e44229e925d7bcb00773fba75910ea74f5470627a68431f157b24413faae94c5

Analysis

max time kernel
282s
max time network
285s
platform
windows10-1703_x64
resource
win10-20220812-es
resource tags

arch:x64arch:x86image:win10-20220812-eslocale:es-esos:windows10-1703-x64systemwindows
submitted
31/12/2022, 22:56

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

MAS_1.4_AIO_CRC32_9A7B5B05.cmd
Size

2.3MB
MD5

35f17dcf189ff654276cbd3777c474c5
SHA1

d0106953bb6026d874ca5f09fdec59e57b483b36
SHA256

e44229e925d7bcb00773fba75910ea74f5470627a68431f157b24413faae94c5
SHA512

dfcccbe815da154d9059bed85dc1740b360a8196f7005e61655d0677e1341d930d60ed24f347dd65fbf97c0baca305303d75edd76be421d126db2ead3b6ba8aa
SSDEEP

49152:g+ay1I0JxlXsyZ6tmDbR56nAfl5P/r/SI:rp/eyZ6tmDlTfbX

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 2 IoCs

flow	pid	Process
4	4404	powershell.exe
10	1332	powershell.exe

Executes dropped EXE 1 IoCs

pid	Process
3832	cleanosppx64.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Logs\DPX\setupact.log	expand.exe
File opened for modification	C:\Windows\Logs\DPX\setuperr.log	expand.exe
File created	C:\Windows\INF\netsstpa.PNF	svchost.exe
File created	C:\Windows\INF\netrasa.PNF	svchost.exe

Launches sc.exe 8 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
4892	sc.exe
3044	sc.exe
4460	sc.exe
3352	sc.exe
2216	sc.exe
748	sc.exe
3340	sc.exe
3360	sc.exe

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{3b2ce006-5e61-4fde-bab8-9b8aac9b26df}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0064	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0055	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2006	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{3b2ce006-5e61-4fde-bab8-9b8aac9b26df}\0008	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\DeviceDesc	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0034	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0051	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2006	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0054	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Mfg	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Mfg	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0052	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\CompatibleIDs	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0065	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0052	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Mfg	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0003	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\300A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2006	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008\	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0058	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004D	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0018	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{4340a6c5-93fa-4706-972c-7b648008a5a7}\0008	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A\	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A\	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004E	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004D	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0009	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\ConfigFlags	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008\	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0058	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Mfg	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2003	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\CompatibleIDs	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\300A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A\	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\000A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0003	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0003	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Capabilities	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0055	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0018	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0018	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004C	svchost.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	Integrator.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	Integrator.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Integrator.exe

Delays execution with timeout.exe 6 IoCs

evasion

pid	Process
2724	timeout.exe
1900	timeout.exe
2840	timeout.exe
4792	timeout.exe
4624	timeout.exe
3328	timeout.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	Integrator.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	Integrator.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	Integrator.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\OnDemandInterfaceCache	svchost.exe

Modifies registry key 1 TTPs 26 IoCs

Modify Registry

T1112

pid	Process
3212	reg.exe
816	reg.exe
3340	reg.exe
2216	reg.exe
2208	reg.exe
2372	reg.exe
4448	reg.exe
208	reg.exe
2240	reg.exe
4452	reg.exe
3456	reg.exe
1312	reg.exe
1600	reg.exe
3332	reg.exe
1636	reg.exe
1356	reg.exe
1492	reg.exe
4292	reg.exe
4116	reg.exe
1996	reg.exe
3580	reg.exe
796	reg.exe
1332	reg.exe
2960	reg.exe
4788	reg.exe
4312	reg.exe

Opens file in notepad (likely ransom note) 5 IoCs

ransomware

pid	Process
1896	notepad.exe
2412	notepad.exe
1680	notepad.exe
1808	notepad.exe
3384	notepad.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 36 IoCs

pid	Process
5104	powershell.exe
5104	powershell.exe
5104	powershell.exe
3520	powershell.exe
3520	powershell.exe
3520	powershell.exe
2656	powershell.exe
2656	powershell.exe
2656	powershell.exe
4560	powershell.exe
4560	powershell.exe
4560	powershell.exe
4404	powershell.exe
4404	powershell.exe
4404	powershell.exe
1332	powershell.exe
1332	powershell.exe
1332	powershell.exe
4276	powershell.exe
4276	powershell.exe
4276	powershell.exe
584	powershell.exe
584	powershell.exe
584	powershell.exe
212	powershell.exe
212	powershell.exe
212	powershell.exe
2224	powershell.exe
2224	powershell.exe
2224	powershell.exe
1760	powershell.exe
1760	powershell.exe
1760	powershell.exe
1284	powershell.exe
1284	powershell.exe
1284	powershell.exe

Suspicious behavior: LoadsDriver 6 IoCs

pid	Process
4	Process not Found
4	Process not Found
4	Process not Found
4	Process not Found
4	Process not Found
628	Process not Found

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	5104	powershell.exe
Token: SeDebugPrivilege	3520	powershell.exe
Token: SeDebugPrivilege	2656	powershell.exe
Token: SeDebugPrivilege	4560	powershell.exe
Token: SeDebugPrivilege	4404	powershell.exe
Token: SeDebugPrivilege	1332	powershell.exe
Token: SeIncreaseQuotaPrivilege	2100	WMIC.exe
Token: SeSecurityPrivilege	2100	WMIC.exe
Token: SeTakeOwnershipPrivilege	2100	WMIC.exe
Token: SeLoadDriverPrivilege	2100	WMIC.exe
Token: SeSystemProfilePrivilege	2100	WMIC.exe
Token: SeSystemtimePrivilege	2100	WMIC.exe
Token: SeProfSingleProcessPrivilege	2100	WMIC.exe
Token: SeIncBasePriorityPrivilege	2100	WMIC.exe
Token: SeCreatePagefilePrivilege	2100	WMIC.exe
Token: SeBackupPrivilege	2100	WMIC.exe
Token: SeRestorePrivilege	2100	WMIC.exe
Token: SeShutdownPrivilege	2100	WMIC.exe
Token: SeDebugPrivilege	2100	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2100	WMIC.exe
Token: SeRemoteShutdownPrivilege	2100	WMIC.exe
Token: SeUndockPrivilege	2100	WMIC.exe
Token: SeManageVolumePrivilege	2100	WMIC.exe
Token: 33	2100	WMIC.exe
Token: 34	2100	WMIC.exe
Token: 35	2100	WMIC.exe
Token: 36	2100	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2100	WMIC.exe
Token: SeSecurityPrivilege	2100	WMIC.exe
Token: SeTakeOwnershipPrivilege	2100	WMIC.exe
Token: SeLoadDriverPrivilege	2100	WMIC.exe
Token: SeSystemProfilePrivilege	2100	WMIC.exe
Token: SeSystemtimePrivilege	2100	WMIC.exe
Token: SeProfSingleProcessPrivilege	2100	WMIC.exe
Token: SeIncBasePriorityPrivilege	2100	WMIC.exe
Token: SeCreatePagefilePrivilege	2100	WMIC.exe
Token: SeBackupPrivilege	2100	WMIC.exe
Token: SeRestorePrivilege	2100	WMIC.exe
Token: SeShutdownPrivilege	2100	WMIC.exe
Token: SeDebugPrivilege	2100	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2100	WMIC.exe
Token: SeRemoteShutdownPrivilege	2100	WMIC.exe
Token: SeUndockPrivilege	2100	WMIC.exe
Token: SeManageVolumePrivilege	2100	WMIC.exe
Token: 33	2100	WMIC.exe
Token: 34	2100	WMIC.exe
Token: 35	2100	WMIC.exe
Token: 36	2100	WMIC.exe
Token: SeIncreaseQuotaPrivilege	512	WMIC.exe
Token: SeSecurityPrivilege	512	WMIC.exe
Token: SeTakeOwnershipPrivilege	512	WMIC.exe
Token: SeLoadDriverPrivilege	512	WMIC.exe
Token: SeSystemProfilePrivilege	512	WMIC.exe
Token: SeSystemtimePrivilege	512	WMIC.exe
Token: SeProfSingleProcessPrivilege	512	WMIC.exe
Token: SeIncBasePriorityPrivilege	512	WMIC.exe
Token: SeCreatePagefilePrivilege	512	WMIC.exe
Token: SeBackupPrivilege	512	WMIC.exe
Token: SeRestorePrivilege	512	WMIC.exe
Token: SeShutdownPrivilege	512	WMIC.exe
Token: SeDebugPrivilege	512	WMIC.exe
Token: SeSystemEnvironmentPrivilege	512	WMIC.exe
Token: SeRemoteShutdownPrivilege	512	WMIC.exe
Token: SeUndockPrivilege	512	WMIC.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
512	Integrator.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4676 wrote to memory of 4396	4676	cmd.exe	68
PID 4676 wrote to memory of 4396	4676	cmd.exe	68
PID 4676 wrote to memory of 3404	4676	cmd.exe	69
PID 4676 wrote to memory of 3404	4676	cmd.exe	69
PID 4676 wrote to memory of 3396	4676	cmd.exe	70
PID 4676 wrote to memory of 3396	4676	cmd.exe	70
PID 4676 wrote to memory of 4728	4676	cmd.exe	71
PID 4676 wrote to memory of 4728	4676	cmd.exe	71
PID 4676 wrote to memory of 4732	4676	cmd.exe	72
PID 4676 wrote to memory of 4732	4676	cmd.exe	72
PID 4676 wrote to memory of 4752	4676	cmd.exe	73
PID 4676 wrote to memory of 4752	4676	cmd.exe	73
PID 4676 wrote to memory of 1760	4676	cmd.exe	74
PID 4676 wrote to memory of 1760	4676	cmd.exe	74
PID 4676 wrote to memory of 3796	4676	cmd.exe	75
PID 4676 wrote to memory of 3796	4676	cmd.exe	75
PID 4676 wrote to memory of 5000	4676	cmd.exe	76
PID 4676 wrote to memory of 5000	4676	cmd.exe	76
PID 4676 wrote to memory of 5080	4676	cmd.exe	77
PID 4676 wrote to memory of 5080	4676	cmd.exe	77
PID 4676 wrote to memory of 5104	4676	cmd.exe	78
PID 4676 wrote to memory of 5104	4676	cmd.exe	78
PID 5104 wrote to memory of 1340	5104	powershell.exe	79
PID 5104 wrote to memory of 1340	5104	powershell.exe	79
PID 1340 wrote to memory of 4208	1340	csc.exe	80
PID 1340 wrote to memory of 4208	1340	csc.exe	80
PID 5104 wrote to memory of 4100	5104	powershell.exe	81
PID 5104 wrote to memory of 4100	5104	powershell.exe	81
PID 4676 wrote to memory of 3520	4676	cmd.exe	82
PID 4676 wrote to memory of 3520	4676	cmd.exe	82
PID 4676 wrote to memory of 4848	4676	cmd.exe	83
PID 4676 wrote to memory of 4848	4676	cmd.exe	83
PID 4848 wrote to memory of 4968	4848	cmd.exe	84
PID 4848 wrote to memory of 4968	4848	cmd.exe	84
PID 4848 wrote to memory of 5044	4848	cmd.exe	85
PID 4848 wrote to memory of 5044	4848	cmd.exe	85
PID 4848 wrote to memory of 3388	4848	cmd.exe	86
PID 4848 wrote to memory of 3388	4848	cmd.exe	86
PID 4848 wrote to memory of 2656	4848	cmd.exe	87
PID 4848 wrote to memory of 2656	4848	cmd.exe	87
PID 4848 wrote to memory of 700	4848	cmd.exe	88
PID 4848 wrote to memory of 700	4848	cmd.exe	88
PID 700 wrote to memory of 3200	700	cmd.exe	89
PID 700 wrote to memory of 3200	700	cmd.exe	89
PID 4848 wrote to memory of 4560	4848	cmd.exe	90
PID 4848 wrote to memory of 4560	4848	cmd.exe	90
PID 4848 wrote to memory of 4404	4848	cmd.exe	91
PID 4848 wrote to memory of 4404	4848	cmd.exe	91
PID 4848 wrote to memory of 4432	4848	cmd.exe	92
PID 4848 wrote to memory of 4432	4848	cmd.exe	92
PID 4848 wrote to memory of 1332	4848	cmd.exe	93
PID 4848 wrote to memory of 1332	4848	cmd.exe	93
PID 4848 wrote to memory of 400	4848	cmd.exe	94
PID 4848 wrote to memory of 400	4848	cmd.exe	94
PID 4848 wrote to memory of 2112	4848	cmd.exe	95
PID 4848 wrote to memory of 2112	4848	cmd.exe	95
PID 4848 wrote to memory of 3328	4848	cmd.exe	96
PID 4848 wrote to memory of 3328	4848	cmd.exe	96
PID 4848 wrote to memory of 3352	4848	cmd.exe	97
PID 4848 wrote to memory of 3352	4848	cmd.exe	97
PID 4848 wrote to memory of 3316	4848	cmd.exe	98
PID 4848 wrote to memory of 3316	4848	cmd.exe	98
PID 4848 wrote to memory of 212	4848	cmd.exe	99
PID 4848 wrote to memory of 212	4848	cmd.exe	99

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\MAS_1.4_AIO_CRC32_9A7B5B05.cmd"
1⤵
- Suspicious use of WriteProcessMemory
PID:4676
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ver
  2⤵
  PID:4396
- C:\Windows\system32\reg.exe
  reg query HKU\S-1-5-19
  2⤵
  PID:3404
- C:\Windows\system32\mode.com
  mode con cols=98 lines=30
  2⤵
  PID:3396
- C:\Windows\system32\choice.exe
  choice /C:123456789 /N /M "> Enter Your Choice in the Keyboard [1,2,3,4,5,6,7,8,9] : "
  2⤵
  PID:4728
- C:\Windows\system32\mode.com
  mode con cols=98 lines=32
  2⤵
  PID:4732
- C:\Windows\system32\choice.exe
  choice /C:1234567890 /N /M ". Enter Your Choice [1,2,3,4,5,6,7,8,9,0] : "
  2⤵
  PID:4752
- C:\Windows\system32\mode.com
  mode con cols=98 lines=30
  2⤵
  PID:1760
- C:\Windows\system32\choice.exe
  choice /C:123456789 /N /M "> Enter Your Choice in the Keyboard [1,2,3,4,5,6,7,8,9] : "
  2⤵
  PID:3796
- C:\Windows\system32\mode.com
  mode con cols=98 lines=30
  2⤵
  PID:5000
- C:\Windows\system32\choice.exe
  choice /C:1234 /N /M "> Enter Your Choice [1,2,3,4] : "
  2⤵
  PID:5080
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell "$f=[io.file]::ReadAllText('C:\Users\Admin\AppData\Local\Temp\MAS_1.4_AIO_CRC32_9A7B5B05.cmd') -split ':cleanospp\:.*';iex ($f[1]);X 1;"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:5104
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\chrvc3ef\chrvc3ef.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1340
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE4D7.tmp" "c:\Users\Admin\AppData\Local\Temp\chrvc3ef\CSC1C61C69C8D240DB8754AA36F0EABB52.TMP"
      4⤵
      PID:4208
- - C:\Windows\system32\expand.exe
    "C:\Windows\system32\expand.exe" -R 1._ -F:* .
    3⤵
    - Drops file in Windows directory
    PID:4100
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell "$f=[io.file]::ReadAllText('C:\Users\Admin\AppData\Local\Temp\MAS_1.4_AIO_CRC32_9A7B5B05.cmd') -split \":KMStxt\:.*`r`n\"; [io.file]::WriteAllText('C:\Windows\Temp\_MAS\Activate.cmd',$f[1].Trim(),[System.Text.Encoding]::ASCII);"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3520
- C:\Windows\system32\cmd.exe
  cmd /c "C:\Windows\Temp\_MAS\Activate.cmd"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4848
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ver
    3⤵
    PID:4968
- - C:\Windows\system32\reg.exe
    reg query HKU\S-1-5-19
    3⤵
    PID:5044
- - C:\Windows\system32\mode.com
    mode con: cols=98 lines=30
    3⤵
    PID:3388
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell "&{$H=get-host;$W=$H.ui.rawui;$B=$W.buffersize;$B.height=150;$W.buffersize=$B;}"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2656
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /v Desktop
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:700
  - - C:\Windows\System32\reg.exe
      reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /v Desktop
      4⤵
      PID:3200
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell "If([Activator]::CreateInstance([Type]::GetTypeFromCLSID([Guid]'{DCB00C01-570F-4A9B-8D69-199FDBA5723B}')).IsConnectedToInternet){Exit 0}Else{Exit 1}"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4560
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell "$t = New-Object Net.Sockets.TcpClient;try{$t.Connect("""kms.loli.beer""", 1688)}catch{};$t.Connected"
    3⤵
    - Blocklisted process makes network request
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4404
- - C:\Windows\System32\findstr.exe
    findstr /i true
    3⤵
    PID:4432
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell "$t = New-Object Net.Sockets.TcpClient;try{$t.Connect("""kms8.MSGuides.com""", 1688)}catch{};$t.Connected"
    3⤵
    - Blocklisted process makes network request
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1332
- - C:\Windows\System32\findstr.exe
    findstr /i true
    3⤵
    PID:400
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ver
    3⤵
    PID:2112
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c dir /b /ad C:\Windows\System32\spp\tokens\skus
    3⤵
    PID:3328
- - C:\Windows\System32\sc.exe
    sc query osppsvc
    3⤵
    - Launches sc.exe
    PID:3352
- - C:\Windows\System32\reg.exe
    reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sppsvc.exe"
    3⤵
    PID:3316
- - C:\Windows\System32\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\CurrentVersion\Software Protection Platform" /f /v NoGenTicket /t REG_DWORD /d 1
    3⤵
    PID:212
- - C:\Windows\System32\sc.exe
    sc query sppsvc
    3⤵
    - Launches sc.exe
    PID:2216
- - C:\Windows\System32\find.exe
    find /i "STOPPED"
    3⤵
    PID:2320
- - C:\Windows\System32\net.exe
    net stop sppsvc /y
    3⤵
    PID:2240
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop sppsvc /y
      4⤵
      PID:1196
- - C:\Windows\System32\sc.exe
    sc query sppsvc
    3⤵
    - Launches sc.exe
    PID:748
- - C:\Windows\System32\find.exe
    find /i "STOPPED"
    3⤵
    PID:744
- - C:\Windows\System32\reg.exe
    reg add "HKLM\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform" /f /v KeyManagementServiceName /t REG_SZ /d kms8.MSGuides.com
    3⤵
    PID:2408
- - C:\Windows\System32\reg.exe
    reg add "HKLM\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform" /f /v KeyManagementServicePort /t REG_SZ /d 1688
    3⤵
    PID:3064
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c REG QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages" /f "Microsoft-Windows-*Edition~31bf3856ad364e35" /k 2>nul | FIND /I "CurrentVersion"
    3⤵
    PID:1596
  - - C:\Windows\System32\reg.exe
      REG QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages" /f "Microsoft-Windows-*Edition~31bf3856ad364e35" /k
      4⤵
      PID:2984
  - - C:\Windows\System32\find.exe
      FIND /I "CurrentVersion"
      4⤵
      PID:3828
- - C:\Windows\System32\reg.exe
    REG QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Microsoft-Windows-EducationEdition~31bf3856ad364e35~amd64~~10.0.15063.0" /v "CurrentState"
    3⤵
    PID:3848
- - C:\Windows\System32\find.exe
    FIND /I "0x70"
    3⤵
    PID:3560
- - C:\Windows\System32\reg.exe
    REG QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Microsoft-Windows-EnterpriseGEdition~31bf3856ad364e35~amd64~~10.0.15063.0" /v "CurrentState"
    3⤵
    PID:2828
- - C:\Windows\System32\find.exe
    FIND /I "0x70"
    3⤵
    PID:3832
- - C:\Windows\System32\reg.exe
    REG QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Microsoft-Windows-ProfessionalEdition~31bf3856ad364e35~amd64~~10.0.15063.0" /v "CurrentState"
    3⤵
    PID:4476
- - C:\Windows\System32\find.exe
    FIND /I "0x70"
    3⤵
    PID:4396
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ECHO Microsoft-Windows-ProfessionalEdition~31bf3856ad364e35~amd64~~10.0.15063.0
    3⤵
    PID:4724
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "WMIC PATH SoftwareLicensingProduct WHERE (ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f' AND PartialProductKey is not NULL) GET LicenseFamily /VALUE" 2>nul
    3⤵
    PID:3396
  - - C:\Windows\System32\Wbem\WMIC.exe
      WMIC PATH SoftwareLicensingProduct WHERE (ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f' AND PartialProductKey is not NULL) GET LicenseFamily /VALUE
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2100
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v ProductName 2>nul
    3⤵
    PID:2840
  - - C:\Windows\System32\reg.exe
      reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v ProductName
      4⤵
      PID:3796
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Professional"
    3⤵
    PID:5088
- - C:\Windows\System32\findstr.exe
    findstr /I /E Eval
    3⤵
    PID:5096
- - C:\Windows\System32\reg.exe
    reg query HKLM\SOFTWARE\Microsoft\Office\ClickToRun /v InstallPath
    3⤵
    - Modifies registry key
    PID:4292
- - C:\Windows\System32\reg.exe
    reg query HKLM\SOFTWARE\Microsoft\Office\ClickToRun\Configuration /v ProductReleaseIds
    3⤵
    - Modifies registry key
    PID:3456
- - C:\Windows\System32\reg.exe
    reg query HKLM\SOFTWARE\Microsoft\Office\15.0\ClickToRun /v InstallPath
    3⤵
    - Modifies registry key
    PID:2960
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg query HKLM\SOFTWARE\Microsoft\Office\14.0\Common\InstallRoot /v Path" 2>nul
    3⤵
    PID:3808
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SOFTWARE\Microsoft\Office\14.0\Common\InstallRoot /v Path
      4⤵
      Modifies registry key
      PID:4116
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg query HKLM\SOFTWARE\Wow6432Node\Microsoft\Office\14.0\Common\InstallRoot /v Path" 2>nul
    3⤵
    PID:4208
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SOFTWARE\Wow6432Node\Microsoft\Office\14.0\Common\InstallRoot /v Path
