5665306da70d8314c1075753e62ccc4163722bc1dd01d6e440f8268e624764bf

Analysis

max time kernel
90s
max time network
100s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
09/07/2024, 17:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ConsoleAct_x64.exe
Size

1.0MB
MD5

8101ffc7c364c9d4d6810c9cbe5b3e43
SHA1

fa266f7cc07d7b51fb1d5a86c73cecf204f28912
SHA256

5665306da70d8314c1075753e62ccc4163722bc1dd01d6e440f8268e624764bf
SHA512

9731b223ef1f02a7bb01afe13c985038517838166e1b90fc88aafa23aaf3e3fdb5a64229a0c5a8960608047f93b4afca0a6c10ad64f635104f01929e996520c7
SSDEEP

24576:WV2HeytcxKV0XOnZe8i5dCppc50CxO7EyyXAAsWvZmSGqb4LQRyg:WVceytcb8i5WchOCQrWvZzGVQUg

Score

8^/10

evasion execution persistence privilege_escalation upx

Malware Config

Signatures

Event Triggered Execution: Image File Execution Options Injection 1 TTPs 24 IoCs

persistence

Image File Execution Options Injection

T1546.012

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osppsvc.exe	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osppsvc.exe	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osppsvc.exe\KMS_ActivationInterval = "120"	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.Exe	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.Exe\VerifierDlls = "SppExtComObjHook.dll"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.Exe\KMS_HWID = "11176813417530261616"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.Exe	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osppsvc.exe\KMS_Emulation = "1"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osppsvc.exe\GlobalFlag = "256"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osppsvc.exe	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osppsvc.exe\VerifierDlls = "SppExtComObjHook.dll"	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osppsvc.exe	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.Exe	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.Exe\KMS_ActivationInterval = "120"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osppsvc.exe	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osppsvc.exe\KMS_RenewalInterval = "10080"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.Exe	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.Exe	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.Exe\KMS_RenewalInterval = "10080"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.Exe	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.Exe	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osppsvc.exe	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.Exe\KMS_Emulation = "1"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.Exe\GlobalFlag = "256"	reg.exe

Modifies Windows Firewall 2 TTPs 4 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
3616	netsh.exe
1784	netsh.exe
4412	netsh.exe
4872	netsh.exe

Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Loads dropped DLL 1 IoCs

pid	Process
3124	Process not Found

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/224-0-0x0000000140000000-0x000000014023F000-memory.dmp	upx
behavioral2/memory/224-1-0x0000000140000000-0x000000014023F000-memory.dmp	upx
behavioral2/memory/224-4-0x0000000140000000-0x000000014023F000-memory.dmp	upx
behavioral2/memory/224-9-0x0000000140000000-0x000000014023F000-memory.dmp	upx
behavioral2/memory/224-14-0x0000000140000000-0x000000014023F000-memory.dmp	upx
behavioral2/memory/224-20-0x0000000140000000-0x000000014023F000-memory.dmp	upx

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\System32\SppExtComObjHook.dll	ConsoleAct_x64.exe
File opened for modification	C:\Windows\System32\SppExtComObjHook.dll	ConsoleAct_x64.exe

Launches sc.exe 2 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
1784	sc.exe
4748	sc.exe

Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

Gathers network information 2 TTPs 1 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
2936	ipconfig.exe

Kills process with taskkill 2 IoCs

evasion

pid	Process
3472	taskkill.exe
3368	taskkill.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key deleted	\REGISTRY\USER\S-1-5-20\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SOFTWAREPROTECTIONPLATFORM\0FF1CE15-A989-479D-AF46-F275C6370663\85DD8B5F-EAA4-4AF3-A628-CCE9E77C9A03	ConsoleAct_x64.exe
Key deleted	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\0ff1ce15-a989-479d-af46-f275c6370663	ConsoleAct_x64.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
1400	reg.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
224	ConsoleAct_x64.exe
224	ConsoleAct_x64.exe
224	ConsoleAct_x64.exe
224	ConsoleAct_x64.exe
224	ConsoleAct_x64.exe
224	ConsoleAct_x64.exe
224	ConsoleAct_x64.exe
224	ConsoleAct_x64.exe
224	ConsoleAct_x64.exe
224	ConsoleAct_x64.exe
224	ConsoleAct_x64.exe
224	ConsoleAct_x64.exe
224	ConsoleAct_x64.exe
224	ConsoleAct_x64.exe
224	ConsoleAct_x64.exe
224	ConsoleAct_x64.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	3372	WMIC.exe
Token: SeSecurityPrivilege	3372	WMIC.exe
Token: SeTakeOwnershipPrivilege	3372	WMIC.exe
Token: SeLoadDriverPrivilege	3372	WMIC.exe
Token: SeSystemProfilePrivilege	3372	WMIC.exe
Token: SeSystemtimePrivilege	3372	WMIC.exe
Token: SeProfSingleProcessPrivilege	3372	WMIC.exe
Token: SeIncBasePriorityPrivilege	3372	WMIC.exe
Token: SeCreatePagefilePrivilege	3372	WMIC.exe
Token: SeBackupPrivilege	3372	WMIC.exe
Token: SeRestorePrivilege	3372	WMIC.exe
Token: SeShutdownPrivilege	3372	WMIC.exe
Token: SeDebugPrivilege	3372	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3372	WMIC.exe
Token: SeRemoteShutdownPrivilege	3372	WMIC.exe
Token: SeUndockPrivilege	3372	WMIC.exe
Token: SeManageVolumePrivilege	3372	WMIC.exe
Token: 33	3372	WMIC.exe
Token: 34	3372	WMIC.exe
Token: 35	3372	WMIC.exe
Token: 36	3372	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3372	WMIC.exe
Token: SeSecurityPrivilege	3372	WMIC.exe
Token: SeTakeOwnershipPrivilege	3372	WMIC.exe
Token: SeLoadDriverPrivilege	3372	WMIC.exe
Token: SeSystemProfilePrivilege	3372	WMIC.exe
Token: SeSystemtimePrivilege	3372	WMIC.exe
Token: SeProfSingleProcessPrivilege	3372	WMIC.exe
Token: SeIncBasePriorityPrivilege	3372	WMIC.exe
Token: SeCreatePagefilePrivilege	3372	WMIC.exe
Token: SeBackupPrivilege	3372	WMIC.exe
Token: SeRestorePrivilege	3372	WMIC.exe
Token: SeShutdownPrivilege	3372	WMIC.exe
Token: SeDebugPrivilege	3372	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3372	WMIC.exe
Token: SeRemoteShutdownPrivilege	3372	WMIC.exe
Token: SeUndockPrivilege	3372	WMIC.exe
Token: SeManageVolumePrivilege	3372	WMIC.exe
Token: 33	3372	WMIC.exe
Token: 34	3372	WMIC.exe
Token: 35	3372	WMIC.exe
Token: 36	3372	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2216	WMIC.exe
Token: SeSecurityPrivilege	2216	WMIC.exe
Token: SeTakeOwnershipPrivilege	2216	WMIC.exe
Token: SeLoadDriverPrivilege	2216	WMIC.exe
Token: SeSystemProfilePrivilege	2216	WMIC.exe
Token: SeSystemtimePrivilege	2216	WMIC.exe
Token: SeProfSingleProcessPrivilege	2216	WMIC.exe
Token: SeIncBasePriorityPrivilege	2216	WMIC.exe
Token: SeCreatePagefilePrivilege	2216	WMIC.exe
Token: SeBackupPrivilege	2216	WMIC.exe
Token: SeRestorePrivilege	2216	WMIC.exe
Token: SeShutdownPrivilege	2216	WMIC.exe
Token: SeDebugPrivilege	2216	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2216	WMIC.exe
Token: SeRemoteShutdownPrivilege	2216	WMIC.exe
Token: SeUndockPrivilege	2216	WMIC.exe
Token: SeManageVolumePrivilege	2216	WMIC.exe
Token: 33	2216	WMIC.exe
Token: 34	2216	WMIC.exe
Token: 35	2216	WMIC.exe
Token: 36	2216	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2216	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 224 wrote to memory of 2448	224	ConsoleAct_x64.exe	81
PID 224 wrote to memory of 2448	224	ConsoleAct_x64.exe	81
PID 224 wrote to memory of 1672	224	ConsoleAct_x64.exe	83
PID 224 wrote to memory of 1672	224	ConsoleAct_x64.exe	83
PID 2448 wrote to memory of 3372	2448	cmd.exe	84
PID 2448 wrote to memory of 3372	2448	cmd.exe	84
PID 224 wrote to memory of 4224	224	ConsoleAct_x64.exe	87
PID 224 wrote to memory of 4224	224	ConsoleAct_x64.exe	87
PID 4224 wrote to memory of 2216	4224	cmd.exe	89
PID 4224 wrote to memory of 2216	4224	cmd.exe	89
PID 224 wrote to memory of 1972	224	ConsoleAct_x64.exe	90
PID 224 wrote to memory of 1972	224	ConsoleAct_x64.exe	90
PID 1972 wrote to memory of 1352	1972	cmd.exe	93
PID 1972 wrote to memory of 1352	1972	cmd.exe	93
PID 224 wrote to memory of 4916	224	ConsoleAct_x64.exe	94
PID 224 wrote to memory of 4916	224	ConsoleAct_x64.exe	94
PID 4916 wrote to memory of 756	4916	cmd.exe	97
PID 4916 wrote to memory of 756	4916	cmd.exe	97
PID 224 wrote to memory of 1828	224	ConsoleAct_x64.exe	99
PID 224 wrote to memory of 1828	224	ConsoleAct_x64.exe	99
PID 1828 wrote to memory of 1892	1828	cmd.exe	100
PID 1828 wrote to memory of 1892	1828	cmd.exe	100
PID 224 wrote to memory of 3304	224	ConsoleAct_x64.exe	102
PID 224 wrote to memory of 3304	224	ConsoleAct_x64.exe	102
PID 224 wrote to memory of 4364	224	ConsoleAct_x64.exe	103
PID 224 wrote to memory of 4364	224	ConsoleAct_x64.exe	103
PID 4364 wrote to memory of 1784	4364	cmd.exe	104
PID 4364 wrote to memory of 1784	4364	cmd.exe	104
PID 224 wrote to memory of 3972	224	ConsoleAct_x64.exe	105
PID 224 wrote to memory of 3972	224	ConsoleAct_x64.exe	105
PID 3972 wrote to memory of 4420	3972	cmd.exe	106
PID 3972 wrote to memory of 4420	3972	cmd.exe	106
PID 4420 wrote to memory of 3352	4420	net.exe	107
PID 4420 wrote to memory of 3352	4420	net.exe	107
PID 224 wrote to memory of 2144	224	ConsoleAct_x64.exe	108
PID 224 wrote to memory of 2144	224	ConsoleAct_x64.exe	108
PID 2144 wrote to memory of 4512	2144	cmd.exe	109
PID 2144 wrote to memory of 4512	2144	cmd.exe	109
PID 224 wrote to memory of 4100	224	ConsoleAct_x64.exe	110
PID 224 wrote to memory of 4100	224	ConsoleAct_x64.exe	110
PID 4100 wrote to memory of 412	4100	cmd.exe	111
PID 4100 wrote to memory of 412	4100	cmd.exe	111
PID 224 wrote to memory of 1316	224	ConsoleAct_x64.exe	112
PID 224 wrote to memory of 1316	224	ConsoleAct_x64.exe	112
PID 1316 wrote to memory of 3128	1316	cmd.exe	113
PID 1316 wrote to memory of 3128	1316	cmd.exe	113
PID 224 wrote to memory of 2036	224	ConsoleAct_x64.exe	114
PID 224 wrote to memory of 2036	224	ConsoleAct_x64.exe	114
PID 2036 wrote to memory of 2416	2036	cmd.exe	115
PID 2036 wrote to memory of 2416	2036	cmd.exe	115
PID 224 wrote to memory of 3212	224	ConsoleAct_x64.exe	116
PID 224 wrote to memory of 3212	224	ConsoleAct_x64.exe	116
PID 3212 wrote to memory of 2280	3212	cmd.exe	117
PID 3212 wrote to memory of 2280	3212	cmd.exe	117
PID 224 wrote to memory of 5056	224	ConsoleAct_x64.exe	118
PID 224 wrote to memory of 5056	224	ConsoleAct_x64.exe	118
PID 5056 wrote to memory of 368	5056	cmd.exe	119
PID 5056 wrote to memory of 368	5056	cmd.exe	119
PID 224 wrote to memory of 4392	224	ConsoleAct_x64.exe	120
PID 224 wrote to memory of 4392	224	ConsoleAct_x64.exe	120
PID 4392 wrote to memory of 4124	4392	cmd.exe	121
PID 4392 wrote to memory of 4124	4392	cmd.exe	121
PID 224 wrote to memory of 3364	224	ConsoleAct_x64.exe	122
PID 224 wrote to memory of 3364	224	ConsoleAct_x64.exe	122

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\ConsoleAct_x64.exe
"C:\Users\Admin\AppData\Local\Temp\ConsoleAct_x64.exe"
1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:224
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionPath="C:\Users\Admin\AppData\Local\Temp\ConsoleAct_x64.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2448
- - C:\Windows\System32\Wbem\WMIC.exe
    WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionPath="C:\Users\Admin\AppData\Local\Temp\ConsoleAct_x64.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3372
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c copy C:\Windows\System32\Tasks\ConsoleAct "C:\Users\Admin\AppData\Local\Temp\ConsoleAct.tmp" /Y 2>&1
  2⤵
  PID:1672
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionPath="C:\Users\Admin\AppData\Local\Temp\KMSSS.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4224
- - C:\Windows\System32\Wbem\WMIC.exe
    WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionPath="C:\Users\Admin\AppData\Local\Temp\KMSSS.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2216
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionPath="C:\Windows\System32\SppExtComObjPatcher.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1972
- - C:\Windows\System32\Wbem\WMIC.exe
    WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionPath="C:\Windows\System32\SppExtComObjPatcher.exe"
    3⤵
    PID:1352
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionPath="C:\Windows\System32\SppExtComObjHook.dll"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4916
- - C:\Windows\System32\Wbem\WMIC.exe
    WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionPath="C:\Windows\System32\SppExtComObjHook.dll"
    3⤵
    PID:756
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c cscript.exe C:\Windows\System32\slmgr.vbs //NoLogo /dli 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1828
- - C:\Windows\System32\cscript.exe
    cscript.exe C:\Windows\System32\slmgr.vbs //NoLogo /dli
    3⤵
    PID:1892
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c copy C:\Windows\System32\Tasks\ConsoleAct "C:\Users\Admin\AppData\Local\Temp\ConsoleAct.tmp" /Y 2>&1
  2⤵
  PID:3304
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c sc.exe stop sppsvc >nul 2>&1 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4364
- - C:\Windows\System32\sc.exe
    sc.exe stop sppsvc
    3⤵
    - Launches sc.exe
    PID:1784
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c net.exe stop sppsvc /y 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3972
- - C:\Windows\System32\net.exe
    net.exe stop sppsvc /y
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4420
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop sppsvc /y
      4⤵
      PID:3352
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg.exe delete "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\CurrentVersion\Software Protection Platform" /v "NoGenTicket" /f 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2144
- - C:\Windows\System32\reg.exe
    reg.exe delete "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\CurrentVersion\Software Protection Platform" /v "NoGenTicket" /f
    3⤵
    PID:4512
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c schtasks.exe /delete /f /tn "\Microsoft\Windows\SoftwareProtectionPlatform\SvcTrigger" 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4100
- - C:\Windows\System32\schtasks.exe
    schtasks.exe /delete /f /tn "\Microsoft\Windows\SoftwareProtectionPlatform\SvcTrigger"
    3⤵
    PID:412
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg.exe delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.Exe" /f /v Debugger 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1316
- - C:\Windows\System32\reg.exe
    reg.exe delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.Exe" /f /v Debugger
    3⤵
    PID:3128
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.Exe" /f /v "KMS_Emulation" /t REG_DWORD /d 1 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2036
- - C:\Windows\System32\reg.exe
    reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.Exe" /f /v "KMS_Emulation" /t REG_DWORD /d 1
    3⤵
    - Event Triggered Execution: Image File Execution Options Injection
    PID:2416
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.Exe" /f /v "GlobalFlag" /t REG_DWORD /d 256 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3212
- - C:\Windows\System32\reg.exe
    reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.Exe" /f /v "GlobalFlag" /t REG_DWORD /d 256
    3⤵
    - Event Triggered Execution: Image File Execution Options Injection
    PID:2280
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.Exe" /f /v "KMS_ActivationInterval" /t REG_DWORD /d 120 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5056
- - C:\Windows\System32\reg.exe
    reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.Exe" /f /v "KMS_ActivationInterval" /t REG_DWORD /d 120
    3⤵
    - Event Triggered Execution: Image File Execution Options Injection
    PID:368
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.Exe" /f /v "KMS_RenewalInterval" /t REG_DWORD /d 10080 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4392
- - C:\Windows\System32\reg.exe
    reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.Exe" /f /v "KMS_RenewalInterval" /t REG_DWORD /d 10080
    3⤵
    - Event Triggered Execution: Image File Execution Options Injection
    PID:4124
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.Exe" /f /v "VerifierDlls" /t REG_SZ /d "SppExtComObjHook.dll" 2>&1
  2⤵
  PID:3364
- - C:\Windows\System32\reg.exe
    reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.Exe" /f /v "VerifierDlls" /t REG_SZ /d "SppExtComObjHook.dll"
    3⤵
    - Event Triggered Execution: Image File Execution Options Injection
    PID:2548
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.Exe" /f /v "KMS_HWID" /t REG_QWORD /d 0x9B1C049600B60070 2>&1
  2⤵
  PID:1876
- - C:\Windows\System32\reg.exe
    reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.Exe" /f /v "KMS_HWID" /t REG_QWORD /d 0x9B1C049600B60070
    3⤵
    - Event Triggered Execution: Image File Execution Options Injection
    PID:2000
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg.exe delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osppsvc.exe" /f /v Debugger 2>&1
  2⤵
  PID:3096
- - C:\Windows\System32\reg.exe
    reg.exe delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osppsvc.exe" /f /v Debugger
    3⤵
    PID:1084
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osppsvc.exe" /f /v "KMS_Emulation" /t REG_DWORD /d 1 2>&1
  2⤵
  PID:4028
- - C:\Windows\System32\reg.exe
    reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osppsvc.exe" /f /v "KMS_Emulation" /t REG_DWORD /d 1
    3⤵
    - Event Triggered Execution: Image File Execution Options Injection
    PID:1412
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osppsvc.exe" /f /v "GlobalFlag" /t REG_DWORD /d 256 2>&1
  2⤵
  PID:832
- - C:\Windows\System32\reg.exe
    reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osppsvc.exe" /f /v "GlobalFlag" /t REG_DWORD /d 256
    3⤵
    - Event Triggered Execution: Image File Execution Options Injection
    PID:1204
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osppsvc.exe" /f /v "KMS_ActivationInterval" /t REG_DWORD /d 120 2>&1
  2⤵
  PID:4864
- - C:\Windows\System32\reg.exe
    reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osppsvc.exe" /f /v "KMS_ActivationInterval" /t REG_DWORD /d 120
    3⤵
    - Event Triggered Execution: Image File Execution Options Injection
    PID:1836
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osppsvc.exe" /f /v "KMS_RenewalInterval" /t REG_DWORD /d 10080 2>&1
  2⤵
  PID:896
- - C:\Windows\System32\reg.exe
    reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osppsvc.exe" /f /v "KMS_RenewalInterval" /t REG_DWORD /d 10080
    3⤵
    - Event Triggered Execution: Image File Execution Options Injection
    PID:2028
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osppsvc.exe" /f /v "VerifierDlls" /t REG_SZ /d "SppExtComObjHook.dll" 2>&1
  2⤵
  PID:2620
- - C:\Windows\System32\reg.exe
    reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osppsvc.exe" /f /v "VerifierDlls" /t REG_SZ /d "SppExtComObjHook.dll"
    3⤵
    - Event Triggered Execution: Image File Execution Options Injection
    PID:1248
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg.exe add "HKLM\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform" /f /v "KeyManagementServiceName" /t REG_SZ /d 10.3.0.20 2>&1
  2⤵
  PID:2284
- - C:\Windows\System32\reg.exe
    reg.exe add "HKLM\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform" /f /v "KeyManagementServiceName" /t REG_SZ /d 10.3.0.20
    3⤵
    PID:4316
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg.exe add "HKLM\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform" /f /v "KeyManagementServicePort" /t REG_SZ /d 1688 2>&1
  2⤵
  PID:3108
- - C:\Windows\System32\reg.exe
    reg.exe add "HKLM\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform" /f /v "KeyManagementServicePort" /t REG_SZ /d 1688
    3⤵
    PID:2492
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c Netsh.exe Advfirewall Firewall add rule name=0pen_Port_KMS dir=in action=allow protocol=TCP localport=1688 2>&1
  2⤵
  PID:3536
- - C:\Windows\System32\netsh.exe
    Netsh.exe Advfirewall Firewall add rule name=0pen_Port_KMS dir=in action=allow protocol=TCP localport=1688
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    PID:3616
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" DELETE "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\55c92734-d682-4d71-983e-d6ec3f16059f" /f /reg:64
  2⤵
  PID:512
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c cscript.exe C:\Windows\System32\slmgr.vbs //NoLogo /sdns 2>&1
  2⤵
  PID:4284
- - C:\Windows\System32\cscript.exe
    cscript.exe C:\Windows\System32\slmgr.vbs //NoLogo /sdns
    3⤵
    PID:4940
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c cscript.exe C:\Windows\System32\slmgr.vbs //NoLogo /act-type 0 2>&1
  2⤵
  PID:4556
- - C:\Windows\System32\cscript.exe
    cscript.exe C:\Windows\System32\slmgr.vbs //NoLogo /act-type 0
    3⤵
    PID:3564
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c cscript.exe C:\Windows\System32\slmgr.vbs //NoLogo /ckms 2>&1
  2⤵
  PID:2356
- - C:\Windows\System32\cscript.exe
    cscript.exe C:\Windows\System32\slmgr.vbs //NoLogo /ckms
    3⤵
    PID:4964
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c cscript.exe C:\Windows\System32\slmgr.vbs //NoLogo /ckms-domain 2>&1
  2⤵
  PID:2448
- - C:\Windows\System32\cscript.exe
    cscript.exe C:\Windows\System32\slmgr.vbs //NoLogo /ckms-domain
    3⤵
    PID:1476
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" DELETE "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\55c92734-d682-4d71-983e-d6ec3f16059f" /f /reg:64
  2⤵
  PID:3236
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c cscript.exe C:\Windows\System32\slmgr.vbs //NoLogo /skms 10.3.0.20:1688 2>&1
  2⤵
  PID:4560
- - C:\Windows\System32\cscript.exe
    cscript.exe C:\Windows\System32\slmgr.vbs //NoLogo /skms 10.3.0.20:1688
    3⤵
    PID:1260
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c cscript.exe C:\Windows\System32\slmgr.vbs //NoLogo /ato 2>&1
  2⤵
  PID:1200
- - C:\Windows\System32\cscript.exe
    cscript.exe C:\Windows\System32\slmgr.vbs //NoLogo /ato
    3⤵
    PID:3248
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c taskkill.exe /t /f /IM SppExtComObj.Exe 2>&1
  2⤵
  PID:540
- - C:\Windows\System32\taskkill.exe
    taskkill.exe /t /f /IM SppExtComObj.Exe
    3⤵
    - Kills process with taskkill
    PID:3472
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg.exe delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.Exe" /f /v "Debugger" 2>&1
  2⤵
  PID:2100
- - C:\Windows\System32\reg.exe
    reg.exe delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.Exe" /f /v "Debugger"
    3⤵
    PID:3480
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg.exe delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.Exe" /f /v "KMS_Emulation" 2>&1
  2⤵
  PID:1180
- - C:\Windows\System32\reg.exe
    reg.exe delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.Exe" /f /v "KMS_Emulation"
    3⤵
    PID:4112
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg.exe delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.Exe" /f 2>&1
  2⤵
  PID:868
- - C:\Windows\System32\reg.exe
    reg.exe delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.Exe" /f
    3⤵
    - Event Triggered Execution: Image File Execution Options Injection
    PID:4460
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg.exe delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osppsvc.exe" /f /v "Debugger" 2>&1
  2⤵
  PID:2996
- - C:\Windows\System32\reg.exe
    reg.exe delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osppsvc.exe" /f /v "Debugger"
    3⤵
    PID:4196
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg.exe delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osppsvc.exe" /f /v "KMS_Emulation" 2>&1
  2⤵
  PID:2008
- - C:\Windows\System32\reg.exe
    reg.exe delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osppsvc.exe" /f /v "KMS_Emulation"
    3⤵
    PID:4836
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg.exe delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osppsvc.exe" /f 2>&1
  2⤵
  PID:1600
- - C:\Windows\System32\reg.exe
    reg.exe delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osppsvc.exe" /f
    3⤵
    - Event Triggered Execution: Image File Execution Options Injection
    PID:1796
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c Netsh.exe Advfirewall Firewall delete rule name=0pen_Port_KMS protocol=TCP 2>&1
  2⤵
  PID:3640
- - C:\Windows\System32\netsh.exe
    Netsh.exe Advfirewall Firewall delete rule name=0pen_Port_KMS protocol=TCP
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    PID:1784
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c copy C:\Windows\System32\Tasks\ConsoleAct "C:\Users\Admin\AppData\Local\Temp\ConsoleAct.tmp" /Y 2>&1
  2⤵
  PID:3520
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c REG QUERY HKLM\Software\Microsoft\Office /s /v Path /reg:64
  2⤵
  PID:4356
- - C:\Windows\System32\reg.exe
    REG QUERY HKLM\Software\Microsoft\Office /s /v Path /reg:64
    3⤵
    - Modifies registry key
    PID:1400
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ipconfig.exe /flushdns 2>&1
  2⤵
  PID:4432
- - C:\Windows\System32\ipconfig.exe
    ipconfig.exe /flushdns
    3⤵
    - Gathers network information
    PID:2936
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" DELETE "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\0ff1ce15-a989-479d-af46-f275c6370663" /f /reg:64
  2⤵
  PID:2036
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c cscript.exe "C:\Program Files\Microsoft Office\Office16\ospp.vbs" //NoLogo /sethst:10.3.0.20 2>&1
  2⤵
  PID:2368
- - C:\Windows\System32\cscript.exe
    cscript.exe "C:\Program Files\Microsoft Office\Office16\ospp.vbs" //NoLogo /sethst:10.3.0.20
    3⤵
    PID:368
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c cscript.exe "C:\Program Files\Microsoft Office\Office16\ospp.vbs" //NoLogo /setprt:1688 2>&1
  2⤵
  PID:1212
- - C:\Windows\System32\cscript.exe
    cscript.exe "C:\Program Files\Microsoft Office\Office16\ospp.vbs" //NoLogo /setprt:1688
    3⤵
    PID:1876
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c cscript.exe C:\Windows\System32\slmgr.vbs //NoLogo /skms 10.3.0.20:1688 2>&1
  2⤵
  PID:1776
- - C:\Windows\System32\cscript.exe
    cscript.exe C:\Windows\System32\slmgr.vbs //NoLogo /skms 10.3.0.20:1688
    3⤵
    PID:3140
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c sc.exe stop sppsvc >nul 2>&1 2>&1
  2⤵
  PID:1204
- - C:\Windows\System32\sc.exe
    sc.exe stop sppsvc
    3⤵
    - Launches sc.exe
    PID:4748
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c net.exe stop sppsvc /y 2>&1
  2⤵
  PID:4864
- - C:\Windows\System32\net.exe
    net.exe stop sppsvc /y
    3⤵
    PID:4368
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop sppsvc /y
      4⤵
      PID:4032
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg.exe delete "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\CurrentVersion\Software Protection Platform" /v "NoGenTicket" /f 2>&1
  2⤵
  PID:916
- - C:\Windows\System32\reg.exe
    reg.exe delete "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\CurrentVersion\Software Protection Platform" /v "NoGenTicket" /f
    3⤵
    PID:1248
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c schtasks.exe /delete /f /tn "\Microsoft\Windows\SoftwareProtectionPlatform\SvcTrigger" 2>&1
  2⤵
  PID:2376
- - C:\Windows\System32\schtasks.exe
    schtasks.exe /delete /f /tn "\Microsoft\Windows\SoftwareProtectionPlatform\SvcTrigger"
    3⤵
    PID:2284
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg.exe delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.Exe" /f /v Debugger 2>&1
  2⤵
  PID:3736
- - C:\Windows\System32\reg.exe
    reg.exe delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.Exe" /f /v Debugger
    3⤵
    PID:2492
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.Exe" /f /v "KMS_Emulation" /t REG_DWORD /d 1 2>&1
  2⤵
  PID:4488
- - C:\Windows\System32\reg.exe
    reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.Exe" /f /v "KMS_Emulation" /t REG_DWORD /d 1
    3⤵
    PID:4396
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.Exe" /f /v "GlobalFlag" /t REG_DWORD /d 256 2>&1
  2⤵
  PID:4104
- - C:\Windows\System32\reg.exe
    reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.Exe" /f /v "GlobalFlag" /t REG_DWORD /d 256
    3⤵
    PID:1160
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.Exe" /f /v "KMS_ActivationInterval" /t REG_DWORD /d 120 2>&1
  2⤵
  PID:4308
- - C:\Windows\System32\reg.exe
    reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.Exe" /f /v "KMS_ActivationInterval" /t REG_DWORD /d 120
    3⤵
    PID:512
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.Exe" /f /v "KMS_RenewalInterval" /t REG_DWORD /d 10080 2>&1
  2⤵
  PID:2664
- - C:\Windows\System32\reg.exe
    reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.Exe" /f /v "KMS_RenewalInterval" /t REG_DWORD /d 10080
    3⤵
    PID:1380
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.Exe" /f /v "VerifierDlls" /t REG_SZ /d "SppExtComObjHook.dll" 2>&1
  2⤵
  PID:4652
- - C:\Windows\System32\reg.exe
    reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.Exe" /f /v "VerifierDlls" /t REG_SZ /d "SppExtComObjHook.dll"
