5665306da70d8314c1075753e62ccc4163722bc1dd01d6e440f8268e624764bf

Analysis

max time kernel
80s
max time network
34s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
09/07/2024, 17:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ConsoleAct_x64.exe
Size

1.0MB
MD5

8101ffc7c364c9d4d6810c9cbe5b3e43
SHA1

fa266f7cc07d7b51fb1d5a86c73cecf204f28912
SHA256

5665306da70d8314c1075753e62ccc4163722bc1dd01d6e440f8268e624764bf
SHA512

9731b223ef1f02a7bb01afe13c985038517838166e1b90fc88aafa23aaf3e3fdb5a64229a0c5a8960608047f93b4afca0a6c10ad64f635104f01929e996520c7
SSDEEP

24576:WV2HeytcxKV0XOnZe8i5dCppc50CxO7EyyXAAsWvZmSGqb4LQRyg:WVceytcb8i5WchOCQrWvZzGVQUg

Score

8^/10

evasion execution persistence privilege_escalation upx

Malware Config

Signatures

Event Triggered Execution: Image File Execution Options Injection 1 TTPs 44 IoCs

persistence

Image File Execution Options Injection

T1546.012

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sppsvc.exe\VerifierDlls = "SppExtComObjHook.dll"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sppsvc.exe\KMS_Emulation = "1"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sppsvc.exe	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sppsvc.exe\KMS_ActivationInterval = "120"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osppsvc.exe	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sppsvc.exe\KMS_RenewalInterval = "10080"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sppsvc.exe	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osppsvc.exe\VerifierDlls = "SppExtComObjHook.dll"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sppsvc.exe	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osppsvc.exe	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sppsvc.exe	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osppsvc.exe\GlobalFlag = "256"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osppsvc.exe	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osppsvc.exe	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osppsvc.exe\KMS_ActivationInterval = "120"	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sppsvc.exe	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sppsvc.exe	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sppsvc.exe	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sppsvc.exe\VerifierDlls = "SppExtComObjHook.dll"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osppsvc.exe	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osppsvc.exe\KMS_ActivationInterval = "120"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osppsvc.exe	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osppsvc.exe\KMS_RenewalInterval = "10080"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osppsvc.exe	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sppsvc.exe\KMS_RenewalInterval = "10080"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osppsvc.exe\KMS_Emulation = "1"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sppsvc.exe\KMS_Emulation = "1"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sppsvc.exe\KMS_ActivationInterval = "120"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osppsvc.exe\KMS_RenewalInterval = "10080"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osppsvc.exe\VerifierDlls = "SppExtComObjHook.dll"	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osppsvc.exe	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sppsvc.exe\GlobalFlag = "256"	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osppsvc.exe	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sppsvc.exe	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osppsvc.exe\KMS_Emulation = "1"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osppsvc.exe	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osppsvc.exe\GlobalFlag = "256"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osppsvc.exe	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sppsvc.exe	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sppsvc.exe	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osppsvc.exe	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sppsvc.exe	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sppsvc.exe	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sppsvc.exe\GlobalFlag = "256"	reg.exe

Modifies Windows Firewall 2 TTPs 4 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
2704	netsh.exe
2252	netsh.exe
1688	netsh.exe
2144	netsh.exe

Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Loads dropped DLL 3 IoCs

pid	Process
2104	Process not Found
2492	Process not Found
1028	Process not Found

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000700000001960e-1.dat	upx
behavioral1/memory/3032-0-0x0000000140000000-0x000000014023F000-memory.dmp	upx
behavioral1/memory/3032-2-0x0000000140000000-0x000000014023F000-memory.dmp	upx
behavioral1/memory/3032-3-0x0000000140000000-0x000000014023F000-memory.dmp	upx
behavioral1/memory/3032-6-0x0000000140000000-0x000000014023F000-memory.dmp	upx
behavioral1/memory/3032-11-0x0000000140000000-0x000000014023F000-memory.dmp	upx
behavioral1/memory/3032-16-0x0000000140000000-0x000000014023F000-memory.dmp	upx
behavioral1/memory/3032-17-0x0000000140000000-0x000000014023F000-memory.dmp	upx
behavioral1/memory/3032-79-0x0000000140000000-0x000000014023F000-memory.dmp	upx

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\System32\SppExtComObjHook.dll	ConsoleAct_x64.exe
File opened for modification	C:\Windows\System32\SppExtComObjHook.dll	ConsoleAct_x64.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\ConsoleAct.xml	ConsoleAct_x64.exe
File opened for modification	C:\Windows\ConsoleAct.xml	ConsoleAct_x64.exe
File created	C:\Windows\ConsoleAct_x64.exe	ConsoleAct_x64.exe
File opened for modification	C:\Windows\ConsoleAct_x64.exe	ConsoleAct_x64.exe

Launches sc.exe 4 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
1684	sc.exe
2480	sc.exe
1168	sc.exe
1588	sc.exe

Event Triggered Execution: Netsh Helper DLL 1 TTPs 12 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

Gathers network information 2 TTPs 1 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
2412	ipconfig.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
860	taskkill.exe

Modifies registry key 1 TTPs 2 IoCs

Modify Registry

T1112

pid	Process
2836	reg.exe
2760	reg.exe

Runs net.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
760	schtasks.exe
1956	schtasks.exe
2184	schtasks.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
3032	ConsoleAct_x64.exe
3032	ConsoleAct_x64.exe
3032	ConsoleAct_x64.exe
3032	ConsoleAct_x64.exe
3032	ConsoleAct_x64.exe
3032	ConsoleAct_x64.exe
3032	ConsoleAct_x64.exe
3032	ConsoleAct_x64.exe
3032	ConsoleAct_x64.exe
3032	ConsoleAct_x64.exe
3032	ConsoleAct_x64.exe
3032	ConsoleAct_x64.exe
3032	ConsoleAct_x64.exe
3032	ConsoleAct_x64.exe
3032	ConsoleAct_x64.exe
3032	ConsoleAct_x64.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	860	taskkill.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3032 wrote to memory of 2220	3032	ConsoleAct_x64.exe	31
PID 3032 wrote to memory of 2220	3032	ConsoleAct_x64.exe	31
PID 3032 wrote to memory of 2220	3032	ConsoleAct_x64.exe	31
PID 3032 wrote to memory of 2180	3032	ConsoleAct_x64.exe	32
PID 3032 wrote to memory of 2180	3032	ConsoleAct_x64.exe	32
PID 3032 wrote to memory of 2180	3032	ConsoleAct_x64.exe	32
PID 2180 wrote to memory of 1296	2180	cmd.exe	33
PID 2180 wrote to memory of 1296	2180	cmd.exe	33
PID 2180 wrote to memory of 1296	2180	cmd.exe	33
PID 3032 wrote to memory of 2748	3032	ConsoleAct_x64.exe	35
PID 3032 wrote to memory of 2748	3032	ConsoleAct_x64.exe	35
PID 3032 wrote to memory of 2748	3032	ConsoleAct_x64.exe	35
PID 3032 wrote to memory of 2840	3032	ConsoleAct_x64.exe	37
PID 3032 wrote to memory of 2840	3032	ConsoleAct_x64.exe	37
PID 3032 wrote to memory of 2840	3032	ConsoleAct_x64.exe	37
PID 2840 wrote to memory of 2836	2840	cmd.exe	38
PID 2840 wrote to memory of 2836	2840	cmd.exe	38
PID 2840 wrote to memory of 2836	2840	cmd.exe	38
PID 3032 wrote to memory of 2792	3032	ConsoleAct_x64.exe	39
PID 3032 wrote to memory of 2792	3032	ConsoleAct_x64.exe	39
PID 3032 wrote to memory of 2792	3032	ConsoleAct_x64.exe	39
PID 2792 wrote to memory of 2760	2792	cmd.exe	40
PID 2792 wrote to memory of 2760	2792	cmd.exe	40
PID 2792 wrote to memory of 2760	2792	cmd.exe	40
PID 3032 wrote to memory of 2728	3032	ConsoleAct_x64.exe	41
PID 3032 wrote to memory of 2728	3032	ConsoleAct_x64.exe	41
PID 3032 wrote to memory of 2728	3032	ConsoleAct_x64.exe	41
PID 2728 wrote to memory of 2736	2728	cmd.exe	42
PID 2728 wrote to memory of 2736	2728	cmd.exe	42
PID 2728 wrote to memory of 2736	2728	cmd.exe	42
PID 2736 wrote to memory of 2476	2736	net.exe	43
PID 2736 wrote to memory of 2476	2736	net.exe	43
PID 2736 wrote to memory of 2476	2736	net.exe	43
PID 3032 wrote to memory of 2984	3032	ConsoleAct_x64.exe	44
PID 3032 wrote to memory of 2984	3032	ConsoleAct_x64.exe	44
PID 3032 wrote to memory of 2984	3032	ConsoleAct_x64.exe	44
PID 2984 wrote to memory of 2880	2984	cmd.exe	45
PID 2984 wrote to memory of 2880	2984	cmd.exe	45
PID 2984 wrote to memory of 2880	2984	cmd.exe	45
PID 3032 wrote to memory of 2544	3032	ConsoleAct_x64.exe	47
PID 3032 wrote to memory of 2544	3032	ConsoleAct_x64.exe	47
PID 3032 wrote to memory of 2544	3032	ConsoleAct_x64.exe	47
PID 3032 wrote to memory of 2660	3032	ConsoleAct_x64.exe	48
PID 3032 wrote to memory of 2660	3032	ConsoleAct_x64.exe	48
PID 3032 wrote to memory of 2660	3032	ConsoleAct_x64.exe	48
PID 2660 wrote to memory of 2480	2660	cmd.exe	49
PID 2660 wrote to memory of 2480	2660	cmd.exe	49
PID 2660 wrote to memory of 2480	2660	cmd.exe	49
PID 3032 wrote to memory of 2772	3032	ConsoleAct_x64.exe	50
PID 3032 wrote to memory of 2772	3032	ConsoleAct_x64.exe	50
PID 3032 wrote to memory of 2772	3032	ConsoleAct_x64.exe	50
PID 2772 wrote to memory of 2616	2772	cmd.exe	51
PID 2772 wrote to memory of 2616	2772	cmd.exe	51
PID 2772 wrote to memory of 2616	2772	cmd.exe	51
PID 2616 wrote to memory of 2116	2616	net.exe	52
PID 2616 wrote to memory of 2116	2616	net.exe	52
PID 2616 wrote to memory of 2116	2616	net.exe	52
PID 3032 wrote to memory of 1244	3032	ConsoleAct_x64.exe	53
PID 3032 wrote to memory of 1244	3032	ConsoleAct_x64.exe	53
PID 3032 wrote to memory of 1244	3032	ConsoleAct_x64.exe	53
PID 1244 wrote to memory of 1168	1244	cmd.exe	54
PID 1244 wrote to memory of 1168	1244	cmd.exe	54
PID 1244 wrote to memory of 1168	1244	cmd.exe	54
PID 3032 wrote to memory of 1776	3032	ConsoleAct_x64.exe	55

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\ConsoleAct_x64.exe
"C:\Users\Admin\AppData\Local\Temp\ConsoleAct_x64.exe"
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3032
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c copy C:\Windows\System32\Tasks\ConsoleAct "C:\Users\Admin\AppData\Local\Temp\ConsoleAct.tmp" /Y 2>&1
  2⤵
  PID:2220
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c cscript.exe C:\Windows\System32\slmgr.vbs //NoLogo /dli 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2180
- - C:\Windows\System32\cscript.exe
    cscript.exe C:\Windows\System32\slmgr.vbs //NoLogo /dli
    3⤵
    PID:1296
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c copy C:\Windows\System32\Tasks\ConsoleAct "C:\Users\Admin\AppData\Local\Temp\ConsoleAct.tmp" /Y 2>&1
  2⤵
  PID:2748
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c REG QUERY HKLM\Software\Microsoft\Office /s /v Path /reg:64
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2840
- - C:\Windows\System32\reg.exe
    REG QUERY HKLM\Software\Microsoft\Office /s /v Path /reg:64
    3⤵
    - Modifies registry key
    PID:2836
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c REG QUERY HKLM\Software\WOW6432Node\Microsoft\Office /s /v Path
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2792
- - C:\Windows\System32\reg.exe
    REG QUERY HKLM\Software\WOW6432Node\Microsoft\Office /s /v Path
    3⤵
    - Modifies registry key
    PID:2760
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c net.exe start osppsvc 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2728
- - C:\Windows\System32\net.exe
    net.exe start osppsvc
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2736
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 start osppsvc
      4⤵
      PID:2476
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c cscript.exe "C:\Program Files (x86)\Microsoft Office\Office14\ospp.vbs" //NoLogo /dstatus 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2984
- - C:\Windows\System32\cscript.exe
    cscript.exe "C:\Program Files (x86)\Microsoft Office\Office14\ospp.vbs" //NoLogo /dstatus
    3⤵
    PID:2880
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c copy C:\Windows\System32\Tasks\ConsoleAct "C:\Users\Admin\AppData\Local\Temp\ConsoleAct.tmp" /Y 2>&1
  2⤵
  PID:2544
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c sc.exe stop sppsvc >nul 2>&1 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2660
- - C:\Windows\System32\sc.exe
    sc.exe stop sppsvc
    3⤵
    - Launches sc.exe
    PID:2480
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c net.exe stop sppsvc /y 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2772
- - C:\Windows\System32\net.exe
    net.exe stop sppsvc /y
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2616
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop sppsvc /y
      4⤵
      PID:2116
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c sc.exe stop osppsvc >nul 2>&1 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1244
- - C:\Windows\System32\sc.exe
    sc.exe stop osppsvc
    3⤵
    - Launches sc.exe
    PID:1168
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg.exe delete "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\CurrentVersion\Software Protection Platform" /v "NoGenTicket" /f 2>&1
  2⤵
  PID:1776
- - C:\Windows\System32\reg.exe
    reg.exe delete "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\CurrentVersion\Software Protection Platform" /v "NoGenTicket" /f
    3⤵
    PID:1496
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c schtasks.exe /delete /f /tn "\Microsoft\Windows\SoftwareProtectionPlatform\SvcTrigger" 2>&1
  2⤵
  PID:1280
- - C:\Windows\System32\schtasks.exe
    schtasks.exe /delete /f /tn "\Microsoft\Windows\SoftwareProtectionPlatform\SvcTrigger"
    3⤵
    PID:1480
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg.exe delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sppsvc.exe" /f /v Debugger 2>&1
  2⤵
  PID:1640
- - C:\Windows\System32\reg.exe
    reg.exe delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sppsvc.exe" /f /v Debugger
    3⤵
    PID:1864
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sppsvc.exe" /f /v "KMS_Emulation" /t REG_DWORD /d 1 2>&1
  2⤵
  PID:2364
- - C:\Windows\System32\reg.exe
    reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sppsvc.exe" /f /v "KMS_Emulation" /t REG_DWORD /d 1
    3⤵
    - Event Triggered Execution: Image File Execution Options Injection
    PID:1444
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sppsvc.exe" /f /v "GlobalFlag" /t REG_DWORD /d 256 2>&1
  2⤵
  PID:2000
- - C:\Windows\System32\reg.exe
    reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sppsvc.exe" /f /v "GlobalFlag" /t REG_DWORD /d 256
    3⤵
    - Event Triggered Execution: Image File Execution Options Injection
    PID:1940
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sppsvc.exe" /f /v "KMS_ActivationInterval" /t REG_DWORD /d 120 2>&1
  2⤵
  PID:1584
- - C:\Windows\System32\reg.exe
    reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sppsvc.exe" /f /v "KMS_ActivationInterval" /t REG_DWORD /d 120
    3⤵
    - Event Triggered Execution: Image File Execution Options Injection
    PID:2076
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sppsvc.exe" /f /v "KMS_RenewalInterval" /t REG_DWORD /d 10080 2>&1
  2⤵
  PID:2052
- - C:\Windows\System32\reg.exe
    reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sppsvc.exe" /f /v "KMS_RenewalInterval" /t REG_DWORD /d 10080
    3⤵
    - Event Triggered Execution: Image File Execution Options Injection
    PID:2332
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sppsvc.exe" /f /v "VerifierDlls" /t REG_SZ /d "SppExtComObjHook.dll" 2>&1
  2⤵
  PID:1476
- - C:\Windows\System32\reg.exe
    reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sppsvc.exe" /f /v "VerifierDlls" /t REG_SZ /d "SppExtComObjHook.dll"
    3⤵
    - Event Triggered Execution: Image File Execution Options Injection
    PID:2572
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg.exe delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osppsvc.exe" /f /v Debugger 2>&1
  2⤵
  PID:1320
- - C:\Windows\System32\reg.exe
    reg.exe delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osppsvc.exe" /f /v Debugger
    3⤵
    PID:1624
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osppsvc.exe" /f /v "KMS_Emulation" /t REG_DWORD /d 1 2>&1
  2⤵
  PID:1724
- - C:\Windows\System32\reg.exe
    reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osppsvc.exe" /f /v "KMS_Emulation" /t REG_DWORD /d 1
    3⤵
    - Event Triggered Execution: Image File Execution Options Injection
    PID:1360
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osppsvc.exe" /f /v "GlobalFlag" /t REG_DWORD /d 256 2>&1
  2⤵
  PID:1732
- - C:\Windows\System32\reg.exe
    reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osppsvc.exe" /f /v "GlobalFlag" /t REG_DWORD /d 256
    3⤵
    - Event Triggered Execution: Image File Execution Options Injection
    PID:1808
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osppsvc.exe" /f /v "KMS_ActivationInterval" /t REG_DWORD /d 120 2>&1
  2⤵
  PID:1872
- - C:\Windows\System32\reg.exe
    reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osppsvc.exe" /f /v "KMS_ActivationInterval" /t REG_DWORD /d 120
    3⤵
    - Event Triggered Execution: Image File Execution Options Injection
    PID:1788
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osppsvc.exe" /f /v "KMS_RenewalInterval" /t REG_DWORD /d 10080 2>&1
  2⤵
  PID:2576
- - C:\Windows\System32\reg.exe
    reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osppsvc.exe" /f /v "KMS_RenewalInterval" /t REG_DWORD /d 10080
    3⤵
    - Event Triggered Execution: Image File Execution Options Injection
    PID:1960
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osppsvc.exe" /f /v "VerifierDlls" /t REG_SZ /d "SppExtComObjHook.dll" 2>&1
  2⤵
  PID:1916
- - C:\Windows\System32\reg.exe
    reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osppsvc.exe" /f /v "VerifierDlls" /t REG_SZ /d "SppExtComObjHook.dll"
    3⤵
    - Event Triggered Execution: Image File Execution Options Injection
    PID:1920
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg.exe add "HKLM\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform" /f /v "KeyManagementServiceName" /t REG_SZ /d 10.3.0.20 2>&1
  2⤵
  PID:1992
- - C:\Windows\System32\reg.exe
    reg.exe add "HKLM\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform" /f /v "KeyManagementServiceName" /t REG_SZ /d 10.3.0.20
    3⤵
    PID:1988
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg.exe add "HKLM\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform" /f /v "KeyManagementServicePort" /t REG_SZ /d 1688 2>&1
  2⤵
  PID:1040
- - C:\Windows\System32\reg.exe
    reg.exe add "HKLM\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform" /f /v "KeyManagementServicePort" /t REG_SZ /d 1688
    3⤵
    PID:548
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c Netsh.exe Advfirewall Firewall add rule name=0pen_Port_KMS dir=in action=allow protocol=TCP localport=1688 2>&1
  2⤵
  PID:784
- - C:\Windows\System32\netsh.exe
    Netsh.exe Advfirewall Firewall add rule name=0pen_Port_KMS dir=in action=allow protocol=TCP localport=1688
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    PID:2704
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" DELETE "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\55c92734-d682-4d71-983e-d6ec3f16059f" /f /reg:64
  2⤵
  PID:1688
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c cscript.exe C:\Windows\System32\slmgr.vbs //NoLogo /sdns 2>&1
  2⤵
  PID:3044
- - C:\Windows\System32\cscript.exe
    cscript.exe C:\Windows\System32\slmgr.vbs //NoLogo /sdns
    3⤵
    PID:2964
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c cscript.exe C:\Windows\System32\slmgr.vbs //NoLogo /act-type 0 2>&1
  2⤵
  PID:1240
- - C:\Windows\System32\cscript.exe
    cscript.exe C:\Windows\System32\slmgr.vbs //NoLogo /act-type 0
    3⤵
    PID:1388
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c cscript.exe C:\Windows\System32\slmgr.vbs //NoLogo /ckms 2>&1
  2⤵
  PID:1100
- - C:\Windows\System32\cscript.exe
    cscript.exe C:\Windows\System32\slmgr.vbs //NoLogo /ckms
    3⤵
    PID:1220
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c cscript.exe C:\Windows\System32\slmgr.vbs //NoLogo /ckms-domain 2>&1
  2⤵
  PID:2020
- - C:\Windows\System32\cscript.exe
    cscript.exe C:\Windows\System32\slmgr.vbs //NoLogo /ckms-domain
    3⤵
    PID:952
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" DELETE "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\55c92734-d682-4d71-983e-d6ec3f16059f" /f /reg:64
  2⤵
  PID:2144
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c cscript.exe C:\Windows\System32\slmgr.vbs //NoLogo /skms 10.3.0.20:1688 2>&1
  2⤵
  PID:2112
- - C:\Windows\System32\cscript.exe
    cscript.exe C:\Windows\System32\slmgr.vbs //NoLogo /skms 10.3.0.20:1688
    3⤵
    PID:2304
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c cscript.exe C:\Windows\System32\slmgr.vbs //NoLogo /ato 2>&1
  2⤵
  PID:760
- - C:\Windows\System32\cscript.exe
    cscript.exe C:\Windows\System32\slmgr.vbs //NoLogo /ato
    3⤵
    PID:956
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg.exe delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sppsvc.exe" /f /v "Debugger" 2>&1
  2⤵
  PID:2904
- - C:\Windows\System32\reg.exe
    reg.exe delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sppsvc.exe" /f /v "Debugger"
    3⤵
    PID:2164
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg.exe delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sppsvc.exe" /f /v "KMS_Emulation" 2>&1
  2⤵
  PID:3020
- - C:\Windows\System32\reg.exe
    reg.exe delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sppsvc.exe" /f /v "KMS_Emulation"
    3⤵
    PID:2496
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg.exe delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sppsvc.exe" /f 2>&1
  2⤵
  PID:2564
- - C:\Windows\System32\reg.exe
    reg.exe delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sppsvc.exe" /f
    3⤵
    - Event Triggered Execution: Image File Execution Options Injection
    PID:2336
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg.exe delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osppsvc.exe" /f /v "Debugger" 2>&1
  2⤵
  PID:3024
- - C:\Windows\System32\reg.exe
    reg.exe delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osppsvc.exe" /f /v "Debugger"
    3⤵
    PID:1764
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg.exe delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osppsvc.exe" /f /v "KMS_Emulation" 2>&1
  2⤵
  PID:2512
- - C:\Windows\System32\reg.exe
    reg.exe delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osppsvc.exe" /f /v "KMS_Emulation"
    3⤵
    PID:616
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg.exe delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osppsvc.exe" /f 2>&1
  2⤵
  PID:1396
- - C:\Windows\System32\reg.exe
    reg.exe delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osppsvc.exe" /f
    3⤵
    - Event Triggered Execution: Image File Execution Options Injection
    PID:1980
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c Netsh.exe Advfirewall Firewall delete rule name=0pen_Port_KMS protocol=TCP 2>&1
  2⤵
  PID:236
- - C:\Windows\System32\netsh.exe
    Netsh.exe Advfirewall Firewall delete rule name=0pen_Port_KMS protocol=TCP
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    PID:2252
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c cscript.exe C:\Windows\System32\slmgr.vbs //NoLogo /upk XXXXX 2>&1
  2⤵
  PID:1500
- - C:\Windows\System32\cscript.exe
    cscript.exe C:\Windows\System32\slmgr.vbs //NoLogo /upk XXXXX
    3⤵
    PID:320
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c cscript.exe C:\Windows\System32\slmgr.vbs //NoLogo /dlv All 2>&1
  2⤵
  PID:1948
- - C:\Windows\System32\cscript.exe
    cscript.exe C:\Windows\System32\slmgr.vbs //NoLogo /dlv All
    3⤵
    PID:3036
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c copy C:\Windows\System32\Tasks\ConsoleAct "C:\Users\Admin\AppData\Local\Temp\ConsoleAct.tmp" /Y 2>&1
  2⤵
  PID:2220
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ipconfig.exe /flushdns 2>&1
  2⤵
  PID:2416
- - C:\Windows\System32\ipconfig.exe
    ipconfig.exe /flushdns
    3⤵
    - Gathers network information
    PID:2412
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" DELETE "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\0ff1ce15-a989-479d-af46-f275c6370663" /f /reg:64
  2⤵
  PID:2068
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c cscript.exe "C:\Program Files (x86)\Microsoft Office\Office14\ospp.vbs" //NoLogo /sethst:10.3.0.20 2>&1
  2⤵
  PID:2732
- - C:\Windows\System32\cscript.exe
    cscript.exe "C:\Program Files (x86)\Microsoft Office\Office14\ospp.vbs" //NoLogo /sethst:10.3.0.20
    3⤵
    PID:3000
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c cscript.exe "C:\Program Files (x86)\Microsoft Office\Office14\ospp.vbs" //NoLogo /setprt:1688 2>&1
  2⤵
  PID:2764
- - C:\Windows\System32\cscript.exe
    cscript.exe "C:\Program Files (x86)\Microsoft Office\Office14\ospp.vbs" //NoLogo /setprt:1688
    3⤵
    PID:2624
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c cscript.exe C:\Windows\System32\slmgr.vbs //NoLogo /skms 10.3.0.20:1688 2>&1
  2⤵
  PID:2480
- - C:\Windows\System32\cscript.exe
    cscript.exe C:\Windows\System32\slmgr.vbs //NoLogo /skms 10.3.0.20:1688
    3⤵
    PID:2660
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c sc.exe stop sppsvc >nul 2>&1 2>&1
  2⤵
  PID:1632
- - C:\Windows\System32\sc.exe
    sc.exe stop sppsvc
    3⤵
    - Launches sc.exe
    PID:1588
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c net.exe stop sppsvc /y 2>&1
  2⤵
  PID:536
- - C:\Windows\System32\net.exe
    net.exe stop sppsvc /y
    3⤵
    PID:1596
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop sppsvc /y
      4⤵
      PID:1168
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c sc.exe stop osppsvc >nul 2>&1 2>&1
  2⤵
  PID:1976
- - C:\Windows\System32\sc.exe
    sc.exe stop osppsvc
    3⤵
    - Launches sc.exe
    PID:1684
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c net.exe stop sppsvc /y 2>&1
  2⤵
  PID:2324
- - C:\Windows\System32\net.exe
    net.exe stop sppsvc /y
    3⤵
    PID:380
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop sppsvc /y
      4⤵
      PID:1244
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c taskkill.exe /t /f /IM sppsvc.exe 2>&1
  2⤵
  PID:1096
- - C:\Windows\System32\taskkill.exe
    taskkill.exe /t /f /IM sppsvc.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:860
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg.exe delete "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\CurrentVersion\Software Protection Platform" /v "NoGenTicket" /f 2>&1
  2⤵
  PID:1640
- - C:\Windows\System32\reg.exe
    reg.exe delete "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\CurrentVersion\Software Protection Platform" /v "NoGenTicket" /f
    3⤵
    PID:1936
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c schtasks.exe /delete /f /tn "\Microsoft\Windows\SoftwareProtectionPlatform\SvcTrigger" 2>&1
  2⤵
  PID:2364
- - C:\Windows\System32\schtasks.exe
    schtasks.exe /delete /f /tn "\Microsoft\Windows\SoftwareProtectionPlatform\SvcTrigger"
    3⤵
    PID:1256
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg.exe delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sppsvc.exe" /f /v Debugger 2>&1
  2⤵
  PID:1940
- - C:\Windows\System32\reg.exe
    reg.exe delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sppsvc.exe" /f /v Debugger
    3⤵
    PID:1952
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sppsvc.exe" /f /v "KMS_Emulation" /t REG_DWORD /d 1 2>&1
  2⤵
  PID:2076
- - C:\Windows\System32\reg.exe
    reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sppsvc.exe" /f /v "KMS_Emulation" /t REG_DWORD /d 1
    3⤵
    - Event Triggered Execution: Image File Execution Options Injection
    PID:2328
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sppsvc.exe" /f /v "GlobalFlag" /t REG_DWORD /d 256 2>&1
  2⤵
  PID:2332
- - C:\Windows\System32\reg.exe
    reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sppsvc.exe" /f /v "GlobalFlag" /t REG_DWORD /d 256
    3⤵
    - Event Triggered Execution: Image File Execution Options Injection
    PID:2012
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sppsvc.exe" /f /v "KMS_ActivationInterval" /t REG_DWORD /d 120 2>&1
  2⤵
  PID:2572
- - C:\Windows\System32\reg.exe
    reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sppsvc.exe" /f /v "KMS_ActivationInterval" /t REG_DWORD /d 120
    3⤵
    - Event Triggered Execution: Image File Execution Options Injection
    PID:1664
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sppsvc.exe" /f /v "KMS_RenewalInterval" /t REG_DWORD /d 10080 2>&1
  2⤵
  PID:1624
- - C:\Windows\System32\reg.exe
    reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sppsvc.exe" /f /v "KMS_RenewalInterval" /t REG_DWORD /d 10080
    3⤵
    - Event Triggered Execution: Image File Execution Options Injection
    PID:1984
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sppsvc.exe" /f /v "VerifierDlls" /t REG_SZ /d "SppExtComObjHook.dll" 2>&1
  2⤵
  PID:1360
- - C:\Windows\System32\reg.exe
    reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sppsvc.exe" /f /v "VerifierDlls" /t REG_SZ /d "SppExtComObjHook.dll"
    3⤵
    - Event Triggered Execution: Image File Execution Options Injection
    PID:2504
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg.exe delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osppsvc.exe" /f /v Debugger 2>&1
  2⤵
  PID:1808
- - C:\Windows\System32\reg.exe
    reg.exe delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osppsvc.exe" /f /v Debugger
    3⤵
    PID:1860
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osppsvc.exe" /f /v "KMS_Emulation" /t REG_DWORD /d 1 2>&1
  2⤵
  PID:1788
- - C:\Windows\System32\reg.exe
    reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osppsvc.exe" /f /v "KMS_Emulation" /t REG_DWORD /d 1
    3⤵
    - Event Triggered Execution: Image File Execution Options Injection
    PID:892
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osppsvc.exe" /f /v "GlobalFlag" /t REG_DWORD /d 256 2>&1
  2⤵
  PID:1960
- - C:\Windows\System32\reg.exe
    reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osppsvc.exe" /f /v "GlobalFlag" /t REG_DWORD /d 256
    3⤵
    - Event Triggered Execution: Image File Execution Options Injection
    PID:900
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osppsvc.exe" /f /v "KMS_ActivationInterval" /t REG_DWORD /d 120 2>&1
  2⤵
  PID:1920
- - C:\Windows\System32\reg.exe
    reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osppsvc.exe" /f /v "KMS_ActivationInterval" /t REG_DWORD /d 120
    3⤵
    - Event Triggered Execution: Image File Execution Options Injection
    PID:1820
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osppsvc.exe" /f /v "KMS_RenewalInterval" /t REG_DWORD /d 10080 2>&1
  2⤵
  PID:1988
- - C:\Windows\System32\reg.exe
    reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osppsvc.exe" /f /v "KMS_RenewalInterval" /t REG_DWORD /d 10080
    3⤵
    - Event Triggered Execution: Image File Execution Options Injection
    PID:1756
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osppsvc.exe" /f /v "VerifierDlls" /t REG_SZ /d "SppExtComObjHook.dll" 2>&1
  2⤵
  PID:548
- - C:\Windows\System32\reg.exe
    reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osppsvc.exe" /f /v "VerifierDlls" /t REG_SZ /d "SppExtComObjHook.dll"
    3⤵
    - Event Triggered Execution: Image File Execution Options Injection
    PID:1856
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg.exe add "HKLM\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform" /f /v "KeyManagementServiceName" /t REG_SZ /d 10.3.0.20 2>&1
  2⤵
  PID:2672
- - C:\Windows\System32\reg.exe
    reg.exe add "HKLM\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform" /f /v "KeyManagementServiceName" /t REG_SZ /d 10.3.0.20
    3⤵
    PID:2928
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg.exe add "HKLM\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform" /f /v "KeyManagementServicePort" /t REG_SZ /d 1688 2>&1
  2⤵
  PID:1768
- - C:\Windows\System32\reg.exe
    reg.exe add "HKLM\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform" /f /v "KeyManagementServicePort" /t REG_SZ /d 1688
    3⤵
    PID:2704
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c Netsh.exe Advfirewall Firewall add rule name=0pen_Port_KMS dir=in action=allow protocol=TCP localport=1688 2>&1
  2⤵
  PID:2912
- - C:\Windows\System32\netsh.exe
    Netsh.exe Advfirewall Firewall add rule name=0pen_Port_KMS dir=in action=allow protocol=TCP localport=1688
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    PID:1688
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c cscript.exe "C:\Program Files (x86)\Microsoft Office\Office14\ospp.vbs" //NoLogo /act 2>&1
  2⤵
  PID:2432
- - C:\Windows\System32\cscript.exe
    cscript.exe "C:\Program Files (x86)\Microsoft Office\Office14\ospp.vbs" //NoLogo /act
    3⤵
    PID:2924
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg.exe delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sppsvc.exe" /f /v "Debugger" 2>&1
  2⤵
  PID:2488
- - C:\Windows\System32\reg.exe
    reg.exe delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sppsvc.exe" /f /v "Debugger"
    3⤵
    PID:1728
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg.exe delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sppsvc.exe" /f /v "KMS_Emulation" 2>&1
  2⤵
  PID:2896
- - C:\Windows\System32\reg.exe
    reg.exe delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sppsvc.exe" /f /v "KMS_Emulation"
    3⤵
    PID:300
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg.exe delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sppsvc.exe" /f 2>&1
  2⤵
  PID:1100
- - C:\Windows\System32\reg.exe
    reg.exe delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sppsvc.exe" /f
    3⤵
    - Event Triggered Execution: Image File Execution Options Injection
    PID:1628
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg.exe delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osppsvc.exe" /f /v "Debugger" 2>&1
  2⤵
  PID:2168
- - C:\Windows\System32\reg.exe
    reg.exe delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osppsvc.exe" /f /v "Debugger"
    3⤵
    PID:1328
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg.exe delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osppsvc.exe" /f /v "KMS_Emulation" 2>&1
  2⤵
  PID:980
- - C:\Windows\System32\reg.exe
    reg.exe delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osppsvc.exe" /f /v "KMS_Emulation"
    3⤵
    PID:1868
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg.exe delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osppsvc.exe" /f 2>&1
  2⤵
  PID:1604
- - C:\Windows\System32\reg.exe
    reg.exe delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osppsvc.exe" /f
    3⤵
    - Event Triggered Execution: Image File Execution Options Injection
    PID:952
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c Netsh.exe Advfirewall Firewall delete rule name=0pen_Port_KMS protocol=TCP 2>&1
  2⤵
  PID:872
- - C:\Windows\System32\netsh.exe
    Netsh.exe Advfirewall Firewall delete rule name=0pen_Port_KMS protocol=TCP
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    PID:2144
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c copy C:\Windows\System32\Tasks\ConsoleAct "C:\Users\Admin\AppData\Local\Temp\ConsoleAct.tmp" /Y 2>&1
  2⤵
  PID:1308
- C:\Windows\system32\cmd.exe
  "cmd.exe" /c cls
  2⤵
  PID:1744
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c copy C:\Windows\System32\Tasks\ConsoleAct "C:\Users\Admin\AppData\Local\Temp\ConsoleAct.tmp" /Y 2>&1
  2⤵
  PID:2112
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c copy C:\Windows\System32\Tasks\ConsoleAct "C:\Users\Admin\AppData\Local\Temp\ConsoleAct.tmp" /Y 2>&1
  2⤵
  PID:1576
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c copy C:\Windows\System32\Tasks\ConsoleAct "C:\Users\Admin\AppData\Local\Temp\ConsoleAct.tmp" /Y 2>&1
  2⤵
  PID:2692
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c schtasks.exe /create /TN ConsoleAct /XML C:\Windows\ConsoleAct.xml 2>&1
  2⤵
  PID:1544
- - C:\Windows\system32\schtasks.exe
    schtasks.exe /create /TN ConsoleAct /XML C:\Windows\ConsoleAct.xml
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:760
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c copy C:\Windows\System32\Tasks\ConsoleAct "C:\Users\Admin\AppData\Local\Temp\ConsoleAct.tmp" /Y 2>&1
  2⤵
  PID:1056
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c copy C:\Windows\System32\Tasks\ConsoleAct "C:\Users\Admin\AppData\Local\Temp\ConsoleAct.tmp" /Y 2>&1
  2⤵
  PID:2284
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c copy C:\Windows\System32\Tasks\ConsoleAct "C:\Users\Admin\AppData\Local\Temp\ConsoleAct.tmp" /Y 2>&1
  2⤵
  PID:2336
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c schtasks.exe /end /TN ConsoleAct 2>&1
  2⤵
  PID:2444
- - C:\Windows\system32\schtasks.exe
    schtasks.exe /end /TN ConsoleAct
    3⤵
    PID:2512
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c schtasks.exe /delete /TN ConsoleAct /F 2>&1
  2⤵
  PID:2032
- - C:\Windows\system32\schtasks.exe
    schtasks.exe /delete /TN ConsoleAct /F
    3⤵
    PID:1980
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c schtasks.exe /create /TN ConsoleAct /XML C:\Windows\ConsoleAct.xml 2>&1
  2⤵
  PID:1812
- - C:\Windows\system32\schtasks.exe
    schtasks.exe /create /TN ConsoleAct /XML C:\Windows\ConsoleAct.xml
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1956
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c copy C:\Windows\System32\Tasks\ConsoleAct "C:\Users\Admin\AppData\Local\Temp\ConsoleAct.tmp" /Y 2>&1
  2⤵
  PID:1524
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c copy C:\Windows\System32\Tasks\ConsoleAct "C:\Users\Admin\AppData\Local\Temp\ConsoleAct.tmp" /Y 2>&1
  2⤵
  PID:1000
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c copy C:\Windows\System32\Tasks\ConsoleAct "C:\Users\Admin\AppData\Local\Temp\ConsoleAct.tmp" /Y 2>&1
  2⤵
  PID:2708
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c schtasks.exe /end /TN ConsoleAct 2>&1
  2⤵
  PID:1580
- - C:\Windows\system32\schtasks.exe
    schtasks.exe /end /TN ConsoleAct
    3⤵
    PID:2204
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c schtasks.exe /delete /TN ConsoleAct /F 2>&1
  2⤵
  PID:776
- - C:\Windows\system32\schtasks.exe
    schtasks.exe /delete /TN ConsoleAct /F
    3⤵
    PID:3036
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c schtasks.exe /create /TN ConsoleAct /XML C:\Windows\ConsoleAct.xml 2>&1
  2⤵
  PID:2068
- - C:\Windows\system32\schtasks.exe
    schtasks.exe /create /TN ConsoleAct /XML C:\Windows\ConsoleAct.xml
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2184
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c copy C:\Windows\System32\Tasks\ConsoleAct "C:\Users\Admin\AppData\Local\Temp\ConsoleAct.tmp" /Y 2>&1
  2⤵
  PID:2752
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c copy C:\Windows\System32\Tasks\ConsoleAct "C:\Users\Admin\AppData\Local\Temp\ConsoleAct.tmp" /Y 2>&1
  2⤵
  PID:2792
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c copy C:\Windows\System32\Tasks\ConsoleAct "C:\Users\Admin\AppData\Local\Temp\ConsoleAct.tmp" /Y 2>&1
  2⤵
  PID:2720
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c copy C:\Windows\System32\Tasks\ConsoleAct "C:\Users\Admin\AppData\Local\Temp\ConsoleAct.tmp" /Y 2>&1
  2⤵
  PID:2880

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Image File Execution Options Injection

T1546.012

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Image File Execution Options Injection

T1546.012

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ConsoleAct.tmp

Filesize
3KB

MD5
5799c5aa4a47e545986487a8b61413f5

SHA1
f818a452430611f300de753ee7cb954d96134463

SHA256
926e5f0dafc5089c97b2d639ab9d9666fec6bbe614bde4b7fbda6eb777be0936

SHA512
527becbbe55bca3bcda28a383f7520be5b2e71f2a331ba50099eed136dc85e3f0d96ce5f16647e32bfec9251494559c4d7c3ecf2c7bb6ecdebd51d976ce919c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\ConsoleAct.tmp

Filesize
3KB

MD5
9aaf53de44670be85732d08f994117b3

SHA1
33bc9ce41e870cfc9e0dfeb5ed5d9526116386de

SHA256
d5e992fabb2451139a87f116050c8f8d40db2ec0851ff1116eca0418ff3a04e0

SHA512
d31139161e43cd3b0706022c1563004f7f5107d61f7ab13ee6d796ce771aea402968d023ae2c8eab14f3b5c574b17a28bb6285e78251e256075115a3bc112300

Download Submit
C:\Windows\ConsoleAct.xml

Filesize
3KB

MD5
96f9c19a791ea12f5dbcfb24db539184

SHA1
1499be72b074be10f06665029bd88dd4aba7b464

SHA256
a6905e30eec5f19b9138489e15f26f8a6984f5298daddbb081b3760da734eeb6

SHA512
9e832bc54cd9bdcd07ebd6b23794dd02417654741075eceaa9e7e097d75f7686cf493fbcb483c993795e41fe10fc56fc21ed28b7a4e62d7c868892a6188b465c

Download Submit
C:\Windows\ConsoleAct.xml

Filesize
3KB

MD5
1341fcd1f2e3e7668147518da226689c

SHA1
4283c16cbc90a2af9643ac2ee032f5bb30b71373

SHA256
36915ca46f002c06687c9b7a5dfcbe0481691b61ed7bddd67db776b7497674a6

SHA512
17a4c12fc5fc547c06dd79460bace9d7bddfd69a37e69f89e5619422e7d93946faf00d9e952ed5ff3cd34af7df6089d866cda720c89caaad3dd80cda62fd25da

Download Submit
C:\Windows\ConsoleAct.xml

Filesize
3KB

MD5
8b7dc1a18dea232882170fa6dec65304

SHA1
6409fa6589f57ddfb8bc6650326f5873be3bac1b

SHA256
c1cc26b90b7d06c0b227236b984149d7b02a44dfdce595535e8101a8bf2fe9d6

SHA512
66d91b7e44bbc1d16fc4d5576c28fa8d75552e03b89cb7df71499da876c1df64ffba03598c5d00bbf5b307e62d2e94348b16fe1096c876f884c2d61044bded69

Download Submit
\Users\Admin\AppData\Local\Temp\ConsoleAct_x64.exe

Filesize
1.0MB

MD5
8101ffc7c364c9d4d6810c9cbe5b3e43

SHA1
fa266f7cc07d7b51fb1d5a86c73cecf204f28912

SHA256
5665306da70d8314c1075753e62ccc4163722bc1dd01d6e440f8268e624764bf

SHA512
9731b223ef1f02a7bb01afe13c985038517838166e1b90fc88aafa23aaf3e3fdb5a64229a0c5a8960608047f93b4afca0a6c10ad64f635104f01929e996520c7

Download Submit
\Windows\System32\SppExtComObjHook.dll

Filesize
18KB

MD5
95f143ec661a5da85c3c8199d9fe06e7

SHA1
94ee8c5856dc0570a8f12cd08ecb0560f3a61908

SHA256
f239c27b50cef792fea5b34378fbac83bcc06b8442d508bd9add7ddf8ca5c632

SHA512
0fe0304f4fd4810a6aab5f35410b195c44302332c721ebfdb1c87e3081ec98a9ea9ec796bb135883ddf2906d82db51d29e34017c989f4f8ad4e17bbb1b00781e

Download Submit
memory/3032-3-0x0000000140000000-0x000000014023F000-memory.dmp

Filesize
2.2MB

Download
memory/3032-17-0x0000000140000000-0x000000014023F000-memory.dmp

Filesize
2.2MB

Download
memory/3032-16-0x0000000140000000-0x000000014023F000-memory.dmp

Filesize
2.2MB

Download
memory/3032-11-0x0000000140000000-0x000000014023F000-memory.dmp

Filesize
2.2MB

Download
memory/3032-6-0x0000000140000000-0x000000014023F000-memory.dmp

Filesize
2.2MB

Download
memory/3032-2-0x0000000140000000-0x000000014023F000-memory.dmp

Filesize
2.2MB

Download
memory/3032-0-0x0000000140000000-0x000000014023F000-memory.dmp

Filesize
2.2MB

Download
memory/3032-79-0x0000000140000000-0x000000014023F000-memory.dmp

Filesize
2.2MB

Download