      4⤵
      Modifies registry key
      PID:1312
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg query HKLM\SOFTWARE\Microsoft\Office\15.0\Common\InstallRoot /v Path" 2>nul
    3⤵
    PID:4828
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SOFTWARE\Microsoft\Office\15.0\Common\InstallRoot /v Path
      4⤵
      Modifies registry key
      PID:1600
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg query HKLM\SOFTWARE\Wow6432Node\Microsoft\Office\15.0\Common\InstallRoot /v Path" 2>nul
    3⤵
    PID:4816
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SOFTWARE\Wow6432Node\Microsoft\Office\15.0\Common\InstallRoot /v Path
      4⤵
      Modifies registry key
      PID:4788
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg query HKLM\SOFTWARE\Microsoft\Office\16.0\Common\InstallRoot /v Path" 2>nul
    3⤵
    PID:2136
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SOFTWARE\Microsoft\Office\16.0\Common\InstallRoot /v Path
      4⤵
      Modifies registry key
      PID:4312
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg query HKLM\SOFTWARE\Wow6432Node\Microsoft\Office\16.0\Common\InstallRoot /v Path" 2>nul
    3⤵
    PID:996
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SOFTWARE\Wow6432Node\Microsoft\Office\16.0\Common\InstallRoot /v Path
      4⤵
      Modifies registry key
      PID:1996
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg query HKLM\SOFTWARE\Microsoft\Office\ClickToRun\Configuration /v ProductReleaseIds
    3⤵
    PID:3408
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SOFTWARE\Microsoft\Office\ClickToRun\Configuration /v ProductReleaseIds
      4⤵
      Modifies registry key
      PID:3580
- - C:\Windows\System32\findstr.exe
    findstr /I /C:"MondoVolume" "C:\Windows\Temp\c2rchk.txt"
    3⤵
    PID:3532
- - C:\Windows\System32\findstr.exe
    findstr /I /C:"ProPlusVolume" "C:\Windows\Temp\c2rchk.txt"
    3⤵
    PID:3964
- - C:\Windows\System32\findstr.exe
    findstr /I /C:"ProjectProVolume" "C:\Windows\Temp\c2rchk.txt"
    3⤵
    PID:3988
- - C:\Windows\System32\findstr.exe
    findstr /I /C:"VisioProVolume" "C:\Windows\Temp\c2rchk.txt"
    3⤵
    PID:3920
- - C:\Windows\System32\findstr.exe
    findstr /I /C:"StandardVolume" "C:\Windows\Temp\c2rchk.txt"
    3⤵
    PID:3552
- - C:\Windows\System32\findstr.exe
    findstr /I /C:"ProjectStdVolume" "C:\Windows\Temp\c2rchk.txt"
    3⤵
    PID:3656
- - C:\Windows\System32\findstr.exe
    findstr /I /C:"VisioStdVolume" "C:\Windows\Temp\c2rchk.txt"
    3⤵
    PID:3660
- - C:\Windows\System32\findstr.exe
    findstr /I /C:"AccessVolume" "C:\Windows\Temp\c2rchk.txt"
    3⤵
    PID:3520
- - C:\Windows\System32\findstr.exe
    findstr /I /C:"SkypeforBusinessVolume" "C:\Windows\Temp\c2rchk.txt"
    3⤵
    PID:3716
- - C:\Windows\System32\findstr.exe
    findstr /I /C:"OneNoteVolume" "C:\Windows\Temp\c2rchk.txt"
    3⤵
    PID:4352
- - C:\Windows\System32\findstr.exe
    findstr /I /C:"ExcelVolume" "C:\Windows\Temp\c2rchk.txt"
    3⤵
    PID:2328
- - C:\Windows\System32\findstr.exe
    findstr /I /C:"OutlookVolume" "C:\Windows\Temp\c2rchk.txt"
    3⤵
    PID:4000
- - C:\Windows\System32\findstr.exe
    findstr /I /C:"PowerPointVolume" "C:\Windows\Temp\c2rchk.txt"
    3⤵
    PID:3992
- - C:\Windows\System32\findstr.exe
    findstr /I /C:"PublisherVolume" "C:\Windows\Temp\c2rchk.txt"
    3⤵
    PID:3952
- - C:\Windows\System32\findstr.exe
    findstr /I /C:"WordVolume" "C:\Windows\Temp\c2rchk.txt"
    3⤵
    PID:1208
- - C:\Windows\System32\findstr.exe
    findstr /I /C:"ProjectProXVolume" "C:\Windows\Temp\c2rchk.txt"
    3⤵
    PID:4992
- - C:\Windows\System32\findstr.exe
    findstr /I /C:"ProjectStdXVolume" "C:\Windows\Temp\c2rchk.txt"
    3⤵
    PID:2288
- - C:\Windows\System32\findstr.exe
    findstr /I /C:"VisioProXVolume" "C:\Windows\Temp\c2rchk.txt"
    3⤵
    PID:4832
- - C:\Windows\System32\findstr.exe
    findstr /I /C:"VisioStdXVolume" "C:\Windows\Temp\c2rchk.txt"
    3⤵
    PID:4996
- - C:\Windows\System32\findstr.exe
    findstr /I /C:"MondoRetail" "C:\Windows\Temp\c2rchk.txt"
    3⤵
    PID:3944
- - C:\Windows\System32\findstr.exe
    findstr /I /C:"ProPlusRetail" "C:\Windows\Temp\c2rchk.txt"
    3⤵
    PID:3116
- - C:\Windows\System32\findstr.exe
    findstr /I /C:"ProjectProRetail" "C:\Windows\Temp\c2rchk.txt"
    3⤵
    PID:3184
- - C:\Windows\System32\findstr.exe
    findstr /I /C:"VisioProRetail" "C:\Windows\Temp\c2rchk.txt"
    3⤵
    PID:2716
- - C:\Windows\System32\findstr.exe
    findstr /I /C:"StandardRetail" "C:\Windows\Temp\c2rchk.txt"
    3⤵
    PID:3144
- - C:\Windows\System32\findstr.exe
    findstr /I /C:"VisioStdRetail" "C:\Windows\Temp\c2rchk.txt"
    3⤵
    PID:4616
- - C:\Windows\System32\findstr.exe
    findstr /I /C:"ProjectStdRetail" "C:\Windows\Temp\c2rchk.txt"
    3⤵
    PID:4260
- - C:\Windows\System32\findstr.exe
    findstr /I /C:"AccessRetail" "C:\Windows\Temp\c2rchk.txt"
    3⤵
    PID:4612
- - C:\Windows\System32\findstr.exe
    findstr /I /C:"SkypeforBusinessRetail" "C:\Windows\Temp\c2rchk.txt"
    3⤵
    PID:3792
- - C:\Windows\System32\findstr.exe
    findstr /I /C:"OneNoteRetail" "C:\Windows\Temp\c2rchk.txt"
    3⤵
    PID:4388
- - C:\Windows\System32\findstr.exe
    findstr /I /C:"ExcelRetail" "C:\Windows\Temp\c2rchk.txt"
    3⤵
    PID:4368
- - C:\Windows\System32\findstr.exe
    findstr /I /C:"OutlookRetail" "C:\Windows\Temp\c2rchk.txt"
    3⤵
    PID:4576
- - C:\Windows\System32\findstr.exe
    findstr /I /C:"PowerPointRetail" "C:\Windows\Temp\c2rchk.txt"
    3⤵
    PID:4540
- - C:\Windows\System32\findstr.exe
    findstr /I /C:"PublisherRetail" "C:\Windows\Temp\c2rchk.txt"
    3⤵
    PID:3204
- - C:\Windows\System32\findstr.exe
    findstr /I /C:"WordRetail" "C:\Windows\Temp\c2rchk.txt"
    3⤵
    PID:4560
- - C:\Windows\System32\findstr.exe
    findstr /I /C:"ProfessionalRetail" "C:\Windows\Temp\c2rchk.txt"
    3⤵
    PID:4424
- - C:\Windows\System32\findstr.exe
    findstr /I /C:"HomeBusinessRetail" "C:\Windows\Temp\c2rchk.txt"
    3⤵
    PID:4624
- - C:\Windows\System32\findstr.exe
    findstr /I /C:"HomeStudentRetail" "C:\Windows\Temp\c2rchk.txt"
    3⤵
    PID:3172
- - C:\Windows\System32\findstr.exe
    findstr /I /C:"O365BusinessRetail" "C:\Windows\Temp\c2rchk.txt"
    3⤵
    PID:1132
- - C:\Windows\System32\findstr.exe
    findstr /I /C:"O365SmallBusPremRetail" "C:\Windows\Temp\c2rchk.txt"
    3⤵
    PID:1076
- - C:\Windows\System32\findstr.exe
    findstr /I /C:"O365HomePremRetail" "C:\Windows\Temp\c2rchk.txt"
    3⤵
    PID:1192
- - C:\Windows\System32\findstr.exe
    findstr /I /C:"O365EduCloudRetail" "C:\Windows\Temp\c2rchk.txt"
    3⤵
    PID:1356
- - C:\Windows\System32\reg.exe
    reg query HKLM\SOFTWARE\Microsoft\Office\ClickToRun\Configuration /v ProductReleaseIds
    3⤵
    - Modifies registry key
    PID:4448
- - C:\Windows\System32\findstr.exe
    findstr 2019
    3⤵
    PID:4452
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path SoftwareLicensingProduct where (Description like '%KMSCLIENT%' AND NOT Name like '%MondoR_KMS_Automation%') get Name
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:512
- - C:\Windows\System32\find.exe
    find /i "Office 19" "C:\Windows\Temp\sppchk.txt"
    3⤵
    PID:4408
- - C:\Windows\System32\find.exe
    find /i "Office 16" "C:\Windows\Temp\sppchk.txt"
    3⤵
    PID:1204
- - C:\Windows\System32\find.exe
    find /i "Office 15" "C:\Windows\Temp\sppchk.txt"
    3⤵
    PID:580
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path SoftwareLicensingProduct where (ApplicationID='0ff1ce15-a989-479d-af46-f275c6370663' AND NOT Name like '%O365%') get Name
    3⤵
    PID:4592
- - C:\Windows\System32\find.exe
    find /i "R_Retail" "C:\Windows\Temp\sppchk.txt"
    3⤵
    PID:2184
- - C:\Windows\System32\find.exe
    find /i "Office 19"
    3⤵
    PID:364
- - C:\Windows\System32\find.exe
    find /i "R_Retail" "C:\Windows\Temp\sppchk.txt"
    3⤵
    PID:1896
- - C:\Windows\System32\find.exe
    find /i "Office 16"
    3⤵
    PID:4372
- - C:\Windows\System32\find.exe
    find /i "R_Retail" "C:\Windows\Temp\sppchk.txt"
    3⤵
    PID:916
- - C:\Windows\System32\find.exe
    find /i "Office 15"
    3⤵
    PID:1344
- - C:\Windows\System32\sc.exe
    sc query ClickToRunSvc
    3⤵
    - Launches sc.exe
    PID:3340
- - C:\Windows\System32\sc.exe
    sc query OfficeSvc
    3⤵
    - Launches sc.exe
    PID:3360
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg query HKLM\SOFTWARE\Microsoft\Office\ClickToRun /v InstallPath" 2>nul
    3⤵
    PID:3324
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SOFTWARE\Microsoft\Office\ClickToRun /v InstallPath
      4⤵
      Modifies registry key
      PID:3332
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg query HKLM\SOFTWARE\Microsoft\Office\15.0\ClickToRun /v InstallPath" 2>nul
