f7b32c01e9b624f72dc7d1058dd491eb38b4529caa8c37af5b1f521e919c59c4

Analysis

max time kernel
172s
max time network
148s
platform
windows10-1703_x64
resource
win10-20231023-en
resource tags

arch:x64arch:x86image:win10-20231023-enlocale:en-usos:windows10-1703-x64system
submitted
12/12/2023, 16:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Office 2013-2019 C2R Install v6.4.4/OInstall.exe
Size

9.5MB
MD5

f71556138c9eb716330063156db4a6bc
SHA1

bd91945d407cbeee830c15280c8324459f0ff61a
SHA256

41ff83c380b958e918c4061c02a6077590d7630a01d7f2f0f448dc1a6fbf284a
SHA512

259642e8b2398122f00b031f6af4e79a2cea0831b4ef00c0f118f1fd28d32c92122a118921ce2af915f141273a2774ccf9abdfdc596175ac3c190e8f891c139e
SSDEEP

196608:vp1crEM65aqMLvUcm+oz3BkeBTAUW24t13Dr7m0mitn2xe7gXQZ+3jeRBTfYNCH1:hurEzabjm+4keB0vt1Dr7m0mc2xe7gAN

Score

8^/10

evasion upx

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

flow	pid	Process
3	3236	cscript.exe

Modifies Windows Firewall 1 TTPs 3 IoCs

evasion

Windows Service

T1543.003

pid	Process
748	netsh.exe
4128	netsh.exe
2720	netsh.exe

Stops running service(s) 3 TTPs
evasion

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Executes dropped EXE 5 IoCs

pid	Process
3612	conv.exe
1788	kmss.dat
4152	KMSS.exe
2852	FakeClient.exe
4056	test.dat

Loads dropped DLL 1 IoCs

pid	Process
2852	FakeClient.exe

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2988-0-0x0000000000400000-0x00000000015B4000-memory.dmp	upx
behavioral1/memory/2988-4-0x0000000000400000-0x00000000015B4000-memory.dmp	upx
behavioral1/memory/2988-9-0x0000000000400000-0x00000000015B4000-memory.dmp	upx
behavioral1/memory/2988-513-0x0000000000400000-0x00000000015B4000-memory.dmp	upx
behavioral1/memory/2988-570-0x0000000000400000-0x00000000015B4000-memory.dmp	upx
behavioral1/memory/2988-596-0x0000000000400000-0x00000000015B4000-memory.dmp	upx
behavioral1/memory/2988-609-0x0000000000400000-0x00000000015B4000-memory.dmp	upx
behavioral1/memory/2988-883-0x0000000000400000-0x00000000015B4000-memory.dmp	upx
behavioral1/memory/2988-889-0x0000000000400000-0x00000000015B4000-memory.dmp	upx

Launches sc.exe 2 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2672	sc.exe
3272	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE

Kills process with taskkill 5 IoCs

evasion

pid	Process
1552	taskkill.exe
356	taskkill.exe
2788	taskkill.exe
4904	taskkill.exe
3984	taskkill.exe

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
1232	WINWORD.EXE
1232	WINWORD.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2988	OInstall.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
632	Process not Found

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: 33	5004	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	5004	AUDIODG.EXE
Token: SeDebugPrivilege	4904	taskkill.exe
Token: SeDebugPrivilege	3984	taskkill.exe
Token: SeDebugPrivilege	1552	taskkill.exe
Token: SeDebugPrivilege	356	taskkill.exe
Token: SeDebugPrivilege	2788	taskkill.exe

Suspicious use of SetWindowsHookEx 17 IoCs

pid	Process
2988	OInstall.exe
2988	OInstall.exe
1232	WINWORD.EXE
1232	WINWORD.EXE
1232	WINWORD.EXE
1232	WINWORD.EXE
1232	WINWORD.EXE
1232	WINWORD.EXE
1232	WINWORD.EXE
1232	WINWORD.EXE
1232	WINWORD.EXE
1232	WINWORD.EXE
1232	WINWORD.EXE
1232	WINWORD.EXE
1232	WINWORD.EXE
1232	WINWORD.EXE
1232	WINWORD.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2988 wrote to memory of 3092	2988	OInstall.exe	71
PID 2988 wrote to memory of 3092	2988	OInstall.exe	71
PID 2988 wrote to memory of 2712	2988	OInstall.exe	74
PID 2988 wrote to memory of 2712	2988	OInstall.exe	74
PID 2712 wrote to memory of 3236	2712	cmd.exe	76
PID 2712 wrote to memory of 3236	2712	cmd.exe	76
PID 2988 wrote to memory of 3612	2988	OInstall.exe	78
PID 2988 wrote to memory of 3612	2988	OInstall.exe	78
PID 2988 wrote to memory of 3612	2988	OInstall.exe	78
PID 2988 wrote to memory of 300	2988	OInstall.exe	80
PID 2988 wrote to memory of 300	2988	OInstall.exe	80
PID 300 wrote to memory of 4140	300	cmd.exe	82
PID 300 wrote to memory of 4140	300	cmd.exe	82
PID 2988 wrote to memory of 4144	2988	OInstall.exe	83
PID 2988 wrote to memory of 4144	2988	OInstall.exe	83
PID 4144 wrote to memory of 4196	4144	cmd.exe	85
PID 4144 wrote to memory of 4196	4144	cmd.exe	85
PID 2988 wrote to memory of 3984	2988	OInstall.exe	86
PID 2988 wrote to memory of 3984	2988	OInstall.exe	86
PID 3984 wrote to memory of 3504	3984	cmd.exe	88
PID 3984 wrote to memory of 3504	3984	cmd.exe	88
PID 2988 wrote to memory of 2604	2988	OInstall.exe	89
PID 2988 wrote to memory of 2604	2988	OInstall.exe	89
PID 2604 wrote to memory of 3976	2604	cmd.exe	91
PID 2604 wrote to memory of 3976	2604	cmd.exe	91
PID 2988 wrote to memory of 2864	2988	OInstall.exe	92
PID 2988 wrote to memory of 2864	2988	OInstall.exe	92
PID 2864 wrote to memory of 1552	2864	cmd.exe	94
PID 2864 wrote to memory of 1552	2864	cmd.exe	94
PID 2988 wrote to memory of 2624	2988	OInstall.exe	95
PID 2988 wrote to memory of 2624	2988	OInstall.exe	95
PID 2624 wrote to memory of 4100	2624	cmd.exe	97
PID 2624 wrote to memory of 4100	2624	cmd.exe	97
PID 2988 wrote to memory of 2760	2988	OInstall.exe	98
PID 2988 wrote to memory of 2760	2988	OInstall.exe	98
PID 2760 wrote to memory of 2228	2760	cmd.exe	100
PID 2760 wrote to memory of 2228	2760	cmd.exe	100
PID 2988 wrote to memory of 4604	2988	OInstall.exe	101
PID 2988 wrote to memory of 4604	2988	OInstall.exe	101
PID 4604 wrote to memory of 3004	4604	cmd.exe	103
PID 4604 wrote to memory of 3004	4604	cmd.exe	103
PID 2988 wrote to memory of 200	2988	OInstall.exe	104
PID 2988 wrote to memory of 200	2988	OInstall.exe	104
PID 200 wrote to memory of 4416	200	cmd.exe	106
PID 200 wrote to memory of 4416	200	cmd.exe	106
PID 2988 wrote to memory of 2152	2988	OInstall.exe	107
PID 2988 wrote to memory of 2152	2988	OInstall.exe	107
PID 2152 wrote to memory of 2900	2152	cmd.exe	109
PID 2152 wrote to memory of 2900	2152	cmd.exe	109
PID 2988 wrote to memory of 2744	2988	OInstall.exe	110
PID 2988 wrote to memory of 2744	2988	OInstall.exe	110
PID 2744 wrote to memory of 4136	2744	cmd.exe	112
PID 2744 wrote to memory of 4136	2744	cmd.exe	112
PID 2988 wrote to memory of 296	2988	OInstall.exe	116
PID 2988 wrote to memory of 296	2988	OInstall.exe	116
PID 296 wrote to memory of 1788	296	cmd.exe	118
PID 296 wrote to memory of 1788	296	cmd.exe	118
PID 296 wrote to memory of 1788	296	cmd.exe	118
PID 2988 wrote to memory of 4904	2988	OInstall.exe	119
PID 2988 wrote to memory of 4904	2988	OInstall.exe	119
PID 2988 wrote to memory of 4904	2988	OInstall.exe	119
PID 2988 wrote to memory of 2716	2988	OInstall.exe	121
PID 2988 wrote to memory of 2716	2988	OInstall.exe	121
PID 2716 wrote to memory of 748	2716	cmd.exe	123

