cc331c94fd9e4584f405bd6b03fb99ecfbb5293017293fc0a37a9b1737d31722

Analysis

max time kernel
335s
max time network
311s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
14-02-2024 16:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

KMS_Suite.v9.5.EN.bat
Size

348KB
MD5

af73bf925361348072469cff78890a4b
SHA1

dca20e41242d9398f474babb80c971e5fc27de69
SHA256

cc331c94fd9e4584f405bd6b03fb99ecfbb5293017293fc0a37a9b1737d31722
SHA512

6c7966852db9921338e6770b07190033ac1fb88035024388c8717c4d080e64587baffbbd99b6ac3657beec59d5ec8685acb4349953d92801a65089eb25253032
SSDEEP

6144:zaGyPc7/Tg7jc4zlw6PhVMt1pOb4RKsFx+GXtO9l0X0dgJ/pGntI/:zaXEDTg84z5pVM9O0lgz70kd0pEE

Score

8^/10

discovery persistence

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

flow	pid	Process
63	4124	powershell.exe

Sets file execution options in registry 2 TTPs 17 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.exe	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.exe\KMS_RenewalInterval = "43200"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.exe\VerifierDebug = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.exe	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.exe\KMS_Emulation = "1"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.exe	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.exe	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.exe\KMS_HWID = "4187226795851251830"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.exe	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.exe	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.exe\GlobalFlag = "256"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.exe	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.exe	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.exe\VerifierDlls = "KMS.dll"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.exe\VerifierFlags = "2147483648"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.exe\KMS_ActivationInterval = "43200"	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.exe	reg.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation	cmd.exe

Executes dropped EXE 3 IoCs

pid	Process
3320	center.exe
4256	center.exe
1820	center.exe

Loads dropped DLL 1 IoCs

pid	Process
2740	Process not Found

Modifies file permissions 1 TTPs 3 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
4852	icacls.exe
3748	icacls.exe
972	icacls.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\System32\KMS.dll	cmd.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\LOGS\DPX\setupact.log	expand.exe
File opened for modification	C:\Windows\LOGS\DPX\setuperr.log	expand.exe

Launches sc.exe 12 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
1064	sc.exe
3244	sc.exe
2164	sc.exe
3936	sc.exe
5028	sc.exe
3408	sc.exe
2084	sc.exe
3128	sc.exe
4508	sc.exe
1068	sc.exe
744	sc.exe
3048	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies data under HKEY_USERS 4 IoCs

description	ioc	Process
Key deleted	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\0ff1ce15-a989-479d-af46-f275c6370663\85dd8b5f-eaa4-4af3-a628-cce9e77c9a03	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\0ff1ce15-a989-479d-af46-f275c6370663	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\55c92734-d682-4d71-983e-d6ec3f16059f\2de67392-b7a7-462a-b1ca-108dd189f588	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\55c92734-d682-4d71-983e-d6ec3f16059f	reg.exe

Modifies registry class 10 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\.Admin\shell\runas	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\.Admin\shell\runas\command\ = "cmd /x /d /r set \"f0=%2\"& call \"%2\" %3"	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\.Admin\shell\runas\command	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\.Admin\shell	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\.Admin	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\.Admin\shell\runas\command	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\.Admin	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\.Admin\shell	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\.Admin\shell\runas	reg.exe

Modifies registry key 1 TTPs 32 IoCs

Modify Registry

T1112

pid	Process
3848	reg.exe
4620	reg.exe
836	reg.exe
4928	reg.exe
1484	reg.exe
3004	reg.exe
4496	reg.exe
2320	reg.exe
2696	reg.exe
1048	reg.exe
1400	reg.exe
736	reg.exe
2304	reg.exe
4728	reg.exe
1416	reg.exe
3236	reg.exe
3416	reg.exe
3840	reg.exe
208	reg.exe
4416	reg.exe
4448	reg.exe
2280	reg.exe
1600	reg.exe
3920	reg.exe
1752	reg.exe
3796	reg.exe
5092	reg.exe
1964	reg.exe
468	reg.exe
2132	reg.exe
3284	reg.exe
4280	reg.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 42 IoCs

pid	Process
1404	powershell.exe
1404	powershell.exe
968	powershell.exe
968	powershell.exe
1492	powershell.exe
1492	powershell.exe
4360	powershell.exe
4360	powershell.exe
4308	powershell.exe
4308	powershell.exe
3484	powershell.exe
3484	powershell.exe
2928	powershell.exe
2928	powershell.exe
2444	powershell.exe
2444	powershell.exe
400	powershell.exe
400	powershell.exe
1604	powershell.exe
1604	powershell.exe
2484	powershell.exe
2484	powershell.exe
3724	powershell.exe
3724	powershell.exe
2688	powershell.exe
2688	powershell.exe
3932	powershell.exe
3932	powershell.exe
3468	powershell.exe
3468	powershell.exe
4124	powershell.exe
4124	powershell.exe
1076	powershell.exe
1076	powershell.exe
4552	powershell.exe
4552	powershell.exe
4220	powershell.exe
4220	powershell.exe
1520	powershell.exe
1520	powershell.exe
4656	powershell.exe
4656	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1404	powershell.exe
Token: SeDebugPrivilege	968	powershell.exe
Token: SeDebugPrivilege	1492	powershell.exe
Token: SeDebugPrivilege	4360	powershell.exe
Token: SeDebugPrivilege	4308	powershell.exe
Token: SeDebugPrivilege	3484	powershell.exe
Token: SeDebugPrivilege	2928	powershell.exe
Token: SeIncreaseQuotaPrivilege	2940	WMIC.exe
Token: SeSecurityPrivilege	2940	WMIC.exe
Token: SeTakeOwnershipPrivilege	2940	WMIC.exe
Token: SeLoadDriverPrivilege	2940	WMIC.exe
Token: SeSystemProfilePrivilege	2940	WMIC.exe
Token: SeSystemtimePrivilege	2940	WMIC.exe
Token: SeProfSingleProcessPrivilege	2940	WMIC.exe
Token: SeIncBasePriorityPrivilege	2940	WMIC.exe
Token: SeCreatePagefilePrivilege	2940	WMIC.exe
Token: SeBackupPrivilege	2940	WMIC.exe
Token: SeRestorePrivilege	2940	WMIC.exe
Token: SeShutdownPrivilege	2940	WMIC.exe
Token: SeDebugPrivilege	2940	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2940	WMIC.exe
Token: SeRemoteShutdownPrivilege	2940	WMIC.exe
Token: SeUndockPrivilege	2940	WMIC.exe
Token: SeManageVolumePrivilege	2940	WMIC.exe
Token: 33	2940	WMIC.exe
Token: 34	2940	WMIC.exe
Token: 35	2940	WMIC.exe
Token: 36	2940	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2940	WMIC.exe
Token: SeSecurityPrivilege	2940	WMIC.exe
Token: SeTakeOwnershipPrivilege	2940	WMIC.exe
Token: SeLoadDriverPrivilege	2940	WMIC.exe
Token: SeSystemProfilePrivilege	2940	WMIC.exe
Token: SeSystemtimePrivilege	2940	WMIC.exe
Token: SeProfSingleProcessPrivilege	2940	WMIC.exe
Token: SeIncBasePriorityPrivilege	2940	WMIC.exe
Token: SeCreatePagefilePrivilege	2940	WMIC.exe
Token: SeBackupPrivilege	2940	WMIC.exe
Token: SeRestorePrivilege	2940	WMIC.exe
Token: SeShutdownPrivilege	2940	WMIC.exe
Token: SeDebugPrivilege	2940	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2940	WMIC.exe
Token: SeRemoteShutdownPrivilege	2940	WMIC.exe
Token: SeUndockPrivilege	2940	WMIC.exe
Token: SeManageVolumePrivilege	2940	WMIC.exe
Token: 33	2940	WMIC.exe
Token: 34	2940	WMIC.exe
Token: 35	2940	WMIC.exe
Token: 36	2940	WMIC.exe
Token: 35	3792	cmd.exe
Token: SeIncreaseQuotaPrivilege	3920	WMIC.exe
Token: SeSecurityPrivilege	3920	WMIC.exe
Token: SeTakeOwnershipPrivilege	3920	WMIC.exe
Token: SeLoadDriverPrivilege	3920	WMIC.exe
Token: SeSystemProfilePrivilege	3920	WMIC.exe
Token: SeSystemtimePrivilege	3920	WMIC.exe
Token: SeProfSingleProcessPrivilege	3920	WMIC.exe
Token: SeIncBasePriorityPrivilege	3920	WMIC.exe
Token: SeCreatePagefilePrivilege	3920	WMIC.exe
Token: SeBackupPrivilege	3920	WMIC.exe
Token: SeRestorePrivilege	3920	WMIC.exe
Token: SeShutdownPrivilege	3920	WMIC.exe
Token: SeDebugPrivilege	3920	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3920	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 540 wrote to memory of 3008	540	cmd.exe	85
PID 540 wrote to memory of 3008	540	cmd.exe	85
PID 540 wrote to memory of 208	540	cmd.exe	86
PID 540 wrote to memory of 208	540	cmd.exe	86
PID 540 wrote to memory of 1236	540	cmd.exe	87
PID 540 wrote to memory of 1236	540	cmd.exe	87
PID 540 wrote to memory of 3920	540	cmd.exe	88
PID 540 wrote to memory of 3920	540	cmd.exe	88
PID 540 wrote to memory of 1404	540	cmd.exe	89
PID 540 wrote to memory of 1404	540	cmd.exe	89
PID 1404 wrote to memory of 4508	1404	powershell.exe	90
PID 1404 wrote to memory of 4508	1404	powershell.exe	90
PID 4508 wrote to memory of 8	4508	csc.exe	91
PID 4508 wrote to memory of 8	4508	csc.exe	91
PID 1404 wrote to memory of 3724	1404	powershell.exe	92
PID 1404 wrote to memory of 3724	1404	powershell.exe	92
PID 540 wrote to memory of 440	540	cmd.exe	98
PID 540 wrote to memory of 440	540	cmd.exe	98
PID 540 wrote to memory of 3792	540	cmd.exe	95
PID 540 wrote to memory of 3792	540	cmd.exe	95
PID 3792 wrote to memory of 4280	3792	cmd.exe	94
PID 3792 wrote to memory of 4280	3792	cmd.exe	94
PID 3792 wrote to memory of 968	3792	cmd.exe	93
PID 3792 wrote to memory of 968	3792	cmd.exe	93
PID 968 wrote to memory of 4444	968	powershell.exe	96
PID 968 wrote to memory of 4444	968	powershell.exe	96
PID 4444 wrote to memory of 3500	4444	csc.exe	97
PID 4444 wrote to memory of 3500	4444	csc.exe	97
PID 3792 wrote to memory of 2976	3792	cmd.exe	99
PID 3792 wrote to memory of 2976	3792	cmd.exe	99
PID 3792 wrote to memory of 1492	3792	cmd.exe	100
PID 3792 wrote to memory of 1492	3792	cmd.exe	100
PID 3792 wrote to memory of 4576	3792	cmd.exe	101
PID 3792 wrote to memory of 4576	3792	cmd.exe	101
PID 3792 wrote to memory of 2712	3792	cmd.exe	102
PID 3792 wrote to memory of 2712	3792	cmd.exe	102
PID 3792 wrote to memory of 3320	3792	cmd.exe	103
PID 3792 wrote to memory of 3320	3792	cmd.exe	103
PID 3792 wrote to memory of 3320	3792	cmd.exe	103
PID 3792 wrote to memory of 4072	3792	cmd.exe	104
PID 3792 wrote to memory of 4072	3792	cmd.exe	104
PID 4072 wrote to memory of 4360	4072	cmd.exe	105
PID 4072 wrote to memory of 4360	4072	cmd.exe	105
PID 3792 wrote to memory of 1968	3792	cmd.exe	108
PID 3792 wrote to memory of 1968	3792	cmd.exe	108
PID 1968 wrote to memory of 4308	1968	cmd.exe	107
PID 1968 wrote to memory of 4308	1968	cmd.exe	107
PID 3792 wrote to memory of 2728	3792	cmd.exe	109
PID 3792 wrote to memory of 2728	3792	cmd.exe	109
PID 3792 wrote to memory of 4984	3792	cmd.exe	110
PID 3792 wrote to memory of 4984	3792	cmd.exe	110
PID 3792 wrote to memory of 1928	3792	cmd.exe	111
PID 3792 wrote to memory of 1928	3792	cmd.exe	111
PID 3792 wrote to memory of 4520	3792	cmd.exe	112
PID 3792 wrote to memory of 4520	3792	cmd.exe	112
PID 3792 wrote to memory of 4728	3792	cmd.exe	113
PID 3792 wrote to memory of 4728	3792	cmd.exe	113
PID 3792 wrote to memory of 2516	3792	cmd.exe	114
PID 3792 wrote to memory of 2516	3792	cmd.exe	114
PID 3792 wrote to memory of 2752	3792	cmd.exe	115
PID 3792 wrote to memory of 2752	3792	cmd.exe	115
PID 3792 wrote to memory of 4888	3792	cmd.exe	116
PID 3792 wrote to memory of 4888	3792	cmd.exe	116
PID 3792 wrote to memory of 5096	3792	cmd.exe	117

