95f54b0f4add55b7b2e444dab06935ffb18973432425ad7ae522061fb7932ccf

General

Target

Activate.cmd
Size

156KB
MD5

7384e2dd276375e071b65aac49861d76
SHA1

cdc5c06a00ec5b530cedcdcb90107b8c07b6d553
SHA256

95f54b0f4add55b7b2e444dab06935ffb18973432425ad7ae522061fb7932ccf
SHA512

3f47fe1772096810349b2b4334aaa74a6de33fb38b4117b1256269e79be4b6382cfb344e4b85d5f5005aa7473a3d0c3effa09ebdc68241d4f72fa8127f8f8820
SSDEEP

1536:KPb6vWkuac+4GWjsisxsGLaNQgEMTV62m0KHzGnFSZVUQG4x0j+E0tNIZleyiGRD:qbguYMTVFpGzGnFSW4xiiIAa

Score

8^/10

evasion execution

Malware Config

Signatures

Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002
Launches sc.exe 10 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exe

pid process

2056 sc.exe
3872 sc.exe
4780 sc.exe
1596 sc.exe
2824 sc.exe
2148 sc.exe
3988 sc.exe
1668 sc.exe
4936 sc.exe
1440 sc.exe

pid	process
2056	sc.exe
3872	sc.exe
4780	sc.exe
1596	sc.exe
2824	sc.exe
2148	sc.exe
3988	sc.exe
1668	sc.exe
4936	sc.exe
1440	sc.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Integrator.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	Integrator.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	Integrator.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Integrator.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

Integrator.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	Integrator.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	Integrator.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	Integrator.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

reg.exe

description	ioc	process
Key deleted	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\0ff1ce15-a989-479d-af46-f275c6370663	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\0ff1ce15-a989-479d-af46-f275c6370663\85dd8b5f-eaa4-4af3-a628-cce9e77c9a03	reg.exe

Modifies registry key 1 TTPs 31 IoCs

Modify Registry

T1112

Processes:

reg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exe

pid	process
4936	reg.exe
3152	reg.exe
3280	reg.exe
3712	reg.exe
3240	reg.exe
2276	reg.exe
4808	reg.exe
3528	reg.exe
2936	reg.exe
3144	reg.exe
2936	reg.exe
4976	reg.exe
2684	reg.exe
2884	reg.exe
5052	reg.exe
2400	reg.exe
2756	reg.exe
2956	reg.exe
3048	reg.exe
1320	reg.exe
2816	reg.exe
2808	reg.exe
2296	reg.exe
3716	reg.exe
2880	reg.exe
1100	reg.exe
2700	reg.exe
1920	reg.exe
2876	reg.exe
2000	reg.exe
3152	reg.exe

Runs net.exe
Runs ping.exe 1 TTPs 6 IoCs

Remote System Discovery
T1018

Processes:

PING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXE

pid process

3288 PING.EXE
1996 PING.EXE
4120 PING.EXE
3552 PING.EXE
4132 PING.EXE
1636 PING.EXE
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

powershell.exe

pid process

460 powershell.exe
460 powershell.exe

pid	process
3288	PING.EXE
1996	PING.EXE
4120	PING.EXE
3552	PING.EXE
4132	PING.EXE
1636	PING.EXE

pid	process
460	powershell.exe
460	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

WMIC.exeWMIC.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	2876	WMIC.exe
Token: SeSecurityPrivilege	2876	WMIC.exe
Token: SeTakeOwnershipPrivilege	2876	WMIC.exe
Token: SeLoadDriverPrivilege	2876	WMIC.exe
Token: SeSystemProfilePrivilege	2876	WMIC.exe
Token: SeSystemtimePrivilege	2876	WMIC.exe
Token: SeProfSingleProcessPrivilege	2876	WMIC.exe
Token: SeIncBasePriorityPrivilege	2876	WMIC.exe
Token: SeCreatePagefilePrivilege	2876	WMIC.exe
Token: SeBackupPrivilege	2876	WMIC.exe
Token: SeRestorePrivilege	2876	WMIC.exe
Token: SeShutdownPrivilege	2876	WMIC.exe
Token: SeDebugPrivilege	2876	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2876	WMIC.exe
Token: SeRemoteShutdownPrivilege	2876	WMIC.exe
Token: SeUndockPrivilege	2876	WMIC.exe
Token: SeManageVolumePrivilege	2876	WMIC.exe
Token: 33	2876	WMIC.exe
Token: 34	2876	WMIC.exe
Token: 35	2876	WMIC.exe
Token: 36	2876	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2876	WMIC.exe
Token: SeSecurityPrivilege	2876	WMIC.exe
Token: SeTakeOwnershipPrivilege	2876	WMIC.exe
Token: SeLoadDriverPrivilege	2876	WMIC.exe
Token: SeSystemProfilePrivilege	2876	WMIC.exe
Token: SeSystemtimePrivilege	2876	WMIC.exe
Token: SeProfSingleProcessPrivilege	2876	WMIC.exe
Token: SeIncBasePriorityPrivilege	2876	WMIC.exe
Token: SeCreatePagefilePrivilege	2876	WMIC.exe
Token: SeBackupPrivilege	2876	WMIC.exe
Token: SeRestorePrivilege	2876	WMIC.exe
Token: SeShutdownPrivilege	2876	WMIC.exe
Token: SeDebugPrivilege	2876	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2876	WMIC.exe
Token: SeRemoteShutdownPrivilege	2876	WMIC.exe
Token: SeUndockPrivilege	2876	WMIC.exe
Token: SeManageVolumePrivilege	2876	WMIC.exe
Token: 33	2876	WMIC.exe
Token: 34	2876	WMIC.exe
Token: 35	2876	WMIC.exe
Token: 36	2876	WMIC.exe
Token: SeIncreaseQuotaPrivilege	644	WMIC.exe
Token: SeSecurityPrivilege	644	WMIC.exe
Token: SeTakeOwnershipPrivilege	644	WMIC.exe
Token: SeLoadDriverPrivilege	644	WMIC.exe
Token: SeSystemProfilePrivilege	644	WMIC.exe
Token: SeSystemtimePrivilege	644	WMIC.exe
Token: SeProfSingleProcessPrivilege	644	WMIC.exe
Token: SeIncBasePriorityPrivilege	644	WMIC.exe
Token: SeCreatePagefilePrivilege	644	WMIC.exe
Token: SeBackupPrivilege	644	WMIC.exe
Token: SeRestorePrivilege	644	WMIC.exe
Token: SeShutdownPrivilege	644	WMIC.exe
Token: SeDebugPrivilege	644	WMIC.exe
Token: SeSystemEnvironmentPrivilege	644	WMIC.exe
Token: SeRemoteShutdownPrivilege	644	WMIC.exe
Token: SeUndockPrivilege	644	WMIC.exe
Token: SeManageVolumePrivilege	644	WMIC.exe
Token: 33	644	WMIC.exe
Token: 34	644	WMIC.exe
Token: 35	644	WMIC.exe
Token: 36	644	WMIC.exe
Token: SeIncreaseQuotaPrivilege	644	WMIC.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Integrator.exe

pid process

4976 Integrator.exe

pid	process
4976	Integrator.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

cmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 3324 wrote to memory of 3032	3324	cmd.exe	findstr.exe
PID 3324 wrote to memory of 3032	3324	cmd.exe	findstr.exe
PID 3324 wrote to memory of 4848	3324	cmd.exe	cmd.exe
PID 3324 wrote to memory of 4848	3324	cmd.exe	cmd.exe
PID 3324 wrote to memory of 2956	3324	cmd.exe	reg.exe
PID 3324 wrote to memory of 2956	3324	cmd.exe	reg.exe
PID 3324 wrote to memory of 2732	3324	cmd.exe	find.exe
PID 3324 wrote to memory of 2732	3324	cmd.exe	find.exe
PID 3324 wrote to memory of 3800	3324	cmd.exe	cmd.exe
PID 3324 wrote to memory of 3800	3324	cmd.exe	cmd.exe
PID 3800 wrote to memory of 1976	3800	cmd.exe	cmd.exe
PID 3800 wrote to memory of 1976	3800	cmd.exe	cmd.exe
PID 3800 wrote to memory of 3712	3800	cmd.exe	cmd.exe
PID 3800 wrote to memory of 3712	3800	cmd.exe	cmd.exe
PID 3324 wrote to memory of 2168	3324	cmd.exe	cmd.exe
PID 3324 wrote to memory of 2168	3324	cmd.exe	cmd.exe
PID 3324 wrote to memory of 3600	3324	cmd.exe	find.exe
PID 3324 wrote to memory of 3600	3324	cmd.exe	find.exe
PID 3324 wrote to memory of 1772	3324	cmd.exe	reg.exe
PID 3324 wrote to memory of 1772	3324	cmd.exe	reg.exe
PID 3324 wrote to memory of 2876	3324	cmd.exe	WMIC.exe
PID 3324 wrote to memory of 2876	3324	cmd.exe	WMIC.exe
PID 3324 wrote to memory of 2884	3324	cmd.exe	find.exe
PID 3324 wrote to memory of 2884	3324	cmd.exe	find.exe
PID 3324 wrote to memory of 2936	3324	cmd.exe	reg.exe
PID 3324 wrote to memory of 2936	3324	cmd.exe	reg.exe
PID 3324 wrote to memory of 2552	3324	cmd.exe	find.exe
PID 3324 wrote to memory of 2552	3324	cmd.exe	find.exe
PID 3324 wrote to memory of 4976	3324	cmd.exe	reg.exe
PID 3324 wrote to memory of 4976	3324	cmd.exe	reg.exe
PID 3324 wrote to memory of 2400	3324	cmd.exe	find.exe
PID 3324 wrote to memory of 2400	3324	cmd.exe	find.exe
PID 3324 wrote to memory of 2708	3324	cmd.exe	cmd.exe
PID 3324 wrote to memory of 2708	3324	cmd.exe	cmd.exe
PID 2708 wrote to memory of 2300	2708	cmd.exe	reg.exe
PID 2708 wrote to memory of 2300	2708	cmd.exe	reg.exe
PID 3324 wrote to memory of 3716	3324	cmd.exe	reg.exe
PID 3324 wrote to memory of 3716	3324	cmd.exe	reg.exe
PID 3324 wrote to memory of 2036	3324	cmd.exe	find.exe
PID 3324 wrote to memory of 2036	3324	cmd.exe	find.exe
PID 3324 wrote to memory of 5032	3324	cmd.exe	reg.exe
PID 3324 wrote to memory of 5032	3324	cmd.exe	reg.exe
PID 3324 wrote to memory of 3540	3324	cmd.exe	find.exe
PID 3324 wrote to memory of 3540	3324	cmd.exe	find.exe
PID 3324 wrote to memory of 4784	3324	cmd.exe	mode.com
PID 3324 wrote to memory of 4784	3324	cmd.exe	mode.com
PID 3324 wrote to memory of 4656	3324	cmd.exe	choice.exe
PID 3324 wrote to memory of 4656	3324	cmd.exe	choice.exe
PID 3324 wrote to memory of 3884	3324	cmd.exe	reg.exe
PID 3324 wrote to memory of 3884	3324	cmd.exe	reg.exe
PID 3324 wrote to memory of 760	3324	cmd.exe	reg.exe
PID 3324 wrote to memory of 760	3324	cmd.exe	reg.exe
PID 3324 wrote to memory of 788	3324	cmd.exe	reg.exe
PID 3324 wrote to memory of 788	3324	cmd.exe	reg.exe
PID 3324 wrote to memory of 644	3324	cmd.exe	WMIC.exe
PID 3324 wrote to memory of 644	3324	cmd.exe	WMIC.exe
PID 3324 wrote to memory of 1452	3324	cmd.exe	find.exe
PID 3324 wrote to memory of 1452	3324	cmd.exe	find.exe
PID 3324 wrote to memory of 3428	3324	cmd.exe	cmd.exe
PID 3324 wrote to memory of 3428	3324	cmd.exe	cmd.exe
PID 3428 wrote to memory of 4800	3428	cmd.exe	reg.exe
PID 3428 wrote to memory of 4800	3428	cmd.exe	reg.exe
PID 3324 wrote to memory of 3780	3324	cmd.exe	cmd.exe
PID 3324 wrote to memory of 3780	3324	cmd.exe	cmd.exe