C:\Users\Admin\AppData\Local\Temp\Office 2013-2019 C2R Install v6.4.4\OInstall.exe
"C:\Users\Admin\AppData\Local\Temp\Office 2013-2019 C2R Install v6.4.4\OInstall.exe"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2988
- C:\Windows\System32\cmd.exe
  "C:\Windows\Sysnative\cmd.exe" /D /c copy C:\Windows\system32\Tasks\OInstall "C:\Windows\Temp\OInstall.tmp" /Y
  2⤵
  PID:3092
- C:\Windows\System32\cmd.exe
  "C:\Windows\Sysnative\cmd.exe" /D /c cscript.exe "C:\Program Files\Microsoft Office\Office16\OSPP.VBS" //NoLogo /dstatusall
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2712
- - C:\Windows\system32\cscript.exe
    cscript.exe "C:\Program Files\Microsoft Office\Office16\OSPP.VBS" //NoLogo /dstatusall
    3⤵
    - Blocklisted process makes network request
    PID:3236
- C:\Windows\Temp\conv.exe
  "C:\Windows\Temp\conv.exe" -y -pkmsauto
  2⤵
  - Executes dropped EXE
  PID:3612
- C:\Windows\System32\cmd.exe
  "C:\Windows\Sysnative\cmd.exe" /D /c cscript.exe "C:\Program Files\Microsoft Office\Office16\OSPP.VBS" //NoLogo /inslic:"C:\Windows\Temp\lic16\ProPlusVL_KMS_Client-ppd.xrm-ms"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:300
- - C:\Windows\system32\cscript.exe
    cscript.exe "C:\Program Files\Microsoft Office\Office16\OSPP.VBS" //NoLogo /inslic:"C:\Windows\Temp\lic16\ProPlusVL_KMS_Client-ppd.xrm-ms"
    3⤵
    PID:4140
- C:\Windows\System32\cmd.exe
  "C:\Windows\Sysnative\cmd.exe" /D /c cscript.exe "C:\Program Files\Microsoft Office\Office16\OSPP.VBS" //NoLogo /inslic:"C:\Windows\Temp\lic16\ProPlusVL_KMS_Client-ul-oob.xrm-ms"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4144
- - C:\Windows\system32\cscript.exe
    cscript.exe "C:\Program Files\Microsoft Office\Office16\OSPP.VBS" //NoLogo /inslic:"C:\Windows\Temp\lic16\ProPlusVL_KMS_Client-ul-oob.xrm-ms"
    3⤵
    PID:4196
- C:\Windows\System32\cmd.exe
  "C:\Windows\Sysnative\cmd.exe" /D /c cscript.exe "C:\Program Files\Microsoft Office\Office16\OSPP.VBS" //NoLogo /inslic:"C:\Windows\Temp\lic16\ProPlusVL_KMS_Client-ul.xrm-ms"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3984
- - C:\Windows\system32\cscript.exe
    cscript.exe "C:\Program Files\Microsoft Office\Office16\OSPP.VBS" //NoLogo /inslic:"C:\Windows\Temp\lic16\ProPlusVL_KMS_Client-ul.xrm-ms"
    3⤵
    PID:3504
- C:\Windows\System32\cmd.exe
  "C:\Windows\Sysnative\cmd.exe" /D /c cscript.exe "C:\Program Files\Microsoft Office\Office16\OSPP.VBS" //NoLogo /inslic:"C:\Windows\Temp\lic16\ProPlusVL_MAK-pl.xrm-ms"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2604
- - C:\Windows\system32\cscript.exe
    cscript.exe "C:\Program Files\Microsoft Office\Office16\OSPP.VBS" //NoLogo /inslic:"C:\Windows\Temp\lic16\ProPlusVL_MAK-pl.xrm-ms"
    3⤵
    PID:3976
- C:\Windows\System32\cmd.exe
  "C:\Windows\Sysnative\cmd.exe" /D /c cscript.exe "C:\Program Files\Microsoft Office\Office16\OSPP.VBS" //NoLogo /inslic:"C:\Windows\Temp\lic16\ProPlusVL_MAK-ppd.xrm-ms"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2864
- - C:\Windows\system32\cscript.exe
    cscript.exe "C:\Program Files\Microsoft Office\Office16\OSPP.VBS" //NoLogo /inslic:"C:\Windows\Temp\lic16\ProPlusVL_MAK-ppd.xrm-ms"
    3⤵
    PID:1552
- C:\Windows\System32\cmd.exe
  "C:\Windows\Sysnative\cmd.exe" /D /c cscript.exe "C:\Program Files\Microsoft Office\Office16\OSPP.VBS" //NoLogo /inslic:"C:\Windows\Temp\lic16\ProPlusVL_MAK-ul-oob.xrm-ms"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2624
- - C:\Windows\system32\cscript.exe
    cscript.exe "C:\Program Files\Microsoft Office\Office16\OSPP.VBS" //NoLogo /inslic:"C:\Windows\Temp\lic16\ProPlusVL_MAK-ul-oob.xrm-ms"
    3⤵
    PID:4100
- C:\Windows\System32\cmd.exe
  "C:\Windows\Sysnative\cmd.exe" /D /c cscript.exe "C:\Program Files\Microsoft Office\Office16\OSPP.VBS" //NoLogo /inslic:"C:\Windows\Temp\lic16\ProPlusVL_MAK-ul-phn.xrm-ms"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2760
- - C:\Windows\system32\cscript.exe
    cscript.exe "C:\Program Files\Microsoft Office\Office16\OSPP.VBS" //NoLogo /inslic:"C:\Windows\Temp\lic16\ProPlusVL_MAK-ul-phn.xrm-ms"
    3⤵
    PID:2228
- C:\Windows\System32\cmd.exe
  "C:\Windows\Sysnative\cmd.exe" /D /c cscript.exe "C:\Program Files\Microsoft Office\Office16\OSPP.VBS" //NoLogo /unpkey:BTDRB
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4604
- - C:\Windows\system32\cscript.exe
    cscript.exe "C:\Program Files\Microsoft Office\Office16\OSPP.VBS" //NoLogo /unpkey:BTDRB
    3⤵
    PID:3004
- C:\Windows\System32\cmd.exe
  "C:\Windows\Sysnative\cmd.exe" /D /c cscript.exe "C:\Program Files\Microsoft Office\Office16\OSPP.VBS" //NoLogo /dstatusall
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:200
- - C:\Windows\system32\cscript.exe
    cscript.exe "C:\Program Files\Microsoft Office\Office16\OSPP.VBS" //NoLogo /dstatusall
    3⤵
    PID:4416
- C:\Windows\System32\cmd.exe
  "C:\Windows\Sysnative\cmd.exe" /D /c cscript.exe "C:\Program Files\Microsoft Office\Office16\OSPP.VBS" //NoLogo /inpkey:NMMKJ-6RK4F-KMJVX-8D9MJ-6MWKP
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2152
- - C:\Windows\system32\cscript.exe
    cscript.exe "C:\Program Files\Microsoft Office\Office16\OSPP.VBS" //NoLogo /inpkey:NMMKJ-6RK4F-KMJVX-8D9MJ-6MWKP
    3⤵
    PID:2900
- C:\Windows\System32\cmd.exe
  "C:\Windows\Sysnative\cmd.exe" /D /c cscript.exe "C:\Program Files\Microsoft Office\Office16\OSPP.VBS" //NoLogo /inpkey:XQNVK-8JYDB-WJ9W3-YJ8YR-WFG99
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2744
- - C:\Windows\system32\cscript.exe
    cscript.exe "C:\Program Files\Microsoft Office\Office16\OSPP.VBS" //NoLogo /inpkey:XQNVK-8JYDB-WJ9W3-YJ8YR-WFG99
    3⤵
    PID:4136
- C:\Windows\System32\cmd.exe
  "C:\Windows\Sysnative\cmd.exe" /D /c kmss.dat -y -pkmsauto
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:296
- - C:\Users\Admin\AppData\Local\Temp\Office 2013-2019 C2R Install v6.4.4\files\kmss.dat
    kmss.dat -y -pkmsauto
    3⤵
    - Executes dropped EXE
    PID:1788
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /t /f /IM KMSS.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4904
- C:\Windows\System32\cmd.exe
  "C:\Windows\Sysnative\cmd.exe" /D /c Netsh.exe Advfirewall Firewall delete rule name=0pen_Port_KMS protocol=TCP
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2716
- - C:\Windows\system32\netsh.exe
    Netsh.exe Advfirewall Firewall delete rule name=0pen_Port_KMS protocol=TCP
    3⤵
    - Modifies Windows Firewall
    PID:748
- C:\Windows\System32\cmd.exe
  "C:\Windows\Sysnative\cmd.exe" /D /c Netsh.exe Advfirewall Firewall add rule name=0pen_Port_KMS dir=in action=allow protocol=TCP localport=
  2⤵
  PID:4860
- - C:\Windows\system32\netsh.exe
    Netsh.exe Advfirewall Firewall add rule name=0pen_Port_KMS dir=in action=allow protocol=TCP localport=
    3⤵
    - Modifies Windows Firewall
    PID:4128
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /t /f /IM KMSS.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3984
- C:\Users\Admin\AppData\Local\Temp\Office 2013-2019 C2R Install v6.4.4\files\bin\KMSS.exe
  "C:\Users\Admin\AppData\Local\Temp\Office 2013-2019 C2R Install v6.4.4\files\bin\KMSS.exe" -Port 1688 -PWin RandomKMSPID -PO14 RandomKMSPID -PO15 RandomKMSPID -AI 43200 -RI 43200 KillProcessOnPort
  2⤵
  - Executes dropped EXE
  PID:4152
- C:\Windows\SysWOW64\route.exe
  "route.exe" -p add 100.100.0.10 0.0.0.0 IF 1
  2⤵
  PID:2528
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /t /f /IM FakeClient.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1552
- C:\Users\Admin\AppData\Local\Temp\Office 2013-2019 C2R Install v6.4.4\files\bin\x64WDV\FakeClient.exe
  "FakeClient.exe" 100.100.0.10
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:2852
- C:\Windows\System32\cmd.exe
  "C:\Windows\Sysnative\cmd.exe" /D /c C:\Windows\Temp\test.dat 100.100.0.10:1688 -l Windows -6
  2⤵
  PID:2424
- - C:\Windows\Temp\test.dat
    C:\Windows\Temp\test.dat 100.100.0.10:1688 -l Windows -6
    3⤵
    - Executes dropped EXE
    PID:4056
- C:\Windows\System32\cmd.exe
  "C:\Windows\Sysnative\cmd.exe" /D /c cscript.exe "C:\Program Files\Microsoft Office\Office16\OSPP.VBS" //NoLogo /remhst
  2⤵
  PID:2824
- - C:\Windows\system32\cscript.exe
    cscript.exe "C:\Program Files\Microsoft Office\Office16\OSPP.VBS" //NoLogo /remhst
    3⤵
    PID:2184
- C:\Windows\System32\cmd.exe
  "C:\Windows\Sysnative\cmd.exe" /D /c cscript.exe "C:\Program Files\Microsoft Office\Office16\OSPP.VBS" //NoLogo /sethst:100.100.0.10
  2⤵
  PID:3596
- - C:\Windows\system32\cscript.exe
    cscript.exe "C:\Program Files\Microsoft Office\Office16\OSPP.VBS" //NoLogo /sethst:100.100.0.10
    3⤵
    PID:3780
- C:\Windows\System32\cmd.exe
  "C:\Windows\Sysnative\cmd.exe" /D /c cscript.exe "C:\Program Files\Microsoft Office\Office16\OSPP.VBS" //NoLogo /setprt:1688
  2⤵
  PID:4216
- - C:\Windows\system32\cscript.exe
    cscript.exe "C:\Program Files\Microsoft Office\Office16\OSPP.VBS" //NoLogo /setprt:1688
    3⤵
    PID:2884
- C:\Windows\System32\cmd.exe
  "C:\Windows\Sysnative\cmd.exe" /D /c cscript.exe "C:\Program Files\Microsoft Office\Office16\OSPP.VBS" //NoLogo /act
  2⤵
  PID:432
- - C:\Windows\system32\cscript.exe
    cscript.exe "C:\Program Files\Microsoft Office\Office16\OSPP.VBS" //NoLogo /act
    3⤵
    PID:4496
- C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
  "C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
  2⤵
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  PID:1232
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /t /f /IM KMSS.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:356
- C:\Windows\SysWOW64\route.exe
  "route" delete 100.100.0.10 0.0.0.0
  2⤵
  PID:2264
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /t /f /IM FakeClient.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2788
- C:\Windows\SysWOW64\sc.exe
  "sc.exe" stop WinDivert1.3
  2⤵
  - Launches sc.exe
  PID:2672
- C:\Windows\SysWOW64\sc.exe
  "sc.exe" delete WinDivert1.3
  2⤵
  - Launches sc.exe
  PID:3272
- C:\Windows\System32\cmd.exe
  "C:\Windows\Sysnative\cmd.exe" /D /c Netsh.exe Advfirewall Firewall delete rule name=0pen_Port_KMS protocol=TCP
  2⤵
  PID:3828
- - C:\Windows\system32\netsh.exe
    Netsh.exe Advfirewall Firewall delete rule name=0pen_Port_KMS protocol=TCP
    3⤵
    - Modifies Windows Firewall
    PID:2720