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\KMS_Suite.v9.5.EN.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:540
- C:\Windows\system32\mode.com
  mode con cols=78 lines=5
  2⤵
  PID:3008
- C:\Windows\system32\reg.exe
  reg add hkcu\software\classes\.Admin\shell\runas\command /f /ve /d "cmd /x /d /r set \"f0=%2\"& call \"%2\" %3"
  2⤵
  - Modifies registry class
  - Modifies registry key
  PID:208
- C:\Windows\system32\fltMC.exe
  fltmc
  2⤵
  PID:1236
- C:\Windows\system32\reg.exe
  reg delete hkcu\software\classes\.Admin\ /f
  2⤵
  - Modifies registry class
  - Modifies registry key
  PID:3920
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -nop -c $f=[IO.File]::ReadAllText($env:0)-split':KMSSuite\:.*';iex($f[1]); X(1)
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1404
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\rg4bea22\rg4bea22.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4508
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES50B0.tmp" "c:\Users\Admin\AppData\Local\Temp\rg4bea22\CSCF511DB691DCD4DC08A19BF1ACAA98F2.TMP"
      4⤵
      PID:8
- - C:\Windows\system32\expand.exe
    "C:\Windows\system32\expand.exe" -R 1 -F:* .
    3⤵
    - Drops file in Windows directory
    PID:3724
- C:\Windows\system32\cmd.exe
  cmd.exe /c KMS_Suite.bat -suite
  2⤵
  - Checks computer location settings
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3792
- - C:\Windows\system32\mode.com
    mode con: cols=90 lines=40
    3⤵
    PID:2976
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -noprofile "$W=(get-host).ui.rawui; $B=$W.buffersize; $B.height=90; $W.buffersize=$B"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1492
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "prompt #$H#$E# & echo on & for %b in (1) do rem"
    3⤵
    PID:4576
- - C:\Windows\system32\mode.com
    mode con cols=92 lines=35
    3⤵
    PID:2712
- - C:\Users\Admin\AppData\Local\Temp\2588\bin\center.exe
    center.exe kF5nJ4D92hfOpc8
    3⤵
    - Executes dropped EXE
    PID:3320
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c powershell -nop -c "(([WMISEARCHER]'Select Caption from Win32_OperatingSystem').Get()).Caption"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4072
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -nop -c "(([WMISEARCHER]'Select Caption from Win32_OperatingSystem').Get()).Caption"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4360
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c powershell -nop -c "(([WMISEARCHER]'Select Version from Win32_OperatingSystem').Get()).Version"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1968
- - C:\Windows\system32\mode.com
    mode con cols=92 lines=35
    3⤵
    PID:2728
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c time /t
    3⤵
    PID:4984
- - C:\Windows\system32\findstr.exe
    findstr /v /a:78 /R "^$" " KMS & KMS 2038 & Digital & Online Activation Suite v9.5 - mephistooo2 - www.TNCTR.com" nul
    3⤵
    PID:1928
- - C:\Windows\system32\findstr.exe
    findstr /v /a:6 /R "^$" " SUPPORT MICROSOFT PRUDUCTS" nul
    3⤵
    PID:4520
- - C:\Windows\system32\findstr.exe
    findstr /v /a:6 /R "^$" " [1] ACTIVATION START FOR WINDOWS & OFFICE (KMS Inject Method)" nul
    3⤵
    PID:4728
- - C:\Windows\system32\findstr.exe
    findstr /v /a:9 /R "^$" " [2] ACTIVATION START FOR WINDOWS 10-11 (Digital & KMS 2038 Activation Method)" nul
    3⤵
    PID:2516
- - C:\Windows\system32\findstr.exe
    findstr /v /a:2 /R "^$" " [3] ACTIVATION START FOR WINDOWS & OFFICE (Online Activation Method)" nul
    3⤵
    PID:2752
- - C:\Windows\system32\findstr.exe
    findstr /v /a:7 /R "^$" " [4] WINDOWS & OFFICE ACTIVATION STATUS CHECK" nul
    3⤵
    PID:4888
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SOFTWARE\Wow6432Node\Microsoft\Office\14.0\Common\InstallRoot /v Path
      4⤵
      Modifies registry key
      PID:2696
- - C:\Windows\system32\findstr.exe
    findstr /v /a:3 /R "^$" " [5] KMS & KMS 2038 & DIGITAL & ONLINE ACTIVATION VISIT WEBSITE" nul
    3⤵
    PID:5096
- - C:\Windows\system32\choice.exe
    choice /C:123456 /N /M "YOUR CHOICE :"
    3⤵
    PID:368
- - C:\Windows\system32\findstr.exe
    findstr /v /a:4 /R "^$" " [6] EXIT" nul
    3⤵
    PID:4548
- - C:\Windows\system32\mode.com
    mode con cols=78 lines=6
    3⤵
    PID:2180
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c powershell -nop -c "(([WMISEARCHER]'Select Caption from Win32_OperatingSystem').Get()).Caption"
    3⤵
    PID:4280
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -nop -c "(([WMISEARCHER]'Select Caption from Win32_OperatingSystem').Get()).Caption"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3484
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c powershell -nop -c "(([WMISEARCHER]'Select Version from Win32_OperatingSystem').Get()).Version"
    3⤵
    PID:1004
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -nop -c "(([WMISEARCHER]'Select Version from Win32_OperatingSystem').Get()).Version"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2928
- - C:\Windows\system32\mode.com
    mode con cols=92 lines=42
    3⤵
    PID:4876
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c time /t
    3⤵
    PID:4224
- - C:\Windows\system32\choice.exe
    choice /C:12345678 /N /M "YOUR CHOICE : "
    3⤵
    PID:3500
- - C:\Windows\system32\choice.exe
    choice /C:WOA /N /M "YOUR CHOICE : "
    3⤵
    PID:2276
- - C:\Windows\System32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services\WinMgmt /v Start
    3⤵
    - Modifies registry key
    PID:4416
- - C:\Windows\System32\find.exe
    find /i "0x4"
    3⤵
    PID:4028
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path Win32_ComputerSystem get CreationClassName /value
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2940
- - C:\Windows\System32\find.exe
    find /i "ComputerSystem"
    3⤵
    PID:1340
- - C:\Windows\System32\cmd.exe
    cmd /v:on /c echo(^!param^!
    3⤵
    PID:3016
- - C:\Windows\System32\findstr.exe
    findstr /R "[| ` ~ ! @ % \^ & ( ) \[ \] { } + = ; ' , |]*^"
    3⤵
    PID:1472
- - C:\Windows\System32\reg.exe
    reg query HKU\S-1-5-19
    3⤵
    PID:1436
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /v Desktop
    3⤵
    PID:4220
  - - C:\Windows\System32\reg.exe
      reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /v Desktop
      4⤵
      PID:1544
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ver
    3⤵
    PID:4928
- - C:\Windows\System32\reg.exe
    reg query "HKCU\SOFTWARE\Microsoft\Windows Script Host\Settings" /v Enabled
    3⤵
    PID:1352
- - C:\Windows\System32\find.exe
    find /i "0x0"
    3⤵
    PID:1416
- - C:\Windows\System32\reg.exe
    reg query "HKLM\SOFTWARE\Microsoft\Windows Script Host\Settings" /v Enabled
    3⤵
    PID:1480
- - C:\Windows\System32\find.exe
    find /i "0x0"
    3⤵
    PID:3104
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c dir /b /ad C:\Windows\System32\spp\tokens\skus
    3⤵
    PID:3408
- - C:\Windows\System32\sc.exe
    sc query osppsvc
    3⤵
    - Launches sc.exe
    PID:744
- - C:\Windows\System32\reg.exe
    reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sppsvc.exe"
    3⤵
    PID:4708
- - C:\Windows\System32\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\CurrentVersion\Software Protection Platform" /v NoGenTicket /t REG_DWORD /d 1 /f
    3⤵
    PID:3112
- - C:\Windows\System32\sc.exe
    sc query sppsvc
    3⤵
    - Launches sc.exe
    PID:3048
- - C:\Windows\System32\find.exe
    find /i "STOPPED"
    3⤵
    PID:4856
- - C:\Windows\System32\net.exe
    net stop sppsvc /y
    3⤵
    PID:1256
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop sppsvc /y
      4⤵
      PID:4948
- - C:\Windows\System32\sc.exe
    sc query sppsvc
    3⤵
    - Launches sc.exe
    PID:5028
- - C:\Windows\System32\find.exe
    find /i "STOPPED"
    3⤵
    PID:2660
- - C:\Windows\System32\icacls.exe
    icacls "C:\Windows\System32\KMS.dll" /findsid *S-1-5-32-545
    3⤵
    - Modifies file permissions
    PID:4852
- - C:\Windows\System32\find.exe
    find /i "KMS.dll"
    3⤵
    PID:2788
- - C:\Windows\System32\icacls.exe
    icacls "C:\Windows\System32\KMS.dll" /grant *S-1-5-32-545:RX
    3⤵
    - Modifies file permissions
    PID:3748
- - C:\Windows\System32\reg.exe
    reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.exe" /f /v Debugger
    3⤵
    PID:4572
- - C:\Windows\System32\reg.exe
    reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.exe" /f /v VerifierDlls /t REG_SZ /d "KMS.dll"
    3⤵
    - Sets file execution options in registry
    PID:1976
- - C:\Windows\System32\reg.exe
    reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.exe" /f /v VerifierDebug /t REG_DWORD /d 0x00000000
    3⤵
    - Sets file execution options in registry
    PID:1620
- - C:\Windows\System32\reg.exe
    reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.exe" /f /v VerifierFlags /t REG_DWORD /d 0x80000000
    3⤵
    - Sets file execution options in registry
    PID:2248
- - C:\Windows\System32\reg.exe
    reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.exe" /f /v GlobalFlag /t REG_DWORD /d 0x00000100
    3⤵
    - Sets file execution options in registry
    PID:1408
- - C:\Windows\System32\reg.exe
    reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.exe" /f /v KMS_Emulation /t REG_DWORD /d 1
    3⤵
    - Sets file execution options in registry
    PID:1696
- - C:\Windows\System32\reg.exe
    reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.exe" /f /v KMS_ActivationInterval /t REG_DWORD /d 43200
    3⤵
    - Sets file execution options in registry
    PID:2488
- - C:\Windows\System32\reg.exe
    reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.exe" /f /v KMS_RenewalInterval /t REG_DWORD /d 43200
    3⤵
    - Sets file execution options in registry
    PID:4116
- - C:\Windows\System32\reg.exe
    reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.exe" /f /v KMS_HWID /t REG_QWORD /d "0x3A1C049600B60076"
    3⤵
    - Sets file execution options in registry
    PID:1672
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c REG QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages" /f "Microsoft-Windows-*Edition~31bf3856ad364e35" /k 2>nul | FIND /I "CurrentVersion"
    3⤵
    PID:1316
  - - C:\Windows\System32\reg.exe
      REG QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages" /f "Microsoft-Windows-*Edition~31bf3856ad364e35" /k
      4⤵
      PID:4956
  - - C:\Windows\System32\find.exe
      FIND /I "CurrentVersion"
      4⤵
      PID:32
- - C:\Windows\System32\reg.exe
    REG QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Microsoft-Windows-ProfessionalEdition~31bf3856ad364e35~amd64~~10.0.19041.1288" /v "CurrentState"
    3⤵
    PID:4444
- - C:\Windows\System32\find.exe
    FIND /I "0x70"
    3⤵
    PID:2068
- - C:\Windows\System32\find.exe
    FIND /I "0x70"
    3⤵
    PID:4476
- - C:\Windows\System32\reg.exe
    REG QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Microsoft-Windows-ProfessionalEdition~31bf3856ad364e35~amd64~~10.0.19041.264" /v "CurrentState"
    3⤵
    PID:4428
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c echo Microsoft-Windows-ProfessionalEdition~31bf3856ad364e35~amd64~~10.0.19041.1288
    3⤵
    PID:4432
- - C:\Windows\System32\net.exe
    net start sppsvc /y
    3⤵
    PID:3936
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 start sppsvc /y
      4⤵
      PID:2576
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path SoftwareLicensingProduct where (ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f' AND PartialProductKey is not NULL) get LicenseFamily /value" 2>nul
    3⤵
    PID:4960
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path SoftwareLicensingProduct where (ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f' AND PartialProductKey is not NULL) get LicenseFamily /value
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3920
- - C:\Windows\System32\mode.com
    mode con:cols=92 lines=25
    3⤵
    PID:3540
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v ProductName 2>nul
    3⤵
    PID:3504
  - - C:\Windows\System32\reg.exe
      reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v ProductName
      4⤵
      PID:4884
- - C:\Windows\System32\reg.exe
    reg query HKLM\SOFTWARE\Microsoft\Office\ClickToRun /v InstallPath
    3⤵
    - Modifies registry key
    PID:3848
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg query HKLM\SOFTWARE\Microsoft\Office\ClickToRun /v InstallPath" 2>nul
    3⤵
    PID:3132
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SOFTWARE\Microsoft\Office\ClickToRun /v InstallPath
      4⤵
      Modifies registry key
      PID:1752
- - C:\Windows\System32\reg.exe
    reg query HKLM\SOFTWARE\Microsoft\Office\ClickToRun\Configuration /v ProductReleaseIds
    3⤵
    - Modifies registry key
    PID:4728
- - C:\Windows\System32\reg.exe
    reg query HKLM\SOFTWARE\Microsoft\Office\15.0\ClickToRun /v InstallPath
    3⤵
    - Modifies registry key
    PID:4496
- - C:\Windows\System32\reg.exe
    reg query HKLM\SOFTWARE\Wow6432Node\Microsoft\Office\14.0\CVH /f Click2run /k
    3⤵
    - Modifies registry key
    PID:3796
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg query HKLM\SOFTWARE\Microsoft\Office\14.0\Common\InstallRoot /v Path" 2>nul
    3⤵
    PID:4944
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SOFTWARE\Microsoft\Office\14.0\Common\InstallRoot /v Path
      4⤵
      Modifies registry key
      PID:2320
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg query HKLM\SOFTWARE\Wow6432Node\Microsoft\Office\14.0\Common\InstallRoot /v Path" 2>nul
    3⤵
    PID:4888
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg query HKLM\SOFTWARE\Microsoft\Office\15.0\Common\InstallRoot /v Path" 2>nul
    3⤵
    PID:3612
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SOFTWARE\Microsoft\Office\15.0\Common\InstallRoot /v Path
      4⤵
      Modifies registry key
      PID:1400
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg query HKLM\SOFTWARE\Wow6432Node\Microsoft\Office\15.0\Common\InstallRoot /v Path" 2>nul
    3⤵
    PID:532
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SOFTWARE\Wow6432Node\Microsoft\Office\15.0\Common\InstallRoot /v Path
      4⤵
      Modifies registry key
      PID:736
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg query HKLM\SOFTWARE\Microsoft\Office\16.0\Common\InstallRoot /v Path" 2>nul
    3⤵
    PID:2432
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SOFTWARE\Microsoft\Office\16.0\Common\InstallRoot /v Path
      4⤵
      Modifies registry key
      PID:4448
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg query HKLM\SOFTWARE\Wow6432Node\Microsoft\Office\16.0\Common\InstallRoot /v Path" 2>nul
    3⤵
    PID:2424
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SOFTWARE\Wow6432Node\Microsoft\Office\16.0\Common\InstallRoot /v Path
      4⤵
      Modifies registry key
      PID:4620
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg query HKLM\SOFTWARE\Microsoft\Office\ClickToRun\Configuration /v ProductReleaseIds
    3⤵
    PID:3888
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SOFTWARE\Microsoft\Office\ClickToRun\Configuration /v ProductReleaseIds
      4⤵
      Modifies registry key
      PID:836
- - C:\Windows\System32\findstr.exe
    findstr /I /C:"MondoVolume" "C:\Windows\Temp\c2rchk.txt"
    3⤵
    PID:4088
- - C:\Windows\System32\findstr.exe
    findstr /I /C:"ProPlusVolume" "C:\Windows\Temp\c2rchk.txt"
    3⤵
    PID:1916
- - C:\Windows\System32\findstr.exe
    findstr /I /C:"ProjectProVolume" "C:\Windows\Temp\c2rchk.txt"
    3⤵
    PID:3412
- - C:\Windows\System32\findstr.exe
    findstr /I /C:"VisioProVolume" "C:\Windows\Temp\c2rchk.txt"
    3⤵
    PID:4280
- - C:\Windows\System32\findstr.exe
    findstr /I /C:"StandardVolume" "C:\Windows\Temp\c2rchk.txt"
    3⤵
    PID:2388
- - C:\Windows\System32\findstr.exe
    findstr /I /C:"ProjectStdVolume" "C:\Windows\Temp\c2rchk.txt"
    3⤵
    PID:3592
- - C:\Windows\System32\findstr.exe
    findstr /I /C:"VisioStdVolume" "C:\Windows\Temp\c2rchk.txt"
    3⤵
    PID:3172
- - C:\Windows\System32\findstr.exe
    findstr /I /C:"AccessVolume" "C:\Windows\Temp\c2rchk.txt"
    3⤵
    PID:4612
- - C:\Windows\System32\findstr.exe
    findstr /I /C:"SkypeforBusinessVolume" "C:\Windows\Temp\c2rchk.txt"
    3⤵
    PID:592
- - C:\Windows\System32\findstr.exe
    findstr /I /C:"OneNoteVolume" "C:\Windows\Temp\c2rchk.txt"
    3⤵
    PID:3900
- - C:\Windows\System32\findstr.exe
    findstr /I /C:"ExcelVolume" "C:\Windows\Temp\c2rchk.txt"
    3⤵
    PID:1616
- - C:\Windows\System32\findstr.exe
    findstr /I /C:"OutlookVolume" "C:\Windows\Temp\c2rchk.txt"
    3⤵
    PID:1748
- - C:\Windows\System32\findstr.exe
    findstr /I /C:"PowerPointVolume" "C:\Windows\Temp\c2rchk.txt"
    3⤵
    PID:2380
- - C:\Windows\System32\findstr.exe
    findstr /I /C:"PublisherVolume" "C:\Windows\Temp\c2rchk.txt"
    3⤵
    PID:3232
- - C:\Windows\System32\findstr.exe
    findstr /I /C:"WordVolume" "C:\Windows\Temp\c2rchk.txt"
    3⤵
    PID:4876
- - C:\Windows\System32\findstr.exe
    findstr /I /C:"ProjectProXVolume" "C:\Windows\Temp\c2rchk.txt"
    3⤵
    PID:4224
- - C:\Windows\System32\findstr.exe
    findstr /I /C:"ProjectStdXVolume" "C:\Windows\Temp\c2rchk.txt"
    3⤵
    PID:1844
- - C:\Windows\System32\findstr.exe
    findstr /I /C:"VisioProXVolume" "C:\Windows\Temp\c2rchk.txt"
    3⤵
    PID:4408
- - C:\Windows\System32\findstr.exe
    findstr /I /C:"VisioStdXVolume" "C:\Windows\Temp\c2rchk.txt"
    3⤵
    PID:3932
- - C:\Windows\System32\findstr.exe
    findstr /I /C:"MondoRetail" "C:\Windows\Temp\c2rchk.txt"
    3⤵
    PID:1372
- - C:\Windows\System32\findstr.exe
    findstr /I /C:"ProPlusRetail" "C:\Windows\Temp\c2rchk.txt"
    3⤵
    PID:3532
- - C:\Windows\System32\findstr.exe
    findstr /I /C:"ProjectProRetail" "C:\Windows\Temp\c2rchk.txt"
    3⤵
    PID:1440
- - C:\Windows\System32\findstr.exe
    findstr /I /C:"VisioProRetail" "C:\Windows\Temp\c2rchk.txt"
    3⤵
    PID:3956
- - C:\Windows\System32\findstr.exe
    findstr /I /C:"StandardRetail" "C:\Windows\Temp\c2rchk.txt"
    3⤵
    PID:2920
- - C:\Windows\System32\findstr.exe
    findstr /I /C:"ProjectStdRetail" "C:\Windows\Temp\c2rchk.txt"
    3⤵
    PID:4156
- - C:\Windows\System32\findstr.exe
    findstr /I /C:"VisioStdRetail" "C:\Windows\Temp\c2rchk.txt"
    3⤵
    PID:2900
- - C:\Windows\System32\findstr.exe
    findstr /I /C:"AccessRetail" "C:\Windows\Temp\c2rchk.txt"
    3⤵
    PID:2448
- - C:\Windows\System32\findstr.exe
    findstr /I /C:"SkypeforBusinessRetail" "C:\Windows\Temp\c2rchk.txt"
    3⤵
    PID:1068
- - C:\Windows\System32\findstr.exe
    findstr /I /C:"OneNoteRetail" "C:\Windows\Temp\c2rchk.txt"
    3⤵
    PID:2964
- - C:\Windows\System32\findstr.exe
    findstr /I /C:"ExcelRetail" "C:\Windows\Temp\c2rchk.txt"
    3⤵
    PID:2228
- - C:\Windows\System32\findstr.exe
    findstr /I /C:"OutlookRetail" "C:\Windows\Temp\c2rchk.txt"
    3⤵
    PID:2276
- - C:\Windows\System32\findstr.exe
    findstr /I /C:"PowerPointRetail" "C:\Windows\Temp\c2rchk.txt"
    3⤵
    PID:3176
- - C:\Windows\System32\findstr.exe
    findstr /I /C:"PublisherRetail" "C:\Windows\Temp\c2rchk.txt"
    3⤵
    PID:4028
- - C:\Windows\System32\findstr.exe
    findstr /I /C:"WordRetail" "C:\Windows\Temp\c2rchk.txt"
    3⤵
    PID:4860
- - C:\Windows\System32\findstr.exe
    findstr /I /C:"ProfessionalRetail" "C:\Windows\Temp\c2rchk.txt"
    3⤵
    PID:4212
- - C:\Windows\System32\findstr.exe
    findstr /I /C:"HomeBusinessRetail" "C:\Windows\Temp\c2rchk.txt"
    3⤵
    PID:3224
- - C:\Windows\System32\findstr.exe
    findstr /I /C:"HomeStudentRetail" "C:\Windows\Temp\c2rchk.txt"
    3⤵
    PID:3332
- - C:\Windows\System32\findstr.exe
    findstr /I /C:"O365BusinessRetail" "C:\Windows\Temp\c2rchk.txt"
    3⤵
    PID:968
- - C:\Windows\System32\findstr.exe
    findstr /I /C:"O365SmallBusPremRetail" "C:\Windows\Temp\c2rchk.txt"
    3⤵
    PID:4764
- - C:\Windows\System32\findstr.exe
    findstr /I /C:"O365HomePremRetail" "C:\Windows\Temp\c2rchk.txt"
    3⤵
    PID:640
- - C:\Windows\System32\findstr.exe
    findstr /I /C:"O365EduCloudRetail" "C:\Windows\Temp\c2rchk.txt"
    3⤵
    PID:1472
- - C:\Windows\System32\reg.exe
    reg query HKLM\SOFTWARE\Microsoft\Office\ClickToRun\Configuration /v ProductReleaseIds
    3⤵
    - Modifies registry key
    PID:4928
- - C:\Windows\System32\findstr.exe
    findstr 2019
    3⤵
    PID:4384
- - C:\Windows\System32\reg.exe
    reg query HKLM\SOFTWARE\Microsoft\Office\ClickToRun\Configuration /v ProductReleaseIds
    3⤵
    - Modifies registry key
    PID:1416
- - C:\Windows\System32\findstr.exe
    findstr 2021
    3⤵
    PID:1360
- - C:\Windows\System32\findstr.exe
    findstr /i Windows
    3⤵
    PID:3652
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path SoftwareLicensingProduct where (Description like '%KMSCLIENT%' ) get Name /value
    3⤵
    PID:3104
- - C:\Windows\System32\reg.exe
    reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\55c92734-d682-4d71-983e-d6ec3f16059f" /f
    3⤵
    PID:4708
- - C:\Windows\System32\reg.exe
    reg delete "HKU\S-1-5-20\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\55c92734-d682-4d71-983e-d6ec3f16059f" /f
    3⤵
    PID:3112
- - C:\Windows\System32\reg.exe
    reg delete "HKU\S-1-5-20\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\0ff1ce15-a989-479d-af46-f275c6370663" /f
    3⤵
    - Modifies data under HKEY_USERS
    PID:3048
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path SoftwareLicensingProduct where (ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f' and Description like '%KMSCLIENT%' and PartialProductKey is not NULL) get Name /value
    3⤵
    PID:4656
- - C:\Windows\System32\findstr.exe
    findstr /i Windows
    3⤵
    PID:768
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path SoftwareLicensingProduct where (ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f' and Description like '%KMSCLIENT%' and PartialProductKey is not NULL) get GracePeriodRemaining /value" 2>nul
    3⤵
    PID:4008
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path SoftwareLicensingProduct where (ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f' and Description like '%KMSCLIENT%' and PartialProductKey is not NULL) get GracePeriodRemaining /value
      4⤵
      PID:3760
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path SoftwareLicensingService get Version /value"
    3⤵
    PID:1864
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path SoftwareLicensingService get Version /value
      4⤵
      PID:4128
- - C:\Windows\System32\reg.exe
    reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /f /v KeyManagementServiceName /t REG_SZ /d "172.16.0.2"
    3⤵
    PID:60
- - C:\Windows\System32\reg.exe
    reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /f /v KeyManagementServicePort /t REG_SZ /d "1688"
    3⤵
    PID:4412
- - C:\Windows\System32\reg.exe
    reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /f /v KeyManagementServiceName /t REG_SZ /d "172.16.0.2" /reg:32
    3⤵
    PID:4952
- - C:\Windows\System32\reg.exe
    reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /f /v KeyManagementServicePort /t REG_SZ /d "1688" /reg:32
    3⤵
    PID:4996
- - C:\Windows\System32\reg.exe
    reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\0ff1ce15-a989-479d-af46-f275c6370663" /f /reg:32
    3⤵
    PID:5088
- - C:\Windows\System32\reg.exe
    reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\0ff1ce15-a989-479d-af46-f275c6370663" /f /v KeyManagementServiceName /t REG_SZ /d "172.16.0.2" /reg:32
    3⤵
    PID:2112
- - C:\Windows\System32\reg.exe
    reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\0ff1ce15-a989-479d-af46-f275c6370663" /f /v KeyManagementServicePort /t REG_SZ /d "1688" /reg:32
    3⤵
    PID:4956
- - C:\Windows\System32\reg.exe
    reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\0ff1ce15-a989-479d-af46-f275c6370663" /f
    3⤵
    PID:3264
- - C:\Windows\System32\reg.exe
    reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\0ff1ce15-a989-479d-af46-f275c6370663" /f /v KeyManagementServiceName /t REG_SZ /d "172.16.0.2"
    3⤵
    PID:1512
- - C:\Windows\System32\reg.exe
    reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\0ff1ce15-a989-479d-af46-f275c6370663" /f /v KeyManagementServicePort /t REG_SZ /d "1688"
    3⤵
    PID:4444
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path SoftwareLicensingProduct where (ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f' and Description like '%KMSCLIENT%' ) get ID /value"
    3⤵
    PID:5032
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path SoftwareLicensingProduct where (ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f' and Description like '%KMSCLIENT%' ) get ID /value
      4⤵
      PID:4596
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path SoftwareLicensingProduct where (ID='2de67392-b7a7-462a-b1ca-108dd189f588') get LicenseStatus /value
    3⤵
    PID:840
- - C:\Windows\System32\findstr.exe
    findstr "1"
    3⤵
    PID:1920
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path SoftwareLicensingProduct where (PartialProductKey is not NULL) get ID /value
    3⤵
    PID:3060
- - C:\Windows\System32\findstr.exe
    findstr /i "2de67392-b7a7-462a-b1ca-108dd189f588"
    3⤵
    PID:2308
- - C:\Windows\System32\reg.exe
    reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\55c92734-d682-4d71-983e-d6ec3f16059f\2de67392-b7a7-462a-b1ca-108dd189f588" /f
    3⤵
    PID:4960
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path SoftwareLicensingProduct where (ID='2de67392-b7a7-462a-b1ca-108dd189f588') get Name /value"
    3⤵
    PID:3540
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path SoftwareLicensingProduct where (ID='2de67392-b7a7-462a-b1ca-108dd189f588') get Name /value
      4⤵
      PID:4068
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path SoftwareLicensingProduct where ID='2de67392-b7a7-462a-b1ca-108dd189f588' call Activate
    3⤵
    PID:1660
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path SoftwareLicensingProduct where (ID='2de67392-b7a7-462a-b1ca-108dd189f588') get GracePeriodRemaining /value"
    3⤵
    PID:4728
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path SoftwareLicensingProduct where (ID='2de67392-b7a7-462a-b1ca-108dd189f588') get GracePeriodRemaining /value
      4⤵
      PID:4496
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -NoProfile write-host -back Green -fore Black Product Activation Successful
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2444
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path SoftwareLicensingProduct where (ID='3f1afc82-f8ac-4f6c-8005-1d233e606eee') get LicenseStatus /value
    3⤵
    PID:2432
- - C:\Windows\System32\findstr.exe
    findstr "1"
    3⤵
    PID:1632
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path SoftwareLicensingProduct where (PartialProductKey is not NULL) get ID /value
    3⤵
    PID:836
- - C:\Windows\System32\findstr.exe
    findstr /i "3f1afc82-f8ac-4f6c-8005-1d233e606eee"
    3⤵
    PID:3888
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path SoftwareLicensingProduct where (ID='73111121-5638-40f6-bc11-f1d7b0d64300') get LicenseStatus /value
    3⤵
    PID:1916
- - C:\Windows\System32\findstr.exe
    findstr "1"
    3⤵
    PID:812
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path SoftwareLicensingProduct where (PartialProductKey is not NULL) get ID /value
    3⤵
    PID:2688
- - C:\Windows\System32\findstr.exe
    findstr /i "73111121-5638-40f6-bc11-f1d7b0d64300"
    3⤵
    PID:2132
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path SoftwareLicensingProduct where (ID='82bbc092-bc50-4e16-8e18-b74fc486aec3') get LicenseStatus /value
    3⤵
    PID:3300
- - C:\Windows\System32\findstr.exe
    findstr "1"
    3⤵
    PID:1228
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path SoftwareLicensingProduct where (PartialProductKey is not NULL) get ID /value
    3⤵
    PID:3316
- - C:\Windows\System32\findstr.exe
    findstr /i "82bbc092-bc50-4e16-8e18-b74fc486aec3"
    3⤵
    PID:468
- - C:\Windows\System32\findstr.exe
    findstr "1"
    3⤵
    PID:440
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path SoftwareLicensingProduct where (ID='e0c42288-980c-4788-a014-c080d2e1926e') get LicenseStatus /value
    3⤵
    PID:2476
- - C:\Windows\System32\findstr.exe
    findstr /i "e0c42288-980c-4788-a014-c080d2e1926e"
    3⤵
    PID:1800
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path SoftwareLicensingProduct where (PartialProductKey is not NULL) get ID /value
    3⤵
    PID:212
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path SoftwareLicensingProduct where (ID='e4db50ea-bda1-4566-b047-0ca50abc6f07') get LicenseStatus /value
    3⤵
    PID:696
- - C:\Windows\System32\findstr.exe
    findstr "1"
    3⤵
    PID:4724
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path SoftwareLicensingProduct where (PartialProductKey is not NULL) get ID /value
    3⤵
    PID:4540
- - C:\Windows\System32\findstr.exe
    findstr /i "e4db50ea-bda1-4566-b047-0ca50abc6f07"
    3⤵
    PID:1900
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path SoftwareLicensingProduct where (ID='ec868e65-fadf-4759-b23e-93fe37f2cc29') get LicenseStatus /value
    3⤵
    PID:2900
- - C:\Windows\System32\findstr.exe
    findstr "1"
    3⤵
    PID:4360
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path SoftwareLicensingProduct where (PartialProductKey is not NULL) get ID /value
    3⤵
    PID:920
- - C:\Windows\System32\findstr.exe
    findstr /i "ec868e65-fadf-4759-b23e-93fe37f2cc29"
    3⤵
    PID:1628
- - C:\Windows\System32\reg.exe
    reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /f /v KeyManagementServiceName /t REG_SZ /d "172.16.0.2"
    3⤵
    PID:1056
- - C:\Windows\System32\reg.exe
    reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /f /v KeyManagementServicePort /t REG_SZ /d "1688"
    3⤵
    PID:3244
- - C:\Windows\System32\reg.exe
    reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /f /v DisableDnsPublishing
    3⤵
    PID:3296
- - C:\Windows\System32\reg.exe
    reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /f /v DisableKeyManagementServiceHostCaching
    3⤵
    PID:4316
- - C:\Windows\System32\reg.exe
    reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\55c92734-d682-4d71-983e-d6ec3f16059f" /f
    3⤵
    PID:1164
- - C:\Windows\System32\reg.exe
    reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /f /v KeyManagementServiceName /t REG_SZ /d "172.16.0.2" /reg:32
    3⤵
    PID:4816
- - C:\Windows\System32\reg.exe
    reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /f /v KeyManagementServicePort /t REG_SZ /d "1688" /reg:32
    3⤵
    PID:1780
- - C:\Windows\System32\reg.exe
    reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\0ff1ce15-a989-479d-af46-f275c6370663" /f /reg:32
    3⤵
    PID:4504
- - C:\Windows\System32\reg.exe
    reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\0ff1ce15-a989-479d-af46-f275c6370663" /f /v KeyManagementServiceName /t REG_SZ /d "172.16.0.2" /reg:32
    3⤵
    PID:4940
- - C:\Windows\System32\reg.exe
    reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\0ff1ce15-a989-479d-af46-f275c6370663" /f /v KeyManagementServicePort /t REG_SZ /d "1688" /reg:32
    3⤵
    PID:2976
- - C:\Windows\System32\reg.exe
    reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\0ff1ce15-a989-479d-af46-f275c6370663" /f
    3⤵
    PID:2104
- - C:\Windows\System32\reg.exe
    reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\0ff1ce15-a989-479d-af46-f275c6370663" /f /v KeyManagementServiceName /t REG_SZ /d "172.16.0.2"
    3⤵
    PID:1700
- - C:\Windows\System32\reg.exe
    reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\0ff1ce15-a989-479d-af46-f275c6370663" /f /v KeyManagementServicePort /t REG_SZ /d "1688"
    3⤵
    PID:860
- - C:\Windows\System32\reg.exe
    reg delete "HKU\S-1-5-20\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\55c92734-d682-4d71-983e-d6ec3f16059f" /f
    3⤵
    - Modifies data under HKEY_USERS
    PID:1972
- - C:\Windows\System32\reg.exe
    reg delete "HKU\S-1-5-20\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\0ff1ce15-a989-479d-af46-f275c6370663" /f
    3⤵
    PID:3704
- - C:\Windows\System32\sc.exe
    sc query sppsvc
    3⤵
    - Launches sc.exe
    PID:3408
- - C:\Windows\System32\find.exe
    find /i "STOPPED"
    3⤵
    PID:1520
- - C:\Windows\System32\net.exe
    net stop sppsvc /y
    3⤵
    PID:956
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop sppsvc /y
      4⤵
      PID:4708
- - C:\Windows\System32\sc.exe
    sc query sppsvc
    3⤵
    - Launches sc.exe
    PID:2084
- - C:\Windows\System32\find.exe
    find /i "STOPPED"
    3⤵
    PID:2392
- - C:\Windows\System32\icacls.exe
    icacls "C:\Windows\System32\KMS.dll" /reset
    3⤵
    - Modifies file permissions
    PID:972
- - C:\Windows\System32\reg.exe
    reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.exe"
    3⤵
    PID:2660
- - C:\Windows\System32\reg.exe
    reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.exe" /f
    3⤵
    - Sets file execution options in registry
    PID:2148
- - C:\Windows\System32\reg.exe
    reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sppsvc.exe"
    3⤵
    PID:780
- - C:\Windows\System32\reg.exe
    reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osppsvc.exe"
    3⤵
    PID:1644
- - C:\Windows\System32\schtasks.exe
    schtasks /query /tn "\Microsoft\Windows\SoftwareProtectionPlatform\SvcTrigger"
    3⤵
    PID:1620
- - C:\Windows\System32\sc.exe
    sc start sppsvc trigger=timer;sessionid=0
    3⤵
    - Launches sc.exe
    PID:3128
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c powershell -nop -c "(([WMISEARCHER]'Select Caption from Win32_OperatingSystem').Get()).Caption"
    3⤵
    PID:4412
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -nop -c "(([WMISEARCHER]'Select Caption from Win32_OperatingSystem').Get()).Caption"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:400
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c powershell -nop -c "(([WMISEARCHER]'Select Version from Win32_OperatingSystem').Get()).Version"
    3⤵
    PID:3208
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -nop -c "(([WMISEARCHER]'Select Version from Win32_OperatingSystem').Get()).Version"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:1604
- - C:\Windows\System32\mode.com
    mode con cols=92 lines=42
    3⤵
    PID:4536
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c time /t
    3⤵
    PID:2792
- - C:\Windows\System32\choice.exe
    choice /C:12345678 /N /M "YOUR CHOICE : "
    3⤵
    PID:8
- - C:\Windows\System32\mode.com
    mode con cols=78 lines=6
    3⤵
    PID:4572
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Powershell.exe -executionpolicy remotesigned -File disablex.ps1
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2484
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\cbylevlt\cbylevlt.cmdline"
      4⤵
      PID:3444
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6BE5.tmp" "c:\Users\Admin\AppData\Local\Temp\cbylevlt\CSCA0CFB9C5A1654677B5D469A835D8F5B.TMP"
        5⤵
        
