hxxps://mega[.]nz/file/QzpA0YST#JeDPGBmNphunJg6cW3nMZe6DQgtorQm1SP5Ev98rX3o

Analysis

max time kernel
624s
max time network
804s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
02-10-2022 16:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://mega.nz/file/QzpA0YST#JeDPGBmNphunJg6cW3nMZe6DQgtorQm1SP5Ev98rX3o

Score

10^/10

evasion upx

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://officecdn.microsoft.com/pr/5030841d-c919-4594-8d2d-84ae4f96e58e/Office/Data/v32.cab

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://officecdn.microsoft.com/pr/5030841d-c919-4594-8d2d-84ae4f96e58e/Office/Data/16.0.14332.20375/i640.cab

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://officecdn.microsoft.com/pr/5030841d-c919-4594-8d2d-84ae4f96e58e/Office/Data/16.0.14332.20375/i641033.cab

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://officecdn.microsoft.com/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32.cab

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://officecdn.microsoft.com/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32.cab

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://officecdn.microsoft.com/pr/5030841d-c919-4594-8d2d-84ae4f96e58e/Office/Data/v32.cab

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://officecdn.microsoft.com/pr/5030841d-c919-4594-8d2d-84ae4f96e58e/Office/Data/16.0.14332.20375/i640.cab

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://officecdn.microsoft.com/pr/5030841d-c919-4594-8d2d-84ae4f96e58e/Office/Data/16.0.14332.20375/i641033.cab

Signatures

Blocklisted process makes network request 8 IoCs

flow	pid	Process
188	2244	powershell.exe
189	1896	powershell.exe
190	4232	powershell.exe
204	216	powershell.exe
205	2244	powershell.exe
206	1868	powershell.exe
207	4684	powershell.exe
208	2692	powershell.exe

Executes dropped EXE 12 IoCs

pid	Process
4160	ChromeRecovery.exe
1684	KMSAuto++.exe
4760	signtool.exe
776	OInstallLite.exe
2192	files.dat
4332	OfficeClickToRun.exe
384	OfficeClickToRun.exe
2960	OInstallLite.exe
1628	OfficeClickToRun.exe
2448	OfficeClickToRun.exe
4596	KMSAuto++.exe
5112	files.dat

Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489

UPX packed file 13 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x000400000001da44-139.dat	upx
behavioral2/files/0x000600000001da44-143.dat	upx
behavioral2/files/0x000600000001da44-144.dat	upx
behavioral2/memory/1684-148-0x0000000000400000-0x0000000001713000-memory.dmp	upx
behavioral2/files/0x0008000000022f25-160.dat	upx
behavioral2/files/0x0008000000022f25-161.dat	upx
behavioral2/memory/776-165-0x0000000000400000-0x0000000001608000-memory.dmp	upx
behavioral2/memory/1684-172-0x0000000000400000-0x0000000001713000-memory.dmp	upx
behavioral2/memory/776-181-0x0000000000400000-0x0000000001608000-memory.dmp	upx
behavioral2/memory/2960-225-0x0000000000400000-0x0000000001608000-memory.dmp	upx
behavioral2/memory/2960-235-0x0000000000400000-0x0000000001608000-memory.dmp	upx
behavioral2/memory/2960-254-0x0000000000400000-0x0000000001608000-memory.dmp	upx
behavioral2/memory/4596-255-0x0000000000400000-0x0000000001713000-memory.dmp	upx

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	OfficeClickToRun.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	OfficeClickToRun.exe

Loads dropped DLL 51 IoCs

pid	Process
4332	OfficeClickToRun.exe
4332	OfficeClickToRun.exe
4332	OfficeClickToRun.exe
4332	OfficeClickToRun.exe
4332	OfficeClickToRun.exe
4332	OfficeClickToRun.exe
4332	OfficeClickToRun.exe
4332	OfficeClickToRun.exe
384	OfficeClickToRun.exe
384	OfficeClickToRun.exe
384	OfficeClickToRun.exe
384	OfficeClickToRun.exe
384	OfficeClickToRun.exe
384	OfficeClickToRun.exe
384	OfficeClickToRun.exe
384	OfficeClickToRun.exe
384	OfficeClickToRun.exe
384	OfficeClickToRun.exe
384	OfficeClickToRun.exe
384	OfficeClickToRun.exe
384	OfficeClickToRun.exe
384	OfficeClickToRun.exe
384	OfficeClickToRun.exe
384	OfficeClickToRun.exe
384	OfficeClickToRun.exe
1628	OfficeClickToRun.exe
1628	OfficeClickToRun.exe
1628	OfficeClickToRun.exe
1628	OfficeClickToRun.exe
1628	OfficeClickToRun.exe
1628	OfficeClickToRun.exe
1628	OfficeClickToRun.exe
1628	OfficeClickToRun.exe
1628	OfficeClickToRun.exe
2448	OfficeClickToRun.exe
2448	OfficeClickToRun.exe
2448	OfficeClickToRun.exe
2448	OfficeClickToRun.exe
2448	OfficeClickToRun.exe
2448	OfficeClickToRun.exe
2448	OfficeClickToRun.exe
2448	OfficeClickToRun.exe
2448	OfficeClickToRun.exe
2448	OfficeClickToRun.exe
2448	OfficeClickToRun.exe
2448	OfficeClickToRun.exe
2448	OfficeClickToRun.exe
2448	OfficeClickToRun.exe
2448	OfficeClickToRun.exe
2448	OfficeClickToRun.exe
2448	OfficeClickToRun.exe

Drops file in System32 directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\80237EE4964FC9C409AAF55BF996A292_E503B048B745DFA14B81FCFC68D6DECE	OfficeClickToRun.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\OTele\officeclicktorun.exe.db	OfficeClickToRun.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\OTele\officeclicktorun.exe.db-wal	OfficeClickToRun.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\OTele\officeclicktorun.exe.db-shm	OfficeClickToRun.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\OTele\officeclicktorun.exe.db	OfficeClickToRun.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\OTele\officeclicktorun.exe.db-wal	OfficeClickToRun.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\OTele\officeclicktorun.exe.db-shm	OfficeClickToRun.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_E503B048B745DFA14B81FCFC68D6DECE	OfficeClickToRun.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVClient.man	OInstallLite.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.es-es.dll	OInstallLite.exe
File created	C:\Program Files\Common Files\microsoft Shared\ClickToRun\0627a2a83d6f48218525568e902b71fd$dpx$.tmp\b77c262c92b9df4b9a0f2df933b6346d.tmp	expand.exe
File created	C:\Program Files\Common Files\microsoft Shared\ClickToRun\0627a2a83d6f48218525568e902b71fd$dpx$.tmp\de67fc23d2478341984d930c814f974e.tmp	expand.exe
File opened for modification	C:\Program Files\Common Files\microsoft Shared\ClickToRun\AppVFileSystemMetadata.dll	expand.exe
File opened for modification	C:\Program Files\Common Files\microsoft Shared\ClickToRun\C2RINTL.el-gr.dll	expand.exe
File created	C:\Program Files\Common Files\microsoft Shared\ClickToRun\6ffdedaf257b4a1bba28862ad76810b9$dpx$.tmp\9d4294499325864bbabf7a9d838ce340.tmp	expand.exe
File opened for modification	C:\Program Files\Common Files\microsoft Shared\ClickToRun\ClientEventLogMessages.man	expand.exe
File opened for modification	C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir4596_251634051\manifest.json	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2R64.dll	OInstallLite.exe
File created	C:\Program Files\Common Files\microsoft Shared\ClickToRun\0627a2a83d6f48218525568e902b71fd$dpx$.tmp\f7c0e24662386242a1d7faec87d8a108.tmp	expand.exe
File created	C:\Program Files\Common Files\microsoft Shared\ClickToRun\6ffdedaf257b4a1bba28862ad76810b9$dpx$.tmp\5344d1bdfcd90949bd36aa0ffc9a753b.tmp	expand.exe
File created	C:\Program Files\Common Files\microsoft Shared\ClickToRun\6ffdedaf257b4a1bba28862ad76810b9$dpx$.tmp\2cf1a0a9fa7f1b469f357eb0c0399d1d.tmp	expand.exe
File opened for modification	C:\Program Files\Common Files\microsoft Shared\ClickToRun\C2R64.dll	expand.exe
File opened for modification	C:\Program Files\Common Files\microsoft Shared\ClickToRun\OfficeClickToRun.exe	expand.exe
File created	C:\Program Files\Common Files\microsoft Shared\ClickToRun\0627a2a83d6f48218525568e902b71fd$dpx$.tmp\04729445bd9ca94fb458ba1386d5b050.tmp	expand.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\ApiClient.dll	OInstallLite.exe
File opened for modification	C:\Program Files\Common Files\microsoft Shared\ClickToRun\C2RINTL.et-ee.dll	expand.exe
File opened for modification	C:\Program Files\Common Files\microsoft Shared\ClickToRun\C2RINTL.hr-hr.dll	expand.exe
File created	C:\Program Files\Common Files\microsoft Shared\ClickToRun\6ffdedaf257b4a1bba28862ad76810b9$dpx$.tmp\c21a93358ce5794e916ba4f633a372cf.tmp	expand.exe
File created	C:\Program Files\Common Files\microsoft Shared\ClickToRun\6ffdedaf257b4a1bba28862ad76810b9$dpx$.tmp\d3cad60bb8a727438388fec660e25d98.tmp	expand.exe
File opened for modification	C:\Program Files\Common Files\microsoft Shared\ClickToRun\{99713D3E-CA68-4B65-A92A-A2E8C203FDC9}	expand.exe
File created	C:\Program Files\Common Files\microsoft Shared\ClickToRun\6ffdedaf257b4a1bba28862ad76810b9$dpx$.tmp\6c68f0c68ac7174bae663e5699b416df.tmp	expand.exe
File opened for modification	C:\Program Files\Common Files\microsoft Shared\ClickToRun\appvcleaner.exe	expand.exe
File created	C:\Program Files\Common Files\microsoft Shared\ClickToRun\6ffdedaf257b4a1bba28862ad76810b9$dpx$.tmp\889b98e8766bf84bb50bc960c70cb85b.tmp	expand.exe
File opened for modification	C:\Program Files\Common Files\microsoft Shared\ClickToRun\C2RINTL.ro-ro.dll	expand.exe
File opened for modification	C:\Program Files\Common Files\microsoft Shared\ClickToRun\vcruntime140_1.dll	expand.exe
File opened for modification	C:\Program Files\Common Files\microsoft Shared\ClickToRun\vcruntime140.dll	expand.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-convert-l1-1-0.dll	OInstallLite.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\msvcp120.dll	OInstallLite.exe
File created	C:\Program Files\Common Files\microsoft Shared\ClickToRun\0627a2a83d6f48218525568e902b71fd$dpx$.tmp\0c2a2514bd092044b8d5b9c367201801.tmp	expand.exe
File created	C:\Program Files\Common Files\microsoft Shared\ClickToRun\6ffdedaf257b4a1bba28862ad76810b9$dpx$.tmp\49678b295fa7e640866020edc978f62d.tmp	expand.exe
File created	C:\Program Files\Common Files\microsoft Shared\ClickToRun\6ffdedaf257b4a1bba28862ad76810b9$dpx$.tmp\c89ce5a19a8b4c408cea9e674ea759e1.tmp	expand.exe
File opened for modification	C:\Program Files\Common Files\microsoft Shared\ClickToRun\C2RINTL.ko-kr.dll	expand.exe
File created	C:\Program Files\Common Files\microsoft Shared\ClickToRun\6ffdedaf257b4a1bba28862ad76810b9$dpx$.tmp\3b2af6c927b47b4ea09a759e30cc7ee0.tmp	expand.exe
File opened for modification	C:\Program Files\Common Files\microsoft Shared\ClickToRun\AppVShNotify.exe	expand.exe
File created	C:\Program Files\Common Files\microsoft Shared\ClickToRun\0627a2a83d6f48218525568e902b71fd$dpx$.tmp\c7a89ddadfbc5b479a4b487c0254b11c.tmp	expand.exe
File opened for modification	C:\Program Files\Common Files\microsoft Shared\ClickToRun\C2RINTL.zh-cn.dll	expand.exe
File opened for modification	C:\Program Files\Common Files\microsoft Shared\ClickToRun\C2R32.dll	expand.exe
File opened for modification	C:\Program Files\Common Files\microsoft Shared\ClickToRun\C2RINTL.de-de.dll	expand.exe
File created	C:\Program Files\Common Files\microsoft Shared\ClickToRun\6ffdedaf257b4a1bba28862ad76810b9$dpx$.tmp\506ec135acac8d4d9407767ce3ee5880.tmp	expand.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.hr-hr.dll	OInstallLite.exe
File created	C:\Program Files\Common Files\microsoft Shared\ClickToRun\0627a2a83d6f48218525568e902b71fd$dpx$.tmp\244ddd696e64fc41b1c5077a627e44b9.tmp	expand.exe
File created	C:\Program Files\Common Files\microsoft Shared\ClickToRun\0627a2a83d6f48218525568e902b71fd$dpx$.tmp\9a1626837b4bde4b823cb6a74872e08b.tmp	expand.exe
File opened for modification	C:\Program Files\Common Files\microsoft Shared\ClickToRun\AppVIsvVirtualization.dll	expand.exe
File opened for modification	C:\Program Files\Common Files\microsoft Shared\ClickToRun\C2R32.dll	expand.exe
File opened for modification	C:\Program Files\Common Files\microsoft Shared\ClickToRun\SharedPerformance.man	expand.exe
File opened for modification	C:\Program Files\Common Files\microsoft Shared\ClickToRun\api-ms-win-crt-filesystem-l1-1-0.dll	expand.exe
File opened for modification	C:\Program Files\Common Files\microsoft Shared\ClickToRun\C2RINTL.cs-cz.dll	expand.exe
File opened for modification	C:\Program Files\Common Files\microsoft Shared\ClickToRun\C2RINTL.en-us.dll	expand.exe
File opened for modification	C:\Program Files\Common Files\microsoft Shared\ClickToRun\C2RINTL.lv-lv.dll	expand.exe
File created	C:\Program Files\Common Files\microsoft Shared\ClickToRun\6ffdedaf257b4a1bba28862ad76810b9$dpx$.tmp\9ba0241359d8ed4fb6d78147e2886d69.tmp	expand.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\RepoMan.dll	OInstallLite.exe
File created	C:\Program Files\Common Files\microsoft Shared\ClickToRun\0627a2a83d6f48218525568e902b71fd$dpx$.tmp\8840af66e43b5e4d88b27e88759e5dad.tmp	expand.exe
File opened for modification	C:\Program Files\Common Files\microsoft Shared\ClickToRun\InspectorOfficeGadget.exe	expand.exe
File created	C:\Program Files\Common Files\microsoft Shared\ClickToRun\6ffdedaf257b4a1bba28862ad76810b9$dpx$.tmp\35f537dd1d02c14a8e3789f7557b8494.tmp	expand.exe
File created	C:\Program Files\Common Files\microsoft Shared\ClickToRun\6ffdedaf257b4a1bba28862ad76810b9$dpx$.tmp\9c8869b36defb5428e471106da743148.tmp	expand.exe
File opened for modification	C:\Program Files\Common Files\microsoft Shared\ClickToRun\C2RINTL.vi-vn.dll	expand.exe
File created	C:\Program Files\Common Files\microsoft Shared\ClickToRun\0627a2a83d6f48218525568e902b71fd$dpx$.tmp\619df8544eaa6d4d9d1de9ecba4382b3.tmp	expand.exe
File opened for modification	C:\Program Files\Common Files\microsoft Shared\ClickToRun\C2RINTL.sk-sk.dll	expand.exe
File opened for modification	C:\Program Files\Common Files\microsoft Shared\ClickToRun\C2RINTL.tr-tr.dll	expand.exe
File opened for modification	C:\Program Files\Common Files\microsoft Shared\ClickToRun\2b223ad7a4d24cef8c1f60348e81fa3e$dpx$.tmp\job.xml	expand.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.et-ee.dll	OInstallLite.exe
File opened for modification	C:\Program Files\Common Files\microsoft Shared\ClickToRun\api-ms-win-core-file-l2-1-0.dll	expand.exe