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x40c
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5004

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Office 2013-2019 C2R Install v6.4.4\files\kmss.dat

Filesize
254KB

MD5
f1834277ce4a0b492e2d4a5ce22f5fe0

SHA1
dbbf5fc2bdff020ec1d132723b25b535bc2c3592

SHA256
ca07e82dcf2fbe00afeacb281fce505abbf5e6d571a01f179d255ddb7e0f3c5c

SHA512
4fbf39b808271cf2659e97eedbd0d693f25ea90644489593e4d68a5658cdcf0137e5e1f4badfbe8293d251afb0fe67723fb9f2ddeeaeeae9d19a14128953960d

Download Submit
C:\Windows\Temp\conv.exe

Filesize
105KB

MD5
c9fe805fa69efa99a5ad5ec57d681d02

SHA1
6f3fe24e423daace3eeb0f4d20c51d8aa63031b0

SHA256
0e8179fc538ae1c956a0dd067cbff0c40ac261d355057be08a090371d2311859

SHA512
eba6d07a2d175cf6e3f6c6421655b4497389b7d35246847015c842baf75c9ed4284e6dcfb6adfded4fb5b82df124de80dae75957135dcd7a4408169cb4538e38

Download Submit
C:\Windows\Temp\conv.exe

Filesize
350KB

MD5
f417716abe59054c8e11c9ef12181118

SHA1
40602a971073b53ef0330b06427dca06d4273e88

SHA256
85d4cec50bdbf70bb75080387c6917109ef6032e09a138732b90cb8a164985db

SHA512
38946ea75f0bdfd1db1655d34917bbacf2ddfdfbdd36fda11ca4cd9607734791df0941ed2648aa80d415d6b9c8e128230dba7988130c231ca3b26fc15bef7f7c

Download Submit
C:\Windows\Temp\lic16\Access2019VL_KMS_Client_AE-ppd.xrm-ms

Filesize
24KB

MD5
584024f3befe3961af785ed152c37bf7

SHA1
fac4c88b563f22707a565033c2758b5e6fc056e4

SHA256
89362f24cbafeef0fe1b622452fcf673b9baa225eabac4b436d8cb5ac504b0b0

SHA512
9690f789735f2994dd39eeeda21a752af56e6b46e7fdb31715c94e53612f20f1e02d5ad687f43fe486297f38697d13445e1fa5ac639cf82974fcfdda6670a5d2

Download Submit
C:\Windows\Temp\lic16\Access2019VL_KMS_Client_AE-ul-oob.xrm-ms

Filesize
11KB

MD5
544e2832947cee6278704f439059d903

SHA1
4bc5bf83d81cbf764e67985b26019745d47cf900

SHA256
1e9699820343debdb465d225ff58636a3e8403a697708a1affe1b84e70e6ddd2

SHA512
537c2978e80af1ddf1663c456e0644d9ee54fddd9b59006465d148841795c0b63e2818d2b1a2bbc585f5f402bab250832a885fb010b9684924f86de8ca342f36

Download Submit
C:\Windows\Temp\lic16\Access2019VL_KMS_Client_AE-ul.xrm-ms

Filesize
9KB

MD5
7db672b3257a9df25e099b638acc29e7

SHA1
b76e236ce32d01267a4c060a6b6f9e14f10b2dac

SHA256
a31ce22535dafa80e128dc7ed81aa5e88144d0100ed428285a38c6656dbd250a

SHA512
051d7f129deb80da273e30ca8f5edc23287537cf4070c2f117f2e086bceace0c17c2cc7c3c05d66b3e334cfd635214971db15f195b7f01956228adfda03cde67

Download Submit
C:\Windows\Temp\lic16\Access2019VL_MAK_AE-pl.xrm-ms

Filesize
10KB

MD5
e4d8f6bec30b0d047f6b111df1869807

SHA1
718d4fffb45d6b291278a34d78e348499045014e

SHA256
3ca0d0cac21846992878f67e02cc168140313c99df6f318c257c7cbf7f0b7146

SHA512
fd1f5a0d610a1c0061a6d52382fa7b5e159e4cf0e127cb5b4be1eb22f0bbdfc670dcca5e7ff1f9765b973738bb7629a8f6847da11df5e5d599b0cc302b57406c

Download Submit
C:\Windows\Temp\lic16\Access2019VL_MAK_AE-ppd.xrm-ms

Filesize
23KB

MD5
0a237de618660baab962bedffc8fd046

SHA1
bdedbf3534aa5b6256d362b92b57cfcdcc2018a9

SHA256
78627319efa4798d02d8401ba9e6eba87966038ea8e6babfbc63f68a56aa1d21

SHA512
c25365b0b91d31361724289f15b6c2a44e1e72c3d83b3e21c2953b8e9db69ed56e7c67f9609aa454df0df767cdd126a9e724cea5c60f4bef0eebad67f5ea6307

Download Submit
C:\Windows\Temp\lic16\Access2019VL_MAK_AE-ul-oob.xrm-ms

Filesize
11KB

MD5
ec809725ce50c3eaf7921122e60c67d9

SHA1
6440c106f0b247624f82d30a850a336d1d2ec00b

SHA256
14404a134f58d4c71e15ebc7738c40db13131dbae2b700af4abd966e4723ece2

SHA512
afe8601e972db5e6d369fb525e06af0d50ec286ab75d44d2c179a1b10fa65c2b0d6a334387c5f478544afcf6d580d72d7e16b11877febd9c856d06b19fa57ccb

Download Submit
C:\Windows\Temp\lic16\Access2019VL_MAK_AE-ul-phn.xrm-ms

Filesize
19KB

MD5
0c8a6cabf21e8a8e4510f125b20c535b

SHA1
a52fe03ae19d6f6980deaa6722aa39bb0fad6d4e

SHA256
26cba3b77a293653b77667275a9e4a53830c6aaf11f6854d1f1e03d2f2d952d9

SHA512
ff33c414fa0b747b5d77b6c9133480078945c905c4a671fe49f4e99a90433e7f631346e4f9c766543296ca381c2ea1031dca343f05d23eab2c691524ba6c163d

Download Submit
C:\Windows\Temp\lic16\AccessVL_KMS_Client-ppd.xrm-ms

Filesize
7KB

MD5
6de779c0f9374c0b197cd26f9849209b

SHA1
e54337193b92bc292032d2094d378341329513f5

SHA256
6ed2f2177e8ae7f008884c991fde08646af88d27706909052f2ee1c2a8f47426

SHA512
ff1df609f90bfbd626db0215478236b1d3dd98cf9fba3d6d137c42733c4dd342ed27e832c526cb5b88302b3095a1c30337810d56b9dbe76f4170663b963db0b8

Download Submit
C:\Windows\Temp\lic16\AccessVL_KMS_Client-ul-oob.xrm-ms

Filesize
11KB

MD5
b79828aca02ed3e4da195269421a08f6

SHA1
2477206cd43715fe7f4cb3f53d2ef9fa4047fa48

SHA256
c534a11c1caab9b0c52030b5f67372e095449fda6fdcd94bcb65eaab65a6ba9d

SHA512
649b801a271afdf949ad3ac1ae7df9a0795dbf876b2ebf2d7d04d7f7ef7ff5b222c67276492b67e3be0a7cb817774e42e9ebb89da2995b2251d663e44beb83b9

Download Submit
C:\Windows\Temp\lic16\AccessVL_KMS_Client-ul.xrm-ms

Filesize
9KB

MD5
0e15330f434889a560ebb49c7fcf3f53

SHA1
997a8a925e225b67e3f9ae139509df7f0abd627d

SHA256
59d6237fb75e986299227c9a5397c5ef3e9821d963fd6058cfb7bd91269f8dbf

SHA512
cf90609b1452488d76590f4cb8f9eabd2b352d9ebcfaf4e7985cb2a86a78b080650cabc49e3cb0e58d5dbc1b02cbc21f03c3a60bdbe68aa968d23662b9072e03

Download Submit
C:\Windows\Temp\lic16\AccessVL_MAK-pl.xrm-ms

Filesize
10KB

MD5
3127d49126e34546c0efe9e1d5960bfb

SHA1
a613dd6470ec8983f7607d17a2ef6683d998016d

SHA256
d4842512f0c2e74de2461216b9d0c84c6d97024b059368460982628af8c225dd

SHA512
2948bbc8fc71b6978bbeba810874e9b0547a505048e805deca68e4418a3c1bd584304bdb45e7d9703978c530be69acd2855c5b10366fce6e9edea5a36687645f

Download Submit
C:\Windows\Temp\lic16\AccessVL_MAK-ppd.xrm-ms

Filesize
7KB

MD5
9d730ad0f10c793c436fa96163405399

SHA1
4a6e086480ecfa1ff953823191775ae9ffaa931b

SHA256
865934c9acf124c247964deb213a3b2dccd7996986db0183f9edb36208f92496

SHA512
11c1d3874260270626d881adceaafe441c40d47952436b4775cc2f6153b1135cab76b0f88a7d543bc4502a6cecd07ac043ccfbd3906a62616b02a207222d5b3a

Download Submit
C:\Windows\Temp\lic16\AccessVL_MAK-ul-oob.xrm-ms

Filesize
11KB

MD5
d177b08b679422b8b669851399346369

SHA1
63232efe689309ef91e62671cdc7194187909adf

SHA256
04a2864c7e80334c0f1f318e2e89f8eba7cea4026e0d4ed2a0840c13e35a9ec0

SHA512
1b4b7259bb618802b52df9aa3707c57d447168a6fac86589a561a89c9c29e08b1cc194cf00a1d968f6f4c34a45db441d3d669e9d43ef2c505f918dafad2fe51e

Download Submit
C:\Windows\Temp\lic16\AccessVL_MAK-ul-phn.xrm-ms

Filesize
19KB

MD5
acaa48a604dd26d73593e97b0aa2fa40

SHA1
7d180b72f20b7efbb58a78bde9e947a6afb3b64a

SHA256
e1649e8f3a2bed3966d79bd948af7972540807fc18dd11d3b0bbbc9e0a461bf5

SHA512
8ba440044b649d0872210e54559ba26aecb2f4bfeb90564c793058220fae85f1fc856b1b8685ad6f01f525174dc6c8654dd623c15b2fafaf2c6f69210bf2c329

Download Submit
C:\Windows\Temp\lic16\Excel2019VL_KMS_Client_AE-ppd.xrm-ms

Filesize
24KB

MD5
a3a28b8ab3285bab54baea2c66ac5e11

SHA1
4df63a46e7f60437f69c3d5fbc20308671447a76

SHA256
9efc16886f60e01cc943417b11b171a0c0d162156c7d05f0ee7b6c9d0383ccd6

SHA512
87c7fbd145f566724717f8a62b44b26a15308c057b41a6df477b65d04018da08cad9645f708683858bdbb44f4dde59fcc9538ce1f496e0290f82b706762352d2

Download Submit
C:\Windows\Temp\lic16\Excel2019VL_KMS_Client_AE-ul-oob.xrm-ms

Filesize
11KB

MD5
35acc4958c7e0b55b5c0917e55dfdfec

SHA1
49424ace12e762d309c31986cfe4e15006d3ebc8

SHA256
52ddde5a2079cfb343b6821a24e9a679d8bee64cbb0904d09d80a7cfa3dd0c9c

SHA512
c3f4468a38cf12301d57b80e646726396885af58d39a890ea1c7ed793c0fe9dd797ac53a6ebd24c822d64565b0d0b74410e6b6b734e9b9f5080eaaa96699a36b

Download Submit
C:\Windows\Temp\lic16\Excel2019VL_KMS_Client_AE-ul.xrm-ms

Filesize
9KB

MD5
35a5249626cc33b3e586aa72f9b97744

SHA1
61aedf75ae04c7c2ea9a0bc6d1f23488fa4f11da

SHA256
df43537cbb512f51212f4acb69c09470953ae92b06a5679d9c55df2342181955

SHA512
9cfc4670551a81418ef03286a5b5c74e5f0f7bfcb59adb19b7238532eacf119c366bb00d842f256e16491a916463dd4d583a514fd2874ecbccec27ae1a5a4ca4

Download Submit
C:\Windows\Temp\lic16\Excel2019VL_MAK_AE-pl.xrm-ms

Filesize
10KB

MD5
5875bfc091adbfe2c7d6ec34391593d3

SHA1
4a8703e381d3da2628e95795483d6f8ed01ec802

SHA256
4726e2675250a52e2715724e9aa666a2b1024888a9e9aef0f83cf68a7dae5bd6

SHA512
3da41f82f7e778a1261d705a1f29be4dd747318a004ea26a9a91d947d0e6a8a7117aa9fe535eeda8685a61dac5e6370e8cc4f8251b6cdf10681907416a963359

Download Submit
C:\Windows\Temp\lic16\Excel2019VL_MAK_AE-ppd.xrm-ms

Filesize
23KB

MD5
e3a607a976f12291e2015eb052b71899

SHA1
ceb2a84548661df3b301de801b455e3944f3b513

SHA256
32c8508487f2b29c1b6fa8d223ea302fd2b22040901b4797db0fb0c318869afc

SHA512
2608af84add933ec2ce47de061aef5cefd59e2b3e5d434d0170951d48fe39ad81f23ee7b492d18c459170d1259eb22a77293d0a076f13c5916afda9427335a3e

Download Submit
C:\Windows\Temp\lic16\Excel2019VL_MAK_AE-ul-oob.xrm-ms

Filesize
11KB

MD5
ceeec1e103d553c87628ff845aaed518

SHA1
c3f0266c7225754aeda7f8469aaf401c8f58bc06

SHA256
adfba85e9ee648f776234eb1e56612c8788d418b0aadd2fdaaa103c1d614ba93

SHA512
5f85bf75f8ede207e138f81998feaab37d322d916a2ed65b726af25c9b6b3772938113f371b03a4b59622a1b1d6f93846f2fbabb1d23cfe762f012e704b9afd3

Download Submit
C:\Windows\Temp\lic16\Excel2019VL_MAK_AE-ul-phn.xrm-ms

Filesize
19KB

MD5
8ed49eddfbe7300f7cdb52fc14c562bb

SHA1
8e6fb6344a3dd73674ec4edc5d0f610b421b4269

SHA256
2456bed9885694e79bbd1eec0a70bc88d0405054706cd3f498482e68445c7b26

SHA512
1ff8ee79adaf35384784d07d0ec97ac248aed988b951fae117fb7b467323f3d1b46f1756333ea98a60ee15144d440fbf9fe779da2e57c4f8bd3f61492eb153f2

Download Submit
C:\Windows\Temp\lic16\ExcelVL_KMS_Client-ppd.xrm-ms

Filesize
7KB

MD5
9e8a02c1ed70aba05616b733643ec02d

SHA1
7cd4f1068dd4b276fafa1f95c9438d7fc9a127a0

SHA256
56088ce6dfb798d2641d03b522e74535ec85c31f5d90e6a601607468df0d91e5

SHA512
6fa0af5ec428e6ab6196d1010b0a9e7d7a5c9cf73410086af6ae68ecc86995a9437f5eeee718680fe76bf7384829265b2d8735557edbac40dccb43c577b0a0ea

Download Submit
C:\Windows\Temp\lic16\ExcelVL_KMS_Client-ul-oob.xrm-ms

Filesize
11KB

MD5
df8526d9792aaa4f4e859991dbccabca

SHA1
87c35fcba9aa592ae4af3950c84c09fcadcbe9d8

SHA256
d6855c16acba789c35a50af185cb8ee83c8c1b08271d64220028f3066c3f2caa

SHA512
66f6605f71efb44b603865e7e4a80c2fc7f4568fd5872ba2d187f312aa2db7340d2f6e3ab4df1deaae17e314cb76df2dc84d49e15a0b44e2dcd010f7441dfd5e

Download Submit
C:\Windows\Temp\lic16\ExcelVL_KMS_Client-ul.xrm-ms

Filesize
9KB

MD5
2a593dcabd7ab2b821f44dc1ec90e1e3

SHA1
b24eccb65eb8cbf5135afdf878752185cce68737

SHA256
bd0383ee51c715f556889b52cc28d920e63ab630089d28ab1103a4c2641d3df8

SHA512
fd30161ea6c4105ff81ba4ae450e8487c4db5ef6e6ba4101a9d3462e20c9f1ff8108a0df9910d550380b8c08dcd5fc0a9896a0934f6d8b817084aa8fada3af64

Download Submit
C:\Windows\Temp\lic16\ExcelVL_MAK-pl.xrm-ms

Filesize
10KB

MD5
f927933219b343f04ba512277ae3469c

SHA1
f8a9cb428969e721eb35114df1de3a57e740c787

SHA256
c4eb0d516fc40acd7f84ec1fb5816b984260e72166c03e90a0c50b43d5f5bccb

SHA512
841e545fdae2f56fb95aa669319ea78247a6be6af1e70bfde02646ecbd1b5c7c023f41b4e8a6c39adefdbf5f421d652b728c4298b7e7abcf222a95000a6ffd88

Download Submit
C:\Windows\Temp\lic16\ExcelVL_MAK-ppd.xrm-ms

Filesize
7KB

MD5
ddb6b0597eddf0407cba2b573a0d1db1

SHA1
32cf19217f1f6156b2d1f11922bf81fddba46dbf

SHA256
3537aa100a6318e39de73089484d69a83ade71a11aa6af108f709001e2e0fbe5

SHA512
13cf897cb0dbe9c19cc5b1116e521c597893d5621f946fa6caad492b735dcd648bc54743e37f4a386ba12ac7f4d148e0208b337032bd68999be4181d2de3a985

Download Submit
C:\Windows\Temp\lic16\ExcelVL_MAK-ul-oob.xrm-ms

Filesize
11KB

MD5
6e18a4cee34709a871242ab742eac1c1

SHA1
6b9943c8af9d2a4cd42acab146f1429ec2ffecda

SHA256
0a7ec2ee8227000833366b2293b982b6051ce55d05fc7c4478597d78e8e56458

SHA512
35f53993325aaec8213aa8bdd232dff3153129c2deff816efc9abdfab3b858d32579bf08440ba15966bfb0239a56de31774e966106de817b248a598fd770a86f

Download Submit
C:\Windows\Temp\lic16\ExcelVL_MAK-ul-phn.xrm-ms

Filesize
19KB

MD5
c11243b185136190856dc080b7fb448f

SHA1
57c27e82be03d013bb11ce615956cf53d8c7eea6

SHA256
cbe2dcad3323a0b3597671a52084dacfb4d005cc14537f2af5d19dd6f979260b

SHA512
449c82775b29f5213bd225ac29febb2dc0d951d84ca67b53a28b0f378dc14a3e8f01349f1cf7bd811789b41fbbc9a6098c38ea57764b9bd965a4375d4947749c

Download Submit
C:\Windows\Temp\lic16\MondoVL_KMS_Client-ppd.xrm-ms

Filesize
12KB

MD5
e0a5aa8461ece4cd42c8ddb9c5990bc6

SHA1
f82317a705e440032f649bf62346357f8700f6f6

SHA256
3344d42494c537e0feb8c7d7ebfe4f611cba51682a3aa9123056e93720ff48d4

SHA512
20440a1b815a0e9a28f01fa89c52eb7a16507def1214c231a61f1b9d277b8a430d60f12e630da0f0feb3179df36d3e68d97492d076f12a090b5566686f7c2786

Download Submit
C:\Windows\Temp\lic16\MondoVL_KMS_Client-ul-oob.xrm-ms

Filesize
11KB

MD5
8ca9d74616c5f71da60061ae17197871

SHA1
08ead1c8a256de90666609e84fe33776c166eb3e

SHA256
5345927c2a89ff8028cb5028afe73b79bd9d42676ef054882a6d1337c39a387c

SHA512
4b776c47c266230ea20fb7b6970bc94cef031420eebf7f5fe73d32bbadfafaa3c97f5238350715dd6a416b075ebd577bf07aa770654148ec9fad61b059025a86

Download Submit
C:\Windows\Temp\lic16\MondoVL_KMS_Client-ul.xrm-ms

Filesize
9KB

MD5
6cdaf046665a94ccf11e696c9b0f896b

SHA1
0677af9dc7afe13efe4d09689a9a3cca3fd73d54

SHA256
fae4d9e283f8c7ca54a11892ea9589e8d043906694b4fe48929edb2811fcd236

SHA512
0d5161b7f20414d8dac3cbbc92ba81073a2b23981b513226fed35a4ec34b1c60930324336e02fc85a2b63c393165c899d9d87a2940a4f5a09ffd98428534f567

Download Submit
C:\Windows\Temp\lic16\MondoVL_MAK-pl.xrm-ms

Filesize
10KB

MD5
d143b157b56311b89370bb8538239c9b

SHA1
2a6e9b81d813c0102a6ab7bcf67f6287739b4015

SHA256
b33f8b7ec2a4a8520fc9f81b7db26d8cbfd9ad76fa61f83d3908a4cefe142b09

SHA512
acddc4eccfdae09a099481313bd5c205f50940c088e3f07cd6d275ac4f1d3c6080e84d0a6382393cb67a0efa30168635c058d69b8d18fc1de01e0b445c2aec72

Download Submit
C:\Windows\Temp\lic16\MondoVL_MAK-ppd.xrm-ms

Filesize
12KB

MD5
3a8c0b2311038cdc1decea07f56270f6

SHA1
38cb6042557fdccf775adfdec626e9624883ad27

SHA256
8615b8475c0a8a5eb0271537deed007a80c6c970e5390dd9a2700ba9aa725ed6

SHA512
0d2f01ecd379da6bbe46300fe571f93a91809395e4237101fa45a07945fa1e49505d83d9caaa2c9a89f5296eda729276ea2eaed9436e9f570aa188600c4c8efa

Download Submit
C:\Windows\Temp\lic16\MondoVL_MAK-ul-oob.xrm-ms

Filesize
11KB

MD5
11e5d8249afb336ba219f20a893d8f75

SHA1
0ca6b5beba6a34767a7bcd5583c8bfccf6dc5fe0

SHA256
889787e344d6bdc202636846e5fdb6fbfc07aab562a5c6413d227c11adfc59aa

SHA512
4ca95f433dcdaf5a5a21caedd15f011f88f84ad6b393d9581abb18a579f209aebdf31cc957f531de28a361ab350a96a6c33a702dec3ea265dde761fb232a2b38

Download Submit
C:\Windows\Temp\lic16\MondoVL_MAK-ul-phn.xrm-ms

Filesize
19KB

MD5
514709d30e82a45fd45679e0d7477267

SHA1
268a72b12964eb92e4ec5d6042c004546207d4bd

SHA256
47862b03d0e8ca61a14efa1c2f65a7216c1ac3df5e3fb2422d9a04c0a170b9f2

SHA512
5b1f4afa48eae6298c6a402f348cafdee456c214cf349ab7225ad35b45582c366f8c151e53deb2fcf00f71035fd41a1597046098c5c9d71a058ccd8580e7cbbf

Download Submit
C:\Windows\Temp\lic16\OneNoteVL_KMS_Client-ppd.xrm-ms

Filesize
7KB

MD5
6c347714cee9020257237728f721606e

SHA1
0e5026a837c46ced9591f4aa4f60133b2f2abc69

SHA256
9d046cb46e1446608e4b5969d87ea843727e8276eff52de1033193260dd18fa2

SHA512
1d8d23bf00901b4d063f861e8676ae702ca075fea6f6b3d8792f2fdc4eb3bb50808f0876155ca6954083dc4b6edbdccd32872754356ea7d253def830e25ca799

Download Submit
C:\Windows\Temp\lic16\OneNoteVL_KMS_Client-ul-oob.xrm-ms

Filesize
11KB

MD5
3ada925b525ce0b1349613289fadaa7b

SHA1
a05a879d7bb8ff2d350856a1ef6123b349c906d3

SHA256
1b1ecb03d49b95ed028a230a8d9cbcb3696cdcc5912af1040119cfc4c94772a6

SHA512
a4a0a4fbe6527efc605198f0690a747e8ace5745d14dcb0600780cab24961cc2dfff069a90a8fda818f8a2f10f68562aa9a84d6f20f66b80fc9560f65409dcee

Download Submit
C:\Windows\Temp\lic16\OneNoteVL_KMS_Client-ul.xrm-ms

Filesize
9KB

MD5
69f760b39ea366744aaf820fb008c69c

SHA1
660666cebf6e42488db998638607a9a08dc3868c

SHA256
14e9f4ef7827488ea0228b421a68fc7405f1acce97f01a5c2c0358fd72a5fcf5

SHA512
fe26952f79d7650f5079e27473347701b15d4077e3de7bf40a154a67ba9e6a056c56fa65bfa5b6739be08a803d4019f57c7e98ae16c5696de03108097bc24ac6

Download Submit
C:\Windows\Temp\lic16\OneNoteVL_MAK-pl.xrm-ms

Filesize
10KB

MD5
a16b445d8e2c0e37ad0fcf8af260127b

SHA1
3ceedd6cce925135587b0e869744a5225e3acc2d

SHA256
84e715d70bbe9da18f8d6887beaf6212ad34d3cfd22adea0cc250758eefc6bb0

SHA512
a920f781f453bf97b51e449c328a61329123739dedfaab02196a80e2aed0bd99261430f475da7c3dc2c3c265eb59857690ccc1f77be0cef1b9c6dadf8a48a084

Download Submit
C:\Windows\Temp\lic16\OneNoteVL_MAK-ppd.xrm-ms

Filesize
7KB

MD5
ee0a3ab17626dc692aae634ba6e472ce

SHA1
dd3cd68bf2d07a1686d2e6722f341d75a59bd971

SHA256
2342f883a614af8600135b3ff578d704c7e71c5725f8f85932be0427e402559f

SHA512
11c52bbb7946d9b6c5d76d854cb4626ef282265be36de40cc63df4f6ec5d8eca61e3b5cfaddfb66bf28859ed5c1f3fd579f9adcf7d376790520ab6f97346188d

Download Submit
C:\Windows\Temp\lic16\OneNoteVL_MAK-ul-oob.xrm-ms

Filesize
11KB

MD5
ea43c00ab8c6784241b381858c44cd1e

SHA1
126c9113d5595db097b0c36ec8eceb6769d8c2b4

SHA256
b5b0db0a5ca375792865e729d88a3730c7e1ac1be4dee101fbb6a225ff6c1891

SHA512
004f0cde21ccd78458f5d5bbaad592f72b5a6f8e3e1df9047e23afa28c0e631fdd7665619f2c6562c729ef1c585e2a972b7ae3f35cb5b892727162342c5682a7

Download Submit
C:\Windows\Temp\lic16\OneNoteVL_MAK-ul-phn.xrm-ms

Filesize
19KB

MD5
6b0b625ada11c90079bb9f9e43cac508

SHA1
a2003d565675b4e062ef97a239dd964427c86f65

SHA256
deac08c57ee413d44dbe0010af1f5316680228e51f7417604353479150cbac04

SHA512
1cee566dd7b7025d0627aa6bd5a976d1ef751a244ec9326594ee8ef7686312baabef33acf0a3b1089b7e82105cc9a5f276955a6f427e15bf47a077ccae1ece06

Download Submit
C:\Windows\Temp\lic16\Outlook2019VL_KMS_Client_AE-ppd.xrm-ms

Filesize
24KB

MD5
12279774d7d77ce5ab016743f1cc98db

SHA1
439a96f9696e68518f3a5e4ad184e025e8a48c74

SHA256
dfeb3d6185b06b6341bb40d6741ea85a24af8855ed0806aa5d4377b9518821f8

SHA512
7593a824c651728fd48b3c330caff4d8f4157109b659659e68d845b87da9621a44a2fc4a0d103a722ffb60a017ee0cc77d9a4e57404e9daaa062fcd7272516c1

Download Submit
C:\Windows\Temp\lic16\Outlook2019VL_KMS_Client_AE-ul-oob.xrm-ms

Filesize
11KB

MD5
ea75944ff902d4a32e222e9ec9a8eb2b

SHA1
a0fefdce94e867326d2ae59baa11d2727fb9f0bc

SHA256
818963c5f78779462987553b544fc713812fb25ef2331a095fab9f86c4b5deec

SHA512
c2cf9ff3762d67d9f66f7cee589cc6a93ce3984b5b3f898875d79065dbd437f8beff91f4d0b394d2a8868cd531a9776aeb9baac70b8d8ed5a4964bcf3442a508

Download Submit
C:\Windows\Temp\lic16\Outlook2019VL_KMS_Client_AE-ul.xrm-ms

Filesize
9KB

MD5
d4b02590a965b1701e4dad12ad3b34ab

SHA1
8d5c220f4fe86ff70175312a5fc0c998ed34de8a

SHA256
8d701384d9907a01af22ad32c254f3ea774541c7b15e44110efb05ee81af77c7

SHA512
e5f355e50c07a2459501b9ae723cc3b183b6fa7a9c1fe7505319b9f0a522ce44c177edee4ea2d9a7ef955fa9182aaa1bf7cad9bd27823ccedda7ef8e8f65e22e

Download Submit
C:\Windows\Temp\lic16\Outlook2019VL_MAK_AE-pl.xrm-ms

Filesize
10KB

MD5
d8f72ec9b9d4e129d5196c379810f687

SHA1
cc2ec39b5255d732689f683b940da603c48ac562

SHA256
e49fa78f794104e30fb2845e9e02dece781a0e03a5f16894c70cf2195b4a8dec

SHA512
6c5691c7a49687c3951ef2623821871afe8e024f0d1e4af7b427f8a28b2926d15bf8a2a0992fc1684e3f7a0a63b7cf49e7dac2131a7a9be70e815dab9b287463

Download Submit
C:\Windows\Temp\lic16\Outlook2019VL_MAK_AE-ppd.xrm-ms

Filesize
24KB

MD5
7336c5ea45404561ca1f0eba849d738d

SHA1
19a42e5d89c9aff95902d79061f59bc045ff4bf3

SHA256
392b0d99bed9de2279a3c2a3650f453ba942c525a3d0e51f7b336b52ac2b5814

SHA512
eb4ba417d812c522e362881924ba4301dcaf75478aa0ebc6f5ddd6b9b1c9eaece99eafc3837acf49446aff690afcf6d6efada6a1a0ec8ba77daa329425d0adc5

Download Submit
C:\Windows\Temp\lic16\Outlook2019VL_MAK_AE-ul-oob.xrm-ms

Filesize
11KB

MD5
facc91fa28f0d0f58f35656a25d00797

SHA1
b3f583b8348e65adbb62ade757a0778c161b6871

SHA256
26f8b4f59a3fa88705b9c92cc7072cf1f1ccb9e8270a7faa20c4ca1663ceb3d1

SHA512
d1d4e0e2754b4b3c71b6775531cecc3895713d5494237334f90632925735bc914cdbe17c88b93c9bbc5e31682a127630949a5457c0f025cf8c448c61a7958853

Download Submit
C:\Windows\Temp\lic16\Outlook2019VL_MAK_AE-ul-phn.xrm-ms

Filesize
19KB

MD5
2c9ae9458e66f839abdb20b55daebb2e

SHA1
6b75da9ed1f6ed90e1a05ddc5911f21a81740069

SHA256
cab671920c553eb7b606e92b1c0d23070d2123652a03c302890474fd2fe00c36

SHA512
41b62f6da3a93ec107eca9598a2220930e4834ba0d4c3150b78693dc046e95bf6dd9e117d4dac755de7b7d75fca66d737f8d716b41e1a7834f66f9dd4a8cb457

Download Submit
C:\Windows\Temp\lic16\OutlookVL_KMS_Client-ppd.xrm-ms

Filesize
7KB

MD5
1449da40fc9419d2c909e222ebe5e901

SHA1
106415fd6828ed3813b50b5618307740b71e03ba

SHA256
384c23d93769bbcc99d73ae680617f79aa84046db3b6485977000a9698d188f8

SHA512
8bdfd5d000148b230af855cb5fa2e46824e595e15e69305ed9b312d1eb6a217a2bd8c1294de51c4dacc4f4519601feae93056a8f0ad7587da4bee5cd601cd0ea

Download Submit
C:\Windows\Temp\lic16\OutlookVL_KMS_Client-ul-oob.xrm-ms

Filesize
11KB

MD5
93b5f021784d16ea33fdc09cb2abda83

SHA1
c7f0fad9a25fcf4d84ab439f0a77b64257cc9318

SHA256
cdfd86a37847eb2b3c27089caa1cb14cf1feb12a36d547014b3d5e83341cdba3

SHA512
91a6f796515a61bc1511715091fcfc201bc2976080d3b49eb7b281e5841bba3cac542284d370a57db1e1ae2b6d40b55e921322f12ee980862cffc0cd965c7e28

Download Submit
C:\Windows\Temp\lic16\OutlookVL_KMS_Client-ul.xrm-ms

Filesize
9KB

MD5
2ce47d778c83a1452a0960d6a0424f2e

SHA1
a431ac1005cf138a0c25fb7c5c4167fb6fa9a626

SHA256
8c899dbd0e060e7f8e1280b09cd8d19385b2a36ef6ee88cce81efd54deef1f73

SHA512
4001c793735df129e97c4d673ea8d358855d6f1b4bff2f4d8d144b4be510553a6e3feaff7751d7773baef19a98d3a9d2ae7116dedef4f6736453e7811d44b808

Download Submit
C:\Windows\Temp\lic16\OutlookVL_MAK-pl.xrm-ms

Filesize
10KB

MD5
2786ced1e268a6d8b36f3717f70f79c8

SHA1
267d2bf31d56a6d0677b0dad3a38ed39548c28b9

SHA256
3d3511424d6b93530e03df275b00eb0f8ac770d8e7b15b90e5c0c731dedd63f3

SHA512
b612ef7fedc5dfb9280a96feb689fe3b1842e975cea6f7986c0e433496c84c9fb6223d223bf376227ef5cee655d09a26c4f50e9d7ffe653b463f6f86089ca713

Download Submit
C:\Windows\Temp\lic16\OutlookVL_MAK-ppd.xrm-ms

Filesize
7KB

MD5
9f1fed77253ea60e2a6b154a07ea998f

SHA1
b051331fa81b604edb0f48993fb9815180701d51

SHA256
1d336af623ca736c73f507338b38f22e8b61b9c1d3303aa91c3e63a0e527aae8

SHA512
42225bcd2dbd1a399242f80a1779db8a162d63868ffec692eedd15fe7d49f8fccd573d62806a0a5be15fd0d3f697e431b7865652240e3c7236bc0b43471a3e84

Download Submit
C:\Windows\Temp\lic16\OutlookVL_MAK-ul-oob.xrm-ms

Filesize
11KB

MD5
2f654d3c42113f6c88f5fa8efd798f5f

SHA1
bed582f27844db56c6fcf879d5c5c58422ece5c0

SHA256
244cfca284cdb61e13139d6d8a4a0b8e2a130f5dfbff6e3f9b5d25622a2cf9ff

SHA512
dcfabb40fd99612fd61021cff24e24d6b772867bc6cc4dd68d1d173fc2cefa33e52a1248033c46de4406a51c2363411888f956b1b4c83c9aafb8494de201513f

Download Submit
\??\c:\windows\temp\lic16\proplusvl_kms_client-ppd.xrm-ms

Filesize
10KB

MD5
d493ecfe9d960483f46fc9d5084aa47a

SHA1
28585c715329948e9fe84d66ed6c3b25743b1449

SHA256
73a7edc93425f9be58a82eece36bb1573d55c8f171e1cffc7924d2ea727ae50f

SHA512
ece85980659eb23cdfac234c3b68cbdcc5ba1c05d517f1f9af0f893039e74c2d1edce0e45657d7dea134d65a99b460157741afa526a9e1a1386324bf7e6ab1b2

Download Submit
\??\c:\windows\temp\lic16\proplusvl_kms_client-ul-oob.xrm-ms

Filesize
11KB

MD5
ec1a0f10da040430008cc4c459cd53db

SHA1
09d96f0fe82d55961aec6665bd9a7842e054934e

SHA256
dd5d0488758a177e6c967fb918e446c321f3192c7def48e5cca20eb5550d8ab6

SHA512
788ccb071d32af526aba71c9be9baa2880b9c7fedad796a3d8bbf0ffa9a799128bfea4d0321beda2bff93bea951c7513bbf5cd78ca3ec37542abaf20547ba8b2

Download Submit
\??\c:\windows\temp\lic16\proplusvl_kms_client-ul.xrm-ms

Filesize
9KB

MD5
5383ba68ec40f3444c82e528c2281d58

SHA1
7dbbb5d7fc1de6c7679461e402ac8cb0dd6e7c60

SHA256
d0f65489e6d95acf0f0b9fc2c718f218b8f5e3ff186a79e75fd992806c6fe39a

SHA512
6436660212a24ac577de0d95a356de9ea49571402a3c429e537d4f79bd9a3bd927251e04b2011e900ba55c68715db77de2619d76631538dd38dc5f60b5c10ae4

Download Submit
\??\c:\windows\temp\lic16\proplusvl_mak-pl.xrm-ms

Filesize
10KB

MD5
a2794b102ec1e5aefbedb54a6feb728f

SHA1
d2143f4478eb4f0b549e4a30588a8a176b322b36

SHA256
c043916ad4ad73f922fbf02e31dba1ef5e0da51e17a6a08b7b46b4343c32f81c

SHA512
855aeb483129ed6785ceef03f35749c9aa409ec794e23d1749f7a541eb6ea16d6941d03157c44e1d6fa8911fc2a13c261819a231bc83ae02a817d7d17a7dfe11

Download Submit
\??\c:\windows\temp\lic16\proplusvl_mak-ppd.xrm-ms

Filesize
10KB

MD5
a91ae183cb367611a972e1386c49010a

SHA1
70c0a98117d97e4564ca7bec1ec1d096eeebe8d0

SHA256
025a6693cae4a72deaa5dc6859271e75efb7244a3a373ee2f456ea2f7d33b66a

SHA512
fe4cd56d78d3371c96b09f8763ba9358fdf5960e8e957d2aff40a023a44c29ec72361b7edd08f7b6843ac9788a8a2e42a3fc59c83e1da878ee58378300a27dd5

Download Submit
\??\c:\windows\temp\lic16\proplusvl_mak-ul-oob.xrm-ms

Filesize
11KB

MD5
e598186cb4281e1f672ccde477304e96

SHA1
b3e688df023f65914509f655bae5ac247c211dc9

SHA256
31405ad6a487cf447265868a8b807be5bd68637f68a69d931c4acc1c5057c249

SHA512
3d29ce01195cad88971c09bff53c2e666e7e5ff6549e130df1738373a72e2044587a198fc74fad2031614608301a173519837a27d9375f4140b5cb622a0a6f5b

Download Submit
\??\c:\windows\temp\lic16\proplusvl_mak-ul-phn.xrm-ms

Filesize
19KB

MD5
da103a4e771d93fddc35e51aab6447b3

SHA1
bc3742e09e8836c407595225ffb1fa355491ef4d

SHA256
2970659112c293d8cefc17cca1b290285ce07145c64d1b8e698707d5eff01a7e

SHA512
1595544130f70c3f1f9b884b564dd929df5d0b7adc12694231c089fc6688b1b04e8112801974304ca8ac4d3b502f2543259c62e2d08a09660c80812fb95e403c

Download Submit
memory/1232-635-0x00007FF9D41C0000-0x00007FF9D439B000-memory.dmp

Filesize
1.9MB

Download
memory/1232-624-0x00007FF9D41C0000-0x00007FF9D439B000-memory.dmp

Filesize
1.9MB

Download
memory/1232-877-0x00007FF9D41C0000-0x00007FF9D439B000-memory.dmp

Filesize
1.9MB

Download
memory/1232-873-0x00007FF9D3140000-0x00007FF9D31EE000-memory.dmp

Filesize
696KB

Download
memory/1232-872-0x00007FF9D41C0000-0x00007FF9D439B000-memory.dmp

Filesize
1.9MB

Download
memory/1232-868-0x00007FF9D41C0000-0x00007FF9D439B000-memory.dmp

Filesize
1.9MB

Download
memory/1232-867-0x00007FF9D41C0000-0x00007FF9D439B000-memory.dmp

Filesize
1.9MB

Download
memory/1232-638-0x00007FF991330000-0x00007FF991340000-memory.dmp

Filesize
64KB

Download
memory/1232-629-0x00007FF9D41C0000-0x00007FF9D439B000-memory.dmp

Filesize
1.9MB

Download
memory/1232-631-0x00007FF991330000-0x00007FF991340000-memory.dmp

Filesize
64KB

Download
memory/1232-633-0x00007FF9D41C0000-0x00007FF9D439B000-memory.dmp

Filesize
1.9MB

Download
memory/1232-636-0x00007FF9D41C0000-0x00007FF9D439B000-memory.dmp

Filesize
1.9MB

Download
memory/1232-611-0x00007FF994250000-0x00007FF994260000-memory.dmp

Filesize
64KB

Download
memory/1232-613-0x00007FF9D41C0000-0x00007FF9D439B000-memory.dmp

Filesize
1.9MB

Download
memory/1232-612-0x00007FF994250000-0x00007FF994260000-memory.dmp

Filesize
64KB

Download
memory/1232-615-0x00007FF9D41C0000-0x00007FF9D439B000-memory.dmp

Filesize
1.9MB

Download
memory/1232-616-0x00007FF994250000-0x00007FF994260000-memory.dmp

Filesize
64KB

Download
memory/1232-614-0x00007FF994250000-0x00007FF994260000-memory.dmp

Filesize
64KB

Download
memory/1232-617-0x00007FF9D41C0000-0x00007FF9D439B000-memory.dmp

Filesize
1.9MB

Download
memory/1232-618-0x00007FF9D41C0000-0x00007FF9D439B000-memory.dmp

Filesize
1.9MB

Download
memory/1232-619-0x00007FF9D41C0000-0x00007FF9D439B000-memory.dmp

Filesize
1.9MB

Download
memory/1232-620-0x00007FF9D41C0000-0x00007FF9D439B000-memory.dmp

Filesize
1.9MB

Download
memory/1232-621-0x00007FF9D41C0000-0x00007FF9D439B000-memory.dmp

Filesize
1.9MB

Download
memory/1232-637-0x00007FF9D41C0000-0x00007FF9D439B000-memory.dmp

Filesize
1.9MB

Download
memory/1232-625-0x00007FF9D41C0000-0x00007FF9D439B000-memory.dmp

Filesize
1.9MB

Download
memory/1232-626-0x00007FF9D41C0000-0x00007FF9D439B000-memory.dmp

Filesize
1.9MB

Download
memory/1232-627-0x00007FF9D41C0000-0x00007FF9D439B000-memory.dmp

Filesize
1.9MB

Download
memory/1232-628-0x00007FF9D41C0000-0x00007FF9D439B000-memory.dmp

Filesize
1.9MB

Download
memory/1232-630-0x00007FF9D3140000-0x00007FF9D31EE000-memory.dmp

Filesize
696KB

Download
memory/1232-632-0x00007FF9D41C0000-0x00007FF9D439B000-memory.dmp

Filesize
1.9MB

Download
memory/1232-634-0x00007FF9D41C0000-0x00007FF9D439B000-memory.dmp

Filesize
1.9MB

Download
memory/2988-4-0x0000000000400000-0x00000000015B4000-memory.dmp

Filesize
17.7MB

Download
memory/2988-513-0x0000000000400000-0x00000000015B4000-memory.dmp

Filesize
17.7MB

Download
memory/2988-609-0x0000000000400000-0x00000000015B4000-memory.dmp

Filesize
17.7MB

Download
memory/2988-0-0x0000000000400000-0x00000000015B4000-memory.dmp

Filesize
17.7MB

Download
memory/2988-889-0x0000000000400000-0x00000000015B4000-memory.dmp

Filesize
17.7MB

Download
memory/2988-883-0x0000000000400000-0x00000000015B4000-memory.dmp

Filesize
17.7MB

Download
memory/2988-9-0x0000000000400000-0x00000000015B4000-memory.dmp

Filesize
17.7MB

Download
memory/2988-596-0x0000000000400000-0x00000000015B4000-memory.dmp

Filesize
17.7MB

Download
memory/2988-570-0x0000000000400000-0x00000000015B4000-memory.dmp

Filesize
17.7MB

Download
memory/4056-606-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/4056-598-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/4056-599-0x0000000000100000-0x00000000001AE000-memory.dmp

Filesize
696KB

Download
memory/4152-592-0x0000000000A30000-0x0000000000A3E000-memory.dmp

Filesize
56KB

Download
memory/4152-597-0x0000000000A30000-0x0000000000A3E000-memory.dmp

Filesize
56KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads