Analysis
  max time kernel: 235s
  max time network: 292s
  platform: windows10-2004_x64
  resource: win10v2004-20220812-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 18/10/2022, 21:28

Static task: static1

Behavioral task: behavioral1
  Sample: KMS_Suite.v9.3.EN.bat
  Resource: win7-20220812-en

Behavioral task: behavioral2
  Sample: KMS_Suite.v9.3.EN.bat
  Resource: win10v2004-20220812-en

General
  Target: KMS_Suite.v9.3.EN.bat
  Size: 356KB
  MD5: 2542dfefdc35cb2477961289977c36bc
  SHA1: 4b60f654960c3d7b8a4a6cb78f23764d4d7abebd
  SHA256: 1094061c601cb82c12e4b10ce566c096029c0f62214f21481c2753a10c812742
  SHA512: 10f3325807adb849137d64ca82a5499f6ba7307b71573609614129b59aa0d75ac69cba9288568548af21ce3676992fdc6f0437f763bd58c520019cc809600740
  SSDEEP: 6144:RFV4shBoEszHlE4iGaXacKg3WSCj8cq7TRbSSVVVYunQd2LpNI8MwIt:l3MfJtaq/2SC7UuQdgNIt
Malware Config
Signatures

Executes dropped EXE (10 IoCs)
  pid   Process
  4036  center.exe
  2268  DisableX.exe
  3912  center.exe
  428   DisableX.exe
  1892  dismhost.exe
  4092  gatherosstatemodified.exe
  4448  center.exe
  1900  DisableX.exe
  5112  center.exe
  4664  DisableX.exe

Stops running service(s) (3 TTPs)

Checks computer location settings (2 TTPs, 5 IoCs)
Looks up country code configured in the registry, likely geofence.
  description        ioc                                                                                       Process
  Key value queried  \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation  WScript.exe
  Key value queried  \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation  WScript.exe
  Key value queried  \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation  WScript.exe
  Key value queried  \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation  WScript.exe
  Key value queried  \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation  cmd.exe

Loads dropped DLL (22 IoCs)
  pid   Process
  1892  dismhost.exe  (19 entries)
  1956  rundll32.exe
  4092  gatherosstatemodified.exe  (2 entries)

Drops file in Windows directory (25 IoCs)
  description                   ioc                                    Process
  File created                  C:\Windows\KMS\bin\x64.dll             xcopy.exe
  File opened for modification  C:\Windows\KMS\bin\x86.dll             xcopy.exe
  File opened for modification  C:\Windows\LOGS\DPX\setupact.log       expand.exe
  File opened for modification  C:\Windows\Logs\DISM\dism.log          Dism.exe
  File opened for modification  C:\Windows\LOGS\DPX\setupact.log       expand.exe
  File opened for modification  C:\Windows\KMS\bin                     xcopy.exe
  File created                  C:\Windows\KMS\bin\cleanosppx64.exe    xcopy.exe
  File opened for modification  C:\Windows\KMS\bin\KMS.xml             xcopy.exe
  File opened for modification  C:\Windows\LOGS\DPX\setuperr.log       expand.exe
  File opened for modification  C:\Windows\KMS\bin\A64.dll             xcopy.exe
  File opened for modification  C:\Windows\KMS\bin\cleanosppx86.exe    xcopy.exe
  File opened for modification  C:\Windows\LOGS\DPX\setuperr.log       expand.exe
  File opened for modification  C:\Windows\Logs\DISM\dism.log          dismhost.exe
  File created                  C:\Windows\KMS\bin\x86.dll             xcopy.exe
  File opened for modification  C:\Windows\LOGS\DPX\setupact.log       expand.exe
  File opened for modification  C:\Windows\LOGS\DPX\setuperr.log       expand.exe
  File created                  C:\Windows\KMS\bin\A64.dll             xcopy.exe
  File opened for modification  C:\Windows\KMS\bin\cleanosppx64.exe    xcopy.exe
  File created                  C:\Windows\KMS\bin\KMS.xml             xcopy.exe
  File opened for modification  C:\Windows\LOGS\DPX\setupact.log       expand.exe
  File opened for modification  C:\Windows\LOGS\DPX\setuperr.log       expand.exe
  File created                  C:\Windows\KMS\bin\cleanosppx86.exe    xcopy.exe
  File opened for modification  C:\Windows\KMS\bin\x64.dll             xcopy.exe
  File created                  C:\Windows\KMS\KMSInject.bat           cmd.exe
  File opened for modification  C:\Windows\KMS\KMSInject.bat           cmd.exe

Launches sc.exe (8 IoCs)
Sc.exe is a Windows utility to control services on the system.
  pid   Process
  3600  sc.exe
  3600  sc.exe
  3344  sc.exe
  3896  sc.exe
  3400  sc.exe
  3792  sc.exe
  4936  sc.exe
  4080  sc.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Checks SCSI registry key(s) (3 TTPs, 11 IoCs)
SCSI information is often read in order to detect sandboxing environments.
  description        ioc (all under \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\)            Process
  Key value queried  CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\ConfigFlags      gatherosstatemodified.exe
  Key value queried  Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID            clipup.exe
  Key value queried  Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs         clipup.exe
  Key opened         CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000                  clipup.exe
  Key opened         CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000                  gatherosstatemodified.exe
  Key value queried  CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\HardwareID       gatherosstatemodified.exe
  Key opened         DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000                       gatherosstatemodified.exe
  Key value queried  Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags           gatherosstatemodified.exe
  Key opened         Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000                       clipup.exe
  Key value queried  CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\HardwareID       clipup.exe
  Key value queried  CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\CompatibleIDs    clipup.exe

Creates scheduled task(s) (1 TTPs, 1 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid   Process
  720   schtasks.exe

Delays execution with timeout.exe (1 IoCs)
  pid   Process
  3656  timeout.exe

Kills process with taskkill (1 IoCs)
  pid   Process
  4380  taskkill.exe

Modifies registry class (1 IoCs)
  description  ioc                                                                                  Process
  Key created  \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings  cmd.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses (42 IoCs)
  pid   Process  (each PID is listed twice in the report)
  4208  powershell.exe
  4240  powershell.exe
  1220  powershell.exe
  3340  powershell.exe
  712   powershell.exe
  2228  powershell.exe
  5052  powershell.exe
  2056  powershell.exe
  4364  powershell.exe
  1244  powershell.exe
  4560  powershell.exe
  1524  powershell.exe
  3544  powershell.exe
  3064  powershell.exe
  1696  powershell.exe
  3064  powershell.exe
  5012  powershell.exe
  3460  powershell.exe
  2972  powershell.exe
  3476  powershell.exe
  3992  powershell.exe

Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  pid   Process
  2268  DisableX.exe

Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Token: SeDebugPrivilege
    powershell.exe PIDs 4208, 4240, 1220, 3340, 712, 2228, 5052, 2056
  WMIC.exe PID 4184 (the following token set is listed twice in the report):
    SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege,
    SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege,
    SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege,
    SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege,
    33, 34, 35, 36
  WMIC.exe PID 4160:
    SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege,
    SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege,
    SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege,
    SeSystemEnvironmentPrivilege

Suspicious use of SetWindowsHookEx (4 IoCs)
  pid   Process
  2268  DisableX.exe
  428   DisableX.exe
  1900  DisableX.exe
  4664  DisableX.exe