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Activate.cmd"
1⤵
- Suspicious use of WriteProcessMemory
PID:3324

C:\Windows\System32\findstr.exe
findstr /rxc:".*" "Activate.cmd"
2⤵
PID:3032

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ver
2⤵
PID:4848

C:\Windows\System32\reg.exe
reg query "HKCU\Console" /v ForceV2
2⤵
PID:2956

C:\Windows\System32\find.exe
find /i "0x0"
2⤵
PID:2732

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c echo prompt $E | cmd
2⤵
- Suspicious use of WriteProcessMemory
PID:3800

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo prompt $E "
3⤵
PID:1976

C:\Windows\System32\cmd.exe
cmd
3⤵
PID:3712

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo "C:\Users\Admin\AppData\Local\Temp\Activate.cmd" "
2⤵
PID:2168

C:\Windows\System32\find.exe
find /i "C:\Users\Admin\AppData\Local\Temp"
2⤵
PID:3600

C:\Windows\System32\reg.exe
reg query HKU\S-1-5-19
2⤵
PID:1772

C:\Windows\System32\wbem\WMIC.exe
wmic path Win32_ComputerSystem get CreationClassName /value
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2876

C:\Windows\System32\find.exe
find /i "ComputerSystem"
2⤵
PID:2884

C:\Windows\System32\reg.exe
reg query "HKCU\SOFTWARE\Microsoft\Windows Script Host\Settings" /v Enabled
2⤵
PID:2936

C:\Windows\System32\find.exe
find /i "0x0"
2⤵
PID:2552

C:\Windows\System32\reg.exe
reg query "HKLM\SOFTWARE\Microsoft\Windows Script Host\Settings" /v Enabled
2⤵
PID:4976

C:\Windows\System32\find.exe
find /i "0x0"
2⤵
PID:2400

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment" /v PROCESSOR_ARCHITECTURE
2⤵
- Suspicious use of WriteProcessMemory
PID:2708

C:\Windows\System32\reg.exe
reg query "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment" /v PROCESSOR_ARCHITECTURE
3⤵
PID:2300

C:\Windows\System32\reg.exe
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\taskcache\tasks" /f Path /s
2⤵
PID:3716

C:\Windows\System32\find.exe
find /i "\Activation-Renewal"
2⤵
PID:2036

C:\Windows\System32\reg.exe
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\taskcache\tasks" /f Path /s
2⤵
PID:5032

C:\Windows\System32\find.exe
find /i "\Online_KMS_Activation_Script-Renewal"
2⤵
PID:3540

C:\Windows\System32\mode.com
mode con: cols=76 lines=30
2⤵
PID:4784

C:\Windows\System32\choice.exe
choice /C:1234567 /N
2⤵
PID:4656

C:\Windows\System32\reg.exe
reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.exe" /f
2⤵
PID:3884

C:\Windows\System32\reg.exe
reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sppsvc.exe" /f
2⤵
PID:760

C:\Windows\System32\reg.exe
reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osppsvc.exe" /f
2⤵
PID:788

C:\Windows\System32\Wbem\WMIC.exe
wmic path Win32_ComputerSystem get CreationClassName /value
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:644

C:\Windows\System32\find.exe
find /i "ComputerSystem"
2⤵
PID:1452

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /v Desktop
2⤵
- Suspicious use of WriteProcessMemory
PID:3428

C:\Windows\System32\reg.exe
reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /v Desktop
3⤵
PID:4800

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ver
2⤵
PID:3780

C:\Windows\System32\mode.com
mode con cols=98 lines=31
2⤵
PID:2112

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe "&{$W=$Host.UI.RawUI.WindowSize;$B=$Host.UI.RawUI.BufferSize;$W.Height=31;$B.Height=300;$Host.UI.RawUI.WindowSize=$W;$Host.UI.RawUI.BufferSize=$B;}"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:460

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ping -n 1 win.kms.pub
2⤵
PID:4496

C:\Windows\System32\PING.EXE
ping -n 1 win.kms.pub
3⤵
- Runs ping.exe
PID:1996

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ping -4 -n 1 kms.cary.tech 2>nul
2⤵
PID:784

C:\Windows\System32\PING.EXE
ping -4 -n 1 kms.cary.tech
3⤵
- Runs ping.exe
PID:4120

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c pathping -4 -h 1 -n -p 1 -q 1 -w 1 kms.cary.tech 2>nul
2⤵
PID:1648

C:\Windows\System32\PATHPING.EXE
pathping -4 -h 1 -n -p 1 -q 1 -w 1 kms.cary.tech
3⤵
PID:4472

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ping -4 -n 1 kms.zhuxiaole.org 2>nul
2⤵
PID:2404

C:\Windows\System32\PING.EXE
ping -4 -n 1 kms.zhuxiaole.org
3⤵
- Runs ping.exe
PID:3552

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dir /b /ad C:\Windows\System32\spp\tokens\skus
2⤵
PID:2748

C:\Windows\System32\sc.exe
sc query osppsvc
2⤵
- Launches sc.exe
PID:3988

C:\Windows\System32\reg.exe
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sppsvc.exe"
2⤵
PID:4952

C:\Windows\System32\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\CurrentVersion\Software Protection Platform" /v NoGenTicket /t REG_DWORD /d 1 /f
2⤵
PID:956

C:\Windows\System32\sc.exe
sc query sppsvc
2⤵
- Launches sc.exe
PID:3872

C:\Windows\System32\find.exe
find /i "STOPPED"
2⤵
PID:3084

C:\Windows\System32\net.exe
net stop sppsvc /y
2⤵
PID:3548

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop sppsvc /y
3⤵
PID:5000

C:\Windows\System32\sc.exe
sc query sppsvc
2⤵
- Launches sc.exe
PID:1668

C:\Windows\System32\find.exe
find /i "STOPPED"
2⤵
PID:2284

C:\Windows\System32\sc.exe
sc stop sppsvc
2⤵
- Launches sc.exe
PID:4780

C:\Windows\System32\reg.exe
reg add "HKLM\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform" /f /v KeyManagementServiceName /t REG_SZ /d "202.5.28.218"
2⤵
PID:3132

C:\Windows\System32\reg.exe
reg add "HKLM\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform" /f /v KeyManagementServicePort /t REG_SZ /d "1688"
2⤵
PID:1736

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages" /f "Microsoft-Windows-*Edition~31bf3856ad364e35" /k 2>nul | FIND /I "CurrentVersion"
2⤵
PID:4752

C:\Windows\System32\reg.exe
REG QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages" /f "Microsoft-Windows-*Edition~31bf3856ad364e35" /k
3⤵
PID:5048

C:\Windows\System32\find.exe
FIND /I "CurrentVersion"
3⤵
PID:5040

C:\Windows\System32\reg.exe
REG QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Microsoft-Windows-ProfessionalEdition~31bf3856ad364e35~amd64~~10.0.22000.318" /v "CurrentState"
2⤵
PID:424

C:\Windows\System32\find.exe
FIND /I "0x70"
2⤵
PID:1396

C:\Windows\System32\reg.exe
REG QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Microsoft-Windows-ProfessionalEdition~31bf3856ad364e35~amd64~~10.0.22000.493" /v "CurrentState"
2⤵
PID:2184

C:\Windows\System32\find.exe
FIND /I "0x70"
2⤵
PID:4080

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ECHO Microsoft-Windows-ProfessionalEdition~31bf3856ad364e35~amd64~~10.0.22000.493
2⤵
PID:3672

C:\Windows\System32\net.exe
net start sppsvc /y
2⤵
PID:4176

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 start sppsvc /y
3⤵
PID:1468

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic path SoftwareLicensingProduct where (ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f' AND PartialProductKey is not NULL) get LicenseFamily /value" 2>nul
2⤵
PID:1684

C:\Windows\System32\Wbem\WMIC.exe
wmic path SoftwareLicensingProduct where (ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f' AND PartialProductKey is not NULL) get LicenseFamily /value
3⤵
PID:3928

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v ProductName 2>nul
2⤵
PID:3500

C:\Windows\System32\reg.exe
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v ProductName
3⤵
PID:4944

C:\Windows\System32\reg.exe
reg query HKLM\SOFTWARE\Microsoft\Office\ClickToRun /v InstallPath
2⤵
- Modifies registry key
PID:2808

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "reg query HKLM\SOFTWARE\Microsoft\Office\ClickToRun /v InstallPath" 2>nul
2⤵
PID:2728

C:\Windows\System32\reg.exe
reg query HKLM\SOFTWARE\Microsoft\Office\ClickToRun /v InstallPath
3⤵
- Modifies registry key
PID:2700

C:\Windows\System32\reg.exe
reg query HKLM\SOFTWARE\Microsoft\Office\ClickToRun\Configuration /v ProductReleaseIds
2⤵
- Modifies registry key
PID:2276

C:\Windows\System32\reg.exe
reg query HKLM\SOFTWARE\Microsoft\Office\15.0\ClickToRun /v InstallPath
2⤵
- Modifies registry key
PID:2756

C:\Windows\System32\reg.exe
reg query HKLM\SOFTWARE\Wow6432Node\Microsoft\Office\14.0\CVH /f Click2run /k
2⤵
- Modifies registry key
PID:3712

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "reg query HKLM\SOFTWARE\Microsoft\Office\14.0\Common\InstallRoot /v Path" 2>nul
2⤵
PID:4912

C:\Windows\System32\reg.exe
reg query HKLM\SOFTWARE\Microsoft\Office\14.0\Common\InstallRoot /v Path
3⤵
- Modifies registry key
PID:1920

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "reg query HKLM\SOFTWARE\Wow6432Node\Microsoft\Office\14.0\Common\InstallRoot /v Path" 2>nul
2⤵
PID:3732