        PID:532
- - C:\Windows\System32\mode.com
    mode con: cols=90 lines=40
    3⤵
    PID:776
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -noprofile "$W=(get-host).ui.rawui; $B=$W.buffersize; $B.height=90; $W.buffersize=$B"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3724
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "prompt #$H#$E# & echo on & for %b in (1) do rem"
    3⤵
    PID:3484
- - C:\Windows\System32\mode.com
    mode con cols=92 lines=35
    3⤵
    PID:2552
- - C:\Users\Admin\AppData\Local\Temp\2588\bin\center.exe
    center.exe kF5nJ4D92hfOpc8
    3⤵
    - Executes dropped EXE
    PID:4256
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c powershell -nop -c "(([WMISEARCHER]'Select Caption from Win32_OperatingSystem').Get()).Caption"
    3⤵
    PID:3172
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -nop -c "(([WMISEARCHER]'Select Caption from Win32_OperatingSystem').Get()).Caption"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:2688
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c powershell -nop -c "(([WMISEARCHER]'Select Version from Win32_OperatingSystem').Get()).Version"
    3⤵
    PID:5052
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -nop -c "(([WMISEARCHER]'Select Version from Win32_OperatingSystem').Get()).Version"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:3932
- - C:\Windows\System32\mode.com
    mode con cols=92 lines=35
    3⤵
    PID:5108
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c time /t
    3⤵
    PID:2900
- - C:\Windows\System32\findstr.exe
    findstr /v /a:78 /R "^$" " KMS & KMS 2038 & Digital & Online Activation Suite v9.5 - mephistooo2 - www.TNCTR.com" nul
    3⤵
    PID:2312
- - C:\Windows\System32\findstr.exe
    findstr /v /a:6 /R "^$" " SUPPORT MICROSOFT PRUDUCTS" nul
    3⤵
    PID:2276
- - C:\Windows\System32\findstr.exe
    findstr /v /a:6 /R "^$" " [1] ACTIVATION START FOR WINDOWS & OFFICE (KMS Inject Method)" nul
    3⤵
    PID:3896
- - C:\Windows\System32\findstr.exe
    findstr /v /a:9 /R "^$" " [2] ACTIVATION START FOR WINDOWS 10-11 (Digital & KMS 2038 Activation Method)" nul
    3⤵
    PID:1056
- - C:\Windows\System32\findstr.exe
    findstr /v /a:2 /R "^$" " [3] ACTIVATION START FOR WINDOWS & OFFICE (Online Activation Method)" nul
    3⤵
    PID:2940
- - C:\Windows\System32\findstr.exe
    findstr /v /a:7 /R "^$" " [4] WINDOWS & OFFICE ACTIVATION STATUS CHECK" nul
    3⤵
    PID:1340
- - C:\Windows\System32\findstr.exe
    findstr /v /a:3 /R "^$" " [5] KMS & KMS 2038 & DIGITAL & ONLINE ACTIVATION VISIT WEBSITE" nul
    3⤵
    PID:4172
- - C:\Windows\System32\findstr.exe
    findstr /v /a:4 /R "^$" " [6] EXIT" nul
    3⤵
    PID:4816
- - C:\Windows\System32\choice.exe
    choice /C:123456 /N /M "YOUR CHOICE :"
    3⤵
    PID:1780
- - C:\Windows\System32\mode.com
    mode con cols=92 lines=35
    3⤵
    PID:2976
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c time /t
    3⤵
    PID:2104
- - C:\Windows\System32\choice.exe
    choice /C:WOAM /N /M "YOUR CHOICE : "
    3⤵
    PID:1700
- - C:\Windows\System32\reg.exe
    reg query HKLM\SYSTEM\CurrentControlSet\Services\WinMgmt /v Start
    3⤵
    - Modifies registry key
    PID:5092
- - C:\Windows\System32\find.exe
    find /i "0x4"
    3⤵
    PID:1360
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path Win32_ComputerSystem get CreationClassName /value
    3⤵
    PID:1600
- - C:\Windows\System32\find.exe
    find /i "ComputerSystem"
    3⤵
    PID:1972
- - C:\Windows\System32\cmd.exe
    cmd /v:on /c echo(^!param^!
    3⤵
    PID:4848
- - C:\Windows\System32\findstr.exe
    findstr /R "[| ` ~ ! @ % \^ & ( ) \[ \] { } + = ; ' , |]*^"
    3⤵
    PID:3104
- - C:\Windows\System32\reg.exe
    reg query HKU\S-1-5-19
    3⤵
    PID:1520
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /v Desktop
    3⤵
    PID:632
  - - C:\Windows\System32\reg.exe
      reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /v Desktop
      4⤵
      PID:2740
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ver
    3⤵
    PID:2056
- - C:\Windows\System32\reg.exe
    reg query "HKCU\SOFTWARE\Microsoft\Windows Script Host\Settings" /v Enabled
    3⤵
    PID:4460
- - C:\Windows\System32\find.exe
    find /i "0x0"
    3⤵
    PID:4284
- - C:\Windows\System32\reg.exe
    reg query "HKLM\SOFTWARE\Microsoft\Windows Script Host\Settings" /v Enabled
    3⤵
    PID:1784
- - C:\Windows\System32\find.exe
    find /i "0x0"
    3⤵
    PID:3112
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -NoProfile -nologo "If([Activator]::CreateInstance([Type]::GetTypeFromCLSID([Guid]'{DCB00C01-570F-4A9B-8D69-199FDBA5723B}')).IsConnectedToInternet){Exit 0}Else{Exit 1}"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3468
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -NoProfile "$t = New-Object Net.Sockets.TcpClient;try{$t.Connect("""kms9.MSGuides.com""", 1688)}catch{};$t.Connected"
    3⤵
    - Blocklisted process makes network request
    - Suspicious behavior: EnumeratesProcesses
    PID:4124
- - C:\Windows\System32\findstr.exe
    findstr /i true
    3⤵
    PID:1688
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c dir /b /ad C:\Windows\System32\spp\tokens\skus
    3⤵
    PID:408
- - C:\Windows\System32\sc.exe
    sc query osppsvc
    3⤵
    - Launches sc.exe
    PID:2164
- - C:\Windows\System32\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\CurrentVersion\Software Protection Platform" /v NoGenTicket /t REG_DWORD /d 1 /f
    3⤵
    PID:2692
- - C:\Windows\System32\reg.exe
    reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sppsvc.exe"
    3⤵
    PID:2308
- - C:\Windows\System32\sc.exe
    sc query sppsvc
    3⤵
    - Launches sc.exe
    PID:3936
- - C:\Windows\System32\find.exe
    find /i "STOPPED"
    3⤵
    PID:4264
- - C:\Windows\System32\net.exe
    net stop sppsvc /y
    3⤵
    PID:4960
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop sppsvc /y
      4⤵
      PID:4596
- - C:\Windows\System32\sc.exe
    sc query sppsvc
    3⤵
    - Launches sc.exe
    PID:4508
- - C:\Windows\System32\find.exe
    find /i "STOPPED"
    3⤵
    PID:4536
- - C:\Windows\System32\reg.exe
    reg add "HKLM\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform" /f /v KeyManagementServicePort /t REG_SZ /d "1688"
    3⤵
    PID:4772
- - C:\Windows\System32\reg.exe
    reg add "HKLM\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform" /f /v KeyManagementServiceName /t REG_SZ /d "kms9.MSGuides.com"
    3⤵
    PID:4544
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c REG QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages" /f "Microsoft-Windows-*Edition~31bf3856ad364e35" /k 2>nul | FIND /I "CurrentVersion"
    3⤵
    PID:3812
  - - C:\Windows\System32\reg.exe
      REG QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages" /f "Microsoft-Windows-*Edition~31bf3856ad364e35" /k
      4⤵
      PID:1076
  - - C:\Windows\System32\find.exe
      FIND /I "CurrentVersion"
      4⤵
      PID:1664
- - C:\Windows\System32\reg.exe
    REG QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Microsoft-Windows-ProfessionalEdition~31bf3856ad364e35~amd64~~10.0.19041.1288" /v "CurrentState"
    3⤵
    PID:1152
- - C:\Windows\System32\find.exe
    FIND /I "0x70"
    3⤵
    PID:1156
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c echo Microsoft-Windows-ProfessionalEdition~31bf3856ad364e35~amd64~~10.0.19041.1288
    3⤵
    PID:2904
- - C:\Windows\System32\reg.exe
    REG QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Microsoft-Windows-ProfessionalEdition~31bf3856ad364e35~amd64~~10.0.19041.264" /v "CurrentState"
    3⤵
    PID:3672
- - C:\Windows\System32\find.exe
    FIND /I "0x70"
    3⤵
    PID:3868
- - C:\Windows\System32\net.exe
    net start sppsvc /y
    3⤵
    PID:5004
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 start sppsvc /y
      4⤵
      PID:532
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path SoftwareLicensingProduct where (ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f' AND PartialProductKey is not NULL) get LicenseFamily /value" 2>nul
    3⤵
    PID:4304
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path SoftwareLicensingProduct where (ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f' AND PartialProductKey is not NULL) get LicenseFamily /value
      4⤵
      PID:5060
- - C:\Windows\System32\mode.com
    mode con:cols=92 lines=25
    3⤵
    PID:2812
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v ProductName 2>nul
    3⤵
    PID:5024
  - - C:\Windows\System32\reg.exe
      reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v ProductName
      4⤵
      PID:1632
- - C:\Windows\System32\reg.exe
    reg query HKLM\SOFTWARE\Microsoft\Office\ClickToRun /v InstallPath
    3⤵
    - Modifies registry key
    PID:1484
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg query HKLM\SOFTWARE\Microsoft\Office\ClickToRun /v InstallPath" 2>nul
    3⤵
    PID:836
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SOFTWARE\Microsoft\Office\ClickToRun /v InstallPath
      4⤵
      Modifies registry key
      PID:3004
- - C:\Windows\System32\reg.exe
    reg query HKLM\SOFTWARE\Microsoft\Office\ClickToRun\Configuration /v ProductReleaseIds
    3⤵
    - Modifies registry key
    PID:2304
- - C:\Windows\System32\reg.exe
    reg query HKLM\SOFTWARE\Microsoft\Office\15.0\ClickToRun /v InstallPath
    3⤵
    - Modifies registry key
    PID:3236
- - C:\Windows\System32\reg.exe
    reg query HKLM\SOFTWARE\Wow6432Node\Microsoft\Office\14.0\CVH /f Click2run /k
    3⤵
    - Modifies registry key
    PID:2280
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg query HKLM\SOFTWARE\Microsoft\Office\14.0\Common\InstallRoot /v Path" 2>nul
    3⤵
    PID:1676
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SOFTWARE\Microsoft\Office\14.0\Common\InstallRoot /v Path
      4⤵
      Modifies registry key
      PID:4280
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg query HKLM\SOFTWARE\Wow6432Node\Microsoft\Office\14.0\Common\InstallRoot /v Path" 2>nul
    3⤵
    PID:1916
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SOFTWARE\Wow6432Node\Microsoft\Office\14.0\Common\InstallRoot /v Path
      4⤵
      Modifies registry key
      PID:1964
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg query HKLM\SOFTWARE\Microsoft\Office\15.0\Common\InstallRoot /v Path" 2>nul
    3⤵
    PID:4888
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SOFTWARE\Microsoft\Office\15.0\Common\InstallRoot /v Path
      4⤵
      Modifies registry key
      PID:3416
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg query HKLM\SOFTWARE\Wow6432Node\Microsoft\Office\15.0\Common\InstallRoot /v Path" 2>nul
    3⤵
    PID:1004
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SOFTWARE\Wow6432Node\Microsoft\Office\15.0\Common\InstallRoot /v Path
      4⤵
      Modifies registry key
      PID:468
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg query HKLM\SOFTWARE\Microsoft\Office\16.0\Common\InstallRoot /v Path" 2>nul
    3⤵
    PID:1216
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SOFTWARE\Microsoft\Office\16.0\Common\InstallRoot /v Path
      4⤵
      Modifies registry key
      PID:2132
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg query HKLM\SOFTWARE\Wow6432Node\Microsoft\Office\16.0\Common\InstallRoot /v Path" 2>nul
    3⤵
    PID:3300
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SOFTWARE\Wow6432Node\Microsoft\Office\16.0\Common\InstallRoot /v Path
      4⤵
      Modifies registry key
      PID:3284
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg query HKLM\SOFTWARE\Microsoft\Office\ClickToRun\Configuration /v ProductReleaseIds
    3⤵
    PID:4224
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SOFTWARE\Microsoft\Office\ClickToRun\Configuration /v ProductReleaseIds
      4⤵
      Modifies registry key
      PID:1048
- - C:\Windows\System32\findstr.exe
    findstr /I /C:"MondoVolume" "C:\Windows\Temp\c2rchk.txt"
    3⤵
    PID:3172
- - C:\Windows\System32\findstr.exe
    findstr /I /C:"ProPlusVolume" "C:\Windows\Temp\c2rchk.txt"
    3⤵
    PID:4724
- - C:\Windows\System32\findstr.exe
    findstr /I /C:"ProjectProVolume" "C:\Windows\Temp\c2rchk.txt"
    3⤵
    PID:2716
- - C:\Windows\System32\findstr.exe
    findstr /I /C:"VisioProVolume" "C:\Windows\Temp\c2rchk.txt"
    3⤵
    PID:2984
- - C:\Windows\System32\findstr.exe
    findstr /I /C:"StandardVolume" "C:\Windows\Temp\c2rchk.txt"
    3⤵
    PID:2448
- - C:\Windows\System32\findstr.exe
    findstr /I /C:"ProjectStdVolume" "C:\Windows\Temp\c2rchk.txt"
    3⤵
    PID:3608
- - C:\Windows\System32\findstr.exe
    findstr /I /C:"VisioStdVolume" "C:\Windows\Temp\c2rchk.txt"
    3⤵
    PID:4368
- - C:\Windows\System32\findstr.exe
    findstr /I /C:"AccessVolume" "C:\Windows\Temp\c2rchk.txt"
    3⤵
    PID:4540
- - C:\Windows\System32\findstr.exe
    findstr /I /C:"SkypeforBusinessVolume" "C:\Windows\Temp\c2rchk.txt"
    3⤵
    PID:4916
- - C:\Windows\System32\findstr.exe
    findstr /I /C:"OneNoteVolume" "C:\Windows\Temp\c2rchk.txt"
    3⤵
    PID:4408
- - C:\Windows\System32\findstr.exe
    findstr /I /C:"PowerPointVolume" "C:\Windows\Temp\c2rchk.txt"
    3⤵
    PID:1236
- - C:\Windows\System32\findstr.exe
    findstr /I /C:"OutlookVolume" "C:\Windows\Temp\c2rchk.txt"
    3⤵
    PID:4360
- - C:\Windows\System32\findstr.exe
    findstr /I /C:"ExcelVolume" "C:\Windows\Temp\c2rchk.txt"
    3⤵
    PID:1068
- - C:\Windows\System32\findstr.exe
    findstr /I /C:"PublisherVolume" "C:\Windows\Temp\c2rchk.txt"
    3⤵
    PID:2312
- - C:\Windows\System32\findstr.exe
    findstr /I /C:"WordVolume" "C:\Windows\Temp\c2rchk.txt"
    3⤵
    PID:2964
- - C:\Windows\System32\findstr.exe
    findstr /I /C:"ProjectProXVolume" "C:\Windows\Temp\c2rchk.txt"
    3⤵
    PID:4064
- - C:\Windows\System32\findstr.exe
    findstr /I /C:"ProjectStdXVolume" "C:\Windows\Temp\c2rchk.txt"
    3⤵
    PID:3176
- - C:\Windows\System32\findstr.exe
    findstr /I /C:"VisioProXVolume" "C:\Windows\Temp\c2rchk.txt"
    3⤵
    PID:1056
- - C:\Windows\System32\findstr.exe
    findstr /I /C:"VisioStdXVolume" "C:\Windows\Temp\c2rchk.txt"
    3⤵
    PID:4860
- - C:\Windows\System32\findstr.exe
    findstr /I /C:"MondoRetail" "C:\Windows\Temp\c2rchk.txt"
    3⤵
    PID:4316
- - C:\Windows\System32\findstr.exe
    findstr /I /C:"ProPlusRetail" "C:\Windows\Temp\c2rchk.txt"
    3⤵
    PID:1164
- - C:\Windows\System32\findstr.exe
    findstr /I /C:"ProjectProRetail" "C:\Windows\Temp\c2rchk.txt"
    3⤵
    PID:4592
- - C:\Windows\System32\findstr.exe
    findstr /I /C:"VisioProRetail" "C:\Windows\Temp\c2rchk.txt"
    3⤵
    PID:4816
- - C:\Windows\System32\findstr.exe
    findstr /I /C:"StandardRetail" "C:\Windows\Temp\c2rchk.txt"
    3⤵
    PID:4244
- - C:\Windows\System32\findstr.exe
    findstr /I /C:"ProjectStdRetail" "C:\Windows\Temp\c2rchk.txt"
    3⤵
    PID:3720
- - C:\Windows\System32\findstr.exe
    findstr /I /C:"VisioStdRetail" "C:\Windows\Temp\c2rchk.txt"
    3⤵
    PID:3364
- - C:\Windows\System32\findstr.exe
    findstr /I /C:"AccessRetail" "C:\Windows\Temp\c2rchk.txt"
    3⤵
    PID:3904
- - C:\Windows\System32\findstr.exe
    findstr /I /C:"SkypeforBusinessRetail" "C:\Windows\Temp\c2rchk.txt"
    3⤵
    PID:2932
- - C:\Windows\System32\findstr.exe
    findstr /I /C:"OneNoteRetail" "C:\Windows\Temp\c2rchk.txt"
    3⤵
    PID:3968
- - C:\Windows\System32\findstr.exe
    findstr /I /C:"PowerPointRetail" "C:\Windows\Temp\c2rchk.txt"
    3⤵
    PID:3580
- - C:\Windows\System32\findstr.exe
    findstr /I /C:"OutlookRetail" "C:\Windows\Temp\c2rchk.txt"
    3⤵
    PID:4268
- - C:\Windows\System32\findstr.exe
    findstr /I /C:"ExcelRetail" "C:\Windows\Temp\c2rchk.txt"
    3⤵
    PID:404
- - C:\Windows\System32\findstr.exe
    findstr /I /C:"PublisherRetail" "C:\Windows\Temp\c2rchk.txt"
    3⤵
    PID:392
- - C:\Windows\System32\findstr.exe
    findstr /I /C:"WordRetail" "C:\Windows\Temp\c2rchk.txt"
    3⤵
    PID:1668
- - C:\Windows\System32\findstr.exe
    findstr /I /C:"ProfessionalRetail" "C:\Windows\Temp\c2rchk.txt"
    3⤵
    PID:4220
- - C:\Windows\System32\findstr.exe
    findstr /I /C:"HomeBusinessRetail" "C:\Windows\Temp\c2rchk.txt"
    3⤵
    PID:3304
- - C:\Windows\System32\findstr.exe
    findstr /I /C:"HomeStudentRetail" "C:\Windows\Temp\c2rchk.txt"
    3⤵
    PID:4384
- - C:\Windows\System32\findstr.exe
    findstr /I /C:"O365BusinessRetail" "C:\Windows\Temp\c2rchk.txt"
    3⤵
    PID:3048
- - C:\Windows\System32\findstr.exe
    findstr /I /C:"O365SmallBusPremRetail" "C:\Windows\Temp\c2rchk.txt"
    3⤵
    PID:3040
- - C:\Windows\System32\findstr.exe
    findstr /I /C:"O365HomePremRetail" "C:\Windows\Temp\c2rchk.txt"
    3⤵
    PID:4152
- - C:\Windows\System32\findstr.exe
    findstr /I /C:"O365EduCloudRetail" "C:\Windows\Temp\c2rchk.txt"
    3⤵
    PID:5092
- - C:\Windows\System32\reg.exe
    reg query HKLM\SOFTWARE\Microsoft\Office\ClickToRun\Configuration /v ProductReleaseIds
    3⤵
    - Modifies registry key
    PID:3840
- - C:\Windows\System32\findstr.exe
    findstr 2019
    3⤵
    PID:1956
- - C:\Windows\System32\reg.exe
    reg query HKLM\SOFTWARE\Microsoft\Office\ClickToRun\Configuration /v ProductReleaseIds
    3⤵
    - Modifies registry key
    PID:1600
- - C:\Windows\System32\findstr.exe
    findstr 2021
    3⤵
    PID:4920
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path SoftwareLicensingProduct where (Description like '%KMSCLIENT%' ) get Name /value
    3⤵
    PID:4848
- - C:\Windows\System32\findstr.exe
    findstr /i Windows
    3⤵
    PID:4252
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path SoftwareLicensingProduct where (ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f' and Description like '%KMSCLIENT%' and PartialProductKey is not NULL) get Name /value
    3⤵
    PID:3708
- - C:\Windows\System32\findstr.exe
    findstr /i Windows
    3⤵
    PID:1536
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path SoftwareLicensingProduct where (ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f' and Description like '%KMSCLIENT%' and PartialProductKey is not NULL) get GracePeriodRemaining /value" 2>nul
    3⤵
    PID:4460
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path SoftwareLicensingProduct where (ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f' and Description like '%KMSCLIENT%' and PartialProductKey is not NULL) get GracePeriodRemaining /value
      4⤵
      PID:864
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path SoftwareLicensingService get Version /value"
    3⤵
    PID:740
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path SoftwareLicensingService get Version /value
      4⤵
      PID:4008
- - C:\Windows\System32\reg.exe
    reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /f /v KeyManagementServiceName /t REG_SZ /d "kms9.MSGuides.com"
    3⤵
    PID:2660
- - C:\Windows\System32\reg.exe
    reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /f /v KeyManagementServicePort /t REG_SZ /d "1688"
    3⤵
    PID:1880
- - C:\Windows\System32\reg.exe
    reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /f /v KeyManagementServiceName /t REG_SZ /d "kms9.MSGuides.com" /reg:32
    3⤵
    PID:5028
- - C:\Windows\System32\reg.exe
    reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /f /v KeyManagementServicePort /t REG_SZ /d "1688" /reg:32
    3⤵
    PID:2864
- - C:\Windows\System32\reg.exe
    reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\0ff1ce15-a989-479d-af46-f275c6370663" /f /reg:32
    3⤵
    PID:2600
- - C:\Windows\System32\reg.exe
    reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\0ff1ce15-a989-479d-af46-f275c6370663" /f /v KeyManagementServiceName /t REG_SZ /d "kms9.MSGuides.com" /reg:32
    3⤵
    PID:4952
- - C:\Windows\System32\reg.exe
    reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\0ff1ce15-a989-479d-af46-f275c6370663" /f /v KeyManagementServicePort /t REG_SZ /d "1688" /reg:32
    3⤵
    PID:3476
- - C:\Windows\System32\reg.exe
    reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\0ff1ce15-a989-479d-af46-f275c6370663" /f
    3⤵
    PID:3128
- - C:\Windows\System32\reg.exe
    reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\0ff1ce15-a989-479d-af46-f275c6370663" /f /v KeyManagementServiceName /t REG_SZ /d "kms9.MSGuides.com"
    3⤵
    PID:4996
- - C:\Windows\System32\reg.exe
    reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\0ff1ce15-a989-479d-af46-f275c6370663" /f /v KeyManagementServicePort /t REG_SZ /d "1688"
    3⤵
    PID:2068
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path SoftwareLicensingProduct where (ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f' and Description like '%KMSCLIENT%' ) get ID /value"
    3⤵
    PID:1512
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path SoftwareLicensingProduct where (ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f' and Description like '%KMSCLIENT%' ) get ID /value
      4⤵
      PID:3736
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path SoftwareLicensingProduct where (ID='2de67392-b7a7-462a-b1ca-108dd189f588') get LicenseStatus /value
    3⤵
    PID:3264
- - C:\Windows\System32\findstr.exe
    findstr "1"
    3⤵
    PID:1620
- - C:\Windows\System32\reg.exe
    reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\55c92734-d682-4d71-983e-d6ec3f16059f\2de67392-b7a7-462a-b1ca-108dd189f588" /f
    3⤵
    PID:840
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path SoftwareLicensingProduct where (ID='2de67392-b7a7-462a-b1ca-108dd189f588') get Name /value"
    3⤵
    PID:4852
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path SoftwareLicensingProduct where (ID='2de67392-b7a7-462a-b1ca-108dd189f588') get Name /value
      4⤵
      PID:1736
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path SoftwareLicensingProduct where ID='2de67392-b7a7-462a-b1ca-108dd189f588' call Activate
    3⤵
    PID:1920
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path SoftwareLicensingProduct where (ID='2de67392-b7a7-462a-b1ca-108dd189f588') get GracePeriodRemaining /value"
    3⤵
    PID:4864
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path SoftwareLicensingProduct where (ID='2de67392-b7a7-462a-b1ca-108dd189f588') get GracePeriodRemaining /value
      4⤵
      PID:2748
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -NoProfile write-host -back Green -fore Black Product Activation Successful
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1076
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path SoftwareLicensingProduct where (ID='3f1afc82-f8ac-4f6c-8005-1d233e606eee') get LicenseStatus /value
    3⤵
    PID:4588
- - C:\Windows\System32\findstr.exe
    findstr "1"
    3⤵
    PID:5004
- - C:\Windows\System32\findstr.exe
    findstr /i "3f1afc82-f8ac-4f6c-8005-1d233e606eee"
    3⤵
    PID:1660
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path SoftwareLicensingProduct where (PartialProductKey is not NULL) get ID /value
    3⤵
    PID:3132
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path SoftwareLicensingProduct where (ID='73111121-5638-40f6-bc11-f1d7b0d64300') get LicenseStatus /value
    3⤵
    PID:3892
- - C:\Windows\System32\findstr.exe
    findstr "1"
    3⤵
    PID:4364
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path SoftwareLicensingProduct where (PartialProductKey is not NULL) get ID /value
    3⤵
    PID:2020
- - C:\Windows\System32\findstr.exe
    findstr /i "73111121-5638-40f6-bc11-f1d7b0d64300"
    3⤵
    PID:3004
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path SoftwareLicensingProduct where (ID='82bbc092-bc50-4e16-8e18-b74fc486aec3') get LicenseStatus /value
    3⤵
    PID:936
- - C:\Windows\System32\findstr.exe
    findstr "1"
    3⤵
    PID:3520
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path SoftwareLicensingProduct where (PartialProductKey is not NULL) get ID /value
    3⤵
    PID:4256
- - C:\Windows\System32\findstr.exe
    findstr /i "82bbc092-bc50-4e16-8e18-b74fc486aec3"
    3⤵
    PID:3912
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path SoftwareLicensingProduct where (ID='e0c42288-980c-4788-a014-c080d2e1926e') get LicenseStatus /value
    3⤵
    PID:1228
- - C:\Windows\System32\findstr.exe
    findstr "1"
    3⤵
    PID:4888
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path SoftwareLicensingProduct where (PartialProductKey is not NULL) get ID /value
    3⤵
    PID:2012
- - C:\Windows\System32\findstr.exe
    findstr /i "e0c42288-980c-4788-a014-c080d2e1926e"
    3⤵
    PID:4348
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path SoftwareLicensingProduct where (ID='e4db50ea-bda1-4566-b047-0ca50abc6f07') get LicenseStatus /value
    3⤵
    PID:5012
- - C:\Windows\System32\findstr.exe
    findstr "1"
    3⤵
    PID:1748
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path SoftwareLicensingProduct where (PartialProductKey is not NULL) get ID /value
    3⤵
    PID:1048
- - C:\Windows\System32\findstr.exe
    findstr /i "e4db50ea-bda1-4566-b047-0ca50abc6f07"
    3⤵
    PID:1772
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path SoftwareLicensingProduct where (ID='ec868e65-fadf-4759-b23e-93fe37f2cc29') get LicenseStatus /value
    3⤵
    PID:2716
- - C:\Windows\System32\findstr.exe
    findstr "1"
    3⤵
    PID:1372
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path SoftwareLicensingProduct where (PartialProductKey is not NULL) get ID /value
    3⤵
    PID:3608
- - C:\Windows\System32\findstr.exe
    findstr /i "ec868e65-fadf-4759-b23e-93fe37f2cc29"
    3⤵
    PID:4468
- - C:\Windows\System32\reg.exe
    reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /f /v DisableDnsPublishing
    3⤵
    PID:4916
- - C:\Windows\System32\reg.exe
    reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /f /v DisableKeyManagementServiceHostCaching
    3⤵
    PID:4408
- - C:\Windows\System32\sc.exe
    sc query sppsvc
    3⤵
    - Launches sc.exe
    PID:1068
- - C:\Windows\System32\find.exe
    find /i "STOPPED"
    3⤵
    PID:3328
- - C:\Windows\System32\net.exe
    net stop sppsvc /y
    3⤵
    PID:1236
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop sppsvc /y
      4⤵
      PID:2312
- - C:\Windows\System32\sc.exe
    sc query sppsvc
    3⤵
    - Launches sc.exe
    PID:1064
- - C:\Windows\System32\find.exe
    find /i "STOPPED"
    3⤵
    PID:4028
- - C:\Windows\System32\sc.exe
    sc start sppsvc trigger=timer;sessionid=0
    3⤵
    - Launches sc.exe
    PID:3244
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Powershell.exe -executionpolicy remotesigned -File disablex.ps1
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4552
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\01crkb4t\01crkb4t.cmdline"
      4⤵
      PID:404
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2E4B.tmp" "c:\Users\Admin\AppData\Local\Temp\01crkb4t\CSC82280957F2C3498C98FC74856EC85B4C.TMP"
        5⤵
        