Suspicious use of WriteProcessMemory (64 IoCs)
  description                          pid   Process         procid_target  (entries)
  PID 3376 wrote to memory of 4744     3376  cmd.exe         83             x2
  PID 4744 wrote to memory of 4916     4744  net.exe         84             x2
  PID 3376 wrote to memory of 3772     3376  cmd.exe         85             x2
  PID 3376 wrote to memory of 4208     3376  cmd.exe         86             x2
  PID 4208 wrote to memory of 2068     4208  powershell.exe  87             x2
  PID 2068 wrote to memory of 4312     2068  csc.exe         88             x2
  PID 4208 wrote to memory of 2768     4208  powershell.exe  89             x2
  PID 3376 wrote to memory of 3324     3376  cmd.exe         90             x2
  PID 3376 wrote to memory of 2320     3376  cmd.exe         91             x2
  PID 2320 wrote to memory of 1628     2320  cmd.exe         92             x2
  PID 2320 wrote to memory of 2608     2320  cmd.exe         93             x2
  PID 2320 wrote to memory of 4240     2320  cmd.exe         94             x2
  PID 2320 wrote to memory of 2656     2320  cmd.exe         97             x2
  PID 2320 wrote to memory of 4756     2320  cmd.exe         98             x2
  PID 2320 wrote to memory of 4036     2320  cmd.exe         99             x3
  PID 2320 wrote to memory of 2512     2320  cmd.exe         101            x2
  PID 2512 wrote to memory of 2268     2512  WScript.exe     102            x3
  PID 2320 wrote to memory of 2972     2320  cmd.exe         104            x2
  PID 2972 wrote to memory of 2196     2972  cmd.exe         105            x2
  PID 2320 wrote to memory of 3804     2320  cmd.exe         106            x2
  PID 3804 wrote to memory of 1220     3804  cmd.exe         107            x2
  PID 2320 wrote to memory of 3656     2320  cmd.exe         108            x2
  PID 2320 wrote to memory of 3408     2320  cmd.exe         109            x2
  PID 2320 wrote to memory of 4164     2320  cmd.exe         110            x2
  PID 2320 wrote to memory of 2228     2320  cmd.exe         111            x2
  PID 2320 wrote to memory of 2980     2320  cmd.exe         112            x2
  PID 2320 wrote to memory of 4804     2320  cmd.exe         113            x2
  PID 2320 wrote to memory of 4144     2320  cmd.exe         114            x2
  PID 2320 wrote to memory of 3924     2320  cmd.exe         115            x2
  PID 2320 wrote to memory of 4644     2320  cmd.exe         116            x2
  PID 2320 wrote to memory of 5112     2320  cmd.exe         117            x2
Processes
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\KMS_Suite.v9.3.EN.bat"1⤵
- Suspicious use of WriteProcessMemory
PID:3376 -
C:\Windows\system32\net.exenet session2⤵
- Suspicious use of WriteProcessMemory
PID:4744 -
C:\Windows\system32\net1.exeC:\Windows\system32\net1 session3⤵PID:4916
-
-
-
C:\Windows\system32\mode.commode con cols=78 lines=62⤵PID:3772
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -nop -c $f=[IO.File]::ReadAllText($env:0)-split':KMSSuite\:.*';iex($f[1]); X(1)2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4208 -
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\urrsoopb\urrsoopb.cmdline"3⤵
- Suspicious use of WriteProcessMemory
PID:2068 -
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7600.tmp" "c:\Users\Admin\AppData\Local\Temp\urrsoopb\CSC489DC6004F594320AE41F5DA9C2FB8BC.TMP"4⤵PID:4312
-
-
-
C:\Windows\system32\expand.exe"C:\Windows\system32\expand.exe" -R 1 -F:* .3⤵
- Drops file in Windows directory
PID:2768
-
-
-
C:\Windows\system32\xcopy.exexcopy /s /h KMS_Suite 12772⤵PID:3324
-
-
C:\Windows\system32\cmd.execmd.exe /c KMS_Suite.bat2⤵
- Checks computer location settings
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2320 -
C:\Windows\system32\reg.exeREG QUERY HKU\S-1-5-19\Environment3⤵PID:1628
-
-
C:\Windows\system32\mode.commode con: cols=90 lines=403⤵PID:2608
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -noprofile "$W=(get-host).ui.rawui; $B=$W.buffersize; $B.height=90; $W.buffersize=$B"3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4240
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "prompt #$H#$E# & echo on & for %b in (1) do rem"3⤵PID:2656
-
-
C:\Windows\system32\mode.commode con cols=92 lines=353⤵PID:4756
-
-
C:\Users\Admin\AppData\Local\Temp\1277\bin\center.execenter.exe kF5nJ4D92hfOpc83⤵
- Executes dropped EXE
PID:4036
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1277\bin\DisableX.vbs"3⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2512 -
C:\Users\Admin\AppData\Local\Temp\1277\bin\DisableX.exe"C:\Users\Admin\AppData\Local\Temp\1277\bin\DisableX.exe"4⤵
- Executes dropped EXE
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:2268
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v ProductName 2>nul3⤵
- Suspicious use of WriteProcessMemory
PID:2972 -
C:\Windows\system32\reg.exereg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v ProductName4⤵PID:2196
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c powershell -nop -c "(([WMISEARCHER]'Select Version from Win32_OperatingSystem').Get()).Version"3⤵
- Suspicious use of WriteProcessMemory
PID:3804 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -nop -c "(([WMISEARCHER]'Select Version from Win32_OperatingSystem').Get()).Version"4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1220
-
-
-
C:\Windows\system32\mode.commode con cols=92 lines=353⤵PID:3656
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c time /t3⤵PID:3408
-
-
C:\Windows\system32\findstr.exefindstr /v /a:78 /R "^$" " KMS & KMS 2038 & Digital & Online Activation Suite v9.3 - mephistooo2 - www.TNCTR.com" nul3⤵PID:4164
-
-
C:\Windows\system32\findstr.exefindstr /v /a:6 /R "^$" " SUPPORT MICROSOFT PRUDUCTS" nul3⤵PID:2228
-
-
C:\Windows\system32\findstr.exefindstr /v /a:6 /R "^$" " [1] ACTIVATION START FOR WINDOWS & OFFICE (KMS Inject Method)" nul3⤵PID:2980
-
-
C:\Windows\system32\findstr.exefindstr /v /a:9 /R "^$" " [2] ACTIVATION START FOR WINDOWS 10-11 (Digital & KMS 2038 Activation Method)" nul3⤵PID:4804
-
-
C:\Windows\system32\findstr.exefindstr /v /a:2 /R "^$" " [3] ACTIVATION START FOR WINDOWS & OFFICE (Online Activation Method)" nul3⤵PID:4144
-
-
C:\Windows\system32\findstr.exefindstr /v /a:7 /R "^$" " [4] WINDOWS & OFFICE ACTIVATION STATUS CHECK" nul3⤵PID:3924
-
-
C:\Windows\system32\findstr.exefindstr /v /a:3 /R "^$" " [5] KMS & KMS 2038 & DIJITAL & ONLINE ACTIVATION VISIT WEBSITE" nul3⤵PID:4644
-
-
C:\Windows\system32\findstr.exefindstr /v /a:4 /R "^$" " [6] EXIT" nul3⤵PID:5112
-
-
C:\Windows\system32\choice.exechoice /C:123456 /N /M "YOUR CHOICE :"3⤵PID:4228
-
-
C:\Windows\system32\reg.exeREG QUERY HKU\S-1-5-19\Environment3⤵PID:2768
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v ProductName 2>nul3⤵PID:3948
-
C:\Windows\system32\reg.exereg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v ProductName4⤵PID:2676
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c powershell -nop -c "(([WMISEARCHER]'Select Version from Win32_OperatingSystem').Get()).Version"3⤵PID:3500
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -nop -c "(([WMISEARCHER]'Select Version from Win32_OperatingSystem').Get()).Version"4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3340
-
-
-
C:\Windows\system32\mode.commode con:cols=84 lines=423⤵PID:3324
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c time /t3⤵PID:1608
-
-
C:\Windows\system32\choice.exechoice /C:12345678 /N /M "YOUR CHOICE : "3⤵PID:1628
-
-
C:\Windows\system32\xcopy.exexcopy /cryi bin\* C:\Windows\KMS\bin3⤵
- Drops file in Windows directory
PID:3700
-
-
C:\Windows\system32\schtasks.exeschtasks /create /tn "KMS_Activation" /xml "C:\Users\Admin\AppData\Local\Temp\1277\bin\Inject\bin\KMS.xml" /f3⤵
- Creates scheduled task(s)
PID:720
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v ProductName 2>nul3⤵PID:1468
-
C:\Windows\system32\reg.exereg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v ProductName4⤵PID:4056
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c powershell -nop -c "(([WMISEARCHER]'Select Version from Win32_OperatingSystem').Get()).Version"3⤵PID:2276
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -nop -c "(([WMISEARCHER]'Select Version from Win32_OperatingSystem').Get()).Version"4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:712
-
-
-
C:\Windows\system32\mode.commode con:cols=84 lines=423⤵PID:4564
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c time /t3⤵PID:4280
-
-
C:\Windows\system32\choice.exechoice /C:12345678 /N /M "YOUR CHOICE : "3⤵PID:1176
-
-
C:\Windows\system32\schtasks.exeschtasks /delete /tn "KMS_Activation" /f3⤵PID:2104
-
-
C:\Windows\system32\cscript.execscript //nologo C:\Windows\System32\slmgr.vbs /ckms3⤵PID:3132
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v ProductName 2>nul3⤵PID:4920
-
C:\Windows\system32\reg.exereg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v ProductName4⤵PID:3408
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c powershell -nop -c "(([WMISEARCHER]'Select Version from Win32_OperatingSystem').Get()).Version"3⤵PID:936
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -nop -c "(([WMISEARCHER]'Select Version from Win32_OperatingSystem').Get()).Version"4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2228
-
-
-
C:\Windows\system32\mode.commode con:cols=84 lines=423⤵PID:1136
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c time /t3⤵PID:5008
-
-
C:\Windows\system32\choice.exechoice /C:12345678 /N /M "YOUR CHOICE : "3⤵PID:3736
-
-
C:\Windows\system32\xcopy.exexcopy $OEM$\* "C:"\$OEM$ /s /i /y3⤵PID:4644
-
-
C:\Windows\system32\xcopy.exexcopy /cryi bin\* "C:"\$OEM$\$$\Setup\Scripts\bin\3⤵PID:4364
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\TEMPmessage.vbS"3⤵PID:1896
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v ProductName 2>nul3⤵PID:4040
-
C:\Windows\system32\reg.exereg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v ProductName4⤵PID:3848
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c powershell -nop -c "(([WMISEARCHER]'Select Version from Win32_OperatingSystem').Get()).Version"3⤵PID:2352
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -nop -c "(([WMISEARCHER]'Select Version from Win32_OperatingSystem').Get()).Version"4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5052
-
-
-
C:\Windows\system32\mode.commode con:cols=84 lines=423⤵PID:4216
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c time /t3⤵PID:4976
-
-
C:\Windows\system32\choice.exechoice /C:12345678 /N /M "YOUR CHOICE : "3⤵PID:512
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -nop -c $f=[IO.File]::ReadAllText($env:0)-split':bat2file\:.*';iex($f[1]); X(1)3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2056 -
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\2q2cjetz\2q2cjetz.cmdline"4⤵PID:3380
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3AF6.tmp" "c:\Users\Admin\AppData\Local\Temp\2q2cjetz\CSC5F7C3318858140D99897AB4AA2C1F112.TMP"5⤵PID:2768
-
-
-
C:\Windows\system32\expand.exe"C:\Windows\system32\expand.exe" -R 1 -F:* .4⤵
- Drops file in Windows directory
PID:4448
-
-
-
C:\Windows\system32\mode.commode con:cols=70 lines=553⤵PID:5104
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ver3⤵PID:4456
-
-
C:\Windows\System32\reg.exereg query "HKCU\SOFTWARE\Microsoft\Windows Script Host\Settings" /v Enabled3⤵PID:3568
-
-
C:\Windows\System32\find.exefind /i "0x0"3⤵PID:4940
-
-
C:\Windows\System32\reg.exereg query HKU\S-1-5-193⤵PID:352
-
-
C:\Windows\System32\reg.exereg query "HKLM\SOFTWARE\Microsoft\Windows Script Host\Settings" /v Enabled3⤵PID:112
-
-
C:\Windows\System32\find.exefind /i "0x0"3⤵PID:1392
-
-
C:\Windows\System32\sc.exesc query osppsvc3⤵
- Launches sc.exe
PID:4080
-
-
C:\Windows\System32\net.exenet start sppsvc /y3⤵PID:1584
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 start sppsvc /y4⤵PID:988
-
-
-
C:\Windows\System32\Wbem\WMIC.exewmic path SoftwareLicensingProduct where (ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f' and PartialProductKey is not null) get ID /value3⤵
- Suspicious use of AdjustPrivilegeToken
PID:4184
-
-
C:\Windows\System32\findstr.exefindstr /i ID3⤵PID:2608
-
-
C:\Windows\System32\Wbem\WMIC.exewmic path SoftwareLicensingProduct where (ApplicationID='0ff1ce15-a989-479d-af46-f275c6370663' and PartialProductKey is not null) get ID /value3⤵
- Suspicious use of AdjustPrivilegeToken
PID:4160
-
-
C:\Windows\System32\findstr.exefindstr /i ID3⤵PID:4608
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "wmic path SoftwareLicensingProduct where (ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f' and PartialProductKey is not null) get ID /value"3⤵PID:1828
-
C:\Windows\System32\Wbem\WMIC.exewmic path SoftwareLicensingProduct where (ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f' and PartialProductKey is not null) get ID /value4⤵PID:364
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "wmic path SoftwareLicensingProduct where ID='2de67392-b7a7-462a-b1ca-108dd189f588' get Description, DiscoveredKeyManagementServiceMachineName, DiscoveredKeyManagementServiceMachinePort, EvaluationEndDate, GracePeriodRemaining, ID, KeyManagementServiceMachine, KeyManagementServicePort, KeyManagementServiceProductKeyID, LicenseStatus, LicenseStatusReason, Name, PartialProductKey, ProductKeyID, VLActivationInterval, VLRenewalInterval, KeyManagementServiceLookupDomain, VLActivationTypeEnabled, DiscoveredKeyManagementServiceMachineIpAddress, ProductKeyChannel /value" | findstr =3⤵PID:4720
-
C:\Windows\System32\Wbem\WMIC.exewmic path SoftwareLicensingProduct where ID='2de67392-b7a7-462a-b1ca-108dd189f588' get Description, DiscoveredKeyManagementServiceMachineName, DiscoveredKeyManagementServiceMachinePort, EvaluationEndDate, GracePeriodRemaining, ID, KeyManagementServiceMachine, KeyManagementServicePort, KeyManagementServiceProductKeyID, LicenseStatus, LicenseStatusReason, Name, PartialProductKey, ProductKeyID, VLActivationInterval, VLRenewalInterval, KeyManagementServiceLookupDomain, VLActivationTypeEnabled, DiscoveredKeyManagementServiceMachineIpAddress, ProductKeyChannel /value4⤵PID:704
-
-
C:\Windows\System32\findstr.exefindstr =4⤵PID:3068
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Windows(R) Operating System, VOLUME_KMSCLIENT channel"3⤵PID:4104
-
-
C:\Windows\System32\findstr.exefindstr /i VOLUME_KMSCLIENT3⤵PID:1472
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Windows(R) Operating System, VOLUME_KMSCLIENT channel"3⤵PID:1016
-
-
C:\Windows\System32\findstr.exefindstr /i TIMEBASED_3⤵PID:4884
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Windows(R) Operating System, VOLUME_KMSCLIENT channel"3⤵PID:3752
-
-
C:\Windows\System32\findstr.exefindstr /i VIRTUAL_MACHINE_ACTIVATION3⤵PID:4472
-
-
C:\Windows\System32\cmd.execmd /c exit /b 32215491423⤵PID:4112
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "wmic path SoftwareLicensingService get ClientMachineID, KeyManagementServiceHostCaching /value" | findstr =3⤵PID:8
-
C:\Windows\System32\Wbem\WMIC.exewmic path SoftwareLicensingService get ClientMachineID, KeyManagementServiceHostCaching /value4⤵PID:2196
-
-
C:\Windows\System32\findstr.exefindstr =4⤵PID:3456
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "wmic path SoftwareLicensingProduct where (ApplicationID='0ff1ce15-a989-479d-af46-f275c6370663' and PartialProductKey is not null) get ID /value"3⤵PID:4628
-
C:\Windows\System32\Wbem\WMIC.exewmic path SoftwareLicensingProduct where (ApplicationID='0ff1ce15-a989-479d-af46-f275c6370663' and PartialProductKey is not null) get ID /value4⤵PID:1500
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "wmic path SoftwareLicensingProduct where ID='85dd8b5f-eaa4-4af3-a628-cce9e77c9a03' get Description, DiscoveredKeyManagementServiceMachineName, DiscoveredKeyManagementServiceMachinePort, EvaluationEndDate, GracePeriodRemaining, ID, KeyManagementServiceMachine, KeyManagementServicePort, KeyManagementServiceProductKeyID, LicenseStatus, LicenseStatusReason, Name, PartialProductKey, ProductKeyID, VLActivationInterval, VLRenewalInterval, KeyManagementServiceLookupDomain, VLActivationTypeEnabled, DiscoveredKeyManagementServiceMachineIpAddress, ProductKeyChannel /value" | findstr =3⤵PID:4280
-
C:\Windows\System32\Wbem\WMIC.exewmic path SoftwareLicensingProduct where ID='85dd8b5f-eaa4-4af3-a628-cce9e77c9a03' get Description, DiscoveredKeyManagementServiceMachineName, DiscoveredKeyManagementServiceMachinePort, EvaluationEndDate, GracePeriodRemaining, ID, KeyManagementServiceMachine, KeyManagementServicePort, KeyManagementServiceProductKeyID, LicenseStatus, LicenseStatusReason, Name, PartialProductKey, ProductKeyID, VLActivationInterval, VLRenewalInterval, KeyManagementServiceLookupDomain, VLActivationTypeEnabled, DiscoveredKeyManagementServiceMachineIpAddress, ProductKeyChannel /value4⤵PID:1504
-
-
C:\Windows\System32\findstr.exefindstr =4⤵PID:1072
-
-
-
[3] C:\Windows\system32\cmd.exe (PID 1452): C:\Windows\system32\cmd.exe /S /D /c" echo Office 19, VOLUME_KMSCLIENT channel"
[3] C:\Windows\System32\findstr.exe (PID 3784): findstr /i VOLUME_KMSCLIENT
[3] C:\Windows\system32\cmd.exe (PID 3132): C:\Windows\system32\cmd.exe /S /D /c" echo Office 19, VOLUME_KMSCLIENT channel"
[3] C:\Windows\System32\findstr.exe (PID 880): findstr /i TIMEBASED_
[3] C:\Windows\system32\cmd.exe (PID 3408): C:\Windows\system32\cmd.exe /S /D /c" echo Office 19, VOLUME_KMSCLIENT channel"
[3] C:\Windows\System32\findstr.exe (PID 4920): findstr /i VIRTUAL_MACHINE_ACTIVATION
[3] C:\Windows\System32\cmd.exe (PID 2804): cmd /c exit /b 3221549142
[3] C:\Windows\system32\cmd.exe (PID 4796): C:\Windows\system32\cmd.exe /c "wmic path SoftwareLicensingService get ClientMachineID, KeyManagementServiceHostCaching /value" | findstr =
  [4] C:\Windows\System32\Wbem\WMIC.exe (PID 2140): wmic path SoftwareLicensingService get ClientMachineID, KeyManagementServiceHostCaching /value
  [4] C:\Windows\System32\findstr.exe (PID 4804): findstr =
[3] C:\Windows\system32\cmd.exe (PID 4248): C:\Windows\system32\cmd.exe /c reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v ProductName 2>nul
  [4] C:\Windows\system32\reg.exe (PID 1188): reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v ProductName
[3] C:\Windows\system32\cmd.exe (PID 3440): C:\Windows\system32\cmd.exe /c powershell -nop -c "(([WMISEARCHER]'Select Version from Win32_OperatingSystem').Get()).Version"
  [4] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 4364): powershell -nop -c "(([WMISEARCHER]'Select Version from Win32_OperatingSystem').Get()).Version"
      signatures: Suspicious behavior: EnumeratesProcesses
[3] C:\Windows\system32\mode.com (PID 3848): mode con:cols=84 lines=42
[3] C:\Windows\system32\cmd.exe (PID 2144): C:\Windows\system32\cmd.exe /c time /t
[3] C:\Windows\system32\choice.exe (PID 2304): choice /C:12345678 /N /M "YOUR CHOICE : "
[3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 1244): powershell -nop -c $f=[IO.File]::ReadAllText($env:0)-split':bat2file\:.*';iex($f[1]); X(1)
    signatures: Suspicious behavior: EnumeratesProcesses
  [4] C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe (PID 3632): "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\e0uw5euz\e0uw5euz.cmdline"
    [5] C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe (PID 1476): C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESAE60.tmp" "c:\Users\Admin\AppData\Local\Temp\e0uw5euz\CSCA128E2BBC7EB4C448BB9A0195EF99E7C.TMP"
  [4] C:\Windows\system32\expand.exe (PID 3800): "C:\Windows\system32\expand.exe" -R 1 -F:* .
      signatures: Drops file in Windows directory
[3] C:\Windows\system32\mode.com (PID 3988): mode con:cols=70 lines=55
[3] C:\Windows\system32\cmd.exe (PID 2188): C:\Windows\system32\cmd.exe /c ver
[3] C:\Windows\System32\find.exe (PID 628): find /i "0x0"
[3] C:\Windows\System32\reg.exe (PID 3892): reg query "HKCU\SOFTWARE\Microsoft\Windows Script Host\Settings" /v Enabled
[3] C:\Windows\System32\reg.exe (PID 3148): reg query HKU\S-1-5-19
[3] C:\Windows\System32\reg.exe (PID 4844): reg query "HKLM\SOFTWARE\Microsoft\Windows Script Host\Settings" /v Enabled
[3] C:\Windows\System32\find.exe (PID 4836): find /i "0x0"
[3] C:\Windows\System32\sc.exe (PID 3600): sc query osppsvc
    signatures: Launches sc.exe
[3] C:\Windows\System32\net.exe (PID 3344): net start sppsvc /y
  [4] C:\Windows\system32\net1.exe (PID 2136): C:\Windows\system32\net1 start sppsvc /y
[3] C:\Windows\System32\Wbem\WMIC.exe (PID 2152): wmic path SoftwareLicensingProduct where (ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f' and PartialProductKey is not null) get ID /value
[3] C:\Windows\System32\findstr.exe (PID 3400): findstr /i ID
[3] C:\Windows\System32\Wbem\WMIC.exe (PID 352): wmic path SoftwareLicensingProduct where (ApplicationID='0ff1ce15-a989-479d-af46-f275c6370663' and PartialProductKey is not null) get ID /value
[3] C:\Windows\System32\findstr.exe (PID 2256): findstr /i ID
[3] C:\Windows\system32\cmd.exe (PID 4080): C:\Windows\system32\cmd.exe /c "wmic path SoftwareLicensingProduct where (ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f' and PartialProductKey is not null) get ID /value"
  [4] C:\Windows\System32\Wbem\WMIC.exe (PID 1892): wmic path SoftwareLicensingProduct where (ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f' and PartialProductKey is not null) get ID /value
[3] C:\Windows\system32\cmd.exe (PID 1964): C:\Windows\system32\cmd.exe /c "wmic path SoftwareLicensingProduct where ID='2de67392-b7a7-462a-b1ca-108dd189f588' get Description, DiscoveredKeyManagementServiceMachineName, DiscoveredKeyManagementServiceMachinePort, EvaluationEndDate, GracePeriodRemaining, ID, KeyManagementServiceMachine, KeyManagementServicePort, KeyManagementServiceProductKeyID, LicenseStatus, LicenseStatusReason, Name, PartialProductKey, ProductKeyID, VLActivationInterval, VLRenewalInterval, KeyManagementServiceLookupDomain, VLActivationTypeEnabled, DiscoveredKeyManagementServiceMachineIpAddress, ProductKeyChannel /value" | findstr =
  [4] C:\Windows\System32\Wbem\WMIC.exe (PID 3932): wmic path SoftwareLicensingProduct where ID='2de67392-b7a7-462a-b1ca-108dd189f588' get Description, DiscoveredKeyManagementServiceMachineName, DiscoveredKeyManagementServiceMachinePort, EvaluationEndDate, GracePeriodRemaining, ID, KeyManagementServiceMachine, KeyManagementServicePort, KeyManagementServiceProductKeyID, LicenseStatus, LicenseStatusReason, Name, PartialProductKey, ProductKeyID, VLActivationInterval, VLRenewalInterval, KeyManagementServiceLookupDomain, VLActivationTypeEnabled, DiscoveredKeyManagementServiceMachineIpAddress, ProductKeyChannel /value
  [4] C:\Windows\System32\findstr.exe (PID 3200): findstr =
[3] C:\Windows\system32\cmd.exe (PID 3696): C:\Windows\system32\cmd.exe /S /D /c" echo Windows(R) Operating System, VOLUME_KMSCLIENT channel"
[3] C:\Windows\System32\findstr.exe (PID 2940): findstr /i VOLUME_KMSCLIENT
[3] C:\Windows\system32\cmd.exe (PID 3820): C:\Windows\system32\cmd.exe /S /D /c" echo Windows(R) Operating System, VOLUME_KMSCLIENT channel"
[3] C:\Windows\System32\findstr.exe (PID 3960): findstr /i TIMEBASED_
[3] C:\Windows\system32\cmd.exe (PID 748): C:\Windows\system32\cmd.exe /S /D /c" echo Windows(R) Operating System, VOLUME_KMSCLIENT channel"
[3] C:\Windows\System32\findstr.exe (PID 4088): findstr /i VIRTUAL_MACHINE_ACTIVATION
[3] C:\Windows\System32\cmd.exe (PID 660): cmd /c exit /b 3221549142
[3] C:\Windows\system32\cmd.exe (PID 704): C:\Windows\system32\cmd.exe /c "wmic path SoftwareLicensingService get ClientMachineID, KeyManagementServiceHostCaching /value" | findstr =
  [4] C:\Windows\System32\Wbem\WMIC.exe (PID 3068): wmic path SoftwareLicensingService get ClientMachineID, KeyManagementServiceHostCaching /value
  [4] C:\Windows\System32\findstr.exe (PID 4720): findstr =
[3] C:\Windows\system32\cmd.exe (PID 4612): C:\Windows\system32\cmd.exe /c "wmic path SoftwareLicensingProduct where (ApplicationID='0ff1ce15-a989-479d-af46-f275c6370663' and PartialProductKey is not null) get ID /value"
  [4] C:\Windows\System32\Wbem\WMIC.exe (PID 4532): wmic path SoftwareLicensingProduct where (ApplicationID='0ff1ce15-a989-479d-af46-f275c6370663' and PartialProductKey is not null) get ID /value
[3] C:\Windows\system32\cmd.exe (PID 800): C:\Windows\system32\cmd.exe /c "wmic path SoftwareLicensingProduct where ID='85dd8b5f-eaa4-4af3-a628-cce9e77c9a03' get Description, DiscoveredKeyManagementServiceMachineName, DiscoveredKeyManagementServiceMachinePort, EvaluationEndDate, GracePeriodRemaining, ID, KeyManagementServiceMachine, KeyManagementServicePort, KeyManagementServiceProductKeyID, LicenseStatus, LicenseStatusReason, Name, PartialProductKey, ProductKeyID, VLActivationInterval, VLRenewalInterval, KeyManagementServiceLookupDomain, VLActivationTypeEnabled, DiscoveredKeyManagementServiceMachineIpAddress, ProductKeyChannel /value" | findstr =
  [4] C:\Windows\System32\Wbem\WMIC.exe (PID 1984): wmic path SoftwareLicensingProduct where ID='85dd8b5f-eaa4-4af3-a628-cce9e77c9a03' get Description, DiscoveredKeyManagementServiceMachineName, DiscoveredKeyManagementServiceMachinePort, EvaluationEndDate, GracePeriodRemaining, ID, KeyManagementServiceMachine, KeyManagementServicePort, KeyManagementServiceProductKeyID, LicenseStatus, LicenseStatusReason, Name, PartialProductKey, ProductKeyID, VLActivationInterval, VLRenewalInterval, KeyManagementServiceLookupDomain, VLActivationTypeEnabled, DiscoveredKeyManagementServiceMachineIpAddress, ProductKeyChannel /value
  [4] C:\Windows\System32\findstr.exe (PID 2220): findstr =
[3] C:\Windows\system32\cmd.exe (PID 1340): C:\Windows\system32\cmd.exe /S /D /c" echo Office 19, VOLUME_KMSCLIENT channel"
[3] C:\Windows\System32\findstr.exe (PID 3456): findstr /i VOLUME_KMSCLIENT
[3] C:\Windows\system32\cmd.exe (PID 5016): C:\Windows\system32\cmd.exe /S /D /c" echo Office 19, VOLUME_KMSCLIENT channel"
[3] C:\Windows\System32\findstr.exe (PID 4856): findstr /i TIMEBASED_
[3] C:\Windows\system32\cmd.exe (PID 4628): C:\Windows\system32\cmd.exe /S /D /c" echo Office 19, VOLUME_KMSCLIENT channel"
[3] C:\Windows\System32\findstr.exe (PID 4468): findstr /i VIRTUAL_MACHINE_ACTIVATION
[3] C:\Windows\System32\cmd.exe (PID 2104): cmd /c exit /b 3221549142
[3] C:\Windows\system32\cmd.exe (PID 2180): C:\Windows\system32\cmd.exe /c "wmic path SoftwareLicensingService get ClientMachineID, KeyManagementServiceHostCaching /value" | findstr =
  [4] C:\Windows\System32\Wbem\WMIC.exe (PID 4280): wmic path SoftwareLicensingService get ClientMachineID, KeyManagementServiceHostCaching /value
  [4] C:\Windows\System32\findstr.exe (PID 3652): findstr =
[3] C:\Windows\system32\cmd.exe (PID 4656): C:\Windows\system32\cmd.exe /c reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v ProductName 2>nul
  [4] C:\Windows\system32\reg.exe (PID 4920): reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v ProductName
[3] C:\Windows\system32\cmd.exe (PID 2804): C:\Windows\system32\cmd.exe /c powershell -nop -c "(([WMISEARCHER]'Select Version from Win32_OperatingSystem').Get()).Version"
  [4] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 4560): powershell -nop -c "(([WMISEARCHER]'Select Version from Win32_OperatingSystem').Get()).Version"
      signatures: Suspicious behavior: EnumeratesProcesses
[3] C:\Windows\system32\mode.com (PID 1136): mode con:cols=84 lines=42
[3] C:\Windows\system32\cmd.exe (PID 912): C:\Windows\system32\cmd.exe /c time /t
[3] C:\Windows\system32\choice.exe (PID 1652): choice /C:12345678 /N /M "YOUR CHOICE : "
[3] C:\Windows\system32\reg.exe (PID 884): REG QUERY HKU\S-1-5-19\Environment
[3] C:\Windows\system32\mode.com (PID 1456): mode con: cols=90 lines=40
[3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 1524): powershell -noprofile "$W=(get-host).ui.rawui; $B=$W.buffersize; $B.height=90; $W.buffersize=$B"
    signatures: Suspicious behavior: EnumeratesProcesses
[3] C:\Windows\system32\cmd.exe (PID 3348): C:\Windows\system32\cmd.exe /c "prompt #$H#$E# & echo on & for %b in (1) do rem"
[3] C:\Windows\system32\mode.com (PID 3984): mode con cols=92 lines=35
[3] C:\Users\Admin\AppData\Local\Temp\1277\bin\center.exe (PID 3912): center.exe kF5nJ4D92hfOpc8
    signatures: Executes dropped EXE
[3] C:\Windows\System32\WScript.exe (PID 1572): "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1277\bin\DisableX.vbs"
    signatures: Checks computer location settings
  [4] C:\Users\Admin\AppData\Local\Temp\1277\bin\DisableX.exe (PID 428): "C:\Users\Admin\AppData\Local\Temp\1277\bin\DisableX.exe"
      signatures: Executes dropped EXE; Suspicious use of SetWindowsHookEx
[3] C:\Windows\system32\cmd.exe (PID 1784): C:\Windows\system32\cmd.exe /c reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v ProductName 2>nul
  [4] C:\Windows\system32\reg.exe (PID 2580): reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v ProductName
[3] C:\Windows\system32\cmd.exe (PID 4312): C:\Windows\system32\cmd.exe /c powershell -nop -c "(([WMISEARCHER]'Select Version from Win32_OperatingSystem').Get()).Version"
  [4] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 3544): powershell -nop -c "(([WMISEARCHER]'Select Version from Win32_OperatingSystem').Get()).Version"
      signatures: Suspicious behavior: EnumeratesProcesses
[3] C:\Windows\system32\mode.com (PID 4828): mode con cols=92 lines=35
[3] C:\Windows\system32\cmd.exe (PID 4576): C:\Windows\system32\cmd.exe /c time /t
[3] C:\Windows\system32\findstr.exe (PID 520): findstr /v /a:78 /R "^$" " KMS & KMS 2038 & Digital & Online Activation Suite v9.3 - mephistooo2 - www.TNCTR.com" nul
[3] C:\Windows\system32\findstr.exe (PID 380): findstr /v /a:6 /R "^$" " SUPPORT MICROSOFT PRUDUCTS" nul
[3] C:\Windows\system32\findstr.exe (PID 4688): findstr /v /a:6 /R "^$" " [1] ACTIVATION START FOR WINDOWS & OFFICE (KMS Inject Method)" nul
[3] C:\Windows\system32\findstr.exe (PID 3976): findstr /v /a:9 /R "^$" " [2] ACTIVATION START FOR WINDOWS 10-11 (Digital & KMS 2038 Activation Method)" nul
[3] C:\Windows\system32\findstr.exe (PID 2552): findstr /v /a:2 /R "^$" " [3] ACTIVATION START FOR WINDOWS & OFFICE (Online Activation Method)" nul
[3] C:\Windows\system32\findstr.exe (PID 412): findstr /v /a:7 /R "^$" " [4] WINDOWS & OFFICE ACTIVATION STATUS CHECK" nul
[3] C:\Windows\system32\findstr.exe (PID 5116): findstr /v /a:3 /R "^$" " [5] KMS & KMS 2038 & DIJITAL & ONLINE ACTIVATION VISIT WEBSITE" nul
[3] C:\Windows\system32\findstr.exe (PID 3440): findstr /v /a:4 /R "^$" " [6] EXIT" nul
[3] C:\Windows\system32\choice.exe (PID 4040): choice /C:123456 /N /M "YOUR CHOICE :"
[3] C:\Windows\system32\reg.exe (PID 4924): REG QUERY HKU\S-1-5-19\Environment
[3] C:\Windows\system32\mode.com (PID 4624): mode con cols=70 lines=1
[3] C:\Windows\system32\cmd.exe (PID 1384): C:\Windows\system32\cmd.exe /c ver
[3] C:\Windows\system32\mode.com (PID 4976): mode con cols=84 lines=41
[3] C:\Windows\system32\cmd.exe (PID 4216): C:\Windows\system32\cmd.exe /c reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v ProductName 2>nul
  [4] C:\Windows\system32\reg.exe (PID 4984): reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v ProductName
[3] C:\Windows\system32\cmd.exe (PID 3476): C:\Windows\system32\cmd.exe /c powershell -nop -c "(([WMISEARCHER]'Select Version from Win32_OperatingSystem').Get()).Version"
  [4] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 3064): powershell -nop -c "(([WMISEARCHER]'Select Version from Win32_OperatingSystem').Get()).Version"
      signatures: Suspicious behavior: EnumeratesProcesses
[3] C:\Windows\system32\cmd.exe (PID 3380): C:\Windows\system32\cmd.exe /c time /t
[3] C:\Windows\system32\choice.exe (PID 2944): choice /C:1234567 /N /M "YOUR CHOICE : "
[3] C:\Windows\system32\cmd.exe (PID 4836): C:\Windows\system32\cmd.exe /c sc query ClipSVC
  [4] C:\Windows\system32\sc.exe (PID 3600): sc query ClipSVC
      signatures: Launches sc.exe
[3] C:\Windows\system32\cmd.exe (PID 1528): C:\Windows\system32\cmd.exe /c sc qc ClipSVC
  [4] C:\Windows\system32\sc.exe (PID 3344): sc qc ClipSVC
      signatures: Launches sc.exe
[3] C:\Windows\system32\cmd.exe (PID 4220): C:\Windows\system32\cmd.exe /c sc query sppsvc
  [4] C:\Windows\system32\sc.exe (PID 3896): sc query sppsvc
      signatures: Launches sc.exe
[3] C:\Windows\system32\cmd.exe (PID 2676): C:\Windows\system32\cmd.exe /c sc qc sppsvc
  [4] C:\Windows\system32\sc.exe (PID 3400): sc qc sppsvc
      signatures: Launches sc.exe
[3] C:\Windows\system32\mode.com (PID 112): mode con cols=83 lines=33
[3] C:\Windows\system32\cmd.exe (PID 2236): C:\Windows\system32\cmd.exe /c DISM /English /Online /Get-CurrentEdition 2>nul | FIND /I "Current Edition :"
  [4] C:\Windows\system32\Dism.exe (PID 352): DISM /English /Online /Get-CurrentEdition
      signatures: Drops file in Windows directory
    [5] C:\Users\Admin\AppData\Local\Temp\FF163764-6701-409E-92AC-9C9E1DB342F0\dismhost.exe (PID 1892): C:\Users\Admin\AppData\Local\Temp\FF163764-6701-409E-92AC-9C9E1DB342F0\dismhost.exe {070382BB-E3DC-4BAA-926B-E2011C04FF71}
        signatures: Executes dropped EXE; Loads dropped DLL; Drops file in Windows directory
  [4] C:\Windows\system32\find.exe (PID 3700): FIND /I "Current Edition :"
[3] C:\Windows\system32\sc.exe (PID 3792): sc stop clipsvc
    signatures: Launches sc.exe
[3] C:\Windows\system32\cscript.exe (PID 364): cscript /nologo C:\Windows\system32\slmgr.vbs -ckms
[3] C:\Windows\system32\cscript.exe (PID 4756): cscript /nologo C:\Windows\system32\slmgr.vbs -rearm-app 55c92734-d682-4d71-983e-d6ec3f16059f
[3] C:\Windows\system32\cmd.exe (PID 4056): C:\Windows\system32\cmd.exe /c powershell -nop -c "(([WMISEARCHER]'Select Caption from SoftwareLicensingProduct').Get()).ProductKeyID"
  [4] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 1696): powershell -nop -c "(([WMISEARCHER]'Select Caption from SoftwareLicensingProduct').Get()).ProductKeyID"
      signatures: Suspicious behavior: EnumeratesProcesses
[3] C:\Windows\system32\cscript.exe (PID 2512): cscript //nologo "C:\Windows\System32\slmgr.vbs" /rearm-sku
[3] C:\Windows\system32\cscript.exe (PID 4260): cscript /nologo C:\Windows\system32\slmgr.vbs -ipk W269N-WFGWX-YVC9B-4J6C9-T83GX
[3] C:\Windows\system32\rundll32.exe (PID 1176): rundll32 "C:\Users\Admin\AppData\Local\Temp\1277\bin\Digital\bin\slc.dll",PatchGatherosstate
  [4] C:\Windows\SysWOW64\rundll32.exe (PID 1956): rundll32 "C:\Users\Admin\AppData\Local\Temp\1277\bin\Digital\bin\slc.dll",PatchGatherosstate
      signatures: Loads dropped DLL
[3] C:\Users\Admin\AppData\Local\Temp\1277\bin\Digital\bin\gatherosstatemodified.exe (PID 4092): gatherosstatemodified.exe
    signatures: Executes dropped EXE; Loads dropped DLL; Checks SCSI registry key(s)
[3] C:\Windows\system32\timeout.exe (PID 3656): timeout /t 3
    signatures: Delays execution with timeout.exe
[3] C:\Windows\system32\ClipUp.exe (PID 4172): clipup -v -o -altto bin\
  [4] C:\Windows\system32\clipup.exe (PID 4452): clipup -v -o -altto bin\ -ppl C:\Users\Admin\AppData\Local\Temp\temE72F.tmp
      signatures: Checks SCSI registry key(s)
[3] C:\Windows\system32\cscript.exe (PID 912): cscript /nologo C:\Windows\system32\slmgr.vbs -ato
[3] C:\Windows\system32\cscript.exe (PID 1384): cscript /nologo C:\Windows\system32\slmgr.vbs -xpr
[3] C:\Windows\system32\mode.com (PID 4216): mode con cols=70 lines=1
[3] C:\Windows\system32\cmd.exe (PID 944): C:\Windows\system32\cmd.exe /c ver
[3] C:\Windows\system32\mode.com (PID 3060): mode con cols=84 lines=41
[3] C:\Windows\system32\cmd.exe (PID 2352): C:\Windows\system32\cmd.exe /c reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v ProductName 2>nul
  [4] C:\Windows\system32\reg.exe (PID 2732): reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v ProductName
[3] C:\Windows\system32\cmd.exe (PID 2456): C:\Windows\system32\cmd.exe /c powershell -nop -c "(([WMISEARCHER]'Select Version from Win32_OperatingSystem').Get()).Version"
  [4] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 3064): powershell -nop -c "(([WMISEARCHER]'Select Version from Win32_OperatingSystem').Get()).Version"
      signatures: Suspicious behavior: EnumeratesProcesses
[3] C:\Windows\system32\cmd.exe (PID 1780): C:\Windows\system32\cmd.exe /c time /t
[3] C:\Windows\system32\choice.exe (PID 3468): choice /C:1234567 /N /M "YOUR CHOICE : "
[3] C:\Windows\system32\reg.exe (PID 5112): REG QUERY HKU\S-1-5-19\Environment
[3] C:\Windows\system32\mode.com (PID 852): mode con: cols=90 lines=40
[3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 5012): powershell -noprofile "$W=(get-host).ui.rawui; $B=$W.buffersize; $B.height=90; $W.buffersize=$B"
    signatures: Suspicious behavior: EnumeratesProcesses
[3] C:\Windows\system32\cmd.exe (PID 5036): C:\Windows\system32\cmd.exe /c "prompt #$H#$E# & echo on & for %b in (1) do rem"
[3] C:\Windows\system32\mode.com (PID 1620): mode con cols=92 lines=35
[3] C:\Users\Admin\AppData\Local\Temp\1277\bin\center.exe (PID 4448): center.exe kF5nJ4D92hfOpc8
    signatures: Executes dropped EXE
[3] C:\Windows\System32\WScript.exe (PID 4836): "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1277\bin\DisableX.vbs"
    signatures: Checks computer location settings
  [4] C:\Users\Admin\AppData\Local\Temp\1277\bin\DisableX.exe (PID 1900): "C:\Users\Admin\AppData\Local\Temp\1277\bin\DisableX.exe"
      signatures: Executes dropped EXE; Suspicious use of SetWindowsHookEx
[3] C:\Windows\system32\cmd.exe (PID 3400): C:\Windows\system32\cmd.exe /c reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v ProductName 2>nul
  [4] C:\Windows\system32\reg.exe (PID 2484): reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v ProductName
[3] C:\Windows\system32\cmd.exe (PID 2208): C:\Windows\system32\cmd.exe /c powershell -nop -c "(([WMISEARCHER]'Select Version from Win32_OperatingSystem').Get()).Version"
  [4] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 3460): powershell -nop -c "(([WMISEARCHER]'Select Version from Win32_OperatingSystem').Get()).Version"
      signatures: Suspicious behavior: EnumeratesProcesses
[3] C:\Windows\system32\mode.com (PID 4224): mode con cols=92 lines=35
[3] C:\Windows\system32\cmd.exe (PID 440): C:\Windows\system32\cmd.exe /c time /t
[3] C:\Windows\system32\findstr.exe (PID 740): findstr /v /a:78 /R "^$" " KMS & KMS 2038 & Digital & Online Activation Suite v9.3 - mephistooo2 - www.TNCTR.com" nul
[3] C:\Windows\system32\findstr.exe (PID 848): findstr /v /a:6 /R "^$" " SUPPORT MICROSOFT PRUDUCTS" nul
[3] C:\Windows\system32\findstr.exe (PID 364): findstr /v /a:6 /R "^$" " [1] ACTIVATION START FOR WINDOWS & OFFICE (KMS Inject Method)" nul
[3] C:\Windows\system32\findstr.exe (PID 4380): findstr /v /a:9 /R "^$" " [2] ACTIVATION START FOR WINDOWS 10-11 (Digital & KMS 2038 Activation Method)" nul
[3] C:\Windows\system32\findstr.exe (PID 3068): findstr /v /a:2 /R "^$" " [3] ACTIVATION START FOR WINDOWS & OFFICE (Online Activation Method)" nul
[3] C:\Windows\system32\findstr.exe (PID 4364): findstr /v /a:7 /R "^$" " [4] WINDOWS & OFFICE ACTIVATION STATUS CHECK" nul
[3] C:\Windows\system32\findstr.exe (PID 4612): findstr /v /a:3 /R "^$" " [5] KMS & KMS 2038 & DIJITAL & ONLINE ACTIVATION VISIT WEBSITE" nul
[3] C:\Windows\system32\findstr.exe (PID 3296): findstr /v /a:4 /R "^$" " [6] EXIT" nul
[3] C:\Windows\system32\choice.exe (PID 712): choice /C:123456 /N /M "YOUR CHOICE :"
[3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2972): powershell -nop -c $f=[IO.File]::ReadAllText($env:0)-split':bat2file\:.*';iex($f[1]); X(1)
    signatures: Suspicious behavior: EnumeratesProcesses
  [4] C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe (PID 2264): "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\qtehjicf\qtehjicf.cmdline"
    [5] C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe (PID 3456): C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5D0A.tmp" "c:\Users\Admin\AppData\Local\Temp\qtehjicf\CSCB1CDD7FA4DEF48D9B028C0B3CD559F0.TMP"
  [4] C:\Windows\system32\expand.exe (PID 1480): "C:\Windows\system32\expand.exe" -R 1 -F:* .
      signatures: Drops file in Windows directory
[3] C:\Windows\system32\mode.com (PID 4164): mode con:cols=70 lines=55
[3] C:\Windows\system32\cmd.exe (PID 1420): C:\Windows\system32\cmd.exe /c ver
[3] C:\Windows\System32\find.exe (PID 1072): find /i "0x0"
[3] C:\Windows\System32\reg.exe (PID 4092): reg query "HKCU\SOFTWARE\Microsoft\Windows Script Host\Settings" /v Enabled
[3] C:\Windows\System32\reg.exe (PID 2396): reg query HKU\S-1-5-19
[3] C:\Windows\System32\reg.exe (PID 5056): reg query "HKLM\SOFTWARE\Microsoft\Windows Script Host\Settings" /v Enabled
[3] C:\Windows\System32\find.exe (PID 4012): find /i "0x0"
[3] C:\Windows\System32\sc.exe (PID 4936): sc query osppsvc
    signatures: Launches sc.exe
[3] C:\Windows\System32\net.exe (PID 2692): net start sppsvc /y
  [4] C:\Windows\system32\net1.exe (PID 4656): C:\Windows\system32\net1 start sppsvc /y
[3] C:\Windows\System32\Wbem\WMIC.exe (PID 4920): wmic path SoftwareLicensingProduct where (ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f' and PartialProductKey is not null) get ID /value
[3] C:\Windows\System32\findstr.exe (PID 4676): findstr /i ID
[3] C:\Windows\System32\Wbem\WMIC.exe (PID 2804): wmic path SoftwareLicensingProduct where (ApplicationID='0ff1ce15-a989-479d-af46-f275c6370663' and PartialProductKey is not null) get ID /value
[3] C:\Windows\System32\findstr.exe (PID 1396): findstr /i ID
[3] C:\Windows\system32\cmd.exe (PID 804): C:\Windows\system32\cmd.exe /c "wmic path SoftwareLicensingProduct where (ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f' and PartialProductKey is not null) get ID /value"
  [4] C:\Windows\System32\Wbem\WMIC.exe (PID 5020): wmic path SoftwareLicensingProduct where (ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f' and PartialProductKey is not null) get ID /value
[3] C:\Windows\system32\cmd.exe (PID 2760): C:\Windows\system32\cmd.exe /c "wmic path SoftwareLicensingProduct where ID='2de67392-b7a7-462a-b1ca-108dd189f588' get Description, DiscoveredKeyManagementServiceMachineName, DiscoveredKeyManagementServiceMachinePort, EvaluationEndDate, GracePeriodRemaining, ID, KeyManagementServiceMachine, KeyManagementServicePort, KeyManagementServiceProductKeyID, LicenseStatus, LicenseStatusReason, Name, PartialProductKey, ProductKeyID, VLActivationInterval, VLRenewalInterval, KeyManagementServiceLookupDomain, VLActivationTypeEnabled, DiscoveredKeyManagementServiceMachineIpAddress, ProductKeyChannel /value" | findstr =
  [4] C:\Windows\System32\Wbem\WMIC.exe (PID 1524): wmic path SoftwareLicensingProduct where ID='2de67392-b7a7-462a-b1ca-108dd189f588' get Description, DiscoveredKeyManagementServiceMachineName, DiscoveredKeyManagementServiceMachinePort, EvaluationEndDate, GracePeriodRemaining, ID, KeyManagementServiceMachine, KeyManagementServicePort, KeyManagementServiceProductKeyID, LicenseStatus, LicenseStatusReason, Name, PartialProductKey, ProductKeyID, VLActivationInterval, VLRenewalInterval, KeyManagementServiceLookupDomain, VLActivationTypeEnabled, DiscoveredKeyManagementServiceMachineIpAddress, ProductKeyChannel /value
  [4] C:\Windows\System32\findstr.exe (PID 1036): findstr =
[3] C:\Windows\system32\cmd.exe (PID 3284): C:\Windows\system32\cmd.exe /S /D /c" echo Windows(R) Operating System, VOLUME_KMSCLIENT channel"
[3] C:\Windows\System32\findstr.exe (PID 3436): findstr /i VOLUME_KMSCLIENT
[3] C:\Windows\system32\cmd.exe (PID 4680): C:\Windows\system32\cmd.exe /S /D /c" echo Windows(R) Operating System, VOLUME_KMSCLIENT channel"
[3] C:\Windows\System32\findstr.exe (PID 1064): findstr /i TIMEBASED_
[3] C:\Windows\system32\cmd.exe (PID 1572): C:\Windows\system32\cmd.exe /S /D /c" echo Windows(R) Operating System, VOLUME_KMSCLIENT channel"
[3] C:\Windows\System32\findstr.exe (PID 2956): findstr /i VIRTUAL_MACHINE_ACTIVATION
[3] C:\Windows\System32\cmd.exe (PID 596): cmd /c exit /b 1074065472
[3] C:\Windows\system32\cmd.exe (PID 2580): C:\Windows\system32\cmd.exe /c cscript.exe //NoLogo //Job:XPDT "check.bat?.wsf" 8022460
  [4] C:\Windows\System32\cscript.exe (PID 2736): cscript.exe //NoLogo //Job:XPDT "check.bat?.wsf" 8022460
[3] C:\Windows\system32\cmd.exe (PID 1824): C:\Windows\system32\cmd.exe /c "wmic path SoftwareLicensingService get ClientMachineID, KeyManagementServiceHostCaching /value" | findstr =
  [4] C:\Windows\System32\Wbem\WMIC.exe (PID 1400): wmic path SoftwareLicensingService get ClientMachineID, KeyManagementServiceHostCaching /value
  [4] C:\Windows\System32\findstr.exe (PID 4488): findstr =
[3] C:\Windows\system32\cmd.exe (PID 1388): C:\Windows\system32\cmd.exe /c "wmic path SoftwareLicensingProduct where (ApplicationID='0ff1ce15-a989-479d-af46-f275c6370663' and PartialProductKey is not null) get ID /value"
  [4] C:\Windows\System32\Wbem\WMIC.exe (PID 1188): wmic path SoftwareLicensingProduct where (ApplicationID='0ff1ce15-a989-479d-af46-f275c6370663' and PartialProductKey is not null) get ID /value
[3] C:\Windows\system32\cmd.exe (PID 504): C:\Windows\system32\cmd.exe /c "wmic path SoftwareLicensingProduct where ID='85dd8b5f-eaa4-4af3-a628-cce9e77c9a03' get Description, DiscoveredKeyManagementServiceMachineName, DiscoveredKeyManagementServiceMachinePort, EvaluationEndDate, GracePeriodRemaining, ID, KeyManagementServiceMachine, KeyManagementServicePort, KeyManagementServiceProductKeyID, LicenseStatus, LicenseStatusReason, Name, PartialProductKey, ProductKeyID, VLActivationInterval, VLRenewalInterval, KeyManagementServiceLookupDomain, VLActivationTypeEnabled, DiscoveredKeyManagementServiceMachineIpAddress, ProductKeyChannel /value" | findstr =
  [4] C:\Windows\System32\Wbem\WMIC.exe (PID 1020): wmic path SoftwareLicensingProduct where ID='85dd8b5f-eaa4-4af3-a628-cce9e77c9a03' get Description, DiscoveredKeyManagementServiceMachineName, DiscoveredKeyManagementServiceMachinePort, EvaluationEndDate, GracePeriodRemaining, ID, KeyManagementServiceMachine, KeyManagementServicePort, KeyManagementServiceProductKeyID, LicenseStatus, LicenseStatusReason, Name, PartialProductKey, ProductKeyID, VLActivationInterval, VLRenewalInterval, KeyManagementServiceLookupDomain, VLActivationTypeEnabled, DiscoveredKeyManagementServiceMachineIpAddress, ProductKeyChannel /value
  [4] C:\Windows\System32\findstr.exe (PID 3680): findstr =
[3] C:\Windows\system32\cmd.exe (PID 3976): C:\Windows\system32\cmd.exe /S /D /c" echo Office 19, VOLUME_KMSCLIENT channel"
[3] C:\Windows\System32\findstr.exe (PID 4684): findstr /i VOLUME_KMSCLIENT
[3] C:\Windows\system32\cmd.exe (PID 412): C:\Windows\system32\cmd.exe /S /D /c" echo Office 19, VOLUME_KMSCLIENT channel"
[3] C:\Windows\System32\findstr.exe (PID 2932): findstr /i TIMEBASED_
[3] C:\Windows\system32\cmd.exe (PID 3440): C:\Windows\system32\cmd.exe /S /D /c" echo Office 19, VOLUME_KMSCLIENT channel"
[3] C:\Windows\System32\findstr.exe (PID 3520): findstr /i VIRTUAL_MACHINE_ACTIVATION
[3] C:\Windows\System32\cmd.exe (PID 3728): cmd /c exit /b 3221549142
[3] C:\Windows\system32\cmd.exe (PID 3528): C:\Windows\system32\cmd.exe /c "wmic path SoftwareLicensingService get ClientMachineID, KeyManagementServiceHostCaching /value" | findstr =
  [4] C:\Windows\System32\Wbem\WMIC.exe (PID 2032): wmic path SoftwareLicensingService get ClientMachineID, KeyManagementServiceHostCaching /value
  [4] C:\Windows\System32\findstr.exe (PID 5008): findstr =
[3] C:\Windows\system32\mode.com (PID 3148): mode con: cols=90 lines=40
[3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 3476): powershell -noprofile "$W=(get-host).ui.rawui; $B=$W.buffersize; $B.height=90; $W.buffersize=$B"
    signatures: Suspicious behavior: EnumeratesProcesses
[3] C:\Windows\system32\cmd.exe (PID 2404): C:\Windows\system32\cmd.exe /c "prompt #$H#$E# & echo on & for %b in (1) do rem"
[3] C:\Windows\system32\mode.com (PID 3468): mode con cols=92 lines=35
[3] C:\Users\Admin\AppData\Local\Temp\1277\bin\center.exe (PID 5112): center.exe kF5nJ4D92hfOpc8
    signatures: Executes dropped EXE
[3] C:\Windows\System32\WScript.exe (PID 3736): "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1277\bin\DisableX.vbs"
    signatures: Checks computer location settings
  [4] C:\Users\Admin\AppData\Local\Temp\1277\bin\DisableX.exe (PID 4664): "C:\Users\Admin\AppData\Local\Temp\1277\bin\DisableX.exe"
      signatures: Executes dropped EXE; Suspicious use of SetWindowsHookEx
[3] C:\Windows\system32\cmd.exe (PID 4608): C:\Windows\system32\cmd.exe /c reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v ProductName 2>nul
  [4] C:\Windows\system32\reg.exe (PID 5036): reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v ProductName
[3] C:\Windows\system32\cmd.exe (PID 3444): C:\Windows\system32\cmd.exe /c powershell -nop -c "(([WMISEARCHER]'Select Version from Win32_OperatingSystem').Get()).Version"
  [4] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 3992): powershell -nop -c "(([WMISEARCHER]'Select Version from Win32_OperatingSystem').Get()).Version"
      signatures: Suspicious behavior: EnumeratesProcesses