C:\Windows\System32\reg.exe
reg query HKLM\SOFTWARE\Wow6432Node\Microsoft\Office\14.0\Common\InstallRoot /v Path
3⤵
- Modifies registry key
PID:2296

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "reg query HKLM\SOFTWARE\Microsoft\Office\15.0\Common\InstallRoot /v Path" 2>nul
2⤵
PID:3944

C:\Windows\System32\reg.exe
reg query HKLM\SOFTWARE\Microsoft\Office\15.0\Common\InstallRoot /v Path
3⤵
- Modifies registry key
PID:2876

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "reg query HKLM\SOFTWARE\Wow6432Node\Microsoft\Office\15.0\Common\InstallRoot /v Path" 2>nul
2⤵
PID:4980

C:\Windows\System32\reg.exe
reg query HKLM\SOFTWARE\Wow6432Node\Microsoft\Office\15.0\Common\InstallRoot /v Path
3⤵
- Modifies registry key
PID:2936

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "reg query HKLM\SOFTWARE\Microsoft\Office\16.0\Common\InstallRoot /v Path" 2>nul
2⤵
PID:3720

C:\Windows\System32\reg.exe
reg query HKLM\SOFTWARE\Microsoft\Office\16.0\Common\InstallRoot /v Path
3⤵
- Modifies registry key
PID:4976

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "reg query HKLM\SOFTWARE\Wow6432Node\Microsoft\Office\16.0\Common\InstallRoot /v Path" 2>nul
2⤵
PID:4736

C:\Windows\System32\reg.exe
reg query HKLM\SOFTWARE\Wow6432Node\Microsoft\Office\16.0\Common\InstallRoot /v Path
3⤵
- Modifies registry key
PID:2000

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg query HKLM\SOFTWARE\Microsoft\Office\ClickToRun\Configuration /v ProductReleaseIds
2⤵
PID:2780

C:\Windows\System32\reg.exe
reg query HKLM\SOFTWARE\Microsoft\Office\ClickToRun\Configuration /v ProductReleaseIds
3⤵
- Modifies registry key
PID:3716

C:\Windows\System32\findstr.exe
findstr /I /C:"MondoVolume" "C:\Windows\Temp\c2rchk.txt"
2⤵
PID:3848

C:\Windows\System32\findstr.exe
findstr /I /C:"ProPlusVolume" "C:\Windows\Temp\c2rchk.txt"
2⤵
PID:3412

C:\Windows\System32\findstr.exe
findstr /I /C:"ProjectProVolume" "C:\Windows\Temp\c2rchk.txt"
2⤵
PID:4572

C:\Windows\System32\findstr.exe
findstr /I /C:"VisioProVolume" "C:\Windows\Temp\c2rchk.txt"
2⤵
PID:3984

C:\Windows\System32\findstr.exe
findstr /I /C:"StandardVolume" "C:\Windows\Temp\c2rchk.txt"
2⤵
PID:2572

C:\Windows\System32\findstr.exe
findstr /I /C:"ProjectStdVolume" "C:\Windows\Temp\c2rchk.txt"
2⤵
PID:4052

C:\Windows\System32\findstr.exe
findstr /I /C:"VisioStdVolume" "C:\Windows\Temp\c2rchk.txt"
2⤵
PID:2652

C:\Windows\System32\findstr.exe
findstr /I /C:"AccessVolume" "C:\Windows\Temp\c2rchk.txt"
2⤵
PID:1180

C:\Windows\System32\findstr.exe
findstr /I /C:"SkypeforBusinessVolume" "C:\Windows\Temp\c2rchk.txt"
2⤵
PID:3936

C:\Windows\System32\findstr.exe
findstr /I /C:"OneNoteVolume" "C:\Windows\Temp\c2rchk.txt"
2⤵
PID:1640

C:\Windows\System32\findstr.exe
findstr /I /C:"ExcelVolume" "C:\Windows\Temp\c2rchk.txt"
2⤵
PID:4600

C:\Windows\System32\findstr.exe
findstr /I /C:"OutlookVolume" "C:\Windows\Temp\c2rchk.txt"
2⤵
PID:1496

C:\Windows\System32\findstr.exe
findstr /I /C:"PowerPointVolume" "C:\Windows\Temp\c2rchk.txt"
2⤵
PID:2908

C:\Windows\System32\findstr.exe
findstr /I /C:"PublisherVolume" "C:\Windows\Temp\c2rchk.txt"
2⤵
PID:4648

C:\Windows\System32\findstr.exe
findstr /I /C:"WordVolume" "C:\Windows\Temp\c2rchk.txt"
2⤵
PID:1636

C:\Windows\System32\findstr.exe
findstr /I /C:"ProjectProXVolume" "C:\Windows\Temp\c2rchk.txt"
2⤵
PID:4212

C:\Windows\System32\findstr.exe
findstr /I /C:"ProjectStdXVolume" "C:\Windows\Temp\c2rchk.txt"
2⤵
PID:2816

C:\Windows\System32\findstr.exe
findstr /I /C:"VisioProXVolume" "C:\Windows\Temp\c2rchk.txt"
2⤵
PID:788

C:\Windows\System32\findstr.exe
findstr /I /C:"VisioStdXVolume" "C:\Windows\Temp\c2rchk.txt"
2⤵
PID:4012

C:\Windows\System32\findstr.exe
findstr /I /C:"MondoRetail" "C:\Windows\Temp\c2rchk.txt"
2⤵
PID:1780

C:\Windows\System32\findstr.exe
findstr /I /C:"ProPlusRetail" "C:\Windows\Temp\c2rchk.txt"
2⤵
PID:3436

C:\Windows\System32\findstr.exe
findstr /I /C:"ProjectProRetail" "C:\Windows\Temp\c2rchk.txt"
2⤵
PID:4792

C:\Windows\System32\findstr.exe
findstr /I /C:"VisioProRetail" "C:\Windows\Temp\c2rchk.txt"
2⤵
PID:812

C:\Windows\System32\findstr.exe
findstr /I /C:"StandardRetail" "C:\Windows\Temp\c2rchk.txt"
2⤵
PID:5084

C:\Windows\System32\findstr.exe
findstr /I /C:"ProjectStdRetail" "C:\Windows\Temp\c2rchk.txt"
2⤵
PID:4636

C:\Windows\System32\findstr.exe
findstr /I /C:"VisioStdRetail" "C:\Windows\Temp\c2rchk.txt"
2⤵
PID:1272

C:\Windows\System32\findstr.exe
findstr /I /C:"AccessRetail" "C:\Windows\Temp\c2rchk.txt"
2⤵
PID:3972

C:\Windows\System32\findstr.exe
findstr /I /C:"SkypeforBusinessRetail" "C:\Windows\Temp\c2rchk.txt"
2⤵
PID:4276

C:\Windows\System32\findstr.exe
findstr /I /C:"OneNoteRetail" "C:\Windows\Temp\c2rchk.txt"
2⤵
PID:900

C:\Windows\System32\findstr.exe
findstr /I /C:"ExcelRetail" "C:\Windows\Temp\c2rchk.txt"
2⤵
PID:2944

C:\Windows\System32\findstr.exe
findstr /I /C:"OutlookRetail" "C:\Windows\Temp\c2rchk.txt"
2⤵
PID:800

C:\Windows\System32\findstr.exe
findstr /I /C:"PowerPointRetail" "C:\Windows\Temp\c2rchk.txt"
2⤵
PID:3340

C:\Windows\System32\findstr.exe
findstr /I /C:"PublisherRetail" "C:\Windows\Temp\c2rchk.txt"
2⤵
PID:460

C:\Windows\System32\findstr.exe
findstr /I /C:"WordRetail" "C:\Windows\Temp\c2rchk.txt"
2⤵
PID:1940

C:\Windows\System32\findstr.exe
findstr /I /C:"ProfessionalRetail" "C:\Windows\Temp\c2rchk.txt"
2⤵
PID:3300

C:\Windows\System32\findstr.exe
findstr /I /C:"HomeBusinessRetail" "C:\Windows\Temp\c2rchk.txt"
2⤵
PID:1964

C:\Windows\System32\findstr.exe
findstr /I /C:"HomeStudentRetail" "C:\Windows\Temp\c2rchk.txt"
2⤵
PID:4496

C:\Windows\System32\findstr.exe
findstr /I /C:"O365BusinessRetail" "C:\Windows\Temp\c2rchk.txt"
2⤵
PID:2840

C:\Windows\System32\findstr.exe
findstr /I /C:"O365SmallBusPremRetail" "C:\Windows\Temp\c2rchk.txt"
2⤵
PID:784

C:\Windows\System32\findstr.exe
findstr /I /C:"O365HomePremRetail" "C:\Windows\Temp\c2rchk.txt"
2⤵
PID:2364

C:\Windows\System32\findstr.exe
findstr /I /C:"O365EduCloudRetail" "C:\Windows\Temp\c2rchk.txt"
2⤵
PID:4472

C:\Windows\System32\reg.exe
reg query HKLM\SOFTWARE\Microsoft\Office\ClickToRun\Configuration /v ProductReleaseIds
2⤵
- Modifies registry key
PID:4808

C:\Windows\System32\findstr.exe
findstr 2019
2⤵
PID:1580

C:\Windows\System32\reg.exe
reg query HKLM\SOFTWARE\Microsoft\Office\ClickToRun\Configuration /v ProductReleaseIds
2⤵
- Modifies registry key
PID:5052

C:\Windows\System32\findstr.exe
findstr 2021
2⤵
PID:2748

C:\Windows\System32\reg.exe
reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\msoxmled.exe"
2⤵
PID:2348

C:\Windows\System32\Wbem\WMIC.exe
wmic path SoftwareLicensingProduct where (Description like '%KMSCLIENT%' AND NOT Name like '%MondoR_KMS_Automation%' ) get Name /value
2⤵
PID:248

C:\Windows\System32\find.exe
find /i "Office 21" "C:\Windows\Temp\sppchk.txt"
2⤵
PID:5088

C:\Windows\System32\find.exe
find /i "Office 19" "C:\Windows\Temp\sppchk.txt"
2⤵
PID:4888

C:\Windows\System32\find.exe
find /i "Office 16" "C:\Windows\Temp\sppchk.txt"
2⤵
PID:4968

C:\Windows\System32\find.exe
find /i "Office 15" "C:\Windows\Temp\sppchk.txt"
2⤵
PID:5000

C:\Windows\System32\Wbem\WMIC.exe
wmic path SoftwareLicensingProduct where (ApplicationID='0ff1ce15-a989-479d-af46-f275c6370663' AND NOT Name like '%O365%' ) get Name /value
2⤵
PID:3548

C:\Windows\System32\find.exe
find /i "R_Retail" "C:\Windows\Temp\sppchk.txt"
2⤵
PID:3852

C:\Windows\System32\find.exe
find /i "Office 21"
2⤵
PID:4780

C:\Windows\System32\find.exe
find /i "R_Retail" "C:\Windows\Temp\sppchk.txt"
2⤵
PID:1736