        PID:4084
- - C:\Windows\System32\mode.com
    mode con: cols=90 lines=40
    3⤵
    PID:1668
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -noprofile "$W=(get-host).ui.rawui; $B=$W.buffersize; $B.height=90; $W.buffersize=$B"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4220
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "prompt #$H#$E# & echo on & for %b in (1) do rem"
    3⤵
    PID:3652
- - C:\Windows\System32\mode.com
    mode con cols=92 lines=35
    3⤵
    PID:1600
- - C:\Users\Admin\AppData\Local\Temp\2588\bin\center.exe
    center.exe kF5nJ4D92hfOpc8
    3⤵
    - Executes dropped EXE
    PID:1820
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c powershell -nop -c "(([WMISEARCHER]'Select Caption from Win32_OperatingSystem').Get()).Caption"
    3⤵
    PID:752
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -nop -c "(([WMISEARCHER]'Select Caption from Win32_OperatingSystem').Get()).Caption"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:1520
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c powershell -nop -c "(([WMISEARCHER]'Select Version from Win32_OperatingSystem').Get()).Version"
    3⤵
    PID:2172
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -nop -c "(([WMISEARCHER]'Select Version from Win32_OperatingSystem').Get()).Version"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:4656
- - C:\Windows\System32\mode.com
    mode con cols=92 lines=35
    3⤵
    PID:4996
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c time /t
    3⤵
    PID:2068
- - C:\Windows\System32\findstr.exe
    findstr /v /a:78 /R "^$" " KMS & KMS 2038 & Digital & Online Activation Suite v9.5 - mephistooo2 - www.TNCTR.com" nul
    3⤵
    PID:4116
- - C:\Windows\System32\findstr.exe
    findstr /v /a:6 /R "^$" " SUPPORT MICROSOFT PRUDUCTS" nul
    3⤵
    PID:3736
- - C:\Windows\System32\findstr.exe
    findstr /v /a:6 /R "^$" " [1] ACTIVATION START FOR WINDOWS & OFFICE (KMS Inject Method)" nul
    3⤵
    PID:5000
- - C:\Windows\System32\findstr.exe
    findstr /v /a:9 /R "^$" " [2] ACTIVATION START FOR WINDOWS 10-11 (Digital & KMS 2038 Activation Method)" nul
    3⤵
    PID:2164
- - C:\Windows\System32\findstr.exe
    findstr /v /a:2 /R "^$" " [3] ACTIVATION START FOR WINDOWS & OFFICE (Online Activation Method)" nul
    3⤵
    PID:1620
- - C:\Windows\System32\findstr.exe
    findstr /v /a:7 /R "^$" " [4] WINDOWS & OFFICE ACTIVATION STATUS CHECK" nul
    3⤵
    PID:4264
- - C:\Windows\System32\findstr.exe
    findstr /v /a:3 /R "^$" " [5] KMS & KMS 2038 & DIGITAL & ONLINE ACTIVATION VISIT WEBSITE" nul
    3⤵
    PID:4760
- - C:\Windows\System32\findstr.exe
    findstr /v /a:4 /R "^$" " [6] EXIT" nul
    3⤵
    PID:1736
- - C:\Windows\System32\choice.exe
    choice /C:123456 /N /M "YOUR CHOICE :"
    3⤵
    PID:3436
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\TEMPmessage.vbs"
    3⤵
    PID:4436
- C:\Windows\system32\xcopy.exe
  xcopy /s /h KMS_Suite 2588
  2⤵
  PID:440

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Powershell.exe -executionpolicy remotesigned -File disablex.ps1
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:968
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\2iiaabx3\2iiaabx3.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4444
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5340.tmp" "c:\Users\Admin\AppData\Local\Temp\2iiaabx3\CSC7DA2B19EB9C04B8E893526244A3ABFE1.TMP"
    3⤵
    PID:3500

C:\Windows\system32\mode.com
mode con cols=78 lines=6
1⤵
PID:4280

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -nop -c "(([WMISEARCHER]'Select Version from Win32_OperatingSystem').Get()).Version"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4308

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

File and Directory Permissions Modification

T1222

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
556084f2c6d459c116a69d6fedcc4105

SHA1
633e89b9a1e77942d822d14de6708430a3944dbc

SHA256
88cc4f40f0eb08ff5c487d6db341b046cc63b22534980aca66a9f8480692f3a8

SHA512
0f6557027b098e45556af93e0be1db9a49c6416dc4afcff2cc2135a8a1ad4f1cf7185541ddbe6c768aefaf2c1a8e52d5282a538d15822d19932f22316edd283e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
85e5e39f6a7ef03ebe973c41df304a2b

SHA1
ee67275ef877790ffc6dbec30bbcb1a9a0746c1a

SHA256
98e35da114ea99edc1ad2db73d689d30fa2a59a62068458dff2618e0851527cb

SHA512
12ee1f4730769c641ab6153b9dae2417b0e6e8dc1e1c468aa4a8a5c808fd78d249db86202d2e8366376372d55521f82cc551a251958b1c53ad8b424d472d46f8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
0f6a3762a04bbb03336fb66a040afb97

SHA1
0a0495c79f3c8f4cb349d82870ad9f98fbbaac74

SHA256
36e2fac0ab8aee32e193491c5d3df9374205e328a74de5648e7677eae7e1b383

SHA512
cc9ebc020ec18013f8ab4d6ca5a626d54db84f8dc2d97e538e33bb9a673344a670a2580346775012c85f204472f7f4dd25a34e59f1b827642a21db3325424b69

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
b023fb9840210bfbead6ae71adfdc141

SHA1
a23d036a11bb9f8ac6798b3bfae84fd3496ea5ec

SHA256
9a2834daa15f3adedbb4ab39f19910833aeac3b3562c342a946d77ea09bbf32e

SHA512
add4ebecce63aa2146f876cfd75d1d6a794d55252bb28f286110c961a9a6317e32efb37fec2a5e39641e7d4e7e3a949ab9d4510eaf07ff1e35dba6e98c4a3418