Drops file in Windows directory 16 IoCs

description	ioc	Process
File opened for modification	C:\Windows\LOGS\DPX\setupact.log	expand.exe
File opened for modification	C:\Windows\LOGS\DPX\setuperr.log	expand.exe
File opened for modification	C:\Windows\LOGS\DPX\setupact.log	expand.exe
File opened for modification	C:\Windows\LOGS\DPX\setupact.log	expand.exe
File opened for modification	C:\Windows\LOGS\DPX\setuperr.log	expand.exe
File opened for modification	C:\Windows\LOGS\DPX\setuperr.log	expand.exe
File opened for modification	C:\Windows\LOGS\DPX\setupact.log	expand.exe
File opened for modification	C:\Windows\LOGS\DPX\setupact.log	expand.exe
File opened for modification	C:\Windows\LOGS\DPX\setupact.log	expand.exe
File opened for modification	C:\Windows\LOGS\DPX\setupact.log	expand.exe
File opened for modification	C:\Windows\LOGS\DPX\setuperr.log	expand.exe
File opened for modification	C:\Windows\LOGS\DPX\setuperr.log	expand.exe
File opened for modification	C:\Windows\LOGS\DPX\setuperr.log	expand.exe
File opened for modification	C:\Windows\LOGS\DPX\setuperr.log	expand.exe
File opened for modification	C:\Windows\LOGS\DPX\setupact.log	expand.exe
File opened for modification	C:\Windows\LOGS\DPX\setuperr.log	expand.exe

Launches sc.exe 2 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
4924	sc.exe
2372	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 12 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	OfficeClickToRun.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	OfficeClickToRun.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	OfficeClickToRun.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	OfficeClickToRun.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	OfficeClickToRun.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	OfficeClickToRun.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	OfficeClickToRun.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	OfficeClickToRun.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	OfficeClickToRun.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	OfficeClickToRun.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	OfficeClickToRun.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	OfficeClickToRun.exe

Enumerates system info in registry 2 TTPs 15 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	OfficeClickToRun.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	OfficeClickToRun.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	OfficeClickToRun.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	OfficeClickToRun.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	OfficeClickToRun.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	OfficeClickToRun.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	OfficeClickToRun.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	OfficeClickToRun.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	OfficeClickToRun.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	OfficeClickToRun.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	OfficeClickToRun.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	OfficeClickToRun.exe

Kills process with taskkill 6 IoCs

evasion

pid	Process
1496	taskkill.exe
4828	taskkill.exe
3080	taskkill.exe
320	taskkill.exe
1916	taskkill.exe
2588	taskkill.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\officeclicktorun\ConfigContextData\0 = 4d736f3a3a436865636b73756d52656769737472793a3a446174617c75696e7436345f747c2d36363535353930343335323135383536333b456373436f6e666967526573706f6e7365446174617c7b202256657222203a2022696e7433325f747c30222c2022436f6e6649647322203a20227374643a3a77737472696e677c502d522d35343930332d312d332c502d522d32363134362d372d31352c502d442d32393633352d312d312c502d442d32373038372d312d392c502d522d37393638382d312d332c502d522d39323833322d31342d31332c502d522d3131313735322d362d372c502d522d313030393835352d31322d31342c502d522d31383531332d312d33302c502d522d35303539362d342d382c502d522d31393236322d312d31322c502d522d38313732302d312d322c502d522d35383430362d312d352c502d442d35303639372d322d342c502d442d32393731392d312d312c502d442d32393731382d312d312c502d442d32393539332d312d34222c2022434322203a20227374643a3a77737472696e677c5553222c2022446566436f6e667322203a20227374643a3a77737472696e677c222c202245787054696d6522203a2022696e7436345f747c31363634373739343739222c20224554616722203a20227374643a3a77737472696e677c5c22776a4d6f513139654d52772b46796a373238702b3653594145676c7a7a6143674c554b466e4957725135673d5c22222c202246434d617022203a205b207b20224622203a20224d6963726f736f66742e4f66666963652e4543532e4361636865457870697279496e4d696e222c20225622203a2022696e7433325f747c37323022207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e4543532e436f6e666967496444656c696d69746572496e4c6f67222c20225622203a20227374643a3a77737472696e677c3b22207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e4543532e44697361626c65436f6e6669674c6f67222c20225622203a2022626f6f6c7c3122207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e4543532e456e61626c65536d61727445546167222c20225622203a2022696e7433325f747c3122207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e46696c65494f2e4368616e6765476174652e46697265436f6175746853746174654368616e676564466f724e6f6e6533222c20225622203a2022626f6f6c7c3022207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e4964656e746974792e4368616e6765476174652e456e61626c6553534f466f72536f7665726569676e4163636f756e74735573696e6757414d222c20225622203a2022626f6f6c7c3022207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e4d616e6167656162696c6974792e436c6f7564506f6c6963792e4e6f6e5075626c6963436c6f7564222c20225622203a2022626f6f6c7c3122207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e4d616e6167656162696c6974792e54656e616e744173736f63696174696f6e4b65792e4e6f6e5075626c6963436c6f7564222c20225622203a2022626f6f6c7c3122207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e4e616e63794f66666963655465616d2e7a686574616e34313232303231222c20225622203a2022626f6f6c7c3122207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e5365676d656e746174696f6e2e436c6f7564222c20225622203a20227374643a3a77737472696e677c5075626c696322207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e5365676d656e746174696f6e2e46617374465445222c20225622203a2022626f6f6c7c3022207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e5365676d656e746174696f6e2e4f584f416c6c222c20225622203a2022626f6f6c7c3022207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e5365676d656e746174696f6e2e50657270657475616c4c6963656e7365222c20225622203a20227374643a3a77737472696e677c3022207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e5365676d656e746174696f6e2e5365676d656e74222c20225622203a20227374643a3a77737472696e677c4e4f4e4652444322207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e5365676d656e746174696f6e2e56657273696f6e506172746974696f6e222c20225622203a20227374643a3a77737472696e677c57696e3332416e64726f6964486f7422207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e5368617265642e4372634261736564556964222c20225622203a2022626f6f6c7c3122207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e54656c656d6574727944796e616d6963436f6e6669672e457874656e736962696c697479222c20225622203a20227374643a3a77737472696e677c7b205c225375624e616d657370616365735c22203a207b205c22436174616c6f675c22203a207b205c224576656e74735c22203a207b205c2245786368616e67654765744c6173745570646174655c22203a207b205c224576656e74466c61675c22203a2032207d2c205c22547279446973636f76657245777355726c735c22203a207b205c224576656e74466c61675c22203a2032207d207d207d207d207d22207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e57686174734e65772e454353446174614c6f61646564222c20225622203a2022626f6f6c7c3122207d205d207d	OfficeClickToRun.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\FirstSessionUpgradeCandidate	OfficeClickToRun.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\officeclicktorun\Expires = "int64_t\|0"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\officeclicktorun\ConfigContextData	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs	OfficeClickToRun.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\officeclicktorun\ConfigContextData\0.6	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\TrustCenter\Experimentation	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\officeclicktorun\ConfigContextData\0.1	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\Immersive\production\Token\{2B379600-B42B-4FE9-A59C-A312FB934935}	OfficeClickToRun.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\officeclicktorun\ConfigContextData\0.13	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\Common\ClientTelemetry\Volatile	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentEcs\officeclicktorun\Overrides	OfficeClickToRun.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\officeclicktorun\ConfigContextData\0.3	OfficeClickToRun.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\officeclicktorun\ConfigContextData\0.8	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\officeclicktorun\ConfigContextData\0.6	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentEcs\Overrides	OfficeClickToRun.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\officeclicktorun\ConfigContextData\0.9	OfficeClickToRun.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\TrustCenter\Experimentation	OfficeClickToRun.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\officeclicktorun\ConfigContextData\0.3	OfficeClickToRun.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSTagIds0 = "5804129,7202269,17110992,41484365,39965824,7153487,17110988,17962391,17962392,3462423,3702920,3700754,3965062,4297094,7153421,18716193,7153435,7202265,20502174,6308191,18407617"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentEcs\Overrides	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentEcs\all\Overrides	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\officeclicktorun\ConfigContextData\0.7	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\officeclicktorun\ConfigContextData	OfficeClickToRun.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\officeclicktorun\ConfigContextData\0.13	OfficeClickToRun.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\Experiment\officeclicktorun\BuildNumber = "16.0.14332"	OfficeClickToRun.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\officeclicktorun\ETag = "std::wstring\|\"wjMoQ19eMRw+Fyj728p+6SYAEglzzaCgLUKFnIWrQ5g=\""	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\Common\ClientTelemetry\Volatile	OfficeClickToRun.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\officeclicktorun\ConfigContextData\0.12	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\FirstSession\officeclicktorun	OfficeClickToRun.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor	OfficeClickToRun.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages\en-US = "1"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\officeclicktorun\ConfigContextData\0.12	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\officeclicktorun	OfficeClickToRun.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\Immersive\production\Property\0018C006439AA8AC = 0100000001000000d08c9ddf0115d1118c7a00c04fc297eb0100000025662c7ee776704fb644fc2c115fb05e000000000200000000001066000000010000200000002be98f6d16140a0cf4ab4f211d1e0fb98f53c92412dd44630e210cb77c3163ef000000000e80000000020000200000005368936f9286a0c105f2af1338b5ce2ee3b4f0db6a5b2bbf59810ecf7472be7d80000000e07209165d5ca54a7663e43be768473043798f26731200093e82e2bb76efcd14f2b5a04a01a662847c7e2ac7882fd8b53c6350d839d7cc34ea1ef0e00b7eccb8a51e93834ed2f08ec5073d27d634dbf9c1dc940187911d08dd60ccb7cbc1476c8d7da747f68ab734c16d352daa15842baf958e4ad141ed742c323cbe246346c74000000099cb8ba26c55a53805d2be415ccf9d5fb697ad6a0861b8f0ada6b5999410ecf0b2f6e868c49fce5b55725b815ef89dc0bf464767c97916e0f13bc623e2c1bb5c	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common	OfficeClickToRun.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe	OfficeClickToRun.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSCategoriesSeverities = "1329 50,1329 10,1329 15,1329 100,1329 6"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\ExternalFeatureOverrides\officeclicktorun	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\FirstSessionUpgradeCandidate\officeclicktorun	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentEcs\all\Overrides	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\FirstSessionUpgradeCandidate\officeclicktorun	OfficeClickToRun.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\officeclicktorun\ConfigContextData\0.11	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\officeclicktorun\ConfigContextData\0.2	OfficeClickToRun.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\officeclicktorun\ConfigContextData\ChunkCount = "uint64_t\|0"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry	OfficeClickToRun.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\officeclicktorun\ConfigContextData\0.7	OfficeClickToRun.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\Immersive\production\Token\{2B379600-B42B-4FE9-A59C-A312FB934935}\ApplicationFlags = "1"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\officeclicktorun	OfficeClickToRun.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSTagIds0 = "5804129,17110992,7202269,41484365,17110988,7153487,39965824,17962391,17962392,3462423,3702920,3700754,3965062,4297094,7153421,18716193,7153435,7202265,20502174,6308191,18407617"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\Immersive\production\Property	OfficeClickToRun.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\officeclicktorun\ConfigContextData\0.4	OfficeClickToRun.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\officeclicktorun\ConfigContextData\0.1	OfficeClickToRun.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\officeclicktorun\DeferredConfigs = "std::wstring\|"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe	OfficeClickToRun.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings	OpenWith.exe

Modifies registry key 1 TTPs 2 IoCs

Modify Registry

T1112

pid	Process
5104	reg.exe
4992	reg.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\D89E3BD43D5D909B47A18977AA9D5CE36CEE184C\Blob = 030000000100000014000000d89e3bd43d5d909b47a18977aa9d5ce36cee184c1400000001000000140000005379bf5aaa2b4acf5480e1d89bc09df2b20366cb040000000100000010000000285ec909c4ab0d2d57f5086b225799aa0f000000010000003000000013baa039635f1c5292a8c2f36aae7e1d25c025202e9092f5b0f53f5f752dfa9c71b3d1b8d9a6358fcee6ec75622fabf9190000000100000010000000ea6089055218053dd01e37e1d806eedf5c0000000100000004000000001000001800000001000000100000002aa1c05e2ae606f198c2c5e937c97aa22000000001000000850500003082058130820469a00302010202103972443af922b751d7d36c10dd313595300d06092a864886f70d01010c0500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3139303331323030303030305a170d3238313233313233353935395a308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f7269747930820222300d06092a864886f70d01010105000382020f003082020a028202010080126517360ec3db08b3d0ac570d76edcd27d34cad508361e2aa204d092d6409dcce899fcc3da9ecf6cfc1dcf1d3b1d67b3728112b47da39c6bc3a19b45fa6bd7d9da36342b676f2a93b2b91f8e26fd0ec162090093ee2e874c918b491d46264db7fa306f188186a90223cbcfe13f087147bf6e41f8ed4e451c61167460851cb8614543fbc33fe7e6c9cff169d18bd518e35a6a766c87267db2166b1d49b7803c0503ae8ccf0dcbc9e4cfeaf0596351f575ab7ffcef93db72cb6f654ddc8e7123a4dae4c8ab75c9ab4b7203dca7f2234ae7e3b68660144e7014e46539b3360f794be5337907343f332c353efdbaafe744e69c76b8c6093dec4c70cdfe132aecc933b517895678bee3d56fe0cd0690f1b0ff325266b336df76e47fa7343e57e0ea566b1297c3284635589c40dc19354301913acd37d37a7eb5d3a6c355cdb41d712daa9490bdfd8808a0993628eb566cf2588cd84b8b13fa4390fd9029eeb124c957cf36b05a95e1683ccb867e2e8139dcc5b82d34cb3ed5bffdee573ac233b2d00bf3555740949d849581a7f9236e651920ef3267d1c4d17bcc9ec4326d0bf415f40a94444f499e757879e501f5754a83efd74632fb1506509e658422e431a4cb4f0254759fa041e93d426464a5081b2debe78b7fc6715e1c957841e0f63d6e962bad65f552eea5cc62808042539b80e2ba9f24c971c073f0d52f5edef2f820f0203010001a381f23081ef301f0603551d23041830168014a0110a233e96f107ece2af29ef82a57fd030a4b4301d0603551d0e041604145379bf5aaa2b4acf5480e1d89bc09df2b20366cb300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff30110603551d20040a300830060604551d200030430603551d1f043c303a3038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c303406082b0601050507010104283026302406082b060105050730018618687474703a2f2f6f6373702e636f6d6f646f63612e636f6d300d06092a864886f70d01010c05000382010100188751dc74213d9c8ae027b733d02eccecf0e6cb5e11de226f9b758e9e72fee4d6feaa1f9c962def034a7eaef48d6f723c433bc03febb8df5caaa9c6aef2fcd8eea37b43f686367c14e0cdf4f73ffedeb8b48af09196fefd43647efdccd201a17d7df81919c9422b13bf588bbaa4a266047688914e0c8914cea24dc932b3bae8141abc71f15bf0410b98000a220310e50cb1f9cd923719ed3bf1e43ab6f945132675afbbaaef3f7b773bd2c402913d1900d3175c39db3f7b180d45cd9385962f5ddf59164f3f51bdd545183fed4a8ee80661742316b50d50732744477f105d892a6b853114c4e8a96a4c80bc6a78cfb87f8e7672990c9dfed7910816a1a35f95	signtool.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\D89E3BD43D5D909B47A18977AA9D5CE36CEE184C	signtool.exe

Suspicious behavior: EnumeratesProcesses 40 IoCs

pid	Process
4204	chrome.exe
4204	chrome.exe
2604	chrome.exe
2604	chrome.exe
3112	chrome.exe
3112	chrome.exe
4080	chrome.exe
4080	chrome.exe
4212	chrome.exe
4212	chrome.exe
2140	chrome.exe
2140	chrome.exe
2140	chrome.exe
2140	chrome.exe
4024	chrome.exe
4024	chrome.exe
2244	powershell.exe
2244	powershell.exe
2784	powershell.exe
2784	powershell.exe
1896	powershell.exe
1896	powershell.exe
4232	powershell.exe
4232	powershell.exe
216	powershell.exe
216	powershell.exe
4344	powershell.exe
4344	powershell.exe
2244	powershell.exe
2244	powershell.exe
1532	powershell.exe
1532	powershell.exe
1868	powershell.exe
1868	powershell.exe
1488	powershell.exe
1488	powershell.exe
4684	powershell.exe
4684	powershell.exe
2692	powershell.exe
2692	powershell.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
776	OInstallLite.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
2604	chrome.exe
2604	chrome.exe
2604	chrome.exe
2604	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: 33	3284	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	3284	AUDIODG.EXE
Token: SeRestorePrivilege	2140	7zG.exe
Token: 35	2140	7zG.exe
Token: SeSecurityPrivilege	2140	7zG.exe
Token: SeSecurityPrivilege	2140	7zG.exe
Token: SeRestorePrivilege	4448	7zG.exe
Token: 35	4448	7zG.exe
Token: SeSecurityPrivilege	4448	7zG.exe
Token: SeSecurityPrivilege	4448	7zG.exe
Token: SeRestorePrivilege	2608	7zG.exe
Token: 35	2608	7zG.exe
Token: SeSecurityPrivilege	2608	7zG.exe
Token: SeSecurityPrivilege	2608	7zG.exe
Token: SeRestorePrivilege	836	7zG.exe
Token: 35	836	7zG.exe
Token: SeSecurityPrivilege	836	7zG.exe
Token: SeSecurityPrivilege	836	7zG.exe
Token: SeRestorePrivilege	1164	7zG.exe
Token: 35	1164	7zG.exe
Token: SeSecurityPrivilege	1164	7zG.exe
Token: SeSecurityPrivilege	1164	7zG.exe
Token: SeIncreaseQuotaPrivilege	1324	WMIC.exe
Token: SeSecurityPrivilege	1324	WMIC.exe
Token: SeTakeOwnershipPrivilege	1324	WMIC.exe
Token: SeLoadDriverPrivilege	1324	WMIC.exe
Token: SeSystemProfilePrivilege	1324	WMIC.exe
Token: SeSystemtimePrivilege	1324	WMIC.exe
Token: SeProfSingleProcessPrivilege	1324	WMIC.exe
Token: SeIncBasePriorityPrivilege	1324	WMIC.exe
Token: SeCreatePagefilePrivilege	1324	WMIC.exe
Token: SeBackupPrivilege	1324	WMIC.exe
Token: SeRestorePrivilege	1324	WMIC.exe
Token: SeShutdownPrivilege	1324	WMIC.exe
Token: SeDebugPrivilege	1324	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1324	WMIC.exe
Token: SeRemoteShutdownPrivilege	1324	WMIC.exe
Token: SeUndockPrivilege	1324	WMIC.exe
Token: SeManageVolumePrivilege	1324	WMIC.exe
Token: 33	1324	WMIC.exe
Token: 34	1324	WMIC.exe
Token: 35	1324	WMIC.exe
Token: 36	1324	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1324	WMIC.exe
Token: SeSecurityPrivilege	1324	WMIC.exe
Token: SeTakeOwnershipPrivilege	1324	WMIC.exe
Token: SeLoadDriverPrivilege	1324	WMIC.exe
Token: SeSystemProfilePrivilege	1324	WMIC.exe
Token: SeSystemtimePrivilege	1324	WMIC.exe
Token: SeProfSingleProcessPrivilege	1324	WMIC.exe
Token: SeIncBasePriorityPrivilege	1324	WMIC.exe
Token: SeCreatePagefilePrivilege	1324	WMIC.exe
Token: SeBackupPrivilege	1324	WMIC.exe
Token: SeRestorePrivilege	1324	WMIC.exe
Token: SeShutdownPrivilege	1324	WMIC.exe
Token: SeDebugPrivilege	1324	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1324	WMIC.exe
Token: SeRemoteShutdownPrivilege	1324	WMIC.exe
Token: SeUndockPrivilege	1324	WMIC.exe
Token: SeManageVolumePrivilege	1324	WMIC.exe
Token: 33	1324	WMIC.exe
Token: 34	1324	WMIC.exe
Token: 35	1324	WMIC.exe
Token: 36	1324	WMIC.exe

Suspicious use of FindShellTrayWindow 50 IoCs

pid	Process
2604	chrome.exe
2604	chrome.exe
2604	chrome.exe
2604	chrome.exe
2604	chrome.exe
2604	chrome.exe
2604	chrome.exe
2604	chrome.exe
2604	chrome.exe
2604	chrome.exe
2604	chrome.exe
2604	chrome.exe
2604	chrome.exe
2604	chrome.exe
2604	chrome.exe
2604	chrome.exe
2604	chrome.exe
2604	chrome.exe
2604	chrome.exe
2604	chrome.exe
2604	chrome.exe
2604	chrome.exe
2604	chrome.exe
2604	chrome.exe
2604	chrome.exe
2604	chrome.exe
2604	chrome.exe
2604	chrome.exe
2604	chrome.exe
2604	chrome.exe
2604	chrome.exe
2604	chrome.exe
2604	chrome.exe
2604	chrome.exe
2604	chrome.exe
2604	chrome.exe
2140	7zG.exe
4448	7zG.exe
2608	7zG.exe
836	7zG.exe
1164	7zG.exe
4332	OfficeClickToRun.exe
4332	OfficeClickToRun.exe
4332	OfficeClickToRun.exe
4332	OfficeClickToRun.exe
1628	OfficeClickToRun.exe
1628	OfficeClickToRun.exe
1628	OfficeClickToRun.exe
1628	OfficeClickToRun.exe
776	OInstallLite.exe

Suspicious use of SendNotifyMessage 32 IoCs

pid	Process
2604	chrome.exe
2604	chrome.exe
2604	chrome.exe
2604	chrome.exe
2604	chrome.exe
2604	chrome.exe
2604	chrome.exe
2604	chrome.exe
2604	chrome.exe
2604	chrome.exe
2604	chrome.exe
2604	chrome.exe
2604	chrome.exe
2604	chrome.exe
2604	chrome.exe
2604	chrome.exe
2604	chrome.exe
2604	chrome.exe
2604	chrome.exe
2604	chrome.exe
2604	chrome.exe
2604	chrome.exe
2604	chrome.exe
2604	chrome.exe
4332	OfficeClickToRun.exe
4332	OfficeClickToRun.exe
4332	OfficeClickToRun.exe
4332	OfficeClickToRun.exe
1628	OfficeClickToRun.exe
1628	OfficeClickToRun.exe
1628	OfficeClickToRun.exe
1628	OfficeClickToRun.exe

Suspicious use of SetWindowsHookEx 18 IoCs

pid	Process
4668	OpenWith.exe
4668	OpenWith.exe
4668	OpenWith.exe
4668	OpenWith.exe
4668	OpenWith.exe
1684	KMSAuto++.exe
4760	signtool.exe
776	OInstallLite.exe
2192	files.dat
4332	OfficeClickToRun.exe
4332	OfficeClickToRun.exe
384	OfficeClickToRun.exe
2960	OInstallLite.exe
1628	OfficeClickToRun.exe
1628	OfficeClickToRun.exe
2448	OfficeClickToRun.exe
4596	KMSAuto++.exe
5112	files.dat

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2604 wrote to memory of 1480	2604	chrome.exe	81
PID 2604 wrote to memory of 1480	2604	chrome.exe	81
PID 2604 wrote to memory of 4100	2604	chrome.exe	83
PID 2604 wrote to memory of 4100	2604	chrome.exe	83
PID 2604 wrote to memory of 4100	2604	chrome.exe	83
PID 2604 wrote to memory of 4100	2604	chrome.exe	83
PID 2604 wrote to memory of 4100	2604	chrome.exe	83
PID 2604 wrote to memory of 4100	2604	chrome.exe	83
PID 2604 wrote to memory of 4100	2604	chrome.exe	83
PID 2604 wrote to memory of 4100	2604	chrome.exe	83
PID 2604 wrote to memory of 4100	2604	chrome.exe	83
PID 2604 wrote to memory of 4100	2604	chrome.exe	83
PID 2604 wrote to memory of 4100	2604	chrome.exe	83
PID 2604 wrote to memory of 4100	2604	chrome.exe	83
PID 2604 wrote to memory of 4100	2604	chrome.exe	83
PID 2604 wrote to memory of 4100	2604	chrome.exe	83
PID 2604 wrote to memory of 4100	2604	chrome.exe	83
PID 2604 wrote to memory of 4100	2604	chrome.exe	83
PID 2604 wrote to memory of 4100	2604	chrome.exe	83
PID 2604 wrote to memory of 4100	2604	chrome.exe	83
PID 2604 wrote to memory of 4100	2604	chrome.exe	83
PID 2604 wrote to memory of 4100	2604	chrome.exe	83
PID 2604 wrote to memory of 4100	2604	chrome.exe	83
PID 2604 wrote to memory of 4100	2604	chrome.exe	83
PID 2604 wrote to memory of 4100	2604	chrome.exe	83
PID 2604 wrote to memory of 4100	2604	chrome.exe	83
PID 2604 wrote to memory of 4100	2604	chrome.exe	83
PID 2604 wrote to memory of 4100	2604	chrome.exe	83
PID 2604 wrote to memory of 4100	2604	chrome.exe	83
PID 2604 wrote to memory of 4100	2604	chrome.exe	83
PID 2604 wrote to memory of 4100	2604	chrome.exe	83
PID 2604 wrote to memory of 4100	2604	chrome.exe	83
PID 2604 wrote to memory of 4100	2604	chrome.exe	83
PID 2604 wrote to memory of 4100	2604	chrome.exe	83
PID 2604 wrote to memory of 4100	2604	chrome.exe	83
PID 2604 wrote to memory of 4100	2604	chrome.exe	83
PID 2604 wrote to memory of 4100	2604	chrome.exe	83
PID 2604 wrote to memory of 4100	2604	chrome.exe	83
PID 2604 wrote to memory of 4100	2604	chrome.exe	83
PID 2604 wrote to memory of 4100	2604	chrome.exe	83
PID 2604 wrote to memory of 4100	2604	chrome.exe	83
PID 2604 wrote to memory of 4100	2604	chrome.exe	83
PID 2604 wrote to memory of 4204	2604	chrome.exe	84
PID 2604 wrote to memory of 4204	2604	chrome.exe	84
PID 2604 wrote to memory of 392	2604	chrome.exe	86
PID 2604 wrote to memory of 392	2604	chrome.exe	86
PID 2604 wrote to memory of 392	2604	chrome.exe	86
PID 2604 wrote to memory of 392	2604	chrome.exe	86
PID 2604 wrote to memory of 392	2604	chrome.exe	86
PID 2604 wrote to memory of 392	2604	chrome.exe	86
PID 2604 wrote to memory of 392	2604	chrome.exe	86
PID 2604 wrote to memory of 392	2604	chrome.exe	86
PID 2604 wrote to memory of 392	2604	chrome.exe	86
PID 2604 wrote to memory of 392	2604	chrome.exe	86
PID 2604 wrote to memory of 392	2604	chrome.exe	86
PID 2604 wrote to memory of 392	2604	chrome.exe	86
PID 2604 wrote to memory of 392	2604	chrome.exe	86
PID 2604 wrote to memory of 392	2604	chrome.exe	86
PID 2604 wrote to memory of 392	2604	chrome.exe	86
PID 2604 wrote to memory of 392	2604	chrome.exe	86
PID 2604 wrote to memory of 392	2604	chrome.exe	86
PID 2604 wrote to memory of 392	2604	chrome.exe	86
PID 2604 wrote to memory of 392	2604	chrome.exe	86
PID 2604 wrote to memory of 392	2604	chrome.exe	86

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" https://mega.nz/file/QzpA0YST#JeDPGBmNphunJg6cW3nMZe6DQgtorQm1SP5Ev98rX3o
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2604
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe1d054f50,0x7ffe1d054f60,0x7ffe1d054f70
  2⤵
  PID:1480
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1600,1292882540735306670,2751224726954693149,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1644 /prefetch:2
  2⤵
  PID:4100
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1600,1292882540735306670,2751224726954693149,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1992 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4204
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1600,1292882540735306670,2751224726954693149,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2240 /prefetch:8
  2⤵
  PID:392
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1600,1292882540735306670,2751224726954693149,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2920 /prefetch:1
  2⤵
  PID:3604
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1600,1292882540735306670,2751224726954693149,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2932 /prefetch:1
  2⤵
  PID:3304
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1600,1292882540735306670,2751224726954693149,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4408 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3112
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1600,1292882540735306670,2751224726954693149,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4372 /prefetch:8
  2⤵
  PID:1308
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1600,1292882540735306670,2751224726954693149,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5196 /prefetch:8
  2⤵
  PID:4712
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1600,1292882540735306670,2751224726954693149,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4372 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4212
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1600,1292882540735306670,2751224726954693149,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2084 /prefetch:8
  2⤵
  PID:1756
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1600,1292882540735306670,2751224726954693149,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4280 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4080
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1600,1292882540735306670,2751224726954693149,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4692 /prefetch:8
  2⤵
  PID:4536
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1600,1292882540735306670,2751224726954693149,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4332 /prefetch:8
  2⤵
  PID:4200
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1600,1292882540735306670,2751224726954693149,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4184 /prefetch:8
  2⤵
  PID:4964
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1600,1292882540735306670,2751224726954693149,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4348 /prefetch:1
  2⤵
  PID:4760
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1600,1292882540735306670,2751224726954693149,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4676 /prefetch:8
  2⤵
  PID:2976
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1600,1292882540735306670,2751224726954693149,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=5392 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2140
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1600,1292882540735306670,2751224726954693149,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3428 /prefetch:8
  2⤵
  PID:1660
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1600,1292882540735306670,2751224726954693149,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5392 /prefetch:1
  2⤵
  PID:3920
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.FileUtilService --field-trial-handle=1600,1292882540735306670,2751224726954693149,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5588 /prefetch:8
  2⤵
  PID:1384
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1600,1292882540735306670,2751224726954693149,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5756 /prefetch:8
  2⤵
  PID:2980
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1600,1292882540735306670,2751224726954693149,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2580 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4024
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1600,1292882540735306670,2751224726954693149,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2552 /prefetch:8
  2⤵
  PID:4004
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1600,1292882540735306670,2751224726954693149,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=904 /prefetch:8
  2⤵
  PID:4664
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1600,1292882540735306670,2751224726954693149,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1560 /prefetch:8
  2⤵
  PID:4588
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1600,1292882540735306670,2751224726954693149,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4320 /prefetch:8
  2⤵
  PID:1468

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1520

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x338 0x33c
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3284

C:\Program Files\Google\Chrome\Application\89.0.4389.114\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\89.0.4389.114\elevation_service.exe"
1⤵
- Drops file in Program Files directory
PID:4596
- C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir4596_251634051\ChromeRecovery.exe
  "C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir4596_251634051\ChromeRecovery.exe" --appguid={8A69D345-D564-463c-AFF1-A69D9E530F96} --browser-version=89.0.4389.114 --sessionid={2ef422a0-3372-49be-bfd9-64d66ce9ea84} --system
  2⤵
  - Executes dropped EXE
  PID:4160

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1608

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\KMSAuto++ 1.6.4 Portable Multilingual\" -spe -an -ai#7zMap17277:136:7zEvent29182
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2140

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4668

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {515980c3-57fe-4c1e-a561-730dd256ab98} -Embedding
1⤵
PID:3452

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\" -an -ai#7zMap9054:136:7zEvent14386
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4448

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\KMSAuto++ 1.6.4 Portable Multilingual\" -spe -an -ai#7zMap2909:136:7zEvent1765
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2608

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\KMSAuto++ 1.6.4 Portable Multilingual\" -spe -an -ai#7zMap15238:136:7zEvent14308
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:836

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\KMSAuto++ 1.6.4 Portable Multilingual\" -spe -an -ai#7zMap14350:136:7zEvent5117
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1164

C:\Users\Admin\Downloads\KMSAuto++ 1.6.4 Portable Multilingual\KMSAuto++.exe
"C:\Users\Admin\Downloads\KMSAuto++ 1.6.4 Portable Multilingual\KMSAuto++.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1684
- C:\Windows\system32\cmd.exe
  "C:\Windows\Sysnative\cmd.exe" /c WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionPath="C:\Users\Admin\Downloads\KMSAuto++ 1.6.4 Portable Multilingual\KMSAuto++.exe"
  2⤵
  PID:1084
- - C:\Windows\System32\Wbem\WMIC.exe
    WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionPath="C:\Users\Admin\Downloads\KMSAuto++ 1.6.4 Portable Multilingual\KMSAuto++.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1324
- C:\Windows\system32\cmd.exe
  "C:\Windows\Sysnative\cmd.exe" /c copy C:\Windows\system32\Tasks\KMSAuto "C:\Users\Admin\AppData\Local\Temp\KMSAuto.tmp" /Y
  2⤵
  PID:3016
- C:\Users\Admin\AppData\Local\Temp\signtool.exe
  "C:\Users\Admin\AppData\Local\Temp\signtool.exe" verify /v /ph /sha1 648384a4dee53d4c1c87e10d67cc99307ccc9c98 "C:\Users\Admin\Downloads\KMSAuto++ 1.6.4 Portable Multilingual\KMSAuto++.exe"
  2⤵
  - Executes dropped EXE
  - Modifies system certificate store
  - Suspicious use of SetWindowsHookEx
  PID:4760
- C:\Windows\system32\cmd.exe
  "C:\Windows\Sysnative\cmd.exe" /c WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionPath="C:\Users\Admin\Downloads\KMSAuto++ 1.6.4 Portable Multilingual\KMSAuto_Files"
  2⤵
  PID:2696
- - C:\Windows\System32\Wbem\WMIC.exe
    WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionPath="C:\Users\Admin\Downloads\KMSAuto++ 1.6.4 Portable Multilingual\KMSAuto_Files"
    3⤵
    PID:2260
- C:\Windows\system32\cmd.exe
  "C:\Windows\Sysnative\cmd.exe" /c WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionPath="C:\Windows\System32\SppExtComObjPatcher.exe"
  2⤵
  PID:4064
- - C:\Windows\System32\Wbem\WMIC.exe
    WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionPath="C:\Windows\System32\SppExtComObjPatcher.exe"
    3⤵
    PID:3084
- C:\Windows\system32\cmd.exe
  "C:\Windows\Sysnative\cmd.exe" /c WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionPath="C:\Windows\System32\SppExtComObjHook.dll"
  2⤵
  PID:4404
- - C:\Windows\System32\Wbem\WMIC.exe
    WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionPath="C:\Windows\System32\SppExtComObjHook.dll"
    3⤵
    PID:3476
- C:\Users\Admin\Downloads\KMSAuto++ 1.6.4 Portable Multilingual\OInstallLite.exe
  "C:\Users\Admin\Downloads\KMSAuto++ 1.6.4 Portable Multilingual\OInstallLite.exe" /x=100 /y=100
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  PID:776
- - C:\Windows\system32\cmd.exe
    "C:\Windows\Sysnative\cmd.exe" /c WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionPath="C:\Users\Admin\Downloads\KMSAuto++ 1.6.4 Portable Multilingual\OInstallLite.exe"
    3⤵
    PID:4580
  - - C:\Windows\System32\Wbem\WMIC.exe
      WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionPath="C:\Users\Admin\Downloads\KMSAuto++ 1.6.4 Portable Multilingual\OInstallLite.exe"
      4⤵
      PID:3424
- - C:\Windows\system32\cmd.exe
    "C:\Windows\Sysnative\cmd.exe" /c WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionPath="C:\Users\Admin\Downloads\KMSAuto++ 1.6.4 Portable Multilingual\files"
    3⤵
    PID:220
  - - C:\Windows\System32\Wbem\WMIC.exe
      WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionPath="C:\Users\Admin\Downloads\KMSAuto++ 1.6.4 Portable Multilingual\files"
      4⤵
      PID:4412
- - C:\Windows\system32\cmd.exe
    "C:\Windows\Sysnative\cmd.exe" /D /c files.dat -y -pkmsauto
    3⤵
    PID:4800
  - - C:\Users\Admin\Downloads\KMSAuto++ 1.6.4 Portable Multilingual\files\files.dat
      files.dat -y -pkmsauto
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:2192
- - C:\Windows\system32\reg.exe
    "C:\Windows\Sysnative\reg.exe" add HKLM\Software\Policies\Microsoft\Office\16.0\Common\OfficeUpdate /v UpdateBranch /d PerpetualVL2021 /f
    3⤵
    - Modifies registry key
    PID:5104
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -command "& { (New-Object Net.WebClient).DownloadFile('http://officecdn.microsoft.com/pr/5030841d-c919-4594-8d2d-84ae4f96e58e/Office/Data/v32.cab', 'C:\Users\Admin\AppData\Local\Temp\over665200\v32.cab') }"
    3⤵
    - Blocklisted process makes network request
    - Suspicious behavior: EnumeratesProcesses
    PID:2244
- - C:\Windows\SysWOW64\expand.exe
    "expand" v32.cab -F:VersionDescriptor.xml C:\Users\Admin\AppData\Local\Temp\over665200
    3⤵
    - Drops file in Windows directory
    PID:1168
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -command "& { Get-Content C:\Users\Admin\AppData\Local\Temp\over665200\VersionDescriptor.xml | Set-Content -Encoding ASCII v32.txt }
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2784
- - C:\Windows\system32\cmd.exe
    "C:\Windows\Sysnative\cmd.exe" /c sc.exe stop ClickToRunSvc
    3⤵
    PID:1660
  - - C:\Windows\System32\sc.exe
      sc.exe stop ClickToRunSvc
      4⤵
      Launches sc.exe
      PID:4924
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill.exe" /t /f /IM OfficeClickToRun.exe
    3⤵
    - Kills process with taskkill
    PID:1496
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill.exe" /t /f /IM IntegratedOffice.exe
    3⤵
    - Kills process with taskkill
    PID:4828
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill.exe" /t /f /IM OfficeC2RClient.exe
    3⤵
    - Kills process with taskkill
    PID:3080
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -command "& { (New-Object Net.WebClient).DownloadFile('http://officecdn.microsoft.com/pr/5030841d-c919-4594-8d2d-84ae4f96e58e/Office/Data/16.0.14332.20375/i640.cab', 'C:\Users\Admin\AppData\Local\Temp\over665200\i640.cab') }"
    3⤵
    - Blocklisted process makes network request
    - Suspicious behavior: EnumeratesProcesses
    PID:1896
- - C:\Windows\SysWOW64\expand.exe
    "expand" i640.cab -F:* "C:\Program Files\Common Files\microsoft Shared\ClickToRun"
    3⤵
    - Drops file in Program Files directory
    - Drops file in Windows directory
    PID:504
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -command "& { (New-Object Net.WebClient).DownloadFile('http://officecdn.microsoft.com/pr/5030841d-c919-4594-8d2d-84ae4f96e58e/Office/Data/16.0.14332.20375/i641033.cab', 'C:\Users\Admin\AppData\Local\Temp\over665200\i641033.cab') }"
    3⤵
    - Blocklisted process makes network request
    - Suspicious behavior: EnumeratesProcesses
    PID:4232
- - C:\Windows\SysWOW64\expand.exe
    "expand" i641033.cab -F:* "C:\Program Files\Common Files\microsoft Shared\ClickToRun"
    3⤵
    - Drops file in Program Files directory
    - Drops file in Windows directory
    PID:1724
- - C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe
    "C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe" deliverymechanism=5030841d-c919-4594-8d2d-84ae4f96e58e platform=x86 productreleaseid=none culture=en-us defaultplatform=False lcid=1033 b= storeid= forceupgrade=True piniconstotaskbar=False pidkeys=KDX7X-BNVR8-TXXGX-4Q7Y8-78VT3,J2JDC-NJCYY-9RGQ4-YXWMH-T3D4T,MJVNY-BYWPY-CWV6J-2RKRT-4M8QG forceappshutdown=True autoactivate=1 productstoadd=Standard2021Volume.16_en-us_x-none|ProjectStd2021Volume.16_en-us_x-none|VisioStd2021Volume.16_en-us_x-none scenario=unknown updatesenabled.16=True acceptalleulas.16=True cdnbaseurl.16=http://officecdn.microsoft.com/pr/5030841d-c919-4594-8d2d-84ae4f96e58e version.16=16.0.14332.20375 mediatype.16=CDN baseurl.16=http://officecdn.microsoft.com/pr/5030841d-c919-4594-8d2d-84ae4f96e58e sourcetype.16=CDN displaylevel=True uninstallpreviousversion=True Standard2021Volume.excludedapps.16=onedrive,teams ProjectStd2021Volume.excludedapps.16=onedrive,teams VisioStd2021Volume.excludedapps.16=onedrive,teams
    3⤵
    - Executes dropped EXE
    - Checks computer location settings
    - Loads dropped DLL
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    PID:4332
- - C:\Windows\system32\cmd.exe
    "C:\Windows\Sysnative\cmd.exe" /D /c reg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\Configuration" /f /v "AudienceId" /t REG_SZ /d 5030841d-c919-4594-8d2d-84ae4f96e58e
    3⤵
    PID:1532
  - - C:\Windows\system32\reg.exe
      reg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\Configuration" /f /v "AudienceId" /t REG_SZ /d 5030841d-c919-4594-8d2d-84ae4f96e58e
      4⤵
      PID:2696
- - C:\Windows\system32\cmd.exe
    "C:\Windows\Sysnative\cmd.exe" /D /c reg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\Configuration" /f /v "CDNBaseUrl" /t REG_SZ /d http://officecdn.microsoft.com/pr/5030841d-c919-4594-8d2d-84ae4f96e58e
    3⤵
    PID:396
  - - C:\Windows\system32\reg.exe
      reg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\Configuration" /f /v "CDNBaseUrl" /t REG_SZ /d http://officecdn.microsoft.com/pr/5030841d-c919-4594-8d2d-84ae4f96e58e
      4⤵
      PID:1628
- - C:\Windows\system32\cmd.exe
    "C:\Windows\Sysnative\cmd.exe" /D /c reg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\Configuration" /f /v "UpdateChannel" /t REG_SZ /d http://officecdn.microsoft.com/pr/5030841d-c919-4594-8d2d-84ae4f96e58e
    3⤵
    PID:4484
  - - C:\Windows\system32\reg.exe
      reg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\Configuration" /f /v "UpdateChannel" /t REG_SZ /d http://officecdn.microsoft.com/pr/5030841d-c919-4594-8d2d-84ae4f96e58e
      4⤵
      PID:724
- - C:\Windows\system32\cmd.exe
    "C:\Windows\Sysnative\cmd.exe" /D /c reg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\Configuration" /f /v "UpdateChannelChanged" /t REG_SZ /d True
    3⤵
    PID:4980
  - - C:\Windows\system32\reg.exe
      reg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\Configuration" /f /v "UpdateChannelChanged" /t REG_SZ /d True
      4⤵
      PID:4524
- - C:\Windows\system32\cmd.exe
    "C:\Windows\Sysnative\cmd.exe" /D /c reg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\Configuration" /f /v "UpdateUrl" /t REG_SZ /d http://officecdn.microsoft.com/pr/5030841d-c919-4594-8d2d-84ae4f96e58e
    3⤵
    PID:5080
  - - C:\Windows\system32\reg.exe
      reg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\Configuration" /f /v "UpdateUrl" /t REG_SZ /d http://officecdn.microsoft.com/pr/5030841d-c919-4594-8d2d-84ae4f96e58e
      4⤵
      PID:1984
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -command "& { (New-Object Net.WebClient).DownloadFile('http://officecdn.microsoft.com/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32.cab', 'C:\Users\Admin\AppData\Local\Temp\over481166\v32.cab') }"
    3⤵
    - Blocklisted process makes network request
    - Suspicious behavior: EnumeratesProcesses
    PID:216
- - C:\Windows\SysWOW64\expand.exe
    "expand" v32.cab -F:VersionDescriptor.xml C:\Users\Admin\AppData\Local\Temp\over481166
    3⤵
    - Drops file in Windows directory
    PID:2888
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -command "& { Get-Content C:\Users\Admin\AppData\Local\Temp\over481166\VersionDescriptor.xml | Set-Content -Encoding ASCII v32.txt }
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4344
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -command "& { (New-Object Net.WebClient).DownloadFile('http://officecdn.microsoft.com/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32.cab', 'C:\Users\Admin\AppData\Local\Temp\over843015\v32.cab') }"
    3⤵
    - Blocklisted process makes network request
    - Suspicious behavior: EnumeratesProcesses
    PID:2244
- - C:\Windows\system32\reg.exe
    "C:\Windows\Sysnative\reg.exe" add HKLM\Software\Policies\Microsoft\Office\16.0\Common\OfficeUpdate /v UpdateBranch /d PerpetualVL2021 /f
    3⤵
    - Modifies registry key
    PID:4992
- - C:\Windows\SysWOW64\expand.exe
    "expand" v32.cab -F:VersionDescriptor.xml C:\Users\Admin\AppData\Local\Temp\over843015
    3⤵
    - Drops file in Windows directory
    PID:2668
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -command "& { Get-Content C:\Users\Admin\AppData\Local\Temp\over843015\VersionDescriptor.xml | Set-Content -Encoding ASCII v32.txt }
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1532
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -command "& { (New-Object Net.WebClient).DownloadFile('http://officecdn.microsoft.com/pr/5030841d-c919-4594-8d2d-84ae4f96e58e/Office/Data/v32.cab', 'C:\Users\Admin\AppData\Local\Temp\over413749\v32.cab') }"
    3⤵
    - Blocklisted process makes network request
    - Suspicious behavior: EnumeratesProcesses
    PID:1868
- - C:\Windows\SysWOW64\expand.exe
    "expand" v32.cab -F:VersionDescriptor.xml C:\Users\Admin\AppData\Local\Temp\over413749
    3⤵
    - Drops file in Windows directory
    PID:724
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -command "& { Get-Content C:\Users\Admin\AppData\Local\Temp\over413749\VersionDescriptor.xml | Set-Content -Encoding ASCII v32.txt }
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1488
- - C:\Windows\system32\cmd.exe
    "C:\Windows\Sysnative\cmd.exe" /c sc.exe stop ClickToRunSvc
    3⤵
    PID:4880
  - - C:\Windows\System32\sc.exe
      sc.exe stop ClickToRunSvc
      4⤵
      Launches sc.exe
      PID:2372
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill.exe" /t /f /IM OfficeClickToRun.exe
    3⤵
    - Kills process with taskkill
    PID:320
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill.exe" /t /f /IM IntegratedOffice.exe
    3⤵
    - Kills process with taskkill
    PID:1916
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill.exe" /t /f /IM OfficeC2RClient.exe
    3⤵
    - Kills process with taskkill
    PID:2588
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -command "& { (New-Object Net.WebClient).DownloadFile('http://officecdn.microsoft.com/pr/5030841d-c919-4594-8d2d-84ae4f96e58e/Office/Data/16.0.14332.20375/i640.cab', 'C:\Users\Admin\AppData\Local\Temp\over413749\i640.cab') }"
    3⤵
    - Blocklisted process makes network request
    - Suspicious behavior: EnumeratesProcesses
    PID:4684
- - C:\Windows\SysWOW64\expand.exe
    "expand" i640.cab -F:* "C:\Program Files\Common Files\microsoft Shared\ClickToRun"
    3⤵
    - Drops file in Program Files directory
    - Drops file in Windows directory
    PID:1660
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -command "& { (New-Object Net.WebClient).DownloadFile('http://officecdn.microsoft.com/pr/5030841d-c919-4594-8d2d-84ae4f96e58e/Office/Data/16.0.14332.20375/i641033.cab', 'C:\Users\Admin\AppData\Local\Temp\over413749\i641033.cab') }"
    3⤵
    - Blocklisted process makes network request
    - Suspicious behavior: EnumeratesProcesses
    PID:2692
- - C:\Windows\SysWOW64\expand.exe
    "expand" i641033.cab -F:* "C:\Program Files\Common Files\microsoft Shared\ClickToRun"
    3⤵
    - Drops file in Program Files directory
    - Drops file in Windows directory
    PID:424
- - C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe
    "C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe" deliverymechanism=5030841d-c919-4594-8d2d-84ae4f96e58e platform=x86 productreleaseid=none culture=en-us defaultplatform=False lcid=1033 b= storeid= forceupgrade=True piniconstotaskbar=False pidkeys=KDX7X-BNVR8-TXXGX-4Q7Y8-78VT3,J2JDC-NJCYY-9RGQ4-YXWMH-T3D4T,MJVNY-BYWPY-CWV6J-2RKRT-4M8QG forceappshutdown=True autoactivate=1 productstoadd=Standard2021Volume.16_en-us_x-none|ProjectStd2021Volume.16_en-us_x-none|VisioStd2021Volume.16_en-us_x-none scenario=unknown updatesenabled.16=True acceptalleulas.16=True cdnbaseurl.16=http://officecdn.microsoft.com/pr/5030841d-c919-4594-8d2d-84ae4f96e58e version.16=16.0.14332.20375 mediatype.16=CDN baseurl.16=http://officecdn.microsoft.com/pr/5030841d-c919-4594-8d2d-84ae4f96e58e sourcetype.16=CDN displaylevel=True uninstallpreviousversion=True Standard2021Volume.excludedapps.16=onedrive,teams ProjectStd2021Volume.excludedapps.16=onedrive,teams VisioStd2021Volume.excludedapps.16=onedrive,teams
    3⤵
    - Executes dropped EXE
    - Checks computer location settings
    - Loads dropped DLL
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    PID:1628
- - C:\Windows\system32\cmd.exe
    "C:\Windows\Sysnative\cmd.exe" /D /c reg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\Configuration" /f /v "AudienceId" /t REG_SZ /d 5030841d-c919-4594-8d2d-84ae4f96e58e
    3⤵
    PID:1036
  - - C:\Windows\system32\reg.exe
      reg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\Configuration" /f /v "AudienceId" /t REG_SZ /d 5030841d-c919-4594-8d2d-84ae4f96e58e
      4⤵
      PID:3968
- - C:\Windows\system32\cmd.exe
    "C:\Windows\Sysnative\cmd.exe" /D /c reg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\Configuration" /f /v "CDNBaseUrl" /t REG_SZ /d http://officecdn.microsoft.com/pr/5030841d-c919-4594-8d2d-84ae4f96e58e
    3⤵
    PID:2520
  - - C:\Windows\system32\reg.exe
      reg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\Configuration" /f /v "CDNBaseUrl" /t REG_SZ /d http://officecdn.microsoft.com/pr/5030841d-c919-4594-8d2d-84ae4f96e58e
      4⤵
      PID:4600
- - C:\Windows\system32\cmd.exe
    "C:\Windows\Sysnative\cmd.exe" /D /c reg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\Configuration" /f /v "UpdateChannel" /t REG_SZ /d http://officecdn.microsoft.com/pr/5030841d-c919-4594-8d2d-84ae4f96e58e
    3⤵
    PID:4932
  - - C:\Windows\system32\reg.exe
      reg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\Configuration" /f /v "UpdateChannel" /t REG_SZ /d http://officecdn.microsoft.com/pr/5030841d-c919-4594-8d2d-84ae4f96e58e
      4⤵
      PID:3200
- - C:\Windows\system32\cmd.exe
    "C:\Windows\Sysnative\cmd.exe" /D /c reg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\Configuration" /f /v "UpdateChannelChanged" /t REG_SZ /d True
    3⤵
    PID:4800
  - - C:\Windows\system32\reg.exe
      reg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\Configuration" /f /v "UpdateChannelChanged" /t REG_SZ /d True
      4⤵
      PID:4756
- - C:\Windows\system32\cmd.exe
    "C:\Windows\Sysnative\cmd.exe" /D /c reg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\Configuration" /f /v "UpdateUrl" /t REG_SZ /d http://officecdn.microsoft.com/pr/5030841d-c919-4594-8d2d-84ae4f96e58e
    3⤵
    PID:5104
  - - C:\Windows\system32\reg.exe
      reg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\Configuration" /f /v "UpdateUrl" /t REG_SZ /d http://officecdn.microsoft.com/pr/5030841d-c919-4594-8d2d-84ae4f96e58e
      4⤵
      PID:2272
- - C:\Windows\system32\cmd.exe
    "C:\Windows\Sysnative\cmd.exe" /D /c files.dat -y -pkmsauto
    3⤵
    PID:2580
  - - C:\Users\Admin\AppData\Local\Temp\files\files.dat
      files.dat -y -pkmsauto
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:5112
- - C:\Windows\system32\cmd.exe
    "C:\Windows\Sysnative\cmd.exe" /D /c "cscript.exe //NoLogo" OffScrub_O15msi.vbs ALL /NoCancel /Force /OSE 2>&1
    3⤵
    PID:1836
  - - C:\Windows\system32\cscript.exe
      cscript.exe //NoLogo OffScrub_O15msi.vbs ALL /NoCancel /Force /OSE
      4⤵
      PID:1084
    - - C:\Users\Admin\AppData\Local\Temp\files\x64\CleanOSPP.exe
        
        "C:\Users\Admin\AppData\Local\Temp\files\x64\CleanOSPP.exe"
        5⤵
        
        PID:4744
- - C:\Windows\system32\cmd.exe
    "C:\Windows\Sysnative\cmd.exe" /D /c "cscript.exe //NoLogo" OffScrub_O16msi.vbs ALL /NoCancel /Force /OSE 2>&1
    3⤵
    PID:1460
  - - C:\Windows\system32\cscript.exe
      cscript.exe //NoLogo OffScrub_O16msi.vbs ALL /NoCancel /Force /OSE
      4⤵
      PID:1028
- - C:\Windows\system32\cmd.exe
    "C:\Windows\Sysnative\cmd.exe" /D /c "cscript.exe //NoLogo" OffScrubC2R.vbs ALL /NoCancel /OSE 2>&1
    3⤵
    PID:3264
  - - C:\Windows\system32\cscript.exe
      cscript.exe //NoLogo OffScrubC2R.vbs ALL /NoCancel /OSE
      4⤵
      PID:3648
    - - C:\Users\Admin\AppData\Local\Temp\files\x64\CleanOSPP.exe
        
        "C:\Users\Admin\AppData\Local\Temp\files\x64\CleanOSPP.exe"
        5⤵
        
        PID:3424
    - - C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Delete /TN FF_INTEGRATEDstreamSchedule /F
        5⤵
        
        PID:3760
    - - C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Delete /TN FF_INTEGRATEDUPDATEDETECTION /F
        5⤵
        
        PID:2912
    - - C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Delete /TN C2RAppVLoggingStart /F
        5⤵
        
        PID:216
    - - C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Delete /TN "Office 15 Subscription Heartbeat" /F
        5⤵
        
        PID:1932
    - - C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Delete /TN "Microsoft Office 15 Sync Maintenance for {d068b555-9700-40b8-992c-f866287b06c1}" /F
        5⤵
        
        PID:4060
    - - C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Delete /TN "\Microsoft\Office\OfficeInventoryAgentFallBack" /F
        5⤵
        
        PID:1788
    - - C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Delete /TN "\Microsoft\Office\OfficeTelemetryAgentFallBack" /F
        5⤵
        
        PID:2032
    - - C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Delete /TN "\Microsoft\Office\OfficeInventoryAgentLogOn" /F
        5⤵
        
        PID:2580
    - - C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Delete /TN "\Microsoft\Office\OfficeTelemetryAgentLogOn" /F
        5⤵
        
        PID:660
    - - C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Delete /TN "Office Background Streaming" /F
        5⤵
        
        PID:224
    - - C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Delete /TN "\Microsoft\Office\Office Automatic Updates" /F
        5⤵
        
        PID:3084
    - - C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Delete /TN "\Microsoft\Office\Office ClickToRun Service Monitor" /F
        5⤵
        
        PID:440
    - - C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Delete /TN "Office Subscription Maintenance" /F
        5⤵
        
        PID:3992
    - - C:\Windows\system32\wscript.exe
        
        "C:\Windows\system32\wscript.exe" "C:\Users\Admin\AppData\Local\Temp\files\OffScrubC2R.vbs" "UNPINSC" "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Office Tools\Database Compare.lnk"
        5⤵
        
        PID:2716
    - - C:\Windows\system32\wscript.exe
        
        "C:\Windows\system32\wscript.exe" "C:\Users\Admin\AppData\Local\Temp\files\OffScrubC2R.vbs" "UNPINSC" "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Office Tools\Office Language Preferences.lnk"
        5⤵
        
        PID:1320
    - - C:\Windows\system32\wscript.exe
        
        "C:\Windows\system32\wscript.exe" "C:\Users\Admin\AppData\Local\Temp\files\OffScrubC2R.vbs" "UNPINSC" "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Office Tools\Office Upload Center.lnk"
        5⤵
        
        PID:460
    - - C:\Windows\system32\wscript.exe
        
        "C:\Windows\system32\wscript.exe" "C:\Users\Admin\AppData\Local\Temp\files\OffScrubC2R.vbs" "UNPINSC" "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Office Tools\Spreadsheet Compare.lnk"
        5⤵
        
        PID:2764
    - - C:\Windows\system32\wscript.exe
        
        "C:\Windows\system32\wscript.exe" "C:\Users\Admin\AppData\Local\Temp\files\OffScrubC2R.vbs" "UNPINSC" "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Office Tools\Telemetry Dashboard for Office.lnk"
        5⤵
        
        PID:4636
    - - C:\Windows\system32\wscript.exe
        
        "C:\Windows\system32\wscript.exe" "C:\Users\Admin\AppData\Local\Temp\files\OffScrubC2R.vbs" "UNPINSC" "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Office Tools\Telemetry Log for Office.lnk"
        5⤵
        
        PID:3188
    - - C:\Windows\system32\wscript.exe
        
        "C:\Windows\system32\wscript.exe" "C:\Users\Admin\AppData\Local\Temp\files\OffScrubC2R.vbs" "UNPINSC" "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Excel.lnk"
        5⤵
        
        PID:228
    - - C:\Windows\system32\wscript.exe
        
        "C:\Windows\system32\wscript.exe" "C:\Users\Admin\AppData\Local\Temp\files\OffScrubC2R.vbs" "UNPINSC" "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\PowerPoint.lnk"
        5⤵
        
        PID:3052
    - - C:\Windows\system32\wscript.exe
        
        "C:\Windows\system32\wscript.exe" "C:\Users\Admin\AppData\Local\Temp\files\OffScrubC2R.vbs" "UNPINSC" "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Word.lnk"
        5⤵
        
        PID:2844

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x338 0x33c
1⤵
PID:2180

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Checks processor information in registry
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:384

C:\Users\Admin\Downloads\KMSAuto++ 1.6.4 Portable Multilingual\OInstallLite.exe
"C:\Users\Admin\Downloads\KMSAuto++ 1.6.4 Portable Multilingual\OInstallLite.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2960
- C:\Windows\system32\cmd.exe
  "C:\Windows\Sysnative\cmd.exe" /c WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionPath="C:\Users\Admin\Downloads\KMSAuto++ 1.6.4 Portable Multilingual\OInstallLite.exe"
  2⤵
  PID:2668
- - C:\Windows\System32\Wbem\WMIC.exe
    WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionPath="C:\Users\Admin\Downloads\KMSAuto++ 1.6.4 Portable Multilingual\OInstallLite.exe"
    3⤵
    PID:1084
- C:\Windows\system32\cmd.exe
  "C:\Windows\Sysnative\cmd.exe" /c WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionPath="C:\Users\Admin\Downloads\KMSAuto++ 1.6.4 Portable Multilingual\files"
  2⤵
  PID:2892
- - C:\Windows\System32\Wbem\WMIC.exe
    WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionPath="C:\Users\Admin\Downloads\KMSAuto++ 1.6.4 Portable Multilingual\files"
    3⤵
    PID:4064

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Checks processor information in registry
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:2448

C:\Users\Admin\Downloads\KMSAuto++ 1.6.4 Portable Multilingual\KMSAuto++.exe
"C:\Users\Admin\Downloads\KMSAuto++ 1.6.4 Portable Multilingual\KMSAuto++.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4596

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
PID:4976

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
PID:4392

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Impair Defenses

T1562

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Common Files\microsoft shared\ClickToRun\ApiClient.dll

Filesize
229KB

MD5
cc2b3930ea10d482dfa35233adb38bce

SHA1
d7243b76955e18f0b43632fdce3e3fdb21226d85

SHA256
d97d46b602bc3b9187a3aa80e13ce7c1ca6cdd6d3ad9e5f8c56448681055b46e

SHA512
ee5dc4ad9d2168964b8e61eaa7edbeac6cef83d24e00fb5af9e783607c56186ac161907cffb1ad2c3e0d1a24b2cd81421bb12e2a647f93ce087253ff7897b739

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\ApiClient.dll

Filesize
229KB

MD5
cc2b3930ea10d482dfa35233adb38bce

SHA1
d7243b76955e18f0b43632fdce3e3fdb21226d85

SHA256
d97d46b602bc3b9187a3aa80e13ce7c1ca6cdd6d3ad9e5f8c56448681055b46e

SHA512
ee5dc4ad9d2168964b8e61eaa7edbeac6cef83d24e00fb5af9e783607c56186ac161907cffb1ad2c3e0d1a24b2cd81421bb12e2a647f93ce087253ff7897b739

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MSVCP140.dll

Filesize
550KB

MD5
c15a199252046e54b2447ac8a23a4f5f

SHA1
f9d6fc729ff7f03494a5f1f51b9693a7df689a7b

SHA256
18bc3e55806b676abbc598d1a4331b80ef4a7931101683b5080d0194a47e67cf

SHA512
0505ec128700604ed48c8bd385eb5e158d58ddc0e5f85f31424e96ac101e163bf3f344a8f1c3820bf63e63b18ee9cf0899f50c0b41b2dfd53e5d227a7aa4e855

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe

Filesize
8.8MB

MD5
62effe622ecad06cec8ed9a90d0477c5

SHA1
1246f3122a01ccfd53874c25c81a154fa0d4ec6b

SHA256
ad74241b36b7a5fcf853fe516cc5fad6bed469818a47b46fcbd75203551396e2

SHA512
e212f59080c2d1ec887bc6cd5f624f25182688d04e21c49837a02dbdd274bcf801b121dd8113ab30e2038532acd443bfc82bb07454bd9b11288792827517b040

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe

Filesize
8.8MB

MD5
62effe622ecad06cec8ed9a90d0477c5

SHA1
1246f3122a01ccfd53874c25c81a154fa0d4ec6b

SHA256
ad74241b36b7a5fcf853fe516cc5fad6bed469818a47b46fcbd75203551396e2

SHA512
e212f59080c2d1ec887bc6cd5f624f25182688d04e21c49837a02dbdd274bcf801b121dd8113ab30e2038532acd443bfc82bb07454bd9b11288792827517b040

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\VCRUNTIME140.dll

Filesize
93KB

MD5
845a3a6471fb853d0d218518e4c48f8c

SHA1
ab4bad2575ab028b0cba13bb445e3c6dd965fb13

SHA256
48140e727d1f2438f4fab1e08632ba9c5c928b6c1a4584758391a4fe9d7d978d

SHA512
f0a13125a1e1904a9c2483295bd770106485dc1f31bbdb7d3f11ed48d9f7e8282ab46a070f57c82ef19c933608ce29abf6ef5744a61ed608b6026504194ce19f

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\VCRUNTIME140_1.dll

Filesize
35KB

MD5
6feeb6ba00dfee9cf3a2e4c6905af7f1

SHA1
5f7a7a74f9a7de8a344299bf966c0723da26a056

SHA256
092e91d8b179ce00c2a139afed85fc478632841e906e44b7ec2fb67268f5aef5

SHA512
a008c0df0796067fac98cf04dd2c2ef7e7b0c7248f92f6fb7c346ad77b72d45c60347f7cb974a81fd311408ba74822230f9b1a248ab1b4b06c54c13372d2bb4b

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\msvcp140.dll

Filesize
550KB

MD5
c15a199252046e54b2447ac8a23a4f5f

SHA1
f9d6fc729ff7f03494a5f1f51b9693a7df689a7b

SHA256
18bc3e55806b676abbc598d1a4331b80ef4a7931101683b5080d0194a47e67cf

SHA512
0505ec128700604ed48c8bd385eb5e158d58ddc0e5f85f31424e96ac101e163bf3f344a8f1c3820bf63e63b18ee9cf0899f50c0b41b2dfd53e5d227a7aa4e855

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\vcruntime140.dll

Filesize
93KB

MD5
845a3a6471fb853d0d218518e4c48f8c

SHA1
ab4bad2575ab028b0cba13bb445e3c6dd965fb13

SHA256
48140e727d1f2438f4fab1e08632ba9c5c928b6c1a4584758391a4fe9d7d978d

SHA512
f0a13125a1e1904a9c2483295bd770106485dc1f31bbdb7d3f11ed48d9f7e8282ab46a070f57c82ef19c933608ce29abf6ef5744a61ed608b6026504194ce19f

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\vcruntime140_1.dll

Filesize
35KB

MD5
6feeb6ba00dfee9cf3a2e4c6905af7f1

SHA1
5f7a7a74f9a7de8a344299bf966c0723da26a056

SHA256
092e91d8b179ce00c2a139afed85fc478632841e906e44b7ec2fb67268f5aef5

SHA512
a008c0df0796067fac98cf04dd2c2ef7e7b0c7248f92f6fb7c346ad77b72d45c60347f7cb974a81fd311408ba74822230f9b1a248ab1b4b06c54c13372d2bb4b

Download Submit
C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir4596_251634051\ChromeRecovery.exe

Filesize
253KB

MD5
49ac3c96d270702a27b4895e4ce1f42a

SHA1
55b90405f1e1b72143c64113e8bc65608dd3fd76

SHA256
82aa3fd6a25cda9e16689cfadea175091be010cecae537e517f392e0bef5ba0f

SHA512
b62f6501cb4c992d42d9097e356805c88ac4ac5a46ead4a8eee9f8cbae197b2305da8aab5b4a61891fe73951588025f2d642c32524b360687993f98c913138a0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\RecoveryImproved\1.3.36.141\Recovery.crx3

Filesize
141KB

MD5
ea1c1ffd3ea54d1fb117bfdbb3569c60

SHA1
10958b0f690ae8f5240e1528b1ccffff28a33272

SHA256
7c3a6a7d16ac44c3200f572a764bce7d8fa84b9572dd028b15c59bdccbc0a77d

SHA512
6c30728cac9eac53f0b27b7dbe2222da83225c3b63617d6b271a6cfedf18e8f0a8dffa1053e1cbc4c5e16625f4bbc0d03aa306a946c9d72faa4ceb779f8ffcaf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
1KB

MD5
4280e36a29fa31c01e4d8b2ba726a0d8

SHA1
c485c2c9ce0a99747b18d899b71dfa9a64dabe32

SHA256
e2486a1bdcba80dad6dd6210d7374bd70ae196a523c06ceda71370fd3ea78359

SHA512
494fe5f0ade03669e5830bed93c964d69b86629440148d7b0881cf53203fd89443ebff9b4d1ee9d96244f62af6edede622d9eacba37f80f389a0d522e4ad4ea4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
16KB

MD5
fe1942551b84694694eaf543a17a3501

SHA1
eecf880a3c2da7bc498f689ae06219384a085e2c

SHA256
0522300e8be4a842ee84de922cc53a183227ea8f8e25a9da3d0c3483bce27622

SHA512
d4cf186beca061de6608134e82c36910d2e68ccf3207d071673b0d1a91dc921465edd4ce024f6f04b9cd552eba708230dbb372bf9c080cd1fa21e383167f0346

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
15KB

MD5
7aa2c4b5c167eb7794e63d6fa79e8810

SHA1
debc7f1b3ec62fe5572628e1b4f9851f5ec69fc5

SHA256
48952aca30241b7f07ac07f6ed06738806aecbe015ea4e4e00a52bb95824ca88

SHA512
3240870f93427e5c231de656ebd63506d2d45f2c6d40cbae4770e5a903665cacc94afcd49a9134a77638ead0161cea8492e219749ef0dd0952869d5459719165

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
16KB

MD5
2b02dad384d7833622f04632fcc736ca

SHA1
39b2235056cc98c3f6f18be3eb6eaa2425e7d094

SHA256
ff3da6de7f0a09c8d81fbdddeb2eac5efd88b3f779c9bdf57c82016d1d7646c4

SHA512
df03459b78de808da0f461ad4124c33d1eef663b6284232a889184e79b08bccf953bbf9c7130a281163ed6f94c830746d6213fb549a76ee30a5d1de4b5c808e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\over665200\VersionDescriptor.xml

Filesize
12KB

MD5
d6e031ee427af186cbe367e9f5164b2c

SHA1
d524f161fbd250b30354bf335c290135888c3c5a

SHA256
97d80903fc6dc43d42b31d4d64f271f4edb90c18a7ddbf685ec83d1fa969d90f

SHA512
40a3622abf5b6e6b31a0b93995e893a111bffce8869223042c968165d0f65f9f06ec8daa73e638158187eebce7ddb6eae5af8775a3542c542db483d79ede52ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\over665200\i640.cab

Filesize
28.5MB

MD5
9172378cac15c3de48fa9b49e1d64796

SHA1
a2e8e3436e23f8e98b7decf5ffd6949306b6083b

SHA256
53fe05870d33bf0dd7d942518a9586710e7061888d948a15ba1ebb320ed9dd69

SHA512
f4b99c4d7096c38cc3f4f73a69d59d1336309855e6d1124a4e65670765140b96c9cbab1ac878f4a2057b695bde9f63333377e7c2d48585e2d5e058122f25933f

Download Submit
C:\Users\Admin\AppData\Local\Temp\over665200\i641033.cab

Filesize
9KB

MD5
ab0e96f0b018ee91480462236583dcad

SHA1
1099f62f4dc86d90184307fab86b141b212988f3

SHA256
9b7db89ac421b1ed353b7967d24a84a5d989dd9c4f52309e552a52076e9f8b52

SHA512
595771955fa41d5773998911da0a6d8f85ba3509c4e9d6cedd1155bbad2be72dc641099b672abca8e193e21435e5002ee17b2c3c2fc6399c90d57759768abd48

Download Submit
C:\Users\Admin\AppData\Local\Temp\over665200\v32.cab

Filesize
10KB

MD5
7193ea30414408c495f5ad2d56977025

SHA1
e67d21df802645037ea611ca93bd08adb07e93ad

SHA256
fdf7cb7ca84ee4ca16e88f70c264e1ac6b456c1b3816deab6b9c040cc1d1822b

SHA512
978470d094781ba6799d4e869e2b4075cda6a67054477a4c6a8bac4124f5a35072ef117e5d027ebdf4cac37ff13b59f883404269242e9068b3ddade038c43476

Download Submit
C:\Users\Admin\AppData\Local\Temp\over665200\v32.txt

Filesize
12KB

MD5
169da22c074e8841c7d6ae922ebfec72

SHA1
14d118cb286c6a218c5e96ce515be4b25055a528

SHA256
48bc681d89c0eb10a15bd27575318637f7e6298277bdb8961a1275242db0ebe1

SHA512
ce8de867d205e23f3881509f5fc49a5d25bf85da3aeaf449eb1f5229ba76f8fac58eb49e6387cfdc023fe2e57ec94f782ac693fd532199b501e42300bd655e9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\signtool.exe

Filesize
323KB

MD5
05624e6d27eaef0db0673ae627bd6027

SHA1
b155c76bf59992a8d75d0e3a59dc94f24aff2591

SHA256
962a92821f54a1e706aa989973130fdc1072c7bd8b9e6d11ea1050b46eb9d313

SHA512
233304669aefeec9ad5d19bd2dd5bb19ea35ce31da0b3aabe5ab859259608a58725fac5993637c9635e5912138d3eb477773351f0ee81cc3ce756d713163cf31

Download Submit
C:\Users\Admin\AppData\Local\Temp\signtool.exe

Filesize
323KB

MD5
05624e6d27eaef0db0673ae627bd6027

SHA1
b155c76bf59992a8d75d0e3a59dc94f24aff2591

SHA256
962a92821f54a1e706aa989973130fdc1072c7bd8b9e6d11ea1050b46eb9d313

SHA512
233304669aefeec9ad5d19bd2dd5bb19ea35ce31da0b3aabe5ab859259608a58725fac5993637c9635e5912138d3eb477773351f0ee81cc3ce756d713163cf31

Download Submit
C:\Users\Admin\Downloads\KMSAuto++ 1.6.4 Portable Multilingual.zip

Filesize
16.7MB

MD5
2a457a91fdc9215f244356a9f789d2c9

SHA1
4044671f85a3d62078823f94c03a562bfb89bc98

SHA256
04f8e7b6cc83f41b78b1259f9406e8e8287efec1b0512a88a768e3125960b536

SHA512
cb87819b766aed902dd45db31dbeac657a5f6d03f4784281865aa72016028acb50a645c537b0f1bb1405bcb85ff7ed86e3feb364e4c17a5d90a9acb68a60fdef

Download Submit
C:\Users\Admin\Downloads\KMSAuto++ 1.6.4 Portable Multilingual\KMSAuto++.exe

Filesize
17.2MB

MD5
f047284bfddc942292d93ed86fdb20fd

SHA1
56dc945674cf4f941cf17a9ac9c1c9718cf9d18e

SHA256
793731bcfd6cc4faf4244e2353d6d068a0720c601117e464f28c6e6e88de5c46

SHA512
2ec58f32b4fc810c41a014415997c35740eea7f901e367494025045c7c4a9ce1b83efbde2143c0566b66f1065bf39b712d4c9dbaa33ce922eb8d8f9f38da4513

Download Submit
C:\Users\Admin\Downloads\KMSAuto++ 1.6.4 Portable Multilingual\KMSAuto++.exe

Filesize
17.2MB

MD5
f047284bfddc942292d93ed86fdb20fd

SHA1
56dc945674cf4f941cf17a9ac9c1c9718cf9d18e

SHA256
793731bcfd6cc4faf4244e2353d6d068a0720c601117e464f28c6e6e88de5c46

SHA512
2ec58f32b4fc810c41a014415997c35740eea7f901e367494025045c7c4a9ce1b83efbde2143c0566b66f1065bf39b712d4c9dbaa33ce922eb8d8f9f38da4513

Download Submit
C:\Users\Admin\Downloads\KMSAuto++ 1.6.4 Portable Multilingual\KMSAuto++.exe

Filesize
17.2MB

MD5
f047284bfddc942292d93ed86fdb20fd

SHA1
56dc945674cf4f941cf17a9ac9c1c9718cf9d18e

SHA256
793731bcfd6cc4faf4244e2353d6d068a0720c601117e464f28c6e6e88de5c46

SHA512
2ec58f32b4fc810c41a014415997c35740eea7f901e367494025045c7c4a9ce1b83efbde2143c0566b66f1065bf39b712d4c9dbaa33ce922eb8d8f9f38da4513

Download Submit
C:\Users\Admin\Downloads\KMSAuto++ 1.6.4 Portable Multilingual\KMSAuto++.ini

Filesize
1KB

MD5
9d6166a1f176a87eecc5402f16a7c01b

SHA1
97b56815dc0fa855c279f88c91631a859bd7f3cd

SHA256
4c5eed44e3574f70bb4007523c49fc0328ba8944bc127c41817907d25c4d69d0

SHA512
99db8eca4bd27eb48b5b833a70aee78e57a2875d08b37705b8ae656e50547243ecbcb4d08a3af943e6aefe780ff39a858733506bda835b71eaa3dbce1e3daaa3

Download Submit
C:\Users\Admin\Downloads\KMSAuto++ 1.6.4 Portable Multilingual\KMSAuto++.ini

Filesize
1KB

MD5
9d6166a1f176a87eecc5402f16a7c01b

SHA1
97b56815dc0fa855c279f88c91631a859bd7f3cd

SHA256
4c5eed44e3574f70bb4007523c49fc0328ba8944bc127c41817907d25c4d69d0

SHA512
99db8eca4bd27eb48b5b833a70aee78e57a2875d08b37705b8ae656e50547243ecbcb4d08a3af943e6aefe780ff39a858733506bda835b71eaa3dbce1e3daaa3

Download Submit
C:\Users\Admin\Downloads\KMSAuto++ 1.6.4 Portable Multilingual\OInstallLite.exe

Filesize
7.5MB

MD5
0280c72602dbb522ca250f27d060539a

SHA1
116253233d3cc138ec81b38c20e8b8ece0d96216

SHA256
c6685f23561e02f3e68fdb17d837369e8ea2bcdaa7cc7ea3080848367caf9c25

SHA512
3cf982a3cac5f6dd25f43e00d889c26f3b624a279b9d69863fe10d854147ebe44658aeeea1f573ab65788f58f3972057be90b96a9a0233320dfb58582a075e61

Download Submit
C:\Users\Admin\Downloads\KMSAuto++ 1.6.4 Portable Multilingual\OInstallLite.exe

Filesize
7.5MB

MD5
0280c72602dbb522ca250f27d060539a

SHA1
116253233d3cc138ec81b38c20e8b8ece0d96216

SHA256
c6685f23561e02f3e68fdb17d837369e8ea2bcdaa7cc7ea3080848367caf9c25

SHA512
3cf982a3cac5f6dd25f43e00d889c26f3b624a279b9d69863fe10d854147ebe44658aeeea1f573ab65788f58f3972057be90b96a9a0233320dfb58582a075e61

Download Submit
C:\Users\Admin\Downloads\KMSAuto++ 1.6.4 Portable Multilingual\files\configure.xml

Filesize
860B

MD5
a15059b5f40abbc01ad97ed11770baeb

SHA1
28283c602467223afcea24fa037da5503eb9ed22

SHA256
63e92bdb3f44204b4e1dd1a1df93dee2de9fd8efd493e87065dad03311936a7e

SHA512
0481c5533d6abc813364a7bf576e13941b50a17f7737fe1b6cfa0761c72417f3043bb87a34521f30f2bbfa643125eab3a8bbcc2d1f636a644bc2e94debb71d32

Download Submit
C:\Users\Admin\Downloads\KMSAuto++ 1.6.4 Portable Multilingual\files\files.dat

Filesize
707KB

MD5
55d21b2c272a5d6b9f54fa9ed82bf9eb

SHA1
32464cba823cd9b7e94e4fa1a32a8f2344b0f33b

SHA256
7a1c82e264258470d14ca345ea1a9b6fc34fa19b393a92077a01be5f1ad08f47

SHA512
1b68d0c61367717529be4a3aa347bb69d3e21de7a89b10e8b0aa54d40af988cc0cc8e63298ba595a93c3372aca3770ace1eee2780a59238d0948499dbb4be725

Download Submit
C:\Users\Admin\Downloads\KMSAuto++ 1.6.4 Portable Multilingual\files\files.dat

Filesize
707KB

MD5
55d21b2c272a5d6b9f54fa9ed82bf9eb

SHA1
32464cba823cd9b7e94e4fa1a32a8f2344b0f33b

SHA256
7a1c82e264258470d14ca345ea1a9b6fc34fa19b393a92077a01be5f1ad08f47

SHA512
1b68d0c61367717529be4a3aa347bb69d3e21de7a89b10e8b0aa54d40af988cc0cc8e63298ba595a93c3372aca3770ace1eee2780a59238d0948499dbb4be725

Download Submit
C:\Users\Admin\Downloads\KMSAuto++ 1.6.4 Portable Multilingual\readme_en.txt

Filesize
6KB

MD5
7a4fb804af171ad041c65e3e46fd00b2

SHA1
9beb5c6be92ab6129c8577efb1bda567b5f67006

SHA256
c7a2d7fa7dcf9a08a5179720f81b947221f0e94bc797878352ecae52d923c939

SHA512
e67221d43349a57baa48b7631eaa2fe6863d444dbe84a231392de42d6c0386de04fb700cde79cd42eadc4b059d6e5e82aa063932777601db0d05d3dbe0688965

Download Submit
C:\Users\Admin\Downloads\KMSAuto++ 1.6.4 Portable Multilingual\readme_ru.txt

Filesize
7KB

MD5
89921ebfdac4677b4ecc8972b2880fa8

SHA1
2d6e48ae17d780772290a51cec312ea29cf8cd71

SHA256
f82e3b77099baf8c31f2c6f81f511b049ec5d08d3848834076afd401fab143db

SHA512
83965139761a25b452c038dec38b95cda4e242e2f9fbdb8f9e9b0e7d49715459737f809321344bc0c637a350e2c765a8f86e7e7d6aa69f9dc758f7b7a56eef22

Download Submit
C:\Windows\LOGS\DPX\setupact.log

Filesize
168KB

MD5
29ea9a54f7fb14f7849b0405f2dd4da1

SHA1
1ff3921410cd436836ae4ff9d25dc8c955c19832

SHA256
99f1d6074916fefd11d1eff4bb40eb48ef3b4cd32de63fe8df537a99c6f99862

SHA512
6e03f52daee7b723709744ba43652451112198301740b1a4f46ae5d7909defdbbd884f9957f0998c4d5d02c5cf9d122f130c7cfd8080fca87b4cf30578f7db76

Download Submit
C:\Windows\LOGS\DPX\setupact.log

Filesize
170KB

MD5
8b5a27d1a34711a52307ebafab0818a4

SHA1
543d94fa3b97115896073e0f0cb22790dead5776

SHA256
fd2e3d06b214f5c2bb3ab43473bbdde085b20669d0d1c2001b74d5b335711941

SHA512
5be18e718217489ca45e341a66e5322e75145adb4928c4f201f949a237537393b18efa458602d6646bf5dacde22689ad93f608eecb8641eea9e56debc2cc2d8c

Download Submit
memory/776-165-0x0000000000400000-0x0000000001608000-memory.dmp

Filesize
18.0MB

Download
memory/776-181-0x0000000000400000-0x0000000001608000-memory.dmp

Filesize
18.0MB

Download
memory/1684-172-0x0000000000400000-0x0000000001713000-memory.dmp

Filesize
19.1MB

Download
memory/1684-148-0x0000000000400000-0x0000000001713000-memory.dmp

Filesize
19.1MB

Download
memory/2244-179-0x0000000005460000-0x00000000054C6000-memory.dmp

Filesize
408KB

Download
memory/2244-182-0x0000000007130000-0x00000000077AA000-memory.dmp

Filesize
6.5MB

Download
memory/2244-178-0x00000000053F0000-0x0000000005456000-memory.dmp

Filesize
408KB

Download
memory/2244-183-0x0000000005FC0000-0x0000000005FDA000-memory.dmp

Filesize
104KB

Download
memory/2244-180-0x0000000005AA0000-0x0000000005ABE000-memory.dmp

Filesize
120KB

Download
memory/2244-177-0x0000000004B00000-0x0000000004B22000-memory.dmp

Filesize
136KB

Download
memory/2244-176-0x0000000004B90000-0x00000000051B8000-memory.dmp

Filesize
6.2MB

Download
memory/2244-175-0x0000000004520000-0x0000000004556000-memory.dmp

Filesize
216KB

Download
memory/2784-189-0x0000000006CF0000-0x0000000006D86000-memory.dmp

Filesize
600KB

Download
memory/2784-191-0x0000000007340000-0x00000000078E4000-memory.dmp

Filesize
5.6MB

Download
memory/2784-190-0x0000000006060000-0x0000000006082000-memory.dmp

Filesize
136KB

Download
memory/2960-225-0x0000000000400000-0x0000000001608000-memory.dmp

Filesize
18.0MB

Download
memory/2960-254-0x0000000000400000-0x0000000001608000-memory.dmp

Filesize
18.0MB

Download
memory/2960-235-0x0000000000400000-0x0000000001608000-memory.dmp

Filesize
18.0MB

Download
memory/4596-255-0x0000000000400000-0x0000000001713000-memory.dmp

Filesize
19.1MB

Download