b80707de08a518394cd343afbd506ffeee25db34b4068f7970f4d2eea3dfdbdc

Analysis

max time kernel
136s
max time network
134s
platform
windows7_x64
resource
win7-20240419-en
resource tags

arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system
submitted
15/05/2024, 04:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

KMS_VL_ALL_AIO.cmd
Size

285KB
MD5

90d94ab45d1c4acd9377e73e46c4bca8
SHA1

b0704a3e7f0ebe7468b5c2aa8e295d40c50f8804
SHA256

b80707de08a518394cd343afbd506ffeee25db34b4068f7970f4d2eea3dfdbdc
SHA512

d0fb6bb8a7648cf522bfbe57661a82fd4cfa99d32d195642a7a1debb3692cbadbafe731a2faad188aab5fcc85042c3715246cb50112aad15964d2a9fd94a6424
SSDEEP

6144:s0J1JzFmmp3GxGDTSuhMCcT5pw9rIjEUqbj8HmYfu8Ux:vJ1Jzbp3RhMNT5pmUjE/j8GMuP

Score

8^/10

persistence

Malware Config

Signatures

Sets file execution options in registry 2 TTPs 40 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osppsvc.exe\VerifierDlls = "SppExtComObjHook.dll"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osppsvc.exe\VerifierDebug = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.exe	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osppsvc.exe	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.exe\VerifierFlags = "2147483648"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.exe	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.exe\KMS_ActivationInterval = "120"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.exe\KMS_RenewalInterval = "10080"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osppsvc.exe\GlobalFlag = "256"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.exe	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.exe	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.exe\GlobalFlag = "256"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.exe\KMS_Emulation = "1"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.exe	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osppsvc.exe	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.exe	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.exe\KMS_RenewalInterval = "10080"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osppsvc.exe\VerifierFlags = "2147483648"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osppsvc.exe	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osppsvc.exe\KMS_RenewalInterval = "10080"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.exe\VerifierDebug = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osppsvc.exe	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osppsvc.exe\KMS_Emulation = "1"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osppsvc.exe	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.exe\VerifierDlls = "SppExtComObjHook.dll"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.exe	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.exe	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osppsvc.exe	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.exe	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sppsvc.exe\KMS_ActivationInterval = "120"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sppsvc.exe	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sppsvc.exe\KMS_RenewalInterval = "10080"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osppsvc.exe	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osppsvc.exe\KMS_RenewalInterval = "10080"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osppsvc.exe	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osppsvc.exe	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osppsvc.exe\KMS_ActivationInterval = "120"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sppsvc.exe	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.exe\KMS_ActivationInterval = "120"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osppsvc.exe\KMS_ActivationInterval = "120"	reg.exe

Loads dropped DLL 2 IoCs

pid	Process
2832	Process not Found
2388	Process not Found

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\System32\SppExtComObjHook.dll	powershell.exe

Launches sc.exe 14 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
1796	sc.exe
2452	sc.exe
768	sc.exe
2712	sc.exe
2288	sc.exe
1692	sc.exe
320	sc.exe
2540	sc.exe
2752	sc.exe
2376	sc.exe
1980	sc.exe
844	sc.exe
1088	sc.exe
1880	sc.exe

Modifies registry key 1 TTPs 28 IoCs

Modify Registry

T1112

pid	Process
2660	reg.exe
2472	reg.exe
272	reg.exe
2696	reg.exe
2644	reg.exe
1772	reg.exe
2564	reg.exe
2528	reg.exe
1632	reg.exe
560	reg.exe
876	reg.exe
2872	reg.exe
1744	reg.exe
1264	reg.exe
2828	reg.exe
2164	reg.exe
2120	reg.exe
2444	reg.exe
1704	reg.exe
1504	reg.exe
872	reg.exe
2876	reg.exe
2280	reg.exe
608	reg.exe
2892	reg.exe
1984	reg.exe
2480	reg.exe
2040	reg.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
2672	powershell.exe
1032	powershell.exe
2488	powershell.exe
1048	powershell.exe
1708	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2388	WMIC.exe
Token: SeSecurityPrivilege	2388	WMIC.exe
Token: SeTakeOwnershipPrivilege	2388	WMIC.exe
Token: SeLoadDriverPrivilege	2388	WMIC.exe
Token: SeSystemProfilePrivilege	2388	WMIC.exe
Token: SeSystemtimePrivilege	2388	WMIC.exe
Token: SeProfSingleProcessPrivilege	2388	WMIC.exe
Token: SeIncBasePriorityPrivilege	2388	WMIC.exe
Token: SeCreatePagefilePrivilege	2388	WMIC.exe
Token: SeBackupPrivilege	2388	WMIC.exe
Token: SeRestorePrivilege	2388	WMIC.exe
Token: SeShutdownPrivilege	2388	WMIC.exe
Token: SeDebugPrivilege	2388	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2388	WMIC.exe
Token: SeRemoteShutdownPrivilege	2388	WMIC.exe
Token: SeUndockPrivilege	2388	WMIC.exe
Token: SeManageVolumePrivilege	2388	WMIC.exe
Token: 33	2388	WMIC.exe
Token: 34	2388	WMIC.exe
Token: 35	2388	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2388	WMIC.exe
Token: SeSecurityPrivilege	2388	WMIC.exe
Token: SeTakeOwnershipPrivilege	2388	WMIC.exe
Token: SeLoadDriverPrivilege	2388	WMIC.exe
Token: SeSystemProfilePrivilege	2388	WMIC.exe
Token: SeSystemtimePrivilege	2388	WMIC.exe
Token: SeProfSingleProcessPrivilege	2388	WMIC.exe
Token: SeIncBasePriorityPrivilege	2388	WMIC.exe
Token: SeCreatePagefilePrivilege	2388	WMIC.exe
Token: SeBackupPrivilege	2388	WMIC.exe
Token: SeRestorePrivilege	2388	WMIC.exe
Token: SeShutdownPrivilege	2388	WMIC.exe
Token: SeDebugPrivilege	2388	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2388	WMIC.exe
Token: SeRemoteShutdownPrivilege	2388	WMIC.exe
Token: SeUndockPrivilege	2388	WMIC.exe
Token: SeManageVolumePrivilege	2388	WMIC.exe
Token: 33	2388	WMIC.exe
Token: 34	2388	WMIC.exe
Token: 35	2388	WMIC.exe
Token: SeDebugPrivilege	2672	powershell.exe
Token: SeDebugPrivilege	1032	powershell.exe
Token: SeDebugPrivilege	2488	powershell.exe
Token: SeDebugPrivilege	1048	powershell.exe
Token: SeIncreaseQuotaPrivilege	880	WMIC.exe
Token: SeSecurityPrivilege	880	WMIC.exe
Token: SeTakeOwnershipPrivilege	880	WMIC.exe
Token: SeLoadDriverPrivilege	880	WMIC.exe
Token: SeSystemProfilePrivilege	880	WMIC.exe
Token: SeSystemtimePrivilege	880	WMIC.exe
Token: SeProfSingleProcessPrivilege	880	WMIC.exe
Token: SeIncBasePriorityPrivilege	880	WMIC.exe
Token: SeCreatePagefilePrivilege	880	WMIC.exe
Token: SeBackupPrivilege	880	WMIC.exe
Token: SeRestorePrivilege	880	WMIC.exe
Token: SeShutdownPrivilege	880	WMIC.exe
Token: SeDebugPrivilege	880	WMIC.exe
Token: SeSystemEnvironmentPrivilege	880	WMIC.exe
Token: SeRemoteShutdownPrivilege	880	WMIC.exe
Token: SeUndockPrivilege	880	WMIC.exe
Token: SeManageVolumePrivilege	880	WMIC.exe
Token: 33	880	WMIC.exe
Token: 34	880	WMIC.exe
Token: 35	880	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2888 wrote to memory of 2120	2888	cmd.exe	29
PID 2888 wrote to memory of 2120	2888	cmd.exe	29
PID 2888 wrote to memory of 2120	2888	cmd.exe	29
PID 2888 wrote to memory of 1720	2888	cmd.exe	30
PID 2888 wrote to memory of 1720	2888	cmd.exe	30
PID 2888 wrote to memory of 1720	2888	cmd.exe	30
PID 2888 wrote to memory of 2388	2888	cmd.exe	31
PID 2888 wrote to memory of 2388	2888	cmd.exe	31
PID 2888 wrote to memory of 2388	2888	cmd.exe	31
PID 2888 wrote to memory of 2344	2888	cmd.exe	32
PID 2888 wrote to memory of 2344	2888	cmd.exe	32
PID 2888 wrote to memory of 2344	2888	cmd.exe	32
PID 2888 wrote to memory of 2672	2888	cmd.exe	34
PID 2888 wrote to memory of 2672	2888	cmd.exe	34
PID 2888 wrote to memory of 2672	2888	cmd.exe	34
PID 2888 wrote to memory of 2724	2888	cmd.exe	35
PID 2888 wrote to memory of 2724	2888	cmd.exe	35
PID 2888 wrote to memory of 2724	2888	cmd.exe	35
PID 2888 wrote to memory of 2852	2888	cmd.exe	36
PID 2888 wrote to memory of 2852	2888	cmd.exe	36
PID 2888 wrote to memory of 2852	2888	cmd.exe	36
PID 2888 wrote to memory of 2868	2888	cmd.exe	37
PID 2888 wrote to memory of 2868	2888	cmd.exe	37
PID 2888 wrote to memory of 2868	2888	cmd.exe	37
PID 2868 wrote to memory of 2548	2868	cmd.exe	38
PID 2868 wrote to memory of 2548	2868	cmd.exe	38
PID 2868 wrote to memory of 2548	2868	cmd.exe	38
PID 2888 wrote to memory of 2552	2888	cmd.exe	39
PID 2888 wrote to memory of 2552	2888	cmd.exe	39
PID 2888 wrote to memory of 2552	2888	cmd.exe	39
PID 2888 wrote to memory of 2432	2888	cmd.exe	40
PID 2888 wrote to memory of 2432	2888	cmd.exe	40
PID 2888 wrote to memory of 2432	2888	cmd.exe	40
PID 2432 wrote to memory of 2816	2432	cmd.exe	41
PID 2432 wrote to memory of 2816	2432	cmd.exe	41
PID 2432 wrote to memory of 2816	2432	cmd.exe	41
PID 2888 wrote to memory of 2800	2888	cmd.exe	42
PID 2888 wrote to memory of 2800	2888	cmd.exe	42
PID 2888 wrote to memory of 2800	2888	cmd.exe	42
PID 2888 wrote to memory of 2636	2888	cmd.exe	43
PID 2888 wrote to memory of 2636	2888	cmd.exe	43
PID 2888 wrote to memory of 2636	2888	cmd.exe	43
PID 2888 wrote to memory of 2580	2888	cmd.exe	44
PID 2888 wrote to memory of 2580	2888	cmd.exe	44
PID 2888 wrote to memory of 2580	2888	cmd.exe	44
PID 2888 wrote to memory of 2524	2888	cmd.exe	45
PID 2888 wrote to memory of 2524	2888	cmd.exe	45
PID 2888 wrote to memory of 2524	2888	cmd.exe	45
PID 2888 wrote to memory of 2520	2888	cmd.exe	46
PID 2888 wrote to memory of 2520	2888	cmd.exe	46
PID 2888 wrote to memory of 2520	2888	cmd.exe	46
PID 2888 wrote to memory of 2540	2888	cmd.exe	47
PID 2888 wrote to memory of 2540	2888	cmd.exe	47
PID 2888 wrote to memory of 2540	2888	cmd.exe	47
PID 2888 wrote to memory of 2576	2888	cmd.exe	48
PID 2888 wrote to memory of 2576	2888	cmd.exe	48
PID 2888 wrote to memory of 2576	2888	cmd.exe	48
PID 2888 wrote to memory of 2596	2888	cmd.exe	49
PID 2888 wrote to memory of 2596	2888	cmd.exe	49
PID 2888 wrote to memory of 2596	2888	cmd.exe	49
PID 2888 wrote to memory of 2644	2888	cmd.exe	50
PID 2888 wrote to memory of 2644	2888	cmd.exe	50
PID 2888 wrote to memory of 2644	2888	cmd.exe	50
PID 2888 wrote to memory of 3032	2888	cmd.exe	51

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\KMS_VL_ALL_AIO.cmd"
1⤵
- Suspicious use of WriteProcessMemory
PID:2888
- C:\Windows\System32\reg.exe
  reg query HKLM\SYSTEM\CurrentControlSet\Services\WinMgmt /v Start
  2⤵
  - Modifies registry key
  PID:2120
- C:\Windows\System32\find.exe
  find /i "0x4"
  2⤵
  PID:1720
- C:\Windows\System32\Wbem\WMIC.exe
  wmic path Win32_ComputerSystem get CreationClassName /value
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2388
- C:\Windows\System32\find.exe
  find /i "ComputerSystem"
  2⤵
  PID:2344
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -nop -c $ExecutionContext.SessionState.LanguageMode
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2672
- C:\Windows\System32\find.exe
  find /i "Full"
  2⤵
  PID:2724
- C:\Windows\System32\reg.exe
  reg query HKU\S-1-5-19
  2⤵
  PID:2852
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /v Desktop
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2868
- - C:\Windows\System32\reg.exe
    reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /v Desktop
    3⤵
    PID:2548
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ver
  2⤵
  PID:2552
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v UBR 2>nul
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2432
- - C:\Windows\System32\reg.exe
    reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v UBR
    3⤵
    PID:2816
- C:\Windows\System32\reg.exe
  reg query "HKCU\SOFTWARE\Microsoft\Windows Script Host\Settings" /v Enabled
  2⤵
  PID:2800
- C:\Windows\System32\find.exe
  find /i "0x0"
  2⤵
  PID:2636
- C:\Windows\System32\reg.exe
  reg query "HKLM\SOFTWARE\Microsoft\Windows Script Host\Settings" /v Enabled
  2⤵
  PID:2580
- C:\Windows\System32\find.exe
  find /i "0x0"
  2⤵
  PID:2524
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c dir /b /ad C:\Windows\System32\spp\tokens\skus
  2⤵
  PID:2520
- C:\Windows\System32\sc.exe
  sc query osppsvc
  2⤵
  - Launches sc.exe
  PID:2540
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c dir /b /ad C:\Windows\System32\spp\tokens\channels
  2⤵
  PID:2576
- C:\Windows\System32\mode.com
  mode con cols=80 lines=34
  2⤵
  PID:2596
- C:\Windows\System32\reg.exe
  reg query HKCU\SOFTWARE\Microsoft\Office\16.0\Common\Licensing\LicensingNext /v MigrationToV5Done
  2⤵
  - Modifies registry key
  PID:2644
- C:\Windows\System32\find.exe
  find /i "0x1"
  2⤵
  PID:3032
- C:\Windows\System32\reg.exe
  reg query HKCU\SOFTWARE\Microsoft\Office\16.0\Common\Licensing\LicensingNext /v MigrationToV6Done
  2⤵
  - Modifies registry key
  PID:2444
- C:\Windows\System32\find.exe
  find /i "0x1"
  2⤵
  PID:2976
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "prompt $H&for %B in (1) do rem"
  2⤵
  PID:3068
- C:\Windows\System32\findstr.exe
  findstr /a:07 /f:`.txt "."
  2⤵
  PID:2128
- C:\Windows\System32\findstr.exe
  findstr /a:1F /f:`.txt "."
  2⤵
  PID:824
- C:\Windows\System32\choice.exe
  choice /c 1234567890EDRSVX /n /m "> Choose a menu option, or press 0 to Exit: "
  2⤵
  PID:2336
- C:\Windows\System32\mode.com
  mode con cols=100 lines=34
  2⤵
  PID:1840
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -nop -c "&{$W=$Host.UI.RawUI.WindowSize;$B=$Host.UI.RawUI.BufferSize;$W.Height=31;$B.Height=300;$Host.UI.RawUI.WindowSize=$W;$Host.UI.RawUI.BufferSize=$B;}"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1032
- C:\Windows\System32\sc.exe
  sc query sppsvc
  2⤵
  - Launches sc.exe
  PID:1980
- C:\Windows\System32\find.exe
  find /i "STOPPED"
  2⤵
  PID:1628
- C:\Windows\System32\net.exe
  net stop sppsvc /y
  2⤵
  PID:1940
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop sppsvc /y
    3⤵
    PID:1276
- C:\Windows\System32\sc.exe
  sc query sppsvc
  2⤵
  - Launches sc.exe
  PID:844
- C:\Windows\System32\find.exe
  find /i "STOPPED"
  2⤵
  PID:1936
- C:\Windows\System32\sc.exe
  sc query osppsvc
  2⤵
  - Launches sc.exe
  PID:2752
- C:\Windows\System32\find.exe
  find /i "STOPPED"
  2⤵
  PID:2764
- C:\Windows\System32\sc.exe
  sc query osppsvc
  2⤵
  - Launches sc.exe
  PID:2712
- C:\Windows\System32\find.exe
  find /i "STOPPED"
  2⤵
  PID:2776
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -nop -c "$d='C:\Windows\System32';$f=[IO.File]::ReadAllText('C:\Users\Admin\AppData\Local\Temp\KMS_VL_ALL_AIO.cmd') -split ':embdbin\:.*';iex ($f[1]);X 2"
  2⤵
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2488
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Windows\Temp\aa9mqq4a.cmdline"
    3⤵
    PID:1716
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Windows\Temp\RESDCD8.tmp" "c:\Windows\Temp\CSCDCD7.tmp"
      4⤵
      PID:1768
- C:\Windows\System32\reg.exe
  reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osppsvc.exe" /f /v Debugger
  2⤵
  PID:2612
- C:\Windows\System32\reg.exe
  reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osppsvc.exe" /f /v VerifierDlls /t REG_SZ /d "SppExtComObjHook.dll"
  2⤵
  - Sets file execution options in registry
  PID:1436
- C:\Windows\System32\reg.exe
  reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osppsvc.exe" /f /v VerifierDebug /t REG_DWORD /d 0x00000000
  2⤵
  - Sets file execution options in registry
  PID:2068
- C:\Windows\System32\reg.exe
  reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osppsvc.exe" /f /v VerifierFlags /t REG_DWORD /d 0x80000000
  2⤵
  - Sets file execution options in registry
  PID:2304
- C:\Windows\System32\reg.exe
  reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osppsvc.exe" /f /v GlobalFlag /t REG_DWORD /d 0x00000100
  2⤵
  - Sets file execution options in registry
  PID:2376
- C:\Windows\System32\reg.exe
  reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osppsvc.exe" /f /v KMS_Emulation /t REG_DWORD /d 1
  2⤵
  - Sets file execution options in registry
  PID:2368
- C:\Windows\System32\reg.exe
  reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osppsvc.exe" /f /v KMS_ActivationInterval /t REG_DWORD /d 120
  2⤵
  - Sets file execution options in registry
  PID:2928
- C:\Windows\System32\reg.exe
  reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osppsvc.exe" /f /v KMS_RenewalInterval /t REG_DWORD /d 10080
  2⤵
  - Sets file execution options in registry
  PID:2092
- C:\Windows\System32\reg.exe
  reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.exe" /f /v Debugger
  2⤵
  PID:1924
- C:\Windows\System32\reg.exe
  reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.exe" /f /v VerifierDlls /t REG_SZ /d "SppExtComObjHook.dll"
  2⤵
  - Sets file execution options in registry
  PID:380
- C:\Windows\System32\reg.exe
  reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.exe" /f /v VerifierDebug /t REG_DWORD /d 0x00000000
  2⤵
  - Sets file execution options in registry
  PID:668
- C:\Windows\System32\reg.exe
  reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.exe" /f /v VerifierFlags /t REG_DWORD /d 0x80000000
  2⤵
  - Sets file execution options in registry
  PID:484
- C:\Windows\System32\reg.exe
  reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.exe" /f /v GlobalFlag /t REG_DWORD /d 0x00000100
  2⤵
  - Sets file execution options in registry
  PID:768
- C:\Windows\System32\reg.exe
  reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.exe" /f /v KMS_Emulation /t REG_DWORD /d 1
  2⤵
  - Sets file execution options in registry
  PID:576
- C:\Windows\System32\reg.exe
  reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.exe" /f /v KMS_ActivationInterval /t REG_DWORD /d 120
  2⤵
  - Sets file execution options in registry
  PID:748
- C:\Windows\System32\reg.exe
  reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.exe" /f /v KMS_RenewalInterval /t REG_DWORD /d 10080
  2⤵
  - Sets file execution options in registry
  PID:764
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -nop -c "&{$W=$Host.UI.RawUI.WindowSize;$B=$Host.UI.RawUI.BufferSize;$W.Height=31;$B.Height=300;$Host.UI.RawUI.WindowSize=$W;$Host.UI.RawUI.BufferSize=$B;}"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1048
- C:\Windows\System32\sc.exe
  sc query sppsvc
  2⤵
  - Launches sc.exe
  PID:2288
- C:\Windows\System32\find.exe
  find /i "STOPPED"
  2⤵
  PID:1808
- C:\Windows\System32\sc.exe
  sc query sppsvc
  2⤵
  - Launches sc.exe
  PID:1088
- C:\Windows\System32\find.exe
  find /i "STOPPED"
  2⤵
  PID:2492
- C:\Windows\System32\sc.exe
  sc query osppsvc
  2⤵
  - Launches sc.exe
  PID:1880
- C:\Windows\System32\find.exe
  find /i "STOPPED"
  2⤵
  PID:2440
- C:\Windows\System32\sc.exe
  sc query osppsvc
  2⤵
  - Launches sc.exe
  PID:1692
- C:\Windows\System32\find.exe
  find /i "STOPPED"
  2⤵
  PID:1092
- C:\Windows\System32\reg.exe
  reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sppsvc.exe" /f /v KMS_ActivationInterval /t REG_DWORD /d 120
  2⤵
  - Sets file execution options in registry
  PID:2412
- C:\Windows\System32\reg.exe
  reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sppsvc.exe" /f /v KMS_RenewalInterval /t REG_DWORD /d 10080
  2⤵
  - Sets file execution options in registry
  PID:2468
- C:\Windows\System32\reg.exe
  reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.exe" /f /v KMS_ActivationInterval /t REG_DWORD /d 120
  2⤵
  - Sets file execution options in registry
  PID:1336
- C:\Windows\System32\reg.exe
  reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.exe" /f /v KMS_RenewalInterval /t REG_DWORD /d 10080
  2⤵
  - Sets file execution options in registry
  PID:2196
- C:\Windows\System32\reg.exe
  reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osppsvc.exe" /f /v KMS_ActivationInterval /t REG_DWORD /d 120
  2⤵
  - Sets file execution options in registry
  PID:2012
- C:\Windows\System32\reg.exe
  reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osppsvc.exe" /f /v KMS_RenewalInterval /t REG_DWORD /d 10080
  2⤵
  - Sets file execution options in registry
  PID:1532
- C:\Windows\System32\reg.exe
  reg add "HKLM\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform" /f /v KeyManagementServiceName /t REG_SZ /d "172.16.0.2"
  2⤵
  PID:1676
- C:\Windows\System32\reg.exe
  reg add "HKLM\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform" /f /v KeyManagementServicePort /t REG_SZ /d "1688"
  2⤵
  PID:1668
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages" /f "Microsoft-Windows-*Edition~31bf3856ad364e35" /k 2>nul | FIND /I "CurrentVersion"
  2⤵
  PID:1868
- - C:\Windows\System32\reg.exe
    REG QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages" /f "Microsoft-Windows-*Edition~31bf3856ad364e35" /k
    3⤵
    PID:1308
- - C:\Windows\System32\find.exe
    FIND /I "CurrentVersion"
    3⤵
    PID:2024
- C:\Windows\System32\reg.exe
  REG QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Microsoft-Windows-UltimateEdition~31bf3856ad364e35~amd64~~6.1.7601.17514" /v "CurrentState"
  2⤵
  PID:940
- C:\Windows\System32\find.exe
  FIND /I "0x70"
  2⤵
  PID:1384
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ECHO Microsoft-Windows-UltimateEdition~31bf3856ad364e35~amd64~~6.1.7601.17514
  2⤵
  PID:468
- C:\Windows\System32\net.exe
  net start sppsvc /y
  2⤵
  PID:1876
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 start sppsvc /y
    3⤵
    PID:1052
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic path SoftwareLicensingProduct where "ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f' AND PartialProductKey is not NULL" get LicenseFamily /value 2>nul
  2⤵
  PID:1976
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path SoftwareLicensingProduct where "ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f' AND PartialProductKey is not NULL" get LicenseFamily /value
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:880
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v ProductName 2>nul
  2⤵
  PID:2348
- - C:\Windows\System32\reg.exe
    reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v ProductName
    3⤵
    PID:1184
- C:\Windows\System32\reg.exe
  reg query HKLM\SOFTWARE\Microsoft\Office\ClickToRun /v InstallPath
  2⤵
  - Modifies registry key
  PID:2480
- C:\Windows\System32\reg.exe
  reg query HKLM\SOFTWARE\WOW6432Node\Microsoft\Office\ClickToRun /v InstallPath
  2⤵
  - Modifies registry key
  PID:2280
- C:\Windows\System32\reg.exe
  reg query HKLM\SOFTWARE\Microsoft\Office\15.0\ClickToRun /v InstallPath
  2⤵
  - Modifies registry key
  PID:2828
- C:\Windows\System32\reg.exe
  reg query HKLM\SOFTWARE\WOW6432Node\Microsoft\Office\14.0\CVH /f Click2run /k
  2⤵
  - Modifies registry key
  PID:2040
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "reg query HKLM\SOFTWARE\Microsoft\Office\14.0\Common\InstallRoot /v Path" 2>nul
  2⤵
  PID:1656
- - C:\Windows\System32\reg.exe
    reg query HKLM\SOFTWARE\Microsoft\Office\14.0\Common\InstallRoot /v Path
    3⤵
    - Modifies registry key
    PID:608
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "reg query HKLM\SOFTWARE\WOW6432Node\Microsoft\Office\14.0\Common\InstallRoot /v Path" 2>nul
  2⤵
  PID:2472
- - C:\Windows\System32\reg.exe
    reg query HKLM\SOFTWARE\WOW6432Node\Microsoft\Office\14.0\Common\InstallRoot /v Path
    3⤵
    - Modifies registry key
    PID:2164
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "reg query HKLM\SOFTWARE\Microsoft\Office\15.0\Common\InstallRoot /v Path" 2>nul
  2⤵
  PID:1504
- - C:\Windows\System32\reg.exe
    reg query HKLM\SOFTWARE\Microsoft\Office\15.0\Common\InstallRoot /v Path
    3⤵
    - Modifies registry key
    PID:1744
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "reg query HKLM\SOFTWARE\WOW6432Node\Microsoft\Office\15.0\Common\InstallRoot /v Path" 2>nul
  2⤵
  PID:876
- - C:\Windows\System32\reg.exe
    reg query HKLM\SOFTWARE\WOW6432Node\Microsoft\Office\15.0\Common\InstallRoot /v Path
    3⤵
    - Modifies registry key
    PID:1704
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "reg query HKLM\SOFTWARE\Microsoft\Office\16.0\Common\InstallRoot /v Path" 2>nul
  2⤵
  PID:872
- - C:\Windows\System32\reg.exe
    reg query HKLM\SOFTWARE\Microsoft\Office\16.0\Common\InstallRoot /v Path
    3⤵
    - Modifies registry key
    PID:1264
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "reg query HKLM\SOFTWARE\WOW6432Node\Microsoft\Office\16.0\Common\InstallRoot /v Path" 2>nul
  2⤵
  PID:2892
- - C:\Windows\System32\reg.exe
    reg query HKLM\SOFTWARE\WOW6432Node\Microsoft\Office\16.0\Common\InstallRoot /v Path
    3⤵
    - Modifies registry key
    PID:1772
- C:\Windows\System32\Wbem\WMIC.exe
  wmic path SoftwareLicensingProduct where "Description like '%KMSCLIENT%'" get Name /value
  2⤵
  PID:2936
- C:\Windows\System32\findstr.exe
  findstr /i Windows
  2⤵
  PID:2136
- C:\Windows\System32\net.exe
  net start osppsvc /y
  2⤵
  PID:1612
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 start osppsvc /y
    3⤵
    PID:2408
- C:\Windows\System32\Wbem\WMIC.exe
  wmic path OfficeSoftwareProtectionProduct where "Description like '%KMSCLIENT%' AND NOT Name like '%MondoR_KMS_Automation%'" get Name /value
  2⤵
  PID:2392
- C:\Windows\System32\find.exe
  find /i "Office 24" "C:\Windows\Temp\sppchk.txt"
  2⤵
  PID:2724
- C:\Windows\System32\find.exe
  find /i "Office 21" "C:\Windows\Temp\sppchk.txt"
  2⤵
  PID:2220
- C:\Windows\System32\find.exe
  find /i "Office 19" "C:\Windows\Temp\sppchk.txt"
  2⤵
  PID:2896
- C:\Windows\System32\find.exe
  find /i "Office 16" "C:\Windows\Temp\sppchk.txt"
  2⤵
  PID:2648
- C:\Windows\System32\find.exe
  find /i "Office 15" "C:\Windows\Temp\sppchk.txt"
  2⤵
  PID:2852
- C:\Windows\System32\find.exe
  find /i "Office 14" "C:\Windows\Temp\sppchk.txt"
  2⤵
  PID:2548
- C:\Windows\System32\Wbem\WMIC.exe
  wmic path OfficeSoftwareProtectionProduct where "ApplicationID='0ff1ce15-a989-479d-af46-f275c6370663' AND NOT Name like '%O365%'" get Name /value
  2⤵
  PID:2868
- C:\Windows\System32\find.exe
  find /i "R_Retail" "C:\Windows\Temp\sppchk.txt"
  2⤵
  PID:2636
- C:\Windows\System32\find.exe
  find /i "Office 21"
  2⤵
  PID:2580
- C:\Windows\System32\find.exe
  find /i "R_Retail" "C:\Windows\Temp\sppchk.txt"
  2⤵
  PID:2536
- C:\Windows\System32\find.exe
  find /i "Office 19"
  2⤵
  PID:2556
- C:\Windows\System32\find.exe
  find /i "R_Retail" "C:\Windows\Temp\sppchk.txt"
  2⤵
  PID:2540
- C:\Windows\System32\find.exe
  find /i "Office 16"
  2⤵
  PID:2576
- C:\Windows\System32\find.exe
  find /i "R_Retail" "C:\Windows\Temp\sppchk.txt"
  2⤵
  PID:2596
- C:\Windows\System32\find.exe
  find /i "Office 15"
  2⤵
  PID:2644
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic path OfficeSoftwareProtectionProduct where "LicenseFamily='OfficeVisioPrem-MAK'" get LicenseStatus /value 2>nul
  2⤵
  PID:3032
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path OfficeSoftwareProtectionProduct where "LicenseFamily='OfficeVisioPrem-MAK'" get LicenseStatus /value
    3⤵
    PID:2444
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic path OfficeSoftwareProtectionProduct where "LicenseFamily='OfficeVisioPro-MAK'" get LicenseStatus /value 2>nul
  2⤵
  PID:3000
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path OfficeSoftwareProtectionProduct where "LicenseFamily='OfficeVisioPro-MAK'" get LicenseStatus /value
    3⤵
    PID:2128
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic path OfficeSoftwareProtectionService get Version /value
  2⤵
  PID:2192
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path OfficeSoftwareProtectionService get Version /value
    3⤵
    PID:1244
- C:\Windows\System32\reg.exe
  reg add "HKLM\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform" /f /v KeyManagementServiceName /t REG_SZ /d "172.16.0.2"
  2⤵
  PID:1680
- C:\Windows\System32\reg.exe
  reg add "HKLM\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform" /f /v KeyManagementServicePort /t REG_SZ /d "1688"
  2⤵
  PID:2864
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic path OfficeSoftwareProtectionProduct where "Description like '%KMSCLIENT%'" get ID /value
  2⤵
  PID:2756
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path OfficeSoftwareProtectionProduct where "Description like '%KMSCLIENT%'" get ID /value
    3⤵
    PID:2624
- C:\Windows\System32\Wbem\WMIC.exe
  wmic path OfficeSoftwareProtectionProduct where "ID='6f327760-8c5c-417c-9b61-836a98287e0c'" get Name /value
  2⤵
  PID:1828
- C:\Windows\System32\find.exe
  find /i "Office 14" "C:\Windows\Temp\sppchk.txt"
  2⤵
  PID:1812
- C:\Windows\System32\find.exe
  find /i "Office 15" "C:\Windows\Temp\sppchk.txt"
  2⤵
  PID:1040
- C:\Windows\System32\find.exe
  find /i "Office 16" "C:\Windows\Temp\sppchk.txt"
  2⤵
  PID:1028
- C:\Windows\System32\find.exe
  find /i "Office 19" "C:\Windows\Temp\sppchk.txt"
  2⤵
  PID:1032
- C:\Windows\System32\find.exe
  find /i "Office 21" "C:\Windows\Temp\sppchk.txt"
  2⤵
  PID:2340
- C:\Windows\System32\find.exe
  find /i "Office 24" "C:\Windows\Temp\sppchk.txt"
  2⤵
  PID:1872
- C:\Windows\System32\Wbem\WMIC.exe
  wmic path OfficeSoftwareProtectionProduct where "PartialProductKey is not NULL" get ID /value
  2⤵
  PID:2224
- C:\Windows\System32\findstr.exe
  findstr /i "6f327760-8c5c-417c-9b61-836a98287e0c"
  2⤵
  PID:3036
- C:\Windows\System32\reg.exe
  reg delete "HKLM\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform\59a52881-a989-479d-af46-f275c6370663\6f327760-8c5c-417c-9b61-836a98287e0c" /f
  2⤵
  PID:1276
- C:\Windows\System32\reg.exe
  reg delete "HKLM\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform\0ff1ce15-a989-479d-af46-f275c6370663\6f327760-8c5c-417c-9b61-836a98287e0c" /f
  2⤵
  PID:1940
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic path OfficeSoftwareProtectionProduct where "ID='6f327760-8c5c-417c-9b61-836a98287e0c'" get Name /value
  2⤵
  PID:1432
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path OfficeSoftwareProtectionProduct where "ID='6f327760-8c5c-417c-9b61-836a98287e0c'" get Name /value
    3⤵
    PID:1952
- C:\Windows\System32\Wbem\WMIC.exe
  wmic path OfficeSoftwareProtectionProduct where ID='6f327760-8c5c-417c-9b61-836a98287e0c' call Activate
  2⤵
  PID:1288
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic path OfficeSoftwareProtectionProduct where "ID='6f327760-8c5c-417c-9b61-836a98287e0c'" get GracePeriodRemaining /value
  2⤵
  PID:2244
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path OfficeSoftwareProtectionProduct where "ID='6f327760-8c5c-417c-9b61-836a98287e0c'" get GracePeriodRemaining /value
    3⤵
    PID:2312
- C:\Windows\System32\reg.exe
  reg delete "HKLM\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform" /f /v DisableDnsPublishing
  2⤵
  PID:1960
- C:\Windows\System32\reg.exe
  reg delete "HKLM\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform" /f /v DisableKeyManagementServiceHostCaching
  2⤵
  PID:2108
- C:\Windows\System32\sc.exe
  sc query sppsvc
  2⤵
  - Launches sc.exe
  PID:1796
- C:\Windows\System32\find.exe
  find /i "STOPPED"
  2⤵
  PID:2060
- C:\Windows\System32\net.exe
  net stop sppsvc /y
  2⤵
  PID:572
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop sppsvc /y
    3⤵
    PID:2488
- C:\Windows\System32\sc.exe
  sc query sppsvc
  2⤵
  - Launches sc.exe
  PID:2452
- C:\Windows\System32\find.exe
  find /i "STOPPED"
  2⤵
  PID:2264
- C:\Windows\System32\sc.exe
  sc query osppsvc
  2⤵
  - Launches sc.exe
  PID:2376
- C:\Windows\System32\find.exe
  find /i "STOPPED"
  2⤵
  PID:2368
- C:\Windows\System32\net.exe
  net stop osppsvc /y
  2⤵
  PID:2056
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop osppsvc /y
    3⤵
    PID:1684
- C:\Windows\System32\sc.exe
  sc query osppsvc
  2⤵
  - Launches sc.exe
  PID:320
- C:\Windows\System32\find.exe
  find /i "STOPPED"
  2⤵
  PID:784
- C:\Windows\System32\sc.exe
  sc start sppsvc trigger=timer;sessionid=0
  2⤵
  - Launches sc.exe
  PID:768
- C:\Windows\System32\mode.com
  mode con cols=80 lines=34
  2⤵
  PID:2292
- C:\Windows\System32\reg.exe
  reg query HKCU\SOFTWARE\Microsoft\Office\16.0\Common\Licensing\LicensingNext /v MigrationToV5Done
  2⤵
  - Modifies registry key
  PID:1632
- C:\Windows\System32\find.exe
  find /i "0x1"
  2⤵
  PID:1636
- C:\Windows\System32\reg.exe
  reg query HKCU\SOFTWARE\Microsoft\Office\16.0\Common\Licensing\LicensingNext /v MigrationToV6Done
  2⤵
  - Modifies registry key
  PID:560
- C:\Windows\System32\find.exe
  find /i "0x1"
  2⤵
  PID:1864
- C:\Windows\System32\reg.exe
  reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sppsvc.exe" /v VerifierFlags
  2⤵
  PID:1048
- C:\Windows\System32\reg.exe
  reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osppsvc.exe" /v VerifierFlags
  2⤵
  PID:1044
- C:\Windows\System32\findstr.exe
  findstr /a:07 /f:`.txt "."
  2⤵
  PID:1808
- C:\Windows\System32\findstr.exe
  findstr /a:0A /f:`.txt "."
  2⤵
  PID:1620
- C:\Windows\System32\findstr.exe
  findstr /a:07 /f:`.txt "."
  2⤵
  PID:1880
- C:\Windows\System32\findstr.exe
  findstr /a:0A /f:`.txt "."
  2⤵
  PID:2404
- C:\Windows\System32\choice.exe
  choice /c 1234567890EDRSVX /n /m "> Choose a menu option, or press 0 to Exit: "
  2⤵
  PID:1092
- C:\Windows\System32\mode.com
  mode con cols=100 lines=34
  2⤵
  PID:2252
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -nop -c "&{$W=$Host.UI.RawUI.WindowSize;$B=$Host.UI.RawUI.BufferSize;$W.Height=31;$B.Height=300;$Host.UI.RawUI.WindowSize=$W;$Host.UI.RawUI.BufferSize=$B;}"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1708
- C:\Windows\System32\net.exe
  net start sppsvc /y
  2⤵
  PID:468
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 start sppsvc /y
    3⤵
    PID:2004
- C:\Windows\System32\cscript.exe
  cscript.exe //NoLogo slmgr.vbs /dli
  2⤵
  PID:2240
- C:\Windows\System32\cscript.exe
  cscript.exe //NoLogo slmgr.vbs /xpr
  2⤵
  PID:2280
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "reg query HKLM\SOFTWARE\Microsoft\Office\16.0\Common\InstallRoot /v Path" 2>nul
  2⤵
  PID:2164
- - C:\Windows\System32\reg.exe
    reg query HKLM\SOFTWARE\Microsoft\Office\16.0\Common\InstallRoot /v Path
    3⤵
    - Modifies registry key
    PID:2472
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "reg query HKLM\SOFTWARE\WOW6432Node\Microsoft\Office\16.0\Common\InstallRoot /v Path" 2>nul
  2⤵
  PID:1744
- - C:\Windows\System32\reg.exe
    reg query HKLM\SOFTWARE\WOW6432Node\Microsoft\Office\16.0\Common\InstallRoot /v Path
    3⤵
    - Modifies registry key
    PID:1504
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "reg query HKLM\SOFTWARE\Microsoft\Office\15.0\Common\InstallRoot /v Path" 2>nul
  2⤵
  PID:1704
- - C:\Windows\System32\reg.exe
    reg query HKLM\SOFTWARE\Microsoft\Office\15.0\Common\InstallRoot /v Path
    3⤵
    - Modifies registry key
    PID:876
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "reg query HKLM\SOFTWARE\WOW6432Node\Microsoft\Office\15.0\Common\InstallRoot /v Path" 2>nul
  2⤵
  PID:1264
- - C:\Windows\System32\reg.exe
    reg query HKLM\SOFTWARE\WOW6432Node\Microsoft\Office\15.0\Common\InstallRoot /v Path
    3⤵
    - Modifies registry key
    PID:872
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "reg query HKLM\SOFTWARE\Microsoft\Office\14.0\Common\InstallRoot /v Path" 2>nul
  2⤵
  PID:1772
- - C:\Windows\System32\reg.exe
    reg query HKLM\SOFTWARE\Microsoft\Office\14.0\Common\InstallRoot /v Path
    3⤵
    - Modifies registry key
    PID:2892
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "reg query HKLM\SOFTWARE\WOW6432Node\Microsoft\Office\14.0\Common\InstallRoot /v Path" 2>nul
  2⤵
  PID:1736
- - C:\Windows\System32\reg.exe
    reg query HKLM\SOFTWARE\WOW6432Node\Microsoft\Office\14.0\Common\InstallRoot /v Path
    3⤵
    - Modifies registry key
    PID:272
- C:\Windows\System32\cscript.exe
  cscript.exe //NoLogo "C:\Program Files (x86)\Microsoft Office\Office14\\ospp.vbs" /dstatus
  2⤵
  PID:1516
- C:\Windows\System32\reg.exe
  reg query HKLM\SOFTWARE\Microsoft\Office\ClickToRun /v InstallPath
  2⤵
  - Modifies registry key
  PID:2876
- C:\Windows\System32\reg.exe
  reg query HKLM\SOFTWARE\WOW6432Node\Microsoft\Office\ClickToRun /v InstallPath
  2⤵
  - Modifies registry key
  PID:2564
- C:\Windows\System32\reg.exe
  reg query HKLM\SOFTWARE\Microsoft\Office\15.0\ClickToRun /v InstallPath
  2⤵
  - Modifies registry key
  PID:2872
- C:\Windows\System32\reg.exe
  reg query HKLM\SOFTWARE\WOW6432Node\Microsoft\Office\15.0\ClickToRun /v InstallPath
  2⤵
  - Modifies registry key
  PID:1984
- C:\Windows\System32\reg.exe
  reg query HKLM\SOFTWARE\WOW6432Node\Microsoft\Office\14.0\CVH /f Click2run /k
  2⤵
  - Modifies registry key
  PID:2660
- C:\Windows\System32\mode.com
  mode con cols=80 lines=34
  2⤵
  PID:2868
- C:\Windows\System32\reg.exe
  reg query HKCU\SOFTWARE\Microsoft\Office\16.0\Common\Licensing\LicensingNext /v MigrationToV5Done
  2⤵
  - Modifies registry key
  PID:2696
- C:\Windows\System32\find.exe
  find /i "0x1"
  2⤵
  PID:2524
- C:\Windows\System32\reg.exe
  reg query HKCU\SOFTWARE\Microsoft\Office\16.0\Common\Licensing\LicensingNext /v MigrationToV6Done
  2⤵
  - Modifies registry key
  PID:2528
- C:\Windows\System32\find.exe
  find /i "0x1"
  2⤵
  PID:2520
- C:\Windows\System32\reg.exe
  reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sppsvc.exe" /v VerifierFlags
  2⤵
  PID:2544
- C:\Windows\System32\reg.exe
  reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osppsvc.exe" /v VerifierFlags
  2⤵
  PID:2588
- C:\Windows\System32\findstr.exe
  findstr /a:07 /f:`.txt "."
  2⤵
  PID:2576
- C:\Windows\System32\findstr.exe
  findstr /a:0A /f:`.txt "."
  2⤵
  PID:2644
- C:\Windows\System32\findstr.exe
  findstr /a:07 /f:`.txt "."
  2⤵
  PID:3068
- C:\Windows\System32\findstr.exe
  findstr /a:0A /f:`.txt "."
  2⤵
  PID:2444
- C:\Windows\System32\choice.exe
  choice /c 1234567890EDRSVX /n /m "> Choose a menu option, or press 0 to Exit: "
  2⤵
  PID:1304

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:2760

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x17c
1⤵
PID:1036

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\slmgr.vbs

Filesize
110KB

MD5
38482a5013d8ab40df0fb15eae022c57

SHA1
5a4a7f261307721656c11b5cc097cde1cf791073

SHA256
ac5c46b97345465a96e9ae1edaff44b191a39bf3d03dc1128090b8ffa92a16f8

SHA512
29c1348014ac448fb9c1a72bfd0ab16cdd62b628dc64827b02965b96ba851e9265c4426007181d2aa08f8fb7853142cc01fc6e4d89bec8fc25f3d340d3857331

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
adc5cc782920c3720f4f2a5527504a8a

SHA1
5a9110f4fa93cee87c2dd9781becd6aeeb9ea617

SHA256
8fc11166aaf6b521e174ac2b99308da278690a805234a8cc1fcb7f557b784466

SHA512
c2390c7876a9905b21f55c7ce93a6a267ba5ac2ff7104e943c8e7b50f0d0b514f1fcc9ad6fce634c50f3e0146ef5120a01c5b5fb15e227b640726d6c05f90819

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
ca1b3e4f93297fb99af2687ea316397c

SHA1
e0c399d1808307f7178e9216f131231cb84263c5

SHA256
b405661d8be1deaf5d5c740da0ba597161a0b4445e5e2e18577d483582bbe64e

SHA512
8425d065ffb2465199f4ebd7af77dd7db19e13e574313b0d37f417223057067d50f4d9793db64e4492b03379a7b5dbd94d6b6809c3f7b0a68ec0c15ca5abab2b

Download Submit
C:\Windows\Temp\'

Filesize
1B

MD5
5058f1af8388633f609cadb75a75dc9d

SHA1
3a52ce780950d4d969792a2559cd519d7ee8c727

SHA256
cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8

SHA512
0b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21

Download Submit
C:\Windows\Temp\RESDCD8.tmp

Filesize
1KB

MD5
f0089dc3db63d5c916182cb035a974e7

SHA1
6e2e3886d3a0898b50e0975ef6e0e09b07664eec

SHA256
6113ba7ab603e9dab0e00f3a7076028e171f93c89ada0a6e78f402b44492d371

SHA512
2ea260821fc4532f629ee8a78a0e811f260c02ff312907ade938dc17ed1ccd812c5ddb1e99776617ee9272a877649469dd4777424ee2ea4086d952cfd5033dba

Download Submit
C:\Windows\Temp\`.txt

Filesize
35B

MD5
ffe40be0916c7302ae237feebe53cf4b

SHA1
59f9f73c5f1cf616c159bd13d9245794b2edcecd

SHA256
6ef78a8ef8e0752565dcc75e10db254a573a51eaa183f0bff99494e62f0b57c6

SHA512
8068814f7cf1b06bc2428409402aae8fa885705eebc5cf96415e77d50003c13665ef75fc818d992fa994034f9507c3f9cbc1345a6150fa4e9077bd16b8d88ada

Download Submit
C:\Windows\Temp\`.txt

Filesize
20B

MD5
b2e5b29ecc16ade3184ed0b5321166c9

SHA1
6cdff60bb711d7edb0583d5d2f0656c6e1a1aee2

SHA256
79af99b57c308bf4d412f6d95f6e5ee488f1f56f7643461cafa168a0bca50b4d

SHA512
d98540f803974426e82222d9aca3632060af3daa45d43c60ac66ee16b01f6af28db93b323ade968094e4ebe068639e8fd178fd34903937b2569aaa229767bd03

Download Submit
C:\Windows\Temp\`.txt

Filesize
26B

MD5
d10b004bada4d69dc9ce0115011be5e0

SHA1
d7314923b5e8063df26b3cafd6b76c8d57788cca

SHA256
267c049a486941f2019a92b8610c67a8ad11fc45336aea5e3a8af32abfe15d17

SHA512
a03dab3454e1623a624056cc0c6d5b85f76504177aecbd42962ccfd211f80a8bcedab8e320c9be8bdf414a11ae667fb33fe209f91cb9c62744685f223771a9cd

Download Submit
C:\Windows\Temp\`.txt

Filesize
58B

MD5
a975fb319622da2116642f375a6eec70

SHA1
07fe1e39dd3cb73db1729ad5caf703495020fdf1

SHA256
c9521683e61bb4790420ac1c69a4748b8f1869d488bcf17ddf355996169b702a

SHA512
deb2874c1c2126f06164f3da0c53a9ff9fe34249fa2b5d513884a138671c57c58d8e9776cf2faa8b827adff3e6e4828bcbe1f811346b79b013cae29098b12a50

Download Submit
C:\Windows\Temp\`.txt

Filesize
18B

MD5
8d38cf7003a523332bc396f8921e81e7

SHA1
050c1c8ad5cf39e967a2254feb763382e84d9105

SHA256
07eff0e3ef79be21836324dec2a94fdf902e41cc87b5796c0a2b946cd19f1423

SHA512
508bfc3e5b1c321f68ff6d9fe3b6d971d6e9a5b3bf03cbfc4345c10eb8e3ba28cfcba8af1d172cd5f19ce010f5de152142c47fb8ef1076b7f7d4c60a97a6bb06

Download Submit
C:\Windows\Temp\aa9mqq4a.dll

Filesize
4KB

MD5
c20f3a14e89c9a23c4c581353069dd8b

SHA1
799750f8498e5d80eeae0405d49e737fe3e056bf

SHA256
c28cabb5c5b16c005c966896f2bd5a0f13e4aa44292f9e85d84873dc0b60f19f

SHA512
c3a96d4ea5c48bc046374a53f48e2264d4acebc5236bc2774be187225ddef07e6e8dae49067f4260ff61fca4cdcb1d8f1055f129cc965d531ac0e6b3d1c2d2fb

Download Submit
C:\Windows\Temp\aa9mqq4a.pdb

Filesize
11KB

MD5
40362bded035eec925ac66aa3bd392e6

SHA1
ec3f0ec56c31b45247c483e1e961c65e66d03dc4

SHA256
eabc2408d6237ec8f09a734bc2ee37055251f1ef16488e3bb525b5007b3593fb

SHA512
f8aefca676c9dbdb0f75952f61ef9cc719b0e79aeab70d16f8d850991a7397f3c815135e424156d855afe48d94499c98faad627a69c09fddcbb58b719de1effc

Download Submit
C:\Windows\Temp\sppchk.txt

Filesize
118B

MD5
139c34473cb65b61c2439f45df8fb70d

SHA1
f5611ffdb810dd1eb4908036402e5d214b5b189d

SHA256
3ca4ceaf4fac99811a37e1809823a4e669025d4efd5058a84b784f74f3bc4639

SHA512
72b149ac334dfa681f40253aba088f1fdc9b298fbae127432c3f9057a0d81bef6e5edfae83c9981c020706ff84d271889d564415e59e0f4edb8c3840d091294b

Download Submit
C:\Windows\Temp\sppchk.txt

Filesize
36B

MD5
c3c912dcb6cb96fbcc7a4de5b65ddf67

SHA1
adb82109a2f87b2e9cf068967f063f7b07196171

SHA256
4bc38ee8ddd6deaacfef121e09085e64464265bc4e01728d9f8b3f08ed3ad5db

SHA512
10502adb85d26e4a65d73fe4211ba1dccbdfee99e990edeb23fb31ae6df204e2c3c6e69e207cdb856b0b0cc590b33cf9b296891cfc4806d649e29dc9e6fac452

Download Submit
\??\c:\Windows\Temp\CSCDCD7.tmp

Filesize
652B

MD5
a3367ee1348a5bb8b05a38758da3b5b8

SHA1
1ae08a05f2c10ebc660d977d75b7403a4dda4d09

SHA256
1549b74e6cd68d4b64f3e4279bbe3e69ca703409cc1c221314c92c7b40221f59

SHA512
4100a1b7153ff742b5cdaae49bd9793dc3d6eea03ed161cf8fdeb1c1b9d6c7653d0a618ebd10c22f783baeca8e4489d58a745b89dcdab2f186e926b215af0508

Download Submit
\??\c:\Windows\Temp\aa9mqq4a.0.cs

Filesize
884B

MD5
eafbb318108fc62a15b458ebba405940

SHA1
0c5f45d0cab61ef4fa12f13f020ca45cba04863a

SHA256
45ee3dd57aa47fcf92c09a44276de5ef1688bb0563e09206d8e882528e6de9d2

SHA512
bac80550d7fedc768522907ba72f2802ac2fead886015356a417533f9fc0e2a767b992c58010e67160b4ee071971c7cc6a5337ffb948cf685dca0811ccaa52f8

Download Submit
\??\c:\Windows\Temp\aa9mqq4a.cmdline

Filesize
273B

MD5
0fc64705f6223b4f44b60b5d99ef4e80

SHA1
94d05827a22f59eb62ce40c8f8986a892bf5619e

SHA256
4487c11c1673f6d64e77cdac5b584a4c90d65a29e5c19e6ae1201b072fa50411

SHA512
e3b22a4b0728679351f7fc44dc473ab1a55f09c9f57db8668860188176f333b8496e8276b7e3db6a66b3f693a8c3175f36432dd829f202d74b8ee98d243ab75c

Download Submit
\Windows\System32\SppExtComObjHook.dll

Filesize
19KB

MD5
2914300a6e0cdf7ed242505958ac0bb5

SHA1
684103f5c312ae956e66a02b965d9aad59710745

SHA256
29ae6f149e581f8dbdc01eed2d5d20b82b597c4b4c7e102cab6d012b168df4d8

SHA512
6fa6b773275e61596f1d4885fa3089ff24a2f72166dc0a2c40667f0bd03de26b032f2a39aa05e74077ada96bbb6b0785424bfe387b995c147fd74860a11948c9

Download Submit
memory/1032-24-0x0000000001F00000-0x0000000001F08000-memory.dmp

Filesize
32KB

Download
memory/1032-23-0x000000001B760000-0x000000001BA42000-memory.dmp

Filesize
2.9MB

Download
memory/1708-76-0x0000000002330000-0x0000000002338000-memory.dmp

Filesize
32KB

Download
memory/1708-75-0x000000001B640000-0x000000001B922000-memory.dmp

Filesize
2.9MB

Download
memory/2488-43-0x0000000002B60000-0x0000000002B68000-memory.dmp

Filesize
32KB

Download
memory/2672-8-0x000007FEF51A0000-0x000007FEF5B3D000-memory.dmp

Filesize
9.6MB

Download
memory/2672-10-0x0000000002D5B000-0x0000000002DC2000-memory.dmp

Filesize
412KB

Download
memory/2672-9-0x000007FEF51A0000-0x000007FEF5B3D000-memory.dmp

Filesize
9.6MB

Download
memory/2672-6-0x0000000002260000-0x0000000002268000-memory.dmp

Filesize
32KB

Download
memory/2672-4-0x000007FEF545E000-0x000007FEF545F000-memory.dmp

Filesize
4KB

Download
memory/2672-7-0x000007FEF51A0000-0x000007FEF5B3D000-memory.dmp

Filesize
9.6MB

Download
memory/2672-5-0x000000001B730000-0x000000001BA12000-memory.dmp

Filesize
2.9MB

Download