    3⤵
    PID:3316
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SOFTWARE\Microsoft\Office\15.0\ClickToRun /v InstallPath
      4⤵
      Modifies registry key
      PID:208
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg query HKLM\SOFTWARE\Microsoft\Office\ClickToRun /v InstallPath" 2>nul
    3⤵
    PID:188
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SOFTWARE\Microsoft\Office\ClickToRun /v InstallPath
      4⤵
      Modifies registry key
      PID:2216
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg query HKLM\SOFTWARE\Microsoft\Office\ClickToRun /v PackageGUID" 2>nul
    3⤵
    PID:2320
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SOFTWARE\Microsoft\Office\ClickToRun /v PackageGUID
      4⤵
      Modifies registry key
      PID:2208
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg query HKLM\SOFTWARE\Microsoft\Office\ClickToRun\Configuration /v ProductReleaseIds" 2>nul
    3⤵
    PID:984
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SOFTWARE\Microsoft\Office\ClickToRun\Configuration /v ProductReleaseIds
      4⤵
      Modifies registry key
      PID:2372
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg query HKLM\SOFTWARE\Microsoft\Office\ClickToRun\ProductReleaseIDs /v ActiveConfiguration" 2>nul
    3⤵
    PID:1352
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SOFTWARE\Microsoft\Office\ClickToRun\ProductReleaseIDs /v ActiveConfiguration
      4⤵
      Modifies registry key
      PID:2240
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg query HKLM\SOFTWARE\Microsoft\Office\15.0\Common\InstallRoot /v Path" 2>nul
    3⤵
    PID:748
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SOFTWARE\Microsoft\Office\15.0\Common\InstallRoot /v Path
      4⤵
      Modifies registry key
      PID:796
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg query HKLM\SOFTWARE\Wow6432Node\Microsoft\Office\15.0\Common\InstallRoot /v Path" 2>nul
    3⤵
    PID:2512
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SOFTWARE\Wow6432Node\Microsoft\Office\15.0\Common\InstallRoot /v Path
      4⤵
      Modifies registry key
      PID:1636
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path SoftwareLicensingService get version /value" 2>nul
    3⤵
    PID:2408
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path SoftwareLicensingService get version /value
      4⤵
      PID:2980
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path SoftwareLicensingProduct where "ApplicationID='0ff1ce15-a989-479d-af46-f275c6370663' AND LicenseStatus='1' AND PartialProductKey<>NULL" get Description
    3⤵
    PID:3568
- - C:\Windows\System32\findstr.exe
    findstr /V /R "^$"
    3⤵
    PID:2988
- - C:\Windows\System32\find.exe
    find /i "RETAIL channel" "C:\Windows\Temp\crvRetail.txt"
    3⤵
    PID:3848
- - C:\Windows\System32\find.exe
    find /i "RETAIL(MAK) channel" "C:\Windows\Temp\crvRetail.txt"
    3⤵
    PID:2732
- - C:\Windows\System32\find.exe
    find /i "TIMEBASED_SUB channel" "C:\Windows\Temp\crvRetail.txt"
    3⤵
    PID:3824
- - C:\Windows\Temp\_MAS\bin\cleanosppx64.exe
    "C:\Windows\Temp\_MAS\bin\cleanosppx64.exe" -Licenses
    3⤵
    - Executes dropped EXE
    PID:3832
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path SoftwareLicensingProduct where "ApplicationID='0ff1ce15-a989-479d-af46-f275c6370663'" get LicenseFamily
    3⤵
    PID:4476
- - C:\Windows\System32\findstr.exe
    findstr /V /R "^$"
    3⤵
    PID:3432
- - C:\Windows\System32\findstr.exe
    findstr /I /C:"ProPlus2019Retail" "C:\Windows\Temp\crvProductIds.txt"
    3⤵
    PID:4744
- - C:\Windows\System32\findstr.exe
    findstr /I /C:"ProjectPro2019Retail" "C:\Windows\Temp\crvProductIds.txt"
    3⤵
    PID:4320
- - C:\Windows\System32\findstr.exe
    findstr /I /C:"VisioPro2019Retail" "C:\Windows\Temp\crvProductIds.txt"
    3⤵
    PID:3396
- - C:\Windows\System32\findstr.exe
    findstr /I /C:"Standard2019Retail" "C:\Windows\Temp\crvProductIds.txt"
    3⤵
    PID:1808
- - C:\Windows\System32\findstr.exe
    findstr /I /C:"ProjectStd2019Retail" "C:\Windows\Temp\crvProductIds.txt"
    3⤵
    PID:5108
- - C:\Windows\System32\findstr.exe
    findstr /I /C:"VisioStd2019Retail" "C:\Windows\Temp\crvProductIds.txt"
    3⤵
    PID:5088
- - C:\Windows\System32\findstr.exe
    findstr /I /C:"Access2019Retail" "C:\Windows\Temp\crvProductIds.txt"
    3⤵
    PID:5096
- - C:\Windows\System32\findstr.exe
    findstr /I /C:"SkypeforBusiness2019Retail" "C:\Windows\Temp\crvProductIds.txt"
    3⤵
    PID:4924
- - C:\Windows\System32\findstr.exe
    findstr /I /C:"Excel2019Retail" "C:\Windows\Temp\crvProductIds.txt"
    3⤵
    PID:2204
- - C:\Windows\System32\findstr.exe
    findstr /I /C:"Outlook2019Retail" "C:\Windows\Temp\crvProductIds.txt"
    3⤵
    PID:1284
- - C:\Windows\System32\findstr.exe
    findstr /I /C:"PowerPoint2019Retail" "C:\Windows\Temp\crvProductIds.txt"
    3⤵
    PID:2316
- - C:\Windows\System32\findstr.exe
    findstr /I /C:"Publisher2019Retail" "C:\Windows\Temp\crvProductIds.txt"
    3⤵
    PID:4228
- - C:\Windows\System32\findstr.exe
    findstr /I /C:"Word2019Retail" "C:\Windows\Temp\crvProductIds.txt"
    3⤵
    PID:3808
- - C:\Windows\System32\findstr.exe
    findstr /I /C:"Professional2019Retail" "C:\Windows\Temp\crvProductIds.txt"
    3⤵
    PID:4304
- - C:\Windows\System32\findstr.exe
    findstr /I /C:"HomeBusiness2019Retail" "C:\Windows\Temp\crvProductIds.txt"
    3⤵
    PID:2820
- - C:\Windows\System32\findstr.exe
    findstr /I /C:"HomeStudent2019Retail" "C:\Windows\Temp\crvProductIds.txt"
    3⤵
    PID:4804
- - C:\Windows\System32\findstr.exe
    findstr /I /C:"MondoRetail" "C:\Windows\Temp\crvProductIds.txt"
    3⤵
    PID:3384
- - C:\Windows\System32\findstr.exe
    findstr /I /C:"ProjectProRetail" "C:\Windows\Temp\crvProductIds.txt"
    3⤵
    PID:976
- - C:\Windows\System32\findstr.exe
    findstr /I /C:"VisioProRetail" "C:\Windows\Temp\crvProductIds.txt"
    3⤵
    PID:4800
- - C:\Windows\System32\findstr.exe
    findstr /I /C:"StandardRetail" "C:\Windows\Temp\crvProductIds.txt"
    3⤵
    PID:2888
- - C:\Windows\System32\findstr.exe
    findstr /I /C:"ProjectStdRetail" "C:\Windows\Temp\crvProductIds.txt"
    3⤵
    PID:4236
- - C:\Windows\System32\findstr.exe
    findstr /I /C:"VisioStdRetail" "C:\Windows\Temp\crvProductIds.txt"
    3⤵
    PID:2344
- - C:\Windows\System32\findstr.exe
    findstr /I /C:"AccessRetail" "C:\Windows\Temp\crvProductIds.txt"
    3⤵
    PID:996
- - C:\Windows\System32\findstr.exe
    findstr /I /C:"SkypeforBusinessRetail" "C:\Windows\Temp\crvProductIds.txt"
    3⤵
    PID:5116
- - C:\Windows\System32\findstr.exe
    findstr /I /C:"ExcelRetail" "C:\Windows\Temp\crvProductIds.txt"
    3⤵
    PID:3528
- - C:\Windows\System32\findstr.exe
    findstr /I /C:"OutlookRetail" "C:\Windows\Temp\crvProductIds.txt"
    3⤵
    PID:3964
- - C:\Windows\System32\findstr.exe
    findstr /I /C:"PowerPointRetail" "C:\Windows\Temp\crvProductIds.txt"
    3⤵
    PID:3988
- - C:\Windows\System32\findstr.exe
    findstr /I /C:"PublisherRetail" "C:\Windows\Temp\crvProductIds.txt"
    3⤵
    PID:3688
- - C:\Windows\System32\findstr.exe
    findstr /I /C:"WordRetail" "C:\Windows\Temp\crvProductIds.txt"
    3⤵
    PID:4420
- - C:\Windows\System32\findstr.exe
    findstr /I /C:"OneNoteRetail" "C:\Windows\Temp\crvProductIds.txt"
    3⤵
    PID:3668
- - C:\Windows\System32\findstr.exe
    findstr /I /C:"ProfessionalRetail" "C:\Windows\Temp\crvProductIds.txt"
    3⤵
    PID:4084
- - C:\Windows\System32\findstr.exe
    findstr /I /C:"HomeBusinessRetail" "C:\Windows\Temp\crvProductIds.txt"
    3⤵
    PID:4896
- - C:\Windows\System32\findstr.exe
    findstr /I /C:"HomeStudentRetail" "C:\Windows\Temp\crvProductIds.txt"
    3⤵
    PID:3708
- - C:\Windows\System32\findstr.exe
    findstr /I /C:"O365ProPlusRetail" "C:\Windows\Temp\crvProductIds.txt"
    3⤵
    PID:4044
- - C:\Windows\System32\findstr.exe
    findstr /I /C:"O365BusinessRetail" "C:\Windows\Temp\crvProductIds.txt"
    3⤵
    PID:1732
- - C:\Windows\System32\findstr.exe
    findstr /I /C:"O365SmallBusPremRetail" "C:\Windows\Temp\crvProductIds.txt"
    3⤵
    PID:2256
- - C:\Windows\System32\findstr.exe
    findstr /I /C:"O365HomePremRetail" "C:\Windows\Temp\crvProductIds.txt"
    3⤵
    PID:3924
- - C:\Windows\System32\findstr.exe
    findstr /I /C:"O365EduCloudRetail" "C:\Windows\Temp\crvProductIds.txt"
    3⤵
    PID:3956
- - C:\Windows\System32\findstr.exe
    findstr /I /C:"ProPlus2019Volume" "C:\Windows\Temp\crvProductIds.txt"
    3⤵
    PID:3800
- - C:\Windows\System32\findstr.exe
    findstr /I /C:"ProjectPro2019Volume" "C:\Windows\Temp\crvProductIds.txt"
    3⤵
    PID:4980
- - C:\Windows\System32\findstr.exe
    findstr /I /C:"VisioPro2019Volume" "C:\Windows\Temp\crvProductIds.txt"
    3⤵
    PID:3976
- - C:\Windows\System32\findstr.exe
    findstr /I /C:"Standard2019Volume" "C:\Windows\Temp\crvProductIds.txt"
    3⤵
    PID:4984
- - C:\Windows\System32\findstr.exe
    findstr /I /C:"ProjectStd2019Volume" "C:\Windows\Temp\crvProductIds.txt"
    3⤵
    PID:4288
- - C:\Windows\System32\findstr.exe
    findstr /I /C:"VisioStd2019Volume" "C:\Windows\Temp\crvProductIds.txt"
    3⤵
    PID:4496
- - C:\Windows\System32\findstr.exe
    findstr /I /C:"Access2019Volume" "C:\Windows\Temp\crvProductIds.txt"
    3⤵
    PID:3932
- - C:\Windows\System32\findstr.exe
    findstr /I /C:"SkypeforBusiness2019Volume" "C:\Windows\Temp\crvProductIds.txt"
    3⤵
    PID:4528
- - C:\Windows\System32\findstr.exe
    findstr /I /C:"Excel2019Volume" "C:\Windows\Temp\crvProductIds.txt"
    3⤵
    PID:3636
- - C:\Windows\System32\findstr.exe
    findstr /I /C:"Outlook2019Volume" "C:\Windows\Temp\crvProductIds.txt"
    3⤵
    PID:3048
- - C:\Windows\System32\findstr.exe
    findstr /I /C:"PowerPoint2019Volume" "C:\Windows\Temp\crvProductIds.txt"
    3⤵
    PID:2880
- - C:\Windows\System32\findstr.exe
    findstr /I /C:"Publisher2019Volume" "C:\Windows\Temp\crvProductIds.txt"
    3⤵
    PID:4484
- - C:\Windows\System32\findstr.exe
    findstr /I /C:"Word2019Volume" "C:\Windows\Temp\crvProductIds.txt"
    3⤵
    PID:4472
- - C:\Windows\System32\findstr.exe
    findstr /I /C:"MondoVolume" "C:\Windows\Temp\crvProductIds.txt"
    3⤵
    PID:4384
- - C:\Windows\System32\findstr.exe
    findstr /I /C:"ProjectProVolume" "C:\Windows\Temp\crvProductIds.txt"
    3⤵
    PID:3268
- - C:\Windows\System32\findstr.exe
    findstr /I /C:"VisioProVolume" "C:\Windows\Temp\crvProductIds.txt"
    3⤵
    PID:4504
- - C:\Windows\System32\findstr.exe
    findstr /I /C:"StandardVolume" "C:\Windows\Temp\crvProductIds.txt"
    3⤵
    PID:1984
- - C:\Windows\System32\findstr.exe
    findstr /I /C:"ProjectStdVolume" "C:\Windows\Temp\crvProductIds.txt"
    3⤵
    PID:4704
- - C:\Windows\System32\findstr.exe
    findstr /I /C:"VisioStdVolume" "C:\Windows\Temp\crvProductIds.txt"
    3⤵
    PID:4540
- - C:\Windows\System32\findstr.exe
    findstr /I /C:"AccessVolume" "C:\Windows\Temp\crvProductIds.txt"
    3⤵
    PID:3204
- - C:\Windows\System32\findstr.exe
    findstr /I /C:"SkypeforBusinessVolume" "C:\Windows\Temp\crvProductIds.txt"
    3⤵
    PID:4560
- - C:\Windows\System32\findstr.exe
    findstr /I /C:"ExcelVolume" "C:\Windows\Temp\crvProductIds.txt"
    3⤵
    PID:4424
- - C:\Windows\System32\findstr.exe
    findstr /I /C:"OutlookVolume" "C:\Windows\Temp\crvProductIds.txt"
    3⤵
    PID:4624
- - C:\Windows\System32\findstr.exe
    findstr /I /C:"PowerPointVolume" "C:\Windows\Temp\crvProductIds.txt"
    3⤵
    PID:3168
- - C:\Windows\System32\findstr.exe
    findstr /I /C:"PublisherVolume" "C:\Windows\Temp\crvProductIds.txt"
    3⤵
    PID:3172
- - C:\Windows\System32\findstr.exe
    findstr /I /C:"WordVolume" "C:\Windows\Temp\crvProductIds.txt"
    3⤵
    PID:1076
- - C:\Windows\System32\findstr.exe
    findstr /I /C:"OneNoteVolume" "C:\Windows\Temp\crvProductIds.txt"
    3⤵
    PID:1192
- - C:\Windows\System32\reg.exe
    reg query HKLM\SOFTWARE\Microsoft\Office\ClickToRun\ProductReleaseIDs\6FCE168E-7DC5-43EA-A0C4-63DD4FBAAB89\ProPlusRetail.16
    3⤵
    - Modifies registry key
    PID:1356
- - C:\Windows\System32\find.exe
    find /i "Office16ProPlusVL_KMS_Client" "C:\Windows\Temp\crvVolume.txt"
    3⤵
    PID:4416
- - C:\Windows\System32\reg.exe
    reg query HKLM\SOFTWARE\Microsoft\Office\ClickToRun\ProductReleaseIDs\6FCE168E-7DC5-43EA-A0C4-63DD4FBAAB89\ProPlusVolume.16
    3⤵
    - Modifies registry key
    PID:4452
- - C:\Windows\System32\reg.exe
    reg delete HKLM\SOFTWARE\Microsoft\Office\ClickToRun\Configuration /f /v ProPlus2019Volume.OSPPReady
    3⤵
    - Modifies registry key
    PID:3212
- - C:\Program Files\Microsoft Office\root\integration\Integrator.exe
    "C:\Program Files\Microsoft Office\root\integration\integrator.exe" /I /License PRIDName=ProPlus2019Volume.16 PackageGUID="9AC08E99-230B-47e8-9721-4577B7F124EA" PackageRoot="C:\Program Files\Microsoft Office\root"
    3⤵
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious use of SetWindowsHookEx
    PID:512
- - C:\Windows\System32\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Office\ClickToRun\Configuration /f /v ProPlus2019Volume.OSPPReady /t REG_SZ /d 1
    3⤵
    - Modifies registry key
    PID:1492
- - C:\Windows\System32\reg.exe
    reg query HKLM\SOFTWARE\Microsoft\Office\ClickToRun\Configuration /v ProductReleaseIds
    3⤵
    - Modifies registry key
    PID:816
- - C:\Windows\System32\findstr.exe
    findstr /I "ProPlus2019Volume"
    3⤵
    PID:1896
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg query HKLM\SOFTWARE\Microsoft\Office\ClickToRun\Configuration /v ProductReleaseIds
    3⤵
    PID:916
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SOFTWARE\Microsoft\Office\ClickToRun\Configuration /v ProductReleaseIds
      4⤵
      Modifies registry key
      PID:1332
- - C:\Windows\System32\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Office\ClickToRun\Configuration /v ProductReleaseIds /t REG_SZ /d "ProPlusRetail,ProPlus2019Volume" /f
    3⤵
    - Modifies registry key
    PID:3340
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path SoftwareLicensingService where version='10.0.15063.0' call RefreshLicenseStatus
    3⤵
    PID:204
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path SoftwareLicensingProduct where (Description like '%KMSCLIENT%' AND NOT Name like '%MondoR_KMS_Automation%') get Name
    3⤵
    PID:220
- - C:\Windows\System32\find.exe
    find /i "Office 19" "C:\Windows\Temp\sppchk.txt"
    3⤵
    PID:208
- - C:\Windows\System32\find.exe
    find /i "Office 16" "C:\Windows\Temp\sppchk.txt"
    3⤵
    PID:1388
- - C:\Windows\System32\find.exe
    find /i "Office 15" "C:\Windows\Temp\sppchk.txt"
    3⤵
    PID:2208
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path SoftwareLicensingProduct where (ApplicationID='0ff1ce15-a989-479d-af46-f275c6370663' AND NOT Name like '%O365%') get Name
    3⤵
    PID:1200
- - C:\Windows\System32\find.exe
    find /i "Office 19"
    3⤵
    PID:2240
- - C:\Windows\System32\find.exe
    find /i "R_Retail" "C:\Windows\Temp\sppchk.txt"
    3⤵
    PID:2412
- - C:\Windows\System32\find.exe
    find /i "R_Retail" "C:\Windows\Temp\sppchk.txt"
    3⤵
    PID:644
- - C:\Windows\System32\find.exe
    find /i "Office 16"
    3⤵
    PID:748
- - C:\Windows\System32\find.exe
    find /i "R_Retail" "C:\Windows\Temp\sppchk.txt"
    3⤵
    PID:1616
- - C:\Windows\System32\find.exe
    find /i "Office 15"
    3⤵
    PID:1712
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path SoftwareLicensingProduct where (Description like '%KMSCLIENT%') get Name
    3⤵
    PID:2848
- - C:\Windows\System32\findstr.exe
    findstr /i Windows
    3⤵
    PID:2764
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path SoftwareLicensingProduct where (ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f' and Description like '%KMSCLIENT%' and PartialProductKey is not NULL) get Name
    3⤵
    PID:3828
- - C:\Windows\System32\findstr.exe
    findstr /i Windows
    3⤵
    PID:2824
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path SoftwareLicensingProduct where (ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f' and Description like '%KMSCLIENT%' and PartialProductKey is not NULL) get GracePeriodRemaining /VALUE" 2>nul
    3⤵
    PID:3928
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path SoftwareLicensingProduct where (ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f' and Description like '%KMSCLIENT%' and PartialProductKey is not NULL) get GracePeriodRemaining /VALUE
      4⤵
      PID:4684
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path SoftwareLicensingService get Version /VALUE"
    3⤵
    PID:3404
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path SoftwareLicensingService get Version /VALUE
      4⤵
      PID:2828
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path SoftwareLicensingService where version='10.0.15063.0' call SetKeyManagementServiceMachine MachineName="kms8.MSGuides.com"
    3⤵
    PID:4724
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path SoftwareLicensingService where version='10.0.15063.0' call SetKeyManagementServicePort 1688
    3⤵
    PID:4744
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path SoftwareLicensingProduct where (ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f' and Description like '%KMSCLIENT%') get ID /VALUE"
    3⤵
    PID:5000
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path SoftwareLicensingProduct where (ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f' and Description like '%KMSCLIENT%') get ID /VALUE
      4⤵
      PID:2840
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path SoftwareLicensingProduct where ID='2de67392-b7a7-462a-b1ca-108dd189f588' get LicenseStatus
    3⤵
    PID:4104
- - C:\Windows\System32\findstr.exe
    findstr "1"
    3⤵
    PID:5088
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path SoftwareLicensingProduct where (PartialProductKey is not NULL) get ID
    3⤵
    PID:3456
- - C:\Windows\System32\findstr.exe
    findstr /i "2de67392-b7a7-462a-b1ca-108dd189f588"
    3⤵
    PID:2204
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path SoftwareLicensingProduct where ID='2de67392-b7a7-462a-b1ca-108dd189f588' call ClearKeyManagementServiceMachine
    3⤵
    PID:4116
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path SoftwareLicensingProduct where ID='2de67392-b7a7-462a-b1ca-108dd189f588' call ClearKeyManagementServicePort
    3⤵
    PID:1312
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path SoftwareLicensingProduct where ID='2de67392-b7a7-462a-b1ca-108dd189f588' get Name /VALUE"
    3⤵
    PID:4824
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path SoftwareLicensingProduct where ID='2de67392-b7a7-462a-b1ca-108dd189f588' get Name /VALUE
      4⤵
      PID:4828
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path SoftwareLicensingProduct where ID='2de67392-b7a7-462a-b1ca-108dd189f588' call Activate
    3⤵
    PID:4816
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path SoftwareLicensingService where version='10.0.15063.0' call RefreshLicenseStatus
    3⤵
    PID:2136
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path SoftwareLicensingProduct where ID='2de67392-b7a7-462a-b1ca-108dd189f588' get GracePeriodRemaining /VALUE"
    3⤵
    PID:3372
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path SoftwareLicensingProduct where ID='2de67392-b7a7-462a-b1ca-108dd189f588' get GracePeriodRemaining /VALUE
      4⤵
      PID:3408
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell write-host -back Black -fore Green Product Activation Successful
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4276
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path SoftwareLicensingProduct where ID='3f1afc82-f8ac-4f6c-8005-1d233e606eee' get LicenseStatus
    3⤵
    PID:4044
- - C:\Windows\System32\findstr.exe
    findstr "1"
    3⤵
    PID:3948
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path SoftwareLicensingProduct where (PartialProductKey is not NULL) get ID
    3⤵
    PID:2256
- - C:\Windows\System32\findstr.exe
    findstr /i "3f1afc82-f8ac-4f6c-8005-1d233e606eee"
    3⤵
    PID:4032
- - C:\Windows\System32\findstr.exe
    findstr "1"
    3⤵
    PID:4960
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path SoftwareLicensingProduct where ID='73111121-5638-40f6-bc11-f1d7b0d64300' get LicenseStatus
    3⤵
    PID:4980
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path SoftwareLicensingProduct where (PartialProductKey is not NULL) get ID
    3⤵
    PID:4496
- - C:\Windows\System32\findstr.exe
    findstr /i "73111121-5638-40f6-bc11-f1d7b0d64300"
    3⤵
    PID:3200
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path SoftwareLicensingService where version='10.0.15063.0' call DisableKeyManagementServiceDnsPublishing 0
    3⤵
    PID:3636
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path SoftwareLicensingService where version='10.0.15063.0' call DisableKeyManagementServiceHostCaching 0
    3⤵
    PID:2880
- - C:\Windows\System32\sc.exe
    sc query sppsvc
    3⤵
    - Launches sc.exe
    PID:4892
- - C:\Windows\System32\find.exe
    find /i "STOPPED"
    3⤵
    PID:3792
- - C:\Windows\System32\net.exe
    net stop sppsvc /y
    3⤵
    PID:4368
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop sppsvc /y
      4⤵
      PID:4576
- - C:\Windows\System32\sc.exe
    sc query sppsvc
    3⤵
    - Launches sc.exe
    PID:3044
- - C:\Windows\System32\find.exe
    find /i "STOPPED"
    3⤵
    PID:4580
- - C:\Windows\System32\sc.exe
    sc start sppsvc trigger=timer;sessionid=0
    3⤵
    - Launches sc.exe
    PID:4460
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:4624
- C:\Windows\system32\mode.com
  mode con cols=98 lines=30
  2⤵
  PID:1144
- C:\Windows\system32\choice.exe
  choice /C:1234 /N /M "> Enter Your Choice [1,2,3,4] : "
  2⤵
  PID:1460
- C:\Windows\system32\mode.com
  mode con cols=98 lines=30
  2⤵
  PID:860
- C:\Windows\system32\choice.exe
  choice /C:123456789 /N /M "> Enter Your Choice in the Keyboard [1,2,3,4,5,6,7,8,9] : "
  2⤵
  PID:792
- C:\Windows\system32\mode.com
  mode con cols=98 lines=32
  2⤵
  PID:4464
- C:\Windows\system32\choice.exe
  choice /C:1234567890 /N /M ". Enter Your Choice [1,2,3,4,5,6,7,8,9,0] : "
  2⤵
  PID:3960
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell "$f=[io.file]::ReadAllText('C:\Users\Admin\AppData\Local\Temp\MAS_1.4_AIO_CRC32_9A7B5B05.cmd') -split \":2\:.*`r`n\"; [io.file]::WriteAllText('C:\Windows\Temp\ReadMe.txt',$f[1].Trim(),[System.Text.Encoding]::ASCII);"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:584
- C:\Windows\system32\notepad.exe
  notepad "C:\Windows\Temp\ReadMe.txt"
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:1896
- C:\Windows\system32\timeout.exe
  timeout /t 2
  2⤵
  - Delays execution with timeout.exe
  PID:3328
- C:\Windows\system32\mode.com
  mode con cols=98 lines=32
  2⤵
  PID:3352
- C:\Windows\system32\choice.exe
  choice /C:1234567890 /N /M ". Enter Your Choice [1,2,3,4,5,6,7,8,9,0] : "
  2⤵
  PID:204
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell "$f=[io.file]::ReadAllText('C:\Users\Admin\AppData\Local\Temp\MAS_1.4_AIO_CRC32_9A7B5B05.cmd') -split \":5\:.*`r`n\"; [io.file]::WriteAllText('C:\Windows\Temp\ReadMe.txt',$f[1].Trim(),[System.Text.Encoding]::ASCII);"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:212
- C:\Windows\system32\notepad.exe
  notepad "C:\Windows\Temp\ReadMe.txt"
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:2412
- C:\Windows\system32\timeout.exe
  timeout /t 2
  2⤵
  - Delays execution with timeout.exe
  PID:2724
- C:\Windows\system32\mode.com
  mode con cols=98 lines=32
  2⤵
  PID:796
- C:\Windows\system32\choice.exe
  choice /C:1234567890 /N /M ". Enter Your Choice [1,2,3,4,5,6,7,8,9,0] : "
  2⤵
  PID:2992
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell "$f=[io.file]::ReadAllText('C:\Users\Admin\AppData\Local\Temp\MAS_1.4_AIO_CRC32_9A7B5B05.cmd') -split \":2\:.*`r`n\"; [io.file]::WriteAllText('C:\Windows\Temp\ReadMe.txt',$f[1].Trim(),[System.Text.Encoding]::ASCII);"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2224
- C:\Windows\system32\notepad.exe
  notepad "C:\Windows\Temp\ReadMe.txt"
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:1680
- C:\Windows\system32\timeout.exe
  timeout /t 2
  2⤵
  - Delays execution with timeout.exe
  PID:1900
- C:\Windows\system32\mode.com
  mode con cols=98 lines=32
  2⤵
  PID:2732
- C:\Windows\system32\choice.exe
  choice /C:1234567890 /N /M ". Enter Your Choice [1,2,3,4,5,6,7,8,9,0] : "
  2⤵
  PID:4036
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell "$f=[io.file]::ReadAllText('C:\Users\Admin\AppData\Local\Temp\MAS_1.4_AIO_CRC32_9A7B5B05.cmd') -split \":3\:.*`r`n\"; [io.file]::WriteAllText('C:\Windows\Temp\ReadMe.txt',$f[1].Trim(),[System.Text.Encoding]::ASCII);"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1760
- C:\Windows\system32\notepad.exe
  notepad "C:\Windows\Temp\ReadMe.txt"
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:1808
- C:\Windows\system32\timeout.exe
  timeout /t 2
  2⤵
  - Delays execution with timeout.exe
  PID:2840
- C:\Windows\system32\mode.com
  mode con cols=98 lines=32
  2⤵
  PID:2260
- C:\Windows\system32\choice.exe
  choice /C:1234567890 /N /M ". Enter Your Choice [1,2,3,4,5,6,7,8,9,0] : "
  2⤵
  PID:5088
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell "$f=[io.file]::ReadAllText('C:\Users\Admin\AppData\Local\Temp\MAS_1.4_AIO_CRC32_9A7B5B05.cmd') -split \":4\:.*`r`n\"; [io.file]::WriteAllText('C:\Windows\Temp\ReadMe.txt',$f[1].Trim(),[System.Text.Encoding]::ASCII);"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1284
- C:\Windows\system32\notepad.exe
  notepad "C:\Windows\Temp\ReadMe.txt"
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:3384
- C:\Windows\system32\timeout.exe
  timeout /t 2
  2⤵
  - Delays execution with timeout.exe
  PID:4792
- C:\Windows\system32\mode.com
  mode con cols=98 lines=32
  2⤵
  PID:4800
- C:\Windows\system32\choice.exe
  choice /C:1234567890 /N /M ". Enter Your Choice [1,2,3,4,5,6,7,8,9,0] : "
  2⤵
  PID:3548
- C:\Windows\system32\mode.com
  mode con cols=98 lines=30
  2⤵
  PID:4236
- C:\Windows\system32\choice.exe
  choice /C:123456789 /N /M "> Enter Your Choice in the Keyboard [1,2,3,4,5,6,7,8,9] : "
  2⤵
  PID:4796

C:\Windows\System32\SystemSettingsBroker.exe
C:\Windows\System32\SystemSettingsBroker.exe -Embedding
1⤵
PID:4420

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservice -s SstpSvc
1⤵
PID:2244

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s RmSvc
1⤵
PID:4992

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -s DsmSvc
1⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Modifies data under HKEY_USERS
PID:1756

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s NetSetupSvc
1⤵
- Drops file in Windows directory
PID:4572

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s RasMan
1⤵
PID:4484

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
ea6243fdb2bfcca2211884b0a21a0afc

SHA1
2eee5232ca6acc33c3e7de03900e890f4adf0f2f

SHA256
5bc7d9831ea72687c5458cae6ae4eb7ab92975334861e08065242e689c1a1ba8

SHA512
189db6779483e5be80331b2b64e17b328ead5e750482086f3fe4baae315d47d207d88082b323a6eb777f2f47e29cac40f37dda1400462322255849cbcc973940

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
fb360fe47bb794f2a708c02436baec3f

SHA1
cdd0e8a422e28c1d83caa1902c76bcb228a2e20c

SHA256
f77d943533ceea295360f16c7aa5abeedcfaa80122d329a2ed44d62470424bb5

SHA512
0f897205d1b482a18ea99f24847ed510cbb3e93ff776c6cabcb527c70ee9c5f0cd00b36c408668535a983bc84958d45cdc507584b198af04070f863a2ba8ab21

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
bb833baaeec7bceab21fae6c6a7a00d9

SHA1
5715b2ead44ddbdb065609896d85cd9f4fcf13eb

SHA256
6c5834ed980be053769136579f13cc97c57c20a35de763501b34497a9eedb45b

SHA512
254b42a8e7abde61726adff1a77a95581dd06935b2566845c519e9781f9b327c7b9af7faa97825089858a3f872907e22b99f4433ca0aec7f741e98a5a71f4500

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
2acde155d658f237e85f706bdf803e34

SHA1
28a0e97cecd2ca507b4217c77fec75a182ae7349

SHA256
a5af1a64575f9a02d0aaae3e10c285166f34d8abd9ff2c8486b8e835b502e04d

SHA512
c9794708c38f1b6172cbf216a97be13063f91d7729f13cf830ebd5b37a24ee4b72ca6dfd91445cc630ca30b990c2da6096cbaebd1497fa21139991db2907ba42

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
e0182bed300aaa2cef6df51b519ef7a9

SHA1
3ab7072f2bb0ad9c8866afdf69196db81f0aad99

SHA256
7162c80e3ba768901cb82956f6eeb336ab969ad8658ebe59d9dad886df97e672

SHA512
b4ca20e3e120b61991f28b545fd20d0072d009c6ffdebf0664da79802b24b4f2eb5d6269c64e1e270365557e15a10bf392e13fcd31a60754bcbd3ac28edc6087

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
81a52ab760d2b83b179126f8cd595bb7

SHA1
a285c263af08e34bb91821d0de47de67d3c81608

SHA256
3d6044196ba35c9f638455f6eca0407a06d1ce2e2b1f604408045a22e21079df

SHA512
2301e20954923c7497969888baa15bdd66e520dedd5a09e6e77f7e86bc365e2e01137e73e73c68f9b5856c27813afc2cd96a36f7f0652ea25d32be9c83d83f1d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
28aae5aee15990c300ab86d0b8c3d9a0

SHA1
c4973feb0c2c8cc610f38682dee6725ca3928bf1

SHA256
54a17d21e8ec8d91ab32c74269e72f7903f14e624c0e654290b8fd558677a114

SHA512
af3d14c24a8de69b3a11c1d2dffa64268fb0d94f445ce43325bd13b4983b1b66d6c5b7e86002ab4d65f52d3dbeea4c89a485c1e0ff472bdcf74354992b374647

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
0c5572edff66520528133842aac33e7f

SHA1
3b2b5fa5485d377343e1abf6fbd01fb6794a2656

SHA256
f39f9ed774e8db111047cc9fb3afcad429305eab6830e97a8da5c45bd23532cd

SHA512
eab8d634f0ecdd23c6c05f272ebe8db4292e38f81875b975da17ee2ae263d461679d9ef1256996dad9aebf602c59416ebf345aede558a08160a9f435faf048ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
0fb00dae08b686dee0b5406053e5fd10

SHA1
e03e1342c2004d83c20a9656892f69ad9ec64251

SHA256
7ff1a89cd6988ec8084527b162664060d2806fe5e5bdbc2301b5e97a01b5accb

SHA512
bfb9d0d3b78721de1956a2c986f5df32bfc2b3e30c1e0b2a3c1edb46843955b06c1514fa63daaa510284c459d038d8b213ec29f73fd89b56e9cad922204dd73e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
f2444e35a9096ed68cf5b3aca519e77b

SHA1
75017edede830af5b9f0ef75ccdfd5683bdd4103

SHA256
bfa09e1af13ccdcffabffc96b302404ec17e5adae039fb6556906500d49ae863

SHA512
46807bc8d256c74c44e38eb646b5c3b1225d77a584e8cca6f50e1c77b6938aca032dbff50a625c9f3f60bd1afb116cbd1bf8c2268c65fa61cc07157558cfbd33

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
b30e046b9816b440402c70e6d0a8b034

SHA1
5b026becbc14eb31ed6b8dacdae743f67afd8232

SHA256
81a49babcb33605eb4c59859a7714d81e8fdef1364097b505079f581d459f425

SHA512
917fc3bf847b57475d770a4fc51481d1965d27e01a22f569eca9191401616571307b87dfb993e28432beb637ab093fe5346faec4a9caa6e6a84cc658c002590a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
09504f1610b539aa51cbd0d4bc70cbf6

SHA1
6b934d7a9350d6d43738d158b549bda5b6b21648

SHA256
549d12a5c7782909df9d69393ac198a39bcc1cf6f7e50cfbebff9849a460c016

SHA512
ff1c45783048ea2e0f07da5af431962f3fdc54f144f36afa7dc42a87a3616eb216b4b9e26b0ac040f198446b9a91933969aa00ba526c9117fe38d25742093994

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESE4D7.tmp

Filesize
1KB

MD5
e844910971c18d3c859b85dd6da079b7

SHA1
7afefb93648061184ad8bba89b440a8b79a1c61c

SHA256
b3b587266859acf009e9a1b4d7ee9417c618920242c4ede6d696f50212db4a7d

SHA512
7ef5a57226172d4fd72acddb91f06c746da1571d28a27ec830bec8e7f82254e89903cddc316b78e4faf790fe21724971dd5ec7f38cb7f3525d89867deac3c1c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrvc3ef\chrvc3ef.dll

Filesize
4KB

MD5
fc78695d39b53dc1d6d42d7d40457777

SHA1
491cb186320e19a0e9d9dd86bdcbbd6cf33b738d

SHA256
5d66155e0d90cfc5d8ad2d58ac13a486d9458f21680bb5d74da6920f0531ff35

SHA512
c3df3d205ece1ec8410924bca842093334f53b7ee877683f3dcc15dadaaecb4663830d6554c8eba545f68a61f979a39f6ae12ce9cf538aeb9e79ca5bfed03300

Download Submit
C:\Windows\INF\netsstpa.PNF

Filesize
6KB

MD5
01e21456e8000bab92907eec3b3aeea9

SHA1
39b34fe438352f7b095e24c89968fca48b8ce11c

SHA256
35ad0403fdef3fce3ef5cd311c72fef2a95a317297a53c02735cda4bd6e0c74f

SHA512
9d5153450e8fe3f51f20472bae4a2ab2fed43fad61a89b04a70325559f6ffed935dd72212671cc6cfc0288458d359bc71567f0d9af8e5770d696adc5bdadd7ec

Download Submit
C:\Windows\Temp\ReadMe.txt

Filesize
14KB

MD5
c5805158749ee9bbd71306d995b11a18

SHA1
84bffadaf6fbaee62a31121fe367375d94add6f3

SHA256
9cdc78ecffc929ee5effa948b0a3f8b69034a23f666b6605b8937599b9ec7570

SHA512
fecea6e59a0a3f94f32bdc96288f0b82d1df0de1eb215f377ae5c0e5d201a8bbc449d2333a75ed772cc5bed1fa38399417b4694b71f48b637aad3f78dd855a3f

Download Submit
C:\Windows\Temp\ReadMe.txt

Filesize
6KB

MD5
6d28006c40c4983066f3946dce920778

SHA1
6c0697f17d1a7d8589eaaf37a4275fa745615f30

SHA256
78613b623cb1e123459c109a80d4e6f4eb8e0859b6c4531186720b44ef6c5871

SHA512
11d80775c1c6ecb08a6f946182de55a49a82c6819d30abfad1858b1a03e6281e9b710c28967239f51b0611f7c85208f51ac5015448e9b45bdc2e139872958ebf

Download Submit
C:\Windows\Temp\ReadMe.txt

Filesize
14KB

MD5
c5805158749ee9bbd71306d995b11a18

SHA1
84bffadaf6fbaee62a31121fe367375d94add6f3

SHA256
9cdc78ecffc929ee5effa948b0a3f8b69034a23f666b6605b8937599b9ec7570

SHA512
fecea6e59a0a3f94f32bdc96288f0b82d1df0de1eb215f377ae5c0e5d201a8bbc449d2333a75ed772cc5bed1fa38399417b4694b71f48b637aad3f78dd855a3f

Download Submit
C:\Windows\Temp\ReadMe.txt

Filesize
16KB

MD5
0daca7fb40c3b157d9224896089f4ff8

SHA1
a53371e73405ba9c1c4fa6a29c604bf3b954117c

SHA256
24cb9942229c4a8e81efd2d0f7fa5ef45cfae447309a524a633756a0515f3186

SHA512
fc6d16a056399c931289d12d06903043e781a2ecb5ce11805bbfc97a414314dffb521d3abc6cf99451fb2d99c68efbe348f4cadc23df96a01e227a7455c037a1

Download Submit
C:\Windows\Temp\ReadMe.txt

Filesize
28KB

MD5
9224ac59c75ca4d22a293516f3b3efaf

SHA1
2ca8daf456c858d58d51d20ccf6857da7460bcae

SHA256
91368db48286da8559a3096b5fcca142b2a377a31a2467fdc94e7d9c16450930

SHA512
7e5c2f6be8bbaadf0490bcab0a0cb495e4b2af838869399aeaff07434676008cb02a622c84eab0b4374712b7a10235eb296759da47876bdb376dd831cda369a2

Download Submit
C:\Windows\Temp\_MAS\1._

Filesize
14KB

MD5
050ea0eaf253fa38914ce62386c2b6bb

SHA1
6b8b01c748e3bdee36a10d6fa2abc2b1555539d5

SHA256
abd98fa1238ae8e66e8125d1cd3f9678cf49c9a507acf4950e8273df8b4a1dcb

SHA512
0d717e188e0c3b8f1d7f123d04072cd8635b5d4620ea7aab1c581a23f58935ef0b698d373abfbd79b8f8d7af173dcc345aa76f46beeb84edaca5ec421cb864c7

Download Submit
C:\Windows\Temp\_MAS\Activate.cmd

Filesize
88KB

MD5
864cf3f1539e2b6deb6003c08054d401

SHA1
1c0c8c24a70d211e1a74c91aa80e11ed97c0d661

SHA256
57955e698b9f3d55f364cb0fefe0aa56693532dcd81704abe6b89bb73eaf2d77

SHA512
5447310c26d1abb5ce86a2dd89d291bdf47bba7e534fa636367372429ac46e92d5c330574378be5e4ebc17f11b98f6e1901dd2b4e5605dad4a173006d6b822e6

Download Submit
C:\Windows\Temp\_MAS\BIN\CLEANO~2.EXE

Filesize
17KB

MD5
5fd363d52d04ac200cd24f3bcc903200

SHA1
39ed8659e7ca16aaccb86def94ce6cec4c847dd6

SHA256
3fdefe2ad092a9a7fe0edf0ac4dc2de7e5b9ce6a0804f6511c06564194966cf9

SHA512
f8ea73b0cb0a90fac6032a54028c60119022173334e68db3fbd63fe173032dd3fc3b438678064edb8c63d4eceaa72990ce039819df3d547d7d7627ad2eee36b3

Download Submit
C:\Windows\Temp\_MAS\BIN\_Info.txt

Filesize
896B

MD5
d0a2dcedb5a970e057e075722e0937bb

SHA1
9d5b4b3e761cca9531d64200dfbbfa0dec94f5b0

SHA256
be84ead20bf2bee7985eadc83a91c3cbe19f77637ecb9f353bec53e57b57e897

SHA512
607bebd0e712abeae7184594c7d46d07468ccab9c45c64e2ec8d2291749a52083dc4c0c8e7aa883ac09906de06e26aebe81558357bb8cae1e1e0360704f51b0e

Download Submit
C:\Windows\Temp\_MAS\BIN\cleanosppx64.exe

Filesize
19KB

MD5
162ab955cb2f002a73c1530aa796477f

SHA1
d30a0e4e5911d3ca705617d17225372731c770e2

SHA256
5ce462e5f34065fc878362ba58617fab28c22d631b9d836dddcf43fb1ad4de6e

SHA512
e0288dcf78092449d9cbaef4488041131925387c1aedc9e9512da0f66efe2fb68350ca3937f6715834e62e7c931c5dad0fc8bc3c6c0c3daedeff356d6feaac2e

Download Submit
C:\Windows\Temp\_MAS\bin\cleanosppx64.exe

Filesize
19KB

MD5
162ab955cb2f002a73c1530aa796477f

SHA1
d30a0e4e5911d3ca705617d17225372731c770e2

SHA256
5ce462e5f34065fc878362ba58617fab28c22d631b9d836dddcf43fb1ad4de6e

SHA512
e0288dcf78092449d9cbaef4488041131925387c1aedc9e9512da0f66efe2fb68350ca3937f6715834e62e7c931c5dad0fc8bc3c6c0c3daedeff356d6feaac2e

Download Submit
C:\Windows\Temp\c2rchk.txt

Filesize
15B

MD5
606d9abf768025ebe0b25958d417be6c

SHA1
81b33a8807f17530f00225d09943a30a2d2bc94d

SHA256
5e2af1accb0147d7d52f896091e14821abd697a04a67855eee2b8219281c8f9d

SHA512
e3ebded19b43b85453750127f866e92e6623509559bd30048da8685dc9f3a784a0cd0a0f36e64760f6cfb9e55145e560151e8ecfb97499dca9684d6f6fec0d1f

Download Submit
C:\Windows\Temp\crvProductIds.txt

Filesize
15B

MD5
606d9abf768025ebe0b25958d417be6c

SHA1
81b33a8807f17530f00225d09943a30a2d2bc94d

SHA256
5e2af1accb0147d7d52f896091e14821abd697a04a67855eee2b8219281c8f9d

SHA512
e3ebded19b43b85453750127f866e92e6623509559bd30048da8685dc9f3a784a0cd0a0f36e64760f6cfb9e55145e560151e8ecfb97499dca9684d6f6fec0d1f

Download Submit
C:\Windows\Temp\sppchk.txt

Filesize
582B

MD5
e8d6c0d51dad68d755f21325b1c5394a

SHA1
780ac027f741fbcff716bb0d35b3e41288a310b0

SHA256
a3b06071dc1a3d01a5f2cae78d0c9c46e5a8ab7cd14c7c52bdd1277266a6ff0d

SHA512
967b498d92acf196c0e813ec5f559e190cbfa41e50dce1b33a7e147111f6856a9bf3854e22155ddb37810332b0e16a7f7d1fa14190b993465414ef3c494eeb8c

Download Submit
C:\Windows\Temp\sppchk.txt

Filesize
1KB

MD5
263445931b567b90cb3762b33f70b834

SHA1
0604f1f29ec020ec525e9919fc4a2b0eb7246bff

SHA256
5a3731e50125632d76ec575ec7ed9899420526ea19e37620ec466e0a704bd77f

SHA512
22fa40c722d349de4ccad20b40414a8826bfd070cbd62a61279a6847a41ad2a665056bd92dcbc3c0cf98d4b170656ccdcda74f973b5c0d531722de2cb43b02b2

Download Submit
C:\Windows\Temp\sppchk.txt

Filesize
746B

MD5
9a7ffe6ef53917e0742fbbfbaff92495

SHA1
d1b03be7a545634f01f8b7353d6b593e1581b346

SHA256
50bbd6ab372206f85b8392a8fd2cb7785ac453983d7137c6bd4d5d5b63581e78

SHA512
9efdc2d9520ca67bb4ff263dec00305ab672776b85bcd4d3eaf3130781104af6e5f3033a94e12fec28cfa59da71c7cbe41c6d8c11ce678ebb88ac5a1f7c3fe41

Download Submit
C:\Windows\Temp\sppchk.txt

Filesize
622B

MD5
9fc0ee5a461289fcad3068cd7b9f6ab6

SHA1
9bedf79e5e4e4b305891828d7a3b00038d94fa24

SHA256
86c4d982441c7f7e0a3544f43ad68820a5b522fa6e9463e2460c3bfcf6e6b79f

SHA512
1ae571d534c8a1d904b0bf072f629303fda1fd2ff4724abb8b47e155d966fc92c428aafb255b9846276e0831eec8e93b063669f5e0853d4384f6db10aa61229a

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\chrvc3ef\CSC1C61C69C8D240DB8754AA36F0EABB52.TMP

Filesize
652B

MD5
b6482899e17078d89d932aaf0a1326d9

SHA1
7bccf0f1fda7ac8d613793ee5b7424a32acc4739

SHA256
1ead6aeb5a27fcd9c1519e40b5c8edba6e6e32758bf7a903bfd0a4a194c80897

SHA512
11ff03be8ffd2a7d31e38e0057119900ecf5634992e002c94eb00888d4b72b96fd9945dbc260447a0ceac5d31d27a11cf91f5e093a28ebdd22524048d4f3d4a0

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\chrvc3ef\chrvc3ef.0.cs

Filesize
884B

MD5
eafbb318108fc62a15b458ebba405940

SHA1
0c5f45d0cab61ef4fa12f13f020ca45cba04863a

SHA256
45ee3dd57aa47fcf92c09a44276de5ef1688bb0563e09206d8e882528e6de9d2

SHA512
bac80550d7fedc768522907ba72f2802ac2fead886015356a417533f9fc0e2a767b992c58010e67160b4ee071971c7cc6a5337ffb948cf685dca0811ccaa52f8

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\chrvc3ef\chrvc3ef.cmdline

Filesize
369B

MD5
f0150ae8d1553c247686842eade5f218

SHA1
d9609b1bbdcde61652ae822b3aa6fff7dd395e6c

SHA256
6b4c4c26c563fdc3465b3b81010e18e1ddb45de5c06d6c93fec188257d9c7cdb

SHA512
67fafb211105c655db2b0d88e2be470033a5d3e4b4ffc9f30d02a12c0b180e6776d793ff2cbb666afdb383002b7cd7cda07b26b48dfd93b480cc881a1af17aed

Download Submit
memory/5104-135-0x00000223E0940000-0x00000223E0950000-memory.dmp

Filesize
64KB

Download
memory/5104-134-0x00000223F8F10000-0x00000223F8F92000-memory.dmp

Filesize
520KB

Download
memory/5104-136-0x00000223F8EB0000-0x00000223F8ED2000-memory.dmp

Filesize
136KB

Download
memory/5104-137-0x00000223F9570000-0x00000223F9672000-memory.dmp

Filesize
1.0MB

Download
memory/5104-140-0x00000223F9280000-0x00000223F92F6000-memory.dmp

Filesize
472KB

Download
memory/5104-154-0x00000223F8F00000-0x00000223F8F08000-memory.dmp

Filesize
32KB

Download