e09f79f02c19ebb10a

Download Submit
C:\Users\Admin\AppData\Local\Temp\KMS_Suite\bin\Digital\bin\gatherosstate.exe

Filesize
330KB

MD5
15ce0753a16dd4f9b9f0f9926dd37c4e

SHA1
fabb5a0fc1e6a372219711152291339af36ed0b5

SHA256
028c8fbe58f14753b946475de9f09a9c7a05fd62e81a1339614c9e138fc2a21d

SHA512
4e5a6751f5f1f8499890e07a3b58c4040e43cf1329ab8f4a09201e1f247825e334e416717895f6e570842f3d2d6a137c77539c70545329c1ab3118bd83a38226

Download Submit
C:\Users\Admin\AppData\Local\Temp\KMS_Suite\bin\Digital\bin\slc.dll

Filesize
7KB

MD5
f18dd5b638590be87ccd56fe338bed10

SHA1
da1afd97d92dd6026e7095ee7442a2144f78ed0b

SHA256
e7eca8c7476df70ef525ae55a0d8ccc715f22a727165a05fd4c380032cf763a9

SHA512
a3b3bbcdc3a3f83776793fd5b02578d59d38998f19a653467422e61127f063ad317d19857cd21e2723870cd1fdb6b0fe8dd436e07f2b93a7c9b4497f7e986662

Download Submit
C:\Users\Admin\AppData\Local\Temp\KMS_Suite\bin\Inject\$OEM$\$$\Setup\Scripts\SETUPCOMPLETE.bat

Filesize
983B

MD5
d98118ac31e94e4d5f2a3baab1e4c777

SHA1
b5649576144d09fbb04bd616a9a1a78db1bad29b

SHA256
7c85f1b5724fa3fd960e3c2892b15546a007d70ad3cc57fd537399e1ce369de5

SHA512
b62dd33fa2dd791f3ad11c41528dae15ff51efedffa769245fe5ee8498dfcba4e5d4c90a117c2cb4b89269c868261206ec44d192a42dae723c51084fc5a3b031

Download Submit
C:\Users\Admin\AppData\Local\Temp\KMS_Suite\bin\Inject\$OEM$\$$\Setup\Scripts\run.bat

Filesize
136KB

MD5
53cb484e0b83961bdbf49435d8ece712

SHA1
5ef9d58a676eaf640e278c6482f782df5c1e5367

SHA256
9e9950ddf841b475bc81d4bcf7b621a07269c433361ecf5d8c2a959414f6fe04

SHA512
4fa8feb0aa516aef89ac6b1e543cfe6cade7d6aa07c044b90a646cfaabac7d82c100b6164b63253ba09f544b8ed18605b12be5942d0ad58dc2a42c995bd41a19

Download Submit
C:\Users\Admin\AppData\Local\Temp\KMS_Suite\bin\Inject\bin\A64.dll

Filesize
21KB

MD5
9d1554f10bf9eebc408a84400c75e6c0

SHA1
134d39e422f15922feae4081a6faeb2fc8b82be8

SHA256
9e25370c8cd4949689d33f9c67f65ea77349e2999a45bc9e5df33f5005ec1409

SHA512
727b332c6b2357f507db784f3cbdac945fa333ed1caaff7833271fdb82984673b4e46ac09071397ccddb75f1563f8c3374e86388ff70555893df3831a2f35a7d

Download Submit
C:\Users\Admin\AppData\Local\Temp\KMS_Suite\bin\Inject\bin\KMS.xml

Filesize
3KB

MD5
672791216f102bdb76fb550adb0ea923

SHA1
e5fa7406143f7bb9aa28de777e62465ae55975bb

SHA256
0cb32bea8fc9ef6150e071049497b51750b8f4cb13cf83adac1f1357560f751a

SHA512
9801da8df68dad6f40e63c02b481463cb1b59e2d57f183b17e7168cbb96eafb95c98c226e196ba379b6cbde6bce911cecd8511ac40af76f5b35f705866f824b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\KMS_Suite\bin\Inject\bin\cleanosppx64.exe

Filesize
19KB

MD5
162ab955cb2f002a73c1530aa796477f

SHA1
d30a0e4e5911d3ca705617d17225372731c770e2

SHA256
5ce462e5f34065fc878362ba58617fab28c22d631b9d836dddcf43fb1ad4de6e

SHA512
e0288dcf78092449d9cbaef4488041131925387c1aedc9e9512da0f66efe2fb68350ca3937f6715834e62e7c931c5dad0fc8bc3c6c0c3daedeff356d6feaac2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\KMS_Suite\bin\Inject\bin\cleanosppx86.exe

Filesize
17KB

MD5
5fd363d52d04ac200cd24f3bcc903200

SHA1
39ed8659e7ca16aaccb86def94ce6cec4c847dd6

SHA256
3fdefe2ad092a9a7fe0edf0ac4dc2de7e5b9ce6a0804f6511c06564194966cf9

SHA512
f8ea73b0cb0a90fac6032a54028c60119022173334e68db3fbd63fe173032dd3fc3b438678064edb8c63d4eceaa72990ce039819df3d547d7d7627ad2eee36b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\KMS_Suite\bin\Inject\bin\x64.dll

Filesize
20KB

MD5
a8f669ab8fad00bd193a82b8f62e7660

SHA1
1925f6f7b904d0289da8cdc55e84875f7739b0b1

SHA256
bcde6b7bbafa2b4eeb6c75f051b5949d27b49b4030e376a7838ba84e4e103daf

SHA512
1adaa8aaa55c7cf3d36435646aa8312cd62511edaa54f31160ef6ba4e8364f0a6cb9c0d9b96f796d777d0448b3a3fc8ae28ee213456c66dfeef046b40d57b897

Download Submit
C:\Users\Admin\AppData\Local\Temp\KMS_Suite\bin\Inject\bin\x86.dll

Filesize
16KB

MD5
fee7e8f5472041f6b2c0e5d8f8d0da45

SHA1
063eeee055d4646e91e15ac6a785bd9c7bcaa10b

SHA256
c43ccfcc2f7ab3e2d229da6b1fb9715cc707991835108518cb0aa9a667ea15cc

SHA512
c535d5a68b99e9a8ea5b937d382a2827b99b37edaf55bd6af4e6196242575a4102ff2f14297ae6be875477df5a7f9997f3c3d00821fe8ea94d5bef08a157f8b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\KMS_Suite\bin\center.exe

Filesize
72KB

MD5
0a847eafddc4529388e1a1b291354cf8

SHA1
adddd1b79c64c7c1d0d440df847be31ee94e664d

SHA256
69533d9b66b840b4764f901cd6a502d12453b604617a841f4c2c602fc87df255

SHA512
7b3ddb5be55367fc5fcfaa99f9a3b7f0888234c82146f3af6b012ff1feacf8b087cf53cce3e57492417a8e88657a045d948fedc07645e5a018604c158bd15710

Download Submit
C:\Users\Admin\AppData\Local\Temp\KMS_Suite\bin\disableX.ps1

Filesize
1KB

MD5
522c0e01b280581a62954cf1e7971eaa

SHA1
4b8a66cd6839d05a3bd2732124a4441797940075

SHA256
2d2e271131e130688218b369cada1444807a0a65120df942a98e7887bdfe7201

SHA512
c9299b176f3279f1f37a9744d6361009daafe815a8e8b96e3d9dd0865ef9f938e3c33773fde3dac93f5d3cebc6b1d2952c02e0816a9b0ca5c8d0c6f19f3f1950

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES4358.tmp

Filesize
1KB

MD5
715c43df24fcdad81ac2b8aeb5f924b6

SHA1
73fed44741ca3e2dbc74000d9248c24868422323

SHA256
b667768d0f0013025d2ef3d56d0977f8ba10dd73e6efa949ef1116b64b74d53e

SHA512
de941584b8f8709401702420d3413714901d70a33d048a1224eaf1896ac2822d33f01c72281f892bb23b31c445de32c7f5270c6cf948444ae3dc7210190c4c20

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES55BF.tmp

Filesize
1KB

MD5
55c11204546c130b8501058dab745691

SHA1
32a965cf807fa325c75d1fa44a880a56ea585647

SHA256
ef44491a864bf763a7845f98af86e567c332ee14c54b27f5e52be0c1f1369f55

SHA512
8413ddbb7fb78eab602f26fc73675ef439882704bd17cb32f7b0c93a5e9f9e8ed394f66e2a421e90b79ca882d9dbef2966656ab21b1d12c76b53a096023bdb32

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESB4B0.tmp

Filesize
1KB

MD5
ba06c28a88a0c614c75fe7f6083bf260

SHA1
037d85017b23730227f548f74afce5dd64c2fe39

SHA256
9f572b3bdda0752056df0f8fe92adf82117d7deb34a9f174ee11c5c2583365a1

SHA512
ac3f2eb792cf60ca144d6ea6c6a288e6530d9cff3f90907ae6359b3a711dea69c6765e1f490d16c7c336efd1bcd80e0b37f708e85bbf941aef813b622ec0539a

Download Submit
C:\Users\Admin\AppData\Local\Temp\axikghny.dll

Filesize
4KB

MD5
a97ba2045e347c4c3301758084fa7f2d

SHA1
a4c5b769d8a59c9c04192f508296a337f0710455

SHA256
0af4a2276db5c8e0f7e6f1a49126ee5b5e34995df045fbb337b2efab6f40669e

SHA512
9fda71159a1389b1351c272a2b570ba064797438c9c49abe3a66656d164bfe33ff09946a48408b2ffa8a0c6274bc2e8418f2a96b2a7f7d6e9c8207ad4cdd8ca6

Download Submit
C:\Users\Admin\AppData\Local\Temp\axikghny.pdb

Filesize
11KB

MD5
da18f830194e9d4986248b7955596192

SHA1
44c5a5d48e9856e06e46fb985ade06646559177d

SHA256
894012b45c5d3a68046aa000cab38c4f37f15e435f216b28605c3bb4bd08d9de

SHA512
81e6653b07e11799d4c30bfda7f46cfbf88b6c81debbcbc59fed7c766455569fb335916f661cdec0e7c0d30b0ba27b99f6465d62d7fef4e23c8a09c98886414e

Download Submit
C:\Users\Admin\AppData\Local\Temp\vx-izxdz.dll

Filesize
4KB

MD5
2febc412dfca5d8f24e865cfa7d59267

SHA1
ea2036861d9471804df3f71cf0a47808ab0ae79e

SHA256
bde33954392859c37b5021878851a3964d46ef83a046dca1ed61f66004744909

SHA512
c767e10cad4b97c94bb3ac35a14fb6f129ccc9920bdf94c802df8d1b20364b77eb96f43121e59f0ee7c6077f49ffccef72378e4d85b7a945fc8566f3fc9efc11

Download Submit
C:\Users\Admin\AppData\Local\Temp\vx-izxdz.pdb

Filesize
11KB

MD5
09400f36c6d33b63491e58c174298321

SHA1
0ae12639666d7f4b8bac7852330e6ccdc56579fb

SHA256
89fc0d6028778a9c01d74698eefdb7f8518ef6d7467e4200473dc9ea44ad5cff

SHA512
56da41903697984ca05752514a2e4ff6012bb481be6a29a4355458294f442a7d337ae4fd557c99091dad02d713a29bd3b05c3c4270b8c01efa3c94ac530dbab5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
a7ba655e04bd1f3a1a7110401fb899c5

SHA1
20ebf3304c79639a21e50bb8015670feda536801

SHA256
ccf2aefa14d3698f60b9adf5b76512348e2408fcaef4785498e15580cbe93774

SHA512
223558dd6f9823b8227d911f52caaabc585e27788d3ac6607edc7150cbc5da325d65aef9af56e4ecbf8162818accd623529be6751d46aaccc29a4bc757716b86

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
9160d15e91eedff1653aac156f174fa8

SHA1
3b3e6ac920697e673e32cfe1c55368827fd7e755

SHA256
13c859cc869cd09afe1c9996b4aaacd159160d3ac40d2f17c0a1fef6e336e977

SHA512
a897967e5e8d700072762889e376ba56a84b7c8d9f0467240b38d969e850e1463f6d26bfb17edbce4413def81344d2b0b6ee2e20b2e7cc0e38fec9be77789ab8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
14e25703f0951105f63160e44d6913f2

SHA1
7ba522be819d030dd5ef396a32f6bde9985cac2e

SHA256
b53a0524a2a863b37fe1aeecd2bd09f3a63c0f65836696cf1873487a46c41731

SHA512
31959e46fa8ac3ee7e0d0c3c73c1b99a7489594375eb880764647bf07665f936620d8b43c12b922c8cb0f05c311b6d1d7b11b086fe9a84ff631b7ac153da3000

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\93agv9y-.0.cs

Filesize
521B

MD5
047f0cf592670e8fca358f12e4cd5a89

SHA1
0cd8cdde668e7e64adb49e388e75e1136429e5f6

SHA256
32e77d9085ad9ea0fd1eb5a9556e29cb42f5d3016ccf9853f3c39d358f479978

SHA512
368b22e424520c272195d3264123fceb2dba549574ff7282c210ffb6d9e8f574b7392f199304f2adef974d4d926fbccb1ce50fbd8ad4e89f05cec58635357cc8

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\93agv9y-.cmdline

Filesize
309B

MD5
da0869258f394374e5771d84c7a69a21

SHA1
7c160f9f9b947c8ede0b245afc6ff129923143ad

SHA256
46d210c058e3ef0d2890df8c03cec2ce11ec7d2676b03c3b05db678ba3cabcb6

SHA512
3ef974ba894b8e8647716d841882fa814825d15865c45831b6ab4ea77d7e4b9597232a7f39dd3ae172f6e3c26412c85af13900607a4591059eb92a730ec86fd0

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC4357.tmp

Filesize
652B

MD5
92865759020c2fac01a07d291e72699e

SHA1
16b751be26d3eba8438e79fb999b726497f1290a

SHA256
37568116b9bf25925922f9a055c02ae13befa1a037dda7cc56653b054519ae3a

SHA512
5fb2f63e1e7ca69fde5121257ad3ce365aef6e7198d74028ca023996afb75970e314c2f58f047ceed8906101de73c2b40ec6adf7759d72bb8592909976a28080

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC55BE.tmp

Filesize
652B

MD5
a4b44d65d4a94e74b0d3165bfa74c8b1

SHA1
c07708f6c22376e0203f5eb8fb19997a5776c27b

SHA256
1852c88be62a29afc6304d0f9234269eba155f56e6b9267c2feda7eab56ac627

SHA512
93ef7aea38a250b2cdbd8e760a49bac56ebcba5a34d89f452c4df9f41daf8793d1503904d8164376e3f2861fe574be33d10b7d22b7f2d54cdf17c1c47912da59

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSCB4AF.tmp

Filesize
652B

MD5
14a856e968c0ffdf9e3c1da2e083dbbd

SHA1
26c14b8feeddc5078f854195abad00837f44984d

SHA256
53e7efcf2f25db979060fd2419fe2c38d953adc3884dcfeebc0a1e16f6f58942

SHA512
2e6623b5e00cc8d485f4f6397a590a92e828f8459f052d945b975e45e4fc8ff3cb5ce8e7f9ecb0399e5c5e7817c291b1e6a097e70b09005713914bf67603a352

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\axikghny.cmdline

Filesize
309B

MD5
704cda06a42683514af4d63414bd7ae5

SHA1
82c69fc92defe6bf9ec121dff6c3246124195635

SHA256
831915a47c320c51d106638aa86c1da4634d88215f1624a14c76dfb9d55af47b

SHA512
5e02daeae4e7ef0fe8e86f909bb00ba1124870aafd73c77098001e35617b22a98416f7fe2e89d60eb9bb9a415792db06e46f9f6c69b5e47c9df77392035eef5a

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\vx-izxdz.0.cs

Filesize
1KB

MD5
810a30d3e12a7bb7b78a5ec70fec88ee

SHA1
921dc2985f892a800c2bb00e9166d232e78accf4

SHA256
86a49c1dfe76226db0daa8be63437e41d76c379f6c8a80d77930b771a6780487

SHA512
6792ef5c81b717b90f2bd211973d52be6ff2677915e76c2bb21b44610b5803852bac0d90df32faf9a50636c67ebc516abf3a2ca4a37ceb411133527740d5543a

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\vx-izxdz.cmdline

Filesize
309B

MD5
4f3a7e44e4eb35d6dd190d200cbef816

SHA1
3a6c29bdaee6eedd16c37c6e8f659d01759cd420

SHA256
95957400554d33f74a62108d268a02a1225c7bfb054c87e233c63df756146076

SHA512
b6005d2d558152053b110f06cb0b519c667fe62ff9946644c8399e5e6455a8944868079bae13945f491d0cdc73cce1e655aa52e1f060c5be44de2edf394d243f

Download Submit
memory/836-220-0x000007FEF5420000-0x000007FEF5DBD000-memory.dmp

Filesize
9.6MB

Download
memory/836-215-0x000007FEF5420000-0x000007FEF5DBD000-memory.dmp

Filesize
9.6MB

Download
memory/836-216-0x0000000002680000-0x0000000002700000-memory.dmp

Filesize
512KB

Download
memory/836-217-0x000007FEF5420000-0x000007FEF5DBD000-memory.dmp

Filesize
9.6MB

Download
memory/836-218-0x0000000002680000-0x0000000002700000-memory.dmp

Filesize
512KB

Download
memory/836-219-0x0000000002680000-0x0000000002700000-memory.dmp

Filesize
512KB

Download
memory/1656-260-0x0000000002A10000-0x0000000002A90000-memory.dmp

Filesize
512KB

Download
memory/1656-255-0x000007FEF5420000-0x000007FEF5DBD000-memory.dmp

Filesize
9.6MB

Download
memory/1656-261-0x000007FEF5420000-0x000007FEF5DBD000-memory.dmp

Filesize
9.6MB

Download
memory/1656-259-0x000007FEF5420000-0x000007FEF5DBD000-memory.dmp

Filesize
9.6MB

Download
memory/1656-258-0x0000000002A10000-0x0000000002A90000-memory.dmp

Filesize
512KB

Download
memory/1656-257-0x0000000002A10000-0x0000000002A90000-memory.dmp

Filesize
512KB

Download
memory/1656-256-0x0000000002A10000-0x0000000002A90000-memory.dmp

Filesize
512KB

Download
memory/1944-171-0x000000001B2C0000-0x000000001B5A2000-memory.dmp

Filesize
2.9MB

Download
memory/1944-193-0x0000000002880000-0x0000000002888000-memory.dmp

Filesize
32KB

Download
memory/1944-196-0x000007FEF5420000-0x000007FEF5DBD000-memory.dmp

Filesize
9.6MB

Download
memory/1944-177-0x00000000026D0000-0x0000000002750000-memory.dmp

Filesize
512KB

Download
memory/1944-175-0x000007FEF5420000-0x000007FEF5DBD000-memory.dmp

Filesize
9.6MB

Download
memory/1944-174-0x00000000026D0000-0x0000000002750000-memory.dmp

Filesize
512KB

Download
memory/1944-173-0x000007FEF5420000-0x000007FEF5DBD000-memory.dmp

Filesize
9.6MB

Download
memory/1944-172-0x0000000001ED0000-0x0000000001ED8000-memory.dmp

Filesize
32KB

Download
memory/1944-179-0x00000000026D0000-0x0000000002750000-memory.dmp

Filesize
512KB

Download
memory/1944-176-0x00000000026D0000-0x0000000002750000-memory.dmp

Filesize
512KB

Download
memory/2060-285-0x0000000002200000-0x0000000002280000-memory.dmp

Filesize
512KB

Download
memory/2060-282-0x0000000002200000-0x0000000002280000-memory.dmp

Filesize
512KB

Download
memory/2060-281-0x000007FEF5A90000-0x000007FEF642D000-memory.dmp

Filesize
9.6MB

Download
memory/2060-280-0x0000000002390000-0x0000000002398000-memory.dmp

Filesize
32KB

Download
memory/2060-283-0x000007FEF5A90000-0x000007FEF642D000-memory.dmp

Filesize
9.6MB

Download
memory/2060-284-0x0000000002200000-0x0000000002280000-memory.dmp

Filesize
512KB

Download
memory/2060-286-0x0000000002200000-0x0000000002280000-memory.dmp

