388739f45ac12e135430de2351554ada5cdf2e3680116a25f0b1d23b7ae880c8

Analysis

max time kernel
235s
max time network
292s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
18/10/2022, 21:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

KMS_Suite.v9.3.EN.bat
Size

356KB
MD5

2542dfefdc35cb2477961289977c36bc
SHA1

4b60f654960c3d7b8a4a6cb78f23764d4d7abebd
SHA256

1094061c601cb82c12e4b10ce566c096029c0f62214f21481c2753a10c812742
SHA512

10f3325807adb849137d64ca82a5499f6ba7307b71573609614129b59aa0d75ac69cba9288568548af21ce3676992fdc6f0437f763bd58c520019cc809600740
SSDEEP

6144:RFV4shBoEszHlE4iGaXacKg3WSCj8cq7TRbSSVVVYunQd2LpNI8MwIt:l3MfJtaq/2SC7UuQdgNIt

Score

8^/10

evasion

Malware Config

Signatures

Executes dropped EXE 10 IoCs

pid	Process
4036	center.exe
2268	DisableX.exe
3912	center.exe
428	DisableX.exe
1892	dismhost.exe
4092	gatherosstatemodified.exe
4448	center.exe
1900	DisableX.exe
5112	center.exe
4664	DisableX.exe

Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	cmd.exe

Loads dropped DLL 22 IoCs

pid	Process
1892	dismhost.exe
1892	dismhost.exe
1892	dismhost.exe
1892	dismhost.exe
1892	dismhost.exe
1892	dismhost.exe
1892	dismhost.exe
1892	dismhost.exe
1892	dismhost.exe
1892	dismhost.exe
1892	dismhost.exe
1892	dismhost.exe
1892	dismhost.exe
1892	dismhost.exe
1892	dismhost.exe
1892	dismhost.exe
1892	dismhost.exe
1892	dismhost.exe
1892	dismhost.exe
1956	rundll32.exe
4092	gatherosstatemodified.exe
4092	gatherosstatemodified.exe

Drops file in Windows directory 25 IoCs

description	ioc	Process
File created	C:\Windows\KMS\bin\x64.dll	xcopy.exe
File opened for modification	C:\Windows\KMS\bin\x86.dll	xcopy.exe
File opened for modification	C:\Windows\LOGS\DPX\setupact.log	expand.exe
File opened for modification	C:\Windows\Logs\DISM\dism.log	Dism.exe
File opened for modification	C:\Windows\LOGS\DPX\setupact.log	expand.exe
File opened for modification	C:\Windows\KMS\bin	xcopy.exe
File created	C:\Windows\KMS\bin\cleanosppx64.exe	xcopy.exe
File opened for modification	C:\Windows\KMS\bin\KMS.xml	xcopy.exe
File opened for modification	C:\Windows\LOGS\DPX\setuperr.log	expand.exe
File opened for modification	C:\Windows\KMS\bin\A64.dll	xcopy.exe
File opened for modification	C:\Windows\KMS\bin\cleanosppx86.exe	xcopy.exe
File opened for modification	C:\Windows\LOGS\DPX\setuperr.log	expand.exe
File opened for modification	C:\Windows\Logs\DISM\dism.log	dismhost.exe
File created	C:\Windows\KMS\bin\x86.dll	xcopy.exe
File opened for modification	C:\Windows\LOGS\DPX\setupact.log	expand.exe
File opened for modification	C:\Windows\LOGS\DPX\setuperr.log	expand.exe
File created	C:\Windows\KMS\bin\A64.dll	xcopy.exe
File opened for modification	C:\Windows\KMS\bin\cleanosppx64.exe	xcopy.exe
File created	C:\Windows\KMS\bin\KMS.xml	xcopy.exe
File opened for modification	C:\Windows\LOGS\DPX\setupact.log	expand.exe
File opened for modification	C:\Windows\LOGS\DPX\setuperr.log	expand.exe
File created	C:\Windows\KMS\bin\cleanosppx86.exe	xcopy.exe
File opened for modification	C:\Windows\KMS\bin\x64.dll	xcopy.exe
File created	C:\Windows\KMS\KMSInject.bat	cmd.exe
File opened for modification	C:\Windows\KMS\KMSInject.bat	cmd.exe

Launches sc.exe 8 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
3600	sc.exe
3600	sc.exe
3344	sc.exe
3896	sc.exe
3400	sc.exe
3792	sc.exe
4936	sc.exe
4080	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 11 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\ConfigFlags	gatherosstatemodified.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	clipup.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs	clipup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	clipup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	gatherosstatemodified.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\HardwareID	gatherosstatemodified.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	gatherosstatemodified.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	gatherosstatemodified.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	clipup.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\HardwareID	clipup.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	clipup.exe

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
720	schtasks.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
3656	timeout.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
4380	taskkill.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings	cmd.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 42 IoCs

pid	Process
4208	powershell.exe
4208	powershell.exe
4240	powershell.exe
4240	powershell.exe
1220	powershell.exe
1220	powershell.exe
3340	powershell.exe
3340	powershell.exe
712	powershell.exe
712	powershell.exe
2228	powershell.exe
2228	powershell.exe
5052	powershell.exe
5052	powershell.exe
2056	powershell.exe
2056	powershell.exe
4364	powershell.exe
4364	powershell.exe
1244	powershell.exe
1244	powershell.exe
4560	powershell.exe
4560	powershell.exe
1524	powershell.exe
1524	powershell.exe
3544	powershell.exe
3544	powershell.exe
3064	powershell.exe
3064	powershell.exe
1696	powershell.exe
1696	powershell.exe
3064	powershell.exe
3064	powershell.exe
5012	powershell.exe
5012	powershell.exe
3460	powershell.exe
3460	powershell.exe
2972	powershell.exe
2972	powershell.exe
3476	powershell.exe
3476	powershell.exe
3992	powershell.exe
3992	powershell.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2268	DisableX.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4208	powershell.exe
Token: SeDebugPrivilege	4240	powershell.exe
Token: SeDebugPrivilege	1220	powershell.exe
Token: SeDebugPrivilege	3340	powershell.exe
Token: SeDebugPrivilege	712	powershell.exe
Token: SeDebugPrivilege	2228	powershell.exe
Token: SeDebugPrivilege	5052	powershell.exe
Token: SeDebugPrivilege	2056	powershell.exe
Token: SeIncreaseQuotaPrivilege	4184	WMIC.exe
Token: SeSecurityPrivilege	4184	WMIC.exe
Token: SeTakeOwnershipPrivilege	4184	WMIC.exe
Token: SeLoadDriverPrivilege	4184	WMIC.exe
Token: SeSystemProfilePrivilege	4184	WMIC.exe
Token: SeSystemtimePrivilege	4184	WMIC.exe
Token: SeProfSingleProcessPrivilege	4184	WMIC.exe
Token: SeIncBasePriorityPrivilege	4184	WMIC.exe
Token: SeCreatePagefilePrivilege	4184	WMIC.exe
Token: SeBackupPrivilege	4184	WMIC.exe
Token: SeRestorePrivilege	4184	WMIC.exe
Token: SeShutdownPrivilege	4184	WMIC.exe
Token: SeDebugPrivilege	4184	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4184	WMIC.exe
Token: SeRemoteShutdownPrivilege	4184	WMIC.exe
Token: SeUndockPrivilege	4184	WMIC.exe
Token: SeManageVolumePrivilege	4184	WMIC.exe
Token: 33	4184	WMIC.exe
Token: 34	4184	WMIC.exe
Token: 35	4184	WMIC.exe
Token: 36	4184	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4184	WMIC.exe
Token: SeSecurityPrivilege	4184	WMIC.exe
Token: SeTakeOwnershipPrivilege	4184	WMIC.exe
Token: SeLoadDriverPrivilege	4184	WMIC.exe
Token: SeSystemProfilePrivilege	4184	WMIC.exe
Token: SeSystemtimePrivilege	4184	WMIC.exe
Token: SeProfSingleProcessPrivilege	4184	WMIC.exe
Token: SeIncBasePriorityPrivilege	4184	WMIC.exe
Token: SeCreatePagefilePrivilege	4184	WMIC.exe
Token: SeBackupPrivilege	4184	WMIC.exe
Token: SeRestorePrivilege	4184	WMIC.exe
Token: SeShutdownPrivilege	4184	WMIC.exe
Token: SeDebugPrivilege	4184	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4184	WMIC.exe
Token: SeRemoteShutdownPrivilege	4184	WMIC.exe
Token: SeUndockPrivilege	4184	WMIC.exe
Token: SeManageVolumePrivilege	4184	WMIC.exe
Token: 33	4184	WMIC.exe
Token: 34	4184	WMIC.exe
Token: 35	4184	WMIC.exe
Token: 36	4184	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4160	WMIC.exe
Token: SeSecurityPrivilege	4160	WMIC.exe
Token: SeTakeOwnershipPrivilege	4160	WMIC.exe
Token: SeLoadDriverPrivilege	4160	WMIC.exe
Token: SeSystemProfilePrivilege	4160	WMIC.exe
Token: SeSystemtimePrivilege	4160	WMIC.exe
Token: SeProfSingleProcessPrivilege	4160	WMIC.exe
Token: SeIncBasePriorityPrivilege	4160	WMIC.exe
Token: SeCreatePagefilePrivilege	4160	WMIC.exe
Token: SeBackupPrivilege	4160	WMIC.exe
Token: SeRestorePrivilege	4160	WMIC.exe
Token: SeShutdownPrivilege	4160	WMIC.exe
Token: SeDebugPrivilege	4160	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4160	WMIC.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2268	DisableX.exe
428	DisableX.exe
1900	DisableX.exe
4664	DisableX.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3376 wrote to memory of 4744	3376	cmd.exe	83
PID 3376 wrote to memory of 4744	3376	cmd.exe	83
PID 4744 wrote to memory of 4916	4744	net.exe	84
PID 4744 wrote to memory of 4916	4744	net.exe	84
PID 3376 wrote to memory of 3772	3376	cmd.exe	85
PID 3376 wrote to memory of 3772	3376	cmd.exe	85
PID 3376 wrote to memory of 4208	3376	cmd.exe	86
PID 3376 wrote to memory of 4208	3376	cmd.exe	86
PID 4208 wrote to memory of 2068	4208	powershell.exe	87
PID 4208 wrote to memory of 2068	4208	powershell.exe	87
PID 2068 wrote to memory of 4312	2068	csc.exe	88
PID 2068 wrote to memory of 4312	2068	csc.exe	88
PID 4208 wrote to memory of 2768	4208	powershell.exe	89
PID 4208 wrote to memory of 2768	4208	powershell.exe	89
PID 3376 wrote to memory of 3324	3376	cmd.exe	90
PID 3376 wrote to memory of 3324	3376	cmd.exe	90
PID 3376 wrote to memory of 2320	3376	cmd.exe	91
PID 3376 wrote to memory of 2320	3376	cmd.exe	91
PID 2320 wrote to memory of 1628	2320	cmd.exe	92
PID 2320 wrote to memory of 1628	2320	cmd.exe	92
PID 2320 wrote to memory of 2608	2320	cmd.exe	93
PID 2320 wrote to memory of 2608	2320	cmd.exe	93
PID 2320 wrote to memory of 4240	2320	cmd.exe	94
PID 2320 wrote to memory of 4240	2320	cmd.exe	94
PID 2320 wrote to memory of 2656	2320	cmd.exe	97
PID 2320 wrote to memory of 2656	2320	cmd.exe	97
PID 2320 wrote to memory of 4756	2320	cmd.exe	98
PID 2320 wrote to memory of 4756	2320	cmd.exe	98
PID 2320 wrote to memory of 4036	2320	cmd.exe	99
PID 2320 wrote to memory of 4036	2320	cmd.exe	99
PID 2320 wrote to memory of 4036	2320	cmd.exe	99
PID 2320 wrote to memory of 2512	2320	cmd.exe	101
PID 2320 wrote to memory of 2512	2320	cmd.exe	101
PID 2512 wrote to memory of 2268	2512	WScript.exe	102
PID 2512 wrote to memory of 2268	2512	WScript.exe	102
PID 2512 wrote to memory of 2268	2512	WScript.exe	102
PID 2320 wrote to memory of 2972	2320	cmd.exe	104
PID 2320 wrote to memory of 2972	2320	cmd.exe	104
PID 2972 wrote to memory of 2196	2972	cmd.exe	105
PID 2972 wrote to memory of 2196	2972	cmd.exe	105
PID 2320 wrote to memory of 3804	2320	cmd.exe	106
PID 2320 wrote to memory of 3804	2320	cmd.exe	106
PID 3804 wrote to memory of 1220	3804	cmd.exe	107
PID 3804 wrote to memory of 1220	3804	cmd.exe	107
PID 2320 wrote to memory of 3656	2320	cmd.exe	108
PID 2320 wrote to memory of 3656	2320	cmd.exe	108
PID 2320 wrote to memory of 3408	2320	cmd.exe	109
PID 2320 wrote to memory of 3408	2320	cmd.exe	109
PID 2320 wrote to memory of 4164	2320	cmd.exe	110
PID 2320 wrote to memory of 4164	2320	cmd.exe	110
PID 2320 wrote to memory of 2228	2320	cmd.exe	111
PID 2320 wrote to memory of 2228	2320	cmd.exe	111
PID 2320 wrote to memory of 2980	2320	cmd.exe	112
PID 2320 wrote to memory of 2980	2320	cmd.exe	112
PID 2320 wrote to memory of 4804	2320	cmd.exe	113
PID 2320 wrote to memory of 4804	2320	cmd.exe	113
PID 2320 wrote to memory of 4144	2320	cmd.exe	114
PID 2320 wrote to memory of 4144	2320	cmd.exe	114
PID 2320 wrote to memory of 3924	2320	cmd.exe	115
PID 2320 wrote to memory of 3924	2320	cmd.exe	115
PID 2320 wrote to memory of 4644	2320	cmd.exe	116
PID 2320 wrote to memory of 4644	2320	cmd.exe	116
PID 2320 wrote to memory of 5112	2320	cmd.exe	117
PID 2320 wrote to memory of 5112	2320	cmd.exe	117

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\KMS_Suite.v9.3.EN.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:3376
- C:\Windows\system32\net.exe
  net session
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4744
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 session
    3⤵
    PID:4916
- C:\Windows\system32\mode.com
  mode con cols=78 lines=6
  2⤵
  PID:3772
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -nop -c $f=[IO.File]::ReadAllText($env:0)-split':KMSSuite\:.*';iex($f[1]); X(1)
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4208
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\urrsoopb\urrsoopb.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2068
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7600.tmp" "c:\Users\Admin\AppData\Local\Temp\urrsoopb\CSC489DC6004F594320AE41F5DA9C2FB8BC.TMP"
      4⤵
      PID:4312
- - C:\Windows\system32\expand.exe
    "C:\Windows\system32\expand.exe" -R 1 -F:* .
    3⤵
    - Drops file in Windows directory
    PID:2768
- C:\Windows\system32\xcopy.exe
  xcopy /s /h KMS_Suite 1277
  2⤵
  PID:3324
- C:\Windows\system32\cmd.exe
  cmd.exe /c KMS_Suite.bat
  2⤵
  - Checks computer location settings
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2320
- - C:\Windows\system32\reg.exe
    REG QUERY HKU\S-1-5-19\Environment
    3⤵
    PID:1628
- - C:\Windows\system32\mode.com
    mode con: cols=90 lines=40
    3⤵
    PID:2608
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -noprofile "$W=(get-host).ui.rawui; $B=$W.buffersize; $B.height=90; $W.buffersize=$B"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4240
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "prompt #$H#$E# & echo on & for %b in (1) do rem"
    3⤵
    PID:2656
- - C:\Windows\system32\mode.com
    mode con cols=92 lines=35
    3⤵
    PID:4756
- - C:\Users\Admin\AppData\Local\Temp\1277\bin\center.exe
    center.exe kF5nJ4D92hfOpc8
    3⤵
    - Executes dropped EXE
    PID:4036
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1277\bin\DisableX.vbs"
    3⤵
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    PID:2512
  - - C:\Users\Admin\AppData\Local\Temp\1277\bin\DisableX.exe
      "C:\Users\Admin\AppData\Local\Temp\1277\bin\DisableX.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of SetWindowsHookEx
      PID:2268
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v ProductName 2>nul
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2972
  - - C:\Windows\system32\reg.exe
      reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v ProductName
      4⤵
      PID:2196
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c powershell -nop -c "(([WMISEARCHER]'Select Version from Win32_OperatingSystem').Get()).Version"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3804
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -nop -c "(([WMISEARCHER]'Select Version from Win32_OperatingSystem').Get()).Version"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1220
- - C:\Windows\system32\mode.com
    mode con cols=92 lines=35
    3⤵
    PID:3656
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c time /t
    3⤵
    PID:3408
- - C:\Windows\system32\findstr.exe
    findstr /v /a:78 /R "^$" " KMS & KMS 2038 & Digital & Online Activation Suite v9.3 - mephistooo2 - www.TNCTR.com" nul
    3⤵
    PID:4164
- - C:\Windows\system32\findstr.exe
    findstr /v /a:6 /R "^$" " SUPPORT MICROSOFT PRUDUCTS" nul
    3⤵
    PID:2228
- - C:\Windows\system32\findstr.exe
    findstr /v /a:6 /R "^$" " [1] ACTIVATION START FOR WINDOWS & OFFICE (KMS Inject Method)" nul
    3⤵
    PID:2980
- - C:\Windows\system32\findstr.exe
    findstr /v /a:9 /R "^$" " [2] ACTIVATION START FOR WINDOWS 10-11 (Digital & KMS 2038 Activation Method)" nul
    3⤵
    PID:4804
- - C:\Windows\system32\findstr.exe
    findstr /v /a:2 /R "^$" " [3] ACTIVATION START FOR WINDOWS & OFFICE (Online Activation Method)" nul
    3⤵
    PID:4144
- - C:\Windows\system32\findstr.exe
    findstr /v /a:7 /R "^$" " [4] WINDOWS & OFFICE ACTIVATION STATUS CHECK" nul
    3⤵
    PID:3924
- - C:\Windows\system32\findstr.exe
    findstr /v /a:3 /R "^$" " [5] KMS & KMS 2038 & DIJITAL & ONLINE ACTIVATION VISIT WEBSITE" nul
    3⤵
    PID:4644
- - C:\Windows\system32\findstr.exe
    findstr /v /a:4 /R "^$" " [6] EXIT" nul
    3⤵
    PID:5112
- - C:\Windows\system32\choice.exe
    choice /C:123456 /N /M "YOUR CHOICE :"
    3⤵
    PID:4228
- - C:\Windows\system32\reg.exe
    REG QUERY HKU\S-1-5-19\Environment
    3⤵
    PID:2768
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v ProductName 2>nul
    3⤵
    PID:3948
  - - C:\Windows\system32\reg.exe
      reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v ProductName
      4⤵
      PID:2676
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c powershell -nop -c "(([WMISEARCHER]'Select Version from Win32_OperatingSystem').Get()).Version"
    3⤵
    PID:3500
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -nop -c "(([WMISEARCHER]'Select Version from Win32_OperatingSystem').Get()).Version"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3340
- - C:\Windows\system32\mode.com
    mode con:cols=84 lines=42
    3⤵
    PID:3324
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c time /t
    3⤵
    PID:1608
- - C:\Windows\system32\choice.exe
    choice /C:12345678 /N /M "YOUR CHOICE : "
    3⤵
    PID:1628
- - C:\Windows\system32\xcopy.exe
    xcopy /cryi bin\* C:\Windows\KMS\bin
    3⤵
    - Drops file in Windows directory
    PID:3700
- - C:\Windows\system32\schtasks.exe
    schtasks /create /tn "KMS_Activation" /xml "C:\Users\Admin\AppData\Local\Temp\1277\bin\Inject\bin\KMS.xml" /f
    3⤵
    - Creates scheduled task(s)
    PID:720
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v ProductName 2>nul
    3⤵
    PID:1468
  - - C:\Windows\system32\reg.exe
      reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v ProductName
      4⤵
      PID:4056
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c powershell -nop -c "(([WMISEARCHER]'Select Version from Win32_OperatingSystem').Get()).Version"
    3⤵
    PID:2276
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -nop -c "(([WMISEARCHER]'Select Version from Win32_OperatingSystem').Get()).Version"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:712
- - C:\Windows\system32\mode.com
    mode con:cols=84 lines=42
    3⤵
    PID:4564
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c time /t
    3⤵
    PID:4280
- - C:\Windows\system32\choice.exe
    choice /C:12345678 /N /M "YOUR CHOICE : "
    3⤵
    PID:1176
- - C:\Windows\system32\schtasks.exe
    schtasks /delete /tn "KMS_Activation" /f
    3⤵
    PID:2104
- - C:\Windows\system32\cscript.exe
    cscript //nologo C:\Windows\System32\slmgr.vbs /ckms
    3⤵
    PID:3132
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v ProductName 2>nul
    3⤵
    PID:4920
  - - C:\Windows\system32\reg.exe
      reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v ProductName
      4⤵
      PID:3408
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c powershell -nop -c "(([WMISEARCHER]'Select Version from Win32_OperatingSystem').Get()).Version"
    3⤵
    PID:936
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -nop -c "(([WMISEARCHER]'Select Version from Win32_OperatingSystem').Get()).Version"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2228
- - C:\Windows\system32\mode.com
    mode con:cols=84 lines=42
    3⤵
    PID:1136
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c time /t
    3⤵
    PID:5008
- - C:\Windows\system32\choice.exe
    choice /C:12345678 /N /M "YOUR CHOICE : "
    3⤵
    PID:3736
- - C:\Windows\system32\xcopy.exe
    xcopy $OEM$\* "C:"\$OEM$ /s /i /y
    3⤵
    PID:4644
- - C:\Windows\system32\xcopy.exe
    xcopy /cryi bin\* "C:"\$OEM$\$$\Setup\Scripts\bin\
    3⤵
    PID:4364
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\TEMPmessage.vbS"
    3⤵
    PID:1896
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v ProductName 2>nul
    3⤵
    PID:4040
  - - C:\Windows\system32\reg.exe
      reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v ProductName
      4⤵
      PID:3848
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c powershell -nop -c "(([WMISEARCHER]'Select Version from Win32_OperatingSystem').Get()).Version"
    3⤵
    PID:2352
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -nop -c "(([WMISEARCHER]'Select Version from Win32_OperatingSystem').Get()).Version"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:5052
- - C:\Windows\system32\mode.com
    mode con:cols=84 lines=42
    3⤵
    PID:4216
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c time /t
    3⤵
    PID:4976
- - C:\Windows\system32\choice.exe
    choice /C:12345678 /N /M "YOUR CHOICE : "
    3⤵
    PID:512
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -nop -c $f=[IO.File]::ReadAllText($env:0)-split':bat2file\:.*';iex($f[1]); X(1)
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2056
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\2q2cjetz\2q2cjetz.cmdline"
      4⤵
      PID:3380
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3AF6.tmp" "c:\Users\Admin\AppData\Local\Temp\2q2cjetz\CSC5F7C3318858140D99897AB4AA2C1F112.TMP"
        5⤵
        
        PID:2768
  - - C:\Windows\system32\expand.exe
      "C:\Windows\system32\expand.exe" -R 1 -F:* .
      4⤵
      Drops file in Windows directory
      PID:4448
- - C:\Windows\system32\mode.com
    mode con:cols=70 lines=55
    3⤵
    PID:5104
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ver
    3⤵
    PID:4456
- - C:\Windows\System32\reg.exe
    reg query "HKCU\SOFTWARE\Microsoft\Windows Script Host\Settings" /v Enabled
    3⤵
    PID:3568
- - C:\Windows\System32\find.exe
    find /i "0x0"
    3⤵
    PID:4940
- - C:\Windows\System32\reg.exe
    reg query HKU\S-1-5-19
    3⤵
    PID:352
- - C:\Windows\System32\reg.exe
    reg query "HKLM\SOFTWARE\Microsoft\Windows Script Host\Settings" /v Enabled
    3⤵
    PID:112
- - C:\Windows\System32\find.exe
    find /i "0x0"
    3⤵
    PID:1392
- - C:\Windows\System32\sc.exe
    sc query osppsvc
    3⤵
    - Launches sc.exe
    PID:4080
- - C:\Windows\System32\net.exe
    net start sppsvc /y
    3⤵
    PID:1584
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 start sppsvc /y
      4⤵
      PID:988
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path SoftwareLicensingProduct where (ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f' and PartialProductKey is not null) get ID /value
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4184
- - C:\Windows\System32\findstr.exe
    findstr /i ID
    3⤵
    PID:2608
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path SoftwareLicensingProduct where (ApplicationID='0ff1ce15-a989-479d-af46-f275c6370663' and PartialProductKey is not null) get ID /value
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4160
- - C:\Windows\System32\findstr.exe
    findstr /i ID
    3⤵
    PID:4608
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path SoftwareLicensingProduct where (ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f' and PartialProductKey is not null) get ID /value"
    3⤵
    PID:1828
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path SoftwareLicensingProduct where (ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f' and PartialProductKey is not null) get ID /value
      4⤵
      PID:364
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path SoftwareLicensingProduct where ID='2de67392-b7a7-462a-b1ca-108dd189f588' get Description, DiscoveredKeyManagementServiceMachineName, DiscoveredKeyManagementServiceMachinePort, EvaluationEndDate, GracePeriodRemaining, ID, KeyManagementServiceMachine, KeyManagementServicePort, KeyManagementServiceProductKeyID, LicenseStatus, LicenseStatusReason, Name, PartialProductKey, ProductKeyID, VLActivationInterval, VLRenewalInterval, KeyManagementServiceLookupDomain, VLActivationTypeEnabled, DiscoveredKeyManagementServiceMachineIpAddress, ProductKeyChannel /value" | findstr =
    3⤵
    PID:4720
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path SoftwareLicensingProduct where ID='2de67392-b7a7-462a-b1ca-108dd189f588' get Description, DiscoveredKeyManagementServiceMachineName, DiscoveredKeyManagementServiceMachinePort, EvaluationEndDate, GracePeriodRemaining, ID, KeyManagementServiceMachine, KeyManagementServicePort, KeyManagementServiceProductKeyID, LicenseStatus, LicenseStatusReason, Name, PartialProductKey, ProductKeyID, VLActivationInterval, VLRenewalInterval, KeyManagementServiceLookupDomain, VLActivationTypeEnabled, DiscoveredKeyManagementServiceMachineIpAddress, ProductKeyChannel /value
      4⤵
      PID:704
  - - C:\Windows\System32\findstr.exe
      findstr =
      4⤵
      PID:3068
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Windows(R) Operating System, VOLUME_KMSCLIENT channel"
    3⤵
    PID:4104
- - C:\Windows\System32\findstr.exe
    findstr /i VOLUME_KMSCLIENT
    3⤵
    PID:1472
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Windows(R) Operating System, VOLUME_KMSCLIENT channel"
    3⤵
    PID:1016
- - C:\Windows\System32\findstr.exe
    findstr /i TIMEBASED_
    3⤵
    PID:4884
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Windows(R) Operating System, VOLUME_KMSCLIENT channel"
    3⤵
    PID:3752
- - C:\Windows\System32\findstr.exe
    findstr /i VIRTUAL_MACHINE_ACTIVATION
    3⤵
    PID:4472
- - C:\Windows\System32\cmd.exe
    cmd /c exit /b 3221549142
    3⤵
    PID:4112
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path SoftwareLicensingService get ClientMachineID, KeyManagementServiceHostCaching /value" | findstr =
    3⤵
    PID:8
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path SoftwareLicensingService get ClientMachineID, KeyManagementServiceHostCaching /value
      4⤵
      PID:2196
  - - C:\Windows\System32\findstr.exe
      findstr =
      4⤵
      PID:3456
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path SoftwareLicensingProduct where (ApplicationID='0ff1ce15-a989-479d-af46-f275c6370663' and PartialProductKey is not null) get ID /value"
    3⤵
    PID:4628
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path SoftwareLicensingProduct where (ApplicationID='0ff1ce15-a989-479d-af46-f275c6370663' and PartialProductKey is not null) get ID /value
      4⤵
      PID:1500
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path SoftwareLicensingProduct where ID='85dd8b5f-eaa4-4af3-a628-cce9e77c9a03' get Description, DiscoveredKeyManagementServiceMachineName, DiscoveredKeyManagementServiceMachinePort, EvaluationEndDate, GracePeriodRemaining, ID, KeyManagementServiceMachine, KeyManagementServicePort, KeyManagementServiceProductKeyID, LicenseStatus, LicenseStatusReason, Name, PartialProductKey, ProductKeyID, VLActivationInterval, VLRenewalInterval, KeyManagementServiceLookupDomain, VLActivationTypeEnabled, DiscoveredKeyManagementServiceMachineIpAddress, ProductKeyChannel /value" | findstr =
    3⤵
    PID:4280
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path SoftwareLicensingProduct where ID='85dd8b5f-eaa4-4af3-a628-cce9e77c9a03' get Description, DiscoveredKeyManagementServiceMachineName, DiscoveredKeyManagementServiceMachinePort, EvaluationEndDate, GracePeriodRemaining, ID, KeyManagementServiceMachine, KeyManagementServicePort, KeyManagementServiceProductKeyID, LicenseStatus, LicenseStatusReason, Name, PartialProductKey, ProductKeyID, VLActivationInterval, VLRenewalInterval, KeyManagementServiceLookupDomain, VLActivationTypeEnabled, DiscoveredKeyManagementServiceMachineIpAddress, ProductKeyChannel /value
      4⤵
      PID:1504
  - - C:\Windows\System32\findstr.exe
      findstr =
      4⤵
      PID:1072
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Office 19, VOLUME_KMSCLIENT channel"
    3⤵
    PID:1452
- - C:\Windows\System32\findstr.exe
    findstr /i VOLUME_KMSCLIENT
    3⤵
    PID:3784
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Office 19, VOLUME_KMSCLIENT channel"
    3⤵
    PID:3132
- - C:\Windows\System32\findstr.exe
    findstr /i TIMEBASED_
    3⤵
    PID:880
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Office 19, VOLUME_KMSCLIENT channel"
    3⤵
    PID:3408
- - C:\Windows\System32\findstr.exe
    findstr /i VIRTUAL_MACHINE_ACTIVATION
    3⤵
    PID:4920
- - C:\Windows\System32\cmd.exe
    cmd /c exit /b 3221549142
    3⤵
    PID:2804
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path SoftwareLicensingService get ClientMachineID, KeyManagementServiceHostCaching /value" | findstr =
    3⤵
    PID:4796
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path SoftwareLicensingService get ClientMachineID, KeyManagementServiceHostCaching /value
      4⤵
      PID:2140
  - - C:\Windows\System32\findstr.exe
      findstr =
      4⤵
      PID:4804
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v ProductName 2>nul
    3⤵
    PID:4248
  - - C:\Windows\system32\reg.exe
      reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v ProductName
      4⤵
      PID:1188
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c powershell -nop -c "(([WMISEARCHER]'Select Version from Win32_OperatingSystem').Get()).Version"
    3⤵
    PID:3440
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -nop -c "(([WMISEARCHER]'Select Version from Win32_OperatingSystem').Get()).Version"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:4364
- - C:\Windows\system32\mode.com
    mode con:cols=84 lines=42
    3⤵
    PID:3848
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c time /t
    3⤵
    PID:2144
- - C:\Windows\system32\choice.exe
    choice /C:12345678 /N /M "YOUR CHOICE : "
    3⤵
    PID:2304
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -nop -c $f=[IO.File]::ReadAllText($env:0)-split':bat2file\:.*';iex($f[1]); X(1)
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1244
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\e0uw5euz\e0uw5euz.cmdline"
      4⤵
      PID:3632
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESAE60.tmp" "c:\Users\Admin\AppData\Local\Temp\e0uw5euz\CSCA128E2BBC7EB4C448BB9A0195EF99E7C.TMP"
        5⤵
        
        PID:1476
  - - C:\Windows\system32\expand.exe
      "C:\Windows\system32\expand.exe" -R 1 -F:* .
      4⤵
      Drops file in Windows directory
      PID:3800
- - C:\Windows\system32\mode.com
    mode con:cols=70 lines=55
    3⤵
    PID:3988
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ver
    3⤵
    PID:2188
- - C:\Windows\System32\find.exe
    find /i "0x0"
    3⤵
    PID:628
- - C:\Windows\System32\reg.exe
    reg query "HKCU\SOFTWARE\Microsoft\Windows Script Host\Settings" /v Enabled
    3⤵
    PID:3892
- - C:\Windows\System32\reg.exe
    reg query HKU\S-1-5-19
    3⤵
    PID:3148
- - C:\Windows\System32\reg.exe
    reg query "HKLM\SOFTWARE\Microsoft\Windows Script Host\Settings" /v Enabled
    3⤵
    PID:4844
- - C:\Windows\System32\find.exe
    find /i "0x0"
    3⤵
    PID:4836
- - C:\Windows\System32\sc.exe
    sc query osppsvc
    3⤵
    - Launches sc.exe
    PID:3600
- - C:\Windows\System32\net.exe
    net start sppsvc /y
    3⤵
    PID:3344
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 start sppsvc /y
      4⤵
      PID:2136
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path SoftwareLicensingProduct where (ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f' and PartialProductKey is not null) get ID /value
    3⤵
    PID:2152
- - C:\Windows\System32\findstr.exe
    findstr /i ID
    3⤵
    PID:3400
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path SoftwareLicensingProduct where (ApplicationID='0ff1ce15-a989-479d-af46-f275c6370663' and PartialProductKey is not null) get ID /value
    3⤵
    PID:352
- - C:\Windows\System32\findstr.exe
    findstr /i ID
    3⤵
    PID:2256
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path SoftwareLicensingProduct where (ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f' and PartialProductKey is not null) get ID /value"
    3⤵
    PID:4080
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path SoftwareLicensingProduct where (ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f' and PartialProductKey is not null) get ID /value
      4⤵
      PID:1892
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path SoftwareLicensingProduct where ID='2de67392-b7a7-462a-b1ca-108dd189f588' get Description, DiscoveredKeyManagementServiceMachineName, DiscoveredKeyManagementServiceMachinePort, EvaluationEndDate, GracePeriodRemaining, ID, KeyManagementServiceMachine, KeyManagementServicePort, KeyManagementServiceProductKeyID, LicenseStatus, LicenseStatusReason, Name, PartialProductKey, ProductKeyID, VLActivationInterval, VLRenewalInterval, KeyManagementServiceLookupDomain, VLActivationTypeEnabled, DiscoveredKeyManagementServiceMachineIpAddress, ProductKeyChannel /value" | findstr =
    3⤵
    PID:1964
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path SoftwareLicensingProduct where ID='2de67392-b7a7-462a-b1ca-108dd189f588' get Description, DiscoveredKeyManagementServiceMachineName, DiscoveredKeyManagementServiceMachinePort, EvaluationEndDate, GracePeriodRemaining, ID, KeyManagementServiceMachine, KeyManagementServicePort, KeyManagementServiceProductKeyID, LicenseStatus, LicenseStatusReason, Name, PartialProductKey, ProductKeyID, VLActivationInterval, VLRenewalInterval, KeyManagementServiceLookupDomain, VLActivationTypeEnabled, DiscoveredKeyManagementServiceMachineIpAddress, ProductKeyChannel /value
      4⤵
      PID:3932
  - - C:\Windows\System32\findstr.exe
      findstr =
      4⤵
      PID:3200
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Windows(R) Operating System, VOLUME_KMSCLIENT channel"
    3⤵
    PID:3696
- - C:\Windows\System32\findstr.exe
    findstr /i VOLUME_KMSCLIENT
    3⤵
    PID:2940
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Windows(R) Operating System, VOLUME_KMSCLIENT channel"
    3⤵
    PID:3820
- - C:\Windows\System32\findstr.exe
    findstr /i TIMEBASED_
    3⤵
    PID:3960
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Windows(R) Operating System, VOLUME_KMSCLIENT channel"
    3⤵
    PID:748
- - C:\Windows\System32\findstr.exe
    findstr /i VIRTUAL_MACHINE_ACTIVATION
    3⤵
    PID:4088
- - C:\Windows\System32\cmd.exe
    cmd /c exit /b 3221549142
    3⤵
    PID:660
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path SoftwareLicensingService get ClientMachineID, KeyManagementServiceHostCaching /value" | findstr =
    3⤵
    PID:704
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path SoftwareLicensingService get ClientMachineID, KeyManagementServiceHostCaching /value
      4⤵
      PID:3068
  - - C:\Windows\System32\findstr.exe
      findstr =
      4⤵
      PID:4720
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path SoftwareLicensingProduct where (ApplicationID='0ff1ce15-a989-479d-af46-f275c6370663' and PartialProductKey is not null) get ID /value"
    3⤵
    PID:4612
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path SoftwareLicensingProduct where (ApplicationID='0ff1ce15-a989-479d-af46-f275c6370663' and PartialProductKey is not null) get ID /value
      4⤵
      PID:4532
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path SoftwareLicensingProduct where ID='85dd8b5f-eaa4-4af3-a628-cce9e77c9a03' get Description, DiscoveredKeyManagementServiceMachineName, DiscoveredKeyManagementServiceMachinePort, EvaluationEndDate, GracePeriodRemaining, ID, KeyManagementServiceMachine, KeyManagementServicePort, KeyManagementServiceProductKeyID, LicenseStatus, LicenseStatusReason, Name, PartialProductKey, ProductKeyID, VLActivationInterval, VLRenewalInterval, KeyManagementServiceLookupDomain, VLActivationTypeEnabled, DiscoveredKeyManagementServiceMachineIpAddress, ProductKeyChannel /value" | findstr =
    3⤵
    PID:800
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path SoftwareLicensingProduct where ID='85dd8b5f-eaa4-4af3-a628-cce9e77c9a03' get Description, DiscoveredKeyManagementServiceMachineName, DiscoveredKeyManagementServiceMachinePort, EvaluationEndDate, GracePeriodRemaining, ID, KeyManagementServiceMachine, KeyManagementServicePort, KeyManagementServiceProductKeyID, LicenseStatus, LicenseStatusReason, Name, PartialProductKey, ProductKeyID, VLActivationInterval, VLRenewalInterval, KeyManagementServiceLookupDomain, VLActivationTypeEnabled, DiscoveredKeyManagementServiceMachineIpAddress, ProductKeyChannel /value
      4⤵
      PID:1984
  - - C:\Windows\System32\findstr.exe
      findstr =
      4⤵
      PID:2220
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Office 19, VOLUME_KMSCLIENT channel"
    3⤵
    PID:1340
- - C:\Windows\System32\findstr.exe
    findstr /i VOLUME_KMSCLIENT
    3⤵
    PID:3456
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Office 19, VOLUME_KMSCLIENT channel"
    3⤵
    PID:5016
- - C:\Windows\System32\findstr.exe
    findstr /i TIMEBASED_
    3⤵
    PID:4856
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Office 19, VOLUME_KMSCLIENT channel"
    3⤵
    PID:4628
- - C:\Windows\System32\findstr.exe
    findstr /i VIRTUAL_MACHINE_ACTIVATION
    3⤵
    PID:4468
- - C:\Windows\System32\cmd.exe
    cmd /c exit /b 3221549142
    3⤵
    PID:2104
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path SoftwareLicensingService get ClientMachineID, KeyManagementServiceHostCaching /value" | findstr =
    3⤵
    PID:2180
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path SoftwareLicensingService get ClientMachineID, KeyManagementServiceHostCaching /value
      4⤵
      PID:4280
  - - C:\Windows\System32\findstr.exe
      findstr =
      4⤵
      PID:3652
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v ProductName 2>nul
    3⤵
    PID:4656
  - - C:\Windows\system32\reg.exe
      reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v ProductName
      4⤵
      PID:4920
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c powershell -nop -c "(([WMISEARCHER]'Select Version from Win32_OperatingSystem').Get()).Version"
    3⤵
    PID:2804
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -nop -c "(([WMISEARCHER]'Select Version from Win32_OperatingSystem').Get()).Version"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:4560
- - C:\Windows\system32\mode.com
    mode con:cols=84 lines=42
    3⤵
    PID:1136
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c time /t
    3⤵
    PID:912
- - C:\Windows\system32\choice.exe
    choice /C:12345678 /N /M "YOUR CHOICE : "
    3⤵
    PID:1652
- - C:\Windows\system32\reg.exe
    REG QUERY HKU\S-1-5-19\Environment
    3⤵
    PID:884
- - C:\Windows\system32\mode.com
    mode con: cols=90 lines=40
    3⤵
    PID:1456
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -noprofile "$W=(get-host).ui.rawui; $B=$W.buffersize; $B.height=90; $W.buffersize=$B"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1524
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "prompt #$H#$E# & echo on & for %b in (1) do rem"
    3⤵
    PID:3348
- - C:\Windows\system32\mode.com
    mode con cols=92 lines=35
    3⤵
    PID:3984
- - C:\Users\Admin\AppData\Local\Temp\1277\bin\center.exe
    center.exe kF5nJ4D92hfOpc8
    3⤵
    - Executes dropped EXE
    PID:3912
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1277\bin\DisableX.vbs"
    3⤵
    - Checks computer location settings
    PID:1572
  - - C:\Users\Admin\AppData\Local\Temp\1277\bin\DisableX.exe
      "C:\Users\Admin\AppData\Local\Temp\1277\bin\DisableX.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:428
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v ProductName 2>nul
    3⤵
    PID:1784
  - - C:\Windows\system32\reg.exe
      reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v ProductName
      4⤵
      PID:2580
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c powershell -nop -c "(([WMISEARCHER]'Select Version from Win32_OperatingSystem').Get()).Version"
    3⤵
    PID:4312
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -nop -c "(([WMISEARCHER]'Select Version from Win32_OperatingSystem').Get()).Version"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:3544
- - C:\Windows\system32\mode.com
    mode con cols=92 lines=35
    3⤵
    PID:4828
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c time /t
    3⤵
    PID:4576
- - C:\Windows\system32\findstr.exe
    findstr /v /a:78 /R "^$" " KMS & KMS 2038 & Digital & Online Activation Suite v9.3 - mephistooo2 - www.TNCTR.com" nul
    3⤵
    PID:520
- - C:\Windows\system32\findstr.exe
    findstr /v /a:6 /R "^$" " SUPPORT MICROSOFT PRUDUCTS" nul
    3⤵
    PID:380
- - C:\Windows\system32\findstr.exe
    findstr /v /a:6 /R "^$" " [1] ACTIVATION START FOR WINDOWS & OFFICE (KMS Inject Method)" nul
    3⤵
    PID:4688
- - C:\Windows\system32\findstr.exe
    findstr /v /a:9 /R "^$" " [2] ACTIVATION START FOR WINDOWS 10-11 (Digital & KMS 2038 Activation Method)" nul
    3⤵
    PID:3976
- - C:\Windows\system32\findstr.exe
    findstr /v /a:2 /R "^$" " [3] ACTIVATION START FOR WINDOWS & OFFICE (Online Activation Method)" nul
    3⤵
    PID:2552
- - C:\Windows\system32\findstr.exe
    findstr /v /a:7 /R "^$" " [4] WINDOWS & OFFICE ACTIVATION STATUS CHECK" nul
    3⤵
    PID:412
- - C:\Windows\system32\findstr.exe
    findstr /v /a:3 /R "^$" " [5] KMS & KMS 2038 & DIJITAL & ONLINE ACTIVATION VISIT WEBSITE" nul
    3⤵
    PID:5116
- - C:\Windows\system32\findstr.exe
    findstr /v /a:4 /R "^$" " [6] EXIT" nul
    3⤵
    PID:3440
- - C:\Windows\system32\choice.exe
    choice /C:123456 /N /M "YOUR CHOICE :"
    3⤵
    PID:4040
- - C:\Windows\system32\reg.exe
    REG QUERY HKU\S-1-5-19\Environment
    3⤵
    PID:4924
- - C:\Windows\system32\mode.com
    mode con cols=70 lines=1
    3⤵
    PID:4624
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ver
    3⤵
    PID:1384
- - C:\Windows\system32\mode.com
    mode con cols=84 lines=41
    3⤵
    PID:4976
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v ProductName 2>nul
    3⤵
    PID:4216
  - - C:\Windows\system32\reg.exe
      reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v ProductName
      4⤵
      PID:4984
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c powershell -nop -c "(([WMISEARCHER]'Select Version from Win32_OperatingSystem').Get()).Version"
    3⤵
    PID:3476
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -nop -c "(([WMISEARCHER]'Select Version from Win32_OperatingSystem').Get()).Version"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:3064
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c time /t
    3⤵
    PID:3380
- - C:\Windows\system32\choice.exe
    choice /C:1234567 /N /M "YOUR CHOICE : "
    3⤵
    PID:2944
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c sc query ClipSVC
    3⤵
    PID:4836
  - - C:\Windows\system32\sc.exe
      sc query ClipSVC
      4⤵
      Launches sc.exe
      PID:3600
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c sc qc ClipSVC
    3⤵
    PID:1528
  - - C:\Windows\system32\sc.exe
      sc qc ClipSVC
      4⤵
      Launches sc.exe
      PID:3344
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c sc query sppsvc
    3⤵
    PID:4220
  - - C:\Windows\system32\sc.exe
      sc query sppsvc
      4⤵
      Launches sc.exe
      PID:3896
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c sc qc sppsvc
    3⤵
    PID:2676
  - - C:\Windows\system32\sc.exe
      sc qc sppsvc
      4⤵
      Launches sc.exe
      PID:3400
- - C:\Windows\system32\mode.com
    mode con cols=83 lines=33
    3⤵
    PID:112
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c DISM /English /Online /Get-CurrentEdition 2>nul | FIND /I "Current Edition :"
    3⤵
    PID:2236
  - - C:\Windows\system32\Dism.exe
      DISM /English /Online /Get-CurrentEdition
      4⤵
      Drops file in Windows directory
      PID:352
    - - C:\Users\Admin\AppData\Local\Temp\FF163764-6701-409E-92AC-9C9E1DB342F0\dismhost.exe
        
        C:\Users\Admin\AppData\Local\Temp\FF163764-6701-409E-92AC-9C9E1DB342F0\dismhost.exe {070382BB-E3DC-4BAA-926B-E2011C04FF71}
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Windows directory
        
        PID:1892
  - - C:\Windows\system32\find.exe
      FIND /I "Current Edition :"
      4⤵
      PID:3700
- - C:\Windows\system32\sc.exe
    sc stop clipsvc
    3⤵
    - Launches sc.exe
    PID:3792
- - C:\Windows\system32\cscript.exe
    cscript /nologo C:\Windows\system32\slmgr.vbs -ckms
    3⤵
    PID:364
- - C:\Windows\system32\cscript.exe
    cscript /nologo C:\Windows\system32\slmgr.vbs -rearm-app 55c92734-d682-4d71-983e-d6ec3f16059f
    3⤵
    PID:4756
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c powershell -nop -c "(([WMISEARCHER]'Select Caption from SoftwareLicensingProduct').Get()).ProductKeyID"
    3⤵
    PID:4056
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -nop -c "(([WMISEARCHER]'Select Caption from SoftwareLicensingProduct').Get()).ProductKeyID"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:1696
- - C:\Windows\system32\cscript.exe
    cscript //nologo "C:\Windows\System32\slmgr.vbs" /rearm-sku
    3⤵
    PID:2512
- - C:\Windows\system32\cscript.exe
    cscript /nologo C:\Windows\system32\slmgr.vbs -ipk W269N-WFGWX-YVC9B-4J6C9-T83GX
    3⤵
    PID:4260
- - C:\Windows\system32\rundll32.exe
    rundll32 "C:\Users\Admin\AppData\Local\Temp\1277\bin\Digital\bin\slc.dll",PatchGatherosstate
    3⤵
    PID:1176
  - - C:\Windows\SysWOW64\rundll32.exe
      rundll32 "C:\Users\Admin\AppData\Local\Temp\1277\bin\Digital\bin\slc.dll",PatchGatherosstate
      4⤵
      Loads dropped DLL
      PID:1956
- - C:\Users\Admin\AppData\Local\Temp\1277\bin\Digital\bin\gatherosstatemodified.exe
    gatherosstatemodified.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Checks SCSI registry key(s)
    PID:4092
- - C:\Windows\system32\timeout.exe
    timeout /t 3
    3⤵
    - Delays execution with timeout.exe
    PID:3656
- - C:\Windows\system32\ClipUp.exe
    clipup -v -o -altto bin\
    3⤵
    PID:4172
  - - C:\Windows\system32\clipup.exe
      clipup -v -o -altto bin\ -ppl C:\Users\Admin\AppData\Local\Temp\temE72F.tmp
      4⤵
      Checks SCSI registry key(s)
      PID:4452
- - C:\Windows\system32\cscript.exe
    cscript /nologo C:\Windows\system32\slmgr.vbs -ato
    3⤵
    PID:912
- - C:\Windows\system32\cscript.exe
    cscript /nologo C:\Windows\system32\slmgr.vbs -xpr
    3⤵
    PID:1384
- - C:\Windows\system32\mode.com
    mode con cols=70 lines=1
    3⤵
    PID:4216
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ver
    3⤵
    PID:944
- - C:\Windows\system32\mode.com
    mode con cols=84 lines=41
    3⤵
    PID:3060
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v ProductName 2>nul
    3⤵
    PID:2352
  - - C:\Windows\system32\reg.exe
      reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v ProductName
      4⤵
      PID:2732
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c powershell -nop -c "(([WMISEARCHER]'Select Version from Win32_OperatingSystem').Get()).Version"
    3⤵
    PID:2456
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -nop -c "(([WMISEARCHER]'Select Version from Win32_OperatingSystem').Get()).Version"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:3064
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c time /t
    3⤵
    PID:1780
- - C:\Windows\system32\choice.exe
    choice /C:1234567 /N /M "YOUR CHOICE : "
    3⤵
    PID:3468
- - C:\Windows\system32\reg.exe
    REG QUERY HKU\S-1-5-19\Environment
    3⤵
    PID:5112
- - C:\Windows\system32\mode.com
    mode con: cols=90 lines=40
    3⤵
    PID:852
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -noprofile "$W=(get-host).ui.rawui; $B=$W.buffersize; $B.height=90; $W.buffersize=$B"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:5012
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "prompt #$H#$E# & echo on & for %b in (1) do rem"
    3⤵
    PID:5036
- - C:\Windows\system32\mode.com
    mode con cols=92 lines=35
    3⤵
    PID:1620
- - C:\Users\Admin\AppData\Local\Temp\1277\bin\center.exe
    center.exe kF5nJ4D92hfOpc8
    3⤵
    - Executes dropped EXE
    PID:4448
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1277\bin\DisableX.vbs"
    3⤵
    - Checks computer location settings
    PID:4836
  - - C:\Users\Admin\AppData\Local\Temp\1277\bin\DisableX.exe
      "C:\Users\Admin\AppData\Local\Temp\1277\bin\DisableX.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:1900
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v ProductName 2>nul
    3⤵
    PID:3400
  - - C:\Windows\system32\reg.exe
      reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v ProductName
      4⤵
      PID:2484
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c powershell -nop -c "(([WMISEARCHER]'Select Version from Win32_OperatingSystem').Get()).Version"
    3⤵
    PID:2208
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -nop -c "(([WMISEARCHER]'Select Version from Win32_OperatingSystem').Get()).Version"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:3460
- - C:\Windows\system32\mode.com
    mode con cols=92 lines=35
    3⤵
    PID:4224
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c time /t
    3⤵
    PID:440
- - C:\Windows\system32\findstr.exe
    findstr /v /a:78 /R "^$" " KMS & KMS 2038 & Digital & Online Activation Suite v9.3 - mephistooo2 - www.TNCTR.com" nul
    3⤵
    PID:740
- - C:\Windows\system32\findstr.exe
    findstr /v /a:6 /R "^$" " SUPPORT MICROSOFT PRUDUCTS" nul
    3⤵
    PID:848
- - C:\Windows\system32\findstr.exe
    findstr /v /a:6 /R "^$" " [1] ACTIVATION START FOR WINDOWS & OFFICE (KMS Inject Method)" nul
    3⤵
    PID:364
- - C:\Windows\system32\findstr.exe
    findstr /v /a:9 /R "^$" " [2] ACTIVATION START FOR WINDOWS 10-11 (Digital & KMS 2038 Activation Method)" nul
    3⤵
    PID:4380
- - C:\Windows\system32\findstr.exe
    findstr /v /a:2 /R "^$" " [3] ACTIVATION START FOR WINDOWS & OFFICE (Online Activation Method)" nul
    3⤵
    PID:3068
- - C:\Windows\system32\findstr.exe
    findstr /v /a:7 /R "^$" " [4] WINDOWS & OFFICE ACTIVATION STATUS CHECK" nul
    3⤵
    PID:4364
- - C:\Windows\system32\findstr.exe
    findstr /v /a:3 /R "^$" " [5] KMS & KMS 2038 & DIJITAL & ONLINE ACTIVATION VISIT WEBSITE" nul
    3⤵
    PID:4612
- - C:\Windows\system32\findstr.exe
    findstr /v /a:4 /R "^$" " [6] EXIT" nul
    3⤵
    PID:3296
- - C:\Windows\system32\choice.exe
    choice /C:123456 /N /M "YOUR CHOICE :"
    3⤵
    PID:712
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -nop -c $f=[IO.File]::ReadAllText($env:0)-split':bat2file\:.*';iex($f[1]); X(1)
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2972
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\qtehjicf\qtehjicf.cmdline"
      4⤵
      PID:2264
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5D0A.tmp" "c:\Users\Admin\AppData\Local\Temp\qtehjicf\CSCB1CDD7FA4DEF48D9B028C0B3CD559F0.TMP"
        5⤵
        
        PID:3456
  - - C:\Windows\system32\expand.exe
      "C:\Windows\system32\expand.exe" -R 1 -F:* .
      4⤵
      Drops file in Windows directory
      PID:1480
- - C:\Windows\system32\mode.com
    mode con:cols=70 lines=55
    3⤵
    PID:4164
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ver
    3⤵
    PID:1420
- - C:\Windows\System32\find.exe
    find /i "0x0"
    3⤵
    PID:1072
- - C:\Windows\System32\reg.exe
    reg query "HKCU\SOFTWARE\Microsoft\Windows Script Host\Settings" /v Enabled
    3⤵
    PID:4092
- - C:\Windows\System32\reg.exe
    reg query HKU\S-1-5-19
    3⤵
    PID:2396
- - C:\Windows\System32\reg.exe
    reg query "HKLM\SOFTWARE\Microsoft\Windows Script Host\Settings" /v Enabled
    3⤵
    PID:5056
- - C:\Windows\System32\find.exe
    find /i "0x0"
    3⤵
    PID:4012
- - C:\Windows\System32\sc.exe
    sc query osppsvc
    3⤵
    - Launches sc.exe
    PID:4936
- - C:\Windows\System32\net.exe
    net start sppsvc /y
    3⤵
    PID:2692
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 start sppsvc /y
      4⤵
      PID:4656
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path SoftwareLicensingProduct where (ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f' and PartialProductKey is not null) get ID /value
    3⤵
    PID:4920
- - C:\Windows\System32\findstr.exe
    findstr /i ID
    3⤵
    PID:4676
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path SoftwareLicensingProduct where (ApplicationID='0ff1ce15-a989-479d-af46-f275c6370663' and PartialProductKey is not null) get ID /value
    3⤵
    PID:2804
- - C:\Windows\System32\findstr.exe
    findstr /i ID
    3⤵
    PID:1396
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path SoftwareLicensingProduct where (ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f' and PartialProductKey is not null) get ID /value"
    3⤵
    PID:804
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path SoftwareLicensingProduct where (ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f' and PartialProductKey is not null) get ID /value
      4⤵
      PID:5020
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path SoftwareLicensingProduct where ID='2de67392-b7a7-462a-b1ca-108dd189f588' get Description, DiscoveredKeyManagementServiceMachineName, DiscoveredKeyManagementServiceMachinePort, EvaluationEndDate, GracePeriodRemaining, ID, KeyManagementServiceMachine, KeyManagementServicePort, KeyManagementServiceProductKeyID, LicenseStatus, LicenseStatusReason, Name, PartialProductKey, ProductKeyID, VLActivationInterval, VLRenewalInterval, KeyManagementServiceLookupDomain, VLActivationTypeEnabled, DiscoveredKeyManagementServiceMachineIpAddress, ProductKeyChannel /value" | findstr =
    3⤵
    PID:2760
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path SoftwareLicensingProduct where ID='2de67392-b7a7-462a-b1ca-108dd189f588' get Description, DiscoveredKeyManagementServiceMachineName, DiscoveredKeyManagementServiceMachinePort, EvaluationEndDate, GracePeriodRemaining, ID, KeyManagementServiceMachine, KeyManagementServicePort, KeyManagementServiceProductKeyID, LicenseStatus, LicenseStatusReason, Name, PartialProductKey, ProductKeyID, VLActivationInterval, VLRenewalInterval, KeyManagementServiceLookupDomain, VLActivationTypeEnabled, DiscoveredKeyManagementServiceMachineIpAddress, ProductKeyChannel /value
      4⤵
      PID:1524
  - - C:\Windows\System32\findstr.exe
      findstr =
      4⤵
      PID:1036
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Windows(R) Operating System, VOLUME_KMSCLIENT channel"
    3⤵
    PID:3284
- - C:\Windows\System32\findstr.exe
    findstr /i VOLUME_KMSCLIENT
    3⤵
    PID:3436
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Windows(R) Operating System, VOLUME_KMSCLIENT channel"
    3⤵
    PID:4680
- - C:\Windows\System32\findstr.exe
    findstr /i TIMEBASED_
    3⤵
    PID:1064
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Windows(R) Operating System, VOLUME_KMSCLIENT channel"
    3⤵
    PID:1572
- - C:\Windows\System32\findstr.exe
    findstr /i VIRTUAL_MACHINE_ACTIVATION
    3⤵
    PID:2956
- - C:\Windows\System32\cmd.exe
    cmd /c exit /b 1074065472
    3⤵
    PID:596
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c cscript.exe //NoLogo //Job:XPDT "check.bat?.wsf" 8022460
    3⤵
    PID:2580
  - - C:\Windows\System32\cscript.exe
      cscript.exe //NoLogo //Job:XPDT "check.bat?.wsf" 8022460
      4⤵
      PID:2736
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path SoftwareLicensingService get ClientMachineID, KeyManagementServiceHostCaching /value" | findstr =
    3⤵
    PID:1824
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path SoftwareLicensingService get ClientMachineID, KeyManagementServiceHostCaching /value
      4⤵
      PID:1400
  - - C:\Windows\System32\findstr.exe
      findstr =
      4⤵
      PID:4488
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path SoftwareLicensingProduct where (ApplicationID='0ff1ce15-a989-479d-af46-f275c6370663' and PartialProductKey is not null) get ID /value"
    3⤵
    PID:1388
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path SoftwareLicensingProduct where (ApplicationID='0ff1ce15-a989-479d-af46-f275c6370663' and PartialProductKey is not null) get ID /value
      4⤵
      PID:1188
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path SoftwareLicensingProduct where ID='85dd8b5f-eaa4-4af3-a628-cce9e77c9a03' get Description, DiscoveredKeyManagementServiceMachineName, DiscoveredKeyManagementServiceMachinePort, EvaluationEndDate, GracePeriodRemaining, ID, KeyManagementServiceMachine, KeyManagementServicePort, KeyManagementServiceProductKeyID, LicenseStatus, LicenseStatusReason, Name, PartialProductKey, ProductKeyID, VLActivationInterval, VLRenewalInterval, KeyManagementServiceLookupDomain, VLActivationTypeEnabled, DiscoveredKeyManagementServiceMachineIpAddress, ProductKeyChannel /value" | findstr =
    3⤵
    PID:504
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path SoftwareLicensingProduct where ID='85dd8b5f-eaa4-4af3-a628-cce9e77c9a03' get Description, DiscoveredKeyManagementServiceMachineName, DiscoveredKeyManagementServiceMachinePort, EvaluationEndDate, GracePeriodRemaining, ID, KeyManagementServiceMachine, KeyManagementServicePort, KeyManagementServiceProductKeyID, LicenseStatus, LicenseStatusReason, Name, PartialProductKey, ProductKeyID, VLActivationInterval, VLRenewalInterval, KeyManagementServiceLookupDomain, VLActivationTypeEnabled, DiscoveredKeyManagementServiceMachineIpAddress, ProductKeyChannel /value
      4⤵
      PID:1020
  - - C:\Windows\System32\findstr.exe
      findstr =
      4⤵
      PID:3680
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Office 19, VOLUME_KMSCLIENT channel"
    3⤵
    PID:3976
- - C:\Windows\System32\findstr.exe
    findstr /i VOLUME_KMSCLIENT
    3⤵
    PID:4684
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Office 19, VOLUME_KMSCLIENT channel"
    3⤵
    PID:412
- - C:\Windows\System32\findstr.exe
    findstr /i TIMEBASED_
    3⤵
    PID:2932
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Office 19, VOLUME_KMSCLIENT channel"
    3⤵
    PID:3440
- - C:\Windows\System32\findstr.exe
    findstr /i VIRTUAL_MACHINE_ACTIVATION
    3⤵
    PID:3520
- - C:\Windows\System32\cmd.exe
    cmd /c exit /b 3221549142
    3⤵
    PID:3728
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path SoftwareLicensingService get ClientMachineID, KeyManagementServiceHostCaching /value" | findstr =
    3⤵
    PID:3528
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path SoftwareLicensingService get ClientMachineID, KeyManagementServiceHostCaching /value
      4⤵
      PID:2032
  - - C:\Windows\System32\findstr.exe
      findstr =
      4⤵
      PID:5008
- - C:\Windows\system32\mode.com
    mode con: cols=90 lines=40
    3⤵
    PID:3148
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -noprofile "$W=(get-host).ui.rawui; $B=$W.buffersize; $B.height=90; $W.buffersize=$B"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3476
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "prompt #$H#$E# & echo on & for %b in (1) do rem"
    3⤵
    PID:2404
- - C:\Windows\system32\mode.com
    mode con cols=92 lines=35
    3⤵
    PID:3468
- - C:\Users\Admin\AppData\Local\Temp\1277\bin\center.exe
    center.exe kF5nJ4D92hfOpc8
    3⤵
    - Executes dropped EXE
    PID:5112
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1277\bin\DisableX.vbs"
    3⤵
    - Checks computer location settings
    PID:3736
  - - C:\Users\Admin\AppData\Local\Temp\1277\bin\DisableX.exe
      "C:\Users\Admin\AppData\Local\Temp\1277\bin\DisableX.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:4664
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v ProductName 2>nul
    3⤵
    PID:4608
  - - C:\Windows\system32\reg.exe
      reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v ProductName
      4⤵
      PID:5036
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c powershell -nop -c "(([WMISEARCHER]'Select Version from Win32_OperatingSystem').Get()).Version"
    3⤵
    PID:3444
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -nop -c "(([WMISEARCHER]'Select Version from Win32_OperatingSystem').Get()).Version"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:3992
- - C:\Windows\system32\mode.com
    mode con cols=92 lines=35
    3⤵
    PID:2744
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c time /t
    3⤵
    PID:4476
- - C:\Windows\system32\findstr.exe
    findstr /v /a:78 /R "^$" " KMS & KMS 2038 & Digital & Online Activation Suite v9.3 - mephistooo2 - www.TNCTR.com" nul
    3⤵
    PID:2256
- - C:\Windows\system32\findstr.exe
    findstr /v /a:6 /R "^$" " SUPPORT MICROSOFT PRUDUCTS" nul
    3⤵
    PID:3092
- - C:\Windows\system32\findstr.exe
    findstr /v /a:6 /R "^$" " [1] ACTIVATION START FOR WINDOWS & OFFICE (KMS Inject Method)" nul
    3⤵
    PID:2876
- - C:\Windows\system32\findstr.exe
    findstr /v /a:9 /R "^$" " [2] ACTIVATION START FOR WINDOWS 10-11 (Digital & KMS 2038 Activation Method)" nul
    3⤵
    PID:3200
- - C:\Windows\system32\findstr.exe
    findstr /v /a:2 /R "^$" " [3] ACTIVATION START FOR WINDOWS & OFFICE (Online Activation Method)" nul
    3⤵
    PID:1808
- - C:\Windows\system32\findstr.exe
    findstr /v /a:7 /R "^$" " [4] WINDOWS & OFFICE ACTIVATION STATUS CHECK" nul
    3⤵
    PID:4264
- - C:\Windows\system32\findstr.exe
    findstr /v /a:3 /R "^$" " [5] KMS & KMS 2038 & DIJITAL & ONLINE ACTIVATION VISIT WEBSITE" nul
    3⤵
    PID:3960
- - C:\Windows\system32\findstr.exe
    findstr /v /a:4 /R "^$" " [6] EXIT" nul
    3⤵
    PID:4088
- - C:\Windows\system32\choice.exe
    choice /C:123456 /N /M "YOUR CHOICE :"
    3⤵
    PID:3588
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im DisableX.exe
    3⤵
    - Kills process with taskkill
    PID:4380
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\TEMPmessage.vbs"
    3⤵
    PID:4612

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Impair Defenses

T1562

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$OEM$\$$\Setup\Scripts\bin\cleanosppx64.exe

Filesize
19KB

MD5
162ab955cb2f002a73c1530aa796477f

SHA1
d30a0e4e5911d3ca705617d17225372731c770e2

SHA256
5ce462e5f34065fc878362ba58617fab28c22d631b9d836dddcf43fb1ad4de6e

SHA512
e0288dcf78092449d9cbaef4488041131925387c1aedc9e9512da0f66efe2fb68350ca3937f6715834e62e7c931c5dad0fc8bc3c6c0c3daedeff356d6feaac2e

Download Submit
C:\$OEM$\$$\Setup\Scripts\bin\cleanosppx86.exe

Filesize
17KB

MD5
5fd363d52d04ac200cd24f3bcc903200

SHA1
39ed8659e7ca16aaccb86def94ce6cec4c847dd6

SHA256
3fdefe2ad092a9a7fe0edf0ac4dc2de7e5b9ce6a0804f6511c06564194966cf9

SHA512
f8ea73b0cb0a90fac6032a54028c60119022173334e68db3fbd63fe173032dd3fc3b438678064edb8c63d4eceaa72990ce039819df3d547d7d7627ad2eee36b3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
556084f2c6d459c116a69d6fedcc4105

SHA1
633e89b9a1e77942d822d14de6708430a3944dbc

SHA256
88cc4f40f0eb08ff5c487d6db341b046cc63b22534980aca66a9f8480692f3a8

SHA512
0f6557027b098e45556af93e0be1db9a49c6416dc4afcff2cc2135a8a1ad4f1cf7185541ddbe6c768aefaf2c1a8e52d5282a538d15822d19932f22316edd283e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
331841fe482ffe8b1cc1509733d8ca67

SHA1
1e3257cca1b2c7c3aaf4cf1f138c9e9e665e8cb8

SHA256
14112a43248df71bdf7668c923f541190c6417ef37796605cf8114f565648d0f

SHA512
039e5991132912f94b3fbe23146ee61bb822aada6a3f2b37bca226c76c162e04a106f3626587ff079411a03e6e9a4813ad04813ada4694f9b78f49e1925389d9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
1bad2704664b4c1a190586ec492be65f

SHA1
1c98e6645c66774152c184d23f7a3178ce522e7b

SHA256
5950586396814b38bfdbb86757839fc8c7ce3eb73577775473c29ce6be81fe3e

SHA512
668553c12f1e5560baba826d5c8b139d7c7e323b6aa4e3723aaca479850f898c147d63cb77d305d715044db1e75cf501d6502ca214c7ed05ded424b230893bb0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
0ff7e1af4cc86e108eef582452b35523

SHA1
c2ccf2811d56c3a3a58dced2b07f95076c6b5b96

SHA256
62ed8ef2250f9f744852cb67df0286c80f94e26aed646989b76e5b78f2f1f0d0

SHA512
374675fd36cd8bc38acaec44d4cc855b85feece548d99616496d498e61e943fd695fec7c57550a58a32455e8b21b41bafa18cd1dadac69676fff1de1a56da937

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
446dd1cf97eaba21cf14d03aebc79f27

SHA1
36e4cc7367e0c7b40f4a8ace272941ea46373799

SHA256
a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf

SHA512
a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
446dd1cf97eaba21cf14d03aebc79f27

SHA1
36e4cc7367e0c7b40f4a8ace272941ea46373799

SHA256
a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf

SHA512
a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7

Download Submit
C:\Users\Admin\AppData\Local\Temp\ KMS & KMS 2038 & Digital & Online Activation Suite v9.3 - mephistooo2 - www.TNCTR.com

Filesize
3B

MD5
df66fa563a2fafdb93cc559deb0a38c4

SHA1
e6666cf8574b0f7a9ae5bccee572f965c2aec9cb

SHA256
3e39ed22dc63246937c4dbbf34ce4fb1cfe6b00de7596b020cad49ae50031351

SHA512
34ea05ee75cd840a94526411777868edb293a69867e1fdc2c2e917d278a3d58fcb86afc65142f4b184ce6907f04fb254a86061cfb620f01874b0b454a6f01c18

Download Submit
C:\Users\Admin\AppData\Local\Temp\ SUPPORT MICROSOFT PRUDUCTS

Filesize
3B

MD5
df66fa563a2fafdb93cc559deb0a38c4

SHA1
e6666cf8574b0f7a9ae5bccee572f965c2aec9cb

SHA256
3e39ed22dc63246937c4dbbf34ce4fb1cfe6b00de7596b020cad49ae50031351

SHA512
34ea05ee75cd840a94526411777868edb293a69867e1fdc2c2e917d278a3d58fcb86afc65142f4b184ce6907f04fb254a86061cfb620f01874b0b454a6f01c18

Download Submit
C:\Users\Admin\AppData\Local\Temp\ [1] ACTIVATION START FOR WINDOWS & OFFICE (KMS Inject Method)

Filesize
3B

MD5
df66fa563a2fafdb93cc559deb0a38c4

SHA1
e6666cf8574b0f7a9ae5bccee572f965c2aec9cb

SHA256
3e39ed22dc63246937c4dbbf34ce4fb1cfe6b00de7596b020cad49ae50031351

SHA512
34ea05ee75cd840a94526411777868edb293a69867e1fdc2c2e917d278a3d58fcb86afc65142f4b184ce6907f04fb254a86061cfb620f01874b0b454a6f01c18

Download Submit
C:\Users\Admin\AppData\Local\Temp\ [2] ACTIVATION START FOR WINDOWS 10-11 (Digital & KMS 2038 Activation Method)

Filesize
3B

MD5
df66fa563a2fafdb93cc559deb0a38c4

SHA1
e6666cf8574b0f7a9ae5bccee572f965c2aec9cb

SHA256
3e39ed22dc63246937c4dbbf34ce4fb1cfe6b00de7596b020cad49ae50031351

SHA512
34ea05ee75cd840a94526411777868edb293a69867e1fdc2c2e917d278a3d58fcb86afc65142f4b184ce6907f04fb254a86061cfb620f01874b0b454a6f01c18

Download Submit
C:\Users\Admin\AppData\Local\Temp\ [3] ACTIVATION START FOR WINDOWS & OFFICE (Online Activation Method)

Filesize
3B

MD5
df66fa563a2fafdb93cc559deb0a38c4

SHA1
e6666cf8574b0f7a9ae5bccee572f965c2aec9cb

SHA256
3e39ed22dc63246937c4dbbf34ce4fb1cfe6b00de7596b020cad49ae50031351

SHA512
34ea05ee75cd840a94526411777868edb293a69867e1fdc2c2e917d278a3d58fcb86afc65142f4b184ce6907f04fb254a86061cfb620f01874b0b454a6f01c18

Download Submit
C:\Users\Admin\AppData\Local\Temp\ [4] WINDOWS & OFFICE ACTIVATION STATUS CHECK

Filesize
3B

MD5
df66fa563a2fafdb93cc559deb0a38c4

SHA1
e6666cf8574b0f7a9ae5bccee572f965c2aec9cb

SHA256
3e39ed22dc63246937c4dbbf34ce4fb1cfe6b00de7596b020cad49ae50031351

SHA512
34ea05ee75cd840a94526411777868edb293a69867e1fdc2c2e917d278a3d58fcb86afc65142f4b184ce6907f04fb254a86061cfb620f01874b0b454a6f01c18

Download Submit
C:\Users\Admin\AppData\Local\Temp\ [5] KMS & KMS 2038 & DIJITAL & ONLINE ACTIVATION VISIT WEBSITE

Filesize
3B

MD5
df66fa563a2fafdb93cc559deb0a38c4

SHA1
e6666cf8574b0f7a9ae5bccee572f965c2aec9cb

SHA256
3e39ed22dc63246937c4dbbf34ce4fb1cfe6b00de7596b020cad49ae50031351

SHA512
34ea05ee75cd840a94526411777868edb293a69867e1fdc2c2e917d278a3d58fcb86afc65142f4b184ce6907f04fb254a86061cfb620f01874b0b454a6f01c18

Download Submit
C:\Users\Admin\AppData\Local\Temp\ [6] EXIT

Filesize
3B

MD5
df66fa563a2fafdb93cc559deb0a38c4

SHA1
e6666cf8574b0f7a9ae5bccee572f965c2aec9cb

SHA256
3e39ed22dc63246937c4dbbf34ce4fb1cfe6b00de7596b020cad49ae50031351

SHA512
34ea05ee75cd840a94526411777868edb293a69867e1fdc2c2e917d278a3d58fcb86afc65142f4b184ce6907f04fb254a86061cfb620f01874b0b454a6f01c18

Download Submit
C:\Users\Admin\AppData\Local\Temp\1

Filesize
279KB

MD5
436d8d09dc86c53be0486371400bd951

SHA1
c50a173334aceb34ceebe878ce4e47dc8b206c95

SHA256
586aa43770695b63537a434ad7835fd5b10c8d513eb1743255cf5b68cb5586b2

SHA512
28bc2990348f2c2828accc1843570d9f3834eb2c4d94083d2e90ede87266b0c3c3a8ade15458177bfb184b94d985ac406bd1ce58477832e38564d1c88623b81f

Download Submit
C:\Users\Admin\AppData\Local\Temp\1277\KMS_Suite.bat

Filesize
142KB

MD5
f825dcc537d39befd3a38d3558af19ec

SHA1
98c581debf37d459149413f4e73ff247cb67ff67

SHA256
2a6a60cc19bde03d9ef004b0413ce9c73b1abb71bb21a7a14ebaa41636cb561b

SHA512
ca293b76e89e10d5e35aea396498141dc962fdd24002e9638df19c68a6e619cf9b0a55edfab0e640e9d2a422d51943601a73f1102b7435a39cc05492f63de7d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\1277\bin\DisableX.exe

Filesize
16KB

MD5
00c9837407663587c69df18793248d52

SHA1
db8c290e81aba4712febba5f43ef6fa3ec319f61

SHA256
09933212238bc7d0cce57469f9927c0325d5670b21fc7787428574c4a52e5f6d

SHA512
2035a69398202385c327cf1970565855852275807e587f4b804e3c475b0a259a27052f14d791dfc5967d5e3114266b971670a78160832d8d46304b573d31b304

Download Submit
C:\Users\Admin\AppData\Local\Temp\1277\bin\DisableX.exe

Filesize
16KB

MD5
00c9837407663587c69df18793248d52

SHA1
db8c290e81aba4712febba5f43ef6fa3ec319f61

SHA256
09933212238bc7d0cce57469f9927c0325d5670b21fc7787428574c4a52e5f6d

SHA512
2035a69398202385c327cf1970565855852275807e587f4b804e3c475b0a259a27052f14d791dfc5967d5e3114266b971670a78160832d8d46304b573d31b304

Download Submit
C:\Users\Admin\AppData\Local\Temp\1277\bin\DisableX.vbs

Filesize
189B

MD5
c2206c9c9b0c97f7c5db4f473e96e9a3

SHA1
77b32538358d64aff6d7e083bba358f0fe7b2789

SHA256
f1cec878cd1db36ca4ccb68296cd47ce039054e2ece4cd22d9933b90c8625c1f

SHA512
67c8d84c4a58aa6dcfcd1271b206c0ac36d1f05db3701d0f003357746daaf6d3328fd7002cc1e6c2d2f3d0388c519669ec94e2bd0d817589decc6ac04c5f444a

Download Submit
C:\Users\Admin\AppData\Local\Temp\1277\bin\Inject\$OEM$\$$\Setup\Scripts\SETUPCOMPLETE.bat

Filesize
983B

MD5
d98118ac31e94e4d5f2a3baab1e4c777

SHA1
b5649576144d09fbb04bd616a9a1a78db1bad29b

SHA256
7c85f1b5724fa3fd960e3c2892b15546a007d70ad3cc57fd537399e1ce369de5

SHA512
b62dd33fa2dd791f3ad11c41528dae15ff51efedffa769245fe5ee8498dfcba4e5d4c90a117c2cb4b89269c868261206ec44d192a42dae723c51084fc5a3b031

Download Submit
C:\Users\Admin\AppData\Local\Temp\1277\bin\Inject\$OEM$\$$\Setup\Scripts\run.bat

Filesize
140KB

MD5
27edcd6267f4c58c35db91cbbf934929

SHA1
297b1cd2a4833cb24cd5758fc2b73939a1111080

SHA256
eec4ab779b67dd195bb474e8b4c45a5859ae5129ae916b5d9dd4d46f46206430

SHA512
a068a29cce8a63eb540c964ecce95248231f3a556b11196403191d317df3f344d0de9982eabc376794314bc4f7ba1394a629ccfd88a52916c2fd3df333000e3c

Download Submit
C:\Users\Admin\AppData\Local\Temp\1277\bin\Inject\KMSInject.bat

Filesize
140KB

MD5
d054f26c2659bdec0ccf6df418023d6e

SHA1
e98dac9b0a7801475d6e7f76269f463613a61a10

SHA256
4534138dbfa7b55f674612f8fb2c7caf727260e382611d1f5f6f90504d05955e

SHA512
e8e9cccead23a7eb655409fd8949f76a5660f071da360af20006622ab87baabf89172a2832e7b0dd6278a5907dc66a80c23dbe744c2a7e4325c10eab4c7ab6ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\1277\bin\Inject\bin\A64.dll

Filesize
21KB

MD5
886b4a107a2ede49c4c8a5bcba94f20f

SHA1
b5256ddc2b5fb8bd8d0272679043e03a0936d8a3

SHA256
24bf5b777254334c384e02ced455d21470163569d33ffebad36e54f6afd5059c

SHA512
28aa34d2dc065b14912d4813246fdd963a47e8c4a7d0134d22e63f80d9bff45cea150b8d4dc2d3ced9a8f337ec513e8214dba04c09130b24631cd48d9eb8f28d

Download Submit
C:\Users\Admin\AppData\Local\Temp\1277\bin\Inject\bin\KMS.xml

Filesize
3KB

MD5
672791216f102bdb76fb550adb0ea923

SHA1
e5fa7406143f7bb9aa28de777e62465ae55975bb

SHA256
0cb32bea8fc9ef6150e071049497b51750b8f4cb13cf83adac1f1357560f751a

SHA512
9801da8df68dad6f40e63c02b481463cb1b59e2d57f183b17e7168cbb96eafb95c98c226e196ba379b6cbde6bce911cecd8511ac40af76f5b35f705866f824b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\1277\bin\Inject\bin\cleanosppx64.exe

Filesize
19KB

MD5
162ab955cb2f002a73c1530aa796477f

SHA1
d30a0e4e5911d3ca705617d17225372731c770e2

SHA256
5ce462e5f34065fc878362ba58617fab28c22d631b9d836dddcf43fb1ad4de6e

SHA512
e0288dcf78092449d9cbaef4488041131925387c1aedc9e9512da0f66efe2fb68350ca3937f6715834e62e7c931c5dad0fc8bc3c6c0c3daedeff356d6feaac2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\1277\bin\Inject\bin\cleanosppx86.exe

Filesize
17KB

MD5
5fd363d52d04ac200cd24f3bcc903200

SHA1
39ed8659e7ca16aaccb86def94ce6cec4c847dd6

SHA256
3fdefe2ad092a9a7fe0edf0ac4dc2de7e5b9ce6a0804f6511c06564194966cf9

SHA512
f8ea73b0cb0a90fac6032a54028c60119022173334e68db3fbd63fe173032dd3fc3b438678064edb8c63d4eceaa72990ce039819df3d547d7d7627ad2eee36b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\1277\bin\Inject\bin\x64.dll

Filesize
20KB

MD5
a8f669ab8fad00bd193a82b8f62e7660

SHA1
1925f6f7b904d0289da8cdc55e84875f7739b0b1

SHA256
bcde6b7bbafa2b4eeb6c75f051b5949d27b49b4030e376a7838ba84e4e103daf

SHA512
1adaa8aaa55c7cf3d36435646aa8312cd62511edaa54f31160ef6ba4e8364f0a6cb9c0d9b96f796d777d0448b3a3fc8ae28ee213456c66dfeef046b40d57b897

Download Submit
C:\Users\Admin\AppData\Local\Temp\1277\bin\Inject\bin\x86.dll

Filesize
16KB

MD5
fee7e8f5472041f6b2c0e5d8f8d0da45

SHA1
063eeee055d4646e91e15ac6a785bd9c7bcaa10b

SHA256
c43ccfcc2f7ab3e2d229da6b1fb9715cc707991835108518cb0aa9a667ea15cc

SHA512
c535d5a68b99e9a8ea5b937d382a2827b99b37edaf55bd6af4e6196242575a4102ff2f14297ae6be875477df5a7f9997f3c3d00821fe8ea94d5bef08a157f8b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\1277\bin\center.exe

Filesize
72KB

MD5
0a847eafddc4529388e1a1b291354cf8

SHA1
adddd1b79c64c7c1d0d440df847be31ee94e664d

SHA256
69533d9b66b840b4764f901cd6a502d12453b604617a841f4c2c602fc87df255

SHA512
7b3ddb5be55367fc5fcfaa99f9a3b7f0888234c82146f3af6b012ff1feacf8b087cf53cce3e57492417a8e88657a045d948fedc07645e5a018604c158bd15710

Download Submit
C:\Users\Admin\AppData\Local\Temp\1277\bin\center.exe

Filesize
72KB

MD5
0a847eafddc4529388e1a1b291354cf8

SHA1
adddd1b79c64c7c1d0d440df847be31ee94e664d

SHA256
69533d9b66b840b4764f901cd6a502d12453b604617a841f4c2c602fc87df255

SHA512
7b3ddb5be55367fc5fcfaa99f9a3b7f0888234c82146f3af6b012ff1feacf8b087cf53cce3e57492417a8e88657a045d948fedc07645e5a018604c158bd15710

Download Submit
C:\Users\Admin\AppData\Local\Temp\KMS_Suite\KMS_Suite.bat

Filesize
142KB

MD5
f825dcc537d39befd3a38d3558af19ec

SHA1
98c581debf37d459149413f4e73ff247cb67ff67

SHA256
2a6a60cc19bde03d9ef004b0413ce9c73b1abb71bb21a7a14ebaa41636cb561b

SHA512
ca293b76e89e10d5e35aea396498141dc962fdd24002e9638df19c68a6e619cf9b0a55edfab0e640e9d2a422d51943601a73f1102b7435a39cc05492f63de7d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\KMS_Suite\bin\Digital\Digital_KMS38.bat

Filesize
30KB

MD5
cd8967fb093c71a77b9a897a63849350

SHA1
397e0d1537e5b914376558c685b2c0f85b8c3639

SHA256
6079f56daea065542154b86cd33c17bce62b6d961fb432bf5c334f8864067cd0

SHA512
87c6a8c97e4ecf4dc8e14bf1b522b654449d821b5912be0138a8accc0b9e363f2e7569c0517afd688c1d46c11269979055c32d65d8c69a26051271d6b7533a02

Download Submit
C:\Users\Admin\AppData\Local\Temp\KMS_Suite\bin\Digital\OEM_Digital\$OEM$\$$\Setup\Scripts\SETUPCOMPLETE.bat

Filesize
341B

MD5
d401c5effa22436e0382bdd71b145ed3

SHA1
b2632b7e74c21d9791d2a7202beab9fcb878c46b

SHA256
cb02f5670b0f7f13d87a4df29879d275c23adcdc15f3345dedbbe4ccc3ba0231

SHA512
22b7d96c9022dfe114f2997866f2e5a23e135d6d61708483eb9342b90d1b521d45618ff8dfc821b9a08c1740fda54aedd1f95f54c1d80c882cbabb8fac8cd517

Download Submit
C:\Users\Admin\AppData\Local\Temp\KMS_Suite\bin\Digital\OEM_Digital\$OEM$\$$\Setup\Scripts\digi.bat

Filesize
30KB

MD5
cd8967fb093c71a77b9a897a63849350

SHA1
397e0d1537e5b914376558c685b2c0f85b8c3639

SHA256
6079f56daea065542154b86cd33c17bce62b6d961fb432bf5c334f8864067cd0

SHA512
87c6a8c97e4ecf4dc8e14bf1b522b654449d821b5912be0138a8accc0b9e363f2e7569c0517afd688c1d46c11269979055c32d65d8c69a26051271d6b7533a02

Download Submit
C:\Users\Admin\AppData\Local\Temp\KMS_Suite\bin\Digital\OEM_KMS38\$OEM$\$$\Setup\Scripts\KMS38.bat

Filesize
30KB

MD5
cd8967fb093c71a77b9a897a63849350

SHA1
397e0d1537e5b914376558c685b2c0f85b8c3639

SHA256
6079f56daea065542154b86cd33c17bce62b6d961fb432bf5c334f8864067cd0

SHA512
87c6a8c97e4ecf4dc8e14bf1b522b654449d821b5912be0138a8accc0b9e363f2e7569c0517afd688c1d46c11269979055c32d65d8c69a26051271d6b7533a02

Download Submit
C:\Users\Admin\AppData\Local\Temp\KMS_Suite\bin\Digital\OEM_KMS38\$OEM$\$$\Setup\Scripts\SETUPCOMPLETE.bat

Filesize
343B

MD5
0d2e7f7d3632f02a4f5f605ee9750f56

SHA1
b17e185829d03518be196fb37d801dfd8cc3f6af

SHA256
eeb96f5030386b06c8b11101f3beb740f2932e3e755f5e0f9da11d56d1cec69c

SHA512
4febee13af76e7f8adfbcb58470729d6b43870b5d94e8da28310c8546bd3c6eb6d769da2c0b07d61cd1ad16dc904dc75d48a80a394b029e09f79f02c19ebb10a

Download Submit
C:\Users\Admin\AppData\Local\Temp\KMS_Suite\bin\Digital\bin\gatherosstate.exe

Filesize
330KB

MD5
15ce0753a16dd4f9b9f0f9926dd37c4e

SHA1
fabb5a0fc1e6a372219711152291339af36ed0b5

SHA256
028c8fbe58f14753b946475de9f09a9c7a05fd62e81a1339614c9e138fc2a21d

SHA512
4e5a6751f5f1f8499890e07a3b58c4040e43cf1329ab8f4a09201e1f247825e334e416717895f6e570842f3d2d6a137c77539c70545329c1ab3118bd83a38226

Download Submit
C:\Users\Admin\AppData\Local\Temp\KMS_Suite\bin\Digital\bin\slc.dll

Filesize
7KB

MD5
a3d60be84fb7fc1701f2518ad619bb19

SHA1
4937e478f33a1430a72f17fab2a6220bf9fde413

SHA256
653e61441d85cd74ba3fd4f50be204b47a32bce19a17451d87a2356bef87a321

SHA512
43abbf267c8326ca955bb9085d49f9ab108512c9cc8025ebc8523cab307cc1877f990f3174ab7a0498c38591eb1eee7fb04be91129ac7f9ab8422e271ca3f5ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\KMS_Suite\bin\DisableX.exe

Filesize
16KB

MD5
00c9837407663587c69df18793248d52

SHA1
db8c290e81aba4712febba5f43ef6fa3ec319f61

SHA256
09933212238bc7d0cce57469f9927c0325d5670b21fc7787428574c4a52e5f6d

SHA512
2035a69398202385c327cf1970565855852275807e587f4b804e3c475b0a259a27052f14d791dfc5967d5e3114266b971670a78160832d8d46304b573d31b304

Download Submit
C:\Users\Admin\AppData\Local\Temp\KMS_Suite\bin\DisableX.vbs

Filesize
189B

MD5
c2206c9c9b0c97f7c5db4f473e96e9a3

SHA1
77b32538358d64aff6d7e083bba358f0fe7b2789

SHA256
f1cec878cd1db36ca4ccb68296cd47ce039054e2ece4cd22d9933b90c8625c1f

SHA512
67c8d84c4a58aa6dcfcd1271b206c0ac36d1f05db3701d0f003357746daaf6d3328fd7002cc1e6c2d2f3d0388c519669ec94e2bd0d817589decc6ac04c5f444a

Download Submit
C:\Users\Admin\AppData\Local\Temp\KMS_Suite\bin\Inject\$OEM$\$$\Setup\Scripts\SETUPCOMPLETE.bat

Filesize
983B

MD5
d98118ac31e94e4d5f2a3baab1e4c777

SHA1
b5649576144d09fbb04bd616a9a1a78db1bad29b

SHA256
7c85f1b5724fa3fd960e3c2892b15546a007d70ad3cc57fd537399e1ce369de5

SHA512
b62dd33fa2dd791f3ad11c41528dae15ff51efedffa769245fe5ee8498dfcba4e5d4c90a117c2cb4b89269c868261206ec44d192a42dae723c51084fc5a3b031

Download Submit
C:\Users\Admin\AppData\Local\Temp\KMS_Suite\bin\Inject\$OEM$\$$\Setup\Scripts\run.bat

Filesize
140KB

MD5
27edcd6267f4c58c35db91cbbf934929

SHA1
297b1cd2a4833cb24cd5758fc2b73939a1111080

SHA256
eec4ab779b67dd195bb474e8b4c45a5859ae5129ae916b5d9dd4d46f46206430

SHA512
a068a29cce8a63eb540c964ecce95248231f3a556b11196403191d317df3f344d0de9982eabc376794314bc4f7ba1394a629ccfd88a52916c2fd3df333000e3c

Download Submit
C:\Users\Admin\AppData\Local\Temp\KMS_Suite\bin\Inject\KMSInject.bat

Filesize
140KB

MD5
d054f26c2659bdec0ccf6df418023d6e

SHA1
e98dac9b0a7801475d6e7f76269f463613a61a10

SHA256
4534138dbfa7b55f674612f8fb2c7caf727260e382611d1f5f6f90504d05955e

SHA512
e8e9cccead23a7eb655409fd8949f76a5660f071da360af20006622ab87baabf89172a2832e7b0dd6278a5907dc66a80c23dbe744c2a7e4325c10eab4c7ab6ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\KMS_Suite\bin\Inject\bin\A64.dll

Filesize
21KB

MD5
886b4a107a2ede49c4c8a5bcba94f20f

SHA1
b5256ddc2b5fb8bd8d0272679043e03a0936d8a3

SHA256
24bf5b777254334c384e02ced455d21470163569d33ffebad36e54f6afd5059c

SHA512
28aa34d2dc065b14912d4813246fdd963a47e8c4a7d0134d22e63f80d9bff45cea150b8d4dc2d3ced9a8f337ec513e8214dba04c09130b24631cd48d9eb8f28d

Download Submit
C:\Users\Admin\AppData\Local\Temp\KMS_Suite\bin\Inject\bin\KMS.xml

Filesize
3KB

MD5
672791216f102bdb76fb550adb0ea923

SHA1
e5fa7406143f7bb9aa28de777e62465ae55975bb

SHA256
0cb32bea8fc9ef6150e071049497b51750b8f4cb13cf83adac1f1357560f751a

SHA512
9801da8df68dad6f40e63c02b481463cb1b59e2d57f183b17e7168cbb96eafb95c98c226e196ba379b6cbde6bce911cecd8511ac40af76f5b35f705866f824b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\KMS_Suite\bin\Inject\bin\cleanosppx64.exe

Filesize
19KB

MD5
162ab955cb2f002a73c1530aa796477f

SHA1
d30a0e4e5911d3ca705617d17225372731c770e2

SHA256
5ce462e5f34065fc878362ba58617fab28c22d631b9d836dddcf43fb1ad4de6e

SHA512
e0288dcf78092449d9cbaef4488041131925387c1aedc9e9512da0f66efe2fb68350ca3937f6715834e62e7c931c5dad0fc8bc3c6c0c3daedeff356d6feaac2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\KMS_Suite\bin\Inject\bin\cleanosppx86.exe

Filesize
17KB

MD5
5fd363d52d04ac200cd24f3bcc903200

SHA1
39ed8659e7ca16aaccb86def94ce6cec4c847dd6

SHA256
3fdefe2ad092a9a7fe0edf0ac4dc2de7e5b9ce6a0804f6511c06564194966cf9

SHA512
f8ea73b0cb0a90fac6032a54028c60119022173334e68db3fbd63fe173032dd3fc3b438678064edb8c63d4eceaa72990ce039819df3d547d7d7627ad2eee36b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\KMS_Suite\bin\Inject\bin\x64.dll

Filesize
20KB

MD5
a8f669ab8fad00bd193a82b8f62e7660

SHA1
1925f6f7b904d0289da8cdc55e84875f7739b0b1

SHA256
bcde6b7bbafa2b4eeb6c75f051b5949d27b49b4030e376a7838ba84e4e103daf

SHA512
1adaa8aaa55c7cf3d36435646aa8312cd62511edaa54f31160ef6ba4e8364f0a6cb9c0d9b96f796d777d0448b3a3fc8ae28ee213456c66dfeef046b40d57b897

Download Submit
C:\Users\Admin\AppData\Local\Temp\KMS_Suite\bin\Inject\bin\x86.dll

Filesize
16KB

MD5
fee7e8f5472041f6b2c0e5d8f8d0da45

SHA1
063eeee055d4646e91e15ac6a785bd9c7bcaa10b

SHA256
c43ccfcc2f7ab3e2d229da6b1fb9715cc707991835108518cb0aa9a667ea15cc

SHA512
c535d5a68b99e9a8ea5b937d382a2827b99b37edaf55bd6af4e6196242575a4102ff2f14297ae6be875477df5a7f9997f3c3d00821fe8ea94d5bef08a157f8b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\KMS_Suite\bin\center.exe

Filesize
72KB

MD5
0a847eafddc4529388e1a1b291354cf8

SHA1
adddd1b79c64c7c1d0d440df847be31ee94e664d

SHA256
69533d9b66b840b4764f901cd6a502d12453b604617a841f4c2c602fc87df255

SHA512
7b3ddb5be55367fc5fcfaa99f9a3b7f0888234c82146f3af6b012ff1feacf8b087cf53cce3e57492417a8e88657a045d948fedc07645e5a018604c158bd15710

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES7600.tmp

Filesize
1KB

MD5
8ccdbbb3f892bb730a7b740ada760f6d

SHA1
56c9582479d324f8d771b7aeb0ee890e60fc1528

SHA256
4158cf26b995ceead26ef9af620ba47c64744e1e869a134cdcd0e658dbeac879

SHA512
7797422cd0c2706a7b1289b8e592a5cea9230a1d2f6b92803a565a9327673dbdff086ea9c942a2044e72a5cc0e856a948e45fe03b7127b3869fffc57f195cd1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\TEMPmessage.vbS

Filesize
49B

MD5
5aeaaf4251868f60bd501537f420b250

SHA1
496e307cf2fc2cfcb5a2b2ffaca248bfaf8ab397

SHA256
89b9f260617884ef2870d0c61efd6fd452a5698defe0c2f521fd1b6371abab06

SHA512
79c8782dd3e5cd91639ba86f8f0a3151e1eba3bc533da3d2efecd9704a48f338f30b749f71f1a9b5298991d586ead96c652e0f116fcfa720d58a05ea5edbe7fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\urrsoopb\urrsoopb.dll

Filesize
3KB

MD5
4b49f075a01e6060c2f09edfaeee4293

SHA1
c0e259995ee2a5b7fd20b5b3a5d5794eba2a4488

SHA256
5b2da36cd252ba8bd723dd3dbc1dd8df29f86b793f1e750d454c5f17f9045abf

SHA512
af1b830d6c6940f6fbf343c56c73f1d4e0178368715794038c3c529a51b2918d75b463cd0853cb671b676f2c2ea400b4673139801ad49142d63aeb3e66431442

Download Submit
C:\Windows\KMS\bin\A64.dll

Filesize
21KB

MD5
886b4a107a2ede49c4c8a5bcba94f20f

SHA1
b5256ddc2b5fb8bd8d0272679043e03a0936d8a3

SHA256
24bf5b777254334c384e02ced455d21470163569d33ffebad36e54f6afd5059c

SHA512
28aa34d2dc065b14912d4813246fdd963a47e8c4a7d0134d22e63f80d9bff45cea150b8d4dc2d3ced9a8f337ec513e8214dba04c09130b24631cd48d9eb8f28d

Download Submit
C:\Windows\KMS\bin\KMS.xml

Filesize
3KB

MD5
672791216f102bdb76fb550adb0ea923

SHA1
e5fa7406143f7bb9aa28de777e62465ae55975bb

SHA256
0cb32bea8fc9ef6150e071049497b51750b8f4cb13cf83adac1f1357560f751a

SHA512
9801da8df68dad6f40e63c02b481463cb1b59e2d57f183b17e7168cbb96eafb95c98c226e196ba379b6cbde6bce911cecd8511ac40af76f5b35f705866f824b2

Download Submit
C:\Windows\KMS\bin\cleanosppx64.exe

Filesize
19KB

MD5
162ab955cb2f002a73c1530aa796477f

SHA1
d30a0e4e5911d3ca705617d17225372731c770e2

SHA256
5ce462e5f34065fc878362ba58617fab28c22d631b9d836dddcf43fb1ad4de6e

SHA512
e0288dcf78092449d9cbaef4488041131925387c1aedc9e9512da0f66efe2fb68350ca3937f6715834e62e7c931c5dad0fc8bc3c6c0c3daedeff356d6feaac2e

Download Submit
C:\Windows\KMS\bin\cleanosppx86.exe

Filesize
17KB

MD5
5fd363d52d04ac200cd24f3bcc903200

SHA1
39ed8659e7ca16aaccb86def94ce6cec4c847dd6

SHA256
3fdefe2ad092a9a7fe0edf0ac4dc2de7e5b9ce6a0804f6511c06564194966cf9

SHA512
f8ea73b0cb0a90fac6032a54028c60119022173334e68db3fbd63fe173032dd3fc3b438678064edb8c63d4eceaa72990ce039819df3d547d7d7627ad2eee36b3

Download Submit
C:\Windows\KMS\bin\x64.dll

Filesize
20KB

MD5
a8f669ab8fad00bd193a82b8f62e7660

SHA1
1925f6f7b904d0289da8cdc55e84875f7739b0b1

SHA256
bcde6b7bbafa2b4eeb6c75f051b5949d27b49b4030e376a7838ba84e4e103daf

SHA512
1adaa8aaa55c7cf3d36435646aa8312cd62511edaa54f31160ef6ba4e8364f0a6cb9c0d9b96f796d777d0448b3a3fc8ae28ee213456c66dfeef046b40d57b897

Download Submit
C:\Windows\KMS\bin\x86.dll

Filesize
16KB

MD5
fee7e8f5472041f6b2c0e5d8f8d0da45

SHA1
063eeee055d4646e91e15ac6a785bd9c7bcaa10b

SHA256
c43ccfcc2f7ab3e2d229da6b1fb9715cc707991835108518cb0aa9a667ea15cc

SHA512
c535d5a68b99e9a8ea5b937d382a2827b99b37edaf55bd6af4e6196242575a4102ff2f14297ae6be875477df5a7f9997f3c3d00821fe8ea94d5bef08a157f8b4

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\urrsoopb\CSC489DC6004F594320AE41F5DA9C2FB8BC.TMP

Filesize
652B

MD5
6c3d1b1d250bc0a50f0dc45783056949

SHA1
1f9996535b14f35d3ac9d156db05ae3c703d8ee5

SHA256
5838e152e8bcd3b2b027c3686c44214793c4631147f98d2b59261903089e15cd

SHA512
5c720ef44acf973625a6ec58aaf0f4e5f298893a5d78870a8b3bea5398cc4bb1aee334f33337e29d58a44d79782e99dabf8c583005dfe2ae0e2be32ea807b1b4

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\urrsoopb\urrsoopb.0.cs

Filesize
521B

MD5
047f0cf592670e8fca358f12e4cd5a89

SHA1
0cd8cdde668e7e64adb49e388e75e1136429e5f6

SHA256
32e77d9085ad9ea0fd1eb5a9556e29cb42f5d3016ccf9853f3c39d358f479978

SHA512
368b22e424520c272195d3264123fceb2dba549574ff7282c210ffb6d9e8f574b7392f199304f2adef974d4d926fbccb1ce50fbd8ad4e89f05cec58635357cc8

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\urrsoopb\urrsoopb.cmdline

Filesize
369B

MD5
08ec660302dae4a0d4ad9eb1c2f8df7a

SHA1
c67301afc4a880145dcca857341ae5fdb973f228

SHA256
91da278b70ce8a6e9f2f520b8da787cfc3c9ba84a9c7da17c42cef8f8c7334ca

SHA512
3d6790acae62c0215b7f6a3a39e20ef87eab4e158ac412a393abaad0206656f180704cba8b922733a5a4cf85dc533660c1243646c0470dcd845f5b1f91f55662

Download Submit
memory/712-246-0x00007FFC60A00000-0x00007FFC614C1000-memory.dmp

Filesize
10.8MB

Download
memory/712-245-0x00007FFC60A00000-0x00007FFC614C1000-memory.dmp

Filesize
10.8MB

Download
memory/1220-214-0x00007FFC60950000-0x00007FFC61411000-memory.dmp

Filesize
10.8MB

Download
memory/1220-194-0x00007FFC60950000-0x00007FFC61411000-memory.dmp

Filesize
10.8MB

Download
memory/1244-278-0x00007FFC60A00000-0x00007FFC614C1000-memory.dmp

Filesize
10.8MB

Download
memory/1244-279-0x00007FFC60A00000-0x00007FFC614C1000-memory.dmp

Filesize
10.8MB

Download
memory/1524-281-0x00007FFC60A00000-0x00007FFC614C1000-memory.dmp

Filesize
10.8MB

Download
memory/1696-287-0x00007FFC605F0000-0x00007FFC610B1000-memory.dmp

Filesize
10.8MB

Download
memory/1696-288-0x00007FFC605F0000-0x00007FFC610B1000-memory.dmp

Filesize
10.8MB

Download
memory/2056-276-0x00007FFC60A00000-0x00007FFC614C1000-memory.dmp

Filesize
10.8MB

Download
memory/2056-275-0x00007FFC60A00000-0x00007FFC614C1000-memory.dmp

Filesize
10.8MB

Download
memory/2228-259-0x00007FFC60A00000-0x00007FFC614C1000-memory.dmp

Filesize
10.8MB

Download
memory/2228-258-0x00007FFC60A00000-0x00007FFC614C1000-memory.dmp

Filesize
10.8MB

Download
memory/2972-306-0x00007FFC605F0000-0x00007FFC610B1000-memory.dmp

Filesize
10.8MB

Download
memory/2972-305-0x00007FFC605F0000-0x00007FFC610B1000-memory.dmp

Filesize
10.8MB

Download
memory/3064-285-0x00007FFC60A00000-0x00007FFC614C1000-memory.dmp

Filesize
10.8MB

Download
memory/3064-299-0x00007FFC605F0000-0x00007FFC610B1000-memory.dmp

Filesize
10.8MB

Download
memory/3064-286-0x00007FFC60A00000-0x00007FFC614C1000-memory.dmp

Filesize
10.8MB

Download
memory/3340-223-0x00007FFC60A00000-0x00007FFC614C1000-memory.dmp

Filesize
10.8MB

Download
memory/3340-239-0x00007FFC60A00000-0x00007FFC614C1000-memory.dmp

Filesize
10.8MB

Download
memory/3460-304-0x00007FFC605F0000-0x00007FFC610B1000-memory.dmp

Filesize
10.8MB

Download
memory/3476-308-0x00007FFC605F0000-0x00007FFC610B1000-memory.dmp

Filesize
10.8MB

Download
memory/3476-307-0x00007FFC605F0000-0x00007FFC610B1000-memory.dmp

Filesize
10.8MB

Download
memory/3544-284-0x00007FFC60A00000-0x00007FFC614C1000-memory.dmp

Filesize
10.8MB

Download
memory/3992-311-0x00007FFC605F0000-0x00007FFC610B1000-memory.dmp

Filesize
10.8MB

Download
memory/4172-289-0x00000247646E0000-0x00000247646F0000-memory.dmp

Filesize
64KB

Download
memory/4172-290-0x00000247646E0000-0x00000247646F0000-memory.dmp

Filesize
64KB

Download
memory/4172-293-0x00000247646E0000-0x00000247646F0000-memory.dmp

Filesize
64KB

Download
memory/4172-297-0x00000247646E0000-0x00000247646F0000-memory.dmp

Filesize
64KB

Download
memory/4172-298-0x00000247646E0000-0x00000247646F0000-memory.dmp

Filesize
64KB

Download
memory/4208-137-0x00007FFC60E20000-0x00007FFC618E1000-memory.dmp

Filesize
10.8MB

Download
memory/4208-136-0x00000218AD6C0000-0x00000218AD6E2000-memory.dmp

Filesize
136KB

Download
memory/4208-147-0x00007FFC60E20000-0x00007FFC618E1000-memory.dmp

Filesize
10.8MB

Download
memory/4240-176-0x00007FFC60E20000-0x00007FFC618E1000-memory.dmp

Filesize
10.8MB

Download
memory/4364-277-0x00007FFC60A00000-0x00007FFC614C1000-memory.dmp

Filesize
10.8MB

Download
memory/4452-294-0x0000020084580000-0x00000200846D3000-memory.dmp

Filesize
1.3MB

Download
memory/4452-295-0x0000020084580000-0x00000200846D3000-memory.dmp

Filesize
1.3MB

Download
memory/4560-280-0x00007FFC60A00000-0x00007FFC614C1000-memory.dmp

Filesize
10.8MB

Download
memory/5012-301-0x00007FFC605F0000-0x00007FFC610B1000-memory.dmp

Filesize
10.8MB

Download
memory/5012-300-0x00007FFC605F0000-0x00007FFC610B1000-memory.dmp

Filesize
10.8MB

Download
memory/5052-274-0x00007FFC60A00000-0x00007FFC614C1000-memory.dmp

Filesize
10.8MB

Download