C:\Windows\System32\find.exe
find /i "Office 19"
2⤵
PID:2264

C:\Windows\System32\find.exe
find /i "R_Retail" "C:\Windows\Temp\sppchk.txt"
2⤵
PID:4908

C:\Windows\System32\find.exe
find /i "Office 16"
2⤵
PID:492

C:\Windows\System32\find.exe
find /i "R_Retail" "C:\Windows\Temp\sppchk.txt"
2⤵
PID:5012

C:\Windows\System32\find.exe
find /i "Office 15"
2⤵
PID:424

C:\Windows\System32\find.exe
find /i "Office16ProPlusR" "C:\Windows\Temp\sppchk.txt"
2⤵
PID:1360

C:\Windows\System32\find.exe
find /i "Office16StandardR" "C:\Windows\Temp\sppchk.txt"
2⤵
PID:4284

C:\Windows\System32\find.exe
find /i "Office16AccessR" "C:\Windows\Temp\sppchk.txt"
2⤵
PID:4164

C:\Windows\System32\find.exe
find /i "Office16SkypeforBusinessR" "C:\Windows\Temp\sppchk.txt"
2⤵
PID:1456

C:\Windows\System32\find.exe
find /i "Office16ExcelR" "C:\Windows\Temp\sppchk.txt"
2⤵
PID:3652

C:\Windows\System32\find.exe
find /i "Office16OutlookR" "C:\Windows\Temp\sppchk.txt"
2⤵
PID:3008

C:\Windows\System32\find.exe
find /i "Office16PowerPointR" "C:\Windows\Temp\sppchk.txt"
2⤵
PID:2948

C:\Windows\System32\find.exe
find /i "Office16PublisherR" "C:\Windows\Temp\sppchk.txt"
2⤵
PID:2676

C:\Windows\System32\find.exe
find /i "Office16WordR" "C:\Windows\Temp\sppchk.txt"
2⤵
PID:4524

C:\Windows\System32\find.exe
find /i "Office16ProfessionalR" "C:\Windows\Temp\sppchk.txt"
2⤵
PID:4836

C:\Windows\System32\find.exe
find /i "Office16HomeBusinessR" "C:\Windows\Temp\sppchk.txt"
2⤵
PID:2528

C:\Windows\System32\find.exe
find /i "Office16HomeStudentR" "C:\Windows\Temp\sppchk.txt"
2⤵
PID:3464

C:\Windows\System32\find.exe
find /i "Office16ProjectProR" "C:\Windows\Temp\sppchk.txt"
2⤵
PID:4828

C:\Windows\System32\find.exe
find /i "Office16ProjectStdR" "C:\Windows\Temp\sppchk.txt"
2⤵
PID:2080

C:\Windows\System32\find.exe
find /i "Office16VisioProR" "C:\Windows\Temp\sppchk.txt"
2⤵
PID:1328

C:\Windows\System32\find.exe
find /i "Office16VisioStdR" "C:\Windows\Temp\sppchk.txt"
2⤵
PID:4652

C:\Windows\System32\sc.exe
sc query ClickToRunSvc
2⤵
- Launches sc.exe
PID:1596

C:\Windows\System32\sc.exe
sc query OfficeSvc
2⤵
- Launches sc.exe
PID:2824

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "reg query HKLM\SOFTWARE\Microsoft\Office\ClickToRun /v InstallPath" 2>nul
2⤵
PID:4944

C:\Windows\System32\reg.exe
reg query HKLM\SOFTWARE\Microsoft\Office\ClickToRun /v InstallPath
3⤵
- Modifies registry key
PID:2956

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "reg query HKLM\SOFTWARE\WOW6432Node\Microsoft\Office\ClickToRun /v InstallPath" 2>nul
2⤵
PID:3036

C:\Windows\System32\reg.exe
reg query HKLM\SOFTWARE\WOW6432Node\Microsoft\Office\ClickToRun /v InstallPath
3⤵
- Modifies registry key
PID:2684

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "reg query HKLM\SOFTWARE\Microsoft\Office\15.0\ClickToRun /v InstallPath" 2>nul
2⤵
PID:2320

C:\Windows\System32\reg.exe
reg query HKLM\SOFTWARE\Microsoft\Office\15.0\ClickToRun /v InstallPath
3⤵
- Modifies registry key
PID:3240

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "reg query HKLM\SOFTWARE\WOW6432Node\Microsoft\Office\15.0\ClickToRun /v InstallPath" 2>nul
2⤵
PID:2740

C:\Windows\System32\reg.exe
reg query HKLM\SOFTWARE\WOW6432Node\Microsoft\Office\15.0\ClickToRun /v InstallPath
3⤵
- Modifies registry key
PID:2880

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "reg query HKLM\SOFTWARE\Microsoft\Office\ClickToRun /v InstallPath" 2>nul
2⤵
PID:1724

C:\Windows\System32\reg.exe
reg query HKLM\SOFTWARE\Microsoft\Office\ClickToRun /v InstallPath
3⤵
- Modifies registry key
PID:4936

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "reg query HKLM\SOFTWARE\Microsoft\Office\ClickToRun /v PackageGUID" 2>nul
2⤵
PID:2912

C:\Windows\System32\reg.exe
reg query HKLM\SOFTWARE\Microsoft\Office\ClickToRun /v PackageGUID
3⤵
- Modifies registry key
PID:2884

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "reg query HKLM\SOFTWARE\Microsoft\Office\ClickToRun\Configuration /v ProductReleaseIds" 2>nul
2⤵
PID:4156

C:\Windows\System32\reg.exe
reg query HKLM\SOFTWARE\Microsoft\Office\ClickToRun\Configuration /v ProductReleaseIds
3⤵
- Modifies registry key
PID:3528

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "reg query HKLM\SOFTWARE\Microsoft\Office\ClickToRun\ProductReleaseIDs /v ActiveConfiguration" 2>nul
2⤵
PID:2148

C:\Windows\System32\reg.exe
reg query HKLM\SOFTWARE\Microsoft\Office\ClickToRun\ProductReleaseIDs /v ActiveConfiguration
3⤵
- Modifies registry key
PID:2400

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "reg query HKLM\SOFTWARE\Microsoft\Office\15.0\Common\InstallRoot /v Path" 2>nul
2⤵
PID:4976

C:\Windows\System32\reg.exe
reg query HKLM\SOFTWARE\Microsoft\Office\15.0\Common\InstallRoot /v Path
3⤵
- Modifies registry key
PID:3152

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "reg query HKLM\SOFTWARE\Wow6432Node\Microsoft\Office\15.0\Common\InstallRoot /v Path" 2>nul
2⤵
PID:4416

C:\Windows\System32\reg.exe
reg query HKLM\SOFTWARE\Wow6432Node\Microsoft\Office\15.0\Common\InstallRoot /v Path
3⤵
- Modifies registry key
PID:3280

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic path SoftwareLicensingService get Version /value"
2⤵
PID:3716

C:\Windows\System32\Wbem\WMIC.exe
wmic path SoftwareLicensingService get Version /value
3⤵
PID:4084

C:\Windows\System32\Wbem\WMIC.exe
wmic path SoftwareLicensingProduct where (ApplicationID='0ff1ce15-a989-479d-af46-f275c6370663' AND LicenseStatus='1' AND PartialProductKey is not NULL) get Description
2⤵
PID:3412

C:\Windows\System32\findstr.exe
findstr /V /R "^$"
2⤵
PID:2688

C:\Windows\System32\find.exe
find /i "RETAIL channel" "C:\Windows\Temp\crvRetail.txt"
2⤵
PID:5104

C:\Windows\System32\find.exe
find /i "RETAIL(MAK) channel" "C:\Windows\Temp\crvRetail.txt"
2⤵
PID:4244

C:\Windows\System32\find.exe
find /i "TIMEBASED_SUB channel" "C:\Windows\Temp\crvRetail.txt"
2⤵
PID:4728

C:\Windows\System32\Wbem\WMIC.exe
wmic path SoftwareLicensingProduct where "ApplicationID='0ff1ce15-a989-479d-af46-f275c6370663'" get LicenseFamily
2⤵
PID:4260

C:\Windows\System32\findstr.exe
findstr /V /R "^$"
2⤵
PID:3312

C:\Windows\System32\findstr.exe
findstr /I /C:"ProPlus2021Retail" "C:\Windows\Temp\crvProductIds.txt"
2⤵
PID:2908

C:\Windows\System32\findstr.exe
findstr /I /C:"ProjectPro2021Retail" "C:\Windows\Temp\crvProductIds.txt"
2⤵
PID:3884

C:\Windows\System32\findstr.exe
findstr /I /C:"VisioPro2021Retail" "C:\Windows\Temp\crvProductIds.txt"
2⤵
PID:1112

C:\Windows\System32\findstr.exe
findstr /I /C:"Standard2021Retail" "C:\Windows\Temp\crvProductIds.txt"
2⤵
PID:1196

C:\Windows\System32\findstr.exe
findstr /I /C:"ProjectStd2021Retail" "C:\Windows\Temp\crvProductIds.txt"
2⤵
PID:4776

C:\Windows\System32\findstr.exe
findstr /I /C:"VisioStd2021Retail" "C:\Windows\Temp\crvProductIds.txt"
2⤵
PID:708

C:\Windows\System32\findstr.exe
findstr /I /C:"Access2021Retail" "C:\Windows\Temp\crvProductIds.txt"
2⤵
PID:1452

C:\Windows\System32\findstr.exe
findstr /I /C:"SkypeforBusiness2021Retail" "C:\Windows\Temp\crvProductIds.txt"
2⤵
PID:4800

C:\Windows\System32\findstr.exe
findstr /I /C:"Excel2021Retail" "C:\Windows\Temp\crvProductIds.txt"
2⤵
PID:1600

C:\Windows\System32\findstr.exe
findstr /I /C:"Outlook2021Retail" "C:\Windows\Temp\crvProductIds.txt"
2⤵
PID:2812

C:\Windows\System32\findstr.exe
findstr /I /C:"PowerPoint2021Retail" "C:\Windows\Temp\crvProductIds.txt"
2⤵
PID:2112

C:\Windows\System32\findstr.exe
findstr /I /C:"Publisher2021Retail" "C:\Windows\Temp\crvProductIds.txt"
2⤵
PID:3512

C:\Windows\System32\findstr.exe
findstr /I /C:"Word2021Retail" "C:\Windows\Temp\crvProductIds.txt"
2⤵
PID:1968

C:\Windows\System32\findstr.exe
findstr /I /C:"Professional2021Retail" "C:\Windows\Temp\crvProductIds.txt"
2⤵
PID:908

C:\Windows\System32\findstr.exe
findstr /I /C:"HomeBusiness2021Retail" "C:\Windows\Temp\crvProductIds.txt"
2⤵
PID:2268

C:\Windows\System32\findstr.exe
findstr /I /C:"HomeStudent2021Retail" "C:\Windows\Temp\crvProductIds.txt"
2⤵
PID:4072