[3] C:\Windows\system32\mode.com (PID 2744): mode con cols=92 lines=35
[3] C:\Windows\system32\cmd.exe (PID 4476): C:\Windows\system32\cmd.exe /c time /t
[3] C:\Windows\system32\findstr.exe (PID 2256): findstr /v /a:78 /R "^$" " KMS & KMS 2038 & Digital & Online Activation Suite v9.3 - mephistooo2 - www.TNCTR.com" nul
[3] C:\Windows\system32\findstr.exe (PID 3092): findstr /v /a:6 /R "^$" " SUPPORT MICROSOFT PRUDUCTS" nul
[3] C:\Windows\system32\findstr.exe (PID 2876): findstr /v /a:6 /R "^$" " [1] ACTIVATION START FOR WINDOWS & OFFICE (KMS Inject Method)" nul
[3] C:\Windows\system32\findstr.exe (PID 3200): findstr /v /a:9 /R "^$" " [2] ACTIVATION START FOR WINDOWS 10-11 (Digital & KMS 2038 Activation Method)" nul
[3] C:\Windows\system32\findstr.exe (PID 1808): findstr /v /a:2 /R "^$" " [3] ACTIVATION START FOR WINDOWS & OFFICE (Online Activation Method)" nul
[3] C:\Windows\system32\findstr.exe (PID 4264): findstr /v /a:7 /R "^$" " [4] WINDOWS & OFFICE ACTIVATION STATUS CHECK" nul
[3] C:\Windows\system32\findstr.exe (PID 3960): findstr /v /a:3 /R "^$" " [5] KMS & KMS 2038 & DIJITAL & ONLINE ACTIVATION VISIT WEBSITE" nul
[3] C:\Windows\system32\findstr.exe (PID 4088): findstr /v /a:4 /R "^$" " [6] EXIT" nul
[3] C:\Windows\system32\choice.exe (PID 3588): choice /C:123456 /N /M "YOUR CHOICE :"
[3] C:\Windows\system32\taskkill.exe (PID 4380): taskkill /f /im DisableX.exe
    signatures: Kills process with taskkill
[3] C:\Windows\System32\WScript.exe (PID 4612): "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\TEMPmessage.vbs"
Network
MITRE ATT&CK Enterprise v6
Downloads
C:\Users\Admin\AppData\Local\Temp\ KMS & KMS 2038 & Digital & Online Activation Suite v9.3 - mephistooo2 - www.TNCTR.com
Filesize: 3B
MD5: df66fa563a2fafdb93cc559deb0a38c4
SHA1: e6666cf8574b0f7a9ae5bccee572f965c2aec9cb
SHA256: 3e39ed22dc63246937c4dbbf34ce4fb1cfe6b00de7596b020cad49ae50031351
SHA512: 34ea05ee75cd840a94526411777868edb293a69867e1fdc2c2e917d278a3d58fcb86afc65142f4b184ce6907f04fb254a86061cfb620f01874b0b454a6f01c18
-
Filesize: 3B
MD5: df66fa563a2fafdb93cc559deb0a38c4
SHA1: e6666cf8574b0f7a9ae5bccee572f965c2aec9cb
SHA256: 3e39ed22dc63246937c4dbbf34ce4fb1cfe6b00de7596b020cad49ae50031351
SHA512: 34ea05ee75cd840a94526411777868edb293a69867e1fdc2c2e917d278a3d58fcb86afc65142f4b184ce6907f04fb254a86061cfb620f01874b0b454a6f01c18
-
Filesize: 3B
MD5: df66fa563a2fafdb93cc559deb0a38c4
SHA1: e6666cf8574b0f7a9ae5bccee572f965c2aec9cb
SHA256: 3e39ed22dc63246937c4dbbf34ce4fb1cfe6b00de7596b020cad49ae50031351
SHA512: 34ea05ee75cd840a94526411777868edb293a69867e1fdc2c2e917d278a3d58fcb86afc65142f4b184ce6907f04fb254a86061cfb620f01874b0b454a6f01c18
-
C:\Users\Admin\AppData\Local\Temp\ [2] ACTIVATION START FOR WINDOWS 10-11 (Digital & KMS 2038 Activation Method)
Filesize: 3B
MD5: df66fa563a2fafdb93cc559deb0a38c4
SHA1: e6666cf8574b0f7a9ae5bccee572f965c2aec9cb
SHA256: 3e39ed22dc63246937c4dbbf34ce4fb1cfe6b00de7596b020cad49ae50031351
SHA512: 34ea05ee75cd840a94526411777868edb293a69867e1fdc2c2e917d278a3d58fcb86afc65142f4b184ce6907f04fb254a86061cfb620f01874b0b454a6f01c18
-
C:\Users\Admin\AppData\Local\Temp\ [3] ACTIVATION START FOR WINDOWS & OFFICE (Online Activation Method)
Filesize: 3B
MD5: df66fa563a2fafdb93cc559deb0a38c4
SHA1: e6666cf8574b0f7a9ae5bccee572f965c2aec9cb
SHA256: 3e39ed22dc63246937c4dbbf34ce4fb1cfe6b00de7596b020cad49ae50031351
SHA512: 34ea05ee75cd840a94526411777868edb293a69867e1fdc2c2e917d278a3d58fcb86afc65142f4b184ce6907f04fb254a86061cfb620f01874b0b454a6f01c18
-
Filesize: 3B
MD5: df66fa563a2fafdb93cc559deb0a38c4
SHA1: e6666cf8574b0f7a9ae5bccee572f965c2aec9cb
SHA256: 3e39ed22dc63246937c4dbbf34ce4fb1cfe6b00de7596b020cad49ae50031351
SHA512: 34ea05ee75cd840a94526411777868edb293a69867e1fdc2c2e917d278a3d58fcb86afc65142f4b184ce6907f04fb254a86061cfb620f01874b0b454a6f01c18
-
Filesize: 3B
MD5: df66fa563a2fafdb93cc559deb0a38c4
SHA1: e6666cf8574b0f7a9ae5bccee572f965c2aec9cb
SHA256: 3e39ed22dc63246937c4dbbf34ce4fb1cfe6b00de7596b020cad49ae50031351
SHA512: 34ea05ee75cd840a94526411777868edb293a69867e1fdc2c2e917d278a3d58fcb86afc65142f4b184ce6907f04fb254a86061cfb620f01874b0b454a6f01c18
-
Filesize: 3B
MD5: df66fa563a2fafdb93cc559deb0a38c4
SHA1: e6666cf8574b0f7a9ae5bccee572f965c2aec9cb
SHA256: 3e39ed22dc63246937c4dbbf34ce4fb1cfe6b00de7596b020cad49ae50031351
SHA512: 34ea05ee75cd840a94526411777868edb293a69867e1fdc2c2e917d278a3d58fcb86afc65142f4b184ce6907f04fb254a86061cfb620f01874b0b454a6f01c18
-
Filesize: 279KB
MD5: 436d8d09dc86c53be0486371400bd951
SHA1: c50a173334aceb34ceebe878ce4e47dc8b206c95
SHA256: 586aa43770695b63537a434ad7835fd5b10c8d513eb1743255cf5b68cb5586b2
SHA512: 28bc2990348f2c2828accc1843570d9f3834eb2c4d94083d2e90ede87266b0c3c3a8ade15458177bfb184b94d985ac406bd1ce58477832e38564d1c88623b81f
-
Filesize: 142KB
MD5: f825dcc537d39befd3a38d3558af19ec
SHA1: 98c581debf37d459149413f4e73ff247cb67ff67
SHA256: 2a6a60cc19bde03d9ef004b0413ce9c73b1abb71bb21a7a14ebaa41636cb561b
SHA512: ca293b76e89e10d5e35aea396498141dc962fdd24002e9638df19c68a6e619cf9b0a55edfab0e640e9d2a422d51943601a73f1102b7435a39cc05492f63de7d1
-
Filesize: 16KB
MD5: 00c9837407663587c69df18793248d52
SHA1: db8c290e81aba4712febba5f43ef6fa3ec319f61
SHA256: 09933212238bc7d0cce57469f9927c0325d5670b21fc7787428574c4a52e5f6d
SHA512: 2035a69398202385c327cf1970565855852275807e587f4b804e3c475b0a259a27052f14d791dfc5967d5e3114266b971670a78160832d8d46304b573d31b304
-
Filesize: 16KB
MD5: 00c9837407663587c69df18793248d52
SHA1: db8c290e81aba4712febba5f43ef6fa3ec319f61
SHA256: 09933212238bc7d0cce57469f9927c0325d5670b21fc7787428574c4a52e5f6d
SHA512: 2035a69398202385c327cf1970565855852275807e587f4b804e3c475b0a259a27052f14d791dfc5967d5e3114266b971670a78160832d8d46304b573d31b304
-
Filesize: 189B
MD5: c2206c9c9b0c97f7c5db4f473e96e9a3
SHA1: 77b32538358d64aff6d7e083bba358f0fe7b2789
SHA256: f1cec878cd1db36ca4ccb68296cd47ce039054e2ece4cd22d9933b90c8625c1f
SHA512: 67c8d84c4a58aa6dcfcd1271b206c0ac36d1f05db3701d0f003357746daaf6d3328fd7002cc1e6c2d2f3d0388c519669ec94e2bd0d817589decc6ac04c5f444a
-
Filesize: 983B
MD5: d98118ac31e94e4d5f2a3baab1e4c777
SHA1: b5649576144d09fbb04bd616a9a1a78db1bad29b
SHA256: 7c85f1b5724fa3fd960e3c2892b15546a007d70ad3cc57fd537399e1ce369de5
SHA512: b62dd33fa2dd791f3ad11c41528dae15ff51efedffa769245fe5ee8498dfcba4e5d4c90a117c2cb4b89269c868261206ec44d192a42dae723c51084fc5a3b031
-
Filesize: 140KB
MD5: 27edcd6267f4c58c35db91cbbf934929
SHA1: 297b1cd2a4833cb24cd5758fc2b73939a1111080
SHA256: eec4ab779b67dd195bb474e8b4c45a5859ae5129ae916b5d9dd4d46f46206430
SHA512: a068a29cce8a63eb540c964ecce95248231f3a556b11196403191d317df3f344d0de9982eabc376794314bc4f7ba1394a629ccfd88a52916c2fd3df333000e3c
-
Filesize: 140KB
MD5: d054f26c2659bdec0ccf6df418023d6e
SHA1: e98dac9b0a7801475d6e7f76269f463613a61a10
SHA256: 4534138dbfa7b55f674612f8fb2c7caf727260e382611d1f5f6f90504d05955e
SHA512: e8e9cccead23a7eb655409fd8949f76a5660f071da360af20006622ab87baabf89172a2832e7b0dd6278a5907dc66a80c23dbe744c2a7e4325c10eab4c7ab6ed
-
Filesize: 21KB
MD5: 886b4a107a2ede49c4c8a5bcba94f20f
SHA1: b5256ddc2b5fb8bd8d0272679043e03a0936d8a3
SHA256: 24bf5b777254334c384e02ced455d21470163569d33ffebad36e54f6afd5059c
SHA512: 28aa34d2dc065b14912d4813246fdd963a47e8c4a7d0134d22e63f80d9bff45cea150b8d4dc2d3ced9a8f337ec513e8214dba04c09130b24631cd48d9eb8f28d
-
Filesize: 3KB
MD5: 672791216f102bdb76fb550adb0ea923
SHA1: e5fa7406143f7bb9aa28de777e62465ae55975bb
SHA256: 0cb32bea8fc9ef6150e071049497b51750b8f4cb13cf83adac1f1357560f751a
SHA512: 9801da8df68dad6f40e63c02b481463cb1b59e2d57f183b17e7168cbb96eafb95c98c226e196ba379b6cbde6bce911cecd8511ac40af76f5b35f705866f824b2
-
Filesize: 19KB
MD5: 162ab955cb2f002a73c1530aa796477f
SHA1: d30a0e4e5911d3ca705617d17225372731c770e2
SHA256: 5ce462e5f34065fc878362ba58617fab28c22d631b9d836dddcf43fb1ad4de6e
SHA512: e0288dcf78092449d9cbaef4488041131925387c1aedc9e9512da0f66efe2fb68350ca3937f6715834e62e7c931c5dad0fc8bc3c6c0c3daedeff356d6feaac2e
-
Filesize: 17KB
MD5: 5fd363d52d04ac200cd24f3bcc903200
SHA1: 39ed8659e7ca16aaccb86def94ce6cec4c847dd6
SHA256: 3fdefe2ad092a9a7fe0edf0ac4dc2de7e5b9ce6a0804f6511c06564194966cf9
SHA512: f8ea73b0cb0a90fac6032a54028c60119022173334e68db3fbd63fe173032dd3fc3b438678064edb8c63d4eceaa72990ce039819df3d547d7d7627ad2eee36b3
-
Filesize: 20KB
MD5: a8f669ab8fad00bd193a82b8f62e7660
SHA1: 1925f6f7b904d0289da8cdc55e84875f7739b0b1
SHA256: bcde6b7bbafa2b4eeb6c75f051b5949d27b49b4030e376a7838ba84e4e103daf
SHA512: 1adaa8aaa55c7cf3d36435646aa8312cd62511edaa54f31160ef6ba4e8364f0a6cb9c0d9b96f796d777d0448b3a3fc8ae28ee213456c66dfeef046b40d57b897
-
Filesize: 16KB
MD5: fee7e8f5472041f6b2c0e5d8f8d0da45
SHA1: 063eeee055d4646e91e15ac6a785bd9c7bcaa10b
SHA256: c43ccfcc2f7ab3e2d229da6b1fb9715cc707991835108518cb0aa9a667ea15cc
SHA512: c535d5a68b99e9a8ea5b937d382a2827b99b37edaf55bd6af4e6196242575a4102ff2f14297ae6be875477df5a7f9997f3c3d00821fe8ea94d5bef08a157f8b4
-
Filesize: 72KB
MD5: 0a847eafddc4529388e1a1b291354cf8
SHA1: adddd1b79c64c7c1d0d440df847be31ee94e664d
SHA256: 69533d9b66b840b4764f901cd6a502d12453b604617a841f4c2c602fc87df255
SHA512: 7b3ddb5be55367fc5fcfaa99f9a3b7f0888234c82146f3af6b012ff1feacf8b087cf53cce3e57492417a8e88657a045d948fedc07645e5a018604c158bd15710
-
Filesize: 72KB
MD5: 0a847eafddc4529388e1a1b291354cf8
SHA1: adddd1b79c64c7c1d0d440df847be31ee94e664d
SHA256: 69533d9b66b840b4764f901cd6a502d12453b604617a841f4c2c602fc87df255
SHA512: 7b3ddb5be55367fc5fcfaa99f9a3b7f0888234c82146f3af6b012ff1feacf8b087cf53cce3e57492417a8e88657a045d948fedc07645e5a018604c158bd15710
-
Filesize: 142KB
MD5: f825dcc537d39befd3a38d3558af19ec
SHA1: 98c581debf37d459149413f4e73ff247cb67ff67
SHA256: 2a6a60cc19bde03d9ef004b0413ce9c73b1abb71bb21a7a14ebaa41636cb561b
SHA512: ca293b76e89e10d5e35aea396498141dc962fdd24002e9638df19c68a6e619cf9b0a55edfab0e640e9d2a422d51943601a73f1102b7435a39cc05492f63de7d1
-
Filesize: 30KB
MD5: cd8967fb093c71a77b9a897a63849350
SHA1: 397e0d1537e5b914376558c685b2c0f85b8c3639
SHA256: 6079f56daea065542154b86cd33c17bce62b6d961fb432bf5c334f8864067cd0
SHA512: 87c6a8c97e4ecf4dc8e14bf1b522b654449d821b5912be0138a8accc0b9e363f2e7569c0517afd688c1d46c11269979055c32d65d8c69a26051271d6b7533a02
-
C:\Users\Admin\AppData\Local\Temp\KMS_Suite\bin\Digital\OEM_Digital\$OEM$\$$\Setup\Scripts\SETUPCOMPLETE.bat
Filesize: 341B
MD5: d401c5effa22436e0382bdd71b145ed3
SHA1: b2632b7e74c21d9791d2a7202beab9fcb878c46b
SHA256: cb02f5670b0f7f13d87a4df29879d275c23adcdc15f3345dedbbe4ccc3ba0231
SHA512: 22b7d96c9022dfe114f2997866f2e5a23e135d6d61708483eb9342b90d1b521d45618ff8dfc821b9a08c1740fda54aedd1f95f54c1d80c882cbabb8fac8cd517
-
Filesize: 30KB
MD5: cd8967fb093c71a77b9a897a63849350
SHA1: 397e0d1537e5b914376558c685b2c0f85b8c3639
SHA256: 6079f56daea065542154b86cd33c17bce62b6d961fb432bf5c334f8864067cd0
SHA512: 87c6a8c97e4ecf4dc8e14bf1b522b654449d821b5912be0138a8accc0b9e363f2e7569c0517afd688c1d46c11269979055c32d65d8c69a26051271d6b7533a02
-
Filesize: 30KB
MD5: cd8967fb093c71a77b9a897a63849350
SHA1: 397e0d1537e5b914376558c685b2c0f85b8c3639
SHA256: 6079f56daea065542154b86cd33c17bce62b6d961fb432bf5c334f8864067cd0
SHA512: 87c6a8c97e4ecf4dc8e14bf1b522b654449d821b5912be0138a8accc0b9e363f2e7569c0517afd688c1d46c11269979055c32d65d8c69a26051271d6b7533a02
-
C:\Users\Admin\AppData\Local\Temp\KMS_Suite\bin\Digital\OEM_KMS38\$OEM$\$$\Setup\Scripts\SETUPCOMPLETE.bat
Filesize: 343B
MD5: 0d2e7f7d3632f02a4f5f605ee9750f56
SHA1: b17e185829d03518be196fb37d801dfd8cc3f6af
SHA256: eeb96f5030386b06c8b11101f3beb740f2932e3e755f5e0f9da11d56d1cec69c
SHA512: 4febee13af76e7f8adfbcb58470729d6b43870b5d94e8da28310c8546bd3c6eb6d769da2c0b07d61cd1ad16dc904dc75d48a80a394b029e09f79f02c19ebb10a
-
Filesize: 330KB
MD5: 15ce0753a16dd4f9b9f0f9926dd37c4e
SHA1: fabb5a0fc1e6a372219711152291339af36ed0b5
SHA256: 028c8fbe58f14753b946475de9f09a9c7a05fd62e81a1339614c9e138fc2a21d
SHA512: 4e5a6751f5f1f8499890e07a3b58c4040e43cf1329ab8f4a09201e1f247825e334e416717895f6e570842f3d2d6a137c77539c70545329c1ab3118bd83a38226
-
Filesize: 7KB
MD5: a3d60be84fb7fc1701f2518ad619bb19
SHA1: 4937e478f33a1430a72f17fab2a6220bf9fde413
SHA256: 653e61441d85cd74ba3fd4f50be204b47a32bce19a17451d87a2356bef87a321
SHA512: 43abbf267c8326ca955bb9085d49f9ab108512c9cc8025ebc8523cab307cc1877f990f3174ab7a0498c38591eb1eee7fb04be91129ac7f9ab8422e271ca3f5ce
-
Filesize: 16KB
MD5: 00c9837407663587c69df18793248d52
SHA1: db8c290e81aba4712febba5f43ef6fa3ec319f61
SHA256: 09933212238bc7d0cce57469f9927c0325d5670b21fc7787428574c4a52e5f6d
SHA512: 2035a69398202385c327cf1970565855852275807e587f4b804e3c475b0a259a27052f14d791dfc5967d5e3114266b971670a78160832d8d46304b573d31b304
-
Filesize: 189B
MD5: c2206c9c9b0c97f7c5db4f473e96e9a3
SHA1: 77b32538358d64aff6d7e083bba358f0fe7b2789
SHA256: f1cec878cd1db36ca4ccb68296cd47ce039054e2ece4cd22d9933b90c8625c1f
SHA512: 67c8d84c4a58aa6dcfcd1271b206c0ac36d1f05db3701d0f003357746daaf6d3328fd7002cc1e6c2d2f3d0388c519669ec94e2bd0d817589decc6ac04c5f444a
-
Filesize: 983B
MD5: d98118ac31e94e4d5f2a3baab1e4c777
SHA1: b5649576144d09fbb04bd616a9a1a78db1bad29b
SHA256: 7c85f1b5724fa3fd960e3c2892b15546a007d70ad3cc57fd537399e1ce369de5
SHA512: b62dd33fa2dd791f3ad11c41528dae15ff51efedffa769245fe5ee8498dfcba4e5d4c90a117c2cb4b89269c868261206ec44d192a42dae723c51084fc5a3b031
-
Filesize: 140KB
MD5: 27edcd6267f4c58c35db91cbbf934929
SHA1: 297b1cd2a4833cb24cd5758fc2b73939a1111080
SHA256: eec4ab779b67dd195bb474e8b4c45a5859ae5129ae916b5d9dd4d46f46206430
SHA512: a068a29cce8a63eb540c964ecce95248231f3a556b11196403191d317df3f344d0de9982eabc376794314bc4f7ba1394a629ccfd88a52916c2fd3df333000e3c
-
Filesize: 140KB
MD5: d054f26c2659bdec0ccf6df418023d6e
SHA1: e98dac9b0a7801475d6e7f76269f463613a61a10
SHA256: 4534138dbfa7b55f674612f8fb2c7caf727260e382611d1f5f6f90504d05955e
SHA512: e8e9cccead23a7eb655409fd8949f76a5660f071da360af20006622ab87baabf89172a2832e7b0dd6278a5907dc66a80c23dbe744c2a7e4325c10eab4c7ab6ed
-
Filesize: 21KB
MD5: 886b4a107a2ede49c4c8a5bcba94f20f
SHA1: b5256ddc2b5fb8bd8d0272679043e03a0936d8a3
SHA256: 24bf5b777254334c384e02ced455d21470163569d33ffebad36e54f6afd5059c
SHA512: 28aa34d2dc065b14912d4813246fdd963a47e8c4a7d0134d22e63f80d9bff45cea150b8d4dc2d3ced9a8f337ec513e8214dba04c09130b24631cd48d9eb8f28d
-
Filesize: 3KB
MD5: 672791216f102bdb76fb550adb0ea923
SHA1: e5fa7406143f7bb9aa28de777e62465ae55975bb
SHA256: 0cb32bea8fc9ef6150e071049497b51750b8f4cb13cf83adac1f1357560f751a
SHA512: 9801da8df68dad6f40e63c02b481463cb1b59e2d57f183b17e7168cbb96eafb95c98c226e196ba379b6cbde6bce911cecd8511ac40af76f5b35f705866f824b2
-
Filesize: 19KB
MD5: 162ab955cb2f002a73c1530aa796477f
SHA1: d30a0e4e5911d3ca705617d17225372731c770e2
SHA256: 5ce462e5f34065fc878362ba58617fab28c22d631b9d836dddcf43fb1ad4de6e
SHA512: e0288dcf78092449d9cbaef4488041131925387c1aedc9e9512da0f66efe2fb68350ca3937f6715834e62e7c931c5dad0fc8bc3c6c0c3daedeff356d6feaac2e
-
Filesize: 17KB
MD5: 5fd363d52d04ac200cd24f3bcc903200
SHA1: 39ed8659e7ca16aaccb86def94ce6cec4c847dd6
SHA256: 3fdefe2ad092a9a7fe0edf0ac4dc2de7e5b9ce6a0804f6511c06564194966cf9
SHA512: f8ea73b0cb0a90fac6032a54028c60119022173334e68db3fbd63fe173032dd3fc3b438678064edb8c63d4eceaa72990ce039819df3d547d7d7627ad2eee36b3
-
Filesize: 20KB
MD5: a8f669ab8fad00bd193a82b8f62e7660
SHA1: 1925f6f7b904d0289da8cdc55e84875f7739b0b1
SHA256: bcde6b7bbafa2b4eeb6c75f051b5949d27b49b4030e376a7838ba84e4e103daf
SHA512: 1adaa8aaa55c7cf3d36435646aa8312cd62511edaa54f31160ef6ba4e8364f0a6cb9c0d9b96f796d777d0448b3a3fc8ae28ee213456c66dfeef046b40d57b897
-
Filesize: 16KB
MD5: fee7e8f5472041f6b2c0e5d8f8d0da45
SHA1: 063eeee055d4646e91e15ac6a785bd9c7bcaa10b
SHA256: c43ccfcc2f7ab3e2d229da6b1fb9715cc707991835108518cb0aa9a667ea15cc
SHA512: c535d5a68b99e9a8ea5b937d382a2827b99b37edaf55bd6af4e6196242575a4102ff2f14297ae6be875477df5a7f9997f3c3d00821fe8ea94d5bef08a157f8b4
-
Filesize: 72KB
MD5: 0a847eafddc4529388e1a1b291354cf8
SHA1: adddd1b79c64c7c1d0d440df847be31ee94e664d
SHA256: 69533d9b66b840b4764f901cd6a502d12453b604617a841f4c2c602fc87df255
SHA512: 7b3ddb5be55367fc5fcfaa99f9a3b7f0888234c82146f3af6b012ff1feacf8b087cf53cce3e57492417a8e88657a045d948fedc07645e5a018604c158bd15710
-
Filesize: 1KB
MD5: 8ccdbbb3f892bb730a7b740ada760f6d
SHA1: 56c9582479d324f8d771b7aeb0ee890e60fc1528
SHA256: 4158cf26b995ceead26ef9af620ba47c64744e1e869a134cdcd0e658dbeac879
SHA512: 7797422cd0c2706a7b1289b8e592a5cea9230a1d2f6b92803a565a9327673dbdff086ea9c942a2044e72a5cc0e856a948e45fe03b7127b3869fffc57f195cd1f
-
Filesize: 49B
MD5: 5aeaaf4251868f60bd501537f420b250
SHA1: 496e307cf2fc2cfcb5a2b2ffaca248bfaf8ab397
SHA256: 89b9f260617884ef2870d0c61efd6fd452a5698defe0c2f521fd1b6371abab06
SHA512: 79c8782dd3e5cd91639ba86f8f0a3151e1eba3bc533da3d2efecd9704a48f338f30b749f71f1a9b5298991d586ead96c652e0f116fcfa720d58a05ea5edbe7fb
-
Filesize: 3KB
MD5: 4b49f075a01e6060c2f09edfaeee4293
SHA1: c0e259995ee2a5b7fd20b5b3a5d5794eba2a4488
SHA256: 5b2da36cd252ba8bd723dd3dbc1dd8df29f86b793f1e750d454c5f17f9045abf
SHA512: af1b830d6c6940f6fbf343c56c73f1d4e0178368715794038c3c529a51b2918d75b463cd0853cb671b676f2c2ea400b4673139801ad49142d63aeb3e66431442
-
Filesize: 21KB
MD5: 886b4a107a2ede49c4c8a5bcba94f20f
SHA1: b5256ddc2b5fb8bd8d0272679043e03a0936d8a3
SHA256: 24bf5b777254334c384e02ced455d21470163569d33ffebad36e54f6afd5059c
SHA512: 28aa34d2dc065b14912d4813246fdd963a47e8c4a7d0134d22e63f80d9bff45cea150b8d4dc2d3ced9a8f337ec513e8214dba04c09130b24631cd48d9eb8f28d
-
Filesize: 3KB
MD5: 672791216f102bdb76fb550adb0ea923
SHA1: e5fa7406143f7bb9aa28de777e62465ae55975bb
SHA256: 0cb32bea8fc9ef6150e071049497b51750b8f4cb13cf83adac1f1357560f751a
SHA512: 9801da8df68dad6f40e63c02b481463cb1b59e2d57f183b17e7168cbb96eafb95c98c226e196ba379b6cbde6bce911cecd8511ac40af76f5b35f705866f824b2
-
Filesize: 19KB
MD5: 162ab955cb2f002a73c1530aa796477f
SHA1: d30a0e4e5911d3ca705617d17225372731c770e2
SHA256: 5ce462e5f34065fc878362ba58617fab28c22d631b9d836dddcf43fb1ad4de6e
SHA512: e0288dcf78092449d9cbaef4488041131925387c1aedc9e9512da0f66efe2fb68350ca3937f6715834e62e7c931c5dad0fc8bc3c6c0c3daedeff356d6feaac2e
-
Filesize: 17KB
MD5: 5fd363d52d04ac200cd24f3bcc903200
SHA1: 39ed8659e7ca16aaccb86def94ce6cec4c847dd6
SHA256: 3fdefe2ad092a9a7fe0edf0ac4dc2de7e5b9ce6a0804f6511c06564194966cf9
SHA512: f8ea73b0cb0a90fac6032a54028c60119022173334e68db3fbd63fe173032dd3fc3b438678064edb8c63d4eceaa72990ce039819df3d547d7d7627ad2eee36b3
-
Filesize: 20KB
MD5: a8f669ab8fad00bd193a82b8f62e7660
SHA1: 1925f6f7b904d0289da8cdc55e84875f7739b0b1
SHA256: bcde6b7bbafa2b4eeb6c75f051b5949d27b49b4030e376a7838ba84e4e103daf
SHA512: 1adaa8aaa55c7cf3d36435646aa8312cd62511edaa54f31160ef6ba4e8364f0a6cb9c0d9b96f796d777d0448b3a3fc8ae28ee213456c66dfeef046b40d57b897
-
Filesize: 16KB
MD5: fee7e8f5472041f6b2c0e5d8f8d0da45
SHA1: 063eeee055d4646e91e15ac6a785bd9c7bcaa10b
SHA256: c43ccfcc2f7ab3e2d229da6b1fb9715cc707991835108518cb0aa9a667ea15cc
SHA512: c535d5a68b99e9a8ea5b937d382a2827b99b37edaf55bd6af4e6196242575a4102ff2f14297ae6be875477df5a7f9997f3c3d00821fe8ea94d5bef08a157f8b4
-
Filesize: 652B
MD5: 6c3d1b1d250bc0a50f0dc45783056949
SHA1: 1f9996535b14f35d3ac9d156db05ae3c703d8ee5
SHA256: 5838e152e8bcd3b2b027c3686c44214793c4631147f98d2b59261903089e15cd
SHA512: 5c720ef44acf973625a6ec58aaf0f4e5f298893a5d78870a8b3bea5398cc4bb1aee334f33337e29d58a44d79782e99dabf8c583005dfe2ae0e2be32ea807b1b4
-
Filesize: 521B
MD5: 047f0cf592670e8fca358f12e4cd5a89
SHA1: 0cd8cdde668e7e64adb49e388e75e1136429e5f6
SHA256: 32e77d9085ad9ea0fd1eb5a9556e29cb42f5d3016ccf9853f3c39d358f479978
SHA512: 368b22e424520c272195d3264123fceb2dba549574ff7282c210ffb6d9e8f574b7392f199304f2adef974d4d926fbccb1ce50fbd8ad4e89f05cec58635357cc8
-
Filesize: 369B
MD5: 08ec660302dae4a0d4ad9eb1c2f8df7a
SHA1: c67301afc4a880145dcca857341ae5fdb973f228
SHA256: 91da278b70ce8a6e9f2f520b8da787cfc3c9ba84a9c7da17c42cef8f8c7334ca
SHA512: 3d6790acae62c0215b7f6a3a39e20ef87eab4e158ac412a393abaad0206656f180704cba8b922733a5a4cf85dc533660c1243646c0470dcd845f5b1f91f55662