    3⤵
    PID:4132
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.Exe" /f /v "KMS_HWID" /t REG_QWORD /d 0x9B1C049600B60070 2>&1
  2⤵
  PID:804
- - C:\Windows\System32\reg.exe
    reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.Exe" /f /v "KMS_HWID" /t REG_QWORD /d 0x9B1C049600B60070
    3⤵
    PID:4944
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg.exe delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osppsvc.exe" /f /v Debugger 2>&1
  2⤵
  PID:3336
- - C:\Windows\System32\reg.exe
    reg.exe delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osppsvc.exe" /f /v Debugger
    3⤵
    PID:1672
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osppsvc.exe" /f /v "KMS_Emulation" /t REG_DWORD /d 1 2>&1
  2⤵
  PID:5028
- - C:\Windows\System32\reg.exe
    reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osppsvc.exe" /f /v "KMS_Emulation" /t REG_DWORD /d 1
    3⤵
    PID:3308
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osppsvc.exe" /f /v "GlobalFlag" /t REG_DWORD /d 256 2>&1
  2⤵
  PID:1896
- - C:\Windows\System32\reg.exe
    reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osppsvc.exe" /f /v "GlobalFlag" /t REG_DWORD /d 256
    3⤵
    PID:4616
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osppsvc.exe" /f /v "KMS_ActivationInterval" /t REG_DWORD /d 120 2>&1
  2⤵
  PID:4964
- - C:\Windows\System32\reg.exe
    reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osppsvc.exe" /f /v "KMS_ActivationInterval" /t REG_DWORD /d 120
    3⤵
    PID:4192
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osppsvc.exe" /f /v "KMS_RenewalInterval" /t REG_DWORD /d 10080 2>&1
  2⤵
  PID:3604
- - C:\Windows\System32\reg.exe
    reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osppsvc.exe" /f /v "KMS_RenewalInterval" /t REG_DWORD /d 10080
    3⤵
    PID:1984
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osppsvc.exe" /f /v "VerifierDlls" /t REG_SZ /d "SppExtComObjHook.dll" 2>&1
  2⤵
  PID:1408
- - C:\Windows\System32\reg.exe
    reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osppsvc.exe" /f /v "VerifierDlls" /t REG_SZ /d "SppExtComObjHook.dll"
    3⤵
    PID:3288
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg.exe add "HKLM\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform" /f /v "KeyManagementServiceName" /t REG_SZ /d 10.3.0.20 2>&1
  2⤵
  PID:4224
- - C:\Windows\System32\reg.exe
    reg.exe add "HKLM\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform" /f /v "KeyManagementServiceName" /t REG_SZ /d 10.3.0.20
    3⤵
    PID:3232
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg.exe add "HKLM\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform" /f /v "KeyManagementServicePort" /t REG_SZ /d 1688 2>&1
  2⤵
  PID:5060
- - C:\Windows\System32\reg.exe
    reg.exe add "HKLM\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform" /f /v "KeyManagementServicePort" /t REG_SZ /d 1688
    3⤵
    PID:3024
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c Netsh.exe Advfirewall Firewall add rule name=0pen_Port_KMS dir=in action=allow protocol=TCP localport=1688 2>&1
  2⤵
  PID:4560
- - C:\Windows\System32\netsh.exe
    Netsh.exe Advfirewall Firewall add rule name=0pen_Port_KMS dir=in action=allow protocol=TCP localport=1688
    3⤵
    - Modifies Windows Firewall
    PID:4412
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c cscript.exe "C:\Program Files\Microsoft Office\Office16\ospp.vbs" //NoLogo /act 2>&1
  2⤵
  PID:2744
- - C:\Windows\System32\cscript.exe
    cscript.exe "C:\Program Files\Microsoft Office\Office16\ospp.vbs" //NoLogo /act
    3⤵
    PID:1484
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c taskkill.exe /t /f /IM SppExtComObj.Exe 2>&1
  2⤵
  PID:552
- - C:\Windows\System32\taskkill.exe
    taskkill.exe /t /f /IM SppExtComObj.Exe
    3⤵
    - Kills process with taskkill
    PID:3368
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg.exe delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.Exe" /f /v "Debugger" 2>&1
  2⤵
  PID:4820
- - C:\Windows\System32\reg.exe
    reg.exe delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.Exe" /f /v "Debugger"
    3⤵
    PID:3480
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg.exe delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.Exe" /f /v "KMS_Emulation" 2>&1
  2⤵
  PID:4868
- - C:\Windows\System32\reg.exe
    reg.exe delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.Exe" /f /v "KMS_Emulation"
    3⤵
    PID:1180
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg.exe delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.Exe" /f 2>&1
  2⤵
  PID:4584
- - C:\Windows\System32\reg.exe
    reg.exe delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.Exe" /f
    3⤵
    PID:868
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg.exe delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osppsvc.exe" /f /v "Debugger" 2>&1
  2⤵
  PID:5044
- - C:\Windows\System32\reg.exe
    reg.exe delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osppsvc.exe" /f /v "Debugger"
    3⤵
    PID:2996
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg.exe delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osppsvc.exe" /f /v "KMS_Emulation" 2>&1
  2⤵
  PID:1916
- - C:\Windows\System32\reg.exe
    reg.exe delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osppsvc.exe" /f /v "KMS_Emulation"
    3⤵
    PID:2008
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg.exe delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osppsvc.exe" /f 2>&1
  2⤵
  PID:3304
- - C:\Windows\System32\reg.exe
    reg.exe delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osppsvc.exe" /f
    3⤵
    PID:2276
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c Netsh.exe Advfirewall Firewall delete rule name=0pen_Port_KMS protocol=TCP 2>&1
  2⤵
  PID:4364
- - C:\Windows\System32\netsh.exe
    Netsh.exe Advfirewall Firewall delete rule name=0pen_Port_KMS protocol=TCP
    3⤵
    - Modifies Windows Firewall
    PID:4872
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c copy C:\Windows\System32\Tasks\ConsoleAct "C:\Users\Admin\AppData\Local\Temp\ConsoleAct.tmp" /Y 2>&1
  2⤵
  PID:4120