C:\Windows\System32\findstr.exe
findstr /I /C:"ProPlus2019Retail" "C:\Windows\Temp\crvProductIds.txt"
2⤵
PID:1888

C:\Windows\System32\findstr.exe
findstr /I /C:"ProjectPro2019Retail" "C:\Windows\Temp\crvProductIds.txt"
2⤵
PID:2952

C:\Windows\System32\findstr.exe
findstr /I /C:"VisioPro2019Retail" "C:\Windows\Temp\crvProductIds.txt"
2⤵
PID:3388

C:\Windows\System32\findstr.exe
findstr /I /C:"Standard2019Retail" "C:\Windows\Temp\crvProductIds.txt"
2⤵
PID:1424

C:\Windows\System32\findstr.exe
findstr /I /C:"ProjectStd2019Retail" "C:\Windows\Temp\crvProductIds.txt"
2⤵
PID:4860

C:\Windows\System32\findstr.exe
findstr /I /C:"VisioStd2019Retail" "C:\Windows\Temp\crvProductIds.txt"
2⤵
PID:1564

C:\Windows\System32\findstr.exe
findstr /I /C:"Access2019Retail" "C:\Windows\Temp\crvProductIds.txt"
2⤵
PID:412

C:\Windows\System32\findstr.exe
findstr /I /C:"SkypeforBusiness2019Retail" "C:\Windows\Temp\crvProductIds.txt"
2⤵
PID:736

C:\Windows\System32\findstr.exe
findstr /I /C:"Excel2019Retail" "C:\Windows\Temp\crvProductIds.txt"
2⤵
PID:1852

C:\Windows\System32\findstr.exe
findstr /I /C:"Outlook2019Retail" "C:\Windows\Temp\crvProductIds.txt"
2⤵
PID:1648

C:\Windows\System32\findstr.exe
findstr /I /C:"PowerPoint2019Retail" "C:\Windows\Temp\crvProductIds.txt"
2⤵
PID:4236

C:\Windows\System32\findstr.exe
findstr /I /C:"Publisher2019Retail" "C:\Windows\Temp\crvProductIds.txt"
2⤵
PID:2336

C:\Windows\System32\findstr.exe
findstr /I /C:"Word2019Retail" "C:\Windows\Temp\crvProductIds.txt"
2⤵
PID:4808

C:\Windows\System32\findstr.exe
findstr /I /C:"Professional2019Retail" "C:\Windows\Temp\crvProductIds.txt"
2⤵
PID:1980

C:\Windows\System32\findstr.exe
findstr /I /C:"HomeBusiness2019Retail" "C:\Windows\Temp\crvProductIds.txt"
2⤵
PID:5052

C:\Windows\System32\findstr.exe
findstr /I /C:"HomeStudent2019Retail" "C:\Windows\Temp\crvProductIds.txt"
2⤵
PID:3740

C:\Windows\System32\findstr.exe
findstr /I /C:"MondoRetail" "C:\Windows\Temp\crvProductIds.txt"
2⤵
PID:1428

C:\Windows\System32\findstr.exe
findstr /I /C:"ProjectProRetail" "C:\Windows\Temp\crvProductIds.txt"
2⤵
PID:3872

C:\Windows\System32\findstr.exe
findstr /I /C:"VisioProRetail" "C:\Windows\Temp\crvProductIds.txt"
2⤵
PID:2244

C:\Windows\System32\findstr.exe
findstr /I /C:"StandardRetail" "C:\Windows\Temp\crvProductIds.txt"
2⤵
PID:432

C:\Windows\System32\findstr.exe
findstr /I /C:"ProjectStdRetail" "C:\Windows\Temp\crvProductIds.txt"
2⤵
PID:2632

C:\Windows\System32\findstr.exe
findstr /I /C:"VisioStdRetail" "C:\Windows\Temp\crvProductIds.txt"
2⤵
PID:2788

C:\Windows\System32\findstr.exe
findstr /I /C:"AccessRetail" "C:\Windows\Temp\crvProductIds.txt"
2⤵
PID:2072

C:\Windows\System32\findstr.exe
findstr /I /C:"SkypeforBusinessRetail" "C:\Windows\Temp\crvProductIds.txt"
2⤵
PID:5088

C:\Windows\System32\findstr.exe
findstr /I /C:"ExcelRetail" "C:\Windows\Temp\crvProductIds.txt"
2⤵
PID:896

C:\Windows\System32\findstr.exe
findstr /I /C:"OutlookRetail" "C:\Windows\Temp\crvProductIds.txt"
2⤵
PID:3548

C:\Windows\System32\findstr.exe
findstr /I /C:"PowerPointRetail" "C:\Windows\Temp\crvProductIds.txt"
2⤵
PID:3352

C:\Windows\System32\findstr.exe
findstr /I /C:"PublisherRetail" "C:\Windows\Temp\crvProductIds.txt"
2⤵
PID:2092

C:\Windows\System32\findstr.exe
findstr /I /C:"WordRetail" "C:\Windows\Temp\crvProductIds.txt"
2⤵
PID:5092

C:\Windows\System32\findstr.exe
findstr /I /C:"OneNoteRetail" "C:\Windows\Temp\crvProductIds.txt"
2⤵
PID:4304

C:\Windows\System32\findstr.exe
findstr /I /C:"ProfessionalRetail" "C:\Windows\Temp\crvProductIds.txt"
2⤵
PID:1568

C:\Windows\System32\findstr.exe
findstr /I /C:"HomeBusinessRetail" "C:\Windows\Temp\crvProductIds.txt"
2⤵
PID:572

C:\Windows\System32\findstr.exe
findstr /I /C:"HomeStudentRetail" "C:\Windows\Temp\crvProductIds.txt"
2⤵
PID:1476

C:\Windows\System32\findstr.exe
findstr /I /C:"O365ProPlusRetail" "C:\Windows\Temp\crvProductIds.txt"
2⤵
PID:5024

C:\Windows\System32\findstr.exe
findstr /I /C:"O365BusinessRetail" "C:\Windows\Temp\crvProductIds.txt"
2⤵
PID:952

C:\Windows\System32\findstr.exe
findstr /I /C:"O365SmallBusPremRetail" "C:\Windows\Temp\crvProductIds.txt"
2⤵
PID:1972

C:\Windows\System32\findstr.exe
findstr /I /C:"O365HomePremRetail" "C:\Windows\Temp\crvProductIds.txt"
2⤵
PID:4080

C:\Windows\System32\findstr.exe
findstr /I /C:"O365EduCloudRetail" "C:\Windows\Temp\crvProductIds.txt"
2⤵
PID:3960

C:\Windows\System32\findstr.exe
findstr /I /C:"ProPlus2019Volume" "C:\Windows\Temp\crvProductIds.txt"
2⤵
PID:1468

C:\Windows\System32\findstr.exe
findstr /I /C:"ProjectPro2019Volume" "C:\Windows\Temp\crvProductIds.txt"
2⤵
PID:4176

C:\Windows\System32\findstr.exe
findstr /I /C:"VisioPro2019Volume" "C:\Windows\Temp\crvProductIds.txt"
2⤵
PID:3916

C:\Windows\System32\findstr.exe
findstr /I /C:"Standard2019Volume" "C:\Windows\Temp\crvProductIds.txt"
2⤵
PID:3112

C:\Windows\System32\findstr.exe
findstr /I /C:"ProjectStd2019Volume" "C:\Windows\Temp\crvProductIds.txt"
2⤵
PID:2252

C:\Windows\System32\findstr.exe
findstr /I /C:"VisioStd2019Volume" "C:\Windows\Temp\crvProductIds.txt"
2⤵
PID:3096

C:\Windows\System32\findstr.exe
findstr /I /C:"Access2019Volume" "C:\Windows\Temp\crvProductIds.txt"
2⤵
PID:744

C:\Windows\System32\findstr.exe
findstr /I /C:"SkypeforBusiness2019Volume" "C:\Windows\Temp\crvProductIds.txt"
2⤵
PID:3504

C:\Windows\System32\findstr.exe
findstr /I /C:"Excel2019Volume" "C:\Windows\Temp\crvProductIds.txt"
2⤵
PID:804

C:\Windows\System32\findstr.exe
findstr /I /C:"Outlook2019Volume" "C:\Windows\Temp\crvProductIds.txt"
2⤵
PID:2104

C:\Windows\System32\findstr.exe
findstr /I /C:"PowerPoint2019Volume" "C:\Windows\Temp\crvProductIds.txt"
2⤵
PID:2408

C:\Windows\System32\findstr.exe
findstr /I /C:"Publisher2019Volume" "C:\Windows\Temp\crvProductIds.txt"
2⤵
PID:3664

C:\Windows\System32\findstr.exe
findstr /I /C:"Word2019Volume" "C:\Windows\Temp\crvProductIds.txt"
2⤵
PID:1676

C:\Windows\System32\findstr.exe
findstr /I /C:"MondoVolume" "C:\Windows\Temp\crvProductIds.txt"
2⤵
PID:1596

C:\Windows\System32\findstr.exe
findstr /I /C:"ProjectProVolume" "C:\Windows\Temp\crvProductIds.txt"
2⤵
PID:2824

C:\Windows\System32\findstr.exe
findstr /I /C:"VisioProVolume" "C:\Windows\Temp\crvProductIds.txt"
2⤵
PID:2792

C:\Windows\System32\findstr.exe
findstr /I /C:"StandardVolume" "C:\Windows\Temp\crvProductIds.txt"
2⤵
PID:2956

C:\Windows\System32\findstr.exe
findstr /I /C:"ProjectStdVolume" "C:\Windows\Temp\crvProductIds.txt"
2⤵
PID:2808

C:\Windows\System32\findstr.exe
findstr /I /C:"VisioStdVolume" "C:\Windows\Temp\crvProductIds.txt"
2⤵
PID:2732

C:\Windows\System32\findstr.exe
findstr /I /C:"AccessVolume" "C:\Windows\Temp\crvProductIds.txt"
2⤵
PID:3684

C:\Windows\System32\findstr.exe
findstr /I /C:"SkypeforBusinessVolume" "C:\Windows\Temp\crvProductIds.txt"
2⤵
PID:1976

C:\Windows\System32\findstr.exe
findstr /I /C:"ExcelVolume" "C:\Windows\Temp\crvProductIds.txt"
2⤵
PID:3600

C:\Windows\System32\findstr.exe
findstr /I /C:"OutlookVolume" "C:\Windows\Temp\crvProductIds.txt"
2⤵
PID:2740

C:\Windows\System32\findstr.exe
findstr /I /C:"PowerPointVolume" "C:\Windows\Temp\crvProductIds.txt"
2⤵
PID:2296

C:\Windows\System32\findstr.exe
findstr /I /C:"PublisherVolume" "C:\Windows\Temp\crvProductIds.txt"
2⤵
PID:1724

C:\Windows\System32\findstr.exe
findstr /I /C:"WordVolume" "C:\Windows\Temp\crvProductIds.txt"
2⤵
PID:2876

C:\Windows\System32\findstr.exe
findstr /I /C:"OneNoteVolume" "C:\Windows\Temp\crvProductIds.txt"
2⤵
PID:1772

C:\Windows\System32\reg.exe
reg query HKLM\SOFTWARE\Microsoft\Office\ClickToRun\ProductReleaseIDs\B0C731CF-9226-4978-8751-E7D82596FE0B\ProPlusRetail.16
2⤵
- Modifies registry key
PID:2936

C:\Windows\System32\find.exe
find /i "Office16ProPlusVL_KMS_Client" "C:\Windows\Temp\crvVolume.txt"
2⤵
PID:1148

C:\Windows\System32\reg.exe
reg query HKLM\SOFTWARE\Microsoft\Office\ClickToRun\ProductReleaseIDs\B0C731CF-9226-4978-8751-E7D82596FE0B\ProPlusVolume.16
2⤵
- Modifies registry key
PID:3144

C:\Windows\System32\find.exe
find /i "Office16MondoVL_KMS_Client" "C:\Windows\Temp\crvVolume.txt"
2⤵
PID:2400

C:\Windows\System32\reg.exe
reg delete HKLM\SOFTWARE\Microsoft\Office\ClickToRun\Configuration /f /v ProPlus2019Volume.OSPPReady
2⤵
- Modifies registry key
PID:3152

C:\Program Files\Microsoft Office\root\integration\Integrator.exe
"C:\Program Files\Microsoft Office\root\integration\integrator.exe" /I /License PRIDName=ProPlus2019Volume.16 PackageGUID="9AC08E99-230B-47e8-9721-4577B7F124EA" PackageRoot="C:\Program Files\Microsoft Office\root"
2⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of SetWindowsHookEx
PID:4976

C:\Windows\System32\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Office\ClickToRun\Configuration /f /v ProPlus2019Volume.OSPPReady /t REG_SZ /d 1
2⤵
- Modifies registry key
PID:1100

C:\Windows\System32\reg.exe
reg query HKLM\SOFTWARE\Microsoft\Office\ClickToRun\Configuration /v ProductReleaseIds
2⤵
- Modifies registry key
PID:3048

C:\Windows\System32\findstr.exe
findstr /I "ProPlus2019Volume"
2⤵
PID:4260

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg query HKLM\SOFTWARE\Microsoft\Office\ClickToRun\Configuration /v ProductReleaseIds
2⤵
PID:4656

C:\Windows\System32\reg.exe
reg query HKLM\SOFTWARE\Microsoft\Office\ClickToRun\Configuration /v ProductReleaseIds
3⤵
- Modifies registry key
PID:1320

C:\Windows\System32\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Office\ClickToRun\Configuration /v ProductReleaseIds /t REG_SZ /d "ProPlusRetail,ProPlus2019Volume" /f
2⤵
- Modifies registry key
PID:2816

C:\Windows\System32\Wbem\WMIC.exe
wmic path SoftwareLicensingService where version='10.0.22000.493' call RefreshLicenseStatus
2⤵
PID:788

C:\Windows\System32\reg.exe
reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\msoxmled.exe"
2⤵
PID:644

C:\Windows\System32\Wbem\WMIC.exe
wmic path SoftwareLicensingProduct where (Description like '%KMSCLIENT%' AND NOT Name like '%MondoR_KMS_Automation%' ) get Name /value
2⤵
PID:4532

C:\Windows\System32\find.exe
find /i "Office 21" "C:\Windows\Temp\sppchk.txt"
2⤵
PID:3780

C:\Windows\System32\find.exe
find /i "Office 19" "C:\Windows\Temp\sppchk.txt"
2⤵
PID:1612

C:\Windows\System32\find.exe
find /i "Office 16" "C:\Windows\Temp\sppchk.txt"
2⤵
PID:4636

C:\Windows\System32\find.exe
find /i "Office 15" "C:\Windows\Temp\sppchk.txt"
2⤵
PID:4264

C:\Windows\System32\Wbem\WMIC.exe
wmic path SoftwareLicensingProduct where (ApplicationID='0ff1ce15-a989-479d-af46-f275c6370663' AND NOT Name like '%O365%' ) get Name /value
2⤵
PID:3076

C:\Windows\System32\find.exe
find /i "R_Retail" "C:\Windows\Temp\sppchk.txt"
2⤵
PID:3068

C:\Windows\System32\find.exe
find /i "Office 21"
2⤵
PID:4556

C:\Windows\System32\find.exe
find /i "R_Retail" "C:\Windows\Temp\sppchk.txt"
2⤵
PID:460

C:\Windows\System32\find.exe
find /i "Office 19"
2⤵
PID:3388

C:\Windows\System32\find.exe
find /i "R_Retail" "C:\Windows\Temp\sppchk.txt"
2⤵
PID:1940

C:\Windows\System32\find.exe
find /i "Office 16"
2⤵
PID:4860

C:\Windows\System32\find.exe
find /i "R_Retail" "C:\Windows\Temp\sppchk.txt"
2⤵
PID:4496

C:\Windows\System32\find.exe
find /i "Office 15"
2⤵
PID:412

C:\Windows\System32\find.exe
find /i "Office16ProPlusR" "C:\Windows\Temp\sppchk.txt"
2⤵
PID:4324

C:\Windows\System32\find.exe
find /i "Office16StandardR" "C:\Windows\Temp\sppchk.txt"
2⤵
PID:2364

C:\Windows\System32\find.exe
find /i "Office16AccessR" "C:\Windows\Temp\sppchk.txt"
2⤵
PID:2668

C:\Windows\System32\find.exe
find /i "Office16SkypeforBusinessR" "C:\Windows\Temp\sppchk.txt"
2⤵
PID:3544

C:\Windows\System32\find.exe
find /i "Office16ExcelR" "C:\Windows\Temp\sppchk.txt"
2⤵
PID:1580

C:\Windows\System32\find.exe
find /i "Office16OutlookR" "C:\Windows\Temp\sppchk.txt"
2⤵
PID:560

C:\Windows\System32\find.exe
find /i "Office16PowerPointR" "C:\Windows\Temp\sppchk.txt"
2⤵
PID:2748

C:\Windows\System32\find.exe
find /i "Office16PublisherR" "C:\Windows\Temp\sppchk.txt"
2⤵
PID:4952

C:\Windows\System32\find.exe
find /i "Office16WordR" "C:\Windows\Temp\sppchk.txt"
2⤵
PID:956

C:\Windows\System32\find.exe
find /i "Office16ProfessionalR" "C:\Windows\Temp\sppchk.txt"
2⤵
PID:248

C:\Windows\System32\find.exe
find /i "Office16HomeBusinessR" "C:\Windows\Temp\sppchk.txt"
2⤵
PID:2304

C:\Windows\System32\find.exe
find /i "Office16HomeStudentR" "C:\Windows\Temp\sppchk.txt"
2⤵
PID:1044

C:\Windows\System32\find.exe
find /i "Office16ProjectProR" "C:\Windows\Temp\sppchk.txt"
2⤵
PID:1300

C:\Windows\System32\find.exe
find /i "Office16ProjectStdR" "C:\Windows\Temp\sppchk.txt"
2⤵
PID:4968

C:\Windows\System32\find.exe
find /i "Office16VisioProR" "C:\Windows\Temp\sppchk.txt"
2⤵
PID:5000

C:\Windows\System32\find.exe
find /i "Office16VisioStdR" "C:\Windows\Temp\sppchk.txt"
2⤵
PID:3792

C:\Windows\System32\Wbem\WMIC.exe
wmic path SoftwareLicensingProduct where (Description like '%KMSCLIENT%' ) get Name /value
2⤵
PID:3372

C:\Windows\System32\findstr.exe
findstr /i Windows
2⤵
PID:896

C:\Windows\System32\Wbem\WMIC.exe
wmic path SoftwareLicensingProduct where (ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f' and Description like '%KMSCLIENT%' and PartialProductKey is not NULL) get Name /value
2⤵
PID:3744

C:\Windows\System32\findstr.exe
findstr /i Windows
2⤵
PID:2092

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic path SoftwareLicensingProduct where (ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f' and Description like '%KMSCLIENT%' and PartialProductKey is not NULL) get GracePeriodRemaining /value" 2>nul
2⤵
PID:4752

C:\Windows\System32\Wbem\WMIC.exe
wmic path SoftwareLicensingProduct where (ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f' and Description like '%KMSCLIENT%' and PartialProductKey is not NULL) get GracePeriodRemaining /value
3⤵
PID:380

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic path SoftwareLicensingService get Version /value"
2⤵
PID:3488

C:\Windows\System32\Wbem\WMIC.exe
wmic path SoftwareLicensingService get Version /value
3⤵
PID:4204

C:\Windows\System32\reg.exe
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /f /v KeyManagementServiceName /t REG_SZ /d "202.5.28.218"
2⤵
PID:1608

C:\Windows\System32\reg.exe
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /f /v KeyManagementServicePort /t REG_SZ /d "1688"
2⤵
PID:1364

C:\Windows\System32\reg.exe
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /f /v KeyManagementServiceName /t REG_SZ /d "202.5.28.218" /reg:32
2⤵
PID:3692

C:\Windows\System32\reg.exe
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /f /v KeyManagementServicePort /t REG_SZ /d "1688" /reg:32
2⤵
PID:3680

C:\Windows\System32\reg.exe
reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\0ff1ce15-a989-479d-af46-f275c6370663" /f /reg:32
2⤵
PID:2192

C:\Windows\System32\reg.exe
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\0ff1ce15-a989-479d-af46-f275c6370663" /f /v KeyManagementServiceName /t REG_SZ /d "202.5.28.218" /reg:32
2⤵
PID:3996

C:\Windows\System32\reg.exe
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\0ff1ce15-a989-479d-af46-f275c6370663" /f /v KeyManagementServicePort /t REG_SZ /d "1688" /reg:32
2⤵
PID:4172

C:\Windows\System32\reg.exe
reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\0ff1ce15-a989-479d-af46-f275c6370663" /f
2⤵
PID:4392

C:\Windows\System32\reg.exe
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\0ff1ce15-a989-479d-af46-f275c6370663" /f /v KeyManagementServiceName /t REG_SZ /d "202.5.28.218"
2⤵
PID:4876

C:\Windows\System32\reg.exe
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\0ff1ce15-a989-479d-af46-f275c6370663" /f /v KeyManagementServicePort /t REG_SZ /d "1688"
2⤵
PID:340

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic path SoftwareLicensingProduct where (ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f' and Description like '%KMSCLIENT%' ) get ID /value"
2⤵
PID:3764

C:\Windows\System32\Wbem\WMIC.exe
wmic path SoftwareLicensingProduct where (ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f' and Description like '%KMSCLIENT%' ) get ID /value
3⤵
PID:1268

C:\Windows\System32\Wbem\WMIC.exe
wmic path SoftwareLicensingProduct where (ID='2de67392-b7a7-462a-b1ca-108dd189f588') get LicenseStatus /value
2⤵
PID:3928

C:\Windows\System32\findstr.exe
findstr "1"
2⤵
PID:3664

C:\Windows\System32\Wbem\WMIC.exe
wmic path SoftwareLicensingProduct where (PartialProductKey is not NULL) get ID /value
2⤵
PID:1836

C:\Windows\System32\findstr.exe
findstr /i "2de67392-b7a7-462a-b1ca-108dd189f588"
2⤵
PID:2824

C:\Windows\System32\reg.exe
reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\55c92734-d682-4d71-983e-d6ec3f16059f\2de67392-b7a7-462a-b1ca-108dd189f588" /f
2⤵
PID:2700

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic path SoftwareLicensingProduct where (ID='2de67392-b7a7-462a-b1ca-108dd189f588') get Name /value"
2⤵
PID:3036

C:\Windows\System32\Wbem\WMIC.exe
wmic path SoftwareLicensingProduct where (ID='2de67392-b7a7-462a-b1ca-108dd189f588') get Name /value
3⤵
PID:2276

C:\Windows\System32\Wbem\WMIC.exe
wmic path SoftwareLicensingProduct where ID='2de67392-b7a7-462a-b1ca-108dd189f588' call Activate
2⤵
PID:3800

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic path SoftwareLicensingProduct where (ID='2de67392-b7a7-462a-b1ca-108dd189f588') get GracePeriodRemaining /value"
2⤵
PID:2884

C:\Windows\System32\Wbem\WMIC.exe
wmic path SoftwareLicensingProduct where (ID='2de67392-b7a7-462a-b1ca-108dd189f588') get GracePeriodRemaining /value
3⤵
PID:2424

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ping -4 -n 1 kms.loli.beer 2>nul
2⤵
PID:1200

C:\Windows\System32\PING.EXE
ping -4 -n 1 kms.loli.beer
3⤵
- Runs ping.exe
PID:4132

C:\Windows\System32\reg.exe
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /f /v KeyManagementServiceName /t REG_SZ /d "20.222.16.243"
2⤵
PID:3720

C:\Windows\System32\reg.exe
reg add "HKLM\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform" /f /v KeyManagementServiceName /t REG_SZ /d "20.222.16.243"
2⤵
PID:1184

C:\Windows\System32\reg.exe
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\0ff1ce15-a989-479d-af46-f275c6370663" /f /v KeyManagementServiceName /t REG_SZ /d "20.222.16.243"
2⤵
PID:4640

C:\Windows\System32\reg.exe
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /f /v KeyManagementServiceName /t REG_SZ /d "20.222.16.243" /reg:32
2⤵
PID:1860

C:\Windows\System32\reg.exe
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\0ff1ce15-a989-479d-af46-f275c6370663" /f /v KeyManagementServiceName /t REG_SZ /d "20.222.16.243" /reg:32
2⤵
PID:2972

C:\Windows\System32\reg.exe
reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\55c92734-d682-4d71-983e-d6ec3f16059f\2de67392-b7a7-462a-b1ca-108dd189f588" /f
2⤵
PID:4736

C:\Windows\System32\Wbem\WMIC.exe
wmic path SoftwareLicensingProduct where ID='2de67392-b7a7-462a-b1ca-108dd189f588' call Activate
2⤵
PID:2688

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic path SoftwareLicensingProduct where (ID='2de67392-b7a7-462a-b1ca-108dd189f588') get GracePeriodRemaining /value"
2⤵
PID:3848

C:\Windows\System32\Wbem\WMIC.exe
wmic path SoftwareLicensingProduct where (ID='2de67392-b7a7-462a-b1ca-108dd189f588') get GracePeriodRemaining /value
3⤵
PID:2036

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ping -4 -n 1 xincheng213618.cn 2>nul
2⤵
PID:1496

C:\Windows\System32\PING.EXE
ping -4 -n 1 xincheng213618.cn
3⤵
- Runs ping.exe
PID:1636

C:\Windows\System32\reg.exe
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /f /v KeyManagementServiceName /t REG_SZ /d "124.223.166.218"
2⤵
PID:2816

C:\Windows\System32\reg.exe
reg add "HKLM\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform" /f /v KeyManagementServiceName /t REG_SZ /d "124.223.166.218"
2⤵
PID:4012

C:\Windows\System32\reg.exe
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\0ff1ce15-a989-479d-af46-f275c6370663" /f /v KeyManagementServiceName /t REG_SZ /d "124.223.166.218"
2⤵
PID:4004

C:\Windows\System32\reg.exe
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /f /v KeyManagementServiceName /t REG_SZ /d "124.223.166.218" /reg:32
2⤵
PID:3436

C:\Windows\System32\reg.exe
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\0ff1ce15-a989-479d-af46-f275c6370663" /f /v KeyManagementServiceName /t REG_SZ /d "124.223.166.218" /reg:32
2⤵
PID:4800

C:\Windows\System32\reg.exe
reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\55c92734-d682-4d71-983e-d6ec3f16059f\2de67392-b7a7-462a-b1ca-108dd189f588" /f
2⤵
PID:812

C:\Windows\System32\Wbem\WMIC.exe
wmic path SoftwareLicensingProduct where ID='2de67392-b7a7-462a-b1ca-108dd189f588' call Activate
2⤵
PID:5084

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic path SoftwareLicensingProduct where (ID='2de67392-b7a7-462a-b1ca-108dd189f588') get GracePeriodRemaining /value"
2⤵
PID:4636

C:\Windows\System32\Wbem\WMIC.exe
wmic path SoftwareLicensingProduct where (ID='2de67392-b7a7-462a-b1ca-108dd189f588') get GracePeriodRemaining /value
3⤵
PID:4264

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ping -4 -n 1 win.kms.pub 2>nul
2⤵
PID:3268

C:\Windows\System32\PING.EXE
ping -4 -n 1 win.kms.pub
3⤵
- Runs ping.exe
PID:3288

C:\Windows\System32\reg.exe
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /f /v KeyManagementServiceName /t REG_SZ /d "124.223.166.218"
2⤵
PID:3068

C:\Windows\System32\reg.exe
reg add "HKLM\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform" /f /v KeyManagementServiceName /t REG_SZ /d "124.223.166.218"
2⤵
PID:8

C:\Windows\System32\reg.exe
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\0ff1ce15-a989-479d-af46-f275c6370663" /f /v KeyManagementServiceName /t REG_SZ /d "124.223.166.218"
2⤵
PID:460

C:\Windows\System32\reg.exe
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /f /v KeyManagementServiceName /t REG_SZ /d "124.223.166.218" /reg:32
2⤵
PID:1076

C:\Windows\System32\reg.exe
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\0ff1ce15-a989-479d-af46-f275c6370663" /f /v KeyManagementServiceName /t REG_SZ /d "124.223.166.218" /reg:32
2⤵
PID:1940

C:\Windows\System32\reg.exe
reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\55c92734-d682-4d71-983e-d6ec3f16059f\2de67392-b7a7-462a-b1ca-108dd189f588" /f
2⤵
PID:2928

C:\Windows\System32\Wbem\WMIC.exe
wmic path SoftwareLicensingProduct where ID='2de67392-b7a7-462a-b1ca-108dd189f588' call Activate
2⤵
PID:3020

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic path SoftwareLicensingProduct where (ID='2de67392-b7a7-462a-b1ca-108dd189f588') get GracePeriodRemaining /value"
2⤵
PID:2788

C:\Windows\System32\Wbem\WMIC.exe
wmic path SoftwareLicensingProduct where (ID='2de67392-b7a7-462a-b1ca-108dd189f588') get GracePeriodRemaining /value
3⤵
PID:1788

C:\Windows\System32\cmd.exe
cmd /c exit /b -1073418124
2⤵
PID:3352

C:\Windows\System32\Wbem\WMIC.exe
wmic path SoftwareLicensingProduct where (ID='3f1afc82-f8ac-4f6c-8005-1d233e606eee') get LicenseStatus /value
2⤵
PID:3372

C:\Windows\System32\findstr.exe
findstr "1"
2⤵
PID:896

C:\Windows\System32\Wbem\WMIC.exe
wmic path SoftwareLicensingProduct where (PartialProductKey is not NULL) get ID /value
2⤵
PID:5092

C:\Windows\System32\findstr.exe
findstr /i "3f1afc82-f8ac-4f6c-8005-1d233e606eee"
2⤵
PID:5012

C:\Windows\System32\Wbem\WMIC.exe
wmic path SoftwareLicensingProduct where (ID='73111121-5638-40f6-bc11-f1d7b0d64300') get LicenseStatus /value
2⤵
PID:1568

C:\Windows\System32\findstr.exe
findstr "1"
2⤵
PID:4284

C:\Windows\System32\Wbem\WMIC.exe
wmic path SoftwareLicensingProduct where (PartialProductKey is not NULL) get ID /value
2⤵
PID:5024

C:\Windows\System32\findstr.exe
findstr /i "73111121-5638-40f6-bc11-f1d7b0d64300"
2⤵
PID:3672

C:\Windows\System32\Wbem\WMIC.exe
wmic path SoftwareLicensingProduct where (ID='82bbc092-bc50-4e16-8e18-b74fc486aec3') get LicenseStatus /value
2⤵
PID:3652

C:\Windows\System32\findstr.exe
findstr "1"
2⤵
PID:4176

C:\Windows\System32\Wbem\WMIC.exe
wmic path SoftwareLicensingProduct where (PartialProductKey is not NULL) get ID /value
2⤵
PID:3112

C:\Windows\System32\findstr.exe
findstr /i "82bbc092-bc50-4e16-8e18-b74fc486aec3"
2⤵
PID:2356

C:\Windows\System32\Wbem\WMIC.exe
wmic path SoftwareLicensingProduct where (ID='ca7df2e3-5ea0-47b8-9ac1-b1be4d8edd69') get LicenseStatus /value
2⤵
PID:1808

C:\Windows\System32\findstr.exe
findstr "1"
2⤵
PID:3480

C:\Windows\System32\Wbem\WMIC.exe
wmic path SoftwareLicensingProduct where (PartialProductKey is not NULL) get ID /value
2⤵
PID:2080

C:\Windows\System32\findstr.exe
findstr /i "ca7df2e3-5ea0-47b8-9ac1-b1be4d8edd69"
2⤵
PID:3464

C:\Windows\System32\Wbem\WMIC.exe
wmic path SoftwareLicensingProduct where (ID='e0c42288-980c-4788-a014-c080d2e1926e') get LicenseStatus /value
2⤵
PID:3788

C:\Windows\System32\findstr.exe
findstr "1"
2⤵
PID:1676

C:\Windows\System32\Wbem\WMIC.exe
wmic path SoftwareLicensingProduct where (PartialProductKey is not NULL) get ID /value
2⤵
PID:3500

C:\Windows\System32\findstr.exe
findstr /i "e0c42288-980c-4788-a014-c080d2e1926e"
2⤵
PID:1836

C:\Windows\System32\Wbem\WMIC.exe
wmic path SoftwareLicensingProduct where (ID='e4db50ea-bda1-4566-b047-0ca50abc6f07') get LicenseStatus /value
2⤵
PID:1976

C:\Windows\System32\findstr.exe
findstr "1"
2⤵
PID:4720

C:\Windows\System32\Wbem\WMIC.exe
wmic path SoftwareLicensingProduct where (PartialProductKey is not NULL) get ID /value
2⤵
PID:4216

C:\Windows\System32\findstr.exe
findstr /i "e4db50ea-bda1-4566-b047-0ca50abc6f07"
2⤵
PID:3968

C:\Windows\System32\Wbem\WMIC.exe
wmic path SoftwareLicensingProduct where (ID='ec868e65-fadf-4759-b23e-93fe37f2cc29') get LicenseStatus /value
2⤵
PID:3576

C:\Windows\System32\findstr.exe
findstr "1"
2⤵
PID:2880

C:\Windows\System32\Wbem\WMIC.exe
wmic path SoftwareLicensingProduct where (PartialProductKey is not NULL) get ID /value
2⤵
PID:4852

C:\Windows\System32\findstr.exe
findstr /i "ec868e65-fadf-4759-b23e-93fe37f2cc29"
2⤵
PID:2424

C:\Windows\System32\reg.exe
reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /f /v DisableDnsPublishing
2⤵
PID:4240

C:\Windows\System32\reg.exe
reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /f /v DisableKeyManagementServiceHostCaching
2⤵
PID:3144

C:\Windows\System32\sc.exe
sc query sppsvc
2⤵
- Launches sc.exe
PID:2148

C:\Windows\System32\find.exe
find /i "STOPPED"
2⤵
PID:4132

C:\Windows\System32\net.exe
net stop sppsvc /y
2⤵
PID:2708

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop sppsvc /y
3⤵
PID:4868

C:\Windows\System32\sc.exe
sc query sppsvc
2⤵
- Launches sc.exe
PID:4936

C:\Windows\System32\find.exe
find /i "STOPPED"
2⤵
PID:4516

C:\Windows\System32\sc.exe
sc stop sppsvc
2⤵
- Launches sc.exe
PID:2056

C:\Windows\System32\sc.exe
sc start sppsvc trigger=timer;sessionid=0
2⤵
- Launches sc.exe
PID:1440

C:\Windows\System32\Wbem\WMIC.exe
wmic path SoftwareLicensingService get Version /value
2⤵
PID:5036

C:\Windows\System32\findstr.exe
findstr /r "[0-9]*\.[0-9]*\.[0-9]*\.[0-9]*"
2⤵
PID:4000

C:\Windows\System32\reg.exe
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /f /v KeyManagementServiceName /t REG_SZ /d "10.0.0.10"
2⤵
PID:4104

C:\Windows\System32\reg.exe
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /f /v KeyManagementServicePort /t REG_SZ /d "1688"
2⤵
PID:5108

C:\Windows\System32\reg.exe
reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /f /v DisableDnsPublishing
2⤵
PID:4688

C:\Windows\System32\reg.exe
reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /f /v DisableKeyManagementServiceHostCaching
2⤵
PID:852

C:\Windows\System32\reg.exe
reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\55c92734-d682-4d71-983e-d6ec3f16059f" /f
2⤵
PID:3864

C:\Windows\System32\reg.exe
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /f /v KeyManagementServiceName /t REG_SZ /d "10.0.0.10" /reg:32
2⤵
PID:2804

C:\Windows\System32\reg.exe
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /f /v KeyManagementServicePort /t REG_SZ /d "1688" /reg:32
2⤵
PID:1152

C:\Windows\System32\reg.exe
reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\0ff1ce15-a989-479d-af46-f275c6370663" /f /reg:32
2⤵
PID:3532

C:\Windows\System32\reg.exe
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\0ff1ce15-a989-479d-af46-f275c6370663" /f /v KeyManagementServiceName /t REG_SZ /d "10.0.0.10" /reg:32
2⤵
PID:1180

C:\Windows\System32\reg.exe
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\0ff1ce15-a989-479d-af46-f275c6370663" /f /v KeyManagementServicePort /t REG_SZ /d "1688" /reg:32
2⤵
PID:980

C:\Windows\System32\reg.exe
reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\0ff1ce15-a989-479d-af46-f275c6370663" /f
2⤵
PID:1916

C:\Windows\System32\reg.exe
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\0ff1ce15-a989-479d-af46-f275c6370663" /f /v KeyManagementServiceName /t REG_SZ /d "10.0.0.10"
2⤵
PID:4744

C:\Windows\System32\reg.exe
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\0ff1ce15-a989-479d-af46-f275c6370663" /f /v KeyManagementServicePort /t REG_SZ /d "1688"
2⤵
PID:3052

C:\Windows\System32\reg.exe
reg delete "HKU\S-1-5-20\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\55c92734-d682-4d71-983e-d6ec3f16059f" /f
2⤵
PID:4656

C:\Windows\System32\reg.exe
reg delete "HKU\S-1-5-20\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\0ff1ce15-a989-479d-af46-f275c6370663" /f
2⤵
- Modifies data under HKEY_USERS
PID:1112

C:\Windows\System32\reg.exe
reg add "HKLM\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform" /f /v KeyManagementServiceName /t REG_SZ /d "10.0.0.10"
2⤵
PID:688

C:\Windows\System32\reg.exe
reg delete "HKLM\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform" /f /v KeyManagementServicePort
2⤵
PID:1636

C:\Windows\System32\reg.exe
reg delete "HKLM\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform" /f /v DisableDnsPublishing
2⤵
PID:1780

C:\Windows\System32\reg.exe
reg delete "HKLM\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform" /f /v DisableKeyManagementServiceHostCaching
2⤵
PID:4012

C:\Windows\System32\reg.exe
reg delete "HKLM\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform\59a52881-a989-479d-af46-f275c6370663" /f
2⤵
PID:760

C:\Windows\System32\reg.exe
reg delete "HKLM\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform\0ff1ce15-a989-479d-af46-f275c6370663" /f
2⤵
PID:1628

C:\Windows\System32\reg.exe
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\taskcache\tasks" /f Path /s
2⤵
PID:4800

C:\Windows\System32\find.exe
find /i "\Activation-Renewal"
2⤵
PID:4792

C:\Windows\System32\reg.exe
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\taskcache\tasks" /f Path /s
2⤵
PID:4068

C:\Windows\System32\find.exe
find /i "\Online_KMS_Activation_Script-Renewal"
2⤵
PID:4600

C:\Windows\System32\mode.com
mode con: cols=76 lines=30
2⤵
PID:1600

C:\Windows\System32\choice.exe
choice /C:1234567 /N
2⤵
PID:2764

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

System Services

1

T1569

Service Execution

1

T1569.002

Persistence

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Privilege Escalation

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Defense Evasion

Impair Defenses

1

T1562

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Remote System Discovery

1

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Service Stop

1

T1489

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_jnbu4npv.hhj.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Windows\Temp\c2rchk.txt
Filesize
15B

MD5
606d9abf768025ebe0b25958d417be6c

SHA1
81b33a8807f17530f00225d09943a30a2d2bc94d

SHA256
5e2af1accb0147d7d52f896091e14821abd697a04a67855eee2b8219281c8f9d

SHA512
e3ebded19b43b85453750127f866e92e6623509559bd30048da8685dc9f3a784a0cd0a0f36e64760f6cfb9e55145e560151e8ecfb97499dca9684d6f6fec0d1f

Download Submit
C:\Windows\Temp\crvRetail.txt
Filesize
80B

MD5
8bf63053cd3d9b456db6f0f5364fbdd8

SHA1
66f296e2f8f2557651948768d23940a364fbbd8b

SHA256
6745801207605da64109696eb8edc436e5599da0012092fc5b5b0d3fc58649d8

SHA512
06f09dde15ae5077b19149f4ef682ece57cd8d83ab1ab1dc30b342b24f534e7926a6671d7268e365dcd9378529bf6f9af682798dd985a4f5522044c047e901a0

Download Submit
C:\Windows\Temp\crvVolume.txt
Filesize
600B

MD5
1374862854ec28d35d8d726f9e16b5b2

SHA1
1a3a6774d07ebbe2a29876be291434e8079a4042

SHA256
b3df27075dfec96fa1765a8714ab31a5502c6d722ba86d73495464240d5da602

SHA512
aa59eadbf536032b44449ec7e4d3b0e55192204b943fad569b140cca341285d02fb89a3ec6852494fb30a93045a4d8459a15e48c166bdb74c5d4872107781959

Download Submit
C:\Windows\Temp\sppchk.txt
Filesize
850B

MD5
32d4eec64d26c57a30802124903ba56f

SHA1
266bea2c586bc0ab52f4dc9fd90739c491acf6d9

SHA256
0068a0d6ccc9c175d21bacfa9e8549fb6a813ff2ab231c9f97e33e3f039ac8e3

SHA512
213b0e520da4260f46aa467d1892d1a9486edd6f211837f95306aa1e3f08410e054ea9abe44cd063b0e7703325242c9564e8d35e6b964d18d04cfbf0fb2d9635

Download Submit
C:\Windows\Temp\sppchk.txt
Filesize
1KB

MD5
9ca430ff9d23c91111e7f982880bb1b5

SHA1
d19b69dfcf697895275aadc5c4d43cf77c5f2de9

SHA256
9297e408b04114294f766ca92924527538621948c094adbdc70255af3ef92634

SHA512
01df1ae217f1ed261984cd09bb864874b2a945886bc3e565477c5769710e80fd307f28247edc119167992cc7d4d8c1e1a926eb9ac029e5d27ba9169474465dcb

Download Submit
C:\Windows\Temp\sppchk.txt
Filesize
988B

MD5
8143fc3337a4f055fe860865ed91aac9

SHA1
d122ff2171c37d49847e244aae508da311644c3e

SHA256
92da4b983f90fcc59d65e8378520c8732ecfb6857dcbe0014f3de1775be6c44e

SHA512
24fde039e1fe96d1eeaafd501d0892299657a9034e1fc2295d7c0e0f093bda9c4711565a688f3f7b24f0467028d7e1648a74a0a02be2edfe9cedd2b3dd15cb87

Download Submit
C:\Windows\Temp\sppchk.txt
Filesize
1KB

MD5
fdc85c1a6784c8631b7a03a84b8eb139

SHA1
366b646aea42bc9c90fccd17f0e96a6201fc0b82

SHA256
c418635620f8fb9b9b2787e142e77ae8c560295836bf42ca4779c1fdac3a6393

SHA512
60a6248f152fe40e34ed84b07abc46dff10387f20ee6ac4f23a69f848215e8eb2123eac4979df7ad2bb1a331b218129b6bdd56fa96a726a4c61c99dda35fe43e

Download Submit
memory/460-5-0x000001F60B1F0000-0x000001F60B212000-memory.dmp

Filesize
136KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads