hxxps://mega[.]nz/file/ljInCYKL#2vj1_USfuvEoPc7Gny1Q5OzYr8tKAuOpLhxz7E0x02A

Analysis

max time kernel
147s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
02/10/2022, 16:32

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

https://mega.nz/file/ljInCYKL#2vj1_USfuvEoPc7Gny1Q5OzYr8tKAuOpLhxz7E0x02A

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
3344	center.exe
3040	DisableX.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	WScript.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\ReadMe.txt	chrome.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\KMS_Suite.v9.3.EN.bat	chrome.exe

Drops file in Windows directory 32 IoCs

description	ioc	Process
File created	C:\Windows\KMS\bin\A64.dll	xcopy.exe
File opened for modification	C:\Windows\KMS\bin\A64.dll	xcopy.exe
File opened for modification	C:\Windows\KMS\bin\KMS.xml	xcopy.exe
File created	C:\Windows\KMS\bin\x64.dll	xcopy.exe
File created	C:\Windows\KMS\bin\x86.dll	xcopy.exe
File opened for modification	C:\Windows\KMS\bin\x64.dll	xcopy.exe
File opened for modification	C:\Windows\KMS\bin\A64.dll	xcopy.exe
File created	C:\Windows\KMS\bin\cleanosppx64.exe	xcopy.exe
File created	C:\Windows\KMS\bin\cleanosppx86.exe	xcopy.exe
File opened for modification	C:\Windows\KMS\bin\cleanosppx86.exe	xcopy.exe
File created	C:\Windows\KMS\bin\KMS.xml	xcopy.exe
File opened for modification	C:\Windows\KMS\bin\cleanosppx86.exe	xcopy.exe
File created	C:\Windows\KMS\bin\cleanosppx64.exe	xcopy.exe
File opened for modification	C:\Windows\LOGS\DPX\setuperr.log	expand.exe
File opened for modification	C:\Windows\LOGS\DPX\setupact.log	expand.exe
File opened for modification	C:\Windows\KMS\bin	xcopy.exe
File opened for modification	C:\Windows\LOGS\DPX\setupact.log	expand.exe
File opened for modification	C:\Windows\LOGS\DPX\setuperr.log	expand.exe
File created	C:\Windows\KMS\bin\A64.dll	xcopy.exe
File opened for modification	C:\Windows\KMS\bin\x86.dll	xcopy.exe
File created	C:\Windows\KMS\KMSInject.bat	cmd.exe
File opened for modification	C:\Windows\KMS\bin\cleanosppx64.exe	xcopy.exe
File created	C:\Windows\KMS\bin\cleanosppx86.exe	xcopy.exe
File opened for modification	C:\Windows\KMS\bin\KMS.xml	xcopy.exe
File opened for modification	C:\Windows\KMS\bin	xcopy.exe
File opened for modification	C:\Windows\KMS\bin\cleanosppx64.exe	xcopy.exe
File created	C:\Windows\KMS\bin\x64.dll	xcopy.exe
File opened for modification	C:\Windows\KMS\bin\x64.dll	xcopy.exe
File created	C:\Windows\KMS\bin\x86.dll	xcopy.exe
File created	C:\Windows\KMS\bin\KMS.xml	xcopy.exe
File opened for modification	C:\Windows\KMS\KMSInject.bat	cmd.exe
File opened for modification	C:\Windows\KMS\bin\x86.dll	xcopy.exe

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
4608	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
824	schtasks.exe
4256	schtasks.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	cmd.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 49 IoCs

pid	Process
4180	chrome.exe
4180	chrome.exe
4092	chrome.exe
4092	chrome.exe
2544	chrome.exe
2544	chrome.exe
4020	chrome.exe
4020	chrome.exe
4316	chrome.exe
4316	chrome.exe
3692	chrome.exe
3692	chrome.exe
516	chrome.exe
516	chrome.exe
5012	chrome.exe
5012	chrome.exe
4188	chrome.exe
4188	chrome.exe
4428	powershell.exe
4428	powershell.exe
4428	powershell.exe
3116	powershell.exe
3116	powershell.exe
3116	powershell.exe
404	powershell.exe
404	powershell.exe
404	powershell.exe
3400	powershell.exe
3400	powershell.exe
3400	powershell.exe
2620	powershell.exe
2620	powershell.exe
2620	powershell.exe
2316	chrome.exe
2316	chrome.exe
2316	chrome.exe
2316	chrome.exe
4856	powershell.exe
4856	powershell.exe
4856	powershell.exe
1840	powershell.exe
1840	powershell.exe
1840	powershell.exe
2772	powershell.exe
2772	powershell.exe
2772	powershell.exe
848	powershell.exe
848	powershell.exe
848	powershell.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
4092	chrome.exe
4092	chrome.exe
4092	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: 33	3604	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	3604	AUDIODG.EXE
Token: SeRestorePrivilege	3908	7zG.exe
Token: 35	3908	7zG.exe
Token: SeSecurityPrivilege	3908	7zG.exe
Token: SeRestorePrivilege	1308	7zG.exe
Token: 35	1308	7zG.exe
Token: SeSecurityPrivilege	1308	7zG.exe
Token: SeSecurityPrivilege	1308	7zG.exe
Token: SeDebugPrivilege	4428	powershell.exe
Token: SeDebugPrivilege	3116	powershell.exe
Token: SeDebugPrivilege	404	powershell.exe
Token: SeDebugPrivilege	3400	powershell.exe
Token: SeDebugPrivilege	2620	powershell.exe
Token: SeDebugPrivilege	4856	powershell.exe
Token: SeDebugPrivilege	1840	powershell.exe
Token: SeDebugPrivilege	2772	powershell.exe
Token: SeDebugPrivilege	848	powershell.exe
Token: SeIncreaseQuotaPrivilege	4432	WMIC.exe
Token: SeSecurityPrivilege	4432	WMIC.exe
Token: SeTakeOwnershipPrivilege	4432	WMIC.exe
Token: SeLoadDriverPrivilege	4432	WMIC.exe
Token: SeSystemProfilePrivilege	4432	WMIC.exe
Token: SeSystemtimePrivilege	4432	WMIC.exe
Token: SeProfSingleProcessPrivilege	4432	WMIC.exe
Token: SeIncBasePriorityPrivilege	4432	WMIC.exe
Token: SeCreatePagefilePrivilege	4432	WMIC.exe
Token: SeBackupPrivilege	4432	WMIC.exe
Token: SeRestorePrivilege	4432	WMIC.exe
Token: SeShutdownPrivilege	4432	WMIC.exe
Token: SeDebugPrivilege	4432	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4432	WMIC.exe
Token: SeRemoteShutdownPrivilege	4432	WMIC.exe
Token: SeUndockPrivilege	4432	WMIC.exe
Token: SeManageVolumePrivilege	4432	WMIC.exe
Token: 33	4432	WMIC.exe
Token: 34	4432	WMIC.exe
Token: 35	4432	WMIC.exe
Token: 36	4432	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4432	WMIC.exe
Token: SeSecurityPrivilege	4432	WMIC.exe
Token: SeTakeOwnershipPrivilege	4432	WMIC.exe
Token: SeLoadDriverPrivilege	4432	WMIC.exe
Token: SeSystemProfilePrivilege	4432	WMIC.exe
Token: SeSystemtimePrivilege	4432	WMIC.exe
Token: SeProfSingleProcessPrivilege	4432	WMIC.exe
Token: SeIncBasePriorityPrivilege	4432	WMIC.exe
Token: SeCreatePagefilePrivilege	4432	WMIC.exe
Token: SeBackupPrivilege	4432	WMIC.exe
Token: SeRestorePrivilege	4432	WMIC.exe
Token: SeShutdownPrivilege	4432	WMIC.exe
Token: SeDebugPrivilege	4432	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4432	WMIC.exe
Token: SeRemoteShutdownPrivilege	4432	WMIC.exe
Token: SeUndockPrivilege	4432	WMIC.exe
Token: SeManageVolumePrivilege	4432	WMIC.exe
Token: 33	4432	WMIC.exe
Token: 34	4432	WMIC.exe
Token: 35	4432	WMIC.exe
Token: 36	4432	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4264	WMIC.exe
Token: SeSecurityPrivilege	4264	WMIC.exe
Token: SeTakeOwnershipPrivilege	4264	WMIC.exe
Token: SeLoadDriverPrivilege	4264	WMIC.exe

Suspicious use of FindShellTrayWindow 36 IoCs

pid	Process
4092	chrome.exe
4092	chrome.exe
4092	chrome.exe
4092	chrome.exe
4092	chrome.exe
4092	chrome.exe
4092	chrome.exe
4092	chrome.exe
4092	chrome.exe
4092	chrome.exe
4092	chrome.exe
4092	chrome.exe
4092	chrome.exe
4092	chrome.exe
4092	chrome.exe
4092	chrome.exe
4092	chrome.exe
4092	chrome.exe
4092	chrome.exe
4092	chrome.exe
4092	chrome.exe
4092	chrome.exe
4092	chrome.exe
4092	chrome.exe
4092	chrome.exe
4092	chrome.exe
4092	chrome.exe
4092	chrome.exe
4092	chrome.exe
4092	chrome.exe
4092	chrome.exe
4092	chrome.exe
4092	chrome.exe
4092	chrome.exe
3908	7zG.exe
1308	7zG.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4092	chrome.exe
4092	chrome.exe
4092	chrome.exe
4092	chrome.exe
4092	chrome.exe
4092	chrome.exe
4092	chrome.exe
4092	chrome.exe
4092	chrome.exe
4092	chrome.exe
4092	chrome.exe
4092	chrome.exe
4092	chrome.exe
4092	chrome.exe
4092	chrome.exe
4092	chrome.exe
4092	chrome.exe
4092	chrome.exe
4092	chrome.exe
4092	chrome.exe
4092	chrome.exe
4092	chrome.exe
4092	chrome.exe
4092	chrome.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3040	DisableX.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4092 wrote to memory of 4304	4092	chrome.exe	84
PID 4092 wrote to memory of 4304	4092	chrome.exe	84
PID 4092 wrote to memory of 856	4092	chrome.exe	87
PID 4092 wrote to memory of 856	4092	chrome.exe	87
PID 4092 wrote to memory of 856	4092	chrome.exe	87
PID 4092 wrote to memory of 856	4092	chrome.exe	87
PID 4092 wrote to memory of 856	4092	chrome.exe	87
PID 4092 wrote to memory of 856	4092	chrome.exe	87
PID 4092 wrote to memory of 856	4092	chrome.exe	87
PID 4092 wrote to memory of 856	4092	chrome.exe	87
PID 4092 wrote to memory of 856	4092	chrome.exe	87
PID 4092 wrote to memory of 856	4092	chrome.exe	87
PID 4092 wrote to memory of 856	4092	chrome.exe	87
PID 4092 wrote to memory of 856	4092	chrome.exe	87
PID 4092 wrote to memory of 856	4092	chrome.exe	87
PID 4092 wrote to memory of 856	4092	chrome.exe	87
PID 4092 wrote to memory of 856	4092	chrome.exe	87
PID 4092 wrote to memory of 856	4092	chrome.exe	87
PID 4092 wrote to memory of 856	4092	chrome.exe	87
PID 4092 wrote to memory of 856	4092	chrome.exe	87
PID 4092 wrote to memory of 856	4092	chrome.exe	87
PID 4092 wrote to memory of 856	4092	chrome.exe	87
PID 4092 wrote to memory of 856	4092	chrome.exe	87
PID 4092 wrote to memory of 856	4092	chrome.exe	87
PID 4092 wrote to memory of 856	4092	chrome.exe	87
PID 4092 wrote to memory of 856	4092	chrome.exe	87
PID 4092 wrote to memory of 856	4092	chrome.exe	87
PID 4092 wrote to memory of 856	4092	chrome.exe	87
PID 4092 wrote to memory of 856	4092	chrome.exe	87
PID 4092 wrote to memory of 856	4092	chrome.exe	87
PID 4092 wrote to memory of 856	4092	chrome.exe	87
PID 4092 wrote to memory of 856	4092	chrome.exe	87
PID 4092 wrote to memory of 856	4092	chrome.exe	87
PID 4092 wrote to memory of 856	4092	chrome.exe	87
PID 4092 wrote to memory of 856	4092	chrome.exe	87
PID 4092 wrote to memory of 856	4092	chrome.exe	87
PID 4092 wrote to memory of 856	4092	chrome.exe	87
PID 4092 wrote to memory of 856	4092	chrome.exe	87
PID 4092 wrote to memory of 856	4092	chrome.exe	87
PID 4092 wrote to memory of 856	4092	chrome.exe	87
PID 4092 wrote to memory of 856	4092	chrome.exe	87
PID 4092 wrote to memory of 856	4092	chrome.exe	87
PID 4092 wrote to memory of 4180	4092	chrome.exe	88
PID 4092 wrote to memory of 4180	4092	chrome.exe	88
PID 4092 wrote to memory of 3752	4092	chrome.exe	90
PID 4092 wrote to memory of 3752	4092	chrome.exe	90
PID 4092 wrote to memory of 3752	4092	chrome.exe	90
PID 4092 wrote to memory of 3752	4092	chrome.exe	90
PID 4092 wrote to memory of 3752	4092	chrome.exe	90
PID 4092 wrote to memory of 3752	4092	chrome.exe	90
PID 4092 wrote to memory of 3752	4092	chrome.exe	90
PID 4092 wrote to memory of 3752	4092	chrome.exe	90
PID 4092 wrote to memory of 3752	4092	chrome.exe	90
PID 4092 wrote to memory of 3752	4092	chrome.exe	90
PID 4092 wrote to memory of 3752	4092	chrome.exe	90
PID 4092 wrote to memory of 3752	4092	chrome.exe	90
PID 4092 wrote to memory of 3752	4092	chrome.exe	90
PID 4092 wrote to memory of 3752	4092	chrome.exe	90
PID 4092 wrote to memory of 3752	4092	chrome.exe	90
PID 4092 wrote to memory of 3752	4092	chrome.exe	90
PID 4092 wrote to memory of 3752	4092	chrome.exe	90
PID 4092 wrote to memory of 3752	4092	chrome.exe	90
PID 4092 wrote to memory of 3752	4092	chrome.exe	90
PID 4092 wrote to memory of 3752	4092	chrome.exe	90

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" https://mega.nz/file/ljInCYKL#2vj1_USfuvEoPc7Gny1Q5OzYr8tKAuOpLhxz7E0x02A
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4092
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8f9d04f50,0x7ff8f9d04f60,0x7ff8f9d04f70
  2⤵
  PID:4304
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1628,14478426044835936439,790928065434049037,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1668 /prefetch:2
  2⤵
  PID:856
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1628,14478426044835936439,790928065434049037,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=2028 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4180
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1628,14478426044835936439,790928065434049037,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2400 /prefetch:8
  2⤵
  PID:3752
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1628,14478426044835936439,790928065434049037,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3040 /prefetch:1
  2⤵
  PID:5088
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1628,14478426044835936439,790928065434049037,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3048 /prefetch:1
  2⤵
  PID:5040
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1628,14478426044835936439,790928065434049037,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4320 /prefetch:8
  2⤵
  PID:2156
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1628,14478426044835936439,790928065434049037,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5204 /prefetch:8
  2⤵
  PID:3524
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1628,14478426044835936439,790928065434049037,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5248 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4020
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1628,14478426044835936439,790928065434049037,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5276 /prefetch:8
  2⤵
  PID:2352
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1628,14478426044835936439,790928065434049037,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5284 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2544
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1628,14478426044835936439,790928065434049037,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4640 /prefetch:8
  2⤵
  PID:1248
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1628,14478426044835936439,790928065434049037,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4800 /prefetch:8
  2⤵
  PID:2004
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1628,14478426044835936439,790928065434049037,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5276 /prefetch:1
  2⤵
  PID:4756
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1628,14478426044835936439,790928065434049037,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5404 /prefetch:8
  2⤵
  PID:4996
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1628,14478426044835936439,790928065434049037,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5624 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4316
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.FileUtilService --field-trial-handle=1628,14478426044835936439,790928065434049037,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3640 /prefetch:8
  2⤵
  - Drops file in Program Files directory
  PID:800
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1628,14478426044835936439,790928065434049037,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1612 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3692
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1628,14478426044835936439,790928065434049037,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1596 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:516
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1628,14478426044835936439,790928065434049037,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5216 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5012
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1628,14478426044835936439,790928065434049037,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=960 /prefetch:8
  2⤵
  PID:3944
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1628,14478426044835936439,790928065434049037,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5912 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4188
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1628,14478426044835936439,790928065434049037,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=900 /prefetch:8
  2⤵
  PID:4756
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1628,14478426044835936439,790928065434049037,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2672 /prefetch:8
  2⤵
  PID:1564
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1628,14478426044835936439,790928065434049037,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=2836 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2316

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3604

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x324 0x2ec
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3604

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3020

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\KMS-2038 & Digital & Online Activation Suite 9.3\" -ad -an -ai#7zMap23513:158:7zEvent11571
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3908

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\KMS-2038 & Digital & Online Activation Suite 9.3\" -spe -an -ai#7zMap3950:158:7zEvent5012
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1308

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\KMS-2038 & Digital & Online Activation Suite 9.3\KMS_Suite.v9.3.EN.bat" "
1⤵
PID:4508
- C:\Windows\system32\net.exe
  net session
  2⤵
  PID:3960
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 session
    3⤵
    PID:2280
- C:\Windows\system32\mode.com
  mode con cols=78 lines=6
  2⤵
  PID:4256
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -nop -c $f=[IO.File]::ReadAllText($env:0)-split':KMSSuite\:.*';iex($f[1]); X(1)
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4428
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\md4u0kvm\md4u0kvm.cmdline"
    3⤵
    PID:1456
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESECD1.tmp" "c:\Users\Admin\AppData\Local\Temp\md4u0kvm\CSC35584BC575AD462D97E6C638CE23EF8.TMP"
      4⤵
      PID:4948
- - C:\Windows\system32\expand.exe
    "C:\Windows\system32\expand.exe" -R 1 -F:* .
    3⤵
    - Drops file in Windows directory
    PID:3892
- C:\Windows\system32\xcopy.exe
  xcopy /s /h KMS_Suite 25860
  2⤵
  PID:4992
- C:\Windows\system32\cmd.exe
  cmd.exe /c KMS_Suite.bat
  2⤵
  - Checks computer location settings
  - Drops file in Windows directory
  - Modifies registry class
  PID:2820
- - C:\Windows\system32\reg.exe
    REG QUERY HKU\S-1-5-19\Environment
    3⤵
    PID:1732
- - C:\Windows\system32\mode.com
    mode con: cols=90 lines=40
    3⤵
    PID:1956
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -noprofile "$W=(get-host).ui.rawui; $B=$W.buffersize; $B.height=90; $W.buffersize=$B"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3116
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "prompt #$H#$E# & echo on & for %b in (1) do rem"
    3⤵
    PID:2604
- - C:\Windows\system32\mode.com
    mode con cols=92 lines=35
    3⤵
    PID:4336
- - C:\Users\Admin\AppData\Local\Temp\25860\bin\center.exe
    center.exe kF5nJ4D92hfOpc8
    3⤵
    - Executes dropped EXE
    PID:3344
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\25860\bin\DisableX.vbs"
    3⤵
    - Checks computer location settings
    PID:3020
  - - C:\Users\Admin\AppData\Local\Temp\25860\bin\DisableX.exe
      "C:\Users\Admin\AppData\Local\Temp\25860\bin\DisableX.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:3040
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v ProductName 2>nul
    3⤵
    PID:5068
  - - C:\Windows\system32\reg.exe
      reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v ProductName
      4⤵
      PID:2008
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c powershell -nop -c "(([WMISEARCHER]'Select Version from Win32_OperatingSystem').Get()).Version"
    3⤵
    PID:368
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -nop -c "(([WMISEARCHER]'Select Version from Win32_OperatingSystem').Get()).Version"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:404
- - C:\Windows\system32\mode.com
    mode con cols=92 lines=35
    3⤵
    PID:380
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c time /t
    3⤵
    PID:2884
- - C:\Windows\system32\findstr.exe
    findstr /v /a:78 /R "^$" " KMS & KMS 2038 & Digital & Online Activation Suite v9.3 - mephistooo2 - www.TNCTR.com" nul
    3⤵
    PID:1468
- - C:\Windows\system32\findstr.exe
    findstr /v /a:6 /R "^$" " SUPPORT MICROSOFT PRUDUCTS" nul
    3⤵
    PID:4720
- - C:\Windows\system32\findstr.exe
    findstr /v /a:6 /R "^$" " [1] ACTIVATION START FOR WINDOWS & OFFICE (KMS Inject Method)" nul
    3⤵
    PID:4452
- - C:\Windows\system32\findstr.exe
    findstr /v /a:9 /R "^$" " [2] ACTIVATION START FOR WINDOWS 10-11 (Digital & KMS 2038 Activation Method)" nul
    3⤵
    PID:4264
- - C:\Windows\system32\findstr.exe
    findstr /v /a:2 /R "^$" " [3] ACTIVATION START FOR WINDOWS & OFFICE (Online Activation Method)" nul
    3⤵
    PID:4256
- - C:\Windows\system32\findstr.exe
    findstr /v /a:7 /R "^$" " [4] WINDOWS & OFFICE ACTIVATION STATUS CHECK" nul
    3⤵
    PID:1560
- - C:\Windows\system32\findstr.exe
    findstr /v /a:3 /R "^$" " [5] KMS & KMS 2038 & DIJITAL & ONLINE ACTIVATION VISIT WEBSITE" nul
    3⤵
    PID:3344
- - C:\Windows\system32\findstr.exe
    findstr /v /a:4 /R "^$" " [6] EXIT" nul
    3⤵
    PID:4208
- - C:\Windows\system32\choice.exe
    choice /C:123456 /N /M "YOUR CHOICE :"
    3⤵
    PID:2404
- - C:\Windows\system32\reg.exe
    REG QUERY HKU\S-1-5-19\Environment
    3⤵
    PID:2272
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v ProductName 2>nul
    3⤵
    PID:2168
  - - C:\Windows\system32\reg.exe
      reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v ProductName
      4⤵
      PID:4216
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c powershell -nop -c "(([WMISEARCHER]'Select Version from Win32_OperatingSystem').Get()).Version"
    3⤵
    PID:3908
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -nop -c "(([WMISEARCHER]'Select Version from Win32_OperatingSystem').Get()).Version"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3400
- - C:\Windows\system32\mode.com
    mode con:cols=84 lines=42
    3⤵
    PID:4432
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c time /t
    3⤵
    PID:4316
- - C:\Windows\system32\choice.exe
    choice /C:12345678 /N /M "YOUR CHOICE : "
    3⤵
    PID:3140
- - C:\Windows\system32\xcopy.exe
    xcopy /cryi bin\* C:\Windows\KMS\bin
    3⤵
    - Drops file in Windows directory
    PID:2604
- - C:\Windows\system32\schtasks.exe
    schtasks /create /tn "KMS_Activation" /xml "C:\Users\Admin\AppData\Local\Temp\25860\bin\Inject\bin\KMS.xml" /f
    3⤵
    - Creates scheduled task(s)
    PID:4256
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v ProductName 2>nul
    3⤵
    PID:1840
  - - C:\Windows\system32\reg.exe
      reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v ProductName
      4⤵
      PID:4084
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c powershell -nop -c "(([WMISEARCHER]'Select Version from Win32_OperatingSystem').Get()).Version"
    3⤵
    PID:3020
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -nop -c "(([WMISEARCHER]'Select Version from Win32_OperatingSystem').Get()).Version"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2620
- - C:\Windows\system32\mode.com
    mode con:cols=84 lines=42
    3⤵
    PID:2928
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c time /t
    3⤵
    PID:3556
- - C:\Windows\system32\choice.exe
    choice /C:12345678 /N /M "YOUR CHOICE : "
    3⤵
    PID:4056
- - C:\Windows\system32\schtasks.exe
    schtasks /delete /tn "KMS_Activation" /f
    3⤵
    PID:1328
- - C:\Windows\system32\cscript.exe
    cscript //nologo C:\Windows\System32\slmgr.vbs /ckms
    3⤵
    PID:1128
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v ProductName 2>nul
    3⤵
    PID:1572
  - - C:\Windows\system32\reg.exe
      reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v ProductName
      4⤵
      PID:3908
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c powershell -nop -c "(([WMISEARCHER]'Select Version from Win32_OperatingSystem').Get()).Version"
    3⤵
    PID:1732
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -nop -c "(([WMISEARCHER]'Select Version from Win32_OperatingSystem').Get()).Version"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4856
- - C:\Windows\system32\mode.com
    mode con:cols=84 lines=42
    3⤵
    PID:3968
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c time /t
    3⤵
    PID:1588
- - C:\Windows\system32\choice.exe
    choice /C:12345678 /N /M "YOUR CHOICE : "
    3⤵
    PID:1728
- - C:\Windows\system32\xcopy.exe
    xcopy /cryi bin\* C:\Windows\KMS\bin
    3⤵
    - Drops file in Windows directory
    PID:4992
- - C:\Windows\system32\schtasks.exe
    schtasks /create /tn "KMS_Activation" /xml "C:\Users\Admin\AppData\Local\Temp\25860\bin\Inject\bin\KMS.xml" /f
    3⤵
    - Creates scheduled task(s)
    PID:824
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v ProductName 2>nul
    3⤵
    PID:3988
  - - C:\Windows\system32\reg.exe
      reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v ProductName
      4⤵
      PID:1560
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c powershell -nop -c "(([WMISEARCHER]'Select Version from Win32_OperatingSystem').Get()).Version"
    3⤵
    PID:1864
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -nop -c "(([WMISEARCHER]'Select Version from Win32_OperatingSystem').Get()).Version"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1840
- - C:\Windows\system32\mode.com
    mode con:cols=84 lines=42
    3⤵
    PID:4560
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c time /t
    3⤵
    PID:3020
- - C:\Windows\system32\choice.exe
    choice /C:12345678 /N /M "YOUR CHOICE : "
    3⤵
    PID:1288
- - C:\Windows\system32\xcopy.exe
    xcopy $OEM$\* "C:"\$OEM$ /s /i /y
    3⤵
    PID:3176
- - C:\Windows\system32\xcopy.exe
    xcopy /cryi bin\* "C:"\$OEM$\$$\Setup\Scripts\bin\
    3⤵
    PID:4768
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\TEMPmessage.vbS"
    3⤵
    PID:3456
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v ProductName 2>nul
    3⤵
    PID:2404
  - - C:\Windows\system32\reg.exe
      reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v ProductName
      4⤵
      PID:2000
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c powershell -nop -c "(([WMISEARCHER]'Select Version from Win32_OperatingSystem').Get()).Version"
    3⤵
    PID:4652
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -nop -c "(([WMISEARCHER]'Select Version from Win32_OperatingSystem').Get()).Version"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2772
- - C:\Windows\system32\mode.com
    mode con:cols=84 lines=42
    3⤵
    PID:4536
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c time /t
    3⤵
    PID:2876
- - C:\Windows\system32\choice.exe
    choice /C:12345678 /N /M "YOUR CHOICE : "
    3⤵
    PID:796
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -nop -c $f=[IO.File]::ReadAllText($env:0)-split':bat2file\:.*';iex($f[1]); X(1)
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:848
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\3ynsgcpd\3ynsgcpd.cmdline"
      4⤵
      PID:3396
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE068.tmp" "c:\Users\Admin\AppData\Local\Temp\3ynsgcpd\CSC86124389E1984EF0A879F3355CA01B86.TMP"
        5⤵
        
        PID:3048
  - - C:\Windows\system32\expand.exe
      "C:\Windows\system32\expand.exe" -R 1 -F:* .
      4⤵
      Drops file in Windows directory
      PID:2884
- - C:\Windows\system32\mode.com
    mode con:cols=70 lines=55
    3⤵
    PID:380
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ver
    3⤵
    PID:4720
- - C:\Windows\System32\reg.exe
    reg query "HKCU\SOFTWARE\Microsoft\Windows Script Host\Settings" /v Enabled
    3⤵
    PID:4120
- - C:\Windows\System32\find.exe
    find /i "0x0"
    3⤵
    PID:3748
- - C:\Windows\System32\reg.exe
    reg query HKU\S-1-5-19
    3⤵
    PID:3948
- - C:\Windows\System32\reg.exe
    reg query "HKLM\SOFTWARE\Microsoft\Windows Script Host\Settings" /v Enabled
    3⤵
    PID:1808
- - C:\Windows\System32\find.exe
    find /i "0x0"
    3⤵
    PID:3960
- - C:\Windows\System32\sc.exe
    sc query osppsvc
    3⤵
    - Launches sc.exe
    PID:4608
- - C:\Windows\System32\net.exe
    net start sppsvc /y
    3⤵
    PID:1372
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 start sppsvc /y
      4⤵
      PID:684
- - C:\Windows\System32\findstr.exe
    findstr /i ID
    3⤵
    PID:3804
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path SoftwareLicensingProduct where (ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f' and PartialProductKey is not null) get ID /value
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4432
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path SoftwareLicensingProduct where (ApplicationID='0ff1ce15-a989-479d-af46-f275c6370663' and PartialProductKey is not null) get ID /value
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4264
- - C:\Windows\System32\findstr.exe
    findstr /i ID
    3⤵
    PID:2132
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path SoftwareLicensingProduct where (ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f' and PartialProductKey is not null) get ID /value"
    3⤵
    PID:2980
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path SoftwareLicensingProduct where (ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f' and PartialProductKey is not null) get ID /value
      4⤵
      PID:1932
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path SoftwareLicensingProduct where ID='2de67392-b7a7-462a-b1ca-108dd189f588' get Description, DiscoveredKeyManagementServiceMachineName, DiscoveredKeyManagementServiceMachinePort, EvaluationEndDate, GracePeriodRemaining, ID, KeyManagementServiceMachine, KeyManagementServicePort, KeyManagementServiceProductKeyID, LicenseStatus, LicenseStatusReason, Name, PartialProductKey, ProductKeyID, VLActivationInterval, VLRenewalInterval, KeyManagementServiceLookupDomain, VLActivationTypeEnabled, DiscoveredKeyManagementServiceMachineIpAddress, ProductKeyChannel /value" | findstr =
    3⤵
    PID:4208
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path SoftwareLicensingProduct where ID='2de67392-b7a7-462a-b1ca-108dd189f588' get Description, DiscoveredKeyManagementServiceMachineName, DiscoveredKeyManagementServiceMachinePort, EvaluationEndDate, GracePeriodRemaining, ID, KeyManagementServiceMachine, KeyManagementServicePort, KeyManagementServiceProductKeyID, LicenseStatus, LicenseStatusReason, Name, PartialProductKey, ProductKeyID, VLActivationInterval, VLRenewalInterval, KeyManagementServiceLookupDomain, VLActivationTypeEnabled, DiscoveredKeyManagementServiceMachineIpAddress, ProductKeyChannel /value
      4⤵
      PID:1796
  - - C:\Windows\System32\findstr.exe
      findstr =
      4⤵
      PID:4968
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Windows(R) Operating System, VOLUME_KMSCLIENT channel"
    3⤵
    PID:4680
- - C:\Windows\System32\findstr.exe
    findstr /i VOLUME_KMSCLIENT
    3⤵
    PID:3404
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Windows(R) Operating System, VOLUME_KMSCLIENT channel"
    3⤵
    PID:4428
- - C:\Windows\System32\findstr.exe
    findstr /i TIMEBASED_
    3⤵
    PID:4780
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Windows(R) Operating System, VOLUME_KMSCLIENT channel"
    3⤵
    PID:4084
- - C:\Windows\System32\findstr.exe
    findstr /i VIRTUAL_MACHINE_ACTIVATION
    3⤵
    PID:4840
- - C:\Windows\System32\cmd.exe
    cmd /c exit /b 3221549142
    3⤵
    PID:2620
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path SoftwareLicensingService get ClientMachineID, KeyManagementServiceHostCaching /value" | findstr =
    3⤵
    PID:2928
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path SoftwareLicensingService get ClientMachineID, KeyManagementServiceHostCaching /value
      4⤵
      PID:4532
  - - C:\Windows\System32\findstr.exe
      findstr =
      4⤵
      PID:3176
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path SoftwareLicensingProduct where (ApplicationID='0ff1ce15-a989-479d-af46-f275c6370663' and PartialProductKey is not null) get ID /value"
    3⤵
    PID:4056
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path SoftwareLicensingProduct where (ApplicationID='0ff1ce15-a989-479d-af46-f275c6370663' and PartialProductKey is not null) get ID /value
      4⤵
      PID:3456
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path SoftwareLicensingProduct where ID='85dd8b5f-eaa4-4af3-a628-cce9e77c9a03' get Description, DiscoveredKeyManagementServiceMachineName, DiscoveredKeyManagementServiceMachinePort, EvaluationEndDate, GracePeriodRemaining, ID, KeyManagementServiceMachine, KeyManagementServicePort, KeyManagementServiceProductKeyID, LicenseStatus, LicenseStatusReason, Name, PartialProductKey, ProductKeyID, VLActivationInterval, VLRenewalInterval, KeyManagementServiceLookupDomain, VLActivationTypeEnabled, DiscoveredKeyManagementServiceMachineIpAddress, ProductKeyChannel /value" | findstr =
    3⤵
    PID:2404
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path SoftwareLicensingProduct where ID='85dd8b5f-eaa4-4af3-a628-cce9e77c9a03' get Description, DiscoveredKeyManagementServiceMachineName, DiscoveredKeyManagementServiceMachinePort, EvaluationEndDate, GracePeriodRemaining, ID, KeyManagementServiceMachine, KeyManagementServicePort, KeyManagementServiceProductKeyID, LicenseStatus, LicenseStatusReason, Name, PartialProductKey, ProductKeyID, VLActivationInterval, VLRenewalInterval, KeyManagementServiceLookupDomain, VLActivationTypeEnabled, DiscoveredKeyManagementServiceMachineIpAddress, ProductKeyChannel /value
      4⤵
      PID:2320
  - - C:\Windows\System32\findstr.exe
      findstr =
      4⤵
      PID:3944
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Office 19, VOLUME_KMSCLIENT channel"
    3⤵
    PID:4148
- - C:\Windows\System32\findstr.exe
    findstr /i VOLUME_KMSCLIENT
    3⤵
    PID:960
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Office 19, VOLUME_KMSCLIENT channel"
    3⤵
    PID:2180
- - C:\Windows\System32\findstr.exe
    findstr /i TIMEBASED_
    3⤵
    PID:4652
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Office 19, VOLUME_KMSCLIENT channel"
    3⤵
    PID:4536
- - C:\Windows\System32\findstr.exe
    findstr /i VIRTUAL_MACHINE_ACTIVATION
    3⤵
    PID:3632
- - C:\Windows\System32\cmd.exe
    cmd /c exit /b 1074065472
    3⤵
    PID:1836
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c cscript.exe //NoLogo //Job:XPDT "check.bat?.wsf" 214247
    3⤵
    PID:3936
  - - C:\Windows\System32\cscript.exe
      cscript.exe //NoLogo //Job:XPDT "check.bat?.wsf" 214247
      4⤵
      PID:2244
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path SoftwareLicensingService get ClientMachineID, KeyManagementServiceHostCaching /value" | findstr =
    3⤵
    PID:4788
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path SoftwareLicensingService get ClientMachineID, KeyManagementServiceHostCaching /value
      4⤵
      PID:4740
  - - C:\Windows\System32\findstr.exe
      findstr =
      4⤵
      PID:800

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
556084f2c6d459c116a69d6fedcc4105

SHA1
633e89b9a1e77942d822d14de6708430a3944dbc

SHA256
88cc4f40f0eb08ff5c487d6db341b046cc63b22534980aca66a9f8480692f3a8

SHA512
0f6557027b098e45556af93e0be1db9a49c6416dc4afcff2cc2135a8a1ad4f1cf7185541ddbe6c768aefaf2c1a8e52d5282a538d15822d19932f22316edd283e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
3225fbc938bbe5975c90423ad93ad467

SHA1
e86ffea0c7dff2ef607b6823d733ea3aaad0fdfb

SHA256
ecca9c939e21c21de0125143c2b2c0fbf830984e2e0ce866498316eb18a046da

SHA512
5c1032f57015c6e6f95cf493e292d209dce7f276863a92c04c6a19182ca0ee3d274bf7891fefbaa8c078977d1e5173729731b0524bd6be0d3f7a696bde3bb8d5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
2f996b44e71bcf8e9d9bd5ef2a96a963

SHA1
61a10fcfb7bad1271f7132c7491982a916489af0

SHA256
78d612ffa268c2871faf8e656889f9ec6475890ff2763410dbf434a343ad9a0d

SHA512
84815d678a672aa99d4834fa4c0a42089bec36da593caabc337dc66180a8ebd0131e65fb68ba645d3d68e80a5e7808e0dcf5b0ff1cb2a46786d532b088b44515

Download Submit
C:\Users\Admin\AppData\Local\Temp\ KMS & KMS 2038 & Digital & Online Activation Suite v9.3 - mephistooo2 - www.TNCTR.com

Filesize
3B

MD5
df66fa563a2fafdb93cc559deb0a38c4

SHA1
e6666cf8574b0f7a9ae5bccee572f965c2aec9cb

SHA256
3e39ed22dc63246937c4dbbf34ce4fb1cfe6b00de7596b020cad49ae50031351

SHA512
34ea05ee75cd840a94526411777868edb293a69867e1fdc2c2e917d278a3d58fcb86afc65142f4b184ce6907f04fb254a86061cfb620f01874b0b454a6f01c18

Download Submit
C:\Users\Admin\AppData\Local\Temp\ SUPPORT MICROSOFT PRUDUCTS

Filesize
3B

MD5
df66fa563a2fafdb93cc559deb0a38c4

SHA1
e6666cf8574b0f7a9ae5bccee572f965c2aec9cb

SHA256
3e39ed22dc63246937c4dbbf34ce4fb1cfe6b00de7596b020cad49ae50031351

SHA512
34ea05ee75cd840a94526411777868edb293a69867e1fdc2c2e917d278a3d58fcb86afc65142f4b184ce6907f04fb254a86061cfb620f01874b0b454a6f01c18

Download Submit
C:\Users\Admin\AppData\Local\Temp\ [1] ACTIVATION START FOR WINDOWS & OFFICE (KMS Inject Method)

Filesize
3B

MD5
df66fa563a2fafdb93cc559deb0a38c4

SHA1
e6666cf8574b0f7a9ae5bccee572f965c2aec9cb

SHA256
3e39ed22dc63246937c4dbbf34ce4fb1cfe6b00de7596b020cad49ae50031351

SHA512
34ea05ee75cd840a94526411777868edb293a69867e1fdc2c2e917d278a3d58fcb86afc65142f4b184ce6907f04fb254a86061cfb620f01874b0b454a6f01c18

Download Submit
C:\Users\Admin\AppData\Local\Temp\ [2] ACTIVATION START FOR WINDOWS 10-11 (Digital & KMS 2038 Activation Method)

Filesize
3B

MD5
df66fa563a2fafdb93cc559deb0a38c4

SHA1
e6666cf8574b0f7a9ae5bccee572f965c2aec9cb

SHA256
3e39ed22dc63246937c4dbbf34ce4fb1cfe6b00de7596b020cad49ae50031351

SHA512
34ea05ee75cd840a94526411777868edb293a69867e1fdc2c2e917d278a3d58fcb86afc65142f4b184ce6907f04fb254a86061cfb620f01874b0b454a6f01c18

Download Submit
C:\Users\Admin\AppData\Local\Temp\ [3] ACTIVATION START FOR WINDOWS & OFFICE (Online Activation Method)

Filesize
3B

MD5
df66fa563a2fafdb93cc559deb0a38c4

SHA1
e6666cf8574b0f7a9ae5bccee572f965c2aec9cb

SHA256
3e39ed22dc63246937c4dbbf34ce4fb1cfe6b00de7596b020cad49ae50031351

SHA512
34ea05ee75cd840a94526411777868edb293a69867e1fdc2c2e917d278a3d58fcb86afc65142f4b184ce6907f04fb254a86061cfb620f01874b0b454a6f01c18

Download Submit
C:\Users\Admin\AppData\Local\Temp\ [4] WINDOWS & OFFICE ACTIVATION STATUS CHECK

Filesize
3B

MD5
df66fa563a2fafdb93cc559deb0a38c4

SHA1
e6666cf8574b0f7a9ae5bccee572f965c2aec9cb

SHA256
3e39ed22dc63246937c4dbbf34ce4fb1cfe6b00de7596b020cad49ae50031351

SHA512
34ea05ee75cd840a94526411777868edb293a69867e1fdc2c2e917d278a3d58fcb86afc65142f4b184ce6907f04fb254a86061cfb620f01874b0b454a6f01c18

Download Submit
C:\Users\Admin\AppData\Local\Temp\1

Filesize
279KB

MD5
436d8d09dc86c53be0486371400bd951

SHA1
c50a173334aceb34ceebe878ce4e47dc8b206c95

SHA256
586aa43770695b63537a434ad7835fd5b10c8d513eb1743255cf5b68cb5586b2

SHA512
28bc2990348f2c2828accc1843570d9f3834eb2c4d94083d2e90ede87266b0c3c3a8ade15458177bfb184b94d985ac406bd1ce58477832e38564d1c88623b81f

Download Submit
C:\Users\Admin\AppData\Local\Temp\25860\KMS_Suite.bat

Filesize
142KB

MD5
f825dcc537d39befd3a38d3558af19ec

SHA1
98c581debf37d459149413f4e73ff247cb67ff67

SHA256
2a6a60cc19bde03d9ef004b0413ce9c73b1abb71bb21a7a14ebaa41636cb561b

SHA512
ca293b76e89e10d5e35aea396498141dc962fdd24002e9638df19c68a6e619cf9b0a55edfab0e640e9d2a422d51943601a73f1102b7435a39cc05492f63de7d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\25860\bin\DisableX.exe

Filesize
16KB

MD5
00c9837407663587c69df18793248d52

SHA1
db8c290e81aba4712febba5f43ef6fa3ec319f61

SHA256
09933212238bc7d0cce57469f9927c0325d5670b21fc7787428574c4a52e5f6d

SHA512
2035a69398202385c327cf1970565855852275807e587f4b804e3c475b0a259a27052f14d791dfc5967d5e3114266b971670a78160832d8d46304b573d31b304

Download Submit
C:\Users\Admin\AppData\Local\Temp\25860\bin\DisableX.exe

Filesize
16KB

MD5
00c9837407663587c69df18793248d52

SHA1
db8c290e81aba4712febba5f43ef6fa3ec319f61

SHA256
09933212238bc7d0cce57469f9927c0325d5670b21fc7787428574c4a52e5f6d

SHA512
2035a69398202385c327cf1970565855852275807e587f4b804e3c475b0a259a27052f14d791dfc5967d5e3114266b971670a78160832d8d46304b573d31b304

Download Submit
C:\Users\Admin\AppData\Local\Temp\25860\bin\DisableX.vbs

Filesize
189B

MD5
c2206c9c9b0c97f7c5db4f473e96e9a3

SHA1
77b32538358d64aff6d7e083bba358f0fe7b2789

SHA256
f1cec878cd1db36ca4ccb68296cd47ce039054e2ece4cd22d9933b90c8625c1f

SHA512
67c8d84c4a58aa6dcfcd1271b206c0ac36d1f05db3701d0f003357746daaf6d3328fd7002cc1e6c2d2f3d0388c519669ec94e2bd0d817589decc6ac04c5f444a

Download Submit
C:\Users\Admin\AppData\Local\Temp\25860\bin\center.exe

Filesize
72KB

MD5
0a847eafddc4529388e1a1b291354cf8

SHA1
adddd1b79c64c7c1d0d440df847be31ee94e664d

SHA256
69533d9b66b840b4764f901cd6a502d12453b604617a841f4c2c602fc87df255

SHA512
7b3ddb5be55367fc5fcfaa99f9a3b7f0888234c82146f3af6b012ff1feacf8b087cf53cce3e57492417a8e88657a045d948fedc07645e5a018604c158bd15710

Download Submit
C:\Users\Admin\AppData\Local\Temp\25860\bin\center.exe

Filesize
72KB

MD5
0a847eafddc4529388e1a1b291354cf8

SHA1
adddd1b79c64c7c1d0d440df847be31ee94e664d

SHA256
69533d9b66b840b4764f901cd6a502d12453b604617a841f4c2c602fc87df255

SHA512
7b3ddb5be55367fc5fcfaa99f9a3b7f0888234c82146f3af6b012ff1feacf8b087cf53cce3e57492417a8e88657a045d948fedc07645e5a018604c158bd15710

Download Submit
C:\Users\Admin\AppData\Local\Temp\KMS_Suite\KMS_Suite.bat

Filesize
142KB

MD5
f825dcc537d39befd3a38d3558af19ec

SHA1
98c581debf37d459149413f4e73ff247cb67ff67

SHA256
2a6a60cc19bde03d9ef004b0413ce9c73b1abb71bb21a7a14ebaa41636cb561b

SHA512
ca293b76e89e10d5e35aea396498141dc962fdd24002e9638df19c68a6e619cf9b0a55edfab0e640e9d2a422d51943601a73f1102b7435a39cc05492f63de7d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\KMS_Suite\bin\Digital\Digital_KMS38.bat

Filesize
30KB

MD5
cd8967fb093c71a77b9a897a63849350

SHA1
397e0d1537e5b914376558c685b2c0f85b8c3639

SHA256
6079f56daea065542154b86cd33c17bce62b6d961fb432bf5c334f8864067cd0

SHA512
87c6a8c97e4ecf4dc8e14bf1b522b654449d821b5912be0138a8accc0b9e363f2e7569c0517afd688c1d46c11269979055c32d65d8c69a26051271d6b7533a02

Download Submit
C:\Users\Admin\AppData\Local\Temp\KMS_Suite\bin\Digital\OEM_Digital\$OEM$\$$\Setup\Scripts\SETUPCOMPLETE.bat

Filesize
341B

MD5
d401c5effa22436e0382bdd71b145ed3

SHA1
b2632b7e74c21d9791d2a7202beab9fcb878c46b

SHA256
cb02f5670b0f7f13d87a4df29879d275c23adcdc15f3345dedbbe4ccc3ba0231

SHA512
22b7d96c9022dfe114f2997866f2e5a23e135d6d61708483eb9342b90d1b521d45618ff8dfc821b9a08c1740fda54aedd1f95f54c1d80c882cbabb8fac8cd517

Download Submit
C:\Users\Admin\AppData\Local\Temp\KMS_Suite\bin\Digital\OEM_Digital\$OEM$\$$\Setup\Scripts\digi.bat

Filesize
30KB

MD5
cd8967fb093c71a77b9a897a63849350

SHA1
397e0d1537e5b914376558c685b2c0f85b8c3639

SHA256
6079f56daea065542154b86cd33c17bce62b6d961fb432bf5c334f8864067cd0

SHA512
87c6a8c97e4ecf4dc8e14bf1b522b654449d821b5912be0138a8accc0b9e363f2e7569c0517afd688c1d46c11269979055c32d65d8c69a26051271d6b7533a02

Download Submit
C:\Users\Admin\AppData\Local\Temp\KMS_Suite\bin\Digital\OEM_KMS38\$OEM$\$$\Setup\Scripts\KMS38.bat

Filesize
30KB

MD5
cd8967fb093c71a77b9a897a63849350

SHA1
397e0d1537e5b914376558c685b2c0f85b8c3639

SHA256
6079f56daea065542154b86cd33c17bce62b6d961fb432bf5c334f8864067cd0

SHA512
87c6a8c97e4ecf4dc8e14bf1b522b654449d821b5912be0138a8accc0b9e363f2e7569c0517afd688c1d46c11269979055c32d65d8c69a26051271d6b7533a02

Download Submit
C:\Users\Admin\AppData\Local\Temp\KMS_Suite\bin\Digital\OEM_KMS38\$OEM$\$$\Setup\Scripts\SETUPCOMPLETE.bat

Filesize
343B

MD5
0d2e7f7d3632f02a4f5f605ee9750f56

SHA1
b17e185829d03518be196fb37d801dfd8cc3f6af

SHA256
eeb96f5030386b06c8b11101f3beb740f2932e3e755f5e0f9da11d56d1cec69c

SHA512
4febee13af76e7f8adfbcb58470729d6b43870b5d94e8da28310c8546bd3c6eb6d769da2c0b07d61cd1ad16dc904dc75d48a80a394b029e09f79f02c19ebb10a

Download Submit
C:\Users\Admin\AppData\Local\Temp\KMS_Suite\bin\Digital\bin\gatherosstate.exe

Filesize
330KB

MD5
15ce0753a16dd4f9b9f0f9926dd37c4e

SHA1
fabb5a0fc1e6a372219711152291339af36ed0b5

SHA256
028c8fbe58f14753b946475de9f09a9c7a05fd62e81a1339614c9e138fc2a21d

SHA512
4e5a6751f5f1f8499890e07a3b58c4040e43cf1329ab8f4a09201e1f247825e334e416717895f6e570842f3d2d6a137c77539c70545329c1ab3118bd83a38226

Download Submit
C:\Users\Admin\AppData\Local\Temp\KMS_Suite\bin\Digital\bin\slc.dll

Filesize
7KB

MD5
a3d60be84fb7fc1701f2518ad619bb19

SHA1
4937e478f33a1430a72f17fab2a6220bf9fde413

SHA256
653e61441d85cd74ba3fd4f50be204b47a32bce19a17451d87a2356bef87a321

SHA512
43abbf267c8326ca955bb9085d49f9ab108512c9cc8025ebc8523cab307cc1877f990f3174ab7a0498c38591eb1eee7fb04be91129ac7f9ab8422e271ca3f5ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\KMS_Suite\bin\DisableX.exe

Filesize
16KB

MD5
00c9837407663587c69df18793248d52

SHA1
db8c290e81aba4712febba5f43ef6fa3ec319f61

SHA256
09933212238bc7d0cce57469f9927c0325d5670b21fc7787428574c4a52e5f6d

SHA512
2035a69398202385c327cf1970565855852275807e587f4b804e3c475b0a259a27052f14d791dfc5967d5e3114266b971670a78160832d8d46304b573d31b304

Download Submit
C:\Users\Admin\AppData\Local\Temp\KMS_Suite\bin\DisableX.vbs

Filesize
189B

MD5
c2206c9c9b0c97f7c5db4f473e96e9a3

SHA1
77b32538358d64aff6d7e083bba358f0fe7b2789

SHA256
f1cec878cd1db36ca4ccb68296cd47ce039054e2ece4cd22d9933b90c8625c1f

SHA512
67c8d84c4a58aa6dcfcd1271b206c0ac36d1f05db3701d0f003357746daaf6d3328fd7002cc1e6c2d2f3d0388c519669ec94e2bd0d817589decc6ac04c5f444a

Download Submit
C:\Users\Admin\AppData\Local\Temp\KMS_Suite\bin\Inject\$OEM$\$$\Setup\Scripts\SETUPCOMPLETE.bat

Filesize
983B

MD5
d98118ac31e94e4d5f2a3baab1e4c777

SHA1
b5649576144d09fbb04bd616a9a1a78db1bad29b

SHA256
7c85f1b5724fa3fd960e3c2892b15546a007d70ad3cc57fd537399e1ce369de5

SHA512
b62dd33fa2dd791f3ad11c41528dae15ff51efedffa769245fe5ee8498dfcba4e5d4c90a117c2cb4b89269c868261206ec44d192a42dae723c51084fc5a3b031

Download Submit
C:\Users\Admin\AppData\Local\Temp\KMS_Suite\bin\Inject\$OEM$\$$\Setup\Scripts\run.bat

Filesize
140KB

MD5
27edcd6267f4c58c35db91cbbf934929

SHA1
297b1cd2a4833cb24cd5758fc2b73939a1111080

SHA256
eec4ab779b67dd195bb474e8b4c45a5859ae5129ae916b5d9dd4d46f46206430

SHA512
a068a29cce8a63eb540c964ecce95248231f3a556b11196403191d317df3f344d0de9982eabc376794314bc4f7ba1394a629ccfd88a52916c2fd3df333000e3c

Download Submit
C:\Users\Admin\AppData\Local\Temp\KMS_Suite\bin\Inject\KMSInject.bat

Filesize
140KB

MD5
d054f26c2659bdec0ccf6df418023d6e

SHA1
e98dac9b0a7801475d6e7f76269f463613a61a10

SHA256
4534138dbfa7b55f674612f8fb2c7caf727260e382611d1f5f6f90504d05955e

SHA512
e8e9cccead23a7eb655409fd8949f76a5660f071da360af20006622ab87baabf89172a2832e7b0dd6278a5907dc66a80c23dbe744c2a7e4325c10eab4c7ab6ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\KMS_Suite\bin\Inject\bin\A64.dll

Filesize
21KB

MD5
886b4a107a2ede49c4c8a5bcba94f20f

SHA1
b5256ddc2b5fb8bd8d0272679043e03a0936d8a3

SHA256
24bf5b777254334c384e02ced455d21470163569d33ffebad36e54f6afd5059c

SHA512
28aa34d2dc065b14912d4813246fdd963a47e8c4a7d0134d22e63f80d9bff45cea150b8d4dc2d3ced9a8f337ec513e8214dba04c09130b24631cd48d9eb8f28d

Download Submit
C:\Users\Admin\AppData\Local\Temp\KMS_Suite\bin\Inject\bin\KMS.xml

Filesize
3KB

MD5
672791216f102bdb76fb550adb0ea923

SHA1
e5fa7406143f7bb9aa28de777e62465ae55975bb

SHA256
0cb32bea8fc9ef6150e071049497b51750b8f4cb13cf83adac1f1357560f751a

SHA512
9801da8df68dad6f40e63c02b481463cb1b59e2d57f183b17e7168cbb96eafb95c98c226e196ba379b6cbde6bce911cecd8511ac40af76f5b35f705866f824b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\KMS_Suite\bin\Inject\bin\cleanosppx64.exe

Filesize
19KB

MD5
162ab955cb2f002a73c1530aa796477f

SHA1
d30a0e4e5911d3ca705617d17225372731c770e2

SHA256
5ce462e5f34065fc878362ba58617fab28c22d631b9d836dddcf43fb1ad4de6e

SHA512
e0288dcf78092449d9cbaef4488041131925387c1aedc9e9512da0f66efe2fb68350ca3937f6715834e62e7c931c5dad0fc8bc3c6c0c3daedeff356d6feaac2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\KMS_Suite\bin\Inject\bin\cleanosppx86.exe

Filesize
17KB

MD5
5fd363d52d04ac200cd24f3bcc903200

SHA1
39ed8659e7ca16aaccb86def94ce6cec4c847dd6

SHA256
3fdefe2ad092a9a7fe0edf0ac4dc2de7e5b9ce6a0804f6511c06564194966cf9

SHA512
f8ea73b0cb0a90fac6032a54028c60119022173334e68db3fbd63fe173032dd3fc3b438678064edb8c63d4eceaa72990ce039819df3d547d7d7627ad2eee36b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\KMS_Suite\bin\Inject\bin\x64.dll

Filesize
20KB

MD5
a8f669ab8fad00bd193a82b8f62e7660

SHA1
1925f6f7b904d0289da8cdc55e84875f7739b0b1

SHA256
bcde6b7bbafa2b4eeb6c75f051b5949d27b49b4030e376a7838ba84e4e103daf

SHA512
1adaa8aaa55c7cf3d36435646aa8312cd62511edaa54f31160ef6ba4e8364f0a6cb9c0d9b96f796d777d0448b3a3fc8ae28ee213456c66dfeef046b40d57b897

Download Submit
C:\Users\Admin\AppData\Local\Temp\KMS_Suite\bin\Inject\bin\x86.dll

Filesize
16KB

MD5
fee7e8f5472041f6b2c0e5d8f8d0da45

SHA1
063eeee055d4646e91e15ac6a785bd9c7bcaa10b

SHA256
c43ccfcc2f7ab3e2d229da6b1fb9715cc707991835108518cb0aa9a667ea15cc

SHA512
c535d5a68b99e9a8ea5b937d382a2827b99b37edaf55bd6af4e6196242575a4102ff2f14297ae6be875477df5a7f9997f3c3d00821fe8ea94d5bef08a157f8b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\KMS_Suite\bin\center.exe

Filesize
72KB

MD5
0a847eafddc4529388e1a1b291354cf8

SHA1
adddd1b79c64c7c1d0d440df847be31ee94e664d

SHA256
69533d9b66b840b4764f901cd6a502d12453b604617a841f4c2c602fc87df255

SHA512
7b3ddb5be55367fc5fcfaa99f9a3b7f0888234c82146f3af6b012ff1feacf8b087cf53cce3e57492417a8e88657a045d948fedc07645e5a018604c158bd15710

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESECD1.tmp

Filesize
1KB

MD5
983f62576357fa430c557058cde42ea7

SHA1
a5fad62076a8e785c3c9600c3e443668e32cf32f

SHA256
cb9d5e705313a3ed4cb420c32d82cb8449acc73bd924f43d04cdf835c2081453

SHA512
000cbefc2c97f86b40222c40eb5ca9bd694db80bdb3e38bd801b069016e05e34cd44e8b4efe680bb9d7db43c77e55feb243828ca02e7eb86491972a5d311df0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\md4u0kvm\md4u0kvm.dll

Filesize
3KB

MD5
e109980f9fda1229a73a14b5a0a0c9e0

SHA1
cc9c0d8e9b2353bc0e33d77c675f30baa886a0ce

SHA256
72428eacfa562230823e9e40fd53fd82abbcdfc1f177c2facadf15e566909c4e

SHA512
884234a8d7dd36ca71121704c5002fbd3f5910a1429f06b07b76a4011cf2e228762fcfed0f102aa1378da4be72fa23f43e23e75a7580104c0488308a6103375b

Download Submit
C:\Users\Admin\Downloads\KMS-2038 & Digital & Online Activation Suite 9.3.rar

Filesize
382KB

MD5
0fadb5a3cc1d4258ddc13e6e6c12fa3c

SHA1
c5a0a7a95990c8526687c6444f51a86d5b7acc8b

SHA256
388739f45ac12e135430de2351554ada5cdf2e3680116a25f0b1d23b7ae880c8

SHA512
2602a20563544a58e63c47f2631d6866d228785a164f5fd0f7ed8cbca739b49887675bf439a3e241330ee813e3d42833b4ed6a2869a5595b5adc0c3368717524

Download Submit
C:\Users\Admin\Downloads\KMS-2038 & Digital & Online Activation Suite 9.3\KMS_Suite.v9.3.EN.bat

Filesize
356KB

MD5
2542dfefdc35cb2477961289977c36bc

SHA1
4b60f654960c3d7b8a4a6cb78f23764d4d7abebd

SHA256
1094061c601cb82c12e4b10ce566c096029c0f62214f21481c2753a10c812742

SHA512
10f3325807adb849137d64ca82a5499f6ba7307b71573609614129b59aa0d75ac69cba9288568548af21ce3676992fdc6f0437f763bd58c520019cc809600740

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\md4u0kvm\CSC35584BC575AD462D97E6C638CE23EF8.TMP

Filesize
652B

MD5
5471434ace3f7b51c6e55aedeaddb516

SHA1
472891ceb79ab33da0865d3e7f2d52df8029169f

SHA256
30c366675a14f47cff6aeab801752b758ff89a801cffe250d64df8b570424cef

SHA512
f0c164886b19ad9631fd396bf9bba945bf470ea1d588fb68cb311252ac66ed7dcd38c11991edc00f5f5bc0a033aaf7dbd4eb47fb3482ee3fccf91b152490f92e

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\md4u0kvm\md4u0kvm.0.cs

Filesize
521B

MD5
047f0cf592670e8fca358f12e4cd5a89

SHA1
0cd8cdde668e7e64adb49e388e75e1136429e5f6

SHA256
32e77d9085ad9ea0fd1eb5a9556e29cb42f5d3016ccf9853f3c39d358f479978

SHA512
368b22e424520c272195d3264123fceb2dba549574ff7282c210ffb6d9e8f574b7392f199304f2adef974d4d926fbccb1ce50fbd8ad4e89f05cec58635357cc8

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\md4u0kvm\md4u0kvm.cmdline

Filesize
369B

MD5
804cc71081e796898e8396a1e0fea91c

SHA1
65ec45f7771bbcfb2f7139c477428ec445903d83

SHA256
713e70d6c43035c4efc6fc07586b8dfb7566eb1eb8f0f19752d435c4cf9ec8fc

SHA512
6edfd6361c098c14c31aef7825e2ed198d63e9e20618bcb9ec8ab3b90fc6cdf3ea5ecf4d116c69310eb5c5d7368d837d0f40d4dc979f577219963818a542d708

Download Submit
memory/404-199-0x00007FF8F50F0000-0x00007FF8F5BB1000-memory.dmp

Filesize
10.8MB

Download
memory/848-256-0x00007FF8F50F0000-0x00007FF8F5BB1000-memory.dmp

Filesize
10.8MB

Download
memory/1840-254-0x00007FF8F50F0000-0x00007FF8F5BB1000-memory.dmp

Filesize
10.8MB

Download
memory/2620-234-0x00007FF8F50F0000-0x00007FF8F5BB1000-memory.dmp

Filesize
10.8MB

Download
memory/2620-233-0x00007FF8F50F0000-0x00007FF8F5BB1000-memory.dmp

Filesize
10.8MB

Download
memory/2772-255-0x00007FF8F50F0000-0x00007FF8F5BB1000-memory.dmp

Filesize
10.8MB

Download
memory/3116-181-0x00007FF8F50F0000-0x00007FF8F5BB1000-memory.dmp

Filesize
10.8MB

Download
memory/3116-180-0x00007FF8F50F0000-0x00007FF8F5BB1000-memory.dmp

Filesize
10.8MB

Download
memory/3400-223-0x00007FF8F50F0000-0x00007FF8F5BB1000-memory.dmp

Filesize
10.8MB

Download
memory/3400-222-0x00007FF8F50F0000-0x00007FF8F5BB1000-memory.dmp

Filesize
10.8MB

Download
memory/4428-151-0x00007FF8F50F0000-0x00007FF8F5BB1000-memory.dmp

Filesize
10.8MB

Download
memory/4428-141-0x00007FF8F50F0000-0x00007FF8F5BB1000-memory.dmp

Filesize
10.8MB

Download
memory/4428-140-0x00000271BE380000-0x00000271BE3A2000-memory.dmp

Filesize
136KB

Download
memory/4856-244-0x00007FF8F50F0000-0x00007FF8F5BB1000-memory.dmp

Filesize
10.8MB

Download