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Image File Execution Options Injection

T1546.012

Netsh Helper DLL

T1546.007

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Image File Execution Options Injection

T1546.012

Netsh Helper DLL

T1546.007

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System32\SppExtComObjHook.dll

Filesize
18KB

MD5
95f143ec661a5da85c3c8199d9fe06e7

SHA1
94ee8c5856dc0570a8f12cd08ecb0560f3a61908

SHA256
f239c27b50cef792fea5b34378fbac83bcc06b8442d508bd9add7ddf8ca5c632

SHA512
0fe0304f4fd4810a6aab5f35410b195c44302332c721ebfdb1c87e3081ec98a9ea9ec796bb135883ddf2906d82db51d29e34017c989f4f8ad4e17bbb1b00781e

Download Submit
memory/224-0-0x0000000140000000-0x000000014023F000-memory.dmp

Filesize
2.2MB

Download
memory/224-1-0x0000000140000000-0x000000014023F000-memory.dmp

Filesize
2.2MB

Download
memory/224-4-0x0000000140000000-0x000000014023F000-memory.dmp

Filesize
2.2MB

Download
memory/224-9-0x0000000140000000-0x000000014023F000-memory.dmp

Filesize
2.2MB

Download
memory/224-14-0x0000000140000000-0x000000014023F000-memory.dmp

Filesize
2.2MB

Download
memory/224-20-0x0000000140000000-0x000000014023F000-memory.dmp

Filesize
2.2MB

Download