Filesize
512KB

Download
memory/2060-287-0x000007FEF5A90000-0x000007FEF642D000-memory.dmp

Filesize
9.6MB

Download
memory/2088-205-0x000007FEF5DC0000-0x000007FEF675D000-memory.dmp

Filesize
9.6MB

Download
memory/2088-203-0x000007FEF5DC0000-0x000007FEF675D000-memory.dmp

Filesize
9.6MB

Download
memory/2088-204-0x00000000028F0000-0x0000000002970000-memory.dmp

Filesize
512KB

Download
memory/2088-207-0x000007FEF5DC0000-0x000007FEF675D000-memory.dmp

Filesize
9.6MB

Download
memory/2088-206-0x00000000028F0000-0x0000000002970000-memory.dmp

Filesize
512KB

Download
memory/2100-296-0x000007FEF50F0000-0x000007FEF5A8D000-memory.dmp

Filesize
9.6MB

Download
memory/2100-295-0x0000000002500000-0x0000000002580000-memory.dmp

Filesize
512KB

Download
memory/2100-294-0x000007FEF50F0000-0x000007FEF5A8D000-memory.dmp

Filesize
9.6MB

Download
memory/2100-293-0x0000000002220000-0x0000000002228000-memory.dmp

Filesize
32KB

Download
memory/2100-297-0x0000000002500000-0x0000000002580000-memory.dmp

Filesize
512KB

Download
memory/2448-228-0x0000000002A70000-0x0000000002AF0000-memory.dmp

Filesize
512KB

Download
memory/2448-231-0x0000000002A70000-0x0000000002AF0000-memory.dmp

Filesize
512KB

Download
memory/2448-232-0x000007FEF5DC0000-0x000007FEF675D000-memory.dmp

Filesize
9.6MB

Download
memory/2448-227-0x000007FEF5DC0000-0x000007FEF675D000-memory.dmp

Filesize
9.6MB

Download
memory/2448-230-0x0000000002A70000-0x0000000002AF0000-memory.dmp

Filesize
512KB

Download
memory/2448-229-0x000007FEF5DC0000-0x000007FEF675D000-memory.dmp

Filesize
9.6MB

Download
memory/2524-269-0x000007FEF5DC0000-0x000007FEF675D000-memory.dmp

Filesize
9.6MB

Download
memory/2524-270-0x0000000002AD0000-0x0000000002B50000-memory.dmp

Filesize
512KB

Download
memory/2524-273-0x000007FEF5DC0000-0x000007FEF675D000-memory.dmp

Filesize
9.6MB

Download
memory/2524-267-0x000007FEF5DC0000-0x000007FEF675D000-memory.dmp

Filesize
9.6MB

Download
memory/2524-272-0x0000000002AD0000-0x0000000002B50000-memory.dmp

Filesize
512KB

Download
memory/2524-271-0x0000000002AD0000-0x0000000002B50000-memory.dmp

Filesize
512KB

Download
memory/2524-268-0x0000000002AD0000-0x0000000002B50000-memory.dmp

Filesize
512KB

Download
memory/2728-4-0x000000001B420000-0x000000001B702000-memory.dmp

Filesize
2.9MB

Download
memory/2728-11-0x00000000026A0000-0x0000000002720000-memory.dmp

Filesize
512KB

Download
memory/2728-10-0x00000000026A0000-0x0000000002720000-memory.dmp

Filesize
512KB

Download
memory/2728-88-0x000007FEF5DC0000-0x000007FEF675D000-memory.dmp

Filesize
9.6MB

Download
memory/2728-25-0x0000000002400000-0x0000000002408000-memory.dmp

Filesize
32KB

Download
memory/2728-9-0x00000000026A0000-0x0000000002720000-memory.dmp

Filesize
512KB

Download
memory/2728-8-0x000007FEF5DC0000-0x000007FEF675D000-memory.dmp

Filesize
9.6MB

Download
memory/2728-7-0x00000000026A0000-0x0000000002720000-memory.dmp

Filesize
512KB

Download
memory/2728-6-0x000007FEF5DC0000-0x000007FEF675D000-memory.dmp

Filesize
9.6MB

Download
memory/2728-5-0x0000000001ED0000-0x0000000001ED8000-memory.dmp

Filesize
32KB

Download