6a33a7755cea94bdc8527df33b1e5e238c26a478c50c294387ab603ce7544729

Analysis

max time kernel
142s
max time network
140s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
04/06/2024, 09:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

MAS_AIO-CRC32_8B16F764.cmd
Size

438KB
MD5

85d6b9f9cffa62fd7eb22954568a7d9a
SHA1

8c871d7aae9430ae72aa091988e622f14dc31d59
SHA256

6a33a7755cea94bdc8527df33b1e5e238c26a478c50c294387ab603ce7544729
SHA512

30cf6abff4fe1218967d99dd2828698ebf93ed8a9c5d94c601cfb08b3ec20fdabc34b657e4d1ac2570d75247927b886905410b927167f7ac91483a2a8a2684a8
SSDEEP

3072:ZddR3S9mF2TJRMP0u+RciNiYFRd8nVFR3mP5sLtV7bJuAMTVFp6zGDNSCE2K0xOn:XAnHu+R7VLo97bJu9p6zGDNS0KgOuCV

Score

4^/10

Malware Config

Signatures

Launches sc.exe 11 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2076	sc.exe
2164	sc.exe
2144	sc.exe
944	sc.exe
1704	sc.exe
572	sc.exe
884	sc.exe
1804	sc.exe
1820	sc.exe
2008	sc.exe
2316	sc.exe

Modifies registry key 1 TTPs 12 IoCs

Modify Registry

T1112

pid	Process
2888	reg.exe
872	reg.exe
2736	reg.exe
2676	reg.exe
324	reg.exe
2744	reg.exe
2600	reg.exe
1800	reg.exe
2552	reg.exe
2452	reg.exe
2460	reg.exe
1272	reg.exe

Runs net.exe

Runs ping.exe 1 TTPs 4 IoCs

Remote System Discovery

T1018

pid	Process
856	PING.EXE
2544	PING.EXE
2360	PING.EXE
1668	PING.EXE

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
1436	powershell.exe
2328	powershell.exe
2908	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1436	powershell.exe
Token: SeDebugPrivilege	2328	powershell.exe
Token: SeIncreaseQuotaPrivilege	1808	WMIC.exe
Token: SeSecurityPrivilege	1808	WMIC.exe
Token: SeTakeOwnershipPrivilege	1808	WMIC.exe
Token: SeLoadDriverPrivilege	1808	WMIC.exe
Token: SeSystemProfilePrivilege	1808	WMIC.exe
Token: SeSystemtimePrivilege	1808	WMIC.exe
Token: SeProfSingleProcessPrivilege	1808	WMIC.exe
Token: SeIncBasePriorityPrivilege	1808	WMIC.exe
Token: SeCreatePagefilePrivilege	1808	WMIC.exe
Token: SeBackupPrivilege	1808	WMIC.exe
Token: SeRestorePrivilege	1808	WMIC.exe
Token: SeShutdownPrivilege	1808	WMIC.exe
Token: SeDebugPrivilege	1808	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1808	WMIC.exe
Token: SeRemoteShutdownPrivilege	1808	WMIC.exe
Token: SeUndockPrivilege	1808	WMIC.exe
Token: SeManageVolumePrivilege	1808	WMIC.exe
Token: 33	1808	WMIC.exe
Token: 34	1808	WMIC.exe
Token: 35	1808	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1808	WMIC.exe
Token: SeSecurityPrivilege	1808	WMIC.exe
Token: SeTakeOwnershipPrivilege	1808	WMIC.exe
Token: SeLoadDriverPrivilege	1808	WMIC.exe
Token: SeSystemProfilePrivilege	1808	WMIC.exe
Token: SeSystemtimePrivilege	1808	WMIC.exe
Token: SeProfSingleProcessPrivilege	1808	WMIC.exe
Token: SeIncBasePriorityPrivilege	1808	WMIC.exe
Token: SeCreatePagefilePrivilege	1808	WMIC.exe
Token: SeBackupPrivilege	1808	WMIC.exe
Token: SeRestorePrivilege	1808	WMIC.exe
Token: SeShutdownPrivilege	1808	WMIC.exe
Token: SeDebugPrivilege	1808	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1808	WMIC.exe
Token: SeRemoteShutdownPrivilege	1808	WMIC.exe
Token: SeUndockPrivilege	1808	WMIC.exe
Token: SeManageVolumePrivilege	1808	WMIC.exe
Token: 33	1808	WMIC.exe
Token: 34	1808	WMIC.exe
Token: 35	1808	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1680	WMIC.exe
Token: SeSecurityPrivilege	1680	WMIC.exe
Token: SeTakeOwnershipPrivilege	1680	WMIC.exe
Token: SeLoadDriverPrivilege	1680	WMIC.exe
Token: SeSystemProfilePrivilege	1680	WMIC.exe
Token: SeSystemtimePrivilege	1680	WMIC.exe
Token: SeProfSingleProcessPrivilege	1680	WMIC.exe
Token: SeIncBasePriorityPrivilege	1680	WMIC.exe
Token: SeCreatePagefilePrivilege	1680	WMIC.exe
Token: SeBackupPrivilege	1680	WMIC.exe
Token: SeRestorePrivilege	1680	WMIC.exe
Token: SeShutdownPrivilege	1680	WMIC.exe
Token: SeDebugPrivilege	1680	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1680	WMIC.exe
Token: SeRemoteShutdownPrivilege	1680	WMIC.exe
Token: SeUndockPrivilege	1680	WMIC.exe
Token: SeManageVolumePrivilege	1680	WMIC.exe
Token: 33	1680	WMIC.exe
Token: 34	1680	WMIC.exe
Token: 35	1680	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1680	WMIC.exe
Token: SeSecurityPrivilege	1680	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2620 wrote to memory of 1804	2620	cmd.exe	29
PID 2620 wrote to memory of 1804	2620	cmd.exe	29
PID 2620 wrote to memory of 1804	2620	cmd.exe	29
PID 2620 wrote to memory of 2148	2620	cmd.exe	30
PID 2620 wrote to memory of 2148	2620	cmd.exe	30
PID 2620 wrote to memory of 2148	2620	cmd.exe	30
PID 2620 wrote to memory of 2392	2620	cmd.exe	31
PID 2620 wrote to memory of 2392	2620	cmd.exe	31
PID 2620 wrote to memory of 2392	2620	cmd.exe	31
PID 2620 wrote to memory of 2276	2620	cmd.exe	32
PID 2620 wrote to memory of 2276	2620	cmd.exe	32
PID 2620 wrote to memory of 2276	2620	cmd.exe	32
PID 2620 wrote to memory of 2248	2620	cmd.exe	33
PID 2620 wrote to memory of 2248	2620	cmd.exe	33
PID 2620 wrote to memory of 2248	2620	cmd.exe	33
PID 2620 wrote to memory of 2256	2620	cmd.exe	34
PID 2620 wrote to memory of 2256	2620	cmd.exe	34
PID 2620 wrote to memory of 2256	2620	cmd.exe	34
PID 2620 wrote to memory of 2092	2620	cmd.exe	35
PID 2620 wrote to memory of 2092	2620	cmd.exe	35
PID 2620 wrote to memory of 2092	2620	cmd.exe	35
PID 2620 wrote to memory of 2532	2620	cmd.exe	36
PID 2620 wrote to memory of 2532	2620	cmd.exe	36
PID 2620 wrote to memory of 2532	2620	cmd.exe	36
PID 2620 wrote to memory of 1272	2620	cmd.exe	37
PID 2620 wrote to memory of 1272	2620	cmd.exe	37
PID 2620 wrote to memory of 1272	2620	cmd.exe	37
PID 2620 wrote to memory of 1880	2620	cmd.exe	38
PID 2620 wrote to memory of 1880	2620	cmd.exe	38
PID 2620 wrote to memory of 1880	2620	cmd.exe	38
PID 2620 wrote to memory of 2584	2620	cmd.exe	39
PID 2620 wrote to memory of 2584	2620	cmd.exe	39
PID 2620 wrote to memory of 2584	2620	cmd.exe	39
PID 2584 wrote to memory of 2544	2584	cmd.exe	40
PID 2584 wrote to memory of 2544	2584	cmd.exe	40
PID 2584 wrote to memory of 2544	2584	cmd.exe	40
PID 2620 wrote to memory of 2644	2620	cmd.exe	41
PID 2620 wrote to memory of 2644	2620	cmd.exe	41
PID 2620 wrote to memory of 2644	2620	cmd.exe	41
PID 2620 wrote to memory of 2656	2620	cmd.exe	42
PID 2620 wrote to memory of 2656	2620	cmd.exe	42
PID 2620 wrote to memory of 2656	2620	cmd.exe	42
PID 2620 wrote to memory of 2664	2620	cmd.exe	43
PID 2620 wrote to memory of 2664	2620	cmd.exe	43
PID 2620 wrote to memory of 2664	2620	cmd.exe	43
PID 2620 wrote to memory of 2892	2620	cmd.exe	44
PID 2620 wrote to memory of 2892	2620	cmd.exe	44
PID 2620 wrote to memory of 2892	2620	cmd.exe	44
PID 2620 wrote to memory of 2592	2620	cmd.exe	45
PID 2620 wrote to memory of 2592	2620	cmd.exe	45
PID 2620 wrote to memory of 2592	2620	cmd.exe	45
PID 2592 wrote to memory of 2580	2592	cmd.exe	46
PID 2592 wrote to memory of 2580	2592	cmd.exe	46
PID 2592 wrote to memory of 2580	2592	cmd.exe	46
PID 2620 wrote to memory of 2888	2620	cmd.exe	47
PID 2620 wrote to memory of 2888	2620	cmd.exe	47
PID 2620 wrote to memory of 2888	2620	cmd.exe	47
PID 2620 wrote to memory of 872	2620	cmd.exe	48
PID 2620 wrote to memory of 872	2620	cmd.exe	48
PID 2620 wrote to memory of 872	2620	cmd.exe	48
PID 2620 wrote to memory of 2556	2620	cmd.exe	49
PID 2620 wrote to memory of 2556	2620	cmd.exe	49
PID 2620 wrote to memory of 2556	2620	cmd.exe	49
PID 2620 wrote to memory of 2624	2620	cmd.exe	50

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\MAS_AIO-CRC32_8B16F764.cmd"
1⤵
- Suspicious use of WriteProcessMemory
PID:2620
- C:\Windows\System32\sc.exe
  sc query Null
  2⤵
  - Launches sc.exe
  PID:1804
- C:\Windows\System32\find.exe
  find /i "RUNNING"
  2⤵
  PID:2148
- C:\Windows\System32\findstr.exe
  findstr /v "$" "MAS_AIO-CRC32_8B16F764.cmd"
  2⤵
  PID:2392
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ver
  2⤵
  PID:2276
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "prompt $H&for %B in (1) do rem"
  2⤵
  PID:2248
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo "C:\Users\Admin\AppData\Local\Temp\MAS_AIO-CRC32_8B16F764.cmd" "
  2⤵
  PID:2256
- C:\Windows\System32\find.exe
  find /i "C:\Users\Admin\AppData\Local\Temp"
  2⤵
  PID:2092
- C:\Windows\System32\fltMC.exe
  fltmc
  2⤵
  PID:2532
- C:\Windows\System32\reg.exe
  reg query HKCU\Console /v QuickEdit
  2⤵
  - Modifies registry key
  PID:1272
- C:\Windows\System32\find.exe
  find /i "0x0"
  2⤵
  PID:1880
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ping -4 -n 1 updatecheck.massgrave.dev
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2584
- - C:\Windows\System32\PING.EXE
    ping -4 -n 1 updatecheck.massgrave.dev
    3⤵
    - Runs ping.exe
    PID:2544
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo "127.69.2.6" "
  2⤵
  PID:2644
- C:\Windows\System32\find.exe
  find "127.69"
  2⤵
  PID:2656
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo "127.69.2.6" "
  2⤵
  PID:2664
- C:\Windows\System32\find.exe
  find "127.69.2.6"
  2⤵
  PID:2892
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /v Desktop
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2592
- - C:\Windows\System32\reg.exe
    reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /v Desktop
    3⤵
    PID:2580
- C:\Windows\System32\mode.com
  mode 76, 30
  2⤵
  PID:2888
- C:\Windows\System32\findstr.exe
  findstr /a:07 /f:`.txt "."
  2⤵
  PID:872
- C:\Windows\System32\findstr.exe
  findstr /a:0A /f:`.txt "."
  2⤵
  PID:2556
- C:\Windows\System32\choice.exe
  choice /C:123456780 /N
  2⤵
  PID:2624
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ver
  2⤵
  PID:1684
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe write-host -back '"Red"' -fore '"white"' '"==== ERROR ===="'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1436
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe write-host -back '"Black"' -fore '"Yellow"' '"Press any key to Go back..."'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2328
- C:\Windows\System32\mode.com
  mode 76, 30
  2⤵
  PID:552
- C:\Windows\System32\findstr.exe
  findstr /a:07 /f:`.txt "."
  2⤵
  PID:3024
- C:\Windows\System32\findstr.exe
  findstr /a:0A /f:`.txt "."
  2⤵
  PID:1556
- C:\Windows\System32\choice.exe
  choice /C:123456780 /N
  2⤵
  PID:1604
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ver
  2⤵
  PID:1444
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "prompt $H&for %B in (1) do rem"
  2⤵
  PID:2136
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment" /v PROCESSOR_ARCHITECTURE
  2⤵
  PID:2108
- - C:\Windows\System32\reg.exe
    reg query "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment" /v PROCESSOR_ARCHITECTURE
    3⤵
    PID:2236
- C:\Windows\System32\wbem\WMIC.exe
  wmic path Win32_ComputerSystem get CreationClassName /value
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1808
- C:\Windows\System32\find.exe
  find /i "ComputerSystem"
  2⤵
  PID:1748
- C:\Windows\System32\reg.exe
  reg query "HKCU\SOFTWARE\Microsoft\Windows Script Host\Settings" /v Enabled
  2⤵
  PID:2916
- C:\Windows\System32\find.exe
  find /i "0x0"
  2⤵
  PID:2060
- C:\Windows\System32\reg.exe
  reg query "HKLM\SOFTWARE\Microsoft\Windows Script Host\Settings" /v Enabled
  2⤵
  PID:1956
- C:\Windows\System32\find.exe
  find /i "0x0"
  2⤵
  PID:2080
- C:\Windows\System32\reg.exe
  reg query HKCU\SOFTWARE\Microsoft\Office\16.0\Common\Licensing\LicensingNext /v MigrationToV5Done
  2⤵
  - Modifies registry key
  PID:324
- C:\Windows\System32\find.exe
  find /i "0x1"
  2⤵
  PID:608
- C:\Windows\System32\reg.exe
  reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\taskcache\tasks" /f Path /s
  2⤵
  PID:580
- C:\Windows\System32\find.exe
  find /i "\Activation-Renewal"
  2⤵
  PID:336
- C:\Windows\System32\reg.exe
  reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\taskcache\tasks" /f Path /s
  2⤵
  PID:956
- C:\Windows\System32\findstr.exe
  findstr /i "\Activation-Renewal \Online_KMS_Activation_Script-Renewal"
  2⤵
  PID:900
- C:\Windows\System32\mode.com
  mode con: cols=76 lines=30
  2⤵
  PID:1500
- C:\Windows\System32\findstr.exe
  findstr /a:07 /f:`.txt "."
  2⤵
  PID:584
- C:\Windows\System32\findstr.exe
  findstr /a:0A /f:`.txt "."
  2⤵
  PID:1484
- C:\Windows\System32\choice.exe
  choice /C:12345670 /N
  2⤵
  PID:852
- C:\Windows\System32\reg.exe
  reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.exe" /f
  2⤵
  PID:3020
- C:\Windows\System32\reg.exe
  reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sppsvc.exe" /f
  2⤵
  PID:1884
- C:\Windows\System32\reg.exe
  reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osppsvc.exe" /f
  2⤵
  PID:876
- C:\Windows\System32\reg.exe
  reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /f /v KeyManagementServiceName
  2⤵
  PID:2412
- C:\Windows\System32\reg.exe
  reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /f /v KeyManagementServicePort
  2⤵
  PID:1540
- C:\Windows\System32\reg.exe
  reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /f /v DisableDnsPublishing
  2⤵
  PID:1644
- C:\Windows\System32\reg.exe
  reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /f /v DisableKeyManagementServiceHostCaching
  2⤵
  PID:2936
- C:\Windows\System32\reg.exe
  reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\55c92734-d682-4d71-983e-d6ec3f16059f" /f
  2⤵
  PID:1000
- C:\Windows\System32\reg.exe
  reg delete "HKLM\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform" /f /v KeyManagementServiceName
  2⤵
  PID:856
- C:\Windows\System32\reg.exe
  reg delete "HKLM\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform" /f /v KeyManagementServicePort
  2⤵
  PID:2312
- C:\Windows\System32\reg.exe
  reg delete "HKLM\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform" /f /v DisableDnsPublishing
  2⤵
  PID:1036
- C:\Windows\System32\reg.exe
  reg delete "HKLM\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform" /f /v DisableKeyManagementServiceHostCaching
  2⤵
  PID:2052
- C:\Windows\System32\reg.exe
  reg delete "HKLM\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform\59a52881-a989-479d-af46-f275c6370663" /f
  2⤵
  PID:2288
- C:\Windows\System32\reg.exe
  reg delete "HKLM\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform\0ff1ce15-a989-479d-af46-f275c6370663" /f
  2⤵
  PID:2268
- C:\Windows\System32\reg.exe
  reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\55c92734-d682-4d71-983e-d6ec3f16059f"
  2⤵
  PID:1740
- C:\Windows\System32\Wbem\WMIC.exe
  wmic path Win32_ComputerSystem get CreationClassName /value
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1680
- C:\Windows\System32\find.exe
  find /i "ComputerSystem"
  2⤵
  PID:1780
- C:\Windows\System32\net.exe
  net use C:
  2⤵
  PID:2000
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /v Desktop
  2⤵
  PID:1404
- - C:\Windows\System32\reg.exe
    reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /v Desktop
    3⤵
    PID:292
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ver
  2⤵
  PID:668
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v UBR 2>nul
  2⤵
  PID:2176
- - C:\Windows\System32\reg.exe
    reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v UBR
    3⤵
    PID:1032
- C:\Windows\System32\mode.com
  mode con cols=98 lines=31
  2⤵
  PID:1716
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe "&{$W=$Host.UI.RawUI.WindowSize;$B=$Host.UI.RawUI.BufferSize;$W.Height=31;$B.Height=300;$Host.UI.RawUI.WindowSize=$W;$Host.UI.RawUI.BufferSize=$B;}"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2908
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ping -n 1 kms.zhuxiaole.org
  2⤵
  PID:1064
- - C:\Windows\System32\PING.EXE
    ping -n 1 kms.zhuxiaole.org
    3⤵
    - Runs ping.exe
    PID:2360
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ping -4 -n 1 xincheng213618.cn 2>nul
  2⤵
  PID:404
- - C:\Windows\System32\PING.EXE
    ping -4 -n 1 xincheng213618.cn
    3⤵
    - Runs ping.exe
    PID:1668
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c dir /b /ad C:\Windows\System32\spp\tokens\skus
  2⤵
  PID:884
- C:\Windows\System32\sc.exe
  sc query osppsvc
  2⤵
  - Launches sc.exe
  PID:2076
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c dir /b /ad C:\Windows\System32\spp\tokens\channels
  2⤵
  PID:820
- C:\Windows\System32\sc.exe
  sc query sppsvc
  2⤵
  - Launches sc.exe
  PID:1820
- C:\Windows\System32\find.exe
  find /i "STOPPED"
  2⤵
  PID:628
- C:\Windows\System32\net.exe
  net stop sppsvc /y
  2⤵
  PID:1512
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop sppsvc /y
    3⤵
    PID:2364
- C:\Windows\System32\sc.exe
  sc query sppsvc
  2⤵
  - Launches sc.exe
  PID:2008
- C:\Windows\System32\find.exe
  find /i "STOPPED"
  2⤵
  PID:2348
- C:\Windows\System32\sc.exe
  sc query osppsvc
  2⤵
  - Launches sc.exe
  PID:2164
- C:\Windows\System32\find.exe
  find /i "STOPPED"
  2⤵
  PID:2196
- C:\Windows\System32\sc.exe
  sc query osppsvc
  2⤵
  - Launches sc.exe
  PID:2144
- C:\Windows\System32\find.exe
  find /i "STOPPED"
  2⤵
  PID:1804
- C:\Windows\System32\reg.exe
  reg add "HKLM\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform" /f /v KeyManagementServiceName /t REG_SZ /d "124.223.166.218"
  2⤵
  PID:1336
- C:\Windows\System32\reg.exe
  reg add "HKLM\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform" /f /v KeyManagementServicePort /t REG_SZ /d "1688"
  2⤵
  PID:1584
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages" /f "Microsoft-Windows-*Edition~31bf3856ad364e35" /k 2>nul | FIND /I "CurrentVersion"
  2⤵
  PID:1612
- - C:\Windows\System32\reg.exe
    REG QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages" /f "Microsoft-Windows-*Edition~31bf3856ad364e35" /k
    3⤵
    PID:2304
- - C:\Windows\System32\find.exe
    FIND /I "CurrentVersion"
    3⤵
    PID:1724
- C:\Windows\System32\reg.exe
  REG QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Microsoft-Windows-UltimateEdition~31bf3856ad364e35~amd64~~6.1.7601.17514" /v "CurrentState"
  2⤵
  PID:1304
- C:\Windows\System32\find.exe
  FIND /I "0x70"
  2⤵
  PID:2252
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ECHO Microsoft-Windows-UltimateEdition~31bf3856ad364e35~amd64~~6.1.7601.17514
  2⤵
  PID:1696
- C:\Windows\System32\net.exe
  net start sppsvc /y
  2⤵
  PID:2120
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 start sppsvc /y
    3⤵
    PID:2124
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "wmic path SoftwareLicensingProduct where (ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f' AND PartialProductKey is not NULL) get LicenseFamily /value" 2>nul
  2⤵
  PID:2548
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path SoftwareLicensingProduct where (ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f' AND PartialProductKey is not NULL) get LicenseFamily /value
    3⤵
    PID:2568
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v ProductName 2>nul
  2⤵
  PID:2580
- - C:\Windows\System32\reg.exe
    reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v ProductName
    3⤵
    PID:2592
- C:\Windows\System32\reg.exe
  reg query HKLM\SOFTWARE\Microsoft\Office\ClickToRun /v InstallPath
  2⤵
  - Modifies registry key
  PID:2888
- C:\Windows\System32\reg.exe
  reg query HKLM\SOFTWARE\WOW6432Node\Microsoft\Office\ClickToRun /v InstallPath
  2⤵
  - Modifies registry key
  PID:2744
- C:\Windows\System32\reg.exe
  reg query HKLM\SOFTWARE\Microsoft\Office\15.0\ClickToRun /v InstallPath
  2⤵
  - Modifies registry key
  PID:872
- C:\Windows\System32\reg.exe
  reg query HKLM\SOFTWARE\Wow6432Node\Microsoft\Office\14.0\CVH /f Click2run /k
  2⤵
  - Modifies registry key
  PID:2600
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "reg query HKLM\SOFTWARE\Microsoft\Office\14.0\Common\InstallRoot /v Path" 2>nul
  2⤵
  PID:2732
- - C:\Windows\System32\reg.exe
    reg query HKLM\SOFTWARE\Microsoft\Office\14.0\Common\InstallRoot /v Path
    3⤵
    - Modifies registry key
    PID:2736
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "reg query HKLM\SOFTWARE\Wow6432Node\Microsoft\Office\14.0\Common\InstallRoot /v Path" 2>nul
  2⤵
  PID:2724
- - C:\Windows\System32\reg.exe
    reg query HKLM\SOFTWARE\Wow6432Node\Microsoft\Office\14.0\Common\InstallRoot /v Path
    3⤵
    - Modifies registry key
    PID:2676
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "reg query HKLM\SOFTWARE\Microsoft\Office\15.0\Common\InstallRoot /v Path" 2>nul
  2⤵
  PID:1984
- - C:\Windows\System32\reg.exe
    reg query HKLM\SOFTWARE\Microsoft\Office\15.0\Common\InstallRoot /v Path
    3⤵
    - Modifies registry key
    PID:1800
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "reg query HKLM\SOFTWARE\Wow6432Node\Microsoft\Office\15.0\Common\InstallRoot /v Path" 2>nul
  2⤵
  PID:1812
- - C:\Windows\System32\reg.exe
    reg query HKLM\SOFTWARE\Wow6432Node\Microsoft\Office\15.0\Common\InstallRoot /v Path
    3⤵
    - Modifies registry key
    PID:2552
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "reg query HKLM\SOFTWARE\Microsoft\Office\16.0\Common\InstallRoot /v Path" 2>nul
  2⤵
  PID:2444
- - C:\Windows\System32\reg.exe
    reg query HKLM\SOFTWARE\Microsoft\Office\16.0\Common\InstallRoot /v Path
    3⤵
    - Modifies registry key
    PID:2452
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "reg query HKLM\SOFTWARE\Wow6432Node\Microsoft\Office\16.0\Common\InstallRoot /v Path" 2>nul
  2⤵
  PID:2336
- - C:\Windows\System32\reg.exe
    reg query HKLM\SOFTWARE\Wow6432Node\Microsoft\Office\16.0\Common\InstallRoot /v Path
    3⤵
    - Modifies registry key
    PID:2460
- C:\Windows\System32\Wbem\WMIC.exe
  wmic path SoftwareLicensingProduct where (Description like '%KMSCLIENT%' ) get Name /value
  2⤵
  PID:2484
- C:\Windows\System32\findstr.exe
  findstr /i Windows
  2⤵
  PID:2512
- C:\Windows\System32\net.exe
  net start osppsvc /y
  2⤵
  PID:2488
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 start osppsvc /y
    3⤵
    PID:2096
- C:\Windows\System32\Wbem\WMIC.exe
  wmic path OfficeSoftwareProtectionProduct where (Description like '%KMSCLIENT%' AND NOT Name like '%MondoR_KMS_Automation%' ) get Name /value
  2⤵
  PID:2320
- C:\Windows\System32\find.exe
  find /i "Office 21" "C:\Windows\Temp\sppchk.txt"
  2⤵
  PID:2856
- C:\Windows\System32\find.exe
  find /i "Office 19" "C:\Windows\Temp\sppchk.txt"
  2⤵
  PID:2716
- C:\Windows\System32\find.exe
  find /i "Office 16" "C:\Windows\Temp\sppchk.txt"
  2⤵
  PID:2836
- C:\Windows\System32\find.exe
  find /i "Office 15" "C:\Windows\Temp\sppchk.txt"
  2⤵
  PID:3012
- C:\Windows\System32\find.exe
  find /i "Office 14" "C:\Windows\Temp\sppchk.txt"
  2⤵
  PID:1788
- C:\Windows\System32\Wbem\WMIC.exe
  wmic path OfficeSoftwareProtectionProduct where (ApplicationID='0ff1ce15-a989-479d-af46-f275c6370663' AND NOT Name like '%O365%' ) get Name /value
  2⤵
  PID:2344
- C:\Windows\System32\find.exe
  find /i "R_Retail" "C:\Windows\Temp\sppchk.txt"
  2⤵
  PID:2752
- C:\Windows\System32\find.exe
  find /i "Office 21"
  2⤵
  PID:1864
- C:\Windows\System32\find.exe
  find /i "R_Retail" "C:\Windows\Temp\sppchk.txt"
  2⤵
  PID:2464
- C:\Windows\System32\find.exe
  find /i "Office 19"
  2⤵
  PID:2504
- C:\Windows\System32\find.exe
  find /i "R_Retail" "C:\Windows\Temp\sppchk.txt"
  2⤵
  PID:2480
- C:\Windows\System32\find.exe
  find /i "Office 16"
  2⤵
  PID:2468
- C:\Windows\System32\find.exe
  find /i "R_Retail" "C:\Windows\Temp\sppchk.txt"
  2⤵
  PID:2872
- C:\Windows\System32\find.exe
  find /i "Office 15"
  2⤵
  PID:2492
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "wmic path OfficeSoftwareProtectionProduct where (LicenseFamily='OfficeVisioPrem-MAK') get LicenseStatus /value" 2>nul
  2⤵
  PID:2368
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path OfficeSoftwareProtectionProduct where (LicenseFamily='OfficeVisioPrem-MAK') get LicenseStatus /value
    3⤵
    PID:2624
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "wmic path OfficeSoftwareProtectionProduct where (LicenseFamily='OfficeVisioPro-MAK') get LicenseStatus /value" 2>nul
  2⤵
  PID:2324
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path OfficeSoftwareProtectionProduct where (LicenseFamily='OfficeVisioPro-MAK') get LicenseStatus /value
    3⤵
    PID:2496
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "wmic path OfficeSoftwareProtectionService get Version /value" 2>nul
  2⤵
  PID:1436
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path OfficeSoftwareProtectionService get Version /value
    3⤵
    PID:3028
- C:\Windows\System32\reg.exe
  reg add "HKLM\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform" /f /v KeyManagementServiceName /t REG_SZ /d "124.223.166.218"
  2⤵
  PID:2540
- C:\Windows\System32\reg.exe
  reg add "HKLM\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform" /f /v KeyManagementServicePort /t REG_SZ /d "1688"
  2⤵
  PID:1892
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "wmic path OfficeSoftwareProtectionProduct where (Description like '%KMSCLIENT%' ) get ID /value"
  2⤵
  PID:2692
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path OfficeSoftwareProtectionProduct where (Description like '%KMSCLIENT%' ) get ID /value
    3⤵
    PID:2780
- C:\Windows\System32\Wbem\WMIC.exe
  wmic path OfficeSoftwareProtectionProduct where (ID='6f327760-8c5c-417c-9b61-836a98287e0c') get Name /value
  2⤵
  PID:3024
- C:\Windows\System32\find.exe
  find /i "Office 14" "C:\Windows\Temp\sppchk.txt"
  2⤵
  PID:1604
- C:\Windows\System32\find.exe
  find /i "Office 15" "C:\Windows\Temp\sppchk.txt"
  2⤵
  PID:1768
- C:\Windows\System32\find.exe
  find /i "Office 16" "C:\Windows\Temp\sppchk.txt"
  2⤵
  PID:2536
- C:\Windows\System32\find.exe
  find /i "Office 19" "C:\Windows\Temp\sppchk.txt"
  2⤵
  PID:2116
- C:\Windows\System32\find.exe
  find /i "Office 21" "C:\Windows\Temp\sppchk.txt"
  2⤵
  PID:2040
- C:\Windows\System32\Wbem\WMIC.exe
  wmic path OfficeSoftwareProtectionProduct where (PartialProductKey is not NULL) get ID /value
  2⤵
  PID:2260
- C:\Windows\System32\findstr.exe
  findstr /i "6f327760-8c5c-417c-9b61-836a98287e0c"
  2⤵
  PID:3040
- C:\Windows\System32\reg.exe
  reg delete "HKLM\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform\59a52881-a989-479d-af46-f275c6370663\6f327760-8c5c-417c-9b61-836a98287e0c" /f
  2⤵
  PID:2088
- C:\Windows\System32\reg.exe
  reg delete "HKLM\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform\0ff1ce15-a989-479d-af46-f275c6370663\6f327760-8c5c-417c-9b61-836a98287e0c" /f
  2⤵
  PID:2044
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "wmic path OfficeSoftwareProtectionProduct where (ID='6f327760-8c5c-417c-9b61-836a98287e0c') get Name /value"
  2⤵
  PID:2056
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path OfficeSoftwareProtectionProduct where (ID='6f327760-8c5c-417c-9b61-836a98287e0c') get Name /value
    3⤵
    PID:540
- C:\Windows\System32\Wbem\WMIC.exe
  wmic path OfficeSoftwareProtectionProduct where ID='6f327760-8c5c-417c-9b61-836a98287e0c' call Activate
  2⤵
  PID:604
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "wmic path OfficeSoftwareProtectionProduct where (ID='6f327760-8c5c-417c-9b61-836a98287e0c') get GracePeriodRemaining /value"
  2⤵
  PID:1100
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path OfficeSoftwareProtectionProduct where (ID='6f327760-8c5c-417c-9b61-836a98287e0c') get GracePeriodRemaining /value
    3⤵
    PID:2408
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ping -4 -n 1 kms.wxlost.com 2>nul
  2⤵
  PID:1000
- - C:\Windows\System32\PING.EXE
    ping -4 -n 1 kms.wxlost.com
    3⤵
    - Runs ping.exe
    PID:856
- C:\Windows\System32\reg.exe
  reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /f /v KeyManagementServiceName /t REG_SZ /d "152.70.90.79"
  2⤵
  PID:2024
- C:\Windows\System32\reg.exe
  reg add "HKLM\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform" /f /v KeyManagementServiceName /t REG_SZ /d "152.70.90.79"
  2⤵
  PID:2016
- C:\Windows\System32\reg.exe
  reg delete "HKLM\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform\59a52881-a989-479d-af46-f275c6370663\6f327760-8c5c-417c-9b61-836a98287e0c" /f
  2⤵
  PID:2280
- C:\Windows\System32\reg.exe
  reg delete "HKLM\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform\0ff1ce15-a989-479d-af46-f275c6370663\6f327760-8c5c-417c-9b61-836a98287e0c" /f
  2⤵
  PID:1548
- C:\Windows\System32\Wbem\WMIC.exe
  wmic path OfficeSoftwareProtectionProduct where ID='6f327760-8c5c-417c-9b61-836a98287e0c' call Activate
  2⤵
  PID:1552
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "wmic path OfficeSoftwareProtectionProduct where (ID='6f327760-8c5c-417c-9b61-836a98287e0c') get GracePeriodRemaining /value"
  2⤵
  PID:1364
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path OfficeSoftwareProtectionProduct where (ID='6f327760-8c5c-417c-9b61-836a98287e0c') get GracePeriodRemaining /value
    3⤵
    PID:964
- C:\Windows\System32\findstr.exe
  findstr /a:0A /f:`.txt "."
  2⤵
  PID:1032
- C:\Windows\System32\reg.exe
  reg delete "HKLM\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform" /f /v DisableDnsPublishing
  2⤵
  PID:1716
- C:\Windows\System32\reg.exe
  reg delete "HKLM\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform" /f /v DisableKeyManagementServiceHostCaching
  2⤵
  PID:1048
- C:\Windows\System32\sc.exe
  sc query sppsvc
  2⤵
  - Launches sc.exe
  PID:944
- C:\Windows\System32\find.exe
  find /i "STOPPED"
  2⤵
  PID:2896
- C:\Windows\System32\net.exe
  net stop sppsvc /y
  2⤵
  PID:1044
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop sppsvc /y
    3⤵
    PID:600
- C:\Windows\System32\sc.exe
  sc query sppsvc
  2⤵
  - Launches sc.exe
  PID:2316
- C:\Windows\System32\find.exe
  find /i "STOPPED"
  2⤵
  PID:2240
- C:\Windows\System32\sc.exe
  sc query osppsvc
  2⤵
  - Launches sc.exe
  PID:1704
- C:\Windows\System32\find.exe
  find /i "STOPPED"
  2⤵
  PID:2204
- C:\Windows\System32\net.exe
  net stop osppsvc /y
  2⤵
  PID:1064
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop osppsvc /y
    3⤵
    PID:1056
- C:\Windows\System32\sc.exe
  sc query osppsvc
  2⤵
  - Launches sc.exe
  PID:572
- C:\Windows\System32\find.exe
  find /i "STOPPED"
  2⤵
  PID:1396
- C:\Windows\System32\sc.exe
  sc start sppsvc trigger=timer;sessionid=0
  2⤵
  - Launches sc.exe
  PID:884
- C:\Windows\System32\reg.exe
  reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /f /v KeyManagementServiceName
  2⤵
  PID:2012
- C:\Windows\System32\reg.exe
  reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /f /v KeyManagementServicePort
  2⤵
  PID:2356
- C:\Windows\System32\reg.exe
  reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /f /v DisableDnsPublishing
  2⤵
  PID:2932
- C:\Windows\System32\reg.exe
  reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /f /v DisableKeyManagementServiceHostCaching
  2⤵
  PID:2924
- C:\Windows\System32\reg.exe
  reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\55c92734-d682-4d71-983e-d6ec3f16059f" /f
  2⤵
  PID:2420
- C:\Windows\System32\reg.exe
  reg delete "HKLM\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform" /f /v KeyManagementServiceName
  2⤵
  PID:2364
- C:\Windows\System32\reg.exe
  reg delete "HKLM\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform" /f /v KeyManagementServicePort
  2⤵
  PID:1512
- C:\Windows\System32\reg.exe
  reg delete "HKLM\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform" /f /v DisableDnsPublishing
  2⤵
  PID:3052
- C:\Windows\System32\reg.exe
  reg delete "HKLM\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform" /f /v DisableKeyManagementServiceHostCaching
  2⤵
  PID:2188
- C:\Windows\System32\reg.exe
  reg delete "HKLM\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform\59a52881-a989-479d-af46-f275c6370663" /f
  2⤵
  PID:1712
- C:\Windows\System32\reg.exe
  reg delete "HKLM\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform\0ff1ce15-a989-479d-af46-f275c6370663" /f
  2⤵
  PID:2164
- C:\Windows\System32\reg.exe
  reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\55c92734-d682-4d71-983e-d6ec3f16059f"
  2⤵
  PID:2196
- C:\Windows\System32\findstr.exe
  findstr /a:0E /f:`.txt "."
  2⤵
  PID:2132

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Remote System Discovery

T1018

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
12b99542d8b47131800892ad6ee1c3f7

SHA1
0c644b67dba91253a66cb9313c73a6e647c3a879

SHA256
f90662c4f0a5f0f39f32db50ba8cea94a464b9abc45c90bca5ee6bb1ef150517

SHA512
7839f0e72fc083a301f60f12f6a43e213a5a9e645a84a44754213ecc5e88765308f7742ba1ce75bd75586c82934de6bece9cc7f035f43bb21d3141a34136652e

Download Submit
C:\Windows\Temp\'

Filesize
1B

MD5
5058f1af8388633f609cadb75a75dc9d

SHA1
3a52ce780950d4d969792a2559cd519d7ee8c727

SHA256
cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8

SHA512
0b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21

Download Submit
C:\Windows\Temp\`.txt

Filesize
36B

MD5
af8e4f60116d991bdbf6db9e3b8ecb81

SHA1
cd6118633ba815dfa9fc09eec7a67519d713e29d

SHA256
49dc7e026282be0bf62c018e05add9d48ab0556dd3e6a2b3b8aece685d678774

SHA512
daf0e78de40bac856734a28ea443186e3282724668d28b35008e3a778ba678f913bcf2df20c763f06dbcc4a5896c32ead996d3d72d62d7bd4249a48c514c20d7

Download Submit
C:\Windows\Temp\`.txt

Filesize
34B

MD5
0abd8fb693d5b20745a376aa0d71c21b

SHA1
efbadffe2cb8a900e4d075553cc79459cee8ac20

SHA256
4fd4aadb307be6d0ccf54a78c3aedeeef788b5e640595ab45e6c9444b7315789

SHA512
34b6295dbf7f64ad12fe6f21b81cba8dddb1523dad27830dafe7ff2a57ce2c991d0621021bd977a98322bbbd6cd00835b117ccd6d003a1663156a6b338b8b4fc

Download Submit
C:\Windows\Temp\`.txt

Filesize
17B

MD5
c48de30a6d93de10929a00f17d725a24

SHA1
002e95b585f523b9f1dab14bdad2729032b1a81a

SHA256
96ba30bf853b79cd26e5399db76def0f6be3c936fc1263232937fbc8a0c8c5b5

SHA512
8657c3448c231484a7354b5bbf1cbc0377d0f49841baa67fdb8e6d162274470fa6128160209e9ee2d286172f0156aca0ab9a6440f4d5d69cab56612b4bc53b12

Download Submit
C:\Windows\Temp\`.txt

Filesize
64B

MD5
77d46f20e0040efbb88b3546e07ca3bc

SHA1
e96b144bd7bc5b26cb9adf58399353223d10f404

SHA256
4be35005732a8f6ca965235189ed6934bf6a4e3ba7c4e44f4291ed41752ec34c

SHA512
6fcd8a48a149b453459e35337c277ebb87a09bdcb899bdfeadf588ff3729b4f09edbb94213f99fda012f5f96a65cd21ac43de997b0391d6bf93795efe2e9acde

Download Submit
C:\Windows\Temp\`.txt

Filesize
18B

MD5
92e0789e3f36d25ace53731f8a7943be

SHA1
74d97cda686710b8c89b25cf5b10cc1166a00a60

SHA256
55e8b1c1205fb1bec196d55be47155fb2745fa218d1248e03b3c4ead3860691a

SHA512
16f16916ebf513eb5c3482772103ec2d3783ab528915c59bc0feb5a23c2eaceae49e3035e5c2eb502e50b44b2f2713827beb91c5aca0f41209d8a5101b9b4184

Download Submit
C:\Windows\Temp\`.txt

Filesize
60B

MD5
83cb4f5c2f9cf996d576a42b06705797

SHA1
7e7c402443e028ac30fe896e376586f29d84a40a

SHA256
ef48614dd43c2c85fee7094a12a35c5ecd2c73e791bd771d498bbbe5e9dbd226

SHA512
0ea2050b68561109f11b3fd14dc314aca8a11cf14881e3ab0d130e1321a41a2879a5bd2c030af31f8d1ba02f273cde056d63600372c2eb426030ed8096168405

Download Submit
C:\Windows\Temp\sppchk.txt

Filesize
118B

MD5
139c34473cb65b61c2439f45df8fb70d

SHA1
f5611ffdb810dd1eb4908036402e5d214b5b189d

SHA256
3ca4ceaf4fac99811a37e1809823a4e669025d4efd5058a84b784f74f3bc4639

SHA512
72b149ac334dfa681f40253aba088f1fdc9b298fbae127432c3f9057a0d81bef6e5edfae83c9981c020706ff84d271889d564415e59e0f4edb8c3840d091294b

Download Submit
C:\Windows\Temp\sppchk.txt

Filesize
36B

MD5
c3c912dcb6cb96fbcc7a4de5b65ddf67

SHA1
adb82109a2f87b2e9cf068967f063f7b07196171

SHA256
4bc38ee8ddd6deaacfef121e09085e64464265bc4e01728d9f8b3f08ed3ad5db

SHA512
10502adb85d26e4a65d73fe4211ba1dccbdfee99e990edeb23fb31ae6df204e2c3c6e69e207cdb856b0b0cc590b33cf9b296891cfc4806d649e29dc9e6fac452

Download Submit
memory/1436-10-0x000000001B500000-0x000000001B7E2000-memory.dmp

Filesize
2.9MB

Download
memory/1436-11-0x0000000001EC0000-0x0000000001EC8000-memory.dmp

Filesize
32KB

Download
memory/2328-18-0x0000000002690000-0x0000000002698000-memory.dmp

Filesize
32KB

Download
memory/2328-17-0x000000001B610000-0x000000001B8F2000-memory.dmp

Filesize
2.9MB

Download