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
d8b9a260789a22d72263ef3bb119108c

SHA1
376a9bd48726f422679f2cd65003442c0b6f6dd5

SHA256
d69d47e428298f194850d14c3ce375e7926128a0bfb62c1e75940ab206f8fddc

SHA512
550314fab1e363851a7543c989996a440d95f7c9db9695cce5abaad64523f377f48790aa091d66368f50f941179440b1fa94448289ee514d5b5a2f4fe6225e9b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
446dd1cf97eaba21cf14d03aebc79f27

SHA1
36e4cc7367e0c7b40f4a8ace272941ea46373799

SHA256
a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf

SHA512
a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
1dffbab5ecc6d06e8b259ad505a0dc2a

SHA1
0938ec61e4af55d7ee9d12708fdc55c72ccb090c

SHA256
a9d2e6d35c5e9b94326042c6f2fe7ef381f25a0c02b8a559fc1ee888ccffb18e

SHA512
93209a16400574416f6f992c2d403acc399179fc911818c4967c9a0211924486878578d1c98ba3bc9e269012603c96ab118a291bf53c57d8af9ab48f9e7b9b76

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
d7deee7618235e759c8437a20e539d39

SHA1
d680de536f127115cb591051aa4c7c8dbda99eb8

SHA256
91ebe002c75425d65ef09b7692db5bfcd0150a9cd56e909e773b0657c49741fc

SHA512
0d9b3a68f5c7846d747c52f7b0067014689f99e3af5dc6934e0dc6a11e89dd872c9de7e73c744afd9585482a52ec570b5da645acb829461ecaa4746a026740e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\ KMS & KMS 2038 & Digital & Online Activation Suite v9.5 - mephistooo2 - www.TNCTR.com

Filesize
3B

MD5
df66fa563a2fafdb93cc559deb0a38c4

SHA1
e6666cf8574b0f7a9ae5bccee572f965c2aec9cb

SHA256
3e39ed22dc63246937c4dbbf34ce4fb1cfe6b00de7596b020cad49ae50031351

SHA512
34ea05ee75cd840a94526411777868edb293a69867e1fdc2c2e917d278a3d58fcb86afc65142f4b184ce6907f04fb254a86061cfb620f01874b0b454a6f01c18

Download Submit
C:\Users\Admin\AppData\Local\Temp\1

Filesize
273KB

MD5
2b6d8e1e450072798b678f8f6a8d623f

SHA1
42eca47fc83a233d237a5d082dc0d3316e408fca

SHA256
0297edf9bfc2d0c9e0c479185812a95258cec5d3a04262f5ba7b89990b32c847

SHA512
a75fec4977c8538aa1dc0dbfefc7681ea6b67396de5bb70dd78152d267202b634ae3c0389d4affa89bfc41d6e5505ce6ba86d433201419de8e3d3df3522661e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\2588\KMS_Suite.bat

Filesize
138KB

MD5
1d011778610d37abea44c8539dfb7d94

SHA1
cc24087866d58aa6d93a0a4fe9b7d192796bec07

SHA256
1719b3e603da1985efa521038d8d730c884585136c2ec0e74af3ade7c2180aa4

SHA512
11643572c7b4e8fda7f0f5fbe05a058501811090b116ee51fcefea3f8d99cb72c0955ed6fb705bcf4eeb85c0f913627c8f9bd5a245affcd489fe1c5c781088b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\2588\bin\Digital\OEM_Digital\$OEM$\$$\Setup\Scripts\SETUPCOMPLETE.bat

Filesize
341B

MD5
d401c5effa22436e0382bdd71b145ed3

SHA1
b2632b7e74c21d9791d2a7202beab9fcb878c46b

SHA256
cb02f5670b0f7f13d87a4df29879d275c23adcdc15f3345dedbbe4ccc3ba0231

SHA512
22b7d96c9022dfe114f2997866f2e5a23e135d6d61708483eb9342b90d1b521d45618ff8dfc821b9a08c1740fda54aedd1f95f54c1d80c882cbabb8fac8cd517

Download Submit
C:\Users\Admin\AppData\Local\Temp\2588\bin\Digital\OEM_KMS38\$OEM$\$$\Setup\Scripts\SETUPCOMPLETE.bat

Filesize
343B

MD5
0d2e7f7d3632f02a4f5f605ee9750f56

SHA1
b17e185829d03518be196fb37d801dfd8cc3f6af

SHA256
eeb96f5030386b06c8b11101f3beb740f2932e3e755f5e0f9da11d56d1cec69c

SHA512
4febee13af76e7f8adfbcb58470729d6b43870b5d94e8da28310c8546bd3c6eb6d769da2c0b07d61cd1ad16dc904dc75d48a80a394b029e09f79f02c19ebb10a

Download Submit
C:\Users\Admin\AppData\Local\Temp\2588\bin\Digital\bin\gatherosstate.exe

Filesize
330KB

MD5
15ce0753a16dd4f9b9f0f9926dd37c4e

SHA1
fabb5a0fc1e6a372219711152291339af36ed0b5

SHA256
028c8fbe58f14753b946475de9f09a9c7a05fd62e81a1339614c9e138fc2a21d

SHA512
4e5a6751f5f1f8499890e07a3b58c4040e43cf1329ab8f4a09201e1f247825e334e416717895f6e570842f3d2d6a137c77539c70545329c1ab3118bd83a38226

Download Submit
C:\Users\Admin\AppData\Local\Temp\2588\bin\Digital\bin\slc.dll

Filesize
7KB

MD5
f18dd5b638590be87ccd56fe338bed10

SHA1
da1afd97d92dd6026e7095ee7442a2144f78ed0b

SHA256
e7eca8c7476df70ef525ae55a0d8ccc715f22a727165a05fd4c380032cf763a9

SHA512
a3b3bbcdc3a3f83776793fd5b02578d59d38998f19a653467422e61127f063ad317d19857cd21e2723870cd1fdb6b0fe8dd436e07f2b93a7c9b4497f7e986662

Download Submit
C:\Users\Admin\AppData\Local\Temp\2588\bin\Inject\$OEM$\$$\Setup\Scripts\SETUPCOMPLETE.bat

Filesize
983B

MD5
d98118ac31e94e4d5f2a3baab1e4c777

SHA1
b5649576144d09fbb04bd616a9a1a78db1bad29b

SHA256
7c85f1b5724fa3fd960e3c2892b15546a007d70ad3cc57fd537399e1ce369de5

SHA512
b62dd33fa2dd791f3ad11c41528dae15ff51efedffa769245fe5ee8498dfcba4e5d4c90a117c2cb4b89269c868261206ec44d192a42dae723c51084fc5a3b031

Download Submit
C:\Users\Admin\AppData\Local\Temp\2588\bin\Inject\bin\A64.dll

Filesize
21KB

MD5
9d1554f10bf9eebc408a84400c75e6c0

SHA1
134d39e422f15922feae4081a6faeb2fc8b82be8

SHA256
9e25370c8cd4949689d33f9c67f65ea77349e2999a45bc9e5df33f5005ec1409

SHA512
727b332c6b2357f507db784f3cbdac945fa333ed1caaff7833271fdb82984673b4e46ac09071397ccddb75f1563f8c3374e86388ff70555893df3831a2f35a7d

Download Submit
C:\Users\Admin\AppData\Local\Temp\2588\bin\Inject\bin\KMS.xml

Filesize
3KB

MD5
672791216f102bdb76fb550adb0ea923

SHA1
e5fa7406143f7bb9aa28de777e62465ae55975bb

SHA256
0cb32bea8fc9ef6150e071049497b51750b8f4cb13cf83adac1f1357560f751a

SHA512
9801da8df68dad6f40e63c02b481463cb1b59e2d57f183b17e7168cbb96eafb95c98c226e196ba379b6cbde6bce911cecd8511ac40af76f5b35f705866f824b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\2588\bin\Inject\bin\cleanosppx64.exe

Filesize
19KB

MD5
162ab955cb2f002a73c1530aa796477f

SHA1
d30a0e4e5911d3ca705617d17225372731c770e2

SHA256
5ce462e5f34065fc878362ba58617fab28c22d631b9d836dddcf43fb1ad4de6e

SHA512
e0288dcf78092449d9cbaef4488041131925387c1aedc9e9512da0f66efe2fb68350ca3937f6715834e62e7c931c5dad0fc8bc3c6c0c3daedeff356d6feaac2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\2588\bin\Inject\bin\cleanosppx86.exe

Filesize
17KB

MD5
5fd363d52d04ac200cd24f3bcc903200

SHA1
39ed8659e7ca16aaccb86def94ce6cec4c847dd6

SHA256
3fdefe2ad092a9a7fe0edf0ac4dc2de7e5b9ce6a0804f6511c06564194966cf9

SHA512
f8ea73b0cb0a90fac6032a54028c60119022173334e68db3fbd63fe173032dd3fc3b438678064edb8c63d4eceaa72990ce039819df3d547d7d7627ad2eee36b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\2588\bin\Inject\bin\x64.dll

Filesize
20KB

MD5
a8f669ab8fad00bd193a82b8f62e7660

SHA1
1925f6f7b904d0289da8cdc55e84875f7739b0b1

SHA256
bcde6b7bbafa2b4eeb6c75f051b5949d27b49b4030e376a7838ba84e4e103daf

SHA512
1adaa8aaa55c7cf3d36435646aa8312cd62511edaa54f31160ef6ba4e8364f0a6cb9c0d9b96f796d777d0448b3a3fc8ae28ee213456c66dfeef046b40d57b897

Download Submit
C:\Users\Admin\AppData\Local\Temp\2588\bin\Inject\bin\x86.dll

Filesize
16KB

MD5
fee7e8f5472041f6b2c0e5d8f8d0da45

SHA1
063eeee055d4646e91e15ac6a785bd9c7bcaa10b

SHA256
c43ccfcc2f7ab3e2d229da6b1fb9715cc707991835108518cb0aa9a667ea15cc

SHA512
c535d5a68b99e9a8ea5b937d382a2827b99b37edaf55bd6af4e6196242575a4102ff2f14297ae6be875477df5a7f9997f3c3d00821fe8ea94d5bef08a157f8b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\2588\bin\center.exe

Filesize
72KB

MD5
0a847eafddc4529388e1a1b291354cf8

SHA1
adddd1b79c64c7c1d0d440df847be31ee94e664d

SHA256
69533d9b66b840b4764f901cd6a502d12453b604617a841f4c2c602fc87df255

SHA512
7b3ddb5be55367fc5fcfaa99f9a3b7f0888234c82146f3af6b012ff1feacf8b087cf53cce3e57492417a8e88657a045d948fedc07645e5a018604c158bd15710

Download Submit
C:\Users\Admin\AppData\Local\Temp\2588\bin\disablex.ps1

Filesize
1KB

MD5
522c0e01b280581a62954cf1e7971eaa

SHA1
4b8a66cd6839d05a3bd2732124a4441797940075

SHA256
2d2e271131e130688218b369cada1444807a0a65120df942a98e7887bdfe7201

SHA512
c9299b176f3279f1f37a9744d6361009daafe815a8e8b96e3d9dd0865ef9f938e3c33773fde3dac93f5d3cebc6b1d2952c02e0816a9b0ca5c8d0c6f19f3f1950

Download Submit
C:\Users\Admin\AppData\Local\Temp\2iiaabx3\2iiaabx3.dll

Filesize
3KB

MD5
ffee85565d5d1ead5e1b7313d34418a5

SHA1
0955780bf34181255597f7d65a5bac3688eb6020

SHA256
cf12d957ee7ba79f4383f6e444910ec20af971a48253cd2a29cb347988034c92

SHA512
fd25360a7a4ba96b3c80f67b5f36a4fe4a86b9cf47c2352cb941810c63c64f0c155bd1d520c6c006591d693680086eca3e4e14f226ef737238698c5c44137f1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\KMS_Suite\bin\Digital\OEM_Digital\$OEM$\$$\Setup\Scripts\digi.bat

Filesize
26KB

MD5
a9d3f449da7e990816be1d58417d4fe6

SHA1
9af0b5044a1d6d7d9c101dd73d34137512dde810

SHA256
11322fc30bc92eb4f1f6ea5ad6c2c9f2fe3204e017f8d7f4cdcfbf36e33e93ab

SHA512
b878f3543af1e1a4c66cff752be2b528c9e61c4fc7574b57abf869cc38de15a9b7736fd39c2c835b3bc6e74957771892b3e9b9a16335cf6be53434153be0d2fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\KMS_Suite\bin\Inject\$OEM$\$$\Setup\Scripts\run.bat

Filesize
136KB

MD5
53cb484e0b83961bdbf49435d8ece712

SHA1
5ef9d58a676eaf640e278c6482f782df5c1e5367

SHA256
9e9950ddf841b475bc81d4bcf7b621a07269c433361ecf5d8c2a959414f6fe04

SHA512
4fa8feb0aa516aef89ac6b1e543cfe6cade7d6aa07c044b90a646cfaabac7d82c100b6164b63253ba09f544b8ed18605b12be5942d0ad58dc2a42c995bd41a19

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES50B0.tmp

Filesize
1KB

MD5
ca44121c90b08cd7f3e9dec2ef3cc3bd

SHA1
034dca4b44f748b2830f1cb402f0c21b903ff2fc

SHA256
c8562c615cd776a5fc3085a320b7c7d4050556d08a06694a2e077242f7c6018e

SHA512
ddc082f1c4f1eb3bd6ecb6df4ccdf2b7e1656235be57ede6214d8713e7f478e984215fee9d79ffa085306de132e1298ace725f261def856e1787623927075388

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES5340.tmp

Filesize
1KB

MD5
72647416c8b0fbb01999665150a0068f

SHA1
04ea5801f76a217fe4fc903ac713f3bcfaa8a55e

SHA256
54cce41809a877ac02fc99388f3c2ced26b91162083678cad62164ae21446b80

SHA512
588496f6bded1735c3b62b9010bca7e70148293da86860235bb7674bf5c9906395cb4d45651c7af1c45b73bb6795ec52a1d4ad570154fe220fc9f450a8d456ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES6BE5.tmp

Filesize
1KB

MD5
8727bfcd5e9affdc7661c16e37175fc0

SHA1
f531f43bd338587ceb1d34a15571644d348f3cdb

SHA256
714a786bcbace412a9e7126a1d9b4bb1e6d29575f99be577112ff3ac18aa78a3

SHA512
30c5df8298f893ef9bcbaf03feaaba10799de82dd1ef927486a2f5a21807b0ea8412e76c8e06ec6636409e43c9dd54033d9b714bc4933762dd29f73d7cd94adb

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_yuwm2shf.tjw.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\cbylevlt\cbylevlt.dll

Filesize
3KB

MD5
0ca4827d086efac6f6141b4a8b47de82

SHA1
09756324cb8fb77c4f3374b91d2261f97e654e92

SHA256
81e626d99c16969b6e648bfa094f3e50f86c9ee994b7b4e5502f1d75e9c927d9

SHA512
290eba2f143e417fed2ca933e1da3e06c34ffebfd427de02b081cbf14a6261ad1966ea82b7b2162ed17b151c421ee022507a8dab2f13882ade2f745a42bfca18

Download Submit
C:\Users\Admin\AppData\Local\Temp\rg4bea22\rg4bea22.dll

Filesize
3KB

MD5
d78d9655d72b81f21d3eb8b5646495ae

SHA1
0091cafc2ef4fdb31fe3268c6e869faaa94f6252

SHA256
fc0a717de735650f63415dcecfbd7a5f99bd79cb9044ad3804b446a8f58d7a43

SHA512
5b2dd4fa960c99744d0cd208df8c62e988563fe1116ff2674ac9f416b1a13391b6f71f8fac68c3a89999bca5f85eb31910c565b532e5e484390ca74c1f8e0cb5

Download Submit
C:\Windows\Temp\c2rchk.txt

Filesize
15B

MD5
606d9abf768025ebe0b25958d417be6c

SHA1
81b33a8807f17530f00225d09943a30a2d2bc94d

SHA256
5e2af1accb0147d7d52f896091e14821abd697a04a67855eee2b8219281c8f9d

SHA512
e3ebded19b43b85453750127f866e92e6623509559bd30048da8685dc9f3a784a0cd0a0f36e64760f6cfb9e55145e560151e8ecfb97499dca9684d6f6fec0d1f

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\2iiaabx3\2iiaabx3.0.cs

Filesize
1KB

MD5
810a30d3e12a7bb7b78a5ec70fec88ee

SHA1
921dc2985f892a800c2bb00e9166d232e78accf4

SHA256
86a49c1dfe76226db0daa8be63437e41d76c379f6c8a80d77930b771a6780487

SHA512
6792ef5c81b717b90f2bd211973d52be6ff2677915e76c2bb21b44610b5803852bac0d90df32faf9a50636c67ebc516abf3a2ca4a37ceb411133527740d5543a

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\2iiaabx3\2iiaabx3.cmdline

Filesize
369B

MD5
b872a76c6fa663402fbfacfdd01cfdb0

SHA1
b075c0e351596105ab72056f21bb20c0f852d50a

SHA256
95173baa411ea325dd4a48782990cd3ba63ab792f2acfff02bbbb354a43a3cd1

SHA512
2f0e3a240cca12545953d5670099fd38fb6f75c4d22d5d9a62dcd80bb2c7a04bd7070e25eb328ad11797985518bc2499bb7e24353252f9511a8814bd249dbf3a

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\2iiaabx3\CSC7DA2B19EB9C04B8E893526244A3ABFE1.TMP

Filesize
652B

MD5
dceab7f964dcd49ba09043b25c495db4

SHA1
ec672e58ff240a298f60b927b72d19a46492c43a

SHA256
43e6751cf090bc83536f1620e757df3f7c767d542db4ce2fce2bfa6c4068ddbc

SHA512
925f28a04fc09d5f49a47a6b1833f30f643aa109803d83417e485a8dc1776cb5233599b7ff947a3e3062018caf496ee31cf08982974ccc23f662f62cfd547665

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\cbylevlt\CSCA0CFB9C5A1654677B5D469A835D8F5B.TMP

Filesize
652B

MD5
a9176d7d03aafb145e47eedb86edf2d7

SHA1
c1925a9c2b0ba86a65e6e39140df53f147f8b570

SHA256
098f64acea5512b88f8bc29803aa5306d96c3da4e45fb8acdbbc6304e5353522

SHA512
45e47f3745a5e20e503d02220ce05b1b5dc35b8ed7f72a48195167b711f9abeb647a8a16ca2b95cd91bdc6f916b52cf5d8f37a5abd9cd4e0a4af4bd1d49c823a

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\cbylevlt\cbylevlt.cmdline

Filesize
369B

MD5
24663cbf60067f2640fb737b4934c7c2

SHA1
00a125fa309b7e93f288616a038d0791843d01e7

SHA256
1394e671956d97a1e60b4a88988a369fdefb05eb3d7a5104e48a533df68b841e

SHA512
c5b39e8893da5e2a42397acd241628e0ee5f34a0cef150a621cd1dac2cf10ae9388c315870fc359d8a95a3def9b8631c545beea8c43bdddef772a6aff1bc4b6b

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\rg4bea22\CSCF511DB691DCD4DC08A19BF1ACAA98F2.TMP

Filesize
652B

MD5
ca59391b029e372f474c64c112e48e55

SHA1
184cc0f46accaa4aed2ea2d70b0c4cb07a8f13b4

SHA256
81c94ecd5a52bc488af7b87715533cf1a3d0948c3e3c5e7a6778e96890589264

SHA512
5f5e1ec71ae271e7020555e969684667f65c1db891d9a226c84ce84912a49ea65f3ceca1686e5d1881c5dc81aa136981adcdf826318a107febe62f677e801081

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\rg4bea22\rg4bea22.0.cs

Filesize
521B

MD5
047f0cf592670e8fca358f12e4cd5a89

SHA1
0cd8cdde668e7e64adb49e388e75e1136429e5f6

SHA256
32e77d9085ad9ea0fd1eb5a9556e29cb42f5d3016ccf9853f3c39d358f479978

SHA512
368b22e424520c272195d3264123fceb2dba549574ff7282c210ffb6d9e8f574b7392f199304f2adef974d4d926fbccb1ce50fbd8ad4e89f05cec58635357cc8

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\rg4bea22\rg4bea22.cmdline

Filesize
369B

MD5
8d4906592b4f35f00453e8a5b419d171

SHA1
426b2aed1a0e321e6b176e1f3c9e8c24a22af6a5

SHA256
30b3c4eb7a9bd7e5816dfde2200487081ddbf549a678f8af13a29f1554ea76be

SHA512
444bd38bc31213548f77f3e8106d7a827dd7f8f0823d8705f23d69b141ea52cb837fc4d8607b58699b7cf23b59d9a3e53eda84c6c2675813bb2de8ea7c17062d

Download Submit
memory/400-325-0x00007FFB4DB40000-0x00007FFB4E601000-memory.dmp

Filesize
10.8MB

Download
memory/400-317-0x00007FFB4DB40000-0x00007FFB4E601000-memory.dmp

Filesize
10.8MB

Download
memory/400-322-0x000002213A220000-0x000002213A230000-memory.dmp

Filesize
64KB

Download
memory/968-197-0x00007FFB4DB40000-0x00007FFB4E601000-memory.dmp

Filesize
10.8MB

Download
memory/968-179-0x0000024544AB0000-0x0000024544AC0000-memory.dmp

Filesize
64KB

Download
memory/968-174-0x0000024544AB0000-0x0000024544AC0000-memory.dmp

Filesize
64KB

Download
memory/968-168-0x00007FFB4DB40000-0x00007FFB4E601000-memory.dmp

Filesize
10.8MB

Download
memory/968-194-0x0000024544A90000-0x0000024544A98000-memory.dmp

Filesize
32KB

Download
memory/1404-10-0x00007FFB4DB40000-0x00007FFB4E601000-memory.dmp

Filesize
10.8MB

Download
memory/1404-11-0x0000026CA0AA0000-0x0000026CA0AB0000-memory.dmp

Filesize
64KB

Download
memory/1404-0-0x0000026CBB290000-0x0000026CBB2B2000-memory.dmp

Filesize
136KB

Download
memory/1404-12-0x0000026CA0AA0000-0x0000026CA0AB0000-memory.dmp

Filesize
64KB

Download
memory/1404-89-0x00007FFB4DB40000-0x00007FFB4E601000-memory.dmp

Filesize
10.8MB

Download
memory/1404-25-0x0000026CA2800000-0x0000026CA2808000-memory.dmp

Filesize
32KB

Download
memory/1492-198-0x00007FFB4DB40000-0x00007FFB4E601000-memory.dmp

Filesize
10.8MB

Download
memory/1492-199-0x0000028237AE0000-0x0000028237AF0000-memory.dmp

Filesize
64KB

Download
memory/1492-200-0x0000028237AE0000-0x0000028237AF0000-memory.dmp

Filesize
64KB

Download
memory/1492-212-0x00007FFB4DB40000-0x00007FFB4E601000-memory.dmp

Filesize
10.8MB

Download
memory/1604-326-0x00007FFB4DB40000-0x00007FFB4E601000-memory.dmp

Filesize
10.8MB

Download
memory/1604-338-0x00007FFB4DB40000-0x00007FFB4E601000-memory.dmp

Filesize
10.8MB

Download
memory/2444-311-0x00007FFB4D760000-0x00007FFB4E221000-memory.dmp

Filesize
10.8MB

Download
memory/2444-299-0x000001FBA70B0000-0x000001FBA70C0000-memory.dmp

Filesize
64KB

Download
memory/2444-298-0x000001FBA70B0000-0x000001FBA70C0000-memory.dmp

Filesize
64KB

Download
memory/2444-297-0x00007FFB4D760000-0x00007FFB4E221000-memory.dmp

Filesize
10.8MB

Download
memory/2484-348-0x00007FFB4DB40000-0x00007FFB4E601000-memory.dmp

Filesize
10.8MB

Download
memory/2484-349-0x000001D1D4A50000-0x000001D1D4A60000-memory.dmp

Filesize
64KB

Download
memory/2484-366-0x00007FFB4DB40000-0x00007FFB4E601000-memory.dmp

Filesize
10.8MB

Download
memory/2484-363-0x000001D1D49A0000-0x000001D1D49A8000-memory.dmp

Filesize
32KB

Download
memory/2688-394-0x000002A098310000-0x000002A098320000-memory.dmp

Filesize
64KB

Download
memory/2688-393-0x000002A098310000-0x000002A098320000-memory.dmp

Filesize
64KB

Download
memory/2688-396-0x00007FFB4DB40000-0x00007FFB4E601000-memory.dmp

Filesize
10.8MB

Download
memory/2688-392-0x00007FFB4DB40000-0x00007FFB4E601000-memory.dmp

Filesize
10.8MB

Download
memory/2928-290-0x00000178C3F00000-0x00000178C3F10000-memory.dmp

Filesize
64KB

Download
memory/2928-288-0x00007FFB4D810000-0x00007FFB4E2D1000-memory.dmp

Filesize
10.8MB

Download
memory/2928-289-0x00000178C3F00000-0x00000178C3F10000-memory.dmp

Filesize
64KB

Download
memory/2928-292-0x00007FFB4D810000-0x00007FFB4E2D1000-memory.dmp

Filesize
10.8MB

Download
memory/3468-420-0x000001B889680000-0x000001B889690000-memory.dmp

Filesize
64KB

Download
memory/3468-419-0x00007FFB4DB40000-0x00007FFB4E601000-memory.dmp

Filesize
10.8MB

Download
memory/3468-421-0x000001B889680000-0x000001B889690000-memory.dmp

Filesize
64KB

Download
memory/3468-432-0x00007FFB4DB40000-0x00007FFB4E601000-memory.dmp

Filesize
10.8MB

Download
memory/3484-273-0x00007FFB4D810000-0x00007FFB4E2D1000-memory.dmp

Filesize
10.8MB

Download
memory/3484-274-0x000001A9ABD60000-0x000001A9ABD70000-memory.dmp

Filesize
64KB

Download
memory/3484-275-0x000001A9ABD60000-0x000001A9ABD70000-memory.dmp

Filesize
64KB

Download
memory/3484-277-0x00007FFB4D810000-0x00007FFB4E2D1000-memory.dmp

Filesize
10.8MB

Download
memory/3724-367-0x00007FFB4DB40000-0x00007FFB4E601000-memory.dmp

Filesize
10.8MB

Download
memory/3724-373-0x0000014363B50000-0x0000014363B60000-memory.dmp

Filesize
64KB

Download
memory/3724-379-0x0000014363B50000-0x0000014363B60000-memory.dmp

Filesize
64KB

Download
memory/3724-381-0x00007FFB4DB40000-0x00007FFB4E601000-memory.dmp

Filesize
10.8MB

Download
memory/3932-397-0x00007FFB4DB40000-0x00007FFB4E601000-memory.dmp

Filesize
10.8MB

Download
memory/3932-398-0x000002171EF00000-0x000002171EF10000-memory.dmp

Filesize
64KB

Download
memory/3932-399-0x000002171EF00000-0x000002171EF10000-memory.dmp

Filesize
64KB

Download
memory/3932-410-0x00007FFB4DB40000-0x00007FFB4E601000-memory.dmp

Filesize
10.8MB

Download
memory/4124-433-0x00007FFB4DB40000-0x00007FFB4E601000-memory.dmp

Filesize
10.8MB

Download
memory/4124-446-0x00007FFB4DB40000-0x00007FFB4E601000-memory.dmp

Filesize
10.8MB

Download
memory/4124-440-0x0000027772D90000-0x0000027772DA0000-memory.dmp

Filesize
64KB

Download
memory/4124-439-0x0000027772D90000-0x0000027772DA0000-memory.dmp

Filesize
64KB

Download
memory/4308-241-0x00007FFB4DB40000-0x00007FFB4E601000-memory.dmp

Filesize
10.8MB

Download
memory/4308-242-0x00000159522A0000-0x00000159522B0000-memory.dmp

Filesize
64KB

Download
memory/4308-245-0x00007FFB4DB40000-0x00007FFB4E601000-memory.dmp

Filesize
10.8MB

Download
memory/4308-243-0x00000159522A0000-0x00000159522B0000-memory.dmp

Filesize
64KB

Download
memory/4360-226-0x00007FFB4DB40000-0x00007FFB4E601000-memory.dmp

Filesize
10.8MB

Download
memory/4360-230-0x00007FFB4DB40000-0x00007FFB4E601000-memory.dmp

Filesize
10.8MB

Download
memory/4360-228-0x000001ACD55C0000-0x000001ACD55D0000-memory.dmp

Filesize
64KB

Download
memory/4360-227-0x000001ACD55C0000-0x000001ACD55D0000-memory.dmp

Filesize
64KB

Download